Require user input using the Prompt block in your Splunk SOAR (Cloud) playbook
Use a Prompt block in your playbook to send a message to a user or group that they must acknowledge before the playbook continues running, or that asks them to enter required information. This is also known as prompt-driven automation.
Using a prompt playbook block, you can send a message to a user or group whether they are logged into Splunk SOAR (Cloud) (an internal prompt) or not (an external prompt). For example, you can prompt a Security Analyst in the Security Operations Center (SOC) who is using Splunk SOAR (Cloud) or use email to prompt someone in your organization's network operations team to approve blocking a firewall, even if they don't use Splunk SOAR (Cloud).
The processes for setting up internal prompts and external prompts are different. Refer to the appropriate section of this article:
Prompt users or groups who are logged into Splunk SOAR (Internal prompts)
To configure an internal prompt, perform the following steps:
- Drag and drop the half-circle icon attached to any existing block in the editor. Select a Prompt block from the menu that appears.
- Select Splunk SOAR users to prompt registered Splunk SOAR users. To prompt other users, refer to the instructions in the next section.
- Select a User or Role to approve the prompt. If the task is assigned to a group of users, the first user to approve it starts the playbook run. Consider selecting one of these dynamic roles:
  - Event owner: to prompt the user or role the container is assigned to when the playbook is run.
  - Playbook run owner: to prompt the user who initiated the playbook. If a playbook run is initiated by automation, the prompt block fails and no prompt is sent.
- In the Message box, craft a meaningful message so the users receiving the prompt understand what actions they must take.
- (Optional) Select + Message Parameter to search for and add the datapath to a message parameter. You can then add the values for this parameter in your message. Optionally add more parameters by selecting the plus icon. For details on specifying datapaths, see Specify data in your playbook. For details on formatting your prompt message, see Customize the format of your Splunk SOAR (Cloud) playbook content.
- Select + Question and enter a question to ask the approver in the Question 1 box. Although questions are not required, they are useful in guiding user responses.
- From the Response type list, choose the type of response to the question that is required to complete the task.
- Select the Required checkbox if the approver must answer the question in order for the playbook to resume running. If a response is not required, the question is informational.
- (Optional) Repeat the previous three steps for additional questions and response types.
- From the Required response time field, choose the response time in minutes.
- Select Done.
You can also configure Advanced settings for a prompt block. Use the Delimiter box to specify an alternate separator to use when joining parameters that result in a list. The default separator is ",". Use the Drop None checkbox to select whether to drop the "None" values from the resulting lists of parameters. By default, the "None" values are included. For more information on other Advanced settings, see Advanced settings.
Additionally, you can select the Info tab to create a custom name for the block, add a description for the block, and add a tooltip to the block. For details, see Use custom names.
Prompt users or groups who are not logged into Splunk SOAR (External prompts)
To lower the risks of sending prompts to users outside of Splunk SOAR (Cloud):
- Carefully consider the distribution for your prompt link and avoid sending unauthenticated prompts to large groups or open channels, like distribution lists.
- Avoid using unauthenticated prompts to approve sensitive actions, like quarantining hosts. Consider requiring SAML authentication or implementing role based access controls (RBAC) on the asset instead.
- Avoid using free text input response types as inputs to downstream actions for unauthenticated prompts. This prevents a response from invoking the action in an unintended way.
- Consider setting the required response time to be as short-lived as possible to reduce risk.
To configure an external prompt for non-Splunk SOAR (Cloud) users, perform the following steps:
- Drag and drop the half-circle icon attached to any existing block in the editor. Select a Prompt block from the menu that appears.
- Select Others users to prompt non-Splunk SOAR (Cloud) users. To prompt Splunk SOAR users, refer to the instructions in the previous section.
- (Optional) Select Require SAML authentication to specify that any recipients must be authenticated through SAML. For details on configuring groups in SAML within Splunk SOAR (Cloud), see Configure single sign-on authentication for Splunk SOAR (Cloud).
  - Select one or more SAML groups that the recipients must belong to so they can answer the prompt.
- In the Distribution section, specify how you want to contact the recipients. You can specify up to 4 distribution methods.
  - Select +Distribution method. Select a method from the list of available options, like SMTP, then select the specific method, like send email. Notice that the options are essentially actions that you are calling from within the prompt block.
  - Configure the distribution method, specifying datapaths or values for all of the required fields, like, in the case of an email, the recipient and body of the email. Within the message body, include a link to the prompt itself, so the user can select it to navigate to the location where they will respond to the prompt. In the datapath picker, locate the prompt block you are working on, like prompt_1. Then select the link parameter, usually ending with .secure_link. For example, here is a datapath for the link for sending an SMTP email: prompt_1:action_result.parameter.secure_link. For details on specifying data in a playbook block, see Specify data in your playbook.
  - (Optional) For the distribution method, select the Info tab. Specify a descriptive, custom name for the prompt. This is the name that the recipient will see. For details, see Use custom names. You can also add a description and a tooltip to the block.
  - (Optional) For the distribution method, select the Loop tab. Create a loop for this distribution method, so the prompt will continue to be sent until a condition is met. For example, depending on the urgency of the prompt, you might want to send a Slack message to the recipient every 10 minutes until the recipient responds. For details on configuring loops, see Repeat actions with logic loops.
  - (Optional) Select +Distribution method to add another distribution method. Repeat the steps in this section.
- In the Message box, craft a meaningful message so the users receiving the prompt understand what actions they must take.
- (Optional) Select + Message Parameter to search for and add the datapath to a message parameter. You can then add the values for this parameter in your message. Optionally add more parameters by selecting the plus icon. For details on specifying datapaths, see Specify data in your playbook. For details on formatting your prompt message, see Customize the format of your Splunk SOAR (Cloud) playbook content.
- Select + Question and enter a question to ask the approver in the Question 1 box. Although questions are not required, they are useful in guiding user responses.
- Select the Required checkbox if the approver must answer the question in order for the playbook to resume running. If a response is not required, the question is informational.
- From the Response type list, choose the type of response to the question that is required to complete the task.
- (Optional) Repeat the previous three steps for additional questions and response types.
- From the Required response time field, choose the response time in minutes.
- Select Done.
You can also configure Advanced settings for a prompt block. Use the Delimiter box to specify an alternate separator to use when joining parameters that result in a list. The default separator is ",". Use the Drop None checkbox to select whether to drop the "None" values from the resulting lists of parameters. By default, the "None" values are included. For more information on other Advanced settings, see Advanced settings.
How Splunk SOAR-licensed recipients respond to prompts
Users or groups who are licensed to use Splunk SOAR (Cloud) receive prompts as emails and as notifications when they are logged into Splunk SOAR (Cloud). The notifications display on the bell icon near their login name.
How other recipients respond to prompts
For external prompts, Splunk SOAR (Cloud) generates a link where the non-Splunk SOAR (Cloud) user can access the prompt. Those users or groups receive the link by the distribution method you specify, for example, email. When the user accesses the link, and authenticates with SAML if you specify that requirement, they can view the message, respond to it, and answer any questions in the prompt.
The prompt is no longer visible or actionable in the following cases:
- After the user responds to the prompt
- If the Required response time specified in the prompt block is reached before the recipient responds to the prompt
- If a Splunk SOAR (Cloud) user cancels the prompt
In each of these cases, if the recipient follows the link to the prompt, they will see a message letting them know that the prompt is not available and why.
Identify who answered a prompt
Find out which non-SOAR user answered a prompt
You can find the email of the SAML user who responded to an external prompt in the action_result.summary.user parameter resulting from the prompt block. You can use that parameter in downstream playbook blocks for any additional processing. For example, when a SAML user responds to a prompt, you might run their email against a list of emails that are approved for interaction with SOC requests in your organization.
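The following added example (not Splunk's own code) shows one way to combine the approved-email check described above with the earlier guidance to keep free text responses out of downstream actions. It is plain Python that a custom code step could adapt; the function names, the approved list, the answer choices, and the way the answer is passed in are all assumptions, and only action_result.summary.user comes from this page.

```python
# Added example: gate a downstream action on who answered an external prompt
# and on what they answered. All names and sample data here are constructed.

APPROVED_RESPONDERS = {"netops.lead@example.com", "soc.manager@example.com"}
ALLOWED_ANSWERS = {"Yes", "No"}  # fixed choices only, never free text


def normalize_email(value):
    """Return a lower-cased, stripped address, or None if it is unusable."""
    if not isinstance(value, str):
        return None
    value = value.strip().lower()
    # Reject empty values and anything that is not a single plain address.
    if value.count("@") != 1 or any(c.isspace() or c in ",;<>" for c in value):
        return None
    local, domain = value.split("@")
    return value if local and "." in domain else None


def authorize_prompt_response(responder, answer,
                              approved=APPROVED_RESPONDERS,
                              allowed_answers=ALLOWED_ANSWERS):
    """Decide whether a prompt response may drive a downstream action.

    responder: value read from prompt_1:action_result.summary.user
    answer:    the response to the question (assumed to arrive as a string)
    Returns (proceed, reason).
    """
    email = normalize_email(responder)
    if email is None:
        # No SAML identity was recorded, so the response cannot be attributed.
        return False, "no authenticated responder"
    if email not in {a.lower() for a in approved}:
        return False, "responder not on approved list: " + email
    if answer not in allowed_answers:
        # Free text or an unexpected value never reaches the action.
        return False, "unexpected answer"
    if answer != "Yes":
        return False, "request declined by " + email
    return True, "approved by " + email


if __name__ == "__main__":
    samples = [("NetOps.Lead@example.com ", "Yes"), (None, "Yes"),
               ("intern@example.com", "Yes"),
               ("soc.manager@example.com", "sure, go ahead")]
    for responder, answer in samples:
        print(responder, "->", authorize_prompt_response(responder, answer))
```

Record the returned reason in the container so that a denied approval is visible to the analyst reviewing the playbook run.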