Create a new action with the action builder

Make universal API calls in the Splunk SOAR Visual Playbook Editor

Note: Action builder is a beta feature. Beta features described in this document are provided by Splunk to you "as is" without any warranties, maintenance and support, or service-level commitments. Splunk makes this [Alpha/Beta] feature available at its sole discretion and may discontinue it at any time. These documents are not yet publicly available and we ask that you keep this information confidential. Use of [Alpha/Beta] features is subject to the Splunk Pre-Release Agreement for Hosted Services
To perform an action that doesn't already exist in your connectors, you can create a new action. Within an action block in the Visual Playbook Editor, you can create a new API call without needing to use code.

You can use two kinds of apps with the action builder:

  • Splunk-provided apps: After the beta release, Splunk will provide apps to support the action builder. The catalog of supported apps will increase over time.

    Note: For the beta release, the Splunk-supported app VirusTotal v3 supports the action builder.

  • Apps you create using the Splunk SOAR SDK: When you create these apps, you must include the make_request action. For details, see Develop an app using the Splunk SOAR SDK and the associated Splunk SOAR SDK documentation in GitHub.

To create a new action, follow these steps:

  1. In your playbook, add a new action block.

  2. Confirm that the action you want to perform does not already exist in your configured apps. If it already exists, continue with Add an action block to your Splunk SOAR (Cloud) playbook.

  3. In the action block configuration panel, select the New Action tab.

  4. Select the app you want to create a new action for. Then select the configured asset for that app.

  5. Select the HTTP method you want to use for this action. Options include the following standard HTTP methods.

    HTTP method Description
    GET Retrieves specified data. Compare to HEAD.
    POST Submits specified data.
    PUT Creates or replaces a resource at a specific known Uniform Resource Identifier (URI). Compare to PATCH.
    DELETE Requests that the server remove the resource identified by the Uniform Resource Identifier (URI).
    PATCH Similar to a PUT request, but applies only partial modifications to the target. It is more efficient for small, targeted updates
    HEAD Similar to a GET request, but retrieves only the header, not the response body.
    OPTIONS Requests which communication options are permitted for a given URL or server.
  6. Use the data path picker to provide the following parameters. Not all parameters are part of all HTML methods. For details on specifying data paths, see Specify data in your playbook.
    Parameter Required Description
    Endpoint Required The endpoint for the URL for this action. The datapath you choose will be appended to the end of the app URL.
    Query parameters Optional A query string or JSON object to append to the URL
    Headers Optional Headers to send with the request, usually JSON objects. For example, {'Content-Type':'application/json'}
    Body Optional A JSON object) to send with the request. For example, {'key':'value', 'key2':'value2'}.
  7. (Optional) Specify advanced options for this block.
  8. (Optional) To repeat the action in this block, create a logic loop. For details, see Repeat actions with logic loops.
  9. Select Apply.
  10. Select Save.
  11. Enter a comment about this action.