Run a playbook in Splunk SOAR (On-premises)

Analysts can use the /playbook command to run a playbook from the command line in Splunk SOAR (On-premises).

To run a playbook from the command line, you must supply the playbook_id or playbook_name and the scope. A playbook_name consists of a repository, followed by a slash ( / ), and the name of the playbook.

You can get a playbook_id or playbook_name by looking up the playbook from Main Menu > Playbooks, and clicking the playbook name from the list. The ID is the number in the playbook URL. See the following example:

https://<phantom.example.com>/playbook/1

Or you can use the REST API to query /rest/playbook. See Query for Data in REST API Reference for Splunk SOAR (On-premises).

Scope is one of the following values:

  • new - Run the playbook for only artifacts added to the container since the last time the playbook was run.
  • all - Run the playbook against all artifacts in the container.
  • <artifact ID> - Run the playbook for either a specific artifact or a list of artifacts.

Example using the playbook ID

/playbook 1 new

Example using the playbook name

/playbook local/example_playbook all

You can also supply a list for the playbook operand, the scope operand, or both: a list of IDs or names runs multiple playbooks, a list of scopes or artifact IDs runs one playbook against several artifacts or scopes, and a list in both positions runs every listed playbook against every listed scope.

Example of multiple specified artifacts

/playbook 1 ["41", "43", "45"]

This example runs playbook 1, for artifact IDs 41, 43, and 45 in the container.

Example of multiple playbooks

/playbook ["1", "2", "3"] new

This example runs playbooks 1, 2, and 3 for new artifacts in the container.

Example of multiple playbooks and multiple scopes

/playbook ["1", "2"] ["new", "all"]

This example runs playbooks 1 and 2 twice each, once with the new scope and once with the all scope.
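The forms above share one grammar: `/playbook`, then a playbook operand (an ID, a repository/name, or a JSON list of either), then a scope operand (`new`, `all`, an artifact ID, or a JSON list). The following added example, which is not part of Splunk SOAR or its documentation, parses and validates a command line in that grammar and expands the list forms into the individual (playbook, scope) pairs that would run. The permitted character set for repository and playbook names is an assumption made for validation; SOAR publishes no formal grammar for them.

```python
import json
import re
from dataclasses import dataclass
from typing import Tuple, Union

# Assumed character set for "repository/name" references (a conservative
# validation choice, not a rule published by Splunk SOAR).
PLAYBOOK_NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]+/[A-Za-z0-9_.\-]+$")

# /playbook <playbook operand> <scope operand>. Each operand is either a bare
# token or a JSON list; the bracketed alternative is tried first so the spaces
# inside a list are not mistaken for operand separators.
COMMAND_RE = re.compile(r"^/playbook\s+(\[[^\]]*\]|\S+)\s+(\[[^\]]*\]|\S+)\s*$")


@dataclass(frozen=True)
class PlaybookRun:
    playbooks: Tuple[Union[int, str], ...]  # numeric IDs or "repository/name"
    scopes: Tuple[Union[int, str], ...]     # "new", "all", or artifact IDs


def _operand_values(token):
    """Expand one operand into a list of strings (bare token or JSON list of strings)."""
    if token.startswith("["):
        values = json.loads(token)
        if not values or not all(isinstance(v, str) for v in values):
            raise ValueError(f"list operand must be a non-empty JSON array of strings: {token}")
        return values
    return [token]


def _playbook_ref(value):
    """A playbook is referenced by its numeric ID or by repository/name."""
    if value.isdigit():
        return int(value)
    if PLAYBOOK_NAME_RE.match(value):
        return value
    raise ValueError(f"invalid playbook reference {value!r}: expected an ID or repository/name")


def _scope(value):
    """Scope is 'new', 'all', or a numeric artifact ID."""
    if value in ("new", "all"):
        return value
    if value.isdigit():
        return int(value)
    raise ValueError(f"invalid scope {value!r}: expected new, all, or an artifact ID")


def parse_playbook_command(line):
    """Parse and validate a /playbook command line into its playbooks and scopes."""
    match = COMMAND_RE.match(line.strip())
    if not match:
        raise ValueError("usage: /playbook <playbook_id|playbook_name|[list]> <scope|[list]>")
    playbook_token, scope_token = match.groups()
    playbooks = tuple(_playbook_ref(v) for v in _operand_values(playbook_token))
    scopes = tuple(_scope(v) for v in _operand_values(scope_token))
    return PlaybookRun(playbooks, scopes)


def expand_runs(run):
    """List every (playbook, scope) pair the command would execute, in order."""
    return [(pb, sc) for pb in run.playbooks for sc in run.scopes]


if __name__ == "__main__":
    # Constructed sample commands mirroring the documented forms.
    for cmd in ('/playbook 1 new',
                '/playbook local/example_playbook all',
                '/playbook 1 ["41", "43", "45"]',
                '/playbook ["1", "2"] ["new", "all"]'):
        print(cmd, "->", expand_runs(parse_playbook_command(cmd)))
```

Validating the command before it is issued catches the two mistakes this page's syntax invites: a playbook name given without its repository prefix, and a scope that is neither `new`, `all`, nor an artifact ID.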

Playbooks interrupted by a system restart

If your system restarts while a playbook is running, the playbook run is cancelled. Any changes made by the playbook before the restart remain, and are not rolled back.