Add a new block to your Splunk SOAR (On-premises) playbook using the classic playbook editor

To add a new block to a playbook, drag the half-circle icon attached to any block on the canvas. Release your mouse to create a new empty block connected to the originating block with an arrow.

When you place a new block on the editor, a set of playbook types appears for you to select:

| Playbook type | Description |
|---|---|
| Action | Run an action provided by an app that is installed and configured in Splunk SOAR (On-premises). For example, you can use the MaxMind connector to geolocate an IP address. See Add an Action block to a Splunk SOAR (On-premises) playbook using the classic playbook editor. |
| Playbook | Run an existing playbook inside your current playbook. See Run other Splunk SOAR (On-premises) playbooks inside your playbook using the classic playbook editor. |
| API | Perform an action by making an API call. See Set container parameters in Splunk SOAR (On-premises) using the API block. |
| Filter | Filter the results of the previous block. For example, you can separate items that have a specific severity and perform a different set of actions on those items. See Use filters to separate Splunk SOAR (On-premises) artifacts before further processing with the classic playbook editor. |
| Decision | Make a decision and perform different actions depending on the results of the previous block. For example, you can blacklist all destination IPs that belong to a specific country. See Use decisions to send Splunk SOAR (On-premises) artifacts to a specific downstream action with the classic playbook editor. |
| Format | Format the results of the previous block. For example, you can gather data, format that data in a specific way, and send an email. See Customize the format of your Splunk SOAR (On-premises) playbook content using the classic playbook editor. |
| Prompt | Require a user to take action before proceeding to the next block. See Require user input to continue running the Splunk SOAR (On-premises) playbook using the classic playbook editor. |
| Manual Task | Send a message to a Splunk SOAR (On-premises) user or group that must be acknowledged. See Require user input to continue running the Splunk SOAR (On-premises) playbook using the classic playbook editor. |
| Custom Function | Add custom Python code to your playbook to expand the kinds of processing that are performed by the playbook. See Add custom code to your Splunk SOAR (On-premises) playbook with the Custom Function block using the classic playbook editor. |
| Legacy Custom Function | Legacy custom functions are the custom functions that were introduced for playbooks in Splunk Phantom version 4.2. See Add custom code to your Splunk SOAR (On-premises) Playbook with the Legacy Custom Function block using the classic playbook editor. Legacy custom functions are supported for users transitioning from Splunk Phantom to Splunk SOAR (On-premises). Legacy custom functions should be converted to the newer custom function type. For information on converting legacy custom functions to new custom functions, see Convert legacy custom functions to new custom functions. |

Advanced settings

To configure advanced settings for a block, follow these steps:

  1. Click Advanced.
  2. Modify the advanced settings.

| Setting | Block type | Description |
|---|---|---|
| Join Settings | Available for action, playbook, filter, decision, format, and prompt block types. | You can configure join settings when multiple incoming blocks that support the synchronous functionality are linked to any downstream block. All Action, Prompt, and Manual Task blocks run synchronously and playbooks can be toggled to run synchronously in the block configuration. See Run other playbooks inside your playbooks in Splunk SOAR (On-premises) for more information on the synchronous functionality. Configure join settings from the downstream block. These settings determine whether or not you wait to execute the next block until the required upstream blocks finish running. Click the required checkbox if the action in the upstream block must be completed before this downstream block is run. The required checkbox is enabled by default. |
| Scope | Available for action, playbook, filter, decision, format, and prompt block types. | Configure scope to determine how the artifact data passed into a block's API is collected. Collection occurs in the context of the current playbook. Setting the scope advanced setting on a playbook block doesn't change the scope of a child playbook. Scope only affects the collected artifact data that is passed in as inputs to the child playbook and the collection occurs before the child playbook is run. • Default: The artifact data for the block uses the same scope as the playbook. • New Artifacts: The artifact data for the block is collected for new events. • All Artifacts: The artifact data for the block is collected for all events. |
| Action Settings | Available for action blocks. | Configure the action settings that a user must perform. Action settings are only available from an action block. • Reviewer: Select a user or group that must approve this action before the action runs. If you select a group or role, any user in that role can approve the action. • Delay Timer: Set a delay in minutes before the action runs. A clock icon is visible on the action block to show that a delay is configured. |
| Case-sensitive | Available for decision and filter blocks. | Select whether you want the evaluation of conditions to be case-sensitive or case-insensitive. The default is case-sensitive. |
| Delimiter | Available for prompt and format blocks. | Specify an alternate separator to use when joining parameter values that result in a list. The default separator is ",". |
| Drop None Values | Available for prompt and format blocks. | Select whether or not you want to drop the "None" values from the resulting lists of parameters. By default, the "None" values are included. |
| Re-fetch Container Data | Available for API blocks. | Select this option to fetch updated container data. The default state is checked. Unchecking the checkbox uses the original cached container data, which is less expensive. |