Splunk® SOAR (Cloud)

Splunk SOAR (Cloud) Service Description



The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the classic playbook editor is removed, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify them.


Splunk SOAR (Cloud) introduction

Splunk SOAR (Cloud) delivers the benefits of SOAR as a cloud-based service. With Splunk SOAR (Cloud), you gain the functionality of a security orchestration, automation, and response (SOAR) system that is delivered as a software-as-a-service (SaaS) solution hosted and managed by Splunk.

The Splunk SOAR (Cloud) combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.

Use Splunk SOAR (Cloud) to perform the following tasks:

  • Ingest security events from Splunk Cloud Platform or from other products such as firewalls and other security tools.
  • Triage, analyze, and track events in a unified interface.
  • Automate responses to security events with automation playbooks.

Splunk manages and updates the Splunk SOAR (Cloud) service uniformly, so all Splunk SOAR (Cloud) customers receive access to the most current features and functionality. Your subscription to the Splunk SOAR (Cloud) service is sized for capacity and the number of individual users assigned to your purchased platform subscription. See Splunk Offerings Purchase Capacity and Limitations. Be sure to keep your Operational Contacts up-to-date to ensure you receive timely notifications for service updates; see Your maintenance responsibilities for more details.

This document describes the features, capabilities, limitations, and constraints of the Splunk SOAR (Cloud) service and our responsibilities to you as a SaaS provider. This document also notes your responsibilities as a subscriber to the service. Be sure to read the complete service description and the service terms and policies documents listed in the following section. If you have questions after reading any of this material, contact your Splunk sales representative.


Service terms and policies

The following links access important terms and policies that pertain to the Splunk Cloud Platform through which the Splunk SOAR (Cloud) service is delivered. Be sure to read these documents to have a clear understanding of the service. If you have any questions, contact your Splunk sales representative.

Available regions and region differences

Splunk SOAR (Cloud) is available in the following global regions.

AWS regions:

  • US (Oregon, Virginia)
  • UK (London)
  • Europe (Dublin, Frankfurt, Paris)
  • Asia Pacific (Mumbai, Singapore, Sydney, Tokyo)
  • Canada (Central)

Google Cloud regions:

  • Not currently available

Compliance and certifications

Splunk has attained a number of compliance attestations and certifications from industry-leading auditors as part of our commitment to adhere to industry standards worldwide and part of our efforts to safeguard customer data. The following compliance attestations/certifications are available:

  • SOC 2 Type II: Splunk SOAR (Cloud) has an annual SOC 2 Type 2 audit report issued. The SOC 2 audit assesses an organization's security, availability, process integrity, and confidentiality processes to provide assurance about the systems that a company uses to protect customers' data. If you require the SOC 2 Type 2 attestation to review, contact your Splunk sales representative to request it.
  • ISO 27001: Splunk SOAR (Cloud) is ISO/IEC 27001:2013-certified. ISO/IEC 27001:2013 is a standard for an information security management system, specifying the policies and procedures for all legal, physical, and technical controls used by an organization to minimize risk to information. See https://www.splunk.com/pdfs/legal/splunk-ISO-27001-certificate.pdf to access a PDF version of the Splunk ISO 27001 certificate.

For information regarding the availability of service components between the AWS and Google Cloud regions, see Available regions and region differences. If your data must be maintained in a regulated cloud environment to help you meet your compliance needs, Splunk SOAR (Cloud) provides the following optional subscriptions.

  • Health Insurance Portability and Accountability Act (HIPAA): Splunk SOAR (Cloud) (HIPAA) is compliant with the HIPAA Security Rule and HITECH Breach Notification Requirements. These regulations establish a standard for the security of any entity that accesses, processes, transmits, or stores electronic protected health information (ePHI).
  • Information Security Registered Assessors Program (IRAP): Splunk attests Splunk SOAR (Cloud) against the PROTECT level of the IRAP standard. The IRAP standard allows the Commonwealth of Australia and commercial customers to run sensitive workloads by using an IRAP assessed Splunk SOAR (Cloud) environment in Australia (AWS Sydney region).
  • Payment Card Industry Data Security Standard (PCI DSS): Splunk tests Splunk SOAR (Cloud) for compliance with the PCI DSS v3.2 standard. This standard applies to any entity that processes, transmits, or stores payment card data as well as their critical service providers.

The table lists additional SOAR (Cloud) service information for regulated cloud environments.

  • DoD IL5: Not currently available.
  • FedRAMP Moderate: Not currently available.
  • HIPAA
    • Region availability: All AWS regions.
    • Encryption at rest: Active by default. Splunk manages the encryption keys on your behalf and they are regularly rotated. If available in your region, you have the option to manage the encryption keys instead.
    • IP allow list: You must provide IP allow list rules to access your Splunk SOAR (Cloud) HIPAA environment.
    • Certification documents: If you require the HIPAA compliance report to review, contact your Splunk sales representative to request a copy.
  • IRAP: Not currently available.
  • PCI DSS
    • Region availability: All AWS regions except GovCloud (US-West and US-East).
    • Encryption at rest: Active by default. Splunk manages the encryption keys on your behalf and they are regularly rotated.
    • IP allow list: You must provide IP allow list rules to access your Splunk SOAR (Cloud) PCI DSS environment.
    • Certification documents: If you require the PCI DSS attestation of compliance to review, contact your Splunk sales representative to request a copy.

Data collection

Splunk SOAR (Cloud) provides software and APIs that let you ingest data from your applications, cloud services, servers, network devices, and sensors into the service. The following sections describe how you can send data to Splunk SOAR (Cloud).


Splunk App for SOAR Export

Splunk SOAR (Cloud), and Splunk SOAR (On-premises) can use the Splunk Cloud Platform as a source of data by ingesting events. The Splunk App for SOAR Export is required to configure Splunk Enterprise or Splunk Cloud Platform as a data source for getting data into Splunk SOAR (Cloud) or Splunk SOAR (On-premises). For additional information, see Splunk App for SOAR Export.

Splunk App for SOAR

Splunk SOAR (Cloud) and Splunk SOAR (On-premises) can use the Splunk Cloud Platform as a source of alerts, reporting, and dashboarding SOAR content. The Splunk App for SOAR is required to configure Splunk Enterprise or Splunk Cloud Platform to receive data from Splunk SOAR (Cloud) or Splunk SOAR (On-premises). For additional information, see Splunk App for SOAR.

Splunk SOAR Apps/Connectors

Splunk SOAR (Cloud), and Splunk SOAR (On-premises) have applications (also called connectors) that provide an on-poll capability to ingest data from an integration. This integration provides all the necessary information and creates the necessary items within Splunk SOAR. For more information, see Add and configure apps and assets to provide actions in Splunk SOAR (Cloud) or Develop Apps for Splunk SOAR (Cloud).

Splunk SOAR (Cloud) REST API

Splunk SOAR (Cloud) has REST API definitions to allow customers to build custom ingestion scenarios as needed. For more information, see REST API Reference for Splunk SOAR (Cloud).

Additional information about data collection

Encryption in transit

For security, data in transit is TLS 1.2+ encrypted. Senders and receivers authorize each other, and HTTP-based data collection is secured using token-based authentication.
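As an added example of the two controls just described (and of the custom ingestion path through the REST API mentioned above), the following Python client pins a TLS 1.2 floor on its side of the connection and sends a token-authenticated request that creates a container. This is illustrative code written for this page, not Splunk's own client library. The endpoint path /rest/container and the ph-auth-token request header are assumed from the Splunk SOAR REST API reference rather than stated on this page; the hostname and token are placeholders you must replace.

```python
"""Added example: pushing an event into Splunk SOAR (Cloud) over TLS 1.2+ with token auth.

Illustrative code written for this page, not Splunk's own client library.
Assumptions (not stated on this page): the endpoint path ``/rest/container`` and the
``ph-auth-token`` header are taken from the Splunk SOAR REST API reference; the
hostname and token below are placeholders.
"""
import json
import ssl
import urllib.request

SOAR_BASE_URL = "https://example-id.soar.splunkcloud.com"  # placeholder, not a real tenant
SOAR_TOKEN = "REPLACE_WITH_AUTOMATION_USER_TOKEN"          # placeholder


def make_tls_context() -> ssl.SSLContext:
    """Client-side floor matching the service's TLS 1.2+ requirement.

    The service refuses older protocol versions anyway; setting the floor here as well
    stops a misconfigured proxy or interception device from downgrading the client.
    """
    ctx = ssl.create_default_context()  # verifies the server certificate by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    return ctx


def build_container(name: str, label: str, artifacts: list[dict]) -> dict:
    """Build a container payload and reject malformed input before anything is sent."""
    if not name or not label:
        raise ValueError("container name and label are required")
    for art in artifacts:
        if "cef" not in art or not isinstance(art["cef"], dict):
            raise ValueError("each artifact needs a 'cef' dict of fields")
    return {"name": name, "label": label, "artifacts": artifacts}


def build_request(base_url: str, token: str, payload: dict) -> urllib.request.Request:
    """Token-based auth: the token travels in a header, never in the URL, so it does not
    end up in proxy or web-server access logs."""
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        url=f"{base_url}/rest/container",
        data=body,
        method="POST",
        headers={"ph-auth-token": token, "Content-Type": "application/json"},
    )


def send_container(req: urllib.request.Request, ctx: ssl.SSLContext, timeout: float = 10.0) -> dict:
    """Send the request over the hardened TLS context and return the decoded JSON reply."""
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample event; a real integration fills this from the sender's data.
    artifact = {"label": "event", "cef": {"sourceAddress": "192.0.2.10", "destinationPort": 443}}
    payload = build_container("Suspicious outbound connection", "events", [artifact])
    req = build_request(SOAR_BASE_URL, SOAR_TOKEN, payload)
    print(send_container(req, make_tls_context()))
```

The request builder and the TLS context are separate functions so that the payload and headers can be checked in a unit test without any network access, and so that one context with the TLS floor can be reused across many requests.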

IP allow list

You can specify that data is collected only from allowed IP addresses. File a support ticket for Splunk to assist you with this task.

Differences Between Splunk SOAR (Cloud) and Splunk SOAR (On-premises)

Splunk SOAR (Cloud) delivers the benefits of Splunk SOAR (On-premises) as a cloud-based service, with some differences. Although Splunk SOAR (On-premises) (formerly, Splunk Phantom) and Splunk SOAR (Cloud) share many similarities, there are a few restrictions within Splunk SOAR (Cloud) to consider before deciding whether or not to purchase Splunk SOAR (Cloud). Consider the following restrictions before purchasing and migrating to Splunk SOAR (Cloud):

  • Restoring Splunk SOAR (On-premises) or Splunk Phantom: Splunk SOAR (Cloud) does not currently allow migration of any native data from Splunk SOAR (On-premises) instances. This data includes containers, artifacts, notes, comments, and playbook and action run data. A recommended alternative is to use the Splunk App for SOAR to move relevant data to Splunk Cloud Platform for retention.
  • Playbook execution: Playbook execution settings are usually managed with the Splunk resource management processes. See Run playbooks in parallel with vertical scaling in the Administer Splunk SOAR (On-premises) manual. However, the resource management capability has been removed from Splunk SOAR (Cloud). Splunk manages these settings on behalf of the customer to ensure the maximum allowable performance within the configuration provided.
  • Clustering: Splunk Cloud Platform controls the configuration and resources allocated to the Splunk SOAR (Cloud) environment. You can no longer configure or monitor a clustered environment.
  • Multitenancy: Multitenancy is discontinued. Contact OnDemand Services for help reconfiguring your environment from multitenancy to robust role-based access control and appropriate container labels that mirror the functionality of multitenancy. See Splunk Expert and Adoption Services.
  • Telemetry: Telemetry is necessary for Splunk Cloud Platform to provide an appropriate application environment. In Splunk SOAR (Cloud), telemetry is not user configurable. See Share data from Splunk SOAR in the Administer Splunk SOAR (Cloud) manual.
  • Authentication: LDAP and OpenID options are removed. Splunk recommends that you use a SAML2 provider to give the best protection and security options for your authentication needs. For more information, see Users and authentication.
  • Mobile: Mobile device configuration is removed from Splunk SOAR (Cloud).
  • TCP port 25: Splunk SOAR (Cloud) does not provide access for outbound connections nor exceptions for TCP port 25. The nature of the content and capabilities of the SOAR platform allow an unsecured connection to deliver email messages of a sensitive nature without a way to ensure a proper level of encryption or acceptable recovery processes. Splunk SOAR (On-premises) does and will provide outbound access for cloud to cloud connections for appropriate SMTPS ports like 587, 465, or a customized port. Customers who still require TCP port 25 SMTP support can do so within their internal environments through the Automation Broker.
  • No custom pip installations: phenv python pip install installations aren't allowed in Splunk Cloud environments. This might impact your imported custom functions. Make sure you review the import statements in your custom functions. See Specifying pip dependencies in the Develop Apps for Splunk SOAR (Cloud) manual.
  • API endpoints: Splunk SOAR (Cloud) supports additional API endpoints not available in Splunk SOAR (On-premises). See html_file_to_pdf and html_string_to_pdf in the Python Playbook API Reference for Splunk SOAR (Cloud) manual.

Maintenance

This section describes the maintenance responsibilities handled by Splunk or you, the customer.

Splunk maintenance responsibilities

The following sections describe the maintenance responsibilities and tasks that Splunk does on your behalf.

Gets you started

When you first subscribe to Splunk SOAR (Cloud), Splunk sends you a welcome email containing the information required for you to access your Splunk SOAR (Cloud) deployment and get started. This email contains a lot of important details, so keep it handy.

Assists you with supported tasks

Splunk SOAR (Cloud) allows you to customize the SOAR platform through the SOAR administration page, and to install apps/connectors and playbooks. However, some features in Splunk SOAR (Cloud) require assistance from Splunk to activate or change, such as IP allow listing or data retention settings. When you file a support ticket, Splunk performs such changes on your behalf. Customer-initiated changes of this kind are performed as needed, and the customer contact on the support case receives notice once the work is scheduled. During these changes, services might be available but degraded. In most cases, login is impacted for no more than 10 minutes. You will receive email notices from Splunk Support when such maintenance starts and when it is complete.

Upgrades and expands your subscriptions

By default, you will receive the current version of Splunk SOAR (Cloud) and a current version of Splunk-certified SOAR Connectors (Apps) through Splunk-initiated Service Updates. Current Splunk Cloud Platform and Premium App versions are in the Supported versions section of this service description. To ensure efficiency and agility, you will be assigned to a cohort and an upgrade window based on where your SOAR deployment is located. This window is normally between 1:00 AM and 3:00 AM local to the SOAR deployment location. Example: A SOAR deployment located in the AWS Sydney region would be updated at 1:00 AM Sydney time (GMT+10). As Splunk releases new features of Splunk SOAR (Cloud), your cohort will be notified by Splunk of the upcoming maintenance window.
Note the following operational information regarding Splunk-initiated maintenance windows:

  • There is no modification of the upgrade delivery timeline from a customer request. All deployments will be updated and only delayed by the Splunk-initiated internal release change process from Product Engineering. Customers will be notified as soon as we know the delays.
  • There is normally a monthly Service Update when we deliver the latest features set for our customers and users OR a monthly Routine Maintenance for non-feature-related enhancements. Splunk reserves the right to not conduct an update if there isn't a need to do so.
  • Splunk will notify your Operational Contacts at least 14 days in advance for Service Updates OR Routine Maintenance. We will also try to include the nature of the features or fixes for the announced Service Update or Routine Maintenance notification.
  • Our communications will provide specifics whether any service will be degraded or unavailable during the maintenance window.
  • Splunk will make commercially reasonable efforts to notify your Operational Contacts in the rare occurrence of an unscheduled Emergency Maintenance. Our communications will provide specifics whether any customer action such as updates to data ingestion, automation mechanisms and applications is required.
  • We expect that newly provisioned customers will be upgraded to the latest features within 7 days of provisioning using our Emergency Maintenance process and will endeavor to notify customers of their upgrade. Those systems provisioned after the 7-day window should also be at the latest product version.

Monitors Splunk SOAR (Cloud) uptime and security

Splunk continuously monitors the status of your Splunk SOAR (Cloud) environment to ensure uptime and availability. We look at various health and performance variables such as the availability of the webserver, uptime of critical processes, and system resource utilization. Splunk maintains the following:

  • We aim for 100% uptime per the Splunk Cloud Service - Service Level Schedule
  • 5.3 days' worth of point-in-time snapshots, taken every 6 hours, of your Splunk SOAR (Cloud) database and filesystem
  • Historical application logs from Splunk SOAR (Cloud)
  • A rolling 7-day collection of live health metrics, which allow Splunk to proactively detect problems in your Splunk SOAR (Cloud) environment

See also Manage Splunk SOAR (Cloud) users for information on the Administrator and system user roles, and the certification of Splunk SOAR (Cloud) by independent third-party auditors against the SOC 2 Type II and ISO 27001 security standards.

Your maintenance responsibilities

The following section describes your maintenance responsibilities and tasks.

Keep Operational Contacts up-to-date

Ensure that the Operational Contacts listed in your Splunk.com support portal are accurate and updated as necessary. Operational Contacts are notified when your Splunk SOAR (Cloud) environment undergoes maintenance, requires configuration awareness, or experiences a performance-impacting event. These contacts will receive regular notifications of planned and unplanned downtime, including scheduled maintenance window alerts and email updates related to incident-triggered cases.
For information on the Splunk Cloud Service Maintenance Policy see the Service terms and policies section.

Review Splunk SOAR (Cloud) documentation

Splunk will attempt to notify your Operational Contacts at least 14 days in advance for Service Updates and Routine Maintenance. To ensure your Splunk SOAR (Cloud) environment and your team are ready, review the following sections in the Splunk SOAR (Cloud) Release Notes prior to the maintenance:

Network connectivity and data transfer

You access your Splunk SOAR (Cloud) environment via public endpoints, except for DoD IL5 environments. By default, for both Splunk SOAR (Cloud) access and sending your data, traffic from your network is encrypted, sent over the public internet, and then routed to your Splunk SOAR (Cloud) environment in a Virtual Private Cloud (VPC). If you choose to use private connectivity instead of the public internet to access Splunk SOAR (Cloud) and send your data, you are responsible for ensuring connectivity between your users or data sources and the Splunk SOAR (Cloud) public endpoints. These public endpoints are protected by firewall rules, and customers can also specify additional access control rules using their IP allow list. See the Splunk Cloud Platform service limits and constraints section for the available customer-defined rules and size limits.
You can restrict data collection to only allowed IP addresses; file a support ticket for Splunk to assist you with this task.
If you are using optional AWS and Google Cloud services or resources for private connectivity to reduce your overall network costs and increase bandwidth throughput, such as Dynamic Data Self-Storage to export your aged ingested data to your Amazon S3 or Google Cloud Storage account or AWS Kinesis Data Firehose service for data ingestion, note the following:

  • You are responsible for setup, configuration, and operation of these optional AWS and Google Cloud services and resources, and any associated payments to AWS and Google Cloud.
  • You are responsible for ensuring connectivity between your users or data sources and the Splunk SOAR (Cloud) public endpoints. Splunk SOAR (Cloud) also does not provide a virtual gateway for data ingestion purposes.
  • These optional AWS and Google Cloud services or resources might not be available in all Splunk SOAR (Cloud) regions. See Available regions and region differences for the regions Splunk SOAR (Cloud) supports and also refer to the respective AWS and Google Cloud documentation for more information.

Security

The security and privacy of your data is of the utmost importance to you and your organization, and Splunk makes this a top priority. Splunk Cloud Platform service is designed and delivered using key security controls described in the following sections.

App security

All Splunk apps hosted on Splunk Cloud Platform by Splunk are examined by Splunk engineers to ensure that they comply with the guidance in Vet apps and add-ons for Splunk Cloud Platform. Splunk Cloud Platform vetting provides a set of best practices for app developers. For details about how to submit an app for evaluation for Splunk Cloud Platform readiness, see the Splunk Developer web page.
Splunk SOAR (Cloud) connectors (apps) follow the same process, but the submission process is slightly different. Refer to Splunk SOAR Connectors for details. For information on how to build a Splunk SOAR (Cloud) connector (app), see Develop Apps for Splunk SOAR (Cloud).

Data handling

You can store your data in one of the available AWS or GCP regions. See Available regions and region differences for global regions supported in the Splunk Cloud Platform service.

Data is kept in the region you choose. If you need to store your data in more than one region, you can purchase multiple subscriptions. Data is retained in Splunk Cloud Platform according to the volumes, durations, and index configurations you set. Expired data is deleted based on your pre-determined schedule.

For the purposes of disaster recovery, your configuration and recently-ingested data is backed up on a rolling seven-day window. If you require your ingested data to be moved into your control before the termination of your subscription, this is accomplished through a Splunk Professional Services engagement. Some data can be moved into your control by activating Dynamic Data Self-Storage to export your aged data to your Amazon S3 or Google Cloud Storage account in the same region. Note that Dynamic Data Self-Storage does not export your configuration data. Depending on the amount of data and the work involved, we might charge for this service. For more information on Splunk Cloud Platform data management, see Review Splunk Cloud Platform data policies and also Manage Splunk Cloud Platform indexes in the Splunk Cloud Platform Admin manual.

Instance security

Every Splunk Cloud Platform deployment runs in a secured environment on a stable operating system and in a network that is hardened to industry standards using a default-deny firewall policy, which permits access only to specific IP addresses and services. Your deployment is regularly scanned for host- and application-level threats.

Isolation of data and service

In the cloud, your data is logically isolated from other customers' data, so your performance and data integrity cannot be affected by other customers who are using the Splunk Cloud Platform service.

Security controls and background screening

Splunk security controls are described in our most recent Service Organization Control II, Type II Report (SOC 2/Type 2 Report). For more information about regions for which Splunk does not have SOC2 controls in place, see the Splunk Cloud Platform Security Addendum. Splunk conducts criminal background checks on its employees prior to hire, as permitted by law.

User authentication and access

You can configure authentication using local authentication provided by Splunk SOAR (Cloud) and single sign-on using any SAML v2 identity provider. To control what your Splunk SOAR (Cloud) Platform users can do, you assign them roles that have a defined set of specific capabilities. Splunk SOAR (Cloud) Platform allows you to configure account policies that require unique user names, minimum password length, and regular password resets with supported SAML v2 identity providers. To use multifactor authentication, customers must configure a SAML v2 identity provider that supports multifactor authentication. Only SHA-256 signatures in the SAML message between your IdP and Splunk Cloud Platform are supported.
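The SHA-256 requirement is easy to check on the identity provider side before a sign-in fails. The following Python snippet is an added example written for this page, not Splunk code: it parses a SAML 2.0 response and reports any signature whose SignatureMethod is not a SHA-256 algorithm. The XML it runs on is a constructed skeleton, not a real IdP response, and the check only inspects the declared algorithm; verifying the signature itself is the service's job.

```python
"""Added example: checking that a SAML 2.0 response declares SHA-256 signatures.

Illustrative code for this page, not part of Splunk SOAR. The XML samples are constructed
fragments with the structure of a signed SAML response, not real IdP output.
"""
import xml.etree.ElementTree as ET  # for IdP output you did not generate, prefer defusedxml

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Algorithm identifiers from XML Signature and its extensions (RFC 6931).
SHA256_ALGORITHMS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}
SHA1_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
}


def signature_algorithms(saml_xml: str) -> list[str]:
    """Return the SignatureMethod algorithm URI of every XML signature in the document
    (the Response and the Assertion may each carry one)."""
    root = ET.fromstring(saml_xml)
    return [el.get("Algorithm", "") for el in root.iter(f"{{{DSIG_NS}}}SignatureMethod")]


def check_sha256_only(saml_xml: str) -> tuple[bool, list[str]]:
    """True when every signature uses a SHA-256 algorithm; the list explains any failure."""
    problems: list[str] = []
    algs = signature_algorithms(saml_xml)
    if not algs:
        problems.append("no XML signature found")
    for alg in algs:
        if alg in SHA1_ALGORITHMS:
            problems.append(f"SHA-1 signature {alg} is not supported")
        elif alg not in SHA256_ALGORITHMS:
            problems.append(f"unrecognised signature algorithm {alg}")
    return (not problems, problems)


def _sample(alg: str) -> str:
    # Constructed minimal signed-response skeleton; only the parts this check reads are present.
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:ds="{DSIG_NS}" ID="_abc" Version="2.0">'
        "<ds:Signature><ds:SignedInfo>"
        f'<ds:SignatureMethod Algorithm="{alg}"/>'
        "</ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"
        "</samlp:Response>"
    )


SAMPLE_SHA256 = _sample("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
SAMPLE_SHA1 = _sample("http://www.w3.org/2000/09/xmldsig#rsa-sha1")

if __name__ == "__main__":
    for label, doc in (("sha256", SAMPLE_SHA256), ("sha1", SAMPLE_SHA1)):
        print(label, check_sha256_only(doc))
```

Most identity providers expose the signature algorithm as a per-application setting; run the check against a response captured from the browser's SAML trace after changing that setting, and treat an unrecognised algorithm the same as SHA-1 until you have confirmed it is accepted.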

See also

  • User authentication: see Users and authentication.
  • Splunk data privacy, security and compliance: see Splunk Protects.
  • Availability of service components between the AWS and Google Cloud regions: see Available regions and region differences.

Self-service capabilities

The following are common Splunk SOAR (Cloud) self-service tasks, grouped by area, with the interface through which each is performed. For more information regarding these self-service tasks, refer to the respective Splunk SOAR (Cloud) manual.

  • Applications / Connectors
    • Configure Integrations: Splunk SOAR (Cloud)
    • Develop Applications: Splunk SOAR (Cloud)
  • Health monitoring
    • Platform performance: Splunk SOAR (Cloud)
    • Active users: Splunk SOAR (Cloud)
    • Ingestion: Splunk SOAR (Cloud)
  • Ingestion
    • Application On Poll: Splunk SOAR (Cloud)
    • Splunk App for SOAR Export: Splunk Web
  • Network Connectivity and Data Transfer
    • IP Allow List management: via Splunk Support
    • Outbound Port Management: Not available
    • Export Expired Data: Not available
  • Splunkbase and private apps
    • Installation and updates: Splunk SOAR (Cloud)
  • Users and Authentication
    • Manage users and roles: Splunk SOAR (Cloud)
    • Configure central authentication: Not available
    • Manage authentication tokens: Not available

Service level agreement

Splunk provides an uptime SLA for Splunk Cloud Platform. You will receive service credits in the event of SLA failures, as set forth in our current SLA schedule. As Splunk SOAR (Cloud) is offered uniformly across all customers, the SLA cannot be modified on a customer-by-customer basis.

Splunk SOAR (Cloud) is considered available if you are able to log into your Splunk SOAR (Cloud) Service account and start using the Splunk SOAR software. Splunk continuously monitors the status of each Splunk SOAR (Cloud) environment to ensure the SLA. In addition, Splunk Cloud Platform monitors several additional health and performance variables, including but not limited to the following:

  • Ability to log into Splunk SOAR (Cloud) (non-SAML)
  • Ability to access Splunk SOAR (Cloud)
  • Ability to access a Splunk SOAR REST API endpoint

Splunk adds predefined system users and system roles to all Splunk SOAR (Cloud) environments. Splunk leverages system users or roles to perform essential monitoring and maintenance activities in Splunk SOAR (Cloud) environments. Customers are advised to not delete or edit system users or roles because they are essential to perform monitoring and maintenance activities in Splunk SOAR (Cloud) environments.

See also

  • Splunk SOAR (Cloud) system users: see Manage Splunk SOAR (Cloud) users and roles in the Splunk SOAR (Cloud) Admin manual.
  • SLA for Splunk Cloud Platform: see Splunk Cloud Service - Service Level Schedule.

Service limits and constraints

The following are Splunk SOAR (Cloud) service limits and constraints within Splunk Cloud Platform. You can use this list as guidance to help ensure the best Splunk SOAR (Cloud) experience. Keep in mind that some limits depend on a combination of configuration, automation designs, system load, performance, and available resources. Contact Splunk if your requirements are different or exceed what is recommended in this table.

Splunk Cloud Platform service limits and constraints

Category Service component Limitation Additional information
Connectors / Apps Private apps unlimited There is no limit to the number of connectors installed. Platform storage space is impacted by the app data and state of ingested objects until the app is removed.
Data Collection HEC maximum content length size limit 1 MB There is a recommended limit to the HEC payload size in Splunk Cloud Platform to ensure data balance and ingestion fidelity. A HEC request can have one or more Splunk events batched into it, but the payload size should be no larger than this limit. If you exceed this limit, you might experience performance issues related to data balance and ingestion fidelity.
Data Egress Dynamic Data Self-Storage export of aged data per index from Splunk Cloud Platform to Amazon S3 or Google Cloud Storage No limit to the amount of data that can be exported from your indexes to your Amazon S3 or Google Cloud Storage account in the same region. Dynamic Data Self-Storage is designed to export 1 TB of data per hour.
Data Egress Search results via UI or REST API Recommend no more than 5% of ingested data For optimal performance, no single query, or all queries in aggregate over the day from the UI or REST API, should return full results of more than 5% of ingested daily volume. To route data to multiple locations, consider solutions like AWS Kinesis Data Firehose.
Data Egress Search results to Splunk User Behavior Analytics (UBA) No limit Data as a result of search queries to feed into Splunk User Behavior Analytics (UBA).
Email notifications Maximum number of email recipients 50 This is a hard limit of the Splunk Cloud Platform email relay service. Use an email distribution list to increase the number of email recipients.
Email notifications Maximum email attachment size 10 MB This is a hard limit of the Splunk Cloud Platform email relay service.
Ingestion Maximum number of Events created per Splunk SOAR (Cloud) environment 750 events per hour The maximum limit to the number of events per hour for the Splunk SOAR (Cloud) environment. Events over this limit can be ingested and processed based on the automation used. Performance is dependent on a number of concurrent users, size and playbook design and customized code usage.

Note: The Splunk SOAR (Cloud) is regression tested to ensure

  • At least 61,000 events per hour with no automation
  • Approximately 4800 events per hour with automation
  • Automation consists of 2 playbooks and 5 actions per playbook per hour

Our acceptable regression is 100% processed. Tests for events and playbooks are processed serially.

Custom Lists Maximum collection size 256 MB The maximum size of a JSON Blob (JBLOB) that is tested with the Splunk SOAR (Cloud) environment.
Database Storage Total maximum size 600 GB The maximum size of RDS Database Store in each deployment per Splunk SOAR (Cloud) environment.

Note: This sizing is sufficient for at least two years of typical use. You can purchase additional storage by contacting your Splunk Account team.

Vault Storage Total maximum size 600 GB The maximum configured size of System File Store in each deployment per Splunk SOAR (Cloud) environment.
Other Splunk SOAR (Cloud) ID For AWS regions, a minimum of 2 characters and a maximum of 22 characters. Any lowercase letter from the alphabet, any number from 0 to 9, and the hyphen character are allowed. All other ASCII characters are not allowed.

For Google Cloud regions, a minimum of 4 characters and a maximum of 22 characters. The ID must start with a letter. Any lowercase letter from the alphabet, any number from 0 to 9, and the hyphen character are allowed. All other ASCII characters are not allowed.

Unique Splunk SOAR (Cloud) name chosen by you that determines your URL at [Splunk Cloud Platform ID].soar.splunkcloud.com or [Splunk Cloud Platform ID].soar.splunkcloudgc.com

The Splunk SOAR (Cloud) ID should not be the same as your Splunk Cloud Platform ID. Splunk has discretion to decline a submitted Splunk SOAR (Cloud) ID and can request that an alternative be selected.

Security IP allow list address rules per Splunk Cloud Platform environment in AWS regions 230 This is the aggregate hard limit of the IP allow list groups for the Splunk SOAR (Cloud) service. For example, the service limit is the aggregate of the IP allow list for collecting data and for sending search queries. Customers specify the IP address or IP address range that is permitted to access Splunk SOAR (Cloud). These are generically referred to as IP allow list rules. These rules can be configured to use CIDR blocks to maximize the IP allow list coverage.
Security IP allow list address rules per Splunk Cloud Platform environment in Google Cloud regions 250 This is the hard limit per IP allow list group. For example, the IP allow list service limit for collecting data is separate from sending search queries. Customers specify the IP address or IP address range that is permitted to access Splunk Cloud Platform. These are generically referred to as IP allow list rules. These rules can be configured to use CIDR blocks to maximize the IP allow list coverage.
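Two of the rows above are input constraints that are easy to get wrong at provisioning time: the Splunk SOAR (Cloud) ID character rules and the hard limit on IP allow list rules. The following added example (not Splunk's code, and not part of this service description) checks a candidate ID against the AWS and Google Cloud rules, and collapses a list of single addresses and CIDR ranges into the smallest equivalent set of CIDR blocks, which is the page's suggested way to keep the rule count under the limit. The sample addresses are constructed from documentation ranges; the function names and the `{"rules", "count", "within_limit"}` result shape are this example's own.

```python
import ipaddress
import re
from typing import Optional

# Hard limits quoted in the service description table.
AWS_ALLOW_LIST_LIMIT = 230   # aggregate limit across allow list groups, AWS regions
GCP_ALLOW_LIST_LIMIT = 250   # limit per allow list group, Google Cloud regions

# Splunk SOAR (Cloud) ID rules from the table: lowercase letters, digits and
# hyphens only; AWS 2-22 characters, Google Cloud 4-22 characters and the
# first character must be a letter.
_ID_RULES = {
    "aws": re.compile(r"^[a-z0-9-]{2,22}$"),
    "gcp": re.compile(r"^[a-z][a-z0-9-]{3,21}$"),
}


def valid_soar_id(candidate: str, provider: str,
                  splunk_cloud_id: Optional[str] = None) -> bool:
    """True if candidate satisfies the ID rules for provider ("aws" or "gcp").

    splunk_cloud_id is optional and reflects the advice that the SOAR ID should
    not be the same as your Splunk Cloud Platform ID.
    """
    if not _ID_RULES[provider].match(candidate):
        return False
    return candidate != splunk_cloud_id


def collapse_allow_list(entries):
    """Parse single addresses and CIDR ranges, then merge adjacent or
    overlapping networks so the number of rules is as small as possible."""
    networks = [ipaddress.ip_network(e.strip(), strict=False) for e in entries]
    collapsed = []
    # collapse_addresses() only accepts one IP version at a time.
    for version in (4, 6):
        same_version = [n for n in networks if n.version == version]
        if same_version:
            collapsed.extend(ipaddress.collapse_addresses(same_version))
    return collapsed


def check_allow_list(entries, limit):
    """Return the collapsed rule set and whether it fits under the hard limit."""
    rules = [str(n) for n in collapse_allow_list(entries)]
    return {"rules": rules, "count": len(rules), "within_limit": len(rules) <= limit}


if __name__ == "__main__":
    # Constructed sample: two halves of a /24 plus three consecutive hosts.
    sample = ["203.0.113.0/25", "203.0.113.128/25",
              "198.51.100.1", "198.51.100.2", "198.51.100.3"]
    print(valid_soar_id("acme-soar", "aws"), valid_soar_id("1acme", "gcp"))
    print(check_allow_list(sample, AWS_ALLOW_LIST_LIMIT))
```

The five sample entries collapse to three rules (`198.51.100.1/32`, `198.51.100.2/31`, `203.0.113.0/24`); reviewing the collapsed set before submitting it also makes it obvious when a range is wider than intended.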

Splunk premium solutions

For more information on purchasing the Splunk SOAR (Cloud) premium solution, contact your Splunk sales representative. Configuration of Splunk SOAR (Cloud) can be done by you or through a Splunk Professional Services engagement. See the Splunk SOAR documentation.

For information on other optional Splunk apps and premium solution subscriptions on Splunk Cloud Platform, see Splunk Premium Solutions.

Splunkbase and private apps

SOAR Connectors (Apps) include features and functionality ranging from data ingest to unique and valuable action integrations. To ensure security and minimize effects on performance, only vetted and compatible apps can run on Splunk Cloud Platform. Note the following:

  • Splunkbase is the system of record for app vetting and compatibility with Splunk SOAR (Cloud). Any app that is listed as compatible with Splunk SOAR (Cloud) can be installed, inclusive of FedRAMP Moderate and DoD IL5.
  • For FedRAMP Moderate and DoD IL5, Splunk's scope of responsibility for apps and add-ons pertains only to apps that meet all the following criteria:
    • Splunk Certified which are Splunk Authored and Splunk Supported
    • Splunk Community which are Cloud Platform Compatible
  • Splunk provides support and maintenance for Splunk Supported Apps. In addition, Splunk Cloud Platform ensures compatibility for any installed Splunk Supported Apps before commencing Splunk Cloud Platform upgrades.
  • Splunk does not provide support or maintenance for apps published by any third-party developers. For any Developer Supported or Not Supported Apps, you need to ensure compatibility with Splunk Cloud Platform.
  • Compatibility of Developer Supported or Not Supported Apps is asserted by the developers of those apps. Splunk does not perform compatibility testing of third-party apps with specific versions of Splunk Cloud Platform.
  • Splunk support will not be able to assist in tailoring the Splunkbase apps to your use case. For apps that grant you the license to customize, you will need to perform the customization yourself or through a Splunk Professional Services engagement.

For more information, see the following:


Apps that are Splunk SOAR (Cloud) vetted and compatible are listed in either the app browser in Splunk Web or through Splunkbase. For more information about self-service app installation, see Add and configure apps and assets to provide actions in Splunk SOAR (Cloud).

Apps you create to support your business needs are called private or custom apps and these apps can also be self-service installed on Splunk SOAR (Cloud). During the private app installation, Splunk will automatically validate your app for Splunk SOAR (Cloud). Private apps that are developed wholly by you are owned by you and any customization of your private app is outside the scope of the Splunk SOAR (Cloud) subscription.

For more information about apps, see the following topics in the Splunk Cloud Platform Admin manual:

Storage

This section describes the data retention policy and the types of storage available to you.

Data retention

When you send data to Splunk SOAR (Cloud), it is stored in block storage and database storage. Splunk SOAR (Cloud) retains data based on SOAR retention settings that let you specify when data is deleted. By default, no retention levels are set. To apply different retention settings to different sources of data, store the data in separate areas according to the desired retention policy. You can configure different data retention policies for individual storage models according to your auditing and compliance requirements. For more information on Splunk SOAR (On-premises) storage models, see Use data retention strategies to schedule and manage your database cleanup. Data retention configuration in Splunk SOAR (Cloud) requires a Splunk support request.

Each model lets you specify the maximum age of events and the units of measure in the model that the service uses to determine when to delete data. A cron job runs daily, pruning the model to the specified maximum size and, when events reach the specified maximum age, deleting the oldest event-related data. Once data is deleted from the model, it is no longer searchable or visible in Splunk Cloud Platform.
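The two-rule prune described above (age first, then trim the oldest data until the model fits its maximum size) is worth seeing as a concrete decision procedure, because it shows which events survive when both limits bite. The following added example is not Splunk's retention code; it models the behaviour the paragraph describes on constructed event records, with `size` in bytes and `max_size_bytes` standing in for the model's configured maximum size (both assumptions of this example).

```python
from datetime import datetime, timedelta


def plan_prune(events, now, max_age_days, max_size_bytes=None):
    """Decide which events a daily prune would delete.

    events: list of dicts with "id", "created" (datetime) and "size" (bytes).
    Rule 1: anything older than max_age_days is deleted.
    Rule 2: if the remaining data still exceeds max_size_bytes, delete the
            oldest remaining events until it fits. None means no size cap.
    Returns (keep_ids, delete_ids) with delete_ids oldest-first.
    """
    cutoff = now - timedelta(days=max_age_days)
    by_age = sorted(events, key=lambda e: e["created"])  # oldest first
    delete = [e["id"] for e in by_age if e["created"] < cutoff]
    remaining = [e for e in by_age if e["created"] >= cutoff]

    if max_size_bytes is not None:
        total = sum(e["size"] for e in remaining)
        while remaining and total > max_size_bytes:
            oldest = remaining.pop(0)
            delete.append(oldest["id"])
            total -= oldest["size"]

    return [e["id"] for e in remaining], delete


def demo_prune():
    """Constructed sample: four events, 365-day age limit, 70-byte size cap."""
    now = datetime(2024, 3, 27)
    events = [
        {"id": "e1", "created": now - timedelta(days=400), "size": 10},  # too old
        {"id": "e2", "created": now - timedelta(days=100), "size": 50},  # trimmed for size
        {"id": "e3", "created": now - timedelta(days=10), "size": 30},
        {"id": "e4", "created": now - timedelta(days=1), "size": 30},
    ]
    return plan_prune(events, now, max_age_days=365, max_size_bytes=70)


if __name__ == "__main__":
    print(demo_prune())
```

In the sample, e1 goes because of age, and e2 goes because the three recent events total 110 bytes against a 70-byte cap; the point for compliance planning is that a size cap can delete data well before its configured maximum age.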

The following are the types of storage available in a Splunk Cloud Platform and Splunk SOAR (Cloud) subscription:

  • Dynamic Data Automation Database (DDAD) is used for the storage of all SOAR automation content stored within the postgres database. You can optionally purchase additional DDAD in 500 GB increments.
  • Dynamic Data File Archive (DDFA) is used for storage of all SOAR files or connector/app files in block storage. You can optionally purchase additional DDFA in 500 GB increments.
  • Dynamic Data Active Searchable (DDAS) is used for searching ingested data. DDAS is also commonly known as searchable storage. You can optionally purchase additional DDAS in 500 GB increments.
  • Dynamic Data Active Archive (DDAA) is used as long-term storage; data in DDAA can be restored to DDAS to be searched. You can optionally purchase additional DDAA in 500 GB increments.

For DDAD and DDFA, your data is encrypted at rest using AES 256-bit encryption at no additional charge. Splunk manages the encryption keys on your behalf by default.

For both DDAS and DDAA, you can choose to have your data encrypted at rest using AES 256-bit encryption for an additional charge. If you choose encryption at rest, Splunk manages the encryption keys on your behalf by default. If available in your region, you have the option to manage the encryption keys instead.

You can review your storage consumption in the Splunk SOAR (Cloud) environment in the Splunk SOAR Administration System Health page.

You can review your Splunk Cloud Platform storage consumption in the Cloud Monitoring Console app included in your Splunk Cloud Platform environment. The app provides information such as the amount of data stored and the number of days of retention for each index.

For more information about the data that Splunk retains and maintains on your behalf, see the Ensures Splunk Cloud Platform uptime and security section in Splunk maintenance responsibilities.

Dynamic Data Active Database (DDAD)

DDAD in your Splunk SOAR (Cloud) environment is sized with 600 GB of storage initially. For user-based subscriptions, you purchase additional DDAD storage based on your data retention requirements, giving you the flexibility to match the variability in your use case. For example, if your forecasted daily volume of events is 350 events per day and your retention needs are 365 days, your Splunk SOAR (Cloud) environment should be sized to have 1 to 1.5 TB of DDAD. On a quarterly basis, Splunk will true-up your DDAS usage storage for any overages and your Splunk Account team will be notified. Note the following:

  • If you ingested far more data than your initial estimate and thus exceeded your entitled DDAD capacity, the Splunk SOAR (Cloud) service will expand the amount of DDAD to retain your data per your retention settings.
  • While DDAD is expanded to ensure your data does not prematurely age out, consistently over-ingesting beyond your estimate might impact platform performance.
  • Splunk will true-up your DDAD usage storage for any overages upon renewal.

Dynamic Data File Archive (DDFA)

DDFA in your Splunk SOAR (Cloud) environment is sized with 600 GB of storage initially. For user-based subscriptions, you purchase additional DDFA storage based on your data retention requirements, giving you the flexibility to match the variability in your use case. For example, if your forecasted daily volume of vault files is 350 events per day at 100 MB of files per event and your retention needs are 365 days, your Splunk SOAR (Cloud) environment should be sized to have 1 to 1.5 TB of DDFA. On a quarterly basis, Splunk will true-up your DDFA usage storage for any overages and your Splunk Account team will be notified. Note the following:

  • If you ingested far more data than your initial estimate and thus exceeded your entitled DDFA capacity, the Splunk SOAR (Cloud) service will expand the amount of DDFA to retain your data per your retention settings.
  • While DDFA is expanded to ensure your data does not prematurely age out, consistently over-ingesting beyond your estimate might impact platform performance.
  • Splunk will true-up your DDFA usage storage for any overages upon renewal.

Dynamic Data Active Searchable (DDAS)

DDAS in your Splunk Cloud Platform environment should be sized based on the volume of uncompressed data that you want to index on a daily basis. For workload-based subscriptions, you purchase DDAS based on your data retention requirements, giving you the flexibility to match the variability in your use case. For example, if your forecasted daily volume of uncompressed data is 1 TB and your searchable retention needs are 365 days, your Splunk Cloud Platform environment should be sized to have 365 TB of DDAS. On a quarterly basis, Splunk will true-up your DDAS usage storage for any overages. Ingest-based subscriptions include sufficient DDAS to allow you to store up to 90 days of your uncompressed data. For example, if your daily volume of uncompressed data is 100 GB, your Splunk Cloud Platform environment will have 9000 GB (9 TB) of DDAS. Note the following:

  • If you ingested far more data than your initial estimate and thus exceeded your entitled DDAS capacity, the Splunk Cloud Platform service elastically expands the amount of DDAS to retain your data per your retention settings.
  • While DDAS is elastically expanded to ensure your data does not prematurely age out, consistently over-ingesting beyond your estimate might impact search performance.

Dynamic Data Active Archive (DDAA)

If you require a lower cost option for long term storage of data, you can optionally augment Splunk Cloud Platform with DDAA. As data ages from DDAS based on your index retention setting, the aged data is automatically moved to DDAA before deletion. Data remains in DDAA until the DDAA retention setting that you specify expires.

Your DDAA subscription allows you to perform restores, subject to the amount of DDAS you have purchased as part of your Splunk Cloud Platform subscription. An additional 10% of DDAS is included with your DDAA subscription to assist with restores. The 10% is calculated based on the total DDAS amount in your subscription. For example, a workload-based subscription that has a 10 TB DDAS entitlement will have an additional 1 TB of DDAS added with a DDAA subscription, effectively increasing the DDAS entitlement to 11 TB. Note that this additional 1 TB should be considered as reserved for DDAA restores, as any restore volumes that result in surpassing the DDAS entitlement might incur a true-up cost.

Note the following:

  • Restored DDAA data is typically ready to search within 24 hours after a restoration request and remains searchable for up to 30 days.
  • Large amounts of DDAA data restore can take beyond 24 hours to complete.
  • Multiple restores that overlap within a 30-day period will accrue against the additional 10% of searchable storage included with your DDAA subscription.
  • For workload-based subscriptions, on a quarterly basis, Splunk will true-up your DDAA usage for any overages.

Dynamic Data Self-Storage (DDSS)

You can also export your aged data from Splunk Cloud Platform. If you activate Dynamic Data Self-Storage (DDSS) to export your aged ingested data, the oldest data is moved to your Amazon S3 or Google Cloud Storage account in the same region as your Splunk Cloud Platform deployment before it is deleted from the index.

Note the following:

  • You are responsible for payments for your use of Amazon S3 or Google Cloud Storage.
  • Aged data is exported unencrypted to your Amazon S3 or Google Cloud Storage account.

See also

For more information about | See
Exporting your aged ingested data | Store expired Splunk Cloud Platform data to your private archive
Archiving your aged ingested data | Store expired Splunk Cloud Platform data to a Splunk-managed archive
Managing indexes | Monitor your Splunk Cloud Platform Deployment in the Splunk Cloud Platform Admin manual
Cloud Monitoring Console | Monitor your Splunk Cloud Platform Deployment in the Splunk Cloud Platform Admin manual
Splunk SOAR Storage | Monitor your Splunk SOAR (Cloud) Deployment in the Splunk SOAR (Cloud) Admin manual
Availability of service components between the AWS and Google Cloud regions | Available regions and region differences

Subscription types

Your subscription to the Splunk SOAR (Cloud) service is user-based. It includes either Standard Success Plan or Premium Success Plan. For more information, refer to the Splunk Success Plan.

User-based subscription

This subscription is based on user capacity, which aligns with the resource capacity consumed rather than the data volume ingested. Your subscription entitles you to the user resources purchased. This subscription meters the number of concurrent users but does not limit the number of user accounts added to the system. You can add more users and load, and operate the service to your desired performance objective. Splunk SOAR (Cloud) is configured with a finite amount of resources, and many factors affect performance. As necessary, you can purchase additional resource capacity by increasing your number of users to improve performance. For your user-based subscription, you purchase units of storage blocks based on your data retention requirements.

For information on license types, see View your Splunk SOAR (Cloud) license.

Data policies

Splunk Cloud Platform administers your data according to the following policies:

  • Your user-based subscription entitles you to the purchased workload resources to adequately support that user base. This subscription meters the number of concurrent users, but does not limit the number of user accounts added to the system.
  • Your user-based subscription has a finite amount of resources. Apps/Connectors, Playbooks, and Events forwarded to your Splunk SOAR (Cloud) all play a part in the performance of the resources assigned.

To monitor health and storage sizes, review current and past daily data ingestion information in Splunk SOAR (Cloud). For more information, see View how much data is ingested in Splunk SOAR (Cloud) using ingestion summary and View your Splunk SOAR (Cloud) license. Splunk recommends that you set up alerts in the Splunk system to monitor your license usage and system health. The Splunk App for SOAR and ITSI have integrations to monitor operational aspects of Splunk SOAR (Cloud) and Splunk SOAR software.

Subscription expansions, renewals, and terminations

You can expand aspects of your Splunk SOAR (Cloud) subscription any time during the term of the subscription to meet your business needs. You can optionally add subscriptions to do the following:

  • Increase your user-based subscription level.
  • Add additional storage capacity in 500 GB increments to store more data.
  • Add encryption services to maintain the privacy of data at rest.
  • Add a HIPAA or PCI DSS cloud environment to assist you with meeting your compliance needs.
  • Add new use cases for Splunk SOAR (Cloud) with Splunk premium solutions such as Enterprise Security (ES) and IT Service Intelligence (ITSI). With workload-based subscriptions, ES entitlement is measured in units of Protected Devices while ITSI entitlement is measured in units of Entity. With ingest-based subscriptions, the unit of measurement is in GB for both entitlements.

You will receive renewal notifications starting 60 days prior to the end date of your current subscription term. For more information on subscription renewals, contact your Splunk sales representative. If your Splunk SOAR (Cloud) subscription expires, it is considered terminated. The policy for terminated Splunk SOAR (Cloud) subscriptions specifies:

  • Your ability to perform searches stops immediately.
  • Your ability to ingest data stops 7 days following termination.
  • Your data is deleted 31 days following termination.

If you require your SOAR data to be moved into your control before the termination of your subscription, this is accomplished through a Splunk Professional Services engagement.

Supported versions

This section lists the supported versions for Premium Apps, forwarders, hybrid search configurations, and Python interpreters that integrate with the Splunk Cloud Platform.

Current Splunk Cloud Platform and Premium App versions

Splunk determines which versions of Splunk SOAR (Cloud), Splunk Cloud Platform, and Premium Apps to make available to Splunk Cloud Platform subscribers. Splunk adopts the release that has the most benefits for customers as quickly as possible. The table lists the current versions for Splunk SOAR (Cloud), Splunk Cloud Platform, and Premium App subscriptions, as of March 2024.

Subscription | Version
Splunk SOAR Software | 6.2.1 (Note: Splunk SOAR (Cloud) will always be at the most current available version, as a Software-as-a-Service product.)
Splunk Cloud Platform | 9.1.2312.101
Splunk Enterprise Security | 7.3.0
Splunk IT Service Intelligence | 4.18.0, with ITSI content pack 1.7.0
Splunk App for PCI Compliance | 4.6

Splunk SOAR software versions use the following release numbering format, which is unique to Splunk SOAR software: [Major Release].[Minor Release].[Build Version]

Wherever possible, the Splunk SOAR (Cloud) and Splunk SOAR (On-premises) products are kept almost identical. See Differences Between Splunk SOAR (Cloud) and Splunk SOAR for the differences.

Supported Python versions

This table lists the supported Python interpreters for Splunk SOAR (Cloud). For more information on Python 2.x deprecation and support on Splunk Cloud Platform, see Prerequisites for migrating from Splunk Phantom to Splunk SOAR (Cloud).

Splunk SOAR version | Supported Python interpreters
Current | 3.9

Technical support

Splunk SOAR (Cloud) subscriptions include either Standard Success Plan or Premium Success Plan. For more information regarding Splunk SOAR (Cloud) support terms and program options, see Splunk Support Programs. You should also note the following:

  • Splunk SOAR (Cloud) offers multiple options to automate your data so it is your responsibility to ensure the correct data model method is configured for your data sources.
  • Splunk SOAR (Cloud) allows you to perform user, playbook, and app management via Splunk SOAR (Cloud). Any customization of Splunk SOAR (Cloud) vetted and compatible apps is also your responsibility.
  • To use multifactor authentication for your Splunk SOAR (Cloud) user accounts, you must use a SAML v2 identity provider that supports multifactor authentication. It is your responsibility to ensure your Splunk SOAR (Cloud) user accounts are properly configured for multifactor authentication.
  • You can choose to leverage the optional Admin on Demand Services to quickly request technical adoption assistance from remote Splunk technical consultants. The Splunk technical consultants can assist you with tasks, such as index creation, building lookups and dashboards, assist with data on-boarding plus install Splunk Cloud Platform vetted and compatible apps.
  • There are features in Splunk Cloud Platform that require assistance from Splunk to activate or change your configuration, such as real-time search and allowing AWS Kinesis Data Firehose data to be received. When you file a support ticket, Splunk will activate such features on your behalf.

See also

For more information about | See
Admin on Demand Services | Admin On Demand data sheet and catalog
Performing user, playbook, and app management | Splunk SOAR (Cloud) Admin Manual

Users and authentication

An initial global administration account is provided for access upon provisioning of the environment. Splunk SOAR (Cloud) allows you to configure local account policies that require unique usernames, a minimum password length, and password resets. You are responsible for creating and administering your users' accounts, the roles assigned to them, the authentication method they use, and global password policies. To control what your Splunk SOAR (Cloud) users can do, you assign them roles, each of which has a defined set of specific capabilities.

Roles give Splunk Cloud Platform users access to features in the service, and permission to perform tasks within the Splunk SOAR (Cloud) service. Each user account is assigned one or more roles. Splunk uses the Admin role and system user roles to perform essential monitoring and maintenance activities. You might observe the Admin and system user roles authenticating against your Splunk Cloud Platform environment as part of Splunk's performing monitoring and maintenance activities. These activities are performed in accordance with a comprehensive security program designed to protect your data's confidentiality, integrity, and availability in accordance with the highest industry standards. Splunk Cloud Platform has been certified by independent third-party auditors to meet SOC2 Type II and ISO 27001 security standards, as described in Compliance and certifications. You should not delete or modify these system users or roles.

Splunk SOAR (Cloud) provides several default roles like the admin role, which has the capabilities required to administer Splunk SOAR (Cloud). You can learn more about all the roles available by reviewing Manage roles and permissions in Splunk SOAR (Cloud). Splunk SOAR (Cloud) does not support direct access to infrastructure, so you do not have command-line access to Splunk Cloud Platform. This means that any supported task that requires command-line access is performed by Splunk on your behalf.

Splunk recommends that, following enterprise best practice, you configure your user accounts to authenticate through a centralized identity provider (IdP) that uses SAML authentication for single sign-on (SSO). To use multifactor authentication for your Splunk Cloud Platform user accounts, you must use a SAML v2 identity provider that supports multifactor authentication. Depending on the Splunk Cloud Platform version and your identity provider (IdP), token-based authentication is supported. While Splunk SOAR software has built-in support for multifactor authentication with Duo, Splunk SOAR (Cloud) only supports this method of integration for local accounts.

Only SHA-256 signatures in the SAML message between your IdP and Splunk SOAR software are supported. You are responsible for the SAML configuration of your IdP including the use of SHA-256 signatures.
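Because the IdP side of the SAML configuration is your responsibility, it helps to be able to confirm from a captured SAML response which algorithms your IdP actually signs with before you file a ticket about a failed login. The following added example (not Splunk's code, and not taken from this service description) parses the `ds:Signature` elements of a response and reports any signature or digest algorithm that is not a SHA-256 one. It inspects declared algorithms only and does not verify the signature itself. The SAML response is constructed for this example, with placeholder digest and signature values; the accepted-algorithm set (RSA-SHA256 and ECDSA-SHA256 signature methods, SHA-256 digests) is this example's interpretation of the "SHA-256 signatures" requirement.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS_NS}

# XML Signature algorithm identifiers that use SHA-256.
SHA256_SIGNATURE_METHODS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"

# Legacy SHA-1 identifiers, used below only to build the negative sample.
SHA1_SIGNATURE = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"

# Constructed sample: one signed assertion with SHA-256 algorithms declared.
SAMPLE_SHA256 = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>analyst@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""

# Same response with the legacy SHA-1 identifiers, and one with no signature.
SAMPLE_SHA1 = (SAMPLE_SHA256
               .replace("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", SHA1_SIGNATURE)
               .replace(SHA256_DIGEST, SHA1_DIGEST))
SAMPLE_UNSIGNED = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2">
  <saml:Assertion ID="_a2"/>
</samlp:Response>
"""


def signature_algorithms(saml_xml):
    """Return [(signature_method, [digest_methods...]), ...], one per ds:Signature."""
    root = ET.fromstring(saml_xml.strip())
    found = []
    for sig in root.iter(f"{{{DS_NS}}}Signature"):
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        digests = [d.get("Algorithm")
                   for d in sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)]
        found.append((method.get("Algorithm") if method is not None else None, digests))
    return found


def weak_algorithms(saml_xml):
    """List every declared algorithm that is not a SHA-256 one (empty list is good)."""
    offending = []
    for method, digests in signature_algorithms(saml_xml):
        if method not in SHA256_SIGNATURE_METHODS:
            offending.append(method or "missing SignatureMethod")
        offending.extend(d for d in digests if d != SHA256_DIGEST)
    return offending


def uses_sha256_only(saml_xml):
    """True only if the response is signed and every algorithm is SHA-256 based."""
    sigs = signature_algorithms(saml_xml)
    return bool(sigs) and not weak_algorithms(saml_xml)


if __name__ == "__main__":
    for name, doc in [("sha256", SAMPLE_SHA256), ("sha1", SAMPLE_SHA1), ("unsigned", SAMPLE_UNSIGNED)]:
        print(name, uses_sha256_only(doc), weak_algorithms(doc))
```

An unsigned response is reported as not acceptable rather than as "no weak algorithms", since an IdP that omits the signature is a configuration problem in its own right; a real SAML response can be captured from the browser's SAML tracer or the IdP's test login and fed to `weak_algorithms` unchanged.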

See also

For more information about | See
Users and roles | Manage Splunk SOAR (Cloud) users and roles in the Splunk SOAR (Cloud) Admin manual
Single Sign On | Configure Splunk SOAR (Cloud) to use SAML for authentication tokens in the Splunk SOAR (Cloud) Admin manual
Token-based authentication | "Create an automation user in Splunk SOAR (Cloud)" in Configure Splunk SOAR (Cloud) to use SAML for authentication tokens in the Splunk SOAR (Cloud) Admin manual
Last modified on 27 March, 2024
 

This documentation applies to the following versions of Splunk® SOAR (Cloud): current

