Splunk® SOAR (On-premises)

Release Notes

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Welcome to 6.0.0

If you are new to , read About in the Use manual to learn how you can use for security automation.

If your deployment uses the Splunk SOAR Automation Broker see the Release Notes for the concurrent release.

What's new in 6.0.0

This release of includes the following enhancements.

Feature Description
Important:
New SOAR default administrative user
Starting with this release, the default administrative user is called soar_local_admin. This change is to support user accounts with the user name admin in single sign-on systems.
  • On new deployments of version 6.0.0 and higher, the administrator account is created as soar_local_admin.
  • On deployments which have upgraded from versions 5.5.0 or earlier:
    • The existing user account admin will be automatically renamed to soar_local_admin.
    • A copy of the existing user account admin will be created with the user name admin. This copy is for your convenience, and may be deleted.


Action needed

  • Before you upgrade: If you already have a user account named soar_local_admin, you must rename that user account.
  • After you upgrade: Anywhere you are explicitly using the user id admin, for example, in asset configurations, playbooks, scripts using the REST API, or custom apps, you should change to soar_local_admin. You must make this change manually.
Find related playbooks Find existing playbooks associated with your installed apps. You can use an existing playbook from the community or from your instance, so you do not have to create playbooks from scratch. For details, see Find existing playbooks for your apps.
Custom Functions and Custom Lists location update Custom Functions and Custom Lists now have their own menu selections under the Home menu. They are no longer located within the Playbooks section. For details, see Add custom code to your playbook with a custom function and Create custom lists for use in playbooks.
User-based data paths You can now specify the user who launched the current playbook run, either by id or name, when configuring datapaths in the following playbook blocks: action, code, custom function, decision, and filter. These options appear in the datapath picker under playbook . For details, see Specifying data in your playbook and Understanding datapaths in the Python playbook API Reference.
Nested values in custom fields You can now access values nested inside custom fields using datapaths instead of writing custom code. For details, see Important datapaths in the Playbook API in the Python Playbook API Reference for documentation.
Pending icon for playbooks waiting to run A new icon helps distinguish between playbooks that are currently running and those that are waiting. In the Sources view/Analyst queue, the Activity panel displays the following icons for the running playbook:

Icon of arrows turning in a circle - Playbook is currently running
Icon of a clock face - Playbook is waiting its turn to run, or is waiting for user input in a Prompt block.
The Pending status is now an option for the /rest/action_run/<id>/app_runs API. For details, see the /rest/action_run/<id> section of the REST Run Action article.

New delimiter option for Playbook Automation API For the condition and decision endpoints, you can now specify any string as a delimiter to split field values in artifacts (CEF fields) by that string and treat the results as a list. For details, see condition and decision in the Playbook API article.
Playbook API decision endpoint Boolean values automatically converts true and false strings to their Boolean values in the Playbook API decision endpoint. For details, see decision in the Playbook API article.
Performance improvement - loading apps Default apps that are a part of Splunk SOAR install and upgrade are not fully installed until an asset is configured against them.

See also

  • For known issues in this release, see Known issues for .
  • For fixed issues in this release, see Fixed issues for .
  • For release notes for the Splunk SOAR Automation Broker, see Release Notes in the Set up and manage Splunk Automation Broker documentation.
Last modified on 30 October, 2024
  Known issues for

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters