Welcome to Splunk SOAR (On-premises) 6.4.1
The Splunk SOAR (On-premises) platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.
If you are new to Splunk SOAR (On-premises), read About Splunk SOAR (On-premises) in the Use manual to learn how you can use it for security automation.
If your deployment uses the Splunk SOAR Automation Broker see What's new in Splunk SOAR Automation Broker in the Set up and manage Splunk Automation Broker documentation.
May 27, 2025 Release 6.4.1
Automation Broker requirement notice
Splunk SOAR (On-premises) release 6.4.1 and higher enforce versioning for the Splunk SOAR Automation Broker. You must use a release of the Splunk SOAR Automation Broker that is supported for use with your release of Splunk SOAR (Cloud) or Splunk SOAR (On-premises). See Matching the Splunk SOAR Automation Broker with Splunk SOAR releases in About Splunk SOAR Automation Broker from Set Up and Manage the Splunk SOAR Automation Broker. Splunk SOAR (On-premises) may disconnect from Splunk SOAR Automation Brokers that are outside of the supported versions.
Supported releases for the Splunk SOAR Automation Broker are calculated as "N-1" where "N" is the current release of Splunk SOAR.
- N: The Splunk SOAR Automation Broker release version matching the release version of Splunk SOAR.
- N-1: The previous release version of Splunk SOAR Automation Broker.
Example: If you are using Splunk SOAR (On-premises) release 6.4.1, then you must use either the matching 6.4.1 or the 6.4.0 tagged release of the Splunk SOAR Automation Broker.
Removed feature
Amazon Linux 2: Support for Amazon Linux 2 has been removed. Amazon Linux 2023 is supported. For migration information, see Migrate a Splunk SOAR (On-premises) install from Amazon Linux 2 to Amazon Linux 2023.
Deprecated features
Splunk Mobile App for Splunk SOAR (On-premises): As of this release, this feature is deprecated and will be removed in late 2025.
phantom_scheduler: The phantom_scheduler component is deprecated and will be removed in a future release. The phantom_scheduler is an internal component used by Splunk SOAR (On-premises) for task scheduling. The component is only accessible from a command line and was never intended for use other than by internal systems.
To schedule automatic tasks for your Splunk SOAR (On-premises) deployment, use an operating system tool such as cron. You can add scheduled tasks for Splunk SOAR (On-premises) to your deployment's crontab outside of the block for phantom jobs, which is labeled like this: ### START OF PHANTOM JOBS - KEEP THEM AS THEY ARE ###. Consult the instructions for your deployment's operating system for information about using cron.
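As an added example (not from the Splunk SOAR documentation or the product itself), the following POSIX shell script appends a job to a crontab while keeping the phantom jobs block intact, and checks that the block is byte-for-byte unchanged and that the new entry sits outside it before anything is installed. The END marker text, the phantom service user, and the job paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the Splunk SOAR documentation: append a cron entry to a
# SOAR host's crontab while leaving the "### START OF PHANTOM JOBS ..." block untouched.
# Assumptions: the block opens with the START marker quoted in the release notes and
# closes with a line starting "### END OF PHANTOM JOBS" (assumed marker text); the
# job paths and the "phantom" service user are placeholders.

# Constructed sample crontab, as "crontab -l" would print it (no trailing newline).
SAMPLE_CRONTAB='MAILTO=""
### START OF PHANTOM JOBS - KEEP THEM AS THEY ARE ###
*/5 * * * * /opt/phantom/bin/example_internal_job.sh
### END OF PHANTOM JOBS ###'

# Print the phantom block (markers included) from crontab text $1, for before/after comparison.
phantom_block() {
  printf '%s\n' "$1" | sed -n '/^### START OF PHANTOM JOBS/,/^### END OF PHANTOM JOBS/p'
}

# Print crontab text $1 with cron line $2 appended after everything else, so the new
# job lands outside the phantom block. Lines that look like block markers are refused.
add_cron_entry() {
  case $2 in
    '### '*) echo "refusing to add a line that looks like a block marker" >&2; return 1 ;;
  esac
  printf '%s\n' "$1"
  printf '%s\n' "$2"
}

# Exit 0 only if cron line $2 appears in crontab text $1 outside the phantom block.
entry_outside_block() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^### START OF PHANTOM JOBS/ { inblock = 1 }
    !inblock && $0 == want       { found = 1 }
    /^### END OF PHANTOM JOBS/   { inblock = 0 }
    END { exit(found ? 0 : 1) }'
}

# Demo: merge a nightly export job and verify the phantom block is unchanged before printing.
NEW_ENTRY='0 2 * * * /usr/local/bin/rotate_soar_exports.sh'
MERGED=$(add_cron_entry "$SAMPLE_CRONTAB" "$NEW_ENTRY")
if [ "$(phantom_block "$MERGED")" = "$(phantom_block "$SAMPLE_CRONTAB")" ] \
   && entry_outside_block "$MERGED" "$NEW_ENTRY"; then
  printf '%s\n' "$MERGED"
else
  echo "phantom block was modified or entry missing; not installing" >&2
  exit 1
fi
# To install on a real host (assumed "phantom" service user), keep a backup first:
#   crontab -u phantom -l > /tmp/cron.bak \
#     && add_cron_entry "$(cat /tmp/cron.bak)" "$NEW_ENTRY" | crontab -u phantom -
```

Appending after the whole crontab rather than editing in place is what keeps the phantom block intact; the two checks make the script refuse to install if a future marker change or a stray edit moved the new line inside the block.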
What's new in Splunk SOAR (On-premises)
This release of Splunk SOAR (On-premises) includes the following enhancements.
| Splunk idea | Feature | Description |
|---|---|---|
| | Guided automation enhancements | Guided Automation, also known as Data Preview, now supports Filter and Decision blocks. For details, see Use Data Preview to build, test, and edit playbooks. |
| PPSID-I-448 | Visual Playbook Editor copy-paste shortcuts | New shortcuts allow users to copy and paste multiple blocks within a playbook or across playbooks, preserving data paths and block settings for quick, accurate playbook design. For details, see Use Data Preview to build, test, and edit playbooks. |
| | Pairing with Splunk Enterprise Security* | Information on how to pair your Splunk SOAR instance with your Splunk Enterprise Security instance. For details, see Pair Splunk SOAR with Splunk Enterprise Security. |
| | Visual Playbook Editor changes for ES pairing* | |
| | Automation rules framework* | You can trigger SOAR playbooks for event-based detections or finding-based detections in Splunk Enterprise Security. For details, see Configure automation rules to run playbooks based on detections in Splunk Enterprise Security. |
| | Improved Python efficiency | Real-time custom code validation is now available in SOAR code editors, significantly improving the speed and ease of using custom code across the Splunk SOAR UI. |
| | Ingestion status enhancements | The Ingestion status page now includes a time range selector to focus on the data you want to see and to improve performance. For details, see View ingested container statistics using Ingestion Status. |
| | Webhooks support for Apps | Apps can define webhooks to extend Splunk SOAR (On-premises) with new HTTP endpoints. Apps can use these webhooks to define callback URLs for other services to call. This feature is used by the Microsoft Teams connector to enable the "ask question" action, and other apps may soon implement webhooks of their own. For information on how to manage and configure webhooks defined by assets, see Configure webhooks settings for a Splunk SOAR (On-premises) asset. |

* This feature will be available when your Enterprise Security stack is upgraded to 8.1.
This version of Splunk SOAR uses Splunk Universal Forwarder version 9.4.1.
See also
- For known issues in this release, see Known issues for Splunk SOAR (On-premises).
- For fixed issues in this release, see Fixed issues for Splunk SOAR (On-premises).
- For release notes for the Splunk SOAR Automation Broker, see What's new in Splunk SOAR Automation Broker in the Set up and manage Splunk Automation Broker documentation.
This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.4.1