About Splunk SOAR Automation Broker
You can run actions in playbooks, or on an ad hoc basis while investigating a notable, in Splunk SOAR. If those actions involve on-premises applications or assets, you must install and set up the Splunk SOAR Automation Broker, which runs actions from Splunk SOAR in your on-premises environment.
Splunk SOAR Automation Broker can be used with either Splunk SOAR (Cloud) or Splunk SOAR (On-premises).
Diagram showing Splunk SOAR Automation Broker used with Splunk SOAR (Cloud):
Diagram showing Splunk SOAR Automation Broker used with Splunk SOAR (On-premises):
The Splunk SOAR Automation Broker is not supported in a Splunk SOAR (On-premises) cluster.
Splunk SOAR uses an on-premises application, the Splunk SOAR Automation Broker, to securely run actions through connections to your on-premises tools and applications. Splunk SOAR sends an action request for a specific connector configuration to the Splunk SOAR Automation Broker. In combination with the connector, the Splunk SOAR Automation Broker dispatches the action to the relevant on-premises application.
After the action run completes, the action results are securely communicated to Splunk SOAR using REST and HTTPS.
You don't need the Splunk SOAR Automation Broker to run actions and see the results of those action runs with connectors on your Splunk SOAR (Cloud) instance.
About the Splunk SOAR Automation Broker container
The Splunk SOAR Automation Broker is delivered as a Docker container.
- In release 6.2.1 and higher, the base operating system inside the container is fully updated Ubuntu 20.04.
- In release 6.1.0 through 6.2.0, the base operating system inside the container is fully updated Ubuntu 18.04.
- In releases 6.0.2 and lower, the base operating system inside the container is fully updated CentOS 7.2009.
Each Splunk SOAR Automation Broker release has all operating system patches applied when it is built.
Matching the Splunk SOAR Automation Broker with Splunk SOAR releases
You must use a release of the Splunk SOAR Automation Broker that is supported for use with your release of Splunk SOAR (Cloud) or Splunk SOAR (On-premises).
Supported releases are:
- The matching release version
- The previous release version
Example
If you are using Splunk SOAR (On-premises) release 6.1.0, then you must use either the matching 6.1.0 or the 6.0.2 tagged release of the Splunk SOAR Automation Broker.
See these topics for more information on installing, upgrading, or interacting with the Automation Broker.
- Install Splunk SOAR Automation Broker
- Upgrade or update the Splunk SOAR Automation Broker
- Interact with the Splunk SOAR Automation Broker
Communications limits
The Splunk SOAR Automation Broker supports transferring action requests or action results and logs up to 100 MB in size.
See also
- Docker documentation website: https://docs.docker.com
- Install Docker on CentOS: https://docs.centos.org/en-US/docs/
- Install Docker on Ubuntu: https://docs.docker.com/engine/install/ubuntu/
- Install Docker on Amazon Linux 2: Creating a container image for use on Amazon ECS
- Podman documentation website: Podman Docs
- Installing Podman: Podman Installation
This documentation applies to the following versions of Splunk® Automation Broker: current