Splunk® Automation Broker

Set Up and Manage the Splunk SOAR Automation Broker

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

About Splunk SOAR Automation Broker

You can run actions in playbooks or on an ad hoc basis while investigating a notable in Splunk SOAR. If those actions involve on-premises applications or assets, you must set up and install the Splunk SOAR Automation Broker in order to run those actions. You can use the Splunk SOAR Automation Broker to run actions from Splunk SOAR in your on-premises environment.

Splunk SOAR Automation Broker can be used with either Splunk SOAR (Cloud) or Splunk SOAR (On-premises).

Diagram showing Splunk SOAR Automation Broker used with Splunk SOAR (Cloud): This screen image shows a flowchart of how the Splunk Automation Broker works with Splunk SOAR (Cloud). On the left is a cloud icon surrounding an icon for a web-based user interface. From the top of this icon, several lines capped with boxes represent connectors to cloud services. A double-headed arrow points to and from a cloud icon representing the Cloud Gateway Service in the center of the image. An icon representing the Splunk Automation Broker is on the other side of the Cloud Gateway Service. From the top of that icon, on the right, several lines capped with boxes represent connectors to on-premises services. Two unidirectional arrows point from the Splunk Automation Broker. The first arrow points directly to Splunk SOAR (Cloud), transporting action results and logs. The second arrow points to the Cloud Gateway Service, transporting action requests.

Diagram showing Splunk SOAR Automation Broker used with Splunk SOAR (On-premises): This screen image shows a flowchart of how the Splunk Automation Broker works with Splunk SOAR (On-premises). On the left is a cloud icon surrounding an icon for a web-based user interface. From the top of this icon, several lines capped with boxes represent connectors to remote network segment's services. An icon representing the Splunk Automation Broker appears in the center of the image. An icon representing the on-premises system is on the other side of the Splunk Automation Broker.  From the top of that icon, on the right, several lines capped with boxes represent connectors to on-premises services. Two bidirectional arrows point from the Splunk Automation Broker to both the web-based, remote network segment on the left and the rest of the network on the right. The first arrow points directly to Splunk SOAR (Cloud), transporting action results and logs. The second arrow points to the Cloud Gateway Service, transporting action requests.

Splunk SOAR uses an on-premises application, the Splunk SOAR Automation Broker, to securely run actions through connections to your on-premises tools and applications. Splunk SOAR sends an action request for a specific connector configuration to the Splunk SOAR Automation Broker. In combination with the connector, the Splunk SOAR Automation Broker dispatches the action to the relevant on-premises application.

After the action run completes, the action results are securely communicated to Splunk SOAR using REST and HTTPS.

You don't need the Splunk SOAR Automation Broker to run actions and see the results of those action runs with connections to cloud services.

About the Splunk SOAR Automation Broker container

The Splunk SOAR Automation Broker is delivered as a Docker container.

In release 6.1.0 and later, the base operating system inside the container is fully updated Ubuntu 18.04. In lower releases, the base operating system inside the container is fully updated CentOS 7.2009.

Each Splunk SOAR Automation Broker release has all operating system patches applied when it is built.

Matching the Splunk SOAR Automation Broker with Splunk SOAR releases

You must use a release of the Splunk SOAR Automation Broker that is supported for use with your release of Splunk SOAR (Cloud) or Splunk SOAR (On-premises).

Supported releases are:

  • The matching release version
  • The previous release version

Example

If you are using Splunk SOAR (On-premises) release 6.1.0, then you must use either the matching 6.1.0 or the 6.0.2 tagged release of the Splunk SOAR Automation Broker.

See these topics for more information on installing, upgrading, or interacting with the Automation Broker.

Communications limits

The Splunk SOAR Automation Broker supports transferring action requests or action results and logs up to 100MB in size.

See also

Last modified on 26 September, 2023
PREVIOUS
Release Notes
  NEXT
Install Splunk SOAR Automation Broker

This documentation applies to the following versions of Splunk® Automation Broker: current


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters