Splunk® SOAR (Cloud)

Administer Splunk SOAR (Cloud)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Take a tour of and perform product onboarding when you log in for the first time

When you log in to for the first time, there are several screens you must navigate before arriving at the home page. The screens appear in the following order:

Read and accept the Splunk End User License Agreement

When you log in to for the first time, you must read and accept the Splunk End User License Agreement.

  1. Scroll to the bottom of the End User License Agreement.
  2. Click I Accept.

Review and understand how Splunk collects and uses aggregated product usage data

Splunk collects and sends anonymized usage data to Splunk. This behavior is enabled by default. Read the text on the Helping You Get More Value from Splunk Software page and click Got it.

See Share data from for information about how to opt out, what information is shared, and how it is used.

Take a tour of and create some sample data

Generate some sample data and get a guided tour of 's main pages.

Click Exit Tour at any time to leave the tour and go to the onboarding tutorial, where you can Configure basic settings for your instance, data sources, playbooks, and apps and assets.

Perform the following tasks to create some sample data and take the guided tour:

  1. Click Get Started to begin the product tour and create sample events.
  2. Generate some sample events. Click the number of sample events you want to generate. After the events are generated, the Sources page shows you the sample events.
  3. Click View Event to view the details for an event on the Investigation page.
  4. Click Run Playbook to run a playbook against this event. In Investigation, the Activity tab shows the automated actions taken against the event by the playbook.
  5. Click View Playbook to view the playbook in the Playbook Editor. Playbooks run from the Start block and perform the actions up to the End block.
  6. Click Configure to complete the tour and go to the onboarding tutorial, where you can Configure basic settings for your Splunk SOAR instance, data sources, playbooks, and apps and assets.

Configure basic settings for your instance, data sources, playbooks, and apps and assets

Click Skip on-boarding at any time to go directly to the home page. See Log in and navigate in Use .

Configure basic settings

Configure basic administrative and email settings for your instance.

  1. Configure the administrative password, company name, IT contact email address, system time zone, and the base URL for this instance. If you skip the on-boarding, you can configure these fields later. See Configure your company settings in for more information about these fields.
  2. Configure email server settings. requires an email server to send users email for action approvals, when SLAs are breached, and when items that they are tracking change. If you skip the on-boarding, you can configure the email server and asset later. See Add and configure apps and assets to provide actions in .
    1. Use smtp as the default asset name, or enter a new name.
    2. Enter the IP address or hostname of the email server.
    3. Select the SSL method that your instance should use to connect to the email server.
    4. Complete the email asset configuration by providing a tag, username, password, sender address, and port.
    5. Click Enable Unicode Support to enable to properly display Unicode characters in the emails.

Splunk SOAR (Cloud) comes preconfigured with an SMTP asset called internal_smtp. The sender address of the internal_smtp asset cannot be changed. If you want Splunk SOAR (Cloud) to send emails from another address and domain, configure an SMTP asset using the previous instructions.

Configure a data source

Configure a data source from which can ingest data. In this on-boarding procedure, you can add one data source. You can add additional data sources later at any time. See Add and configure apps and assets to provide actions in .

Perform the following tasks to configure a data source during the on-boarding procedure.

  1. Select a data source. For example, you can configure your email server as a data source.
  2. Select or specify an asset name. For example, "office365-phishing-inbox".
  3. Select or specify a container name. For example, "FW: Spam Quarantine Notification".
  4. (Optional) Click Additional Information to expand the section.
    1. Enter one or more Tags to attach to the objects from this data source. With the email server example, you might want to add tags that specify the inbox name the email came from, or the backing service, such as "office365".
    2. Enter a description for the asset. For example, "Data ingested from Office 365".
    3. Complete other fields specific to the asset type. The fields may vary depending on the data source you selected. With this example, you might want to configure the Mailbox folder to be Polled and the Maximum Emails to Poll First Time for Scheduled Polling.
  5. Click Save.
  6. In some cases, you are asked to perform additional tasks. For example, if you configure a Splunk data source, you must record the authorization token that is provided and also download a separate app from Splunkbase in order for the integration between and the Splunk platform to work.
  7. Click Continue.

Run a demo playbook

A list of playbooks is available based on the data source you configured. Select a playbook you want to run, then click Save and Continue.

Configure apps and assets

Configure apps and assets that will provide actions for your playbooks.

  1. Select the apps that will provide the actions for the selected playbook.
    • If you selected the investigate playbook, select one app in each of the Information Services, File Reputation Services, Domain Reputation Services, Sandbox, and Threat Intel.
    • If you selected the hunting playbook, select one app in each of the Information Services, Endpoint Services, File Reputation Services, and Sandbox.
  2. In the Select Apps to Configure section, select each app and provide the required information to configure an instance of the app, called an asset.
  3. Select Additional Information to expand the section and provide additional information.
  4. Select Save and Test Connectivity to verify the configuration of each asset.
Last modified on 18 September, 2024
Reset the admin password   security information

This documentation applies to the following versions of Splunk® SOAR (Cloud): current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters