Splunk® SOAR (Cloud)

Administer Splunk SOAR (Cloud)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.

Splunk SOAR (Cloud) in restricted environments

Splunk SOAR (Cloud) is available for restricted environments, such as FedRAMP Moderate (IL2), Health Insurance Portability and Accountability Act (HIPAA), Information Security Registered Assessors Program (IRAP), and Payment Card Industry Data Security Standard (PCI DSS).

Splunk SOAR (Cloud) FedRAMP Moderate

This section applies only to Splunk SOAR (Cloud) in FedRAMP Moderate environments.

Splunk SOAR (Cloud) is available for customers who must meet United States Federal Information Processing Standard (FIPS) 199 Moderate Impact Level requirements.

Splunk SOAR (Cloud) FedRAMP Moderate is different from Splunk SOAR (Cloud) in these areas:

Area: Hosting
Difference: Splunk SOAR (Cloud) FedRAMP Moderate is hosted in AWS GovCloud (US) regions.

Area: FIPS mode
Difference: FIPS mode is turned on for all Splunk SOAR (Cloud) FedRAMP Moderate deployments. Any Splunk SOAR Automation Brokers that you use in conjunction with your deployment must also run in FIPS mode.

Area: Playbooks
Difference: Splunk SOAR (Cloud) FedRAMP Moderate playbooks have additional restrictions over Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instances.
  • Playbooks cannot modify declared global variables.
  • Playbooks cannot open direct connections to the PostgreSQL database. Playbooks must use the playbook automation APIs.
  • Playbooks cannot share information between playbook runs by using the host's file system.
  • The directories /tmp and /opt/phantom/tmp cannot be used to share information between playbook runs. These directories can still be used to share information in the context of a single playbook run.
  • Playbooks cannot read or modify the directory /opt/phantom/vault by using the file system. Playbooks that interact with the vault must use the Vault automation API.
  • Playbooks should not create subprocesses, either by using the built-in os.system Python function or the built-in subprocess Python module.

Area: Automation isolation
Difference: Playbook code run in Splunk SOAR (Cloud) FedRAMP Moderate environments is run in isolation using dynamically managed containers. These containers are connected to Splunk SOAR (Cloud) FedRAMP Moderate through an internal automation broker.

Area: Internal automation broker
Difference: Splunk SOAR (Cloud) FedRAMP Moderate uses an internal Splunk SOAR Automation Broker to run actions.
  • The internal automation broker is called soar_internal_ab, and cannot be edited or deleted.
  • You can see the status of the internal automation broker from the Home menu, Administration, Product settings, Automation Broker.
For more information about the Splunk SOAR Automation Broker, see About Splunk SOAR Automation Broker.

Area: Restoring from Splunk SOAR (On-premises) or Splunk SOAR (Cloud)
Difference: Splunk SOAR (Cloud) FedRAMP Moderate does not currently allow migration of any native data from Splunk SOAR (On-premises) or existing Splunk SOAR (Cloud) instances. This data includes containers, artifacts, notes, comments, and playbook and action run data. A recommended alternative method is to use the Splunk App for SOAR to move relevant data to Splunk Cloud Platform for retention.
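
The playbook restrictions listed above can be checked statically before a playbook is moved to a FedRAMP Moderate deployment. The following is an added example, not Splunk code: a Python ast-based scan in which the function name, the PostgreSQL driver list, the finding labels and the sample playbook are all assumptions constructed for illustration. It is a heuristic and does not catch aliased imports such as "from os import system" or in-place mutation of a global object.

```python
import ast

PG_DRIVERS = {"psycopg2", "psycopg", "asyncpg", "pg8000"}  # assumed driver module names
VAULT_DIR = "/opt/phantom/vault"
TMP_DIRS = ("/tmp", "/opt/phantom/tmp")

def _under(path, root):
    return path == root or path.startswith(root + "/")

def audit_playbook(source):
    """Return sorted (line, finding) pairs for constructs the restrictions rule out."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = ([a.name for a in node.names] if isinstance(node, ast.Import)
                    else [node.module or ""])
            for mod in mods:
                top = mod.split(".")[0]
                if top == "subprocess":
                    found.add((node.lineno, "subprocess module"))
                elif top in PG_DRIVERS:
                    found.add((node.lineno, "direct PostgreSQL driver"))
        elif isinstance(node, ast.Global):  # heuristic: rebinding a module-level name
            found.add((node.lineno, "global statement"))
        elif isinstance(node, ast.Call) and ast.unparse(node.func) == "os.system":
            found.add((node.lineno, "os.system call"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if _under(node.value, VAULT_DIR):
                found.add((node.lineno, "vault path on file system"))
            elif any(_under(node.value, d) for d in TMP_DIRS):
                found.add((node.lineno, "tmp path: single-run use only"))
    return sorted(found)

# Constructed sample playbook (not from the Splunk documentation).
SAMPLE = '''\
import subprocess
import psycopg2
counter = 0
def on_start(container):
    global counter
    os.system("id")
    open("/opt/phantom/vault/ab/cd", "rb")
    open("/tmp/state.json", "w")
'''

if __name__ == "__main__":
    print(*audit_playbook(SAMPLE), sep="\n")
```

The tmp finding is a review prompt rather than a violation, because /tmp and /opt/phantom/tmp remain usable within a single playbook run.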
Last modified on 18 September, 2024

This documentation applies to the following versions of Splunk® SOAR (Cloud): current

