Splunk® SOAR (Cloud)

Migrate from Splunk Phantom to Splunk SOAR (Cloud)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Migrate Splunk Phantom administration settings to Splunk SOAR (Cloud)

Perform the following steps to reconfigure your Splunk Phantom administration settings in Splunk SOAR (Cloud). Some administration settings can be migrated using the Splunk Phantom REST API. See REST System Settings in the REST API Reference for Splunk Phantom manual.

  1. Perform the prerequisite migration steps. See Prerequisites for migrating from Splunk Phantom to Splunk SOAR (Cloud).
  2. Navigate to your Splunk SOAR (Cloud) instance. From the main menu in Splunk SOAR (Cloud), click Administration to see the list of settings.
  3. Configure Company Settings. In Splunk SOAR (Cloud), there is no option to change the Base URL or the licensing settings. See Configure your company settings in the Administer manual.
  4. Configure Administration Settings. See Configure a source control repository for your playbooks in the Administer manual. The following options have changed in Splunk SOAR (Cloud):
    1. You can't configure playbook execution from the Administration Settings.
    2. The Source Control setting only accepts HTTP or HTTPS connections. HTTP sends the username and password or token in plain text, as the protocol requires.
    3. Email settings are already configured. Don't change the email settings unless you are planning on using a different SMTP forwarder that is internet accessible.
  5. Configure Product Settings. In Splunk SOAR (Cloud), there isn't the option to configure clustering, multi-tenancy, or telemetry. There is also a new configuration setting called the Automation Broker. See Set Up and Manage the Splunk SOAR Automation Broker in the Splunk Automation Broker manual.
  6. Configure Event Settings. All event settings can be recreated in Splunk SOAR (Cloud) in the same way that they are used in Splunk Phantom. See Create custom status labels in the Administer manual.
  7. Configure User Management Settings. See Manage users in the Administer manual. The following options have changed in Splunk SOAR (Cloud):
    1. In Splunk SOAR (Cloud), configure users only if you are using only local credentials for access. If you aren't using local credentials, SAML2 is the only authorized authentication method. If you decide to configure local authentication, ensure that you correctly copy the settings for Account Security so that the proper authentication policies are in place.
    2. Configure the Roles & Permissions settings before you configure the Authentication settings.
    3. Configure Authentication settings. The Authentication settings only have SAML2 as a configuration option. Remember to add groups assertions to the Splunk SOAR Role to allow for authentication automapping to allowable group or role permissions.
  8. Configure System Health Settings. The following options have changed in Splunk SOAR (Cloud):
    1. The Debugging setting can only be changed for the action daemon. The default is warning. See Configure the logging levels for the Splunk SOAR action daemon in the Administer manual.
    2. The audit settings on the Audit Trail page are configured by default and can't be changed.
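
The source control restriction in step 4 can be checked before migration by classifying each repository URI configured in Splunk Phantom. The following Python sketch is an added example, not code from Splunk or from this manual; the function names, the sample URIs and the embedded-credentials warning are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# scp-style Git remote (user@host:path): an SSH remote with no URL scheme.
SCP_STYLE = re.compile(r"^[\w.-]+@[\w.-]+:(?!//)")

def redact(uri):
    """Mask any userinfo so secrets are not echoed into the report."""
    return re.sub(r"//[^/@]+@", "//***@", uri)

def classify_repo_uri(uri):
    """Return (verdict, reason); verdict is 'ok', 'warn' or 'reject'."""
    uri = uri.strip()
    if SCP_STYLE.match(uri):
        return ("reject", "scp-style SSH remote, not HTTP or HTTPS")
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return ("reject", f"scheme {scheme or '(none)'!r} is not HTTP or HTTPS")
    if not parts.hostname:
        return ("reject", "no host in URI")
    if scheme == "http":
        return ("warn", "HTTP sends the credentials or token in plain text")
    if parts.username or parts.password:
        # Extra hygiene check added for this example, not a documented rule.
        return ("warn", "credentials are embedded in the URI")
    return ("ok", "HTTPS")

def audit(uris):
    """Group redacted URIs by verdict so blockers are fixed before migrating."""
    report = {"ok": [], "warn": [], "reject": []}
    for uri in uris:
        verdict, reason = classify_repo_uri(uri)
        report[verdict].append((redact(uri), reason))
    return report

# Constructed sample input; hosts and paths are placeholders.
SAMPLE_URIS = [
    "https://git.example.com/soc/playbooks.git",
    "http://git.example.com/soc/playbooks.git",
    "https://svc:s3cret@git.example.com/soc/playbooks.git",
    "git@git.example.com:soc/playbooks.git",
    "ssh://git@git.example.com/soc/playbooks.git",
    "/opt/phantom/scm/local",
]

if __name__ == "__main__":
    for verdict, items in audit(SAMPLE_URIS).items():
        for uri, reason in items:
            print(f"{verdict.upper():6} {uri}  ({reason})")
```

Repositories reported as `reject` need an HTTP or HTTPS remote before they can be configured in Splunk SOAR (Cloud); those reported as `warn` for HTTP expose their credentials on the wire.
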
Last modified on 06 November, 2024

This documentation applies to the following versions of Splunk® SOAR (Cloud): current

