Splunk® SOAR (Cloud)

Release Notes


What's new in Splunk SOAR (Cloud)

Splunk SOAR (Cloud) is a cloud-based Security Orchestration, Automation, and Response (SOAR) system that is delivered as a SaaS (software-as-a-service) solution hosted and managed by Splunk Inc.

The platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools so you can orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.

Splunk SOAR (Cloud) releases continuously. This list is periodically updated with the latest functionality and changes to Splunk SOAR (Cloud).

May 17, 2023 Release 6.0.1

Enhancements

This release of Splunk SOAR (Cloud) includes the following enhancements.

Updated encryption algorithm
Action might be required
The encryption algorithm for SAML has been updated from rsa-1_5 to rsa-oaep-mgf1p.

If you have not done so already, update the configured SAML encryption algorithm on your IDP to rsa-oaep-mgf1p. For information, see Configure single sign-on authentication for Splunk SOAR (Cloud) in the Administer documentation.
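As an added check (example code, not Splunk's), the following Python inspects a SAML response or IdP metadata and reports whether the RSA key-transport algorithm is still the legacy rsa-1_5 (RSA PKCS#1 v1.5) or the rsa-oaep-mgf1p (RSA-OAEP) value this release expects. The algorithm URIs are the standard XML Encryption identifiers; the XML samples, their entityID and their PLACEHOLDER cipher values are constructed.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"          # XML Encryption algorithm namespace
MD = "urn:oasis:names:tc:SAML:2.0:metadata"         # SAML metadata namespace
RSA_1_5 = XENC + "rsa-1_5"                           # legacy PKCS#1 v1.5 key transport
RSA_OAEP_MGF1P = XENC + "rsa-oaep-mgf1p"             # RSA-OAEP, the value SOAR 6.0.1 expects


def key_transport_algorithms(xml_text):
    """Return the set of RSA key-transport algorithm URIs declared in a SAML
    response (xenc:EncryptedKey) or in IdP metadata (md:KeyDescriptor)."""
    root = ET.fromstring(xml_text)  # use a hardened parser for untrusted XML
    found = set()
    for enc_key in root.iter(f"{{{XENC}}}EncryptedKey"):
        method = enc_key.find(f"{{{XENC}}}EncryptionMethod")
        if method is not None and method.get("Algorithm"):
            found.add(method.get("Algorithm"))
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "encryption") != "encryption":
            continue  # a signing-only key says nothing about key transport
        for method in kd.findall(f"{{{MD}}}EncryptionMethod"):
            if method.get("Algorithm"):
                found.add(method.get("Algorithm"))
    # Drop data-encryption algorithms (aes*-cbc, ...); keep only RSA key transport.
    return {uri for uri in found if uri.startswith(XENC + "rsa-")}


def assess(xml_text):
    """Classify the IdP side: legacy rsa-1_5 still present, rsa-oaep-mgf1p only, or other."""
    algos = key_transport_algorithms(xml_text)
    if not algos:
        return "none"
    if RSA_1_5 in algos:
        return "legacy-rsa-1_5"  # IdP still needs updating for SOAR 6.0.1
    if algos == {RSA_OAEP_MGF1P}:
        return "ok-rsa-oaep-mgf1p"
    return "other"


def sample_response(key_transport_uri):
    """Constructed SAML response whose assertion key is wrapped with the given algorithm."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="{XENC}"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="{XENC}Element">
      <xenc:EncryptionMethod Algorithm="{XENC}aes256-cbc"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="{key_transport_uri}"/>
          <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def sample_idp_metadata(*key_transport_uris):
    """Constructed IdP metadata advertising the given key-transport algorithms."""
    methods = "".join(f'<md:EncryptionMethod Algorithm="{u}"/>' for u in key_transport_uris)
    return f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.invalid">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">{methods}
      <md:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `assess()` over a captured response from your IdP, or over its published metadata, to confirm the change before users are affected.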

New behavior in asset configuration when changing app versions
As part of an app upgrade, downgrade, or reinstall, Splunk SOAR (Cloud) automatically performs the following actions for any asset configurations associated with that app:
  • adds new fields present in the version you are changing to, along with their default values if the app provides a default value
  • removes fields not present in the version you are changing to, along with any values associated with them

Note when switching back and forth between versions: If you set a configuration setting to a custom value, then switch to a version of the app that removes that configuration setting, then switch back to the original version, your custom value will either:

  • revert to the default value, if the app provides a default value, or
  • not be present in the asset configuration, if the app does not provide a default value.

For more information on app configurations, see Configure metadata in a JSON schema to define your app's configuration in Develop Apps for Splunk SOAR (Cloud).

Comma splitting in Decision and Filter playbook blocks
When configuring Decision and Filter blocks, you can now choose whether to use a delimiter and, if so, specify the string to use as the delimiter. For additional details, see Specify a datapath in your playbook in the Build Playbooks with the Playbook Editor manual.

Custom status label length increased
Custom status labels can now be up to 128 characters long. For additional details, see Create custom status labels in Splunk SOAR (Cloud) in the Administer documentation.

Improved visual playbook editor experience
Additional background block output calculations run automatically when you open a playbook, providing increased reliability.

See also

  • For known issues in this release, see Known issues for Splunk SOAR (Cloud).
  • For fixed issues in this release, see Fixed issues for Splunk SOAR (Cloud).
  • For release notes for Automation Broker, see Release Notes in the Set up and manage Splunk Automation Broker documentation.




February 22, 2023 Release 6.0.0

Enhancements

This release of Splunk SOAR (Cloud) includes the following enhancements.

Important:
New SOAR default administrative user
Starting with this release, the default administrative user is called soar_local_admin. This change is to support user accounts with the user name admin in single sign-on systems.
  • On new deployments of version 6.0.0 and higher, the administrator account is created as soar_local_admin.
  • On deployments which have been upgraded from versions 5.5.0 or earlier:
    • The existing user account admin will be automatically renamed to soar_local_admin.
    • A copy of the existing user account admin will be created with the user name admin. This copy is for your convenience, and may be deleted.


Action needed

  • After you upgrade: Anywhere you are explicitly using the user ID admin, for example in asset configurations, playbooks, scripts using the REST API, or custom apps, change it to soar_local_admin. You must make this change manually.
Integration with Splunk Mission Control
If you have Splunk Mission Control installed, you can now use Splunk SOAR (Cloud) playbooks to automate against your Splunk Mission Control incidents. Add Mission Control blocks to your playbooks to write a playbook that uses data from Splunk Mission Control. For details, see Investigate and Respond to Threats in Splunk Mission Control.

Find related playbooks
Find existing playbooks associated with your installed apps. You can use an existing playbook from the community or from your instance, so you do not have to create playbooks from scratch. For details, see Find existing playbooks for your apps.

Custom Functions and Custom Lists location update
Custom Functions and Custom Lists now have their own menu selections under the Home menu. They are no longer located within the Playbooks section. For details, see Add custom code to your playbook with a custom function and Create custom lists for use in playbooks.

User-based data paths
You can now specify the user who launched the current playbook run, either by ID or by name, when configuring datapaths in the following playbook blocks: action, code, custom function, decision, and filter. These options appear in the datapath picker under playbook . For details, see Specify data in your playbook and Understanding datapaths in the Python playbook API Reference.

Pending icon for playbooks waiting to run
A new icon helps distinguish between playbooks that are currently running and those that are waiting. In the Sources view (Analyst queue), the Activity panel displays the following icons for the running playbook:

Icon of arrows turning in a circle - Playbook is currently running.
Icon of a clock face - Playbook is waiting its turn to run, or is waiting for user input in a Prompt block.

The Pending status is now an option for the /rest/action_run/<id>/app_runs API. For details, see the /rest/action_run/<id> section of the REST Run Action article.

New delimiter option for Playbook Automation API
For the condition and decision endpoints, you can now specify any string as a delimiter; field values in artifacts (CEF fields) are split on that string and the results are treated as a list. For details, see condition and decision in the Playbook API article.

Playbook API decision endpoint Boolean values
Splunk SOAR (Cloud) automatically converts the strings true and false to their Boolean values in the Playbook API decision endpoint. For details, see decision in the Playbook automation API article.

Performance improvement - loading apps
Default apps that are part of the Splunk SOAR install and upgrade are not fully installed until an asset is configured against them.

January 4, 2023

There are no new enhancements in this release.

This release is a patch for the December 14 release. Refer to the Fixed Issues page for details on issues fixed in this patch release.

December 14, 2022

Deprecated features

The following features are deprecated as of release 5.5.0. Although these features continue to function, support might be removed in a future release.

  • Support for DUO 2FA is deprecated.
  • Support for OpenID as an identity provider is deprecated.

Enhancements

This release of Splunk SOAR (Cloud) includes the following enhancements.

Performance improvement for Indicators
To improve performance, the way data is polled and filtered for the Indicators feature has changed.

If an event contains an artifact larger than 4KB, no Indicator is created or displayed in Home menu > Indicators for that event.
This change only affects new deployments of Splunk SOAR (Cloud).

User-based data paths
In Prompt playbook blocks, you can now choose to prompt newly defined, dynamic users and roles. New prompt options include Event owner and Playbook run owner. For details, see Require user input using the Prompt block in your playbook and prompt2 in the Playbook automation API article.

Custom Functions - List output type
Custom functions now have the concept of output types. There are two output types:
  • Item - The original output type. This is the default when creating the data type.
  • List - New output type. Creates and returns a list of items.

Existing playbooks and code using existing custom functions are not affected. If you have existing custom functions that use the item output type, you can edit and resave the custom functions to use the list output type. Note that you might have to change the datapaths that use this output type. For details, see Add custom code to your playbook with a custom function.

Smart block context for playbooks in the Visual Playbook Editor
If you change the name of a block, the new name now automatically propagates to any downstream datapaths that refer to that block.

If you make configuration changes to a block that modify its output datapaths, a warning message displays on any downstream blocks that used the affected datapaths before they were modified. The message notifies you that you must update those downstream blocks to account for the affected datapaths.

Automation Broker key rotation
A new menu item was added to the user interface to get new credentials for Automation Brokers whose credentials have expired. See Rotate the encryption keys for the Splunk SOAR Automation Broker in Set Up and Manage the Splunk SOAR Automation Broker for more information.

October 27, 2022

This release of Splunk SOAR (Cloud) includes the following enhancements.

Automatic update for Splunk SOAR Automation Broker
Once upgraded to this release, the Splunk SOAR Automation Broker can automatically upgrade itself when new versions are released. See Upgrade or update the Splunk SOAR Automation Broker in Set Up and Manage the Splunk SOAR Automation Broker.

Simplified install process for Splunk SOAR Automation Broker
The process for installing and configuring the Splunk SOAR Automation Broker has been simplified. See Install Splunk SOAR Automation Broker in Set Up and Manage the Splunk SOAR Automation Broker.

September 28, 2022

This release of Splunk SOAR (Cloud) includes the following enhancements.

New button to view reports
A new button lets you view Executive Summary reports within the browser, in addition to generating a report PDF. See Create Executive Summary reports and view all reports in Splunk SOAR.

Splunk SOAR Automation Broker no longer depends on Splunk Cloud Gateway Service
The newest release of the Splunk SOAR Automation Broker no longer requires the Splunk Cloud Gateway Service. See Release notes in Set Up and Manage the Splunk SOAR Automation Broker.

August 31, 2022

This release of Splunk SOAR (Cloud) includes the following enhancements.

Simplified adding CA certificates to the Splunk Automation Broker
The process for adding TLS/SSL certificates from a Certificate Authority has been simplified. See Add a Certificate Authority to the Splunk Automation Broker in Set Up Automation in Splunk SOAR (Cloud).

If you have previously installed custom CA certificates for your Splunk SOAR Automation Broker, you must add them again.

Asset Mapper for the Visual Playbook Editor
Enables you to map missing assets when importing playbooks from other environments. See Missing configurations in imported playbooks in the Build Playbooks with the Playbook Editor manual.

July 28, 2022

This release of Splunk SOAR (Cloud) includes the following enhancements.

View playbook run statistics
You can now view statistics about playbook runs in the Visual Playbook Editor. See View Playbook Run Statistics in Administer Splunk SOAR (Cloud).

You can also access the playbook run statistics through the API. See Playbook Resource Usage in REST API Reference for Splunk SOAR.

June 22, 2022

This release of Splunk SOAR (Cloud) includes fixes to known issues from previous versions.

April 11, 2022

This release of Splunk SOAR (Cloud) includes the following enhancements.

Improved telemetry
To help improve Splunk SOAR (Cloud), Splunk now collects playbook names, playbook descriptions, and custom-function names in telemetry.

Because of this change, do not include any personally identifiable or sensitive information in playbook names, playbook descriptions, or custom-function names.

Python upgrade
Python has been upgraded from version 3.6 to 3.9. For detailed information, see the Python 3 upgrade section.

Support updates for automation brokers
Splunk supports only the current and the immediately preceding released version of automation brokers.

jq bundle
jq is now bundled with Splunk SOAR (Cloud). jq is a command-line JSON processor that lets you manipulate structured data.

Disconnected my.phantom.us
All apps in Splunk SOAR (Cloud) now point to Splunkbase. The toggle that allowed you to switch the connection between Splunkbase and my.phantom.us has been removed.

Delete automation broker warning
If you choose to delete an automation broker with active assets, Splunk SOAR (Cloud) warns you and requires confirmation.

New playbook APIs
As of this version, there are two new playbook APIs for Splunk SOAR (Cloud):
  • html_file_to_pdf allows you to convert an HTML file to a PDF and save it.
  • html_string_to_pdf allows you to convert an HTML string to a PDF and save it.

Python 3 upgrade

The current versions of Splunk SOAR (Cloud) and Splunk SOAR (On-premises) now use Python 3.9 because the last version of Python used in the SOAR products is no longer supported by the Python Software Foundation. This upgrade ensures that the SOAR products can continue to rely on community support and maintain compatibility with many third-party projects that use Python.

In practice, what the change means is that all apps and playbooks now run using Python 3.9 by default. However, if you use an older automation broker, the SOAR products still use Python 3.6.

Python 3.9 impact on apps: You must upgrade apps to be compatible with Python 3.9. If you don't, those apps might not run in the Python 3.9 environment.

Python 3.9 impact on playbooks: If you use the terms "async" or "await" as names of variables, functions, or other pieces of code in your playbooks, a SyntaxError results. Rename anything named "async" or "await" in your playbooks. Existing Python 3.6 playbooks continue to work in the new Python 3.9 environment.

As part of the Python upgrade, pylint has also been updated, and its import checks have been disabled because they were causing false-positive ImportErrors.
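As an added pre-upgrade check (example code, not Splunk's), the following Python flags async and await used as identifiers in playbook source, which Python 3.7 and later reject, and confirms with compile() whether the running interpreter accepts the file. The playbook fragments are constructed, and the token-neighbour rule is a heuristic rather than a full parse.

```python
import io
import tokenize

RESERVED = {"async", "await"}
# 'async' is the keyword form only when it directly precedes one of these.
ASYNC_KEYWORD_FOLLOWERS = {"def", "for", "with"}
# 'await <operand>' is the keyword form; an 'await' followed by one of these
# (or by the end of the statement) can only be an identifier.
END_TOKENS = {"=", ".", ")", "]", ",", ":"}
# An 'await' directly after these is being defined or accessed as a name.
BINDING_PREDECESSORS = {"def", "class", "."}


def reserved_word_identifiers(source):
    """Return (line, column, word) for each async/await that is used as an identifier."""
    tokens = [t for t in tokenize.generate_tokens(io.StringIO(source).readline)
              if t.type not in (tokenize.COMMENT, tokenize.NL)]
    hits = []
    for i, tok in enumerate(tokens):
        if tok.type != tokenize.NAME or tok.string not in RESERVED:
            continue
        prev_tok = tokens[i - 1] if i > 0 else None
        next_tok = tokens[i + 1] if i + 1 < len(tokens) else None
        at_end = next_tok is None or next_tok.type in (tokenize.NEWLINE, tokenize.ENDMARKER)
        if tok.string == "async":
            is_identifier = at_end or next_tok.string not in ASYNC_KEYWORD_FOLLOWERS
        else:
            is_identifier = (at_end or next_tok.string in END_TOKENS
                             or (prev_tok is not None and prev_tok.string in BINDING_PREDECESSORS))
        if is_identifier:
            hits.append((tok.start[0], tok.start[1], tok.string))
    return hits


def compiles(source):
    """Authoritative check on the running interpreter: does the source compile at all?"""
    try:
        compile(source, "<playbook>", "exec")
        return True
    except SyntaxError:
        return False


# Constructed playbook fragments (not real SOAR playbook code).
LEGACY_SNIPPET = '''def on_start(container):
    async = True
    await = run_query(container)
    return async, await
'''
KEYWORD_SNIPPET = '''async def fetch(session):
    return await session.get("https://example.invalid")
'''
FIXED_SNIPPET = LEGACY_SNIPPET.replace("async", "is_async").replace("await", "awaited")
```

Run `reserved_word_identifiers()` over each playbook's source before the upgrade; `compiles()` then tells you whether the renamed version is accepted by the interpreter you run it on.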

February 18, 2022

Splunk SOAR (Cloud) does not provide outbound access, or exceptions, for TCP port 25.

Because of the sensitive content that the SOAR platform handles, an unsecured SMTP connection could deliver sensitive email messages with no way to ensure an adequate level of encryption or acceptable recovery processes.

Splunk SOAR does and will provide outbound access for cloud-to-cloud connections on SMTPS ports such as 587 and 465, or on a customized port. Customers who still require SMTP on TCP port 25 can use it within their internal environments through the Automation Broker.

February 01, 2022

Update Parser app to version 2.4.9
Users should immediately upgrade the Parser App to version 2.4.9 from Splunkbase or the Phantom Portal.

Test input playbooks in the Visual Playbook Editor debugger
To test an input playbook:
  1. Open the playbook in the Visual Playbook Editor.
  2. Open the debugger from the tab in the lower right corner of the Visual Playbook Editor.
  3. In the top left corner of the debugger, click the adjustment bars icon.
  4. Add values for the playbook's inputs.
  5. Add the event id to test against.
  6. Click Test.

January 26, 2022

This release of Splunk SOAR (Cloud) includes the following enhancements.

App, asset, and playbook relationship changes
In earlier releases, apps were linked to assets or playbooks in a many-to-many relationship using a combination of the product_version, product_name, and product_vendor fields. Starting with this release, each app has a unique app_id and is linked to assets or playbooks in one-to-many relationships. During the upgrade, apps, assets, and playbooks are migrated to this new schema.

During an upgrade, if multiple apps share a single asset, each app after the first clones the associated asset, then the app uses that clone.

If a playbook used an asset which was cloned, the playbook is not automatically updated to use the new, cloned asset. You must manually identify and update playbooks to use the correct asset.

Assets that were cloned need any passwords or secret environment variables manually re-entered.

These Splunk supported apps are affected by this change:

The asset API has been updated to support using the app_id or app_guid. See REST Asset in the REST API Reference for Splunk SOAR (Cloud).

New UI for assigning orphaned assets
You can now assign orphaned assets to an app from the user interface.
  1. From Home > Apps > Orphaned Assets, select the orphaned asset.
  2. Click Assign App.
  3. In the dropdown menu, select the app, then click Assign.

Visual Playbook Editor: the Action Block supports formatting for input fields
In the Visual Playbook Editor you can set the "Formatted input" property on input fields, giving you most of the formatting capabilities of the Format Block.

This allows:

  • Multi-line and formatted text inputs.
  • An option to toggle between datapath inputs and formatted text input.
  • Most of the 'placeholder values' from the Format Block can be used.
  • Lists are not supported.

Automation Broker added health checks
The automation broker now performs several checks to determine the health of both the automation broker and its Docker container.

See Automation Broker's automatic pre-check and post checks in Set Up Automation in Splunk SOAR (Cloud).

Updated System Information UI
There is an updated UI for displaying system information about your deployment. To access the new display, select Home > Administration > About.

The interface displays:

  • Splunk SOAR version
  • The embedded Splunk Enterprise version and build
  • Server name
  • Operation mode, either privileged or unprivileged.
  • Type of deployment, either cloud or on-premises.

December 3, 2021

This release is for the Splunk Automation Broker, release 5.1.2.

Splunk Automation Broker update to 5.1.2
The Splunk Automation Broker has been updated to 5.1.2 and is available to install. See Install Splunk Automation Broker.

November 17, 2021

This release of Splunk SOAR (Cloud) includes the following enhancements.

New App Wizard and Editor
An updated version of the App Wizard with new editing features is available in this release. The new App Wizard streamlines the app creation process and allows you to directly edit an app's Python code in the user interface.

Apps are available on Splunkbase!
You can now install apps for your instance from Splunkbase! The buttons for App Updates and New Apps now connect to Splunkbase.

OpenSSL upgraded to version 1.1.1
To keep pace with required updates to OpenSSL, Splunk SOAR (Cloud) has implemented OpenSSL 1.1.1 in this release.

urllib3 upgraded to version 1.26.7
urllib3 has been upgraded to version 1.26.7 to address issues with HTTPS proxies.

New workbook templates added
Two new workbook templates have been added:
  • Risk Investigation
  • Risk Response

After you have been upgraded to version 5.1.0, you can find these new templates in Home > Administration > Product Settings > Workbooks.

Classic playbook API block

You can fetch updated container data in the classic playbook API block.

See Advanced settings.

August 24, 2021

Update release of Splunk SOAR (Cloud). Bug fixes.

Introducing an all-new Playbook Editor in Splunk SOAR (Cloud)

This release introduces an all-new playbook editor. The new playbook editor presents a vertical user interface, wider blocks for longer descriptions, labels for descriptions and filters, and UI-based configuration options for playbook APIs. Additionally, it introduces "input" playbooks, which allow you to configure input parameters in support of modular playbook design. Finally, output parameters can be defined for all playbooks, adding to their modularity. You can choose between these playbooks and classic playbooks, so existing playbooks can still be edited as necessary.

For more information on playbooks and classic playbooks, see Choose between playbooks and classic playbooks in Splunk SOAR (Cloud) in Build Playbooks with the Playbook Editor.

SAML2 unsolicited responses

A check box is added in the authentication settings to allow unsolicited responses from the Identity Provider. The check box is visible in 5.0.0, but will not be active until a future release.

See Configure SSO authentication using SAML2.

July 28, 2021

Update release of Splunk SOAR (Cloud). Bug fixes.

June 25, 2021

Update release of Splunk SOAR (Cloud). Bug fixes.

June 10, 2021

First update release of Splunk SOAR (Cloud). Bug fixes.

May 27, 2021

This is the first release of Splunk SOAR (Cloud)!

For a complete description of the service, see Service Description.

Splunk Automation Broker

Splunk SOAR (Cloud) uses an on-premises application, the Splunk Automation Broker, to securely run actions through connections to your on-premises tools and applications. Splunk SOAR (Cloud) sends an action request for a specific connector configuration to the Splunk Automation Broker. In combination with the connector, the Splunk Automation Broker dispatches the action to the relevant on-premises application.

The Splunk Automation Broker is delivered as a Docker container that you run on your organization's Docker host.

For more information on the Splunk Automation Broker, see About Splunk Automation Broker in Set Up Automation in Splunk SOAR (Cloud).

Migrating from Splunk Phantom to Splunk SOAR (Cloud)

For a complete guide on migrating from Splunk Phantom to Splunk SOAR (Cloud), see Migrate from Splunk Phantom to Splunk SOAR (Cloud).

Last modified on 17 May, 2023

This documentation applies to the following versions of Splunk® SOAR (Cloud): current

