Splunk® SOAR (Cloud)

Release Notes

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Welcome to

is a cloud-based Security Orchestration, Automation, and Response (SOAR) system that is delivered as a SaaS (software-as-a-service) solution hosted and managed by Splunk Inc.

The platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.

If you are new to , read About in the Use manual to learn how you can use for security automation.

If your deployment uses the Splunk SOAR Automation Broker see the topic What's new in Splunk SOAR Automation Broker for more information.


November 6, 2024 Release 6.3.1

What's new in

This release of includes the following enhancements.

Splunk idea Feature Description
PPSID-I-180, PPSID-I-483  Guided automation Introducing a new streamlined workflow for building playbooks. The new data preview panel overlays real incident and playbook data directly onto the playbook editor for faster, more accurate automation. For details, see Use Data Preview to build, test, and edit playbooks.
Change playbook types* You can now change a playbook type while you are editing the playbook. You can now change a SOAR playbook to an Enterprise Security playbook or the other way around. For details, see Manage settings for a playbook in .
Playbook debugger and Python editor updates The playbook debugger and Python editor have moved; they are now included as tabs in the new Data Preview panel. For details, see Use Data Preview to build, test, and edit playbooks.

The Python editor now has additional functionality, including the ability to wrap lines of code, focus on a specific block, and view looping functionality for a specific block. For details, see View or edit the Python code in playbooks.
Performance improvements This release features up to a 2x improvement in automation throughput. can now handle more playbooks, custom functions, and actions simultaneously.**
Deactivate dashboard widgets You can now deactivate individual home dashboard widgets for all users. For details, see Manage dashboard widgets in .
Home menu Administration section reorganized The Administration menu has been reworked.
  • The Product Settings menu has been changed to better group settings by their function. Some items have been moved.
    • The Investigations menu item consolidates toggling the Authorized Users and Clickable URLs into one page, while adding a new UI toggle for Indicators.
    • New entries for Connectors, Investigations, Manage Widgets, and Playbook Automation have been added.

For details, see the relevant sections of Administer .

New settings toggles You can now toggle many features on or off from the reorganized Product Settings section of the Administration menu. Several new items have been added.
  • Enable Indicators, available under Investigations
  • Enable Multiple Conditions for VPE Blocks, available under Playbook Automation
  • Enable Playbook Resource Scoring, available under Playbook Automation
  • Enable Check SOAR Connector Version, available under Connectors

For details, see the relevant sections of Administer .

* This feature will be available when Enterprise Security 8.0 becomes generally available.
* * Based on internal testing when compared with Splunk SOAR (Cloud) version 6.2.2. Results cited are for illustration. Performance depends on individual use, configuration, and other factors.

September 19, 2024 Release 6.3.0

What's new in

This release of includes the following enhancements.

Splunk idea Feature Description
PPSID-I-69 Prompt-driven automation (External prompts) You can now design playbooks to send prompts to individuals and groups who do not use , requiring their response before the playbook continues. Require user input using the Prompt block in your playbook.
The Wayfinder Splunk SOAR's new discovery and navigation experience. Use shortcuts to access destinations within Splunk SOAR and specific information that's important to you. For details, see Navigate with the Wayfinder in the Use documentation.
FedRAMP Moderate certification now has FedRAMP Moderate certification. See the details in the August 28, 2024 FedRAMP Moderate section later in this article.
Pairing with Splunk Enterprise Security* Information on how to pair your Splunk SOAR instance with your Splunk Enterprise Security instance. For details, see Pair Splunk SOAR with Splunk Enterprise Security.
Visual Playbook Editor changes*
Automation rules framework* You can trigger SOAR playbooks for event-based detections or finding-based detections in Splunk Enterprise Security. For details, see Configure automation rules to run playbooks based on detections in Splunk Enterprise Security.
Expanded region availability Splunk SOAR (Cloud) is now available in Milan. See Available regions and region differences in the Splunk SOAR (Cloud) Service Description.
Automation broker supports just-in-time credential asset settings You can create assets that use "just in time" credentials with an Automation Broker. See Configure Just In Time Credentials for a Splunk SOAR (Cloud) asset in Add and configure apps and assets to provide actions in Splunk SOAR (Cloud).
PPSID-I-50 Prompts questions can require responses or not You can now specify that questions in prompts either require or do not require a response. For details, see Require user input using the Prompt block in your playbook.
Custom index for universal forwarder You can now customize into which Splunk indexes you want to forward SOAR data. For details, see Configure forwarding a data type to a specific Splunk index in the Configure forwarders to send SOAR data to your Splunk deployment article.
Notes now support all markdown syntax You can now use all available markdown syntax in notes. For details, see Using Markdown in notes in the Create, sort, and filter notes in article.
Sources is now called Events The Sources page and Sources menu pick from the Home menu are now both called Events, which more closely aligns with the content of that page.
Playbooks cannot modify declared global variables Playbook execution has changed. A playbook can no longer modify declared global variables. For details, see Use local variables instead of global variables in the Write better playbooks by following these guidelines article.

* These features will be available when Enterprise Security 8.0 becomes generally available.

Deprecated features

Python playbook API phantom.set_action_limit()

This python playbook API is deprecated. This API no longer applies because there is no longer a limit for the number of actions a playbook can run. Existing playbooks which use this APIs will continue to perform the playbooks' function, but will display a deprecation warning about the API.

See also

August 28, 2024 FedRAMP Moderate

Splunk SOAR (Cloud) FedRAMP Moderate is now available.

Splunk SOAR (Cloud) FedRAMP Moderate meets Federal Information Processing Standard (FIPS) 199 Moderate Impact Level standards.

Deprecated features

Python playbook API phantom.set_action_limit()

This python playbook API is deprecated. This API no longer applies because there is no longer a limit for the number of actions a playbook can run. Existing playbooks which use this APIs will continue to perform the playbooks' function, but will display a deprecation warning about the API.

Removed features

This only applies to Splunk SOAR (Cloud) FedRAMP environments.

  • Classic Visual Playbook Editor: Splunk SOAR (Cloud) FedRAMP deployments do not have access to the Classic Visual Playbook Editor. You can still run playbooks that were created in the Classic Visual Playbook editor, and convert those playbooks to the modern format. For instructions on converting playbooks from the classic to the modern format, see Convert classic playbooks to modern playbooks in Build Playbooks with the Playbook Editor.

Enhancements

Splunk idea Feature Description
FIPS mode FIPS mode is turned on for all Splunk SOAR (Cloud) FedRAMP deployments.

Any Splunk SOAR Automation Brokers that you use in conjunction with your deployment must also run in FIPS mode.

Playbooks cannot modify declared global variables Playbook execution has changed. A playbook can no longer modify declared global variables. See Write better playbooks by following these guidelines.
Automation isolation

This feature is only available in Splunk SOAR (Cloud) FedRAMP Moderate environments.

Playbook code run in Splunk SOAR (Cloud) FedRAMP Moderate environments is run in isolation using dynamically managed containers. These containers are connected to Splunk SOAR (Cloud) FedRAMP Moderate through an internal automation broker.

Due to automation isolation, playbooks have the following restrictions:

  • Playbooks cannot share information between playbook runs by using the host's file system.
  • The directories /tmp and /opt/phantom/tmp cannot be used to share information between playbook runs. These directories can still be used to share information in the context of a single playbook run.
  • Playbooks cannot read or modify the directory /opt/phantom/vault by using the file system. Playbooks that interact with the vault must use the Vault automation API.
  • Playbooks should not create subprocesses, either by using the built-in os.system python function or the built-in subprocess python module.
Internal automation broker

This feature is only available in Splunk SOAR (Cloud) FedRAMP Moderate environments.

Splunk SOAR (Cloud) FedRAMP Moderate uses an internal Splunk SOAR Automation Broker to run actions.
  • The internal automation broker is called soar_internal_ab, and cannot be edited or deleted.
  • You can see the status of the internal automation broker from the Home menu, Administration, Product settings, Automation Broker.

For more information about the Splunk SOAR Automation Broker, see About Splunk SOAR Automation Broker.

Assets can use "just in time" credentials with an Automation Broker You can create assets that use "just in time" credentials with an Automation Broker. See Configure Just In Time Credentials for a Splunk SOAR (Cloud) asset in Add and configure apps and assets to provide actions in Splunk SOAR (Cloud).

For more information about SOAR (Cloud) in restricted environments, see Splunk SOAR (Cloud) in restricted environments.


May 29, 2024 Release 6.2.2

Enhancements

This release of includes the following enhancements.

Splunk idea Feature Description
PPSID-I-400
PPSID-I-660
PPSID-I-216 		Visual Playbook Editor updates Operators for playbook conditions
Added operators for use in playbook decision, filter, and logic loop blocks. New operators include matches regex, is true, is false, is none, is empty, and is list, among others. For details, see Operators for conditions in the Use filters in your Splunk SOAR (Cloud) playbook to specify a subset of artifacts before further processing article and condition in the Playbook automation API article.


Updated prompts functionality
You can now specify a prompt block response type, even if no question is included. For details, see Require user input using the Prompt block in your playbook.

Performance improvements
Made significant improvements to VPE performance, resulting in a 15-30x speed increase when loading and editing large playbooks.

Reading long datapaths
You can now hover over the datapath in the configuration panel to see the entire datapath displayed in a tooltip.

Drag-and-drop playbook blocks
You can now add a playbook block to the canvas by selecting a block from the side panel, dragging it to the canvas, and dropping it on top of the block you want it to follow.

Universal Forwarder improvements Added support for using HTTP forwarders, which support HTTP load balancers and the use of HEC. See Customize your forwarder configuration in Administer .
Library updates Updated the following libraries:
  • Django updated to release 4.2
  • Nginx updated to 1.25.3
  • RabbitMQ updated to release 3.13.1
  • Erlang updated to release 26.2.2
New default value for asset action concurrency limit When you create an asset, one of its settings is its action concurrency limit, which controls how many actions the asset can run at one time. In earlier releases, an asset's action concurrency limit defaulted to one. In release 6.2.2 and higher, the default for new assets has been set to five. Existing assets have not been modified.

Make sure any custom app you write or install can support multiple concurrent actions. If an app you use does not support multiple concurrent actions, set the action concurrency limit to 1 for any new assets you create for that app.

For information on setting or editing an assets concurrent action limit, see Set the concurrent action limit in Administer .

Internal SMTP asset updates Splunk SOAR (Cloud) comes preconfigured with an SMTP asset called internal_smtp.
  • The sender address of the internal_smtp asset cannot be changed.
  • You cannot set any SMTP asset to have a sender address from the Splunk, phantom, or Cisco domains.

If you want Splunk SOAR (Cloud) to send emails from another address and domain, configure a new SMTP asset for the included Splunk> SMTP app or install and configure an SMTP app.

Updated Automation Broker permissions Automation Broker permissions for user roles

A new permission set automation_broker has been added for roles which need to manage Automation Brokers. This permission set has been added to existing roles which had system_settings permissions.

  • If a role had system_settings with the edit option, the automation_broker permissions will have edit and delete options.
  • If a role had system_settings view option, the automation_broker permissions will have the view option.
  • If a role had system_settings view and edit option, the automation_broker permissions will have the view, edit, delete options.

To add automation_broker permissions to a role, see Add a role to in Manage roles and permissions in .

Customize the UID and GID for the Automation Broker
You can customize the UID and GID for the Automation broker by setting these new environment variables in the docker-compose.yaml.

  • PUID - This variable is the UID for the Automation Broker. The default is 1000.
  • PGID - This variable is the GID for the Automation Broker. The default is 1000.
UX performance enhancements Several updates have been made to improve the performance of the user interface.
  • Dashboard widgets now load "on request." Widgets which are not visible in the user's current view are not refreshed.
  • The investigations page has been updated, reducing duplicated queries and adding configurable refresh intervals. The refresh interval for the investigations page can be set using a series of POSTs to /rest/system_settings/refresh_intervals. 
     /rest/system_settings/refresh_intervals { "type": "investigations_page", "duration": 4 }

/rest/system_settings/refresh_intervals { "type": "investigations_page_max_wait", "duration": 8 }
    See /rest/system_settings in REST API Reference for .
Search improvements The search interface was improved, making filtering options more obvious. See Search within in Use .

March 28, 2024 Release 6.2.1

Deprecated Features

  • Classic Playbook Editor: The classic playbook editor will be deprecated soon. For information on converting your playbooks, see Convert classic playbooks to modern playbooks.
    Beginning with Splunk SOAR (Cloud) version 6.2.1, the Classic Playbook Editor permissions change. You can still run and edit existing playbooks, but you can no longer create new classic playbooks, because the + Classic Playbook button is removed.
    Even after the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
  • features REST API: release 6.2.1 deprecates the /rest/system_settings/features REST API. It is replaced by the rest/feature_flag REST API. For details, see REST Feature Flag.

Removed Features

  • DUO support: release 6.2.1 ends support for DUO two-factor authentication. Duo was deprecated in release 5.5.0. User accounts that used DUO can now log in without using DUO.
  • Creating classic playbooks: As of release 6.2.1, you can no longer create new classic playbooks in the playbook editor. See additional details about the Classic Playbook Editor deprecation in the Deprecated Features section above.

Enhancements

This release of includes the following enhancements.

Splunk idea Feature Description
Independent severity levels for events and artifacts You can now choose whether a container inherits the severity level from a newly added artifact. Previously, all containers inherited their severity level from a newly added artifact. For details, see Determine severity level of containers and artifacts.
Visual Playbook Editor (VPE) updates Classic VPE Playbooks
With this release, you can no longer create new Classic VPE playbooks. For details on migrating your existing playbooks, see Convert classic playbooks to modern playbooks.

Playbook migration tool
The playbook migration tool is updated. For details on migrating your existing playbooks, see Convert classic playbooks to modern playbooks.

Multiple conditions in Decision and Filter blocks
In a modern playbook, a filter or decision block can now have multiple conditions that connect to the same downstream block. For information on filter blocks, see Use filters in your playbook to specify a subset of artifacts before further processing. For information on decision blocks, see Use decisions to send artifacts to a specific downstream action in your playbook.

Added Artifact CEFs and Headers datapaths support
You can now see the datapath for an artifact's Common Event Format (CEF) and header in blocks downstream from an action block. For details, see CEF fields as action results in the Specify a datapath in your playbook article.

Investigation page usability improvement On the investigation page, the Artifacts tab is now the default tab. For information on the Investigation page, see Start with Investigation in .
Automation Broker (AB) operating system upgrade Upgrading the Automation Broker operating system to Ubuntu 20.04. For Automation Broker release notes, see What's new in Splunk SOAR Automation Broker in Set up and manage Splunk Automation Broker.
PPSID-I-462 Additional colors for HUD cards You can now create Heads-up Display (HUD) cards in several new colors. For information on HUD cards, see Track information about an event or case using HUD cards.
New Feature Flag REST API Added /rest/feature_flag, a new REST API for turning features on or off, or to modify the settings for a feature is now available. See REST Feature Flag.
Global search scope You can now control the scope of global search with the new restrict_global_search API. For details, see Configure the scope of global search using the REST API in the Configure search in article.
Playbook run data searchable You can now search for playbook run data, including searching by id and status, in the global search bar. For details, see Search within .
TLS support for Splunk Universal Forwarder Add transport layer security (TLS) certificates to secure connections between 's forwarders and the receiving indexers.

To add or edit the TLS certificate settings for your Universal Forwarder, see Configure transport layer security between your Splunk SOAR (Cloud) universal forwarder and the receiving indexer
Performance tuning for Splunk Universal Forwarder Settings for the Splunk Universal Forwarder were adjusted to increase performance.
  • In limits.conf, maxKBps was increased from 256 KB/s to unlimited KB/s.
  • In server.conf, server.conf was increased from 6MB to 50MB.
Reindexing Data - new name and location Reindex Search Data is renamed Reindex Data and is now located in a tab under Forwarder Settings because reindexing applies only to Forwarder Settings and not to Search Settings. Its former location, the Search Settings menu, is now obsolete and has been removed from Administration Settings. For details, see Reindexing.
Remaining session time warning You can now warn users that their session will end soon, based on the number of minutes you specify. For details, see Set security parameters in the Manage users article.
Optional timeout in phantom.html_file_to_pdf and phantom.html_string_to_pdf APIs In playbooks that use the phantom.html_file_to_pdf or phantom.html_string_to_pdf API, you can now optionally specify a timeout. For details, see html_file_to_pdf and html_string_to_pdf in the Playbook Automation API article.

November 30, 2023 Release 6.2.0

Enhancements

This release of includes the following enhancements.

Splunk idea New feature Description
PPSID-I-681 Logic Loops Configure loops directly in the Visual Playbook Editor (VPE) with an intuitive user interface, eliminating the need for custom code. For details, see Repeat actions with logic loops.
PPSID-I-365 CyberArk integration Integrate the Splunk SOAR (Cloud) environment with CyberARK's privileged access management (PAM) solution, while also simplifying the experience for on-premises CyberARK installation and upgrades. For details, see Use CyberArk Privileged Access Manager with in the Manage your organization's credentials with a password vault topic.
Replaced embedded Splunk Enterprise
with Postgres 15 search 		Starting with this release, we have removed the embedded copy of Splunk Enterprise. The embedded copy of Splunk Enterprise handled internal search features for SOAR.

Search for SOAR items is now handled by Postgres 15 search features. See Search within in Use for search syntax.

Added support for Universal Forwarders Universal Forwarders now replace remote search for getting your SOAR data into your Splunk Cloud Platform or Splunk Enterprise deployment.

For details on Universal Forwarders, see Configure forwarders to send SOAR data to your Splunk deployment.
Splunk App for SOAR users: For updated setup instructions, see Set up the universal forwarder using Splunk SOAR version 6.2.0 and higher.

PostgreSQL 15 upgrade Splunk SOAR (Cloud) now supports PostgreSQL version 15 as its default internal database.
Classic to modern playbook migration In preparation for the deprecation of the classic mode of the Visual Playbook Editor (VPE), you can now use a new user interface to convert playbooks developed in the classic VPE to modern playbooks. For details, see Convert classic playbooks to modern playbooks.
Playbook filter tabs The modern Visual Playbook Editor (VPE) now has tabs to filter for specific types of playbooks: your organization's customized playbooks, community playbooks, active playbooks, and classic playbooks. For details, see Find playbooks by type in the Find existing playbooks article.
PPSID-I-627
internal idea 		Browser tab differentiation It is now easier to clearly identify browser tabs running Splunk SOAR from tabs running other Splunk products.
Increased limit on actions per playbook Increased the default limit on number of actions per playbook from 50 to 500. To update this setting, see set_action_limit in the Session automation API article.

Versions 6.0.0 - 6.1.1

September 6, 2023 Release 6.1.1

Action required: Cryptography library update

In version 6.1.1 of , Splunk upgraded the Python cryptography library to version 41.0.1 to address a known security vulnerability in earlier libraries, as described in Splunk SOAR Cryptography Python Package Upgrade Incompatibility.

Check your specified pip dependencies for your connectors (also called apps) and update as needed. Splunk Inc recommends that you do not specify a version number to avoid possible future compatibility issues. If you require a specific version of the Python cryptography library package, specify a version that is at least 40.0.0 or later. See the Specifying pip dependencies section of Configure metadata in a JSON schema to define your app's configuration for details on where you specified the cryptography library.

Enhancements

This release of includes the following enhancements.

Feature Description
Updated telemetry Splunk collects and uses data to help with future product development and to better support your deployment. For more details see Share data from Splunk SOAR (Cloud).
Visual Playbook Editor: Update to Decision blocks In the modern Visual Playbook Editor, you can now continue to add Else If conditions even after you have added an Else condition. For information on the Decision block in the modern Visual Playbook Editor, see Use decisions to send artifacts to a specific downstream action in your playbook.
Updated debug logging Added the ability to generate and upload a diagnostic TAR file to Splunk Support. See Create and download or upload a diagnostic file.

July 11, 2023 Release 6.1.0

Enhancements

This release of includes the following enhancements.

Splunk idea New feature Description
PPSID-I-146 Paste images from clipboard into notes You can now paste an image within the text area of the note editor component, so that the image is automatically uploaded and added to the note, and is visible in the note preview. For details, see View and create notes in .
PPSID-I-6 Additional playbook triggers Added new conditions to trigger a playbook to run automatically. The new conditions that can trigger a playbook to run automatically are creating an event and changing a container status to Resolved. These conditions are in addition to using an event label to determine whether a playbook should run. For details, see Manage settings for a playbook in .
Separate directory for playbooks You can now specify the path to a separate directory for playbooks and custom functions within your repository. For details, see Configure a source control repository for your playbooks.
Extended version support with apps You can now install an unsupported version of an application with the current version. For details, see Add and configure apps and assets to provide actions in .
Sample data added to data path picker Added the option to preview possible values for each artifact and container field in the data path picker. For details, see Specify data in your playbook.

May 17, 2023 Release 6.0.1

Enhancements

This release of includes the following enhancements.

Feature Description
Updated encryption algorithm
Action might be required 		Encryption algorithm for SAML updated from rsa-1_5 to rsa-oaep-mgf1p.


If you have not done so already, update the configured SAML encryption algorithm on your IDP to rsa-oaep-mgf1p. For information, see Configure single sign-on authentication for in the Administer documentation.

New behavior in asset configuration when changing app versions As part of an app upgrade, downgrade, or reinstall, automatically performs the following actions for any asset configurations associated with that app:
  • adds new fields present in the version you are changing to, along with their default values if the app provides a default value
  • removes fields not present in the version you are changing to, along with any values associated with them

Note when switching back and forth between versions: If you set a configuration setting to a custom value, then switch to a version of the app that removes that configuration setting, then switch back to the original version, your custom value will either:

  • revert to the default value, if the app provides a default value, or
  • not be present in the asset configuration, if the app does not provide a default value.

For more information on app configurations see Configure metadata in a JSON schema to define your app's configuration in Develop Apps for Splunk SOAR (Cloud).

Comma splitting in Decision and Filter playbook blocks When configuring Decision and Filter blocks, you can now choose whether you want to use a delimiter and, if so, specify the string you want to use as a delimiter. For additional details, see Specify a datapath in your playbook in the Build Playbooks with the Playbook Editor manual.
Custom status label length increased Custom status labels can now be up to 128 characters long. For additional details, see Create custom status labels in in the Administer documentation.
Improved visual playbook editor experience Additional background block output calculations run automatically when you open a playbook, providing increased reliability.

See also




February 22, 2023 Release 6.0.0

Enhancements

This release of includes the following enhancements.

Feature Description
Important:
New SOAR default administrative user 		Starting with this release, the default administrative user is called soar_local_admin. This change is to support user accounts with the user name admin in single sign-on systems.
  • On new deployments of version 6.0.0 and higher, the administrator account is created as soar_local_admin.
  • On deployments which have been upgraded from versions 5.5.0 or earlier:
    • The existing user account admin will be automatically renamed to soar_local_admin.
    • A copy of the existing user account admin will be created with the user name admin. This copy is for your convenience, and may be deleted.


Action needed

  • After you upgrade: Anywhere you are explicitly using the user id admin, for example, in asset configurations, playbooks, scripts using the REST API, or custom apps, you should change to soar_local_admin. You must make this change manually.
Integration with Splunk Mission Control If you have Splunk Mission Control installed, you can now use Splunk SOAR (Cloud) playbooks to automate against your Splunk Mission Control incidents. Add Mission Control blocks to your playbooks to write a playbook that uses data from Splunk Mission Control. For details, see Investigate and Respond to Threats in Splunk Mission Control.
Find related playbooks Find existing playbooks associated with your installed apps. You can use an existing playbook from the community or from your instance, so you do not have to create playbooks from scratch. For details, see Find existing playbooks for your apps.
Custom Functions and Custom Lists location update Custom Functions and Custom Lists now have their own menu selections under the Home menu. They are no longer located within the Playbooks section. For details, see Add custom code to your playbook with a custom function and Create custom lists for use in playbooks.
User-based data paths You can now specify the user who launched the current playbook run, either by id or name, when configuring datapaths in the following playbook blocks: action, code, custom function, decision, and filter. These options appear in the datapath picker under playbook . For details, see Specify data in your playbook and Understanding datapaths in the Python playbook API Reference.
Pending icon for playbooks waiting to run A new icon helps distinguish between playbooks that are currently running and those that are waiting. In the Sources view/Analyst queue, the Activity panel displays the following icons for the running playbook:

Icon of arrows turning in a circle - Playbook is currently running
Icon of a clock face - Playbook is waiting its turn to run, or is waiting for user input in a Prompt block.
The Pending status is now an option for the /rest/action_run/<id>/app_runs API. For details, see the /rest/action_run/<id> section of the REST Run Action article.

New delimiter option for Playbook Automation API For the condition and decision endpoints, you can now specify any string as a delimiter to split field values in artifacts (CEF fields) by that string and treat the results as a list. For details, see condition and decision in the Playbook API article.
Playbook API decision endpoint Boolean values automatically converts true and false strings to their Boolean values in the Playbook API decision endpoint. For details, see decision in the Playbook automation API article.
Performance improvement - loading apps Default apps that are a part of Splunk SOAR install and upgrade are not fully installed until an asset is configured against them.

Versions 5.0.0 - 5.5.0

January 4, 2023

There are no new enhancements in this release.

This release is a patch for the December 14 release. Refer to the Fixed Issues page for details on issues fixed in this patch release.

December 14, 2022

Deprecated features

The following features are deprecated as of release 5.5.0. Although these features continue to function, support might be removed in a future release.

  • Support for DUO 2FA is deprecated.
  • Support for OpenID as a identity provider is deprecated.

Enhancements

This release of includes the following enhancements.

Feature Description
Performance improvement for Indicators To improve performance a change was made to polling and filtering data for the Indicators feature.

If an event contains an artifact larger than 4KB then no Indicator is created or displayed in Home menu > Indicators for the event.
This change only affects new deployments of .

User-based data paths In Prompt playbook blocks, you can now choose to prompt newly defined, dynamic users and roles. New prompt options include Event owner and Playbook run owner. For details, see Require user input using the Prompt block in your playbook and prompt2 in the Playbook automation API article.
Custom Functions - List output type Custom functions now have the concept of output types. There are now two output types:
  • Item - The original output type. This is the default when creating the data type.
  • List - New output type. Creates and returns a list of items.

Existing playbooks and code using existing custom functions are not affected. If you have existing custom functions that use the item output type, you can edit and resave the custom functions to use the list output type. Note that you might have to change the datapaths that use this output type. For details, see Add custom code to your playbook with a custom function

Smart block context for playbooks in the Visual Playbook Editor If you change the name of a block, that changed name will now automatically update in any downstream datapaths that refer to that block.

If you make configuration changes to a block that modify its output datapaths, a warning message displays on any downstream blocks that used the affected datapaths before they were modified. The message notifies you that you must update those downstream blocks to account for the affected datapaths.

Automation Broker key rotation A new menu item was added to the user interface to get new credentials for Automation Brokers whose credentials have expired. See Rotate the encryption keys for the Splunk SOAR Automation Broker in Set Up and Manage the Splunk SOAR Automation Broker for more information.

October 27, 2022

This release of includes the following enhancements.

Feature Description
Automatic update for Splunk SOAR Automation Broker Once upgraded to this release, the Splunk SOAR Automation Broker can automatically upgrade itself when new versions are released. See Upgrade or update the Splunk SOAR Automation Broker in Set Up and Manage the Splunk SOAR Automation Broker.
Simplified install process for Splunk SOAR Automation Broker The process for installing and configuring the Splunk SOAR Automation Broker has been simplified. See Install Splunk SOAR Automation Broker in Set Up and Manage the Splunk SOAR Automation Broker.

September 28, 2022

This release of includes the following enhancements.

Feature Description
New button to view reports New button to view Executive Summary reports within the browser, in addition to generating a report PDF. See Create Executive Summary reports and view all reports in Splunk SOAR.
Splunk SOAR Automation Broker no longer depends on Splunk Cloud Gateway Service. The newest release of the Splunk SOAR Automation Broker no longer requires the Splunk Cloud Gateway Service. See: What's new in Splunk SOAR Automation Broker in Set Up and Manage the Splunk SOAR Automation Broker.

August 31, 2022

This release of includes the following enhancements.

Feature Description
Simplified adding CA certificates to the Splunk Automation Broker. The process for adding TLS/SSL certificates from a Certificate Authority was simplified. See Add a Certificate Authority to the Splunk Automation Broker in Set Up Automation in .

If you have previously installed custom CA certificates for your Splunk SOAR Automation Broker, you must add them again.

Asset Mapper for the Visual Playbook Editor Enables you to map missing assets when importing playbooks from other environments. See Missing configurations in imported playbooks in the Build Playbooks with the Playbook Editor manual.

July 28, 2022

This release of includes the following enhancements.

Feature Description
View playbook run statistics You can now view statistics about playbook runs in the Visual Playbook Editor. See View Playbook Run Statistics in Administer .

You can also access the playbook run statistics through the API. See Playbook Resource Usage in REST API Reference for Splunk SOAR.

June 22, 2022

This release of includes fixes to known issues from previous versions.

April 11, 2022

This release of includes the following enhancements.

Feature Description
Improved telemetry To help improve Splunk SOAR (Cloud), Splunk now collects playbook names, playbook descriptions, and custom-function names in telemetry.

Due to this change, don't include any personally identifiable or sensitive information in playbook names, playbook descriptions, and custom-function names.

Python upgrade Python has been upgraded from version 3.6 to 3.9. For detailed information, see the Python 3 upgrade section.

Python 3.9 impact on apps: You must upgrade apps to be compatible with with Python 3.9. If you don't, those apps might not run in the Python 3.9 environment.

Python 3.9 impact on apps: If you use the terms "async" or "await" as names of variables, functions, or other pieces of code in your playbooks, a SyntaxError results. Rename anything named "async" or "await" in your playbooks. Existing Python 3.6 playbooks continue to work in the new Python 3.9 environment.

As part of the Python upgrade, pylint has also been updated, and its import checks have been disabled because they were causing false positive ImportErrors.

Support updates for automation brokers Splunk supports only the current and last previously released version of automation brokers.
jq bundle jq is now bundled with Splunk SOAR (Cloud). jq is a command-line JSON processor that allows you to manipulate structured data.
Disconnected my.phantom.us All apps in Splunk SOAR (Cloud) now point to Splunkbase. The toggle that allows you switch the connection between Splunkbase and my.phantom.us has been removed.
Delete automation broker warning If you choose to delete an automation broker with active assets, Splunk SOAR (Cloud) warns you and requires confirmation.
New playbook APIs As of this version, there are two new playbook APIs for Splunk SOAR (Cloud):
  • html_file_to_pdf allows you to convert an HTML file to a PDF and save it.
  • html_string_to_pdf allows you to convert an HTML string to a PDF and save it.

Python 3 upgrade

The current versions of Splunk SOAR (Cloud) and Splunk SOAR (On-premises) now use Python 3.9 because the last version of Python used in the SOAR products is no longer supported by the Python Software Foundation. This upgrade ensures that the SOAR products can continue to rely on community support and maintain compatibility with many third-party projects that use Python.

In practice, what the change means is that all apps and playbooks now run using Python 3.9 by default. However, if you use an older automation broker, the SOAR products still use Python 3.6.

Python 3.9 impact on apps: You must upgrade apps to be compatible with with Python 3.9. If you don't, those apps might not run in the Python 3.9 environment.

Python 3.9 impact on apps: If you use the terms "async" or "await" as names of variables, functions, or other pieces of code in your playbooks, a SyntaxError results. Rename anything named "async" or "await" in your playbooks. Existing Python 3.6 playbooks continue to work in the new Python 3.9 environment.

As part of the Python upgrade, pylint has also been updated, and its import checks have been disabled because they were causing false positive ImportErrors.

February 18, 2022

Splunk SOAR (Cloud) does not provide access for outbound connections nor exceptions for TCP port 25.

The nature of the content and capabilities of the SOAR platform allow an unsecured connection to deliver email messages of a sensitive nature without a way to ensure a proper level of encryption or acceptable recovery processes.

Splunk SOAR does and will provide outbound access for cloud to cloud connections for appropriate SMTPS ports like 587, 465, or a customized port. Customers who still require TCP port 25 SMTP support can do so within their internal environments through the Automation Broker.

February 01, 2022

Feature Description
Update Parser app to to version 2.4.9 Users should immediately upgrade the Parser App to version 2.4.9 from Splunkbase or the Phantom Portal.
Test input playbooks in the Visual Playbook Editor debugger To test an input playbook:
  1. Open the playbook in the Visual Playbook Editor.
  2. Open the debugger from the tab in the lower right corner of the Visual Playbook Editor.
  3. In the top left corner of the debugger, click the adjustment bars icon.
  4. Add values for the playbook's inputs.
  5. Add the event id to test against.
  6. Click Test.

January 26, 2022

This release of includes the following enhancements.

Feature Description
App, asset, and playbook relationship changes In earlier releases, apps were linked to assets or playbooks in a many-to-many relationship using a combination of product_version, product_name, and product_vendor fields. In , apps each have a unique app_id and are linked to assets or playbooks in one-to-many relationships. During an upgrade to apps, assets, and playbooks are migrated to this new schema.

During an upgrade, if multiple apps share a single asset, each app after the first clones the associated asset, then the app uses that clone.

If a playbook used an asset which was cloned, the playbook is not automatically updated to use the new, cloned asset. You must manually identify and update playbooks to use the correct asset.

Assets that were cloned need any passwords or secret environment variables manually re-entered.

These Splunk supported apps are affected by this change:

The asset API has been updated to support using the app_id or app_guid. See REST Asset in the REST API Reference for .

New UI for assigning orphaned assets. You can now assign orphaned assets to an App from the user interface.
  1. From Home > Apps > Orphaned Assets select the orphaned asset.
  2. Click Assign App.
  3. In the dropdown menu, select the App, then click Assign.
Visual Playbook Editor: The Action Block supports formatting for input fields. In the Visual Playbook Editor you can set the "Formatted input" property on input fields, giving you most of the formatting capabilities of the Format Block.

This allows:

  • Multi-line and formatted text inputs.
  • An option to toggle between datapath inputs and formatted text input.
  • Most of the 'placeholder values' from the Format Block can be used.
  • Lists are not supported.
Automation Broker added health checks The automation broker now does several checks to determine the health of both the automation broker and its Docker container.

See Automation Broker's automatic pre-check and post checks in Set Up Automation in Splunk SOAR (Cloud).

Updated System Information UI There is an updated UI for displaying system information about your deployment. To access the new display, select Home > Administration > About.

The interface displays:

  • Splunk SOAR version
  • The embedded Splunk Enterprise version and build
  • Server name
  • Operation mode, either privileged or unprivileged.
  • Type of deployment, either cloud or on-premises.

December 3, 2021

This release is for the Splunk Automation Broker, release 5.1.2.

Feature Description
Splunk Automation Broker update to 5.1.2 The Splunk Automation Broker has been updated to 5.1.2 and is available to install. See Install Splunk Automation Broker.

November 17, 2021

This release of includes the following enhancements.

Feature Description
New App Wizard and Editor An updated version of the App Wizard with new editing features is available in this release. The new App Wizard streamlines the app creation process and allows you to directly edit an apps' Python code in the user interface.
Apps are available on Splunkbase! You can now install apps for your instance from splunkbase! The buttons for App Updates and New Apps now connect to splunkbase.
OpenSSL upgraded to version 1.1.1 In order to keep pace with required updates to OpenSSL, has implemented OpenSSL 1.1.1 in this release.
urllib3 upgraded to version 1.26.7 urllib3 has been upgraded to version 1.26.7 to address issues with https proxies.
New workbook templates added Two new workbook templates have been added:
  • Risk Investigation
  • Risk Response

After you have been upgraded to version 5.1.0, you can find these new templates in Home > Administration > Product Settings > Workbooks.

Classic playbook API block

You can fetch updated container data in the classic playbook API block.

See Advanced settings.

August 24, 2021

Update release of . Bug fixes.

Introducing an all new Playbook Editor in

This release introduces an all new playbook editor. This new playbook editor presents a vertical user interface, wider blocks for longer descriptions, labels for descriptions and filters, and UI-based configuration options for playbook APIs. Additionally, the new playbook editor introduces "input" playbooks which allow for configuring input parameters supporting modular playbook design. Finally, output parameters can be defined for all playbooks adding to the modularity of playbooks. You have the option to choose between these playbooks and the classic playbooks to ensure existing playbooks can still be edited as necessary.

For more information on playbooks and classic playbooks, see Choose between playbooks and classic playbooks in in Build Playbooks with the Playbook Editor.

SAML2 unsolicited responses

A check box is added in the authentication settings to allow unsolicited responses from the Identity Provider. The check box is visible in 5.0.0, but will not be active until a future release.

See Configure SSO authentication using SAML2.

Versions 4.12.0 - 4.12.3

July 28, 2021

Update release of . Bug fixes.

June 25, 2021

Update release of . Bug fixes.

June 10, 2021

First update release of . Bug fixes.


May 27, 2021

This is the first release of !

For a complete description of the service, see Service Description.

Splunk Automation Broker

Cloud uses an on-premises application, the Splunk Automation Broker, to securely run actions through connections to your on-premises tools and applications. Cloud sends an action request for a specific connector configuration to the Splunk Automation Broker. In combination with the connector, the Splunk Automation Broker dispatches the action to the relevant on-premises application.

The Splunk Automation Broker is delivered as a Docker container that you run on your organization's docker host.

For more information on the Splunk Automation Broker, see About Splunk Automation Broker in Set Up Automation in .

Migrating from Splunk Phantom to

For a complete guide on migrating from Splunk Phantom to , see Migrate from Splunk Phantom to .

Last modified on 06 November, 2024
  Known issues for

This documentation applies to the following versions of Splunk® SOAR (Cloud): current

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters