Splunk® SOAR (Cloud)

Splunk SOAR (Cloud) Service Description

The visual editor for classic playbooks is now removed. Convert your classic playbooks to modern mode. Your classic playbooks will continue to run and you can view and edit them in the SOAR Python code editor.
For details, see:


Splunk SOAR (Cloud) introduction

Splunk SOAR (Cloud) delivers the benefits of SOAR as a cloud-based service. With Splunk SOAR (Cloud), you gain the functionality of a security orchestration, automation, and response (SOAR) system that is delivered as a software-as-a-service (SaaS) solution hosted and managed by Splunk.

The Splunk SOAR (Cloud) combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.

Use Splunk SOAR (Cloud) to perform the following tasks:

  • Ingest security events from Splunk Cloud Platform or other multiple products such as firewalls, or other security products.
  • Triage, analyze, and track events in a unified interface.
  • Automate responses to security events with automation playbooks.

Splunk manages and updates the Splunk SOAR (Cloud) service uniformly, so all Splunk SOAR (Cloud) customers receive access to the most current features and functionality. Your subscription to the Splunk SOAR (Cloud) service is sized for capacity and the number of individual users assigned to your purchased platform subscription. See Splunk Offerings Purchase Capacity and Limitations. Be sure to keep your Operational Contacts up-to-date to ensure you receive timely notifications for service updates; see Your maintenance responsibilities for more details.

This document describes the features, capabilities, limitations, and constraints of the Splunk SOAR (Cloud) service and our responsibilities to you as a SaaS provider. This document also notes your responsibilities as a subscriber to the service. Be sure to read the complete service description and the service terms and policies documents listed in the following section. If you have questions after reading any of this material, contact your Splunk sales representative.

Available regions

is available in the following global AWS regions:

  • US (Oregon, Virginia)
  • UK (London)
  • Europe (Dublin, Frankfurt, Milan, Paris)
  • Asia Pacific (Mumbai, Seoul, Singapore, Sydney, Tokyo)
  • Canada (Central)

is available in the following global Microsoft Azure regions:

  • US (Phoenix, Virginia)
  • UK (London)
  • Asia Pacific (Tokyo)

Compliance and certifications

Splunk has attained a number of compliance attestations and certifications from industry-leading auditors as part of our commitment to adhere to industry standards worldwide and part of our efforts to safeguard customer data. For current compliance information, see Compliance at Splunk.

The following compliance attestations/certifications are available:

  • SOC 2 Type II: Splunk SOAR (Cloud) has an annual SOC 2 Type 2 audit report issued. The SOC 2 audit assesses an organization's security, availability, and confidentiality processes to provide assurance about the systems that a company uses to protect customers' data. If you require the SOC 2 Type 2 attestation to review, contact your Splunk sales representative to request a copy.
  • ISO 27001: Splunk SOAR (Cloud) is ISO/IEC 27001:2022-certified. ISO/IEC 27001:2022 is a standard for an information security management system, specifying the policies and procedures for all legal, physical, and technical controls to help organizations minimize risk to information. Additionally, Splunk SOAR (Cloud) is ISO/IEC 27017:2015 and ISO/IEC 27018:2019 certified, which extends the information security management system to support security for cloud service providers and personally identifiable information (PII) in public cloud computing. If you require the ISO 27001, 27017, or 27018 certificates to review, contact your Splunk sales representative to request copies.
  • Health Insurance Portability and Accountability Act (HIPAA): Splunk SOAR (Cloud) is compliant with the HIPAA Security Rule and requirements. These regulations establish standards for safeguarding protected health information.
  • Information Security Registered Assessors Program (IRAP): Splunk attests Splunk SOAR (Cloud) against the PROTECT level of the IRAP standard. The IRAP standard allows the Commonwealth of Australia and commercial customers to run sensitive workloads by using an IRAP assessed Splunk Cloud Platform environment, inclusive of Splunk SOAR (Cloud), in Australia (AWS Sydney region).
  • Payment Card Industry Data Security Standard (PCI DSS): Splunk attests Splunk SOAR (Cloud) for compliance with the PCI DSS v4.0 standard. This standard applies to any entity that processes, transmits, or stores payment card data as well as their critical service providers.

If your data must be maintained in a regulated cloud environment to assist you with meeting your compliance needs, Splunk SOAR (Cloud) provides these optional subscriptions. Not all features may be available in regulated cloud environments. See feature-specific documentation for more details.

  • FedRAMP Moderate: Splunk SOAR (Cloud) FedRAMP is authorized by the General Services Administration FedRAMP PMO at the Moderate Impact Level. Splunk SOAR (Cloud) FedRAMP addresses the needs of the U.S. Government, State and Local customers, educational institutions, and commercial customers who seek FedRAMP authorized services, and allows them to run sensitive workloads in the cloud. This subscription is available in the AWS GovCloud region, which is an isolated region designed to address specific regulatory and compliance requirements. Cryptographic modules used in the Splunk SOAR (Cloud) FedRAMP offering are FIPS 140-2 validated encryption modules. If you require the FedRAMP compliance report to review, contact your Splunk sales representative to request a copy.

Data collection

Splunk SOAR (Cloud) provides software and APIs that let you ingest data from your applications, cloud services, servers, network devices, and sensors into the service. The following sections describe how you can send data to Splunk SOAR (Cloud).


Splunk App for SOAR Export

Splunk SOAR (Cloud), and Splunk SOAR (On-premises) can use the Splunk Cloud Platform as a source of data by ingesting events. The Splunk App for SOAR Export is required to configure Splunk Enterprise or Splunk Cloud Platform as a data source for getting data into Splunk SOAR (Cloud) or Splunk SOAR (On-premises). For additional information, see Splunk App for SOAR Export.

Splunk App for SOAR

Splunk SOAR (Cloud) and Splunk SOAR (On-premises) can use the Splunk Cloud Platform as a source of alerts, reporting, and dashboarding SOAR content. The Splunk App for SOAR is required to configure Splunk Enterprise or Splunk Cloud Platform to receive data from Splunk SOAR (Cloud) or Splunk SOAR (On-premises). For additional information, see Splunk App for SOAR.

Splunk SOAR Apps/Connectors

Splunk SOAR (Cloud), and Splunk SOAR (On-premises) have applications (also called connectors) that provide an on-poll capability to ingest data from an integration. This integration provides all the necessary information and creates the necessary items within Splunk SOAR. For more information, see Add and configure apps and assets to provide actions in Splunk SOAR (Cloud) or Develop Apps for Splunk SOAR (Cloud).

Splunk SOAR (Cloud) REST API

Splunk SOAR (Cloud) has REST API definitions to allow customers to build custom ingestion scenarios as needed. For more information, see REST API Reference for Splunk SOAR (Cloud).

Additional information about data collection

Encryption in transit

For security, data in transit is TLS 1.2+ encrypted. Senders and receivers authorize each other, and HTTP-based data collection is secured using token-based authentication.

Encryption at rest

Data stored in the database and files stored on disk are encrypted using AES 256-bit.


IP allow list

You can specify that data is collected only from allowed IP addresses. File a support ticket for Splunk to assist you with this task.

Differences Between Splunk SOAR (Cloud) and Splunk SOAR (On-premises)

Splunk SOAR (Cloud) delivers the benefits of Splunk SOAR (On-premises) as a cloud-based service, with some differences. Although Splunk SOAR (On-premises) (formerly, Splunk Phantom) and Splunk SOAR (Cloud) share many similarities, there are a few restrictions within Splunk SOAR (Cloud) to consider before deciding whether or not to purchase Splunk SOAR (Cloud). Consider the following restrictions before purchasing and migrating to Splunk SOAR (Cloud):

Area Difference
Restoring Splunk SOAR (On-premises) or Splunk Phantom Splunk SOAR (Cloud) does not currently allow migration of any native data from Splunk SOAR (On-premises) instances. This data includes containers, artifacts, notes, comments, and playbook and action runs data. A recommended alternative method is to use the Splunk App for SOAR to move relevant data to Splunk Cloud Platform for retention.
Playbook Execution Playbook execution settings are usually managed with the Splunk resource management processes. See Run playbooks in parallel with vertical scaling in the Administer Splunk SOAR (On-premises) manual. However, the resource management process capability has been removed from Splunk SOAR (Cloud). Splunk does manage these on behalf of the customer to ensure the maximum allowable performance within the configuration provided.
Clustering Splunk Cloud Platform controls the configuration and resources allocated to the Splunk SOAR (Cloud) environment. You can no longer configure or monitor a clustered environment.
Multitenancy Multitenancy is discontinued. Contact OnDemand Services for help reconfiguring your environment from multitenancy to using a robust role-based access control and appropriate container labels to mirror the functionality of multitenancy. See Splunk Expert and Adoption Services.
Telemetry Telemetry is necessary for Splunk Cloud Platform to provide an appropriate application environment. In Splunk SOAR (Cloud), telemetry is not user configurable. See Share data from Splunk SOAR in the Administer Splunk SOAR (Cloud) manual.
Authentication LDAP and OpenID options are removed. Splunk recommends that you use a SAML2 provider to give the best protection and security options for your authentication needs. For more information, see Users and authentication.
Mobile Mobile device configuration is removed from Splunk SOAR (Cloud).
TCP port 25 Splunk SOAR (Cloud) does not provide access for outbound connections nor exceptions for TCP port 25. The nature of the content and capabilities of the SOAR platform allow an unsecured connection to deliver email messages of a sensitive nature without a way to ensure a proper level of encryption or acceptable recovery processes. Splunk SOAR (On-premises) does and will provide outbound access for cloud to cloud connections for appropriate SMTPS ports like 587, 465, or a customized port. Customers who still require TCP port 25 SMTP support can do so within their internal environments through the Automation Broker.
No custom pip installations phenv python pip install installations aren't allowed in Splunk Cloud environments. This might impact your imported custom functions. Make sure you review the import statements in your custom functions. See Specifying pip dependencies in the Develop Apps for Splunk SOAR (Cloud) manual.
API endpoints Splunk SOAR (Cloud) supports additional API endpoints not available in Splunk SOAR (On-premises). See html_file_to_pdf and html_string_to_pdf in the Python Playbook API Reference for Splunk SOAR (Cloud) manual.

Maintenance

This section describes the maintenance responsibilities handled by Splunk or you, the customer.

Splunk maintenance responsibilities

The following sections describe the maintenance responsibilities and tasks that Splunk does on your behalf.

Gets you started

When you first subscribe to Splunk SOAR (Cloud), Splunk sends you a welcome email containing the information required for you to access your Splunk SOAR (Cloud) deployment and get started. This email contains a lot of important details, so keep it handy.

Assists you with supported tasks

Splunk SOAR (Cloud) allows you to customize the SOAR platform through the SOAR administration page along with installing apps/connectors and playbooks. However, there are features in Splunk SOAR (Cloud) that require assistance from Splunk to activate or make changes to your configurations, such as IP allow listing or data retention settings. When you file a support ticket, Splunk will perform such changes on your behalf. For these types of customer-initiated changes, it is performed per customer necessity and the customer contact in the Support Case will receive notice of customer-initiated changes once the work is scheduled. During these types of customer-initiated changes, services might be available but degraded. In most cases, login will be impacted for no more than 10 minutes. You will receive email notices from Splunk Support when such maintenance is starting and when it is complete.

Upgrades and expands your subscriptions

By default, you will receive the current version of Splunk SOAR (Cloud) and a current version of Splunk-certified SOAR Connectors (Apps) through Splunk-initiated Service Updates. Current Splunk Cloud Platform and Premium App versions are in the Supported versions section of this service description. To ensure efficiency and agility, you will be assigned to a cohort and an upgrade window where your SOAR deployment is located. This window is normally between 1:00 AM and 3:00 AM local to the SOAR deployment location. Example: A SOAR deployment located in the AWS Sydney region would be updated 1:00 AM Sydney time (+10 hours GMT). As Splunk releases new features of Splunk SOAR (Cloud), your cohort will be notified by Splunk of the upcoming maintenance window.
Note the following operational information regarding Splunk-initiated maintenance windows:

  • There is no modification of the upgrade delivery timeline from a customer request. All deployments will be updated and only delayed by the Splunk-initiated internal release change process from Product Engineering. Customers will be notified as soon as we know the delays.
  • There is normally a monthly Service Update when we deliver the latest features set for our customers and users OR a monthly Routine Maintenance for non-feature-related enhancements. Splunk reserves the right to not conduct an update if there isn't a need to do so.
  • Splunk will notify your Operational Contacts at least 14 days in advance for Service Updates OR Routine Maintenance. We will also try to include the nature of the features or fixes for the announced Service Update or Routine Maintenance notification.
  • Our communications will provide specifics whether any service will be degraded or unavailable during the maintenance window.
  • Splunk will make commercially reasonable efforts to notify your Operational Contacts in the rare occurrence of an unscheduled Emergency Maintenance. Our communications will provide specifics whether any customer action such as updates to data ingestion, automation mechanisms and applications is required.
  • We expect that newly provisioned customers will be upgraded to the latest features within 7 days of provisioning using our Emergency Maintenance process and will endeavor to notify customers of their upgrade. Those systems provisioned after the 7-day window should also be at the latest product version.

Monitors Splunk SOAR (Cloud) uptime and security

Splunk continuously monitors the status of your Splunk SOAR (Cloud) environment to ensure uptime and availability. We look at various health and performance variables such as the availability of the webserver, uptime of critical processes, and system resource utilization. Splunk maintains the following:

  • We aim for 100% uptime per the Splunk Cloud Service - Service Level Schedule
  • 5.3 days' worth of point-in-time snapshots, taken every 6 hours, of your Splunk SOAR (Cloud) database and filesystem
  • Historical application logs from Splunk SOAR (Cloud)
  • A rolling 7-day collection of live health metrics, which allow Splunk to proactively detect problems in your Splunk SOAR (Cloud) environment

See also the information in the Manage Splunk SOAR (Cloud) users regarding the Administrator and system user roles, and the certification of Splunk SOAR (Cloud) by independent third-party auditors to meet the SOC2 Type II security standard.

Your maintenance responsibilities

The following section describes your maintenance responsibilities and tasks.

Keep Operational Contacts up-to-date

Ensure that the Operational Contacts listed in your Splunk.com support portal are accurate and updated as necessary. Operational Contacts are notified when your Splunk SOAR (Cloud) environment undergoes maintenance, requires configuration awareness, or experiences a performance-impacting event. These contacts will receive regular notifications of planned and unplanned downtime, including scheduled maintenance window alerts and email updates related to incident-triggered cases.
For information on the Splunk Cloud Service Maintenance Policy see the Service terms and policies section.

Review Splunk SOAR (Cloud) documentation

Splunk will attempt to notify your Operational Contacts at least 14 days in advance for Service Updates and Routine Maintenance. To ensure your Splunk SOAR (Cloud) environment and your team are ready, review the following sections in the Splunk SOAR (Cloud) Release Notes prior to the maintenance:

Service terms and policies

Splunk SOAR (Cloud) is delivered through Splunk Cloud Platform. See Splunk Cloud Platform documentation to access important terms and policies that pertain to the Splunk Cloud Platform.

Network connectivity and data transfer

You access your Splunk SOAR (Cloud) environment via public endpoints, except for DoD IL5 environments. By default, for both Splunk SOAR (Cloud) access and sending your data, traffic from your network is encrypted, sent over the public internet and then routed to your Splunk (Cloud) environment in a Virtual Private Cloud (VPC). If you choose to use private connectivity instead of the public internet to access Splunk SOAR (Cloud) and send your data, you are responsible for ensuring connectivity between your users or data sources and the Splunk SOAR (Cloud) public endpoints. These public endpoints are protected using firewall rules and customers can also specify additional access control rules using their IP allow list. See the Splunk Cloud Platform service limits and constraints section for the available customer-defined rules and size limits.
You can restrict data collection from only allowed IP addresses; you can file a support ticket for Splunk to assist you with this task.

Security

The security and privacy of your data is of the utmost importance to you and your organization, and Splunk makes this a top priority. Splunk Cloud Platform service is designed and delivered using key security controls described in the following sections.

App security

All Splunk apps hosted on Splunk Cloud Platform by Splunk are examined by Splunk engineers to ensure that they comply with the Vet apps and add-ons for Splunk Cloud Platform. Splunk Cloud Platform vetting provides a set of best practices for app developers. For details about how to submit an app for evaluation for Splunk Cloud Platform readiness, see the Splunk Developer web page.
Splunk SOAR (Cloud) connectors (apps) also follow the process just described, but the submission process is slightly different. Refer to the Splunk SOAR Connectors for details. For information on how to build a Splunk SOAR (Cloud) connector (app), see the Develop Apps for Splunk SOAR (Cloud).

Data handling

You can store your data in one of the available AWS regions. See Available regions for global regions supported in the Splunk Cloud Platform service.

Data is kept in the region you choose. If you need to store your data in more than one region, you can purchase multiple subscriptions. Data is retained in Splunk Cloud Platform according to the volumes, durations, and index configurations you set. Expired data is deleted based on your pre-determined schedule.

For the purposes of disaster recovery, your configuration and recently-ingested data is backed up on a rolling seven-day window. If you require your ingested data to be moved into your control before the termination of your subscription, this is accomplished through a Splunk Professional Services engagement.

Instance security

Every Splunk Cloud Platform deployment runs in a secured environment on a stable operating system and in a network that is hardened to industry standards using a default-deny firewall policy, which permits access only to specific IP addresses and services. Your deployment is regularly scanned for host- and application-level threats.

Isolation of data and service

In the cloud, your data is logically isolated from other customers' data, so your performance and data integrity cannot be affected by other customers who are using the Splunk Cloud Platform service.

Security controls and background screening

Splunk security controls are described in our most recent Service Organization Control II, Type II Report (SOC 2/Type 2 Report). For more information about regions for which Splunk does not have SOC2 controls in place, see the Splunk Cloud Platform Security Addendum. Splunk conducts criminal background checks on its employees prior to hire, as permitted by law.

User authentication and access

You can configure authentication using local authentication provided by Splunk SOAR (Cloud) and single sign-on using any SAML v2 identity provider. To control what your Splunk SOAR (Cloud) Platform users can do, you assign them roles that have a defined set of specific capabilities. Splunk SOAR (Cloud) Platform allows you to configure account policies that require unique user names, minimum password length, and regular password resets with supported SAML v2 identity providers. To use multifactor authentication, customers must configure a SAML v2 identity provider that supports multifactor authentication. Only SHA-256 signatures in the SAML message between your IdP and Splunk Cloud Platform are supported.

See also

For more information about See
User authentication Users and authentication
Splunk data privacy, security and compliance Splunk Protects
Availability of service components between the AWS regions Available regions

Self-service capabilities

The table lists common Splunk SOAR (Cloud) self-service tasks. For more information regarding these self-service tasks, refer to the respective Splunk SOAR (Cloud) manual.

Area Example tasks Interface
Applications / Connectors Configure Integrations

Develop Applications

 Splunk SOAR (Cloud)
Health monitoring Platform performance

Active users

Ingestion

 Splunk SOAR (Cloud)
Ingestion Application On Poll

Splunk App for SOAR Export

 Splunk SOAR (Cloud)

Splunk Web

Network Connectivity and Data Transfer IP Allow List management

Outbound Port Management

Export Expired Data

 Via Splunk Support

Not Available

Not Available

Splunkbase and private app Installation and updates Splunk SOAR (Cloud)
Users and Authentication Manage user and roles

Configure central authentication

Manage authentication tokens

 Splunk SOAR (Cloud)

Splunk SOAR (Cloud)

Splunk SOAR (Cloud)

Service level agreement

Splunk provides an uptime SLA for Splunk Cloud Platform. You will receive service credits in the event of SLA failures, as set forth in our current SLA schedule. As Splunk SOAR (Cloud) is offered uniformly across all customers, the SLA cannot be modified on a customer by customer basis.

Splunk SOAR (Cloud) is considered available if you are able to log into your Splunk SOAR (Cloud) Service account and start using the Splunk SOAR software. Splunk continuously monitors the status of each Splunk SOAR (Cloud) environment to ensure the SLA. In addition, Splunk Cloud Platform monitors several additional health and performance variables, including but not limited to the following:

  • Ability to log into Splunk SOAR (Cloud) (non-SAML)
  • Ability to access Splunk SOAR (Cloud)
  • Ability to access a Splunk SOAR REST API endpoint

Splunk adds predefined system users and system roles to all Splunk SOAR (Cloud) environments. Splunk leverages system users or roles to perform essential monitoring and maintenance activities in Splunk SOAR (Cloud) environments. Customers are advised to not delete or edit system users or roles because they are essential to perform monitoring and maintenance activities in Splunk SOAR (Cloud) environments.

See also

For more information about See
Splunk SOAR (Cloud) system users Manage Splunk SOAR (Cloud) users and roles in the Splunk SOAR (Cloud) Admin manual
SLA for Splunk Cloud Platform Splunk Cloud Service - Service Level Schedule

Service limits and constraints

The following are Splunk SOAR (Cloud) service limits and constraints within Splunk Cloud Platform. You can use this list as guidance to help ensure the best Splunk SOAR (Cloud) experience. Keep in mind that some limits depend on a combination of configuration, automation designs, system load, performance, and available resources. Contact Splunk if your requirements are different or exceed what is recommended in this table.

Splunk Cloud Platform service limits and constraints

Category Service component Limitation Additional information
Connectors / Apps Private apps unlimited There is no limit to the number of connectors installed. Platform storage space is impacted by the app data and state of ingested objects until the app is removed.
Email notifications Maximum number of email recipients 50 This is a hard limit of the Splunk Cloud Platform email relay service. Use an email distribution list to increase the number of email recipients.
Email notifications Maximum email attachment size 10 MB This is a hard limit of the Splunk Cloud Platform email relay service.
Ingestion Maximum number of Events created per Splunk SOAR (Cloud) environment 750 events per hour The maximum limit to the number of events per hour for the Splunk SOAR (Cloud) environment. Events over this limit can be ingested and processed based on the automation used. Performance is dependent on a number of concurrent users, size and playbook design and customized code usage.

Note: The Splunk SOAR (Cloud) is regression tested to ensure

  • At least 61,000 events per hour with no automation
  • Approximately 4800 events per hour with automation
  • Automation consists of 2 playbooks and 5 actions per playbook per hour

Our acceptable regression is 100% processed. Tests for events and playbooks are processed serially.

Custom Lists Maximum collection size 256 MB The maximum size of a JSON Blob (JBLOB) that is tested with the Splunk SOAR (Cloud) environment.
Database Storage Total maximum size 600 GB The maximum size of RDS Database Store in each deployment per Splunk SOAR (Cloud) environment.

Note: This sizing is sufficient for at least two years of typical use. You can purchase additional storage by contacting your Splunk Account team.

Vault Storage Total maximum size 600 GB The maximum configured size of System File Store in each deployment per Splunk SOAR (Cloud) environment.
Other Splunk SOAR (Cloud) ID For AWS regions, a minimum of 2 characters and a maximum of 22 characters. Any lowercase letter from the alphabet, any number from 0 to 9, and the hyphen character are allowed. All other ASCII characters are not allowed. Unique Splunk SOAR (Cloud) name chosen by you that determines your URL at [Splunk Cloud Platform ID].soar.splunkcloud.com or [Splunk Cloud Platform ID].soar.splunkcloudgc.com

The Splunk SOAR (Cloud) ID should not be the same as your Splunk Cloud Platform ID. Splunk has discretion to decline a submitted Splunk SOAR (Cloud) ID and can request that an alternative be selected.

Security IP allow list address rules per Splunk Cloud Platform environment in AWS regions 230 This is the aggregate hard limit of the IP allow list groups for the Splunk SOAR (Cloud) service. For example, the service limit is the aggregate of the IP allow list for collecting data and for sending search queries. Customers specify the IP address or IP address range that is permitted to access Splunk SOAR (Cloud). These are generically referred to as IP allow list rules. These rules can be configured to use CIDR blocks to maximize the IP allow list coverage.

Splunk premium solutions

For more information on purchasing the Splunk SOAR (Cloud) premium solution, contact your Splunk sales representative. Configuration of Splunk SOAR (Cloud) can be done by you or through a Splunk Professional Services engagement. See the Splunk SOAR documentation.

For information on other optional Splunk apps and premium solutions subscriptions on Splunk Cloud Platform. See Splunk Premium Solutions for details.

Splunkbase and private apps

SOAR Connectors (Apps) include features and functionality ranging from data ingest to unique and valuable action integrations. To ensure security and minimize effects on performance, only vetted and compatible apps can run on Splunk Cloud Platform. Note the following:

  • Splunkbase is the system of record for app vetting and compatibility with Splunk SOAR (Cloud). Any app that is listed as compatible with Splunk SOAR (Cloud) can be installed, inclusive of FedRAMP Moderate and DoD IL5.
  • For FedRAMP Moderate and DoD IL5, Splunk's scope of responsibility for apps and add-ons pertains only to apps that meet all the following criteria:
    • Splunk Certified which are Splunk Authored and Splunk Supported
    • Splunk Community which are Cloud Platform Compatible
  • Splunk provides support and maintenance for Splunk Supported Apps. In addition, Splunk Cloud Platform ensures compatibility for any installed Splunk Supported Apps before commencing Splunk Cloud Platform upgrades.
  • Splunk does not provide support or maintenance for apps published by any third-party developers. For any Developer Supported or Not Supported Apps, you need to ensure compatibility with Splunk Cloud Platform.
  • Compatibility of Developer Supported or Not Supported Apps is asserted by the developers of those apps. Splunk does not perform compatibility testing of third-party apps with specific versions of Splunk Cloud Platform.
  • Splunk support will not be able to assist in tailoring the Splunkbase apps to your use case. For apps that grant you the license to customize, you will need to perform the customization yourself or through a Splunk Professional Services engagement.

For more information, see the following:


Apps that are Splunk SOAR (Cloud) vetted and compatible are listed in either the app browser in Splunk Web or through Splunkbase. For more information about self-service app installation, see Add and configure apps and assets to provide actions in Splunk SOAR (Cloud).

Apps you create to support your business needs are called private or custom apps and these apps can also be self-service installed on Splunk SOAR (Cloud). During the private app installation, Splunk will automatically validate your app for Splunk SOAR (Cloud). Private apps that are developed wholly by you are owned by you and any customization of your private app is outside the scope of the Splunk SOAR (Cloud) subscription.

For more information about apps, see the following topics in the Splunk Cloud Platform Admin manual:

Storage and Data Retention

This section describes the data retention policy. For database and vault storage limitations, see the Service limits and constraints section of this article.

When you send data to Splunk SOAR (Cloud), it is stored in a Block Storage and Database Storage. Splunk SOAR (Cloud) retains data based on SOAR retention settings that allow you to specify when data is to be deleted. By default, there are no retention levels set. To configure different data retention settings for different sources of data, store the data in separate areas according to the desired retention policy. You can configure different data retention policies for individual storage models according to your auditing and compliance requirements. For more information on Splunk SOAR (On-premises) Storage Models, see Use data retention strategies to schedule and manage your database cleanup. Data retention configuration in SOAR (Cloud) requires a Splunk support request.

Each model lets you specify the maximum age of events and units of measure in the model that the service uses to determine when to delete data. A cron job runs daily, pruning the model to the specified maximum size and, when events reach the specified maximum age, deleting the oldest event-related data. When data is deleted from the model, it is no longer searchable or visible by Splunk Cloud Platform.

Subscription types

Your subscription to the Splunk SOAR (Cloud) service is user-based. It includes either Standard Success Plan or Premium Success Plan. For more information, refer to the Splunk Success Plan.

User-based subscription

This subscription is based on the user capacity which aligns to the resource capacity consumed, rather than the data volume ingested. Your subscription entitles you to the user resources purchased. This subscription meters the number of named users, but does not limit the number of user accounts added to the system. You can add more users and/or load and operate the service to your desired performance objective. Splunk SOAR (Cloud) is configured with a finite amount of resources. There are many factors that go into performance. As necessary, you can purchase additional resource capacity by increasing your number of users to improve performance. You purchase units of storage blocks based on your data retention requirements for your user-based subscription.

For information on license types, see View your Splunk SOAR (Cloud) license.

Data policies

Splunk Cloud Platform administers your data according to the following policies:

  • Your user-based subscription entitles you to the purchased workload resources to adequately support that user base. This subscription meters the number of named users, but does not limit the number of user accounts added to the system.
  • Your user-based subscription has a finite amount of resources. Apps/Connectors, Playbooks, and Events forwarded to your Splunk SOAR (Cloud) all play a part in the performance of the resources assigned.

To see current and past daily data ingestion information in Splunk SOAR (Cloud) to monitor health and storage sizes. For more information, see View how much data is ingested in Splunk SOAR (Cloud) using ingestion summary and View your Splunk SOAR (Cloud) license. Splunk recommends you set up alerts in the Splunk system to monitor your license usage and system health. The Splunk App for SOAR and ITSI have integrations to monitor Splunk SOAR (Cloud) and Splunk SOAR software operational aspects.

Subscription expansions, renewals, and terminations

You can expand aspects of your Splunk SOAR (Cloud) subscription any time during the term of the subscription to meet your business needs. You can optionally add subscriptions to do the following:

  • Increase your user-based subscription level.
  • Add additional storage capacity in 500 GB increments to store more data.

You will receive renewal notifications starting 60 days prior to the end date of your current subscription term. For more information on subscription renewals, contact your Splunk sales representative. If your Splunk SOAR (Cloud) subscription expires, it is considered terminated. The policy for terminated Splunk SOAR (Cloud) subscriptions specifies:

  • Your ability to ingest data stops 7 days following termination.
  • Your data is deleted 31 days following termination.

If you require your SOAR data to be moved into your control before the termination of your subscription, this is accomplished through a Splunk Professional Services engagement.

Supported versions

This section lists the supported versions for Splunk SOAR (Cloud), along with Python interpreters. For supported versions of other Splunk products, refer to their individual service descriptions.

Current Splunk SOAR (Cloud) version

As of May 2025, the following is the supported Splunk SOAR (Cloud) version.

Date Splunk SOAR (Cloud) version
May 2025 6.4.1

Supported Python version

The following is the supported Python interpreter for current Splunk SOAR (Cloud) version.

For more information on Python 2.x deprecation and support on Splunk Cloud Platform, see Prerequisites for migrating from Splunk Phantom to Splunk SOAR (Cloud).

Splunk SOAR version Supported Python interpreters
Current 3.9

Technical support

Splunk SOAR (Cloud) subscriptions include either Standard Success Plan or Premium Success Plan. For more information regarding Splunk SOAR (Cloud) support terms and program options, see Splunk Support Programs. You should also note the following:

  • Splunk SOAR (Cloud) offers multiple options to automate your data so it is your responsibility to ensure the correct data model method is configured for your data sources.
  • Splunk SOAR (Cloud) allows you to perform user, playbook, and app management via Splunk SOAR (Cloud). Any customization of Splunk SOAR (Cloud) vetted and compatible apps is also your responsibility.
  • To use multifactor authentication for your Splunk SOAR (Cloud) user accounts, you must use a SAML v2 identity provider that supports multifactor authentication. It is your responsibility to ensure your Splunk SOAR (Cloud) user accounts are properly configured for multifactor authentication.
  • You can choose to leverage the optional Admin on Demand Services to quickly request technical adoption assistance from remote Splunk technical consultants. The Splunk technical consultants can assist you with tasks, such as index creation, building lookups and dashboards, assist with data on-boarding plus install Splunk Cloud Platform vetted and compatible apps.
  • There are features in Splunk Cloud Platform that require assistance from Splunk to activate or change your configuration, such as real-time search and allowing AWS Kinesis Data Firehose data to be received. When you file a support ticket, Splunk will activate such features on your behalf.

See also

For more information about See
Admin on Demand Services Admin On Demand data sheet and catalog
Performing user, playbook, and app management Splunk SOAR (Cloud) Admin Manual

Users and authentication

An initial global administration account is provided for access upon provisioning of the environment. Splunk SOAR (Cloud) that allows you to configure local account policies that require unique usernames, minimum password length, and password resets. You are responsible for creating and administering your users' accounts, the roles assigned to them, the authentication method they use, and global password policies. To control what your Splunk SOAR (Cloud) users can do, you assign them roles that have a defined set of specific capabilities or roles.

Roles give Splunk Cloud Platform users access to features in the service, and permission to perform tasks within the Splunk SOAR (Cloud) service. Each user account is assigned one or more roles. Splunk uses the Admin role and system user roles to perform essential monitoring and maintenance activities. You might observe the Admin and system user roles authenticating against your Splunk Cloud Platform environment as part of Splunk's performing monitoring and maintenance activities. These activities are performed in accordance with a comprehensive security program designed to protect your data's confidentiality, integrity, and availability in accordance with the highest industry standards. Splunk Cloud Platform has been certified by independent third-party auditors to meet the SOC2 Type II security standard, as described in Compliance and certifications. You should not delete or modify these system users or roles.

Splunk SOAR (Cloud) provides several default roles like the admin role, which has the capabilities required to administer Splunk SOAR (Cloud). You can learn more about all the roles available by reviewing Manage roles and permissions in Splunk SOAR (Cloud). Splunk SOAR (Cloud) does not support direct access to infrastructure, so you do not have command-line access to Splunk Cloud Platform. This means that any supported task that requires command-line access is performed by Splunk on your behalf.

Splunk recommends customers use the enterprise best practice to configure their user accounts to be authenticated using a centralized Identity Providers (IdP) that use SAML authentication for single sign-on (SSO). To use multifactor authentication for your Splunk Cloud Platform user accounts, you must use a SAML v2 identity provider that supports multifactor authentication. Token-based authentication is supported for automation-type users.

Only SHA-256 signatures in the SAML message between your IdP and Splunk SOAR software are supported. You are responsible for the SAML configuration of your IdP including the use of SHA-256 signatures.

See also

For more information about See
Users and roles Manage Splunk SOAR (Cloud) users and roles in the Splunk SOAR (Cloud) Admin manual
Single Sign On Configure Splunk SOAR (Cloud) to use SAML for authentication tokens in the Splunk SOAR (Cloud) Admin manual
Token-based authentication "Create an automation user in Splunk SOAR (Cloud)" in Configure Splunk SOAR (Cloud) to use SAML for authentication tokens in the Splunk SOAR (Cloud) Admin manual
Last modified on 27 May, 2025
 

This documentation applies to the following versions of Splunk® SOAR (Cloud): current

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters