Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

Splunk App for SOAR Export release notes

Welcome to release 4.3.22

Splunk App for SOAR Export release 4.3.22 was released on February 27, 2025.

Updates

This release of Splunk App for SOAR Export includes the following updates:

| Feature | Description |
| --- | --- |
| phantom_*.log files | Note: In release 4.3.21, this change was implemented for all phantom_*.log files, but was originally announced only for phantom_forwarding.log. Repeating the announcement here for visibility. To limit their size, all phantom_*.log files create a new version when they reach a certain size. Note that there will now be multiple files named phantom_*.log, with sequential numbers appended (for example, phantom_forwarding.log.1, phantom_forwarding.log.2, and so on). |
| Splunklib 2.1.0 | This version of Splunk App for SOAR Export is updated to use splunklib 2.1.0. |
| Adaptive Response Actions procedure update | To optimize throughput and performance and follow best practices, starting with Splunk App for SOAR 4.3.22, when running Adaptive Response Actions to send multiple artifacts to Splunk SOAR, Splunk App for SOAR Export now automatically sets the playbook to run only after the last artifact is added to the container. Previously, the playbook would run when each artifact was added. Technically, Splunk App for SOAR automatically sets the Splunk SOAR /rest/artifact API endpoint parameter run_automation to false for all but the last artifact. For the last artifact, it sets run_automation to true. For details on adaptive response actions, see Run adaptive response actions in Splunk ES to send notable events to Splunk SOAR. |
| Improved Adaptive Response Actions | Starting in this release, Splunk App for SOAR Export uses both the sid (search ID) and rid (result ID) to find the associated Enterprise Security information to be sent to SOAR. |
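The artifact ordering described in the Adaptive Response Actions update, as an added example (not code from Splunk App for SOAR Export): it builds the /rest/artifact request bodies for one container so that only the last one carries run_automation set to true. The transport class, the container ID, the sample artifacts and the success field in the stubbed response are assumptions made for illustration.

```python
import json
from typing import Callable, Iterable

ARTIFACT_ENDPOINT = "/rest/artifact"  # endpoint named in the release note


def build_artifact_requests(container_id: int, artifacts: Iterable[dict]) -> list:
    """Return one request body per artifact; only the last triggers automation."""
    items = list(artifacts)
    bodies = []
    for index, artifact in enumerate(items):
        body = dict(artifact)  # copy so the caller's dicts stay untouched
        body["container_id"] = container_id
        # False for all but the final artifact, so playbooks run once, after
        # the container holds the complete artifact set.
        body["run_automation"] = index == len(items) - 1
        bodies.append(body)
    return bodies


def send_artifacts(post: Callable[[str, str], dict], container_id: int,
                   artifacts: Iterable[dict]) -> int:
    """POST bodies in order, stop at the first failure, return the count accepted.

    A short count means the run_automation=true artifact was not accepted, so
    the caller can retry or alert instead of assuming a playbook ran.
    """
    accepted = 0
    for body in build_artifact_requests(container_id, artifacts):
        if not post(ARTIFACT_ENDPOINT, json.dumps(body)).get("success"):
            break
        accepted += 1
    return accepted


class RecordingTransport:
    """Hypothetical stand-in for an HTTP client; records requests, never connects."""
    def __init__(self, fail_on=None):
        self.sent, self.fail_on = [], fail_on

    def __call__(self, path: str, payload: str) -> dict:
        self.sent.append((path, json.loads(payload)))
        return {"success": len(self.sent) != self.fail_on}  # assumed response shape


# Constructed sample artifacts (documentation-range addresses).
SAMPLE_ARTIFACTS = [{"name": f"notable-{n}", "cef": {"sourceAddress": f"192.0.2.{n}"}}
                    for n in (1, 2, 3)]
```
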

Fixed issues in this release

This version of Splunk App for SOAR Export is a maintenance release and fixes multiple issues, including the following issues:

| Date resolved | Issue number | Description |
| --- | --- | --- |
| 2025-01-07 | PAPP-35146 | Adaptive Response Action "Send to SOAR" does not show as invoked in Adaptive Response Action list |
| 2025-01-06 | PAPP-34682 | Adaptive response action "Run Playbook in SOAR" playbook listing does not support double quotes |
| 2024-12-19 | PAPP-35182 | Random Adaptive Response Action failures with "IndexError: list index out of range" errors |
| 2024-12-11 | PAPP-34713 | Event Forwarding failed sending events with error on Windows |

Known issues in this release

This version of Splunk App for SOAR Export has the following known issues. If there are no issues listed, there are currently no known issues in this release.

Last modified on 27 February, 2025

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.3.22

