Splunk® SOAR (On-premises)

Release Notes

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Welcome to 5.0.1

As of this release, Splunk Phantom is .

If you are new to , read About in the Use manual to learn how you can use for security automation.

Begin your installation by reviewing the following documentation:

Planning to upgrade to from an earlier Splunk Phantom version?

If you plan to upgrade to this version from an earlier version of , read Prepare your deployment for upgrade in the Install and Upgrade manual.

requires incremental upgrades from earlier Splunk Phantom versions. Do not skip any required versions when upgrading .

For example, if you wish to upgrade to Splunk SOAR 5.0.1 from Splunk Phantom 4.9, you will first need to upgrade Splunk Phantom to 4.10.7.

What's new in 5.0.1

This release of includes the following enhancements.

Feature Description
Introducing an all new Playbook Editor This release introduces a new playbook editor. This playbook editor presents a vertical user interface, wider blocks for longer descriptions, labels for descriptions and filters, and UI-based configuration options for playbook APIs. Additionally, the playbook editor introduces "input" playbooks which allow for configuring input parameters supporting modular playbook design. Finally, output parameters can be defined for all playbooks adding to the modularity of playbooks. You have the option to choose between these playbooks and the classic playbooks to ensure existing playbooks can still be edited as necessary.

For more information on playbooks and classic playbooks, see Choose between playbooks and classic playbooks in in Build Playbooks with the Playbook Editor.

Telemetry for Playbook Editor The telemetry reports contain the following:
  • VPE version (Playbook or Classic Playbook)
  • The types of blocks in a playbook
  • The number of blocks in a playbook
  • Which hotkey shortcuts were used while editing a playbook
  • Specific SOAR (On-premises) features used in a playbook
  • Time in milliseconds it took for the Playbook Editor to load in the browser

See Share data from .

JSON logging format You can configure the logging format for JSON or plaintext.

See Configure the logging format.

Classic playbook API block You can fetch updated container data in the classic playbook API block.

See Advanced settings.

Global action concurrency limit The global action concurrency limit number now limits the maximum number of concurrent actions across . This number previously functioned in a per-asset way. The default is 150. If you're upgrading an existing instance, you'll notice that this number is automatically increased in your configuration to 150. You can tune this as needed for your environment. After changing this value, needs to be restarted for it to take effect.

See Set the global action concurrency limit.

Display playbook run input and output data in Investigation page Playbook run result, input and output data will be shown by clicking the playbook name in the Investigation page Activity panel.
Updated password requirements All new installations of require passwords to be at least 8 characters in length.
Increased the number of statuses for events and cases This release supports up to 30 statuses that can be applied to events and cases.
New configuration file During upgrade to this release, a new configuration file /opt/phantom/data/db/pg_ident.conf is created to allow the root user to connect to a local database as the postgres user. This enhancement addresses a permissions issue that exists in earlier releases when performing a privileged installation using a local database.
Elasticsearch support Added support for Elasticsearch version 7 as an external instance for search. See Configure to use an external Elasticsearch instance for search.
Last modified on 01 October, 2021
  NEXT
Known issues for

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.0.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters