Splunk® SOAR (On-premises)

Release Notes

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Welcome to 5.2.1

As of this release, Splunk Phantom is .

If you are new to , read About in the Use manual to learn how you can use for security automation.

Begin your installation by reviewing the following documentation:

Planning to upgrade to from an earlier Splunk Phantom version?

If you plan to upgrade to this version from an earlier version of , read Prepare your deployment for upgrade in the Install and Upgrade manual.

requires incremental upgrades from earlier Splunk Phantom versions. Do not skip any required versions when upgrading .

For example, if you wish to upgrade to Splunk SOAR 5.2.1 from Splunk SOAR 5.0.1, you will first need to upgrade Splunk SOAR to 5.1.0 before upgrading to Splunk SOAR 5.2.1.

What's new in 5.2.1

This release of includes the following enhancements.

Feature Description
Federal Information Processing Standard (FIPS) support
New, unprivileged deployments of Splunk SOAR (On-premises) can be created in a FIPS compliant mode.

The underlying operating system kernel must be in FIPS mode.

To learn more, see:

App, asset, and playbook relationship changes
In earlier releases, apps were linked to assets or playbooks in a many-to-many relationship using a combination of product_version, product_name, and product_vendor fields. In Splunk SOAR (On-premises) 5.2.1, apps each have a unique app_id and are linked to assets or playbooks in one-to-many relationships. During an upgrade to Splunk SOAR (On-premises) 5.2.1, apps, assets, and playbooks are migrated to this new schema.
  • During an upgrade, if multiple apps share a single asset, each app after the first clones the associated asset, then the app uses that clone.
  • If a playbook used an asset which was cloned, the playbook is not automatically updated to use the new, cloned asset. You must manually identify and update playbooks to use the correct asset, using a command line tool.
    The tool outputs a list of affected apps and playbooks.
    phenv python3 /opt/phantom/www/manage.py validate_app_asset_migration
  • You must manually re-enter any passwords or secret environment variables on assets that were cloned.
  • These Splunk-supported apps are affected by this change: LDAP assets are cloned for WMI because LDAP assets are WMI assets. The opposite is also true. This means you must reconfigure assets for both the LDAP and WMI apps.
  • The asset API has been updated to support using the app_id or app_guid. See REST Asset in the REST API Reference for .
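
The migration rule in the list above, modelled as an added example (not Splunk's code, and not a substitute for validate_app_asset_migration): given a constructed inventory, it lists which cloned assets will need secrets re-entered and which playbook actions still reference the pre-clone asset. The record layout, the `_clone_` naming, and treating the first matching app as the one that keeps the original asset are assumptions.

```python
from collections import defaultdict

KEY = ("product_vendor", "product_name", "product_version")

# Constructed inventory for illustration; not taken from a real deployment.
APPS = [
    {"app_id": 101, "name": "LDAP", "product_vendor": "ExampleCorp",
     "product_name": "Directory", "product_version": "1"},
    {"app_id": 102, "name": "WMI", "product_vendor": "ExampleCorp",
     "product_name": "Directory", "product_version": "1"},
    {"app_id": 103, "name": "Mail", "product_vendor": "ExampleCorp",
     "product_name": "Mail Gateway", "product_version": "1"},
]
ASSETS = [
    {"name": "corp_directory", "product_vendor": "ExampleCorp",
     "product_name": "Directory", "product_version": "1"},
    {"name": "mail_gw", "product_vendor": "ExampleCorp",
     "product_name": "Mail Gateway", "product_version": "1"},
]
# Each playbook action is an (app_id, asset name) pair.
PLAYBOOKS = [
    {"name": "disable_user", "actions": [(101, "corp_directory")]},
    {"name": "host_triage", "actions": [(102, "corp_directory"), (103, "mail_gw")]},
]

def plan_migration(apps, assets, playbooks):
    """Return (cloned assets needing secrets, stale playbook references)."""
    apps_by_key = defaultdict(list)
    for app in apps:
        apps_by_key[tuple(app[k] for k in KEY)].append(app)
    uses, reenter = {}, []   # uses: (asset, app_id) -> asset used after upgrade
    for asset in assets:
        for n, app in enumerate(apps_by_key[tuple(asset[k] for k in KEY)]):
            target = asset["name"]
            if n > 0:  # every app after the first gets its own clone
                target = f'{asset["name"]}_clone_{app["app_id"]}'  # hypothetical name
                reenter.append(target)  # clone must have its secrets re-entered
            uses[(asset["name"], app["app_id"])] = target
    stale = []  # playbook actions still pointing at the pre-clone asset
    for pb in playbooks:
        for app_id, asset_name in pb["actions"]:
            target = uses.get((asset_name, app_id), asset_name)
            if target != asset_name:
                stale.append((pb["name"], asset_name, target))
    return reenter, stale

if __name__ == "__main__":
    print(plan_migration(APPS, ASSETS, PLAYBOOKS))
```
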
New UI for assigning orphaned assets
You can now assign orphaned assets to an App from the user interface.
  1. From Home > Apps > Orphaned Assets select the orphaned asset.
  2. Click Assign App.
  3. In the dropdown menu, select the App, then click Assign.
Visual Playbook Editor: The Action Block supports formatting for input fields
In the Visual Playbook Editor you can set the "Formatted input" property on input fields, giving you most of the formatting capabilities of the Format Block.

This allows:

  • Multi-line and formatted text inputs.
  • An option to toggle between datapath inputs and formatted text input.
  • Most of the 'placeholder values' from the Format Block can be used.
  • Lists are not supported.
Updated System Information UI
There is an updated UI for displaying system information about your deployment. To access the new display, select Home > Administration > About.

The interface displays:

  • Splunk SOAR version
  • The embedded Splunk Enterprise version and build
  • Server name
  • Operation mode, either privileged or unprivileged.
  • Type of deployment, either cloud or on-premises.
  • FIPS status
Update Parser app to version 2.4.9
Users should immediately upgrade the Parser App to version 2.4.9 from Splunkbase or the Phantom Portal.
Test input playbooks in the Visual Playbook Editor debugger
To test an input playbook:
  1. Open the playbook in the Visual Playbook Editor.
  2. Open the debugger from the tab in the lower right corner of the Visual Playbook Editor.
  3. In the top left corner of the debugger, click the adjustment bars icon.
  4. Add values for the playbook's inputs.
  5. Add the event id to test against.
  6. Click Test.
Last modified on 22 April, 2022

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.2.1

