Splunk® SOAR (On-premises)

Release Notes

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Welcome to 5.5.0

If you are new to , read About in the Use manual to learn how you can use for security automation.

If your deployment uses the Splunk SOAR Automation Broker see the Release Notes for the concurrent release.

Deprecated features

The following features are deprecated as of release 5.5.0. Although these features continue to function, support might be removed in a future release.

  • Support for DUO 2FA is deprecated.
  • Support for OpenID as a identity provider is deprecated.

What's new in 5.5.0

This release of includes the following enhancements.

Feature Description
Support for Red Hat Enterprise Linux 8 You can now install 5.5.0 and higher on hosts running Red Hat Enterprise Linux 8.0 through 8.7.

Organizations which use CyberArk for credential management must use RHEL 8 for Splunk SOAR (On-premises) release 5.5.0 or later in order to use CyberArk release 12.6. See Use CyberArk with Splunk SOAR (On-premises).

Support for Amazon Linux 2 You can now install 5.5.0 and higher on hosts running Amazon Linux 2.
Performance improvement for Indicators To improve performance a change was made to polling and filtering data for the Indicators feature.

If an event contains an artifact larger than 4KB then no Indicator is created or displayed in Home menu > Indicators for the event.
This change only affects new deployments of .

User-based data paths In Prompt playbook blocks, you can now choose to prompt newly defined, dynamic users and roles. New prompt options include Event owner and Playbook run owner. For details, see Require user input using the Prompt block in your playbook and prompt2 in the Playbook automation API article.
Custom Functions - List output type Custom functions now have the concept of output types. There are now two output types:
  • Item - The original, and now default, output type.
  • List - New output type. Creates and returns a list of items.

Existing playbooks and code using existing custom functions are not affected.
If you have existing custom functions that use the item output type, you can edit and resave the custom functions to use the list output type. For details, see Add custom code to your playbook with a custom function.

Smart block context for playbooks in the Visual Playbook Editor If you change the name of a block, that changed name will now automatically update in any downstream datapaths that refer to that block.

If you make configuration changes to a block that modify its output datapaths, a warning message displays on any downstream blocks that used the affected datapaths before they were modified. The message notifies you that you must update those downstream blocks to account for the affected datapaths.

Automation Broker key rotation A new menu item was added to the user interface to get new credentials for Automation Brokers whose credentials have expired. See Rotate the encryption keys for the Splunk SOAR Automation Broker in Set Up and Manage the Splunk SOAR Automation Broker for more information.


See also

Last modified on 30 October, 2024
  Known issues for

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.5.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters