Splunk® SOAR (On-premises)

Release Notes

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Welcome to Splunk SOAR (On-premises) 6.0.2

If you are new to , read About in the Use manual to learn how you can use for security automation.

If your deployment uses the Splunk SOAR Automation Broker see the Release Notes for the concurrent release.

What's new in 6.0.2

This release of is a patch release, fixing an issue found in 6.0.0 and 6.0.1.

Along with the fixed issue, this release includes the enhancements present in versions 6.0.0 and 6.0.1, listed in the next sections.

What's new in 6.0.1

Feature Description
Updated encryption algorithm
Action might be required
Encryption algorithm for SAML updated from rsa-1_5 to rsa-oaep-mgf1p.

If you have not done so already, update the configured SAML encryption algorithm on your IDP to rsa-oaep-mgf1p. For information, see Configure single sign-on authentication for in the Administer documentation.

On-premises upgrade improvements You can now upgrade directly to the latest SOAR version to get the latest SOAR features. For details on the upgrade process, see Splunk SOAR (On-premises) upgrade overview and prerequisites.
New behavior in asset configuration when changing app versions As part of an app upgrade, downgrade, or reinstall, automatically performs the following actions for any asset configurations associated with that app:
  • adds new fields present in the version you are changing to, along with their default values if the app provides a default value
  • removes fields not present in the version you are changing to, along with any values associated with them

Note when switching back and forth between versions: If you set a configuration setting to a custom value, then switch to a version of the app that removes that configuration setting, then switch back to the original version, your custom value will either:

  • revert to the default value, if the app provides a default value, or
  • not be present in the asset configuration, if the app does not provide a default value.

For more information on app configurations see Configure metadata in a JSON schema to define your app's configuration in Develop Apps for Splunk SOAR (On-premises).

Comma splitting in Decision and Filter playbook blocks When configuring Decision and Filter blocks, you can now choose whether you want to use a delimiter and, if so, specify the string you want to use as a delimiter. For additional details, see Specify a datapath in your playbook in the Build Playbooks with the Playbook Editor manual.
Custom status label length increased Custom status labels can now be up to 128 characters long. For additional details, see Create custom status labels in in Administer .
Improved visual playbook editor experience Additional background block output calculations run automatically when you open a playbook, providing increased reliability.

What's new in 6.0.0

This release of includes the following enhancements.

Feature Description
New SOAR default administrative user
Starting with this release, the default administrative user is called soar_local_admin. This change is to support user accounts with the user name admin in single sign-on systems.
  • On new deployments of version 6.0.0 and higher, the administrator account is created as soar_local_admin.
  • On deployments which have upgraded from versions 5.5.0 or earlier:
    • The existing user account admin will be automatically renamed to soar_local_admin.
    • A copy of the existing user account admin will be created with the user name admin. This copy is for your convenience, and may be deleted.

Action needed

  • Before you upgrade: If you already have a user account named soar_local_admin, you must rename that user account.
  • After you upgrade: Anywhere you are explicitly using the user id admin, for example, in asset configurations, playbooks, scripts using the REST API, or custom apps, you should change to soar_local_admin. You must make this change manually.
Find related playbooks Find existing playbooks associated with your installed apps. You can use an existing playbook from the community or from your instance, so you do not have to create playbooks from scratch. For details, see Find existing playbooks for your apps.
Custom Functions and Custom Lists location update Custom Functions and Custom Lists now have their own menu selections under the Home menu. They are no longer located within the Playbooks section. For details, see Add custom code to your playbook with a custom function and Create custom lists for use in playbooks.
User-based data paths You can now specify the user who launched the current playbook run, either by id or name, when configuring datapaths in the following playbook blocks: action, code, custom function, decision, and filter. These options appear in the datapath picker under playbook . For details, see Specifying data in your playbook and Understanding datapaths in the Python playbook API Reference.
Nested values in custom fields You can now access values nested inside custom fields using datapaths instead of writing custom code. For details, see Important datapaths in the Playbook API in the Python Playbook API Reference for documentation.
Pending icon for playbooks waiting to run A new icon helps distinguish between playbooks that are currently running and those that are waiting. In the Sources view/Analyst queue, the Activity panel displays the following icons for the running playbook:

Icon of arrows turning in a circle - Playbook is currently running
Icon of a clock face - Playbook is waiting its turn to run, or is waiting for user input in a Prompt block.
The Pending status is now an option for the /rest/action_run/<id>/app_runs API. For details, see the /rest/action_run/<id> section of the REST Run Action article.

New delimiter option for Playbook Automation API For the condition and decision endpoints, you can now specify any string as a delimiter to split field values in artifacts (CEF fields) by that string and treat the results as a list. For details, see condition and decision in the Playbook API article.
Playbook API decision endpoint Boolean values automatically converts true and false strings to their Boolean values in the Playbook API decision endpoint. For details, see decision in the Playbook API article.
Performance improvement - loading apps Default apps that are a part of Splunk SOAR install and upgrade are not fully installed until an asset is configured against them.

See also

  • For known issues in this release, see Known issues for .
  • For fixed issues in this release, see Fixed issues for .
  • For release notes for the Splunk SOAR Automation Broker, see Release Notes in the Set up and manage Splunk Automation Broker documentation.
Last modified on 14 June, 2023
Known issues for

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.2

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters