Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)


Manage your organization's credentials with a password vault

Use credential vaults to centrally manage and monitor credential usage in your organization. Splunk SOAR (On-premises) supports the following password vaults:

  • CyberArk Vault Privileged Access Manager
  • CyberArk Enterprise Password Vault
  • Hashicorp Vault
  • Thycotic Secret Server

As an administrator, you can configure Splunk SOAR (On-premises) to retrieve credentials from these vaults and use them in assets.

  • When used in conjunction with the Splunk SOAR Automation Broker, the Automation Broker will authenticate directly with your supported privileged access manager and retrieve credentials to use with assets.
  • If an asset is configured on the Splunk SOAR instance and does not require the Automation Broker, then Splunk SOAR will authenticate with the supported privileged access manager and retrieve credentials to use with assets.

Use CyberArk Privileged Access Manager

Integrate with CyberArk's Vault feature to retrieve passwords or other fields for assets. This allows you to utilize CyberArk account management features to change passwords on managed products and services without having to manually update assets after a password change.

Splunk SOAR (On-premises) users can use either:

  • CyberArk Enterprise Password Vault version 12.6 for Splunk SOAR (On-premises) deployed on Red Hat Enterprise Linux version 8. No other operating systems are supported.
  • CyberArk Vault's API-based Privileged Access Manager solution.

For more information on installing and configuring CyberArk Vault, see the CyberArk website.

Use CyberArk Vault Privileged Access Manager with Splunk SOAR (On-premises)

Splunk SOAR (On-premises) users can integrate with CyberArk's API-based Privileged Access Manager.

Before you begin, you need to be, or be working with, your organization's CyberArk administrator. Collect the following items:

  • The URL to your organization's CyberArk Vault.
  • Your organization's CyberArk Vault username and password.
  • The pkcs12 certificate and certificate password for your organization's CyberArk Vault.
    • This certificate file must be located on the file system.

To use CyberArk Vault with Splunk SOAR (On-premises), perform the following steps:

  1. From the main menu, select Administration.
  2. Select Administration Settings, then Password Vault.
  3. In the Manager field, select CyberArk Vault.
  4. Type the entries for the following fields:
    1. URL
    2. Username
    3. Password
    4. Certificate password
  5. Upload your certificate file:
    1. Click Choose File then select the pkcs12 certificate file from your filesystem.
  6. Click Save Changes.

Use CyberArk Enterprise Password Vault version 12.6 with Splunk SOAR (On-premises)

From a security standpoint, using CyberArk Enterprise Password Vault version 12.6 can greatly simplify password management but may not significantly change the security stance of the deployment. Splunk SOAR (On-premises) would no longer be the primary store for CyberArk-managed account passwords, but it can still retrieve the same passwords from CyberArk Vault in order to authenticate itself to other resources. Therefore, someone with administrative control over the Splunk SOAR (On-premises) server can gain access to those passwords.

Perform the following tasks to use CyberArk Enterprise Password Vault version 12.6 with Splunk SOAR (On-premises):

  1. From the main menu, select Administration.
  2. Select Administration Settings > Password Vault.
  3. Select Cyberark Legacy from the drop-down list in the Manager field. The CyberArk option in the drop-down list is inactive until the CyberArk components are installed. Splunk SOAR (On-premises) determines the presence of CyberArk in your environment by looking for the /opt/CARKaim directory.
  4. Click Save Changes.

After the CyberArk options become visible, check the Enable credential management at startup check box to have the watchdogd daemon start CyberArk when Splunk SOAR (On-premises) is started. This is useful if you have disabled the system from starting CyberArk by removing the startup file from /etc/init.d.

To require a Splunk SOAR (On-premises) administrator to log in and perform an action in Splunk SOAR (On-premises) before CyberArk is available after a system restart, uncheck Enable credential management at startup and click Save Changes. An administrator is any user account that has the specific Administrator role. Click Authorize to require the logged-in administrative user to supply their own password to re-authenticate themselves; the credential management service is then started.

To use CyberArk to automatically supply credentials under authentication configuration, perform the following steps:

  1. From the main menu, select User Management.
  2. Select Authentication.
  3. Select an identity provider such as LDAP.
  4. Toggle the LDAP switch to enable LDAP authentication.
  5. Check the Manage password using CyberArk check box.
  6. Fill in the CyberArk Safe, Safe Path, and Object Name fields the same way you do for an Asset to select the CyberArk object that CyberArk is going to use to get the password field value.
  7. Click Save Changes.

Use Hashicorp Vault with Splunk SOAR (On-premises)

Splunk SOAR (On-premises) supports Hashicorp Vault's KV store REST API version 2.

To use Hashicorp Vault with Splunk SOAR (On-premises), perform the following steps:

  1. From the main menu, select Administration.
  2. Select Administration Settings > Password Vault.
  3. Get the URL and Token from your Hashicorp administrator.
  4. Select the Verify server certificate checkbox to verify that the HTTPS certificate is trusted. If the certificate is not trusted by default, see Manage the certificate store for information about adding your own trusted certificate.
  5. Click Save Changes.

Once you have Hashicorp access configured, you need to know the paths and names of the secrets you want to use from the Hashicorp Vault. You can use Hashicorp to supply credentials under OpenID and LDAP authentication configuration and with assets.

Use Hashicorp to provide credentials during authentication configuration

You can use Hashicorp to automatically supply credentials under OpenID and LDAP authentication configuration.

  1. From the main menu, select User Management.
  2. Select Authentication.
  3. Select an identity provider such as LDAP.
  4. Toggle the LDAP switch to enable LDAP authentication.
  5. Check the Manage password using Hashicorp Vault check box.
  6. Provide the value and key you want to retrieve from the vault.
  7. (Optional) Click Test Authentication to verify authentication.
  8. Click Save Changes.

Use Hashicorp to provide credentials with assets

You can use Hashicorp to automatically supply credentials when working with assets.

  1. From the main menu, select Apps.
  2. In the list of apps, find one to configure such as the Palo Alto Networks Firewall and click Configure New Asset.
  3. Open the Asset Settings tab for that asset.
  4. Click Advanced to expand the advanced configuration section.
  5. In the Credential Management section, select the fields you want to get from Hashicorp Vault, and the path and key to use. For example, you can specify /secret/autofocus in the Path field and apikey in the Key field to retrieve an API key used to authenticate to the AutoFocus service.
  6. Click Save.
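The Path and Key values in step 5 correspond to a KV version 2 read, which can be checked against Vault directly before the asset is saved. The following Python is an added example, not Splunk or HashiCorp code; the host vault.example.com, the helper names, the sample response, and the assumption that the first segment of the Path value is the KV mount point are all illustrative.

```python
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import quote


def kv2_read_url(vault_url, path):
    """Map a Path value such as /secret/autofocus to the KV v2 read endpoint.

    Assumption: the first path segment is the KV mount point.
    """
    parts = [p for p in path.split("/") if p]
    if len(parts) < 2:
        raise ValueError("expected /<mount>/<secret>, got %r" % path)
    mount, secret = parts[0], "/".join(parts[1:])
    return "%s/v1/%s/data/%s" % (vault_url.rstrip("/"), quote(mount), quote(secret))


def extract_key(body, key):
    """Return one field from a KV v2 read response body (JSON text)."""
    doc = json.loads(body)
    if "errors" in doc:
        raise LookupError("Vault error (bad path or token?): %s" % doc["errors"])
    fields = (doc.get("data") or {}).get("data")
    if fields is None:
        raise LookupError("latest version of the secret is deleted or destroyed")
    if key not in fields:
        # List field names only, never values, so the message is safe to log.
        raise KeyError("no key %r; secret has %s" % (key, sorted(fields)))
    return fields[key]


def read_secret(vault_url, token, path, key, cafile=None):
    """Live read with TLS verification on (needs a reachable Vault)."""
    req = urllib.request.Request(kv2_read_url(vault_url, path),
                                 headers={"X-Vault-Token": token})
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as err:
        body = err.read().decode() or '{"errors": ["HTTP %d"]}' % err.code
    return extract_key(body, key)


# Constructed sample response in the KV v2 shape; the value is a placeholder.
SAMPLE = json.dumps({"data": {"data": {"apikey": "EXAMPLE-NOT-A-REAL-KEY"},
                              "metadata": {"version": 3, "destroyed": False}}})
```

Pass the CA bundle that signs your Vault's HTTPS certificate as `cafile` when it is not in the system trust store, which mirrors the Verify server certificate setting.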


Use Thycotic Secret Server with Splunk SOAR (On-premises)

Splunk SOAR (On-premises) can use Thycotic's API to access secrets managed by Secret Server. Usernames and passwords can be stored in Thycotic Secret Server for both users and assets which require a login to use.

Splunk SOAR (On-premises) does not support Delinea Secret Server, a product which replaces Thycotic Secret Server.

In order for Splunk SOAR (On-premises) to use secrets managed by Thycotic Secret Server, you must provide:

  • The URL to your organization's Thycotic Secret Server. Depending on your organization's DNS configuration, you may need to include the port number.
    https://<your.organization's.secret.server>:<port number>
  • The username and password of the account which will retrieve secrets using the API.
  • Optional: The Organization ID set in Secret Server for use in the Thycotic Secret Server API.

These values are used to make an OAuth2 token for Thycotic Secret Server. Once authenticated, Splunk SOAR (On-premises) uses the SearchSecretsByFolder API to access the managed secrets.

Set the login secret in Thycotic Secret Server

You need to set up the login information in Secret Server before it can be used to access Splunk SOAR (On-premises). For more information on Thycotic Secret Server, see the documentation on the Thycotic website.

  1. Create the required folders.
  2. Use the Create Secret widget, selecting the template as Password.
  3. Enter the required items in the mandatory fields of secret and Password.

Set the Thycotic Secret Server settings in Splunk SOAR (On-premises)

Add the required information to create the OAuth2 token for Thycotic Secret Server in the Splunk SOAR (On-premises) administration settings. This token is for connecting to Thycotic Secret Server.

  1. From the Main Menu, select Administration.
  2. Select Administration Settings > Password Vault.
  3. Select Thycotic Secret Server from the drop-down list in the Manager field.
  4. Set the URL for your Thycotic Secret Server instance.
  5. Specify the username and password Splunk SOAR (On-premises) will use to access secrets.
  6. Optional: Set the organization id.
  7. Click Save Changes.

Add the authentication settings in User Management. These will be the actual secrets for each user or asset. Only LDAP authentication is supported.

  1. From the Main Menu, select Administration.
  2. Select User Management > Authentication.
  3. Select the LDAP tab.
  4. Set LDAP to ON.
  5. Add the information for your LDAP provider, server, domain, usernames, and passwords.
  6. Check Manage password using Thycotic Secret Server.
  7. Add the Folder, Key, and Thycotic FieldName that store the user credentials.
  8. Test your LDAP integration by clicking Test Authentication.

For more information about configuring LDAP, see Configure single sign-on authentication for Splunk SOAR (On-premises).

If you have assets which require logins and those logins are managed by Thycotic Secret Server, then you need to set credential management in the asset's configuration, in Apps > <Asset Name> > Asset Settings > Advanced.

Last modified on 23 October, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1
