After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Welcome to Splunk SOAR (On-premises) 6.2.0
The Splunk SOAR (On-premises) platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.
If you are new to Splunk SOAR (On-premises), read About Splunk SOAR (On-premises) in the Use Splunk SOAR (On-premises) manual to learn how you can use Splunk SOAR (On-premises) for security automation.
If your deployment uses the Splunk SOAR Automation Broker, see What's new in Splunk SOAR Automation Broker in the Set up and manage Splunk Automation Broker documentation.
What's new in 6.2.0
Action required: GlusterFS repository update
The mirror for GlusterFS packages has moved, changing the URL Splunk SOAR (On-premises) uses to download those packages. You will need to update the installer file install_common.py before you can build or upgrade a clustered deployment, or use a GlusterFS external fileshare.
1. With a text editor, update install_common.py.
2. On or around line 208, modify the GLUSTER_RPM_SOURCE_BASE_URL_EL8 declaration.
3. Change the word "mirror" in the URL to the word "vault".
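The steps above as a scoped, repeatable edit (an added example, not Splunk's own tooling). The sample file and its example.invalid URLs are constructed, the helper names `update_gluster_url`, `changed_lines` and `make_sample` are hypothetical, and the script assumes the declaration and its URL sit on one line.

```shell
#!/bin/sh
# Added example, not part of the Splunk installer.
DECL='GLUSTER_RPM_SOURCE_BASE_URL_EL8'

# Count lines that differ between the backup and the edited file.
changed_lines() {
    diff "$1.bak" "$1" | grep -c '^>'
}

# Change "mirror" to "vault" on the declaration line only, keeping a backup.
# Assumes the declaration and its URL are on the same line.
update_gluster_url() {
    file=$1
    [ -f "$file" ] || { echo "not found: $file" >&2; return 2; }
    # Fail closed if the declaration is missing (unexpected installer layout).
    line=$(grep "^[[:space:]]*${DECL}[[:space:]]*=" "$file") ||
        { echo "$DECL not declared in $file" >&2; return 3; }
    case $line in
        *mirror*) ;;                  # still points at the old host: edit it
        *vault*)  return 0 ;;         # already updated: nothing to do
        *) echo "no mirror/vault URL on that line; edit by hand" >&2; return 6 ;;
    esac
    cp -p "$file" "$file.bak" || return 4
    tmp=$(mktemp) || return 4
    # The address restricts the substitution to the declaration line.
    sed "/^[[:space:]]*${DECL}[[:space:]]*=/s/mirror/vault/" "$file.bak" > "$tmp" &&
        cat "$tmp" > "$file"          # overwrite in place, keeping mode and owner
    rm -f "$tmp"
    # Exactly one line may differ from the backup.
    [ "$(changed_lines "$file")" -eq 1 ] || { echo "unexpected diff" >&2; return 5; }
}

# Constructed stand-in for install_common.py; the URLs are placeholders.
make_sample() {
    cat > "$1" <<'EOF'
# packages come from a mirror
OTHER_URL = "https://mirror.example.invalid/other/"
GLUSTER_RPM_SOURCE_BASE_URL_EL8 = "https://mirror.example.invalid/gluster/el8/"
EOF
}

# Demo on the constructed sample: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp) && make_sample "$f" && update_gluster_url "$f"
    diff "$f.bak" "$f"; rm -f "$f" "$f.bak"
fi
```

Restricting the substitution to the declaration line leaves every other occurrence of "mirror" in the file untouched, and the one-line diff against the `.bak` copy is the check to keep with the change record.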
Enhancements
This release of Splunk SOAR (On-premises) includes the following enhancements.
| Splunk idea | New feature | Description |
|---|---|---|
| PPSID-I-681 | Logic Loops | Configure loops directly in the Visual Playbook Editor (VPE) with an intuitive user interface, eliminating the need for custom code. For details, see Repeat actions with logic loops. |
| | Upgraded local PostgreSQL database to 15.3 | In this release the PostgreSQL database used by Splunk SOAR (On-premises) has been updated to PostgreSQL version 15.3. Additional steps have been added to the upgrade process as part of this update. See Upgrade a Splunk SOAR (On-premises) instance. If your deployment uses an external PostgreSQL 11 or 12 database, you can still use PostgreSQL 11 or 12, but upgrading to release 15.3 is recommended. See: |
| | Replaced embedded Splunk Enterprise with Postgres 15 search | Starting with this release, we have removed the embedded copy of Splunk Enterprise. The embedded copy of Splunk Enterprise handled internal search features for SOAR. Search for SOAR items is now handled by Postgres 15 search features. See Search within Splunk SOAR (On-premises) in Use Splunk SOAR (On-premises) for search syntax. |
| | Added support for Universal Forwarders | Universal Forwarders now replace remote search for getting your SOAR data into your Splunk Cloud Platform or Splunk Enterprise deployment. For details on Universal Forwarders, see Configure forwarders to send SOAR data to your Splunk deployment. Mutual TLS authentication for forwarders is not yet available. If your Splunk Enterprise or Splunk Cloud deployment requires mutual TLS authentication in order to receive data from Universal Forwarders, do not upgrade to this release. |
| PPSID-I-365 | CyberArk integration | Integrate the Splunk SOAR (On-premises) environment with CyberArk's privileged access management (PAM) cloud-based API solution. Support for legacy on-premises CyberArk releases continues for Splunk SOAR (On-premises), available in the SOAR user interface as CyberArk Legacy. For details, see Use CyberArk Vault Privileged Access Manager with Splunk SOAR (On-premises) in the Manage your organization's credentials with a password vault topic. |
| | Classic to modern playbook migration | In preparation for the deprecation of the classic mode of the Visual Playbook Editor (VPE), you can now use a new user interface to convert playbooks developed in the classic VPE to modern playbooks. All users will see a banner about this deprecation when they open Splunk SOAR (On-premises). You can remove this banner for all users. For details on converting playbooks and on removing the banner, see Convert classic playbooks to modern playbooks. |
| | Playbook filter tabs | The modern Visual Playbook Editor (VPE) now has tabs to filter for specific types of playbooks: your organization's customized playbooks, community playbooks, active playbooks, and classic playbooks. For details, see Find playbooks by type in the Find existing playbooks article. |
| | Browser tab differentiation | It is now easier to clearly identify browser tabs running Splunk SOAR from tabs running other Splunk products. |
| PPSID-I-627 internal idea | Increased limit on actions per playbook | Increased the default limit on number of actions per playbook from 50 to 500. To update this setting, see set_action_limit in the Session automation API article. |
| | New management commands | New management commands have been added for managing indicators, audit logs, and containers. These commands replace earlier standalone scripts. See: |
See also
- For known issues in this release, see Known issues for Splunk SOAR (On-premises).
- For fixed issues in this release, see Fixed issues for Splunk SOAR (On-premises).
- For release notes for the Splunk SOAR Automation Broker, see What's new in Splunk SOAR Automation Broker in the Set up and manage Splunk Automation Broker documentation.
This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.0