Welcome to Splunk SOAR (On-premises) 6.2.1
The Splunk SOAR (On-premises) platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.
If you are new to Splunk SOAR (On-premises), read About Splunk SOAR (On-premises) in the Use Splunk SOAR (On-premises) manual to learn how you can use Splunk SOAR (On-premises) for security automation.
If your deployment uses the Splunk SOAR Automation Broker, see What's new in Splunk SOAR Automation Broker in the Set up and manage Splunk Automation Broker documentation.
What's New in Release 6.2.1
Action required: GlusterFS repository update
The mirror for GlusterFS packages has moved, changing the URL Splunk SOAR (On-premises) uses to download those packages. You will need to update the installer file install_common.py before you can build or upgrade a clustered deployment, or use a GlusterFS external fileshare.
With a text editor, update install_common.py:
1. On or around line 208, modify the GLUSTER_RPM_SOURCE_BASE_URL_EL8 declaration.
2. Change the word "mirror" in the URL to the word "vault."
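The edit above can be scripted so that only the declaration line changes and a backup copy is kept for rollback. This is an added example, not Splunk's own tooling; the sample file contents, the example.invalid URL, OTHER_MIRROR_SETTING and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: scoped "mirror" -> "vault" edit of install_common.py.
VAR='GLUSTER_RPM_SOURCE_BASE_URL_EL8'

# Constructed stand-in for the installer file. The real URL is not shown in
# the release notes, so example.invalid is a placeholder host.
make_sample() {
    cat > "$1" <<'EOF'
# mirror settings (constructed sample, not the real install_common.py)
GLUSTER_RPM_SOURCE_BASE_URL_EL8 = "https://mirror.example.invalid/gluster/el8/"
OTHER_MIRROR_SETTING = "https://mirror.example.invalid/other/"
EOF
}

# Returns 0 when patched, 2 when the declaration has no "mirror" left
# (already updated), 1 when the file or declaration is not as expected.
patch_gluster_url() {
    file=$1
    pat="^[[:space:]]*${VAR}[[:space:]]*="
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    n=$(grep -c "$pat" "$file" || true)
    [ "$n" -eq 1 ] || { echo "expected 1 declaration, found $n" >&2; return 1; }
    case $(grep "$pat" "$file") in
        *mirror*) ;;
        *) echo "declaration has no 'mirror'; nothing to change" >&2; return 2 ;;
    esac
    cp -p "$file" "$file.bak" || return 1      # keep the original for rollback
    # The address restricts the substitution to the declaration line only.
    sed "/${pat}/s/mirror/vault/" "$file.bak" > "$file" || return 1
    grep "$pat" "$file"                        # show the resulting line
}

# Demo on the constructed sample; pass a real path as $1 to patch that file.
if [ $# -gt 0 ]; then
    patch_gluster_url "$1"
else
    demo=$(mktemp -d)
    make_sample "$demo/install_common.py"
    patch_gluster_url "$demo/install_common.py"
    rm -rf "$demo"
fi
```

Review the difference between install_common.py and install_common.py.bak before running the installer, since the line number and surrounding content can vary between builds.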
Deprecated Features
- Classic Playbook Editor: The classic playbook editor will be deprecated soon. For information on converting your playbooks, see Convert classic playbooks to modern playbooks.
  Beginning with Splunk SOAR (Cloud) version 6.2.1, the Classic Playbook Editor permissions change. You can still run and edit existing playbooks, but you can no longer create new classic playbooks, because the + Classic Playbook button is removed.
  Even after the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
- PostgreSQL: PostgreSQL 11.x reached End of Life status in November 2023. Clustered deployments and deployments using an external PostgreSQL 11.x or 12.x database are encouraged to upgrade to PostgreSQL 15.x. For more information, see:
- features REST API: Release 6.2.1 deprecates the /rest/system_settings/features REST API. It is replaced by the /rest/feature_flag REST API. For details, see REST Feature Flag.
Removed Features
- DUO Support: Release 6.2.1 ends support for DUO two-factor authentication. DUO was deprecated in release 5.5.0. User accounts that used DUO can now log in without using DUO.
- OpenID Support: Release 6.2.1 ends support for OpenID authentication. OpenID support was deprecated in release 5.5.0. When you upgrade to release 6.2.1, any OpenID user accounts will be converted to local users. An administrator can either set a password for those accounts to allow them to log in, or delete those accounts. Use the Home menu, Administration, User Management, Users screen to manage the local user accounts.
- Creating classic playbooks: As of release 6.2.1, you can no longer create new classic playbooks in the playbook editor. See additional details about the Classic Playbook Editor deprecation in the Deprecated Features section above.
Enhancements
This release of Splunk SOAR (On-premises) includes the following enhancements.
| Splunk idea | Feature | Description |
|---|---|---|
| | Severity independent for event and artifact | You can now choose whether a container inherits the severity level from a newly added artifact. Previously, all containers inherited their severity level from a newly added artifact. For details, see Determine severity level of containers and artifacts. |
| | Visual Playbook Editor (VPE) updates | Classic VPE Playbooks: With this release, you can no longer create new Classic VPE playbooks. For details on migrating your existing playbooks, see Convert classic playbooks to modern playbooks. Playbook migration tool |
| | Investigation page usability improvement | On the investigation page, the Artifacts tab is now the default tab. For information on the Investigation page, see Start with Investigation in Splunk SOAR (On-premises). |
| | Automation Broker (AB) operating system upgrade | The Automation Broker operating system is upgraded to Ubuntu 20.04. For Automation Broker release notes, see What's new in Splunk SOAR Automation Broker in Set up and manage Splunk Automation Broker. |
| PPSID-I-462 | Additional colors for HUD cards | You can now create Heads-up Display (HUD) cards in several new colors. For information on HUD cards, see Track information about an event or case using HUD cards. |
| | New Feature Flag REST API | Added /rest/feature_flag, a new REST API for turning features on or off, or for modifying the settings for a feature. See REST Feature Flag. |
| | Global search scope | You can now control the scope of global search with the new restrict_global_search API. For details, see Configure the scope of global search using the REST API in the Configure search in Splunk SOAR (On-premises) article. |
| | Playbook run data searchable | You can now search for playbook run data, including searching by id and status, in the global search bar. For details, see Search within Splunk SOAR (On-premises). |
| | TLS support for Splunk Universal Forwarder | Add transport layer security (TLS) certificates to secure connections between the Splunk SOAR (On-premises) forwarders and the receiving indexers. To add or edit the TLS certificate settings for your Universal Forwarder, see Configure transport layer security between your Splunk SOAR (On-premises) universal forwarder and the receiving indexer. |
| | Performance tuning for Splunk Universal Forwarder | Settings for the Splunk Universal Forwarder were adjusted to increase performance. |
| | Reindexing access moved | Reindex Search Data is renamed Reindex Data and is now located in a tab under Forwarder Settings because reindexing applies only to Forwarder Settings and not to Search Settings. Its former location, the Search Settings menu, is now obsolete and has been removed from Administration Settings. For details on reindexing, see Reindexing. |
| | Remaining session time warning | You can now warn users that their session will end soon, based on the number of minutes you specify. For details, see Set security parameters in the Manage users article. |
See also
- For known issues in this release, see Known issues for Splunk SOAR (On-premises).
- For fixed issues in this release, see Fixed issues for Splunk SOAR (On-premises).
- For release notes for the Splunk SOAR Automation Broker, see What's new in Splunk SOAR Automation Broker in the Set up and manage Splunk Automation Broker documentation.
This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.1