Splunk® SOAR (On-premises)

Release Notes

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Welcome to Splunk SOAR (On-premises) 6.2.2

The Splunk SOAR (On-premises) platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.

If you are new to , read About in the Use manual to learn how you can use for security automation.

If your deployment uses the Splunk SOAR Automation Broker see see What's new in Splunk SOAR Automation Broker in the Set up and manage Splunk Automation Broker documentation.

June 04, 2024 Release 6.2.2

Action required: GlusterFS repository update

The mirror for GlusterFS packages has moved, changing the URL Splunk SOAR (On-premises) uses download those packages. You will need to update the installer file install_common.py before you can build or upgrade a clustered deployment, or use a GlusterFS external fileshare.

With a text editor, update install_common.py.
On or around line 208, modify the GLUSTER_RPM_SOURCE_BASE_URL_EL8 declaration.
Change the word "mirror" in the URL to the word "vault."

GLUSTER_RPM_SOURCE_BASE_URL_EL8 = ("https://vault.centos.org/centos/8-stream/storage/x86_64/gluster-9/Packages/")

Removed Features

Enhancements

This release of includes the following enhancements.

Splunk idea Feature Description
PPSID-I-400
PPSID-I-660
PPSID-I-216 		Visual Playbook Editor updates Operators for playbook conditions
Added operators for use in playbook decision, filter, and logic loop blocks. New operators include matches regex, is true, is false, is none, is empty, and is list, among others. For details, see Operators for conditions in the Use filters in your Splunk SOAR (Cloud) playbook to specify a subset of artifacts before further processing article and condition in the Playbook automation API article.


Updated prompts functionality
You can now specify a prompt block response type, even if no question is included. For details, see Require user input using the Prompt block in your playbook.

Performance improvements
Made significant improvements to VPE performance, resulting in a 15-30x speed increase when loading and editing large playbooks.

Reading long datapaths
You can now hover over the datapath in the configuration panel to see the entire datapath displayed in a tooltip.

Drag-and-drop playbook blocks
You can now add a playbook block to the canvas by selecting a block from the side panel, dragging it to the canvas, and dropping it on top of the block you want it to follow.

Universal Forwarder improvements Added support for using HTTP forwarders, which support HTTP load balancers and the use of HEC. See Customize your forwarder configuration in Administer .
Library updates Updated the following libraries:
  • Django updated to release 4.2
  • Nginx updated to 1.25.3
  • RabbitMQ updated to release 3.13.1
  • Erlang updated to release 26.2.2
New default value for asset action concurrency limit When you create an asset, one of its settings is its action concurrency limit, which controls how many actions the asset can run at one time. In earlier releases, an asset's action concurrency limit defaulted to one. In release 6.2.2 and higher, the default for new assets has been set to five. Existing assets have not been modified.

Make sure any custom app you write or install can support multiple concurrent actions. If an app you use does not support multiple concurrent actions, set the action concurrency limit to 1 for any new assets you create for that app.

For information on setting or editing an assets concurrent action limit, see Set the concurrent action limit in Administer .

Updated Automation Broker permissions Automation Broker permissions for user roles

A new permission set automation_broker has been added for roles which need to manage Automation Brokers. This permission set has been added to existing roles which had system_settings permissions.

  • If a role had system_settings with the edit option, the automation_broker permissions will have edit and delete options.
  • If a role had system_settings view option, the automation_broker permissions will have the view option.
  • If a role had system_settings view and edit option, the automation_broker permissions will have the view, edit, delete options.

To add automation_broker permissions to a role, see Add a role to in Manage roles and permissions in .

Customize the UID and GID for the Automation Broker
You can customize the UID and GID for the Automation broker by setting these new environment variables in the docker-compose.yaml.

  • PUID - This variable is the UID for the Automation Broker. The default is 1000.
  • PGID - This variable is the GID for the Automation Broker. The default is 1000.
UX performance enhancements Several updates have been made to improve the performance of the user interface.
  • Dashboard widgets now load "on request." Widgets which are not visible in the user's current view are not refreshed.
  • The investigations page has been updated, reducing duplicated queries and adding configurable refresh intervals. The refresh interval for the investigations page can be set using a series of POSTs to /rest/system_settings/refresh_intervals. 
     /rest/system_settings/refresh_intervals { "type": "investigations_page", "duration": 4 }

/rest/system_settings/refresh_intervals { "type": "investigations_page_max_wait", "duration": 8 }
    See /rest/system_settings in REST API Reference for .
Search improvements The search interface was improved, making filtering options more obvious. See Search within in Use .

See also

Last modified on 19 August, 2024
  Known issues for

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.2

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters