Splunk® SOAR (On-premises)

Release Notes



The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Welcome to Splunk SOAR (On-premises) 6.2.1

The Splunk SOAR (On-premises) platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.

If you are new to Splunk SOAR (On-premises), read About Splunk SOAR (On-premises) in the Use Splunk SOAR (On-premises) manual to learn how you can use Splunk SOAR (On-premises) for security automation.

If your deployment uses the Splunk SOAR Automation Broker, see What's new in Splunk SOAR Automation Broker in the Set up and manage Splunk Automation Broker documentation.

What's New in Release 6.2.1

Deprecated Features

  • Classic Playbook Editor: The classic playbook editor will be deprecated soon. For information on converting your playbooks, see Convert classic playbooks to modern playbooks.
    Beginning with Splunk SOAR (Cloud) version 6.2.1, the Classic Playbook Editor permissions change. You can still run and edit existing playbooks, but you can no longer create new classic playbooks, because the + Classic Playbook button is removed.
    Even after the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
  • PostgreSQL: PostgreSQL 11.x reached End of Life status in November 2023. Splunk SOAR (On-premises) clustered deployments and deployments using an external PostgreSQL 11.x or 12.x database are encouraged to upgrade to PostgreSQL 15.x. For more information, see:
  • features REST API: Splunk SOAR (On-premises) release 6.2.1 deprecates the /rest/system_settings/features REST API. It is replaced by the /rest/feature_flag REST API. For details, see REST Feature Flag.

Removed Features

  • DUO Support: Splunk SOAR (On-premises) release 6.2.1 ends support for DUO two-factor authentication. Duo was deprecated in release 5.5.0. User accounts that used DUO can now log in without using DUO.
  • Creating classic playbooks: As of release 6.2.1, you can no longer create new classic playbooks in the playbook editor. See additional details about the Classic Playbook Editor deprecation in the Deprecated Features section above.

Enhancements

This release of Splunk SOAR (On-premises) includes the following enhancements.

  • Severity independent for event and artifact: You can now choose whether a container inherits the severity level from a newly added artifact. Previously, all containers inherited their severity level from a newly added artifact. For details, see Determine severity level of containers and artifacts.
  • Visual Playbook Editor (VPE) updates:
      • Classic VPE Playbooks: With this release, you can no longer create new Classic VPE playbooks. For details on migrating your existing playbooks, see Convert classic playbooks to modern playbooks.
      • Playbook migration tool: The playbook migration tool is updated. For details on migrating your existing playbooks, see Convert classic playbooks to modern playbooks.
      • Multiple conditions in Decision and Filter blocks: In a modern playbook, a filter or decision block can now have multiple conditions that connect to the same downstream block. For information on filter blocks, see Use filters in your playbook to specify a subset of artifacts before further processing. For information on decision blocks, see Use decisions to send artifacts to a specific downstream action in your playbook.
      • Added Artifact CEFs and Headers datapaths support: You can now see the datapath for an artifact's Common Event Format (CEF) and header in blocks downstream from an action block. For details, see CEF fields as action results in the Specify a datapath in your playbook article.
  • Investigation page usability improvement: On the investigation page, the Artifacts tab is now the default tab. For information on the Investigation page, see Start with Investigation in Splunk SOAR (On-premises).
  • Automation Broker (AB) operating system upgrade: This release upgrades the Automation Broker operating system to Ubuntu 20.04. For Automation Broker release notes, see What's new in Splunk SOAR Automation Broker in Set up and manage Splunk Automation Broker.
  • Additional colors for HUD cards (Splunk idea PPSID-I-462): You can now create Heads-up Display (HUD) cards in several new colors. For information on HUD cards, see Track information about an event or case using HUD cards.
  • New Feature Flag REST API: /rest/feature_flag, a new REST API for turning features on or off or for modifying the settings for a feature, is now available. See REST Feature Flag.
  • Global search scope: You can now control the scope of global search with the new restrict_global_search API. For details, see Configure the scope of global search using the REST API in the Configure search in Splunk SOAR (On-premises) article.
  • Playbook run data searchable: You can now search for playbook run data, including searching by id and status, in the global search bar. For details, see Search within Splunk SOAR (On-premises).
  • TLS support for Splunk Universal Forwarder: Add transport layer security (TLS) certificates to secure connections between Splunk SOAR (On-premises) forwarders and the receiving indexers.
    To add or edit the TLS certificate settings for your Universal Forwarder, see Configure transport layer security between your Splunk SOAR (On-premises) universal forwarder and the receiving indexer.
  • Performance tuning for Splunk Universal Forwarder: Settings for the Splunk Universal Forwarder were adjusted to increase performance.
      • In limits.conf, maxKBps was increased from 256 KB/s to unlimited KB/s.
      • In server.conf, server.conf was increased from 6MB to 50MB.
  • Reindexing access moved: Reindex Search Data is renamed Reindex Data and is now located in a tab under Forwarder Settings because reindexing applies only to Forwarder Settings and not to Search Settings. Its former location, the Search Settings menu, is now obsolete and has been removed from Administration Settings. For details on reindexing, see Reindexing.
  • Remaining session time warning: You can now warn users that their session will end soon, based on the number of minutes you specify. For details, see Set security parameters in the Manage users article.


Last modified on 01 April, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.1

