About Splunk SOAR Automation Broker
You can run actions in playbooks or on an ad hoc basis while investigating a notable in Splunk SOAR. If those actions involve on-premises applications or assets, you must install and set up the Splunk SOAR Automation Broker, which lets Splunk SOAR run those actions in your on-premises environment.
Splunk SOAR Automation Broker can be used with either Splunk SOAR (Cloud) or Splunk SOAR (On-premises).
[Diagram: Splunk SOAR Automation Broker used with Splunk SOAR (Cloud)]
[Diagram: Splunk SOAR Automation Broker used with Splunk SOAR (On-premises)]
Splunk SOAR uses an on-premises application, the Splunk SOAR Automation Broker, to securely run actions through connections to your on-premises tools and applications. Splunk SOAR sends an action request for a specific connector configuration to the Splunk SOAR Automation Broker. In combination with the connector, the Splunk SOAR Automation Broker dispatches the action to the relevant on-premises application.
After the action run completes, the action results are securely communicated to Splunk SOAR using REST and HTTPS.
About the Splunk SOAR Automation Broker container
The Splunk SOAR Automation Broker is delivered as a Docker container.
- In release 6.4.0.93 and higher, the base operating system inside the container is fully updated Ubuntu 22.04.
- In release 6.2.1 and higher, the base operating system inside the container is fully updated Ubuntu 20.04.
- In release 6.1.0 through 6.2.0, the base operating system inside the container is fully updated Ubuntu 18.04.
- In releases 6.0.2 and lower, the base operating system inside the container is fully updated CentOS 7.2009.
Each Splunk SOAR Automation Broker release has all operating system patches applied when it is built.
Matching the Splunk SOAR Automation Broker with Splunk SOAR releases
Splunk SOAR (Cloud) and Splunk SOAR (On-premises) releases 6.4.1 and higher enforce versioning for the Splunk SOAR Automation Broker. You must use a release of the Splunk SOAR Automation Broker that is supported for use with your release of Splunk SOAR (Cloud) or Splunk SOAR (On-premises). Splunk SOAR may disconnect from Splunk SOAR Automation Brokers that are outside of the supported versions.
Supported releases for the Splunk SOAR Automation Broker are calculated as "N-1" where "N" is the current release of Splunk SOAR.
- N: The Splunk SOAR Automation Broker release version matching the release version of Splunk SOAR.
- N-1: The previous release version of Splunk SOAR Automation Broker.
Example: If you are using Splunk SOAR (Cloud) release 6.4.1, then you must use either the matching 6.4.1 or the 6.4.0 tagged release of the Splunk SOAR Automation Broker.
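The N-1 rule above can be checked before an upgrade so that a broker is not disconnected unexpectedly. The following is an added example, not Splunk code: the function names are hypothetical, the release list is constructed from the releases named on this page and is incomplete, and a fourth tag component such as the 93 in 6.4.0.93 is assumed to be a build number that is ignored for matching.

```python
# Added example: N-1 compatibility check for an Automation Broker release tag.
# KNOWN_RELEASES is a constructed, incomplete list built from releases named
# on this page; replace it with the full ordered list from the release notes.
KNOWN_RELEASES = ["6.0.2", "6.1.0", "6.2.0", "6.2.1", "6.4.0", "6.4.1"]
ENFORCED_FROM = (6, 4, 1)  # page: releases 6.4.1 and higher enforce versioning


def parse_release(tag):
    """Return (major, minor, patch); a 4th component (e.g. 6.4.0.93) is
    assumed to be a build number and ignored for matching."""
    parts = tag.strip().lstrip("v").split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised release tag: {tag!r}")
    return tuple(int(p) for p in parts[:3])


def supported_broker_releases(soar_release, known=KNOWN_RELEASES):
    """Return [N, N-1] for the given SOAR release, newest first."""
    ordered = sorted({parse_release(r) for r in known})
    n = parse_release(soar_release)
    if n not in ordered:
        raise ValueError(f"{soar_release} is not in the known release list")
    idx = ordered.index(n)
    return ordered[max(idx - 1, 0): idx + 1][::-1]


def check_broker(soar_release, broker_tag, known=KNOWN_RELEASES):
    """Classify a broker tag as 'supported', 'unsupported' (SOAR may
    disconnect it) or 'not-enforced' (SOAR release older than 6.4.1)."""
    if parse_release(soar_release) < ENFORCED_FROM:
        return "not-enforced"
    allowed = supported_broker_releases(soar_release, known)
    return "supported" if parse_release(broker_tag) in allowed else "unsupported"


if __name__ == "__main__":
    for tag in ("6.4.1", "6.4.0.93", "6.2.1"):
        print(tag, check_broker("6.4.1", tag))
```

A tag that is not a dotted numeric release, such as a floating "latest" tag, raises ValueError, which is a reason to pin broker images to an explicit release tag.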
See these topics for more information on installing, upgrading, or interacting with the Automation Broker.
Communications limits
The Splunk SOAR Automation Broker supports transferring action requests or action results and logs up to 100MB in size.
See also
- Docker documentation website: https://docs.docker.com
- Install Docker on CentOS: https://docs.centos.org/en-US/docs/
- Install Docker on Ubuntu: https://docs.docker.com/engine/install/ubuntu/
- Install Docker on Amazon Linux 2: Creating a container image for use on Amazon ECS
- Podman documentation website: Podman Docs
- Installing Podman: Podman Installation