How SOAR (On-premises) Uses Python

This topic provides high-level information about how and where Splunk SOAR (On-premises) uses Python.

Automation

Splunk SOAR (Cloud)'s automation is powered by Python.

Playbooks

Playbook code is written in Python. When you use the Visual Playbook Editor to build a playbook, each block you add represents code written in Python. In order to add your own Python code to a playbook, you use either the code block or a custom function.

Python installation directory

Splunk SOAR (On-premises) release 7.0.0 uses Python 3.13. Support is included for Python 3.9 to help you maintain existing apps, playbooks, custom code, and custom functions and to facilitate the transition to Python 3.13.

CAUTION: Although Python 3.9 is scheduled to reach its End of Life in October of 2025, Splunk SOAR (On-premises) release 7.0.0 supports Python 3.9 and Python 3.13. Where possible, automation code is auto-migrated from Python 3.9 to Python 3.13 during the upgrade process. Automation code which does not successfully auto-migrate to Python 3.13 remains on Python 3.9. A future release of Splunk SOAR may remove support for Python 3.9.

Splunk SOAR (On-premises deploys Python in the following paths:

  • Python 3.9 is installed in <$SOAR_HOME>/usr/python39/bin/python3.9

  • Python 3.13 is installed in <$SOAR_HOME>/usr/python313/bin/python3.13

For Splunk SOAR (Cloud), <$SOAR_HOME> is /opt/phantom.

With the release of Splunk SOAR (On-premises) 7.0, Python 3.13 is the default version of Python. Python 3.9 is supported, but deprecated, in order to facilitate transitioning Apps and playbooks to Python 3.13.

Python libraries

Splunk SOAR (On-premises) ships with the following libraries for use with automation. You can use these libraries in playbooks for custom code or custom functions. Some libraries appear in multiple sections.

To add other libraries to use in automation, such as playbooks and custom functions, see Manage automation dependencies later in this manual.

General purpose libraries

  • simplejson

  • python-dateutil

  • six

  • python-magic

  • distro

  • django

  • requests-pkcs12
  • pynacl
  • psycopg2
  • PyYAML
  • hvac
  • pylint

  • zeep

Libraries for App or Connector development

  • beautifulsoup4

  • soupsieve

  • parse

  • python_dateutil

  • six

  • requests

  • certifi

  • charset_normalizer

  • idna

  • urllib3

  • sh

  • xmltodict

Libraries included to continue support for features commonly used in Python 3.9

  • pytz

  • pudb

  • tabulate

  • markdown2

  • paramiko

Libraries for cloud service provider support

  • boto3

  • azure-core

  • azure-identity

  • azure-keyvault-secrets

  • azure-keyvault-keys

  • azure-mgmt-compute

  • azure-mgmt-rdbms

  • google-cloud-secret-manager

  • google-crc32c

How auto-migration of automation code works

During the upgrade to Splunk SOAR (Cloud) release 7.0.0, SOAR will attempt to automatically migrate automation code, that is Playbooks, custom functions, and apps from Python 3.9 to Python 3.13.

The steps of the process are;

  1. Playbooks, custom functions, and apps are passed through pylint to validate they are supported in Python 3.13. Items that do not pass Python 3.13 validation through pylint stop here. Those items remain dependent on Python 3.9 in the Splunk SOAR database.

  2. Items that pass pylint validation for Python 3.13 are marked as python 3.13 ready in Splunk SOAR's database.

The Playbooks page has a column called Python Version, which shows an alert icon and the version text 3.9 for playbooks that use Python 3.9.

The Custom Functions page has a column called Python Version, which shows an alert icon and the version text 3.9 for custom functions that use Python 3.9.

In the Visual Playbook Editor, a block which uses Python 3.9 shows an alert icon in the block.

The Apps page now shows the Python version in each apps listing, with an alert icon for apps that use Python 3.9.

See also

For more detailed information on specific Python uses see these topics.