Welcome to Splunk SOAR (On-premises)
The Splunk SOAR (On-premises) platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.
If you are new to Splunk SOAR (On-premises), read About Splunk SOAR (On-premises) in the Use Splunk SOAR (On-premises) manual to learn how you can use Splunk SOAR (On-premises) for security automation.
If your Splunk SOAR (On-premises) deployment uses the Splunk SOAR Automation Broker see What's new in Splunk SOAR Automation Broker in the Set up and manage Splunk Automation Broker documentation.
Documentation for earlier versions of Splunk SOAR (On-premises)
Where to find older versions of docs that aren't on the new help portal yet.
We are in the process of moving all versions of Splunk SOAR (On-premises) to this new documentation portal. In the interim, you can reach previous documentation versions in the docs.splunk.com portal. Follow this link to documentation for Splunk SOAR (On-premises) version 6.0.1. From there, use the version selector tool to view documentation for other versions. If you select a version that is already in the new documentation portal, you will be automatically redirected to the new portal.
February 18, 2026 Release 8.4.0
Enhancements for Splunk SOAR (On-premises) version 8.4.0
Important updates
Version numbers: Starting with this release, Splunk SOAR version numbers are aligning with Splunk SOAR Enterprise Security versions.
Python version support: Support for Python 3.9 will officially end in April 2026. After this release, Splunk SOAR will require all automations, including playbooks, custom functions, and apps, to be compatible with Python 3.13 or later. Automations that have not been updated to Python 3.13 will no longer run. For more information, see How Splunk SOAR (On-premises) uses Python, in Administer Splunk SOAR (On-premises) and November 6, 2025 Release 7.1.0.
FIPS 140-3 compliance: This release is compliant with FIPS 140-3. This FIPS version is used automatically for systems running Red Hat Enterprise Linux (RHEL) 9, Oracle Linux 9, or Amazon Linux 2023. For additional information on FIPS, see FIPS compliance in the Install and Upgrade Splunk SOAR (On-premises) manual.
The following apps are currently not compliant with FIPS 140-3:
Carbon Black Response, Cisco ESA, CylancePROTECT, Fidelis Network, ForeScout CounterACT, Microsoft SQL Server, MS Graph for Active Directory, PostgreSQL, ProtectWise, QRadar, Splunk, Symantec Security Analytics, Tanium REST, vSphere
What's new in Splunk SOAR (On-premises)
| Splunk Idea | Feature | Description |
|---|---|---|
| BETA: Action builder |
Use the Action Builder in the Visual Playbook Editor to create new endpoints for existing apps when a pre-built action does not exist. No code is required. For details, see Create a new action with the action builder . |
|
| Clustering improvement |
As of this release, Consul is no longer a required component of Splunk SOAR clusters. New clusters will no longer include Consul. When you upgrade to the latest release of Splunk SOAR, Consul is automatically removed from existing clusters. No additional action is required. Splunk SOAR cluster nodes no longer have “server” or “client” designations. All nodes participate equally in leadership determinations, regardless of cluster size. Splunk SOAR cluster nodes now have a “disable_reason” column, used by the system to specify why a node has been disabled. Leader changes no longer cancel any currently executing ingestion runs, scheduled reports, or approval notifications. |