Splunk SOAR (Cloud) in restricted environments

Splunk SOAR (Cloud) is available for restricted environments, such as FedRAMP Moderate (IL2), Health Insurance Portability and Accountability Act (HIPAA), Information Security Registered Assessors Program (IRAP), and Payment Card Industry Data Security Standard (PCI DSS).

Splunk SOAR (Cloud) FedRAMP Moderate

Note: This section applies only to Splunk SOAR (Cloud) in FedRAMP Moderate environments.

Splunk SOAR (Cloud) is available for customers who must meet United States Federal Information Processing Standard (FIPS) 199 Moderate Impact Level requirements.

Splunk SOAR (Cloud) FedRAMP Moderate is different from Splunk SOAR (Cloud) in these areas:

Hosting
Splunk SOAR (Cloud) FedRAMP Moderate is hosted in AWS GovCloud (US) regions.

FIPS mode
FIPS mode is turned on for all Splunk SOAR (Cloud) FedRAMP Moderate deployments.

Note: Any Splunk SOAR Automation Brokers that you use in conjunction with your deployment must also run in FIPS mode.

Playbooks
Splunk SOAR (Cloud) FedRAMP Moderate playbooks have additional restrictions over Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instances:
  • Playbooks cannot modify declared global variables.
  • Playbooks cannot open direct connections to the PostgreSQL database. Playbooks must use the playbook automation APIs.
  • Playbooks cannot share information between playbook runs by using the host's file system.
  • The directories /tmp and /opt/phantom/tmp cannot be used to share information between playbook runs. These directories can still be used to share information within a single playbook run.
  • Playbooks cannot read or modify the directory /opt/phantom/vault by using the file system. Playbooks that interact with the vault must use the Vault automation API.
  • Playbooks should not create subprocesses, either by using the built-in os.system Python function or the built-in subprocess Python module.

Automation isolation
Playbook code run in Splunk SOAR (Cloud) FedRAMP Moderate environments is run in isolation using dynamically managed containers. These containers are connected to Splunk SOAR (Cloud) FedRAMP Moderate through an internal automation broker.

Internal automation broker
Splunk SOAR (Cloud) FedRAMP Moderate uses an internal Splunk SOAR Automation Broker to run actions.
  • The internal automation broker is called soar_internal_ab, and cannot be edited or deleted.
  • You can see the status of the internal automation broker from the Home menu, Administration, Product settings, Automation Broker.

For more information about the Splunk SOAR Automation Broker, see About Splunk SOAR Automation Broker.

Restoring from Splunk SOAR (On-premises) or Splunk SOAR (Cloud)
Splunk SOAR (Cloud) FedRAMP Moderate does not currently allow migration of any native data from Splunk SOAR (On-premises) or existing Splunk SOAR (Cloud) instances. This data includes containers, artifacts, notes, comments, and playbook and action run data. A recommended alternative is to use the Splunk App for SOAR to move relevant data to Splunk Cloud Platform for retention.
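The playbook restrictions above can be checked before a playbook is promoted into a FedRAMP Moderate deployment. The following pre-deployment linter is an added example, not Splunk code and not part of the SOAR product: it walks a playbook's Python AST and reports subprocess and os.system use, `global` modifications, file-system access to /opt/phantom/vault, and path literals under /tmp or /opt/phantom/tmp that merit review. The PostgreSQL driver name (psycopg2) is an assumption, since the page only names direct database connections; the sample playbook is constructed for the demonstration.

```python
import ast

# Restricted patterns from the Playbooks list above. The PostgreSQL driver name is an
# assumption (a common Python driver); the page only says "direct connections to PostgreSQL".
FORBIDDEN_MODULES = {
    "subprocess": "creates subprocesses",
    "psycopg2": "direct PostgreSQL connection; use the playbook automation APIs",
}
VAULT_DIR = "/opt/phantom/vault"           # reachable only through the Vault automation API
SHARED_TMP = ("/tmp", "/opt/phantom/tmp")  # usable within one run, never across runs


def check_playbook(source: str) -> list[str]:
    """Return findings ("line N: ...") sorted by line; an empty list means no finding."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for name in names:
                root = name.split(".")[0]
                if root in FORBIDDEN_MODULES:
                    found.append((node.lineno, f"imports {root}: {FORBIDDEN_MODULES[root]}"))
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            # os.system(...) spawns a subprocess
            if isinstance(node.func.value, ast.Name) and node.func.value.id == "os" and node.func.attr == "system":
                found.append((node.lineno, "os.system call creates a subprocess"))
        elif isinstance(node, ast.Global):
            # 'global x' inside a function is how a playbook would modify a declared global
            found.append((node.lineno, f"modifies declared global(s): {', '.join(node.names)}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.startswith(VAULT_DIR):
                found.append((node.lineno, f"file-system access to {VAULT_DIR}; use the Vault automation API"))
            elif node.value.startswith(SHARED_TMP):
                found.append((node.lineno, f"path {node.value!r}: must not carry data between playbook runs"))
    return [f"line {ln}: {msg}" for ln, msg in sorted(found)]


# Constructed sample playbook that trips each restriction (not real customer code).
SAMPLE_PLAYBOOK = '''\
import os
import subprocess
import phantom.rules as phantom
_seen = set()

def on_start(container):
    global _seen
    os.system("echo start")
    blob = open("/opt/phantom/vault/abc123", "rb").read()
    with open("/tmp/handoff.json", "w") as fh:
        fh.write("{}")
'''
```

Run `check_playbook(SAMPLE_PLAYBOOK)` to get five findings, one per restriction the sample violates; a playbook that only imports phantom.rules returns an empty list.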