Splunk SOAR (On-premises) upgrade overview and prerequisites

Splunk Phantom and Splunk SOAR (On-premises) releases are numbered as <major>.<minor>.<patch>.<build>.

Examples:

  • Splunk SOAR (On-premises) 6.4.0.92: major version 6, minor version 4, patch version 0, build number 92.
  • Splunk SOAR (On-premises) 6.4.1.356: major version 6, minor version 4, patch version 1, build number 356.
  • Splunk SOAR (On-premises) 7.0.0: major version 7, minor version 0, patch version 0, build number 197.
  • Splunk SOAR (On-premises) 7.0.0: major version 7, minor version 0, patch version 0, build number 198.

Upgrade overview checklist

Follow these steps to prepare for and then upgrade Splunk SOAR (On-premises):

Step 1: Identify your upgrade path. See:

Plan your upgrade by identifying your currently installed Splunk Phantom or Splunk SOAR (On-premises) release, then the path from that release to your destination release. You must follow that path from your currently installed release to the desired destination release.

If your upgrade path requires a change to a supported operating system, upgrade to the newly supported operating system immediately before upgrading Splunk SOAR (On-premises).

Step 2: Make a full backup of your Splunk SOAR (On-premises) deployment.

Make a full backup of your Splunk SOAR (On-premises) deployment before upgrading. See Backup or restore your Splunk SOAR (On-premises) instance in Administer Splunk SOAR (On-premises).

For single-instance deployments running as a virtual machine, you can create a snapshot of the virtual machine instead.

Step 3: Perform the prerequisites.

See Prerequisites for upgrading Splunk SOAR (On-premises).
  1. Obtain logins.
  2. Make sure the Splunk SOAR (On-premises) instance or cluster nodes have enough available space.
  3. Conditional: Turn off warm standby. See Warm standby feature overview.
  4. Conditional: Turn off scheduled backups. For example, if you scheduled backups with a cron job, deactivate the cron job to turn them off.

Step 4: Prepare your system for upgrade.

See Prepare your Splunk SOAR (On-premises) deployment for upgrade.

Step 5: Conditional: Convert a privileged deployment to an unprivileged deployment.

See Convert a privileged Splunk SOAR (On-premises) deployment to an unprivileged deployment.

Step 6: Upgrade Splunk SOAR (On-premises).

See Upgrade Splunk SOAR (On-premises).

After all the preparation stages are complete, you can upgrade your Splunk SOAR (On-premises) instance or cluster. For clustered deployments, upgrade the Splunk SOAR (On-premises) cluster in a rolling fashion, one node at a time.

Step 7: Conditional: Repair indicator hashes for non-Federal Information Processing Standards (FIPS) deployments.

If you are upgrading a non-FIPS instance, you must run the repair_520_indicators.sh script after running the installation script. The script is located in <$PHANTOM_HOME>/bin/. You may optionally pass the batch size as an argument: repair_520_indicators.sh <batch_size>. The default batch size is 1000. You can restart the script at any time. The script terminates after execution.
  • In clustered configurations, run this script on any single Splunk SOAR (On-premises) node.
  • In configurations using warm standby, run this script only on the primary system.

Step 8: Conditional: Rerun the setup command for ibackup.

See Prepare Splunk SOAR (On-premises) for a backup in Administer Splunk SOAR (On-premises).

Step 9: Conditional: Reestablish warm standby.

See Warm standby feature overview.

Important changes between releases

This table lists the Splunk Phantom and Splunk SOAR (On-premises) releases that introduced important changes. Some of these changes may affect your upgrade plans. Review this table carefully before planning your upgrade.

Release Important changes
4.8.24304
  • Added support for Python 3.6 for apps
4.9.39220
  • Removed support for PostgreSQL 9.6
  • Added support for PostgreSQL 11.6
4.10.x
  • Major.minor.patch.build numbering system introduced
  • End of support for RHEL and CentOS 6
  • Added support for Python 3.6 for playbooks
  • Support for TLS 1.1 ends with Splunk Phantom 4.10.5
5.0.1
  • The name of the product changed from Splunk Phantom to Splunk SOAR (On-premises)
5.2.1
  • FIPS support becomes available for new, unprivileged deployments of Splunk SOAR (On-premises) 5.2.1. Splunk SOAR (On-premises) deployments installed in FIPS-compatible mode can only be upgraded in FIPS-compatible mode.
5.3.0
  • Python upgraded from 3.6 to 3.9
  • The format of Splunk SOAR (On-premises) installation packages and scripts was overhauled in 5.3.0.
  • There is no longer a separate installation package for systems with limited Internet access; the installation TAR file contains all required dependencies.
  • Expanded support for PostgreSQL versions to 11.x
5.3.3
  • Support for Python 2 was deprecated
5.3.4
  • Support for Python 2 was removed. Playbooks and apps written in Python 2 are disabled.
5.3.5
  • Support for privileged installation of Splunk SOAR (On-premises) ends. Any privileged installations must be converted to unprivileged for further upgrades.
5.3.6
  • 5.3.6 includes improvements to the upgrade process. You can upgrade privileged deployments of Splunk Phantom release 4.10.7 or Splunk SOAR (On-premises) releases 5.0.1 through 5.3.5 directly to release 5.3.6.
  • 5.3.6 includes improvements to the tools for migrating a privileged deployment to unprivileged.
  • Support for privileged installation of Splunk SOAR (On-premises) ends. Any privileged installations must be converted to unprivileged for further upgrades.
5.5.0
  • Support added for Red Hat Enterprise Linux 8
  • Support added for Amazon Linux 2
6.0.0
6.0.1
  • You can now upgrade directly to the latest Splunk SOAR (On-premises) version.
  • Encryption algorithm for SAML updated from rsa-1_5 to rsa-oaep-mgf1p.
6.0.2
  • Includes all updates found in 6.0.0 and 6.0.1. Fixes issues with 6.0.0 and 6.0.1.
6.1.0
  • Unprivileged deployments of Splunk Phantom 4.10.7 and all unprivileged deployments of Splunk SOAR (On-premises) can now upgrade from any earlier release directly to release 6.1.0.
6.1.1
  • Added support for external PostgreSQL 15.x databases.
  • Unprivileged deployments of Splunk Phantom 4.10.7 and all unprivileged deployments of Splunk SOAR (On-premises) can now upgrade from any earlier release directly to release 6.1.1 or later.
6.2.0
  • Upgraded internal PostgreSQL databases to version 15.
  • Replaced embedded copy of Splunk Enterprise with Universal Forwarders.
6.2.1
  • End of support for DUO two-factor authentication.
  • Classic Playbook Editor permissions change. You can still run and edit your existing classic playbooks, but you can no longer create new classic playbooks.
  • Final release supporting PostgreSQL 11.x for clustered deployments, or deployments with an externalized PostgreSQL database.
CAUTION: If you have an external PostgreSQL 11.x database, you must upgrade PostgreSQL to release 15.x before you can upgrade Splunk SOAR (On-premises) to a higher release.
6.2.2
  • Removed support for PostgreSQL 11.x
  • Django updated to release 4.2
  • Nginx updated to release 1.25.3
  • RabbitMQ updated to release 3.13.1
  • Erlang updated to release 26.2.2
6.3.0
  • Removed support for CentOS 7.x
6.3.1
  • New Administration menu options.
6.4.0
  • Added support for the following operating systems:
    • Red Hat Enterprise Linux 9
    • Oracle Linux 9
    • Amazon Linux 2023
  • Removed Classic Playbook Editor.
6.4.1
  • Removed support for Amazon Linux 2.
  • Added webhooks support for apps.
  • Added support for pairing Splunk SOAR (On-premises) with Splunk Enterprise Security.

7.0.0
  • Added support for Python 3.13
  • Added support for IPv6
  • Consolidated automation engine, folded ActionD into DecideD

7.1.0
  • Python support: Splunk SOAR will automatically attempt to migrate your automation code in Playbooks and Custom Functions to Python 3.13 within 24 hours of when your deployment is upgraded.

    Note: The Python migration process runs separately from the update process. It begins at approximately 3:00 AM UTC, after your Splunk SOAR instance has been updated.
    For additional details, see "Important update" in Splunk SOAR (On-premises) 7.1.0 release notes.
  • Removed support for the Splunk Connected Experiences (Splunk SOAR Mobile) app.

8.4.0
  • Announcement of end of support of Python 3.9 in the next release of Splunk SOAR.
  • Enhanced list of requirements in General system requirements.

Prerequisites for upgrading Splunk SOAR (On-premises)

You need the following information before beginning your upgrade:

  • Logins
    • For unprivileged deployments, you need the login credentials for the user account that runs Splunk SOAR (On-premises).
    • Your Splunk Phantom Community portal login.
  • A minimum of 5 GB of space available in the /tmp directory on the Splunk SOAR (On-premises) instance or cluster node.
  • Enough free disk space in <$PHANTOM_HOME>/data/ and its subdirectories to allow for the upgrade of PostgreSQL.
  • Make note of the directory where Splunk SOAR (On-premises) is installed. This is referred to as <$PHANTOM_HOME> and is often /opt/phantom.
  • Conditional: If your deployment uses the warm standby feature, turn off warm standby. See Warm standby feature overview.
  • Conditional: Turn off scheduled backups. For example, if you scheduled backups with a cron job, deactivate the cron job to turn them off.
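The prerequisites above and the conditional steps in the upgrade checklist (enough space in /tmp and under <$PHANTOM_HOME>/data, scheduled backups deactivated, and the non-FIPS-only repair_520_indicators.sh step) can be turned into a repeatable pre-upgrade check. The script below is an added example, not Splunk's own tooling. It assumes PHANTOM_HOME defaults to /opt/phantom, that reading the kernel flag /proc/sys/crypto/fips_enabled is how you tell a FIPS host from a non-FIPS host (the page does not say how to detect this), and that a scheduled backup shows up as an uncommented crontab line containing the word "backup". It goes slightly beyond the page by also splitting a <major>.<minor>.<patch>.<build> release string into its fields.

```shell
#!/bin/sh
# Pre-upgrade readiness checks for a Splunk SOAR (On-premises) host.
# Added example, not Splunk's own tooling. Assumptions: PHANTOM_HOME defaults
# to /opt/phantom; the 5 GB /tmp requirement comes from the documentation;
# /proc/sys/crypto/fips_enabled is assumed to be how FIPS mode is detected;
# an uncommented crontab line containing "backup" is assumed to be a scheduled backup.

PHANTOM_HOME="${PHANTOM_HOME:-/opt/phantom}"
REQUIRED_TMP_KB=$((5 * 1024 * 1024))   # 5 GB in 1K blocks, the unit df -k reports

# version_part VERSION N: print the Nth dot-separated field of a
# <major>.<minor>.<patch>.<build> release string (empty if the field is absent)
version_part() {
    printf '%s\n' "$1" | cut -d. -f"$2"
}

# avail_kb DIR: available 1K blocks on the filesystem holding DIR (empty if DIR is missing)
avail_kb() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }'
}

# has_space DIR REQUIRED_KB: succeed only if DIR exists and has at least REQUIRED_KB free
has_space() {
    avail=$(avail_kb "$1")
    [ -n "$avail" ] && [ "$avail" -ge "$2" ]
}

# fips_enabled FLAG_FILE: succeed if the flag file is readable and contains "1"
fips_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# backup_jobs_active CRONTAB_TEXT: succeed if any uncommented line mentions "backup"
backup_jobs_active() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -qi 'backup'
}

# preflight: run every check, print a report, and succeed only if all blocking checks pass
preflight() {
    rc=0
    if has_space /tmp "$REQUIRED_TMP_KB"; then
        echo "OK   /tmp has at least 5 GB free"
    else
        echo "FAIL /tmp needs at least 5 GB free (have ${avail:-0} KB)"; rc=1
    fi
    if [ -d "$PHANTOM_HOME/data" ]; then
        echo "OK   $PHANTOM_HOME/data present, $(avail_kb "$PHANTOM_HOME/data") KB free for the PostgreSQL upgrade"
    else
        echo "FAIL $PHANTOM_HOME/data not found; set PHANTOM_HOME to the install directory"; rc=1
    fi
    if fips_enabled /proc/sys/crypto/fips_enabled; then
        echo "INFO FIPS mode on: step 7 (repair_520_indicators.sh) does not apply"
    else
        echo "INFO non-FIPS host: run $PHANTOM_HOME/bin/repair_520_indicators.sh after the installer (step 7)"
    fi
    if backup_jobs_active "$(crontab -l 2>/dev/null)"; then
        echo "FAIL a scheduled backup job is still active in crontab; deactivate it before upgrading"; rc=1
    else
        echo "OK   no scheduled backup job found in crontab"
    fi
    return "$rc"
}

# Only run the report when invoked with --check, so the functions can also be sourced
case "${1:-}" in
    --check) preflight ;;
esac
```

Run it as the account that runs Splunk SOAR (On-premises) with `PHANTOM_HOME=/opt/phantom sh soar_preflight.sh --check`; a non-zero exit status means at least one blocking check failed. On a cluster, run it on every node, since the /tmp and data-directory requirements apply per node.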