Welcome to Splunk SOAR (On-premises) 6.2.2

The Splunk SOAR (On-premises) platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.

If you are new to Splunk SOAR (On-premises), read About Splunk SOAR (On-premises) in the Use Splunk SOAR (On-premises) manual to learn how you can use Splunk SOAR (On-premises) for security automation.

If your Splunk SOAR (On-premises) deployment uses the Splunk SOAR Automation Broker, see What's new in Splunk SOAR Automation Broker in the Set up and manage Splunk Automation Broker documentation.

June 04, 2024 Release 6.2.2

Action required: GlusterFS repository update

The mirror for GlusterFS packages has moved, changing the URL that Splunk SOAR (On-premises) uses to download those packages. You must update the installer file install_common.py before you can build or upgrade a clustered deployment, or use a GlusterFS external fileshare.

With a text editor, open install_common.py.

On or around line 208, locate the GLUSTER_RPM_SOURCE_BASE_URL_EL8 declaration.
Change the word "mirror" in that URL to "vault", leaving the rest of the URL unchanged. Edit only this declaration; do not replace other occurrences of "mirror" elsewhere in the file.
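The edit above, scripted so that it touches only the GLUSTER_RPM_SOURCE_BASE_URL_EL8 assignment, keeps a backup and verifies the result before the installer is used. This is an added example, not part of the Splunk SOAR release notes or installer; the actual mirror URL is not shown on this page, so the hostname and path in the constructed sample file are placeholders.

```shell
# Added example, not Splunk's code. Rewrites "mirror" to "vault" only on the
# line that assigns GLUSTER_RPM_SOURCE_BASE_URL_EL8, keeps a backup, and
# verifies the edit. The constructed sample below uses a placeholder URL;
# the real value lives in the installer's install_common.py.

# Print the assignment line (leading whitespace allowed) so it can be checked.
gluster_url_line() {
    grep '^[[:space:]]*GLUSTER_RPM_SOURCE_BASE_URL_EL8[[:space:]]*=' "$1"
}

patch_gluster_url() {
    file="$1"
    line=$(gluster_url_line "$file") || {
        echo "GLUSTER_RPM_SOURCE_BASE_URL_EL8 not found in $file" >&2
        return 1
    }
    case "$line" in
        *mirror*) ;;
        *vault*) echo "$file already points at vault; nothing to do"; return 0 ;;
        *) echo "unexpected URL in $file: $line" >&2; return 1 ;;
    esac
    cp -p "$file" "$file.bak"
    # The sed address restricts the substitution to the assignment line, so
    # any other "mirror" text in the installer is left alone.
    sed '/^[[:space:]]*GLUSTER_RPM_SOURCE_BASE_URL_EL8[[:space:]]*=/s/mirror/vault/' \
        "$file" > "$file.new" && mv "$file.new" "$file" || return 1
    # Verify before trusting the edit; restore the backup if it did not take.
    gluster_url_line "$file" | grep -q 'vault' || {
        echo "edit failed, restoring backup" >&2
        mv "$file.bak" "$file"
        return 1
    }
}

# Demo on a constructed excerpt (not the real installer). On a real system:
#   patch_gluster_url /path/to/install_common.py
demo=$(mktemp)
printf '%s\n' \
    '# constructed excerpt, not the real installer' \
    "GLUSTER_RPM_SOURCE_BASE_URL_EL8 = 'https://example.invalid/mirror/glusterfs/el8/'" \
    'OTHER_SETTING = "mirror"' > "$demo"
patch_gluster_url "$demo"
gluster_url_line "$demo"
rm -f "$demo" "$demo.bak"
```

Run it against the installer copy you are about to use, then confirm the printed line shows "vault" before starting the cluster build or upgrade; the .bak file lets you roll back if the package download still fails.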

Removed Features

Enhancements

This release of Splunk SOAR (On-premises) includes the following enhancements.

Splunk idea: PPSID-I-400, PPSID-I-660, PPSID-I-216
Feature: Visual Playbook Editor updates
Description: The following Visual Playbook Editor (VPE) updates.

Operators for playbook conditions
Added operators for use in playbook decision, filter, and logic loop blocks. New operators include matches regex, is true, is false, is none, is empty, and is list, among others. For details, see Operators for conditions in the Use filters in your Splunk SOAR (Cloud) playbook to specify a subset of artifacts before further processing article and condition in the Playbook automation API article.

Updated prompts functionality
You can now specify a prompt block response type, even if no question is included. For details, see Require user input using the Prompt block in your Splunk SOAR (On-premises) playbook.
Performance improvements
Made significant improvements to VPE performance, resulting in a 15-30x speed increase when loading and editing large playbooks.
Reading long datapaths
You can now hover over the datapath in the configuration panel to see the entire datapath displayed in a tooltip.
Drag-and-drop playbook blocks
You can now add a playbook block to the canvas by selecting a block from the side panel, dragging it to the canvas, and dropping it on top of the block you want it to follow.

Feature: Universal Forwarder improvements
Description: Added support for HTTP forwarders, which work with HTTP load balancers and with the Splunk HTTP Event Collector (HEC). See Customize your forwarder configuration in Administer Splunk SOAR (On-premises).
Feature: Library updates
Description: Updated the following libraries:
  • Django updated to release 4.2
  • Nginx updated to 1.25.3
  • RabbitMQ updated to release 3.13.1
  • Erlang updated to release 26.2.2
Feature: New default value for asset action concurrency limit
Description: When you create an asset, one of its settings is its action concurrency limit, which controls how many actions the asset can run at one time. In earlier releases, an asset's action concurrency limit defaulted to one. In Splunk SOAR (On-premises) release 6.2.2 and higher, the default for new assets is five. Existing assets are not modified.
Note: Make sure any custom app you write or install supports multiple concurrent actions. If an app you use does not, set the action concurrency limit to 1 for any new assets you create for that app.

For information on setting or editing an asset's concurrent action limit, see Set the concurrent action limit in Administer Splunk SOAR (On-premises).

Feature: Updated Automation Broker permissions
Description:

Automation Broker permissions for user roles

A new permission set, automation_broker, has been added for roles that need to manage Automation Brokers. It has been added automatically to existing roles that had system_settings permissions, mapped as follows:

  • If a role had the system_settings edit option, its automation_broker permissions have the edit and delete options.
  • If a role had the system_settings view option, its automation_broker permissions have the view option.
  • If a role had the system_settings view and edit options, its automation_broker permissions have the view, edit, and delete options.

Because this grant is automatic, review which roles held system_settings edit before upgrading: each of them can now edit and delete Automation Brokers, and you may want to remove that ability from roles that do not need it.

To add automation_broker permissions to a role, see Add a role to Splunk SOAR (On-premises) in Manage roles and permissions in Splunk SOAR (On-premises).

Customize the UID and GID for the Automation Broker

You can customize the UID and GID that the Automation Broker runs as by setting these new environment variables in docker-compose.yaml.

  • PUID - This variable is the UID for the Automation Broker. The default is 1000.
  • PGID - This variable is the GID for the Automation Broker. The default is 1000.

Use the UID and GID of the account that owns any host directories mounted into the broker container; if they do not match, the broker cannot write to those directories.
Feature: UX performance enhancements
Description: Several updates improve the performance of the Splunk SOAR (On-premises) user interface.
  • Dashboard widgets now load on request: widgets that are not visible in the user's current view are not refreshed.
  • The investigations page has been updated, reducing duplicated queries and adding configurable refresh intervals. Set the refresh intervals for the investigations page with one POST to /rest/system_settings/refresh_intervals per setting, for example:

    POST /rest/system_settings/refresh_intervals
    { "type": "investigations_page", "duration": 4 }

    POST /rest/system_settings/refresh_intervals
    { "type": "investigations_page_max_wait", "duration": 8 }

    See /rest/system_settings in REST API Reference for Splunk SOAR (On-premises).
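The two POSTs above as one script that validates the setting name and duration before sending anything. This is an added example, not Splunk tooling. It assumes the SOAR base URL, an automation-user API token sent in the ph-auth-token header, and the CA bundle for the SOAR web certificate are supplied through the SOAR_URL, SOAR_TOKEN and SOAR_CA_BUNDLE environment variables (names chosen here, not from the page); DRY_RUN=1 prints the requests instead of sending them. The page does not state the unit of duration, and the check that the max wait is not shorter than the base interval reflects how the values 4 and 8 read, so confirm both against the REST API Reference before changing them.

```shell
# Added example, not Splunk's code. Sends the investigations-page refresh
# interval settings to /rest/system_settings/refresh_intervals.
# Assumed environment: SOAR_URL (base URL), SOAR_TOKEN (API token for the
# ph-auth-token header), SOAR_CA_BUNDLE (CA that signed the SOAR web
# certificate; used instead of curl -k). DRY_RUN=1 only prints the requests.

# Build the JSON body for one setting. Refuses unknown types and
# non-positive durations so a typo cannot create a bad setting.
refresh_interval_body() {
    type="$1"; duration="$2"
    case "$type" in
        investigations_page|investigations_page_max_wait) ;;
        *) echo "unknown refresh interval type: $type" >&2; return 1 ;;
    esac
    case "$duration" in
        ''|*[!0-9]*|0) echo "duration must be a positive integer: $duration" >&2; return 1 ;;
    esac
    printf '{ "type": "%s", "duration": %s }' "$type" "$duration"
}

post_refresh_interval() {
    body=$(refresh_interval_body "$1" "$2") || return 1
    : "${SOAR_URL:?SOAR_URL must be set}"
    url="${SOAR_URL%/}/rest/system_settings/refresh_intervals"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'POST %s %s\n' "$url" "$body"
        return 0
    fi
    curl --fail --silent --show-error \
         --cacert "$SOAR_CA_BUNDLE" \
         -H "ph-auth-token: $SOAR_TOKEN" \
         -H 'Content-Type: application/json' \
         -X POST --data "$body" "$url"
}

# Both settings in one call. Assumption: max_wait is an upper bound on the
# interval, so a max_wait shorter than the interval is rejected.
set_investigations_refresh() {
    interval="$1"; max_wait="$2"
    refresh_interval_body investigations_page "$interval" >/dev/null || return 1
    refresh_interval_body investigations_page_max_wait "$max_wait" >/dev/null || return 1
    if [ "$max_wait" -lt "$interval" ]; then
        echo "max wait ($max_wait) must not be shorter than interval ($interval)" >&2
        return 1
    fi
    post_refresh_interval investigations_page "$interval" &&
        post_refresh_interval investigations_page_max_wait "$max_wait"
}

# Offline demo with the values from the release notes; drop DRY_RUN and set
# SOAR_TOKEN / SOAR_CA_BUNDLE to send the requests to a real instance.
( DRY_RUN=1; SOAR_URL='https://soar.example.invalid'; set_investigations_refresh 4 8 )
```

The token belongs to an automation user with permission to edit system settings; keep it out of shell history by exporting it from a file with restrictive permissions rather than typing it on the command line.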
Feature: Search improvements
Description: The search interface was improved, making filtering options more obvious. See Search within Splunk SOAR (On-premises) in Use Splunk SOAR (On-premises).

See also