Welcome to Splunk SOAR (On-premises) 6.4.0
The Splunk SOAR (On-premises) platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.
If you are new to Splunk SOAR (On-premises), read About Splunk SOAR (On-premises) in the Use Splunk SOAR (On-premises) manual to learn how you can use Splunk SOAR (On-premises) for security automation.
If your Splunk SOAR (On-premises) deployment uses the Splunk SOAR Automation Broker see see What's new in Splunk SOAR Automation Broker in the Set up and manage Splunk Automation Broker documentation.
February 25, 2025 Release 6.4.0
Early downloaders: Download updated version 6.4.0.92
To correct a potential issue where the Automation Broker might have been forced to reauthenticate, Splunk released an updated version, Splunk SOAR (On-premises) 6.4.0.92, March 21, 2025, Pacific Daylight Time.
Use the following lists to determine what action, if any, you must take.
- If you downloaded 6.4.0.90, but did not yet upgrade your system, download version 6.4.0.92 and follow the standard installation or upgrade steps provided in Install and Upgrade Splunk SOAR (On-premises).
- If you downloaded 6.4.0.90 and already upgraded your system, follow the instructions for the SOAR on-prem ver 6.4.0.90 Automation Broker patch in the Splunk Support Portal.
- If you downloaded, or plan to download, after March 21, 2025 Pacific Daylight Time.
- If you have already successfully upgraded to Splunk SOAR (On-premises) release 6.4.0.92.
Removed feature
Classic Playbook Editor: As of this release, Splunk SOAR no longer includes the classic visual editor. Your existing classic playbooks still run. To view or edit your classic playbooks visually, convert them to modern mode. For details, see Convert classic playbooks to modern playbooks.
All articles about the classic playbook editor are also removed from the Splunk SOAR product documentation.
Deprecated features
Splunk Mobile App for Splunk SOAR (On-premises): As of this release, this feature is deprecated and will be removed in late 2025.
Amazon Linux 2: As of this release, support for Amazon Linux 2 is deprecated. Amazon Linux 2023 is supported. For migration information, see Migrate a Splunk SOAR (On-premises) install from Amazon Linux 2 to Amazon Linux 2023.
Upgrade information for APIs
If you are upgrading from a previous version, be aware that playbooks you create in Splunk SOAR version 6.4.0 and beyond are not backward compatible with previous versions of Splunk SOAR. In Splunk SOAR version 6.4.0, playbooks introduced two new API endpoints:
- get_block_result (replaces
get_run_data) - save_block_result (replaces
save_run_data)
The new APIs function similarly to the former APIs, but also provide more information needed for the data preview panel.
What's new in Splunk SOAR (On-premises)
This release of Splunk SOAR (On-premises) includes the following enhancements.
| Splunk idea | Feature | Description |
|---|---|---|
| Guided automation | Guided Automation, also known as Data Preview, now supports additional playbook blocks, including Prompt, Format, Code, and Utility (Custom Function) blocks. For details, see Use Data Preview to build, test, and edit Splunk SOAR (On-premises) playbooks. | |
| Expanded operating system support | Splunk SOAR now includes support for Red Hat Enterprise Linux 9, Oracle Linux 9, and Amazon Linux 2023. For information on migrating Splunk SOAR to a newer operating system see: | |
| Pylint updates | In preparation for the future support of Python 3.13, the Python linter in the visual playbook editor (VPE) is updated to include warnings and alerts for features that will change between Python 3.9 (currently supported) and Python 3.13 (supported soon). | |
| Improved throughput | All new assets will now have a default concurrency limit of 50. The default limit for your existing assets has been raised to 50. For details, see the Set the global action concurrency limit section of the Set global environment settings for Splunk SOAR article. | |
| Focused playbook debugging | The data preview panel now includes a sub-tab called "Logs" for each block within a playbook. The new Logs tab displays a subset of the Debugger output for the highlighted block. For details, see the View logs for a specific playbook block section of the Use Data Preview to build, test, and edit Splunk SOAR (On-premises) playbooks article. | |
| Python code editor: find and replace | New functionality to accurately find and replace strings in the Python Editor tab of Data Preview. The find and replace function supports Python regex patterns and keyboard shortcuts. For details, see View or edit the Python code in Splunk SOAR (Cloud) playbooks. | |
| Data preview block order | The Data Preview panel now displays playbook blocks in order of appearance in the playbook, rather than the order in which they were added to the canvas. For details about the Data Preview panel, see Use Data Preview to build, test, and edit Splunk SOAR (On-premises) playbooks. |
This version of Splunk SOAR uses Splunk Universal Forwarder version 9.3.0.
See also
- For known issues in this release, see Known issues for Splunk SOAR (On-premises).
- For fixed issues in this release, see Fixed issues for Splunk SOAR (On-premises).
- For release notes for the Splunk SOAR Automation Broker, see What's new in Splunk SOAR Automation Broker in the Set up and manage Splunk Automation Broker documentation.