Welcome to Splunk SOAR (On-premises) 6.4.1

The Splunk SOAR (On-premises) platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.

If you are new to Splunk SOAR (On-premises), read About Splunk SOAR (On-premises) in the Use Splunk SOAR (On-premises) manual to learn how you can use Splunk SOAR (On-premises) for security automation.

If your Splunk SOAR (On-premises) deployment uses the Splunk SOAR Automation Broker, see What's new in Splunk SOAR Automation Broker in the Set up and manage Splunk Automation Broker documentation.

June 10, 2025 Updated Release 6.4.1.361


Enhancements for this release are described in the What's New in Splunk SOAR (On-premises) version 6.4.1 section later in this article. Known issues and fixed issues are updated in their corresponding pages for the main Splunk SOAR (On-premises) version 6.4.1 release.

This is an updated release of Splunk SOAR (On-premises) version 6.4.1 to fix two issues.

  • PSASS-23968: An issue with how the system connects blocks in a playbook, known as joins. For most users, no action is required. To determine if you must take action to update your playbooks, continue reading the section PSASS-23968: Check if playbook update is required.
  • PSASS-23878: A deadlock can occur in the IngestD daemon because of an issue in the logic that cleans up ingestion_status records, which can cause excessive deletes.

If you have previously upgraded your Splunk SOAR (On-premises) deployment to release 6.4.1.356, you must upgrade to release 6.4.1.361.

PSASS-23968: Check if playbook update is required

No update required

An emergency update was emailed to you on May 30, 2025. If you already updated your affected playbooks by following the instructions in that email, no further action is required.

Update required

If you have playbooks that meet both of the following criteria, you must take further action:

  • Created in a version earlier than version 6.4.1 AND
  • Configured or updated join settings and saved after upgrading to version 6.4.1

[Image: specifying customized join settings in the Visual Playbook Editor]

For additional details on join settings, see Advanced settings in the Add a new block to your Splunk SOAR (On-premises) playbook document.

To update playbooks that meet the criteria just described, follow these steps.

  1. Open a playbook that meets the criteria.
  2. In the Visual Playbook Editor, review playbook blocks for which you configured or updated join settings. Ensure that the join settings are configured appropriately.
  3. Save the playbook.
  4. Repeat these steps for each affected playbook.

May 27, 2025 Release 6.4.1

Automation Broker requirement notice

Splunk SOAR (On-premises) release 6.4.1 and higher enforce versioning for the Splunk SOAR Automation Broker. You must use a release of the Splunk SOAR Automation Broker that is supported for use with your release of Splunk SOAR (Cloud) or Splunk SOAR (On-premises). See Matching the Splunk SOAR Automation Broker with Splunk SOAR releases in About Splunk SOAR Automation Broker from Set Up and Manage the Splunk SOAR Automation Broker. Splunk SOAR (On-premises) may disconnect from Splunk SOAR Automation Brokers which are outside of the supported versions.

Supported releases for the Splunk SOAR Automation Broker are calculated as "N-1" where "N" is the current release of Splunk SOAR.

  • N: The Splunk SOAR Automation Broker release version matching the release version of Splunk SOAR.
  • N-1: The previous release version of Splunk SOAR Automation Broker.

Example: If you are using Splunk SOAR (On-premises) release 6.4.1, then you must use either the matching 6.4.1 or the 6.4.0 tagged release of the Splunk SOAR Automation Broker.

Removed feature

Amazon Linux 2: Support for Amazon Linux 2 has been removed. Amazon Linux 2023 is supported. For migration information, see Migrate a Splunk SOAR (On-premises) install from Amazon Linux 2 to Amazon Linux 2023.

Deprecated features

Splunk Mobile App for Splunk SOAR (On-premises): As of this release, this feature is deprecated and will be removed in late 2025.

phantom_scheduler: The phantom_scheduler component is deprecated and will be removed in a future release. The phantom_scheduler is an internal component used by Splunk SOAR (On-premises) for task scheduling. The component is only accessible from a command line and was never intended for use other than by internal systems.

To schedule automatic tasks for your Splunk SOAR (On-premises) deployment, use an operating system tool such as cron. You can add scheduled tasks for Splunk SOAR (On-premises) to your deployment's crontab outside of the block for phantom jobs, labeled like this: ### START OF PHANTOM JOBS - KEEP THEM AS THEY ARE ###. Consult the instructions for your deployment's operating system for information about using cron.
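The following is an added example, not Splunk's own tooling: a POSIX shell helper that adds a scheduled task to a crontab file while leaving the phantom jobs block exactly as it is. Only the START marker is documented; the END marker name, the sample job lines and the script paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the Splunk documentation): add a cron job to a
# Splunk SOAR host's crontab file without touching the phantom jobs block.
# Only the START marker is documented; PHANTOM_END is an assumed marker, and
# without it the block is treated as running to the end of the file.
PHANTOM_START='### START OF PHANTOM JOBS - KEEP THEM AS THEY ARE ###'
PHANTOM_END='### END OF PHANTOM JOBS ###'   # assumption: adjust to your crontab

# phantom_block FILE: print the phantom jobs block (markers included, or to EOF).
phantom_block() {
  awk -v s="$PHANTOM_START" -v e="$PHANTOM_END" '
    $0 == s { inb = 1 }
    inb     { print }
    $0 == e { inb = 0 }' "$1"
}

# add_cron_job FILE LINE: insert LINE just before the phantom block, so it is
# outside the block whether or not an END marker exists; append if no block.
# Idempotent, and refuses to write if the block would change.
add_cron_job() {
  file=$1; line=$2
  if grep -Fqx -- "$line" "$file"; then
    return 0                                  # already scheduled
  fi
  tmp=$(mktemp) || return 1
  if grep -Fqx -- "$PHANTOM_START" "$file"; then
    # awk -v interprets backslash escapes; cron lines normally have none
    awk -v s="$PHANTOM_START" -v l="$line" '
      $0 == s && !done { print l; done = 1 }
      { print }' "$file" > "$tmp"
  else
    cat "$file" > "$tmp" && printf '%s\n' "$line" >> "$tmp"
  fi
  if [ "$(phantom_block "$file")" != "$(phantom_block "$tmp")" ]; then
    echo "refusing: phantom jobs block would change" >&2
    rm -f "$tmp"; return 1
  fi
  mv "$tmp" "$file"
}
```

Typical use is `crontab -l > soar.cron`, then `add_cron_job soar.cron '0 2 * * * /usr/local/bin/soar-backup.sh'` (path assumed), then `crontab soar.cron`.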

Updated code blocks and join settings

As part of the Visual Playbook Editor code block updates for Splunk SOAR version 6.4.1, code blocks now behave like other playbook blocks. As part of these updates, code blocks have a new effect on downstream blocks. When configuring join settings in a specific block, you will not be able to see certain upstream blocks if there is a code block between those upstream blocks and your location. You will only see the join options for the directly connected blocks.

Existing playbooks will continue to work as expected, until you edit and save them in Splunk SOAR version 6.4.1.

If you have playbooks that meet both of the following criteria, check that your join settings are configured as expected.

  • Created in a version earlier than version 6.4.1 AND
  • Edited and saved the playbook after upgrading to version 6.4.1

Depending on the configurations of the blocks in your playbook, you can reveal upstream blocks within your downstream join settings by using one of these methods:

  • Configure join settings for the hidden blocks earlier in the playbook, further upstream from those hidden blocks.
  • Bypass the code block by adding extra connections between the upstream blocks and the downstream block where you are configuring join settings.
  • Temporarily move the code block further downstream, so the block where you are configuring join settings has access to every desired upstream block. After you configure the join settings, you can move the code block back to its original position.

What's new in Splunk SOAR (On-premises)

This release of Splunk SOAR (On-premises) includes the following enhancements.

Each entry lists the feature, the Splunk idea it addresses where one is recorded, and a description.

Guided automation enhancements: Guided Automation, also known as Data Preview, now supports Filter and Decision blocks. For details, see Use Data Preview to build, test, and edit Splunk SOAR (On-premises) playbooks.

Visual Playbook Editor copy-paste shortcuts (Splunk ideas PPSID-I-448, PPSID-I-156, PPSID-I-504, PPSID-I-779): New shortcuts allow users to copy and paste multiple blocks within a playbook or across playbooks, preserving data paths and block settings for quick, accurate playbook design. For details, see Use Data Preview to build, test, and edit Splunk SOAR (On-premises) playbooks.

Pairing with Splunk Enterprise Security* and Visual Playbook Editor changes for ES pairing*: Information on how to pair your Splunk SOAR instance with your Splunk Enterprise Security instance. For details, see Pair Splunk SOAR with Splunk Enterprise Security.

Automation rules framework*: You can trigger SOAR playbooks for event-based detections or finding-based detections in Splunk Enterprise Security. For details, see Configure automation rules to run playbooks based on detections in Splunk Enterprise Security.

Improved Python efficiency: Real-time custom code validation is now available in SOAR code editors, significantly improving the speed and ease of using custom code across the Splunk SOAR UI.

Ingestion status enhancements: The Ingestion status page now includes a time range selector to focus on the data you want to see and to improve performance. For details, see View ingested container statistics using Ingestion Status.

Webhooks support for Apps: Apps can define webhooks to extend Splunk SOAR (On-premises) with new HTTP endpoints. Apps can use these webhooks to define callback URLs for other services to use. This new feature is used by the Microsoft Teams connector to enable the "ask question" action, and other apps may soon implement webhooks of their own. For information on how to manage and configure webhooks defined by assets, see Configure webhooks settings for a Splunk SOAR (On-premises) asset.

* This feature will be available when your Enterprise Security stack is upgraded to 8.1.

This version of Splunk SOAR uses Splunk Universal Forwarder version 9.4.1.

See also