How SOAR (Cloud) uses Python
This topic provides high-level information about how and where Splunk SOAR Cloud uses Python.
Automation
Splunk SOAR (Cloud)'s automation is powered by Python.
Playbooks
Playbook code is written in Python. When you use the Visual Playbook Editor to build a playbook, each block you add represents code written in Python. In order to add your own Python code to a playbook, you use either the code block or a custom function.
Playbook code blocks and custom functions are run by a Python runner, while playbook actions are executed by a special version of the SOAR Automation Broker, called soar_internal_ab.
Apps or Connectors
Apps, also called Connectors, are written in Python and store data structures in JSON.
To learn how to build and deploy apps or connectors for Splunk SOAR (Cloud), see the Develop Apps manual, beginning with Splunk SOAR apps overview.
Python installation directory
Splunk SOAR (Cloud) release 7.0.0 uses Python 3.13. Support is included for Python 3.9 to help you maintain existing apps, playbooks, custom code, and custom functions and to facilitate the transition to Python 3.13.
Splunk SOAR (Cloud) deploys Python in the following paths:
- Python 3.9 is installed in <$SOAR_HOME>/usr/python39/bin/python3.9
- Python 3.13 is installed in <$SOAR_HOME>/usr/python313/bin/python3.13
For Splunk SOAR (Cloud), <$SOAR_HOME> is /opt/phantom.
With the release of Splunk SOAR (Cloud) 7.0, Python 3.13 is the default version of Python. Python 3.9 is supported, but deprecated, in order to facilitate transitioning Apps and playbooks to Python 3.13.
Python libraries
Splunk SOAR (Cloud) ships with the following libraries for use with automation. You can use these libraries in playbooks for custom code or custom functions. Some libraries appear in multiple sections.
To add other libraries to use in automation, such as playbooks and custom functions, see Manage automation dependencies later in this manual.
General purpose libraries
- simplejson
- python-dateutil
- six
- python-magic
- distro
- django
- requests-pkcs12
- pynacl
- psycopg2
- PyYAML
- hvac
- pylint
- zeep
Libraries for App or Connector development
- beautifulsoup4
- soupsieve
- parse
- python_dateutil
- six
- requests
- certifi
- charset_normalizer
- idna
- urllib3
- sh
- xmltodict
Libraries included to continue support for features commonly used in Python 3.9
- pytz
- pudb
- tabulate
- markdown2
- paramiko
Libraries for cloud service provider support
- boto3
- azure-core
- azure-identity
- azure-keyvault-secrets
- azure-keyvault-keys
- azure-mgmt-compute
- azure-mgmt-rdbms
- google-cloud-secret-manager
- google-crc32c
How auto-migration of automation code works
During the upgrade to Splunk SOAR (Cloud) release 7.0.0, SOAR attempts to automatically migrate automation code (playbooks, custom functions, and apps) from Python 3.9 to Python 3.13.
The steps of the process are:
- Playbooks, custom functions, and apps are passed through pylint to validate that they are supported in Python 3.13. Items that do not pass Python 3.13 validation through pylint stop here. Those items remain dependent on Python 3.9 in the Splunk SOAR database.
- Items that pass pylint validation for Python 3.13 are marked as Python 3.13 ready in Splunk SOAR's database.
The Playbooks page has a column called Python Version, which shows an alert icon and the version text 3.9 for playbooks that use Python 3.9.
The Custom Functions page has a column called Python Version, which shows an alert icon and the version text 3.9 for custom functions that use Python 3.9.
In the Visual Playbook Editor, a block which uses Python 3.9 shows an alert icon in the block.
The Apps page now shows the Python version in each app's listing, with an alert icon for apps that use Python 3.9.
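For items that remain on Python 3.9, one common cause is an import of a standard-library module that no longer exists in Python 3.13. The following is an added example, not Splunk's migration code and not the check pylint performs: a small pre-check that lists such imports in custom code. The module list is a non-exhaustive assumption, and the sample custom function is constructed for illustration.

```python
import ast

# Standard-library modules that exist in Python 3.9 but are gone by 3.13
# (removed in 3.12 or 3.13). Not exhaustive; not the list SOAR or pylint uses.
REMOVED_BY_313 = {
    "aifc", "audioop", "cgi", "cgitb", "chunk", "crypt", "imghdr", "mailcap",
    "msilib", "nis", "nntplib", "ossaudiodev", "pipes", "sndhdr", "spwd",
    "sunau", "telnetlib", "uu", "xdrlib", "lib2to3",
    "asynchat", "asyncore", "imp", "distutils", "smtpd",
}

def find_removed_imports(source, filename="<custom_code>"):
    """Return sorted (line, module) pairs for imports that fail on Python 3.13."""
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        # Code that does not even parse needs manual attention first.
        return [(exc.lineno or 0, "<syntax error>")]
    hits = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            # level == 0 skips relative imports, which never hit the stdlib
            names = [node.module]
        else:
            continue
        for name in names:
            top = name.split(".")[0]
            if top in REMOVED_BY_313:
                hits.add((node.lineno, top))
    return sorted(hits)

# Constructed sample resembling a custom function written for Python 3.9
SAMPLE_CUSTOM_FUNCTION = '''\
import json
import telnetlib
from distutils.version import LooseVersion
from . import cgi

def probe_banner(host=None, port=None, **kwargs):
    import pipes
    return json.dumps({"host": pipes.quote(host or "")})
'''

if __name__ == "__main__":
    for line, module in find_removed_imports(SAMPLE_CUSTOM_FUNCTION):
        print(f"line {line}: '{module}' is not available in Python 3.13")
```

Running the same check on the target interpreter (<$SOAR_HOME>/usr/python313/bin/python3.13) also surfaces syntax that the older version accepted but 3.13 rejects.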
See also
For more detailed information on specific Python uses see these topics.