Skip to main content

Product Feature Details

Splunk SOAR Features

Work smarter, respond faster, and modernize your SOC with security orchestration, automation and response
*formerly Splunk Phantom

Splunk SOAR Features


Main Dashboard

Splunk SOAR’s Main Dashboard provides an overview of all your data and activity, notable events, playbooks, connections with other security tools, workloads, ROI, and so much more.


Splunk SOAR apps are the integration points between Splunk SOAR and other security technologies. Through apps, Splunk SOAR directs your other security tools to perform actions, such as direct VirusTotal to check file reputation or Cisco Firewall to block an IP. Splunk SOAR’s app model supports integration with over 300 tools and over 2800 different actions. All Splunk SOAR apps are available on Splunkbase.

App Editor

App development is easier and faster than ever when you can create, edit and test apps all from one place. In Splunk SOAR's App Editor, you can easily view and add code, test actions, see log results and troubleshoot — plus, gain additional visibility into how well your app is working and change it to suit your needs.


Splunk SOAR playbooks automate security and IT actions at machine speed. Playbooks execute a sequence of actions across your tools in seconds, vs hours or more if you perform them manually. Splunk SOAR comes with 100 pre-made playbooks out of the box, so you can start automating security tasks right away. Splunk SOAR’s visual playbook editor makes it easier than ever to create, edit, implement and scale automated playbooks to help your business eliminate security analyst grunt work.

*Users can build and edit playbooks in the original horizontal visual playbook editor, or the vertical visual playbook editor introduced in August 2021.

Visual Playbook Editor + Input Playbooks

Splunk SOAR’s new, modern visual playbook editor makes it easier than ever to create, edit, implement and scale automated playbooks to help your team eliminate security analyst grunt work, and respond to security incidents at machine speed. Now, anyone can automate, allowing your team to achieve faster time to value from your SOAR tool. In this demo, we'll show you how to build an "input playbook". Input playbooks are used to automate simple IT and security tasks, and can then be leveraged as part of larger, more complex playbooks for a more modular approach to automation. For a more in-depth look at the new visual playbook editor and input playbooks.

Case Management

Case management functionality is built into Splunk SOAR. Using workbooks, you can codify your standard operating procedures into reusable templates. Splunk SOAR supports custom and industry standard workbooks such as the NIST-800 template for incident response. You can divide tasks into phases, assign tasks to team members, and document your work.

Event Management

Analysts are often overwhelmed with a large volume of security events. Splunk SOAR makes event management easy by consolidating all events from multiple sources into one place. Analysts can sort and filter events to identify high fidelity notable events and prioritize action.


Splunk SOAR’s orchestration, automation, response, collaboration, and case management capabilities are also available from your mobile device.

Custom Functions

Splunk SOAR’s custom functions allow you to share custom code across playbooks while introducing complex data objects into the execution path. These aren’t just out-of-the-box playbooks, but out-of-the-box custom blocks that save you time and effort. These capabilities provide the building blocks for scaling your automation, even to those without coding capabilities.

Contextual Action Launch

Splunk SOAR apps have a parameter for action inputs and outputs called "contains". These are used to enable contextual actions in the Splunk SOAR user interface. A common example is the contains type "ip". This is a powerful feature that the platform provides, as it allows the user to chain the output of one action as input to another.

Install/Update Apps

A common task on the Splunk SOAR platform is installing a new app, or updating existing apps. Apps extend the Splunk SOAR platform by integrating third-party security products and tools. With the Splunk SOAR App Editor, you can create, edit, and test apps all from one place, making the app development experience easier and faster than ever. We currently offer more than 350 premade apps that are accessible right now.

Investigation Command Line

When you're on the Splunk SOAR investigation page, there are several ways to run actions. One of the easiest ones is to use the command line, down where you would write comments in the event. If you start off with a slash (/) you get prompting for the action you would like to choose.

Create Manual Event

If you haven’t done anything on your Splunk SOAR instance yet you'll see zeros across the top in what we call the ROI summary. So how do you get started creating events in Splunk SOAR? You create one manually.

Configure Third Party Tools

To get started in Splunk SOAR, you will need to configure an asset. Assets are the security and infrastructure assets that you integrate with the Splunk SOAR platform, like firewalls and endpoint products. Splunk SOAR connects to these assets through apps. Apps extend the platform by integrating third-party security products and tools.

Splunk SOAR Playbooks


Threat Intelligence Management (TruSTAR) Indicator Enrichment

This playbook uses Threat Intelligence Management (formerly TruSTAR) normalized indicator enrichment, which is captured within the notes of a container, for an analyst to view details and specify subsequent actions directly within a single Splunk SOAR prompt for rapid manual response.

Crowdstrike Malware Triage

This playbook walks through the steps that are performed automatically by Splunk SOAR to triage file hashes ingested from Crowdstrike and quarantine potentially infected devices.

Finding and Disabling Inactive Users on AWS

Splunk SOAR’s orchestration, automation, response, collaboration, and case management capabilities are also available from your mobile device.

Azure New User Census

Learn how you can use Splunk SOAR to automate account monitoring to ensure that threat actors are not exploiting vulnerabilities to access sensitive information through authenticated accounts.

Suspicious Email Domain Enrichment

This playbook uses Cisco Umbrella Investigate to add the risk score, risk status and domain category to the security event in Spunk SOAR. When an analyst is assigned an event, this will allow for faster recognition of the purpose of the email, and the domain enrichment will also provide a connection point to take further action on the output.

What can you do with Splunk SOAR?