Skip to main content

Product Feature Details

Splunk SOAR

Work smarter, respond faster, and modernize your SOC with security orchestration, automation and response
*formerly Splunk Phantom

Splunk SOAR Features

splunk-soar-features splunk-soar-features

Main Dashboard

Splunk SOAR’s Main Dashboard provides an overview of all your data and activity, notable events, playbooks, connections with other security tools, workloads, ROI, and so much more.


Splunk SOAR apps are the integration points between Splunk SOAR and other security technologies. Through apps, Splunk SOAR directs your other security tools to perform actions, such as direct VirusTotal to check file reputation or Cisco Firewall to block an IP. Splunk SOAR’s app model supports integration with over 300 tools and over 2000 different actions. See available apps.


Splunk SOAR playbooks automate security and IT actions at machine speed. Playbooks execute a sequence of actions across your tools in seconds, vs hours or more if you perform them manually. Splunk SOAR comes with 100 pre-made playbooks out of the box, so you can start automating security tasks right away. Splunk SOAR’s visual playbook editor makes it easier than ever to create, edit, implement and scale automated playbooks to help your business eliminate security analyst grunt work. .

*Users can build and edit playbooks in the original horizontal visual playbook editor, or the vertical visual playbook editor introduced in August 2021.

Case Management

Case management functionality is built into Splunk SOAR. Using workbooks, you can codify your standard operating procedures into reusable templates. Splunk SOAR supports custom and industry standard workbooks such as the NIST-800 template for incident response. You can divide tasks into phases, assign tasks to team members, and document your work.

Event Management

Analysts are often overwhelmed with a large volume of security events. Splunk SOAR makes event management easy by consolidating all events from multiple sources into one place. Analysts can sort and filter events to identify high fidelity notable events and prioritize action.


Splunk SOAR’s orchestration, automation, response, collaboration, and case management capabilities are also available from your mobile device.

Custom Functions

Splunk SOAR’s custom functions allow shareable custom code across playbooks.

Contextual Action Launch

Splunk SOAR apps have a parameter for action inputs and outputs called "contains". These are used to enable contextual actions in the Splunk SOAR user interface. A common example is the contains type "ip". This is a powerful feature that the platform provides, as it allows the user to chain the output of one action as input to another.

Install/Update Apps

A common task on the Splunk SOAR platform is installing a new app, or updating existing apps. Apps extend the Splunk SOAR platform by integrating third-party security products and tools. We currently offer more than 350 premade apps that are accessible right now.

Investigation Command Line

When you're on the Splunk SOAR investigation page, there are several ways to run actions. One of the easiest ones is to use the command line, down where you would write comments in the event. If you start off with a slash (/) you get prompting for the action you would like to choose.

Create Manual Event

If you haven’t done anything on your Splunk SOAR instance yet you'll see zeros across the top in what we call the ROI summary. So how do you get started creating events in Splunk SOAR? You create one manually.

Configure Third Party Tools

To get started in Splunk SOAR, you will need to configure an asset. Assets are the security and infrastructure assets that you integrate with the Splunk SOAR platform, like firewalls and endpoint products. Splunk SOAR connects to these assets through apps. Apps extend the platform by integrating third-party security products and tools.

Splunk SOAR Playbooks

splunk-soar-playbooks splunk-soar-playbooks

Crowdstrike Malware Triage

This playbook walks through the steps that are performed automatically by Splunk SOAR to triage file hashes ingested from Crowdstrike and quarantine potentially infected devices.

Finding and Disabling Inactive Users on AWS

Splunk SOAR’s orchestration, automation, response, collaboration, and case management capabilities are also available from your mobile device.

Azure New User Census

Learn how you can use Splunk SOAR to automate account monitoring to ensure that threat actors are not exploiting vulnerabilities to access sensitive information through authenticated accounts.

Suspicious Email Domain Enrichment

This playbook uses Cisco Umbrella Investigate to add the risk score, risk status and domain category to the security event in Spunk SOAR. When an analyst is assigned an event, this will allow for faster recognition of the purpose of the email, and the domain enrichment will also provide a connection point to take further action on the output.

What can you do with Splunk SOAR?