# Splunk SOAR SDK - the official tool for Splunk SOAR app development
<!-- NOTE: Coverage is not dynamically generated, but it is true because CI fails below 100% coverage -->
[](https://github.com/phantomcyber/splunk-soar-sdk)
[](https://github.com/phantomcyber/splunk-soar-sdk)
[](https://github.com/phantomcyber/splunk-soar-sdk/deployments)
[](https://github.com/phantomcyber/splunk-soar-sdk)
[](https://github.com/phantomcyber/splunk-soar-sdk/releases)
[](https://pypi.org/project/splunk-soar-sdk/)
[](https://pypi.org/project/splunk-soar-sdk/)
[](https://pypi.org/project/splunk-soar-sdk/)
[](https://opensource.org/licenses/Apache-2.0)
## Documentation
Detailed documentation can be found [here](https://phantomcyber.github.io/splunk-soar-sdk/index.html)
## Installation
The Splunk SOAR SDK is available as [a package on PyPI](https://pypi.org/project/splunk-soar-sdk/).
The recommended installation method is via [uv](https://docs.astral.sh/uv/).
## Installing the SDK as a tool
This package defines the `soarapps` command line interface. To use it, [install as a uv tool](https://docs.astral.sh/uv/guides/tools/):
```shell
uv tool install splunk-soar-sdk
soarapps --help
```
## Quick Start
**Create a new, empty app**: Run `soarapps init`.
**Migrate an existing app to the SDK**: Run `soarapps convert myapp`, where `myapp` is your app written using BaseConnector. This will convert asset configuration, action declarations, and inputs and outputs. You'll still need to re-implement your action code, as well as any custom views and webhooks.
## Installing the SDK as an app dependency
When developing a new Splunk SOAR app using the SDK, you should use [uv](https://docs.astral.sh/uv/) as your project management tool:
```shell
uv add splunk-soar-sdk
```
Running the above command will add `splunk-soar-sdk` as a dependency of your Splunk SOAR app, in your `pyproject.toml` file.
## Usage
In order to start using SDK and build your first Splunk SOAR App, follow the [Getting Started guide](https://github.com/phantomcyber/splunk-soar-sdk/blob/-/docs/getting_started.md).
A Splunk SOAR app developed with the SDK will look something like this:
Project structure:
```text
string_reverser/
├─ src/
│ ├─ __init__.py
│ ├─ app.py
├─ tests/
│ ├─ __init__.py
│ ├─ test_app.py
├─ .pre-commit-config.yaml
├─ logo.svg
├─ logo_dark.svg
├─ pyproject.toml
```
With `app.py` containing:
```python
from soar_sdk.abstract import SOARClient
from soar_sdk.app import App
from soar_sdk.asset import AssetField, BaseAsset
from soar_sdk.params import Params
from soar_sdk.action_results import ActionOutput
class Asset(BaseAsset):
base_url: str
api_key: str = AssetField(sensitive=True, description="API key for authentication")
app = App(name="test_app", asset_cls=Asset, appid="1e1618e7-2f70-4fc0-916a-f96facc2d2e4", app_type="sandbox", logo="logo.svg", logo_dark="logo_dark.svg", product_vendor="Splunk", product_name="Example App", publisher="Splunk")
@app.test_connectivity()
def test_connectivity(client: SOARClient, asset: Asset) -> None:
client.debug(f"testing connectivity against {asset.base_url}")
class ReverseStringParams(Params):
input_string: str
class ReverseStringOutput(ActionOutput):
reversed_string: str
@app.action(action_type="test", verbose="Reverses a string.")
def reverse_string(
param: ReverseStringParams, client: SOARClient
) -> ReverseStringOutput:
reversed_string = param.input_string[::-1]
return ReverseStringOutput(reversed_string=reversed_string)
if __name__ == "__main__":
app.cli()
```
## Requirements
* [uv](https://docs.astral.sh/uv/getting-started/installation/)
* Python >=3.9
* Python may be installed locally [with uv](https://docs.astral.sh/uv/guides/install-python/)
* Splunk SOAR >=6.4.0
* You can get Splunk SOAR Community Edition from [the Splunk website](https://www.splunk.com/en_us/products/splunk-security-orchestration-and-automation.html)
---
Copyright 2025 Splunk Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
<http://www.apache.org/licenses/LICENSE-2.0>
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and limitations under the License.
Raw data
{
"_id": null,
"home_page": null,
"name": "splunk-soar-sdk",
"maintainer": null,
"docs_url": null,
"requires_python": "<3.14,>=3.9",
"maintainer_email": null,
"keywords": "app, cisco, connector, phantom, sdk, soar, splunk",
"author": null,
"author_email": "Jacob Davis <jacobd@splunk.com>, Tapish Jain <tapishj@splunk.com>, Janusz Kamie\u0144ski <jkamienski@splunk.com>, Michael Nordby <mnordby@splunk.com>, Scott Odle <sodle@splunk.com>, Micha\u0142 Pos\u0142uszny <mposluszny@splunk.com>, Ian Rokas <grokas@splunk.com>",
"download_url": "https://files.pythonhosted.org/packages/25/e8/5d4a4f20f24a25b5fb7bdebf9e30862e6169a782b586506660c7b8dda995/splunk_soar_sdk-1.0.0b51.tar.gz",
"platform": null,
"description": "# Splunk SOAR SDK - the official tool for Splunk SOAR app development\n\n<!-- NOTE: Coverage is not dynamically generated, but it is true because CI fails below 100% coverage -->\n[](https://github.com/phantomcyber/splunk-soar-sdk)\n[](https://github.com/phantomcyber/splunk-soar-sdk)\n[](https://github.com/phantomcyber/splunk-soar-sdk/deployments)\n[](https://github.com/phantomcyber/splunk-soar-sdk)\n[](https://github.com/phantomcyber/splunk-soar-sdk/releases)\n[](https://pypi.org/project/splunk-soar-sdk/)\n[](https://pypi.org/project/splunk-soar-sdk/)\n[](https://pypi.org/project/splunk-soar-sdk/)\n[](https://opensource.org/licenses/Apache-2.0)\n\n## Documentation\n\nDetailed documentation can be found [here](https://phantomcyber.github.io/splunk-soar-sdk/index.html)\n\n## Installation\n\nThe Splunk SOAR SDK is available as [a package on PyPI](https://pypi.org/project/splunk-soar-sdk/).\n\nThe recommended installation method is via [uv](https://docs.astral.sh/uv/).\n\n## Installing the SDK as a tool\n\nThis package defines the `soarapps` command line interface. To use it, [install as a uv tool](https://docs.astral.sh/uv/guides/tools/):\n\n```shell\nuv tool install splunk-soar-sdk\nsoarapps --help\n```\n\n## Quick Start\n\n**Create a new, empty app**: Run `soarapps init`.\n\n**Migrate an existing app to the SDK**: Run `soarapps convert myapp`, where `myapp` is your app written using BaseConnector. This will convert asset configuration, action declarations, and inputs and outputs. You'll still need to re-implement your action code, as well as any custom views and webhooks.\n\n## Installing the SDK as an app dependency\n\nWhen developing a new Splunk SOAR app using the SDK, you should use [uv](https://docs.astral.sh/uv/) as your project management tool:\n\n```shell\nuv add splunk-soar-sdk\n```\n\nRunning the above command will add `splunk-soar-sdk` as a dependency of your Splunk SOAR app, in your `pyproject.toml` file.\n\n## Usage\n\nIn order to start using SDK and build your first Splunk SOAR App, follow the [Getting Started guide](https://github.com/phantomcyber/splunk-soar-sdk/blob/-/docs/getting_started.md).\n\nA Splunk SOAR app developed with the SDK will look something like this:\n\nProject structure:\n\n```text\nstring_reverser/\n\u251c\u2500 src/\n\u2502 \u251c\u2500 __init__.py\n\u2502 \u251c\u2500 app.py\n\u251c\u2500 tests/\n\u2502 \u251c\u2500 __init__.py\n\u2502 \u251c\u2500 test_app.py\n\u251c\u2500 .pre-commit-config.yaml\n\u251c\u2500 logo.svg\n\u251c\u2500 logo_dark.svg\n\u251c\u2500 pyproject.toml\n```\n\nWith `app.py` containing:\n\n```python\nfrom soar_sdk.abstract import SOARClient\nfrom soar_sdk.app import App\nfrom soar_sdk.asset import AssetField, BaseAsset\nfrom soar_sdk.params import Params\nfrom soar_sdk.action_results import ActionOutput\n\n\nclass Asset(BaseAsset):\n base_url: str\n api_key: str = AssetField(sensitive=True, description=\"API key for authentication\")\n\n\napp = App(name=\"test_app\", asset_cls=Asset, appid=\"1e1618e7-2f70-4fc0-916a-f96facc2d2e4\", app_type=\"sandbox\", logo=\"logo.svg\", logo_dark=\"logo_dark.svg\", product_vendor=\"Splunk\", product_name=\"Example App\", publisher=\"Splunk\")\n\n\n@app.test_connectivity()\ndef test_connectivity(client: SOARClient, asset: Asset) -> None:\n client.debug(f\"testing connectivity against {asset.base_url}\")\n\n\nclass ReverseStringParams(Params):\n input_string: str\n\n\nclass ReverseStringOutput(ActionOutput):\n reversed_string: str\n\n\n@app.action(action_type=\"test\", verbose=\"Reverses a string.\")\ndef reverse_string(\n param: ReverseStringParams, client: SOARClient\n) -> ReverseStringOutput:\n reversed_string = param.input_string[::-1]\n return ReverseStringOutput(reversed_string=reversed_string)\n\n\nif __name__ == \"__main__\":\n app.cli()\n```\n\n## Requirements\n\n* [uv](https://docs.astral.sh/uv/getting-started/installation/)\n* Python >=3.9\n * Python may be installed locally [with uv](https://docs.astral.sh/uv/guides/install-python/)\n* Splunk SOAR >=6.4.0\n * You can get Splunk SOAR Community Edition from [the Splunk website](https://www.splunk.com/en_us/products/splunk-security-orchestration-and-automation.html)\n\n---\n\nCopyright 2025 Splunk Inc.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n<http://www.apache.org/licenses/LICENSE-2.0>\n\nUnless required by applicable law or agreed to in writing,\nsoftware distributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and limitations under the License.\n",
"bugtrack_url": null,
"license": null,
"summary": "The official framework for developing and testing Splunk SOAR Apps",
"version": "1.0.0b51",
"project_urls": {
"Documentation": "https://github.com/phantomcyber/splunk-soar-sdk",
"Homepage": "https://github.com/phantomcyber/splunk-soar-sdk",
"Repository": "https://github.com/phantomcyber/splunk-soar-sdk"
},
"split_keywords": [
"app",
" cisco",
" connector",
" phantom",
" sdk",
" soar",
" splunk"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "e41d7193efe54ac7cf1344492a3eca4dbace74fefa484af9ab15b817981da27c",
"md5": "fe76dff6d90629eb14e9accebd2dae12",
"sha256": "a5f3ea876278ab3d695af33fbbb8824b1701c43d6eb23921798fbab8a66875c7"
},
"downloads": -1,
"filename": "splunk_soar_sdk-1.0.0b51-py3-none-any.whl",
"has_sig": false,
"md5_digest": "fe76dff6d90629eb14e9accebd2dae12",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": "<3.14,>=3.9",
"size": 146409,
"upload_time": "2025-07-28T19:16:52",
"upload_time_iso_8601": "2025-07-28T19:16:52.084569Z",
"url": "https://files.pythonhosted.org/packages/e4/1d/7193efe54ac7cf1344492a3eca4dbace74fefa484af9ab15b817981da27c/splunk_soar_sdk-1.0.0b51-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "25e85d4a4f20f24a25b5fb7bdebf9e30862e6169a782b586506660c7b8dda995",
"md5": "210f6caed3d9dc41061ec93d709ec55d",
"sha256": "cc84811eed9bb0afc4286ddb84c793c9c8bc534ec40cb100d946b1961228d57f"
},
"downloads": -1,
"filename": "splunk_soar_sdk-1.0.0b51.tar.gz",
"has_sig": false,
"md5_digest": "210f6caed3d9dc41061ec93d709ec55d",
"packagetype": "sdist",
"python_version": "source",
"requires_python": "<3.14,>=3.9",
"size": 371495,
"upload_time": "2025-07-28T19:16:53",
"upload_time_iso_8601": "2025-07-28T19:16:53.633678Z",
"url": "https://files.pythonhosted.org/packages/25/e8/5d4a4f20f24a25b5fb7bdebf9e30862e6169a782b586506660c7b8dda995/splunk_soar_sdk-1.0.0b51.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-07-28 19:16:53",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "phantomcyber",
"github_project": "splunk-soar-sdk",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "splunk-soar-sdk"
}
JSON
