Splunk SOAR MCP Server
Provides tools to interact with Splunk SOAR (formerly Phantom), enabling AI agents to manage containers (cases), playbooks, artifacts, actions, custom lists, and assets via the SOAR REST API.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Splunk SOAR MCP Serversearch containers with status 'new' limit 10"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Splunk SOAR MCP Server
An MCP (Model Context Protocol) server for Splunk SOAR (formerly Phantom). It lets AI assistants like Claude Code operate a SOAR instance headlessly — no browser needed. Every call goes straight to the SOAR REST API using a ph-auth-token (or HTTP Basic auth).
What you can do with it:
Triage containers (cases): search, read fields/artifacts, add analyst notes
Author and deploy playbooks programmatically (the
import_playbookbundle path — the only write path that actually works for modern playbooks)Run playbooks and single app actions, then poll status, action runs, and debug logs
Manage custom lists and asset configurations
Fall back to any raw REST call via the
restescape hatch
Tested against Splunk SOAR 6.4.x.
Requirements
Python 3.10+
uv(recommended) orpip install fastmcpNetwork access to your SOAR instance
A SOAR automation user with an auth token (see below)
Related MCP server: MCP Server for Splunk
Step 1 — Create an automation user & token in SOAR
Log in to your SOAR web UI as an admin.
Go to Administration → User Management → Users → + User.
Set User Type = Automation. Give it a name like
mcp-auto.Grant a role with the permissions you need (at minimum: view containers/playbooks; add Edit/Import Playbooks and Execute Actions if you want deploy/run capability).
Save the user, then open it — the Authorization Configuration for REST API section shows the JSON with the
ph-auth-tokenvalue. Copy that token.Note the user's numeric id (visible in the URL when viewing the user, or via
GET /rest/ph_user?_filter_type="automation"). You'll use it asSOAR_OWNER_ID— it is required when running single actions viarun_action.
Alternatively, you can skip the token and use HTTP Basic auth with
SOAR_USER/SOAR_PASS, but a scoped automation token is strongly recommended.
Step 2 — Configure environment variables
Variable | Required | Description |
| ✅ | Base URL of your SOAR instance, e.g. |
| ✅ (or user/pass) | The |
| — | HTTP Basic fallback, used only when |
| — | Numeric |
| — |
|
Step 3 — Register with your MCP client
Claude Code (project scope)
Create .mcp.json in your project root (see .mcp.json.example):
{
"mcpServers": {
"soar": {
"command": "uv",
"args": ["run", "--with", "fastmcp", "python", "/absolute/path/to/splunk-soar-mcp/server.py"],
"env": {
"SOAR_HOST": "https://YOUR-SOAR-HOST",
"SOAR_TOKEN": "YOUR-PH-AUTH-TOKEN",
"SOAR_OWNER_ID": "1"
}
}
}
}Then start Claude Code in that project and approve the server when prompted (or run /mcp to check the connection).
Don't commit your real
.mcp.json— it contains your token. Keep it in.gitignoreor use an env-var reference your client supports.
Claude Desktop
Add the same block to claude_desktop_config.json:
macOS:
~/Library/Application Support/Claude/claude_desktop_config.jsonWindows:
%APPDATA%\Claude\claude_desktop_config.json
Plain pip instead of uv
"command": "python3",
"args": ["/absolute/path/to/splunk-soar-mcp/server.py"]with pip install fastmcp done beforehand.
Step 4 — Verify the connection
Ask your assistant to call the whoami tool. Expected output:
{
"host": "https://YOUR-SOAR-HOST",
"auth_mode": "token",
"auth_ok": true,
"version": "6.4.1.361",
"run_as": {"id": 1, "username": "mcp-auto", "type": "automation"}
}If auth_ok is false, the token is wrong or lacks REST access. If the server fails to start with SOAR_HOST is not set, fix your env block.
Tool reference
Connection & generic
Tool | Purpose |
| Check credentials, SOAR version, and which automation user actions run as |
| Generic REST escape hatch ( |
Containers (cases)
Tool | Purpose |
| Find containers by name substring / status / tenant |
| Key fields + |
| List artifacts with their full CEF dict |
| Merge keys into an artifact's CEF (a bare POST would silently wipe every other key — this tool reads-then-merges) |
| Update a container's |
| Add a note to a container |
Playbooks — read & author
Tool | Purpose |
| Find playbooks by name |
| Metadata: name, |
| The generated Python + input/output spec — read the real datapaths before transforming a playbook |
| Build a tgz bundle from |
| Import a pre-built base64 gzip-tarball bundle |
Why bundles? Modern (
is_modern: true) playbooks are not writable via plainPOST /rest/playbook/{id}— that endpoint returnssuccessbut silently changes nothing.POST /rest/import_playbookwith a tar.gz bundle is the real write path.
Playbooks & actions — run and debug
Tool | Purpose |
| Trigger a playbook run (supports input playbooks) |
| Poll one run: status + message |
| Poll until the run finishes, return final status + its action runs |
| List the action runs a playbook run produced |
| Per-app-run parameters + result message — shows the exact parameters sent to the app |
| The run's debug log — where SOAR reports the real failure (e.g. "phantom.collect2() returned an empty list") |
| Run a single app action outside any playbook and wait for the result |
Custom lists & assets
Tool | Purpose |
| Read a custom list ( |
| Replace whole rows ( |
| Merge keys into an asset config (e.g. rotate a password). Reads-then-merges — a partial POST would drop the other keys. Secrets are never echoed back |
Typical workflow: build → deploy → test a playbook
1. Produce out_dir/{NAME}.py and out_dir/{NAME}.json (playbook source + graph)
2. deploy_playbook("out_dir", "NAME") → imported id + passed_validation
3. run_playbook(container_id, id, {..inputs..}) → playbook_run_id
4. wait_for_playbook_run(run_id) → final status + action runs
5. playbook_run_log(run_id) → debug the failure if anyGotchas learned the hard way
import_playbookalways creates a new playbook id — it never overwrites by name.REST
DELETE /rest/playbook/{id}returns 405 — playbooks can only be deleted in the UI.A bare
POST /rest/artifact/{id} {"cef": {...}}replaces the whole CEF and destroys every other key. Same for asset configurations. Use the merge tools here.Write semantics differ per object: container
custom_fieldsmerge (partial write safe), artifact top-level fields (name/label/severity) merge, butartifact.cefandasset.configurationreplace.Container
statusvalues are picky —"in progress"is rejected; the valid value isin-progress(with hyphen).run_actionrequiresownerandapp_idboth at the top level and inside the target, or SOAR rejects the request with a misleading error.One
phantom.collect2()call collects over ONE block — never span twoplaybook_input:*fields in a single datapath list.
Security notes
Use a dedicated automation user with the minimum role, never a personal admin account.
Keep the token out of version control (
.mcp.jsonis in this repo's.gitignore).TLS verification is off by default (self-signed certs are the norm on-prem). Set
SOAR_VERIFY_SSL=trueif your instance has a valid certificate.Rotate the token from User Management if it ever leaks.
License
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Ewiges-M/splunk-soar-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server