Splunk SOAR (Formerly Phantom): Installation with an OVA and a Tarball File

This guide explains how to get started with installing Splunk SOAR for your security ecosystem, using either of two methods.


Splunk SOAR (formerly Phantom) is Splunk’s platform for security orchestration, automation, and response. It can be a key component of any enterprise's security ecosystem as teams move away from manual processes toward playbook-driven automation.


Getting Started

There are two ways to install Splunk SOAR (Phantom):

  1. Using an OVA file (a prebuilt virtual appliance).
  2. Using the unprivileged tarball file on a CentOS 7 host.

Prerequisites

  1. Oracle VirtualBox on the host machine
  2. A Linux host OS (preferably Ubuntu)

Install Splunk SOAR with the OVA file

  1. With VirtualBox installed, double-click the OVA file to import it.
  2. Launch the virtual machine without changing any settings.
  3. At the console, log in with username phantom and password password, then follow the setup screens to set passwords for the root and admin users. On version 4.10 and above the root user can no longer be logged into directly; log in as phantom with password password instead and run ifconfig to find the IP address. These defaults are well known, so change them before the VM is reachable from any shared network.
  4. Choose the Configure Networking option and select DHCP.
  5. Open the system shell and run ifconfig to read the assigned IP address (for example 192.168.0.151).
  6. In a browser on the host machine, open https://<ip address> to reach the Splunk SOAR login screen. The default username is admin and the password is password; you are required to change it on first login. Expect a browser certificate warning on the first connection, since the appliance's certificate is not issued by a trusted CA.

Install Splunk SOAR with Unprivileged Tarball File

Creating the CentOS machine

  • Download CentOS-7-x86_64-Minimal-2009.iso from the CentOS website.
  • Create a virtual machine in VirtualBox with the following configuration:

    a. 8 GB RAM

    b. 300 GB dynamic VDI

    c. 2 CPUs

  • Under Network, set Adapter 1 to NAT Network and a second adapter to Bridged Adapter.
  • Go to Settings -> Storage, select the empty optical drive, click Choose a disk file, select the downloaded ISO, and start the machine.
  • Set INSTALLATION SOURCE and INSTALLATION DESTINATION, then click Begin Installation.
  • Set ROOT PASSWORD and, under USER CREATION, create a user and password; click Finish configuration and reboot the system.
  • When the VM console prompts for login, enter that username and password.

After following the above steps, CentOS-7 will be installed on the machine.

Installing Splunk SOAR in the CentOS Machine

  • Download the unprivileged Splunk SOAR 5.4.0.101028 tarball from https://my.phantom.us/downloads/ (the site requires a login; use the credentials stored in Buttercup).
  • From an Ubuntu machine, SSH into the CentOS machine:

ssh root@<IP_Address>

  • Once logged in, refresh the package metadata and apply updates:

sudo yum clean all

sudo yum update

  • From the Ubuntu machine, copy the downloaded tarball to the CentOS machine (scp -r is only needed for directories; a single file needs no flag):

scp ./splunk_soar-unpriv-<version>.tar root@<ip_address>:~/

  • Back in the SSH session, extract the tarball:

tar -xvf ./splunk_soar-unpriv-<version>.tar

(GNU tar detects gzip compression automatically, so this works whether the download is a plain or a gzipped archive. Extraction creates a splunk-soar directory.)

  • Change into the splunk-soar directory with cd. It contains a pre-install script named soar-prepare-system. To prepare the system for the unprivileged installation, run it as root, giving the directory that will hold the installation:

sudo ./soar-prepare-system --splunk-soar-home <home_directory>

(This script creates a phantom user on the machine.)

  • Open a new terminal and SSH in as the phantom user:

ssh phantom@<ip_address>

  • From the local (Ubuntu) terminal, copy the tarball to the phantom user's home directory:

scp ./splunk_soar-unpriv-<version>.tar phantom@<ip_address>:~/

  • In the phantom session, extract it:

tar -xvf ./splunk_soar-unpriv-<version>.tar

  • Change into the splunk-soar directory and run the installer, pointing it at the same home directory you gave soar-prepare-system:

sudo ./soar-install --splunk-soar-home <home_directory>

After these steps Splunk SOAR is installed, and the UI is reachable by entering https://<ip_address> in a browser.
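The copy-and-extract steps above, collected into one script as an added example (this is not part of the original guide and not Splunk's installer). It refuses to copy the tarball unless its SHA-256 matches the value you read from the download page, and checks that the archive really contains a top-level splunk-soar directory before sending it. The host address, remote user and checksum are placeholders you supply; the example tarball name is assumed.

```shell
#!/bin/sh
# Added example, not from the original guide: verify the Splunk SOAR unprivileged
# tarball before staging it on the CentOS host. Values passed on the command line
# (tarball path, expected SHA-256, host, user) are assumptions the operator supplies.
set -u

# verify_sha256 FILE EXPECTED_HEX -> exit 0 if FILE's SHA-256 equals EXPECTED_HEX.
verify_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# archive_has_dir FILE DIR -> exit 0 if the archive lists a top-level DIR/ entry.
# tar auto-detects gzip when reading, so .tar and .tgz both work here.
archive_has_dir() {
    tar -tf "$1" 2>/dev/null | grep -q "^$2/"
}

# stage_tarball TARBALL EXPECTED_SHA256 HOST [USER]
# Copies the archive to USER@HOST:~/ and extracts it there, but only after
# both local checks pass. Returns non-zero without copying on any failure.
stage_tarball() {
    tarball="$1"; expected="$2"; host="$3"; user="${4:-root}"
    if ! verify_sha256 "$tarball" "$expected"; then
        echo "checksum mismatch: refusing to copy $tarball" >&2
        return 1
    fi
    if ! archive_has_dir "$tarball" splunk-soar; then
        echo "archive does not contain a splunk-soar/ directory" >&2
        return 1
    fi
    scp "$tarball" "$user@$host:~/" || return 1
    ssh "$user@$host" "tar -xvf ~/$(basename "$tarball") && ls -d ~/splunk-soar"
}

# Run only when invoked with arguments, e.g. (assumed values):
#   sh stage_soar.sh ./splunk_soar-unpriv-5.4.0.101028.tar <sha256> 192.168.0.151 phantom
if [ "$#" -ge 3 ]; then
    stage_tarball "$@"
fi
```

Run it once with root as the user for the soar-prepare-system step and again with phantom for the install step, so the same checked archive lands in both home directories. The SHA-256 should be taken from the download page, not from the file you already fetched.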

Change the Password of the Splunk SOAR User

The system has a default operating-system user called phantom. Set a new password for this account; it is the account used to build and install apps when developing.

To do this:

  1. Log in to the Splunk SOAR server over SSH and run sudo passwd phantom.
  2. Type the new password and press Enter.
  3. Reboot the Splunk SOAR server, run ifconfig to get its IP address, and open https://<ip_address> in your local browser. Click Advanced and proceed past the certificate warning to reach the login page.
  4. Log in for the first time with the default credentials: username admin, password password.
  5. Change the admin password immediately after that first login; it is a well-known default. Note that sudo passwd phantom changes the operating-system account only, not the admin account used in the web UI.

And there you have it - if you were able to follow these steps correctly, your copy of Splunk SOAR should have been successfully deployed with your new user credentials set up and ready to proceed.

If you or your team have any issues with the processes outlined above, don't hesitate to reach out - we'd be more than happy to clarify any steps or discuss troubleshooting where needed.

About Metron:

Metron is a trusted provider of on-demand and effective approaches to managing third-party integrations for security ecosystems. With extensive experience in delivering automation solutions for over 200 security applications, including Splunk SOAR, Metron has earned the trust of numerous fast-growing security companies and managed security service providers (MSSPs).

Metron’s transparent development processes, deep understanding of security products, and fixed-cost model have resulted in shorter development times and significant cost savings for clients compared to deploying internal engineering teams for similar tasks. Metron is headquartered in Novato, CA, with development offices in Bangalore and Pune, India.

Connect with Metron at
connect@metronlabs.com.