Splunk SOAR (formerly Phantom) is Splunk’s latest offering for security orchestration, automation, and response. This guide explains how to get started with installing Splunk SOAR for your security ecosystem.

Getting Started

There are two ways to install Splunk SOAR (Phantom):

  1. Using an OVA file.
  2. Using an unprivileged tarball file.

Prerequisites

  1. Oracle VirtualBox (VM)
  2. Linux OS (preferably Ubuntu)

Install Splunk Phantom With OVA file

  1. Assuming you have VirtualBox installed, double-click the OVA file to import it into VirtualBox.
  2. Without changing any settings, launch the virtual machine.
  3. Upon boot, log in with username phantom and password password, then use the setup screens to set a root and an admin user password. For version 4.10 and above, the root user cannot be logged into; to get the IP address, log in as phantom with password password and run ifconfig.
  4. Use the Configure Networking option and use DHCP to set up the network.
  5. Go to the system shell and type ifconfig to get the assigned IP address (e.g. 192.168.0.151).
  6. In a browser on your host machine, open https://<ip address> to see the Splunk Phantom login screen. The username is admin and the password is password. Upon first login, you will have to change the password.

Install Splunk Phantom With Unprivileged Tarball File

Creating the CentOS machine

  • Download the CentOS-7-x86_64-Minimal-2009.iso file from the CentOS website.
  • Create a Virtual Machine using VirtualBox with the following configuration:
      ◦ 8 GB RAM
      ◦ 300 GB dynamic VDI
      ◦ 2 CPUs
      ◦ Select NatNetwork in Adapter 1 and BridgedAdapter in Adapter
  • Go to Settings -> Storage -> select Empty -> Choose a disk file, select the downloaded ISO and start the machine.
  • Select INSTALLATION SOURCE and INSTALLATION DESTINATION and click the Begin Installation button.
  • Click ROOT PASSWORD and USER CREATION, create the user and password, then click Finish configuration and reboot the system.
  • In the VM, enter the username and password when the console asks you to log in.

After following the above steps, CentOS 7 will be installed on the machine.

Installing Splunk Phantom on the CentOS machine

  • Download the Unprivileged Splunk SOAR 5.4.0.101028 file from https://my.phantom.us/downloads/ (use the credentials stored in the buttercup to log in to the website).
  • SSH into the CentOS machine from any Ubuntu machine with the following command:

        ssh root@<IP_Address>

  • Once logged in over SSH, execute the following commands:

        sudo yum clean all
        sudo yum update

  • From your local machine, copy the downloaded TAR file to the CentOS machine with the following command (the trailing :~/ tells scp to write into the remote home directory; without the colon, scp just creates a local file with that name):

        scp ./splunk_soar-unpriv-<version>.tar root@<ip_address>:~/

  • Extract the TAR file by running the following command (this creates a splunk-soar directory):

        tar -xzvf ./splunk_soar-unpriv-<version>.tar

  • Navigate to the splunk-soar directory with cd. Inside this directory there is a pre-install script named soar-prepare-system. To prepare the system for the unprivileged installation, run the script with the following command (this script creates a ‘phantom’ user on the machine):

        sudo ./soar-prepare-system --splunk-soar-home <home_directory>

  • Open a new terminal and SSH in as the phantom user:

        ssh phantom@<ip_address>

  • From your local terminal, copy the TAR file into the phantom user’s home directory:

        scp ./splunk_soar-unpriv-<version>.tar phantom@<ip_address>:~/

  • In the phantom terminal, extract the file:

        tar -xzvf ./splunk_soar-unpriv-<version>.tar

  • Go to the splunk-soar directory and run the installation script with the following command:

        sudo ./soar-install --splunk-soar-home <home_directory>

After these steps, Splunk Phantom is installed on the machine and the Phantom UI can be reached by entering the machine’s IP address (https://<ip_address>) in any browser.
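A preflight script for the unprivileged install above, added here as an example (it is not Splunk’s tooling and not part of this guide): it checks the VM sizing the guide prescribes, that the tarball is named as the guide expects, and that soar-prepare-system has created the phantom user before soar-install is run. The install home path and tarball path are arguments you supply; the 7 GiB memory threshold is an assumption explained in the comments.

```shell
#!/bin/sh
# Preflight for the unprivileged Splunk SOAR install above (added example, not Splunk's
# tooling). Checks the VM sizing this guide prescribes, that the tarball name matches
# splunk_soar-unpriv-<version>.tar, and that soar-prepare-system created the phantom user.
# Usage on the CentOS host: sh preflight.sh <home_directory> <path-to-tarball>

# Pure helpers with no system calls, so they can be exercised with constructed values.
at_least() { [ "$1" -ge "$2" ]; }                    # true when $1 >= $2
mem_gib_from_kb() { echo $(( $1 / 1024 / 1024 )); }  # MemTotal in kB -> whole GiB
is_soar_tarball() {                                  # file name pattern used in this guide
  case "$1" in splunk_soar-unpriv-*.tar) return 0 ;; *) return 1 ;; esac
}
# The guide copies with scp to user@host:~/ ; without the ':' scp writes a local file.
is_remote_scp_target() { case "$1" in *@*:*) return 0 ;; *) return 1 ;; esac; }

# Live checks. An "8 GB" VM reports a little under 8 GiB in /proc/meminfo because the
# kernel reserves memory at boot, so the memory threshold is 7 GiB rather than 8 (assumed).
preflight() {
  home="$1"; tarball="$2"; rc=0
  mem=$(mem_gib_from_kb "$(awk '/^MemTotal/ {print $2}' /proc/meminfo)")
  if at_least "$mem" 7; then echo "PASS memory: ${mem} GiB"
  else echo "FAIL memory: ${mem} GiB (guide: 8 GB)"; rc=1; fi
  cpus=$(nproc)
  if at_least "$cpus" 2; then echo "PASS cpus: $cpus"
  else echo "FAIL cpus: $cpus (guide: 2)"; rc=1; fi
  # Free space on the filesystem that will hold the install home (df -Pk: column 4 = kB).
  parent=$(dirname "$home")
  while [ ! -d "$parent" ] && [ "$parent" != / ]; do parent=$(dirname "$parent"); done
  disk=$(df -Pk "$parent" | awk 'NR==2 {print int($4/1024/1024)}')
  echo "INFO free disk under $parent: ${disk} GiB (guide provisions a 300 GB VDI)"
  if id phantom >/dev/null 2>&1; then echo "PASS user phantom exists"
  else echo "FAIL user phantom missing: run sudo ./soar-prepare-system first"; rc=1; fi
  if [ -f "$tarball" ] && is_soar_tarball "$(basename "$tarball")"; then echo "PASS tarball: $tarball"
  else echo "FAIL tarball: '$tarball' is missing or not named splunk_soar-unpriv-<version>.tar"; rc=1; fi
  return $rc
}

[ $# -lt 2 ] || preflight "$@"
```

Run it as the phantom user after soar-prepare-system and before soar-install; a non-zero exit means at least one FAIL line was printed.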

Change password of phantom user

The system has a default user called phantom. Set a new password for this user; it will be used to build and install the application when developing.

To do this:

  1. Log in to the Splunk Phantom server via the command line and run sudo passwd phantom.
  2. Type in your new password and hit enter.
  3. Reboot the Phantom server and type ifconfig to get the IP address. Open the URL in your local browser, click ‘Advanced’ on the browser’s certificate warning and proceed to the Phantom login page.
  4. Use the default credentials to log in for the first time: username admin and password password.
  5. The credentials can be changed later according to user preference.