Splunk® Phantom (Legacy)

Install and Upgrade Splunk Phantom



Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Splunk Phantom upgrade overview and prerequisites

Splunk Phantom requires incremental upgrades from earlier versions. This means that you need to upgrade from the latest version of 4.8.x to the latest version of 4.9.x, and then to the final Splunk Phantom version, 4.10.7. From release 4.10.7, it is possible to upgrade by skipping directly to later releases.

  • Privileged deployments upgrade directly to Splunk SOAR (On-premises) release 5.3.6, convert your privileged deployment to unprivileged, then finally upgrade to Splunk SOAR (On-premises) release 6.1.1.
  • Unprivileged deployments can upgrade directly to Splunk SOAR (On-premises) release 6.1.1.

The current upgrade path can go as follows:

  • 4.6.latest version -> 4.8.any version
  • 4.8.latest version -> 4.9.any version
  • 4.9.latest version -> 4.10.any version
  • 4.10.any version -> 4.10.any later version. You cannot go backwards.
  • 4.10.7
    • Privileged deployments upgrade directly to Splunk SOAR (On-premises) release 5.3.6, convert to unprivileged, then immediately upgrade to Splunk SOAR (On-premises) release 6.1.1.
    • Unprivileged deployments upgrade directly to Splunk SOAR (On-premises) release 6.1.1.


See the following table for latest build numbers.

Starting Splunk Phantom release | Build number | Upgrade to version | Build number
Splunk Phantom 4.6 | 4.6.19142 | Splunk Phantom 4.8 patch 1 | 4.8.24304
Splunk Phantom 4.8 patch 1 | 4.8.24304 | Splunk Phantom 4.9 Release 5 | 4.9.39220
Splunk Phantom 4.9 Release 5 | 4.9.39220 | Splunk Phantom 4.10.7 | 4.10.7.63984
Splunk Phantom 4.10.7 | 4.10.7.63984 | Privileged: Splunk SOAR (On-premises) 5.3.6 | 5.3.6.136158
Splunk Phantom 4.10.7 | 4.10.7.63984 | Unprivileged: Splunk SOAR (On-premises) 6.1.1 | 6.1.1.211


Upgrade checklist

Follow these steps to prepare for and then perform an upgrade of Splunk Phantom.

Stage | Tasks | Description
1 | Make a full backup of your Splunk Phantom deployment | Make a full backup of your Splunk Phantom deployment before upgrading. See Backup or restore your Splunk Phantom instance in Administer Splunk Phantom. For single instance deployments running as a virtual machine, you can create a snapshot of the virtual machine instead.
2 | Do the prerequisites | See Prerequisites for upgrading Splunk Phantom. (1) Obtain logins. (2) Make sure the Splunk Phantom instance or cluster nodes have enough available space. (3) If needed, add a local yum repository or create a satellite server for yum updates.
3 | Prepare your Splunk Phantom deployment for upgrade | See Prepare your Splunk Phantom deployment for upgrade. (1) Update the operating system and installed software packages. (2) Install the Splunk Phantom repositories and signing keys.
4 | Upgrade Splunk Phantom | See Upgrade Splunk Phantom.
5 | Conditional: Rerun the setup command for ibackup. | See Prepare Splunk Phantom for a backup in Back up a Splunk Phantom deployment in Administer Splunk Phantom.

After all the preparation stages are complete, you can upgrade your Splunk Phantom instance or cluster. For clustered deployments, after the preparation stages are complete, upgrading your Splunk Phantom cluster is done in a rolling fashion, one node at a time.

Prerequisites for upgrading Splunk Phantom

You need the following information before beginning your upgrade:

  • Logins
    • For privileged deployments, user accounts on the operating system for your Splunk Phantom instance or cluster nodes with sudo or root access on those systems.
    • For unprivileged deployments, you also need the login credentials for the user account that runs Splunk Phantom. For new AMI or OVA versions of Splunk Phantom 4.10, the user account is phantom.
    • Your Splunk Phantom Community portal login.
  • If your Splunk Phantom deployment has restricted internet access, you will need a local yum repository or a satellite server from which to get yum packages.
  • A minimum of 5GB of space available in the /tmp directory on the Splunk Phantom instance or cluster node.

For deployments with restricted internet access, add local yum repositories for upgrade

If your Splunk Phantom deployment has no access or restricted access to the internet, you must either create a satellite server or local YUM repository for operating system packages and other dependencies. See the Red Hat Knowledgebase article How can we regularly update a disconnected system (A system without internet connection)?

The required upgrade repositories are:

OS version | CentOS | RHEL
7 | [base], [updates] | [rhel-7-server-rpms], [rhel-server-rhscl-7-rpms], [rhel-7-server-optional-rpms]

Prepare your Splunk Phantom deployment for upgrade

Before you upgrade Splunk Phantom, you will need to prepare your instance or your cluster nodes by updating the operating system, installed packages, and adding the Splunk Phantom repositories and their signing keys.

Migrate a privileged deployment to an unprivileged deployment

In Splunk Phantom 4.10 and for future releases, the AMI and OVA versions of Splunk Phantom are unprivileged. New AMI and OVA installations run Splunk Phantom as the user account phantom rather than as root.

If you intend to migrate an existing deployment from privileged to unprivileged as part of your upgrade from Splunk Phantom 4.9 to Splunk Phantom 4.10, use the Official Unprivileged Tarball to complete your upgrade and conversion. See Upgrade a single unprivileged Splunk Phantom instance or Upgrade an unprivileged Splunk Phantom Cluster.

Update the operating system and installed packages

Follow these steps to update the operating system and otherwise prepare your deployment for the upgrade.

For a clustered deployment of Splunk Phantom, prepare cluster nodes in a rolling fashion, one cluster node at a time.

  1. Log in to the Splunk Phantom instance's operating system:
    1. For privileged deployments, log in as the root user or a user with sudo privileges.
    2. For unprivileged deployments, log in as the user account that runs Splunk Phantom.
  2. If you use a warm standby or use ibackup.pyc for backups, you must disable those features before proceeding. If you are not using either of those features, you may skip these sub-steps.
    1. On a single instance deployment of Splunk Phantom, disable warm standby. See Upgrade or maintain warm standby instances in Administer Splunk Phantom.
    2. If you are using automation to run ibackup.pyc to make backups, cancel backups that could run during your upgrade window. For example, if you have configured a cron job to run ibackup.pyc, disable that cron job.
    3. Disable WAL archiving for the PostgreSQL database. Set the archive_mode to "off" in the file /opt/phantom/data/db/postgresql.phantom.conf. If your PostgreSQL database is on its own server, you need to disable WAL archiving on that system, not the Splunk Phantom instance.
      sed -i -e 's/archive_mode = on/archive_mode = off/i' /<$PHANTOM_HOME>/data/db/postgresql.phantom.conf
    4. Restart PostgreSQL to make the configuration change take effect.
      /<$PHANTOM_HOME>/bin/phsvc restart postgresql-11
  3. Stop all Splunk Phantom services. For example, as the root user:
    /<$PHANTOM_HOME>/bin/stop_phantom.sh
  4. Clear the YUM caches. As the root user:
    yum clean all
  5. Update the installed software packages, excluding Nginx, and apply operating system patches. As the root user:
    yum update --exclude=nginx --disablerepo=phantom*
    Systems which cannot access YUM repositories over the internet need a satellite server. See For deployments with restricted internet access, add local yum repositories for upgrade.

    If you are using the EPEL repository, some packages may be upgraded to a version higher than the one Splunk Phantom supports. In this case, use the Official Offline RPMs instead of YUM to get the required versions of package dependencies for Splunk Phantom. See For Splunk Phantom deployments without internet access or unprivileged deployments for instructions.

  6. If a kernel update was included in your operating system updates, restart the operating system. As the root user:
    reboot
    If you did not need to restart the operating system, restart Splunk Phantom. As the root user:
    /<$PHANTOM_HOME>/bin/start_phantom.sh
  7. If a system restart was required, after the system restarts, log in to the operating system as either the root user or a user with sudo privileges.
  8. The install script requires the ability to create jobs in cron. See System requirements for production use. Check that the cron daemon is running.
    ps -ef | grep crond
    1. If the cron daemon is not running, start it.
      systemctl start crond.service
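
A pre-upgrade check for the preparation steps above, added here as an example (it is not Splunk's code): it verifies the 5GB /tmp prerequisite, that crond is running, and that WAL archiving is really off after the sed edit, which only matches the exact spelling "archive_mode = on". The function names, the --run switch, the /opt/phantom default for PHANTOM_HOME, and reading 5GB as 5 GiB are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Splunk code. Checks made before starting the upgrade.

# Print the effective archive_mode in a PostgreSQL conf file. PostgreSQL takes
# "name = value" or "name value", any case, optional quotes, and the LAST
# uncommented setting wins, so a fixed-spacing sed edit can leave it enabled.
effective_archive_mode() {
  awk -v q="'" '
    { line = $0; sub(/#.*/, "", line) }
    tolower(line) ~ /^[ \t]*archive_mode([ \t]*=|[ \t])/ {
      v = tolower(line)
      sub(/^[ \t]*archive_mode[ \t]*=?[ \t]*/, "", v)
      gsub("[" q "\" \t\r]", "", v)      # drop quotes and whitespace
      mode = v
    }
    END { print (mode == "" ? "off" : mode) }   # PostgreSQL default: off
  ' "$1"
}

wal_archiving_off() { [ "$(effective_archive_mode "$1")" = "off" ]; }

# Succeed if DIR has at least MIN_KB free (default: 5 GiB, assumed for "5GB").
has_free_space() {
  local dir="$1" min_kb="${2:-$((5 * 1024 * 1024))}" avail
  avail=$(df -Pk "$dir" | awk 'NR == 2 { print $4 }')
  [ "${avail:-0}" -ge "$min_kb" ]
}

# pgrep -x matches the exact process name, so unlike "ps -ef | grep crond"
# it never reports its own search process as a hit.
crond_running() { pgrep -x crond >/dev/null 2>&1; }

preflight() {
  local conf="${PHANTOM_HOME:-/opt/phantom}/data/db/postgresql.phantom.conf" rc=0
  has_free_space /tmp || { echo "FAIL: /tmp has less than 5 GB free"; rc=1; }
  crond_running       || { echo "FAIL: crond is not running"; rc=1; }
  if [ -r "$conf" ]; then
    wal_archiving_off "$conf" ||
      { echo "FAIL: archive_mode is $(effective_archive_mode "$conf")"; rc=1; }
  else
    echo "SKIP: $conf not readable (PostgreSQL on its own server?)"
  fi
  return "$rc"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with --run on each instance or cluster node after disabling WAL archiving and before stopping Splunk Phantom services; a non-zero exit status means at least one check failed.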

Install the Splunk Phantom repositories and signing keys

Upgrade Splunk Phantom

It is now possible to upgrade directly to later releases of Splunk SOAR (On-premises) from Splunk Phantom 4.10.7.

Privileged deployments upgrade directly to Splunk SOAR (On-premises) release 5.3.6, convert to unprivileged, then immediately upgrade to Splunk SOAR (On-premises) release 6.1.1.

Unprivileged deployments upgrade directly to Splunk SOAR (On-premises) release 6.1.1.

See Splunk Phantom upgrade overview and prerequisites for more information.

When you are ready to upgrade Splunk Phantom, follow one of these sets of instructions, based on the type of your Splunk Phantom deployment.

Last modified on 26 September, 2023

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10.7

