Splunk® Automation Broker

Set Up and Manage the Splunk SOAR Automation Broker


Install Splunk Automation Broker when you cannot use DockerHub

Use the Splunk SOAR Automation Broker to run actions from Splunk SOAR (Cloud) in your on-premises environment. Use the Splunk SOAR Automation Broker to connect assets in a complex network to a Splunk SOAR (On-premises) instance.

To view a diagram of how the Splunk SOAR Automation Broker works, see About the Splunk SOAR Automation Broker.

Get the Splunk SOAR Automation Broker manually

If your container host cannot connect to Docker Hub because of access limitations or policy reasons, you need to get the Splunk SOAR Automation Broker image manually.

Use one of the following methods to get the Splunk SOAR Automation Broker image:

Download the Splunk SOAR Automation Broker from the Splunk SOAR Free Trial Page

Download the Splunk SOAR Automation container image from the Splunk SOAR Free Trial page.

  1. Login and get the Splunk SOAR Automation Broker container image from the Splunk SOAR Free Trial page.
  2. Copy the image file to your Docker or Podman host.

Use another system to download the Splunk SOAR Automation Broker

If you cannot access the Splunk SOAR Free Trial page, do these steps:

  1. On a system that can reach Docker Hub, find the latest Splunk SOAR Automation Broker image on Docker Hub. The examples that follow use <version> to stand in for the broker image version.
  2. Load the Docker image into the local Docker or Podman repository by pulling it from Docker Hub.
    For Docker:
    docker pull phantomsaas/automation_broker:<version>
    For Podman:
    podman pull phantomsaas/automation_broker:<version>
    Output that includes the following two lines indicates that the image was downloaded successfully:
    Status: Downloaded newer image for phantomsaas/automation_broker:<version>
    docker.io/phantomsaas/automation_broker:<version>
    
  3. Save the image using the Docker or Podman save command. Search for 'docker save' on Docker Docs or 'podman save' on Podman Docs for more information.
    For Docker:
    docker save -o <path/to/file>/<filename-version>.tar phantomsaas/automation_broker:<version>
    For Podman:
    podman save -o <path/to/file>/<filename-version>.tar phantomsaas/automation_broker:<version>
  4. Copy the image file to your Docker or Podman host.

Install the Splunk SOAR Automation Broker image without docker or podman compose

Once you have copied the Splunk SOAR Automation Broker image to your Docker or Podman host, follow the steps for your containerization solution.

Manually install on a Docker host

Follow these steps to install the Splunk SOAR Automation Broker on your Docker host without using docker compose.

  1. On the Docker host where you intend to run the Splunk SOAR Automation Broker, load the docker image you just copied into the local Docker repository using the docker load command. Search for 'docker load' on Docker Docs for more information.
    docker load -i <path/to/file>/<filename-version>.tar
  2. Create a directory on the container host filesystem, and set the directory's permissions. The Splunk Automation Broker will use this directory to store persistent data, such as logs and authentication tokens.
    1. Create the directory
      mkdir <data_directory>
      The rest of these instructions call this directory /splunk_data.
    2. Set the /splunk_data directory's owner and permissions. The directory must be owned by the containerization user.
      chown 1000:1000 <path/to/your/data_directory>/splunk_data
      chmod 770 <path/to/your/data_directory>/splunk_data
      

      You are responsible for setting the appropriate filesystem permissions on this directory to prevent unauthorized access.

  3. As a user with docker permissions, run the Docker command to start the Splunk SOAR Automation Broker in detached mode. Make sure to specify your data directory for persistent data. Environment variables can be added to the command with the --env flag.
    docker run --env PHANTOM_BASE_URL=<PHANTOM_BASE_URL> -v <path/to/your/data_directory>/splunk_data:/splunk_data -d phantomsaas/automation_broker:<version>

    The output is the container ID. You need the container ID later.

    • (Conditional) If you need to use a proxy server for outgoing HTTPS traffic, you must add the proxy as an environment variable in the docker run command.
      --env https_proxy=<PROXY IP ADDRESS>:<PROXY PORT>
    • (Conditional) If you need to use a proxy server for outgoing HTTP traffic, you must add the proxy as an environment variable in the docker run command.
      --env http_proxy=<PROXY IP ADDRESS>:<PROXY PORT>

    Both the https_proxy and http_proxy environment variable names are case sensitive. They must be typed as lowercase letters.

  4. As a user with docker permissions, use the docker logs command to see the startup output of the Splunk SOAR Automation Broker, including its encryption key.
    docker logs <container ID>
  5. Copy the key and provide it to the Splunk SOAR administrator.
    ********************************************
    Automation Broker Encryption Key:
    ENCRYPTIONKEYISVISIBLEHERE
    ********************************************
    
  6. The log output also contains a Splunk SOAR Authorization Code. Copy the code and provide it to the Splunk SOAR administrator.
    ****************************************************************************************
    Splunk SOAR Authorization Code:
         AUTOGENERATEDCODEISVISIBLEHERE
    Please provide this code to your Splunk SOAR administrator to continue setup.
    ****************************************************************************************
    

    The authorization code expires after 15 minutes.

  7. (Conditional) If your authorization code expires before you can use it to authorize your Splunk Automation Broker, do the following steps as a user with docker permissions:
    1. Get the name of your running automation broker by listing running docker containers.
      docker ps
    2. Stop the Splunk Automation Broker container.
      docker stop <container_name>
    3. Launch a new container. Include any environment variables as needed.
      docker run --env PHANTOM_BASE_URL=<PHANTOM_BASE_URL> -v <path/to/your/data_directory>/splunk_data:/splunk_data -d phantomsaas/automation_broker:<version>

Manually install on a Podman host

Follow these steps to install the Splunk SOAR Automation Broker on your Podman host without using podman compose.

  1. On the Podman host where you intend to run the Splunk SOAR Automation Broker, load the image you just copied into the local Podman repository using the podman load command. Search for 'podman load' on Podman Docs for more information.
    podman load -i <path/to/file>/<filename-version>.tar
  2. Create a directory on the container host filesystem, and set the directory's permissions. The Splunk Automation Broker will use this directory to store persistent data, such as logs and authentication tokens.
    1. Create the directory
      mkdir <data_directory>
      The rest of these instructions call this directory /splunk_data.
    2. Set the /splunk_data directory's owner and permissions. The directory must be owned by the containerization user.
      chown 1000:1000 <path/to/your/data_directory>/splunk_data
      chmod 770 <path/to/your/data_directory>/splunk_data
      

      You are responsible for setting the appropriate filesystem permissions on this directory to prevent unauthorized access.

  3. As a user with podman permissions, run the Podman command to start the Splunk SOAR Automation Broker in detached mode. Make sure to specify your data directory for persistent data. Environment variables can be added to the command with the --env flag.
    podman run --env PHANTOM_BASE_URL=<PHANTOM_BASE_URL> -v <path/to/your/data_directory>/splunk_data:/splunk_data -d phantomsaas/automation_broker:<version>

    The output is the container ID. You need the container ID later.

    • (Conditional) If you need to use a proxy server for outgoing HTTPS traffic, you must add the proxy as an environment variable in the podman run command.
      --env https_proxy=<PROXY IP ADDRESS>:<PROXY PORT>
    • (Conditional) If you need to use a proxy server for outgoing HTTP traffic, you must add the proxy as an environment variable in the podman run command.
      --env http_proxy=<PROXY IP ADDRESS>:<PROXY PORT>

    Both the https_proxy and http_proxy environment variable names are case sensitive. They must be typed as lowercase letters.

  4. As a user with podman permissions, use the podman logs command to see the startup output of the Splunk SOAR Automation Broker, including its encryption key.
    podman logs <container ID>
  5. Copy the key and provide it to the Splunk SOAR administrator.
    ********************************************
    Automation Broker Encryption Key:
    ENCRYPTIONKEYISVISIBLEHERE
    ********************************************
    
  6. The log output also contains a Splunk SOAR Authorization Code. Copy the code and provide it to the Splunk SOAR administrator.
    ****************************************************************************************
    Splunk SOAR Authorization Code:
         AUTOGENERATEDCODEISVISIBLEHERE
    Please provide this code to your Splunk SOAR administrator to continue setup.
    ****************************************************************************************
    

    The authorization code expires after 15 minutes.

  7. (Conditional) If your authorization code expires before you can use it to authorize your Splunk Automation Broker, do the following steps as a user with podman permissions:
    1. Get the name of your running automation broker by listing running podman containers.
      podman ps
    2. Stop the Splunk Automation Broker container.
      podman stop <container_name>
    3. Launch a new container. Include any environment variables as needed.
      podman run --env PHANTOM_BASE_URL=<PHANTOM_BASE_URL> -v <path/to/your/data_directory>/splunk_data:/splunk_data -d phantomsaas/automation_broker:<version>
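The following helper script is an added example for both the Docker and the Podman procedures above; it is not part of Splunk's documentation or of the Automation Broker itself. It assumes a Linux host with GNU coreutils (for stat -c), takes the runtime name (docker or podman) as an argument, reuses this topic's <PHANTOM_BASE_URL> and <version> placeholders, and mounts the host data directory at /splunk_data inside the container (the directory name this topic uses). The sample log text at the end is constructed from the banners shown in steps 5 and 6.

```shell
#!/bin/sh
# Added example, not Splunk's code. Helpers for the manual Docker/Podman install
# procedure in this topic. Assumptions: Linux host with GNU coreutils (stat -c);
# the runtime name (docker or podman) is passed as an argument; the host data
# directory is mounted at /splunk_data inside the container (the directory name
# this topic uses); the image tag uses the topic's <version> placeholder.
set -eu

# Image ID of a loaded image. Run it on the system that pulled the image and
# again on the host after "load"; the two values must match, which confirms the
# tar file was not altered or truncated in transit. Arguments: runtime, version.
image_id() {
  "$1" image inspect --format '{{.Id}}' "phantomsaas/automation_broker:$2"
}

# Verify the persistent data directory from step 2: it must exist, be owned by
# 1000:1000 and have mode 770. Reports every mismatch and returns 1 on failure.
check_data_dir() {
  dir="$1"
  rc=0
  if [ ! -d "$dir" ]; then
    echo "data directory $dir does not exist" >&2
    return 1
  fi
  owner=$(stat -c '%u:%g' "$dir")
  mode=$(stat -c '%a' "$dir")
  if [ "$owner" != "1000:1000" ]; then
    echo "$dir is owned by $owner, expected 1000:1000 (run: chown 1000:1000 $dir)" >&2
    rc=1
  fi
  if [ "$mode" != "770" ]; then
    echo "$dir has mode $mode, expected 770 (run: chmod 770 $dir)" >&2
    rc=1
  fi
  return "$rc"
}

# Assemble the detached run command from step 3. Proxies are read from the
# lowercase https_proxy / http_proxy variables when set (the names are case
# sensitive). Arguments: runtime, PHANTOM_BASE_URL, host data directory, version.
build_run_cmd() {
  cmd="$1 run --env PHANTOM_BASE_URL=$2"
  if [ -n "${https_proxy:-}" ]; then cmd="$cmd --env https_proxy=$https_proxy"; fi
  if [ -n "${http_proxy:-}" ]; then cmd="$cmd --env http_proxy=$http_proxy"; fi
  cmd="$cmd -v $3:/splunk_data -d phantomsaas/automation_broker:$4"
  printf '%s\n' "$cmd"
}

# Print the first non-blank line after a banner label in the startup log read
# from stdin, with surrounding whitespace removed.
extract_after_label() {
  awk -v label="$1" '
    found && NF { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, ""); print; exit }
    index($0, label) > 0 { found = 1 }
  '
}

# The two values steps 5 and 6 ask you to hand to the SOAR administrator.
broker_encryption_key() { extract_after_label "Automation Broker Encryption Key:"; }
broker_auth_code()      { extract_after_label "Splunk SOAR Authorization Code:"; }

# Step 7: stop the broker and start a fresh one to get a new authorization code
# (the old one expires after 15 minutes). Arguments: runtime, container ID or
# name, then PHANTOM_BASE_URL, host data directory and version.
restart_for_new_code() {
  runtime="$1"
  cid="$2"
  shift 2
  "$runtime" stop "$cid" >/dev/null
  eval "$(build_run_cmd "$runtime" "$@")"
}

# Constructed sample of the startup banners shown in this topic, for offline use.
SAMPLE_LOG='********************************************
Automation Broker Encryption Key:
ENCRYPTIONKEYISVISIBLEHERE
********************************************
****************************************************************************************
Splunk SOAR Authorization Code:
     AUTOGENERATEDCODEISVISIBLEHERE
Please provide this code to your Splunk SOAR administrator to continue setup.
****************************************************************************************'
```

Source the file, run check_data_dir on the directory you prepared in step 2, then start the broker with eval "$(build_run_cmd docker <PHANTOM_BASE_URL> <path/to/your/data_directory>/splunk_data <version>)" (or podman in place of docker). Pipe the output of docker logs <container ID> or podman logs <container ID> through broker_encryption_key and broker_auth_code to pull the two values out of the banners. Comparing image_id on the pulling system with image_id on the host after the load is a cheap integrity check on the tar file you copied between hosts; the image ID is derived from the image configuration, so it survives save and load unchanged.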

Last modified on 23 April, 2024

This documentation applies to the following versions of Splunk® Automation Broker: current