Splunk® Automation Broker

Set Up and Manage the Splunk SOAR Automation Broker

Install Splunk Automation Broker on a Podman host

Use the Splunk SOAR Automation Broker to run actions from Splunk SOAR (Cloud) in your on-premises environment. Use the Splunk SOAR Automation Broker to connect assets in a complex network to a Splunk SOAR (On-premises) instance.

To view a diagram of how the Splunk SOAR Automation Broker works, see About the Splunk SOAR Automation Broker.

Install and set up the Splunk SOAR Automation Broker

Perform these steps in combination with the Splunk SOAR (Cloud) or Splunk SOAR (On-premises) administrator if you are not the Splunk SOAR administrator.

  1. Install the Splunk SOAR Automation Broker container.
  2. Register the Splunk SOAR Automation Broker with Splunk SOAR (Cloud) or Splunk SOAR (On-premises).
  3. Verify that setup and registration are complete.
  4. Start the Splunk SOAR Automation Broker and verify that the connection is active.

If you get an error such as mkdir: cannot create directory '/splunk_data/broker': Permission denied, verify that the logged-in user has permission to write to the mounted directory on the host machine. See the manual page for the chmod *nix utility (man chmod) for more information about changing directory permissions.

Install the Splunk SOAR Automation Broker container

Before you can install the Splunk SOAR Automation Broker container on your host, you must install and configure Podman and Podman Compose. See Prepare to install the Splunk SOAR Automation Broker in this manual.

Install your containerization solution on a separate virtual machine or on separate physical hardware from your Splunk SOAR (On-premises) deployment.

If your Podman host cannot use Docker Hub to retrieve container images, follow the instructions in the topic Install Splunk Automation Broker when you cannot use DockerHub in this manual.

Once Podman and Podman Compose have been installed on your Podman host, install the Splunk SOAR Automation Broker container.

  1. Create the YAML configuration file that tells Podman which image to pull. Save it as 'docker-compose.yml'.
    version: "3"
    services:
        automation_broker:
            # Podman does not support the auto-update feature, so pin the image to a
            # specific release and change the tag manually on future SOAR releases.
            image: docker.io/phantomsaas/automation_broker:6.2.2
            environment:
                # The base URL of your Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance
                - PHANTOM_BASE_URL=https://<soar_hostname>
                # UID and GID of the host account that runs the Automation Broker
                - PUID=1000
                - PGID=1000
                # Optional: proxy settings for the Automation Broker (variable names are case sensitive)
                # - http_proxy=http://<proxy_ip>:<proxy_port>
                # - https_proxy=https://<proxy_ip>:<proxy_port>
    
            # The container's /splunk_data directory must be bind-mounted to a host
            # directory for persistent storage. If the source does not exist, it is created.
            volumes:
                - type: bind
                  source: ./splunk_data
                  target: /splunk_data
                  bind:
                    create_host_path: true
    
            # Watchtower labels only take effect on Docker hosts; Podman ignores them.
            labels:
                com.centurylinklabs.watchtower.enable: "true"
                com.centurylinklabs.watchtower.lifecycle.pre-check: "/splunk/broker/bin/pre-check.sh"
                com.centurylinklabs.watchtower.lifecycle.pre-update: "/splunk/broker/bin/pre-update.sh"
                com.centurylinklabs.watchtower.lifecycle.post-update: "/splunk/broker/bin/post-update.sh"
                com.centurylinklabs.watchtower.lifecycle.post-check: "/splunk/broker/bin/post-check.sh"
    
        # The watchtower service performs the automatic image updates on Docker hosts. It needs
        # the Docker daemon socket, which a Podman host does not have, so it stays commented out here.
        # watchtower:
        #     image: containrrr/watchtower
        #     volumes:
        #         - /var/run/docker.sock:/var/run/docker.sock
        #     environment:
        #         - WATCHTOWER_LIFECYCLE_HOOKS=true
        #         # Only watch containers that carry the
        #         # com.centurylinklabs.watchtower.enable=true label
        #         - WATCHTOWER_LABEL_ENABLE=true
        #     command: --interval 600
    
    1. Specify the path to your data directory in the source entry; leave target as /splunk_data.
    2. Specify the UID and GID of the user account that will run the Automation Broker in the PUID= and PGID= entries.

    For Podman hosts, you must specify the version number to install in the image: line. Docker hosts can take advantage of a redirect to the latest release, but Podman does not currently support that feature.

  2. Copy the docker-compose.yml file to your Podman host.
  3. On your Podman host, create a directory for the Splunk SOAR Automation Broker to store persistent data, such as logs and authentication tokens. The rest of this document calls that directory /splunk_data.
    mkdir <data_directory>
    • This directory must be on the Podman host's file system, not inside the container.
    • You are responsible for setting file system permissions on this directory that prevent unauthorized access. Because it holds the broker's authentication tokens, restrict it to the account that runs the broker.
    • This directory must be accessible to the UID and GID of the account that runs the Automation Broker (the PUID and PGID values in docker-compose.yml).

    If you run multiple Splunk SOAR Automation Brokers, each instance requires its own data directory. Do not share data directories between Automation Brokers.

  4. Edit the docker-compose.yml file to set environment variables as needed. Environment variables are in the environment section. Optional variables are listed as comments using a pound sign ( # ). To use one, remove the pound sign.
    1. Set PHANTOM_BASE_URL to the base URL of your Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance.
    2. Set the source entry of the bind mount to the path of the data directory you created earlier on the Podman host's file system. The short-form equivalent of that mount is:
      - </path/to/splunk_data>:/splunk_data
    3. (Conditional) If you need to use a proxy server for outgoing HTTP traffic, set the http_proxy environment variable.
    4. (Conditional) If you need to use a proxy server for outgoing HTTPS traffic, set the https_proxy environment variable. The scheme in the value (http:// or https://) is how the broker connects to the proxy itself, not the scheme of the traffic being proxied; most forward proxies accept plain http://.
    5. Both the http_proxy and https_proxy environment variable names are case sensitive.

  5. Launch the Splunk SOAR Automation Broker container. Add -d to run it in the background instead of attaching to its output.
    /usr/local/bin/podman-compose -f docker-compose.yml up
  6. As a user with podman permissions, use the podman logs command to see the startup output of the Splunk SOAR Automation Broker, including the encryption key.
    podman logs <container name or container ID>
  7. Copy the key and provide it to the Splunk SOAR (Cloud) or Splunk SOAR (On-premises) administrator.
    ********************************************
    Automation Broker Encryption Key:
    ENCRYPTIONKEYISVISIBLEHERE
    ********************************************
    
  8. The log output also contains a Splunk SOAR Authorization Code. Copy the code and provide it to the Splunk SOAR (Cloud) or Splunk SOAR (On-premises) administrator.
    ****************************************************************************************
    Splunk SOAR Authorization Code:
         AUTOGENERATEDCODEISVISIBLEHERE
    Please provide this code to your Splunk SOAR administrator to continue setup.
    ****************************************************************************************
    

    The authorization code expires after 15 minutes. Both the encryption key and the authorization code remain readable in the container log by anyone who can run podman logs on the host, so provide them to the Splunk SOAR administrator over a secure channel rather than by e-mail or chat.

  9. (Conditional) If your authorization code expires before you can use it to authorize your Splunk SOAR Automation Broker, as a user with podman permissions, do the following steps:
    1. Get the name of your running automation broker by listing running containers.
      podman ps
    2. Stop the Splunk SOAR Automation Broker container.
      podman stop <container name or container ID>
    3. Launch a new container.
      /usr/local/bin/podman-compose -f docker-compose.yml up
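The following script is an added example, not part of the Splunk documentation or of the broker image. It automates steps 3 through 8 above for one broker on a Podman host: it creates the data directory with owner-only permissions (the cause of the mkdir: Permission denied error mentioned at the top of this page is usually a directory the broker's UID cannot write), refuses to start the container if that directory is not private, and then pulls the encryption key and authorization code out of the startup log so they can be handed to the Splunk SOAR administrator. The container-name filter, the 10-second wait and the docker-compose.yml location are assumptions of the example; the log parsing matches only the banner layout shown above.

```shell
#!/bin/sh
# ab-bootstrap.sh: prepare a private data directory for one Automation Broker, start the
# container, and pull the encryption key and authorization code out of its startup log.
# Added example; not part of the Splunk documentation or the broker image.
# Assumptions (not from the page): docker-compose.yml is in the current directory,
# podman-compose is on PATH, and the container name contains "automation_broker"
# (confirm with `podman ps`).
set -eu

# Create the host data directory and restrict it to the broker account: owner-only
# access (0700) keeps the authentication tokens stored there from other local users.
prepare_data_dir() {
    dir=$1; uid=$2; gid=$3
    mkdir -p "$dir"
    chown "$uid:$gid" "$dir"
    chmod 0700 "$dir"
}

# Return 0 only when DIR is mode 0700 and owned by UID. Used as a pre-flight check so
# the broker is never started on top of a readable token store.
# `find DIR -prune` tests the directory itself without descending into it.
data_dir_is_private() {
    dir=$1; uid=$2
    [ -n "$(find "$dir" -prune -perm 0700 -user "$uid" -print 2>/dev/null)" ]
}

# Print the trimmed line that follows LABEL in broker log text read from stdin.
# Both secrets are printed on the line after their heading; the code is indented.
log_value_after() {
    awk -v label="$1" '
        found            { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }
        index($0, label) { found = 1 }
    '
}
extract_encryption_key()     { log_value_after "Automation Broker Encryption Key:"; }
extract_authorization_code() { log_value_after "Splunk SOAR Authorization Code:"; }

# Constructed sample of the startup banner, in the layout the documentation shows.
sample_broker_log() {
    cat <<'EOF'
********************************************
Automation Broker Encryption Key:
ENCRYPTIONKEYISVISIBLEHERE
********************************************
****************************************************************************************
Splunk SOAR Authorization Code:
     AUTOGENERATEDCODEISVISIBLEHERE
Please provide this code to your Splunk SOAR administrator to continue setup.
****************************************************************************************
EOF
}

# End-to-end flow on a real Podman host:
#   sh ab-bootstrap.sh run ./splunk_data 1000 1000
# With no arguments the script only defines the functions above.
if [ "${1:-}" = "run" ]; then
    data_dir=${2:-./splunk_data}; puid=${3:-1000}; pgid=${4:-1000}
    prepare_data_dir "$data_dir" "$puid" "$pgid"
    data_dir_is_private "$data_dir" "$puid" || {
        echo "refusing to start: $data_dir is not 0700 and owned by uid $puid" >&2; exit 1; }
    podman-compose -f docker-compose.yml up -d
    sleep 10   # assumed: enough time for the broker to print its banner
    container=$(podman ps --filter name=automation_broker --format '{{.Names}}' | head -n 1)
    log=$(podman logs "$container" 2>&1)
    echo "Encryption key:     $(printf '%s\n' "$log" | extract_encryption_key)"
    echo "Authorization code: $(printf '%s\n' "$log" | extract_authorization_code)"
    echo "The authorization code expires 15 minutes after the container starts." >&2
fi
```

If you run Podman rootless, the UID inside the container is mapped to a subordinate UID of your account on the host, so run the chown through podman unshare (which executes the command inside your user namespace) instead of directly; the 0700 check then applies to the mapped owner. Run the script as the account that owns the data directory, and do not leave the printed secrets in a shell history or a shared terminal session.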

Register the Splunk SOAR Automation Broker with Splunk SOAR (Cloud) or Splunk SOAR (On-premises)

The Splunk SOAR administrator performs these steps.

  1. Log in to Splunk SOAR (Cloud) or Splunk SOAR (On-premises).
  2. In Splunk SOAR, click Home then Administration, then navigate to Product Settings and select Automation Broker.
  3. Click + Automation Broker.
  4. Paste the encryption key in the Enter encryption key obtained from the Automation Broker field to encrypt the credentials used in the connection to the Splunk SOAR Automation Broker.
  5. Take the Splunk SOAR Authorization Code provided by the broker during installation and add it in the Enter authorization code obtained from the Automation Broker field.
  6. Enter a unique name for the Splunk SOAR Automation Broker to help you identify it. Each Automation Broker must have its own, unique name.
  7. Select Complete to save the configuration.

Verify that setup and registration are complete

Confirm successful setup and registration with Splunk SOAR (Cloud) or Splunk SOAR (On-premises).

  1. Use the podman logs command to see the log output for the Splunk SOAR Automation Broker container:
    podman logs <container ID>
  2. Confirm that a message like the following appears:
    Waiting for Splunk SOAR registration......................Successfully paired broker.
    Automation Broker pairing succeeded.
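Because the administrator's registration step and the broker's log run on different machines, it is convenient to let the Podman host watch for the pairing result itself. The script below is an added example, not part of the Splunk documentation or the broker image: it polls podman logs until the two messages shown above appear, and gives up once the 15-minute authorization window has closed so that an expired code is noticed instead of waited on forever. The container name is assumed to be given on the command line.

```shell
#!/bin/sh
# ab-wait-pairing.sh: poll the broker's log until Splunk SOAR has paired it, giving up
# when the 15-minute authorization window closes. Added example, not part of the Splunk
# documentation or the broker image.
# Assumption (not from the page): the container name or ID is passed on the command line.
set -eu

# Classify broker log text read from stdin. Prints paired, waiting, or unknown and
# returns 0 only for paired, so it can drive the loop below directly. The two patterns
# are the messages the documentation shows during and after a successful registration.
pairing_state() {
    log=$(cat)
    case "$log" in
        *"Automation Broker pairing succeeded"*)  echo paired;  return 0 ;;
        *"Waiting for Splunk SOAR registration"*) echo waiting; return 1 ;;
        *)                                        echo unknown; return 1 ;;
    esac
}

# Poll `podman logs CONTAINER` every INTERVAL seconds until paired or until DEADLINE
# seconds have passed. The default deadline equals the authorization code's lifetime;
# after that a fresh code is needed (stop the container and run podman-compose up again).
wait_for_pairing() {
    container=$1; deadline=${2:-900}; interval=${3:-10}
    elapsed=0
    while [ "$elapsed" -lt "$deadline" ]; do
        if state=$(podman logs "$container" 2>&1 | pairing_state); then
            echo "$container: $state"; return 0
        fi
        sleep "$interval"; elapsed=$((elapsed + interval))
    done
    echo "$container: not paired after ${deadline}s; the authorization code has probably expired" >&2
    return 1
}

# Usage on a Podman host: sh ab-wait-pairing.sh wait <container name or ID> [deadline] [interval]
# With no arguments the script only defines the functions above.
if [ "${1:-}" = "wait" ]; then
    shift
    wait_for_pairing "$@"
fi
```

A non-zero exit after the deadline is the cue to follow the conditional step above: stop the container and start a new one to obtain a fresh authorization code, then repeat the registration in Splunk SOAR.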

Start the Splunk SOAR Automation Broker and verify that the connection is active

Confirm that the connection between Splunk SOAR (Cloud) or Splunk SOAR (On-premises) and the Splunk SOAR Automation Broker works.

After installing the Splunk SOAR Automation Broker, confirm that the connection is active.

  1. In Splunk SOAR, select Home and navigate to Administration then Product Settings then select Automation Broker.
  2. Locate the Splunk SOAR Automation Broker configuration that you added and confirm that the broker status is Active.
Last modified on 29 May, 2024

This documentation applies to the following versions of Splunk® Automation Broker: current

