Splunk® Automation Broker

Set Up and Manage the Splunk SOAR Automation Broker

Splunk SOAR Automation Broker system requirements

The Splunk SOAR Automation Broker is delivered as a container.

The Splunk SOAR Automation Broker must be installed on one of the following containerization solutions:

For security reasons, only allow admin users to access the machine where the Splunk SOAR Automation Broker is installed and make sure to locate this machine behind a firewall.

Docker or Podman version requirements

If you are using Docker, you must use a supported version of Docker. Docker versions 20.10.2 and later are supported.

If you are using Podman, you must use a version that supports Docker Compose. Podman versions 4.1.0 and later are supported.

Operating system requirements

The Splunk SOAR Automation Broker containers runs on a Docker or Podman host. Your Docker or Podman host can be any operating system supported by Docker or Podman.

  • If you are using CentOS use CentOS 7.2009 or later.
  • If you are using Ubuntu use version 14.04.6 LTS or later.
  • If your organization must comply with FIPS requirements, you must use a version of Red Hat Enterprise Linux, CentOS, or Amazon Linux that supports FIPS mode. See FIPS compliance later in this topic.

Hardware requirements

To run the Splunk SOAR Automation Broker, your Docker or Podman host must have at least:

  • 4 CPU cores
  • 8GB of RAM
  • 20GB or more of available storage

For best practices, host the Splunk SOAR Automation Broker on a different host than your deployment of Splunk SOAR (On-premises).

Network Connectivity Requirements

The Splunk SOAR Automation Broker does not require inbound network connections. The Splunk SOAR Automation Broker initiates all communications.

The Splunk SOAR Automation Broker requires outbound/egress connectivity to your Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance. The Splunk SOAR Automation Broker must be able to connect to TCP port 443 (HTTPS) on your Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance.

If you use the Splunk SOAR Automation Broker in with other services, the Splunk SOAR Automation Broker will need outbound connectivity on the port needed to communicate with those services. For example, if you use Splunk SOAR Automation Broker in conjunction with Microsoft's Active Directory for LDAP, then the Automation Broker needs outbound access on TCP port 389.

TLS Certificates

The Splunk SOAR Automation Broker always validates the TLS certificate received from your Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance. If your enterprise is using a TLS intercepting proxy that replaces or modifies such certificates you might need to add the CA certificates for that proxy to the Automation Broker's list of trusted Certificate Authorities. See Add a Certificate Authority to the Splunk SOAR Automation Broker.

FIPS compliance

In order for a security application such as to be considered FIPS compliant it must meet the standards specified by the National Institute of Standards and Technology (NIST) in the standard FIPS 140-2.

The Splunk SOAR Automation Broker will run in FIPS mode, provided the underlying operating system is in FIPS mode. If you need the Splunk SOAR Automation Broker to run in FIPS mode, your containerization solution, either Docker or Podman, must be running on an operating system that supports and is running in FIPS mode.

If your containerization host's operating system is running in FIPS mode, the Splunk SOAR Automation Broker will automatically run in FIPS mode.

This is a list of operating systems which can be run in FIPS mode. However any operating system, even if it is not on this list, that is running in FIPS mode and runs your containerization solution can be used.

  • Red Hat Enterprise Linux 7.6 through 7.9
  • Red Hat Enterprise Linux 8.0 through 8.7
  • CentOS 7.6 through 7.9
  • Ubuntu
  • Amazon Linux 2
  • Windows

Docker only offers s390x (IBM Z) packages for RHEL 7 and 8. You may be be able to use the CentOS packages on RHEL. See https://docs.docker.com/engine/install/rhel/ for more information.

You can learn more about setting your operating system to use FIPS mode from the operating system vendor's websites:

Last modified on 29 May, 2024
About Splunk SOAR Automation Broker   Prepare to install the Splunk SOAR Automation Broker

This documentation applies to the following versions of Splunk® Automation Broker: current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters