Splunk SOAR Automation Broker system requirements
The Splunk SOAR Automation Broker is delivered as a container.
The Splunk SOAR Automation Broker must be installed on one of the following containerization solutions:
- A host running Docker and Docker Compose. For documentation on Docker and Docker Compose, see https://docs.docker.com.
- A host running Podman and Docker Compose. For documentation on Podman, see https://podman.io/docs.
For security reasons, only allow admin users to access the machine where the Splunk SOAR Automation Broker is installed, and place this machine behind a firewall.
Docker or Podman version requirements
If you are using Docker, you must use a supported version of Docker. Docker versions 20.10.2 and later are supported.
If you are using Podman, you must use a version that supports Docker Compose. Podman versions 4.1.0 and later are supported.
Operating system requirements
The Splunk SOAR Automation Broker container runs on a Docker or Podman host. Your Docker or Podman host can be any operating system supported by Docker or Podman.
- If you are using CentOS, use CentOS 7.2009 or later.
- If you are using Ubuntu, use version 14.04.6 LTS or later.
- If your organization must comply with FIPS requirements, you must use a version of Red Hat Enterprise Linux, CentOS, or Amazon Linux that supports FIPS mode. See FIPS compliance later in this topic.
Hardware requirements
To run the Splunk SOAR Automation Broker, your Docker or Podman host must have at least:
- 4 CPU cores
- 8GB of RAM
- 20GB or more of available storage
As a best practice, host the Splunk SOAR Automation Broker on a different host than your deployment of Splunk SOAR (On-premises).
Network Connectivity Requirements
The Splunk SOAR Automation Broker does not require inbound network connections. The Splunk SOAR Automation Broker initiates all communications.
The Splunk SOAR Automation Broker requires outbound/egress connectivity to your Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance. The Splunk SOAR Automation Broker must be able to connect to TCP port 443 (HTTPS) on your Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance.
If you use the Splunk SOAR Automation Broker with other services, the Splunk SOAR Automation Broker needs outbound connectivity on the port used to communicate with those services. For example, if you use the Splunk SOAR Automation Broker in conjunction with Microsoft's Active Directory for LDAP, then the Automation Broker needs outbound access on TCP port 389.
TLS Certificates
The Splunk SOAR Automation Broker always validates the TLS certificate received from your Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance. If your enterprise is using a TLS intercepting proxy that replaces or modifies such certificates, you might need to add the CA certificates for that proxy to the Automation Broker's list of trusted Certificate Authorities. See Add a Certificate Authority to the Splunk SOAR Automation Broker.
FIPS compliance
For a security application to be considered FIPS compliant, it must meet the standards specified by the National Institute of Standards and Technology (NIST) in the standard FIPS 140-2.
The Splunk SOAR Automation Broker will run in FIPS mode, provided the underlying operating system is in FIPS mode. If you need the Splunk SOAR Automation Broker to run in FIPS mode, your containerization solution, either Docker or Podman, must be running on an operating system that supports and is running in FIPS mode.
If your containerization host's operating system is running in FIPS mode, the Splunk SOAR Automation Broker will automatically run in FIPS mode.
The following operating systems can be run in FIPS mode. However, any operating system that is running in FIPS mode and runs your containerization solution can be used, even if it is not on this list.
- Red Hat Enterprise Linux 7.6 through 7.9
- Red Hat Enterprise Linux 8.0 through 8.7
- CentOS 7.6 through 7.9
- Ubuntu
- Amazon Linux 2
- Windows
Docker only offers s390x (IBM Z) packages for RHEL 7 and 8. You may be able to use the CentOS packages on RHEL. See https://docs.docker.com/engine/install/rhel/ for more information.
You can learn more about setting your operating system to use FIPS mode from the operating system vendor's websites:
- RHEL 7.x or CentOS 7.x in the Red Hat Security Guide in Chapter 9.
- RHEL 8.x in the Red Hat Security Guide in Chapter 3.
- Ubuntu FIPS for Ubuntu.
- Amazon Linux 2 in the AWS Public Sector blog post Enabling FIPS mode in Amazon Linux 2.
- Windows FIPS 140-2 Validation.
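A preflight check for a Linux Docker or Podman host, written against the version, hardware and FIPS requirements listed above. This is an added example, not Splunk code: the function names, the `--run` switch and the 7500000 kB memory tolerance are assumptions of the example, and `/proc/sys/crypto/fips_enabled` is the Linux kernel's FIPS flag.

```sh
#!/bin/sh
# Preflight check against the minimums on this page (added example, not Splunk code).
# version_ge A B: succeed when dotted version A >= B, comparing three numeric fields.
version_ge() {
    a=$1; b=$2
    for n in 1 2 3; do
        fa=${a%%.*}; fa=${fa%%[!0-9]*}
        fb=${b%%.*}; fb=${fb%%[!0-9]*}
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 0
}
# engine_ok NAME "output of NAME --version": compare with the page's minimum version.
engine_ok() {
    case $1 in docker) min=20.10.2 ;; podman) min=4.1.0 ;; *) return 2 ;; esac
    v=$(printf '%s\n' "$2" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] && version_ge "$v" "$min"
}
# hw_ok CORES MEMTOTAL_KB FREE_KB: 4 cores, 8 GB RAM, 20 GB storage. Assumption: 7500000 kB
# counts as 8 GB because MemTotal excludes firmware- and kernel-reserved memory.
hw_ok() {
    [ "$1" -ge 4 ] && [ "$2" -ge 7500000 ] && [ "$3" -ge 20971520 ]
}
# fips_state [FILE]: report the Linux kernel FIPS flag of the host.
fips_state() {
    f=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$f" ] || { echo unknown; return 0; }
    if [ "$(cat "$f")" = 1 ]; then echo enabled; else echo disabled; fi
}
# preflight [PATH]: run every check on this host; PATH is the volume to measure.
preflight() {
    rc=0; found=0
    for e in docker podman; do
        command -v "$e" >/dev/null 2>&1 || continue
        found=1
        if engine_ok "$e" "$("$e" --version 2>/dev/null)"; then echo "OK   $e version"
        else echo "FAIL $e is older than the supported minimum"; rc=1; fi
    done
    [ "$found" -eq 1 ] || { echo "FAIL neither docker nor podman found"; rc=1; }
    mem=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    disk=$(df -Pk "${1:-.}" | awk 'NR==2 {print $4}')
    hw_ok "$(getconf _NPROCESSORS_ONLN)" "$mem" "$disk" ||
        { echo "FAIL below 4 cores / 8 GB RAM / 20 GB storage"; rc=1; }
    echo "INFO host FIPS mode: $(fips_state)"
    return "$rc"
}
if [ "${1:-}" = "--run" ]; then preflight "${2:-.}"; fi
```

Run it as `sh preflight.sh --run /path/on/target/volume`. The version comparison is numeric per field, so 20.9.x is correctly treated as older than 20.10.2.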
This documentation applies to the following versions of Splunk® Automation Broker: current