Customize the Splunk SOAR Automation Broker
The Splunk SOAR Automation Broker can be customized by using environment variables.
Supported environment variables
Environment variables can be passed to the Splunk SOAR Automation Broker container either in the docker-compose.yaml file or as command line arguments to the docker run or podman run commands.
Argument | Description |
---|---|
PHANTOM_HTTPS_STRICT_TLS_AUTODETECT | Turns on or off auto-detection of strict TLS checking. Valid values are 0 for "off" or 1 for "on." |
PHANTOM_HTTPS_STRICT_TLS | Turns on or off strict TLS checking. Valid values are 0 for "off" or 1 for "on." |
https_proxy | Use this setting to specify an HTTPS proxy. Specify with the format <PROXY IP ADDRESS>:<PROXY PORT>. This variable is case sensitive. Type the variable name in lowercase. |
http_proxy | Use this setting to specify an HTTP proxy. Specify with the format <PROXY IP ADDRESS>:<PROXY PORT>. This variable is case sensitive. Type the variable name in lowercase. |
PHANTOM_BASE_URL | Sets the base URL to your Splunk SOAR (Cloud) or Splunk SOAR (On-premises) deployment. |
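The following check is an added example, not part of the Splunk documentation or product: it lints a set of Automation Broker environment variables against the constraints in the table above (0 or 1 for the TLS flags, lowercase proxy variable names, the <PROXY IP ADDRESS>:<PROXY PORT> format). The function names, the sample values, and the warning raised when strict TLS checking is off are assumptions of this example; where the broker only needs to trust a private CA, adding that certificate authority (see the next section) keeps strict checking on.

```python
import ipaddress

TLS_FLAGS = ("PHANTOM_HTTPS_STRICT_TLS_AUTODETECT", "PHANTOM_HTTPS_STRICT_TLS")
PROXY_VARS = ("https_proxy", "http_proxy")


def is_ip_port(value):
    """True if value matches the documented <PROXY IP ADDRESS>:<PROXY PORT> form."""
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        return False
    try:
        ipaddress.ip_address(host.strip("[]"))  # brackets allow an IPv6 literal
    except ValueError:
        return False
    return True


def lint_broker_env(env):
    """Return (severity, variable, message) findings for a broker environment."""
    findings = []
    for name in TLS_FLAGS:
        if name in env and str(env[name]) not in ("0", "1"):
            findings.append(("error", name, "valid values are 0 or 1"))
    # Policy of this example (assumption): report disabled certificate checking.
    if str(env.get("PHANTOM_HTTPS_STRICT_TLS")) == "0":
        findings.append(("warning", "PHANTOM_HTTPS_STRICT_TLS",
                         "strict TLS checking is off"))
    for name, value in env.items():
        if name.lower() in PROXY_VARS:
            if name not in PROXY_VARS:
                findings.append(("error", name, "proxy variable names must be lowercase"))
            elif not is_ip_port(str(value)):
                findings.append(("error", name, "expected <PROXY IP ADDRESS>:<PROXY PORT>"))
    return findings


# Constructed sample input, standing in for an `environment:` mapping or -e arguments.
SAMPLE_ENV = {
    "PHANTOM_HTTPS_STRICT_TLS": "0",
    "PHANTOM_HTTPS_STRICT_TLS_AUTODETECT": "yes",
    "HTTPS_PROXY": "10.0.0.5:3128",
    "http_proxy": "proxy.example.internal",
}

if __name__ == "__main__":
    for severity, name, message in lint_broker_env(SAMPLE_ENV):
        print(f"{severity}: {name}: {message}")
```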
Add a certificate authority
You can add a custom certificate authority to the Splunk SOAR Automation Broker. For instructions, see Add a Certificate Authority to the Splunk SOAR Automation Broker.
Add a custom hosts entry for name resolution
Containers do not use the Docker or Podman host's hosts file. You can specify host entries using the extra_hosts docker compose configuration item in your docker-compose.yaml file. Search for "extra_hosts" in the compose-spec project on github.com.
Change Splunk SOAR Automation Broker settings by editing brokerd.conf
Several settings for the Splunk SOAR Automation Broker can be changed by editing the file brokerd.conf. Access the brokerd.conf file in the data directory on the host operating system, or in the Splunk SOAR Automation Broker Docker container in the /broker directory.
You must restart the Splunk SOAR Automation Broker docker container to apply any changes you make to settings in brokerd.conf.
Setting | Description |
---|---|
debug_level | The level of detail the Automation Broker writes to brokerd.log. |
data_dir | The path to the data directory shared with the docker host operating system. |
socket_path | Path to the brokerd.sock file. Do not modify this line. |
global_concurrency_limit | The maximum number of concurrent actions the Automation Broker will handle. The default value is 50. Setting this value higher than the global action limit on the SOAR platform does nothing. |
global_lock_time_out | Specifies the number of milliseconds to wait to acquire the lock for an action, before reporting an error. The default value is 6000. |
keydir | The directory where the Automation Broker's encryption and authorization keys are stored. |
broker_uuid | The UUID of the Splunk SOAR Automation Broker. Do not modify this line. |
This documentation applies to the following versions of Splunk® Automation Broker: current