Splunk® Automation Broker

Set Up and Manage the Splunk SOAR Automation Broker

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Prepare to install the Splunk SOAR Automation Broker

Use the Splunk SOAR Automation Broker to run actions from Splunk SOAR (Cloud) in your on-premises environment. You can also use the Splunk SOAR Automation Broker to connect assets in a complex network to a Splunk SOAR (On-premises) instance. To view a diagram of how the Splunk SOAR Automation Broker works, see About the Splunk SOAR Automation Broker.

Number Task Description
1 Set up either a Docker or Podman host

Your host must be running a containerization solution in order to use the container that runs the Splunk SOAR Automation Broker. You must have either:

  • Docker and Docker Compose
  • Podman and podman-compose

For best practices, host the Splunk SOAR Automation Broker on a different host than your deployment of Splunk SOAR (On-premises).

2 Complete the prerequisites

Be sure to work with your network administrators to allow access to Docker Hub through your environment's firewall. If you cannot connect to Docker Hub for policy reasons, see Install Splunk Automation Broker when you cannot use DockerHub in step 3.

3 Install the Automation Broker on your Docker or Podman host

Installation prerequisites

Before you install the Splunk SOAR Automation Broker, make sure that you meet the following prerequisites:

  • Your host must be running Docker or Podman and Docker Compose in order to support the container for the Splunk SOAR Automation Broker.
    • If you intend to user Docker as your containerization solution, search for "Download and Install" on the Docker website.
    • If you intend to use Podman as your containerization solution, search for "Get Started" on the Podman website.
    If you already have either Docker or Podman installed and configured, skip this step.
  • Your user account must be a member of the "docker" permissions group on the docker host. Search for "docker permissions" on the Docker website for more information.
  • You must be, or be working with, a Splunk SOAR administrator. This is the person in your organization who is responsible for adding new users and configurations to your Splunk SOAR (Cloud) or Splunk SOAR (On-premises) deployment.
  • You need the <PHANTOM_BASE_URL> which is the URL to your Splunk SOAR deployment. Find the <PHANTOM_BASE_URL> in Splunk SOAR from the Home menu then Administration then Company Settings then Info in the Base URL for Splunk SOAR field.
  • If you use a proxy server for outgoing traffic, you need the IP address and port for your HTTPS or HTTP proxy server.
  • Conditional: Splunk SOAR (On-premises) users, reset the stored version information about the Splunk SOAR Automation Broker by doing these steps:
    • Using SSH, log in to your Splunk SOAR (On-premises) deployment as the user account that runs Splunk SOAR (On-premises).
    • Run the following commands: 
      1. <$PHANTOM_HOME>/bin/phenv python <$PHANTOM_HOME>/www/manage.py change_ab_version --no-ab-version
      2. <$PHANTOM_HOME>/bin/phsvc reload uwsgi
Last modified on 08 November, 2023
PREVIOUS
Splunk SOAR Automation Broker system requirements 		  NEXT
Install Splunk Automation Broker on a Docker host

This documentation applies to the following versions of Splunk® Automation Broker: current

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters