Splunk® Phantom (Legacy)

Administer Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Reset the admin and root passwords in

You can reset the passwords for the following accounts to meet your organization's hardening requirements, or if you misplace or forget them:

  • The admin user for the web interface. This is a default account in that can't be deleted. It must always be available so that you can access in cases where other authentication methods such as LDAP fail. See Reset the admin password in .
  • The root user for the underlying CentOS Linux operating system. This account is required for maintenance tasks such as upgrades, and is also used to reset the admin password.

Reset the admin password in

To reset the admin user password, perform the following tasks:

  1. Log in to the operating system with your normal user account.
  2. Run the sudo su command to switch to the root user.
  3. Run the following command in {phantom_home}/www:
    phenv python manage.py changepassword admin
  4. Enter a new password, then enter it again to confirm. Both passwords must match.
  5. To verify, access the web interface and log in as the admin user using the new password.

If the admin account has Duo two factor authentication enabled and is no longer working properly, perform the following steps to temporarily disable the two factor authentication:

  1. Run the following command as root:
    phenv set_preference --disable-admin-2fa
  2. Confirm that you want to disable two factor authentication for the admin account.

Reset the root password in

To reset the root password in , perform the following tasks:

  1. Configure the virtual machine to boot from a CD.
  2. Mount the virtual machine root disk.
  3. Edit the password file.
  4. Mark the disk for re-labeling.
  5. Set a new password.

Configure the virtual machine to boot from a CD

Perform the following steps to configure the virtual machine (VM) to boot from a CD.

  1. Take a snapshot of the VM before performing this kind of recovery operation.
  2. Obtain a Linux boot CD ISO that has the LVM tools on it. This has been successfully tested with SystemRescueCd-x86-4.7.2.
  3. Configure the VM in your virtualization environment to boot from this ISO image.
  4. Once configured, reset the VM so that it reboots.
  5. Boot the VM from the CD image.

VMware products typically require that you press a key at the brief BIOS screen to make the VM boot from the CD rather than the virtual hard drive. This might take very careful timing. If you are unable to get it to boot from the CD image by manually pressing the button quickly enough, go to this VMware community page and search for "bios.bootDelay."

  1. Follow the prompts for your boot CD until you are able to get to a shell.

Mount the virtual machine root disk

When you have a root shell, perform the following tasks to mount the VM drive.

  1. Run the lvscan command to make sure you can see the LVM drives.
  2. Use the following command to mount the drive:
    mount /dev/VolGroup/lv_root /mnt

If your boot CD doesn't have a /mnt directory for mounting, substitute an appropriate mount location.

Edit the password file

Perform the following tasks to edit the /etc/passwd file:

  1. Use a text editor to open the file. For example, to use vi type the following at the command line:
    vi /mnt/etc/passwd
  2. Find the line for the root user, which looks like the following:
  3. Remove the "x" between the first two colons, so it looks like the following:
    The "x" normally tells the operating system to look in /etc/shadow for the password hash. Having it blank means root has no password at all.

Mark the disk for relabeling

Because the virtual machine uses SELinux, perform the following steps to mark the disk for relabeling:

  1. Run the following command to have Linux relabel the drives when they are booted:
    touch /mnt/.autorelabel
  2. To make sure the changes are written out, unmount the disk and reboot:
    umount /mnt

Set a new root password

To set a new root password, follow these steps:

  1. Login as root to the VM console. You will not be prompted for a password.
  2. When you are logged in, set a new root password immediately.
  3. After setting the password, log out and then log back in with the new password to verify that a password is correct.
Last modified on 07 September, 2021
Create custom CEF fields in Splunk Phantom   Enable clickable URLs in CEF data

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters