Splunk® Phantom (Legacy)

Install and Upgrade Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Install Splunk Phantom using the Amazon Marketplace Image

Install Splunk Phantom for AWS from the AWS Marketplace in the security category.

With the release of Splunk Phantom 4.10, the AMI version of Splunk Phantom is for an unprivileged installation, meaning the the application runs under the phantom user account, and not as root.

  • The base installation directory for the unprivileged AMI is /opt/phantom/.
  • The custom HTTPS port is 9999, but the Splunk Phantom UI is still available on port 443.


Your AWS instance must meet or exceed the requirements for either an evaluation system for evaluation or Proof of Value testing, or a production system for production use, and must include:

If you need to connect your organization's on-premises infrastructure to an installation of Splunk Phantom hosted in AWS, consult the article Connect Your Data Center to AWS on the AWS web site.


Perform the following tasks to install Splunk Phantom:

  1. Log in to your AWS EC2 account.
  2. From your EC2 dashboard, select Launch Instance.
  3. In the AWS Marketplace, search for Splunk Phantom.
  4. On the Amazon Machine Image entry, click Select.
  5. Click Continue.
  6. Select an instance size. The default is m5.xlarge. Splunk Phantom does not support using instances smaller than t2.xlarge.
  7. Click Next: Configure Instance Details.
  8. Configure the instance according to your organization's policies.
  9. Click Next: Add Storage.
  10. Add storage.

    You can increase disk size later, but you cannot decrease disk size.

  11. Click Next: Add Tags.
  12. Add tags to help identify your Splunk Phantom installation in your EC2 dashboard.
  13. Click Next: Configure Security Group.
  14. Configure Security Groups. By default, SSH, HTTP, and HTTPS are permitted from all IP addresses. Increase security by limiting access to your organization's IP addresses.
  15. Click Review and Launch.
  16. Generate or choose SSH keys.

    The SSH user account is phantom. This user account has sudo access for elevating to root.

  17. Click Launch Instances. The installation typically takes 15 minutes to complete.

Next step: log in to verify the installation

You can log in to the Splunk Phantom web interface after the setup script completes to configure user accounts and additional settings. See Log in to the Splunk Phantom web interface.

Last modified on 07 December, 2020
Splunk Phantom ports and endpoints   Install Splunk Phantom as a virtual machine image

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters