Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Log in to the web interface

Perform the following tasks to log in to the web interface after installation is complete.

  1. Using a web browser, go to the IP address you assigned to .
    • If you installed as an unprivileged user, log in to 's web interface at the custom HTTPS port.
      https://<ip address or hostname>:<your https port>

      The custom HTTPS port for unprivileged AMI based installations is 9999. However, the UI is still accessible on port 443.

    • If you installed from the AWS Marketplace, get the public IP address for the instance from the EC2 Management Console and the full AWS instance ID for the EC2 instance. Log in to the web interface by using the public IP address.
  2. Log in using the default credentials. Use soar_local_admin as the username and password as the password. If you installed from the AWS Marketplace, use soar_local_admin as the username and the full AWS instance ID as the password.

    AWS requires about 20 minutes to complete the setup. After the setup is complete, you can use your full AWS instance ID as the password. Attempting to login before that will result in a login error.

  3. Change the soar_local_admin user's password:
    1. Click the user name soar_local_admin, then select Account Settings.
    2. Click the Change Password tab.
    3. Type the current password.
    4. Type a new password.
    5. Type a new password a second time to confirm.
    6. Click Change Password.

Log in to using SSH

To SSH into the instance perform the following steps:

  1. Open a terminal window.
  2. SSH to your instance's operating system ssh phantom@<hostname or IP address of >.

Remote SSH is disabled for the root user. The accounts user and phantom have sudo permissions. You can use the account user to administer the operating system.

In order to log in to the operating system of your AMI-based installation using SSH, use the user id phantom. If you need root access, use sudo su -.

Last modified on 16 September, 2024
Install as an unprivileged user   About clusters

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters