The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises).
For documentation on the most recent version, go to the latest release.
default credentials, script options, and sample configuration files
This section has the default credentials, script options and example configuration files.
Default credentials
The default credentials on a new installation of are:
Web Interface
- Username: soar_local_admin
- password: password
On Splunk SOAR (On-premises) deployments which have been upgraded from earlier releases the user account admin becomes a normal user account with the Administrator role.
The default credentials of a new AMI installation of are:
SSH accounts:
- Username: phantom
- Password: None. You must use the SSH key created when deploying the AMI version of .
Web Interface
- Username: soar_local_admin
- Password: <full AWS instance ID>
You should change the default passwords immediately after the installation is complete.
Installation or configuration scripts
This section lists various installation scripts and their command line options.
soar-prepare-system.sh
Use these arguments to prepare your system to install . This script must be run by the root user or a user with sudo privileges.
General arguments
These options are information or intended to be used for debugging purposes.
| Argument | Description |
|---|---|
| -h, --help | Display the help message then exit. |
| Debugging options. These are not intended to be used in production systems. | |
| --no-color | Do not color log output |
| --dry-run | If this argument is specified, just print the install steps instead of running them. |
| -v, --verbose, --debug | Output debug-level logging to the console and the log file. |
Arguments for install, upgrade, or removal
These options are used for any case; install, upgrade, or removal.
| Argument | Description |
|---|---|
| -y, --no-prompt | If given, do not ask for confirmation before running the installation steps. |
| --log-format {json, plain, pretty-json} | Default logging format is JSON. Pretty-JSON logging decorates log messages with useful context, whereas plain text logging mirrors the console output more closely. |
| --no-spinners | If your terminal has problems with showing loading spinners, or you're automating the install and the spinner output is noisy, you can use this flag to disable them. |
Arguments for new installations
This set of options is only for installing a new deployment of Splunk SOAR (On-premises).
| Argument | Description |
|---|---|
| --splunk-soar-home <PHANTOM_HOME> | Path that should act as the Splunk SOAR installation directory. Defaults to the directory this script is located in, usually /opt/phantom. |
| --https-port <PHANTOM_PORT> | TCP port to which Splunk SOAR's webserver will bind for HTTPS. Must be between 1024 and 65535, and defaults to 8443 |
| --splunk-soar-user <PHANTOM_USER> | Name of the user which will own the Splunk SOAR installation |
Arguments for running optional steps without prompts
Use these arguments to run specific optional steps without prompting the user.
| Argument | Description |
|---|---|
| --gluster-fs | GlusterFS is only needed if you are using an external file share. This is common if you're constructing a Splunk SOAR cluster. |
| --chronyd-service | Activates the chronyd service to guarantee clock synchronization |
| --sysstat-service | Activate the sysstat service. Required if you want to forward data using the Splunk Addon For Linux Logs. |
| --firewall | Ensure that the required ports are opened in firewalld. Do not use this argument if you are not using firewalld. |
| --port-forward | Make Splunk SOAR available on the default HTTPS port (443) in addition to the configured port. Do not use this argument if you are not using firewalld or if you are creating a cluster. |
| --migrate-priv-to-unpriv | Use this argument to prepare your deployment to migrate a privileged deployment to an unprivileged deployment. |
soar-install.sh
This script is used to install, upgrade, or remove .
Optional arguments
These arguments can be used to manually specify which action soar-install.sh should perform, or to turn on debugging options.
| Argument | Description |
|---|---|
| -h, --help | Show the help message then exit. |
| --upgrade | If a lower version of Splunk SOAR is already installed then upgrade it. |
| --remove | If a lower version of Splunk SOAR is already installed then remove it. |
| --offline | If the installation environment doesn't have internet access, use this argument to skip installation checks that use the internet. |
| Debug arguments. These arguments are not intended to be used in production. | |
| --no-color | Do not color log output. |
| --dry-run | If this argument is specified, just print the install steps instead of running them. |
| -v, --verbose, --debug | Output debug-level logging to the log file and the console. |
| --version <VERSION> | Supply a custom Splunk SOAR version, rather than relying on the .soar file. |
Arguments for install, upgrade, or removal
These options are used for any case; install, upgrade, or removal.
| Argument | Description |
|---|---|
| -y, --no-prompt | If given, do not ask for confirmation before running the installation steps. |
| --log-format {json, plain, pretty-json} | Default logging format is JSON. Pretty-JSON logging decorates log messages with useful context, whereas plain text logging mirrors the console output more closely. |
| --no-spinners | If your terminal has problems with showing loading spinners, or you're automating the install and the spinner output is noisy, you can use this flag to disable them. |
Arguments for new installations
This set of options is only for installing a new deployment of .
| Argument | Description |
|---|---|
| -c <CONTINUE_FROM>, --continue-from <CONTINUE_FROM> |
<CONTINUE_FROM> must be a name for an installation step. Use this option for recovering from a failure. Start running from the named step, and assume that previous steps have already run. Note that removal steps are run in reverse. |
| -s <STOP_AT>, --stop-at <STOP_AT> | <STOP_AT> must be a name for an installation step. Use this option for recovering from a failure. Stop running before the named step. Note that removal steps are run in reverse. |
| --ova | Install Splunk SOAR for use in OVA format |
| --splunk-soar-home <PHANTOM_HOME>, --phantom-home <PHANTOM_HOME> |
Path that should act as the Splunk SOAR installation directory. Defaults to the directory this script is located in, usually /opt/phantom. |
| --https-port <PHANTOM_PORT>, --splunk-soar-port <PHANTOM_PORT>, --phantom-port <PHANTOM_PORT> |
TCP port to which Splunk SOAR's web server will bind for HTTPS. Must be between 1024 and 65535, and defaults to 8443 |
| --ignore-warnings | If specified, continue through any non-fatal warnings. This setting is only recommended if you've previously run with warnings enabled and determined, possibly with the assistance of Splunk SOAR support, that the warnings you see can be safely ignored. |
| --with-apps | If specified, install or upgrade apps at the same time as the platform. |
Arguments for upgrade installations
Use these arguments for soar-install.sh when performing an upgrade.
| Argument | Description |
|---|---|
| --splunk-indexer-token <SPLUNK_INDEXER_TOKEN> | (Optional) Use this argument to supply the Splunk TCP Token used to connect to your External Splunk Enterprise Indexers. Only use this argument when upgrading from a Splunk SOAR release 6.2.0 or higher. |
| --splunk-indexer-port <SPLUNK_INDEXER_PORT> | Use this argument to specify the TCP port on which your External Splunk Enterprise Indexers are listening. The default TCP port is 9997. Only use this argument when upgrading from a Splunk SOAR release 6.2.0 or higher. |
| --splunk-indexer-credentials-package <SPLUNK_INDEXER_CREDENTIALS_PACKAGE> | Use this argument to supply the credentials package for configuring a Splunk Universal Forwarder to forward data to your Splunk Cloud Platform deployment. Only use this argument when upgrading from a Splunk SOAR release 6.2.0 or higher. |
make_server_node.pyc options
Use these options to control the make_server_node.pyc command.
| Argument | Description |
|---|---|
| --version | Displays the program's version number. |
| --help | Display a list and description of arguments. |
| --no-prompt | Run the program. Do not display the warning prompt. |
Configuration files
This section contains example configuration files. Use these as a guide when configuring items for use in your deployment.
HAProxy Configuration
##--------------------------------------------------------------------
## HAPROXY 1.8.7 CONFIGURATION FILE
##--------------------------------------------------------------------
#---------------------------------------------------------------------
# global settings
#---------------------------------------------------------------------
global
tune.ssl.default-dh-param 2048
log 127.0.0.1:514 local0
#---------------------------------------------------------------------
# common defaults
#---------------------------------------------------------------------
defaults
mode http
timeout connect 0ms
timeout client 0ms
timeout server 0ms
log global
#---------------------------------------------------------------------
# SSL w/ redirect to HTTPS
#---------------------------------------------------------------------
frontend localhost
bind *:80
bind *:443 ssl crt /etc/haproxy/certificates no-sslv3 no-tlsv10 ciphers <ciphers go here>
# for unprivileged installs, add another declaration
# bind *:<your https port> ssl crt /etc/haproxy/certificates no-sslv3
# no-tlsv10 ciphers <ciphers go here>
redirect scheme https if !{ ssl_fc }
mode http
default_backend nodes
#---------------------------------------------------------------------
# backend (output)
#---------------------------------------------------------------------
backend nodes
mode http
balance roundrobin
option http-keep-alive
option forwardfor
cookie SRVNAME insert
option httpchk GET /check HTTP/1.1\r\nHost:\ www.example.com
http-check expect status 200
default-server fastinter 1s downinter 5s
server <phantom node UUID> <IP Address>:443 cookie <phantom node UUID> check ssl verify none
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
Last modified on 16 September, 2024
| Migrate from Splunk SOAR (On-premises) to Splunk SOAR (Cloud) |
This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.2
Download manual
Feedback submitted, thanks!