SPL 200: Installing Splunk SOAR (15 pts)

What you need:

A Red Hat Linux server with Splunk installed

Configuring the Firewall

Execute the command below:

systemctl status firewalld

You should see a status of "active (running)", as shown below.

Press Ctrl+C to exit the status report.

If the firewall is not running, see these instructions

Creating the "phantom" User

Execute the commands below to create a user account named "phantom", as shown below.

sudo adduser phantom sudo passwd phantom

Enter a password twice, such as R@bbit!!

Installing Splunk SOAR

Execute the commands below to install Splunk SOAR:

sudo mkdir /opt/phantom sudo chown phantom:phantom /opt/phantom cd /tmp wget https://download.splunk.com/products/splunk_soar-unpriv/releases/6.1.0/linux/splunk_soar-unpriv-6.1.0.131-3ed6d0e6-el8-x86_64.tgz tar -xzvf ./splunk_soar*.tgz sudo ./splunk-soar/soar-prepare-system --splunk-soar-home /opt/phantom --https-port 8443

Enter these responses to the questions that appear, as shown below.

Do you wish to proceed? (y/N): y
Download packages available in the default CentOS and RHEL repos (Y/n): y
This process will take about seven minutes.
GlusterFS is only needed if you are using an external file share. This is common if you're constructing a Splunk SOAR cluster. Do you want to run this step? (Y/n): n
Ensure that the required ports are opened in firewalld. Do not run if not using firewalld. Do you want to run this step? (Y/n): y
Make Splunk SOAR available on the default HTTPS port (443) in addition to the configured port. Do not run if not using firewalld or if creating a cluster. Do you want to run this step? (Y/n): n
Set system resource limits for Splunk SOAR user, particularly file descriptor limits, which are low by default. (Y/n): y

Execute the commands below to adjust permissions on the installation folder, and switch to the "phantom" user:

sudo chown -R phantom:phantom splunk-soar su phantom

Enter the password you chose above, which may be R@bbit!!

Execute the command below to install Splunk SOAR:

./splunk-soar/soar-install --splunk-soar-home /opt/phantom --https-port 8443 --ignore-warnings

Yellow warning messages will appear, saying you have less than 500 GB of disk space available. That's OK for training purposes.

When it asks if you want to proceed, answer y

Wait while the installation proceeds. It will take about seven minutes.

When the installation is done, you see a message saying as shown below.

Opening Port 8443 in the Google Cloud Firewall

In Google Cloud Console, at the top left, click the three-bar icon.

On the left side, point to "VPC network" and click Firewall, as shown below.

At the top center of the next page, click "CREATE FIREWALL RULE".

Enter these fields, as shown below:

Name: allow8443
Targets: "All instances on the network"
Source IPv4 Ranges: 0.0.0.0/0
TCP port: 8443

Leave all other values at their defaults. At the botton, click the blue CREATE button.

Finding your Public IP Address

In the Google Cloud console, on the left side, point to "Compute Engine" and click "VM instances".

Find the External IP of your Red Hat server, outlined in yellow in the image below.

Viewing the Splunk SOAR Web Page

Open a Web browser and enter a URL like this, replacing the IP address with the IP of your Red Hat server:

https://34.16.118.140:8443

You see a warning that the page is not secure. Accept the risk and continue to the page.

The Splunk SOAR Web login page opens, as shown below.

Click the "Terms & Conditions" link. Click the I ACCEPT" button.

A page appears saying "Helping You Get More Value...". Click "Got It!".

A "Welcome to Splunk SOAR" page appears, as shown below.

Click "Get Started".

In the "Generate Events" box, click 5.

Click "VIEW EVENT".

Click "RUN PLAYBOOK".

Click "VIEW PLAYBOOK".

Click "CONFIGURE SPLUNK SOAR".

On the "Let's configure a few administrative settings" page, enter these values:

Enter an administrative password of R@bbit!! in both fields
Company name: Example
Time zone: UTC
Contact email: admin@example.com
Base URL for this Splunk SOAR instance: https://phantom.example.com

Click "SAVE AND CONTINUE".

The next page is titled "Configure a Data Source", as shown below.

There seems to be no way to use this page to actually add a data source, however.

At the top right, click "Skip onboarding".

The SOAR home page opens, as shown below.

SPL 200.1: Splunk SOAR Home Page
The flag is covered by a green box in the image below.

Sources

Splunk Documentation

Splunk® SOAR (On-premises)

Posted 9-6-23