SPL 200: Installing Splunk SOAR (15 pts)

What you need:

Configuring the Firewall

Execute the command below:
systemctl status firewalld
You should see a status of "active (running)", as shown below.

Press Ctrl+C to exit the status report.

If the firewall is not running, see these instructions

Creating the "phantom" User

Execute the commands below to create a user account named "phantom", as shown below.
sudo adduser phantom
sudo passwd phantom
Enter a password twice, such as R@bbit!!

Installing Splunk SOAR

Execute the commands below to install Splunk SOAR:
sudo mkdir /opt/phantom
sudo chown phantom:phantom /opt/phantom

cd /tmp

wget https://download.splunk.com/products/splunk_soar-unpriv/releases/6.1.0/linux/splunk_soar-unpriv-

tar -xzvf ./splunk_soar*.tgz

sudo ./splunk-soar/soar-prepare-system --splunk-soar-home /opt/phantom --https-port 8443
Enter these responses to the questions that appear, as shown below.

Execute the commands below to adjust permissions on the installation folder, and switch to the "phantom" user:

sudo chown -R phantom:phantom splunk-soar
su phantom
Enter the password you chose above, which may be R@bbit!!

Execute the command below to install Splunk SOAR:

./splunk-soar/soar-install --splunk-soar-home /opt/phantom --https-port 8443 --ignore-warnings 
Yellow warning messages will appear, saying you have less than 500 GB of disk space available. That's OK for training purposes.

When it asks if you want to proceed, answer y

Wait while the installation proceeds. It will take about seven minutes.

When the installation is done, you see a message saying as shown below.

Opening Port 8443 in the Google Cloud Firewall

In Google Cloud Console, at the top left, click the three-bar icon.

On the left side, point to "VPC network" and click Firewall, as shown below.

At the top center of the next page, click "CREATE FIREWALL RULE".

Enter these fields, as shown below:

Leave all other values at their defaults. At the botton, click the blue CREATE button.

Finding your Public IP Address

In the Google Cloud console, on the left side, point to "Compute Engine" and click "VM instances".

Find the External IP of your Red Hat server, outlined in yellow in the image below.

Viewing the Splunk SOAR Web Page

Open a Web browser and enter a URL like this, replacing the IP address with the IP of your Red Hat server:
You see a warning that the page is not secure. Accept the risk and continue to the page.

The Splunk SOAR Web login page opens, as shown below.

Log in with a username of soar_local_admin and a password of password

Click the "Terms & Conditions" link. Click the I ACCEPT" button.

A page appears saying "Helping You Get More Value...". Click "Got It!".

A "Welcome to Splunk SOAR" page appears, as shown below.

Click "Get Started".

In the "Generate Events" box, click 5.





On the "Let's configure a few administrative settings" page, enter these values:


The next page is titled "Configure a Data Source", as shown below.

There seems to be no way to use this page to actually add a data source, however.

At the top right, click "Skip onboarding".

The SOAR home page opens, as shown below.

SPL 200.1: Splunk SOAR Home Page

The flag is covered by a green box in the image below.


Splunk Documentation

SplunkĀ® SOAR (On-premises)

Posted 9-6-23