https://github.com/dncrypter/splunk-soar-phantom-lab
In this Lab I will try to cover how can we install Splunk SOAR, and how we can configure it to play automation of threat response.
- Host: GitHub
- URL: https://github.com/dncrypter/splunk-soar-phantom-lab
- Owner: DNcrypter
- Created: 2024-11-07T12:24:03.000Z (7 months ago)
- Default Branch: main
- Last Pushed: 2024-11-07T17:12:58.000Z (7 months ago)
- Last Synced: 2025-02-01T12:45:11.310Z (4 months ago)
- Topics: lab-setup, playbooks, splunk-phantom, splunk-soar
- Homepage:
- Size: 234 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
## 🍁Splunk SOAR (Phantom) : Home-Lab
[MIT License](https://choosealicense.com/licenses/mit/)
[LinkedIn](https://www.linkedin.com/in/nikhil--chaudhari/)
[Medium](https://medium.com/@nikhil-c)
## 🍁Introduction
In this lab I cover how to install Splunk SOAR and how to configure it to automate threat response.
## 🍁What is SOAR ?
SOAR stands for security orchestration, automation, and response. The SOAR platform provided by Splunk is known as Phantom. It used to have its own website, but it has since been integrated into Splunk's official website.
## 🍁Prerequisites
- Basic knowledge of the command line
- Familiarity with the CentOS or RHEL operating system
## 🍁Requirements
- CentOS 7 / RHEL 8 or later
- VMware or VirtualBox
## 🍁Install the Splunk SOAR
**Step 1**: Create a RHEL 8 machine with the user name phantom.

**Step 2**: During the RHEL 8 installation, enter the user name and password on the user-creation screen, but do not give the user administrative rights at this point.

**Step 3**: Install the splunk-soar-unpriv file.
You can download the unprivileged installer from “https://www.splunk.com/en_us/download/soar-free-trial.html?locale=en_us” after creating an account and starting the free trial. You can copy the wget link and run it directly on the Linux machine, or follow **Step 3**.

**Step 4**: Go to the directory where you downloaded the Splunk SOAR file. By default it is the Download directory.
```
cd Download
```
**Step 5**: Unpack the tar file (replace the placeholder with the name of the downloaded package).
```
tar -xzvf ./<splunk-soar-unpriv-package>.tgz
```
Wait for a minute or two until the archive has been unpacked.

**Step 6**: Move the unpacked files to the /opt/soar/ path (replace the placeholder with the name of the unpacked directory).
```
sudo mkdir -p /opt/soar
cp -r ./<unpacked-splunk-soar-directory>/. /opt/soar/
```
We have now installed RHEL and unpacked the unprivileged Splunk SOAR package on the system.
## 🍁Configure the SOAR
**Step 1**: I used “chmod -R 777 /opt/” because it is a test environment and permissions are essential for unprivileged installation.

**Step 2**: This step might be optional, but if you encounter a problem you may need to disable SELinux.

**Step 3**: Check that the firewalld daemon is running with “systemctl status firewalld”. If the daemon is not running, use the following commands:
```
sudo yum install firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld
```
**Step 4**: Update the operating system:
```
sudo yum clean all
sudo yum update
```
Log in as root and start the script using the following command for the unprivileged installation:
```
./soar-prepare-system --splunk-soar-home /opt/soar/ --https-port 8443
```
**Step 5**: The script asks you to create a user; enter a username and password. It also asks which port will be used (the default is 8443).

**Step 6**: You can answer “Y” to all options except the cluster options; adjust your answers to the questions as needed. Answer “n” to the cluster question.
**Step 7**: This is an unprivileged installation, so switch to the user you created during the installation phase. Note: do NOT install SOAR as the root user.
```
./soar-install --splunk-soar-home /opt/soar --https-port 8443
```
**Step 8**: You can ignore errors and answer “y”.

At the end you will get an installation-completed message.

**Step 9**: Start the Phantom services via “./start_phantom.sh”. The scripts are in the bin folder.

**Step 10**: You can access the SOAR interface at “https://localhost:8443”.

```
username: Nikhil
password : password
```
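As an added example (not part of this repository), a POSIX shell pre-flight script that checks the conditions the steps above depend on before running soar-install: the installer runs as a non-root user, the HTTPS port is unprivileged, the SOAR home exists and is writable without being world-writable (chmod -R 777 /opt is a lab shortcut only), and the current SELinux mode and firewalld state. The function names and the /sys/fs/selinux/enforce default path are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the unprivileged Splunk SOAR install (added example).
# Every check takes its input as an argument, so it can be run against the
# live host or against constructed values.

# The installer must not run as root (pass "$(id -u)").
check_not_root() {
    [ "$1" -ne 0 ]
}

# The HTTPS port must be numeric and unprivileged (>= 1024), e.g. 8443.
check_https_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# The SOAR home (/opt/soar in this lab) must exist and be writable by the
# install user, but must not be world-writable (a 777 tree is a lab shortcut).
check_soar_home() {
    [ -d "$1" ] && [ -w "$1" ] || return 1
    [ -z "$(find "$1" -prune -perm -002)" ]
}

# Report the SELinux mode from the enforce flag file (assumed default path).
selinux_mode() {
    f="${1:-/sys/fs/selinux/enforce}"
    [ -r "$f" ] || { echo absent; return 0; }
    case "$(cat "$f")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# firewalld state as printed by "systemctl is-active firewalld".
check_firewalld_state() {
    [ "$1" = "active" ]
}

# Run as the phantom user: preflight /opt/soar 8443
preflight() {
    rc=0
    check_not_root "$(id -u)"         || { echo "FAIL: do not install as root"; rc=1; }
    check_https_port "${2:-8443}"     || { echo "FAIL: port must be 1024-65535"; rc=1; }
    check_soar_home "${1:-/opt/soar}" || { echo "FAIL: SOAR home missing, unwritable or world-writable"; rc=1; }
    echo "SELinux: $(selinux_mode)"
    check_firewalld_state "$(systemctl is-active firewalld 2>/dev/null)" || echo "WARN: firewalld not active"
    return "$rc"
}
```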
## 🍁Conclusion
Now we have successfully installed and configured Splunk SOAR, and we are ready to create playbooks and automate the response to system threats. If you like the project, follow me for more such content.