Install Splunk SOAR (On-premises) using the Amazon Marketplace Image

Install Splunk SOAR (On-premises) for AWS from the AWS Marketplace in the security category.

The AMI version of Splunk SOAR (On-premises) is for an unprivileged installation, meaning the the application runs under the phantom user account, and not as root.

  • The base installation directory for the AMI is /opt/phantom/.
  • The AMI uses a custom HTTPS port of 9999. A firewalld forwarding rule routes traffic directed to the standard HTTPS port 443 to the custom HTTPS port 9999.

Prerequisites

Your AWS instance must meet or exceed the requirements for either an evaluation system for evaluation or Proof of Value testing, or a production system for production use, and must include:

Note: If you need to connect your organization's on-premises infrastructure to an installation of Splunk SOAR (On-premises) hosted in AWS, consult the article Connect Your Data Center to AWS on the AWS web site.

Federal Information Processing Standard (FIPS) support

Splunk SOAR (On-premises) can be deployed in a FIPS compliant mode, if the operating system kernel is in FIPS mode.

  • Your operating system, either RHEL or CentOS must be in FIPS mode.
  • You must create a new, unprivileged deployment of Splunk SOAR (On-premises), either as a single instance or as a cluster.

Information about setting up RHEL 7.x or CentOS 7.x in Federal Information Processing Standard (FIPS) mode can be found in the Red Hat Security Guide in Chapter 9.

Information about setting up RHEL 8.x in Federal Information Processing Standard (FIPS) mode can be found in the Red Hat Security Guide in Chapter 2.

Installation

Perform the following tasks to install Splunk SOAR (On-premises):

  1. Log in to your AWS EC2 account.
  2. From your EC2 dashboard, select Launch Instance.
  3. In the AWS Marketplace, search for Splunk SOAR (On-premises).
  4. On the Amazon Machine Image entry, click Select.
  5. Click Continue.
  6. Select an instance size. The default is m5.xlarge. Splunk SOAR (On-premises) does not support using instances smaller than t2.xlarge.
  7. Click Next: Configure Instance Details.
  8. Configure the instance according to your organization's policies.
  9. Click Next: Add Storage.
  10. Add storage.

    Note: You can increase disk size later, but you cannot decrease disk size.
  11. Click Next: Add Tags.
  12. Add tags to help identify your Splunk SOAR (On-premises) installation in your EC2 dashboard.
  13. Click Next: Configure Security Group.
  14. Configure Security Groups. By default, SSH, HTTP, and HTTPS are permitted from all IP addresses. Increase security by limiting access to your organization's IP addresses.
  15. Click Review and Launch.
  16. Generate or choose SSH keys.
    Note: The SSH user account is phantom. This user account has sudo access for elevating to root.
  17. Click Launch Instances. The installation typically takes 15 minutes to complete.