System requirements for production use

Systems for production must meet or exceed the listed requirements:

System Area Requirement
Operating system
  • Red Hat Enterprise Linux 7.6 through 7.9
  • Red Hat Enterprise Linux 8.0 and any minor version of 8.x
  • CentOS 7.6 through 7.9
  • Amazon Linux 2
Note: If Splunk SOAR (On-premises) is deployed on Red Hat Enterprise Linux 8.x, you must use TLS 1.2 or higher on all apps, connectors, or assets connecting to Splunk SOAR (On-premises). For more information, search for "Planning and implementing TLS" on https://access.redhat.com.
Processor: 1 server-class CPU, 4 to 8 cores
Memory: Minimum of 16GB RAM, 32GB recommended
Storage: Splunk SOAR (On-premises) needs storage for multiple volumes:
  • Splunk SOAR (On-premises) home directory also known as <$PHANTOM_HOME>: 500GiB
    • mounted as either /opt/phantom/ or as <$PHANTOM_HOME>
  • Phantom data: 500GiB
    • mounted as either /opt/phantom/data or <$PHANTOM_HOME>/data
      The PostgreSQL database will be stored underneath the Phantom Data mount at: <$PHANTOM_HOME>/data/db
  • File share volumes: 500GiB
    • mounted as /opt/phantom/vault or <$PHANTOM_HOME>/vault

Disk space requirements vary depending on the volume of data ingested and the size of your production environment.

Network: A one-gigabit network interface
System utilities
  • cron
    • The user account that runs Splunk SOAR (On-premises) must have permission to create cron jobs.
  • ntp or chrony
CAUTION: If you use the Files feature to store virtual machine snapshots or other large-format data, it is recommended you use a larger volume for storage.
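
A preflight script that checks a host against the requirements listed above, as an added example that is not part of the Splunk documentation. The function names, the `--check` flag, the 5% RAM tolerance, reading `PHANTOM_HOME` from the environment, and the handling of a host with neither cron.allow nor cron.deny are assumptions.

```sh
#!/bin/sh
# Added example: thresholds are from the page; names and tolerances are assumptions.

# os_supported ID MAJOR.MINOR -> 0 if the pair is on the supported list
os_supported() {
  case "$1:$2" in
    rhel:7.[6-9]|centos:7.[6-9]|rhel:8|rhel:8.*|amzn:2) return 0 ;;
    *) return 1 ;;
  esac
}
cores_ok()  { [ "$1" -ge 4 ]; }                      # page: 4 to 8 cores
# MemTotal in kB; 5% slack because the kernel reserves part of 16GB (assumption)
mem_ok()    { [ "$1" -ge $((16 * 1024 * 1024 * 95 / 100)) ]; }
volume_ok() { [ "$1" -ge 500 ]; }                    # filesystem size in GiB

# cron_allowed USER [ALLOW_FILE] [DENY_FILE]: an allow-list wins, else the deny-list.
# With neither file the result is site-dependent; treated as allowed here (assumption).
cron_allowed() {
  allow=${2:-/etc/cron.allow}; deny=${3:-/etc/cron.deny}
  if [ -f "$allow" ]; then grep -qxF "$1" "$allow"
  elif [ -f "$deny" ]; then ! grep -qxF "$1" "$deny"
  fi
}

# Print "ID MAJOR.MINOR". CentOS 7 keeps its minor version in /etc/centos-release.
detect_os() {
  . /etc/os-release
  if [ "$ID" = centos ]; then
    VERSION_ID=$(sed -n 's/.*release \([0-9]*\.[0-9]*\).*/\1/p' /etc/centos-release)
  fi
  echo "$ID $VERSION_ID"
}
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; rc=1; fi; }

preflight() {
  rc=0; home=${PHANTOM_HOME:-/opt/phantom}
  report os_supported $(detect_os)
  report cores_ok "$(nproc)"
  report mem_ok "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)"
  for dir in "$home" "$home/data" "$home/vault"; do
    gib=$(df -BG --output=size "$dir" 2>/dev/null | tail -n 1 | tr -dc '0-9')
    echo "checking $dir"; report volume_ok "${gib:-0}"
  done
  report cron_allowed "$(id -un)"                    # run as the SOAR account
  report sh -c 'command -v chronyd || command -v ntpd'
  return "$rc"
}
# Checks run only on request, e.g.: sh preflight.sh --check (hypothetical file name)
if [ "${1:-}" = "--check" ]; then preflight; fi
```

Run it as the account that will run Splunk SOAR (On-premises), because the cron check evaluates the current user. `df` reports the size of the filesystem that contains each directory, so a directory that is not its own mount shows its parent volume's size.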