Installing SOAR (Phantom)
SOAR stands for Security Orchestration, Automation and Response. Splunk SOAR is the product formerly known as Phantom, re-branded after Splunk acquired it. Splunk ingests the logs, builds the dashboards, and fires alerts and reports off those logs. SOAR picks up after those alerts and takes action against other tools through their API integrations.
Bla bla bla fill this part in in a bit
Get on Linux. The installer checks for CentOS 8 or RHEL 8; on anything else you would have to edit parts of the install script later to bypass those checks, which leaves you with an unsupported install. Some port setup first. If firewalld isn't installed, install it, start it, and open the ports you need. Note that the https port you hand to the installer below (9999) has to be open as well, or the web UI won't be reachable through the firewall. Open a terminal and run:
sudo yum install firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo firewall-cmd --permanent --zone public --add-port 22/tcp
sudo firewall-cmd --permanent --zone public --add-port 2222/tcp
sudo firewall-cmd --permanent --zone public --add-port 9999/tcp
sudo firewall-cmd --reload
sudo localectl set-locale LANG=en_US.UTF-8
sudo localectl set-keymap us
If you need to deal with FIPS mode, check whether the kernel has it enabled first (1 means enabled, 0 means disabled):
cat /proc/sys/crypto/fips_enabled
Time to get cooking. If you don't have wget, install it, then refresh the package cache and bring the system up to date:
sudo yum install wget
sudo yum clean all
sudo yum update
Move to /opt and create the install directory (root owns /opt, so the mkdir needs sudo):
cd /opt
sudo mkdir phantom
cd /opt/phantom
sudo wget -O soar.tgz "https://shorturl.at/79vg8"
A shortened URL hides where the download really comes from. Check where it redirects before trusting it, and compare the archive against a checksum you got out of band (for example from the download page) before unpacking it.
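Before unpacking, here are the pre-flight checks collected so far (OS release, FIPS state, firewall ports, archive hash) as one script. This is an added example written for this page, not part of Splunk SOAR's installer; the SHA-256 you pass to verify_tarball is assumed to come from a trusted source you already have, and the firewall rules are printed for review rather than applied.

```shell
#!/usr/bin/env bash
# Added pre-flight checks for the Splunk SOAR (Phantom) install on this page.
# Example code written for the page, not Splunk's installer. Each check takes
# an optional file path so it can be run against a constructed sample instead
# of the live host.

# soar-prepare-system only accepts CentOS 8 / RHEL 8. Read ID and VERSION_ID
# from os-release in a subshell and accept only those combinations.
supported_el8() {
    osrel="${1:-/etc/os-release}"
    [ -r "$osrel" ] || return 1
    os_id=$(. "$osrel" && printf '%s' "${ID:-}")
    os_ver=$(. "$osrel" && printf '%s' "${VERSION_ID:-}")
    case "$os_id" in
        centos|rhel) ;;
        *) return 1 ;;
    esac
    case "$os_ver" in
        8|8.*) return 0 ;;
        *) return 1 ;;
    esac
}

# FIPS mode: the kernel reports 1 when enabled, 0 when not.
fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# The page opens 22 and 2222; the https port handed to the installer must be
# open too or the web UI is unreachable through firewalld. Print the rules so
# they can be reviewed, then piped to `sudo sh`.
firewall_rules() {
    https_port="${1:-9999}"
    for p in 22 2222 "$https_port"; do
        printf 'firewall-cmd --permanent --zone public --add-port %s/tcp\n' "$p"
    done
    printf 'firewall-cmd --reload\n'
}

# Compare the downloaded archive against a SHA-256 obtained out of band
# (assumption: you have one from a trusted source). A URL shortener tells
# you nothing about what you actually got.
verify_tarball() {
    tarball="$1"
    expected="$2"
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$tarball" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$tarball" | awk '{print $1}')
    fi
    [ "$actual" = "$expected" ]
}

# Run the host-level checks and report; non-zero exit if the OS check fails.
preflight() {
    https_port="${1:-9999}"
    rc=0
    if supported_el8; then
        echo "os-release: CentOS/RHEL 8, supported"
    else
        echo "os-release: not CentOS/RHEL 8; soar-prepare-system will reject this host"
        rc=1
    fi
    if fips_enabled; then echo "fips: enabled"; else echo "fips: disabled"; fi
    echo "firewall rules to apply as root:"
    firewall_rules "$https_port"
    return "$rc"
}

preflight "${1:-9999}" || echo "preflight: fix the above before unpacking SOAR"
```

Run it as `./preflight.sh 9999` (or whatever https port you plan to pass to the installer), then `verify_tarball /opt/phantom/soar.tgz <sha256>` once you have a hash to compare against.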
Unpack the archive, move into the extracted splunk-soar directory, and run the system preparation script as root (this is the step that checks the OS release and prepares the host; the https port given here must match the one you open in the firewall and pass to the installer):
sudo tar -xvzf ./soar.tgz
cd splunk-soar
sudo ./soar-prepare-system --splunk-soar-home /opt/phantom --https-port 9999
The mirror for GlusterFS packages has moved, changing the URL Splunk SOAR (On-premises) uses to download those packages. You will need to update the file install_common.py before you can build or upgrade a clustered deployment, or use a GlusterFS external fileshare; a single-node install that doesn't use GlusterFS isn't affected.
With a text editor, update install_common.py. On or around line 208, modify the GLUSTER_RPM_SOURCE_BASE_URL_EL8 declaration, changing the word "mirror" in the URL to the word "vault", so it reads:
GLUSTER_RPM_SOURCE_BASE_URL_EL8 = ("https://vault.centos.org/centos/8-stream/storage/x86_64/gluster-9/Packages/")
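If you are doing this on several cluster nodes, the edit is easier to script than to repeat in an editor. The helper below is an added example written for this page, not Splunk's code. It assumes the stock declaration carries the URL https://mirror.centos.org/centos/8-stream/storage/x86_64/gluster-9/Packages/ (which the mirror-to-vault instruction implies) and matches on that path rather than on the variable name, so it still works if the Python declaration is split over two lines. The sample file in the usage is constructed, not the real install_common.py.

```shell
#!/usr/bin/env bash
# Added example for this page: script the mirror -> vault edit in
# install_common.py and verify it. Not part of Splunk SOAR.
# Assumption: the stock file contains the URL
#   https://mirror.centos.org/centos/8-stream/storage/x86_64/gluster-9/Packages/
# and the fix is to point that same path at vault.centos.org.

GLUSTER_PATH='centos/8-stream/storage/x86_64/gluster-9/Packages/'

# Rewrite only the line carrying the Gluster package URL, matched on its path
# so other uses of "mirror" in the file are left alone. sed keeps a backup
# as <file>.orig.
patch_gluster_url() {
    f="$1"
    sed -i.orig \
        "\#mirror\.centos\.org/${GLUSTER_PATH}# s#https://mirror\.centos\.org/#https://vault.centos.org/#" \
        "$f"
}

# Succeeds only if the file now carries the vault URL for that path and no
# mirror URL for it remains.
gluster_url_is_vault() {
    f="$1"
    grep -q "https://vault\.centos\.org/${GLUSTER_PATH}" "$f" &&
        ! grep -q "https://mirror\.centos\.org/${GLUSTER_PATH}" "$f"
}

# Show the declaration and the URL line with line numbers for review.
show_gluster_url() {
    grep -n -e 'GLUSTER_RPM_SOURCE_BASE_URL_EL8' -e "${GLUSTER_PATH}" "$1"
}

# Usage against a constructed stand-in for install_common.py (the real file
# lives under /opt/phantom/splunk-soar and is much longer).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not the real install_common.py
MIRROR_NOTE = "mirror settings unrelated to gluster"
GLUSTER_RPM_SOURCE_BASE_URL_EL8 = ("https://mirror.centos.org/centos/8-stream/storage/x86_64/gluster-9/Packages/")
EOF
patch_gluster_url "$sample"
show_gluster_url "$sample"
gluster_url_is_vault "$sample" && echo "now points at vault.centos.org"
```

Against the real file, run `patch_gluster_url /opt/phantom/splunk-soar/install_common.py` and then `gluster_url_is_vault` on it; if the check fails, the file doesn't contain the URL the script assumes and you should fall back to editing line 208 by hand.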
Best practice is an unprivileged install, so create a non-root user (here, phantom), hand it the install directory, and run the installer as that user. A non-root user can't bind ports below 1024, which is one reason to pick a high https port like 9999 (the same one you opened in the firewall and passed to soar-prepare-system):
sudo useradd phantom
sudo chown phantom:phantom -R /opt/phantom
su - phantom
cd /opt/phantom/splunk-soar
./soar-install --splunk-soar-home /opt/phantom --https-port 9999