Install Splunk Phantom as a virtual machine image (2024)

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Splunk Phantom is delivered as a virtual machine image in .OVA format.

With the release of Splunk Phantom 4.10, the virtual machine image of Splunk Phantom is an unprivileged installation, meaning the application runs under the phantom user account, not as the root user.

  • The base installation directory for the unprivileged virtual machine is /opt/phantom/. All Splunk Phantom files and logs will be located under this directory. For example, log files are in /opt/phantom/var/log/phantom. In the instructions for installing a virtual machine image, <PHANTOM_HOME> represents the /opt/phantom/ directory.
  • The user account phantom owns the Splunk Phantom install, and should be used for all Splunk Phantom operations.
  • The custom HTTPS port is 9999, but the Splunk Phantom UI is also available on port 443.

Download the virtual machine image from the Splunk Phantom Community site on the Products page.

For evaluation or test environments, use a hypervisor or virtual machine management application such as VMware Fusion®, VMware Fusion Pro®, VMware Workstation Player®, VMware Workstation Pro®, or Oracle® VirtualBox.

For production environments, use VMware ESXi™ or VMware vSphere® version 5 or higher.

Install Splunk Phantom with VMware vSphere ESXi or VMware vSphere

These instructions might not be an exact match for the way your VMware vSphere or ESXi products are configured. Consult your vSphere administrator or the documentation on the VMware website for more options.

You can use thin provisioning and install VMware Tools with Splunk Phantom.

  1. Log in to the correct vSphere or vCenter asset.
  2. From the File menu, select Deploy OVF Template.
  3. Click Browse to locate the downloaded OVA file.
  4. Click Next.
  5. Fill out the remaining settings options. Consult the VMware documentation on the VMware website or your VMware administrator.
  6. Click Finish.

Install Splunk Phantom with VMware Fusion® or VMware Fusion Pro®

For more detailed information on installing virtual machine images, consult the VMware Fusion or VMware Fusion Pro documentation.

  1. Open VMware Fusion or VMware Fusion Pro.
  2. From the File menu, select New.
  3. Click More options.
  4. Click Import an existing virtual machine.
  5. Click Choose File. Navigate to the Splunk Phantom OVA file.
  6. Click Open.
  7. Follow the remaining prompts to launch the virtual appliance.

Install Splunk Phantom with VMware Workstation Pro®

For more detailed information on installing virtual machine images, consult the VMware Workstation Pro documentation.

  1. Open VMware Workstation Pro.
  2. Click Open a Virtual Machine.
  3. Navigate to the Splunk Phantom OVA file.
  4. Click Open.
  5. Type a name and storage path for the virtual appliance.
  6. Click Import.
  7. Click Power on this virtual machine.

Install Splunk Phantom with VMware Workstation Player®

For more detailed information on installing virtual machine images, consult the VMware Workstation Player documentation.

  1. Open VMware Workstation Player.
  2. Click Open a Virtual Machine.
  3. Navigate to the Splunk Phantom OVA file.
  4. Click Open.
  5. Type a name and storage path for the virtual appliance.
  6. Click Import.
  7. Click Play virtual machine.

If you are prompted to connect additional devices, such as sound cards or USB ports, to the virtual machine, decline. These devices are not required to run Splunk Phantom.

Install Splunk Phantom with Oracle® VirtualBox

For more detailed information on using Oracle VirtualBox to run virtual machine images, consult the VirtualBox end-user documentation on VirtualBox.org.

  1. Start Oracle VirtualBox.
  2. From the File menu, select Import Appliance.
  3. Select the folder icon to navigate to the Splunk Phantom OVA.
  4. Click Open.
  5. Click Continue.
  6. Click base_vm_centos_7.
  7. Click Start.

Complete the Splunk Phantom OVA install

These steps must be completed after the Splunk Phantom virtual appliance has been installed in your virtual machine manager. Splunk Phantom generates a self-signed TLS certificate when it launches for the first time; browsers will warn about it until you replace it with a certificate issued by a CA your organization trusts.

Set system passwords

You must set a new password for the user account phantom. The user account phantom has SSH and sudo permissions.

  1. SSH to the Splunk Phantom instance's operating system with the user account phantom. The default password is 'password', and it must be changed immediately.
  2. Set a new password for the phantom user account using the command passwd phantom.

More information about passwords and user accounts:

  • SSH is disabled for the root user.
  • The password for the root user has been set to a randomly generated string. If you want to set the password to a known value, use the phantom user account, and run the command sudo passwd root.
  • You may remove sudo access from the phantom user account. If you choose to do that, you must create another user account that has NOPASSWD sudo access.
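The two account facts above that matter most after first boot are that root cannot log in over SSH and that some account must keep NOPASSWD sudo. The following script is an added example and is not part of the Splunk Phantom documentation or product: it parses an sshd_config and a sudoers file, given as arguments so it can be run against copies, and reports whether PermitRootLogin is explicitly set to no in the global section and which principals hold NOPASSWD sudo. On the appliance you would point it at /etc/ssh/sshd_config and /etc/sudoers (as root, via sudo); the file paths and sample contents used here are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the Splunk Phantom docs): post-install checks for the
# "Set system passwords" step. Both inputs are file paths so the functions can
# be exercised on copies; on the appliance use /etc/ssh/sshd_config and
# /etc/sudoers (read as root).

# Print the effective global PermitRootLogin value in lower case. sshd honours
# the first match, and keywords after the first "Match" block are scoped to that
# block, so parsing stops there. Prints "unset" when the keyword is absent, so a
# caller can insist on an explicit "no" rather than relying on the OpenSSH default.
effective_permit_root_login() {
    val=$(awk 'tolower($1) == "match" { exit }
               tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    if [ -z "$val" ]; then echo "unset"; else echo "$val"; fi
}

# Print the user or %group names that carry a NOPASSWD tag in a sudoers file.
# Comment lines are skipped (this also skips #include directives, so included
# files under /etc/sudoers.d must be passed separately), and Defaults lines are
# ignored. Backslash-continued rules are not joined.
nopasswd_principals() {
    awk '/^[[:space:]]*#/ { next }
         /NOPASSWD/ && NF > 0 && $1 != "Defaults" { print $1 }' "$1"
}

# Report the two conditions. Usage: check_appliance SSHD_CONFIG SUDOERS
# Returns 0 when root SSH login is explicitly disabled and at least one
# principal still has NOPASSWD sudo (the docs require one such account).
check_appliance() {
    rc=0
    prl=$(effective_permit_root_login "$1")
    if [ "$prl" = "no" ]; then
        echo "ok    PermitRootLogin no"
    else
        echo "FAIL  PermitRootLogin is '$prl' (expected an explicit 'no')"
        rc=1
    fi
    principals=$(nopasswd_principals "$2")
    if [ -z "$principals" ]; then
        echo "FAIL  no NOPASSWD sudo rule found; keep one such account for upgrades"
        rc=1
    else
        echo "ok    NOPASSWD sudo granted to: $(echo "$principals" | tr '\n' ' ')"
    fi
    return $rc
}

# Run the checks when invoked with the two file paths, e.g.
#   sudo ./check_appliance.sh /etc/ssh/sshd_config /etc/sudoers
if [ "$#" -eq 2 ]; then
    check_appliance "$1" "$2"
fi
```

The awk parsers deliberately stop at the first Match block and refuse to treat an absent PermitRootLogin as a pass; an appliance that passes only because of an OpenSSH compile-time default can silently regress on the next sshd package upgrade.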

Configure the network settings for the virtual machine

The Splunk Phantom virtual machine requires a static IP address for production environments. In a test environment, you can use DHCP.

  1. SSH to the Splunk Phantom instance with the user account phantom.

    ssh phantom@<Splunk Phantom hostname or IP address>

  2. Elevate to root.

    sudo su -

  3. Edit the /etc/sysconfig/network-scripts/ifcfg-ens160 file. The file has these default settings:

    TYPE=Ethernet
    ONBOOT=yes
    BOOTPROTO=dhcp
    NM_CONTROLLED=NO
    DEVICE=ens160

    Change BOOTPROTO to static and add entries for IPADDR, NETMASK, and GATEWAY. Your finished file looks something like this:

    TYPE=Ethernet
    ONBOOT=yes
    BOOTPROTO=static
    NM_CONTROLLED=NO
    DEVICE=ens160
    IPADDR=<static_ip>
    NETMASK=<netmask>
    GATEWAY=<gateway>
  4. Add name servers to your network configuration in /etc/resolv.conf.
    echo "nameserver <nameserver_ip>" >> /etc/resolv.conf
  5. Restart networking on the virtual machine.
    systemctl restart network
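A typo in IPADDR, NETMASK, or GATEWAY in step 3 leaves the appliance unreachable over SSH after step 5, and you then need console access through the hypervisor to recover. The script below is an added example, not code from the Splunk Phantom documentation: it validates the three values (well-formed addresses, a contiguous netmask, gateway on the same subnet), backs up any existing file, and only then writes the ifcfg file from the procedure above. The output path is a parameter so the functions can be tried against a scratch file; on the appliance it would be /etc/sysconfig/network-scripts/ifcfg-ens160, written as root after sudo su -. The interface name ens160 and the sample addresses are taken from the page and from constructed test input respectively.

```shell
#!/usr/bin/env bash
# Added example (not from the Splunk Phantom docs): validate and write the
# static-IP ifcfg file for ens160. Usage:
#   write_ifcfg IPADDR NETMASK GATEWAY PATH
# On the appliance PATH is /etc/sysconfig/network-scripts/ifcfg-ens160 (as root).

# Print a dotted-quad IPv4 address as a 32-bit integer; fail silently on bad input.
ipv4_to_int() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# A netmask is valid when its one-bits form a single run from the top: the
# inverted mask is then a run of ones from the bottom, and x & (x + 1) == 0.
# 0.0.0.0 is rejected as well since it cannot be the appliance's mask.
valid_netmask() {
    m=$(ipv4_to_int "$1") || return 1
    inv=$(( ~m & 4294967295 ))
    [ $(( inv & (inv + 1) )) -eq 0 ] && [ "$m" -ne 0 ]
}

# The gateway must sit in the address's subnet and must not equal the address.
same_subnet() {
    a=$(ipv4_to_int "$1") || return 1
    g=$(ipv4_to_int "$2") || return 1
    m=$(ipv4_to_int "$3") || return 1
    [ $(( a & m )) -eq $(( g & m )) ] && [ "$a" -ne "$g" ]
}

# Print the finished file exactly as the procedure describes it.
render_ifcfg() {
    printf 'TYPE=Ethernet\nONBOOT=yes\nBOOTPROTO=static\nNM_CONTROLLED=NO\nDEVICE=ens160\nIPADDR=%s\nNETMASK=%s\nGATEWAY=%s\n' "$1" "$2" "$3"
}

# Validate all three values, keep a timestamped backup of any existing file,
# then write. Nothing is written if any check fails.
write_ifcfg() {
    ip=$1; mask=$2; gw=$3; path=$4
    ipv4_to_int "$ip" >/dev/null || { echo "invalid IPADDR: $ip" >&2; return 1; }
    valid_netmask "$mask"       || { echo "invalid NETMASK: $mask" >&2; return 1; }
    same_subnet "$ip" "$gw" "$mask" || { echo "GATEWAY $gw is not on $ip/$mask" >&2; return 1; }
    [ -f "$path" ] && cp -p "$path" "$path.bak.$(date +%Y%m%d%H%M%S)"
    render_ifcfg "$ip" "$mask" "$gw" > "$path"
}

# When run as a script with four arguments, write the file and remind the
# operator of the remaining step (restart networking from the console, not
# over the SSH session whose address is about to change).
if [ "$#" -eq 4 ]; then
    write_ifcfg "$@" && echo "wrote $4; now run: systemctl restart network"
fi
```

Run the restart from the hypervisor console rather than from the SSH session, because the session's address changes when networking comes back up.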

The custom HTTPS port for unprivileged OVA or AMI based installations is TCP port 9999. However, the UI is still accessible on TCP port 443.

Next step: log in to verify the installation

You can log in to the Splunk Phantom web interface after the setup script completes to configure user accounts and additional settings. See Log in to the Splunk Phantom web interface.

Article information

Author: Velia Krajcik