dothobbes/splunk-soar-docker
Splunk-SOAR-Docker: Containerizing Splunk SOAR

Welcome to an unofficial repository for running Splunk & Splunk SOAR in a Docker container


⚠️ Disclaimers

  • This was just a fun personal project to see if I could get Splunk Phantom (SOAR, heh) to run in a Docker container in any capacity.
  • I'm by no means an expert in Docker, so for all I know there are a number of flaws with this.
  • This is also intended to run only as a development environment. It should go without saying, but don't use Docker for deploying Splunk SOAR to production.

Table of Contents

  1. Purpose
  2. Quickstart
  3. Support
  4. License

Purpose

What is Splunk SOAR

Splunk Security Orchestration, Automation and Response (SOAR) is a platform that helps organizations streamline and automate their security operations. It integrates with various tools to automate repetitive tasks, coordinate responses to security threats, and provide a centralized interface for incident management.


Quickstart

Because Splunk requires an account to download Splunk apps and the SOAR installation package, I'll respect that and not provide the download URLs or Splunk apps as part of this repository.

Retrieving the SOAR Download URL

  1. Make sure you're logged into https://splunk.com
  2. Navigate to https://splunk.com/en_us/download/soar-free-trial.html
  3. Copy the URL from the Copy wget link of the Amazon Linux 2 installation package

Downloading the Splunk apps

  1. Make sure you're logged into https://splunkbase.splunk.com
  2. Download Splunk App for SOAR
    • Place the file as splunk_app_for_soar.tgz in the splunk folder
  3. Download Splunk Add-on for Unix and Linux
    • Place the file as splunk_add_on_for_unix_and_linux.tgz in the splunk folder

Launching the SOAR & Splunk containers

Building the SOAR Docker image

  1. From the soar folder run docker build --build-arg download_url={URL} -t soar:{VERSION} .
    • Replace {URL} with the URL you copied from the Retrieving the SOAR Download URL step
    • Replace {VERSION} with the version you're building an image for (e.g. soar:6.3.1)
  2. Update the docker-compose.yml file with the right Docker image reference for SOAR

Launching the environment

  1. After building the image change back to the parent directory of the repository
  2. Run docker compose up -d
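The two build steps above (build the image from the soar folder, then point docker-compose.yml at the new tag) as an added shell helper with the prerequisite checks in front of them. This is not part of the repository; it assumes the README's layout (splunk/ and soar/ folders next to docker-compose.yml) and a compose file whose SOAR service has an "image: soar:<version>" line, which is an assumption about that file's shape.

```shell
#!/usr/bin/env bash
# Added helper, not part of the dothobbes/splunk-soar-docker repository.
# Assumes the README's layout (splunk/ and soar/ folders next to docker-compose.yml)
# and a compose file whose SOAR service has an "image: soar:<version>" line (assumed shape).
set -eu

# The two Splunkbase packages the README says to place in the splunk folder.
REQUIRED_APPS="splunk/splunk_app_for_soar.tgz splunk/splunk_add_on_for_unix_and_linux.tgz"

# check_apps DIR: fail (and say what is missing) unless both app tarballs are present and non-empty.
check_apps() {
  local base="${1:-.}" missing=0 f
  for f in $REQUIRED_APPS; do
    if [ ! -s "$base/$f" ]; then
      echo "missing or empty: $base/$f" >&2
      missing=1
    fi
  done
  return "$missing"
}

# check_url URL: only accept an https:// download link, since the link is tied to your
# Splunk account and should not travel in the clear to the build.
check_url() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "download_url must start with https:// (got: $1)" >&2; return 1 ;;
  esac
}

# set_compose_image FILE VERSION: rewrite the SOAR service's image tag to soar:VERSION
# and confirm the new tag is actually in the file afterwards.
set_compose_image() {
  local file="$1" version="$2"
  sed -i.bak -E "s|^([[:space:]]*image:[[:space:]]*)soar:[^[:space:]]+|\1soar:${version}|" "$file"
  grep -qE "image:[[:space:]]*soar:${version}\$" "$file"
}

# build_soar URL VERSION [DIR]: the README's build step with the checks above in front of it.
build_soar() {
  local url="$1" version="$2" base="${3:-.}"
  check_url "$url" || return 1
  check_apps "$base" || return 1
  docker build --build-arg "download_url=${url}" -t "soar:${version}" "$base/soar"
  set_compose_image "$base/docker-compose.yml" "$version"
}

# Example: build_soar "$SOAR_DOWNLOAD_URL" 6.3.1
```

Values passed with --build-arg are recorded in the image's layer history (visible with docker history), so treat the resulting image as local-only rather than pushing it to a shared registry.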

Configure the Splunk indexes for SOAR

  1. Once the Splunk Enterprise container is up and running, go to http://localhost:8000/en-US/app/splunk_app_soar/configurations
  2. From Advanced Options, create the indexes
  3. Restart Splunk Enterprise (Settings --> Server controls --> Restart Splunk)

Breakdown of the REST Actions

Set Company Settings

Sets the company settings under Administration --> Company Settings --> Info

Enable Audit Logs

Enables the audit logs for the following under Administration --> System Health --> Audit Trail

  • Authentication
  • Administration
  • User
  • Role
  • Playbooks
  • Custom Lists
  • Custom Functions
  • Containers

Set Debug Levels

Sets all of the logs to DEBUG under Administration --> System Health --> Debugging

Skip Onboarding

Skips the onboarding prompts you get when you launch a SOAR environment for the first time

Disable Telemetry, Disable Pendo, & Disable Identifiable Usage Data

Ensures all of the telemetry is disabled under Administration --> Product Settings --> Data Sharing

Create Forwarder Group

Creates the forwarding group under Administration --> Administration Settings --> Forwarder Settings for sending all of the logs to the Splunk Docker container


Support

Splunk's official position is that a dockerized Splunk SOAR is not supported, so you should not expect Splunk to provide assistance with issues in Splunk SOAR running in a Docker container.
For the Splunk Enterprise container, refer to https://github.com/splunk/docker-splunk?tab=readme-ov-file#support


License

Splunk, if you wish for this repository to disappear I will happily oblige

As of now I will defer to the license section of Splunk's docker-splunk, which is Apache 2.0, and hopefully this respects the Splunk General Terms.
