Last script updates: 30/01/2024
- Overview
- Features
- Prerequisites
- Usage Instructions
- Script Action Summary
- Safety Notes
- References
- License
## Overview

This Bash script automates the preparation and upgrade of Splunk SOAR (On-Premises) on Red Hat systems. It provides:

- System checks and preparation
- Optional OS updates and patching
- Service management (stop/start)
- Installer extraction and upgrade execution
- Safe prompts before each critical action

It is intended for administrators performing maintenance on Splunk SOAR environments.
## Features

- Step-by-step upgrade prompts
- OS verification (`rpm -q redhat-release`)
- `PHANTOM_HOME` validation
- YUM cache cleaning and OS package updates
- Service stop/start automation (`stop_phantom.sh` / `start_phantom.sh`)
- Cron daemon validation
- SOAR installer extraction and upgrade
- Automatic update of critical files (`install_common.py`)
## Prerequisites

- User & Permissions
  - Ensure a `phantom` user exists and owns the SOAR installation folder.
- Installation Path
  - Default: `/opt/phantom/`
  - A custom path can be provided when prompted.
- Installer File
  - Must match the pattern `splunk_soar-unpriv-*-x86_64.tgz`.
  - Place exactly one installer in the script's directory before execution.
- System Requirements
  - Red Hat Enterprise Linux (or compatible)
  - Sudo privileges
## Usage Instructions

```bash
# Clone the repository
git clone https://github.com/N0rdicSec/soar.git
cd soar

# Make the script executable (optionally rename it to something without spaces)
chmod +x "Splunk SOAR Update.sh"

# Run the script
sudo ./Splunk\ SOAR\ Update.sh
```

- Follow all interactive prompts.
- Each step can be skipped if it has already been completed or is unnecessary.
## Script Action Summary

1. Log in as the `phantom` user. Ensure this user owns the installation folder.
2. Disable warm standby or automated backups. Stop `ibackup.pyc` cron jobs or warm standby features if they are in use.
3. Stop all Splunk SOAR services: `sudo $PHANTOM_HOME/bin/stop_phantom.sh`
4. Clear YUM caches: `sudo yum clean all`
5. Update OS packages: `sudo yum update -y`
6. Restart the system (optional): `sudo reboot`
7. Check the cron daemon: `pgrep -x crond || sudo systemctl start crond.service`
8. Run the `soar-prepare-system` script: `sudo ./soar-prepare-system`
9. Extract the installer into `PHANTOM_HOME`:

   ```bash
   tar -xvf splunk_soar-unpriv-*-x86_64.tgz -C "$PHANTOM_HOME"
   cd "$PHANTOM_HOME/splunk-soar"
   ```

10. Update `install_common.py` in the extracted installer folder: replace the `mirror` URLs with `vault`. This must happen before the installer runs, since the installer reads this file.
11. Run the upgrade: `./soar-install --upgrade --with-apps`
12. Verify the upgrade: log in to the web interface to confirm the new version.
13. Optional: remove the installer file: `rm -f splunk_soar-unpriv-*-x86_64.tgz`

## Safety Notes

- Always back up your SOAR environment before starting.
- Stop all SOAR services before extraction.
- Perform OS updates and reboots in a maintenance window.
- Confirm warm standby/backup scripts are disabled.
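The following shell functions are an added example, not code from the N0rdicSec script, showing how the pre-flight checks that the summary relies on (a valid `PHANTOM_HOME` owned by the right user, exactly one installer matching the expected pattern, a running cron daemon, a Red Hat release) can be written so each failure is reported with a reason instead of the upgrade stopping halfway. It also adds a SHA-256 check on the installer, which the page does not mention; it assumes you have obtained the installer's published checksum from a trusted source and pass it in. The user name, paths and the constructed filenames in the usage comment are assumptions.

```bash
#!/usr/bin/env bash
# Pre-flight checks for a Splunk SOAR (On-Premises, unprivileged) upgrade.
# Added example; assumptions: PHANTOM_HOME layout with bin/stop_phantom.sh,
# owner user "phantom", installer placed in a directory you name.

# check_phantom_home DIR OWNER -> 0 if DIR looks like a SOAR install owned by OWNER
check_phantom_home() {
  local home="$1" owner="$2" actual
  [ -d "$home" ] || { echo "PHANTOM_HOME '$home' is not a directory" >&2; return 1; }
  [ -x "$home/bin/stop_phantom.sh" ] \
    || { echo "no executable $home/bin/stop_phantom.sh; is '$home' a SOAR install?" >&2; return 1; }
  # GNU stat first, BSD stat as fallback
  actual=$(stat -c %U "$home" 2>/dev/null || stat -f %Su "$home") || return 1
  [ "$actual" = "$owner" ] \
    || { echo "PHANTOM_HOME '$home' is owned by '$actual', expected '$owner'" >&2; return 1; }
}

# find_installer DIR -> prints the single installer matching the expected pattern;
# fails when there are none or more than one (a stray old tarball would otherwise
# be picked up by the shell glob in the tar step).
find_installer() {
  local dir="$1" found="" count=0 f
  for f in "$dir"/splunk_soar-unpriv-*-x86_64.tgz; do
    [ -e "$f" ] || continue          # an unmatched glob stays literal; skip it
    found="$f"
    count=$((count + 1))
  done
  case "$count" in
    0) echo "no installer matching splunk_soar-unpriv-*-x86_64.tgz in $dir" >&2; return 1 ;;
    1) printf '%s\n' "$found" ;;
    *) echo "ambiguous: $count installers in $dir; keep exactly one" >&2; return 1 ;;
  esac
}

# verify_sha256 FILE EXPECTED -> 0 if FILE hashes to EXPECTED (case-insensitive hex)
verify_sha256() {
  local file="$1" expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | awk '{print $1}')
  else
    actual=$(shasum -a 256 "$file" | awk '{print $1}')
  fi
  [ "$actual" = "$expected" ] \
    || { echo "checksum mismatch for $file: got $actual, expected $expected" >&2; return 1; }
}

# check_os -> 0 on a Red Hat (or compatible) system, per the script's own rpm check
check_os() {
  command -v rpm >/dev/null 2>&1 || { echo "rpm not found; not an RPM-based system" >&2; return 1; }
  rpm -q redhat-release >/dev/null 2>&1 \
    || { echo "redhat-release package not installed" >&2; return 1; }
}

# check_crond -> 0 if the cron daemon is running (the script starts it otherwise)
check_crond() {
  pgrep -x crond >/dev/null 2>&1 || { echo "crond is not running" >&2; return 1; }
}

# preflight PHANTOM_HOME OWNER INSTALLER_DIR [EXPECTED_SHA256]
# Runs the file-system checks in order and prints the installer path on success.
# OS and crond checks are left to the caller so this stays testable off-box.
preflight() {
  local home="$1" owner="$2" dir="$3" sha="${4:-}" installer
  check_phantom_home "$home" "$owner" || return 1
  installer=$(find_installer "$dir") || return 1
  if [ -n "$sha" ]; then
    verify_sha256 "$installer" "$sha" || return 1
  fi
  printf '%s\n' "$installer"
}

# Usage (assumed values):
#   check_os && check_crond && preflight /opt/phantom phantom "$PWD" <published-sha256> \
#     && echo "pre-flight OK, safe to stop services and extract"
```

Run the checks before `stop_phantom.sh`, so a missing or duplicated installer or a wrong checksum is caught while the platform is still serving, and call `find_installer` once and reuse its output for both `tar` and `rm -f` instead of repeating the glob.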
## License

This project is licensed under the MIT License. See the LICENSE file for details.
```mermaid
flowchart TD
A[Start: Run Splunk SOAR Update Script] --> B[Verify PHANTOM_HOME & User Permissions]
B --> C[Disable Warm Standby / Backup Scripts]
C --> D[Stop Splunk SOAR Services]
D --> E[Clear YUM Cache]
E --> F[Update OS & Packages]
F --> G{Restart System?}
G -->|Yes| H[System Reboot]
G -->|No| I[Check Cron Daemon]
I --> J[Run soar-prepare-system Script]
J --> K[Locate Installer File]
K --> L{Remove Existing Installation?}
L -->|Yes| M[Delete Old Splunk SOAR Folder]
L -->|No| N[Keep Old Installation]
M --> O[Extract Installer to PHANTOM_HOME]
N --> O
O --> P[Update install_common.py]
P --> Q[Run soar-install --upgrade --with-apps]
Q --> R[Start Splunk SOAR Services]
R --> S[Verify Upgrade via Web Interface]
S --> T{Remove Installer File?}
T -->|Yes| U[Delete Installer]
T -->|No| V[Keep Installer]
U --> W[End]
V --> W[End]
```

Legend:

- Rectangles = action steps
- Diamonds = decision points / prompts
- Flow is top-down, showing the script's steps in order