0% found this document useful (0 votes)

295 views

Splunk Phantom Validated Architectures

This document provides an overview of Splunk SOAR Validated Architectures (SSVAs), which are proven reference architectures for deploying Splunk SOAR. SSVAs are designed to provide optimized performance, scalability, security, availability and manageability. The document outlines a three-step process for selecting an SSVA topology including defining requirements, choosing a clustered or non-clustered topology option, and applying design principles and best practices. It also describes what SSVAs include, such as deployment diagrams and guidelines, as well as what they do not include, such as implementation choices and deployment sizing recommendations.

Uploaded by

true blast

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

295 views

Splunk Phantom Validated Architectures

Uploaded by

true blast

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 74

Splunk SOAR Validated Architectures

Version 2.0
Product Best Practices

Version 2 on June 3, 2021

SSVAs - 1 – v2.0
SSVAs - 2 – v2.0
Table of Contents

Splunk SOAR Validated Architectures Version 2.0 1

Introduction 4
1.1 Pillars of Splunk SOAR Validated Architectures 5
1.2 What to Expect from Splunk SOAR Validated Architectures 5
1.3 Roles and Responsibilities 6
1.4 Overview of the Splunk SOAR Validated Architectures Selection Process 7
1.5 Step 1: Define Your Requirements for Automation 7
1.5.1 Things to Keep Under Consideration 8
1.5.2 Topology Categories 8
1.5.2.1 Define Your Requirements for Automation 9
1.5.2.2 Questionnaire 1: Define your requirements for integrations: 12
1.5.3 How to Determine Your Topology Category Code 12
1.6 Step 2: Choose a Topology for Automation 13
1.6.1 Using Your Topology Category Code 13
1.6.2 Non-clustered deployment options 14
1.6.3 Clustered deployment options 24
1.7 Step 3: Apply Design Principles and Best Practices 29
1.7.1 Deployment and Integrations Architectural Diagrams 29
1.7.2 Aligning Your Topology with Best Practices 50
1.7.3 Best Practices: Tier-Specific Recommendations 50
Summary & Next Steps 52
1.8 Next Steps 52
1.9 Appendix "A": SSVA Pillars Explained 54
1.10 Appendix "B": Topology Components 55

SSVAs - 3 – v2.0
Introduction
Splunk SOAR Validated Architectures (SSVAs) are proven reference architectures for stable, efficient, and
repeatable Splunk SOAR deployments. Many of Splunk's existing customers have experienced rapid adoption
and expansion, leading to certain challenges as they attempt to scale. New Splunk SOAR customers are
increasingly looking for guidelines and certified architectures to ensure that their initial deployment is built on a
solid foundation. SSVAs have been developed to help our customers with these growing needs.
Whether you are a new or existing Splunk SOAR customer, SSVAs will help you build an environment that is
easier to maintain and simpler to troubleshoot. SSVAs are designed to provide you with the best possible results
while minimizing your total cost of ownership. Additionally, your entire Splunk SOAR foundation will be based on a
repeatable architecture which will allow you to scale your deployment as your needs evolve over time.
SSVAs offer topology options that consider a wide array of organizational requirements, so you can easily
understand and find a topology that is right for your requirements. The Splunk SOAR Validated Architectures
selection process will help you match your specific requirements to the topology that best meets your
organization's needs. If you are new to Splunk SOAR, we recommend implementing a Validated Architecture for
your initial deployment. If you are an existing customer, we recommend that you explore the option of aligning
with a Validated Architecture topology. Unless you have unique requirements that make it necessary to build a
custom architecture, it is very likely that a Validated Architecture will fulfill your requirements while remaining cost
effective.
This white paper will provide you with an overview of SSVAs. Within this whitepaper, you will find the resources
you need to go through the SSVA selection process, including the requirements questionnaire, deployment
topology diagrams, design principles, and general guidelines.
If you need assistance implementing a Splunk SOAR Validated Architecture, contact Splunk Professional
Services (https://www.splunk.com/en_us/support-and-services/splunk-services.html).
Document Structure
SSVAs are broken into three major content areas:
1. Automation and Case Management Tier
Automation and Case Management covers the architecture tier that provides the Splunk SOAR functionality –
front-end interface, playbook automation, and data storage.
2. Integrations Tier
The Integrations Tier section guides you in choosing the right integrations to meet your requirements.
3. Design Principles and Best Practices
Design Principles and Best Practices apply to your architecture as a whole and will help you make the correct
choices when working out the details of your deployment.

SSVAs - 4 – v2.0
Reasons to Use Splunk SOAR Validated Architectures
Implementing a Validated Architecture will empower you to design and deploy Splunk SOAR more confidently.
SSVAs will help you solve some of the most common challenges that organizations face, including:
Performance
● Organizations want to see improvements in performance and stability.
Complexity
● Organizations sometimes run into the pitfalls of custom-built deployments, especially when they have grown
too rapidly or organically. In such cases, unnecessary complexity may have been introduced into the
environment. This complexity can become a serious barrier when attempting to scale.
Efficiency
● To derive the maximum benefits from the Splunk deployment, organizations must improve the efficiency of
operations and accelerate time to value.
Cost
● Organizations are seeking ways to reduce total cost of ownership (TCO), while fulfilling all of their
requirements.
Agility
● Organizations will need to adapt to change as they scale and grow.
Maintenance
● Optimization of the environment is often necessary in order to reduce maintenance efforts.
Scalability
● Organizations must have the ability to scale efficiently and seamlessly.
Verification
● Stakeholders within the organization want the assurance that their Splunk deployment is built on best
practices.

1.1 Pillars of Splunk SOAR Validated Architectures

Splunk SOAR Validated Architectures are built on the following foundational pillars. For more information on these
design pillars, refer to Appendix "A" below.

AVAILABILITY PERFORMANCE SCALABILITY SECURITY MANAGEABILITY

The system meets The system can The system is The system is The system is
customer maintain an designed to scale designed to centrally operable
continuity optimal level of on all tiers, protect data, and manageable
requirements is service under allowing you to configurations, across all tiers.
able to recover varying usage handle increased and assets while
from planned and patterns. workloads continuing to
unplanned outages effectively. deliver value.
or disruptions.
These pillars are in direct support of the Platform Management & Support Service in the Splunk Center of
Excellence model.

1.2 What to Expect from Splunk SOAR Validated Architectures

Please note that SSVAs do not include deployment technologies or deployment sizing. The reasoning for this is
as follows:

SSVAs - 5 – v2.0
● Deployment technologies, such as operating systems and server hardware, are considered implementation
choices in the context of SSVAs. Different customers will have different choices, so a generalization is not
easily possible.
● Deployment sizing requires an evaluation of data ingest volume, data types, file volumes, and playbook use
cases, which tend to be very customer-specific and generally have no bearing on the fundamental
deployment architecture itself.
● Customer should engage with Professional Services to ensure that proper sizing and adequate loading is
configured. Currently, there is no formal sizing guides for Splunk SOAR. There is a recommended single
instance sizing for productions systems located here for on premise systems:
https://docs.splunk.com/Documentation/Phantom/latest/Install/ProdRequirements

SSVAs will provide: SSVAs do not provide:

Clustered and non-clustered Implementation choices (OS, bare metal vs. virtual vs. Cloud etc.).
deployment options.
Deployment sizing.
Diagrams of the reference
architecture. A prescriptive approval of your architecture. Note: SSVAs provide
recommendations and guidelines, so you can ultimately make the right
Guidelines to help you select decision for your organization.
the architecture that is right for you
A topology suggestion for every possible deployment scenario. In
Tier-specific recommendations. some cases, unique factors may require a custom architecture to be
developed. Splunk experts are available to help with any custom
Best practices for building out solutions you need. If you are an existing customer, reach out to your
your Splunk SOAR deployment Splunk Account Team. If you are new to Splunk, you can reach us here
(https://www.splunk.com/en_us/talk-to-sales.html).

1.3 Roles and Responsibilities

Splunk SOAR Validated Architectures are highly relevant to the concerns of decision makers and administrators.
Architects, consultants, Splunk SOAR administrators, and managed service providers should all be involved in the
SSVA selection process. You will find a description of each of these roles below:
Role Description

Architects Responsible for architecting Splunk deployments to meet enterprise needs.

Consultants Responsible for providing services for Splunk architecture, design, and implementation.

Splunk SOAR Responsible for managing the Splunk SOAR product lifecycle.
Specialists

Managed Service Entities that deploy and run Splunk as a service for customers.
Providers

SSVAs - 6 – v2.0
1.4 Overview of the Splunk SOAR Validated Architectures Selection
Process
The Splunk SOAR Validated Architectures selection process will help you identify the simplest and most
streamlined architecture that meets all of your organization's needs.

Steps in the Selection Goals Considerations

Process

Step 1: Define Requirements Define ● Decision-makers, stakeholders, and admins

for: requirements. should collaborate to identify and define your
organization's requirements.
a) Automation and Case
Management ● If you already have a deployment in place, you
can evaluate your current architecture to see
b) Integration Needs
what it would take to move to a validated model.
For a questionnaire that will help you define your
requirements, refer to Step 1.5 below.

Step 2: Choose a Topology Choose a ● You'll choose a topology that best meets your
for: topology that requirements.
meets
Automation and Case ● Keep things simple and in accordance with the
identified
Management SSVA, so you can appreciate the easier path to
requirements.
scalability.
For diagrams and descriptions of topology options,
refer to Step 2 below.

Step 3: Apply Design Prioritize your ● Each design principle reinforces one or more of
Principles and Best design the pillars of Splunk SOAR Validated
Practices principles and architectures.
review tier-
● You'll prioritize design principles in accordance
specific
with the needs of your organization.
implementation
best practices. ● Tier-specific recommendations will guide your
topology implementation.
For a breakdown of design principles, refer to Step
3 below.

1.5 Step 1: Define Your Requirements for Automation

To select the appropriate deployment topology, you will need to do a deep dive into your requirements. Once you
have defined your requirements you will be able to choose the simplest, most cost-effective way to deploy Splunk
SOAR. Below you will find a questionnaire that will help you define key requirements areas for the indexing and
search tiers of your deployment.
SSVAs - 7 – v2.0
The requirements questionnaire focuses on areas that will have a direct impact on your deployment topology.
Therefore, we highly recommend that you record your answers to the questions below before choosing a topology
in the next step.

1.5.1 Things to Keep Under Consideration

Review your use cases
Headless operation is considered only for design and playbook execution and very minimal if any customer
interaction other than design and administrative operations. Case Management operation is considered full-use
functionality of the platform and is measured by the number of concurrent customers using the platform. As you
define your requirements, you should think about the intended usage of Splunk SOAR. For example, the topology
for a "headless" deployment of Splunk SOAR acting as an automation backend will require far fewer interactive
users than a deployment in which Splunk SOAR will be the case management system of record. You should fully
consider use cases involving:
● Headless vs Case management operations
● Reporting
● Availability
● Disaster Recovery Requirements
● Other use case scenarios specific to your organization
Depending on your use case scenarios, your deployment may need to provide additional architectural
characteristics.
Think about future growth
You will need to think about your immediate needs in order to define your requirements. However, you should
also consider future growth and scalability. Scaling your deployment may require expenditures, additional staffing,
or other resources you may want to start planning for today. We have started this plan for the average use for a
customer to able to last at least 1 year of operations before modification should be considered. This will
dependent on the usage, volume, playbook and asset configurations. Since these vary greatly between
customers, please understand that this planning varies between customers and is an estimate.

1.5.2 Topology Categories

The following is a key to SSVA topology categories. These categories are used in the questionnaire below. You
will also find references to these categories in the next steps of the SSVA selection process.
Platform Topology Categories
Category Explanation
Code

S Category "S" indicates a single-server Splunk SOAR deployment

X Category “X” indicates an externalized single-instance Splunk SOAR deployment with

externalized shared services (e.g., file share, database)

D Category "D" indicates a distributed Splunk SOAR deployment across two sites configured in
Warm Standby Mode. Warm Standby is not supported with externalized shared services.

C Category "C" indicates the need for a clustered automation and case management tier (data
replication and high capacity for automation is required). Clustered SOAR deployments always
require externalized shared services.

SSVAs - 8 – v2.0
Instance Requirements Categories
Category Explanation
Number

0 Category "0" indicates a Software as a Service model and no physical hardware is required.

1 Category "1" indicates a single or up to 3 hardware/virtual instances* will meet requirements

2 Category "2" indicates the need for multiple hardware/virtual instances minimum of 3 and up to 8
separate hardware instances per site
* Instance is defined as a single-instance appliance (virtual or on physical hardware), single-instance with external
shared components, a SaaS tenant, or a single SOAR cluster
Integration Tier Categories
Category Explanation
Code

E Category “E” indicates that SOAR will leverage an external Splunk instance for custom reporting
capability

E+ Category “E+” indicates that SOAR will leverage one or all of the optional customer provided load
balancers, NFS, or utilize AWS Services

CE Category “CE” indicates that SOAR will leverage an external Splunk Cloud Enterprise instance
for custom reporting capability or ingestion source.

CE+ Category “CE+” indicates that SOAR will leverage an external Splunk Cloud Enterprise instance
for custom reporting capability and AWS Services

1.5.2.1 Define Your Requirements for Automation

♦ See the key above for an explanation of topology category codes. If you answer "yes" to multiple questions, use
the topology category code for the highest numbered question.

SSVAs - 9 – v2.0
# Core
Platform Instance
Question Considerations Impact on Topology Topology Requirements

1 Are you wanting Consideration for case Candidate for SaaS S 0

a solution that management or cloud- solution that provides
reduces your based automation. reduced maintenance
infrastructure & costs and managed
High volume > 750
maintenance infrastructure.
events per hour and
costs?
High-performance Certain on-premises
transactions is not capabilities are not
required. present.
Supports up to ~20 Constrained to regional
concurrent users deployments

2 Is your expected Considered short-term Candidate for a single S 1

daily data ingest growth in the daily server deployment,
up to 500 ingest (~6-12 month) depending on answers
forwarded to availability-related
These are forwarded
events/hour? questions
events to SOAR and not
These are ES or Splunk EPS
forwarded calculation
events to SOAR
and not ES or
Splunk EPS
calculations

3 Are you Need to consider long- Candidate for X 1

ingesting up to term growth of database externalizing shared
500 and file collections (~6- services like file and
events/hour 12 month) database to increase
and using case performance and local
If you have your own
management redundancy.
site replication
with less than
capabilities like VMware
10 personnel
Site Recovery Manager
continuously?
or in AWS region and
don't require multi-
regional support

4 Do you require If you are planning on Requires two SOAR D 1

Disaster using SOAR for data instances deployed in a
Recovery for enrichment only and/or warm standby
data ingestion or batched automation configuration to support
automation? jobs, an interruption of continuous ingest and
service may be automation
acceptable.
This is the most
common customer use
configuration. It provides
Active/Passive Warm
Standby services.

SSVAs - 10 – v2.0
# Core
Platform Instance
Question Considerations Impact on Topology Topology Requirements

5 Is your expected Automated playbook Requires a High- C 1

daily data ingest development greatly Capacity Clustered
greater than affects event ingestion. Automation and Case
~500 forwarded Default build can handle Management tier with
events/hour? ingestion of ~10,000 externalized shared
events a day. services.
These are
forwarded This configuration is
events to SOAR considered high volume
and not ES or and high availability. It is
Splunk EPS a horizontally scalable
calculations deployment.
If your continuous user
count is above 10 users
a day, you should
consider a clustered
deployment

6 Assuming an If your use case is Requires a High- D/C 1

available Splunk swiftly, responding to, Capacity Clustered
SOAR instance: and remediating issues Automation and Case
Does your data from ingested alerts, Management tier or a
need to ensure automated blocking or Distributed system with
active/active removal and local site Customer provided
availability for down time is not equipment.
automation acceptable.
D is TCO is less than C
execution?
TCO. With D customer
needs to provide
adequate application-
level load balancers and
must script the process
to fail over.

7 Do you operate Disaster recovery Failover will require two D/M 2

multiple data requirements may SOAR
centers and dictate continuous platforms operating in in
require recovery prescribe RTO/RPO warm standby mode.
of your Splunk goals for manual
Use "D" if SOAR is
SOAR disaster recovery
being used for case
environment in
management
case of a data
center outage? Use "M" if SOAR is not
being used for case
management

8 Do you need to Requirements for more Requires a clustered C 1

support many than ~10 concurrent Automation and Case
concurrent users typically require Management tier with
users? horizontal scaling of the externalized shared
Automation and Case services.
Management Tier

SSVAs - 11 – v2.0
1.5.2.2 Questionnaire 1: Define your requirements for integrations:
# Question Considerations Impact on Topology Integration
Requirements

1 Do you require SOAR Clustering requires the E

clustering (see above externalization of
questionnaire)? Splunk to act as the
SOAR Reporting Tier

2 Do you require the Standard reports & Custom reporting and E

ability to create custom metrics can be dashboards require an
dashboards and reports produced without any external Splunk
for SOAR metrics? external reporting Enterprise instance to
components or act as the SOAR
resources. Reporting Tier
Indicate a yes here, if
you have custom
metrics you want to
measure or detailed
reporting requirements.

3 Do you want to provide If the customer wants to Reduced cost of E+

your own external provide separate file ownership
infrastructure or utilize services or database
cloud infrastructures services.

4 Do you require the If you are using Splunk Requires the use of CE
ability to integrate Cloud or Cloud ES and Splunk SOAR in the
Splunk Cloud yet want SOAR on- DMZ or VPC
Infrastructure with premises only. connections to provide
customer provided cloud to premise
infrastructure (on connectivity.
premise)

5 Do you require the If the customer wants to Custom reporting and CE+
ability to integrate provide separate file dashboards require an
Splunk Cloud services or database external Splunk
Infrastructure with services. instance to act as the
customer provided or SOAR Reporting Tier
If you are using Splunk
other Cloud
Cloud or Cloud ES and
infrastructure
yet want to integrate
SOAR

1.5.3 How to Determine Your Topology Category Code

Based on your answers to the requirements questionnaire above, you will end up with a combined topology
category indicator that will allow you to identify the best topology for your needs. Instructions and examples are
provided below.
Instructions
1. Write down the questions to which you answered "yes".
2. If you answered "yes" to multiple questions, follow the topology recommendation for the highest numbered
question. If you see multiple topology options (for example, "S/C"), look at the previous questions to
determine which option is best suited for you.
3. Your reporting tier code will be the letter representing the question(s) to which you answered yes. If your
answer results are yes, then use E for your reporting tier code.

SSVAs - 12 – v2.0
Example #1
Let's say you answered "yes" to questions #4, #5 and #7, and you need custom reporting requirements (1b.
Question #2). You will end up with a topology category of "C1E", indicating the need for a clustered indexing tier
with an external reporting server.

Example #1
Let's say you answered "yes" to questions #4, #5 and #7, and you need custom reporting requirements (1b.
Question #2). You will end up with a topology category of "C1E", indicating the need for a clustered indexing tier
with an external reporting server(s).

1.6 Step 2: Choose a Topology for Automation

Topologies are generally split into non-clustered and clustered deployments. Non-clustered deployments require
the least number of distinct components and have excellent scalability characteristics.
Remember: The primary goal of the SSVA selection process is to allow you to build what you need without
introducing unnecessary components.
Note
While you may choose to implement a topology that provides additional benefits beyond your immediate
needs, keep in mind that this will likely result in unnecessary costs. Moreover, the introduction of additional
complexity is often counter-productive to operational efficiency.
Important Note about topology diagrams
The icons in the topology diagrams represent functional Splunk roles and do not imply dedicated
infrastructure to run them. Please see the Appendix for guidance as to which Splunk roles can be collocated on
the same infrastructure/server.

1.6.1 Using Your Topology Category Code

Before selecting a topology option, it is highly recommended that you complete the requirements questionnaire to
determine your topology category code. If you have not yet done this, please go back and complete the previous
step above. Once you have your topology category code you will be able to identify the deployment option that is
the best fit for your stated requirements. These Automation tier topologies have been matched and aligned to
your recommended Splunk Index and Search topologies.

SSVAs - 13 – v2.0
1.6.2 Non-clustered deployment options
Below you will find the following the available topology options:
Type of Deployment Topology Category Code(s)

Single Tenant Deployment using Software as a Service with S0

Splunk managed infrastructure

Single Tenant Deployment using Software as a Service with S0E

Splunk managed infrastructure with on premise integration

Single Tenant Deployment using Software as a Service with S0E+

Splunk managed infrastructure with hybrid cloud solution

Single Tenant Deployment using Software as a Service with S0CE

Splunk managed infrastructure with Splunk Cloud Integration

Single Server Deployment using embedded Splunk integration - S1

Single site

Single Server Deployment using Splunk Enterprise Integration - S1E

Single site

Single Server Deployment using external Shared Services with X1

embedded Splunk

Single Server Deployment using external Shared Services with X1E

Splunk Enterprise Integration

Distributed Warm Standby Deployment using embedded Splunk D2

integration - Multiple site

Distributed Warm Standby Deployment using embedded Splunk D2E

with customer provided infrastructure – Multiple site

Distributed Warm Standby Deployment using embedded Splunk D2E+

with customer provided infrastructure – Multiple site

Distributed Warm Standby Deployment with Splunk Cloud D2CE

Integration - Multiple site

Distributed Warm Standby Deployment with Splunk Cloud D2CE+

Integration - Multiple site

High Capacity Clustered Deployment - Single Site C1

High Capacity Clustered Deployment - Single Site C1E

High Capacity Clustered Deployment with AWS Integrations or C1E+

customer provided infrastructure – Single Site

High Capacity Clustered Deployment with Splunk Cloud – Single C1CE

Site

High Capacity Clustered Deployment with Splunk Cloud and C1CE+

AWS Integrations – Single Site

High Capacity Clustered Deployment - Multiple Site M2E

High Capacity Clustered Deployment with Splunk Cloud - M2CE

Multiple Site

High Capacity Clustered Deployment with Splunk Cloud and M2CE+

AWS Integrations - Multiple Site

SSVAs - 14 – v2.0
1.6.2.1 Single Server Deployment (S0)

Automation & Case Management Tier

SOAR
Automation Broker

For an explanation of topology components, refer to Appendix "B" below.

Description of the Single Server Deployment (S0) Limitations

This deployment topology provides you with a very cost-effective ● Scalability provided by Splunk
solution if your environment meets all the following criteria: managed infrastructure
a) you have requirements to provide high-availability or automatic ● Constrained to regional
disaster recovery for your Splunk SOAR Deployment, deployments
b) your daily event ingestion is < 750 events per day, and ● Limited to Internet accessible
integrations or Automation
c) you have approximately 20 concurrent users in your environment
Broker integrations
d) suitable for a production environment
The primary benefits of this topology include easy manageability, good
search performance for smaller ingest and concurrent user count.
This topology is commonly used in production environments and the
primary benefits of this topology include easy manageability and a
fixed TCO.

SSVAs - 15 – v2.0
1.6.2.2 Single Server Deployment (S0E)

Automation & Case Management Tier

SOAR
Automation Broker

Reporting Tier
Splunk

For an explanation of topology components, refer to Appendix "B" below.

Description of the Single Server Deployment (S0E) Limitations

This deployment topology provides you with a very cost-effective ● Scalability provided by Splunk
solution if your environment meets all the following criteria: managed infrastructure
a) you have requirements to provide high-availability or automatic ● Ingestion and reporting are
disaster recovery for your Splunk SOAR Deployment, mostly provided by Splunk
Integrations
b) your daily event ingestion is < 750 events per day, and
● Splunk forwarding will need
c) you have approximately 20 concurrent users in your environment
access to the public internet
d) suitable for a production environment
● Constrained to regional
The primary benefits of this topology include easy manageability, good deployments
search performance for smaller ingest and concurrent user count.
Common integration with SaaS and hybrid cloud integrations
This topology is commonly used in production environments and the
primary benefits of this topology include easy manageability and a
fixed TCO.

SSVAs - 16 – v2.0
1.6.2.3 Single Server Deployment (S0E+)

Automation & Case Management Tier

SOAR
Automation Broker

Reporting Tier
Splunk

For an explanation of topology components, refer to Appendix "B" below.

Description of the Single Server Deployment (S0E+) Limitations

This deployment topology provides you with a very cost-effective ● Scalability provided by Splunk
solution if your environment meets all the following criteria: managed infrastructure
a) you have requirements to provide high-availability or automatic ● Ingestion and reporting are
disaster recovery for your Splunk SOAR Deployment, mostly provided by Splunk
Integrations
b) your daily event ingestion is < 750 events per day, and
● Splunk forwarding will need
c) you have approximately 20 concurrent users in your environment
access to the public internet
d) suitable for a production environment
● Constrained to regional
The primary benefits of this topology include easy manageability, good deployments
search performance for smaller ingest and concurrent user count.
Common integration with SaaS and hybrid cloud integrations
This topology is commonly used in production environments and the
primary benefits of this topology include easy manageability and a
fixed TCO.

SSVAs - 17 – v2.0
1.6.2.4 Single Server Deployment (S0CE)

Automation & Case Management Tier

SOAR
Automation Broker

Reporting Tier
Splunk

For an explanation of topology components, refer to Appendix "B" below.

Description of the Single Server Deployment (S0CE) Limitations

This deployment topology provides you with a very cost-effective ● Scalability provided by Splunk
solution if your environment meets all the following criteria: managed infrastructure
a) you have requirements to provide high-availability or automatic ● Ingestion and reporting are
disaster recovery for your Splunk SOAR Deployment, mostly provided by Splunk
Cloud Integrations
b) your daily event ingestion is < 750 events per day, and
● Constrained to regional
c) you have approximately 20 concurrent users in your environment
deployments
d) suitable for a production environment
The primary benefits of this topology include easy manageability, good
search performance for smaller ingest and concurrent user count.
Common integration for SaaS to SaaS Splunk Components
This topology is commonly used in production environments and the
primary benefits of this topology include easy manageability and a
fixed TCO.

SSVAs - 18 – v2.0
1.6.2.5 Single Server Deployment (S1)

Automation & Case Management Tier

Splunk gFS DB

SOAR Reporting Shared Services

For an explanation of topology components, refer to Appendix "B" below.

Description of the Single Server Deployment (S1) Limitations

This deployment topology provides you with a very cost-effective ● No High Availability
solution if your environment meets all the following criteria:
● Scalability limited by hardware
a) you do not have any requirements to provide high-availability or capacity
automatic disaster recovery for your Splunk SOAR Deployment,
● Reporting limited to standard
b) your daily event ingestion is < ~100 events per day, and SOAR reports and/or API usage
c) you have a small number of users.
d) suitable for development environment
The primary benefits of this topology include easy manageability, good
search performance for smaller ingest and concurrent user count.
This topology is commonly used in development environments and the
primary benefits of this topology include easy manageability and a
fixed TCO.

SSVAs - 19 – v2.0
1.6.2.6 SOAR Server Deployment (S1E)

Automation & Case Management Tier

gFS DB

SOAR Shared Services

Reporting Tier
Splunk

For an explanation of topology components, refer to Appendix "B" below.

Description of the Single Server Limitations
Deployment (S1E)

This deployment topology provides you with a ● No High Availability for ingestion/automation/reporting
very cost-effective solution if your environment
● Scalability limited by hardware capacity
meets all of the following criteria:
a) you do not have any requirements to provide
high-availability or automatic disaster recovery
for your Splunk SOAR Deployment,
b) your daily event ingestion is < ~100 events
per hour, and
c) you have a small number of users.
d) suitable for development environment
and for developing external SOAR reporting
Externalizing the reporting tier facilitates the
creation of dashboards and custom reports in a
separate Splunk instance.
This topology should be leverage for small
environment that want a simple deployment but
still want the robust and flexible reporting
capabilities that an external reporting tier can
provide.

SSVAs - 20 – v2.0
1.6.2.7 SOAR Single Server deployment with external Shared Services and Internal Reporting (X1)
Automation & Case Management Tier

Splunk

SOAR
Reporting

Shared Services Tier gFS Ext DB

For an explanation of topology components, refer to Appendix "B" below.

Description of the SOAR Single Server deployment Limitations
with external Shared Services and Internal Reporting
(X1)

b) your daily data ingest is over ~100 events/hour, and

c) you have a less than 10 users with non-critical use
cases.
This topology is typically used for smaller, non-business-
critical use-cases (often departmental in nature).
By externalizing the shared services, some additional
flexibility in scaling is provided by distributing load across
multiple services.

SSVAs - 21 – v2.0
1.6.2.8 SOAR Single Server deployment with external Shared Services and Internal Reporting (X1E)
Automation & Case Management Tier

SOAR Node

Reporting Tier Shared Services Tier

Splunk gFS Ext DB

For an explanation of topology components, refer to Appendix "B" below.

Description of the SOAR Single Server deployment Limitations
with external Shared Services and Internal Reporting
(X1E)

This deployment topology provides you with a very cost- ● No High Availability for ingestion/automation
effective solution if your environment meets all of the
● Automation scalability limited by hardware
following criteria:
capacity
a) you do not have any requirements to provide high-
availability or automatic disaster recovery for your Splunk
SOAR deployment,
b) your daily data ingest is over ~100 events/hour, and
c) you have a less than 10 users with non-critical use
cases.
This topology is typically used for smaller, non-business-
critical use-cases (often departmental in nature).
By externalizing the shared services, some additional
flexibility in scaling is provided by distributing load across
multiple services.
Externalizing the reporting tier facilitates the creation of
dashboards and custom reports in a separate Splunk
instance.

SSVAs - 22 – v2.0
1.6.2.9 Distributed SOAR Deployment with Warm Standby and Internal Reporting (D1)
Site A Site B

Automation & Case Management Tier Automation & Case Management Tier
Splunk gFS DB Splunk gFS DB

SOAR Reporting Shared Services SOAR Reporting Shared Services

For an explanation of topology components, refer to Appendix "B" below.

Description of Distributed SOAR Deployment with Warm Standby Limitations
and Internal Reporting (D1)

This architecture is suitable for most organizations requiring full ● Limited High Availability
disaster recovery with high availability and multi-regional support.
● Scalability limited by hardware
Automation tier may need to move to a more resilient topology for capacity
environments where recovering from disaster scenarios is of high
importance. In this instance, the SOAR Warm Standby Deployment is
recommended. This architecture maintains the simplicity of keeping all ● Reporting limited to standard
of the SOAR services contained on one server while providing an SOAR reports and/or API usage
additional instance for failover in the event of a primary outage disaster
with recovery in minutes.
This topology is commonly used in production environments and the
primary benefits of this topology include easy manageability and a
fixed TCO.

SSVAs - 23 – v2.0
1.6.2.10 Distributed SOAR Deployment with Warm Standby and Internal Reporting (D2E)
Site A Site B

Automation & Case Management Tier Automation & Case Management Tier

gFS DB gFS DB

SOAR Shared Services SOAR Shared Services

Reporting Tier Splunk

For an explanation of topology components, refer to Appendix "B" below.

Description of Distributed SOAR Deployment with Warm Standby Limitations
and External Reporting (D2E)

This architecture is best suitable for most organizations requiring ● Limited High Availability
full disaster recovery with high availability and multi-regional support.
● Scalability limited by hardware
This supports customers using Splunk SOAR case management
capacity
capabilities.
Automation tier may need to move to a more resilient topology for
environments where recovering from disaster scenarios is of high
importance. In this instance, the SOAR Warm Standby Deployment is
recommended. This architecture maintains the simplicity of keeping all
of the SOAR services contained on one server while providing an
additional instance for failover in the event of a primary outage or site-
level disaster with recovery in minutes.
Optional configurations with a customer provided load balancer will
provide automated failover within seconds.
This automation tier topology is commonly used in production
environments and the primary benefits of this topology include easy
manageability and a fixed TCO.
Externalizing the reporting tier facilitates the creation of dashboards
and custom reports in a separate Splunk instance.

1.6.3 Clustered deployment options

Below you will find the following topology options:
Type of Deployment Topology Category Code(s)

Clustered SOAR Deployment C1E

SSVAs - 24 – v2.0
1.6.3.1 High Capacity Clustered Deployment - Single Site (C1E)

Automation & Case Management Tier

SOAR Cluster

Reporting Tier Shared Services Tier

Splunk
gFS HA Proxy Cluster DB

For an explanation of topology components, see Appendix "B" below.

Description of High Capacity Clustered Deployment - Single Site Limitations
(C1E)

This architecture is suitable for organizations that need High Capacity ● No High Availability for SOAR
and high availability for actions and ingestion. Customers should have platform search
an independent regional replication architecture with a recovery time
● No automatic DR capability in
objective of hours and minutes.
case of data center outage
This topology introduces automation high available and high capacity
processing in conjunction with no failover processes. This provides
high availability of data in case of automation peer node, database,
and file services failures. However, you should be aware that this
applies only to the automation tier and does not protect against search
head failure or provide for customized reporting.
A high availability proxy is provided that ensures ensure proper load
balancing of users across the site.
Note: If your category code is C/M1 (i.e., you intend to deploy Splunk
SOAR without any external Splunk instance), a single dedicated
search head is deployed with the appliance and will need to be
externalized also. However, this will only impact global searching on
the platform.

SSVAs - 25 – v2.0
1.6.3.2 Distributed Clustered Deployment - Multiple Site (M2E)
Site A Site B

Automation & Case Management Tier Automation & Case Management Tier

SOAR Cluster SOAR Cluster

Reporting Tier Shared Services Tier Reporting Tier Shared Services Tier
Splunk Splunk
gFS HA Proxy Cluster DB gFS HA Proxy Cluster DB

For an explanation of topology components, see Appendix "B" below.

Description of Distributed Clustered Deployment - Single Site Limitations
(M2E)

This architecture is best suitable for organizations that require High ● No automatic replication
Capacity and Availability requirements and don't have data persistence between sites
or case management requirements for Splunk SOAR and require near
● No automatic DR capability in
instantaneous recovery time objectives.
case of data center outage
This topology introduces automation high available and high capacity
● Limited HA with provided
processing in conjunction with regional failover processes. This
provides high availability of data in case of automation peer node, Splunk components
database, and file services failures. However, you should be aware that
this applies only to the automation tier and does not protect against
search head failure or provide for customized reporting.
Customer provided load balancers and CICD procedures can
provide automated failover with necessary application and playbook
replication between sites.
Note: No event data will be replicated between sites. Distributed
Splunk core architectures can support consistent and multi-site
reporting and data visibility.

SSVAs - 26 – v2.0
1.6.3.3 Distributed Clustered Deployment - Multiple Site (M2CE)
Site A Site B

Automation & Case Management Tier Automation & Case Management Tier

SOAR Cluster SOAR Cluster

Reporting Tier Shared Services Tier Reporting Tier Shared Services Tier
Splunk Splunk
gFS HA Proxy Cluster DB gFS HA Proxy Cluster DB

For an explanation of topology components, see Appendix "B" below.

Description of Distributed Clustered Deployment – Multiple Site Limitations
(M2CE)

This architecture will require consultation with your Splunk Architect ● No automatic replication
for a custom solution. between sites
There are workarounds for limitations with Splunk and customer ● No automatic DR capability in
provide infrastructure case of data center outage

SSVAs - 27 – v2.0
1.6.3.4 Distributed Clustered Deployment - Multiple Site (M2CE+)
Site A Site B

Automation & Case Management Tier Automation & Case Management Tier

SOAR Cluster SOAR Cluster

Reporting Tier Shared Services Tier Reporting Tier Shared Services Tier
Splunk Splunk
gFS HA Proxy Cluster DB gFS HA Proxy Cluster DB

For an explanation of topology components, see Appendix "B" below.

Description of Distributed Clustered Deployment – Multiple Site Limitations
(M2CE+)

SSVAs - 28 – v2.0
1.7 Step 3: Apply Design Principles and Best Practices

1.7.1 Deployment and Integrations Architectural Diagrams

Below you will find architectural designs and best practices separated by deployment model.
SSVA architectural designs cover all of the following deployment tiers and integrations.
Tier Definition

Automation and Case Management ● SOAR Node(s)

Shared Services ● HA Proxy / Network Load Balancer

● File Server
● Clustered Database (postgreSQL only)

Integrations ● Splunk Enterprise

● Splunk Cloud (and Cloud ES)
● AWS Cloud Services
● Cloud Integrations

SSVAs - 29 – v2.0
S0 - Single Tenant Deployment using Software as a Service with Splunk managed infrastructure
Intentionally left blank for diagram below

SSVAs - 30 – v2.0
Min 4 Cores 8 GBs

SpVA: S0
Automation
Recommended 8 Cores 16 GBs
Broker Sizing

SOAR Cloud region

SOAR Cloud region
us-west-2
Cloud Gateway service region
us-east-1 cloud soar
us-east-1 us-east-1
ca-central-1 us-east-1
eu-west-1 eu-central-1
eu-west-2 eu-central-1
eu-west-3 eu-central-1
ap-southeast-1 ap-southeast-2
ap-southeast-2 ap-southeast-2
ap-northeast-1 ap-southeast-2
ap-northeast-2 ap-southeast-2

Analyst, Admins

Splunk TCP 443

AB
Internet
TCP 443 Automation
Spacebridge gRPC Broker

REST App TCP TCP TCP 443 HTTP

APIs 80, 443 443 (or custom ports)
Data Firewall Data
Splunk> cloud
SOAR

PROS:
Least Administrative overhead
Infrastructure and upgrades managed for customer
Automation Broker Incoming
Port Purpose
CONS:
Used to receive activation notifications from Splunk SOAR Cloud via the gRPC tunnel. This is a
Performance constrained by number of users registration process from the Automation Broker to Spacebridge and provides secure transport to
TCP 443
Automation Broker. gRPC is a end to end encryption via TLS 1.2 from Cloud SOAR to Automation
Broker
Comments: REVISIONS

REV DESCRIPTION DATE APPROVED

Automation Broker Outbound

1.0 Initial Build 6 Aug 18 Port Purpose

Used by the automation broker to communicate to Cloud SOAR for action results data. This does not
TCP 443
pass through Splunk spacebridge

Standalone Instance
DRAWN Port Purpose
Architect
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Approver
TO Company Name
S0E - Single Tenant Deployment using Software as a Service with Splunk managed infrastructure with
Splunk Integrations with on premise integration
Intentionally left blank for diagram below

SSVAs - 31 – v2.0
Min 4 Cores 8 GBs

SpVA: S0E
Automation
Recommended 8 Cores 16 GBs
Broker Sizing

SOAR Cloud region

Forwarders

Search Head
Analyst, Admins

Indexers
Splunk
AB TCP 443
Internet
Splunk Infrastructure
Spacebridge
TCP 443 Automation
REST App TCP TCP gRPC Broker
APIs 80, 443 443
Data Firewall TCP 443 HTTP
Splunk> cloud (or custom ports)
SOAR Data

Automation Broker Incoming

Port Purpose
Used to receive activation notifications from Splunk SOAR Cloud via the gRPC tunnel. This is a
registration process from the Automation Broker to Spacebridge and provides secure transport to
TCP 443
Automation Broker. gRPC is a end to end encryption via TLS 1.2 from Cloud SOAR to Automation
PROS: Broker
Least Administrative overhead
Infrastructure and upgrades managed for customer
Automation Broker Outbound

CONS: Port Purpose

Used by the automation broker to communicate to Cloud SOAR for action results data. This does not
Performance constrained by number of users TCP 443
pass through Splunk spacebridge

Comments: REVISIONS
External Splunk Instance
REV DESCRIPTION DATE APPROVED Port Purpose
TCP 8088 Used as the HTTP Event Collector (HEC) and provides searching capabilities
1.0 Initial Build 6 Aug 18 TCP 8089 Used for the REST endpoint to send information to the Splunk Instances
TCP
9996-9997 Used for Universal Forwarder to either a forwarder or direct to the indexers

Standalone Instance
DRAWN Port Purpose
Architect
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Approver
TO Company Name
S0E+ - Single Tenant Deployment using Software as a Service with Splunk managed infrastructure with
Splunk Integrations either bring your own cloud
Intentionally left blank for diagram below

SSVAs - 32 – v2.0
Min 4 Cores 8 GBs

SpVA: S0E+
Automation
Recommended 8 Cores 16 GBs
Broker Sizing

SOAR Cloud region

Search Head

Customer Analyst, Admins

Indexers TCP 8088,
Cloud Splunk 8089, 9996-7
Mobile TCP 443 Or custom ports
Forwarders

Cloud infrastructure
Splunk TCP 443
AB
Internet
TCP 443 Automation
Spacebridge gRPC Broker

REST App TCP 443 TCP TCP 443 HTTP

APIs (or custom ports) 443 (or custom ports)
Data Firewall Data
Splunk> cloud
SOAR

Automation Broker Incoming

CONS: Port Purpose

Used by the automation broker to communicate to Cloud SOAR for action results data. This does not
Performance constrained by number of users TCP 443
pass through Splunk spacebridge

Standalone Instance
DRAWN Port Purpose
Architect
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Approver
TO Company Name
S0CE - Single Tenant Deployment using Software as a Service with Splunk managed infrastructure and
Splunk Cloud Integrations
Intentionally left blank for diagram below

SSVAs - 33 – v2.0
Min 4 Cores 8 GBs

SpVA: S0CE
Automation
Recommended 8 Cores 16 GBs
Broker Sizing

SOAR Cloud region

Search Head

Analyst, Admins
Indexers Splunk> cloud TCP 8088,
Splunk 8089, 9996-7
Mobile TCP 443 Or custom ports
Forwarders

Cloud infrastructure
Splunk TCP 443
AB
Internet
TCP 443 Automation
Spacebridge gRPC Broker

REST App TCP 443 TCP TCP 443 HTTP

APIs (or custom ports) 443 (or custom ports)
Data Firewall Data
Splunk> cloud
SOAR

Automation Broker Incoming

CONS: Port Purpose

Used by the automation broker to communicate to Cloud SOAR for action results data. This does not
Performance constrained by number of users TCP 443
pass through Splunk spacebridge

Standalone Instance
DRAWN Port Purpose
Architect
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Approver
TO Company Name
S1 - Single Server Deployment using embedded Splunk Integration
Intentionally left blank for diagram below

SSVAs - 34 – v2.0
Splunk Phantom Stand-Alone Sizing Chart
Instance Type

Large
Workloads with
active playbooks

>7000 events per

CPU
cores

32
Memory GB

64
SpVA: S1
hour

Medium 16 32
Up to 7000 events
per hour Default OVA Build Based on size (GB): 200
Device Mountpoint Size (GB)
Small
Up to 4000 events
8 16 Recommended /dev/mapper/centos-var / 40
Development ONLY
per hour Sizing /dev/mapper/centos-opt_phantom_vault
/dev/mapper/centos-opt_phantom_data
/opt/phantom/vault*
/opt/phantom/data*
45
45
Tiny 8 8 /dev/mapper/centos-tmp /tmp 10
< 4000 events per
Development ONLY hour /dev/mapper/centos-var /var 15
/dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore 1
/dev/mapper/centos-var_tmp /var/tmp 15
/dev/mapper/centos-home /home 20
Analyst, Admins

TCP 443, 22

Internet

REST App
TCP 80, 443
APIs Phantom
Data

Firewall

TCP 443
(or custom ports)

HTTP

Data

PROS:
Least Administrative overhead
Least TCO going towards production

CONS:
Performance constrained by number of available connections
Backup and Recover is customer responsibility
No failover mechanisms

Comments: REVISIONS

REV DESCRIPTION DATE APPROVED

1.0 Initial Build 6 Aug 18

Standalone Instance
Port Purpose
Used for administering the OS that Phantom is running on. Can be limited to authorized administration
TCP 22
networks, or blocked if you wish to use the OS console exclusively.
Convenience port for users who do not specify HTTPS when connecting to Phantom instance. Exists
DRAWN TCP 80
Architect only to redirect connections to TCP 443. Can be blocked.
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Approver
TO Company Name
S1E - Single Server Deployment using Splunk Enterprise Integration
Intentionally left blank for diagram below

SSVAs - 35 – v2.0
Splunk Phantom Stand-Alone Sizing Chart
Instance Type

Large
Workloads with
active playbooks

>7000 events per

CPU
cores

32
Memory GB

64
SpVA: S1E
hour

Medium 16 32
Up to 7000 events
Production Build Recommend Drive Mappings Based on size (GB): 1024
per hour Device Mountpoint Size (GB)
Small
Up to 4000 events
8 16 Recommended /dev/mapper/centos-root / 204.8
Development ONLY /dev/mapper/centos-opt_phantom_vault /opt/phantom/vault* 245.8
per hour Sizing /dev/mapper/centos-opt_phantom_data /opt/phantom/data* 307.2
Tiny 8 8 /dev/mapper/centos-tmp /tmp 51.2
< 4000 events per
Development ONLY /dev/mapper/centos-var /var 51.2
hour /dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore 5.1
/dev/mapper/centos-var_tmp /var/tmp 51.2
/dev/mapper/centos-home /home 102.4
Total: 1018.9

External Splunk Instance

Standalone
Internet Phantom

Forwarders
REST App TCP
APIs 80, 443
Data

Firewall
Indexers

TCP 443
(or custom ports)

Splunk
Search Head

REST
Analyst, Admins
Data

PROS:
Least Administrative overhead with improved UI performance
NFS Server
Least number of resource contention
Easiest to manage and gradual expansion increase process Port Purpose
TCP 2049 NFS Service
CONS: UDP 111 Portmapper service, needed for NFS
TCP 111 Portmapper service, needed for NFS
Performance constrained by number of available connections
No failover mechanisms
External Splunk Instance

Comments: This is our Default PS Recommendation for Single Instance deployments Port Purpose
REVISIONS
TCP 8088 Used as the HTTP Event Collector (HEC) and provides searching capabilities
TCP 8089 Used for the REST endpoint to send information to the Splunk Instances
REV DESCRIPTION DATE APPROVED TCP
9996-9997 Used for Universal Forwarder to either a forwarder or direct to the indexers
Initial Build capable for most loads < 1500 events per day and for teams using
1.0 6 Aug 18
Case Management and Headless usage
Standalone Instance
Port Purpose
Used for administering the OS that Phantom is running on. Can be limited to authorized administration
TCP 22
networks, or blocked if you wish to use the OS console exclusively.
Convenience port for users who do not specify HTTPS when connecting to Phantom instance. Exists
DRAWN TCP 80
Architect only to redirect connections to TCP 443. Can be blocked.
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Approver
TO Company Name
X1 - Single Server Deployment using external Shared Services with embedded Splunk
Intentionally left blank for diagram below

SSVAs - 36 – v2.0
Splunk Phantom Stand-Alone Sizing Chart
Instance Type

Large
Workloads with
active playbooks

>7000 events per

CPU
cores

32
Memory GB

64
SpVA: X1
hour

Medium 16 32
Up to 7000 events
per hour Default OVA Build Based on size (GB): 200
Small
Up to 4000 events
8 16 Recommended Device
/dev/mapper/centos-var
Mountpoint
/
Size (GB)
40
per hour Sizing /dev/mapper/centos-opt_phantom_vault /opt/phantom/vault* 45
Tiny 8 8
/dev/mapper/centos-opt_phantom_data /opt/phantom/data* 45
< 4000 events per /dev/mapper/centos-tmp /tmp 10
hour /dev/mapper/centos-var /var 15
/dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore 1
/dev/mapper/centos-var_tmp /var/tmp 15
REST /dev/mapper/centos-home /home 20
Data

TCP 443
(or custom ports)

Standalone
Internet Phantom

REST App TCP

APIs 80, 443
Data

Firewall Future Expansion

External
PostgrSQL
Database

Analyst, Admins NFS Server NFS Server

Vault Mount
Point Port Purpose
TCP 2049 NFS Service
UDP 111 Portmapper service, needed for NFS
TCP 111 Portmapper service, needed for NFS

PROS:
Least Administrative overhead with improved UI performance
Least number of resource contention External Splunk Instance
Easiest to manage and gradual expansion increase process Port Purpose
TCP 8088 Used as the HTTP Event Collector (HEC) and provides searching capabilities
CONS: TCP 8089 Used for the REST endpoint to send information to the Splunk Instances
Performance constrained by number of available connections TCP
9996-9997 Used for Universal Forwarder to either a forwarder or direct to the indexers
No failover mechanisms

POSTGRES Instance
Comments: This model is only used for prior to clustering and single instance support REVISIONS
without warm standby. Port Purpose
TCP 22 Used for administering the OS that POSTGRES is running on
REV DESCRIPTION DATE APPROVED TCP 5432 PostgreSQL Service. Can be blocked if the DB server is a different host than the shared services node.

Initial Build capable for most loads < 1500 events per day and for teams using
1.0 6 Aug 18
Case Management and Headless usage
Standalone Instance
Port Purpose
Used for administering the OS that Phantom is running on. Can be limited to authorized administration
TCP 22
networks, or blocked if you wish to use the OS console exclusively.
Convenience port for users who do not specify HTTPS when connecting to Phantom instance. Exists
TCP 80
DRAWN only to redirect connections to TCP 443. Can be blocked.
Architect
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Approver
TO Company Name
X1E - Single Server Deployment using external Shared Services with Splunk Enterprise Integration
Intentionally left blank for diagram below

SSVAs - 37 – v2.0
Splunk Phantom Stand-Alone Sizing Chart
Instance Type

Large
Workloads with
active playbooks

>7000 events per

CPU
cores

32
Memory GB

64
SpVA: X1E
hour

Medium 16 32
Up to 7000 events
per hour Default OVA Build Based on size (GB): 200
Small
Up to 4000 events
8 16 Recommended Device
/dev/mapper/centos-var
Mountpoint
/
Size (GB)
40
per hour Sizing /dev/mapper/centos-opt_phantom_vault /opt/phantom/vault* 45
Tiny 8 8 External Splunk Instance /dev/mapper/centos-opt_phantom_data /opt/phantom/data* 45
< 4000 events per /dev/mapper/centos-tmp /tmp 10
hour /dev/mapper/centos-var /var 15
/dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore 1
/dev/mapper/centos-var_tmp /var/tmp 15
REST /dev/mapper/centos-home /home 20
Data
Forwarders

TCP 443
(or custom ports)
Indexers

Standalone
Internet Phantom

Splunk
REST App TCP Search Head
APIs 80, 443
Data

Firewall Future Expansion

External
PostgrSQL
Database

Analyst, Admins NFS Server NFS Server

Vault Mount
Point Port Purpose
TCP 2049 NFS Service
UDP 111 Portmapper service, needed for NFS
TCP 111 Portmapper service, needed for NFS

Initial Build capable for most loads < 1500 events per day and for teams using
1.0 6 Aug 18
Case Management and Headless usage
Standalone Instance
Port Purpose
Used for administering the OS that Phantom is running on. Can be limited to authorized administration
TCP 22
networks, or blocked if you wish to use the OS console exclusively.
Convenience port for users who do not specify HTTPS when connecting to Phantom instance. Exists
TCP 80
DRAWN only to redirect connections to TCP 443. Can be blocked.
Architect
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Approver
TO Company Name
D2 - Distributed Warm Standby Deployment using embedded Splunk integration
Intentionally left blank for diagram below

SSVAs - 38 – v2.0
Splunk Phantom Stand-Alone Sizing Chart

SpVA: D2
Instance Type Workloads with CPU Memory GB
active playbooks cores

Large 32 64
>7000 events per
hour

Medium
Up to 7000 events
16 32 Recommended Production Build Recommend Drive Mappings Based on size (GB): 1024
per hour Sizing Device Mountpoint Size (GB)
Small 8 16 /dev/mapper/centos-root / 204.8
Up to 4000 events
Development ONLY
/dev/mapper/centos-opt_phantom_vault /opt/phantom/vault* 245.8
per hour /dev/mapper/centos-opt_phantom_data /opt/phantom/data* 307.2
Tiny 8 8 /dev/mapper/centos-tmp /tmp 51.2
< 4000 events per
Development ONLY
/dev/mapper/centos-var /var 51.2
hour /dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore 5.1
/dev/mapper/centos-var_tmp /var/tmp 51.2
/dev/mapper/centos-home /home 102.4
Total: 1018.9

Analyst, Admins Phantom

Standby
DC 1
Warm Standby Process Site A Site B
TCP 443, 22

DNS Phantom Server

Balancer Standby

Syncronization

Internet Warm-Standby Phantom Server

Primary Failover
REST HTTP RSync
App TCP Event
postgreSQL Standby
APIs 80, 443
DB Transaction (Prior Primary)
Data Data
TCP 443 TCP 22, 5432
Firewall (or custom
ports) Syncronization

Primary
Failover (Prior Standby)
DNS Event
Balancer

Phantom
Primary Syncronization
DC 2

Primary Standby
Analyst, Admins
PROS:
Least number of resources NFS Server
Native multi-site redundancy and high availability Port Purpose
Easiest to manage and gradual expansion increase process TCP 2049 NFS Service
UDP 111 Portmapper service, needed for NFS
CONS: TCP 111 Portmapper service, needed for NFS
Performance constrained by number of available connections
Failover is scripted and can be semi-automated or manual
External Splunk Instance

Comments: This is our Default PS Recommendation for Multiple Site Survivability Port Purpose
REVISIONS
TCP 8088 Used as the HTTP Event Collector (HEC) and provides searching capabilities
TCP 8089 Used for the REST endpoint to send information to the Splunk Instances
REV DESCRIPTION DATE APPROVED TCP
9996-9997 Used for Universal Forwarder to either a forwarder or direct to the indexers
Initial Build capable for most loads < 1500 events per day and for teams using
1.0 3 MAR 19
Case Management
Standalone Instance
Port Purpose
Used for administering the OS that Phantom is running on. Can be limited to authorized administration
TCP 22
networks, or blocked if you wish to use the OS console exclusively.
Convenience port for users who do not specify HTTPS when connecting to Phantom instance. Exists
DRAWN TCP 80
Architect only to redirect connections to TCP 443. Can be blocked.
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Customer
TO Company Company Confidential
D2E - Distributed Warm Standby Deployment using embedded Splunk with customer provided
Infrastructure
Intentionally left blank for diagram below

SSVAs - 39 – v2.0
Splunk Phantom Stand-Alone Sizing Chart

SpVA: D2E
Instance Type Workloads with CPU Memory GB
active playbooks cores

Large 32 64
>7000 events per
hour

Analyst, Admins Phantom

Standby
DC 1
Warm Standby Process Site A Site B
TCP 443, 22

DNS Phantom Server

Forwarders Standby
Balancer

Syncronization

Indexers
Internet Warm-Standby Phantom Server
Primary Failover
REST HTTP RSync
App TCP Event
postgreSQL Standby
APIs 80, 443
DB Transaction (Prior Primary)
Data Data Splunk
Search Head
TCP 443 TCP 22, 5432
Firewall (or custom
ports) Syncronization

Primary
Failover (Prior Standby)
DNS Event
Balancer

Phantom
Primary Syncronization
DC 2

Comments: This is our Default PS Recommendation for Multiple Site Survivability Port Purpose
REVISIONS
TCP 8088 Used as the HTTP Event Collector (HEC) and provides searching capabilities
TCP 8089 Used for the REST endpoint to send information to the Splunk Instances
REV DESCRIPTION DATE APPROVED TCP
9996-9997 Used for Universal Forwarder to either a forwarder or direct to the indexers
Initial Build capable for most loads < 1500 events per day and for teams using
1.0 3 MAR 19
Case Management
Standalone Instance
Port Purpose
Used for administering the OS that Phantom is running on. Can be limited to authorized administration
TCP 22
networks, or blocked if you wish to use the OS console exclusively.
Convenience port for users who do not specify HTTPS when connecting to Phantom instance. Exists
DRAWN TCP 80
Architect only to redirect connections to TCP 443. Can be blocked.
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Customer
TO Company Company Confidential
D2E+ - Distributed Warm Standby Deployment using embedded Splunk with customer provided
Infrastructure
Intentionally left blank for diagram below

SSVAs - 40 – v2.0
Splunk Phantom Stand-Alone Sizing Chart

SpVA: D2E+
Instance Type Workloads with CPU Memory GB
active playbooks cores

Large 32 64
>7000 events per
hour

Medium
Up to 7000 events
16 32 Recommended Production Build Recommend Drive Mappings Based on size (GB): 1024
per hour Sizing Device Mountpoint Size (GB)
Small 8 16 /dev/mapper/centos-root / 204.8
Up to 4000 events
/dev/mapper/centos-opt_phantom_vault /opt/phantom/vault* 245.8
per hour /dev/mapper/centos-opt_phantom_data /opt/phantom/data* 307.2
Tiny 8 8 /dev/mapper/centos-tmp /tmp 51.2
< 4000 events per
/dev/mapper/centos-var /var 51.2
hour /dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore 5.1
/dev/mapper/centos-var_tmp /var/tmp 51.2
External Splunk Instance /dev/mapper/centos-home /home 102.4
Total: 1018.9

Analyst, Admins Phantom

Standby
DC 1
Warm Standby Process Site A Site B
TCP 443, 22

DNS Phantom Server

Forwarders Standby
Balancer

Syncronization
TCP 443
Indexers
Internet (or custom
ports) Warm-Standby Phantom Server
Primary Failover
REST HTTP RSync
App TCP Event
postgreSQL Standby
APIs 80, 443
DB Transaction (Prior Primary)
Data Data Splunk
Search Head
Firewall TCP 22, 5432
Syncronization

Primary
Failover (Prior Standby)
DNS Event
Balancer

Phantom
Primary Syncronization
DC 2
NFS Server
Vault Mount
Point Primary Standby
Analyst, Admins
PROS:
Least number of resources NFS Server
Native multi-site redundancy and high availability Port Purpose
Easiest to manage and gradual expansion increase process TCP 2049 NFS Service
UDP 111 Portmapper service, needed for NFS
CONS: TCP 111 Portmapper service, needed for NFS
Performance constrained by number of available connections
Failover is scripted and can be semi-automated or manual
External Splunk Instance

Comments: This is our Default PS Recommendation for Multiple Site Survivability Port Purpose
REVISIONS
TCP 8088 Used as the HTTP Event Collector (HEC) and provides searching capabilities
TCP 8089 Used for the REST endpoint to send information to the Splunk Instances
REV DESCRIPTION DATE APPROVED TCP
9996-9997 Used for Universal Forwarder to either a forwarder or direct to the indexers
Initial Build capable for most loads < 1500 events per day and for teams using
1.0 3 MAR 19
Case Management
Standalone Instance
Port Purpose
Used for administering the OS that Phantom is running on. Can be limited to authorized administration
TCP 22
networks, or blocked if you wish to use the OS console exclusively.
Convenience port for users who do not specify HTTPS when connecting to Phantom instance. Exists
DRAWN TCP 80
Architect only to redirect connections to TCP 443. Can be blocked.
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Customer
TO Company Company Confidential
D2CE - Distributed Warm Standby Deployment with Splunk Cloud Integration
Intentionally left blank for diagram below

SSVAs - 41 – v2.0
SpVA: D2CE
Splunk Phantom Single Instance Sizing for Amazon Web Services
Instance Type Workloads with an EC2 Instance
active playbook Sizing

Large c5.12xlarge
>7000 events per hour

Medium
Recommended Production from
Up to 7000 events per
c5.4xlarge Recommended
Production Build Recommend Drive Mappings Based on size (GB): 1024
public website hour Sizing Device Mountpoint Size (GB)
Small c5.2xlarge /dev/mapper/centos-root / 204.8
Up to 4000 events per
Recommended Development from /dev/mapper/centos-opt_phantom_vault /opt/phantom/vault* 245.8
public website hour
Bare minimum from configuration
/dev/mapper/centos-opt_phantom_data /opt/phantom/data* 307.2
/dev/mapper/centos-tmp /tmp 51.2
Tiny c5.2xlarge /dev/mapper/centos-var /var 51.2
< 4000 events per
Development ONLY /dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore 5.1
hour
/dev/mapper/centos-var_tmp /var/tmp 51.2
/dev/mapper/centos-home /home 102.4
Total: 1018.9
External Splunk Instance
Search Head
Phantom
Standby Warm Standby Process Site A Site B
DC 1
Phantom Server
Standby
Inside
Firewall

Syncronization
TCP
443, 22
Indexers Splunk> cloud
TCP Analyst, Admins
Phantom Server
Elastic Load Primary Failover
8088, 8089, 9996-7
Balancers Event
Forwarders Standby
Warm-Standby (Prior Primary)

RSync HTTP Internal

REST postgreSQL Apps Syncronization
App TCP Load DB Transaction Data
APIs 80, 443 Balancer
Data
Elastic. File TCP 22, 5432
External Services Primary
Firewall Failover (Prior Standby)
Event

Syncronization

Inside Analyst, Admins

TCP 443/22
Firewall
(or custom
Primary Standby
ports)

PROS: NFS Server

Phantom
Least number of resources
Primary Native multi-site redundancy and high availability
Port Purpose
DC 2 TCP 2049 NFS Service
Easiest to manage and gradual expansion increase process UDP 111 Portmapper service, needed for NFS
TCP 111 Portmapper service, needed for NFS
CONS:
Performance constrained by number of available connections
Failover is scripted and can be semi-automated or manual External Splunk Instance
Port Purpose
Comments: This is our Default PS Recommendation for Splunk Phantom and Cloud TCP 443 Used for sending Alerts to Phantom from Splunk> Cloud Phantom Add-On
REVISIONS
implementations. Phantom can be internalized (inside the DMZ), however some features will TCP 8088 Used as the HTTP Event Collector (HEC) and provides searching capabilities
be reduced. TCP 8089 Used for the REST endpoint to send information to the Splunk Instances
REV DESCRIPTION DATE APPROVED TCP
9996-9997 Used for Universal Forwarder to either a forwarder or direct to the indexers
Initial Build capable for most loads < 1500 events per day and for teams using
1.0 3 MAR 19
Case Management

Default access to Phantom on Internal infrastructure. Splunk Cloud must have the Standalone Instance
1.2 26 NOV 19
Phantom app and API access. Phantom is in the DMZ or DMZ like
Port Purpose
Used for administering the OS that Phantom is running on. Can be limited to authorized administration
1.3 Updated ports and localized External Splunk architecture 27 APR 20 TCP 22
networks, or blocked if you wish to use the OS console exclusively.
Convenience port for users who do not specify HTTPS when connecting to Phantom instance. Exists
DRAWN TCP 80
Architect only to redirect connections to TCP 443. Can be blocked.
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Customer
TO Company Company Confidential
D2CE+ - Distributed Warm Standby Deployment with Splunk Cloud Integration
Intentionally left blank for diagram below

SSVAs - 42 – v2.0
SpVA: D2CE+
Splunk Phantom Single Instance Sizing for Amazon Web Services
Instance Type Workloads with an EC2 Instance
active playbook Sizing

Large c5.12xlarge
>7000 events per hour

Medium
Recommended Production from
Up to 7000 events per
c5.4xlarge Recommended
Production Build Recommend Drive Mappings Based on size (GB): 1024
public website hour Sizing Device Mountpoint Size (GB)
Small
Up to 4000 events per
c5.2xlarge /dev/mapper/centos-root / 204.8
Recommended Development from /dev/mapper/centos-opt_phantom_vault /opt/phantom/vault* 245.8
public website hour
/dev/mapper/centos-opt_phantom_data /opt/phantom/data* 307.2
Bare minimum from configuration
/dev/mapper/centos-tmp /tmp 51.2
Tiny c5.2xlarge /dev/mapper/centos-var /var 51.2
< 4000 events per
Development ONLY /dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore 5.1
hour
/dev/mapper/centos-var_tmp /var/tmp 51.2
/dev/mapper/centos-home /home 102.4
Total: 1018.9
External Splunk Instance Phantom
Search Head Standby
DC 1
Warm Standby Process Site A Site B

Phantom Server
Standby
Inside
Firewall

Syncronization
TCP
TCP 443, 22
Indexers Splunk> cloud 8088, 8089, Elastic Load
9996-7 Balancers Phantom Server
Analyst, Admins Primary Failover
Forwarders Standby Event
Warm-Standby (Prior Primary)

Load RSync HTTP Internal

REST App TCP Balancer postgreSQL Apps Syncronization
80, 443 DB Transaction Data
APIs
Data
Elastic. File
TCP 22, 5432
External Primary
Firewall Services Failover (Prior Standby)
Event

Syncronization
TCP 443/22
(or custom Inside Analyst, Admins
ports) Firewall
Primary Standby
Phantom
Primary PROS: NFS Server
DC 2 Least number of resources
Port Purpose
Native multi-site redundancy and high availability TCP 2049 NFS Service
Easiest to manage and gradual expansion increase process UDP 111 Portmapper service, needed for NFS
TCP 111 Portmapper service, needed for NFS
CONS:
Performance constrained by number of available connections
Failover is scripted and can be semi-automated or manual External Splunk Instance
Port Purpose
Comments: This is our Default PS Recommendation for Splunk Phantom and Cloud TCP 443 Used for sending Alerts to Phantom from Splunk> Cloud Phantom Add-On
REVISIONS
implementations. Phantom can be internalized (inside the DMZ), however some features will TCP 8088 Used as the HTTP Event Collector (HEC) and provides searching capabilities
be reduced. TCP 8089 Used for the REST endpoint to send information to the Splunk Instances
REV DESCRIPTION DATE APPROVED TCP
9996-9997 Used for Universal Forwarder to either a forwarder or direct to the indexers
Initial Build capable for most loads < 1500 events per day and for teams using
1.0 3 MAR 19
Case Management

Default access to Phantom on Internal infrastructure. Splunk Cloud must have the Standalone Instance
1.2 26 NOV 19
Phantom app and API access. Phantom is in the DMZ or DMZ like
Port Purpose
Used for administering the OS that Phantom is running on. Can be limited to authorized administration
1.3 Updated ports and localized External Splunk architecture 27 APR 20 TCP 22
networks, or blocked if you wish to use the OS console exclusively.
Convenience port for users who do not specify HTTPS when connecting to Phantom instance. Exists
DRAWN TCP 80
Architect only to redirect connections to TCP 443. Can be blocked.
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Customer
TO Company Company Confidential
C1 - High Capacity Clustered Deployment
Intentionally left blank for diagram below

SSVAs - 43 – v2.0
Splunk Phantom Cluster Sizing Plan
Cluster Type Workloads with
active playbooks
DB/
Common
Node
CPU
DB/Common
Node Memory
GB
Phantom
Node CPU
cores
Phantom
Node Memory
GB
Number of
Phantom
Nodes SpVA: C1
cores

XLarge 32 64 16-32 32 8
>50,000
Production Node Drive Mappings Based on size (GB): 200
Large 16 64 8 16 8 Device Mountpoint Size (GB)
Up to
/dev/mapper/centos-root / 40.0
25,000-50,000 per /dev/mapper/centos-opt_phantom_vault /opt/phantom/vault* 20.0
/dev/mapper/centos-opt_phantom_data /opt/phantom/data* 100.0
hour
/dev/mapper/centos-tmp /tmp 10.0
/dev/mapper/centos-var /var 10.0
Medium 16 32 8 16 5
Up to 25,000 /dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore 1.0
/dev/mapper/centos-var_tmp /var/tmp 10.0
events per hour
/dev/mapper/centos-home /home 20.0
Small
Up to 10,000
8 32 4 8 3 Recommended Total: 211.0

events per hour Sizing Production Database Drive Mappings

Device Mountpoint
Based on size (GB):
Size (GB)
1536

/dev/mapper/centos-root / 307.2
/dev/mapper/centos-opt_phantom_vault /opt/phantom/vault* 0.0
/dev/mapper/centos-opt_phantom_data /opt/phantom/data* 460.8
/dev/mapper/centos-tmp /tmp 76.8
TCP 443, /dev/mapper/centos-var /var 76.8
8088-89 /dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore 7.7
9996-97 /dev/mapper/centos-var_tmp /var/tmp 76.8
Phantom
Node /dev/mapper/centos-home /home 153.6
Splunk Total: 1159.7
Embeded
Production File Drive Mappings Based on size (GB): 1536
Device Mountpoint Size (GB)
<glusterfs_hostname>:/apps /<phantom_install_dir>/apps 153.6
<glusterfs_hostname>:/app_states /<phantom_install_dir>/apps 153.6
Internet <glusterfs_hostname>:/scm /<phantom_install_dir>/local_data/app_states 153.6
HAProxy
<glusterfs_hostname>:/tmp /<phantom_install_dir>/scm 153.6
<glusterfs_hostname>:/tmp /<phantom_install_dir>/tmp/shared 153.6
REST App TCP 80, <glusterfs_hostname>:/vault /<phantom_install_dir>/vault 768.0
APIs 443 Total: 1536.0
Phantom NFS Server
Data Node
NFS Server
Firewall
TCP 4369,5671, Port Purpose
8300,8301,8302, TCP 2049 TCP 2049 NFS Service
UDP 111 Portmapper service, needed for NFS
15672, 25672 UDP/TCP 111
TCP 443 TCP 111 Portmapper service, needed for NFS
(or custom ports)
TCP 22
TCP 5432 External Splunk Instance
POSTGRES Port Purpose
Phantom Database TCP 443 Use for Sending Notables to Phantom
Master Cluster TCP 8088 Used as the HTTP Event Collector (HEC) and provides searching capabilities
REST TCP 8089 Used for the REST endpoint to send information to the Splunk Instances
TCP
Analyst, Admins
9996-9997 Used for Universal Forwarder to either a forwarder or direct to the indexers
Data
PROS:
Future Proofed for performance and no additional configuration required
Highest capacity design possible POSTGRES Instance
Port Purpose
TCP 22 Used for administering the OS that POSTGRES is running on
CONS: TCP 5432 PostgreSQL Service. Can be blocked if the DB server is a different host than the shared services node.
Complicated implementation
Requires a lot of unused resource until load is realized
Cluster Message Queue
Site to Site Sync isn’t possible data is single homed to the regional infrastructure
Data is single homed to the sent site. Port Purpose
TCP 4369 RabbitMQ / Erlang port mapper. All cluster nodes must be able to talk to each-other on this port.
TCP 5671 RabbitMQ service. All cluster nodes must be able to talk to each-other on this port.
TCP 8300 Consul RPC services. All cluster nodes must be able to talk to each-other on this port.
Comments: REVISIONS TCP 8301 Consul internode communication. All cluster nodes must be able to talk to each-other on this port.
TCP 8302 Consul internode communication. All cluster nodes must be able to talk to each-other on this port.
RabbitMQ admin UI and HTTP api service. UI is disabled by default. All cluster nodes must be able to
REV DESCRIPTION DATE APPROVED TCP 15672
talk to each-other on this port.
TCP 25672 RabbitMQ internode communications. All cluster nodes must be able to talk to each-other on this port.
1.0 Initial Build 6 Aug 18

Cluster Node
Port Purpose
Used for administering the OS that Phantom is running on. Can be limited to authorized administration
TCP 22
networks, or blocked if you wish to use the OS console exclusively.
Convenience port for users who do not specify HTTPS when connecting to Phantom instance. Exists
DRAWN TCP 80
Architect only to redirect connections to TCP 443. Can be blocked.
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Approver
TO Company Name
C1E - High Capacity Clustered Deployment with Splunk Enterprise Integration
Intentionally left blank for diagram below

SSVAs - 44 – v2.0
Splunk Phantom Cluster Sizing Plan
Cluster Type Workloads with
active playbooks
DB/
Common
Node
CPU
DB/Common
Node Memory
GB
Phantom
Node CPU
cores
Phantom
Node Memory
GB
Number of
Phantom
Nodes SpVA: C1E
cores

events per hour Sizing Production Database Drive Mappings

Device Mountpoint
Based on size (GB):
Size (GB)
1536

/dev/mapper/centos-root / 307.2
/dev/mapper/centos-opt_phantom_vault /opt/phantom/vault* 0.0
/dev/mapper/centos-opt_phantom_data /opt/phantom/data* 460.8
/dev/mapper/centos-tmp /tmp 76.8
TCP 443, /dev/mapper/centos-var /var 76.8
Forwarders /dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore 7.7
8088-89
Phantom 9996-97 /dev/mapper/centos-var_tmp /var/tmp 76.8
Node /dev/mapper/centos-home /home 153.6
Total: 1159.7
Indexers
Production File Drive Mappings Based on size (GB): 1536
Device Mountpoint Size (GB)
<glusterfs_hostname>:/apps /<phantom_install_dir>/apps 153.6
Splunk <glusterfs_hostname>:/app_states /<phantom_install_dir>/apps 153.6
Internet <glusterfs_hostname>:/scm /<phantom_install_dir>/local_data/app_states 153.6
HAProxy Search Head
<glusterfs_hostname>:/tmp /<phantom_install_dir>/scm 153.6
<glusterfs_hostname>:/tmp /<phantom_install_dir>/tmp/shared 153.6
REST App TCP 80, <glusterfs_hostname>:/vault /<phantom_install_dir>/vault 768.0
APIs 443 Total: 1536.0
Phantom NFS Server
Data Node
NFS Server
Firewall
TCP 4369,5671, Port Purpose
8300,8301,8302, TCP 2049 TCP 2049 NFS Service
UDP 111 Portmapper service, needed for NFS
15672, 25672 UDP/TCP 111
TCP 443 TCP 111 Portmapper service, needed for NFS
(or custom ports)
TCP 22
TCP 5432 External Splunk Instance
POSTGRES Port Purpose
Phantom Database TCP 443 Use for Sending Notables to Phantom
Master Cluster TCP 8088 Used as the HTTP Event Collector (HEC) and provides searching capabilities
REST TCP 8089 Used for the REST endpoint to send information to the Splunk Instances
TCP
Analyst, Admins
9996-9997 Used for Universal Forwarder to either a forwarder or direct to the indexers
Data
PROS:
Future Proofed for performance and no additional configuration required
Highest capacity design possible POSTGRES Instance
Port Purpose
TCP 22 Used for administering the OS that POSTGRES is running on
CONS: TCP 5432 PostgreSQL Service. Can be blocked if the DB server is a different host than the shared services node.
Complicated implementation
Requires a lot of unused resource until load is realized
Cluster Message Queue
Site to Site Sync isn’t possible data is single homed to the regional infrastructure
Data is single homed to the sent site. Port Purpose
TCP 4369 RabbitMQ / Erlang port mapper. All cluster nodes must be able to talk to each-other on this port.
TCP 5671 RabbitMQ service. All cluster nodes must be able to talk to each-other on this port.
TCP 8300 Consul RPC services. All cluster nodes must be able to talk to each-other on this port.
Comments: REVISIONS TCP 8301 Consul internode communication. All cluster nodes must be able to talk to each-other on this port.
TCP 8302 Consul internode communication. All cluster nodes must be able to talk to each-other on this port.
RabbitMQ admin UI and HTTP api service. UI is disabled by default. All cluster nodes must be able to
REV DESCRIPTION DATE APPROVED TCP 15672
talk to each-other on this port.
TCP 25672 RabbitMQ internode communications. All cluster nodes must be able to talk to each-other on this port.
1.0 Initial Build 6 Aug 18

Cluster Node
Port Purpose
Used for administering the OS that Phantom is running on. Can be limited to authorized administration
TCP 22
networks, or blocked if you wish to use the OS console exclusively.
Convenience port for users who do not specify HTTPS when connecting to Phantom instance. Exists
DRAWN TCP 80
Architect only to redirect connections to TCP 443. Can be blocked.
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Approver
TO Company Name
C1E+ - High Capacity Clustered Deployment with AWS Integrations or customer provided infrastructure
Intentionally left blank for diagram below

SSVAs - 45 – v2.0
Splunk Phantom Cluster Sizing for Amazon Web Services
Cluster
Type
Workloads with an
active playbook
DB/
Common
Node RDS
Phantom
Node AWS
EC2 size
Number of
Phantom
Nodes
SpVA: C1E+
size
XLarge >50,000 db.m5.16xla c5.4xlarge 8
Production Node Drive Mappings Based on size (GB): 200
rge Device Mountpoint Size (GB)
/dev/mapper/centos-root / 40.0
Large Up to 25,000-50,000 db.m5.4xlar c5.2xlarge 8 /dev/mapper/centos-opt_phantom_vault /opt/phantom/vault* 20.0
/dev/mapper/centos-opt_phantom_data /opt/phantom/data* 100.0
per hour ge /dev/mapper/centos-tmp /tmp 10.0
/dev/mapper/centos-var /var 10.0
Medium Up to 25,000 events db.r4.8xlarg c5.2xlarge 5 External Splunk Instance
/dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore 1.0
/dev/mapper/centos-var_tmp /var/tmp 10.0
per hour e /dev/mapper/centos-home /home 20.0
Total: 211.0
Small Up to 10,000 events db.m5.2xlar c5.xlarge 3 Recommended Production Database Drive Mappings Based on size (GB): 1536
ge
per hour Sizing Device
/dev/mapper/centos-root
Mountpoint
/
Size (GB)
307.2
/dev/mapper/centos-opt_phantom_vault /opt/phantom/vault* 0.0
Forwarders /dev/mapper/centos-opt_phantom_data /opt/phantom/data* 460.8
Phantom /dev/mapper/centos-tmp /tmp 76.8
Node TCP 443 /dev/mapper/centos-var /var 76.8
8088, 8089 /dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore 7.7
TCP 9996-7 Indexers /dev/mapper/centos-var_tmp /var/tmp 76.8
/dev/mapper/centos-home /home 153.6
TCP 2049 Total: 1159.7
UDP/TCP 111
Elastic Load Production File Drive Mappings Based on size (GB): 1536
Splunk
Balancers Device Mountpoint Size (GB)
Search Head
<glusterfs_hostname>:/apps /<phantom_install_dir>/apps 153.6
<glusterfs_hostname>:/app_states /<phantom_install_dir>/apps 153.6
<glusterfs_hostname>:/scm /<phantom_install_dir>/local_data/app_states 153.6
<glusterfs_hostname>:/tmp /<phantom_install_dir>/scm 153.6
<glusterfs_hostname>:/tmp /<phantom_install_dir>/tmp/shared 153.6
Load <glusterfs_hostname>:/vault /<phantom_install_dir>/vault 768.0
Balancer Phantom Elastic File Total: 1536.0
Node Services

Internet NFS Server

TCP 4369,5671, Port Purpose
8300,8301,8302, TCP 2049 NFS Service
REST App TCP 15672, 25672 UDP 111 Portmapper service, needed for NFS
APIs 80,443 TCP 111 Portmapper service, needed for NFS
Data

Firewall External Splunk Instance

TCP 22
TCP 5432 Port Purpose
Phantom TCP 443 Use for Sending Notables to Phantom
Master TCP 8088 Used as the HTTP Event Collector (HEC) and provides searching capabilities
RDS postgres
TCP 443 SQL Database TCP 8089 Used for the REST endpoint to send information to the Splunk Instances
TCP
(or custom ports) TCP 9996-9997 Used for Universal Forwarder to either a forwarder or direct to the indexers
443,22
PROS:
Future Proofed for performance and no additional configuration required
Highest capacity design possible POSTGRES Instance
Port Purpose
REST TCP 22 Used for administering the OS that POSTGRES is running on
CONS: TCP 5432 PostgreSQL Service. Can be blocked if the DB server is a different host than the shared services node.
Data Complicated implementation
Analyst, Admins
Requires a lot of unused resource until load is realized
Cluster Message Queue
Site to Site Sync isn’t possible data is single homed to the regional infrastructure
Data is single homed to the sent site. Port Purpose
TCP 4369 RabbitMQ / Erlang port mapper. All cluster nodes must be able to talk to each-other on this port.
TCP 5671 RabbitMQ service. All cluster nodes must be able to talk to each-other on this port.
TCP 8300 Consul RPC services. All cluster nodes must be able to talk to each-other on this port.
Comments: This is our Default PS Recommendation REVISIONS TCP 8301 Consul internode communication. All cluster nodes must be able to talk to each-other on this port.
TCP 8302 Consul internode communication. All cluster nodes must be able to talk to each-other on this port.
RabbitMQ admin UI and HTTP api service. UI is disabled by default. All cluster nodes must be able to
REV DESCRIPTION DATE APPROVED TCP 15672
talk to each-other on this port.
TCP 25672 RabbitMQ internode communications. All cluster nodes must be able to talk to each-other on this port.
1.0 Initial Build 6 Aug 18

Cluster Node
Port Purpose
Used for administering the OS that Phantom is running on. Can be limited to authorized administration
TCP 22
networks, or blocked if you wish to use the OS console exclusively.
Convenience port for users who do not specify HTTPS when connecting to Phantom instance. Exists
DRAWN TCP 80
Architect only to redirect connections to TCP 443. Can be blocked.
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Approver
TO Company Name
Splunk Phantom Cluster Sizing Plan
Cluster Type Workloads with
active playbooks
DB/
Common
Node
CPU
DB/Common
Node Memory
GB
Phantom
Node CPU
cores
Phantom
Node Memory
GB
Number of
Phantom
Nodes SpVA: C1E+
cores

XLarge 32 64 16-32 32 8
>50,000
Production Node Drive Mappings Based on size (GB): 200
Large 16 64 8 16 8 Device Mountpoint Size (GB)
Up to /dev/mapper/centos-root / 40.0
25,000-50,000 per /dev/mapper/centos-opt_phantom_vault /opt/phantom/vault* 20.0
/dev/mapper/centos-opt_phantom_data /opt/phantom/data* 100.0
hour /dev/mapper/centos-tmp /tmp 10.0
/dev/mapper/centos-var /var 10.0
Medium 16 32 8 16 5 /dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore 1.0
Up to 25,000
/dev/mapper/centos-var_tmp /var/tmp 10.0
events per hour /dev/mapper/centos-home /home 20.0

Small
Up to 10,000
8 32 4 8 3 Recommended External Splunk Instance Total: 211.0

External Splunk Instance

TCP 22
TCP 5432 Port Purpose
Phantom TCP 443 Use for Sending Notables to Phantom
Master POSTGRES TCP 8088 Used as the HTTP Event Collector (HEC) and provides searching capabilities
TCP 8089 Used for the REST endpoint to send information to the Splunk Instances
TCP 443 Database
TCP
(or custom ports) TCP Cluster
9996-9997 Used for Universal Forwarder to either a forwarder or direct to the indexers
443,22
PROS:
Future Proofed for performance and no additional configuration required
Highest capacity design possible POSTGRES Instance
Port Purpose
REST TCP 22 Used for administering the OS that POSTGRES is running on
CONS: TCP 5432 PostgreSQL Service. Can be blocked if the DB server is a different host than the shared services node.
Data Complicated implementation
Analyst, Admins
Requires a lot of unused resource until load is realized
Cluster Message Queue
Site to Site Sync isn’t possible data is single homed to the regional infrastructure
Data is single homed to the sent site. Port Purpose
TCP 4369 RabbitMQ / Erlang port mapper. All cluster nodes must be able to talk to each-other on this port.
TCP 5671 RabbitMQ service. All cluster nodes must be able to talk to each-other on this port.
TCP 8300 Consul RPC services. All cluster nodes must be able to talk to each-other on this port.
Comments: This is our Default PS Recommendation REVISIONS TCP 8301 Consul internode communication. All cluster nodes must be able to talk to each-other on this port.
TCP 8302 Consul internode communication. All cluster nodes must be able to talk to each-other on this port.
RabbitMQ admin UI and HTTP api service. UI is disabled by default. All cluster nodes must be able to
REV DESCRIPTION DATE APPROVED TCP 15672
talk to each-other on this port.
TCP 25672 RabbitMQ internode communications. All cluster nodes must be able to talk to each-other on this port.
1.0 Initial Build 6 Aug 18

Cluster Node
Port Purpose
Used for administering the OS that Phantom is running on. Can be limited to authorized administration
TCP 22
networks, or blocked if you wish to use the OS console exclusively.
Convenience port for users who do not specify HTTPS when connecting to Phantom instance. Exists
DRAWN TCP 80
Architect only to redirect connections to TCP 443. Can be blocked.
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Approver
TO Company Name
C1CE - High Capacity Clustered Deployment with Splunk Cloud
Intentionally left blank for diagram below

SSVAs - 46 – v2.0
Splunk Phantom Cluster Sizing Plan
Cluster Type Workloads with
active playbooks
DB/
Common
Node
CPU
DB/Common
Node Memory
GB
Phantom
Node CPU
cores
Phantom
Node Memory
GB
Number of
Phantom
Nodes SpVA: C1CE
cores

XLarge 32 64 16-32 32 8
>50,000
Production Node Drive Mappings Based on size (GB): 200
Large 16 64 8 16 8 Device Mountpoint Size (GB)
Up to /dev/mapper/centos-root / 40.0
25,000-50,000 per /dev/mapper/centos-opt_phantom_vault /opt/phantom/vault* 20.0
/dev/mapper/centos-opt_phantom_data /opt/phantom/data* 100.0
hour /dev/mapper/centos-tmp /tmp 10.0
/dev/mapper/centos-var /var 10.0
Medium 16 32 8 16 5 /dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore 1.0
Up to 25,000
/dev/mapper/centos-var_tmp /var/tmp 10.0
events per hour /dev/mapper/centos-home /home 20.0

Small
Up to 10,000
8 32 4 8 3 Recommended Total: 211.0

Sizing
Production Database Drive Mappings Based on size (GB): 1536
events per hour Device Mountpoint Size (GB)
/dev/mapper/centos-root / 307.2
/dev/mapper/centos-opt_phantom_vault /opt/phantom/vault* 0.0
External Splunk Instance /dev/mapper/centos-opt_phantom_data /opt/phantom/data* 460.8
Search Head /dev/mapper/centos-tmp /tmp 76.8
/dev/mapper/centos-var /var 76.8
TCP 443, /dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore 7.7
8088-89 /dev/mapper/centos-var_tmp /var/tmp 76.8
9996-97 /dev/mapper/centos-home /home 153.6
Phantom
Node Total: 1159.7
Splunk
Embeded Production File Drive Mappings Based on size (GB): 1536
Device Mountpoint Size (GB)
<glusterfs_hostname>:/apps /<phantom_install_dir>/apps 153.6
<glusterfs_hostname>:/app_states /<phantom_install_dir>/apps 153.6
<glusterfs_hostname>:/scm /<phantom_install_dir>/local_data/app_states 153.6
Indexers Splunk> cloud HAProxy <glusterfs_hostname>:/tmp /<phantom_install_dir>/scm 153.6
<glusterfs_hostname>:/tmp /<phantom_install_dir>/tmp/shared 153.6
<glusterfs_hostname>:/vault /<phantom_install_dir>/vault 768.0
Forwarders Total: 1536.0
Phantom NFS Server
Internet Node NFS Server
Port Purpose
REST App TCP TCP 4369,5671, TCP 2049 NFS Service
TCP 2049 UDP 111 Portmapper service, needed for NFS
APIs 80,443 8300,8301,8302,
TCP 111 Portmapper service, needed for NFS
Data 15672, 25672 UDP/TCP 111
TCP 443
(or custom ports)
Firewall TCP 22 External Splunk Instance
TCP 5432
Port Purpose
POSTGRES TCP 443 Use for Sending Notables to Phantom
Phantom Database TCP 8088 Used as the HTTP Event Collector (HEC) and provides searching capabilities
Cluster TCP 8089 Used for the REST endpoint to send information to the Splunk Instances
Master
REST TCP
9996-9997 Used for Universal Forwarder to either a forwarder or direct to the indexers
Analyst, Admins
Data PROS:
Future Proofed for performance and no additional configuration required
Highest capacity design possible POSTGRES Instance
Port Purpose
TCP 22 Used for administering the OS that POSTGRES is running on
CONS: TCP 5432 PostgreSQL Service. Can be blocked if the DB server is a different host than the shared services node.
Complicated implementation
Requires a lot of unused resource until load is realized
Cluster Message Queue
Site to Site Sync isn’t possible data is single homed to the regional infrastructure
Data is single homed to the sent site. Port Purpose
TCP 4369 RabbitMQ / Erlang port mapper. All cluster nodes must be able to talk to each-other on this port.
TCP 5671 RabbitMQ service. All cluster nodes must be able to talk to each-other on this port.
TCP 8300 Consul RPC services. All cluster nodes must be able to talk to each-other on this port.
Comments: This is our Default PS Recommendation REVISIONS TCP 8301 Consul internode communication. All cluster nodes must be able to talk to each-other on this port.
TCP 8302 Consul internode communication. All cluster nodes must be able to talk to each-other on this port.
RabbitMQ admin UI and HTTP api service. UI is disabled by default. All cluster nodes must be able to
REV DESCRIPTION DATE APPROVED TCP 15672
talk to each-other on this port.
TCP 25672 RabbitMQ internode communications. All cluster nodes must be able to talk to each-other on this port.
1.0 Initial Build 6 Aug 18

Cluster Node
Port Purpose
Used for administering the OS that Phantom is running on. Can be limited to authorized administration
TCP 22
networks, or blocked if you wish to use the OS console exclusively.
Convenience port for users who do not specify HTTPS when connecting to Phantom instance. Exists
DRAWN TCP 80
Architect only to redirect connections to TCP 443. Can be blocked.
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Approver
TO Company Name
C1CE+ - High Capacity Clustered Deployment with Splunk Cloud and AWS Integrations
Intentionally left blank for diagram below

SSVAs - 47 – v2.0
Splunk Phantom Cluster Sizing for Amazon Web Services
Cluster
Type
Workloads with an
active playbook
DB/
Common
Node RDS
Phantom
Node AWS
EC2 size
Number of
Phantom
Nodes
SpVA: C1CE+
size
XLarge >50,000 db.m5.16xla c5.4xlarge 8
rge Production Node Drive Mappings Based on size (GB): 200
Device Mountpoint Size (GB)
/dev/mapper/centos-root / 40.0
Large Up to 25,000-50,000 db.m5.4xlar c5.2xlarge 8 /dev/mapper/centos-opt_phantom_vault /opt/phantom/vault* 20.0
per hour ge /dev/mapper/centos-opt_phantom_data /opt/phantom/data* 100.0
/dev/mapper/centos-tmp /tmp 10.0
/dev/mapper/centos-var /var 10.0
Medium Up to 25,000 events db.r4.8xlarg c5.2xlarge 5 /dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore 1.0
per hour e /dev/mapper/centos-var_tmp /var/tmp 10.0
/dev/mapper/centos-home /home 20.0

Small Up to 10,000 events db.m5.2xlar c5.xlarge 3 Recommended Total: 211.0

ge
per hour Sizing Production Database Drive Mappings
Device Mountpoint
Based on size (GB):
Size (GB)
1536

/dev/mapper/centos-root / 307.2
/dev/mapper/centos-opt_phantom_vault /opt/phantom/vault* 0.0
External Splunk Instance /dev/mapper/centos-opt_phantom_data /opt/phantom/data* 460.8
Search Head /dev/mapper/centos-tmp /tmp 76.8
/dev/mapper/centos-var /var 76.8
/dev/mapper/centos-opt_phantom_keystore /opt/phantom/keystore 7.7
Phantom TCP 2049
/dev/mapper/centos-var_tmp /var/tmp 76.8
Node UDP/TCP 111
/dev/mapper/centos-home /home 153.6
Total: 1159.7

Elastic Load Production File Drive Mappings Based on size (GB): 1536
Balancers Device Mountpoint Size (GB)
<glusterfs_hostname>:/apps /<phantom_install_dir>/apps 153.6
<glusterfs_hostname>:/app_states /<phantom_install_dir>/apps 153.6
Elastic File <glusterfs_hostname>:/scm /<phantom_install_dir>/local_data/app_states 153.6
Indexers Splunk> cloud Services <glusterfs_hostname>:/tmp /<phantom_install_dir>/scm 153.6
<glusterfs_hostname>:/tmp /<phantom_install_dir>/tmp/shared 153.6
Load <glusterfs_hostname>:/vault /<phantom_install_dir>/vault 768.0
Balancer Phantom
Forwarders Total: 1536.0
Node
Internet NFS Server
TCP 4369,5671, Port Purpose
8300,8301,8302, TCP 2049 NFS Service
REST App TCP 15672, 25672 UDP 111 Portmapper service, needed for NFS
APIs 80,443 TCP 111 Portmapper service, needed for NFS
Data TCP 22
TCP 5432
Firewall RDS postgres External Splunk Instance
SQL Database
Port Purpose
Phantom TCP 443 Use for Sending Notables to Phantom
Master TCP 8088 Used as the HTTP Event Collector (HEC) and provides searching capabilities
TCP 443 TCP 8089 Used for the REST endpoint to send information to the Splunk Instances
TCP
(or custom ports) TCP 9996-9997 Used for Universal Forwarder to either a forwarder or direct to the indexers
443,22
PROS:
Future Proofed for performance and no additional configuration required
Highest capacity design possible POSTGRES Instance
Port Purpose
REST TCP 22 Used for administering the OS that POSTGRES is running on
CONS: TCP 5432 PostgreSQL Service. Can be blocked if the DB server is a different host than the shared services node.
Data Complicated implementation
Analyst, Admins
Requires a lot of unused resource until load is realized
Cluster Message Queue
Site to Site Sync isn’t possible data is single homed to the regional infrastructure
Data is single homed to the sent site. Port Purpose
TCP 4369 RabbitMQ / Erlang port mapper. All cluster nodes must be able to talk to each-other on this port.
TCP 5671 RabbitMQ service. All cluster nodes must be able to talk to each-other on this port.
TCP 8300 Consul RPC services. All cluster nodes must be able to talk to each-other on this port.
Comments: This is our Default PS Recommendation REVISIONS TCP 8301 Consul internode communication. All cluster nodes must be able to talk to each-other on this port.
TCP 8302 Consul internode communication. All cluster nodes must be able to talk to each-other on this port.
RabbitMQ admin UI and HTTP api service. UI is disabled by default. All cluster nodes must be able to
REV DESCRIPTION DATE APPROVED TCP 15672
talk to each-other on this port.
TCP 25672 RabbitMQ internode communications. All cluster nodes must be able to talk to each-other on this port.
1.0 Initial Build 6 Aug 18

Cluster Node
Port Purpose
Used for administering the OS that Phantom is running on. Can be limited to authorized administration
TCP 22
networks, or blocked if you wish to use the OS console exclusively.
Convenience port for users who do not specify HTTPS when connecting to Phantom instance. Exists
DRAWN TCP 80
Architect only to redirect connections to TCP 443. Can be blocked.
BY HTTPS interface for the web UI for Phantom, as well as REST access. Must be exposed to anything
TCP 443
ISSUED accessing the Phantom services.
Approver
TO Company Name
M2E - High Capacity Clustered Deployment - Consult your Splunk Architect for a custom solution
Intentionally left blank for diagram below

SSVAs - 48 – v2.0
M2CE – Consult your Splunk Architect for a custom solution
M2CE+ - Consult your Splunk Architect for a custom solution

SSVAs - 49 – v2.0
1.7.2 Aligning Your Topology with Best Practices
You will need to keep your requirements and topology in mind in order to select the appropriate design principles
and best practices for your deployment. Therefore, you should consider best practices only after you have
completed Steps 1 and 2 of the Splunk SOAR Validated Architectures selection process above.

1.7.3 Best Practices: Tier-Specific Recommendations

Below you will find design principles and best practices recommendation for each deployment tier. Each design
principle reinforces one or more of the SSVA pillars: Availability, Performance, Scalability, Security, and
Manageability.

1.7.3.1 Automation and Case Management Tier Recommendations

SSVA PILLARS

DESIGN PRINCIPLES / BEST PRACTICES

MANAGEABILITY
PERFORMANCE
AVAILABILITY

SCALABILITY
(Your requirements will determine which practices apply to you)

SECURITY
1 Consider using SSDs for data volumes
SSDs have reached economical prices and remove any possible IO
limitations that are often the cause for unsatisfactory search
performance.

2 Keep automation tier close (in network terms) to the user base
Lowest possible network latency will have positive effect on user
experience when using case management.

3 Use warm standby replication to minimize configuration and

maintenance
Warm standby ensures a copy of every event in the SOAR platform is
protected against SOAR node failure.

4 Consider using LDAP/SAML auth whenever possible

Centrally managing user identities for authentication purposes is a
general enterprise best practice, simplifies management of your
Splunk deployment and increases security.

5 Ensure enough cores and memory to cover automation needs (start

with 32GBs and 16 Cores, for a single instance)
Every automation workflow requires Memory and CPU cores to
execute. If there is memory pressure or no cores are available to run a
playbook, the playbook will be queued, resulting in playbook and
action delays for the user.

6 Avoid using multiple independent SOAR instances

Independent SOAR instances do not allow sharing of Splunk artifacts
created by users.

7 Utilize git services for playbook replication between development and

production automation tiers

8 Monitor critical automation metrics

SSVAs - 50 – v2.0
Splunk provides you with a monitoring console that provides key
performance metrics on how your automation tier is performing. This
includes disk usage, CPU and memory utilization, as well as detailed
metrics of internal Splunk components (processes, process utilization,
and queues).

SSVAs - 51 – v2.0
Summary & Next Steps
This white paper provided a general introduction to Splunk SOAR Validated Architectures and ensures that your
organization's requirements are being met in the most cost-effective, manageable, and scalable way
possible. SSVAs offer best practices and design principles built upon the following foundational pillars:
● Availability
● Performance
● Scalability
● Security
● Manageability
This white paper has also covered the 3-step Splunk SOAR Validated Architectures selection process:
1) Definition of requirements,
2) Choosing a topology, and
3) Applying design principles and best practices.
Now that you are familiar with the multiple benefits of Splunk SOAR Validated Architectures, we hope you are
ready to move forward with the process of choosing a suitable deployment topology for your organization.

1.8 Next Steps

So, what comes after choosing a Validated Architecture? The next steps on your journey to a working
environment include:
Customizations
● Consider any necessary customizations your chosen topology may need to meet specific requirements.
Deployment Model
● Decide on deployment model (bare metal, virtual, cloud). We highly recommend virtual whether they are “on
premise” or cloud based.
System
● Select your technology (servers, storage, operating systems) according to Splunk system requirements.
(https://docs.splunk.com/Documentation/SOAR/4.8/Install/Requirements)
Sizing
● Gather all the relevant data you will need to size your deployment (data ingest, expected playbook volume,
data retention needs, replication, etc.) Discuss these requirements with your assigned Splunk SOAR Security
Solutions Architect.
Staffing
● Evaluate your staffing needs to implement and manage your deployment. This is an essential part of building
out a Splunk Center of Excellence.
We are here to assist you throughout the Validated Architectures process and with next steps. Please feel free to
engage your Splunk Account Team with any questions you might have. Your Account Team will have access to
the full suite of technical and architecture resources within Splunk and will be happy to provide you with further
information.

Happy Splunking!

SSVAs - 52 – v2.0
Appendix
This section contains additional reference information used in the SSVAs.

1.9 Appendix "A": SSVA Pillars Explained

Pillar Description Primary Goals / Design Principles

Availability The ability to be continuously 1. Eliminate single points of failure / Add

operational and able to recover from redundancy
planned and unplanned outages or
2. Detect planned and unplanned
disruptions.
failures/outages
3. Tolerate planned/unplanned outages,
ideally automatically
4. Plan for rolling upgrades

Performance The ability to effectively use available 1. Add hardware to improve performance;
resources to maintain optimal level of compute, storage, memory.
service under varying usage patterns.
2. Eliminate bottlenecks 'from the bottom up'
3. Exploit all means of concurrent
processing
4. Exploit locality (i.e. minimize distribution of
components)
5. Optimize for the common case (80/20
rule)
6. Avoid unnecessary generality
7. Time shift computation (pre-compute,
lazily compute, share/batch compute)
8. Trade certainty and accuracy for time
(randomization, sampling)

Scalability The ability to ensure that the system is 1. Scale vertically and horizontally
designed to scale on all tiers and handle
2. Separate functional components that
increased workloads effectively.
need to be scaled individually
3. Minimize dependencies between
components
4. Design for known future growth as early
as possible
5. Introduce hierarchy in the overall system
design

Security The ability to ensure that the system is 1. Design for a secure system from the start
designed to protect data as well as
2. Employ state-of-the art protocols for all
configurations/assets while continuing to
communications
deliver value.
3. Allow for broad-level and granular access
to event data
4. Employ centralized authentication
5. Implement auditing procedures
6. Reduce attack or malicious use surface
area

SSVAs - 53 – v2.0
Manageability The ability to ensure the system is 1. Provide a centralized management
designed to be centrally operable and function
manageable across all tiers.
2. Manage configuration object lifecycle
(source control)
3. Measure and monitor/profile application
(Splunk) usage
4. Measure and monitor system health

1.10 Appendix "B": Topology Components

Tier Component Icon Description Notes

Automation SOAR (PH) A SOAR tenant or SOAR tenant is software as a service

and Case Node node provides the instance for your organization.
Management UI for Splunk users
SOAR Node is a dedicated Splunk
and provides case
SOAR appliance in distributed
management and
deployments.
playbook
development SOAR Node is frequently virtualized to
activities. provide vertical scalability and easy
failure recovery, provided they are
deployed with the appropriate CPU
and memory resources.

SOAR A SOAR cluster SOAR clusters require dedicated

Cluster provides the UI for servers of ideally identical system
Splunk users and specifications.
provides case
SOAR clusters are frequently
management and
virtualized, provided they are deployed
playbook
with the appropriate CPU and memory
development
resources.
activities.

Automation A docker container SOAR Automation Broker provides

Broker that loads access to systems and resources for
applications and on premise or non-internet accessible
allows SOAR to resources.
interact with on
SOAR Automation Broker requires
premise systems or
internet access to communicate to
services.
SOAR services.

Shared Gluster File Gluster file server Gluster file servers provide file storage
Services Server provides an open- activities for the case management
(gFS) source secure file capabilities or playbook automation.
server.

External External database Externalizing the PostgreSQL

Database is a PostgreSQL database will improve SOAR
(Ext DB) database or performance but will keep the data to
database server only one site. This database can be
that provides the clustered also to improve data
core UI data and resiliency.
storage for all the
actions.

SSVAs - 54 – v2.0
clustered
environments.

HA Proxy HA Proxy is an HA Proxy is easily configured and

open-source load maintains its node relationship
balancer for the automatically. However, it does have
SOAR Clustered limited enterprise functionality. For
configurations. robust cluster configurations, Splunk
recommends appropriate enterprise
network load balances for mission
critical cluster operations.

Reporting Search The search head Search heads are dedicated Splunk
Head (SH) provides the UI for instances in distributed deployments.
Splunk users and Search heads can be virtualized for
coordinates easy failure recovery, provided they
scheduled search are deployed with appropriate CPU
activity. and memory resources.

Search A search head Search head clusters require

Head cluster is a pool of dedicated servers of ideally identical
Cluster at least three system specifications. Search head
(SHC) clustered Search cluster members can be virtualized for
Heads. It provides easy failure recovery, provided they
horizontal are deployed with appropriate CPU
scalability for the and memory resources.
search head tier
and transparent
user failover in
case of outages.

SSVAs - 56 – v2.0

SPLK-2003 Updated Dumps - Splunk SOAR Certified Automation Developer Exam
0% (1)
SPLK-2003 Updated Dumps - Splunk SOAR Certified Automation Developer Exam
11 pages
14411
100% (1)
14411
70 pages
Splunk SOAR: Five Automation Use Cases For
No ratings yet
Splunk SOAR: Five Automation Use Cases For
13 pages
Splunk Enterprise Security Installation and Upgrade Manual 6.0.0
No ratings yet
Splunk Enterprise Security Installation and Upgrade Manual 6.0.0
41 pages
Thor / Spark Log Analysis: Version 1.0, November 2017 Florian Roth, Nextron Systems GMBH
No ratings yet
Thor / Spark Log Analysis: Version 1.0, November 2017 Florian Roth, Nextron Systems GMBH
41 pages
Qualys Multi-Vector EDR: Lab Tutorial Supplement
No ratings yet
Qualys Multi-Vector EDR: Lab Tutorial Supplement
24 pages
Splunk-7 2 1-Indexer
No ratings yet
Splunk-7 2 1-Indexer
446 pages
SPLNK ADM Splunk Certified Administrator
No ratings yet
SPLNK ADM Splunk Certified Administrator
1 page
Rep 1110110404 PDF
0% (1)
Rep 1110110404 PDF
1,400 pages
Allotment of Shares Pursuant To A Contract
0% (1)
Allotment of Shares Pursuant To A Contract
2 pages
Customer Contract Quote Number Quote Date: Total For Freight USD 3030
No ratings yet
Customer Contract Quote Number Quote Date: Total For Freight USD 3030
2 pages
Splunk Validated Architectures: October 2020
100% (1)
Splunk Validated Architectures: October 2020
48 pages
Splunk Deployment Guidelines
No ratings yet
Splunk Deployment Guidelines
12 pages
Simulating, Detecting, and Responding To Log4Shell With Splunk - Splunk
No ratings yet
Simulating, Detecting, and Responding To Log4Shell With Splunk - Splunk
1 page
SIEM Trends: To Watch in 2021
No ratings yet
SIEM Trends: To Watch in 2021
8 pages
Enterprise Security Script: Splunk Security Solutions Marketing October 2019
No ratings yet
Enterprise Security Script: Splunk Security Solutions Marketing October 2019
26 pages
Setting Up Splunk For Vmware Monitoring: Proven Practice Guide
No ratings yet
Setting Up Splunk For Vmware Monitoring: Proven Practice Guide
18 pages
Analytics-Based Investigation & Automated Response With AWS + Splunk Security Solutions
No ratings yet
Analytics-Based Investigation & Automated Response With AWS + Splunk Security Solutions
37 pages
Lab Exercises: Lab Module 4 - Ingesting Data
No ratings yet
Lab Exercises: Lab Module 4 - Ingesting Data
8 pages
Splunk Test Blueprint Soar Automation Developer
No ratings yet
Splunk Test Blueprint Soar Automation Developer
5 pages
Splunk-7.0.0-Knowledge - Knowledge Manager Manual 2
No ratings yet
Splunk-7.0.0-Knowledge - Knowledge Manager Manual 2
426 pages
Elastic Endpoint Security Fundamentals PDF
No ratings yet
Elastic Endpoint Security Fundamentals PDF
93 pages
Using ES 5.0 Labs
50% (2)
Using ES 5.0 Labs
28 pages
How To Use Splunk For Automated Regulatory Compliance PDF
No ratings yet
How To Use Splunk For Automated Regulatory Compliance PDF
74 pages
NEW Security4Rookiesv1.3
No ratings yet
NEW Security4Rookiesv1.3
98 pages
Splunk Enterprise Security Implementation Success
No ratings yet
Splunk Enterprise Security Implementation Success
3 pages
Common TTPs of The Modern Ransomware Low Res
No ratings yet
Common TTPs of The Modern Ransomware Low Res
137 pages
Splunk AdminES - Slides
No ratings yet
Splunk AdminES - Slides
385 pages
Strategy Document for SOC Setup as an MSSP
No ratings yet
Strategy Document for SOC Setup as an MSSP
34 pages
Security Monitoring: Amit Kumar Gupta Security Analyst
No ratings yet
Security Monitoring: Amit Kumar Gupta Security Analyst
17 pages
SplunkCloud-6 6 3-SearchTutorial PDF
No ratings yet
SplunkCloud-6 6 3-SearchTutorial PDF
103 pages
310 Red Teaming MS SQL Server PDF
No ratings yet
310 Red Teaming MS SQL Server PDF
139 pages
Building Correlation Searches With Splunk Enterprise Security Takeaway
No ratings yet
Building Correlation Searches With Splunk Enterprise Security Takeaway
4 pages
Akamai Splunk SIEM Splunk Connector
100% (1)
Akamai Splunk SIEM Splunk Connector
12 pages
Splunk troubleshooting
No ratings yet
Splunk troubleshooting
7 pages
APAC Splunk Attack Analyzer Webinar
No ratings yet
APAC Splunk Attack Analyzer Webinar
47 pages
Splunk-Overview - SIEM
No ratings yet
Splunk-Overview - SIEM
44 pages
Cyops1.1 Chp07-Dts Oa
No ratings yet
Cyops1.1 Chp07-Dts Oa
49 pages
Courses For Cloud Customers
No ratings yet
Courses For Cloud Customers
1 page
DZone TR Data Pipelines 2022 Spotlight Dremio
No ratings yet
DZone TR Data Pipelines 2022 Spotlight Dremio
42 pages
Tenable and Splunk Integration Guide
No ratings yet
Tenable and Splunk Integration Guide
66 pages
Creating Splunk Knowledge - Labs
No ratings yet
Creating Splunk Knowledge - Labs
25 pages
IT2184 Tunning
No ratings yet
IT2184 Tunning
36 pages
Fortisiem 4.10.0 User Guide
50% (2)
Fortisiem 4.10.0 User Guide
555 pages
Elastic Siem Fundamentals: An Elastic Training Course
No ratings yet
Elastic Siem Fundamentals: An Elastic Training Course
32 pages
Nuevo Blueteam
No ratings yet
Nuevo Blueteam
100 pages
Corelight's Introductory Guide To Threat Hunting With Zeek (Bro) Logs
No ratings yet
Corelight's Introductory Guide To Threat Hunting With Zeek (Bro) Logs
6 pages
Soar in Soc
No ratings yet
Soar in Soc
38 pages
Best Practices and Better Practices For Admins Latest Slides: Collaborate: #Bestpractices Sign Up at HTTP://SPLK - It/slack
No ratings yet
Best Practices and Better Practices For Admins Latest Slides: Collaborate: #Bestpractices Sign Up at HTTP://SPLK - It/slack
105 pages
Defend Against Malicious Insiders Using Splunk Enterprise Security, Splunk's Machine Learning Toolkit, and Statistics
No ratings yet
Defend Against Malicious Insiders Using Splunk Enterprise Security, Splunk's Machine Learning Toolkit, and Statistics
36 pages
Sample Data Into Splunk Enterprise
No ratings yet
Sample Data Into Splunk Enterprise
58 pages
Security Information and Event Management: Category 7
No ratings yet
Security Information and Event Management: Category 7
33 pages
Splunk 6.0.1 SearchTutorial
No ratings yet
Splunk 6.0.1 SearchTutorial
70 pages
Cortex XSOAR: Redefining Security Orchestration, Automation, and Response
No ratings yet
Cortex XSOAR: Redefining Security Orchestration, Automation, and Response
7 pages
Dataonboarding
No ratings yet
Dataonboarding
17 pages
SplunkAdminManual 3.4.6
No ratings yet
SplunkAdminManual 3.4.6
408 pages
© 2018 Caendra, Inc. - Hera For PTP - SNMP Analysis
No ratings yet
© 2018 Caendra, Inc. - Hera For PTP - SNMP Analysis
13 pages
Endpoint Security 10.7.x Installation Guide Windows - en Us
No ratings yet
Endpoint Security 10.7.x Installation Guide Windows - en Us
70 pages
Qualys Patch Management Getting Started Guide
No ratings yet
Qualys Patch Management Getting Started Guide
40 pages
The Absolute Guide To Siem
No ratings yet
The Absolute Guide To Siem
13 pages
AlienVault PCI DSS 3.0 Compliance
No ratings yet
AlienVault PCI DSS 3.0 Compliance
5 pages
Mastering Splunk for Cybersecurity: Advanced Threat Detection and Analysis
From Everand
Mastering Splunk for Cybersecurity: Advanced Threat Detection and Analysis
Robert Johnson
No ratings yet
Ultimate Splunk for Cybersecurity: Practical Strategies for SIEM Using Splunk’s Enterprise Security (ES) for Threat Detection, Forensic Investigation, and Cloud Security (English Edition)
From Everand
Ultimate Splunk for Cybersecurity: Practical Strategies for SIEM Using Splunk’s Enterprise Security (ES) for Threat Detection, Forensic Investigation, and Cloud Security (English Edition)
Jit Sinha
No ratings yet
Disaster Recovery Using VMware vSphere Replication and vCenter Site Recovery Manager
From Everand
Disaster Recovery Using VMware vSphere Replication and vCenter Site Recovery Manager
Abhilash GB
No ratings yet
Additional Consolidation Reporting Issues: Douglas Cloud
No ratings yet
Additional Consolidation Reporting Issues: Douglas Cloud
21 pages
Business Presentation On Patanjali
100% (1)
Business Presentation On Patanjali
29 pages
Lesson Plan
No ratings yet
Lesson Plan
7 pages
Interfaith Marriage in Islam - An Examination of The Legal Theory PDF
No ratings yet
Interfaith Marriage in Islam - An Examination of The Legal Theory PDF
31 pages
2035-Wanjau Kabuchi Kabuchi
No ratings yet
2035-Wanjau Kabuchi Kabuchi
1 page
Author Colette Fadel Awad’s New Book, "Miracle and Hope," is a Powerful Memoir That Documents How She and Her Family Endured in the Face of a Medical Emergency
No ratings yet
Author Colette Fadel Awad’s New Book, "Miracle and Hope," is a Powerful Memoir That Documents How She and Her Family Endured in the Face of a Medical Emergency
3 pages
Mutual Protection in A Cloud Computing Environment
No ratings yet
Mutual Protection in A Cloud Computing Environment
6 pages
ThanjavurRegion
No ratings yet
ThanjavurRegion
6 pages
Lesson 4 - MTF1 - Energy, Energy Transfer and General Energy Analysis - 2021
No ratings yet
Lesson 4 - MTF1 - Energy, Energy Transfer and General Energy Analysis - 2021
11 pages
Smart Everything, Everywhere: Mobile Consumer Survey 2017 The Australian Cut
No ratings yet
Smart Everything, Everywhere: Mobile Consumer Survey 2017 The Australian Cut
51 pages
CHAPTER VIII: Women's Movement in The Philippines: Study Guide For Module No. 8
No ratings yet
CHAPTER VIII: Women's Movement in The Philippines: Study Guide For Module No. 8
8 pages
HTB1eKezGpXXXXcuXFXX PRXFXXXD
No ratings yet
HTB1eKezGpXXXXcuXFXX PRXFXXXD
4 pages
1629888174-Xam Idea Geography Solutions Class 9 Chapter 5 Natural Vegetation and Wildlife
0% (1)
1629888174-Xam Idea Geography Solutions Class 9 Chapter 5 Natural Vegetation and Wildlife
11 pages
CoalTrans Asia Convention 2014
No ratings yet
CoalTrans Asia Convention 2014
14 pages
Dewatering Method Statement For Waste Water Network System
No ratings yet
Dewatering Method Statement For Waste Water Network System
13 pages
Network Design
No ratings yet
Network Design
42 pages
Sweet Potatoes
100% (2)
Sweet Potatoes
8 pages
ARIIX Pricelist (US & CA)
No ratings yet
ARIIX Pricelist (US & CA)
2 pages
Pet, Farm and Wild Animals - Quizizz
No ratings yet
Pet, Farm and Wild Animals - Quizizz
3 pages
Integrating Oracle Fixed Assets with other modules in Oracle E
No ratings yet
Integrating Oracle Fixed Assets with other modules in Oracle E
2 pages
Areas of MAS Part 2
No ratings yet
Areas of MAS Part 2
13 pages
Complete Download The Missing Link: From College to Career and Beyond 6th Edition Fred Selinger PDF All Chapters
100% (1)
Complete Download The Missing Link: From College to Career and Beyond 6th Edition Fred Selinger PDF All Chapters
55 pages
Recruitment Agencies - Singapore
No ratings yet
Recruitment Agencies - Singapore
288 pages
Rhetorical Analysis Essay
No ratings yet
Rhetorical Analysis Essay
4 pages
Salient Features of 9700
100% (2)
Salient Features of 9700
16 pages
Sample Submission Procedures Rev13
No ratings yet
Sample Submission Procedures Rev13
41 pages