Splunk® Phantom (Legacy)

Release Notes

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Known Issues in this release of Splunk Phantom

These are the known issues for this release of Splunk Phantom.

Date filed Issue number Description
2023-11-29 PSAAS-15638 Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively.

Workaround:
If using the REST API directly, add a sort parameter to the URL:
https://example-soar.com/rest/resource?page=X&sort=id

If using the phantom.get_tasks() or phantom.get_notes() playbook APIs, you can use phantom.requests instead to query the REST API directly:


# Instead of phantom.get_tasks(), use
url = phantom.build_phantom_rest_url('workbook_task')
# Or, instead of phantom.get_notes(), use
# url = phantom.build_phantom_rest_url('note')

# Sort by id so the ordering is stable; filter to the current container
params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
tasks = response.json()['data']


2022-09-26 PSAAS-10411 ibackup stores the entire PostgreSQL database in every incremental backup.
2022-09-07 PSAAS-10107 Status of Case is missing from Report

Workaround:
None known
2022-04-14 PSAAS-8615 Search for numbers only does not work

Workaround:
Utilize global search, or append a letter identifier before case names to include when searching.

2021-12-16 PSAAS-7020 Investigation page: permitted_users_roles calls DB excessively causing poor performance
2021-12-06 PSAAS-6865 Playbook Listing page crashes in Chrome & Edge browsers when filtering

Workaround:
Use Firefox or Safari.
2021-11-29 PSAAS-6730 "Invalid Authorization Configuration input" error when pasting a copied authorization configuration from automation user page
2021-11-22 PSAAS-6684, PSAAS-6908 In external Search setting, data is not present after error happens

Workaround:
Assisted a customer with a db query to directly pull the information required by their auditing team. We verified the values they needed were located in the container tables.

Passed them this query, which will extract specific rows from the container table and output to a CSV.

\copy (select <customer_filter> from container) to '/tmp/audit_data.csv' with csv;

Customer will construct the exact filter to pull just the rows they are interested in. Auditors have requested data from approx 120,000 containers.

2021-11-18 PSAAS-6595 Container updates sent to external Splunk after case is closed (closed:event in audit) are not honoring case status (close_time = null)

Workaround:
None at the moment. I don't believe so as some containers/tickets are reopened for genuine reasons, so we need to be able to distinguish between these and ones that just report as open due to the behaviour.
2021-11-15 PSAAS-6463 Externalized Search : maxchar limit error doesn't log event info containing ID

Workaround:
No workaround.
2021-10-18 PSAAS-5904 In SAML, OIDC and LDAP Auth, group delimiter was not applied if group list was provided by the IDP as a comma-separated string

Workaround:
None
2021-10-06 PSAAS-5542 Issue with allowing roles to pass permission checks in unauthorized areas when performing reporting operations
2021-08-23 PSAAS-3289 Can't Delete Value from Org Id/Set Domain for Thycotic password vault
2021-08-21 PSAAS-3277 Even though Warm Standby is disabled, upgrade failed due to enabled archive mode

Workaround:
The workaround is to run these commands:
sed -i -e 's/archive_mode = on/archive_mode = off/i' /<PHANTOM_HOME>/data/db/postgresql.phantom.conf

/<PHANTOM_HOME>/bin/phsvc restart postgresql-11
2021-07-16 PSAAS-2591 Asset Proxy Settings: Previously configured HTTP or HTTPS Proxy not working as intended

Workaround:
* Determine if your proxy is an HTTP or HTTPS proxy.
  • If you have an HTTP proxy and your asset settings have proxy variables starting with https://<proxy_ip>, replace them with http://<proxy_ip>
  • If you have an HTTPS proxy and your asset settings have proxy variables starting with http://<proxy_ip>, replace them with https://<proxy_ip>


2019-10-16 PSAAS-5305 Playbook API: phantom.condition excessively slow on large action_results
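
For PSAAS-15638 above, an added example (not part of the Splunk documentation) showing why paging without a sort key can return the same record on two pages, and how requesting sort=id makes the pages disjoint. FakeBackend, fetch_all and duplicate_ids are hypothetical names; the zero-based page parameter and the data/num_pages response fields are assumptions about the response shape, and the 25 records are constructed.

```python
class FakeBackend:
    """Constructed stand-in for a REST collection endpoint. Unsorted queries come
    back in an order that shifts between calls, as a database may do when no
    ORDER BY is given."""

    def __init__(self, n=25):
        self.rows = [{"id": i} for i in range(1, n + 1)]
        self.calls = 0

    def get_page(self, params):
        rows = self.rows
        if params.get("sort") != "id":
            k = (3 * self.calls) % len(rows)   # ordering drifts per query
            rows = rows[k:] + rows[:k]
        self.calls += 1
        size = params["page_size"]
        start = params["page"] * size
        num_pages = -(-len(rows) // size)      # ceiling division
        return {"count": len(rows), "num_pages": num_pages,
                "data": rows[start:start + size]}


def fetch_all(get_page, page_size=10, sort="id"):
    """Collect every page. get_page(params) stands in for
    phantom.requests.get(url, params=params).json() (assumed shape)."""
    records, page = [], 0
    while True:
        params = {"page": page, "page_size": page_size}
        if sort:
            params["sort"] = sort
        body = get_page(params)
        records.extend(body["data"])
        page += 1
        if page >= body["num_pages"]:
            return records


def duplicate_ids(records):
    """Return the ids that appear more than once, in ascending order."""
    seen, dupes = set(), set()
    for rec in records:
        (dupes if rec["id"] in seen else seen).add(rec["id"])
    return sorted(dupes)


if __name__ == "__main__":
    print("unsorted duplicates:", duplicate_ids(fetch_all(FakeBackend().get_page, sort=None)))
    print("sorted duplicates:  ", duplicate_ids(fetch_all(FakeBackend().get_page)))
```

Running duplicate_ids over collected results is also a cheap sanity check in a playbook before acting on tasks or notes, since a duplicated record implies another one was skipped.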
Last modified on 10 January, 2024

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.10.7

