Known issues for

November 6, 2024 Release 6.3.1

Date filed	Issue number	Description
2025-02-06	PSAAS-21951	"markdown supported" is appended to question for response type "1-100" and "Custom Range"
2025-01-30	PSAAS-21652	cloud apps depend on modules that use Google authentication failing on cloud instance with AB
2025-01-28	PSAAS-21598	SOAR local settings stored in the DB require a commit when in playbook view, but not when in listing page Workaround: Change settings on the playbook listing page instead of the Visual Playbook Editor view.
2025-01-21	PSAAS-21473	Unable to see top of app_run table in container action_run page when arguments are very long
2025-01-16	PSAAS-21440	Blocks in top left area of VPE cannot be selected when there is an error message Workaround: Move the canvas to not have the block you want to select in the non clickable area
2025-01-10	PSAAS-21345	Data preview is not refreshing the start block information when a new playbook is ran Workaround: Refresh the page after running a playbook to observe a change in the container.
2025-01-09	PSAAS-21330	Renaming the first action block makes it necessary to edit the next block.
2024-12-19	PSAAS-21155	VPE: Python editor and canvas are disabled when all python code is removed
2024-12-09	PSAAS-21016	Page does not refresh/show event assignment after opening an event, pressing back button, and then entering any event and assigning it
2024-11-26	PSAAS-20825	intermittent lag refreshing browser data when manually updating container data by editing from the analyst queue. since upgrade to 6.3.1.176
2024-11-18	PSAAS-20667	Creating a new CEF field in datapath menu doesn't appear editable
2024-11-06	PSAAS-20437	VPE: 'Key' field not editable Workaround: Copy the information you want to add and paste it into the key field. Right-click or control-click your mouse and select the Paste option from the context menu. Keyboard shortcuts do not work to paste information into this field.
2024-10-28	PSAAS-20299	VPE: Slider bar in Debugger tab is too tiny to control
2024-10-21	PSAAS-20147	VPE doesn't prevent user from spamming "Save and run" button, which can overload SOAR
2024-10-18	PSAAS-20123	ES Connector Associated Playbooks missing
2024-10-18	PSAAS-20124	Currently selected block in VPE may not be highlighted correctly
2024-10-15	PSAAS-20040	Order of blocks within Block results tab is incorrect Workaround: Customer can still accomplish flow
2024-09-27	PSAAS-19843	Playbook-type blocks: cannot filter on known data types, some input datapaths cannot be copied Workaround: Do not use the known data types filter. To copy a datapath, use the datapath picker in the configuration panel on the left of the screen.
2024-04-17	PSAAS-17305	REST APIs with pagination give a 400 error
2024-03-25	PSAAS-16959	Enabling the Secret Flag in Global Environment Variables Causes AB Test Connectivity/Poll Now to Fail Workaround: Remove the secret flag from all global environment variables for Test Connectivity to work with AB.
2024-03-13	PSAAS-16695	VPE: Action block using Splunk app marked unconfigured when optional parameters not specified
2024-03-06	PSAAS-16642	VPE: Deleting conditions from a filter block changes the conditions for downstream blocks instead of deleting them Workaround: If you have already deleted multiple conditions in the filter block configuration panel: If you have multiple condition labels on the connections downstream from the filter block, check to see if the labels match the conditions you specified in the filter block configuration panel. If the conditions match: No further action is required. If the conditions do not match: For all downstream connections, re-select the condition labels to match the conditions in the filter block configuration panel.
2024-02-22	PSAAS-16477	Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes Workaround: Manually change the `image:` line in docker-compose.yaml to point to `docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.`
2024-01-30	PSAAS-16206	Global Environment Variables are incorrectly applied by the Automation Broker when the variable is named as all lowercase letters Workaround: Use uppercase letters only.
2023-09-13	PSAAS-14783	UI becoming unresponsive when adding or interacting with notes that has alphanumeric strings in Summary view Workaround: Issue seems to be part of the special characters {{<>}} with text in between. The workaround is try to avoid those characters in the note.
2023-08-25	PSAAS-14609	Automation Broker: Broker status should be updated if the broker directory is no longer present

September 12, 2024 Release 6.3.0

Date filed	Issue number	Description
2025-01-28	PSAAS-21598	SOAR local settings stored in the DB require a commit when in playbook view, but not when in listing page Workaround: Change settings on the playbook listing page instead of the Visual Playbook Editor view.
2024-11-20	PSAAS-20761	Non-synchronous child playbook run status stays as 'pending' when label mismatch occurs
2024-11-06	PSAAS-20435	Looping functionality does not wait during "empty parameters list was passed to phantom.act()." error
2024-10-21	PSAAS-20167	Child Playbook gets stuck running when run against label it does not pertain to
2024-10-21	PSAAS-20142	VPE: Discarding changes doesn't reset the playbook editor for unconfigured action block
2024-10-09	PSAAS-19993	Automation Broker healthcheck does not work due to ModuleNotFoundError: No module named 'phantom'
2024-10-07	PSAAS-19962	Automation Broker does not pair due to ModuleNotFoundError: No module named 'phantom'
2024-10-02	PSAAS-19905	Filter condition fails to process empty list if it comes from action block
2024-10-02	PSAAS-19917, PSAAS-20071	Reports page drop down results in 500 Server Error Workaround: You can work around this issue by changing your user settings for SOAR. From the User Account Menu, select Account Settings. Uncheck the box marked Display Relative Time. Click Save Changes.
2024-09-26	PSAAS-19811	save_progress method not outputting to Playbook Debugger when bound to Automation Broker
2024-09-25	PSAAS-19798	VPE: Action block not updating certain actions after unconfiguring Workaround: Add a new action block and reconfigure
2024-09-24	PSAAS-19708	Playbooks might remain in pending status
2024-09-10	PSAAS-19362	Placeholder values for custom indexes in the Forwarder Settings modal don't match the actual default indexes
2024-08-21	PSAAS-19137	No playbook run created when playbook label differs from container label instead of failing playbook run
2024-08-09	PSAAS-18994	Intermittent issues dragging new block connections
2024-08-09	PSAAS-18993	VPE creates join function between blocks with no callbacks, resulting in functions being called twice
2024-07-31	PSAAS-18866, PSAAS-19037	No redirection or toast if two tabs opened
2024-06-24	PSAAS-18174	VPE: Error message "'NoneType' object has no attribute 'scm_id'" on first playbook save
2024-04-17	PSAAS-17305	REST APIs with pagination give a 400 error
2024-03-25	PSAAS-16959	Enabling the Secret Flag in Global Environment Variables Causes AB Test Connectivity/Poll Now to Fail Workaround: Remove the secret flag from all global environment variables for Test Connectivity to work with AB.
2024-03-13	PSAAS-16695	VPE: Action block using Splunk app marked unconfigured when optional parameters not specified
2024-03-06	PSAAS-16642	VPE: Deleting conditions from a filter block changes the conditions for downstream blocks instead of deleting them Workaround: If you have already deleted multiple conditions in the filter block configuration panel: If you have multiple condition labels on the connections downstream from the filter block, check to see if the labels match the conditions you specified in the filter block configuration panel. If the conditions match: No further action is required. If the conditions do not match: For all downstream connections, re-select the condition labels to match the conditions in the filter block configuration panel.
2024-02-22	PSAAS-16477	Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes Workaround: Manually change the `image:` line in docker-compose.yaml to point to `docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.`
2024-01-30	PSAAS-16206	Global Environment Variables are incorrectly applied by the Automation Broker when the variable is named as all lowercase letters Workaround: Use uppercase letters only.
2023-08-25	PSAAS-14609	Automation Broker: Broker status should be updated if the broker directory is no longer present
2022-02-03	PSAAS-7499	VPE: Playbook name field should be longer

May 29, 2024 Release 6.2.2

Date filed	Issue number	Description
2025-01-28	PSAAS-21598	SOAR local settings stored in the DB require a commit when in playbook view, but not when in listing page Workaround: Change settings on the playbook listing page instead of the Visual Playbook Editor view.
2025-01-09	PSAAS-21330	Renaming the first action block makes it necessary to edit the next block.
2024-11-20	PSAAS-20761	Non-synchronous child playbook run status stays as 'pending' when label mismatch occurs
2024-10-21	PSAAS-20167	Child Playbook gets stuck running when run against label it does not pertain to
2024-10-21	PSAAS-20142	VPE: Discarding changes doesn't reset the playbook editor for unconfigured action block
2024-09-27	PSAAS-19836	Input playbooks, missing menu to provide the inputs to test the playbook in the debugger Workaround: The feature is missing, user cannot test the playbook
2024-09-20	PSAAS-19696	"First positional parameter 'message' must be a string of non-zero length" from phantom.debug() when first parameter is empty variable
2024-08-13	PSAAS-19036	About page shows "Splunk Version" and "Splunk Build", which are not accurate as Splunk no longer ships with SOAR
2024-08-08	PSAAS-18975	High baseline RDS load
2024-07-25	PSAAS-18798	Missing data paths in prompt block
2024-07-03	PSAAS-18317	Deleting the Playbook Run, or removing from the database the Asset, User, or App which created a container may cascade into deleting that container and its associated data Workaround: Upgrade to Splunk SOAR 6.3.0 or higher to remove the possibility of unintended container loss by any cause. If you cannot upgrade to Splunk SOAR 6.3.0 or higher at this time, you can use the SOAR's shell, (`phenv phantom_shell`) to manually prepare for the deletion of playbok_runs, for which you will need a list of affected playbook_run IDs. For assets, users, or ingestion apps, deleting via the REST API is a "soft delete" and is generally safe, with one notable exception for apps listed below Playbook Runs phenv phantom_shell >>> ids = [<list>, <of>, <playbook_run>, <ids>] >>> Container.objects.filter(closing_rule_run_id__in=ids).update(closing_rule_run=None) <pre></code></li> <li>Apps <p>Normally, apps are soft deleted. However, there is an edge case to be aware of: installing a previously deleted app for which all assets have been deleted or orphaned may delete containers and associated data originally created by the app, if and only if the app reinstallation process fails. This can be prevented by incrementing an app package's version in order to upgrade, instead of performing a delete and reinstall of the same app version.</p> </li></ul><br/> \|- \| 2024-07-01\|\|PSAAS-18277\|\|When cloning apps, automation broker of assets is not cloned \|- \| 2024-06-28\|\|PSAAS-18272\|\|Classic to Modern playbook conversion should have warnings for invalid playbook block name and customer code revert \|- \| 2024-06-24\|\|PSAAS-18172\|\|VPE crashes with TypeError when opening a playbook \|- \| 2024-06-12\|\|PSAAS-18082\|\|VPE: Blocks invisible when using Safari Version 17.5 \|- \| 2024-06-10\|\|PSAAS-17997\|\|Playbook Listing page tabs show incorrect list, except "All" tab \|- \| 2024-05-14\|\|PSAAS-17715\|\|VPE CF block resource warning not being removed upon reconfiguring<br/><br/>Workaround:<br/>The warning is only cosmetic and will not impact playbook run. To remove the warning, instead of reconfiguring the block just completely delete and re-add a utility block.<br/> \|- \| 2024-03-13\|\|PSAAS-16695\|\|VPE: Action block using Splunk app marked unconfigured when optional parameters not specified \|- \| 2024-03-06\|\|PSAAS-16642\|\|VPE: Deleting conditions from a filter block changes the conditions for downstream blocks instead of deleting them<br/><br/>Workaround:<br/><b>If you have already deleted multiple conditions in the filter block configuration panel:</b> If you have multiple condition labels on the connections downstream from the filter block, check to see if the labels match the conditions you specified in the filter block configuration panel. <ul> <li>If the conditions match: No further action is required.</li> <li>If the conditions do not match: For all downstream connections, re-select the condition labels to match the conditions in the filter block configuration panel.</li> </ul><br/> \|- \| 2024-02-22\|\|PSAAS-16477\|\|Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes<br/><br/>Workaround:<br/>Manually change the <code>image:</code> line in docker-compose.yaml to point to <code>docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.<br/> \|- \| 2024-01-30\|\|PSAAS-16206\|\|Global Environment Variables are incorrectly applied by the Automation Broker when the variable is named as all lowercase letters<br/><br/>Workaround:<br/>Use uppercase letters only.<br/> \|- \| 2023-08-25\|\|PSAAS-14609\|\|Automation Broker: Broker status should be updated if the broker directory is no longer present \|- \| 2023-04-26\|\|PSAAS-13255\|\|Deleting a container with 1000+ artifacts causes UWSGI to run out of memory.<br/><br/>Workaround:<br/>For Waterspout we have swapped the deletion mechanism of containers in the UI from a django deletion to a raw deletion. This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added. In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the [[:Template:Delete db containers]] management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission.<br/> \|} ==March 28, 2024 Release 6.2.1== {\| [[:Template:Table]] !Date filed !Issue number !Description \|- \| 2025-01-28\|\|PSAAS-21598\|\|SOAR local settings stored in the DB require a commit when in playbook view, but not when in listing page<br/><br/>Workaround:<br/>Change settings on the playbook listing page instead of the Visual Playbook Editor view.<br/> \|- \| 2024-08-13\|\|PSAAS-19036\|\|About page shows "Splunk Version" and "Splunk Build", which are not accurate as Splunk no longer ships with SOAR \|- \| 2024-05-23\|\|PSAAS-17857\|\|Update from source control failing due to playbook name with square braket and colon in its name \|- \| 2024-05-21\|\|PSAAS-17823\|\|Incident types not syncing between MC and SOAR<br/><br/>Workaround:<br/>As a workaround, the customer can manually create the label (via REST Call because UI is disabled) on the SOAR side with the same name as the incident type. <ol> <li>Make a POST call to [https:brsoar-ro.soar.splunkcloud.com/rest/system_settings/events brsoar-ro.soar.splunkcloud.com/rest/system_settings/events] with the payload <div class="samplecode"> {"add_label":true,"label_name":"test"} </div> </li> <li>Observe on the administration page, the label <code>test</code> should display when you navigate to <b>Administration</b>, then select <b>Label settings</b>. </li> </ol><br/> \|- \| 2024-05-01\|\|PSAAS-17559\|\|"0: command not found" error is printed to the console when running start_phantom.sh<br/><br/>Workaround:<br/>This workaround is optional. The error is cosmetic and does not indicate any deeper issue with the Splunk SOAR system. To stop the error from printing entirely, copy the following code and replace line 13 of the existing start_phantom.sh code. <div class="samplecode"> if remote_db_in_install_conf && ! dev_in_install_conf && [ ${PHANTOM_IS_CLOUD} != 1 ]; then must_have_minimum_postgresql_version fi </div><br/> \|- \| 2024-04-29\|\|PSAAS-17498\|\|uwsgi lock is not released when credential package already exists \|- \| 2024-04-25\|\|PSAAS-17454\|\|slow API requests lead to missing VPE block outputs upon initial load<br/><br/>Workaround:<br/>Manually re-generate outputs by deleting and/or reconfiguring the whole block.<br/> \|- \| 2024-04-17\|\|PSAAS-17305\|\|REST APIs with pagination give a 400 error \|- \| 2024-04-08\|\|PSAAS-17198\|\|Unable to close containers receiving the error 'str' object has no attribute 'get' \|- \| 2024-04-05\|\|PSAAS-17194\|\|Password reset email has un-clickable URL \|- \| 2024-04-05\|\|PSAAS-17189\|\|Playbook deletion is not logged in the audit trail<br/><br/>Workaround:<br/>On-prem customers can monitor the git log for playbook and other git related deletions.<br/> \|- \| 2024-04-03\|\|PSAAS-17135\|\|Investigation page: Playbook run tab is broken for playbook with empty inputs \|- \| 2024-04-03\|\|PSAAS-17165\|\|VPE: Datapath within loop block doesn't reflect block name change<br/><br/>Workaround:<br/>Before running a playbook that contains a looped block, make sure that all internal datapath configurations of the looped block are accurate and up-to-date by manually checking that each datapath refers to the correct block name.<br/> \|- \| 2024-03-26\|\|PSAAS-16961\|\|Licensing extension not available<br/><br/>Workaround:<br/>Contact Splunk Support at least 30 days before your license is set to expire. <br/> \|- \| 2024-03-25\|\|PSAAS-16959\|\|Enabling the Secret Flag in Global Environment Variables Causes AB Test Connectivity/Poll Now to Fail<br/><br/>Workaround:<br/>Remove the secret flag from all global environment variables for Test Connectivity to work with AB.<br/> \|- \| 2024-03-22\|\|PSAAS-16934\|\|Evidence tab screen goes blank if artifact is marked as evidence<br/><br/>Workaround:<br/>use a different CEF field name that's not "tags"<br/> \|- \| 2024-03-13\|\|PSAAS-16695\|\|VPE: Action block using Splunk app marked unconfigured when optional parameters not specified \|- \| 2024-03-06\|\|PSAAS-16641\|\|Global seach checkbox for "Playbook Run" gets unselected when selecting other options<br/><br/>Workaround:<br/>If you are selecting multiple search options, select all other options first, then select the Playbook Run option.<br/> \|- \| 2024-03-06\|\|PSAAS-16642\|\|VPE: Deleting conditions from a filter block changes the conditions for downstream blocks instead of deleting them<br/><br/>Workaround:<br/><b>If you have already deleted multiple conditions in the filter block configuration panel:</b> If you have multiple condition labels on the connections downstream from the filter block, check to see if the labels match the conditions you specified in the filter block configuration panel. <ul> <li>If the conditions match: No further action is required.</li> <li>If the conditions do not match: For all downstream connections, re-select the condition labels to match the conditions in the filter block configuration panel.</li> </ul><br/> \|- \| 2024-02-22\|\|PSAAS-16477\|\|Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes<br/><br/>Workaround:<br/>Manually change the <code>image:</code> line in docker-compose.yaml to point to <code>docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.<br/> \|- \| 2024-01-30\|\|PSAAS-16206\|\|Global Environment Variables are incorrectly applied by the Automation Broker when the variable is named as all lowercase letters<br/><br/>Workaround:<br/>Use uppercase letters only.<br/> \|- \| 2023-08-25\|\|PSAAS-14609\|\|Automation Broker: Broker status should be updated if the broker directory is no longer present \|- \| 2023-07-19\|\|PSAAS-14125\|\|Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions.<br/><br/>Workaround:<br/>Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.<br/> \|- \| 2023-04-26\|\|PSAAS-13255\|\|Deleting a container with 1000+ artifacts causes UWSGI to run out of memory.<br/><br/>Workaround:<br/>For Waterspout we have swapped the deletion mechanism of containers in the UI from a django deletion to a raw deletion. This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added. In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the [[:Template:Delete db containers]] management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission.<br/> \|- \| 2023-02-02\|\|PSAAS-12158\|\|User filtering is using first/last name to filter events instead of just username<br/><br/>Workaround:<br/>None<br/> \|} ==November 30, 2023 Release 6.2.0== {\| [[:Template:Table]] !Date filed !Issue number !Description \|- \| 2025-01-28\|\|PSAAS-21598\|\|SOAR local settings stored in the DB require a commit when in playbook view, but not when in listing page<br/><br/>Workaround:<br/>Change settings on the playbook listing page instead of the Visual Playbook Editor view.<br/> \|- \| 2024-05-09\|\|PSAAS-17655\|\|Memory leak in handling of custom function results \|- \| 2024-05-01\|\|PSAAS-17560\|\|Playbook converter cannot convert playbooks with set_owner or add_note<br/><br/>Workaround:<br/>If you will run the playbook without making any changes, no action is required. If you need to update the playbook, take the following action: After you migrate the playbook, delete the affected utility block, then re-add the block and make any updates.<br/> \|- \| 2024-04-03\|\|PSAAS-17165\|\|VPE: Datapath within loop block doesn't reflect block name change<br/><br/>Workaround:<br/>Before running a playbook that contains a looped block, make sure that all internal datapath configurations of the looped block are accurate and up-to-date by manually checking that each datapath refers to the correct block name.<br/> \|- \| 2024-04-01\|\|PSAAS-17112, PSAAS-16933\|\|Container updates are not atomic<br/><br/>Workaround:<br/>The issue occurs when multiple playbooks are attempting to update a single container at the same time. Here are two ways of avoiding this issue: <ul> <li>If you have a parent and child playbook that each update fields in the container, call those child playbooks synchronously, so they are not able to perform updates at the same time.</li> <li>Bundle your container updates into a single playbook.</li> </ul><br/> \|- \| 2024-03-13\|\|PSAAS-16695\|\|VPE: Action block using Splunk app marked unconfigured when optional parameters not specified \|- \| 2024-02-29\|\|PSAAS-16538\|\|Generated reports: Cannot sort on Generated column \|- \| 2024-02-28\|\|PSAAS-16529\|\|When navigating back from investigation page to the analyst queue, stale filters are selected \|- \| 2024-02-21\|\|PSAAS-16467\|\|Investigation for actiond down for the stack acn-soar \|- \| 2024-02-20\|\|PSAAS-16452, PSAAS-16372\|\|Classic to Modern Playbook conversion errors<br/><br/>Workaround:<br/>* Layout completely jumbled in Modern playbook (MINOR, But annoying) this can should be resolved by clicking auto-arrange<br/> \|- \| 2024-02-15\|\|PSAAS-16431, PSAAS-16962, PSAAS-16963\|\|Automation Broker: Actions intermittently hang for Automation Broker when there are connection issues<br/><br/>Workaround:<br/><ol> <li>Check if the action completed successfully.</li> <li>Cancel the hanging action.</li> <li>If the action did not complete successfully, re-run the action.</li> </ol> This problem is usually intermittent. Once connection issues have been resolved, retrying the action should succeed.<br/> \|- \| 2024-02-09\|\|PSAAS-16357\|\|Playbook Converter: Datapaths not present in modern datapath picker for custom function and playbook blocks<br/><br/>Workaround:<br/>Rename the affected block to be the same as the function name. For example, if the function name is "cf_local_generated_1", change the block name to "cf_local_generated_1".<br/> \|- \| 2024-02-06\|\|PSAAS-16309\|\|Health checks show as login attempts in production \|- \| 2024-01-30\|\|PSAAS-16209\|\|Ability to change user id and group id of Automation Broker's runtime user \|- \| 2024-01-30\|\|PSAAS-16206\|\|Global Environment Variables are incorrectly applied by the Automation Broker when the variable is named as all lowercase letters<br/><br/>Workaround:<br/>Use uppercase letters only.<br/> \|- \| 2024-01-22\|\|PSAAS-16122\|\|Saving playbooks to a local repo fails with 'Push master failed: (branch is currently checked out)'<br/><br/>Workaround:<br/>Operate in repo configured with external resources <br/> \|- \| 2024-01-22\|\|PSAAS-16112\|\|Playbook Converter: Case sensitivity and variable differences are not handled properly \|- \| 2024-01-19\|\|PSAAS-16089\|\|Missing notification for inactivity timeout \|- \| 2024-01-18\|\|PSAAS-16087\|\|MC Setup: SOAR Repo roles failed to be created<br/><br/>Workaround:<br/>The customers will need to manually create the repo roles listed in the doc {noformat}mc_soar_repo_edit_<repo_name> mc_soar_repo_execute_<repo_name> mc_soar_repo_view_<repo_name>{noformat} Once the appropriate roles are assigned to the user, they can run the actions/playbooks<br/> \|- \| 2024-01-16\|\|PSAAS-16049\|\|Playbook converter: Asset name is incorrect in the converted playbook \|- \| 2024-01-16\|\|PSAAS-16048\|\|Fix asset name for playbook converter \|- \| 2024-01-09\|\|PSAAS-15999\|\|SOAR Cloud : UF forwarding not honoring indexer port configuration \|- \| 2024-01-03\|\|PSAAS-15959\|\|ForwarderGroup TCP token can be accidentally cleaned up if forwarder group is inactive<br/><br/>Workaround:<br/>If a SOAR Cloud customer has a Splunk Enterprise forwarder group which is not working due to a deleted tcp token they can recreate the group and the tcp token will be recreated<br/> \|- \| 2023-12-12\|\|PSAAS-15821\|\|Global search not working for custom fields \|- \| 2023-12-11\|\|PSAAS-15750\|\|VPE: Downstream block invoked twice from two upstream code blocks join<br/><br/>Workaround:<br/>Detach one of the upstream blocks and run the blocks in sequence to avoid a join.<br/> \|- \| 2023-12-08\|\|PSAAS-15709\|\|Playbook API: phantom.format throws error when a value is not found on the datapath \|- \| 2023-12-06\|\|PSAAS-15694\|\|Indicators page shows empty table for non-admin users \|- \| 2023-12-06\|\|PSAAS-15695\|\|JSON viewer for input playbooks - analyst view- has clickable URLs<br/><br/>Workaround:<br/>None<br/> \|- \| 2023-12-05\|\|PSAAS-15685\|\|Naming a forwarder group "splunk" breaks forwarding<br/><br/>Workaround:<br/>Delete the forwarder group named "splunk" and recreate it with some other name.<br/> \|- \| 2023-11-30\|\|PSAAS-15648\|\|MC SOAR customers are not able to modify the data types of the MC Forwarder Group<br/><br/>Workaround:<br/>If a customer wants to enable more data types for forwarding to their MC Splunk, SOAR engineers must enable them manually by ssh-ing to the stack and updating the forwarder group via python shell. If forwarding doesn't work, it may be due to issue 3. To fix that we need a credentials package from MC and we need to update the MC forwarder group's 'credentials_package'{{ }}field with the credentials package and we need to reinstall the app on the forwarder. See [https://splunk.slack.com/archives/C041FNWNP5E/p1702677969590999\|https://splunk.slack.com/archives/C041FNWNP5E/p1702677969590999\|smart-link] [https://splunk.slack.com/archives/CCN2FEJG7/p1702651110754149\|https://splunk.slack.com/archives/CCN2FEJG7/p1702651110754149\|smart-link] <br/> \|- \| 2023-11-29\|\|PSAAS-15638\|\|Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively<br/><br/>Workaround:<br/>If using the REST API directly, add a <code>sort</code> parameter to the URL: <div class="samplecode">https://example-soar.com/rest/resource?page=X&sort=id </div> If using the <code>phantom.get_tasks()</code> or <code>phantom.get_notes()</code> playbook APIs, you can use <code>phantom.requests</code> instead to query the REST API directly: <div class="samplecode"> # Instead of phantom.get_tasks(), use url = phantom.build_phantom_rest_url('workbook_task') # Or, instead of phantom.get_notes(), use url = phantom.build_phantom_rest_url('note') params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'} response = phantom.requests.get(url, params=params) tasks = response.json()['data'] </div><br/> \|- \| 2023-11-29\|\|PSAAS-15640\|\|Cannot delete or move playbooks with name that starts with ":" \|- \| 2023-11-28\|\|PSAAS-15612\|\|Changing multiple incident fields in Mission Control results in duplicate SOAR update messages \|- \| 2023-11-28\|\|PSAAS-15610\|\|Widget visibility is not saved via "manage widgets" \|- \| 2023-11-22\|\|PSAAS-15543\|\|Test connectivity for asset might result in "failed to send" and HTTP 500 "internal server" error for POST to /rest/asset/{id}<br/><br/>Workaround:<br/>If your connectivity test runs longer than 30 seconds: <ul> <li>Keep the "Test Connectivity" window open and wait for the test to complete.</li> <li>Ignore the 500 "internal server error" and the "Failed to send" notification.</li> </ul><br/> \|- \| 2023-11-21\|\|PSAAS-15528, PSAAS-13668\|\|Home Page: Open event widget has overlapping characters for SLA and Severity \|- \| 2023-11-09\|\|PSAAS-15392\|\|Playbook Converter: Synchronous playbook fails to run for converted playbooks<br/><br/>Workaround:<br/>The user can go into the converted modern playbook and save the playbook. This should work for most cases. If the above does not work, the user should see if the function header is editable. Usually this is guarded by a lock, but if not, then modify the function header to have **kwargs as a parameter at the end. !image-20231110-033611.png\|width=1633,height=53! If the function header is not editable, copy the code for the callback block, delete the synchronous playbook block, readd the synchronous playbook block and readd the function body code.<br/> \|- \| 2023-11-07\|\|PSAAS-15338\|\|The Repo Permissions in the user modal does not show permissions<br/><br/>Workaround:<br/>Check for the assigned roles permissions for the repos<br/> \|- \| 2023-10-27\|\|PSAAS-15211\|\|MC block: Action 'get task file' is no longer available in MC 3.0<br/><br/>Workaround:<br/>Use get task action instead.<br/> \|- \| 2023-10-27\|\|PSAAS-15201\|\|Password Vault: "Assets with enabled password manager" table can lead to Apps page without an asset selected<br/><br/>Workaround:<br/>This issue occurs when you select the Edit button to view an asset from the "Assets with enabled password manager" table, then, after viewing its App configuration page, you use the browser's back button to return to the table. When you select Edit to view another asset from the table, the Apps configuration page for that asset is not pre-filled with the asset name and information. After you have viewed one asset configuration page, use one of the following workarounds to avoid the issue: <ul> <li>Refresh the Password Vault browser page before selecting the Edit button for each asset you want to view.</li> <li>Remember the name of the asset you want to view. Select the Edit button for that asset to open its Apps page. The Asset field will be blank. Select the name of the asset you want to view.</li> <li>Right-click or Control-click the <b>Edit</b> button next to an asset to open it in a new tab.</li> </ul><br/> \|- \| 2023-10-27\|\|PSAAS-15202\|\|Password Vault: Asset not removed from "Assets with enabled password manager" table if all credential fields removed<br/><br/>Workaround:<br/>No workaround. If an asset in the "Assets with enabled password manager" table is empty, it is not available for use. It still exists in the table because a credential management field was deleted, preventing deletion of the asset from the table. <br/> \|- \| 2023-10-26\|\|PSAAS-15199\|\|If the CyberArk instance is down and an action is run, the response message is not clear \|- \| 2023-10-25\|\|PSAAS-15176\|\|VPE Playbook Conversion: Opening some of the converted PBs show "Discard Changes" button without changes made<br/><br/>Workaround:<br/>When you open a newly converted playbook, select <b>Save</b> to regenerate and save the new code. If you select <b>Discard Changes</b> before you have made any changes, the playbook code and JSON files are not changed.<br/> \|- \| 2023-10-20\|\|PSAAS-15120\|\|Adding an empty repository on SOAR fails<br/><br/>Workaround:<br/>Ensure that at least one commit is pushed to the playbook repo before adding it to SOAR<br/> \|- \| 2023-10-20\|\|PSAAS-15119\|\|VPE Playbook conversion: Extra path added when converting classic VPE playbook to modern playbook<br/><br/>Workaround:<br/>If your classic playbook has connections that are very close to each other, the modern playbook might create an extra connection. Before you convert a playbook, spread out your playbook blocks so your connections are not close or overlapping. Then convert the playbook. Review and test newly converted playbooks before marking them as active to ensure blocks and connectors appear and work correctly. <br/> \|- \| 2023-10-18\|\|PSAAS-15100\|\|PB Converter: Asset Mapper modal is not shown in the converted playbook \|- \| 2023-09-05\|\|PSAAS-14697, PSAAS-14655, PAPP-32725\|\|Images are not appearing in action's custom view on SOAR (Cloud) and (On-premises) versions 6.1.1 and higher \|- \| 2023-08-25\|\|PSAAS-14609\|\|Automation Broker: Broker status should be updated if the broker directory is no longer present \|- \| 2023-07-19\|\|PSAAS-14125\|\|Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions.<br/><br/>Workaround:<br/>Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.<br/> \|- \| 2023-06-27\|\|PSAAS-13913\|\|VPE: After clicking Discard Changes button, blocks show error "Reconfigure Invalid Data Path"<br/><br/>Workaround:<br/>Need to not save the playbook and refresh the page<br/> \|- \| 2023-05-22\|\|PSAAS-13496\|\|App Editor: Setting default app action booleans to 'false' does not work. \|- \| 2023-04-26\|\|PSAAS-13255\|\|Deleting a container with 1000+ artifacts causes UWSGI to run out of memory.<br/><br/>Workaround:<br/>For Waterspout we have swapped the deletion mechanism of containers in the UI from a django deletion to a raw deletion. This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added. In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the [[:Template:Delete db containers]] management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission.<br/> \|- \| 2023-02-02\|\|PSAAS-12158\|\|User filtering is using first/last name to filter events instead of just username<br/><br/>Workaround:<br/>None<br/> \|- \| 2022-04-08\|\|PSAAS-8541\|\|Unreadable characters sporadically appear in UI<br/><br/>Workaround:<br/>Refresh the browser to reload the page.<br/> \|} ==Versions 6.0.0 - 6.1.1== <div class="mw-collapsible mw-collapsed"> ===September 6, 2023 Release 6.1.1=== {\| [[:Template:Table]] !Date filed !Issue number !Description \|- \| 2023-08-25\|\|PSAAS-14609\|\|AB: Broker status should be updated if the broker directory is no longer present \|} ===July 11, 2023 Release 6.1.0=== {\| [[:Template:Table]] !Date filed !Issue number !Description \|- \| 2024-02-22\|\|PSAAS-16477\|\|Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes<br/><br/>Workaround:<br/>Manually change the <code>image:</code> line in docker-compose.yaml to point to <code>docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.<br/> \|- \| 2024-02-15\|\|PSAAS-16431, PSAAS-16962, PSAAS-16963\|\|Automation Broker: Actions intermittently hang for Automation Broker when there are connection issues<br/><br/>Workaround:<br/><ol> <li>Check if the action completed successfully.</li> <li>Cancel the hanging action.</li> <li>If the action did not complete successfully, re-run the action.</li> </ol> This problem is usually intermittent. Once connection issues have been resolved, retrying the action should succeed.<br/> \|- \| 2024-02-06\|\|PSAAS-16309\|\|Health checks show as login attempts in production \|- \| 2024-01-30\|\|PSAAS-16206\|\|Global Environment Variables are incorrectly applied by the Automation Broker when the variable is named as all lowercase letters<br/><br/>Workaround:<br/>Use uppercase letters only.<br/> \|- \| 2023-12-11\|\|PSAAS-15750\|\|VPE: Downstream block invoked twice from two upstream code blocks join<br/><br/>Workaround:<br/>Detach one of the upstream blocks and run the blocks in sequence to avoid a join.<br/> \|- \| 2023-11-29\|\|PSAAS-15638\|\|Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively<br/><br/>Workaround:<br/>If using the REST API directly, add a <code>sort</code> parameter to the URL: <div class="samplecode">https://example-soar.com/rest/resource?page=X&sort=id </div> If using the <code>phantom.get_tasks()</code> or <code>phantom.get_notes()</code> playbook APIs, you can use <code>phantom.requests</code> instead to query the REST API directly: <div class="samplecode"> # Instead of phantom.get_tasks(), use url = phantom.build_phantom_rest_url('workbook_task') # Or, instead of phantom.get_notes(), use url = phantom.build_phantom_rest_url('note') params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'} response = phantom.requests.get(url, params=params) tasks = response.json()['data'] </div><br/> \|- \| 2023-11-21\|\|PSAAS-15528, PSAAS-13668\|\|Home Page: Open event widget has overlapping characters for SLA and Severity \|- \| 2023-10-06\|\|PSAAS-14969\|\|Update from source control of external repo to pull a new Custom Function also creates a new playbook<br/><br/>Workaround:<br/><b>To avoid this issue: </b> When using <i>Update From Source Control</i>, always select <i>Force Update</i>. <b>If you have already encountered this issue:</b> You have playbooks you didn't create, with names very similar to the custom function name, like <i>custom_functions/<my_custom_function></i>. Do not delete these extra playbooks, because that will also delete the custom function. Delete the Source Control repository and recreate it to remove the extra playbooks. <br/> \|- \| 2023-10-04\|\|PSAAS-14948\|\|"validate parameters" button in action modal says "save" instead \|- \| 2023-09-14\|\|PSAAS-14784\|\|SOAR gives a "502 bad gateway" error for all SAML logins if a metadata endpoint fails to respond. \|- \| 2023-09-08\|\|PSAAS-14740, PSAAS-13089\|\|In App editor, Console output is not visible properly in Dark Theme<br/><br/>Workaround:<br/><br/> \|- \| 2023-08-29\|\|PSAAS-14627\|\|VPE: Code from one utility block might be copied into another utility block in the same playbook<br/><br/>Workaround:<br/>In the Python Playbook Editor of the VPE, manually edit the affected blocks to remove duplicate codes. To keep track of changes you make, clone the playbook before each edit.<br/> \|- \| 2023-08-24\|\|PSAAS-14607\|\|Boolean parameter in playbook considered as string \|- \| 2023-08-24\|\|PSAAS-14550\|\|User unable to bulk edit/close the events due to missing unrelated required tag<br/><br/>Workaround:<br/>I suggest customer temporarily create a new tag and assign to the label "audit". Then they should be able to bulk close all events with label "audit" by choosing the new tag as required tag.<br/> \|- \| 2023-08-21\|\|PSAAS-14497, PSAAS-14560\|\|VPE: Reversion fails for playbooks with periods in their names<br/><br/>Workaround:<br/>Do not use periods in playbook names. If you have a period in the playbook name, reversion will fail.<br/> \|- \| 2023-08-15\|\|PSAAS-14461\|\|Playbooks not running on container. psycopg2.errors.UntranslatableCharacter is observed in logs. \|- \| 2023-08-14\|\|PSAAS-14440\|\|Cannot delete all custom fields from UI<br/><br/>Workaround:<br/>When deleting custom fields, leave at least one custom field in the list. <br/> \|- \| 2023-08-11\|\|PSAAS-14413\|\|Special characters are removed while downloading the file from Vault \|- \| 2023-08-02\|\|PSAAS-14223\|\|"Run automatically when" appears on input playbooks; designed only for automation playbooks<br/><br/>Workaround:<br/>This feature is designed to work on automation playbooks, not input playbooks. <br> Any updates you make in this section will not affect your input playbooks. <br/> \|- \| 2023-07-26\|\|PSAAS-14172, PSAAS-14173\|\|The delete_containers.pyc script omitted from SOAR 6.1.0 builds.<br/><br/>Workaround:<br/>The <code>delete_containers.pyc</code> script was omitted from SOAR 6.1.0 builds. Users who need to remove containers from their SOAR deployments can use the data retention and management tools described in the topic ''Use data retention strategies to schedule and manage your database cleanup'' in '''Administer <span class='plnnnn'> </span>. https://docs.splunk.com/Documentation/SOARonprem/latest/Admin/DataRetention<br/> \|- \| 2023-07-24\|\|PSAAS-14152\|\|No indicators are displayed when all labels are selected in role permissions \|- \| 2023-07-24\|\|PSAAS-14159\|\|Automation Broker: Jira 'get attachment' action fails over AB due to SSL check error<br/><br/>Workaround:<br/>When the Jira onPrem asset is configured without "Verify server certificate" parameter and the asset is connected over an Automation Broker on a SOAR Cloud instance, <code>get attachments</code> action will fail with SSL certificate error. To fix this issue, perform either of these actions: <ul> <li>In the asset settings, select <b>Verify server certificate</b>. </li> <li>Pair the Automation Broker without TLS certificate check by using the <b>-e PHANTOM_HTTPS_STRICT_TLS_AUTODETECT=0 -e PHANTOM_HTTPS_STRICT_TLS=0 </b> option.</li> </ul><br/> \|- \| 2023-07-19\|\|PSAAS-14125\|\|Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions.<br/><br/>Workaround:<br/>Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.<br/> \|- \| 2023-07-18\|\|PSAAS-14102\|\|The original State file is replicated with app dir's state file<br/><br/>Workaround:<br/>Remove the state file from the app dir.<br/> \|- \| 2023-07-18\|\|PSAAS-14116\|\|App Editor Console Output has black fonts in dark theme<br/><br/>Workaround:<br/>Use the light theme. <ol> <li>Click your account name on the top right, then select Account Settings. </li> <li>Select the Light Theme, then select Save Changes.</li> </ol><br/> \|- \| 2023-07-14\|\|PSAAS-14056\|\|Community repo playbooks updated from source control give error "Ref '6.1' did not resolve to an object"<br/><br/>Workaround:<br/>Select the <b>Force Update</b> checkbox, then select <b>Update</b>.<br/> \|- \| 2023-07-11\|\|PSAAS-14004, PAPP-31256\|\|Zoom, MS Graph, EWS for Office apps not installed/upgraded on SOAR 6.1.0<br/><br/>Workaround:<br/>If you are using one of the following apps, manually reinstall or upgrade it from Splunkbase. Zoom app, version 2.1.0 MS Graph for Office365, version 2.8.0 EWS for Office 365, version 2.15.0<br/> \|- \| 2023-07-09\|\|PSAAS-13990\|\|: Test connectivity over Automation Broker is not working after setting the public key in ssh repository \|- \| 2023-06-30\|\|PSAAS-13971\|\|VPE: opening playbook hangs on "loading playbook editor"; console shows error messages "TypeError: Cannot destructure property '{property}' of '{value}' as it is undefined." \|- \| 2023-06-26\|\|PSAAS-13898\|\|Splunk SOAR's cron jobs generate output, which fills up mail boxes over time<br/><br/>Workaround:<br/>Empty the Splunk SOAR user's mailbox. For example, if the Splunk SOAR user is <code>phantom</code>, you can empty the mailbox by running<br /><code>rm /var/mail/phantom</code> For each of the cron jobs installed during soar installation, edit the soar user's crontab (with "crontab -e") and append the following to the end of each command line: {{> /dev/null 2>&1}}<br/> \|- \| 2023-06-23\|\|PSAAS-13889, PSAAS-21309\|\|Images within app documentation are not being rendered \|- \| 2023-06-21\|\|PSAAS-13845\|\|VPE stuck in 'Loading Playbook Editor' after minor playbook change.<br/><br/>Workaround:<br/>Right click on VPE and then select '''inspect''' then '''display none'''. This disables the 'playbook loading' screen. Reverted to the last playbook revision: Select '''settings''' then '''revision history'''. Now reapply your reversed changes to the playbook.<br/> \|- \| 2023-06-17\|\|PSAAS-13813\|\|encryption_helper.encrypt fails when encrypting data larger than 4096 bytes<br/><br/>Workaround:<br/> For EWS for Office365 version 2.14.0 or lower, use Azure authentication mechanism instead of Azure Interactive authentication.<br/> \|- \| 2023-06-12\|\|PSAAS-13723\|\|Playbooks Listing Page: Slow to load when there are many playbook runs record \|- \| 2023-06-07\|\|PSAAS-13666\|\|VPE: Blocks custom named 'container' and 'container_0' produce the same python function name<br/><br/>Workaround:<br/>Avoid using custom block names that end in "container" and "container_0".<br/> \|- \| 2023-06-05\|\|PSAAS-13766\|\|Microsoft AD LDAP app fails with "No module named 'adldap_consts'" error message<br/><br/>Workaround:<br/><ol> <li>Clear the local cache on the Automation Broker for the given app. This example shows steps to clear the local cache on Automation Broker for a sample maxmind app: <div class="samplecode">splunk_user@518d6331a46d:/splunk_data/apps$ cd maxmind_c566e153-3118-4033-abda-14dd9748c91a/ splunk_user@518d6331a46d:/splunk_data/apps/maxmind_c566e153-3118-4033-abda-14dd9748c91a$ ls -l total 4 drwxr-xr-x 6 splunk_user splunk_user 4096 Jun 7 15:43 2.2.5 splunk_user@518d6331a46d:/splunk_data/apps/maxmind_c566e153-3118-4033-abda-14dd9748c91a$ rm -rf 2.2.5 `After you clear the cache, run a test connection or any action to re-download the app to the Automation Broker from SOAR.`
2023-05-22	PSAAS-13496	App Editor: Setting default app action booleans to 'false' does not work.
2023-04-26	PSAAS-13255	Deleting a container with 1000+ artifacts causes UWSGI to run out of memory. Workaround: For Waterspout we have swapped the deletion mechanism of containers in the UI from a django deletion to a raw deletion. This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added. In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the Template:Delete db containers management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission.
2023-03-07	PSAAS-12591	VPE: Artifact labels in datapaths are not universally supported Workaround: Use a format block to convert datapath results to strings then use the format block's output as the input to downstream action blocks.
2023-02-02	PSAAS-12158	User filtering is using first/last name to filter events instead of just username Workaround: None
2022-11-28	PSAAS-11237	Details for playbook runs don't update in window from the Investigation page Workaround: Click the "x" and then click on the desired playbook run in the queue
2022-04-08	PSAAS-8541	Unreadable characters sporadically appear in UI Workaround: Refresh the browser to reload the page.

February 22, 2023 Release 6.0.0

Date filed	Issue number	Description
2023-03-03	PSAAS-12470	custom app install fails with "Multiple app directories detected." after upgrading from 5.5.0 to 6.0.0 Workaround: recompile the app under soar 6.0.0 via the command line using "phenv compile_app -t -a {app_directory}"
2023-03-02	PSAAS-12445	Nginx '502 Bad Gateway' after submitting a large batch of events
2023-03-01	PSAAS-12397	App editor fails to load assets in edit mode for draft apps Workaround: Workaround 1: Publish the app so it is not longer a DRAFT, do the tests with the existing assets and then edit again to carry on with development. That generates a new version of the app for every test/publish action made Workaround 2: create a new asset while testing in DRAFT mode. That works as well but then when the app is published, that asset becomes an orphaned asset that can no longer be used unless reassigned. There is a new orphan asset for every time the app is published
2023-02-27	PSAAS-12369	Logrotate fails because of syntax error in the config file Workaround: Change the prerotate section of `opt/phantom/etc/logrotate.d/phantom_logrotate.conf` to the following: /opt/phantom/var/log/phantom/*.log { copytruncate rotate 10 size 50M start 1 create 0660 }
2023-02-27	PSAAS-12370	Playbook output variables replaced with {outputPath} after upgrade Workaround: Manually discover the incorrect datapath and re-select all datapaths that were renamed.
2023-02-20	PSAAS-12349	Mission Control: Splunk users without an email address cannot change their user settings in SOAR Workaround: For affected users in a paired Mission Control + SOAR environment, add an email address to the user's account in your Splunk Cloud deployment .
2023-02-16	PSAAS-12333	Playbooks that open with smart block context warnings will disable the debugger and display 'Discard Changes' button Workaround: Save the playbook. The debugger is re-enabled and the Discard Changes button no longer displays.
2023-02-16	PSAAS-12331	Naming blocks the same for utility block causes the blocks to sync
2023-02-15	PSAAS-12299	Apps Update does not display available new versions of unconfigured bundled apps Workaround: Applies to apps included with Splunk SOAR that are unconfigured (listed under the Unconfigured Apps tab). This does not apply to apps you manually installed by clicking Install App. Configure an asset for that app. Return to the Apps list. Click App Updates to see any available updates for that configured app.
2023-02-15	PSAAS-12317	API block, Custom Function with list type inputs do not update datapaths when upstream block custom name is changed Workaround: Configure the datapath manually.
2023-02-13	PSAAS-12282	Mission Control: Using "delete_event" in MC Block does not delete the artifact on SOAR Workaround: *After an event was deleted: Use debug custom function to find soar_container_id Go to SOAR Container and delete the artifact.
2023-02-13	PSAAS-12284	Playbook input variables are marked as invalid within an input playbook Workaround: There is no workaround for this at the moment, but playbooks with block warnings can still be saved/run as usual. The warnings do not impact basic playbook functionality in any way.
2023-02-06	PSAAS-12198	App action links within app documentation do not work Workaround: Scroll down the page to view the documents or find by using CTRL-F search function.
2023-02-01	PSAAS-12155	Adding multiple inputs to a previously saved custom function - not in alphabetical order - invalidates custom function. Workaround: Edit the custom function again. Click Generate. Two function headers display. Manually delete the old function header, located between the ## Custom Code Goes Below This Line ## comment lines. You cannot delete the new function header, because it is locked. The custom function will use the newly generated function header and function properly.
2023-01-26	PSAAS-12057	Document known issue / Workaround In App Editor, the AB(Automation Broker) configuration is ignored Workaround: If the asset you're using while debugging in the App Editor is configured to use an Automation Broker this setting is ignored. Launching the app/debugging will not route to the automation broker, instead it always runs locally in the cloud instance. To work around this issue: Publish the app. Run the published version of the app. Clone the published app so we can use the editor again. Manually change the cloned settings added to the json config. Delete the published app and its related asset. (Optional) create a new asset instead of deleting the previous one. Make the required code modifications. Repeat the process to debug again.
2023-01-25	PSAAS-12052	Mission Control:VPE: Action block cannot add top-level custom field for Event Workaround: Type the custom field in the action block input field.
2022-11-28	PSAAS-11237	Details for playbook runs don't update in window from the Investigation page Workaround: Click the "x" and then click on the desired playbook run in the queue

Versions 5.0.0 - 5.5.0

January 4, 2023 release 5.5.0 update

This is an update to the 5.5.0 release. Known issues are included in the table for the December 14 release.

December 14, 2022 release 5.5.0

Date filed	Issue number	Description
2024-02-22	PSAAS-16477	Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes Workaround: Manually change the `image:` line in docker-compose.yaml to point to `docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.`
2024-02-15	PSAAS-16431, PSAAS-16962, PSAAS-16963	Automation Broker: Actions intermittently hang for Automation Broker when there are connection issues Workaround: Check if the action completed successfully. Cancel the hanging action. If the action did not complete successfully, re-run the action. This problem is usually intermittent. Once connection issues have been resolved, retrying the action should succeed.
2023-07-19	PSAAS-14125	Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions. Workaround: Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2023-05-02	PSAAS-13313	ui regression: "TypeError: this.state.appCategories.map is not a function" and blank screen when opening app in app editor Workaround: none at this time
2023-04-28	PSAAS-13290	Toggling delay timer in one block causes all other action blocks to toggle delay timer. Workaround: Avoid toggling delay timer for blocks that do not want delays. Instead, reduce the delay to 0 minutes.
2023-04-26	PSAAS-13255	Deleting a container with 1000+ artifacts causes UWSGI to run out of memory. Workaround: For Waterspout we have swapped the deletion mechanism of containers in the UI from a django deletion to a raw deletion. This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added. In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the Template:Delete db containers management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission.
2023-04-06	PSAAS-12976	VPE: Manually selecting an asset deletes block configuration Workaround: Create a new block and copy the datapaths from the python editor view.
2023-03-22	PSAAS-12767	App install with Chrome browser: Browser crashes when installing a TAR or TGZ file Workaround: This issue occurs when adding a new app using Chrome version 111.0.5563. To avoid this issue, use a different browser.
2023-03-13	PSAAS-12637	Documentation: Cannot render specific div's from README.md properly on documentation page
2023-03-07	PSAAS-12591	VPE: Artifact labels in datapaths are not universally supported Workaround: Use a format block to convert datapath results to strings then use the format block's output as the input to downstream action blocks.
2023-02-18	PSAAS-12347	VPE: Playbooks cannot be canceled by the customer
2023-02-16	PSAAS-12333	Playbooks that open with smart block context warnings will disable the debugger and display 'Discard Changes' button Workaround: Save the playbook. The debugger is re-enabled and the Discard Changes button no longer displays.
2023-02-15	PSAAS-12311, PSAAS-12328	Prompt block icon disappear after creating more than one empty questions
2023-02-13	PSAAS-12284	Playbook input variables are marked as invalid within an input playbook Workaround: There is no workaround for this at the moment, but playbooks with block warnings can still be saved/run as usual. The warnings do not impact basic playbook functionality in any way.
2023-02-06	PSAAS-12198	App action links within app documentation do not work Workaround: Scroll down the page to view the documents or find by using CTRL-F search function.
2023-01-31	PSAAS-12122, PSAAS-11650	VPE missing inputs issue affecting playbook blocks Workaround: None
2023-01-26	PSAAS-12057	Automation Broker (AB) configuration is ignored in the app editor Workaround: If the asset you're using while debugging in the App Editor is configured to use an Automation Broker this setting is ignored. Launching the app/debugging will not route to the automation broker, instead it always runs locally in the cloud instance. To work around this issue: Publish the app. Run the published version of the app. Clone the published app so we can use the editor again. Manually change the cloned settings added to the json config. Delete the published app and its related asset. (Optional) create a new asset instead of deleting the previous one. Make the required code modifications. Repeat the process to debug again.
2023-01-20	PSAAS-11979	VPE: clicking on a block does not bring up the sidebar for editing conditions
2023-01-20	PSAAS-11965	Splunk app "run query" action runs infinitely on PSaaS instance
2023-01-11	PSAAS-11841	Upgrading a SOAR instance to 5.5 does not change the community repo branch to 5.5 Workaround: Deleting the community repository and readding it with the correct branch.
2023-01-10	PSAAS-11802	Artifact save invokes indicator extraction when indicator feature is disabled.
2023-01-09	PSAAS-11797	App actions fail due to unescaped null characters (PSAAS-10127)
2023-01-04	PSAAS-11694	VPE/prompt: "Could not find 'undefined' in users or roles" during playbook runs after upgrading from 5.4.0 and editing/saving the playbook Workaround: Edit the prompt block and re-select the user or role. The following error message displays, but you can save and run the playbook. approver must be a `object` type, but the final value was: `null` (cast from the value `"Administrator"`). If "null" is intended as an empty value be sure to mark the schema as `.nullable()`
2022-12-23	PSAAS-11658, PSAAS-11004	VPE: Utility blocks with more than one API call do not save parameter values Workaround: Use one utility block per API call.
2022-12-22	PSAAS-11638	VPE: delay in populating block outputs/datapath picker when playbook fully loaded Workaround: To fully populate the datapath picker list when configuring a block in the Visual Playbook Editor: Click outside the block configuration. Then click back into the block configuration.
2022-12-22	PSAAS-11648	Analyst Queue: When applying filters for owner for cases and events, the metrics at the top of the case screen do not change (containers are filtered) Workaround: none at this time
2022-12-15	PSAAS-11514	VPE smart block context not taking into account custom datapaths Workaround: Use custom code to manually add in the correct custom datapath into the python generation, if known.
2022-12-07	PSAAS-11389	Git app: Action git commit fails Workaround: The issue affects the `git push` command. Use HTTPS or git protocol instead of HTTP.
2022-12-05	PSAAS-11327, PSAAS-9665	VPE: Debugger hangs when running playbook; It goes blank and needs refresh
2022-12-05	PSAAS-11328	VPE Empty Variables with inconsistent use of quotes
2022-11-29	PSAAS-11245	Automation Broker: When getting new credentials for broker, UI gives incorrect docker command Workaround: Use the following command, instead of the one shown on the screen: `docker exec -ti <container_id> python3 /splunk/broker/bin/update_creds.py --new-creds "<copied_creds>"` `docker <container_id> restart`
2022-11-28	PSAAS-11237	Details for playbook runs don't update in window from the Investigation page Workaround: Click the "x" and then click on the desired playbook run in the queue
2022-11-28	PSAAS-11242	VPE: After correct reconfiguration, "invalid resource" warning persists within subplaybook block Workaround: The warning will not be shown if the user returns to the state 'Unconfigured' of the block and then proceeds to configure again
2022-11-18	PSAAS-11181	Fix page crash on load for blocks using external resources
2022-11-18	PSAAS-11190	VPE: Block Names with Container - A block name with "container" cannot share its results in other blocks in the Visual Editor Workaround: Do not use the word 'container' in playbook block names.
2022-10-31	PSAAS-11001	Wrong results in PB: "NOT IN" clause wrongly returns FALSE in SOAR when there is a null value in its condition
2022-09-07	PSAAS-10127	Playbooks using Threat Grid or urlscan.io app hang on the detonation action Workaround: Upgrade the app you are using. From the Apps page, click App Updates. Upgrade the app to the appropriate version: Threat Grid: upgrade to version 2.3.1 or higher urlscan.io: upgrade to version 2.3.0 or higher
2022-07-07	PSAAS-9417, PSAAS-9599	Data/Graphs missing on Executive Report after 5.3.2 upgrade
2022-04-08	PSAAS-8541	Unreadable characters sporadically appear in UI Workaround: Refresh the browser to reload the page.
2021-09-30	PSAAS-5408	/rest/widget_data/top_playbooks_actions endpoint returns invalid playbook_name field with tags Workaround: Parse the result manually to exclude the `span` tags around the playbook name.

October 27, 2022 release 5.4.0

Date filed	Issue number	Description
2024-02-22	PSAAS-16477	Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes Workaround: Manually change the `image:` line in docker-compose.yaml to point to `docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.`
2023-09-14	PSAAS-14784	SOAR gives a "502 bad gateway" error for all SAML logins if a metadata endpoint fails to respond.
2023-08-11	PSAAS-14413	Special characters are removed while downloading the file from Vault
2023-07-19	PSAAS-14125	Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions. Workaround: Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2023-05-02	PSAAS-13313	ui regression: "TypeError: this.state.appCategories.map is not a function" and blank screen when opening app in app editor Workaround: none at this time
2023-04-28	PSAAS-13290	Toggling delay timer in one block causes all other action blocks to toggle delay timer. Workaround: Avoid toggling delay timer for blocks that do not want delays. Instead, reduce the delay to 0 minutes.
2023-04-26	PSAAS-13255	Deleting a container with 1000+ artifacts causes UWSGI to run out of memory. Workaround: For Waterspout we have swapped the deletion mechanism of containers in the UI from a django deletion to a raw deletion. This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added. In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the Template:Delete db containers management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission.
2023-04-06	PSAAS-12976	VPE: Manually selecting an asset deletes block configuration Workaround: Create a new block and copy the datapaths from the python editor view.
2023-02-16	PSAAS-12333	Playbooks that open with smart block context warnings will disable the debugger and display 'Discard Changes' button Workaround: Save the playbook. The debugger is re-enabled and the Discard Changes button no longer displays.
2023-02-15	PSAAS-12311, PSAAS-12328	Prompt block icon disappear after creating more than one empty questions
2023-02-01	PSAAS-12147	System health charts truncate values
2023-01-26	PSAAS-12057	Automation Broker (AB) configuration is ignored in the app editor Workaround: If the asset you're using while debugging in the App Editor is configured to use an Automation Broker this setting is ignored. Launching the app/debugging will not route to the automation broker, instead it always runs locally in the cloud instance. To work around this issue: Publish the app. Run the published version of the app. Clone the published app so we can use the editor again. Manually change the cloned settings added to the json config. Delete the published app and its related asset. (Optional) create a new asset instead of deleting the previous one. Make the required code modifications. Repeat the process to debug again.
2023-01-13	PSAAS-11884	analyst queue: unexpected behavior when clearing previously added 'owner' filters
2023-01-09	PSAAS-11797	App actions fail due to unescaped null characters (PSAAS-10127)
2022-12-20	PSAAS-11587	A successful completion of called playbook in Synchronous mode, over-writes failure result in calling playbook Workaround: None
2022-12-20	PSAAS-11581	PlaybookRunEx::UpdateStatus fails to update when playbook run is very old.
2022-12-16	PSAAS-11546	Numeric input is parsed as integer and does not match the data type specified by the spec
2022-12-09	PSAAS-11423	Custom Function Editor: Not saving data type change Workaround: Changing the code forces the type update.
2022-12-08	PSAAS-11401	Automation Broker generates a high volume of extraneous audit log records.
2022-12-05	PSAAS-11328	VPE Empty Variables with inconsistent use of quotes
2022-11-30	PSAAS-11293	VPE: Debugger crashed in 5.4.0; Playbook run fails if it has an action with a 2+ minutes timer Workaround: No workaround, you could not use the timer but there are actions taking more than 2 minutes to complete and that cannot be changed.
2022-11-18	PSAAS-11182	"New events" counter increasing when Dynamic Updates are turned off
2022-11-18	PSAAS-11190	VPE: Block Names with Container - A block name with "container" cannot share its results in other blocks in the Visual Editor Workaround: Do not use the word 'container' in playbook block names.
2022-11-09	PSAAS-11068	Port forward from NRI port to 443 doesn't work on local machine.
2022-11-09	PSAAS-11077	Cloud : Remote search indexing : One event per day is missed Workaround: n/a
2022-11-09	PSAAS-11073	Action run limit not enforced before server restart
2022-11-08	PSAAS-11121	AppUpdate should continue to work with custom apps that have invalid versions Workaround: Uninstall the custom apps that are causing the blockage. To identify those custom apps, run the following script phenv phantom_shell apps = App.objects.filter(disabled=False) for app in apps: if not app.known_versions: print(app) print('done looking up custom apps') Use the AppUpdate wizard to update known app. See Splunk SOAR Connector for a list of apps that you can upgrade with the wizard. Reinstall those custom apps Repeat these steps each time you want to upgrade certified apps.
2022-11-03	PSAAS-11049	Search setting failing on test connection.
2022-10-31	PSAAS-11004, PSAAS-11658	VPE: Values entered into custom function/Utility input arguments are deleted or modified Workaround: Within the Visual Playbook Editor (VPE), populate a field in the utility block configuration panel. When complete, close the configuration panel. Re-open the configuration panel to populate another field. Repeat until you have completed all necessary fields.
2022-10-31	PSAAS-11001	Wrong results in PB: "NOT IN" clause wrongly returns FALSE in SOAR when there is a null value in its condition
2022-10-13	PSAAS-10703	Default workbook is reset on upgrade if the original default has been removed
2022-09-26	PSAAS-10454	UI error when navigating to case evidence tab caused by linked container that was removed by retention. Workaround: None.
2022-09-07	PSAAS-10107	Status of Case is missing from Report Workaround: None known
2022-09-07	PSAAS-10127	Playbooks using Threat Grid or urlscan.io app hang on the detonation action Workaround: Upgrade the app you are using. From the Apps page, click App Updates. Upgrade the app to the appropriate version: Threat Grid: upgrade to version 2.3.1 or higher urlscan.io: upgrade to version 2.3.0 or higher
2022-08-17	PSAAS-9891	Indicators are visible with labels that roles do not allow
2022-07-07	PSAAS-9417, PSAAS-9599	Data/Graphs missing on Executive Report after 5.3.2 upgrade
2022-04-29	PSAAS-8776	Investigation page: Widget layout and visibility is not saved via "manage widgets" Workaround: none known at this time
2022-04-08	PSAAS-8541	Unreadable characters sporadically appear in UI Workaround: Refresh the browser to reload the page.
2021-09-30	PSAAS-5408	/rest/widget_data/top_playbooks_actions endpoint returns invalid playbook_name field with tags Workaround: Parse the result manually to exclude the `span` tags around the playbook name.

September 28, 2022 release 5.3.5

Date filed	Issue number	Description
2023-11-29	PSAAS-15638	Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively Workaround: If using the REST API directly, add a `sort` parameter to the URL: https://example-soar.com/rest/resource?page=X&sort=id If using the `phantom.get_tasks()` or `phantom.get_notes()` playbook APIs, you can use `phantom.requests` instead to query the REST API directly: # Instead of phantom.get_tasks(), use url = phantom.build_phantom_rest_url('workbook_task') # Or, instead of phantom.get_notes(), use url = phantom.build_phantom_rest_url('note') params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'} response = phantom.requests.get(url, params=params) tasks = response.json()['data']
2023-07-19	PSAAS-14125	Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions. Workaround: Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2023-01-09	PSAAS-11797	App actions fail due to unescaped null characters (PSAAS-10127)
2022-11-18	PSAAS-11190	VPE: Block Names with Container - A block name with "container" cannot share its results in other blocks in the Visual Editor Workaround: Do not use the word 'container' in playbook block names.
2022-11-11	PSAAS-11118, PSAAS-8901	VPE 2: Adding a parameter to an action block deletes another parameter. Workaround: Within the Visual Playbook Editor (VPE), populate a field in the action block configuration panel. When complete, close the configuration panel. Re-open the configuration panel to populate another field. Repeat until you have completed all necessary fields.
2022-11-08	PSAAS-11121	AppUpdate should continue to work with custom apps that have invalid versions Workaround: Uninstall the custom apps that are causing the blockage. To identify those custom apps, run the following script phenv phantom_shell apps = App.objects.filter(disabled=False) for app in apps: if not app.known_versions: print(app) print('done looking up custom apps') Use the AppUpdate wizard to update known app. See Splunk SOAR Connector for a list of apps that you can upgrade with the wizard. Reinstall those custom apps Repeat these steps each time you want to upgrade certified apps.
2022-10-31	PSAAS-11004, PSAAS-11658	VPE: Values entered into custom function/Utility input arguments are deleted or modified Workaround: Within the Visual Playbook Editor (VPE), populate a field in the utility block configuration panel. When complete, close the configuration panel. Re-open the configuration panel to populate another field. Repeat until you have completed all necessary fields.
2022-10-31	PSAAS-11001	Wrong results in PB: "NOT IN" clause wrongly returns FALSE in SOAR when there is a null value in its condition
2022-10-20	PSAAS-10820	Receiving system generated emails with Account Notifications turned off Workaround: Email filter.
2022-09-26	PSAAS-10454	UI error when navigating to case evidence tab caused by linked container that was removed by retention. Workaround: None.
2022-09-20	PSAAS-10287	Interval/Schedule ingestion settings cannot be changed Workaround: Changing an asset's ingest settings does not correctly update the UI. The setting is changed, but the UI does not show the correct state. If you change the ingest settings on an app's asset from Interval to Schedule or Off the UI continues to show the setting as Interval. You can examine the JSON output of a REST request to determine the actual status of the asset's setting. Log in to your Splunk SOAR deployment. In a new browser tab, use this REST request. https://<Splunk SOAR deployment>/rest/asset?pretty=true&_special_app_info=true&page_size=0&_filter_id=<asset id> Replace `<Splunk SOAR deployment>` and `<asset id>` with the URL for your SOAR deployment and the asset id of the asset whose status you want to verify. Look for the `"configuration"` object and check the value of `"polling"`. {... "configuration": {"ingest": {"interval_mins": "30", "container_label": "events", "polling": false} } When the value is false, polling is disabled. When the value is true, polling is enabled.
2022-09-07	PSAAS-10107	Status of Case is missing from Report Workaround: None known
2022-09-07	PSAAS-10127	Playbooks using Threat Grid or urlscan.io app hang on the detonation action Workaround: Upgrade the app you are using. From the Apps page, click App Updates. Upgrade the app to the appropriate version: Threat Grid: upgrade to version 2.3.1 or higher urlscan.io: upgrade to version 2.3.0 or higher
2022-08-17	PSAAS-9891	Indicators are visible with labels that roles do not allow
2022-08-01	PSAAS-9665, PSAAS-11327	VPE: SOAR UI hangs in VPE debug and UI will go blank and need refresh
2022-07-07	PSAAS-9417, PSAAS-9599	Data/Graphs missing on Executive Report after 5.3.2 upgrade
2022-04-29	PSAAS-8776	Investigation page: Widget layout and visibility is not saved via "manage widgets" Workaround: none known at this time
2022-04-08	PSAAS-8541	Unreadable characters sporadically appear in UI Workaround: Refresh the browser to reload the page.
2021-09-30	PSAAS-5408	/rest/widget_data/top_playbooks_actions endpoint returns invalid playbook_name field with tags Workaround: Parse the result manually to exclude the `span` tags around the playbook name.

August 31, 2022 release 5.3.4

Date filed	Issue number	Description
2023-11-29	PSAAS-15638	Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively Workaround: If using the REST API directly, add a `sort` parameter to the URL: https://example-soar.com/rest/resource?page=X&sort=id If using the `phantom.get_tasks()` or `phantom.get_notes()` playbook APIs, you can use `phantom.requests` instead to query the REST API directly: # Instead of phantom.get_tasks(), use url = phantom.build_phantom_rest_url('workbook_task') # Or, instead of phantom.get_notes(), use url = phantom.build_phantom_rest_url('note') params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'} response = phantom.requests.get(url, params=params) tasks = response.json()['data']
2023-07-19	PSAAS-14125	Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions. Workaround: Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2023-01-09	PSAAS-11797	App actions fail due to unescaped null characters (PSAAS-10127)
2022-11-18	PSAAS-11190	VPE: Block Names with Container - A block name with "container" cannot share its results in other blocks in the Visual Editor Workaround: Do not use the word 'container' in playbook block names.
2022-11-11	PSAAS-11118, PSAAS-8901	VPE 2: Adding a parameter to an action block deletes another parameter. Workaround: Within the Visual Playbook Editor (VPE), populate a field in the action block configuration panel. When complete, close the configuration panel. Re-open the configuration panel to populate another field. Repeat until you have completed all necessary fields.
2022-11-08	PSAAS-11121	AppUpdate should continue to work with custom apps that have invalid versions Workaround: Uninstall the custom apps that are causing the blockage. To identify those custom apps, run the following script phenv phantom_shell apps = App.objects.filter(disabled=False) for app in apps: if not app.known_versions: print(app) print('done looking up custom apps') Use the AppUpdate wizard to update known app. See Splunk SOAR Connector for a list of apps that you can upgrade with the wizard. Reinstall those custom apps Repeat these steps each time you want to upgrade certified apps.
2022-10-31	PSAAS-11004, PSAAS-11658	VPE: Values entered into custom function/Utility input arguments are deleted or modified Workaround: Within the Visual Playbook Editor (VPE), populate a field in the utility block configuration panel. When complete, close the configuration panel. Re-open the configuration panel to populate another field. Repeat until you have completed all necessary fields.
2022-10-31	PSAAS-10997	Playbook decision block convert boolean strings to boolean values Workaround: no workaround
2022-10-31	PSAAS-11001	Wrong results in PB: "NOT IN" clause wrongly returns FALSE in SOAR when there is a null value in its condition
2022-10-04	PSAAS-10582	UI crash: opening container with a HUD CARD using a Custom Field and a list value leads to a blank page. Workaround: Use pin type = data instead of card
2022-09-26	PSAAS-10454	UI error when navigating to case evidence tab caused by linked container that was removed by retention. Workaround: None.
2022-09-20	PSAAS-10287	Interval/Schedule ingestion settings cannot be changed Workaround: Changing an asset's ingest settings does not correctly update the UI. The setting is changed, but the UI does not show the correct state. If you change the ingest settings on an app's asset from Interval to Schedule or Off the UI continues to show the setting as Interval. You can examine the JSON output of a REST request to determine the actual status of the asset's setting. Log in to your Splunk SOAR deployment. In a new browser tab, use this REST request. https://<Splunk SOAR deployment>/rest/asset?pretty=true&_special_app_info=true&page_size=0&_filter_id=<asset id> Replace `<Splunk SOAR deployment>` and `<asset id>` with the URL for your SOAR deployment and the asset id of the asset whose status you want to verify. Look for the `"configuration"` object and check the value of `"polling"`. {... "configuration": {"ingest": {"interval_mins": "30", "container_label": "events", "polling": false} } When the value is false, polling is disabled. When the value is true, polling is enabled.
2022-09-16	PSAAS-10265	NMAP App not compatible with Automation Broker Workaround: Build a custom automation broker image with nmap installed and run the App via AB. Note that this is probably unsupported by us.
2022-09-14	PSAAS-10263	"500 Server Error" when downloading vault file with name containing a line feed Workaround: rename it directly in the DB
2022-09-08	PSAAS-10158	Upgrades may fail on PrepSystem step due to a cp failure with "Text File Busy" Workaround: This occurs when there's an active cron job for SOAR running when the upgrade starts. Wait for the processes using `python3.9` to complete and then retry the upgrade
2022-09-08	PSAAS-10205	Incorrect notification when connecting to Splunkbase
2022-09-07	PSAAS-10107	Status of Case is missing from Report Workaround: None known
2022-09-07	PSAAS-10127	Playbooks using Threat Grid or urlscan.io app hang on the detonation action Workaround: Upgrade the app you are using. From the Apps page, click App Updates. Upgrade the app to the appropriate version: Threat Grid: upgrade to version 2.3.1 or higher urlscan.io: upgrade to version 2.3.0 or higher
2022-08-11	PSAAS-9793	Custom field message has broken link to documentation Workaround: Follow these links to learn more about using custom fields in playbooks: Cloud: Update and read custom field values On-premises: Update and read custom field values
2022-08-01	PSAAS-9665, PSAAS-11327	VPE: SOAR UI hangs in VPE debug and UI will go blank and need refresh
2022-07-07	PSAAS-9417, PSAAS-9599	Data/Graphs missing on Executive Report after 5.3.2 upgrade
2022-04-29	PSAAS-8776	Investigation page: Widget layout and visibility is not saved via "manage widgets" Workaround: none known at this time
2022-04-08	PSAAS-8541	Unreadable characters sporadically appear in UI Workaround: Refresh the browser to reload the page.

July 28, 2022 release 5.3.3

Date filed	Issue number	Description
2022-07-22	PSAAS-9574	soar-prepare-system appears to get stuck after InstallPhantomDependencies Workaround: The problem is that the progress spinner is overwriting a prompt asking if you'd like to run an optional step. To resolve, Quit the pending run of soar-prepare-system using ctrl+c Run soar-prepare-system again, this time with either the --no-spinners flag to disable the spinners, or the --no-prompt flag to skip the prompts
2022-07-19	PSAAS-9531	Upgrades fail with error "Failed to trust git directory" when there exist playbook repos with spaces in their names Workaround: Follow these steps to mitigate this issue during your upgrade to version 5.3.2. Edit install/install_steps/git_repos.py. Change lines 37 and 46. Wrap {git_repo} in escaped quotes. 37 cmd=f"config --global --unset safe.directory \"{git_repo}\"", 46 cmd=f"config --global --add safe.directory \"{git_repo}\"", Other versions may have similar code that needs to be wrapped in escaped quotes. Verify .soar-continue contains `{"continue_from": "GitRepos", "cluster_phase": "NONE"}` Re-run the soar-install command.

June 22, 2022 release 5.3.2

This release of Splunk SOAR (Cloud) has no known issues.

April 11, 2022 release 5.3.1

Date filed

Issue number

Description

2022-04-14

PSAAS-8617

Ingestion failures

Workaround: If the ingestd daemon is still running on the instance but ingestion has stopped, contact Support. The ingestd daemon will be restarted on the instance.

2022-04-12

PSAAS-8569

5.2.1 -> 5.3.x upgrades fail if custom pip packages have been installed and the system cannot directly reach pypi.org without a proxy

Workaround: Perform one of these two operations (up to customer discretion):

Look into the {{<PHANTOM_HOME>/usr/local/customer_requirements.txt}} file and acquire all the packages therein; it's likely they were installed for a reason by the customer, so this is probably the most correct action. The commands for acquiring the package may vary depending on the customer's environment; however, it should generally be a pip install: {noformat}phenv python3 -m pip install -r customer_requirements.txt{noformat}
OR, you can delete the entire {{<PHANTOM_HOME>/usr/local/customer_requirements.txt}} file (or any package listed in it) so the system does not attempt to install anything. This action may result in customer playbooks, custom functions, or even locally-written apps to fail since they might expect pip packages to exist that are no longer installed

Regardless of whether action (a) or action (b) was taken, the customer can continue the upgrade by re-running Template:Soar-install after performing either remediation above

2022-02-11

PSAAS-7604

Deleting Source Control repo doesn't remove the playbooks

Workaround: If customer has command line access:

Verify that the repo is marked as Template:Disabled=t in the Template:Scm table (SELECT * FROM scm;)
Verify that associated playbooks are marked as Template:Disabled=t and Template:Disabled=f in the Template:Playbook table (SELECT * FROM playbook WHERE id=<scm_id>;)
Mark all associated playbooks as Template:Disabled=t (UPDATE playbook SET disabled=t WHERE scm_id=<scm_id>;)

January 26, 2022 release 5.2.1

Date filed	Issue number	Description
2022-01-20	PSAAS-7307	Cloned Assets after upgrade will have secrets encrypted incorrectly.After upgrade, for any cloned assets, you will need to manually re-enter any passwords or secret environment variables. Of the Splunk certified apps this will only happen for a shared asset on the WMI and LDAP apps.
2021-12-17	PSAAS-7028	VPE 2.0 - UI issue causing dot separation in playbooks which worsens over time

November 17, 2021 release 5.1.0

Date filed	Issue number	Description
2023-11-29	PSAAS-15638	Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively Workaround: If using the REST API directly, add a `sort` parameter to the URL: https://example-soar.com/rest/resource?page=X&sort=id If using the `phantom.get_tasks()` or `phantom.get_notes()` playbook APIs, you can use `phantom.requests` instead to query the REST API directly: # Instead of phantom.get_tasks(), use url = phantom.build_phantom_rest_url('workbook_task') # Or, instead of phantom.get_notes(), use url = phantom.build_phantom_rest_url('note') params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'} response = phantom.requests.get(url, params=params) tasks = response.json()['data']
2023-07-19	PSAAS-14125	Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions. Workaround: Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2022-03-17	PSAAS-8132	Saving an event without change increases/decreases event SLA
2022-02-18	PSAAS-7649	uwsgi stops handling requests with SIGNAL QUEUE IS FULL error Workaround: Restart uwsgi
2022-02-15	PSAAS-7633	C++ log truncation can result in bad json for very long messages
2022-01-27	PSAAS-7399	Ingestion stalls when assets are modified while ingesting
2022-01-20	PSAAS-7300	Investigation page Workbook pane: "run playbook" dialog box incorrectly placed upon clicking 2nd and subsequent playbooks to launch Workaround: even though the "run playbook" dialog box's placement is incorrect and the dialog box's 'cancel' button does not function, the "run playbook" button does function and does launch the designated playbook
2022-01-10	PSAAS-7173	Analyst Queue: Event filtering only allows one user at a time Workaround: Craft filter in browser URL using SOAR user ID's.
2022-01-05	PSAAS-7132	Triggering playbook runs from the UI can hang the webserver if only one worker is available
2021-12-29	PSAAS-7069	Phantom App: Automation Broker not able to add empty file into the Vault
2021-12-09	PSAAS-6899	VPE - Boolean parameter in action block does not display as 'set'(checked) for a default value of 'true' in JSON
2021-11-18	PSAAS-6603	IDP-initiated SAML authentication succeeds, but presents an error to the user Workaround: -
2021-11-12	PSAAS-6440	App Wizard UI does not fully display when using the light UI theme. Workaround: Use the dark UI theme instead of the light UI theme.
2021-11-05	PSAAS-6253	On an upgraded instance, updating the Maxmind app returns error. Workaround: Edit the apps' asset settings. Select a label in the Ingest Settings tab.
2021-10-15	PSAAS-5765	Splunkbase: Login And Install button in Login modal only does the login, not installation. Workaround: Use the Install button to install a single app or click the Install All button to install all the displayed apps.
2021-10-15	PSAAS-5768	phantom.get_run_data() sometimes returns invalid JSON Workaround: Compare the output of `phantom.get_run_data` to the empty string, and set the value to `"null"` if they match. Requires custom code.
2021-10-12	PSAAS-5674, PSAAS-8570	VPE 2.0 - Only shows first 19 custom functions in the Utility block custom function list Workaround: Change the order of "sort-by". Changing it once, you'll see Z-A. If you want to see A-Z, change the sort order again. You can also use "search" to search for a specific custom function.
2021-10-12	PSAAS-5681	Global environment variables are not honored when debugging actions in the App Wizard's editor.
2021-10-12	PSAAS-5682	App Wizard's editor prevents a user from saving apps that have fewer than two actions. Workaround: You can create at least two no-op actions for an app and the editor's validation will pass. The behavior was intended to enforce that apps must implement an action besides "test connectivity", but it failed to account for special circumstances and that not all apps support any actions at all
2021-10-07	PSAAS-5598	The App Wizard's editor allows the user to create multiple actions with the same name, which generates conflicting function names. Workaround: All function names are converted to lowercase. Avoid creating actions with the same lowercase name. If you do create actions with the same lowercase name, you must manually change the name of one of the misnamed actions and update the code of your app to match the new function names.
2021-10-07	PSAAS-5600	Changing app versions in the App Wizard's editor changes the behavior of edit & clone workflows by leaving old versions of the draft app on the system instead of overwriting them.
2021-10-07	PSAAS-5602, PSAAS-5595	App Wizard's editor is missing support for configuring ingestion assets and testing ingestion actions.
2021-10-07	PSAAS-5572	In the App Wizard's editor, the "Draft Apps" listing does not accurately report the number of supported actions.
2021-10-07	PSAAS-5597, PSAAS-5592, PSAAS-5606	App Wizard's editor: Misconfiguring a new action in the "Add Action" modal may cause subsequent usages of the modal to generate TypeErrors. Workaround: Exit and restart the App Wizard's editor reset the modal window state.
2021-10-07	PSAAS-5622, PSAAS-5588	APP Editor: Jump to code doesn't work when errors are present in source (Documentation)
2021-10-06	PSAAS-5509	VPE 2: Block mode Python code should show the actual line number
2021-09-30	PSAAS-5408	/rest/widget_data/top_playbooks_actions endpoint returns invalid playbook_name field with tags Workaround: Parse the result manually to exclude the `span` tags around the playbook name.
2021-07-21	PSAAS-3827	VPE 2.0: Changing block name doesn't change its downstream datapath

August 24, 2021 release 5.0

Date filed	Issue number	Description
2023-11-29	PSAAS-15638	Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively Workaround: If using the REST API directly, add a `sort` parameter to the URL: https://example-soar.com/rest/resource?page=X&sort=id If using the `phantom.get_tasks()` or `phantom.get_notes()` playbook APIs, you can use `phantom.requests` instead to query the REST API directly: # Instead of phantom.get_tasks(), use url = phantom.build_phantom_rest_url('workbook_task') # Or, instead of phantom.get_notes(), use url = phantom.build_phantom_rest_url('note') params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'} response = phantom.requests.get(url, params=params) tasks = response.json()['data']
2023-07-19	PSAAS-14125	Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions. Workaround: Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2022-02-15	PSAAS-7633	C++ log truncation can result in bad json for very long messages
2021-10-15	PSAAS-5768	phantom.get_run_data() sometimes returns invalid JSON Workaround: Compare the output of `phantom.get_run_data` to the empty string, and set the value to `"null"` if they match. Requires custom code.
2021-10-07	PSAAS-5573, PSAAS-6581	Investigation page: Related Events modal has Permission Error
2021-10-06	PSAAS-5542	Issue with allowing roles to pass permission checks in unauthorized areas when performing reporting operations
2021-09-30	PSAAS-5408	/rest/widget_data/top_playbooks_actions endpoint returns invalid playbook_name field with tags Workaround: Parse the result manually to exclude the `span` tags around the playbook name.
2021-09-15	PSAAS-3564	Automation Broker: Unable to pair broker: brokerd caught in some endless loop preventing pairing
2021-08-30	PSAAS-3375	Garbage string printed for client id in AB logs during unregistration Workaround: This is because client_id is a hash and needs to be printed with %x. We are instead using %s which is causing the issue.
2021-08-25	PSAAS-3343	Some actions fail with "failed to send request to AB" on AB 64172
2021-08-24	PSAAS-3311	VPE - Classic editor throws uncaught reference. Clear cache and refresh to fix. Workaround: Empty cache and hard reload
2021-08-23	PSAAS-3289	Can't Delete Value from Org Id/Set Domain for Thycotic password vault
2021-08-19	PSAAS-3246	Calling playbook APIs get_tasks, add_task, and set_owner raise an error Workaround: None at this time
2021-08-18	PSAAS-3232, PSAAS-3271	When an admin is configuring source control, it is unclear that a github personal access token is valid input.
2021-08-02	PSAAS-2782	Unable to rotate encryption keys in the Automation Broker
2021-08-02	PSAAS-2781	Broker sometimes fail to pair with Cloud SOAR instance
2021-07-14	PSAAS-2558	Approval - two different status after stopping approval process
2021-07-13	PSAAS-2548	Add related_category and remove tenant_info from ActionRun's deletion audit records
2021-07-09	PSAAS-2510	App RSA Archer: Unable to see the app's custom view for the "list ticket" action when the result count is 100 or more items.

Date filed	Issue number	Description
2021-08-19	MCSOAR-4367	VPE 2.0 - Playbook version in settings doesn't update
2021-08-13	MCSOAR-4328	VPE 2.0 - Keyboard shortcuts don't work with code focused
2021-08-13	MCSOAR-4336	VPE 2.0 - Fullscreen in playbook editor hides the debugger/editor button
2021-07-29	MCSOAR-4216	VPE 2.0 - Debug console output should scroll down automatically when running
2021-07-29	MCSOAR-4207	VPE 2.0 - Unable to select "keyword arguments" to pass into utility custom function
2021-07-29	MCSOAR-4197	VPE 2.0 - Playbook Save fails when Unicode is used in Commit Message
2021-07-21	MCSOAR-4143	VPE 2.0 - Changing block name doesn't change its downstream datapath
2021-07-20	MCSOAR-4140	VPE 2.0 - No warning on block that has deleted/invalid datapath
2021-07-16	MCSOAR-4122	VPE 2.0 - Hotkeys: Shortcut for showing available hotkeys only works when Settings is open
2021-06-30	MCSOAR-4106	VPE 2.0 - No warning when asset in action block is not available
2021-06-30	MCSOAR-4100	VPE 2.0 - After dragging an arrow from the start block in Firefox, there's no pop-up to create a new block.
2021-06-30	MCSOAR-4097	VPE 2.0 - Visual errors in Safari
2021-06-30	MCSOAR-4101	VPE 2.0 - Unicode not working on playbook title

Versions 4.12.0 - 4.12.3

July 28, 2021 release 4.12.3

Date filed	Issue number	Description
2022-05-05	PSAAS-8830	Excessive DB usage during asset or ingestion settings updates.
2021-08-19	PSAAS-3246	Calling playbook APIs get_tasks, add_task, and set_owner raise an error Workaround: None at this time
2021-07-28	PSAAS-2735	Connectors are unable to execute java related commands using run_ext_command() in SOAR (cloud).
2021-07-22	PSAAS-2681	Playbook action hangs for over 30m then fails on broker
2021-07-16	PSAAS-2591	Asset Proxy Settings: Previously configured HTTP or HTTPS Proxy not working as intended Workaround: * Determine if your proxy is an HTTP or HTTPS proxy. If you have an HTTP proxy and your asset settings have proxy variables starting with `https://<proxy_ip>`, replace them with `http://<proxy_ip>` If you have an HTTPS proxy and your asset settings have proxy variables starting with `http://<proxy_ip>`, replace them with `https://<proxy_ip>`
2021-06-07	PSAAS-2054	VPE: Naming block name "Summary" makes Decision/Filter block throws error Workaround: Don't use use the word "Summary" in investigate blocks
2021-06-07	PSAAS-2056, PSAAS-2157	Home Page: Uses pull-down list populated with multiple duplicate names because it includes deleted users
2021-05-05	PSAAS-2436	Changing an artifact's tenancy will not update it in the indicator table

June 25, 2021 release 4.12.2

Date filed	Issue number	Description
2021-07-16	PSAAS-2597, PSAAS-2689	Playbook Editor: Error returns a JSON block instead of a formatted error message.
2021-07-09	PSAAS-2510	App RSA Archer: Unable to see the app's custom view for the "list ticket" action when the result count is 100 or more items.
2021-06-15	PSAAS-2226, PSAAS-1798	Playbook action fails with "Timed out waiting for connector to bind back on port!" during performance longevity test
2021-06-08	PSAAS-2081, PSAAS-1798, PSAAS-2242	Playbook action fails intermittently with error message"Failed to send request to Automation Broker."
2021-05-20	PSAAS-1881	Action Broker action concurrency: asset concurrency limit changes are only applied when broker is restarted.
2021-05-07	PSAAS-1758	Playbook debug output doesn't print the playbook, repo, and user names on the first statement

June 10, 2021 release 4.12.1

Date filed	Issue number	Description
2021-06-15	PSAAS-2226, PSAAS-1798	Playbook action fails with "Timed out waiting for connector to bind back on port!" during performance longevity test
2021-06-08	PSAAS-2081, PSAAS-1798, PSAAS-2242	Playbook action fails intermittently with error message"Failed to send request to Automation Broker."
2021-06-01	PSAAS-2028	Investigation - Artifacts dropdown list not closed after selection
2021-05-25	PSAAS-1947	Onboarding artifact with IP 60.163.90.8 leads to app error message
2021-05-25	PSAAS-1960	Automation Broker: Cannot handle very large downloads or POSTs
2021-05-20	PSAAS-1881	Action Broker action concurrency: asset concurrency limit changes are only applied when broker is restarted.
2021-05-07	PSAAS-1758	Playbook debug output doesn't print the playbook, repo, and user names on the first statement
2021-03-05	PSAAS-2281	Containers are being opened even if an artifact submission fails

May 27, 2021 release 4.12.0

Date filed	Issue number	Description
2021-06-11	PSAAS-2126	REST API rest/artifact returns empty cef_type for defaults CEFs
2021-06-08	PSAAS-2081, PSAAS-1798, PSAAS-2242	Playbook action fails intermittently with error message"Failed to send request to Automation Broker."
2021-06-01	PSAAS-2028	Investigation - Artifacts dropdown list not closed after selection
2021-05-27	PSAAS-1985	Automation Broker does not support internal proxies.
2021-05-25	PSAAS-1947	Onboarding artifact with IP 60.163.90.8 leads to app error message
2021-05-25	PSAAS-1960	Automation Broker: Cannot handle very large downloads or POSTs
2021-05-20	PSAAS-1881	Action Broker action concurrency: asset concurrency limit changes are only applied when broker is restarted.
2021-05-20	PSAAS-1894	Investigation page: Action Widget sorting is not working
2021-05-14	PSAAS-1798, PSAAS-2226, PSAAS-2081	Playbook action fails with error message"Failed to send request to Automation Broker."
2021-05-07	PSAAS-1758	Playbook debug output doesn't print the playbook, repo, and user names on the first statement
2021-04-01	PSAAS-1240	SAML: Improve logging the message for why a user is not authorized

Related answers from Splunk Community