Splunk App for SOAR Export release notes
The 4.1.117 version of the Splunk App for SOAR Export includes the following enhancements:
- The name of the app has been changed to Splunk App for SOAR Export. References to Phantom in the UI have been updated to SOAR, but references in the code still refer to Phantom.
- The app now removes items from the KV Store if the item has an invalid label in Splunk SOAR.
- The regular expression in event parsing now accommodates multiline values.
- Performance improvements for the searches in event forwarding.
- The default python.version is now python3.
Fixed issues in this release
This version of the Splunk App for SOAR Export was released on March 14, 2022 and fixes the following issues.
Date resolved | Issue number | Description |
---|---|---|
2022-02-09 | PAPP-22982 | phantom_forward.py does not handle multi-valued fields created with the strcat and split() functions. |
2022-01-31 | PAPP-20810 | Events in the KV Store phantom_retry are only sent if the container label is valid. |
2022-01-31 | PAPP-22054 | Upon a successful phantom_retry, some artifacts end up in the same container but should be unique. |
2022-01-28 | PAPP-19122 | The SplunkD path is not set correctly in some cases. |
2022-01-18 | PAPP-23657 | Upgrading from beta version 0.0.19 to release version 4.1.73 gave an error message related to earliest_time and latest_time parameters. |
2022-01-07 | PAPP-23255 | Misleading 403 Forbidden error when syncing workbooks with Splunk Cloud. |
Known issues in this release
This version of the Splunk App for SOAR Export was released on March 14, 2022 and has the following known issues.
Date filed | Issue number | Description |
---|---|---|
2023-08-08 | PAPP-31554 | Artifact title is missing in SOAR when posting via scheduled alert actions. |
2023-07-19 | PAPP-31340 | ES notable multiline comments are not exported to SOAR. Workaround: no workaround is available. |
2022-08-13 | PAPP-27172 | Updating a forwarding rule results in the error "A saved search with that name already exists". Workaround: searches and forwarding rules can be changed in the .conf files, and if you delete the underlying saved search, the update recreates it. Alternative workaround to change an existing event forwarding rule: (1) navigate to the Event Forwarding page of the Splunk App for SOAR Export; (2) click "Clone" on the rule you would like to modify; (3) a modal to modify the clone opens, where you can make your changes; (4) after making the changes, click "Save and Close" or "Save and Preview". |
2022-08-08 | PAPP-27021 | ES adaptive response action records success twice. Workaround: append `dedup sid` to the macro `modular_action_invocations`. |
2022-07-15 | PAPP-26850 | ITSI: event forwarding configurations were not being updated to either enabled or disabled (SOAR Export). Workaround: the workaround from the previous issue does not work for an ITSI stack. |
2021-11-26 | PAPP-21689 | Send to SOAR sometimes throws "IndexError: list index out of range". |
2021-05-19 | PAPP-17108 | Adaptive Response Relay produces an error message in Splunk Cloud. Workaround: create a saved search report to invoke the Send to SOAR or Run SOAR Playbook actions, as described in these steps: If the key word `| eval _phantom_workaround_description = [| rest /services/saved/searches/Test%20Alert%20Title | eval desc="\"".description."\"" | return $desc]` |
This documentation applies to the following versions of Splunk® App for SOAR Export: 4.1.117