Splunk® SOAR (On-premises)

Release Notes

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Known issues for

Release 5.1.0

Date filed Issue number Description
2023-11-29 PSAAS-15638 Paginating REST APIs without sorting may give duplicate results across pages. Also affects the phantom.get_tasks() and phantom.get_notes() playbook APIs when containers have >10 tasks or >10 notes, respectively.

Workaround:
If using the REST API directly, add a sort parameter to the URL:
https://example-soar.com/rest/resource?page=X&sort=id

If using the phantom.get_tasks() or phantom.get_notes() playbook APIs, you can use phantom.requests instead to query the REST API directly:


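# Instead of phantom.get_tasks(), use
url = phantom.build_phantom_rest_url('workbook_task')
# Sort by id so the result order is stable
params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
tasks = response.json()['data']

# Or, instead of phantom.get_notes(), use
url = phantom.build_phantom_rest_url('note')
params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
notes = response.json()['data']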
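
The REST workaround above, as an added example that is not part of Splunk's documentation: a page walker that always sends sort=id and de-duplicates by id, next to a constructed endpoint whose row order changes between unsorted queries. The fetch callable, FakeEndpoint, naive_pages and the zero-based first page are assumptions for illustration; in a playbook, fetch could wrap phantom.requests.get.

```python
from typing import Callable, Dict, Iterator

def iter_sorted_pages(fetch: Callable[[Dict], Dict], base_params: Dict,
                      page_size: int = 100, first_page: int = 0) -> Iterator[Dict]:
    """Yield each record once from a paginated listing, always sending sort=id."""
    seen = set()
    page = first_page  # assumption: page numbering starts at 0
    while True:
        params = dict(base_params, page=page, page_size=page_size, sort="id")
        data = fetch(params).get("data", [])
        for rec in data:
            if rec["id"] not in seen:  # guard in case a page still overlaps
                seen.add(rec["id"])
                yield rec
        if len(data) < page_size:  # short or empty page: nothing left
            return
        page += 1

class FakeEndpoint:
    """Constructed stand-in for a REST listing: row order is unstable unless sorted."""
    def __init__(self, ids):
        self.rows = [{"id": i} for i in ids]
        self.calls = 0

    def __call__(self, params: Dict) -> Dict:
        rows = list(self.rows)
        if params.get("sort") == "id":
            rows.sort(key=lambda r: r["id"])
        else:
            # Emulate a backend that returns rows in a different order per query
            shift = self.calls % len(rows)
            rows = rows[shift:] + rows[:shift]
        self.calls += 1
        start = params["page"] * params["page_size"]
        return {"data": rows[start:start + params["page_size"]]}

def naive_pages(fetch, page_size: int, pages: int):
    """Page through without a sort parameter (the behaviour the issue describes)."""
    out = []
    for p in range(pages):
        out += fetch({"page": p, "page_size": page_size})["data"]
    return out

if __name__ == "__main__":
    naive = [r["id"] for r in naive_pages(FakeEndpoint(range(1, 26)), 10, 3)]
    print("unsorted:", len(naive), "rows,", len(set(naive)), "unique")
    fixed = list(iter_sorted_pages(FakeEndpoint(range(1, 26)), {}, page_size=10))
    print("sorted:  ", len(fixed), "rows, all unique")
```
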


2023-07-19 PSAAS-14125 Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions.

Workaround:
Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2023-06-26 PSAAS-13898 Splunk SOAR's cron jobs generate output, which fills up mailboxes over time.

Workaround:
Empty the Splunk SOAR user's mailbox. For example, if the Splunk SOAR user is phantom, you can empty the mailbox by running
rm /var/mail/phantom

For each of the cron jobs installed during Splunk SOAR installation, edit the Splunk SOAR user's crontab (with "crontab -e") and append the following to the end of each command line: > /dev/null 2>&1

2023-02-21 PSAAS-12357 Upgrade from 5.0.1 to v5.1 failing for nginx - libprofiler.so.0()(64bit) dependency.

Workaround:
Manually install the package gperftools-libs, which is available in the base OS repos for CentOS and RedHat 7:

yum install gperftools-libs

Alternatively, download an RPM for gperftools-libs-2.6.1-1.el7.x86_64, use scp to get the RPM file onto your system, and then install it with rpm -Uvh.

2022-11-08 PSAAS-11121 AppUpdate should continue to work with custom apps that have invalid versions

Workaround:
Uninstall the custom apps that are causing the blockage.
  1. To identify those custom apps, start the shell and run the following script:

    phenv phantom_shell

    # In the shell that opens, list enabled apps that have no known versions
    apps = App.objects.filter(disabled=False)
    for app in apps:
        if not app.known_versions:
            print(app)

    print('done looking up custom apps')

  2. Use the AppUpdate wizard to update known apps. See Splunk SOAR Connector for a list of apps that you can upgrade with the wizard.
  3. Reinstall those custom apps.

Repeat these steps each time you want to upgrade certified apps.

2022-09-26 PSAAS-10411 ibackup stores the entire PostgreSQL database in every incremental backup.
2022-09-14 PSAAS-10239 When 2 activated LDAP configurations are present, login fails with the second LDAP configuration

Workaround:
Use only one LDAP configuration.
2022-09-07 PSAAS-10107 Status of Case is missing from Report

Workaround:
None known
2022-08-01 PSAAS-9678 app_interface.log can grow to large size because it does not roll over and is in debug

Workaround:
None.
2022-07-20 PSAAS-9535 after --standby-mode --off postgresql.phantom.conf not cleaned up

Workaround:
Manually disable archive_mode by removing postgresql.phantom.conf and editing postgresql.conf to delete the include_if_exists 'postgresql.phantom.conf' line (for thoroughness).

Restart PostgreSQL.

2022-07-19 PSAAS-9533 setup_warm_standby on standby fails with "String does not contain a date" when pg_last_xact_replay_timestamp() returns empty results and --status or --convert-to-primary specified
2022-05-03 PSAAS-8810 VPE: Not consistent on handling blank inputs passed to playbooks vs deleting inputs passed to playbooks

Workaround:
Enter input and delete on each playbook to ensure consistency.
2022-04-14 PSAAS-8615 Search for numbers only does not work

Workaround:
Use global search, or append a letter identifier before case names to include when searching.

2022-03-17 PSAAS-8132 Saving an event without change increases/decreases event SLA
2022-02-22 PSAAS-7681 VPE 2.0: Saving an existing playbook should default to the repo of the playbook
2022-02-22 PSAAS-7682 VPE2: Action block panel lists apps and actions with Z-A sort order
2022-02-08 PSAAS-7557 VPE2: Action Parameter order is not honored
2022-01-20 PSAAS-7300 Investigation page Workbook pane: "run playbook" dialog box incorrectly placed upon clicking 2nd and subsequent playbooks to launch

Workaround:
Even though the "run playbook" dialog box's placement is incorrect and the dialog box's 'cancel' button does not function, the "run playbook" button does function and does launch the designated playbook.
2022-01-12 PSAAS-7222 Privileged installations of Splunk SOAR on systems where IPv6 is disabled fail to start nginx

Workaround:
The current workaround is to remove the server block from the nginx.conf file or copy in the nginx.conf file that was deployed with nginx 1.21.1.
2022-01-10 PSAAS-7173 Analyst Queue: Event filtering only allows one user at a time

Workaround:
Craft the filter in the browser URL using SOAR user IDs.
2022-01-05 PSAAS-7132 Triggering playbook runs from the UI can hang the webserver if only one worker is available
2021-12-17 PSAAS-7028 VPE 2.0 - UI issue causing dot separation in playbooks which worsens over time
2021-12-17 PSAAS-7042 Search: Checking category box on result does not work
2021-12-13 PSAAS-6946 VPE 2.0 - format block as_list does not work with playbook inputs
2021-12-10 PSAAS-6918 Python Playbook API block "add note" is missing data path option for note_title parameter
2021-11-30 PSAAS-6737 Cannot upgrade 5.0.1 (using online RPM) to 5.1.0 (using offline RPM)

Workaround:
If you encounter this issue, do the following steps:

1. Remove the Nginx package: rpm -e --nodeps nginx

2. Run the offline upgrade script again: ./phantom_offline_setup_centos.sh upgrade

The error message "error: File not found by glob: dependencies/nginx-1.21.1*.rpm" is displayed when running the upgrade. The error is harmless.

You can suppress this error by editing line 409 in the file phantom_offline_setup_centos.sh, changing it from 'dependencies/nginx-1.21.1*.rpm' to 'dependencies/nginx-1.20.1*.rpm'.


2021-11-23 PSAAS-6709 Rest API /rest/search query categories not filtering properly when container is specified.
2021-11-18 PSAAS-6604 Apps Updates popup modal missing release notes link

Workaround:
If Release Notes are needed during app update, disable the Splunkbase toggle in Administration Settings.
2021-11-18 PSAAS-6603 IDP-initiated SAML authentication succeeds, but presents an error to the user

Workaround:
-
2021-11-15 PSAAS-6469 VPE 2.0: Accessing formatted data as a list no longer generates "for" loop
2021-11-12 PSAAS-6440 App Wizard UI does not fully display when using the light UI theme.

Workaround:
Use the dark UI theme instead of the light UI theme.
2021-11-05 PSAAS-6253 On an upgraded instance, updating the Maxmind app returns error.

Workaround:
Edit the apps' asset settings. Select a label in the Ingest Settings tab.
2021-10-15 PSAAS-5765 Splunkbase: Login And Install button in Login modal only does the login, not installation.

Workaround:
Use the Install button to install a single app or click the Install All button to install all the displayed apps.
2021-10-15 PSAAS-5768 phantom.get_run_data() sometimes returns invalid JSON

Workaround:
Compare the output of phantom.get_run_data to the empty string, and set the value to "null" if they match. Requires custom code.
2021-10-14 PSAAS-5764 Apps page: After splunkbase login, available updates are replaced by newer list of apps.

Workaround:
Click the Apps Update button again.
2021-10-12 PSAAS-5674, PSAAS-8570 VPE 2.0 - Only shows first 19 custom functions in the Utility block custom function list

Workaround:
Change the order of "sort-by". Changing it once, you'll see Z-A. If you want to see A-Z, change the sort order again.  

You can also use "search" to search for a specific custom function.

2021-10-12 PSAAS-5681 Global environment variables are not honored when debugging actions in the App Wizard's editor.
2021-10-12 PSAAS-5682 App Wizard's editor prevents a user from saving apps that have fewer than two actions.

Workaround:
You can create at least two no-op actions for an app and the editor's validation will pass.

The behavior was intended to enforce that apps must implement an action besides "test connectivity", but it failed to account for special circumstances and for the fact that not all apps support any actions at all.

2021-10-07 PSAAS-5597, PSAAS-5592, PSAAS-5606 App Wizard's editor: Misconfiguring a new action in the "Add Action" modal may cause subsequent usages of the modal to generate TypeErrors.

Workaround:
Exit and restart the App Wizard's editor to reset the modal window state.
2021-10-07 PSAAS-5598 The App Wizard's editor allows the user to create multiple actions with the same name, which generates conflicting function names.

Workaround:
All function names are converted to lowercase.

Avoid creating actions with the same lowercase name. If you do create actions with the same lowercase name, you must manually change the name of one of the misnamed actions and update the code of your app to match the new function names. 

2021-10-07 PSAAS-5600 Changing app versions in the App Wizard's editor changes the behavior of edit & clone workflows by leaving old versions of the draft app on the system instead of overwriting them.
2021-10-07 PSAAS-5602, PSAAS-5595 App Wizard's editor is missing support for configuring ingestion assets and testing ingestion actions.
2021-10-07 PSAAS-5572 In the App Wizard's editor, the "Draft Apps" listing does not accurately report the number of supported actions.
2021-10-06 PSAAS-5509 VPE 2: Block mode Python code should show the actual line number
2021-09-30 PSAAS-5408 /rest/widget_data/top_playbooks_actions endpoint returns invalid playbook_name field with tags

Workaround:
Parse the result manually to exclude the span tags around the playbook name.
2021-09-17 PSAAS-3594 Upgrades to 5.0.1 may show errors with "role_id not found" which are benign and can be ignored
2021-07-21 PSAAS-3827 VPE 2.0: Changing block name doesn't change its downstream datapath
Last modified on 21 November, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0

