Splunk® SOAR (On-premises)

Release Notes

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Known issues for

Release 5.3.3

Date filed Issue number Description
2023-11-29 PSAAS-15638 Paginating REST APIs without sorting may give duplicate results across pages. This also affects the phantom.get_tasks() and phantom.get_notes() playbook APIs when containers have >10 tasks or >10 notes, respectively.

Workaround:
If using the REST API directly, add a sort parameter to the URL:
https://example-soar.com/rest/resource?page=X&sort=id

If using the phantom.get_tasks() or phantom.get_notes() playbook APIs, you can use phantom.requests instead to query the REST API directly:


# Set url with one of the two assignments below, depending on the API being replaced.
# Instead of phantom.get_tasks(), use
url = phantom.build_phantom_rest_url('workbook_task')

# Or, instead of phantom.get_notes(), use
url = phantom.build_phantom_rest_url('note')

# sort=id gives the pages a stable order, which avoids the duplicate results
params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
tasks = response.json()['data']


2023-09-20 PSAAS-14855 The migration tool for privileged to unprivileged SOAR does not retain known_hosts file.

Workaround:
If any git repos are failing to sync after a privileged to unprivileged migration, follow the steps in "Set up a playbook repository using SSH" from "Configure a source control repository for your Splunk SOAR (On-premises) playbooks" in Administer Splunk SOAR (On-premises).

These steps will add the git server to the known_hosts file of the phantom user in SOAR.

2023-07-19 PSAAS-14125 Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions.

Workaround:
Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2023-06-26 PSAAS-13898 Splunk SOAR's cron jobs generate output, which fills up mail boxes over time

Workaround:
Empty the Splunk SOAR user's mailbox. For example, if the Splunk SOAR user is phantom, you can empty the mailbox by running
rm /var/mail/phantom

For each of the cron jobs installed during SOAR installation, edit the SOAR user's crontab (with "crontab -e") and append the following to the end of each command line: > /dev/null 2>&1

2023-05-02 PSAAS-13312 regression: app editor: "Error in 'python3': free(): invalid pointer:" when running test connectivity; similar code does not throw error when run from command line via phenv

Workaround:
none known
2023-04-27 PSAAS-13280 app editor: "Error in 'python3': free(): invalid pointer:" when running test connectivity; similar code does not throw error when run from command line via phenv

Workaround:
Edit the code without the app editor.
2023-04-15 PSAAS-13091 SOAR upgrade from 5.2.1 to 5.3.x will fail if a python3 app has been uninstalled
2023-02-02 PSAAS-12158 User filtering is using first/last name to filter events instead of just username

Workaround:
None
2023-01-19 PSAAS-11960 VPE: "Refresh Event Data" in Utility block removes some of the original container information

Workaround:
The container json field "url" is essentially the SOAR base url + "/mission/" + container["id"].

If container["url"] field is needed and refresh event data is selected, the customer can do something like the following to add "url" to container json:

container = phantom.get_container(container.get('id', None))  # this line is auto generated when refresh data is selected
container["url"] = phantom.get_base_url() + "/mission/" + str(container.get('id'))  # add this line, this will add url field to container

This will result in the same behavior.

2023-01-09 PSAAS-11797 App actions fail due to unescaped null characters (PSAAS-10127)
2022-12-13 PSAAS-11458 Cleaning up containers via Data Retention causing excessive disk space usage

Workaround:
Customer has turned off data retention
2022-12-13 PSAAS-11472 test_connectivity action fails with an asset using hashicorp vault credential manager on app editor
2022-11-29 PSAAS-11272 Upgrade: nginx failed to start due to dhparams file being deleted during upgrade

Workaround:
  1. Run phenv python ./bin/initialize.py --set-dhparams
  2. Continue the installation with ./soar-install --continue-from=StartPhantom

2022-11-11 PSAAS-11118, PSAAS-8901 VPE 2: Adding a parameter to an action block deletes another parameter.

Workaround:
  1. Within the Visual Playbook Editor (VPE), populate a field in the action block configuration panel.
  2. When complete, close the configuration panel.
  3. Re-open the configuration panel to populate another field.
  4. Repeat until you have completed all necessary fields.

2022-11-08 PSAAS-11121 AppUpdate should continue to work with custom apps that have invalid versions

Workaround:
Uninstall the custom apps that are causing the blockage.
  1. To identify those custom apps, run the following script
    
    phenv phantom_shell
    apps = App.objects.filter(disabled=False)
    for app in apps:
      if not app.known_versions:
        print(app)
    
    print('done looking up custom apps')
    
    
  2. Use the AppUpdate wizard to update known apps. See Splunk SOAR Connector for a list of apps that you can upgrade with the wizard.
  3. Reinstall those custom apps

Repeat these steps each time you want to upgrade certified apps.

2022-10-27 PSAAS-10965 AB Auto Update does not work on upgraded stacks to 5.4.0

Workaround:
Run the following commands:
<PHANTOM_HOME>/bin/phenv python <PHANTOM_HOME>/www/manage.py change_ab_version --no-ab-version
<PHANTOM_HOME>/bin/phsvc reload uwsgi

2022-10-25 PSAAS-10917 App editor: pyarrow dependency not correctly installed in 5.3.x

Workaround:
No workaround found
2022-10-17 PSAAS-10745 Cleaning up containers via Data Retention or the delete_containers.pyc script doesn't work

Workaround:
No current workaround.
2022-10-03 PSAAS-10516 Custom Function Python 3 converter: Not taking the latest revision to convert
2022-09-26 PSAAS-10454 UI error when navigating to case evidence tab caused by linked container that was removed by retention.

Workaround:
None.
2022-09-26 PSAAS-10411 ibackup stores the entire PostgreSQL database in every incremental backup.
2022-09-22 PSAAS-10340 Screenshot Machine app does not show screenshot in app widget after running action
2022-09-20 PSAAS-10287 Interval/Schedule ingestion settings cannot be changed

Workaround:
Changing an asset's ingest settings does not correctly update the UI. The setting is changed, but the UI does not show the correct state. If you change the ingest settings on an app's asset from Interval to Schedule or Off the UI continues to show the setting as Interval.

You can examine the JSON output of a REST request to determine the actual status of the asset's setting.

  1. Log in to your Splunk SOAR deployment.
  2. In a new browser tab, use this REST request.
    https://<Splunk SOAR deployment>/rest/asset?pretty=true&_special_app_info=true&page_size=0&_filter_id=<asset id>
    
    Replace <Splunk SOAR deployment> and <asset id> with the URL for your SOAR deployment and the asset id of the asset whose status you want to verify.
  3. Look for the "configuration" object and check the value of "polling".
    {...
    "configuration": {"ingest": {"interval_mins": "30", "container_label": "events", "polling": false}
    }
    
    When the value is false, polling is disabled. When the value is true, polling is enabled.

2022-09-14 PSAAS-10263 "500 Server Error" when downloading vault file with name containing a line feed

Workaround:
Rename the file directly in the DB.
2022-09-13 PSAAS-10213 Running soar-prepare-system fails when SOAR has already been installed
2022-09-09 PSAAS-10183 Scheduled pg_views and db_maintenance can run concurrently potentially causing high database load
2022-09-08 PSAAS-10158 Upgrades may fail on PrepSystem step due to a cp failure with "Text File Busy"

Workaround:
This occurs when an active cron job for SOAR is running when the upgrade starts. Wait for the processes using python3.9 to complete and then retry the upgrade.
2022-09-07 PSAAS-10107 Status of Case is missing from Report

Workaround:
None known
2022-09-07 PSAAS-10127 Playbooks using Threat Grid or urlscan.io app hang on the detonation action

Workaround:
Upgrade the app you are using.
  1. From the Apps page, click App Updates.
  2. Upgrade the app to the appropriate version:
    • Threat Grid: upgrade to version 2.3.1 or higher
    • urlscan.io: upgrade to version 2.3.0 or higher

2022-08-24 PSAAS-9968 Enabling Duo 2FA makes it impossible for non-automation users to authenticate to the REST API, effectively breaking UI functionality

Workaround:
If you have any users with Edit System Settings permissions for which Duo 2FA is disabled, they can log in and disable Two-Factor authentication via the Administration settings.


If all users have 2FA enabled, you may need to first disable Duo 2FA for the admin user. SSH into the system and run phenv set_preference --disable-admin-2fa. Then, the admin user should be able to disable Duo 2FA for all users by logging in and disabling the setting in the UI.

2022-08-17 PSAAS-9891 Indicators are visible with labels that roles do not allow
2022-08-11 PSAAS-9793 Custom field message has broken link to documentation

Workaround:
Follow these links to learn more about using custom fields in playbooks:
2022-08-11 PSAAS-9798 Extremely large floating point numbers could not be returned from actions (affecting MS Graph for SharePoint)
2022-08-10 PSAAS-9781 On privileged systems the phantom daemons may be started as the root user after a system reboot.

Workaround:
A crontab entry was incorrectly added by Splunk SOAR (On-premises) to the root user's account. Fix this issue by following these steps:
  1. Use SSH to log into the affected Splunk SOAR (On-premises) instance and become the root user:
    sudo su -
  2. As the root user, edit the crontab with crontab -e
  3. In the editor, delete the line that looks like this:
    @reboot /opt/phantom/bin/start_phantom.sh
  4. Restart the Splunk SOAR (On-premises) instance. When the system restarts, the processes run as the correct user:
    /opt/phantom/bin/stop_phantom.sh
    /opt/phantom/bin/start_phantom.sh
  5. Finally, make sure that future reboots will start Splunk SOAR (On-premises) properly with /opt/phantom/bin/phsvc enable phantom_watchdogd
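
A check for the condition described in this workaround, as an added example that is not Splunk's code: it scans root's crontab text for the @reboot line and lists root-owned processes started from the install directory. It assumes the inputs are the output of crontab -l (run as root) and ps -eo user,pid,args; the sample inputs and daemon names are constructed.

```python
# Path comes from the workaround above; sample inputs below are constructed.
START_SCRIPT = "/opt/phantom/bin/start_phantom.sh"
INSTALL_DIR = "/opt/phantom/"

def find_reboot_entries(crontab_text, script=START_SCRIPT):
    """Return (line_number, line) for active @reboot entries that launch script."""
    hits = []
    for number, raw in enumerate(crontab_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out entries are inactive
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0] == "@reboot" and script in fields[1]:
            hits.append((number, line))
    return hits

def processes_as_root(ps_text, install_dir=INSTALL_DIR):
    """Return (pid, command) for root-owned processes started from install_dir.

    ps_text is the output of `ps -eo user,pid,args`, header line included.
    """
    flagged = []
    for raw in ps_text.splitlines()[1:]:
        parts = raw.strip().split(None, 2)
        if len(parts) == 3 and parts[0] == "root" and install_dir in parts[2]:
            flagged.append((int(parts[1]), parts[2]))
    return flagged

# Constructed sample of `crontab -l` output for root.
SAMPLE_ROOT_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /opt/phantom/bin/start_phantom.sh
#@reboot /opt/phantom/bin/start_phantom.sh
"""

# Constructed sample of `ps -eo user,pid,args`; the daemon names are made up.
SAMPLE_PS = """\
USER       PID COMMAND
root         1 /usr/lib/systemd/systemd
root      2101 /opt/phantom/bin/example_daemond --constructed
phantom   2150 /opt/phantom/bin/example_webd --constructed
"""

if __name__ == "__main__":
    for number, line in find_reboot_entries(SAMPLE_ROOT_CRONTAB):
        print(f"root crontab line {number}: {line}")
    for pid, command in processes_as_root(SAMPLE_PS):
        print(f"running as root: pid {pid}: {command}")
```

An empty result from both functions after step 4 indicates the crontab entry is gone and the daemons are no longer running as root.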

2022-08-09 PSAAS-9731 Splunk app 'run query' action runs infinitely
2022-08-04 PSAAS-9718 Visual Playbook Editor: Phantom.completed callback missing and causing the join block not waiting for upstream blocks to complete
2022-08-02 PSAAS-9681 Some apps action failed to run on ver 5.3.3 due to Json payload data=None
2022-08-02 PSAAS-9687 Logging around the Splunk Forwarder is insufficient (add-es-index-stdout.log)

Workaround:
n/a
2022-08-01 PSAAS-9679 Massive spikes in spooler errors in set_indicators
2022-08-01 PSAAS-9665, PSAAS-11327 VPE: SOAR UI hangs in VPE debug and UI will go blank and need refresh
2022-07-22 PSAAS-9574 soar-prepare-system appears to get stuck after InstallPhantomDependencies

Workaround:
The problem is that the progress spinner is overwriting a prompt asking if you'd like to run an optional step. To resolve this:
  1. Quit the pending run of soar-prepare-system using ctrl+c.
  2. Run soar-prepare-system again, this time with either the --no-spinners flag to disable the spinners, or the --no-prompt flag to skip the prompts.
2022-07-19 PSAAS-9531 Upgrades fail with error "Failed to trust git directory" when there exist playbook repos with spaces in their names

Workaround:
Follow these steps to mitigate this issue during your upgrade:
  1. Edit the file for the version you're upgrading. See the list.
    • For version 5.3.2, edit the file install/install_steps/git_repos.py
    • For version 5.3.3, edit the file install/operations/tasks/git_repos.py.

    Change lines 37 and 46. Wrap {git_repo} in escaped quotes.

    
    37     cmd=f"config --global --unset safe.directory \"{git_repo}\"",
    
    46     cmd=f"config --global --add safe.directory \"{git_repo}\"",
    
    

    Other versions may have similar code that needs to be wrapped in escaped quotes.

  2. Verify .soar-continue contains {"continue_from": "GitRepos", "cluster_phase": "NONE"}
  3. Re-run the soar-install command.
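
Why the quotes matter, as an added example that is not code from the SOAR installer: it tokenises the command string the way a POSIX shell would and checks whether the repository path arrives as a single safe.directory value. The unquoted form is inferred from the workaround, shell-style tokenisation of the command string is an assumption, the paths are constructed, and the shlex.quote variant goes beyond the workaround to cover paths that themselves contain double quotes.

```python
import shlex

PREFIX = ["config", "--global", "--add", "safe.directory"]

def cmd_unquoted(git_repo):
    # Inferred shape of the line before the workaround: path interpolated bare.
    return f"config --global --add safe.directory {git_repo}"

def cmd_page_workaround(git_repo):
    # Shape of line 46 after the workaround: path wrapped in escaped quotes.
    return f"config --global --add safe.directory \"{git_repo}\""

def cmd_shlex_quote(git_repo):
    # Alternative shown for comparison only; not taken from the installer.
    return "config --global --add safe.directory " + shlex.quote(git_repo)

def safe_directory_value(cmd):
    """Return the value git would receive for safe.directory, or None when
    the command does not split into exactly one path argument."""
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes
        return None
    if argv[:4] != PREFIX or len(argv) != 5:
        return None
    return argv[4]

def round_trips(builder, git_repo):
    """True when the path reaches git unchanged as a single argument."""
    return safe_directory_value(builder(git_repo)) == git_repo

# Constructed repository paths, not taken from a real deployment.
PLAIN = "/srv/repos/playbooks"
SPACED = "/srv/repos/team playbooks"
QUOTED = '/srv/repos/team "a" playbooks'

if __name__ == "__main__":
    for builder in (cmd_unquoted, cmd_page_workaround, cmd_shlex_quote):
        for path in (PLAIN, SPACED, QUOTED):
            print(f"{builder.__name__:20} {path!r:34} ok={round_trips(builder, path)}")
```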

2022-06-24 PSAAS-9316 Visual Playbook Editor: A 'false' value in artifact CEF is not evaluated correctly in decision and filter blocks

Workaround:
Use the in operator to evaluate whether a condition is 'true' or 'false', as shown in this example: ["artifact:*.cef.cn1", "in", "'false'"]
2022-06-24 PSAAS-9319 Webserver log level setting in admin UI is not respected
2022-05-17 PSAAS-8933 JIT does not work when Automation Broker is configured which should be disabled
2022-04-29 PSAAS-8778 Python 3 playbook converter fails for some misformatted legacy custom functions

Workaround:
none
2022-04-08 PSAAS-8541 Unreadable characters sporadically appear in UI

Workaround:
Refresh the browser to reload the page.
Last modified on 30 October, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.3

