The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises).
For documentation on the most recent version, go to the latest release.
Known issues for
Release 5.3.4
| Date filed | Issue number | Description |
|---|---|---|
| 2023-11-29 | PSAAS-15638 | Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively Workaround: If using the REST API directly, add a sort parameter to the URL:
https://example-soar.com/rest/resource?page=X&sort=id If using the
# Instead of phantom.get_tasks(), use
url = phantom.build_phantom_rest_url('workbook_task')
# Or, instead of phantom.get_notes(), use
url = phantom.build_phantom_rest_url('note')
params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
tasks = response.json()['data']
|
| 2023-09-20 | PSAAS-14855 | The migration tool for privileged to unprivileged SOAR does not retain known_hosts file. Workaround: If any git repos are failing to sync after an privileged to unprivileged migration, follow the steps in Set up a playbook repository using SSH from Configure a source control repository for your Splunk SOAR (On-premises) playbooks in Administer Splunk SOAR (On-premises). These steps will add the git server to the known_hosts file of the phantom user in SOAR. |
| 2023-07-19 | PSAAS-14125 | Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions. Workaround: Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed. |
| 2023-06-26 | PSAAS-13898 | Splunk SOAR's cron jobs generate output, which fills up mail boxes over time Workaround: Empty the Splunk SOAR user's mailbox. For example, if the Splunk SOAR user is phantom, you can empty the mailbox by runningrm /var/mail/phantom
For each of the cron jobs installed during soar installation, edit the soar user's crontab (with "crontab -e") and append the following to the end of each command line: {{> /dev/null 2>&1}} |
| 2023-04-15 | PSAAS-13091 | SOAR upgrade from 5.2.1 to 5.3.x will fail if a python3 app has been uninstalled |
| 2023-03-27 | PSAAS-12842 | When using an internal IdP for SAML2 auth, an error from incorrectly parsed XML prevents users from logging in |
| 2023-01-09 | PSAAS-11797 | App actions fail due to unescaped null characters (PSAAS-10127) |
| 2022-11-29 | PSAAS-11272 | Upgrade: nginx failed to start due to dhparams file being deleted during upgrade Workaround:
|
| 2022-11-28 | PSAAS-11235 | SOAR mobile feature is not FIPS compliant Workaround: If you require FIPS compliance, turn off the the SOAR Mobile feature in the SOAR Administration settings. From the Home menu, select Administration, then Mobile. |
| 2022-11-23 | PSAAS-11233 | Cannot register mobile devices on SOAR instances running RHEL8 |
| 2022-11-18 | PSAAS-11190 | VPE: Block Names with Container - A block name with "container" cannot share its results in other blocks in the Visual Editor Workaround: Do not use the word 'container' in playbook block names. |
| 2022-11-11 | PSAAS-11118, PSAAS-8901 | VPE 2: Adding a parameter to an action block deletes another parameter. Workaround:
|
| 2022-11-08 | PSAAS-11121 | AppUpdate should continue to work with custom apps that have invalid versions Workaround: Uninstall the custom apps that are causing the blockage.
Repeat these steps each time you want to upgrade certified apps. |
| 2022-10-31 | PSAAS-11004, PSAAS-11658 | VPE: Values entered into custom function/Utility input arguments are deleted or modified Workaround:
|
| 2022-10-31 | PSAAS-10997 | Playbook decision block convert boolean strings to boolean values Workaround: no workaround |
| 2022-10-31 | PSAAS-11001 | Wrong results in PB: "NOT IN" clause wrongly returns FALSE in SOAR when there is a null value in its condition |
| 2022-10-25 | PSAAS-10917 | App editor: pyarrow dependency not correctly installed in 5.3.x Workaround: No workaround found |
| 2022-10-04 | PSAAS-10582 | UI crash: opening container with a HUD CARD using a Custom Field and a list value leads to a blank page. Workaround: Use pin type = data instead of card |
| 2022-09-26 | PSAAS-10411 | ibackup stores the entire PostgreSQL database in every incremental backup. |
| 2022-09-26 | PSAAS-10454 | UI error when navigating to case evidence tab caused by linked container that was removed by retention. Workaround: None. |
| 2022-09-20 | PSAAS-10287 | Interval/Schedule ingestion settings cannot be changed Workaround: Changing an asset's ingest settings does not correctly update the UI. The setting is changed, but the UI does not show the correct state. If you change the ingest settings on an app's asset from Interval to Schedule or Off the UI continues to show the setting as Interval. You can examine the JSON output of a REST request to determine the actual status of the asset's setting.
|
| 2022-09-14 | PSAAS-10263 | "500 Server Error" when downloading vault file with name containing a line feed Workaround: rename it directly in the DB |
| 2022-09-13 | PSAAS-10213 | Running soar-prepare-system fails when SOAR has already been installed |
| 2022-09-08 | PSAAS-10158 | Upgrades may fail on PrepSystem step due to a cp failure with "Text File Busy" Workaround: This occurs when there's an active cron job for SOAR running when the upgrade starts. Wait for the processes using python3.9 to complete and then retry the upgrade |
| 2022-09-08 | PSAAS-10205 | Incorrect notification when connecting to Splunkbase |
| 2022-09-07 | PSAAS-10107 | Status of Case is missing from Report Workaround: None known |
| 2022-09-07 | PSAAS-10127 | Playbooks using Threat Grid or urlscan.io app hang on the detonation action Workaround: Upgrade the app you are using.
|
| 2022-08-19 | PSAAS-9935 | When running soar-prepare-system, the prompt for setting the Splunk SOAR user's password is overwritten by a progress spinner Workaround: The spinner does not prevent entering the password. Enter the password twice, as usual. Alternatively, run soar-prepare-system with the |
| 2022-08-18 | PSAAS-9898 | Add "Learn More" link to Playbook Bulk Edit Modal Results |
| 2022-08-11 | PSAAS-9793 | Custom field message has broken link to documentation Workaround: Follow these links to learn more about using custom fields in playbooks:
|
| 2022-08-10 | PSAAS-9781 | On privileged systems the phantom daemons may be started as the root user after a system reboot. Workaround: A crontab entry was incorrectly added by Splunk SOAR (On-premises) to the root user's account. Fix this issue by following these steps:
|
| 2022-08-01 | PSAAS-9665, PSAAS-11327 | VPE: SOAR UI hangs in VPE debug and UI will go blank and need refresh |
| 2022-04-29 | PSAAS-8776 | Investigation page: Widget layout and visibility is not saved via "manage widgets" Workaround: none known at this time |
| 2022-04-08 | PSAAS-8541 | Unreadable characters sporadically appear in UI Workaround: Refresh the browser to reload the page. |
Last modified on 30 October, 2024
| Welcome to 5.3.4 | Fixed issues for |
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.4
Download manual
Feedback submitted, thanks!