Known issues for

Release 5.3.5

Date filed	Issue number	Description
2023-11-29	PSAAS-15638	Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively Workaround: If using the REST API directly, add a `sort` parameter to the URL: https://example-soar.com/rest/resource?page=X&sort=id If using the `phantom.get_tasks()` or `phantom.get_notes()` playbook APIs, you can use `phantom.requests` instead to query the REST API directly: # Instead of phantom.get_tasks(), use url = phantom.build_phantom_rest_url('workbook_task') # Or, instead of phantom.get_notes(), use url = phantom.build_phantom_rest_url('note') params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'} response = phantom.requests.get(url, params=params) tasks = response.json()['data']
2023-09-20	PSAAS-14855	The migration tool for privileged to unprivileged SOAR does not retain known_hosts file. Workaround: If any git repos are failing to sync after an privileged to unprivileged migration, follow the steps in Set up a playbook repository using SSH from Configure a source control repository for your Splunk SOAR (On-premises) playbooks in Administer Splunk SOAR (On-premises). These steps will add the git server to the known_hosts file of the phantom user in SOAR.
2023-08-24	PSAAS-14550	User unable to bulk edit/close the events due to missing unrelated required tag Workaround: I suggest customer temporarily create a new tag and assign to the label "audit". Then they should be able to bulk close all events with label "audit" by choosing the new tag as required tag.
2023-07-24	PSAAS-14158	In a SOAR cluster, playbook blocks using the playbook API that are downstream from a block using the HTTP connector may fail with status 401. Workaround: Due to a change in how SOAR user sessions are handled, if the HTTP connector authenticates using different credentials than the playbooks' automation user, the playbook runs' session token is logged out, resulting in further API requests getting a status of 401. This affects active playbooks triggered by ingestion. There are four possible workarounds. Update the HTTP connector's asset's authentication fields to use the same automation user that is running the active playbook. Update the HTTP connector's asset's "Base Url" to point one of the nodes in the cluster instead of the load balancer. Put the actions run with the HTTP connector in a child playbook. Use the `phantom.requests` playbook API without specifying any authentication mechanism instead of using the HTTP connector.
2023-07-19	PSAAS-14125	Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions. Workaround: Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2023-06-26	PSAAS-13898	Splunk SOAR's cron jobs generate output, which fills up mail boxes over time Workaround: Empty the Splunk SOAR user's mailbox. For example, if the Splunk SOAR user is `phantom`, you can empty the mailbox by running `rm /var/mail/phantom` For each of the cron jobs installed during soar installation, edit the soar user's crontab (with "crontab -e") and append the following to the end of each command line: {{> /dev/null 2>&1}}
2023-04-15	PSAAS-13091	SOAR upgrade from 5.2.1 to 5.3.x will fail if a python3 app has been uninstalled
2023-04-14	PSAAS-13082	upgrade SOAR unprivileged from version 5.3.1 to version 5.3.5. Encountered an issue 'Connection reset by peer' during ExternalServicesReachableCheck. at line 53 of external_services_reachable.py Workaround: Change line 53 from: `except urllib.error.URLError:` to `except:` it will ignore any and all errors from the previous line, allowing you to move forward using the `--ignore-warnings` command line option.
2023-03-09	PSAAS-12621	Missing cluster_phase handling in 5.3.5 and 5.4.0 installers Workaround: On all nodes: Edit the following file: `install/operations/deployment_operation.py` Add a new line after line 50, in the same code block with matching indentation to surrounding lines: `self.options.state.cluster_phase = self.options.cluster_phase` After you do this, the installer will no longer encounter the first error. To start the installer cleanly from scratch, we need to tell the installer to start from a clean state: Manually edit the `.soar` file. Set `cluster_phase` to `ClusterPhase.NONE` Run the installer again with the following flag: `--continue-from PrepSystem` If the `.soar` file has an invalid ClusterPhase parameter set, services will not start up correctly; the edit to cluster_phase must be run even on standalone on-premises deployments.
2023-03-06	PSAAS-12531	searchindex_retry_entries.db grows unbounded, consuming all available disk space on the soar vault partition Workaround: this behavior generally occurs because of some issue when soar attempts to connect to the search endpoint. ultimately the solution is to resolve any issue connecting to the search endpoint. in the meantime, to reclaim disk space on the vault filesystem: stop_phantom.sh mv /opt/phantom/vault/searchindex_retry_entries.db /opt/phantom/vault/searchindex_retry_entries.db.SAVE start_phantom.sh when searchindex_retry_entries.db has been recreated the searchindex_retry_entries.db.SAVE can be removed. this means that any events in searchindex_retry_entries.db at the time it is renamed to searchindex_retry_entries.db.OLD will not be retried and thus will not be sent to the search endpoint.
2023-03-02	PSAAS-12433	Priv to unpriv migration script can fail if the phantom log folder is/contains symlinks or resides on a different volume than the one /opt/phantom is on
2023-03-02	PSAAS-12434, PSAAS-12851, PSAAS-12548, PSAAS-12549	Priv to unpriv migration can fail if root is not allowed to sudo or if sudo is not present on the system
2023-02-03	PSAAS-12174	recreate_local_db.pyc fails with "FileNotFoundError: No such file or directory: '/opt/phantom/dependencies/systemconfigs/opt/phantom/data/db/pg_hba.conf'"
2023-02-01	PSAAS-12146	Cannot find process engine_runner_py3 in the list of running processes
2023-01-25	PSAAS-12051	Migration from Priv to Unpriv in v5.3.5 to v5.4.0 upgrade fails if firewalld is not present/running. Workaround: Enable/install firewalld so that firewall-cmd commands work.
2023-01-09	PSAAS-11797	App actions fail due to unescaped null characters (PSAAS-10127)
2022-11-29	PSAAS-11272	Upgrade: nginx failed to start due to dhparams file being deleted during upgrade Workaround: Run `phenv python ./bin/initialize.py --set-dhparams` Continue the installation with `./soar-install --continue-from=StartPhantom`
2022-11-28	PSAAS-11235	SOAR mobile feature is not FIPS compliant Workaround: If you require FIPS compliance, turn off the the SOAR Mobile feature in the SOAR Administration settings. From the Home menu, select Administration, then Mobile.
2022-11-23	PSAAS-11233	Cannot register mobile devices on SOAR instances running RHEL8
2022-11-18	PSAAS-11190	VPE: Block Names with Container - A block name with "container" cannot share its results in other blocks in the Visual Editor Workaround: Do not use the word 'container' in playbook block names.
2022-11-14	PSAAS-11138	cluster_phase is not correctly set when continuing an interrupted deployment
2022-11-11	PSAAS-11118, PSAAS-8901	VPE 2: Adding a parameter to an action block deletes another parameter. Workaround: Within the Visual Playbook Editor (VPE), populate a field in the action block configuration panel. When complete, close the configuration panel. Re-open the configuration panel to populate another field. Repeat until you have completed all necessary fields.
2022-11-08	PSAAS-11121	AppUpdate should continue to work with custom apps that have invalid versions Workaround: Uninstall the custom apps that are causing the blockage. To identify those custom apps, run the following script phenv phantom_shell apps = App.objects.filter(disabled=False) for app in apps: if not app.known_versions: print(app) print('done looking up custom apps') Use the AppUpdate wizard to update known app. See Splunk SOAR Connector for a list of apps that you can upgrade with the wizard. Reinstall those custom apps Repeat these steps each time you want to upgrade certified apps.
2022-10-31	PSAAS-11004, PSAAS-11658	VPE: Values entered into custom function/Utility input arguments are deleted or modified Workaround: Within the Visual Playbook Editor (VPE), populate a field in the utility block configuration panel. When complete, close the configuration panel. Re-open the configuration panel to populate another field. Repeat until you have completed all necessary fields.
2022-10-31	PSAAS-11001	Wrong results in PB: "NOT IN" clause wrongly returns FALSE in SOAR when there is a null value in its condition
2022-10-25	PSAAS-10917	App editor: pyarrow dependency not correctly installed in 5.3.x Workaround: No workaround found
2022-10-03	PSAAS-10503	Decided cancels running playbooks on ALL nodes after restarting
2022-09-26	PSAAS-10454	UI error when navigating to case evidence tab caused by linked container that was removed by retention. Workaround: None.
2022-09-26	PSAAS-10411	ibackup stores the entire PostgreSQL database in every incremental backup.
2022-09-20	PSAAS-10287	Interval/Schedule ingestion settings cannot be changed Workaround: Changing an asset's ingest settings does not correctly update the UI. The setting is changed, but the UI does not show the correct state. If you change the ingest settings on an app's asset from Interval to Schedule or Off the UI continues to show the setting as Interval. You can examine the JSON output of a REST request to determine the actual status of the asset's setting. Log in to your Splunk SOAR deployment. In a new browser tab, use this REST request. https://<Splunk SOAR deployment>/rest/asset?pretty=true&_special_app_info=true&page_size=0&_filter_id=<asset id> Replace `<Splunk SOAR deployment>` and `<asset id>` with the URL for your SOAR deployment and the asset id of the asset whose status you want to verify. Look for the `"configuration"` object and check the value of `"polling"`. {... "configuration": {"ingest": {"interval_mins": "30", "container_label": "events", "polling": false} } When the value is false, polling is disabled. When the value is true, polling is enabled.
2022-09-13	PSAAS-10213	Running soar-prepare-system fails when SOAR has already been installed
2022-09-07	PSAAS-10107	Status of Case is missing from Report Workaround: None known
2022-09-07	PSAAS-10127	Playbooks using Threat Grid or urlscan.io app hang on the detonation action Workaround: Upgrade the app you are using. From the Apps page, click App Updates. Upgrade the app to the appropriate version: Threat Grid: upgrade to version 2.3.1 or higher urlscan.io: upgrade to version 2.3.0 or higher
2022-08-17	PSAAS-9891	Indicators are visible with labels that roles do not allow
2022-08-01	PSAAS-9665, PSAAS-11327	VPE: SOAR UI hangs in VPE debug and UI will go blank and need refresh
2022-04-29	PSAAS-8776	Investigation page: Widget layout and visibility is not saved via "manage widgets" Workaround: none known at this time
2022-04-08	PSAAS-8541	Unreadable characters sporadically appear in UI Workaround: Refresh the browser to reload the page.
2021-09-30	PSAAS-5408	/rest/widget_data/top_playbooks_actions endpoint returns invalid playbook_name field with tags Workaround: Parse the result manually to exclude the `span` tags around the playbook name.

Related answers from Splunk Community

Known issues for

Release 5.3.5

Comments

Known issues for Splunk SOAR (On-premises)

Was this topic useful?