Known issues for

Release 5.5.0

Date filed	Issue number	Description
2024-02-22	PSAAS-16477	Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes Workaround: Manually change the `image:` line in docker-compose.yaml to point to `docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.`
2024-02-15	PSAAS-16431, PSAAS-16962, PSAAS-16963	Automation Broker: Actions intermittently hang for Automation Broker when there are connection issues Workaround: Check if the action completed successfully. Cancel the hanging action. If the action did not complete successfully, re-run the action. This problem is usually intermittent. Once connection issues have been resolved, retrying the action should succeed.
2023-09-20	PSAAS-14855	The migration tool for privileged to unprivileged SOAR does not retain known_hosts file. Workaround: If any git repos are failing to sync after an privileged to unprivileged migration, follow the steps in Set up a playbook repository using SSH from Configure a source control repository for your Splunk SOAR (On-premises) playbooks in Administer Splunk SOAR (On-premises). These steps will add the git server to the known_hosts file of the phantom user in SOAR.
2023-09-14	PSAAS-14784	SOAR gives a "502 bad gateway" error for all SAML logins if a metadata endpoint fails to respond.
2023-07-24	PSAAS-14158	In a SOAR cluster, playbook blocks using the playbook API that are downstream from a block using the HTTP connector may fail with status 401. Workaround: Due to a change in how SOAR user sessions are handled, if the HTTP connector authenticates using different credentials than the playbooks' automation user, the playbook runs' session token is logged out, resulting in further API requests getting a status of 401. This affects active playbooks triggered by ingestion. There are four possible workarounds. Update the HTTP connector's asset's authentication fields to use the same automation user that is running the active playbook. Update the HTTP connector's asset's "Base Url" to point one of the nodes in the cluster instead of the load balancer. Put the actions run with the HTTP connector in a child playbook. Use the `phantom.requests` playbook API without specifying any authentication mechanism instead of using the HTTP connector.
2023-07-19	PSAAS-14125	Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions. Workaround: Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed.
2023-06-26	PSAAS-13898	Splunk SOAR's cron jobs generate output, which fills up mail boxes over time Workaround: Empty the Splunk SOAR user's mailbox. For example, if the Splunk SOAR user is `phantom`, you can empty the mailbox by running `rm /var/mail/phantom` For each of the cron jobs installed during soar installation, edit the soar user's crontab (with "crontab -e") and append the following to the end of each command line: {{> /dev/null 2>&1}}
2023-06-26	PSAAS-13892, PSAAS-13893	Improve Error Logging for Action OnPoll Workaround: Used app editor and polling from there to be able to find the true error.
2023-06-12	PSAAS-13720	Playbooks become unresponsive when using an input playbook with "" in the name Workaround: Give the Playbook Action Block in the Automation Playbook a Custom Name that does not contain "[]" chars before having a filter reference the output of the Playbook Action Block.
2023-05-02	PSAAS-13313	ui regression: "TypeError: this.state.appCategories.map is not a function" and blank screen when opening app in app editor Workaround: none at this time
2023-04-28	PSAAS-13290	Toggling delay timer in one block causes all other action blocks to toggle delay timer. Workaround: Avoid toggling delay timer for blocks that do not want delays. Instead, reduce the delay to 0 minutes.
2023-04-26	PSAAS-13255	Deleting a container with 1000+ artifacts causes UWSGI to run out of memory. Workaround: For Waterspout we have swapped the deletion mechanism of containers in the UI from a django deletion to a raw deletion. This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added. In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the Template:Delete db containers management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission.
2023-04-17	PSAAS-13096	: SMTP app failure in connecting to MSGraph/Azure AD Workaround: None known at this time.
2023-04-06	PSAAS-12976	VPE: Manually selecting an asset deletes block configuration Workaround: Create a new block and copy the datapaths from the python editor view.
2023-04-05	PSAAS-13017	install/prepare_db fails with ImportError: /lib64/libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b Workaround: engineering to confirm: rm -fr {soar_home}/usr/lib64
2023-04-05	PSAAS-12971	install/prepare_db fails with ImportError: /lib64/libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b Workaround: rm -fr {soar_home}/usr/lib64
2023-03-27	PSAAS-12839	GitRepos Installer step can fail on upgrades if the community repo has been disabled and duplicate playbooks exist in the db.
2023-03-22	PSAAS-12767	App install with Chrome browser: Browser crashes when installing a TAR or TGZ file Workaround: This issue occurs when adding a new app using Chrome version 111.0.5563. To avoid this issue, use a different browser.
2023-03-20	PSAAS-12713	warm standby: archive_mode still on after --primary-mode off, resulting in unexpected wal segment accumulation and disk space usage Workaround: after 'phenv python setup_warm_standby.pyc --primary-mode --off' has completed processing, restart postgresql with {phantom_home}/bin/phsvc restart postgresql-11 (run as root on privileged installs, and as the soar user on non-root installs)
2023-03-13	PSAAS-12637	Documentation: Cannot render specific div's from README.md properly on documentation page
2023-03-09	PSAAS-12605	setup_warm_standby.pyc does not take nri into consideration when processing --convert-to-primary: "yum command failed"/"You need to be root" Workaround: [A] for each package not installed during "--standby-mode --convert-to-primary" which was identified with a "yum command failed when installing {package}" message, run, as the "root" user: yum install -y {package} or: [B] use "--standby-mode --convert-to-primary --ignore-package-updates" (but doing so may cause some playbooks to fail if they depend on the packages in question)
2023-03-09	PSAAS-12608	setup_warm_standby.pyc still tries to use python 2.7 when processing --convert-to-primary: "{phantom_home}/bin/phenv pip2.7 install -r {phantom_home}/var/log/phantom/pip_packages_primary.txt Workaround: none. failed attempts to install python2.7 packages are not fatal and can safely be ignored.
2023-03-07	PSAAS-12591	VPE: Artifact labels in datapaths are not universally supported Workaround: Use a format block to convert datapath results to strings then use the format block's output as the input to downstream action blocks.
2023-03-02	PSAAS-12427, PSAAS-12635	Python2 deprecation notice task in the installer fails if there are pipe characters in the repo/playbook/cf names. Workaround: Disable/delete any python 2 playbooks before upgrading to >= 5.3.4 or rename the playbooks/repos so that they no longer contain the pipe character.
2023-03-01	PSAAS-12397	App editor fails to load assets in edit mode for draft apps Workaround: Workaround 1: Publish the app so it is not longer a DRAFT, do the tests with the existing assets and then edit again to carry on with development. That generates a new version of the app for every test/publish action made Workaround 2: create a new asset while testing in DRAFT mode. That works as well but then when the app is published, that asset becomes an orphaned asset that can no longer be used unless reassigned. There is a new orphan asset for every time the app is published
2023-02-18	PSAAS-12347	VPE: Playbooks cannot be canceled by the customer
2023-02-16	PSAAS-12333	Playbooks that open with smart block context warnings will disable the debugger and display 'Discard Changes' button Workaround: Save the playbook. The debugger is re-enabled and the Discard Changes button no longer displays.
2023-02-15	PSAAS-12311, PSAAS-12328	Prompt block icon disappear after creating more than one empty questions
2023-02-13	PSAAS-12284	Playbook input variables are marked as invalid within an input playbook Workaround: There is no workaround for this at the moment, but playbooks with block warnings can still be saved/run as usual. The warnings do not impact basic playbook functionality in any way.
2023-02-06	PSAAS-12198	App action links within app documentation do not work Workaround: Scroll down the page to view the documents or find by using CTRL-F search function.
2023-02-02	PSAAS-12158	User filtering is using first/last name to filter events instead of just username Workaround: None
2023-01-26	PSAAS-12057	Automation Broker (AB) configuration is ignored in the app editor Workaround: If the asset you're using while debugging in the App Editor is configured to use an Automation Broker this setting is ignored. Launching the app/debugging will not route to the automation broker, instead it always runs locally in the cloud instance. To work around this issue: Publish the app. Run the published version of the app. Clone the published app so we can use the editor again. Manually change the cloned settings added to the json config. Delete the published app and its related asset. (Optional) create a new asset instead of deleting the previous one. Make the required code modifications. Repeat the process to debug again.
2023-01-23	PSAAS-11997	Questions regarding python pandas/tabulate library in SOAR 5.5 - Pandas requires version '0.8.3' or newer of 'tabulate' (version '0.8.1' currently installed) Workaround: None
2023-01-23	PSAAS-11995	phenv command does not produce expected results when telemetry is turned off
2023-01-20	PSAAS-11979	VPE: clicking on a block does not bring up the sidebar for editing conditions
2023-01-12	PSAAS-11874	Reindexing 'asset' index does not work on Elastic Search
2023-01-11	PSAAS-11841	Upgrading a SOAR instance to 5.5 does not change the community repo branch to 5.5 Workaround: Deleting the community repository and readding it with the correct branch.
2023-01-10	PSAAS-11799	Forwarding data to Elastic Search does not work
2023-01-10	PSAAS-11802	Artifact save invokes indicator extraction when indicator feature is disabled.
2023-01-09	PSAAS-11797	App actions fail due to unescaped null characters (PSAAS-10127)
2023-01-04	PSAAS-11694	VPE/prompt: "Could not find 'undefined' in users or roles" during playbook runs after upgrading from 5.4.0 and editing/saving the playbook Workaround: Edit the prompt block and re-select the user or role. The following error message displays, but you can save and run the playbook. approver must be a `object` type, but the final value was: `null` (cast from the value `"Administrator"`). If "null" is intended as an empty value be sure to mark the schema as `.nullable()`
2022-12-23	PSAAS-11658, PSAAS-11004	VPE: Utility blocks with more than one API call do not save parameter values Workaround: Use one utility block per API call.
2022-12-22	PSAAS-11638	VPE: delay in populating block outputs/datapath picker when playbook fully loaded Workaround: To fully populate the datapath picker list when configuring a block in the Visual Playbook Editor: Click outside the block configuration. Then click back into the block configuration.
2022-12-22	PSAAS-11650, PSAAS-12122	VPE : Existing input playbook blocks are not configurable to change the input source Workaround: Option 1: If the playbook exists, within the existing playbook, click the back arrow. Within the main playbook block's configuration panel, reconfigure the same sub playbook. This resets all existing configured inputs. It will also verify that you selected the correct playbook from the correct repo. After selection, the expected inputs appear. Option 2: To avoid resetting the playbook inputs: Select the playbook block and open the python editor. All known previous inputs should be configured via python. Make any necessary custom code edits directly to the python. Note that this will disable the configuration panel for that block.
2022-12-22	PSAAS-11648	Analyst Queue: When applying filters for owner for cases and events, the metrics at the top of the case screen do not change (containers are filtered) Workaround: none at this time
2022-12-15	PSAAS-11514	VPE smart block context not taking into account custom datapaths Workaround: Use custom code to manually add in the correct custom datapath into the python generation, if known.
2022-12-14	PSAAS-11509	Third-party license information is included in documentation, but not in the product UI Workaround: Third-party credits are located at Third-party credits in Splunk SOAR (On-premises).
2022-12-07	PSAAS-11389	Git app: Action git commit fails Workaround: The issue affects the `git push` command. Use HTTPS or git protocol instead of HTTP.
2022-12-05	PSAAS-11327, PSAAS-9665	VPE: Debugger hangs when running playbook; It goes blank and needs refresh
2022-12-05	PSAAS-11328	VPE Empty Variables with inconsistent use of quotes
2022-11-29	PSAAS-11272	Upgrade: nginx failed to start due to dhparams file being deleted during upgrade Workaround: Run `phenv python ./bin/initialize.py --set-dhparams` Continue the installation with `./soar-install --continue-from=StartPhantom`
2022-11-29	PSAAS-11245	Automation Broker: When getting new credentials for broker, UI gives incorrect docker command Workaround: Use the following command, instead of the one shown on the screen: `docker exec -ti <container_id> python3 /splunk/broker/bin/update_creds.py --new-creds "<copied_creds>"` `docker <container_id> restart`
2022-11-28	PSAAS-11237	Details for playbook runs don't update in window from the Investigation page Workaround: Click the "x" and then click on the desired playbook run in the queue
2022-11-28	PSAAS-11242	VPE: After correct reconfiguration, "invalid resource" warning persists within subplaybook block Workaround: The warning will not be shown if the user returns to the state 'Unconfigured' of the block and then proceeds to configure again
2022-11-18	PSAAS-11181	Fix page crash on load for blocks using external resources
2022-11-18	PSAAS-11190	VPE: Block Names with Container - A block name with "container" cannot share its results in other blocks in the Visual Editor Workaround: Do not use the word 'container' in playbook block names.
2022-11-08	PSAAS-11057	Ingestd Daemon can hang during poll now in rare scenarios.
2022-10-31	PSAAS-11001	Wrong results in PB: "NOT IN" clause wrongly returns FALSE in SOAR when there is a null value in its condition
2022-10-19	PSAAS-10817	Bulk edit of Python 2 playbook properties is not blocked
2022-09-07	PSAAS-10127	Playbooks using Threat Grid or urlscan.io app hang on the detonation action Workaround: Upgrade the app you are using. From the Apps page, click App Updates. Upgrade the app to the appropriate version: Threat Grid: upgrade to version 2.3.1 or higher urlscan.io: upgrade to version 2.3.0 or higher
2022-04-08	PSAAS-8541	Unreadable characters sporadically appear in UI Workaround: Refresh the browser to reload the page.
2021-09-30	PSAAS-5408	/rest/widget_data/top_playbooks_actions endpoint returns invalid playbook_name field with tags Workaround: Parse the result manually to exclude the `span` tags around the playbook name.

Related answers from Splunk Community

Known issues for

Release 5.5.0

Comments

Known issues for Splunk SOAR (On-premises)

Was this topic useful?