Splunk® SOAR (On-premises)

Release Notes

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Known issues for

Release 6.0.0

High priority issue

Date filed Issue number Description
2023-05-23 PSAAS-13519, PSAAS-13538 Auth tokens expire after 30 days; tokens should not expire

The ph-auth-token for any automation user account will expire 30 days after it is generated. In releases prior to 6.0.0, these tokens did not expire. You might see a 401 Invalid Token error when using these tokens to call the Splunk SOAR API or running actions using an app with an asset configurations that uses these tokens.


Affected deployments
New installations of Splunk SOAR version 6.0.0
Your deployment is affected if you have created automation user authentication tokens in installations of Splunk SOAR version 6.0.0.
Upgrades to Splunk SOAR version 6.0.0
If you created any authentication tokens in an earlier Splunk SOAR version before upgrading to version 6.0.0:

  • Your deployment is affected if you update the tokens in version 6.0.0,
  • Your deployment is not affected if you do not update the tokens after upgrading.

Workaround
To rotate the key at any time (before or after it expires), generate a new one by by following these steps:

  1. Within Splunk SOAR, navigate to Administration, then User Management, then Users.
  2. Select the user you want to edit and select Re-Generate Auth Token.
  3. Select Show Token, then copy the token to your clipboard.
  4. Use that token to update any affected Splunk SOAR assets or external scripts that use the SOAR API.

Additional known issues

Date filed Issue number Description
2024-03-14 PSAAS-16703 Playbook hangs when action license is exceeded
2024-02-22 PSAAS-16477 Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes

Workaround:
Manually change the image: line in docker-compose.yaml to point to docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.
2024-02-15 PSAAS-16431, PSAAS-16962, PSAAS-16963 Automation Broker: Actions intermittently hang for Automation Broker when there are connection issues

Workaround:
  1. Check if the action completed successfully.
  2. Cancel the hanging action.
  3. If the action did not complete successfully, re-run the action.

This problem is usually intermittent. Once connection issues have been resolved, retrying the action should succeed.

2023-11-29 PSAAS-15638 Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively

Workaround:
If using the REST API directly, add a sort parameter to the URL: 
https://example-soar.com/rest/resource?page=X&sort=id

If using the phantom.get_tasks() or phantom.get_notes() playbook APIs, you can use phantom.requests instead to query the REST API directly: 


# Instead of phantom.get_tasks(), use
url = phantom.build_phantom_rest_url('workbook_task')



# Or, instead of phantom.get_notes(), use
url = phantom.build_phantom_rest_url('note')

params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
tasks = response.json()['data']

2023-09-20 PSAAS-14855 The migration tool for privileged to unprivileged SOAR does not retain known_hosts file.

Workaround:
If any git repos are failing to sync after an privileged to unprivileged migration, follow the steps in Set up a playbook repository using SSH from

Configure a source control repository for your Splunk SOAR (On-premises) playbooks in Administer Splunk SOAR (On-premises).

These steps will add the git server to the known_hosts file of the phantom user in SOAR.

2023-09-14 PSAAS-14784 SOAR gives a "502 bad gateway" error for all SAML logins if a metadata endpoint fails to respond.
2023-08-25 PSAAS-14608 Images are not visible in app documentation
2023-07-24 PSAAS-14158 In a SOAR cluster, playbook blocks using the playbook API that are downstream from a block using the HTTP connector may fail with status 401.

Workaround:
Due to a change in how SOAR user sessions are handled, if the HTTP connector authenticates using different credentials than the playbooks' automation user, the playbook runs' session token is logged out, resulting in further API requests getting a status of 401. This affects active playbooks triggered by ingestion.

There are four possible workarounds.

  1. Update the HTTP connector's asset's authentication fields to use the same automation user that is running the active playbook.
  2. Update the HTTP connector's asset's "Base Url" to point one of the nodes in the cluster instead of the load balancer.
  3. Put the actions run with the HTTP connector in a child playbook.
  4. Use the phantom.requests playbook API without specifying any authentication mechanism instead of using the HTTP connector.

2023-06-26 PSAAS-13898 Splunk SOAR's cron jobs generate output, which fills up mail boxes over time

Workaround:
Empty the Splunk SOAR user's mailbox. For example, if the Splunk SOAR user is phantom, you can empty the mailbox by running
rm /var/mail/phantom

For each of the cron jobs installed during soar installation, edit the soar user's crontab (with "crontab -e") and append the following to the end of each command line: {{> /dev/null 2>&1}}

2023-06-22 PSAAS-13858 spawn.log could stop working if telemetry is off for new install or upgrade from 5.5.0

Workaround:
  1. Turn on the telemetry feature in the Home menu then Administration, then Product Settings in the web-based UI.
  2. Restart phantom_watchdogd from the web-based UI or using the command line. 
     <$PHANTOM_HOME>/bin/phsvc restart phantom_watchdogd
  3. If you are able to use the command line, make sure <$PHANTOM_HOME>/var/log/phantom/spawn_telemetry_pipe was created
  4. Once spawn.log is running it is safe to turn off the telemetry feature. The spawn_telemetry_pipe stays even if telemetry is off, which lets the spawn logger process run.

2023-05-07 PSAAS-13362 Playbook Run History: Need to add 'Pending' to Status column filter
2023-04-28 PSAAS-13290 Toggling delay timer in one block causes all other action blocks to toggle delay timer.

Workaround:
Avoid toggling delay timer for blocks that do not want delays. Instead, reduce the delay to 0 minutes.
2023-04-28 PSAAS-13285 Asset mapper fails to remap all blocks
2023-04-26 PSAAS-13255 Deleting a container with 1000+ artifacts causes UWSGI to run out of memory.

Workaround:
For Waterspout we have swapped the deletion mechanism of containers in the UI from a django deletion to a raw deletion.

This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added.


In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the Template:Delete db containers management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission.

2023-04-24 PSAAS-13176 Conditional installer tasks can fail to execute when retrying a failed upgrade
2023-04-20 PSAAS-13156, PSAAS-12705 VPE: Condition blocks treat "False" and "True" as strings, not Boolean values

Workaround:
N/A
2023-04-20 PSAAS-13154 VPE: When opening playbooks, 'Invalid Resource' appears incorrectly on some blocks

Workaround:
This incorrect warning is caused by an issue with the Smart Block Context, conveying information from early playbook blocks to later blocks.

Reconfigure the affected block to remove the warning.

  1. Select the affected block to open its configuration panel.
  2. If needed, select the back button until the datapath selection panel list is visible.
  3. From the selection panel, select the correct resource again.
  4. Select Done. The warning should no longer appear.

2023-04-14 PSAAS-13089, PSAAS-14740 Unable to see console output in light mode from app editor view
2023-04-12 PSAAS-13062 Reverts PSAAS-11066 in 6.0.0 - User with the "view" permission in one tenant is able to edit assets in other tenants
2023-04-06 PSAAS-12976 VPE: Manually selecting an asset deletes block configuration

Workaround:
Create a new block and copy the datapaths from the python editor view.
2023-04-05 PSAAS-12968 License is removed from SOAR if too many seats are used

Workaround:
Delete the old admin ID. This will reduce seats used by 1 and allow the license to be installed. It also allows for restarting/running SOAR without the license being removed.
2023-03-27 PSAAS-12842 When using an internal IdP for SAML2 auth, an error from incorrectly parsed XML prevents users from logging in
2023-03-27 PSAAS-12839 GitRepos Installer step can fail on upgrades if the community repo has been disabled and duplicate playbooks exist in the db.
2023-03-22 PSAAS-12772 Automation Broker sometimes failed to reconnect
2023-03-22 PSAAS-12767 App install with Chrome browser: Browser crashes when installing a TAR or TGZ file

Workaround:
This issue occurs when adding a new app using Chrome version 111.0.5563.

To avoid this issue, use a different browser.

2023-03-22 PSAAS-12766 Cannot Subscribe to more than one scheduled report in UI
2023-03-22 PSAAS-12773 Automation Broker: phantom_broker_proxy terminates websocket connections
2023-03-22 PSAAS-12782 VPE: phantom.collect2 fails if using a filter block that contains an action name

Workaround:
Rename the filter block to not include the preceding action name or rename the action block to something different than the filter.
2023-03-13 PSAAS-12637 Documentation: Cannot render specific div's from README.md properly on documentation page
2023-03-07 PSAAS-12592 VPE: Screen goes blank when loading playbook in v6.0 worked in v5.5

Workaround:
None Found
2023-03-03 PSAAS-12470 custom app install fails with "Multiple app directories detected." after upgrading from 5.5.0 to 6.0.0

Workaround:
recompile the app under soar 6.0.0 via the command line using "phenv compile_app -t -a {app_directory}"
2023-03-02 PSAAS-12427, PSAAS-12635 Python2 deprecation notice task in the installer fails if there are pipe characters in the repo/playbook/cf names.

Workaround:
Disable/delete any python 2 playbooks before upgrading to >= 5.3.4 or rename the playbooks/repos so that they no longer contain the pipe character.
2023-03-01 PSAAS-12397 App editor fails to load assets in edit mode for draft apps

Workaround:
Workaround 1: Publish the app so it is not longer a DRAFT, do the tests with the existing assets and then edit again to carry on with development. That generates a new version of the app for every test/publish action made


Workaround 2: create a new asset while testing in DRAFT mode. That works as well but then when the app is published, that asset becomes an orphaned asset that can no longer be used unless reassigned. There is a new orphan asset for every time the app is published

2023-02-28 PSAAS-12376 Duplicate entries for SOAR related variables in the environment can cause Restore environment check to fail in Backup and Restore procedure

Workaround:
Use the --ignore-env-check option when doing a restore after verifying that the environment check fails due to duplicates and not because of some value being actually different (aka source system having PHANTOM_FIPS_MODE=0 and target system having PHANTOM_FIPS_MODE=1)
2023-02-28 PSAAS-12378 6.0.0. upgrade script bypasses creating soar_local_admin step even if existing soar_local_admin users have bee deleted
2023-02-27 PSAAS-12370 VPE: Downstream datapath variable values are replaced with variable name in various block types after upgrade

Workaround:
Manually discover the incorrect datapath and re-select all datapaths that were renamed.
2023-02-27 PSAAS-12369 Logrotate fails because of syntax error in the config file

Workaround:
Change the prerotate section of opt/phantom/etc/logrotate.d/phantom_logrotate.conf to the following: 

/opt/phantom/var/log/phantom/*.log {
  copytruncate
  rotate 10
  size 50M
  start 1
  create 0660
}

2023-02-18 PSAAS-12347 VPE: Playbooks cannot be canceled by the customer
2023-02-16 PSAAS-12331 VPE: Naming blocks the same for utility block causes the blocks to sync
2023-02-16 PSAAS-12333 Playbooks that open with smart block context warnings will disable the debugger and display 'Discard Changes' button

Workaround:
Save the playbook. The debugger is re-enabled and the Discard Changes button no longer displays.
2023-02-16 PSAAS-12319 update_certificates status command should not fail on clusters that are not using glusterfs for shared filesystem

Workaround:
Query certificate statuses with an explicit scope

phenv update_certificates status --scope nginx

phenv update_certificates status --scope consul_and_rabbitmq

2023-02-16 PSAAS-12320 VPE: Assigning a custom name to a utility block breaks the configuration panel
2023-02-15 PSAAS-12299 Apps Update does not display available new versions of unconfigured bundled apps

Workaround:
Applies to apps included with Splunk SOAR that are unconfigured (listed under the Unconfigured Apps tab). This does not apply to apps you manually installed by clicking Install App.
  1. Configure an asset for that app.
  2. Return to the Apps list.
  3. Click App Updates to see any available updates for that configured app.

2023-02-15 PSAAS-12317 API block, Custom Function with list type inputs do not update datapaths when upstream block custom name is changed

Workaround:
Configure the datapath manually.
2023-02-15 PSAAS-12311, PSAAS-12328 Prompt block icon disappear after creating more than one empty questions
2023-02-15 PSAAS-12307 VPE: Playbook Block: After multi-selecting inputs, deleting all selections and adding new selection has a comma prepended to datapath
2023-02-13 PSAAS-12286 VPE: Missing warning for unconfigured datapaths in custom function code blocks or utility blocks
2023-02-13 PSAAS-12284 Playbook input variables are marked as invalid within an input playbook

Workaround:
There is no workaround for this at the moment, but playbooks with block warnings can still be saved/run as usual. The warnings do not impact basic playbook functionality in any way.
2023-02-10 PSAAS-12266 Apps: Non compliant FIPS staged app fails to install

Workaround:
Install the app manually by using Install App button.
2023-02-06 PSAAS-12198 App action links within app documentation do not work

Workaround:
Scroll down the page to view the documents or find by using CTRL-F search function.
2023-02-02 PSAAS-12158 User filtering is using first/last name to filter events instead of just username

Workaround:
None
2023-02-01 PSAAS-12155 Adding multiple inputs to a previously saved custom function - not in alphabetical order - invalidates custom function.

Workaround:
  1. Edit the custom function again. Click Generate. Two function headers display.
  2. Manually delete the old function header, located between the ## Custom Code Goes Below This Line ## comment lines. You cannot delete the new function header, because it is locked.

    3. The custom function will use the newly generated function header and function properly.


2023-01-17 PSAAS-11908, PSAAS-11910 Script "port_forward configure" flag "--no-prompt" doesn't work
2023-01-09 PSAAS-11797 App actions fail due to unescaped null characters (PSAAS-10127)
2022-12-14 PSAAS-11509 Third-party license information is included in documentation, but not in the product UI

Workaround:
Third-party credits are located at Third-party credits in Splunk SOAR (On-premises).
2022-12-07 PSAAS-11389 Git app: Action git commit fails

Workaround:
The issue affects the git push command. Use HTTPS or git protocol instead of HTTP.
2022-11-28 PSAAS-11237 Details for playbook runs don't update in window from the Investigation page

Workaround:
Click the "x" and then click on the desired playbook run in the queue
2022-11-18 PSAAS-11190 VPE: Block Names with Container - A block name with "container" cannot share its results in other blocks in the Visual Editor

Workaround:
Do not use the word 'container' in playbook block names.
2022-10-31 PSAAS-11001 Wrong results in PB: "NOT IN" clause wrongly returns FALSE in SOAR when there is a null value in its condition
2022-09-07 PSAAS-10127 Playbooks using Threat Grid or urlscan.io app hang on the detonation action

Workaround:
Upgrade the app you are using.
  1. From the Apps page, click App Updates.
  2. Upgrade the app to the appropriate version:
    • Threat Grid: upgrade to version 2.3.1 or higher
    • urlscan.io: upgrade to version 2.3.0 or higher

2022-07-07 PSAAS-9417, PSAAS-9599 Data/Graphs missing on Executive Report after 5.3.2 upgrade
2022-04-08 PSAAS-8541 Unreadable characters sporadically appear in UI

Workaround:
Refresh the browser to reload the page.
Last modified on 30 October, 2024
Welcome to 6.0.0   Fixed issues for

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters