After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Known issues for
Release 6.0.1
High priority issue
Date filed | Issue number | Description |
---|---|---|
2023-05-23 | PSAAS-13519, PSAAS-13538 | Auth tokens expire after 30 days; tokens should not expire The ph-auth-token for any automation user account will expire 30 days after it is generated. In releases prior to 6.0.0, these tokens did not expire. You might see a 401 Invalid Token error when using these tokens to call the Splunk SOAR API or running actions using an app with an asset configurations that uses these tokens.
Workaround
|
Additional known issues
Date filed | Issue number | Description |
---|---|---|
2024-11-20 | PSAAS-20761 | set non-synchronous child playbook run status to failed if due to label mismatch |
2024-10-21 | PSAAS-20167 | Child Playbook gets stuck running when run against label it does not pertain to |
2024-03-14 | PSAAS-16703 | Playbook hangs when action license is exceeded |
2024-03-04 | PSAAS-16565 | Upgrade failed at step GitRepos -- Failed to bootstrap playbook repos |
2024-02-22 | PSAAS-16477 | Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes Workaround: Manually change the image: line in docker-compose.yaml to point to docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>. |
2024-02-15 | PSAAS-16431, PSAAS-16962, PSAAS-16963 | Automation Broker: Actions intermittently hang for Automation Broker when there are connection issues Workaround:
This problem is usually intermittent. Once connection issues have been resolved, retrying the action should succeed. |
2023-11-29 | PSAAS-15638 | Paginating REST APIs without sorting may give duplicate results across pages. Also affects phantom.get_tasks() and phantom.get_notes() playbook APIs, when containers have >10 tasks or >10 notes, respectively Workaround: If using the REST API directly, add a sort parameter to the URL:
https://example-soar.com/rest/resource?page=X&sort=id If using the # Instead of phantom.get_tasks(), use url = phantom.build_phantom_rest_url('workbook_task') # Or, instead of phantom.get_notes(), use url = phantom.build_phantom_rest_url('note') params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'} response = phantom.requests.get(url, params=params) tasks = response.json()['data'] |
2023-10-22 | PSAAS-15123 | Assets table in Password Vault, sorting after search does not show all the assets Workaround: Refresh page |
2023-09-20 | PSAAS-14855 | The migration tool for privileged to unprivileged SOAR does not retain known_hosts file. Workaround: If any git repos are failing to sync after an privileged to unprivileged migration, follow the steps in Set up a playbook repository using SSH from Configure a source control repository for your Splunk SOAR (On-premises) playbooks in Administer Splunk SOAR (On-premises). These steps will add the git server to the known_hosts file of the phantom user in SOAR. |
2023-09-14 | PSAAS-14784 | SOAR gives a "502 bad gateway" error for all SAML logins if a metadata endpoint fails to respond. |
2023-08-25 | PSAAS-14608 | Images are not visible in app documentation |
2023-07-24 | PSAAS-14152 | No indicators are displayed when all labels are selected in role permissions |
2023-07-24 | PSAAS-14158 | In a SOAR cluster, playbook blocks using the playbook API that are downstream from a block using the HTTP connector may fail with status 401. Workaround: Due to a change in how SOAR user sessions are handled, if the HTTP connector authenticates using different credentials than the playbooks' automation user, the playbook runs' session token is logged out, resulting in further API requests getting a status of 401. This affects active playbooks triggered by ingestion. There are four possible workarounds.
|
2023-07-19 | PSAAS-14125 | Users without the "Administrator" role cannot delete an Automation Broker, even when given appropriate permissions. Workaround: Use an account with the Administrator role to delete any Splunk SOAR Automation Brokers as needed. |
2023-07-18 | PSAAS-14102 | The original State file is replicated with app dir's state file Workaround: Remove the state file from the app dir. |
2023-07-18 | PSAAS-14107 | Command make_server_node.pyc changes DB ownership to postgres on NRI install and then cannot start |
2023-06-27 | PSAAS-13913 | VPE: After clicking Discard Changes button, blocks show error "Reconfigure Invalid Data Path" Workaround: Need to not save the playbook and refresh the page |
2023-06-26 | PSAAS-13898 | Splunk SOAR's cron jobs generate output, which fills up mail boxes over time Workaround: Empty the Splunk SOAR user's mailbox. For example, if the Splunk SOAR user is phantom , you can empty the mailbox by runningrm /var/mail/phantom
For each of the cron jobs installed during soar installation, edit the soar user's crontab (with "crontab -e") and append the following to the end of each command line: {{> /dev/null 2>&1}} |
2023-06-23 | PSAAS-13889 | Images within app documentation are not being rendered |
2023-06-21 | PSAAS-13845 | VPE stuck in 'Loading Playbook Editor' after minor playbook change. Workaround: Right click on VPE and then select inspect then display none. This disables the 'playbook loading' screen. Reverted to the last playbook revision: Select settings then revision history. Now reapply your reversed changes to the playbook. |
2023-06-21 | PSAAS-13850 | WarnOfflineInstallCustomerPipPackages install step fails for offline installs if ".tmp_pip_failure.txt" does not exist Workaround: Create an empty file called .tmp_pip_failure.txt in the location where the installer is being run from and retry the install/upgrade. |
2023-06-12 | PSAAS-13720 | Playbooks become unresponsive when using an input playbook with "" in the name Workaround: Give the Playbook Action Block in the Automation Playbook a Custom Name that does not contain "[]" chars before having a filter reference the output of the Playbook Action Block. |
2023-06-12 | PSAAS-13722 | Issue with Utility setting for playbook is not being refresh Workaround: Need to click on the background page and click back to the set status utility to show the correct setting |
2023-06-05 | PSAAS-13766 | Microsoft AD LDAP app fails with "No module named 'adldap_consts'" error message Workaround:
|
2023-05-31 | PSAAS-13589 | Installation error (FileNotFoundError: (Errno 2) No such file or directory: 'openssl') Workaround: Install the openssl package. sudo yum update sudo yum install openssl |
2023-05-30 | PSAAS-13579 | Password reset email does not prominently display the reset page URL. Need to update URL manually. Workaround: To reset your password, follow these steps:
|
2023-05-25 | PSAAS-13546 | App Viewer attempts to load but crashes on lower permission user Workaround: Login as user with an increased level of permissions. |
2023-05-23 | PSAAS-13512 | Settings up shared services with make_server_node.py will fail if using a ssh keyfile instead of a user and a password for authentication. |
2023-05-22 | PSAAS-13503 | When a user without system_settings view permission switches tabs from the SOAR homepage, the SOAR UI and apps become unresponsive. Workaround:
|
2023-05-16 | PSAAS-13425 | Log level changes don't get applied to uwsgi mules without a uwsgi restart Workaround: To change the uwsgi log level, restart uwsgi by running the following command:
|
2023-05-11 | PSAAS-13398 | After upgrading from 6.0.0 to 6.0.1/6.0.2, configuring a new asset fails with the error message, "Cannot complete installing <app name>. Return to the Apps page and try installing again." Workaround: Run the following commands as the phantom user, then create the new asset: mkdir -p /tmp/ph-apps tar xvf <SOAR release file untarred directory>/splunk-soar/soar_component_apps.tar -C /tmp/ph-apps phenv install_apps /tmp/ph-apps/dependencies/apps/*.tgz |
2023-04-28 | PSAAS-13290 | Toggling delay timer in one block causes all other action blocks to toggle delay timer. Workaround: Avoid toggling delay timer for blocks that do not want delays. Instead, reduce the delay to 0 minutes. |
2023-04-28 | PSAAS-13285 | Asset mapper fails to remap all blocks |
2023-04-26 | PSAAS-13255 | Deleting a container with 1000+ artifacts causes UWSGI to run out of memory. Workaround: For Waterspout we have swapped the deletion mechanism of containers in the UI from a django deletion to a raw deletion. This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added.
In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the Template:Delete db containers management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission. |
2023-04-24 | PSAAS-13176 | Conditional installer tasks can fail to execute when retrying a failed upgrade |
2023-04-24 | PSAAS-13177 | VPE: Playbook input elements in Configure panel is not shown due to repo ID mismatch Workaround: Use the Python editor and make the changes (or check the values) directly in the code. Adding another block in the PB sometimes shows the fields but not always. See attached video. |
2023-04-20 | PSAAS-13156, PSAAS-12705 | VPE: Condition blocks treat "False" and "True" as strings, not Boolean values Workaround: N/A |
2023-04-20 | PSAAS-13154 | VPE: When opening playbooks, 'Invalid Resource' appears incorrectly on some blocks Workaround: This incorrect warning is caused by an issue with the Smart Block Context, conveying information from early playbook blocks to later blocks. Reconfigure the affected block to remove the warning.
|
2023-04-14 | PSAAS-13089, PSAAS-14740 | Unable to see console output in light mode from app editor view |
2023-04-13 | PSAAS-13069 | Py2_deprecation check fails loudly if you run the unpriv installer as root |
2023-04-07 | PSAAS-12993 | Upgrade fails due to communication failure with grpc.prod1-cloudgateway.spl.mobi Workaround: use flag --ignore-warnings |
2023-04-06 | PSAAS-12976 | VPE: Manually selecting an asset deletes block configuration Workaround: Create a new block and copy the datapaths from the python editor view. |
2023-04-05 | PSAAS-12968 | License is removed from SOAR if too many seats are used Workaround: Delete the old admin ID. This will reduce seats used by 1 and allow the license to be installed. It also allows for restarting/running SOAR without the license being removed. |
2023-03-22 | PSAAS-12782 | VPE: phantom.collect2 fails if using a filter block that contains an action name Workaround: Rename the filter block to not include the preceding action name or rename the action block to something different than the filter. |
2023-03-01 | PSAAS-12397 | App editor fails to load assets in edit mode for draft apps Workaround: Workaround 1: Publish the app so it is not longer a DRAFT, do the tests with the existing assets and then edit again to carry on with development. That generates a new version of the app for every test/publish action made
Workaround 2: create a new asset while testing in DRAFT mode. That works as well but then when the app is published, that asset becomes an orphaned asset that can no longer be used unless reassigned. There is a new orphan asset for every time the app is published |
2023-02-28 | PSAAS-12376 | Duplicate entries for SOAR related variables in the environment can cause Restore environment check to fail in Backup and Restore procedure Workaround: Use the --ignore-env-check option when doing a restore after verifying that the environment check fails due to duplicates and not because of some value being actually different (aka source system having PHANTOM_FIPS_MODE=0 and target system having PHANTOM_FIPS_MODE=1) |
2023-02-16 | PSAAS-12331 | VPE: Naming blocks the same for utility block causes the blocks to sync |
2023-02-15 | PSAAS-12299 | Apps Update does not display available new versions of unconfigured bundled apps Workaround: Applies to apps included with Splunk SOAR that are unconfigured (listed under the Unconfigured Apps tab). This does not apply to apps you manually installed by clicking Install App.
|
2023-02-06 | PSAAS-12198 | App action links within app documentation do not work Workaround: Scroll down the page to view the documents or find by using CTRL-F search function. |
2023-02-02 | PSAAS-12158 | User filtering is using first/last name to filter events instead of just username Workaround: None |
2022-11-28 | PSAAS-11237 | Details for playbook runs don't update in window from the Investigation page Workaround: Click the "x" and then click on the desired playbook run in the queue |
2022-11-18 | PSAAS-11190 | VPE: Block Names with Container - A block name with "container" cannot share its results in other blocks in the Visual Editor Workaround: Do not use the word 'container' in playbook block names. |
2022-07-07 | PSAAS-9417, PSAAS-9599 | Data/Graphs missing on Executive Report after 5.3.2 upgrade |
2022-04-08 | PSAAS-8541 | Unreadable characters sporadically appear in UI Workaround: Refresh the browser to reload the page. |
Welcome to Splunk SOAR (On-premises) 6.0.1 | Fixed issues for |
This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.1
Feedback submitted, thanks!