Splunk® SOAR (On-premises)

Release Notes

The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Known issues for

Release 6.0.2

Date filed Issue number Description
2024-03-04 PSAAS-16565 Upgrade failed at step GitRepos -- Failed to bootstrap playbook repos
2024-02-22 PSAAS-16477 Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes

Workaround:
Manually change the image: line in docker-compose.yaml to point to docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.
2024-02-15 PSAAS-16431, PSAAS-16963, PSAAS-16962 Automation Broker: Actions intermittently hang for Automation Broker when there are connection issues

Workaround:
# Check if the action completed successfully
  1. Cancel the hanging action
  2. If the action did not complete successfully, re-run the action.
2023-09-20 PSAAS-14855 The migration tool for privileged to unprivileged SOAR does not retain known_hosts file.

Workaround:
If any git repos are failing to sync after an privileged to unprivileged migration, follow the steps in Set up a playbook repository using SSH from

Configure a source control repository for your Splunk SOAR (On-premises) playbooks in Administer Splunk SOAR (On-premises).

These steps will add the git server to the known_hosts file of the phantom user in SOAR.

2023-09-14 PSAAS-14784 SOAR gives a "502 bad gateway" error for all SAML logins if a metadata endpoint fails to respond.
2023-08-29 PSAAS-14627 VPE: Code from one utility block might be copied into another utility block in the same playbook

Workaround:
In the Python Playbook Editor of the VPE, manually edit the affected blocks to remove duplicate codes.


To keep track of changes you make, clone the playbook before each edit.

2023-07-24 PSAAS-14158 In a SOAR cluster, playbook blocks using the playbook API that are downstream from a block using the HTTP connector may fail with status 401.

Workaround:
Due to a change in how SOAR user sessions are handled, if the HTTP connector authenticates using different credentials than the playbooks' automation user, the playbook runs' session token is logged out, resulting in further API requests getting a status of 401. This affects active playbooks triggered by ingestion.

There are four possible workarounds.

  1. Update the HTTP connector's asset's authentication fields to use the same automation user that is running the active playbook.
  2. Update the HTTP connector's asset's "Base Url" to point one of the nodes in the cluster instead of the load balancer.
  3. Put the actions run with the HTTP connector in a child playbook.
  4. Use the phantom.requests playbook API without specifying any authentication mechanism instead of using the HTTP connector.

2023-07-07 PSAAS-13995 CEF field not editable when created using REST API call if value is 0

Workaround:
None
2023-06-30 PSAAS-13970 phenv crashes because it cannot connect to the database when invoked while pgbouncer is not running

Workaround:
Start Splunk SOAR On Premises by running PHANTOM_HOME/bin/start_phantom.sh before running any commands with phenv
2023-06-26 PSAAS-13898 Splunk SOAR's cron jobs generate output, which fills up mail boxes over time

Workaround:
Empty the Splunk SOAR user's mailbox. For example, if the Splunk SOAR user is phantom, you can empty the mailbox by running
rm /var/mail/phantom
2023-06-22 PSAAS-13858 spawn.log could stop working if telemetry is off for new install or upgrade from 5.5.0

Workaround:
  1. Turn on the telemetry feature in the Home menu then Administration, then Product Settings in the web-based UI.
  2. Restart phantom_watchdogd from the web-based UI or using the command line. 
     <$PHANTOM_HOME>/bin/phsvc restart phantom_watchdogd
  3. If you are able to use the command line, make sure <$PHANTOM_HOME>/var/log/phantom/spawn_telemetry_pipe was created
  4. Once spawn.log is running it is safe to turn off the telemetry feature. The spawn_telemetry_pipe stays even if telemetry is off, which lets the spawn logger process run.

2023-06-16 PSAAS-13794 VPE: utility block could contain hidden actions
2023-06-14 PSAAS-13760 Automation Broker for SOAR version 6.0.2: use AB version 6.0.1 or 6.0.0; no new AB release for 6.0.2

Workaround:
This ticket is informational - there is no issue.

When using SOAR version 6.0.2, use the Automation Broker versions tagged 6.0.1.123902 or 6.0.0.114895

2023-06-12 PSAAS-13720 Playbooks become unresponsive when using an input playbook with "" in the name

Workaround:
Give the Playbook Action Block in the Automation Playbook a Custom Name that does not contain "[]" chars before having a filter reference the output of the Playbook Action Block.
2023-06-12 PSAAS-13722 Issue with Utility setting for playbook is not being refresh

Workaround:
Need to click on the background page and click back to the set status utility to show the correct setting
2023-06-05 PSAAS-13766 Microsoft AD LDAP app fails with "No module named 'adldap_consts'" error message

Workaround:
# Clear the local cache on the Automation Broker for the given app. This example shows steps to clear the local cache on Automation Broker for a sample maxmind app:

{noformat}splunk_user@518d6331a46d:/splunk_data/apps$ cd maxmind_c566e153-3118-4033-abda-14dd9748c91a/ splunk_user@518d6331a46d:/splunk_data/apps/maxmind_c566e153-3118-4033-abda-14dd9748c91a$ ls -l total 4 drwxr-xr-x 6 splunk_user splunk_user 4096 Jun 7 15:43 2.2.5 splunk_user@518d6331a46d:/splunk_data/apps/maxmind_c566e153-3118-4033-abda-14dd9748c91a$ rm -rf 2.2.5{noformat}

  1. After you clear the cache, run a test conn or any action to re-download the app to the Automation Broker from SOAR.
2023-05-31 PSAAS-13589 Installation error (FileNotFoundError: (Errno 2) No such file or directory: 'openssl')

Workaround:
Install the openssl package. 
sudo yum update
sudo yum install openssl

2023-05-30 PSAAS-13579 Password reset email does not prominently display the reset page URL. Need to update URL manually.

Workaround:
To reset your password, follow these steps:
  1. After completing the Forgot your password form, select Go back to signin.
  2. In the address bar of your browser, update the last part of the Splunk SOAR URL.
    Replace /login?next=/ with /reset.
    The Reset your password screen appears.
  3. Open the Password reset request email you received from Splunk. Copy the token to your clipboard.
  4. Paste the token from the previous step into Password Reset Token field on the Reset your password page. Enter and confirm your new password, then select Submit.

2023-05-25 PSAAS-13546 App Viewer attempts to load but crashes on lower permission user

Workaround:
Login as user with an increased level of permissions.
2023-05-23 PSAAS-13512 Settings up shared services with make_server_node.py will fail if using a ssh keyfile instead of a user and a password for authentication.
2023-05-16 PSAAS-13425 Log level changes don't get applied to uwsgi mules without a uwsgi restart

Workaround:
To change the uwsgi log level, restart uwsgi by running the following command:

<PHANTOM_HOME>/bin/phsvc restart uwsgi

2023-05-11 PSAAS-13398 After upgrading from 6.0.0 to 6.0.1/6.0.2, configuring a new asset fails with the error message, "Cannot complete installing <app name>. Return to the Apps page and try installing again."

Workaround:
Run the following commands as the phantom user, then create the new asset: 
mkdir -p /tmp/ph-apps
tar xvf <SOAR release file untarred directory>/splunk-soar/soar_component_apps.tar -C /tmp/ph-apps
phenv install_apps /tmp/ph-apps/dependencies/apps/*.tgz

2023-04-28 PSAAS-13285 Asset mapper fails to remap all blocks
2023-04-28 PSAAS-13290 Toggling delay timer in one block causes all other action blocks to toggle delay timer.

Workaround:
Avoid toggling delay timer for blocks that do not want delays. Instead, reduce the delay to 0 minutes.
2023-04-24 PSAAS-13176 Conditional installer tasks can fail to execute when retrying a failed upgrade
2023-04-20 PSAAS-13156, PSAAS-12705 VPE: Condition blocks treat "False" and "True" as strings, not Boolean values

Workaround:
N/A
2023-04-20 PSAAS-13154 VPE: When opening playbooks, 'Invalid Resource' appears incorrectly on some blocks

Workaround:
This incorrect warning is caused by an issue with the Smart Block Context, conveying information from early playbook blocks to later blocks.

Reconfigure the affected block to remove the warning.

  1. Select the affected block to open its configuration panel.
  2. If needed, select the back button until the datapath selection panel list is visible.
  3. From the selection panel, select the correct resource again.
  4. Select Done. The warning should no longer appear.

2023-04-14 PSAAS-13089 Unable to see console output in light mode from app editor view
2023-04-13 PSAAS-13069 Py2_deprecation check fails loudly if you run the unpriv installer as root
2023-04-07 PSAAS-12993 Upgrade fails due to communication failure with grpc.prod1-cloudgateway.spl.mobi

Workaround:
use flag --ignore-warnings
2023-04-06 PSAAS-12976 VPE: Manually selecting an asset deletes block configuration

Workaround:
Create a new block and copy the datapaths from the python editor view.
2023-04-05 PSAAS-12968 License is removed from SOAR if too many seats are used

Workaround:
Delete the old admin ID. This will reduce seats used by 1 and allow the license to be installed. It also allows for restarting/running SOAR without the license being removed.
2023-03-22 PSAAS-12782 VPE: phantom.collect2 fails if using a filter block that contains an action name

Workaround:
Rename the filter block to not include the preceding action name or rename the action block to something different than the filter.
2023-03-01 PSAAS-12397 App editor fails to load assets in edit mode for draft apps

Workaround:
Workaround 1: Publish the app so it is not longer a DRAFT, do the tests with the existing assets and then edit again to carry on with development. That generates a new version of the app for every test/publish action made


Workaround 2: create a new asset while testing in DRAFT mode. That works as well but then when the app is published, that asset becomes an orphaned asset that can no longer be used unless reassigned. There is a new orphan asset for every time the app is published

2023-02-28 PSAAS-12376 Duplicate entries for SOAR related variables in the environment can cause Restore environment check to fail in Backup and Restore procedure

Workaround:
Use the --ignore-env-check option when doing a restore after verifying that the environment check fails due to duplicates and not because of some value being actually different (aka source system having PHANTOM_FIPS_MODE=0 and target system having PHANTOM_FIPS_MODE=1)
2023-02-16 PSAAS-12331 VPE: Naming blocks the same for utility block causes the blocks to sync
2023-02-15 PSAAS-12299 Apps Update does not display available new versions of unconfigured bundled apps

Workaround:
Applies to apps included with Splunk SOAR that are unconfigured (listed under the Unconfigured Apps tab). This does not apply to apps you manually installed by clicking Install App.
  1. Configure an asset for that app.
  2. Return to the Apps list.
  3. Click App Updates to see any available updates for that configured app.

2023-02-06 PSAAS-12198 App action links within app documentation do not work

Workaround:
Scroll down the page to view the documents or find by using CTRL-F search function.
2022-11-28 PSAAS-11237 Details for playbook runs don't update in window from the Investigation page

Workaround:
Click the "x" and then click on the desired playbook run in the queue
2022-11-18 PSAAS-11190 VPE: Block Names with Container - A block name with "container" cannot share its results in other blocks in the Visual Editor

Workaround:
Do not use the word 'container' in playbook block names.
2022-07-07 PSAAS-9417, PSAAS-9599 Data/Graphs missing on Executive Report after 5.3.2 upgrade
2022-04-08 PSAAS-8541 Unreadable characters sporadically appear in UI

Workaround:
Refresh the browser to reload the page.
Last modified on 27 March, 2024
Welcome to Splunk SOAR (On-premises) 6.0.2   Fixed issues for

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.2

Acrobat logo Download manual
Acrobat logo Download this page







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters