The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises).
For documentation on the most recent version, go to the latest release.
Known issues for
Release 6.0.2
| Date filed | Issue number | Description |
|---|---|---|
| 2024-03-04 | PSAAS-16565 | Upgrade failed at step GitRepos -- Failed to bootstrap playbook repos |
| 2024-02-22 | PSAAS-16477 | Podman does not currently work with redirected image URLs due to Docker Hub authentication token changes Workaround: Manually change the image: line in docker-compose.yaml to point to docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>. |
| 2024-02-15 | PSAAS-16431, PSAAS-16962, PSAAS-16963 | Automation Broker: Actions intermittently hang for Automation Broker when there are connection issues Workaround:
This problem is usually intermittent. Once connection issues have been resolved, retrying the action should succeed. |
| 2024-01-22 | PSAAS-16112 | Playbook Converter: Case sensitivity and variable differences are not handled properly |
| 2023-09-20 | PSAAS-14855 | The migration tool for privileged to unprivileged SOAR does not retain known_hosts file. Workaround: If any git repos are failing to sync after an privileged to unprivileged migration, follow the steps in Set up a playbook repository using SSH from Configure a source control repository for your Splunk SOAR (On-premises) playbooks in Administer Splunk SOAR (On-premises). These steps will add the git server to the known_hosts file of the phantom user in SOAR. |
| 2023-09-14 | PSAAS-14784 | SOAR gives a "502 bad gateway" error for all SAML logins if a metadata endpoint fails to respond. |
| 2023-08-29 | PSAAS-14627 | VPE: Code from one utility block might be copied into another utility block in the same playbook Workaround: In the Python Playbook Editor of the VPE, manually edit the affected blocks to remove duplicate codes.
|
| 2023-07-24 | PSAAS-14158 | In a SOAR cluster, playbook blocks using the playbook API that are downstream from a block using the HTTP connector may fail with status 401. Workaround: Due to a change in how SOAR user sessions are handled, if the HTTP connector authenticates using different credentials than the playbooks' automation user, the playbook runs' session token is logged out, resulting in further API requests getting a status of 401. This affects active playbooks triggered by ingestion. There are four possible workarounds.
|
| 2023-07-07 | PSAAS-13995 | An artifact CEF field not editable when created using REST API call if value is 0 Workaround: None |
| 2023-06-30 | PSAAS-13970 | phenv crashes because it cannot connect to the database when invoked while pgbouncer is not running Workaround: Start Splunk SOAR On Premises by running PHANTOM_HOME/bin/start_phantom.sh before running any commands with phenv |
| 2023-06-26 | PSAAS-13898 | Splunk SOAR's cron jobs generate output, which fills up mail boxes over time Workaround: Empty the Splunk SOAR user's mailbox. For example, if the Splunk SOAR user is phantom, you can empty the mailbox by runningrm /var/mail/phantom
For each of the cron jobs installed during soar installation, edit the soar user's crontab (with "crontab -e") and append the following to the end of each command line: {{> /dev/null 2>&1}} |
| 2023-06-22 | PSAAS-13858 | spawn.log could stop working if telemetry is off for new install or upgrade from 5.5.0 Workaround:
|
| 2023-06-16 | PSAAS-13794 | VPE: utility block could contain hidden actions |
| 2023-06-14 | PSAAS-13760 | Automation Broker for SOAR version 6.0.2: use AB version 6.0.1 or 6.0.0; no new AB release for 6.0.2 Workaround: This ticket is informational - there is no issue. When using SOAR version 6.0.2, use the Automation Broker versions tagged 6.0.1.123902 or 6.0.0.114895 |
| 2023-06-12 | PSAAS-13720 | Playbooks become unresponsive when using an input playbook with "" in the name Workaround: Give the Playbook Action Block in the Automation Playbook a Custom Name that does not contain "[]" chars before having a filter reference the output of the Playbook Action Block. |
| 2023-06-12 | PSAAS-13722 | Issue with Utility setting for playbook is not being refresh Workaround: Need to click on the background page and click back to the set status utility to show the correct setting |
| 2023-06-05 | PSAAS-13766 | Microsoft AD LDAP app fails with "No module named 'adldap_consts'" error message Workaround:
|
| 2023-05-31 | PSAAS-13589 | Installation error (FileNotFoundError: (Errno 2) No such file or directory: 'openssl') Workaround: Install the openssl package. sudo yum update sudo yum install openssl |
| 2023-05-30 | PSAAS-13579 | Password reset email does not prominently display the reset page URL. Need to update URL manually. Workaround: To reset your password, follow these steps:
|
| 2023-05-25 | PSAAS-13546 | App Viewer attempts to load but crashes on lower permission user Workaround: Login as user with an increased level of permissions. |
| 2023-05-23 | PSAAS-13512 | Settings up shared services with make_server_node.py will fail if using a ssh keyfile instead of a user and a password for authentication. |
| 2023-05-16 | PSAAS-13425 | Log level changes don't get applied to uwsgi mules without a uwsgi restart Workaround: To change the uwsgi log level, restart uwsgi by running the following command:
|
| 2023-05-11 | PSAAS-13398 | After upgrading from 6.0.0 to 6.0.1/6.0.2, configuring a new asset fails with the error message, "Cannot complete installing <app name>. Return to the Apps page and try installing again." Workaround: Run the following commands as the phantom user, then create the new asset: mkdir -p /tmp/ph-apps tar xvf <SOAR release file untarred directory>/splunk-soar/soar_component_apps.tar -C /tmp/ph-apps phenv install_apps /tmp/ph-apps/dependencies/apps/*.tgz |
| 2023-04-28 | PSAAS-13290 | Toggling delay timer in one block causes all other action blocks to toggle delay timer. Workaround: Avoid toggling delay timer for blocks that do not want delays. Instead, reduce the delay to 0 minutes. |
| 2023-04-28 | PSAAS-13285 | Asset mapper fails to remap all blocks |
| 2023-04-26 | PSAAS-13255 | Deleting a container with 1000+ artifacts causes UWSGI to run out of memory. Workaround: For Waterspout we have swapped the deletion mechanism of containers in the UI from a django deletion to a raw deletion. This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added.
In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the Template:Delete db containers management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission. |
| 2023-04-24 | PSAAS-13176 | Conditional installer tasks can fail to execute when retrying a failed upgrade |
| 2023-04-20 | PSAAS-13156, PSAAS-12705 | VPE: Condition blocks treat "False" and "True" as strings, not Boolean values Workaround: N/A |
| 2023-04-20 | PSAAS-13154 | VPE: When opening playbooks, 'Invalid Resource' appears incorrectly on some blocks Workaround: This incorrect warning is caused by an issue with the Smart Block Context, conveying information from early playbook blocks to later blocks. Reconfigure the affected block to remove the warning.
|
| 2023-04-14 | PSAAS-13089, PSAAS-14740 | Unable to see console output in light mode from app editor view |
| 2023-04-13 | PSAAS-13069 | Py2_deprecation check fails loudly if you run the unpriv installer as root |
| 2023-04-07 | PSAAS-12993 | Upgrade fails due to communication failure with grpc.prod1-cloudgateway.spl.mobi Workaround: use flag --ignore-warnings |
| 2023-04-06 | PSAAS-12976 | VPE: Manually selecting an asset deletes block configuration Workaround: Create a new block and copy the datapaths from the python editor view. |
| 2023-04-05 | PSAAS-12968 | License is removed from SOAR if too many seats are used Workaround: Delete the old admin ID. This will reduce seats used by 1 and allow the license to be installed. It also allows for restarting/running SOAR without the license being removed. |
| 2023-03-22 | PSAAS-12782 | VPE: phantom.collect2 fails if using a filter block that contains an action name Workaround: Rename the filter block to not include the preceding action name or rename the action block to something different than the filter. |
| 2023-03-01 | PSAAS-12397 | App editor fails to load assets in edit mode for draft apps Workaround: Workaround 1: Publish the app so it is not longer a DRAFT, do the tests with the existing assets and then edit again to carry on with development. That generates a new version of the app for every test/publish action made
Workaround 2: create a new asset while testing in DRAFT mode. That works as well but then when the app is published, that asset becomes an orphaned asset that can no longer be used unless reassigned. There is a new orphan asset for every time the app is published |
| 2023-02-28 | PSAAS-12376 | Duplicate entries for SOAR related variables in the environment can cause Restore environment check to fail in Backup and Restore procedure Workaround: Use the --ignore-env-check option when doing a restore after verifying that the environment check fails due to duplicates and not because of some value being actually different (aka source system having PHANTOM_FIPS_MODE=0 and target system having PHANTOM_FIPS_MODE=1) |
| 2023-02-16 | PSAAS-12331 | VPE: Naming blocks the same for utility block causes the blocks to sync |
| 2023-02-15 | PSAAS-12299 | Apps Update does not display available new versions of unconfigured bundled apps Workaround: Applies to apps included with Splunk SOAR that are unconfigured (listed under the Unconfigured Apps tab). This does not apply to apps you manually installed by clicking Install App.
|
| 2023-02-06 | PSAAS-12198 | App action links within app documentation do not work Workaround: Scroll down the page to view the documents or find by using CTRL-F search function. |
| 2023-02-02 | PSAAS-12158 | User filtering is using first/last name to filter events instead of just username Workaround: None |
| 2022-11-28 | PSAAS-11237 | Details for playbook runs don't update in window from the Investigation page Workaround: Click the "x" and then click on the desired playbook run in the queue |
| 2022-11-18 | PSAAS-11190 | VPE: Block Names with Container - A block name with "container" cannot share its results in other blocks in the Visual Editor Workaround: Do not use the word 'container' in playbook block names. |
| 2022-07-07 | PSAAS-9417, PSAAS-9599 | Data/Graphs missing on Executive Report after 5.3.2 upgrade |
| 2022-06-13 | PSAAS-9149 | Issues with environment variables when "Secret" is checked Workaround: Not available workaround |
| 2022-04-08 | PSAAS-8541 | Unreadable characters sporadically appear in UI Workaround: Refresh the browser to reload the page. |
Last modified on 30 October, 2024
| Welcome to Splunk SOAR (On-premises) 6.0.2 | Fixed issues for |
This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.2
Download manual
Feedback submitted, thanks!