docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.

1. Check if the action completed successfully.
2. Cancel the hanging action.
3. If the action did not complete successfully, re-run the action.

This problem is usually intermittent. Once connection issues have been resolved, retrying the action should succeed.

https://example-soar.com/rest/resource?page=X&sort=id

If using the phantom.get_tasks() or phantom.get_notes() playbook APIs, you can use phantom.requests instead to query the REST API directly:

# Instead of phantom.get_tasks(), use
url = phantom.build_phantom_rest_url('workbook_task')



# Or, instead of phantom.get_notes(), use
url = phantom.build_phantom_rest_url('note')

params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
tasks = response.json()['data']

When using Update From Source Control, always select Force Update.

If you have already encountered this issue:

You have playbooks you didn't create, with names very similar to the custom function name, like custom_functions/<my_custom_function>.

Do not delete these extra playbooks, because that will also delete the custom function. Delete the Source Control repository and recreate it to remove the extra playbooks.

Any updates you make in this section will not affect your input playbooks.

Users who need to remove containers from their SOAR deployments can use the data retention and management tools described in the topic Use data retention strategies to schedule and manage your database cleanup in Administer Splunk SOAR (Cloud).

• https://docs.splunk.com/Documentation/SOARonprem/latest/Admin/DataRetention

To fix this issue, perform either of these actions:

• In the asset settings, select Verify server certificate.
• Pair the Automation Broker without TLS certificate check by using the -e PHANTOM_HTTPS_STRICT_TLS_AUTODETECT=0 -e PHANTOM_HTTPS_STRICT_TLS=0  option.

1. Click your account name on the top right, then select Account Settings.
2. Select the Light Theme, then select Save Changes.

• Zoom app, version 2.1.0
• MS Graph for Office365, version 2.8.0
• EWS for Office 365, version 2.15.0

For each of the cron jobs installed during soar installation, edit the soar user's crontab (with "crontab -e") and append the following to the end of each command line: {{> /dev/null 2>&1}}

This disables the 'playbook loading' screen.

Reverted to the last playbook revision: Select settings then revision history.

Now reapply your reversed changes to the playbook.

For EWS for Office365 version 2.14.0 or lower, use Azure authentication mechanism instead of Azure Interactive authentication.

1. Clear the local cache on the Automation Broker for the given app. This example shows steps to clear the local cache on Automation Broker for a sample maxmind app:

   splunk_user@518d6331a46d:/splunk_data/apps$ cd maxmind_c566e153-3118-4033-abda-14dd9748c91a/
   splunk_user@518d6331a46d:/splunk_data/apps/maxmind_c566e153-3118-4033-abda-14dd9748c91a$ ls -l total 4 drwxr-xr-x 6 splunk_user splunk_user 4096 Jun 7 15:43 2.2.5 splunk_user@518d6331a46d:/splunk_data/apps/maxmind_c566e153-3118-4033-abda-14dd9748c91a$ rm -rf 2.2.5 
   
                                               

2. After you clear the cache, run a test connection or any action to re-download the app to the Automation Broker from SOAR.

This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added.

In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the delete_db_containers management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission.

Workaround 2: create a new asset while testing in DRAFT mode. That works as well but then when the app is published, that asset becomes an orphaned asset that can no longer be used unless reassigned. There is a new orphan asset for every time the app is published

/opt/phantom/var/log/phantom/*.log {
  copytruncate
  rotate 10
  size 50M
  start 1
  create 0660
}

1. Configure an asset for that app.
2. Return to the Apps list.
3. Click App Updates to see any available updates for that configured app.

1. Use debug custom function to find soar_container_id
2. Go to SOAR Container and delete the artifact.

1. Edit the custom function again. Click Generate. Two function headers display.
2. Manually delete the old function header, located between the ## Custom Code Goes Below This Line ## comment lines. You cannot delete the new function header, because it is locked.

   The custom function will use the newly generated function header and function properly.

To work around this issue:

1. Publish the app.
2. Run the published version of the app.
3. Clone the published app so we can use the editor again.
4. Manually change the cloned settings added to the json config.
5. Delete the published app and its related asset.
6. (Optional) create a new asset instead of deleting the previous one.
7. Make the required code modifications.
8. Repeat the process to debug again.

docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.

1. Check if the action completed successfully.
2. Cancel the hanging action.
3. If the action did not complete successfully, re-run the action.

This problem is usually intermittent. Once connection issues have been resolved, retrying the action should succeed.

This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added.

In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the delete_db_containers management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission.

To avoid this issue, use a different browser.

To work around this issue:

1. Publish the app.
2. Run the published version of the app.
3. Clone the published app so we can use the editor again.
4. Manually change the cloned settings added to the json config.
5. Delete the published app and its related asset.
6. (Optional) create a new asset instead of deleting the previous one.
7. Make the required code modifications.
8. Repeat the process to debug again.

The following error message displays, but you can save and run the playbook.

approver must be a `object` type, but the final value was: `null` (cast from the value `"Administrator"`). If "null" is intended as an empty value be sure to mark the schema as `.nullable()`

1. Click outside the block configuration.
2. Then click back into the block configuration.

docker exec -ti <container_id> python3 /splunk/broker/bin/update_creds.py --new-creds "<copied_creds>"

docker <container_id> restart

1. From the Apps page, click App Updates.
2. Upgrade the app to the appropriate version:
   • Threat Grid: upgrade to version 2.3.1 or higher
   • urlscan.io: upgrade to version 2.3.0 or higher

docker.io/phantomsaas/automation_broker:<$SOAR_VERSION>.

This helps us avoid OOMing in Django while preserving audit capability when performing a deletion thanks to a new pg trigger that was added.

In SOAR versions pre 6.3.0, customers running into an OOM when deleting a container with 1000+ artifacts should delete the container via a raw delete using the delete_db_containers management command. If this is a cloud customer, then SOAR on-call will need to delete the container for them with their permission.

To work around this issue:

1. Publish the app.
2. Run the published version of the app.
3. Clone the published app so we can use the editor again.
4. Manually change the cloned settings added to the json config.
5. Delete the published app and its related asset.
6. (Optional) create a new asset instead of deleting the previous one.
7. Make the required code modifications.
8. Repeat the process to debug again.

1. To identify those custom apps, run the following script

   
   
   phenv phantom_shell
   apps = App.objects.filter(disabled=False)
   for app in apps:
     if not app.known_versions:
       print(app)
   
   print('done looking up custom apps')
   
   

2. Use the AppUpdate wizard to update known app. See Splunk SOAR Connector for a list of apps that you can upgrade with the wizard.
3. Reinstall those custom apps

Repeat these steps each time you want to upgrade certified apps.

1. Within the Visual Playbook Editor (VPE), populate a field in the utility block configuration panel.
2. When complete, close the configuration panel.
3. Re-open the configuration panel to populate another field.
4. Repeat until you have completed all necessary fields.

1. From the Apps page, click App Updates.
2. Upgrade the app to the appropriate version:
   • Threat Grid: upgrade to version 2.3.1 or higher
   • urlscan.io: upgrade to version 2.3.0 or higher

https://example-soar.com/rest/resource?page=X&sort=id

If using the phantom.get_tasks() or phantom.get_notes() playbook APIs, you can use phantom.requests instead to query the REST API directly:

# Instead of phantom.get_tasks(), use
url = phantom.build_phantom_rest_url('workbook_task')



# Or, instead of phantom.get_notes(), use
url = phantom.build_phantom_rest_url('note')

params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
tasks = response.json()['data']

1. Within the Visual Playbook Editor (VPE), populate a field in the action block configuration panel.
2. When complete, close the configuration panel.
3. Re-open the configuration panel to populate another field.
4. Repeat until you have completed all necessary fields.

1. To identify those custom apps, run the following script

   
   
   phenv phantom_shell
   apps = App.objects.filter(disabled=False)
   for app in apps:
     if not app.known_versions:
       print(app)
   
   print('done looking up custom apps')
   
   

2. Use the AppUpdate wizard to update known app. See Splunk SOAR Connector for a list of apps that you can upgrade with the wizard.
3. Reinstall those custom apps

Repeat these steps each time you want to upgrade certified apps.

1. Within the Visual Playbook Editor (VPE), populate a field in the utility block configuration panel.
2. When complete, close the configuration panel.
3. Re-open the configuration panel to populate another field.
4. Repeat until you have completed all necessary fields.

You can examine the JSON output of a REST request to determine the actual status of the asset's setting.

1. Log in to your Splunk SOAR deployment.
2. In a new browser tab, use this REST request.

   https://<Splunk SOAR deployment>/rest/asset?pretty=true&_special_app_info=true&page_size=0&_filter_id=<asset id>
   

   <Splunk SOAR deployment> and <asset id> with the URL for your SOAR deployment and the asset id of the asset whose status you want to verify.
3. Look for the "configuration" object and check the value of "polling".

   {...
   "configuration": {"ingest": {"interval_mins": "30", "container_label": "events", "polling": false}
   }
   

1. From the Apps page, click App Updates.
2. Upgrade the app to the appropriate version:
   • Threat Grid: upgrade to version 2.3.1 or higher
   • urlscan.io: upgrade to version 2.3.0 or higher

https://example-soar.com/rest/resource?page=X&sort=id

If using the phantom.get_tasks() or phantom.get_notes() playbook APIs, you can use phantom.requests instead to query the REST API directly:

# Instead of phantom.get_tasks(), use
url = phantom.build_phantom_rest_url('workbook_task')



# Or, instead of phantom.get_notes(), use
url = phantom.build_phantom_rest_url('note')

params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
tasks = response.json()['data']

1. Within the Visual Playbook Editor (VPE), populate a field in the action block configuration panel.
2. When complete, close the configuration panel.
3. Re-open the configuration panel to populate another field.
4. Repeat until you have completed all necessary fields.

1. To identify those custom apps, run the following script

   
   
   phenv phantom_shell
   apps = App.objects.filter(disabled=False)
   for app in apps:
     if not app.known_versions:
       print(app)
   
   print('done looking up custom apps')
   
   

2. Use the AppUpdate wizard to update known app. See Splunk SOAR Connector for a list of apps that you can upgrade with the wizard.
3. Reinstall those custom apps

Repeat these steps each time you want to upgrade certified apps.

1. Within the Visual Playbook Editor (VPE), populate a field in the utility block configuration panel.
2. When complete, close the configuration panel.
3. Re-open the configuration panel to populate another field.
4. Repeat until you have completed all necessary fields.

You can examine the JSON output of a REST request to determine the actual status of the asset's setting.

1. Log in to your Splunk SOAR deployment.
2. In a new browser tab, use this REST request.

   https://<Splunk SOAR deployment>/rest/asset?pretty=true&_special_app_info=true&page_size=0&_filter_id=<asset id>
   

   <Splunk SOAR deployment> and <asset id> with the URL for your SOAR deployment and the asset id of the asset whose status you want to verify.
3. Look for the "configuration" object and check the value of "polling".

   {...
   "configuration": {"ingest": {"interval_mins": "30", "container_label": "events", "polling": false}
   }
   

Note that this is probably unsupported by us.

1. From the Apps page, click App Updates.
2. Upgrade the app to the appropriate version:
   • Threat Grid: upgrade to version 2.3.1 or higher
   • urlscan.io: upgrade to version 2.3.0 or higher

• Cloud: Update and read custom field values

• On-premises: Update and read custom field values

1. Quit the pending run of soar-prepare-system using ctrl+c
2. Run soar-prepare-system again, this time with either the --no-spinners flag to disable the spinners, or the --no-prompt flag to skip the prompts

1. Edit install/install_steps/git_repos.py. Change lines 37 and 46. Wrap {git_repo} in escaped quotes.

   
   
   37     cmd=f"config --global --unset safe.directory \"{git_repo}\"",
   
   46     cmd=f"config --global --add safe.directory \"{git_repo}\"",
   
   

   Other versions may have similar code that needs to be wrapped in escaped quotes.

2. Verify .soar-continue contains {"continue_from": "GitRepos", "cluster_phase": "NONE"}
3. Re-run the soar-install command.

Workaround: If the ingestd daemon is still running on the instance but ingestion has stopped, contact Support. The ingestd daemon will be restarted on the instance.

Workaround: Perform one of these two operations (up to customer discretion):

1. Look into the {{<PHANTOM_HOME>/usr/local/customer_requirements.txt}} file and acquire all the packages therein; it's likely they were installed for a reason by the customer, so this is probably the most correct action. The commands for acquiring the package may vary depending on the customer's environment; however, it should generally be a pip install: {noformat}phenv python3 -m pip install -r customer_requirements.txt{noformat}
2. OR, you can delete the entire {{<PHANTOM_HOME>/usr/local/customer_requirements.txt}} file (or any package listed in it) so the system does not attempt to install anything. This action may result in customer playbooks, custom functions, or even locally-written apps to fail since they might expect pip packages to exist that are no longer installed

Regardless of whether action (a) or action (b) was taken, the customer can continue the upgrade by re-running Template:Soar-install after performing either remediation above

Workaround: If customer has command line access:

1. Verify that the repo is marked as Template:Disabled=t in the Template:Scm table (SELECT * FROM scm;)
2. Verify that associated playbooks are marked as Template:Disabled=t and Template:Disabled=f in the Template:Playbook table (SELECT * FROM playbook WHERE id=<scm_id>;)
3. Mark all associated playbooks as Template:Disabled=t (UPDATE playbook SET disabled=t WHERE scm_id=<scm_id>;)

https://example-soar.com/rest/resource?page=X&sort=id

If using the phantom.get_tasks() or phantom.get_notes() playbook APIs, you can use phantom.requests instead to query the REST API directly:

# Instead of phantom.get_tasks(), use
url = phantom.build_phantom_rest_url('workbook_task')



# Or, instead of phantom.get_notes(), use
url = phantom.build_phantom_rest_url('note')

params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
tasks = response.json()['data']

You can also use "search" to search for a specific custom function.

The behavior was intended to enforce that apps must implement an action besides "test connectivity", but it failed to account for special circumstances and that not all apps support any actions at all

Avoid creating actions with the same lowercase name. If you do create actions with the same lowercase name, you must manually change the name of one of the misnamed actions and update the code of your app to match the new function names. 

https://example-soar.com/rest/resource?page=X&sort=id

If using the phantom.get_tasks() or phantom.get_notes() playbook APIs, you can use phantom.requests instead to query the REST API directly:

# Instead of phantom.get_tasks(), use
url = phantom.build_phantom_rest_url('workbook_task')



# Or, instead of phantom.get_notes(), use
url = phantom.build_phantom_rest_url('note')

params = {'_filter_container': container['id'], 'page_size': 0, 'sort': 'id'}
response = phantom.requests.get(url, params=params)
tasks = response.json()['data']

• If you have an HTTP proxy and your asset settings have proxy variables starting with https://<proxy_ip>, replace them with http://<proxy_ip>
• If you have an HTTPS proxy and your asset settings have proxy variables starting with http://<proxy_ip>, replace them with https://<proxy_ip>