techservicesillinois / secops-splunk-null-router

null router app for Splunk SOAR

SOAR deployment issues #20

Closed ddriddle closed 1 year ago

ddriddle commented 2 years ago

Tried the following during the 8/11 afternoon ensemble:

Questions for Splunk:

Originally posted by @zdc217 in https://github.com/techservicesillinois/secops-splunk-null-router/issues/15#issuecomment-1212460463

ddriddle commented 2 years ago

Daniel Federschmidt, a Splunk developer, previously answered one of our questions on 5/25/2022 in an email thread:

Thanks for reaching out! Unfortunately, there is no direct UI / API way to "unrelease" an app. Most users prefer being able to swiftly roll back to the old app if they encounter issues. ... If you really want to "unrelease" an app, there is a workaround, although it's a little cumbersome. You can use a custom function within a playbook to delete the app bundle for the specific version on the file system. I attached a custom function that performs that so you could drop it into a playbook (which could be called: remove_soar_app_by_version)

edthedev commented 1 year ago

I'm going to document our answers and close this issue.

How do we configure playbooks to use a particular app version?

Each playbook can choose which configured 'asset' to use. We have one for test and one for production. Moving the app version in the configured app for production will move all production playbooks.

How do we delete or unpublish old app versions?

We do not. We are currently (2022 Oct) working around the concern of too many test versions being published by always publishing test code as version 0.0.0.

How do we determine the app version being used by a playbook?

In addition to reviewing the asset configuration as described above, we have also started storing the git hash and tag version (if any) in our source code so that it can be output to the log file during a playbook run.
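An added example of the practice described in the last answer, not code from the secops-splunk-null-router repository: a build-time helper that captures the git commit and tag into a small module, plus a banner function the app can write to its log at the start of a playbook run. The function and file names (`generate_version_module`, `_version.py`) are assumptions.

```python
"""Record the git commit and tag at build time so a SOAR app can log them.

Added example, not part of the secops-splunk-null-router repository.
Assumed layout: generate_version_module() runs in the build script and
writes _version.py next to the app code; the app imports it and logs
version_banner() when an action starts, so a log line identifies the
exact build even when every test build is published as version 0.0.0.
"""
import subprocess
from pathlib import Path

UNKNOWN = "unknown"


def _git(args, repo_dir):
    """Run a git command in repo_dir; return stdout, or None on any failure."""
    try:
        result = subprocess.run(
            ["git", *args], cwd=repo_dir, capture_output=True, text=True, check=True
        )
    except (OSError, subprocess.CalledProcessError):
        # git missing, directory missing, not a repo, or HEAD not tagged
        return None
    return result.stdout.strip() or None


def get_git_metadata(repo_dir="."):
    """Return the commit hash and, only if HEAD is exactly tagged, the tag name.

    Falls back to UNKNOWN / "" so a build without git still packages; the
    banner then shows plainly that provenance was not recorded.
    """
    commit = _git(["rev-parse", "HEAD"], repo_dir) or UNKNOWN
    tag = _git(["describe", "--tags", "--exact-match"], repo_dir) or ""
    return {"commit": commit, "tag": tag}


def version_banner(app_name, app_version, commit, tag=""):
    """One-line banner for the app log; app_version is the published SOAR version."""
    tag_part = f" tag={tag}" if tag else " tag=<none>"
    return f"{app_name} {app_version} commit={commit[:12]}{tag_part}"


def generate_version_module(repo_dir=".", out_path="_version.py"):
    """Write the git metadata into a tiny module the packaged app imports."""
    meta = get_git_metadata(repo_dir)
    body = f'COMMIT = "{meta["commit"]}"\nTAG = "{meta["tag"]}"\n'
    Path(out_path).write_text(body)
    return meta
```

In the app, `version_banner("null_router", app_version, _version.COMMIT, _version.TAG)` logged at the start of each action is what lets a playbook's log file be matched back to a commit.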