To find out if any known issue is fixed, refer to the Fixed Issues section in the Release Notes for the appropriate release.
Components | Title, Problem and Workaround | Found In / Exists In | Fixed Version | Tracking Number |
---|---|---|---|---|
Context Hub |
Title: Custom Feeds may enter a failed state after a restore operation during the S6 to S7 data migration.
Problem: This issue occurs because some files were not restored correctly during the data migration process for Custom Feeds, leading to the following functional loss impact on the end users:
Workaround: Perform the following steps:
|
12.5.1 |
SADOCS-2580 |
|
Endpoint |
Title: Agent installation time is less than command creation time
Problem: When initiating an upgrade via the UI, an error message stating “Agent install time is less than the command time” is displayed. This error typically occurs during agent upgrades through the UI, even though the upgrade completes successfully. The issue causes the command to be marked as expired with the agent install time being less than the command creation time.
Workaround:
|
12.5.1 |
ASOC-151558 |
|
Endpoint |
Title: Cannot run offline standalone scan on an air-gapped Linux machine
Workaround: There is no workaround. The agent must be connected to a network to communicate with the server.
|
12.5.1 |
ASOC-158518 |
|
Endpoint |
Title: Incorrect display of tags count
Problem: The tag count is not displaying correctly, even though the tags are being assigned as expected.
|
12.5.1 |
ASOC-158576 |
|
Home Page Widgets |
Title: Multiple Delete and Reset confirmation modals are displayed at the same time when the user tries to delete or reset the widgets in Edit Layout mode.
Workaround: To fix the issue, the user needs to perform one of the following actions:
|
12.5.1 |
ASOC-157893 |
|
Home Page Widgets |
Title: NetWitness Hosts/Devices widget fails to update host status due to a cache refresh issue.
|
12.5.1 |
ASOC-158458 |
|
UEBA |
Title: Incorrect display of None Feedback option in the Users > Alerts > Filters panel. |
12.5.1 |
ASOC-158455 |
|
UEBA |
Title: A high volume of Non-Standard Activity alerts generated on the Users > Alerts page after the UEBA upgrade.
Problem: After upgrading UEBA to versions 12.5 or 12.5.1, a high volume of Non-Standard Activity alerts is generated on the Users > Alerts page for the Abnormal Activity for JA4 indicator, typically within the first two days. This issue occurs because new UEBA models introduced in version 12.5 require time to learn user behavior patterns. During this initial learning phase, the system may temporarily misclassify normal activities as anomalies, leading to an increase in alerts.
Important: This learning period will be completed within two to three days, and the UEBA models will be updated. As a result, you will not see such a high number of alerts.
Note: This issue occurs only in environments with the TLS schema enabled and does not affect the UEBA functionality.
Workaround: None |
12.5 and later versions |
ASOC-158458 |
|
Endpoint |
Title: Cannot run offline standalone scan on an air-gapped Linux machine
Workaround: There is no workaround. The agent must be connected to a network to communicate with the server.
|
12.5 |
ASOC-158518 |
|
UEBA |
Title: Users have encountered a persistent issue with the presidio configserver while upgrading the NetWitness UEBA server from the older versions to 12.5.
Problem: From 12.5, UEBA no longer uses the presidio config server for communication. Instead, it uses a new service called UEBA-server. The presidio configserver service keeps restarting, and the service file references a non-existent jar file. For more information, refer to the following figure displaying the activating error log.
Note: This issue does not impact the functionality of UEBA.
To resolve the issue, perform the following steps:
|
12.5 |
12.5.1 |
ASOC-158028 |
Admin Server |
Title: Users are unable to log in to NetWitness using AD and AD SSO with Primary Group Mapping.
Problem: NetWitness login failures occur for users whose primary Active Directory (AD) group is mapped to any NetWitness external group. This issue affects both AD login and AD Single Sign-On (SSO) authentication methods. For example, if a user's primary AD group is Test123 and they are assigned the Administrator role within that group in NetWitness, login attempts fail. However, users with the same group as a secondary AD group can log in successfully.
|
12.5 |
12.5.1 |
ASOC-154386 |
Core |
Title: raidNew fails when using preferSecure=1 to configure PVs with SEDs.
Problem: When configuring raid on a Series 7 appliance with attached PowerVault and encryption Key set on the raid controller, raidNew is executed with preferSecure=1 parameter. The raidNew command execution fails with preferSecure=1.
Workaround: Use preferSecure=0 when creating raid using raidNew and complete the storage configuration. Use encryptSedVd.py script to enable encryption post storage configuration. Refer to Appendix B. Encrypt a Series 6E or Series 7 Core or Hybrid Host |
12.4.2 and 12.5 |
12.5.1 |
ASOC-157333 |
UEBA |
Title: Unable to add a large number of entities to the watchlist on the Users > Entities page due to size limit.
Workaround: None |
12.5 |
12.5.1 |
ASOC-156298 |
Home Page Widgets |
Title: Unable to view the Mitre ATT&CK Overview widget data in the Analyst UI after a fresh installation of the 12.5 version.
|
12.5 and later versions |
ASOC-157114 |
|
Home Page Widgets |
Title: An unhandled exception error occurs in the Resource Usage per Content Type widget when switching to an offline device. This error persists even after the device is reconnected or switched to another online device.
|
12.5 and later versions |
ASOC-152916 |
|
Home Page Widgets |
Title: Home page widgets display an additional day on the x-axis usage trend due to UTC time zone mismatch.
Workaround: Currently, there is no workaround. However, there is no functional impact on the widgets.
|
12.5 and later versions |
ASOC-154383 |
|
Platform
|
Title: Bubblewrap and Flatpak security update
Problem: CVE-2024-42472 is reported against the Bubblewrap version installed in NetWitness.
Workaround: None. The sandbox escape vulnerability in Flatpak is not applicable to NetWitness, as the Flatpak library is not installed in the environment. Therefore, the bubblewrap update aimed at addressing this vulnerability does not affect the system or its security. |
12.5 and earlier versions |
|
|
UEBA |
Title: Node.js Multiple Vulnerabilities for UEBA service
Problem: The version of Node.js installed on UEBA reports multiple vulnerabilities
Workaround: None. The NW Platform is not affected by the multiple security vulnerabilities related to Node.js. The vulnerable version of Node.js is installed as part of Kibana, but no vulnerable functions or activities are associated with it. |
12.5 and earlier versions |
12.5.1.0 |
|
Reporting Engine
|
Title: Reporting Engine is down after fresh Installation of the NetWitness Platform 12.5
Problem: After a fresh installation of the NetWitness Platform 12.5, the Reporting Engine service attempts to restart continuously without success. The database files for live charts, alert status, or report status may not be loaded successfully as the files may be corrupted.
Workaround: Follow the Resolution mentioned in the KB Article - Reporting Engine restarts After upgrade to RSA NetWitness Platform 11.4 - NetWitness Community - 676705
|
12.5 and earlier versions |
ASOC-157136 |
|
Endpoint |
Title: All blocked hashes are showing source as Investigate after upgrade
Problem: After an upgrade, all the blocked hashes display "Investigate" as the source. Unable to delete the import hashes using the UI. Filtering by source is also ineffective.
Workaround: If the customer is on version 12.3 or higher and has imported blocked hashes into the deployment:
Before the Upgrade:
If the Upgrade has already been completed:
|
12.5 |
12.5.1 |
ASOC-155882 |
Endpoint |
Title: Event summary for agent last seen is displayed as N/A.
Problem: The event summary is not generated for offline agents last seen in the events list view on the Investigate > Events page. It appears as N/A.
Workaround: The summary is displayed in the Endpoint Event Details screen and will be displayed in the events list view on the Investigate > Events page in the upcoming release. |
12.5 |
12.5.1 |
ASOC-154866 |
Home Page Widgets |
Title: The Default layout is not displayed automatically after the Reset
Problem: In the Manager, Admin and Analyst view, after you reset the layout in the landing page, the default layout is not automatically displayed.
Workaround: Refresh the page to view the default layout. |
12.5 |
12.5.1 |
ASOC-154993 |
Home Page Widgets |
Title: Service Unavailable Error on the Home pages
Problem: In the Home tab, while trying to view the widgets, some of them may show as service unavailable or not configured even if the service is running in the Admin -> Services page.
Workaround: Check whether the hostname for admin-server is set to the default admin-node IP while the domain name in the URL used to access the NetWitness setup is different from the admin-node IP. If so, update the hostname to the domain name. (To check, go to Admin -> HOSTS, select admin-server, and edit.) |
12.5 |
12.5.1 |
ASOC-157181
|
Warehouse Connector (WC) |
Title: Incorrect Service Version number for Warehouse Connector in 12.5
Problem: The version of the Warehouse Connector (WC) displayed on the Admin > Services page and Warehouse Connector > System page is shown as 12.4 instead of 12.5.
Workaround: Currently, there is no workaround to rectify the version display discrepancy. However, there is no functional impact, and the system will perform as before.
|
12.5 |
12.6 |
ASOC-155376 |
Log Collector |
Title: The JDBC pipeline name with the encrypted password of the DB is added under Logstash > Keystore management after a service restart.
Problem: When creating JDBC pipelines, the user ID and password are automatically added under Logstash > Keystore management after the service is restarted.
Workaround: Currently, there is no workaround. However, there is no functional impact, and the system will perform as before.
|
12.5 |
12.5.1 |
ASOC-155356 |
Respond |
Title: Default Respond Syslog and Email Template does not work accurately for Created Incidents
Problem: When configuring Syslog or email notifications for incidents, the Default Respond Syslog or Email Template sends a notification that states UPDATED instead of CREATED, even for a new incident.
Workaround: Fixed in NetWitness 12.5.X. |
12.4.2 |
12.5.X |
SACE-22219 |
Platform |
Title: Default almalinux repositories are not cleared as part of NetWitness upgrade
Problem: Upgrade to NetWitness 12.4.2.0 fails as it cannot reach the default alma repository (mirrors.almalinux.org or a mirror).
Workaround: Remove the default repos using rm -f /etc/yum.repos.d/almalinux*.repo and re-trigger the upgrade.
|
12.4.2 |
SACE-21856 ASOC-156451 |
|
Admin Server |
Title: Users on NetWitness 12.4 or later versions using Single Sign-On (SSO) and accessing Legacy UI pages encounter an error when attempting to log out.
Problem: When users log in through SSO and navigate to legacy UI pages (such as Admin or Reporting), they encounter an error when attempting to log out from these Legacy pages. This occurs when the Enable Global Logout option is disabled on the Admin > Security > Single Sign-On Settings page.
Workaround: To resolve this issue, try one of the following steps:
In case these steps do not resolve the issue, it is recommended to contact NetWitness Customer Support as there is a hotfix available for this issue.
|
12.4 and later versions |
12.5.1 |
SACE-21794 |
Centralized Content Management |
Title: Duplicate Application/Network Rules getting added to the policy following the service migration after upgrading to version 12.4.0.0 or above.
Problem: After upgrading to version 12.4.0.0 or above, if service contents are migrated, then assigned Policy may contain duplicate Application/Network rules. This may cause duplicate alerts to be generated.
Workaround: Remove duplicate rules from Policy which got updated with content migration and publish the policy.
|
12.4 and later versions |
ASOC-148918 |
|
Endpoint |
Title: Endpoint Respond Alert Workflow Error
Problem: When the alerts are generated from the Log Decoder, errors appear while attempting to analyze the process of an endpoint alert on the Respond page. This issue is detected in NetWitness Platform 12.4.0 and later versions.
Workaround: Customers should continue to use Event Stream Analytics (ESA) rules to generate alerts instead of notifications within application rules.
|
12.4.0 and later versions |
ASOC-150954 |
|
Platform |
Title: "No media devices detected" While deploying from rsa-nw-12.4.0.0.20806.iso from OVA.
Problem: Fails to detect Media (ISO) while running nwsetup-tui.
Workaround: On the host where the failure is seen, perform the following steps to update /usr/bin/bootstrap and /usr/bin/nwsetup-tui
|
12.4 |
12.4.1 |
SADOCS-2543 |
Platform |
Title: The network interface fails to start after rebooting the 12.4.0.0 host.
Problem: The host with the 12.4.0.0 version does not retain its IP after rebooting. This issue occurs because the NM_CONTROLLED parameter is set to no on the host.
Workaround: To resolve the issue, you must update the NM_CONTROLLED parameter to yes on the host where the failure occurs. You can do this by following these steps:
For example, vi /etc/sysconfig/network-scripts/ifcfg-em1
systemctl restart NetworkManager && systemctl restart network
|
12.4 |
12.4.1 |
ASOC-149880 |
Platform |
Title: STIG disabled with all the control groups failed on all the node-x on 12.4.0.0.
Problem: When STIG is disabled with all the control groups, chronyd configuration parser misinterprets the line server <%= ntp_server %> iburst # maxpoll 10, incorrectly parsing maxpoll 10 as part of the server directive, causing chronyd service start failure.
Workaround: To resolve the issue, do the following:
|
12.4 |
SADOCS-2540 |
|
Source Server |
Title: Source-server Service Crashes Following Upgrade to Version 12.4.0.0
Problem: After upgrading to version 12.4, if custom LogDevices were uploaded by customers via the CCM-UI page in a previous 12.x version, the upgrade process will search for .xml and -custom.xml files. If any of these files do not adhere to a specific format, it will result in a crash of the source-server.
Workaround: Users have to recreate the .envision file with the proper structure: |
12.4 and 12.4.1 |
SACE-21327, ASOC-151331, ASOC-151326 |
|
ESA Correlation Server |
Title: Java Exceptions for Memory usage, CPU % in the legacy page, and computation values set to 0 in the Deployment stats page.
Problem: After the Deployment is successfully deployed, some of the ESA Rules containing annotations and Windows throw Java exception errors for memory and CPU usage in the ESA rules service or show up blank in the new Deployment stats page. This does not affect the performance or functionality of ESA; however, rule performance stats collection does not work.
Workaround: None |
12.4 |
ASOC-148285 |
|
Admin Server |
Title: Logs are not being written to /var/log/messages on all the nodes after the upgrade to 12.4.0.0.
Problem: After the upgrade to 12.4.0.0, /var/log/messages is empty and logs are not written to "/var/log/messages".
Workaround: To resolve the issue, perform the following steps:
1. salt "*" cmd.run "sed -i 's@/bin/kill -HUP \`cat /var/run/syslogd.pid 2> /dev/null\` 2> /dev/null || true@/usr/bin/systemctl -s HUP kill rsyslog.service >/dev/null 2>\&1 || true@g' /var/netwitness/config-management/cookbooks/platform/rsa-audit/files/default/syslog.conf"
2. salt "*" cmd.run "chef-client -r 'recipe[rsa-audit::config]' --config /var/lib/netwitness/config-management/client.rb --json-attributes /etc/netwitness/config-management/node.json"
3. salt "*" cmd.run "systemctl restart rsyslog"
4. Check if the log message file is available at the NW Admin server and hosts: /var/log/messages
|
12.4 |
SACE-21282, ASOC-150684 |
|
Reporting Engine |
Title: Duplicate Report emails are generated after the failback from the standby NW server to the primary NW server.
Problem: When a user performs failover or failback, the Reporting Engine service in the standby NW server is still online, executing reports and producing duplicate reporting emails or reports.
Workaround: To resolve the issue, perform the following steps:
systemctl stop rsasoc_re
|
12.4 and earlier versions |
SACE-20721, ASOC-147783 |
|
Ember UI - Home Page |
Title: Home Page is blank and visible as landing page option in 12.4
Problem: Under the user preference, in default landing page, there is a new option visible: "Home Page".
Workaround: The respective user can click on the User Preference option, change the default landing page to Springboard, Investigate, etc. (except for Home Page), and then log in again.
|
12.4 |
12.5 |
ASOC-148336 |
Response Action |
Title: Same keys can be entered multiple times in the Parameter Key field in Add Parameter window ((CONFIGURE) > More > Response Actions > > Create Response Action > )
Problem: You can enter the same keys multiple times in the Parameter Key field in the Add Parameter window while creating Response Actions in ((CONFIGURE) > More > Response Actions > > Create Response Action). As a result, the duplicate keys entered in the Parameter Key field are sent to the connector after executing the Response Action.
Workaround: None.
|
12.4 |
ASOC-146230 |
|
Endpoint |
Title: Endpoint server upgrade failed during the upgrade from 12.3.1 to 12.4
Problem: During the upgrade from 12.3.1 to 12.4, the Endpoint Server upgrade failed since the relay server was enabled in the Endpoint server before configuring the IP, which gave a null value.
Workaround: The current workaround is to delete the relay configuration from mongodb.
|
12.4 |
ASOC-146805 |
|
UEBA |
Title: Unable to view data on the Users page after upgrading to version 12.4.
Workaround:
|
12.4 |
12.4.1 |
ASOC-145668 |
Investigate |
Title: [Timeline-Chart] Selecting the first/last bar from the chart doesn't show the proper event count in the timeline text
Problem: When selecting the date and time range for the first and last bar in the chart, the correct event count in the timeline text is not displayed.
Workaround: Select a minimal time range between start and end to view the correct data.
|
12.4 and later versions |
ASOC-145468 |
|
Platform |
Title: Leapp upgrade fails due to Insufficient disk requirements
Problem: In some instances, the leapp upgrade fails due to the following error.
Error Summary
Disk Requirements:
At least x MB more space needed on the / filesystem.
Workaround:
|
12.4 |
12.4.1 |
ASOC-150789 |
Platform |
Title: /decoder/devices/message=prune failing with icap interface
Problem: If you run the optional Prune command as part of the DPDK migration, you might see continuous failure messages related to some interfaces on the logs.
Workaround: It has no functional impact, and a Decoder service restart fixes the issue. Refer to the KB Article “PF_RING Capture Device KB Article” for more information.
|
12.4 |
ASOC-147188 |
|
Platform |
Title: Edge Case Scenario - Host fails to boot OS with EL8 Kernel 4.x
Problem: In some instances, during upgrade to NW Version 12.4, the host fails to boot into el8 kernel after OS Migration is complete.
Workaround: Check the /var/log/salt/minion log file for “NodeRecovery” logs and, if found, refer to the KB Article “Edge Case Scenario - Host fails to boot OS with EL8 Kernel 4.x” for more details.
|
12.4 |
ASOC-146908 |
|
Platform |
Title: SHA1 deprecated setting for SSH
Problem: The SHA1 algorithm is deprecated, but it is enabled in the sshd config on core services node-x. It will be flagged by any security scan.
Workaround:
|
12.4 |
ASOC-142946 |
|
Platform |
Title: Secure UEFI boot causes leapp alma migration to fail
Problem: In some instances, after executing the leapp upgrade command during Alma migration and rebooting the appliance, a GRUB menu appears and attempts to boot to an ‘elevate’ kickstart.
Workaround: The current workaround is to disable secure boot via BIOS settings.
|
12.4 |
ASOC-123786 |
|
UEBA |
Title: Data collected for versions 12.2 or lower are not displayed in the Adapter dashboard after upgrading the UEBA server to version 12.4 or later.
Problem: After upgrading the UEBA server to version 12.4 or later from version 12.2 or older, the data collected before the upgrade are not visible in the Adapter dashboard. This issue occurs because, in version 12.2 or lower, the application name in the filter panel of the dashboard is the adapter. However, from version 12.3 or later, the application name is changed to presidio-adapter.
Workaround: In the Adapter dashboard, perform the following steps:
|
12.4 and later versions |
ASOC-145667 |
|
SASE - CCM |
Title: The decoder is unable to process the latest configuration updates (for example, invalid bucket names) made in the Palo Alto instances.
Problem: When you edit configurations for the Palo Alto instance, such as fixing a previously invalid bucket name to the correct one, the decoder fails to identify the latest changes. This issue occurs because the decoder does not recognize the recent updates made in the configuration.
Workaround: Restart the instance after applying decoder configuration changes so that the latest configuration changes are considered. To update the Palo Alto instance properties manually using RestAPI, perform the following steps:
/decoder/hosted/paloalto/instances/paloalto
|
12.4 |
ASOC-145406 |
|
SASE |
Title: Hosted Plugin Framework - Delete command deletes the plugin type only from the UI
Problem: The hosted plugin framework supports a delete command that deletes the plugin type from the UI. However, the associated filesystems are not deleted through this command as expected and require a separate cleanup.
Workaround: The leftover filesystems from the previously deleted plugin type are located at /etc/netwitness/ng/hosted and /var/netwitness/decoder/hosted on the decoder. These need to be manually deleted to ensure the plugin type is completely uninstalled.
|
12.4 |
ASOC-142526 |
|
SASE |
Title: Hosted plugin reload deletes the plugin instance from the decoder/hosted tree.
Problem: On Hosted plugin reload, the plugin instance is getting deleted instead of reloading. On all future reloads, the user needs to add an instance and then reconfigure the plugin, which is not feasible for users.
Workaround: The current workaround is to stop the plugin instances before reloading the plugin or uploading an updated version of the plugin. After performing this step, the plugin instance will not be deleted from the Decoder config tree.
|
12.4 |
ASOC-144467 |
|
SASE |
Title: The decoder fails to remove Palo Alto Prisma Integration plugin details even after deleting the policy.
Problem: Deleting a policy with the Palo Alto Prisma Integration plugin type does not remove the plugin from the Decoder due to the current system behavior.
Workaround: To remove the Palo Alto Prisma Integration Plugin from the Decoder, perform the following steps:
systemctl stop nwdecoder
/etc/netwitness/ng/hosted
systemctl start nwdecoder
<decoder-ip>:50104
/decoder/hosted/paloalto
The plugin details are removed from the decoder.
|
12.4 |
ASOC-144688 |
|
CCM |
Title: Application rules are assigned incorrect order numbers during service content migration.
Problem: Application rules have incorrect entries, where several Application rules on service migration have been tagged with an order value of 1. This problem occurs when the service content is deployed using RPM. By default, application rules of this type are assigned an order value of 1, leading to incorrect entries.
Workaround: If the user redeploys the same content from NetWitness Live or redeploys any one of the contents, the correct order is placed.
|
12.4 and later versions |
ASOC-146940 |
|
CCM |
Title: Policy updated with re-migration might fail to publish due to duplicate application rule.
Problem: If a user migrates and creates a policy in version 12.3 or 12.3.1 and, after upgrading to 12.4, re-migrates the same service and updates the pre-existing policy, the policy may end up with a duplicate application rule, which can lead to a policy publication failure.
Workaround: If there are duplicate application rules, they get pushed to the bottom of the application rule list on the Policy Details page. Remove these duplicate application rules manually to proceed with the publication. Follow these steps to remove the duplicate application rules:
|
12.4 |
ASOC-145770 |
|
CCM |
Title: While importing a Custom Log Device, there is no control on content update if CL has multiple flavors of same content.
Problem: When the user tries to import a Custom Log Device with the Overwrite option selected and CL already has multiple flavors of the same Custom Log Device, it is hard to predict which flavor of content will get overwritten. This import can lead to loss of customization made to the Custom Log Device.
Workaround: Follow these steps to update specific flavor content.
|
12.4 |
ASOC-143403 |
|
Respond |
Title: Service Unavailable Error When Trying to Create Incident Reports from Respond
Problem: In the Respond tab, while trying to create/schedule an incident report, the below error message is displayed:
The Reporting Engine service may be offline or inaccessible. Try starting the service.
This occurs when you have a domain name configured to access NetWitness and not via its IP.
Workaround: If a domain name is used instead of the node-zero’s IP, update the domain-name in “hostname” of the node-zero host. To update, go to Admin -> HOSTS -> select admin-server and edit, change to the domain name and save. Log out and log back in. |
12.3.1 |
12.5.1 |
ASOC-157181
|
Reporting Engine |
Title: Report generation fails on the Investigate > Events page due to mismatched service names.
Problem: If a user changes the name of a service on the Services page (for example, "Log Decoder" to "Log Decoder_new") but does not update the corresponding data source name used on the Services > Reporting Engine > > View > Config > Sources page, they will encounter issues when creating or scheduling reports from the Investigate > Events page. This is because the data source name used in the report configuration no longer matches the actual name of the data source. As a result, the reports cannot be generated, and an error message will be displayed indicating that the data source is not configured.
Workaround: To prevent this issue, ensure that the service name used as a data source in the Reporting Engine always matches the service name displayed on the Services page.
Note: Before re-adding the renamed data source in Reporting Engine, ensure to delete the current data source by navigating to (Admin) > Services > Reporting Engine > > View > Config > Sources.
Follow these steps to re-add the renamed data source in the Reporting Engine:
The Services Config View of the Reporting Engine is displayed.
The Available Services dialog is displayed.
The service authentication dialog box is displayed. Note: The services with the Trust Model enabled must be added individually. You are prompted to provide a username and password for the selected service.
|
12.3.1, 12.4, 12.4.1 |
ASOC-129464 |
|
CCM, ESA, Source-server |
Title: The feed does not have an associated ID in the configured parameters of the policy.
Problem: The ESA rules could not be saved when editing or updating an ESA rule. Furthermore, a run time exception was shown in the UI and SA logs while saving the rule. Further troubleshooting found that the feed “RSA OSINT Non-IP Threat Intel Feed” did not have a unique ID associated with the policy and showed in multiple documents in the content policy collections.
Workaround: N/A |
12.3, 12.3.1 |
ASOC-141524 |
|
CCM |
Title: Log Devices are not getting disabled when content deletion is performed from CCM.
Problem: The Log Device contents published from CCM are not getting disabled when contents are deleted for a service. This is observed when a different policy is again published on the same service.
Workaround: Navigate to the Log Decoder Service Config view and disable Log Device contents that are not required. |
12.3.1 |
ASOC-142018 |
|
Health-Wellness, Metric Server, Security |
Title: RabbitMQ Warning Messages in All the Nodes
Problem: All the nodes encounter an error [warn] <0.16195.0> HTTP access denied: user 'guest' - invalid credentials every 5 minutes in the RabbitMQ logs. The NetWitness application services use the default guest account with the guest password or listening to the guest user in RabbitMQ.
Workaround: There is no impact on the system due to the error message. You can ignore the message. |
12.3.1 |
ASOC-141840 |
|
Admin server |
Title: Users cannot deploy or modify custom feeds when one or more decoders in the deployment group are offline.
Problem: When you are using the Groups option to deploy custom feeds, you may encounter an error message stating, "Failed to Retrieve Meta keys." This error occurs when one or more decoders in the group are offline, preventing the feeds from being deployed to that specific group. This issue occurs while creating new feeds or modifying an existing custom feed.
|
11.7.x and 12.x |
SACE-20424 |
|
UEBA |
Title: Increased JA3 entities due to JA3 randomization caused DAGs delay on the UEBA server.
|
11.7.x, 12.0, 12.1, 12.2, 12.3 |
12.3.1 |
ASOC-138953 |
Correlation-Server |
Title: InMemoryTable Adhoc Enrichment windows are not getting uploaded with data.
Problem: When the user adds the Adhoc In-Memory table enrichment under CONFIGURE > ESA > Enrichment Sources, the CSV file gets uploaded via UI, but upon using the enrichment in an ESA Rule and deployment, the contents are not read to the named window, and thus are not accessible for the rule to enrich the rule/alerts. There might be an impact of alerts not getting enriched, or the rule condition (if in-memory table enrichment reference is added to the rule) might not work as expected.
Workaround: Re-import the CSV file post-enrichment creation and deploy the rules again. Basically, the CSV file must be imported twice upon enrichment creation/update for the content to be reflected in the named window. Users can confirm if the data is uploaded to the named window under the “Named Windows” section of CONFIGURE > ESA Rules > Settings Page.
|
12.1.x, 12.2, and 12.3 |
ASOC-138145 |
|
Central Content Management |
Title: Content Migration Failing for Logdevice Contents
Problem: When service contents are migrated from services to Centralized Content Management, if the syntax of one of the custom log devices is invalid, it fails to migrate.
Workaround:
a) Navigate to CONFIGURE > POLICIES > CONTENT > Content Library > Log Device.
b) Click on the "Import" button and select the Logdevice that fails to migrate.
|
12.3, 12.3.1 |
ASOC-138255 |
|
UEBA |
Title: Red banner errors are displayed on the Users page after the UEBA host upgrade
Problem: When you upgrade the UEBA host, you may encounter an issue where red banner errors are displayed on the Users page. A communication delay between the UEBA server and the Presidio UI service usually causes this issue.
Workaround: To resolve this issue, perform the following steps.
|
12.2, 12.3 |
12.3.1 |
ASOC-134234 |
UEBA |
Title: Airflow shows a warning message that the scheduler task is not running
Problem: Airflow UI warning message “The scheduler does not appear to be running. Last heartbeat was received xx seconds ago. The DAGs list may not update, and new tasks will not be scheduled”. This issue could occur due to a delayed response from the UEBA server.
Workaround: To resolve the issue, try refreshing the page a couple of times. If the issue persists, connect to the UEBA server to check the airflow scheduler services.
|
12.3 |
12.3.1 |
ASOC-133835 |
Reporting Engine |
Title: Generic error message is displayed for duplicate report names in Investigate > Events Page
Problem: When you create or schedule a report from the Investigate > Events page using a report name that already exists, an error message is displayed. However, the error message is generic and provides limited information. The error message states, “Error generating report. Please check respond-server.log/investigate-server.log and sa.log”.
|
12.3 |
12.3.1 |
ASOC-134996 |
Reporting Engine |
Title: Generic error message is displayed when you create or schedule reports on the Investigate > Events page when the data source is not configured in Reporting Engine.
|
12.3 |
12.3.1 |
ASOC-134996 |
Reporting Engine |
Title: Use of future dates in the Custom date range option for Adhoc reports will result in incorrect date ranges in the output report.
|
12.3 |
12.3.1 |
ASOC-135074 |
Investigate |
Title: Use of Enter as a shortcut key to select a query suggestion in Advanced Query mode.
Problem: When you construct a query in Advanced Query Bar mode in the Investigate > Events view, pressing the Enter key selects and executes the query instead of only selecting a suggestion from the query suggestions list. This behavior is not in line with Guided Query Mode, where pressing the Enter key selects a suggestion from the query suggestions list but does not execute the query.
Workaround: Use the Tab key to select a suggestion from the query suggestions list while you are in the Advanced Query Bar mode. |
12.3 |
12.3.1 |
134482 |
Investigate |
Title: Unable to load a saved query to the query bar in Advanced Query Bar mode.
Problem: When you select a saved query while you are in Advanced Query Bar mode in the Investigate > Events view, the selected saved query is not loaded into the query bar and is not applied to the executed query either.
Workaround: NetWitness recommends you use Guided Mode if you want to execute a saved query in Investigate > Events view. |
12.3 |
12.3.1 |
ASOC-133508 |
Investigate |
Title: Unable to execute a query when a service is updated to Decoder/Log decoder in Advanced Query Bar mode.
Problem: When you update a service to decoder/log decoder while you are in Advanced Query Bar mode in the Investigate > Events view, the search button is enabled, but clicking it does not execute the query or show an error. This happens because of unindexed keys in the query for the selected service, which is the expected behavior with any unindexed keys. In Guided Mode, an error is displayed as soon as the service is updated using the service selection drop-down.
Workaround: You need to remove the unindexed keys from the query before executing it. |
12.3 |
12.3.1 |
ASOC-134481 |
CCM |
Title: Publish and Restart pop-up does not appear while publishing policy from Policy listing page.
Problem: When any configuration that requires a service restart is updated in a Policy and the Policy is published from the Policy listing page, the pop-up for the “Publish and Restart Now” option does not appear. The Policy is automatically published with the “Publish and Restart Later” option, and the services need to be restarted later.
Workaround:
a. Restart service(s) from the Groups page:
1. Go to the Groups listing page.
2. Select the Group in which service(s) require restart.
or
b. Publish and restart from the Edit Policy view.
|
12.3 |
ASOC-134862 |
|
Investigate |
Title: The most recent query is not populated while creating a new saved query in Advanced Query mode.
Problem: Usually, the most recently executed query is auto-populated in the Pre-Query Conditions field when you try to save a new query. But, while you are in Investigate > Events > Event Preferences > Advanced Query mode, the most recently executed query is not auto-populated in the Pre-Query Conditions field when you try to save the query (Saved Queries > New Saved Query).
Workaround: We recommend you switch to Guided Mode, run the same query, and then proceed with saving a new query. |
12.3 |
12.3.1 |
ASOC-135221 |
Log Parser Configuration |
Title: Missing list of Logparsers in Dropdown when trying to Add new Parser
Problem: The dropdown does not list existing Out of box (OOTB) Logparsers because the UI is not able to sync with the previously synced Log Decoder service to fetch those OOTB Logparsers.
Workaround:
The dropdown list will start getting populated.
|
12.3 |
ASOC-135320 |
|
CCM |
Title: Unable to Access ESA Deployments
Problem: Users will not be able to access ESA deployments configurations in the Unified deployment view or policy details due to stale or invalid entries in the source-server mongo.
Workaround: Clean up the source-server mongo of invalid entries. Refer to the KB article "NetWitness ESA Deployments are not accessible in the Policies tab". |
12.1 |
ASOC-131743 |
|
Decoder |
Title: The database stagger operation takes a long time to complete, resulting in a timeout from the UI Explore page.
Problem: If you perform the database stagger operation from the UI Explore page, the operation takes a long time to complete, depending on the data, and results in a timeout.
Workaround: To perform the database stagger operation, you must run the command using the RESTful API or NwConsole.
|
11.7.x, 12.0, 12.1, 12.2
|
ASOC-124339 |
|
UEBA |
Title: When UEBA receives a high volume of events, the root DAG becomes unresponsive as it awaits the completion of other associated DAGs.
Problem: Upon receiving a high volume of events, the root DAG of UEBA becomes unresponsive as it awaits the completion of other associated DAGs, resulting in failures in the model_ueba_flow DAGs for their respective schemas. These failures are followed by errors related to java.heap.memory, as shown below.
Workaround:
2. Click the DAG ID and then click Tree View.
3. In the Tree View, click the failed task instance and click View Log.
The log view is displayed.
4. SSH to the UEBA server.
5. Open
6. Increase the heap memory size of respective failing DAGs with their respective operator by two times. For example, if it is 2048, make it 4096.
7. In the Tree View, click the failed task instance and click Clear.
|
12.2 and later versions |
ASOC-128667 |
|
Source Server |
Title: Unable to load the Content Library.
Problem: After an upgrade to 12.1, the user will not be able to load the Content Library for the created policies. The issue is due to the source-server not being able to connect to Live CMS, even though Live is configured, and the source server not being able to resolve cms.netwitness.com. The following error is seen in the source server logs path
Workaround:
|
12.2 |
ASOC-124473 |
|
ESA Correlation Server |
Title: Enable / Disable of rules in Endpoint Risk Scoring bundle applies to all deployments.
Problem: When a rule in the Endpoint Risk Scoring Bundle is enabled or disabled from the ESA Service Stats UI, it throws an error on the UI. However, in the backend, the rule gets enabled or disabled. The disabled list of rules is saved in the keyValueRuleSettings as a generic setting without any associated engine ID. Because it doesn’t have any engine ID associated with it, the config acts like a global configuration. In all the deployments where the Endpoint Risk Scoring Bundle is deployed, the rules disabled in any one deployment get automatically disabled in all deployments.
Workaround: N/A |
11.7.x, 12.0, 12.1, 12.2 |
ASOC-127949 |
|
Endpoint Investigation |
Title: Event overview panel error or infinite loading.
Problem: The event overview panel throws an error or loads infinitely for endpoint events.
Workaround: Restart the investigating server to properly load the overview panel to display endpoint events. On re-enabling the meta forwarding, the issue will get resolved.
|
12.2 |
N/A |
ASOC-123671 |
SA Server |
Title: Floating Save button on Decoder Stats page in UI.
Problem: Whenever a user opens the Decoder Stats page, a Save button, originally under the Key Stats Settings, appears in the top left corner of the screen, covering part of the NetWitness branding. Clicking the gear icon beside the Key Stats Settings returns the Save button to its original place.
Workaround: N/A
Note: This cosmetic issue does not interfere with the service functionally.
|
12.2 |
N/A |
ASOC-114414 |