NetWitness Community

Title: Agent installation time is less than command creation time

Problem: When initiating an upgrade via the UI, an error message stating “Agent install time is less than the command time” is displayed. This error typically occurs during agent upgrades through the UI, even though the upgrade completes successfully. The issue causes the command to be marked as expired with the agent install time being less than the command creation time.

Workaround:
This issue may or may not occur. If the agent upgrade does not succeed, the user must manually upgrade the agent.

12.5.1

ASOC-151558

Title: Cannot run offline standalone scan on an air-gapped Linux machine

Problem: When attempting to run the standalone scan, an error was encountered stating “Couldn’t get scan progress message,” possibly due to a problem with the standalone scan functionality in this version.

Workaround: There is no workaround. The agent must be connected to a network to communicate with the server.

12.5.1

ASOC-158518

Title: Incorrect display of tags count

Problem: The tag count is not displaying correctly, even though the tags are being assigned as expected.

Workaround: Currently, there's no workaround. However, there is no functional impact, and the system will perform similar as before.

12.5.1

ASOC-158576

Title: Multiple Delete and Reset confirmation modals are displayed at the same time when the user tries to delete or reset the widgets in Edit Layout mode.

Problem: In Edit Layout mode, the following issues occur:

• When a user attempts to delete a widget and then cancels the action, trying to delete another widget causes two confirmation modals to appear.

• Similarly, if the user tries to reset the layout, both the reset and delete confirmation modals appear at the same time.
  This issue occurs because the cancel state is not cleared in the UI.
  
  

Workaround: To fix the issue, the user needs to perform one of the following actions:

• While in Edit Layout mode on the Home page, click the Cancel button.

• Refresh the Home page.

12.5.1

ASOC-157893

Title: NetWitness Hosts/Devices widget fails to update host status due to a cache refresh issue.

Problem: When a new host is added or an existing host goes offline, the NetWitness Hosts/Devices widget does not update to reflect the new status or show the newly added host. This issue occurs because the cache does not refresh automatically.

Workaround: To resolve the issue, perform the following steps:

1. Go to  (Admin) > Services page.

    

2. In the Services list, select the Admin Server service.

3. Click  > Restart.

4. A dialog requests confirmation. To restart the service, click Yes.

12.5.1

ASOC-158458

Title: Incorrect display of None Feedback option in the Users > Alerts > Filters panel.

Problem: The Feedback option for None is incorrectly displayed in the Filters panel on the Users > Alerts page. Currently, it shows as Missing Translation “investigateUsers.feedback.none” for locale “en-us”.

Note: This issue does not impact the functionality of UEBA. The filter functionality is working properly and on selecting this option, the corresponding alerts are displayed correctly.

Workaround: None

12.5.1

ASOC-158455

Title: A high volume of Non-Standard Activity alerts generated on the Users > Alerts page after the UEBA upgrade.

Problem: After upgrading UEBA to versions 12.5 or 12.5.1, a high volume of Non-Standard Activity alerts is generated on the Users > Alerts page for the Abnormal Activity for JA4 indicator, typically within the first two days. This issue occurs because new UEBA models introduced in version 12.5 require time to learn user behavior patterns. During this initial learning phase, the system may temporarily misclassify normal activities as anomalies, leading to an increase in alerts.

Important: This learning period will be completed within two to three days, and the UEBA models will be updated. As a result, you will not see such high number of alerts.

Note: This issue occurs only in environments with the TLS schema enabled and does not affect the UEBA functionality.

Workaround: None

12.5 and later versions

ASOC-158458

Title: Cannot run offline standalone scan on an air-gapped Linux machine

Problem: When attempting to run the standalone scan, an error was encountered stating “Couldn’t get scan progress message,” possibly due to a problem with the standalone scan functionality in this version.

Workaround: There is no workaround. The agent must be connected to a network to communicate with the server.

12.5

ASOC-158518 

Title: Users have encountered a persistent issue with the presidio configserver while upgrading the NetWitness UEBA server from the older versions to 12.5.

Problem: From 12.5, UEBA no longer uses the presidio config server for communication. Instead, uses a new service called UEBA-server. The presidio configserver service keeps restarting and the service file references to a non-existent jar file.

For more information, refer to the following figure displaying the activating error log.

Note: This issue does not impact the functionality of UEBA.

Workaround:

To resolve the issue, perform the following steps:

1. SSH to the UEBA server.
2. Run the following commands to stop and disable the presidio-configserver service:
   • systemctl stop presidio-configserver
   • systemctl disable presidio-configserver

12.5 

ASOC-158028

Title: Users are unable to log in to NetWitness using AD and AD SSO with Primary Group Mapping.

Problem: NetWitness login failures occur for users whose primary Active Directory (AD) group is mapped to any NetWitness external group. This issue affects both AD login and AD Single Sign-On (SSO) authentication methods. For example, if a user's primary AD group is Test123 and they are assigned the Administrator role within that group in NetWitness, login attempts fail. However, users with the same group as a secondary AD group can log in successfully.

Workaround:
As a temporary solution for this issue, users can change their primary group in Active Directory (e.g. Test123) to a secondary group, allowing users to log in using this group.

12.5

ASOC-154386

Title: raidNew fails when using preferSecure=1 to configured PVs with SEDs.

Problem: When configuring raid on a Series 7 appliance with attached PowerVault and encryption Key set on the raid controller, raidNew is executed with preferSecure=1 parameter. The raidNew command execution fails with preferSecure=1.

Workaround: Use preferSecure=0 when creating raid using raidNew and complete the storage configuration. Use encryptSedVd.py script to enable encryption post storage configuration. Refer to Appendix B. Encrypt a Series 6E or Series 7 Core or Hybrid Host
(encryptSedVd.py).

12.4.2 and 12.5

ASOC-157333

Title: Unable to add a large number of entities to the watchlist on the Users > Entities page due to size limit.

Problem: When you try to add all entities to the watchlist from the Users > Entities page using the Add All To Watchlist button, the system fails to add them if the environment contains an exceptionally high number of entities. The issue occurs due to exceeding the payload size limit when processing a very high number of entities.

Note: Adding individual users to the watchlist remains unaffected by this issue. To add a user, navigate to the Users page, select a username, and then click Watch Profile in the user's profile view.

Workaround: None

12.5

ASOC-156298

Title: Unable to view the Mitre ATT&CK Overview widget data in the Analyst UI after a fresh installation of the 12.5 version.

Problem: The Mitre ATT&CK Overview widget displays a "Widget Data Retrieve Error" upon logging into the Analyst UI. This issue occurs due to the absence of the mitre-explorer-content.js file in the Analyst node.

Workaround:
To resolve this issue, perform the following steps:
1.SSH to the Admin Server.
2. Copy this file /var/netwitness/common/repo/mitre-data/mitre-explorer-content.js from the admin node to the analyst node.
3. After the file is copied to the same location on the analyst node, all data for the Mitre ATT&CK Overview widget will load without any errors.

12.5 and later versions

ASOC-157114

Title: An unhandled exception error occurs in the Resource Usage per Content Type widget when switching to an offline device. This error persists even after the device is reconnected or switched to another online device.

Problem: The Resource Usage per Content Type widget within the Admin view of the Home page displays an unhandled exception error when an offline device is selected from the drop-down list. This issue continues to occur even after the device is back online or switched to another online device.

Workaround: Refresh the Home page to view the data for the selected device.

12.5 and later versions

ASOC-152916

Title: Home page widgets display an additional day on the x-axis usage trend due to UTC time zone mismatch.

Problem: A few of the widgets on the Home page are displaying an extra day at the beginning of the usage trend on the x-axis graph. This is because the widgets are using UTC time instead of the time zone specified in the user's preferences panel.

Workaround: Currently, there is no workaround. However, there is no functional impact on the widgets.

12.5 and later versions

ASOC-154383

Title: Bubblewrap and Flatpak security update

Problem: CVE-2024-42472 is getting reported in Bubblewrap version installed in Netwitness.

Workaround: None

The sandbox escape vulnerability in Flatpak is not applicable to NetWitness, as the Flatpak library is not installed in the environment. Therefore, the bubblewrap update aimed at addressing this vulnerability does not impact the system and will not influence the security.

12.5 and earlier versions

Title: Node.js Multiple Vulnerabilities for UEBA service

Problem: The version of Node.js installed on UEBA reports multiple vulnerabilities

Workaround: None

The NW Platform is not affected by the multiple security vulnerabilities related to Node.js. The vulnerable version of Node.js is installed as part of Kibana, but no vulnerable functions or activities are associated with it.

12.5 and earlier versions

Title: Reporting Engine is down after fresh Installation of the NetWitness Platform 12.5

Problem: After Fresh Installation of the the NetWitness Platform 12.5, the Reporting Engine service attempts to restart continuously without success. The database files for live charts, alert status, or report status may not be loaded successfully as the files may be corrupted.

Workaround:

Follow the Resolution mentioned in the KB Article - Reporting Engine restarts After upgrade to RSA NetWitness Platform 11.4 - NetWitness Community - 676705

12.5 and earlier versions

ASOC-157136

Endpoint

Title: All blocked hashes are showing source as Investigate after upgrade

Problem: After an upgrade, all the blocked hashes display "Investigate" as the source. Unable to delete the import hashes using the UI. Filtering by source is also ineffective.

Workaround:

If the customer is on version 12.3 or higher and has imported blocked hashes into the deployment:

Before the Upgrade:

• Navigate to the Blocked Hashes User Interface.

• Filter the list by selecting "Import" as the source.

• Delete all the listed entries.

• After the upgrade, re-import the same set of checksums either via CSV or individually.

If the Upgrade has already been completed:

• Connect to the context-hub collection on the ESA primary node.

• Locate the ds_entries collection related to fileStatus.

• Filter the checksums using the import comment or review them one by one.
  (eg: db.getCollection('ds_entries_65a0e7aa22f4dd07f02d3125').find({"data_lower.comment" : " blocked files via import in 12.4.1"}))

• Delete the relevant entries from the database.

• Re-import the CSV file containing the blocked hashes through the UI.

12.5

ASOC-155882

Endpoint

Title: Event summary for agent last seen is displayed as N/A.

Problem: The event summary is not generated for offline agents last seen in the events list view on the Investigate > Events page. It appears as N/A.

Workaround: The summary is displayed in the Endpoint Event Details screen and will be displayed in the events list view on the Investigate > Events page in the upcoming release.

12.5

ASOC-154866

Home Page Widgets

Title: The Default layout is not displayed automatically after the Reset

Problem: In the Manager, Admin and Analyst view, after you reset the layout in the landing page, the default layout is not automatically displayed.

Workaround: Refresh the page to view the default layout.

12.5

ASOC-154993

Home Page  Widgets 

Title: Service Unavailable Error on the Home pages

Problem: In the Home tab, while trying to view the widgets, some of them may show as service unavailable or not configured even if the service is running in the Admin -> Services page.

Workaround: Verify If the hostname for admin-server is default admin-node IP and domain-name in url used, to access the NetWitness setup, is different than admin-node IP. Then update the domain-name in hostname. (To check Admin -> HOSTS -> select admin-server and edit)

12.5

ASOC-157181

Warehouse Connector (WC)

Title: Incorrect Service Version number for Warehouse Connector in 12.5

Problem: The version of the Warehouse Connector (WC) displayed on the Admin > Services page and Warehouse Connector > System page is shown as 12.4 instead of 12.5.

Workaround: Currently, there's no workaround to rectify the version display discrepancy. However, there is no functional impact, and the system will perform similar as before.

12.5

ASOC-155376

Log Collector

Title: The JDBC pipeline name with encrypted password of the DB are added under Logstash->Keystore management post service restart.

Problem: When creating JDBC pipelines, the user ID and password are automatically added under Logstash> Keystore management after the service is restarted.

Workaround: Currently, there's no workaround. However, there is no functional impact, and the system will perform similar as before.

12.5

ASOC-155356

Platform

Title: Default almalinux repositories are not cleared as part of NetWitness upgrade

Problem: Upgrade to NetWitness 12.4.2.0 fails as it cannot reach the default alma repository (mirrors.almalinux.org or a mirror).

Workaround: Remove the default repos using rm -f /etc/yum.repos.d/almalinux*.repo and re-trigger the upgrade.

12.4.2

SACE-21856
SACE-21878

ASOC-156451

Admin Server

Title: Users on NetWitness 12.4 or later versions using Single Sign-On (SSO) and accessing Legacy UI pages encounter an error when attempting to log out.

Problem: When users log in through SSO and navigate to legacy UI pages (such as Admin or Reporting), they encounter an error when attempting to log out from these Legacy pages. This occurs when the Enable Global Logout option is disabled on the Admin > Security > Single Sign-On Settings page.

Workaround:

To resolve this issue, try one of the following steps:

1. Try turning on the Enable Global Logout option:

   • Go to Admin > Security > Single Sign-On Settings.

   • Enable the Enable Global Logout option.

   • Log out of the UI.

2. Access NetWitness Classic UI:

   • Go to the Classic UI pages (e.g., Investigate or Respond).

   • Log out of the UI.

In case these steps do not resolve the issue, it is recommended to contact NetWitness Customer Support as there is a hotfix available for this issue.

12.4 and later versions

SACE-21794

Centralized Content Management

Title: Duplicate Application/Network Rules getting added to the policy following the service migration after upgrading to version 12.4.0.0 or above.

Problem: After upgrading to version 12.4.0.0 or above, if service contents are migrated, then assigned Policy may contain duplicate Application/Network rules. This may cause duplicate alerts to be generated.

Workaround: Remove duplicate rules from Policy which got updated with content migration and publish the policy.

12.4 and later versions

ASOC-148918

Endpoint

Title: Endpoint Respond Alert Workflow Error

Problem: When the alerts are generated from the Log Decoder, errors appear while attempting to analyze the process of an endpoint alert on the Respond page.

This issue is detected in NetWitness Platform 12.4.0 and later versions.

Workaround: Customers should continue to use Event Stream Analytics (ESA) rules to generate alerts instead of notifications within application rules.

12.4.0 and later versions

ASOC-150954

Platform

Title: "No media devices detected" While deploying from rsa-nw-12.4.0.0.20806.iso from OVA.

Problem: Fails to detect Media (ISO) while running nwsetup-tui.

Workaround: On the host where failure is seen, Perform the following steps to update /usr/bin/bootstrap and usr/bin/nwsetup-tui

• vi usr/bin/bootstrap
  Update the following:

• cp -a "$mountPoint/Packages/"* "$NW_REPO_LOCAL_BASE/" to cp -a "$mountPoint/Minimal/Packages/"* "$NW_REPO_LOCAL_BASE/"

• local blockDeviceDetect=$(blkid | grep '"OEMDRV"\|"CentOS 7 x86_64"') to local blockDeviceDetect=$(blkid | grep '"OEMDRV"\|"AlmaLinux-8-9-x86_64-dvd"')

• local blockDeviceCount=$(blkid | grep -c '"OEMDRV"\|"CentOS 7 x86_64"') to local blockDeviceCount=$(blkid | grep -c '"OEMDRV"\|"AlmaLinux-8-9-x86_64-dvd"')

• elif [[ "${blockDeviceDetect}" == *"CentOS 7 x86_64"* ]]; then to elif [[ "${blockDeviceDetect}" == *"AlmaLinux-8-9-x86_64-dvd"* ]]; then

• vi /usr/bin/nwsetup-tui

• if [ "$(blkid | grep -ci '"OEMDRV"\|"CentOS')" -gt 0 ]; then to if [ "$(blkid | grep -ci '"OEMDRV"\|"Alma')" -gt 0 ]; then

12.4

SADOCS-2543

Platform

Title: The network interface fails to start after rebooting the 12.4.0.0 host.

Problem: The host with the 12.4.0.0 version does not retain its IP after rebooting. This issue occurs because the NM_CONTROLLED parameter is set to no on the host.

Workaround:

To resolve the issue, you must update the NM_CONTROLLED parameter to yes on the host where the failure occurs. You can do this by following these steps:

1. vi /etc/sysconfig/network-scripts/ifcfg-<INTERFACE>

              For example,  vi /etc/sysconfig/network-scripts/ifcfg-em1

2. Set the NM_CONTROLLED parameter to yes (NM_CONTROLLED=yes)
3. Restart the NetworkManager and network services by running the following command:

    systemctl restart NetworkManager && systemctl restart network

12.4

ASOC-149880

Platform

Title: STIG disabled with all the control groups failed on all the node-x on 12.4.0.0.

Problem: When STIG is disabled with all the control groups, chronyd configuration parser misinterprets the line server <%= ntp_server %> iburst # maxpoll 10, incorrectly parsing maxpoll 10 as part of the server directive, causing chronyd service start failure.

Workaround: To resolve the issue, do the following:

1. SSH to the NW server.

2. Run the following command to update "# maxpoll" in the next line on all the nodes in the chrony.conf.erb file:

    

   salt '*' cmd.run "sed -i 's/server <%= ntp_server %> iburst # maxpoll 10/server <%= ntp_server %> iburst\\n# maxpoll 10/' /var/netwitness/config-management/cookbooks/platform/nw-ntp/templates/default/chrony.conf.erb"

12.4

SADOCS-2540

Source Server

Title:Source-server Service Crashes Following Upgrade to Version 12.4.0.0

Problem: After upgrading to version 12.4, if custom LogDevices were uploaded by customers via the CCM-UI page in a previous 12.x version, the upgrade process will search for .xml and -custom.xml files. If any of these files do not adhere to a specific format, it will result in a crash of the source-server.

Workaround: The users have to recreate .envision file with the proper structure:
envision File Structure: /etc/devices/<LogDevice Name>/<LogDevice>.xml
For example: /etc/devices/accurev/accurevmsg.xml
Reference: Import Content to Content Library

12.4 and 12.4.1

 SACE-21327, ASOC-151331, ASOC-151326

ESA

Correlation Server

Title:Java Exceptions for Memory usage, CPU % in the legacy page, and computation values set to 0 in the Deployment stats page.

Problem: After the Deployment is successfully deployed, some of the ESA Rules containing annotations and Windows are throwing Java exception errors for memory and CPU usage in the ESA rules service or showing up blank in the new Deployment stats page. This does not affect performance or functionality of ESA, however rule performance stats collection does not work. 

Workaround: None

12.4

ASOC-148285

Admin Server

Title: Logs are not writing to /var/log/messages on all the nodes after the upgrade to 12.4.0.0.

Problem: After the upgrade to 12.4.0.0, /var/log/messages are empty and logs are not generating to "/var/log/messages".

Workaround: To resolve the issue, perform the following steps:

1. SSH to the NW Admin server.
2. Run the following three commands to update new configuration file of rsyslog that aligns to new log rotate call:

1. salt "*" cmd.run "sed -i 's@/bin/kill -HUP \`cat /var/run/syslogd.pid 2> /dev/null\` 2> /dev/null || true@/usr/bin/systemctl -s HUP kill rsyslog.service >/dev/null 2>\&1 || true@g' /var/netwitness/config-management/cookbooks/platform/rsa-audit/files/default/syslog.conf"

2. salt "*" cmd.run "chef-client -r "recipe[rsa-audit::config]" --config /var/lib/netwitness/config-management/client.rb --json-attributes /etc/netwitness/config-management/node.json"

3. salt "*" cmd.run "systemctl restart rsyslog"

       3.  Check if the log message file is available at the NW Admin server and hosts:

/var/log/messages

12.4

SACE-21282, ASOC-150684

Reporting Engine

Title: Duplicate Report emails are generated after the failback from the standby NW server to the primary NW server.

Problem: When a user performs failover or failback, the Reporting Engine service in the standby NW server is still online, executing reports and producing duplicate reporting emails or reports.

Workaround:

To resolve the issue, perform the following steps:

1. SSH to the Standby NW server.
2. Run the following command to stop the Reporting Engine service:

    systemctl stop rsasoc_re

12.4 and earlier versions

SACE-20721, ASOC-147783

Title : Home Page is blank and visible as landing page option in 12.4

Problem : Under the user preference, in default landing page, there is a new option visible-”Home Page”.
On selecting that option and relogging in, the user lands onto a blank page.

Workaround: Respective user can click on the User Preference option and change the default landing page to Springboard, Investigate etc. [except for home page] and then relog in.

12.4

ASOC-148336

Response Action

Title: Same keys can be entered multiple times in the Parameter Key field in Add Parameter window (  (CONFIGURE) > More > Response Actions >  > Create Response Action > )

Problem: You can enter the same keys multiple times in the Parameter Key field in Add Parameter window while creating Response Actions in ((CONFIGURE) > More > Response Actions >  > Create Response Action. As a result, the duplicate keys entered in the Parameter key field are sent to the connector after executing the Response Action.

Workaround: None.

12.4

ASOC- 146230

Endpoint

Title: Endpoint server upgrade failed during the upgrade from 12.3.1 to 12.4

Problem: During the upgrade from 12.3.1 to 12.4, the Endpoint Server upgrade failed since the relay server was enabled in the Endpoint server before configuring the IP, which gave a null value.

Workaround: The current workaround is to delete the relay configuration from monogdb.

12.4

ASOC- 146805

UEBA

Title: Unable to view data on the Users page after upgrading to version 12.4.
Problem: When you upgrade the UEBA server to version 12.4 from lower versions, you may encounter an issue where red banner errors are displayed on the Users page. This issue occurs because presidio-ui fails to connect with presidio-output for fetching the data required to be displayed on the Users page.

Workaround:
To resolve this issue, perform the following steps:

1. SSH to the UEBA server.

2. Run the following commands to restart the presidio-output and presidio-ui services:

   • systemctl restart presidio-output

   • systemctl restart presidio-ui

12.4

ASOC-145668

Investigate

Title: [Timeline-Chart] Selecting the first/last bar from the chart doesn't show the proper event count in the timeline text

Problem: When selecting the date and time range for the first and last bar in the chart, the correct event count in the timeline text is not displayed.

Workaround: Select a minimal time range between start and end to view the correct data.

12.4 and later versions

ASOC-145468

Title: Leapp upgrade fails due to Insufficient disk requirements

Problem: In some instances, the leapp upgrade fails due to the following error.

Workaround:

• Run the following command to update the default value for LEAPP_OVL_SIZE variable, so that it creates overlay mounts with size 4GB instead of 2GB.
  sed -i 's/2048/4096/g' /usr/share/leapp-repository/repositories/system_upgrade/common/libraries/overlaygen.py

• Run the following command to update the default base directory for leapp to /var/netwitness which has more available space.
  sed -i s#/var/lib/leapp#/var/netwitness#g /usr/share/leapp-repository/repositories/system_upgrade/common/actors/targetuserspacecreator/libraries/constants.py

• Proceed to re-trigger the upgrade for the respective host from the Admin Server.

 12.4

 ASOC-150789

Title: /decoder/devices/message=prune failing with icap interface

Problem: If you run the optional Prune command as part of the DPDK migration, you might see continuous failure messages related to some interfaces on the logs.

Workaround: It has no functional impact, and a Decoder service restart fixes the issue. Refer to the KB Article “PF_RING Capture Devie KB Article” for more information.

12.4

ASOC-147188

Title: Edge Case Scenario - Host fails to boot OS with EL8 Kernel 4.x

 Problem: In some instances, during upgrade to NW Version 12.4, the host fails to boot into el8 kernel after OS Migration is complete.

 Workaround: Check the logs in/var/log/salt/minion log file for “NodeRecovery” logs and if found, please refer the KB Article “Edge Case Scenario - Host fails to boot OS with EL8 Kernel 4.x” for more details.

12.4

ASOC-146908

Title: SHA1 deprecated setting for SSH

Problem: SHA1 algorithm is deprecated, SHA1 algorithm is enabled on core services node-x sshd config. It will be flagged for any Security scan.

Workaround:

1. Open file "/etc/ssh/sshd_config"

2. Comment out the following entry by adding "#" as prefix to below line
   a. HostKey /etc/ssh/ssh_host_rsa_key

3. systemctl restart sshd      

12.4

ASOC-142946

Title: Secure UEFI boot causes leapp alma migration to fail

Problem: In some instances, after executing the leapp upgrade command during Alma migration and rebooting the appliance, a GRUB menu appears and attempts to boot to an ‘elevate’ kickstart.

Workaround: The current workaround is to just disable secure boot via BIOS settings. 

12.4

ASOC-123786

Title: Data collected for versions 12.2 or lower are not displayed in the Adapter dashboard after upgrading the UEBA server to version 12.4 or later.

Problem: After upgrading the UEBA server to version 12.4 or later from version 12.2 or older, the data collected before the upgrade are not visible in the Adapter dashboard. This issue occurs because, in version 12.2 or lower, the application name in the filter panel of the dashboard is the adapter. However, from version 12.3 or later, the application name is changed to presidio-adapter.

Workaround: In the Adapter dashboard, perform the following steps:

• To view the older data collected before 12.2, you need to edit the visualization of the dashboard and update the application name in the filter panel of the dashboard as an adapter.

• To view the newly collected data in the Adapter dashboard, you need to update the application name to presidio-adapter.

12.4 and later versions

ASOC-145667

Title: The decoder is unable to process the latest configuration updates (for example, invalid bucket names) made in the Palo Alto instances.

Problem: When you edit configurations for the Palo Alto instance, such as fixing a previously invalid bucket name to the correct one, the decoder fails to identify the latest changes. This issue occurs because the decoder does not recognize the recent updates made in the configuration.

Workaround: The instance needs to be restarted after applying decoder configuration changes to consider the latest configuration changes.

To update the Palo Alto instance properties manually using RestAPI, perform the following steps:

1. Connect to the Decoder host by using the Decoder IP address and Port 50104 as follows: <decoder-ip>:50104

2. Enter the username and password for the decoder host.

3. Navigate to the following path: /decoder/hosted/paloalto

4. Click Instances, and under the Properties section, select stop from the drop-down list. In the parameters field, type name=paloalto and click the Send button.

5. In the Properties section, select start from the drop-down list, and in the parameters field, type name=paloalto and click the Send button.

6. To verify that the instance state is Running, navigate to the following path:

              /decoder/hosted/paloalto/instances/paloalto

12.4

ASOC-145406

Title: Hosted Plugin Framework - Delete command deletes the plugin type only from the UI

Problem: The hosted plugin framework supports a delete command that deletes the plugin type from the UI. However, the associated filesystems are not deleted through this command as expected and require a separate cleanup.

Workaround: The leftover filesystems from the previously deleted plugin type are located at /etc/netwitness/ng/hosted and /var/netwitness/decoder/hosted on the decoder. These need to be manually deleted to ensure the plugin type is completely uninstalled.

12.4

ASOC- 142526

Title: Hosted plugin reload deletes the plugin instance from the decoder/hosted tree.

Problem: On Hosted plugin reload, the plugin instance is getting deleted instead of reloading. On all future reloads, the user needs to add an instance and then reconfigure the plugin, which is not feasible for users.

Workaround: The current workaround is to stop the plugin instances before reloading the plugin or uploading an updated version of the plugin. After performing this step, the plugin instance will not be deleted from the Decoder config tree.

12.4

ASOC- 144467

Title: The decoder fails to remove Palo Alto Prisma Integration plugin details even after deleting the policy.

Problem: Deleting a policy with the Palo Alto Prisma Integration plugin type does not remove the plugin from the Decoder due to the current system behavior.

Workaround:

To remove the Palo Alto Prisma Integration Plugin from the Decoder, perform the following steps:

1. SSH to the Packet Decoder Host.
2. Run the following command to stop the Decoder service:

             systemctl stop nwdecoder

3. Navigate to the following path:

              /etc/netwitness/ng/hosted

4. Delete the paloalto folder.

5. Run the following command to start the Decoder service:

              systemctl start nwdecoder

6. Connect to the Decoder host by using the Decoder IP address and Port 50104 as follows:

             <decoder-ip>:50104

7. Navigate to the following path:

             /decoder/hosted/paloalto

8. Select the delete operation from the drop-down list and click Send.

The plugin details are removed from the decoder.

12.4

ASOC-144688

Title: Application rules are assigned incorrect order numbers during service content migration.

Problem: Application rules have incorrect entries, where several Application rules on service migration have been tagged with an order value of 1. This problem occurs when the service content is deployed using RPM. By default, application rules of this type are assigned an order value of 1, leading to incorrect entries.

Workaround:

If the user redeploys the same content from NetWitness Live or redeploys any one of the contents, the correct order is placed.

12.4 and later versions

ASOC-146940

Title: Policy updated with re-migration might fail to publish due to duplicate application rule.

Problem: If a user migrates and creates policy in 12.3 or 12.3.1 version and post upgrade to 12.4 they re-migrate the same service and update the pre-existing policy, there could be chances of getting duplicate application rule in the policy which can lead to a policy publication failure.

Workaround: If there are duplicate application rules, they get pushed to the bottom of the application rule list on Policy Details page. Remove these duplicate application rules manually to proceed with the publication. Follow these steps to remove the duplicate application rules:

1. Identify the duplicate rules in the Policy Details page by checking the orders.

2. Click Edit Policy to edit the policy.

3. Navigate to the Define Policy section.

4. Remove the duplicate contents from selected content list by searching the contents by name.

12.4

ASOC-145770

Title: While importing a Custom Log Device, there is no control on content update if CL has multiple flavors of same content.

Problem: When the user tries to import a Custom Log Device with Overwrite option selected and CL already has multiple flavors of same Custom Log Device, it is hard to predict which flavor of content will get overwritten. This import can lead to loss of customization made to Custom Log Device.

Workaround: Follow these steps to update specific flavor content.

1. Search specific flavor of content in Content Library collection in mongoDB and copy its path.

2. ssh to SA node and navigate to path copied from mongo.

3. Replace XML present in this location with updated XML.

4. Restart the source server.

12.4

ASOC-143403

Title: Service Unavailable Error When Trying to Incident Reports from Respond

Problem: In the Respond tab, while trying to create/schedule an incident report, the below error message is displayed:

The Reporting Engine service may be offline or inaccessible. Try starting the service.

This occurs when you have a domain name configured to access Netwitness and not via its IP.

Workaround:

If a domain name is used instead of the node-zero’s IP, update the domain-name in “hostname” of the node-zero host. To update, go to Admin -> HOSTS -> select admin-server and edit, change to the domain name and save. Log out and log back in.

12.3.1

ASOC-157181

Title: Report generation fails on the Investigate > Events page due to mismatched service names.

Problem: If a user changes the name of a service on the Services page (for example., "Log Decoder" to "Log Decoder_new") but does not update the corresponding data source name used on the Services > Reporting Engine >   > View > Config > Sources page, they will encounter issues when creating or scheduling reports from the Investigate > Events page. This is because the data source name used in the report configuration no longer matches the actual name of the data source. As a result, the reports cannot be generated, and an error message will be displayed indicating that the data source is not configured.

Workaround: To prevent this issue, ensure that the service name used as a data source in the Reporting Engine always matches the service name displayed on the Services page.

Note: Before re-adding the renamed data source in Reporting Engine, ensure to delete the current data source by navigating to  (Admin) > Services > Reporting Engine >  > View > Config > Sources.

Follow these steps to re-add the renamed data source in the Reporting Engine:

1. Go to  (Admin) > Services.
2. In the Services list, select the Reporting Engine service.
3. Click  > View > Config. 

            The Services Config View of the Reporting Engine is displayed.

4. Select the Sources tab.
5. Click  and select Available Services.

              The Available Services dialog is displayed.

6. Select the renamed service (for example, Log Decoder_new) and click OK.

The service authentication dialog box is displayed.

Note:

The services with the Trust Model enabled must be added individually. You are prompted to provide a username and password for the selected service.

7. Enter the Username and Password for the service.
8. Click OK.

 12.3.1, 12.4, 12.4.1

 ASOC-129464

Title: The feed does not have an associated ID in the configured parameters of the policy.

Problem: The ESA rules were unable to be saved on editing or updating the ESA rule. Furthermore, a run time exception was shown in UI and SA logs while saving the rule. Further troubleshooting found that feed “RSA OSINT Non-IP Threat Intel Feed “did not have a unique ID associated with the policy and showed in multiple documents in the content policy collections.

Workaround: N/A

12.3, 12.3.1

ASOC-141524

Title: Log Devices are not getting disabled when content deletion is performed from CCM.

Problem: The Log Device contents published from CCM are not getting disabled when contents are deleted for a service. This is observed when a different policy is again published on the same service.

Workaround: Navigate to the Log Decoder Service Config view and disable Log Device contents that are not required.

12.3.1

ASOC-142018

Title: RabbitMQ Warning Messages in All the Nodes

Problem: All the nodes encounter an error [warn] <0.16195.0> HTTP access denied: user 'guest' - invalid credentials every 5 minutes in the rabbitMQ logs. The NetWitness application services use the default guest account with the guest password or listening to the guest user in RabbitMQ.

Workaround: There is no impact on the system due to the error message. You can ignore the message.

12.3.1

ASOC-141840

Title: Users cannot deploy or modify custom feeds when one or more decoders in the deployment group are offline.

Problem: When you are using the Groups option to deploy custom feeds, you may encounter an error message stating, "Failed to Retrieve Meta keys." This error occurs when one or more decoders in the group are offline, preventing the feeds from being deployed to that specific group. This issue occurs while creating new feeds or modifying an existing custom feed.

Workaround: When configuring custom feeds, do not use the Groups tab. Instead, use the Services tab. Unselect the offline decoder and select all the required decoders. Then, proceed with the configuration settings.

11.7.x, and 12.x

SACE-20424

Title: Increased JA3 entities due to JA3 randomization caused DAGs delay on the UEBA server.

Problem: The implementation of JA3 randomization in applications such as Chrome has resulted in a significant increase in the number of JA3 entities on the UEBA server, causing delays in the DAGs.

Workaround: To resolve this issue, please contact your NetWitness Customer Support team.

11.7.x, 12.0, 12.1, 12.2, 12.3

ASOC- 138953

Title: InMemoryTable Adhoc Enrichment windows are not getting uploaded with data.

Problem: When the user adds the Adhoc In-Memory table enrichment under CONFIGURE > ESA > Enrichment Sources, the CSV file gets uploaded via UI, but upon using the enrichment in an ESA Rule and deployment, the contents are not read to the named window, and thus are not accessible for the rule to enrich the rule/alerts. There might be an impact of alerts not getting enriched, or the rule condition (if in-memory table enrichment reference is added to the rule) might not work as expected.

Workaround: Re-import the CSV file post-enrichment creation and deploy the rules again. Basically, the CSV file must be imported twice upon enrichment creation/update for the content to be reflected in the named window. Users can confirm if the data is uploaded to the named window under the “Named Windows” section of CONFIGURE > ESA Rules > Settings Page.

12.1.x, 12.2 and, 12.3

ASOC-138145

Title: Content Migration Failing for Logdevice Contents

Problem: When service contents are migrated from services to Centralized Content Management, if the syntax of one of the custom log device is invalid, it fails to migrate.

Workaround:

1. Make sure there are no syntax errors inside the XML file of the custom base parser and deploy it again on the service.

2. Import Logdevice directly into Content-Library.

              a) Navigate to CONFIGURE > POLICIES > CONTENT > Content Library > Log Device.

              b) Click on the "Import" button and select Logdevice, which fails to migrate.

12.3, 12.3.1

ASOC-138255

Title: Red banner errors are displayed on the Users page after the UEBA host upgrade

Problem: When you upgrade the UEBA host, you may encounter an issue where red banner errors are displayed on the Users page. A communication delay between the UEBA server and the Presidio UI service usually causes this issue.

Workaround: To resolve this issue, perform the following steps.

1. SSH to the UEBA server.

2. Run the following command:
   systemctl restart presidio-ui

12.2, 12.3

 ASOC-134234

Title: Airflow shows a warning message that the scheduler task is not running

Problem: Airflow UI warning message “The scheduler does not appear to be running. Last heartbeat was received xx seconds ago. The DAGs list may not update, and new tasks will not be scheduled”. This issue could occur due to a delayed response from the UEBA server.

Note: This warning message does not affect any functionality.

Workaround: To resolve the issue, try refreshing the page a couple of times. If the issue persists, connect to the UEBA server to check the airflow scheduler services.

12.3

ASOC-133835

Title: Generic error message is displayed for duplicate report names in Investigate > Events Page

Problem: When you create or schedule a report from the Investigate > Events page using a report name that already exists, an error message will be displayed. However, the error message displayed is generic and provides limited information. The error message states, "Error generating report. Please check respond-server.log/investigate-server.log and sa.log”

Workaround: To resolve this issue, always create or schedule the reports with a unique name.

12.3

ASOC-134996

Title: Generic error message is displayed when you create or schedule reports on the Investigate > Events page when the data source is not configured in Reporting Engine.
Problem: When you create or schedule a report from the Investigate > Events page, an error message is displayed if the data source is not configured in the reporting engine. However, the error message displayed is generic and provides limited information. The error message states, "Error generating report. Please check respond-server.log/investigate-server.log and sa.log”
Workaround: To resolve this issue, perform the following steps:

1. Go to   (Admin) > Services.

    

2. In the Services list, select the Reporting Engine service.

3. Click  > View > Config.

    

   The Services Config View of Reporting Engine is displayed.

4. Select the Sources tab.

5. Click the   and select Available Services.

    

   The Available Services dialog is displayed.

6. Select the required service (for example, Log Decoder) and click OK.
   The service authentication dialog box is displayed.
   Note: The services with the Trust Model enabled must be added individually. You are prompted to provide a username and password for the selected service.

7. Enter the Username and Password for the service.

8. Click OK.
   The selected service is listed in the Aggregate Services pane.

12.3

ASOC-134996

Title: Use of future dates in the Custom date range option for Adhoc reports will result in incorrect date ranges in the output report.

Problem: If you choose future dates using the Custom date range option to create Adhoc reports from the Investigate > Events page, the report generated will display an invalid date range. This issue occurs whenever a future date is detected. The system recognizes it as an invalid date.

Workaround: NetWitness recommends avoiding the use of future dates when configuring the Adhoc reports.

12.3

ASOC-135074

 Title: Use of Enter as a shortcut key to select a query suggestion in Advanced Query mode.

Problem: When you construct a query in Advanced Query Bar mode in the Investigate > Events view, pressing Enter key will select and execute the query instead of only selecting a suggestion from the query suggestions list. This action is not in line with the Guided Query Mode, where pressing Enter key selects a suggestion from the query suggestions list but does not execute the query.

Workaround: Use the Tab key to select a suggestion from the query suggestions list while you are in the Advanced Query Bar mode.

 12.3

 134482

 Title: Unable to load a saved query to the query bar in Advanced Query Bar mode.

Problem: When you select a saved query while you are in Advanced Query Bar mode in the Investigate > Events view, the selected saved query is not loaded into the query bar and is not applied to the executed query either.

Workaround: NetWitness recommends you use Guided Mode if you want to execute a saved query in Investigate > Events view.

 12.3

 ASOC-133508

 Title: Unable to execute a query when a service is updated to Decoder/Log decoder in Advanced Query Bar mode.

Problem: When you update a service to decoder/log decoder while you are in Advanced Query Bar mode in the Investigate > Events view, the search button is enabled but, clicking the search button does not execute the query or show an error. This happens because of unindexed keys in the query for the selected service which is the expected behavior with any unindexed keys. In Guided Mode, an error is displayed as soon as the service is updated using the service selection drop-down.

Workaround: You need to remove the unindexed keys from the query before executing it.

 12.3

 ASOC-134481

Title: Publish and Restart pop-up does not appear while publishing policy from Policy listing page.

Problem: When any configuration which requires service restart, is updated in Policy and it is being published from Policy listing page, pop-up does not appear for “Publish and Restart Now” option. Policy is being published with “Publish and Restart Later” option automatically and services need to be restarted later.

Workaround:

a. Restart service(s) from Groups page

1. Go to Groups listing page.

2. Select Group in which service(s) require restart.

3. Click “Restart Service” button.

or

b. Publish and restart from Edit Policy view.

1. Edit the Policy.

2. Click “Save and Publish” button.

3. Click “Publish and Restart Now” button.

 12.3

 ASOC-134862

Title: The most recent query is not populated while creating a new saved query in Advanced Query mode.

Problem: Usually, the most recently executed query is auto-populated in the Pre-Query Conditions field when you try to save a new query. But, while you are in Investigate > Events > Event Preferences > Advanced Query mode, the most recently executed query is not auto-populated in the Pre-Query Conditions field when you try to save the query (Saved Queries > New Saved Query).

Workaround: We recommend you switch to Guided Mode, run the same query, and then proceed with saving a new query.

12.3

ASOC-135221

Title: Missing list of Logparsers in Dropdown when trying to Add new Parser

Problem: The dropdown does not list existing Out of box (OOTB) Logparsers because UI is not able to sync with the previously synced Log Decoder service to fetch those OOTB Logparsers.

Workaround:

1. Go to Admin > Services page

2. Click on the Service name of a Log Decoder in a working state to open its System View.

3. Now, Copy the UUID of that service from the URL of the service’s System page.
   Example - UUID of service will look like this in URL: https://<AdminServerIP>/admin/services/e099b4bb-a7f6-4149-ae31-a453797d8c25/info

4. Go to Admin > Services page, open the explore view of content-server.

5. Go to >  content > parser.

6. Update the value of “previously-synced-log-decoder-id” with the UUID of the new Log decoder.

7. Go to CONFIGURE > LOG PARSER RULES page.

8. Click the [+ADD] button.

The dropdown list will start getting populated.

12.3

ASOC-135320

Title: Unable to Access ESA Deployments

Problem: Users will not be able to access ESA deployments configurations in the Unified deployment view or policy details. Due to stale or invalid entries in source server mongo.

Workaround:Clean up the source-server mongo of invalid entries. Refer to KB article

NetWitness ESA Deployments are not accessible in the Policies tab

12.1

ASOC-131743

Title: The database stagger operation takes a long time to complete, resulting in a timeout from the UI Explore page.

Problem: If you perform the database stagger operation from the UI Explore page, it takes a long time to complete the operation based on the data and results in a timeout.

Workaround: To perform the database stagger operation, you must run the command using the RESTful API or NwConsole.

11.7.x,

12.0, 12.1, 12.2

ASOC-124339

Title: When UEBA receives a high volume of events, the root DAG becomes unresponsive as it awaits the completion of other associated DAGs.

Problem: Upon receiving a high volume of events, the root DAG of UEBA becomes unresponsive as it awaits the completion of other associated DAGs, resulting in failures in the model_ueba_flow DAGs for their respective schemas. These failures are followed by errors related to java.heap.memory, as shown below.

1. [2023-02-19 08:02:09,178] {bash_operator.py:126} INFO - java.lang.OutOfMemoryError: Java heap space
2. [2023-02-19 08:02:09,178] {bash_operator.py:126} INFO - java.lang.OutOfMemoryError: Java heap space
3. [2023-02-19 08:02:09,179] {bash_operator.py:126} INFO - at java.base/java.util.concurrent.ConcurrentHashMap$KeySetView.iterator(ConcurrentHashMap.java:4625)
4. [2023-02-19 08:02:09,179] {bash_operator.py:126} INFO - at java.base/java.util.Collections$UnmodifiableCollection$1.<init>(Collections.java:1044)
5. [2023-02-19 08:02:09,179] {bash_operator.py:126} INFO - at java.base/java.util.Collections$UnmodifiableCollection.iterator(Collections.java:1043)
6. [2023-02-19 08:02:09,179] {bash_operator.py:126} INFO - at org.apache.http.impl.nio.reactor.BaseIOReactor.validate(BaseIOReactor.java:210)
7. [2023-02-19 08:02:09,179] {bash_operator.py:126} INFO - at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:280)

Workaround:

1. In the DAGs tab, click the failed Dag (circle with red) that takes you to Task Instances page.

2. Click the DAG ID and then click Tree View.

3. In the Tree View, click the failed task instance and click View Log.
Note: Hover over the failed task instance to view the operator of the task instance.

The log view is displayed.
You will see the executed jar in the logs in the running command section.
For example, presidio -output processor.jar.

4. SSH to the UEBA server.

5. Open /etc/netwitness/presidio/configserver/configurations/airflow/workflows-default.json file.

6. Increase the heap memory size of respective failing DAGs with their respective operator by two times. For example, if it is 2048, make it 4096.

7. In the Tree View, click the failed task instance and click Clear.
This solution will help to run the DAGs successfully.

12.2 and later versions

ASOC-128667

Title: Unable to load the Content Library.

Problem: After upgrade to 12.1, user will not be able to load Content Library for the created policies. The issue is due to the source-server not able to connect to Live CMS , even though the Live is configured and the source server is not able to resolve cms.netwitness.com.

Following error is seen in the source server logs path /var/log/netwitness/source-server/source-server.log

ERROR CentralContent|Failed to authenticate with CMS Server. 2org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://cms.netwitness.com:443/authlive/authenticate/CMS": cms.netwitness.com; nested exception is java.net.UnknownHostException: cms.netwitness.com

Workaround:

1. If the affected netwitness environment can reach out to any of the DNS servers internal or external, then the user could add the DNS IP entry as nameserver to /etc/resolve.conf on Node-Zero.

2. If the above workaround is not feasible, then the user can add a manual entry of the “<ip-address> cms.netwitness.com” into /etc/hosts.user file and refresh the host using the "nw-manage -r --host-key <admin-server-ip>". The IP address of cms.netwitness.com can be found by pinging cms.netwitness.com from a system that can be connected to cms.netwitness.com.

3. Restart the source server using the command service rsa-nw-source-server restart.

12.2

ASOC-124473

Title: Enable / Disable of rules in Endpoint Risk Scoring bundle applies to all deployments.

Problem:  When a rule in the Endpoint Risk Scoring Bundle is either enabled / disabled from the ESA Service Stats UI it throws an error on UI. However, in the backend, the rule gets enabled / disabled. 

The disabled list of rules is saved in the keyValueRuleSettings as a generic setting without any associated engine ID. As it doesn’t have any engine id associated with it, the config acts like a global configuration.

In all the deployments, wherever the Endpoint Risk Scoring Bundle is deployed, the rules disabled in any one deployment get automatically disabled in all deployments.

Workaround: N/A

11.7.x,

12.0, 12.1, 12.2

ASOC-127949

Title: Event overview panel error or infinite loading.

Problem: The event overview panel throws an error or loads infinitely for endpoint events.

Workaround: Restart the investigating server to properly load the overview panel to display endpoint events. On re-enabling the meta forwarding, the issue will get resolved.

12.2

ASOC-123671

Title: Floating Save button on Decoder Stats page in UI.

Problem: Whenever a user opens the Decoder Stats page, a Save button, originally under the Key Stats Settings, toggles on the top left corner of the screen, covering part of NetWitness branding. A click on the gear icon beside the Key Stats Settings will take the Save button to appear in its original place.

Workaround: N/A

Note: This cosmetic issue does not interfere with the service functionally.

12.2

ASOC-114414