NetWitness Community

Title: When UEBA receives a high volume of events, the root DAG becomes unresponsive as it awaits the completion of other associated DAGs.

Problem: Upon receiving a high volume of events, the root DAG of UEBA becomes unresponsive as it awaits the completion of other associated DAGs, resulting in failures in the model_ueba_flow DAGs for their respective schemas. These failures are followed by errors related to java.heap.memory, as shown below.

1. [2023-02-19 08:02:09,178] {bash_operator.py:126} INFO - java.lang.OutOfMemoryError: Java heap space
2. [2023-02-19 08:02:09,178] {bash_operator.py:126} INFO - java.lang.OutOfMemoryError: Java heap space
3. [2023-02-19 08:02:09,179] {bash_operator.py:126} INFO - at java.base/java.util.concurrent.ConcurrentHashMap$KeySetView.iterator(ConcurrentHashMap.java:4625)
4. [2023-02-19 08:02:09,179] {bash_operator.py:126} INFO - at java.base/java.util.Collections$UnmodifiableCollection$1.<init>(Collections.java:1044)
5. [2023-02-19 08:02:09,179] {bash_operator.py:126} INFO - at java.base/java.util.Collections$UnmodifiableCollection.iterator(Collections.java:1043)
6. [2023-02-19 08:02:09,179] {bash_operator.py:126} INFO - at org.apache.http.impl.nio.reactor.BaseIOReactor.validate(BaseIOReactor.java:210)
7. [2023-02-19 08:02:09,179] {bash_operator.py:126} INFO - at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:280)

Workaround:

1. In the DAGs tab, click the failed Dag (circle with red) that takes you to Task Instances page.

2. Click the DAG ID and then click Tree View.

3. In the Tree View, click the failed task instance and click View Log.
Note: Hover over the failed task instance to view the operator of the task instance.

The log view is displayed.
You will see the executed jar in the logs in the running command section.
For example, presidio -output processor.jar.

4. SSH to the UEBA server.

5. Open /etc/netwitness/presidio/configserver/configurations/airflow/workflows-default.json file.

6. Increase the heap memory size of respective failing DAGs with their respective operator by two times. For example, if it is 2048, make it 4096.

7. In the Tree View, click the failed task instance and click Clear.
This solution will help to run the DAGs successfully.

12.2

ASOC-128667

Title: Unable to load the Content Library.

Problem: After upgrade to 12.1, user will not be able to load Content Library for the created policies. The issue is due to the source-server not able to connect to Live CMS , even though the Live is configured and the source server is not able to resolve cms.netwitness.com.

Following error is seen in the source server logs path /var/log/netwitness/source-server/source-server.log

ERROR CentralContent|Failed to authenticate with CMS Server. 2org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://cms.netwitness.com:443/authlive/authenticate/CMS": cms.netwitness.com; nested exception is java.net.UnknownHostException: cms.netwitness.com

Workaround:

1. If the affected netwitness environment can reach out to any of the DNS servers internal or external, then the user could add the DNS IP entry as nameserver to /etc/resolve.conf on Node-Zero.

2. If the above workaround is not feasible, then the user can add a manual entry of the “<ip-address> cms.netwitness.com” into /etc/hosts.user file and refresh the host using the "nw-manage -r --host-key <admin-server-ip>". The IP address of cms.netwitness.com can be found by pinging cms.netwitness.com from a system that can be connected to cms.netwitness.com.

3. Restart the source server using the command service rsa-nw-source-server restart.

12.2

ASOC-124473

Title: Enable / Disable of rules in Endpoint Risk Scoring bundle applies to all deployments.

Problem:  When a rule in the Endpoint Risk Scoring Bundle is either enabled / disabled from the ESA Service Stats UI it throws an error on UI. However, in the backend, the rule gets enabled / disabled. 

The disabled list of rules is saved in the keyValueRuleSettings as a generic setting without any associated engine ID. As it doesn’t have any engine id associated with it, the config acts like a global configuration.

In all the deployments, wherever the Endpoint Risk Scoring Bundle is deployed, the rules disabled in any one deployment get automatically disabled in all deployments.

Workaround: N/A

11.7.x,

12.0, 12.1, 12.2

ASOC-127949

Title: Event overview panel error or infinite loading.

Problem: The event overview panel throws an error or loads infinitely for endpoint events.

Workaround: Restart the investigating server to properly load the overview panel to display endpoint events. On re-enabling the meta forwarding, the issue will get resolved.

12.2

ASOC-123671

Title: Floating Save button on Decoder Stats page in UI.

Problem: Whenever a user opens the Decoder Stats page, a Save button, originally under the Key Stats Settings, toggles on the top left corner of the screen, covering part of NetWitness branding. A click on the gear icon beside the Key Stats Settings will take the Save button to appear in its original place.

Workaround: N/A

Note: This cosmetic issue does not interfere with the service functionally.

12.2

ASOC-114414

Title: The Agent performs the YARA scan only for the YARA Rule files with .yar extension in their filenames.

Problem: The Agent performs the YARA scan only for the YARA Rule files with .yar extension in their filenames and ignores the YARA Rule files with the filenames ending with the other extensions such as .txt and .yara. As a result, the YARA Rule files with any other extension except .yar are not scanned. This issue occurs due to the Agent's Rule file extensions validation check.

Workaround: You must rename the file extension of the YARA Rule files to .yar to perform Agent YARA scan.

12.1, 12.1.1

ASOC-125096

Title: The Context Hub Server Config page keeps loading if the RSA Endpoint (ECAT Data Sources) is not removed before upgrading from 11.7 and older versions to 12.0, 12.1, or 12.1.x.x versions

Problem: The Context Hub Server Config page ((Admin) > Services > select the ContextHub Server > View > Config) keeps loading if the RSA Endpoint (ECAT Data Sources) is not removed from the Context Hub Server before upgrading from 11.7 and older versions to 12.0, 12.1, or 12.1.x.x versions. Therefore, you cannot access the Data Sources.

Workaround:

1. SSH to the Admin Server.

2. Log in to the MongoDB.

3. Go to the ContextHub collection and search for the RSA Endpoint document.

4. Delete the entry RSA Endpoint from the Admin Server Mongo.

5. Restart the Mongo. Run the following command.

service mongod restart

6. Restart the Context Hub service. Run the following command.

service rsa-nw-contexthub-server restart

The Config page is loaded properly.

Note: You must restart the Context Hub service from the ESA box.

12.0, 12.1, 12.1.X.X

ASOC-124151

Title: WLC Services not reachable in IP Failover Scenario

Problem: During IP Failover, WLC service was not reachable from the Secondary SA but working with Primary SA.
Since WLC as a Windows service does not have a Secondary SA server cert hence not reachable.

Error:

1.[Endpoint Availability Monitor 591327187] WARN com.rsa.netwitness.carlos.clients.nextgen.nw.NwClientPipeBase - bf90b17a-7b8e-4798-8c2e-8fb58d213c7d:56001 received error: Invalid username or password, uuid : 22023-01-23 07:14:28,478

2.[Endpoint Availability Monitor 591327187] WARN com.rsa.netwitness.carlos.clients.nextgen.nw.NwClientPipeBase - bf90b17a-7b8e-4798-8c2e-8fb58d213c7d:56001 received error: Invalid username or password, uuid :

Workaround:

1. Copy the certificate manually from /etc/pki/nw/carlos/rsa-nw-sa-server-cert.pem to C:\ProgramData\netwitness\ng\logcollector\trustpeers in WLC.

or Copy the /etc/pki/nw/carlos/rsa-nw-sa-server-cert.pem and update the cert using WLC rest http://<wlc-ip>:50101/sys/trustpeer

2. Restart WLC and the jetty service to make SA connections appear active.

12.1.1

ASOC-127365

12.1.0.1

SADOCS-2355

Title: Core services in 12.1.0.0 are found inactive under the Services column in the Admin > Hosts view after deploying a new Node-X with 12.1 Image to an Older Admin Server ( which is upgraded from 11.x to 12.1)

Problem: When you deploy a fresh-Installed 12.1.0.0 Node-X to an existing older Admin Server ( which has been upgraded from 11.x to 12.1) , the core services such as Concentrator, Log Decoder, Log Collector, Archiver, Decoder, Appliance, Workbench, Warehouse Connector, and Broker appear inactive under the Services column in the Admin > Hosts view. As a result, you cannot access the core services in the UI.

Workaround:

1. Run the following command on the new Node-X to create the symlink for admin-cert.pem in trustpeers

ln -s /etc/pki/nw/peer/admin-cert.pem /root/templink ; find /etc/netwitness/ng/ -name "trustpeers" -exec cp -av /root/templink {}/"$(openssl x509 -hash -in /etc/pki/nw/peer/admin-cert.pem -noout).0" \; && rm -vf /root/templink

12.1

SADOCS-2368

Title:  Model DAG's are failing after upgrade to 12.1.1

Problem: DAG's are failing due to invalid entries in the management_store_metadata collection of the presidio database.
This is causing DAG to clean the invalid store, which doesn't exist in the local cache, throwing a null point exception.

Workaround: None

12.1, 12.1.1, 12.2

ASOC-127311

Title: Active Directory authentication fails after the removal of few Ciphers in the NetWitness Platform XDR.

Problem: When you authenticate the Active Directory in (Admin) > Security > Settings > Active Directory Configurations view, the authentication fails with the following error message :

Error:

com.rsa.smc.sa.admin.web.controller.ajax.AuthenticationProviderController - Test connection failed com.rsa.asoc.launch.api.transport.client.TransportClientException: Accepted DH prime length is 2048 or higher.

This issue occurs due to the removal of CBC (Cipher-Block-Chaining) Ciphers.

Workaround: Change the size of the modulus by adding the registry key value.

Warning: Ensure you use Registry Editor properly to avoid reinstalling your operating system.

Do the following:

1. Open Registry Editor.

2. Access the following registry location:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman].

3. Update the DWORD value to "ServerMinKeyBitLength"=dword:00000800.

For more information, see Microsoft Security Advisory - 3174644

12.1

ASOC-125945

Title: The Agent performs the YARA scan only for the YARA Rule files with .yar extension in their filenames.

Problem: The Agent performs the YARA scan only for the YARA Rule files with .yar extension in their filenames and ignores the YARA Rule files with the filenames ending with the other extensions such as .txt and .yara. As a result, the YARA Rule files with any other extension except .yar are not scanned. This issue occurs due to the Agent's Rule file extensions validation check.

Workaround: You must rename the file extension of the YARA Rule files to .yar to perform Agent YARA scan.

12.1

ASOC-125096

Title: Unable to load the Content Library.

Problem: After upgrade to 12.1, user will not be able to load Content Library for the created policies. The issue is due to the source-server not able to connect to Live CMS , even though the Live is configured and the source server is not able to resolve cms.netwitness.com.

Following error is seen in the source server logs path /var/log/netwitness/source-server/source-server.log

ERROR CentralContent|Failed to authenticate with CMS Server. 2org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://cms.netwitness.com:443/authlive/authenticate/CMS": cms.netwitness.com; nested exception is java.net.UnknownHostException: cms.netwitness.com

Workaround:

1. If the affected netwitness environment can reach out to any of the DNS servers internal or external, then the user could add the DNS IP entry as nameserver to /etc/resolve.conf on Node-Zero.

2. If the above workaround is not feasible, then the user can add a manual entry of the “<ip-address> cms.netwitness.com” into /etc/hosts.user file and refresh the host using the "nw-manage -r --host-key <admin-server-ip>". The IP address of cms.netwitness.com can be found by pinging cms.netwitness.com from a system that can be connected to cms.netwitness.com.

3. Restart the source server using the command service rsa-nw-source-server restart.

12.1

SADOCS-124473

Title: The Hosts details are not displayed in the Health & Wellness > Monitoring.

Problem: The Hosts section under Health & Wellness > Monitoring doesn’t display the Physical drive, logical drive, and adapter details due to an upgrade of the perccli library to the newer version.

Workaround:

Note: Perform the following procedure for all the configured hosts.

1. Download the Nwraidutil.py file from the following URL: https://community.netwitness.com/t5/netwitness-knowledge-base/host-details-under-monitoring-in-h-w-are-not-populated-properly/ta-p/689408.
2. SSH to the Admin Server or the node on which you are copying this file.
3. Copy the Nwraidutil.py file to the host where the host details for the node were not displayed in the UI.
4. Stop the collectd service by running the following command: systemctl stop collectd
5. Take a backup of the existing python file located at /usr/lib/collectd/python/nwraidutil.py. In case of any issues, you can roll back.
6.  Replace the file /usr/lib/collectd/python/nwraidutil.py with the new file.
7.  Start the collectd service by running the following command: systemctl start collectd

11.5.x, 11.6.x 11.7.1.x, 12.0.x

SADOCS-2330

Title: Core services are found inactive under the Services column in the Admin > Hosts view after orchestrating a fresh 12.1 core Node-X to an upgraded Admin server (Node-0).

Problem: When you install and orchestrate a fresh 12.1 core Node-X to the Admin server (Node-0) upgraded from 12.0 or older versions to 12.1, the core services such as Concentrator, Log Decoder, Log Collector, Archiver, Decoder, Appliance, Workbench, Warehouse Connector, and Broker appear inactive under the Services column in the Admin > Hosts view. As a result, you cannot access the core services in the UI.

This is not applicable if you are orchestrating a fresh 12.1 core Node-X to the fresh-Installed 12.1 Admin Server (not upgraded from 12.0 or older versions to 12.1).

Workaround:

1. Before you bootstrap and orchestrate the 12.1 core Node-X host, run the following commands.

• mkdir -p /etc/netwitness/platform
• touch /etc/netwitness/platform/nw-upgrade-mode 

2. Perform this workaround only if you skip the above workaround (Workaround 1). Run the following commands after you bootstrap and orchestrate the 12.1 core Node-X host.

• touch /etc/netwitness/platform/nw-upgrade-mode
• nw-manage --refresh-host --host-key <core-node-x-salt-minion-uuid>
• systemctl restart <core-service-name>

Note:

• Refer the file /etc/salt/minion to find <core-node-x-salt-minion-uuid>.

• You must enter the core service name such as nwarchiver (Archiver), nwdecoder (Decoder), nwlogcollector (Log Collector), nwappliance (Appliance), nwconcentrator (Concentrator), nwlogdecoder (Log Decoder), nwbroker (Broker), nwworkbench (Workbench), and nwwarehouseconnector (Warehouse Connector) in <core-service-name>.

12.1 and later versions.

SADOCS-2309

Title: Administrators can set any value (Strings, Booleans, and Variables) in the fields such as validate-yara-rules, enabled, and index-creation-enabled in the Endpoint Server Explore page.

Problem: Any value such as Strings, Booleans, and Variables can be set in the fields such as validate-yara-rules, enabled, and index-creation-enabled in the Admin > Services > Endpoint Server > View > Explore page as these fields are not validated. If you set any non-Boolean value in these fields and refresh the page, the values are set back to false.

12.1

ASOC-122949

Title: Observing Telemetry failed to parse meta field error logs on all core services.

Problem: Due to the newly added metric aggregate_buffer_size added in the config page of all the core services, the telemetry is trying to add this metric in the json. But, the telemetry is not receiving any value.

12.1

ASOC-123267

Title: The When Created column in the URL Integration view displays an Invalid date.

Problem: The When Created column in the Admin > System > URL Integration view displays an Invalid date instead of the actual query creation date and time. This happens when the query you run in the Investigate > Events page is recorded in the Admin > System > URL Integration view.

Workaround: None.

12.1

ASOC-123883

Title: After upgrade to 12.1, the export connector trusted authentication pipeline fails.

Problem: After upgrading setup from 11.6.1.3 to 12.1.0.0 , it was observed that the export connector pipeline created through trusted authentication for a decoder is not co-located on same host. The UI test configuration fails and also dataflow stops for those pipelines.

When logs were checked in /var/log/logstash/pipeline_export_connector_decoder.log, warning logs were observed for login failures.

Workaround: Add the logcollector /etc/pki/nw/node/node-cert.pem the source Decoders REST APIs (/sys/trustpeer and /sys/caupload) and perform test connection.

12.1

SADOCS-2322

Title: The Logstash pipelines are not being created due to Stalled threads.

Problem: After upgrading setup from 11.6.0.0 to 11.6.1.4 and 11.6.0.0 to 12.1.0.0 , it was observed that Test configuration for pipelines passed and they got created successfully on UI, but dataflow was not started yet for those pipelines. This was observed on Remote Logcollector node.

When logs were checked in /var/log/logstash/logstash-plain.log, warning logs were observed stating pipeline threads are being stalled.

Workaround: Restart Logstash with command on same node.
service logstash restart

12.1

SADOCS-2321

Title: Recent queries are not displayed in the Investigate > Navigate > Query > Recent view while investigating any service.

Problem: Recent queries are not displayed in the Investigate > Navigate > Query > Recent view when you try to apply historical query filters. As a result, the historical queries cannot be used.

Workaround:

1. Go to Investigate > Events view.
2. Click Recent Queries under Search suggestions drop-down to view the recent queries. All the historical queries are still displayed.

12.0

ASOC-122718

Title: Upgrade fails when trying to upgrade Mac M1 agents via UI.

Problem: When the users try to upgrade the Mac M1 agent via UI, the upgrade fails and shows the following error message: "ERROR EndpointManagement|Unable to find installer file for mac arm64bit"

Tracked by:

ASOC-121714

12.0

ASOC-121714

Title: The 0 value for mtta.time, mttd.time, mtta.count, and mttd.count attributes are not fetched from Mongo.

Problem: After closing incidents directly without assigning from the new state and creating a reporting chart for incidentStats, the 0 value for mtta.time, mttd.time, mtta.count, and mttd.count attributes displayed in the chart are not fetched from Mongo.

Workaround:

1. Create an Incident.

2. Close the Incident without assigning. Only mttr.time and mttr.count values are displayed in Mongo.

3. Go to Reports > Manage > Rules. Select Respond DB in the Rules view.

4. Create and schedule the Respond DB rule.

12.0

ASOC-120978

Title: JSON UI is misidentifying the ‘Scanned’ format type as a ‘Variant’.

Problem: The JSON Log Parsing Rules UI is misidentifying the new ‘Scanned’ format data type as a ‘Variant’ (a collection of format types).

12.0

ASOC-119697

Issue: Enabling the following OpenAppID detectors mentioned with SSLCertPattern causes high CPU usage in Decoder NON-FIPS.

Cause: The SSL Certificate details extract crypto operation in OpenSSL 3.0 causes high CPU usage in a multi-threaded environment and results in packet drops.

Recommendation: It is recommended NOT to enable the following list of OpenAppID detectors when using Decoder NON-FIPS service for TLS 1.3 decryption.

Note: This issue doesn’t affect the default Decoder (FIPS) service.

List of OpenAppID detectors

12.0

ASOC-118432

Title: The Cert-reissue on NW server host is not processed only when the user installs Cloud Connector Service on the Admin Server and performs the failover.

Problem: The Cloud Connector Server (a part of  Admin > Services > Admin Server) is found inactive after performing the failover. As a result, when you run the Cert-reissue command to renew the certificates on the Admin Server, the command fails and the Cert-reissue on NW server host is not processed.

Workaround: After failover, you must uninstall and re-install the Cloud Connector Sensor to work properly.

12.0

SADOCS-2284

Title: The Malware Analytics service configurations are set to the default values after you configure and restart the service.

Problem: After configuring the Malware Analytics service in the Malware Config view (Admin > Services > Malware Analytics > View > Config > General), when you restart the service, the configurations are overwritten with the default values.

Workaround: Reconfigure the Malware Analytics service after restarting it. For more information on reconfiguring the service, see NetWitness Malware Analysis Configuration Guide.

12.0

ASOC-121654

Title: NRWT misses configuration backup with --include-mongo option in 11.7.x

Problem: When utilizing the NetWitness Recovery Wrapper Tool (NRWT) in version 11.7.x along with the --include-mongo option, it has been observed that the NRWT is collecting only the mongo backup and not taking a backup of the configuration.

This issue is with the wrapper scripts that run over and above the core NRT. Hence there is no loss in basic functionality.

Workaround: Use the following NRT commands to take backups of both configuration and mongo.

Export:

nw-recovery-tool --export --dump-dir /var/netwitness/backup --category ESAPrimary --component mongo

Import:

nw-recovery-tool --import --dump-dir /var/netwitness/backup --category ESAPrimary --component mongo

Category List - ESA Primary, ESA Secondary, Endpoint Log Hybrid, UEBA

11.7.x

SADOCS-2387

Title: Aggregate services configuration fails after selecting multiple services in the Services Config view.

Problem: After adding the services in the Aggregate Services list using Trusted Authentication, if you select multiple services at a time in the Services Config view and click Apply, an error is displayed. As a result, the configuration fails.

Workaround: Select one service at a time and click Apply to save the changes.

11.6 and 11.7

SADOCS-2273

Title: Live Content resource types are not downloaded when they exceed a certain size limit.

Problem: In the Live Content view, when you try to create or deploy any resource type (exceeding a certain size limit) such as Bundle, an error message Error retrieving live resources is displayed. As a result, the resources are not downloaded.

Workaround: Avoid bulk deployment of the resources. Deploy the resource types in smaller batches.

11.7.1.1

ASOC-119777

Title: Export Connector and netwitness codec upgrade fails when you upgrade from 11.6 to 11.6.1.3 or 11.7 to 11.7.0.1 or 11.7 to 11.7.1 to fix the Log4j vulnerability

Problem: When you upgrade from 11.6 to 11.6.1.3  or 11.7 to 11.7.0.1 or 11.7 to 11.7.1 for the Log4j fix and have export-connector and netwitness-codec plugin in your deployment, then it is not installed correctly. This occurs only if you have Logstash installed as part of the NetWitness installation on the Log Collector service as the Export Connector plugin will be automatically installed during the patch upgrade.

Workaround:

1. Remove the stale plugin after the upgrade. Do the following:

• cd /usr/share/logstash
• ./bin/logstash-plugin remove logstash-input-netwitness_export_connector
• rm -rf /usr/share/logstash/vendor/bundle/jruby/2.5.0/logstash-input-netwitness_export_connector-2.0.0
• rm -rf /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-netwitness_export_connector-2.0.0

2. Install the new plugin after the upgrade. Do the following:

• cd /usr/share/logstash/bin
• ./logstash-plugin install

file:////opt/netwitness/logstash/logstash-codec-netwitness-offline-1.0.0.zip

For stack with the Upgrade path 11.6.0.0 to 11.6.1.3, do the following:

• ./logstash-plugin install

file:////opt/netwitness/logstash/logstash-input-netwitness_export_connector-offline-2.1.0.zip

For stack with the upgrade paths 11.7.0.0 to 11.7.0.1, 11.7.0.0 to 11.7.1.0, do the following:

• ./logstash-plugin install

file:////opt/netwitness/logstash/logstash-input-netwitness_export_connector-offline-3.0.0.zip

3.  Restart Log Collector service

   service nwlogcollector restart

11.6.1.3, 11.7.0.1, and 11.7.1

ASOC-118763

Title: 10G Packet Decoder restarts continuously when it is configured with the DPDK interface.

Problem: When the 10G Packet Decoder (configured with the DPDK interface) is stopped due to the crash or process kill, and the service is started back, it continues to restart until you reboot the host machine. This issue occurs when the huge page files in the decoder are not removed.

Workaround:

1. Stop the Decoder service.

2. Delete

   /dev/hugepages/rsa_nw_decoder_session file.

3. Start the Decoder service.

The Decoder service and the DPDK capture starts.

11.6.1.3

ASOC-118647

Title: Unable to publish the configuration policy on Core Services due to authentication error.

Problem: Publishing policy fails as the default admin password to authenticate core service is changed.

Workaround: 

You must reset the admin credentials to their default credentials.

11.7

ASOC-116010

Title: Export Connector and netwitness codec upgrade fails when you upgrade from 11.6 to 11.6.1.3 or 11.7 to 11.7.0.1to fix the Log4j vulnerability
Problem: When you upgrade from 11.6 to 11.6.1.3  or 11.7 to 11.7.0.1 for the Log4j fix and have export-connector and netwitness-codec plugin in your deployment, then it is not installed correctly. This occurs only if you have Logstash installed as part of the NetWitness installation on the Log Collector service as the Export Connector plugin will be automatically installed during the patch upgrade. 
Workaround: 

1. Install the new plugin after the upgrade. Do the following:
    cd /usr/share/logstash
    ./bin/logstash-plugin remove logstash-input-netwitness_export_connector
   cd /usr/share/logstash/bin
   ./logstash-plugin install file:////opt/netwitness/logstash/logstash-input-netwitness_export_connector-offline-2.1.0.zip
   ./logstash-plugin install file:////opt/netwitness/logstash/logstash-codec-netwitness-offline-1.0.0.zip

2. Restart Log Collector
    service nwlogcollector restart

11.6.1.3, 11.7.0.1

ASOC-116523

Title: Service Topology Tab is not displayed correctly.
Problem: NetWitness Service Topology Tab is not displayed correctly in the config page when the user is in non-ember pages like Live Content/ ESA rules/ Subscriptions/ Custom Feeds. 
Workaround: None

11.7

ASOC-113314

Title: NWO-TC connection is lost when the server name is changed.
Problem: When the Orchestrator-TC App server name is changed from the 11default name which is threatconnect, the connection to the Respond Server fails.
Workaround: You must retain the Orchestrator-TC App server name as threatconnect.

11.7

ASOC-107060

Title: Incident rules are not displayed correctly.
Problem: In some cases, the incident rules on the UI are not in the correct order, and duplicates are displayed.
Workaround: None

11.6 and 11.7

ASOC-113076

Title: Logs are not published to sms.log.
Problem: After upgrading or installing 11.6, 11.6.1 and 11.7 versions, the logs are not written to sms.log and instead written to wrapper.log. This is because multiple libraries were updated in these versions.
Workaround: To resolve this issue use the wrapper.log which contains all the logs and increase the log file size of the wrapper.log by editing the wrapper.conf file as mentioned below:
1. Open /opt/rsa/sms/conf/wrapper.conf
2. Edit the following:

• wrapper.logfile.maxsize=50m
• wrapper.logfile.maxfiles=9

11.6, 11.6.1 and 11.7

ASOC-111141

Title: When a user pivots to an original event the page keeps loading.

Problem: When the user whose role does not have permissions in the core services, tries to pivot from the original event by clicking the Investigate Original Event option from the Respond alerts and events page it keeps loading.

Workaround: You must create the user and role in the core services. 

11.5, 11.6 and 11.7

ASOC-112766

Title: Concentrator service crashes intermittently, after upgrading to version 11.5.2.

Problem: After upgrading to version 11.5.2, the Concentrator service crashes intermittently and the errors are displayed in the logs.

Workaround: To fix this issue, do the following:

• Stop concentrator service
  <service nwconcentrator stop>

• Edit the index- concentrator-custom.xml and add the below line. (If the line for ‘’word” already exists, change it so that ‘’ngrams’’ has a value of ‘’none”.)
  <key description="Text Token" name="word" format="Text" level="IndexValues" valueMax="12000000" defaultAction="Hidden" maxLength="3" minLength="3" ngrams="none"/>

• Start the service

 11.5

ASOC- 109672

Title: Kibana plugins fail to load.

Problem: After UEBA upgrade to 11.6.1, the kibana plugins don’t work properly and result in loss of functionality.

Workaround: To resolve this issue SSH to the UEBA and run the following commands:

1. systemctl stop kibana
2. sed -i '7 s/5.6.9/5.6.16/' /usr/share/kibana/plugins/kibana_dropdown/package.json
3. sed -i '8 s/5.6.9/5.6.16/' /usr/share/kibana/plugins/prelert_swimlane_vis/package.json
4. systemctl start kibana

11.6.1

ASOC -112191

Title: Incorrect time Indicator charts and titles are displayed on the UI.
Problem: In the admin server, after you configure the required time zone, the time indicator charts and titles are not updated causing incorrect data to be displayed in the UI.

Workaround: None

11.5, 11.6, 11.6.1.0

ASOC-110272

Title:  Health and Wellness displayed irrelevant services.
Problem: The New Health and Wellness service displays information about Kibana, nw-metrics, and Elastic search with TLS and uses self-signed certificates issued by the NetWitness server.

Workaround: Configure the enterprise certificates as per the requirement.

11.5.3.1, 11.6.1.0

Title: An error is displayed due to Live Connect data source discontinuation in NetWitness Platform 11.4.1.4.
Problem: An error ‘Context lookup failed for this datasource since it returned an error’ is displayed due to Live Connect data source discontinuation in NetWitness Platform 11.4.1.4.
Workaround: None.

11.4.1.4

Title: Data-sync job fails.
Problem:When you upgrade from NetWitness Platform 11.5.3.2 to 11.6.1.0, the data-sync job fails due to a mongo error.

Workaround: You must disable mongo authorization. Perform the following.

1. SSH to the Admin Server or the node on which you are taking backup.
2. Go to /etc/mongod.conf file.
3. Change the authorization configuration to disabled.
   For example,
   security:
   authorization: disabled
4. Sync the data job using the following command:
   /opt/rsa/saTools/bin/schedule-standby-admin-data-sync -di <stand-by-admin-server-ip>

11.6.1.0

Title: An error message is displayed while creating new roles in Roles tab.
Problem:

While creating new roles in Services > Security > Roles tab, the error "Failed to set /users/groups/API with value sdk.content,sdk.meta,sdk.packets,sdk.manage,connections.manage,sdk.meta.event.time:com.rsa.netwitness.carlos.transport.TransportExc eption: Invalid role ’sdk.meta.event.time" is displayed. Role permissions such as sdk.content, sdk.meta, logs.manage are not accessible as a result of this error. 
Workaround:

To resolve this issue, go to Explore > Users > Groups and add the new role.

 11.6, 11.6.0.1

ASOC-110790

Title: UEBA fails to create users containing a backslash on ElasticSearch.
Problem:

When events with usernames containing a backslash character is passed through UEBA, then the userId_output_entities task fails.
Workaround:

To resolve this issue, contact the customer support team.

11.6

Title: UEBA fails to create features for users containing a hashtag.
Problem:

When events with usernames containing a hashtag character is passed through UEBA, then the AUTHENTICATION_userId_build_feature_historical_data task fails.
Workaround:

To resolve this issue, contact customer support team.

11.6

Title: After 11.6 upgrade, the dotted chart displays only one value on X-axis for indicators that were triggered in previous versions.
Problem:

In version 11.6, the pie chart has been updated to display a dotted chart. On upgrade from previous versions to 11.6, the dotted chart displays only one value on the X-axis. This happens in case of existing indicators which did not have dates mentioned in the pie chart. However, for new indicators the dotted chart will be displayed appropriately.
Workaround:

None.

11.6

Title: The ESA Basic Rule Builder (BRB) does not allow you to add array type meta keys. It displays the error: Join conditions must match.
Problem:

You can define a rule condition by adding one or more statements. For each of the statement, when you define the keys, operators and values, the ESA BRB does not support array type meta keys.
You can use the enrichment values as whitelist and blacklist within the rule builder to construct and process rules and alerts. However, the rule builder does not accept string [] meta keys from the enrichment sources (whitelist or blacklist conditions)
Workaround:

Use the advanced rule builder to build your Advanced Event Processing Language (EPL) statement with array meta keys.

11.6

Title: The ESA meta entities does not support any array data type other than string [] array. Example: Integer [] is not supported.
Problem:

When you create a rule using the ESA Basic Rule Builder (BRB) with meta keys comprising of array data types other than string [] (example: integer[]), it displays the error: Cannot compare primitive type "int" with "null".
Workaround:

Check your rule and remove all the non-string[] data type array meta keys, and re-deploy the rule.

11.6

Title: Error Notification on Admin Server while processing ESA Correlation rules.
Problem:

NetWitness displays the RSAContext annotation error onError = STOP_ALL_RULE_PROCESSING_AND_WAIT when reclaim_group_aged annotation is used in the ESA rule.
Workaround:

None

11.6

Title: After upgrading to NetWitness Platform 11.6, Warm standby server failover fails.
Problem:

After you upgrade to NetWitness Platform 11.6.x.x, Warm standby failover fails with the below error:The version of the export : 11.x.x.x is not the same as current system version:11.6.0.0. This is not recommended way to restore and may leave the system in an unsupported configuration.
Workaround:

Perform the following.
1. Go to standby-data directory using the following command:

    cd /var/netwitness/standby-data
2.Make sure version.info content is not 11.6.0.0 using the following       

   command:

   cat version.info
3.Remove the version.info file using the following command:

   rm -f version.info
4.Run the following command:

   nw-failover --make-active

11.6

Title: When you upgrade to NetWitness Platform 11.6.0.0, the RabbitMQ server on a Virtual Log Collector or Log Collector fails to load or enable the nw_admin plugin. The shovel (which forwards logs from Virtual Log Collector to Log Collector) entry disappears in the UI and logs are not be forwarded to Log Collector.
Problem:

After you upgrade to NetWitness Platform 11.6.0.0, the shovel entry disappears in the UI and logs are not forwarded to Log Collector due to a system reboot or restart of the RabbitMQ Server.
Workaround:

Perform the following:
1. SSH to Virtual Log Collector or Log Collector as a root.
2. Run the following command:

    [root@VLC ~]# rabbitmq-plugins list
  OutputListing plugins with pattern ".*" ...Configured: E = explicitly enabled; e = implicitly enabled| Status: * = running on rabbit@f823d35e-970b-4ac2-a055-13ca8dea210a|/[E ] nw_admin 11.6.0.0[ ] rabbitmq_amqp1_0 3.8.9

<snip>
3. If the status is "E*" there is no issue with the plugin, if the status is "E", run

   the following command:

 [root@VLC ~]# rabbitmq-plugins enable nw_admin

The shovel is displayed with green status in the UI.

Title: Unable to logout from the New Health and Wellness dashboards.
Problem:

If you log out from the New Health and Wellness dashboard (Kibana), the request is not processed and returns an error.
Workaround:

You are logged off after the session time out.

11.6

Title: Data privacy mapping behavior with protected meta keys.
Problem:

The ESA Correlation service does not honor the meta set property when <protected> is set to true in the data source.
Workaround:

Add the protected meta keys in the global-private-fields file as comma-separated values.

11.5.2, 11.5.3

Title: Syntax error when and, or, and not operators used in lower case.
Problem:

Syntax error occurs when query is run with and, or, and not operators in lower case in Events view. For example, when a query ip.src exists and ip.dst exists is run, the and operator is not recognized and syntax error is displayed.
Workaround:

Use uppercase operators (AND, OR, NOT) while writing query.

11.5, 11.5.0.1, 11.5.1, 11.5.2

Title: Certificate reissue fails with NullPointer Exception.
Problem:

In NetWitness Platform 11.3.0.2 or later, when you reissue certificates for all the hosts, cert-reissue fails with NullPointer exception if the Syslog service is configured and enabled on one or more node x.

Workaround:

You must delete the Global Audit Logging configuration corresponding to the syslog audit notification server before running cert-reissue on all the hosts.
1.  Log into NetWitness Platform and go to System > Global Auditing.
2.  Select the check box corresponding to the syslog-audit Notification

     Server.

      IMPORTANT: Save the selected configuration such as Name,

      Notification Server and Notification Template before deleting the

      configuration.

3. Click - to delete the configuration.
4. Run the below certificate reissue command on node-z.

     cert-reissue --host-all -v

     Once the cert-reissue command is completed, you must add the

     deleted configuration in the NetWitness Platform UI.
5. Go to System > Global Auditing.
6. Click + to add the configuration saved in step 2.
7. Click Save.

11.5.3

Title: Airflow-webserver service failed on upgrade from 11.3.x to 11.5.3.
Problem:
On upgrade from 11.3.x to 11.5.3, the airflow-webserver service failed to start as it was unable to load the previous DAGs parameters from PostgreSQL.
Workaround:
To resolve this issue perform the following:
• Perform step 1 to step 3 from the Post Upgrade Tasks for UEBA section in the Upgrade Instructions for RSA NetWitness Platform 11.x to 11.5 guide.
• Perform the “Airflow-webserver service failed on upgrade” steps in the Troubleshooting topic the UEBA Configuration Guide.

11.5.3

Title: Risky Users information will not be displayed in Top Risky Users panel and custom panels in the Springboard.
Problem:

When you have configured NetWitness Detect AI in your environment, Springboard is not able to fetch and show data for user panels.
Workaround:

To view the Risky Users, perform the following:

Log in to the NetWitness Platform and go to Users.
The Overview tab is displayed with the Top Risky Users.

11.5.3

Title: The STIX TI button in Context Lookup contains information with errors even when it's grayed out.
Problem:

When you add only STIX TAXII as a data source in Context Hub, the STIX TI button displays information with errors even when it is grayed out. While this issue does not result in any functional loss, you will see the associated warning message displayed on the UI.
Workaround:

You must add another data source such as STIX REST or File along with STIX TAXII data source to resolve this issue.

11.5.2 

Title: After upgrading from 11.3.0.2 to 11.5.1, unable to log in to NetWitness Platform.
Problem:

After you upgrade from version 11.3.0.2 to 11.5.1 and reboot NetWitness Platform, NetWitness login fails with Admin server not reachable error.

Workaround:

To resolve the issue, do the following steps.

   1. Stop rsa-nw-admin-server service.
       systemctl stop rsa-nw-admin-server.service
   2. Log in to nw-shell.
       nw-shell
   3. Run the bellow command.
       offline » reconstruct-keystore --service admin-server

       The output looks like below.
       Added service alias for admin-server chain from /etc/pki/nw/service/rsa-nw-admin-       

       server.chain file
       Key entry with alias netwitness ca is not found in the admin-server keystore
       Adding key entry for alias nw-saml in the new keystore
       Saving the keystore - [OK]
       Successfully reconstructed keystore. New file is located at: /etc/netwitness/admin-     

       server/keystore.p12.new
   4. Exit from nw-shell.
       exit
   5. Change the directory to admin-server.
       cd /etc/netwitness/admin-server
   6. Backup the existing keystore file.
       mv keystore.p12 keystore.p12.backup
   7. Replace keystore.p12 with successfully

       reconstructed keystore at

       /etc/netwitness/admin-server/keystore.p12.new
       cp keystore.p12.new keystore.p12
   8. Set permissions to keystore.p12.
       chmod 640 keystore.p12
       chown netwitness:netwitness keystore.p12
  9. Start rsa-nw-admin-server service.
      systemctl start rsa-nw-admin-server.service
 10. Restart the web application server service jetty.
       systemctl restart jetty

11.5.1

Title: UEBA Azure AD Logs events cannot be queried.

Problem: The device.type = 'microsoft_azure_signin_events' cannot be queried as it is not supported.

Workaround: None

11.5.1

Title: Unable to push feeds with a feed definition XML file in 11.5

Problem: Custom feed deployment fails when an XML Feed File is used. The same XML file used to work in the previous versions.

SACE-14462

Title: Cursor No Longer Shows On Login Page

Problem: When the log in page loaded, there is no cursor in any fields while some of the previous versions have the username field in focus.

11.4.x, 11.5.x

Title: Verification of packetdb compression that we aren't observing working

Problem: Packetdb compression does not work for pcapng format. This is expected behavior as compression only works with the native NetWitness databse format. A warning will be added to 11.5.2 to indicate that compression is not supported with pcapng format.

11.4.x, 11.5.x

Title: UI Text Does Not Make Sense For PKI Certificates

Problem: On the Admin > Security > PKI Settings tab, below the PKI Authentication Based Status window, the following text appears:
"Before you enable PKI Authentication, you must add the configure Server CA Certificate in the trust store. At least one external authentication system/method must be enabled with an external group and mapped to an Administrator role."
To avoid the confusion, the text will be changed as

"Please Note: Before you enable PKI Authentication, you must have at least one Trusted CA configured. At least one external authentication system/method must also be enabled with an external group and mapped to an Administrator role."

11.4.x, 11.5.x

SACE-14665/

ASOC-104534

Title: As of 11.4.1.2, exporting meta from Investigate includes all fields instead of limiting to selected meta group

Problem: Exporting meta from Investigate includes all meta fields while it should only export the meta data for the currently selected meta group.

11.4.x, 11.5.x

SACE-14163/

ASOC-104207

Title: TLS decryption to support RFC 7627 (extended master secret)

Problem: Decrypting sessions with a private key which uses TLS_RSA_WITH_AES_256_CBC_SHA, returns "Encountered bad padding while decoding record."

SACE-14406/

ASOC-104391

Title: Customer is seeing performance issues on new broker will hang during investigation.

Problem: The UI hangs when trying to run a query under Investigate and sometimes it fails to load meta keys. The issue goes away for a while when the broker service is restarted.

11.4.1.3, 11.5.0.1,

11.5.1

SACE-13955/

SACE-14294/

SACE-14165/

ASOC-102071/

ASOC-102072

Title: New Health and Wellness dashboard view is not displayed when you log in to NetWitness Platform as an Active Directory (AD) user.
Problem:

If an AD group is configured with an Administrator role in NetWitness Platform and you log in as an AD user (associated with the AD group), the New Health and Wellness dashboard is not displayed when you pivot to Dashboards.

Workaround: None 

11.5.1

Title: Legacy Events View does not process event time.
Problem:

Legacy Events View uses collection time and not the event time. Now, when the user preference for Query Time is set to Event Time and the user issues a text search, if the link in the body of the page or the table footer is used for a refined search in Legacy Events View then the Start Time and End Time passed to Legacy Events View will be for the event time. The search might not display the desired results as Legacy Events View does not use the event time.

Workaround: It is recommended that you modify the time to the desired time range in order to see the expected results.

11.5.1

Title: The User Profile view displays data for inactive users.
Problem:

If a user is not active for the past 30 days, no new data is displayed in the Modeled Behavior tab. However, the last days older data is not deleted and is displayed for the inactive user.

Workaround: None

11.5

Title: Update status stays in “In Queue for Update” state and does not change.
Problem:

While upgrading the NetWitness Platform hosts, for one or more hosts the update status remains in “In Queue for Update” state and does not change.

Workaround: 

To resolve the issue, do the following steps.

1. SSH to NW Admin Server.
2. Run the following command on the NW Admin Server for the host that is in “In Queue for Update” state for long time.
   upgrade-cli-client --upgrade --host-addr <host-ip> --version <version number>
   
   

   <host ip>: IP address of the host displayed in the NetWitness Platform user interface for the host that is in “In Queue for Update”.

   <version number>: Version to which you want to upgrade. If you are upgrading to version 11.5.1.0, the version number will be 11.5.1.0

11.4.x, 11.5,

11.5.0.1

Title: SSL Packet Decryption not working on Investigator Thick Client v11.4

Problem:

Investigator Thick Client 11.4 fails to decrypt SSL packets as 1024 bit private keys are not supported.

SACE-13924/

SACE-14408

Title: Events not displayed when using query prefix

Problem: Events are not displayed when using a query prefix. The issue in only noticed when investigating into a broker.

Title: cert.thumbprint and ja3 not always computed

Problem: The meta keys Ja3/Ja3s and cert.thumbprint are not getting generated for TLS sessions after enabling SSL fingerprint by adding HTTPS="cert.sha1=true ja3=true ja3s=true" to the parser options.

SACE-13597/

ASOC-96566

Title: warm standby - nwsetup-tui failed and does not set the IP address configured

Problem: nwsetup-tui script on warm/standby server fails to run, and does not set the IP address configured.

SACE-12658/

ASOC-91271

Title: Invalid EPOC Timestamp with a year outside of range 1400-9999 breaks Msearch

Problem: Msearch breaks and returns "Year is out of valid range: 1400..9999" when the raw log has incorrected formatted EPOC timestamp.

Title: Converting Feed to ContextHub List failed

Problem: Deploying a custom feed using a csv fails with an error "Converting Feed to ContextHub List". Workaround: disable mongo authentication in /etc/mongod.conf and set the flag " failIndexKeyTooLong" to false, restart the mongo service and then deploy the feed. Contact RSA Support. A custom hot fix may be required.

11.4.1.1

SACE-13151/

SACE-13606/

ASOC-94746

Title: 11.3 LC has significant TCP Syslog performance problems compared to 10.6.6 LD using the same source

Problem: 11.3 Log Collector shows around one quarter of syslog collection rate compare to 10.6 Log Collector.

11.3.x, 11.4.x

SACE-12098/

ASOC-94276

Title: Problem in the UEBA backup-restore script

Problem: UEBA backup script fails due to the elasticsearch dump file being temporaily created in /etc/elasticsearch/backup causing the / partition to be 100% full.

SACE-13558/

ASOC-59891/

ASOC-96786

Title: NW 11.4.0 - Admin server rabbitmq serviec runs out of file descriptors

Problem: The RSA NetWitness appliance's RabbitMQ service appears not to be processing even though the service is still running. When performing a netstat on the server there are a large number of connections, possibly in the thousands, associated with RabbitMQ (beam.smp) process.

Refer to 000038886 - RabbitMQ file descriptor limit reached in RSA NetWitness Platform 11.4.x 

SACE-13168/

ASOC-96680/

ASOC-96683

Title: Issues doing full search text in investigation

Problem: Log Decoder service crashes while running msearch query on raw logs

11.4.1.2, 11.5

SACE-13568/

SACE-13291

Title: 11.4.1 Advanced Agent causing Windows Pseudo Console apps to hang

Problem: After Endpoint agent is running for a few minutes, any appplications that use  the Windows Pseudo Console, CONpty, stop working unless they are run as an administrator. Restarting the deviceep service, uninstall the Endpoint agent, or rebooting the host fix the issue for a short whileuntil the issue recurs.

SACE-13294/

ASOC-98427

Title: Login Banner not working after upgrade to 11.4

Problem: After upgrading to 11.4, the configured login banner does not pop up.

11.4.1.2, 11.5

SACE-13278/

ASOC-98030/

ASOC-102439

Title: Query on the content of mail returns an error.

Problem: Email content msearch query fails with "ERROR Message: An error occurred searching service: Connection to service is closed …"

SACE-13400/

ASOC-102074

Title: Esper behavior with helper functions isOneOfIgnoreCase / isNotOneOfIgnoreCase

Problem: The helper function, 'isOneOfIgnoreCase' or 'isNotOneOfIgnoreCase', for array meta key 'email_src' cause the rule deployment to fail using the rule builder. Advanced EPL rule can be deployed but causes some false positives.

SACE-12773/

ASOC-103988

Title: Log Decoder service is core-dumping at restart. 

Problem: Some parsers or app rules(e.g. for log forwarding) cause the log decoder service to crash during a service restart.

SACE-12898/

ASOC-90740

Title: Historical graph not showing graph yet showing numbers when you hover the mouse

Problem: Selecting other than 'Current Day' from a Historical Graph in Health & Wellness->System Stats Browser does not draw graph although hovering the mouse in this white space displays the expected numbers.

SACE-13666/

ASOC-101606

Title: Test Rule does not generate alert for the event.
Problem:

When testing a Rule in the New Advanced EPL panel, does not generate alert for the event.

Cause: If you are testing any Rule that has meta key defined as type 'short', the Test Rule will not generate alert for the event.

Workaround: None

Title: After upgrading to version 11.5, the ESA correlation server does not aggregate events from the configured data sources.
Workaround: 

To resolve the issue, do the following steps.
In the NetWitness Platform user interface,

1. Go to Configure > ESA Rules.
   ESA Rules panel is displayed with Rules tab open.
2. In the Rules tab options panel, under Deployments, select a deployment.
3. In the Data Sources section, select the data source and click the edit icon in the toolbar.
4. In the Edit Service dialog, type the password for that data source.
5. Click the Test Connection button to make sure that it can communicate with the ESA service and then click OK.
   Note: Do the above procedure for all the configured data sources.
6. After you finish making changes to the deployment, click Deploy Now to redeploy the ESA rule deployment.

Title: Context Hub service goes offline when multiple users load the Investigate > Navigate view
Problem: If multiple users try to load the Investigate > Navigate view, the Context Hub service goes offline. This is because RabbitMQ queues Context Hub messages resulting in the service to go offline.
Workaround: You must check the contexthub-server logs (/var/log/netwitness/contexthub-server/contexthub-server.log) and do any one of the following:

• If there is an Out of Memory issue:
     - Increase the RAM of the Context Hub service Java process to 16 GB by editing the -Xmx option available in /etc/netwitness/contexthub-server/contexthub-server.conf
  In JAVA_OPTS, search for the -Xmx option.”For example, edit the entry as follows:
  Xmx16G
  Where 16G represents 16GB space.
     - Restart the Context Hub service.
• If there is no Out of Memory issue, you must restart the Context Hub service.

Title: The Classic user interface fails to start if the NW Server is rebooted after performing an upgrade init command.

Problem: After performing the upgrade init command on the NW Server and rebooting the NW Server, the Classic user interface does not start up.

Solution: Perform the upgrade on the NW Server again using the command line instructions described in "Appendix A. Offline Upgrade Using CLI" in the "Upgrade Guide for RSA NetWitness Platform 11.5". Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.

Title: Logging out from the New Health and Wellness dashboard logs you out from the NetWitness UI.
Problem: If you log out from the New Health and Wellness dashboard, it also logs you out from the NetWitness Platform UI.

Workaround: None. Log in to NetWitness Platform again.

Title: Continuous scans fail if the host name is used for the source host.

Problem: If the continuous scan configuration uses the host name for the source host instead of the host's IP address, the Malware continuous scan fails.

Workaround: Change the source host name to the IP address in the Source Host field on the Malware Analysis configuration page on the General tab in Continuous Scan Configuration. For more information, see the "Malware Analysis Configuration Guide".

Title: Issue with logging UUID's or obsolete IP addresses in core services system log files.

Problem: A core service (for example, a Broker or Concentrator service) that has been configured to aggregate or connect to another NetWitness Platform component host may not reflect the latest IP address or hostname of the remote host in the service's system logs. This can occur after configuring an aggregation connection to a newly installed NetWitness Platform component host, or after updating the IP address or hostname of an existing NetWitness Platform component host.
Workaround: Restart the affected core service hosts which have an aggregation connection to either the newly-installed host or the host whose IP address or hostname has changed.
After a core service IP changes, it may be necessary to restart the ESA Correlation service or redeploy the ESA rule deployments for the logs to reflect the correct IP.

Title: Filter Events Panel Shows Unexpected Results for Query Containing an Unwrapped OR

Problem: When you use OR in a query in the Events view and then drill into the result using a left-click option from the Events Filter panel, the new filter is added with an AND, without adding parentheses around the existing filters that use a logical OR. This gives different results than expected when compared to Navigate view and Legacy Events view results.

Workaround: When adding to a query in the Events panel, whether via left or right click in the Filter Events panel or linking from outside Events, the existing filter must be enclosed in parentheses if there is a top-level, unwrapped OR, either as its own operator or inside a complex filter. For example, service = 80 OR service = 443 AND sourcefile = 'email.pcap' will not return expected results. Edit the filter to enclose the logical OR statement in parentheses as follows: (service = 80 OR service = 443) AND sourcefile = 'email.pcap'. If the filter is service = 80,25 AND filename = ‘invoice’, enclose it in parentheses as follows: (service 80,25) AND filename =‘invoice’.

To enclose the logical OR expression in an additional set of parentheses; select the two filters in the query bar, right-click one of them, and select Wrap in parentheses in the drop-down menu.

1. Remove federation links corresponding to component hosts that are offline, shutdown or deleted:
   a. Log into https:<IP of NW Server>:15671 and go to Admin > Federation Upstreams.
   b. Select the upstream name corresponding to the component host that is either removed from the UI or that was taken offline or shutdown, and select Delete this Upstream.

Title: Permissions to manage meta groups and column groups in Investigate do not apply in Investigate.
Problem: The investigate-server.metagroup.manage and investigate-server.columngroup.manage permissions should control the ability of a user role to add, delete, edit, and clone meta groups and column groups. However, users are not prevented from adding, deleting, editing, and cloning meta groups and column groups in Investigate.

Workaround: None.

Title: Raid Script Tool "nwraidtool.py" fails when encounters a bad drive.

Problem: Raid Script Tool "nwraidtol.py" fails when it encounters a drive is in a 'UBad' state.

Title: Event Source Monitoring tracking wrongly after upgrading to 11.4.1.0.

Problem: After upgrading to 11.4.1.x, false alarms are triggered for High threshold and no alarm is triggered for Low threshold.

SACE-13616/

SACE-13812/

SACE-13879/

SACE-13908/

SACE-13935/

ASOC-100351

Title: Endpoint agent not being assigned a policy when more than 3 IPs are assigned to same NIC on endpoint.

Problem: Endpoint agent is not being assigned a policy when more than 3 IP addresses are assigned to the same NIC on the endpoint agent host.

11.3.x

11.4

11.3.2.1HF

11.4.1HF

11.5.1

Title: Malware Analysis License appears to be expired on UI.

Problem: The license server fails to parse the Malware-Analyis entitlements as it expects a different feature name, and so the license appears to be expired on the Admin UI.

11.3.x

11.4

SACE-13682/

SACE-13818/

SACE-14061/

ASOC-86674

Title: REST API Results for Countdistinct are not complete on Broker.

Problem: On a 'passthrough' Broker ( a Broker connected to just one upstream device) the countdistinct aggregate function does not work correctly in when used in the SDK query API.

11.4.1.2

11.5

SACE-13702/

ASOC-97826

Title: Endpoint Server does not detect process at Z drive.

Problem: Scanning Endpoint hosts does not find processes that are run from the drive letter "Z".

11.4.1HF

11.5.1

SACE-13721/

ASOC-97733

Title:  Single Sign-On authentication Implementation Failure

Problem:  Single Sign-On authentication does not work although the Admin server is correctly configured.

SACE-13731/

ASOC-101328/

ASOC-101327

Title: Endpoint Agent in Insights mode crashes on Red Hat/CentOS 8.x

Problem: Endpoint agent in Insights mode crashes when installed on Redhat/CentOS 8.1. When the agent is switched to Advanced mode, it starts to work normally.

11.4.1HF

11.5

SACE-13763/

ASOC-96290

Title: Packet Decoder's capture process stops with the 'packet pool depletion' alarm.

Problem: When HTTP2 header parsing is turned on, then Decoder would hang on HTTP2 parser causing packet capture to go down.

11.4.1.2HF

11.4.1.3

11.5

SACE-13775/

SACE-13977/

SACE-14065/

ASOC-100350

Title: Higher entitled usage for throughput licenses is noticed after upgrading to 11.4.1.0.

Problem: Data filtered by App rules is still counted as captured bytes causing higher entitled usage for throughput licenses after upgrading to 11.4.1.0. /decoder/stats/capture.appfilter.bytes does not increment.

11.4.1.3

11.5.1

SACE-13928/

ASOC-101847

Title: Investigate-HOSTS page does not show all IP addresses of Endpoint agent on Mac.

Problem: Investigate-HOSTS page does not display the IP address if its interface has MAC address, 00:00:00:00:00:00. This can occur when the Mac host is connected via VPN.

11.4.1HF

11.4.1.3

Title: Index Language merge handler doesn't update entities from Index definition files on Log Hybrid Retention 

Problem: The language merge handler which exists for decoder during /index save () call doesn't merge entities which are loaded from Index definition files. Due to this problem, the changes made to index keys are reverted back to the old settings.

Workaround: Remove the index save scheduler entry and use automatic Index save using /index/config/save.session.count.

11.4.1.3

11.5.1

SACE-13985/

ASOC-101191/

ASOC-101454

Title: The first line in a CSV file is removed when a custom feed is deployed as Non IP type.

Problem: When a custom feed is deployed as Non IP type, the first line in the source csv file is missing from the deployed csv file under /etc/netwitness/ng/upload/tempxxx.

11.4.1.3

11.5.1

Title: Feed Selection for Groups does not have previously pushed out groups check marked.

Problem: When you edit the feed, the previously selected and deployed device groups are not selected, making it difficult to understand which are deployed.

Title: Unable to add the "accessInvestigateUsers" to a role via the GUI.

Problem: When tried to add  "accessInvestigateUsers" permission to the user in  Admin>Security>Roles tab, the permission "accessInvestigateUsers" does not available.

Title: adding/Editing a recurring feed only validates the hostname in the URL path, not the filename or path when clicking Verify.

Problem: Custom feed verifies only the host name in the URL path and does not verify the filename or path.

Title: PAM Kerberos authentication fails after upgrading to 11.4.0.0.

Problem: After upgrading to 11.4, unable to login to NetWitness Platform user interface using PAM authentication.

Title: NW 11.4.0.0 - Not able to deploy recursive feed on Decoders group.

Problem: After upgrading to 11.4, unable to deploy the recursive feeds on the Decoder group.

Title: NW 11.3.1.1 - credential mismatch - mixing users of different roles between admin and non-admin functions.

Problem: When the user logs in to NetWitness Platform, the permissions of the user who previously logged in is applied.

Title: UI is sometimes very slow.

Problem:The NetWitness Platform user interface response is very slow and takes up to 30-45 seconds to work.

Title: Rabbitmq service on Endpoint Hybrid fails to start in NetWitness 11.4.

Problem:After upgrading to 11.4, Rabbitmq service does not start.
Work Around: To resolve the issue, follow the below steps. 
1. On the UI of the NwAdmin, remove the failed Endpoint Log Hybrid from the hosts page
- Ensure that the UUID of the failed Endpoint Log Hybrid is no longer present in the output of the command orchestration-cli-client --list-hosts
2. Via ssh session on the failed Endpoint Log Hybrid
- Execute the command tar -zcvf /tmp/endpoint-ng-bkup.tar.gz /etc/netwitness/ng
- SCP this file to a safe location that is not on the failed Endpoint Log Hybrid
- Execute the command cat /proc/scsi/scsi and save the output
- Execute the command ls -ld /sys/block/sd*/device and save the output
- Execute the command pvscan and save the output
 -Execute the command lsblk and save the output
- Execute the command cat /etc/fstab and save the output
3. On the esxi/vcenter open the main information page for the failed Endpoint Log Hybrid
- Under the 'Hardware Configuration' window expand all the virtual hard drives and note the 'Controller' entry for each as well as the Capacity.
- We now need to compare the SSH commands we captured as well as the capacity and SCSI controller IDs so we know exactly which VMDKs need to be brought over. We do not need the VMDKs that contain the VGs 'netwitness_vg00*' or 'VolGroup00*'.
4. Politely Power off the failed Endpoint Log Hybrid
5. Create a new VM using 11.4.0.0 OVA
6. Via console session execute the command nwsetup-tui and follow on screen prompts
- During this the user will be prompted for network information, at this point please enter the IP of the failed Endpoint Log Hybrid
7. After nwsetup-tui run is completed go to the UI of the NwAdmin and discover the service.
- After the service is discovered, install the new Endpoint Log Hybrid from the UI
8. Once the new Endpoint Log Hybrid is installed politely power off the device.
9. Copy/move the VMDKs from the failed Endpoint Log Hybrid to the new Endpoint Log Hybrid
- Should only be moving 10 VMDKs total
- A copy would be best here, but may not be possible because of capacity constraints. If this is the case a move is accetable.
10. Once the copy/move of the VMDKs to the new Endpoint Log Hybrid is completed we need to add these hard drives to the VM.
- On the vcenter/esxi going to 'edit settings' on the vm and selecting 'add hard disk' -> 'existing hard disk'
 - do this for all the available hard disks that were moved over, should be 10 total.
11. After the 10 VMDKs have been added to the new Endpoint Log Hybrid power it on and SSH to it
12. A pvscan should show the added VMDKs
13. Append the lines from the failed Endpoint Log Hybrid output of /etc/fstab that contain the additional drive information to the new Endpoint Log Hybrid /etc/fstab
- Test this configuration with mount -a to ensure no errors occur
14. Run the command df -hP and ensure all mount points are present and sizes are expected.
15. [Optional] Stop the concentrator and logdecoder services
systemctl stop nwconcentrator
systemctl stop nwappliance
systemctl stop nwlogdecoder
systemctl stop nwlogcollector
16. [Optional] From the earlier tar.gz file, extract whatever backup information the customer feels is important (NOTICE: DO NOT BRING ANY OLD CERTS/KEYS/PKI THINGS FROM OLD VM).
- They can bring over things like /etc/netwitness/ng/NwConcentrator.cfg if they would like. Up to them.
17. [Optional] Start the concentrator and logdecoder services
systemctl start nwconcentrator
systemctl start nwlogdecoder
systemctl start nwlogcollector
systemctl start nwappliance

Title: Backup script v 4.4 and 4.5 gives verify puppet cert validity on SA 10.6.6.
Problem: After running the backup script version 4.5 on a 10.6.6 system, an error "verify Puppet Certs validity on SA Server" is displayed.

Title: NW Recovery Tool ignore Custom Meta Group and Investigation Profiles.
Problem: When running the NetWitness Recovery Tool (NRT), the custom Meta Groups and Profiles are not imported as a part of the restoration process.

Title: Threatgrid and RSA Cloud connection not working post upgrade to NW 11.2.1.1.
Problem: (Malware Analysis) After upgrading to 11.2.1.1, the Threatgrid module is not working and the RSA Cloud connection is not working via HTTP Proxy.

Title: On new 11.2.0.0 install, the mongo sa.repo table does not show 11.2.0.0 repo is downloaded.
Problem: After installing version 11.2.0.0, the mongo sa.repo table does not show that the 11.2.0.0 repo is downloaded even though /var/netwitness/common/repo/11.2.0.0 is available.

Title: Content issue possible customer is seeing HTTP 400 Errors.
Problem: Not able to extract file in the NetWitness Platform user interface, if the file is an attachment of a mail.

Title: Files not extracted from SMB Session.
Problem: Unable to extract files from an SMB2 session due to the recent changes in the SMB2 protocol.

Title: Packet Decoder with very low session rates and capturing at 9.6G.
Problem: Packet Decoder has very low session rates and capturing at 9.6G.

Title: Log Decoder Forwarding Configuration Issue.
Problem: Syslog forwarder forwards only the logs that have meta attached to them and have the forward flag set in the Application Rule.

Title: Upgrade to 11.4.0.1 is causing an impact when rebooting Series 6 packet Decoders and packet Hybrids.
Problem: Some times, when rebooting the Decoder or Decoder Hybrids, the Decoder service hangs during restart and becomes unresponsive.

Title: issues with proofpoint collection since upgrade from 10.6 to 11.3.
Problem: After upgrading to 11.3 or later, Log Collector does not receive logs from the Proofpoint event source.

Title: WinRM bookmarks returning 1 for a certain event channel stops collection across all channels.
Problem: WinRM channel bookmark is returning 1 as the PULL response and corrupts the bookmark file.

Title: using ssl syslog for logstash event source , crashes the nwlogcollector on VLC.
Problem: When the syslog event source is changed to syslog over SSL from Logstash, Log Collection service crashes.

Title: Needed API improvements to obtain actual sessions.behind per node (conc/decoder) on ESAs.
Problem: Users are able to retrieve the actual number of sessions.behind per data source on an ESA using esa-client on version 10.6.x. But this feature is no longer available in 11.3.

Title: Enrichment utilizing context hub list does not remove values which no longer exist in the list.
Problem:

A Context Hub enrichment in an ESA Rule creates alerts for the older values that are deleted.

This issue occurs when the list from which the Context Hub Enrichment is created is a recurring one with the Overwrite option. When the values are overwritten by new values, ESA alerts should not be triggered for the older values.

Title: Compressed payload not displayed in Respond for text recon.
Problem:

Compressed payloads not displayed when using text reconstruction in Respond. In 11.3.2 and 11.4, you may encounter a scenario when using packet reconstruction within Respond for network sessions containing compressed (for example, gzip) payloads.

Title: Risk Score is not getting calculated as the event generated in Respond doesn't have a Checksumsha256.
Problem:

Respond may stop processing alerts when Endpoint file alerts do not contain a SHA256 Checksum. In 11.3.2 and 11.4, you may encounter Respond stopping the processing of alerts when handling certain alerts containing Endpoint events not containing a SHA256 hash of the offending file. This results in a failure to calculate risk scores for alerts and, subsequently, errors when attempting to process subsequent alerts.

Title: Warehouse Connector - Add SFTP Destination with SSH Key Passphrase.
Problem: Unable to connect to the destination when the Warehouse Connector uses SFTP passphrase.

Title: Incorrect PSU status on H&W when actually one PSU is failed on S5 Hybrid.
Problem: PSU shows incorrect status on the Health & Wellness view, when one PSU fails on the S5 Hybrid.

Title: 11.3.2.0 - H&W alarm on Endpoint Loghybrid Logcollector - LogCollector Virtual System Resources Exhausted.
Problem: 11.3.2.0 - H&W alarm on Endpoint Loghybrid Logcollector - LogCollector Virtual System Resources Exhausted.

Title: Fan/Temperature information doesn't display on H&W System Stats Browser using Series 6 hardware.
Problem: ADMIN > Health & Wellness > System Stats Browser tab, does not display Fan status and System Temperature.

Title: Brasil No longer follows Daylight Savings Time - Update Moment Timezone Libraries for investigation.
Problem: After Brazil stopped using Daylight Saving Time, there is a one-hour discrepancy between the configured Profile timezone (Americas/Sao Paulo GMT -3) and the timezone used to display time in the Investigate and Respond views (Americas/Sao Paulo GMT -2).

Title: Wrong closing xml tag when exporting logs from the UI.
Problem: When logs are exported in XML format from the Events view or the Legacy Events view, the logs have incorrect closing tags. The closing tag is <Logs/> instead of the correct closing tag, </Logs>.

Title: Issues investigating off of a archiver collection.
Problem: When investigating an offline Archiver collection, it does not display metadata with events but displays only the events count.

Title: Unable to export logs using a custom time frame from event view when a profile is in place.

Problem: Event export fails when investigating for a custom time frame and profile with no prequery.

Title: Cannot export logs by Japanese users.

Problem: Unable to export logs in the Investigate view, when the user language setting is not English or French.

Title: In NetWitness 11.4 it removes pivoting in to meta on legacy views.

Problem: After upgrading to 11.4 and reconstructing an event in the Legacy Events view, the metadata drill down options are missing under the View Meta option in the event reconstruction toolbar.

Title: Investigate Event, searching value with slash character don't work, need to add extra slash to get the correct result.

Problem: From UEBA, when you pivot on a meta value containing a slash, the Investigate > Events view, does not display any results.

Title: Pivoting into the investigation of an event reconstruction is querying the wrong ip.src in FTP system parser.

Problem:

The event reconstruction for a filename in the Investigate > Events view is querying the wrong meta key (ip.src ) instead of ip.dst in the FTP system parser.

Title: "HTTP/1.1 500 Internal Server Error" from MA cloud.

Problem:

AV tab in Admin > Services > Malware > Config, does not display AV Vendor results.

Title: Some STIX fields are not there when converted to CSV.

Problem: When STIX data is converted to CSV format, some of the STIX fields are not available in the CSV file.

Title: Password for Live Connect and File Reputation datasource gets saved empty on edit config.

Problem: Connection for Threat Insights (Live Connect) and File Reputation data source fails as the password gets saved as blank.

Title: Recurring feed producing 'Failed' status when 'Converting Feed to Context Hub List'.

Problem:

When converting a recurring feed to a Context Hub list, it displays a failed status.

Title: Duplicate Hosts in Endpoint Log Hybrid.

Problem: In the Investigate > Hosts view, duplicate hosts are displayed for the same host name but with different agent IDs as the agent was installed multiple times.

Title: Reports on Alerts/Incidents from ESA alerts not generating.

Problem: When you edit an existing schedule of a report, you cannot select a data source if a data source was not previously selected.

Title: Discrepancy in Reporting Engine Alert Count.

Problem: When querying against a time range, it does not load any alerts and does not display all the alerts  when queried for the custom time range.

Title: UEBA UI unable to access after installation.

Problem: After upgrading, UEBA page shows the default user interface instead of the latest UEBA page.