To find out if any known issue is fixed, refer to the Fixed Issues section in the Release Notes for the appropriate release.
You can sort this list by clicking on the column headings.
Components | Title, Problem and Workaround | Found In / Exists In | Fixed Version | Tracking Number |
---|---|---|---|---|
UEBA | Title: Increased JA3 entities due to JA3 randomization caused DAG delays on the UEBA server. | 11.7.x, 12.0, 12.1, 12.2, 12.3 | | ASOC-138953 |
Correlation-Server | Title: InMemoryTable Adhoc Enrichment windows are not getting uploaded with data. Problem: When the user adds an Adhoc In-Memory Table enrichment under CONFIGURE > ESA > Enrichment Sources, the CSV file is uploaded via the UI, but when the enrichment is used in an ESA rule and the rule is deployed, the contents are not read into the named window and so are not available for the rule to enrich alerts. Alerts may not get enriched, or the rule condition (if it references the in-memory table enrichment) may not work as expected. Workaround: Re-import the CSV file after creating the enrichment and deploy the rules again. In short, the CSV file must be imported twice on enrichment creation or update for the content to appear in the named window. Users can confirm that the data has been uploaded to the named window under the "Named Windows" section of CONFIGURE > ESA Rules > Settings. | 12.1.x, 12.2 and 12.3 | | ASOC-138145 |
Central Content Management | Title: Content migration fails for Log Device content. Problem: When service content is migrated from services to Centralized Content Management, the migration fails if the syntax of one of the custom log devices is invalid. Workaround: a) Navigate to CONFIGURE > POLICIES > CONTENT > Content Library > Log Device. b) Click the "Import" button and select the Log Device that fails to migrate. | 12.3, 12.3.1 | | ASOC-138255 |
UEBA | Title: Red banner errors are displayed on the Users page after the UEBA host upgrade. Problem: When you upgrade the UEBA host, red banner errors may be displayed on the Users page. This is usually caused by a communication delay between the UEBA server and the Presidio UI service. Workaround: To resolve this issue, perform the following steps. | 12.2, 12.3 | | ASOC-134234 |
UEBA | Title: Airflow shows a warning message that the scheduler task is not running. Problem: The Airflow UI shows the warning "The scheduler does not appear to be running. Last heartbeat was received xx seconds ago. The DAGs list may not update, and new tasks will not be scheduled". This can occur due to a delayed response from the UEBA server. Workaround: Refresh the page a couple of times. If the issue persists, connect to the UEBA server and check the Airflow scheduler services. | 12.3 | | ASOC-133835 |
Reporting Engine | Title: A generic error message is displayed for duplicate report names on the Investigate > Events page. Problem: When you create or schedule a report from the Investigate > Events page using a report name that already exists, an error message is displayed. However, the message is generic and provides limited information: "Error generating report. Please check respond-server.log/investigate-server.log and sa.log". | 12.3 | | ASOC-134996 |
Reporting Engine | Title: A generic error message is displayed when you create or schedule reports on the Investigate > Events page and the data source is not configured in Reporting Engine. | 12.3 | | ASOC-134996 |
Reporting Engine | Title: Using future dates in the Custom date range option for Adhoc reports results in incorrect date ranges in the output report. | 12.3 | | ASOC-135074 |
Investigate | Title: Enter is used as a shortcut key to select a query suggestion in Advanced Query mode. Problem: When you construct a query in Advanced Query Bar mode in the Investigate > Events view, pressing the Enter key selects and executes the query instead of only selecting a suggestion from the query suggestions list. This differs from Guided Query Mode, where pressing Enter selects a suggestion from the list but does not execute the query. Workaround: Use the Tab key to select a suggestion from the query suggestions list while in Advanced Query Bar mode. | 12.3 | | 134482 |
Investigate | Title: Unable to load a saved query into the query bar in Advanced Query Bar mode. Problem: When you select a saved query while in Advanced Query Bar mode in the Investigate > Events view, the selected saved query is neither loaded into the query bar nor applied to the executed query. Workaround: NetWitness recommends using Guided Mode to execute a saved query in the Investigate > Events view. | 12.3 | | ASOC-133508 |
Investigate | Title: Unable to execute a query after the service is changed to a Decoder or Log Decoder in Advanced Query Bar mode. Problem: When you change the service to a Decoder or Log Decoder while in Advanced Query Bar mode in the Investigate > Events view, the search button is enabled, but clicking it neither executes the query nor shows an error. This happens because the query contains keys that are unindexed on the selected service, which is the expected behavior for any unindexed key. In Guided Mode, an error is displayed as soon as the service is changed using the service selection drop-down. Workaround: Remove the unindexed keys from the query before executing it. | 12.3 | | ASOC-134481 |
CCM | Title: The Publish and Restart pop-up does not appear when publishing a policy from the Policy listing page. Problem: When a configuration that requires a service restart is updated in a policy and the policy is published from the Policy listing page, the pop-up offering the "Publish and Restart Now" option does not appear. The policy is published with the "Publish and Restart Later" option automatically, and the services must be restarted later. Workaround: a. Restart the service(s) from the Groups page: 1. Go to the Groups listing page. 2. Select the group in which the service(s) require a restart. Or b. Publish and restart from the Edit Policy view. | 12.3 | | ASOC-134862 |
Investigate | Title: The most recent query is not populated when creating a new saved query in Advanced Query mode. Problem: Usually, the most recently executed query is auto-populated in the Pre-Query Conditions field when you save a new query. However, in Investigate > Events > Event Preferences > Advanced Query mode, the most recently executed query is not auto-populated in the Pre-Query Conditions field when you save the query (Saved Queries > New Saved Query). Workaround: We recommend that you switch to Guided Mode, run the same query, and then save the new query. | 12.3 | | ASOC-135221 |
Log Parser Configuration | Title: The list of log parsers is missing from the drop-down when adding a new parser. Problem: The drop-down does not list the existing out-of-the-box (OOTB) log parsers because the UI cannot sync with the previously synced Log Decoder service to fetch them. Workaround: The drop-down list will start getting populated. | 12.3 | | ASOC-135320 |
CCM | Title: Unable to access ESA deployments. Problem: Users cannot access the ESA deployment configurations in the Unified Deployment view or in the policy details, due to stale or invalid entries in the source-server Mongo database. Workaround: Clean up the invalid entries in the source-server Mongo database. Refer to the KB article "NetWitness ESA Deployments are not accessible in the Policies tab". | 12.1 | | ASOC-131743 |
Log Collector | Title: VMware Collection. Problem: The error 'Failed to parse event' was reported by the VMware collector process, causing VMware event logs to be dropped. Workaround: A hotfix patch was provided to the customer in 11.7.1.1. Note: The same fix has to be applied in 12.3.1 (ASOC-129720) and 12.4 (ASOC-134863). | 11.7.1.1 | | ASOC-129720 |
Decoder | Title: The database stagger operation takes a long time to complete, resulting in a timeout on the UI Explore page. Problem: If you perform the database stagger operation from the UI Explore page, the operation takes a long time to complete depending on the amount of data, and results in a timeout. Workaround: Run the database stagger command using the RESTful API or NwConsole instead. | 11.7.x, 12.0, 12.1, 12.2 | | ASOC-124339 |
UEBA | Title: When UEBA receives a high volume of events, the root DAG becomes unresponsive while it awaits the completion of other associated DAGs. Problem: On receiving a high volume of events, the root DAG of UEBA becomes unresponsive as it awaits the completion of other associated DAGs, resulting in failures of the model_ueba_flow DAGs for their respective schemas. These failures are followed by errors related to java.heap.memory. Workaround: 2. Click the DAG ID and then click Tree View. 3. In the Tree View, click the failed task instance and click View Log. The log view is displayed. 4. SSH to the UEBA server. 5. Open 6. Increase the heap memory size of the failing DAGs' respective operator by two times; for example, if it is 2048, make it 4096. 7. In the Tree View, click the failed task instance and click Clear. | 12.2 | | ASOC-128667 |
Source Server | Title: Unable to load the Content Library. Problem: After upgrading to 12.1, users cannot load the Content Library for the created policies. The issue is due to the source-server being unable to connect to Live CMS even though Live is configured, because the source server cannot resolve cms.netwitness.com. The following error is seen in the source-server log path. Workaround: | 12.2 | | ASOC-124473 |
ESA Correlation Server | Title: Enabling or disabling rules in the Endpoint Risk Scoring bundle applies to all deployments. Problem: When a rule in the Endpoint Risk Scoring Bundle is enabled or disabled from the ESA Service Stats UI, the UI shows an error; however, in the backend the rule is enabled or disabled. The list of disabled rules is saved in keyValueRuleSettings as a generic setting without an associated engine ID. Because no engine ID is associated with it, the setting acts as a global configuration: wherever the Endpoint Risk Scoring Bundle is deployed, rules disabled in any one deployment are automatically disabled in all deployments. Workaround: N/A | 11.7.x, 12.0, 12.1, 12.2 | | ASOC-127949 |
Endpoint Investigation | Title: Event overview panel error or infinite loading. Problem: The event overview panel throws an error or loads indefinitely for endpoint events. Workaround: Restart the Investigate server so that the overview panel loads properly and displays endpoint events. On re-enabling meta forwarding, the issue is resolved. | 12.2 | N/A | ASOC-123671 |
SA Server | Title: Floating Save button on the Decoder Stats page in the UI. Problem: Whenever a user opens the Decoder Stats page, a Save button that originally belongs under Key Stats Settings appears in the top left corner of the screen, covering part of the NetWitness branding. Clicking the gear icon beside Key Stats Settings returns the Save button to its original place. Workaround: N/A. Note: This cosmetic issue does not interfere with the service functionality. | 12.2 | N/A | ASOC-114414 |
Endpoint | Title: The Agent performs the YARA scan only for YARA rule files with the .yar extension. Problem: The Agent performs the YARA scan only for YARA rule files whose filenames end in .yar and ignores rule files with other extensions such as .txt and .yara. As a result, YARA rule files with any extension other than .yar are not scanned. This is caused by the Agent's rule-file extension validation check. Workaround: Rename the YARA rule files to use the .yar extension so that the Agent YARA scan processes them. | 12.1, 12.1.1 | 12.2 | ASOC-125096 |
Admin | Title: The Context Hub Server Config page keeps loading if the RSA Endpoint (ECAT Data Sources) is not removed before upgrading from 11.7 or older versions to 12.0, 12.1, or 12.1.x.x. Problem: The Context Hub Server Config page ((Admin) > Services > select the Context Hub Server > View > Config) keeps loading if the RSA Endpoint (ECAT Data Sources) is not removed from the Context Hub Server before upgrading from 11.7 or older versions to 12.0, 12.1, or 12.1.x.x. As a result, you cannot access the Data Sources. Workaround: service mongod restart 6. Restart the Context Hub service by running the following command: service rsa-nw-contexthub-server restart. The Config page then loads properly. Note: You must restart the Context Hub service from the ESA box. | 12.0, 12.1, 12.1.X.X | 12.2 | ASOC-124151 |
Platform | Title: WLC services are not reachable in the IP failover scenario. Problem: During IP failover, the WLC service was not reachable from the Secondary SA but worked with the Primary SA. Error: 1. 2. Workaround: 1. Copy the certificate manually from or copy the 2. Restart WLC and the jetty service to make the SA connections appear active. | 12.1.1 | | ASOC-127365 |
Platform | Title: Core services in 12.1.0.0 are found inactive under the Services column in the Admin > Hosts view after deploying and upgrading a fresh-installed 12.1.0.0 Admin Server to 12.1.0.1. Problem: When you deploy and upgrade a fresh-installed 12.1.0.0 Admin Server to 12.1.0.1, the core services such as Concentrator, Log Decoder, Log Collector, Archiver, Decoder, Appliance, Workbench, Warehouse Connector, and Broker appear inactive under the Services column in the Admin > Hosts view. As a result, you cannot access the core services in the UI. Workaround: 1. Run the following command on all the 12.1.0.0 core Node-X hosts: touch /etc/netwitness/platform/nw-upgrade-mode 2. Run the following command on the 12.1.0.1 Admin Server: nw-manage --refresh-host --host-key <core-node-x-salt-minion-uuid> Note: Refer to the file /etc/salt/minion to find <core-node-x-salt-minion-uuid>. 3. Run the following command on all the respective 12.1.0.0 core Node-X hosts: systemctl restart <core-service-name> Note: For <core-service-name>, enter the core service name such as nwarchiver (Archiver), nwdecoder (Decoder), nwlogcollector (Log Collector), nwappliance (Appliance), nwconcentrator (Concentrator), nwlogdecoder (Log Decoder), nwbroker (Broker), nwworkbench (Workbench), or nwwarehouseconnector (Warehouse Connector). | 12.1.0.1 | 12.1.1 | SADOCS-2355 |
Platform | Title: Core services in 12.1.0.0 are found inactive under the Services column in the Admin > Hosts view after deploying a new Node-X with the 12.1 image to an older Admin Server (upgraded from 11.x to 12.1). Problem: When you deploy a fresh-installed 12.1.0.0 Node-X to an existing older Admin Server (upgraded from 11.x to 12.1), the core services such as Concentrator, Log Decoder, Log Collector, Archiver, Decoder, Appliance, Workbench, Warehouse Connector, and Broker appear inactive under the Services column in the Admin > Hosts view. As a result, you cannot access the core services in the UI. Workaround: ln -s /etc/pki/nw/peer/admin-cert.pem /root/templink ; find /etc/netwitness/ng/ -name "trustpeers" -exec cp -av /root/templink {}/"$(openssl x509 -hash -in /etc/pki/nw/peer/admin-cert.pem -noout).0" \; && rm -vf /root/templink | 12.1 | | SADOCS-2368 |
UEBA | Title: Model DAGs are failing after upgrade to 12.1.1. Problem: DAGs are failing due to invalid entries in the management_store_metadata collection of the presidio database. Workaround: None | 12.1, 12.1.1 | 12.2 | ASOC-127311 |
Admin | Title: Active Directory authentication fails after the removal of a few ciphers in the NetWitness Platform. Problem: When you authenticate against Active Directory in the (Admin) > Security > Settings > Active Directory Configurations view, the authentication fails with the following error message: Error: This issue occurs due to the removal of CBC (Cipher-Block-Chaining) ciphers. Workaround: Change the size of the modulus by adding the registry key value. Warning: Ensure you use Registry Editor properly to avoid having to reinstall your operating system. Do the following: 3. Update the DWORD value to For more information, see Microsoft Security Advisory 3174644. | 12.1 | 12.1.1 | ASOC-125945 |
Endpoint | Title: The Agent performs the YARA scan only for YARA rule files with the .yar extension. Problem: The Agent performs the YARA scan only for YARA rule files whose filenames end in .yar and ignores rule files with other extensions such as .txt and .yara. As a result, YARA rule files with any extension other than .yar are not scanned. This is caused by the Agent's rule-file extension validation check. Workaround: Rename the YARA rule files to use the .yar extension so that the Agent YARA scan processes them. | 12.1 | | ASOC-125096 |
Source Server | Title: Unable to load the Content Library. Problem: After upgrading to 12.1, users cannot load the Content Library for the created policies. The issue is due to the source-server being unable to connect to Live CMS even though Live is configured, because the source server cannot resolve cms.netwitness.com. The following error is seen in the source-server log at /var/log/netwitness/source-server/source-server.log: ERROR CentralContent\|Failed to authenticate with CMS Server. org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://cms.netwitness.com:443/authlive/authenticate/CMS": cms.netwitness.com; nested exception is java.net.UnknownHostException: cms.netwitness.com Workaround: | 12.1 | | SADOCS-124473 |
Health & Wellness | Title: The host details are not displayed in Health & Wellness > Monitoring. Problem: The Hosts section under Health & Wellness > Monitoring does not display the physical drive, logical drive, and adapter details due to an upgrade of the perccli library to a newer version. Workaround: Note: Perform the following procedure for all the configured hosts. | 11.5.x, 11.6.x, 11.7.1.x, 12.0.x | | SADOCS-2330 |
Platform | Title: Core services are found inactive under the Services column in the Admin > Hosts view after orchestrating a fresh 12.1 core Node-X to an upgraded Admin Server (Node-0). Problem: When you install and orchestrate a fresh 12.1 core Node-X to an Admin Server (Node-0) upgraded from 12.0 or older versions to 12.1, the core services such as Concentrator, Log Decoder, Log Collector, Archiver, Decoder, Appliance, Workbench, Warehouse Connector, and Broker appear inactive under the Services column in the Admin > Hosts view. As a result, you cannot access the core services in the UI. This does not apply if you are orchestrating a fresh 12.1 core Node-X to a fresh-installed 12.1 Admin Server (not upgraded from 12.0 or older versions to 12.1). Workaround: 1. Before you bootstrap and orchestrate the 12.1 core Node-X host, run the following commands. 2. Perform this workaround only if you skipped the above workaround (Workaround 1). Run the following commands after you bootstrap and orchestrate the 12.1 core Node-X host. Note: | 12.1 and later versions | | SADOCS-2309 |
Endpoint | Title: Administrators can set any value (strings, Booleans, and variables) in fields such as validate-yara-rules, enabled, and index-creation-enabled on the Endpoint Server Explore page. Problem: Any value, such as a string, Boolean, or variable, can be set in fields such as validate-yara-rules, enabled, and index-creation-enabled in the Admin > Services > Endpoint Server > View > Explore page because these fields are not validated. If you set a non-Boolean value in these fields and refresh the page, the values are set back to false. | 12.1 | | ASOC-122949 |
NetWitness Health and Wellness | Title: "Telemetry failed to parse meta field" error logs are observed on all core services. Problem: Because of the newly added metric aggregate_buffer_size in the Config page of all core services, telemetry tries to add this metric to the JSON, but telemetry does not receive any value for it. | 12.1 | | ASOC-123267 |
Admin / Investigate | Title: The When Created column in the URL Integration view displays an invalid date. | 12.1 | | ASOC-123883 |
Log Collector | Title: After upgrading to 12.1, the Export Connector trusted authentication pipeline fails. Problem: When the logs in /var/log/logstash/pipeline_export_connector_decoder.log were checked, warning logs were observed for login failures. | 12.1 | | SADOCS-2322 |
Log Collector | Title: The Logstash pipelines are not being created due to stalled threads. Problem: When the logs in /var/log/logstash/logstash-plain.log were checked, warning logs were observed stating that pipeline threads are stalled. Workaround: Restart Logstash with the command on the same node. | 12.1 | | SADOCS-2321 |
Investigate | Title: Recent queries are not displayed in the Investigate > Navigate > Query > Recent view while investigating any service. Problem: Recent queries are not displayed in the Investigate > Navigate > Query > Recent view when you try to apply historical query filters. As a result, the historical queries cannot be used. Workaround: | 12.0 | | ASOC-122718 |
Endpoint | Title: Upgrade fails when trying to upgrade Mac M1 agents via the UI. Problem: When users try to upgrade the Mac M1 agent via the UI, the upgrade fails with the error message "ERROR EndpointManagement\|Unable to find installer file for mac arm64bit". Tracked by: ASOC-121714 | 12.0 | 12.1 | ASOC-121714 |
Reporting Engine / Respond | Title: The 0 value for the mtta.time, mttd.time, mtta.count, and mttd.count attributes is not fetched from Mongo. Problem: After closing incidents directly from the New state without assigning them and creating a reporting chart for incidentStats, the 0 value for the mtta.time, mttd.time, mtta.count, and mttd.count attributes displayed in the chart is not fetched from Mongo. Workaround: | 12.0 | | ASOC-120978 |
Log Decoder | Title: The JSON UI misidentifies the 'Scanned' format type as a 'Variant'. Problem: The JSON Log Parsing Rules UI misidentifies the new 'Scanned' format data type as a 'Variant' (a collection of format types). | 12.0 | | ASOC-119697 |
Decoder | Issue: Enabling the following OpenAppID detectors that use SSLCertPattern causes high CPU usage in the Decoder NON-FIPS service. Cause: The SSL certificate details extraction crypto operation in OpenSSL 3.0 causes high CPU usage in a multi-threaded environment and results in packet drops. Recommendation: Do NOT enable the following list of OpenAppID detectors when using the Decoder NON-FIPS service for TLS 1.3 decryption. Note: This issue does not affect the default Decoder (FIPS) service. List of OpenAppID detectors: | 12.0 | | ASOC-118432 |
Admin | Title: The Cert-reissue on the NW Server host is not processed, only in the case where the user installs the Cloud Connector service on the Admin Server and performs a failover. Problem: The Cloud Connector Server (part of Admin > Services > Admin Server) is found inactive after performing the failover. As a result, when you run the Cert-reissue command to renew the certificates on the Admin Server, the command fails and the Cert-reissue on the NW Server host is not processed. Workaround: After failover, uninstall and re-install the Cloud Connector sensor for it to work properly. | 12.0 | | SADOCS-2284 |
Malware | Title: The Malware Analytics service configurations are reset to the default values after you configure and restart the service. Problem: After configuring the Malware Analytics service in the Malware Config view (Admin > Services > Malware Analytics > View > Config > General), when you restart the service the configurations are overwritten with the default values. Workaround: Reconfigure the Malware Analytics service after restarting it. For more information on reconfiguring the service, see the NetWitness Malware Analysis Configuration Guide. | 12.0 | 12.1 | ASOC-121654 |
Platform | Title: NRWT misses the configuration backup with the --include-mongo option in 11.7.x. Problem: When the NetWitness Recovery Wrapper Tool (NRWT) in version 11.7.x is used with the --include-mongo option, the NRWT collects only the Mongo backup and does not back up the configuration. This issue is in the wrapper scripts that run on top of the core NRT, so there is no loss of basic functionality. Workaround: Use the following NRT commands to back up both the configuration and Mongo. Export: nw-recovery-tool --export --dump-dir /var/netwitness/backup --category ESAPrimary --component mongo Import: nw-recovery-tool --import --dump-dir /var/netwitness/backup --category ESAPrimary --component mongo Category list: ESA Primary, ESA Secondary, Endpoint Log Hybrid, UEBA | 11.7.x | 11.7.3 | SADOCS-2387 |
Admin | Title: Aggregate services configuration fails after selecting multiple services in the Services Config view. Problem: After adding the services to the Aggregate Services list using Trusted Authentication, if you select multiple services at a time in the Services Config view and click Apply, an error is displayed. As a result, the configuration fails. Workaround: Select one service at a time and click Apply to save the changes. | 11.6 and 11.7 | 12.0 | SADOCS-2273 |
Admin | Title: Live Content resource types are not downloaded when they exceed a certain size limit. Problem: In the Live Content view, when you try to create or deploy any resource type (exceeding a certain size limit) such as a Bundle, the error message "Error retrieving live resources" is displayed. As a result, the resources are not downloaded. Workaround: Avoid bulk deployment of the resources. Deploy the resource types in smaller batches. | 11.7.1.1 | | ASOC-119777 |
Log Collection | Title: Export Connector and netwitness codec upgrade fails when you upgrade from 11.6 to 11.6.1.3, 11.7 to 11.7.0.1, or 11.7 to 11.7.1 to fix the Log4j vulnerability. Problem: When you upgrade from 11.6 to 11.6.1.3, 11.7 to 11.7.0.1, or 11.7 to 11.7.1 for the Log4j fix and have the export-connector and netwitness-codec plugins in your deployment, they are not installed correctly. This occurs only if you have Logstash installed as part of the NetWitness installation on the Log Collector service, as the Export Connector plugin is automatically installed during the patch upgrade. Workaround: 1. Remove the stale plugin after the upgrade. Do the following: 2. Install the new plugin after the upgrade. Do the following: file:////opt/netwitness/logstash/logstash-codec-netwitness-offline-1.0.0.zip For a stack with the upgrade path 11.6.0.0 to 11.6.1.3, do the following: file:////opt/netwitness/logstash/logstash-input-netwitness_export_connector-offline-2.1.0.zip For a stack with the upgrade paths 11.7.0.0 to 11.7.0.1 or 11.7.0.0 to 11.7.1.0, do the following: file:////opt/netwitness/logstash/logstash-input-netwitness_export_connector-offline-3.0.0.zip 3. Restart the Log Collector service: service nwlogcollector restart | 11.6.1.3, 11.7.0.1, and 11.7.1 | | ASOC-118763 |
Packet Decoder | Title: The 10G Packet Decoder restarts continuously when it is configured with the DPDK interface. Problem: When the 10G Packet Decoder (configured with the DPDK interface) is stopped due to a crash or process kill and the service is started again, it continues to restart until you reboot the host machine. This issue occurs when the huge page files on the Decoder are not removed. Workaround: The Decoder service and the DPDK capture start. | 11.6.1.3 | 11.7.1.1 | ASOC-118647 |
Platform | Title: Unable to publish the configuration policy on core services due to an authentication error. Problem: Publishing the policy fails because the default admin password used to authenticate to the core service has been changed. Workaround: Reset the admin credentials to their default credentials. | 11.7 | | ASOC-116010 |
Log Collection | Title: Export Connector and netwitness codec upgrade fails when you upgrade from 11.6 to 11.6.1.3 or 11.7 to 11.7.0.1 to fix the Log4j vulnerability. 1. Install the new plugin after the upgrade. Do the following: 2. Restart Log Collector. | 11.6.1.3, 11.7.0.1 | | ASOC-116523 |
Platform | Title: Service Topology tab is not displayed correctly. | 11.7 | | ASOC-113314 |
Threat Connect | Title: NWO-TC connection is lost when the server name is changed. | 11.7 | | ASOC-107060 |
Respond | Title: Incident rules are not displayed correctly. | 11.6 and 11.7 | | ASOC-113076 |
SMS | Title: Logs are not published to sms.log. | 11.6, 11.6.1 and 11.7 | | ASOC-111141 |
Investigation | Title: When a user pivots to an original event, the page keeps loading. Problem: When a user whose role does not have permissions in the core services tries to pivot from the original event by clicking the Investigate Original Event option in the Respond alerts and events page, the page keeps loading. Workaround: Create the user and role in the core services. | 11.5, 11.6 and 11.7 | | ASOC-112766 |
Concentrator | Title: The Concentrator service crashes intermittently after upgrading to version 11.5.2. Problem: After upgrading to version 11.5.2, the Concentrator service crashes intermittently and errors are displayed in the logs. Workaround: To fix this issue, do the following: | 11.5 | | ASOC-109672 |
UEBA | Title: Kibana plugins fail to load. Problem: After upgrading UEBA to 11.6.1, the Kibana plugins do not work properly, resulting in loss of functionality. Workaround: To resolve this issue, SSH to the UEBA host and run the following commands: | 11.6.1 | | ASOC-112191 |
UEBA | Title: Incorrect time indicator charts and titles are displayed in the UI. Workaround: None | 11.5, 11.6, 11.6.1.0 | | ASOC-110272 |
Health and Wellness | Title: Health and Wellness displays irrelevant services. Workaround: Configure the enterprise certificates as per the requirement. | 11.5.3.1, 11.6.1.0 | | ASOC-110559 |
Live Connect | Title: An error is displayed due to the Live Connect data source discontinuation in NetWitness Platform 11.4.1.4. | 11.4.1.4 | | ASOC-112342 |
Platform | Title: The data-sync job fails. Workaround: Disable Mongo authorization. Perform the following. | 11.6.1.0 | | ASOC-111925 |
Admin | Title: An error message is displayed while creating new roles in the Roles tab. Problem: While creating new roles in the Services > Security > Roles tab, the error "Failed to set /users/groups/API with value sdk.content,sdk.meta,sdk.packets,sdk.manage,connections.manage,sdk.meta.event.time:com.rsa.netwitness.carlos.transport.TransportException: Invalid role 'sdk.meta.event.time" is displayed. Role permissions such as sdk.content, sdk.meta, and logs.manage are not accessible as a result of this error. Workaround: Go to Explore > Users > Groups and add the new role. | 11.6, 11.6.0.1 | 11.6.1 | ASOC-110790 |
UEBA | Title: UEBA fails to create users containing a backslash in ElasticSearch. Problem: When events with usernames containing a backslash character are passed through UEBA, the userId_output_entities task fails. Workaround: To resolve this issue, contact the customer support team. | 11.6 | | ASOC-109418 |
UEBA | Title: UEBA fails to create features for users containing a hashtag. Problem: When events with usernames containing a hashtag character are passed through UEBA, the AUTHENTICATION_userId_build_feature_historical_data task fails. Workaround: To resolve this issue, contact the customer support team. | 11.6 | | ASOC-109124 |
UEBA | Title: After the 11.6 upgrade, the dotted chart displays only one value on the X-axis for indicators that were triggered in previous versions. Problem: In version 11.6, the pie chart has been updated to display a dotted chart. On upgrading from previous versions to 11.6, the dotted chart displays only one value on the X-axis. This happens for existing indicators that did not have dates in the pie chart; for new indicators, the dotted chart is displayed correctly. Workaround: None. | 11.6 | | ASOC-109081 |
ESA Correlation Service |
Title: The ESA Basic Rule Builder (BRB) does not allow you to add array type meta keys. It displays the error: Join conditions must match. You can define a rule condition by adding one or more statements. For each statement, when you define the keys, operators and values, the ESA BRB does not support array type meta keys. Workaround: Use the advanced rule builder to build your Advanced Event Processing Language (EPL) statement with array meta keys. |
11.6 |
ASOC-105905 | |
ESA Correlation Service |
Title: The ESA meta entities do not support any array data type other than string[] arrays. Example: Integer[] is not supported. When you create a rule using the ESA Basic Rule Builder (BRB) with meta keys of array data types other than string[] (for example, integer[]), it displays the error: Cannot compare primitive type "int" with "null". Workaround: Check your rule, remove all non-string[] array meta keys, and re-deploy the rule. |
11.6 |
ASOC-105789 | |
ESA Correlation Service |
Title: Error Notification on Admin Server while processing ESA Correlation rules. NetWitness displays the RSAContext annotation error onError = STOP_ALL_RULE_PROCESSING_AND_WAIT when the reclaim_group_aged annotation is used in an ESA rule. Workaround: None. |
11.6 |
ASOC- 108914 |
|
Platform |
Title: After upgrading to NetWitness Platform 11.6, Warm Standby server failover fails. After you upgrade to NetWitness Platform 11.6.x.x, Warm Standby failover fails with the below error: The version of the export : 11.x.x.x is not the same as current system version:11.6.0.0. This is not recommended way to restore and may leave the system in an unsupported configuration. Workaround: Perform the following on the standby server. a) Change to the standby data directory: cd /var/netwitness/standby-data b) Check the recorded version: cat version.info c) Remove the file: rm -f version.info d) Run the failover: nw-failover --make-active |
11.6 |
ASOC-109847 | |
Log Collector |
Title: When you upgrade to NetWitness Platform 11.6.0.0, the RabbitMQ server on a Virtual Log Collector or Log Collector fails to load or enable the nw_admin plugin. The shovel entry (which forwards logs from the Virtual Log Collector to the Log Collector) disappears in the UI and logs are not forwarded to the Log Collector. After you upgrade to NetWitness Platform 11.6.0.0, the shovel entry disappears in the UI and logs are not forwarded to the Log Collector after a system reboot or a restart of the RabbitMQ server. Workaround: Perform the following. a) List the RabbitMQ plugins and confirm that nw_admin is not enabled: [root@VLC ~]# rabbitmq-plugins list <snip> b) Run the following command: [root@VLC ~]# rabbitmq-plugins enable nw_admin The shovel is then displayed with green status in the UI. |
|
ASOC-108600 | |
New Health and Wellness |
Title: Unable to log out from the New Health and Wellness dashboards. If you log out from the New Health and Wellness dashboard (Kibana), the request is not processed and returns an error. You are logged off after the session times out. |
11.6 |
ASOC-108413 | |
ESA |
Title: Data privacy mapping behavior with protected meta keys. The ESA Correlation service does not honor the meta set property when <protected> is set to true in the data source. Workaround: Add the protected meta keys to the global-private-fields file as comma-separated values. |
11.5.2, 11.5.3 |
11.6 | ASOC-107558 |
Investigation |
Title: Syntax error when the and, or, and not operators are used in lower case. A syntax error occurs when a query is run with the and, or, and not operators in lower case in the Events view. For example, when the query ip.src exists and ip.dst exists is run, the and operator is not recognized and a syntax error is displayed. Workaround: Use uppercase operators (AND, OR, NOT) when writing the query. |
11.5, 11.5.0.1, 11.5.1, 11.5.2 |
11.5.3 | ASOC-107557 |
Title: Certificate reissue fails with NullPointer Exception. In NetWitness Platform 11.3.0.2 or later, when you reissue certificates for all the hosts, cert-reissue fails with a NullPointer exception if the Syslog service is configured and enabled on one or more node x. Workaround: You must delete the Global Audit Logging configuration corresponding to the syslog audit notification server before running cert-reissue on all the hosts. IMPORTANT: Save the selected configuration such as Name, Notification Server and Notification Template before deleting the configuration. 3. Click - to delete the configuration. Run cert-reissue --host-all -v Once the cert-reissue command has completed, add the deleted configuration back in the NetWitness Platform UI. |
11.5.3 |
11.6 | ASOC-108030 | |
UEBA |
Title: Airflow-webserver service failed on upgrade from 11.3.x to 11.5.3. |
11.5.3 |
ASOC-107451 | |
Springboard |
Title: Risky Users information will not be displayed in Top Risky Users panel and custom panels in the Springboard. When you have configured NetWitness Detect AI in your environment, Springboard is not able to fetch and show data for user panels. To view the Risky Users, perform the following: Log in to the NetWitness Platform and go to Users.
|
11.5.3 |
ASOC-106350 | |
Context Hub |
Title: The STIX TI button in Context Lookup contains information with errors even when it's grayed out. When you add only STIX TAXII as a data source in Context Hub, the STIX TI button displays information with errors even when it is grayed out. While this issue does not result in any functional loss, you will see the associated warning message displayed on the UI. You must add another data source such as STIX REST or File along with STIX TAXII data source to resolve this issue. |
11.5.2 |
11.5.3 | ASOC-106067/ ASOC-105995 |
Admin |
Title: After upgrading from 11.3.0.2 to 11.5.1, unable to log in to NetWitness Platform. After you upgrade from version 11.3.0.2 to 11.5.1 and reboot NetWitness Platform, NetWitness login fails with an Admin server not reachable error. Workaround: To resolve the issue, do the following steps. 1. Stop the rsa-nw-admin-server service. The output looks like below. server.chain file server/keystore.p12.new reconstructed keystore at /etc/netwitness/admin-server/keystore.p12.new |
11.5.1 |
ASOC-104750 | |
UEBA |
Title: UEBA Azure AD Logs events cannot be queried. Problem: The device.type = 'microsoft_azure_signin_events' cannot be queried as it is not supported. Workaround: None |
11.5.1 |
11.5.2 | ASOC-104956 |
NW Server |
Title: Unable to push feeds with a feed definition XML file in 11.5 Problem: Custom feed deployment fails when an XML Feed File is used. The same XML file used to work in the previous versions. |
11.5.x | 11.5.2 |
SACE-14462 |
Admin |
Title: Cursor No Longer Shows On Login Page Problem: When the login page loads, no field has the cursor, whereas some previous versions placed the username field in focus. |
11.4.x, 11.5.x |
11.6 | SACE-14521 |
Packet Decoder |
Title: Verification of packetdb compression that we aren't observing working Problem: Packetdb compression does not work for the pcapng format. This is expected behavior, as compression only works with the native NetWitness database format. A warning will be added in 11.5.2 to indicate that compression is not supported with the pcapng format. |
11.4.x, 11.5.x |
11.5.2 | SACE-14578 |
Security |
Title: UI Text Does Not Make Sense For PKI Certificates Problem: On the Admin > Security > PKI Settings tab, below the PKI Authentication Based Status window, the following text appears: "Please Note: Before you enable PKI Authentication, you must have at least one Trusted CA configured. At least one external authentication system/method must also be enabled with an external group and mapped to an Administrator role." |
11.4.x, 11.5.x |
11.5.2 |
SACE-14665/ ASOC-104534 |
Investigate |
Title: As of 11.4.1.2, exporting meta from Investigate includes all fields instead of limiting to selected meta group Problem: Exporting meta from Investigate includes all meta fields while it should only export the meta data for the currently selected meta group. |
11.4.x, 11.5.x |
11.5.2 |
SACE-14163/ ASOC-104207 |
Packet Decoder |
Title: TLS decryption to support RFC 7627 (extended master secret) Problem: Decrypting sessions with a private key which uses TLS_RSA_WITH_AES_256_CBC_SHA, returns "Encountered bad padding while decoding record." |
11.4.x, 11.5.x | 11.5.2 |
SACE-14406/ ASOC-104391 |
Broker |
Title: Customer is seeing performance issues on a new Broker; it hangs during investigation. Problem: The UI hangs when trying to run a query under Investigate and sometimes fails to load meta keys. The issue goes away for a while when the Broker service is restarted. |
11.4.1.x |
11.4.1.3, 11.5.0.1, 11.5.1 |
SACE-13955/ SACE-14294/ SACE-14165/ ASOC-102071/ ASOC-102072 |
New Health and Wellness |
Title: New Health and Wellness dashboard view is not displayed when you log in to NetWitness Platform as an Active Directory (AD) user. If an AD group is configured with an Administrator role in NetWitness Platform and you log in as an AD user (associated with the AD group), the New Health and Wellness dashboard is not displayed when you pivot to Dashboards. Workaround: None |
11.5.1 |
11.5.2 | ASOC-101652 |
Investigate |
Title: Legacy Events View does not process event time. Legacy Events View uses collection time and not the event time. Now, when the user preference for Query Time is set to Event Time and the user issues a text search, if the link in the body of the page or the table footer is used for a refined search in Legacy Events View then the Start Time and End Time passed to Legacy Events View will be for the event time. The search might not display the desired results as Legacy Events View does not use the event time. Workaround: It is recommended that you modify the time to the desired time range in order to see the expected results. |
11.5.1 |
ASOC-103344 | |
UEBA |
Title: The User Profile view displays data for inactive users. If a user has not been active for the past 30 days, no new data is displayed in the Modeled Behavior tab. However, the older data from the user's last active days is not deleted and is still displayed for the inactive user. Workaround: None |
11.5 |
11.5.1 | ASOC-102780 |
Upgrade |
Title: Update status stays in “In Queue for Update” state and does not change. While upgrading the NetWitness Platform hosts, for one or more hosts the update status remains in “In Queue for Update” state and does not change. Workaround: To resolve the issue, do the following steps.
|
11.4.x, 11.5, 11.5.0.1 |
11.6 | ASOC-103126 |
Investigator - Thick Client |
Title: SSL Packet Decryption not working on Investigator Thick Client v11.4 Problem: Investigator Thick Client 11.4 fails to decrypt SSL packets as 1024 bit private keys are not supported. |
11.4.x | 11.4.1.3 |
SACE-13924/ SACE-14408 |
Investigation |
Title: Events not displayed when using query prefix Problem: Events are not displayed when using a query prefix. The issue is only noticed when investigating into a Broker. |
11.4.x | 11.4.1.3 | SACE-14412 |
Packet Decoder |
Title: cert.thumbprint and ja3 not always computed Problem: The meta keys Ja3/Ja3s and cert.thumbprint are not getting generated for TLS sessions after enabling SSL fingerprint by adding HTTPS="cert.sha1=true ja3=true ja3s=true" to the parser options. |
11.4.x | 11.5 |
SACE-13597/ ASOC-96566 |
Install |
Title: warm standby - nwsetup-tui failed and does not set the IP address configured Problem: nwsetup-tui script on warm/standby server fails to run, and does not set the IP address configured. |
11.3.x, 11.4.x | 11.5 |
SACE-12658/ ASOC-91271 |
Log Decoder |
Title: Invalid epoch timestamp with a year outside of range 1400-9999 breaks Msearch Problem: Msearch breaks and returns "Year is out of valid range: 1400..9999" when the raw log has an incorrectly formatted epoch timestamp. |
11.3.x, 11.4.x | 11.5 | SACE-13572 |
Context hub |
Title: Converting Feed to ContextHub List failed Problem: Deploying a custom feed using a CSV fails with the error "Converting Feed to ContextHub List". Workaround: Disable mongo authentication in /etc/mongod.conf, set the flag "failIndexKeyTooLong" to false, restart the mongo service, and then deploy the feed. Contact RSA Support; a custom hot fix may be required. |
11.4 |
11.4.1.1 |
SACE-13151/ SACE-13606/ ASOC-94746 |
Log Collector |
Title: 11.3 LC has significant TCP Syslog performance problems compared to 10.6.6 LD using the same source Problem: The 11.3 Log Collector shows around one quarter of the syslog collection rate of the 10.6 Log Collector. |
11.3.x, 11.4.x |
11.4.1.2, 11.5 |
SACE-12098/ ASOC-94276 |
UEBA |
Title: Problem in the UEBA backup-restore script Problem: The UEBA backup script fails because the elasticsearch dump file is temporarily created in /etc/elasticsearch/backup, causing the / partition to become 100% full. |
11.3.2, 11.4.x | 11.5 |
SACE-13558/ ASOC-59891/ ASOC-96786 |
Platform |
Title: NW 11.4.0 - Admin server rabbitmq service runs out of file descriptors Problem: The RSA NetWitness appliance's RabbitMQ service appears not to be processing even though the service is still running. When performing a netstat on the server, there are a large number of connections, possibly in the thousands, associated with the RabbitMQ (beam.smp) process. Refer to 000038886 - RabbitMQ file descriptor limit reached in RSA NetWitness Platform 11.4.x |
11.4 | 11.5 |
SACE-13168/ ASOC-96680/ ASOC-96683 |
Log Decoder |
Title: Issues doing full search text in investigation Problem: Log Decoder service crashes while running msearch query on raw logs |
11.4 |
11.4.1.2, 11.5 |
SACE-13568/ SACE-13291 |
Endpoint Agent |
Title: 11.4.1 Advanced Agent causing Windows Pseudo Console apps to hang Problem: After the Endpoint agent has been running for a few minutes, any applications that use the Windows Pseudo Console (ConPTY) stop working unless they are run as an administrator. Restarting the deviceep service, uninstalling the Endpoint agent, or rebooting the host fixes the issue for a short while until it recurs. |
11.3.2.1, 11.4.1 | 11.4.1HF, 11.5.1 |
SACE-13294/ ASOC-98427 |
NW Server |
Title: Login Banner not working after upgrade to 11.4 Problem: After upgrading to 11.4, the configured login banner does not pop up. |
11.4.x |
11.4.1.2, 11.5 |
SACE-13278/ ASOC-98030/ ASOC-102439 |
Packet Decoder |
Title: Query on the content of mail returns an error. Problem: Email content msearch query fails with "ERROR Message: An error occurred searching service: Connection to service is closed …" |
11.4.x | 11.4.1.2HF, 11.5.1 |
SACE-13400/ ASOC-102074 |
ESA Correlation Service |
Title: Esper behavior with helper functions isOneOfIgnoreCase / isNotOneOfIgnoreCase Problem: The helper function 'isOneOfIgnoreCase' or 'isNotOneOfIgnoreCase' applied to the array meta key 'email_src' causes the rule deployment to fail when using the rule builder. An Advanced EPL rule can be deployed but causes some false positives. |
11.3.x, 11.4.x | 11.5.1 |
SACE-12773/ ASOC-103988 |
Log Decoder |
Title: Log Decoder service is core-dumping at restart. Problem: Some parsers or app rules (for example, for log forwarding) cause the Log Decoder service to crash during a service restart. |
11.3.x, 11.4.x | 11.4.1.3, 11.5 |
SACE-12898/ ASOC-90740 |
Health and Wellness |
Title: Historical graph not showing graph yet showing numbers when you hover the mouse Problem: Selecting anything other than 'Current Day' from a Historical Graph in Health & Wellness > System Stats Browser does not draw the graph, although hovering the mouse over the white space displays the expected numbers. |
11.4.x | 11.5.1 |
SACE-13666/ ASOC-101606 |
ESA Correlation Service |
Title: Test Rule does not generate an alert for the event. When testing a rule in the New Advanced EPL panel, the test does not generate an alert for the event. Cause: If you are testing any rule that has a meta key defined as type 'short', the Test Rule will not generate an alert for the event. Workaround: None |
11.5, 11.5.0.1, 11.5.1, 11.5.2 | 11.6 | ASOC-103061 |
Event Stream Analysis |
Title: After upgrading to version 11.5, the ESA correlation server does not aggregate events from the configured data sources. To resolve the issue, do the following steps.
|
11.5 | 11.5.0.1, 11.5.1 | ASOC-103097 |
UEBA | Title: When performing a rerun, UEBA deployments with the TLS schema will not trigger alerts for two weeks. Problem: When your UEBA deployment contains the TLS schema and you add any other schema to it or if you add the TLS schema to your UEBA deployment, a UEBA rerun is required. During the UEBA rerun, no alerts are generated for any data sources. For UEBA deployments with TLS, the historical data processed is limited to 14 days and thus the data collected in these two weeks (14 days) becomes a part of the learning period and will be used to build the baseline for the models. For example, if you are processing data for a period of time, and then decide to add another schema such as authentication and your deployment contains TLS, a UEBA rerun is required. The rerun is performed on all existing schemas along with the newly added schema and so during these two weeks of rerun, no alerts are triggered. Workaround: None |
11.5 | 11.5.1 | ASOC-101686 |
Context Hub |
Title: Context Hub service goes offline when multiple users load the Investigate > Navigate view
|
11.5 | 11.5.1 | ASOC-96500 |
Event Stream Analysis / Upgrade | Title: Position tracking does not get migrated for data sources with a deployment name that contains @ or _ characters at the end of the deployment name. Problem: If you have an ESA rule deployment that is sessions behind and the deployment name contains @ or _ characters at the end of the name, during the migration to 11.5.0, position tracking gets lost and the sessions that were behind do not get analyzed. Workarounds: If the sessions in your ESA rule deployment are up to date, you can remove @ or _ from the end of the deployment name, redeploy the deployment, and then upgrade to 11.5.0. If the sessions in your ESA rule deployment are always behind and you cannot change the deployment name, wait until this position tracking issue is fixed before you upgrade. |
11.5 | 11.5.1 | ASOC-101423 |
Upgrade |
Title: The Classic user interface fails to start if the NW Server is rebooted after performing an upgrade init command. Problem: After performing the upgrade init command on the NW Server and rebooting the NW Server, the Classic user interface does not start up. Solution: Perform the upgrade on the NW Server again using the command line instructions described in "Appendix A. Offline Upgrade Using CLI" in the "Upgrade Guide for RSA NetWitness Platform 11.5". Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents. |
11.5 | 11.6 | ASOC-100295 |
UEBA | Title: After upgrading UEBA from 11.3 to 11.5, the saved filters in the UI do not work. Problem: After you upgrade, the entities that were saved as filters in NetWitness Platform Version 11.3 are displayed in version 11.5 (User > Entities), but the data cannot be retrieved and the user interface does not respond when clicked. Workaround: To solve this issue, you must delete the old filters and create them again, if needed. |
11.5 | 11.5.1 | ASOC-100389 |
UEBA | Title: After upgrade from 11.2 or 11.3 to 11.5, adapter logs are not written. Problem: After you upgrade from NetWitness Platform Version 11.2 or 11.3 to 11.5, flume uses an incorrect library to write logs. The logs are written to slf4j-log4j12-1.7.25.jar instead of logback-classic-1.2.3.jar due to which the adaptor logs are not written. Workaround: To solve this issue, you must delete the slf4j-log4j12-1.7.25.jar libraries from the flume library directory available on the UEBA machine using the following commands: rm /var/netwitness/presidio/flume/plugins.d/PresidioStreamingSource/libext/slf4j-log4j12-1.7.25.jar and rm /var/netwitness/presidio/flume/lib/slf4j-log4j12-1.7.25.jar |
11.5 | 11.5.1 | ASOC-100310 |
Threat Intelligence | Title: Post failover recurring custom feeds are failing. Problem: On failover, recurring custom feeds that were created before the failover are failing and are not getting pushed to the core. Workaround: Edit and save the failed recurring feeds. |
11.5, 11.5.1, 11.5.2 | ASOC-100727 | |
New Health and Wellness |
Title: Logging out from the New Health and Wellness dashboard logs you out from the NetWitness UI. Workaround: None. Log in to NetWitness Platform again. |
11.5 | ASOC-98032 | |
Malware |
Title: Continuous scans fail if the host name is used for the source host. Problem: If the continuous scan configuration uses the host name for the source host instead of the host's IP address, the Malware continuous scan fails. Workaround: Change the source host name to the IP address in the Source Host field on the Malware Analysis configuration page on the General tab in Continuous Scan Configuration. For more information, see the "Malware Analysis Configuration Guide". |
11.5 | 11.5.1 | ASOC-101096 |
Core Services |
Title: Issue with logging UUIDs or obsolete IP addresses in core services system log files. Problem: A core service (for example, a Broker or Concentrator service) that has been configured to aggregate or connect to another NetWitness Platform component host may not reflect the latest IP address or hostname of the remote host in the service's system logs. This can occur after configuring an aggregation connection to a newly installed NetWitness Platform component host, or after updating the IP address or hostname of an existing NetWitness Platform component host. |
11.5 | 11.5.1 | ASOC-101087/ ASOC-101107 |
Event Stream Management | Title: On upgrade from 11.3 to 11.5, there is inaccurate data on ESM manage page. Problem: When you upgrade from 11.3 to 11.5, the last update time gets updated internally, but changes are not propagated to the ESM Manage page. This can cause event count to be inaccurate, which can also impact any alarms that are set. Workaround: Restart the collectd service. |
11.5 | 11.6 | ASOC-100368 |
Investigate |
Title: Filter Events Panel Shows Unexpected Results for Query Containing an Unwrapped OR Problem: When you use OR in a query in the Events view and then drill into the result using a left-click option from the Events Filter panel, the new filter is added with an AND, without adding parentheses around the existing filters that use a logical OR. This gives different results than expected when compared to Navigate view and Legacy Events view results. Workaround: When adding to a query in the Events panel, whether via left or right click in the Filter Events panel or linking from outside Events, the existing filter must be enclosed in parentheses if there is a top-level, unwrapped OR, either as its own operator or inside a complex filter. For example, service = 80 OR service = 443 AND sourcefile = 'email.pcap' will not return the expected results. Edit the filter to enclose the logical OR statement in parentheses as follows: (service = 80 OR service = 443) AND sourcefile = 'email.pcap'. If the filter is service = 80,25 AND filename = 'invoice', enclose it in parentheses as follows: (service = 80,25) AND filename = 'invoice'. To enclose the logical OR expression in an additional set of parentheses, select the two filters in the query bar, right-click one of them, and select Wrap in parentheses in the drop-down menu. |
11.5 | 11.5.1 | ASOC-100133 |
NW Server | Title: NetWitness Platform User Interface Disconnects During Host Discovery Problem: During host discovery and when services are updating, the UI disconnects briefly. This is caused by nginx restarting. Workaround: Wait for a few minutes for the UI to reconnect when nginx is restarted. |
11.4.x, 11.5 | 11.6 | ASOC-100247 |
Core Services | Title: Customizing the index level to IndexNone for keys that are part of entities can result in errors during index lookup. Problem: Customizing the index level from IndexValues to IndexNone for meta keys that are part of entities requires that those meta keys be excluded from the entities. Failing to exclude the meta keys results in errors during index search operations (for example, msearch). Workaround: For example, if the context meta key index level is changed from IndexValues to IndexNone, then exclude the context meta key from the corresponding entities (for example, context.all). Since context is a default meta key, you would override the context.all entity in the index-concentrator-custom.xml file and exclude the context meta key from the entity. After this update, the context meta key and the context.all entity would be displayed as shown in the following example in the index-concentrator-custom.xml file. <key description="Context" name="context" format="Text" level="IndexNone" defaultAction="Closed"/> <entity description="All Context Keys" name="context.all"><keyref name="context.src"/><keyref name="context.dst"/></entity> |
11.3.x, 11.4.x, 11.5 | SACE-13570/ SADOCS-1891 |
|
Administration | Title: RabbitMQ Erlang Process and Memory Spike Problem: RabbitMQ memory, connections, and Erlang process leaks occur if one or more component hosts are offline or shut down, or if federation links were not deleted on the RabbitMQ server for component hosts that were removed from the UI. Workaround:
3. When the offline hosts are brought back online or powered on, log in to the NW Server and refresh the component hosts that were brought online using nw-manage: nw-manage --refresh-host --host-key <Component Host IP/UUID/Name> |
11.4.x.x, 11.5 | ASOC-93699 | |
Log Decoder | Title: Log parse rule highlighting is not working for Analysts and Data Privacy Officers Problem: Analysts and Data Privacy Officers role users don't have the parsers.manage permission and as a result are restricted from viewing log highlighting and getting log device types from the log decoder. Workaround: To be able to view log parse rule highlighting in the Log Parser Rules view, grant the parsers.manage permission on all Log Decoders to all users who require this ability. To be able to add, deploy, update, and delete parsers in the Log Parser Rules view, users must be granted the parsers.manage permission on all Log Decoders. Use Admin > Log Decoder service > View > Security Users and Roles to manage privileges. |
11.5 | 11.5.1 | ASOC-98432 |
Event Stream Analysis | Title: Multiple Users Can Edit an ESA Rule Deployment at the Same Time and Overwrite Changes Problem: If two users modify the same ESA rule deployment by adding or removing rules, whoever clicks Deploy Now first overwrites the changes of the other user. Workaround: Ensure that only one user at a time is making changes to an ESA rule deployment. |
11.4.x and earlier versions | 11.5 | SACE-12736 |
Investigate |
Title: Permissions to manage meta groups and column groups in Investigate do not apply in Investigate. Workaround: None. |
11.5 | 11.5.1 | ASOC-97975 |
Respond | Title: UEBA Sends Alerts to Respond After Decommissioning the UEBA Host Problem: In NetWitness Platform 11.5, if a UEBA host is decommissioned (for example, removed from Admin > Hosts) but remains powered on, any UEBA alerts that are generated continue to be forwarded to Respond. Workaround: Administrators should power off the decommissioned UEBA host as soon as possible after decommissioning it from the user interface. |
11.5 | ASOC-97259 | |
Raid Tool Script |
Title: Raid Script Tool "nwraidtool.py" fails when it encounters a bad drive. Problem: The Raid Script Tool "nwraidtool.py" fails when it encounters a drive in the 'UBad' state. |
11.3.2 | 11.5 | SACE-13124 |
Event Source Management |
Title: Event Source Monitoring tracking wrongly after upgrading to 11.4.1.0. Problem: After upgrading to 11.4.1.x, false alarms are triggered for High threshold and no alarm is triggered for Low threshold. |
11.4.1 | 11.4.1.3 |
SACE-13616/ SACE-13812/ SACE-13879/ SACE-13908/ SACE-13935/ ASOC-100351 |
Endpoint |
Title: Endpoint agent not being assigned a policy when more than 3 IPs are assigned to same NIC on endpoint. Problem: Endpoint agent is not being assigned a policy when more than 3 IP addresses are assigned to the same NIC on the endpoint agent host. |
11.3.x 11.4 |
11.3.2.1HF 11.4.1HF 11.5.1 |
SACE-13670 |
Licensing |
Title: Malware Analysis License appears to be expired on UI. Problem: The license server fails to parse the Malware-Analysis entitlements because it expects a different feature name, so the license appears to be expired in the Admin UI. |
11.3.x 11.4 |
11.4.1.3 |
SACE-13682/ SACE-13818/ SACE-14061/ ASOC-86674 |
Broker |
Title: REST API Results for Countdistinct are not complete on Broker. Problem: On a 'passthrough' Broker (a Broker connected to just one upstream device), the countdistinct aggregate function does not work correctly when used in the SDK query API. |
11.4.1 |
11.4.1.2 11.5 |
SACE-13702/ ASOC-97826 |
Endpoint |
Title: Endpoint Server does not detect process at Z drive. Problem: Scanning Endpoint hosts does not find processes that are run from the drive letter "Z". |
11.4.1 |
11.4.1HF 11.5.1 |
SACE-13721/ ASOC-97733 |
Security |
Title: Single Sign-On authentication Implementation Failure Problem: Single Sign-On authentication does not work although the Admin server is correctly configured. |
11.4 | 11.4.1.2HF |
SACE-13731/ ASOC-101328/ ASOC-101327 |
Endpoint |
Title: Endpoint Agent in Insights mode crashes on Red Hat/CentOS 8.x Problem: Endpoint agent in Insights mode crashes when installed on Redhat/CentOS 8.1. When the agent is switched to Advanced mode, it starts to work normally. |
11.4.1 |
11.4.1HF 11.5 |
SACE-13763/ ASOC-96290 |
Decoder |
Title: Packet Decoder's capture process stops with the 'packet pool depletion' alarm. Problem: When HTTP2 header parsing is turned on, the Decoder hangs in the HTTP2 parser, causing packet capture to go down. |
11.4.1 |
11.4.1.2HF 11.4.1.3 11.5 |
SACE-13775/ SACE-13977/ SACE-14065/ ASOC-100350 |
Decoder |
Title: Higher entitled usage for throughput licenses is noticed after upgrading to 11.4.1.0. Problem: Data filtered by App rules is still counted as captured bytes causing higher entitled usage for throughput licenses after upgrading to 11.4.1.0. /decoder/stats/capture.appfilter.bytes does not increment. |
11.4.1 |
11.4.1.3 11.5.1 |
SACE-13928/ ASOC-101847 |
Endpoint |
Title: Investigate-HOSTS page does not show all IP addresses of Endpoint agent on Mac. Problem: Investigate-HOSTS page does not display the IP address if its interface has MAC address, 00:00:00:00:00:00. This can occur when the Mac host is connected via VPN. |
11.4.1 |
11.4.1HF 11.4.1.3 |
SACE-13963 |
Log Decoder |
Title: Index Language merge handler doesn't update entities from Index definition files on Log Hybrid Retention Problem: The language merge handler which exists for decoder during /index save () call doesn't merge entities which are loaded from Index definition files. Due to this problem, the changes made to index keys are reverted back to the old settings. Workaround: Remove the index save scheduler entry and use automatic Index save using /index/config/save.session.count. |
11.4.1.2 |
11.4.1.3 11.5.1 |
SACE-13985/ ASOC-101191/ ASOC-101454 |
Custom Feeds |
Title: The first line in a CSV file is removed when a custom feed is deployed as Non IP type. Problem: When a custom feed is deployed as Non IP type, the first line in the source csv file is missing from the deployed csv file under /etc/netwitness/ng/upload/tempxxx. |
11.4.1.2 |
11.4.1.3 11.5.1 |
SACE-14051 |
Administration |
Title: Feed Selection for Groups does not have previously pushed out groups check marked. Problem: When you edit the feed, the previously selected and deployed device groups are not selected, making it difficult to understand which are deployed. |
11.3.1.1 | 11.4.1 | SACE-12563 |
Administration |
Title: Unable to add the "accessInvestigateUsers" permission to a role via the GUI. Problem: When you try to add the "accessInvestigateUsers" permission to a role in the Admin > Security > Roles tab, the permission is not available. |
11.x | SACE-12964 | |
Administration |
Title: Adding/editing a recurring feed only validates the hostname in the URL path, not the filename or path, when clicking Verify. Problem: Custom feed verification checks only the host name in the URL and does not verify the filename or path. |
11.3.2 | 11.4.1 | SACE-12753 |
Administration |
Title: PAM Kerberos authentication fails after upgrading to 11.4.0.0. Problem: After upgrading to 11.4, users are unable to log in to the NetWitness Platform user interface using PAM authentication. |
11.4 | 11.4.1 | SACE-13125 |
Administration |
Title: NW 11.4.0.0 - Not able to deploy recursive feed on Decoders group. Problem: After upgrading to 11.4, recursive feeds cannot be deployed to the Decoder group. |
11.4 | 11.5 | SACE-13260 |
Administration |
Title: NW 11.3.1.1 - credential mismatch - mixing users of different roles between admin and non-admin functions. Problem: When a user logs in to NetWitness Platform, the permissions of the user who previously logged in are applied. |
11.3.1.1 | 11.4.1 | SACE-13264/ SACE-12969 |
Administration |
Title: UI is sometimes very slow. Problem: The NetWitness Platform user interface responds very slowly, taking up to 30-45 seconds. |
11.2.0.1 | 11.4.1 | SACE-11456/ ASOC-89259 |
Upgrade |
Title: RabbitMQ service on Endpoint Hybrid fails to start in NetWitness 11.4. Problem: After upgrading to 11.4, the RabbitMQ service does not start. |
11.4 | SACE-13024 | |
Upgrade |
Title: Backup script v 4.4 and 4.5 gives verify puppet cert validity on SA 10.6.6. |
10.6.X | 11.4.1 | SACE-12586/ ASOC-86468 |
Upgrade |
Title: NW Recovery Tool ignores Custom Meta Groups and Investigation Profiles. |
11.3.1 | 11.4.1 | SACE-12138/ ASOC-84298 |
Upgrade |
Title: Threat Grid and RSA Cloud connections not working after upgrade to NW 11.2.1.1. |
11.2.1.1 | 11.4.1 | SACE-11531/ ASOC-79467 |
Upgrade |
Title: On a new 11.2.0.0 install, the mongo sa.repo table does not show that the 11.2.0.0 repo is downloaded. |
11.2 | 11.4.1 | SACE-11196/ ASOC-77071 |
Decoder |
Title: Possible content issue; customer is seeing HTTP 400 errors. |
11.3.1.1 | 11.3.2.1 11.4.0.1 |
SACE-12827/ ASOC-87236 |
Decoder |
Title: Files are not extracted from SMB sessions. |
11.3 | 11.3.2.1 11.4.0.1 |
SACE-12387/ 87236 |
Decoder |
Title: Packet Decoder shows very low session rates while capturing at 9.6G. |
11.3.1.1 | 11.4.1 | SACE-13098/ ASOC-87266 |
Log Decoder |
Title: Log Decoder Forwarding Configuration Issue. |
10.6.x | 10.6.6 11.4.1 |
SACE-8177/ ASOC-47223 |
Decoder |
Title: Upgrade to 11.4.0.1 is causing an impact when rebooting Series 6 packet Decoders and packet Hybrids. |
11.4.0.1 11.4.1 |
11.4.1.2 | SACE-13409 |
Log Decoder |
Title: Issues with Proofpoint collection since upgrade from 10.6 to 11.3. |
11.3.0.2 | 11.4.1 | SACE-12649 |
Log Decoder |
Title: WinRM bookmarks returning 1 for a certain event channel stop collection across all channels. |
11.3.2 | 11.4.1 | SACE-12961 |
Log Decoder |
Title: Using SSL syslog for a Logstash event source crashes the nwlogcollector on the VLC. |
11.3 | 11.4.1.2 | SACE-12750 |
Event Stream Analysis |
Title: API improvements needed to obtain the actual sessions.behind value per node (Concentrator/Decoder) on ESAs. |
11.3 11.3.0.1 |
11.4.1 | SACE-11831 |
Event Stream Analysis |
Title: Enrichment utilizing a Context Hub list does not remove values that no longer exist in the list. Problem: A Context Hub enrichment in an ESA Rule creates alerts for older values that have been deleted. This issue occurs when the list from which the Context Hub Enrichment is created is a recurring one with the Overwrite option. When the values are overwritten by new values, ESA alerts should not be triggered for the older values. |
11.3.1.1 | 11.4.1 | SACE-12839 |
Respond |
Title: Compressed payload not displayed in Respond for text recon. Problem: Compressed payloads are not displayed when using text reconstruction in Respond. In 11.3.2 and 11.4, you may encounter this scenario when using packet reconstruction within Respond for network sessions containing compressed (for example, gzip) payloads. |
11.3.2 11.4 |
11.4.1 | ASOC-90551 |
Respond |
Title: Risk Score is not calculated because the event generated in Respond does not have a Checksumsha256. Problem: Respond may stop processing alerts when Endpoint file alerts do not contain a SHA256 checksum. In 11.3.2 and 11.4, Respond may stop processing alerts when handling certain alerts containing Endpoint events that lack a SHA256 hash of the offending file. This results in a failure to calculate risk scores for those alerts and, subsequently, errors when attempting to process subsequent alerts. |
11.3.2 11.4 |
11.4.1 | ASOC-88665 |
Warehouse Connector |
Title: Warehouse Connector - Add SFTP Destination with SSH Key Passphrase. |
11.2 | 11.4.1.2 | SACE-12864 |
Health and Wellness |
Title: Incorrect PSU status shown in H&W when one PSU has actually failed on an S5 Hybrid. |
11.2 | 11.4.0.1 | SACE-10378/ ASOC-74763 |
Health and Wellness |
Title: 11.3.2.0 - H&W alarm on Endpoint Loghybrid Logcollector - LogCollector Virtual System Resources Exhausted. |
11.3.2 | 11.4.1 11.5 |
SACE-12910/ ASOC-89532 |
Health and Wellness |
Title: Fan/Temperature information is not displayed in the H&W System Stats Browser on Series 6 hardware. |
11.3.1 | 11.4.1 | SACE-12973 |
Investigate |
Title: Brazil no longer follows Daylight Saving Time - update Moment Timezone libraries for Investigate. |
11.2.1.1 | 11.4.1 | SACE-12498 |
Investigate |
Title: Wrong closing XML tag when exporting logs from the UI. |
11.4 | 11.4.1 | SACE-13028 |
Investigate |
Title: Issues investigating off of an Archiver collection. |
11.3 | 11.3.2.1 11.4.0.1 |
SACE-11659/ ASOC-88050 |
Investigate |
Title: Unable to export logs using a custom time frame from the Events view when a profile is in place. Problem: Event export fails when investigating a custom time frame with a profile that has no pre-query. |
11.3.0.1 | 11.3.2.1 11.4.0.1 |
SACE-11706/ ASOC-88025 |
Investigate |
Title: Japanese users cannot export logs. Problem: Logs cannot be exported from the Investigate view when the user language setting is not English or French. |
11.3 | 11.3.2.1 11.4.0.1 |
SACE-12803/ ASOC-87643 |
Investigate |
Title: NetWitness 11.4 removes pivoting into meta on legacy views. Problem: After upgrading to 11.4 and reconstructing an event in the Legacy Events view, the metadata drill-down options are missing under the View Meta option in the event reconstruction toolbar. |
11.4.0.1 | 11.4.1 | SACE-13119 |
Investigate |
Title: In Investigate Events, searching for a value containing a slash character does not work; an extra slash must be added to get the correct result. Problem: When you pivot from UEBA on a meta value containing a slash, the Investigate > Events view does not display any results. |
11.4 | 11.4.1 | ASOC-92592 |
Investigate |
Title: Pivoting into the investigation of an event reconstruction queries the wrong ip.src in the FTP system parser. Problem: The event reconstruction for a filename in the Investigate > Events view queries the wrong meta key (ip.src) instead of ip.dst in the FTP system parser. |
11.x | 11.4.1 | ASOC-88157 |
Malware Analysis |
Title: "HTTP/1.1 500 Internal Server Error" from MA cloud. Problem: The AV tab in Admin > Services > Malware > Config does not display AV vendor results. |
10.6.x | 11.4.0.1 | SACE-10302/ ASOC-88023 |
Context Hub |
Title: Some STIX fields are missing when converted to CSV. Problem: When STIX data is converted to CSV format, some of the STIX fields are not present in the CSV file. |
11.2.1 11.3 |
11.4.0.1 | SACE-11272/ ASOC-84841 |
Context Hub |
Title: Password for the Live Connect and File Reputation data sources is saved empty on edit config. Problem: Connection to the Threat Insights (Live Connect) and File Reputation data sources fails because the password is saved as blank. |
11.4 | 11.4.0.1 | ASOC-87937 |
Context Hub |
Title: Recurring feed produces a 'Failed' status when 'Converting Feed to Context Hub List'. Problem: When converting a recurring feed to a Context Hub list, a failed status is displayed. |
11.3.1 | 11.4.1 | SACE-13086/ ASOC-90987 |
Endpoint |
Title: Duplicate hosts in Endpoint Log Hybrid. Problem: In the Investigate > Hosts view, duplicate hosts are displayed with the same host name but different agent IDs, because the agent was installed multiple times. |
11.3.1.1 | 11.4.1 | SACE-12888/ ASOC-90565 |
Reporting Engine |
Title: Reports on Alerts/Incidents from ESA alerts are not generated. Problem: When you edit an existing schedule of a report, you cannot select a data source if no data source was previously selected. |
11.3.1 | 11.4.1 | SACE-11897/ ASOC-87262 |
Reporting Engine |
Title: Discrepancy in Reporting Engine alert count. Problem: When querying against a time range, no alerts are loaded, and not all alerts are displayed when a custom time range is queried. |
11.3.2 | 11.5 | SACE-12893 |
UEBA |
Title: UEBA UI cannot be accessed after installation. Problem: After upgrading, the UEBA page shows the default user interface instead of the latest UEBA page. |
11.3.2 | Documentation | SACE-12843 |
Log Decoder |
Title: Log Decoder service crashes if changes are made to the log forwarding configuration fields logs.forwarding.enabled and logs.forwarding.destination. |
11.4.1.2, 11.5 |
11.5.1 | ASOC-95972 |
Endpoint |
Title: Test connection fails for Relay Server with Endpoint Log Hybrid. |
11.4.1.2 | 11.5 | SACE-13529 |
UEBA | Title: Incorrect object metadata is parsed in UEBA. Problem: The UEBA Object Name pivot link in the Investigate > Entities view is populated with an incorrect meta key. Because the query includes the obj.name meta key, no matching events are displayed when pivoting to the Events view. Workaround: Run the query without obj.name, group, and user source. |
11.4.1 | 11.4.1.2 | ASOC-92627 |
UEBA | Title: Pivoting from the Entities view to the Events view with the event.time meta key results in a query with invalid event time. Problem: When you query the event.time meta key on any UEBA pivot link in the Entities view, the query added to the query bar in the Events view has an invalid filter (marked by a red outline) for event.time expressing the time in EPOCH format, and the query cannot be submitted. A tooltip on the invalid query explains the problem, but the suggested solution does not work: You entered '1585216020-1585216080'. Times must be quoted with single or double quotes. Workaround: Copy the EPOCH time value and create a new free-form filter without quoting the EPOCH time. See "Add a Free-Form Filter" in the Investigate User Guide. |
11.4.1 | 11.4.1.2 | ASOC-92943 |
Upgrade |
Title: Unable to upgrade the NW Server host to version 11.4.1.0 using the Offline User Interface method.
Problem: You can update all the other hosts using the offline user interface method, following the instructions in "User Interface Method with No Connectivity to the Internet" in the Upgrade Guide for RSA NetWitness Platform 11.4.1. |
11.4.0.0, 11.4.0.1 | 11.4.1 | ASOC-92601 |
Investigate |
Title: Refocusing a value that contains the backslash (\) character in the Events view does not return results. |
11.4.1 | 11.5 | ASOC-92642 |
Investigate |
Title: In the email reconstruction, the Download button for attachments is not enabled due to a filename mismatch. |
11.4.1 | 11.5 | ASOC-92534 |
Investigate |
Title: Paging through results while packets are being rendered causes the new page to load fewer packets. |
11.4.1, 11.5 |
ASOC-92293 | |
Investigate |
Title: The Download menu in the Events view remains in the “Downloading…” state after a timeout during the download operation. Problem: When downloading a large number of network events from the Events list, the Download menu remains in the Downloading state ( Workaround: To clear the exception and restore the Download menu, go to the Events view and refresh the browser window. |
11.4.1, 11.4.0.1, 11.4, 11.5 |
ASOC-86905 | |
Legacy Windows Collector |
Title: WLC Cert renewal script does not run. Problem: The WLC Cert Renewal Script, packaged as part of 11.4 and located at /var/netwitness/root-ca-update/wlc/, should not be run. RSA plans to provide a fix in a future NetWitness Platform patch release. Workaround: None |
11.4.0.0 | 11.4.0.1, 11.4.1 | ASOC-87953/ ASOC-78604 |
Event Stream Analysis |
Title: Some ESA Rule Deployments migrated from versions before 11.3 can cause ESA Rule Deployment issues during the 11.4 upgrade. Problem: Unused ESA rule deployments left over from the migration from the 10.6 or 11.2 legacy Event Stream Analysis service, which do not contain an ESA Correlation service, prevent ESA rule deployments from deploying after upgrading to NetWitness Platform 11.4. Workaround: Before you upgrade to 11.4, delete ESA rule deployments that do not contain an ESA Correlation service. The remaining ESA rule deployments should have been deployed at least once with the ESA Correlation service. To delete an ESA rule deployment: |
11.4.0.0 | 11.4.0.1 | ASOC-87859 |
Event Stream Analysis |
Title: When a rule is shared between multiple ESA deployments, there is a discrepancy between the Enabled and Disabled ESA rule statuses after an upgrade. |
11.4.x, 11.3.x, 11.5 |
ASOC-87858 | |
Event Stream Analysis |
Title: An ESA Rule Deployment name with a colon (:) throws a "failed to start stream" error. Problem: If an ESA rule deployment name contains a colon (:), data aggregation fails to start during deployment. Workaround: Edit the ESA rule deployment name to remove the colon (:) and then redeploy the deployment. |
11.4.x | 11.5 | ASOC-87778 |
Event Stream Analysis |
Title: Esper metrics collection can impact performance in some environments with ESA rules that consume large amounts of memory. Problem (11.4.0.x): Metric collection in Esper version 8.2.0 differs from the previous 7.1.0 version. On an ESA Correlation server with rules that consume a lot of memory, gathering metrics can consume significant CPU, leading to a drop in EPS while the metrics are being collected. To avoid the drop in EPS, the default interval for collecting metrics in NetWitness Platform 11.4 is set to a very large value (999999 days). This effectively prevents the Esper metrics from being collected. Workaround (11.4.0.x): If you need metrics collected at a more frequent interval, you can update the background-metrics-frequency parameter on the ESA Correlation service. Do not set the metrics collection interval lower than 5 minutes.
Problem (11.4.1): Metric collection in Esper version 8.2.0 differs from the previous 7.1.0 version. In a typical deployment, rule metrics calculation finishes very quickly, within seconds. If a rule uses a significant amount of memory, it may take a long time to calculate metrics. During this time, ESA Correlation does not analyze events, which results in an overall EPS drop. ESA Correlation attempts to calculate metrics for a maximum of 15 seconds (default); if any rule's metrics cannot be calculated in this time, an error is written to the logs and ESA Correlation aborts the calculation to avoid a further EPS drop. This results in a maximum of 15 seconds of analysis lost every 5 minutes (background-metrics-frequency). Workaround (11.4.1): If you need metrics collected at a more frequent interval, you can update the background-metrics-frequency and metrics-timeout parameters on the ESA Correlation service. For example, if you have a rule that uses a lot of memory and cannot be optimized, you can reduce the overall EPS drop by increasing the frequency and/or lowering the timeout. |
11.4.1, 11.4.0.x |
11.5 RSA KB #38369 |
ASOC-87517/ ASOC-87468 |
Event Stream Analysis |
Title: Recurring In-Memory Table enrichments are not updating. Problem: Recurring In-Memory Table enrichments do not update when the .CSV file changes. If you use Ad Hoc In-Memory Tables, this is not an issue. Recurring In-Memory Table enrichments are no longer supported. It is preferable to use Context Hub List enrichment sources instead of In-Memory Table enrichment sources: Context Hub List enrichment sources can be shared across the NetWitness Platform, whereas In-Memory Tables can only be used with ESA. Workaround: Change your Recurring In-Memory Tables to Context Hub lists. For each Recurring In-Memory table, do the following:
For information on how to configure a Context Hub List as an enrichment source, see the Alerting with ESA Correlation Rules User Guide. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents. |
11.4.x, 11.3.x | Won't fix | ASOC-86887 |
Investigate |
Title: When the NOT operator is used in Free-Form Mode without parentheses, as in NOT medium = 1 vs NOT(medium = 1), the free-form query fails. Problem: When the NOT operator is placed before an expression, as in (NOT service = 80), Free-Form Mode transforms the expression by adding an opening parenthesis in front of the expression following the NOT; this unbalances the query and produces an error. Workaround: Use this syntax when creating a query in Free-Form Mode: NOT (service = 80). Also, be sure to fix any pre-query or query prefix that has the NOT operator in the form (NOT service = 80), so that pivoting from the Navigate view to the Events view does not break the flow. |
11.4.0.0 | 11.4.0.1 | ASOC-87633 |
Investigate |
Title: Packets are not rendered properly and the expected data is not displayed in the Events view packet reconstruction. Problem: Sometimes when reconstructing larger events with multi-page data in the packet reconstruction, the request or response field is blank and no data is loaded. Workaround: Click the Web reconstruction icon above the packet reconstruction. After the web reconstruction opens in the Legacy Events view, switch back to the packet reconstruction. |
11.4.0.0 | 11.4.0.1 | ASOC-87549 |
Investigate |
Title: The packet reconstruction being viewed has no data loaded after leaving the Events view for the Hosts, Files, or Entities view and then returning to the Events view using the Events option in the Investigate submenu. Problem: If the packet reconstruction is open and the user moves away from the Events view by clicking the Hosts, Files, or Entities view, and then returns to the Events view by clicking Events in the Investigate submenu, the previous query is executed, but the reconstruction that was open does not load the packet reconstruction as expected. Workaround: Refresh the browser page. |
11.4.0.0 | 11.4.0.1 | ASOC-87516 |
Investigate |
Title: After upgrading to Version 11.4, there may be issues in the Navigate view and Legacy Events view because the column groups, meta groups, or profile groups permission is disabled for custom user roles. Problem: When the column groups, meta groups, or profile groups permission is disabled for a user, the Load Values button is not displayed in the Navigate view. When column groups permission is disabled, there is an additional issue in the Legacy Events view: Only the Detail view is visible and you cannot select different views and column groups. The issue occurs most frequently after upgrading to 11.4 because new built-in permissions are not automatically applied to custom user roles. Workaround: After completing the upgrade, the administrator needs to enable the required permissions as described in the System Security and User Management Guide. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents. A quick workaround for analysts: To load values in the Navigate view, you can select a different time range to load meta values. There is no workaround for the issue with the Legacy Events view. |
11.4.0.0 | 11.4.0.1 | ASOC-87378 |
Investigate |
Title: Unable to query meta keys with values containing some characters, such as ®, and meta values are truncated. Problem: When meta values include special characters such as ®, analysts cannot drill down using that meta key in the Navigate view. Such meta values are also truncated in the Events view. Workaround: Remove the special character if creating a feed, or encode it properly at the source of the feed. |
11.4.1, 11.4.0.1, 11.4 | 11.5 | ASOC-85375 |
Investigate |
Title: When initiating a download, Investigate fails to connect to the browser job tray and the download spinner remains indefinitely. Problem: The download job fails to connect to the browser job tray, but the download job does initiate and can be retrieved from the link shown in the flash message at the top of the screen. Workaround: Retrieve the download from the job queue under <Your Name> > Profile > Jobs. |
11.4.1, 11.4 | 11.5 | ASOC-50412 |
Log Decoder |
Title: Log Decoder may not start data aggregation after upgrade. Problem: There can be two reasons that the Log Decoder may not start data aggregation:
Workaround: In the Log Decoder configuration, the parameter save.session.count, which was set by default to 0 or 600000000 in previous releases, must be set to AUTO. |
11.4.x, 11.3.x, 11.2, 11.1 | Won't fix | SADOCS-1784, SACE-12300 |
Endpoint Server |
Title: Endpoint Server is often found in an Unhealthy state after a day of deployment. Problem: If you are running an Endpoint Server in an environment that does not contain a Context Hub server, the file status and file reputation features do not work, and the status of the Endpoint Server shows Unhealthy in Health and Wellness. Other Endpoint features work without the Context Hub server. Workaround: None |
11.4 | 11.5 | ASOC-86942 |
Dashboard |
Title: Built-in charts are not enabled by default for the multi-analyst UI. Problem: When the Admin enables the built-in dashboards on any node, the dashboards and the corresponding charts are enabled only on the selected node. On the other nodes, the corresponding built-in charts are not enabled by default: the built-in dashboards are enabled, but the UI displays the error message "No active execution details available for chart (chart name)". Workaround: The user must log in as an Admin on every node and manually enable the built-in charts. |
11.4, 11.5 | ASOC-79538 | |
Respond |
Title: When there are 100+ events in an alert, the scroll bar does not display all the alert information in a clear format. Problem: The scroll bar is only partially visible when there are over 100 events in the Incident Details view Events List. Workaround: You can continue scrolling to see all of the information. |
11.4.x, 11.3.x | Won't fix | ASOC-71935 |
Audit Logging |
Title: Logstash does not reconnect to RabbitMQ if RabbitMQ is reset. Problem: If RabbitMQ is reset for any reason, Logstash does not reconnect to RabbitMQ for aggregating audit logs. Workaround: Restart Logstash to reconnect to RabbitMQ. |
11.4 | 11.5 | SACE-12348/ ASOC-85468 |
USM |
Title: Updating "Effective Date" daily causes scan schedules to restart. Problem: The default EDR policy does not specify an effective date. If a policy for an agent does not specify the effective date, the current date is used instead. This causes the group policy document to be updated every day with the new effective date. Any agent using the default effective date setting then receives an updated policy every day, causing it to restart its scan schedule every day and resulting in the agent scanning daily regardless of what the actual policy specifies. Workaround: Edit the default EDR policy and add an effective date. |
11.3.x | 11.4 |
ASOC-87065 |
Upgrade |
Title: Cannot orchestrate an additional component host if the NW Server host was upgraded to 11.3.1.1 without an intermediate upgrade to 11.3.0.2. Problem: If you are upgrading your hosts from 11.0, 11.1, or 11.2 directly to 11.3.1.1, and you want to add a new host after the NW Server Host has been upgraded, the new host cannot be orchestrated. |
11.3.x | 11.4 |
ASOC-83941 |
Event Stream Analysis |
Title: Aggregation stops on some Concentrators because of too many open files. Problem: Occasionally, ESA Correlation encounters an error when aggregating from a Concentrator, resulting in a connection leak. Over time, this may produce a 'too many open files' error, which stops aggregation. Workaround: Restart the ESA Correlation service from the NetWitness Platform user interface. |
11.3.2 | 11.3.2.1 |
ASOC-86412 |
Core Services |
Title: Log Collector event processor does not start after a Log Decoder appliance reboot. |
11.3.2 | 11.4 |
ASOC- 83767 |
Event Stream Analysis |
Title: Cannot Access Custom Esper Java Libraries |
11.4, 11.3.x, 11.5 |
See the KB articles. |
ASOC-86358, ASOC-85770 |
Event Stream Analysis |
Title: Sample Enrichment ESA rules are being disabled on 11.3.0.2 due to Problem: In 11.3.0.2, the migrated Whitelist and Blacklist SAMPLE ESA rules use the Workaround: Edit the Whitelist and Blacklist SAMPLE rules to use
|
11.3.0.2 | 11.3.1.0 |
ASOC-83241 |
Event Stream Analysis |
Title: Sometimes the status of an ESA rule deployment is incorrect. Problem: When you deploy ESA rules, an error sometimes shows the rules as disabled in the user interface (CONFIGURE > ESA Rules > Rules tab > Deployment panel) even though the ESA rule deployment actually succeeded. Check the Services tab to see the actual status of the deployment. Note: This issue is fixed in NetWitness Platform 11.3.1.1. Workaround: None. |
11.3.0.2 | 11.3.1.1 |
ASOC-82658 SACE-11759 |
Administration |
Title: Default SSH timeout period. Problem: In 11.3.1, there is a new default three-minute timeout period for an SSH session (from the Browser or Console). This brief timeout period may be inadequate for your needs. Workaround: The following procedures are two options for changing this setting: (1) Disable the SSH Timeout Setting and Default to the Auth Timeout Setting; (2) Remove the Timeout Setting (No Timeout for SSH). |
11.3.1 | 11.4, 11.3.2 | ASOC-80695 |
Upgrade | Title: Linux policy is not updated in the user interface after upgrading agents from 11.2.0 to 11.3.1. Problem: In the NetWitness Platform user interface, Agent mode is displayed as INSIGHT after upgrading from 11.2.0 to 11.3.1. After a scan, Agent mode changes to ADVANCED. Workaround: None. |
11.3.1 | 11.4 | ASOC-79638 |
Upgrade |
Title: The default CEF and human-readable format audit templates are not updated after upgrading to 11.3.1. Problem: In 11.3.1, notification templates were updated with additional fields. The updated templates are "Default Audit Human-Readable Format" and "Default Audit CEF Template." If you are using these templates, you must perform the steps below after you update to 11.3.1 so that the changes take effect. Workaround: Delete the default templates, restart the Jetty service, and reconfigure Global Auditing: |
11.3.1 | 11.4 | ASOC-79110 |
Event Stream Analysis |
Title: Unable to delete an endpoint bundle from an ESA rule deployment. |
11.3.x | 11.4 | ASOC-76364 |
Investigate |
Title: Broker timeline does not render if a Concentrator is offline. |
11.3.1, 11.3 | SACE-11365 | |
Global Notifications |
Title: Syslog server config updates are making entries in config. Workaround: |
11.3.1, 11.x | 11.4 | ASOC-59607 |
Event Stream Analysis |
Title: Meta keys marked as sensitive for Data Privacy are still included in notifications and alerts for some ESA rules. Problem: In ESA rules that do not select every piece of metadata from the session (that is, rules that do not use ‘select *’), you may find that data privacy (if enabled) and the Pivot to Investigate > Navigate link accessed from a context tooltip in Respond do not work. Workaround: For 11.4, you can perform the steps documented in “Update any ESA Rule that Selects Only Certain Meta Keys from the Session to Include event_source_id” in the Alerting with ESA Correlation Rules User Guide. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents. |
11.3.x | 11.4 | ASOC-80898 |
Event Stream Analysis |
Title: The available data sources in an ESA rule deployment show details of a deleted host. Problem: If a Concentrator is added to the available data sources for ESA rule deployments and the host is then removed from the NetWitness Server, that host is still listed in the available data sources. Workaround: Remove the host from the available data sources for ESA rule deployments and then redeploy any existing ESA rule deployments that were using that host. To remove the host from the available configured data sources: |
11.3.1.0, 11.3.0.0 | 11.3.2 | ASOC-82076 |
Endpoint |
Title: Commands issued after pressing the Tab key are not captured in PowerShell on Windows 10 version 1809. Problem: In Windows 10 version 1809, when you execute a command in PowerShell and press the Tab key, the captured PowerShell console events contain only the characters entered before pressing Tab. Also, some of the captured PowerShell console events may contain repeated characters. Workaround: None |
11.3 | 11.3.1.1 | ASOC-73120 |
Investigate |
Title: In the Event Analysis view, the query console does not replace the information icon with an error icon when a service is offline. Problem: When a queried service is offline, the information icon in the query console should change to an error icon (red triangle with an exclamation point). The border of the query console turns red, but the information icon does not change to an error triangle. Workaround: None |
11.3 | 11.3.1.1 | ASOC-73826 |
Investigate |
Title: When retrieval of events for a query is in progress in the Event Analysis view, events that are already displayed disappear if the query takes more than 5 minutes to finish. Problem: This can happen when querying a large data set with a query that includes expensive operations. The query is auto-canceled after a 5-minute timeout, and an error message is displayed. Workaround: To avoid the timeout, change the query parameters to filter a smaller data set and re-execute the query. |
11.3 | 11.3.1.1 | ASOC-73224 |
Respond |
Title: Matching files are not displayed in the Files tab if the file name in the event does not match the global file name. Problem: When you pivot from the Nodal Graph to the Investigate > Hosts or Files tab to analyze a file, no result is displayed in the Files tab if the file name in the event does not match the global file name. Workaround: Pivot to Investigate > Hosts or Files using the file hash instead. |
11.4.x, 11.3.x | 11.5 | ASOC-73173 |
Respond |
Title: Respond stats reset after update. Problem: After an update from NetWitness Platform 11.2 to 11.3, Respond statistics are reset in the Incident Rules view (CONFIGURE > Incident Rules). The rule counter for matched alerts and incidents resets to zero and the Last Matched, Matched Alerts, and Incidents columns show only 11.3 values. Workaround: None. Note: This is fixed for updates from 11.3 to 11.3.x or 11.4.x, but is still an issue for updates from 11.2.x to 11.3.x. |
11.3.x, 11.2.x | 11.3.1.1 | ASOC-72759 |
Respond |
Title: Show a proper message when Event Analysis does not load in a mixed-mode environment. Problem: In a mixed-mode environment, when Event Analysis does not load from the Respond Incident Details view, customers receive the following message: “An unexpected error has occurred attempting to retrieve this data.” Instead, they should receive a message stating that this is expected behavior: Event Analysis requires all core services to be on NetWitness 11.1 or later. Workaround: None. |
11.3.0.2, 11.3.0.1, 11.3.0.0, 11.2.x.x | 11.3.1.1 | ASOC-60463 |
Respond |
Title: Deleting an alert in Respond does not update the High-Risk User List in Threat Aware Authentication. Problem: Applicable to customers who have enabled Threat Aware Authentication. When alerts associated with an open incident are deleted from the Alerts view (Respond > Alerts), the email addresses associated with the deleted alerts are not removed automatically from the SecurID high-risk users list. Workaround: None, but you can manually remove the user details from the high-risk users list. |
11.3.0.2, 11.3.0.1, 11.3.0.0 | 11.3.1.1 | ASOC-73743 |
Respond |
Title: ESA rules with severity High or Low are not populated in the RSA Archer user interface. Problem: When ESA alerts with severity High or Low are forwarded to RSA Archer, the Security Alert Priority field is not populated in the RSA Archer user interface. Workaround: None |
11.5, 11.4.x, 11.3.x, 11.2.x | | ARCHER-47100 |
Event Stream Analysis |
Title: For ESA rules that use enrichment sources, the Ignore Case option does not work for the first statement.
Problem: When creating an ESA rule that uses any enrichment source, if the Ignore Case option is enabled on the first enrichment statement, no results are returned. This issue does not apply to any statements after the first statement (that is, substatements).
Workaround: When creating a new rule, the Ignore Case option is now disabled. For existing rules that have the Ignore Case option enabled on an enrichment statement, the option remains enabled, but users are prompted to disable it when opening the rule in ESA; disable the option and save the updated rule.
|
11.5, 11.4.x, 11.3.x, 11.2.x | | ASOC-49906 |
Investigate |
Title: When a large PCAP is extracted from the Events view and times out after 5 minutes, the query time is displayed as 8 hours in the Jobs tray error message.
Problem: When exporting a PCAP with approximately 100,000 sessions from the Events view using Export > Export All PCAP, the download may fail because the packets call times out after 5 minutes. If the call times out, the error message in the Jobs tray incorrectly reports the timeout as 8 hours (28800000 ms).
Workaround: None.
|
11.3, 11.2 | 11.3.1.1 | ASOC-60464 |
Endpoint |
Title: Nginx rejects POST requests larger than 1 MB.
Problem: The Nginx server was upgraded, and its default maximum request body size is 1 MB. Any POST request whose body exceeds 1 MB therefore fails (HTTP 413 Request Entity Too Large).
Workaround: Add the following directive to the Nginx configuration file (/etc/nginx/conf.d/nginx.conf) and restart the Nginx server:
client_max_body_size 100M
|
11.2 | 11.3 | ASOC-56236 |
Event Source Management |
Title: SMS service crashes with an Out of Memory error.
Problem: On systems with a large number of active event sources, when the system cannot keep up with processing log statistics messages, the SMS service can crash with a java.lang.OutOfMemoryError: Java heap space error.
Workaround: If you experience this issue, contact RSA Customer Support for details on how to address it.
|
11.2 | 11.2.0.1 | ASOC-62575 |
Event Stream Analysis |
Title: ESA Context Hub (CH) rules get disabled during upgrade or ESA host reboot.
Problem: If the ESA host restarts while Context Hub rules are deployed on ESA, the Context Hub rules may be disabled. This is the result of a race condition in the startup order of the Context Hub and Event Stream Analysis services on the ESA host.
Workaround: To resolve this issue, do one of the following:
|
11.2 | 11.3 | ASOC-60511 |
Event Stream Analysis |
Title: Case-sensitive sorting does not work properly in the ESA All Rules grid.
Problem: When some rule names begin with lowercase letters and others with uppercase letters, the Rule Name column of the ESA All Rules grid does not sort correctly. For example, "Rule 1" is not followed by "rule 2" when you sort by name.
Workaround: None.
|
11.3.1, 11.3, 11.2 | Won't fix | SAENG-3605 |
Investigate |
Title: In the Event Analysis view, log and network events are not interleaved.
Problem: In the Events view, network and log events are interleaved and sorted in time order, but the Event Analysis view sorts them differently: all log events, sorted in time order, are displayed before all network events, sorted in time order, instead of being interleaved.
Workaround: Use the Events view to see interleaved network and log events.
|
11.2 | 11.3 | ASOC-60941 |
Investigate |
Title: Imported Investigate profiles are not displayed in the Profiles drop-down menu.
Problem: When you import profiles into the Navigate view or the Events view using the Manage Profiles dialog, the newly imported profiles are not added to the Profiles drop-down menu.
Workaround: Refresh the browser window to see the recently added profiles.
|
11.2 | 11.3 | ASOC-61230 |
Investigate |
Title: If the URL for a drill point is very long and you use the query in the Event Analysis view, an HTTP 414 (Request-URI Too Long) error is returned.
Problem: Several situations create a query URL longer than the browser can handle, especially in Internet Explorer, which has a much lower URL length limit than most browsers. Pivoting to Event Analysis from Reporting can produce a very long query, as can a series of pivots in the Navigate view.
Workaround: Continue to work in the Navigate view or Events view when the URL becomes too long for the Event Analysis view to render.
|
11.2 | 11.3 | ASOC-50196 |
Respond |
Title: When all alerts for an alert rule are deleted, the filter for the rule is not properly removed.
Problem: In the Alerts List view (Respond > Alerts), you can filter alerts by Alert Name and then delete all alerts with that name. If you do not remove the alert name filter after deleting the alerts, the filter remains in place the next time the Alerts List view loads, but it is no longer visible as a checkbox in the Filters panel because no alerts with that name exist. You continue to see zero results when visiting the Alerts List view.
Workaround: Before you refresh or reload the Alerts List view, remove the filter by clearing the checkbox next to the alert name. If you have already refreshed or reloaded the view, the only way to remove the hidden filter is to click Reset Filters, which removes all filters, including the hidden alert name filter.
|
11.2 | 11.3 | ASOC-59243 |
UEBA |
Title: When a proxy is configured and NetWitness Platform is updated to 11.2, the license details are not refreshed automatically.
Problem: When a proxy is configured and NetWitness Platform is updated to 11.2, the license details are not refreshed automatically, nor after clicking Refresh in the License Details view, because communication with the license server is not established.
Workaround: The administrator must manually download the license details in offline mode and upload the latest license details through the RSA NetWitness Platform UI. For more information, see the Licensing Management Guide for RSA NetWitness Platform.
|
11.2 | 11.3 | ASOC-60042, ASOC-52366 |
Upgrade |
Title: STIX recurring feed fails on upgrade from 10.6.6 to 11.2.
Problem: When you upgrade Security Analytics 10.6.6 to RSA NetWitness Platform 11.2, a STIX recurring feed that you created using an HTTPS URL stops working. In 10.6.x, all certificates are trusted by default; in 11.2, the Trust All certificates option exists but is disabled by default, so the feed's server certificate is now validated.
Workaround: Navigate to Configure > Custom Feeds and edit the failed feed. Either upload a valid SSL certificate for the feed server or enable the Trust All option. Note that Trust All disables certificate validation for that feed entirely, so uploading the certificate is the preferable fix. For further questions, contact RSA Customer Support.
|
11.2 | 11.3 | ASOC-61227 |
Upgrade |
Title: After you upgrade to 11.1.0.0 or 11.2.0.0, the logstash files are not updated in the logstash output configuration file.
Problem: When you upgrade from 10.6.x.x to 11.1.0.0 or 11.2.0.0 with global auditing configured, the logstash files are not updated in the logstash output configuration file.
Workaround: If global auditing is configured, edit one of the syslog entries under Global Notifications servers and click Save to apply the latest audit log configuration.
|
11.2 | 11.3 | ASOC-49843 |
Upgrade |
Title: The investigation links are disabled for static charts after upgrading from 10.6.x.x to 11.1 or 11.2.
Problem: The investigation link is disabled for a static chart (a report whose result is rendered as a chart) whose data source is RSA NetWitness Platform-Broker (this service is available by default).
Workaround: There are two workarounds for this issue:
|
11.2 | 11.3 | ASOC-42136 |
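The Nginx request-size entry above (ASOC-56236) gives the directive to add but not how to confirm what limit each endpoint actually enforces. The following Python script is an added example and is not part of the NetWitness release notes or of the product: it parses a constructed nginx.conf text (embedded below, with hypothetical paths and upstream port), follows the http > server > location inheritance that Nginx applies to client_max_body_size, and reports the effective limit per location in bytes. Because that limit also guards against oversized request bodies, the sample raises it only on the location that receives large uploads and leaves the 1 MB default on the rest, rather than applying 100M globally.

```python
"""Report the effective Nginx client_max_body_size per location.

Added example for the Nginx request-size entry (ASOC-56236); not part of
the NetWitness release notes. The configuration text below is constructed
for this example, and its paths and upstream port are hypothetical.
"""
import re

# Nginx applies 1m when client_max_body_size is not set anywhere; 0 disables the check.
NGINX_DEFAULT_BODY_SIZE = 1024 * 1024

_SIZE_RE = re.compile(r"^(\d+)\s*([kKmMgG]?)$")
_UNIT_BYTES = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

# Constructed sample configuration (hypothetical paths and upstream port).
SAMPLE_CONF = """
http {
    # no directive here, so the Nginx default of 1m is inherited below
    server {
        listen 443 ssl;
        location /endpoint/ {
            client_max_body_size 100M;   # raised only where large uploads arrive
            proxy_pass http://127.0.0.1:7050;
        }
        location /health {
            proxy_pass http://127.0.0.1:7050;
        }
    }
}
"""


def parse_size(value):
    """Convert an Nginx size token such as '100M', '512k' or '0' to bytes."""
    match = _SIZE_RE.match(value.strip().rstrip(";").strip())
    if not match:
        raise ValueError("not an Nginx size value: %r" % value)
    return int(match.group(1)) * _UNIT_BYTES[match.group(2).lower()]


def effective_body_sizes(conf):
    """Return {location: bytes} giving the limit each location actually enforces.

    client_max_body_size may be set in http, server or location context and is
    inherited by nested blocks unless they override it, so the parser keeps a
    stack of the inherited value, pushing on '{' and popping on '}'.
    """
    limits = {}
    inherited = [NGINX_DEFAULT_BODY_SIZE]
    headers = ["main"]
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            headers.append(line[:-1].strip())
            inherited.append(inherited[-1])  # child starts with the parent's value
        elif line == "}":
            header = headers.pop()
            limit = inherited.pop()
            if header.startswith("location"):
                limits[header.split(None, 1)[1]] = limit
        elif line.startswith("client_max_body_size"):
            inherited[-1] = parse_size(line.split(None, 1)[1])
    return limits


def locations_below(conf, required_bytes):
    """Locations whose enforced limit would reject a body of required_bytes."""
    return sorted(loc for loc, limit in effective_body_sizes(conf).items()
                  if limit != 0 and limit < required_bytes)


if __name__ == "__main__":
    for loc, limit in sorted(effective_body_sizes(SAMPLE_CONF).items()):
        print("%-12s %d bytes" % (loc, limit))
    print("would reject a 2 MB POST:", locations_below(SAMPLE_CONF, 2 * 1024 * 1024))
```

Run against a real /etc/nginx/conf.d/nginx.conf by passing its contents to effective_body_sizes; after editing the file, `nginx -t` still has to be run before the restart, since this script checks only the size directive, not the rest of the syntax.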