To find out if any known issue is fixed, refer to the Fixed Issues section in the Release Notes for the appropriate release.
| Components | Title, Problem and Workaround | Found In / Exists In | Tracking Number |
|---|---|---|---|
| NW Server | Title: Malware service is displayed as offline in the user interface (UI). Problem: In rare occasions, the Malware service is shown as offline in the UI, even though the service is working as intended. Workaround: Restart the Jetty server by running the following command: systemctl restart jetty | 11.4 | ASOC-86631 |
| Legacy Windows Collector | Title: WLC Cert renewal script does not run. Problem: The WLC Cert Renewal Script, packaged as part of 11.4 and located at /var/netwitness/root-ca- update/wlc/, should not be run. RSA plans to provide a fix in a future NetWitness Platform patch release. Workaround: None | 11.4 | ASOC-87953 |
| Event Stream Analysis | Title: Some ESA Rule Deployments migrated from versions before 11.3 can cause ESA Rule Deployment issues during the 11.4 upgrade. Problem: Unused ESA rule deployments left over from the migration from the 10.6 or 11.2 legacy Event Stream Analysis service, which do not contain an ESA Correlation service, cause ESA rule deployments to not deploy after upgrading to NetWitness Platform 11.4. Workaround: Before you upgrade to 11.4, delete ESA rule deployments that do not contain an ESA Correlation service. The remaining ESA rule deployments should have been deployed at least once with the ESA Correlation service. To delete an ESA rule deployment:
| 11.4 | ASOC-87859 |
| Event Stream Analysis | Title: An ESA Rule Deployment name with a Colon (:) throws a failed to start stream error Problem: If an ESA rule deployment name contains a colon (:), data aggregation fails to start during deployment. Workaround: Edit the ESA rule deployment name to remove the colon (:) and then redeploy the deployment.
| 11.4 | ASOC-87778 |
| Event Stream Analysis | Title: Esper metrics collection can impact performance in some environments with ESA rules that consume large amounts of memory. Problem: Metric collection in Esper version 8.2.0 is different than the previous 7.1.0 version. For an ESA Correlation server with rules that consume a lot of memory, the gathering of metrics can consume significant CPU, leading to a drop in EPS when the metrics are being collected. To avoid the drop in EPS, the default interval to collect metrics in NetWitness Platform 11.4 is set to a very large value (999999 days). This prevents the Esper metrics from being collected. Workaround: If you need metrics collected at a more frequent interval, you can update the background-metrics-frequency parameter on the ESA Correlation service. Do not set the metrics collection interval lower than 5 minutes.
| 11.4 | ASOC-87517 |
| Event Stream Analysis | Title: When a rule is shared between multiple ESA deployments, there is a discrepancy with the Enabled and Disabled ESA rule statuses after an upgrade. Problem: If an ESA rule is used in multiple deployments, then after an upgrade it is possible that the Enabled or Disabled status of that rule in those deployments may not be as expected. Workaround: Check the ESA rule deployments that contain the rule and change the rule status as needed. To change the ESA rule status in a deployment:
| 11.4, 11.3.x | ASOC-87858 |
| Event Stream Analysis | Title: Named Window with @RSAPersist is not retained after the upgrade to 11.4 or 11.3.x. Problem: Data in Esper Named Windows persisted by enrichments and rules using the @RSAPersist annotation is not restored after the upgrade to 11.4 or 11.3.x. These data windows will be empty to start and will be populated with new data as it is processed. Workaround: None | 11.4, 11.3.x | ASOC-85928 |
| Event Stream Analysis | Title: Recurring In-Memory Table enrichments are not updating. Problem: Recurring In-Memory Table enrichments do not update when the .CSV file changes. If you use Ad Hoc In-Memory Tables, this is not an issue. Recurring In-Memory Table enrichments are no longer supported. It is preferable to use Context Hub List enrichment sources instead of In-Memory Table enrichment sources. You can share Context Hub List enrichment sources across the NetWitness Platform. You can only use the In-Memory Table with ESA Workaround: Change your Recurring In- Memory Tables to Context Hub lists. For each Recurring In-Memory table, do the following:
For information on how to configure a Context Hub List as an enrichment source, see the Alerting with ESA Correlation Rules User Guide. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents. | 11.4, 11.3.x | ASOC-86887 |
| Investigate | Title: When the NOT operator is used in Free-Form Mode without parenthesis, as in NOT medium = 1 vs NOT(medium = 1), the free-form query will fail. Problem: When the NOT operator is placed before an expression like (NOT service = 80), Free-Form Mode is transforming the expression by adding an open parentheses in front of the expression following the NOT; this imbalances the query and produces an error. Workaround: Use this syntax when creating a query in Free-Form Mode: NOT (service = 80). Also, be sure to fix any pre-query or query prefix that has the NOT operator in this form: (NOT service = 80) so that pivoting from Navigate to Events view does not break the flow. | 11.4 | ASOC-87633 |
| Investigate | Title: Packets are not rendered properly and the expected data is not displayed in the Events view packet reconstruction. Problem: Sometimes when reconstructing larger events with multi-page data in the packet reconstruction, the request or response field is blank and no data is loaded. Workaround: Click the Web reconstruction icon above the packet reconstruction. After the web reconstruction opens in the Legacy Events view, switch back to the packet reconstruction. | 11.4 | ASOC-87549 |
| Investigate | Title: The packet reconstruction being viewed does not have data loaded after leaving the Events view for the Hosts, Files, or Entities view, and then returns to the Events view using the Events option in the Investigate submenu. Problem: If the packet reconstruction is open and the user moves away from Events view by clicking on the Hosts view, Files view, or Entities view, and comes back to the Events view by clicking Events in the Investigate submenu, there is an issue with the reconstruction. The previous query is executed, but the reconstruction that was open does not load the packet reconstruction as expected. Workaround: Refresh the browser page. | 11.4 | ASOC-87516 |
| Investigate | Title: After upgrading to Version 11.4, there may be issues in the Navigate view and Legacy Events view because the column groups, meta groups, or profile groups permission is disabled for custom user roles. Problem: When the column groups, meta groups, or profile groups permission is disabled for a user, the Load Values button is not displayed in the Navigate view. When column groups permission is disabled, there is an additional issue in the Legacy Events view: Only the Detail view is visible and you cannot select different views and column groups. The issue occurs most frequently after upgrading to 11.4 because new built-in permissions are not automatically applied to custom user roles. Workaround: After completing the upgrade, the administrator needs to enable the required permissions as described in the System Security and User Management Guide. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents. A quick workaround for analysts: To load values in the Navigate view, you can select a different time range to load meta values. There is no workaround for the issue with the Legacy Events view. | 11.4 | ASOC-87378 |
| Investigate | Title: Queries created in Free-From Mode in the Events view always use OR and AND instead of the symbols. Problem: If you type or paste the || and && operators into the Free-Form query builder, the typed text is changed to OR and AND. Workaround: None | 11.4 | ASOC-86728 |
| Investigate | Title: Unable to query meta keys with values and meta values are truncated for some characters like ®. Problem: When some meta values include special characters like ®, analysts cannot drill down using that meta key in the Navigate view. Meta values are also truncated in the Events view. Workaround: Remove the special character if creating a feed, or encode it properly at the source of the feed. | 11.4 | ASOC-85375 |
| Investigate | Title: When initiating a download, Investigate fails to connect to the browser job tray and the download spinner remains indefinitely. Problem: If you type or paste the || and && operators into the Free-Form query builder, the typed text is changed to OR and AND. Workaround: Retrieve the download from the job queue under <Your Name> > Profile > Jobs. | 11.4 | ASOC-50412 |
| Log Decoder | Title: Log Decoder may not start data aggregation after upgrade. Problem: There can be two reasons that Log Decoder may not start data aggregation:
Workaround: In Log Decoder configuration, the parameter save.session.count=0 or save.session.count=600000000, which was set by default in previous releases, must be set to AUTO.
| 11.4, 11.3.x, 11.2, 11.1 | SADOCS-1784, SACE-12300 |
| Endpoint Server | Title: Endpoint server is often found in Unhealthy state after a day of deployment. Problem: If you are running an Endpoint Server in an environment that does not contain a Context Hub server, the file status and file reputation features will not work, and the status of the Endpoint Server shows Unhealthy in Health and Wellness. Other Endpoint features will work without the Context Hub Server. Workaround: None | 11.4 | ASOC-86942 |
| Dashboard | Title: Built-in charts are not enabled by default for multi analyst UI. Problem: When the Admin enables the built-in dashboards on any node, the dashboards and the corresponding charts are enabled only on the selected node. On the other nodes, the corresponding built-in charts are not enabled by default. The built-in dashboards are enabled with an error message, "No active execution details available for chart (chart name)" displayed on the UI. Workaround: The user must login as an Admin on every node and manually enable the built-in charts. | 11.4 | ASOC-79538 |
| Respond | Title: When there are 100+ events in an alert, the scroll bar does not display all the alert information in a clear format. Problem: The scroll bar is only partially visible when there are over 100 events in the Incident Details view Events List.
Workaround: You can continue scrolling to see all of the information. | 11.4, 11.3.x | ASOC-71935 |
| Audit Logging | Title: logstash does not reconnect to RabbitMQ if RabbitMQ is reset. Problem: If RabbitMQ is reset for any reason, logstash does not connect to RabbitMQ for aggregating Audit logs. Workaround: Restart logstash to reconnect to RabbitMQ. | 11.4 | ASOC-85468 |
| USM | Title: Updating "Effective Date" daily causes scan schedules to restart. Problem: The default EDR policy does not specify an effective date. If a policy for an agent does not specify the effective date, then the current date is used instead. This causes the group policy document to be updated every day with the new effective date. Any agent using the default effective date setting will then receive an updated policy every day, causing it to restart its scan schedule everyday and resulting in the agent scanning every day regardless of what the actual policy is. Workaround: Edit the default EDR policy and add an effective date. | 11.3.x | ASOC-87065 |
| Upgrade | Title: Cannot orchestrate an additional component host running on 11.3.0.2 with NW Server host upgraded with 11.3.1.1. Problem: If you are upgrading your hosts from 11.0, 11.1, or 11.2 directly to 11.3.1.1, and you want to add a new host after the NW Server Host has been upgraded, the new host cannot be orchestrated. | 11.3.x | ASOC-83941 |
| Event Stream Analysis | Title: Aggregation stops on some Concentrators because of too many open files. Problem: Occasionally, ESA Correlation will encounter an error when aggregating from a Concentrator resulting in a connection leak. Over time, this may result in the 'too many open files' error which will stop aggregation. Workaround: You must restart the ESA Correlation service from the NetWitness Platform user interface.
| 11.3.2 | ASOC-86412 |
| Core Services | Title: Log Collector event processor does not get started after Log Decoder appliance reboot.
| 11.3.2 | ASOC- 83767 |
| Event Stream Analysis | Title: Cannot Access Custom Esper Java Libraries | 11.4, 11.3.x | ASOC-86358, ASOC-85770 |
| Event Stream Analysis | Title: Unable to add data source for a custom user. Workaround: Add the “Manage ATD Settings” permission on the Administration tab to the custom ESA user role to enable the users with that role to add or view data sources in ESA rule deployments. To update a custom role with the Manage ATD Settings permission:
| 11.3.1.1, 11.3.0.2 | ASOC-82815 SACE-12124 |
| Event Stream Analysis | Title: Sample Enrichment ESA rules are being disabled on 11.3.0.2 due to Problem: In 11.3.0.2, the migrated Whitelist and Blacklist SAMPLE ESA rules use the Note: This issue is fixed in NetWitness Platform 11.3.1.0. Workaround: Edit the Whitelist and Blacklist SAMPLE rules to use
| 11.3.0.2 | ASOC-83241 |
| Event Stream Analysis | Title: Sometimes the status of an ESA rule deployment is incorrect. Problem: When you deploy ESA rules, sometimes an error occurs that shows that the rules are disabled in the user interface (CONFIGURE > ESA Rules> Rules tab Deployment panel) when the ESA rule deployment is actually successful. Check the Services tab to see the actual status of the deployment. Note: This issue is fixed in NetWitness Platform 11.3.1.1. Workaround: None. | 11.3.0.2 | ASOC-82658 SACE-11759 |
| Administration | Title: Default SSH timeout period Problem: In 11.3.1, there is a new default, three-minute timeout period for an SSH session (from the Browser or Console). This brief timeout period may be inadequate for your needs. Workaround: The following procedures are two options for changing this setting. Disable the SSH Timeout Setting and Default to the Auth Timeout Setting Remove the Timeout Setting (No Timeout for SSH) | 11.3.1 | ASOC-80695 |
| Upgrade | Title: Linux policy is not updated in the user interface after upgrading agents from 11.2.0 to 11.3.1. Problem: In the NetWitness Platform user interface, Agent mode is displayed as INSIGHT after upgrading from 11.2.0 to 11.3.1. After scanning, Agent mode is moving to ADVANCED. Workaround: None. | 11.3.1 | ASOC-79638 |
| Upgrade | Title: The default CEF and human-readable format audit templates are not updated after upgrading to 11.3.1. Problem: In 11.3.1, notification templates were updated with additional fields. The updated templates are "Default Audit Human-Readable Format" and "Default Audit CEF Template." If you are using these templates, you must perform the steps below after you update to 11.3.1 to reflect the changes. Workaround: Delete the default templates, restart the Jetty service, and reconfigure Global Auditing:
| 11.3.1 | ASOC-79110 |
| Event Stream Analysis | Title: Unable to delete an endpoint bundle from an ESA rule deployment | 11.3.1 | ASOC-76364 |
| Investigate | Title: Broker timeline does not render if Concentrator is offline. | 11.3.1, 11.3 | SACE-11365 |
| Global Notifications | Title: Syslog server config updates are making entries in config. Workaround:
| 11.3.1, 11.3 | ASOC-59607 |
| UEBA | Title: UEBA Service displays incorrect version Problem: After you update NetWitness Platform to 11.2.1, the ADMIN > Hosts view displays an incorrect UEBA version. Workaround: Update the UEBA service:
| 11.3.0.1, 11.2.1 | ASOC-69605 |
| Event Stream Analysis | Title: Meta keys marked as sensitive for Data Privacy are still included in notifications and alerts for some ESA rules. Problem: In ESA rules that do not select every piece of metadata from the session (that is, using ‘select *’), you may see that data privacy (if enabled) and the Pivot to Investigate > Navigate link accessed from a context tooltip in Respond does not work. Workaround: For 11.4, you can perform the steps that are documented in “Update any ESA Rule that Selects Only Certain Meta Keys from the Session to Include event_ source_id” in the Alerting with ESA Correlation Rules User Guide. Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents. | 11.3.x | ASOC-80898 |
| Event Stream Analysis | Title: The available data sources in an ESA rule deployment show details of a deleted host. Problem: If a Concentrator is added to the available data sources for ESA rule deployments and then the host is removed from the NetWitness server, you can still see that host in the available data sources list. Workaround: Remove the host from the available data sources for ESA rule deployments and then redeploy any existing ESA rule deployments that were using that host. To remove the host from the available configured data sources:
| 11.3.1, 11.3 | ASOC-82076 |
| Endpoint | Title: Commands issued after pressing the Tab key are not captured in Powershell for Windows 10 version 1809 Problem: In Windows 10 version 1809, when you execute a command in Powershell and press the Tab key, the Powershell console events that are captured contain only the characters entered before pressing Tab. Also, some of the Powershell console events that are captured may contain repeated characters. Workaround: None | 11.3 | ASOC-73120 |
| Investigate | Title: In the Event Analysis view, the query console does not replace the information icon with an error icon when a service is offline. Problem: When a queried service is offline, the information icon in the query console should change to an error icon (red triangle with an exclamation point). The border of the query console border turns red, but the information icon does not change to a error triangle.
Workaround: None | 11.3 | ASOC-73826 |
| Investigate | Title: When retrieval of events for a query is in progress in the Event Analysis view, events that are already displayed disappear if the query takes more than 5 minutes to finish Problem: This can happen when querying a large set of data with a query that includes expensive operations. The query is auto-canceled after a 5-minute timeout, and an error message is displayed. Workaround: To avoid the timeout, change the query parameters to filter a smaller data set and re-execute the query. | 11.3 | ASOC-73224 |
| Respond | Title: Incidents are not flagged when a user manually adds alerts to an existing incident Problem: Meta values in hover over values are not highlighted when alerts in Respond have manually been added to an incident. While alerts that are automatically or dynamically added to an incident are shown in hover over. Workaround: None | 11.3, 11.2, 11.1 | ASOC-52428 |
| Respond | Title: Matching files are not displayed in the Files tab. Problem: From the Nodal Graph, when you pivot to Investigate > Hosts or Files tab for analyzing a file, if the file name in the event does not match with the global file name, no result is displayed in the Files tab. Workaround: You must pivot to Investigate > Hosts or Files using the file hash.
| 11.4, 11.3.x | ASOC-73173 |
| Respond | Title: Respond stats reset after update. Problem: After an update from NetWitness Platform 11.2 to 11.3, Respond statistics are reset in the Incident Rules view (CONFIGURE > Incident Rules). The rule counter for matched alerts and incidents resets to zero and the Last Matched, Matched Alerts, and Incidents columns show only 11.3 values. Workaround: None. Note: This is fixed for updates from 11.3 to 11.3.x, but is still an issue for updates from 11.2.x to 11.3.x. | 11.3 | ASOC-72759 |
| Respond | Title: When there are 100+ events in an alert the scroll bar does not fit in properly. Problem: The scroll bar is only partially visible when there are over 100 events in the Incident Details view Events List. Workaround: You can continue scrolling to see all of the information. | 11.3.1, 11.3.x, 11.3 | ASOC-71935 |
| Respond | Title: Show proper message for Event Analysis not loading in a mixed-mode environment. Problem: In a mixed-mode environment, when the Event Analysis does not load from the Respond Incident Details view, customers receive the following message: “An unexpected error has occurred attempting to retrieve this data.” Instead they should receive a message that this is expected behavior. Event Analysis requires all core services to be on NetWitness 11.1 or greater. Workaround: None. | 11.3, 11.2 | ASOC-60463 |
| Respond | Title: Deleting an alert in Respond is not updating the High-Risk User List in Threat Aware Authentication Problem: Applicable to customers who have enabled Threat Aware Authentication. When Alerts associated with an open incident are deleted from the Alerts view (Respond > Alerts), the email addresses associated with the deleted alerts are not removed automatically from the SecurID’s high-risk users list. Workaround: None, but you can manually remove the user details from the high-risk users list. | 11.3 | ASOC-73743 |
| Respond | Title: ESA Rules with severity as High or Low are not populated in the RSA Archer UI. Problem: When ESA alerts with severity High or Low are forwarded to RSA Archer, the Security Alert Priority field is not populated in the RSA Archer UI. Workaround: None | 11.3.1, 11.3, 11.2, 11.1 | ARCHER-47101 |
| Endpoint | Title: Generating and copying the *nwelcfg file does not update the timestamp. Problem: After installing the Endpoint agent, if the administrator wants to update a new Log Collection configuration with any copy methods or with a third-party endpoint management tool, the config file timestamp remains as that of the Endpoint server time and not the agent time. As a result, if the endpoint agent is on a different timezone from the endpoint server, the timestamp does not get updated properly. Workaround: After copying the file, run this command on the Endpoint Agent: | 11.3, 11.2, 11.1 | ASOC-49847 |
| Event Stream Analysis | Title: For ESA rules that use enrichment sources, the Ignore Case option does not work for first statement Problem: When creating an ESA rule that uses any enrichment source, if the Ignore Case option is enabled on the first enrichment statement, no results are returned. Note that this issue does not apply to any statements after the first statement (that is, substatements). Workaround: When creating a new rule, the Ignore Case option is now disabled. For existing rules that have the Ignore Case option enabled for an enrichment statement, the option is still enabled but users will be prompted to disable the option when opening the rule in ESA and then save the updated rule. | 11.4, 11.3.x, 11.2.x, 11.1 | ASOC-49906 |
| Investigate | Title: When a large PCAP is extracted from the Events view, if it times out after 5 minutes, the query time is displayed as 8 hours in the Jobs tray error message. Problem: When exporting a PCAP with ~100000 sessions from the Events view using Export > Export All PCAP, the download may fail due to the 5-minute packets call timeout. If the call times out, the error message in the Jobs tray incorrectly displays the timeout as 8 hours (28800000 ms). Workaround: None. | 11.3, 11.2 | ASOC-60464 |
| Administration | Title: Custom STIX Recurring feed URL field is editable Problem: Live Feed configuration allows you to edit the STIX Recurring feed URL even after the configuration is successful. Upon editing custom feed, the custom feed creation does not change and uses the previous URL. Workaround: None | 11.1.1.3 | ASOC-62361 |
| Core Services | Title: Log Decoder service crashes when ESM Discovery auto mapping is enabled. Problem: Log Decoder service crashes on ipdevice mapping updates from automated ESM discovery functionality on the Admin Server. Workaround: Disable ESM automated ipdevice mapping updates and entries on Node 0.
Remove the existing automated mapping settings on Log Decoder. The Automated mappings are identified with the entry: soft=true
| 11.1, 11.1.0.2 | SACE-9550 |
| Core Services | Title: The SSL FIPS Mode checkbox in the Services Config view should be disabled for Brokers, Concentrators, and Archivers, because changing the checkbox value does not turn off FIPS enforcement for the service. Problem: In 11.1.0.0 the Broker, Concentrator, and Archiver are always FIPS enforced and the administrator does not have the option to toggle between FIPS and Non-FIPS. The administrator can use the SSL FIPS Mode checkbox to toggle FIPS mode on and off on a Log Decoder, Packet Decoder, or Log Collector. Workaround: None | 11.2, 11.1 | ASOC-41902 |
| Custom Feeds | Title: RSA Archer Recurring Feeds failing in SSL mode Problem: RSA Archer recurring feeds do not work in SSL mode. Workaround: You must create the RSA Archer recurring feeds in non-SSL mode. | 11.3.1, 11.3, 11.2, 11.1 | ARCHER-41524 |
| Endpoint | Title: Nginx rejects post requests exceeding request size 1 MB Problem: The Nginx server is upgraded and the default payload size is set to 1 MB. This causes any data post request exceeding 1 MB to fail. Workaround: Add the following setting to the Nginx configuration file (/etc/nginx/conf.d/nginx.conf) and restart the Nginx server: client_max_body_size 100M | 11.2 | ASOC-56236 |
| Endpoint | Title: After agent update, the agent version is not reflected in the user interface. Problem: When you update the agent version from 11.1 to 11.1.0.1, the agent version shows 11.1 in the Hosts view. Workaround: In the Investigate > Hosts view, select the host on which you installed the latest version of the agent, and click Start Scan. The agent version is updated to 11.1.0.1. | 11.1.0.1 | ASOC-52761 |
| Endpoint | Title: Unable to export files list to a CSV file. Problem: While exporting data to a CSV file, the database query takes a longer time when the database is under a heavy load, and the user interface request times-out. Workaround: Apply appropriate filters and use at least one indexed field with an Equals operator to reduce the files for export. For more information on Filtering Hosts and Files, see the NetWitness Investigate User Guide for RSA NetWitness Platform. | 11.1 | ASOC-47549 |
| Endpoint | Title: Unable to generate Agent Packager if the auto uninstall is set in seconds Problem: In the Auto Uninstall field, if the seconds value is more than 9, for example, 02/12/2018 12:00:10 PM, then click Generate Agent fails to generate the packager. Workaround: Enter a value below 10 seconds in the Auto Uninstall field. | 11.1 | ASOC-49324 |
| Endpoint | Title: Sorting on columns should not be case-sensitive Problem: Sorting on columns in the Hosts and Files view is case-sensitive. It sorts the number first, uppercase, and then the lowercase. Workaround: None | 11.2, 11.1 | ASOC-32595 |
| Endpoint | Title: No message is displayed when filtering the values takes more than 60 seconds. Problem: In the Hosts and Files view, while filtering the values, if it takes more than 60 seconds, the user interface does not display any message or results. Workaround: None | 11.1 | ASOC-50197 |
| Endpoint | Title: Disable Log Collection in Windows Endpoint Agent is not supported. Problem: Once an Endpoint Agent is installed with the Windows Log Collection feature enabled, the user is unable to disable Windows log collection. Workaround: Run the uninstall command provided in the "Uninstall Agents" section in the NetWitness Endpoint Agent Install Guide for RSA NetWitness Platform. Reinstall an agent with Windows Log Collection disabled. | 11.1 | ASOC-49846 |
| Endpoint | Title: When the Endpoint Agent is configured to use the UDP protocol and the Primary Log Decoder/ Remote Log Collector is not reachable, the secondary Log Decoder or Log Collector is not functional. Problem: When the Primary Log Decoder/Remote Log Collector is not reachable and the Endpoint agent is configured to use UDP, the Secondary Log Decoder/Remote Log Collector is not used. The logs are not forwarded to the secondary Log Decoder or Log Collector when the primary is down, thus resulting in event loss. Workaround: None | 11.1 | ASOC-40844 |
| Entitlements | Title: Metered license does not flip back to an in compliance immediately when there are no services attached to that Metered license Problem: As an example, if there is a Metered license available for a Log Decoder and you have one Log Decoder listed under it, the following conditions may occur:
Workaround: None | 11.1 | ASOC-9078 |
| Event Source Management | Title: SMS Service crashes with Out of Memory Error Problem: On systems with a large number of active event sources, when the system cannot keep up with the processing of log statistics messages, the SMS service can crash with a java.lang.OutOfMemoryError: Java heap space error. Workaround: If you experience this issue, please contact RSA support for details on how to address the issue. | 11.2 | ASOC-62575 |
| Event Source Management | Title: Suggested mapping does not load when the Event Source is created manually Problem: For an Event Source that is manually added without entering a value for Log Decoder, when the Manage Parser Mappings dialog is opened, the suggested Parser Mappings may not have a Display Name. Workaround: Close the Manage Parser Mappings dialog, then reopen it and the Display Name is displayed as shown in the following example.
| 11.1 | ASOC-49492 |
| Event Stream Analysis | Title: ESA Rules with custom meta keys do not deploy on the ESA Server Problem: If you add new custom meta keys in 11.2, ESA rules using those meta keys may not deploy. This happens because the Event Stream Analysis service needs information from the Concentrator. Workaround: To deploy an ESA Correlation Rule with custom meta, do the following:
| 11.2 | ASOC-60367 |
| Event Stream Analysis | Title: ESA CH rules get disabled during upgrade or ESA host reboot Problem: If the ESA host restarts and Context Hub rules are deployed on ESA, the Context Hub rules may be disabled. This happens as a result of a race condition between the Context hub and Event Stream Analysis services startup order on the ESA host. Workaround: To resolve this issue, do one of the following:
| 11.2 | ASOC-60511 |
| Event Stream Analysis | Title: ESA Rules deployed not listed while creating policy using statistics ESA Rule Memory Usage Problem: When you deploy new ESA rules in the Health and Wellness page and create a new policy under Event Stream Analytics using the statistic ESA Rule Memory usage, all ESA rules deployed are not listed. Workaround: Run the following restart command on NetWitness Server: | 11.1 | ASOC-50201 |
| Event Stream Analysis | Title: ESA rule with meta entity does not get triggered Problem: When meta entities are configured for use in the Investigate interface, they are not available for use in the ESA Correlation Rule Builder. Customers are not able to build ESA correlation rules using meta entity information, and they must specify the exact pieces of metadata to use in the rules. Workaround: None | 11.2, 11.1 | ASOC-47522 |
| Event Stream Analysis | Title: Case-sensitive sorting is not working properly in the ESA All Rules grid Problem: When rule names begin with lower and upper case letters, the sort does not work properly in the Rule Name column of ESA All Rules grid. For example, "Rule 1" is not followed by "rule 2" when you sort by name. Workaround: None | 11.3.1, 11.3, 11.2, 11.1 | SAENG-3605 |
| Event Stream Analysis | Title: Cannot set ESA compression level as in other appliances Problem: Administrators cannot set the compression level in ESA like they can with other appliances, even using the Explorer view Workaround: Delete the Concentrator source from ESA and add it again so that the compression level changes are reflected:
| 11.2, 11.1 | ASOC-26481 |
| Event Stream Analysis | Title: Deployment fails if the server that hosts an external database goes down Problem: You configure a database connection to use the database as an enrichment source for a rule. A reference to the data base is deployed on every ESA, even if the ESA does not deploy any rules that use the database. If the server that hosts the database goes down, any new deployment will fail. Workaround: Restart the server that hosts the database. | 11.2, 11.1 | ASOC-9011 |
| General Application Issues | Title: The System Logs Off Idle Users in Respond and Some Investigate Views Problem: In the Respond view and some Investigate views (Event Analysis, Hosts, and Files), if a user is not actively querying data, the system logs off the user after the Idle Period is reached. The default Idle Period is 600 seconds (10 minutes). This can cause the work of an Analyst to be interrupted. Workaround: If this becomes an issue with the Analysts, in the global security settings (ADMIN > Security), consider increasing the values of the Session Timeout and the Idle Period. | 11.1 | ASOC-46483 |
| Investigate | Title: Users who have not been assigned investigate-server* permission do not get the proper error message explaining why they do not have access to the Event Analysis view Problem: If the administrator has not assigned investigate-server* permission for a user, the user should see the permission denied error when attempting to view a session in the Event Analysis view. Instead, the internal server error is returned. Workaround: None. | 11.2 | ASOC-60366 |
| Investigate | Title: In the Event Analysis view, log and network events are not interleaved Problem: Network and log events are interleaved and sorted in time order in the Events view, but in the Event Analysis view, events are sorted differently. In the Event Analysis view, the events are not interleaved as they should be; instead all log events sorted in time order are displayed before all network events sorted in time order. Workaround: Use the Events view to see interleaved network and log events. | 11.2 | ASOC-60941 |
| Investigate | Title: Imported Investigate profiles are not displayed in the Profiles drop-down menu Problem: When you import Profiles to the Navigate view or the Events view using the Manage Profiles dialog, the newly imported profiles are not added to the Profiles drop-down menu. Workaround: Refresh the browser window to see the recently added profiles. | 11.2 | ASOC-61230 |
| Investigate | Title: Unable to export logs from Events View for Log Decoder. Problem: After you update the Admin Server to 11.1, and you export the logs for the Log Decoder, the exported file is empty even though the logs are available in the Log Decoder. Note: The below mentioned workaround is not required if you do not have a specific reason to export logs from Log Decoder. You can continue to investigate and export logs from Log Decoder through Concentrator by applying the filters did= <decode_id>. Workaround: You must index the medium meta if you want to export logs for the Log Decoder. The following steps indexes the new events and you can export these events.
| 11.1 | ASOC-59145 |
| Investigate | Title: If the URL for a drill point is very long and you use the query in the Event Analysis view, an error (414 Request error) is returned Problem: Several situations create a very long query that the browser cannot handle, especially if you are using Internet Explorer, which has a much lower character limit than most browsers. Pivoting to Event Analysis from Reporting can result in a very long query, and a number of pivots in the Navigate view can create a very long query. Workaround: Continue to work in the Navigate view or Events view when the URL becomes too long to render in the Event Analysis view. | 11.2, 11.1 | ASOC-50196 |
| Investigate | Title: Attempting a direct query, or a query by using a link that uses an IPV6 meta value with unsupported special characters generates an error in the Event Analysis view and the Navigate view Problem: Literal ipv6 addresses with a percent (%) sign and also UNC Path Names such as 2001-db8-85a3-8d3-1319-8a2e-370-7348.ipv6-literal.net are not supported. The error in the Event Analysis view is Internal Server Error. The Navigate page shows a syntax error. Workaround: None. | 11.1 | ASOC-50924 |
| Investigate | Title: If you got to Event Analysis by way of the Events view, either by clicking the Event Analysis link or by right-clicking one of the events, the right-click options on meta values do not work Problem: If you clicked Event Analysis in the Detail View of the Events view, the Event Analysis view opens as usual. However, the right-click options on a meta value in the Event Meta panel do not work Workaround: If you go through Navigate > Event Analysis, or if you go through Events and a reconstruction of an event, the right-click options function in Event Analysis. | 11.1 | ASOC-50771 |
| Investigate | Title: Cannot add meta entities to a custom column group in the Events view with the Optimize Investigation Page Loads option disabled Problem: Meta keys belonging to meta entities are not displayed in custom column groups. This issue is seen in the Events view when you disable Optimize Investigate Page Loads in the Events view settings and then refresh the page. Workaround: If you want to use meta entities in a custom column group, ensure that the Optimize Investigation Page Loads option is enabled | 11.1 | ASOC-50712 |
| Investigate | Title: Custom column groups that contain meta entities can be created in the Events view, but when the custom column group is used in the Event Analysis view, you cannot see the meta keys included in the meta entity in the results. Problem: Custom column groups are not displaying meta keys that belong to meta entities. This issue is seen in the Events list in the Event Analysis view. Workaround: Use a column group that does not contain meta entities. However, meta entities can still be queried and used in the query builder. | 11.1 | ASOC-50349 |
| Investigate | Title: The query builder in the Event Analysis view is unresponsive for filters that contain a space. Problem: When adding a filter, if you add an extra space before <meta key>, between <meta key> and <operator>, and after <operator>, the query builder becomes unresponsive and the Query Events button is disabled so that you cannot continue adding filters. Workaround: Click on an existing filter, and then click the query builder. If that does not work, refresh the page. | 11.2, 11.1 | ASOC-49427 |
| Investigate | Title: When investigating in the Event Analysis view, the following error message is returned: “An Unexpected error has occurred.” Problem: This error is displayed when the session you are attempting to access has been removed, rolled out, or you have insufficient permission to view the session. Workaround: None. | 11.1 | ASOC-48710 |
| Investigate | Title: Issue with Interaction between Expand and Contract Icons in Investigate Event Analysis. Problem: When you contract the left panel in the Event Analysis view, the right panel expands, but the expand/contract icon on right panel does not change to the contract icon. To contract the right panel using the expand/contract icon on the right panel you have to press it twice. The behavior should be that when you contract the left panel and the right panel expands, the expand/contract icon for right panel switches to contract or expand as appropriate. There is a similar issue with the Show/Hide Events panel icon. If the Event panel is contracted and you click on the Show/Hide Events Panel icon, the left panel disappears and the right panel expands. The expand/contract icon on the right (and now only) panel remains in expanded form. When you click on the expand icon in this configuration, the left panel reappears and the right panel effectively contracts. The behavior should be: after you hide the left panel, the expand/contract icon on the right panel should take its contract form. Workaround: When the expand/contract icon in the right panel or the Show/Hide Events panel icon in the toolbar has not changed to the correct state, click the icon twice. | 11.1 | ASOC-47670 |
| Investigate | Title: Three new meta groups for 11.1 and the same column groups for 11.2 are not created when you upgrade from 10.6.x.x to 11.x: RSA Endpoint Analysis, RSA Outbound HTTP, RSA Outbound SSL/TLS. Problem: When you upgrade from 10.6.x.x to 11.x, three out-of-the-box meta groups (RSA Endpoint Analysis, RSA Outbound HTTP, and RSA Outbound SSL/TLS) are not created due to a conflict with a column group added in Version 11.1. Also, three out-of-the-box column groups (RSA Endpoint Analysis, RSA Outbound HTTP, and RSA Outbound SSL/TLS) are not created. These meta groups should appear in the Manage Meta Groups dialog and the Manage Column Groups dialog. Workaround: None. | 11.2, 11.1 | ASOC-51011 |
| Live Services | Title: The status of the STIX feed progress bar is Incomplete Problem: Sometimes, the status of the progress bar for some of the STIX feeds are Incomplete even if the feeds are successfully pushed to the Decoder(s). Workaround: None | 11.2, 11.1 | ASOC-40642 |
| Respond | Title: When all alerts are deleted for an alert rule, the filter for the rule is not properly removed Problem: In the Alerts List view (Respond > Alerts), you can filter alerts by Alert Name and then delete all of the alerts that have that name. If you do not remove the alert name filter after deleting the alerts, the next time the Alerts List view loads, the filter will still be in place, but it will no longer be visible as a checkbox in the Filters panel because all alerts with that name have been deleted. You will continue to see zero results when visiting the Alerts List view. Workaround: Before you refresh or reload the Alerts List view, you can remove the filter by clearing the checkbox by the alert name. If you already refreshed or reloaded the Alerts List view, the only way to remove the hidden filter is to press the Reset Filters button, which removes all filters, including the hidden alert name filter. | 11.2 | ASOC-59243 |
| Respond | Title: Duplicate Alerts in Respond are observed from certain sources like Reporting Engine Problem: Obsolete federated exchanges can cause duplicate alerts in Respond. Workaround: Follow these steps to delete obsolete federated exchanges that would cause duplicate alerts in Respond:
| 11.1.0.1 | ASOC-50994 |
| Respond | Title: Endpoint Incidents are not being created Problem: Endpoint events with a source IP are working fine, but Endpoint events with a detector IP are not being aggregated by the Endpoint incident rule and do not create incidents. In RSA NetWitness Platform 11.1, the GroupBy field of the “High Risk Alerts: NetWitness Endpoint” incident rule was changed from “Risk Score” to “Source IP Address.” Workaround: For upgrades from 10.6.x to 11.1:
For fresh installs:
| 11.1 | ASOC-51480 |
| Respond | Title: ESA Command and Control Aggregate Scores details are not populated in the RSA Archer user interface. Problem: When ESA Command and Control Aggregate Scores details are forwarded from RSA NetWitness Platform to the RSA Archer user interface, fields such as Beaconing Behavior, Rare Domains, Rare User Agents, Missing Referrers, and Suspicious Domains Aggregate Score do not get populated. Workaround: None | 11.1 | ASOC-50183 |
| Respond | Title: Overlapping Relationship Data in the Nodal Graph for Certain Data Problem: In the Respond Incident Details view nodal graph, when there are multiple relationships within an incident, the text can overlap on the arrows between the nodes, which is difficult to read. This issue appears in an incident when the source IP of the alert is also the destination IP of another alert and the destination IP of the first alert is the source IP of the second. Workaround: None | 11.1 | ASOC-48034 |
| Respond | Title: Related Links URL created for Malware Events is invalid Problem: In the Respond Alert Details and Incident Details views, the URL link for a Malware Analysis alert is invalid. To view the URL link in the Alert Details view, go to RESPOND > Alerts and in the Alerts list, click the link in the NAME column for a Malware Analysis alert. In the Event Details, you can see the URL for the Malware Analysis alert. To view the URL link in the Incident Details view, go to RESPOND > Incidents and in the Incidents list, click the link in the ID or NAME column for a Malware Analysis incident. In the Incident Details view, click the View Datasheet icon ( Workaround: None | 11.1 | ASOC-48392 |
| UEBA | Title: When the proxy is configured, and NetWitness Platform is updated to 11.2, the license details do not get refreshed automatically. Problem: When the proxy is configured, and NetWitness Platform is updated to 11.2, the license details do not get refreshed automatically or even after clicking the Refresh button in the License Details view. This is because the communication to the license server is not established. Workaround: The administrator has to manually download the license details using the offline mode and upload latest license details through the RSA NetWitness Platform UI. For more information, see the Licensing Management Guide for RSA NetWitness Platform. | 11.2 | ASOC-60042, ASOC-52366 |
| Upgrade | Title: On upgrade to NetWitness Platform 11.2, license details are not retained on AWS cloud Problem: When you upgrade from Security Analytics 10.6.6 to RSA NetWitness Platform 11.2, the license server ID is not retained. Admin server is thus unable to obtain the license server details from the external back-end system, due to which the services cannot be licensed. Workaround: Follow the steps provided in “Access Download Central” and “Register the Server (Online)” topics in the Licensing Management Guide for RSA NetWitness Platform to obtain the license details from the external back-end system and register the new license server ID. | 11.2 | ASOC-61614 |
| Upgrade | Title: STIX recurring feed fails on upgrade from 10.6.6 to 11.2 Problem: When you upgrade Security Analytics 10.6.6 to RSA NetWitness Platform 11.2, the STIX Recurring feed you created using HTTPS URL fails to work. This is because, in 10.6.x, by default, all the certificates are trusted. However, this is not the case in 11.2. In 11.2, the Trust All certificates option is provided and is disabled by default. Workaround: Navigate to Configure > Custom Feeds and edit the failed feed. Either enable the Trust all option, or upload a valid SSL certificate to resolve the issue. In case of any further queries, contact the RSA Customer Support. | 11.2 | ASOC-61227 |
| Upgrade | Title: After upgrading to 11.1, there is Concentrator Initialization error if you have 'stransaddr' and 'dtransaddr' enabled on the Log Decoder and you have the same fields indexed on the Concentrator. Problem: This error occurs when you have customized meta keys on your Log Decoder and Concentrator. Workaround: If you have 'stransaddr' and 'dtransaddr' enabled on the Log Decoder and you have the same fields indexed on the Concentrator, then you must change data type of these fields to IPv4 on both the Log Decoder and Concentrator. | 11.1 | ASOC-50702 |
| Upgrade | Problem: After upgrading 11.0.0.x to 11.1.0.0, the integration-server service is missing on the user interface. Workaround: None | 11.1 | ASOC-50835 |
| Upgrade | Title: After upgrading from 10.6.x.x to 11.1.0.0 or 11.2.0.0, offline licenses are not retained. Problem: Even if you upload a new response bin file from Download Central, offline licenses still do not work. Though old files are restored in /var/lib/fneserver, the licenses still remain deactivated. Workaround: Perform the following steps to restore the licenses:
| 11.2, 11.1 | ASOC-41757 |
| Upgrade | Title: After you upgrade to 11.1.0.0 or 11.2.0.0, the logstash files are not updated in the logstash output configuration file Problem: When you upgrade from 10.6.x.x to 11.1.0.0 or 11.2.0.0, logstash files are not updated in the logstash output configuration file. This happens when you have a global audit setup. Workaround: If global auditing is configured, you need to edit one of the syslog entries in the Global Notifications servers and click Save to apply the latest Audit log configuration. | 11.2, 11.1 | ASOC-49843 |
| Upgrade | Title: Notification Settings do not migrate from 10.6.x to 11.1 Problem: The Incident Management notification settings in RSA NetWitness Platform 10.6.5.x are different from the Respond notification settings available in 11.1, so your existing 10.6.5.x settings will not migrate to 11.1. Workaround: Manually update the Respond Notification Settings in 11.1. To do this, go to CONFIGURE > Respond Notifications and set the notification settings. You must add the list of SOC Manager email addresses. See the “Configure Respond Email Notification Settings” procedure in the NetWitness Respond Configuration Guide for RSA NetWitness Platform. Notification Servers from previous releases will not display in the Email Server drop-down list. The email servers settings must be edited and saved in the Global Notification Servers (ADMIN > System > Global Notifications > Server tab). Custom Incident Management notification templates cannot be migrated to 11.1. No custom templates are supported in 11.1. To access these settings, you need additional permissions. See “Respond Notification Settings Permissions” in the NetWitness Respond Configuration Guide for RSA NetWitness Platform. For detailed information about user permissions, see the System Security and User Management Guide for RSA NetWitness Platform. | 11.1 | ASOC-49390 |
| Upgrade | Title: Unable to select Domain for Suspected C&C and Domain in the rule builder Problem: When adding a condition to an Incident Rule, there is no option to select Domain for Suspected C&C from the match conditions drop-down list. Also, after upgrade to 11.1, for some incident rules, the Domain and Domain for Suspected C&C fields are blank. Workaround: Use Domain in the Match Conditions drop-down list for both Domain and Domain for Suspected C&C. Pre-upgrade, make note of the rules that contain the Domain and Domain for Suspected C&C match conditions including the operators and values. After upgrade, manually add the conditions to 11.1 using only Domain in the Match Conditions.
| 11.1 | ASOC-46834 |
| Upgrade | Title: Aggregation Stops after Reconnection to Mongo Problem: After configuring the Mongo database and rebooting the ESA server, incidents are not being created. The ESA primary server acts the database host for NetWitness Respond application data. The NetWitness Server acts as the database host for NetWitness Respond control data. After the application database is configured on the ESA server and restarted, you must also restart the Respond service on the NetWitness Server. Workaround: After configuring the Mongo database and rebooting the ESA server, restart the respond-server service. From the command line: systemctl restart rsa-nw-respond-server Or from RSA NetWitness Platform: | 11.1 | ASOC-50911 |
| Upgrade | Title: On upgrade from 11.1 to 11.2, if you have been using the Entropy Parser and indexing payload, you must add the bucket flag to the index file so that the Entropy Parser can use index buckets. Problem: When you upgrade to RSA NetWitness Platform 11.2, if you have been using the Entropy Parser on the Decoder (packets only) and are indexing payload, you must add the bucket flag to your index file to take advantage of the new index buckets feature. Workaround: Add bucket flag to index file so Entropy Parser can use index buckets, as follows:
| 11.2, 11.1 | ASOC-45721 |
| Upgrade | Title: FIPS is disabled by default for the Log Collector Service Problem: FIPS is disabled by default for the Log Collector service, even if FIPS was enabled in 10.6.4. Workaround: To enable FIPS on the Log collector service, perform the following steps:
| 11.2, 11.1 | ASOC-41841 |
| Upgrade | Title: The investigation links are disabled for static charts during 10.6.x.x to 11.1 or 11.2 post-upgrade. Problem: The investigation link is disabled for the static chart (the result of the report is in chart format) which has the datasource as RSA NetWitness Platform-Broker (This service is available by default). Workaround: There are two workarounds for this issue:
| 11.2, 11.1 | ASOC-42136 |
Loading...
