To find out if any known issue is fixed, refer to the Fixed Issues section in the Release Notes for the appropriate release.
|Components||Title, Problem and Workaround||Found In / Exists In||Tracking Number|
Title: Default SSH timeout period
Problem: In 11.3.1, there is a new default, three-minute timeout period for an SSH session (from the Browser or Console). This brief timeout period may be inadequate for your needs.
Workaround: The following procedures are two options for changing this setting.
Disable the SSH Timeout Setting and Default to the Auth Timeout Setting
Remove the Timeout Setting (No Timeout for SSH)
|Upgrade||Title: Linux policy is not updated in the user interface after upgrading agents from 11.2.0 to 11.3.1.|
Problem: In the NetWitness Platform user interface, Agent mode is displayed as INSIGHT after upgrading from 11.2.0 to 11.3.1. After scanning, Agent mode is moving to ADVANCED.
Title: The default CEF and human-readable format audit templates are not updated after upgrading to 11.3.1.
Problem: In 11.3.1, notification templates were updated with additional fields. The updated templates are "Default Audit Human-Readable Format" and "Default Audit CEF Template." If you are using these templates, you must perform the steps below after you update to 11.3.1 to reflect the changes.
Workaround: Delete the default templates, restart the Jetty service, and reconfigure Global Auditing:
|Event Stream Analysis|
Title: Unable to delete an endpoint bundle from an ESA rule deployment
Title: Broker timeline does not render if Concentrator is offline.
|Endpoint Windows Agent||Title: "Unsigned Reserved Name Rule" triggers unexpectedly. |
Problem: This issue can cause a file to be incorrectly reported as unsigned.
Workaround: Disable the "Unsigned Reserved Name Rule".
Title: Syslog server config updates are making entries in config.
Title: UEBA Service displays incorrect version
Problem: After you update NetWitness Platform to 11.2.1, the ADMIN > Hosts view displays an incorrect
Workaround: Update the UEBA service:
Title: Commands issued after pressing the Tab key are not captured in Powershell for Windows 10 version 1809
Problem: In Windows 10 version 1809, when you execute a command in Powershell and press the Tab key, the Powershell console events that are captured contain only the characters entered before pressing Tab. Also, some of the Powershell console events that are captured may contain repeated characters.
Title: In the Event Analysis view, the query console does not replace the information icon with an error icon when a service is offline.
Problem: When a queried service is offline, the information icon in the query console should change to an error icon (red triangle with an exclamation point). The border of the query console border turns red, but the information icon does not change to a error triangle.
Title: Using custom.source, custom.destination, or custom.logdata columns in a column group works in the Events view, but no data for those columns is displayed in the Event Analysis view.
Problem: If the custom columns named above are used in a custom column group created in the Events view, the columns are available in the Events view, but not displayed in the Event Analysis view.
Workaround: View these columns in the Events view.
|11.3.1, 11.3, 11.2, 11.1||ASOC-72012|
Title: When retrieval of events for a query is in progress in the Event Analysis view, events that are already displayed disappear if the query takes more than 5 minutes to finish
Problem: This can happen when querying a large set of data with a query that includes expensive operations. The query is auto-canceled after a 5-minute timeout, and an error message is displayed.
Workaround: To avoid the timeout, change the query parameters to filter a smaller data set and re-execute the query.
Title: Incidents are not flagged when a user manually adds alerts to an existing incident
Problem: Meta values in hover over values are not highlighted when alerts in Respond have manually been added to an incident. While alerts that are automatically or dynamically added to an incident are shown in hover over.
|11.3, 11.2, 11.1|
Title: Matching files are not displayed in the Files tab.
Problem: From the Nodal Graph, when you pivot to Investigate > Hosts or Files tab for analyzing a file, if the file name in the event does not match with the global file name, no result is displayed in the Files tab.
Workaround: You must pivot to Investigate > Hosts or Files using the file hash.
Title: Respond stats reset after update.
Problem: After an update from NetWitness Platform 11.2 to 11.3, Respond statistics are reset in the Incident Rules view (CONFIGURE > Incident Rules). The rule counter for matched alerts and incidents resets to zero and the Last Matched, Matched Alerts, and Incidents columns show only 11.3 values.
Note: This is fixed for updates from 11.3 to 11.3.x, but is still an issue for updates from 11.2.x to 11.3.x.
Title: When there are 100+ events in an alert the scroll bar does not fit in properly.
Problem: The scroll bar is only partially visible when there are over 100 events in the Incident Details view Events List.
Workaround: You can continue scrolling to see all of the information.
|11.3.1, 11.3.x, 11.3||ASOC-71935|
Title: Show proper message for Event Analysis not loading in a mixed-mode environment.
Problem: In a mixed-mode environment, when the Event Analysis does not load from the Respond Incident Details view, customers receive the following message: “An unexpected error has occurred attempting to retrieve this data.” Instead they should receive a message that this is expected behavior. Event Analysis requires all core services to be on NetWitness 11.1 or greater.
Title: Unable to view pre-upgrade live charts results and alerts executed by reporting engine on upgrade to 11.3.
Problem: When upgrading to 11.3, the live charts results and alerts that were executed before the upgrade are not displayed in View > Charts and View > Alerts. For example, if you upgrade to 11.3 on the 21st of February, all the live charts results and alerts that were executed before the 21st February will not be displayed.
Workaround: Run a historical chart or test chart and specify the date range to view the same information for a specific time period.
|11.3.1, 11.3, 11.2.1||ASOC-73052|
Title: Deleting an alert in Respond is not updating the High-Risk User List in Threat Aware Authentication
Problem: Applicable to customers who have enabled Threat Aware Authentication. When Alerts associated with an open incident are deleted from the Alerts view (Respond > Alerts), the email addresses associated with the deleted alerts are not removed automatically from the SecurID’s high-risk users list.
Workaround: None, but you can manually remove the user details from the high-risk users list.
Title: ESA Rules with severity as High or Low are not populated in the RSA Archer UI.
Problem: When ESA alerts with severity High or Low are forwarded to RSA Archer, the Security Alert Priority field is not populated in the RSA Archer UI.
|11.3.1, 11.3, 11.2, 11.1||ARCHER-47101|
Title: Generating and copying the *nwelcfg file does not update the timestamp.
Problem: After installing the Endpoint agent, if the administrator wants to update a new Log Collection configuration with any copy methods or with a third-party endpoint management tool, the config file timestamp remains as that of the Endpoint server time and not the agent time. As a result, if the endpoint agent is on a different timezone from the endpoint server, the timestamp does not get updated properly.
Workaround: After copying the file, run this command on the Endpoint Agent:
|11.3, 11.2, 11.1||ASOC-49847|
|Event Stream Analysis|
Title: For ESA rules that use enrichment sources, the Ignore Case option does not work for first statement
Problem: When creating an ESA rule that uses any enrichment source, if the Ignore Case option is enabled on the first enrichment statement, no results are returned. Note that this issue does not apply to any statements after the first statement (that is, substatements).
Workaround: When creating a new rule, the Ignore Case option is now disabled. For existing rules that have the Ignore Case option enabled for an enrichment statement, the option is still enabled but users will be prompted to disable the option when opening the rule in ESA and then save the updated rule.
|11.3.1, 11.3, 11.2, 11.1||ASOC-49906|
|Event Stream Analysis|
Title: Unable to deploy ESA rule with array meta in Enrichment
Problem: If a user configures an In-Memory table as an Enrichment Source in ESA where a table column has type as string, creates an ESA rule with a whitelist condition, and maps the string list column to a string array event meta key, when the rule is deployed, the rule is disabled as the datatype conversion from String to String is not allowed.
|11.3.1, 11.3, 11.2, 11.1||ASOC-47584|
Title: When a large PCAP is extracted from the Events view, if it times out after 5 minutes, the query time is displayed as 8 hours in the Jobs tray error message.
Problem: When exporting a PCAP with ~100000 sessions from the Events view using Export > Export All PCAP, the download may fail due to the 5-minute packets call timeout. If the call times out, the error message in the Jobs tray incorrectly displays the timeout as 8 hours (28800000 ms).
|Event Source Management|
Title: The Manage Parser Mappings window has an empty Display Name for Log Parsers if the Event Source was created manually
Problem: When you open the Manage Parser Mappings window from the ADMIN > Event Sources > Discovery view, the display name for mapped event sources is empty for event sources that were created manually.
Workaround: Close the mapping window and re-open it.
|11.3.1, 11.3, 11.2||ASOC-53914|
Title: Custom STIX Recurring feed URL field is editable
Problem: Live Feed configuration allows you to edit the STIX Recurring feed URL even after the configuration is successful. Upon editing custom feed, the custom feed creation does not change and uses the previous URL.
Title: Log Decoder service crashes when ESM Discovery auto mapping is enabled.
Problem: Log Decoder service crashes on ipdevice mapping updates from automated ESM discovery functionality on the Admin Server.
Workaround: Disable ESM automated ipdevice mapping updates and entries on Node 0.
Remove the existing automated mapping settings on Log Decoder. The Automated mappings are identified with the entry:
Title: The SSL FIPS Mode checkbox in the Services Config view should be disabled for Brokers, Concentrators, and Archivers, because changing the checkbox value does not turn off FIPS enforcement for the service.
Problem: In 126.96.36.199 the Broker, Concentrator, and Archiver are always FIPS enforced and the administrator does not have the option to toggle between FIPS and Non-FIPS. The administrator can use the SSL FIPS Mode checkbox to toggle FIPS mode on and off on a Log Decoder, Packet Decoder, or Log Collector.
Title: RSA Archer Recurring Feeds failing in SSL mode
Problem: RSA Archer recurring feeds do not work in SSL mode.
Workaround: You must create the RSA Archer recurring feeds in non-SSL mode.
|11.3.1, 11.3, 11.2, 11.1||ARCHER-41524|
Title: Nginx rejects post requests exceeding request size 1 MB
Problem: The Nginx server is upgraded and the default payload size is set to 1 MB. This causes any data post request exceeding 1 MB to fail.
Workaround: Add the following setting to the Nginx configuration file (/etc/nginx/conf.d/nginx.conf) and restart the Nginx server:
Title: After agent update, the agent version is not reflected in the user interface.
Problem: When you update the agent version from 11.1 to 188.8.131.52, the agent version shows 11.1 in the Hosts view.
Workaround: In the Investigate > Hosts view, select the host on which you installed the latest version of the agent, and click Start Scan. The agent version is updated to 184.108.40.206.
Title: Unable to export files list to a CSV file.
Problem: While exporting data to a CSV file, the database query takes a longer time when the database is under a heavy load, and the user interface request times-out.
Workaround: Apply appropriate filters and use at least one indexed field with an Equals operator to reduce the files for export. For more information on Filtering Hosts and Files, see the NetWitness Investigate User Guide for RSA NetWitness Platform.
Title: Unable to generate Agent Packager if the auto uninstall is set in seconds
Problem: In the Auto Uninstall field, if the seconds value is more than 9, for example, 02/12/2018 12:00:10 PM, then click Generate Agent fails to generate the packager.
Workaround: Enter a value below 10 seconds in the Auto Uninstall field.
Title: Sorting on columns should not be case-sensitive
Problem: Sorting on columns in the Hosts and Files view is case-sensitive. It sorts the number first, uppercase, and then the lowercase.
Title: No message is displayed when filtering the values takes more than 60 seconds.
Problem: In the Hosts and Files view, while filtering the values, if it takes more than 60 seconds, the user interface does not display any message or results.
Title: Disable Log Collection in Windows Endpoint Agent is not supported.
Problem: Once an Endpoint Agent is installed with the Windows Log Collection feature enabled, the user is unable to disable Windows log collection.
Workaround: Run the uninstall command provided in the "Uninstall Agents" section in the NetWitness Endpoint Agent Install Guide for RSA NetWitness Platform. Reinstall an agent with Windows Log Collection disabled.
Title: When the Endpoint Agent is configured to use the UDP protocol and the Primary Log Decoder/ Remote Log Collector is not reachable, the secondary Log Decoder or Log Collector is not functional.
Problem: When the Primary Log Decoder/Remote Log Collector is not reachable and the Endpoint agent is configured to use UDP, the Secondary Log Decoder/Remote Log Collector is not used. The logs are not forwarded to the secondary Log Decoder or Log Collector when the primary is down, thus resulting in event loss.
Title: Metered license does not flip back to an in compliance immediately when there are no services attached to that Metered license
Problem: As an example, if there is a Metered license available for a Log Decoder and you have one Log Decoder listed under it, the following conditions may occur:
|Event Source Management|
Title: SMS Service crashes with Out of Memory Error
Problem: On systems with a large number of active event sources, when the system cannot keep up with the processing of log statistics messages, the SMS service can crash with a java.lang.OutOfMemoryError: Java heap space error.
Workaround: If you experience this issue, please contact RSA support for details on how to address the issue.
|Event Source Management|
Title: Suggested mapping does not load when the Event Source is created manually
Problem: For an Event Source that is manually added without entering a value for Log Decoder, when the Manage Parser Mappings dialog is opened, the suggested Parser Mappings may not have a Display Name.
Workaround: Close the Manage Parser Mappings dialog, then reopen it and the Display Name is displayed as shown in the following example.
|Event Stream Analysis|
Title: ESA Rules with custom meta keys do not deploy on the ESA Server
Problem: If you add new custom meta keys in 11.2, ESA rules using those meta keys may not deploy. This happens because the Event Stream Analysis service needs information from the Concentrator.
Workaround: To deploy an ESA Correlation Rule with custom meta, do the following:
|Event Stream Analysis|
Title: ESA CH rules get disabled during upgrade or ESA host reboot
Problem: If the ESA host restarts and Context Hub rules are deployed on ESA, the Context Hub rules may be disabled. This happens as a result of a race condition between the Context hub and Event Stream Analysis services startup order on the ESA host.
Workaround: To resolve this issue, do one of the following:
|Event Stream Analysis|
Title: ESA Rules deployed not listed while creating policy using statistics ESA Rule Memory Usage
Problem: When you deploy new ESA rules in the Health and Wellness page and create a new policy under Event Stream Analytics using the statistic ESA Rule Memory usage, all ESA rules deployed are not listed.
Workaround: Run the following restart command on NetWitness Server:
|Event Stream Analysis|
Title: ESA rule with meta entity does not get triggered
Problem: When meta entities are configured for use in the Investigate interface, they are not available for use in the ESA Correlation Rule Builder. Customers are not able to build ESA correlation rules using meta entity information, and they must specify the exact pieces of metadata to use in the rules.
|Event Stream Analysis|
Title: Case-sensitive sorting is not working properly in the ESA All Rules grid
Problem: When rule names begin with lower and upper case letters, the sort does not work properly in the Rule Name column of ESA All Rules grid. For example, "Rule 1" is not followed by "rule 2" when you sort by name.
|11.3.1, 11.3, 11.2, 11.1||SAENG-3605|
|Event Stream Analysis|
Title: Cannot set ESA compression level as in other appliances
Problem: Administrators cannot set the compression level in ESA like they can with other appliances, even using the Explorer view
Workaround: Delete the Concentrator source from ESA and add it again so that the compression level changes are reflected:
|Event Stream Analysis|
Title: Deployment fails if the server that hosts an external database goes down
Problem: You configure a database connection to use the database as an enrichment source for a rule. A reference to the data base is deployed on every ESA, even if the ESA does not deploy any rules that use the database. If the server that hosts the database goes down, any new deployment will fail.
Workaround: Restart the server that hosts the database.
|General Application Issues|
Title: The System Logs Off Idle Users in Respond and Some Investigate Views
Problem: In the Respond view and some Investigate views (Event Analysis, Hosts, and Files), if a user is not actively querying data, the system logs off the user after the Idle Period is reached. The default Idle Period is 600 seconds (10 minutes). This can cause the work of an Analyst to be interrupted.
Workaround: If this becomes an issue with the Analysts, in the global security settings (ADMIN > Security), consider increasing the values of the Session Timeout and the Idle Period.
Title: Users who have not been assigned investigate-server* permission do not get the proper error message explaining why they do not have access to the Event Analysis view
Problem: If the administrator has not assigned investigate-server* permission for a user, the user should see the permission denied error when attempting to view a session in the Event Analysis view. Instead, the internal server error is returned.
Title: In the Event Analysis view, log and network events are not interleaved
Problem: Network and log events are interleaved and sorted in time order in the Events view, but in the Event Analysis view, events are sorted differently. In the Event Analysis view, the events are not interleaved as they should be; instead all log events sorted in time order are displayed before all network events sorted in time order.
Workaround: Use the Events view to see interleaved network and log events.
Title: Imported Investigate profiles are not displayed in the Profiles drop-down menu
Problem: When you import Profiles to the Navigate view or the Events view using the Manage Profiles dialog, the newly imported profiles are not added to the Profiles drop-down menu.
Workaround: Refresh the browser window to see the recently added profiles.
Title: Unable to export logs from Events View for Log Decoder.
Problem: After you update the Admin Server to 11.1, and you export the logs for the Log Decoder, the exported file is empty even though the logs are available in the Log Decoder.
Note: The below mentioned workaround is not required if you do not have a specific reason to export logs from Log Decoder. You can continue to investigate and export logs from Log Decoder through Concentrator by applying the filters did= <decode_id>.
Workaround: You must index the medium meta if you want to export logs for the Log Decoder. The following steps indexes the new events and you can export these events.
Title: If the URL for a drill point is very long and you use the query in the Event Analysis view, an error (414 Request error) is returned
Problem: Several situations create a very long query that the browser cannot handle, especially if you are using Internet Explorer, which has a much lower character limit than most browsers. Pivoting to Event Analysis from Reporting can result in a very long query, and a number of pivots in the Navigate view can create a very long query.
Workaround: Continue to work in the Navigate view or Events view when the URL becomes too long to render in the Event Analysis view.
Title: Attempting a direct query, or a query by using a link that uses an IPV6 meta value with unsupported special characters generates an error in the Event Analysis view and the Navigate view
Problem: Literal ipv6 addresses with a percent (%) sign and also UNC Path Names such as 2001-db8-85a3-8d3-1319-8a2e-370-7348.ipv6-literal.net are not supported. The error in the Event Analysis view is Internal Server Error. The Navigate page shows a syntax error.
Title: If you got to Event Analysis by way of the Events view, either by clicking the Event Analysis link or by right-clicking one of the events, the right-click options on meta values do not work
Problem: If you clicked Event Analysis in the Detail View of the Events view, the Event Analysis view opens as usual. However, the right-click options on a meta value in the Event Meta panel do not work
Workaround: If you go through Navigate > Event Analysis, or if you go through Events and a reconstruction of an event, the right-click options function in Event Analysis.
Title: Cannot add meta entities to a custom column group in the Events view with the Optimize Investigation Page Loads option disabled
Problem: Meta keys belonging to meta entities are not displayed in custom column groups. This issue is seen in the Events view when you disable Optimize Investigate Page Loads in the Events view settings and then refresh the page.
Workaround: If you want to use meta entities in a custom column group, ensure that the Optimize Investigation Page Loads option is enabled
Title: Custom column groups that contain meta entities can be created in the Events view, but when the custom column group is used in the Event Analysis view, you cannot see the meta keys included in the meta entity in the results.
Problem: Custom column groups are not displaying meta keys that belong to meta entities. This issue is seen in the Events list in the Event Analysis view.
Workaround: Use a column group that does not contain meta entities. However, meta entities can still be queried and used in the query builder.
Title: The query builder in the Event Analysis view is unresponsive for filters that contain a space.
Problem: When adding a filter, if you add an extra space before <meta key>, between <meta key> and <operator>, and after <operator>, the query builder becomes unresponsive and the Query Events button is disabled so that you cannot continue adding filters.
Workaround: Click on an existing filter, and then click the query builder. If that does not work, refresh the page.
Title: When investigating in the Event Analysis view, the following error message is returned: “An Unexpected error has occurred.”
Problem: This error is displayed when the session you are attempting to access has been removed, rolled out, or you have insufficient permission to view the session.
Title: Issue with Interaction between Expand and Contract Icons in Investigate Event Analysis.
Problem: When you contract the left panel in the Event Analysis view, the right panel expands, but the expand/contract icon on right panel does not change to the contract icon. To contract the right panel using the expand/contract icon on the right panel you have to press it twice. The behavior should be that when you contract the left panel and the right panel expands, the expand/contract icon for right panel switches to contract or expand as appropriate. There is a similar issue with the Show/Hide Events panel icon. If the Event panel is contracted and you click on the Show/Hide Events Panel icon, the left panel disappears and the right panel expands. The expand/contract icon on the right (and now only) panel remains in expanded form. When you click on the expand icon in this configuration, the left panel reappears and the right panel effectively contracts. The behavior should be: after you hide the left panel, the expand/contract icon on the right panel should take its contract form.
Workaround: When the expand/contract icon in the right panel or the Show/Hide Events panel icon in the toolbar has not changed to the correct state, click the icon twice.
Title: Three new meta groups for 11.1 and the same column groups for 11.2 are not created when you upgrade from 10.6.x.x to 11.x: RSA Endpoint Analysis, RSA Outbound HTTP, RSA Outbound SSL/TLS.
Problem: When you upgrade from 10.6.x.x to 11.x, three out-of-the-box meta groups (RSA Endpoint Analysis, RSA Outbound HTTP, and RSA Outbound SSL/TLS) are not created due to a conflict with a column group added in Version 11.1. Also, three out-of-the-box column groups (RSA Endpoint Analysis, RSA Outbound HTTP, and RSA Outbound SSL/TLS) are not created. These meta groups should appear in the Manage Meta Groups dialog and the Manage Column Groups dialog.
Title: The status of the STIX feed progress bar is Incomplete
Problem: Sometimes, the status of the progress bar for some of the STIX feeds are Incomplete even if the feeds are successfully pushed to the Decoder(s).
Title: When all alerts are deleted for an alert rule, the filter for the rule is not properly removed
Problem: In the Alerts List view (Respond > Alerts), you can filter alerts by Alert Name and then delete all of the alerts that have that name. If you do not remove the alert name filter after deleting the alerts, the next time the Alerts List view loads, the filter will still be in place, but it will no longer be visible as a checkbox in the Filters panel because all alerts with that name have been deleted. You will continue to see zero results when visiting the Alerts List view.
Workaround: Before you refresh or reload the Alerts List view, you can remove the filter by clearing the checkbox by the alert name. If you already refreshed or reloaded the Alerts List view, the only way to remove the hidden filter is to press the Reset Filters button, which removes all filters, including the hidden alert name filter.
Title: Duplicate Alerts in Respond are observed from certain sources like Reporting Engine
Problem: Obsolete federated exchanges can cause duplicate alerts in Respond.
Workaround: Follow these steps to delete obsolete federated exchanges that would cause duplicate alerts in Respond:
Title: Endpoint Incidents are not being created
Problem: Endpoint events with a source IP are working fine, but Endpoint events with a detector IP are not being aggregated by the Endpoint incident rule and do not create incidents. In RSA NetWitness Platform 11.1, the GroupBy field of the “High Risk Alerts: NetWitness Endpoint” incident rule was changed from “Risk Score” to “Source IP Address.”
Workaround: For upgrades from 10.6.x to 11.1:
For fresh installs:
Title: ESA Command and Control Aggregate Scores details are not populated in the RSA Archer user interface.
Problem: When ESA Command and Control Aggregate Scores details are forwarded from RSA NetWitness Platform to the RSA Archer user interface, fields such as Beaconing Behavior, Rare Domains, Rare User Agents, Missing Referrers, and Suspicious Domains Aggregate Score do not get populated.
Title: Overlapping Relationship Data in the Nodal Graph for Certain Data
Problem: In the Respond Incident Details view nodal graph, when there are multiple relationships within an incident, the text can overlap on the arrows between the nodes, which is difficult to read. This issue appears in an incident when the source IP of the alert is also the destination IP of another alert and the destination IP of the first alert is the source IP of the second.
Title: Related Links URL created for Malware Events is invalid
Problem: In the Respond Alert Details and Incident Details views, the URL link for a Malware Analysis alert is invalid. To view the URL link in the Alert Details view, go to RESPOND > Alerts and in the Alerts list, click the link in the NAME column for a Malware Analysis alert. In the Event Details, you can see the URL for the Malware Analysis alert.
To view the URL link in the Incident Details view, go to RESPOND > Incidents and in the Incidents list, click the link in the ID or NAME column for a Malware Analysis incident. In the Incident Details view, click the View Datasheet icon () to view the event details. If there are multiple events listed, click an event to view the event details. In the Event Details, you can see the URL for the Malware Analysis alert.
Title: When the proxy is configured, and NetWitness Platform is updated to 11.2, the license details do not get refreshed automatically.
Problem: When the proxy is configured, and NetWitness Platform is updated to 11.2, the license details do not get refreshed automatically or even after clicking the Refresh button in the License Details view. This is because the communication to the license server is not established.
Workaround: The administrator has to manually download the license details using the offline mode and upload latest license details through the RSA NetWitness Platform UI. For more information, see the Licensing Management Guide for RSA NetWitness Platform.
Title: On upgrade to NetWitness Platform 11.2, license details are not retained on AWS cloud
Problem: When you upgrade from Security Analytics 10.6.6 to RSA NetWitness Platform 11.2, the license server ID is not retained. Admin server is thus unable to obtain the license server details from the external back-end system, due to which the services cannot be licensed.
Workaround: Follow the steps provided in “Access Download Central” and “Register the Server (Online)” topics in the Licensing Management Guide for RSA NetWitness Platform to obtain the license details from the external back-end system and register the new license server ID.
Title: STIX recurring feed fails on upgrade from 10.6.6 to 11.2
Problem: When you upgrade Security Analytics 10.6.6 to RSA NetWitness Platform 11.2, the STIX Recurring feed you created using HTTPS URL fails to work. This is because, in 10.6.x, by default, all the certificates are trusted. However, this is not the case in 11.2. In 11.2, the Trust All certificates option is provided and is disabled by default.
Workaround: Navigate to Configure > Custom Feeds and edit the failed feed. Either enable the Trust all option, or upload a valid SSL certificate to resolve the issue. In case of any further queries, contact the RSA Customer Support.
Title: After upgrading to 11.1, there is Concentrator Initialization error if you have 'stransaddr' and 'dtransaddr' enabled on the Log Decoder and you have the same fields indexed on the Concentrator.
Problem: This error occurs when you have customized meta keys on your Log Decoder and Concentrator.
Workaround: If you have 'stransaddr' and 'dtransaddr' enabled on the Log Decoder and you have the same fields indexed on the Concentrator, then you must change data type of these fields to IPv4 on both the Log Decoder and Concentrator.
Problem: After upgrading 11.0.0.x to 220.127.116.11, the integration-server service is missing on the user interface.
Title: After upgrading from 10.6.x.x to 18.104.22.168 or 22.214.171.124, offline licenses are not retained.
Problem: Even if you upload a new response bin file from Download Central, offline licenses still do not work. Though old files are restored in /var/lib/fneserver, the licenses still remain deactivated.
Workaround: Perform the following steps to restore the licenses:
Title: After you upgrade to 126.96.36.199 or 188.8.131.52, the logstash files are not updated in the logstash output configuration file
Problem: When you upgrade from 10.6.x.x to 184.108.40.206 or 220.127.116.11, logstash files are not updated in the logstash output configuration file. This happens when you have a global audit setup.
Workaround: If global auditing is configured, you need to edit one of the syslog entries in the Global Notifications servers and click Save to apply the latest Audit log configuration.
Title: Notification Settings do not migrate from 10.6.x to 11.1
Problem: The Incident Management notification settings in RSA NetWitness Platform 10.6.5.x are different from the Respond notification settings available in 11.1, so your existing 10.6.5.x settings will not migrate to 11.1.
Workaround: Manually update the Respond Notification Settings in 11.1. To do this, go to CONFIGURE > Respond Notifications and set the notification settings. You must add the list of SOC Manager email addresses. See the “Configure Respond Email Notification Settings” procedure in the NetWitness Respond Configuration Guide for RSA NetWitness Platform. Notification Servers from previous releases will not display in the Email Server drop-down list. The email servers settings must be edited and saved in the Global Notification Servers (ADMIN > System > Global Notifications > Server tab). Custom Incident Management notification templates cannot be migrated to 11.1. No custom templates are supported in 11.1. To access these settings, you need additional permissions. See “Respond Notification Settings Permissions” in the NetWitness Respond Configuration Guide for RSA NetWitness Platform. For detailed information about user permissions, see the System Security and User Management Guide for RSA NetWitness Platform.
Title: Unable to select Domain for Suspected C&C and Domain in the rule builder
Problem: When adding a condition to an Incident Rule, there is no option to select Domain for Suspected C&C from the match conditions drop-down list. Also, after upgrade to 11.1, for some incident rules, the Domain and Domain for Suspected C&C fields are blank.
Workaround: Use Domain in the Match Conditions drop-down list for both Domain and Domain for Suspected C&C. Pre-upgrade, make note of the rules that contain the Domain and Domain for Suspected C&C match conditions including the operators and values. After upgrade, manually add the conditions to 11.1 using only Domain in the Match Conditions.
Title: Aggregation Stops after Reconnection to Mongo
Problem: After configuring the Mongo database and rebooting the ESA server, incidents are not being created. The ESA primary server acts the database host for NetWitness Respond application data. The NetWitness Server acts as the database host for NetWitness Respond control data. After the application database is configured on the ESA server and restarted, you must also restart the Respond service on the NetWitness Server.
Workaround: After configuring the Mongo database and rebooting the ESA server, restart the respond-server service.
From the command line:
systemctl restart rsa-nw-respond-server
Title: On upgrade from 11.1 to 11.2, if you have been using the Entropy Parser and indexing payload, you must add the bucket flag to the index file so that the Entropy Parser can use index buckets.
Problem: When you upgrade to RSA NetWitness Platform 11.2, if you have been using the Entropy Parser on the Decoder (packets only) and are indexing payload, you must add the bucket flag to your index file to take advantage of the new index buckets feature.
Workaround: Add bucket flag to index file so Entropy Parser can use index buckets, as follows:
Title: FIPS is disabled by default for the Log Collector Service
Problem: FIPS is disabled by default for the Log Collector service, even if FIPS was enabled in 10.6.4.
Workaround: To enable FIPS on the Log collector service, perform the following steps:
Title: The investigation links are disabled for static charts during 10.6.x.x to 11.1 or 11.2 post-upgrade.
Problem: The investigation link is disabled for the static chart (the result of the report is in chart format) which has the datasource as RSA NetWitness Platform-Broker (This service is available by default).
Workaround: There are two workarounds for this issue: