RSA NetWitness Platform Known Issues

Document created by RSA Link Admin Employee on Feb 27, 2019. Last modified by RSA Product Team on Jan 13, 2020.
Version 166

To find out if any known issue is fixed, refer to the Fixed Issues section in the Release Notes for the appropriate release.




Components | Title, Problem and Workaround | Found In / Exists In | Tracking Number

Title: Updating "Effective Date" daily causes scan schedules to restart.

Problem: The default EDR policy does not specify an effective date. If a policy for an agent does not specify the effective date, then the current date is used instead. This causes the group policy document to be updated every day with the new effective date. Any agent using the default effective date setting then receives an updated policy every day, which restarts its scan schedule every day, so the agent scans every day regardless of what the actual policy is.

Workaround: Edit the default EDR policy and add an effective date.




Title: Cannot orchestrate an additional component host running on with NW Server host upgraded with

Problem: If you are upgrading your hosts from 11.0, 11.1, or 11.2 directly to, and you want to add a new host after the NW Server Host has been upgraded, the new host cannot be orchestrated.
Workaround: Refer to the Knowledge Base article located here:



Event Stream Analysis

Title: Aggregation stops on some Concentrators because of too many open files.

Problem: Occasionally, ESA Correlation will encounter an error when aggregating from a Concentrator resulting in a connection leak. Over time, this may result in the 'too many open files' error which will stop aggregation.

Workaround: You must restart the ESA Correlation service from the NetWitness Platform user interface.

  1. Log on to NetWitness Platform as Admin.
  2. Go to ADMIN > Services.
  3. Select the ESA Correlation service and then select the Actions icon > Restart.


Core Services

Title: Log Collector event processor does not get started after Log Decoder appliance reboot.
Problem: When you reboot the Log Decoder appliance, the Log Collector event processor does not start.
Workaround: To resolve this issue, do the following:

  1. Go to ADMIN > Services.
  2. Select a Log Collection service.
  3. Select the Actions icon > View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Destinations tab.
  5. Select Log Decoder and click the Start icon.

ASOC-83767

Event Stream Analysis

Title: Cannot Access Custom Esper Java Libraries
Problem: In NetWitness Platform version 11.3.x, it is slightly more difficult to enable custom Esper Java libraries for those customers who have built their own EPL extensions in Java. For those customers, upgrading to 11.3.x can create an issue with their alerts that previously used their custom EPL extensions. Without the extended rules (Esper + Java Libraries), customers do not have full visibility of some pattern detection which increases noise for their Analysts, decreasing their productivity.
Workaround: See Knowledge Base article “000038138 - Cannot Access Custom Esper Java Libraries for RSA NetWitness Platform's Event Stream Analysis” at



Event Stream Analysis

Title: Unable to add data source for a custom user.
Problem: A custom user role with ESA permissions, which is migrated to NetWitness Platform 11.3 from version 11.2 or earlier, cannot add data sources to an ESA rule deployment. The “Manage ATD Settings” permission is required in 11.3 and later. The Administrator, SOC Manager, and DPO roles have the required permissions to deploy rules to run on ESA.
The “Manage ATD Settings” permission is confusing since it is shared with ESA Analytics. Both ESA Analytics and ESA Correlation require the “Manage ATD Settings” permission. In ESA Analytics, this permission enables the user to modify the ATD (Automated Threat Detection) settings. In ESA Correlation, this permission enables the user to add or view data sources for ESA rule deployments.

Workaround: Add the “Manage ATD Settings” permission on the Administration tab to the custom ESA user role to enable the users with that role to add or view data sources in ESA rule deployments.

To update a custom role with the Manage ATD Settings permission:

  1. Go to ADMIN > Security > Roles tab, select the custom role, and click 
  2. In the Permissions section, click the Administration tab.
  3. Select the Manage ATD Settings permission and click Save.



Event Stream Analysis

Title: Sample Enrichment ESA rules are being disabled on due to src_ip meta key error

Problem: In, the migrated Whitelist and Blacklist SAMPLE ESA rules use the src_ip meta key, which is invalid for 

Note: This issue is fixed in NetWitness Platform

Workaround: Edit the Whitelist and Blacklist SAMPLE rules to use ip_src:

  1. Go to CONFIGURE > ESA Rules > Rules tab.
  2. Double-click the “SAMPLE - Blacklist -From inside countries that are not the US, Non SMTP Traffic on TCP Port 25 Containing Executable” rule to edit it.
    1. In the Conditions section, select the “Non SMTP Traffic on TCP Port 25 Containing Executable” statement and click  to edit the statement.
    2. In the Build a Statement dialog, change the ipv4 key value from src_ip to ip_src and click Save.
    3. In the Enrichments section, for GeoIP output, change the ESA Event Stream Meta value from src_ip to ip_src.
    4. Click Save to save the rule.
  3. Double-click the “SAMPLE - Whitelist -From outside of Germany, P2P Software as Detected by an Intrusion Detection Device” rule to edit it.
    1. In the Enrichments section, for GeoIP output, change the ESA Event Stream Meta value from src_ip to ip_src.
    2. Click Save to save the rule.


Event Stream Analysis

Title: Sometimes the status of an ESA rule deployment is incorrect.

Problem: When you deploy ESA rules, sometimes an error occurs that shows that the rules are disabled in the user interface (CONFIGURE > ESA Rules > Rules tab Deployment panel) when the ESA rule deployment is actually successful. Check the Services tab to see the actual status of the deployment.

Note: This issue is fixed in NetWitness Platform

Workaround: None.




Title: Default SSH timeout period 

Problem: In 11.3.1, there is a new default, three-minute timeout period for an SSH session (from the Browser or Console).  This brief timeout period may be inadequate for your needs.

Workaround: The following procedures are two options for changing this setting.

Disable the SSH Timeout Setting and Default to the Auth Timeout Setting
If you disable the SSH timeout setting, NetWitness Platform uses the auth timeout setting. The default value for the auth timeout setting is 10 minutes.
1. SSH to the NW Server host or use the Console from the NetWitness Platform User Interface.
2. Submit the following command string.
/opt/rsa/saTools/bin/manage-stig-controls --host-all --disable-control-groups 2

Remove the Timeout Setting (No Timeout for SSH)
If you disable both the SSH and Auth timeout settings, SSH sessions will not time out.
1. SSH to the NW Server host or use the Console from the NetWitness Platform User Interface.
2. Submit the following command string.
/opt/rsa/saTools/bin/manage-stig-controls --host-all --disable-control-groups 2,4

Upgrade

Title: Linux policy is not updated in the user interface after upgrading agents from 11.2.0 to 11.3.1.
Problem: In the NetWitness Platform user interface, Agent mode is displayed as INSIGHT after upgrading from 11.2.0 to 11.3.1. After scanning, Agent mode changes to ADVANCED.
Workaround: None.

Title: The default CEF and human-readable format audit templates are not updated after upgrading to 11.3.1.

Problem: In 11.3.1, notification templates were updated with additional fields. The updated templates are "Default Audit Human-Readable Format" and "Default Audit CEF Template." If you are using these templates, you must perform the steps below after you update to 11.3.1 to reflect the changes.

Workaround: Delete the default templates, restart the Jetty service, and reconfigure Global Auditing:

  1. Go to ADMIN > System > Notification template. Delete the "Default Audit Human-Readable Format" and "Default Audit CEF Template" templates.
  2. Run systemctl to restart Jetty.
  3. Reconfigure Global Auditing.
Event Stream Analysis

Title: Unable to delete an endpoint bundle from an ESA rule deployment
Problem: When creating an ESA rule deployment, if you add an Endpoint Risk Scoring Rule Bundle and then you decide to remove it from the deployment, you see the following error: Rule of type `Endpoint` is an internal rule and cannot be modified
Likewise, if an ESA rule deployment with an Endpoint Risk Scoring Rule Bundle is deployed, you cannot reuse the deployment by deleting the bundle and adding other ESA rules.
Workaround: Delete the ESA rule deployment containing the Endpoint Risk Scoring Rule Bundle and create a new ESA rule deployment. Do not combine the Endpoint Risk Scoring Rule Bundle with other ESA rules in the same deployment.


Title: Broker timeline does not render if Concentrator is offline.
Problem: The Investigate timeline graph is not displayed when one of the aggregated devices defined in Broker Configuration is offline.
Workaround: None

11.3.1, 11.3 | SACE-11365
Global Notifications

Title: Syslog server config updates are making entries in config.
Problem: Duplicate entries in rsa-audit-server-output.conf log file. If multiple changes in Global Notifications are made in a short time frame, NetWitness Platform appends multiple duplicate entries to the rsa-audit-server-output.conf file.


Workaround:

  1. Delete the duplicate entries from the rsa-audit-server-output.conf file.
  2. Go to ADMIN > System > Global Notifications.
  3. Select a notification server and click the Edit icon.
  4. Click Save.
    It takes about five minutes for the workaround to take effect.
11.3.1, 11.3 | ASOC-59607

Title: UEBA Service displays incorrect version

Problem: After you update NetWitness Platform to 11.2.1, the ADMIN > Hosts view displays an incorrect UEBA version.

Workaround: Update the UEBA service:

  1. Go to ADMIN > Hosts.

  2. Select the UEBA host.

  3. Click Update > Update Host from the toolbar.

  4. Click Begin Update.

11.2.1 | ASOC-69605

Title: Commands issued after pressing the Tab key are not captured in PowerShell for Windows 10 version 1809

Problem: In Windows 10 version 1809, when you execute a command in PowerShell and press the Tab key, the PowerShell console events that are captured contain only the characters entered before pressing Tab. Also, some of the PowerShell console events that are captured may contain repeated characters.

Workaround: None


Title: In the Event Analysis view, the query console does not replace the information icon with an error icon when a service is offline.

Problem: When a queried service is offline, the information icon in the query console should change to an error icon (red triangle with an exclamation point). The border of the query console turns red, but the information icon does not change to an error triangle.

Workaround: None


Title: When retrieval of events for a query is in progress in the Event Analysis view, events that are already displayed disappear if the query takes more than 5 minutes to finish

Problem: This can happen when querying a large set of data with a query that includes expensive operations. The query is auto-canceled after a 5-minute timeout, and an error message is displayed.

Workaround: To avoid the timeout, change the query parameters to filter a smaller data set and re-execute the query.


Title: Incidents are not flagged when a user manually adds alerts to an existing incident

Problem: Meta values in hover-over values are not highlighted when alerts in Respond have been manually added to an incident, whereas alerts that are automatically or dynamically added to an incident are shown in the hover-over.

Workaround: None

11.3, 11.2, 11.1



Title: Matching files are not displayed in the Files tab.

Problem: From the Nodal Graph, when you pivot to Investigate > Hosts or Files tab for analyzing a file, if the file name in the event does not match with the global file name, no result is displayed in the Files tab.

Workaround: You must pivot to Investigate > Hosts or Files using the file hash.

  1. Go to RESPOND > Incidents.
  2. Click the ID (incident ID) associated with the file name.
  3. Click the Events List and search for the file name you want to analyze.
  4. Hover over the file hash and click Pivot to Investigate > Hosts/Files.
11.3.1, 11.3 | ASOC-73173

Title: Respond stats reset after update.

Problem: After an update from NetWitness Platform 11.2 to 11.3, Respond statistics are reset in the Incident Rules view (CONFIGURE > Incident Rules). The rule counter for matched alerts and incidents resets to zero and the Last Matched, Matched Alerts, and Incidents columns show only 11.3 values.

Workaround: None.

Note: This is fixed for updates from 11.3 to 11.3.x, but is still an issue for updates from 11.2.x to 11.3.x.


Title: When there are 100+ events in an alert the scroll bar does not fit in properly.

Problem: The scroll bar is only partially visible when there are over 100 events in the Incident Details view Events List.

Workaround: You can continue scrolling to see all of the information.

11.3.1, 11.3.x, 11.3 | ASOC-71935

Title: Show proper message for Event Analysis not loading in a mixed-mode environment.

Problem: In a mixed-mode environment, when the Event Analysis does not load from the Respond Incident Details view, customers receive the following message: “An unexpected error has occurred attempting to retrieve this data.” Instead they should receive a message that this is expected behavior. Event Analysis requires all core services to be on NetWitness 11.1 or greater.

Workaround: None.

11.3, 11.2 | ASOC-60463

Title: Deleting an alert in Respond is not updating the High-Risk User List in Threat Aware Authentication

Problem: Applicable to customers who have enabled Threat Aware Authentication. When Alerts associated with an open incident are deleted from the Alerts view (Respond > Alerts), the email addresses associated with the deleted alerts are not removed automatically from the SecurID’s high-risk users list.

Workaround: None, but you can manually remove the user details from the high-risk users list.


Title: ESA Rules with severity as High or Low are not populated in the RSA Archer UI.

Problem: When ESA alerts with severity High or Low are forwarded to RSA Archer, the Security Alert Priority field is not populated in the RSA Archer UI.

Workaround: None

11.3.1, 11.3, 11.2, 11.1 | ARCHER-47101

Title: Generating and copying the *nwelcfg file does not update the timestamp.

Problem: After installing the Endpoint agent, if the administrator wants to update a new Log Collection configuration with any copy methods or with a third-party endpoint management tool, the config file timestamp remains as that of the Endpoint server time and not the agent time. As a result, if the endpoint agent is on a different timezone from the endpoint server, the timestamp does not get updated properly.

Workaround: After copying the file, run this command on the Endpoint Agent from the folder %programdata%\NWEAgent\, where the nwelcfg file is located:
copy /b <filename.nwelcfg> +,,

11.3, 11.2, 11.1 | ASOC-49847
Event Stream Analysis

Title: For ESA rules that use enrichment sources, the Ignore Case option does not work for first statement

Problem: When creating an ESA rule that uses any enrichment source, if the Ignore Case option is enabled on the first enrichment statement, no results are returned. Note that this issue does not apply to any statements after the first statement (that is, substatements).

Workaround: When creating a new rule, the Ignore Case option is now disabled. For existing rules that have the Ignore Case option enabled for an enrichment statement, the option is still enabled but users will be prompted to disable the option when opening the rule in ESA and then save the updated rule.

11.3.1, 11.3, 11.2, 11.1 | ASOC-49906

Title: When a large PCAP is extracted from the Events view, if it times out after 5 minutes, the query time is displayed as 8 hours in the Jobs tray error message.

Problem: When exporting a PCAP with ~100000 sessions from the Events view using Export > Export All PCAP, the download may fail due to the 5-minute packets call timeout. If the call times out, the error message in the Jobs tray incorrectly displays the timeout as 8 hours (28800000 ms).

Workaround: None.

11.3, 11.2 | ASOC-60464

Title: Custom STIX Recurring feed URL field is editable

Problem: Live Feed configuration allows you to edit the STIX Recurring feed URL even after the configuration is successful. After you edit the custom feed, the custom feed does not change and continues to use the previous URL.

Workaround: None
Core Services

Title: Log Decoder service crashes when ESM Discovery auto mapping is enabled.

Problem: Log Decoder service crashes on ipdevice mapping updates from automated ESM discovery functionality on the Admin Server.

Workaround: Disable ESM automated ipdevice mapping updates and entries on Node 0.

  1. Log in as root:

    /opt/rsa/sms/bin/automap –off

  2. Check if the feature is disabled using the command:

    /opt/rsa/sms/bin/automap -?

  3. Verify that the automatic mapping is disabled:

Remove the existing automated mapping settings on Log Decoder. The Automated mappings are identified with the entry:


  1. Select the Log Decoder service.
  2. In the Actions column, select View > Explore.
  3. In the node, select decoder/parsers.
  4. Right-click the parser node and click Properties.
  5. Select the ipdevice command from the drop-down list, enter op=describe in Parameters, and click Send.

The list of mappings updated by ESM discovery with the soft=true setting is displayed.


<DeviceEntry ipv4="" device="foo" lastUpdated="1528487466" soft="true"/>
<DeviceEntry ipv4="" lastUpdated="1528489179" soft="true">
<DeviceSubEntry lcid="lcid" device="bar"/>
</DeviceEntry>



In the ipdevice command, enter the parameters op=remove entries="<device ip1>=<device-name1> <device ip2>=<device-name2>" and click Send. This will remove the device mappings.

For Example: op=remove entries=""

Note: If there are soft mappings then you need to remove all the selections in the ipdevice command, enter the parameters op=remove entries=* and click Send. This removes all mappings.
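
The selection step above, as an added example (not RSA's code): a Python helper that reads saved op=describe output, keeps only the soft="true" entries, and builds the op=remove parameter string in the syntax shown. The sample addresses, the extra ciscoasa entry, the function names, and the assumption that the output is a run of well-formed DeviceEntry elements are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of ipdevice op=describe output. Addresses come from the
# documentation range 192.0.2.0/24; real output may be wrapped differently.
SAMPLE_DESCRIBE = """
<DeviceEntry ipv4="192.0.2.10" device="foo" lastUpdated="1528487466" soft="true"/>
<DeviceEntry ipv4="192.0.2.11" device="ciscoasa" lastUpdated="1528487000" soft="false"/>
<DeviceEntry ipv4="192.0.2.12" lastUpdated="1528489179" soft="true">
  <DeviceSubEntry lcid="lcid" device="bar"/>
</DeviceEntry>
"""

# Characters that would break the space-separated, quoted ip=device list.
UNSAFE = set(' \t\r\n"=')


def _is_ipv4(text):
    """True if text is a literal IPv4 address."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def soft_mappings(describe_output):
    """Split soft="true" entries into (removable, needs_review).

    removable    -> [(ip, device)] that fit the ip=device syntax on this page
    needs_review -> [(ip, device, sub_entries)] that do not (empty address,
                    DeviceSubEntry children, or a device name with unsafe
                    characters); these are reported, never guessed at.
    """
    # Assumption: the output is a run of well-formed DeviceEntry elements,
    # so a synthetic root element makes it parseable as one document.
    root = ET.fromstring("<root>" + describe_output + "</root>")
    removable, needs_review = [], []
    for entry in root.iter("DeviceEntry"):
        if entry.get("soft") != "true":
            continue  # not an ESM-discovery mapping: leave it untouched
        ip = entry.get("ipv4", "")
        device = entry.get("device", "")
        subs = [(s.get("lcid"), s.get("device"))
                for s in entry.findall("DeviceSubEntry")]
        simple = (_is_ipv4(ip) and bool(device)
                  and not (UNSAFE & set(device)) and not subs)
        if simple:
            removable.append((ip, device))
        else:
            needs_review.append((ip, device, subs))
    return removable, needs_review


def remove_parameters(removable):
    """Build the Parameters string for the ipdevice command, or None."""
    if not removable:
        return None
    pairs = " ".join(f"{ip}={device}" for ip, device in removable)
    return f'op=remove entries="{pairs}"'


if __name__ == "__main__":
    removable, needs_review = soft_mappings(SAMPLE_DESCRIBE)
    print(remove_parameters(removable))
    for ip, device, subs in needs_review:
        print("review manually:", ip or "<no address>", device, subs)
```

Entries that carry a DeviceSubEntry are only listed for manual review, because the page shows the ip=device removal syntax for plain entries only.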

Core Services

Title: The SSL FIPS Mode checkbox in the Services Config view should be disabled for Brokers, Concentrators, and Archivers, because changing the checkbox value does not turn off FIPS enforcement for the service.

Problem: The Broker, Concentrator, and Archiver are always FIPS enforced, and the administrator does not have the option to toggle between FIPS and Non-FIPS. The administrator can use the SSL FIPS Mode checkbox to toggle FIPS mode on and off on a Log Decoder, Packet Decoder, or Log Collector.

Workaround: None

11.2, 11.1 | ASOC-41902
Custom Feeds

Title: RSA Archer Recurring Feeds failing in SSL mode

Problem: RSA Archer recurring feeds do not work in SSL mode.

Workaround: You must create the RSA Archer recurring feeds in non-SSL mode.

11.3.1, 11.3, 11.2, 11.1 | ARCHER-41524

Title: Nginx rejects post requests exceeding request size 1 MB

Problem: The Nginx server is upgraded and the default payload size is set to 1 MB. This causes any data post request exceeding 1 MB to fail.

Workaround: Add the following setting to the Nginx configuration file (/etc/nginx/conf.d/nginx.conf) and restart the Nginx server:

client_max_body_size 100M;


Title: After agent update, the agent version is not reflected in the user interface.

Problem: When you update the agent version from 11.1 to, the agent version shows 11.1 in the Hosts view.

Workaround: In the Investigate > Hosts view, select the host on which you installed the latest version of the agent, and click Start Scan. The agent version is updated to

Title: Unable to export files list to a CSV file.

Problem: While exporting data to a CSV file, the database query takes longer when the database is under a heavy load, and the user interface request times out.

Workaround: Apply appropriate filters and use at least one indexed field with an Equals operator to reduce the files for export. For more information on Filtering Hosts and Files, see the NetWitness Investigate User Guide for RSA NetWitness Platform.


Title: Unable to generate Agent Packager if the auto uninstall is set in seconds

Problem: In the Auto Uninstall field, if the seconds value is more than 9, for example, 02/12/2018 12:00:10 PM, then clicking Generate Agent fails to generate the packager.

Workaround: Enter a value below 10 seconds in the Auto Uninstall field.


Title: Sorting on columns should not be case-sensitive

Problem: Sorting on columns in the Hosts and Files view is case-sensitive. It sorts numbers first, then uppercase, and then lowercase.

Workaround: None

11.2, 11.1 | ASOC-32595

Title: No message is displayed when filtering the values takes more than 60 seconds.

Problem: In the Hosts and Files view, while filtering the values, if it takes more than 60 seconds, the user interface does not display any message or results.

Workaround: None


Title: Disable Log Collection in Windows Endpoint Agent is not supported.

Problem: Once an Endpoint Agent is installed with the Windows Log Collection feature enabled, the user is unable to disable Windows log collection.

Workaround: Run the uninstall command provided in the "Uninstall Agents" section in the NetWitness Endpoint Agent Install Guide for RSA NetWitness Platform. Reinstall an agent with Windows Log Collection disabled.


Title: When the Endpoint Agent is configured to use the UDP protocol and the Primary Log Decoder/Remote Log Collector is not reachable, the secondary Log Decoder or Log Collector is not functional.

Problem: When the Primary Log Decoder/Remote Log Collector is not reachable and the Endpoint agent is configured to use UDP, the Secondary Log Decoder/Remote Log Collector is not used. The logs are not forwarded to the secondary Log Decoder or Log Collector when the primary is down, thus resulting in event loss.

Workaround: None


Title: Metered license does not flip back to in compliance immediately when there are no services attached to that Metered license

Problem: As an example, if there is a Metered license available for a Log Decoder and you have one Log Decoder listed under it, the following conditions may occur:

  • You are over your entitled usage and marked as out of compliance.
  • You decide to move the Log Decoder into an available service-based license.
  • Your Metered license has no service under it.
  • Your Metered license flips back to an in-compliance state after seven days.

Workaround: None

Event Source Management

Title: SMS Service crashes with Out of Memory Error

Problem: On systems with a large number of active event sources, when the system cannot keep up with the processing of log statistics messages, the SMS service can crash with a java.lang.OutOfMemoryError: Java heap space error.

Workaround: If you experience this issue, please contact RSA support for details on how to address the issue.

Event Source Management

Title: Suggested mapping does not load when the Event Source is created manually

Problem: For an Event Source that is manually added without entering a value for Log Decoder, when the Manage Parser Mappings dialog is opened, the suggested Parser Mappings may not have a Display Name.

Workaround: Close the Manage Parser Mappings dialog, then reopen it and the Display Name is displayed as shown in the following example.

Event Stream Analysis

Title: ESA Rules with custom meta keys do not deploy on the ESA Server

Problem: If you add new custom meta keys in 11.2, ESA rules using those meta keys may not deploy. This happens because the Event Stream Analysis service needs information from the Concentrator.

Workaround: To deploy an ESA Correlation Rule with custom meta, do the following:

  1. Add the non-standard keys to the index-concentrator-custom.xml file (ADMIN > Services > Select a Concentrator and then select Actions > View > Config > Files tab).
  2. Restart the Concentrator (ADMIN > Services > Select a Concentrator and then select Actions > Restart).
  3. Ensure that the Concentrator is configured as a data source for the Event Stream Analysis service (ADMIN > Services > Select the Event Stream Analysis service and then select Actions > View > Config > Data Sources tab).
  4. Restart the Event Stream Analysis service (Actions > Restart).
  5. Ensure that the new meta keys are listed in the Meta Key References (CONFIGURE > ESA Rules > Settings tab > Meta Key References).
  6. Deploy the ESA Rule with custom meta keys.
Event Stream Analysis

Title: ESA CH rules get disabled during upgrade or ESA host reboot

Problem: If the ESA host restarts and Context Hub rules are deployed on ESA, the Context Hub rules may be disabled. This happens as a result of a race condition between the Context hub and Event Stream Analysis services startup order on the ESA host.

Workaround: To resolve this issue, do one of the following:

  • Go to the CONFIGURE > ESA Rules > Services tab and enable the disabled rules that are dependent on Context Hub.
  • Restart the Event Stream Analysis service.
Event Stream Analysis

Title: ESA Rules deployed not listed while creating policy using statistics ESA Rule Memory Usage

Problem: When you deploy new ESA rules in the Health and Wellness page and create a new policy under Event Stream Analytics using the statistic ESA Rule Memory usage, all ESA rules deployed are not listed.

Workaround: Run the following restart command on NetWitness Server:
systemctl restart rsa-sms

Event Stream Analysis

Title: ESA rule with meta entity does not get triggered

Problem: When meta entities are configured for use in the Investigate interface, they are not available for use in the ESA Correlation Rule Builder. Customers are not able to build ESA correlation rules using meta entity information, and they must specify the exact pieces of metadata to use in the rules.

Workaround: None

11.2, 11.1 | ASOC-47522
Event Stream Analysis

Title: Case-sensitive sorting is not working properly in the ESA All Rules grid

Problem: When rule names begin with lower and upper case letters, the sort does not work properly in the Rule Name column of ESA All Rules grid. For example, "Rule 1" is not followed by "rule 2" when you sort by name.

Workaround: None

11.3.1, 11.3, 11.2, 11.1 | SAENG-3605
Event Stream Analysis

Title: Cannot set ESA compression level as in other appliances

Problem: Administrators cannot set the compression level in ESA like they can with other appliances, even using the Explorer view.

Workaround: Delete the Concentrator source from ESA and add it again so that the compression level changes are reflected:

  1. Remove the Concentrator data source from ESA. (Go to ADMIN > Services, select the Event Stream Analysis service, and from the actions menu select View > Config. On the Config view Data Sources tab, remove the Concentrator data source.)
  2. Set compression level in ESA. (Go to the Explore view, and in the node list, navigate to Workflow/Source/nextgenAggregationSource and set the CompressionLevel.)
  3. Add the Concentrator Data Source again to ESA. (Return to the Config view Data Sources tab and add the Concentrator data source.)
11.2, 11.1 | ASOC-26481
Event Stream Analysis

Title: Deployment fails if the server that hosts an external database goes down

Problem: You configure a database connection to use the database as an enrichment source for a rule. A reference to the database is deployed on every ESA, even if the ESA does not deploy any rules that use the database. If the server that hosts the database goes down, any new deployment will fail.

Workaround: Restart the server that hosts the database.

11.2, 11.1 | ASOC-9011
General Application Issues

Title: The System Logs Off Idle Users in Respond and Some Investigate Views

Problem: In the Respond view and some Investigate views (Event Analysis, Hosts, and Files), if a user is not actively querying data, the system logs off the user after the Idle Period is reached. The default Idle Period is 600 seconds (10 minutes). This can cause the work of an Analyst to be interrupted.

Workaround: If this becomes an issue with the Analysts, in the global security settings (ADMIN > Security), consider increasing the values of the Session Timeout and the Idle Period.


Title: Users who have not been assigned investigate-server* permission do not get the proper error message explaining why they do not have access to the Event Analysis view

Problem: If the administrator has not assigned investigate-server* permission for a user, the user should see the permission denied error when attempting to view a session in the Event Analysis view. Instead, the internal server error is returned.

Workaround: None.


Title: In the Event Analysis view, log and network events are not interleaved

Problem: Network and log events are interleaved and sorted in time order in the Events view, but in the Event Analysis view, events are sorted differently. In the Event Analysis view, the events are not interleaved as they should be; instead all log events sorted in time order are displayed before all network events sorted in time order.

Workaround: Use the Events view to see interleaved network and log events.


Title: Imported Investigate profiles are not displayed in the Profiles drop-down menu

Problem: When you import Profiles to the Navigate view or the Events view using the Manage Profiles dialog, the newly imported profiles are not added to the Profiles drop-down menu.

Workaround: Refresh the browser window to see the recently added profiles.


Title: Unable to export logs from Events View for Log Decoder.

Problem: After you update the Admin Server to 11.1, and you export the logs for the Log Decoder, the exported file is empty even though the logs are available in the Log Decoder.

Note: The below mentioned workaround is not required if you do not have a specific reason to export logs from Log Decoder. You can continue to investigate and export logs from Log Decoder through Concentrator by applying the filters did= <decode_id>.

Workaround: You must index the medium meta if you want to export logs for the Log Decoder. The following steps index the new events so that you can export them.

  1. Update the custom index config file index-logdecoder-custom.xml:
    <key description="Medium"
    level="IndexValues" name="medium"
    format="UInt8" valueMax="100"
    <alias format="$alias"
    <alias format="$alias"
    <alias format="$alias"
    <alias format="$alias"
    <alias format="$alias"
    <alias format="$alias"
    <alias format="$alias" value="7">802.11
    <alias format="$alias" value="8">802.11
    <alias format="$alias" value="9">802.11
    <alias format="$alias" value="10">802.11
    <alias format="$alias" value="11">802.11
    <alias format="$alias" value="12">802.11
    <alias format="$alias" value="13">DLT
    <alias format="$alias"
    <alias format="$alias"
    <alias format="$alias"
  2. Restart the Log Decoder. If the Log Decoder is not restarted, you need to wait until the next index-save.


Title: If the URL for a drill point is very long and you use the query in the Event Analysis view, an error (414 Request error) is returned

Problem: Several situations create a very long query that the browser cannot handle, especially if you are using Internet Explorer, which has a much lower character limit than most browsers. Pivoting to Event Analysis from Reporting can result in a very long query, and a number of pivots in the Navigate view can create a very long query.

Workaround: Continue to work in the Navigate view or Events view when the URL becomes too long to render in the Event Analysis view.

Found In / Exists In: 11.2, 11.1
Tracking Number: ASOC-50196

Title: Attempting a direct query, or a query by using a link that uses an IPV6 meta value with unsupported special characters generates an error in the Event Analysis view and the Navigate view

Problem: Literal ipv6 addresses with a percent (%) sign and also UNC Path Names such as are not supported. The error in the Event Analysis view is Internal Server Error. The Navigate page shows a syntax error.

Workaround: None.


Title: If you got to Event Analysis by way of the Events view, either by clicking the Event Analysis link or by right-clicking one of the events, the right-click options on meta values do not work

Problem: If you clicked Event Analysis in the Detail View of the Events view, the Event Analysis view opens as usual. However, the right-click options on a meta value in the Event Meta panel do not work.

Workaround: If you go through Navigate > Event Analysis, or if you go through Events and a reconstruction of an event, the right-click options function in Event Analysis.


Title: Cannot add meta entities to a custom column group in the Events view with the Optimize Investigation Page Loads option disabled

Problem: Meta keys belonging to meta entities are not displayed in custom column groups. This issue is seen in the Events view when you disable Optimize Investigation Page Loads in the Events view settings and then refresh the page.

Workaround: If you want to use meta entities in a custom column group, ensure that the Optimize Investigation Page Loads option is enabled.


Title: Custom column groups that contain meta entities can be created in the Events view, but when the custom column group is used in the Event Analysis view, you cannot see the meta keys included in the meta entity in the results.

Problem: Custom column groups are not displaying meta keys that belong to meta entities. This issue is seen in the Events list in the Event Analysis view.

Workaround: Use a column group that does not contain meta entities. However, meta entities can still be queried and used in the query builder.


Title: The query builder in the Event Analysis view is unresponsive for filters that contain a space.

Problem: When adding a filter, if you add an extra space before <meta key>, between <meta key> and <operator>, and after <operator>, the query builder becomes unresponsive and the Query Events button is disabled so that you cannot continue adding filters.

Workaround: Click on an existing filter, and then click the query builder. If that does not work, refresh the page.

Found In / Exists In: 11.2, 11.1
Tracking Number: ASOC-49427

Title: When investigating in the Event Analysis view, the following error message is returned: “An Unexpected error has occurred.”

Problem: This error is displayed when the session you are attempting to access has been removed, rolled out, or you have insufficient permission to view the session.

Workaround: None.


Title: Issue with Interaction between Expand and Contract Icons in Investigate Event Analysis.

Problem: When you contract the left panel in the Event Analysis view, the right panel expands, but the expand/contract icon on right panel does not change to the contract icon. To contract the right panel using the expand/contract icon on the right panel you have to press it twice. The behavior should be that when you contract the left panel and the right panel expands, the expand/contract icon for right panel switches to contract or expand as appropriate. There is a similar issue with the Show/Hide Events panel icon. If the Event panel is contracted and you click on the Show/Hide Events Panel icon, the left panel disappears and the right panel expands. The expand/contract icon on the right (and now only) panel remains in expanded form. When you click on the expand icon in this configuration, the left panel reappears and the right panel effectively contracts. The behavior should be: after you hide the left panel, the expand/contract icon on the right panel should take its contract form.

Workaround: When the expand/contract icon in the right panel or the Show/Hide Events panel icon in the toolbar has not changed to the correct state, click the icon twice.


Title: Three new meta groups for 11.1 and the same column groups for 11.2 are not created when you upgrade from 10.6.x.x to 11.x: RSA Endpoint Analysis, RSA Outbound HTTP, RSA Outbound SSL/TLS.

Problem: When you upgrade from 10.6.x.x to 11.x, three out-of-the-box meta groups (RSA Endpoint Analysis, RSA Outbound HTTP, and RSA Outbound SSL/TLS) are not created due to a conflict with a column group added in Version 11.1. Also, three out-of-the-box column groups (RSA Endpoint Analysis, RSA Outbound HTTP, and RSA Outbound SSL/TLS) are not created. These meta groups should appear in the Manage Meta Groups dialog and the Manage Column Groups dialog.

Workaround: None.

Found In / Exists In: 11.2, 11.1
Tracking Number: ASOC-51011
Live Services

Title: The status of the STIX feed progress bar is Incomplete

Problem: Sometimes, the status of the progress bar for some of the STIX feeds is Incomplete even if the feeds are successfully pushed to the Decoder(s).

Workaround: None

Found In / Exists In: 11.2, 11.1
Tracking Number: ASOC-40642

Title: When all alerts are deleted for an alert rule, the filter for the rule is not properly removed

Problem: In the Alerts List view (Respond > Alerts), you can filter alerts by Alert Name and then delete all of the alerts that have that name. If you do not remove the alert name filter after deleting the alerts, the next time the Alerts List view loads, the filter will still be in place, but it will no longer be visible as a checkbox in the Filters panel because all alerts with that name have been deleted. You will continue to see zero results when visiting the Alerts List view.

Workaround: Before you refresh or reload the Alerts List view, you can remove the filter by clearing the checkbox by the alert name. If you already refreshed or reloaded the Alerts List view, the only way to remove the hidden filter is to press the Reset Filters button, which removes all filters, including the hidden alert name filter.


Title: Duplicate Alerts in Respond are observed from certain sources like Reporting Engine

Problem: Obsolete federated exchanges can cause duplicate alerts in Respond.

Workaround: Follow these steps to delete obsolete federated exchanges that would cause duplicate alerts in Respond:

  1. Log in to the RabbitMQ cluster at https://<adminServerIP>:15671/ with the following credentials:
    username: deploy_admin
    password: <deployment-password-used-during-NW-Server-host-11.x-setup>
  2. Go to Admin > Federation Upstream.
  3. Select the URI that contains the NW Server host IP address. The Federation Upstream view is displayed.
  4. Make sure the URI is similar to the following value:
    amqps://<adminServerIP>?auth_mechanism=external
  5. Click Delete the Upstream to delete the URI.

Title: Endpoint Incidents are not being created

Problem: Endpoint events with a source IP are working fine, but Endpoint events with a detector IP are not being aggregated by the Endpoint incident rule and do not create incidents. In RSA NetWitness Platform 11.1, the GroupBy field of the “High Risk Alerts: NetWitness Endpoint” incident rule was changed from “Risk Score” to “Source IP Address.”

Workaround: For upgrades from 10.6.x to 11.1:

  1. Go to CONFIGURE > Incident Rules. The Incident Rules List view is displayed.
  2. Click the link in the Name field of the High Risk Alerts: NetWitness Endpoint incident rule to edit it.
  3. Change the GroupBy field value to Risk Score.

For fresh installs:

  1. Go to CONFIGURE > Incident Rules. The Incident Rules List view is displayed.
  2. Click the link in the Name field of the High Risk Alerts: NetWitness Endpoint incident rule to edit it.
  3. Change the GroupBy field value to Risk Score or any other GroupBy field value.

Title: ESA Command and Control Aggregate Scores details are not populated in the RSA Archer user interface.

Problem: When ESA Command and Control Aggregate Scores details are forwarded from RSA NetWitness Platform to the RSA Archer user interface, fields such as Beaconing Behavior, Rare Domains, Rare User Agents, Missing Referrers, and Suspicious Domains Aggregate Score do not get populated.

Workaround: None


Title: Overlapping Relationship Data in the Nodal Graph for Certain Data

Problem: In the Respond Incident Details view nodal graph, when there are multiple relationships within an incident, the text can overlap on the arrows between the nodes, which is difficult to read. This issue appears in an incident when the source IP of the alert is also the destination IP of another alert and the destination IP of the first alert is the source IP of the second.

Workaround: None


Title: Related Links URL created for Malware Events is invalid

Problem: In the Respond Alert Details and Incident Details views, the URL link for a Malware Analysis alert is invalid. To view the URL link in the Alert Details view, go to RESPOND > Alerts and in the Alerts list, click the link in the NAME column for a Malware Analysis alert. In the Event Details, you can see the URL for the Malware Analysis alert.

To view the URL link in the Incident Details view, go to RESPOND > Incidents and in the Incidents list, click the link in the ID or NAME column for a Malware Analysis incident. In the Incident Details view, click the View Datasheet icon to view the event details. If there are multiple events listed, click an event to view the event details. In the Event Details, you can see the URL for the Malware Analysis alert.

Workaround: None


Title: When the proxy is configured, and NetWitness Platform is updated to 11.2, the license details do not get refreshed automatically.

Problem: When the proxy is configured, and NetWitness Platform is updated to 11.2, the license details do not get refreshed automatically or even after clicking the Refresh button in the License Details view. This is because the communication to the license server is not established.

Workaround: The administrator must manually download the license details using the offline mode and upload the latest license details through the RSA NetWitness Platform UI. For more information, see the Licensing Management Guide for RSA NetWitness Platform.





Title: On upgrade to NetWitness Platform 11.2, license details are not retained on AWS cloud

Problem: When you upgrade from Security Analytics 10.6.6 to RSA NetWitness Platform 11.2, the license server ID is not retained. Admin server is thus unable to obtain the license server details from the external back-end system, due to which the services cannot be licensed.

Workaround: Follow the steps provided in “Access Download Central” and “Register the Server (Online)” topics in the Licensing Management Guide for RSA NetWitness Platform to obtain the license details from the external back-end system and register the new license server ID.


Title: STIX recurring feed fails on upgrade from 10.6.6 to 11.2

Problem: When you upgrade Security Analytics 10.6.6 to RSA NetWitness Platform 11.2, the STIX Recurring feed you created using HTTPS URL fails to work. This is because, in 10.6.x, by default, all the certificates are trusted. However, this is not the case in 11.2. In 11.2, the Trust All certificates option is provided and is disabled by default.

Workaround: Navigate to Configure > Custom Feeds and edit the failed feed. Either enable the Trust all option, or upload a valid SSL certificate to resolve the issue. For any further queries, contact RSA Customer Support.


Title: After upgrading to 11.1, there is a Concentrator initialization error if you have 'stransaddr' and 'dtransaddr' enabled on the Log Decoder and you have the same fields indexed on the Concentrator.

Problem: This error occurs when you have customized meta keys on your Log Decoder and Concentrator.

Workaround: If you have 'stransaddr' and 'dtransaddr' enabled on the Log Decoder and you have the same fields indexed on the Concentrator, then you must change the data type of these fields to IPv4 on both the Log Decoder and Concentrator.


Problem: After upgrading 11.0.0.x to, the integration-server service is missing on the user interface.

Workaround: None


Title: After upgrading from 10.6.x.x to or, offline licenses are not retained.

Problem: Even if you upload a new response bin file from Download Central, offline licenses still do not work. Though old files are restored in /var/lib/fneserver, the licenses still remain deactivated.

Workaround: Perform the following steps to restore the licenses:

  1. Generate a new response bin file from Download Central.
  2. Log in to Netwitness Server or (AdminServer).
  3. Move ra* files (3 files) out of /var/lib/fneserver/
  4. Log in to the RSA NetWitness or user interface with Admin user credentials and navigate to Admin > System > Licensing Overview tab.
  5. Under Licensing actions, click Refresh licenses.
  6. Upload the response file received from Download Central under Admin > System > Licensing > Settings Tab > Upload Response.

Found In / Exists In: 11.2, 11.1
Tracking Number: ASOC-41757

Title: After you upgrade to or, the logstash files are not updated in the logstash output configuration file

Problem: When you upgrade from 10.6.x.x to or, logstash files are not updated in the logstash output configuration file. This happens when you have a global audit setup.

Workaround: If global auditing is configured, you need to edit one of the syslog entries in the Global Notifications servers and click Save to apply the latest Audit log configuration.

Found In / Exists In: 11.2, 11.1
Tracking Number: ASOC-49843

Title: Notification Settings do not migrate from 10.6.x to 11.1

Problem: The Incident Management notification settings in RSA NetWitness Platform 10.6.5.x are different from the Respond notification settings available in 11.1, so your existing 10.6.5.x settings will not migrate to 11.1.

Workaround: Manually update the Respond Notification Settings in 11.1. To do this, go to CONFIGURE > Respond Notifications and set the notification settings. You must add the list of SOC Manager email addresses. See the “Configure Respond Email Notification Settings” procedure in the NetWitness Respond Configuration Guide for RSA NetWitness Platform. Notification Servers from previous releases will not display in the Email Server drop-down list. The email server settings must be edited and saved in the Global Notification Servers (ADMIN > System > Global Notifications > Server tab). Custom Incident Management notification templates cannot be migrated to 11.1. No custom templates are supported in 11.1. To access these settings, you need additional permissions. See “Respond Notification Settings Permissions” in the NetWitness Respond Configuration Guide for RSA NetWitness Platform. For detailed information about user permissions, see the System Security and User Management Guide for RSA NetWitness Platform.


Title: Unable to select Domain for Suspected C&C and Domain in the rule builder

Problem: When adding a condition to an Incident Rule, there is no option to select Domain for Suspected C&C from the match conditions drop-down list. Also, after upgrade to 11.1, for some incident rules, the Domain and Domain for Suspected C&C fields are blank.

Workaround: Use Domain in the Match Conditions drop-down list for both Domain and Domain for Suspected C&C. Pre-upgrade, make note of the rules that contain the Domain and Domain for Suspected C&C match conditions including the operators and values. After upgrade, manually add the conditions to 11.1 using only Domain in the Match Conditions.

  1. Go to CONFIGURE > Incident Rules and click the link in the Name column for the rule that you want to update.
  2. In the Match Conditions section, select Domain in the drop-down list (instead of Domain for Suspected C&C) and enter the rest of the condition.
  3. Enter the remaining information for your rule and click Save. For more information about incident rules, see the NetWitness Respond Configuration Guide for RSA NetWitness Platform.



Title: Aggregation Stops after Reconnection to Mongo

Problem: After configuring the Mongo database and rebooting the ESA server, incidents are not being created. The ESA primary server acts as the database host for NetWitness Respond application data. The NetWitness Server acts as the database host for NetWitness Respond control data. After the application database is configured on the ESA server and restarted, you must also restart the Respond service on the NetWitness Server.

Workaround: After configuring the Mongo database and rebooting the ESA server, restart the respond-server service.

From the command line:

systemctl restart rsa-nw-respond-server

Or from RSA NetWitness Platform:
Go to ADMIN > Services, select the Respond Server service, and then select > Restart.



Title: On upgrade from 11.1 to 11.2, if you have been using the Entropy Parser and indexing payload, you must add the bucket flag to the index file so that the Entropy Parser can use index buckets.

Problem: When you upgrade to RSA NetWitness Platform 11.2, if you have been using the Entropy Parser on the Decoder (packets only) and are indexing payload, you must add the bucket flag to your index file to take advantage of the new index buckets feature.

Workaround: Add the bucket flag to the index file so that the Entropy Parser can use index buckets, as follows:

  1. In the RSA NetWitness Platform menu, select ADMIN > Services.
    The Services view is displayed.
  2. Select each Concentrator service that is aggregating traffic from the decoders.
  3. Under the Actions icon, select View > Config and select the Files tab.
  4. Select the index-concentrator.xml file and set the bucket flag to true for payload.req and payload.res. For example:
    <key description="Payload Size Request" format="UInt32"
    level="IndexNone" bucket="true" name="payload.req"/>

    <key description="Payload Size Response" format="UInt32"
    level="IndexNone" bucket="true" name="payload.res"/>
  5. Click Apply.
  6. For changes in the index-concentrator.xml file to take effect, you must restart the jetty service on the NW Server:
    systemctl restart jetty.service
11.2, 11.1
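
The check below is an added example, not RSA tooling or code from this page: it parses a copy of index-concentrator.xml and reports whether payload.req and payload.res carry bucket="true" and the UInt32 format shown in step 4, and it reports a file that a mistyped quote has left unparseable. The sample file content, the <language> root element and the ip.src key are constructed assumptions for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Keys that step 4 of the workaround says must carry bucket="true".
REQUIRED_KEYS = ("payload.req", "payload.res")
# Format value used for both keys in the page's example.
EXPECTED_FORMAT = "UInt32"

# Constructed sample, not taken from a real host. payload.res is deliberately
# wrong: it has no bucket flag and a stray space in the format value.
SAMPLE_INDEX = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
  <key description="Source IP" format="IPv4" level="IndexValues" name="ip.src"/>
  <key description="Payload Size Request" format="UInt32"
       level="IndexNone" bucket="true" name="payload.req"/>
  <key description="Payload Size Response" format="UInt 32"
       level="IndexNone" name="payload.res"/>
</language>
"""


def check_bucket_flags(xml_text, required=REQUIRED_KEYS):
    """Return a list of problems found; an empty list means the file passes."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        # A missing quote or unclosed tag lands here before any key is read.
        return [f"not well-formed XML: {exc}"]

    keys = {key.get("name"): key for key in root.iter("key")}
    problems = []
    for name in required:
        key = keys.get(name)
        if key is None:
            problems.append(f"{name}: no <key> entry")
            continue
        if key.get("bucket") != "true":
            problems.append(
                f'{name}: bucket is {key.get("bucket")!r}, expected "true"')
        if key.get("format") != EXPECTED_FORMAT:
            problems.append(
                f'{name}: format is {key.get("format")!r}, '
                f'expected "{EXPECTED_FORMAT}"')
    return problems


if __name__ == "__main__":
    # Pass the path of a saved copy of the index file, or run with no
    # arguments to check the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_INDEX
    found = check_bucket_flags(text)
    for line in found:
        print("PROBLEM:", line)
    sys.exit(1 if found else 0)
```

Run it against a saved copy of the file before clicking Apply; a non-zero exit status means at least one of the two keys still needs correcting.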



Title: FIPS is disabled by default for the Log Collector Service

Problem: FIPS is disabled by default for the Log Collector service, even if FIPS was enabled in 10.6.4.

Workaround: To enable FIPS on the Log Collector service, perform the following steps:

  1. Stop the Log Collector service.
  2. Open the /etc/systemd/system/nwlogcollector.service.d/
  3. Change the value of the following variable to off as described here:


  4. Reload the system daemon by running the systemctl daemon-reload command.

  5. Restart the Log Collector service.
  6. Set the FIPS mode for the Log Collector service on the UI:
    Note: This step is not required in case of upgrade, if FIPS was enabled on 10.6.4.
    1. Go to ADMIN > Services.
    2. Select the Log Collector service and go to View > Config.
    3. In SSL FIPS Mode, select the checkbox under Config Value and click Apply.
    Note: To enable for Packet, in /sys/config set ssl.fips to ON and restart the service.

Found In / Exists In: 11.2, 11.1
Tracking Number: ASOC-41841

Title: The investigation links are disabled for static charts during 10.6.x.x to 11.1 or 11.2 post-upgrade.

Problem: The investigation link is disabled for the static chart (the result of the report is in chart format) which has the datasource as RSA NetWitness Platform-Broker (This service is available by default).

Workaround: There are two workarounds for this issue:

  • The rules that have the result in static chart can be viewed in Tabular format and the investigation works as expected.
  • Or you can perform the following steps to fix the issue:
    1. Delete and add the RSA NetWitness Platform-Broker again as the datasource to Reporting Engine with the same name.
    2. If the reports with static chart are scheduled reports, then in the next run, the investigation link will work as expected.
    3. If the report is an ad hoc report, re-run the report to get the investigation links.

11.2, 11.1