This section lists issues fixed since the last major release.
Issues Fixed in 18.104.22.168
Event Stream Analysis (ESA)
The maximum memory for the ESA Correlation server has been changed to 164 GB.
| Issue | Description |
|---|---|
| ASOC-81823 | Converting arrays toLowerCase for use in a GROUP BY or PARTITION BY function in Esper/ESA causes partitioning to malfunction. |
| ASOC-81752 | Health & Wellness shows that ESA Correlation is Unhealthy after a notification failure and does not resolve itself over time. |
| | Unable to delete an endpoint bundle from an ESA deployment. |
| | If the rules memory threshold is set to 60%, it needs tuning to avoid false Health & Wellness alerts. |
| ASOC-81373 | ESA rules with Context Hub lists get disabled during upgrade when there are duplicate Context Hub data sources. |
Issues Fixed in 11.3 or 22.214.171.124
| Issue | Description |
|---|---|
| ASOC-59254 | Kernel Security Update https://access.redhat.com/errata/RHSA-2018:1965 |
| ASOC-58383 | policycoreutils Security Update https://access.redhat.com/errata/RHSA-2018:0913 |
| ASOC-58382 | OpenSSL Security Update https://access.redhat.com/errata/RHSA-2018:0998 |
Core Services (Broker, Concentrator, Decoder, Archiver)
| Issue | Description |
|---|---|
| | When you included a meta value in the Archiver configuration, the meta key word was also added. |
| | SSL FIPS Mode (checkbox) for Broker, Concentrator and Archiver needs to be disabled. |
| | After upgrading to 126.96.36.199, Brokers failed to retrieve meta keys, which prevented visualizations from loading in Investigate. This affected second-level and top-level Brokers. |
| Issue | Description |
|---|---|
| | Owner information is now available on the Hosts > Details > Process tab. |
| | On Windows, the agent driver stopped when the agent mode was changed multiple times from Advanced to Insights. |
| | The Endpoint agent was not able to communicate with the server using UDP when it went back to HTTP mode. |
| | A complete list of Loaded Libraries was not displayed when investigating the process. |
| | The default scan schedule is now set to 1 week for improved performance of the Endpoint Server. |
Event Stream Analysis
| Issue | Description |
|---|---|
| | ESA rules with Context Hub lists get disabled during upgrade or ESA host reboot. |
| | ESA rules with custom meta keys do not deploy on the ESA Server. |
| | Cannot set the ESA compression level as on other appliances. |
| ASOC-14157 | ESA displays a warning for array operators. |
| | Disabled ESA rules get enabled after restarting the ESA Correlation service. (After the fix, disabled ESA rules remain disabled after restarting the ESA Correlation service.) |
Health and Wellness
The following NetWitness Database (NW DB) retention statistics are available in 188.8.131.52.
| Issue | Description |
|---|---|
| | When you import Profiles to the Navigate view or the Events view using the Manage Profiles dialog, the newly imported profiles are not added to the Profiles drop-down menu. |
| | Network and log events are interleaved and sorted in time order in the Events view, but in the Event Analysis view, events are sorted differently. In the Event Analysis view, the events are not interleaved as they should be; instead, all log events sorted in time order are displayed before all network events sorted in time order. |
| | If the URL for a drill point is very long and you use the query in the Event Analysis view, an error (414 Request error) is returned. |
| ASOC-49427 | The query builder in the Event Analysis view is unresponsive for filters that contain a space. |
| | When all alerts are deleted for an alert rule, the filter for the rule is not properly removed. |
| ASOC-37533 | When a custom in-memory table is created and added as an enrichment source in ESA, that information is not displayed for ESA alerts. |
| | When you upgraded to 184.108.40.206, Respond's primary host property (/rsa/primary/host) was set to false by default, which had an adverse effect on some critical functionality. This is now set to true. |
| | The cache size for MongoDB is set to 20 GB for better performance. |
| | The OOTB UEBA Incident Rule was missing UEBA values in the Source and GroupBy fields. |
| | Audit log templates were not updated in the Logstash output conf file when upgrading to 11.x. |
| ASOC-42136 | Post-upgrade, the investigation links are disabled for static charts. |
| | On systems that had gone through multiple kernel updates, the /boot directory contained multiple kernel images, which consumed the /boot partition. |
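The last item above describes /boot filling up because old kernel images were never pruned after repeated kernel updates. The following script is an added example, not part of these release notes or of the product, that an administrator can use to check how many kernel images a boot directory holds and warn when the count exceeds a threshold. The directory name, the threshold, and the version strings used for the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the release notes): count the kernel images kept in a
# boot directory and warn when more than a threshold are retained, which is the
# condition that fills /boot after repeated kernel updates.

count_kernel_images() {
    # Count files named vmlinuz-* in the given directory (default /boot).
    dir="${1:-/boot}"
    n=0
    for f in "$dir"/vmlinuz-*; do
        [ -e "$f" ] || continue   # the glob matched nothing
        n=$((n + 1))
    done
    echo "$n"
}

check_boot_kernels() {
    # Return 0 if the number of kernel images is within the threshold,
    # 1 if it exceeds it (a sign that old kernels should be removed).
    dir="${1:-/boot}"
    max="${2:-3}"   # assumed threshold; tune to the size of your /boot partition
    n=$(count_kernel_images "$dir")
    if [ "$n" -gt "$max" ]; then
        echo "WARN: $n kernel images in $dir (threshold $max)"
        return 1
    fi
    echo "OK: $n kernel images in $dir"
    return 0
}

# Constructed demo directory so the check runs without touching the real /boot.
# The version strings are made up for the demo.
demo=$(mktemp -d)
for v in 3.10.0-862 3.10.0-957 3.10.0-1062 3.10.0-1127; do
    : > "$demo/vmlinuz-$v"
    : > "$demo/initramfs-$v.img"
done
check_boot_kernels "$demo" 3 || true   # four images against a threshold of three: WARN
rm -rf "$demo"
```

On a real host, call `check_boot_kernels /boot 3` from a cron job or a monitoring agent and alert on a non-zero exit status; the threshold should leave room for the running kernel plus at least one known-good fallback.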