Release Notes 11.3: Fixed Issues

Document created by RSA Information Design and Development Employee on Apr 10, 2019Last modified by RSA Information Design and Development Employee on Oct 8, 2019
Version 8Show Document
  • View in full screen mode

This section lists issues fixed since the last major release.

Issues Fixed in

Event Stream Analysis (ESA)

Tracking NumberDescription


The maximum memory for the ESA Correlation server has been changed to 164 GB.

ASOC-81823Converting arrays toLowerCase for use in GROUP BY or PARTITION BY function in Esper/ESA causes partitioning to malfunction.
ASOC-81752Health & Wellness shows that ESA Correlation is Unhealthy after a notification failure and does not resolve itself over time.


Unable to delete an endpoint bundle from an ESA deployment.


If the rules memory threshold is set to 60%, it needs tuning to avoid false Health & Wellness alerts.

ASOC-81373ESA rules with Context Hub lists get disabled during upgrade when there are duplicate Context Hub data sources.

Issues Fixed in 11.3 or


Tracking NumberDescription
ASOC-59254Kernel Security Update
ASOC-58383policycoreutils Security Update
ASOC-58382Openssl Security Update

Core Services (Broker, Concentrator, Decoder, Archiver)

Tracking NumberDescription

When you included a meta value in the Archiver configuration, the metakey word was also added.


SSL FIPS Mode (Checkbox) for Broker, Concentrator and Archiver needs to be disabled.


After upgrading to, Brokers failed to retrieve meta keys, which prevented visualization to load in Investigate. This affected second level and top level Brokers.


Tracking NumberDescription

Owner information is now available on the Hosts > Details > Process tab.


On Windows, the agent driver stopped when the agent mode was changed multiple times from Advanced to Insights.


The Endpoint agent was not able to communicate to the server using UDP when it went back to HTTP mode.


A complete list of Loaded Libraries was not displayed when investigating the process.


The default scan schedule is now set to 1 week for improved performance of the Endpoint Server.

Event Stream Analysis

Tracking NumberDescription


ESA rules with Context Hub lists get disabled during upgrade or ESA host reboot.


ESA Rules with custom meta keys do not deploy on the ESA Server.


Cannot set ESA compression level as in other appliances.

ASOC-14157ESA displays warning for array operators.
Disabled ESA rules get enabled after restarting the ESA Correlation service. (After the fix, disabled ESA rules remain disabled after restarting the ESA Correlation service.)

Health and Wellness

Tracking NumberDescription

The following NetWitness Database (NW DB) retention statistics are available in

  • Overall Meta Oldest File Time Retention
  • Overall Session Oldest File Time Retention
  • Overall Packet Oldest File Time Retention


Tracking NumberDescription

When you import Profiles to the Navigate view or the Events view using the Manage Profiles dialog, the newly imported profiles are not added to the Profiles drop-down menu.



Network and log events are interleaved and sorted in time order in the Events view, but in the Event Analysis view, events are sorted differently. In the Event Analysis view, the events are not interleaved as they should be; instead all log events sorted in time order are displayed before all network events sorted in time order.


If the URL for a drill point is very long and you use the query in the Event Analysis view, an error (414 Request error) is returned.
ASOC-49427The query builder in the Event Analysis view is unresponsive for filters that contain a space.


Tracking NumberDescription


When all alerts are deleted for an alert rule, the filter for the rule is not properly removed.

ASOC-37533When a custom In-memory table is created and added as an enrichment source in ESA, that information is not displayed for ESA alerts.

When you upgrade to, Respond's primary host property (/rsa/primary/host) was set to false by default, which had an adverse effect on some of the critical functionality. This is now set as true.


Tracking NumberDescription

The cache size for MongoDB is set to 20 GB for better performance.


The OOTB UEBA Incident Rule was missing UEBA values in the Source and GroupBy fields.


Tracking NumberDescription


Audit log templates are not getting updated in Logstash output conf file while upgrading to 11.x.

ASOC-42136Post-upgrade, the investigation links are disabled for static charts.

In cases where systems have gone through multiple kernel updates, the /boot directory contained multiple kernel images, which consumed the /boot partition.

You are here
Table of Contents > Release Notes 11.3: Introduction > Release Notes 11.3: Fixed Issues