Release Notes 11.3: Fixed Issues

Document created by RSA Information Design and Development Employee on Apr 10, 2019. Last modified by RSA Information Design and Development Employee on Oct 8, 2019.
Version 8

This section lists issues fixed since the last major release.

Issues Fixed in 11.3.0.2

Event Stream Analysis (ESA)

                                   
| Tracking Number | Description |
|---|---|
| ASOC-82690 | The maximum memory for the ESA Correlation server has been changed to 164 GB. |
| ASOC-81823 | Converting arrays toLowerCase for use in GROUP BY or PARTITION BY function in Esper/ESA causes partitioning to malfunction. |
| ASOC-81752 | Health & Wellness shows that ESA Correlation is Unhealthy after a notification failure and does not resolve itself over time. |
| ASOC-81672, ASOC-76364 | Unable to delete an endpoint bundle from an ESA deployment. |
| ASOC-81375 | If the rules memory threshold is set to 60%, it needs tuning to avoid false Health & Wellness alerts. |
| ASOC-81373 | ESA rules with Context Hub lists get disabled during upgrade when there are duplicate Context Hub data sources. |

Issues Fixed in 11.3 or 11.3.0.1

Security

                       
| Tracking Number | Description |
|---|---|
| ASOC-59254 | Kernel Security Update https://access.redhat.com/errata/RHSA-2018:1965 |
| ASOC-58383 | policycoreutils Security Update https://access.redhat.com/errata/RHSA-2018:0913 |
| ASOC-58382 | OpenSSL Security Update https://access.redhat.com/errata/RHSA-2018:0998 |

Core Services (Broker, Concentrator, Decoder, Archiver)

                       
| Tracking Number | Description |
|---|---|
| ASOC-74691 | When you included a meta value in the Archiver configuration, the metakey word was also added. |
| ASOC-41902 | SSL FIPS Mode (Checkbox) for Broker, Concentrator and Archiver needs to be disabled. |
| SACE-11951, SACE-11895 | After upgrading to 11.3.0.1, Brokers failed to retrieve meta keys, which prevented visualizations from loading in Investigate. This affected second-level and top-level Brokers. |

Endpoint

                               
| Tracking Number | Description |
|---|---|
| ASOC-74735 | Owner information is now available on the Hosts > Details > Process tab. |
| ASOC-74199 | On Windows, the agent driver stopped when the agent mode was changed multiple times from Advanced to Insights. |
| ASOC-74025 | The Endpoint agent was not able to communicate with the server using UDP when it went back to HTTP mode. |
| ASOC-73742 | A complete list of Loaded Libraries was not displayed when investigating the process. |
| ASOC-72823 | The default scan schedule is now set to 1 week for improved performance of the Endpoint Server. |

Event Stream Analysis

                               
| Tracking Number | Description |
|---|---|
| ASOC-60511 | ESA rules with Context Hub lists get disabled during upgrade or ESA host reboot. |
| ASOC-60367 | ESA Rules with custom meta keys do not deploy on the ESA Server. |
| ASOC-26481 | Cannot set ESA compression level as in other appliances. |
| ASOC-14157 | ESA displays warning for array operators. |
| SACE-11668, ASOC-79640 | Disabled ESA rules get enabled after restarting the ESA Correlation service. (After the fix, disabled ESA rules remain disabled after restarting the ESA Correlation service.) |

Health and Wellness

               
| Tracking Number | Description |
|---|---|
| SACE-10840 | The following NetWitness Database (NW DB) retention statistics are available in 11.3.0.2: Overall Meta Oldest File Time Retention; Overall Session Oldest File Time Retention; Overall Packet Oldest File Time Retention. |

Investigate

                           
| Tracking Number | Description |
|---|---|
| ASOC-61230 | When you import Profiles to the Navigate view or the Events view using the Manage Profiles dialog, the newly imported profiles are not added to the Profiles drop-down menu. |
| ASOC-60941 | Network and log events are interleaved and sorted in time order in the Events view, but in the Event Analysis view, events are sorted differently. In the Event Analysis view, the events are not interleaved as they should be; instead all log events sorted in time order are displayed before all network events sorted in time order. |
| ASOC-50196 | If the URL for a drill point is very long and you use the query in the Event Analysis view, an error (414 Request error) is returned. |
| ASOC-49427 | The query builder in the Event Analysis view is unresponsive for filters that contain a space. |

Respond

                       
| Tracking Number | Description |
|---|---|
| ASOC-59243 | When all alerts are deleted for an alert rule, the filter for the rule is not properly removed. |
| ASOC-37533 | When a custom In-memory table is created and added as an enrichment source in ESA, that information is not displayed for ESA alerts. |
| ASOC-75674 | When you upgraded to 11.3.0.2, Respond's primary host property (/rsa/primary/host) was set to false by default, which had an adverse effect on some of the critical functionality. This is now set to true. |

UEBA

                 
| Tracking Number | Description |
|---|---|
| ASOC-75673 | The cache size for MongoDB is set to 20 GB for better performance. |
| ASOC-73271 | The OOTB UEBA Incident Rule was missing UEBA values in the Source and GroupBy fields. |

Upgrade

                       
| Tracking Number | Description |
|---|---|
| ASOC-49843 | Audit log templates are not getting updated in Logstash output conf file while upgrading to 11.x. |
| ASOC-42136 | Post-upgrade, the investigation links are disabled for static charts. |
| SACE-11250 | In cases where systems have gone through multiple kernel updates, the /boot directory contained multiple kernel images, which consumed the /boot partition. |
