RN Fixed Issues

Document created by RSA Information Design and Development Employee on Jul 9, 2019. Last modified by RSA Information Design and Development Employee on Oct 3, 2019.
Version 4

Fixed Issues

This topic is divided into two sections, based on the version:

Issues fixed in

This section lists issues fixed in NetWitness Platform

Event Stream Analysis (ESA)

| Tracking Number | Description |
|---|---|
| | When you deploy ESA rules, sometimes an error occurs that shows that the rules are disabled in the user interface (CONFIGURE > ESA Rules > Rules tab Deployment panel) when the ESA rule deployment is actually successful. |
| | The maximum memory for the ESA Correlation server has been changed to 164 GB. |
| | Unable to delete an endpoint bundle from an ESA deployment. |
| | Converting arrays with toLowerCase for use in a GROUP BY or PARTITION BY function in Esper/ESA causes partitioning to malfunction. |
| ASOC-82105 | Health & Wellness shows that ESA Correlation is Unhealthy after a notification failure and does not resolve itself over time. |
| ASOC-82103 | ESA rules with Context Hub lists get disabled during upgrade when there are duplicate Context Hub data sources. |
| | If the rules memory threshold is set to 60%, it needs tuning to avoid false Health & Wellness alerts. |


| Tracking Number | Description |
|---|---|
| | If a max.unique.values.parameter is used for a single query on a Broker or Concentrator, an error is returned. |
| SACE-11226 | In the Events view, when you select metadata, you are not able to drill down to view the details. |
| ASOC-81394 | In the Navigate view, when you type a query such as ip.src exists, the query changes to a different query. |
| | Meta values for the Directory meta key are truncated if they contain multiple forward slash (/) characters. |
| ASOC-80278 | In the Event Analysis view, Guided Mode, you cannot specify a query filter with CIDR notation for an IP address as it is not supported. |
| | When you click on View Files in the Reconstruction view, you cannot download a file with special Korean characters in the file name. The following error message is displayed: Unable to create temporary file, <filename with Korean characters>_temp_<nnnnnn>.tmp. |
| ASOC-80263 | When you Pivot to Investigate from the dashboard using an IP address, an invalid query is created and an error message is displayed. |

Core Services (Broker, Concentrator, Decoder, Archiver)

| Tracking Number | Description |
|---|---|
| SACE-11945 | After upgrading from to 11.3.1, Investigate searches from the Broker service intermittently do not work. |
| | NetWitness appliance service crashes with SIGABRT during service monitoring on the Log Decoder. |
| ASOC-80266 | CEF parser removes backslash (\) character. |


| Tracking Number | Description |
|---|---|
| ASOC-80280 | On the Event Source Monitoring tab, if you sort by ascending or descending order, the Idle time column is not sorted. |
| ASOC-80270 | Unable to log in to the Active Directory using UserPrincipalName. |

Reporting Engine

| Tracking Number | Description |
|---|---|
| | SFTP output action is not working properly. |
| | Reports for the Respond server are not generating any results. |
| ASOC-81404 | When multiple rules are applied in a single report and exported to PDF, data in the PDF is overlapped. |

NetWitness Endpoint

| Tracking Number | Description |
|---|---|
| ASOC-80796 | Endpoint agent is not able to send Windows events when Event IDs more than 23 are configured in the log filter. |
| ASOC-80629 | Linux agent crashes during a scan when it encounters a particular ELF file with no sections. |
| | "Unsigned Reserved Name" rule is not tracking events correctly. |


| Tracking Number | Description |
|---|---|
| | Retention rule does not filter logs in Archiver collection properly. |
| SACE-10744 | Unable to push index-archiver-custom.xml from one Archiver to other Archiver services. |


| Tracking Number | Description |
|---|---|
| | After upgrading NetWitness Server to, the reports are failing due to std::bad_alloc error in the Reporting Engine. |
| | After upgrading to, Brokers failed to retrieve meta keys, which prevented the visualization from loading in Investigate. This affected second level and top level Brokers. |


| Tracking Number | Description |
|---|---|
| | User credentials sometimes get exchanged while performing a query in the Investigate view. |
| | When the Event Source Manage groups have the Idle time condition defined, alarms are not generated. |

Issues fixed in 11.3.1

This section lists issues that were fixed in the 11.3.1 release.


| Tracking Number | Description |
|---|---|
| ASOC-75957 | Python Security Update https://access.redhat.com/errata/RHSA-2019:0710. |


| Tracking Number | Description |
|---|---|
| | Disabled rules were re-enabled after deployment and ESA Correlation service restart. |
| ASOC-83241 | Sample Enrichment ESA rules are being disabled on due to src_ip meta key error |


| Tracking Number | Description |
|---|---|
| | Deleting an alert in Respond is not updating the High-Risk User List in Threat Aware Authentication. |
| ASOC-72759 | Respond statistics reset after update. This is fixed for updates from 11.3 to 11.3.x, but is still an issue for updates from 11.2.x to 11.3.x. |
| | A proper message is not displayed when Event Analysis is not loading in a mixed-mode environment. |


| Tracking Number | Description |
|---|---|
| | In Print Mode, raw meta key and descriptive names are missing. |
| | In the Event Analysis view, the query console does not replace the information icon with an error icon when a service is offline. |
| ASOC-73224 | When retrieval of events for a query is in progress in the Event Analysis view, events that are already displayed disappear if the query takes more than 5 minutes to finish. |
| ASOC-60464 | The error message displayed when a download from the user interface times out needs clarification. |

NetWitness Endpoint

| Tracking Number | Description |
|---|---|
| | Issues with the PowerShell console events in Windows 10 1809 have been fixed in 11.3.1. |

Core Services (Broker, Concentrator, Decoder, Archiver)

| Tracking Number | Description |
|---|---|
| | Previously, if the Log Decoder was sent bad data that appeared to consist of a certain number of bytes, but the message contained fewer bytes, the Log Decoder waited indefinitely for data that never arrived. The number of bytes allowed for length-prefixed transmissions is now limited to address this issue. |
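
The length-prefix problem described in the last entry can be reproduced and bounded with a small reader. This is an added example, not RSA's code: the 4-byte big-endian prefix, the 64 KiB cap and the read timeout are assumptions, since the page states neither the wire format nor the limit, and the timeout is an extra safeguard beyond the length limit the page describes.

```python
import socket
import struct

MAX_FRAME = 64 * 1024   # assumed cap; the page does not state the product's limit
READ_TIMEOUT = 0.5      # seconds; added safeguard, not described on the page

class FrameError(Exception):
    """Raised when a length-prefixed message is oversized or incomplete."""

def recv_exact(sock, n):
    """Read exactly n bytes, failing on timeout or early close instead of waiting."""
    data = b""
    while len(data) < n:
        try:
            chunk = sock.recv(n - len(data))
        except socket.timeout:
            raise FrameError(f"timed out with {len(data)}/{n} bytes") from None
        if not chunk:
            raise FrameError(f"peer closed with {len(data)}/{n} bytes")
        data += chunk
    return data

def read_frame(sock, max_len=MAX_FRAME, timeout=READ_TIMEOUT):
    """Read one frame: 4-byte big-endian length (assumed format), then the payload."""
    sock.settimeout(timeout)
    (declared,) = struct.unpack(">I", recv_exact(sock, 4))
    if declared > max_len:          # reject before trying to read the payload
        raise FrameError(f"declared length {declared} exceeds cap {max_len}")
    return recv_exact(sock, declared)

def demo(wire_bytes):
    """Send constructed bytes over a local socket pair; return payload or rejection."""
    tx, rx = socket.socketpair()
    try:
        tx.sendall(wire_bytes)
        return read_frame(rx)
    except FrameError as exc:
        return f"rejected: {exc}"
    finally:
        tx.close()
        rx.close()

if __name__ == "__main__":
    # Constructed samples: well-formed, short payload, and an oversized declared length.
    for sample in (b"\x00\x00\x00\x05hello", b"\x00\x00\x00\x64hello", b"\xff\xff\xff\xffx"):
        print(demo(sample))
```

The second sample declares 100 bytes but carries 5, which is the case that blocks forever on a reader with no timeout. The third is rejected on the prefix alone.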
