RN 11.3.1.1: Fixed Issues

Document created by RSA Information Design and Development Employee on Jul 9, 2019. Last modified by RSA Information Design and Development Employee on Oct 3, 2019.
Version 4
 

Fixed Issues

This topic is divided into two sections, based on the version:

Issues fixed in 11.3.1.1

This section lists issues fixed in NetWitness Platform 11.3.1.1.

Event Stream Analysis (ESA)

                                       
Tracking Number: Description
ASOC-82658, SACE-11759: When you deploy ESA rules, sometimes an error occurs that shows that the rules are disabled in the user interface (CONFIGURE > ESA Rules > Rules tab Deployment panel) when the ESA rule deployment is actually successful.
ASOC-82802: The maximum memory for the ESA Correlation server has been changed to 164 GB.
ASOC-82346: Unable to delete an endpoint bundle from an ESA deployment.
ASOC-82106: Converting arrays toLowerCase for use in GROUP BY or PARTITION BY function in Esper/ESA causes partitioning to malfunction.
ASOC-82105: Health & Wellness shows that ESA Correlation is Unhealthy after a notification failure and does not resolve itself over time.
ASOC-82103: ESA rules with Context Hub lists get disabled during upgrade when there are duplicate Context Hub data sources.
ASOC-82102: If the rules memory threshold is set to 60%, it needs tuning to avoid false Health & Wellness alerts.

Investigate

                                     
Tracking Number: Description
SACE-11800: If a max.unique.values.parameter is used for a single query on a Broker or Concentrator, an error is returned.
SACE-11226: In the Events view, when you select metadata, you are not able to drill down to view the details.
ASOC-81394: In the Navigate view, when you type a query such as ip.src exists, the query changes to a different query.
ASOC-80919: Meta values for the Directory meta key are truncated if they contain multiple forward slash (/) characters.
ASOC-80278: In the Event Analysis view, Guided Mode, you cannot specify a query filter with CIDR notation for an IP address as it is not supported.
ASOC-80275: When you click on View Files in the Reconstruction view, you cannot download a file with special Korean characters in the file name. The following error message is displayed: Unable to create temporary file, <filename with Korean characters>_temp_<nnnnnn>.tmp.
ASOC-80263: When you Pivot to Investigate from the dashboard using an IP address, an invalid query is created and an error message is displayed.

Core Services (Broker, Concentrator, Decoder, Archiver)

                     
Tracking Number: Description
SACE-11945: After upgrading from 11.2.1.1 to 11.3.1, Investigate searches from the Broker service are not working intermittently.
SACE-11571: NetWitness appliance service crashes with SIGABRT during service monitoring on the Log Decoder.
ASOC-80266: CEF parser removes backslash (\) character.

Admin

                   
Tracking Number: Description
ASOC-80280: On the Event Source Monitoring tab, if you sort by ascending or descending order, the Idle time column is not sorted.
ASOC-80270: Unable to log in to the Active Directory using UserPrincipalName.

Reporting Engine

                       
Tracking Number: Description
SACE-11892: SFTP output action is not working properly.
SACE-11980, SACE-11491: Reports for the Respond server are not generating any results.
ASOC-81404: When multiple rules are applied in a single report and exported to PDF, data in the PDF is overlapped.

NetWitness Endpoint

                       
Tracking Number: Description
ASOC-80796: Endpoint agent is not able to send Windows events when Event IDs more than 23 are configured in the log filter.
ASOC-80629: Linux agent crashes during a scan when it encounters a particular ELF file with no sections.
ASOC-80227: "Unsigned Reserved Name" rule is not tracking events correctly.

Archiver

                   
Tracking Number: Description
SACE-11837, SACE-12018: Retention rule does not filter logs in Archiver collection properly.
SACE-10744: Unable to push index-archiver-custom.xml from one Archiver to other Archiver services.

Upgrade

                   
Tracking Number: Description
SACE-11954: After upgrading NetWitness Server to 11.3.1.0, the reports are failing due to std::bad_alloc error in the Reporting Engine.
SACE-11951, SACE-11895: After upgrading to 11.3.0.1, Brokers failed to retrieve meta keys, which prevented the visualization from loading in Investigate. This affected second level and top level Brokers.

Server

                 
Tracking Number: Description
SACE-11362, SACE-11864: User credentials sometimes get exchanged while performing a query on Investigate View.
ASOC-79876: When the Event Source Manage groups have the Idle time condition defined, alarms are not generated.

Issues fixed in 11.3.1

This section lists issues that were fixed in the 11.3.1 release.

Security

               
Tracking Number: Description
ASOC-75957: Python Security Update https://access.redhat.com/errata/RHSA-2019:0710.

ESA

                   
Tracking Number: Description
SACE-11668, ASOC-79640: Disabled rules were re-enabled after deployment and ESA Correlation service restart.
ASOC-83241: Sample Enrichment ESA rules are being disabled on 11.3.0.2 due to src_ip meta key error.

Respond

                       
Tracking Number: Description
ASOC-73743: Deleting an alert in Respond is not updating the High-Risk User List in Threat Aware Authentication.
ASOC-72759: Respond statistics reset after update. This is fixed for updates from 11.3 to 11.3.x, but is still an issue for updates from 11.2.x to 11.3.x.
ASOC-60463: A proper message is not displayed when Event Analysis is not loading in a mixed-mode environment.

Investigate

                           
Tracking Number: Description
ASOC-73894: In Print Mode, raw meta key and descriptive names are missing.
ASOC-73826: In the Event Analysis view, the query console does not replace the information icon with an error icon when a service is offline.
ASOC-73224: When retrieval of events for a query is in progress in the Event Analysis view, events that are already displayed disappear if the query takes more than 5 minutes to finish.
ASOC-60464: The error message displayed when a download from the user interface times out needs clarification.

NetWitness Endpoint

               
Tracking Number: Description
ASOC-73120, ASOC-74872: Issues with the PowerShell console events in Windows 10 1809 have been fixed in 11.3.1.

Core Services (Broker, Concentrator, Decoder, Archiver)

               
Tracking Number: Description
ASOC-75007: Previously, if the Log Decoder was sent bad data that appeared to consist of a certain number of bytes, but the message contained fewer bytes, the Log Decoder waited indefinitely for data that never arrived. The number of bytes allowed for length-prefixed transmissions is now limited to address this issue.
