000038500 - RSA NetWitness Platform 11.4.x Known Issues List

Document created by RSA Customer Support Employee on Mar 16, 2020
Last modified by RSA Customer Support Employee on May 22, 2020
Version 4

Article Content

Article Number: 000038500
Applies To: RSA Product Set: NetWitness Platform and NetWitness Endpoint
RSA Version/Condition: 11.4
Platform: CentOS
O/S Version: EL7
Issue: Below is a list of known issues in RSA NetWitness Logs & Network and NetWitness Endpoint 11.4.x, including those listed in the Release Notes.
Click the links to go directly to the articles where applicable.

General Platform
| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |
| ASOC-86055 | Global Audit Logging Stops after Rabbitmq Service Restart on the Admin Server in RSA NetWitness Platform | Under development. Targeted for 11.5.x release. | |
| SACE-13124 | Raid Tool Script Fails When Bad Disk Present | 11.5 | |


General UI

| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |
| SACE-12563 | Feed Selection for Groups does not have previously pushed out groups check marked. | 11.4.1 | |
| SACE-12964 | Unable to add the "accessInvestigateUsers" to a role via the GUI | Under testing. Targeted for 11.4.1 | |
| SACE-12753 | Adding/Editing a recurring feed only validates the hostname in the URL path, not the filename, or path when clicking Verify. | 11.4.1 | |
| SACE-13125 | PAM-based authentication not functioning after upgrade to RSA NetWitness Platform 11.4.0.0 and 11.4.0.1 | Under development. Targeted for 11.4.1/11.5.x release. | |
| SACE-13260 | NW 11.4.0.0 - Not able to deploy recursive feed on Decoders group | 11.4.1 and 11.5 | |
| SACE-13264 | NW 11.3.1.1 - credential mismatch - mixing users of different roles between admin and non-admin functions | 11.4.1 | |
| SACE-12969 / ASOC-90751 | When the user logs in to NetWitness Platform, the permissions of the user who previously logged in is applied. | 11.4.1 | |
| SACE-12753 | Custom feed verifies only the hostname in the URL path and not the filename or path. | 11.4.1 | |
| SACE-12563 | When you edit the feed, the previously selected and deployed device groups are not selected, making it difficult to understand which are deployed. | 11.4.1 | |
| SACE-11456 / ASOC-89259 | The NetWitness Platform user interface response is slow and takes up to 30-45 seconds to work. | 11.4.1 | |


Installation/Upgrade

| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |
| SACE-13024 | Rabbitmq service on Endpoint Hybrid fails to start in NetWitness 11.4 | Contact RSA Support | |
| ASOC-92601 | Unable to upgrade the NW Server host to version 11.4.1.0 using the Offline User Interface method. This issue occurs when upgrading from 11.4.0.0 or 11.4.0.1 to 11.4.1. For a workaround, see Known Issue ASOC-92601. This issue is fixed when upgrading from 11.4.1 to a later release. | 11.4.1 | |
| SACE-13125 / ASOC-90992 | PAM Kerberos authentication fails after upgrading to 11.4.0.0. | 11.4.1 | |
| SACE-12586 / ASOC-86468 | After running the backup script version 4.5 on a 10.6.6 system, an error "verify Puppet Certs validity on SA Server" is displayed. | 11.4.1 | |
| SACE-12138 / ASOC-84298 | When running the NetWitness Recovery Tool (NRT), the custom Meta Groups and Profiles are not imported as a part of the restoration process. | 11.4.1 | |
| SACE-11531 / ASOC-79467 | (Malware Analysis) After upgrading to 11.2.1.1, the Threatgrid module is not working and the RSA Cloud connection is not working via HTTP Proxy. | 11.4.1 | |
| SACE-11196 / ASOC-77071 | After installing version 11.2.0.0, the mongo sa.repo table does not show that the 11.2.0.0 repo is downloaded even though /var/netwitness/common/repo/11.2.0.0 is available. | 11.4.1 | |


Security

| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |


Core Services

| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |
| SACE-12827 / ASOC-87236 | Not able to extract the email attachment if the Content-disposition header is in upper case. | 11.4.0.1 | |
| SACE-12387 / ASOC-87236 | Unable to extract files from an SMB2 session due to the recent changes in the SMB2 protocol. | 11.4.0.1 | |
| SACE-13098 / ASOC-87266 | Packet Decoder has very low session rates and capturing at 9.6G. | 11.4.1 | |
| SACE-8177 / ASOC-47223 | Syslog forwarder forwards only the logs that have meta attached to them and have the forward flag set in the Application Rule. | 11.4.1 | |
| SACE-13409 | Upgrade to 11.4.0.1 is causing an impact when rebooting Series 6 packet decoders and packet hybrids. | Under testing for 11.4.1.2 | |


Log Collection

| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |
| ASOC-87953 / ASOC-78604 | Windows Legacy Collector (WLC) certificate renewal script that is packaged as part of 11.4 and located at /var/netwitness/root-ca-update/wlc/ does not run. | 11.4.0.1 | |
| SACE-12649 | After upgrading to 11.3 or later, Log Collector does not receive logs from the Proofpoint event source. | 11.4.1 | |
| SACE-12961 | WinRM bookmarks returning 1 for a certain event channel stops collection across all channels. | 11.4.1 | |
| SACE-12750 | using ssl syslog for logstash event source, crashes the nwlogcollector on VLC | 11.4.1.2 | |


ESA

| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |
| ASOC-87859 | Some ESA Rule Deployments migrated from versions before 11.3 can cause ESA Rule Deployment issues during the 11.4 upgrade. | 11.4.0.1 | |
| SACE-11831 | NW 11.3 - Needed API improvements to obtain actual sessions.behind per node (conc/decoder) on ESAs | 11.4.1 | |
| ASOC-87468 / ASOC-87517 | Esper metrics collection can impact performance in some environments with ESA rules that consume large amounts of memory for RSA NetWitness Platform 11.4.x | 11.5 | RSA KB #38369 |
| SACE-12839 | A Context Hub enrichment in an ESA Rule creates alerts for the older values that are deleted. This issue occurs when the list from which the Context Hub Enrichment is created is a recurring one with the Overwrite option. When the values are overwritten by new values, ESA alerts should not be triggered for the older values. | 11.4.1 | |


Respond

| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |
| ASOC-90551 | Compressed payloads not displayed when using text reconstruction in Respond. In 11.3.2 and 11.4, you may encounter a scenario when using packet reconstruction within Respond for network sessions containing compressed (for example, gzip) payloads. | 11.4.1 | |
| ASOC-88665 | Respond may stop processing alerts when Endpoint file alerts do not contain a SHA256 Checksum. In 11.3.2 and 11.4, you may encounter Respond stopping the processing of alerts when handling certain alerts containing Endpoint events not containing a SHA256 hash of the offending file. This results in a failure to calculate risk scores for alerts and, subsequently, errors when attempting to process subsequent alerts. | 11.4.1 | |


Warehouse Connector

| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |
| SACE-12864 | Warehouse Connector - Add SFTP Destination with SSH Key Passphrase | Under testing for 11.4.1.2 | |


Health & Wellness

| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |
| SACE-10378 / ASOC-74763 | PSU shows incorrect status on the Health & Wellness view, when one PSU fails on the S5 Hybrid. | 11.4.0.1 | |
| SACE-12910 | 11.3.2.0 - H&W alarm on Endpoint Loghybrid Logcollector - LogCollector Virtual System Resources Exhausted | 11.4.1 | |
| SACE-12973 | ADMIN > Health & Wellness > System Stats Browser tab, does not display Fan status and System Temperature. | 11.4.1 | |


Investigate

| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |
| SACE-12498 | Brasil No longer follows Daylight Savings Time - Update Moment Timezone Libraries for investigation. | 11.4.1 | |
| SACE-13028 | Wrong closing xml tag when exporting logs from the UI | 11.4.0.2 | |
| SACE-11659 / ASOC-88050 | When investigating an offline Archiver collection, it does not display metadata with events but displays only the events count. | 11.4.0.1 | |
| SACE-11706 / ASOC-88025 | Event export fails when investigating for a custom time frame and profile with no prequery. | 11.4.0.1 | |
| SACE-12803 / ASOC-87643 | Unable to export logs in the Investigate view when the user language setting is not English or French. | 11.4.0.1 | |
| ASOC-87633 | When the NOT operator is used in Event view Free-Form Mode without parenthesis, as in NOT medium = 1 vs NOT(medium = 1), the free-form query fails. | 11.4.0.1 | |
| ASOC-87549 | Packets are not rendered properly, and the expected data is not displayed in the Events view packet reconstruction. | 11.4.0.1 | |
| ASOC-87516 | The packet reconstruction being viewed does not have data loaded after leaving the Events view for the Hosts, Files, or Entities view, and then returns to the Events view using the Events option in the Investigate submenu. | 11.4.0.1 | |
| ASOC-87378 | After upgrading to Version 11.4, there may be issues in the Navigate view and Legacy Events view because the column groups, meta groups, or profile groups' permission is disabled for custom user roles. | 11.4.0.1 | |
| SACE-13119 | After upgrading to 11.4 and reconstructing an event in the Legacy Events view, the metadata drill-down options are missing under the View Meta option in the event reconstruction toolbar. | 11.4.0.1 HF and 11.4.1 | |
| ASOC-92592 | From UEBA, when you pivot on a meta value containing a slash, the Investigate > Events view, does not display any results. | 11.4.1 | |
| ASOC-88157 | The event reconstruction for a filename in the Investigate > Events view is querying the wrong meta key (ip.src) instead of ip.dst in the FTP system parser. | 11.4.1 | |
| SACE-13028 | When logs are exported in XML format from the Events view or the Legacy Events view, the logs have incorrect closing tags. The closing tag is instead of the correct closing tag. | 11.4.1 | |
| SACE-12498 | After Brazil stopped using Daylight Saving Time, there is a one-hour discrepancy between the configured Profile time zone (Americas/Sao Paulo GMT -3) and the time zone used to display time in the Investigate and Respond views (Americas/Sao Paulo GMT -2). | 11.4.1 | |


Malware Analysis

| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |
| SACE-10302 / ASOC-88023 | AV tab in Admin > Services > Malware > Config, does not display AV Vendor results. | 11.4.0.1 | |


ESM

| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |


Context Hub

| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |
| SACE-11272 / ASOC-84841 | When STIX data is converted to CSV format, some of the STIX fields are not available in the CSV file. | 11.4.0.1 | |
| ASOC-87937 | Connection for Threat Insights (Live Connect) and File Reputation data source fails as the password gets saved as blank. | 11.4.0.1 | |
| SACE-12839 | Enrichment utilizing context hub list does not remove values which no longer exist in the list. | 11.4.1 | |
| SACE-13086 / ASOC-90987 | When converting a recurring feed to a Context Hub list, it displays a failed status. | 11.4.1 | |
| SACE-13606 | Converting Feed to ContextHub List failed. | Under testing for 11.4.1 | |


Endpoint

| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |
| SACE-12888 / ASOC-90565 | In the Investigate > Hosts view, duplicate hosts are displayed for the same hostname but with different agent IDs as the agent was installed multiple times. | 11.4.1 | |


Reporting Engine

| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |
| SACE-11897 / ASOC-87262 | When you edit an existing schedule of a report, you cannot select a data source if a data source was not previously selected. | 11.4.1 | |
| SACE-12893 / ASOC-87262 | Discrepancy in Reporting Engine Alert Count | 11.5 | |


UEBA

| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |
| SACE-12843 | UEBA UI unable to access after installation | 11.4.0.1 | |


Licensing

| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |


Content

| Issue ID | Issue Title | Fix version or Status | Related article |
| --- | --- | --- | --- |

 

Notes: Some of the product issues that are discovered by RSA Engineering are available from RSA NetWitness® Platform Known Issues.
