This section lists issues fixed after the last major release. For additional information on fixed issues, see the Fixed Version column in the RSA NetWitness Platform Known Issues list on RSA Link: 
https://community.rsa.com/community/products/netwitness/documentation/known-issues

Log Collection Fixes

Tracking Number Description
ASOC-94276 Improved TCP Syslog Performance.

Administration Fixes

Tracking Number Description
SACE-13620 In version 11.4, unable to deploy recursive feeds on the Decoder group.
SACE-13572 When querying using the msearch option, it displays "Year is out of valid range: 1400..9999" error.
SACE-13278 After upgrading to 11.4, the Login Banner does not display while logging in to the NetWitness Platform.
SACE-13124 Raid Tool Script fails if a disk in a 15 drive Viper Shelf is in a 'UBad' state.
SACE-13060 In the Define Email Notifications panel, unable to enter an email address with domain name, if the domain name has letters after (.) symbol. For example, XXX@innotec.security.com

Audit Logging

Tracking Number Description
ASOC-85468 / ASOC-86055 Logstash does not reconnect to RabbitMQ, if RabbitMQ is reset.
ASOC-77307 Audit Logs do not have enough context when an ESA rule is created, duplicated, or deleted on the Rule Builder.
In NetWitness Platform 11.5, in addition to the audit logs available on ESA Correlation-server, new audit logs on the NW Server show when users add, modify, filter, delete, export, and import ESA rules in the Rule Library. The NW Server audit logs also show when users add, modify, and deploy ESA rule deployments. Modifications to an ESA rule deployment include adding, deleting, or updating a rule in a deployment as well as adding a data source or an ESA Correlation service to a deployment.

Investigate Fixes

Tracking Number Description
ASOC-92642 Refocusing a value that contains the backslash (\) character in the Events view does not return results.
ASOC-92534 In the email reconstruction, the Download button for attachments is not enabled due to a filename mismatch.
ASOC-85375 Unable to query meta keys with values and meta values are truncated for some characters like .
ASOC-50412 When initiating a download, Investigate fails to connect to the browser job tray and the download spinner remains indefinitely.

Respond Fixes

Tracking Number Description
ASOC-83210 Incident email notifications are missing "Changed by" fields. In NetWitness Platform 11.4, when an automatically generated incident was updated, the email notification failed to display the "Change By" field showing the timestamp and user associated with the update. This is fixed in 11.5.
ASOC-80896 Incidents generated by Reporting Engine alerts display cleartext values despite Data Privacy being enabled. Previously, in deployments where data privacy is enabled, incidents aggregated from Reporting Engine alerts were displaying cleartext metadata due to both cleartext and hashed values getting published. Now, when data privacy is enabled, the Reporting Engine only sends hashed / obfuscated values to Respond, which maintains data privacy when analysts view incidents.
ASOC-73173 Matching files are not displayed in the Files tab if the file name in the event does not match the global file name. Previously, when you pivoted to the Investigate > Hosts or Files tab from the Nodal Graph to analyze a file, if the file name in the event did not match the case of the global file name, no results were displayed. Now, case sensitivity is no longer an issue when pivoting to the Investigate > Hosts or Files tab.

Core Services (Broker, Concentrator, Decoder, Archiver) Fixes

Tracking Number Description
ASOC-90740 Log Decoder service was core-dumping at restart.
SACE-13702 When querying the Broker through Rest API, it displays incorrect results.
SACE-13597 For a TLS session, the meta keys for Ja3/Ja3s and cert.thumbprint are generated.

Event Stream Analysis (ESA) Fixes

Tracking Number Description
ASOC-87778 An ESA Rule Deployment name with a colon (:) throws a failed to start stream error. If an ESA rule deployment name contains a colon (:), data aggregation fails to start during deployment. This is not an issue in NetWitness Platform 11.5.
ASOC-77307 Audit Logs do not have enough context when an ESA rule is created, duplicated, or deleted on the Rule Builder.
In NetWitness Platform 11.5, in addition to the audit logs available on ESA Correlation-server, new audit logs on the NW Server show when users add, modify, filter, delete, export, and import ESA rules in the Rule Library. The NW Server audit logs also show when users add, modify, and deploy ESA rule deployments. Modifications to an ESA rule deployment include adding, deleting, or updating a rule in a deployment as well as adding a data source or an ESA Correlation service to a deployment.
SACE-12736 Multiple users can edit an ESA rule deployment at the same time and overwrite changes. If two users modify the same ESA rule deployment by adding or removing rules, whoever clicks Deploy Now first overwrites the changes of the other user.
In NetWitness Platform 11.5, multiple users can edit an ESA rule deployment at the same time and not overwrite changes.

Reporting Engine Fixes

Tracking Number Description
SACE-12893 Reports > Alert tab, does not display all the alerts when queried for a custom time range.

Endpoint Fixes

Tracking Number Description
ASOC-86942 Endpoint server is often found in Unhealthy state after a day of deployment.
SACE-13763 Unable to install NetWitness Endpoint Agent on Redhat 8.x system.
SACE-13529 Test connection fails for Relay Server with Endpoint Log Hybrid.

Upgrade Fixes

Tracking Number Description
SACE-12658 When running the nwsetup-tui command on the CLI for configuring the static IP address , it fails.
SADOCS-1883 Request for pre-upgrade steps to clear out repositories from previous releases. These instructions have been added to the Upgrade Guide for RSA NetWitness Platform 11.5.