SIEM Advanced Correlation Engine (ACE) |
| Reference Number |
Related Article |
Found in Version |
Resolved in Version |
Issue Description |
| SIEM-21131 |
- |
11.3.0 |
11.4.2 |
Issue: After you create a custom correlation rule, the rule is enabled at all policy levels and in all correlation managers.
Resolution: Newly added correlation rules are disabled by default. |
| SIEMSFX-1775 |
- |
11.3.0 |
11.4.2 |
Issue: The IPSDBServer on an ACE does not load events to the databus. |
| 1247149 |
- |
10.2.0 |
11.2.0 |
Issue: Correlation Rule with Flows Nested Variable not working correctly. |
| 1253508 |
- |
10.3.2 |
11.1.1 |
Issue: Some correlated files get tagged as bad. |
| 1243534 |
- |
10.2.0 |
- |
Issue: Sometimes a correlated event could not be triggered. |
SIEM Enterprise Security Manager (ESM) |
Reference
Number |
Related Article |
Found in Version |
Resolved in Version |
Issue Description |
| SIEM-24648 |
- |
11.4.2 |
- |
Issue: After a new deployment or an upgrade, you are not able to collect events from devices.
Also, this error in /var/log/messages might be encountered: Could not set broker list for ESM Node Local ESM AddlInfo: Server '<GUID>' is unavailable.
Workaround: If you experience this issue, contact Technical Support and provide this reference. |
| SIEM-22404 |
- |
11.4.0 |
11.4.2 |
Issue: (Backup/Restore) Assigning an alarm to a group causes the alarm to trigger.
|
| SIEM-22515 |
- |
11.4.0 |
11.4.2 |
Issue: You see a flash error seen when you add or edit a client data source with no port value or associated time zone. |
| SIEM-22260 |
- |
11.4.0 |
11.4.2 |
Issue: When the Index_hd becomes full, it can cause the database to crash.
Resolution: Reduce the amount of space that the database uses for the index_hd (SS1) hard drive. |
| SIEM-19125 |
- |
11.3.0 |
11.4.2 |
Issue: The source port, destination port, and protocol name map settings are not honored. |
| SIEM-20104 |
- |
11.3.2 |
11.4.2 |
Issue: The HTML User Interface does not correctly sort custom fields. |
| SIEM-22703 |
- |
11.4.1 |
11.4.2 |
Issue: Administrator is unable to log on to ESM after a system timeout occurs and leads to a session lock. |
| SIEM-21839 |
- |
11.4.0 |
11.4.2 |
Issue: When you try to set the Audit log level, you see the error:
EC252 Error: Unable to abort the Network Discovery process
Workaround: Close and reopen the manager. You then see in System Information, the changes have been made. |
| SIEM-22033 |
- |
11.4.0 |
11.4.1
Hotfix 1
(RTS) |
Issue: In Incident Management and Case Management Views, return no results..Seen when filtering by Signature ID and String fields. For example such as Source User or Application,
NOTE: To obtain a Released To Support (RTS) release. See the Related Information section below for details. |
| SIEM-22032 |
- |
11.4.0 |
11.4.1
Hotfix 1
(RTS)1 |
Issue: In Vulnerability Assessment Views, Vulnerability Name filter does not return results
NOTE: To obtain a Released To Support (RTS) release. See the Related Information section below for details. |
1266312
SIEM-11269 |
- |
11.1.3 |
11.4.0 |
Issue: Under certain network conditions, keying a device from either the Add Device wizard or the Key Management properties of ESM 11.1.3 (hosted in Amazon Web Services or Azure) can result in an error message. This result can happen even though the operation completed successfully.
Workaround: To acknowledge the error, click OK and then click the X in the top-right corner of the window to dismiss the screen instead of clicking the Cancel button. Click refresh on the system tree and the device is ready. |
| SIEM-12686 |
- |
11.2.0 HF4 |
11.3.0 11.2.1 HF7 11.2.0 HF7 |
Issue: [Snowflex] After you upgrade to SIEM 11, 3xxx errors occur and indicate issues retrieving query results from the new database architecture. |
| SIEM-11330 |
- |
11.1.3 |
11.2.1 |
Issue: The Event Forwarding function experiences performance issues. |
| 1225160 |
- |
10.2.0 |
11.2.0 |
Issue: Redundant ESM (RESM). Communication Troubleshooting Help does not mention proper devices. |
| 1219107 |
- |
11.0.0 |
11.2.0 |
Issue: CreateAndExecuteCommands run one database query for each record returned, which slows performance. |
| 1266321 |
KB94053 |
11.1.3 |
11.2.0 |
Issue: Manual interaction with the appliance is needed when reboots occur during the upgrade process to ESM 10.3.4 or 11.1.3.
Workaround: See the Related Article for details.
|
| 1231157 |
- |
10.2.0 |
11.2.0 |
Issue: "Possible Event Time Mismatch" alarm triggers when a device is not selected. |
| 1227617 |
- |
10.2.0 |
11.2.0 |
Issue: Devices still query NTP servers when "Use NTP servers for time synchronization and save settings" is not selected. |
| 1222461 |
- |
10.2.0 |
11.1.3 |
Issue: HTML5, Custom type name is not displayed correctly on the dashboard unless the database is restarted. |
| 1253595 |
- |
10.2.0 |
11.1.3 |
Issue: Specified Event Rate alarms do not work as expected. |
| 1232282 |
- |
11.0.0 |
11.1.3 |
Issue: [Localization]. In some languages, when creating Benchmark group names, a corrupted character is introduced at the end of the name. |
| 1253247 |
- |
10.2.0 |
11.1.2 |
Issue: No data when filtering Palo Alto on some rule_name on HTML5. |
| 1250794 |
- |
11.0.3 |
11.1.2 |
Issue: Enterprise Log Manager Kernel panic RIP: kmem_cache_alloc+0X00/0x140 RSP: fffc900004439f0 boots into new kernel. |
| 1253684 |
- |
11.0.3 |
11.1.2 |
Issue: No events in UI on ENMELM with 0 Alerts loaded, but the Alerts table is growing. |
| 1257763 |
- |
10.3.2 |
11.1.2 |
Issue: Can't search by File_hash in HTML5 (but works in Flash). Error:
Invalid GUID value. Must be hexadecimal digits (0–9 A-F). Dashes are also allowed. Must contain 32 digits. |
| 1256391 |
- |
10.3.2 |
11.1.2 |
Issue: VM data addition is successful, but the user interface reports the error below when trying to view it: "[ER254]". |
| 1255805 |
- |
10.3.2 |
11.1.2 |
Issue: Several ESM Redundancy (RESM) issues. |
| 1255653, 1256255, 1255512 |
- |
11.0.1 |
11.1.2 |
Issue: [Reporting] Exporting to CSV from Dashboard incorrectly shows usersource. |
1255652
1259176 |
- |
11.0.3 |
11.1.2 |
Issue: Snowflex issues in 11.0.3 Update 3 and 11.1.1. Can't run views during background rebuild + 238. |
| 1254749 |
- |
10.3.2 |
11.1.2 |
Issue: Wrong device_ip was added to the watchlist. |
| 1248382 |
- |
11.0.2 |
11.1.2 |
Issue: Last Event times in Device Summary Reports are not accurate. |
| 1247141 |
- |
10.2.1 |
11.1.2 |
Issue: Table component shows No Results at the 'Physical Display Level'. |
| 1233043 |
- |
11.0.0 |
11.1.2
|
Issue: After you add or delete a data source in the HTML5 dashboard, the device tree on the Physical Device tab does not refresh. |
| 1249322 |
- |
11.0.3 |
11.1.1 |
Issue: The server errors below are seen after you upgrade to 11.0.3:
[EC-1][ER238][ER1387] |
| 1248451 |
- |
10.2.0 |
11.1.1 |
Issue: Over-used allocation reporting available space in exabytes. |
| 1250991 |
- |
10.2.0 |
11.1.1 |
Issue: Primary is unable to complete Sync to redundant (log table). |
| 1252673 |
- |
10.2.0 |
11.1.1 |
Issue: JSON API to close case causes it to be deleted in SIEM user interface. |
| 1254585 |
- |
10.3.2 |
11.1.1 |
Issue: Redundant ESM (RESM)fails to get notified of a ELM failover. |
| 1255151 |
- |
11.0.3 |
11.1.0 |
Issue: EC238 errors seen after you upgrade to 11.0.3 Update 3. |
| 1253623 |
- |
11.0.3 |
11.1.0 |
Issue: The errors below are seen in Flash and HTML5:
Errorcode=238
[ER-1][ER238]
|
| 1234565 |
- |
11.0.0 |
11.1.0 |
Issue: In CyberScorecard, Severity values on the Executive view are not changed properly. |
| 1232247 |
- |
11.0.0 |
11.1.0 |
Issue: [Localization]. When selecting devices, some of the strings displayed are not localized. |
| 1273430 |
-
|
11.1.3 |
- |
Issue: Invalid data sources might be created when including leading zero's in the octets of the IP address. |
| 1234302 |
- |
11.0.0 |
- |
Issue: [Reports] Bar charts are not included in the exported reports. |
SIEM-11166
1233936 |
- |
11.0.0 |
- |
Issue: [Reports]. When viewing the 'Event Time Mismatch' report, no devices are selected by default. |
| 1233089 |
- |
11.0.0 |
- |
Issue: In FIPS mode, users who have Key and Certificate permission can't download or view certificates. |
| 1248631 |
- |
10.3.1 |
- |
Issue: In SIEM-MAR Integration, Active Response appears only for five seconds in the drop-down list of the 'Type' option in the Source tab for the Data Enrichment Wizard. |
SIEM Event Receiver (RECEIVER) |
| Reference Number |
Related Article |
Found in Version |
Resolved in Version |
Issue Description |
| SIEM-21683 |
- |
11.3.2 |
11.4.2 |
Issue: Unable to 'write out' data source to one of the receivers (high availability receiver pair).
Resolution: Updated SNMP control scripts to better handle shutting down and restarting. |
| SIEM-22057 |
- |
11.3.0 |
11.4.2 |
Issue: Backlog of events accumulates and impacts server performance.
Resolution. Event Reduced disk contention when parsers fall behind current time. |
| SIEM-21554 |
- |
11.3.2 |
11.4.2 |
Issue: (Collectors) The Mimecast collector sleeps for days and not seconds, when the rate limit is hit. |
| SIEM-22356 |
- |
11.3.2 |
11.4.2 |
Issue: (Collectors) MVISION ePO collector is not receiving events.
Resolution: The MVISION ePO collector now uses minimum permissions. |
| SIEM-22391 |
- |
11.3.0 |
11.4.2 |
Issue: Install scripts generate the error:
Access keys would seem to be incorrect.
The new AMI tools do not have the old commands that the script is trying to execute. |
| 1254216 |
- |
10.3.2 |
11.1.3
|
Issue: High availability Receiver deletes community for SNMP Request in /etc/snmp/snmpd.conf after return to service. |
| 1222182 |
- |
10.2.0 |
11.1.3 |
Issue: Sourcefire estreamer stopped collecting because of an error. |
| 1255633 |
- |
10.3.1 |
11.1.2 |
Issue: cURL data source is changed to syslog by “Write.” |
| 1253439 |
- |
9.6.1 MR1 |
11.1.2 |
Issue: Refresh device button throws an error after you upgrade to ePO 5.10. |
| 1229417 |
- |
11.0.0 |
11.1.1 |
Issue: Turning data source parsing off while Enterprise Log Search logging is on disables the data source. |
| 1251834 |
- |
11.0.3 |
11.1.1 |
Issue: Issues with SetClusterConfig and start of active collectors in high availability after upgrade to v11. |
| 1250483 |
- |
10.3.1 |
11.1.1 |
Issue: Directory /usr/local/ace/incoming/bad is growing to a large size on the Receiver without correlation engine. |
| 1247952 |
- |
10.3.1 |
11.1.1 |
Issue: The /usr/local/ace/incoming/bad folder fills after upgrade to 10.3.1. |
| 1245611 |
- |
11.0.3 |
11.1.1 |
Issue: Kafka topics are not created on a recently installed ENMELM combo (data is not sent). |
| 1221397 |
- |
10.1.0 |
- |
Issue: You can't add datasources with a FIPS-enabled ENMELM VM.
Workaround: Log on to the ESM database back-end, update the IPSversion field of the Local-Receiver in the IPS table, and restart the system. |
SIEM Enterprise Log Manager (ELM) |
| Reference Number |
Related Article |
Found in Version |
Resolved in Version |
Issue Description |
| SIEM-18551 |
- |
11.3.0 |
11.4.2 |
Issue: (Collectors) The backup feature is not disabled for a redundant ELM. After ta backup completes, it tries to start the ELM services. iI the redundant ELM is syncing data from a mirrored device, it fails to unmount the existing storage (because it is in use). |
| SIEM-19489 |
- |
11.1.0 |
11.4.2 |
Issue: API calls that have a space in the name generates a large pool size.
Resolution: The API calls changed to reduce a pool size when the pool has spaces in its name. |
| SIEM-22312 |
- |
11.3.0 |
11.4.2 |
Issue: Upgrade fails, unable to handle AWS NVME drives. Error recorded in the log:
Failed: ss1 not 0 - could be a complicated setup at /usr/local/ess/update/updates/check_resizevm line 93. The drive configuration is incorrect |
| 1254583 SIEM-11205 |
- |
10.3.2 |
11.3.0 |
Issue: ELM search results that are saved as links are not copied to Redundant ELM (RELM) |
| 1252818 |
- |
10.2.0 |
11.1.1 |
Issue: ELM Integrity Check Function Broken. |
| 1235498 |
- |
10.2.0 |
11.2.0 |
Issue: [Redundant ELM (RELM)]. Data written to the mount point without a mounted mirror is not copied correctly to the mirror. |
| 1254592 |
- |
10.3.2 |
11.1.3 |
Issue: Redundant ESM (RESM) and Primary ESM (PESM) using wrong key to talk to ELM. |
| 1252041 |
- |
11.0.3 |
- |
Issue: Unable to migrate the ELM mgtdb a second time. |
| 1254543 |
- |
10.2.0 |
11.1.3 |
Issue: User interface shows wrong data storage device for the MGTDB. |
Enterprise Log Search (ELS) |
| SIEM-22203 |
- |
11.4.0 |
11.4.2 |
Issue: After you perform an upgrade, Elasticsearch nodes start with the default cluster configuration.
NOTE: The cluster configuration was correctly updated. |
| 1252531 |
- |
10.3.0 |
11.2.0 |
Issue: Enterprise Log Search (ELS) fills up disk with elastic search logs. |
| 1232284 |
- |
11.0.0 |
11.1.0 |
Issue: [Localization] Some localized User Interface elements are truncated in the Enterprise Log Search (ELS) Search history. |
| 1234993 |
- |
11.0.0 |
Expected
Behavior |
Issue: After you upgrade from 10.2.0, Enterprise Log Search (ELS) tries to connect to the local kafka.
Solution: Follow the proper upgrade procedure documented in current release notes. |
SIEM Data Streaming Bus (DSB) |
1264218
SIEM-11238 |
- |
11.1.3 |
11.4.0 |
Issue: Upgrading a DSB using a file uploaded through the “ESM File Maintenance” option prevents the upgrade from starting.
Workaround: Upload the file for the DSB during the upgrade process.
|
| Other |
| SIEMSFX-1822 |
- |
11.4.1 |
11.4.4 |
Issue: A missing socket causes Snowflex to shut down.
The log records the below errors:
- An invalid handle was encountered.
- Could not read from socket.
- CML Client API Socket error in recv, failed to get message size.
|
| SIEM-22188 |
- |
11.4.0 |
11.4.2 |
Issue: Using an external API returns totalRows when it is not expected to do so.
Resolution: Removed totalRows return value from the executeQuery API. |
