These issues apply to common or several components in your ArcSight Platform deployment. For more information about issues related to a specific product, please see that product's release notes, as applicable.
OCTCR33I160009 – Reporting - Chart Wizard Now Correctly Displays the Convert to Measure Button
OCTCR33I242328 – On Node Management, the Filtering Option Does Not Work Correctly in Some Columns
OCTCR33I276138 – Data Timeseries Chart Fails to Update after Changing Categories
OCTCR33I349068 – Exported Tables No Longer Show Squeezed Columns
OCTCR33I409215 – Database in 22.1 Release Will Not Support FIPS
OCTCR33I500006 – The Insights Tab Disappears From the Fusion Dashboard After the License Expires
This release includes the security fixes previously available with ArcSight Platform 23.1. For more information about these security fixes, see the Release Notes for ArcSight Platform 22.1.2.
The button occasionally became unavailable if you tried to create a chart using the after you changed from "convert" to "dimension."
Issue: In the chart editor, when you remove an X or Y field, the Reports Portal displays an error message. This intermittent issue was resolved by a software fix.
On the Node Management page, under the Container tab, the Name and Parser Ver columns are not filtering. A code fix was applied to resolve the issue.
A software fix resolved the issue where, when viewing the Data Timeseries Chart in the Data Quality dashboard, the stacked area chart failed to automatically update as soon as you selected an event category, such as Future Events, Past Events, or Active Events.
Issue: A code change resolved the problem where some dashboard tables displayed squeezed columns when they were exported using specific formats like HTML.
A code fix resolved the issue where the database did not support FIPS mode due to a defect.
After you undeploy the Fusion capability and then redeploy Fusion into the same cluster, pods might remain in CrashLoopBackOff or PodInitializing status. The root cause of the issue is that the redeploy causes the system to forget the password for the rethinkdb database. A software change fixed this issue.
A code fix was applied to resolve the issue related to the Insights tab disappearing from the dashboard due to an expired license.
Previously, the stored history of log files from /opt/arcsight/arcmc/userdata/logs/tomcat/ occupied a sizable amount of space. A software fix resolved this issue.
The issue of the pre-upgrade CTH not being displayed in ArcMC after the upgrade has been executed is caused by the loss of information or data during the upgrade process. The upgrade process may have overwritten or altered the data that was stored in the pre-upgrade CTH, causing it to not be displayed in ArcMC. A code fix was applied to resolve the issue.
Information concerning installation that can only be found in the Admin Guide is displayed in the ArcMC Online help. A code fix was applied to resolve the issue.
Prior to a code change, ArcMC could experience backup restoration failures, as described below. A code fix resolved the issue.
ArcMC's backup restoration is crucial for protecting data and configurations. However, if the restore script is executed with the -o option, it may fail. The -o option specifies options during the restoration process, and its incorrect usage can cause the backup to not be properly restored.
Prior to a code change, ArcMC postgres database experienced backup and restore issues, as described below:
The ArcMC postgres database is a critical component for storing and managing data within the ArcSight Management Center system. However, if the database is not automatically registered with the ITOM pg-backup service, it may not be properly backed up and protected. This can lead to potential data loss or corruption in the event of a system failure or other emergency.
A software fix was applied to the following issue:
Logging (especially from the fusion-arcmc-web-app container) is quickly depleting disk space. These logs are in the ArcMC backup directory within the arcsight-volume/ArcMC/backups directory. This increase in size can lead to several problems, such as a lack of storage space, slow backups, and slow restore operations. It can also make it difficult to manage the backup data and identify which backups are essential and which can be deleted.
OCTCR33I174130 – Scheduled Searches No Longer Fail to Export to CSV
OCTCR33I178795 – Fieldsets No Longer Default to Base Event Fields After an Upgrade
OCTCR33I341227 – You May Now Use Search Operators in the Name of a Saved Query or Criteria
OCTCR33I408155 – Backup Failures in S3 While Deleting Obsolete Files From S3 Has Been Resolved
A code change resolved the issue of a user being able to accidentally save a scheduled task after closing the dialog box (and intending to not save the work).
Issue: A software change resolved the occasional problem where the CSV file of an exported scheduled search failed to display any data.
Issue: A code change addressed the problem of the Public Default Fieldset defaulting to Base Event Fields after you upgraded the software.
Issue: A code fix resolved the issue of the Search field returning incorrect search results due to a query not being written explicitly. You no longer have to be as careful about stating the query. For example, the query is more forgiving about the use of spaces.
Issue: A code change now allows you to include a search operator in the name of a saved query or criteria. Search no longer erroneously includes that part of the saved name in the query. For example, if you save a query with the name Users and Devices, Search does not include "and Devices" in the query field. The code now recognizes the difference between "and" as a word and "and" as a search operator.
Issue: Previously, an error occurred (SlowDown) when calling the DeleteObjects operation. Part of the backup operation was clearing obsolete backup files that were older than the backup retention configuration setting. Due to this issue, the cleanup of obsolete files did not complete successfully and some obsolete files remained, resulting in higher than necessary backup storage utilization.
A code change resolved the issue where the user interface did not allow you to rerun custom time range searches that had no changes since the previous run.
The UI no longer prevents triggering searches that do not have any changes since last run.
OCTCR33I427039 – Action History Page Filters Have Multiple Entry With Same Name
OCTCR33I428078 – No Entries Displayed for Failed Enrichment Activities on Cases Timeline
OCTCR33I430016 – Unable to Delete the Column that was Added First to the List
OCTCR33I454142 – WinRM Logoff User Capability Does Not Get Username From Scope
OCTCR33I467084 – Unable to Add File to Case Scope in Automation
OCTCR33I504024 – Large Java Stack Trace is Found When Dispatching Case to a UserGroup
OCTCR33I530023 – SOAR MISP Integration Fetches all the Events For Device Connectivity
OCTCR33I553001 – Username Query is Missing in Parameter Definition
OCTCR33I554081 – Unable to Save Playbooks With Alert Source as the Starting Condition
OCTCR33I555096 – New Notifications are Not Displayed Properly
OCTCR33I569001 – Scope Item Property List – Paging is Broken
In the InetSoft Reports, the links are correctly forwarding to SOAR Case.
SOAR crashes while restarting if protocol name provided for ArcSight Listener Protocol Parameter is wrong
If a wrong protocol name is specified for the ArcSight Listener Protocol, an error message is displayed, but the name gets saved. However, while restarting, the soar-web-app crashes with an error message.
Resolution: A code fix was applied to resolve the issue.
Some action history integrations have same capability names. This results in the same capability name being displayed multiple times. A software fix addressed this issue.
After a failed enrichment, there is no related 'enrichment failed' entry on the activity timeline. The Cases timeline does not show entries for failed enrichment activities. A code fix resolved this issue.
A software fix allows you to delete the column that was added first to the list.
A software fix allows the value for the username to logoff parameter to be selected from the case scope items for the WinRM plugin.
When a file is added as a comment, it is automatically added to case scope. However, it is not possible to add the file in automation. A code fix was applied to resolve the issue.
If you try adding a comment to a Case without adding a file, an error is displayed. A code fix was applied to resolve the issue.
As a result of a code change, the replacement editor now displays when you try to delete a case in open status.
In SOAR, when creating a dispatch rule and assigning an alert to a UserGroup (Salesforce Case ID: 02337357) a large stack trace is noted in the 'soar-web-app' pod. A code fix was applied to resolve the issue.
A code fix resolved the problem of Cisco Firepower's API returning data that is paginated and contains 25 records by default. Now all the records display.
In SOAR, the Country Scope item property for IP addresses is displayed as unknown. A code fix was applied to resolve the issue.
SOAR MISP Integration fetches all events for device connectivity. For the MISP server with lots of events, it takes minutes to complete the test. A code fix was applied to resolve the issue.
The parameter definition for username is missing in the username query. A code fix was applied to resolve the issue. With the changes, a new dropdown is displayed, which enables you to select usernames from the case scope.
A Liquibase Migration Error is displayed because of syntax errors in the tag. A code fix was applied to resolve the issue.
The alert source can now be chosen as a starting condition.
When a new notification arrives, clicking on the notification bell shows just the company logo. A code fix was applied to resolve the issue.
The Scope Item Property List page now displays the actual count of items.
OCTCR33I360046 – Incorrect TH Hostnames Displayed on ArcMC in Cloud
OCTCR33I376076 – Fusion Password with Backslash (\) Can Cause TH Web Services to Crash
OCTCR33I410157 and OCTCR33I561027 – New Parameters Added to Prevent ArcMC-TH Timeout
OCTCR33I491188 – C2AV Processor Failed With Specific Events and Configuration
An issue has been resolved where incorrect Transformation Hub hostnames and CPU/memory values (0) were presented on ArcMC in AWS and Azure in ArcSight suite deployments which include the Intelligence capability.
On the pre-deployment/Reconfigure page for Fusion Single Sign-on Configuration, entering a Fusion password (Client Secret) that includes a backslash character (\) could cause Transformation Hub web services to crash and not restart. This issue has been resolved.
Previously, the ARCMC_CONNECTION_TIMEOUT_MS property value was hardcoded and not configurable, which could cause TH-to-ArcMC communication timeouts.
For more flexibility, the following new environment variables have been defined.
| | | 30000 | The amount of time (milliseconds) before a request to connect to ArcMC is retried due to ArcMC timeout. |
| | | 2 | The number of times that TH retries to connect to ArcMC due to ArcMC timeout. |
Adjust the values of these parameters by creating or editing the file arcsight-env-override.properties under the folder <NFS_root_DIRECTORY>/transformationhub/config in a text editor. Prefix the names of these properties with arcsight.th.web-service. to create an override. Then, restart the Web Services Pod. For more information, see Overriding Application Properties.
The C2AV Stream Processor was failing when processing some specific PowerShell events provided by the customer with the field truncation flag set to true. The failure caused Stream Threads to terminate, ultimately causing the entire C2AV processor to fail and restart.
A code change fixed the issue, and now the stream processing threads are no longer failing when processing the specific problematic events when the truncation flag is enabled.
When routing events between CEF topics, event flow to a destination topic would stop if the route's rule tested a field with the operators "contains", "starts with" or "ends with", and the source topic received an event that had no value for the field. This issue has been resolved and event flow to the destination will not stop.