New-Scale Security Operations Platform Release Notes

Known Issues

The New-Scale Security Operations Platform includes the following known issues.

Attack Surface Insights

There are no known issues in Attack Surface Insights.

Automation Management

ID

Description

ENG-71726

When you select an action in an advanced playbook, the action details become unresponsive and fail to load. To resolve this issue:

  1. Edit the action and make a minor change in the code editor; for example, add a space.

  2. Deploy the action.

  3. Reopen the advanced playbook and ensure the action loads correctly.

Cloud Collectors

There are no known issues in Cloud Collectors.

Context Management

There are no known issues in Context Management.

Correlation Rules

ID

Description

CRB-2368

If you enter a description containing multiple lines, Case Manager incidents created using Correlation Rules may contain \n escape sequences in the incident description because \n represents "end of line".

CRB-2767

If a sequence detects the absence of a specific field value and you use the Group by Field functionality on that field, the correlation rule incorrectly triggers on the absence of grouped fields for which the sequence doesn't query.

For example, if you use the Group by Field functionality on the host field, and the sequence queries for host:"2.2.2.2", the rule triggers on the absence of host:"2.2.2.2" but also on the absence of host:"1.1.1.1" and host:"3.3.3.3".

Dashboards

ID

Description

NGR-2560

When dashboards are exported or imported, the size and position of the visualization tiles are not maintained.

NGR-595

Filters applying the "is in the last" operator to the Approx Log Time field yield inaccurate results when the time unit is equal to or greater than hours.

As a workaround to this issue, express time lengths in seconds or minutes.

Log Sources

There are no known issues for Log Sources.

Log Stream

There are no known issues in Log Stream.

New-Scale Platform

There are no known issues in New-Scale Platform.

Outcomes Navigator

ID

Description

NGCM-309

Outcomes Navigator doesn't properly calculate coverage for Advanced Analytics rules whose rule expressions include session-end or sequence-end events. Affected Advanced Analytics rules include:

  • A-AL-DhU-count

  • A-DNS-ABSum-A

  • A-DNS-AQCount-A

  • A-DNS-AQNXCount-A

  • A-DNS-OBSum-A

  • A-DNS-OQNXCount-A

  • A-DNS-ZBSum-A

  • A-EPA-UP-CENUM

  • A-EPA-UP-HENUM

  • A-FLDh-Count-A

  • A-FLDz-Count-A

  • A-FLSh-Count-A

  • A-HBytes-Failed-Outbound

  • A-HBytes-Failed-Outbound-IOT

  • A-HBytes-Outbound

  • A-HBytes-Outbound-IOT

  • AL-GHcount

  • AL-OHcount

  • AL-UHcount

  • AL-UHcount-L

  • AL-UHcount-M

  • AL-UHcount-S

  • A-NETFLOW-dZBytes-Inbound

  • A-NETFLOW-sH22Bytes-Outbound

  • A-NETFLOW-sH23Bytes-Outbound

  • A-NETFLOW-sH25Bytes-Outbound

  • A-NETFLOW-sH443Bytes-Outbound

  • A-NETFLOW-sH53Bytes-Outbound

  • A-NETFLOW-sH80Bytes-Outbound

  • A-NETFLOW-sHFTPBytes-Outbound

  • A-NEW-ASSET

  • A-NEW-ASSET-src

  • APP-UAgC-F

  • APP-UFL-COUNT

  • APP-UOb-Number

  • A-SEQ-UH-16-L

  • A-SEQ-UH-16-M

  • A-SEQ-UH-16-S

  • AS-PV-GSize-A

  • AS-PV-OSize-A

  • AS-PV-PCWoL

  • AS-PV-USCOUNT-A

  • AS-PV-USize-A

  • AUTH-F-COUNT

  • A-WEB-Count-A

  • A-WEB-DLP-A

  • A-WEB-GETBytes-In

  • AWS-DistinctRoleAssumptionsCount-User-A

  • AWS-PermEnumCount-User-A

  • A-ZBytes-Outbound

  • A-ZBytes-Outbound-IOT

  • B-CS-Bucket-Bytes-A

  • DB-FL-COUNT

  • DB-OPCOUNT

  • DB-OPCOUNT-NEW

  • DB-OPCOUNT-TOTAL

  • DB-URSum

  • DB-URSum-New

  • DC08d-new

  • DC14g-new

  • DC17d

  • DC17e

  • DC17f

  • DC17j

  • DC17j-new

  • DC17k

  • DC17l

  • DLP-BSum

  • DLP-GPCOUNT

  • DLP-UPCOUNT

  • DS-Count

  • DS-GCount

  • DS-UCount

  • EM-BSum

  • EM-BSum-in

  • EM-BSum-personal

  • EM-DNum

  • EM-FNum

  • EM-FNum-in

  • EM-FNum-personal

  • EM-InB-Perm-A

  • EPA-GSequenceSize-PS

  • EPA-HI-COUNT

  • EPA-OSequenceSize-PS

  • EPA-UP-CENUM

  • EPA-UP-HENUM

  • EPA-USequenceSize-PS

  • EPA-USequenceSize-WC

  • FA-GDBytes-A

  • FA-ODBytes-A

  • FA-UDBytes-A

  • FA-UFCOUNT

  • FA-UFCOUNT-DELETE

  • FA-UH-DELETE

  • FA-UR-A

  • FA-URCOUNT-A

  • FA-UWCOUNT-A

  • FDS-Count

  • FDS-GCount

  • FDS-UCount

  • GCP-DistinctOperationCount-User-A

  • GCP-StorageGetCount-User-A

  • GCP-StorageListCount-User-A

  • GCP-UnauthorizedOperationCount-User-A

  • KL-GSnCOUNT-A

  • KL-USnCOUNT-A

  • MFA-Failure-Count-A

  • PA-COUNT

  • PA-NoIT

  • Powershell-Advanced-F

  • Powershell-Invoke-Count

  • Powershell-Web-A

  • PR-BSum

  • PR-NPSum

  • RA-GHcount

  • RA-OHcount

  • RA-UHcount

  • RA-UHcount-L

  • RA-UHcount-M

  • RA-UHcount-S

  • SA-US-AA

  • SA-US-AU

  • SEQ-UH-16

  • SEQ-UH-16-L

  • SEQ-UH-16-M

  • SEQ-UH-16-S

  • SEQ-UH-17

  • SEQ-UH-18

  • SERVICE-ACCOUNT

  • UW-BSum

  • UW-FNum

  • VPN-BSum

  • WEB-GBytes-A-FS

  • WEB-GBytes-A-JS

  • WEB-GBytesSum-EWD

  • WEB-GSequenceSize-JS

  • WEB-OBytes-A-FS

  • WEB-OBytesSum-EWD

  • WEB-OSequenceSize-JS

  • WEB-RCCount

  • WEB-UBlock

  • WEB-UBytes-A-JS

  • WEB-UBytesSum-EWD

  • WEB-UBytesSum-In-FS

  • WEB-UBytesSum-In-FS-PU

  • WEB-UBytesSum-Out-FS

  • WEB-UDLP-A

  • WEB-UDLP-A-FS

  • WEB-UDLP-A-JS

  • WEB-UGETDLP-A

  • WEB-URank-DLP

  • WEB-USequenceSize

  • WEB-USequenceSize-Denied

  • WEB-USequenceSize-JS

  • WPA-UACount

Search

ID

Description

ENG-75846

When using Exabeam Query Language (EQL) in advanced search mode, usage of a NOT operator without an accompanying OR or AND operator does not result in an error, despite this syntax being invalid and not officially supported.

For example, although the following EQL syntax is invalid, it is unintentionally successful: subject:"app" NOT vendor:"Exabeam"

When this issue is resolved, searches that use this invalid syntax will stop working. Therefore, it is highly recommended to always use the explicit operators: AND NOT or OR NOT.
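
An added example (not Exabeam code): a small Python check that finds saved queries relying on the bare NOT described above, so they can be rewritten with AND NOT or OR NOT before the behavior changes. The tokenizer is an assumption, not the EQL grammar: it treats double-quoted values as opaque, recognizes only uppercase AND, OR and NOT as operators, and does not flag a NOT that starts a query or a group. The msg field and the sample queries are constructed.

```python
import re

# Assumed tokenizer (not the real EQL grammar): a double-quoted value is one
# opaque token, parentheses stand alone, anything else is a run of non-space text.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[()]|[^\s()"]+')

# A NOT directly after one of these is not the bare form described on this page.
# None means "start of query"; a leading NOT is left alone (assumption).
_NOT_AN_OPERAND = {None, "AND", "OR", "NOT", "("}


def find_bare_not(query):
    """Return character offsets of NOT operators that directly follow an operand."""
    hits, prev = [], None
    for match in _TOKEN.finditer(query):
        token = match.group(0)
        if token == "NOT" and prev not in _NOT_AN_OPERAND:
            hits.append(match.start())
        prev = token
    return hits


def audit(saved_queries):
    """Map each query name to its bare-NOT offsets, omitting clean queries."""
    return {
        name: hits
        for name, query in saved_queries.items()
        if (hits := find_bare_not(query))
    }


# Constructed sample of saved searches; only the first string comes from the page.
SAVED = {
    "page-example": 'subject:"app" NOT vendor:"Exabeam"',
    "explicit-and": 'subject:"app" AND NOT vendor:"Exabeam"',
    "explicit-or": 'subject:"app" OR NOT vendor:"Exabeam"',
    "quoted-word": 'msg:"DO NOT OPEN" AND vendor:"Exabeam"',
    "grouped": '(subject:"app" OR subject:"web") NOT vendor:"Exabeam"',
}

if __name__ == "__main__":
    for name, offsets in audit(SAVED).items():
        query = SAVED[name]
        for off in offsets:
            # Point at the NOT that needs an explicit AND or OR in front of it.
            print(f"{name}: bare NOT at offset {off}\n  {query}\n  {' ' * off}^^^")
```

The check only reports locations; whether AND NOT or OR NOT is the right replacement depends on what the search was meant to return.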

NGS-4325

Occasionally, when using advanced query language operators in Search to generate results in the Table view, the generated table is displayed with a misalignment. The header row is displayed to the left of the column data. This issue appears to be intermittent and has not been reliably reproduced for analysis and resolution.

If you encounter this table misalignment issue, and can provide consistent steps to reproduce it, please contact your Exabeam account manager.

NGS-3376

Some users are experiencing the interface freezing and becoming unresponsive if they have their “Rows per view” setting set to 100.

NGS-3137

When testing a long search query in the Correlation Rules Builder, the Search service does not load as expected, and a message is displayed: URI too large. This issue occurs because of a URI character limit in web browsers. As a workaround, copy the search query from the Correlation Rules Builder and paste it into the Search service manually to run the search.

NGS-1104

When using Safari, the field summary initial event count is inconsistent.

Service Health and Consumption

ID

Description

CC-1350

Legacy cloud collector names are incorrectly displaying as unknown and unspecified on consumption details charts.

N/A

Service Health and Consumption dashboards are only available at this time for customers with Exabeam Security Operations Portfolio Licenses.

Site Collectors

Issue ID

Description

NGSCL-1517

Site Collector installation fails on RHEL 9, without a clear warning, because of a lack of network support for the more secure TLS v1.3 ciphers.

NGSCL-1558

A Site Collector instance occasionally produces an uninstallation failed error and shows the status as Uninstalling.

NGSCL-2447

The search filters on the Site Collectors Overview page are case sensitive. Currently, search results are not displayed unless the keywords you enter match the case of the collector instance name.

NGSCL-2569

When you edit a Site Collector instance, the Timezone field in Advanced Settings displays, after initial configuration, the first city name of the time zone (such as UTC/PST) instead of the exact city name that you selected.

NGSCL-3674

While upgrading a Site Collector instance to its latest version, the Windows Event Log agent collector pulls duplicate logs when historic log fetch is enabled.

NGSCL-3961

After upgrading a Site Collector instance from version 1.x to 2.x, the server-side collectors Splunk, Oracle, MySQL, MSSQL, QRadar, and EStreamer start to fetch historical data based on an old start fetch timestamp.

Workaround – If you are using Site Collector version 1.x with the server-side collectors installed and want to upgrade to version 2.x, ensure that you update the Start Fetch Date for the Splunk collector and the Iterator column initial value for the Oracle, MSSQL, and MySQL collectors to the current time or to the value based on the iterator you defined. Alternatively, you can choose to wait to upgrade the Site Collector instance from version 1.x to 2.x until this issue is fixed.

Threat Center

There are no known issues in Threat Center.

Threat Detection Management

There are no known issues in Threat Detection Management.