NetWitness Platform Known Issues

The following article contains a summary of the NetWitness® Platform Known Issues. To see the full list, go to Attachments on this article and download the associated PDF.

Summary of the NetWitness® Platform Known Issues

This is a summary of known issues for the NetWitness® Platform. The issues are categorized by component but may only apply to a specific version of NetWitness®. Please review the attached PDF to see which version each issue applies to, as well as more detail and potential workarounds.

This document was last updated March 20, 2026.

Context Hub

  • Custom Feeds may fail after a restore during S6 to S7 migration due to incomplete file restoration. This results in recurring feeds stopping and inability to edit or push feeds.

Endpoint

  • Agent installation time may be less than command creation time during upgrades, causing errors even if the upgrade succeeds.
  • Offline standalone scan cannot run on air-gapped Linux machines; scan progress errors occur.
  • Incorrect tag count display: tags are assigned but counts are not shown correctly.
  • All blocked hashes show "Investigate" as the source after upgrade, and import hashes cannot be deleted via UI.
  • Event summary for agent last seen is displayed as N/A for offline agents in the events list view.

Home Page Widgets

  • Multiple confirmation modals appear when deleting or resetting widgets in Edit Layout mode due to UI cancel state not clearing.
  • Hosts/Devices widget fails to update host status due to cache refresh issues.
  • MITRE ATT&CK Overview widget displays a "Widget Data Retrieve Error" after fresh installation.
  • Resource Usage per Content Type widget shows unhandled exception errors when switching to offline devices.
  • Widgets display an extra day on usage trend graphs due to UTC time zone mismatch.
  • Default layout is not displayed automatically after reset.
  • Service Unavailable Error may appear on widgets even if the service is running.

User/Entity Behavior Analytics (UEBA)

  • Incorrect display of the None Feedback option in the Alerts > Filters panel: it shows as Missing Translation “investigateUsers.feedback.none” for locale “en-us”.
  • High volume of Non-Standard Activity alerts after upgrade due to new models needing time to learn user behavior.
  • Presidio configserver issues: Users have encountered a persistent issue with the presidio configserver while upgrading the NetWitness UEBA server from older versions to 12.5. This is due to UEBA utilizing a new service called UEBA-server.
  • Unable to add a large number of entities to the watchlist due to payload size limits on the Users > Entities page.
  • Node.js vulnerabilities are reported for the UEBA service; however, the platform is not affected by these vulnerabilities.
  • Red banner errors on Users page after upgrade due to communication delay.
  • Airflow scheduler warning: Scheduler task not running, may delay DAGs.
  • Root DAG unresponsive when receiving high volume of events, leading to failures and memory errors.
  • Data collected in older versions not displayed in Adapter dashboard after upgrade due to application name change.
  • Version is displayed incorrectly in the Services page in the Admin area.

Admin Server

  • AD and AD SSO login failures for users whose primary AD group is mapped to a NetWitness external group.
  • Logs not written to /var/log/messages after upgrade.
  • SSO logout errors on legacy UI pages when Enable Global Logout is disabled.
  • Custom feeds deployment errors when one or more decoders are offline.

Core

  • raidNew fails when using preferSecure=1 with SEDs on Series 7 appliances.

Platform

  • /decoder/devices/message=prune failure during DPDK migration.
  • Edge case: Host fails to boot OS with EL8 Kernel 4.x after migration.
  • SHA1 deprecated for SSH: Security scans flag SHA1 algorithm enabled on core services.
  • Secure UEFI boot causes leapp alma migration to fail.
  • Bubblewrap and Flatpak security update: CVE-2024-42472 reported in Bubblewrap and Flatpak is not installed.
  • Logback and Spring Warning Message is displayed while upgrading to 12.5.2.0.

Warehouse Connector

  • Incorrect Service Version number displayed for Warehouse Connector in 12.5 as it shows 12.4 instead.

Log Collector

  • JDBC pipeline name and encrypted password added under Logstash->Keystore management after service restart.

Respond

  • Default Respond Syslog and Email Template sends "UPDATED" instead of "CREATED" for new incidents.
  • Service Unavailable Error when trying to create/schedule incident reports from Respond tab.

Reporting Engine

  • Reporting Engine down after fresh installation as service restarts continuously due to corrupted database files.
  • Duplicate report emails generated after failback from standby to primary NW server.
  • Report generation fails on Investigate > Events page due to mismatched service names.
  • Generic error for duplicate report names in Investigate > Events page.
  • Generic error when data source not configured in Reporting Engine.
  • Incorrect date ranges in Adhoc reports when using future dates.

Centralized Content Management (CCM)

  • Duplicate Application/Network Rules added to policy after service migration.
  • Policy publication failure due to duplicate application rules after re-migration.
  • Log Devices not disabled when content deletion is performed from CCM.
  • Application rules assigned incorrect order numbers during service content migration.
  • No control on content update when importing Custom Log Device with multiple flavors.
  • ESA Deployments inaccessible due to stale/invalid entries in source server mongo.
  • Content Migration Failing for Logdevice contents due to invalid syntax in custom log device XML.

ESA Correlation Server

  • Java Exceptions for Memory/CPU usage in legacy page and computation values set to 0 in Deployment stats page.
  • Enable/Disable of rules in Endpoint Risk Scoring bundle applies to all deployments; config acts globally.
  • InMemoryTable Adhoc Enrichment windows not uploaded with data; CSV not read to named window.

Source Server

  • Service crashes after upgrade if custom LogDevices do not adhere to format.
  • Unable to load Content Library after upgrade due to inability to resolve cms.netwitness.com.

Decoder

  • Database stagger operation takes too long, resulting in UI timeout.

Investigate

  • Timeline-Chart: Selecting first/last bar does not show correct event count.
  • Enter key in Advanced Query mode executes query instead of selecting suggestion.
  • Unable to load saved query in Advanced Query Bar mode.
  • Unable to execute query when service updated to Decoder/Log decoder in Advanced Query Bar mode.
  • Most recent query not populated when creating new saved query in Advanced Query mode.

HealthWellness, Metric Server, Security

  • RabbitMQ warning messages: HTTP access denied for guest user; error appears every 5 minutes.

Ember UI Home Page

  • Home Page blank when selected as default landing page in user preferences.

Response Action

  • Duplicate keys can be entered in Parameter Key field when creating Response Actions.

Attachments:
NetWitness Platform Known Issues.pdf