Release Notes

RSA enVision Event Explorer 4.0.2


August 25, 2010

Introduction
This document lists what is new and changed in RSA enVision Event Explorer 4.0.2. It includes workarounds for known
issues. Read this document before installing the software. This document contains the following sections:
• What's New in This Release
• Product Documentation
• Fixed Issues
• Known Issues
• Getting Support and Service
These Release Notes may be updated. The most current version can be found on RSA SecurCare Online at
https://knowledge.rsasecurity.com.

What's New in This Release


Important: RSA enVision Event Explorer 4.0.2 is supported only on a client running Microsoft Windows XP, Windows 7
64-bit, Windows Server 2008 64-bit (R1 or R2), or Macintosh OS X 10.4.6. It is compatible only with
RSA enVision 4.0 Service Pack 3 or later.

This section describes the major changes introduced in this release. For detailed information on each change, see the
Event Explorer Help.
Redesign of interface. RSA enVision Event Explorer 4.0.2 features a major redesign of the former Task Triage
interface and functionality. Now called Incident Management mode, this feature provides the entry point to the incident
(task) handling process performed by a security analyst. Incident Management mode supports the operations that an
analyst needs to perform during an incident investigation, such as triaging and assigning incidents and viewing the
events that triggered an alert.

Application modes. The new incident management features and the existing event trace and trace view features have
been separated into two distinct application modes, Incident Management mode and Event Trace Library mode.

Incident Management. Incident Management includes the following new features:
• Queries. You use incident queries to define the parameters for which you want to retrieve incidents created by
the RSA enVision NIC Alerter Service. You view and manage your queries in the Queries panel.
• Incident List. You view and manage the incidents retrieved by an incident query in the Incident List panel. You
can customize which information about incidents to display in the Incident List. You can perform actions on
incidents by using the toolbar buttons.
• Incident Details. You use the Incident Details panel to display the raw or parsed events that triggered an alert,
display and add attachments, display incident properties, and display the incident history.

August 2010
RSA enVision Event Explorer 4.0.2 Release Notes

Product Documentation
The following documentation is included in the RSA enVision Event Explorer 4.0.2 downloadable package:
• RSA enVision Event Explorer 4.0.2 Installation Guide
• RSA enVision Event Explorer 4.0.2 Installation Guide for Mac OS X (Intel)
• RSA enVision Event Explorer 4.0.2 Help

Note: The complete RSA enVision documentation set is available on RSA SecurCare Online. Click Products >
RSA enVision > Product Documentation.

Fixed Issues
This section lists the issues that have been fixed in this release.

Tracking Number: 32315
Description: Difficulties displaying pie chart content.
Resolution: Pie chart presentation has been improved, especially when displaying multiple pie charts in a
single Trace View.

Tracking Number: 32316
Description: After you use Event Explorer for a prolonged period of time, UI objects may fail to draw because the
program runs out of graphic objects.
Resolution: Graphic object management has been improved so that the program no longer runs out of graphic
objects.

Known Issues
This section describes known issues in this release and, where possible, provides workarounds.

Found in 4.0.2
The following issues were found during the development of RSA enVision Event Explorer 4.0.2.

In the Events tab of the Incident Details panel, the Check for Asset Details menu command is unavailable.
Tracking Number: 33662
Problem: In the Events tab of the Incident Details panel, when you right-click a cell that has an associated asset, the
Check for Asset Details menu command is not available.
Workaround: Create a new event trace, and for the IP addresses listed in the event payload, select the corresponding
event sources. You can then open a standard table trace view and display asset details through the right-click menu
command.

When you use Add Comment from the context menu in the Incident List, the comment does not appear
immediately in the incident history.
Tracking Number: 33861
Problem: If you right-click an incident in the Incident List, select Add Comment, add a new comment, and click OK,
the comment is saved but does not immediately appear in the incident history. If you select another incident and then
reselect the first incident, the comment appears. The comment also appears if you perform another action on the
incident, such as changing the priority.
Workaround: Use the Add Comment field in the Incident Details panel instead.

Macintosh only: You must click twice on an incident in the Incident List for the details to appear in the Incident
Details panel.
Tracking Number: 34061
Problem: If you click an incident in the Incident List, the details are slow to appear in the Incident Details panel.
Workaround: Click twice on an incident in the Incident List to display the details in the Incident Details panel.

Read/unread status not accurate across enVision appliances.
Tracking Number: 34103
Problem: Event Explorer uses the incident ID to track which incidents you have read, and incident IDs are unique to
the enVision appliance. If you log on to one enVision appliance and retrieve incidents and then log on to a second
enVision appliance and retrieve incidents with the same IDs, the incidents read on the first appliance are displayed as
read on the second appliance even though the incidents may not be the same.
Workaround: None.

Macintosh only: Event trace options are not available or are not showing properly.
Tracking Number: 34378
Problem: When you right-click the tree nodes in the Event Trace panel, the correct menu commands do not always
appear. This problem only occurs on Macintosh systems.
Workaround: First select the tree node, and then right-click to display the correct menu commands.

Changing the user filter for the Owner field on the New Query or Query Properties window clears your
selection.
Tracking Number: 34441
Problem: When you create a new query or modify a custom incident query and change the user filter type, your owner
selection is cleared. On the Query Properties window, even though no owner is selected, you can click OK, and you
receive an error message.
Workaround: Ensure that you select an incident owner before you click OK.

Macintosh only: The Since field in the New Query Wizard can only be updated through the calendar control.
Tracking Number: 34495
Problem: On the Incident Details page of the New Query Wizard, if you manually enter a value in the Since field, the
value is not saved when you finish the query, and the time frame reverts back to the previous value. The problem only
occurs on Macintosh systems.
Workaround: Use the calendar control to select the value for the Since time frame.

Incident counts do not update immediately when an incident moves from one query to another query.
Tracking Number: 34752
Problem: When you update an incident and it moves from one query into another query, the incident count for both
queries may not immediately update.
Workaround: Select the query to which the incident moved to update the query count.

Date Added column for incident attachments may incorrectly show the incident creation date.
Tracking Number: 34813
Problem: When you add an attachment to an incident, the date displayed on the Attachments tab in the Date Added
column is sometimes the incident creation date, not the date that you added the attachment.
Workaround: View the correct date in the History tab.

Macintosh only: May encounter problem when opening the Help in Safari.
Tracking Number: 34976
Problem: The Help may not open in some versions of Safari. The browser window may start to open and then
immediately close. This problem only occurs on Macintosh systems.
Workaround: Verify that you are running the latest version of Safari or change your default browser to Mozilla Firefox.

If trace views do not refresh properly after an event trace is left running overnight, the event trace must be
restarted.
Tracking Number: 34985
Problem: If you leave an event trace running overnight, any associated trace views may not refresh properly after
midnight (local time).
Workaround: Restart the event trace in the morning.

Custom query owner selection is cleared if you switch enVision appliances.
Tracking Number: 35132
Problem: If you create a custom query and then log on to a different enVision appliance, any owners that do not exist
on the new appliance are cleared and the query is saved. When you log back on to the appliance on which the query
was created, the cleared owners remain cleared.
Workaround: Each time you switch appliances, edit your custom queries to ensure that they contain the correct owner
selections.

Event Explorer may run out of memory.
Tracking Number: 35177
Problem: Depending on how you are using Event Explorer, the application may run out of memory. You may receive
an out of memory error message, the application may hang, or you may see unpredictable results. You can verify that
the problem is a memory issue by checking the log files. The common reasons for running out of memory are:
1. Retrieving too much data from an event trace into memory. For example, if you create multiple event traces
that each retrieve 500 MB of data and then you open trace views that display all the data, you can quickly use
up more than a gigabyte of memory.
2. Having too many unique event source types. For each event source type, Event Explorer must build up a
cache, in memory, of associated event sources and messages.
3. Retrieving incidents for too many custom queries that retrieve the maximum 25,000 incidents. Even if you
cancel incident retrieval for a query, the incidents that have been retrieved are stored in memory for a brief
period before being discarded.
Workaround: Restart Event Explorer. Preventative steps that can be taken to avoid out of memory issues in the future
are:
1. Close unused trace views or clear the event buffer for unused event traces.
2. The NIC_ALL device group grants users access to all event source types. Unless necessary, remove the
NIC_ALL device group for each user and instead use device group filtering to minimize the number of event
source types that each Event Explorer user retrieves upon logon. For more information, see the enVision Help
topic “Device Group Filters.”
3. Only run the queries from which you currently need to retrieve incidents, and avoid frequently cancelling
incident retrieval. After you have run a query, you must restart Event Explorer to clear the retrieved data.

Installation Guides and Help are missing note that trace view layout is reset upon upgrade to 4.0.2.
Tracking Number: 35219
Problem: The Installation Guides and the Help should include the following note: “When you upgrade from either
RSA enVision Event Explorer 4.0 or 4.0.1 to 4.0.2, your trace view layout is reset. If you currently have trace views
arranged into a dashboard layout, you must recreate your layout after you have installed RSA enVision Event Explorer
4.0.2.”
Workaround: None.

Event Explorer can become unresponsive when retrieving a significant amount of historical data into an event
trace.
Tracking Number: 35272
Problem: When you start an event trace with a large event buffer capacity and display the data in a trace view, Event
Explorer can become unresponsive. This situation can occur because the trace view refresh rate conflicts with the rate
at which the data is being added to the event trace. The problem usually occurs when you are retrieving historical data
from multiple event sources and rarely occurs when you are retrieving data either in real time or from a single event
source.
Workaround: Before you start the event trace, on the Trace Views page of the Event Trace Wizard, set the Refresh
the above trace views every setting to a value greater than one minute or select Do Not Refresh. If you select Do
Not Refresh, you must double-click the trace view to manually refresh it.

Files that you attach to an incident must be under 10 MB and have a proper filename.
Tracking Number: 35276, 35278
Problem: Files that you attach to an incident must be under 10 MB and must have a proper filename and extension. If
you attempt to attach a file that does not meet these requirements, you may receive an error or see unpredictable
behavior in the application.
Workaround: Avoid attaching files that do not meet these requirements.

Cancelling initial incident retrieval from a predefined query after logging on to Event Explorer clears all
incidents from your predefined queries.
Tracking Number: 35287
Problem: After logging on to Event Explorer, if you run any predefined query and then cancel the incident retrieval,
your predefined queries are cleared, and you cannot run any of them.
Workaround: Avoid cancelling your initial incident retrieval after opening Event Explorer. If you must cancel the
retrieval, you can perform one of the following workarounds so that you can run your predefined queries again:
• If you have a custom query already created, select the custom query, and then select one of your predefined
queries. If you do not have a custom query created, create a new custom query, and then select one of your
predefined queries.
• Restart Event Explorer, and wait for the retrieval to complete. If you want this retrieval to complete faster, you
can change your default time frame in the Preferences window so that you retrieve fewer incidents.

Found in 4.0.1
The following issues were found during the development of RSA enVision Event Explorer 4.0.1.

Panning and zooming functions do not have set limits.
Tracking Number: 31424
Problem: The panning and zooming functions do not have set limits. If you zoom or pan too many times you can hang
the application.
Workaround: Only zoom and pan as much as you need to work with the data displayed.

Pie chart label text can fall outside of the background box.
Tracking Number: 31506
Problem: Depending on your screen resolution and the size of your Event Explorer window, pie chart label text can
spill outside of its background box.
Workaround: None.

Area chart does not display a triangle when the X-axis variable only has a single value.
Tracking Number: 31526
Problem: When you select an X-axis variable that only has a single value, the area triangle is not displayed on the
chart.
Workaround: None.

Y-axis does not rescale after the largest area of a stacked area chart is hidden.
Tracking Number: 31527
Problem: When you hide the largest area of a stacked area chart, the Y-axis does not rescale.
Workaround: None.

When using the datastore data model, selecting either ‘count’ or ‘group’ for the Y-axis function in the standard
chart editor, or entering ‘count’ or ‘group’ without double quotes in an advanced chart SQL statement, causes
a SQL error.
Tracking Number: 31834
Problem: When using the datastore data model, if you select either the ‘count’ or ‘group’ column from the Y-axis
function drop-down list in the standard chart editor, you will receive a SQL error because ‘count’ and ‘group’ are also
SQL keywords. Likewise, if you use the datastore ‘count’ or ‘group’ column in an advanced chart SQL statement and do
not enclose them in double quotes, you will receive a SQL error.
Workaround: When using the datastore data model, avoid using the ‘count’ or ‘group’ column names when using a
standard chart. If those column names are needed, create an advanced chart, and enclose the ‘count’ or ‘group’
column name with double quotes. For example, SELECT "Count" FROM Stream.

Getting Support and Service

RSA SecurCare Online: https://knowledge.rsasecurity.com
Customer Support Information: www.rsa.com/support
RSA Secured Partner Solutions Directory: www.rsasecured.com

Copyright © 1996-2010 EMC Corporation. All Rights Reserved.

Trademarks
RSA, the RSA logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States
and/or other countries. All other trademarks herein are the property of their respective owners. For a list of RSA
trademarks, go to www.rsa.com/legal/trademarks_list.pdf
