Arcsight Platform 22.1 Release Notes


Micro Focus Security

ArcSight Platform


Software Version: 22.1

ArcSight Platform Release Notes

Document Release Date: February 2022


Software Release Date: February 2022

Legal Notices
Copyright Notice
© Copyright 2001 - 2022 Micro Focus or one of its affiliates
Confidential computer software. Valid license from Micro Focus required for possession, use or copying. The information
contained herein is subject to change without notice.
The only warranties for Micro Focus products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be
liable for technical or editorial errors or omissions contained herein.
No portion of this product's documentation may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose other than the
purchaser's internal use, without the express written permission of Micro Focus.
Notwithstanding anything to the contrary in your license agreement for Micro Focus ArcSight software, you may reverse
engineer and modify certain open source components of the software in accordance with the license terms for those particular
components. See below for the applicable terms.
U.S. Governmental Rights. For purposes of your license to Micro Focus ArcSight software, “commercial computer software” is
defined at FAR 2.101. If acquired by or on behalf of a civilian agency, the U.S. Government acquires this commercial computer
software and/or commercial computer software documentation and other technical data subject to the terms of the
Agreement as specified in 48 C.F.R. 12.212 (Computer Software) and 12.211 (Technical Data) of the Federal Acquisition
Regulation (“FAR”) and its successors. If acquired by or on behalf of any agency within the Department of Defense (“DOD”), the
U.S. Government acquires this commercial computer software and/or commercial computer software documentation subject
to the terms of the Agreement as specified in 48 C.F.R. 227.7202-3 of the DOD FAR Supplement (“DFARS”) and its successors.
This U.S. Government Rights Section 18.11 is in lieu of, and supersedes, any other FAR, DFARS, or other clause or provision that
addresses government rights in computer software or technical data.
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government
rights, patent policy, and FIPS compliance, see https://www.microfocus.com/about/legal/.

Support
Contact Information
Phone: A list of phone numbers is available on the Technical Support Page: https://softwaresupport.softwaregrp.com/support-contact-information
Support Web Site: https://softwaresupport.softwaregrp.com/
ArcSight Product Documentation: https://www.microfocus.com/documentation/arcsight/


Contents
What's New
ArcSight Database Has Now Become Smarter!
Updates for ArcSight Command Center for Enterprise Security Manager
Updates for ArcSight Intelligence
Non-MSSP Licensing Enhancements
Overall Risk Page Updates
Common ArcSight Masthead
Updates for ArcSight Management Center
Updates for ArcSight Recon
Updates for ArcSight SOAR
Updates for ArcSight Fusion
Widget for Database Storage Utilization
Updates Related to ArcMC
Updates Related to SOAR
Updates for ArcSight Platform Installer
Updates for ArcSight Transformation Hub
Reporting EPS Usage for MSSPs
Backing Up and Restoring Configuration Data for Deployed Capabilities
Technical Requirements
Downloading the ArcSight Platform Installation Files
Understanding the Files to Download
Downloading the Installation Files
Deploying or Upgrading Intelligence and Recon with the Enhanced Database
Upgrading from Intelligence 6.3 or Recon 1.2
Deploying Intelligence or Recon for the First Time in an Upgraded ArcSight Platform Environment
Deploying Intelligence or Recon in a New ArcSight Platform Environment
Licensing Information
Known Issues
Database in 22.1 Release Will Not Support FIPS
ArcSight Post-installation Command Fails with Errors
Deploying Fusion in AWS Environment with a Load Balancer Requires Proxy Host Configuration
Pods Might Not Run During Fusion Reinstall
Installation, Upgrade, or Adding Additional Capabilities Fails Due to Comma Character in On-Premises Docker Container Registry Admin Password
CDF Management Portal Admin Password Change Fails to Update Registry Admin Password
On Multi-master Non-root Install, itom-cdf-keepalived Pod Restarting and Suite Fails to Deploy
After an Upgrade from the Patch Release, Error Returned: "Failed to upgrade. Internal Server Error."
Accessing the CDF Management Portal Reconfigure Page
Contract & Usage Page Throws an Ingress Router Error and Does Not Load
Displays an Erroneous Warning about a Recon License
Backup Failures in S3 While Deleting Obsolete Files
Event Integrity Query for Large Time Range Indicates Insufficient Disk Space (AWS/Azure)
Event Integrity Query Indicates Insufficient Disk Space (AWS/Azure)
Issues Related to Storage Groups
Fails to Change Storage Groups
Issues Related to the Data Quality Dashboard
Data Quality Chart Fails to Update after You Change Time to a Dynamic Value
Data Timeseries Chart Fails to Update after Changing Categories
Specified Sizes for Dashboard Table Cells do not Work in a SaaS Environment
Issues Related to Reports Portal
Reporting Shows an Error When Single Sign On Secrets are Changed (Azure)
Cannot Save Items in the Custom Content Folder
Edit Wizard Preview is Unavailable
My Reports Folder Cannot Be Used for Exporting
After Hours Access Activity on GDPR Systems Summary Report Fails to Run
An Exported Report Might Have Format Issues
Some Exported Tables Show Squeezed Columns
Cannot Remove X/Y Fields from a Graph
Dashboard Wizard Fails to Load all Data
Cannot View Text in a Chart
Reports and Dashboards Use UTC Time Zone
Issues Related to Search
Fieldsets Default to Base Event Fields After an Upgrade
Fieldsets Display Database Names
Scheduled Tasks Do Not Allow Default Printer Selection
Scheduled Tasks Can be Saved Even if the User Closes the Dialog Box
Load Modal Does Not Load Search Criteria When the Fieldset is Deleted
Saved Query or Criteria Can Overwrite the Query in a Saved Results that Has the Same Name
Time Range Loads Incorrectly When Selecting the Default Option “DD/MM/YY hh:mm:ss:ms”
Search Fails to Load All Saved Search Criteria Settings
Scheduled Searches Sometimes Fail to Export to CSV
CSV File Export Fails after You Change the Date and Time Format
Fieldset Fails to Revert to its Original Setting
Cannot Change the Time Range if Your Preferred Time Range is a Static Value
Scheduled Search Appends Erroneous Values to the Run Interval
Search Join Fails when Lookup List has 'User' as a Value
Cannot Change the Start or End Date While a Notification Banner is Present
Cannot Use Search Operators in the Name of a Saved Query or Criteria
Search Query Might Return Incorrect Results if the Query is not Explicitly Stated
Resolved Issues
Post Upgrade fusion-metadata-rethinkdb Pod Might Go Into a Crash Loop
Contacting Micro Focus
Additional Documentation
Send Documentation Feedback

Release Notes for the ArcSight Platform 22.1


Friday, January 27, 2023
ArcSight Platform 22.1 enables you to deploy a combination of security, user, and entity
solutions into a single cluster within the Container Deployment Foundation (CDF) environment.
The core services for this CDF environment, including the Dashboard and user management,
are provided by a common layer called Fusion.
• "What's New"
• "Technical Requirements"
• "Downloading the ArcSight Platform Installation Files"
• "Deploying or Upgrading Intelligence and Recon with the Enhanced Database"
• "Licensing Information"
• "Known Issues"
• "Resolved Issues"
• "Contacting Micro Focus"

This release includes the following versions of the ArcSight Platform primary components:

| Component | Version |
|---|---|
| ArcSight Command Center for Enterprise Security Manager | 7.6.0 |
| ArcSight Fusion | 1.5.0 |
| ArcSight Intelligence | 6.4.0 |
| ArcSight Management Center | 3.0 |
| ArcSight Recon | 1.4.0 |
| ArcSight SOAR | 3.2 |
| ArcSight Transformation Hub | 3.6.0 |
| ArcSight Platform Installer | 22.1 |
| Layered Analytics | 1.2.0 |

The documentation for this product is available on the documentation website in HTML and
PDF formats. If you have suggestions for documentation improvements, click comment or
support on this topic at the bottom of any page in the HTML version of the documentation
posted at the ArcSight Platform Documentation page or the documentation pages for the
included products.

What's New
The following sections outline the key features and functions provided in this release. For more
information about these enhancements, please see the release notes for the specific product
solution.

ArcSight Database Has Now Become Smarter!


This version of the ArcSight Database separates computing from storage to provide an
intelligent and cost-effective way of storing security event data for the long term. Basically,
instead of storing data locally, the database will use a single communal storage location for all
data and metadata. Communal storage is the database's centralized storage location, shared
among the database nodes. Communal storage is based on an object store, such as Amazon's
S3 bucket in the cloud or a storage device for an on-premises deployment. The database relies
on the object store to maintain the durable copy of the data.
Why is this new solution better? When using traditional database storage, the database nodes
in your cluster store all the data for the retention period. Traditionally, as the ingestion rate
and retention period increase, you must increase the number of database nodes. However,
with this new solution, you don't need to add more database nodes as the retention period
grows. Instead, you can increase the size of the communal storage, which is significantly less
expensive to expand than adding database nodes. To expand communal storage, you purchase
additional storage devices without purchasing additional CPU and memory.


The database keeps the primary copy of your data in the communal storage, and the local
cache serves as the secondary copy. This means that adding and removing nodes does not
redistribute the primary copy. This shared storage model enables elasticity, meaning it is both
time and cost effective to adapt the cluster resources to fit the usage pattern of the cluster. If a
node goes down, other nodes are not impacted because of shared storage. Node restarts are
fast and no recovery is needed. Thus, you do not need to keep track of and load/unload long-
term retention event data explicitly. The ArcSight Database can bring them to the cache on
demand automatically then move data out when not in use.
Within communal storage, data is divided into portions called shards. Shards are how the
database divides the data among the nodes. Nodes subscribe to particular shards, with
subscriptions balanced among the nodes. When loading or querying data, each node is
responsible for the data in the shards it subscribes to.

To take advantage of this capability, you must install a new version of the database. You cannot
upgrade from a previous version.

Updates for ArcSight Command Center for Enterprise Security Manager
For information about ESM updates, see the ArcSight Enterprise Security Manager (ESM) 7.6
Release Notes.


Updates for ArcSight Intelligence


This release includes the following updates for Intelligence:
• Non-MSSP Licensing Enhancements
• Overall Risk Page Updates
• Common ArcSight Masthead
For more information on the Intelligence release updates, see the ArcSight Intelligence 6.4
Release Notes.

Non-MSSP Licensing Enhancements


Enhancements have been made to differentiate between human users and machine users. The
existing Non-MSSP license is now measured against the number of human users that
Intelligence runs analytics on. The license information in the Intelligence UI now includes the
number of analyzed human users and the total number of analyzed users (human and
machine), in addition to other license details.

Overall Risk Page Updates


The Overall Risk page no longer exists in the Intelligence UI. Instead, the functionality is part of
the Entity Risk dashboard, which is an out-of-the-box dashboard in the Fusion UI. The Fusion
UI includes the new widgets that make up the Entity Risk dashboard.

Common ArcSight Masthead


The masthead of the Intelligence UI has been updated to align with the ArcSight masthead.

Updates for ArcSight Management Center


ArcSight Management Center (ArcMC) is now part of Fusion. For information on the ArcMC
release updates, see Updates for ArcSight Fusion.

Updates for ArcSight Recon


For information on the Recon 1.4 release updates, see the ArcSight Recon 1.4 Release Notes.


Updates for ArcSight SOAR


SOAR is now part of Fusion. For information on the SOAR release updates, see Updates for
ArcSight Fusion.

Updates for ArcSight Fusion


This release includes the following updates for Fusion:

Widget for Database Storage Utilization


To help SOC managers and IT administrators ensure that disk use does not overload the
database nodes, the Database Storage Utilization widget displays storage utilization data
for up to five database nodes. The ArcSight Database supports use of a third-party storage
location technology, shared among its database nodes on premises or in the cloud. The
widget has been updated to display the storage utilization for the ArcSight Database's new
Communal Storage capability.
For more information, see "Database Storage Utilization" in the ArcSight Platform Help or in
the User's Guide for Fusion 1.5 in the ArcSight Platform.

Updates Related to ArcMC


For information on the ArcMC release updates, see the ArcSight Management Center 3.1
Release Notes.

Updates Related to SOAR


For information on the SOAR release updates, see the ArcSight SOAR 3.2 Release Notes.


Updates for ArcSight Platform Installer


This release includes the following updates for the platform installer:
• Enhanced and simplified cdf-updateRE.sh script
• Installation of rng-tools as a prerequisite for FIPS mode
• Removed static cipher suites from the Suite NGINX configuration
• Log4j hotfix for CDF IDM container
• Autopass log4j fix
• Extended the list of DB properties in install config yaml
• Fixed a bug affecting hostnames that contain uppercase characters
• NFS precheck forcing v4 to be enabled
• SELinux is automatically set to permissive mode for DB nodes
• Improved passwordless communication setup for arcsight-install
• Improved yum precheck message for arcsight-install

Updates for ArcSight Transformation Hub


This release includes the following updates for Transformation Hub:
• Resolved several security vulnerabilities, including log4j.
• Supported third-party platforms have been updated, including RHEL 8.4, JRE 8u312, and
Confluent Platform 6.1.3 (Apache Kafka 2.7.x).
• TLS and FIPS communications are fully supported by platform components.
• Zookeeper now supports TLS, CA, and FIPS.
• Miscellaneous resolved issues described in the Transformation Hub 3.6.0 Closed Issues.
For more information on Transformation Hub release updates, see the Transformation Hub
Release Notes.

Reporting EPS Usage for MSSPs


Micro Focus provides a pay-per-use program for Managed Security Service Providers (MSSPs)
that offers our Partners a more affordable "pay as you go" option instead of a perpetual license
that requires a substantial initial purchase. If you are an MSSP and have a valid pay-per-use
contract with an ArcSight Platform entitlement, you can use ArcSight Fusion to submit monthly
usage reports to ArcSight for invoicing. The pay-per-use program charges are based on
average EPS (events per second) ingested, referred to as usage. Micro Focus bases the
usage fee on a tiered rate. The more usage you have, the less each event costs. You must
configure an SMTP server for emails to work and distribute Fusion usage reports.
In the Platform, you can view daily and monthly average EPS usage and enable the feature to
automatically send reports to Micro Focus. You simply enable the Managed Security Services
Provider (MSSP) feature, create an MSSP profile, and add your pay-per-use contracts.
For more information, see "Managing Your Service Provider Contracts" in the ArcSight Platform
Help or in the User's Guide for Fusion in the ArcSight Platform. For more information about the
Partner Pay Per Use Program, see the Reporting EPS Usage Quick Start Guide.

Backing Up and Restoring Configuration Data for Deployed Capabilities
Certain components deployed on the ArcSight Platform use NFS (or EFS when deployed to
AWS) to store some of their data, such as Fusion credentials, dashboard widgets, and search
preferences. You can configure automatic backups of NFS or EFS as a protection in the event of
data corruption or loss. Backups are carried out at two levels: pod and NFS.
Each pod backs up its own data on an hourly basis, placing the data in a backup staging
directory related to the pod's mount location under /<Server mount path>/arcsight-volume.
This automated backup process ensures that the pod stores a backup of its data in a complete
state. The pod retains a maximum of 24 backups in the staging directory.
You must configure an NFS level backup to store the pod-level backup in a reliable, external
storage system. For the backup, you must configure a scheduled job to back up the backup
staging directory updated by the pod-level backups. The schedule should be less frequent than
the hourly interval for pod-level backups.
For more information, see "Backing Up and Restoring Configuration Data for Deployed
Capabilities" in the Administrator's Guide to ArcSight Platform.

Technical Requirements
For more information about the software and hardware requirements for a successful
deployment, see the Technical Requirements for ArcSight Platform.
These Technical Requirements include guidance for the size of your environment based on
expected workload. Micro Focus recommends the tested platforms listed in this document.


Customers running on platforms not provided in this document or with untested configurations
will be supported until the point Micro Focus determines the root cause is the untested platform
or configuration. According to the standard defect-handling policies, Micro Focus will prioritize
and fix issues we can reproduce on the tested platforms.

Downloading the ArcSight Platform Installation Files


You can download the installation packages for the products in the ArcSight Platform from the
Micro Focus Downloads website. The installation packages include their respective signature
files for validating that the downloaded software is authentic and has not been tampered with
by a third party.
Micro Focus provides several options for deploying products in your environment. For more
information about deploying a product, see the Administrator’s Guide for ArcSight Platform.
• "Understanding the Files to Download"
• "Downloading the Installation Files"

Understanding the Files to Download


Download the installation packages described below. You only need one copy of each file,
regardless of the products that you intend to deploy. For example, the Transformation Hub-
based files are available with the ESM, Intelligence, and Recon software downloads, but you
only need to download the files once. The Transformation Hub file set includes the packages
for the CDF installer, the ArcSight Platform Installer, and the ArcSight database.


To understand the files that you might need for your ArcSight Platform deployment, review the
descriptions in the following table:


| File Type | File Name | Description |
|---|---|---|
| All Deployments - Metadata | arcsight-installer-metadata-22.1.0.37.tar | Contains metadata for deployment of the CDF Management Portal |
| All Deployments - Images | esm-7.6.0.37.tar | Contains the images for deploying ESM Command Center |
| | fusion-1.5.0.37.tar and arcsight-fusion-1.5.0-license.txt | Contains the images for deploying the Fusion capability |
| | intelligence-6.4.0.37.tar and intelligence-6.4.0.37-License.txt | Contains the images for deploying the Intelligence capability |
| | layered-analytics-1.3.0.37.tar | Contains the images for deploying the Layered Analytics capability |
| | recon-1.4.0.37.tar | Contains the images for deploying the Recon capability |
| | transformationhub-3.6.0.37.tar | Contains the images for deploying the Transformation Hub capability |
| All Deployments - Dashboard Widgets | widget-sdk-3.2.5.tgz | (Optional) Provides the Widget Software Development Kit (the Widget SDK) that enables you to build new widgets or modify existing widgets for deployed applications such as ESM and Intelligence |
| On-premises Deployments | arcsight-platform-installer-22.1.0.16.zip | Contains files for installing the infrastructure where you want to deploy capabilities, including the following content: CDF installer; ArcSight Database installer (db-installer_x.x.x.x.tar.gz); configuration files for the ArcSight Installation Tool and its example scripts. You can find this file under Transformation Hub on the Software Downloads page |
| Cloud Deployments | arcsight-platform-cloud-installer-22.1.0.16.zip | Contains the installation files for deploying capabilities to Amazon Web Services and Azure |

Downloading the Installation Files


To download and verify the signature of the downloaded files:
1. Log in to the computer where you want to begin the installation process.
2. Change to the directory where you want to download the installer files.


3. Download all the necessary product installer files from the Micro Focus Downloads
website along with their associated signature files (.sig). Micro Focus provides a digital
public key that is used to verify that the software you downloaded from the Micro Focus
software entitlement site is indeed from Micro Focus and has not been tampered with by a
third party. For more information and instructions on validating the downloaded software,
visit the Micro Focus Code Signing site. If you discover a file does not match its
corresponding signature (.sig), attempt the download again in case there was a file transfer
error. If the problem persists, please contact Micro Focus Customer Support.
4. Begin the installation. For more information, see "Using the ArcSight Platform Installer" in
the Administrator’s Guide for ArcSight Platform.
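
The check in step 3, sketched as an added example that is not part of the original release notes or of any Micro Focus tooling: it pairs every downloaded package with its .sig file and blocks installation if any package is unsigned or fails verification. It assumes each signature is named `<package>.sig`, is a detached signature that GnuPG can check, and that the vendor's public key is already imported; the constructed demo at the end uses a stand-in verifier instead of gpg.

```python
import subprocess
import sys
import tempfile
from pathlib import Path

# Package extensions that appear in the file table on this page.
PACKAGE_SUFFIXES = (".tar", ".tgz", ".zip", ".tar.gz")


def gpg_verify(package, signature):
    """Assumption: detached signature checked with GnuPG, vendor key already imported."""
    result = subprocess.run(
        ["gpg", "--batch", "--verify", str(signature), str(package)],
        capture_output=True,
    )
    return result.returncode == 0


def audit_downloads(directory, verify=gpg_verify):
    """Classify every package in `directory` by the state of its signature."""
    directory = Path(directory)
    report = {
        "verified": [],
        "missing_signature": [],
        "bad_signature": [],
        "orphan_signature": [],
    }
    packages = sorted(
        p for p in directory.iterdir()
        if p.is_file() and p.name.endswith(PACKAGE_SUFFIXES)
    )
    for package in packages:
        # Assumed naming convention: <package file name>.sig
        signature = package.with_name(package.name + ".sig")
        if not signature.is_file():
            report["missing_signature"].append(package.name)
        elif verify(package, signature):
            report["verified"].append(package.name)
        else:
            # Per step 3: download again, then contact support if it persists.
            report["bad_signature"].append(package.name)
    # A signature without its package usually means an incomplete download.
    for signature in sorted(directory.glob("*.sig")):
        if not signature.with_name(signature.name[:-len(".sig")]).is_file():
            report["orphan_signature"].append(signature.name)
    return report


def safe_to_install(report):
    """Proceed to step 4 only if something was verified and nothing failed."""
    return bool(report["verified"]) and not (
        report["missing_signature"] or report["bad_signature"]
    )


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = audit_downloads(sys.argv[1])
    else:
        # Constructed demo: empty placeholder files and a stand-in verifier.
        with tempfile.TemporaryDirectory() as tmp:
            for name in ("esm-7.6.0.37.tar", "esm-7.6.0.37.tar.sig",
                         "recon-1.4.0.37.tar"):
                (Path(tmp) / name).write_bytes(b"constructed")
            result = audit_downloads(tmp, verify=lambda pkg, sig: True)
    for state, names in result.items():
        print(f"{state}: {names}")
    sys.exit(0 if safe_to_install(result) else 1)
```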

Deploying or Upgrading Intelligence and Recon with the Enhanced Database

Because this release significantly changes the ArcSight Database, you cannot upgrade the
database. It must be installed as new. However, this release does allow you to upgrade Recon
and Intelligence in your environment, as well as install either capability for the first time. This
section provides guidance for upgrading or deploying these capabilities:
• "Upgrading from Intelligence 6.3 or Recon 1.2"
• "Deploying Intelligence or Recon for the First Time in an Upgraded ArcSight Platform Environment"
• Deploying Intelligence or Recon in a New ArcSight Platform Environment
• "Deploying or Upgrading Intelligence and Recon with the Enhanced Database"

Upgrading from Intelligence 6.3 or Recon 1.2


Micro Focus does not recommend that ArcSight Intelligence customers attempt to upgrade
without consulting with Micro Focus as upgrading at this time will result in loss of baseline data.
We are aware that this is inconvenient for customers, and we are currently working on
addressing this limitation in a future release.

You can upgrade to this release from Intelligence 6.3 and Recon 1.2. However, you cannot
upgrade the ArcSight Database because this release supports a cost-effective long-term
storage solution that is not available with the previous database version.


For more information about installing this new version of the database, see the following
sections in the Administrator’s Guide for ArcSight Platform provided at the ArcSight
Documentation site:
• For an automated installation in an on-premises environment, see Using the ArcSight Platform Installer
• For a manual installation in an on-premises environment, see Installing the Database
• For an AWS environment, see Installing the Database in AWS
• For an Azure environment, see Installing the Database in Azure

To prevent the current and new databases from ingesting duplicate data, complete the steps
outlined for Stopping Event Ingestion on the current database.

To start data ingestion on the new database after upgrading the ArcSight Platform, continue to
Completing the Database and Kafka Setup.

Deploying Intelligence or Recon for the First Time in an Upgraded ArcSight Platform Environment
If you currently have the previous release of ArcSight Platform, you can deploy this release of
Intelligence and Recon after upgrading ArcSight Platform to 22.1.
Perform the upgrade and installation in the following order:
1. Upgrade the ArcSight Platform.
2. Install the new ArcSight Database.
3. Deploy Intelligence or Recon. For more information, see the Release Notes for
ArcSight Platform 22.1 and the Administrator’s Guide for ArcSight Platform.

Deploying Intelligence or Recon in a New ArcSight Platform Environment
To perform a first-time installation of the ArcSight Platform environment including Intelligence
6.4 or Recon 1.4, see the Administrator’s Guide for ArcSight Platform.


Licensing Information
For information about activating a new license, see Installing Your License Key in the
Administrator’s Guide for ArcSight Platform.

Known Issues
These issues apply to common or several components in your ArcSight Platform deployment. For
more information about issues related to a specific product, please see that product's release
notes.
Micro Focus strives to ensure that our products provide quality solutions for your enterprise
software needs. If you need assistance with any issue, visit Micro Focus Support
(https://www.microfocus.com/support-and-services/), then select the appropriate product
category.
• "Database in 22.1 Release Will Not Support FIPS"
• "ArcSight Post-installation Command Fails with Errors"
• "Deploying Fusion in AWS Environment with a Load Balancer Requires Proxy Host Configuration"
• "Pods Might Not Run During Fusion Reinstall"
• "Installation, Upgrade, or Adding Additional Capabilities Fails Due to Comma Character in On-Premises Docker Container Registry Admin Password"
• "CDF Management Portal Admin Password Change Fails to Update Registry Admin Password"
• "On Multi-master Non-root Install, itom-cdf-keepalived Pod Restarting and Suite Fails to Deploy"
• After Upgrade from Patch, Error Message Returned: Failed to upgrade Internal Server Error
• "Accessing the CDF Management Portal Reconfigure Page"
• "Contract & Usage Page Throws an Ingress Router Error and Does Not Load"
• Displays an Erroneous Warning about a Recon License
• "Backup Failures in S3 While Deleting Obsolete Files"
• "Event Integrity Query for Large Time Range Indicates Insufficient Disk Space (AWS/Azure)"
• "Event Integrity Query Indicates Insufficient Disk Space (AWS/Azure)"
• "Issues Related to Storage Groups"
• "Issues Related to the Data Quality Dashboard"
• "Issues Related to Reports Portal"
• "Issues Related to Search"

Database in 22.1 Release Will Not Support FIPS


Issue: In the initial 22.1.0 release, the database does not support FIPS mode due to a defect. A
fix is already being worked on and will be released soon after 22.1.0. In the meantime, FIPS
mode must be disabled on the database server in order for the database to function properly.
(OCTCR33I409215)
Workaround: There is no workaround.

ArcSight Post-installation Command Fails with Errors


Issue: Pre-installation and installation processes work properly, but post-installation processes
generate errors. This issue is related to ArcSight not supporting FIPS for the Platform 22.1
release. (OCTCR33I342207).
Workaround: There is no workaround.

Deploying Fusion in AWS Environment with a Load Balancer Requires Proxy Host Configuration
Issue: In AWS deployments with Application Load Balancers (ALB), OSP authentication between
Fusion and other ArcSight capabilities might fail. (OCTCR33I164044)
Workaround: Add proxyPort, proxyTls, and proxyDomain information to the Fusion tenant
configuration file tenantcfg.xml on the NFS server, as in the snippet below, where
external-access-host is the ALB’s host name:
arcsight-nfs/arcsight-volume/sso/default/WEB-INF/conf/current/default/tenantcfg.xml

<Tenant
xmlns="uri.osp.xml.config.05.2015"
id="default"
displayName="Hercules Tenant"
>

Database in 22.1 Release Will Not Support FIPS Page 19 of 36


ArcSight Platform Release Notes

    <HTTPInterface
        id="default-http-domain"
        displayName="Hercules HTTP"
        path="/osp"
        port="${HTTP_INTERFACE_PORT:443}"
        tls="${HTTP_INTERFACE_SSL:true}"
        domainName="${HTTP_INTERFACE_DOMAIN}"
        cookieDomain="${HTTP_INTERFACE_DOMAIN}"
        proxyPort="443"
        proxyTls="true"
        proxyDomain="{--external-access-host}"
    />

    <HTTPInterface
        id="default-http-svc"
        displayName="Hercules HTTP"
        path="/osp"
        port="${HTTP_INTERFACE_PORT:443}"
        tls="${HTTP_INTERFACE_SSL:true}"
        ipAddress="${HTTP_INTERFACE_IP}"
        cookieDomain="${HTTP_INTERFACE_IP}"
        proxyPort="443"
        proxyTls="true"
        proxyDomain="{--external-access-host}"
    />
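
One way to check the edited tenantcfg.xml, as an added example that is not part of the original release notes or of the product: the Python script below reports every HTTPInterface that lacks the three proxy attributes, still holds the {--external-access-host} placeholder, or names a host other than the ALB. The function name check_tenantcfg, the sample document, and the host name alb.example.com are assumptions made for illustration; the expected values 443 and true are the ones the snippet above sets.

```python
import sys
import xml.etree.ElementTree as ET

# Namespace declared on <Tenant> in the release-notes snippet.
OSP_NS = "uri.osp.xml.config.05.2015"
# Values the workaround sets on every HTTPInterface.
EXPECTED = {"proxyPort": "443", "proxyTls": "true"}

# Constructed sample: the first interface is complete; the second lacks
# proxyTls and still carries the documentation placeholder in proxyDomain.
SAMPLE = """\
<Tenant xmlns="uri.osp.xml.config.05.2015" id="default" displayName="Hercules Tenant">
  <HTTPInterface id="default-http-domain" displayName="Hercules HTTP" path="/osp"
      port="${HTTP_INTERFACE_PORT:443}" tls="${HTTP_INTERFACE_SSL:true}"
      domainName="${HTTP_INTERFACE_DOMAIN}" cookieDomain="${HTTP_INTERFACE_DOMAIN}"
      proxyPort="443" proxyTls="true" proxyDomain="alb.example.com"/>
  <HTTPInterface id="default-http-svc" displayName="Hercules HTTP" path="/osp"
      port="${HTTP_INTERFACE_PORT:443}" tls="${HTTP_INTERFACE_SSL:true}"
      ipAddress="${HTTP_INTERFACE_IP}" cookieDomain="${HTTP_INTERFACE_IP}"
      proxyPort="443" proxyDomain="{--external-access-host}"/>
</Tenant>
"""


def check_tenantcfg(xml_text, alb_host):
    """Return a list of findings; an empty list means every interface is set."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"tenantcfg.xml is not well-formed: {exc}"]

    # Elements inherit the default namespace, so the tag must be qualified.
    interfaces = root.findall(f".//{{{OSP_NS}}}HTTPInterface")
    if not interfaces:
        return [f"no HTTPInterface element found in namespace {OSP_NS}"]

    findings = []
    for iface in interfaces:
        name = iface.get("id", "<no id>")
        for attr, want in EXPECTED.items():
            got = iface.get(attr)
            if got is None:
                findings.append(f"{name}: missing {attr}")
            elif got != want:
                findings.append(f"{name}: {attr}={got!r}, workaround uses {want!r}")

        domain = iface.get("proxyDomain")
        if domain is None:
            findings.append(f"{name}: missing proxyDomain")
        elif "{--" in domain:
            # The literal from the documentation was pasted without editing.
            findings.append(f"{name}: proxyDomain still holds a placeholder ({domain})")
        elif domain.lower() != alb_host.lower():
            # Host names are case-insensitive; anything else is a mismatch.
            findings.append(f"{name}: proxyDomain={domain!r} does not match {alb_host!r}")
    return findings


if __name__ == "__main__":
    # Usage: python check_tenantcfg.py <path-to-tenantcfg.xml> <alb-host-name>
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text, host = fh.read(), sys.argv[2]
    else:
        text, host = SAMPLE, "alb.example.com"
    problems = check_tenantcfg(text, host)
    for line in problems:
        print("FAIL", line)
    if not problems:
        print("OK: all HTTPInterface elements carry the proxy settings")
```

Both HTTPInterface elements are checked because the snippet sets the proxy attributes on each of them.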

Pods Might Not Run During Fusion Reinstall


Issue: After you undeploy the Fusion capability and then redeploy Fusion into the same cluster,
pods might remain in CrashLoopBackOff or PodInitializing status. The root cause of the issue is
that the redeploy causes the system to forget the password for the rethinkdb database.
(OCTCR33I112042)
Workaround: Delete all of the files in the NFS folder before redeploying Fusion:
arcsight-nfs/arcsight-volume/investigate/search/rethinkdb/hercules-rethinkdb-0. This will cause
the rethinkdb database to be automatically recreated when Fusion is redeployed.

Installation, Upgrade, or Adding Additional Capabilities Fails Due to Comma Character in On-Premises Docker Container Registry Admin Password
Issue: For on-premises deployments, if the Docker container registry-admin password includes
a comma (,) character, the image upload phase fails due to a bug in the container registry. The
registry-admin password is initially set to the same password as the admin user for the CDF
Management Portal during installation. However, later changing the CDF Management Portal
admin password does not change the registry-admin password because it is managed
separately. (INST-2464)
Workaround: Log in to the master node console and use the
/opt/arcsight/kubernetes/scripts/updateLocalRegistryInfo.sh script to change the registry-
admin password to a new one that does not include the restricted comma character.

CDF Management Portal Admin Password Change Fails to Update Registry Admin Password
Issue: For on-premises deployments, the registry-admin password is initially set to the same
password as the admin user for the CDF Management Portal during installation. However, later
changing the CDF Management Portal admin password does not change the registry-admin
password because it is managed separately. The registry-admin password is used during
upgrades and when adding capabilities to an existing cluster during the phase of image upload.
(INST-2464)
Workaround: Log in to the master node console and use the
/opt/arcsight/kubernetes/scripts/updateLocalRegistryInfo.sh script to change the registry-
admin password.

On Multi-master Non-root Install, itom-cdf-keepalived Pod Restarting and Suite Fails to Deploy
Issue: If you install a multi-master cluster with sudo through the arcsight-install tool, all
capability pods are marked as pending, and the itom-cdf-keepalived pod exists only as a single
replica and is crashing. In addition, the kubectl get nodes command returns all of your
worker nodes in a NotReady state. If the sudo installation for multi-master was executed
manually via install.sh, you will notice only that the itom-cdf-keepalived pod has a single
replica and is crashing, even before you try to deploy the capabilities.
Workaround: Use kubectl edit ds/itom-cdf-keepalived -n kube-system to edit the
daemonset definition of cdf-keepalived. Locate the "nodeSelector" section and change its
value (make sure to honor the spacing) to master: "true". Save and exit as in a normal vi session.
Make sure that the command kubectl get ds/itom-cdf-keepalived -n kube-system now returns
a current/desired replica count of 3.

After an Upgrade from the Patch Release, Error Returned: "Failed to upgrade. Internal Server Error."
After upgrading to 22.1 from 21.1, the following error message might, in some cases, be
returned in the final stages of the upgrade: "Failed to Upgrade. Internal Server Error." The
issue can also be detected in logs if some resources are not upgraded. If you encounter this
error, delete the old upgrade pod and then run the following command:

kubectl delete deployment suite-upgrade-pod-arcsight-installer -n `kubectl get namespaces | grep arcsight-installer | awk '{print $1}'`

Then run the upgrade again.

Accessing the CDF Management Portal Reconfigure Page
Issue: At times, you might not be able to access the CDF Management Portal Reconfigure page.
For example, this issue might occur when you are trying to perform an upgrade.
Workaround: Follow these steps:
1. Verify the status of the nginx-ingress-controller DaemonSet:

   NS=$(kubectl get namespaces | awk '/arcsight/{print $1}');kubectl get daemonset nginx-ingress-controller -n $NS

2. Create a new nginx-ingress-controller.yaml file:

   cd ${K8S_HOME};kubectl get daemonset nginx-ingress-controller -n `kubectl get namespaces | grep arcsight-installer | awk '{print $1}'` -o yaml > nginx-ingress-controller.yaml

3. Ensure that the saved nginx-ingress-controller.yaml file exists in the ${K8S_HOME} home
   directory (/opt/arcsight/kubernetes) and contains definitions in YAML format.
4. Delete the current nginx-ingress-controller configuration:

   kubectl delete -f ./nginx-ingress-controller.yaml

5. Apply the new nginx-ingress-controller configuration:

   kubectl apply -f ./nginx-ingress-controller.yaml

6. Wait until the nginx-ingress-controller pods are up and running:

   kubectl get pods -n $NS --watch | grep nginx-ingress-controller

7. Verify the nginx-ingress-controller DaemonSet status:

   kubectl get daemonset nginx-ingress-controller -n $NS

8. To continue to upgrade deployed capabilities, see "Accepting the Certificate" in the
   Administrator’s Guide for ArcSight Platform.

Contract & Usage Page Throws an Ingress Router Error and Does Not Load
Issue: When the user tries to navigate from My Profile to Contract & Usage, the page throws
an ingress router error message as follows and does not load:

The Route You Reach Does not Exist
Please check your router configuration and the path in your address bar

(OCTCR33I372067)
Workaround: Refresh the page to load the Contract & Usage page.

Displays an Erroneous Warning about a Recon License


Issue: In an ArcSight Platform deployment that has Intelligence with an MSSP license, you will
receive the usual notifications that the licenses are about to expire. However, if the MSSP
license expires, the Platform erroneously displays a warning that the Recon license has expired
even though Recon is not deployed. This issue does not occur when Recon is deployed, with or
without the MSSP license. (OCTCR33I378083)
Workaround: There is no workaround for this issue.

Backup Failures in S3 While Deleting Obsolete Files


Issue: Part of the backup operation is clearing obsolete backup files that are older than the
backup retention configuration setting. Due to this issue, the cleanup of obsolete files might
not complete successfully and some obsolete files might remain, resulting in higher than
necessary backup storage utilization. (OCTCR33I408155)
Workaround: A patch will be released to fix this issue so that the cleanup operation reliably
completes. However, if you need to resolve this issue sooner than the patch release, contact
Technical Support to obtain a modified /opt/vertica/bin/vbr.py file that contains a fix
that can be applied immediately. Also, edit the config/backup_restore_cloud_storage_base.ini
file by uncommenting and setting cloud_storage_concurrency_delete = 1.

Event Integrity Query for Large Time Range Indicates Insufficient Disk Space (AWS/Azure)
Issue: If a large time range is selected (e.g., 1/31-2/22), there is an intermittent error of "Other"
when running an Event Integrity query in an Amazon Web Service (AWS) or Azure
environment. There is a related issue for insufficient disk space behavior.
(OCTCR33I414022)
Workaround: We recommend selecting one day for the event integrity check.

Event Integrity Query Indicates Insufficient Disk Space (AWS/Azure)
Issue: There is an intermittent error of "insufficient disk space" when running an Event Integrity
query in an Amazon Web Service (AWS) or Azure environment. There is a related issue for
insufficient disk space. (OCTCR33I411123)
Workaround: See View Event Integrity Check Results to help troubleshoot this issue.

Issues Related to Storage Groups


- "Fails to Change Storage Groups"

Fails to Change Storage Groups


Issue: Sometimes when data ingestion is in progress, the system fails to make your changes to
storage groups because the system cannot lock the affected events table.
(OCTCR33I180085)
Workaround: Stop data ingestion (the scheduler) before applying your changes to storage
groups. Then start data ingestion again.

Issues Related to the Data Quality Dashboard


- "Data Quality Chart Fails to Update after You Change Time to a Dynamic Value"
- "Data Timeseries Chart Fails to Update after Changing Categories"
- "Specified Sizes for Dashboard Table Cells do not Work in a SaaS Environment"

Data Quality Chart Fails to Update after You Change Time to a Dynamic Value
Issue: When you change a time setting for charts in the Data Quality dashboard, the charts
automatically update as soon as you pick the new value. However, if you change the Start Time
or End Time to a dynamic value, the charts fail to update automatically. (HERC-9913)
Workaround: To refresh the charts, click outside the time selection that you just changed. For
example, if you changed the End Time to a dynamic value, click either on a chart or on the Start
Time.

Data Timeseries Chart Fails to Update after Changing Categories
Issue: When viewing the Data Timeseries Chart in the Data Quality dashboard, the stacked area
chart should automatically update as soon as you select an event category, such as Future
Events, Past Events, or Active Events. However, when you select an event category, the stacked
area chart fails to update automatically. (OCTCR33I276138)
Workaround: To refresh the Data Timeseries Chart, clear all the event categories and select
them again in this order: Future Events, Past Events, and Active Events.

Specified Sizes for Dashboard Table Cells do not Work in a SaaS Environment
Issue: On your dashboard, when you manually change a table cell size, the window that opens
does not show the values you entered in the fields, and the table cells cannot be resized. (This
issue only affects SaaS environments.) (OCTCR33I339016)
Workaround: Even though the values are not visible, you can still modify them inside the fields
and use them as intended. One way to do this is to use the shortcut Ctrl + A to select values in
the field and then copy or replace them, as needed.

Issues Related to Reports Portal


- "Reporting Shows an Error When Single Sign On Secrets are Changed (Azure)"
- "Cannot Save Items in the Custom Content Folder"
- "Edit Wizard Preview is Unavailable"
- "My Reports Folder Cannot Be Used for Exporting"
- "After Hours Access Activity on GDPR Systems Summary Report Fails to Run"
- "An Exported Report Might Have Format Issues"
- "Some Exported Tables Show Squeezed Columns"
- "Cannot Remove X/Y Fields from a Graph"
- "Dashboard Wizard Fails to Load all Data"
- "Cannot View Text in a Chart"
- "Reports and Dashboards Use UTC Time Zone"

Reporting Shows an Error When Single Sign On Secrets are Changed (Azure)
Issue: Reporting runs into an OpenID or HTTP 500 error when single sign-on secrets are
changed. The reporting app can take a few minutes to fully start, so this error does not happen
right after applying the change. (OCTCR33I409268)

Cannot Save Items in the Custom Content Folder


Issue: After creating an asset, report or dashboard, an error displays when you try to save it to
the Custom Content folder. (OCTCR33I188143)
Workaround: Contact Support for help with this issue.

Edit Wizard Preview is Unavailable


Issue: When you edit an asset using the Edit Wizard option, you cannot preview the report or
dashboard. (OCTCR33I134098)
Workaround: To preview your changes, select the metadata option from the Edit Wizard.

My Reports Folder Cannot Be Used for Exporting


Issue: You cannot export content from the My Reports folder. (OCTCR33I186200)
Workaround: Contact Support for help with this issue.

After Hours Access Activity on GDPR Systems Summary Report Fails to Run
Issue: When you specify a long time range for the After Hours Access Activity on GDPR Systems
Summary report, the report fails to run. (OCTCR33I186011)
Workaround: You must remove the Day of the Week variable. Complete the following steps:
1. Right-click the report.
2. Select Edit Table.
3. Right-click the dayOfWeek variable.
4. Select Remove.

An Exported Report Might Have Format Issues


Issue: When using the Export Asset feature, the formatting for the reports might have issues
such as dark backgrounds, dark fonts, and dark table cells. (OCTCR33I186007)
Workaround: You can change the formatting manually for the exported report.

Some Exported Tables Show Squeezed Columns


Issue: Some dashboard tables display squeezed columns when they are exported using
specific formats such as HTML. (OCTCR33I349068)
Workaround: There is no workaround.

Cannot Remove X/Y Fields from a Graph


Issue: In the chart editor, when you remove an X or Y field, the Reports Portal displays an error
message. This issue occurs intermittently. (OCTCR33I162021)
Workaround: When this issue occurs, try again or avoid removing fields from the Axis.

Dashboard Wizard Fails to Load all Data


Issue: If you create a dashboard using the Dashboard Wizard, when the chart is not loading,
there is data that cannot be selected at the same time. This issue occurs intermittently.
(OCTCR33I161014)
Workaround: When this issue occurs, try again or avoid removing fields from the Axis.

Cannot View Text in a Chart


Issue: If you select the Multiple Styles checkbox, the whole area of chart selection displays
white with text in the middle that cannot be read. (OCTCR33I141023)
Workaround: To read the text, highlight the text inside the white space.

Reports and Dashboards Use UTC Time Zone


Issue: The start and end times for your reports and dashboards use UTC time instead of your
local time zone. (OCTCR33I331194)
Workaround: There is no workaround for this issue.

Issues Related to Search


- "Fieldsets Default to Base Event Fields After an Upgrade"
- "Fieldsets Display Database Names"
- "Scheduled Tasks Do Not Allow Default Printer Selection"
- "Scheduled Tasks Can be Saved Even if the User Closes the Dialog Box"
- "Load Modal Does Not Load Search Criteria When the Fieldset is Deleted"
- "Saved Query or Criteria Can Overwrite the Query in a Saved Results that Has the Same Name"
- "Time Range Loads Incorrectly When Selecting the Default Option “DD/MM/YY hh:mm:ss:ms”"
- "Search Fails to Load All Saved Search Criteria Settings"
- "Scheduled Searches Sometimes Fail to Export to CSV"
- "CSV File Export Fails after You Change the Date and Time Format"
- "Fieldset Fails to Revert to its Original Setting"
- "Cannot Change the Time Range if Your Preferred Time Range is a Static Value"
- "Scheduled Search Appends Erroneous Values to the Run Interval"
- "Search Join Fails when Lookup List has 'User' as a Value"
- "Cannot Change the Start or End Date While a Notification Banner is Present"
- "Cannot Use Search Operators in the Name of a Saved Query or Criteria"
- "Search Query Might Return Incorrect Results if the Query is not Explicitly Stated"

Fieldsets Default to Base Event Fields After an Upgrade


Issue: After upgrading to this release, the Public Default Fieldset defaults to Base Event Fields.
(OCTCR33I178795)
Workaround: In User Preferences, specify the fieldset that you want and set it as default again.

Fieldsets Display Database Names


Issue: When you create a fieldset, Search displays the coding-style name for the fields instead
of the human-readable names that you see when creating a search query. For example, in a
query you can enter or select Agent Address. However, in the fieldsets selection, this same
field appears as agent AddressBin.
This issue also occurs when you’re adding queries to a report. (OCTCR33I181059)

Workaround: To identify the coding-style names, see “Mapping Database Names to their
Appropriate Search Fields” in the Help or the User Guide for ArcSight Recon.

Scheduled Tasks Do Not Allow Default Printer Selection


Issue: The default printer field is a textbox that allows any value instead of being a list of valid
entries. (OCTCR33I71158)
Workaround: There is no workaround.

Scheduled Tasks Can be Saved Even if the User Closes the Dialog Box
Issue: When you click the Close button during the scheduler task creation process, the modal
dialog box closes, but the task is still being saved. (OCTCR33I167004)
Workaround: If you do not intend to save the task in the scheduler table, select the task and
manually delete it.

Load Modal Does Not Load Search Criteria When the Fieldset is Deleted
Issue: Search criteria does not load under the circumstances described below.
(OCTCR33I369029)
1. The customer creates his or her own fieldset.
2. The customer creates a search criteria and assigns his or her custom fieldset to it.
3. The customer deletes the fieldset that was just created.
4. The search criteria fieldset returns to the one set in the user preferences.
5. The customer tries to load the Search Criteria from the Feature Table, but it will not load
and displays a red "Failed to load search list" error message.
Workaround: Load the search criteria from the Load modal dialog box in the main search page.

Saved Query or Criteria Can Overwrite the Query in a Saved Results that Has the Same Name
Issue: If you save a Query or Criteria and use the same name as a previously saved search
Results, the system overwrites the query in that saved search results rather than saving a new
Query or Criteria with the specified name. For example, you execute a search and save the
results as Checking Log4J Vulnerabilities. If you create and save a new search Query or
Criteria with that same name, you have changed the query in the saved Results. The next time
that you run Checking Log4J Vulnerabilities, Search will use the newly saved query
instead of your original query. (OCTCR33I369158)
Workaround: Before saving a new Query or Criteria, review the existing saved Results to ensure
that you do not use the same name.

Time Range Loads Incorrectly When Selecting the Default Option “DD/MM/YY hh:mm:ss:ms”
Issue: When the user sets DD/MM/YY hh:mm:ss:ms in user preferences and loads a search
criteria, the time range is reported incorrectly. (OCTCR33I411211)
Workaround: Manually change the time range that was set in the search criteria.

Search Fails to Load All Saved Search Criteria Settings


Issue: If you load a saved search Criteria from the Search page, the system fails to load the
saved fieldset or time range. (OCTCR33I385042) and (OCTCR33I174130)
Workaround: Load the saved Criteria from the Saved Search Criteria page:
1. Select Search > Criteria.
2. Click the box next to the search criteria that you want to load.
3. Click Load.

Scheduled Searches Sometimes Fail to Export to CSV


Issue: On occasion, when you export a completed run of a scheduled search, the CSV file fails
to display any data. (OCTCR33I174130)
Workaround: If this issue occurs, view the results of the run. Then, from the Events table,
export the data to a CSV file.

CSV File Export Fails after You Change the Date and Time Format
Issue: After you modify the date and time format in preferences, the CSV export function fails
for saved searches that were run before the preference change. (OCTCR33I113040)
Workaround: Run the scheduled search again, then save it. Select the CSV icon to download
the file.

Fieldset Fails to Revert to its Original Setting


Issue: If you change the fieldset after running a search, then leave the Search web page or
navigate to a different feature, Search fails to revert the fieldset to the original setting. For
example, you choose the Base Event Fields fieldset and run the search, then change the fieldset
to All Fields. Next you navigate to the Saved Searches page. When you return to the Search
page, the fieldset is still All Fields rather than reverting to Base Event Fields as it should.
(HERC-9865)
Workaround: To revert the fieldset to its original setting, press F5 while viewing the Search.

Cannot Change the Time Range if Your Preferred Time Range is a Static Value
Issue: In User Preferences, if your preferred Default Time Setting is Static, you cannot use the
date picker to quickly change the time range for a search. (OCTCR33I174128)
Workaround: In a Search, manually enter the date and time values. Alternatively, change your
preferred Default Time Setting to a Dynamic or Preset value. For more information about
configuring your user preferences, see the Help or User's Guide for Fusion 1.5 in the ArcSight
Platform.

Scheduled Search Appends Erroneous Values to the Run Interval
Issue: When creating a scheduled search, if you select Every 2 hours in the Pattern section, the
search runs every two hours at every even hour, such as 0, 2, 4, 6, and so on, and appends the
minutes setting from the Starting From value. The system ignores the hour setting in Starting From.
(OCTCR33I179782)

For example, you might select Every 2 hours and choose Starting From at 01:15 am. Search
will run every 2 hours at 2:15 am, 4:15 am, 6:15 am, and so on.
Workaround: To run the Search at a selected hour and minutes, specify a specific hour for the
Starting From setting.

Search Join Fails when Lookup List has 'User' as a Value


Issue: Search displays an error and fails to apply a join if an associated lookup list includes the
word “user” for a data value. (HERC-8283)
Workaround: Contact Support for help with this issue.

Cannot Change the Start or End Date While a Notification Banner is Present
Issue: If the application currently displays a notification banner, Search fails to accept a change
to the Start time or End time for a custom date range. (OCTCR33I379056)
Workaround: Clear the notifications, then change the date range.

Cannot Use Search Operators in the Name of a Saved Query or Criteria
Issue: If you include a search operator in the name of a saved query or criteria, Search includes
that part of the saved name in the query. For example, you save a query with the name Users
and Devices. When you load that query, Search adds "and Devices" to the query field. This
occurs because "and" is also a search operator. (OCTCR33I341227)
Workaround: Avoid the following terms in the name of a saved search query or criteria:

Term to Avoid    Workaround
&                No workaround
|                No workaround
and              Use without spaces before or after the term. For example: UsersAndDevices
or               Use without spaces before or after the term. For example: UsersORdevices

Search Query Might Return Incorrect Results if the Query is not Explicitly Stated
Issue: The Search field should return the correct results from a search. If you do not get the
results you expect, you might need to restate the query. For example, if your query is written
with spaces, only the first word is shown in the results. (OCTCR33I324035)
Workaround: State the query using explicit phrasing without any spaces.

Resolved Issues
These issues apply to common or several components in your ArcSight Platform deployment. For
more information about issues related to a specific product, please see that product's release
notes.

Post Upgrade fusion-metadata-rethinkdb Pod Might Go Into a Crash Loop
Issue: This release resolved an issue where the fusion-metadata-rethinkdb pod would go into a
crash loop. When this occurred, Kubernetes created two instances of the pod, allowing one to
run and deleting the other. This caused one pod to hold the mount location and the other to
fail. (OCTCR33I408147)
Resolution: A code fix was applied to resolve the issue.

Contacting Micro Focus


For specific product issues, contact Micro Focus Support.
Additional technical information or advice is available from several sources:
- Product documentation, Knowledge Base articles, and videos.
- The Micro Focus Community pages.

Additional Documentation
The ArcSight Platform documentation library includes the following resources.

- Administrator's Guide for ArcSight Platform, which contains installation, user, and
  deployment guidance for the ArcSight software products and components that you deploy
  in the containerized platform.
- Technical Requirements for ArcSight Platform, which provides information about the
  hardware and software requirements and tuning guidelines for the ArcSight Platform and
  the deployed capabilities.
- User’s Guide for Fusion 1.5 in the ArcSight Platform, which is embedded in the product to
  provide both context-sensitive Help and conceptual information.
- Product Support Lifecycle Policy, which provides information on product support policies.

Send Documentation Feedback
If you have comments about this document, you can contact the documentation team by
email. If an email client is configured on this computer, click the link above and an email
window opens with the following information in the subject line:
Feedback on ArcSight Platform Release Notes (ArcSight Platform 22.1)
Just add your feedback to the email and click send.
If no email client is available, copy the information above to a new message in a web mail
client, and send your feedback to Documentation-Feedback@microfocus.com.
We appreciate your feedback!
