Fortinet black logo

Whats New in 6.3.0

Whats New in 6.3.0

This document describes the additions for the FortiSIEM 6.3.0 release.

New Features

Customizable GUI Login Banner

FortiSIEM administrators can now define a login banner page that GUI users will view, after entering their credentials. This page displays the last successful login time, changes to the user’s account since their last successful login, along with an administrator defined message. This message is typically used to warn against unauthorized system access. A default message is provided, but users with full admin privileges can change the message, create a new message, or completely disable this banner. This system setting applies for all users.

For details on how to set up and customize a login banner, located at ADMIN > Settings > System > UI, see Administrator UI Settings.

Notes:

  • This is a system wide screen for all users.

  • Some simple BBCode tags are allowed in this message input - “b” - bold, “i” - italic, “u” - underline, and “url”.

  • HTML tags are not allowed.

  • Nested tags are not allowed.

UTC and ISO8601 Formatted Dates

Earlier releases displayed dates (e.g. in the INCIDENTS page) in local time format. In this release, two other time format options are added – UTC and ISO 8601. This is a per-user setting and the chosen time format is honored in the GUI for that user as well as for report exports, and scheduled reports done by that user and Incident email notification.

For details on how to set up date display format, located at User Profile > UI Settings, see User Profile UI Settings.

Ability to Tags Incidents and Search Incidents by Tag

This release allows you to define Tags and then associate one or more Tags to Rules. Incidents triggered by that rule will have the associated Tags attribute as an Incident attribute. You can display Tags from the INCIDENTS page and search/filter Incidents by Tags. For MSSP deployments, Tags are globally defined for all Organizations.

For details on how to define tags, see Tags.

For details on how to set tags in rules, see Creating a Rule: Step 3: Define Actions.

For details on how to display tags in INCIDENTS, see Acting on Incidents on how to add the Tags column to the INCIDENTS page.

For details on how to search Incidents by tags, see Searching Incidents. From the Actions drop-down list, click Search. Use the Incident Tag filter in the same panel to locate tags.

Report Export in RTF Format

In earlier releases, reports could be exported in PDF and CSV formats. This release adds Rich Text Format (RTF) format that can be viewed using Microsoft Word.

For setting RTF format for adhoc reports, see Email Results, Exporting Report Results, and Exporting Results.

For setting RTF format for scheduled reports, see Scheduling a Report and Scheduling CMDB Reports.

For more information on creating a report template, which can be sent in RTF format, see Designing a Report Template.

Trend Chart for Hourly/Daily/weekly Aggregates

In earlier releases, the granularity of time axis in trend charts was chosen automatically by the system. Therefore, user cannot have hourly, daily and weekly values plotted in Report Trend Charts. This release allows users this option. Because daily, weekly queries can take a long time to run, this works best in pre-computed queries and in dashboards where results are computed inline mode.

In ANALYTICS, you can choose the trend option as part of Filter conditions. See Specifying a Trend Interval.

In DASHBOARD, you can select Line chart as the display type, and then choose a trend option as part of a Widget Dashboard. See Modifying Widget Display Information.

Trend Attributes can be added to scheduled reports, report bundles and through a real-time search.

Email Encryption via S/MIME

This release allows you to send encrypted emails from FortiSIEM using S/MIME. Examples of emails send from FortiSIEM includes Incident notification emails, Scheduled Report emails, Adhoc Query Result email, etc...

To first set up S/MIME, see Email Settings.

After the S/MIME configuration, add the S/MIME certificate for a new user or to an existing one at CMDB > Users.

Load Balancing Inserts across Multiple Elasticsearch Coordinator Nodes

This release enables you to add multiple Elasticsearch Coordinator nodes in GUI. Then phDataManager process on each Worker will load balance event inserts across multiple Elasticsearch Coordinator nodes. This design allows faster parallel inserts and also protects against Coordinator node failures.

The Coordinator nodes can be configured in the URL field for Native Elasticsearch configuration.

Watchlist Management API

This release allows you to view, add, edit Watchlist folders and entries (RESOURCES > Watchlist). See Watchlist Integration in the API Integration Guide.

JSON Incident API

This release allows you to integrate incidents from FortiSIEM with a JSON REST API. This is used for the ServiceNow SecOps integration. See JSON API Incident Integration in the API Integration Guide.

FortiSIEM Collector as Management Extension Application (MEA) on FortiAnalyzer

You can now run a FortiSIEM Collector as a management extension application (MEA) image on FortiAnalyzer 7.0.1 or higher. This alleviates the need for a separate FortiSIEM Collector node (Virtual machine or appliance), when you already have a FortiAnalyzer deployed, and it has sufficiently spare CPU, Memory and Disk available to run a FortiSIEM Collector.

A FortiSIEM MEA Collector functionally works the same way as a regular virtual machine based FortiSIEM Collector or a hardware appliance 500F, but the set up and upgrade processes are slightly different.

For general setup, troubleshooting, event collection, discovery and performance monitoring using a FortiSIEM MEA Collector, see the FortiSIEM MEA Collector Administration Guide in FortiAnalyzer 7.0 docs. The FortiSIEM MEA Administration Guide also covers upgrade issues and general differences between a FortiSIEM MEA Collector and a virtual machine/hardware appliance Collector.

Note: To collect FortiSIEM Windows or Linux Agent logs via FortiSIEM MEA Collector, you need to run Windows Agent 4.1.2 or higher and Linux Agent 6.3.0 or higher.

Key Enhancements

Infrastructure Upgrade

This release upgrades the underlying CentOS version to 8.4.

Elasticsearch 7.12.1 Support

This release extends native Elasticsearch event database support to 7.12.1.

MITRE ATT&CK Framework Update to V0.9

This release imports the MITRE ATT&CK Techniques and Tactics as found in V9 released on April 29, 2021.

Authentication for Kafka based Event Forwarding

FortiSIEM allows events to be forwarded via Kafka. This release adds the ability for FortiSIEM to authenticate to the Kafka receiver.

To set up Kafka authentication, see step 9 under Kafka Settings.

Report Design Template Enhancements

This release covers the following Report Design enhancements

  • A Rich Text editor so that user does not have to type in raw HTML text in Text Area in Report Design.

  • Allow user to insert a Page Break

  • Make the Cover page and Table of Contents optional

For details see Designing a Report Template.

Selective Role based Raw Message Obfuscation

FortiSIEM user roles allows per-user obfuscation of certain event attributes like Source IP, Host IP, User etc. In earlier releases, if one event attribute was obfuscated, then the entire raw message was not shown to that user. This restriction is removed in this release. As an example, this means that if a user role has obfuscated User name, then that user can see the entire raw message except the specific user name in the message.

For configuration information, see Adding a New Role.

Shared Dashboard Ownership Transfer

FortiSIEM allows dashboards to be shared between the creator (owner) and several other users. However, in earlier releases, when the shared dashboard owner was not available, no one else could modify the shared dashboard. This release allows the shared dashboard owner to transfer ownership to another user with exactly the same role. Then that person becomes the new owner and can edit the dashboard.

For details on how to change ownership, see Dashboard Ownership.

Custom Elasticsearch Mapping Template

FortiSIEM uses an Event Attribute Mapping Template file to map each of the 3,000+ FortiSIEM Event Attributes to Elasticsearch data types. This explicit mapping is done to conserve Elasticsearch event storage.

Our research (using the Elasticsearch Rally Tool) has shown that Elasticsearch performance can be improved by choosing a smaller Event Attribute Template file relevant to events seen in the customer's environment. This release allows customers to use the right Event Attribute Template file for their environment and improve Elasticsearch performance.

A tool is provided that customers can use to create an Event Attribute Template file based on last N (configurable) days of data in Elasticsearch. Details can be found in Administrator Tools.

The user can import this custom Event Attribute Template file from the Supervisor GUI and click Test and Save to deploy to Elasticsearch. Details can be found in Configuring a Native, AWS, or Cloud Elasticsearch database.

Note: If a new log appears and has new event attributes not present in the Event Attribute Template file, then Elasticsearch will auto-detect the type. If you wish to change the type, you will need to run the tool again and upload the new Event Attribute Custom Template. The custom Event Attribute template will take effect for the new index.

This release has been tested in native Elasticsearch 7.8, 7.12.1, AWS Elasticsearch 7.8, and Elastic Cloud 6.8.

Elasticsearch to EventDB Archive Performance Improvement

For high EPS situations, FortiSIEM recommends the Real time Archive option, because reading events from Elasticsearch and copying to EventDB on NFS is an expensive operation that can slow down real time event ingestion. However, if you require the non-real time archiving option, this release optimizes the code to reduce pressure on Elasticsearch and archive faster. No user configuration is required.

Optimize PostgreSQL Incident Query

Incidents can span multiple partitions and SQL queries to multiple partitions, which can be expensive. This release optimizes such queries by only going over the minimum necessary partitions. Users will see less disk IOPS for CMDB partition and faster GUI response times.

New Device Support

Device Support Extensions

Bug Fixes and Minor Enhancements

Bug ID

Severity

Module

Description

719210

Major

App Server

Choosing Malware IOC (IP/Domain/URL/Hash) when there are many Malware IOC groups, would result in a sluggish GUI. A full download is recommended for faster FortiSIEM processing. Do not choose incremental download when the website does not provide incremental download.

718253

Major

App Server

Any customer defined rule cannot be approved for deployment in the TASKS > Approval page

650020

Major

GUI

If a user navigated to RESOURCES > Reports > Baseline, selected a Reporting EPS Profile and clicked Run, the visualization would not appear, and showed a "stuck" loading indicator. A workaround was to navigate to ANALYTICS, go to the folder option, navigate to Reports > Baseline, select a Reporting EPS Profile and click Run.

715377

Minor

App Server

If a primary contact admin user was saved with an incorrect organization, the ADMIN > License > General and Usage pages would not display any data.

711680

Minor

App Server

On a 6.2.0 upgraded FortiSIEM, if an ANALYTICS query result spanned many pages (over 199), then later pages might not show any results.

705642

Minor

App Server

If a SAML response did not carry the signature and X509 Certificates attributes, the AppServer would throw a NullPointerException.

685195

Minor

App Server

Occasionally, after a few weeks or months, the STM job would automatically change from HTTP type to TCP.

719795

Minor

Data

The Source IP was incorrectly set for Windows Security Event ID 4624 event.

719331

Minor

Data

The FortiGateParser set Event Action as 0(permit) even when Firewall action=block in event logs; it should be 1.

Note: The keyword "blocked" was handled correctly.

717349

Minor

Data

The Zscaler parser was not correctly handling events with quotes in the URL.

715951

Minor

Data

The Checkpoint parser created spurious CMDB devices due to incorrect parsing of origin field.

713156

Minor

Data

Office365 Authentication events incorrectly parsed "Authentication success" when "UserKey" is "Not Available" and "Actor" is "Unknown".

712384

Minor

Data

Windows Security Event 4728 had the incorrect target User field.

712153

Minor

Data

The FortiClient EMS parser sometimes failed when there was no clientfeature field.

709663

Minor

Data

The Nginx parser would not work when a log contained a negative GMT time value.

709182

Minor

Data

Occasionally, the Windows Log parser would not parse the correct Destination Host Name.

708681

Minor

Data

Maldives is incorrectly in RESOURCES > Country Groups > Europe instead of RESOURCES > Country Groups > Asia.

708638

Minor

Data

The Cisco ASA parser and Cisco FWSM parser had incorrect mapping of the Destination and Source IP/Ports.

706898

Minor

Data

Windows Security log parsing enhanced to include Kerberos Cipher name.

697112

Minor

Data

The Palo Alto Firewall parser showed the "flowEndReason" attribute value as 0.

694642

Minor

Data

Uruguay was incorrectly included in the Europe Country Group instead of the South America Country Group.

694259

Minor

Data

The FortiAuthenticator logs forwarded through FortiAnalyzer provided the incorrect Reporting Device IP.

692909

Minor

Data

For WatchGuard Firebox firewall, HTTPS certificate attributes were not parsed.

645187

Minor

Data

Country name mismatches caused rules to trigger.

715304

Minor

Data

The Palo Alto Firewall log parser did not work for global protect system logs.

685952

Minor

Data

The Palo Alto parser enhanced to handle additional log types, including multiple WildFire events.

716961

Minor

Data

The FortiAuthenticator Failed Login was parsed as Successful Login.

724187

Minor

Data

SQL Injection Attack detected by NIPS rule logic corrected to match rule description.

724187

Minor

Data

Palo Alto event type PAN-IDP-31914 categorization corrected to match trigger behavior. Event type PAN-IDP-55873 added.

718372

Minor

GUI

When creating a new report under Org, a "unknown Error" warning would pop up after saving.

717183

Minor

GUI

With a large number of CMDB users defined in FortiSIEM, in the CASES tab, the New and Edit operations would sometimes timeout.

712019

Minor

GUI

The auto-load feature would re-load at 4 am every day, even when an active query was running.

698621

Minor

GUI

In Report Schedule, multiple email addresses could not be added.

689328

Minor

GUI

In the Interface Usage Dashboard, user changes to the Application Usage chart were not saved.

681160

Minor

GUI

From the CMDB page, installed software could not be detected when discovered.

677375

Minor

GUI

When saving or copying into a parser window, the ">" and "< "characters were getting encoded and translated.

668386

Minor

GUI

In MSSP mode, if the user was in CMDB, the device group could not be changed.

688542

Minor

Log Collection

Azure Audit logs only pulled from one subscription, even when multiple subscriptions were configured.

719190

Minor

Parser

The Cisco ASA built/teardown parsing was sometimes sluggish when matching connection ids.

707125

Minor

Performance Monitoring

The VMware cluster level CPU and memory utilization calculations were not accurate.

714176

Minor

Performance Monitoring

In CMDB > Device > Monitor, the Last Successful attribute was not reset properly, causing flapping between Normal and Warning.

700690

Minor

Performance Monitoring

HTTPS based STM did not work correctly when different IPs in different STMs were mapped to the same host name.

694596

Minor

Performance Monitoring

FortiSIEM could not monitor a metric via SNMP when there were more than two alternative OIDS for that metric and another method like SSH was simultaneously used to monitor other metrics.

712602

Minor

Query

Query failed if there were parentheses in the nested query with attributes like "Destination TCP/UDP Port".

684647

Minor

Query

In ANALYTICS search, a filter on TCP flag would make the query work incorrectly.

682137

Minor

System

The /etc/hosts file needed to be preserved across upgrades.

690781

Enhancement

App Server

When an incident is cleared in FortiSIEM, it is now cleared on ConnectWise.

712012

Enhancement

Data

Geo-IP database updated to handle more IPs.

705478

Enhancement

Data

FortiSandbox parser now extracts virusid and attack name in a better way to parse malware name attribute.

705471

Enhancement

Data

FortiMail parser now extracts virus attribute.

705468

Enhancement

Data

FortiClient parser now maps threat to malware name attribute.

702603

Enhancement

Data

Extend Windows Security log parser now supports Sysmon v13.

692796

Enhancement

Data

UnixParser extended to parse SFTP Open file, SFTP Close file, and internal-sftp logs.

689608

Enhancement

Data

Meraki Firewall parser enhanced to include Flow Start and Flow End events.

684254

Enhancement

Data

Extreme switch logs parser enhanced.

682424

Enhancement

Data

Parsing improved for Windows Event ID 5145.

680432

Enhancement

Data

Cisco Callmanager and Cisco IMP servers parsers enhanced to handle more event types.

668492

Enhancement

Data

Windows log parser for French Language Windows enhanced. Note: Enhancement primarily for security log 4728.

725618

Enhancement

Data

Parsing enhanced to handle Cisco Nexus AUTHPRIV syslog messages.

704115

Enhancement

Data

The Palo Alto parser extended to parse global protect system logs.

684897

Enhancement

Data

The rule "Traffic to FortiGuard Malware IP List" is now able to trigger on valid non-firewall logs.

696237

Enhancement

GUI

Port number under External Authentication can now be changed.

705100

Enhancement

Log Collection

Windows BitDefender REST API now allows different regions to be selected. Note: Originally, it defaulted hostname to the US.

703881

Enhancement

Rule Engine

PH_REPORT_PACK_FAILED log (that indicates event dropped during packing from Worker to Supervisor) now includes groupby and aggregate attributes.

712034

Enhancement

System

pHEventExport and TestESSplitter backend tools updated to run in FortiSIEM 6.x.

Known Issues

Shutting Down Hardware

On hardware appliances running FortiSIEM 6.6.0 or earlier, FortiSIEM execute shutdown CLI does not work correctly. Please use the Linux shutdown command instead.

Remediation Steps for CVE-2021-44228

Three FortiSIEM modules (SVNLite, phFortiInsightAI and 3rd party ThreatConnect SDK) use Apache log4j version 2.14, 2.13 and 2.8 respectively for logging purposes, and hence are vulnerable to the recently discovered Remote Code Execution vulnerability (CVE-2021-44228).

These instructions specify the steps needed to mitigate this vulnerability without upgrading Apache log4j to the latest stable version 2.16 or higher. Actions need to be taken on the Supervisor and Worker nodes only.

On Supervisor Node

  1. Logon via SSH as root.

  2. Mitigating SVNLite module:

    1. Run the script fix-svnlite-log4j2.sh (here). It will restart SVNlite module with Dlog4j2.formatMsgNoLookups=true option and print the success/failed status.

  3. Mitigating 3rd party ThreatConnect SDK module:

    1. Delete these log4j jar files under /opt/glassfish/domains/domain1/applications/phoenix/lib

      1. log4j-core-2.8.2.jar

      2. log4j-api-2.8.2.jar

      3. log4j-slf4j-impl-2.6.1.jar

  4. Mitigating phFortiInsightAI module:

    1. Delete these log4j jar files under /opt/fortiinsight-ai/lib/

      1. log4j-core-2.13.0.jar

      2. log4j-api-2.13.0.jar

  5. Restart all Java Processes by running: “killall -9 java”

On Worker Node

  1. Logon via SSH as root.

  2. Mitigating phFortiInsightAI module:

    1. Delete these log4j jar files under /opt/fortiinsight-ai/lib/

      1. log4j-core-2.13.0.jar

      2. log4j-api-2.13.0.jar

  3. Restart all Java Processes by running: “killall -9 java”

Slow Event Database Operations Using Azure Managed NFS File Share Service

If you are running a FortiSIEM 6.3.0 Cluster in Microsoft Azure Cloud using Azure Managed NFS File Share Service, then FortiSIEM will not work correctly. Symptoms are file build up in the /data directory and slow GUI queries. A bug was introduced in the Linux kernel (affecting Redhat CentOS 8.4 and FortiSIEM 6.3.0) that slows NFS operations. For details, see the section titled "ls hangs for large directory enumeration on some kernels" in this URL document: https://docs.microsoft.com/en-us/azure/storage/files/storage-troubleshooting-files-nfs

Note: If you deploy your own NFS V3 or V4, then FortiSIEM 6.3.0 is not impacted.

Redhat has not yet published a patch for this issue. The current workaround is to manually downgrade the Linux kernel from 8.4 to 8.3.

Download and install the Linux 8.3 kernel by following these steps on each Supervisor and all your Worker nodes.

  1. On your system, login as user root, and run the following commands.
    Note: The order of the commands is important. If your system is offline without internet access, you can download the RPM to a flash drive or file share to upload to the Supervisor and Workers.

    1. cd /tmp

    2. mkdir downgrade

    3. cd downgrade

    4. wget https://os-pkgs-cdn.fortisiem.fortinet.com/centos83/baseos/Packages/kernel-core-4.18.0-240.10.1.el8_3.x86_64.rpm

    5. yum localinstall kernel-core-4.18.0-240.10.1.el8_3.x86_64.rpm

      Click 'y' to confirm when prompted.

    6. grub2-mkconfig -o /boot/grub2/grub.cfg

    7. awk -F\' '$1=="menuentry" {print $2}' /boot/grub2/grub.cfg

      Note: Entries are ordered 0,1,2,3,4 from top to bottom.

      If the kernel 4.18.0-240.10.1.el8_3.x86_64 is third in the list, use the command below to set it as the default.

    8. grub2-set-default 2

    9. Reboot the system with the following command:

      reboot

  2. Log back in as user root and check the kernel version that is running with the following command:

    uname –r

    In the uname –r output, notate the new kernel. It should be:

    4.18.0-240.10.1.el8_3.x86_64

After the Linux kernel downgrade is done for the Supervisor and Workers, take the following steps:

  1. Login to the Supervisor FortiSIEM GUI.

  2. Go to the ANALYTICS tab.

  3. Run a query for 10-30 minutes and confirm that the speed of the query execution is relatively fast.

Need to Re-Configure Open Tunnel After Upgrade/Install of 6.3.0

After upgrading or doing a fresh install of 6.3.0, the feature - "Connect to" a CMDB device via 'Open Tunnel' will no longer work without a configuration change. When users connect via a tunnel, it will appear that the tunnel is opened. However, the displayed Supervisor's port on which the tunneled connection is running is actually not open so users will not be able to connect either via plugin or directly.

To re-enable this feature, take the following steps:

  1. Edit sshd_config.tunneluser on the Supervisor by changing the entry AllowTcpForwarding to yes.
    AllowTcpForwarding yes

  2. Reload the tunnel sshd configuration using the following command:
    kill -HUP $(pgrep -f sshd_config.tunneluser)

  3. If you have tunnels you had opened after the upgrade, but prior to making the above change, you will need to click on the Close All button from ADMIN > Health > Collector Health > Tunnels page.

Note: This fix was done to address bug 602294: CVE-2004-1653 SSH port forwarding exposes unprotected internal services.

Need to set Account Environment in Azure Cloud Support Access Credentials after Upgrade

Prior to the 6.3.0 FortiSIEM release, the Azure CLI agent only supported Global Azure (AzureCloud). It did not support Azure Government Cloud, Azure China Cloud, or Azure German Cloud. In 6.3.0 and later releases, the 4 types of Azure Clouds listed here are supported by the Azure CLI agent.

When you need to upgrade the collector to 6.3.0 for Azure CLI jobs, make sure the Supervisor is also 6.3.0, and enter the Account Env as part of its Access Credentials.

Account Environment Azure Portal URL
AzureCloud https://portal.azure.com
AzureChinaCloud https://portal.azure.cn
AzureUSGovernmentCloud https://portal.azure.us
AzureGermanCloud https://portal.microsoftazure.de/

Cut and Paste Issue into Report Designer Text Editor

If you cut and paste text from an external document into the Report Designer Text Editor, then you need to select all copied text, click "Clear Format" and then add your own formatting within the Editor. Otherwise, Export will fail.

Elasticsearch Based Deployments Terms Query Limit

In Elasticsearch based deployments, queries containing "IN Group X" are handled using Elastic Terms Query. By default, the maximum number of terms that can be used in a Terms Query is set to 65,536. If a Group contains more than 65,536 entries, the query will fail.

The workaround is to change the “max_terms_count” setting for each event index. Fortinet has tested up to 1 million entries. The query response time will be proportional to the size of the group.

Case 1. For already existing indices, issue the REST API call to update the setting

PUT fortisiem-event-*/_settings
{
  "index" : {
    "max_terms_count" : "1000000"
  }
}

Case 2. For new indices that are going to be created in the future, update fortisiem-event-template so those new indices will have a higher max_terms_count setting

  1. cd /opt/phoenix/config/elastic/7.7

  2. Add "index.max_terms_count": 1000000 (including quotations) to the “settings” section of the fortisiem-event-template.

    Example:

    ...

      "settings": {
        "index.max_terms_count": 1000000,
    

    ...

  3. Navigate to ADMIN > Storage > Online and perform Test and Deploy.

  4. Test new indices have the updated terms limit by executing the following simple REST API call.

    GET fortisiem-event-*/_settings

Rule and Report Modifications since 6.2.1

The following rules were added:

  • ES Coordinator Node Staying Down

  • ES Coordinator Node Down

  • Cortex XDR Alert Detected

  • Cortex XDR Alert Prevented

  • F5 BIG-IP TMM Attack - FortiGate IPS Exploit Permitted

  • FortiAI: Attack Chain Blocked

  • FortiAI: Attack Chain Permitted

  • CyberX Malware Detected

  • Windows Process Tampering Detected

  • SUNBURST Suspicious File Hash match by Source and Destination

  • DEARCRY Infected File Detected on Network

  • DEARCRY Infected File Detected on Host

  • DARKSIDE Domain Traffic Detected

  • DARKSIDE Ransomware File Activity Detected on Network

  • DARKSIDE Ransomware File Activity Detected on Host

  • DARKSIDE Ransomware Outbound Network Traffic Detected

  • DARKSIDE Ransomware Inbound Network Traffic Detected

  • DARKSIDE Suspicious File Hash Found on Network

  • DARKSIDE Suspicious File Hash Found on Host

The following rules were deleted:

  • Excessive Malware Domain Name Queries

  • DNS Traffic to Malware Domains

The following rules were renamed:

  • Windows: Unidentified Attacker November 2018 Activity 1 -> Windows: Unidentified Attacker November 2018 Activity 1

  • SUNBURST Suspicious File MD5 match -> SUNBURST Suspicious File Hash Match

The following reports were added:

  • AWS ELB - Top HTTP Methods by Count

  • AWS ELB - Top HTTP Status Codes by Count

  • AWS ELB - Top Requests by Source Country

  • AWS ELB - Top Source IPs by Count

  • AWS ELB - Top Request URLs by Count

  • F5 BIG-IP TMM Attack - FortiGate IPS Exploit Permitted

  • FortiAI: Attack-Chain Blocked

  • FortiAI: Attack-Chain Permitted

  • FortiAI: Dashboard Attack-Chain Blocked

  • FortiAI: Dashboard Attack-Chain Permitted

  • FortiAI: Dashboard Incidents

  • FortiAI: Top Attacker IPs by Count

  • FortiAI: Top Malware Family by Count

  • FortiAI: Top Victim IPs by Count

  • Cases Created - Daily

  • DARKSIDE Domain Traffic Detected

  • DARKSIDE Ransomware File Activity Detected on Network

  • DARKSIDE Ransomware File Activity Detected on Host

  • DARKSIDE Ransomware Traffic Detected

  • DARKSIDE Suspicious File Hash Found

  • DEARCRY Infected File Detected on Network

  • DEARCRY Infected File Detected on Host

  • CyberX Security Alerts

  • ZOS: SMF 14/15/17 Dataset Open/Update/Delete Activity

  • ZOS: SMF 18 Dataset Rename Activity

  • ZOS: SMF 30 JES Job/STC start/end Activity

  • ZOS: SMF 32 JES TSO Termination Activity

  • ZOS: SMF 42 SMS Add/Delete/Rename/Reuse Activity

  • ZOS: SMF 62 VSAM Open Dataset Activity

  • ZOS: SMF 80 Security Violations

  • ZOS: SMF 81 Initialization and SETROPTS events

  • ZOS: SMF 83 Security Changes

  • ZOS: SMF 90:37 APF List Changes

  • ZOS: SMF 119: TSO Logon

  • ZOS: SMF 119: TN3270 Logon

  • ZOS: SMF 119: FTP Completion

  • ZOS: SMF 119: TCP Connection Termination

The following reports were deleted:

  • Incident Trend By Severity - Monthly

  • SANS CC5: DNS Traffic To Malware Domains

The following reports were renamed:

  • Incident Resolution Time Trend By Severity - Monthly "Mean Time to Resolution" -> Incidents By Location and Category

  • Monthly Assigned Incident User Trend -> Cases Created - Weekly

  • Incidents By Location and Category -> Cases Closed - Weekly

  • Cases Created - Daily -> Cases Closed By User - Weekly

  • Cases Created - Monthly -> Incident Trend By Severity - Monthly

  • Cases Created - Weekly -> Incident Resolution Time Trend By Severity - Monthly "Mean Time to Resolution"

  • Cases Closed - Weekly -> Monthly Assigned Incident User Trend

  • Cases Closed By User - Weekly -> Cases Created - Monthly

  • SUNBURST Suspicious File MD5 match -> SUNBURST Suspicious File Hash match

Whats New in 6.3.0

This document describes the additions for the FortiSIEM 6.3.0 release.

New Features

Customizable GUI Login Banner

FortiSIEM administrators can now define a login banner page that GUI users will view, after entering their credentials. This page displays the last successful login time, changes to the user’s account since their last successful login, along with an administrator defined message. This message is typically used to warn against unauthorized system access. A default message is provided, but users with full admin privileges can change the message, create a new message, or completely disable this banner. This system setting applies for all users.

For details on how to set up and customize a login banner, located at ADMIN > Settings > System > UI, see Administrator UI Settings.

Notes:

  • This is a system wide screen for all users.

  • Some simple BBCode tags are allowed in this message input - “b” - bold, “i” - italic, “u” - underline, and “url”.

  • HTML tags are not allowed.

  • Nested tags are not allowed.

UTC and ISO8601 Formatted Dates

Earlier releases displayed dates (e.g. in the INCIDENTS page) in local time format. In this release, two other time format options are added – UTC and ISO 8601. This is a per-user setting and the chosen time format is honored in the GUI for that user as well as for report exports, and scheduled reports done by that user and Incident email notification.

For details on how to set up date display format, located at User Profile > UI Settings, see User Profile UI Settings.

Ability to Tags Incidents and Search Incidents by Tag

This release allows you to define Tags and then associate one or more Tags to Rules. Incidents triggered by that rule will have the associated Tags attribute as an Incident attribute. You can display Tags from the INCIDENTS page and search/filter Incidents by Tags. For MSSP deployments, Tags are globally defined for all Organizations.

For details on how to define tags, see Tags.

For details on how to set tags in rules, see Creating a Rule: Step 3: Define Actions.

For details on how to display tags in INCIDENTS, see Acting on Incidents on how to add the Tags column to the INCIDENTS page.

For details on how to search Incidents by tags, see Searching Incidents. From the Actions drop-down list, click Search. Use the Incident Tag filter in the same panel to locate tags.

Report Export in RTF Format

In earlier releases, reports could be exported in PDF and CSV formats. This release adds Rich Text Format (RTF) format that can be viewed using Microsoft Word.

For setting RTF format for adhoc reports, see Email Results, Exporting Report Results, and Exporting Results.

For setting RTF format for scheduled reports, see Scheduling a Report and Scheduling CMDB Reports.

For more information on creating a report template, which can be sent in RTF format, see Designing a Report Template.

Trend Chart for Hourly/Daily/weekly Aggregates

In earlier releases, the granularity of time axis in trend charts was chosen automatically by the system. Therefore, user cannot have hourly, daily and weekly values plotted in Report Trend Charts. This release allows users this option. Because daily, weekly queries can take a long time to run, this works best in pre-computed queries and in dashboards where results are computed inline mode.

In ANALYTICS, you can choose the trend option as part of Filter conditions. See Specifying a Trend Interval.

In DASHBOARD, you can select Line chart as the display type, and then choose a trend option as part of a Widget Dashboard. See Modifying Widget Display Information.

Trend Attributes can be added to scheduled reports, report bundles and through a real-time search.

Email Encryption via S/MIME

This release allows you to send encrypted emails from FortiSIEM using S/MIME. Examples of emails send from FortiSIEM includes Incident notification emails, Scheduled Report emails, Adhoc Query Result email, etc...

To first set up S/MIME, see Email Settings.

After the S/MIME configuration, add the S/MIME certificate for a new user or to an existing one at CMDB > Users.

Load Balancing Inserts across Multiple Elasticsearch Coordinator Nodes

This release enables you to add multiple Elasticsearch Coordinator nodes in GUI. Then phDataManager process on each Worker will load balance event inserts across multiple Elasticsearch Coordinator nodes. This design allows faster parallel inserts and also protects against Coordinator node failures.

The Coordinator nodes can be configured in the URL field for Native Elasticsearch configuration.

Watchlist Management API

This release allows you to view, add, edit Watchlist folders and entries (RESOURCES > Watchlist). See Watchlist Integration in the API Integration Guide.

JSON Incident API

This release allows you to integrate incidents from FortiSIEM with a JSON REST API. This is used for the ServiceNow SecOps integration. See JSON API Incident Integration in the API Integration Guide.

FortiSIEM Collector as Management Extension Application (MEA) on FortiAnalyzer

You can now run a FortiSIEM Collector as a management extension application (MEA) image on FortiAnalyzer 7.0.1 or higher. This alleviates the need for a separate FortiSIEM Collector node (Virtual machine or appliance), when you already have a FortiAnalyzer deployed, and it has sufficiently spare CPU, Memory and Disk available to run a FortiSIEM Collector.

A FortiSIEM MEA Collector functionally works the same way as a regular virtual machine based FortiSIEM Collector or a hardware appliance 500F, but the set up and upgrade processes are slightly different.

For general setup, troubleshooting, event collection, discovery and performance monitoring using a FortiSIEM MEA Collector, see the FortiSIEM MEA Collector Administration Guide in FortiAnalyzer 7.0 docs. The FortiSIEM MEA Administration Guide also covers upgrade issues and general differences between a FortiSIEM MEA Collector and a virtual machine/hardware appliance Collector.

Note: To collect FortiSIEM Windows or Linux Agent logs via FortiSIEM MEA Collector, you need to run Windows Agent 4.1.2 or higher and Linux Agent 6.3.0 or higher.

Key Enhancements

Infrastructure Upgrade

This release upgrades the underlying CentOS version to 8.4.

Elasticsearch 7.12.1 Support

This release extends native Elasticsearch event database support to 7.12.1.

MITRE ATT&CK Framework Update to V0.9

This release imports the MITRE ATT&CK Techniques and Tactics as found in V9 released on April 29, 2021.

Authentication for Kafka based Event Forwarding

FortiSIEM allows events to be forwarded via Kafka. This release adds the ability for FortiSIEM to authenticate to the Kafka receiver.

To set up Kafka authentication, see step 9 under Kafka Settings.

Report Design Template Enhancements

This release covers the following Report Design enhancements

  • A Rich Text editor so that user does not have to type in raw HTML text in Text Area in Report Design.

  • Allow user to insert a Page Break

  • Make the Cover page and Table of Contents optional

For details see Designing a Report Template.

Selective Role based Raw Message Obfuscation

FortiSIEM user roles allows per-user obfuscation of certain event attributes like Source IP, Host IP, User etc. In earlier releases, if one event attribute was obfuscated, then the entire raw message was not shown to that user. This restriction is removed in this release. As an example, this means that if a user role has obfuscated User name, then that user can see the entire raw message except the specific user name in the message.

For configuration information, see Adding a New Role.

Shared Dashboard Ownership Transfer

FortiSIEM allows dashboards to be shared between the creator (owner) and several other users. However, in earlier releases, when the shared dashboard owner was not available, no one else could modify the shared dashboard. This release allows the shared dashboard owner to transfer ownership to another user with exactly the same role. Then that person becomes the new owner and can edit the dashboard.

For details on how to change ownership, see Dashboard Ownership.

Custom Elasticsearch Mapping Template

FortiSIEM uses an Event Attribute Mapping Template file to map each of the 3,000+ FortiSIEM Event Attributes to Elasticsearch data types. This explicit mapping is done to conserve Elasticsearch event storage.

Our research (using the Elasticsearch Rally Tool) has shown that Elasticsearch performance can be improved by choosing a smaller Event Attribute Template file relevant to events seen in the customer's environment. This release allows customers to use the right Event Attribute Template file for their environment and improve Elasticsearch performance.

A tool is provided that customers can use to create an Event Attribute Template file based on last N (configurable) days of data in Elasticsearch. Details can be found in Administrator Tools.

The user can import this custom Event Attribute Template file from the Supervisor GUI and click Test and Save to deploy to Elasticsearch. Details can be found in Configuring a Native, AWS, or Cloud Elasticsearch database.

Note: If a new log appears and has new event attributes not present in the Event Attribute Template file, then Elasticsearch will auto-detect the type. If you wish to change the type, you will need to run the tool again and upload the new Event Attribute Custom Template. The custom Event Attribute template will take effect for the new index.

This release has been tested in native Elasticsearch 7.8, 7.12.1, AWS Elasticsearch 7.8, and Elastic Cloud 6.8.

Elasticsearch to EventDB Archive Performance Improvement

For high EPS situations, FortiSIEM recommends the Real time Archive option, because reading events from Elasticsearch and copying to EventDB on NFS is an expensive operation that can slow down real time event ingestion. However, if you require the non-real time archiving option, this release optimizes the code to reduce pressure on Elasticsearch and archive faster. No user configuration is required.

Optimize PostgreSQL Incident Query

Incidents can span multiple partitions and SQL queries to multiple partitions, which can be expensive. This release optimizes such queries by only going over the minimum necessary partitions. Users will see less disk IOPS for CMDB partition and faster GUI response times.

New Device Support

Device Support Extensions

Bug Fixes and Minor Enhancements

Bug ID

Severity

Module

Description

719210

Major

App Server

Choosing Malware IOC (IP/Domain/URL/Hash) when there are many Malware IOC groups, would result in a sluggish GUI. A full download is recommended for faster FortiSIEM processing. Do not choose incremental download when the website does not provide incremental download.

718253

Major

App Server

Any customer defined rule cannot be approved for deployment in the TASKS > Approval page

650020

Major

GUI

If a user navigated to RESOURCES > Reports > Baseline, selected a Reporting EPS Profile and clicked Run, the visualization would not appear, and showed a "stuck" loading indicator. A workaround was to navigate to ANALYTICS, go to the folder option, navigate to Reports > Baseline, select a Reporting EPS Profile and click Run.

715377

Minor

App Server

If a primary contact admin user was saved with an incorrect organization, the ADMIN > License > General and Usage pages would not display any data.

711680

Minor

App Server

On a 6.2.0 upgraded FortiSIEM, if an ANALYTICS query result spanned many pages (over 199), then later pages might not show any results.

705642

Minor

App Server

If a SAML response did not carry the signature and X509 Certificates attributes, the AppServer would throw a NullPointerException.

685195

Minor

App Server

Occasionally, after a few weeks or months, the STM job would automatically change from HTTP type to TCP.

719795

Minor

Data

The Source IP was incorrectly set for Windows Security Event ID 4624 event.

719331

Minor

Data

The FortiGateParser set Event Action as 0(permit) even when Firewall action=block in event logs; it should be 1.

Note: The keyword "blocked" was handled correctly.

717349

Minor

Data

The Zscaler parser was not correctly handling events with quotes in the URL.

715951

Minor

Data

The Checkpoint parser created spurious CMDB devices due to incorrect parsing of origin field.

713156

Minor

Data

Office365 Authentication events incorrectly parsed "Authentication success" when "UserKey" is "Not Available" and "Actor" is "Unknown".

712384

Minor

Data

Windows Security Event 4728 had the incorrect target User field.

712153

Minor

Data

The FortiClient EMS parser sometimes failed when there was no clientfeature field.

709663

Minor

Data

The Nginx parser would not work when a log contained a negative GMT time value.

709182

Minor

Data

Occasionally, the Windows Log parser would not parse the correct Destination Host Name.

708681

Minor

Data

Maldives is incorrectly in RESOURCES > Country Groups > Europe instead of RESOURCES > Country Groups > Asia.

708638

Minor

Data

The Cisco ASA parser and Cisco FWSM parser had incorrect mapping of the Destination and Source IP/Ports.

706898

Minor

Data

Windows Security log parsing enhanced to include Kerberos Cipher name.

697112

Minor

Data

The Palo Alto Firewall parser showed the "flowEndReason" attribute value as 0.

694642

Minor

Data

Uruguay was incorrectly included in the Europe Country Group instead of the South America Country Group.

694259

Minor

Data

The FortiAuthenticator logs forwarded through FortiAnalyzer provided the incorrect Reporting Device IP.

692909

Minor

Data

For WatchGuard Firebox firewall, HTTPS certificate attributes were not parsed.

645187

Minor

Data

Country name mismatches caused rules to trigger.

715304

Minor

Data

The Palo Alto Firewall log parser did not work for global protect system logs.

685952

Minor

Data

The Palo Alto parser enhanced to handle additional log types, including multiple WildFire events.

716961

Minor

Data

The FortiAuthenticator Failed Login was parsed as Successful Login.

724187

Minor

Data

SQL Injection Attack detected by NIPS rule logic corrected to match rule description.

724187

Minor

Data

Palo Alto event type PAN-IDP-31914 categorization corrected to match trigger behavior. Event type PAN-IDP-55873 added.

718372

Minor

GUI

When creating a new report under Org, a "unknown Error" warning would pop up after saving.

717183

Minor

GUI

With a large number of CMDB users defined in FortiSIEM, in the CASES tab, the New and Edit operations would sometimes timeout.

712019

Minor

GUI

The auto-load feature would re-load at 4 am every day, even when an active query was running.

698621

Minor

GUI

In Report Schedule, multiple email addresses could not be added.

689328

Minor

GUI

In the Interface Usage Dashboard, user changes to the Application Usage chart were not saved.

681160

Minor

GUI

From the CMDB page, installed software could not be detected when discovered.

677375

Minor

GUI

When saving or copying into a parser window, the ">" and "< "characters were getting encoded and translated.

668386

Minor

GUI

In MSSP mode, if the user was in CMDB, the device group could not be changed.

688542

Minor

Log Collection

Azure Audit logs only pulled from one subscription, even when multiple subscriptions were configured.

719190

Minor

Parser

The Cisco ASA built/teardown parsing was sometimes sluggish when matching connection ids.

707125

Minor

Performance Monitoring

The VMware cluster level CPU and memory utilization calculations were not accurate.

714176

Minor

Performance Monitoring

In CMDB > Device > Monitor, the Last Successful attribute was not reset properly, causing flapping between Normal and Warning.

700690

Minor

Performance Monitoring

HTTPS based STM did not work correctly when different IPs in different STMs were mapped to the same host name.

694596

Minor

Performance Monitoring

FortiSIEM could not monitor a metric via SNMP when there were more than two alternative OIDS for that metric and another method like SSH was simultaneously used to monitor other metrics.

712602

Minor

Query

Query failed if there were parentheses in the nested query with attributes like "Destination TCP/UDP Port".

684647

Minor

Query

In ANALYTICS search, a filter on TCP flag would make the query work incorrectly.

682137

Minor

System

The /etc/hosts file needed to be preserved across upgrades.

690781

Enhancement

App Server

When an incident is cleared in FortiSIEM, it is now cleared on ConnectWise.

712012

Enhancement

Data

Geo-IP database updated to handle more IPs.

705478

Enhancement

Data

FortiSandbox parser now extracts virusid and attack name in a better way to parse malware name attribute.

705471

Enhancement

Data

FortiMail parser now extracts virus attribute.

705468

Enhancement

Data

FortiClient parser now maps threat to malware name attribute.

702603

Enhancement

Data

Extend Windows Security log parser now supports Sysmon v13.

692796

Enhancement

Data

UnixParser extended to parse SFTP Open file, SFTP Close file, and internal-sftp logs.

689608

Enhancement

Data

Meraki Firewall parser enhanced to include Flow Start and Flow End events.

684254

Enhancement

Data

Extreme switch logs parser enhanced.

682424

Enhancement

Data

Parsing improved for Windows Event ID 5145.

680432

Enhancement

Data

Cisco Callmanager and Cisco IMP servers parsers enhanced to handle more event types.

668492

Enhancement

Data

Windows log parser for French Language Windows enhanced. Note: Enhancement primarily for security log 4728.

725618

Enhancement

Data

Parsing enhanced to handle Cisco Nexus AUTHPRIV syslog messages.

704115

Enhancement

Data

The Palo Alto parser extended to parse global protect system logs.

684897

Enhancement

Data

The rule "Traffic to FortiGuard Malware IP List" is now able to trigger on valid non-firewall logs.

696237

Enhancement

GUI

Port number under External Authentication can now be changed.

705100

Enhancement

Log Collection

Windows BitDefender REST API now allows different regions to be selected. Note: Originally, it defaulted hostname to the US.

703881

Enhancement

Rule Engine

PH_REPORT_PACK_FAILED log (that indicates event dropped during packing from Worker to Supervisor) now includes groupby and aggregate attributes.

712034

Enhancement

System

pHEventExport and TestESSplitter backend tools updated to run in FortiSIEM 6.x.

Known Issues

Shutting Down Hardware

On hardware appliances running FortiSIEM 6.6.0 or earlier, FortiSIEM execute shutdown CLI does not work correctly. Please use the Linux shutdown command instead.

Remediation Steps for CVE-2021-44228

Three FortiSIEM modules (SVNLite, phFortiInsightAI and 3rd party ThreatConnect SDK) use Apache log4j version 2.14, 2.13 and 2.8 respectively for logging purposes, and hence are vulnerable to the recently discovered Remote Code Execution vulnerability (CVE-2021-44228).

These instructions specify the steps needed to mitigate this vulnerability without upgrading Apache log4j to the latest stable version 2.16 or higher. Actions need to be taken on the Supervisor and Worker nodes only.

On Supervisor Node

  1. Logon via SSH as root.

  2. Mitigating SVNLite module:

    1. Run the script fix-svnlite-log4j2.sh (here). It will restart SVNlite module with Dlog4j2.formatMsgNoLookups=true option and print the success/failed status.

  3. Mitigating 3rd party ThreatConnect SDK module:

    1. Delete these log4j jar files under /opt/glassfish/domains/domain1/applications/phoenix/lib

      1. log4j-core-2.8.2.jar

      2. log4j-api-2.8.2.jar

      3. log4j-slf4j-impl-2.6.1.jar

  4. Mitigating phFortiInsightAI module:

    1. Delete these log4j jar files under /opt/fortiinsight-ai/lib/

      1. log4j-core-2.13.0.jar

      2. log4j-api-2.13.0.jar

  5. Restart all Java Processes by running: “killall -9 java”

On Worker Node

  1. Logon via SSH as root.

  2. Mitigating phFortiInsightAI module:

    1. Delete these log4j jar files under /opt/fortiinsight-ai/lib/

      1. log4j-core-2.13.0.jar

      2. log4j-api-2.13.0.jar

  3. Restart all Java Processes by running: “killall -9 java”

Slow Event Database Operations Using Azure Managed NFS File Share Service

If you are running a FortiSIEM 6.3.0 Cluster in Microsoft Azure Cloud using Azure Managed NFS File Share Service, then FortiSIEM will not work correctly. Symptoms are file build up in the /data directory and slow GUI queries. A bug was introduced in the Linux kernel (affecting Redhat CentOS 8.4 and FortiSIEM 6.3.0) that slows NFS operations. For details, see the section titled "ls hangs for large directory enumeration on some kernels" in this URL document: https://docs.microsoft.com/en-us/azure/storage/files/storage-troubleshooting-files-nfs

Note: If you deploy your own NFS V3 or V4, then FortiSIEM 6.3.0 is not impacted.

Redhat has not yet published a patch for this issue. The current workaround is to manually downgrade the Linux kernel from 8.4 to 8.3.

Download and install the Linux 8.3 kernel by following these steps on each Supervisor and all your Worker nodes.

  1. On your system, login as user root, and run the following commands.
    Note: The order of the commands is important. If your system is offline without internet access, you can download the RPM to a flash drive or file share to upload to the Supervisor and Workers.

    1. cd /tmp

    2. mkdir downgrade

    3. cd downgrade

    4. wget https://os-pkgs-cdn.fortisiem.fortinet.com/centos83/baseos/Packages/kernel-core-4.18.0-240.10.1.el8_3.x86_64.rpm

    5. yum localinstall kernel-core-4.18.0-240.10.1.el8_3.x86_64.rpm

      Click 'y' to confirm when prompted.

    6. grub2-mkconfig -o /boot/grub2/grub.cfg

    7. awk -F\' '$1=="menuentry" {print $2}' /boot/grub2/grub.cfg

      Note: Entries are ordered 0,1,2,3,4 from top to bottom.

      If the kernel 4.18.0-240.10.1.el8_3.x86_64 is third in the list, use the command below to set it as the default.

    8. grub2-set-default 2

    9. Reboot the system with the following command:

      reboot

  2. Log back in as user root and check the kernel version that is running with the following command:

    uname –r

    In the uname –r output, notate the new kernel. It should be:

    4.18.0-240.10.1.el8_3.x86_64

After the Linux kernel downgrade is done for the Supervisor and Workers, take the following steps:

  1. Login to the Supervisor FortiSIEM GUI.

  2. Go to the ANALYTICS tab.

  3. Run a query for 10-30 minutes and confirm that the speed of the query execution is relatively fast.

Need to Re-Configure Open Tunnel After Upgrade/Install of 6.3.0

After upgrading or doing a fresh install of 6.3.0, the feature - "Connect to" a CMDB device via 'Open Tunnel' will no longer work without a configuration change. When users connect via a tunnel, it will appear that the tunnel is opened. However, the displayed Supervisor's port on which the tunneled connection is running is actually not open so users will not be able to connect either via plugin or directly.

To re-enable this feature, take the following steps:

  1. Edit sshd_config.tunneluser on the Supervisor by changing the entry AllowTcpForwarding to yes.
    AllowTcpForwarding yes

  2. Reload the tunnel sshd configuration using the following command:
    kill -HUP $(pgrep -f sshd_config.tunneluser)

  3. If you have tunnels you had opened after the upgrade, but prior to making the above change, you will need to click on the Close All button from ADMIN > Health > Collector Health > Tunnels page.

Note: This fix was done to address bug 602294: CVE-2004-1653 SSH port forwarding exposes unprotected internal services.

Need to set Account Environment in Azure Cloud Support Access Credentials after Upgrade

Prior to the 6.3.0 FortiSIEM release, the Azure CLI agent only supported Global Azure (AzureCloud). It did not support Azure Government Cloud, Azure China Cloud, or Azure German Cloud. In 6.3.0 and later releases, the 4 types of Azure Clouds listed here are supported by the Azure CLI agent.

When you need to upgrade the collector to 6.3.0 for Azure CLI jobs, make sure the Supervisor is also 6.3.0, and enter the Account Env as part of its Access Credentials.

Account Environment Azure Portal URL
AzureCloud https://portal.azure.com
AzureChinaCloud https://portal.azure.cn
AzureUSGovernmentCloud https://portal.azure.us
AzureGermanCloud https://portal.microsoftazure.de/

Cut and Paste Issue into Report Designer Text Editor

If you cut and paste text from an external document into the Report Designer Text Editor, then you need to select all copied text, click "Clear Format" and then add your own formatting within the Editor. Otherwise, Export will fail.

Elasticsearch Based Deployments Terms Query Limit

In Elasticsearch based deployments, queries containing "IN Group X" are handled using Elastic Terms Query. By default, the maximum number of terms that can be used in a Terms Query is set to 65,536. If a Group contains more than 65,536 entries, the query will fail.

The workaround is to change the “max_terms_count” setting for each event index. Fortinet has tested up to 1 million entries. The query response time will be proportional to the size of the group.

Case 1. For already existing indices, issue the REST API call to update the setting

PUT fortisiem-event-*/_settings
{
  "index" : {
    "max_terms_count" : "1000000"
  }
}

Case 2. For new indices that are going to be created in the future, update fortisiem-event-template so those new indices will have a higher max_terms_count setting

  1. cd /opt/phoenix/config/elastic/7.7

  2. Add "index.max_terms_count": 1000000 (including quotations) to the “settings” section of the fortisiem-event-template.

    Example:

    ...

      "settings": {
        "index.max_terms_count": 1000000,
    

    ...

  3. Navigate to ADMIN > Storage > Online and perform Test and Deploy.

  4. Test new indices have the updated terms limit by executing the following simple REST API call.

    GET fortisiem-event-*/_settings

Rule and Report Modifications since 6.2.1

The following rules were added:

  • ES Coordinator Node Staying Down

  • ES Coordinator Node Down

  • Cortex XDR Alert Detected

  • Cortex XDR Alert Prevented

  • F5 BIG-IP TMM Attack - FortiGate IPS Exploit Permitted

  • FortiAI: Attack Chain Blocked

  • FortiAI: Attack Chain Permitted

  • CyberX Malware Detected

  • Windows Process Tampering Detected

  • SUNBURST Suspicious File Hash match by Source and Destination

  • DEARCRY Infected File Detected on Network

  • DEARCRY Infected File Detected on Host

  • DARKSIDE Domain Traffic Detected

  • DARKSIDE Ransomware File Activity Detected on Network

  • DARKSIDE Ransomware File Activity Detected on Host

  • DARKSIDE Ransomware Outbound Network Traffic Detected

  • DARKSIDE Ransomware Inbound Network Traffic Detected

  • DARKSIDE Suspicious File Hash Found on Network

  • DARKSIDE Suspicious File Hash Found on Host

The following rules were deleted:

  • Excessive Malware Domain Name Queries

  • DNS Traffic to Malware Domains

The following rules were renamed:

  • Windows: Unidentified Attacker November 2018 Activity 1 -> Windows: Unidentified Attacker November 2018 Activity 1

  • SUNBURST Suspicious File MD5 match -> SUNBURST Suspicious File Hash Match

The following reports were added:

  • AWS ELB - Top HTTP Methods by Count

  • AWS ELB - Top HTTP Status Codes by Count

  • AWS ELB - Top Requests by Source Country

  • AWS ELB - Top Source IPs by Count

  • AWS ELB - Top Request URLs by Count

  • F5 BIG-IP TMM Attack - FortiGate IPS Exploit Permitted

  • FortiAI: Attack-Chain Blocked

  • FortiAI: Attack-Chain Permitted

  • FortiAI: Dashboard Attack-Chain Blocked

  • FortiAI: Dashboard Attack-Chain Permitted

  • FortiAI: Dashboard Incidents

  • FortiAI: Top Attacker IPs by Count

  • FortiAI: Top Malware Family by Count

  • FortiAI: Top Victim IPs by Count

  • Cases Created - Daily

  • DARKSIDE Domain Traffic Detected

  • DARKSIDE Ransomware File Activity Detected on Network

  • DARKSIDE Ransomware File Activity Detected on Host

  • DARKSIDE Ransomware Traffic Detected

  • DARKSIDE Suspicious File Hash Found

  • DEARCRY Infected File Detected on Network

  • DEARCRY Infected File Detected on Host

  • CyberX Security Alerts

  • ZOS: SMF 14/15/17 Dataset Open/Update/Delete Activity

  • ZOS: SMF 18 Dataset Rename Activity

  • ZOS: SMF 30 JES Job/STC start/end Activity

  • ZOS: SMF 32 JES TSO Termination Activity

  • ZOS: SMF 42 SMS Add/Delete/Rename/Reuse Activity

  • ZOS: SMF 62 VSAM Open Dataset Activity

  • ZOS: SMF 80 Security Violations

  • ZOS: SMF 81 Initialization and SETROPTS events

  • ZOS: SMF 83 Security Changes

  • ZOS: SMF 90:37 APF List Changes

  • ZOS: SMF 119: TSO Logon

  • ZOS: SMF 119: TN3270 Logon

  • ZOS: SMF 119: FTP Completion

  • ZOS: SMF 119: TCP Connection Termination

The following reports were deleted:

  • Incident Trend By Severity - Monthly

  • SANS CC5: DNS Traffic To Malware Domains

The following reports were renamed:

  • Incident Resolution Time Trend By Severity - Monthly "Mean Time to Resolution" -> Incidents By Location and Category

  • Monthly Assigned Incident User Trend -> Cases Created - Weekly

  • Incidents By Location and Category -> Cases Closed - Weekly

  • Cases Created - Daily -> Cases Closed By User - Weekly

  • Cases Created - Monthly -> Incident Trend By Severity - Monthly

  • Cases Created - Weekly -> Incident Resolution Time Trend By Severity - Monthly "Mean Time to Resolution"

  • Cases Closed - Weekly -> Monthly Assigned Incident User Trend

  • Cases Closed By User - Weekly -> Cases Created - Monthly

  • SUNBURST Suspicious File MD5 match -> SUNBURST Suspicious File Hash match