What's New in 6.3.0
This document describes the additions for the FortiSIEM 6.3.0 release.
New Features
- Load Balancing Inserts across Multiple Elasticsearch Coordinator Nodes
- FortiSIEM Collector as Management Extension Application (MEA) on FortiAnalyzer
Customizable GUI Login Banner
FortiSIEM administrators can now define a login banner page that GUI users will see after entering their credentials. This page displays the last successful login time, changes to the user's account since their last successful login, and an administrator-defined message. This message is typically used to warn against unauthorized system access. A default message is provided, but users with full admin privileges can change the message, create a new message, or completely disable this banner. This system setting applies to all users.
For details on how to set up and customize a login banner, located at ADMIN > Settings > System > UI, see Administrator UI Settings.
Notes:
- This is a system wide screen for all users.
- Some simple BBCode tags are allowed in this message input: "b" (bold), "i" (italic), "u" (underline), and "url".
- HTML tags are not allowed.
- Nested tags are not allowed.
UTC and ISO8601 Formatted Dates
Earlier releases displayed dates (e.g., in the INCIDENTS page) in local time format. This release adds two other time format options: UTC and ISO 8601. This is a per-user setting; the chosen time format is honored in the GUI for that user, as well as in report exports, scheduled reports run by that user, and Incident email notifications.
For details on how to set up date display format, located at User Profile > UI Settings, see User Profile UI Settings.
Ability to Tag Incidents and Search Incidents by Tag
This release allows you to define Tags and then associate one or more Tags to Rules. Incidents triggered by that rule will have the associated Tags attribute as an Incident attribute. You can display Tags from the INCIDENTS page and search/filter Incidents by Tags. For MSSP deployments, Tags are globally defined for all Organizations.
For details on how to define tags, see Tags.
For details on how to set tags in rules, see Creating a Rule: Step 3: Define Actions.
For details on how to display tags in INCIDENTS, see Acting on Incidents on how to add the Tags column to the INCIDENTS page.
For details on how to search Incidents by tags, see Searching Incidents. From the Actions drop-down list, click Search. Use the Incident Tag filter in the same panel to locate tags.
Report Export in RTF Format
In earlier releases, reports could be exported in PDF and CSV formats. This release adds Rich Text Format (RTF), which can be viewed using Microsoft Word.
For setting RTF format for adhoc reports, see Email Results, Exporting Report Results, and Exporting Results.
For setting RTF format for scheduled reports, see Scheduling a Report and Scheduling CMDB Reports.
For more information on creating a report template, which can be sent in RTF format, see Designing a Report Template.
Trend Chart for Hourly/Daily/Weekly Aggregates
In earlier releases, the granularity of the time axis in trend charts was chosen automatically by the system, so users could not have hourly, daily, or weekly values plotted in Report Trend Charts. This release adds this option. Because daily and weekly queries can take a long time to run, this works best with pre-computed queries and in dashboards where results are computed in inline mode.
In ANALYTICS, you can choose the trend option as part of Filter conditions. See Specifying a Trend Interval.
In DASHBOARD, you can select Line chart as the display type, and then choose a trend option as part of a Widget Dashboard. See Modifying Widget Display Information.
Trend Attributes can be added to scheduled reports, report bundles and through a real-time search.
Email Encryption via S/MIME
This release allows you to send encrypted emails from FortiSIEM using S/MIME. Examples of emails sent from FortiSIEM include Incident notification emails, Scheduled Report emails, and Adhoc Query Result emails.
To first set up S/MIME, see Email Settings.
After the S/MIME configuration, add the S/MIME certificate for a new user or to an existing one at CMDB > Users.
Load Balancing Inserts across Multiple Elasticsearch Coordinator Nodes
This release enables you to add multiple Elasticsearch Coordinator nodes in the GUI. The phDataManager process on each Worker then load balances event inserts across the Coordinator nodes. This design allows faster parallel inserts and also protects against Coordinator node failures.
The Coordinator nodes can be configured in the URL field for Native Elasticsearch configuration.
Watchlist Management API
This release allows you to view, add, and edit Watchlist folders and entries (RESOURCES > Watchlist). See Watchlist Integration in the API Integration Guide.
JSON Incident API
This release allows you to integrate incidents from FortiSIEM with a JSON REST API. This is used for the ServiceNow SecOps integration. See JSON API Incident Integration in the API Integration Guide.
FortiSIEM Collector as Management Extension Application (MEA) on FortiAnalyzer
You can now run a FortiSIEM Collector as a management extension application (MEA) image on FortiAnalyzer 7.0.1 or higher. This removes the need for a separate FortiSIEM Collector node (virtual machine or appliance) when you already have a FortiAnalyzer deployed and it has sufficient spare CPU, memory, and disk available to run a FortiSIEM Collector.
A FortiSIEM MEA Collector functionally works the same way as a regular virtual machine based FortiSIEM Collector or a hardware appliance 500F, but the setup and upgrade processes are slightly different.
For general setup, troubleshooting, event collection, discovery and performance monitoring using a FortiSIEM MEA Collector, see the FortiSIEM MEA Collector Administration Guide in FortiAnalyzer 7.0 docs. The FortiSIEM MEA Administration Guide also covers upgrade issues and general differences between a FortiSIEM MEA Collector and a virtual machine/hardware appliance Collector.
Note: To collect FortiSIEM Windows or Linux Agent logs via FortiSIEM MEA Collector, you need to run Windows Agent 4.1.2 or higher and Linux Agent 6.3.0 or higher.
Key Enhancements
Infrastructure Upgrade
This release upgrades the underlying CentOS version to 8.4.
Elasticsearch 7.12.1 Support
This release extends native Elasticsearch event database support to 7.12.1.
MITRE ATT&CK Framework Update to V9
This release imports the MITRE ATT&CK Techniques and Tactics as found in V9 released on April 29, 2021.
Authentication for Kafka based Event Forwarding
FortiSIEM allows events to be forwarded via Kafka. This release adds the ability for FortiSIEM to authenticate to the Kafka receiver.
To set up Kafka authentication, see step 9 under Kafka Settings.
Report Design Template Enhancements
This release covers the following Report Design enhancements:
- A Rich Text editor, so that users do not have to type raw HTML into the Text Area in Report Design.
- The ability to insert a Page Break.
- The Cover page and Table of Contents are now optional.
For details see Designing a Report Template.
Selective Role based Raw Message Obfuscation
FortiSIEM user roles allow per-user obfuscation of certain event attributes such as Source IP, Host IP, and User. In earlier releases, if one event attribute was obfuscated, then the entire raw message was hidden from that user. This restriction is removed in this release. As an example, if a user role obfuscates User name, that user can now see the entire raw message except the specific user name in the message.
For configuration information, see Adding a New Role.
Shared Dashboard Ownership Transfer
FortiSIEM allows dashboards to be shared between the creator (owner) and several other users. However, in earlier releases, when the shared dashboard owner was not available, no one else could modify the shared dashboard. This release allows the shared dashboard owner to transfer ownership to another user with exactly the same role. Then that person becomes the new owner and can edit the dashboard.
For details on how to change ownership, see Dashboard Ownership.
Custom Elasticsearch Mapping Template
FortiSIEM uses an Event Attribute Mapping Template file to map each of the 3,000+ FortiSIEM Event Attributes to Elasticsearch data types. This explicit mapping is done to conserve Elasticsearch event storage.
Our research (using the Elasticsearch Rally Tool) has shown that Elasticsearch performance can be improved by choosing a smaller Event Attribute Template file relevant to events seen in the customer's environment. This release allows customers to use the right Event Attribute Template file for their environment and improve Elasticsearch performance.
A tool is provided that customers can use to create an Event Attribute Template file based on last N (configurable) days of data in Elasticsearch. Details can be found in Administrator Tools.
The user can import this custom Event Attribute Template file from the Supervisor GUI and click Test and Save to deploy to Elasticsearch. Details can be found in Configuring a Native, AWS, or Cloud Elasticsearch database.
Note: If a new log appears and has new event attributes not present in the Event Attribute Template file, then Elasticsearch will auto-detect the type. If you wish to change the type, you will need to run the tool again and upload the new Event Attribute Custom Template. The custom Event Attribute template will take effect for the new index.
This release has been tested in native Elasticsearch 7.8, 7.12.1, AWS Elasticsearch 7.8, and Elastic Cloud 6.8.
Elasticsearch to EventDB Archive Performance Improvement
For high EPS situations, FortiSIEM recommends the Real time Archive option, because reading events from Elasticsearch and copying to EventDB on NFS is an expensive operation that can slow down real time event ingestion. However, if you require the non-real time archiving option, this release optimizes the code to reduce pressure on Elasticsearch and archive faster. No user configuration is required.
Optimize PostgreSQL Incident Query
Incidents can span multiple partitions, and SQL queries across multiple partitions can be expensive. This release optimizes such queries by only going over the minimum necessary partitions. Users will see fewer disk IOPS for the CMDB partition and faster GUI response times.
New Device Support
Device Support Extensions
Bug Fixes and Minor Enhancements
Bug ID | Severity | Module | Description
---|---|---|---
719210 | Major | App Server | Choosing Malware IOC (IP/Domain/URL/Hash) when there are many Malware IOC groups would result in a sluggish GUI. A full download is recommended for faster FortiSIEM processing. Do not choose incremental download when the website does not provide incremental download.
718253 | Major | App Server | Any customer defined rule could not be approved for deployment in the TASKS > Approval page.
650020 | Major | GUI | If a user navigated to RESOURCES > Reports > Baseline, selected a Reporting EPS Profile and clicked Run, the visualization would not appear, and showed a "stuck" loading indicator. A workaround was to navigate to ANALYTICS, go to the folder option, navigate to Reports > Baseline, select a Reporting EPS Profile and click Run.
715377 | Minor | App Server | If a primary contact admin user was saved with an incorrect organization, the ADMIN > License > General and Usage pages would not display any data.
711680 | Minor | App Server | On a 6.2.0 upgraded FortiSIEM, if an ANALYTICS query result spanned many pages (over 199), then later pages might not show any results.
705642 | Minor | App Server | If a SAML response did not carry the signature and X509 Certificate attributes, the AppServer would throw a NullPointerException.
685195 | Minor | App Server | Occasionally, after a few weeks or months, the STM job would automatically change from HTTP type to TCP.
719795 | Minor | Data | The Source IP was incorrectly set for Windows Security Event ID 4624 events.
719331 | Minor | Data | The FortiGateParser set Event Action to 0 (permit) even when Firewall action=block in event logs; it should be 1. Note: The keyword "blocked" was handled correctly.
717349 | Minor | Data | The Zscaler parser was not correctly handling events with quotes in the URL.
715951 | Minor | Data | The Checkpoint parser created spurious CMDB devices due to incorrect parsing of the origin field.
713156 | Minor | Data | Office365 Authentication events were incorrectly parsed as "Authentication success" when "UserKey" was "Not Available" and "Actor" was "Unknown".
712384 | Minor | Data | Windows Security Event 4728 had the incorrect target User field.
712153 | Minor | Data | The FortiClient EMS parser sometimes failed when there was no clientfeature field.
709663 | Minor | Data | The Nginx parser would not work when a log contained a negative GMT time value.
709182 | Minor | Data | Occasionally, the Windows Log parser would not parse the correct Destination Host Name.
708681 | Minor | Data | Maldives was incorrectly in RESOURCES > Country Groups > Europe instead of RESOURCES > Country Groups > Asia.
708638 | Minor | Data | The Cisco ASA parser and Cisco FWSM parser had incorrect mapping of the Destination and Source IP/Ports.
706898 | Minor | Data | Windows Security log parsing enhanced to include the Kerberos Cipher name.
697112 | Minor | Data | The Palo Alto Firewall parser showed the "flowEndReason" attribute value as 0.
694642 | Minor | Data | Uruguay was incorrectly included in the Europe Country Group instead of the South America Country Group.
694259 | Minor | Data | FortiAuthenticator logs forwarded through FortiAnalyzer provided the incorrect Reporting Device IP.
692909 | Minor | Data | For WatchGuard Firebox firewall, HTTPS certificate attributes were not parsed.
645187 | Minor | Data | Country name mismatches caused rules to trigger.
715304 | Minor | Data | The Palo Alto Firewall log parser did not work for GlobalProtect system logs.
685952 | Minor | Data | The Palo Alto parser was enhanced to handle additional log types, including multiple WildFire events.
716961 | Minor | Data | FortiAuthenticator Failed Login was parsed as Successful Login.
724187 | Minor | Data | SQL Injection Attack detected by NIPS rule logic corrected to match the rule description.
724187 | Minor | Data | Palo Alto event type PAN-IDP-31914 categorization corrected to match trigger behavior. Event type PAN-IDP-55873 added.
718372 | Minor | GUI | When creating a new report under an Org, an "Unknown Error" warning would pop up after saving.
717183 | Minor | GUI | With a large number of CMDB users defined in FortiSIEM, in the CASES tab, the New and Edit operations would sometimes time out.
712019 | Minor | GUI | The auto-load feature would re-load at 4 am every day, even when an active query was running.
698621 | Minor | GUI | In Report Schedule, multiple email addresses could not be added.
689328 | Minor | GUI | In the Interface Usage Dashboard, user changes to the Application Usage chart were not saved.
681160 | Minor | GUI | From the CMDB page, installed software could not be detected when discovered.
677375 | Minor | GUI | When saving or copying into a parser window, the ">" and "<" characters were getting encoded and translated.
668386 | Minor | GUI | In MSSP mode, if the user was in CMDB, the device group could not be changed.
688542 | Minor | Log Collection | Azure Audit logs were only pulled from one subscription, even when multiple subscriptions were configured.
719190 | Minor | Parser | The Cisco ASA built/teardown parsing was sometimes sluggish when matching connection IDs.
707125 | Minor | Performance Monitoring | The VMware cluster level CPU and memory utilization calculations were not accurate.
714176 | Minor | Performance Monitoring | In CMDB > Device > Monitor, the Last Successful attribute was not reset properly, causing flapping between Normal and Warning.
700690 | Minor | Performance Monitoring | HTTPS based STM did not work correctly when different IPs in different STMs were mapped to the same host name.
694596 | Minor | Performance Monitoring | FortiSIEM could not monitor a metric via SNMP when there were more than two alternative OIDs for that metric and another method such as SSH was simultaneously used to monitor other metrics.
712602 | Minor | Query | Query failed if there were parentheses in the nested query with attributes such as "Destination TCP/UDP Port".
684647 | Minor | Query | In ANALYTICS search, a filter on TCP flag would make the query work incorrectly.
682137 | Minor | System | The /etc/hosts file needed to be preserved across upgrades.
690781 | Enhancement | App Server | When an incident is cleared in FortiSIEM, it is now cleared on ConnectWise.
712012 | Enhancement | Data | Geo-IP database updated to handle more IPs.
705478 | Enhancement | Data | FortiSandbox parser now extracts virusid and attack name in a better way to parse the malware name attribute.
705471 | Enhancement | Data | FortiMail parser now extracts the virus attribute.
705468 | Enhancement | Data | FortiClient parser now maps threat to the malware name attribute.
702603 | Enhancement | Data | Windows Security log parser extended to support Sysmon v13.
692796 | Enhancement | Data | UnixParser extended to parse SFTP Open file, SFTP Close file, and internal-sftp logs.
689608 | Enhancement | Data | Meraki Firewall parser enhanced to include Flow Start and Flow End events.
684254 | Enhancement | Data | Extreme switch logs parser enhanced.
682424 | Enhancement | Data | Parsing improved for Windows Event ID 5145.
680432 | Enhancement | Data | Cisco CallManager and Cisco IMP server parsers enhanced to handle more event types.
668492 | Enhancement | Data | Windows log parser for French language Windows enhanced. Note: Enhancement primarily for security log 4728.
725618 | Enhancement | Data | Parsing enhanced to handle Cisco Nexus AUTHPRIV syslog messages.
704115 | Enhancement | Data | The Palo Alto parser extended to parse GlobalProtect system logs.
684897 | Enhancement | Data | The rule "Traffic to FortiGuard Malware IP List" is now able to trigger on valid non-firewall logs.
696237 | Enhancement | GUI | Port number under External Authentication can now be changed.
705100 | Enhancement | Log Collection | Windows BitDefender REST API now allows different regions to be selected. Note: Originally, it defaulted the hostname to the US.
703881 | Enhancement | Rule Engine | PH_REPORT_PACK_FAILED log (which indicates an event dropped during packing from Worker to Supervisor) now includes groupby and aggregate attributes.
712034 | Enhancement | System | pHEventExport and TestESSplitter backend tools updated to run in FortiSIEM 6.x.
Known Issues
Shutting Down Hardware
On hardware appliances running FortiSIEM 6.6.0 or earlier, the FortiSIEM execute shutdown CLI command does not work correctly. Please use the Linux shutdown command instead.
Remediation Steps for CVE-2021-44228
Three FortiSIEM modules (SVNLite, phFortiInsightAI and 3rd party ThreatConnect SDK) use Apache log4j version 2.14, 2.13 and 2.8 respectively for logging purposes, and hence are vulnerable to the recently discovered Remote Code Execution vulnerability (CVE-2021-44228).
These instructions specify the steps needed to mitigate this vulnerability without upgrading Apache log4j to the latest stable version 2.16 or higher. Actions need to be taken on the Supervisor and Worker nodes only.
On Supervisor Node
- Logon via SSH as root.
- Mitigating SVNLite module:
  - Run the script fix-svnlite-log4j2.sh (here). It will restart the SVNLite module with the -Dlog4j2.formatMsgNoLookups=true option and print the success/failed status.
- Mitigating 3rd party ThreatConnect SDK module:
  - Delete these log4j jar files under /opt/glassfish/domains/domain1/applications/phoenix/lib:
    - log4j-core-2.8.2.jar
    - log4j-api-2.8.2.jar
    - log4j-slf4j-impl-2.6.1.jar
- Mitigating phFortiInsightAI module:
  - Delete these log4j jar files under /opt/fortiinsight-ai/lib/:
    - log4j-core-2.13.0.jar
    - log4j-api-2.13.0.jar
- Restart all Java processes by running:
  killall -9 java
On Worker Node
- Logon via SSH as root.
- Mitigating phFortiInsightAI module:
  - Delete these log4j jar files under /opt/fortiinsight-ai/lib/:
    - log4j-core-2.13.0.jar
    - log4j-api-2.13.0.jar
- Restart all Java processes by running:
  killall -9 java
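As an added example (not part of the release notes or a Fortinet tool), the following script inventories the log4j jars in the two library directories named in the steps above and flags any below 2.16, the version the notes treat as fixed, so the deletions can be verified on a Supervisor or Worker before and after the Java restart. It assumes POSIX sh with find and sed; the directory paths are the ones listed on the page.

```shell
#!/bin/sh
# Added example (not from the FortiSIEM release notes or Fortinet): list log4j jars
# in the library directories from the remediation steps and flag those below 2.16.
# Assumes POSIX sh, find and sed.

# Default library directories named in the remediation steps above.
DEFAULT_LIB_DIRS="/opt/glassfish/domains/domain1/applications/phoenix/lib /opt/fortiinsight-ai/lib"

# log4j_version_from_jar PATH: print the version embedded in a log4j jar name,
# e.g. log4j-slf4j-impl-2.6.1.jar -> 2.6.1; prints nothing for other jars.
log4j_version_from_jar() {
    basename "$1" | sed -n 's/^log4j-[a-z0-9-]*-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# version_lt A B: succeed when dotted version A is older than B. Components are
# compared numerically; a missing component counts as 0, so 2.16 reads as 2.16.0.
version_lt() {
    set -- $(printf '%s\n' "$1" | awk -F. '{ print $1+0, $2+0, $3+0 }') \
           $(printf '%s\n' "$2" | awk -F. '{ print $1+0, $2+0, $3+0 }')
    [ $(( $1 * 1000000 + $2 * 1000 + $3 )) -lt $(( $4 * 1000000 + $5 * 1000 + $6 )) ]
}

# scan_log4j_jars [DIR...]: print "<jar> <version> <VULNERABLE|OK>" for each log4j
# jar, one per line in sorted order. Missing directories are skipped (a Worker has
# no glassfish tree). With no arguments the two default directories are scanned.
scan_log4j_jars() {
    [ $# -gt 0 ] || set -- $DEFAULT_LIB_DIRS
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 -type f -name 'log4j-*.jar' | sort | while read -r jar; do
            ver=$(log4j_version_from_jar "$jar")
            [ -n "$ver" ] || continue
            # The JNDI lookup code lives in log4j-core; the api and slf4j binding jars
            # are removed alongside it in the steps above, so all of them are listed.
            if version_lt "$ver" 2.16; then status=VULNERABLE; else status=OK; fi
            printf '%s %s %s\n' "$jar" "$ver" "$status"
        done
    done
}

# count_vulnerable [DIR...]: number of flagged jars; 0 means the deletions are done.
count_vulnerable() {
    scan_log4j_jars "$@" | grep -c ' VULNERABLE$' || true
}

# log4j_report [DIR...]: print the inventory and fail if any jar is still flagged,
# which makes the function usable as a post-remediation check from cron or a runbook.
log4j_report() {
    scan_log4j_jars "$@"
    [ "$(count_vulnerable "$@")" -eq 0 ]
}
```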
Slow Event Database Operations Using Azure Managed NFS File Share Service
If you are running a FortiSIEM 6.3.0 Cluster in Microsoft Azure Cloud using Azure Managed NFS File Share Service, then FortiSIEM will not work correctly. Symptoms are file build-up in the /data directory and slow GUI queries. A bug was introduced in the Linux kernel (affecting Red Hat CentOS 8.4 and FortiSIEM 6.3.0) that slows NFS operations. For details, see the section titled "ls hangs for large directory enumeration on some kernels" in this document: https://docs.microsoft.com/en-us/azure/storage/files/storage-troubleshooting-files-nfs
Note: If you deploy your own NFS V3 or V4, then FortiSIEM 6.3.0 is not impacted.
Red Hat has not yet published a patch for this issue. The current workaround is to manually downgrade the Linux kernel from 8.4 to 8.3.
Download and install the Linux 8.3 kernel by following these steps on each Supervisor and all your Worker nodes.
- On your system, login as user root, and run the following commands.
  Note: The order of the commands is important. If your system is offline without internet access, you can download the RPM to a flash drive or file share to upload to the Supervisor and Workers.
  - cd /tmp
  - mkdir downgrade
  - cd downgrade
  - wget https://os-pkgs-cdn.fortisiem.fortinet.com/centos83/baseos/Packages/kernel-core-4.18.0-240.10.1.el8_3.x86_64.rpm
  - yum localinstall kernel-core-4.18.0-240.10.1.el8_3.x86_64.rpm
    Enter 'y' to confirm when prompted.
  - grub2-mkconfig -o /boot/grub2/grub.cfg
  - awk -F\' '$1=="menuentry " {print $2}' /boot/grub2/grub.cfg
    Note: Entries are ordered 0,1,2,3,4 from top to bottom. If the kernel 4.18.0-240.10.1.el8_3.x86_64 is third in the list, use the command below to set it as the default.
  - grub2-set-default 2
  - Reboot the system with the following command:
    reboot
- Log back in as user root and check the kernel version that is running with the following command:
  uname -r
  In the uname -r output, notate the new kernel. It should be: 4.18.0-240.10.1.el8_3.x86_64
After the Linux kernel downgrade is done for the Supervisor and Workers, take the following steps:
- Login to the Supervisor FortiSIEM GUI.
- Go to the ANALYTICS tab.
- Run a query for 10-30 minutes and confirm that the speed of the query execution is relatively fast.
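As an added example (not part of the release notes or a Fortinet tool), the functions below derive the index that grub2-set-default needs from grub.cfg instead of counting the listing by hand, and wrap the post-reboot uname -r check from the last step. They assume a grub.cfg written by grub2-mkconfig whose kernels appear as top-level "menuentry '<title>' ..." lines, as the procedure above does; the grub.cfg in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the FortiSIEM release notes or Fortinet): compute the
# grub2-set-default index for the downgraded kernel and check the running kernel.
# Assumes top-level "menuentry '<title>' ..." lines in grub.cfg (no submenus).

TARGET_KERNEL="4.18.0-240.10.1.el8_3.x86_64"   # kernel named in the downgrade steps

# grub_menuentries CFG: print the menu titles in boot-menu order, one per line.
# Same listing as the awk command in the procedure; with -F\' field 1 is
# "menuentry " including its trailing space, so the match allows whitespace.
grub_menuentries() {
    awk -F\' '$1 ~ /^menuentry[[:space:]]*$/ { print $2 }' "$1"
}

# grub_menuentry_index CFG KERNEL: print the 0-based position of the first entry
# whose title contains KERNEL (the number grub2-set-default expects); fail if absent.
# Plain substring matching keeps 240.10.1 distinct from 240.22.1.
grub_menuentry_index() {
    grub_menuentries "$1" | awk -v k="$2" '
        index($0, k) { print NR - 1; found = 1; exit }
        END { if (!found) exit 1 }'
}

# default_kernel_command CFG KERNEL: print the exact grub2-set-default command so it
# can be reviewed before it is run, e.g. "grub2-set-default 2" when the kernel is third.
default_kernel_command() {
    idx=$(grub_menuentry_index "$1" "$2") || { echo "kernel $2 not found in $1" >&2; return 1; }
    printf 'grub2-set-default %s\n' "$idx"
}

# kernel_is_running EXPECTED [ACTUAL]: the final-step check; ACTUAL defaults to the
# live "uname -r" output so the same function works after the reboot.
kernel_is_running() {
    actual=${2:-$(uname -r)}
    [ "$actual" = "$1" ]
}
```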
Need to Re-Configure Open Tunnel After Upgrade/Install of 6.3.0
After upgrading or doing a fresh install of 6.3.0, the "Connect to" a CMDB device via Open Tunnel feature will no longer work without a configuration change. When users connect via a tunnel, the tunnel will appear to be open. However, the displayed Supervisor port on which the tunneled connection is running is actually not open, so users will not be able to connect either via plugin or directly.
To re-enable this feature, take the following steps:
- Edit sshd_config.tunneluser on the Supervisor by changing the entry AllowTcpForwarding to yes:
  AllowTcpForwarding yes
- Reload the tunnel sshd configuration using the following command:
  kill -HUP $(pgrep -f sshd_config.tunneluser)
- If you have tunnels you had opened after the upgrade, but prior to making the above change, you will need to click on the Close All button from the ADMIN > Health > Collector Health > Tunnels page.
Note: This fix was done to address bug 602294: CVE-2004-1653 SSH port forwarding exposes unprotected internal services.
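As an added example (not part of the release notes or a Fortinet tool), the functions below read and set a keyword in an sshd_config-style file the way sshd itself resolves it, so the AllowTcpForwarding change above lands where it takes effect: sshd uses the first active occurrence of a keyword, and anything after a Match line applies only to that block, so appending a line at the end of the file can silently do nothing. They assume the "Keyword value" spelling (not "Keyword=value") and a file path you supply; the config in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the FortiSIEM release notes or Fortinet): resolve and set
# an sshd_config keyword with sshd's first-occurrence, Match-scoped semantics.
# Assumes "Keyword value" lines; the "Keyword=value" form is not handled.

# sshd_effective_value FILE KEYWORD: print the globally effective value of KEYWORD
# (case-insensitive, comments and blank lines ignored, scan stops at the first
# Match line); fail when the keyword is not set in the global section.
sshd_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; found = 1; exit }
        END { if (!found) exit 1 }' "$1"
}

# sshd_set_option FILE KEYWORD VALUE: rewrite the first active global occurrence of
# KEYWORD in place or, when there is none, insert "KEYWORD VALUE" at the top of the
# file (never at the end, which may sit inside a Match block). The file is
# overwritten through cat so its mode and ownership are preserved.
sshd_set_option() {
    tmp=$(mktemp)
    if awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v kw="$2" -v val="$3" '
            !done && !inmatch && tolower($1) == "match" { inmatch = 1 }
            !done && !inmatch && tolower($1) == key { print kw " " val; done = 1; next }
            { print }
            END { if (!done) exit 2 }' "$1" > "$tmp"
    then
        :   # first global occurrence rewritten in place
    else
        { printf '%s %s\n' "$2" "$3"; cat "$1"; } > "$tmp"   # no global occurrence: prepend
    fi
    cat "$tmp" > "$1" && rm -f "$tmp"
}
```

After the change, confirm with sshd_effective_value before sending the HUP from the procedure, since a value that only exists under a Match block or behind a comment is exactly what this check catches.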
Need to set Account Environment in Azure Cloud Support Access Credentials after Upgrade
Prior to the 6.3.0 FortiSIEM release, the Azure CLI agent only supported Global Azure (AzureCloud). It did not support Azure Government Cloud, Azure China Cloud, or Azure German Cloud. In 6.3.0 and later releases, the 4 types of Azure Clouds listed here are supported by the Azure CLI agent.
When you upgrade the collector to 6.3.0 for Azure CLI jobs, make sure the Supervisor is also 6.3.0, and enter the Account Env as part of its Access Credentials.
Account Environment | Azure Portal URL
---|---
AzureCloud | https://portal.azure.com
AzureChinaCloud | https://portal.azure.cn
AzureUSGovernmentCloud | https://portal.azure.us
AzureGermanCloud | https://portal.microsoftazure.de/
Cut and Paste Issue into Report Designer Text Editor
If you cut and paste text from an external document into the Report Designer Text Editor, then you need to select all copied text, click "Clear Format" and then add your own formatting within the Editor. Otherwise, Export will fail.
Elasticsearch Based Deployments Terms Query Limit
In Elasticsearch based deployments, queries containing "IN Group X" are handled using Elastic Terms Query. By default, the maximum number of terms that can be used in a Terms Query is set to 65,536. If a Group contains more than 65,536 entries, the query will fail.
The workaround is to change the "max_terms_count" setting for each event index. Fortinet has tested up to 1 million entries. The query response time will be proportional to the size of the group.
Case 1. For already existing indices, issue the following REST API call to update the setting:
PUT fortisiem-event-*/_settings { "index" : { "max_terms_count" : "1000000" } }
Case 2. For new indices that are going to be created in the future, update fortisiem-event-template so those new indices will have a higher max_terms_count setting:
- cd /opt/phoenix/config/elastic/7.7
- Add "index.max_terms_count": 1000000 (including the quotation marks) to the "settings" section of the fortisiem-event-template. Example:
  ...
  "settings": { "index.max_terms_count": 1000000,
  ...
- Navigate to ADMIN > Storage > Online and perform Test and Deploy.
- Test that new indices have the updated terms limit by executing the following simple REST API call:
  GET fortisiem-event-*/_settings
Rule and Report Modifications since 6.2.1
The following rules were added:
- ES Coordinator Node Staying Down
- ES Coordinator Node Down
- Cortex XDR Alert Detected
- Cortex XDR Alert Prevented
- F5 BIG-IP TMM Attack - FortiGate IPS Exploit Permitted
- FortiAI: Attack Chain Blocked
- FortiAI: Attack Chain Permitted
- CyberX Malware Detected
- Windows Process Tampering Detected
- SUNBURST Suspicious File Hash match by Source and Destination
- DEARCRY Infected File Detected on Network
- DEARCRY Infected File Detected on Host
- DARKSIDE Domain Traffic Detected
- DARKSIDE Ransomware File Activity Detected on Network
- DARKSIDE Ransomware File Activity Detected on Host
- DARKSIDE Ransomware Outbound Network Traffic Detected
- DARKSIDE Ransomware Inbound Network Traffic Detected
- DARKSIDE Suspicious File Hash Found on Network
- DARKSIDE Suspicious File Hash Found on Host
The following rules were deleted:
- Excessive Malware Domain Name Queries
- DNS Traffic to Malware Domains
The following rules were renamed:
- Windows: Unidentified Attacker November 2018 Activity 1 -> Windows: Unidentified Attacker November 2018 Activity 1
- SUNBURST Suspicious File MD5 match -> SUNBURST Suspicious File Hash Match
The following reports were added:
- AWS ELB - Top HTTP Methods by Count
- AWS ELB - Top HTTP Status Codes by Count
- AWS ELB - Top Requests by Source Country
- AWS ELB - Top Source IPs by Count
- AWS ELB - Top Request URLs by Count
- F5 BIG-IP TMM Attack - FortiGate IPS Exploit Permitted
- FortiAI: Attack-Chain Blocked
- FortiAI: Attack-Chain Permitted
- FortiAI: Dashboard Attack-Chain Blocked
- FortiAI: Dashboard Attack-Chain Permitted
- FortiAI: Dashboard Incidents
- FortiAI: Top Attacker IPs by Count
- FortiAI: Top Malware Family by Count
- FortiAI: Top Victim IPs by Count
- Cases Created - Daily
- DARKSIDE Domain Traffic Detected
- DARKSIDE Ransomware File Activity Detected on Network
- DARKSIDE Ransomware File Activity Detected on Host
- DARKSIDE Ransomware Traffic Detected
- DARKSIDE Suspicious File Hash Found
- DEARCRY Infected File Detected on Network
- DEARCRY Infected File Detected on Host
- CyberX Security Alerts
- ZOS: SMF 14/15/17 Dataset Open/Update/Delete Activity
- ZOS: SMF 18 Dataset Rename Activity
- ZOS: SMF 30 JES Job/STC start/end Activity
- ZOS: SMF 32 JES TSO Termination Activity
- ZOS: SMF 42 SMS Add/Delete/Rename/Reuse Activity
- ZOS: SMF 62 VSAM Open Dataset Activity
- ZOS: SMF 80 Security Violations
- ZOS: SMF 81 Initialization and SETROPTS events
- ZOS: SMF 83 Security Changes
- ZOS: SMF 90:37 APF List Changes
- ZOS: SMF 119: TSO Logon
- ZOS: SMF 119: TN3270 Logon
- ZOS: SMF 119: FTP Completion
- ZOS: SMF 119: TCP Connection Termination
The following reports were deleted:
- Incident Trend By Severity - Monthly
- SANS CC5: DNS Traffic To Malware Domains
The following reports were renamed:
- Incident Resolution Time Trend By Severity - Monthly "Mean Time to Resolution" -> Incidents By Location and Category
- Monthly Assigned Incident User Trend -> Cases Created - Weekly
- Incidents By Location and Category -> Cases Closed - Weekly
- Cases Created - Daily -> Cases Closed By User - Weekly
- Cases Created - Monthly -> Incident Trend By Severity - Monthly
- Cases Created - Weekly -> Incident Resolution Time Trend By Severity - Monthly "Mean Time to Resolution"
- Cases Closed - Weekly -> Monthly Assigned Incident User Trend
- Cases Closed By User - Weekly -> Cases Created - Monthly
- SUNBURST Suspicious File MD5 match -> SUNBURST Suspicious File Hash match