
What's New in 6.5.0

This document describes the additions for the FortiSIEM 6.5.0 release.

New Features

FortiSIEM Manager

This release introduces FortiSIEM Manager that can be used to monitor and manage multiple FortiSIEM instances. The FortiSIEM Manager needs to be installed on a separate Virtual Machine and requires a separate license.

Note: Only FortiSIEM Manager and FortiSIEM Supervisor instances 6.5.0+ are supported.

In this release, FortiSIEM Manager provides the following functionalities:

  • Each FortiSIEM Instance needs to register with the FortiSIEM Manager. After successful registration, a 2-way HTTP(S) communication channel is set up between each Instance and the Manager.

  • Incidents, License and Health information are forwarded from each FortiSIEM instance to the FortiSIEM Manager. Incidents are forwarded in near real time, Health information is forwarded once every minute, and License information is forwarded once every hour.

  • FortiSIEM Manager retains Health information for the last 1 day. FortiSIEM Manager also stores Incidents and the latest License information in its local PostgreSQL database. The number of incidents stored depends on the size of the local PostgreSQL database. Raw events are not stored in FortiSIEM Manager. When the user visits the Triggering Event tab on the INCIDENTS page, raw events are fetched on demand from the FortiSIEM Instance.

  • All Incident status changes in each FortiSIEM instance are forwarded to the FortiSIEM Manager. If you create a new rule or change a rule in a FortiSIEM instance, the changes are forwarded to the FortiSIEM Manager.

  • From FortiSIEM Manager, you can perform the following operations, and the changes are propagated to the right FortiSIEM instance(s) with the right FortiSIEM Manager logged-in-user context:

    • Clear, Resolve and Add Comments to one or more Incidents

    • Disable one or more rules and change their severity

    • Change the severity of an incident

    • Run FortiSOAR Playbooks and Connectors and update Incident Status and Comments

    • A one-click operation to log you into the appropriate FortiSIEM instance where an Incident occurred. This enables you to quickly investigate an Incident in depth.

Communication between FortiSIEM Manager and instances is via REST APIs over HTTP(S).

You must upgrade FortiSIEM Manager before upgrading any FortiSIEM Instances; this applies to both Content Updates and Software Image Updates.

For details on installing FortiSIEM Manager, see the VM or Hardware Installation Guides here.

For details on registering a FortiSIEM instance to the FortiSIEM Manager, see here.

For viewing health and license information in FortiSIEM Manager, see here.

ClickHouse Event Database

This release provides ClickHouse as a new embedded event database option. No separate install or support is required. ClickHouse provides significant query speed improvements compared to FortiSIEM EventDB while providing comparable event database compression. Currently, ClickHouse can only be used in Single node deployments, for both hardware appliances and Virtual Machine based setups.

For details on enabling ClickHouse, see here.

For details on switching database to ClickHouse, see Changing Event Storage Options.

For storage and query performance comparison between FortiSIEM EventDB and ClickHouse, see Database Storage Efficiency, Query Performance, Ingestion Speed Comparison.

Elasticsearch Organization Grouping

Elasticsearch may not perform well when you choose a separate event index per Organization and the number of Organizations is large. A large number of Elasticsearch event indices increases the Elasticsearch cluster state and may degrade performance after a point. This release allows you to group Organizations into a maximum of 10 Groups, which results in one Elasticsearch event index per Group. Event ingestion and queries work seamlessly as before, as FortiSIEM queries the right Group for results.

For details on creating Elasticsearch Organization groups, see Custom Organization Index for Elasticsearch.

MITRE ATT&CK Framework for Industrial Control Systems

This release enhances existing support for the MITRE ATT&CK Framework by including Industrial Control Systems (ICS) (see https://collaborate.mitre.org/attackics/index.php/Main_Page). Support for Dragos and Nozomi ICS is extended. Rules are written using Dragos, Nozomi and FortiGate ICS events and mapped to ICS ATT&CK Techniques and Tactics. Three new MITRE ATT&CK dashboards for ICS are created to show Rule coverage, Incident coverage and Kill Chain analysis for ICS Techniques. A discovery method is added for Nozomi ICS devices via the Nozomi API, and the discovered OT/IoT devices are shown in CMDB in a heads-up display. Currently 84 ICS ATT&CK Technique detection rules are provided out of the box, and similar support for other vendors can be added.

For details on how to use MITRE ATT&CK Dashboard for ICS, see MITRE ATT&CK® View.

Key Enhancements

Enhanced Performance and Health Reporting and Visualization

In this release, Collectors and Workers periodically report granular performance metrics to the Supervisor node. The information is stored in the PostgreSQL database for 1 day and displayed in ADMIN > Health > Cloud Health and Collector Health. Collectors report every 3 minutes and Workers report every 1 minute. If a FortiSIEM Instance is registered to FortiSIEM Manager, then this information is also forwarded to FortiSIEM Manager, which displays it across all registered instances. FortiSIEM Manager also stores this information for 1 day. An assessment of node and cluster health is produced by combining various metrics and is shown in Cloud Health and Collector Health in both the FortiSIEM Instance (Supervisor) and FortiSIEM Manager.

An API is provided that can be used to retrieve these metrics for display in 3rd party systems. For details on the API, see the Integration API Guide located here.

For a description of the various metrics and thresholds, refer to the Appendices in the Integration API Guide located here.

Windows OMI Support for FIPS Mode and Kerberos Based Deployments

In FortiSIEM 6.4.0, Windows OMI does not work if FortiSIEM is installed in FIPS mode. This is because Windows OMI uses NTLM authentication by default, which relies on the non-FIPS-compliant RC4 algorithm for encryption. For the same reason, Windows OMI in 6.4.0 does not work in Windows Server environments with Kerberos authentication.

In this release, we provide an option for FortiSIEM Windows OMI client to use FIPS compliant Kerberos authentication instead of NTLM authentication.

For details on configuring Windows OMI for Kerberos authentication, see here.

Automated Collector Content Update

In 6.4.0, Super and Worker Content updates were automated, but Collectors had to be updated manually. Collector Content update is now automated and is performed by the system immediately after the Super and Worker content updates. When Collectors send task REST API calls to the Supervisor, a Content update task is automatically created for the Collectors. Using this task, Collectors download and install the new content.

Generalized Log Pulling from any AWS S3 Bucket

This feature allows FortiSIEM to collect logs written to any AWS S3 bucket. The user only needs to write the JSON parser for that specific device type.

For details see AWS Simple Storage Service in the External Systems Configuration Guide.

FortiSIEM Login Security Enhancements

In this release, FortiSIEM GUI user login security is further improved by introducing the following features.

  • A user is not allowed to reuse any of their last 10 passwords.

  • A user password cannot contain the user name or the user's full name (case-insensitive match).

  • 2 or more password changes within 1 day are not allowed.

  • For GUI Inactivity timeout, a global setting is provided that can be overridden on a per-user basis. This can be done from CMDB (see Adding Users or Editing User Information).

  • An unlocking configuration is provided for users that have been locked out after excessive login failures. The options are:

    1. The user can be unlocked by an Administrator, or

    2. The next login is delayed for a configurable time interval. This can be defined from CMDB (see Adding Users or Editing User Information).
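The rules listed above, modelled as a small policy checker. This is an added illustration, not FortiSIEM code: the history depth (10), the one-change-per-day limit and the two unlock options come from the list above, while the lockout threshold of 5 failures, the PBKDF2 hashing and the names UserRecord, check_new_password, set_password, record_login and admin_unlock are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Policy constants taken from the list above. LOCKOUT_THRESHOLD is a constructed
# value: the real failure threshold is a FortiSIEM setting not given on this page.
HISTORY_DEPTH = 10           # the last 10 passwords cannot be reused
MAX_CHANGES_PER_DAY = 1      # 2 or more changes within 1 day are rejected
DAY_SECONDS = 24 * 60 * 60
LOCKOUT_THRESHOLD = 5


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the password history never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class UserRecord:
    username: str
    full_name: str
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest last
    change_times: list[float] = field(default_factory=list)            # epoch seconds of each change
    failed_logins: int = 0
    locked_until: float = 0.0                                          # 0 = not locked


def check_new_password(user: UserRecord, new_password: str, now: float) -> str | None:
    """Return None if the password satisfies the policy, otherwise the rule it breaks."""
    lowered = new_password.lower()                        # case-insensitive match
    if user.username.lower() in lowered:
        return "password contains user name"
    if user.full_name and user.full_name.lower() in lowered:
        return "password contains full name"
    # Compare against the stored salted digests of the last HISTORY_DEPTH passwords.
    for salt, digest in user.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_hash(new_password, salt), digest):
            return "password matches one of the last %d passwords" % HISTORY_DEPTH
    # Rolling 24 h window: a second change inside it is rejected.
    recent = [t for t in user.change_times if now - t < DAY_SECONDS]
    if len(recent) >= MAX_CHANGES_PER_DAY:
        return "only one password change is allowed per day"
    return None


def set_password(user: UserRecord, new_password: str, now: float) -> tuple[bool, str]:
    """Apply the policy and, on success, record the new password in the history."""
    reason = check_new_password(user, new_password, now)
    if reason is not None:
        return False, reason
    salt = os.urandom(16)
    user.history.append((salt, _hash(new_password, salt)))
    user.history = user.history[-HISTORY_DEPTH:]         # keep only what the rule needs
    user.change_times.append(now)
    return True, "ok"


def record_login(user: UserRecord, success: bool, now: float, unlock_delay: float | None) -> str:
    """Lockout handling. unlock_delay=None models option 1 (only an Administrator can
    unlock); a number of seconds models option 2 (the next login is delayed that long)."""
    if now < user.locked_until:
        return "locked"
    if success:
        user.failed_logins = 0
        return "ok"
    user.failed_logins += 1
    if user.failed_logins >= LOCKOUT_THRESHOLD:
        user.failed_logins = 0
        user.locked_until = float("inf") if unlock_delay is None else now + unlock_delay
        return "locked"
    return "failed"


def admin_unlock(user: UserRecord) -> None:
    """Option 1: an Administrator clears the lock."""
    user.locked_until = 0.0
    user.failed_logins = 0
```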

Elasticsearch Support Enhancements

  • A disk-based buffering mechanism is introduced on each Super/Worker that can store events when FortiSIEM fails to insert events into Elasticsearch. Because of this buffer, Incidents can keep triggering, but the triggering events will only show once the events are in Elasticsearch. For details on how to configure the event buffer, see Configuring Elasticsearch Buffer in the Appendix.

  • An enhancement is introduced to optimize the shard usage during EPS surge using deeper Elasticsearch metrics. This allows Elasticsearch to scale better in high usage scenarios.

Automated SNMP V3 Trap Configuration

To receive SNMP V3 Traps in 6.4.0, the customer had to manually add sender EngineIDs to the Collector's SNMP configuration. Manually adding a large number of device EngineIDs may be cumbersome. This step is automated in this release using SNMP V3 Discovery. FortiSIEM learns a device's Engine ID during SNMP V3 based discovery. The Engine IDs are then propagated to all FortiSIEM nodes. When a device sends SNMP V3 Traps after discovery, any FortiSIEM node can handle the traps.

For more information on configuration, see SNMP V3 Traps in the External Systems Configuration Guide.

UEBA based on Log

In earlier releases, User Entity Behavior Analytics (UEBA) was based on proprietary logs collected by the FortiSIEM Windows UEBA Agent. In this release, the analytics are extended to the following regular logs. Note that regular logs only cover a subset of the user activities compared to the FortiSIEM UEBA Agent.

Windows Security logs

  • Unusual machine on activity based on Win-Security-4608 log

  • Unusual machine off activity based on Win-Security-4609 log

  • Unusual host logon activity based on Win-Security-4624 log

  • Unusual host logoff activity based on Win-Security-4634 log

  • Unusual file deletion based on Win-Security-4660 log

  • Unusual process created based on Win-Security-4688 log

  • Unusual process stopped based on Win-Security-4689 log

Windows Sysmon

  • Unusual process created based on Win-Sysmon-1-Create-Process log

  • Unusual process stopped based on Win-Sysmon-5-Process-Terminated log

  • Unusual file creation based on Win-Sysmon-11-FileCreate log

  • Unusual file deletion based on Win-Sysmon-23-File-Delete-archived and Win-Sysmon-26-File-Delete-logged log

Linux Agent

  • Unusual process created based on LINUX_PROCESS_EXEC log

  • Unusual machine off activity based on Generic_Unix_System_Shutdown log

  • Unusual host logon activity based on Generic_Unix_Successful_SSH_Login log

For detailed comparison of Windows UEBA Agent versus log based UEBA, see Appendix - Comparing UEBA Sources.

Ability to Turn off FortiSIEM Elasticsearch ILM Control

By default, FortiSIEM manages and deploys Elasticsearch Index Life Cycle Management (ILM) policies, e.g. 14 days in hot storage, 30 days in warm storage, etc. If you want to manage ILM policies on your own, set fsm_ilm_mode=0 in phoenix_config.txt on the Supervisor node. No process restart is needed for the change to take effect.

Notes:

  1. If the ILM policy was stopped prior to 6.5.0, then after upgrading to 6.5.0 the user must stop the ILM policy again. This will not be needed from 6.5.0 onwards.

  2. Even if you turn off FortiSIEM ILM policy management, FortiSIEM still manages disk space based on thresholds, so that the system can keep running.

The relevant setting in phoenix_config.txt:

  [BEGIN Elasticsearch]
  ...
  fsm_ilm_mode=0 # 0 - no control, 1 - set ilm for retention policies (default)

Integration API Updates

This release enhances external Integration REST APIs:

  1. New Performance and Health API - can be run against FortiSIEM Supervisor or FortiSIEM Manager.

  2. New Event and Query Worker Configuration APIs

  3. Updates to CMDB Integration APIs

    • Add CMDB Device(s)

    • Get CMDB Device List

    • Delete CMDB Device(s)

    • Update Device by Id

    • Get Device Custom Property

    • Update Device Custom Property

For details, see the Integration API Guide located here.

System Upgrades

New Device Support

Bug Fixes and Minor Enhancements

Bug ID | Severity | Module | Description
------ | -------- | ------ | -----------
781951 | Major | App Server | Users with custom Full Admin roles cannot log in to FortiSIEM.
774397 | Major | Data Manager | Event file upload to Elasticsearch is slow for Organizations with a large org Id.
789843 | Major | Performance Monitor | Fails to get running-config from Cisco IOS devices.
775718 | Minor | Agent | Linux Agent and Windows Agent registration fails when the agent user's password contains a backslash character.
798635 | Minor | Agent Manager | CyberArk Integration does not work for authenticating to Windows servers via WMI/OMI.
797841 | Minor | Agent Manager | OMI may return corrupted data in class name.
795638 | Minor | Agent Manager | Sophos log collection module may poll very frequently (quickly reaching the API limit).
790512 | Minor | Agent Manager | Cisco AMP stream does not collect very large events over 100K; these events contain multiple events inside.
795273 | Minor | Agent Monitor | Enabling an AWS CloudWatch pull event may cause phAgentManager to crash on the collector.
797679 | Minor | App Server | User cannot export multiple selected cases in RTF and CSV format.
794338 | Minor | App Server | New Dashboards created in Global Dashboard no longer appear after a couple of hours.
792832 | Minor | App Server | Glassfish passwords are stored in plain text in a file under /opt/phoenix/deployment.
791114 | Minor | App Server | ServiceNow Device Outbound Integration may fail if Installed Software Date was NULL.
790866 | Minor | App Server | Incident Email does not have new lines between Raw Events if a custom HTML Incident Email Template is used.
788973 | Minor | App Server | Content Update Install may fail with a generic "Operation failed" error if FortiGuard does not return content. Subsequent retries succeed without issue.
786289 | Minor | App Server | Previewing a long running report bundle may fail.
784027 | Minor | App Server | If UEBA expired, then a new Windows Agent sometimes does not go from Registered to Running state.
782304 | Minor | App Server | User with a cloned "Full Admin" role with Data Conditions defined cannot search for rules in RESOURCES > Rules.
781538 | Minor | App Server | In ANALYTICS > Search for EventDB, inheritance does not work between Application Groups and Subgroups.
776600 | Minor | App Server | When the device count is 1 less than the license, then the Agent cannot become Running from Registered.
776214 | Minor | App Server | Searching currently Active Incidents generated many months ago fails in INCIDENTS > Search.
773472 | Minor | App Server | Trigger events are empty for some incidents in notification emails.
767265 | Minor | App Server | Sometimes the Report Bundle cover page does not show the custom image.
766229 | Minor | App Server | If an incident is open towards the next month, Incident Outbound Integration creates duplicate incidents in the help desk systems (e.g. ServiceNow, ConnectWise).
763531 | Minor | App Server | Report Bundle Export displays an "Export Error" message for very long running reports (e.g. report interval is 30 days or more in a system with lots of data).
785547 | Minor | Data | The ADMIN > Health > Cloud Health page sometimes times out after upgrade to 6.4.0, if there are many workers.
784655 | Minor | Data | MSDefAdvancedHuntingParser.xml Test Event has a leading [ bracket, breaking the JSON format.
784155 | Minor | Data | Definition for "Top Windows Process Created" is incorrect.
778129 | Minor | Data | AppFlow reports should include event IOS-NETFLOW-BI.
777847 | Minor | Data | Parsing for Microsoft-Windows-TerminalServices-Gateway and LocalSessionManager events needs to be fixed.
768672 | Minor | Data | FortiSIEM is not parsing Cisco ASA events correctly when the host name contains "ASA-".
779548 | Minor | Data Purger | phDataPurger incorrectly counts master nodes as hot nodes in AWS-managed Elasticsearch.
791321 | Minor | Data Purger | Data Purger needs to handle error 404 when trying to purge non-existent ES indices.
802946 | Minor | GUI | Virtual collector configuration in "Host To Template Associations" is not being saved.
790877 | Minor | GUI | Columns "Avail Incidents", "Perf Incidents", and "Security Incidents" are empty in Summary Dashboard.
780737 | Minor | GUI | In ANALYTICS > Search, Trend does not work properly when Group By has time related attributes (e.g. Event Receive Hour, Event Receive Day).
780688 | Minor | GUI | Sometimes, the user cannot reset their own password because of internal errors.
777518 | Minor | GUI | FortiSOAR: If executing a playbook on an incident, then executing Connector > add to Comments overwrites the playbook results.
776295 | Minor | GUI | GUI shows an "Undefined" error when the user attempts to set a new password for a user created with the "Password Reset" field set.
775207 | Minor | GUI | When executing a FortiSOAR playbook, the Details tab does not display data under some conditions.
773473 | Minor | GUI | "Install Status" and "Upgrade Version" show wrong values for collector health after continuous upgrade.
766510 | Minor | GUI | ANALYTICS Filter: Inner CMDB Query fails, seemingly dependent on the name of the CMDB report.
790937 | Minor | Identity and Location | Identity and location: Windows Kerberos Authentication followed by DHCP results in duplicate entries since the Workstation name is missing in the Windows 4624 event.
783844 | Minor | Java Query Server | Java Query Server sometimes uses older Java libraries and is unable to connect to Elasticsearch.
765552 | Minor | Java Query Server | Sometimes, the Java Query Server searches 30 days of event indices instead of one day when there are no search filters.
763150 | Minor | Java Query Server | Sometimes, reports are missing from the exported PDF for scheduled report bundles that use pre-compute.
802966 | Minor | Parser | Event Forwarding of PH_AUDIT logs truncates the raw events.
780668 | Minor | Parser | Parser Inbuilt Function: convertHexStrToInt() gives wrong results.
776350 | Minor | Parser | External protocol error (PH_PARSER_INVALID_EXT_LOG_PROTO) from collectors occurs when OMI was configured.
799016 | Minor | Performance Monitor | MySQL performance monitoring events have hardcoded instance names instead of what is defined in the Credential.
799002 | Minor | Performance Monitor | Startup-config changes cannot be pulled in Cisco IOS XR.
768515 | Minor | Performance Monitor | Several bug fixes and enhancements for FortiOS based devices collecting performance metrics (e.g. FortiGate, FortiAP, FortiSwitch) via REST API.
769414 | Minor | QueryMaster | phQueryMaster memory usage increases when FortiSIEM collects performance metrics for a large number of devices that are all included in the Summary dashboard. This summary data is held in memory and needs to be more aggressively purged.
777226 | Minor | System | Using configFSM.sh to change the Collector IP may result in failure due to a DR_ROLE reference.
774030 | Minor | System | Disable the TRACE/TRACK HTTP method by default on the HTTP port.
768018 | Minor | System | Upgrade Log4j-core to the latest stable version 2.17.
787121 | Enhancement | App Server | Shorten the time for querying new entries in Lookup Table. Currently, there is a maximum 10 minute delay.
609622 | Enhancement | App Server | Support needed for the Arabic character set inside events in PDF and CSV reports.
779657 | Enhancement | Data | Need to parse CEF formatted Palo Alto firewall logs.
773036 | Enhancement | Data | CheckpointCEFParser does not parse URL filtering logs correctly.
770908 | Enhancement | Data | PAN-OS-THREAT-virus-100000-deny is not parsed correctly.
770842 | Enhancement | Data | Enhanced FortiWebParser to support FWB-VM-S and original source IP.
770561 | Enhancement | Data | FortiAnalyzer internal alert events are not parsed.
770195 | Enhancement | Data | Windows WMI Parser needs to parse Active Directory Federation Services (ADFS) events.
769325 | Enhancement | Data | JunOS Parser needs to be updated.
766960 | Enhancement | Data | Windows Parser does not extract the fields File Name and File Path for security event 6281.
766461 | Enhancement | Data | Cisco StealthWatch Parser cannot parse Cisco StealthWatch logs from versions after 7 because the log format changed.
765158 | Enhancement | Data | VMwareVCenterParser does not parse some VMware vCenter logs.
754088 | Enhancement | Data | Need to enhance the HP Procurve switch (essentially Aruba Switch) Parser as they have a different log format.
745967 | Enhancement | Data | Service name is not parsed for the Win-Security-4673 event.
745905 | Enhancement | Data | The rule "Windows: Generic Password Dumper Activity on LSASS" needs adjustment.
787995 | Enhancement | Data | Linux Threat Rules need to be updated with correct parsed attributes.
787273 | Enhancement | Data | Jenkins logs need to be parsed.
793108 | Enhancement | Data Purger | Provide the customer with the ability to turn off ILM and preserve this configuration after upgrade.
785761 | Enhancement | GUI | Enhance the default NetFlow Dashboard by including various charts.
777776 | Enhancement | GUI | No longer allow REGEX on IP fields in Search Filters.
777633 | Enhancement | GUI | Lookup Table: Report Schedule Trend selector not needed when scheduling import via report.
777631 | Enhancement | GUI | Need to only allow applicable operators for LookupTableGet().
777585 | Enhancement | GUI | CASES > Action History > List > Incident Actions history shows the action, but is missing the action detail.
777570 | Enhancement | GUI | Create Case/Ticket in INCIDENTS: need auto-refresh of selected incident data after creation and consistent field naming.
777534 | Enhancement | GUI | Incident Details: Quick Lookup button needed for user fields under triggering events.
777512 | Enhancement | GUI | The FortiSOAR Playbook Execution Result dialog window on Incident tab > Actions > Add summary contains no line break between header and message.
777485 | Enhancement | GUI | FortiGuard IOC Lookup in INCIDENTS page, on execute, is missing results in Incident > Action History, e.g. IP x.x.x.x is malicious.
777149 | Enhancement | GUI | Image upload failures show an incorrect error message, "Checksum error", when the actual error is a connection error to FortiGuard.
774594 | Enhancement | GUI | The default Report Design Template for a Report Bundle is shown when the user attempts to edit the default template.
765339 | Enhancement | Java Query Server | Speed up the export of 100k search records from Elasticsearch into a CSV file.
790052 | Enhancement | Parser | Increase the number of concurrent TLS connections handled by the Parser module for syslog over TLS.
782926 | Enhancement | Parser | Add Parser for MS Defender for Endpoint Advanced Hunting events forwarded to Azure Event Hub.
644096 | Enhancement | Performance Monitor | SNMP V3 Support includes AES256 and SHA256 (previously only the less secure AES128 was supported).
784753 | Enhancement | System | Reduce upgrade time for large EventDB based FortiSIEM deployments (large /data/archive and SVN files).
773866 | Enhancement | System | Azure VHD image update should not include a swap partition, to be compliant with Azure marketplace.
770161 | Enhancement | System | UDP port 6343 needs to be opened on all nodes for ingesting sFlow.

Rule and Report Modifications since 6.4.0

The following rules were added:

  • Active Directory Privilege Escalation Exploit Detected on Host

  • Active Directory Privilege Escalation Exploit Detected on Network

  • FortiAnalyzer: No logs received from a device in 4 hours

  • FortiGate ICS Alert: Exploitation of Remote Services

  • HermeticWiper-Foxblade Malware Detected on Host

  • HermeticWiper-Foxblade Malware Detected on Network

  • ICS Alert: Activate Firmware Update Mode

  • ICS Alert: Alarm Suppression

  • ICS Alert: Automated Collection

  • ICS Alert: Block Command Message

  • ICS Alert: Block Reporting Message

  • ICS Alert: Block Serial COM

  • ICS Alert: Brute Force I/O

  • ICS Alert: Change Operating Mode

  • ICS Alert: Command-Line Interface

  • ICS Alert: Commonly Used Port

  • ICS Alert: Connection Proxy

  • ICS Alert: Damage to Property

  • ICS Alert: Data Destruction

  • ICS Alert: Data from Information Repositories

  • ICS Alert: Default Credentials

  • ICS Alert: Denial of Control

  • ICS Alert: Denial of Service

  • ICS Alert: Denial of View

  • ICS Alert: Detect Operating Mode

  • ICS Alert: Device Restart/Shutdown

  • ICS Alert: Drive-by Compromise

  • ICS Alert: Execution through API

  • ICS Alert: Exploit Public-Facing Application

  • ICS Alert: Exploitation for Evasion

  • ICS Alert: Exploitation for Privilege Escalation

  • ICS Alert: Exploitation of Remote Services

  • ICS Alert: External Remote Services

  • ICS Alert: Graphical User Interface

  • ICS Alert: Hooking

  • ICS Alert: I/O Image

  • ICS Alert: Indicator Removal on Host

  • ICS Alert: Internet Accessible Device

  • ICS Alert: Lateral Tool Transfer

  • ICS Alert: Loss of Availability

  • ICS Alert: Loss of Control

  • ICS Alert: Loss of Productivity and Revenue

  • ICS Alert: Loss of Protection

  • ICS Alert: Loss of Safety

  • ICS Alert: Loss of View

  • ICS Alert: Man in the Middle

  • ICS Alert: Manipulate I/O Image

  • ICS Alert: Manipulation of Control

  • ICS Alert: Manipulation of View

  • ICS Alert: Masquerading

  • ICS Alert: Modify Alarm Settings

  • ICS Alert: Modify Controller Tasking

  • ICS Alert: Modify Parameter

  • ICS Alert: Modify Program

  • ICS Alert: Module Firmware

  • ICS Alert: Monitor Process State

  • ICS Alert: Native API

  • ICS Alert: Network Connection Enumeration

  • ICS Alert: Network Sniffing

  • ICS Alert: Point Tag Identification

  • ICS Alert: Program Download

  • ICS Alert: Program Upload

  • ICS Alert: Project File Infection

  • ICS Alert: Remote Services

  • ICS Alert: Remote System Discovery

  • ICS Alert: Remote System Information Discovery

  • ICS Alert: Replication Through Removable Media

  • ICS Alert: Rogue Master

  • ICS Alert: Rootkit

  • ICS Alert: Screen Capture

  • ICS Alert: Scripting

  • ICS Alert: Service Stop

  • ICS Alert: Spearphishing Attachment

  • ICS Alert: Spoof Reporting Message

  • ICS Alert: Standard Application Layer Protocol

  • ICS Alert: Supply Chain Compromise

  • ICS Alert: System Firmware

  • ICS Alert: Theft of Operational Information

  • ICS Alert: Transient Cyber Asset

  • ICS Alert: Unauthorized Command Message

  • ICS Alert: User Execution

  • ICS Alert: Valid Accounts

  • ICS Alert: Wireless Compromise

  • ICS Alert: Wireless Sniffing

  • Ingress Tool Transfer - Execution Alert from MS Defender for Endpoint

  • Linux: File Permission Modification in Writable Relative Directory By non-root user

  • LSASS Memory - Credential Access Alert from MS Defender for Endpoint

  • Masquerading - Execution Alert from MS Defender for Endpoint

  • Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on Network

  • Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on Host

  • MS Defender for Endpoint Alert - Generic

  • OS Credential Dumping - Suspicious Activity Alert from MS Defender for Endpoint

  • Process Injection - Defense Evasion Alert from MS Defender for Endpoint

  • Suspicious PowerShell command line - Execution Alert from MS Defender for Endpoint

  • Suspicious Process Discovery - Discovery Alert from MS Defender for Endpoint

  • Suspicious Task Scheduler activity - Persistence Alert from MS Defender for Endpoint

  • System Network Configuration Discovery - Discovery Alert from MS Defender for Endpoint

  • System Service Discovery - Discovery Alert from MS Defender for Endpoint

  • UEBA AI detects unusual file deletion

  • Win32k Elevation of Privilege Vulnerability Detected on Host

  • Win32k Elevation of Privilege Vulnerability Detected on Network

  • Windows HTTP Protocol Stack RCE Detected on Host

  • Windows HTTP Protocol Stack RCE Detected on Network

  • Windows Logging Service Shutdown

  • Windows Security Log is Full

The following rules were renamed:

  • Linux: Account Discovery via Built-In Tools on $hostName -> Linux Account Discovery via Built-In Tools

  • Linux: File Permission Modification in Writable Directory By non-root user -> Linux: File Permission Modification in Writable Absolute Directory By non-root user

  • UEBA AI detects unusual machine logoff -> UEBA AI detects unusual user logoff

The following reports were added:

  • Active Directory Privilege Escalation Exploit Detected on Host

  • Active Directory Privilege Escalation Exploit Detected on Network

  • HermeticWiper-Foxblade Malware Detected on Host

  • HermeticWiper-Foxblade Malware Detected on Network

  • Jenkins Automation: Job Config Submit Audit Report

  • Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on Network

  • Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on Host

  • MS Defender for Endpoint Alerts

  • MS Defender for Endpoint Events

  • NetFlow: Detailed Traffic Report

  • NetFlow: Top Destination Countries by Total Bytes

  • NetFlow: Top FortiGuard Malware IP Communication by Sent and Received Bytes

  • NetFlow: Top FortiGuard Malware IP Communication by Source IP

  • NetFlow: Top Protocols by Total Bytes

  • NetFlow: Top Traffic by Source and Destination Countries

  • NetFlow: Top Uncommon Outbound Protocols by Count

  • NetFlow: Traffic Flow Details by Total Bytes

  • Nutanix: API Requests Audit

  • Nutanix: Top Consolidated Audit Events by Count

  • Nutanix: Top Consolidated Audit Events by User

  • Nutanix: Top Dropped Traffic Flows

  • Nutanix: Top Dropped Traffic Flows by Destination

  • Nutanix: Top Dropped Traffic Flows by Source

  • Nutanix: Top Permitted Traffic Flows

  • Nutanix: Top Permitted Traffic Flows by Destination

  • Nutanix: Top Permitted Traffic Flows by Source

  • Win32k Elevation of Privilege Vulnerability Detected on Host

  • Win32k Elevation of Privilege Vulnerability Detected on Network

  • Windows HTTP Protocol Stack RCE Detected on Host

  • Windows HTTP Protocol Stack RCE Detected on Network

Known Issues

  1. Currently, Policy based retention for EventDB does not cover two event categories: (a) System events with phCustId = 0, e.g. a FortiSIEM External Integration Error, FortiSIEM process crash, etc., and (b) Super/Global customer audit events with phCustId = 3, e.g. the audit log generated from a Super/Global user running an ad hoc query. These events are purged when disk usage reaches the high watermark.

  2. On hardware appliances running FortiSIEM 6.6.0 or earlier, FortiSIEM execute shutdown CLI does not work correctly. Please use the Linux shutdown command instead.

  3. App Server may fail to restart after FortiSIEM reboot or App Server restart. Perform the following workaround to bring up App Server.

    1. Clean up App Server cache by running the following commands.

      # su admin
      $ cd /opt/glassfish/domains/domain1/
      $ rm -rf generated/
      $ rm -rf osgi-cache/
      
    2. Restart App Server by running the following commands.

      $ cat /opt/glassfish/domains/domain1/config/pid
      $ kill -9 $(cat /opt/glassfish/domains/domain1/config/pid)
      
  4. If you change the Supervisor IP address (using the recommended configFSM utility), there will be 2 entries for Supervisor in ADMIN > Health > Cloud Health: one for the new IP address and another for the old IP address. To remove the entry with the old IP address from the database, run the following SQL commands on the Supervisor node, replacing newIp and oldIp with the new and old addresses.

    delete from ph_health_status where host_ip='newIp' and nodetype=0;
    update ph_health_status set host_ip='newIp' where host_ip='oldIp' and nodetype=0;

    If the Supervisor Instance was registered to FortiSIEM Manager, then run these commands on the FortiSIEM Manager node, replacing /*instanceID*/ with the ID of the registered instance.

    delete from ph_health_status where host_ip='newIp' and nodetype=0 and cust_org_id=/*instanceID*/;
    update ph_health_status set host_ip='newIp' where host_ip='oldIp' and nodetype=0 and cust_org_id=/*instanceID*/;

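
    The same clean-up as a generated psql script, added as an illustration and not taken from Fortinet's tooling: the two placeholders are validated as IP addresses before they are placed in the literals, and the statements run in one transaction that rolls back unless exactly one Supervisor row with the new address remains, so a mistyped old address cannot leave you with no health entry at all. Table and column names are those shown above; the function name, the row-count expectation and the command-line usage are assumptions of this example.

```python
"""Added example (not a Fortinet tool): builds the Known Issue 4 clean-up SQL
for ph_health_status with the placeholders validated and the statements
wrapped in one transaction that checks its own result before committing.
Table and column names come from the release notes; the rest is assumed."""
import ipaddress
import sys


def health_fix_sql(new_ip, old_ip, instance_id=None):
    """Return a psql script that replaces the old-IP Supervisor row with the new IP.

    new_ip / old_ip must be valid IP addresses (a stray quote or anything else
    that is not an address raises ValueError instead of reaching the literal).
    instance_id is the cust_org_id used only on the FortiSIEM Manager node and
    must be a non-negative integer when given.
    """
    new_ip = str(ipaddress.ip_address(new_ip))
    old_ip = str(ipaddress.ip_address(old_ip))
    if new_ip == old_ip:
        raise ValueError("new and old IP are identical; nothing to fix")
    scope = "nodetype=0"
    if instance_id is not None:
        if not isinstance(instance_id, int) or instance_id < 0:
            raise ValueError("instance_id must be a non-negative integer")
        scope += f" and cust_org_id={instance_id}"
    return "\n".join([
        "BEGIN;",
        # Same two statements as the release notes, with the placeholders filled in.
        f"delete from ph_health_status where host_ip='{new_ip}' and {scope};",
        f"update ph_health_status set host_ip='{new_ip}' where host_ip='{old_ip}' and {scope};",
        # Guard (assumption of this example): exactly one Supervisor row should
        # remain. RAISE aborts the transaction, so the COMMIT below becomes a rollback.
        "DO $$",
        "BEGIN",
        f"  IF (select count(*) from ph_health_status where host_ip='{new_ip}' and {scope}) <> 1 THEN",
        f"    RAISE EXCEPTION 'expected exactly one Supervisor row for {new_ip}; rolling back';",
        "  END IF;",
        "END $$;",
        "COMMIT;",
    ])


if __name__ == "__main__":
    # usage: python fix_health_ip.py NEW_IP OLD_IP [INSTANCE_ID]  (pipe the output into psql)
    if len(sys.argv) < 3:
        sys.exit("usage: NEW_IP OLD_IP [INSTANCE_ID]")
    inst = int(sys.argv[3]) if len(sys.argv) > 3 else None
    print(health_fix_sql(sys.argv[1], sys.argv[2], inst))
```

    Pipe the printed script into psql against the FortiSIEM database on the Supervisor (or, with the instance ID, on the Manager); the database name and role are not given on this page. Because everything sits between BEGIN and COMMIT, the RAISE in the guard aborts the transaction and the final COMMIT reports a rollback rather than committing a half-done change.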
  5. FortiSIEM Manager cannot be installed in an IPV6 network.

  6. There is a known issue with Elasticsearch rollup search API when sorting AVG (https://github.com/elastic/elasticsearch/issues/58967). Therefore, do not use pre-compute Elasticsearch queries that have ASC or DESC on AVG().

  7. In Elasticsearch based deployments, queries containing "IN Group X" are handled using Elastic Terms Query. By default, the maximum number of terms that can be used in a Terms Query is set to 65,536. If a Group contains more than 65,536 entries, the query will fail.

    The workaround is to change the “max_terms_count” setting for each event index. Fortinet has tested up to 1 million entries. The query response time will be proportional to the size of the group.

    Case 1. For already existing indices, issue the following REST API call to update the setting.

    PUT fortisiem-event-*/_settings
    {
      "index" : {
        "max_terms_count" : "1000000"
      }
    }
    

    Case 2. For new indices that will be created in the future, update fortisiem-event-template so that those new indices get the higher max_terms_count setting.

    1. cd /opt/phoenix/config/elastic/7.7

    2. Add "index.max_terms_count": 1000000 (including quotations) to the “settings” section of the fortisiem-event-template.

      Example:

      ...

      "settings": {
          "index.max_terms_count": 1000000,
      

      ...

    3. Navigate to ADMIN > Storage > Online and perform Test and Deploy.

    4. Verify that new indices have the updated terms limit by executing the following REST API call.

      GET fortisiem-event-*/_settings
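
    The three pieces of this workaround that are worth scripting, added here as an example that is not taken from FortiSIEM or its configuration files: the body for the Case 1 PUT, the Case 2 edit of the template's settings section, and the step 4 check that reads a GET _settings response and lists every fortisiem-event index still below the new limit (an index with no max_terms_count entry is on the 65,536 default). The sample template and the sample response are constructed for this example, and the function names are assumptions.

```python
"""Added example, not part of FortiSIEM: helpers for the max_terms_count
workaround (Known Issue 7). Constants come from the release notes; the sample
template and GET _settings response below are constructed, not captured."""
import json

ES_DEFAULT_MAX_TERMS = 65536      # Elasticsearch default quoted in the release notes
TARGET_MAX_TERMS = 1_000_000      # value Fortinet states it has tested


def settings_update_body(limit=TARGET_MAX_TERMS):
    """Body for `PUT fortisiem-event-*/_settings` (Case 1). The value is sent
    as a string, matching the form shown in the release notes."""
    return {"index": {"max_terms_count": str(limit)}}


def add_max_terms_count(template, limit=TARGET_MAX_TERMS):
    """Case 2, step 2: return a copy of the fortisiem-event-template document
    with "index.max_terms_count" set in its "settings" section. A nested
    settings.index.max_terms_count entry, if one exists, is dropped so the
    template does not carry the same setting twice. The input is not modified."""
    doc = json.loads(json.dumps(template))          # deep copy of a JSON document
    settings = doc.setdefault("settings", {})
    nested = settings.get("index")
    if isinstance(nested, dict):
        nested.pop("max_terms_count", None)
    settings["index.max_terms_count"] = limit
    return doc


def index_max_terms(index_entry):
    """Effective max_terms_count for one index entry of a GET _settings
    response. Elasticsearch returns the value as a string and omits it when
    the index is still on the default."""
    value = index_entry.get("settings", {}).get("index", {}).get("max_terms_count")
    return int(value) if value is not None else ES_DEFAULT_MAX_TERMS


def indices_below_limit(settings_response, limit=TARGET_MAX_TERMS):
    """Step 4 check over `GET fortisiem-event-*/_settings` output: sorted names
    of the indices whose limit is still below what the group size needs."""
    return sorted(name for name, entry in settings_response.items()
                  if index_max_terms(entry) < limit)


# Constructed sample template (shape only; not the shipped fortisiem-event-template).
SAMPLE_TEMPLATE = {
    "index_patterns": ["fortisiem-event-*"],
    "settings": {"index": {"number_of_shards": 5}},
    "mappings": {},
}

# Constructed sample of a GET _settings response: one index already raised,
# one still on the implicit default, one explicitly at the default.
SAMPLE_SETTINGS_RESPONSE = {
    "fortisiem-event-2022.05.01-1": {"settings": {"index": {"max_terms_count": "1000000", "number_of_shards": "5"}}},
    "fortisiem-event-2022.04.30-1": {"settings": {"index": {"number_of_shards": "5"}}},
    "fortisiem-event-2022.04.29-1": {"settings": {"index": {"max_terms_count": "65536", "number_of_shards": "5"}}},
}


if __name__ == "__main__":
    print(json.dumps(settings_update_body()))
    print(json.dumps(add_max_terms_count(SAMPLE_TEMPLATE), indent=2))
    print("indices still below the limit:", indices_below_limit(SAMPLE_SETTINGS_RESPONSE))
```

    After the Test and Deploy step, feed the real GET output to indices_below_limit; a non-empty list means an index was created from the old template or predates the Case 1 PUT and still needs the settings update.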

What's New in 6.5.0

What's New in 6.5.0

This document describes the additions for the FortiSIEM 6.5.0 release.

New Features

FortiSIEM Manager

This release introduces FortiSIEM Manager that can be used to monitor and manage multiple FortiSIEM instances. The FortiSIEM Manager needs to be installed on a separate Virtual Machine and requires a separate license.

Note: Only FortiSIEM Manager and FortiSIEM Supervisor instances 6.5.0+ are supported.

In this release, FortiSIEM Manager provides the following functionalities:

  • Each FortiSIEM Instance needs to register to the FortiSIEM Manager. After successful registration, a 2-way HTTP(S) communication channel is set up between each Instance and the Manager.

  • Incidents, License and Health information will be forwarded from each FortiSIEM instance to the FortiSIEM Manager. Incidents are forwarded in near-real time, Health information forwarded once every minute, and License information forwarded once every hour.

  • FortiSIEM Manager retains Health information for the last 1 day. FortiSIEM Manager also stores Incidents and the latest License information in local PostGreSQL database. The number of incidents stored depends on the size of the local PostGreSQL database. Raw events are not stored in FortiSIEM Manager. When the user visits the Triggering Event tab on the INCIDENTS page, raw events are fetched on demand from the FortiSIEM Instance.

  • All Incident status changes in each FortiSIEM instance are forwarded to the FortiSIEM Manager. If you create a new rule or make changes to a rule in a FortiSIEM instance, the changes are forwarded to the FortiSIEM Manager.

  • From FortiSIEM Manager, you can do the following operations and the changes are propagated to the right FortiSIEM instance(s) with the right FortiSIEM Manager logged-in-user context:

    • Clear, Resolve and Add Comments to one or more Incidents

    • Disable one or more rules and change their severity.

    • Change the severity of an incident

    • Run FortiSOAR Playbooks and Connectors and update Incident Status and Comments

    • A one-click operation to log you into the appropriate FortiSIEM instance where an Incident occurred. This enables you quickly to investigate an Incident in depth.

Communication between FortiSIEM Manager and instances is via REST APIs over HTTP(S).

You have to upgrade FortiSIEM Manager first before upgrading all FortiSIEM Instances - this applies to both Content Update and Software Image Update.

For details in installing FortiSIEM Manager, see the VM or Hardware Installation Guides here.

For details on registering a FortiSIEM instance to the FortiSIEM Manager, see here.

For viewing health and license information in FortiSIEM Manager, see here.

ClickHouse Event Database

This release provides ClickHouse as a new embedded event database option. No separate install or support is required. ClickHouse provides significant query speed improvements compared to FortiSIEM EventDB while providing comparable event database compression. Currently, ClickHouse can be only used in Single node deployments for both hardware appliances and Virtual Machine based setups.

For details on enabling ClickHouse, see here.

For details on switching database to ClickHouse, see Changing Event Storage Options.

For storage and query performance comparison between FortiSIEM EventDB and ClickHouse, see Database Storage Efficiency, Query Performance, Ingestion Speed Comparison.

Elasticsearch Organization Grouping

Elasticsearch may not perform well when you choose a separate event index per Organization and the number of Organizations is large. Large number of Elasticsearch event indices increases Elasticsearch cluster state and may degrade performance after a point. This release allows you to group Organizations into a maximum of 10 Groups. This results in Elasticsearch event index per group. Event ingestion and queries work seamlessly as before as FortiSIEM queries the right group for results.

For details on creating Elasticsearch Organization groups, see Custom Organization Index for Elasticsearch.

MITRE ATT&CK Framework for Industrial Control Systems

This release enhances existing support for MITRE ATT&CK Framework by including Industrial Control Systems (ICS) (see https://collaborate.mitre.org/attackics/index.php/Main_Page). Support for Dragos and Nozomi ICS are extended. Rules are written using Dragos, Nozomi and FortiGate ICS events and mapped to ICS Attack Techniques and Tactics. Three new MITRE ATT&CK dashboards for ICS are created to show Rule coverage, Incident coverage and Kill Chain analysis for ICS Techniques. A discovery method is added for Nozomi ICS devices via Nozomi API and the discovered OT/IoT devices are shown in CMDB in a heads up display. Currently 84 ICS ATT&CK Technique detection rules are provided out of the box and similar support for other vendors can be added.

For details on how to use MITRE ATT&CK Dashboard for ICS, see MITRE ATT&CK® View.

Key Enhancements

Enhanced Performance and Health Reporting and Visualization

In this release, Collectors and Workers periodically report granular performance metrics to the Supervisor node. The information is stored in PostGreSQL database for 1 day and displayed in ADMIN > Health > Cloud Health and Collector Health. Collectors report every 3 minutes and Workers report every 1 minute. If a FortiSIEM Instance is registered to FortiSIEM Manager, then this information is also forwarded to FortiSIEM Manager, which then displays across all registered instances. FortiSIEM Manager also stores this information for 1 day. An assessment of the node and cluster health is provided by combining various metrics and is shown in Cloud Health and Collector Health in both the FortiSIEM Instance (Supervisor) and FortiSIEM Manager.

An API is provided that can be used to retrieve this metric to be displayed in 3rd party systems. For details on the API, see the Integration API Guide located here.

For description of various metrics and thresholds, refer to the Appendices in the Integration API Guide located here.

Windows OMI Support for FIPS Mode and Kerberos Based Deployments

In FortiSIEM 6.4.0, Windows OMI does not work if FortiSIEM is installed in FIPS mode. This is because Windows OMI uses NTLM authentication by default, which uses non-FIPS compliant RC4 algorithm for encryption. For the same reason, Windows OMI in 6.4.0 does not work in Windows Server environments with Kerberos authentication.

In this release, we provide an option for FortiSIEM Windows OMI client to use FIPS compliant Kerberos authentication instead of NTLM authentication.

For details on configuring Windows OMI for Kerberos authentication, see here.

Automated Collector Content Update

In 6.4.0, Super and Worker Content updates were automated but Collectors had to updated manually. Collector Content update is now automated and is performed by the system immediately after Super and Worker content updates. When Collectors send task REST APIs to Supervisor, a Content update task is automatically created for the Collectors. Using this task, Collectors download and install new content.

Generalized Log Pulling from any AWS S3 Bucket

This feature allows FortiSIEM to collect logs written to any AWS S3 bucket. User needs to only write the JSON parser for that specific device type.

For details see AWS Simple Storage Service in the External Systems Configuration Guide.

FortiSIEM Login Security Enhancements

In this release, FortiSIEM GUI user login security is further improved by introducing the following features.

  • User is not allowed to reuse last 10 passwords

  • User password cannot contain user name or user full name (case insensitive match)

  • 2 or more password changes within 1 day is not allowed

  • For GUI Inactivity timeout, a global setting is provided that can be overridden on a per-user basis. This can be done from CMDB (See Adding Users or Editing User Information).

  • An unlocking configuration is provided for users that have been locked out after excessive login failures. The options are:

    1. User can be unlocked by Administrator, or

    2. Next login is delayed for configurable time interval. This can be defined from CMDB (See Adding Users or Editing User Information).

Elasticsearch Support Enhancements

  • A disk based buffering mechanism is introduced on each Super/Worker that can store events when FortiSIEM fails to insert events to Elasticsearch. Because of this buffer, Incidents can keep triggering, but the triggering events will only show when events are in Elasticsearch. For details on how to configure event buffer see Configuring Elasticsearch Buffer in the Appendix.

  • An enhancement is introduced to optimize the shard usage during EPS surge using deeper Elasticsearch metrics. This allows Elasticsearch to scale better in high usage scenarios.

Automated SNMP V3 Trap Configuration

For receiving SNMP V3 Traps in 6.4.0, the customer has to manually add sender EngineIDs to the Collector's SNMP configuration. Manually adding a large number of device EngineIDs may be cumbersome. This step is automated in this release using SNMP V3 Discovery. FortiSIEM learns a device's Engine ID during SNMP V3 based discovery. Then, the Engine IDs are propagated to all FortiSIEM nodes. When a device sends SNMP V3 Traps after discovery, any FortiSIEM node can handle the traps.

For more information on configuration, see SNMP V3 Traps in the External Systems Configuration Guide.

UEBA based on Log

In earlier releases, User Entity Behavior Analytics (UEBA) was done based on proprietary logs collected by the FortiSIEM Windows UEBA Agent. In this release, the analytics is extended to the following regular logs. Note that regular logs only cover a subset of the user activities compared to the FortiSIEM UEBA Agent.

Windows Security logs

  • Unusual machine on activity based on Win-Security-4608 log

  • Unusual machine off activity based on Win-Security-4609 log

  • Unusual host logon activity based on Win-Security-4624 log

  • Unusual host logoff activity based on Win-Security-4634 log

  • Unusual file deletion based on Win-Security-4660 log

  • Unusual process created based on Win-Security-4688 log

  • Unusual process stopped based on Win-Security-4689 log

Windows Sysmon

  • Unusual process created based on Win-Sysmon-1-Create-Process log

  • Unusual process stopped based on Win-Sysmon-5-Process-Terminated log

  • Unusual file creation based on Win-Sysmon-11-FileCreate log

  • Unusual file deletion based on Win-Sysmon-23-File-Delete-archived and Win-Sysmon-26-File-Delete-logged log

Linux Agent

  • Unusual process created based on LINUX_PROCESS_EXEC log

  • Unusual machine off activity based on Generic_Unix_System_Shutdown log

  • Unusual host logon activity based on Generic_Unix_Successful_SSH_Login log

For detailed comparison of Windows UEBA Agent versus log based UEBA, see Appendix - Comparing UEBA Sources.

Ability to Turn off FortiSIEM Elasticsearch ILM Control

By default, FortiSIEM manages and deploys Elasticsearch Index Life Cycle Management (ILM) policies, e.g. 14 days in hot storage, 30 days in warm storage, etc.... If you want to manage ILM policies on you own, then set fsm_ilm_mode=0 in phoenix_config.txt on Supervisor node. No process restart is needed to make the change effective.

Notes:

  1. If the ILM policy was stopped prior to 6.5.0, after upgrading to 6.5.0, the user must stop the ILM policy again. This will not be needed for 6.5.0 onwards.

  2. Even if you turned off FortiSIEM ILM policy management, FortiSIEM still manages the disk spaces based on thresholds, so that the system can keep running.

[BEGIN Elasticsearch]

...

fsm_ilm_mode=0 # 0 - no control, 1 - set ilm for retention policies (default)

Integration API Updates

This release enhances external Integration REST APIs:

  1. New Performance and Health API - can be run against FortiSIEM Supervisor or FortiSIEM Manager.

  2. New Event and Query Worker Configuration APIs

  3. Updates to CMDB Integration APIs

    • Add CMDB Device(s)

    • Get CMDB Device List

    • Delete CMDB Device(s)

    • Update Device by Id

    • Get Device Custom Property

    • Update Device Custom Property

For details, see the Integration API Guide located here.

System Upgrades

New Device Support

Bug Fixes and Minor Enhancements

Bug ID

Severity

Module

Description

781951

Major

App Server

Users with custom Full Admin roles cannot login to FortiSIEM.

774397

Major

Data Manager

Event files upload to Elasticsearch is slow for Organizations with large org Id.

789843

Major

Performance Monitor

Fail to get running-config from Cisco IOS devices.

775718

Minor

Agent

Linux Agent and Windows Agent registration fails when the agent user's password contains a backslash character.

798635

Minor

Agent Manager

CyberArk Integration does not work for authenticating to Windows servers via WMI/OMI.

797841

Minor

Agent Manager

OMI may return corrupted data in class name.

795638

Minor

Agent Manager

Sophos log collection module may poll very frequently (quickly reaching API limit).

790512

Minor

Agent Manager

Cisco AMP stream does not collect very large events over 100K; These events contain multiple events inside.

795273

Minor

Agent Monitor

Enabling an AWS Cloudwatch pull event may cause phAgentManager to crash on collector.

797679

Minor

App Server

User cannot export multiple selected cases in RTF and CSV format.

794338

Minor

App Server

New Dashboards created in Global Dashboard no longer appear after a couple of hours.

792832

Minor

App Server

Glassfish password are stored in plain text and on a file under /opt/phoenix/deployment.

791114

Minor

App Server

ServiceNow Device Outbound Integration may fail if Installed Software Date was NULL.

790866

Minor

App Server

Incident Email does not have new lines between Raw Events if custom HTML Incident Email Template is used.

788973

Minor

App Server

Content Update Install may fail with generic "Operation failed" error if FortiGuard does not return content. Subsequent retries succeed without issue.

786289

Minor

App Server

Previewing a long running report bundle may fail.

784027

Minor

App Server

If UEBA expired, then new Windows Agent sometimes does not go from Registered to Running state.

782304

Minor

App Server

User with a cloned "Full Admin" role with Data Conditions defined cannot search for rules in RESOURCES > Rules.

781538

Minor

App Server

In ANALYTICS > Search for EventDB, inheritance does not work between Application Groups and Subgroups.

776600

Minor

App Server

When device count is 1 less than license, then Agent cannot become Running from Registered.

776214

Minor

App Server

Searching currently Active Incidents generated many months ago fails in INCIDENTS > Search.

773472

Minor

App Server

Trigger events are empty for some incidents in notification emails.

767265

Minor

App Server

Sometimes the Report Bundle cover page does not show the custom image.

766229

Minor

App Server

If an incident is open towards the next month, Incident Outbound Integration creates duplicate incidents in the help desk systems (e.g. ServiceNow, ConnectWise).

763531

Minor

App Server

Report Bundle Export displays "Export Error" message for very long running reports (e.g. report interval is 30 days or more in a system with lots of data).

785547

Minor

Data

The ADMIN > Health > Cloud Health page sometimes times out after upgrade to 6.4.0, if there are many workers.

784655

Minor

Data

MSDefAdvancedHuntingParser.xml Test Event has leading [ - bracket, breaking JSON format.

784155

Minor

Data

Definition for "Top Windows Process Created" is incorrect.

778129

Minor

Data

AppFlow reports should include event IOS-NETFLOW-BI.

777847

Minor

Data

Parsing for Microsoft-Windows-TerminalServices-Gateway and LocalSessionManager events needs to be fixed.

768672

Minor

Data

FortiSIEM is not parsing Cisco ASA events correctly when the host name contains "ASA-".

779548

Minor

Data Purger

phDataPurger incorrectly counts master nodes as hot nodes in AWS-managed Elasticsearch.

791321

Minor

Data Purger

Data Purger needs to handle error 404 when trying to purge non-existent ES indices.

802946

Minor

GUI

Virtual collector configuration in "Host To Template Associations" is not being saved.

790877

Minor

GUI

Columns "Avail Incidents", "Perf Incidents", and "Security Incidents" are empty in Summary Dashboard.

780737

Minor

GUI

In ANALYTICS > Search, Trend does not work properly when Group By has time related attributes (e.g. Event Receive Hour, Event receive Day).

780688

Minor

GUI

Sometimes, the user cannot reset their own password because of internal errors.

777518

Minor

GUI

FortiSOAR: If executing a playbook on an incident, then executing Connector > add to Comments overwrites the playbook results.

776295

Minor

GUI

GUI shows "Undefined" error when the user attempts to set a new password for a user created with the "Password Reset" field set.

775207

Minor

GUI

When executing a FortiSOAR playbook, the Details tab does not display data under some conditions.

773473

Minor

GUI

"Install Status" and "Upgrade Version" shows wrong values for collector health after continuous upgrade.

766510

Minor

GUI

ANALYTICS Filter: Inner CMDB Query fails, seemingly dependent on the name of the CMDB report.

790937

Minor

Identity and Location

Identity and location: Windows Kerberos Authentication followed by DHCP results in duplicate entries since the Workstation name is missing in Windows 4624 event.

783844

Minor

Java Query Server

Java Query Server sometimes uses older java libraries and is unable to connect to Elasticsearch.

765552

Minor

Java Query Server

Sometimes, the Java Query Server searches for 30 days of event indices instead of one day when there are no search filters.

763150

Minor

Java Query Server

Sometimes, reports misses in exported PDF for scheduled report bundle that use pre-compute.

802966

Minor

Parser

Event Forwarding of PH_AUDIT logs truncates the raw events.

780668

Minor

Parser

Parser Inbuilt Function: convertHexStrToInt () gives wrong results.

776350

Minor

Parser

External protocol error (PH_PARSER_INVALID_EXT_LOG_PROTO) from collectors occurrs when OMI was configured.

799016

Minor

Performance Monitor

MySQL performance monitoring events has hardcoded instance names instead of what is defined in Credential.

799002

Minor

Performance Monitor

Startup-config changes cannot be pulled in Cisco IOS XR.

768515

Minor

Performance Monitor

Several bug fixes and enhancements for FortiOS based devices collecting performance metrics (e.g. FortiGate, FortiAP, FortiSwitch) via REST API.

769414

Minor

QueryMaster

phQueryMaster memory usage increases when FortiSIEM collects performance metrics for a large number of devices when they are all included in the Summary dashboard. This summary data is held in memory and needs to be more aggressively purged.

777226

Minor

System

Using configFSM.sh to change Collector IP may result in failure due to DR_ROLE reference.

774030

Minor

System

Disable TRACE/TRACK HTTP method by default on HTTP port.

768018

Minor

System

Upgrade Log4j-core to latest stable version 2.17.

787121

Enhancement

App Server

Shorten the time for querying new entries in Lookup Table. Currently, there is a maximum 10 minute delay.

609622

Enhancement

App Server

Support needed for Arabic character set inside events in PDF and CSV reports.

779657

Enhancement

Data

Need to parse CEF formatted Palo Alto firewall logs.

773036

Enhancement

Data

CheckpointCEFParser does not parse URL filtering logs correctly.

770908

Enhancement

Data

PAN-OS-THREAT-virus-100000-deny is not parsed correctly.

770842

Enhancement

Data

Enhanced FortiWebParser to support FWB-VM-S and original source IP.

770561

Enhancement

Data

FortiAnalyzer internal alert events are not parsed.

770195

Enhancement

Data

Windows WMI Parser needs to parse Active Directory Federation Services (ADFS) events.

769325

Enhancement

Data

JunOS Parser needs to be updated.

766960

Enhancement

Data

Windows Parser does not extract the fields File Name and File Path for security event 6281.

766461

Enhancement

Data

Cisco StealthWatch Parser cannot parse Cisco StealthWatch logs from versions after 7 because the log format changed.

765158

Enhancement

Data

VMwareVCenterParser does not parse some VMware vCenter logs.

754088

Enhancement

Data

Need to enhance HP Procurve switch (essentially Aruba Switch) Parser as they have a different log format.

745967

Enhancement

Data

Service name is not parsed for Win-Security-4673 event.

745905

Enhancement

Data

The rule "Windows: Generic Password Dumper Activity on LSASS" needs adjustment.

787995

Enhancement

Data

Linux Threat Rules needs to be updated with correct parsed attributes.

787273

Enhancement

Data

Jenkins logs needs to be parsed.

793108

Enhancement

Data Purger

Provide the customer with the ability to turn off ILM and preserve this configuration after upgrade.

785761

Enhancement

GUI

Enhance the default NetFlow Dashboard by including various charts.

777776

Enhancement

GUI

No longer allow REGEX on IP fields in Search Filters.

777633

Enhancement

GUI

Lookup Table: Report Schedule Trend selector not needed when scheduling import via report.

777631

Enhancement

GUI

Need to only allow applicable operators for LookupTableGet().

777585

Enhancement

GUI

CASES > Action History > List > Incident Actions history shows action, but is missing action detail.

777570

Enhancement

GUI

Create Case/Ticket in INCIDENTS - Need auto-refresh of selected incident data after creation and consistent field naming.

777534

Enhancement

GUI

Incident Details - Quick Lookup button needed for user fields under triggering events.

777512

Enhancement

GUI

The FortiSOAR Playbook Execution Result dialog window on Incident tab > Actions > Add summary contains no line break between header and message.

777485

Enhancement

GUI

FortiGuard IOC Lookup in INCIDENTS page - On execute - is missing results in Incident > Action History e.g. IP x.x.x.x is malicious.

777149

Enhancement

GUI

Image upload failures shows incorrect error message: "Checksum error", when the actual error is a connection error to FortiGuard.

774594

Enhancement

GUI

The default Report Design Template for a Report Bundle is shown when the user attempts to edit the default template.

765339

Enhancement

Java Query Server

Speed up the exporting of 100k search records from Elasticsearch into a CSV file.

790052

Enhancement

Parser

Increase the number of concurrent TLS connections handled by Parser module for syslog over TLS.

782926

Enhancement

Parser

Add Parser for MS Defender for Endpoint Advanced Hunting events forwarded to Azure Event Hub.

644096

Enhancement

Performance Monitor

SNMP V3 Support includes AES256 and SHA256 (was currently supporting less secure AES128).

784753

Enhancement

System

Reduce upgrade time for large EventDB based FortiSIEM deployments (large /data/archive and SVN files).

773866

Enhancement

System

Azure VHD image update should not include a swap partition to be compliant with Azure marketplace.

770161

Enhancement

System

UDP port 6343 needs to be opened on all nodes for ingesting sFlow.

Rule and Report Modifications since 6.4.0

The following rules were added:

  • Active Directory Privilege Escalation Exploit Detected on Host

  • Active Directory Privilege Escalation Exploit Detected on Network

  • FortiAnalyzer: No logs received from a device in 4 hours

  • FortiGate ICS Alert: Exploitation of Remote Services

  • HermeticWiper-Foxblade Malware Detected on Host

  • HermeticWiper-Foxblade Malware Detected on Network

  • ICS Alert: Activate Firmware Update Mode

  • ICS Alert: Alarm Suppression

  • ICS Alert: Automated Collection

  • ICS Alert: Block Command Message

  • ICS Alert: Block Reporting Message

  • ICS Alert: Block Serial COM

  • ICS Alert: Brute Force I/O

  • ICS Alert: Change Operating Mode

  • ICS Alert: Command-Line Interface

  • ICS Alert: Commonly Used Port

  • ICS Alert: Connection Proxy

  • ICS Alert: Damage to Property

  • ICS Alert: Data Destruction

  • ICS Alert: Data from Information Repositories

  • ICS Alert: Default Credentials

  • ICS Alert: Denial of Control

  • ICS Alert: Denial of Service

  • ICS Alert: Denial of View

  • ICS Alert: Detect Operating Mode

  • ICS Alert: Device Restart/Shutdown

  • ICS Alert: Drive-by Compromise

  • ICS Alert: Execution through API

  • ICS Alert: Exploit Public-Facing Application

  • ICS Alert: Exploitation for Evasion

  • ICS Alert: Exploitation for Privilege Escalation

  • ICS Alert: Exploitation of Remote Services

  • ICS Alert: External Remote Services

  • ICS Alert: Graphical User Interface

  • ICS Alert: Hooking

  • ICS Alert: I/O Image

  • ICS Alert: Indicator Removal on Host

  • ICS Alert: Internet Accessible Device

  • ICS Alert: Lateral Tool Transfer

  • ICS Alert: Loss of Availability

  • ICS Alert: Loss of Control

  • ICS Alert: Loss of Productivity and Revenue

  • ICS Alert: Loss of Protection

  • ICS Alert: Loss of Safety

  • ICS Alert: Loss of View

  • ICS Alert: Man in the Middle

  • ICS Alert: Manipulate I/O Image

  • ICS Alert: Manipulation of Control

  • ICS Alert: Manipulation of View

  • ICS Alert: Masquerading

  • ICS Alert: Modify Alarm Settings

  • ICS Alert: Modify Controller Tasking

  • ICS Alert: Modify Parameter

  • ICS Alert: Modify Program

  • ICS Alert: Module Firmware

  • ICS Alert: Monitor Process State

  • ICS Alert: Native API

  • ICS Alert: Network Connection Enumeration

  • ICS Alert: Network Sniffing

  • ICS Alert: Point Tag Identification

  • ICS Alert: Program Download

  • ICS Alert: Program Upload

  • ICS Alert: Project File Infection

  • ICS Alert: Remote Services

  • ICS Alert: Remote System Discovery

  • ICS Alert: Remote System Information Discovery

  • ICS Alert: Replication Through Removable Media

  • ICS Alert: Rogue Master

  • ICS Alert: Rootkit

  • ICS Alert: Screen Capture

  • ICS Alert: Scripting

  • ICS Alert: Service Stop

  • ICS Alert: Spearphishing Attachment

  • ICS Alert: Spoof Reporting Message

  • ICS Alert: Standard Application Layer Protocol

  • ICS Alert: Supply Chain Compromise

  • ICS Alert: System Firmware

  • ICS Alert: Theft of Operational Information

  • ICS Alert: Transient Cyber Asset

  • ICS Alert: Unauthorized Command Message

  • ICS Alert: User Execution

  • ICS Alert: Valid Accounts

  • ICS Alert: Wireless Compromise

  • ICS Alert: Wireless Sniffing

  • Ingress Tool Transfer - Execution Alert from MS Defender for Endpoint

  • Linux: File Permission Modification in Writable Relative Directory By non-root user

  • LSASS Memory - Credential Access Alert from MS Defender for Endpoint

  • Masquerading - Execution Alert from MS Defender for Endpoint

  • Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on Network

  • Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on Host

  • MS Defender for Endpoint Alert - Generic

  • OS Credential Dumping - Suspicious Activity Alert from MS Defender for Endpoint

  • Process Injection - Defense Evasion Alert from MS Defender for Endpoint

  • Suspicious PowerShell command line - Execution Alert from MS Defender for Endpoint

  • Suspicious Process Discovery - Discovery Alert from MS Defender for Endpoint

  • Suspicious Task Scheduler activity - Persistence Alert from MS Defender for Endpoint

  • System Network Configuration Discovery - Discovery Alert from MS Defender for Endpoint

  • System Service Discovery - Discovery Alert from MS Defender for Endpoint

  • UEBA AI detects unusual file deletion

  • Win32k Elevation of Privilege Vulnerability Detected on Host

  • Win32k Elevation of Privilege Vulnerability Detected on Network

  • Windows HTTP Protocol Stack RCE Detected on Host

  • Windows HTTP Protocol Stack RCE Detected on Network

  • Windows Logging Service Shutdown

  • Windows Security Log is Full

The following rules were renamed:

  • Linux: Account Discovery via Built-In Tools on $hostName -> Linux Account Discovery via Built-In Tools

  • Linux: File Permission Modification in Writable Directory By non-root user -> Linux: File Permission Modification in Writable Absolute Directory By non-root user

  • UEBA AI detects unusual machine logoff -> UEBA AI detects unusual user logoff

The following reports were added:

  • Active Directory Privilege Escalation Exploit Detected on Host

  • Active Directory Privilege Escalation Exploit Detected on Network

  • HermeticWiper-Foxblade Malware Detected on Host

  • HermeticWiper-Foxblade Malware Detected on Network

  • Jenkins Automation: Job Config Submit Audit Report

  • Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on Network

  • Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on Host

  • MS Defender for Endpoint Alerts

  • MS Defender for Endpoint Events

  • NetFlow: Detailed Traffic Report

  • NetFlow: Top Destination Countries by Total Bytes

  • NetFlow: Top FortiGuard Malware IP Communication by Sent and Received Bytes

  • NetFlow: Top FortiGuard Malware IP Communication by Source IP

  • NetFlow: Top Protocols by Total Bytes

  • NetFlow: Top Traffic by Source and Destination Countries

  • NetFlow: Top Uncommon Outbound Protocols by Count

  • NetFlow: Traffic Flow Details by Total Bytes

  • Nutanix: API Requests Audit

  • Nutanix: Top Consolidated Audit Events by Count

  • Nutanix: Top Consolidated Audit Events by User

  • Nutanix: Top Dropped Traffic Flows

  • Nutanix: Top Dropped Traffic Flows by Destination

  • Nutanix: Top Dropped Traffic Flows by Source

  • Nutanix: Top Permitted Traffic Flows

  • Nutanix: Top Permitted Traffic Flows by Destination

  • Nutanix: Top Permitted Traffic Flows by Source

  • Win32k Elevation of Privilege Vulnerability Detected on Host

  • Win32k Elevation of Privilege Vulnerability Detected on Network

  • Windows HTTP Protocol Stack RCE Detected on Host

  • Windows HTTP Protocol Stack RCE Detected on Network

Known Issues

  1. Currently, Policy based retention for EventDB does not cover two event categories: (a) System events with phCustId = 0, e.g. a FortiSIEM External Integration Error, FortiSIEM process crash etc., and (b) Super/Global customer audit events with phCustId = 3, e.g. audit log generated from a Super/Global user running an adhoc query. These events are purged when disk usage reaches high watermark.

  2. On hardware appliances running FortiSIEM 6.6.0 or earlier, the FortiSIEM execute shutdown CLI command does not work correctly. Use the Linux shutdown command instead.

  3. App Server may fail to restart after a FortiSIEM reboot or an App Server restart. Perform the following workaround to bring up the App Server.

    1. Clean up App Server cache by running the following commands.

      # su admin
      $ cd /opt/glassfish/domains/domain1/
      $ rm -rf generated/
      $ rm -rf osgi-cache/
      
    2. Restart App Server by running the following commands.

      $ cat /opt/glassfish/domains/domain1/config/pid
      $ kill -9 $(cat /opt/glassfish/domains/domain1/config/pid)
      
  4. If you change the Supervisor IP address (using the recommended configFSM utility), there will be two entries for the Supervisor in ADMIN > Health > Cloud Health: one for the new IP address and another for the old IP address. To remove the entry with the old IP address from the database, run the following SQL commands on the Supervisor node, replacing newIp and oldIp with the new and old Supervisor IP addresses.

    delete from ph_health_status where host_ip='newIp' and nodetype=0;
    update ph_health_status set host_ip='newIp' where host_ip='oldIp' and nodetype=0;

    If the Supervisor Instance was registered to FortiSIEM Manager, then run these commands on the FortiSIEM Manager node, replacing instanceID with the ID of that FortiSIEM Instance.

    delete from ph_health_status where host_ip='newIp' and nodetype=0 and cust_org_id=/*instanceID*/;
    update ph_health_status set host_ip='newIp' where host_ip='oldIp' and nodetype=0 and cust_org_id=/*instanceID*/;

  5. FortiSIEM Manager cannot be installed in an IPv6 network.

  6. There is a known issue with Elasticsearch rollup search API when sorting AVG (https://github.com/elastic/elasticsearch/issues/58967). Therefore, do not use pre-compute Elasticsearch queries that have ASC or DESC on AVG().

  7. In Elasticsearch based deployments, queries containing "IN Group X" are handled using Elastic Terms Query. By default, the maximum number of terms that can be used in a Terms Query is set to 65,536. If a Group contains more than 65,536 entries, the query will fail.

    The workaround is to change the "max_terms_count" setting for each event index. Fortinet has tested up to 1 million entries. The query response time will be proportional to the size of the group.

    Case 1. For already existing indices, issue the following REST API call to update the setting:

    PUT fortisiem-event-*/_settings
    {
      "index" : {
        "max_terms_count" : "1000000"
      }
    }
    

    Case 2. For new indices that will be created in the future, update fortisiem-event-template so that those new indices get the higher max_terms_count setting:

    1. cd /opt/phoenix/config/elastic/7.7

    2. Add "index.max_terms_count": 1000000 (including the quotation marks) to the "settings" section of fortisiem-event-template.

      Example:

      ...

      "settings": {
          "index.max_terms_count": 1000000,
      

      ...

    3. Navigate to ADMIN > Storage > Online and perform Test and Deploy.

    4. Test that new indices have the updated terms limit by executing the following REST API call.

      GET fortisiem-event-*/_settings
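The two cases above and the check in step 4, as an added Python example that is not part of the FortiSIEM documentation or product: it builds the PUT body for existing indices, inserts index.max_terms_count into a template's settings, and flags indices whose returned limit is still below the size of the group being queried. The template and the GET _settings response are constructed samples.

```python
import json

DEFAULT_MAX_TERMS_COUNT = 65536    # Elasticsearch default named in the known issue
TARGET_MAX_TERMS_COUNT = 1000000   # the value Fortinet states it has tested up to


def settings_update_body(limit: int = TARGET_MAX_TERMS_COUNT) -> str:
    """Request body for PUT fortisiem-event-*/_settings (Case 1, existing indices)."""
    return json.dumps({"index": {"max_terms_count": str(limit)}})


def raise_template_terms_limit(template_json: str, limit: int = TARGET_MAX_TERMS_COUNT) -> str:
    """Return fortisiem-event-template with index.max_terms_count in "settings" (Case 2).

    If the template already carries the nested form {"index": {"max_terms_count": ...}},
    that entry is dropped so the two spellings cannot disagree.
    """
    template = json.loads(template_json)
    settings = template.setdefault("settings", {})
    nested = settings.get("index")
    if isinstance(nested, dict):
        nested.pop("max_terms_count", None)
    settings["index.max_terms_count"] = limit
    return json.dumps(template, indent=2)


def indices_below_limit(get_settings_json: str, group_size: int) -> list:
    """From the JSON returned by GET fortisiem-event-*/_settings (step 4), list the
    indices whose effective max_terms_count is smaller than the group being queried.
    Elasticsearch omits the setting when it is still the default, so absence means 65536."""
    too_small = []
    for index_name, body in json.loads(get_settings_json).items():
        index_settings = body.get("settings", {}).get("index", {})
        limit = int(index_settings.get("max_terms_count", DEFAULT_MAX_TERMS_COUNT))
        if limit < group_size:
            too_small.append(index_name)
    return sorted(too_small)


# Constructed sample inputs, not taken from a real deployment.
SAMPLE_TEMPLATE = json.dumps({
    "index_patterns": ["fortisiem-event-*"],
    "settings": {"index.number_of_shards": 5, "index.refresh_interval": "30s"},
    "mappings": {},
})
SAMPLE_GET_SETTINGS = json.dumps({
    "fortisiem-event-2022.06.01": {"settings": {"index": {"max_terms_count": "1000000"}}},
    "fortisiem-event-2022.05.31": {"settings": {"index": {"number_of_shards": "5"}}},
})
```

Running indices_below_limit over the real GET output with the size of the largest group used in "IN Group X" queries tells you which indices still need the Case 1 update.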