What's New in 6.5.0

This document describes the additions for the FortiSIEM 6.5.0 release.

• New Features

• Key Enhancements

• New Device Support

• Bug Fixes and Minor Enhancements

• Rule and Report Modifications since 6.4.0

• Known Issues

New Features

• FortiSIEM Manager

• ClickHouse Event Database

• Elasticsearch Organization Grouping

• MITRE ATT&CK Framework for Industrial Control Systems

FortiSIEM Manager

This release introduces FortiSIEM Manager that can be used to monitor and manage multiple FortiSIEM instances. The FortiSIEM Manager needs to be installed on a separate Virtual Machine and requires a separate license.

Note: Only FortiSIEM Manager and FortiSIEM Supervisor instances 6.5.0+ are supported.

In this release, FortiSIEM Manager provides the following functionalities:

• Each FortiSIEM Instance needs to register to the FortiSIEM Manager. After successful registration, a 2-way HTTP(S) communication channel is set up between each Instance and the Manager.

• Incidents, License and Health information will be forwarded from each FortiSIEM instance to the FortiSIEM Manager. Incidents are forwarded in near-real time, Health information forwarded once every minute, and License information forwarded once every hour.

• FortiSIEM Manager retains Health information for the last 1 day. FortiSIEM Manager also stores Incidents and the latest License information in local PostGreSQL database. The number of incidents stored depends on the size of the local PostGreSQL database. Raw events are not stored in FortiSIEM Manager. When the user visits the Triggering Event tab on the INCIDENTS page, raw events are fetched on demand from the FortiSIEM Instance.

• All Incident status changes in each FortiSIEM instance are forwarded to the FortiSIEM Manager. If you create a new rule or make changes to a rule in a FortiSIEM instance, the changes are forwarded to the FortiSIEM Manager.

• From FortiSIEM Manager, you can do the following operations and the changes are propagated to the right FortiSIEM instance(s) with the right FortiSIEM Manager logged-in-user context:

  • Clear, Resolve and Add Comments to one or more Incidents

  • Disable one or more rules and change their severity.

  • Change the severity of an incident

  • Run FortiSOAR Playbooks and Connectors and update Incident Status and Comments

  • A one-click operation to log you into the appropriate FortiSIEM instance where an Incident occurred. This enables you quickly to investigate an Incident in depth.

Communication between FortiSIEM Manager and instances is via REST APIs over HTTP(S).

You have to upgrade FortiSIEM Manager first before upgrading all FortiSIEM Instances - this applies to both Content Update and Software Image Update.

For details in installing FortiSIEM Manager, see the VM or Hardware Installation Guides here.

For details on registering a FortiSIEM instance to the FortiSIEM Manager, see here.

For viewing health and license information in FortiSIEM Manager, see here.

ClickHouse Event Database

This release provides ClickHouse as a new embedded event database option. No separate install or support is required. ClickHouse provides significant query speed improvements compared to FortiSIEM EventDB while providing comparable event database compression. Currently, ClickHouse can be only used in Single node deployments for both hardware appliances and Virtual Machine based setups.

For details on enabling ClickHouse, see here.

For details on switching database to ClickHouse, see Changing Event Storage Options.

For storage and query performance comparison between FortiSIEM EventDB and ClickHouse, see Database Storage Efficiency, Query Performance, Ingestion Speed Comparison.

Elasticsearch Organization Grouping

Elasticsearch may not perform well when you choose a separate event index per Organization and the number of Organizations is large. Large number of Elasticsearch event indices increases Elasticsearch cluster state and may degrade performance after a point. This release allows you to group Organizations into a maximum of 10 Groups. This results in Elasticsearch event index per group. Event ingestion and queries work seamlessly as before as FortiSIEM queries the right group for results.

For details on creating Elasticsearch Organization groups, see Custom Organization Index for Elasticsearch.

MITRE ATT&CK Framework for Industrial Control Systems

This release enhances existing support for MITRE ATT&CK Framework by including Industrial Control Systems (ICS) (see https://collaborate.mitre.org/attackics/index.php/Main_Page). Support for Dragos and Nozomi ICS are extended. Rules are written using Dragos, Nozomi and FortiGate ICS events and mapped to ICS Attack Techniques and Tactics. Three new MITRE ATT&CK dashboards for ICS are created to show Rule coverage, Incident coverage and Kill Chain analysis for ICS Techniques. A discovery method is added for Nozomi ICS devices via Nozomi API and the discovered OT/IoT devices are shown in CMDB in a heads up display. Currently 84 ICS ATT&CK Technique detection rules are provided out of the box and similar support for other vendors can be added.

For details on how to use MITRE ATT&CK Dashboard for ICS, see MITRE ATT&CK® View.

Key Enhancements

• Enhanced Performance and Health Reporting and Visualization

• Windows OMI Support for FIPS Mode and Kerberos Based Deployments

• Automated Collector Content Update

• Generalized Log Pulling from any AWS S3 Bucket

• FortiSIEM Login Security Enhancements

• Elasticsearch Support Enhancements

• Automated SNMP V3 Trap Configuration

• UEBA based on Log

• Ability to Turn off FortiSIEM Elasticsearch ILM Control

• Integration API Updates

• System Upgrades

Enhanced Performance and Health Reporting and Visualization

In this release, Collectors and Workers periodically report granular performance metrics to the Supervisor node. The information is stored in PostGreSQL database for 1 day and displayed in ADMIN > Health > Cloud Health and Collector Health. Collectors report every 3 minutes and Workers report every 1 minute. If a FortiSIEM Instance is registered to FortiSIEM Manager, then this information is also forwarded to FortiSIEM Manager, which then displays across all registered instances. FortiSIEM Manager also stores this information for 1 day. An assessment of the node and cluster health is provided by combining various metrics and is shown in Cloud Health and Collector Health in both the FortiSIEM Instance (Supervisor) and FortiSIEM Manager.

An API is provided that can be used to retrieve this metric to be displayed in 3rd party systems. For details on the API, see the Integration API Guide located here.

For description of various metrics and thresholds, refer to the Appendices in the Integration API Guide located here.

Windows OMI Support for FIPS Mode and Kerberos Based Deployments

In FortiSIEM 6.4.0, Windows OMI does not work if FortiSIEM is installed in FIPS mode. This is because Windows OMI uses NTLM authentication by default, which uses non-FIPS compliant RC4 algorithm for encryption. For the same reason, Windows OMI in 6.4.0 does not work in Windows Server environments with Kerberos authentication.

In this release, we provide an option for FortiSIEM Windows OMI client to use FIPS compliant Kerberos authentication instead of NTLM authentication.

For details on configuring Windows OMI for Kerberos authentication, see here.

Automated Collector Content Update

In 6.4.0, Super and Worker Content updates were automated but Collectors had to updated manually. Collector Content update is now automated and is performed by the system immediately after Super and Worker content updates. When Collectors send task REST APIs to Supervisor, a Content update task is automatically created for the Collectors. Using this task, Collectors download and install new content.

Generalized Log Pulling from any AWS S3 Bucket

This feature allows FortiSIEM to collect logs written to any AWS S3 bucket. User needs to only write the JSON parser for that specific device type.

For details see AWS Simple Storage Service in the External Systems Configuration Guide.

FortiSIEM Login Security Enhancements

In this release, FortiSIEM GUI user login security is further improved by introducing the following features.

• User is not allowed to reuse last 10 passwords

• User password cannot contain user name or user full name (case insensitive match)

• 2 or more password changes within 1 day is not allowed

• For GUI Inactivity timeout, a global setting is provided that can be overridden on a per-user basis. This can be done from CMDB (See Adding Users or Editing User Information).

• An unlocking configuration is provided for users that have been locked out after excessive login failures. The options are:

  1. User can be unlocked by Administrator, or

  2. Next login is delayed for configurable time interval. This can be defined from CMDB (See Adding Users or Editing User Information).

Elasticsearch Support Enhancements

• A disk based buffering mechanism is introduced on each Super/Worker that can store events when FortiSIEM fails to insert events to Elasticsearch. Because of this buffer, Incidents can keep triggering, but the triggering events will only show when events are in Elasticsearch. For details on how to configure event buffer see Configuring Elasticsearch Buffer in the Appendix.

• An enhancement is introduced to optimize the shard usage during EPS surge using deeper Elasticsearch metrics. This allows Elasticsearch to scale better in high usage scenarios.

Automated SNMP V3 Trap Configuration

For receiving SNMP V3 Traps in 6.4.0, the customer has to manually add sender EngineIDs to the Collector's SNMP configuration. Manually adding a large number of device EngineIDs may be cumbersome. This step is automated in this release using SNMP V3 Discovery. FortiSIEM learns a device's Engine ID during SNMP V3 based discovery. Then, the Engine IDs are propagated to all FortiSIEM nodes. When a device sends SNMP V3 Traps after discovery, any FortiSIEM node can handle the traps.

For more information on configuration, see SNMP V3 Traps in the External Systems Configuration Guide.

UEBA based on Log

In earlier releases, User Entity Behavior Analytics (UEBA) was done based on proprietary logs collected by the FortiSIEM Windows UEBA Agent. In this release, the analytics is extended to the following regular logs. Note that regular logs only cover a subset of the user activities compared to the FortiSIEM UEBA Agent.

Windows Security logs

• Unusual machine on activity based on Win-Security-4608 log

• Unusual machine off activity based on Win-Security-4609 log

• Unusual host logon activity based on Win-Security-4624 log

• Unusual host logoff activity based on Win-Security-4634 log

• Unusual file deletion based on Win-Security-4660 log

• Unusual process created based on Win-Security-4688 log

• Unusual process stopped based on Win-Security-4689 log

Windows Sysmon

• Unusual process created based on Win-Sysmon-1-Create-Process log

• Unusual process stopped based on Win-Sysmon-5-Process-Terminated log

• Unusual file creation based on Win-Sysmon-11-FileCreate log

• Unusual file deletion based on Win-Sysmon-23-File-Delete-archived and Win-Sysmon-26-File-Delete-logged log

Linux Agent

• Unusual process created based on LINUX_PROCESS_EXEC log

• Unusual machine off activity based on Generic_Unix_System_Shutdown log

• Unusual host logon activity based on Generic_Unix_Successful_SSH_Login log

For detailed comparison of Windows UEBA Agent versus log based UEBA, see Appendix - Comparing UEBA Sources.

Ability to Turn off FortiSIEM Elasticsearch ILM Control

By default, FortiSIEM manages and deploys Elasticsearch Index Life Cycle Management (ILM) policies, e.g. 14 days in hot storage, 30 days in warm storage, etc.... If you want to manage ILM policies on you own, then set fsm_ilm_mode=0 in phoenix_config.txt on Supervisor node. No process restart is needed to make the change effective.

Notes:

1. If the ILM policy was stopped prior to 6.5.0, after upgrading to 6.5.0, the user must stop the ILM policy again. This will not be needed for 6.5.0 onwards.

2. Even if you turned off FortiSIEM ILM policy management, FortiSIEM still manages the disk spaces based on thresholds, so that the system can keep running.

[BEGIN Elasticsearch]

...

fsm_ilm_mode=0 # 0 - no control, 1 - set ilm for retention policies (default)

Integration API Updates

This release enhances external Integration REST APIs:

1. New Performance and Health API - can be run against FortiSIEM Supervisor or FortiSIEM Manager.

2. New Event and Query Worker Configuration APIs

3. Updates to CMDB Integration APIs

   • Add CMDB Device(s)

   • Get CMDB Device List

   • Delete CMDB Device(s)

   • Update Device by Id

   • Get Device Custom Property

   • Update Device Custom Property

For details, see the Integration API Guide located here.

System Upgrades

• Upgrade log4j used by App Server from 1.x to 2.17.1

• Upgrade to Rocky Linux 8.5 with patches released on March 30, 2022 (https://lists.resf.org/archives/list/rocky-announce@lists.resf.org/thread/H7FNZZUZQ7B2XEEOPIXPZVIMQNO6KTE2/)

New Device Support

• Dragos Worldview Threat Feed Integration

• Cybereason

• Nozomi Discovery

• VMware NSX-vSphere

Bug Fixes and Minor Enhancements

Bug ID	Severity	Module	Description
781951	Major	App Server	Users with custom Full Admin roles cannot login to FortiSIEM.
774397	Major	Data Manager	Event files upload to Elasticsearch is slow for Organizations with large org Id.
789843	Major	Performance Monitor	Fail to get running-config from Cisco IOS devices.
775718	Minor	Agent	Linux Agent and Windows Agent registration fails when the agent user's password contains a backslash character.
798635	Minor	Agent Manager	CyberArk Integration does not work for authenticating to Windows servers via WMI/OMI.
797841	Minor	Agent Manager	OMI may return corrupted data in class name.
795638	Minor	Agent Manager	Sophos log collection module may poll very frequently (quickly reaching API limit).
790512	Minor	Agent Manager	Cisco AMP stream does not collect very large events over 100K; These events contain multiple events inside.
795273	Minor	Agent Monitor	Enabling an AWS Cloudwatch pull event may cause phAgentManager to crash on collector.
797679	Minor	App Server	User cannot export multiple selected cases in RTF and CSV format.
794338	Minor	App Server	New Dashboards created in Global Dashboard no longer appear after a couple of hours.
792832	Minor	App Server	Glassfish password are stored in plain text and on a file under /opt/phoenix/deployment.
791114	Minor	App Server	ServiceNow Device Outbound Integration may fail if Installed Software Date was NULL.
790866	Minor	App Server	Incident Email does not have new lines between Raw Events if custom HTML Incident Email Template is used.
788973	Minor	App Server	Content Update Install may fail with generic "Operation failed" error if FortiGuard does not return content. Subsequent retries succeed without issue.
786289	Minor	App Server	Previewing a long running report bundle may fail.
784027	Minor	App Server	If UEBA expired, then new Windows Agent sometimes does not go from Registered to Running state.
782304	Minor	App Server	User with a cloned "Full Admin" role with Data Conditions defined cannot search for rules in RESOURCES > Rules.
781538	Minor	App Server	In ANALYTICS > Search for EventDB, inheritance does not work between Application Groups and Subgroups.
776600	Minor	App Server	When device count is 1 less than license, then Agent cannot become Running from Registered.
776214	Minor	App Server	Searching currently Active Incidents generated many months ago fails in INCIDENTS > Search.
773472	Minor	App Server	Trigger events are empty for some incidents in notification emails.
767265	Minor	App Server	Sometimes the Report Bundle cover page does not show the custom image.
766229	Minor	App Server	If an incident is open towards the next month, Incident Outbound Integration creates duplicate incidents in the help desk systems (e.g. ServiceNow, ConnectWise).
763531	Minor	App Server	Report Bundle Export displays "Export Error" message for very long running reports (e.g. report interval is 30 days or more in a system with lots of data).
785547	Minor	Data	The ADMIN > Health > Cloud Health page sometimes times out after upgrade to 6.4.0, if there are many workers.
784655	Minor	Data	MSDefAdvancedHuntingParser.xml Test Event has leading [ - bracket, breaking JSON format.
784155	Minor	Data	Definition for "Top Windows Process Created" is incorrect.
778129	Minor	Data	AppFlow reports should include event IOS-NETFLOW-BI.
777847	Minor	Data	Parsing for Microsoft-Windows-TerminalServices-Gateway and LocalSessionManager events needs to be fixed.
768672	Minor	Data	FortiSIEM is not parsing Cisco ASA events correctly when the host name contains "ASA-".
779548	Minor	Data Purger	phDataPurger incorrectly counts master nodes as hot nodes in AWS-managed Elasticsearch.
791321	Minor	Data Purger	Data Purger needs to handle error 404 when trying to purge non-existent ES indices.
802946	Minor	GUI	Virtual collector configuration in "Host To Template Associations" is not being saved.
790877	Minor	GUI	Columns "Avail Incidents", "Perf Incidents", and "Security Incidents" are empty in Summary Dashboard.
780737	Minor	GUI	In ANALYTICS > Search, Trend does not work properly when Group By has time related attributes (e.g. Event Receive Hour, Event receive Day).
780688	Minor	GUI	Sometimes, the user cannot reset their own password because of internal errors.
777518	Minor	GUI	FortiSOAR: If executing a playbook on an incident, then executing Connector > add to Comments overwrites the playbook results.
776295	Minor	GUI	GUI shows "Undefined" error when the user attempts to set a new password for a user created with the "Password Reset" field set.
775207	Minor	GUI	When executing a FortiSOAR playbook, the Details tab does not display data under some conditions.
773473	Minor	GUI	"Install Status" and "Upgrade Version" shows wrong values for collector health after continuous upgrade.
766510	Minor	GUI	ANALYTICS Filter: Inner CMDB Query fails, seemingly dependent on the name of the CMDB report.
790937	Minor	Identity and Location	Identity and location: Windows Kerberos Authentication followed by DHCP results in duplicate entries since the Workstation name is missing in Windows 4624 event.
783844	Minor	Java Query Server	Java Query Server sometimes uses older java libraries and is unable to connect to Elasticsearch.
765552	Minor	Java Query Server	Sometimes, the Java Query Server searches for 30 days of event indices instead of one day when there are no search filters.
763150	Minor	Java Query Server	Sometimes, reports misses in exported PDF for scheduled report bundle that use pre-compute.
802966	Minor	Parser	Event Forwarding of PH_AUDIT logs truncates the raw events.
780668	Minor	Parser	Parser Inbuilt Function: convertHexStrToInt () gives wrong results.
776350	Minor	Parser	External protocol error (PH_PARSER_INVALID_EXT_LOG_PROTO) from collectors occurrs when OMI was configured.
799016	Minor	Performance Monitor	MySQL performance monitoring events has hardcoded instance names instead of what is defined in Credential.
799002	Minor	Performance Monitor	Startup-config changes cannot be pulled in Cisco IOS XR.
768515	Minor	Performance Monitor	Several bug fixes and enhancements for FortiOS based devices collecting performance metrics (e.g. FortiGate, FortiAP, FortiSwitch) via REST API.
769414	Minor	QueryMaster	phQueryMaster memory usage increases when FortiSIEM collects performance metrics for a large number of devices when they are all included in the Summary dashboard. This summary data is held in memory and needs to be more aggressively purged.
777226	Minor	System	Using configFSM.sh to change Collector IP may result in failure due to DR_ROLE reference.
774030	Minor	System	Disable TRACE/TRACK HTTP method by default on HTTP port.
768018	Minor	System	Upgrade Log4j-core to latest stable version 2.17.
787121	Enhancement	App Server	Shorten the time for querying new entries in Lookup Table. Currently, there is a maximum 10 minute delay.
609622	Enhancement	App Server	Support needed for Arabic character set inside events in PDF and CSV reports.
779657	Enhancement	Data	Need to parse CEF formatted Palo Alto firewall logs.
773036	Enhancement	Data	CheckpointCEFParser does not parse URL filtering logs correctly.
770908	Enhancement	Data	PAN-OS-THREAT-virus-100000-deny is not parsed correctly.
770842	Enhancement	Data	Enhanced FortiWebParser to support FWB-VM-S and original source IP.
770561	Enhancement	Data	FortiAnalyzer internal alert events are not parsed.
770195	Enhancement	Data	Windows WMI Parser needs to parse Active Directory Federation Services (ADFS) events.
769325	Enhancement	Data	JunOS Parser needs to be updated.
766960	Enhancement	Data	Windows Parser does not extract the fields File Name and File Path for security event 6281.
766461	Enhancement	Data	Cisco StealthWatch Parser cannot parse Cisco StealthWatch logs from versions after 7 because the log format changed.
765158	Enhancement	Data	VMwareVCenterParser does not parse some VMware vCenter logs.
754088	Enhancement	Data	Need to enhance HP Procurve switch (essentially Aruba Switch) Parser as they have a different log format.
745967	Enhancement	Data	Service name is not parsed for Win-Security-4673 event.
745905	Enhancement	Data	The rule "Windows: Generic Password Dumper Activity on LSASS" needs adjustment.
787995	Enhancement	Data	Linux Threat Rules needs to be updated with correct parsed attributes.
787273	Enhancement	Data	Jenkins logs needs to be parsed.
793108	Enhancement	Data Purger	Provide the customer with the ability to turn off ILM and preserve this configuration after upgrade.
785761	Enhancement	GUI	Enhance the default NetFlow Dashboard by including various charts.
777776	Enhancement	GUI	No longer allow REGEX on IP fields in Search Filters.
777633	Enhancement	GUI	Lookup Table: Report Schedule Trend selector not needed when scheduling import via report.
777631	Enhancement	GUI	Need to only allow applicable operators for LookupTableGet().
777585	Enhancement	GUI	CASES > Action History > List > Incident Actions history shows action, but is missing action detail.
777570	Enhancement	GUI	Create Case/Ticket in INCIDENTS - Need auto-refresh of selected incident data after creation and consistent field naming.
777534	Enhancement	GUI	Incident Details - Quick Lookup button needed for user fields under triggering events.
777512	Enhancement	GUI	The FortiSOAR Playbook Execution Result dialog window on Incident tab > Actions > Add summary contains no line break between header and message.
777485	Enhancement	GUI	FortiGuard IOC Lookup in INCIDENTS page - On execute - is missing results in Incident > Action History e.g. IP x.x.x.x is malicious.
777149	Enhancement	GUI	Image upload failures shows incorrect error message: "Checksum error", when the actual error is a connection error to FortiGuard.
774594	Enhancement	GUI	The default Report Design Template for a Report Bundle is shown when the user attempts to edit the default template.
765339	Enhancement	Java Query Server	Speed up the exporting of 100k search records from Elasticsearch into a CSV file.
790052	Enhancement	Parser	Increase the number of concurrent TLS connections handled by Parser module for syslog over TLS.
782926	Enhancement	Parser	Add Parser for MS Defender for Endpoint Advanced Hunting events forwarded to Azure Event Hub.
644096	Enhancement	Performance Monitor	SNMP V3 Support includes AES256 and SHA256 (was currently supporting less secure AES128).
784753	Enhancement	System	Reduce upgrade time for large EventDB based FortiSIEM deployments (large /data/archive and SVN files).
773866	Enhancement	System	Azure VHD image update should not include a swap partition to be compliant with Azure marketplace.
770161	Enhancement	System	UDP port 6343 needs to be opened on all nodes for ingesting sFlow.

Rule and Report Modifications since 6.4.0

The following rules were added:

• Active Directory Privilege Escalation Exploit Detected on Host

• Active Directory Privilege Escalation Exploit Detected on Network

• FortiAnalyzer: No logs received from a device in 4 hours

• FortiGate ICS Alert: Exploitation of Remote Services

• HermeticWiper-Foxblade Malware Detected on Host

• HermeticWiper-Foxblade Malware Detected on Network

• ICS Alert: Activate Firmware Update Mode

• ICS Alert: Alarm Suppression

• ICS Alert: Automated Collection

• ICS Alert: Block Command Message

• ICS Alert: Block Reporting Message

• ICS Alert: Block Serial COM

• ICS Alert: Brute Force I/O

• ICS Alert: Change Operating Mode

• ICS Alert: Command-Line Interface

• ICS Alert: Commonly Used Port

• ICS Alert: Connection Proxy

• ICS Alert: Damage to Property

• ICS Alert: Data Destruction

• ICS Alert: Data from Information Repositories

• ICS Alert: Default Credentials

• ICS Alert: Denial of Control

• ICS Alert: Denial of Service

• ICS Alert: Denial of View

• ICS Alert: Detect Operating Mode

• ICS Alert: Device Restart/Shutdown

• ICS Alert: Drive-by Compromise

• ICS Alert: Execution through API

• ICS Alert: Exploit Public-Facing Application

• ICS Alert: Exploitation for Evasion

• ICS Alert: Exploitation for Privilege Escalation

• ICS Alert: Exploitation of Remote Services

• ICS Alert: External Remote Services

• ICS Alert: Graphical User Interface

• ICS Alert: Hooking

• ICS Alert: I/O Image

• ICS Alert: Indicator Removal on Host

• ICS Alert: Internet Accessible Device

• ICS Alert: Lateral Tool Transfer

• ICS Alert: Loss of Availability

• ICS Alert: Loss of Control

• ICS Alert: Loss of Productivity and Revenue

• ICS Alert: Loss of Protection

• ICS Alert: Loss of Safety

• ICS Alert: Loss of View

• ICS Alert: Man in the Middle

• ICS Alert: Manipulate I/O Image

• ICS Alert: Manipulation of Control

• ICS Alert: Manipulation of View

• ICS Alert: Masquerading

• ICS Alert: Modify Alarm Settings

• ICS Alert: Modify Controller Tasking

• ICS Alert: Modify Parameter

• ICS Alert: Modify Program

• ICS Alert: Module Firmware

• ICS Alert: Monitor Process State

• ICS Alert: Native API

• ICS Alert: Network Connection Enumeration

• ICS Alert: Network Sniffing

• ICS Alert: Point Tag Identification

• ICS Alert: Program Download

• ICS Alert: Program Upload

• ICS Alert: Project File Infection

• ICS Alert: Remote Services

• ICS Alert: Remote System Discovery

• ICS Alert: Remote System Information Discovery

• ICS Alert: Replication Through Removable Media

• ICS Alert: Rogue Master

• ICS Alert: Rootkit

• ICS Alert: Screen Capture

• ICS Alert: Scripting

• ICS Alert: Service Stop

• ICS Alert: Spearphishing Attachment

• ICS Alert: Spoof Reporting Message

• ICS Alert: Standard Application Layer Protocol

• ICS Alert: Supply Chain Compromise

• ICS Alert: System Firmware

• ICS Alert: Theft of Operational Information

• ICS Alert: Transient Cyber Asset

• ICS Alert: Unauthorized Command Message

• ICS Alert: User Execution

• ICS Alert: Valid Accounts

• ICS Alert: Wireless Compromise

• ICS Alert: Wireless Sniffing

• Ingress Tool Transfer - Execution Alert from MS Defender for Endpoint

• Linux: File Permission Modification in Writable Relative Directory By non-root user

• LSASS Memory - Credential Access Alert from MS Defender for Endpoint

• Masquerading - Execution Alert from MS Defender for Endpoint

• Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on Network

• Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on Host

• MS Defender for Endpoint Alert - Generic

• OS Credential Dumping - Suspicious Activity Alert from MS Defender for Endpoint

• Process Injection - Defense Evasion Alert from MS Defender for Endpoint

• Suspicious PowerShell command line - Execution Alert from MS Defender for Endpoint

• Suspicious Process Discovery - Discovery Alert from MS Defender for Endpoint

• Suspicious Task Scheduler activity - Persistence Alert from MS Defender for Endpoint

• System Network Configuration Discovery - Discovery Alert from MS Defender for Endpoint

• System Service Discovery - Discovery Alert from MS Defender for Endpoint

• UEBA AI detects unusual file deletion

• Win32k Elevation of Privilege Vulnerability Detected on Host

• Win32k Elevation of Privilege Vulnerability Detected on Network

• Windows HTTP Protocol Stack RCE Detected on Host

• Windows HTTP Protocol Stack RCE Detected on Network

• Windows Logging Service Shutdown

• Windows Security Log is Full

The following rules were renamed:

• Linux: Account Discovery via Built-In Tools on $hostName -> Linux Account Discovery via Built-In Tools

• Linux: File Permission Modification in Writable Directory By non-root user -> Linux: File Permission Modification in Writable Absolute Directory By non-root user

• UEBA AI detects unusual machine logoff -> UEBA AI detects unusual user logoff

The following reports were added:

• Active Directory Privilege Escalation Exploit Detected on Host

• Active Directory Privilege Escalation Exploit Detected on Network

• HermeticWiper-Foxblade Malware Detected on Host

• HermeticWiper-Foxblade Malware Detected on Network

• Jenkins Automation: Job Config Submit Audit Report

• Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on Network

• Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on Host

• MS Defender for Endpoint Alerts

• MS Defender for Endpoint Events

• NetFlow: Detailed Traffic Report

• NetFlow: Top Destination Countries by Total Bytes

• NetFlow: Top FortiGuard Malware IP Communication by Sent and Received Bytes

• NetFlow: Top FortiGuard Malware IP Communication by Source IP

• NetFlow: Top Protocols by Total Bytes

• NetFlow: Top Traffic by Source and Destination Countries

• NetFlow: Top Uncommon Outbound Protocols by Count

• NetFlow: Traffic Flow Details by Total Bytes

• Nutanix: API Requests Audit

• Nutanix: Top Consolidated Audit Events by Count

• Nutanix: Top Consolidated Audit Events by User

• Nutanix: Top Dropped Traffic Flows

• Nutanix: Top Dropped Traffic Flows by Destination

• Nutanix: Top Dropped Traffic Flows by Source

• Nutanix: Top Permitted Traffic Flows

• Nutanix: Top Permitted Traffic Flows by Destination

• Nutanix: Top Permitted Traffic Flows by Source

• Win32k Elevation of Privilege Vulnerability Detected on Host

• Win32k Elevation of Privilege Vulnerability Detected on Network

• Windows HTTP Protocol Stack RCE Detected on Host

• Windows HTTP Protocol Stack RCE Detected on Network

Known Issues

1. Currently, Policy based retention for EventDB does not cover two event categories: (a) System events with phCustId = 0, e.g. a FortiSIEM External Integration Error, FortiSIEM process crash etc., and (b) Super/Global customer audit events with phCustId = 3, e.g. audit log generated from a Super/Global user running an adhoc query. These events are purged when disk usage reaches high watermark.

2. On hardware appliances running FortiSIEM 6.6.0 or earlier, FortiSIEM execute shutdown CLI does not work correctly. Please use the Linux shutdown command instead.

3. App Server may fail to restart after FortiSIEM reboot or App Server restart. Perform the following workaround to bring up App Server.

   1. Clean up App Server cache by running the following commands.
      

      # su admin
      $ cd /opt/glassfish/domains/domain1/
      $ rm -rf generated/
      $ rm -rf osgi-cache/
      

   2. Restart App Server by running the following commands.
      

      $ cat /opt/glassfish/domains/domain1/config/pid
      $ kill -9 $(cat /opt/glassfish/domains/domain1/config/pid)
      

4. If you change the Supervisor IP address (using the recommended configFSM utility), there will be 2 entries for Supervisor in ADMIN > Health > Cloud Health: one for the new IP address and another for the old IP address. To remove the entry with the old IP address from the database, run the following SQL commands on the Supervisor node.
   

   delete from ph_health_status where host_ip='newIp' and nodetype=0;
   update ph_health_status set host_ip='newIp' where host_ip='oldIp' and nodetype=0;

   If the Supervisor Instance was registered to FortiSIEM Manager, then run these commands on FortiSIEM Manager node.

   delete from ph_health_status where host_ip='newIp' and nodetype=0 and cust_org_id=/*instanceID*/;
   update ph_health_status set host_ip='newIp' where host_ip='oldIp' and nodetype=0 and cust_org_id=/*instanceID*/;

5. FortiSIEM Manager cannot be installed in an IPV6 network.

6. There is a known issue with Elasticsearch rollup search API when sorting AVG (https://github.com/elastic/elasticsearch/issues/58967). Therefore, do not use pre-compute Elasticsearch queries that have ASC or DESC on AVG().

7. In Elasticsearch based deployments, queries containing "IN Group X" are handled using Elastic Terms Query. By default, the maximum number of terms that can be used in a Terms Query is set to 65,536. If a Group contains more than 65,536 entries, the query will fail.
   

   The workaround is to change the “max_terms_count” setting for each event index. Fortinet has tested up to 1 million entries. The query response time will be proportional to the size of the group.

   Case 1. For already existing indices, issue the REST API call to update the setting

   PUT fortisiem-event-*/_settings
   {
     "index" : {
       "max_terms_count" : "1000000"
     }
   }
   

   Case 2. For new indices that are going to be created in the future, update fortisiem-event-template so those new indices will have a higher max_terms_count setting

   1. cd /opt/phoenix/config/elastic/7.7

   2. Add "index.max_terms_count": 1000000 (including quotations) to the “settings” section of the fortisiem-event-template.
      

      Example:

      ...

      "settings": {
          "index.max_terms_count": 1000000,
      

      ...
      

   3. Navigate to ADMIN > Storage > Online and perform Test and Deploy.

   4. Test new indices have the updated terms limit by executing the following simple REST API call.
      

      GET fortisiem-event-*/_settings