What's New in 7.1.4
This document describes the additions for the FortiSIEM 7.1.4 release.
New Feature
ClickHouse Archive to Google Cloud Storage (GCS)
This release enables you to archive ClickHouse to Google Cloud Storage (GCS) in FortiSIEM Google Cloud Platform (GCP) deployments. For setting up ClickHouse Archive on GCS, see here.
Key Enhancements
- Rocky Linux Update
- Windows Agent 7.1.4 Log Handling Performance Improvement
- ClickHouse Data Movement Algorithm Change
- Incident Actions Added to all Incident Pages
- Script for Rebuilding/Recreating pre-7.1.1 ClickHouse Database Indices Involving IP Fields
Rocky Linux Update
This release includes published Rocky Linux OS 8.9 updates until February 15, 2024. The list of updates can be found at https://errata.rockylinux.org/. FortiSIEM Rocky Linux Repositories (os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs-r8.fortisiem.fortinet.com) have also been updated to include fixes until February 15, 2024. Therefore, FortiSIEM customers on versions 6.4.1 and above can upgrade only their Rocky Linux versions by following the procedures described in FortiSIEM OS Update Procedure.
Windows Agent 7.1.4 Log Handling Performance Improvement
To better handle larger volumes of events (especially Windows forwarded events), FortiSIEM Windows Agent 7.1.4 now uses the Windows native XML format to transfer all Windows logs (Security, System, Application, Forwarded Events, etc.) to the Collector. A new FortiSIEM Windows event parser (WinOSXmlParser) parses event attributes directly from the XML fields. By moving the parsing load from the Windows Agent to the Collector, Agent CPU load is reduced and Collector CPU load is slightly increased; Fortinet has not observed any significant load increase on the Collector. From the user's perspective, only the Windows raw message structure changes, from the FortiSIEM "[Attribute]:Value, [Attribute]:Value" format to the Windows XML format.
Since the Windows event log structure has changed, all user-written custom Windows parsers should be upgraded to parse XML fields prior to upgrading the Windows Agent. Follow the parsing logic in WinOSXmlParser to adapt your custom Windows parsers.
An example Security log format change is below. For other examples, see here.
Current Format:
2024-02-22T01:07:51Z Win10.acme.com 172.30.56.127 AccelOps-WUA-WinLog-Security [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="72f70ae7-fedf-4dc0-92e7-0c953f46f87e" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [eventName]="Security" [eventSource]="Microsoft-Windows-Security-Auditing" [eventId]="4703" [eventType]="Information" [domain]="" [computer]="Win10.acme.com" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="Feb 22 2024 01:07:51" [deviceTime]="Feb 22 2024 01:07:51" [msg]="A token right was adjusted." [[Subject]][Security ID]="S-1-5-18" [Account Name]="GFU-WIN10$" [Account Domain]="ACME" [Logon ID]="0x3E7" [[Target Account]][Security ID]="S-1-5-18" [Account Name]="ACME-WIN10$" [Account Domain]="ACME" [Logon ID]="0x3E7" [[Process Information]][Process ID]="0x3348" [Process Name]="C:\\Windows\\System32\\msiexec.exe" [Enabled Privileges]="" [Disabled Privileges]="SeRestorePrivilege,SeTakeOwnershipPrivilege"
New Format:
2024-02-27T21:19:33Z Win10.acme.com 172.30.56.129 FSM-WUA-WinLog-Security [phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="1e749ab9-bf6e-4052-806b-02068b2d4465" [timeZone]="-0800" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4703</EventID><Version>0</Version><Level>0</Level><Task>13317</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-27T21:19:32.430796700Z'/><EventRecordID>9064813051</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='5944'/><Channel>Security</Channel><Computer>FSM-GFU-Windows2019-WIN2019-172-30-56-129</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>FSM-GFU-WINDOWS$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>FSM-GFU-WINDOWS$</Data><Data Name='TargetDomainName'>WORKGROUP</Data><Data Name='TargetLogonId'>0x3e7</Data><Data Name='ProcessName'>C:\\Windows\\System32\\svchost.exe</Data><Data Name='ProcessId'>0xbdc</Data><Data Name='EnabledPrivilegeList'>SeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege</Data><Data Name='DisabledPrivilegeList'>-</Data></EventData></Event>
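The following is an added illustration of the parsing change a custom parser has to make; it is not FortiSIEM's WinOSXmlParser. It splits a New Format raw message at the `[xml]=` marker, reads the fixed `[key]="value"` header, and flattens the `System` and `EventData` elements into the attribute names the old format used (eventId, eventSource, eventName, computer, eventTime). The sample message is a constructed, trimmed copy of the one above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the 7.1.4 "New Format": the fixed [key]="value" header
# followed by the Windows-native XML event (trimmed from the example above).
SAMPLE = (
    '2024-02-27T21:19:33Z Win10.acme.com 172.30.56.129 FSM-WUA-WinLog-Security '
    '[phCustId]="2000" [customer]="org1" [monitorStatus]="Success" [level]="Information" '
    "[xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4703</EventID>"
    "<TimeCreated SystemTime='2024-02-27T21:19:32.430796700Z'/><Channel>Security</Channel>"
    "<Computer>WIN2019-172-30-56-129</Computer></System>"
    "<EventData><Data Name='SubjectUserSid'>S-1-5-18</Data>"
    "<Data Name='SubjectUserName'>FSM-GFU-WINDOWS$</Data>"
    "<Data Name='ProcessName'>C:\\Windows\\System32\\svchost.exe</Data>"
    "<Data Name='EnabledPrivilegeList'>SeBackupPrivilege SeRestorePrivilege</Data>"
    "<Data Name='DisabledPrivilegeList'>-</Data></EventData></Event>"
)

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
HEADER_RE = re.compile(r'\[(\w+)\]="([^"]*)"')


def parse_new_format(raw: str) -> dict:
    """Split the raw message at [xml]= into the fixed header and the XML body,
    then flatten the System fields (renamed to the old-format attribute names)
    and every EventData/Data element into one dict."""
    head, sep, xml = raw.partition("[xml]=")
    if not sep:
        raise ValueError("not a 7.1.4 XML-format Windows Agent event")
    attrs = dict(HEADER_RE.findall(head))
    root = ET.fromstring(xml)
    system = root.find("e:System", NS)
    attrs["eventId"] = system.findtext("e:EventID", namespaces=NS)
    attrs["eventSource"] = system.find("e:Provider", NS).get("Name")
    attrs["eventName"] = system.findtext("e:Channel", namespaces=NS)
    attrs["computer"] = system.findtext("e:Computer", namespaces=NS)
    attrs["eventTime"] = system.find("e:TimeCreated", NS).get("SystemTime")
    # Each <Data Name='X'>v</Data> becomes attrs["X"] = "v"; Windows writes "-" for unset.
    for data in root.iterfind("e:EventData/e:Data", NS):
        attrs[data.get("Name")] = data.text or ""
    # Privilege lists are space separated in XML but comma separated in the old format.
    for key in ("EnabledPrivilegeList", "DisabledPrivilegeList"):
        if attrs.get(key) in ("", "-"):
            attrs[key] = ""
        elif key in attrs:
            attrs[key] = ",".join(attrs[key].split())
    return attrs
```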
ClickHouse Data Movement Algorithm Change
Currently, when a storage tier becomes 90% full, the earliest data partition from each retention policy bucket (chosen in a round-robin manner) is moved to the next storage tier until utilization drops to 80%. This policy can be unfair to recently created retention policies, since their few partitions are moved as often as those of long-standing policies. The data movement algorithm is changed to global earliest data partition first: when a storage tier becomes 90% full, the earliest data partitions across all retention policy buckets are moved to the next storage tier until utilization drops to 80%.
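The following added simulation (not FortiSIEM's data management code) contrasts the two selection policies on a constructed set of partitions, with the 90% trigger and 80% target from the text; the capacity, partition sizes and policy names are assumptions.

```python
from itertools import cycle

# Constructed sample: (retention_policy, partition_day, size_gb).
# "legacy" holds months of data; "new" is a recently created policy with two days.
PARTITIONS = [("legacy", f"2023-01-{d:02d}", 10) for d in range(1, 10)] + [
    ("new", "2024-03-01", 3), ("new", "2024-03-02", 3)]
TIER_CAPACITY_GB = 100  # assumed tier size; 96 GB used, so the 90% trigger fires


def _fill(parts, capacity):
    return sum(size for _, _, size in parts) / capacity


def move_round_robin(parts, capacity, high=0.9, low=0.8):
    """Pre-7.1.4 behaviour: earliest partition from each policy bucket in turn."""
    if _fill(parts, capacity) < high:
        return []
    buckets = {p: sorted(x for x in parts if x[0] == p)
               for p in sorted({x[0] for x in parts})}
    remaining, moved = list(parts), []
    for policy in cycle(buckets):
        if _fill(remaining, capacity) <= low or not any(buckets.values()):
            break
        if buckets[policy]:
            part = buckets[policy].pop(0)
            remaining.remove(part)
            moved.append(part[:2])
    return moved


def move_global_earliest(parts, capacity, high=0.9, low=0.8):
    """7.1.4 behaviour: earliest partition across all policies first."""
    if _fill(parts, capacity) < high:
        return []
    remaining = sorted(parts, key=lambda x: x[1])
    moved = []
    while remaining and _fill(remaining, capacity) > low:
        moved.append(remaining.pop(0)[:2])
    return moved
```

With this data the round-robin policy evicts one of the new policy's two days even though the legacy policy has far older partitions, while global-earliest moves only legacy data.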
Incident Actions Added to all Incident Pages
Currently, the Incident Action menu is available on the Incident List View and Risk pages. This menu is now also available on the following pages:
- Incidents > UEBA
- Incidents > Explorer
- Incidents > MITRE ATT&CK > IT: Incident Explorer
- Incidents > MITRE ATT&CK > ICS: Incident Explorer
Script for Rebuilding/Recreating pre-7.1.1 ClickHouse Database Indices Involving IP Fields
As noted in the 7.1.3 Known Issue, after upgrading from a pre-7.1.1 release to 7.1.2 or later, searching on IP fields in ClickHouse-based deployments does not show correct results for events stored prior to the upgrade. IP fields include Reporting IP, Source IP, Destination IP, and Host IP. This release provides a simple script that replaces the set of commands detailed in the 7.1.3 Known Issue.
If you are running FortiSIEM 7.1.2 or 7.1.3 on ClickHouse and have already executed the rebuilding steps in the 7.1.3 Known Issue, then nothing more needs to be done. However, if you are running FortiSIEM 7.1.1 or earlier on ClickHouse, then after upgrading to 7.1.4 you can use the following command to automate the ClickHouse index rebuilding steps:
/opt/phoenix/phscripts/clickhouse/rebuild_ip_bloom_filter.sh -h
Usage: ./script [-h for help] [-p for 10 oldest partitions] [-m manual commands] [-r <index id> index to be rebuilt]
Here are indexes available for rebuild. Please choose one and specify the id in -r option. -r <index id> option is mandatory.
- reptDevIpAddr
- srcIpAddr
- destIpAddr
- hostIpAddr
For example, to rebuild reptDevIpAddr index, issue the following command.
$ ./rebuild_ip_bloom_filter.sh -r 1
Notes before running the script:
Detailed Steps are as follows:
- Go to root shell by running the following command:
sudo -s
- Run the following command:
/opt/phoenix/phscripts/clickhouse/rebuild_ip_bloom_filter.sh -r 1
The script will produce output similar to the following:
[root@server]# /opt/phoenix/phscripts/clickhouse/rebuild_ip_bloom_filter.sh -r 1
current attr is reptDevIpAddr
Materialize in progress "false" for reptDevIpAddr with 0 parts to process
Materialize in progress "false" for srcIpAddr with 0 parts to process
Materialize in progress "false" for destIpAddr with 0 parts to process
Materialize in progress "false" for hostIpAddr with 0 parts to process
drop in progress "false" for reptDevIpAddr
drop in progress "false" for srcIpAddr
drop in progress "false" for destIpAddr
drop in progress "false" for hostIpAddr
Processing index index_reptDevIpAddr_bloom_filter
Trying to rebuild index_reptDevIpAddr_bloom_filter
drop in progress "false"
There is enough storage on host 172.30.56.206.
done checking storage for index index_reptDevIpAddr_bloom_filter
dropping index index_reptDevIpAddr_bloom_filter
dropping index command issued
Start monitoring index index_reptDevIpAddr_bloom_filter for drop operation
drop index_reptDevIpAddr_bloom_filter done. Total time taken: 0 seconds
Total time to drop index_reptDevIpAddr_bloom_filter is 1 seconds
adding index_reptDevIpAddr_bloom_filter
Start monitoring index index_reptDevIpAddr_bloom_filter for materialize operation
parts left to materialize reptDevIpAddr index : 6 - time taken 0 seconds
materialize index_reptDevIpAddr_bloom_filter done. Total time taken: 10 seconds
Rebuilding index for reptDevIpAddr done. Total time taken for rebuild 13 seconds
- Run the following command:
/opt/phoenix/phscripts/clickhouse/rebuild_ip_bloom_filter.sh -r 2
- Run the following command:
/opt/phoenix/phscripts/clickhouse/rebuild_ip_bloom_filter.sh -r 3
- Run the following command:
/opt/phoenix/phscripts/clickhouse/rebuild_ip_bloom_filter.sh -r 4
Bug Fixes and Enhancements
This release contains the following fixes and enhancements.
Bug ID | Severity | Module | Description
---|---|---|---
1000328 | Major | App Server | With a large (500+) number of parsers, App Server may encounter a stack overflow and fail to start up.
986665 | Major | App Server | During Agent upgrade with a large number of Agents, some Agents would hang and not finish the upgrade process.
1004319 | Major | GUI | Clear condition in a Rule is not saved correctly. This may cause the correct clear conditions to be displayed in the GUI but not enforced correctly in the rule. This bug was introduced in FortiSIEM 7.1.0.
991851 | Major | Performance Monitoring | 
1004357 | Major | phMonitor | Adding a Worker node fails in the scenario where NFS is chosen as the event archive destination.
1001969 | Major | Rule Engine | With a large Malware IOC feed and high EPS, the
997357 | Major | System | 
990219 | Minor | App Server | Adding more than 20 Incidents to a Case throws
984002 | Minor | App Server | Duplicate Devices with different Vendor/Model/Versions may be seen in CMDB after Agent registration.
982928 | Minor | App Server | Running investigations in the GUI can cause
992974 | Minor | Data Purger | ClickHouse data management module moves or purges 10% more data than it should. Instead of free disk utilization fluctuating between 10% and 20% (as designed), it fluctuates between 10% and 30%.
953268 | Minor | Data Purger | In EventDB environments, Online data for Org 0 and Org 2 did not get purged after archive.
987019 | Minor | Data Work | Office365 Reports API Parser has source and destination domain flipped for Office365 Message Trace events.
994833 | Minor | Discovery | Configuration pull for FortiOS via REST API integration does not work if the FQDN obtained via IP reverse lookup and the CMDB hostname are different.
1001664 | Minor | Event Pulling Agents | Google App event pulling fails (caused by 3rd party library
988310 | Minor | Event Pulling Agents | 
993615 | Minor | GUI | In Incident List View, event attributes inside
992843 | Minor | GUI | Test Connectivity does not work in 7.1.x Enterprise mode.
989124 | Minor | GUI | Windows Agent type in the Agent health page is empty after upgrading to 7.1.2.
979734 | Minor | GUI | "Set Activation Scope" from Super org does not correctly update rule status for organizations.
977174 | Minor | GUI | Export PDF Report Results fails if the Supervisor can't reach the Internet over port 443.
992940 | Minor | Machine Learning | Incident Resolution Recommendation Engine is learning from its own actions instead of only from user actions.
995423 | Minor | Parser | 
993240 | Minor | Parser | After content update to version 602, parsers are not applied correctly.
980410 | Minor | Parser | Elasticsearch index creation fails when a parser generates internal events for Orgs that do not exist in CMDB.
1003091 | Minor | phAnomaly | The
990369 | Minor | Query | A user with full access to Analytics and View access to CMDB needs an additional view permission to see all parsed events.
989855 | Minor | Query | Analytical searches with Raw Event Log and CONTAIN 'Code' do not run.
989751 | Minor | Query | There is a known issue in release 7.1.1 or later. After upgrading to any of these releases from a pre-7.1.1 release, in ClickHouse-based deployments, searching on IP fields (namely Reporting IP, Source IP, Destination IP, and Host IP) does not show correct results for events stored prior to the upgrade. The release notes provide manual steps; a script is needed to replace them.
1003621 | Minor | System | FortiSIEM hardware appliance
992756 | Minor | System | 
986922 | Minor | System | The
1001157 | Minor | Windows Agent | In a Windows Event Forwarding environment, the Windows Agent that receives forwarded events and sends them to the Collector may get overloaded with events, and the latency for events to reach the FortiSIEM Collector may increase.
972454, 975763 | Minor | Windows Agent | Windows Agent has high CPU usage when it handles a high volume of Windows Forwarded events.
984787 | Minor | Windows Agent | Windows Agent performance monitoring shows wrong disk latency metrics.
939919 | Minor | Windows Agent | File Integrity Monitoring (FIM) Event for a non-Windows network drive mounted on a Windows server does not contain user id and domain info.
1002302 | Enhancement | Data Work | FortiMail reported "Antivirus Phishing URL found in email" is not specifically handled by existing rules.
985480 | Enhancement | Data Work | Update FortiGate IPS Signatures to the latest.
975379 | Enhancement | Data Work | Add Rules, Reports, Dashboard for Trend Micro Vision One integration.
998288 | Enhancement | GUI | Add Action menu to Incident Explorer view, UEBA view and MITRE ATT&CK Incident Explorer view.
989845 | Enhancement | GUI | In the Incident slide-in display, Incident First Occur Time and Last Occur Time values need to show the full exact date.
991315 | Enhancement | Machine Learning | Currently, FortiSIEM automatically clears an Incident if the Machine Learning algorithm detects a 'False positive' resolution with confidence greater than 90%. Provide a user option to disable this.
984748 | Enhancement | Parser | For HTTPS Advanced Poller, support dot notation for the JSON response key, as the array of events is sometimes nested several levels deep rather than at the top level.