What's New in 7.2.0

This release contains the following features, enhancements, device support and bug fixes.

• New Features
• Key Enhancements
• External Log Source Integration
• Bug Fixes
• Important Considerations
• Implementation Notes and Known Issues

New Features

• Automated Case Management

• Collector High Availability

• Search Field Analytics

• Custom SIGMA Rule Import

Automated Case Management

In FortiSIEM, administrator can create a Case consisting of one or more incidents and assign the Case to a user to resolve the case. Currently the Case creation and assignment process is manual. This release provides an option to automate this process.

Automated Case Management involves the following steps:

1. Create Analyst Teams under CMDB > Users. Each Team has a Team Lead, a Team Queue along with FortiSIEM users as team members. Work schedule and Time off schedule can be defined for each team member.

2. Create Case Management Policy Templates under Admin > Settings > Case Management. A policy involves specifying the following aspects:

   • SLA Violation and Escalation policy

   • Auto-assignment policy

   • Case Change Notifications policy

   • Case Change Permissions policy

   • Case Auto Close policy

3. Create one or more Case Assignment Policies under Admin > Settings > Automation Policy. A Case Assignment Policy determines how the Case should be assigned and managed. A policy involves specifying a Condition and an Action.

   • A Case Assignment Policy Condition is specified in terms of Incident Severity, Rule Name, Time Range, Affected Items, Affected Orgs (for Service Provider deployments).

   • A Case Assignment Policy Action specifies a Case Management Policy and an ordered list of Teams.

Automated Case Creation and Assignment works as follows: When an Incident triggers, FortiSIEM will attempt to find an existing Open Case with matching IP address or host name. If found, then the Incident is simply added to that Case. Otherwise, FortiSIEM goes through the list of Case Assignment Policy Conditions in rank order looking for a match. If a match is found, then a new Case is created:

• An Assignee is found from the list of Teams in the matching Case Management Policy.

• Subsequently, the Case is managed following the Case Assignment Policy templates.

A Case can also be created manually as follows:

1. Create Analyst Teams under CMDB > Users.

2. Create Case Management Policy Templates under Admin > Settings > Case Management. The Auto-Assignment rules do not need to be specified.

3. Pick an Incident and create a Case or assign to an existing Case. The Assignee needs to be chose from the Analyst team and a Case Management Policy Template should be chosen, but is optional. During the assignment process, the list of related Incidents is provided to help the user to group related incidents into one Case.

All Cases can be viewed in Cases > List View. Each Case has a Drill Down View that includes Explore Dashboard, Investigation Dashboard and MITRE ATT&CK Dashboard specific for the Incidents included in this Case.

Cases > Overview provides 3 dashboards to view Overall Case Health, Case KPIs, Case Handling Statistics.

Other features include:

• In User Profile > UI Settings, user can customize the Case Home page.

• Audit events prefixed by PH_AUDIT_CASE with System Event Category = 2, which can be seen from Resources > Event Types by searching for PH_AUDIT_CASE.

• CMDB Reports to report on Case Progress, e.g. all cases that are open for more than 15 days.

• Ability to export and import a Case.

• Ability to create a Case from events only.

• Use FortiAI (previously Fortinet Advisor) to analyze a Case and add the analysis to Case Comments.

See here for details.

Collector High Availability

A FortiSIEM Collector plays the critical role of communicating with the end devices and Cloud Services for collecting logs and performance monitoring metrics, configurations, and other data. Currently if a Collector goes down, then:

• Logs sent to this Collector need to be manually resent to another Collector unless there is a Load Balancer in front.

• Events being pulled by Collector stops, until a new Collector is onboarded, and discovery is repeated to create an event pulling job for the new Collector.

This release adds the ability to deploy Collectors in High Availability mode – this enables Collector data collection to continue uninterrupted even when a Collector fails. This feature works differently in these environments:

• Case 1 - On premise and AWS deployments via VRRP

• Case 2 – On Azure and GCP deployments via Load Balancer

Case 1: On premise and AWS deployments via VRRP

If your Collectors are deployed on On-premise hypervisors, or on AWS, or they are hardware appliances, then High Availability (HA) is enabled via Virtual Router Redundancy Protocol (VRRP). A Collector HA Cluster needs to be created with one Leader and one or more Followers and a Virtual IP (VIP) that is always owned by the Leader.

During normal operations:

• Logs sent to the VIP are handled by the Leader Collector (which owns the VIP).

• FortiSIEM Supervisor node distributes event pulling and performance monitoring jobs among all Collectors in the Cluster.

If the Leader Collector goes down:

• The Follower node with highest priority will become the Leader and own the VIP. No human intervention is needed.

• Logs previously sent to the (failed) Leader Collector will automatically reach the new Leader Collector.

• FortiSIEM Supervisor node will automatically re-distribute event pulling and performance monitoring jobs previously assigned to the failed Leader Collector, to other Collectors in the HA Cluster.

If a Follower Collector goes down:

• App Server will distribute event pulling and performance monitoring jobs assigned to the failed Collector to other Collectors in the HA Cluster.

• If a failed Collector comes back up, then it will stay a Follower, but the event pulling jobs will be re-distributed among all the working Collectors in the HA Cluster.

Failure and Recovery:

• If the Leader Collector goes down, then the Follower with the highest priority takes over. If the Leader Collector comes back up, then it will resume the Leader role due to its higher priority.

• If a Follower Collector goes down, the Leader will continue to operate. If the Follower comes back up, then it will remain a Follower while the Leader is operational.

Case 2: On Azure and GCP deployments via Load Balancer

If your Collectors are deployed on Azure or GCP, then High Availability is achieved via Load balancing mechanisms. A Collector HA Cluster needs to be created with a Load Balancer in front of the Collectors. The disadvantage of this approach is that the Customer needs to deploy a Load Balancer. However,

During normal operations:

• Logs sent to the Load Balancer are distributed among the Collectors in the Cluster.

• FortiSIEM Supervisor node distributes event pulling and performance monitoring jobs among all Collectors in the Cluster.

If a Collector goes down, then:

• Load Balancer will skip the failed Collector and distribute logs among other Collectors.

• FortiSIEM Supervisor node will automatically re-distribute event pulling and performance monitoring jobs previously assigned to the failed Collector, to other Collectors in the Cluster.

Defining the Collector Cluster is here, and for AWS, here.

Steps to set up Load Balancer in Azure are here, and for GCP, here.

Search Field Analytics

When an Analytics Search result spans multiple pages, it is difficult to know the values and their frequency for a Query result field, without scrolling multiple pages.

In this release, the Top and Bottom 100 values for each display field (other than Date fields and Raw Event Log, see instructions for more information on some exceptions) are shown in a separate left pane next to the Query result. User can also select one or more values and see the related search results and the trends for selected values. This feature enables the user to quickly sharpen the Search results for creating effective rules and reports.

This feature is available for ClickHouse based deployments only. Instructions on how to use this feature is here.

Custom SIGMA Rule Import

FortiSIEM already includes many SIGMA security rules as described here. However, the SIGMA rules change frequently. This release enables you to import a new SIGMA rule from the FortiSIEM GUI. FortiSIEM will automatically convert the SIGMA rule format to FortiSIEM Rule format. It is always advisable to check the correctness of the imported rule and test the rule before deploying.

You can import in one of 3 ways:

• By providing the URL for the SIGMA Rule.

• By uploading a SIGMA Rule file.

• By typing in a rule in SIGMA YAML file format as specified here.

Instructions on how to import a SIGMA Rule is here.

Key Enhancements

• Rocky Linux Update

• Enhanced Host and User Risk Scoring

• Increase Non-aggregated Search Result limit up to 1 Million (ClickHouse only)

• Enable FortiSIEM 500G Hardware Appliance to run as a ClickHouse Keeper

• GUI Improvements

• FortiAI (previously Fortinet Advisor) Improvements

• Support for 34 Additional External Threat Intelligence Sources

• Miscellaneous Enhancements

Rocky Linux Update

This release updates FortiSIEM OS to Rocky Linux OS 8.10 and includes fixes and enhancements until May 30, 2024. Details can be found at https://rockylinux.org/news/rocky-linux-8-10-ga-release. FortiSIEM Rocky Linux Repositories (os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs-r8.fortisiem.fortinet.com) have also been updated to include Rocky Linux 8.10. FortiSIEM customers in versions 6.4.1 and above, can upgrade their Rocky Linux versions by following the FortiSIEM OS Update Procedure.

Enhanced Host and User Risk Scoring

The current Risk scoring framework is enhanced by including Incident Rarity, which captures how often an incident happens in the network. Rare incidents contribute more towards the risk score than frequent incidents. Other factors in the Risk score are Incident Severity, Incident Resolution and Asset Criticality.

Both Device and Host Risk Scores are calculated and displayed in the GUI when a host and user information are displayed. Case Risk score is shown in the Cases page. A Risk explanation is also provided. The Incidents > Risk page is also updated to show this information.

Increase Non-aggregated Search Result limit up to 1 Million (ClickHouse only)

Currently, up to 100K results can be displayed in the GUI and exported as CSV files. This limit is increased to 1 million for ClickHouse based deployments. This feature needs at least 32GB of RAM in Supervisor.

Enable FortiSIEM 500G Hardware Appliance to run as a ClickHouse Keeper

Currently, only FortiSIEM 2000F, 2000G, 2200G, 3500F, 3500G, and 3600G hardware appliances can be run as a Worker node and deployed as ClickHouse Keeper. These appliances have a large amount of storage and compute resources that a ClickHouse Keeper node does not need. This release enables you to deploy a FortiSIEM 500G hardware appliance as a stand-alone ClickHouse Keeper node.

To do this, install FortiSIEM 500G appliance as a FortiSIEM Worker node and add to ClickHouse Keeper cluster.

GUI Improvements

This release provides several GUI improvements:

• Vertical Slide in for CMDB pages.

• Threat Analysis tab on the Incident detail slide in . This includes automated analysis of an IOC (IP, Domain, URL, Hash) based on External Threat Intel sources, including FortiGuard IOC Lookup, VirusTotal, configured Resources > Malware IP/Domain/URL/Hash, FortiSIEM Incidents, Watch Lists, Fortinet GeoDB and Whois Information.

• Risk Score display for Hosts and Users throughout the GUI.

• Threat Analysis Result display throughout GUI for IP, Domain, URL and Hash fields.

• Redesigned Risk page.

• Improved PDF Reports – charts and tables.

• Fortinet Advisor - Ability to clear old conversations and show anonymized OpenAI requests before sending out to OpenAI.

• Allow Osquery execution from CMDB and add a device filter on the Resources Osquery section.

FortiAI (previously Fortinet Advisor) Improvements

This release provides more use cases to use Generative AI to respond to the following SOC questions:

• Get Incidents involving specific IP, host, user, domain in the last 1 day.

• Tell me what you know about a specific IP, host, user, domain.

• What is the health of specific IP, host, user based on Incidents seen in the last 1 day

• Elaborate on Incident <id> and give me details about the entities involved.

• Get more details about a CVE ID.

• Are there are any logs or Incidents related to a specific CVE in my environment?

Support for 34 Additional External Threat Intelligence Sources

IP Threat Feeds:

1. Blocklist DE - https://lists.blocklist.de/lists/all.txt

2. C2 Tracker - https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/all.txt

3. CINS Score blacklist - https://cinsscore.com/list/ci-badguys.txt

4. Cisco Talos blacklist - http://www.talosintelligence.com/documents/ip-blacklist
   

5. Firehol Github based feed - https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset

6. Greensnow blocklist - https://blocklist.greensnow.co/greensnow.txt

7. IPSum threat Intelligence - https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt

8. Proofpoint compromised IP - https://rules.emergingthreats.net/blockrules/compromised-ips.txt

9. Snort IP blocklist - https://snort.org/downloads/ip-block-list
   

10. Abuse.ch Botnet C2 IP Blacklist - https://sslbl.abuse.ch/blacklist/sslipblacklist.txt

11. DigitalSide Threat-Intel IPs - https://osint.digitalside.it/Threat-Intel/lists/latesturls.txt

12. MISP IP threat feed

13. FortiSOAR IP threat feed

14. OpenCTI Threat Intel framework via STIXV2

15. FortiRecon Malware IP

URL Threat Feeds:

1. OpenPhish threat URLs - https://openphish.com/feed.txt

2. Abuse.ch - https://threatfox.abuse.ch/export/csv/urls/recent/

3. Tweetfeed.live IOCs shared by the infosec community at Twitter

   1. (Today) https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv

   2. (Last week) https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv

4. DigitalSide Threat-Intel URLs - https://osint.digitalside.it/Threat-Intel/lists/latesturls.txt

5. MISP URL threat feed

6. FortiSOAR URL threat feed

7. OpenCTI Threat Intel framework via STIXV2

8. FortiRecon Malware URL

Domain Threat Feeds:

1. Cert.PL Phishing Domains - https://hole.cert.pl/domains/domains.csv

2. DigitalSide Threat-Intel DNS - https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt

3. MISP Domain threat feed

4. FortiSOAR Domain threat feed

5. OpenCTI Threat Intel framework via STIXV2

6. FortiRecon Malware Domain

Hash Threat Feeds:

1. Abuse.ch SHA256 hashes - https://bazaar.abuse.ch/export/txt/sha256/recent/

2. MISP Hash threat feed

3. FortiSOAR Hash threat feed

4. OpenCTI Threat Intel framework via STIXV2

5. FortiRecon Malware Hash

Miscellaneous Enhancements

• API
• Rules and Reports

API

1. REST API /phoenix/rest/watchlist/all/summary to list all Watchlist IDs

2. REST API /phoenix/rest/agentStatus/v2/all to return all agent status

Rules and Reports

Changes to Rules and Reports from FortiSIEM 7.1.0 to FortiSIEM 7.2.0 are provided as .csv files

See here for rule changes.

See here for report changes.

External Log Source Integration

1. Generic Support for Webhooks for importing logs. Earlier releases would accept only webhooks with basic authentication using a strict set of POST parameters. This release expands to a generic solution. Any application or SaaS product that supports push events/notifications via Webhooks can utilize this method to send data to FortiSIEM. See here.

2. Updated GitHub support using Webhook. See here.

3. Updated GitLab support using Webhook. See here.

4. Updated Atlassian Beacon support using Webhook. See here.

5. Akamai Support. See here.

6. Mimecast API Support. See here.

7. MS SQL Server 2022 Support. See here.

8. Eliminate the need for SNMP/WMI/OMI for JDBC Monitoring

9. Update Sysmon to v14.13

10. New reports for GCP VM and Firewall related events

    1. GCP: Set Machine Type

    2. GCP: Set Tag Activity

    3. GCP: VM Start Activity

    4. GCP: VM Stop Activity

    5. GCP: Firewall Allowed Traffic Details

    6. GCP: Firewall Denied Traffic Details

11. FortiPAM Device Support. See here.

Bug Fixes

This release includes all the bug fixes for 7.1.6. In addition, the following issues are resolved.

Bug ID	Severity	Module	Description
1029792	Minor	App Server	OpenCTI Threat Feed integration via STIX/TAXII is not working.
1012458	Minor	App Server	After disabling Disaster Recovery in (High Availability + Disaster Recovery) environment, the Secondary node would show duplicated Supervisor node in Admin > Cloud Health.
979524	Minor	App Server	LDAP Discovery missing certain groups in certain AD environment.
876788	Minor	App Server	Data obfuscation of custom attribute results in errors in Analytics page.
906336	Minor	Data Manager	Online Data Display sometimes shows multiple Supervisors.
1034161	Minor	Data work	For 4625 and 4771 windows security events, - -success and -failure gets appended to event type.
1033622	Minor	Data work	Report Bundle may not always show same results as Adhoc Reports from Analytics page.
1005257	Minor	Data work	One FortiGate Event (logid="0103020300") fails to be parsed.
1004458	Minor	Data work	Rule '\Office365: Mailbox SendAs or SendOnBehalf has occurred' not functioning as intended.
999336	Minor	Data work	Windows event 4740 parsing is case-sensitive. Some unusual windows server condition results in log channel values being in lower case rather than pascal case.
995788	Minor	Data work	Rule 'Successful Windows Dormant Account Logon' does not trigger.
993844	Minor	Data work	Rule 'Windows: External Remote SMB Logon from Public IP' triggered by server's own IPv6 address.
991684	Minor	Data work	Ransomware detected rule triggers falsely during Windows Update.
987200	Minor	Data work	"Threat Detection" event types from CiscoAMPStream fail to parse due to bp_data field having a very long value.
982483	Minor	Data work	FortiWeb event name does not match with FortiWeb log message reference id 10000017 and 11005901.
992462	Minor	Discovery	Onboarding Oracle Acme Packet Controller scz9.1.0 device via SSH fails with “Wrong Protocol Data”.
982101	Minor	Discovery	FGT recompute security posture report is not always returned as FortiSIEM requests this data to be generated every time.
985943	Minor	Event Pulling Agents	JDBC event pulling times out error for large tables.
1002849	Minor	GUI	[ClickHouse] Online Data displayed starting 1 day before the oldest data available in ClickHouse DB.
995861	Minor	GUI	Baseline rules > Step 3: Incident definition shows attribute type mismatch.
995642	Minor	GUI	Incident Title allows to save '.' even when incident definition is backed out and rule is resaved.
991653	Minor	GUI	Subpattern filter is disabled when viewing Incident details - Triggering Events tab for the first time.
976014	Minor	Parser	SFLOW packets not parsed because of unsupported BCM counter type and IPv6.
989058	Minor	Performance Monitoring	Checkpoint FW Network Interface Monitoring does not support with Real Interfaces.
932787	Minor	Performance Monitoring	In Synthetic Transaction Monitoring, HTTP type doesn't work for the response codes 3xx, 4xx, and 5xx.
818860	Minor	Performance Monitoring	Net Intf Stat missing for Cisco ASR 1000 switch.
1002448	Minor	phMonitor	phMonitor crashes when file permission for httpd.conf differs than what is expected.
954599	Minor	Query	LookupTableGet is missed in Group BY in Query XML when it is Before Last(Event Receive Time).
954731	Minor	Rule	Global constraint using simple function in rule is not working properly.
1010184	Minor	System	Unused events_non_replicated table may prevent ClickHouse from restarting - this table should be cleaned up.
938659	Minor	System	Worker upgrade may fail when Supervisor's license is renewed, but workers had expired license.
1016411	Enhancement	App Server	Deleting CMDB Device is slow.
1008053	Enhancement	App Server	HTTP to HTTPS redirect exposing URLs along with http protocol/method in access logs.
995771	Enhancement	App Server	Org admin user cannot change the report logo from Settings > UI.
970039	Enhancement	App Server	For Disaster recovery, monitor Secondary Supervisor health from Primary Supervisor GUI.
1011352	Enhancement	Data work	Fail to parse Dell Nseries switches Raw Events.
1008784	Enhancement	Data work	Cyxtera Parser - events are being parser as unknown.
1004260	Enhancement	Data work	FortiDeceptor eventFormatRecognizer does not pickup the devid for VMs.
1002977	Enhancement	Data work	Some Unix logs not recognized.
990592	Enhancement	Data work	Parser Update for RSAAuthenticationServerParser.
989000	Enhancement	Data work	Some Aruba ClearPass Policy Manager events not parsed.
988034	Enhancement	Data work	Some Cisco FirePower threat defence events are not parsed.
987122	Enhancement	Data work	Cisco Firepower Management Center events not parsed.
987108	Enhancement	Data work	Some of the events received from Palo Alto Firewall are not parsed.
984778	Enhancement	Data work	Logs received from FortiDeceptor through FAZ on FortiSIEM are showing as 'Unknown_EventType'.
978121	Enhancement	Data work	Parser Enhancements required for Cisco Firepower Defense Parser.
959604	Enhancement	Data work	Some TippingPoint SMS Events failing to be parsed.
952101	Enhancement	Data work	Added parser and event types for Microsoft Graph List Risky Users API.
927787	Enhancement	Discovery	Discovering FortiGate using DNS first name resolution will set hostname to _gateway if the FortiGate is the default gateway of discovery node.
1006187	Enhancement	Event Pulling Agents	Enable API token for GitHub Device Support.
572554	Enhancement	Event Pulling Agents	Easily support defining AWS CloudWatch multiple log streams by enabling wildcards in the logStream field of the AWS CloudWatch credential.
1030134	Enhancement	GUI	Rules with numbers as sub-pattern names causes rule editing problems for the target rule.
1000173	Enhancement	GUI	Increase the font size of table and chart legends in PDF reports.
997065	Enhancement	GUI	User scope rules do not contain a hyperlink to the MITRE technique like system scope rules have.
992653	Enhancement	GUI	Disable the ability to modify User Idle Timeout. Currently hard coded to 15 minutes for Security purposes.
992253	Enhancement	GUI	When adding an Incident to a Closed Case, show error message and ask user to reopen the Case first.
973026	Enhancement	GUI	PG_WAL file size monitoring needs to be added to Health > Replication health.
969929	Enhancement	GUI	After configuring AWS S3 archive, tell user to go to Admin > Settings > Database > ClickHouse Config and click Test and Deploy.
696734	Enhancement	GUI	Allow Import/Export and Bulk Delete of Resources > Networks.
987571	Enhancement	Parser	Parse the Group Security ID in Windows Security Event 4732 and 4728.
1008125	Enhancement	Query	Unable to use Expressions inside LookupTable functions.
1007180	Enhancement	Query	Unable to query TO_LOWER / TO_UPPER / REPLACE(user) IN/NOT IN CMDB_GROUP.
960316	Enhancement	Query	Remove the log 'Summary data missing attribute custId' as there is no impact.
995155	Enhancement	System	Elasticsearch To ClickHouse Conversion tool: Enhance phExportESEventToClickHouse to provide a --retentionDays option.
938676	Enhancement	System	Provide a very clear, actionable error message when download upgrade image fails on collector.
1017189	Enhancement	Windows Agent	For Windows User log file monitoring, Wildcard is not supported for system files.

Important Considerations

• PostGreSQL v13.14 Update

• Post-Upgrade ClickHouse IP Index Rebuilding

PostGreSQL v13.14 Update

FortiSIEM 7.2.0 includes PostGreSQL v13.14 containing the patch for CVE-2024-0985.

• If you are doing a fresh install of FortiSIEM 7.2, then the patch is included and there is nothing to do.

• If you are upgrading to FortiSIEM 7.2, then the patch is included and there is nothing to do.

• If you want to remain on FortiSIEM 7.1.4 or earlier, then you can't get this patch by running yum upgrade, since Postgres changed the repo gpg key as per this change
  (https://yum.postgresql.org/news/pgdg-rpm-repo-gpg-key-update/). To get this Postgres patch, on the Supervisor, run the following script:

curl -s https://os-pkgs-cdn.fortisiem.fortinet.com/postgres/misc/switch-pgdg-repo-and-upgrade-to-pg13.14.sh | bash -xe

Post-Upgrade ClickHouse IP Index Rebuilding

If you are upgrading ClickHouse based deployment from pre-7.1.1 to 7.2.0, then after upgrading to 7.2.0, you need to run a script to rebuild ClickHouse indices. If you are running 7.1.2, 7.1.3, 7.1.4, 7.1.5 or 7.1.6, and have already executed the rebuilding steps, then nothing more needs to be done.

For details about this issue, see Release Notes 7.1.3 Known Issue.

The rebuilding steps are available in Release Notes 7.1.4 - Script for Rebuilding/Recreating pre-7.1.1 ClickHouse Database Indices Involving IP Fields.

Implementation Notes and Known Issues

1. For Service Provider deployments, Automation Policies (formerly known as Notification policy) may be executed for incidents that do not meet the policy definition.
   

   If using Service Provider mode, before newly deploying or upgrading, please contact support to obtain the necessary patch. If FortiSIEM has already been newly deployed or upgraded to FortiSIEM 7.2.0, please contact support to apply the patch as soon as possible.
   

2. If you have FortiSIEM Windows/Linux Agents reporting through Collectors and you decide to form a HA Collector Group with those Collectors, then you need to add all the Collectors in the HA Group to Admin > Setup > Windows Agent > Host to Template Associations and click Apply.

3. If you add a new Collector to an existing HA Collector Group, then the new Collector must be added as a Follower.

4. In Admin > Settings > Discovery > CMDB Groups, when you create a new mapping definition, the IP Range field currently only handles a single IP address.

5. If you are upgrading to 7.2.0, then please update the following entry in the /opt/phoenix/config/identityDef.xml file in Supervisor and Workers to get Identity and location entries populated for Microsoft Office365 events. Then restart IdentityWorker and IdentityMaster processes on Supervisor and Workers.
   

   Pre-7.2.0 Entry

   <identityEvent>
        <eventType>MS_OFFICE365_UserLoggedIn_Succeeded</eventType>
        <eventAttributes>
           <eventAttribute name="userId" identityAttrib="office365User" reqd="yes"/>
           <eventAttribute name="srcDomain" identityAttrib="domain" reqd="no"/>
           <eventAttribute name="srcIpAddr" identityAttrib="ipAddr" reqd="yes"/>
           <eventAttribute name="srcGeoCountry" identityAttrib="geoCountry" reqd="no"/>
           <eventAttribute name="srcGeoCountryCodeStr" identityAttrib="geoCountryCode" reqd="no"/>
           <eventAttribute name="srcGeoState" identityAttrib="geoState" reqd="no"/>
           <eventAttribute name="srcGeoCity" identityAttrib="geoCity" reqd="no"/>
           <eventAttribute name="srcGeoLatitude" identityAttrib="geoLatitude" reqd="no"/>
           <eventAttribute name="srcGeoLongitude" identityAttrib="geoLongitude" reqd="no"/>
        </eventAttributes>
     </identityEvent>
   
   

   7.2.0 Entry

   <identityEvent>
        <eventType>MS_OFFICE365_UserLoggedIn_Succeeded,MS_OFFICE365_EntraID_UserLoggedIn,MS_OFFICE365_EntraID_StsLogon_UserLoggedIn</eventType>
        <eventAttributes>
           <eventAttribute name="user" identityAttrib="office365User" reqd="yes"/>
           <eventAttribute name="srcDomain" identityAttrib="domain" reqd="no"/>
           <eventAttribute name="srcIpAddr" identityAttrib="ipAddr" reqd="yes"/>
           <eventAttribute name="srcGeoCountry" identityAttrib="geoCountry" reqd="no"/>
           <eventAttribute name="srcGeoCountryCodeStr" identityAttrib="geoCountryCode" reqd="no"/>
           <eventAttribute name="srcGeoState" identityAttrib="geoState" reqd="no"/>
           <eventAttribute name="srcGeoCity" identityAttrib="geoCity" reqd="no"/>
           <eventAttribute name="srcGeoLatitude" identityAttrib="geoLatitude" reqd="no"/>
           <eventAttribute name="srcGeoLongitude" identityAttrib="geoLongitude" reqd="no"/>
        </eventAttributes>
     </identityEvent>
   
   

6. If a Collector is part of High Availability (HA) Cluster and you want to delete the Collector, then follow these procedures.

   Case 1: If the Collector is a Follower, then follow these steps:

   1. Remove the Collector from the High Availability (HA) Collector Cluster in Admin > Settings > System > Cluster Config.

   2. Click Save.

   3. Delete the Collector from CMDB.

   Case 2: If the Collector is a Leader, then follow these steps:

   1. Make the Collector a Follower Cluster in Admin > Settings > System > Cluster Config.

   2. Click Save.

   3. Remove the Collector from the High Availability (HA) Collector Cluster in Admin > Settings > System > Cluster Config.

   4. Click Save.

   5. Delete the Collector from CMDB.

7. Collector High Availability (HA) Failover Triggers:

   • Logs are sent to a VIP in VRRP based Failover - In this case, when VRRP detects node failure, then Follower becomes a Leader and owns the VIP and events are sent to the new Leader. If a process is down on a node, then VRRP may not trigger a Failover.

   • Logs sent to Load Balancer - In this case, the Load balancing algorithm detects logs being sent to a different Collector. If a process is down on a node, then Failover may not trigger.

   • For event pulling and performance monitoring, App Server redistributes the jobs from a Collector if App Server failed to receive a task request in a 10 minute window.