
What's New in 7.2.1

This release contains the following bug fixes and known issues.

Bug Fixes

The following issues are resolved.

Bug ID | Severity | Module | Description
1047223 | Major | App Server | If multiple Windows agents are associated with a template, the template disappears if any one of the agents is uninstalled.
1046931 | Major | App Server | Case formation by aggregating incidents may fail if one Incident Title is very long.
1046177 | Major | App Server | (Service Provider Deployments) Appsvr does not correctly evaluate automation policy conditions, resulting in incorrect Incident notifications.
1047238, 1040908 | Minor | App Server | Analytics query with a custom attribute shows an "Invalid query XML" error due to duplicate custom event attributes.
1043296 | Minor | App Server | Exporting an Incident fails when Incident Detail values are null.
1040907 | Minor | App Server | An App Server error may occur during incident resolution inference processing if there are no new Incidents during a time period.
1039294 | Minor | App Server | In Admin > Settings > Discovery > CMDB Group, the IP range in a policy does not handle CIDR notation (e.g. 172.30.56.1/22), IP ranges such as 172.30.56.1-172.30.56.3, or comma-separated lists such as 172.30.56.1,172.30.56.2,172.30.56.3.
1040422 | Minor | Data work | Windows XML parser does not parse the user correctly in Security Event 4624.
1016469 | Minor | Data work | Sometimes Event Pulling API error logs are not parsed correctly by FortiSIEM; the parsed event type and event name are 5830.
1026325 | Minor | GUI | TypeError on the console when navigating to Admin > Device Support > Parsers.
1034648 | Minor | Rule | The detection rule 'Windows: Active Directory User Backdoors' has incorrect logic.
1041837 | Minor | System | Many Python IOC threat feed scripts do not parse the datetime correctly.
1037398 | Minor | Windows Agent | Sometimes Windows Agents show 'Disconnected' after a power cycle.
1037186 | Minor | Windows Agent | Double quotes are missing for some attributes in the AO-WUA-InstSw-Removed event.
1038780 | Enhancement | App Server | Validate the custId parameter for the Watchlist Summary REST API: /phoenix/rest/watchlist/all/summary.
1038267 | Enhancement | App Server | Add POST body validation for the agentStatus/v2/all REST API.
1039113 | Enhancement | Data work | Create outbreak rules and reports for the Check Point Quantum Security Gateways Information Disclosure Attack.
1037028 | Enhancement | Data work | Create outbreak rules and reports for the D-Link Multiple Devices Attack.
1035123 | Enhancement | Data work | Improve the FortiAuthenticator parser to capture the real source IP from the msg section of the log.
1033867 | Enhancement | Data work | Support HashiCorp Vault via Syslog.
1029606 | Enhancement | Data work | Create a separate FortiSandbox phishing detection rule.
1029289 | Enhancement | Data work | Remove the double quotes from the user attribute when parsing NetScreen events.
1029153 | Enhancement | Data work | Enhance the FortiNDR parser to include missing On-Prem fields.
1028529 | Enhancement | Data work | WinOSWmiParser does not parse the msg field in Security EventID 364.
1035107 | Enhancement | GUI | Too much blank space in the exported PDF report when there are no charts in the report template.
1033132 | Enhancement | Performance Monitoring | Support Citrix SD-WAN link status monitoring via SNMP.

Important Considerations

PostgreSQL v13.14 Update

FortiSIEM 7.2.1 includes PostgreSQL v13.14, which contains the patch for CVE-2024-0985.

  • If you are doing a fresh install of FortiSIEM 7.2.1, then the patch is included and there is nothing to do.

  • If you have upgraded to FortiSIEM 7.1.5 or later, then the patch is included and there is nothing to do.

  • If you want to remain on FortiSIEM 7.1.4 or earlier, then you cannot get this patch by running yum upgrade, because Postgres changed the repository GPG key (see https://yum.postgresql.org/news/pgdg-rpm-repo-gpg-key-update/). To get this Postgres patch, run the following script on the Supervisor:

curl -s https://os-pkgs-cdn.fortisiem.fortinet.com/postgres/misc/switch-pgdg-repo-and-upgrade-to-pg13.14.sh | bash -xe

Post-Upgrade ClickHouse IP Index Rebuilding

If you are upgrading a ClickHouse-based deployment from pre-7.1.1 to 7.2.1, then after upgrading to 7.2.1 you need to run a script to rebuild the ClickHouse indices. If you are running 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, or 7.2.0 and have already executed the rebuilding steps, then nothing more needs to be done.

For details about this issue, see Release Notes 7.1.3 Known Issue.

The rebuilding steps are available in Release Notes 7.1.4 - Script for Rebuilding/Recreating pre-7.1.1 ClickHouse Database Indices Involving IP Fields.

Implementation Notes and Known Issues

  1. If you have FortiSIEM Windows/Linux Agents reporting through Collectors and you decide to form an HA Collector Group with those Collectors, then you need to add all the Collectors in the HA Group to Admin > Setup > Windows Agent > Host to Template Associations and click Apply.

  2. If you add a new Collector to an existing HA Collector Group, then the new Collector must be added as a Follower.

  3. If you are upgrading to 7.2.1, then update the following entry in the /opt/phoenix/config/identityDef.xml file on the Supervisor and Workers so that Identity and location entries are populated for Microsoft Office365 events. Then restart the IdentityWorker and IdentityMaster processes on the Supervisor and Workers.

    Pre-7.2.1 Entry

    <identityEvent>
       <eventType>MS_OFFICE365_UserLoggedIn_Succeeded</eventType>
       <eventAttributes>
          <eventAttribute name="userId" identityAttrib="office365User" reqd="yes"/>
          <eventAttribute name="srcDomain" identityAttrib="domain" reqd="no"/>
          <eventAttribute name="srcIpAddr" identityAttrib="ipAddr" reqd="yes"/>
          <eventAttribute name="srcGeoCountry" identityAttrib="geoCountry" reqd="no"/>
          <eventAttribute name="srcGeoCountryCodeStr" identityAttrib="geoCountryCode" reqd="no"/>
          <eventAttribute name="srcGeoState" identityAttrib="geoState" reqd="no"/>
          <eventAttribute name="srcGeoCity" identityAttrib="geoCity" reqd="no"/>
          <eventAttribute name="srcGeoLatitude" identityAttrib="geoLatitude" reqd="no"/>
          <eventAttribute name="srcGeoLongitude" identityAttrib="geoLongitude" reqd="no"/>
       </eventAttributes>
    </identityEvent>

    7.2.1 Entry

    <identityEvent>
       <eventType>MS_OFFICE365_UserLoggedIn_Succeeded,MS_OFFICE365_EntraID_UserLoggedIn,MS_OFFICE365_EntraID_StsLogon_UserLoggedIn</eventType>
       <eventAttributes>
          <eventAttribute name="user" identityAttrib="office365User" reqd="yes"/>
          <eventAttribute name="srcDomain" identityAttrib="domain" reqd="no"/>
          <eventAttribute name="srcIpAddr" identityAttrib="ipAddr" reqd="yes"/>
          <eventAttribute name="srcGeoCountry" identityAttrib="geoCountry" reqd="no"/>
          <eventAttribute name="srcGeoCountryCodeStr" identityAttrib="geoCountryCode" reqd="no"/>
          <eventAttribute name="srcGeoState" identityAttrib="geoState" reqd="no"/>
          <eventAttribute name="srcGeoCity" identityAttrib="geoCity" reqd="no"/>
          <eventAttribute name="srcGeoLatitude" identityAttrib="geoLatitude" reqd="no"/>
          <eventAttribute name="srcGeoLongitude" identityAttrib="geoLongitude" reqd="no"/>
       </eventAttributes>
    </identityEvent>

  4. If a Collector is part of High Availability (HA) Cluster and you want to delete the Collector, then follow these procedures.

    Case 1: If the Collector is a Follower, then follow these steps:

    1. Remove the Collector from the High Availability (HA) Collector Cluster in Admin > Settings > System > Cluster Config.

    2. Click Save.

    3. Delete the Collector from CMDB.

    Case 2: If the Collector is a Leader, then follow these steps:

    1. Make the Collector a Follower in Admin > Settings > System > Cluster Config.

    2. Click Save.

    3. Remove the Collector from the High Availability (HA) Collector Cluster in Admin > Settings > System > Cluster Config.

    4. Click Save.

    5. Delete the Collector from CMDB.

  5. Collector High Availability (HA) Failover Triggers:

    • Logs are sent to a VIP in VRRP-based Failover - In this case, when VRRP detects a node failure, the Follower becomes the Leader, owns the VIP, and events are sent to the new Leader. If only a process is down on a node, VRRP may not trigger a Failover.

    • Logs are sent to a Load Balancer - In this case, the load balancing algorithm detects the failure and sends logs to a different Collector. If only a process is down on a node, a Failover may not trigger.

    • For event pulling and performance monitoring, the App Server redistributes the jobs from a Collector if the App Server fails to receive a task request from it within a 10 minute window.
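The identityDef.xml change in note 3 above is easy to get wrong by hand on several Supervisor and Worker nodes. The following added example (not FortiSIEM code) parses a copy of the file, reports whether the Office365 identityEvent is still in the pre-7.2.1 form, and rewrites it to the 7.2.1 form (extended eventType list, userId renamed to user). The root element name identityDef and the trimmed sample XML are constructed assumptions; point the functions at the real /opt/phoenix/config/identityDef.xml contents on your own nodes.

```python
"""Check and update the Office365 identityEvent entry for FortiSIEM 7.2.1.
Added example, not FortiSIEM code; the sample XML below is constructed."""
import xml.etree.ElementTree as ET

O365_LOGIN = "MS_OFFICE365_UserLoggedIn_Succeeded"
# eventType value of the 7.2.1 entry, as given in the release notes
NEW_EVENT_TYPES = (
    "MS_OFFICE365_UserLoggedIn_Succeeded,"
    "MS_OFFICE365_EntraID_UserLoggedIn,"
    "MS_OFFICE365_EntraID_StsLogon_UserLoggedIn"
)

# Constructed sample: a minimal identityDef.xml holding the pre-7.2.1 entry.
# Root element name is an assumption; the real file has more entries.
SAMPLE_PRE_721 = """<identityDef>
  <identityEvent>
    <eventType>MS_OFFICE365_UserLoggedIn_Succeeded</eventType>
    <eventAttributes>
      <eventAttribute name="userId" identityAttrib="office365User" reqd="yes"/>
      <eventAttribute name="srcIpAddr" identityAttrib="ipAddr" reqd="yes"/>
    </eventAttributes>
  </identityEvent>
</identityDef>"""


def find_o365_entry(root):
    """Return the identityEvent whose eventType list contains the O365 login type."""
    for ev in root.iter("identityEvent"):
        types = (ev.findtext("eventType") or "").split(",")
        if O365_LOGIN in (t.strip() for t in types):
            return ev
    return None


def needs_update(xml_text):
    """True if the entry is missing or still in the pre-7.2.1 form."""
    ev = find_o365_entry(ET.fromstring(xml_text))
    if ev is None:
        return True
    types = [t.strip() for t in ev.findtext("eventType").split(",")]
    user_attr = ev.find(
        "eventAttributes/eventAttribute[@identityAttrib='office365User']")
    return (types != NEW_EVENT_TYPES.split(",")
            or user_attr is None or user_attr.get("name") != "user")


def apply_721_entry(xml_text):
    """Return the XML with the entry rewritten to the 7.2.1 form."""
    root = ET.fromstring(xml_text)
    ev = find_o365_entry(root)
    if ev is None:
        raise ValueError("no Office365 identityEvent found")
    ev.find("eventType").text = NEW_EVENT_TYPES
    for attr in ev.iter("eventAttribute"):
        if attr.get("identityAttrib") == "office365User":
            attr.set("name", "user")  # userId -> user
    return ET.tostring(root, encoding="unicode")
```

After writing the result back, restart IdentityWorker and IdentityMaster as note 3 requires; the rewrite only covers the entry the release notes describe.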
