What's New in 7.2.2

This release contains the following features, enhancements, and bug fixes.

New Features

Raw Event Size based Licensing

This release supports a new licensing scheme for on-premises VM based deployments. The license is based on:

  • Total Raw event size per day (GB/Day)
  • Number of Agents
  • Number of UEBA Agents
  • FortiGuard IOC

Important Notes:

  1. Up to 11 license violations are allowed in a rolling 30-day window. After that, the Analytics and Dashboard pages are disabled for 1 day.
  2. Under this scheme there is no device or events-per-second (EPS) limit: users can have as many devices and as much EPS as their deployed hardware supports, as long as the Total Raw event size per day (GB/Day) limit is not exceeded.
  3. If a device was marked Unmanaged under the previous device- and EPS-based license, then after applying the new GB/Day license you must re-discover the device as Managed for it to become managed again.
  4. To apply this new license type, obtain a new license from FortiCare and upload it to the FortiSIEM Supervisor, following the normal license procedure.
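The violation rule above is a sliding-window count, so it is worth being able to compute it yourself from daily ingestion totals before the product does. The following is an added Python example, not FortiSIEM code: it takes a date-to-GB map of daily raw event volume, lists the days over the license limit, and reports the dates on which a 12th violation falls inside any 30-day window (the reading of "11 violations allowed" used here), plus the remaining headroom. The 200 GB/Day limit and the 40-day sample series are constructed.

```python
from datetime import date, timedelta

LICENSE_GB_PER_DAY = 200.0   # constructed limit; take the real figure from your license
ALLOWED_VIOLATIONS = 11      # from the release notes: 11 violations per rolling 30-day window
WINDOW_DAYS = 30

# Constructed sample: 40 days of daily raw-event totals, the first 12 of them over the limit.
SAMPLE_DAILY_GB = {
    date(2024, 7, 1) + timedelta(days=i): (250.0 if i < 12 else 150.0) for i in range(40)
}


def violation_days(daily_gb, limit_gb):
    """daily_gb maps a date to raw GB ingested that day; return the dates over the limit."""
    return sorted(d for d, gb in daily_gb.items() if gb > limit_gb)


def lockout_dates(daily_gb, limit_gb, allowed=ALLOWED_VIOLATIONS, window=WINDOW_DAYS):
    """Dates on which the violation count in the trailing `window` days (that date
    included) exceeds `allowed`.  This reads the note as: the 12th violation within
    any 30-day rolling window is what triggers the 1-day Analytics/Dashboard lockout."""
    viol = violation_days(daily_gb, limit_gb)
    out = []
    for i, d in enumerate(viol):
        window_start = d - timedelta(days=window - 1)
        in_window = sum(1 for v in viol[:i + 1] if v >= window_start)
        if in_window > allowed:
            out.append(d)
    return out


def headroom(daily_gb, limit_gb, as_of=None, allowed=ALLOWED_VIOLATIONS, window=WINDOW_DAYS):
    """How many violations remain before lockout in the window ending on `as_of`
    (defaults to the latest day in the data)."""
    as_of = as_of or max(daily_gb)
    window_start = as_of - timedelta(days=window - 1)
    used = sum(1 for d, gb in daily_gb.items() if window_start <= d <= as_of and gb > limit_gb)
    return {"violations_in_window": used, "remaining": max(0, allowed - used)}


if __name__ == "__main__":
    print(lockout_dates(SAMPLE_DAILY_GB, LICENSE_GB_PER_DAY))
    print(headroom(SAMPLE_DAILY_GB, LICENSE_GB_PER_DAY))
```

Feed it the daily raw-size figures FortiSIEM reports for your deployment to get an early warning before the Analytics and Dashboard pages are disabled.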

Exporting QRadar Logs to FortiSIEM

This release provides a script that can be used to export logs from IBM QRadar SIEM to FortiSIEM. The script connects to the QRadar SIEM via API on port 443 and collects raw logs along with the Reporting Device IP or Host Name and the time at which the log was received in QRadar. The script then sends the logs to a FortiSIEM Collector via HTTPS POST. The Collector parses the logs as if they were directly received from the external device and stores them in FortiSIEM.

For details, see the FortiSIEM documentation on exporting QRadar logs.
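The pipeline described above (pull raw events from QRadar over its REST API on 443, POST them to a FortiSIEM Collector over HTTPS), written as an added Python example; this is not Fortinet's script. The QRadar side uses the Ariel search API as it exists (create a search, poll its status, page results with the Range header) and the AQL functions UTF8(payload) and LOGSOURCENAME(logsourceid) to carry the raw log, the reporting device and the QRadar receive time. The Collector URL and the JSON record shape are assumptions, since this page does not give them; the hostnames and the SEC token are placeholders. The transport is injectable so the mapping can be exercised offline.

```python
import json
import time
import urllib.parse
import urllib.request

# Constructed placeholders: replace with your QRadar console and an authorized service token
# (a read-only one is enough for Ariel searches).
QRADAR_BASE = "https://qradar.example.com/api"
QRADAR_SEC_TOKEN = "REPLACE-WITH-AUTHORIZED-SERVICE-TOKEN"
# Assumed Collector endpoint: the path Fortinet's script posts to is not given on this page.
COLLECTOR_URL = "https://collector.example.com/api/qradar-import"
PAGE_SIZE = 1000

# Ariel query: raw payload, reporting device (log source name), source IP and the time
# QRadar received the event.  START/STOP take epoch milliseconds.
AQL_FIELDS = ("UTF8(payload) AS raw, LOGSOURCENAME(logsourceid) AS reporter, "
              "sourceip AS src_ip, starttime AS received_ms")


def build_aql(start_ms, end_ms):
    return f"SELECT {AQL_FIELDS} FROM events START {start_ms} STOP {end_ms}"


def qradar_request(method, path, headers=None, data=None):
    """One authenticated call to the QRadar REST API; urllib verifies the TLS certificate."""
    req = urllib.request.Request(QRADAR_BASE + path, data=data, method=method)
    req.add_header("SEC", QRADAR_SEC_TOKEN)
    req.add_header("Accept", "application/json")
    for k, v in (headers or {}).items():
        req.add_header(k, v)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read().decode("utf-8"))


def run_ariel_search(aql, poll_seconds=2):
    """Create an Ariel search, wait for it to finish and return its search_id."""
    qs = urllib.parse.urlencode({"query_expression": aql})
    sid = qradar_request("POST", f"/ariel/searches?{qs}")["search_id"]
    while True:
        status = qradar_request("GET", f"/ariel/searches/{sid}")["status"]
        if status == "COMPLETED":
            return sid
        if status in ("CANCELED", "ERROR"):
            raise RuntimeError(f"Ariel search {sid} ended with status {status}")
        time.sleep(poll_seconds)


def fetch_results(sid):
    """Page through the result set with the Range header instead of one huge GET."""
    offset = 0
    while True:
        page = qradar_request("GET", f"/ariel/searches/{sid}/results",
                              headers={"Range": f"items={offset}-{offset + PAGE_SIZE - 1}"})
        events = page.get("events", [])
        yield from events
        if len(events) < PAGE_SIZE:
            return
        offset += PAGE_SIZE


def to_collector_batch(events):
    """Map Ariel rows to the record shape POSTed to the Collector (assumed shape).
    Rows without a payload are dropped: there is nothing for the Collector's parser to parse."""
    batch = []
    for ev in events:
        raw = ev.get("raw")
        if not raw:
            continue
        batch.append({
            "reportingDevice": ev.get("reporter") or ev.get("src_ip"),
            "receivedTime": int(ev.get("received_ms") or 0),
            "rawEvent": raw,
        })
    return batch


def post_to_collector(batch, send=None):
    """POST one JSON batch.  `send(url, body)` is injectable so this runs without a network."""
    body = json.dumps({"events": batch}).encode("utf-8")
    if send is None:
        def send(url, payload):
            req = urllib.request.Request(url, data=payload, method="POST",
                                         headers={"Content-Type": "application/json"})
            with urllib.request.urlopen(req, timeout=60) as resp:
                return resp.status
    return send(COLLECTOR_URL, body)


def export_window(start_ms, end_ms, send=None):
    """End to end: search the time window in QRadar and ship it to the Collector."""
    sid = run_ariel_search(build_aql(start_ms, end_ms))
    batch = to_collector_batch(fetch_results(sid))
    return post_to_collector(batch, send) if batch else None
```

Run export_window over fixed windows (for example one hour at a time) so each Ariel search stays small and a failed POST can be retried for that window only. Both urllib calls verify server certificates by default; do not disable that to work around a self-signed Collector certificate, install its CA instead.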

Enhancements

Dashboard Query Optimization (for ClickHouse)

Before this release, every time a user visits a Dashboard, a separate query is run for each report in that dashboard, for ClickHouse, Elasticsearch and EventDB based deployments alike. This can result in too many queries being submitted to the event database.

This release adds an optimization for ClickHouse based deployments. Query results are cached, and users visiting a dashboard are shown the cached results when they are available. The caching duration is the refresh interval defined for the Dashboard report; in this release, the minimum refresh interval is 5 minutes.

The following queries are not cached:

  1. CMDB Report Queries
  2. Absolute Time Range Queries

Rocky Linux Update

This release updates the FortiSIEM OS to Rocky Linux 8.10 and includes fixes and enhancements released up to July 15, 2024. Details can be found at https://rockylinux.org/news/rocky-linux-8-10-ga-release. The FortiSIEM Rocky Linux repositories (os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs-r8.fortisiem.fortinet.com) have also been updated to include Rocky Linux 8.10. FortiSIEM customers on 6.4.1 and later can upgrade their Rocky Linux version by following the FortiSIEM OS Update Procedure.

Bug Fixes

The following issues are resolved.

Bug ID | Severity | Module | Description
1052724 | Major | App Server | LDAP Re-discovery will remove externally authenticated users from FortiSIEM Analysts Group.
1063551 | Minor | App Server | For an external authentication user, FortiSIEM role is not enforced correctly after upgrade to 7.1.7 or higher.
1056534 | Minor | App Server | HTTP Incident notification delivery obfuscates raw events in XML automatically.
1059078 | Minor | App Server | CMDB report using custom user defined properties does not work.
1059053 | Minor | App Server | Rule sync error happens for user defined rule involving lookup table.
1054941 | Minor | App Server | SQL query statement is incorrectly escaped in Performance Object Definition page.
1052883 | Minor | App Server | PostgreSQL may throw shared memory error if there are Incidents over 1 year old.
1051271 | Minor | App Server | Failed to export CMDB report 'Rules with Exceptions' to both PDF and CSV.
1050861 | Minor | App Server | Skip invalid data types from being added as an IOC to a malware list.
1047662 | Minor | App Server | Upgrade overwrites user modified Rule Severity.
1045942 | Minor | App Server | Parentheses in filter not saved correctly in reports/rules.
1045541 | Minor | App Server | Cannot use special characters in Host Name field on CMDB Group Definition page (Admin > Settings > Discovery > CMDB Groups).
1013450 | Minor | App Server | PAYG Report throws array out of bounds on report completion.
921322 | Minor | App Server | Unable to configure FortiGuard Connectivity via Proxy without FortiGuard IOC License.
1037081 | Minor | ClickHouse | Need to slow down ClickHouse insertion attempts when ClickHouse insertion fails. Otherwise, too many ClickHouse data parts may be generated, and the table may become read only.
1032484 | Minor | ClickHouse Backend | Retry interval for ClickHouse data insertion failure is too short.
1059077 | Minor | Data Work | The Rule "Uncommon Windows process via Sysmon" definition is incorrect with respect to LookupTable mappings.
1043134 | Minor | Data Work | Notification Action Time in GitHubWebhooksJson event is not parsed correctly.
883182 | Minor | Data Work | FortiSIEM FortiEDR Dashboard doesn't display information correctly.
1038259 | Minor | Discovery | Discovery of large vCenter environment failing for 19k+ assets.
1047317 | Minor | Event Pulling Agents | Oracle DB Service name is not inserted into event when events are being pulled.
1038661 | Minor | Event Pulling Agents | Mimecast support: Update argument in SIEM API; reduce logging and better error handling.
1055340 | Minor | Generative AI | Sometimes, temporary files created by Generative AI may not be cleaned up and lead to /opt becoming full.
1047666 | Minor | Generative AI | phGenerativeAI doesn't start in a closed environment (without access to the Internet).
1053453, 1053095 | Minor | GUI | GUI does not show Rule Incident Attributes: COUNT (Matched Events), COUNT(DISTINCT <attribute>).
1042605 | Minor | GUI | Should not create a risk for a malware Domain.
1055926 | Minor | GUI | Editing the Worker during EventDB to ClickHouse migration and saving the configuration throws an invalid IPv4 address error.
1054050 | Minor | GUI | After software upgrade, GUI should show a pending content update if one exists.
1036286 | Minor | GUI | Unable to save any modification in Active Directory if the user belongs to more than one LDAP group.
1030444 | Minor | GUI | FortiSOAR Block IP Address Connector is missing IP address & Address group field.
1063250 | Minor | Linux Agent | Linux Agent sends empty device id after restart.
1035413 | Minor | REST API | For Public REST API query at /phoenix/rest/agentStatus/all, the value LastEventReceiveTime always shows 0.
1055964 | Minor | Threat Intel Integration | Python STIX 2.1 Threatfeed can sometimes fail if an invalid ip/url/domain object is encountered.
1053245 | Minor | Upgrade | Upgrade script needs to be more exact while referencing fsiem.summary table.
1049788 | Minor | Upgrade | Upgrade from 6.6.4/6.7.8 failed due to 'Unknown storage policy `fsiem_storage_policy`'.
1047472 | Minor | Upgrade | During upgrade, connection to ClickHouse Keeper could be lost, resulting in ClickHouse database upgrade failure.
1047414 | Minor | Upgrade | Upgrade from 6.7.3 to 7.2.1 failed due to 'Coordination error: Connection loss'.
1043635 | Minor | Upgrade | Content Update resets to base version when upgrading between any minor versions. Workaround is to immediately do a content update to the latest on the current software version.
1053996 | Enhancement | App Server | Incident Queries issued by QueryMaster may be slow when there are a lot of incident partition tables.
1047969 | Enhancement | ClickHouse Backend | Do not restart ClickHouse after certain configuration changes.
1053391 | Enhancement | Data Work | WinOSXMLParser needs update for Event IDs 4720 & 4738.
1050300 | Enhancement | Data Work | Update Oracle DB parser to parse serviceName.
1044846 | Enhancement | Data Work | IOC Rules missing for CERT.PL Malware Domains.
1044798 | Enhancement | Data Work | Some FortiGate Events are missing Event Type Groups.
1040767 | Enhancement | Data Work | Update VMware vCenter Parser and VMEventParser.
1040765 | Enhancement | Data Work | Add Dell Unity and Dell PowerShell Custom Parsers for Authentication Events.
1039612 | Enhancement | Data Work | Update Carbon Black CEF Parser.
1033866 | Enhancement | Data Work | Update FortiPAM Parser.
1023114 | Enhancement | Data Work | Need a parser for FortiGate Events from SASE.
1022941 | Enhancement | Data Work | Update Cisco ACI log support.
1022371 | Enhancement | Data Work | Update Trend Vision One CEF event support.
1045499 | Enhancement | Event Pulling Agents | Support additional date format YYYY-MM-DD hh:mm:ss in Generic Poller to support ServiceNow event pulling.
1037893 | Enhancement | Event Pulling Agents | Tenable Security Center Integration requires additional API to fetch CVSS scores.
1029563 | Enhancement | GUI, Query | Improved Dashboard Query Management for ClickHouse.
1027612 | Enhancement | Machine Learning | Add data normalization for all ML algorithms as a standard pre-processing step.
1044001 | Enhancement | New Feature | Provide an HTTP POST based method to import QRadar logs into FortiSIEM.
1028322 | Enhancement | Remediation | Develop FortiEDR Remediation via API to Quarantine a host.
1012778 | Enhancement | System | Change pgdump from gzip to pigz for multi-CPU zip processing.

Implementation Notes

PostgreSQL Related

FortiSIEM 7.2.2 includes PostgreSQL v13.14, which contains the fix for CVE-2024-0985 (a privilege escalation in REFRESH MATERIALIZED VIEW CONCURRENTLY, where the owner of a materialized view could get arbitrary SQL run with the privileges of the user refreshing it).

  • If you are doing a fresh install of FortiSIEM 7.2.2, the patch is included and there is nothing to do.

  • If you have upgraded to FortiSIEM 7.1.5 or later, the patch is included and there is nothing to do.

  • If you want to remain on FortiSIEM 7.1.4 or earlier, you cannot get this patch by running yum upgrade, because the PostgreSQL project changed the repository GPG signing key (https://yum.postgresql.org/news/pgdg-rpm-repo-gpg-key-update/). To get this PostgreSQL patch, run the following on the Supervisor:

curl -fsS https://os-pkgs-cdn.fortisiem.fortinet.com/postgres/misc/switch-pgdg-repo-and-upgrade-to-pg13.14.sh | bash -xe

The script is fetched over HTTPS and executed directly; -f makes curl fail on an HTTP error instead of piping an error page into bash. If your change-control process requires it, download the script first, review it, and then run it.

Collector HA Related

  1. If you have FortiSIEM Windows/Linux Agents reporting through Collectors and you decide to form an HA Collector Group with those Collectors, then you need to add all the Collectors in the HA Group to Admin > Setup > Windows Agent > Host to Template Associations and click Apply.

  2. If you add a new Collector to an existing HA Collector Group, the new Collector must be added as a Follower.

  3. If a Collector is part of a High Availability (HA) Cluster and you want to delete it, follow these procedures.

    Case 1: If the Collector is a Follower:

    1. Remove the Collector from the HA Collector Cluster in Admin > Settings > System > Cluster Config.

    2. Click Save.

    3. Delete the Collector from CMDB.

    Case 2: If the Collector is a Leader:

    1. Make the Collector a Follower in Admin > Settings > System > Cluster Config.

    2. Click Save.

    3. Remove the Collector from the HA Collector Cluster in Admin > Settings > System > Cluster Config.

    4. Click Save.

    5. Delete the Collector from CMDB.

  4. Collector High Availability (HA) Failover Triggers:
    • Logs sent to a VIP (VRRP based failover) - When VRRP detects node failure, the Follower becomes the Leader, takes over the VIP, and events are sent to the new Leader. VRRP detects node failure, not process failure: if a FortiSIEM process is down on a node that is otherwise up, VRRP may not trigger a failover.

    • Logs sent to a Load Balancer - The load balancer detects the failed node and directs logs to a different Collector. As above, if only a process is down on a node, failover may not trigger.

    • For event pulling and performance monitoring, the App Server redistributes a Collector's jobs if it has not received a task request from that Collector within a 10 minute window.

Identity and Location Related

If you are upgrading to 7.2.2, update the following entry in /opt/phoenix/config/identityDef.xml on the Supervisor and all Workers so that Identity and Location entries are populated for Microsoft Office 365 events, then restart the IdentityWorker and IdentityMaster processes on the Supervisor and Workers. The 7.2.2 entry adds the two Entra ID sign-in event types to eventType and renames the office365User attribute from userId to user.

Pre-7.2.2 Entry

<identityEvent>
   <eventType>MS_OFFICE365_UserLoggedIn_Succeeded</eventType>
   <eventAttributes>
      <eventAttribute name="userId" identityAttrib="office365User" reqd="yes"/>
      <eventAttribute name="srcDomain" identityAttrib="domain" reqd="no"/>
      <eventAttribute name="srcIpAddr" identityAttrib="ipAddr" reqd="yes"/>
      <eventAttribute name="srcGeoCountry" identityAttrib="geoCountry" reqd="no"/>
      <eventAttribute name="srcGeoCountryCodeStr" identityAttrib="geoCountryCode" reqd="no"/>
      <eventAttribute name="srcGeoState" identityAttrib="geoState" reqd="no"/>
      <eventAttribute name="srcGeoCity" identityAttrib="geoCity" reqd="no"/>
      <eventAttribute name="srcGeoLatitude" identityAttrib="geoLatitude" reqd="no"/>
      <eventAttribute name="srcGeoLongitude" identityAttrib="geoLongitude" reqd="no"/>
   </eventAttributes>
</identityEvent>

7.2.2 Entry

<identityEvent>
   <eventType>MS_OFFICE365_UserLoggedIn_Succeeded,MS_OFFICE365_EntraID_UserLoggedIn,MS_OFFICE365_EntraID_StsLogon_UserLoggedIn</eventType>
   <eventAttributes>
      <eventAttribute name="user" identityAttrib="office365User" reqd="yes"/>
      <eventAttribute name="srcDomain" identityAttrib="domain" reqd="no"/>
      <eventAttribute name="srcIpAddr" identityAttrib="ipAddr" reqd="yes"/>
      <eventAttribute name="srcGeoCountry" identityAttrib="geoCountry" reqd="no"/>
      <eventAttribute name="srcGeoCountryCodeStr" identityAttrib="geoCountryCode" reqd="no"/>
      <eventAttribute name="srcGeoState" identityAttrib="geoState" reqd="no"/>
      <eventAttribute name="srcGeoCity" identityAttrib="geoCity" reqd="no"/>
      <eventAttribute name="srcGeoLatitude" identityAttrib="geoLatitude" reqd="no"/>
      <eventAttribute name="srcGeoLongitude" identityAttrib="geoLongitude" reqd="no"/>
   </eventAttributes>
</identityEvent>
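A repeatable way to make the identityDef.xml change above on each Supervisor and Worker, as an added Python example; this is not Fortinet's tooling. It locates the identityEvent entry by its Office 365 event type, rewrites eventType to the 7.2.2 list, renames the office365User attribute from userId to user, preserves the file's XML comments, backs up the original, and verifies the result so the same check can be run on every node. The root element name of identityDef.xml is not shown on this page, so the embedded sample wraps the pre-7.2.2 entry in an assumed <identityDefs> root; the functions do not depend on it. Restart IdentityWorker and IdentityMaster afterwards, as the note says.

```python
import shutil
import xml.etree.ElementTree as ET

IDENTITY_DEF = "/opt/phoenix/config/identityDef.xml"
OLD_TYPE = "MS_OFFICE365_UserLoggedIn_Succeeded"
NEW_TYPES = ("MS_OFFICE365_UserLoggedIn_Succeeded,"
             "MS_OFFICE365_EntraID_UserLoggedIn,"
             "MS_OFFICE365_EntraID_StsLogon_UserLoggedIn")


def parse(text):
    # insert_comments keeps the file's XML comments, which ElementTree drops by default.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(text, parser=parser)


def find_office365_entry(root):
    """Return the <identityEvent> whose eventType list includes the Office 365 login type."""
    for ev in root.iter("identityEvent"):
        types = [t.strip() for t in (ev.findtext("eventType") or "").split(",")]
        if OLD_TYPE in types:
            return ev
    return None


def patch_entry(ev):
    """Apply the two 7.2.2 changes: the extended eventType list and userId -> user."""
    changed = False
    event_type = ev.find("eventType")
    if (event_type.text or "").strip() != NEW_TYPES:
        event_type.text = NEW_TYPES
        changed = True
    for attr in ev.iter("eventAttribute"):
        if attr.get("identityAttrib") == "office365User" and attr.get("name") != "user":
            attr.set("name", "user")
            changed = True
    return changed


def is_patched(text):
    """Post-edit check: both changes present.  Run this on every Supervisor and Worker."""
    ev = find_office365_entry(parse(text))
    if ev is None:
        return False
    names = {a.get("identityAttrib"): a.get("name") for a in ev.iter("eventAttribute")}
    return ((ev.findtext("eventType") or "").strip() == NEW_TYPES
            and names.get("office365User") == "user")


def patch_text(text):
    """Return (changed, new_text).  Idempotent: a second run reports changed=False."""
    root = parse(text)
    ev = find_office365_entry(root)
    if ev is None:
        raise ValueError(f"no identityEvent for {OLD_TYPE} found")
    changed = patch_entry(ev)
    out = ET.tostring(root, encoding="unicode")
    if text.lstrip().startswith("<?xml"):
        out = '<?xml version="1.0" encoding="UTF-8"?>\n' + out
    return changed, out


def patch_file(path=IDENTITY_DEF):
    """Edit the file in place, keeping a .bak copy; returns (changed, verified)."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    changed, new_text = patch_text(text)
    if changed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as f:
            f.write(new_text)
    return changed, is_patched(new_text)


# Constructed stand-in for the file: the pre-7.2.2 entry from this page under an assumed root.
SAMPLE_PRE_722 = """<?xml version="1.0" encoding="UTF-8"?>
<identityDefs>
  <!-- other identityEvent entries omitted -->
  <identityEvent>
    <eventType>MS_OFFICE365_UserLoggedIn_Succeeded</eventType>
    <eventAttributes>
      <eventAttribute name="userId" identityAttrib="office365User" reqd="yes"/>
      <eventAttribute name="srcDomain" identityAttrib="domain" reqd="no"/>
      <eventAttribute name="srcIpAddr" identityAttrib="ipAddr" reqd="yes"/>
    </eventAttributes>
  </identityEvent>
</identityDefs>
"""

if __name__ == "__main__":
    changed, text = patch_text(SAMPLE_PRE_722)
    print("changed:", changed, "verified:", is_patched(text))
```

Call patch_file() as a user that can write /opt/phoenix/config on each node, then confirm is_patched() on the saved file before restarting the Identity processes. Note that re-serializing through ElementTree normalizes whitespace and self-closing tags; diff the .bak against the result once before rolling the script out.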

Post-Upgrade ClickHouse IP Index Rebuilding

If you are upgrading a ClickHouse based deployment from a pre-7.1.1 release to 7.2.2, then after the upgrade you need to run a script to rebuild the ClickHouse indices. If you are running 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, or 7.2.1 and have already executed the rebuilding steps, nothing more needs to be done.

For details about this issue, see Release Notes 7.1.3 Known Issue.

The rebuilding steps are available in Release Notes 7.1.4 - Script for Rebuilding/Recreating pre-7.1.1 ClickHouse Database Indices Involving IP Fields.
