What's New in 7.2.4

This release includes Rocky Linux OS 8.10 patches until October 3, 2024. Details can be found at https://rockylinux.org/news/rocky-linux-8-10-ga-release. FortiSIEM Rocky Linux Repositories (os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs-r8.fortisiem.fortinet.com) have also been updated to include Rocky Linux 8.10. FortiSIEM customers in versions 6.4.1 and above, can upgrade their Rocky Linux versions by following the FortiSIEM OS Update Procedure.

In addition, this release contains the following bug fixes.

• Bug Fixes
• Implementation Notes

Bug Fixes

The following issues are resolved.

Bug ID	Severity	Module	Description
1080505	Major	App Server	For SAML authenticated users, Role based Access Control (RBAC) is not handled correctly.
1077989	Major	App Server	App Server optimization to reduce database contention while computing Entity Risk. Sometimes idle PostgreSQL transactions in wait are observed.
1058126	Major	App Server	Duplicate application packages were added to CMDB by Windows agent discovery.
1091334	Major	Parser	Duplicated Cloud Service EPS events (PH_SYSTEM_IP_EVENTS_PER_SEC and PH_SYSTEM_DEVAPP_NO_EVENTS) can cause high QueryMaster memory.
1081670	Major	System	phParser crashes every 30 seconds while handling snmptrap, when /opt/phoenix/config/snmptrapd.conf file is empty.
1087122	Minor	App Server	Rule exception won't be deleted when its rule is deleted.
1086254	Minor	App Server	Upgrade 7.2.3 EventDB may hang if there are a large number of user contact entries in CMDB (ph_user2contact table).
1076214	Minor	App Server	Ability to turn off Incident relationship creation. If you generate lots of new Incidents and do not close them regularly, then this data may contribute significantly towards CMDB disk usage. If you are never going to use Cases, then you can use set generate_incident_story=false. Note that by turning off Incident relationship creation, your created Case will not automatically have all related Incidents.
1041315	Minor	App Server	LDAP Discovery of subdomains moves all users under ungrouped and doesn't discover all users from these domains.
1089970	Minor	GUI	Donut chart is not showing in widget dashboard.
1088008	Minor	GUI	Avoid truncation in PDF Report for large number of columns and raw event columns by using Summary mode display.
1087139	Minor	GUI	Subpattern relationships are missing after saving a rule once you modify these relationships.
1081959	Minor	GUI	Display field attributes from custom report are not added to filter attributes when adding the report to dashboard.
1075502	Minor	GUI	GUI does not retain users after clicking Add User in Notification/Automation Policy.
1083995	Minor	Parser	Duplicated events may be generated from SNMP trap.
1083285	Minor	Parser	"FortiGateParser" does not parse DNS query information for event type Fortigate-event-dns-ftgd-cat-allow.
1075098	Minor	Parser	Unable to query unified_audit_trail table from Oracle Database due to case sensitivity in audit table name comparison.
1064013	Minor	Parser	Windows Event Parser does not convert IP to DNS host name even if DNS Server is defined.
1087276	Minor	Rule	RuleMaster and RuleWorker processes crash if a rule is imported with unknown event attributes being used in rule global constraint. Note that such a rule cannot be defined from GUI. Import process does not catch the unknown event attributes.
1084553	Minor	Threat Intel Import	CertPL malware domain imports domains marked deleted.
1063488	Enhancement	GUI	FortiSIEM GUI Idle timeout should be user configurable instead of fixed 15 minutes.

Implementation Notes

• Linux Agent Related
• PostGreSQL Related
• Collector HA Related
• Identity and Location Related
• Post-Upgrade ClickHouse IP Index Rebuilding
• Upgrade Related

Linux Agent Related

If you are running Linux Agent on Ubuntu 24, then Custom Log File monitoring may not work because of App Armor configuration. Take the following steps to configure App Armor to enable FortiSIEM Linux Agent to monitor custom files.

1. Login as root user.

2. Check if rsyslogd is protected by AppArmor by running the following command.

   aa-status | grep rsyslogd

   If the output displays rsyslogd, then you need to modify AppArmor configuration as follows.

3. Verify that the following line exists in the file /etc/apparmor.d/usr.sbin.rsyslogd

   include if exists <rsyslog.d>

   If it does not, then add the above line to the file.

4. Create or modify the file /etc/apparmor.d/rsyslog.d/custom-rules and add rules for the monitored log file as needed.

   Examples:

   If you want to monitor /testLinuxAgent/testLog.log file, then add the following line that allows rsyslogd to read the file:

   /testLinuxAgent/testLog.log r,

   Always add the following line that allows rsyslogd to read the FortiSIEM log file. This is needed:

   /opt/fortinet/fortisiem/linux-agent/log/phoenix.log r,

5. Run the following command to reload the rsyslogd AppArmor profile and apply the changes above.

   apparmor_parser -r /etc/apparmor.d/usr.sbin.rsyslogd

PostGreSQL Related

FortiSIEM 7.2.4 includes PostGreSQL v13.14 containing the patch for CVE-2024-0985.

• If you are doing a fresh install of FortiSIEM 7.2.4, then the patch is included and there is nothing to do.

• If you have upgraded to FortiSIEM 7.1.5 or later, then the patch is included and there is nothing to do.

• If you want to remain on FortiSIEM 7.1.4 or earlier, then you can't get this patch by running yum upgrade, since Postgres changed the repo gpg key as per this change
  (https://yum.postgresql.org/news/pgdg-rpm-repo-gpg-key-update/). To get this Postgres patch, on the Supervisor, run the following script:

curl -s https://os-pkgs-cdn.fortisiem.fortinet.com/postgres/misc/switch-pgdg-repo-and-upgrade-to-pg13.14.sh | bash -xe

Collector HA Related

1. If you have FortiSIEM Windows/Linux Agents reporting through Collectors and you decide to form a HA Collector Group with those Collectors, then you need to add all the Collectors in the HA Group to Admin > Setup > Windows Agent > Host to Template Associations and click Apply.

2. If you add a new Collector to an existing HA Collector Group, then the new Collector must be added as a Follower.

3. If a Collector is part of High Availability (HA) Cluster and you want to delete the Collector, then follow these procedures.

   Case 1: If the Collector is a Follower, then follow these steps:

   1. Remove the Collector from the High Availability (HA) Collector Cluster in Admin > Settings > System > Cluster Config.

   2. Click Save.

   3. Delete the Collector from CMDB.

   Case 2: If the Collector is a Leader, then follow these steps:

   1. Make the Collector a Follower Cluster in Admin > Settings > System > Cluster Config.

   2. Click Save.

   3. Remove the Collector from the High Availability (HA) Collector Cluster in Admin > Settings > System > Cluster Config.

   4. Click Save.

   5. Delete the Collector from CMDB.

4. Collector High Availability (HA) Failover Triggers:

   • Logs are sent to a VIP in VRRP based Failover - In this case, when VRRP detects node failure, then Follower becomes a Leader and owns the VIP and events are sent to the new Leader. If a process is down on a node, then VRRP may not trigger a Failover.

   • Logs sent to Load Balancer - In this case, the Load balancing algorithm detects logs being sent to a different Collector. If a process is down on a node, then Failover may not trigger.

   • For event pulling and performance monitoring, App Server redistributes the jobs from a Collector if App Server failed to receive a task request in a 10 minute window.

Identity and Location Related

If you are upgrading to 7.2.4, then please update the following entry in the /opt/phoenix/config/identityDef.xml file in Supervisor and Workers to get Identity and location entries populated for Microsoft Office365 events. Then restart IdentityWorker and IdentityMaster processes on Supervisor and Workers.

Pre-7.2.4 Entry

<identityEvent>
     <eventType>MS_OFFICE365_UserLoggedIn_Succeeded</eventType>
     <eventAttributes>
        <eventAttribute name="userId" identityAttrib="office365User" reqd="yes"/>
        <eventAttribute name="srcDomain" identityAttrib="domain" reqd="no"/>
        <eventAttribute name="srcIpAddr" identityAttrib="ipAddr" reqd="yes"/>
        <eventAttribute name="srcGeoCountry" identityAttrib="geoCountry" reqd="no"/>
        <eventAttribute name="srcGeoCountryCodeStr" identityAttrib="geoCountryCode" reqd="no"/>
        <eventAttribute name="srcGeoState" identityAttrib="geoState" reqd="no"/>
        <eventAttribute name="srcGeoCity" identityAttrib="geoCity" reqd="no"/>
        <eventAttribute name="srcGeoLatitude" identityAttrib="geoLatitude" reqd="no"/>
        <eventAttribute name="srcGeoLongitude" identityAttrib="geoLongitude" reqd="no"/>
     </eventAttributes>
  </identityEvent>

7.2.4 Entry

<identityEvent>
     <eventType>MS_OFFICE365_UserLoggedIn_Succeeded,MS_OFFICE365_EntraID_UserLoggedIn,MS_OFFICE365_EntraID_StsLogon_UserLoggedIn</eventType>
     <eventAttributes>
        <eventAttribute name="user" identityAttrib="office365User" reqd="yes"/>
        <eventAttribute name="srcDomain" identityAttrib="domain" reqd="no"/>
        <eventAttribute name="srcIpAddr" identityAttrib="ipAddr" reqd="yes"/>
        <eventAttribute name="srcGeoCountry" identityAttrib="geoCountry" reqd="no"/>
        <eventAttribute name="srcGeoCountryCodeStr" identityAttrib="geoCountryCode" reqd="no"/>
        <eventAttribute name="srcGeoState" identityAttrib="geoState" reqd="no"/>
        <eventAttribute name="srcGeoCity" identityAttrib="geoCity" reqd="no"/>
        <eventAttribute name="srcGeoLatitude" identityAttrib="geoLatitude" reqd="no"/>
        <eventAttribute name="srcGeoLongitude" identityAttrib="geoLongitude" reqd="no"/>
     </eventAttributes>
  </identityEvent>

Post-Upgrade ClickHouse IP Index Rebuilding

If you are upgrading ClickHouse based deployment from pre-7.1.1 to 7.2.4, then after upgrading to 7.2.4, you need to run a script to rebuild ClickHouse indices. If you are running 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, 7.2.1, 7.2.2, or 7.2.3 and have already executed the rebuilding steps, then nothing more needs to be done.

For details about this issue, see Release Notes 7.1.3 Known Issue.

The rebuilding steps are available in Release Notes 7.1.4 - Script for Rebuilding/Recreating pre-7.1.1 ClickHouse Database Indices Involving IP Fields.

Upgrade Related

If you encounter this error during App Server deployment part of the upgrade process, then take the remediation steps below:

Error:

stderr: remote failure: Error occurred during deployment: Exception while loading the app : java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: org.apache.catalina.LifecycleException: java.lang.StackOverflowError. Please see server.log for more details

Remediation Step

Option 1: Increase Java stack size to 2M.

1. Login to Supervisor via SSH.

2. su - admin

3. vi /opt/glassfish/domains/domain1/config/domain.xml

4. add -Xss2m in jvm-options session:
   

   <jvm-options>-Xss2m</jvm-options>

Option 2: Remove the Device to Parser association for Parsers that are towards the bottom of the Parser list, e.g. UnixParser.

1. Login to Supervisor GUI.

2. Go to CMDB and from the Columns drop-down list, add Parser Name.

3. If you see a Parser towards the bottom of the Parser list, e.g. UnixParser, then take the following steps:

   1. Select the Device and click Edit.

   2. Click the Parsers tab.

   3. Remove the selected Parser.

4. Complete the upgrade process.

5. Login to GUI and add back the Device to Parser association.