What's New in 7.2.7

This release contains the following bug fixes and enhancements.

Caution: If you are running 7.2.7, then you must upgrade to 7.4.2 or later. 7.2.7 contains a security fix that was not included in the earlier 7.4.1 release, so upgrades from 7.2.7 to 7.4.1 fail.

System Updates

This release includes Rocky Linux OS 8.10 patches through September 18, 2025. Details can be found at https://rockylinux.org/news/rocky-linux-8-10-ga-release. The FortiSIEM Rocky Linux repositories (os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs-r8.fortisiem.fortinet.com) have also been updated to include Rocky Linux 8.10. FortiSIEM customers on versions 6.4.1 and above can upgrade their Rocky Linux version by following the FortiSIEM OS Update Procedure.

Bug Fixes and Enhancements

The following bugs are resolved in this release.

Bug ID  | Severity    | Module               | Description
--------|-------------|----------------------|-------------------------------------------------------------
1209180 | Major       | App Server           | If a report bundle is scheduled separately for each org, reports are received only for Super/Local and not for the other orgs.
1196070 | Major       | App Server           | Optimize performance of the Windows Agent > Host Template Association > Apply operation. With a large number of Agents, this operation may return 503/504 errors.
1193567 | Major       | App Server           | Improve performance of the public Incident REST API (/phoenix/rest/pub/incident).
1179987 | Major       | App Server           | Agent Status update API causes high CPU.
1173926 | Major       | App Server           | Optimize performance of the Delete Device operation from the GUI. With a large number of devices, this operation may return 502 errors.
1171669 | Major       | App Server           | Optimize performance of loading and re-ordering parsers.
1170625 | Major       | App Server           | With many devices in the CMDB, the device update operation may cause a GUI timeout. Optimize App Server performance while handling this operation.
1176881 | Major       | GUI                  | Org-level reports from Super/Global are not delivered.
1089195 | Major       | Query Engine         | In high-EPS environments, QueryMaster may consume significant memory to handle the Summary dashboard in ClickHouse deployments.
1169431 | Major       | System               | phMonitor may crash on a Collector during Download Image if taskId is very large.
1209282 | Minor       | App Server           | The Get Incidents by Page Number public REST API may fail to return results in an HA environment.
1208997 | Minor       | App Server           | In report PDFs, the report logo does not display in the page footer.
1208039 | Minor       | App Server           | Event CMDB nested query failed to return all results.
1208007 | Minor       | App Server           | Some public APIs failed to return results: Create Lookup Table, Get Summarized Watchlists by Id.
1148520 | Minor       | App Server           | Analytics page > Check Reputation > FortiGuard IOC Lookup may not return results because an error message could not be parsed.
1140285 | Minor       | App Server           | Public REST API '/phoenix/rest/pub/incident/triggeringEvents' does not return all event attributes for ClickHouse.
1169951 | Minor       | Event Pulling Agents | Not all CrowdStrike events are pulled when the server sends incomplete events.
1156003 | Minor       | GUI                  | Email Template Configuration strips color styles when saved.
1142995 | Minor       | GUI                  | Allow the $ character in Credential > Event Hub - Consumer Group.
1209988 | Minor       | System               | "configFSM.sh" may fail to run on HW appliances during re-installation after a factory reset.
1206464 | Minor       | System               | "configFSM.sh" failed on HW appliances during re-installation.
1131523 | Enhancement | Event Pulling Agents | Enhance the Sophos Central API integration to use ClientId and ClientSecret.
1034251 | Enhancement | System               | Charting Redis should not be running on Worker and Collector nodes.

Implementation Notes

Linux Agent Related

If you are running the Linux Agent on Ubuntu 24, then Custom Log File monitoring may not work because of the AppArmor configuration. Take the following steps to configure AppArmor so that the FortiSIEM Linux Agent can monitor custom files.

  1. Login as root user.

  2. Check if rsyslogd is protected by AppArmor by running the following command.

    aa-status | grep rsyslogd

    If the output displays rsyslogd, then you need to modify the AppArmor configuration as follows.

  3. Verify that the following line exists in the file /etc/apparmor.d/usr.sbin.rsyslogd.

    include if exists <rsyslog.d>

    If it does not, then add the above line to the file.

  4. Create or modify the file /etc/apparmor.d/rsyslog.d/custom-rules and add rules for the monitored log file as needed.

    Examples:

    If you want to monitor /testLinuxAgent/testLog.log file, then add the following line that allows rsyslogd to read the file:

    /testLinuxAgent/testLog.log r,

    Always add the following line, which allows rsyslogd to read the FortiSIEM Linux Agent log file. This entry is required regardless of which custom files you monitor:

    /opt/fortinet/fortisiem/linux-agent/log/phoenix.log r,

  5. Run the following command to reload the rsyslogd AppArmor profile and apply the changes above.

    apparmor_parser -r /etc/apparmor.d/usr.sbin.rsyslogd
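The five steps above collected into one idempotent script, added here as an example and not part of the FortiSIEM documentation. It assumes the default paths from the page (overridable via the PROFILE and RULES environment variables, which are this script's own), takes the custom log files to monitor as arguments, and inserts the include line inside the profile's `{ ... }` block, where AppArmor expects it.

```shell
#!/bin/sh
# Added example (not from the FortiSIEM docs): idempotent helper for the
# AppArmor steps above. PROFILE/RULES are this script's own variable names.
set -eu
PROFILE="${PROFILE:-/etc/apparmor.d/usr.sbin.rsyslogd}"
RULES="${RULES:-/etc/apparmor.d/rsyslog.d/custom-rules}"
AGENT_LOG=/opt/fortinet/fortisiem/linux-agent/log/phoenix.log

# Step 3: ensure 'include if exists <rsyslog.d>' is present. The include
# belongs inside the profile's { ... } block, so insert it before the final '}'.
ensure_include() {
  prof="$1"; inc='include if exists <rsyslog.d>'
  grep -qF "$inc" "$prof" && return 0
  awk -v inc="  $inc" '
    { lines[NR] = $0 }
    END {
      last = NR
      while (last > 0 && lines[last] !~ /^[}]/) last--   # locate closing brace
      for (i = 1; i <= NR; i++) {
        if (i == last) print inc
        print lines[i]
      }
      if (last == 0) print inc   # no brace found: a top-level include is still valid
    }' "$prof" > "$prof.tmp" && mv "$prof.tmp" "$prof"
}

# Step 4: append a read-only rule for one file unless it is already there.
add_read_rule() {
  rules="$1"; path="$2"
  mkdir -p "$(dirname "$rules")"
  [ -f "$rules" ] || : > "$rules"
  grep -qF "$path r," "$rules" || printf '%s r,\n' "$path" >> "$rules"
}

# Steps 2 and 5: only touch the live system when rsyslogd is actually confined.
main() {
  if ! aa-status 2>/dev/null | grep -q rsyslogd; then
    echo "rsyslogd is not confined by AppArmor; nothing to do"; return 0
  fi
  ensure_include "$PROFILE"
  add_read_rule "$RULES" "$AGENT_LOG"                  # always required
  for f in "$@"; do add_read_rule "$RULES" "$f"; done  # custom log files
  apparmor_parser -r "$PROFILE"                        # reload the profile
}

# Run as root: sh fsm-apparmor.sh --apply /testLinuxAgent/testLog.log
case "${1:-}" in --apply) shift; main "$@" ;; esac
```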

Identity and Location Related

If you are upgrading to 7.2.7, then update the following entry in the /opt/phoenix/config/identityDef.xml file on the Supervisor and Workers so that Identity and Location entries are populated for Microsoft Office365 events. Then restart the IdentityWorker and IdentityMaster processes on the Supervisor and Workers.

Pre-7.2.7 Entry

<identityEvent>
    <eventType>MS_OFFICE365_UserLoggedIn_Succeeded</eventType>
    <eventAttributes>
        <eventAttribute name="userId" identityAttrib="office365User" reqd="yes"/>
        <eventAttribute name="srcDomain" identityAttrib="domain" reqd="no"/>
        <eventAttribute name="srcIpAddr" identityAttrib="ipAddr" reqd="yes"/>
        <eventAttribute name="srcGeoCountry" identityAttrib="geoCountry" reqd="no"/>
        <eventAttribute name="srcGeoCountryCodeStr" identityAttrib="geoCountryCode" reqd="no"/>
        <eventAttribute name="srcGeoState" identityAttrib="geoState" reqd="no"/>
        <eventAttribute name="srcGeoCity" identityAttrib="geoCity" reqd="no"/>
        <eventAttribute name="srcGeoLatitude" identityAttrib="geoLatitude" reqd="no"/>
        <eventAttribute name="srcGeoLongitude" identityAttrib="geoLongitude" reqd="no"/>
    </eventAttributes>
</identityEvent>

7.2.7 Entry

<identityEvent>
    <eventType>MS_OFFICE365_UserLoggedIn_Succeeded,MS_OFFICE365_EntraID_UserLoggedIn,MS_OFFICE365_EntraID_StsLogon_UserLoggedIn</eventType>
    <eventAttributes>
        <eventAttribute name="user" identityAttrib="office365User" reqd="yes"/>
        <eventAttribute name="srcDomain" identityAttrib="domain" reqd="no"/>
        <eventAttribute name="srcIpAddr" identityAttrib="ipAddr" reqd="yes"/>
        <eventAttribute name="srcGeoCountry" identityAttrib="geoCountry" reqd="no"/>
        <eventAttribute name="srcGeoCountryCodeStr" identityAttrib="geoCountryCode" reqd="no"/>
        <eventAttribute name="srcGeoState" identityAttrib="geoState" reqd="no"/>
        <eventAttribute name="srcGeoCity" identityAttrib="geoCity" reqd="no"/>
        <eventAttribute name="srcGeoLatitude" identityAttrib="geoLatitude" reqd="no"/>
        <eventAttribute name="srcGeoLongitude" identityAttrib="geoLongitude" reqd="no"/>
    </eventAttributes>
</identityEvent>

Post-Upgrade ClickHouse IP Index Rebuilding

If you are upgrading a ClickHouse-based deployment from pre-7.1.1 to 7.2.7, then after upgrading to 7.2.7 you need to run a script to rebuild the ClickHouse indices. If you are running 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, or 7.2.6 and have already executed the rebuilding steps, then nothing more needs to be done.

For details about this issue, see Release Notes 7.1.3 Known Issue.

The rebuilding steps are available in Release Notes 7.1.4 - Script for Rebuilding/Recreating pre-7.1.1 ClickHouse Database Indices Involving IP Fields.
