What’s New in 5.0.1
FortiSIEM 5.0.1 release includes the New Features and Enhancements described below.
If you are upgrading from FortiSIEM 4.1.0, refer to 'What's New in 5.0.0' for more information about the features in 5.0.0.
New Features
Windows Agent 2.2
The Windows Agent 2.2 feature includes the following changes:
- Additional parsing of Windows DNS logs to include Source IP, Destination Name, Destination IP, Destination Canonical Name and Received Bytes:
  - Source IP – the name resolution requestor
  - Destination Name and IP – the resolved name and IP
  - Destination Canonical Name – the CNAME of the resolved entity
  - Received Bytes – bytes in the DNS response
- Avoid Agent Configuration loss at Windows Agent Manager during Agent upgrade.
- Automatic clean-up of .SVC files when they reach a certain size.
- Do not erase the log file after Agent restart.
- Monitor encrypted USB disks.
- Agent to perform SSL certificate checks.
- Flush log files during file rotation of a monitored file.
ServiceNow Event Management Integration
FortiSIEM Incidents can now be pushed to ServiceNow Event Management tables via the FortiSIEM integration framework. For more details about ServiceNow Event Management, see here.
Enhancements
FortiSIEM 5.0.1 release includes the following enhancements:
- The phoenix_config.txt merge upgrade process is improved. The phoenix_config.txt file on Supervisor and Worker stores system level configurations. In earlier releases, during the upgrade process, the user was asked to merge the phoenix_config.txt file from the new release with the phoenix_config.txt file existing on the system. In this release, this process is simplified as follows:
  - The user is never asked to merge phoenix_config.txt files.
  - The existing phoenix_config.txt file is backed up to /opt/phoenix/config/phoenix_config.txt.<ver>, for example /opt/phoenix/config/phoenix_config.txt.5.0.0.1201
  - Selected entries from the existing phoenix_config.txt file are picked up to create the phoenix_config.txt file used by the system, which is stored in /opt/phoenix/config/phoenix_config.txt
  - The user can examine the difference between the two phoenix_config.txt files and modify the system phoenix_config.txt file if needed.
  The following sections are merged from the existing phoenix_config.txt file:
  - Global: cainfo, agent_key, agent_cert, ccm_ftp_directory, avaya_sftp_directory
  - phParser: airline_sls_directory, airline_sls_directory_high, airline_thread, incoming_log_cfg
  - phEventForwarder: tls_certificate_file, tls_key_file
  - phQueryWorker: max_num_thread_per_task
  - phReportMaster: num_merge_threads
  - Kafka: thread_num
  - Elasticsearch: the entire Elasticsearch section, if configured
- Incident > Remediation – Enforce On and Run On fields are automatically populated based on Incident Reporting Device and Incident Target. Remediation Scripts are scoped down based on the Enforced On device type. Remediation results are shown on the Remediation page.
- Flex GUI is now disabled by default. You can turn on the Flex GUI by setting Enable_Flex_UI = true in phoenix_config.txt on Supervisor.
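The simplified phoenix_config.txt merge described in the enhancements above (back up the existing file under a version suffix, build the system file from the new release's file, carry over only the selected entries, let the operator review the difference) can be modelled as follows. This is an added example, not FortiSIEM's own upgrade code. It assumes, which the release notes do not state, that phoenix_config.txt can be treated as INI-style text with [Section] headers and key = value lines; the section and key names are the ones listed above, and all sample file contents are constructed.

```python
"""Added example (not FortiSIEM code): model of the simplified phoenix_config.txt
merge. Assumption: the file is INI-style ([Section] headers, key = value lines).
Section/key names come from the release notes; sample values are constructed."""
import difflib
import re
from collections import OrderedDict

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_.\-]+)\s*=\s*(?P<value>.*?)\s*$")

# Entries the upgrade carries over from the existing file (per the release notes).
# "*" means the whole section is taken from the existing file, if it is configured.
MERGED_ENTRIES = {
    "Global": ["cainfo", "agent_key", "agent_cert",
               "ccm_ftp_directory", "avaya_sftp_directory"],
    "phParser": ["airline_sls_directory", "airline_sls_directory_high",
                 "airline_thread", "incoming_log_cfg"],
    "phEventForwarder": ["tls_certificate_file", "tls_key_file"],
    "phQueryWorker": ["max_num_thread_per_task"],
    "phReportMaster": ["num_merge_threads"],
    "Kafka": ["thread_num"],
    "Elasticsearch": "*",
}


def backup_path(path, version):
    """Backup name for the existing file: <path>.<ver>, e.g. phoenix_config.txt.5.0.0.1201."""
    return f"{path}.{version}"


def parse_config(text):
    """Parse INI-style text into {section: OrderedDict(key -> value)}; comments are skipped."""
    sections = OrderedDict()
    current = sections.setdefault("", OrderedDict())  # keys before any header
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group("name"), OrderedDict())
            continue
        m = KEY_RE.match(line)
        if m:
            current[m.group("key")] = m.group("value")
    return sections


def render_config(sections):
    """Serialize parsed sections back to INI-style text."""
    out = []
    for name, entries in sections.items():
        if not name and not entries:
            continue
        if name:
            out.append(f"[{name}]")
        out.extend(f"{key} = {value}" for key, value in entries.items())
        out.append("")
    return "\n".join(out)


def merge_configs(existing_text, release_text, merged_entries=MERGED_ENTRIES):
    """Build the system config: the new release's file wins everywhere except the
    selected entries (or the whole Elasticsearch section), taken from the existing file."""
    existing = parse_config(existing_text)
    merged = parse_config(release_text)
    for section, keys in merged_entries.items():
        old_section = existing.get(section)
        if not old_section:  # not configured in the existing file: keep release defaults
            continue
        if keys == "*":
            merged[section] = OrderedDict(old_section)
            continue
        target = merged.setdefault(section, OrderedDict())
        for key in keys:
            if key in old_section:
                target[key] = old_section[key]
    return merged


def config_diff(existing_text, merged_text, backup_name, system_name):
    """Unified diff between the backed-up file and the new system file, for operator review."""
    return list(difflib.unified_diff(
        existing_text.splitlines(), merged_text.splitlines(),
        fromfile=backup_name, tofile=system_name, lineterm=""))


# Constructed sample files (not real FortiSIEM defaults).
EXISTING_CONFIG = """\
[Global]
cainfo = /opt/phoenix/config/ca.pem
agent_key = /opt/phoenix/config/agent.key
log_level = DEBUG

[phParser]
airline_thread = 8

[Elasticsearch]
hosts = es1.example.internal:9200
shards = 5
"""

RELEASE_CONFIG = """\
[Global]
cainfo = /opt/phoenix/config/default-ca.pem
agent_key = /opt/phoenix/config/default-agent.key
log_level = INFO
new_feature_flag = true

[phParser]
airline_thread = 4
parser_batch = 100

[Elasticsearch]
hosts = localhost:9200
"""

if __name__ == "__main__":
    system_path = "/opt/phoenix/config/phoenix_config.txt"
    backup = backup_path(system_path, "5.0.0.1201")
    merged_text = render_config(merge_configs(EXISTING_CONFIG, RELEASE_CONFIG))
    print("\n".join(config_diff(EXISTING_CONFIG, merged_text, backup, system_path)))
```

Running the block prints the diff an operator would review after the upgrade: the customised cainfo, agent_key and airline_thread values and the whole Elasticsearch section survive from the existing file, while log_level and the new-in-release keys come from the new file. The same check is the one to run manually after upgrading, since anything outside the listed entries (log_level here) silently takes the release default.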