What’s New in 5.0.1

The FortiSIEM 5.0.1 release includes the new features and enhancements described below.

If you are upgrading from FortiSIEM 4.1.0, refer to 'What's New in 5.0.0' for more information about the features in 5.0.0.

New Features

Windows Agent 2.2

Windows Agent 2.2 includes the following changes:

  1. Additional parsing of Windows DNS logs to include Source IP, Destination Name, Destination IP, Destination Canonical Name and Received Bytes.
     • Source IP – the requestor of the name resolution
     • Destination Name and IP – the resolved name and IP
     • Destination Canonical Name – CNAME of the resolved entity
     • Received Bytes – bytes in the DNS response
  2. Agent configuration is no longer lost at the Windows Agent Manager during an Agent upgrade.
  3. Automatic clean-up of .SVC files when they reach a certain size.
  4. The log file is no longer erased after an Agent restart.
  5. Monitoring of encrypted USB disks.
  6. The Agent performs SSL certificate checks.
  7. Log files are flushed during file rotation of a monitored file.

ServiceNow Event Management Integration

FortiSIEM Incidents can now be pushed to ServiceNow Event Management tables via the FortiSIEM integration framework. For more details about ServiceNow Event Management, refer to the ServiceNow Event Management documentation.

Enhancements

The FortiSIEM 5.0.1 release includes the following enhancements:

  • The phoenix_config.txt merge upgrade process is improved - The phoenix_config.txt file on the Supervisor and Worker stores system-level configuration. In earlier releases, the user was asked during the upgrade to merge the phoenix_config.txt file from the new release with the phoenix_config.txt file already on the system. In this release, the process is simplified as follows:
    • The user is never asked to merge phoenix_config.txt files.
    • The existing phoenix_config.txt file is backed up to:
      /opt/phoenix/config/phoenix_config.txt.<ver>
      For example: /opt/phoenix/config/phoenix_config.txt.5.0.0.1201
    • Selected entries from the existing phoenix_config.txt file are carried over to create the phoenix_config.txt file used by the system, stored in /opt/phoenix/config/phoenix_config.txt
    • The user can examine the difference between the backed-up and the system phoenix_config.txt files and modify the system phoenix_config.txt file if needed.

    The following sections and entries are merged from the existing phoenix_config.txt file:

    Global
    • cainfo
    • agent_key
    • agent_cert
    • ccm_ftp_directory
    • avaya_sftp_directory
    phParser
    • airline_sls_directory
    • airline_sls_directory_high
    • airline_thread
    • incoming_log_cfg
    phEventForwarder
    • tls_certificate_file
    • tls_key_file
    phQueryWorker
    • max_num_thread_per_task
    phReportMaster
    • num_merge_threads
    Kafka
    • thread_num
    Elasticsearch
    • Entire Elasticsearch section, if configured.

  • Incident > Remediation – Enforce On and Run On fields are automatically populated based on Incident Reporting Device and Incident Target. Remediation Scripts are scoped down based on the Enforced On device type. Remediation results are shown on the Remediation page.
  • Flex GUI is now disabled by default. You can turn on the Flex GUI by setting Enable_Flex_UI = true in phoenix_config.txt on Supervisor.
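The last step of the simplified merge process above leaves it to the administrator to compare the backed-up phoenix_config.txt.<ver> with the new system phoenix_config.txt. The following script is an added example (not FortiSIEM code) of that post-upgrade check: it reads both files, looks only at the carried-over entries listed in the release notes (cainfo, agent_key, agent_cert, the phEventForwarder TLS file paths, and so on), and reports any entry whose value changed or disappeared, which is the first place to look if agents or the event forwarder stop trusting certificates after the upgrade. It assumes an INI-like layout for phoenix_config.txt (a "[Section]" header line followed by key=value lines, with the Global entries before the first header); the real file layout may differ, and the sample file contents are constructed.

```python
"""Post-upgrade check for carried-over phoenix_config.txt entries.

Added example, not FortiSIEM code. ASSUMPTION: phoenix_config.txt is
INI-like ("[Section]" header lines, then key=value lines; Global entries
appear before the first header). The merged entries come from the 5.0.1
release notes.
"""
import re
import sys
from typing import Dict, Optional, Tuple

# Sections and keys the upgrade carries over from the backed-up file.
# An empty tuple means "the whole section" (Elasticsearch, if configured).
MERGED_KEYS = {
    "Global": ("cainfo", "agent_key", "agent_cert",
               "ccm_ftp_directory", "avaya_sftp_directory"),
    "phParser": ("airline_sls_directory", "airline_sls_directory_high",
                 "airline_thread", "incoming_log_cfg"),
    "phEventForwarder": ("tls_certificate_file", "tls_key_file"),
    "phQueryWorker": ("max_num_thread_per_task",),
    "phReportMaster": ("num_merge_threads",),
    "Kafka": ("thread_num",),
    "Elasticsearch": (),
}

Config = Dict[str, Dict[str, str]]
Diffs = Dict[Tuple[str, str], Tuple[Optional[str], Optional[str]]]


def parse_config(text: str) -> Config:
    """Parse the assumed INI-like layout into {section: {key: value}}."""
    cfg: Config = {"Global": {}}
    section = "Global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and comments
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            cfg.setdefault(section, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[section][key.strip()] = value.strip()
    return cfg


def compare_merged(backup: Config, current: Config) -> Diffs:
    """Return {(section, key): (backup_value, current_value)} for every
    carried-over entry whose value in the system file differs from the
    backup. A missing value is reported as None, so a dropped TLS key path
    shows up as (old_path, None)."""
    diffs: Diffs = {}
    for section, keys in MERGED_KEYS.items():
        old_sec = backup.get(section, {})
        new_sec = current.get(section, {})
        if not keys:                      # whole section: every backed-up key
            keys = tuple(old_sec)
        for key in keys:
            old_val, new_val = old_sec.get(key), new_sec.get(key)
            if old_val != new_val:
                diffs[(section, key)] = (old_val, new_val)
    return diffs


def check_files(backup_path: str, current_path: str) -> Diffs:
    """Compare a backup such as /opt/phoenix/config/phoenix_config.txt.5.0.0.1201
    against the live /opt/phoenix/config/phoenix_config.txt."""
    with open(backup_path) as f_old, open(current_path) as f_new:
        return compare_merged(parse_config(f_old.read()), parse_config(f_new.read()))


# Constructed sample contents (not real FortiSIEM configuration).
SAMPLE_BACKUP = """
cainfo=/opt/phoenix/config/ca.pem
agent_key=/opt/phoenix/config/agent.key
[phEventForwarder]
tls_certificate_file=/opt/phoenix/config/fwd.crt
tls_key_file=/opt/phoenix/config/fwd.key
[phQueryWorker]
max_num_thread_per_task=8
[Elasticsearch]
es_host=10.0.0.20
es_port=9200
"""

SAMPLE_CURRENT = """
cainfo=/opt/phoenix/config/ca.pem
agent_key=/opt/phoenix/config/agent.key
[phEventForwarder]
tls_certificate_file=/opt/phoenix/config/fwd.crt
tls_key_file=/opt/phoenix/config/fwd.key
[phQueryWorker]
max_num_thread_per_task=4
[Elasticsearch]
es_host=10.0.0.20
"""


def sample_diffs() -> Diffs:
    """Run the comparison over the constructed samples."""
    return compare_merged(parse_config(SAMPLE_BACKUP), parse_config(SAMPLE_CURRENT))


if __name__ == "__main__":
    result = check_files(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else sample_diffs()
    for (section, key), (old_val, new_val) in sorted(result.items()):
        print(f"[{section}] {key}: backup={old_val!r} current={new_val!r}")
```

Run it as `python check_merge.py /opt/phoenix/config/phoenix_config.txt.<ver> /opt/phoenix/config/phoenix_config.txt` on the Supervisor after the upgrade; with no arguments it compares the constructed samples, where the thread count changed and the es_port entry was dropped. Entries that are absent from both files are not reported, so a clean run means every carried-over setting survived unchanged.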