What’s New
FortiSIEM 5.1.0 release includes the following new features, enhancements and device support.
New Features
- IPv6 Support
- Custom PDF Reports
- Incident Subcategory
- Incident Resolution
- Analyze log files from a directory on FortiSIEM nodes
Enhancements
- Custom time zone support in PDF reports
- Ability to associate specific parsers to a device
- Ability to drop specific parsed event attributes
- Windows Agent 2.3
IPv6 Support
This release enables FortiSIEM deployment in IPv6 networks including the following features:
- FortiSIEM components - Supervisor, Worker, Collector, Report Server can be installed in IPv6 networks.
- Receive, parse and analyze IPv6 syslog, Netflow.
- Discovery of IPv6 devices via Simple Network Management Protocol (SNMP).
- Discovery of configuration from IPv6 devices via Secure Shell (SSH).
- GUI, Search, Report and Correlation functions with both IPv6 and IPv4 formatted addresses. You can enter addresses in various IPv6 formats in the GUI. FortiSIEM displays the addresses in standard IPv6 notation.
- FortiSIEM supports both Mixed and Dual IPv4 and IPv6 environments.
Currently, the following features do NOT work with IPv6 systems:
- Log collection and monitoring via Protocols other than Syslog, SNMP, SSH, and Netflow
- Windows Agent and Windows Agent Manager (These can only run in IPv4 networks.)
- Geo-location look-up for IPv6 addresses
Custom PDF Report
In earlier releases, FortiSIEM supported a fixed PDF Report format. This release enables you to format a PDF Report and Report Bundle by adding:
- Cover Page with custom image
- Table of Contents
- Sections and Subsections with Titles
- Custom content in each section including notes, charts, tables and images
- One or more CMDB reports along with Event reports
You can customize both scheduled and ad-hoc reports. The PDF Report templates can be defined at folder level in RESOURCES > Reports to avoid defining the format for each and every Report in the folder.
For more information about customizing a PDF Report Output, see here.
Incident Subcategory
FortiSIEM Incidents are grouped into different categories – Availability, Change, Performance, Security and Other. A Category is assigned to every Rule and you can search any Incidents using these Categories.
This release extends this concept to include Subcategories. A Subcategory is defined for every system-defined rule. You can add a Subcategory for custom rules and also create new Subcategories. Incidents can be searched using both Categories and Subcategories.
For more information about creating Subcategories, see the section 'Setting Rule Subcategory' here.
Incident Resolution
This release adds Incident Resolution attribute for Incidents. Incident Resolution can be set to 'True Positive', 'False Positive' or 'Open'. Incidents can be searched using the Incident Resolution values.
For more information about Incident Resolution settings, see the description for 'Resolution' in the table here.
Ability to analyze log files from a directory on FortiSIEM nodes
Currently, FortiSIEM handles logs either (a) sent to it via Protocols such as Syslog, SNMP trap and so on or (b) pulled from devices via Protocols such as WMI, Checkpoint LEA and so on.
In this release, FortiSIEM can process log files copied to a directory on one of the FortiSIEM nodes:
- Copy the files to a specific directory named by the reporting device IP. For Service Provider installations, create this directory on the Collector of the Organization to which these log files belong. The attribute event_sftp_directory in phoenix_config.txt defines the path. For example, to handle logs from a device with IP 1.2.3.4, create log files in <event_sftp_directory>/1.2.3.4. A typical example is opt/phoenix/cache/syslog/1.2.3.4.
- Each log in the files should be formatted exactly in the same way as sent by the device. If this is a new log source, a new parser may need to be defined.
- Each file should have a distinct time stamp to prevent files from being overwritten.
- Set event_eps_limit_controls in phoenix_config.txt to control the EPS burst.
  - If event_eps_limit_controls is set to '10', FortiSIEM will process 30 events from this file in three seconds.
  - If event_eps_limit_controls is set to '0', FortiSIEM will process as many log files as possible, and this may impact the overall EPS license usage.
- If you change a phoenix_config.txt parameter, then reload the parser on that node.
Note the following:
- The log file is deleted once it has been read. Keep a separate backup if required.
- The system requires write access to the log file directory in order to delete the log file once read. This is important because if the log file cannot be deleted, it is repeatedly read and consumed by FortiSIEM resulting in many duplicate events and extra EPS consumption.
Custom time zone support in PDF reports
In earlier releases, the time zone of Supervisor was used to report event receive time. Now, you can choose the required time zone. If the devices are in a different time zone from the Supervisor, you can choose the time zone of the devices while configuring the PDF report.
For more information about adding custom time zone in reports, see Step #6 here.
Ability to associate specific parsers to a device
Currently, upon receiving an event, the system tries the list of parsers in a specific order, looking for a match on the Event Format Recognizer defined in each parser. Syslog from some devices is too generic, does not have a proper Event Format Recognizer, and causes parsing issues.
To overcome this issue, this release enables you to attach a list of parsers to a device in CMDB. This overrides the default parser selection mechanism based on Event Format Recognizer. When a device with a list of attached parsers sends a log, the specified parsers are attempted first.
For more information about associating a set of parsers to a device, see here.
Ability to drop specific parsed event attributes
FortiSIEM adds a lot of metadata to events, such as geo-location for every IP field, user name and user full name. FortiSIEM also adds a message for its self-generated events. This can contribute to storage costs, especially for frequently occurring events.
This release allows you to not store such metadata if you want to minimize storage costs.
For more information about dropping specific parsed event attributes, see 'Event Dropping' - Step #8 here.
Windows Agent 2.3
This release includes Windows Agent 2.3 with the following enhancements:
- Ability to install Windows Agent and Windows Agent Manager where only TLS 1.2 is enabled for Security reasons (Mantis id: 0441466)
- Extended Date and Time format parsing for Windows DNS logs (Mantis id: 0470398)
For more information about working with Windows Agent, see here.
New Device Support
This release includes support for the following devices:
- Azure Identity Protection
- Azure Advanced Threat Protection (ATP) via Syslog (CEF)
- Azure Logs - Data Plane logs, Processed event via Syslog (CEF)
- Cisco Stealthwatch log parser
- Microsoft Cloud App Security via Syslog (CEF)
Device Support Enhancements
This release includes the following device support enhancements:
Mantis Id | Summary |
---|---|
430995 | Huawei Firewall log parser extension |
433018 | ESXi log parsing extension |
433100 | F5 log parser extension |
433308 | Dell S-Series Switch performance monitoring via SNMP |
447872 | Aruba OS log parser extension |
449028 | Huawei Router/Switch log parser extension |
469708 | Cisco ISE performance monitoring extension |
471431 | FortiDDoS performance monitoring extension |
472384 | FortiSandbox discovery and performance monitoring extension |
473490 | FireEye Email Malware Protection System (MPS) log parser extensions |
475500 | Cisco IronPort Mail parser extension |
493483 | FortiGate Syslog action field parsing |
494321 | Private external threat intelligence for Threat Stream |
494445 | Barracuda Spam Firewall log parser extensions |
496052 | SNMP Sys Object Ids to cover discovery and performance monitoring for more HP Switch models |
501370 | FortiClient Parser enhancement to Include Vulnerability Scanning fix and Risk Score Integration |
503933 | FortiAuthenticator performance monitoring extension |
503935 | FortiMail discovery and performance monitoring extension |
Resolved Issues
This release includes the following resolved issues:
Mantis Id | Severity | Keyword | Summary |
---|---|---|---|
494980 | Major | App Server | Scheduled Report Bundle PDF Reports may not contain data for all reports if one query takes a long time to complete. |
481042 | Major | Rule Engine | Rule Engine may crash when there are too many active Incidents in the CMDB. |
474074 | Minor | App Server | FortiSIEM LDAP user is not discovered for Korean language Active Directory. |
494457 | Minor | App Server | The Last received Syslog time updates may lag in CMDB > Device > Monitor Status tab. |
496946 | Minor | App Server | Remove Session id from App Server log. |
496953 | Minor | App Server | Incident Overview page sometimes fails due to the lack of information from PostgreSQL queries. |
497363 | Minor | App Server | New Organization creation may show 'Null Pointer Exception' against Business Services. |
501040 | Minor | App Server | CMDB Device Risk calculation consumes lots of resources when the number of CMDB devices is large. |
504259 | Minor | App Server | ConnectWise Integration - unable to close tickets outside of time Constraint Window. |
505476 | Minor | App Server | App Server looks for expiration time being updated when it's not necessary. This happens only when there is a Report Server installed and the login user has a role which doesn't have write permission on License page. |
505528 | Minor | App Server | Too many 'No Entity found for query' exceptions are shown in the log. |
506947 | Minor | App Server | Monitoring Event pulling Status Update is slow and cannot keep up with a very large number of devices and jobs. |
498600 | Minor | Discovery | CMDB Device Filter does not consider AWS Log Discovery and Netflow Log Discovery. |
488388 | Minor | GUI | HTML GUI does not create and save CheckPoint Certificates. |
490587 | Minor | GUI | Baseline reporting for the interface does not show data in HTML GUI. |
491271 | Minor | GUI | Watch List Device Health pop-up does not show data. |
498876 | Minor | GUI | GUI does not correctly save CyberArk credential configurations. |
501707 | Minor | GUI | Changes to the Watch List are saved even if the user clicks the 'Cancel' button. |
501719 | Minor | GUI | CSV file import fails under RESOURCES > User Agent. |
503941 | Minor | GUI | CMDB > Network Devices > Router/Switch Group under System folder cannot be modified. |
504584 | Minor | GUI | Business Service Dashboard does not show full device name as it appears in CMDB. |
504593 | Minor | GUI | Ticket status name is inconsistent between CASES and INCIDENTS tab. |
505745 | Minor | GUI | Organization list is empty if the user selects an Organization with Collector under Business Services and switches to CMDB > Devices. |
458679 | Minor | Analytics | Analytics page does not show Event Details for events without raw event log (such as Netflow). |
462749 | Minor | Parser | Log discovery increases the load on App Server causing discoveries to be missed. |
501370 | Minor | Parser | FortiClient Vulnerability Scanning logs do not contribute to Risk Scores in CMDB. |
504518 | Minor | Parser | Parser generates excessive logs when its log discovery cache is full. |
489792 | Enhancement | App Server | Add an alert message to confirm before deleting Organization or Collector. |
490788 | Enhancement | App Server | Incident Remediation is not supported for groups of devices. |
494321 | Enhancement | App Server | ThreatStream Private Collection cannot be collected. |
497768 | Enhancement | App Server | FortiSIEM Super and Worker can become Unmanaged devices when License limit is reached - preventing rules from being triggered. |
506508 | Enhancement | App Server | Monitor and truncate App Server discovery files so that it does not grow. A large number of discovery files may cause future discoveries to fail. |
472999 | Enhancement | GUI | HTML GUI does not provide the ability to search 'Sync only' reports. |
490089 | Enhancement | GUI | Incident List View is missing External Integration. |
490405 | Enhancement | GUI | Some Incident Detail attributes are not correctly formatted. |
491073 | Enhancement | GUI | Windows WMI installed software description shows 'null'. |
501689 | Enhancement | GUI | In Elasticsearch environment, Report Export in CSV format shows infinity for missing numerical fields. |
501693 | Enhancement | GUI | While adding a network interface for a device in CMDB, the GUI does not alert for missing network mask. |
502806 | Enhancement | GUI | In Incident PDF Export, 'Incident Ticket Status' shows '6' (meaning null) when no ticket exists for Incident. |
493483 | Enhancement | Parser | FortiGate Parser does not parse the dropped attack field and rules trigger unnecessarily. |
505461 | Enhancement | Rule | Enhance IPS rules to exclude blocked attacks from outside. |
506512 | Enhancement | System | Limit the size of Analytics phoenix_log files. |