What’s New

FortiSIEM 5.1.0 release includes the following new features, enhancements and device support.

New Features

Enhancements

IPv6 Support

This release enables FortiSIEM deployment in IPv6 networks including the following features:

  • FortiSIEM components - Supervisor, Worker, Collector, Report Server can be installed in IPv6 networks.
  • Receive, parse and analyze IPv6 syslog, Netflow.
  • Discovery of IPv6 devices via Simple Network Management Protocol (SNMP).
  • Discovery of configuration from IPv6 devices via Secure Shell (SSH).
  • GUI, Search, Report and Correlation functions with both IPv6 and IPv4 formatted addresses. You can enter addresses in various IPv6 formats in the GUI. FortiSIEM displays the addresses in standard IPv6 notation.
  • FortiSIEM supports both Mixed and Dual IPv4 and IPv6 environments.

Currently, the following features do NOT work with IPv6 systems:

  • Log collection and monitoring via Protocols other than Syslog, SNMP, SSH, and Netflow
  • Windows Agent and Windows Agent Manager (These can only run in IPv4 networks.)
  • Geo-location look-up for IPv6 addresses

Custom PDF Report

In earlier releases, FortiSIEM supported a fixed PDF Report format. This release enables you to format a PDF Report and Report Bundle by adding:

  • Cover Page with custom image
  • Table of Contents
  • Sections and Subsections with Titles
  • Custom content in each section including notes, charts, tables and images
  • One or more CMDB reports along with Event reports

You can customize both scheduled and ad-hoc reports. The PDF Report templates can be defined at folder level in RESOURCES > Reports to avoid defining the format for each and every Report in the folder.

For more information about customizing a PDF Report Output, see here.

  • FortiSIEM Flash GUI does not support the 'Custom PDF Report' feature. To customize PDF reports and export, use the HTML GUI.
  • After upgrading to FortiSIEM 5.1.0, you must reimport all the Report Bundle reports because the report template has to be created. Otherwise, the Report Bundles may fail.

Incident Subcategory

FortiSIEM Incidents are grouped into different categories – Availability, Change, Performance, Security and Other. A Category is assigned to every Rule and you can search any Incidents using these Categories.

This release extends this concept to include Subcategories. A Subcategory is defined for every system-defined rule. You can add a Subcategory for custom rules and also create new Subcategories. Incidents can be searched using both Categories and Subcategories.

For more information about creating Subcategories, see the section 'Setting Rule Subcategory' here.

Incident Resolution

This release adds Incident Resolution attribute for Incidents. Incident Resolution can be set to 'True Positive', 'False Positive' or 'Open'. Incidents can be searched using the Incident Resolution values.

For more information about Incident Resolution settings, see the description for 'Resolution' in the table here.

Ability to analyze log files from a directory on FortiSIEM nodes

Currently, FortiSIEM handles logs either (a) sent to it via Protocols such as Syslog, SNMP trap and so on or (b) pulled from devices via Protocols such as WMI, Checkpoint LEA and so on.

In this release, FortiSIEM can process log files copied to a directory on one of the FortiSIEM nodes:

  • Copy the files to a specific directory named by the reporting device IP. For Service Provider installations, create this directory on the Collector of the Organization to which these log files belong. The attribute event_sftp_directory in phoenix_config.txt defines the path. For example, to handle logs from a device with IP 1.2.3.4, create the log files in <event_sftp_directory>/1.2.3.4. A typical example is /opt/phoenix/cache/syslog/1.2.3.4.
  • Each log in the files should be formatted exactly in the same way as sent by the device. If this is a new log source, a new parser may need to be defined.
  • Each file should have a distinct time stamp to prevent files from being overwritten.
  • Set event_eps_limit_controls in phoenix_config.txt to control the EPS burst.
    • If event_eps_limit_controls is set to '10', FortiSIEM will process 30 events from this file in three seconds.
    • If event_eps_limit_controls is set to '0', FortiSIEM will process as many log files as possible, and this may affect the overall EPS license usage.
  • If you change a phoenix_config.txt parameter, then reload the parser on that node.

Note the following:

  • The log file is deleted once it has been read. Keep a separate backup if required.
  • The system requires write access to the log file directory in order to delete the log file once read. This is important because if the log file cannot be deleted, it is repeatedly read and consumed by FortiSIEM resulting in many duplicate events and extra EPS consumption.
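As an added example (not Fortinet's own tooling), the following POSIX shell helper stages a log file the way the steps above describe: it reads event_sftp_directory from phoenix_config.txt, validates the reporting device IP, creates <event_sftp_directory>/<ip>, refuses to stage if that directory is not writable (because an undeletable file is re-read and its events duplicated), and gives the copy a distinct timestamped name so it cannot overwrite an earlier drop. The config syntax `event_sftp_directory=<path>`, the default config location, and the function names are assumptions, not taken from the release notes.

```sh
#!/bin/sh
# Added example, not part of FortiSIEM: stage a log file for directory-based
# ingestion at <event_sftp_directory>/<reporting-device-ip>/<file>.
# Assumptions (hypothetical, not stated in the release notes):
#   - phoenix_config.txt holds a line of the form  event_sftp_directory=<path>
#   - the default config path below; override with PHOENIX_CONFIG or argument 3

PHOENIX_CONFIG="${PHOENIX_CONFIG:-/opt/phoenix/config/phoenix_config.txt}"  # assumed location

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
valid_ipv4() {
    _ip=$1
    case "$_ip" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    _saved_ifs=$IFS
    IFS=.
    set -- $_ip
    IFS=$_saved_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Print the event_sftp_directory value from the given phoenix_config.txt.
sftp_dir_from_config() {
    _cfg=$1
    [ -r "$_cfg" ] || { echo "config not readable: $_cfg" >&2; return 1; }
    _dir=$(sed -n 's/^[[:space:]]*event_sftp_directory[[:space:]]*=[[:space:]]*//p' "$_cfg" \
           | sed 's/[[:space:]]*$//' | head -n 1)
    [ -n "$_dir" ] || { echo "event_sftp_directory not set in $_cfg" >&2; return 1; }
    printf '%s\n' "$_dir"
}

# Stage one log file: stage_log_file <device-ip> <source-file> [config-path]
# Prints the destination path on success.
stage_log_file() {
    _ip=$1
    _src=$2
    _cfg=${3:-$PHOENIX_CONFIG}
    valid_ipv4 "$_ip" || { echo "not a dotted-quad IPv4 address: $_ip" >&2; return 1; }
    [ -f "$_src" ] || { echo "source file not found: $_src" >&2; return 1; }
    _base=$(sftp_dir_from_config "$_cfg") || return 1
    _dest_dir="$_base/$_ip"
    mkdir -p "$_dest_dir" || return 1
    # FortiSIEM deletes each file after reading it. If the directory is not
    # writable the file survives, is re-read, and every event is duplicated
    # (and counted against EPS) on each pass, so refuse to stage in that case.
    [ -w "$_dest_dir" ] || { echo "no write access to $_dest_dir" >&2; return 1; }
    # Distinct timestamp (plus PID) per file so a later drop cannot overwrite
    # an earlier one that has not been consumed yet.
    _stamp=$(date -u +%Y%m%dT%H%M%SZ)
    _dest="$_dest_dir/$(basename "$_src").$_stamp.$$"
    # Copy under a temporary name and rename, so a partially written file is
    # never present under its final name.
    cp "$_src" "$_dest.part" && mv "$_dest.part" "$_dest" || return 1
    printf '%s\n' "$_dest"
}

# Usage when run directly: ./stage_log.sh 1.2.3.4 /tmp/device.log
if [ $# -ge 2 ]; then
    stage_log_file "$1" "$2" "${3:-$PHOENIX_CONFIG}"
fi
```

After staging, reload the parser on that node if you changed phoenix_config.txt, and keep your own backup of the source file, since the staged copy is deleted once FortiSIEM has read it.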

Custom time zone support in PDF reports

In earlier releases, the time zone of Supervisor was used to report event receive time. Now, you can choose the required time zone. If the devices are in a different time zone from the Supervisor, you can choose the time zone of the devices while configuring the PDF report.

For more information about adding custom time zone in reports, see Step #6 here.

Ability to associate specific parsers to a device

Currently, upon receiving an event, the system tries the list of parsers in a specific order, looking for a match against the Event Format Recognizer defined in each parser. Syslog from some devices is too generic and lacks a proper Event Format Recognizer, which causes parsing issues.

To overcome this issue, this release enables you to attach a list of parsers to a device in CMDB. This overrides the default parser selection mechanism based on Event Format Recognizer. When a device with a list of attached parsers sends a log, the specified parsers are attempted first.

For more information about associating a set of parsers to a device, see here.

Ability to drop specific parsed event attributes

FortiSIEM adds a lot of metadata to events, such as geo-location for every IP field, user name and user full name. FortiSIEM also adds a message for its self-generated events. This can contribute to storage costs, especially for frequently occurring events.

This release allows you to drop such metadata instead of storing it if you want to minimize storage costs.

For more information about dropping specific parsed event attributes, see 'Event Dropping' - Step #8 here.

Windows Agent 2.3

This release includes Windows Agent 2.3 with the following enhancements:

  • Ability to install Windows Agent and Windows Agent Manager where only TLS 1.2 is enabled for security reasons (Mantis id: 0441466)
  • Extended Date and Time format parsing for Windows DNS logs (Mantis id: 0470398)

For more information about working with Windows Agent, see here.

New Device Support

This release includes support for the following devices:

  • Azure Identity Protection
  • Azure Advanced Threat Protection (ATP) via Syslog (CEF)
  • Azure Logs - Data Plane logs, Processed event via Syslog (CEF)
  • Cisco Stealthwatch log parser
  • Microsoft Cloud App Security via Syslog (CEF)

Device Support Enhancements

This release includes the following device support enhancements:

Mantis Id  Summary
430995     Huawei Firewall log parser extension
433018     ESXi log parsing extension
433100     F5 log parser extension
433308     Dell S-Series Switch performance monitoring via SNMP
447872     Aruba OS log parser extension
449028     Huawei Router/Switch log parser extension
469708     Cisco ISE performance monitoring extension
471431     FortiDDoS performance monitoring extension
472384     FortiSandbox discovery and performance monitoring extension
473490     FireEye Email Malware Protection System (MPS) log parser extensions
475500     Cisco IronPort Mail parser extension
493483     FortiGate Syslog action field parsing
494321     Private external threat intelligence for Threat Stream
494445     Barracuda Spam Firewall log parser extensions
496052     SNMP Sys Object Ids to cover discovery and performance monitoring for more HP Switch models
501370     FortiClient Parser enhancement to include Vulnerability Scanning fix and Risk Score Integration
503933     FortiAuthenticator performance monitoring extension
503935     FortiMail discovery and performance monitoring extension

Resolved Issues

This release includes the following resolved issues:

Mantis Id  Severity     Keyword      Summary
494980     Major        App Server   Scheduled Report Bundle PDF Reports may not contain data for all reports if one query takes a long time to complete.
481042     Major        Rule Engine  Rule Engine may crash when there are too many active Incidents in the CMDB.
474074     Minor        App Server   FortiSIEM LDAP user is not discovered for Korean language Active Directory.
494457     Minor        App Server   The Last received Syslog time updates may lag in CMDB > Device > Monitor Status tab.
496946     Minor        App Server   Remove Session id from App Server log.
496953     Minor        App Server   Incident Overview page sometimes fails due to the lack of information from PostgreSQL queries.
497363     Minor        App Server   New Organization creation may show 'Null Pointer Exception' against Business Services.
501040     Minor        App Server   CMDB Device Risk calculation consumes lots of resources when the number of CMDB devices is large.
504259     Minor        App Server   ConnectWise Integration - unable to close tickets outside of time Constraint Window.
505476     Minor        App Server   App Server looks for expiration time being updated when it's not necessary. This happens only when there is a Report Server installed and the login user has a role which doesn't have write permission on License page.
505528     Minor        App Server   Too many 'No Entity found for query' exceptions are shown in the log.
506947     Minor        App Server   Monitoring Event pulling Status Update is slow and cannot keep up with a very large number of devices and jobs.
498600     Minor        Discovery    CMDB Device Filter does not consider AWS Log Discovery and Netflow Log Discovery.
488388     Minor        GUI          HTML GUI does not create and save CheckPoint Certificates.
490587     Minor        GUI          Baseline reporting for the interface does not show data in HTML GUI.
491271     Minor        GUI          Watch List Device Health pop-up does not show data.
498876     Minor        GUI          GUI does not correctly save CyberArk credential configurations.
501707     Minor        GUI          Changes to the Watch List are saved even if the user clicks the 'Cancel' button.
501719     Minor        GUI          CSV file import fails under RESOURCES > User Agent.
503941     Minor        GUI          CMDB > Network Devices > Router/Switch Group under System folder cannot be modified.
504584     Minor        GUI          Business Service Dashboard does not show full device name as it appears in CMDB.
504593     Minor        GUI          Ticket status name is inconsistent between CASES and INCIDENTS tab.
505745     Minor        GUI          Organization list is empty if user selects an Organization with Collector under Business Services and switches to CMDB > Devices.
458679     Minor        Analytics    Analytics page does not show Event Details for events without raw event log (such as Netflow).
462749     Minor        Parser       Log discovery increases the load on App Server, causing discoveries to be missed.
501370     Minor        Parser       FortiClient Vulnerability Scanning logs do not contribute to Risk Scores in CMDB.
504518     Minor        Parser       Parser generates excessive logs when its log discovery cache is full.
489792     Enhancement  App Server   Add an alert message to confirm before deleting Organization or Collector.
490788     Enhancement  App Server   Incident Remediation is not supported for groups of devices.
494321     Enhancement  App Server   ThreatStream Private Collection cannot be collected.
497768     Enhancement  App Server   FortiSIEM Super and Worker can become Unmanaged devices when License limit is reached - preventing rules from being triggered.
506508     Enhancement  App Server   Monitor and truncate App Server discovery files so that they do not grow. A large number of discovery files may cause future discoveries to fail.
472999     Enhancement  GUI          HTML GUI does not provide the ability to search 'Sync only' reports.
490089     Enhancement  GUI          Incident List View is missing External Integration.
490405     Enhancement  GUI          Some Incident Detail attributes are not correctly formatted.
491073     Enhancement  GUI          Windows WMI installed software description shows 'null'.
501689     Enhancement  GUI          In Elasticsearch environment, Report Export in CSV format shows infinity for missing numerical fields.
501693     Enhancement  GUI          While adding a network interface for a device in CMDB, the GUI does not alert for missing network mask.
502806     Enhancement  GUI          In Incident PDF Export, 'Incident Ticket Status' shows '6' (meaning null) when no ticket exists for Incident.
493483     Enhancement  Parser       FortiGate Parser does not parse the dropped attack field and rules trigger unnecessarily.
505461     Enhancement  Rule         Enhance IPS rules to exclude blocked attacks from outside.
506512     Enhancement  System       Limit the size of Analytics phoenix_log files.