What’s New in 5.0.0
Read Before Installing or Upgrading to FortiSIEM Release 5.0.0
FortiSIEM 5.0.0 is a significant milestone release including the following features and functionality.
New Features
FortiSIEM 5.0.0 release includes the following new features:
- New HTML5 Based GUI with Online help Documentation
- Elasticsearch Event Database Option
- User Entity Behavior Anomaly Detection
- User Risk Scoring
- Incident Mitigation Framework and Library
Key Enhancements
FortiSIEM 5.0.0 release includes the following key enhancements:
- Event Insertion Performance Improvement
- Hardware Appliance Directly On Hardware without OpenStack
- Event Forwarding Enhancements
- Ability to Handle IPFIX Based Network Flow
- Ability to Handle EC2 VPC Logs
- Ability to Receive Logs via Kafka
- Policy-Based FortiSIEM Ticket Escalation
- Multiple Language Support in Reports
- ConnectWise Integration via REST API
- Ability to Add More User Context into Events in Real-time
- Ability to Handle AWS Terminated Instances in CMDB
- Ability to Include Multiple Incidents to a FortiSIEM Ticket
- NIST 800-171 Compliance Support
- Full Catalog of FortiSIEM System Errors Using Distinct Event Types
New Device Support
- FortiAuthenticator – discovery and log analysis
- Palo Alto Traps – log analysis
- EMC Isilon – log analysis
- Radware Network IPS – log analysis
- HyTrust CloudControl – log analysis
- Vormetric Data Security Manager – log analysis
- Cisco ASA Firepower SFR module – log analysis
- Checkpoint GAIA – log analysis
- CodeGreen DLP – log analysis
- TrendMicro Interscan Web Filter
- Language support for Windows security logs – Korean, German, Russian
- Microsoft Exchange Tracking – log analysis
HTML5 based GUI with Online Help Documentation
This release provides a fresh HTML5 based GUI that combines the best ideas from the current Adobe Flash based GUI with advances in JavaScript technology.
The following table provides a high level overview of the changes in the HTML5 GUI. For a complete mapping of Flash GUI to HTML5 GUI, see Appendix A.
Area | Enhancements |
---|---|
Overall | |
CMDB | |
Analytics | |
Dashboard | |
Incidents | |
Resources | |
Admin | |
The following items are not available in the current HTML5 GUI release. Some of them may be added in future releases:
- Topology View
- Specific Incident dashboards - Fishbone View, Calendar View
- VM View
- IPS Vulnerability Map
- Incident > Add Rule exception Via Patches
- CMDB > Link Usage View
- Analytics > Audit
- Analytics > Display Column Sets, Filter Criteria Sets
- Event Database Management
- Dashboard Slideshow view
- Simple keyword based search
Elasticsearch Event Database Option
This release provides the Elasticsearch database option for storing events. Existing customers can continue using the FortiSIEM EventDB and decide to switch at some point; data migration procedures from FortiSIEM EventDB to Elasticsearch are not available. New customers can choose Elasticsearch.
Elasticsearch is a distributed database that provides linearly scalable event insertion speed and improved query response time. However, you need to deploy more nodes and use more storage. The higher storage capacity applies to local disks on Elasticsearch nodes, which are relatively inexpensive. For details, see FortiSIEM - Sizing Guide here.
In earlier FortiSIEM releases, the event database option (local disk or external NFS) was chosen during installation. Starting with release 5.0.0, the user chooses the event database option from the GUI; the additional Elasticsearch option is provided along with the local disk and external NFS options.
In FortiSIEM 5.0.0, Elasticsearch will be a drop-in replacement – the system works seamlessly for NFS, local disk and Elasticsearch, with the following exceptions:
- Policy based data retention is currently not supported on Elasticsearch – FortiSIEM will just purge from Elasticsearch when a limit (10 GB by default and configurable) is reached.
- Percent Change aggregation function and CMDBDeviceToAttr look-up functions are currently not supported.
- Aggregation queries with multiple Group By conditions are interpreted differently: the current event database treats multiple Group By attributes as a tuple, while Elasticsearch treats them as nested, so the sorted results are displayed differently. Consider a query with Group By A, B that displays count in descending order. In the current FortiSIEM event database, the rows are sorted descending by count across all (A, B) pairs. Elasticsearch shows the results sorted first by A and then by B within each A. This is how Elasticsearch currently works, although there are plans to extend it to tuple sorting in later Elasticsearch releases.
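To make the ordering difference concrete, here is an added Python illustration (it is not FortiSIEM or Elasticsearch code) that computes both interpretations over a constructed set of events. The nested variant assumes the outer A buckets are ordered by their total count and the B sub-buckets inside each by their own count, which is how a terms aggregation nested inside another is ordered by default.

```python
from collections import Counter

# Constructed sample events (not from the page): (A = reporting IP, B = event type).
EVENTS = [
    ("10.0.0.1", "login"), ("10.0.0.1", "login"), ("10.0.0.1", "login"),
    ("10.0.0.1", "logout"),
    ("10.0.0.2", "login"),
    ("10.0.0.2", "error"), ("10.0.0.2", "error"), ("10.0.0.2", "error"),
    ("10.0.0.2", "error"), ("10.0.0.2", "error"),
    ("10.0.0.3", "login"), ("10.0.0.3", "login"),
]


def tuple_group_by(events):
    """EventDB semantics: every (A, B) pair is one row and the whole result
    set is sorted by count descending (ties broken by A, then B)."""
    counts = Counter(events)
    rows = [(a, b, n) for (a, b), n in counts.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def nested_group_by(events):
    """Elasticsearch-style semantics (assumed, matching the default order of a
    terms aggregation nested inside another): order the A buckets by their
    total count, then order the B sub-buckets inside each A bucket by count."""
    pair_counts = Counter(events)
    outer = Counter(a for a, _ in events)
    rows = []
    for a in sorted(outer, key=lambda x: (-outer[x], x)):
        inner = [(b, n) for (aa, b), n in pair_counts.items() if aa == a]
        for b, n in sorted(inner, key=lambda r: (-r[1], r[0])):
            rows.append((a, b, n))
    return rows


if __name__ == "__main__":
    print("EventDB (tuple):")
    for row in tuple_group_by(EVENTS):
        print("  ", row)
    print("Elasticsearch (nested):")
    for row in nested_group_by(EVENTS):
        print("  ", row)
```

Both functions return the same set of rows; only the order differs. The pair ("10.0.0.2", "login", 1) is last in the tuple ordering but second in the nested ordering, because it sits inside the A bucket with the highest total.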
For details about how FortiSIEM works with Elasticsearch, see Key Concepts.
User Entity Behavior Anomaly Detection
FortiSIEM already tracks IP addresses to user and geo-location in its User Identity and Location database. This information is now used as the foundation for machine learning techniques for the following two use cases:
- Login location anomaly detection – FortiSIEM will detect if the same user is simultaneously logging in from two different locations at times that are not physically possible because of geographical distance and travel speed limitations. This covers various login scenarios:
  - Logging into a server
  - VPN into the corporate network
  - Logging into a Cloud SSO platform such as OKTA
  - Logging onto a Cloud Service such as Google Apps, Office365, Salesforce
- Login pattern anomaly detection – FortiSIEM profiles user login behavior (users logging on to infrastructure devices from specific computers at specific hours of the day) and detects the following anomalies:
  - A user logging in to a server during times when they typically never log on
  - A user logging in to a server that they typically never log on to
  - Excessive logins by a user to a server over the whole day
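The two use cases above, as an added Python example that is not FortiSIEM's own implementation: impossible-travel detection compares consecutive logins of one user by great-circle distance and elapsed time, and pattern detection builds a per-user baseline of servers and hours and reports deviations. The thresholds (900 km/h, a 50 km minimum distance, 50 logins per day) and the login records are constructed assumptions for the example.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timezone

MAX_SPEED_KMH = 900.0          # assumed threshold: faster than a commercial flight
MIN_DISTANCE_KM = 50.0         # assumed: ignore geo-IP jitter inside one metro area
EXCESSIVE_LOGINS_PER_DAY = 50  # assumed threshold for "excessive" logins to one server


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive logins of one user whose implied travel speed is impossible."""
    by_user = defaultdict(list)
    for ev in logins:
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < MIN_DISTANCE_KM:
                continue
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            if hours <= 0 or km / hours > max_speed_kmh:
                alerts.append((user, prev["loc"], cur["loc"], round(km), round(hours, 2)))
    return alerts


def build_profile(history):
    """Per-user baseline: servers normally used and hours of day normally active."""
    profile = defaultdict(lambda: {"servers": set(), "hours": set()})
    for ev in history:
        profile[ev["user"]]["servers"].add(ev["server"])
        profile[ev["user"]]["hours"].add(ev["ts"].hour)
    return profile


def pattern_anomalies(profile, logins, max_per_day=EXCESSIVE_LOGINS_PER_DAY):
    """Compare new logins against the baseline: new server, unusual hour, excessive count."""
    alerts, per_day = [], Counter()
    for ev in logins:
        p = profile.get(ev["user"])
        if p is None:
            continue  # no baseline yet: nothing to compare against
        if ev["server"] not in p["servers"]:
            alerts.append((ev["user"], "new server", ev["server"]))
        if ev["ts"].hour not in p["hours"]:
            alerts.append((ev["user"], "unusual hour", ev["ts"].hour))
        key = (ev["user"], ev["server"], ev["ts"].date())
        per_day[key] += 1
        if per_day[key] == max_per_day + 1:  # report once per user/server/day
            alerts.append((ev["user"], "excessive logins", ev["server"]))
    return alerts


def _ev(user, ts, server, loc, lat, lon):
    return {"user": user, "ts": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
            "server": server, "loc": loc, "lat": lat, "lon": lon}


NYC = ("New York", 40.71, -74.01)
LON = ("London", 51.51, -0.13)

# Constructed baseline: alice works business hours from New York, bob around 11:00.
HISTORY = [
    _ev("alice", "2018-03-01T09:05:00", "srv-db01", *NYC),
    _ev("alice", "2018-03-01T13:40:00", "srv-db01", *NYC),
    _ev("alice", "2018-03-02T10:15:00", "srv-db01", *NYC),
    _ev("alice", "2018-03-02T16:50:00", "srv-db01", *NYC),
    _ev("bob", "2018-03-02T11:20:00", "srv-db01", *NYC),
]
# Constructed new logins to evaluate.
NEW_LOGINS = [
    _ev("alice", "2018-03-05T09:00:00", "srv-db01", *NYC),
    _ev("alice", "2018-03-05T09:30:00", "srv-db01", *LON),   # ~5,570 km 30 min later
    _ev("alice", "2018-03-05T03:10:00", "srv-web02", *NYC),  # new server, never at 03:00
    _ev("bob", "2018-03-05T11:00:00", "srv-db01", *NYC),
    _ev("bob", "2018-03-05T11:01:00", "srv-db01", *NYC),
    _ev("bob", "2018-03-05T11:02:00", "srv-db01", *NYC),
    _ev("bob", "2018-03-05T11:03:00", "srv-db01", *NYC),
]

if __name__ == "__main__":
    for a in impossible_travel(NEW_LOGINS):
        print("impossible travel:", a)
    # threshold lowered to 3 so the small constructed data set triggers it
    for a in pattern_anomalies(build_profile(HISTORY), NEW_LOGINS, max_per_day=3):
        print("pattern anomaly:", a)
```

The minimum-distance guard matters in practice: geo-IP databases place a user a few kilometres apart from one login to the next, and without it a mobile user on a short time delta can look like impossible travel.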
User Risk Scoring
FortiSIEM 4.10 provides a machine risk score by combining asset criticality, unpatched vulnerabilities and incident severity. This concept is now extended to users. Users may use multiple machines (mobile phones, tablets, laptops, workstations) and may trigger incidents on infrastructure devices. A user risk score is calculated by combining the associated machines' risk scores with the user's own risk score. User and machine scores are now presented in a unified Entity Risk dashboard.
Incident Mitigation Framework and Library
In FortiSIEM 4.10, users could write their own remediation scripts and attach them as an Incident action. That required users to hard-code credentials in the script even if FortiSIEM had the credentials in its CMDB. In this release, the incident mitigation concept is formalized and that shortcoming is eliminated.
- A REST API is provided to pull credentials from the FortiSIEM CMDB.
- A mitigation library is provided with 29 built-in mitigation actions that show the use of the API. Users can write their own mitigation scripts and include them in the library from the GUI.
- A mitigation action can be taken on demand when an incident triggers or as part of a notification policy action.
FortiSIEM’s inbuilt multi-vendor and multi-function incident mitigation library includes:
- Block an IP on FortiGate, Palo Alto and Cisco ASA firewalls and FortiWeb
- Block a MAC on all FortiSwitches managed by FortiGate firewall
- Block a MAC on Cisco IOS router/switch device
- Quarantine endpoints via Fortinet EMS and FortiClient
- Disable an interface on Windows and Linux Servers
- Disable a port on Cisco IOS device
- Add an IP for fine-grained control to FortiADC and FortiCache
- Add source email address to FortiMail Session Profile
- Block a web domain on Infoblox and Microsoft Windows DNS
- De-authenticate a user on FortiWLC, Cisco and Aruba WLAN Controllers
- De-authenticate a user on FortiAuthenticator, Linux Server and Microsoft Active Directory
- Delete a file with specific checksums on Windows and Linux Servers
- Delete a file by name on Linux Servers
- Restart a service on Windows and Linux Servers
- Reboot a Windows or Linux server
Event Insertion Performance Improvement
FortiSIEM event indexing and insertion performance is improved significantly (approximately 25-50%):
- FSM-2000F hardware appliance can now handle 15K EPS without loss.
- FSM-3500F hardware appliance can now handle 30K EPS without loss.
- Performance of a single Supervisor or a single Worker is also improved as follows:
  - A node with 8 vCPU can handle 10K EPS without loss.
  - A node with 16 vCPU can handle 15K EPS without loss.
These benchmarks were done with a specific data set and the performance in your environment may differ. For details, see FortiSIEM - Sizing Guide here.
Hardware Appliance Directly On Hardware without OpenStack
FortiSIEM Hardware Appliances (FSM-2000F and FSM-3500F) now run directly on bare-metal hardware without OpenStack. This is easier to install, configure and manage, and gives better performance since the resources previously consumed by OpenStack can now be used by FortiSIEM.
Existing customers have two options:
- Stay on OpenStack and simply upgrade the FortiSIEM guest from 4.10.0 to 5.0.0. See the 'Upgrading FortiSIEM' section of the Hardware Configuration Guides by selecting the models here.
- Migrate to 5.0.0 without losing their data. See the Migration Guides for 2000F and 3500F.
Event Forwarding Enhancements
FortiSIEM can forward events to third-party systems. In this release, this feature is enhanced in the following ways:
- Event forwarding is now more robust by buffering events in files, just like Collector to Worker event forwarding. If a forwarding destination is temporarily not reachable, events are stored locally and forwarding is attempted again later.
- Event forwarding criteria are now more fine-grained, including Reporting IP, Event Type, Source and Destination IP and Event payload.
- More event forwarding protocols are included:
  - Syslog – UDP, TCP, TCP/SSL
  - Netflow
  - Kafka
- Kafka based event forwarding can now be controlled by filtering criteria.
- All event forwarding now happens from the FortiSIEM node that first receives the event from 3rd party system (typically a FortiSIEM Collector). In earlier releases, Kafka based event forwarding happened from Super/Worker nodes.
Ability to Handle IPFIX
FortiSIEM can handle high volume network flow data from firewalls and other network devices in the form of Netflow Version 5, Version 9, SFlow, JFlow, and Cisco AVC. This release enhances this support to include IPFIX.
Ability to Handle AWS EC2 VPC Traffic Log
In this release, FortiSIEM is able to receive, parse and analyze AWS EC2 VPC traffic like any other traffic log.
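As an added illustration of what receiving and parsing such a log involves (this is example code, not FortiSIEM's parser), the block below reads records in the AWS VPC flow log default format, whose field order is version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status, handles the NODATA/SKIPDATA records that carry "-" in place of the traffic fields, and then summarises rejected flows per source. The sample lines, the account and interface ids, and the five-port threshold are constructed for the example.

```python
from collections import defaultdict

# Field order of the AWS VPC flow log default (version 2) record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_vpc_flow_line(line):
    """Parse one space-separated flow log record into a dict; '-' becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = {}
    for name, raw in zip(FIELDS, parts):
        if raw == "-":
            rec[name] = None  # NODATA / SKIPDATA records carry '-' for traffic fields
        elif name in INT_FIELDS:
            rec[name] = int(raw)
        else:
            rec[name] = raw
    return rec


def rejected_port_fanout(records, min_ports=5):
    """Sources whose rejected flows touched at least min_ports distinct destination
    ports (assumed threshold): a simple indicator of probing absorbed by a deny rule."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["dstport"] is not None:
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample records (placeholder account and interface ids, not real data).
SAMPLE_LINES = [
    "2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 41322 22 6 1 44 1520000000 1520000059 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 41323 23 6 1 44 1520000001 1520000059 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 41324 80 6 1 44 1520000002 1520000059 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 41325 443 6 1 44 1520000003 1520000059 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 41326 3389 6 1 44 1520000004 1520000059 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 41327 8080 6 1 44 1520000005 1520000059 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f67890 10.0.2.17 10.0.1.5 50012 443 6 20 4249 1520000010 1520000070 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d4e5f67890 10.0.2.17 10.0.1.5 50013 443 6 2 120 1520000011 1520000070 REJECT OK",
    "2 111122223333 eni-0a1b2c3d4e5f67890 - - - - - - - 1520000060 1520000119 - NODATA",
]


def analyze(lines):
    """Parse every line and return (records, sources with wide rejected-port fan-out)."""
    records = [parse_vpc_flow_line(line) for line in lines]
    return records, rejected_port_fanout(records)


if __name__ == "__main__":
    records, suspicious = analyze(SAMPLE_LINES)
    print(f"parsed {len(records)} records")
    for src, ports in suspicious.items():
        print(f"{src} had rejected flows to {len(ports)} distinct ports: {ports}")
```

Treating "-" as a missing value rather than failing the whole record is the point to get right: interfaces with no traffic in a capture window still emit NODATA records, and a parser that rejects them loses the signal that the interface was alive.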
Ability to Receive Logs via Kafka
FortiSIEM can forward logs to an external system via Kafka. In this release, FortiSIEM can receive logs via Kafka. This allows FortiSIEM to have robust 2-way log exchange with 3rd party systems.
Policy-Based FortiSIEM Ticket Escalation
Administrators can now define ticket escalation policies for the FortiSIEM internal ticketing system. After defining a ticket due date, users can define policies to escalate to the manager of the assignee when the ticket is not yet resolved and the current time is 'close' to the due date.
Multiple Language Support in Event Report
Log data may contain certain log attribute values (for example, user name) in various languages. This release enables PDF and CSV reports to properly show these log values in various languages. Currently, the out-of-the-box supported languages are English, Korean, Russian, Japanese and Chinese. Users can add a language of their choice.
ConnectWise Ticketing System Integration via REST API
FortiSIEM has a built-in integration with ConnectWise ticketing system via a SOAP API. Since the SOAP API is being deprecated, FortiSIEM 5.0 release can now do the same functionality via the new REST API.
Ability to Add More User Context into Events in Real-time
FortiSIEM can discover users from Active Directory and OpenLDAP and add user context to events in real time. For example, when the user name matches in an event, FortiSIEM adds the full user name to the event to make the user identifiable. In this release, more user attributes such as employee serial number and membership groups are added to events in real time.
Ability to Handle AWS Terminated Instances in CMDB
FortiSIEM can discover server instances in AWS and populate its CMDB. Until this release, deletion from the CMDB was a manual, audit-worthy event, since it is difficult to tell for sure whether the server has been terminated or there is a network connectivity issue. In AWS, where instances are brought up and torn down quickly, stale server instances in the CMDB cause license exhaustion. In this release, FortiSIEM is able to analyze the AWS CloudTrail log and delete the terminated devices from the CMDB.
Ability to Include Multiple Incidents to a Ticket in FortiSIEM Internal Ticketing System
You can now add more than one (related) incident to a ticket in the FortiSIEM internal ticketing system.
NIST 800-171 Compliance Support
This release adds reports for NIST 800-171 Compliance.
Full Catalog of FortiSIEM System Errors Using Distinct Event Types
Starting with this release, FortiSIEM internal errors are generated with proper event types and severity so they can be queried easily from FortiSIEM.