Content Pack Updates

This document provides details about Content updates for various 6.4.x releases.

Deployment Notes

Content Pack Updates require the use of FortiSIEM version 6.4.0 or later. Procedures related to Content Updates can be found here.

Content Pack Updates must be done in the following order:

  1. Update FortiSIEM Supervisor.

  2. Update FortiSIEM Worker.

Content Updates for 6.4.0, 6.4.1, 6.4.2

Content Update 124

Published May 16, 2023

This content update contains the following:

  1. FortiNAC parser enhancement.

  2. PaloAlto parser enhancement.

  3. 4 x Outbreak Rules and Reports:

    • Outbreak: PaperCut MF/NG Improper Access Control Vulnerability Detected on Network

    • Outbreak: PaperCut MF/NG Improper Access Control Vulnerability Detected on Host

    • Outbreak: TBK DVR Authentication Bypass Attack Detected on Network

    • Outbreak: Oracle WebLogic Server Vuln Detected on Network

  4. Latest GeoDB updates.

Content Update 123

Published April 27, 2023

This content update contains the following:

  1. Fixed several dashboard reports for FortiDeceptor and FortiGate

  2. Fixed FortiGate Parser issue for some models

  3. 5 x Outbreak Rules and Reports:

    • Outbreak: Zoho ManageEngine RCE Vulnerability Detected on Network

    • Outbreak: ThinkPHP Remote Code Execution Vulnerability Detected on Network

    • Outbreak: ThinkPHP Remote Code Execution Vulnerability Detected on Host

    • Outbreak: Realtek SDK Attack Detected on Network

    • Outbreak: Realtek SDK Attack Detected on Host

  4. Latest GeoDB updates.

Content Update 122

Published April 04, 2023

This content update contains the following:

  1. 10 x Outbreak Rules and Reports:

    • Outbreak: IBM Aspera Faspex Code Execution Vulnerability Detected on Network

    • Outbreak: IBM Aspera Faspex Code Execution Vulnerability Detected on Host

    • Outbreak: Joomla! CMS Improper Access Check Vulnerability Detected on Network

    • Outbreak: Teclib GLPI Remote Code Execution Vulnerability Detected on Network

    • Outbreak: Progress Telerik UI Attack Detected on Network

    • Outbreak: Progress Telerik UI Attack Detected on Host

    • Outbreak: Microsoft Outlook Elevation of Privilege Vulnerability Detected on Network

    • Outbreak: Microsoft Outlook Elevation of Privilege Vulnerability Detected on Host

    • Outbreak: 3CX Supply Chain Attack Detected on Network

    • Outbreak: 3CX Supply Chain Attack Detected on Host

  2. Latest GeoDB Updates.

Content Update 121

Published March 14, 2023

This content update contains the following:

  1. FortiGateParser update.

  2. 5 x Outbreak Rules and Reports:

    • Outbreak: VMware ESXi Server Ransomware Attack Detected on Network

    • Outbreak: Cacti Server Command Injection Attack Detected on Network

    • Outbreak: Cacti Server Command Injection Vulnerability Detected on Host

    • Outbreak: Fortra GoAnywhere MFT RCE Vulnerability Detected on Host

    • Outbreak: Fortra GoAnywhere MFT RCE Vulnerability Detected on Network

  3. All outbreak network rules updated so that they do not trigger when the source is a public IP and the traffic is blocked by a firewall.

  4. Latest GeoDB Updates.

Content Update 120

Published February 7, 2023

This content update contains the following:

  1. 4 x Outbreak Rules and Reports:

    • Outbreak: Control Web Panel Login Exploit Detected on Host

    • Outbreak: Control Web Panel Login Exploit Detected on Network

    • Outbreak: Router Malware Attack Detected on Host

    • Outbreak: Router Malware Attack Detected on Network

  2. Latest GeoDB Updates

Content Update 119

Published January 12, 2023

This content update contains the following:

  • Windows Parsing Enhancements

  • 9 x Outbreak Rules and Reports:

    • Outbreak: Atlassian Pre-Auth Arbitrary File Read Vuln detected on Network

    • Outbreak: Atlassian Pre-Auth Arbitrary File Read Vuln detected on Host

    • Outbreak: BURNTCIGAR MS Signed Driver Malware detected on Network

    • Outbreak: BURNTCIGAR MS Signed Driver Malware detected on Host

    • Outbreak: FortiWeb detected VMware Spring Cloud Func RCE Vulnerability on Network

    • Outbreak: VMware Spring Cloud Func RCE Vulnerability on Network

    • Outbreak: FortiWeb detected Zerobot Botnet Activity on Network

    • Outbreak: Zerobot Botnet Activity Detected on Host

    • Outbreak: Zerobot Botnet Activity Detected on Network

  • UnixParser support for Chronyd events

  • Dedicated rules for detecting FortiGate admin user creation/deletion

    • FortiGate: Admin User Added

    • FortiGate: Admin User Deleted

  • PaloAlto Parser updated to parse additional attributes for some log types

  • Latest GeoDB Updates

Content Update 118

Published December 20, 2022

This content update contains Outbreak rules and reports, and the latest GEO database updates.

Note: 6.4.2 begins with Content Update 118 being available. It contains content from prior updates for 6.4.2, so older Content Updates do not need to be downloaded.

Added Rules

  • Outbreak: VMWare Workspace ONE Vulnerability - CVE-2022-22954 on Network

  • Outbreak: Redigo Malware Detected on Network

  • Outbreak: Redigo Malware Detected on Host

  • Outbreak: FortiOS SSLVPN Heap Buffer Overflow Attack - CVE-2022-42475 Detected on Network

Added Reports

  • Outbreak: VMWare Workspace ONE Vulnerability - CVE-2022-22954 on Network

  • Outbreak: Redigo Malware Detected on Network

  • Outbreak: Redigo Malware Detected on Host

  • Outbreak: FortiOS SSLVPN Heap Buffer Overflow Attack - CVE-2022-42475 Detected on Network

Content Updates for 6.4.0, 6.4.1

Content Update 117

Published November 30, 2022

This content update contains Outbreak rules and reports, updated FortiGate and FortiProxy regular IPS signatures, updated FortiGate and FortiProxy Industrial Operational Technology (OT) IPS signatures, and the latest GEO database updates.

Added Rules

  • Outbreak: ABB Flow Computer Path Traversal Vulnerability Detected on Network

  • Outbreak: Sandbreak vm2 sandbox module RCE Vulnerability Detected on Network

  • Outbreak: Hive Ransomware Detected on Network

  • Outbreak: Hive Ransomware Detected on Host

  • Outbreak: X.509 Email Address Buffer Overflow in OpenSSL 3.0.0 to 3.0.6 detected on Network

  • Outbreak: X.509 Email Address Buffer Overflow in OpenSSL 3.0.0 to 3.0.6 detected on Host

  • Outbreak: CISA Top 20 Vulnerability detected on Host

  • Outbreak: FortiGate detected CISA Top 20 Vulnerability on Network

  • Outbreak: FortiWeb detected CISA Top 20 Vulnerability on Network

Added Reports

  • Outbreak: ABB Flow Computer Path Traversal Vulnerability Detected on Network

  • Outbreak: Sandbreak vm2 sandbox module RCE Vulnerability Detected on Network

  • Outbreak: Hive Ransomware Detected on Network

  • Outbreak: Hive Ransomware Detected on Host

  • Outbreak: X.509 Email Address Buffer Overflow in OpenSSL 3.0.0 to 3.0.6 detected on Network

  • Outbreak: X.509 Email Address Buffer Overflow in OpenSSL 3.0.0 to 3.0.6 detected on Host

  • Outbreak: CISA Top 20 Vulnerability detected on Host

  • Outbreak: FortiGate detected CISA Top 20 Vulnerability on Network

  • Outbreak: FortiWeb detected CISA Top 20 Vulnerability on Network

Content Update 116

Published October 26, 2022

This content update contains rules and reports for Prestige Ransomware, Apache Commons Text RCE (CVE-2022-42889, CVE-2022-33980), and an enhanced FortiSandbox parser.

Added Rules

  • Prestige Ransomware Detected on Network

  • Prestige Ransomware Detected on Host

  • Apache Commons Text RCE Vulnerability Detected on Network

  • Apache Commons Text RCE Vulnerability Detected on Host

Added Reports

  • Prestige Ransomware Detected on Network

  • Prestige Ransomware Detected on Host

  • Apache Commons Text RCE Vulnerability Detected on Network

  • Apache Commons Text RCE Vulnerability Detected on Host

Parser Update

  • FortiSandboxParser - Parse sha1 checksum

Content Update 115

Published October 14, 2022

This content update contains a rule and report for FGT Auth Bypass on Administrative Interface (CVE-2022-40684), enhanced parsers, and the latest GEO database updates.

Added Rule

  • FortiGate Authentication bypass on Administrative Interface

Added Report

  • FortiGate Authentication bypass on Administrative Interface Detected

Parser Updates

  • AOWUA_DNSParser - Parse event severity

  • FortiGate - Detection for CVE-2022-40684

  • FortiProxy - Detection for CVE-2022-40684

Content Update 114

Published October 6, 2022

This content update contains rules and reports for Microsoft Exchange ProxyNotShell RCE Vulnerability (CVE-2022-41040, CVE-2022-41082), enhanced parsers, an enhanced "Concurrent VPN Authentications To Same Account From Different Cities" rule, and the latest GEO database updates.

Added Rules

  • Microsoft Exchange Autodiscover RCE ProxyNotShell Detected on Host

  • Microsoft Exchange Autodiscover RCE ProxyNotShell Detected on Network

Added Reports

  • Microsoft Exchange Autodiscover RCE ProxyNotShell Detected on Host

  • Microsoft Exchange Autodiscover RCE ProxyNotShell Detected on Network

Modified Rules

  • Concurrent VPN Authentications to same account from different cities: excluded the user “N/A” seen in some FortiGate VPN logs

Parser Updates

  • ImpervaParser – Event types generalized to reflect that SecureSphere does more than just DB monitoring

  • FireEyeParsers – Test modified/corrected events

  • FortiSandbox – Enhanced to handle additional fields, and re-structured to allow ease of expansion

Content Update 113

Published September 23, 2022

This content update contains rules and reports for Apache Path Traversal Vulnerability (CVE-2021-42013, CVE-2021-41773), Wordpress WPGateway Plugin Vulnerability (CVE-2022-3180), an added parser, and the latest GEO database updates.

Rules

  • Apache Path Traversal Vuln Detected on Network

  • Apache Path Traversal Vuln Detected on Host

  • Wordpress WPGateway Plugin Vuln Detected on Network

  • Wordpress WPGateway Plugin Vuln Detected on Host

Reports

  • Apache Path Traversal Vuln Detected on Network

  • Apache Path Traversal Vuln Detected on Host

  • Wordpress WPGateway Plugin Vuln Detected on Network

  • Wordpress WPGateway Plugin Vuln Detected on Host

Parser Update

  • MSDefAdvancedHuntingParser

    Note: This update corrects an issue by re-adding this missing parser.

Content Update 112

Published September 12, 2022

This content update contains rules and reports for Hikvision Command Injection Vulnerability (CVE-2021-36260), and FortiDeceptor parser updates.

Rules

  • Hikvision IP Camera Command Injection Vulnerability CVE-2021-36260 on Network

Reports

  • Hikvision IP Camera Command Injection Vulnerability CVE-2021-36260 on Network

Parser Updates

  • FortiDeceptorParser

Content Update 111

Published August 30, 2022

This content update contains rules and reports for Zimbra Collaboration Mboximport Vulnerability (CVE-2022-27925, CVE-2022-37042) and several parser updates.

Rules

  • Zimbra Collaboration Mboximport Vulnerability Detected on Host

  • Zimbra Collaboration Mboximport Vulnerability on Network

Reports

  • Zimbra Collaboration Mboximport Vulnerability Detected on Host

  • Zimbra Collaboration Mboximport Vulnerability on Network

Parser Updates

  • AwsSecurityHubParser

  • BarracudaCloudGenFWParser

  • BitdefenderGravityZoneParser

  • BroadcomSSLParser

  • CheckpointCEFParser

  • CiscoAMPParser

  • CiscoIOSParser

  • CiscoMerakiParser

  • CiscoNxOSParser

  • ClarotyParser

  • ExtremeSwitchParser

  • F5Big-IP-LTMParser

  • FalconDataRepParser

  • FalconStreamingParser

  • FortiGateParser

  • FortiInsightAPIParser

  • FortiInsightNativeParser

  • FortiMailParser

  • FortiNDRParser

  • FortiWebParser

  • FoundryIronwareParser

  • GeneralPatternDefinitions

  • GoogleGCPParser

  • H3CComwareParser

  • HPProCurveParser

  • HuaweiVRPParser

  • InfoBloxAppParser

  • InfoBloxAuditParser

  • IPswitchWS_FTPParser

  • IronportMailParser

  • JenkinsParser

  • JunipNSM-IDP

  • JunipSSGFirewallLog

  • MikroTikFirewallParser

  • MotorolaWiNGParser

  • MSDefAdvancedHuntingParser

  • NCircleVAParser

  • NginxParser

  • OracleAuditParser

  • OracleCASBParser

  • PacketFence2Parser

  • PaloAltoCEFParser

  • parserOrder.csv

  • PCAPPacketsDataParser

  • PHBoxParser

  • PHGenericLogParser

  • PostfixParser

  • RadiusParser

  • ReconnextLogParser

  • RSAAuthenticationServerParser

  • SAPEnterpriseThreatDetectionParser

  • SnortParser

  • SophosUTMParser

  • UbiquityParser

  • UnixParser

  • VeeamBackupParser

  • VMwareVCenterParser

  • WatchGuardFirewallParser

  • WinDefATPParser

  • WinOSPullParser

  • WinOSWmiParser

  • WinSyslogParser

  • ZyxelUSGParser

Content Update 110

Published August 25, 2022

This content update contains an added parser, several parser updates, and the latest GEO database updates.

Added Parser

  • BarracudaWebSecGWParser.xml

Parser Updates

  • ApacheParser.xml

  • AOWUA_WinParser.xml

  • AwsSecurityHubParser.xml

  • BitdefenderGravityZoneParser.xml

  • CiscoASAParser.xml

  • CiscoIOSParser.xml

  • CiscoISEParser.xml

  • CloudTrailParser.xml

  • FireAMPCloudParser.xml

  • Office365Parser.xml

  • PHBoxParser.xml

  • Rapid7InsightVMVulnParser.xml

  • RuckusParser.xml

  • WinDefATPParser.xml

  • WinOSWmiParser.xml

Content Update 109

Published June 7, 2022

This content update contains 2 new rules and reports for detecting Atlassian Confluence Vulnerability (CVE-2022-26134).

Rules

  • Atlassian Confluence CVE-2022-26134 Vuln Detected on Host

  • Atlassian Confluence CVE-2022-26134 Vuln Detected on Network

Reports

  • Atlassian Confluence CVE-2022-26134 Vuln Detected on Host

  • Atlassian Confluence CVE-2022-26134 Vuln Detected on Network

Content Update 108

Published June 3, 2022

This content update contains 2 new rules and reports for detecting Microsoft Office Follina Vulnerability (CVE-2022-30190), ExtremeSwitch Parser updates, and the latest Geo database updates.

Rules

  • Microsoft Office Follina Vuln Detected on Host

  • Microsoft Office Follina Vuln Detected on Network

Reports

  • Microsoft Office Follina Vuln Detected on Host

  • Microsoft Office Follina Vuln Detected on Network

Parser Update

  • ExtremeSwitch

Content Update 107

Published May 19, 2022

This content update contains 2 new rules and reports for detecting Sysrv-K Botnet Activity which exploits CVE-2022-22947 and other vulnerabilities in the Spring Framework and WordPress plugins.

Rules

  • Sysrv-K Botnet Activity Detected on Network

  • Sysrv-K Botnet Activity Detected on Host

Reports

  • Sysrv-K Botnet Activity Detected on Network

  • Sysrv-K Botnet Activity Detected on Host

Content Update 106

Published April 18, 2022

This content update contains 2 new rules and reports for detecting Microsoft Driver RCE vulnerability (CVE-2022-26809). Geo database updates are also included.

Rules

  • Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on Network

  • Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on Host

Reports

  • Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on Network

  • Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on Host

Content Update 105

Published April 1, 2022

This content update contains rules and reports for detecting the Spring4Shell zero-day remote code execution vulnerability (CVE-2022-22965). The detection is currently based on Fortinet products.

Rules

  • Spring4Shell Malware Detected on Host

  • Spring4Shell Malware Detected on Network

Reports

  • Spring4Shell Malware Detected on Host

  • Spring4Shell Malware Detected on Network

Content Update 104

Published March 07, 2022

This content update contains rules and reports for detecting HermeticWiper-FoxBlade malware (CVE-2021-44228). The detection is currently based on Fortinet products. The content update also includes the latest Fortinet GeoDB update.

Rules

  • HermeticWiper-Foxblade Malware Detected on Host

  • HermeticWiper-Foxblade Malware Detected on Network

Reports

  • HermeticWiper-Foxblade Malware Detected on Host

  • HermeticWiper-Foxblade Malware Detected on Network

GeoDB

  • FortiGuard latest GeoDB updates

Content Update 103

Published February 23, 2022

15 Parser Updates

  • CheckpointCEFParser

  • DragosParser

  • F5Big-IP-LTMParser

  • ForeScoutCounterACTParser

  • FortiAnalyzerParser

  • FortiWebParser

  • HPProCurveParser

  • JunOSParser

  • NozomiParser

  • PaloAltoParser

  • PHGenericLogParser

  • SAPEnterpriseThreatDetectionParser

  • VMwareVCenterParser

  • WinOSWmiParser

  • WinSyslogParser

7 New Parsers

  • CybereasonCEFParser

  • HitachiVSPParser

  • MSDefAdvancedHuntingParser

  • NutanixParser

  • SAPEnterpriseThreatDetectionParser

  • TrendMicroWorryFreeParser

  • VMwareNSXvSphereParser

11 New Reports

  • MS Defender for Endpoint Alerts

  • MS Defender for Endpoint Events

  • Nutanix: API Requests Audit

  • Nutanix: Top Dropped Traffic Flows

  • Nutanix: Top Dropped Traffic Flows by Destination

  • Nutanix: Top Dropped Traffic Flows by Source

  • Nutanix: Top Permitted Traffic Flows

  • Nutanix: Top Permitted Traffic Flows by Destination

  • Nutanix: Top Permitted Traffic Flows by Source

  • Nutanix: Top Consolidated Audit Events by User

  • Nutanix: Top Consolidated Audit Events by Count

14 New Rules

  • FortiAnalyzer: No logs received from a device in 4 hours

  • MS Defender for Endpoint Alert - Generic

  • LSASS Memory - Credential Access Alert from MS Defender for Endpoint

  • Process Injection - Defense Evasion Alert from MS Defender for Endpoint

  • Suspicious Process Discovery - Discovery Alert from MS Defender for Endpoint

  • System Network Configuration Discovery - Discovery Alert from MS Defender for Endpoint

  • System Service Discovery - Discovery Alert from MS Defender for Endpoint

  • Ingress Tool Transfer - Execution Alert from MS Defender for Endpoint

  • Masquerading - Execution Alert from MS Defender for Endpoint

  • Suspicious PowerShell command line - Execution Alert from MS Defender for Endpoint

  • Suspicious Task Scheduler activity - Persistence Alert from MS Defender for Endpoint

  • OS Credential Dumping - Suspicious Activity Alert from MS Defender for Endpoint

  • Windows Logging Service Shutdown

  • Windows Security Log is Full

22 Bug Fixes

  • 782926 – Add Parsing, Rules, and Reports for MS Defender AdvancedHunting Events forwarded to Azure Event Hub

  • 773036 – Checkpoint CEF Parser didn’t properly handle URL filtering logs

  • 762065 – Add parsing support for Cybereason CEF log format

  • 754611 – Update Dragos Parser to support events with MITRE data

  • 598590 – Update F5Big-IP-LTM Parser to extract GEO location information from some logs

  • 762424 – Update ForeScoutCounterACT Parser to handle additional log format

  • 776027 – Update FortiAnalyzer Parser to not set Reporting Device Name if the value is “.self”, observed when forwarding local system logs

  • 770842 – Update FortiWeb Parser to handle logs from legacy hardware models

  • 762419 – Add syslog parser for Hitachi VSP logs

  • 754088 – Update HP Procurve Parser to handle additional log format

  • 769325 – Update JunOS Parser to handle additional event type formats

  • 769317 – Update Nozomi Parser to handle MITRE data in syslog

  • 645109 – Add Nutanix syslog parser, reports, and dashboard

  • 770908 – Palo Alto event type PAN-OS-THREAT-virus-100000-deny is not parsed correctly

  • 781393 – Set correct phEventCategory of system PH_GENERIC_DEBUG events

  • 765158 – Update VMwareVCenter Parser to handle additional generic event types

  • 777847 – Update WinOSWmiParser and WinSyslog parsers to better handle Terminal Services events

  • 770195 – Update WinOSWmiParser to categorize Active Directory Federated Services events

  • 745940 – Update WinOSWmiParser to parse relative target name correctly for some events

  • 706296 – Add missing windows security event types and rules corresponding to Windows Logging Service Shutdown and Windows Security Log is full

  • 771691 – Add support for Trend Micro Worry-Free Business Security Services (WFBS-SVC) via syslog

  • 762384 – Add parser for VMware NSX-V appliance; its logging format is distinct from that of NSX-T appliances

Content Update 102

Published February 15, 2022

2 New Rules to detect CVE-2022-21882

  • Win32k Elevation of Privilege Vulnerability Detected on Network

  • Win32k Elevation of Privilege Vulnerability Detected on Host

2 New Reports for CVE-2022-21882

  • Win32k Elevation of Privilege Vulnerability Detected on Host

  • Win32k Elevation of Privilege Vulnerability Detected on Network

Content Update 101

Published January 24, 2022

4 New Rules

  • Active Directory Privilege Escalation Exploit Detected on Host

  • Active Directory Privilege Escalation Exploit Detected on Network

  • Windows HTTP Protocol Stack RCE Detected on Host

  • Windows HTTP Protocol Stack RCE Detected on Network

4 New Reports

  • Active Directory Privilege Escalation Exploit Detected on Host

  • Active Directory Privilege Escalation Exploit Detected on Network

  • Windows HTTP Protocol Stack RCE Detected on Host

  • Windows HTTP Protocol Stack RCE Detected on Network