Content Pack Updates
This document provides details about Content updates for various 6.5.x releases.
Deployment Notes
Content Pack Updates require the use of FortiSIEM version 6.4.0 or later. Procedures related to Content Updates can be found here.
Content pack updates for 6.5.0 begin with Content Update 201 and increment from there.
Content Pack Updates must be done in the following order:
1. Update FortiSIEM Manager.
2. Update FortiSIEM Supervisor.
3. Update FortiSIEM Worker.
Content Updates for 6.5.0, 6.5.1, and 6.5.2
Content Update 224
Published November 1, 2023
This content update contains the following:
- 3 Outbreak Rules and Reports:
  - Outbreak: Cisco IOS XE Web UI Attack Detected on Network
  - Outbreak: HTTP2 Rapid Reset Attack Detected on Network
  - Outbreak: HTTP2 Rapid Reset Attack Detected on Host
- Latest GeoDB updates.
Content Update 223
Published October 11, 2023
This content update contains the following:
- 2 Outbreak Rules and Reports:
  - Outbreak: Google Chromium WebP Vuln Detected on Network
  - Outbreak: Google Chromium WebP Vuln Detected on Host
- Dedicated rules for detecting FortiMail Malicious URL/File attachments:
  - FortiMail: Malicious URL found
  - FortiMail: Malicious Spam File Attachment Found
- Updated Malware rule to detect FortiGate IPS events:
  - Malware found by firewall but not remediated
- Updated Windows Sigma rule to prevent false positives:
  - Windows: Possible DCShadow
- Enhancements to FortiGate, FortiEDRRest, FortiMail, PulseSecure, McAfeeWebGwCEF, and PaloAlto parsers.
- Latest GeoDB updates.
Content Update 222
Published September 21, 2023
This content update contains the following:
- 6 Outbreak Rules and Reports:
  - Outbreak: Adobe ColdFusion Deserialization of Untrusted Data Vuln Detected on Network
  - Outbreak: Adobe ColdFusion Deserialization of Untrusted Data Vuln Detected on Host
  - Outbreak: WooCommerce Payments Improper Authentication Vuln Detected on Network
  - Outbreak: WooCommerce Payments Improper Authentication Vuln Detected on Host
  - Outbreak: Agent Tesla Malware Attack Detected on Network
  - Outbreak: Agent Tesla Malware Attack Detected on Host
- New parser for FortiWeb Cloud.
- Enhancements to FortiClient, FortiWeb, FortiAuthenticator, FortiManager, WinOSWmi, GenericDHCP, and Sourcefire2 parsers.
- Latest GeoDB updates.
- For 6.5.2, this is a rollup of Content Updates 201-221. See Content Updates for 6.5.0 and 6.5.1 for more information on Content Updates 207-221, and Content Updates for 6.5.0 for more information on Content Updates 201-206.
Content Updates for 6.5.0 and 6.5.1
Content Update 221
Published August 25, 2023
This content update contains the following:
- 5 Outbreak Rules and Reports:
  - Outbreak: Microsoft Office and Windows HTML RCE Vuln Detected on Network
  - Outbreak: Microsoft Office and Windows HTML RCE Vuln Detected on Host
  - Outbreak: Zyxel Router Command Injection Attack Detected on Network
  - Outbreak: Ivanti Endpoint Manager Mobile Authentication Bypass Vuln Detected on Network
  - Outbreak: Ivanti Endpoint Manager Mobile Authentication Bypass Vuln Detected on Host
- New parser for Armis Asset Intelligence Platform.
- New parser for Hillstone Firewall.
- Enhancements to FortiEDRParser, GitlabLogParser, FortiClientParser, and UbiquityParser.
- Latest GeoDB updates.
Content Update 220
Published July 13, 2023
This content update contains the following:
- Enhanced FortiGateParser, McAfeeXmlParser, and WinOSWmiParser.
- 3 x Outbreak Rules and Reports:
  - Outbreak: VMware Aria Operations for Networks Command Injection Vuln Detected on Network
  - Outbreak: Apache RocketMQ RCE Vuln Detected on Network
  - Outbreak: SolarView Compact Command Injection Vuln Detected on Network
- Latest GeoDB updates.
Content Update 219
Published June 16, 2023
This content update contains the following:
- 9 x Outbreak Rules and Reports:
  - Outbreak: Multiple Vendor Camera System Attack Detected on Network
  - Outbreak: TP-Link Archer AX-21 Command Injection Attack Detected on Network
  - Outbreak: TP-Link Archer AX-21 Command Injection Attack Detected on Host
  - Outbreak: Zyxel Multiple Firewall Vuln Detected on Network
  - Outbreak: Zyxel Multiple Firewall Vuln Detected on Host
  - Outbreak: Progress MOVEit Transfer SQL Injection Vuln Detected on Network
  - Outbreak: Progress MOVEit Transfer SQL Injection Vuln Detected on Host
  - Outbreak: CosmicEnergy Malware Detected on Network
  - Outbreak: CosmicEnergy Malware Detected on Host
- Added 2 Ransomware rules:
  - Ransomware detected on a host
  - Ransomware outbreak detected
- Latest GeoDB updates.
Content Update 218
Published May 16, 2023
This content update contains the following:
- FortiNAC parser enhancement.
- PaloAlto parser enhancement.
- 4 x Outbreak Rules and Reports:
  - Outbreak: PaperCut MF/NG Improper Access Control Vulnerability Detected on Network
  - Outbreak: PaperCut MF/NG Improper Access Control Vulnerability Detected on Host
  - Outbreak: TBK DVR Authentication Bypass Attack Detected on Network
  - Outbreak: Oracle WebLogic Server Vuln Detected on Network
- Latest GeoDB updates.
Content Update 217
Published April 27, 2023
This content update contains the following:
- Fixed several dashboard reports for FortiDeceptor and FortiGate.
- Fixed FortiGate Parser issue for some models.
- 5 x Outbreak Rules and Reports:
  - Outbreak: Zoho ManageEngine RCE Vulnerability Detected on Network
  - Outbreak: ThinkPHP Remote Code Execution Vulnerability Detected on Network
  - Outbreak: ThinkPHP Remote Code Execution Vulnerability Detected on Host
  - Outbreak: Realtek SDK Attack Detected on Network
  - Outbreak: Realtek SDK Attack Detected on Host
- Latest GeoDB updates.
Content Update 216
Published April 04, 2023
This content update contains the following:
- 10 x Outbreak Rules and Reports:
  - Outbreak: IBM Aspera Faspex Code Execution Vulnerability Detected on Network
  - Outbreak: IBM Aspera Faspex Code Execution Vulnerability Detected on Host
  - Outbreak: Joomla! CMS Improper Access Check Vulnerability Detected on Network
  - Outbreak: Teclib GLPI Remote Code Execution Vulnerability Detected on Network
  - Outbreak: Progress Telerik UI Attack Detected on Network
  - Outbreak: Progress Telerik UI Attack Detected on Host
  - Outbreak: Microsoft Outlook Elevation of Privilege Vulnerability Detected on Network
  - Outbreak: Microsoft Outlook Elevation of Privilege Vulnerability Detected on Host
  - Outbreak: 3CX Supply Chain Attack Detected on Network
  - Outbreak: 3CX Supply Chain Attack Detected on Host
- Latest GeoDB Updates.
Content Update 215
Published March 14, 2023
This content update contains the following:
- FortiGateParser update.
- 5 x Outbreak Rules and Reports:
  - Outbreak: VMware ESXi Server Ransomware Attack Detected on Network
  - Outbreak: Cacti Server Command Injection Attack Detected on Network
  - Outbreak: Cacti Server Command Injection Vulnerability Detected on Host
  - Outbreak: Fortra GoAnywhere MFT RCE Vulnerability Detected on Host
  - Outbreak: Fortra GoAnywhere MFT RCE Vulnerability Detected on Network
- All outbreak network rules updated so that they do not trigger when the source is a public address and the traffic is blocked by a firewall.
- Latest GeoDB Updates.
Content Update 214
Published February 7, 2023
This content update contains the following:
- 4 x Outbreak Rules and Reports:
  - Outbreak: Control Web Panel Login Exploit Detected on Host
  - Outbreak: Control Web Panel Login Exploit Detected on Network
  - Outbreak: Router Malware Attack Detected on Host
  - Outbreak: Router Malware Attack Detected on Network
- Latest GeoDB Updates.
Content Update 213
Published January 12, 2023
This content update contains the following:
- Windows Parsing Enhancements.
- 9 x Outbreak Rules and Reports:
  - Outbreak: Atlassian Pre-Auth Arbitrary File Read Vuln detected on Network
  - Outbreak: Atlassian Pre-Auth Arbitrary File Read Vuln detected on Host
  - Outbreak: BURNTCIGAR MS Signed Driver Malware detected on Network
  - Outbreak: BURNTCIGAR MS Signed Driver Malware detected on Host
  - Outbreak: FortiWeb detected VMware Spring Cloud Func RCE Vulnerability on Network
  - Outbreak: VMware Spring Cloud Func RCE Vulnerability on Network
  - Outbreak: FortiWeb detected Zerobot Botnet Activity on Network
  - Outbreak: Zerobot Botnet Activity Detected on Host
  - Outbreak: Zerobot Botnet Activity Detected on Network
- UnixParser support for Chronyd events.
- Dedicated rules for detecting FortiGate admin user creation/deletion:
  - FortiGate: Admin User Added
  - FortiGate: Admin User Deleted
- PaloAlto Parser updated to parse additional attributes for some log types.
- Latest GeoDB Updates.
Content Update 212
Published December 20, 2022
This content update contains Outbreak rules and reports, and the latest GEO database updates.
Added Rules
- Outbreak: VMWare Workspace ONE Vulnerability - CVE-2022-22954 on Network
- Outbreak: Redigo Malware Detected on Network
- Outbreak: Redigo Malware Detected on Host
- Outbreak: FortiOS SSLVPN Heap Buffer Overflow Attack - CVE-2022-42475 Detected on Network
Added Reports
- Outbreak: VMWare Workspace ONE Vulnerability - CVE-2022-22954 on Network
- Outbreak: Redigo Malware Detected on Network
- Outbreak: Redigo Malware Detected on Host
- Outbreak: FortiOS SSLVPN Heap Buffer Overflow Attack - CVE-2022-42475 Detected on Network
Content Update 211
Published November 30, 2022
This content update contains Outbreak rules and reports, updated FortiGate and FortiProxy regular IPS signatures, updated FortiGate and FortiProxy Industrial Operational Technology (OT) IPS signatures, and the latest GEO database updates.
Added Rules
- Outbreak: ABB Flow Computer Path Traversal Vulnerability Detected on Network
- Outbreak: Sandbreak vm2 sandbox module RCE Vulnerability Detected on Network
- Outbreak: Hive Ransomware Detected on Network
- Outbreak: Hive Ransomware Detected on Host
- Outbreak: X.509 Email Address Buffer Overflow in OpenSSL 3.0.0 to 3.0.6 detected on Network
- Outbreak: X.509 Email Address Buffer Overflow in OpenSSL 3.0.0 to 3.0.6 detected on Host
- Outbreak: CISA Top 20 Vulnerability detected on Host
- Outbreak: FortiGate detected CISA Top 20 Vulnerability on Network
- Outbreak: FortiWeb detected CISA Top 20 Vulnerability on Network
Added Reports
- Outbreak: ABB Flow Computer Path Traversal Vulnerability Detected on Network
- Outbreak: Sandbreak vm2 sandbox module RCE Vulnerability Detected on Network
- Outbreak: Hive Ransomware Detected on Network
- Outbreak: Hive Ransomware Detected on Host
- Outbreak: X.509 Email Address Buffer Overflow in OpenSSL 3.0.0 to 3.0.6 detected on Network
- Outbreak: X.509 Email Address Buffer Overflow in OpenSSL 3.0.0 to 3.0.6 detected on Host
- Outbreak: CISA Top 20 Vulnerability detected on Host
- Outbreak: FortiGate detected CISA Top 20 Vulnerability on Network
- Outbreak: FortiWeb detected CISA Top 20 Vulnerability on Network
Content Update 210
Published October 26, 2022
This content update contains rules and reports for Prestige Ransomware, Apache Commons Text RCE (CVE-2022-42889, CVE-2022-33980), and an enhanced FortiSandbox parser.
Added Rules
- Prestige Ransomware Detected on Network
- Prestige Ransomware Detected on Host
- Apache Commons Text RCE Vulnerability Detected on Network
- Apache Commons Text RCE Vulnerability Detected on Host
Added Reports
- Prestige Ransomware Detected on Network
- Prestige Ransomware Detected on Host
- Apache Commons Text RCE Vulnerability Detected on Network
- Apache Commons Text RCE Vulnerability Detected on Host
Parser Update
- FortiSandboxParser - Parse sha1 checksum
Content Update 209
Published October 14, 2022
This content update contains a rule and report for FGT Auth Bypass on Administrative Interface (CVE-2022-40684), enhanced parsers, and the latest GEO database updates.
Added Rule
- FortiGate Authentication bypass on Administrative Interface
Added Report
- FortiGate Authentication bypass on Administrative Interface Detected
Parser Updates
- AOWUA_DNSParser - Parse event severity
- FortiGate - Detection for CVE-2022-40684
- FortiProxy - Detection for CVE-2022-40684
Content Update 208
Published October 6, 2022
This content update contains rules and reports for Microsoft Exchange ProxyNotShell RCE Vulnerability (CVE-2022-41040, CVE-2022-41082), enhanced parsers, an enhanced "Concurrent VPN Authentications To Same Account From Different Cities" rule, and the latest GEO database updates.
Added Rules
- Microsoft Exchange Autodiscover RCE ProxyNotShell Detected on Host
- Microsoft Exchange Autodiscover RCE ProxyNotShell Detected on Network
Added Reports
- Microsoft Exchange Autodiscover RCE ProxyNotShell Detected on Host
- Microsoft Exchange Autodiscover RCE ProxyNotShell Detected on Network
Modified Rules
- Concurrent VPN Authentications to same account from different cities: now excludes the user “N/A” seen in some FortiGate VPN logs
Parser Updates
- ImpervaParser – Event types generalized to reflect that SecureSphere does more than just DB monitoring
- FireEyeParsers – Test modified/corrected events
- FortiSandbox – Enhanced to handle additional fields, and restructured to allow ease of expansion
Content Update 207
Published September 23, 2022
This content update contains rules and reports for Apache Path Traversal Vulnerability (CVE-2021-42013, CVE-2021-41773) and Wordpress WPGateway Plugin Vulnerability (CVE-2022-3180), and the latest GEO database updates.
Rules
- Apache Path Traversal Vuln Detected on Network
- Apache Path Traversal Vuln Detected on Host
- Wordpress WPGateway Plugin Vuln Detected on Network
- Wordpress WPGateway Plugin Vuln Detected on Host
Reports
- Apache Path Traversal Vuln Detected on Network
- Apache Path Traversal Vuln Detected on Host
- Wordpress WPGateway Plugin Vuln Detected on Network
- Wordpress WPGateway Plugin Vuln Detected on Host
Content Updates for 6.5.0
Content Update 206
Published September 12, 2022
This content update contains rules and reports for Hikvision Command Injection Vulnerability (CVE-2021-36260) and FortiDeceptor parser updates.
Rules
- Hikvision IP Camera Command Injection Vulnerability CVE-2021-36260 on Network
Reports
- Hikvision IP Camera Command Injection Vulnerability CVE-2021-36260 on Network
Parser Updates
- FortiDeceptorParser
Content Update 205
Published August 30, 2022
This content update contains rules and reports for Zimbra Collaboration Mboximport Vulnerability (CVE-2022-27925, CVE-2022-37042) and several parser updates.
Rules
- Zimbra Collaboration Mboximport Vulnerability Detected on Host
- Zimbra Collaboration Mboximport Vulnerability on Network
Reports
- Zimbra Collaboration Mboximport Vulnerability Detected on Host
- Zimbra Collaboration Mboximport Vulnerability on Network
Parser Updates
- AwsSecurityHubParser
- BarracudaCloudGenFWParser
- BroadcomSSLParser
- CheckpointCEFParser
- CiscoIOSParser
- CiscoMerakiParser
- CiscoNxOSParser
- CiscoUmbrellaJSONParser
- ClarotyParser
- ExtremeSwitchParser
- F5Big-IP-LTMParser
- FalconDataRepParser
- FalconStreamingParser
- FortiGateParser
- FortiInsightNativeParser
- FortiMailParser
- FortiNDRParser
- FoundryIronwareParser
- GoogleGCPParser
- H3CComwareParser
- HPProCurveParser
- HuaweiVRPParser
- InfoBloxAppParser
- InfoBloxAuditParser
- IPswitchWS_FTPParser
- IronportMailParser
- JunipNSM-IDP
- JunipSSGFirewallLog
- MikroTikFirewallParser
- MotorolaWiNGParser
- MSDefAdvancedHuntingParser
- NCircleVAParser
- OracleAuditParser
- OracleCASBParser
- PacketFence2Parser
- PCAPPacketsDataParser
- PHBoxParser
- PostfixParser
- RadiusParser
- ReconnextLogParser
- RSAAuthenticationServerParser
- SnortParser
- SophosUTMParser
- UbiquityParser
- UnixParser
- VeeamBackupParser
- VMwareVCenterParser
- WatchGuardFirewallParser
- WinDefATPParser
- WinOSPullParser
- WinOSWmiParser
- WinSyslogParser
- ZyxelUSGParser
Content Update 204
Published August 25, 2022
This content update contains an added parser, several parser updates, and the latest GEO database updates.
Added Parser
- BarracudaWebSecGWParser.xml
Parser Updates
- ApacheParser.xml
- AOWUA_WinParser.xml
- AwsSecurityHubParser.xml
- BitdefenderGravityZoneParser.xml
- CiscoASAParser.xml
- CiscoIOSParser.xml
- CiscoISEParser.xml
- CloudTrailParser.xml
- FireAMPCloudParser.xml
- Office365Parser.xml
- PHBoxParser.xml
- Rapid7InsightVMVulnParser.xml
- RuckusParser.xml
- WinDefATPParser.xml
- WinOSWmiParser.xml
Content Update 203
Published June 7, 2022
This content update contains 2 new rules and reports for detecting Atlassian Confluence Vulnerability (CVE-2022-26134).
Rules
- Atlassian Confluence CVE-2022-26134 Vuln Detected on Host
- Atlassian Confluence CVE-2022-26134 Vuln Detected on Network
Reports
- Atlassian Confluence CVE-2022-26134 Vuln Detected on Host
- Atlassian Confluence CVE-2022-26134 Vuln Detected on Network
Content Update 202
Published June 3, 2022
This content update contains 2 new rules and reports for detecting the Microsoft Office Follina Vulnerability (CVE-2022-30190), ExtremeSwitch Parser updates, and the latest Geo database updates.
Rules
- Microsoft Office Follina Vuln Detected on Host
- Microsoft Office Follina Vuln Detected on Network
Reports
- Microsoft Office Follina Vuln Detected on Host
- Microsoft Office Follina Vuln Detected on Network
Parser Update
- ExtremeSwitch
Content Update 201
Published May 19, 2022
This content update contains 2 new rules and reports for detecting Sysrv-K Botnet Activity, which exploits CVE-2022-22947 and other vulnerabilities in the Spring Framework and WordPress plugins. It also contains a fix for the Nginx parser (Bug 797026).
Rules
- Sysrv-K Botnet Activity Detected on Network
- Sysrv-K Botnet Activity Detected on Host
Reports
- Sysrv-K Botnet Activity Detected on Network
- Sysrv-K Botnet Activity Detected on Host
Parser Update
- NGINX Parser (Bug 797026)