Content Pack Updates

This document provides details about Content updates for various 6.7.x releases.

Deployment Notes

Content Pack Updates require the use of FortiSIEM version 6.4.0 or later. Procedures related to Content Updates can be found here.

Content Pack Updates for the 6.7.x releases begin with Content Update 401 and increment from there.

Content Pack Updates must be done in the following order:  

  1. Update FortiSIEM Manager.

  2. Update FortiSIEM Supervisor.

  3. Update FortiSIEM Worker.

Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4, 6.7.5, 6.7.6, 6.7.7, 6.7.8, 6.7.9

Note: There is no Content Update 419.

Content Update 421

Published April 17, 2024

This content update contains the following:

  1. 5 x Outbreak Rules and Reports:

    • Outbreak: Nice Linear eMerge Command Injection Vuln Detected on Network

    • Outbreak: Sunhillo SureLine Command Injection Attack Detected on Network

    • Outbreak: Sunhillo SureLine Command Injection Attack Detected on Host

    • Outbreak: PAN OS GlobalProtect Command Injection Vuln Detected on Network

    • Outbreak: PAN OS GlobalProtect Command Injection Vuln Detected on Host

  2. Enhancements to Proofpoint and Unix parsers.

  3. Latest GeoDB updates.

Content Update 420

Published March 25, 2024

This content update contains the following:

  1. Updated Windows Agent Parser for Agent 7.1.4.

  2. 2 Outbreak Rules and Reports:

    • Outbreak: ConnectWise ScreenConnect Attack Detected on Network

    • Outbreak: ConnectWise ScreenConnect Attack Detected on Host

  3. Updated Ransomware Rule to prevent false positives.

    • Ransomware detected on a host

  4. Updated Rule and Watchlist for Windows dormant users.

    • Windows Dormant Account Detected

  5. Enhancements to FortiGate, DellNSeries, and Unix parsers.

  6. Latest GeoDB updates.

Content Update 418

Published February 08, 2024

This content update contains the following:

  1. FortiDeceptor parser fix to handle additional event parsing

  2. Updated GenericJSON parser

  3. For 6.7.9, Rollup of Content Updates: 401-417. See Content Updates for 6.7.0 (Content Updates 401-404), Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3 (Content Update 405), Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4 (Content Updates 406-407), Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4, 6.7.5, 6.7.6, 6.7.7 (Content Updates 408-410), and Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4, 6.7.5, 6.7.6, 6.7.7, 6.7.8 (Content Updates 411-417) for more information.

Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4, 6.7.5, 6.7.6, 6.7.7, 6.7.8

Content Update 417

Published February 05, 2024

This content update contains the following:

  1. 1 x Outbreak Rules and Reports:

    • Outbreak: Ivanti Connect Secure and Policy Secure Attack Detected on Network

  2. New parser for Microsoft Graph API Platform

  3. Updated FortiDeceptor and WinOSWmi parsers

Content Update 416

Published January 25, 2024

This content update contains the following:

  1. 6 x Outbreak Rules and Reports:

    • Outbreak: Microsoft SharePoint Server Elevation of Privilege Vuln Detected on Network

    • Outbreak: Microsoft SharePoint Server Elevation of Privilege Vuln Detected on Host

    • Outbreak: Adobe ColdFusion Access Control Bypass Attack Detected on Network

    • Outbreak: Adobe ColdFusion Access Control Bypass Attack Detected on Host

    • Outbreak: Androxgh0st Malware Attack Detected on Network

    • Outbreak: Androxgh0st Malware Attack Detected on Host

  2. Updated FortiGate and FortiProxy event types.

  3. Latest GeoDB updates.

Content Update 415

Published December 20, 2023

This content update contains the following:

  1. 4 x Outbreak Rules and Reports:

    • Outbreak: Lazarus RAT Attack Detected on Network

    • Outbreak: Lazarus RAT Attack Detected on Host

    • Outbreak: JetBrains TeamCity Authentication Bypass Attack Detected on Network

    • Outbreak: JetBrains TeamCity Authentication Bypass Attack Detected on Host

  2. Enhancements to WinOSWmi and CiscoFTD parsers.

  3. Latest GeoDB updates.

Content Update 414

Published November 29, 2023

This content update contains the following:

  1. 3 Outbreak Rules and Reports:

    • Outbreak: Citrix Bleed Attack Detected on Network

    • Outbreak: Apache ActiveMQ Ransomware Attack Detected on Network

    • Outbreak: Apache ActiveMQ Ransomware Attack Detected on Host

  2. Dedicated rules to detect admin user addition/deletion via console.

    • FortiGate: Admin User Added via Console

    • FortiGate: Admin User Deleted via Console

  3. Added FortiEDR specific rules.

    • FortiEDR: Malicious Process Detected

    • FortiEDR: Malicious Process Blocked

    • FortiEDR: Suspicious Process Detected

    • FortiEDR: Suspicious Process Blocked

    • FortiEDR: Inconclusive or PUP Process Detected

    • FortiEDR: Inconclusive or PUP Process Blocked

    • FortiEDR: Likely Safe Process Detected

    • FortiEDR: Likely Safe Process Blocked

    • FortiEDR: Safe Process Detected

    • FortiEDR: Safe Process Blocked

  4. Enhancements to FortiGate, CarbonBlackCEF, WinOSWmi, AOWUA_Win, PaloAlto, FortiEDR, FortiDeceptor, and FortiAuthenticator parsers.

  5. New parser for ZScaler JSON logs - ZScalerNSSParser.

  6. Fixed Application Server dashboard report and Netflow dashboards.

  7. Latest GeoDB updates.

Content Update 413

Published November 1, 2023

This content update contains the following:

  1. 3 Outbreak Rules and Reports:

    • Outbreak: Cisco IOS XE Web UI Attack Detected on Network

    • Outbreak: HTTP2 Rapid Reset Attack Detected on Network

    • Outbreak: HTTP2 Rapid Reset Attack Detected on Host

  2. Latest GeoDB updates.

Content Update 412

Published October 11, 2023

This content update contains the following:

  1. 2 Outbreak Rules and Reports:

    • Outbreak: Google Chromium WebP Vuln Detected on Network

    • Outbreak: Google Chromium WebP Vuln Detected on Host

  2. Dedicated rules for detecting FortiMail Malicious URL/File attachments.

    • FortiMail: Malicious URL found

    • FortiMail: Malicious Spam File Attachment Found

  3. Updated Malware rule to detect FortiGate IPS events.

    • Malware found by firewall but not remediated

  4. Updated Windows Sigma rule to prevent false positives.

    • Windows: Possible DCShadow

  5. Enhancements to FortiGate, FortiEDRRest, FortiMail, PulseSecure, McAfeeWebGwCEF, and PaloAlto parsers.

  6. Latest GeoDB updates.

Content Update 411

Published September 21, 2023

This content update contains the following:

  1. 6 Outbreak Rules and Reports:

    • Outbreak: Adobe ColdFusion Deserialization of Untrusted Data Vuln Detected on Network

    • Outbreak: Adobe ColdFusion Deserialization of Untrusted Data Vuln Detected on Host

    • Outbreak: WooCommerce Payments Improper Authentication Vuln Detected on Network

    • Outbreak: WooCommerce Payments Improper Authentication Vuln Detected on Host

    • Outbreak: Agent Tesla Malware Attack Detected on Network

    • Outbreak: Agent Tesla Malware Attack Detected on Host

  2. New parser for FortiWeb Cloud

  3. Enhancements to FortiClient, FortiWeb, FortiAuthenticator, FortiManager, WinOSWmi, GenericDHCP, and Sourcefire2 parsers

  4. Latest GeoDB updates

  5. For 6.7.8, Rollup of Content Updates: 401-410. See Content Updates for 6.7.0 (Content Updates 401-404), Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3 (Content Update 405), Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4 (Content Updates 406-407), and Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4, 6.7.5, 6.7.6, 6.7.7 (Content Updates 408-409) for more information.

Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4, 6.7.5, 6.7.6, 6.7.7

Content Update 410

Published August 24, 2023

This content update contains the following:

  1. 5 Outbreak Rules and Reports:

    • Outbreak: Microsoft Office and Windows HTML RCE Vuln Detected on Network

    • Outbreak: Microsoft Office and Windows HTML RCE Vuln Detected on Host

    • Outbreak: Zyxel Router Command Injection Attack Detected on Network

    • Outbreak: Ivanti Endpoint Manager Mobile Authentication Bypass Vuln Detected on Network

    • Outbreak: Ivanti Endpoint Manager Mobile Authentication Bypass Vuln Detected on Host

  2. New parser for Armis Asset Intelligence Platform.

  3. New parser for Hillstone Firewall.

  4. Enhancements to FortiEDRParser, GitlabLogParser, FortiClientParser and UbiquityParser.

  5. Latest GeoDB updates.

  6. For 6.7.7, this content update also contains Rollup of Content Updates: 401-409. See Content Updates for 6.7.0 (401-404), Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3 (405), Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4 (406-407), and Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4, 6.7.5, 6.7.6, 6.7.7 (408-409) for more information.

Content Update 409

Published July 13, 2023

This content update contains the following:

  1. Enhanced FortiGateParser, McAfeeXmlParser, and WinOSWmiParser.

  2. 3 x Outbreak Rules and Reports:

    • Outbreak: VMware Aria Operations for Networks Command Injection Vuln Detected on Network

    • Outbreak: Apache RocketMQ RCE Vuln Detected on Network

    • Outbreak: SolarView Compact Command Injection Vuln Detected on Network

  3. Added the following Dragos threatfeed rules and reports:

    • Traffic to Dragos Worldview Malware IP List

    • Permitted Traffic from Dragos Worldview Malware IP List

  4. Latest GeoDB updates.

  5. For 6.7.6 and 6.7.7, this content update also contains Rollup of Content Updates 401-408. See Content Updates for 6.7.0 (401-404), Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3 (405), Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4 (406-407), and Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4, 6.7.5, 6.7.6, 6.7.7 (408) for more information.

Content Update 408

Published June 16, 2023

This content update contains the following:

  1. 9 x Outbreak Rules and Reports:

    • Outbreak: Multiple Vendor Camera System Attack Detected on Network

    • Outbreak: TP-Link Archer AX-21 Command Injection Attack Detected on Network

    • Outbreak: TP-Link Archer AX-21 Command Injection Attack Detected on Host

    • Outbreak: Zyxel Multiple Firewall Vuln Detected on Network

    • Outbreak: Zyxel Multiple Firewall Vuln Detected on Host

    • Outbreak: Progress MOVEit Transfer SQL Injection Vuln Detected on Network

    • Outbreak: Progress MOVEit Transfer SQL Injection Vuln Detected on Host

    • Outbreak: CosmicEnergy Malware Detected on Network

    • Outbreak: CosmicEnergy Malware Detected on Host

  2. Added 2 Ransomware rules

    • Ransomware detected on a host

    • Ransomware outbreak detected

  3. Latest GeoDB updates.

  4. For 6.7.5, this content update also contains Rollup of Content Updates 401-407. See Content Updates for 6.7.0 (401-404), Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3 (405), and Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4 (406-407) for more information.


Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4

Content Update 407

Published May 16, 2023

This content update contains the following:

  1. FortiNAC parser enhancement.

  2. PaloAlto parser enhancement.

  3. 4 x Outbreak Rules and Reports:

    • Outbreak: PaperCut MF/NG Improper Access Control Vulnerability Detected on Network

    • Outbreak: PaperCut MF/NG Improper Access Control Vulnerability Detected on Host

    • Outbreak: TBK DVR Authentication Bypass Attack Detected on Network

    • Outbreak: Oracle WebLogic Server Vuln Detected on Network

  4. Latest GeoDB updates.

Content Update 406

Published April 27, 2023

This content update contains the following:

  1. Fixed several dashboard reports for FortiDeceptor and FortiGate

  2. Fixed FortiGate Parser issue for some models

  3. 5 x Outbreak Rules and Reports:

    • Outbreak: Zoho ManageEngine RCE Vulnerability Detected on Network

    • Outbreak: ThinkPHP Remote Code Execution Vulnerability Detected on Network

    • Outbreak: ThinkPHP Remote Code Execution Vulnerability Detected on Host

    • Outbreak: Realtek SDK Attack Detected on Network

    • Outbreak: Realtek SDK Attack Detected on Host

  4. Latest GeoDB updates.

  5. For 6.7.4, this content update also contains Rollup of Content Updates 401-405. See Content Updates for 6.7.0 (401-404) and Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3 (405) for more information.

Content Updates for 6.7.0, 6.7.1, 6.7.2, 6.7.3

Content Update 405

Published April 04, 2023

This content update contains the following:

  1. 10 x Outbreak Rules and Reports:

    • Outbreak: IBM Aspera Faspex Code Execution Vulnerability Detected on Network

    • Outbreak: IBM Aspera Faspex Code Execution Vulnerability Detected on Host

    • Outbreak: Joomla! CMS Improper Access Check Vulnerability Detected on Network

    • Outbreak: Teclib GLPI Remote Code Execution Vulnerability Detected on Network

    • Outbreak: Progress Telerik UI Attack Detected on Network

    • Outbreak: Progress Telerik UI Attack Detected on Host

    • Outbreak: Microsoft Outlook Elevation of Privilege Vulnerability Detected on Network

    • Outbreak: Microsoft Outlook Elevation of Privilege Vulnerability Detected on Host

    • Outbreak: 3CX Supply Chain Attack Detected on Network

    • Outbreak: 3CX Supply Chain Attack Detected on Host

  2. Latest GeoDB Updates.

  3. For 6.7.3, this content update also contains Rollup of Content Updates 401-404. See Content Updates for 6.7.0 for more information.

Content Updates for 6.7.1 and 6.7.2

Content Update 404

Published March 14, 2023

This content update contains the following:

  1. Rollup of Content Updates: 401-403. See Content Updates for 6.7.0 for more information.

  2. FortiGateParser update.

  3. 5 x Outbreak Rules and Reports:

    • Outbreak: VMware ESXi Server Ransomware Attack Detected on Network

    • Outbreak: Cacti Server Command Injection Attack Detected on Network

    • Outbreak: Cacti Server Command Injection Vulnerability Detected on Host

    • Outbreak: Fortra GoAnywhere MFT RCE Vulnerability Detected on Host

    • Outbreak: Fortra GoAnywhere MFT RCE Vulnerability Detected on Network

  4. All outbreak network rules updated to not trigger when source is public and is blocked by a firewall.

  5. Latest GeoDB Updates.

Content Updates for 6.7.0

Content Update 404

Published March 14, 2023

This content update contains the following:

  1. FortiGateParser update.

  2. 5 x Outbreak Rules and Reports:

    • Outbreak: VMware ESXi Server Ransomware Attack Detected on Network

    • Outbreak: Cacti Server Command Injection Attack Detected on Network

    • Outbreak: Cacti Server Command Injection Vulnerability Detected on Host

    • Outbreak: Fortra GoAnywhere MFT RCE Vulnerability Detected on Host

    • Outbreak: Fortra GoAnywhere MFT RCE Vulnerability Detected on Network

  3. All outbreak network rules updated to not trigger when source is public and is blocked by a firewall.

  4. Latest GeoDB Updates.

Content Update 403

Published February 7, 2023

This content update contains the following:

  1. 4 x Outbreak Rules and Reports:

    • Outbreak: Control Web Panel Login Exploit Detected on Host

    • Outbreak: Control Web Panel Login Exploit Detected on Network

    • Outbreak: Router Malware Attack Detected on Host

    • Outbreak: Router Malware Attack Detected on Network

  2. Latest GeoDB Updates

Content Update 402

Published January 12, 2023

This content update contains the following:

  • Windows Parsing Enhancements

  • 9 x Outbreak Rules and Reports:

    • Outbreak: Atlassian Pre-Auth Arbitrary File Read Vuln detected on Network

    • Outbreak: Atlassian Pre-Auth Arbitrary File Read Vuln detected on Host

    • Outbreak: BURNTCIGAR MS Signed Driver Malware detected on Network

    • Outbreak: BURNTCIGAR MS Signed Driver Malware detected on Host

    • Outbreak: FortiWeb detected VMware Spring Cloud Func RCE Vulnerability on Network

    • Outbreak: VMware Spring Cloud Func RCE Vulnerability on Network

    • Outbreak: FortiWeb detected Zerobot Botnet Activity on Network

    • Outbreak: Zerobot Botnet Activity Detected on Host

    • Outbreak: Zerobot Botnet Activity Detected on Network

  • UnixParser support for Chronyd events

  • Dedicated rules for detecting FortiGate admin user creation/deletion

    • FortiGate: Admin User Added

    • FortiGate: Admin User Deleted

  • PaloAlto Parser updated to parse additional attributes for some log types

  • Latest GeoDB Updates

Content Update 401

Published January 3, 2023

This content update contains Outbreak rules and reports and the latest GeoDB updates.

Rules

  • Outbreak: VMWare Workspace ONE Vulnerability - CVE-2022-22954 on Network

  • Outbreak: Redigo Malware Detected on Network

  • Outbreak: Redigo Malware Detected on Host

  • Outbreak: FortiOS SSLVPN Heap Buffer Overflow Attack - CVE-2022-42475 Detected on Network

Reports

  • Outbreak: VMWare Workspace ONE Vulnerability - CVE-2022-22954 on Network

  • Outbreak: Redigo Malware Detected on Network

  • Outbreak: Redigo Malware Detected on Host

  • Outbreak: FortiOS SSLVPN Heap Buffer Overflow Attack - CVE-2022-42475 Detected on Network