Content Pack Updates

This document provides details about Content updates for various 7.1.x releases.

Deployment Notes

  • Content Pack Updates require the use of FortiSIEM version 6.4.0 or later. Procedures related to Content Updates can be found here.

  • Content Pack Updates are made available for the latest major release and the most recent prior three major releases. For example, If the latest release was 7.1.3, Content Pack Updates would include 7.1.x, 7.0.x, 6.7.x, and 6.6.x releases.

  • 7.1.0 Content Pack Updates release begin with Content Update 601, and increments. If your FortiSIEM does not contain an older content update, it is automatically downloaded and added during your content update.

  • Content Pack Updates must be done in the following order:  

    1. Update FortiSIEM Manager.

    2. Update FortiSIEM Supervisor.

    3. Update FortiSIEM Worker.

Content Updates for 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6 and 7.1.7

Content Update 616

Published November 11, 2024

This content update contains the following:

  1. 2 x Outbreak Rules and Reports:

    • Outbreak: Mallox Ransomware Detected on Network

    • Outbreak: Mallox Ransomware Detected on Host

  2. New indicators added to FortiManager Rules/Reports.

    • Outbreak: FortiManager Command Execution Vulnerability Detected on Network

    • Outbreak: FortiManager Command Execution Vulnerability Detected on Device

  3. Updates to FortiGate Reports.

    • FortiGate: Top Applications by Bandwidth

    • FortiGate: Top non-HTTP Applications by Bandwidth

  4. Updates to Access Violation Rules.

    • Concurrent Successful Authentications To Same Account From Multiple Cities

    • Concurrent Failed Authentications To Same Account From Multiple Countries

    • Concurrent Failed Authentications To Same Account From Multiple Cities

  5. Latest GeoDB updates.

Content Update 615

Published October 29, 2024

This content update contains the following:

  1. 2 x Outbreak Rules and Reports:

    • Outbreak: FortiManager Command Execution Vulnerability Detected on Network

    • Outbreak: FortiManager Command Execution Vulnerability Detected on Device

  2. Latest GeoDB updates.

Content Update 614

Published October 17, 2024

This content update contains the following:

  1. 2 x Outbreak Rules and Reports:

    • Outbreak: Synacor Zimbra Collaboration Command Execution Vuln Detected on Network

    • Outbreak: Synacor Zimbra Collaboration Command Execution Vuln Detected on Host

  2. Enhancements to FortiGate parser.

  3. New parser for FortiAuthenticator Debug Logs.

  4. Latest GeoDB updates.

Content Update 613

Published September 24, 2024

  1. 3 x Outbreak Rules and Reports:

    • Outbreak: CISA Alert AA24-249A Russian Cyber Espionage Attack Detected on Network

    • Outbreak: CISA Alert AA24-249A Russian Cyber Espionage Attack Detected on Host

    • Outbreak: GeoServer RCE Attack Detected on Network

  2. Additional event attributes to support new parsing.

  3. Enhancements to Apache, CiscoDuo, FortiClient, FortiMail, FortiRecon, Sendmail, TenableVuln, Unix, VMwareVCenter, and WinOSWmi parsers.

  4. Updated descriptive metadata for several rules.

  5. Latest GeoDB updates.

Content Update 612

Published August 28, 2024

This content update contains the following:

  1. 4 x Outbreak Rules and Reports:

    • Outbreak: ServiceNow Remote Code Execution Attack Detected on Network

    • Outbreak: Apache OFBiz RCE Attack Detected on Network

    • Outbreak: Jenkins RCE Attack Detected on Network

    • Outbreak: Jenkins RCE Attack Detected on Host

  2. Enhancements to Okta, LinuxAudit, and Unix parsers.

  3. Latest GeoDB updates.

Content Update 611

Published August 1, 2024

This content update contains the following:

  1. Enhancements to parsers: Office365, FortiEDRRest, CitrixNetScaler, Dragos, VMwareVCenter, VMwareEvent, and CarbonBlackCEF.

  2. Updated report "Slow FortiSIEM Queries".

  3. Latest GeoDB updates.

Content Update 610

Published June 17, 2024

This content update contains the following:

  1. 3 x Outbreak Rules and Reports:

    • Outbreak: Dlink Multiple Devices Attack Detected on Network

    • Outbreak: Check Point Quantum Security Gateways Information Disclosure Attack Detected on Network

    • Outbreak: PHP CGI OS Command Injection Vuln Detected on Network

  2. Enhancements to WinOSWmi, WinOSXml, FortiSandbox, FortiNDR, FortiAuthenticator, and JunipSSGFirewallLog parsers.

  3. Updated Windows rule to fix incorrect logic.

    • Windows: Active Directory User Backdoors

  4. Dedicated FortiSandbox rule to detect phishing URLs.

    • FortiSandbox detects Phishing URL

  5. Latest GeoDB updates.

Content Updates for 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5 and 7.1.6

Content Update 609

Published May 22, 2024

This content update contains the following:

  1. 2 x Outbreak Rules and Reports:

    • Outbreak: Black Basta Ransomware Detected on Network

    • Outbreak: Black Basta Ransomware Detected on Host

  2. Enhancements to Postfix, WinOSWmi, and WinOSXml parsers.

  3. Latest GeoDB updates.

Content Updates for 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4 and 7.1.5

Content Update 608

Published May 13, 2024

This content update contains the following:

  1. 4 x Outbreak Rules and Reports:

    • Outbreak: Akira Ransomware Detected on Network

    • Outbreak: Akira Ransomware Detected on Host

    • Outbreak: CDATA Web Management System RCE Attack Detected on Network

    • Outbreak: CDATA Web Management System RCE Attack Detected on Host

  2. Enhancements to FortiMail and Cyxtera parsers.

  3. Latest GeoDB updates.

Content Update 607

Published April 17, 2024

This content update contains the following:

  1. 5 x Outbreak Rules and Reports:

    • Outbreak: Nice Linear eMerge Command Injection Vuln Detected on Network

    • Outbreak: Sunhillo SureLine Command Injection Attack Detected on Network

    • Outbreak: Sunhillo SureLine Command Injection Attack Detected on Host

    • Outbreak: PAN OS GlobalProtect Command Injection Vuln Detected on Network

    • Outbreak: PAN OS GlobalProtect Command Injection Vuln Detected on Host

  2. Enhancements to Proofpoint and Unix parsers.

  3. Latest GeoDB updates.

Content Updates for 7.1.0, 7.1.1, 7.1.2, 7.1.3 and 7.1.4

Content Update 606

Published March 25, 2024

This content update contains the following:

  1. Updated Windows Agent Parser for Agent 7.1.4.

  2. 2 Outbreak Rules and Reports:

    • Outbreak: ConnectWise ScreenConnect Attack Detected on Network

    • Outbreak: ConnectWise ScreenConnect Attack Detected on Host

  3. Updated Ransomware Rule to prevent false positives.

    • Ransomware detected on a host

  4. Updated Rule and Watchlist for Windows dormant users.

    • Windows Dormant Account Detected

  5. Enhancements to FortiGate, DellNSeries, and Unix parsers.

  6. Latest GeoDB updates.

Content Updates for 7.1.0, 7.1.1, 7.1.2 and 7.1.3

Content Update 605

Published February 08, 2024

This content update contains the following:

  1. Updated GenericJSON parser

Content Update 604

Published February 05, 2024

This content update contains the following:

  1. 1 x Outbreak Rules and Reports:

    • Outbreak: Ivanti Connect Secure and Policy Secure Attack Detected on Network

  2. New parser for Microsoft Graph API Platform

  3. Rules, Reports, and new parser for Trend Micro Vision One integration

  4. Updated FortiDeceptor and WinOSWmi parsers

Content Updates for 7.1.0, 7.1.1 and 7.1.2

Content Update 603

Published January 25, 2024

This content update contains the following:

  1. 6 x Outbreak Rules and Reports:

    • Outbreak: Microsoft SharePoint Server Elevation of Privilege Vuln Detected on Network

    • Outbreak: Microsoft SharePoint Server Elevation of Privilege Vuln Detected on Host

    • Outbreak: Adobe ColdFusion Access Control Bypass Attack Detected on Network

    • Outbreak: Adobe ColdFusion Access Control Bypass Attack Detected on Host

    • Outbreak: Androxgh0st Malware Attack Detected on Network

    • Outbreak: Androxgh0st Malware Attack Detected on Host

  2. Updated FortiGate and FortiProxy event types.

  3. Latest GeoDB updates.

Content Updates for 7.1.0 and 7.1.1

Content Update 602

Published December 20, 2023

This content update contains the following:

  1. 4 x Outbreak Rules and Reports:

    • Outbreak: Lazarus RAT Attack Detected on Network

    • Outbreak: Lazarus RAT Attack Detected on Host

    • Outbreak: JetBrains TeamCity Authentication Bypass Attack Detected on Network

    • Outbreak: JetBrains TeamCity Authentication Bypass Attack Detected on Host

  2. Enhancements to WinOSWmi and CiscoFTD parsers.

  3. Latest GeoDB updates.

Content Updates for 7.1.0

Content Update 601

Published November 29, 2023

This content update contains the following:

  1. 3 Outbreak Rules and Reports:

    • Outbreak: Citrix Bleed Attack Detected on Network

    • Outbreak: Apache ActiveMQ Ransomware Attack Detected on Network

    • Outbreak: Apache ActiveMQ Ransomware Attack Detected on Host

  2. Dedicated rules to detect admin user addition/deletion via console.

    • FortiGate: Admin User Added via Console

    • FortiGate: Admin User Deleted via Console

  3. Added FortiEDR specific rules.

    • FortiEDR: Malicious Process Detected

    • FortiEDR: Malicious Process Blocked

    • FortiEDR: Suspicious Process Detected

    • FortiEDR: Suspicious Process Blocked

    • FortiEDR: Inconclusive or PUP Process Detected

    • FortiEDR: Inconclusive or PUP Process Blocked

    • FortiEDR: Likely Safe Process Detected

    • FortiEDR: Likely Safe Process Blocked

    • FortiEDR: Safe Process Detected

    • FortiEDR: Safe Process Blocked

  4. Enhancements to FortiGate, CarbonBlackCEF, WinOSWmi, AOWUA_Win, PaloAlto, FortiEDR, FortiDeceptor, and FortiAuthenticator parsers.

  5. New parser for ZScaler JSON logs - ZScalerNSSParser.

  6. Fixed Application Server dashboard report and Netflow dashboards.

  7. Latest GeoDB updates.