Features
HTML5 based GUI for dashboard
You can log on to the HTML5 version of the Dashboard page using the link https://<SupervisorIP>/phoenix/html.
For details see Dashboards – HTML5 version.
Policy based event retention
Currently, the online event database storage is managed on an FCFS basis: when the event database gets full, the oldest events are purged or archived. This release enables you to set event retention policies based on Customer (Service Provider case), Reporting Devices and Event Types. For example, performance metrics and flow events can be kept for 30 days but server logs for 1 year.
This release also provides visibility into which Reporting Device and Event Type are consuming the most storage on a per-day basis. This enables administrators to write better data retention policies.
Note that this feature consumes significant compute and storage I/O resources. Since events are stored in a compressed manner, these events have to be first uncompressed, then filtered according to the data retention policies, and finally the logs that remain have to be re-indexed. It is recommended that you create these policies after careful thought and change them infrequently. Run the reports to monitor the performance of retention policy execution.
For details, see Managing Online Event Data.
Vulnerability correlation and device risk scoring
In this release, FortiSIEM assigns a risk score (0-100) to a device by combining Asset Weight, Vulnerabilities found on that device, Security and Non-security incident counts and severities. Users can modify certain factors to tailor the risk computation for their environment. A view is created that shows the devices ranked by risk scores along with a timeline view of the incidents that resulted in that score. The risk score is computed hourly and the trend is presented in the view.
For details, see here for Flash version and here for HTML5 version. Risk computation is detailed here.
Scalable Windows agent architecture enabling agents to send events to Collectors (Windows Agent/Agent Manager 2.1)
FortiSIEM Windows Agents provide efficient log collection and other important functionality such as file integrity monitoring, registry and installed software change monitoring, removable media insertion and write activity, etc. In previous releases, a set of Windows Agents was associated with a single Windows Agent Manager (WAM), which was responsible for configuring the Windows Agents and then relaying logs from the Agents to a Collector. This architecture has several issues, e.g. (a) the WAM is a single point of failure for both configuration and log relay, and (b) the rigid association of Agents to a single WAM results in deployment and bookkeeping issues when a large number of Agents need to be deployed.
This release vastly improves the above architecture. The WAM is now used primarily for configuring Agents. As part of the configuration, Agents can be associated with one or more FortiSIEM Collectors. Agents send logs directly to their assigned set of Collectors in a round-robin fashion. A single WAM can configure a large number of Agents. By removing the WAM from the event forwarding path and utilizing the Collector infrastructure, this architecture provides far greater scalability.
For details, see here.
Dynamic CMDB groups
CMDB Device Groups and Business Service Groups are critical to FortiSIEM Analytics. They enable users to write rules and reports of the form “Reporting IP IN A CMDB Group”. Currently, CMDB Device Groups are populated during discovery based on an internal template keyed on Device vendor and model, e.g. Fortinet FortiGate belongs to both the Firewall Group and the VPN Group, Cisco IOS belongs to the Router/Switch Group, etc. Business Groups have to be created manually and kept up to date.
This release automates this process by allowing the user to define rules for dynamically associating devices with CMDB groups and Business Services. A rule condition can be based on Device Vendor, Model, Host Name and IP Range. When there is a match, the matching devices are placed in the specified CMDB Groups and Business Services. Dynamic CMDB Group assignment happens automatically during discovery, but the assignment rules can also be applied at any time to force immediate assignment. Note that this dynamic CMDB Group assignment is in addition to the internal template-based assignment during discovery.
For details, see Creating Dynamic CMDB Group Policies.
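The following is an added example, not FortiSIEM's own code, showing how assignment rules keyed on Vendor, Model, Host Name and IP Range can be evaluated against a discovered inventory and layered on top of the template-based groups; the `GroupRule` structure, the prefix match on model and the "start-end" range syntax are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Device:
    name: str
    ip: str
    vendor: str
    model: str

def ip_in_range(ip, rng):
    """rng is either CIDR ("10.10.0.0/24") or "start-end" ("10.20.0.1-10.20.0.254")."""
    addr = ipaddress.ip_address(ip)
    if "-" in rng:
        lo, hi = (ipaddress.ip_address(x.strip()) for x in rng.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(rng, strict=False)

@dataclass
class GroupRule:
    """Hypothetical assignment rule: every condition that is set must match (AND)."""
    groups: List[str]                   # CMDB groups / Business Services to add
    vendor: Optional[str] = None        # exact, case-insensitive
    model: Optional[str] = None         # prefix match on the model string
    host_pattern: Optional[str] = None  # regex on host name
    ip_range: Optional[str] = None

    def matches(self, d):
        return ((self.vendor is None or d.vendor.lower() == self.vendor.lower())
                and (self.model is None or d.model.lower().startswith(self.model.lower()))
                and (self.host_pattern is None
                     or re.search(self.host_pattern, d.name, re.I) is not None)
                and (self.ip_range is None or ip_in_range(d.ip, self.ip_range)))

def assign_groups(devices, rules, template_groups):
    """Return {device name: sorted group list}. template_groups is the discovery-time
    template assignment; dynamic rules only add to it, they never replace it."""
    result = {}
    for d in devices:
        groups = set(template_groups.get(d.name, []))
        groups.update(g for r in rules if r.matches(d) for g in r.groups)
        result[d.name] = sorted(groups)
    return result

# Constructed sample inventory, template groups and rules (not real data).
DEVICES = [Device("fw-nyc-edge1", "10.10.0.1", "Fortinet", "FortiGate-100D"),
           Device("sw-nyc-core1", "10.10.0.2", "Cisco", "IOS"),
           Device("fw-sfo-edge1", "10.20.0.1", "Fortinet", "FortiGate-60E")]
TEMPLATE = {"fw-nyc-edge1": ["Firewall", "VPN"], "sw-nyc-core1": ["Router/Switch"],
            "fw-sfo-edge1": ["Firewall", "VPN"]}
RULES = [GroupRule(["BizSvc: NYC Office"], ip_range="10.10.0.0/24"),
         GroupRule(["Edge Firewalls"], vendor="Fortinet", host_pattern=r"-edge\d+$"),
         GroupRule(["BizSvc: SFO Office"], ip_range="10.20.0.1-10.20.0.254")]
```

Running `assign_groups(DEVICES, RULES, TEMPLATE)` places both edge firewalls in "Edge Firewalls" and each device in its office Business Service while the template groups are preserved.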
Display CMDB reports in dashboard
Currently, a dashboard can only show reports containing event data. Starting with this release, CMDB reports can also be displayed on the same dashboard, side by side with event data.
For details, see here for Flash version and here for HTML5 version.
Multi-line syslog handling
Often applications generate a single syslog message across multiple lines. For analysis purposes, the multiple lines need to be put together into a single log. This feature enables you to do that.
Users can write multiple multi-line syslog combining rules based on reporting IP and begin and end patterns. All matching syslog lines between the begin and end patterns are combined into a single log.
For details, see Multi-line Syslog Handling.
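As an added illustration (not FortiSIEM's own implementation), the combiner below applies rules of the form described above, reporting IP plus a begin and an end regex, to a constructed stream in which a Java stack trace is interleaved with a log line from another host; the `CombineRule` structure and the flush-on-exhaustion behaviour are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class CombineRule:
    """Hypothetical combining rule: reporting IP plus begin and end regexes.
    The begin line is assumed not to carry the end marker itself."""
    reporting_ip: str
    begin: re.Pattern
    end: re.Pattern

def combine_multiline(events, rules):
    """events: iterable of (reporting_ip, raw_line) in arrival order.
    Returns a list of (reporting_ip, log) where every run of lines from a
    rule's begin pattern through its end pattern is joined into one log."""
    out = []
    open_buffers = {}  # reporting_ip -> (rule, lines collected so far)
    for ip, line in events:
        if ip in open_buffers:
            rule, buf = open_buffers[ip]
            buf.append(line)
            if rule.end.search(line):          # end marker closes the buffer
                out.append((ip, "\n".join(buf)))
                del open_buffers[ip]
            continue
        rule = next((r for r in rules
                     if r.reporting_ip == ip and r.begin.search(line)), None)
        if rule is None:
            out.append((ip, line))             # no rule for this IP/line: pass through
        else:
            open_buffers[ip] = (rule, [line])  # begin marker opens a buffer
    # Flush buffers whose end pattern never arrived so nothing is silently lost.
    for ip, (_rule, buf) in open_buffers.items():
        out.append((ip, "\n".join(buf)))
    return out

# Constructed sample: a stack trace from 10.1.1.5 interleaved with an sshd line
# from 10.1.1.6, plus a normal single-line event after the trace.
SAMPLE_EVENTS = [
    ("10.1.1.5", "app[123]: Exception in thread main java.lang.NullPointerException"),
    ("10.1.1.5", "app[123]:     at com.example.Foo.bar(Foo.java:42)"),
    ("10.1.1.6", "sshd[77]: Accepted publickey for ops from 10.1.1.9 port 50122"),
    ("10.1.1.5", "app[123]:     at com.example.Main.main(Main.java:7)"),
    ("10.1.1.5", "app[123]: --- END TRACE ---"),
    ("10.1.1.5", "app[123]: request served in 12ms"),
]
RULES = [CombineRule("10.1.1.5", re.compile(r"Exception in thread"),
                     re.compile(r"--- END TRACE ---"))]
```

The sample collapses into three logs: the sshd line untouched, the four trace lines joined into one log, and the trailing request line untouched.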
Custom configuration change monitoring
FortiSIEM can collect configurations from devices and detect changes. Currently, FortiSIEM supports a limited set of devices for this feature and users cannot add devices of their choice.
This release provides a way for users to do configuration change monitoring for any device. The user simply needs to upload their own configuration collection script into the system and associate it with a device type. When that device type is discovered, a configuration change detection job is created that runs the user-defined custom configuration collection script.
For details, see Custom Configuration Change Monitoring.
STIX/TAXII support for external threat intelligence
This release allows you to download any threat intelligence data in STIX format using TAXII transport protocol without writing any code. Supported IOCs include Malware Domain, IP, URL and hash.
For details, see Custom Malware Domain Threat Feed, Custom Malware IP Threat Feed, Custom Malware Hash Threat Feed and Custom Malware URL Threat Feed.
Enhancements
Ability to monitor a subset of interfaces and processes
Currently, FortiSIEM monitors all interfaces and processes and there is no way to disable monitoring for a subset of interfaces and processes. Many network devices (e.g. Voice Gateways) have logical interfaces that do not need to be monitored. Similarly, servers have processes that may not need to be monitored. Often these redundant interfaces and processes create lots of events and consume lots of storage over time, especially if there are many devices with such interfaces/processes.
This release allows you to specify a set of important interfaces and processes. Once this set is defined, FortiSIEM switches to monitoring only this set of important interfaces and processes.
For details, see Adding Important Interfaces and Adding Important Processes.
Ability to flag a WAN interface
Often it is important to monitor only WAN interfaces in a dashboard or report. Typically a deployment has many routers/firewalls with one or two WAN interfaces. Since WAN interfaces are not clearly marked in any configuration or SNMP MIB, the only way to create such a report is to manually list all the device and interface pairs in the query. This makes the query quite cumbersome.
This release enables you to mark an interface as a WAN interface. The interface events will have the WAN flag set. To query all WAN interfaces, one simply has to specify “isWAN = true” in the query. This makes writing a query extremely simple.
For details, see Adding Important Interfaces.
Ability to define per-process CPU, Memory thresholds
FortiSIEM provides a way to specify global thresholds and per device local thresholds and refer to them in a rule. This way a single rule can capture global and local thresholds.
The thresholds can be a single value, such as Critical CPU threshold or Warning CPU threshold, or a map, such as a map of interface utilization or disk utilization. While single values are completely customizable (users can add their own), map thresholds need the keys (such as interface name or disk name) to be defined in the system.
This release extends the map thresholds to also include process name. Users can define global thresholds for process CPU utilization and process Memory utilization, as well as per-device, per-process overrides (e.g. SQL Server).
For details, see Setting Global and Per-Device Threshold Properties.
Ability to include attachments in a ticket
FortiSIEM provides its own ticketing system for users that do not want to rely on an external ticketing system. Often there is a need to include attachments in a ticket, e.g. to demonstrate the problem while creating a ticket and to demonstrate the problem resolution while closing a ticket. This release allows you to include (PDF and PNG formatted) attachments into a ticket and export that ticket in PDF format to also include the attachments.
For details, see Ticket Related Operations.
Allow exceptions for merging based on hardware serial numbers
FortiSIEM has an algorithm based on hardware serial numbers, host name, IP and MAC addresses to merge devices in the CMDB, which is needed since FortiSIEM repeatedly discovers devices. Currently, the hardware serial number is a definitive factor – two devices are merged if their serial numbers are identical. However, some virtualized devices have generic serial numbers, e.g. “Unknown”, “0000”, etc., which causes devices to be merged incorrectly. This release provides a way to create a list of virtual serial numbers that are not considered for merge purposes.
For details, see Discovery Settings.
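The snippet below is an added example, not FortiSIEM's merge algorithm, that reproduces the failure mode described above and the effect of an exception list: with an empty list two VMs both reporting serial “Unknown” are merged, with the list they stay separate, while a real serial remains definitive. The fallback rule (any two of host name, IP and MAC agreeing) and the serial values are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed exception list: generic serial numbers that virtualized devices
# report and that must not be treated as a device identity.
VIRTUAL_SERIALS = {"unknown", "0000", "n/a", "none", "to be filled by o.e.m."}

@dataclass
class Discovered:
    host: str
    ip: str
    mac: str
    serial: str

def identifying_serial(serial, virtual_serials):
    """Return the normalized serial if it can identify a device, else None."""
    s = serial.strip().lower()
    return s if s and s not in virtual_serials else None

def same_device(a, b, virtual_serials=VIRTUAL_SERIALS):
    """Hypothetical merge decision. An identifying serial on both sides is
    definitive: equal serials merge, different serials never merge. Otherwise
    fall back to host name, IP and MAC (assumption: two of three agreeing => merge)."""
    sa = identifying_serial(a.serial, virtual_serials)
    sb = identifying_serial(b.serial, virtual_serials)
    if sa is not None and sb is not None:
        return sa == sb
    hits = sum([a.host.lower() == b.host.lower(),
                a.ip == b.ip,
                a.mac.lower() == b.mac.lower()])
    return hits >= 2

# Constructed discovery results: two distinct VMs with a generic serial, and one
# firewall rediscovered after a host name and IP change (serial is made up).
VM_A = Discovered("web01", "10.0.0.11", "00:50:56:aa:01:11", "Unknown")
VM_B = Discovered("web02", "10.0.0.12", "00:50:56:aa:01:12", "Unknown")
FW_BEFORE = Discovered("fw-edge", "10.0.0.1", "00:09:0f:00:00:01", "FGT-EXAMPLE-0001")
FW_AFTER = Discovered("fw-edge-new", "10.0.0.254", "00:09:0f:00:00:01", "FGT-EXAMPLE-0001")
```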
Device / Application Support
Windows Server 2016 – discovery, performance monitoring and log analysis like other Windows Servers – see Microsoft Windows Server Configuration.
FortiDDoS – log analysis – see FortiDDoS Configuration
Google Apps – audit log analysis – see Google Apps Audit Configuration.
Microsoft Office 365 – audit log analysis – see Microsoft Office365 Audit Configuration
Cisco ACI – performance monitoring – see Cisco Application Centric Infrastructure (ACI) Configuration
Brocade CER and MLX routers – performance monitoring – see Brocade NetIron CER Routers
Clavister IPS – log analysis – see here
Cisco SF 300 SG300/350 switches – discovery, performance monitoring – see Cisco 300 Series Routers
Fortinet 5001B firewalls – discovery, performance monitoring – per CPU utilization extensions – see Fortinet FortiGate Firewall Configuration
Bug Fixes / Enhancements
Bug ID | Severity | Component | Description |
17906 | major | Parser | FortiSandbox Parser does not support FortiSandbox VM |
17415 | major | Parser | Some WatchGuard events are not parsed |
17453 | major | Parser | Update the SourceFire parser to support version 6 and later and Snort messages. |
18053 | major | GUI | Incorrect Admin > General Settings > Discovery > Application Filter |
17281 | normal | App Server | Handle rediscovery of devices moved from a system defined group |
17346 | normal | App Server | Should not update ‘Worker up’ error message every 3 minutes if the worker is not in down status |
18056 | normal | Parser | Parse event severity from Stonesoft events |
12617 | normal | Parser | Event severity of some Snort events is incorrect |
16765 | normal | GUI | Multiple users cannot use the same dashboard name |
16845 | normal | System | FortiSIEM Login credential anonymization algorithm causes unnecessary login failures |
16514 | normal | App Server | Reports: Display Column “Display As” not working for scheduled PDF reports |
18108 | normal | App Server | Incident Id in Notification Email includes HTML tags in Email Subject |
17418 | normal | GUI | Add Remediation to Rule Export |
15868 | normal | Discovery | FortiSIEM SSH not logging out of Palo Alto Firewall during configuration discovery |
17979 | normal | GUI | Improve display performance of CMDB > Link Usage page in GUI |
17422 | normal | Parser | Imperva DAM Unknown Event Types in Panasonic logs |
16985 | normal | App Server | Allow Super-Global admin to assign an incident ticket to an org user in Super |
17555 | normal | Parser | Application recognition inconsistency in Netflow IPFIX analysis |
17507 | normal | Rule | Error in System defined Rule “Cisco Call Manager DDR Down” |
17110 | normal | Parser | Reporting device name parsed wrong in Motorola AirDefense Parser |
16966 | normal | GUI | Virtual IPs disappear after exporting and importing credentials |
16956 | normal | GUI | When two super global users create a dashboard for an org, they see each others dashboards in that org |
16311 | normal | GUI | Sometimes the value of application performance shows incompletely when the bar is red |
17253 | normal | GUI | Page header of Ticket export has display issues |
17540 | normal | GUI | Can’t export the result of a cloned Audit Rule to PDF |
16023 | normal | GUI | Incidents page – Filter condition will change after user cancels it via “…” and “e” |
17436 | normal | GUI | Cannot save new ticket without assignee or due date. |
17837 | normal | System | Reverse tunnel vulnerability not fixed on 4.7.2 upgrade |
16763 | normal | Parser | Event parse status is wrong for MYSQL_JDBC_PULL_STAT |
16762 | enhancement | Parser | Parse ‘reporting device name’ and ‘host name’ the first time for a log-discovered device. |
13823 | enhancement | GUI | Allow Users to select Important Processes per device from the software tab in CMDB |
17094 | enhancement | GUI | Need CMDB Report for Running Applications |
17860 | enhancement | App Server | Threat Feed integration with InSights required by Panasonic |
15792 | enhancement | App Server | Support ‘Report Logo’ and ‘UI Logo’ for Organizations UI and PDF reports |
16973 | enhancement | App Server | Improve and Optimize CI lookup |
16983 | enhancement | App Server | Need a way to specify ticket due dates to specific times |
17093 | enhancement | DataManager | Create an event for when Incoming EPS is more than Guaranteed EPS |
12049 | enhancement | Parser | Parse more Symantec AV Events |
18003 | enhancement | Parser | Some event type display names have %s |
17428 | enhancement | App Server | In CMDB Report, allow Organization and Collector Name as columns |
16994 | enhancement | GUI | Allow the ability to launch integration policy from a specific Incident |
Current Open Issues
Id | Severity | Component | Description |
8867 | Normal | Rule Engine | LAST and FIRST operators in rules do not work (may crash Rule Worker module) |
11036 | Normal | Rule Engine | Rule Worker module may abort when a PctChange Expression is used |
14242 | Normal | Query Engine | RBAC data conditions are not enforced for SP organizations when logging in via the super org and moving to another org. |
15022 | Normal | Parser Engine | Parser module may stall/pause if host name resolution is slow. Workaround for now is to disable host name resolution. |
11112 | Normal | Rule Engine | COUNT DISTINCT operations consume large resources for rules utilizing Anomaly Detection |
14478 | Normal | GUI | Sometimes the GUI pops up a warning (Large amount of data stored over the boundaries) when users restore archived data or delete the restored data |
15109 | Normal | Performance Monitoring | Failed Custom JDBC job shows in performance page after Discovery |
15247 | Normal | Parser | AIX Parser cannot parse events correctly. |
15253 | Normal | Parser | Reporting device name is parsed wrong in LinuxInotifyParser (affects Linux file integrity monitoring via AccelOps agent) |
14929 | Normal | Performance Monitoring | Maintenance calendar issue – Maintenance for a device does not start at the configured time if there is a long-running disabled job of another device |
15068 | Normal | Application Server | Dashboard Search Filtering does not work for Clariion LUNs under Summary Tab |
15231 | Normal | Application Server | Generating PDF Reports over 100 Pages will drop Page Footer |
15233 | Minor | Application Server | “Validation Status” column in Admin->Event DB->Event Integrity does not allow sorting. |
15300 | Minor | GUI | For Report Server, if you sync -> unsync -> sync in rapid succession, then the last sync may not take effect |
9261 | Enhancement | Application Server | Charts in exported reports (PDF format) only contain stacked charts – not line charts |