What’s new in Release 4.6.3
Starting 4.6.3, AccelOps has been re-branded as FortiSIEM.
Special upgrade procedure
Features
FortiSIEM re-branding
From this release onward, AccelOps will be branded FortiSIEM.
Enforce TLS 1.2 for tighter security
FortiSIEM web servers now only advertise TLS 1.2, and all FortiSIEM components now communicate using the TLS 1.2 protocol. This covers the following communication paths:
Collector to Super/Worker
Worker to Super
Browser to Super
Windows Agent to Agent Manager
Agent Manager to Collector and Super
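A post-upgrade check a defender can run against the "TLS 1.2 only" statement above, written as an added example (not FortiSIEM code): it attempts a handshake at each TLS version against one endpoint and reports any path that still accepts TLS 1.0 or 1.1, or that refuses TLS 1.2. The host and port in the `__main__` block are placeholders.

```python
import socket
import ssl

# Versions to try, oldest first; the legacy members are exactly what should be refused.
CANDIDATES = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake at exactly `version`.
    Certificate checks are disabled on purpose: this tests protocol policy only."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version  # pin both bounds so only this version is offered
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        # Refused handshake, closed port, or a client stack that cannot offer
        # a legacy version at all: each counts as "not accepted".
        return False


def probe_all(host, port):
    """Map each candidate version name to whether the endpoint accepted it."""
    return {name: probe_version(host, port, v) for name, v in CANDIDATES.items()}


def policy_violations(results):
    """Findings against 'TLS 1.2 only': any accepted legacy version, plus
    TLS 1.2 itself being refused (4.6.3 components could not connect)."""
    findings = [f"{n} accepted" for n, ok in results.items() if n != "TLSv1.2" and ok]
    if not results.get("TLSv1.2", False):
        findings.append("TLSv1.2 refused")
    return findings


if __name__ == "__main__":
    host, port = "supervisor.example.internal", 443  # placeholder endpoint
    findings = policy_violations(probe_all(host, port))
    print("OK: TLS 1.2 only" if not findings else "FAIL: " + ", ".join(findings))
    raise SystemExit(1 if findings else 0)
```

Run it once per path listed above (Collector, Worker, Agent Manager and browser-facing Supervisor ports), since each listener is configured separately.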
Windows Agent Enhancements (Windows Agent and Agent Manager 2.0)
This release contains the following Windows Agent enhancements.
- Enhanced user file monitoring: Windows Agent allows users to monitor changes in custom files. This release enhances this feature in the following ways.
  - Allow the user to specify a custom string for each monitored file. The user-defined string is included in the event type as a signature for that file. For example, if the user is monitoring a special MyApp1 log file, the user can specify the custom string MyApp1 and the event type becomes AO-WUA-UserFile-MyApp1. This lets the user write a specific parser for each monitored log file by specifying the string AO-WUA-UserFile-MyApp1 in the event format recognizer.
  - Allow wildcards in the monitored file name, e.g. *radius.log. This supports dynamically named log files that include dates in the file name; for example, DHCP and RADIUS files are generated every day with the date in the file name, e.g. 012415radius.log.
- Ability to monitor any file in the Windows Event Manager tree: prior to this release, AccelOps only monitored specific log files in the Windows Event Manager tree, namely Security, Application and Performance events, DNS logs, DHCP logs etc. This release provides the capability to monitor any file in the Windows Event Manager tree. The user chooses the desired Windows Event Manager folder and the FortiSIEM Agent starts monitoring events for that application. The corresponding event type contains the folder name to distinguish it from events from other folders.
- Windows CD/DVD/USB monitoring: FortiSIEM can now detect insertion/removal and certain file read/write activity on external media such as USB and CD/DVD. Specifically, the following cases are covered in this release:
  - Detect when external media such as USB, CD or DVD is inserted
  - Detect when external media such as USB, CD or DVD is removed
  - Detect when a file is written to USB
- Enhanced file integrity and registry change monitoring: This release contains the following enhancements:
  - The user can exclude directories while specifying files to be monitored, e.g. monitor “C:\System32” but exclude “C:\System32\Log”
  - Include the name of the process that triggered the file modification in FortiSIEM events
  - Allow environment variables in the file path definition
- Monitoring template and license assignment improvements: for details see here.
  - The user can define multiple monitoring templates per host, e.g. an OS monitoring template, an Application 1 monitoring template, an Application 2 monitoring template etc.
  - The user can assign templates and licenses to a large number of hosts with far fewer clicks than in earlier releases
  - A searchable tabular display of host-to-license and template assignments
  - Allow multiple PowerShell and WMI scripts per monitoring template. Prior releases only allowed one script per template.
- Create alerts when an Agent is stopped, uninstalled or unresponsive. This allows users to detect and report these potential policy violations.
Bug Fixes / Enhancements
| Bug ID | Severity | Component | Description |
| --- | --- | --- | --- |
| 13156 | Major | System | In a high-EPS environment, license checking may fail because new processes cannot be forked, resulting in workers becoming unavailable. |
| 16125 | Major | App Server | The feature “Fire Incidents for Approved devices only” does not work correctly. |
| 16555 | Major | App Server | User-added widgets on dashboards in Super global mode always run in ad hoc query mode (instead of inline mode), making dashboards run slowly. |
| 16433 | Normal | Parser | NetFlow application from Fortinet firewalls is not handled correctly. |
| 16248 | Normal | Parser | Syslog over TCP does not work correctly: logs are not complete. |
| 16442 | Normal | App Server | Summary dashboard loads slowly when there are a large number of devices with location specified. |
| 16586 | Normal | App Server | Incident Notification over XML over HTTPS does not work correctly because of a handshake failure. |
| 16286 | Enhancement | GUI | Add search filter for collectors in Admin > General Settings > Event Org mapping > Add > Collectors. |
| 16567 | Normal | Performance Monitoring | AWS RDS monitoring sometimes does not work correctly. |
| 16470 | Normal | Rule Engine | Incidents may not trigger when Event Dropping Rules refer to stale CMDB objects. |
| 16581 | Normal | GUI | The ‘Copy to remote’ option is turned off for ‘Scheduled for’ when a user schedules a report in Super/global mode. |
| 16530 | Normal | Performance Monitoring | SNMP v3 with AES not working after upgrading to 4.6.2. |
| 16481 | Normal | Performance Monitoring | STM job credential manipulation may cause discovery and performance monitoring to crash. This was first introduced by the 4.6.2 enhancement that obfuscates user names and passwords in system calls from back-end processes. |
| 16093 | Enhancement | App Server | Report names are not meaningful when they are copied to an external location with the “Copy to remote” feature. |
| 16251 | Enhancement | GUI, Parser | Allow comma-separated External Org in Event Org Mapping. This allows multiple external organizations to map to a single FortiSIEM organization. |
Current Open Issues
| ID | Severity | Component | Description |
| --- | --- | --- | --- |
| 8867 | Normal | Rule Engine | LAST and FIRST operators in rules do not work (may crash the Rule Worker module). |
| 11036 | Normal | Rule Engine | Rule Worker module may abort when a PctChange expression is used. |
| 14242 | Normal | Query Engine | RBAC data conditions are not enforced for SP organizations when logging in via the super org and moving to another org. |
| 15022 | Normal | Parser Engine | Parser module may stall/pause if host name resolution is slow. The workaround for now is to disable host name resolution. |
| 11112 | Normal | Rule Engine | COUNT DISTINCT operations consume large resources for rules utilizing Anomaly Detection. |
| 14478 | Normal | GUI | Sometimes the GUI pops up a warning (Large amount of data stored over the boundaries) when users restore archived data or delete restored data. |
| 15109 | Normal | Performance Monitoring | Failed custom JDBC job shows in the performance page after Discovery. |
| 15247 | Normal | Parser | AIX parser cannot parse events correctly. |
| 15253 | Normal | Parser | Reporting device name is parsed wrongly in LinuxInotifyParser (affects Linux file integrity monitoring via the AccelOps agent). |
| 14929 | Normal | Performance Monitoring | Maintenance calendar issue: maintenance for a device does not start at the configured time if there is a long-running disabled job for another device. |
| 15068 | Normal | Application Server | Dashboard search filtering does not work for Clariion LUNs under the Summary tab. |
| 15231 | Normal | Application Server | Generating PDF reports over 100 pages drops the page footer. |
| 15233 | Minor | Application Server | The “Validation Status” column in Admin->Event DB->Event Integrity does not allow sorting. |
| 15300 | Minor | GUI | For Report Server, if you sync -> unsync -> sync in rapid succession, the last sync may not take effect. |
| 9261 | Enhancement | Application Server | Charts in exported reports (PDF format) only contain stacked charts, not line charts. |
What’s new in Release 4.6.2
This release contains the following bug fixes.
Bug Fixes
| Bug ID | Severity | Component | Description |
| --- | --- | --- | --- |
| 15161 | Major | Performance Monitor, Discovery | The ability for AccelOps to connect to SNMP on a UDP port other than the default 161, a 4.6.1 feature, does not work correctly. |
| 16235 | Major | Parser | WMI-based pulling of Windows Security, Application and System logs truncates some event attributes, so certain Windows reports and rules may not work correctly. |
| 16249 | Minor | Discovery | Default hardware serial numbers (like “None” in CentOS) cause two devices to be merged incorrectly during discovery. |
| 16237 | Minor | Performance Monitoring | Long-running performance monitoring jobs may cause new performance monitoring jobs to not take effect. |