FortiSIEM 6.3.0 Release Notes

FORTINET DOCUMENT LIBRARY https://docs.fortinet.com

FORTINET VIDEO GUIDE https://video.fortinet.com

FORTINET BLOG https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM https://www.fortinet.com/training-certification

NSE INSTITUTE https://training.fortinet.com

FORTIGUARD CENTER https://www.fortiguard.com

END USER LICENSE AGREEMENT https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK Email: [email protected]

09/21/2021 FortiSIEM 6.3.0 Release Notes

TABLE OF CONTENTS

Change Log
What's New in 6.3.0
  New Features
    Customizable GUI Login Banner
    UTC and ISO8601 Formatted Dates
    Ability to Tag Incidents and Search Incidents by Tag
    Report Export in RTF Format
    Trend Chart for Hourly/Daily/Weekly Aggregates
    Email Encryption via S/MIME
    Load Balancing Inserts across Multiple Elasticsearch Coordinator Nodes
    Watchlist Management API
    JSON Incident API
    FortiSIEM Collector as Management Extension Application (MEA) on FortiAnalyzer
  Key Enhancements
    Infrastructure Upgrade
    Elasticsearch 7.12.1 Support
    MITRE ATT&CK Framework Update to V9
    Authentication for Kafka based Event Forwarding
    Report Design Template Enhancements
    Selective Role based Raw Message Obfuscation
    Shared Dashboard Ownership Transfer
    Custom Elasticsearch Mapping Template
    Elasticsearch to EventDB Archive Performance Improvement
    Optimize PostgreSQL Incident Query
  New Device Support
  Device Support Extensions
  Bug Fixes and Minor Enhancements
  Known Issues
    Slow Event Database Operations Using Azure Managed NFS File Share Service
    Need to Re-Configure Open Tunnel After Upgrade/Install of 6.3.0
    Need to set Account Environment in Azure Cloud Support Access Credentials after Upgrade
    Cut and Paste Issue into Report Designer Text Editor
  Rule and Report Modifications since 6.2.1

FortiSIEM 6.3.0 Release Notes, Fortinet Technologies Inc.

Change Log

Date Change Description

07/08/2021 Initial version of FortiSIEM 6.3.0 Release Notes.

08/17/2021 Added Known Issue "Slow Event Database Operations Using Azure Managed NFS File Share Service" to 6.3.0 Release Notes.

09/21/2021 Updated Custom Elasticsearch Mapping Template section in 6.3.0 Release Notes.


What's New in 6.3.0

This document describes the additions for the FortiSIEM 6.3.0 release.

l New Features

l Key Enhancements

l New Device Support

l Device Support Extensions

l Bug Fixes and Minor Enhancements

l Known Issues

l Rule and Report Modifications since 6.2.1

New Features

l Customizable GUI Login Banner

l UTC and ISO8601 Formatted Dates

l Ability to Tag Incidents and Search Incidents by Tag

l Report Export in RTF Format

l Trend Chart for Hourly/Daily/Weekly Aggregates

l Email Encryption via S/MIME

l Load Balancing Inserts across Multiple Elasticsearch Coordinator Nodes

l Watchlist Management API

l JSON Incident API

l FortiSIEM Collector as Management Extension Application (MEA) on FortiAnalyzer

Customizable GUI Login Banner

FortiSIEM administrators can now define a login banner page that GUI users see after entering their credentials. This page displays the last successful login and any changes to the user's account since that login, along with an administrator-defined message. This message is typically used to warn against unauthorized system access. A default message is provided, but users with full admin privileges can change the message, create a new message, or disable the banner completely. This system setting applies to all users. For details on how to set up and customize a login banner, located at ADMIN > Settings > System > UI, see Administrator UI Settings. Notes:

l This is a system wide screen for all users.

l Some simple BBCode tags are allowed in this message input: "b" (bold), "i" (italic), "u" (underline), and "url".

l HTML tags are not allowed.

l Nested tags are not allowed.


UTC and ISO8601 Formatted Dates

Earlier releases displayed dates (for example, on the INCIDENTS page) in local time only. This release adds two other time format options: UTC and ISO 8601. This is a per-user setting; the chosen time format is honored in the GUI for that user, in report exports and scheduled reports run by that user, and in Incident email notifications. For details on how to set the date display format, located at User Profile > UI Settings, see User Profile UI Settings.

Ability to Tag Incidents and Search Incidents by Tag

This release allows you to define Tags and associate one or more Tags with Rules. Incidents triggered by such a rule carry the associated Tags as an Incident attribute. You can display Tags on the INCIDENTS page and search/filter Incidents by Tag. For MSSP deployments, Tags are globally defined for all Organizations. For details on how to define tags, see Tags. For details on how to set tags in rules, see Creating a Rule: Step 3: Define Actions. For details on how to add the Tags column to the INCIDENTS page, see Acting on Incidents. For details on how to search Incidents by tag, see Searching Incidents: from the Actions drop-down list, click Search, and use the Incident Tag filter in the same panel to locate tags.

Report Export in RTF Format

In earlier releases, reports could be exported in PDF and CSV formats. This release adds Rich Text Format (RTF), which can be viewed using Microsoft Word. For setting RTF format for adhoc reports, see Email Results, Exporting Report Results, and Exporting Results. For setting RTF format for scheduled reports, see Scheduling a Report and Scheduling CMDB Reports. For more information on creating a report template that can be sent in RTF format, see Designing a Report Template.

Trend Chart for Hourly/Daily/Weekly Aggregates

In earlier releases, the granularity of the time axis in trend charts was chosen automatically by the system, so users could not plot hourly, daily or weekly values in report trend charts. This release adds that option. Because daily and weekly queries can take a long time to run, this works best with pre-computed queries and in dashboards where results are computed in inline mode. In ANALYTICS, you can choose the trend option as part of the Filter conditions; see Specifying a Trend Interval. In DASHBOARD, select Line chart as the display and then choose a trend option as part of the Widget Dashboard; see Modifying Widget Display Information. Trend attributes can be added to scheduled reports, report bundles, and real-time searches.


Email Encryption via S/MIME

This release allows you to send encrypted emails from FortiSIEM using S/MIME. Examples of emails sent from FortiSIEM include Incident notification emails, Scheduled Report emails, and Adhoc Query Result emails. To first set up S/MIME, see Email Settings. After the S/MIME configuration, add the S/MIME certificate for a new user, or to an existing one, at CMDB > Users.

Load Balancing Inserts across Multiple Elasticsearch Coordinator Nodes

This release enables you to add multiple Elasticsearch Coordinator nodes in the GUI. The phDataManager process on each Worker then load balances event inserts across the Coordinator nodes. This design allows faster parallel inserts and also protects against Coordinator node failures. The Coordinator nodes are configured in the URL field of the Native Elasticsearch configuration.

Watchlist Management API

This release allows you to view, add, and edit Watchlist folders and entries (RESOURCES > Watchlist) through the API. See Watchlist Integration in the API Integration Guide.

JSON Incident API

This release allows you to integrate FortiSIEM incidents with external systems through a JSON REST API. This is used by the ServiceNow SecOps integration. See JSON API Incident Integration in the API Integration Guide.

FortiSIEM Collector as Management Extension Application (MEA) on FortiAnalyzer

You can now run a FortiSIEM Collector as a management extension application (MEA) image on FortiAnalyzer 7.0.1 or higher. This removes the need for a separate FortiSIEM Collector node (virtual machine or appliance) when you already have a FortiAnalyzer deployed with sufficient spare CPU, memory and disk to run a FortiSIEM Collector. A FortiSIEM MEA Collector works the same way as a regular virtual machine based FortiSIEM Collector or a 500F hardware appliance, but the setup and upgrade processes are slightly different. For general setup, troubleshooting, event collection, discovery and performance monitoring using a FortiSIEM MEA Collector, see the FortiSIEM MEA Collector Administration Guide in the FortiAnalyzer 7.0 docs. That guide also covers upgrade issues and general differences between a FortiSIEM MEA Collector and a virtual machine/hardware appliance Collector. Note: To collect Windows or Linux Agent logs via a FortiSIEM MEA Collector, you need Windows Agent 4.1.2 or higher and Linux Agent 6.3.0 or higher.


Key Enhancements

l Infrastructure Upgrade

l Elasticsearch 7.12.1 Support

l MITRE ATT&CK Framework Update to V9

l Authentication for Kafka based Event Forwarding

l Report Design Template Enhancements

l Selective Role based Raw Message Obfuscation

l Shared Dashboard Ownership Transfer

l Custom Elasticsearch Mapping Template

l Elasticsearch to EventDB Archive Performance Improvement

l Optimize PostgreSQL Incident Query

Infrastructure Upgrade

This release upgrades the underlying CentOS version to 8.4.

Elasticsearch 7.12.1 Support

This release extends native Elasticsearch event database support to 7.12.1.

MITRE ATT&CK Framework Update to V9

This release imports the MITRE ATT&CK Techniques and Tactics as found in V9, released on April 29, 2021.

Authentication for Kafka based Event Forwarding

FortiSIEM allows events to be forwarded via Kafka. This release adds the ability for FortiSIEM to authenticate to the Kafka receiver, so event forwarding no longer has to rely on an unauthenticated broker. To set up Kafka authentication, see step 9 under Kafka Settings.

Report Design Template Enhancements

This release covers the following Report Design enhancements:

l A Rich Text editor, so that users do not have to type raw HTML in the Text Area of the Report Design.

l The ability to insert a Page Break.

l The Cover page and Table of Contents are now optional.

For details, see Designing a Report Template.


Selective Role based Raw Message Obfuscation

FortiSIEM user roles allow per-role obfuscation of certain event attributes such as Source IP, Host IP, and User. In earlier releases, if one event attribute was obfuscated, the entire raw message was hidden from that user. This restriction is removed in this release. For example, if a user's role obfuscates User Name, that user can now see the entire raw message except the specific user name in it. After changing a role, verify with a test account that the obfuscated value does not remain readable in the raw messages that role can see. For configuration information, see Adding a New Role.

Shared Dashboard Ownership Transfer

FortiSIEM allows dashboards to be shared between the creator (owner) and other users. However, in earlier releases, when the shared dashboard owner was not available, no one else could modify the shared dashboard. This release allows the owner to transfer ownership to another user with exactly the same role; that user then becomes the new owner and can edit the dashboard. For details on how to change ownership, see Dashboard Ownership.

Custom Elasticsearch Mapping Template

FortiSIEM uses an Event Attribute Mapping Template file to map each of the 3,000+ FortiSIEM event attributes to Elasticsearch data types. This explicit mapping is done to conserve Elasticsearch event storage. Our research (using the Elasticsearch Rally tool) has shown that Elasticsearch performance can be improved by choosing a smaller Event Attribute Template file containing only the attributes relevant to the events seen in the customer's environment. This release allows customers to use the right Event Attribute Template file for their environment and improve Elasticsearch performance. A tool is provided that creates an Event Attribute Template file based on the last N (configurable) days of data in Elasticsearch. Details can be found in Administrator Tools. The user can import this custom Event Attribute Template file from the Supervisor GUI and click Save to deploy it to Elasticsearch. Details can be found in Configuring a Native, AWS, or Cloud Elasticsearch database. Note: If a new log appears with event attributes not present in the Event Attribute Template file, Elasticsearch auto-detects their type. If you wish to change the type, run the tool again and upload the new custom Event Attribute Template. The custom template takes effect for new indices only; existing indices keep the mapping they were created with. This release has been tested with native Elasticsearch 7.8 and 7.12.1, AWS Elasticsearch 7.8, and Elastic Cloud 6.8.

Elasticsearch to EventDB Archive Performance Improvement

For high-EPS deployments, FortiSIEM recommends the Real Time Archive option, because reading events from Elasticsearch and copying them to EventDB on NFS is an expensive operation that can slow down real time event ingestion. However, if you require the non-real-time archiving option, this release optimizes the code to reduce pressure on Elasticsearch and archive faster. No user configuration is required.


Optimize PostgreSQL Incident Query

Incidents can span multiple PostgreSQL partitions, and SQL queries across multiple partitions can be expensive. This release optimizes such queries to touch only the minimum necessary partitions. Users will see lower disk IOPS on the CMDB partition and faster GUI response times.

New Device Support

l Microsoft Windows Print Service Log

l AWS Elastic Load Balancer (ELB) Log

l CyberX OT/IoT Security via Log

l Digital Defense Vulnerability Scanner via API

l FortiAI via Log

l FortiCASB integration via API

l HP ILO via SNMP Trap

l Palo Alto Cortex XDR via Log

l Palo Alto WildFire via Log through Palo Alto Firewall

Device Support Extensions

l CloudTrail Logs via AWS Kinesis

l CyberArk Vault integration via REST API

l FortiAnalyzer System Event Logs via Syslog

l FortiEDR integration via API

l FortiGate, FortiAP and FortiSwitch via FortiGate API

l GCC High Tenant for Azure Audit

l VPC Flow Logs via AWS Kinesis

Bug Fixes and Minor Enhancements

Bug ID | Severity | Module | Description

719210 | Major | App Server | Choosing Malware IOC (IP/Domain/URL/Hash) when there are many Malware IOC groups would result in a sluggish GUI. A full download is recommended for faster FortiSIEM processing. Do not choose incremental download when the website does not provide incremental download.

718253 | Major | App Server | Any customer defined rule could not be approved for deployment in the TASKS > Approval page.

650020 | Major | GUI | If a user navigated to RESOURCES > Reports > Baseline, selected a Reporting EPS Profile and clicked Run, the visualization would not appear and showed a "stuck" loading indicator. A workaround was to navigate to ANALYTICS, go to the folder option, navigate to Reports > Baseline, select a Reporting EPS Profile and click Run.

715377 | Minor | App Server | If a primary contact admin user was saved with an incorrect organization, the ADMIN > License > General and Usage pages would not display any data.

711680 | Minor | App Server | On a FortiSIEM upgraded to 6.2.0, if an ANALYTICS query result spanned many pages (over 199), later pages might not show any results.

705642 | Minor | App Server | If a SAML response did not carry the signature and X509 Certificate attributes, the AppServer would throw a NullPointerException.

685195 | Minor | App Server | Occasionally, after a few weeks or months, the STM job would automatically change from HTTP type to TCP.

719795 | Minor | Data | The Source IP was incorrectly set for Windows Security Event ID 4624 events.

719331 | Minor | Data | The FortiGate parser set Event Action to 0 (permit) even when action=block appeared in event logs; it should be 1. Note: The keyword "blocked" was handled correctly.

717349 | Minor | Data | The Zscaler parser did not correctly handle events with quotes in the URL.

715951 | Minor | Data | The Checkpoint parser created spurious CMDB devices due to incorrect parsing of the origin field.

713156 | Minor | Data | Office365 authentication events were incorrectly parsed as "Authentication success" when "UserKey" was "Not Available" and "Actor" was "Unknown".

712384 | Minor | Data | Windows Security Event 4728 had the incorrect Target User field.

712153 | Minor | Data | The FortiClient EMS parser sometimes failed when there was no clientfeature field.

709663 | Minor | Data | The Nginx parser did not work when a log contained a negative GMT offset.

709182 | Minor | Data | Occasionally, the Windows log parser did not parse the correct Destination Host Name.

708681 | Minor | Data | Maldives was incorrectly listed in RESOURCES > Country Groups > Europe instead of RESOURCES > Country Groups > Asia.

708638 | Minor | Data | The Cisco ASA and Cisco FWSM parsers had incorrect mapping of the Destination and Source IP/Ports.

706898 | Minor | Data | Windows Security log parsing enhanced to include the Kerberos cipher name.

697112 | Minor | Data | The Palo Alto Firewall parser showed the "flowEndReason" attribute value as 0.

694642 | Minor | Data | Uruguay was incorrectly included in the Europe Country Group instead of the South America Country Group.

694259 | Minor | Data | FortiAuthenticator logs forwarded through FortiAnalyzer carried an incorrect Reporting Device IP.

692909 | Minor | Data | For WatchGuard Firebox firewalls, HTTPS certificate attributes were not parsed.

645187 | Minor | Data | Country name mismatches caused rules to trigger.

715304 | Minor | Data | The Palo Alto Firewall log parser did not work for GlobalProtect system logs.

685952 | Minor | Data | The Palo Alto parser enhanced to handle additional log types, including multiple WildFire events.

716961 | Minor | Data | FortiAuthenticator Failed Login was parsed as Successful Login.

724187 | Minor | Data | "SQL Injection Attack detected by NIPS" rule logic corrected to match the rule description.

724187 | Minor | Data | Palo Alto event type PAN-IDP-31914 categorization corrected to match trigger behavior. Event type PAN-IDP-55873 added.

718372 | Minor | GUI | When creating a new report under an Org, an "unknown Error" warning would pop up after saving.

717183 | Minor | GUI | With a large number of CMDB users defined in FortiSIEM, the New and Edit operations in the CASES tab would sometimes time out.

712019 | Minor | GUI | The auto-load feature would reload at 4 am every day, even when an active query was running.

698621 | Minor | GUI | In Report Schedule, multiple email addresses could not be added.

689328 | Minor | GUI | In the Interface Usage Dashboard, user changes to the Application Usage chart were not saved.

681160 | Minor | GUI | From the CMDB page, installed software could not be detected when discovered.

677375 | Minor | GUI | When saving or copying into a parser window, the ">" and "<" characters were encoded and translated.

668386 | Minor | GUI | In MSSP mode, if the user was in CMDB, the device group could not be changed.

688542 | Minor | Log Collection | Azure Audit logs were only pulled from one subscription, even when multiple subscriptions were configured for collection.

719190 | Minor | Parser | Cisco ASA built/teardown parsing was sometimes sluggish when matching connection IDs.

707125 | Minor | Performance Monitoring | VMware cluster level CPU and memory utilization calculations were not accurate.

714176 | Minor | Performance Monitoring | In CMDB > Device > Monitor, the Last Successful attribute was not reset properly, causing flapping between Normal and Warning.

700690 | Minor | Performance Monitoring | HTTPS based STM did not work correctly when different IPs in different STMs were mapped to the same host name.

694596 | Minor | Performance Monitoring | FortiSIEM could not monitor a metric via SNMP when there were more than two alternative OIDs for that metric and another method such as SSH was simultaneously used to monitor other metrics.

712602 | Minor | Query | Query failed if there were parentheses in the nested query with attributes such as "Destination TCP/UDP Port".

684647 | Minor | Query | In ANALYTICS search, a filter on TCP flag would make the query work incorrectly.

682137 | Minor | System | The /etc/hosts file needed to be preserved across upgrades.

690781 | Enhancement | App Server | When an incident is cleared in FortiSIEM, it is now cleared in ConnectWise as well.

712012 | Enhancement | Data | Geo-IP database updated to handle more IPs.

705478 | Enhancement | Data | FortiSandbox parser now extracts virusid and attack name to better populate the malware name attribute.

705471 | Enhancement | Data | FortiMail parser now extracts the virus attribute.

705468 | Enhancement | Data | FortiClient parser now maps threat to the malware name attribute.

702603 | Enhancement | Data | Windows Security log parser extended to support Sysmon v13.

692796 | Enhancement | Data | UnixParser extended to parse SFTP Open file, SFTP Close file, and internal-sftp logs.

689608 | Enhancement | Data | Meraki Firewall parser enhanced to include Flow Start and Flow End events.

684254 | Enhancement | Data | Extreme switch log parser enhanced.

682424 | Enhancement | Data | Parsing improved for Windows Event ID 5145.

680432 | Enhancement | Data | Cisco CallManager and Cisco IMP server parsers enhanced to handle more event types.

668492 | Enhancement | Data | Windows log parser for French-language Windows enhanced. Note: Enhancement primarily for Security log 4728.

725618 | Enhancement | Data | Parsing enhanced to handle Cisco Nexus AUTHPRIV syslog messages.

704115 | Enhancement | Data | The Palo Alto parser extended to parse GlobalProtect system logs.

684897 | Enhancement | Data | The rule "Traffic to FortiGuard Malware IP List" is now able to trigger on valid non-firewall logs.

696237 | Enhancement | GUI | Port number under External Authentication can now be changed.

705100 | Enhancement | Log Collection | Windows BitDefender REST API collection now allows different regions to be selected. Note: Originally, it defaulted the hostname to the US region.

703881 | Enhancement | Rule Engine | PH_REPORT_PACK_FAILED log (which indicates an event dropped during packing from Worker to Supervisor) now includes groupby and aggregate attributes.

712034 | Enhancement | System | pHEventExport and TestESSplitter backend tools updated to run in FortiSIEM 6.x.

Known Issues

Slow Event Database Operations Using Azure Managed NFS File Share Service

If you are running a FortiSIEM 6.3.0 cluster in Microsoft Azure Cloud using the Azure Managed NFS File Share Service, FortiSIEM will not work correctly. Symptoms are files building up in the /data directory and slow GUI queries. A bug was introduced in the Linux kernel (affecting CentOS 8.4 and therefore FortiSIEM 6.3.0) that slows NFS operations. For details, see the section on hangs for large directory enumeration on some kernels in this document: https://docs.microsoft.com/en-us/azure/storage/files/storage-troubleshooting-files-nfs

Note: If you deploy your own NFS v3 or v4 server, FortiSIEM 6.3.0 is not impacted.

Red Hat has not yet published a fix for this issue. The current workaround is to manually downgrade the Linux kernel from the 8.4 kernel to the 8.3 kernel. Note that the older kernel also lacks any kernel fixes that shipped with 8.4, so move back to a fixed 8.4 kernel once one is available. Download and install the 8.3 kernel by following these steps on the Supervisor and on all Worker nodes.

1. On each system, log in as user root and run the following commands. Note: The order of the commands is important. If your system is offline without internet access, download the RPM to a flash drive or file share and upload it to the Supervisor and Workers.

a. cd /tmp

b. mkdir downgrade

c. cd downgrade

d. wget https://os-pkgs-cdn.fortisiem.fortinet.com/centos83/baseos/Packages/kernel-core-4.18.0-240.10.1.el8_3.x86_64.rpm

e. yum localinstall kernel-core-4.18.0-240.10.1.el8_3.x86_64.rpm
Enter 'y' to confirm when prompted.

f. grub2-mkconfig -o /boot/grub2/grub.cfg

g. awk -F\' '$1=="menuentry " {print $2}' /boot/grub2/grub.cfg
Note: Entries are numbered 0, 1, 2, 3, 4 from top to bottom. If the kernel 4.18.0-240.10.1.el8_3.x86_64 is third in the list (index 2), use the command below to set it as the default.

h. grub2-set-default 2

i. Reboot the system with the following command: reboot

2. Log back in as user root and check the kernel version that is running with the following command: uname -r
In the uname -r output, note the new kernel. It should be: 4.18.0-240.10.1.el8_3.x86_64

After the Linux kernel downgrade is done on the Supervisor and Workers, take the following steps:

1. Log in to the Supervisor FortiSIEM GUI.

2. Go to the ANALYTICS tab.

3. Run a query for 10-30 minutes and confirm that query execution is now reasonably fast.
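Steps g and h above assume the 8.3 kernel is the third menu entry. The shell functions below, added here as an example and not taken from the Fortinet release notes, compute the index from grub.cfg instead of hard-coding it, so the same script can be run unchanged on every Supervisor and Worker and refuses to set a default when the requested kernel is not listed. The grub.cfg sample in sample_grub_cfg is constructed for the demo (the kernel versions in it are illustrative, not a claim about any system); the parsing matches what step g relies on, namely that each menuentry title is the second single-quote-delimited field.

```sh
#!/bin/sh
# grub_menu_index CFG KERNEL
# Print the 0-based index of the first top-level grub menuentry in CFG
# whose title contains KERNEL (for example 4.18.0-240.10.1.el8_3.x86_64).
# Exit status 1 and no output if nothing matches.
grub_menu_index() {
    awk -F\' -v k="$2" '
        BEGIN { n = 0; found = 0 }
        $1 ~ /^menuentry *$/ {
            if (!found && index($2, k) > 0) { print n; found = 1 }
            n++
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# grub_default_command CFG KERNEL
# Print the grub2-set-default command for KERNEL, or fail with a message on
# stderr when KERNEL is not a menu entry, so a script never points the
# default at the wrong kernel by accident.
grub_default_command() {
    idx=$(grub_menu_index "$1" "$2") || { echo "kernel $2 not listed in $1" >&2; return 1; }
    echo "grub2-set-default $idx"
}

# Constructed grub.cfg used only for the demo below; not a real system's file.
sample_grub_cfg() {
cat <<'EOF'
### BEGIN /etc/grub.d/10_linux ###
menuentry 'CentOS Linux (4.18.0-305.el8.x86_64) 8' --class centos --class os $menuentry_id_option 'gnulinux-4.18.0-305.el8.x86_64-advanced-1111' {
    linux16 /vmlinuz-4.18.0-305.el8.x86_64 root=/dev/mapper/cl-root ro
}
menuentry 'CentOS Linux (4.18.0-240.22.1.el8_3.x86_64) 8' --class centos --class os $menuentry_id_option 'gnulinux-4.18.0-240.22.1.el8_3.x86_64-advanced-1111' {
    linux16 /vmlinuz-4.18.0-240.22.1.el8_3.x86_64 root=/dev/mapper/cl-root ro
}
menuentry 'CentOS Linux (4.18.0-240.10.1.el8_3.x86_64) 8' --class centos --class os $menuentry_id_option 'gnulinux-4.18.0-240.10.1.el8_3.x86_64-advanced-1111' {
    linux16 /vmlinuz-4.18.0-240.10.1.el8_3.x86_64 root=/dev/mapper/cl-root ro
}
menuentry 'CentOS Linux (0-rescue-1111) 8' --class centos --class os $menuentry_id_option 'gnulinux-0-rescue-1111-advanced-1111' {
    linux16 /vmlinuz-0-rescue-1111 root=/dev/mapper/cl-root ro
}
### END /etc/grub.d/10_linux ###
EOF
}

# Demo on the constructed sample: the 8.3 kernel is the third entry.
cfg=$(mktemp)
sample_grub_cfg > "$cfg"
grub_default_command "$cfg" 4.18.0-240.10.1.el8_3.x86_64   # prints: grub2-set-default 2
rm -f "$cfg"
```

On a real node, run step f first and then `eval "$(grub_default_command /boot/grub2/grub.cfg 4.18.0-240.10.1.el8_3.x86_64)"` in place of step h; after the reboot, `[ "$(uname -r)" = 4.18.0-240.10.1.el8_3.x86_64 ]` is the check from step 2 in scriptable form.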

Need to Re-Configure Open Tunnel After Upgrade/Install of 6.3.0

After upgrading to or doing a fresh install of 6.3.0, the "Connect to" a CMDB device via 'Open Tunnel' feature will no longer work without a configuration change. When users connect via a tunnel, the tunnel appears to open. However, the displayed Supervisor port on which the tunneled connection is supposed to run is actually not open, so users cannot connect either via the plugin or directly. To re-enable this feature, take the following steps:

1. Edit sshd_config.tunneluser on the Supervisor and change the AllowTcpForwarding entry to yes:
AllowTcpForwarding yes

2. Reload the tunnel sshd configuration with the following command:
kill -HUP $(pgrep -f sshd_config.tunneluser)

3. If you opened tunnels after the upgrade but before making the above change, click the Close All button on the ADMIN > Health > Collector Health > Tunnels page.

Note: AllowTcpForwarding was disabled in 6.3.0 to address bug 602294: CVE-2004-1653 SSH port forwarding exposes unprotected internal services. Re-enabling it in sshd_config.tunneluser affects only the tunnel user's sshd instance; leave the main sshd_config unchanged.
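The three steps above as a script, added here as an example and not part of the Fortinet release notes. set_sshd_option rewrites the first active AllowTcpForwarding line (or appends one), drops later duplicates because sshd honours only the first occurrence of a keyword, and leaves comment lines alone; reenable_tunnel_forwarding then validates the file with sshd -t before sending the HUP, so a typo never leaves the tunnel sshd unable to reload. The release notes do not give the path of sshd_config.tunneluser, so the wrapper takes it as an argument; the tunnel config used in the demo is constructed.

```sh
#!/bin/sh
# set_sshd_option CFG KEY VALUE
# Set KEY to VALUE in an sshd_config-style file: the first active line for
# KEY is rewritten, later duplicates are removed, and the directive is
# appended if the file has none. Keys match case-insensitively, as in sshd.
set_sshd_option() {
    cfg=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key); done = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }     # keep comments and blanks
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)               # "Key value" or "Key=value"
            if (tolower(f[1]) == lk) {
                if (!done) { print key " " value; done = 1 }
                next                                  # drop duplicates
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"          # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# sshd_option CFG KEY: print the effective value of KEY (first active line wins).
sshd_option() {
    awk -v lk="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == lk) { print f[2]; exit }
        }
    ' "$1"
}

# reenable_tunnel_forwarding CFG
# CFG is the path of sshd_config.tunneluser on the Supervisor. Only the
# tunnel user's sshd is changed and reloaded; the main sshd_config is not touched.
reenable_tunnel_forwarding() {
    set_sshd_option "$1" AllowTcpForwarding yes || return 1
    sshd -t -f "$1" || return 1                   # refuse to reload a config sshd rejects
    kill -HUP "$(pgrep -f sshd_config.tunneluser)"
}

# Demo on a constructed tunnel config (not the real file on a Supervisor).
demo=$(mktemp)
printf '%s\n' '# tunnel sshd (constructed sample)' 'Port 2222' \
    'AllowTcpForwarding no' 'X11Forwarding no' > "$demo"
set_sshd_option "$demo" AllowTcpForwarding yes
sshd_option "$demo" AllowTcpForwarding     # prints: yes
rm -f "$demo"
```

Run `reenable_tunnel_forwarding /path/to/sshd_config.tunneluser` as root on the Supervisor, then do step 3 in the GUI if any tunnels were opened before the change.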


Need to set Account Environment in Azure Cloud Support Access Credentials after Upgrade

Prior to FortiSIEM 6.3.0, the Azure CLI agent only supported Global Azure (AzureCloud). It did not support Azure Government Cloud, Azure China Cloud, or Azure German Cloud. In 6.3.0 and later releases, all four Azure Cloud types listed below are supported by the Azure CLI agent. When you upgrade a Collector to 6.3.0 for Azure CLI jobs, make sure the Supervisor is also on 6.3.0, and enter the Account Env as part of the Access Credentials.

Account Environment Azure Portal URL

AzureCloud https://portal.azure.com

AzureChinaCloud https://portal.azure.cn

AzureUSGovernmentCloud https://portal.azure.us

AzureGermanCloud https://portal.microsoftazure.de/

Cut and Paste Issue into Report Designer Text Editor

If you cut and paste text from an external document into the Report Designer Text Editor, select all of the copied text, click "Clear Format", and then add your own formatting within the Editor. Otherwise, export will fail.

Rule and Report Modifications since 6.2.1

The following rules were added:

l ES Coordinator Node Staying Down

l ES Coordinator Node Down

l Cortex XDR Alert Detected

l Cortex XDR Alert Prevented

l F5 BIG-IP TMM Attack - FortiGate IPS Exploit Permitted

l FortiAI: Attack Chain Blocked

l FortiAI: Attack Chain Permitted

l CyberX Malware Detected

l Windows Process Tampering Detected

l SUNBURST Suspicious File Hash match by Source and Destination

l DEARCRY Infected File Detected on Network

l DEARCRY Infected File Detected on Host

l DARKSIDE Domain Traffic Detected

l DARKSIDE Ransomware File Activity Detected on Network

l DARKSIDE Ransomware File Activity Detected on Host


l DARKSIDE Ransomware Outbound Network Traffic Detected

l DARKSIDE Ransomware Inbound Network Traffic Detected

l DARKSIDE Suspicious File Hash Found on Network

l DARKSIDE Suspicious File Hash Found on Host

The following rules were deleted:

l Excessive Malware Domain Name Queries

l DNS Traffic to Malware Domains

The following rules were renamed:

l Windows: Unidentified Attacker November 2018 Activity 1 -> Windows: Unidentified Attacker November 2018 Activity 1

l SUNBURST Suspicious File MD5 match -> SUNBURST Suspicious File Hash Match

The following reports were added:

l AWS ELB - Top HTTP Methods by Count

l AWS ELB - Top HTTP Status Codes by Count

l AWS ELB - Top Requests by Source Country

l AWS ELB - Top Source IPs by Count

l AWS ELB - Top Request URLs by Count

l F5 BIG-IP TMM Attack - FortiGate IPS Exploit Permitted

l FortiAI: Attack-Chain Blocked

l FortiAI: Attack-Chain Permitted

l FortiAI: Dashboard Attack-Chain Blocked

l FortiAI: Dashboard Attack-Chain Permitted

l FortiAI: Dashboard Incidents

l FortiAI: Top Attacker IPs by Count

l FortiAI: Top Malware Family by Count

l FortiAI: Top Victim IPs by Count

l Cases Created - Daily

l DARKSIDE Domain Traffic Detected

l DARKSIDE Ransomware File Activity Detected on Network

l DARKSIDE Ransomware File Activity Detected on Host

l DARKSIDE Ransomware Traffic Detected

l DARKSIDE Suspicious File Hash Found

l DEARCRY Infected File Detected on Network

l DEARCRY Infected File Detected on Host

l CyberX Security Alerts

l ZOS: SMF 14/15/17 Dataset Open/Update/Delete Activity

l ZOS: SMF 18 Dataset Rename Activity

l ZOS: SMF 30 JES Job/STC start/end Activity

l ZOS: SMF 32 JES TSO Termination Activity

l ZOS: SMF 42 SMS Add/Delete/Rename/Reuse Activity


l ZOS: SMF 62 VSAM Open Dataset Activity

l ZOS: SMF 80 Security Violations

l ZOS: SMF 81 Initialization and SETROPTS events

l ZOS: SMF 83 Security Changes

l ZOS: SMF 90:37 APF List Changes

l ZOS: SMF 119: TSO Logon

l ZOS: SMF 119: TN3270 Logon

l ZOS: SMF 119: FTP Completion

l ZOS: SMF 119: TCP Connection Termination

The following reports were deleted:

l Incident Trend By Severity - Monthly

l SANS CC5: DNS Traffic To Malware Domains

The following reports were renamed:

l Incident Resolution Time Trend By Severity - Monthly "Mean Time to Resolution" -> Incidents By Location and Category

l Monthly Assigned Incident User Trend -> Cases Created - Weekly

l Incidents By Location and Category -> Cases Closed - Weekly

l Cases Created - Daily -> Cases Closed By User - Weekly

l Cases Created - Monthly -> Incident Trend By Severity - Monthly

l Cases Created - Weekly -> Incident Resolution Time Trend By Severity - Monthly "Mean Time to Resolution"

l Cases Closed - Weekly -> Monthly Assigned Incident User Trend

l Cases Closed By User - Weekly -> Cases Created - Monthly

l SUNBURST Suspicious File MD5 match -> SUNBURST Suspicious File Hash match


Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.