FortiSIEM What’s New In 4.6.3

What’s new in Release 4.6.3

Starting 4.6.3, AccelOps has been re-branded as FortiSIEM.


Special upgrade procedure

Features

FortiSIEM re-branding

From this release onward, AccelOps will be branded FortiSIEM.

Enforce TLS 1.2 for tighter security

FortiSIEM web servers now only advertise TLS 1.2. All FortiSIEM components now communicate using the TLS 1.2 protocol. This includes the following communications:

  1. Collector to Super/Worker
  2. Worker to Super
  3. Browser to Super
  4. Windows Agent to Agent Manager
  5. Agent Manager to Collector and Super
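To confirm after the upgrade that a Super, Worker, Collector or Agent Manager really refuses anything older than TLS 1.2, the added example below (not FortiSIEM code) attempts one handshake per protocol version and reports which were accepted. The hostname is an assumed placeholder; the checker treats "TLS 1.2 accepted and every older version refused" as the expected post-4.6.3 state.

```python
import socket
import ssl

# Versions to probe. The release notes say only TLS 1.2 should be accepted.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def handshake_with(host, port, version, timeout=5.0):
    """Return True if host:port completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We test protocol negotiation only, not certificate trust, so verification
    # is off here. Do not reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        # The local OpenSSL build cannot even enable this legacy version;
        # count it as "not negotiable" from this client.
        return False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        # Handshake rejected, connection refused, or timeout: not accepted.
        return False


def probe_tls_versions(host, port=443):
    """Map each version name to whether the server accepted a handshake."""
    return {name: handshake_with(host, port, ver) for name, ver in VERSIONS.items()}


def enforces_tls12_only(results):
    """True when TLS 1.2 is accepted and every older probed version is refused."""
    return bool(results.get("TLSv1.2")) and not any(
        ok for name, ok in results.items() if name != "TLSv1.2"
    )


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "super.example.invalid"  # placeholder
    res = probe_tls_versions(target)
    for name, ok in res.items():
        print(f"{name}: {'accepted' if ok else 'refused'}")
    print("TLS 1.2 only:", enforces_tls12_only(res))
```

On hosts whose OpenSSL disables TLS 1.0/1.1 on the client side, those rows read "refused" regardless of the server, so confirm legacy rejection from a client that can still speak them before relying on the result.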

Windows Agent Enhancements (Windows Agent and Agent Manager 2.0)

This release contains the following Windows Agent enhancements.

  1. Enhanced user file monitoring: Windows Agent allows users to monitor changes in custom files. This release enhances this feature in the following ways.
    1. Allow the user to specify a custom string for each monitored file. The user-defined string is included in the event type as a signature for that file. For example, if the user is monitoring a special MyApp1 log file, the user can specify a custom string such as MyApp1, and the event type would be AO-WUA-UserFile-MyApp1. This allows the user to write a specific parser for each monitored log file by specifying the string AO-WUA-UserFile-MyApp1 in the event format recognizer.
    2. Allow wildcards in the monitored file name, e.g. *radius.log. This enhancement covers dynamically named log files that include dates in the file name. For example, DHCP and RADIUS log files are generated every day and the file names contain the date, e.g. 012415radius.log.
  2. Ability to monitor any file in the Windows Event Manager tree: Prior to this release, AccelOps only monitored specific log files in the Windows Event Manager tree, namely Security, Application and Performance events, DNS logs, DHCP logs etc. This release provides the capability to monitor any file in the Windows Event Manager tree. The user chooses the desired Windows Event Manager folder and the FortiSIEM Agent starts monitoring events for that application. The corresponding event type contains the folder name to distinguish it from events from other folders.
  3. Windows CD/DVD/USB monitoring: FortiSIEM can now detect insertion/removal and certain file read/write activity on external media such as USB and CD/DVD. Specifically, the following cases are covered in this release:
    1. Detect when external media such as USB, CD or DVD is inserted
    2. Detect when external media such as USB, CD or DVD is removed
    3. Detect when a file is written to USB
  4. Enhanced File Integrity and Registry change monitoring: This release contains the following enhancements:
    1. The user can exclude directories while specifying files to be monitored, e.g. monitor “C:\System32” but exclude “C:\System32\Log”
    2. Include the name of the process that triggered the file modification in FortiSIEM events
    3. Allow environment variables in the file path definition
  5. Monitoring Template and License Assignment improvements: for details see here.
    1. The user can define multiple monitoring templates per host, e.g. an OS monitoring template, an Application 1 monitoring template, an Application 2 monitoring template etc.
    2. The user can assign templates and licenses to a large number of hosts with far fewer clicks than in earlier releases
    3. A searchable tabular display of host-to-license and host-to-template assignments.
  6. Allow multiple PowerShell and WMI scripts per monitoring template. Prior releases only allowed one script per template.
  7. Create alerts when an Agent is stopped, uninstalled or unresponsive. This allows users to detect and report these potential policy violations.
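The custom-string event types, wildcard file names, directory exclusions and environment variables described in items 1 and 4 interact when deciding whether a changed file produces an event and under which type. The added model below is illustrative only, not the Windows Agent's code or configuration format: the rule list and environment mapping are constructed from the page's own examples (MyApp1, *radius.log, C:\System32 with C:\System32\Log excluded), and the naming of the event type follows the AO-WUA-UserFile-<string> pattern the notes give.

```python
import fnmatch
import ntpath
import re

# Constructed sample rules: (monitored directory, file pattern, custom string,
# excluded subdirectories). The real agent's config format is not on the page.
MONITOR_RULES = [
    (r"C:\System32", "*", "System32", [r"C:\System32\Log"]),
    (r"%ProgramData%\MyApp1\logs", "*.log", "MyApp1", []),
    (r"C:\RADIUS", "*radius.log", "RADIUS", []),
]

# Constructed environment used for %VAR% expansion in paths (item 4.3).
ENV = {"ProgramData": r"C:\ProgramData"}


def expand_env(path, env=ENV):
    """Expand Windows-style %VAR% references; unknown names are left intact."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def _under(path, directory):
    """Case-insensitive check that `path` is `directory` or lies beneath it."""
    p = ntpath.normcase(path)
    d = ntpath.normcase(directory.rstrip("\\"))
    return p == d or p.startswith(d + "\\")


def event_type_for(path, rules=MONITOR_RULES):
    """Return the AO-WUA-UserFile-<custom> event type for a monitored path,
    or None when no rule covers it or an exclusion applies."""
    path = expand_env(path)
    for directory, pattern, custom, excludes in rules:
        if not _under(path, expand_env(directory)):
            continue
        if any(_under(path, expand_env(ex)) for ex in excludes):
            continue  # excluded subtree (item 4.1)
        # Wildcards match the file name only, so dated names like
        # 012415radius.log fall under *radius.log (item 1.2).
        if fnmatch.fnmatch(ntpath.basename(path).lower(), pattern.lower()):
            return f"AO-WUA-UserFile-{custom}"
    return None
```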

Bug Fixes / Enhancements

Bug ID Severity Component Description
13156 Major System In a high-EPS environment, license checking may fail because of the inability to fork new processes, resulting in workers becoming unavailable.
16125 Major App Server The feature “Fire Incidents for Approved devices only” does not work correctly
16555 Major App Server User-added widgets in dashboards in Super global mode always run in ad hoc query mode (instead of inline mode), making dashboards run slowly
16433 Normal Parser Netflow Application from Fortinet firewalls is not handled correctly
16248 Normal Parser Syslog over TCP does not work correctly – logs are not complete
16442 Normal App Server Summary dashboard loads slowly when there are a large number of devices with a location specified
16586 Normal App Server Incident Notification over XML over HTTPS does not work correctly because of a handshake failure.
16286 Enhancement GUI Add search filter for collectors in Admin > General Settings > Event Org mapping > Add > Collectors
16567 Normal Performance Monitoring AWS RDS monitoring sometimes does not work correctly.
16470 Normal Rule Engine Incidents may not trigger when Event Dropping Rules refer to stale CMDB objects
16581 Normal GUI ‘Copy to remote’ option is turned off for ‘Scheduled for’ when the user schedules a report in Super/global mode.
16530 Normal Performance Monitoring SNMP v3 with AES not working after upgrading to 4.6.2
16481 Normal Performance Monitoring STM job credential manipulation may cause discovery and performance monitoring to crash. This was introduced by a 4.6.2 enhancement that obfuscates user names and passwords in system calls from back-end processes
16093 Enhancement App Server Report names are not meaningful when they are copied to an external location via the “Copy to remote” feature
16251 Enhancement GUI, Parser Allow comma-separated External Org in Event Org Mapping. This allows multiple external organizations to map to a single FortiSIEM organization.

Current Open Issues

Bug ID Severity Component Description
8867 Normal Rule Engine LAST and FIRST operators in rules do not work (may crash the Rule Worker module)
11036 Normal Rule Engine Rule Worker module may abort when a PctChange expression is used
14242 Normal Query Engine RBAC data conditions are not enforced for SP organizations when logging in via the super org and moving to another org.
15022 Normal Parser Engine Parser module may stall/pause if host name resolution is slow. The workaround for now is to disable host name resolution.
11112 Normal Rule Engine COUNT DISTINCT operations consume large resources for rules utilizing Anomaly Detection
14478 Normal GUI Sometimes the GUI pops up a warning (Large amount of data stored over the boundaries) when users restore archived data or delete the restored data
15109 Normal Performance Monitoring Failed Custom JDBC job shows in the performance page after Discovery
15247 Normal Parser AIX Parser cannot parse events correctly.
15253 Normal Parser Reporting device name is parsed wrongly in LinuxInotifyParser (affects Linux file integrity monitoring via the AccelOps agent)
14929 Normal Performance Monitoring Maintenance calendar issue – maintenance for a device does not start at the configured time if there is a long-running disabled job for another device
15068 Normal Application Server Dashboard search filtering does not work for Clariion LUNs under the Summary tab
15231 Normal Application Server Generating PDF reports over 100 pages drops the page footer
15233 Minor Application Server “Validation Status” column in Admin->Event DB->Event Integrity does not allow sorting.
15300 Minor GUI For Report Server, if you sync -> unsync -> sync in rapid succession, the last sync may not take effect
9261 Enhancement Application Server Charts in exported reports (PDF format) only contain stacked charts – not line charts

What’s new in Release 4.6.2

This release contains the following bug fixes.

Bug Fixes

Bug ID Severity Component Description
15161 Major Performance Monitor, Discovery The ability for AccelOps to connect to SNMP on a UDP port other than the default 161, a 4.6.1 feature, does not work correctly.
16235 Major Parser WMI-based pulling of Windows Security, Application and System logs truncates some event attributes, so certain Windows reports and rules may not work correctly.
16249 Minor Discovery Default hardware serial numbers (like “None” in CentOS) cause two devices to be merged incorrectly during discovery
16237 Minor Performance Monitoring Long-running performance monitoring jobs may cause new performance monitoring jobs to not take effect


This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
