FortiSIEM Features

Features

HTML5 based GUI for dashboard

You can log on to the HTML5 version of the Dashboard page using the link https://<SupervisorIP>/phoenix/html.

For details see Dashboards – HTML5 version.

Policy based event retention

Currently, the on-line event database storage is managed in a FCFS basis. When the event database gets full, oldest events are purged or archived. This release enables you to set event retention policies based on Customer (Service Provider case), Reporting Devices and Event Types. For example, performance metrics and flow events should be kept for 30 days but server logs for 1 year.

This release also provides visibility into which Reporting Device and Event Type is consuming the most storage on a per-day basis. This enables administrators to write better data retention policies.

Note that this feature consumes significant compute and storage I/O resources. Since events are stored in compressed form, they have to be first uncompressed, then filtered according to the data retention policies, and finally the logs that remain have to be re-indexed. It is recommended that you create these policies after some thought and change them infrequently. Run the reports to monitor the performance of retention policy execution.

For details, see Managing Online Event Data.

Vulnerability correlation and device risk scoring

In this release, FortiSIEM assigns a risk score (0-100) to a device by combining Asset Weight, Vulnerabilities found on that device, Security and Non-security incident counts and severities. Users can modify certain factors to tailor the risk computation for their environment. A view is created that shows the devices ranked by risk scores along with a timeline view of the incidents that resulted in that score. The risk score is computed hourly and the trend is presented in the view.

For details, see here for Flash version and here for HTML5 version. Risk computation is detailed here.

Scalable windows agent architecture enabling agent sending events to collectors (Windows Agent/Agent Manager 2.1)

FortiSIEM Windows agents provide efficient log collection and other important functionality such as file integrity monitoring, registry and installed-software change monitoring, and removable media insertion and write activity. In previous releases, a set of Windows agents was associated with a single Windows Agent Manager (WAM), which was responsible for configuring the Windows Agents and then relaying logs from the Agents to a Collector. This architecture has several issues: (a) the WAM is a single point of failure for both configuration and log relay, and (b) the rigid association of Agents to a single WAM causes deployment and bookkeeping problems when a large number of agents need to be deployed.

This release vastly improves on that architecture. The WAM is now used primarily for configuring Agents. As part of the configuration, Agents can be associated with one or more FortiSIEM Collectors, and they send logs directly to the assigned set of Collectors in round-robin fashion. A single WAM can configure a large number of Agents. By removing the WAM from the event forwarding path and using the Collector infrastructure, this architecture scales much better.

For details, see here

Dynamic CMDB groups

CMDB Device Groups and Business Service Groups are critical to FortiSIEM Analytics: they let users write rules and reports of the form “Reporting IP IN A CMDB Group”. Currently, CMDB Device Groups are populated during discovery based on an internal template keyed on device vendor and model, e.g. a Fortinet FortiGate belongs to both the Firewall Group and the VPN Group, and Cisco IOS belongs to the Router/Switch Group. Business Groups have to be created manually and kept up to date.

This release automates this process by letting the user define rules that dynamically associate devices with CMDB groups and Business Services. A rule condition can be based on Device Vendor, Model, Host Name and IP Range. When a device matches, it is placed in the specified CMDB Groups and Business Services. Dynamic CMDB Group assignment happens automatically during discovery, but the assignment rules can also be applied at any time to force immediate assignment. Note that this dynamic assignment is in addition to the internal template-based assignment during discovery.

For details, see Creating Dynamic CMDB Group Policies.
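The rule evaluation described above (conditions on vendor, model, host name and IP range, AND-ed together, with matching devices added to the target groups on top of whatever the discovery template already assigned) can be illustrated with a small standalone script. This is an added example, not FortiSIEM code; the Device and GroupRule classes, the field names, the IP range syntax (CIDR or "a.b.c.d-e.f.g.h") and the sample devices are all constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Device:
    host: str
    ip: str
    vendor: str
    model: str
    # groups already assigned by the template-based discovery (never removed here)
    groups: set = field(default_factory=set)


@dataclass
class GroupRule:
    """All given conditions must match (AND); a matching device joins every target."""
    targets: tuple
    vendor: Optional[str] = None
    model: Optional[str] = None
    host_regex: Optional[str] = None
    ip_range: Optional[str] = None   # CIDR ("10.20.0.0/16") or "10.20.1.1-10.20.1.50"


def ip_in_range(ip: str, rng: str) -> bool:
    """True if ip falls in rng; an IPv4/IPv6 mismatch is simply 'no match'."""
    addr = ipaddress.ip_address(ip)
    if "-" in rng:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-", 1))
        if lo.version != addr.version or hi.version != addr.version:
            return False
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(rng, strict=False)


def rule_matches(rule: GroupRule, dev: Device) -> bool:
    if rule.vendor and rule.vendor.lower() != dev.vendor.lower():
        return False
    if rule.model and rule.model.lower() != dev.model.lower():
        return False
    if rule.host_regex and not re.search(rule.host_regex, dev.host, re.IGNORECASE):
        return False
    if rule.ip_range and not ip_in_range(dev.ip, rule.ip_range):
        return False
    return True


def apply_rules(devices, rules):
    """Add groups from matching rules to each device; returns {host: groups newly added}."""
    added = {}
    for dev in devices:
        matched = {g for r in rules if rule_matches(r, dev) for g in r.targets}
        added[dev.host] = matched - dev.groups
        dev.groups |= matched          # additive: template groups are kept
    return added


# Constructed sample inventory and rules (not from the product).
DEVICES = [
    Device("fw-pay-01", "10.20.1.1", "Fortinet", "FortiGate-600D", {"Firewall", "VPN"}),
    Device("sw-core-01", "10.30.5.2", "Cisco", "Catalyst 3850", {"Router/Switch"}),
    Device("fw-lab-01", "172.16.0.1", "Fortinet", "FortiGate-60E", {"Firewall", "VPN"}),
]
RULES = [
    GroupRule(("Business Service: Payments",), ip_range="10.20.0.0/16"),
    GroupRule(("PCI Scope",), vendor="Fortinet", host_regex=r"^fw-pay-"),
    GroupRule(("Lab",), ip_range="172.16.0.1-172.16.0.254"),
]

if __name__ == "__main__":
    for host, new in apply_rules(DEVICES, RULES).items():
        print(host, "->", sorted(new))
```

Because the result is additive, a device keeps its template groups (the FortiGate stays in Firewall and VPN) and only gains the Business Service and compliance groups its attributes justify; re-running the rules is idempotent.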

Display CMDB reports in dashboard

Currently, a dashboard can only show reports containing event data. Starting with this release, CMDB reports can also be displayed on the same dashboard, side by side with event data.

For details, see here for Flash version and here for HTML5 version.

Multi-line syslog handling

Often an application writes a single syslog message as multiple lines. For analysis purposes, the lines need to be put back together into a single log. This feature enables you to do that.

You can write multiple multi-line syslog combining rules, each keyed on a reporting IP together with a begin pattern and an end pattern. All syslog lines from that reporting IP between the begin and end patterns are combined into a single log.

For details, see Multi-line Syslog Handling.
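The following added example (not FortiSIEM code) implements the combining logic described above: rules keyed on reporting IP with begin and end regexes, a per-IP buffer so that lines from other sources interleaved in the stream do not contaminate the message being assembled, and a flush at end of input so an unterminated message is emitted rather than silently lost. The CombineRule class and the sample syslog lines are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class CombineRule:
    """One combining rule: keyed on reporting IP, with begin and end regexes."""
    reporting_ip: str
    begin: "re.Pattern[str]"
    end: "re.Pattern[str]"


def combine_multiline(lines, rules):
    """Merge multi-line syslog messages into single logs.

    lines: iterable of (reporting_ip, text) in arrival order.
    For an IP that has a rule, a line matching `begin` opens a buffer; later
    lines from the same IP are appended until one matches `end`, and the
    buffered lines are emitted as one log joined with newlines. Lines from IPs
    without a rule, or outside a begin/end span, pass through unchanged.
    """
    by_ip = {r.reporting_ip: r for r in rules}
    buffers = {}                 # reporting_ip -> pending lines of an open message
    out = []
    for ip, text in lines:
        rule = by_ip.get(ip)
        if rule is None:
            out.append((ip, text))
        elif ip in buffers:
            buffers[ip].append(text)
            if rule.end.search(text):
                out.append((ip, "\n".join(buffers.pop(ip))))
        elif rule.begin.search(text):
            if rule.end.search(text):        # begin and end on the same line
                out.append((ip, text))
            else:
                buffers[ip] = [text]
        else:
            out.append((ip, text))
    for ip, buf in buffers.items():          # flush unterminated messages
        out.append((ip, "\n".join(buf)))
    return out


# Constructed sample: an audit application on 10.1.1.5 emits one record as
# several syslog lines, interleaved with an unrelated host 10.1.1.9.
RULES = [CombineRule("10.1.1.5",
                     re.compile(r"BEGIN TRANSACTION"),
                     re.compile(r"END TRANSACTION"))]
SAMPLE = [
    ("10.1.1.5", "Nov  3 10:00:01 app1 audit[1234]: --- BEGIN TRANSACTION 77 ---"),
    ("10.1.1.9", "Nov  3 10:00:01 web1 sshd[88]: Accepted publickey for bob from 10.9.9.9"),
    ("10.1.1.5", "Nov  3 10:00:01 app1 audit[1234]: user=alice action=transfer"),
    ("10.1.1.5", "Nov  3 10:00:01 app1 audit[1234]: amount=500 dest=acct-9912"),
    ("10.1.1.5", "Nov  3 10:00:01 app1 audit[1234]: --- END TRANSACTION 77 ---"),
    ("10.1.1.5", "Nov  3 10:00:02 app1 audit[1234]: heartbeat ok"),
]

if __name__ == "__main__":
    for ip, log in combine_multiline(SAMPLE, RULES):
        print(f"{ip}: {log!r}")
```

The sshd line from 10.1.1.9 is emitted immediately, the four audit lines become one log, and the trailing heartbeat passes through on its own. Keying the rule on reporting IP matters for the same reason in production: without it, a begin pattern from one host could swallow unrelated lines from another.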

Custom configuration change monitoring

FortiSIEM can collect configurations from devices and detect changes. Currently, FortiSIEM supports this feature for a limited set of devices, and users cannot add devices of their choice.

This release lets users do configuration change monitoring for any device. The user uploads their own configuration collection script into the system and associates it with a device type. When a device of that type is discovered, a configuration change detection job is created that runs the user-defined collection script.

For details, see Custom Configuration Change Monitoring.

STIX/TAXII support for external threat intelligence

This release allows you to download any threat intelligence data in STIX format using TAXII transport protocol without writing any code. Supported IOCs include Malware Domain, IP, URL and hash.

For details, see Custom Malware Domain Threat Feed, Custom Malware IP Threat Feed, Custom Malware Hash Threat Feed and Custom Malware URL Threat Feed.

Enhancements

Ability to monitor a subset of interfaces and processes

Currently, FortiSIEM monitors all interfaces and processes, and there is no way to exclude a subset of them. Many network devices (e.g. Voice Gateways) have logical interfaces that do not need to be monitored; similarly, servers have processes that may not need to be monitored. These redundant interfaces and processes often generate large numbers of events and consume a lot of storage over time, especially when there are many such devices.

This release allows you to specify a set of important interfaces and processes. Once this set is defined, FortiSIEM switches to monitoring only this set of important interfaces and processes.

For details, see Adding Important Interfaces and Adding Important Processes.

Ability to flag a WAN interface

Often it is important to monitor only WAN interfaces in a dashboard or report. A typical deployment has many routers/firewalls, each with one or two WAN interfaces. Since WAN interfaces are not clearly marked in any configuration or SNMP MIB, the only way to create such a report is to manually list all the device and interface pairs in the query, which makes the query quite cumbersome.

This release enables you to mark an interface as a WAN interface. Events for that interface then carry the WAN flag, so to query all WAN interfaces you simply specify “isWAN = true” in the query.

For details, see Adding Important Interfaces.

Ability to define per-process CPU, Memory thresholds

FortiSIEM provides a way to specify global thresholds and per-device local thresholds and to refer to them in a rule, so that a single rule can cover both global and local thresholds.

A threshold can be a single value, such as the Critical CPU threshold or the Warning CPU threshold, or a map, such as a map of interface utilization or disk utilization thresholds. Single values are fully customizable, meaning users can add their own; map thresholds require the keys (such as interface name or disk name) to be defined in the system.

This release extends map thresholds to also include process name. Users can define global thresholds for process CPU utilization and process memory utilization, plus per-device, per-process overrides (e.g. for SQL Server).

For details, see Setting Global and Per-Device Threshold Properties.

Ability to include attachments in a ticket

FortiSIEM provides its own ticketing system for users that do not want to rely on an external ticketing system. Often there is a need to include attachments in a ticket, e.g. to demonstrate the problem while creating a ticket and to demonstrate the resolution while closing it. This release allows you to include attachments (PDF and PNG format) in a ticket and to export the ticket as a PDF that also includes the attachments.

For details, see Ticket Related Operations.

Allow exceptions for merging based on hardware serial numbers

FortiSIEM repeatedly discovers devices, so it needs an algorithm, based on hardware serial numbers, host name, IP and MAC addresses, to merge duplicate devices in the CMDB. Currently, the hardware serial number is a definitive factor: two devices are merged if their serial numbers are identical. However, virtualized devices often have generic serial numbers, e.g. “Unknown”, “0000” etc., which causes unrelated devices to be merged incorrectly. This release provides a way to create a list of such virtual serial numbers that are not considered for merge purposes.

For details, see Discovery Settings.
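To make the failure mode concrete, here is an added example (not FortiSIEM code) of a merge routine where the serial number is definitive only when it is not on an exclusion list of generic values; when either side's serial is generic, the decision falls back to weaker identifiers. The fallback order used here (shared MAC address, then identical host name and IP) is an assumption of the example, as are the VIRTUAL_SERIALS list, the DiscoveredDevice class and the sample discovery results.

```python
from dataclasses import dataclass

# Generic serial values seen on virtualized or poorly provisioned hosts.
# A serial on this list is treated as absent for merge purposes (constructed list).
VIRTUAL_SERIALS = {"", "unknown", "0000", "0", "none", "n/a", "to be filled by o.e.m."}


@dataclass(frozen=True)
class DiscoveredDevice:
    host: str
    ip: str
    serial: str
    macs: frozenset


def usable_serial(dev, virtual_serials=VIRTUAL_SERIALS):
    """Normalized serial, or None if it is a known generic value."""
    s = dev.serial.strip().lower()
    return None if s in virtual_serials else s


def should_merge(a, b, virtual_serials=VIRTUAL_SERIALS):
    """Decide whether two discovery results describe the same device.

    Serial number is definitive when both sides have a real one. If either
    is generic, fall back to a shared MAC address, then to identical host
    name and IP (fallback order is this example's assumption).
    """
    sa, sb = usable_serial(a, virtual_serials), usable_serial(b, virtual_serials)
    if sa is not None and sb is not None:
        return sa == sb
    if a.macs & b.macs:
        return True
    return a.host.lower() == b.host.lower() and a.ip == b.ip


def merge_discoveries(devices, virtual_serials=VIRTUAL_SERIALS):
    """Group discovery results into CMDB entries (a list of lists, in first-seen order)."""
    entries = []
    for dev in devices:
        for entry in entries:
            if any(should_merge(dev, seen, virtual_serials) for seen in entry):
                entry.append(dev)
                break
        else:
            entries.append([dev])
    return entries


# Constructed sample: two distinct VMs both reporting serial "0000", a firewall
# discovered twice via different IPs, and a VM rediscovered with serial "Unknown".
SAMPLE = [
    DiscoveredDevice("vm-web-01", "10.0.0.11", "0000", frozenset({"00:50:56:aa:00:01"})),
    DiscoveredDevice("vm-web-02", "10.0.0.12", "0000", frozenset({"00:50:56:aa:00:02"})),
    DiscoveredDevice("fw-edge", "10.0.0.1", "FGT60E4Q16000001", frozenset({"00:09:0f:11:22:33"})),
    DiscoveredDevice("fw-edge", "192.168.1.1", "FGT60E4Q16000001", frozenset({"00:09:0f:11:22:34"})),
    DiscoveredDevice("vm-web-01", "10.0.0.11", "Unknown", frozenset({"00:50:56:aa:00:01"})),
]

if __name__ == "__main__":
    for entry in merge_discoveries(SAMPLE):
        print([f"{d.host}/{d.ip}" for d in entry])
    print("without exclusion list:")
    for entry in merge_discoveries(SAMPLE, virtual_serials=set()):
        print([f"{d.host}/{d.ip}" for d in entry])
```

With the exclusion list in force, the two VMs stay separate and the firewall's two discoveries collapse into one entry. Run with an empty exclusion list, the "0000" serials match and vm-web-01 and vm-web-02 are wrongly merged into one CMDB entry, which is exactly the mis-merge the feature prevents.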

Device / Application Support

Windows Server 2016 – discovery, performance monitoring and log analysis like other Windows Servers – see Microsoft Windows Server Configuration.

FortiDDoS – log analysis – see FortiDDoS Configuration

Google Apps – audit log analysis – see Google Apps Audit Configuration.

Microsoft Office 365 – audit log analysis – see Microsoft Office365 Audit Configuration

Cisco ACI – performance monitoring – see Cisco Application Centric Infrastructure (ACI) Configuration

Brocade CER and MLX routers – performance monitoring – see Brocade NetIron CER Routers

Clavister IPS – log analysis – see here

Cisco SF 300 SG300/350 switches – discovery, performance monitoring – see Cisco 300 Series Routers

Fortinet 5001B firewalls – discovery, performance monitoring – per-CPU utilization extensions – see Fortinet FortiGate Firewall Configuration

Bug Fixes / Enhancements

Bug ID Severity Component Description
17906 major Parser FortiSandbox Parser does not support FortiSandbox VM
17415 major Parser Some WatchGuard events are not parsed
17453 major Parser Update the SourceFire parser to support version 6 and later and Snort messages.
18053 major GUI Incorrect Admin > General Settings > Discovery > Application Filter
17281 normal App Server Handle rediscovery of devices moved from a system defined group
17346 normal App Server Should not update ‘Worker up’ error message every 3 minutes if the worker is not in down status
18056 normal Parser Parse event severity from Stonesoft events
12617 normal Parser Event severity of some Snort events is incorrect
16765 normal GUI Multiple users cannot use the same dashboard name
16845 normal System FortiSIEM Login credential anonymization algorithm causes unnecessary login failures
16514 normal App Server Reports: Display Column “Display As” not working for scheduled PDF reports
18108 normal App Server Incident Id in Notification Email includes HTML tags in Email Subject
17418 normal GUI Add Remediation to Rule Export
15868 normal Discovery FortiSIEM SSH not logging out of Palo Alto Firewall during configuration discovery
17979 normal GUI Improve display performance of CMDB > Link Usage page in GUI
17422 normal Parser Imperva DAM Unknown Event Types in Panasonic logs
16985 normal App Server Allow Super-Global admin to assign an incident ticket to an org user in Super
17555 normal Parser Application recognition inconsistency in Netflow IPFIX analysis
17507 normal Rule Error in System defined Rule “Cisco Call Manager DDR Down”
17110 normal Parser Reporting device name parsed wrong in Motorola AirDefense Parser
16966 normal GUI Virtual IPs disappear after exporting and importing credentials
16956 normal GUI When two super global users create a dashboard for an org, they see each others dashboards in that org
16311 normal GUI Sometimes the value of application performance shows incompletely when the bar is red
17253 normal GUI Page header of Ticket export has display issues
17540 normal GUI Can’t export the result of a cloned Audit Rule to PDF
16023 normal GUI Incidents page – Filter condition will change after user cancels it via “…” and “e”
17436 normal GUI Cannot save new ticket without assignee or due date.
17837 normal System Reverse tunnel vulnerability not fixed on 4.7.2 upgrade
16763 normal Parser Event parse status is wrong for MYSQL_JDBC_PULL_STAT
16762 enhancement Parser Parse ‘reporting device name’ ‘host name’ at the first time for log discovered device.
13823 enhancement GUI Allow Users to select Important Processes per device from the software tab in CMDB
17094 enhancement GUI Need CMDB Report for Running Applications
17860 enhancement App Server Threat Feed integration with InSights required by Panasonic
15792 enhancement App Server Support ‘Report Logo’ and ‘UI Logo’ for Organizations UI and PDF reports
16973 enhancement App Server Improve and Optimize CI lookup
16983 enhancement App Server Need a way to specify ticket due dates to specific times
17093 enhancement DataManager Create an event for when Incoming EPS is more than Guaranteed EPS
12049 enhancement Parser Parse more Symantec AV Events
18003 enhancement Parser Some event type display names have %s
17428 enhancement App Server In CMDB Report, allow Organization and Collector Name as columns
16994 enhancement GUI Allow the ability to launch integration policy from a specific Incident

Current Open Issues

Id Severity Component Description
8867 Normal Rule Engine LAST and FIRST operators in rules do not work (may crash Rule Worker module)
11036 Normal Rule Engine Rule Worker module may abort when a PctChange expression is used
14242 Normal Query Engine RBAC data conditions not enforced for SP organizations when logging in via the super org and moving to another org.
15022 Normal Parser Engine Parser module may stall/pause if a host name resolution is slow. Workaround for now is to disable host name resolution.
11112 Normal Rule Engine COUNT DISTINCT operations consume large resources for rules utilizing Anomaly Detection
14478 Normal GUI Sometimes GUI pops up a warning (Large amount of data stored over the boundaries) when users restore archived data or delete the restored data
15109 Normal Performance Monitoring Failed Custom JDBC job shows in performance page after Discovery
15247 Normal Parser AIX Parser cannot parse events correctly.
15253 Normal Parser Reporting device name is parsed wrong in LinuxInotifyParser (affects Linux file integrity monitoring via AccelOps agent)
14929 Normal Performance Monitoring Maintenance calendar issue – Maintenance for a device does not start at the configured time if there is a long running disabled job of another device
15068 Normal Application Server Dashboard Search Filtering does not work for Clariion LUNs under Summary Tab
15231 Normal Application Server Generating PDF Reports over 100 pages will drop Page Footer
15233 Minor Application Server “Validation Status” column in Admin->Event DB->Event Integrity does not allow for sorting.
15300 Minor GUI For Report Server, if you sync -> unsync -> sync in rapid succession, then the last sync may not take effect
9261 Enhancement Application Server Charts in exported reports (PDF format) only contain stacked charts – not line charts