Fortinet opublikował aktualizację oprogramowania dla FortiSIEM o oznaczeniu wersji 7.1.0. Wersja ta przynosi sporo nowości, pośród których znajdziemy między innymi Fortinet Advisor – czyli doradca oparty o sztuczną inteligencję (OpenAI/ChatGPT-4) który będzie w stanie odpowiadać na zapytania SOC, odpowiadać na pytania (na podstawie dokumentacji oraz wewnętrznego KB), analizować oraz rekomendować w przypadku incydentów oraz zautomatyzować ten proces oraz wspierać podczas tworzenia raportu generowanego z poziomu FortiSIEM. Wprowadzono również nowe modele uczenia maszynowego, służące wykrywaniu anomalii oraz wiele więcej!
Co nowego:
Fortinet Advisor
This release introduces OpenAI/ChatGPT-4 powered Advisor that provides the following functions:
- Responses to SOC Queries by running an API. Currently, the following questions are supported.
- Get FortiSIEM health – This retrieves the current health of FortiSIEM nodes including Supervisor, Worker and Collector.
- Get the latest known vulnerabilities – This retrieves the list of vulnerabilities in your environment known to FortiSIEM. To get this data, you must enable FortiSIEM to collect data from FortiClient/EMS or vulnerability scanners.
- Responses to Questions from 7.1.0 Product documentation and internal knowledge base articles.
- Analysis and Recommendations for logs and Incidents: From Incidents > List View, Incidents > Risk, Incidents > Investigation and Analytics > Search pages, you can launch these requests using the Fortinet Advisor menu option. Incident analysis provided by OpenAI/ChatGPT-4 can be added to Incident Comments.
- Automated Incident Analysis and Recommendation using the Notification policy framework. Incident Notification email can be configured to include Incident analysis provided by OpenAI/ChatGPT-4.
- Help in building a FortiSIEM Report: You can ask the Fortinet Advisor to “Create a report”. After the report has been generated, the report can be uploaded to Analytics at the click of a button and subsequently run. You can also create a rule once you are satisfied with the Report.
Important Notes:
- When asking Advisor to build a report, you can describe the report using natural language, but certain keywords need to be present for accuracy. The syntax is as follows and the keywords are in bold: Create a report to show the <comma separated list of attributes> where <filtering conditions>, group them by <list of event attributes>, and only show results for <having conditions>, order by <attribute> in ascending or descending order. Grouping and ordering is optional. Several examples are provided in the Advisor GUI.
- For SOC Queries, you always have to use the exact question: “Get FortiSIEM health” and “Get the latest known vulnerabilities”.
- Anonymization: When you ask ChatGPT for log and Incident analysis using the Fortinet Advisor menu option, then customer specific information is anonymized before sending to ChatGPT. The returned results are converted back to the original values before displaying to the user. The full list of event attributes are located at Admin > Device Support > Event Attributes. Similar anonymization is performed when you invoke ChatGPT via Notification policy. If you manually enter log and ask ChatGPT to analyze the log, then the log fields are not anonymized.
For details on using the Fortinet Advisor, see here.
Scheduled Rules for ClickHouse based Deployments
This release allows users to create Incidents by running reports on periodic intervals. This is only supported for ClickHouse based deployments. In contrast to the current in-memory streaming rule engine, Scheduled rules require disk access and does not scale comparably. In-memory option is faster and a large number of rules can be evaluated concurrently. However, the new scheduled report-based approach has the following advantages:
- Rules can be written using the complex analytic functions introduced in 7.0.
- Rules can be evaluated over larger time intervals.
Once the scheduled rule conditions are met, Incidents are created the same way as Streaming rules.
For steps on how to define scheduled rules, see Creating a Rule.
A ClickHouse Query Management layer is introduced to enforce a priority-based scheduling between 3 types of queries: Interactive GUI queries (highest priority), Scheduled Rules (medium priority), and Scheduled Reports (lowest priority). The status of currently running ClickHouse queries can be seen on the Query Status page.
Windows Certificate Monitoring via Agent
This release enables FortiSIEM to monitor certificates on Windows hosts via FortiSIEM Agent 7.1.0 and later. The following use-cases are handled:
- Detect when a certificate is added or deleted.
- Detect when a certificate has 7-30 days (configurable) left before expiration.
- Report on certificates that have expired (Can notify „X” number of days after certificate has expired, „X” being configurable).
- Detect self-signed certificates.
Steps on how to create a Certificate Monitoring Template and distribute to Windows agents is described in Define the Windows Agent Monitor Templates. Sample logs are available here.
Windows Osquery via Agent
Osquery (https://osquery.readthedocs.io/en/latest/) enables you to collect a variety of information from hosts. The osquery framework provides the following key advantages over logging, and can be used effectively in addition to log analysis.
- Osquery can provide information that is not necessarily available in logs, for example the programs that run when a machine starts up, the TCP/UDP ports that are tied to services, etc…
- Hosts can be queried for live information using osquery. This can be very useful in Incident investigations.
- Osquery is Operating system independent – the same Osquery can work for Windows and Linux. Note that FortiSIEM currently supports Osquery for Windows only.
In this release, the osquery framework is integrated into FortiSIEM Windows Agent 7.1. When the 7.1 agent installs, or you upgrade to the 7.1 version, the osquery feature is available.
- A built-in set of osqueries is provided (Resources > Osquery), and you can create and test your own osquery.
- An osquery can be attached to a Windows monitoring template, along with other logging and performance monitoring definitions. When the template is assigned to hosts, each host will run the osquery at specific intervals and send the osquery results as FortiSIEM events (prefixed with
PH_OSQUERY_WIN). The events can be used in Rules and Reports. Lookup Tables can be populated using these events and Rules can be written using the Lookup Tables. - Reports for built-in osqueries are in Resources > Reports > Osquery. Built-in Rules for osqueries can be found by searching for “osquery” in Resources > Rules in the main pane.
- The user can also run live osqueries from Incident Investigation View. The osquery will collect the current matching data from the hosts. The results can be saved to PDF and attached to Cases.
For steps on how to create an osquery, see here. To attach an osquery to a Windows Monitoring template, see here. Running an osquery from an Incident Investigation graph is a selectable option under Run Reports.
User Alias in Risk Calculation
Often times, a user can have multiple accounts, e.g. Active Directory, AWS, Office 365, email. This release provides a way to define aliases for the main user account in CMDB > User> Edit > Alias. FortiSIEM calculates the Total Risk for that user by including the incidents in which aliases appear.
New Machine Learning Models
This release adds two new Anomaly Detection Machine Learning models:
- Gaussian Model – This unsupervised machine learning model approximates the probability distribution of an event attribute as a Gaussian distribution. A data point is considered anomalous if its occurrence probability is lower than the provided threshold.
- Gaussian Mixture Model – As a generalization of the Gaussian model, this unsupervised machine learning model approximates the probability distribution of an event attribute as N Gaussian distributions. This is useful for modeling event attributes which has multiple peaks and valleys. A data point is considered anomalous if its occurrence probability is lower than the provided threshold.
Rozwiązane problemy:
| Bug ID | Severity | Module | Description |
|---|---|---|---|
| 954115 | Major | App Server | When host status=UEBA and template configuration with only 'UEBA’ is applied, then a Device license is counted. |
| 951833 | Major | ClickHouse Backend | NFS Real Time Archive for ClickHouse does not work. |
| 953340 | Major | GUI | GUI throws error when a requestor tries to activate or deactivate one rule in Enterprise mode. |
| 955478 | Major | Linux Agent | Linux Agent is auditing its own processes and system calls – resulting in large number of useless events. |
| 951156 | Major | System | In some situations, ReportWorker to ReportMaster communication issues can cause Data Manager to drop events. |
| 953313 | Minor | App Server | Audit log is not generated when rule is activated or deactivated in Enterprise mode. |
| 953181 | Minor | App Server | PH_UPDATE_RULE_SUCCEED audit event does not have correct ruleName event attribute, when rule is deleted (added is OK). |
| 949130 | Minor | App Server | Description column not included when importing watchlist. |
| 944462 | Minor | App Server | PDF/CSV Export fails for „Rules with Exception” CMDB Report. |
| 937174 | Minor | App Server | Upgrade and Content Updates may not complete as jobs show status as 'InWaiting’. |
| 936858 | Minor | App Server | Error occurs when disabling/enabling a new created event dropping rule. |
| 936635 | Minor | App Server | Can’t update content version to 409 if content version is not configured to 400. |
| 936224 | Minor | App Server | Backend LDAP Authentication Events Shown as Unknown Events in Analytics. |
| 930437 | Minor | App Server | PostgreSQL log files are growing in number when DR has issue – create a log when this happens. |
| 928788 | Minor | App Server | Scheduling a report to run in the future runs after saving the schedule. |
| 926547 | Minor | App Server | Public Watchlist REST API (POST /phoenix/rest/watchlist/save) is not working. |
| 923582 | Minor | App Server | Public REST API /phoenix/rest/device/update returns error when updating a specific device. |
| 923081 | Minor | App Server | Public REST API to update CMDB Device System property returns NullPointer Exception. |
| 920602 | Minor | App Server | Public REST API for device maintenance (/phoenix/rest/deviceMaint/update) returns status code 500 even though it successfully created a maintenance schedule. |
| 915524 | Minor | App Server | Cases tab – Export Summary for all tickets is limited to 30 entries. |
| 902079 | Minor | App Server | Periodic updates are not working for AlienVault Malware Hash. |
| 887393 | Minor | App Server | FortiSIEM Incident Tags not being reflected in Incident JSON when pulled via Rest API. |
| 881550 | Minor | App Server | Malware Domain (AlienVault) doesn’t pull all the domain values from AlienVault’s response. |
| 876052 | Minor | App Server | Global Org view permission not honored from dashboard widget and drill down when phEventCategory is part of the query. |
| 874420 | Minor | App Server | Custom dashboard cannot be shared with AD group role user. |
| 814006 | Minor | App Server | Cloud Health shows wrong info after 6.5.0 for Supervisor with two NICs. |
| 954731 | Minor | App Server,GUI | Global constraint using simple function in rule is not working properly. |
| 860610 | Minor | App Server,GUI | Read-only user can still modify some values due to improper access controls. |
| 940119 | Minor | ClickHouse Backend | ClickHouse internal logs (trace_log, part_log, asynchronous_metric_log, query_log) grow to take up significant storage. |
| 888575 | Minor | ClickHouse Backend | ClickHouse encounters Signal 8 segmentation fault when all nodes in a shard are deleted. |
| 958249 | Minor | Data work | FortiGate Parser Event Type Spelling Error for NTP Status Events. |
| 955723 | Minor | Data work | Drilldown from the Server Dashboard -> Logins -> Account Lockouts widget leads to the wrong report. |
| 932909 | Minor | Data work | GitlabLogParser not functioning properly. |
| 932801 | Minor | Data work | Update Cisco Umbrella DNS parser. |
| 904038 | Minor | Data work | Update parsing for Win-Security-5136. |
| 946373 | Minor | Discovery | LDAP discovery imports contact when email field is configured. |
| 937157 | Minor | Discovery | AD Discovery completes, but cmdb GUI does not load (reason: bad group insertion in ph_group table). |
| 958820 | Minor | Event Pulling Agents | Agent Manager has high memory when reading large files for Generic AWS S3 integration. |
| 958363 | Minor | Event Pulling agents | Missing some Proofpoint events due to vendor’s data format changes. |
| 951615 | Minor | Event Pulling Agents | For Tenable Security Agent, duplicate events may be seen if phAgentManager process is restarted. |
| 949554 | Minor | Event Pulling Agents | CrowdStrike event stream is getting reset every 5 minutes. |
| 956515 | Minor | GUI | Cases with overlapping incidents does not work. If a Case is opened for an Incident which is already part of a Case, then the existing case is updated. |
| 954050 | Minor | GUI | FortiGuard CTS external lookup results not added to result history in Investigation. |
| 934291 | Minor | GUI | Altering critical interfaces list in CMDB is only possible for the first selected device. |
| 933843 | Minor | GUI | Allow Parser Test to proceed even if there are more than 10 test events. |
| 928561 | Minor | GUI | Need to add OMI in Resources > Remediation, since Windows Remediation scripts require OMI credential. |
| 946758 | Minor | Identity & Location | Sometimes phIpIdentityWorker module crashed in libcurl module. |
| 915091 | Minor | Linux Agent | Linux agent audit.log folder filling up with denied write messages for user fsmadmin. |
| 951409 | Minor | Machine Learning | Viewing Scatter Plot from Machine Learning > Prepare causes GUI corruption. |
| 951408 | Minor | Machine Learning | Report for ML job built from ad-hoc report is saved in Ungrouped folder instead of Machine Learning. |
| 934545 | Minor | Notification | Case automatically created from incident without any notification policy configured. |
| 899393 | Minor | Notification | No subject line in SMS Incident Notification. |
| 943849 | Minor | Parser | Two PH_SYSTEM_EPS_ORG events generated for Super organization when there are Super local collectors. |
| 936757 | Minor | Parser | EPS calculation mismatch because (a) unknown events not counted towards license and (b) type casting error. |
| 931868 | Minor | Parser | Collector Name is not set correctly in events. |
| 925100 | Minor | Query | ClickHouse Queries referring custom network range object returns no data. |
| 937564 | Minor | Report | Report Designer only allows one Legend per Page, even if you add multiple Charts to the same page. |
| 952241 | Minor | Rule | Occasional NullPointerException error when testing a rule. |
| 925899 | Minor | Rule | phRuleMaster process crashes due to event size 65k buffer overflow. |
| 938995 | Minor | System | In Redis cache and clickhouse, ingestionnodesonline key missing for datamanager and querymaster, causing queries to fail – happens on migrating other databases to ClickHouse. |
| 938739 | Minor | System | PostgreSQL symbolic link was missing for psql 13 (6.4.x -> 6.7.2). |
| 938735 | Minor | System | Upgrade failed due to httpd process that did not start (6.7.1 -> 6.7.3). |
| 938675 | Minor | System | Upgrade to 6.7.4 could not uninstall python package pyyaml (6.6.3 -> 6.7.4). |
| 921597 | Minor | System | Reboot extremely slow and /tmp files removal errors after upgrade to v7.0.0. |
| 902108 | Minor | System | Installing on VMware ESX8 reports a certificate error. |
| 952305 | Minor | Windows Agent | UEBA File printed events comes through as ’?’ when printing files with Arabic characters. |
| 947196 | Minor | Windows Agent | Windows agent events are not parsed, when agent moves from offline > online. |
| 902941 | Minor | Windows Agent | Windows Agent always uses Windows proxy settings automatically and ignores /noproxy settings. |
| 954539 | Enhancement | App Server | Add Audit log when user runs a query and exports data from GUI. |
| 951444 | Enhancement | App Server | Extend the public Incident API to pull Incidents by specific event types. |
| 937666 | Enhancement | App Server | Remove unnecessary elements from Rule and Report Definition XML file during export from GUI. |
| 919278 | Enhancement | App Server | Provide IP + User based lockout for shared system accounts. |
| 908586 | Enhancement | App Server | FortiSIEM nodes discovered as a separate CMDB Group. |
| 877664 | Enhancement | App Server | Handle AlienVault new native API. |
| 808565 | Enhancement | App Server | Provide feedback on GUI when importing malware ip/hash, etc. from CSV files. |
| 955721 | Enhancement | Data work | Proofpoint parser update for URLs. |
| 958363 | Enhancement | Data work | Proofpoint parser needs update. |
| 955949 | Enhancement | Data work | Update FortiMail Cloud event parser. |
| 953321 | Enhancement | Data work | Enhance Pulse Secure VPN events to parse User, Source IP and Source Country fields. |
| 953213 | Enhancement | Data work | Sophos XG Firewall Parser update. |
| 951972 | Enhancement | Data work | Win-Sysmon-22-DNS-Query Event needs enhancement. |
| 949904 | Enhancement | Data work | Wrong Incident Title – Concurrent VPN Authentications To Same Account From Different Cities. |
| 949563 | Enhancement | Data work | Ingestion JSON Formatted Event from BitdefenderGravityZoneParser does not populate Reporting Ip. |
| 947118 | Enhancement | Data work | Add case to Generic DHCP Parser to resolve 'unknown’ events. |
| 943724 | Enhancement | Data work | Fortimanager v7.2.3 parsing fails. |
| 943106 | Enhancement | Data work | Update FortiClient parser. |
| 940666 | Enhancement | Data work | Update FortiEDR parser. |
| 936898 | Enhancement | Data work | Several parsers incorrectly use applicationId of type UINT32 as a string field. |
| 935755 | Enhancement | Data work | Need to update UbiquityParser for new event types. |
| 933472 | Enhancement | Data work | Parse VMware vSAN Trace Logs. |
| 926545 | Enhancement | Data work | Update McAfeeXmlParser Parser. |
| 925683 | Enhancement | Data work | Create two rules for Dragos Worldview IP Traffic. |
| 924510 | Enhancement | Data work | FortiGate Parser doesn’t parse when FortiGate serial number begins with 'FD’. |
| 911349 | Enhancement | Data work | WinOSWmiParser not parsing Application Name as attribute for event ids : 5154, 5158. |
| 901988 | Enhancement | Data work | NSX-T events are not being parsed correctly. |
| 885730 | Enhancement | Data work | FortiWeb Cloud Parser via syslog. |
| 885316 | Enhancement | Data work | Sourcefire2Parser is not parsing the HTTP Response Code field to httpStatusCode in the Raw Event Log. |
| 884548 | Enhancement | Data work | FortiAI/NDR parser update. |
| 881333 | Enhancement | Data work | Add Support to parse events received from FortiAuthenticator. |
| 879396 | Enhancement | Data work | Windows Security Event IDs 1200,1201,1206,1207,1210 are missing fields in 'RequestAuditComponent’ via windows agent. |
| 876847 | Enhancement | Data work | McAfee Web Gateway parser update. |
| 873640 | Enhancement | Data work | Additional SNMP SysObjIds needed for Dell switches. |
| 926726 | Enhancement | Discovery | Add support for JBOSS 7.1. |
| 829081 | Enhancement | Discovery | For Agent/WMI/OMI – provide user option to set FQDN or shortname in discovery, perf monitoring and logs. |
| 930821 | Enhancement | Event Pulling Agents | Enhance HTTPS Advanced Generic Poller to support raw JSON post to support APIs similar to Cortex XDR. |
| 937127 | Enhancement | GUI | Add capability to Search on Discover > Include/Exclude Types. |
| 927632 | Enhancement | GUI | Allow users to choose number of rows/page in tables. |
| 916266 | Enhancement | GUI | Prevent users from changing incident severity category by mistake. |
| 942641 | Enhancement | Linux Agent | Add FortiSIEM Linux Agent support for Debian 11 and Debian 12. |
| 941337 | Enhancement | Performance Monitoring | Add CPU and Memory Monitoring via SNMP for Huawei VRP. |
| 922131 | Enhancement | Rule | Create a System Error in GUI when FortiSIEM starts to throttle Incidents (Rate limiting threshold is hit). |
| 938679 | Enhancement | System | Need to verify FSM RPM before upgrade (6.7.x -> 6.7.7). |
| 938672 | Enhancement | System | Clean up old upgrade images from /opt/upgrade to save space and make new upgrade succeed. |
| 926490 | Enhancement | System | Enhance phziplogs to include phoenix_config.txt and dmesg output. |
| 880535 | Enhancement | System | Enable Content update Docker Collector. |
| 933390 | Enhancement | Upgrade | Before beginning upgrade, ensure that /opt has enough free disk for CMDB backup. |
Znane problemy:
- Kafka encryption via SASL/SSL is set from the GUI. This feature was added to 6.7.6 and 7.0.1, but the configuration was via
phoenix_config.txt. If you are using this feature in 6.7.6 or 7.0.1 and upgrade to 7.1.0, you need to navigate to Admin > Settings > System > Kafka in FortiSIEM GUI, change Protocol from PLAINTEXT to SSL and re-do Test Connectivity. - Special steps for upgrading 6.2.0 Collector with 7.1.0 Supervisor are required. A bug was introduced in 6.2.0 but fixed in 6.2.1, which will cause the Collector upgrade from 6.2.0 to 7.1.0 to fail, unless the following steps are taken:
- Download the upgrade package,
FSM_Upgrade_All_7.1.0_build####.zip. - Unzip the package:
unzip FSM_Upgrade_All_7.1.0_build####.zip - Go to the upgrade package folder:
cd FSM_Upgrade_All_7.1.0_build### - Decompress the python 3.9 package:
tar xf Py39-compiled-install.tar.xz - Move the python 3.9 folder to
/usr/local:mv py39/ /usr/local/ - Create symlink for python 3.9:
ln -s /usr/local/py39/bin/python3.9 /usr/bin/python3.9 - Continue with upgrade from Supervisor.
- Download the upgrade package,
Notatki producenta: FortiSIEM 7.1.0
Pozdrawiamy,
Zespół B&B
Bezpieczeństwo w biznesie
