Fortinet has released a software update for FortiSIEM, version 7.1.1. The new version brings a Rocky Linux OS update, memory usage optimization, extended Fortinet Advisor functionality and fixes a large number of bugs. More details in the article!
What's new:
- Rocky Linux 8.9
- Redis Memory Usage Optimization
- Support for Trend Vision One
- More SOC Queries via Fortinet Advisor
- SIGMA Rule Fixes

Rocky Linux 8.9:
- This release updates the Rocky Linux operating system to version 8.9 and includes the Rocky Linux OS updates published up to November 28, 2023. The list of updates can be found at https://errata.rockylinux.org/.
- The FortiSIEM Rocky Linux repositories (os-pkgs-cdn.fortisiem.fortinet.com and os-pkgs-r8.fortisiem.fortinet.com) have also been updated to include fixes up to July 14, 2023. Consequently, FortiSIEM customers on version 6.4.1 and later can update only their Rocky Linux version by following the procedures described in the FortiSIEM OS Update Procedure.

Redis Memory Usage Optimization:
- FortiSIEM uses Redis to distribute CMDB group objects (including Malware IP/Domain/URL/Hash objects) from the Supervisor PostgreSQL database to the Worker nodes. A Malware IP or Domain group containing a large number of entries can cause Redis to reach its memory limit, which makes search queries fail. In this release, compression techniques substantially reduce peak Redis memory usage. This allows FortiSIEM to handle more entries in threat feeds and more CMDB groups.
- For example, in Fortinet's experiments with 1 million FortiGuard Malware IPs, 3 million Malware Domains, 500,000 Malware URLs and Java App Server memory set to 10 GB, peak Redis memory usage dropped from 1 GB in version 7.0.2 to 156 MB in version 7.1.1. In this case, compression reduced peak Redis memory by more than 80%.

Support for Trend Vision One:
- This release adds support for the Trend Vision One XDR platform. For integration details, see Trend Vision One in the External Systems Configuration Guide.

More SOC Queries via Fortinet Advisor:
- Fortinet Advisor recognizes and answers the following Security Operations Center (SOC) questions:
- Get my FortiSIEM environment
- Get latest 10 high severity Incidents
- Get most frequent 10 Incidents
- Get Top 10 risky users
- Get Top 10 risky devices

SIGMA Rule Fixes:
- This release updates several FortiSIEM rules adapted from SIGMA rules. The updates include the conversion of regular expressions from SIGMA format to FortiSIEM format.
Resolved issues:
Bug ID | Severity | Module | Description |
---|---|---|---|
971855 | Major | App Server | Null pointer exception may occur during App Server incident handling. |
971840 | Major | App Server | App Server may hit deadlock issue in Postgres during FortiSIEM node health update. |
977554 | Major | ClickHouse | After upgrading to 7.1.0, adding new ClickHouse node to the same shard fails with DDL error. |
914974 | Major | Rule Engine | User created security incidents auto-clear after 24 hours even if auto_clear_security_incidents=0 is set. |
975345 | Minor | App Server | For Windows and Linux Agents, agent monitoring attributes overwrite agentless monitoring attributes, when both agentless methods (such as OMI or SSH) are used along with agents on the same server. |
973567 | Minor | App Server | After cloning an existing rule and changing the evaluation mode to scheduled, Incidents are still evaluated in streaming mode. |
972257 | Minor | App Server | Summary Dashboards do not show performance metrics collected by Windows Agent. |
971860 | Minor | App Server | For Event Receive Hour/Day/Week queries, Query Result Export and Scheduled Report do not work correctly. |
971276 | Minor | App Server | System defined and user defined Network objects with same IP range become incorrectly linked together. |
971126 | Minor | App Server | Invalid Query XML for IN queries with more than 1 Individual Countries. |
969372 | Minor | App Server | Public REST API for Event Query and Archive Query return no events if report syntax is invalid. It should return error instead. |
968983 | Minor | App Server | Content update fails if there are dashboard widgets in the content update. |
968751 | Minor | App Server | Box.com integration may cause App Server to lock up when auth token expires. |
968266 | Minor | App Server | For Incident public REST API, queries for second and subsequent pages may fail with 503 error code if called too fast. |
962913 | Minor | App Server | Need to throttle public REST API queries by returning HTTP status code 429, when client sends in too many requests. |
939273 | Minor | App Server | Cannot modify device properties for multi-tenant collector. |
936243 | Minor | App Server | Timezone selection for Europe/Berlin is not listed in UTC+2, but it is in UTC+1. |
927843 | Minor | App Server | Discovering a device via FSM Agent and EMS/FGT integration results in duplicate CMDB entries. |
926647 | Minor | App Server | CMDB Device Report: No result for 'Property Event Receive Time Gap [Low/High] Threshold minutes'. |
970594 | Minor | ClickHouse Backend | Update phClickHouseImport tool to support event DB data import from custom directory instead of CUSTOMER_1 only. |
974846 | Minor | Discovery | Test Connectivity for Cisco FireAmp fails. |
970075 | Minor | Discovery | GitLab discovery failure: Need to use host name as IP does not work during SSL handshake. |
931808 | Minor | Discovery | For standalone FortiSwitch, Network Interfaces not discovered via SNMP v3 because of lack of support for SHA-224, SHA-256, SHA-384 and SHA-512 for authentication and AES-192 and AES-256 for encryption. |
976427 | Minor | GUI | Analytics > Investigation page, Run Reports > Event Receive Time column shows epoch value instead of date formatted values. |
976046 | Minor | GUI | User with Dashboard only role gets empty landing page after login. |
974384 | Minor | GUI | In CMDB Report, Latest Monitor Time and Latest Event Pulling Time fields show epoch value instead of date formatted values. |
972715 | Minor | GUI | Check Reputation in Real Time/Historical Search does not work. |
971557 | Minor | GUI | NullPointerException in the POST SAML response after modifying the idle timeout for Azure SSO user. |
966730 | Minor | GUI | Name field from External Authentication shouldn't allow 'space' when the protocol is SAML. |
966728 | Minor | GUI | SAML Organization field for SAML Role configuration doesn't accept space + umlaut characters. |
964794 | Minor | GUI | For user defined rules/reports, the user cannot move rules or reports to a new custom folder without creating a copy. |
963867 | Minor | GUI | Malformed IP address can be successfully imported from .CSV file without error checking. |
957400 | Minor | GUI | CMDB Report – Rule query – Scope attribute only takes integer, but needs string. |
927769 | Minor | GUI | GUI allows invalid / character to be added in port field for FortiOS credentials. |
887630 | Minor | GUI | Widget Setting as Single Line Chart and Display Type as Text – COUNT(Matched Events) displays no count. |
628705 | Minor | GUI | It is better to disable 'Test' button for OKTA authentication policy instead of showing 'IP/Host is required'. |
970976 | Minor | Parser | In 'PH_SYSTEM_IP_EVENTS_PER_SEC' event, Reporting Device is set incorrectly. |
966727 | Minor | Parser | For Amazon AWS CloudWatch, CMDB is populated for each discovered device. |
974448 | Minor | phMonitor | Disaster recovery setup may fail with 1 hour timeout, if CMDB replication takes a long time (resulting from CMDB being large and network bandwidth being slow). |
968131 | Minor | Query | Query using DevicetoCMDBAttr does not return any result for custom property. |
965081 | Minor | Report | In PDF Report, legend may not always show. |
971810 | Minor | System | phziplogs does not pull phoenix-x.log due to file format change from phoenix.log.x. |
966773 | Minor | System | Collector fresh-install needs internet to uninstall rpcbind. |
972752 | Minor | Windows Agent | Windows Agent reports "Disk Full" for Optical Drives. |
954108 | Minor | Windows Agent | Agent can't talk to Collector (verification fails) when Collector has a TLS certificate. |
964501 | Enhancement | ClickHouse Backend | Generate an incident and system error when free disk of ClickHouse is lower than 20%. |
961884 | Enhancement | ClickHouse Backend | Enhancement – Procedures for incrementally adding ClickHouse storage. |
972486 | Enhancement | Data work | Add rule/report for Apache ActiveMQ Ransomware Attack. |
971135 | Enhancement | Data work | Netflow dashboards do not include all relevant traffic. |
967829 | Enhancement | Data work | Windows – Need to parse Logon GUID to userID instead of machineGUID. |
966160 | Enhancement | Data work | Need to enhance FortiEDR Rule and event parsing. |
964446 | Enhancement | Data work | FortiGate Events generated with logID 0100044545 need to be parsed as FortiGate-event-admin-delete. |
963543 | Enhancement | Data work | Missing column 'appServerState' when loading Application Server dashboard. |
962882 | Enhancement | Data work | Update Carbon Black CEF parser. |
939482 | Enhancement | Data work | HPiLoParser Unknown Event due to different syslog header format. |
936650 | Enhancement | Data work | PANOS parser enhancement needed to parse original VM name from Panorama logs. |
916555 | Enhancement | Data work | 'Group Policy Object Created/Modified' rules have the same event type filter. |
912298 | Enhancement | Data work | Parse device hostname for FortiAuthenticator parser. |
869437 | Enhancement | Data work | Update Zscaler log integration in JSON format. |
850455 | Enhancement | Data work | Update KasperskyParser, update RegEx. |
964471 | Enhancement | Generative AI | In ChatGPT audit log, provide visibility of user and org ID. |
969605 | Enhancement | Performance Monitoring | mib2xml enhancements to handle Dell iDRAC. |
963416 | Enhancement | Rule Engine | phRuleWorkers sometimes drops events even when load is light and CPU and memory resources are available. |
Vendor release notes: FortiSIEM 7.1.1
Regards,
B&B Team
Security in business