Fortinet opublikował aktualizację oprogramowania dla FortiSIEM o oznaczeniu wersji 7.1.1. Nowa wersja przynosi aktualizację Rocky Linux OS, optymalizację zużycia pamięci, rozszerzenie funkcjonalności Fortinet Advisor oraz rozwiązuje sporo błędów. Więcej szczegółów w artykule!

Co nowego:

• Rocky Linux 8.9
• Redis Memory Usage Optimization
• Support for Trend Vision One
• More SOC Queries via Fortinet Advisor
• SIGMA Rule Fixes
• Rocky Linux 8.9

 

• Rocky Linux 8.9
  
  • To wydanie aktualizuje system operacyjny Rocky Linux do wersji 8.9 i zawiera aktualizacje systemu operacyjnego Rocky Linux opublikowane do 28 listopada 2023 r. Listę aktualizacji można znaleźć na stronie https://errata.rockylinux.org/.
  • Repozytoria FortiSIEM Rocky Linux (os-pkgs-cdn.fortisiem.fortinet.com i os-pkgs-r8.fortisiem.fortinet.com) również zostały zaktualizowane w celu uwzględnienia poprawek do 14 lipca 2023 r. W związku z tym klienci FortiSIEM w wersjach 6.4. 1 i nowszych, mogą aktualizować tylko swoje wersje Rocky Linux, postępując zgodnie z procedurami opisanymi w Procedurze aktualizacji systemu operacyjnego FortiSIEM.
• Optymalizacja wykorzystania pamięci Redis
  • FortiSIEM używa Redis do dystrybucji obiektów grup CMDB (w tym obiektów Malware IP/Domain/URL/Hash) z bazy danych Supervisor PostGreSQL do węzłów Worker. Adres IP złośliwego oprogramowania lub grupa domen zawierająca dużą liczbę wpisów może spowodować, że Redis osiągnie limit pamięci i spowoduje niepowodzenie zapytań wyszukiwania. W tej wersji, dzięki zastosowaniu technik kompresji, szczytowe wykorzystanie pamięci Redis zostało znacznie zmniejszone. Umożliwia to FortiSIEM obsługę większej liczby wpisów w źródłach zagrożeń i większej liczby grup CMDB.
  • Na przykład w eksperymentach firmy Fortinet obejmujących 1 milion adresów IP FortiGuard dla złośliwego oprogramowania, 3 miliony domen złośliwego oprogramowania, 500 000 adresów URL złośliwego oprogramowania i pamięć Java App Server ustawioną na 10 GB, szczytowe wykorzystanie pamięci Redis zostało zmniejszone z 1 GB w wersji 7.0.2 do 156 MB w wersji 7.1. 1. W tym przypadku kompresja spowodowała zmniejszenie pamięci szczytowej Redis o ponad 80%.
• Wsparcie dla Trend Vision One
  • W tej wersji dodano obsługę platformy Trend Vision One XDR. Aby uzyskać szczegółowe informacje na temat integracji, zobacz Trend Vision One w Podręczniku konfiguracji systemów zewnętrznych.
• Więcej zapytań SOC za pośrednictwem Fortinet Advisor
  • Doradca Fortinet rozpoznaje i odpowiada na następujące pytania Security Operations Center (SOC).

1. Get my FortiSIEM environment
2. Get latest 10 high severity Incidents
3. Get most frequent 10 Incidents
4. Get Top 10 risky users
5. Get Top 10 risky devices

• Poprawki zasad SIGMA
  • To wydanie aktualizuje kilka reguł FortiSIEM zaadaptowanych z reguł SIGMA. Aktualizacje obejmują konwersję wyrażeń regularnych z formatu SIGMA do formatu FortiSIEM.

Rozwiązane problemy:

Bug ID	Severity	Module	Description
971855	Major	App Server	Null pointer exception may occur during App Server incident handling.
971840	Major	App Server	App Server may hit deadlock issue in Postgres during FortiSIEM node health update.
977554	Major	ClickHouse	After upgrading to 7.1.0, adding new ClickHouse node to the same shard fails with DDL error.
914974	Major	Rule Engine	User created security incidents auto-clear after 24 hours even if auto_clear_security_incidents=0 is set.
975345	Minor	App Server	For Windows and Linux Agents, agent monitoring attributes overwrite agentless monitoring attributes, when both agentless methods (such as OMI or SSH) are used along with agents on the same server.
973567	Minor	App Server	After cloning an existing rule and changing the evaluation mode to scheduled, Incidents are still evaluated in streaming mode.
972257	Minor	App Server	Summary Dashboards do not show performance metrics collected by Windows Agent.
971860	Minor	App Server	For Event Receive Hour/Day/Week queries, Query Result Export and Scheduled Report do not work correctly.
971276	Minor	App Server	System defined and user defined Network objects with same IP range become incorrectly linked together.
971126	Minor	App Server	Invalid Query XML for IN queries with more than 1 Individual Countries.
969372	Minor	App Server	Public REST API for Event Query and Archive Query return no events if report syntax is invalid. It should return error instead.
968983	Minor	App Server	Content update fails if there are dashboard widgets in the content update.
968751	Minor	App Server	Box.com integration may cause App Server to lock up when auth token expires.
968266	Minor	App Server	For Incident public REST API, queries for second and subsequent pages may fail with 503 error code if called too fast.
962913	Minor	App Server	Need to throttle public REST API queries by returning HTTP status code 429, when client sends in too many requests.
939273	Minor	App Server	Cannot modify device properties for multi-tenant collector.
936243	Minor	App Server	Timezone selection for Europe/Berlin is not listed in UTC+2, but it is in UTC+1.
927843	Minor	App Server	Discovering a device via FSM Agent and EMS/FGT integration results in duplicate CMDB entries.
926647	Minor	App Server	CMDB Device Report: No result for 'Property Event Receive Time Gap [Low/High] Threshold minutes’.
970594	Minor	ClickHouse Backend	Update phClickHouseImport tool to support event DB data import from custom directory instead of CUSTOMER_1 only.
974846	Minor	Discovery	Test Connectivity for Cisco FireAmp fails.
970075	Minor	Discovery	GitLab discovery failure: Need to use host name as IP does not work during SSL handshake.
931808	Minor	Discovery	For standalone FortiSwitch, Network Interfaces not discovered via SNMP v3 because of lack of support for SHA-224, SHA-256, SHA-384 and SHA-512 for authentication and AES-192 and AES-256 for encryption.
976427	Minor	GUI	Analytics > Investigation page, Run Reports > Event Receive Time column shows epoch value instead of date formatted values.
976046	Minor	GUI	User with Dashboard only role gets empty landing page after login.
974384	Minor	GUI	In CMDB Report, Latest Monitor Time and Latest Event Pulling Time fields show epoch value instead of date formatted values.
972715	Minor	GUI	Check Reputation in Real Time/Historical Search does not work.
971557	Minor	GUI	NullPointerException in the POST SAML response after modifying the idle timeout for Azure SSO user.
966730	Minor	GUI	Name field from External Authentication shouldn’t allow 'space’ when the protocol is SAML.
966728	Minor	GUI	SAML Organization field for SAML Role configuration doesn’t accept space + umlaut characters.
964794	Minor	GUI	For user defined rules/reports, the user cannot move rules or reports to a new custom folder without creating a copy.
963867	Minor	GUI	Malformed IP address can be successfully imported from .CSV file without error checking.
957400	Minor	GUI	CMDB Report – Rule query – Scope attribute only takes integer, but needs string.
927769	Minor	GUI	GUI allows invalid / character to be added in port field for FortiOS credentials.
887630	Minor	GUI	Widget Setting as Single Line Chart and Display Type as Text – COUNT(Matched Events) displays no count.
628705	Minor	GUI	It is better to disable 'Test’ button for OKTA authentication policy instead of showing 'IP/Host is required’.
970976	Minor	Parser	In 'PH_SYSTEM_IP_EVENTS_PER_SEC’ event, Reporting Device is set incorrectly.
966727	Minor	Parser	For Amazon AWS CloudWatch, CMDB is populated for each discovered device.
974448	Minor	phMonitor	Disaster recovery setup may fail with 1 hour timeout, if CMDB replication takes a long time (resulting from CMDB being large and network bandwidth being slow).
968131	Minor	Query	Query using DevicetoCMDBAttr does not return any result for custom property.
965081	Minor	Report	In PDF Report, legend may not always show.
971810	Minor	System	phziplogs does not pull phoenix-x.log due to file format change from phoenix.log.x.
966773	Minor	System	Collector fresh-install needs internet to uninstall rpcbind.
972752	Minor	Windows Agent	Windows Agent reports „Disk Full” for Optical Drives.
954108	Minor	Windows Agent	Agent can’t talk to Collector (verification fails) when Collector has a TLS certificate.
964501	Enhancement	ClickHouse Backend	Generate an incident and system error when free disk of ClickHouse is lower than 20%.
961884	Enhancement	ClickHouse Backend	Enhancement – Procedures for incrementally adding ClickHouse storage.
972486	Enhancement	Data work	Add rule/report for Apache ActiveMQ Ransomware Attack.
971135	Enhancement	Data work	Netflow dashboards do not include all relevant traffic.
967829	Enhancement	Data work	Windows – Need to parse Logon GUID to userID instead of machineGUID.
966160	Enhancement	Data work	Need to enhance FortiEDR Rule and event parsing.
964446	Enhancement	Data work	FortiGate Events generated with logID 0100044545 needs to be parsed as FortiGate-event-admin-delete.
963543	Enhancement	Data work	Missing column 'appServerState’ when loading Application Server dashboard.
962882	Enhancement	Data work	Update Carbon Black CEF parser.
939482	Enhancement	Data work	HPiLoParser Unknown Event due to different syslog header format.
936650	Enhancement	Data work	PANOS parser enhancement needed to parse original VM name from Panorama logs.
916555	Enhancement	Data work	’Group Policy Object Created/Modified’ rules have the same event type filter.
912298	Enhancement	Data work	Parse device hostname for FortiAuthenticator parser.
869437	Enhancement	Data work	Update Zscaler log integration in JSON format.
850455	Enhancement	Data work	Update KasperskyParser, update RegEx.
964471	Enhancement	Generative AI	In ChatGPT audit log, provide visibility of user and org ID.
969605	Enhancement	Performance Monitoring	mib2xml enhancements to handle Dell iDRAC.
963416	Enhancement	Rule Engine	Sometimes phRuleWorkers drops events, while load is light and has CPU and memory resources.

 

Notatki producenta: FortiSIEM 7.1.1

Pozdrawiamy,

Zespół B&B
Bezpieczeństwo w biznesie