FortiSIEM What’s New in Release 4.3.1

What’s New in Release 4.3.1

This release adds features and functionality in several areas.

AccelOps Visual Analytics

AccelOps Systems Features

New chart types for search result visualization

Visualization for profiled metrics and drill down from incidents

Performance and Availability Monitoring

Ability to specify per-device threshold in rules

Enhanced custom command output monitoring

Windows custom command output monitoring

Log Management and Security Incident Event Monitoring (SIEM)

Amazon Web Services CloudTrail monitoring

Box.com file monitoring

Okta Single Sign-On (SSO) integration via SAML 2.0

Vendor default password usage detection

Detect malware via file hash and user agent match

Detect communication via Anonymity Networks (Open Proxies and TOR nodes)

Device Support

Significant Enhancements

Migrate SVN to local disk

Trigger event query optimization

Device location import

Event dropping rule enhancement

CIDR format for specifying discovery ranges

Launch discovery from CMDB

IP Address management enhancements

Critical interface selection usability enhancement

CMDB Report extensions

Dynamic EPS Adjustment algorithm

Incident table and Identity/Location table partitioning

Paged control support for Microsoft Active Directory LDAP discovery

Events when device performance monitoring status changes

Enhanced custom parser development graphical user interface

Fixed Issues and Minor Enhancements

General GUI

Platform

Performance Monitoring / Event Pulling / Synthetic Transaction Monitoring (STM)

Rule / Query / Report Engine

Discovery

Device Support

Parsing  area

Data: System Rules/Reports

 

 

New Product

AccelOps Visual Analytics

This release enables AccelOps data to be visualized using Tableau Visual Analytics and Visual Analytics Desktop in conjunction with the AccelOps Report Server. Two kinds of AccelOps data can be visualized:

Data residing in Configuration Management Database (CMDB) e.g. Incidents, Device attributes

Any event database report result as long as it contains an aggregation condition e.g. GROUP BY

You can find full information in the Visual Analytics section of this wiki.

AccelOps Systems Features

New chart types for search result visualization

This release enables users to visualize query results within AccelOps using scatter plots, bubble charts, tree maps and heat maps. This complements existing visualization via pie charts, bar charts, trend charts, and geo maps. Scatter plots enable users to see correlations between any pair of calculated measures (e.g. CPU and memory utilization, Sent and received bytes etc). Bubble charts add a third dimension to scatter plots to reflect the size of the added dimension, e.g. in a scatter plot containing CPU and memory utilization as the two dimensions, the third dimension could be total sent and received bits/sec. The tree map is a hierarchical tree-structured visualization that is often used to analyze dominating components of multidimensional data e.g. IPS signatures, network traffic etc. Heat maps show the calculated measure for two dimensions using a color grade that helps users to understand severity. These charts are available both in Analytics and Dashboard areas.

This topic is discussed here.

Visualization for profiled metrics and drill down from incidents

AccelOps creates statistical baselines (profiles) for a large number of use cases. While earlier releases showed this information in tabular form, this data can now be visualized. For a specific dimension (such as host), up to four measures can be visualized on a trending hour-by-hour basis for weekdays and weekends as a multi-series column chart. In general, the profiles can be visualized as a scatter plot. From an incident indicating excessive deviation from statistical measures, it is now possible to drill down into the baseline with one click.

This topic is discussed here.

Performance and Availability Monitoring

Ability to specify per-device threshold in rules

AccelOps has rules that trigger when certain thresholds are crossed. When the thresholds have to be fine-tuned on a per-device basis, rule conditions become complex and difficult to manage. This release solves this issue. Instead of explicit threshold values in rules, the thresholds are now defined as custom properties in which the user can choose to override the global thresholds by redefining the thresholds locally for a certain set of devices. Instead of hard-coding thresholds, rules are now written using a function that returns the appropriate values – local values if one is defined, global values otherwise. This approach keeps the number of rules the same, but allows users to set thresholds for any number of devices. Thresholds can be a simple number (e.g. CPU utilization) or a map (e.g. interface utilization for each interface, disk utilization for one or more disks).

This topic is covered here (see the section: “Thresholds as Custom Properties”).

Enhanced custom command output monitoring

This release enhances the way custom performance monitor command outputs are parsed into events. Prior to release 4.3.1, command outputs are parsed as one line into one event. This does not include, for example, “show version” commands for Cisco IOS routers that can span multiple lines. Release 4.3.1 improves this situation – multiple lines can be parsed into one event.

This topic is covered here.

Windows custom command output monitoring

A Windows custom performance monitor can be used to bring PowerShell command outputs into AccelOps. Prior to release 4.3.1, command output was obtained via Telnet/SSH, but that is not natural for Windows, and the user had to install Cygwin Telnet/SSH in Windows systems. This release enhances the situation by using winexe client on AccelOps – any Windows shell commands, such as PowerShell, can be remotely run on Windows servers using WMI credentials. There is no need to install any software on Windows. Additionally, multi-line command outputs can be parsed into one event in AccelOps. This enhancement now enables customers to run PowerShell commands in Windows servers.

This topic is covered here.

Log Management and Security Incident Event Monitoring (SIEM)

Amazon Web Services CloudTrail monitoring

As more and more applications are deployed in the Cloud, monitoring user activity in the cloud is becoming increasingly important. For example, it is important to know when users are created, permissions are changed, virtual machines are spun up, network configurations are changed, or Virtual Private Clouds (VPCs) are created. This release enables AccelOps to efficiently collect, parse, report, and alert on Amazon Web Services activity via the AWS CloudTrail API.

This topic is discussed here.

Box.com file monitoring

Box.com is a cloud storage provider that is used by individuals as well as corporations to store and share files. This release enables AccelOps to monitor file activity within a Box.com account. AccelOps securely logs on to the Box.com account and monitors file creation, deletion, and modification activity within the account. More interestingly, for a specific file or all files in a folder, AccelOps can monitor file-sharing properties – is the file shared, is it password protected, is it preview/download enabled, and how many times was the file downloaded or viewed. If a particular file or directory contains confidential information, AccelOps can alert when any file in that directory was exposed to the outside or was viewed.

This topic is discussed here.

Okta Single Sign-On (SSO) integration via SAML 2.0

Oka is a cloud-based Single Sign-on (SSO) Service provider. This release enables AccelOps customers who are already authenticated in Okta to automatically log in to AccelOps without entering any credentials. AccelOps communicates via SAML 2.0 with Okta to verify user identity. In addition, AccelOps discovers all users defined in Okta (like Microsoft Active Directory) – the discovered users can be used in rule and report conditions and in notification policies. Finally, AccelOps collects Okta audit trails that can detect activity on the Okta web site such as account changes, logon activity, and other configuration changes.

This topic is discussed here.

Vendor default password usage detection

A common compliance requirement is to alert against the use of default vendor-defined credentials. This release enables AccelOps users to satisfy this requirement. AccelOps comes pre-built with a set of vendor and device specific default passwords. Users can add to this list.

Whenever a device discovery succeeds with a credential from this list, an alert triggers.

This topic is discussed here.

Detect malware via file hash and user agent match

This release comes with a set of built-in well-known malware user agents and malware file hash signatures. Users can also import their own lists from outside sources. Since malware is known to use non-standard http user agents, AccelOps alerts when it sees a malware user agent, regular expression-based match from web server or web-proxy logs. If AccelOps is configured for file integrity monitoring, then it can alert when it detects a malicious file hash match in a monitored directory.

Malware hash  is discussed here.

User agent is discussed here.

Detect communication via Anonymity Networks (Open Proxies and TOR nodes)

A compromised host or a user with malicious intent uses various techniques to hide their identity, with two common examples being proxies and TOR networks. This release comes with a set of built in well-known proxies and TOR networks. Users can also import their own lists from outside sources. Whenever AccelOps sees an IP address match from firewall logs or Netflow, an alert is created.

This topic is discussed here.

Device Support

Cisco VoIP infrastructure monitoring – see here

Cisco VoIP phone discovery from Cisco Call Manager via SNMP

Cisco Unity Connection – discovery and performance monitoring via SNMP

Cisco Presence Server – discovery and performance monitoring via SNMP

Cisco Contact Center – discovery and performance monitoring via SNMP

Cisco Tandeberg VCS – discovery and performance monitoring via SNMP

Cisco Telepresence MCU – discovery and performance monitoring via SNMP

More detailed performance monitoring of Cisco Call Manager – SIP Trunk Status, Gateway Status, H323 Device Status, Voice mail Server Status, CTI Device Status, Media Device Status

Parse 1000+ syslog messages from Cisco Call Manager and RTMT and create rules corresponding to RTMT Alerts

Oracle ACME Packet Controller – discovery and performance monitoring via SNMP

Brocade SAN Switch – discovery and performance monitoring via SNMP

Dell Force10 Switch – discovery and performance monitoring via SNMP – see here

Dell PowerConnect switches – discovery and performance monitoring via SNMP – see here

Nimble Storage – discovery and performance monitoring via SNMP

Cisco WAPX WLAN Controllers – discovery and performance monitoring via SNMP

MS SQL Server 2014 – discovery, performance monitoring, audit log  collection via SNMP, WMI, JDBC Oracle Audit log parsing via syslog

Wireless LAN Controller “module” on Fortinet firewalls. TrippLite Environmental Monitors

IBM WebSphere monitoring via HTTP(S) instead of JMX – see here

Arista switches and routers – discovery and performance monitoring via SNMP – see here VMware vShield – log parsing via syslog

Significant Enhancements

Migrate SVN to local disk

AccelOps uses SVN to store device configuration data and installed software information. Over time, this repository can grow and contain a very large number of files. Earlier releases hosted SVN over NFS, and network performance could become an issue over time. Since all accesses to SVN are via the Supervisor node, this release moves SVN to a Supervisor local disk on a separate logical drive. Fresh AccelOps 4.3.1 install automatically create a separate partition for storing SVN files. During AccelOps 4.3.1 upgrade process, a special pre-upgrade step is invoked to copy the SVN files over NFS to local disk. Actual upgrade does not begin unless existing SVN data has been copied over to the new disk – so the system continues to work during the pre-upgrade process.

Trigger event query optimization

Incidents are triggered by defined trigger events. When a user browses an incident in the graphical user interface, trigger events are shown, and incident notification emails can contain up to 10 trigger events. However, the AccelOps rule engine does not store raw events in memory, but only event identifiers, in an attempt to save memory. This means trigger events have to be retrieved from the event database by querying the event database. This query can be very expensive if the event is current, since the event may not have been indexed yet. This has been seen to create significant pressure on the AccelOps I/O system, especially if there is a sudden surge of incidents. This release addresses this issue by using an in-memory cache of raw messages for a short period of time.

Device location import

CMDB devices typically belong to private address spaces and their location is only known to the system administrators. There is now an easy way to input this information into AccelOps. Users can define locations by IP range or sub-net, and the location in CMDB will be instantly updated. The locations can be input manually via the graphical user interface, or imported from a file. In addition, devices can be searched by location in both the summary dashboard and CMDB.

This topic is discussed here.

Event dropping rule enhancement

Devices are often chatty and send all kinds of uninteresting logs to AccelOps. Since online storage is expensive, it is often necessary to be able to efficiently drop events before they are processed or stored. This release enhances event dropping rule framework by:

Including Source IP and Destination IP into the event dropping rule definition criteria

Allowing two different actions: drop completely, or store but do not trigger rules

Allowing the ability to automatically create drop rules from incidents in case the incident is a false positive, which is common in Network IPS event correlation scenarios

This topic is discussed here.

CIDR format for specifying discovery ranges

The test connectivity and discovery IP ranges can now be specified in CIDR notion as well.

Launch discovery from CMDB

Rediscovery can be directly launched from the CMDB page.

IP Address management enhancements

When allocating new addresses to hosts, it is often important to know the hosts that currently are assigned to addresses in a specific network segment. In prior releases, AccelOps discovered the network segments and showed only CMDB devices in that network segment. These do not include user devices such as laptops, workstations, mobile devices etc., since these devices do not necessarily belong in CMDB. Starting with this release, the Network Segment page also shows the hosts in the Identity and Location page belonging to the same network segment. Since AccelOps accurately learns all the IP addresses in a network via DHCP and IP ARP cache scan, administrators can correctly see every active host belonging to a specific network segment.

This topic is discussed here.

Critical interface selection usability enhancement

AccelOps allows users to mark interfaces as critical, and such interfaces are always monitored for utilization and up/down status. A common example is switch trunk ports, since a trunk port going down can cause a widespread network outage. Currently there is no easy way in AccelOps to select the trunk ports of all switches. Instead, the user has to traverse every switch and select trunk ports within that switch, which can be very tedious for a large network containing a large number of switches. This release provides a flattened view of the network interfaces so that a user can quickly select a large number of interfaces matching some search criteria. This enables administrators to mark all critical interfaces for a large network with only a few clicks.

This topic is discussed here.

CMDB Report extensions

CMDB Reports are extended to include

Successful Performance Monitor Reports

Failed Performance Monitor Reports

Identity and Location Report

Scheduled Report

Devices not updated in last N days

Dynamic EPS Adjustment algorithm

AccelOps has an algorithm to re-distribute unused EPS at a collector to other collectors seeing an event spike. The algorithm is now adjusted to have the following property: A collector is now always guaranteed to have the events-per-second specified as “Guaranteed EPS.” This EPS is never redistributed to other collectors. Only the excess EPS (defined as Overall EPS license minus the sum of all Guaranteed EPS) is redistributed on demand.

Incident table and Identity/Location table partitioning

In AccelOps CMDB, there are two tables that grow with time:

Incident table

Identity/Location table

The incident table grows as new incidents are created, while the Identity/Location table grows as new computers and users appear in the system or change location. As these tables grow, eventually the database may become full and read performance may suffer with corresponding growth in the table indices. In this release the following enhancements are made:

Incident Table Optimization:

The incident table is partitioned by month, so recent queries access the current month and result in fast returns During migration to 4.3.1 release:

Data for the last three months is migrated to the new tables (based on Last Seen Time field)

All ‘Active’ incidents are migrated

Older incidents are archived. Scripts are provided for customer to migrate older incidents into 4.3.1 CMDB. Scripts are provided to purge older incidents from 4.3.1 CMDB

Identity/Location Table Optimization:

The Identity/Location table is partitioned by month, so recent queries access the current month and result in fast returns During migration to 4.3.1 release:

Data for the last three months is migrated to the new tables (based on Last Seen Time field)

Older entries are archived. Scripts are provided for customer to migrate older identity/location entries into 4.3.1 CMDB. Scripts are provided to purge older identity/location entries from 4.3.1 CMDB

Paged control support for Microsoft Active Directory LDAP discovery

AccelOps discovers users in Microsoft Active Directory via LDAP protocol. By default, Microsoft LDAP search queries return up to 1000 entries per call (MaxPageSize limit – see Microsoft KB article). Earlier AccelOps releases required administrators to increase the MaxPageSize limit to a much higher number for user discoveries to work. This is generally inconvenient and may also cause resource issues on the server. This release enhances this situation. AccelOps LDAP discovery now uses the paged control version of the LDAP search API to fetch an arbitrarily large number of entries – 1000 at a time. Administrators are not required to increase the MaxPageSize limit beyond the default 1000.

Events when device performance monitoring status changes

AccelOps now generates audit events when the performance monitoring status of a job changes.

  1. User deleted a device or a collector:

<174>Nov 05 09:52:07

[PH_AUDIT_DEV_MON_JOB_STATUS_CHANGE]:[custId]=1,[phEventCategory]=2

,[srcIpAddr]=192.168.20.164,[phCustId]=1,[sessionId]=11178d2aeae08e

9c2babe2725fa1,[procName]=AppServer,[hostName]=HQ-A-Pxy-blueCoat,

[hostIpAddr]=172.16.0.141, [eventSeverity]=PHL_INFO,[customer]=Super,[jobStatusType]=UserDelet edDevice,[user]=admin, [phLogDetail]=Monitors on device were deleted due to device being deleted

  1. User disabled monitoring at a device level:

 

<174>Nov 05 09:53:58

[PH_AUDIT_DEV_MON_JOB_STATUS_CHANGE]:[custId]=1,[phEventCategory]=2

,[srcIpAddr]=192.168.20.164,[phCustId]=1,[sessionId]=11178d2aeae08e

9c2babe2725fa1,[procName]=AppServer,[hostName]=ACCELOPS-W2K3B4, [hostIpAddr]=192.168.64.124,[eventSeverity]=PHL_INFO,[custName]=Sup er,[jobStatusType]=UserDisabledDevice,[user]=admin, [phLogDetail]=Monitoring device, 192.168.64.124, is  disabled by user

  1. User enabled monitoring at a device level:

<174>Nov 05 09:54:38

[PH_AUDIT_DEV_MON_JOB_STATUS_CHANGE]:[custId]=1,[phEventCategory]=2

,[srcIpAddr]=192.168.20.164,[phCustId]=1,[sessionId]=11178d2aeae08e

9c2babe2725fa1,[procName]=AppServer,[hostName]=ACCELOPS-W2K3B4, [hostIpAddr]=192.168.64.124,[eventSeverity]=PHL_INFO,[custName]=Sup er,[jobStatusType]=UserEnabledDevice,[user]=admin,[phLogDetail]=Mon itoring device, 192.168.64.124, is enabled by user

  1. User disabled a specific job:

<174>Nov 05 09:55:17

[PH_AUDIT_DEV_MON_JOB_STATUS_CHANGE]:[custId]=1,[phEventCategory]=2 ,[phCustId]=1,[customer]=Super,[jobName]=System cpu usage,[srcIpAddr]=192.168.20.164,[appTransportProto]=SNMP,[sessionI d]=11178d2aeae08e9c2babe2725fa1,[procName]=AppServer,[hostIpAddr]=1 92.168.64.124,[hostName]=ACCELOPS-W2K3B4,

[eventSeverity]=PHL_INFO,[jobStatusType]=UserDisabledJob,[user]=adm in,[pullInteval]=180,[phLogDetail]=Protocol to monitor is disabled

  1. User enabled a specific job:

<174>Nov 05 09:55:59

[PH_AUDIT_DEV_MON_JOB_STATUS_CHANGE]:[custId]=1,[phEventCategory]=2

,[phCustId]=1,[customer]=Super,[jobName]=System cpu usage,

[srcIpAddr]=192.168.20.164,[appTransportProto]=SNMP,[sessionId]=111

78d2aeae08e9c2babe2725fa1,[procName]=AppServer,[hostIpAddr]=192.168

.64.124,[hostName]=ACCELOPS-W2K3B4, [eventSeverity]=PHL_INFO,[jobStatusType]=UserEnabledJob,[user]=admi n,[pullInteval]=180,[phLogDetail]=Protocol to monitor is enabled

  1. User changed job polling interval:

<174>Nov 05 09:57:21

[PH_AUDIT_DEV_MON_JOB_STATUS_CHANGE]:[custId]=1,[phEventCategory]=2

,[phCustId]=1,[customer]=Super,[jobName]=System real memory usage,

[srcIpAddr]=192.168.20.164,[appTransportProto]=SNMP,[sessionId]=111

78d2aeae08e9c2babe2725fa1,[procName]=AppServer,[hostIpAddr]=192.168 .64.124,[hostName]=ACCELOPS-W2K3B4,[eventSeverity]=PHL_INFO,[jobSta tusType]=UserChangedPollIntv,[user]=admin,[pullInteval]=300,[phLogD etail]=Interval of protocol to monitor is changed

<174>Nov 05 10:33:01

[PH_AUDIT_DEV_MON_JOB_STATUS_CHANGE]:[custId]=1,[errReason]=Missing

/Invalid WMI credential for 192.168.20.207, PROC_RESOURCE, [phEventCategory]=2,[phCustId]=1,[jobId]=1545818,[customer]=Super,[ jobName]=Process Resource Usage via WMI, [srcIpAddr]=192.168.64.153,[appTransportProto]=WMI,[sessionId]=13b3 48ad44270e0249eafc9dfdc5,[procName]=AppServer,[hostIpAddr]=192.168.

20.207,[hostName]=win-li5sipp8s7s.accelops.net,[eventSeverity]=PHL_

INFO,[jobStatusType]=DiscoveryNotScheduled,[user]=1,[pullInteval]=1

80,[phLogDetail]=Monitor on device is not scheduled

  1. Successful job:

<174>Nov 05 10:13:00 [PH_AUDIT_DEV_MON_JOB_STATUS_CHANGE]:[custId]=1,[errReason]=,[phEve ntCategory]=2,[phCustId]=1,[jobId]=1536112,[customer]=Super,[jobNam e]=Process Resource usage via SNMP,[srcIpAddr]=192.168.64.153,[appTransportProto]=SNMP,[sessionId

]=128e159a35b9f0f4cd71ca80222b,[procName]=AppServer,[hostIpAddr]=19

2.168.20.170,[hostName]=qa-win2008-217.accelops.net,[eventSeverity]

=PHL_INFO,[jobStatusType]=ExecutionSuccess,[user]=1,[pullInteval]=1

20,[phLogDetail]=Status of monitor is changed by Job

  1. Failed job:

<174>Nov 05 10:15:00 [PH_AUDIT_DEV_MON_JOB_STATUS_CHANGE]:[custId]=1,[errReason]=Failed to get process utilization in

executeGeneralProcResourceJobOpt,[phEventCategory]=2,[phCustId]=1,[ jobId]=1536112,[customer]=Super,[jobName]=Process Resource usage via SNMP, [srcIpAddr]=192.168.64.153,[appTransportProto]=SNMP,[sessionId]=12a b68da5ca2cceab2a69cbda16e,[procName]=AppServer,[hostIpAddr]=192.168 .20.170,[hostName]=qa-win2008-217.accelops.net,[eventSeverity]=PHL_ INFO,[jobStatusType]=ExecutionFailed,[user]=1,[pullInteval]=120,[ph

LogDetail]=Monitoring device failed

  1. Job stays in “Discovered Added” state for more than 15 minutes and is not scheduled:

<174>Nov 05 10:55:57 [PH_AUDIT_DEV_MON_JOB_NOT_STARTED]:[custId]=1,[phEventCategory]=2,[ phCustId]=1,[customer]=Super,[jobName]=ICMP Ping Status,[appTransportProto]=PING,[procName]=AppServer,[hostIpAddr]=1

72.16.10.110,[hostName]=HOST-172.16.10.110,[eventSeverity]=PHL_INFO

,[jobStatusType]=DiscoveryAdded,[user]=SYSTEM(phDiscovery),[pullInt eval]=120,[phLogDetail]=Monitoring job did not start yet

Enhanced custom parser development graphical user interface

The custom parser development graphical user interface is enhanced to include the following:

  1. Ability to search text within the XML file.
  2. Add a line number in the XML file. When there is a Error in ‘Validate’ or ‘Test’, show the line number as a reference to help user fix the problem.
  3. Allow user to reformat the text after block update for easy readability.
  4. Allow an option to Clear XML in one shot to allow for bulk replace.
  5. Color code the XML tags and text for easy readability.
  6. Show the parsed fields in Test results in a nice tabular form.
  7. Improve the scrolling/editing response for large XML files.
  8. Show the XML in a tree form – allow cross-linking of the XML Tree and the text edit window.
  9. Allow user to increase the size of the edit window.

Fixed Issues and Minor Enhancements

General GUI

Bug 7489: Created a CMDB report named “Active Dependent Rules” that tracks which rules depend on other rules. This helps users to tweak/enable/disable chained system rules

Bug 8021: Added indices in ph_task and ph_alter tables in PostgreSQL – this improves the GUI experience when user visits Alert and

Task tabs

Bug 8054: Allow an option to search on ‘Origin’ field in every tab in Admin > Device Support area. This allows users to quickly see user defined Device/Application types, Event Types, Event Attribute Types, Parsers and Dashboard columns

Bug 8165: Show VLAN as a column in Analytics > Identity and Location Report

Bug 8181: Need to get result of scheduled report even if the report has no data

Bug 8291: Allow user to unlock an AccelOps account

Bug 8896: Allow scheduled reports to skip charts and only contain tables

Bug 9266: Added “errReason” attribute to system event PH_REPORT_ACTION_STATUS – the attribute states why notification failed

Bug 9670: CMDB Device shows under Scheduled Maintenance even after device removed from Schedule Maintenance Calendar

Bug 9900: Expose Last Updated Time and Discover Method fields of a device for use in CMDB reports

Bug 10083: Display a warning when user disables or deletes a rule that is referenced in other rules

Bug 10172: Change the AccelOps GUI CMDB > Users so that all locally created users cannot edit the “domain” field

Bug 10198: Removal of devices or organizations from CMDB sometimes display foreign key violation errors

Bug 10250: Remove “Show Password” check box for credential

Bug 10382: enhancement:  allow HTML tags in custom e-mail templates

Bug 10394: Allow bulk disabling for blocked IP in the CMDB through the GUI

Bug 10450: Add ‘Apply To’ option to facilitate applying multiple authentication profiles to one or more users

Bug 10563: Add an Export button for Related Incidents screen

Bug 10830: Add locations view in summary dashboard

Bug 11343: Long device names truncated on Widget dashboard

Bug 11371: Allow import/ export of user defined watch list

Bug 11498: A rule with CLEAR conditions becomes invalid after clone process – constraints between main and clear rules are not properly copied over

Bug 11508: Ability to set locations for a large number of devices in  one shot

Bug 11596: Ability to add Notes to Rule exceptions. One should also be report on Rule exceptions.

Bug 11597: Add Remediation section to Rule definition. Add this to default email template. Make this part of CMDB report. Add this to custom notification template.

Bug 12583: User can not manually add important processes that have the same name but different process parameters

Bug 12613: Columns on Amazon EC2 performance view should be same as EC2 dashboard

Bug 12694: Provide an option to not have charts in exported PDF reports

Bug 12698: Enable search on “Monitor Errors” and “Error Description” on Admin > Setup wizard > Monitor Change/Performance > Monitor Errors popup

Bug 12760: Edit a Report Schedule and the Report automatically Runs

Bug 12786: Make error message clearer for event dropping rule creation on grouped incidents

Platform

Bug 9518: Glassfish log rotation is now configured for saving space – only keep 20 files and each of them max-sized 2000000 bytes.

Bug 9828: EPS Pulling functionality has limitations that lead to dropping of events by collectors

Bug 9938: Allow modular ‘yum upgrades’ for non-base-CentOS packages like JVM, Chrome, PostgreSQL, Glassfish

Bug 10144: Do not overwrite customer’s ssl.conf during upgrade

Bug 11926: DNS caching code has performance issues

Bug 12130: AccelOps uses rsyslog to receive our internally generated events. There is a throttle defined there (200 messages in 5 minutes interval). This will result message loss in high throughput situation like VoIP phone discovery, Layer 2 port mapping discovery etc. This throttle is removed since this is intra-computer communication and can handle much higher message rates.

Bug 12538: Detailed events, rules and reports for performance monitoring status changes

Bug 12584: Collectors sometimes fail to negotiate HTTP(S) connection to Super/Worker if ever they choose SSLV3 (because of poodle vulnerability – possibly because of a man-in-the-middle device like a IPS or a firewall disallowing all SSLV3 negotiations.

Bug 12585:The phMonitor module crashes when it sees a 3.7.6’s rest_cache_api list entry in phoenix_config.txt

Bug 12586: The configuration file phoenix_config.txt needs to be upgraded properly by maintaining user’s changes from previous versions

Bug 12644: Run script notification may fail if the raw message contains special XML characters

Bug 12649: Updating Dynamic Watch List by incidents causes Application Server to run out of memory when there are many many-to-many relationships between incidents and dynamic watch lists

Bug 12650: Full VM build does not ‘yum update’ packages as previously designed

Performance Monitoring / Event Pulling / Synthetic Transaction Monitoring (STM)

Bug 9848: Packet transmission timeouts for SNMP v1 and v2 phoenix_config needs to be extended from 1 minute to 5 minutes

Bug 11423: Add Custom command output monitoring via winexe for windows environments

Bug 12066: Parse CVSS_BASE score for vulnerabilities into (vulnCvssBaseScore attribute)

Bug 12213: Cisco IOS CPU can not be monitored in some cases with multiple CPUs – performance monitoring has to identify the control plane cpus

Bug 12214: PerfMonitor module will stop sending PH_DEV_MON_PING_STAT events for a gateway if its immediate down steam device are down

Bug 12387: NexPose vulnerability report XML parsing takes a long time

Bug 12458: Checkpoint needs a resume event handler

Bug 12561: Discovery never removes a PING job even if the device is not reachable by PING during discovery. This is done since a

PING is fundamental for measuring up time. Only a user can manually disable PING jobs

Bug 12601: Admin > Setup wizard > Monitor Change/Performance tab does not reflect the status of successful discovery after correcting device credentials.

Bug 12604: Events are not picked up by parser module if Supervisor node is down for an extended period of time

Bug 12625: For Qualys Vulnerability Scanner, Test connectivity succeeds, but the discover method and event pull methods are not set in discovery, resulting in no job creation for Java agent.

Bug 12661: Don’t trigger config change while getting config error

Bug 12730: Allow pulling interval to be less than 1 minute to pull windows logs at a faster rate. Added a phoenix config entry of

“wmi_pull_interval_scale” that can have a range from 1 (default) to 10. If users want to have a shorter interval for WMI event pulling, they can change it to 6 to make it 6 times faster; if the pulling interval in GUI is 1 minute, then events are pulled every 10 seconds.

Bug 12754: Enhance custom command output monitoring to generate an event to indicate no matching lines for regular expression. This can be used to detect e.g. a process is down from running the top command. If the regular custom command output monitoring command is PH_DEV_MON_CUST_DF then AccelOps would generate PH_DEV_MON_CUST_DF_NOT_FOUND when the are no matching lines in the command output

Bug 12787: Enhance performance monitoring status job upload to keep uploading if failed last time

Bug 12801: Custom command output monitoring – deleted items are still monitored

Bug 12803: Custom SNMP job monitoring sometimes fails to distinguish when one key is a prefix of the other; e.g.

SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.1 from SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.16. So the obtained value for

SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.1 may be the value for SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.16

Bug 12804: Custom Performance Monitoring – when custom transforms are nested, the order may not be preserved resulting in wrong calculations. For example, if custom transforms are defined as “used = transform(used/1024)”, “total = transform(total/1024)” and “memUtil = transform(used/total)”, then the transforms must be calculated in the order used -> total -> memUtil. Earlier releases did not do this.

Rule / Query / Report Engine

Bug 8512: Turn off inaccurate system rule ‘Windows Disk controller problem’

Bug 9847: Add Identity and location to CMDB Report

Bug 10996: Worker down rule did not trigger after license expires

Bug 11008: RFE:  when retrieving Triggered Events for an Incident in GUI or e-mail notification, search 60 minutes before and after

Incident Time. This is fixed by the ‘Trigger Event Query Optimization’ feature

Bug 12322: Increase per rule GROUP BY thresholds – per cust and over all customers

Bug 12558: Improved cache miss handling for profile anomaly rule handling: The profiles for anomaly detection are stored in a SQLite database. When rule engine attempts to look up the average and standard deviation values for a particular key (e.g. IP address, port number etc), and an exact match is not found, then earlier releases picked up the lowest values for that profile in that database. This heuristic often causes unnecessary rule triggers. This release makes tightens the cache miss handling case – profile anomaly rules do not trigger for a key value if the average and standard deviation values are not found for that key value for that time period.

Bug 12640: When performing analytical searches when individual countries from the country groups are referenced in filter conditions as objects, then no results are returned

Discovery

Bug 10363: Disallow discovery via Virtual IP

Bug 10533: Add ability to define IP subnets in the 172.16.16.0/22 type format

Bug 11308: Foundry router becomes generic-generic

Bug 11972: Telnet discovery of HP Procurve switches fails due to error in expect script

Bug 12713: If host name contains unprintable characters like backspace(x08) and enquiry(x05), then parsing this XML causes app server to throw exceptions and run out of memory

Device Support

Bug 9942: RFE: add performance monitoring for Cisco WAPX (lightweight) devices

Bug 10006: RFE:  add device support for Tripp lite UPS devices

Bug 10307: Microsoft cluster services incorrectly assigned to Microsoft Exchange Application Group

Bug 10362: Add support for (Oracle) Acme Packet Border Controller

Bug 10366: Support for Dell Force 10 Networking devices

Parsing  area

Bug 8894: Cisco ASA parser: trailing white space in User attribute causing searches to miss events with condition User EQUALS ‘string’ Bug 10418: Parse username in Windows MSSQL Event 18453

Bug 11351: Parse username in Win-Security-5145

Bug 12485: Parse jitter field in Cisco VoIP CDR/CMR record

Bug 12626: Snort events collected via database have wrong severity

Bug 12641: Added more Symantec Anti-virus events

Bug 12643: A null pointer exception can happen during pulling performance monitor config for discovery

Bug 12656: Some FortiGate traffic logs do not parse if “status=” is missing in the logs

Bug 12668: More Foundry switch logs to be parsed

Bug 12714: Enhance McAfee EPO parser to parse more logs

Bug 12716: Enhance Cisco IOS and NX-OS parser to parse more logs

Bug 12757: Put Fortigate firewall DHCP messages into the identity and location section – so the IP to user and host name mapping shows up when FortiGate is acting as the DHCP server

Bug 12765, 12767: Add a “Total Bit Rate” attribute for interface utilization and Netflow events – so user can quickly run 95th percentile on the total bandwidth for an interface

Data: System Rules/Reports

Bug 8512: Turn off inaccurate system rule ‘Windows Disk controller problem’

Bug 10113: Added description for windows security events: 5142, 5143, 5144, 5168, 4985, 5145

Bug 12660: Enhance “Heavy TCP Port Scan” rule to exclude Windows Security Firewall logs (Win-Security-5156), ASA/PIX Teardown events (ASA-302014, PIX-302014, FWSM-302014)

Bug 12676: The event type group for JUNOS_KMD_VPN_DOWN_ALARM_USER event is incorrect

 

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.