FortiSIEM What’s New in Release 4.4.1

What’s New in Release 4.4.1


Windows Agent

Currently AccelOps collects Windows logs and performance metrics using WMI and SNMP, or via third-party agents such as Correlog and Snare. Pulling logs using WMI is expensive and difficult to maintain for high volume logging scenarios. Starting with this release, you can deploy

AccelOps agents to replace most of the above functionalities. AccelOps Windows agents can be purchased in two forms: Basic and Advanced. Basic agents collect Security/System/Application logs, IIS/DNS/DHCP logs, and custom log files. Advanced agents can additionally collect installed software changes, registry changes, file changes for file integrity monitoring,  and specific WMI and Powershell command outputs. Windows agents can be configured via AccelOps Windows Agent Manager using configuration templates. Windows Agent Manager communicates to the AccelOps Supervisor node for licensing/registration, and sends events to Collector or Supervisor nodes in compressed and encrypted form. AccelOps recommends that basic discovery and performance monitoring be carried out via SNMP/WMI, but the log pulling be performed via the agents. See Windows Agent Configuration for more information. Windows configuration manager is available on a separate license, contact for more information.


The Beaconing service transmits health and usage information about your AccelOps deployment to an AccelOps Cloud. Beaconing can be basic or advanced. Under basic beaconing, information transmitted includes the health of your AccelOps virtual appliances, CMDB device types, event parsing errors, performance monitoring job health, incident names, and summary information about the configuration of your deployment. Advanced beaconing includes system logs. Note that no specific host name, IP address or user information information is transmitted except the IP address of AccelOps virtual appliance themselves. This transmitted information is used exclusively by AccelOps support for forensic analysis of your system, and is never shared with anyone else. The basic Beaconing service is included as a standard feature in all 4.4+ versions of AccelOps, while a more advanced version can be purchased to provide additional log-based support services. The basic version is turned on by default but you can opt out at any time. See Using Beaconing to Communicate with AccelOps Support for more information.

External Threat Feed Integration Framework for Blocked Domains, Blocked IPs, Malware Hashes and Anonymity Networks

Before release 4.4, AccelOps already integrated with external threat intelligence feeds (such as,, ZeusTracker, ) to populate blocked domains, blocked IPs, malware hashes and anonymity networks. However, the available integrations were mostly with free websites. Starting this release, user can integrate with their own paid content such as the Threat Stream OPTIC threat intelligence platform and others. A java based API is provided that enables you to integrate with any threat feed. If the threat feed is a website and the data is in the form of a comma separated file (csv) file format, then the integration can be accomplished from the AccelOps GUI itself by simply defining the column mappings and the separator. In all other cases, you will need to write Java classes based on examples provided with AccelOps 4.4. See the topics Custom Malware Domain Threat Feed, Custom Malware IP Threat Feed, Setting Up an External Data Source for Anonymity Networks and Custom Malware Hash Threat Feed for more information.

Integration Framework for External CMDB and Workflow Systems

This framework enables you to integrate AccelOps CMDB and incidents with external systems. Specifically, device information and new device attributes from an external CMDB, such as BMC Atrium, can be imported into the AccelOps CMDB. AccelOps CMDB data can also be

programmatically synched to an external CMDB, such as ServiceNow. AccelOps incidents can be pushed to a external workflow system, such as ServiceNow and ConnectWise – this integration is two-way, as changes in the ticket state in an external CMDB can be reflected back in the corresponding AccelOps incident. The integrations are built on a Java based API. While industry leading platforms such as ServiceNow and ConnectWise are already integrated out of the box, integrations with other CMDBs and workflow systems can be developed using the API. See the topics under Integrating with External CMDB and Helpdesk Systems for more information.

Data Update Service

AccelOps provides built in extensive device support in terms of device discovery, performance monitoring, log parsing, rules and reports. However until now, users had to wait for a formal product release, for example 4.4.2, to get new device support and existing device support extensions such as parser fixes, rule and report extensions. Starting with this release, customers can get device support enhancements, for example, via a data update service, in between formal AccelOps releases. As AccelOps continually adds support for more devices, by subscribing to this service, you can receive updated device support as it becomes available, instead of having to wait for a formal release. See the topics under Data Update Subscription Service for more information, and contact to purchase a subscription.

AccelOps User Management

This release enables AccelOps administrators to see all the currently logged on and locked out AccelOps users.  Users can be forcibly logged off from the system. Locked users can also be unlocked. Administrators can also see ongoing queries, the user who started the queries, and stop long running queries if needed.

User Interface and Navigation Enhancements

This release includes a number of enhancements to improve the user interface navigation and dashboards. Dashboard charts have now a flat look. The layout changed from column layout to cell layout where smaller charts can be combined with bigger charts on different rows. Cell size can be adjusted by the user on a widget by widget basis. The report selector has been redesigned. Single line chart now has a Gauge display in addition to text. Line charts can be stacked for better visual clarity.  The Table view and combo view now allows user to set colors based on displayed metrics. See the topics under Dashboard Overview for more information.

Revised Product Documentation and Customer Support Portal

The AccelOps product documentation wiki, as well as the customer support knowledge base and community forums, have been completely re-organized and revised for this release to improve the discoverability and usability of information. We welcome your feedback and suggestions for future development at


  1. Ability to monitor asymmetric network link utilization where send and receive link speeds are unequal
  2. Ability to exclude shared account names from Identity and location calculations
  3. Collector tunnel plugin launch should use super host name from browser to handle NAT deployment
  4. AO-SP: Every organization can have their own “My Home” country definition
  5. Ability to run a query with specific values from Dashboard Charts
  6. Ability to use Incident Category in Rule definition for filtering incidents for user defined rules
  7. Ability to query location name using Analytics framework
  8. Ability to choose a time period in Historical Search by dragging mouse over the time axis

Device Support

Device Access Protocols Used For
Cisco Meraki Cloud Controller, Cisco Meraki Firewalls, Router/Switches and Wireless Access Points SNMP Discovery and Performance


Syslog Security Event Management and

Log Analysis

SNMP Trap Availability Monitoring
Avaya Communication Manager SNMP Discovery and Performance


CDR files pushed to AccelOps via FTP or SCP Call record analysis
Windows Active Directory – health analysis by running dcdiag and repadmin/replsummary commands Remote command execution via


Availability and Performance


Windows HyperV Monitoring Remote powershell via Winexe Availability and Performance


Dell Compellent Storage SNMP Discovery and Performance


Bit9 Security Platform Syslog Security Event Management and

Log Analysis

SourceFire NetworkAMP log analysis via syslog Syslog Security Event Management and

Log Analysis

Dell NSeries Router / Switch SNMP, Discovery, Performance


SSH Configuration change monitoring
HP Value Series Switches (19xx Series) and HP 3Com Switches (29xx Series) SNMP Discovery and Performance


SSH Configuration change monitoring


Bug Fixes

Edit Document

Bug Severity Module Description
5423 enhancement App Server Provide ability to tune event and per

Supervisor node

12646 major App Server Calendar view of incidents: actual # of
13424 minor App Server Collector tunnel plugin launch should u
13099 normal App Server (AO-SP) Every organization needs it o
11137 normal GUI On Analytics > Rule tab, it sometimes
11416 normal GUI User is not able to edit device under su
12042 normal GUI Drill down from Biz service dashboard
12833 enhancement GUI Can not delete Biz Service from CMDB
12955 normal GUI After editing a newly created user grou
13173 major GUI Identity and location exported PDF con
11350 normal GUI Sometimes the raw event log is empty
9285 major GUI Incidents triggered by user defined rule
10593 enhancement GUI Loading Analytics > Historical > Struc
11050 normal GUI A view only user should not be able to
11054 normal GUI If you only keep the Admin tab and hid
12169 normal GUI Quick Info > “Go to Identity” can’t find
12203 major GUI Deleting collector causes problems wh
12285 normal GUI Ticket belonging to an organization w
12539 normal GUI When you copy a search result to a new
12752 enhancement GUI Historical search prior time range menu
12783 normal GUI The Device Time attribute is not prope
12924 normal GUI Creating event dropping rule for an org
12961 normal GUI Custom Performance monitoring: delet
13665 normal GUI Enforce RBAC control on user tab – an
13673, 13625 normal GUI Chinese characters in UI when locale is
12232 normal GUI When user switches to an Organization
12241 normal GUI Important processes defined in Super/g
12246 normal GUI System defined device type will be ove
12274 normal GUI ON DNS Synthetic Transaction Monito
12346 normal GUI Cannot change port value on a newly c
12457 normal GUI Duplicated credential causes JDBC cus
12504 normal GUI An organization user can see Super Glo
12547 normal GUI Restrict customers from adding Organi
12708 minor GUI Need to (re)set to correct default port if
12774 normal GUI Parser XML editor: If search strings co
12802 normal GUI On Firefox browser, email subject does
12902 normal GUI User cannot delete an organization if u
12962 normal GUI Allow more than 255 characters in Reg
12973 normal GUI Restrict user from adding more than 16
13354 normal GUI Cannot delete authentication profiles fo
9973 enhancement GUI Allow user to bulk delete any CMDB g
10044 enhancement GUI Allow to display “latest” vulnerability a
11768 normal GUI CMDB > Applications > Running On t
12001 normal GUI Cloning and Moving CMDB Items resu
12140 minor GUI Should validate email address format w
12347 normal GUI Impact org shows in maintenance colum
12420 enhancement GUI Duplicate Components section in CMD
12434 normal GUI Can create duplicate biz service name i
12534 minor GUI Can not add / edit the description for an
12548 minor GUI Device Maintenance Takes Dates that a
12851 normal GUI CMDB Device Custom Property Thres
12870 normal GUI Allow CMDB Reports to be emailed in
12890 minor GUI The group name does not show when u
13552 normal GUI Drill down does not work for some of w



13681 enhancement GUI Add Location in the CMDB Search dro
2437 normal GUI For hosts, system uptime is calculated
6482 minor GUI Report sort order does not affect to wid
12085 enhancement GUI Extend Dashboard widget extend time
12381 normal GUI Invalid IP addresses with spaces can be
12517 normal GUI App Health page empty for EMC CLA
12724 normal GUI The sort function is lost in business ser
12876 normal GUI Duplicate “Free Array Storage” on Cla
13253 normal GUI Single Line widget on a dashboard doe
13639 normal GUI Dashboard Drill Down from Magnifyin
9610 normal GUI If any report is run with the “Run Late email all show Organization “Global”.
10314 normal GUI Reports with expressions in display col
11544 normal GUI When values are less than 1, heat maps
11804 normal GUI Provide an option to not have charts in
12223 normal GUI Date format in PDF is US date formate
12446 normal GUI Historical Search: Once stopped a quer
12764 minor GUI Schedule report date format should be
12775 enhancement GUI Need to shorten key info in incident vis
4320 enhancement GUI System-defined rule exceptions work f
12276 normal GUI New button is grey in Analytics > Rule
12362 minor GUI The drop down box of subpattern is too
12926 normal GUI Two rules (“Multiple Logon Failures: show “Triggered Event Count” inciden
13383 normal GUI Can’t see email template names in Ema
12454 normal GUI In CMDB -> Devices -> Topo (upper r
13288 normal GUI The incident count is wrong on Inciden
12528 normal GUI PDF export of Event Pulling errors doe
10285 normal GUI Add ability to mail::CC with Email No
13192   GUI In CMDB tab, a device should be filter
10531 normal Data Frequent SVN error – Could not create
10645 major Data InfoBlox NiOS SNMP based discovery
12395 normal Data Palo Alto Firewall: the event PAN-OS-
13600 normal Data Enhance IronPort web parser to cover d
13622 normal Data Sonicwall wlan logs from firewall not p
13667 normal Data Add retry for creating folder in phData
13683 enhancement Data Add Guaranteed eps to these events
13684 enhancement Data Add vmware datastore utilization rules
12411 normal Data Rule “Critical APC Trap” cannot be au
13179 normal Data Uncommon DNS Query Rule triggers u
9654 normal Data Some WinOSWmi Spanish events not
11864 enhancement Data Security Descriptor Field need to be pa
11930 normal Data Certain IOS events not parsed – IOS-E




11993 enhancement Data Fortigate wireless AP events needs to b
12445 normal Data Incorrect test events for SyslogNG pars
13004 normal Data Need to resolve host name parsed from
13064 normal Data Sourcefire NetworkAMP events not pa
13338 normal Data Windows WMI and Snare parsers have
13341 normal Data Brocade SAN Switch events parsed to
13345 enhancement Data Windows System event types need to i
13390 normal Data Parsing error when [ in attr value in ph
13610 normal Discovery Special character “&” in host name cau
7726 major Identity Need to differentiate between domain u
12267 normal Parser Allow Netflow flows to be dropped lik
13612 normal Parser WMI events ‘Reporting IP’ not parsed c
13743 normal Parser PH_DEV_MON events have incorrect
12985 enhancement Parser Extend the Sender IP choice in Event F
11788 enhancement Performance Monitoring Pre-define some ssh/telnet/winexe jobs
12970 normal Performance Monitoring AO still pulls custom perf events after
13355 normal Performance Monitoring Oracle Acme Packet Controller Session
13611 normal Performance Monitoring Sonicwall interface not monitored corr
13619 normal Performance Monitoring Arista interface does not include link e
13629 enhancement Performance Monitoring Monitor load average for linux machin
13770 normal Performance Monitoring InfoBlox DHCP monitoring memory le
13640 normal Performance Monitoring VMware Cluster Consumed Memory v
11684 major Query / Report Query worker continues to perform sto
11847 normal Query / Report Query may not finish when event cand
10300 enhancement Query / Report Exported query results on super global
12747 enhancement Query / Report Allow customers to report on “Passwor
12884 normal Query / Report Exclude the event ASA-Update-Conn f
12919 normal Query / Report Exported Dynamic watchlists show inc
13439 normal Query / Report (AO-SP) The event PH_DEV_MON_ set to 1 – so network performance effic
12886 normal Rule Add reason for dropping events in PH poorly defined rules.
12913 normal Rule In rule synch error window, when you
10386 enhancement Rule When running Test Rule do not create
13609 normal Rule Network efficiency calculation is incor
10235 enhancement System Allow user to specify Super or Worker
10377 major System Fix the following vulnerabilities – CVE
10566 major System Fix the following vulnerabilities – CV


10596 major System SVN password in EC2 build gets reset
11649 major System Failure to mount NFS on worker does n
12831 normal System Force AccelOps images to always mou
13008 minor System Disable SSLv3 and RC4 cypher by def
13690 normal System Installation script should ask the user t


Caveats / Open Issues




Issue Workaround
6940 Rule/Query does not work with NULL non-string fields (e.g. Source IP). These entries are skipped. It works however with NULL string values (such as Host name). If Group By conditions have non-string fields, then make sure that those fields are parsed in events.
8867 LAST and FIRST operators in rule group event constraints causes Rule Worker modules to crash Avoid using LAST and FIRST operators in Rule group event constraints
11036 PctChange operator in rule group event constraints causes Rule Worker modules to crash Avoid using PctChange operator in

Rule group event constraints

11112 COUNT DISTINCT operations are expensive for anomaly rules Avoid using COUNT DISTINCT in anomaly rules
12900 Advanced HTTP STM via Selenium plugin does not work for some webpages – root cause is that AccelOps uses python export which does not support the full functionality of the browser plugin. Need to use java export instead of python export. None – use STM on simpler webpages.
13744 Empty strings in synched report results should be exported to Report Server as NULL instead of empty strings. Within Tableau, CAST conversion  operations FAIL when an empty string is encountered, but do not when a NULL is there. None

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos