What’s New in Release 4.4.1
Features
Windows Agent
Currently AccelOps collects Windows logs and performance metrics using WMI and SNMP, or via third-party agents such as Correlog and Snare. Pulling logs using WMI is expensive and difficult to maintain for high volume logging scenarios. Starting with this release, you can deploy
AccelOps agents to replace most of the above functionalities. AccelOps Windows agents can be purchased in two forms: Basic and Advanced. Basic agents collect Security/System/Application logs, IIS/DNS/DHCP logs, and custom log files. Advanced agents can additionally collect installed software changes, registry changes, file changes for file integrity monitoring, and specific WMI and Powershell command outputs. Windows agents can be configured via AccelOps Windows Agent Manager using configuration templates. Windows Agent Manager communicates to the AccelOps Supervisor node for licensing/registration, and sends events to Collector or Supervisor nodes in compressed and encrypted form. AccelOps recommends that basic discovery and performance monitoring be carried out via SNMP/WMI, but the log pulling be performed via the agents. See Windows Agent Configuration for more information. Windows configuration manager is available on a separate license, contact sales@accelops.com for more information.
Beaconing
The Beaconing service transmits health and usage information about your AccelOps deployment to an AccelOps Cloud. Beaconing can be basic or advanced. Under basic beaconing, information transmitted includes the health of your AccelOps virtual appliances, CMDB device types, event parsing errors, performance monitoring job health, incident names, and summary information about the configuration of your deployment. Advanced beaconing includes system logs. Note that no specific host name, IP address or user information information is transmitted except the IP address of AccelOps virtual appliance themselves. This transmitted information is used exclusively by AccelOps support for forensic analysis of your system, and is never shared with anyone else. The basic Beaconing service is included as a standard feature in all 4.4+ versions of AccelOps, while a more advanced version can be purchased to provide additional log-based support services. The basic version is turned on by default but you can opt out at any time. See Using Beaconing to Communicate with AccelOps Support for more information.
External Threat Feed Integration Framework for Blocked Domains, Blocked IPs, Malware Hashes and Anonymity Networks
Before release 4.4, AccelOps already integrated with external threat intelligence feeds (such as Torproject.org, MalwareDomainList.com, ZeusTracker, EmergingThreats.net ) to populate blocked domains, blocked IPs, malware hashes and anonymity networks. However, the available integrations were mostly with free websites. Starting this release, user can integrate with their own paid content such as the Threat Stream OPTIC threat intelligence platform and others. A java based API is provided that enables you to integrate with any threat feed. If the threat feed is a website and the data is in the form of a comma separated file (csv) file format, then the integration can be accomplished from the AccelOps GUI itself by simply defining the column mappings and the separator. In all other cases, you will need to write Java classes based on examples provided with AccelOps 4.4. See the topics Custom Malware Domain Threat Feed, Custom Malware IP Threat Feed, Setting Up an External Data Source for Anonymity Networks and Custom Malware Hash Threat Feed for more information.
Integration Framework for External CMDB and Workflow Systems
This framework enables you to integrate AccelOps CMDB and incidents with external systems. Specifically, device information and new device attributes from an external CMDB, such as BMC Atrium, can be imported into the AccelOps CMDB. AccelOps CMDB data can also be
programmatically synched to an external CMDB, such as ServiceNow. AccelOps incidents can be pushed to a external workflow system, such as ServiceNow and ConnectWise – this integration is two-way, as changes in the ticket state in an external CMDB can be reflected back in the corresponding AccelOps incident. The integrations are built on a Java based API. While industry leading platforms such as ServiceNow and ConnectWise are already integrated out of the box, integrations with other CMDBs and workflow systems can be developed using the API. See the topics under Integrating with External CMDB and Helpdesk Systems for more information.
Data Update Service
AccelOps provides built in extensive device support in terms of device discovery, performance monitoring, log parsing, rules and reports. However until now, users had to wait for a formal product release, for example 4.4.2, to get new device support and existing device support extensions such as parser fixes, rule and report extensions. Starting with this release, customers can get device support enhancements, for example 4.4.1.101, via a data update service, in between formal AccelOps releases. As AccelOps continually adds support for more devices, by subscribing to this service, you can receive updated device support as it becomes available, instead of having to wait for a formal release. See the topics under Data Update Subscription Service for more information, and contact sales@accelops.com to purchase a subscription.
AccelOps User Management
This release enables AccelOps administrators to see all the currently logged on and locked out AccelOps users. Users can be forcibly logged off from the system. Locked users can also be unlocked. Administrators can also see ongoing queries, the user who started the queries, and stop long running queries if needed.
User Interface and Navigation Enhancements
This release includes a number of enhancements to improve the user interface navigation and dashboards. Dashboard charts have now a flat look. The layout changed from column layout to cell layout where smaller charts can be combined with bigger charts on different rows. Cell size can be adjusted by the user on a widget by widget basis. The report selector has been redesigned. Single line chart now has a Gauge display in addition to text. Line charts can be stacked for better visual clarity. The Table view and combo view now allows user to set colors based on displayed metrics. See the topics under Dashboard Overview for more information.
Revised Product Documentation and Customer Support Portal
The AccelOps product documentation wiki, as well as the customer support knowledge base and community forums, have been completely re-organized and revised for this release to improve the discoverability and usability of information. We welcome your feedback and suggestions for future development at infodev@accelops.com.
Enhancements
- Ability to monitor asymmetric network link utilization where send and receive link speeds are unequal
- Ability to exclude shared account names from Identity and location calculations
- Collector tunnel plugin launch should use super host name from browser to handle NAT deployment
- AO-SP: Every organization can have their own “My Home” country definition
- Ability to run a query with specific values from Dashboard Charts
- Ability to use Incident Category in Rule definition for filtering incidents for user defined rules
- Ability to query location name using Analytics framework
- Ability to choose a time period in Historical Search by dragging mouse over the time axis
Device Support
| Device | Access Protocols | Used For |
| Cisco Meraki Cloud Controller, Cisco Meraki Firewalls, Router/Switches and Wireless Access Points | SNMP | Discovery and Performance
Monitoring |
| Syslog | Security Event Management and
Log Analysis |
|
| SNMP Trap | Availability Monitoring | |
| Avaya Communication Manager | SNMP | Discovery and Performance
Monitoring |
| CDR files pushed to AccelOps via FTP or SCP | Call record analysis | |
| Windows Active Directory – health analysis by running dcdiag and repadmin/replsummary commands | Remote command execution via
Winexe |
Availability and Performance
Monitoring |
| Windows HyperV Monitoring | Remote powershell via Winexe | Availability and Performance
Monitoring |
| Dell Compellent Storage | SNMP | Discovery and Performance
Monitoring |
| Bit9 Security Platform | Syslog | Security Event Management and
Log Analysis |
| SourceFire NetworkAMP log analysis via syslog | Syslog | Security Event Management and
Log Analysis |
| Dell NSeries Router / Switch | SNMP, | Discovery, Performance
Monitoring |
| SSH | Configuration change monitoring | |
| HP Value Series Switches (19xx Series) and HP 3Com Switches (29xx Series) | SNMP | Discovery and Performance
Monitoring |
| SSH | Configuration change monitoring |
Bug Fixes
| Bug | Severity | Module | Description |
| 5423 | enhancement | App Server | Provide ability to tune event and per
Supervisor node |
| 12646 | major | App Server | Calendar view of incidents: actual # of |
| 13424 | minor | App Server | Collector tunnel plugin launch should u |
| 13099 | normal | App Server | (AO-SP) Every organization needs it o |
| 11137 | normal | GUI | On Analytics > Rule tab, it sometimes |
| 11416 | normal | GUI | User is not able to edit device under su |
| 12042 | normal | GUI | Drill down from Biz service dashboard |
| 12833 | enhancement | GUI | Can not delete Biz Service from CMDB |
| 12955 | normal | GUI | After editing a newly created user grou |
| 13173 | major | GUI | Identity and location exported PDF con |
| 11350 | normal | GUI | Sometimes the raw event log is empty |
| 9285 | major | GUI | Incidents triggered by user defined rule |
| 10593 | enhancement | GUI | Loading Analytics > Historical > Struc |
| 11050 | normal | GUI | A view only user should not be able to |
| 11054 | normal | GUI | If you only keep the Admin tab and hid |
| 12169 | normal | GUI | Quick Info > “Go to Identity” can’t find |
| 12203 | major | GUI | Deleting collector causes problems wh |
| 12285 | normal | GUI | Ticket belonging to an organization w |
| 12539 | normal | GUI | When you copy a search result to a new |
| 12752 | enhancement | GUI | Historical search prior time range menu |
| 12783 | normal | GUI | The Device Time attribute is not prope |
| 12924 | normal | GUI | Creating event dropping rule for an org |
| 12961 | normal | GUI | Custom Performance monitoring: delet |
| 13665 | normal | GUI | Enforce RBAC control on user tab – an |
| 13673, 13625 | normal | GUI | Chinese characters in UI when locale is |
| 12232 | normal | GUI | When user switches to an Organization |
| 12241 | normal | GUI | Important processes defined in Super/g |
| 12246 | normal | GUI | System defined device type will be ove |
| 12274 | normal | GUI | ON DNS Synthetic Transaction Monito |
| 12346 | normal | GUI | Cannot change port value on a newly c |
| 12457 | normal | GUI | Duplicated credential causes JDBC cus |
| 12504 | normal | GUI | An organization user can see Super Glo |
| 12547 | normal | GUI | Restrict customers from adding Organi |
| 12708 | minor | GUI | Need to (re)set to correct default port if |
| 12774 | normal | GUI | Parser XML editor: If search strings co |
| 12802 | normal | GUI | On Firefox browser, email subject does |
| 12902 | normal | GUI | User cannot delete an organization if u |
| 12962 | normal | GUI | Allow more than 255 characters in Reg |
| 12973 | normal | GUI | Restrict user from adding more than 16 |
| 13354 | normal | GUI | Cannot delete authentication profiles fo |
| 9973 | enhancement | GUI | Allow user to bulk delete any CMDB g |
| 10044 | enhancement | GUI | Allow to display “latest” vulnerability a |
| 11768 | normal | GUI | CMDB > Applications > Running On t |
| 12001 | normal | GUI | Cloning and Moving CMDB Items resu |
| 12140 | minor | GUI | Should validate email address format w |
| 12347 | normal | GUI | Impact org shows in maintenance colum |
| 12420 | enhancement | GUI | Duplicate Components section in CMD |
| 12434 | normal | GUI | Can create duplicate biz service name i |
| 12534 | minor | GUI | Can not add / edit the description for an |
| 12548 | minor | GUI | Device Maintenance Takes Dates that a |
| 12851 | normal | GUI | CMDB Device Custom Property Thres |
| 12870 | normal | GUI | Allow CMDB Reports to be emailed in |
| 12890 | minor | GUI | The group name does not show when u |
| 13552 | normal | GUI | Drill down does not work for some of w |
i
| 13681 | enhancement | GUI | Add Location in the CMDB Search dro |
| 2437 | normal | GUI | For hosts, system uptime is calculated |
| 6482 | minor | GUI | Report sort order does not affect to wid |
| 12085 | enhancement | GUI | Extend Dashboard widget extend time |
| 12381 | normal | GUI | Invalid IP addresses with spaces can be |
| 12517 | normal | GUI | App Health page empty for EMC CLA |
| 12724 | normal | GUI | The sort function is lost in business ser |
| 12876 | normal | GUI | Duplicate “Free Array Storage” on Cla |
| 13253 | normal | GUI | Single Line widget on a dashboard doe |
| 13639 | normal | GUI | Dashboard Drill Down from Magnifyin |
| 9610 | normal | GUI | If any report is run with the “Run Late email all show Organization “Global”. |
| 10314 | normal | GUI | Reports with expressions in display col |
| 11544 | normal | GUI | When values are less than 1, heat maps |
| 11804 | normal | GUI | Provide an option to not have charts in |
| 12223 | normal | GUI | Date format in PDF is US date formate |
| 12446 | normal | GUI | Historical Search: Once stopped a quer |
| 12764 | minor | GUI | Schedule report date format should be |
| 12775 | enhancement | GUI | Need to shorten key info in incident vis |
| 4320 | enhancement | GUI | System-defined rule exceptions work f |
| 12276 | normal | GUI | New button is grey in Analytics > Rule |
| 12362 | minor | GUI | The drop down box of subpattern is too |
| 12926 | normal | GUI | Two rules (“Multiple Logon Failures: show “Triggered Event Count” inciden |
| 13383 | normal | GUI | Can’t see email template names in Ema |
| 12454 | normal | GUI | In CMDB -> Devices -> Topo (upper r |
| 13288 | normal | GUI | The incident count is wrong on Inciden |
| 12528 | normal | GUI | PDF export of Event Pulling errors doe |
| 10285 | normal | GUI | Add ability to mail::CC with Email No |
| 13192 | GUI | In CMDB tab, a device should be filter | |
| 10531 | normal | Data | Frequent SVN error – Could not create |
| 10645 | major | Data | InfoBlox NiOS SNMP based discovery |
| 12395 | normal | Data | Palo Alto Firewall: the event PAN-OS- |
| 13600 | normal | Data | Enhance IronPort web parser to cover d |
| 13622 | normal | Data | Sonicwall wlan logs from firewall not p |
| 13667 | normal | Data | Add retry for creating folder in phData |
| 13683 | enhancement | Data | Add Guaranteed eps to these events |
| 13684 | enhancement | Data | Add vmware datastore utilization rules |
| 12411 | normal | Data | Rule “Critical APC Trap” cannot be au |
| 13179 | normal | Data | Uncommon DNS Query Rule triggers u |
| 9654 | normal | Data | Some WinOSWmi Spanish events not |
| 11864 | enhancement | Data | Security Descriptor Field need to be pa |
| 11930 | normal | Data | Certain IOS events not parsed – IOS-E |
| IOS-LAPP_ON_MSGS-LAPP_ON_
IOS-SWITCH_QOS_TB-TRUST_DEV |
|||
| 11993 | enhancement | Data | Fortigate wireless AP events needs to b |
| 12445 | normal | Data | Incorrect test events for SyslogNG pars |
| 13004 | normal | Data | Need to resolve host name parsed from |
| 13064 | normal | Data | Sourcefire NetworkAMP events not pa |
| 13338 | normal | Data | Windows WMI and Snare parsers have |
| 13341 | normal | Data | Brocade SAN Switch events parsed to |
| 13345 | enhancement | Data | Windows System event types need to i |
| 13390 | normal | Data | Parsing error when [ in attr value in ph |
| 13610 | normal | Discovery | Special character “&” in host name cau |
| 7726 | major | Identity | Need to differentiate between domain u |
| 12267 | normal | Parser | Allow Netflow flows to be dropped lik |
| 13612 | normal | Parser | WMI events ‘Reporting IP’ not parsed c |
| 13743 | normal | Parser | PH_DEV_MON events have incorrect |
| 12985 | enhancement | Parser | Extend the Sender IP choice in Event F |
| 11788 | enhancement | Performance Monitoring | Pre-define some ssh/telnet/winexe jobs |
| 12970 | normal | Performance Monitoring | AO still pulls custom perf events after |
| 13355 | normal | Performance Monitoring | Oracle Acme Packet Controller Session |
| 13611 | normal | Performance Monitoring | Sonicwall interface not monitored corr |
| 13619 | normal | Performance Monitoring | Arista interface does not include link e |
| 13629 | enhancement | Performance Monitoring | Monitor load average for linux machin |
| 13770 | normal | Performance Monitoring | InfoBlox DHCP monitoring memory le |
| 13640 | normal | Performance Monitoring | VMware Cluster Consumed Memory v |
| 11684 | major | Query / Report | Query worker continues to perform sto |
| 11847 | normal | Query / Report | Query may not finish when event cand |
| 10300 | enhancement | Query / Report | Exported query results on super global |
| 12747 | enhancement | Query / Report | Allow customers to report on “Passwor |
| 12884 | normal | Query / Report | Exclude the event ASA-Update-Conn f |
| 12919 | normal | Query / Report | Exported Dynamic watchlists show inc |
| 13439 | normal | Query / Report | (AO-SP) The event PH_DEV_MON_ set to 1 – so network performance effic |
| 12886 | normal | Rule | Add reason for dropping events in PH poorly defined rules. |
| 12913 | normal | Rule | In rule synch error window, when you |
| 10386 | enhancement | Rule | When running Test Rule do not create |
| 13609 | normal | Rule | Network efficiency calculation is incor |
| 10235 | enhancement | System | Allow user to specify Super or Worker |
| 10377 | major | System | Fix the following vulnerabilities – CVE |
| 10566 | major | System | Fix the following vulnerabilities – CV
Cipher |
| 10596 | major | System | SVN password in EC2 build gets reset |
| 11649 | major | System | Failure to mount NFS on worker does n |
| 12831 | normal | System | Force AccelOps images to always mou |
| 13008 | minor | System | Disable SSLv3 and RC4 cypher by def |
| 13690 | normal | System | Installation script should ask the user t
in CMDB |
Caveats / Open Issues
| Bug
Id |
Issue | Workaround |
| 6940 | Rule/Query does not work with NULL non-string fields (e.g. Source IP). These entries are skipped. It works however with NULL string values (such as Host name). | If Group By conditions have non-string fields, then make sure that those fields are parsed in events. |
| 8867 | LAST and FIRST operators in rule group event constraints causes Rule Worker modules to crash | Avoid using LAST and FIRST operators in Rule group event constraints |
| 11036 | PctChange operator in rule group event constraints causes Rule Worker modules to crash | Avoid using PctChange operator in
Rule group event constraints |
| 11112 | COUNT DISTINCT operations are expensive for anomaly rules | Avoid using COUNT DISTINCT in anomaly rules |
| 12900 | Advanced HTTP STM via Selenium plugin does not work for some webpages – root cause is that AccelOps uses python export which does not support the full functionality of the browser plugin. Need to use java export instead of python export. | None – use STM on simpler webpages. |
| 13744 | Empty strings in synched report results should be exported to Report Server as NULL instead of empty strings. Within Tableau, CAST conversion operations FAIL when an empty string is encountered, but do not when a NULL is there. | None |
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!