FortiSIEM 4.9.0 User Guide - Fortinet Document Library

FortiSIEM User Guide
Version 4.9.0, Revision 2
Thursday, June 1, 2017

FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com
FORTINET VIDEO GUIDE
http://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com
http://cookbook.fortinet.com/how-to-work-with-fortinet-support/
FORTIGATE COOKBOOK
http://cookbook.fortinet.com
FORTINET TRAINING SERVICES
http://www.fortinet.com/training
FORTIGUARD CENTER
http://www.fortiguard.com
END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdocs@fortinet.com
FortiSIEM 4.9.0 User Guide
Fortinet Technologies Inc.

TABLE OF CONTENTS

Change Log .......... 8
What's new in 4.9.0 .......... 9
  Features .......... 9
    FortiCare based licensing .......... 9
    FortiGuard Indicators of Compromise (IOC) Service .......... 11
    Malware Detection Via Host Name Entropy .......... 11
  Enhancements .......... 11
    Windows Agent (2.1.1) Enhancements .......... 11
    Large external threat intelligence data handling optimization .......... 11
    Ability to directly email incidents without a notification policy .......... 11
    Ability to export rules by function .......... 12
    Ability to turn off trigger event reporting in Incident notification .......... 12
    Framework for handling dynamically changing lines in device configuration .......... 12
    Optimize GUI loading after login .......... 12
    Optimize HTML5 dashboard search via inline report post filtering .......... 12
  Device Support .......... 12
FortiSIEM Basics .......... 13
  Features and Architecture .......... 14
  Supervisors, Workers, Collectors, and Organizations .......... 17
  Deployment Options .......... 18
    Enterprise Deployment Options .......... 19
    Multi-Tenant Deployment Options for Managed Service Providers or Multiple Organizations .......... 26
  Export Restrictions .......... 32
Installing/Upgrading FortiSIEM .......... 33
  Licensing .......... 34
  Installation .......... 48
    System Performance Estimates and Recommendations for Large Scale Deployments .......... 50
    Browser Support and Hardware Requirements .......... 53
    Information Prerequisites for All FortiSIEM Installations .......... 57
    Hypervisor Installations .......... 58
    ISO Installation .......... 84
    General Installation .......... 85
    Using NFS Storage with FortiSIEM .......... 88
    FortiSIEM Windows Agent and Agent Manager Install .......... 96
  Upgrade .......... 108
    Upgrade Overview .......... 109
    Migrating from 3.7.x versions to 4.2.1 .......... 111
    Migrating the SVN Repository to a Separate Partition on a Local Disk .......... 155
    Special pre-upgrade instruction for 4.3.3 .......... 156
    Special pre-upgrade instruction for 4.6.1 .......... 157
    Enabling TLS 1.2 Patch On Old Collectors .......... 158
    Upgrading to 4.6.3 for TLS 1.2 .......... 159
    Setting Up the Image Server for Collector Upgrades .......... 160
    Upgrading a FortiSIEM Single Node Deployment .......... 161
    Upgrading a FortiSIEM Cluster Deployment .......... 162
    Upgrading FortiSIEM Windows Agent and Agent Manager .......... 164
    Automatic OS Upgrades during Reboot .......... 167
Configuring FortiSIEM .......... 168
  Initial System Configuration .......... 169
    Setting Up the Email Gateway .......... 170
    Setting Up Routing Information for Reports and Incident Notifications .......... 171
    Setting Up User Roles .......... 176
    Adding Users for Enterprise Deployments .......... 179
    Managing Organizations for Multi-Tenant Deployments .......... 188
    Adding Users to Multi-Tenant Deployments .......... 192
  Discovering Infrastructure .......... 197
    Discovery Settings .......... 198
    Discovery for Multi-Tenant Deployments .......... 203
    Setting up CyberArk .......... 204
    Setting Access Credentials for Device Discovery .......... 206
    Discovering Devices .......... 208
    Discovering Amazon Web Services (AWS) Infrastructure .......... 209
    Discovering Microsoft Azure Infrastructure .......... 211
    Associating Microsoft Azure with Credentials .......... 211
    Discovering Microsoft Azure Compute Nodes .......... 212
    Approving Newly Discovered Devices .......... 213
    Inspecting Event Pulling Methods for Devices .......... 214
    Inspecting Changes Since Last Discovery .......... 215
    Discovery Range Definition Options .......... 216
    Scheduling a Discovery .......... 219
    Adding Devices to the CMDB Outside of Discovery .......... 220
    Decommissioning a device .......... 221
    Creating Dynamic CMDB Group Policies .......... 221
  Configuring Monitoring .......... 223
    Device Monitoring Settings .......... 224
    Managing Monitoring of System and Application Metrics for Devices .......... 229
    Setting Up Synthetic Transaction Monitoring Tests .......... 230
    Creating Business/IT Services .......... 238
  Data Update Subscription Service .......... 239
    Data Update Overview .......... 240
    Configuring Data Update .......... 241
  Creating Custom Parsers and Monitors for Devices .......... 243
    Creating Event Attributes, Event Types, and Device Types .......... 244
    Custom Parsers .......... 248
    Custom Performance Monitors .......... 272
    Custom Command Output Monitor .......... 314
    Custom File Monitor .......... 329
    Custom Configuration Change Monitoring .......... 338
  Configuring Event Handling .......... 340
    Event Dropping .......... 341
    Event Forwarding .......... 342
    Event Organization Mapping .......... 343
    Multi-line Syslog Handling .......... 344
Managing FortiSIEM .......... 346
  General System Administration .......... 347
    FortiSIEM Backend Processes .......... 348
    Administrator Tools .......... 350
    Managing User Activity .......... 351
    Creating Maintenance Window for Devices .......... 353
    Creating Maintenance Window for Synthetic Transaction Monitoring jobs .......... 354
    Creating Reverse SSH Tunnels to Debug Collector Issues .......... 355
    Managing System Date Format and Logos .......... 364
    Viewing Cloud Health and System Information .......... 365
    Viewing Collector Health .......... 366
    Viewing License Information and Adding Nodes to a License .......... 368
    FortiSIEM Event Categories and Handling .......... 369
    Changing Dashboard Theme .......... 371
    Installing OS Security Patches .......... 372
  Working with the Configuration Management Database (CMDB) .......... 373
    CMDB Categorization of Devices and Applications .......... 374
    Overview of the CMDB User Interface .......... 377
    Managing CMDB Objects .......... 384
    Reporting on CMDB Objects .......... 435
  Creating Event Database Archives .......... 444
    Managing Event Data Archive .......... 446
    Managing Online Event Data .......... 446
    Restoring Archived Data .......... 449
  Validating Log Integrity .......... 450
  Integrating with External CMDB and Helpdesk Systems .......... 452
    FortiSIEM Integration Framework Overview .......... 453
    External Helpdesk System Integration .......... 454
    External Help desk / CMDB Integration .......... 460
    Setting Schedules for Receiving Information from External Systems .......... 464
    Exporting Events to External Systems via Kafka .......... 465
  Backing Up and Restoring FortiSIEM Directories and Databases .......... 466
    Backing Up and Restoring SVN .......... 467
    Backing Up and Restoring the CMDB .......... 468
    Backing Up and Restoring the Event Database .......... 469
Monitoring Operations with FortiSIEM .......... 470
  Dashboards - Flash version .......... 471
    Dashboard Overview .......... 472
    Customizing Dashboards .......... 495
    Creating Dashboard Slideshow .......... 501
    Exporting and Importing Dashboards .......... 502
    Link Usage Dashboard .......... 503
  Dashboards - HTML5 version .......... 504
    Viewing System Dashboards .......... 505
    Creating New Dashboards .......... 506
    Deleting Dashboards .......... 507
    Modifying Dashboards .......... 508
    Sharing Dashboards .......... 510
    Importing and Exporting Widget Dashboards .......... 511
  Analytics .......... 512
    Search .......... 513
    Rules .......... 562
    Reports .......... 595
    Audit .......... 618
    Visual Analytics .......... 624
    Sample Incident Queries .......... 646
    Real Time Performance Probe .......... 667
  Incidents - Flash version .......... 669
    Viewing and Searching Incidents .......... 669
    Incident Notifications .......... 678
    Creating Tickets In FortiSIEM In-built Ticketing System .......... 690
    Creating Tickets in External Ticketing System .......... 696
    Using Incidents in Searches and Rules .......... 697
  Incidents - HTML5 version .......... 698
    Incident Attributes .......... 699
    Viewing Incidents .......... 703
    Searching Incidents .......... 706
    Managing Incidents .......... 708
    Device Risk Score Computation .......... 709
  Miscellaneous Operations .......... 710
    Exporting Events to Files .......... 711
    Dynamic Population of Location, User, and Geolocation Information for Events .......... 713
    Monitoring Custom Applications .......... 717
    IPS Vulnerability Map .......... 718
Change Log

Date        Change Description
2017-05-15  Initial version of FortiSIEM Release notes for 4.9.0.
2017-05-30  Second revision with updates in the section: Enhancements > Windows Agent (2.1.1) Enhancements.
What's new in 4.9.0

This section describes the new and enhanced features in FortiSIEM version 4.9.0. For more information about
the new features, bug fixes and known issues, refer to the FortiSIEM 4.9.0 Release Notes.

Features
- FortiCare based licensing
- FortiGuard Indicators of Compromise (IOC) Service
- Malware Detection Via Host Name Entropy

Enhancements
- Windows Agent (2.1.1) enhancements
- Large external threat intelligence data handling optimization
- Ability to directly email incidents without a notification policy
- Ability to export rules by function
- Ability to turn off trigger event reporting in Incident notification
- Framework for handling dynamically changing lines in device configuration
- Optimize GUI loading after login
- Optimize HTML5 dashboard search via inline report post filtering

Device/Application support
Features
FortiCare based licensing

Starting with this release, the AccelOps license server is deprecated. FortiSIEM 4.9.0 and later will not accept
licenses issued by the AccelOps license server.

Versions 4.8.1 and earlier continue to run with their existing license, but a new FortiCare-issued license is
required when the current license expires or when you add to the current license. Fortinet recommends that
customers download the new license well ahead of the expiry date.

Note the following:

- Make sure you have sufficient license to cover your needs.
- Device and EPS enforcement is tighter than in earlier releases.
- If your device license completely expires, you will not be able to log in to the system (as in 4.8.1 and
  earlier).
- If your licensed device count is smaller than the CMDB device count, a warning message is shown for two
  weeks. After the two-week grace period, randomly chosen devices are decommissioned: they can no longer be
  monitored, and newly received logs from them are dropped. This can happen if you renew for fewer devices
  than exist in the CMDB.
- If your licensed EPS is smaller than the EPS configured in FortiSIEM, a warning message is shown for two
  weeks. After the two-week grace period, EPS is reduced. This can happen if you renew for a lower EPS than
  you had before license expiry.

What's changed with the new licensing mechanism?

- In the current release, the license key file generated by FortiCare has to be imported into the system.
  FortiSIEM does not register with a license server, so no internet connectivity is needed. The customer has to
  obtain a new license key file for every change to the license. In later releases, FortiSIEM will communicate
  with FortiGuard to get renewal updates.
- There are fewer licensing parameters with the new license:
  - License Type: Subscription/Perpetual
  - Windows agent count: Basic and Advanced
  - Additional EPS
  - IOC Subscription
  - Maintenance and Support
- The following license parameters from the AccelOps legacy license are eliminated:
  - Service Provider/Enterprise
  - Number of Organizations (Service Provider only)
  - Number of FortiSIEM Virtual Machines
  - Number of Collectors
  - Report Server
  - Salesforce support
- The eliminated license parameters from the AccelOps legacy license are handled as follows:
  - The user sets Service Provider/Enterprise during install.
  - The number of Organizations for Service Providers is unlimited; the user can add Organizations at any time.
  - The number of FortiSIEM Virtual Machines is unlimited.
  - The number of Collectors is unlimited as well.
  - The user can add Report Servers without any restriction.
  - Salesforce support is available for free for now.

An overview of the licensing operation follows (refer to FortiSIEM 4.9.0 User Guide > Section:
Installation/Upgrade > Licensing):

- New users:
  - Get registration codes by email after purchase (one registration code for each SKU).
  - (FortiCare) Register the base FortiSIEM product using the registration code and Hardware ID, and get the
    FortiSIEM Serial Number.
  - (FortiCare) Register additional FortiSIEM products against the FortiSIEM Serial Number.
  - (FortiCare) Generate the FortiSIEM license key file.
  - Install FortiSIEM.
  - Import the license key file into FortiSIEM.
- Existing users (existing licenses are already imported into FortiCare):
  - (FortiCare) Locate the FortiSIEM Serial Number and validate entitlements.
  - (FortiCare) Associate the Hardware ID with the Serial Number.
  - (FortiCare) Generate the FortiSIEM license key file.
  - (FortiSIEM) Validate the license key file to make sure that the entitlements are accurate.
  - Import the license key file into FortiSIEM.
FortiGuard Indicators of Compromise (IOC) Service

Starting with this release, FortiSIEM can communicate with the FortiGuard IOC Service and download Malware IP,
URL and Domain information. This information can be used to detect malware both in historical logs (via queries)
and in incoming logs (via rules).

This feature is license driven. You need to purchase the FortiGuard IOC Service (SKU: FC[1-G]-10-FSM98-14902-DD),
obtain a new license and then install the new license in FortiSIEM.

Malware Detection Via Host Name Entropy

Sophisticated malware is known to use Domain Generation Algorithms (DGA) to generate domain names that serve as
rendezvous points with its command and control (C&C) servers. In this release, FortiSIEM computes the domain name
entropy for events containing destination host names (for example DNS events and Web proxy events) and appends it
as an event metadata attribute (domainEntropy). Events with a high domainEntropy value can indicate malware.
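The check that the domainEntropy attribute enables can be reproduced outside the product. The script below is an added example for this guide, not FortiSIEM code: it parses a few constructed DNS query lines (the line format, the field names and the 3.5-bit threshold are assumptions of this example), computes the Shannon entropy of each queried name after stripping its last label, and returns the names at or above the threshold. Whether FortiSIEM strips the suffix before measuring is not stated on this page.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query events (not FortiSIEM output); the line format
# and field names are assumptions made for this illustration.
SAMPLE_DNS_LOGS = [
    "2017-06-01T10:00:01Z dns client=10.1.1.5 query=www.example.com type=A",
    "2017-06-01T10:00:02Z dns client=10.1.1.5 query=mail.example.com type=MX",
    "2017-06-01T10:00:03Z dns client=10.1.1.9 query=xk3q9vz7tbp2m8wf.info type=A",
    "2017-06-01T10:00:04Z dns client=10.1.1.9 query=q0w9e8r7t6y5u4i3.net type=A",
]

QUERY_FIELD = re.compile(r"\bquery=(?P<host>[A-Za-z0-9.-]+)")

# Assumed threshold in bits per character; tune it against a baseline of your
# own resolver traffic before turning it into an alerting rule.
HIGH_ENTROPY_BITS = 3.5


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    counts = Counter(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def domain_entropy(host):
    """Entropy of the host name with its last label (public suffix) removed.

    Dropping the suffix and the dots keeps strings such as 'com' or 'net',
    which appear in nearly every name, from diluting the measurement. That is
    this example's choice, not necessarily the product's.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) > 1:
        labels = labels[:-1]
    return shannon_entropy("".join(labels))


def enrich_events(lines):
    """Parse the sample lines and append a domainEntropy attribute to each event."""
    events = []
    for line in lines:
        match = QUERY_FIELD.search(line)
        if match is None:
            continue
        host = match.group("host")
        events.append({
            "rawEvent": line,
            "destName": host,
            "domainEntropy": round(domain_entropy(host), 3),
        })
    return events


def high_entropy_hosts(events, threshold=HIGH_ENTROPY_BITS):
    """Host names whose entropy meets the threshold, in event order."""
    return [e["destName"] for e in events if e["domainEntropy"] >= threshold]


if __name__ == "__main__":
    enriched = enrich_events(SAMPLE_DNS_LOGS)
    for event in enriched:
        print("%-24s domainEntropy=%.3f" % (event["destName"], event["domainEntropy"]))
    print("suspect:", high_entropy_hosts(enriched))
```

A high value is an indicator, not a verdict: content-delivery and cloud host names with hashed labels score as high as DGA output, and very short names score low whatever their origin. In practice the threshold is set from a baseline of the environment's own resolver traffic, and the attribute is combined with other evidence, such as a FortiGuard IOC match or a burst of NXDOMAIN responses to the same client, before an incident is raised.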
Enhancements

Windows Agent (2.1.1) Enhancements

- The Agent forces the use of TLS 1.2 on the client side when communicating with the Agent Manager and Collector.
- The Agent checks for TLS 1.2 and .NET Framework 4.5 before installation, to avoid installation failures.
- Log size is limited to 20 MB on the Agent and 100 MB on the Agent Manager.
- Malformed Windows event logs created by other applications are handled gracefully.
- The Agent event database is limited to 1 GB (Agent version 2.1.1) and 512 MB (Agent version 2.0.1).
- The Agent event database is preserved across Agent service restarts.

Large external threat intelligence data handling optimization

Threat intelligence data (for example Malware IP, Domain and URL lists) can contain a large number of entries on
the first download, followed by a large number of incremental changes on a regular basis. These data sets must be
kept up to date and distributed dynamically to FortiSIEM Worker nodes for rule and report evaluation. This release
provides several system-level optimizations that enable FortiSIEM to keep up with large external threat
intelligence data sets.

Ability to directly email incidents without a notification policy

In prior releases, you had to write a notification policy to notify someone of an incident by email. This release
simplifies this: you can send an email directly (using the regular template or a custom template) from an incident
page.
Ability to export rules by function

This feature lets you create a CMDB report containing the rules for a specific function (security, performance,
availability, and so on).

Ability to turn off trigger event reporting in Incident notification

Incident notification emails contain the raw events that triggered the incident. Retrieving those events can be
expensive at high event rates. This release allows you to turn off raw event capture in incident notification emails.

Framework for handling dynamically changing lines in device configuration

Lines in a network device configuration that change on their own cause excessive configuration change incidents.
This release allows you to filter such lines out by creating a configuration file.
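This page does not describe the format of that configuration file. The Python below is an added example for this guide, not FortiSIEM code, and shows the underlying technique: two constructed router-style configuration snapshots are compared after dropping every line that matches a list of regular expressions for lines that change on their own (the sample configurations, the pattern list and the function names are assumptions of this example). Without the filter the timestamp comment and the NTP counter show up as changes; with it, only the new access-list line remains.

```python
import difflib
import re

# Constructed sample configuration snapshots in a router-like syntax; not real
# device output. Only the timestamp comment, the NTP clock-period counter and
# the new access-list line differ between the two.
OLD_CONFIG = """! Last configuration change at 10:00:01 UTC Thu Jun 1 2017
ntp clock-period 17179869
hostname edge-rtr1
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
"""

NEW_CONFIG = """! Last configuration change at 10:05:42 UTC Thu Jun 1 2017
ntp clock-period 17179873
hostname edge-rtr1
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
access-list 10 permit 10.1.1.0 0.0.0.255
"""

# Hypothetical ignore list: one anchored regular expression per line that is
# known to change on its own and therefore carries no change-management meaning.
DYNAMIC_LINE_PATTERNS = [
    r"^! Last configuration change at ",
    r"^ntp clock-period \d+$",
]


def filter_dynamic_lines(config_text, patterns):
    """Return the configuration as a list of lines with dynamic lines removed."""
    compiled = [re.compile(p) for p in patterns]
    return [
        line
        for line in config_text.splitlines()
        if not any(rx.search(line) for rx in compiled)
    ]


def config_diff(old_text, new_text, patterns=()):
    """Return (added, removed) lines between two snapshots after filtering.

    With an empty pattern list this is a plain line diff; with the dynamic-line
    patterns applied, only the changes an operator actually made remain.
    """
    old_lines = filter_dynamic_lines(old_text, patterns)
    new_lines = filter_dynamic_lines(new_text, patterns)
    hunks = list(difflib.unified_diff(old_lines, new_lines, lineterm="", n=0))
    body = hunks[2:]  # skip the '---' and '+++' file headers; empty when no diff
    added = [line[1:] for line in body if line.startswith("+")]
    removed = [line[1:] for line in body if line.startswith("-")]
    return added, removed


def is_real_change(old_text, new_text, patterns=DYNAMIC_LINE_PATTERNS):
    """True only if something other than a dynamic line changed."""
    added, removed = config_diff(old_text, new_text, patterns)
    return bool(added or removed)


if __name__ == "__main__":
    noisy_added, noisy_removed = config_diff(OLD_CONFIG, NEW_CONFIG)
    print("unfiltered: %d added, %d removed" % (len(noisy_added), len(noisy_removed)))
    added, removed = config_diff(OLD_CONFIG, NEW_CONFIG, DYNAMIC_LINE_PATTERNS)
    print("filtered: added=%r removed=%r" % (added, removed))
```

Keep each pattern anchored and as specific as the line it targets: a pattern broad enough to match a whole command family would also hide a genuine change to that family, which is exactly what a configuration change rule exists to catch.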
Optimize GUI loading after login

When the CMDB has a large number of entries, GUI loading can take some time, because the system loads information
to facilitate GUI navigation. This release provides several optimizations that speed up initial GUI loading.

Optimize HTML5 dashboard search via inline report post filtering

The HTML5 dashboard has a search function. It is now performed at the back end rather than in the GUI, which
gives more accurate results.
Device Support

- FortiAP integration: discovery, performance monitoring and log analysis.
- FortiWLC and Meru AP integration: discovery, performance monitoring and log analysis.
- FortiClient integration: log analysis.
- GitHub integration: log analysis.
- Linux AIDE
FortiSIEM Basics

These topics provide an overview of the FortiSIEM solution, including its components and the various deployment
configurations.

- Features and Architecture
- Supervisors, Workers, Collectors, and Organizations
- Deployment Options
- Export Restrictions
Features and Architecture
FortiSIEM provides an all-in-one, seamlessly integrated and service-oriented IT infrastructure monitoring solution
that covers the performance, availability, change, and security monitoring of network devices, servers, and
applications. It is offered in two versions:

- A VMware based virtual appliance, which you can deploy as a single appliance or as a cluster of virtual
  appliances in a highly available, scaled-out grid architecture. This is what we refer to as FortiSIEM Enterprise.
- Software-as-a-Service (SaaS), where you deploy a virtual Collector on-premises for a customer and all of the
  customer's data is transmitted to the FortiSIEM data center. This is what we refer to as FortiSIEM Multi-Tenant,
  since Collector deployments are commonly used by organizations such as Managed Service Providers to monitor
  the services of their customers.
Some of the features of the FortiSIEM monitoring solution include:

- Intelligent Device Discovery
- Analytics
- Business Services
- Architecture
Intelligent Device Discovery

The first step in the monitoring process is IT infrastructure discovery. FortiSIEM has a fast and intelligent
discovery engine that can automatically crawl an IT infrastructure and discover network devices, servers, and
applications in depth. The user needs to provide appropriate credentials, a discovery IP address range, and
optionally a starting router IP address for faster discovery.

A wide range of information is discovered, including hardware information, serial numbers and licenses, installed
software, running applications and services, and router configuration. The discovered devices are automatically
categorized into detailed functional groups, such as Routers/Switches, Firewalls, and Network IPS, and this
information is maintained within an integrated configuration management database (CMDB). Some special
relationships are also discovered, for example WLAN Access Points to WLAN Controllers and VMware guests to
physical hosts. The CMDB is kept up to date through user-defined scheduled discoveries and by FortiSIEM
listening for changes as part of performance monitoring.

A novel aspect of FortiSIEM discovery is that the aspects of a device that can be monitored are discovered at the
same time. For example, given SNMP, WMI, and JDBC credentials for a Windows server, FortiSIEM might discover the
following:

- System performance metrics that can be collected by SNMP, for example CPU, memory utilization, and disk space
  utilization
- System performance metrics that can be collected by WMI, for example disk I/O utilization, memory swap rates,
  and process utilization
- Application specific metrics that can be collected by WMI, for example IIS, DNS, DHCP, and Exchange metrics
- Event logs that can be collected by WMI
- Database logs that can be pulled from the server by JDBC

You simply approve the discovered results and monitoring begins. This approach reduces human error, since
FortiSIEM learns from the true device configuration state.
Analytics

FortiSIEM uses a unified event-based framework to analyze all data, including logs and performance monitoring
data. Logs can either be sent to FortiSIEM via Syslog, SNMP traps, or other common log shipping methods, or
FortiSIEM can periodically access the system and collect the logs. Performance monitoring data is collected by
periodically probing the system. The data is parsed, indexed, and stored in a proprietary flat-file based database.
In contrast, the CMDB information is stored in a PostgreSQL relational database. The FortiSIEM unified data
management architecture combines the two databases and presents a single view to the user.

FortiSIEM provides a broad range of metrics. First, it is possible to search all data based on keywords, or in a
structured way using the attributes parsed by FortiSIEM. The search can be done in real time, in which the data
streaming in from devices is displayed, or it can be based on historical data. Historical searches are referred to
as Reports in FortiSIEM, and can be scheduled to run at intervals you set. A large number of reports are provided,
categorized by device type and by function such as availability, performance, change and security. Two novel
aspects of FortiSIEM metrics are unification and drill-down. With unification, all data is analyzed and presented
the same way, whether it is real time search, reports, rules, or performance, availability, change or security
data. With drill-down you can start from a specific context, such as Top Authentication Failed Users, and
iteratively select attributes to further analyze the data and get to the root cause of a problem. As an example,
an investigation of Top Authentication Failed Users could follow this drill-down: pick a user and time range ->
Top Destination IPs and Ports for that user and time range -> pick a destination IP and port -> Query all raw
messages.

FortiSIEM also uses rules for real-time alerting: a real-time event correlation engine analyzes all data and
triggers alerts based on these rules. FortiSIEM ships with 500+ rules that cover a broad range of interrelated
performance, availability, change and security scenarios. Rules range from simple text search and threshold
conditions to comprehensive logic supporting full Boolean operators and nested sub-patterns referencing multiple
elements, including thresholds and defined services. Thresholds can be static or dynamically derived from
profiled network, system resource and user activity. You can add new rules and customize existing ones, as
described in Creating Rules using GUI.
Business Services

A business service lets you view FortiSIEM metrics and prioritize alerts from a business service perspective. A
business service is defined within FortiSIEM as a smart container of relevant devices and applications serving a
business purpose. Once defined, all monitoring and analysis can be presented from a business service
perspective. It is possible to track service level metrics, respond to incidents efficiently on a prioritized basis,
record business impact, and provide business intelligence on IT best practices, compliance reporting, and IT
service improvement. What is also novel about FortiSIEM is how easily a business service can be defined and
maintained. Because FortiSIEM automatically discovers the applications running on the servers as well as the
network connectivity and the traffic flow, you can simply choose the applications and respective servers and be
intelligently guided to choose the rest of the components of the business service. This business service discovery
and definition capability in FortiSIEM completely automates a process that would normally take many people and
considerable effort to complete and maintain.
Architecture

The FortiSIEM virtual appliance solution operates as a turnkey guest application running within the most popular
hypervisors, with the option of using NFS or local storage. The implementation process is flexible and can be
accomplished in phases to support a variety of distributed and hybrid-cloud implementations. The FortiSIEM
virtual appliance is placed on a network where it can obtain operational data and establish sessions with the
infrastructure. Remote sites can use the FortiSIEM Collector client to locally discover, collect, compress and
securely transmit operational data back to the FortiSIEM virtual appliance. FortiSIEM's scale-out architecture
allows virtual appliance clustering to increase processing capacity and availability. Additional virtual
appliances can be added on the fly with nominal configuration, and the workload is automatically distributed
across cluster members to extend event analysis throughput and reduce query response time.
Supervisors, Workers, Collectors, and Organizations
A FortiSIEM deployment can be configured using either a single virtual appliance, or multiple virtual appliances
that play different roles within the deployment. The Supervisor virtual appliance is the primary component in both
standalone and cluster deployments, and every deployment begins with the setup and configuration of the
Supervisor. As described in Supervisor and Worker Cluster Deployment for Enterprises, there may be situations in
which a single appliance cannot monitor all the data and devices in your infrastructure, so you can deploy Worker
virtual appliances to take up the extra load. Finally, you may need to deploy Collectors to gather data that will
be processed by Supervisors and Workers. As described in Supervisor with Collectors Deployment for Enterprises
and Supervisor and Worker Cluster Deployment for Multi-Tenancy, these are most likely situations where you need
to monitor IT infrastructure at different sites, as in a large or distributed enterprise, or for different
organizations, as in multi-tenant installations for Managed Service Providers (MSPs). For these situations each
Organization is defined separately within FortiSIEM, so you can tailor monitoring, analytics, and reports to the
specific needs of that organization.
Deployment Options

The FortiSIEM architecture of Supervisors, Workers and Collectors offers a number of deployment options for
enterprises at any level of scale, as well as deployment options for managed service providers who need Service
Provider solutions. Topics in this section describe these deployment options in detail, including use cases for
each deployment type and the node and server configuration for each.

- Enterprise Deployment Options
- Multi-Tenant Deployment Options for Managed Service Providers or Multiple Organizations
Enterprise Deployment Options

For FortiSIEM, an Enterprise deployment is one in which there is a single organization for which data is gathered
and analyzed, and the virtual appliances are located entirely on-premises for that organization.

- Standalone Supervisor Deployment for Enterprises
- Supervisor and Worker Cluster Deployment for Enterprises
- Supervisor with Collectors Deployment for Enterprises
- Matrix of Enterprise Deployment Configuration Options
Standalone Supervisor Deployment for Enterprises

This is the simplest possible deployment option, in which a single Supervisor handles all the work of monitoring,
processing, and analyzing data. You can configure the Supervisor to use local or NFS storage, depending on your
event data storage requirements, as described in Using NFS Storage with FortiSIEM.
Supervisor and Worker Cluster Deployment for Enterprises

As the number of monitored devices or the analyzed event rate grows, one Supervisor may not be able to handle the
load. In that case, you can deploy a cluster of Supervisor and Worker virtual appliances that share data over
NFS. In a cluster deployment, the Supervisor and Worker nodes have specific functions:

- Discovery always runs on the Supervisor node.
- Logs can be sent to either the Supervisor or the Worker nodes; parsing occurs on the node where the event is
  received.
- Performance monitoring jobs are distributed by the Supervisor node across all Supervisor and Worker nodes
  following a load distribution algorithm.
- Users connect to the Supervisor via the FortiSIEM interface, and the Supervisor node runs the Application
  server, PostgreSQL (containing the CMDB) and the SVN database.
- Ad hoc user queries, preset continuously running reports, and rules are handled by the cluster collaboratively.
- Worker nodes are stateless, and can be seamlessly added to or removed from the cluster as the number of
  monitored devices or the event rate grows, or if better query performance is required.
Supervisor with Collectors Deployment for Enterprises

There are two cases where a single Supervisor may not be enough for your deployment:

- There are monitored devices behind a firewall that will not allow monitoring protocols like Windows Management
  Instrumentation (WMI) to be used from the Supervisor.
- The Supervisor can only reach the monitored devices through a high latency network such as a Wide Area Network
  (WAN), in which case monitoring protocols like Simple Network Management Protocol (SNMP) or WMI do not work
  well.

In these cases you can deploy Collectors to monitor the devices; the Collectors communicate with the Supervisor
over HTTP(S). The Collectors communicate with the devices, collect and parse events and logs, compress them, and
send them to the Supervisor for monitoring and analysis. Collectors can also buffer events in case transmission
to the Supervisor is interrupted. As shown in the diagrams, you can use Collectors in a deployment with a single
Supervisor, or in a deployment that also includes Workers.

[Figure: FortiSIEM deployment with a single Supervisor and Collectors]
[Figure: FortiSIEM deployment using a single Supervisor + 2 Workers + 2 Collectors]
Matrix of Enterprise Deployment Configuration Options
This matrix shows the components required for each enterprise deployment option.
Deployment Option                                               | Supervisor Node | Worker Node | Collector Node | NFS Server | Report Server | Visual Analytics Server
----------------------------------------------------------------|-----------------|-------------|----------------|------------|---------------|------------------------
Single Supervisor Node                                          | x               |             |                |            |               |
Supervisor Node with Collectors                                 | x               |             | x              |            |               |
Enterprise Cluster                                              | x               | x           |                | x          |               |
Enterprise Cluster with Collectors                              | x               | x           | x              | x          |               |
Supervisor Node with Tableau Visual Analytics                   | x               |             |                |            | x             | x
Supervisor Node with Collectors and Tableau Visual Analytics    | x               |             | x              |            | x             | x
Enterprise Cluster with Tableau Visual Analytics                | x               | x           |                | x          | x             | x
Enterprise Cluster with Collectors and Tableau Visual Analytics | x               | x           | x              | x          | x             | x

Description of each option:

- Single Supervisor Node: the most basic single site enterprise deployment.
- Supervisor Node with Collectors: also an enterprise deployment, covering multiple sites. Data collection is
  simplified by deploying a Collector for the satellite sites.
- Enterprise Cluster: the scalable enterprise deployment. An NFS Server is required in the data sharing
  architecture between Supervisor and Worker nodes.
- Enterprise Cluster with Collectors: adds Collectors to the mix and is the most comprehensive enterprise
  deployment.
- Supervisor Node with Tableau Visual Analytics: the most basic single node enterprise deployment, with added
  capability for Visual Analytics with Tableau.
- Supervisor Node with Collectors and Tableau Visual Analytics: an enterprise deployment covering multiple sites,
  with added capability for Visual Analytics with Tableau. Data collection is simplified by deploying a Collector
  for the satellite sites.
- Enterprise Cluster with Tableau Visual Analytics: the scalable enterprise deployment, with added capability for
  Visual Analytics with Tableau. An NFS Server is required in the data sharing architecture between Supervisor
  and Worker nodes.
- Enterprise Cluster with Collectors and Tableau Visual Analytics: adds Collectors to the mix and is the most
  comprehensive enterprise deployment, with added capability for Visual Analytics with Tableau.
Deployment Options
FortiSIEM Basics
Multi-Tenant Deployment Options for Managed Service Providers or Multiple Organizations
While a common use case for FortiSIEM is the monitoring of IT infrastructure for a single enterprise, Managed
Service Providers (MSPs) and large enterprises with multiple organizations can also use FortiSIEM to monitor IT
infrastructure at the customer or organization level, either by splitting IP addresses to correspond to the customer
or organization, or by deploying Collectors for each customer or organization and managing the monitoring and
analysis of their data from a centralized Supervisor.
- Standalone Supervisor Deployment for Multi-Tenancy
- Supervisor and Worker Cluster Deployment for Multi-Tenancy
- Matrix of Multi-Tenancy Deployment Configuration Options
Standalone Supervisor Deployment for Multi-Tenancy
FortiSIEM allows users to create organizations and to manage the entire IT infrastructure monitoring life cycle,
from data collection through storage, analytics and alerting, for each organization as a separate entity
from other organizations. There are several use cases for this multi-tenant model.
- Hosting service providers that host multiple customers in their own data center
- Managed service providers that manage a customer's data centers from their own data center
- Large enterprises that want to manage separate parts of the organization as individual customers
The simplest multi-tenancy deployment involves a single Supervisor, with organizations defined through the
splitting of IP address ranges. For example:
- 10.1.1.0/24 = Customer 1
- 10.1.2.0/24 = Customer 2
During the discovery process, FortiSIEM will tag a device with the right customer ID based on the IP address
definition.
Supervisor and Worker Cluster Deployment for Multi-Tenancy
As the number of monitored devices, or the analyzed event rate, grows, one Supervisor may not be able to handle
the load. In that case, you can deploy a cluster of Supervisor and Worker virtual appliances that share data over
NFS. In a cluster deployment, the Supervisor and Worker nodes have specific functions:
- Discovery always runs on the Supervisor node
- Logs can be sent to either the Supervisor or Worker nodes, and parsing occurs on the node where the event is
received
- Performance monitoring jobs are distributed by the Supervisor node across all Supervisor and Worker nodes
following a load distribution algorithm
- Users connect to the Supervisor via the FortiSIEM interface, and the Supervisor node runs the Application server,
PostgreSQL (containing CMDB) and SVN database
- Ad hoc user queries, preset continuously running reports, and rules are handled by the cluster in a collaborative
manner
- Worker nodes are stateless, and can be seamlessly added or removed from the cluster as needed as the number of
monitored devices or the rate of events grows, or if better query performance is required
In these deployments, you can define organizations by splitting IP address ranges. For example:
- 10.1.1.0/24 = Customer 1
- 10.1.2.0/24 = Customer 2
During the discovery process, the FortiSIEM Supervisor node will tag a device with the correct customer ID based
on the IP address definition.
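The IP-range organization definition used by both the standalone and the cluster multi-tenant deployments above, modelled as an added example (not FortiSIEM code): parse_org_ranges, find_overlaps and tag_device are this example's own names, the addresses and organizations are constructed sample data, and the longest-prefix rule for overlapping ranges is an assumption, since the guide does not say how FortiSIEM resolves overlaps. It also flags overlapping ranges for different tenants, because that is the misconfiguration that lets one tenant's devices land in another tenant's organization.

```python
"""Tag discovered devices with an organization from IP-range definitions.

Added example, not FortiSIEM code: it models the "10.1.1.0/24 = Customer 1"
style of organization definition used in the multi-tenant deployments above.
How FortiSIEM itself resolves overlapping ranges is not documented here, so
the longest-prefix rule below is this example's own choice. All organization
names and device addresses are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

OrgRange = Tuple[ipaddress.IPv4Network, str]


def parse_org_ranges(definitions: List[str]) -> List[OrgRange]:
    """Parse lines of the form '<CIDR> = <Organization>' into (network, org) pairs.

    A malformed line or a CIDR with host bits set raises ValueError, so a typo
    in a tenant definition is caught before discovery instead of silently
    leaving devices untagged or tagged into the wrong organization.
    """
    ranges: List[OrgRange] = []
    for line in definitions:
        if "=" not in line:
            raise ValueError(f"expected '<CIDR> = <Organization>': {line!r}")
        cidr, org = (part.strip() for part in line.split("=", 1))
        if not org:
            raise ValueError(f"missing organization name: {line!r}")
        # strict=True rejects prefixes like 10.1.1.5/24 (host bits set).
        ranges.append((ipaddress.IPv4Network(cidr, strict=True), org))
    return ranges


def find_overlaps(ranges: List[OrgRange]) -> List[Tuple[str, str, str, str]]:
    """Return (cidr_a, org_a, cidr_b, org_b) for every pair of ranges that overlap
    but belong to different organizations.

    Overlapping tenant ranges make tagging ambiguous, so one tenant's devices
    (and their events) can land in another tenant's organization; they should be
    resolved before discovery runs.
    """
    overlaps = []
    for i, (net_a, org_a) in enumerate(ranges):
        for net_b, org_b in ranges[i + 1:]:
            if org_a != org_b and net_a.overlaps(net_b):
                overlaps.append((str(net_a), org_a, str(net_b), org_b))
    return overlaps


def tag_device(ip: str, ranges: List[OrgRange]) -> Optional[str]:
    """Return the organization whose range contains ip, or None when nothing matches.

    When several ranges match, the most specific prefix wins (this example's rule).
    """
    addr = ipaddress.IPv4Address(ip)
    best: Optional[OrgRange] = None
    for net, org in ranges:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, org)
    return best[1] if best else None


def tag_devices(ips: List[str], ranges: List[OrgRange]) -> Dict[str, Optional[str]]:
    """Tag a batch of discovered addresses; unmatched devices map to None so they
    can be reviewed rather than silently assigned to some default organization."""
    return {ip: tag_device(ip, ranges) for ip in ips}


if __name__ == "__main__":
    # Constructed sample definitions and discovered addresses.
    definitions = ["10.1.1.0/24 = Customer 1", "10.1.2.0/24 = Customer 2"]
    ranges = parse_org_ranges(definitions)
    for ip, org in tag_devices(["10.1.1.37", "10.1.2.5", "10.1.3.9"], ranges).items():
        print(f"{ip:<12} -> {org or 'UNASSIGNED: review before monitoring'}")
    # A wider range for one tenant that swallows another tenant's block.
    ambiguous = parse_org_ranges(["10.1.0.0/16 = Customer 1", "10.1.2.0/24 = Customer 2"])
    print("overlapping definitions:", find_overlaps(ambiguous))
```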
Matrix of Multi-Tenancy Deployment Configuration Options
This matrix shows the components required for each multi-tenancy deployment option.
| Deployment Option | Supervisor Node | Worker Node | Collector Node | NFS Server | Report Server | Visual Analytics Server | Description |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Single Multi-Tenant Supervisor Node | x | | | | | | This is the most basic single site multi-tenant deployment, primarily suitable for hosting providers. Organizations are created by splitting up the IP address space. |
| Multi-Tenant Supervisor Node with Collectors | x | | x | | | | This is a service provider deployment covering multiple sites. Data collection is simplified by deploying a collector for the satellite sites. You can add organizations by assigning a collector to an organization, or by splitting up the IP address space. |
| Multi-Tenant Cluster | x | x | | x | | | This is a scalable service provider deployment suitable for deployments with large compute and storage needs. An NFS Server is required in the data sharing architecture between Supervisor and Worker nodes. Organizations are created by splitting up the IP address space. |
| Multi-Tenant Cluster with Collectors | x | x | x | x | | | This deployment adds collectors to the configuration and is the most comprehensive service provider deployment. You can add organizations by assigning a collector to an organization, or by splitting up the IP address space. |
| Multi-Tenant Supervisor Node with Tableau Visual Analytics | x | | | | x | x | This is the most basic single site multi-tenant deployment, with added capability for Visual Analytics with Tableau. |
| Multi-Tenant Supervisor Node with Collectors and Tableau Visual Analytics | x | | x | | x | x | This is a service provider deployment covering multiple sites, with added capability for Visual Analytics with Tableau. Data collection is simplified by deploying a collector for the satellite sites. |
| Multi-Tenant Cluster with Tableau Visual Analytics | x | x | | x | x | x | This is a scalable service provider deployment, with added capability for Visual Analytics with Tableau. An NFS Server is required in the data sharing architecture between Supervisor and Worker nodes. |
| Multi-Tenant Cluster with Collectors and Tableau Visual Analytics | x | x | x | x | x | x | This deployment adds collectors to the configuration and is the most comprehensive service provider deployment, with added capability for Visual Analytics with Tableau. |
Export-Restrictions
FortiSIEM Export Control Classification Number is D5002.
Our Encryption Registration Number is available upon request.
Our product cannot be exported, distributed, sold or used in: Cuba, Iran, Sudan, Syria and North Korea.
Installing/Upgrading FortiSIEM
This chapter describes the following:
- Licensing
- Installation
- Upgrade
Licensing
- Overview
- Prerequisites
- License for new users
  - Registering Base FortiSIEM Product
  - Adding Additional devices/services
- License for existing users
Overview
Starting with release 4.9.0, FortiSIEM will only accept licenses issued by FortiCare. The AccelOps license server
will not issue any more licenses, effective immediately.
Note: Your current FortiSIEM license will continue to work until the license expires. However, you have to
get a new license from FortiCare if:
- your current FortiSIEM license has expired.
- you need to buy additional services.
- you have a valid license and need to upgrade to FortiSIEM 4.9.0
Prerequisites
Before proceeding with FortiSIEM license registration, read and save the required information related to the
following:
- Registration code
- Hardware ID
- FortiSIEM image download site
Registration code
FortiSIEM product functionality is driven by the product SKUs below. You have to first purchase the
right combination of SKUs based on your needs from Fortinet. You will receive the registration letters
via email; they will contain a separate registration code for every SKU. You need to use these
registration codes to obtain a FortiSIEM license.
| Product Group | Product | SKU | Description |
| --- | --- | --- | --- |
| FortiSIEM Base Product | FortiSIEM All-In-One Perpetual License | FSM-AIO-BASE | Base All-In-One (AIO) Perpetual License for 50 devices and 500 EPS. |
| FortiSIEM Base Product | FortiSIEM All-In-One Perpetual License | FSM-AIO-XXXX-UG | Add X devices and EPS/device All-In-One (AIO) Perpetual license for Non-MSP/MSP's. |
| FortiSIEM Base Product | FortiSIEM All-In-One Subscription License | FC[1-8]-10-FSM98-180-02-DD | Per Device Subscription License that manages minimum X devices, 10 EPS/Device. |
| FortiSIEM Additional Products | FortiSIEM End-Point Device Perpetual License | FSM-EPD-XX-UG | Add XX End-Points and 2 EPS/End-Point for End-Point Perpetual License |
| FortiSIEM Additional Products | FortiSIEM End-Point Device Subscription License | FC[1-8]-10-FSM98-184-02-DD | Per End-Point Subscription License for minimum X End-Points, 2 EPS/End-Point |
| FortiSIEM Additional Products | Add 1 EPS Perpetual License | FSM-EPS-100-UG | Add 1 EPS Perpetual |
| FortiSIEM Additional Products | Add 1 EPS Subscription License | FC1-10-FSM98-183-02-DD | Add 1 EPS Subscription |
| FortiSIEM Additional Products | FortiSIEM Basic Windows Agent Perpetual License | FSM-WIN-XX-UG | XX Basic Windows Agents for Perpetual License |
| FortiSIEM Additional Products | FortiSIEM Advanced Windows Agent Perpetual License | FSM-WIN-ADV-XX-UG | XX Advanced Windows Agents for Perpetual License |
| FortiSIEM Additional Products | FortiSIEM Basic Windows Agent Subscription License | FC[1-8]-10-FSM98-181-02-DD | Per Agent Subscription License for minimum XX Basic Windows Agents |
| FortiSIEM Additional Products | FortiSIEM Advanced Windows Agent Subscription License | FC[1-8]-10-FSM98-182-02-DD | Per Agent Subscription License for minimum XX Advanced Windows Agents |
| FortiSIEM Additional Products | IOC Service Subscription License | FC[1-G]-10-FSM98-149-02-DD | (X Points) FortiSIEM Indicators of Compromise (IOC) Service. 1 device or 2 End points or 3 Windows Agents equals 1 point. |
| FortiSIEM Support | FortiCare Support for FortiSIEM | FC[1-G]-10-FSM97-248-02-DD | 24x7 FortiCare Contract (X points). 1 device or 2 End points or 3 Windows Agents equals 1 point. |
Hardware ID
Hardware ID (UUID) is used to uniquely identify the server where the FortiSIEM Supervisor node will run.
Go to the server where the FortiSIEM Supervisor node has to be installed or is currently installed.
i. Log in via SSH as root.
ii. Run the command cat /sys/class/dmi/id/product_uuid
iii. Note the output; you will need this to create a license.
FortiSIEM image download site
- Fresh installation:
  - If you are new to Fortinet products and do not have a support account other than FortiSIEM, download the
    FortiSIEM image from https://images-cdn.fortisiem.fortinet.com/VirtualAppliances/latestrelease.html
  - If you have existing Fortinet products, log in to the Fortinet support site: https://support.fortinet.com and find
    the image under Download > Firmware Images.
- Upgrade:
  - Use the traditional upgrade process, which will download the image from the old location.
License for new users
This section describes the procedures for new FortiSIEM users to license the FortiSIEM product. There is no Base
requirement for a Subscription License, but the Ordering Quantity has to meet the minimum quantity requirements of
each SKU.
Note: The base device related SKUs have to be registered first.
| Base SKU | Description |
| --- | --- |
| FSM-AIO-BASE | Base all-in-one Perpetual License for 50 devices and 500 EPS |
| FC[1-8]-10-FSM98-180-02-DD | Per Device Subscription License that manages minimum X devices, 10 EPS/Device. |
Other FortiSIEM products such as additional devices, Windows Agents, IOC Services, Maintenance and Support
etc. can be added after the Base has been registered.
- Registering Base FortiSIEM product
- Adding additional devices/services
Registering Base FortiSIEM product
1. Go to FortiCare Product Registration link: https://support.fortinet.com/.
2. Click SIGN UP to create an account.
3. Log in using your Account ID/Email and Password.
4. Click Asset > Register/Renew and enter the Registration Code of the Base license based on the license type.
   - Subscription based license: Open the SKU file corresponding to the Subscription based license,
     FC[1-8]-10-FSM98-180-02-DD, and get the Registration code.
   - Perpetual license: Open the SKU file corresponding to the Base Perpetual License, FSM-AIO-BASE,
     and get the Registration code.
5. Select the End User Type and click Next.
6. On the License Registration page, enter the Hardware ID and select the Fortinet Partner type from the list.
7. Click Next.
8. Read and agree to the terms and conditions of Fortinet Product Registration Agreement and click Next.
9. On the Verification page, read and agree to the terms and click Confirm.
10. Verify the information displayed under Product Info and click Finish. Note the Serial Number for use in further
steps.
11. Go to Asset > Manage/View products and click the Serial number obtained from the previous step.
12. Select General and click Edit to associate the Hardware ID of the VM where the Supervisor is going to run.
Hardware ID can be obtained by following the steps in Prerequisites (b).
13. Select License & Key and click Get the License file link to download the license.
Note: If you need to add additional devices to the license, download the license file after adding all the
devices following the steps under 'Adding additional devices/services'.
14. Download and install FortiSIEM. See Prerequisites (c) for the image location.
15. Once FortiSIEM is installed, log in and click Browse to select the license file.
Note: If the UI does not redirect to the license upload screen, open
https://<ip_of_supervisor>/phoenix/licenseUpload.html and upload the license file.
16. Select the License Type based on the deployment type as:
- Enterprise for single organizations
- Service Provider for multiple organizations
Note: For earlier versions of FortiSIEM, the License Type options displayed were VA for Enterprise and
SP for Service Provider.
17. Click Upload.
18. Verify the license following one of the methods:
a. On FortiSIEM UI, go to Admin > License Management and verify the license information.
b. On the server where FortiSIEM is installed, execute the command on the license file and verify the
license information:
   # phLicenseRead <LicenseFile>
Note: Using this tool, you will not be able to identify the License type.
c. On the server where FortiSIEM is installed, execute one of the following commands:
   # phLicenseTool --show
   # phLicenseTool --verify
Adding additional devices/services
After registering the base license, you can register additional devices/services supported by FortiSIEM:
- Devices
- End points
- Windows Agents
- IOC Service
- Maintenance and Service
Follow the below steps to add a device/service:
1. Open the SKU file for the device/service to get the Registration code. Refer to the table under Prerequisites (a).
2. On FortiCare, go to Asset > Register/Renew and add the Registration code of the new device.
3. Click the Serial Number obtained while registering the base.
4. Go to General > Edit to associate the Hardware ID and save.
Note: If you are adding more devices or services, repeat the procedure of adding the related registration code
to the same serial number and use the license generated at the end of registering all devices/services.
5. Go to License & Key tab and click Get the License File to download the license.
6. Download and install FortiSIEM image from the link: https://support.fortinet.com/. Refer to 'Installation' section
for more information about FortiSIEM installation.
7. Log in to FortiSIEM and click Browse to select the license file.
Note: If the UI does not redirect to the license upload screen, open
https://<ip_of_supervisor>/phoenix/licenseUpload.html and upload the license file.
8. Select the License Type based on the deployment type of your organization as:
- Enterprise for single organizations
- Service Provider for multiple organizations
Note: For earlier versions of FortiSIEM, the License Type options displayed were VA for Enterprise and
SP for Service Provider.
9. Verify the license following one of the methods:
a. On FortiSIEM UI, go to Admin > License Management and verify the license information.
b. On the server where FortiSIEM is installed, execute the command on the license file and verify the
license information:
   # phLicenseRead <LicenseFile>
Note: Using this tool, you will not be able to identify the License type.
c. On the server where FortiSIEM is installed, execute one of the following commands:
   # phLicenseTool --show
   # phLicenseTool --verify
License for existing users
For existing FortiSIEM customers, licenses are already imported into FortiCare. While the current FortiSIEM
license will continue to work until the license expires, you have to get a new license from FortiCare, if you want to
renew the license or buy additional products. Follow the below procedure to get a license:
1. Go to FortiCare Product Registration link: https://support.fortinet.com/.
2. Log in using your Account ID/Email and Password.
3. Click Asset > Manage/View Products.
The Serial Number corresponding to your license will be displayed.
4. Click the Serial number and select the General tab on the left tree.
5. Click Edit to associate the Hardware ID and Save. Refer to Prerequisites (b) section for more information about
how to get the hardware id for your FortiSIEM install.
6. Go to License & Key tab on the left tree and click Get the License File to download the license.
7. Before installing the license, verify that you have the right license file. The system will not function
if you have an incorrect license. Verify the license following one of the methods:
a. Download the phLicenseRead tool from the image download site. See Prerequisites (c).
b. Copy the phLicenseRead tool to /opt/phoenix/bin on the Supervisor node. Make sure the
permissions are correct (root/root).
c. Execute the command on the license file downloaded in Step 6 to verify the license information:
   # phLicenseRead <LicenseFile>
Note: Using the phLicenseRead tool, you will not be able to identify the License type.
Note: If the license is incorrect, contact Fortinet support to get the right license. Do not install a partial
license.
8. Upgrade FortiSIEM. Refer to 'Upgrade' section for more information about the upgrade process.
9. After the Supervisor reboots, log in to the Supervisor node and upload the license file from Step 6.
10. Verify the license information again from the GUI.
Installation
The topics in this section are intended to guide you through the basic process of setting up and configuring your
FortiSIEM deployment. This includes downloading and installing the FortiSIEM OVA image, using your
hypervisor virtual machine manager to configure the hardware settings for your FortiSIEM node, setting up basic
configurations on your Supervisor node, and registering your Supervisor and other nodes. Setting up IT
infrastructure monitoring, including device discovery, monitoring configuration, and setting up business services, is
covered under the section Configuring Your FortiSIEM Platform.
- What You Need to Know before You Begin Installation
- Basic Installation Process
What You Need to Know before You Begin Installation
What Kind of Deployment Will You Set Up?
Before beginning installation you should have determined the exact deployment configuration you will follow, as
described in the topics under Deployment Options. Note that many deployment options have particular hardware
requirements. For example, if you intend to use an NFS server for a cluster deployment, or if you want to use Visual
Analytics, you will need to make sure that you have the necessary hardware and network components in place.
We strongly recommend that you read through all the installation topics for your deployment configuration before
you begin.
Who Will Install and Configure FortiSIEM?
These topics assume that you have the basic system administration skills required to install FortiSIEM, and that
you are already familiar with the use of hypervisors such as VMware ESX or, if you are setting up a Cloud
deployment, that you are already familiar with Cloud environments such as Amazon Web Services.
What Information Do You Need to Get Started?
You will need to have administrator-level permissions on the host where you will download and install FortiSIEM,
and you will also need to have the username and password associated with your FortiSIEM license. If you intend to
use NFS storage for event data, you will also need to have set up an NFS server prior to installation.
Basic Installation Process
The installation process for any FortiSIEM deployment consists of a few steps:
- Import the FortiSIEM virtual appliance into a hypervisor or Amazon Web Services environment
- Edit the virtual appliance hardware settings
- Start and configure the virtual appliance from the hypervisor console
- Register the virtual appliance
Topics in this section will take you through the specific installation and configuration instructions for the most
popular hypervisors and deployment configurations.
- System Performance Estimates and Recommendations for Large Scale Deployments
- Browser Support and Hardware Requirements
- Information Prerequisites for All FortiSIEM Installations
- Hypervisor Installations
- ISO Installation
- General Installation
- Using NFS Storage with FortiSIEM
- FortiSIEM Windows Agent and Agent Manager Install
System Performance Estimates and Recommendations for Large Scale Deployments
This topic includes estimates and recommendations for storage capacity, disk performance, and network
throughput for optimum performance of FortiSIEM deployments processing over 10,000 EPS.
In general, event ingestion at high EPS requires lower storage IOPS than for queries simply because queries
need to scan higher volumes of data that has accumulated over time. For example, at 20,000 EPS, you have
86,400 times more data in a day than in one second, so a query such as 'Top Event types by count for the past 1
day' will need to scan 20,000 x 86,400 = ~ 1.72 billion events. Therefore, it is important to size your FortiSIEM
cluster to handle your query and report requirements first, which will also handle event ingestion very well. These
are the top 3 things to do for acceptable FortiSIEM query performance:
1. Add more worker nodes, higher than what is required for event ingestion alone
2. 10Gbps network on NFS server is a must, and if feasible on Supervisor and Worker nodes as well
3. SSD Caching on NFS server - The size of the SSD should be as close to the size required to cache hot data. In
typical customer scenarios, the last 1 month data can be considered hot data because monthly reports are quite
commonly run.
Schedule frequently run reports into the dashboard
If you have frequently run ranking reports that have group-by criteria (as opposed to raw message based reports),
you can add such reports into a custom dashboard so that FortiSIEM schedules these reports to run in inline
mode. Such reports compute their results in a streaming manner as event data is processed in real time. Such
reports do not put any burden on the storage IOPS because they read very little data from the EventDB. Note that
raw message reports (no group-by) are always computed directly from the EventDB.
An example scenario is presented at the end of this guide.
System Performance Component: Estimates and Recommendations

Event Storage Capacity
    Storage capacity estimates are based on an average event size of 64 compressed bytes x EPS (events per
    second). Browser Support and Hardware Requirements includes a table with storage capacity requirements for up to
    10,000 EPS.
Root Disk IOPS
    Standard hard disk IOPS
CMDB Disk IOPS
    1000 IOPS or more. Lab testing for EC2 scalability used 2000 IOPS.
SVN Disk IOPS
    1000 IOPS
EventDB IOPS for Event Ingestion
    1000 IOPS for 100K EPS (minimum)
EventDB Read IOPS for Queries
    As high as feasible to improve query performance (use SSD caching on NFS server when feasible). In EC2
    scalability testing, 2000 read IOPS while ingesting 100K EPS using one supervisor and two workers produced these
    results:
    - Index Query: No filter, display COUNT(Matched Events), group-by event type for 24 hours
        - Total Events processed = 2,594,816,711 (2.59 billion events)
        - Average events per second scanned by Query (QEPS) = 1.02 million QEPS
        - Average Query Runtime = 2543 seconds (~ 42 minutes)
    - Raw Event Log Query: Same as Index Query with filter Raw Event Log contains 'e'
        - Total Events processed = 350,914,385 (350 million events)
        - Average events per second scanned by Query (QEPS) = 179,909 EPS (179k QEPS)
        - Average Query Runtime = 1950 seconds (~ 33 minutes)
Network Throughput
    Recommend 10Gbps network between Supervisor, Workers, and NFS server.
    Using VMXNet3 Adapter for VMware
    To achieve the best network throughput in VMware environments, delete the E1000 network adapter and add one
    that uses VMXNet3 for the eth0/eth1 network configuration. The VMXNet3 adapter supports 10Gbps networking
    between VMs on the same host as well as across hosts, though you must also have a 10Gbps physical network
    adapter to achieve that level of throughput across hosts. You may need to upgrade the virtual hardware version
    (VMware KB 1003746) in order to have the ability to use VMXNet3. More details on the different types of VMware
    network adapters are available in VMware KB 1001805.
    Achieving 10Gbps on AWS EC2
    To achieve 10Gbps in the AWS EC2 environment, you will need to:
    a. Deploy FortiSIEM Super, Workers, and NFS server on the 8xlarge class of instances (for example, c3.8xlarge).
       Refer to EC2 Instance Types for available types, and look for instance types with 10 Gigabit noted next to them.
    b. Use the HVM image for both the FortiSIEM image and NFS server image that supports enhanced networking.
    c. Supervisor, Workers, and NFS Server must be placed under the same AWS EC2 placement group within an AWS VPC.
Network Interfaces
    FortiSIEM recommends the use of separate network interfaces for event ingestion/GUI access and storage data to
    NFS.
Number of Workers
    6000 EPS per worker for event ingestion. More worker nodes for query performance. See example below.
Example:
An MSP customer has 12,000 EPS across all their customers. Each event takes up 64 bytes on average in
compressed form in the EventDB.
Storage and Query Performance Example
1 Year total events = 12000 * 86400 * 365 = 378.432 billion events
1 month total events = 378.432 billion / 12 = 31.536 billion events
1 Year Storage for 12,000 EPS = 12000 * 86400 * 365 * 64 bytes = 23TB
1 month Storage = ~ 2TB (SSD cache on NFS)
Run time for 'Top Event types by count for last 1 month' (@ 1 million QEPS using 1
super + 2 workers) = 31536 seconds = 8.75 hours
Example run time for above query using 1 super + 20 workers = 1.25 hours*
* Assuming that read IOPS are not limited due to SSD cache for 1 month data
These calculations are just extrapolations based on a test on EC2. Actual results may vary from this because of
differences in hardware, event data, and types of queries. Therefore, it is recommended that customers do a pilot
evaluation using production data either on-premise or on AWS before arriving at an exact number of worker nodes.
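The same arithmetic as a reusable sizing calculator, added here as an example and not taken from the guide: the function names and size_deployment's output keys are this example's own, the constants are the guide's figures (64 compressed bytes per event, 6000 EPS of ingestion per worker, about 1 million QEPS on 1 super + 2 workers), and linear scaling of scan rate with node count is the guide's extrapolation assumption, valid only while read IOPS are not the bottleneck.

```python
"""Sizing calculator for the storage and query-performance example above.

Added example, not FortiSIEM code. It implements the guide's own arithmetic:
64 compressed bytes per event, 6000 EPS of ingestion per worker, and the
measured scan rate of about 1 million QEPS on 1 super + 2 workers, extrapolated
linearly with node count (the guide's assumption, valid only while read IOPS
are not the bottleneck, e.g. with the hot month on an SSD cache).
"""
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = SECONDS_PER_DAY * 365
SECONDS_PER_MONTH = SECONDS_PER_YEAR / 12   # the guide's "1 month" is one twelfth of a year
BYTES_PER_EVENT = 64                        # average compressed size in the EventDB
INGEST_EPS_PER_WORKER = 6_000               # ingestion capacity per worker (table above)
MEASURED_QEPS = 1_000_000                   # ~1M QEPS scanned on 1 super + 2 workers
MEASURED_NODES = 3                          # nodes in that measurement (super + 2 workers)


def total_events(eps: float, seconds: float) -> int:
    """Events accumulated at a sustained rate over a period."""
    return round(eps * seconds)


def storage_bytes(eps: float, seconds: float, bytes_per_event: int = BYTES_PER_EVENT) -> int:
    """EventDB bytes needed to retain that many events (decimal TB = bytes / 1e12)."""
    return total_events(eps, seconds) * bytes_per_event


def workers_for_ingestion(eps: float) -> int:
    """Minimum workers to absorb the ingestion rate alone."""
    return math.ceil(eps / INGEST_EPS_PER_WORKER)


def cluster_qeps(nodes: int) -> float:
    """Scan rate of a cluster, extrapolated linearly from the measured 3-node figure."""
    return MEASURED_QEPS * nodes / MEASURED_NODES


def query_runtime_seconds(events: int, nodes: int) -> float:
    """Seconds to scan `events` with a cluster of `nodes` Supervisor + Worker nodes."""
    return events / cluster_qeps(nodes)


def workers_for_query_target(events: int, target_seconds: float) -> int:
    """Workers needed (in addition to the Supervisor) so the scan finishes within target."""
    nodes = math.ceil(events * MEASURED_NODES / (target_seconds * MEASURED_QEPS))
    return max(nodes - 1, 0)


def size_deployment(eps: float, query_target_hours: float) -> dict:
    """Carry the guide's worked example through for any EPS and query-time target."""
    month_events = total_events(eps, SECONDS_PER_MONTH)
    return {
        "year_events": total_events(eps, SECONDS_PER_YEAR),
        "month_events": month_events,
        "year_storage_tb": storage_bytes(eps, SECONDS_PER_YEAR) / 1e12,
        "hot_month_ssd_tb": storage_bytes(eps, SECONDS_PER_MONTH) / 1e12,
        "ingest_workers": workers_for_ingestion(eps),
        "month_query_hours_3_nodes": query_runtime_seconds(month_events, 3) / 3600,
        "query_workers": workers_for_query_target(month_events, query_target_hours * 3600),
    }


if __name__ == "__main__":
    # The MSP scenario from the guide: 12,000 EPS, monthly report wanted in about 1.25 hours.
    for key, value in size_deployment(12_000, 1.25).items():
        print(f"{key:<28} {value:,.2f}" if isinstance(value, float) else f"{key:<28} {value:,}")
```

For the guide's scenario a strict 1.25-hour target comes out at 21 workers; the guide's 20-worker figure is 1.2514 hours, which it rounds to 1.25.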
Browser Support and Hardware Requirements
- Supported Operating Systems and Browsers
- Hardware Requirements for Supervisor and Worker Nodes
- Hardware Requirements for Collector Nodes
- Hardware Requirements for Report Server Nodes
Supported Operating Systems and Browsers
These are the browsers and operating systems that are supported for use with the FortiSIEM web client.
| OS Supported | Browser Supported |
| --- | --- |
| Windows | Firefox, Chrome, Internet Explorer 11.x, Microsoft Edge |
| Mac OS X | Firefox, Chrome, Safari |
| Linux | Firefox, Chrome |
Hardware Requirements for Supervisor and Worker Nodes
The FortiSIEM Virtual Appliance can be installed using either storage configured within the ESX server or NFS
storage. See the topic Configuring NFS Server for more information on working with NFS storage.
Event Data Storage Requirements
The storage requirement shown in the Event Data Storage column is only for the eventdb data, but the
/data partition also includes CMDB backups and queries. You should set the /data partition to a larger amount
of storage to accommodate for this.
Encryption for Communication Between FortiSIEM Virtual Appliances
All communication between Collectors that are installed on-premises and FortiSIEM Supervisors and Workers is
secured by TLS 1.2 encryption. Communications are managed by OpenSSL/Apache HTTP Server/mod_ssl on
the Supervisor/Worker side, and libcurl, using the NSS library for SSL, on the Collector side. The FortiSIEM
Supervisor/Workers use an RSA certificate with 2048 bits by default.
You can control the exact ciphers used for communications between virtual appliances by editing
the SSLCipherSuite section in the file /etc/httpd/conf.d/ssl.conf on FortiSIEM Supervisors and
Workers. You can test the ciphersuite for your Super or Worker using the following nmap command:
nmap --script ssl-cert,ssl-enum-ciphers -p 443 <super_or_worker_fqdn>
Calculating Events per Second (EPS) and Exceeding the License Limit
FortiSIEM calculates the EPS for your system using a counter that records the total number of received events in
a three-minute time interval. Every second, a thread wakes up and checks the counter value. If the counter is less
than 110% of the license limit (using the calculation 1.1 x EPS License x 180), then FortiSIEM will continue to
collect events. If you exceed 110% of your licensed EPS, events are dropped for the remainder of the three-
minute window, and an email notification is triggered. At the end of the three-minute window the counter resets
and FortiSIEM resumes receiving events.
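The window counter described above, replayed in an added Python example (not from the guide) so that you can see how a sustained or bursty feed behaves against a given license; the per-second event counts are constructed inputs, and the assumption that the check happens before each second's events are counted is ours.

```python
import math

WINDOW_SECONDS = 180   # the three-minute counting window described in the guide
# Accepted while the counter is below 110% of the license: 1.1 x EPS License x 180.


def window_limit(license_eps):
    """Maximum events accepted in one window, kept in integer arithmetic (1.1 == 11/10)."""
    return license_eps * WINDOW_SECONDS * 11 // 10


def simulate(per_second_counts, license_eps):
    """Replay a list of per-second received-event counts through the window counter.

    Each second the counter is checked before that second's events are added (our assumption
    about ordering); once it is no longer below the limit, every event for the rest of the
    window is dropped and one notification is raised; the counter resets at the window edge.
    Returns (accepted, dropped, notifications).
    """
    limit = window_limit(license_eps)
    counter = 0
    accepted = dropped = notifications = 0
    dropping = False
    for second, count in enumerate(per_second_counts):
        if second % WINDOW_SECONDS == 0:      # new three-minute window
            counter = 0
            dropping = False
        if not dropping and counter >= limit:  # the per-second check
            dropping = True
            notifications += 1
        if dropping:
            dropped += count
        else:
            counter += count
            accepted += count
    return accepted, dropped, notifications


def seconds_until_drop(sustained_eps, license_eps):
    """Seconds of a window accepted before a constant feed trips the limit (None if it never does)."""
    limit = window_limit(license_eps)
    if sustained_eps * WINDOW_SECONDS <= limit:
        return None
    return math.ceil(limit / sustained_eps)


if __name__ == "__main__":
    # Constructed feeds against a 1,000 EPS license: a steady 50% overage, and a short burst
    # near the end of an otherwise compliant window.
    print(simulate([1500] * 180, 1000))               # (198000, 72000, 1)
    print(simulate([900] * 170 + [5000] * 10, 1000))  # (198000, 5000, 1)
    print(seconds_until_drop(1500, 1000))             # 132
```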
Hardware requirements for Supervisor and Worker nodes by Overall EPS:
Overall EPS | Quantity | Installation Host SW | Processor | Memory | OS/App and CMDB Storage | Event Data Storage (1 year)
1,500 | 1 | ESXi (4.0 or later preferred) | 4 Core 3 GHz, 64 bit | 16 GB; 24 GB (4.5.1+) | 200GB (80GB OS/App, 60GB CMDB, 60GB SVN) | 3 TB
4,500 | 1 | ESXi (4.0 or later preferred) | 4 Core 3 GHz, 64 bit | 16 GB; 24 GB (4.5.1+) | 200GB (80GB OS/App, 60GB CMDB, 60GB SVN) | 8 TB
7,500 | 1 Super; 1 Worker | ESXi (4.0 or later preferred) | Super: 8 Core 3 GHz, 64 bit; Worker: 4 Core 3 GHz, 64 bit | Super: 24 GB; Worker: 16 GB | Super: 200GB (80GB OS/App, 60GB CMDB, 60GB SVN); Worker: 200GB (80GB OS/App) | 12 TB
10,000 | 1 Super; 1 Worker | ESXi (4.0 or later preferred) | Super: 8 Core 3 GHz, 64 bit; Worker: 4 Core 3 GHz, 64 bit | Super: 24 GB; Worker: 16 GB | Super: 200GB (80GB OS/App, 60GB CMDB, 60GB SVN); Worker: 200GB (80GB OS/App) | 17 TB
20,000 | 1 Super; 3 Workers | ESXi (4.0 or later preferred) | Super: 8 Core 3 GHz, 64 bit; Worker: 4 Core 3 GHz, 64 bit | Super: 24 GB; Worker: 16 GB | Super: 200GB (80GB OS/App, 60GB CMDB, 60GB SVN); Worker: 200GB (80GB OS/App) | 34 TB
30,000 | 1 Super; 5 Workers | ESXi (4.0 or later preferred) | Super: 8 Core 3 GHz, 64 bit; Worker: 4 Core 3 GHz, 64 bit | Super: 24 GB; Worker: 16 GB | Super: 200GB (80GB OS/App, 60GB CMDB, 60GB SVN); Worker: 200GB (80GB OS/App) | 50 TB
Higher than 30,000 | Consult FortiSIEM
Hardware Requirements for Collector Nodes
Component | Quantity | Host SW | Processor | Memory | OS/App Storage
Collector | 1 | ESX | 2 Core 2 GHz, 64 bit | 4 GB | 40 GB
Collector | 1 | Native Linux (Suggested Platform: Dell PowerEdge R210 Rack Server) | 2 Core, 64 bit | 4GB | 40 GB
Hardware Requirements for Report Server Nodes
Component | Quantity | Host SW | Processor | Memory | OS/App Storage | Report Data Storage (1 year)
Report Server | 1 | ESX | 8 Core 3 GHz, 64 bit | 16 GB | 200GB (80GB OS/App, 60GB CMDB, 60GB SVN) | See recommendations under Hardware Requirements for Supervisor and Worker nodes.
Information Prerequisites for All FortiSIEM Installations
You should have this information ready before you begin installing the FortiSIEM virtual appliance on ESX:
1. The static IP address and subnet mask for your FortiSIEM virtual appliance.
2. The IP address of NFS mount point and NFS share name if using NFS storage. See the topics Configuring NFS
Storage for VMware ESX Server and Setting Up NFS Storage in AWS for more information.
3. The FortiSIEM host name within your local DNS server.
4. The VMWare ESX datastore location where the virtual appliance image will be stored if using ESX storage.
Proxy Server Authentication Not Supported
Proxy server authentication is not supported in this version of FortiSIEM. Turn off proxy server authentication or
completely disable the proxy for your virtual appliance host.
Hypervisor Installations
Topics in this section cover the instructions for importing the FortiSIEM disk image into specific hypervisors and
configuring the FortiSIEM virtual appliance. See the topics under General Installation for information on
installation tasks that are common to all hypervisors.
- Installing in Amazon Web Services (AWS)
- Installing in Linux KVM
- Installing in Microsoft Hyper-V
- Installing in VMware ESX
Installing in Amazon Web Services (AWS)
You Must Use an Amazon Virtual Private Cloud with FortiSIEM
You must set up a Virtual Private Cloud (VPC) in Amazon Web Services for FortiSIEM deployment rather than
classic-EC2. FortiSIEM does not support installation in classic-EC2. See the Amazon VPC documentation for
more information on setting up and configuring a VPC. See Creating VPC-based Elastic IPs for Supervisor and
Worker Nodes in AWS for information on how to prevent the public IPs of your instances from changing when they
are stopped and started.
Using NFS Storage with Amazon Web Services
If the aggregate EPS for your FortiSIEM installation requires a cluster (FortiSIEM virtual appliance + worker
nodes), then you must set up an NFS server. If your storage requirements for the EventDB are more than 1TB, it
is strongly recommended that you use an NFS server where you can configure LVM+RAID0. For more
information, see Setting Up NFS Storage in AWS.
Note: SVN password reset issue after system reboot for FortiSIEM 3.7.6 customers in AWS Virtual Private Cloud
(VPC).
FortiSIEM uses SVN to store monitored device configurations. In an AWS VPC setup, we have noticed that the
FortiSIEM SVN password gets changed if the system reboots; this prevents FortiSIEM from storing new
configuration changes and viewing old configurations. The following procedure can be used to reset the SVN
password to the FortiSIEM factory default so that FortiSIEM can continue working correctly.
This script needs to be run only once.
1. Log on to the Supervisor.
2. Copy the attached ao_svnpwd_reset.sh script to the Supervisor on the EC2+VPC deployment.
3. Stop all back-end processes before running the script by issuing the following command: phtools --stop all
4. Make the script executable: chmod +x ao_svnpwd_reset.sh
5. Execute ao_svnpwd_reset.sh as the root user: ./ao_svnpwd_reset.sh. The system will reboot.
6. Check SVN access to make sure that old configurations can be viewed.
Determining the Storage Type for EventDB in AWS
If the aggregate EPS for your FortiSIEM installation requires a cluster (a virtual appliance + Worker nodes), then
you must set up an NFS server as described in Using NFS Storage with Amazon Web Services. If your storage
requirement for EventDB is more than 1TB, it is recommended that you use an NFS server where you can
configure LVM+RAID0, which is also described in those topics. Although it is possible to set up a similar
LVM+RAID0 on the FortiSIEM virtual appliance itself, this has not been tested.
Here's an example of how to calculate storage requirements: at 5000 EPS, daily storage requirements come to
about 22-30GB (300k events take roughly 15-20MB on average in compressed format stored in eventDB). So, in
order to have 6 months of data available for querying, you need to have 4-6TB of storage.
If you only need one FortiSIEM node and your storage requirements are lower than 1TB, and are not expected to
ever grow beyond this limit, you can avoid setting up an NFS server and use a local EBS volume for EventDB. For
this option, see the topic Configuring Local Storage in AWS for EventDB.
Configuring Local Storage in AWS for EventDB
- Create the Local Storage Volume
- Attach the Local Storage Volume to the Supervisor
Create the Local Storage Volume
1. Log in to AWS.
2. In the EC2 dashboard, click Volumes.
3. Click Create Volume.
4. Set Size to 100 GB to 1 TB (depending on storage requirement).
5. Select the same Availability Zone region as the FortiSIEM Supervisor instance.
6. Click Create.
Attach the Local Storage Volume to the Supervisor
1. In the EC2 dashboard, select the local storage volume.
2. In the Actions menu, select Attach Volume.
3. For Instance, enter the Supervisor ID.
4. For Device, enter /dev/xvdi.
5. Click Attach.
Setting Up Supervisor, Worker and Collector Nodes in AWS
The basic process for installing FortiSIEM Supervisor, Worker, or Collector node is the same. Since Worker nodes
are only used in deployments that use NFS storage, you should first configure your Supervisor node to use NFS
storage, and then configure your Worker node using the Supervisor NFS mount point as the mount point for the
Worker. See Configuring NFS Storage for VMware ESX Server for more information. Collector nodes are only
used in multi-tenant deployments, and need to be registered with a running Supervisor node.
- Setting Up AWS Instances
- Creating VPC-based Elastic IPs for Supervisor and Worker Nodes in AWS
- Configuring the Supervisor and Worker Nodes in AWS
- Registering the Collector to the Supervisor in AWS
When you're finished with the specific hypervisor setup process, you need to complete your installation by
following the steps described under General Installation.
Setting Up AWS Instances
1. Log in to your AWS account and navigate to the EC2 dashboard.
2. Click Launch Instance.
3. Click Community AMIs and search for the AMI ID associated with your version of FortiSIEM. The latest AMI IDs
are on the image server where you download the other hypervisor images.
4. Click Select.
5. Click Compute Optimized.
Using C3 Instances
You should select one of the C3 instances with a Network Performance rating of High, or 10Gb performance.
The current generation of C3 instances run on the latest Intel Xeons that AWS provides. If you are running
these machines in production, it is significantly cheaper to use EC2 Reserved Instances (1 or 3 year) as
opposed to on-demand instances.
6. Click Next: Configure Instance Details.
7. Review these configuration options:
Network and Subnet: Select the VPC you set up for your instance.
Number of Instances: For enterprise deployments, set to 1. For a configuration of 1 Supervisor + 2 Workers, set
to 3. You can also add instances later to meet your needs.
Public IP: Clear the option Automatically assign a public IP address to your instances if you want to use VPN.
Placement Group: A placement group is a logical grouping for your cluster instances. Placement groups have low
latency, full-bisection 10Gbps bandwidth between instances. Select an existing group or create a new one.
EBS Optimized Instance: An EBS optimized instance enables dedicated throughput between Amazon EBS and
Amazon EC2, providing improved performance for your EBS volumes. Note that if you select this option,
additional Amazon charges may apply.
8. Click Next: Add Storage.
9. For Size, Volume Type, and IOPS, set options for your configuration.
Storage Configuration Options
In a configuration with three instances for 1 Supervisor + 2 Workers, Volume Type should be set
to Provisioned IOPS, even though only the Supervisor node's CMDB data needs higher IOPS. For
Workers, Standard IOPS is enough. You can also launch with Standard IOPS, and then add a separate
EBS volume for CMDB separately with the higher Provisioned IOPS.
If you are using local storage for EventDB, click Add New Volume to create a new EBS volume, and
set these options:
Device: /dev/xvdi
Size: 50GB to 1TB, depending on storage requirement
Volume Type: Provisioned IOPS
IOPS: 2000
10. Click Next: Tag Instance.
11. Under Value, enter the Name you want to assign to all the instances you will launch, and then click Create Tag.
After you complete the launch process, you will have to rename each instance to correspond to its role in your
configuration, such as Supervisor, Worker1, Worker2.
12. Click Next: Configure Security Group.
13. Select Select an Existing Security Group, and then select the default security group for your VPC.
FortiSIEM needs access to HTTPS over port 443 for GUI and API access, and access to SSH over port 22 for
remote management, which are set in the default security group. This group will allow traffic between all instances
within the VPC.
Limiting IP Access
Make sure you have limited the IP addresses that can access your VPC, or that you have set up VPN
access to it. VPN will block all inbound Internet traffic.
14. Click Review and Launch.
15. Review all your instance configuration information, and then click Launch.
16. Select an existing or create a new Key Pair to connect to these instances via SSH. If you use an existing key
pair, make sure you have access to it. If you are creating a new key pair, download the private key and store it in
a secure location accessible from the machine from where you usually connect to these AWS instances.
17. Click Launch Instances.
18. When the EC2 Dashboard reloads, check that all your instances are up and running.
19. All your instances will be tagged with the Name you assigned in Step 11. Select each instance and rename
it according to its role in your deployment.
20. For all types of instances, follow the instructions to SSH into the instances as described in Configuring the
Supervisor and Worker Nodes in AWS, and then run the script phstatus.sh to check the health of the
instances.
Creating VPC-based Elastic IPs for Supervisor and Worker Nodes in AWS
You need to create VPC-based Elastic IPs and attach them to your nodes so the public IPs don't change when you
stop and start instances.
1. Log in to the Amazon VPC Console.
2. In the navigation pane, click Elastic IPs.
3. Click Allocate New Address.
4. In the Allocate New Address dialog box, in the Network platform list, select EC2-VPC, and then click Yes,
Allocate.
5. Select the Elastic IP address from the list, and then click Associate Address.
6. In the Associate Address dialog box, select the network interface for the NAT instance. Select the address to
associate the EIP with from the Private IP address list, and then click Yes, Associate.
Configuring the Supervisor and Worker Nodes in AWS
1. From the EC2 dashboard, select the instance, and then click Connect.
2. Select Connect with a standalone SSH client, and follow the instructions for connecting with an SSH client.
For the connection command, follow the example provided in the connection dialog, but substitute the FortiSIEM
root user name for ec2-user@xxxxxx. The ec2-user name is used only for the Amazon Linux NFS server.
3. SSH to the Supervisor.
4. Run cd /opt/phoenix/deployment/jumpbox/aws.
5. Run the script pre-deployment.sh to configure the host name and NFS mount point.
6. Accept the License Agreements.
7. Enter the Host Name.
Finding the Host Name
You can find the host name on the EC2 dashboard. Select the instance, right click, and then select
Connect with a standalone SSH client. The host name will be listed under Public DNS.
8. Enter the Mount Point for your storage configuration.
NFS Storage: <NFS Server IP>:/data (for <NFS Server IP>, use the 10.0.0.X IP address of the NFS Server
running within the VPC)
Local Storage: /dev/xvdi
9. The system will reboot.
10. Log in to the Supervisor.
11. Register the Supervisor by following steps here.
12. Run cd /opt/phoenix/deployment/jumpbox/aws.
13. Run the script deployment.sh (this now includes running post-deployment.sh
automatically). The system will reboot and is then ready.
14. To install a Worker node, follow steps 1-9; the Worker is then ready.
15. To add a Worker to the cluster (assuming the Worker is already installed):
1. Log in to the FortiSIEM GUI.
2. Go to Admin > License Management > VA Information.
3. Click Add.
4. Enter the private address of the Worker Node.
Registering the Collector to the Supervisor in AWS
1. Locate a Windows machine on AWS.
2. Open a Remote desktop session from your PC to that Windows machine on AWS.
3. Within the remote desktop session, launch a browser and navigate to https://<Collector-IP>:5480
4. Enter the Collector setup information.
Name: Collector Name
User ID: Admin User
Password: Admin Password
Cust/Org ID: Organization Name
Cloud URL: Supervisor URL
5. Click Save.
The Collector will restart automatically after registration succeeds.
Installing in Linux KVM
The basic process for installing FortiSIEM Supervisor, Worker, or Collector node in Linux KVM is the same as
installing these nodes under VMware ESX, and so you should follow the instructions in Installing a Supervisor,
Worker, or Collector Node in ESX. Since Worker nodes are only used in deployments that use NFS storage, you
should first configure your Supervisor node to use NFS storage, and then configure your Worker node using the
Supervisor NFS mount point as the mount point for the Worker. Collector nodes are only used in Service Provider
deployments, and need to be registered with a running Supervisor node.
- Setting up a Network Bridge for Installing FortiSIEM in KVM
- Importing the Supervisor, Collector, or Worker Image into KVM
- Configuring Supervisor Hardware Settings in KVM
Setting up a Network Bridge for Installing FortiSIEM in KVM
If FortiSIEM is the first guest on KVM, then a bridge network may be required to enable network connectivity. For
details see the KVM documentation provided by IBM.
In these instructions, br0 is the initial bridge network, em1 is connected as a management network, and em4 is
connected to your local area network.
1. In the KVM host, go to the directory /etc/sysconfig/network-scripts/.
2. Create a bridge network config file ifcfg-br0.
DEVICE=br0
BOOTPROTO=none
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Bridge
NAME="System br0"
3. Edit network config file ifcfg-em4.
DEVICE=em4
BOOTPROTO=shared
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
UUID="24078f8d-67f1-41d58eea-xxxxxxxxxxxx"
IPV6INIT=no
USERCTL=no
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
NAME="System em4"
HWADDR=F0:4D:00:00:00:00
BRIDGE=br0
4. Restart the network service.
Importing the Supervisor, Collector, or Worker Image into KVM
1. Download and uncompress the FortiSIEM OVA package from the FortiSIEM image server to the location where
you want to install the image.
2. Start the KVM Virtual Machine Manager.
3. Select and right-click on a host to open the Host Options menu, and then select New.
4. In the New VM dialog, enter a Name for your FortiSIEM node.
5. Select Import existing disk image, and then click Forward.
6. Browse to the location of the OVA package and select it.
7. Choose the OS Type and Version you want to use with this installation, and then click Forward.
8. Allocate Memory and CPUs to the FortiSIEM node as recommended in the topic Browser Support and Hardware
Requirements, and then click Forward.
9. Confirm the installation configuration of your node, and then click Finish.
Configuring Supervisor Hardware Settings in KVM
1. In KVM Virtual Machine Manager, select the FortiSIEM Supervisor, and then click Open.
2. Click the Information icon to view the Supervisor hardware settings.
3. Select the Virtual Network Interface.
4. For Source Device, select an available bridge network.
See Setting up a Network Bridge for Installing FortiSIEM in KVM for more information.
5. For Device model, select Hypervisor default, and then click Apply.
6. In the Supervisor Hardware settings, select Virtual Disk.
7. In the Virtual Disk dialog, open the Advanced options, and for Disk bus, select IDE.
8. Click Add Hardware, and then select Storage.
9. Select the Select managed or other existing storage option, and then browse to the location for your storage.
You will want to set up a disk for both CMDB (60GB) and SVN (60GB). If you are setting up FortiSIEM Enterprise,
you may also want to create a storage disk for EventDB, with Storage format set to Raw.
10. In the KVM Virtual Machine Manager, connect to the FortiSIEM Supervisor and power it on.
11. Follow the instructions in Configuring the Supervisor, Worker, or Collector from the VM Console to complete the
installation.
Related Links
- Configuring the Supervisor, Worker, or Collector from the VM Console
Installing in Microsoft Hyper-V
This topic describes how to install FortiSIEM on a Microsoft Hyper-V virtual server.
- Importing a Supervisor, Collector, or Worker Image into Microsoft Hyper-V
Supported Versions
FortiSIEM has been tested to run on Hyper-V on Microsoft Windows 2012.
Importing a Supervisor, Collector, or Worker Image into Microsoft Hyper-V
Using Local or NFS Storage for EventDB in Hyper-V
Before you install FortiSIEM virtual appliance in Hyper-V, you should decide whether you plan to use NFS storage
or local storage to store event information in EventDB. If you decide to use a local disk, you can add a data disk of
appropriate size. Typically, this will be named as /dev/sdd if it is the 4th disk. When using local disk, choose the
type 'Dynamically expanding' (VHDX) format so that you are able to resize the disk if your EventDB will grow
beyond the initial capacity.
If you are going to use NFS storage for EventDB, follow the instructions in the topic Configuring NFS Storage for
VMware ESX Server.
Disk Formats for Data Storage
FortiSIEM virtual appliances in Hyper-V use dynamically expanding VHD disks for the root and CMDB partitions,
and a dynamically expanding VHDX disk for EventDB. Dynamically expanding disks are used to keep the exported
Hyper-V image within reasonable limits. See the Microsoft documentation topic Performance Tuning Guidelines
for Windows Server 2012 (or R2) for more information.
1. Download and uncompress the FortiSIEM OVA package from the FortiSIEM image server to the location
where you want to install the image.
2. Start Hyper-V Manager.
3. In the Action menu, select Import Virtual Machine.
The Import Virtual Machine Wizard will launch.
4. Click Next.
5. Browse to the folder containing the OVA package, and then click Next.
6. Select the FortiSIEM image, and then click Next.
7. For Import Type, select Copy the virtual machine, and then click Next.
8. Select the storage folders for your virtual machine files, and then click Next.
9. Select the storage folder for your virtual machine's hard disks, and then click Next.
10. Verify the installation configuration, and then click Finish.
11. In Hyper-V Manager, connect to the FortiSIEM virtual appliance and power it on.
12. Follow the instructions in Configuring the Supervisor, Worker, or Collector from the VM Console to complete the
installation.
Related Links
- Configuring the Supervisor, Worker, or Collector from the VM Console
Installing in VMware ESX
- Setting the Network Time Protocol (NTP) for ESX
- Installing a Supervisor, Worker, or Collector Node in ESX
- Configuring the Supervisor, Worker, or Collector from the VM Console
Setting the Network Time Protocol (NTP) for ESX
It's important that your Virtual Appliance has the accurate time in order to correlate events from multiple devices
within the environment.
1. Log in to your VMWare ESX server.
2. Select your ESX host server.
3. Click the Configuration tab.
4. Under Software, select Time Configuration.
5. Click Properties.
6. Select NTP Client Enabled.
7. Click Options.
8. Under General, select Start automatically.
9. Under NTP Setting, click Add....
10. Enter the IP address of the NTP servers to use.
Publicly Accessible NTP Server: If you don't have an internal NTP server, you can access a publicly
available one at http://tf.nist.gov/tf-cgi/servers.cgi
11. Click Restart NTP service.
12. Click OK to apply the changes.
Installing a Supervisor, Worker, or Collector Node in ESX
The basic process for installing FortiSIEM Supervisor, Worker, or Collector node is the same. Since Worker nodes
are only used in deployments that use NFS storage, you should first configure your Supervisor node to use NFS
storage, and then configure your Worker node using the Supervisor NFS mount point as the mount point for the
Worker. See Configuring NFS Storage for VMware ESX Server for more information. Collector nodes are only
used in Service Provider deployments, and need to be registered with a running Supervisor node.
- Importing the Supervisor, Collector, or Worker Image into the ESX Server
- Editing the Supervisor, Collector, or Worker Hardware Settings
- Setting Local Storage for the Supervisor
- Troubleshooting Tips for Supervisor Installations
When you're finished with the specific hypervisor setup process, you need to complete your installation by
following the steps described under General Installation.
Importing the Supervisor, Collector, or Worker Image into the ESX Server
1. Download and uncompress the FortiSIEM OVA package from the FortiSIEM image server to the location where
you want to install the image.
2. Log in to the VMware vSphere Client.
3. In the File menu, select Deploy OVF Template.
4. Browse to the .ova file (example: FortiSIEM-VA-4.3.1.1145.ova) and select it.
On the OVF Details page you will see the product and file size information.
5. Click Next.
6. Click Accept to accept the "End User Licensing Agreement," and then click Next.
7. Enter a Name for the Supervisor or Worker, and then click Next.
8. Select a Storage location for the installed file, and then click Next.
9. Select a Disk Format, and then click Next.
Disk Format Recommendation: FortiSIEM recommends using Thick Provision Lazy Zeroed.
10. Review the Deployment Settings, and then click Finish.
Deployment will complete in 7 to 10 minutes. Do not turn off or reboot the system during this time.
11. When the deployment completes, click Close.
Running on VMWare ESX 6.0: If you are importing FortiSIEM VA, Collector, or Report Server
images for VMWare on an ESXi 6.0 host, you will need to also "Upgrade VM Compatibility" to ESXi 6.0.
If the VM is already started, you need to shut down the VM, and use the "Actions" menu to do this. Due
to some incompatibility created by VMWare, our collector VM processes restarted and the collector
could not register with the supervisor. Similar problems are also likely to occur on supervisor, worker, or
report server as well, so make sure their VM compatibilities are upgraded as well. More information
about VM compatibility is available in the VMWare KB below:
https://kb.vmware.com/kb/1010675
Editing the Supervisor, Collector, or Worker Hardware Settings
Before you start the Supervisor, Worker, or Collector for the first time you need to make some changes to its
hardware settings.
1. In the VMware vSphere client, select the imported Supervisor, Worker, or Collector.
2. Right-click on the node to open the Virtual Appliance Options menu, and then select Edit Settings... .
3. Select the Hardware tab, and check that Memory is set to at least 16 GB and CPUs is set to 8.
Memory Allocation for Large Deployments
For large deployments you should allocate at least 24GB of memory. See the topic Hardware
Requirements for more information.
Setting Local Storage for the Supervisor
Using NFS Storage
You can install the Supervisor using either native ESX storage or NFS storage. These instructions are for creating
native ESX storage. See Configuring NFS Storage for VMware ESX Server for more information. If you are using
NFS storage, you will set the IP address of the NFS server during Step 15 of the Configuring the Supervisor,
Worker, or Collector from the VM Console process.
1. On Hardware tab, click Add.
2. In the Add Hardware dialog, select Hard Disk, and then click Next. 3. Select Create a new virtual disk, and then click Next.
4. Check that these selections are made in the Create a Disk dialog:
Disk Size: 300GB. See the Hardware Requirements for Supervisor and Worker Nodes in the Browser Support and
Hardware Requirements topic for more specific disk size recommendations based on Overall EPS.
Disk Provisioning: Thick Provision Lazy Zeroed
Location: Store to the Virtual Machine
5. In the Advanced Options dialog, make sure that the Independent option for Mode is not selected.
6. Check all the options for creating the virtual disk, and then click Finish.
7. In the Virtual Machine Properties dialog, click OK. The Reconfigure virtual machine task will launch.
Troubleshooting Tips for Supervisor Installations
- Check the Supervisor System and Directory Level Permissions
- Check Backend System Health
Check the Supervisor System and Directory Level Permissions
Use SSH to connect to the Supervisor and check that the cmdb, data, query, querywkr,
and svn permissions match those in this table:
Check that the /data , /cmdb, and /svn directory level permissions match those in this table:
Check Backend System Health
Use SSH to connect to the supervisor and run phstatus to see if the system status metrics match those in this
table:
Configuring the Supervisor, Worker, or Collector from the VM Console
Do Not Press Control Keys: Do not press any control keys (for example Control-C or Control-Z)
while configuring the virtual appliances in the VMware console, as this might cause the installation
process to stop. If this happens you must erase the virtual appliance and start the installation process
again.
1. In the VMware vSphere client, select the Supervisor, Worker, or Collector virtual appliance.
2. Right-click to open the Virtual Appliance Options menu, and then select Power > Power On.
3. In the Virtual Appliance Options menu, select Open Console.
Network Failure Message: When the console starts up for the first time you may see a Network eth0 Failed message, but this is expected behavior.
4. In the VM console, select Set Timezone and then press Enter.
5. Select your Location, and then press Enter.
6. Select your Country, and then press Enter.
7. Select your Timezone, and then press Enter.
8. Review your Timezone information, select 1, and then press Enter.
9. When the Configuration screen reloads, select Login, and then press Enter.
10. Enter the default login credentials:
    Login: root
    Password: ProspectHills
11. Run the vami_config_net script to configure the network:
    /opt/vmware/share/vami/vami_config_net
12. When prompted, enter the information for these network components to configure the Static IP address: IP Address, Netmask, Gateway, DNS Server(s).
Authenticated Proxy Server Not Supported: The authenticated proxy server is not supported in this version of FortiSIEM. Turn off proxy server authentication or completely disable the proxy for the ESX host.
13. Press Y to accept the network configuration settings.
14. Enter the Host name, and then press Enter.
15. For the Supervisor, set either the Local or NFS storage mount point.
16. For a Worker, use the same IP address of the NFS server you set for the Supervisor.
    Supervisor Local storage: /dev/sdd
    NFS storage: <NFS_Server_IP_Address>:/<Directory_Path>
After you set the mount point, the Supervisor will automatically reboot, and in 15 to 25 minutes the Supervisor will be successfully configured.
ISO-Installation
This topic covers installation of FortiSIEM from an ISO under a native file system such as Linux, also known as installing "on bare metal."
- Installing a Collector on Bare Metal
Installing a Collector on Bare Metal Hardware
You can install Collectors on bare metal hardware (that is, without a hypervisor layer). Be sure to read the section
on Hardware Requirements for Collectors in Browser Support and Hardware Requirements before starting
the installation process.
1. Download the Linux collector ISO image from https://images.FortiSIEM.net/VMs/releases/CO/.
2. Burn the ISO to a DVD so that you can boot from it to begin the setup.
3. Before you begin the installation, make sure the host where you want to install the Collector has an Internet
connection.
4. Log into the server where you want to install the Collector as root and make sure your boot DVD is loaded.
5. Go to /etc/yum.repos.d and make sure these configuration files are in the directory:
   CentOS-Base.repo
   CentOS-Debuginfo.repo
   CentOS-Media.repo
   CentOS-Vault.repo
6. As root, run the update command:
   yum -y update
7. As root, run the deployment script:
   /opt/phoenix/deployment/deployment.sh
8. The system will reboot itself when installation completes.
9. Follow the instructions in Registering the Collector to the Supervisor to complete the Collector setup.
Installing in Dell PowerEdge R210 II
In the R210 II model of Dell PowerEdge, the net interface has been renamed to p1p1 and em1, where in
previous versions it was named eth0. This can cause installation issues for your Collector. FortiSIEM
recommends this workaround:
1. Find the script named either /etc/sysconfig/network-scripts/ifcfg-p1p1 or /etc/sysconfig/network-scripts/ifcfg-em1.
2. Rename the script to /etc/sysconfig/network-scripts/ifcfg-eth0.
3. In that script, edit DEVICE= to be DEVICE=eth0.
If you use the embedded NIC, the device name is em1, and if another NIC is inserted, the device name will be p1p1.
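The workaround above as a script, added here as an example and not taken from the FortiSIEM guide or the Collector image. It takes the network-scripts directory as an argument (defaulting to /etc/sysconfig/network-scripts), writes whichever of ifcfg-p1p1 or ifcfg-em1 exists out as ifcfg-eth0 with DEVICE=eth0, keeps a .bak copy of the original, and refuses to overwrite an existing ifcfg-eth0 rather than clobbering a working configuration. Only DEVICE= is changed, as in the documented steps.

```shell
#!/bin/sh
# fix_ifcfg.sh: apply the Dell R210 II interface-name workaround described above.
# Added example, not part of the FortiSIEM guide. Only DEVICE= is changed, as
# in the documented workaround; every other key is copied unchanged.

# fix_ifcfg [NETWORK_SCRIPTS_DIR]
#   Looks for ifcfg-p1p1, then ifcfg-em1, in the given directory (default
#   /etc/sysconfig/network-scripts), writes it as ifcfg-eth0 with DEVICE=eth0,
#   keeps the original as <file>.bak and removes it so the old name is not
#   brought up as well. Prints the path of the new file.
#   Exit status: 0 success, 1 no candidate file, 2 ifcfg-eth0 already exists.
fix_ifcfg() {
    fi_dir=${1:-/etc/sysconfig/network-scripts}
    fi_src=
    for fi_name in p1p1 em1; do
        if [ -f "$fi_dir/ifcfg-$fi_name" ]; then
            fi_src="$fi_dir/ifcfg-$fi_name"
            break
        fi
    done
    if [ -z "$fi_src" ]; then
        echo "no ifcfg-p1p1 or ifcfg-em1 found in $fi_dir" >&2
        return 1
    fi
    if [ -e "$fi_dir/ifcfg-eth0" ]; then
        echo "$fi_dir/ifcfg-eth0 already exists; not overwriting it" >&2
        return 2
    fi
    cp -p "$fi_src" "$fi_src.bak"
    # Rewrite the DEVICE line; if the file had none, add one so the name is explicit.
    sed 's/^DEVICE=.*/DEVICE=eth0/' "$fi_src" > "$fi_dir/ifcfg-eth0"
    grep -q '^DEVICE=' "$fi_dir/ifcfg-eth0" || echo 'DEVICE=eth0' >> "$fi_dir/ifcfg-eth0"
    rm -f "$fi_src"
    echo "$fi_dir/ifcfg-eth0"
}

# Usage on the Collector (as root), before the deployment script is run:
#   fix_ifcfg
```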
General Installation
Configuring Worker Settings
If you are using FortiSIEM clustered deployment that includes both Workers and Collectors, you must define the
Address of your Worker nodes before you register any Collectors. When you register your Collectors, the Worker
information will be retrieved and saved locally to the Collector. The Collector will then upload event and
configuration change information to the Worker.
Worker Address in a Non-Clustered Environment
If you are not using FortiSIEM clustered deployment, you will not have any Worker nodes. In that case, enter the
IP address of the Supervisor for the Worker Address, and your Collectors will upload their information directly to
the Supervisor.
1. Log in to your Supervisor node.
2. Go to Admin > General Settings > System.
3. For Worker Address, enter a comma-separated list of IP addresses or host names for the Workers.
   The Collector will attempt to upload information to the listed Workers, starting with the first Worker address and proceeding until it finds an available Worker.
   Using a Load Balancer with Workers: You may also enter the Host Name or IP Address of a load balancer for the Worker Address, in which case the load balancer needs to be configured to send information to the Workers.
4. Click Save.
Registering the Supervisor
1. In a Web browser, navigate to the Supervisor's IP address: https://<Supervisor IP>
2. Enter the login credentials associated with your FortiSIEM license, and then click Register.
3. When the System is ready message appears, click the Here link to log in to FortiSIEM.
4. Enter the default login credentials:
   User ID: admin
   Password: admin*1
   Cust/Org ID: super
5. Go to Admin > Cloud Health and check that the Supervisor Health is Normal.
Registering the Worker
1. Go to Admin > License Management > VA Information.
2. Click Add, enter the new Worker's IP address, and then click OK.
3. When the new Worker is successfully added, click OK. You will see the new Worker in the list of Virtual Appliances.
4. Go to Admin > Cloud Health and check that the Worker Health is Normal.
Registering the Collector to the Supervisor
The process for registering a Collector node with your Supervisor node depends on whether you are setting up the Collector as part of an enterprise or multi-tenant deployment. For a multi-tenant deployment, you must first create an organization and add Collectors to it before you register it with the Supervisor. For an enterprise deployment, you install the Collector within your IT infrastructure and then register it with the Supervisor.
- Create an Organization and Associate Collectors with it for Multi-Tenant Deployments
- Register the Collector with the Supervisor for Enterprise Deployments
Create an Organization and Associate Collectors with it for Multi-Tenant Deployments
1. Log in to the Supervisor.
2. Go to Admin > Setup Wizard > Organizations.
3. Click Add.
4. Enter Organization Name, Admin User, Admin Password, and Admin Email.
5. Under Collectors, click New.
6. Enter the Collector Name, Guaranteed EPS, Start Time, and End Time.
   Unlimited Start and End Times: If you select Unlimited for Start Time and End Time, those fields will be greyed out for text entry.
7. Click Save.
   The newly added organization and Collector should be listed on the Organizations tab.
8. In a Web browser, navigate to https://<Collector-IP>:5480.
9. Enter the Collector setup information:
   Name: Collector Name
   User ID: Organization Admin User
   Password: Organization Admin Password
   Cust/Org ID: Organization Name
   Cloud URL: Supervisor URL
10. Click Save.
    The Collector will restart automatically after registration succeeds.
11. In the Supervisor interface, go to Admin > Collector Health and check that the Collector Health is Normal.
Register the Collector with the Supervisor for Enterprise Deployments
1. Log in to the Supervisor.
2. Go to Admin > License Management and check that Collectors are allowed by the license.
3. Go to Setup Wizard > General Settings and add at least the Supervisor's IP address.
   This should contain a list of the Supervisor and Worker accessible IP addresses or FQDNs.
4. Go to Setup Wizard > Event Collector and add the Collector information:
   Name: will be used in step 6.
   Guaranteed EPS: the number of Events per Second (EPS) that this Collector will be provisioned for.
   Start Time: select Unlimited.
   End Time: select Unlimited.
5. Connect to the Collector at https://<IP Address of the Collector>:5480.
6. Enter the Name from step 4.
7. Userid and Password are the same as the admin userid/password for the Supervisor.
8. The IP address is the IP address of the Supervisor.
9. For Organization, enter Super.
10. The Collector will reboot during the registration, and you will be able to see its status on the Collector Health page.
Using NFS Storage with FortiSIEM
When you install FortiSIEM, you have the option to use either local storage or NFS storage. For cluster
deployments using Workers, the use of an NFS Server is required for the Supervisor and Workers to communicate
with each other. These topics describe how to set up and configure NFS servers for use with FortiSIEM.
Supported Versions
FortiSIEM only supports NFS Version 3.
- Configuring NFS Storage for VMware ESX Server
- Using NFS Storage with Amazon Web Services
Configuring NFS Storage for VMware ESX Server
This topic describes the steps for installing an NFS server on CentOS Linux 6.x and higher for use with VMware ESX Server. If you are using an operating system other than CentOS Linux, follow your typical procedure for NFS server setup and configuration.
1. Log in to CentOS 6.x as root.
2. Download and install the NFS packages:
   yum install nfs-utils nfs-utils-lib
3. Run the NFS server startup scripts:
   chkconfig nfs on
   service rpcbind start
   service nfs start
4. Check the NFS service status and make sure the nfsd service is running:
   service nfs status
5. Create a new directory in the large volume to share with the FortiSIEM Supervisor and Worker nodes, and change the access permissions to provide FortiSIEM with access to the directory:
   mkdir /FortiSIEM
   chmod -R 777 /FortiSIEM
6. Edit the /etc/exports file to share the /FortiSIEM directory with the FortiSIEM Supervisor and Worker nodes:
   vi /etc/exports
   /FortiSIEM <Supervisor_IP_Address>(rw,sync,no_root_squash)
   /FortiSIEM <Worker1_IP_Address>(rw,sync,no_root_squash)
   /FortiSIEM <Worker2_IP_Address>(rw,sync,no_root_squash)
7. Save your changes to /etc/exports and restart the NFS server:
   service nfs restart
8. Check the shared directories:
   showmount -e localhost
   Example:
   Export list for localhost:
   /FortiSIEM <Supervisor_IP_Address>,<Worker1_IP_Address>,<Worker2_IP_Address>
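An added example (shell; not from the FortiSIEM guide or product) that audits the resulting /etc/exports before the share goes live. The documented export grants rw with no_root_squash to each node individually; this checker parses the file, confirms that every Supervisor and Worker address you pass in has an export, and flags anything that widens exposure: a wildcard or client-less export that lets any host mount the EventDB share, an address that is not one of your nodes, and no_root_squash itself (reported as informational, since root on a listed node becomes root on the share). The IP addresses in the demo are constructed.

```shell
#!/bin/sh
# exports_audit.sh: audit an NFS exports file for the FortiSIEM EventDB share.
# Added example, not part of the FortiSIEM documentation or product. It assumes
# the export layout used in the steps above, one client per entry such as
#   /FortiSIEM 10.0.0.10(rw,sync,no_root_squash)
# The addresses in the demo at the bottom are constructed (192.0.2.0/24).

# exports_clients FILE DIR
#   Print the client of every export of DIR, one per line. An entry with no
#   client before the options, e.g. "/FortiSIEM (rw)", exports to everyone
#   and is printed as "*".
exports_clients() {
    awk -v dir="$2" '$1 == dir {
        for (i = 2; i <= NF; i++) {
            c = $i; sub(/\(.*$/, "", c)
            print (c == "" ? "*" : c)
        }
    }' "$1"
}

# exports_findings FILE DIR EXPECTED_CLIENT...
#   Print one finding per line:
#     HIGH   wildcard client: any host that reaches the server can mount DIR
#     MEDIUM client that is not one of the listed Supervisor/Worker addresses
#     LOW    listed node with no export of DIR (its mount will fail)
#     INFO   no_root_squash: root on a listed client is root on the share
#   Exit status is 1 if any HIGH/MEDIUM/LOW finding exists, 0 otherwise.
exports_findings() {
    ef_file=$1; ef_dir=$2; shift 2
    ef_expected=" $* "
    ef_clients=$(exports_clients "$ef_file" "$ef_dir")
    ef_have=" $(printf '%s\n' "$ef_clients" | tr '\n' ' ')"
    ef_out=$(
        # Clients are read line by line so a literal '*' is never glob-expanded.
        printf '%s\n' "$ef_clients" | while read -r ef_c; do
            [ -n "$ef_c" ] || continue
            case $ef_c in
                *'*'*|*'?'*)
                    echo "HIGH: $ef_dir is exported to wildcard client '$ef_c'" ;;
                *)
                    case $ef_expected in
                        *" $ef_c "*) ;;
                        *) echo "MEDIUM: $ef_dir is exported to $ef_c, which is not a listed node" ;;
                    esac ;;
            esac
        done
        for ef_n in $ef_expected; do
            case $ef_have in
                *" $ef_n "*) ;;
                *) echo "LOW: listed node $ef_n has no export of $ef_dir" ;;
            esac
        done
        if awk -v dir="$ef_dir" '$1 == dir' "$ef_file" | grep -q no_root_squash; then
            echo "INFO: no_root_squash on $ef_dir; root on a listed client is root on the share"
        fi
    )
    if [ -n "$ef_out" ]; then
        printf '%s\n' "$ef_out"
    fi
    ! printf '%s\n' "$ef_out" | grep -qE '^(HIGH|MEDIUM|LOW):'
}

# Demo on a constructed exports file: two listed nodes, one wildcard entry,
# one listed node (192.0.2.12) that was never added, plus an unrelated share.
demo_exports() {
    de_file=$(mktemp)
    cat > "$de_file" <<'EOF'
/FortiSIEM 192.0.2.10(rw,sync,no_root_squash)
/FortiSIEM 192.0.2.11(rw,sync,no_root_squash)
/FortiSIEM *(rw,sync)
/backup 192.0.2.50(ro)
EOF
    exports_findings "$de_file" /FortiSIEM 192.0.2.10 192.0.2.11 192.0.2.12
    de_rc=$?
    rm -f "$de_file"
    return $de_rc
}

demo_exports || echo "exports need attention (exit $?)"
```

On the NFS server, run exports_findings /etc/exports /FortiSIEM followed by the Supervisor and Worker addresses; a clean run prints at most the INFO line about no_root_squash and exits 0.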
Related Links
- Setting Up NFS Storage in AWS
Using NFS Storage with Amazon Web Services
- Setting Up NFS Storage in AWS
- Setting Up Snapshots of EBS Volumes that Host EventDB and CMDB in AWS
Setting Up NFS Storage in AWS
Youtube Talk on NFS Architecture for AWS: Several architecture and partner options for setting up NFS storage that is highly available across availability zone failures are presented by an AWS Solutions Architect in this talk (40 min) and link to slides.
Using EBS Volumes
These instructions cover setting up EBS volumes for NFS storage. EBS volumes have a durability guarantee that is 10 times higher than traditional disk drives. This is because data in traditional disk drives is replicated within an availability zone for component failures (RAID equivalent), so adding another layer of RAID does not provide higher durability guarantees. EBS has an annual failure rate (AFR) of 0.1 to 0.5%. In order to have higher durability guarantees, it is necessary to take periodic snapshots of the volumes. Snapshots are stored in AWS S3, which has 99.999999999% durability (via synchronous replication of data across multiple data centers) and 99.99% availability. See the topic Setting Up Snapshots of EBS Volumes that Host EventDB and CMDB in AWS for more information.
Using EC2 Reserved Instances for Production
If you are running these machines in production, it is significantly cheaper to use EC2 Reserved Instances (1 or 3
year) as opposed to on-demand instances.
1. Log in to your AWS account and navigate to the EC2 dashboard.
2. Click Launch Instance.
3. Select HVM Amazon Linux AMI (HVM) 64-bit, and then click Select.
4. HVM v. PV: The reason to choose the HVM image over the default Paravirtualized (PV) image is that the HVM image automatically includes drivers to support enhanced networking, which uses SR-IOV for networking and provides higher performance (packets per second), lower latency, and lower jitter.
5. Click Compute Optimized.
   Using C3 Instances: You should select one of the C3 instances with a Network Performance rating of High, or 10Gb performance. The current generation of C3 instances run on the latest Intel Xeons that AWS provides. If you are running these machines in production, it is significantly cheaper to use EC2 Reserved Instances (1 or 3 year) as opposed to on-demand instances.
6. Click Next: Configure Instance Details.
7. Review these configuration options:
   Network and Subnet: Select the VPC you set up for your instance.
   Public IP: Clear the option Automatically assign a public IP address to your instances if you want to use VPN.
   Placement Group: A placement group is a logical grouping for your cluster instances. Placement groups have low latency, full-bisection 10Gbps bandwidth between instances. Select an existing group or create a new one.
   Shutdown Behavior: Make sure Stop is selected.
   Enable Termination Protection: Make sure Protect Against Accidental Termination is selected.
   EBS Optimized Instance: An EBS optimized instance enables dedicated throughput between Amazon EBS and Amazon EC2, providing improved performance for your EBS volumes. Note that if you select this option, additional Amazon charges may apply.
8. Click Next: Add Storage.
9. Add EBS volumes up to the capacity you need for EventDB storage.
   EventDB Storage Calculation Example: At 5000 EPS, you can calculate daily storage requirements to amount to roughly 22-30GB (300k events are 15-20MB on average in compressed format stored in EventDB). In order to have 6 months of data available for querying, you need to have 4-6TB of storage. On AWS, the maximum EBS volume is sized at 1TB. In order to have larger disks, you need to create software RAID-0 volumes. You can attach, at most, 8 volumes to an instance, which results in 8TB with RAID-0. There's no advantage in using a different RAID configuration other than RAID-0, because it does not increase durability guarantees. In order to ensure much better durability guarantees, plan on performing regular snapshots which store the data in S3 as described in Setting Up Snapshots of EBS Volumes that Host EventDB and CMDB in AWS. Since RAID-0 stripes data across these volumes, the aggregate IOPS you get will be the sum of the IOPS on individual volumes.
10. Click Next: Tag Instance.
11. Under Value, enter the Name you want to assign to all the instances you will launch, and then click Create Tag. After you complete the launch process, you will have to rename each instance to correspond to its role in your configuration, such as Supervisor, Worker1, Worker2.
12. Click Next: Configure Security Group.
13. Select Select an Existing Security Group, and then select the default security group for your VPC.
    FortiSIEM needs access to HTTPS over port 443 for GUI and API access, and access to SSH over port 22 for remote management, which are set in the default security group. This group will allow traffic between all instances within the VPC.
Limiting IP Access
Make sure you have limited the IP addresses that can access your VPC, or that you have set up VPN
access to it. VPN will block all inbound Internet traffic.
14. Click Review and Launch.
15. Review all your instance configuration information, and then click Launch.
16. Select an existing or create a new Key Pair to connect to these instances via SSH. If you use an existing key pair, make sure you have access to it. If you are creating a new key pair, download the private key and store it in a secure location accessible from the machine from where you usually connect to these AWS instances.
17. Click Launch Instances.
18. When the EC2 Dashboard reloads, check that all your instances are up and running.
19. Select the NFS server instance and click Connect.
20. Follow the instructions to SSH into the volumes as described in Configuring the Supervisor and Worker Nodes in AWS.
21. Configure the NFS mount point access to give the FortiSIEM internal IP full access.
Setting Up Snapshots of EBS Volumes that Host EventDB and CMDB in AWS
In order to have high durability guarantees for FortiSIEM data, you should periodically create EBS snapshots on an hourly, daily, or weekly basis and store them in S3. The EventDB is typically hosted as a RAID-0 volume of several EBS volumes, as described in Setting Up NFS Storage in AWS. In order to reliably snapshot these EBS volumes together, you can use a script, ec2-consistent-snapshot, to briefly freeze the volumes and create a snapshot. You can then use a second script, ec2-expire-snapshots, to schedule cron jobs to delete old snapshots that are no longer needed. CMDB is hosted on a much smaller EBS volume, and you can also use the same scripts to take snapshots of it.
You can find details of how to download these scripts and set up periodic snapshots and expiration in this blog post:
http://twigmon.blogspot.com/2013/09/installing-ec2-consistent-snapshot.html
You can download the scripts from these Github projects:
- https://github.com/alestic/ec2-consistent-snapshot
- https://github.com/alestic/ec2-expire-snapshots
FortiSIEM Windows Agent and Agent Manager Install
FortiSIEM can discover and collect performance metrics and logs from Windows Servers in an agentless fashion via WMI. However, agents are needed when there is a need to collect richer data, such as file integrity monitoring, and to collect from a large number of servers.
This section describes how to set up FortiSIEM Windows Agent and Agent Manager as part of the FortiSIEM infrastructure.
FortiSIEM Windows Agent Pre-installation Notes
- Licensing
- Hardware and Software Requirements
  - Windows Agents
  - Windows Agent Manager
- Supported versions
  - Windows Agent
  - Windows Agent Manager
- Communication Ports between Agent and Agent Manager
Licensing
When you purchase the Windows Agent Manager, you also purchase a set number of licenses that can be applied
to the Windows devices you are monitoring. After you have set up and configured Windows Agent Manager, you
can see the number of both Basic and Advanced licenses that are available and in use in your deployment by
logging into your Supervisor node and going to Admin > License Management, where you will see an entry for
Basic Windows Licenses Allowed/Used and Advanced Windows Licenses Allowed/Used. You can see
how these licenses have been applied by going to Admin > Windows Agent Health. When you are logged into
the Windows Agent Manager you can also see the number of available and assigned licenses on the Assign
Licenses to Users page. There are two types of licenses that you can associate with your Windows agent.
License Type: None
  An agent has been installed on the device, but no license is associated with it. This device will not be monitored until a license is applied to it.
License Type: Advanced
  The agent is licensed to monitor all activity on the device, including logs, installed software changes, and file/folder changes.
License Type: Basic
  The agent is licensed to monitor only logs on the device.
When applying licenses to agents, keep in mind that Advanced includes Basic, so if you have purchased a number of Advanced licenses, you could use all those licenses for the Basic purpose of monitoring logs. For example, if you have purchased a total of 10 licenses, five of which are Advanced and five of which are Basic, you could apply all 10 licenses to your devices as Basic.
Feature / License Type
Windows Security Logs: Basic
Windows Application Logs: Basic
Windows System Logs: Basic
Windows DNS Logs: Basic
Windows DHCP Logs: Basic
IIS logs: Basic
DFS logs: Basic
File Integrity Monitoring: Advanced
Installed Software Change Monitoring: Advanced
Registry Change Monitoring: Advanced
Custom file monitoring: Advanced
WMI output Monitoring: Advanced
PowerShell Output Monitoring: Advanced
Hardware and Software Requirements
Windows Agents
Component / Requirement / Notes
CPU: x86 or x64 (or compatible) at 2GHz or higher
Hard Disk: 10 GB (minimum)
Server OS: Windows XP-SP3 and above (Recommended)
Desktop OS: Windows 7/8
  Notes: Performance issues may occur due to limitations of desktop OS
RAM:
  - 1 GB for XP
  - 2+GB for Windows Vista & above / Windows Server
Installed Software:
  - Windows Agent 2.1: .NET 4.5 or higher
  - Windows Agent 2.0: .NET 4.0
  - PowerShell 2.0 or higher
  Notes: .NET Framework 4.0 can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=17718. .NET Framework 4.5 can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=30653, and is already available on Windows 8 and Windows Server 2012. You can download PowerShell from Microsoft at http://www.microsoft.com/en-us/download/details.aspx?id=4045.
Windows OS Language: English
Add Port 80 and 443 as an Exception to the Inbound Firewall Rule: If you are using a firewall, make sure to add Port 80 and 443 as an exception to the inbound firewall rule.
Windows Agent Manager
Each Manager has been tested to handle up to 1000 agents at an aggregate 7.5k events/sec.
Component / Requirement / Notes
CPU: x86 or x64 (or compatible) at 2GHz or higher
Hard Disk: 10 GB (minimum)
Server OS: Windows Server 2008 and above (Strongly recommended)
Desktop OS: Windows 7/8 (performance issues might occur)
  Notes: Performance issues may occur due to limitations of desktop OS
RAM:
  - For 64 bit OS, 4 GB for Windows 7/8 and Windows Server 2008 / 2012 is a minimum
  - For 32 bit OS, 2 GB for Windows 7 / 8 is a minimum
Installed Software:
  - .NET Framework 4.5 or higher
  - SQL Server Express or SQL Server 2012 installed using "SQL Server Authentication Mode"
  - PowerShell 2.0 or higher
  - IIS 7 or higher installed
  Notes:
  - IIS 7, 7.5: ASP .NET feature must be enabled from Application Development Role Service of IIS
  - IIS 8.0+: ASP .NET 4.5 feature must be enabled from Application Development Role Service of IIS
  - .NET Framework 4.5 can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=30653, and is already available on Windows 8 and Windows Server 2012
  - You can download PowerShell from Microsoft at http://www.microsoft.com/en-us/download/details.aspx?id=4045.
  - SQL Server Express does not have any performance degradation compared to SQL Server 2012.
Windows OS Language: English
Supported versions
Windows Agent
- Windows 7
- Windows 8
- Windows XP SP3 or above
- Windows Server 2003 (Use Windows Agent 2.0 since 2003 does not support TLS 1.2.)
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2016 R2
Windows Agent Manager
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2016 R2
Communication Ports between Agent and Agent Manager
- TCP Port 443 (V1.1 onwards) and TCP Port 80 (V1.0) on Agent Manager for receiving events from Agents.
- Ports 135, 137, 139, 445 needed for NetBIOS based communication
Installing FortiSIEM Windows Agent Manager
Prerequisites
1. Make sure that the ports needed for communication between Windows Agent and Agent Manager are open and the two systems can communicate.
2. For versions 1.1 and higher, Agent and Agent Manager communicate via HTTPS. For this reason, there is a special pre-requisite: Get your Common Name / Subject Name from IIS
   1. Logon to Windows Agent Manager
   2. Open IIS by going to Run, typing inetmgr and pressing enter
   3. Go to Default Web Site in the left pane
   4. Right click Default Web Site and select Edit Bindings.
   5. In Site Bindings dialog, check if you have https under Type column
   6. If https is available, then
      a. Select column corresponding to https and click on Edit
      b. In Edit Site Binding dialog, under SSL certificate section, click on View... button.
      c. In Certificate dialog, under General tab, note the value of Issued to. This is your Common Name / Subject Name
3. If https is not available, then you need to bind the default web site with https.
   1. Import a New certificate. This can be done in one of two ways
      a. Either create a Self Signed Certificate as follows
         i. Open IIS by going to Run, typing inetmgr and pressing enter
         ii. In the left pane, select computer name
         iii. In the right pane, double click on Server Certificates
         iv. In the Server Certificate section, click on Create Self-Signed Certificate... from the right pane
         v. In Create Self-Signed Certificate dialog, specify a friendly name for the certificate and click OK
         vi. You will see your new certificate in the Server Certificates list
      b. Or, Import a third party certificate from a certification authority.
         a. Buy the certificate (.pfx or .cer file)
         b. Install the certificate file in your server
         c. Import the certificate in IIS
         d. Go to IIS. Select Computer name and in the right pane select Server Certificates
         e. If certificate is PFX File
            i. In Server Certificates section, click on Import... in right pane
            ii. In the Import Certificate dialog, browse to pfx file and put it in Certificate file(.pfx) box
            iii. Give your pfx password and click Ok. Your certificate gets imported to IIS
         f. If certificate is CER File
            i. In Server Certificates section, click on Complete Certificate Request... in right pane
            ii. In the Complete Certificate Request dialog, browse to CER file and put it in File name section
            iii. Enter the friendly name, click Ok. Your certificate gets imported to IIS.
   2. Bind your certificate to Default Web Site
      a. Open IIS by going to Run, typing inetmgr and pressing enter
      b. Right click on Default Web Site and select Edit Bindings...
      c. In Site Bindings... dialog, click on Add..
      d. In Add Site Binding dialog, select 'https' from Type drop down menu
      e. The Host name is optional but if you want to put it, then it must be the same as the certificate's common name / Subject name
      f. Select your certificate from SSL certificate: drop down list
      g. Click OK.
   3. Your certificate is now bound to the Default Web Site.
4. Enable TLS 1.2 for Windows Agent Manager 2.0 for operating with FortiSIEM Supervisor/Worker 4.6.3 and above. By default SSL3 / TLS 1.0 is enabled in Windows Server 2008-R2. Hence, before proceeding with the server installation, please enable TLS 1.2 manually as follows.
   1. Start elevated Command Prompt (i.e., with administrative privilege)
   2. Run the following commands sequentially as shown.
      REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 00000000
      REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 00000000
   3. Restart computer
Procedure
1. On the machine where you want to install the manager, launch either the FortiSIEMServer-x86.MSI (for 32-bit
Windows) or FortiSIEMServer-x64.MSI (for 64-bit Windows) installer.
2. In the Welcome dialog , click Next.
3. In the EULA dialog, agree to the Terms and Conditions, and then click Next.
4. Specify the destination path for the installation, and then click Next.
By default the Windows Agent Manager will be installed at C:\Program Files\AccelOps\Server.
5. Specify the destination path to install the client agent installation files, and then click Next.
   By default these files will be installed at C:\AccelOps\Agent. The default location will be on the drive that has the most free storage space. This path will automatically become a shared location that you will access from the agent devices to install the agent software on them.
6. In the Database Settings dialog,
   a. Select the database instance where metrics and logs from the Windows devices will be stored.
   b. Select whether you want to use Windows authentication, otherwise provide the login credentials that are needed to access the SQL Server instance where the database is located.
   c. Enter the path where the FortiSIEM Agent Manager database will be stored. By default it is C:\AccelOps\Data.
7. Provide the path to the FortiSIEM Supervisor, Worker, or Collector that will receive information about your Windows devices. Click Next.
8. In the Administrator Settings dialog, enter username and password credentials that you will use to log in to the Windows Agent Manager.
   Both your username and password should be at least six characters long.
9. (New in Release 1.1 for HTTPS communication between Agent and Agent Manager) Enter the common name/subject name of the SSL certificate created in pre-requisite step 2.
10. Click Install.
11. When the installation completes, click Finish.
12. You can now exit the installation process, or click Close Set Up and Run FortiSIEM to log into your FortiSIEM virtual appliance.
Installing FortiSIEM Windows Agent
Prerequisites
1. Windows Agent and Agent Manager need to be able to communicate: agents need to access a path on the Agent Manager machine to install the agent software.
2. Starting with Version 1.1, there is a special requirement if you want user information appended to file/directory change events. Typically file/directory change events do not have information about the user who made the change. To get this information, you have to complete the following steps. Without them, file monitoring events will not have user information.
1. In Workgroup Environment:
a. Go to Control Panel
b. Open Administrative Tools
c. Double click on Local Security Policy
d. Expand Advanced Audit Policy configuration in the left-pane
e. Under Advanced Audit Policy, expand System Audit Policies – Local Group Policy Object
f. Under System Audit Policies – Local Group Policy Object, select Object Access
g. Double-click on Audit File System in the right-pane
h. Audit File System Properties dialog opens. In this dialog, under Policy tab, select Configure the following audit events. Under this select both Success and Failure check boxes
i. Click Apply and then OK
2. In Active Directory Domain Environment: FortiSIEM Administrator can use Group Policies to propagate
the above settings to the agent computers as follows:
a. Go to Control Panel
b. Open Administrative Tools
c. Click on Group Policy Management
d. In Group Policy Management dialog, expand Forest:<domain_name> in the left-pane
e. Under Forest:<domain_name>, expand Domains
f. Under Domains, expand <domain_name>
g. Right-click on <domain_name> and click on 'Create a GPO in this domain, and link it here...'
h. New GPO dialog appears. Enter a new name (e.g., MyGPO) in Name text box. Press OK.
i. MyGPO appears under the expanded <domain_name> in left-pane. Click on MyGPO and click
on the Scope tab in the right-pane.
j. Under Scope tab, click on Add in Security filtering section
k. Select User, Computer or Group dialog opens. In this dialog click the Object Types button.
l. Object Types dialog appears, uncheck all options and check the Computers option. Click
OK.
m. Back in the Select User, Computer or Group dialog, enter the FortiSIEM Windows Agent computer names under Enter the object name to select area. You can choose computer names by clicking the Advanced button and then in Advanced dialog clicking on the Find Now button.
n. Once the required computer name is specified, click OK and you will find the selected
computer name under Security Filtering.
o. Repeat steps (k) – (n) for all the required computers running FortiSIEM Windows Agent.
p. Right click on MyGPO in the left-pane and click on Edit.
q. Group Policy Management Editor opens. In this dialog, expand Policies under Computer
Configuration.
r. Go to Policies > Windows Settings > Security Settings > Advanced Audit Policy
Configuration > Audit Policies > Object Access > Audit File System.
s. In the Audit File System Properties dialog, under Policy tab select Configure the
following audit events. Under this, select both Success and Failure check boxes.
Installing one agent
1. Log into the machine where you want to install the agent software as an administrator.
2. Navigate to the shared location on the Windows Agent Manager machine where you installed the agent installation files in Step 5 of Installing FortiSIEM Windows Agent Manager. The default path is C:\AccelOps\Agent.
3. In the shared location, double-click on the appropriate .MSI file to begin installation. FortiSIEMAgent-x64.MSI is for the 64-bit Agent, while FortiSIEMAgent-x86.MSI is for the 32-bit Agent.
4. When the installation completes, go to Start > Administrative Tools > Services and make sure that the FortiSIEM Agent Service has a status of Started.
Installing multiple agents via Active Directory Group Policy
Multiple agents can be installed via GPO if all the computers are on the same domain.
1. Log on to Domain Controller
2. Create a separate Organizational Unit to contain all computers where FortiSIEM Windows Agent has to be installed.
a. Go to Start > Administrative Tools > Active Directory Users and Computers
b. Right click on the root Domain on the left side tree. Click New > Organizational Unit
c. Provide a Name for the newly created Organizational Unit and click OK.
d. Verify that the Organizational Unit has been created.
3. Assign computers to the new Organizational Unit.
a. Click Computers under the domain. The list of computers will be displayed on the right pane
b. Select a computer on the right pane. Right click and select Move and then select the new Organizational
Unit.
c. Click OK.
4. Create a new GPO
a. Go to Start > Administrative Tools > Group Policy Management
b. Under Domains, select the newly created Organization Unit
c. Right click on the Organization Unit and select Create and Link a GPO here...
d. Enter a Name for the new GPO and click OK.
e. Verify that the new GPO is created under the chosen Organizational Unit
f. Right click on the new GPO and click Edit. Left tree now shows Computer Configuration and User
Configuration
g. Under Computer Configuration, expand Software Settings.
h. Click New > Package. Then go to AOWinAgt folder on the network folder. Select the Agent MSI you
need - 32 bit or 64 bit. Click OK.
i. The selected MSI shows in the right pane under Group Policy Editor window
j. For Deploy Software, select Assigned and click OK.
5. Update the GPO on Domain Controller
a. Open a command prompt
b. Run gpupdate /force
6. Update GPO on Agents
a. Log on to the computer
b. Open a command prompt
c. Run gpupdate
d. Restart the computer
e. You will see FortiSIEM Windows Agent installed after restart
If you have a mix of 32-bit and 64-bit computers, you need to have two separate Organizational Units, one for 32-bit and one for 64-bit, and then assign the corresponding MSI to each.
Upgrade
• Upgrade Overview
• Migrating from 3.7.x versions to 4.2.1
• Migrating the SVN Repository to a Separate Partition on a Local Disk
• Special pre-upgrade instruction for 4.3.3
• Special pre-upgrade instruction for 4.6.1
• Enabling TLS 1.2 Patch On Old Collectors
• Upgrading to 4.6.3 for TLS 1.2
• Setting Up the Image Server for Collector Upgrades
• Upgrading a FortiSIEM Single Node Deployment
• Upgrading a FortiSIEM Cluster Deployment
• Upgrading FortiSIEM Windows Agent and Agent Manager
• Automatic OS Upgrades during Reboot
Important Post-Upgrade Procedure
After an upgrade, please clear all browser cache before accessing FortiSIEM GUI. Otherwise, browser caching
may prevent FortiSIEM GUI from working correctly.
Upgrade Overview
Note the following:
• Before upgrading FortiSIEM, you MUST read the changes in FortiSIEM licensing documented in the Licensing section.
• You must upgrade the Supervisor, Worker/s and Report server first before applying the 4.9.0 license. Apply the 4.9.0 license after the FortiSIEM cluster (Supervisor, Worker/s and Report server) upgrade.
UPGRADE REQUIREMENT
Starting with 4.5, the Supervisor requires 24GB RAM, because the Supervisor node caches device monitoring status for faster performance.
Starting with 4.6.1, Linux swap space is increased to match the physical memory size, as recommended by Linux best practices for optimal system performance. The swap size is increased automatically during the 4.6.1 upgrade, which may cause the upgrade to take a little longer than normal.
FortiSIEM SNMP Configuration
If you enabled SNMP on FortiSIEM nodes (Collectors, Workers, Supervisors), it is recommended that you keep special configurations in the snmpd.local.conf file. Do not modify the snmpd.conf file, since a FortiSIEM upgrade will wipe away any changes made in snmpd.conf. To prevent changes from being lost, copy them to the snmpd.local.conf file and then upgrade.
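The check below is an added example, not a script from the FortiSIEM guide or the product: before upgrading, it lists every directive in snmpd.conf that is not also present in snmpd.local.conf, i.e. the SNMP customizations the upgrade would wipe. It assumes the Net-SNMP file layout under /etc/snmp; the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the FortiSIEM guide: a pre-upgrade check that lists the
# directives in snmpd.conf that are NOT also present in snmpd.local.conf, i.e. the
# SNMP customizations a FortiSIEM upgrade would wipe. Default paths assume the
# Net-SNMP layout under /etc/snmp.
set -eu

# Normalize a Net-SNMP config file for comparison: drop comments and blank lines,
# collapse runs of whitespace, trim, and sort uniquely.
snmp_directives() {
  sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$1" \
    | grep -v '^$' | sort -u
}

# Print the directives of CONF that are missing from LOCAL_CONF, one per line.
# Exit status 0 when nothing would be lost, 1 when the printed lines still need
# to be copied to snmpd.local.conf before upgrading, 2 when CONF is unreadable.
# Usage: snmp_unsaved_directives [CONF] [LOCAL_CONF]
snmp_unsaved_directives() {
  conf=${1:-/etc/snmp/snmpd.conf}
  local_conf=${2:-/etc/snmp/snmpd.local.conf}
  if [ ! -f "$conf" ]; then
    echo "cannot read $conf" >&2
    return 2
  fi
  saved=$(mktemp)
  # A missing snmpd.local.conf simply means nothing has been preserved yet.
  if [ -f "$local_conf" ]; then
    snmp_directives "$local_conf" > "$saved"
  fi
  if [ -s "$saved" ]; then
    # -x: whole-line match, -F: fixed strings, -f: the already-saved directives.
    missing=$(snmp_directives "$conf" | grep -vxF -f "$saved" || true)
  else
    missing=$(snmp_directives "$conf")
  fi
  rm -f "$saved"
  if [ -n "$missing" ]; then
    printf '%s\n' "$missing"
    return 1
  fi
  return 0
}
```

Directives that ship in the stock snmpd.conf are listed too, since the script has no pristine baseline to compare against; the operator decides which of the printed lines are genuine customizations.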
Upgrading from 3.7.6 to latest
1. First upgrade to 4.2.1 following the steps in Migrating from 3.7.x versions to 4.2.1. This involves OS migration.
2. Upgrade from 4.2.1 to 4.3.1 following the steps in Migrating the SVN Repository to a Separate Partition on a Local Disk. This involves SVN migration.
3. Upgrade from 4.3.1 to 4.5.2. This is a regular upgrade (see Upgrading a FortiSIEM Single Node Deployment or Upgrading a FortiSIEM Cluster Deployment).
4. Upgrade from 4.5.2 to 4.6.3 following the steps in Upgrading to 4.6.3 for TLS 1.2. This involves the TLS 1.2 upgrade.
5. Upgrade from 4.6.3 to 4.9.0. This is a regular upgrade (see Upgrading a FortiSIEM Single Node Deployment or Upgrading a FortiSIEM Cluster Deployment).
Upgrading from 4.2.x to latest
1. Upgrade to 4.3.1 following the steps in Migrating the SVN Repository to a Separate Partition on a Local Disk. This involves SVN migration.
2. Upgrade from 4.3.1 to 4.5.2. This is a regular upgrade (see Upgrading a FortiSIEM Single Node Deployment or Upgrading a FortiSIEM Cluster Deployment).
3. Upgrade from 4.5.2 to 4.6.3 following the steps in Upgrading to 4.6.3 for TLS 1.2. This involves the TLS 1.2 upgrade.
4. Upgrade from 4.6.3 to 4.9.0. This is a regular upgrade (see Upgrading a FortiSIEM Single Node Deployment or Upgrading a FortiSIEM Cluster Deployment).
Upgrading from 4.3.1 to latest
1. Upgrade from 4.3.1 to 4.5.2. This is a regular upgrade (see Upgrading a FortiSIEM Single Node Deployment or Upgrading a FortiSIEM Cluster Deployment).
2. Upgrade from 4.5.2 to 4.6.3 following the steps in Upgrading to 4.6.3 for TLS 1.2. This involves the TLS 1.2 upgrade.
3. Upgrade from 4.6.3 to 4.9.0. This is a regular upgrade (see Upgrading a FortiSIEM Single Node Deployment or Upgrading a FortiSIEM Cluster Deployment).
Upgrading from 4.3.3 to latest
1. Do the special pre-upgrade steps in Special pre-upgrade instruction for 4.3.3.
2. Upgrade to 4.5.2. This is a regular upgrade (see Upgrading a FortiSIEM Single Node Deployment or Upgrading a FortiSIEM Cluster Deployment).
3. Upgrade from 4.5.2 to 4.6.3 following the steps in Upgrading to 4.6.3 for TLS 1.2. This involves the TLS 1.2 upgrade.
4. Upgrade from 4.6.3 to 4.9.0. This is a regular upgrade (see Upgrading a FortiSIEM Single Node Deployment or Upgrading a FortiSIEM Cluster Deployment).
Upgrading from 4.4.x, 4.5.1 to latest
1. Upgrade to 4.5.2. This is a regular upgrade (see Upgrading a FortiSIEM Single Node Deployment or Upgrading a FortiSIEM Cluster Deployment).
2. Upgrade from 4.5.2 to 4.6.3 following the steps in Upgrading to 4.6.3 for TLS 1.2. This involves the TLS 1.2 upgrade.
3. Upgrade from 4.6.3 to 4.9.0. This is a regular upgrade (see Upgrading a FortiSIEM Single Node Deployment or Upgrading a FortiSIEM Cluster Deployment).
Upgrading from 4.5.2 to latest
1. Upgrade to 4.6.3 following the steps in Upgrading to 4.6.3 for TLS 1.2. This involves the TLS 1.2 upgrade.
2. Upgrade from 4.6.3 to 4.7.1. This is a regular upgrade (see Upgrading a FortiSIEM Single Node Deployment or Upgrading a FortiSIEM Cluster Deployment).
Upgrading from 4.6.1 to latest
1. Do the special pre-upgrade steps in Special pre-upgrade instruction for 4.6.1.
2. Upgrade to 4.6.3 following the steps in Upgrading to 4.6.3 for TLS 1.2. This involves the TLS 1.2 upgrade.
3. Upgrade from 4.6.3 to 4.9.0. This is a regular upgrade (see Upgrading a FortiSIEM Single Node Deployment or Upgrading a FortiSIEM Cluster Deployment).
Upgrading from 4.6.2 to latest
1. Upgrade to 4.6.3 following the steps in Upgrading to 4.6.3 for TLS 1.2. This involves the TLS 1.2 upgrade.
2. Upgrade from 4.6.3 to 4.9.0. This is a regular upgrade (see Upgrading a FortiSIEM Single Node Deployment or Upgrading a FortiSIEM Cluster Deployment).
Upgrading from 4.6.3 to latest
1. Upgrade to 4.9.0. This is a regular upgrade (see Upgrading a FortiSIEM Single Node Deployment or Upgrading a FortiSIEM Cluster Deployment).
Upgrading Windows Agents
FortiSIEM Windows Agent Upgrade is covered in Upgrading FortiSIEM Windows Agent and Agent Manager
Migrating from 3.7.x versions to 4.2.1
The 4.2 version of FortiSIEM uses a new version of CentOS, and so upgrading to version 4.2 from previous
versions involves a migration from those versions to 4.2.x, rather than a typical upgrade. This process involves
two steps:
1. You have to migrate the 3.7.6 CMDB to a 4.2.1 CMDB on a 3.7.6 based system.
2. The migrated 4.2.1 CMDB has to be imported into a 4.2.1 system.
Topics in this section cover the migration process for supported hypervisors, both for in-place migrations and for migrations using staging systems. Using a staging system requires more hardware, but minimizes downtime and CMDB migration risk compared to the in-place method. If you decide to use the in-place method, we strongly recommend that you take snapshots for recovery.
Migrating Before Upgrading to 4.3.x
If you are running a 3.7.x version of FortiSIEM, you must first migrate from that version to version 4.2.1 before you can upgrade to version 4.3.x.
• Migrating VMware ESX-based Deployments
• Migrating AWS EC2 Deployments
• Migrating KVM-based deployments
• Migrating Collectors
Migrating VMware ESX-based Deployments
The options for migrating VMware ESX deployments depend on whether you are using NFS for storage, and whether you choose to migrate in place, by using a staging system, or by using rsync. Using a staging system requires more hardware, but minimizes downtime and CMDB migration risk compared to the in-place approach. The rsync method takes longer to complete because the event database has to be copied. If you use the in-place method, then we strongly recommend that you take snapshots of the CMDB for recovery.
Internet access is needed for the migration to succeed: a third-party library needs to access the schema website.
• Migrating an ESX Deployment with Local Storage in Place
• Migrating an ESX Local Disk-based Deployment Using an rsync Tool
• Migrating an ESX NFS-based Deployment in Place
• Migrating an ESX NFS-based Deployment via a Staging System
Migrating an ESX Deployment with Local Storage in Place
This migration process is for FortiSIEM deployment with a single virtual appliance and the CMDB data stored on
a local VMware disk, and where you intend to run a 4.2.x version on the same physical machine as the 3.7.x
version, but as a new virtual machine. This process requires these steps:
• Prerequisites
• Upgrading the 3.7.x CMDB to 4.2.1 CMDB
• Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
• Assigning the 3.7.x Supervisor's IP Address to the 4.2.1 Supervisor
• Registering Workers to the Supervisor
Prerequisites
• Contact FortiSIEM Support to reset your license
• Take a snapshot of your 3.7.x installation for recovery purposes if needed
• Make sure the 3.7.x virtual appliance has Internet access
• Download the 4.2.1 migration scripts (ao-db-migration-4.2.1.tar). You will need the Username and Password associated with your FortiSIEM license to access the scripts.
Use More Storage for Your 4.2.1 Virtual Appliance
Install the 4.2.1 virtual appliance on the same host as the 3.7.x version with a local disk that is larger than the original 3.7.x version. You will need the extra disk space for copying operations during the migration.
Upgrading the 3.7.x CMDB to 4.2.1 CMDB
1. Log in over SSH to your running 3.7.x virtual appliance as root.
2. Change the directory to /root.
3. Move or copy the migration script ao-db-migration-4.2.1.tar to /root.
4. Untar the migration script.
5. Run ls -al to check that root is the owner of the files ao-db-migration.sh and ao-db-migration-archiver.sh.
6. For each FortiSIEM Supervisor, Worker, or Collector node, stop all backend processes by running the phtools command.
phtools --stop all
7. Run the archive script to create an archive version of the CMDB, and specify the directory where it should be created.
./ao-db-migration-archiver.sh /tmp/376_archive/
8. Check that the archive files phoenixdb_migration_* and opt-migration-*.tar were successfully created in the destination directory.
9. Copy the opt-migration-*.tar file to /root.
This contains various data files outside of CMDB that will be needed to restore the upgraded CMDB.
10. Run the migration script on the 3.7.x CMDB archive you created in step 7.
The first argument is the location of the archived 3.7.x CMDB, and the second argument is the location where the migrated CMDB file will be kept.
/root/ao-db-migration.sh /tmp/376_archive/cmdb-migration-xyz /tmp/376_migration
11. Make sure the migrated files were successfully created.
12. Copy the migrated CMDB phoenixdb_migration_xyz file to the /root directory of your 4.2.1 virtual appliance.
This file will be used during the CMDB restoration process.
Removing the Local Disk from the 3.7.x Virtual Appliance
1. Log in to your vSphere client.
2. Select your 3.7.x virtual appliance and power it off.
3. Open the Hardware properties for your virtual appliance.
4. Select Hard disk 3, and then click Remove.
Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
1. Log in to your 4.2.1 virtual appliance as root.
2. Change the directory to /opt/phoenix/deployment/.
3. Run the post-ao-db-migration.sh script with the 3.7.x migration files phoenixdb_migration_xyz and opt-migration-*.tar.
./post-ao-db-migration.sh /root/phoenixdb_migration_xyz /root/opt-migration-xyz.tar
4. When the migration script completes the virtual appliance will reboot.
Adding the Local Disk to the 4.2.1 Virtual Appliance
1. Log into your vSphere client.
2. Select your 4.2.1 virtual appliance and power it off.
3. Go the Hardware settings for your virtual appliance and select Hard disk 3.
4. Click Remove.
5. Click Add.
6. For Device Type, select Hard Disk, and then click Next.
7. Select Use an existing virtual disk, and then click Next.
8. Browse to the location of the migrated virtual disk that was created by the migration script, and then click OK.
9. Power on the virtual appliance.
Assigning the 3.7.x Supervisor's IP Address to the 4.2.1 Supervisor
1. In the vSphere client, power off the 3.7.x Supervisor.
The IP Address for the 3.7.x Supervisor will be transferred to the 4.2.1 Supervisor.
2. Log in to the 3.7.x Supervisor as root over SSH.
3. Run the vami_config_net script. Your virtual appliance will reboot when the IP address change is complete.
/opt/vmware/share/vami/vami_config_net
Registering Workers to the Supervisor
1. Log in to the Supervisor as admin.
2. Go to Admin > License Management.
3. Under VA Information, click Add, and add the Worker.
4. Under Admin > Collector Health and Cloud Health, check that the health of the virtual appliances is normal.
Setting the 4.2.1 SVN Password to the 3.7.x Password
1. Log in to the 4.2.1 Supervisor as root over SSH.
2. Change the directory to /opt/phoenix/deployment/jumpbox.
3. Run the SVN password reset script ./phsetsvnpwd.sh
4. Enter the following full admin credential to reset SVN password
Organization: Super
User: admin
Password:****
Migration is now complete. Make sure all devices, user-created rules, reports, and dashboards have been migrated successfully.
Migrating an ESX Local Disk-based Deployment Using an rsync Tool
This process requires these steps:
• Overview
• Prerequisites
• Copy the 3.7.x CMDB to a 4.2.1 Virtual Appliance Using rsync
• Upgrading the 3.7.x CMDB to 4.2.1 CMDB
• Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
• Assigning the 3.7.x Supervisor's IP Address to the 4.2.1 Supervisor
• Registering Workers to the Supervisor
Overview
This migration process is for a FortiSIEM deployment with a single virtual appliance and the CMDB data stored on a local VMware disk, and where you intend to run the 4.2.1 version on a different physical machine than the 3.7.x version.
Prerequisites
• Contact FortiSIEM Support to reset your license
• Take a snapshot of your 3.7.x installation for recovery purposes if needed
• Make sure the 3.7.x virtual appliance has Internet access
• Download the 4.2.1 migration scripts (ao-db-migration-4.2.1.tar). You will need the Username and Password associated with your FortiSIEM license to access the scripts.
Copy the 3.7.x CMDB to a 4.2.1 Virtual Appliance Using rsync
Installing rsync
Before you can copy the CMDB, you need to have rsync installed on the 3.7.x virtual appliance from which you will be making the copy.
1. Log in to the 3.7.x Supervisor as root over SSH.
2. Copy CentOS-Base.repo to /etc/yum.repos.d.
cp /etc/yum.repos.d.orig/CentOS-Base.repo /etc/yum.repos.d
3. Install rsync from the yum repo.
yum install rsync
Procedure
1. Log in to the 4.2.1 virtual appliance as root.
2. Check the disk size in the remote system to make sure that there is enough space for the database to be copied
over.
3. Copy the directory /data from the 3.7.x virtual appliance to the 4.2.1 virtual appliance using the rsync tool.
rsync Command Syntax
Make sure that the trailing / is used in the final two arguments in the rsync command
rsync --progress -av root@<3.7.x_VA_ip_address>:/data/ /data/
4. After copying is complete, make sure that the size of the event database is identical to the 3.7.x system.
Upgrading the 3.7.x CMDB to 4.2.1 CMDB
1. Log in over SSH to your running 3.7.x virtual appliance as root.
2. Change the directory to /root.
3. Move or copy the migration script ao-db-migration-4.2.1.tar to /root.
4. Untar the migration script.
5. Run ls -al to check that root is the owner of the files ao-db-migration.sh and ao-db-migration-archiver.sh.
6. For each FortiSIEM Supervisor, Worker, or Collector node, stop all backend processes by running
the phtools command.
phtools --stop all
7. Run the archive script to create an archive version of the CMDB, and specify the directory where it should be
created.
./ao-db-migration-archiver.sh /tmp/376_archive/
8. Check the that archive files phoenixdb_migration_* and opt-migration-*.tar were successfully
created in the destination directory.
9. Copy the opt-migration-*.tar file to /root.
This contains various data files outside of CMDB that will be needed to restore the upgraded CMDB.
10. Run the migration script on the 3.7.x CMDB archive you created in step 7.
The first argument is the location of the archived 3.7.x CMDB, and the second argument is the location where the migrated CMDB file will be kept.
/root/ao-db-migration.sh /tmp/376_archive/cmdb-migration-xyz /tmp/376_migration
11. Make sure the migrated files were successfully created.
12. Copy the migrated CMDB phoenixdb_migration_xyz file to the /root directory of your 4.2.1 virtual
appliance
This file will be used during the CMDB restoration process.
Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
1. Log in to your 4.2.1 virtual appliance as root.
2. Change the directory to /opt/phoenix/deployment/.
3. Run the post-ao-db-migration.sh script with the 3.7.x migration files phoenixdb_migration_xyz and opt-migration-*.tar.
./post-ao-db-migration.sh /root/phoenixdb_migration_xyz /root/opt-migration-xyz.tar
4. When the migration script completes the virtual appliance will reboot.
Assigning the 3.7.x Supervisor's IP Address to the 4.2.1 Supervisor
1. In the vSphere client, power off the 3.7.x Supervisor.
The IP Address for the 3.7.x Supervisor will be transferred to the 4.2.1 Supervisor.
2. Log in to the 3.7.x Supervisor as root over SSH.
3. Run the vami_config_net script.
Your virtual appliance will reboot when the IP address change is complete.
/opt/vmware/share/vami/vami_config_net
Registering Workers to the Supervisor
1. Log in to the Supervisor as admin.
2. Go to Admin > License Management.
3. Under VA Information, click Add, and add the Worker.
4. Under Admin > Collector Health and Cloud Health, check that the health of the virtual appliances is normal.
Setting the 4.2.1 SVN Password to the 3.7.x Password
1. Log in to the 4.2.1 Supervisor as root over SSH.
2. Change the directory to /opt/phoenix/deployment/jumpbox.
3. Run the SVN password reset script ./phsetsvnpwd.sh
4. Enter the following full admin credential to reset SVN password
Organization: Super
User: admin
Password:****
Migration is now complete. Make sure all devices, user-created rules, reports, and dashboards have been migrated successfully.
Migrating an ESX NFS-based Deployment in Place
The steps for this process are:
• Overview
• Prerequisites
• Upgrading the 3.7.x CMDB to 4.2.1 CMDB
• Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
• Mounting the NFS Storage on Supervisors and Workers
• Assigning the 3.7.x Supervisor's IP Address to the 4.2.1 Supervisor
• Registering Workers to the Supervisor
Overview
In this migration method, the production FortiSIEM systems are upgraded in place, meaning that the production 3.7.x virtual appliance is stopped and used for migrating the CMDB to the 4.2.1 virtual appliance. The advantage of this approach is that no extra hardware is needed, while the disadvantage is extended downtime during the CMDB archive and upgrade process. During this downtime events are not lost but are buffered at the collector. However, incidents are not triggered while events are buffered. Prior to the CMDB upgrade process, you might want to take a snapshot of the CMDB to use as a backup if needed.
Prerequisites
• Contact FortiSIEM Support to reset your license
• Take a snapshot of your 3.7.x installation for recovery purposes if needed
• Make sure the 3.7.x virtual appliance has Internet access
• Download the 4.2.1 migration scripts (ao-db-migration-4.2.1.tar). You will need the Username and Password associated with your FortiSIEM license to access the scripts.
Upgrading the 3.7.x CMDB to 4.2.1 CMDB
1. Log in over SSH to your running 3.7.x virtual appliance as root.
2. Change the directory to /root.
3. Move or copy the migration script ao-db-migration-4.2.1.tar to /root.
4. Untar the migration script.
5. Run ls -al to check that root is the owner of the files ao-db-migration.sh and ao-db-migration-archiver.sh.
6. For each FortiSIEM Supervisor, Worker, or Collector node, stop all backend processes by running
the phtools command.
phtools --stop all
7. Run the archive script to create an archive version of the CMDB, and specify the directory where it should be
created.
./ao-db-migration-archiver.sh /tmp/376_archive/
8. Check the that archive files phoenixdb_migration_* and opt-migration-*.tar were successfully
created in the destination directory.
9. Copy the opt-migration-*.tar file to /root.
This contains various data files outside of CMDB that will be needed to restore the upgraded CMDB.
10. Run the migration script on the 3.7.x CMDB archive you created in step 7.
The first argument is the location of the archived 3.7.x CMDB, and the second argument is the location where the migrated CMDB file will be kept.
/root/ao-db-migration.sh /tmp/376_archive/cmdb-migration-xyz /tmp/376_migration
11. Make sure the migrated files were successfully created.
12. Copy the migrated CMDB phoenixdb_migration_xyz file to the /root directory of your 4.2.1 virtual
appliance
This file will be used during the CMDB restoration process.
Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
1. Log in to your 4.2.1 virtual appliance as root.
2. Change the directory to /opt/phoenix/deployment/.
3. Run the post-ao-db-migration.sh script with the 3.7.x migration files phoenixdb_migration_xyz and opt-migration-*.tar.
./post-ao-db-migration.sh /root/phoenixdb_migration_xyz /root/opt-migration-xyz.tar
4. When the migration script completes the virtual appliance will reboot.
Mounting the NFS Storage on Supervisors and Workers
Follow this process for each Supervisor and Worker in your deployment.
1. Log in to your virtual appliance as root over SSH.
2. Run the mount command to check the mount location.
3. Stop all FortiSIEM processes.
service crond stop
phtools --stop all
killall -9 phMonitor
su - admin
/opt/glassfish/bin/asadmin stop-domain
exit
service postgresql-9.1 stop
service httpd stop
4. Unmount 4.2.1 NFS storage location.
umount /data
5. Mount back to the 3.7.x NFS storage location.
Usage: mount -t nfs -o nfsvers=3 <NFS_Server_IP>:<Mount_Path> /data
ex: mount -t nfs -o nfsvers=3 192.168.67.168:/data/mig/SP61_376 /data
6. Verify mount location on the Supervisor or Workers.
7. Change to the 3.7.x mount path location in the /etc/fstab file on the Supervisor or Workers.
8. Reboot the Supervisor or Worker.
Assigning the 3.7.x Supervisor's IP Address to the 4.2.1 Supervisor
1. In the vSphere client, power off the 3.7.x Supervisor.
The IP Address for the 3.7.x Supervisor will be transferred to the 4.2.1 Supervisor.
2. Log in to the 3.7.x Supervisor as root over SSH.
3. Run the vami_config_net script. Your virtual appliance will reboot when the IP address change is complete.
/opt/vmware/share/vami/vami_config_net
Registering Workers to the Supervisor
1. Log in to the Supervisor as admin.
2. Go to Admin > License Management.
3. Under VA Information, click Add, and add the Worker.
4. Under Admin > Collector Health and Cloud Health, check that the health of the virtual appliances is normal.
Setting the 4.2.1 SVN Password to the 3.7.x Password
1. Log in to the 4.2.1 Supervisor as root over SSH.
2. Change the directory to /opt/phoenix/deployment/jumpbox.
3. Run the SVN password reset script ./phsetsvnpwd.sh
4. Enter the following full admin credential to reset SVN password
Organization: Super
User: admin
Password:****
Migration is now complete. Make sure all devices, user-created rules, reports, and dashboards have been migrated successfully.
Migrating an ESX NFS-based Deployment via a Staging System
The steps in this process are:
• Overview
• Prerequisites
• Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
• Mounting the NFS Storage on Supervisors and Workers
• Assigning the 3.7.x Supervisor's IP Address to the 4.2.1 Supervisor
• Registering Workers to the Supervisor
Overview
In this migration method, the production 3.7.x FortiSIEM systems are left untouched. A separate mirror image 3.7.x system is first created, and then upgraded to 4.2.1. The NFS storage is mounted to the upgraded 4.2.1 system, and the collectors are redirected to the upgraded 4.2.1 system. The upgraded 4.2.1 system now becomes the production system, while the old 3.7.6 system can be decommissioned. The collectors can then be upgraded one by one. The advantages of this method are minimal downtime in which incidents aren't triggered, and no upgrade risk. If for some reason the upgrade fails, it can be aborted without any risk to your production CMDB data. The disadvantages of this method are the hardware required to set up the mirror 3.7.x system, and the longer time to complete the upgrade because of the time needed to set up the mirror system.
Prerequisites
• Contact FortiSIEM Support to reset your license
• Take a snapshot of your 3.7.x installation for recovery purposes if needed
• Make sure the 3.7.x virtual appliance has Internet access
• Download the 4.2.1 migration scripts (ao-db-migration-4.2.1.tar). You will need the Username and Password associated with your FortiSIEM license to access the scripts.
Create the 3.7.x CMDB Archive
1. Log in to your running 3.7.x production AccelOps virtual appliance as root.
2. Change the directory to /root.
3. Copy the migration script ao-db-migration-4.2.1.tar to the /root directory.
4. Untar the migration script.
5. Make sure that the owner of ao-db-migration.sh and ao-db-migration-archiver.sh files is root.
6. Run the archive script, specifying the directory where you want the archive file to be created.
./ao-db-migration-archiver.sh /tmp/376_archive/
7. Check that the archived files were successfully created in the destination directory.
You should see two files: cmdb-migration-*.tar, which will be used to migrate the 3.7.x CMDB, and opt-migration-*.tar, which contains files stored outside of the CMDB that will be needed to restore the upgraded CMDB to your new 4.2.1 virtual appliance.
8. Copy the cmdb-migration-*.tar file to the 3.7.x staging Supervisor, using the same directory name you used in Step 6.
9. Copy the opt-migration-*.tar file to the /root directory of the 4.2.1 Supervisor.
FortiSIEM 4.9.0 User Guide
Fortinet Technologies Inc.
123
Upgrade
Installing/Upgrading FortiSIEM
Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
1. Log in to your 4.2.1 virtual appliance as root.
2. Change the directory to /opt/phoenix/deployment/.
3. Run the post-ao-db-migration.sh script with the 3.7.x migration files phoenixdb_migration_xyz and
opt-migration-*.tar.
./post-ao-db-migration.sh /root/phoenixdb_migration_xyz /root/opt-migration-xyz.tar
4. When the migration script completes the virtual appliance will reboot.
Mounting the NFS Storage on Supervisors and Workers
Follow this process for each Supervisor and Worker in your deployment.
1. Log in to your virtual appliance as root over SSH.
2. Run the mount command to check the mount location.
3. Stop all FortiSIEM processes.
service crond stop
phtools --stop all
killall -9 phMonitor
su - admin
/opt/glassfish/bin/asadmin stop-domain
exit
service postgresql-9.1 stop
service httpd stop
4. Unmount the 4.2.1 NFS storage location.
umount /data
5. Mount the 3.7.x NFS storage location back on /data.
Usage: mount -t nfs -o nfsvers=3 <NFS_Server_IP>:<Mount_Path> /data
ex: mount -t nfs -o nfsvers=3 192.168.67.168:/data/mig/SP61_376 /data
6. Verify the mount location on the Supervisor or Workers.
7. Change the mount path in the /etc/fstab file on the Supervisor or Workers to the 3.7.x location.
8. Reboot the Supervisor or Worker.
Assigning the 3.7.x Supervisor's IP Address to the 4.2.1 Supervisor
1. In the vSphere client, power off the 3.7.x Supervisor.
The IP Address for the 3.7.x Supervisor will be transferred to the 4.2.1 Supervisor.
2. Log in to the 3.7.x Supervisor as root over SSH.
3. Run the vami_config_net script.
Your virtual appliance will reboot when the IP address change is complete.
/opt/vmware/share/vami/vami_config_net
Registering Workers to the Supervisor
1. Log in to the Supervisor as admin.
2. Go to Admin > License Management.
3. Under VA Information, click Add, and add the Worker.
4. Under Admin > Collector Health and Cloud Health, check that the health of the virtual appliances is normal.
Setting the 4.2.1 SVN Password to the 3.7.x Password
1. Log in to the 4.2.1 Supervisor as root over SSH.
2. Change the directory to /opt/phoenix/deployment/jumpbox.
3. Run the SVN password reset script: ./phsetsvnpwd.sh
4. Enter the following full admin credentials to reset the SVN password:
Organization: Super
User: admin
Password: ****
Migration is now complete. Make sure all devices, user-created rules, reports, and dashboards have been
migrated successfully.
Migrating AWS EC2 Deployments
This section covers migrating FortiSIEM AWS EC2 based Virtual Appliances from 3.7.x to 4.2.1. Since FortiSIEM
4.2.1 has a new CentOS version, the procedure is unlike a regular upgrade (say from 3.7.5 to 3.7.6): certain
special procedures have to be followed.
Very broadly, the 3.7.6 CMDB has to first be migrated to a 4.2.1 CMDB on a 3.7.6 based system, and then the
migrated 4.2.1 CMDB has to be imported into a 4.2.1 system.
There are 4 choices, based on:
- whether the deployment is NFS-based or single virtual appliance based
- whether the in-place or staging based method is chosen for data migration
The various methods are explained later, but stated simply, the staging approach takes more hardware but
minimizes downtime and CMDB migration risk compared to the in-place approach.
If the in-place method is to be deployed, then taking a snapshot is highly recommended for recovery purposes.
Note: Internet access is needed for the migration to succeed. A third party library needs to access the
schema website referenced by the following faces-config declaration:
<faces-config xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cdk="http://jboss.org/schema/richfaces/cdk/extensions"
version="2.0" metadata-complete="false"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-facesconfig_2_0.xsd">
- Migrating an AWS EC2 Local Disk-based Deployment
- Migrating an AWS EC2 NFS-based Deployment in Place
- Migrating an AWS EC2 NFS-based Deployment via a Staging System
Migrating an AWS EC2 Local Disk-based Deployment
- Overview
- Prerequisites
- Upgrading the 3.7.x CMDB to 4.2.1 CMDB
- Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
- Change Local Volumes for Your AWS Instances
- Change the IP Addresses Associated with Your Virtual Appliances
- Registering Workers to the Supervisor
- Setting the 4.2.1 SVN Password to the 3.7.x Password
Overview
This migration process is for a FortiSIEM deployment with a single virtual appliance and the CMDB data stored on
a local AWS volume, and where you intend to run a 4.2.x version on the same physical machine as the 3.7.x
version, but as a new virtual machine.
Prerequisites
- Contact FortiSIEM Support to reset your license
- Take a snapshot of your 3.7.x installation for recovery purposes if needed
- Make sure the 3.7.x virtual appliance has Internet access
- Download the 4.2.1 migration scripts (ao-db-migration-4.2.1.tar). You will need the Username and Password
  associated with your FortiSIEM license to access the scripts.
Upgrading the 3.7.x CMDB to 4.2.1 CMDB
1. Log in over SSH to your running 3.7.x virtual appliance as root.
2. Change the directory to /root.
3. Move or copy the migration script ao-db-migration-4.2.1.tar to /root.
4. Untar the migration script.
5. Run ls -al to check that root is the owner of the files ao-db-migration.sh and ao-db-migration-archiver.sh.
6. For each FortiSIEM Supervisor, Worker, or Collector node, stop all backend processes by running
the phtools command.
phtools --stop all
7. Run the archive script to create an archive version of the CMDB, and specify the directory where it should be
created.
./ao-db-migration-archiver.sh /tmp/376_archive/
8. Check that the archive files phoenixdb_migration_* and opt-migration-*.tar were successfully
created in the destination directory.
9. Copy the opt-migration-*.tar file to /root.
This contains various data files outside of CMDB that will be needed to restore the upgraded CMDB.
10. Run the migration script on the 3.7.x CMDB archive you created in step 7.
The first argument is the location of the archived 3.7.x CMDB, and the second argument is the location where the
migrated CMDB file will be kept.
/root/ao-db-migration.sh /tmp/376_archive/cmdb-migration-xyz /tmp/376_migration
11. Make sure the migrated files were successfully created.
12. Copy the migrated CMDB phoenixdb_migration_xyz file to the /root directory of your 4.2.1 virtual
appliance.
This file will be used during the CMDB restoration process.
Log in to the AWS EC2 dashboard and stop your 3.7.x virtual appliance.
Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
1. Log in to your 4.2.1 virtual appliance as root.
2. Change the directory to /opt/phoenix/deployment/.
3. Run the post-ao-db-migration.sh script with the 3.7.x migration files phoenixdb_migration_xyz and
opt-migration-*.tar.
./post-ao-db-migration.sh /root/phoenixdb_migration_xyz /root/opt-migration-xyz.tar
4. When the migration script completes the virtual appliance will reboot.
Change Local Volumes for Your AWS Instances
1. Log in to AWS EC2 dashboard and power off your 4.2.1 virtual appliance.
2. In the Volumes table, find your production 3.7.x volume and tag it so you can identify it later, while also making a
note of its ID.
For instance, 3.7.x_data_volume.
3. Detach the volume.
4. In the Volumes tab, find your 4.2.1 volume, and Detach it.
5. Attach your 3.7.x volume to your 4.2.1 virtual appliance.
4.2.1 Volume Device Name: make sure the Device name for your 4.2.1 volume is /dev/xvdf.
6. Power on your 4.2.1 virtual appliance.
7. Stop all back-end processes and change the SVN URL and Server IP address in the database by running these
commands.
phtools --stop all
psql -U phoenix -d phoenixdb -c "update ph_sys_conf set value='https://<4.2.1-Private-IP-address>/repos/cmdb' where property='svn_url'"
psql -U phoenix -d phoenixdb -c "update ph_sys_server set ip_addr='<4.2.1-Private-IP-address>' where id='1'"
Change the IP Addresses Associated with Your Virtual Appliances
1. Log in to the AWS EC2 dashboard.
2. Click Elastic IPs, and then select the public IP associated with your 4.2.1 virtual appliance.
3. Click Disassociate Address, and then Yes, Disassociate.
4. In Elastic IPs, select the IP address associated with your 3.7.x virtual appliance.
5. Click Disassociate Address, and then Yes, Disassociate.
6. In Elastic IPs, select the production public IP of your 3.7.x virtual appliance, and click Associate Address to
associate it with your 4.2.1 virtual appliance. The virtual appliance will reboot automatically after the IP address is changed.
Registering Workers to the Supervisor
1. Log in to the Supervisor as admin.
2. Go to Admin > License Management.
3. Under VA Information, click Add, and add the Worker.
4. Under Admin > Collector Health and Cloud Health, check that the health of the virtual appliances is normal.
Setting the 4.2.1 SVN Password to the 3.7.x Password
1. Log in to the 4.2.1 Supervisor as root over SSH.
2. Change the directory to /opt/phoenix/deployment/jumpbox.
3. Run the SVN password reset script: ./phsetsvnpwd.sh
4. Enter the following full admin credentials to reset the SVN password:
Organization: Super
User: admin
Password: ****
Migration is now complete. Make sure all devices, user-created rules, reports, and dashboards have been
migrated successfully.
Migrating an AWS EC2 NFS-based Deployment in Place
The steps for this process are:
- Overview
- Prerequisites
- Upgrading the 3.7.x CMDB to 4.2.1 CMDB
- Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
- Mounting the NFS Storage on Supervisors and Workers
- Change the SVN URL and Server IP Address
- Change the IP Addresses Associated with Your Virtual Appliances
- Registering Workers to the Supervisor
- Setting the 4.2.1 SVN Password to the 3.7.x Password
Overview
In this migration method, the production FortiSIEM systems are upgraded in place, meaning that the production
3.7.x virtual appliance is stopped and used for migrating the CMDB to the 4.2.1 virtual appliance. The advantage
of this approach is that no extra hardware is needed, while the disadvantage is extended downtime during
the CMDB archive and upgrade process. During this downtime events are not lost but are buffered at the
collector. However, incidents are not triggered while events are buffered. Prior to the CMDB upgrade process, you
might want to take a snapshot of the CMDB to use as a backup if needed.
Prerequisites
- Contact FortiSIEM Support to reset your license
- Take a snapshot of your 3.7.x installation for recovery purposes if needed
- Make sure the 3.7.x virtual appliance has Internet access
- Download the 4.2.1 migration scripts (ao-db-migration-4.2.1.tar). You will need the Username and Password
  associated with your FortiSIEM license to access the scripts.
Upgrading the 3.7.x CMDB to 4.2.1 CMDB
1. Log in over SSH to your running 3.7.x virtual appliance as root.
2. Change the directory to /root.
3. Move or copy the migration script ao-db-migration-4.2.1.tar to /root.
4. Untar the migration script.
5. Run ls -al to check that root is the owner of the files ao-db-migration.sh and ao-db-migration-archiver.sh.
6. For each FortiSIEM Supervisor, Worker, or Collector node, stop all backend processes by running
the phtools command.
phtools --stop all
7. Run the archive script to create an archive version of the CMDB, and specify the directory where it should be
created.
./ao-db-migration-archiver.sh /tmp/376_archive/
8. Check that the archive files phoenixdb_migration_* and opt-migration-*.tar were successfully
created in the destination directory.
9. Copy the opt-migration-*.tar file to /root.
This contains various data files outside of CMDB that will be needed to restore the upgraded CMDB.
10. Run the migration script on the 3.7.x CMDB archive you created in step 7.
The first argument is the location of the archived 3.7.x CMDB, and the second argument is the location where the
migrated CMDB file will be kept.
/root/ao-db-migration.sh /tmp/376_archive/cmdb-migration-xyz /tmp/376_migration
11. Make sure the migrated files were successfully created.
12. Copy the migrated CMDB phoenixdb_migration_xyz file to the /root directory of your 4.2.1 virtual
appliance.
This file will be used during the CMDB restoration process.
Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
1. Log in to your 4.2.1 virtual appliance as root.
2. Change the directory to /opt/phoenix/deployment/.
3. Run the post-ao-db-migration.sh script with the 3.7.x migration files phoenixdb_migration_xyz and
opt-migration-*.tar.
./post-ao-db-migration.sh /root/phoenixdb_migration_xyz /root/opt-migration-xyz.tar
4. When the migration script completes the virtual appliance will reboot.
Mounting the NFS Storage on Supervisors and Workers
Follow this process for each Supervisor and Worker in your deployment.
1. Log in to your virtual appliance as root over SSH.
2. Run the mount command to check the mount location.
3. Stop all FortiSIEM processes.
service crond stop
phtools --stop all
killall -9 phMonitor
su - admin
/opt/glassfish/bin/asadmin stop-domain
exit
service postgresql-9.1 stop
service httpd stop
4. Unmount the 4.2.1 NFS storage location.
umount /data
5. Mount the 3.7.x NFS storage location back on /data.
Usage: mount -t nfs -o nfsvers=3 <NFS_Server_IP>:<Mount_Path> /data
ex: mount -t nfs -o nfsvers=3 192.168.67.168:/data/mig/SP61_376 /data
6. Verify the mount location on the Supervisor or Workers.
7. Change the mount path in the /etc/fstab file on the Supervisor or Workers to the 3.7.x location.
8. Reboot the Supervisor or Worker.
Change the SVN URL and Server IP Address
Run these commands.
phtools --stop all
psql -U phoenix -d phoenixdb -c "update ph_sys_conf set value='https://<4.2.1-Private-IP-address>/repos/cmdb' where property='svn_url'"
psql -U phoenix -d phoenixdb -c "update ph_sys_server set ip_addr='<4.2.1-Private-IP-address>' where id='1'"
Change the IP Addresses Associated with Your Virtual Appliances
1. Log in to the AWS EC2 dashboard.
2. Click Elastic IPs, and then select the public IP associated with your 4.2.1 virtual appliance.
3. Click Disassociate Address, and then Yes, Disassociate.
4. In Elastic IPs, select the IP address associated with your 3.7.x virtual appliance.
5. Click Disassociate Address, and then Yes, Disassociate.
6. In Elastic IPs, select the production public IP of your 3.7.x virtual appliance, and click Associate Address to
associate it with your 4.2.1 virtual appliance. The virtual appliance will reboot automatically after the IP address is changed.
Registering Workers to the Supervisor
1. Log in to the Supervisor as admin.
2. Go to Admin > License Management.
3. Under VA Information, click Add, and add the Worker.
4. Under Admin > Collector Health and Cloud Health, check that the health of the virtual appliances is normal.
Setting the 4.2.1 SVN Password to the 3.7.x Password
1. Log in to the 4.2.1 Supervisor as root over SSH.
2. Change the directory to /opt/phoenix/deployment/jumpbox.
3. Run the SVN password reset script: ./phsetsvnpwd.sh
4. Enter the following full admin credentials to reset the SVN password:
Organization: Super
User: admin
Password: ****
Migration is now complete. Make sure all devices, user-created rules, reports, and dashboards have been
migrated successfully.
Migrating an AWS EC2 NFS-based Deployment via a Staging System
- Overview
- Prerequisites
- Create the 3.7.x CMDB Archive
- Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
- Mounting the NFS Storage on Supervisors and Workers
- Change the IP Addresses Associated with Your Virtual Appliances
- Registering Workers to the Supervisor
- Setting the 4.2.1 SVN Password to the 3.7.x Password
Overview
In this migration method, the production 3.7.x FortiSIEM systems are left untouched. A separate mirror image
3.7.x system is first created, and then upgraded to 4.2.1. The NFS storage is mounted to the upgraded 4.2.1
system, and the collectors are redirected to the upgraded 4.2.1 system. The upgraded 4.2.1 system now
becomes the production system, while the old 3.7.6 system can be decommissioned. The collectors can then be
upgraded one by one. The advantages of this method are minimal downtime in which incidents aren't triggered,
and no upgrade risk: if for some reason the upgrade fails, it can be aborted without any risk to your production
CMDB data. The disadvantages of this method are the requirement for hardware to set up the mirror 3.7.x
system, and the longer time to complete the upgrade because of the time needed to set up the mirror system.
Prerequisites
- Contact FortiSIEM Support to reset your license
- Take a snapshot of your 3.7.x installation for recovery purposes if needed
- Make sure the 3.7.x virtual appliance has Internet access
- Download the 4.2.1 migration scripts (ao-db-migration-4.2.1.tar). You will need the Username and Password
  associated with your FortiSIEM license to access the scripts.
Create the 3.7.x CMDB Archive
1. Log in to your running 3.7.x production AccelOp virtual appliance as root.
2. Change the directory to /root.
3. Copy the migration script ao-db-migration-4.2.1.tar to the /root directory.
4. Untar the migration script.
5. Make sure that the owner of ao-db-migration.sh and ao-db-migration-archiver.sh files is root.
6. Run the archive script, specifying the directory where you want the archive file to be created.
./ao-db-migration-archiver.sh /tmp/376_archive/
7. Check that the archived files were successfully created in the destination directory.
You should see two files: cmdb-migration-*.tar, which will be used to migrate the 3.7.x CMDB, and
opt-migration-*.tar, which contains files stored outside of CMDB that will be needed to restore the upgraded
CMDB to your new 4.2.1 virtual appliance.
8. Copy the cmdb-migration-*.tar file to the 3.7.x staging Supervisor, using the same directory name you
used in Step 6.
9. Copy the opt-migration-*.tar file to the /root directory of the 4.2.1 Supervisor.
Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
1. Log in to your 4.2.1 virtual appliance as root.
2. Change the directory to /opt/phoenix/deployment/.
3. Run the post-ao-db-migration.sh script with the 3.7.x migration files phoenixdb_migration_xyz and
opt-migration-*.tar.
./post-ao-db-migration.sh /root/phoenixdb_migration_xyz /root/opt-migration-xyz.tar
4. When the migration script completes the virtual appliance will reboot.
Mounting the NFS Storage on Supervisors and Workers
Follow this process for each Supervisor and Worker in your deployment.
1. Log in to your virtual appliance as root over SSH.
2. Run the mount command to check the mount location.
3. Stop all FortiSIEM processes.
service crond stop
phtools --stop all
killall -9 phMonitor
su - admin
/opt/glassfish/bin/asadmin stop-domain
exit
service postgresql-9.1 stop
service httpd stop
4. Unmount the 4.2.1 NFS storage location.
umount /data
5. Mount the 3.7.x NFS storage location back on /data.
Usage: mount -t nfs -o nfsvers=3 <NFS_Server_IP>:<Mount_Path> /data
ex: mount -t nfs -o nfsvers=3 192.168.67.168:/data/mig/SP61_376 /data
6. Verify the mount location on the Supervisor or Workers.
7. Change the mount path in the /etc/fstab file on the Supervisor or Workers to the 3.7.x location.
8. Reboot the Supervisor or Worker.
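The remount procedure above (steps 4 through 7) is the same in every NFS-based migration method in this chapter. The following helper functions are an added example, not part of the FortiSIEM guide: they build the 3.7.x /etc/fstab entry, rewrite an existing /data entry in fstab text, and check mount output for the expected export, so the change can be rehearsed on text before it is applied on a live Supervisor or Worker. The export 192.168.67.168:/data/mig/SP61_376 is the guide's own example; the 10.0.0.5 export standing in for the 4.2.1 storage is a constructed placeholder.

```shell
#!/bin/sh
# Added example for the NFS remount steps; not part of the FortiSIEM guide.
# The functions work on text passed to them (fstab contents, `mount` or
# /proc/mounts output) so they can be checked before touching a live appliance.

# Build the /etc/fstab line that makes the 3.7.x NFS export persistent on /data
# (step 7), using the same options as the guide's manual mount command.
# Arguments: NFS server IP, export path.
fstab_line() {
    printf '%s:%s /data nfs nfsvers=3 0 0\n' "$1" "$2"
}

# Rewrite the /data NFS entry in fstab text read from stdin so it points at the
# 3.7.x export; every other line is printed unchanged. Arguments: server, path.
rewrite_fstab() {
    awk -v new="$(fstab_line "$1" "$2")" '
        $2 == "/data" && $3 == "nfs" { print new; next }
        { print }
    '
}

# Check the current /data mount (step 6). Reads `mount` output or /proc/mounts
# from stdin and prints "ok" when /data is mounted from the expected export,
# "mismatch" when it is mounted from somewhere else (for instance the 4.2.1
# export that was never unmounted), or "not-mounted". Arguments: server, path.
check_data_mount() {
    awk -v want="$1:$2" '
        # `mount` prints "src on /mnt type fs (opts)"; /proc/mounts prints
        # "src /mnt fs opts 0 0". Pick the mount point field for either layout.
        { mp = ($2 == "on") ? $3 : $2 }
        mp == "/data" { found = 1; if ($1 == want) ok = 1 }
        END {
            if (!found) print "not-mounted"
            else if (ok) print "ok"
            else print "mismatch"
        }
    '
}

# Steps 4 and 5 as one function for use on the appliance itself (requires root;
# not exercised in the demo below). Arguments: server, path.
remount_data() {
    umount /data
    mount -t nfs -o nfsvers=3 "$1:$2" /data
}

# Demonstration on constructed input (the 10.0.0.5 export is a placeholder).
demo() {
    server=192.168.67.168
    export_path=/data/mig/SP61_376
    printf 'fstab after rewrite:\n'
    printf '/dev/sda1 / ext4 defaults 1 1\n10.0.0.5:/exports/fsm421 /data nfs nfsvers=3 0 0\n' |
        rewrite_fstab "$server" "$export_path"
    printf 'mount check (still on the 4.2.1 export): '
    printf '10.0.0.5:/exports/fsm421 on /data type nfs (rw,nfsvers=3)\n' |
        check_data_mount "$server" "$export_path"
    printf 'mount check (3.7.x export): '
    printf '%s:%s on /data type nfs (rw,nfsvers=3)\n' "$server" "$export_path" |
        check_data_mount "$server" "$export_path"
}
demo
```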
Change the IP Addresses Associated with Your Virtual Appliances
1. Log in to the AWS EC2 dashboard.
2. Click Elastic IPs, and then select the public IP associated with your 4.2.1 virtual appliance.
3. Click Disassociate Address, and then Yes, Disassociate.
4. In Elastic IPs, select the IP address associated with your 3.7.x virtual appliance.
5. Click Disassociate Address, and then Yes, Disassociate.
6. In Elastic IPs, select the production public IP of your 3.7.x virtual appliance, and click Associate Address to
associate it with your 4.2.1 virtual appliance. The virtual appliance will reboot automatically after the IP address is changed.
Registering Workers to the Supervisor
1. Log in to the Supervisor as admin.
2. Go to Admin > License Management.
3. Under VA Information, click Add, and add the Worker.
4. Under Admin > Collector Health and Cloud Health, check that the health of the virtual appliances is normal.
Setting the 4.2.1 SVN Password to the 3.7.x Password
1. Log in to the 4.2.1 Supervisor as root over SSH.
2. Change the directory to /opt/phoenix/deployment/jumpbox.
3. Run the SVN password reset script: ./phsetsvnpwd.sh
4. Enter the following full admin credentials to reset the SVN password:
Organization: Super
User: admin
Password: ****
Migration is now complete. Make sure all devices, user-created rules, reports, and dashboards have been
migrated successfully.
Migrating KVM-based deployments
This section covers migrating FortiSIEM KVM based Virtual Appliances from 3.7.x to 4.2.1. Since FortiSIEM 4.2.1
has a new CentOS version, the procedure is unlike a regular upgrade (say from 3.7.5 to 3.7.6): certain special
procedures have to be followed.
Very broadly, the 3.7.6 CMDB has to first be migrated to a 4.2.1 CMDB on a 3.7.6 based system, and then the
migrated 4.2.1 CMDB has to be imported into a 4.2.1 system.
There are 4 choices, based on:
- whether the deployment is NFS-based or single virtual appliance based
- whether the in-place, staging, or rsync based method is chosen for data migration
The various methods are explained later, but stated simply:
- the staging approach takes more hardware but minimizes downtime and CMDB migration risk compared to the
  in-place approach
- the rsync method takes longer to finish, as the event database has to be copied
If the in-place method is to be deployed, then taking a snapshot is highly recommended for recovery purposes.
Note: Internet access is needed for the migration to succeed. A third party library needs to access the
schema website referenced by the following faces-config declaration:
<faces-config xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cdk="http://jboss.org/schema/richfaces/cdk/extensions"
version="2.0" metadata-complete="false"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-facesconfig_2_0.xsd">
Migrating a KVM Local Disc-based Deployment In Place
This process requires these steps:
- Overview
- Prerequisites
- Upgrading the 3.7.x CMDB to 4.2.1 CMDB
- Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
- Assigning the 3.7.x Supervisor's IP Address to the 4.2.1 Supervisor
- Registering Workers to the Supervisor
Overview
This migration process is for a FortiSIEM deployment with a single virtual appliance and the CMDB data stored on
a local VMware disk, and where you intend to run a 4.2.x version on the same physical machine as the 3.7.x
version, but as a new virtual machine.
Prerequisites
- Contact FortiSIEM Support to reset your license
- Take a snapshot of your 3.7.x installation for recovery purposes if needed
- Make sure the 3.7.x virtual appliance has Internet access
- Download the 4.2.1 migration scripts (ao-db-migration-4.2.1.tar). You will need the Username and Password
  associated with your FortiSIEM license to access the scripts.
Use More Storage for Your 4.2.1 Virtual Appliance
Install the 4.2.1 virtual appliance on the same host as the 3.7.x version with a local disk that is larger than the
original 3.7.x version. You will need the extra disk space for copying operations during the migration.
Upgrading the 3.7.x CMDB to 4.2.1 CMDB
1. Log in over SSH to your running 3.7.x virtual appliance as root.
2. Change the directory to /root.
3. Move or copy the migration script ao-db-migration-4.2.1.tar to /root.
4. Untar the migration script.
5. Run ls -al to check that root is the owner of the files ao-db-migration.sh and ao-db-migration-archiver.sh.
6. For each FortiSIEM Supervisor, Worker, or Collector node, stop all backend processes by running
the phtools command.
phtools --stop all
7. Run the archive script to create an archive version of the CMDB, and specify the directory where it should be
created.
./ao-db-migration-archiver.sh /tmp/376_archive/
8. Check that the archive files phoenixdb_migration_* and opt-migration-*.tar were successfully
created in the destination directory.
9. Copy the opt-migration-*.tar file to /root.
This contains various data files outside of CMDB that will be needed to restore the upgraded CMDB.
10. Run the migration script on the 3.7.x CMDB archive you created in step 7.
The first argument is the location of the archived 3.7.x CMDB, and the second argument is the location where the
migrated CMDB file will be kept.
/root/ao-db-migration.sh /tmp/376_archive/cmdb-migration-xyz /tmp/376_migration
11. Make sure the migrated files were successfully created.
12. Copy the migrated CMDB phoenixdb_migration_xyz file to the /root directory of your 4.2.1 virtual
appliance.
This file will be used during the CMDB restoration process.
Removing the Local Disk from the 3.7.x Virtual Appliance
1. Log in to your vSphere client.
2. Select your 3.7.x virtual appliance and power it off.
3. Open the Hardware properties for your virtual appliance.
4. Select IDE Disk 2, and then click Remove.
Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
1. Log in to your 4.2.1 virtual appliance as root.
2. Change the directory to /opt/phoenix/deployment/.
3. Run the post-ao-db-migration.sh script with the 3.7.x migration files phoenixdb_migration_xyz and
opt-migration-*.tar.
./post-ao-db-migration.sh /root/phoenixdb_migration_xyz /root/opt-migration-xyz.tar
4. When the migration script completes the virtual appliance will reboot.
Adding the Local Disk to the 4.2.1 Virtual Appliance
1. Log in to Virtual Machine Manager.
2. Select your 4.2.1 virtual appliance and power it off.
3. Go to the Hardware settings for your virtual appliance and select IDE Disk 3.
4. Click Remove.
5. Click Add Hardware.
6. Select Storage.
7. Select the option to use managed or existing storage, and then browse to the location of the detached 3.7.x
disk.
8. Click Finish.
9. Select Use an existing virtual disk, and then click Next.
10. Browse to the location of the migrated virtual disk that was created by the migration script, and then click OK.
11. Power on the virtual appliance.
Assigning the 3.7.x Supervisor's IP Address to the 4.2.1 Supervisor
1. In the vSphere client, power off the 3.7.x Supervisor.
The IP Address for the 3.7.x Supervisor will be transferred to the 4.2.1 Supervisor.
2. Log in to the 3.7.x Supervisor as root over SSH.
3. Run the vami_config_net script.
Your virtual appliance will reboot when the IP address change is complete.
/opt/vmware/share/vami/vami_config_net
Registering Workers to the Supervisor
1. Log in to the Supervisor as admin.
2. Go to Admin > License Management.
3. Under VA Information, click Add, and add the Worker.
4. Under Admin > Collector Health and Cloud Health, check that the health of the virtual appliances is normal.
Setting the 4.2.1 SVN Password to the 3.7.x Password
1. Log in to the 4.2.1 Supervisor as root over SSH.
2. Change the directory to /opt/phoenix/deployment/jumpbox.
3. Run the SVN password reset script: ./phsetsvnpwd.sh
4. Enter the following full admin credentials to reset the SVN password:
Organization: Super
User: admin
Password: ****
Migration is now complete. Make sure all devices, user-created rules, reports, and dashboards have been
migrated successfully.
Migrating a KVM Local Disk-based Deployment using an RSYNC Tool
This process requires these steps:
- Overview
- Prerequisites
- Copy the 3.7.x CMDB to a 4.2.1 Virtual Appliance Using rsync
- Upgrading the 3.7.x CMDB to 4.2.1 CMDB
- Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
- Assigning the 3.7.x Supervisor's IP Address to the 4.2.1 Supervisor
- Registering Workers to the Supervisor
Overview
This migration process is for a FortiSIEM deployment with a single virtual appliance and the CMDB data stored on
a local VMware disk, and where you intend to run the 4.2.1 version on a different physical machine from the 3.7.x
version.
Prerequisites
- Contact FortiSIEM Support to reset your license
- Take a snapshot of your 3.7.x installation for recovery purposes if needed
- Make sure the 3.7.x virtual appliance has Internet access
- Download the 4.2.1 migration scripts (ao-db-migration-4.2.1.tar). You will need the Username and Password
  associated with your FortiSIEM license to access the scripts.
Copy the 3.7.x CMDB to a 4.2.1 Virtual Appliance Using rsync
Installing rsync
Before you can copy the CMDB, you need to have rsync installed on the 3.7.x virtual appliance where you will be
making the copy.
1. Log in to the 3.7.x Supervisor as root over SSH.
2. Copy CentOS-Base.repo to /etc/yum.repos.d.
cp /etc/yum.repos.d.orig/CentOS-Base.repo /etc/yum.repos.d
3. Install rsync from the yum repo.
yum install rsync
Procedure
1. Log in to the 4.2.1 virtual appliance as root.
2. Check the disk size on the remote system to make sure that there is enough space for the database to be copied
over.
3. Copy the directory /data from the 3.7.x virtual appliance to the 4.2.1 virtual appliance using the rsync tool.
rsync Command Syntax: make sure that the trailing / is used in the final two arguments of the rsync command.
rsync --progress -av root@<3.7.x_VA_ip_address>:/data/ /data/
4. After copying is complete, make sure that the size of the event database is identical to the 3.7.x system.
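For step 4, a single disk-usage figure can agree while individual event files are missing or truncated. The following is an added example, not part of the FortiSIEM guide: it produces a sorted file-by-file manifest of a tree and compares the source and copied manifests, refusing the cutover when they differ. Paths are arguments so it can be rehearsed on constructed directories; on a migration you would generate the manifest of /data on the 3.7.x appliance, copy that file over, and compare it with the manifest of the rsynced /data on the 4.2.1 appliance.

```shell
#!/bin/sh
# Added example for step 4 of the rsync procedure; not part of the FortiSIEM
# guide. It checks that a copied /data tree matches the source file by file
# instead of relying on a single disk-usage figure. Paths are arguments so the
# check can be rehearsed on constructed directories before use on the appliances.

# Print "<file count> <total KiB>" for a directory tree (the quick size check
# the guide asks for in step 4).
tree_summary() {
    files=$(find "$1" -type f | wc -l | tr -d ' ')
    kib=$(du -sk "$1" | cut -f1)
    printf '%s %s\n' "$files" "$kib"
}

# Print a manifest of the tree: one "relative-path byte-size" line per regular
# file, sorted, so two trees can be compared entry by entry. On a real migration
# generate this on the 3.7.x appliance (tree_manifest /data > /tmp/src.manifest),
# scp the file across, then compare it with the 4.2.1 side's manifest.
tree_manifest() {
    ( cd "$1" && find . -type f -exec sh -c '
        for f; do printf "%s %s\n" "$f" "$(wc -c < "$f" | tr -d " ")"; done
    ' sh {} + ) | sort
}

# Compare two manifest files. Prints "identical" and returns 0 when they match;
# otherwise prints the differing entries ("<" only in the source, ">" only in
# the copy) and returns 1 so the caller can stop before cutting over.
compare_manifests() {
    if cmp -s "$1" "$2"; then
        printf 'identical\n'
        return 0
    fi
    diff "$1" "$2" | grep '^[<>]'
    return 1
}

# Convenience wrapper for two locally reachable trees.
compare_trees() {
    src_m=$(mktemp) && dst_m=$(mktemp) || return 2
    tree_manifest "$1" > "$src_m"
    tree_manifest "$2" > "$dst_m"
    compare_manifests "$src_m" "$dst_m"
    rc=$?
    rm -f "$src_m" "$dst_m"
    return $rc
}

# The guide's rsync command (trailing slashes on both paths are required). Not
# run in the demo; argument: 3.7.x appliance IP address.
copy_data() {
    rsync --progress -av "root@$1:/data/" /data/
}

# Demonstration on constructed directories standing in for the two /data trees.
demo() {
    src=$(mktemp -d) && dst=$(mktemp -d) || return 2
    mkdir -p "$src/eventdb/2017" "$src/cmdb"
    printf 'event one\n' > "$src/eventdb/2017/a.dat"
    printf 'event two, longer\n' > "$src/eventdb/2017/b.dat"
    printf 'cfg\n' > "$src/cmdb/c.txt"
    cp -R "$src"/. "$dst"/                   # stands in for the rsync copy
    printf 'source summary (files KiB): %s\n' "$(tree_summary "$src")"
    compare_trees "$src" "$dst"              # prints "identical"
    rm "$dst/eventdb/2017/b.dat"             # simulate an incomplete copy
    compare_trees "$src" "$dst" || printf 'copy incomplete, do not cut over\n'
    rm -rf "$src" "$dst"
}
demo
```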
Upgrading the 3.7.x CMDB to 4.2.1 CMDB
1. Log in over SSH to your running 3.7.x virtual appliance as root.
2. Change the directory to /root.
3. Move or copy the migration script ao-db-migration-4.2.1.tar to /root.
4. Untar the migration script.
5. Run ls -al to check that root is the owner of the files ao-db-migration.sh and ao-db-migration-archiver.sh.
6. For each FortiSIEM Supervisor, Worker, or Collector node, stop all backend processes by running
the phtools command.
phtools --stop all
7. Run the archive script to create an archive version of the CMDB, and specify the directory where it should be
created.
./ao-db-migration-archiver.sh /tmp/376_archive/
8. Check that the archive files phoenixdb_migration_* and opt-migration-*.tar were successfully created in the destination directory.
9. Copy the opt-migration-*.tar file to /root.
This contains various data files outside of the CMDB that will be needed to restore the upgraded CMDB.
10. Run the migration script on the 3.7.x CMDB archive you created in step 7. The first argument is the location of the archived 3.7.x CMDB, and the second argument is the location where the migrated CMDB file will be kept:
/root/ao-db-migration.sh /tmp/376_archive/cmdb-migration-xyz /tmp/376_migration
11. Make sure the migrated files were successfully created.
12. Copy the migrated CMDB file phoenixdb_migration_xyz to the /root directory of your 4.2.1 virtual appliance. This file will be used during the CMDB restoration process.
Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
1. Log in to your 4.2.1 virtual appliance as root.
2. Change the directory to /opt/phoenix/deployment/.
3. Run the post-ao-db-migration.sh script with the 3.7.x migration files phoenixdb_migration_xyz and opt-migration-*.tar:
./post-ao-db-migration.sh /root/phoenixdb_migration_xyz /root/opt-migration-xyz.tar
4. When the migration script completes the virtual appliance will reboot.
Assigning the 3.7.x Supervisor's IP Address to the 4.2.1 Supervisor
1. In the vSphere client, power off the 3.7.x Supervisor.
The IP Address for the 3.7.x Supervisor will be transferred to the 4.2.1 Supervisor.
2. Log in to the 3.7.x Supervisor as root over SSH.
3. Run the vami_config_net script. Your virtual appliance will reboot when the IP address change is complete.
/opt/vmware/share/vami/vami_config_net
Registering Workers to the Supervisor
1. Log in to the Supervisor as admin.
2. Go to Admin > License Management.
3. Under VA Information, click Add, and add the Worker.
4. Under Admin > Collector Health and Cloud Health, check that the health of the virtual appliances is normal.
Setting the 4.2.1 SVN Password to the 3.7.x Password
1. Log in to the 4.2.1 Supervisor as root over SSH.
2. Change the directory to /opt/phoenix/deployment/jumpbox.
3. Run the SVN password reset script:
./phsetsvnpwd.sh
4. Enter the following full admin credentials to reset the SVN password:
Organization: Super
User: admin
Password: ****
Migration is now complete. Make sure that all devices, user-created rules, reports, and dashboards were migrated successfully.
Migrating a KVM NFS-based Deployment In Place
The steps for this process are:
- Overview
- Prerequisites
- Upgrading the 3.7.x CMDB to 4.2.1 CMDB
- Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
- Mounting the NFS Storage on Supervisors and Workers
- Registering Workers to the Supervisor
Overview
In this migration method, the production FortiSIEM systems are upgraded in place, meaning that the production 3.7.x virtual appliance is stopped and used for migrating the CMDB to the 4.2.1 virtual appliance. The advantage of this approach is that no extra hardware is needed, while the disadvantage is extended downtime during the CMDB archive and upgrade process. During this downtime events are not lost but are buffered at the collector. However, incidents are not triggered while events are buffered. Prior to the CMDB upgrade process, you might want to take a snapshot of the CMDB to use as a backup if needed.
Prerequisites
- Contact FortiSIEM Support to reset your license.
- Take a snapshot of your 3.7.x installation for recovery purposes if needed.
- Make sure the 3.7.x virtual appliance has Internet access.
- Download the 4.2.1 migration scripts (ao-db-migration-4.2.1.tar). You will need the Username and Password associated with your FortiSIEM license to access the scripts.
Upgrading the 3.7.x CMDB to 4.2.1 CMDB
1. Log in over SSH to your running 3.7.x virtual appliance as root.
2. Change the directory to /root.
3. Move or copy the migration script ao-db-migration-4.2.1.tar to /root.
4. Untar the migration script.
5. Run ls -al to check that root is the owner of the files ao-db-migration.sh and ao-db-migration-archiver.sh.
6. For each FortiSIEM Supervisor, Worker, or Collector node, stop all backend processes by running
the phtools command.
phtools --stop all
7. Run the archive script to create an archive version of the CMDB, and specify the directory where it should be
created.
./ao-db-migration-archiver.sh /tmp/376_archive/
8. Check that the archive files phoenixdb_migration_* and opt-migration-*.tar were successfully created in the destination directory.
9. Copy the opt-migration-*.tar file to /root.
This contains various data files outside of the CMDB that will be needed to restore the upgraded CMDB.
10. Run the migration script on the 3.7.x CMDB archive you created in step 7. The first argument is the location of the archived 3.7.x CMDB, and the second argument is the location where the migrated CMDB file will be kept:
/root/ao-db-migration.sh /tmp/376_archive/cmdb-migration-xyz /tmp/376_migration
11. Make sure the migrated files were successfully created.
12. Copy the migrated CMDB file phoenixdb_migration_xyz to the /root directory of your 4.2.1 virtual appliance. This file will be used during the CMDB restoration process.
Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
1. Log in to your 4.2.1 virtual appliance as root.
2. Change the directory to /opt/phoenix/deployment/.
3. Run the post-ao-db-migration.sh script with the 3.7.x migration files phoenixdb_migration_xyz and opt-migration-*.tar:
./post-ao-db-migration.sh /root/phoenixdb_migration_xyz /root/opt-migration-xyz.tar
4. When the migration script completes the virtual appliance will reboot.
Mounting the NFS Storage on Supervisors and Workers
Follow this process for each Supervisor and Worker in your deployment.
1. Log in to your virtual appliance as root over SSH.
2. Run the mount command to check the mount location.
3. Stop all FortiSIEM processes.
service crond stop
phtools --stop all
killall -9 phMonitor
su - admin
/opt/glassfish/bin/asadmin stop-domain
exit
service postgresql-9.1 stop
service httpd stop
4. Unmount the 4.2.1 NFS storage location:
umount /data
5. Mount the 3.7.x NFS storage location back on /data:
mount -t nfs -o nfsvers=3 <NFS_Server_IP>:<Mount_Path> /data
For example:
mount -t nfs -o nfsvers=3 192.168.67.168:/data/mig/SP61_376 /data
6. Verify the mount location on the Supervisor or Worker.
7. Change the /data entry in /etc/fstab on the Supervisor or Worker to the 3.7.x mount path.
8. Reboot the Supervisor or Worker.
Registering Workers to the Supervisor
1. Log in to the Supervisor as admin.
2. Go to Admin > License Management.
3. Under VA Information, click Add, and add the Worker.
4. Under Admin > Collector Health and Cloud Health, check that the health of the virtual appliances is normal.
Setting the 4.2.1 SVN Password to the 3.7.x Password
1. Log in to the 4.2.1 Supervisor as root over SSH.
2. Change the directory to /opt/phoenix/deployment/jumpbox.
3. Run the SVN password reset script:
./phsetsvnpwd.sh
4. Enter the following full admin credentials to reset the SVN password:
Organization: Super
User: admin
Password: ****
Migration is now complete. Make sure that all devices, user-created rules, reports, and dashboards were migrated successfully.
Migrating a KVM NFS-based Deployment via a Staging System
The steps in this process are:
- Overview
- Prerequisites
- Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
- Mounting the NFS Storage on Supervisors and Workers
- Registering Workers to the Supervisor
- Setting the 4.2.1 SVN Password to the 3.7.x Password
Overview
In this migration method, the production 3.7.x FortiSIEM systems are left untouched. A separate mirror-image 3.7.x system is first created and then upgraded to 4.2.1. The NFS storage is mounted on the upgraded 4.2.1 system, and the collectors are redirected to it. The upgraded 4.2.1 system now becomes the production system, while the old 3.7.6 system can be decommissioned. The collectors can then be upgraded one by one. The advantages of this method are minimal downtime during which incidents aren't triggered, and no upgrade risk: if for some reason the upgrade fails, it can be aborted without any risk to your production CMDB data. The disadvantages of this method are the hardware required to set up the 3.7.x mirror system, and the longer time to complete the upgrade because of the time needed to set up the mirror system.
Prerequisites
- Contact FortiSIEM Support to reset your license.
- Take a snapshot of your 3.7.x installation for recovery purposes if needed.
- Make sure the 3.7.x virtual appliance has Internet access.
- Download the 4.2.1 migration scripts (ao-db-migration-4.2.1.tar). You will need the Username and Password associated with your FortiSIEM license to access the scripts.
Create the 3.7.x CMDB Archive
1. Log in to your running 3.7.x production AccelOps virtual appliance as root.
2. Change the directory to /root.
3. Copy the migration script ao-db-migration-4.2.1.tar to the /root directory.
4. Untar the migration script.
5. Make sure that the owner of ao-db-migration.sh and ao-db-migration-archiver.sh files is root.
6. Run the archive script, specifying the directory where you want the archive file to be created.
./ao-db-migration-archiver.sh /tmp/376_archive/
7. Check that the archived files were successfully created in the destination directory.
You should see two files: cmdb-migration-*.tar, which will be used to migrate the 3.7.x CMDB, and opt-migration-*.tar, which contains files stored outside of the CMDB that will be needed to restore the upgraded CMDB to your new 4.2.1 virtual appliance.
8. Copy the cmdb-migration-*.tar file to the 3.7.x staging Supervisor, using the same directory name you used in Step 6.
9. Copy the opt-migration-*.tar file to the /root directory of the 4.2.1 Supervisor.
Restoring the Upgraded CMDB in a 4.2.1 Virtual Appliance
1. Log in to your 4.2.1 virtual appliance as root.
2. Change the directory to /opt/phoenix/deployment/.
3. Run the post-ao-db-migration.sh script with the 3.7.x migration files phoenixdb_migration_xyz and opt-migration-*.tar:
./post-ao-db-migration.sh /root/phoenixdb_migration_xyz /root/opt-migration-xyz.tar
4. When the migration script completes the virtual appliance will reboot.
Mounting the NFS Storage on Supervisors and Workers
Follow this process for each Supervisor and Worker in your deployment.
1. Log in to your virtual appliance as root over SSH.
2. Run the mount command to check the mount location.
3. Stop all FortiSIEM processes.
service crond stop
phtools --stop all
killall -9 phMonitor
su - admin
/opt/glassfish/bin/asadmin stop-domain
exit
service postgresql-9.1 stop
service httpd stop
4. Unmount the 4.2.1 NFS storage location:
umount /data
5. Mount the 3.7.x NFS storage location back on /data:
mount -t nfs -o nfsvers=3 <NFS_Server_IP>:<Mount_Path> /data
For example:
mount -t nfs -o nfsvers=3 192.168.67.168:/data/mig/SP61_376 /data
6. Verify the mount location on the Supervisor or Worker.
7. Change the /data entry in /etc/fstab on the Supervisor or Worker to the 3.7.x mount path.
8. Reboot the Supervisor or Worker.
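The remount sequence from both "Mounting the NFS Storage on Supervisors and Workers" sections (the in-place and the staging-system migrations) as one script, with the /etc/fstab edit of step 7 done by a function whose result is checked before it is written back. This is an added example, not part of the guide; it assumes the guide's NFSv3 mount option (nfsvers=3) and the export from the guide's example.

```shell
#!/bin/sh
# Added example, not from the FortiSIEM guide: steps 3 to 7 of the NFS remount
# on one Supervisor or Worker, with the fstab edit done as a checked rewrite.
# Assumes the guide's mount options (-t nfs -o nfsvers=3).

# Print FSTAB with its /data line replaced by an NFSv3 entry for SERVER:EXPORT.
# Comments and other mounts pass through; duplicate /data lines are dropped and
# an entry is appended when none existed.
rewrite_fstab_data() {
    fstab=$1
    src="$2:$3"
    awk -v src="$src" '
        BEGIN { entry = src "\t/data\tnfs\tnfsvers=3\t0 0"; done = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        $2 == "/data" { if (!done) { print entry; done = 1 }; next }
        { print }
        END { if (!done) print entry }
    ' "$fstab"
}

# True when FSTAB has exactly one /data entry and it points at SERVER:EXPORT.
fstab_data_points_to() {
    awk -v src="$2:$3" '
        $2 == "/data" { total++; if ($1 == src) hits++ }
        END { exit !(total == 1 && hits == 1) }
    ' "$1"
}

# Steps 3 to 7 on one Supervisor or Worker; run as root.
remount_data_to_37x() {
    server=$1
    export_path=$2
    # step 3: stop the FortiSIEM processes in the guide's order
    service crond stop
    phtools --stop all
    killall -9 phMonitor
    su - admin -c '/opt/glassfish/bin/asadmin stop-domain'
    service postgresql-9.1 stop
    service httpd stop
    # steps 4 and 5: swap the mount
    umount /data
    mount -t nfs -o nfsvers=3 "${server}:${export_path}" /data
    # step 6: show what is mounted on /data now
    mount | grep ' on /data '
    # step 7: keep the old fstab, write the new one only if it checks out
    cp -p /etc/fstab /etc/fstab.pre-migration
    rewrite_fstab_data /etc/fstab.pre-migration "$server" "$export_path" > /etc/fstab.new
    if fstab_data_points_to /etc/fstab.new "$server" "$export_path"; then
        mv /etc/fstab.new /etc/fstab
    else
        echo "fstab rewrite failed; /etc/fstab left unchanged" >&2
        return 1
    fi
    # step 8 (reboot) is left to the operator
}

# Usage with the export from the guide's example:
# remount_data_to_37x 192.168.67.168 /data/mig/SP61_376
```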
Registering Workers to the Supervisor
1. Log in to the Supervisor as admin.
2. Go to Admin > License Management.
3. Under VA Information, click Add, and add the Worker.
4. Under Admin > Collector Health and Cloud Health, check that the health of the virtual appliances is normal.
Setting the 4.2.1 SVN Password to the 3.7.x Password
1. Log in to the 4.2.1 Supervisor as root over SSH.
2. Change the directory to /opt/phoenix/deployment/jumpbox.
3. Run the SVN password reset script:
./phsetsvnpwd.sh
4. Enter the following full admin credentials to reset the SVN password:
Organization: Super
User: admin
Password: ****
Migration is now complete. Make sure that all devices, user-created rules, reports, and dashboards were migrated successfully.
Migrating Collectors
1. After migrating all your Supervisors and Workers to 4.2.1, install the 4.2.1 Collectors.
2. SSH to the 3.7.x Collector as root.
3. Change the directory to /opt/phoenix/cache/parser/events.
4. Copy the files from this directory to the same directory on the 4.2.1 system.
5. Change the directory to /opt/phoenix/cache/parser/upload/svn.
6. Copy the files from this directory to the same directory on the 4.2.1 system.
7. Power off the 3.7.x Collector.
8. SSH to the 4.2.1 Collector and change its IP address to the same as the 3.7.x Collector by running the vami_config_net script:
/opt/vmware/share/vami/vami_config_net
9. In a browser, navigate to https://<4.2.1_Collector_IP_address>:5480 and fill in the administration information to complete the Collector setup.
Migrating the SVN Repository to a Separate Partition on a Local Disk
If you are using NFS storage, your SVN repository will be migrated to a local disk to improve performance and
reliability. If you are using local storage only, the SVN repository will be moved out of the /data partition and
into an /svn partition.
60GB Local Disk Storage Required
You must have 60GB of local storage available on the Supervisor node for the SVN repository migration. Create a new virtual disk with a size of 60GB before starting the SVN migration.
1. SSH as root into the Supervisor node where you want to run the SVN migration.
ssh root@<Super IP>
2. Run df -h to confirm that an /svn partition does NOT exist yet; the migration script is going to create that partition. The screenshot shows the expected typical partition structure.
3. Download ao-svn-migration.sh script from image server. (https://images.FortiSIEM.net/upgrade/va/4.3.1)
4. Copy or move the ao-svn-migration.sh script to /root.
5. Run ls -al to check that root is the owner of ao-svn-migration.sh.
6. Run chmod to change the permissions on ao-svn-migration.sh to 755: chmod 755 ao-svn-migration.sh
7. Reboot the machine.
8. Log into the Supervisor as root.
9. Run ao-svn-migration.sh:
./ao-svn-migration.sh
10. When the script executes, you will be asked to confirm that you have 60GB of local storage available for the
migration. When the script completes, you will see the message Upgrade Completed. SVN disk
migration done.
11. Run df -h to confirm that the /svn partition was created.
Special pre-upgrade instruction for 4.3.3
1. SSH as root into the Supervisor node.
2. Download the "phupdateinstall-4.3.3.sh" script.
3. Copy or move the phupdateinstall-4.3.3.sh script to /root.
4. Run chmod to change the permissions on phupdateinstall-4.3.3.sh to 755: chmod 755 phupdateinstall-4.3.3.sh
5. Run phupdateinstall-4.3.3.sh: ./phupdateinstall-4.3.3.sh
6. Repeat steps 1 to 5 on each Worker and on the Report Server node.
Special pre-upgrade instruction for 4.6.1
Instructions for Supervisor node
Run the following command as root:
rpm -e vmware-jre
Instructions for Collector nodes
Run the following commands as root on each collector prior to upgrading the collector from the GUI, or the upgrade will fail:
mkdir -p /opt/phoenixphscripts/bin
ln -sf /opt/phoenix/phscripts/bin/phcollectorimageinstaller.py /opt/phoenixphscripts/bin/phcollectorimageinstaller.py
Enabling TLS 1.2 Patch On Old Collectors
Older FortiSIEM collectors (4.5.2 or earlier, running JDK 1.7) do not have TLS 1.2 enabled. To enable them to communicate with FortiSIEM 4.6.3, follow these steps:
1. SSH to the Collector and edit /opt/phoenix/bin/runJavaAgent.sh.
2. Enable the TLS v1.2 option by adding the https.protocols property to the exec line:
exec ${JAVA_HOME}/bin/java $initialJobXML -Djava.library.path=/opt/phoenix/lib64 -Dhttps.protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2 -classpath ${MY_CLASS_PATH} -Xmx2048M com.ph.phoenix.agent.AgentMain "$@"
3. Save the changes, then restart Java and phAgentManager:
killall -9 java
killall -9 phAgentManager
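The runJavaAgent.sh edit from the steps above, applied by a script that can be run more than once without duplicating the property and that verifies the result before restarting the agent. This is an added example, not part of the guide; the protocol list is the one the guide gives, and the file path defaults to the one named in step 1.

```shell
#!/bin/sh
# Added example, not from the FortiSIEM guide: applies the runJavaAgent.sh edit
# idempotently, so a second run (or a re-run after a collector upgrade) does
# not add the property twice. The protocol list is the one the guide gives.
TLS_PROP='-Dhttps.protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2'

# Print FILE with the property inserted before -classpath on the exec line
# that starts the agent, unless that line already carries https.protocols.
patch_run_java_agent() {
    awk -v prop="$TLS_PROP" '
        /^[ \t]*exec / && /com\.ph\.phoenix\.agent\.AgentMain/ {
            if (index($0, "-Dhttps.protocols=") == 0) {
                sub(/-classpath/, prop " -classpath")
            }
        }
        { print }
    ' "$1"
}

# True when the agent exec line in FILE enables TLS 1.2.
agent_has_tls12() {
    grep -q '^[[:space:]]*exec .*-Dhttps\.protocols=[^ ]*TLSv1\.2.*AgentMain' "$1"
}

# Number of lines in FILE carrying the property (should be 1 after patching).
count_tls_prop() {
    grep -c -- '-Dhttps.protocols=' "$1"
}

# Steps 1 to 3 on a collector, run as root: back up, patch, verify, restart.
patch_collector() {
    f=${1:-/opt/phoenix/bin/runJavaAgent.sh}
    cp -p "$f" "$f.bak"
    patch_run_java_agent "$f.bak" > "$f"
    if ! agent_has_tls12 "$f"; then
        echo "patch failed; restoring $f from backup" >&2
        cp -p "$f.bak" "$f"
        return 1
    fi
    killall -9 java
    killall -9 phAgentManager
}

# Usage on the collector:
# patch_collector
```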
Upgrading to 4.6.3 for TLS 1.2
Enforcing TLS 1.2 requires that the following steps be followed in strict order for upgrade to succeed.
Additional steps for TLS 1.2 compatibility are marked in bold.
1. Remove /etc/yum.repos.d/accelops* and run "yum update" on Collectors, Worker(s) and Supervisor to get all TLS 1.2 related libraries up to date. Follow this yum update order: Collectors → Worker(s) → Supervisor.
2. If your environment has a collector and it is running FortiSIEM 4.5.2 or earlier (with JDK 1.7), then first patch the Collector for TLS 1.2 compatibility (see here). This step is not required for Collectors running FortiSIEM 4.6.1 or later.
3. Pre-upgrade step for upgrading the Supervisor: stop the FortiSIEM processes on all Workers by running "phtools --stop ALL". Collectors can be up and running. This is to avoid a build-up of report files.
4. Upgrade the Supervisor following the usual steps.
5. If your environment has Worker nodes, upgrade the Workers following the usual steps.
6. If your environment has FortiSIEM Windows Agents, then upgrade the Windows Agent Manager from 1.1 to 2.0. Note that there are special pre-upgrade steps to enable TLS 1.2 (see here).
7. If your environment has Collectors, upgrade the Collectors following the usual steps.
Setting Up the Image Server for Collector Upgrades
If you want to upgrade a multi-tenant deployment that includes Collectors, you must set up and then specify an
image server that will be used as a repository for the Collector upgrade files. You can use a standard HTTP server
for this purpose, but there is a preferred directory structure for the server. These instructions describe how to set up
that structure, and then add a reference to the image server in your Supervisor node.
Setting Up the Image Server Directories
1. Log into the image server with Admin rights.
2. Create the directory images/collector/upgrade.
3. Download the latest collector image upgrade file
from https://images.accelops.net/upgrade/offline/co/latest4/ to images/collector/upgrade.
4. Untar the file. You should see a set of files that looks like this:
[image]# tar xvf /root/CO-4.3.3.1189.tar
CO-4.3.3.1189/
CO-4.3.3.1189/RPM-GPG-KEY
CO-4.3.3.1189/FortiSIEM-collector-4.3.3.1189.rpm
CO-4.3.3.1189/repodata/
CO-4.3.3.1189/repodata/other.xml.gz
CO-4.3.3.1189/repodata/filelists.xml.gz
CO-4.3.3.1189/repodata/primary.xml.gz
CO-4.3.3.1189/repodata/repomd.xml
5. Use the ln command to create a symbolic link named latest that points to the versioned directory:
/bin/ln -sf /images/collector/upgrade/CO-x.x.x.xxxx /images/collector/upgrade/latest
6. Make sure a directory tree structure like this is created in the images directory before proceeding:
/images/collector/upgrade/CO-x.x.x.xxxx/
    FortiSIEM-collector-x.x.x.xxxx.rpm
    RPM-GPG-KEY
    repodata/
        filelists.xml.gz
        other.xml.gz
        primary.xml.gz
        repomd.xml
7. Create a link from the image directories to the web server html pages:
/bin/ln -sf /images/collector/upgrade/latest /var/www/html/vms/collector/upgrade/latest
8. Test the image server locations by entering one of the following addresses into a browser:
- http://images.myserver.net/vms/collector/upgrade/latest/
- https://images.myserver.net/vms/collector/upgrade/latest/
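A check that the image server built by steps 2 to 7 has the layout described above before it is entered in the Supervisor: the latest link, the versioned CO-* directory, the collector RPM, the RPM-GPG-KEY and the yum repodata set, plus the web server link of step 7. This is an added example, not part of the guide; the paths default to the ones the guide uses and can be overridden.

```shell
#!/bin/sh
# Added example, not from the FortiSIEM guide: verifies the collector upgrade
# tree the guide describes. Paths default to the guide's; both are parameters.

# Resolve a symlink's target, relative targets being taken from the link's
# own directory. Fails when the path is not a symlink.
link_target() {
    target=$(readlink "$1") || return 1
    case "$target" in
        /*) printf '%s\n' "$target" ;;
        *)  printf '%s\n' "$(dirname "$1")/$target" ;;
    esac
}

# True when UPGRADE_DIR/latest points at a CO-* directory holding one
# collector RPM, the RPM-GPG-KEY and a complete yum repodata set.
check_collector_image_tree() {
    upgrade_dir=${1:-/images/collector/upgrade}
    rc=0
    dir=$(link_target "$upgrade_dir/latest") || {
        echo "$upgrade_dir/latest is not a symlink" >&2; return 1; }
    [ -d "$dir" ] || { echo "latest -> $dir is not a directory" >&2; return 1; }
    case "$(basename "$dir")" in
        CO-*) ;;
        *) echo "latest should point at a CO-x.x.x.xxxx directory, not $dir" >&2; rc=1 ;;
    esac
    for f in RPM-GPG-KEY repodata/repomd.xml repodata/primary.xml.gz \
             repodata/filelists.xml.gz repodata/other.xml.gz; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; rc=1; }
    done
    # exactly one collector RPM; an unmatched glob leaves the pattern itself
    set -- "$dir"/FortiSIEM-collector-*.rpm
    if [ $# -ne 1 ] || [ ! -f "$1" ]; then
        echo "expected exactly one FortiSIEM-collector-*.rpm in $dir" >&2; rc=1
    fi
    return $rc
}

# True when the web server link of step 7 resolves to the same directory
# that UPGRADE_DIR/latest resolves to.
check_web_link() {
    upgrade_dir=${1:-/images/collector/upgrade}
    web_link=${2:-/var/www/html/vms/collector/upgrade/latest}
    a=$(link_target "$upgrade_dir/latest") || return 1
    b=$(link_target "$web_link") || return 1
    # the web link normally points at the 'latest' link, so follow one more level
    case "$b" in */latest) b=$(link_target "$b") || return 1 ;; esac
    [ "$a" = "$b" ]
}

# Step 8 from the command line instead of a browser (needs the server running).
check_web_url() {
    curl -fsSI "${1%/}/repodata/repomd.xml" > /dev/null
}

# Usage on the image server:
# check_collector_image_tree && check_web_link && echo "image tree OK"
```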
Setting the Image Server in the Supervisor
1. Log in to your Supervisor node.
2. Go to Admin > General Settings > System.
3. Under Image Server, enter the URL or IP address for your image server.
4. Enter the authentication credentials for your image server.
5. Click Save.
Upgrading a FortiSIEM Single Node Deployment
These instructions cover the upgrade process for a FortiSIEM Enterprise deployment with a single Supervisor.
1. Using SSH, log in to the FortiSIEM virtual appliance as the root user.
2. Change to the pbin directory.
cd /pbin
3. Run the command to download the image:
./phdownloadimage <userID> <password> <downloadUrl>
Example command to download the 4.7.1 upgrade image:
./phdownloadimage <userID> <password> https://images.accelops.net/upgrade/va/latest/
UserID and Password should be the same credentials you used for license registration.
4. Select Yes to confirm the download.
The console will show the progress of the download. Do Not Stop the Download Process: It takes 40 - 60 minutes to download the upgrade image
depending on network traffic. Do not stop the download process manually.
5. After the download completes, run this command to upgrade your virtual appliance: ./phupgradeimage
Do Not Stop the Upgrade Process:
The system upgrade takes 10 - 30 minutes depending on the size of your databases and system
resources. Do not stop the upgrade process manually.
Your console will display the progress of the upgrade process.
6. When the upgrade process is complete, your FortiSIEM virtual appliance will reboot.
7. Log in to your virtual appliance, and in the Admin > Cloud Health page, check that you are running the upgraded version of FortiSIEM.
Upgrading a FortiSIEM Cluster Deployment
- Overview
- Upgrading Supervisors and Workers
- Upgrading Collectors
Overview
Follow these steps when upgrading a VA cluster:
1. Shut down all Workers. Collectors can be up and running.
2. Upgrade the Super first (while all Workers are shut down).
3. After the Super is up and running, upgrade the Workers one by one.
4. Upgrade the Collectors.
Step #1 prevents the accumulation of report files while the Super is not available during the upgrade (#2). If these steps are not followed, the Supervisor may not be able to come up after the upgrade because of excessive unprocessed report file accumulation.
Note: Both Super and Worker MUST be on the same FortiSIEM version, else various software modules may not work properly. However, Collectors can be on older versions - they will work, except that they may not have the latest discovery and performance monitoring features in the Super/Worker versions. So FortiSIEM recommends that you also upgrade Collectors within a short period of time. If you have Collectors in your deployment, make sure you have configured an image server to use as a repository for the Collector
Upgrading Supervisors and Workers
For both Supervisor and Worker nodes, follow the upgrade process described here, but be sure to upgrade the
Supervisor node first.
1. Using SSH, log in to the FortiSIEM virtual appliance as the root user.
2. Change to the pbin directory and run the command to download the upgrade image:
./phdownloadimage <userID> <password> <downloadUrl>
Example command to download the 4.7.1 upgrade image:
./phdownloadimage <userID> <password> https://images.accelops.net/upgrade/va/latest/
UserID and Password should be the same credentials you used for license registration.
3. Select Yes to confirm the download.
4. The console will show the progress of the download. Do Not Stop the Download Process. It takes 40 - 60 minutes
to download the upgrade image depending on network traffic. Do not stop the download process manually.
5. After the download completes, run this command to upgrade your virtual appliance.
./phupgradeimage
Do Not Stop the Upgrade Process: The system upgrade takes 10 - 30 minutes depending on the
size of your databases and system resources. Do not stop the upgrade process manually.
Your console will display the progress of the upgrade process. When the upgrade process is complete,
your FortiSIEM virtual appliance will reboot.
6. Log in to your virtual appliance, and in the Admin > Cloud Health page, check that you are running the upgraded version of FortiSIEM.
Upgrading Collectors
The process for upgrading Collectors is similar to the process for Supervisors and Workers, but you must initiate the Collector upgrade from the Supervisor.
1. Log in to the Supervisor node as an administrator.
2. Go to Admin > General Settings.
3. Under Image Server Settings, enter the download path to the upgrade image, and the Username and Password associated with your license.
4. Go to Admin > Collector Health.
5. Click Download Image, and then click Yes to confirm the download. As the download progresses you can click Refresh to check its status.
6. When Finished appears in the Download Status column of the Collector Health page, click Install Image. The upgrade process will begin, and when it completes, your virtual appliance will reboot. The amount of time it takes for the upgrade to complete depends on the network speed between your Supervisor node and the Collectors.
7. When the upgrade is complete, make sure that your Collector is running the upgraded version of FortiSIEM.
Upgrading FortiSIEM Windows Agent and Agent Manager
- Upgrade from V1.0 to V1.1
- Upgrade from V1.1 to V2.0
- Upgrading Windows Agent License
- Uninstalling Agents
Upgrade from V1.0 to V1.1
Version 1.0 and 1.1 Backward Incompatibility
Note: 1.0 Agents and Agent Managers communicate only over HTTP, while 1.1 Agents and Agent Managers communicate only over HTTPS. Consequently, 1.1 Agents and Agent Managers are not backward compatible with 1.0 Agents and Agent Managers. You have to completely upgrade the entire system of Agents and Agent Managers.
1. Uninstall V1.0 Agents
2. Close V1.0 Agent Manager Application.
3. Uninstall V1.0 Agent Manager
4. Bind Default Website with HTTPS as described in Pre-requisite in Installing FortiSIEM Windows Agent Manager.
5. Install V1.1 Agent Manager following Installing FortiSIEM Windows Agent Manager.
a. In Database Settings dialog, enter the V1.0 database path as the "FortiSIEM Windows Agent Manager"
SQL Server database path (Procedures Step 6 in Installing FortiSIEM Windows Agent Manager).
b. Enter the same Administrator username and password (as the previous installation) in the Agent
Manager Administrator account creation dialog
6. Install V1.1 Agents
7. Assign licenses again. Use the Export and Import feature.
Upgrade from V1.1 to V2.0
Windows Agent Manager
1. Enable TLS 1.2 on Agent Manager - FortiSIEM Supervisor/Worker 4.6.3 and above enforces the use of TLS
1.2 for tighter security. However, by default only SSL3 / TLS 1.0 is enabled in Windows Server 2008-R2.
Therefore, enable TLS 1.2 for Windows Agent Manager 2.0 for operating with FortiSIEM Supervisor/Worker 4.6.3
and above.
a. Start an elevated Command Prompt (i.e., with administrative privilege) on the Windows Agent Manager 1.1 host.
b. Run the following commands sequentially as shown.
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 00000000
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 00000000
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 00000000
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 00000000
c. Restart the computer.
2. Uninstall Agent Manager 1.1
3. Install the SQL Server 2012 SP1 Feature Pack on the Agent Manager, available at https://www.microsoft.com/en-in/download/details.aspx?id=35580.
a. Select the language of your choice and mark the following two MSIs (choose x86 or x64 depending on
your platform) for download:
i. SQLSysClrTypes.msi
ii. SharedManagementObjects.msi
b. Click on the Download button to download those two MSIs. Then double-click on those MSIs to install
those one by one.
4. Install Agent Manager 2.0
a. In Database Settings dialog, set the old database path as FortiSIEMCAC database path.
b. Enter the same Administrator username and password (as in the previous installation) in the new Agent
Manager Administrator account creation dialog.
5. Run Database migration utility to convert from 1.1 to 2.0
a. Open a Command Prompt window
b. Go to the installation directory (say, C:\Program Files\AccelOps\Server)
c. Run AOUpdateManager.exe with script.zip as the command line parameter. You will find script.zip
alongside the MSI.
Windows Agent
1. Uninstall V1.0 Agents
2. Install Agents
Upgrading Windows Agent License
Follow these steps if you have bought additional Windows Agent licenses or extended the term of the license.
1. Log in to the FortiSIEM Supervisor using the admin account.
2. Go to Admin > License Management and make sure that the license is updated.
3. Go to Admin > Setup Wizard > Windows Agent.
4. Edit each Windows Agent Manager entry and modify the agent count and license expiry date if needed.
The new license will be automatically pushed to each Windows Agent Manager. You can now logon to each
Windows Agent Manager and allocate the additional licenses if needed.
Uninstalling Agents
Single Agent
- Simply uninstall it like a regular Windows service.
Multiple Agents using Group Policy
1. Go to the Group Policy you created during Agent installation. Right click and select Edit.
2. In the Group Policy Management Editor, go to MyGPO > Computer Configuration > Policies > Software Settings > Software Installation.
3. Right click on FortiSIEM Windows Agent <version>
4. Click All Tasks > Remove
5. In Remove Software dialog, choose the option Immediately uninstall the software from users and
computers. Then click OK.
6. The FortiSIEM Windows Agent <version> entry will disappear from the right pane. Close the Group Policy Management Editor.
7. Force the group policy update
a. On Domain Controller > cmd, run gpupdate /force
b. On Agent server > cmd, run gpupdate
8. Restart each Agent Computer to complete the uninstall.
Automatic OS Upgrades during Reboot
In order to patch CentOS and system packages for security updates as well as bug fixes, and to bring the system on par with a freshly installed FortiSIEM node, the following script is made available. Internet connectivity to the CentOS mirrors must be working for the script to succeed; otherwise the script prints an error and exits. This script is available on all nodes starting from 4.6.3: Supervisor, Workers, Collectors, and Report Server.
/opt/phoenix/phscripts/bin/phUpdateSystem.sh
The above script is also invoked during system boot-up, from the following script:
/etc/init.d/phProvision.sh
This ensures that the node is up to date right after an upgrade and system reboot. If you are running a node that was first installed in an older release and upgraded to 4.6.3, then many OS/system packages will be downloaded and installed the first time, so the upgrade takes longer than usual. On subsequent upgrades and reboots, the updates will be small.
Nodes that are deployed in bandwidth-constrained environments can disable this by commenting out the phUpdateSystem.sh line in phProvision.sh. However, it is strongly recommended to keep this in place to ensure that your node has the security fixes from CentOS and to minimize the risk of an exploit. Alternatively, in bandwidth-constrained environments, you can deploy a freshly installed collector to ensure that security fixes are up to date.
Configuring FortiSIEM
This chapter describes the following:
- Initial System Configuration
- Discovering Infrastructure
- Configuring Monitoring
- Creating Business/IT Services
- Data Update Subscription Service
- Creating Custom Parsers and Monitors for Devices
Initial System Configuration
Before you can initiate discovery and monitoring of your IT infrastructure, you will need to configure several general settings, add users, and add organizations for Service Provider deployments.
- Setting Up the Email Gateway
- Setting Up Routing Information for Reports and Incident Notifications
- Setting Up User Roles
- Adding Users for Enterprise Deployments
- Managing Organizations for Multi-Tenant Deployments
- Adding Users to Multi-Tenant Deployments
Setting Up the Email Gateway
Before you can set up notifications, you have to set up the email gateway that your system will use for all alerts and system notifications.
1. Log into your Supervisor node.
2. Go to Admin > General Settings > Email Settings.
3. Enter the Email Gateway Server.
4. Enter any additional account or connection information.
5. Click Save.
Setting Up Routing Information for Reports and Incident Notifications
Topics in this section describe how to set up email addresses to send alerts to when a scheduled report runs, and distribution information for notifications associated with incidents. You can also automate the sending of tickets to a Remedy system when an incident occurs. These are all general settings, in that you don't need to have any rules or reports defined before you configure them. For information on configuring specific notification policies for rules and incidents, see Incident Notifications.
- Setting Up Email Alert Routing for Scheduled Reports
- Setting Up SNMP Traps for Incident Notifications
- Setting Up XML Message Routing for Incident Notifications
- Setting Up Routing for Remedy Tickets
Related Links
- Scheduling Reports
- Incident Notifications
Setting Up Email Alert Routing for Scheduled Reports
You can schedule reports to run and send email notifications to specific individuals. This setting is for default email notifications that will be sent when any scheduled report completes.
1. Log into your Supervisor node.
2. Go to Admin > General Settings > Analytics.
3. Click +.
If you haven't configured your email gateway yet, you will see an error message.
4. Select SMS or Email for the delivery method.
5. Enter the email address or SMS number.
6. Click OK.
7. Click Save All when you are done.
Sending Alerts to the Console
Select Send an alert to console if you also want to send alerts to the console. Alerts are always displayed in the Incidents tab, while the alerts sent to the console are immediately displayed but without any grouping by rule name, incident source, incident target, or other detail information.
Empty Reports
Sometimes a report may be empty because there are no matching events. If you don't want to send empty reports to users, select Do not send scheduled emails if report is empty. If you are running a multi-tenant deployment, and you select this option while in the Super/Global view, this will apply only to Super/Global reports. If you want to suppress delivery of empty reports to individual organizations, you will have to configure this option in the organizational view.
Related Links
- Setting Up the Email Gateway
- Scheduling Reports
Setting Up SNMP Traps for Incident Notifications
You can define SNMP traps that will be notified when an event triggers an incident.
1. Log in to your Supervisor node.
2. Go to Admin > General Settings > Analytics.
3. Enter the SNMP Trap IP Address.
4. Enter the SNMP Community String that will authorize sending the trap to the SNMP trap IP address.
5. Select the SNMP Trap Type.
6. Select a Protocol.
7. Click Test SNMP to check the connection.
8. Click Save All.
Related Links
- Incident Notifications
Setting Up XML Message Routing for Incident Notifications
You can configure FortiSIEM to send an XML message over HTTP(S) when an incident is triggered by a rule.
1. Log in to your Supervisor.
2. Go to Admin > General Settings > Analytics.
3. For HTTP(S) Server URL, enter the URL of the remote host where the message should be sent.
4. Enter the Username and Password to use when logging in to the remote host, and then Reconfirm the password.
5. Click Test HTTP to check the connection.
6. Click Save All.
Setting Up Routing for Remedy Tickets
You can set up Remedy to accept notifications from FortiSIEM and generate tickets from those notifications. These instructions explain how to set up the routing to your Remedy server.
1. Log in to your Supervisor node.
2. Go to Admin > General Settings > Analytics.
3. For WSDL, enter the URL of the Remedy Server.
4. Enter the Username and Password associated with your Remedy server, and then Reconfirm the password.
5. Click Test Remedy to test the connection.
6. Click Save All.
Setting Up User Roles
FortiSIEM has a wide operational scope - it provides performance, availability, and environmental alerts, as well as change and security monitoring for network devices, servers and applications. It is difficult for one admin to monitor across the entire spectrum of available information. In addition, devices may be in widely distributed geographical and administratively disjointed locations. Role-based access control provides a way to partition the FortiSIEM administrative responsibilities across multiple admins.
A role defines two aspects of a user's interaction with the FortiSIEM platform:
- Which user interface elements a user can see, and the ability to use the associated Read/Write/Execute permissions. As an example, the built-in Executive role can see only the dashboard, while the Server Admin role cannot see network devices. Role permissions can be defined down to the attribute level, so that, for example, a Tier1 Network Admin role can see network devices but not their configurations.
- What data the user can see. For example, consider a Windows Admin role and a Unix Admin role. They both can run the same reports, but the Windows admin sees only logs from Windows devices. This definition can also be fine-grained; for example, one Windows admin sub-role can be defined to see Windows performance metrics, while another Windows admin sub-role can see Windows authentication logs.
Topics in this section explain how to use the Default roles that come with FortiSIEM, and how to define new ones.
- Default Roles
- Creating Custom User Roles
Default Roles
To perform any action with FortiSIEM, a user must be assigned a role with the required permissions. The roles listed in this table are default roles. You can create custom roles and permissions by following the instructions in the topic Creating Custom User Roles.
Role: Permissions
Full Admin: Full access to the GUI and full access to the data. Only this role can define roles, create users and map users to roles.
Network Admin: Full access to the network device portion of the GUI and full access to logs from network devices.
System Admin: Full access to the Server/Workstation/Storage part of the GUI and full access to logs from those devices.
Server Admin: Full access to the Server part of the GUI and full access to logs from those devices.
Windows Server Admin: Full access to the Windows Server part of the GUI and full access to logs from those devices.
Unix Server Admin: Full access to the Unix Server part of the GUI and full access to logs from those devices.
Security Admin: Full access to Security aspects of all devices.
Storage Admin: Full access to the Storage device part of the GUI and full access to logs from those devices.
DB Admin: Full access to the database servers part of the GUI and full access to logs from those devices.
Helpdesk: Access to the Admin, CMDB, and Dashboard tabs, with view and run permissions for the Analytics and Incidents tabs.
Read Only Admin: View access to all tabs and permission to run reports.
Executive: View access to the Business Service dashboard and personalized My Dashboard tabs, but reports can be populated by logs from any device.
Creating Custom User Roles
1. Log in to your Supervisor node.
2. Go to Admin > Role Management.
3. Click New.
4. Enter a Role Name and Role Description.
5. Enter the Data Conditions for this role.
This restricts access to the event/log data that is available to the user, and will be appended to any query that is submitted by users with this role. This applies to both Real-Time and Historical searches, as well as Report and Dashboard information.
6. Enter the CMDB Report Conditions for this role.
This restricts access to the reports for devices, users, and monitors that are available to the user with this role.
7. Select the UI Access Conditions for this role.
8. This defines the user interface elements that can be accessed by users with this role. By default, child nodes in the tree inherit the permissions of their immediate parent; however, you can override those default permissions by explicitly editing the permission of the child node. Options for these settings are:
Setting: Description
Full: No access restrictions
Edit: The role can make changes to the UI element
Run: The role can execute processes for the UI element
View: The role can only view the UI element
Hide: The UI element is hidden from the role
Hiding Network Segments
If a Network Segment is marked as hidden for a user role, then users with that role will not be able to see any of the devices whose IP addresses fall within that network segment, even if the CMDB folder(s) containing those devices have not been hidden.
Explicit v. Effective Permissions
When a permission icon is shown within a grey box, that means that the permission was explicitly set. If the icon is shown without a border, then it represents a node's effective permission. If a permission has not been set for a node, then its effective permission is that of its nearest parent in the tree.
Adding Users for Enterprise Deployments
Adding users to enterprise deployments involves first deciding if you are going to use external authentication, or local authentication credentials defined within each user profile. You can then add users on an individual basis, or, if you are using LDAP authentication, you can discover users within Active Directory over LDAP. For multi-tenant deployments you can add individual users to an organization as described in these topics, but if you need to add users who have a role in more than one organization (Global users), see the topics under Adding Users to Multi-Tenant Deployments.
- Setting Up External Authentication
- Adding a Single User
- Adding Users from Active Directory via LDAP
- Adding Users from Okta
- Adding 2-factor Authentication via Duo Security
Setting Up External Authentication
You have three options for setting up external authentication for your FortiSIEM deployment. The first option, LDAP, is discussed in detail in Adding Users from Active Directory via LDAP. The other options, RADIUS and Okta, follow the same authentication setup process.
Multiple Authentication Profiles
If more than one authentication profile is associated with a user, then the servers will be contacted one-by-one until a connection to one of them is successful. Once a server has been contacted, if the authentication fails, the process ends, and the user is notified that the authentication failed.
1. Log into your Supervisor node.
2. Go to Admin > General Settings > External Authentication.
3. Click Add.
4. If you are setting up authentication for an organization within a multi-tenant deployment, select the Organization.
5. Select the Protocol.
6. Complete the protocol settings.
Protocol: User-Defined Settings
LDAP: Access IP. Select Set DN Pattern to open a text field in which you can enter the DN pattern if you want to override the discovered pattern, or you want to add a specific LDAP user. See Adding Users from Active Directory via LDAP for more information about configuration settings for LDAP.
RADIUS: Access IP; Shared Secret. Select CHAP if you are using encrypted authentication to your RADIUS server.
Okta: Certificate. See Configuring Okta Authentication for more information.
7. Click Test, and then enter credentials associated with the protocol you selected to make sure users can authenticate to your deployment.
You can now associate users to this authentication profile as described in Adding a Single User.
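The profile-chaining behaviour described under Multiple Authentication Profiles, modelled as an added example (not FortiSIEM code) with constructed stand-in backends: an unreachable server is skipped, but the first server that answers decides, so a reachable server that rejects the user ends the attempt even if a later profile would have accepted the same user.

```python
"""Added example, not FortiSIEM code: how a chain of external authentication
profiles behaves when a server is unreachable versus when it rejects a login.
The backends and users below are constructed stand-ins for LDAP/RADIUS/Okta."""


class ConnectionFailed(Exception):
    """The server could not be contacted at all (network, TLS or timeout)."""


def make_backend(reachable, users):
    """Build a stand-in authenticator; `users` maps username -> password."""
    def authenticate(username, password):
        if not reachable:
            raise ConnectionFailed()
        return users.get(username) == password
    return authenticate


def authenticate_with_profiles(profiles, username, password):
    """Walk the profiles in order: skip servers that cannot be contacted,
    stop at the first server that answers. Returns (outcome, deciding_profile)
    with outcome one of 'success', 'auth_failed', 'no_server_reachable'."""
    for name, backend in profiles:
        try:
            accepted = backend(username, password)
        except ConnectionFailed:
            continue  # unreachable: try the next profile
        return ("success" if accepted else "auth_failed", name)
    return ("no_server_reachable", None)


def scenarios():
    """Constructed scenarios that show the consequence of profile ordering."""
    ldap_down = make_backend(reachable=False, users={"alice": "ldap-pw"})
    radius_up = make_backend(reachable=True, users={"bob": "radius-pw"})
    okta_up = make_backend(reachable=True, users={"alice": "okta-pw"})
    profiles = [("corp-ldap", ldap_down), ("corp-radius", radius_up), ("okta", okta_up)]
    return {
        # LDAP is skipped, RADIUS answers and accepts bob
        "bob": authenticate_with_profiles(profiles, "bob", "radius-pw"),
        # RADIUS answers first and rejects alice; Okta is never consulted
        "alice": authenticate_with_profiles(profiles, "alice", "okta-pw"),
        # no profile is reachable
        "none": authenticate_with_profiles([("corp-ldap", ldap_down)], "bob", "x"),
    }


if __name__ == "__main__":
    for who, result in scenarios().items():
        print(who, result)
```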
Configuring Okta Authentication
To use Okta authentication for your FortiSIEM deployment, you must set up a SAML 2.0 Application in Okta, and then use the certificate associated with that application when you configure external authentication.
1. Log into Okta.
2. In the Applications tab, create a new application using Template SAML 2.0 App.
3. Under General Settings, configure these settings:
Post Back URL
Post Back URL
Destination
https://<FortiSIEMIP>/phoenix/okta
Recipient
FortiSIEM
Audience Restriction
Super
authnContextClassRef
PasswordProtectedTransport
Request
Uncompressed
4. Click Save.
5. In the Sign On tab, click View Setup Instructions.
6. Click Download Certificate.
7. Follow the instructions in Setting Up External Authentication and enter the downloaded certificate for Okta authentication.
Adding a Single User
1. Log in to your Supervisor node.
2. Go to CMDB > Users.
3. Click New.
4. Complete the User Name and user profile information.
5. For System Administrator, select Yes.
6. Select a Default Role for the user.
See the topic Default Roles for a list of default roles and permissions. You can also create new roles as described in Creating Custom User Roles, which will be available in this menu after you create them.
7. For System Account Enabled, select Yes.
8. For Session Timeout, enter the number of minutes after which an inactive user will be logged out.
9. For User Lockout, enter the number of minutes the user will be unable to log into the system after three successive authentication failures.
10. For System Password Reset, enter the number of days after which a user's current password for logging in to the system will automatically expire.
If left blank, the user's password will never expire.
11. For Password, select Local or External.
If you select Local, enter and then reconfirm the user password. See Setting Up External Authentication for more information about using external authentication.
Multiple Authentication Profiles: If more than one authentication profile is associated with a user, then the servers will be contacted one-by-one until a connection to one of them is successful. Once a server has been contacted, if the authentication fails, the process ends, and the user is notified that the authentication failed.
12. Click Save.
Related Links
- Default Roles
- Creating Custom User Roles
Adding Users from Active Directory via LDAP
If you want to add users to your FortiSIEM deployment from an Active Directory server over LDAP, you must first add the login credentials for your server and associate them to an IP range, and then run the discovery process on the Active Directory server. If the server is discovered successfully, then all the users in that directory will be added to your deployment. You then need to set up an authentication profile, which will become an option you can associate with users as described in Adding a Single User.
- Create Login Credentials and Associate with an IP Address
- Discover the Active Directory Server and Users
Page Size Limit for FortiSIEM Versions Prior to 4.3.1
There is a page size limit for each LDAP search result in the Active Directory server, which is often set to 1000. If any OU has more than 1000 users and the default limit is not increased, then not all of the users may be discovered in FortiSIEM. This issue has been addressed in 4.3.1 by using the paged control LDAP search API. For information on how to change this limit, see this Microsoft KB article.
Create Login Credentials and Associate with an IP Address
1. Log in to your Supervisor node.
2. Go to Admin > Setup Wizard > Credentials.
3. Enter a Name.
4. For Device Type, select Microsoft Windows.
5. Select your Access Protocol.
FortiSIEM supports these LDAP protocols:
Protocol: Port
LDAP: Non-secure version on port 389
LDAPS: Secure version on port 636
LDAP Start TLS: Secure version on port 389
6. For Used For, select Microsoft Active Directory.
7. For Base DN, be sure to enter the root of the LDAP user tree.
8. Enter the NetBIOS/Domain for your LDAP directory.
9. Enter the User Name for your LDAP directory.
For user discovery from OpenLDAP, specify the full DN as the user name. For Active Directory, use your server login name.
10. Enter and confirm the Password for your User Name.
11. Click Save.
Your LDAP credentials will be added to the list of Credentials.
12. Under Enter IP Range to Credential Associations, click Add.
13. Select your LDAP credentials from the list of Credentials.
14. Enter the IP range or host name for your Active Directory server.
15. Click OK.
Your LDAP credentials will appear in the list of credential/IP address associations.
16. Click Test Connectivity to make sure you can connect to the Active Directory server.
Discover the Active Directory Server and Users
1. Go to Admin > Discovery.
2. Click Add.
3. For Name, enter Active Directory.
4. For Include Range, enter the IP address or host name for your Active Directory server.
5. Leave all the default settings, but clear the Discover Routes option.
6. Click OK.
Active Directory will be added to the list of discoverable devices.
7. Select the Active Directory device and click Discover.
8. After discovery completes, go to CMDB > Users to view the discovered users. You may need to click Refresh for the user tree hierarchy to load.
Adding Users from Okta
Create an Okta API Token
1. Log in to Okta using your Okta credentials.
2. Go to Administration > Security > API Tokens.
3. Click Create Token.
You will use this token when you set up the Okta login credentials in the next section. Note that this token will have the same permissions as the person who generated it.
Create Login Credentials and Associate Them with an IP Address
1. Log in to your Supervisor node.
2. Go to Admin > Setup Wizard > Credentials.
3. Enter a Name.
4. For Device Type, select Okta.com.
5. For Access Protocol, select Okta API.
6. Enter the NetBIOS/Domain associated with your Okta account.
For example, FortiSIEM.okta.com.
7. For Pull Interval, enter how often, in minutes, you want FortiSIEM to pull information from Okta.
8. Enter and reconfirm the Security Token you created.
9. Click Save.
Your LDAP credentials will be added to the list of Credentials.
10. Under Enter IP Range to Credential Associations, click Add.
11. Select your Okta credentials from the list of Credentials.
12. Enter the IP range or host name for your Okta account.
13. Click OK.
Your Okta credentials will appear in the list of credential/IP address associations.
14. Click Test Connectivity to make sure you can connect to the Okta server.
Discover Okta Users
If the number of users is less than 200, then Test Connectivity will discover all the users.
The Okta API has restrictions that do not allow FortiSIEM to pull more than 200 users. In this case, follow these steps:
1. Log in to Okta.
2. Download the user list CSV file (OktaPasswordHealth.csv) by visiting Admin > Reports > Okta Password Health.
3. Rename the CSV file to "all_user_list_%s.csv". (%s is the placeholder for the token obtained in Create an Okta API Token - Step 3, e.g. 'all_user_list_00UbCrgrU9b1Uab0cHCuup-5h-6Hi9ItokVDH8nRRT.csv')
4. Log in to the FortiSIEM Supervisor node:
a. Upload the csv file all_user_list_%s.csv to this directory: /opt/phoenix/config/okta/
b. Make sure the owner and group are admin and admin (run "chown -R admin:admin /opt/phoenix/config/okta/").
c. Go to Admin > Setup Wizard > Enter IP Range to Credential Associations. Select the Okta entry and run Test Connectivity to import all users.
Adding 2-factor Authentication via Duo Security
Obtain keys for FortiSIEM to communicate with Duo Security
1. Sign up for a Duo Security account: signup. This will be the admin account for Duo Security.
2. Log in to the Duo Security Admin Panel and navigate to Applications.
3. Click Protect an Application. Locate Web SDK in the applications.
4. Get the API Host Name, Integration key, and Secret key from the page. You will need them when you configure FortiSIEM.
5. Generate an Application key as a long string. This is a password that Duo Security will not know. You can choose any 40 character long string or generate it as follows using Python:
import os, hashlib
# 32 random bytes hashed with SHA-1 give a 40-character hex string
print(hashlib.sha1(os.urandom(32)).hexdigest())
Create and Manage FortiSIEM users in Duo Security
This determines how the 2-factor authentication response page will look in FortiSIEM and how the user will respond to the second factor authentication challenge.
1. Log in to Duo Security as the admin user.
2. Choose the Logo which will be shown to users as they log on.
3. Choose the super set of 2-factor Authentication Methods.
4. Optional - you can create the specific users that will log on via FortiSIEM. If the users are not pre-created here, then user accounts will be created automatically when they attempt 2-factor authentication for the first time.
Add 2-factor authentication option for FortiSIEM users
1. Create a 2-factor authentication profile:
a. Go to Admin > General Settings > External Authentication.
b. Click Add.
c. Enter Name.
d. Set Organization to be the scope of the users who will be authenticated.
1. For AO-VA, specify System.
2. For AO-SP, specify System if this will be used globally. Otherwise specify a specific organization.
e. Set Protocol as Duo.
f. Set IP/Host from the API hostname from Step 4 in "Obtain keys for FortiSIEM to communicate with Duo Security".
g. Set Integration key and Secret key from Step 4 in "Obtain keys for FortiSIEM to communicate with Duo Security".
h. Set Application key from Step 5 in "Obtain keys for FortiSIEM to communicate with Duo Security".
i. Click Save.
2. Add the 2-factor authentication profile to a user:
a. Go to CMDB > User.
b. Select a specific user.
c. Check the Second Factor checkbox.
d. Select the 2-factor authentication profile created in Step 1.
e. Click Save.
Login to FortiSIEM using 2-factor authentication
Before logging in to FortiSIEM with 2-factor authentication, make sure that these three steps are completed:
1. Obtain keys for FortiSIEM to communicate with Duo Security.
2. Create and Manage FortiSIEM users in Duo Security.
3. Add 2-factor authentication option for FortiSIEM users.
Follow these steps:
1. Log on to FortiSIEM normally (first factor) using the credential defined in FortiSIEM - local or external in LDAP.
2. If 2-factor authentication is enabled, the user will now be redirected to the 2-factor step.
a. If the user is not created in the Duo system (by the Duo admin), a setup wizard will let you set some basic information like phone number and ask you to download the Duo app.
b. If the user already exists in FortiSIEM, then follow the authentication method and click Log in.
3. The user will be able to log in to FortiSIEM.
Managing Organizations for Multi-Tenant Deployments
Organizations can be created with or without Collectors. If you are using Collectors in a clustered deployment that includes Workers, please make sure you have followed the instructions in Configuring Worker Settings before you register your Collectors with the Supervisor, in order to make sure your Collectors properly upload information to the Workers.
1. Log in to your Supervisor node as a Super/Global user.
2. Go to Admin > Setup Wizard > Organization.
3. Click Add.
4. Enter information for the organization.
5. If your organization uses Collectors, click New under Collectors.
6. Complete the Collector information.
For Guaranteed EPS, enter the events per second from this collector that FortiSIEM will accept. See the topic Dynamic Distribution of Events per Second (EPS) across Collectors for more information. For Start Time and End Time, enter the dates for which the Collector license is valid.
7. Click Save.
8. For Max Devices, enter the maximum number of devices discovered by this collector that the system will accept.
9. Click Save.
Deleting Organizations
1. Log into your Supervisor node as a Super/Global user.
2. Go to Admin > Setup Wizard > Organizations.
3. Write down the ID of the organization you want to delete.
4. Go to Admin > Collector Health.
Note the IP Address and Collector Name of any Collectors associated with the organization you want to delete.
5. Log out of your Supervisor node.
6. SSH into the Collector hosts for the organization as root.
7. Using phTools, stop the Collector processes.
8. Power down the Collector.
9. Log back into your Supervisor node as an Admin user for the organization you want to delete.
10. Go to CMDB > Devices.
11. Delete all devices in both the Device View and the VM View.
12. Go to CMDB > Device View > Users, and delete all users except for the default admin account under which you are currently logged in.
13. Go to Admin > Setup Wizard > Synthetic Transaction Monitoring and delete all STM tests.
14. Log out of your Supervisor node, and then log back in as the Super/Global user.
15. Go to Admin > Collector Health.
16. Delete the organization's Collectors.
Issues with Deleting Collectors Because of In-Memory Processes
You may encounter issues with deleting Collectors if there are processes in memory on the Supervisor that are related to Collector status that are updated to the CMDB. If you encounter these issues, please contact FortiSIEM Support.
17. Delete the organization.
18. Log out of your Supervisor node.
19. SSH into the Supervisor host machine as root.
20. In the /data directory, delete the eventdb database for that organization.
Finding the Right EventDB Database
You can tell which EventDB belongs to the organization you want to delete based on the organization ID that you wrote down in Step 3. For example, if the organization ID is 2005, you would look for /data/eventdb/CUSTOMER_2005 as the database to delete. Be careful that you don't delete the EventDB for a continuing organization.
Dynamic Distribution of Events per Second (EPS) across Collectors
In Service Provider deployments, the service provider is licensed a certain amount of EPS. The service provider distributes these EPS among the various collectors during collector setup by setting the Guaranteed EPS. Because an organization can have multiple collectors, the guaranteed EPS for an organization is the sum total of guaranteed EPS for all collectors belonging to that organization. This total must be no more than the total EPS licensed to the service provider. The remaining EPS (the difference between the service provider EPS and the total EPS across all collectors), if any, is allocated to the super-local organization, the service provider's core system, if that needs to be monitored. To monitor this system, FortiSIEM recommends creating a new organization to monitor the service provider's own network, and installing another Collector to monitor that organization.
The redistribution algorithm uses three metrics for each Collector:
Guaranteed EPS: Defined during the collector configuration process while setting up an organization. FortiSIEM ensures that the collector can always send EPS at this rate. This is a constant that never changes during the operation of the algorithm, unless you edit the Collector definition.
Incoming EPS: This is the EPS that the Collector sees. This changes continuously. You can view this metric for a Collector in Admin > Collector Health.
Allocated EPS: This is the EPS that is currently allocated to the Collector by the redistribution algorithm. You can view this metric for a Collector in Admin > Collector Health.
Each Collector periodically reports Incoming EPS to the Supervisor, which then determines the Allocated EPS and pushes this control down to the collectors. Allocated EPS is set to Guaranteed EPS initially, but if for some Collector, Incoming EPS is greater than Allocated EPS, the Supervisor examines all Collectors and determines excess capacity as the sum total of max(0, Allocated - Incoming) for all Collectors. If there is a Collector with excess capacity, its Allocated EPS is reduced and the excess amount is given to the Collector that needs the excess EPS. If the collector that gave up EPS (that is, one whose Allocated EPS is less than its Guaranteed EPS) subsequently needs the EPS, then EPS is taken away from the collectors with Allocated greater than Guaranteed and given back. This continuous readjustment is centrally coordinated by the Supervisor node.
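A model of the readjustment described above, added here as an example and not FortiSIEM's own implementation. It uses the three metrics from this section; the Collector names, EPS figures and the order in which donors are visited are constructed assumptions, and it checks that EPS is only ever moved between Collectors, never created.

```python
"""Added example, not FortiSIEM code: a model of the Supervisor's EPS
redistribution over Guaranteed, Incoming and Allocated EPS. Collector names,
EPS figures and donor ordering are constructed assumptions."""


class Collector:
    def __init__(self, name, guaranteed):
        self.name = name
        self.guaranteed = guaranteed   # constant, set when the Collector is defined
        self.incoming = 0              # what the Collector currently sees
        self.allocated = guaranteed    # starts equal to Guaranteed EPS


def excess_capacity(collectors):
    """Sum of max(0, Allocated - Incoming) over all Collectors, as in the guide."""
    return sum(max(0, c.allocated - c.incoming) for c in collectors)


def _move(amount, src, dst):
    src.allocated -= amount
    dst.allocated += amount


def redistribute(collectors):
    """One Supervisor readjustment round over the reported Incoming EPS."""
    # 1. A Collector that earlier gave up EPS (Allocated < Guaranteed) and now
    #    needs it takes it back from Collectors with Allocated > Guaranteed.
    for c in collectors:
        if c.incoming > c.allocated and c.allocated < c.guaranteed:
            need = min(c.guaranteed, c.incoming) - c.allocated
            for b in collectors:
                if need <= 0:
                    break
                borrowed = b.allocated - b.guaranteed
                if borrowed > 0:
                    take = min(borrowed, need)
                    _move(take, b, c)
                    need -= take
    # 2. A Collector whose Incoming exceeds Allocated draws on other
    #    Collectors' excess (Allocated - Incoming > 0), in list order.
    for c in collectors:
        need = c.incoming - c.allocated
        for d in collectors:
            if need <= 0:
                break
            if d is c:
                continue
            excess = d.allocated - d.incoming
            if excess > 0:
                take = min(excess, need)
                _move(take, d, c)
                need -= take
    # EPS is only moved, never created: the sum stays at the licensed total.
    assert sum(c.allocated for c in collectors) == sum(c.guaranteed for c in collectors)
    return {c.name: c.allocated for c in collectors}


def demo():
    """Two reporting rounds on constructed figures; returns each round's allocation."""
    cols = [Collector("C1", 1000), Collector("C2", 1000), Collector("C3", 500)]
    rounds = [
        {"C1": 1500, "C2": 300, "C3": 500},   # C1 bursts while C2 is quiet
        {"C1": 1500, "C2": 900, "C3": 500},   # C2 needs most of its Guaranteed back
    ]
    history = []
    for report in rounds:
        for c in cols:
            c.incoming = report[c.name]
        history.append(redistribute(cols))
    return history


if __name__ == "__main__":
    for i, alloc in enumerate(demo(), 1):
        print("round", i, alloc)
```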
How Devices are Added to Organizations
When you initiate device discovery for organizations, the way in which those devices are added to organizations depends on whether you are using Collectors in your deployment.
- For organizations with Collectors, discovery is carried out by the Collector, and the Collector assigns devices to the organization with which it is associated. If organizations have an overlapping IP range, deploying Collectors and assigning them to a specific IP range and organization will ensure that the device is added to the correct organization.
- For organizations without Collectors, discovery is carried out by the Supervisor. In this case, the Include/Exclude IP Range you defined when you set up the organization is used to add the device to the organization.
- If a device matches only one defined organization IP Range, then it is assigned to that organization.
- If a device matches multiple defined IP Ranges, then it is assigned to the Super organization.
You can change a device's assigned organization manually, and FortiSIEM will automatically update the Include/Exclude IP Range for that organization. This updated IP range definition will then be used in the next discovery process. However, this may create confusing IP range definitions for the organization, so you may want to re-define the organization's IP range and rediscover devices.
FortiSIEM 4.9.0 User Guide
Fortinet Technologies Inc.
Configuring FortiSIEM
Initial System Configuration
Adding Users to Multi-Tenant Deployments
Two kinds of admin users can be added:
• users belonging to a specific organization or super-local
• users belonging to super-global
Adding specific organization users
This can be done from the specific organization admin account or from the super-global account.
• Logon as an appropriate administrator - two possibilities:
  • logon as admin user for that organization, or
  • logon as super-global and then switch user to that organization.
• Follow the steps for the AO-VA case described here. Note that for Active Directory based discovery, the Active Directory server has to belong to that specific organization. If the Active Directory server belongs to super-local, then the users also belong to super and would not be visible for that organization.
FortiSIEM provides a short-cut to add admin users for multiple organizations in one shot:
• Logon as super-global.
• Manually create the user as described in the manual user creation mode here.
• Choose the Default role.
• Choose the permitted organizations and also override the default role for a specific organization if needed. In the example below, user1 is the Network Admin for every organization but System Admin for O-eng.
Adding super-global users
Super-global users are often needed for managing multiple organizations, and can be created from the super-global account. There are two cases depending on whether organizations have collectors or not.
For the organizations-with-collector-only case, users must be created manually.
• Logon as super-global.
• Manually create the user as described in the manual user creation mode here.
• Choose the Default role.
• Choose the permitted organizations. Override the default role for each specific organization, if needed. In the example below, user1 is the Network Admin for every organization but System Admin for O-eng.
For the organizations-without-collector case, if the Active Directory Server belongs to super-local, then the discovered users would be visible from the super-global view and any of these users can be made a FortiSIEM user. In this case the steps are:
• Logon as super-global
• Create the user as described here - both manual and discovery-based approaches can be used
• Choose the Default role
• Choose the permitted organizations. And if needed, override the default role for specific organizations. In the example below, user1 is the Network Admin for every organization but System Admin for O-eng.
Adding Users to Organizations
Adding users to organizations for Service Provider deployments follows the same processes described in Adding Users for Enterprise Deployments, though if you want to discover users in an Active Directory server over LDAP, the Active Directory server has to belong to the organization where you want to add the user.
1. Log in to your Supervisor node either as the Admin user for the organization where you want to add the user, or log in as a Super/Global user to add the user to more than one organization.
2. Create the user as described in Adding a Single User, or follow the instructions in Adding Users from Active Directory via LDAP.
3. If you have logged in as the Super/Global user, select the organizations where you want to add the user, overriding any Default Roles for the organization as necessary.
Adding Super/Global Users to Organizations with Collectors
In Service Provider deployments, you may need to create Super/Global users who have roles within multiple organizations. If your deployments include organizations with collectors, you must add the users individually.
1. Log in to your Supervisor node as a Super/Global user.
2. Create the individual user as described in Adding a Single User, choosing the appropriate Default Role.
3. Select the Permitted Organizations the user is allowed to access, overriding any default role settings as necessary.
4. Click Save.
Adding Super/Global Users to Organizations without Collectors
For the organizations-without-collector case, if the Active Directory Server belongs to super-local, then the discovered users would be visible from the super-global view and any of these users can be made a FortiSIEM user. In this case the steps are:
• Logon as super-global
• Create the user as described here - both manual and discovery-based approaches can be used
• Choose the Default role
• Choose the permitted organizations. And if needed, override the default role for specific organizations. In the example below, user1 is the Network Admin for every organization but System Admin for O-eng.
Discovering Infrastructure
FortiSIEM can automatically discover the devices, applications, and users in your IT infrastructure and begin
monitoring them. You initiate device discovery by providing the credentials that are needed to access the
infrastructure component, and from there FortiSIEM is able to discover information about your component such
as the host name, operating system, hardware information such as CPU and memory, software information such
as running processes and services, and configuration information. Once discovered, FortiSIEM will also begin
monitoring your component on an ongoing basis.
Though FortiSIEM is able to automatically manage device discovery, the pulling of event information such as logs
and IPS events from your device, and establishing what aspects of your device functionality it can monitor, you
can also manually configure the way FortiSIEM interacts with your infrastructure by creating custom event pulling
methods and monitoring profiles for your devices.
Check Device Configuration Before Initiating Discovery
Before you begin the process of device discovery, you should make sure your devices are properly configured for
discovery and monitoring by FortiSIEM. Refer to FortiSIEM 4.9.0 External Systems Configuration Guide for
more information.
WMI or SNMP for Discovery of Windows Devices
Windows servers can be discovered by either SNMP or WMI, or both. SNMP provides installed software information, while WMI provides all application metrics, detailed system metrics, and logs.
Ping-Only Discovery for Basic Up/Down Status
If you only need to monitor a device for up/down status, then select the Ping Discovery Only option when
setting the Range Definition for discovering the device. The device will be listed in the CMDB and consume one
device license.
• Discovery Settings
• Discovery for Multi-Tenant Deployments
• Setting up CyberArk
• Setting Access Credentials for Device Discovery
• Discovering Devices
• Discovering Amazon Web Services (AWS) Infrastructure
• Discovering Microsoft Azure Infrastructure
• Approving Newly Discovered Devices
• Inspecting Event Pulling Methods for Devices
• Inspecting Changes Since Last Discovery
• Discovery Range Definition Options
• Scheduling a Discovery
• Adding Devices to the CMDB Outside of Discovery
• Decommissioning a device
Discovery Settings
Before you initiate discovery, you should configure the Discovery Settings in your Supervisor.
1. Log in to your Supervisor node.
2. Go to Admin > General Settings > Discovery.
3. Configure the settings as required for your deployment.
See Setting Device Location Information for information on how to manually enter locations for devices, or to upload a CSV file of device locations.
Setting: Virtual IPs
Description: Often a common virtual IP address will exist in multiple machines for load balancing and failover purposes. When you discover devices, you need to have these virtual IP addresses defined within your discovery settings for two reasons:
• Listing the virtual IP addresses ensures that two or more devices with the same virtual IP will not be merged into one device during device discovery, so each of the load-balanced devices will maintain their separate identity in the CMDB
• The virtual IP will not be used as an access IP during discovery, since the identity of the device when accessed via the virtual IP is unpredictable
Click the Edit icon to enter a Virtual IP address, and then click + to add more.

Setting: Excluded Shared Device IPs
Description: An enterprise often has servers that share credentials, for example mail servers, web proxies, and source code control servers, and a large number of users will authenticate to these servers to access their services. Providing a list of the IP addresses for these servers allows FortiSIEM to exclude these servers from user identity and location calculations in the Analytics > Identity and Location report.
For example, suppose user U logs on to server M to retrieve his mail, and server M authenticates user U via Active Directory. If server M is not excluded, the Analytics > Identity and Location Report will contain two entries for user U: one for the workstation that U logs into, and also one for server M. You can eliminate this behavior by adding server M to the list of Server IPs with shared credentials.

Setting: Allow Incident Firing On
Description: With this setting you can control incident firings based on approved device status. If you select Approved Devices Only, then FortiSIEM will use this logic to determine if an incident is triggered:
• If an incident reporting device is not approved, the incident does not trigger
• If an incident reporting device is approved, then there are two possible cases: (a) at least one Source, Destination or Host IP is approved and the incident triggers, or (b) none of the Source, Destination or Host IPs are approved and the incident does not trigger
If you select Approved Devices Only, then when the discovery process completes, you will need to approve devices, as described in Approving Newly Discovered Devices, before incidents are triggered.

Setting: CMDB Device Filter
Description: This setting allows you to limit the set of devices that the system automatically discovers from logs and netflows. After receiving a log from a device, the system automatically discovers that device, and then adds it to CMDB. For example, when a Netflow analysis detects a TCP/UDP service is running on a server, the server, along with the open ports, are added to CMDB. Sometimes you may not want to add all of these devices to CMDB, so you can create filters to exclude a specific set of devices from being added to CMDB.
Each filter consists of a required Excluded IP Range field and an optional Except field. A device will not be added to CMDB if it falls in the range defined in the Excluded IP Range field. For example, if you wanted to exclude the 172.16.20.0/24 network from CMDB, you would add a filter with 172.16.20.0-172.16.20.255 in its Excluded IP Range field.
The Except field allows you to specify some exceptions in the excluded range. For example, if you wanted to exclude the 172.16.20.0/24 network without excluding the 172.16.20.0/26 network, you would add a filter with 172.16.20.0-172.16.20.255 in the Excluded IP Range field, and 172.16.20.192-172.16.20.255 in the Except field.
Click Add to add a new CMDB Device Filter, then click Apply.

Setting: Application Filtering
Description: This setting allows you to limit the set of applications/processes that the system automatically learns from discovery.
You may be more interested in discovering and monitoring server processes/daemons, rather than client processes, that run on a server. To exclude client processes from being discovered and listed in the CMDB, enter these applications here. An application/process will not be added to CMDB if it matches one of the entries defined in this table.
Click Add, then enter the Process Name and any Parameters for that process that you want to filter.
Matching is exact and case-insensitive based on Process Name and Parameter. If Parameter is empty, then only Process Name is matched.
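Added example, not FortiSIEM's own code, showing the CMDB Device Filter, Application Filtering and Approved Devices Only rules from the settings above as plain functions; the function names and every sample value other than the 172.16.20.0-172.16.20.255 filter from the text are assumptions made for this example.

```python
"""Discovery Settings rules as plain functions (added example, not
FortiSIEM's own code; names and sample values are assumed)."""
from ipaddress import ip_address


def _parse_range(text):
    """'start-end' in FortiSIEM's range notation -> (start, end) as integers;
    a lone address is treated as a one-host range."""
    first, _, last = text.partition("-")
    start = int(ip_address(first.strip()))
    end = int(ip_address(last.strip())) if last else start
    if end < start:
        raise ValueError(f"range end precedes start: {text!r}")
    return start, end


def cmdb_device_allowed(ip, filters):
    """CMDB Device Filter: filters is a list of (Excluded IP Range, Except) pairs,
    where Except may be None or ''. The device is kept out of the CMDB if it
    falls in an Excluded IP Range and not in that filter's Except range."""
    n = int(ip_address(ip))
    for excluded, except_ in filters:
        lo, hi = _parse_range(excluded)
        if not lo <= n <= hi:
            continue
        if except_:
            elo, ehi = _parse_range(except_)
            if elo <= n <= ehi:
                continue  # carved out of the excluded range by Except
        return False
    return True


def application_allowed(process_name, parameter, app_filters):
    """Application Filtering: app_filters is a list of (Process Name, Parameter).
    Matching is exact and case-insensitive; an empty filter Parameter means only
    the Process Name is compared."""
    for fname, fparam in app_filters:
        if process_name.lower() != fname.lower():
            continue
        if fparam == "" or parameter.lower() == fparam.lower():
            return False
    return True


def incident_fires(reporting_ip, src_ip, dst_ip, host_ip, approved, approved_only=True):
    """Allow Incident Firing On: with Approved Devices Only, the reporting device
    must be approved and at least one of Source, Destination or Host IP must be
    approved; otherwise the incident does not trigger."""
    if not approved_only:
        return True
    if reporting_ip not in approved:
        return False
    return any(ip in approved for ip in (src_ip, dst_ip, host_ip) if ip)


if __name__ == "__main__":
    # The filter from the text: exclude 172.16.20.0/24 except 172.16.20.192-172.16.20.255.
    device_filters = [("172.16.20.0-172.16.20.255", "172.16.20.192-172.16.20.255")]
    for ip in ("172.16.20.10", "172.16.20.200", "172.16.21.5"):
        print(ip, "added to CMDB" if cmdb_device_allowed(ip, device_filters) else "filtered")
    # Constructed application filters and approved-device set.
    app_filters = [("chrome.exe", ""), ("java", "-jar agent.jar")]
    print(application_allowed("Chrome.EXE", "--profile", app_filters))   # False
    print(application_allowed("java", "-jar server.jar", app_filters))   # True
    approved = {"10.0.0.5", "10.0.0.9"}
    print(incident_fires("10.0.0.5", "203.0.113.7", "198.51.100.3", None, approved))  # False
```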
Setting Device Location Information
In the Admin > General Settings > Discovery screen, you can set device locations based on IP range and organization. You can do this manually for each organization or IP range, or upload a CSV file that contains location information. This information can then be applied to devices already in the CMDB, or during the discovery process, to set their location.
• Manually Creating Location Information
• Uploading Location Information from a CSV File
  • Prerequisite
  • Procedure
Manually Creating Location Information
1. Log into your Supervisor node.
2. Go to Admin > General Settings > Discovery.
3. Under Location, click Add.
4. For Multi-Tenant deployments, enter the Organization you want to associate with the IP range and devices.
5. Enter the IP/IP Range you want to associate with the location.
This can be in either CIDR notation, such as 192.168.64.0/24, or range notation, such as 192.168.64.0-192.168.64.255.
6. Enter the Display Name you want to use for this location. For example, San Jose Office, Northern California Campus, etc.
7. Enter any additional location information that is relevant for your location.
8. Click OK.
9. In the Location Definition dialog, select Update Manual Devices if you want to update devices that have had their locations set manually in the CMDB.
10. Click OK. The location information will appear in the Location pane.
11. Select a location in the Location pane, and then click Apply to associate all devices in the CMDB with that IP/IP range to that organization and location. A dialog will indicate how many devices have been updated.
12. Click OK.
13. Go to CMDB > Devices and check that your device locations have been updated.
Uploading Location Information from a CSV File
Prerequisite
Before you can upload it, you must first create a CSV file with this format (one row per location, columns in this order):
1. Comma-separated IP address, Range, or Subnet
2. Location Display Name
3. Update Manual Devices (False/True)
4. Geographic Information ("region:;country:;state:;city:;building:;floor:;latitude:;longitude:;")

Example
IP address, Range, or Subnet       Location Display Name    Update Manual Devices   Geographic Information
"10.1.1.1/24,20.1.1.1-20.1.1.10"   San Jose Datacenter USA  true
"30.1.1.10"                        Fremont Datacenter USA   true                    "region:North America;country:United States;state:California;city:Fremont;building:10;floor:4;latitude:38.1747222;longitude:121.2775;"
Procedure
1. Log into your Supervisor node.
2. Go to Admin > General Settings > Discovery.
3. Under Location, click Import.
4. Browse to your CSV file and select it.
5. Click Upload.
Discovery for Multi-Tenant Deployments
In Service Provider deployments with organizations, the discovery process differs depending on whether or not you are using Collectors. This is because of the way in which IP addresses are used to establish the relationship between devices and organizations.
• If you are using Collectors, IP address overlap between organizations is allowed
• If you are not using Collectors, then each organization must have a unique IP address
These two requirements determine which administrative account you will use for discovery.
• For organizations with collectors, you must initiate discovery using the administrative account associated with the organization. Every device discovered by a collector is automatically assigned to the organization that the collector belongs to.
• For organizations without collectors, you must initiate discovery using the Super/Global administrative account. Devices for all organizations are discovered at the same time, and are assigned to organizations based on the IP address assignments you set up for the organization.
  • If a device matches only one organization's IP address assignment, then it is assigned to that organization
  • If a device matches multiple organization definitions, then it is assigned to the Super/Global organization. These would typically be devices that are part of the Super/Global organization's network backbone.
Related Links
• How Devices are Added to Organizations
• Managing Organizations for Multi-Tenant Deployments
Setting up CyberArk
This section specifies how FortiSIEM can be configured to fetch credentials from CyberArk.
Installing CyberArk Provider in FortiSIEM
Refer to “Credential Provider and ASCP Implementation Guide” for more details on CyberArk Credential
Provider installation.
1. Login to FortiSIEM as root.
2. Run the rpm command to begin the installation: rpm -i CARKaim-<version>-<build number>.x86_64.rpm
The installation runs automatically and does not require any interactive response from the user. When the
installation is complete, the following message appears: “Installation process completed successfully.”
Configuring CyberArk Provider in FortiSIEM
Refer to “Credential Provider and ASCP Implementation Guide” for more details on CyberArk Credential
Provider installation.
1. Login as root.
2. Open the Vault.ini file and specify the parameters of the Vault that will be accessed by the Provider.
3. Run CreateCredFile to create a credential file for the administrative user that will create the Vault environment
during installation.
CreateCredFile <filename> Password -Username <username> -Password <password>
4. Run the CreateEnv utility that was copied to the bin folder during Provider installation
CreateEnv -CredFilePath <CredFilePath> -VaultFilePath <VaultFilePath> -AppProviderUser <ProviderUserName> -LicensedProducts <AIM\OPM\ALL> [-AppProviderConfSafe <ConfigurationSafeName>] [-MainAppProviderConfFilePath <MainConfigurationFilePath>] [-OverrideExistingConfFile <Y\N>] [-PIMConfigurationSafe <PIMConfigurationSafeName>] [-AppProviderUserLocation <ApplicationUsersLocation>]
5. Check the log file /var/tmp/aim-install-logs/CreateEnv.log to make sure that the Provider environment was created successfully.
6. Start the CyberArk Application Password Provider service manually as a privileged user
7. Add /opt/CARKaim/sdk/ in /etc/ld.so.conf
8. Run ldconfig
Configuring CyberArk for communication with FortiSIEM
Refer to the Privileged Account Security Implementation Guide for more information about adding and managing privileged accounts.
1. Login to CyberArk Password Vault Web Access (PVWA) Interface as a user allowed to manage applications (this requires Manage Users authorization).
2. Add FortiSIEM as an Application
a. Go to Applications and click Add Application.
b. Set Name to FortiSIEM
c. In the Description, specify a short description of the application that will help you identify it (e.g. FortiSIEM SIEM)
d. In the Business owner section, specify contact information about the application’s Business owner.
e. In the lowest section, specify the Location of the application in the Vault hierarchy. If a Location is not
selected, the application will be added in the same Location as the user who is creating this application.
f. Click Add; the application is added and is displayed in the Application Details page
3. Check Allow extended authentication restrictions – this enables you to specify an unlimited number of
machines and Windows domain OS users for a single application
4. Specify the application’s (FortiSIEM) Authentication details. This information enables the Credential Provider to
check certain application characteristics before retrieving the application password.
a. In the Authentication tab, click Add; a drop-down list of authentication characteristics is displayed.
b. Specify the OS user as “admin” and Click Add.
c. Specify the application path as “/opt/phoenix/bin”. Make sure Path is folder and Allow internal scripts to
request credentials... check boxes are checked
d. Do not specify a hash
e. In the Allowed Machines tab, click Add and specify the IP/host name of the FortiSIEM Supervisor,
Workers and Collectors
5. Authorize FortiSIEM to retrieve accounts.
a. Go to Policies > Access Control (Safes)
b. For every Safe, Click on Members.
c. Click on Add Safe Member
d. Search for FortiSIEM. An entry will already exist. Select that entry.
e. Check Retrieve accounts.
f. Click Add
Now FortiSIEM should be ready to retrieve passwords from CyberArk via Test Connectivity and Discovery.
Setting Access Credentials for Device Discovery
Before you can discover devices, you need to provide the access protocol and credentials associated with the IP
address or range where your devices are located. FortiSIEM will then use this information to access your devices,
pull information from them, and begin monitoring them.
Access Protocols Required for Discovery
SNMP, VM SDK (for VMware vCenter), or WMI (for Windows devices) must be one of the access protocols for
which you provide credentials in order for the devices associated with an IP address or range to be discovered. If
your device does not use one of these protocols, then you must configure it to communicate with FortiSIEM as
described in FortiSIEM 4.9.0 External Systems Configuration Guide. As described in those topics, you may also
need to set up additional configurations within your devices to send logs and other information to FortiSIEM.
Associate Credentials Only with the IP Address Where They Will be Used
Credentials should only be associated with IP addresses where they can be used. Assigning multiple credentials
to IP addresses where they are not used will trigger discovery operations for each credential, and the system will
wait for a timeout to occur for each credential before it moves to the next one. This will cause the discovery
process to require much more processing time and processing power from the FortiSIEM system. You can,
however, associate the same credential (for example, a generic SNMP access credential) to multiple IP
addresses where it will be used to communicate with a device over that protocol.
Before starting the discovery process, credentials need to be defined and then associated to specific IP
addresses.
CyberArk configuration
If CyberArk is going to be used for Test Connectivity and Discovery, then first follow the steps defined here.
Define Credentials
1. Log into your Supervisor node.
2. Go to Admin > Setup Wizard > Discovery.
3. Under Enter Credentials, click Add.
4. Enter a Name for the credential.
5. Select a Device Type to associate with the credential.
6. Select the Access Protocol for which you want to enter credentials.
Note that the Device Type selection determines which Access Protocols are available.
Change the default destination ports only if needed.
7. Choose the Password Configuration method:
1. Manual - means that you have to define credentials in FortiSIEM
2. CyberArk - means FortiSIEM will fetch credentials from CyberArk
8. If you choose Password Configuration as Manual, then enter the credentials required for the Access Protocol.
9. If you choose Password Configuration as CyberArk, then choose CyberArk parameters
1. AppID must be set to FortiSIEM
2. Specify Safe, Folder, Object: This is the CyberArk Vault Safe, Folder, Object where the credential is
defined.
3. Specify User Name: This is the User Name of the credential
4. Specify Platform (Policy ID): This is the platform related property for the credential. Specify this only
if this property is also set in CyberArk. The match will be case sensitive.
5. Specify Database: This is a property for the database credential. Specify this only if this property is
also set in CyberArk. The match will be case sensitive.
6. Check Include Address for Query: If checked, FortiSIEM will query the CyberArk credential by IP or
host name. Specify this if CyberArk credential objects are specified by IP.
10. Click Save. The credentials you created will be added to the list.
Specify Device to Credential Mapping
1. Under Enter IP Range to Credential Associations, click Add.
2. Select the credential you just created from the list. Note that you can add multiple credentials to the same IP/host information in this step by clicking +.
3. Enter an IP address, IP range, or Host Name to associate with the credential.
Formats for IP Information
You can provide the IP information in several formats:
• A single IP address, e.g. 192.168.1.1
• A range of IP addresses in the format <IP Address>-<IP Address>
• An IP subnet specified in CIDR notation <IP Address>/<Maskbits>, e.g. 192.168.0.0/16 to specify the IP range 192.168.0.0-192.168.255.255
• A combination of the three formats separated by commas, e.g. 192.168.1.1, 192.168.1.2, 10.10.0.0/16, 10.11.0.0-10.11.255.255
• A host name
4. Click OK.
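Added example (not FortiSIEM's own code) that parses the location CSV format from Uploading Location Information from a CSV File above and expands the IP formats just listed, so one parser serves both passages; the function names are assumed and the sample rows are constructed on the pattern of the document's example.

```python
"""Location CSV and IP-specification parsing (added example, not FortiSIEM's
own code; function names are assumed, sample rows are constructed)."""
import csv
import io
from ipaddress import ip_address, ip_network, summarize_address_range


def expand_ip_spec(spec):
    """Expand a comma-separated mix of single addresses, start-end ranges, CIDR
    subnets and host names into (list of ip_network objects, list of host names)."""
    networks, hostnames = [], []
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        if "/" in item:
            networks.append(ip_network(item, strict=False))  # 10.1.1.1/24 -> 10.1.1.0/24
            continue
        if "-" in item:
            lo, _, hi = item.partition("-")
            try:
                lo_ip, hi_ip = ip_address(lo.strip()), ip_address(hi.strip())
            except ValueError:
                pass  # a host name such as web-01.example.com also contains '-'
            else:
                networks.extend(summarize_address_range(lo_ip, hi_ip))
                continue
        try:
            networks.append(ip_network(item))  # single address becomes a /32 or /128
        except ValueError:
            hostnames.append(item)
    return networks, hostnames


def parse_geo(text):
    """'region:North America;country:United States;...;' -> dict. Keys with no
    value are kept as empty strings; a segment without ':' is rejected."""
    geo = {}
    for pair in text.split(";"):
        if not pair.strip():
            continue
        key, sep, value = pair.partition(":")
        if not sep:
            raise ValueError(f"malformed geographic field: {pair!r}")
        geo[key.strip()] = value.strip()
    return geo


def parse_location_csv(text):
    """Columns: IP spec, Location Display Name, Update Manual Devices
    (True/False), Geographic Information. Returns one dict per non-empty row."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not any(f.strip() for f in rec):
            continue
        if len(rec) != 4:
            raise ValueError(f"expected 4 columns, got {len(rec)}: {rec}")
        ip_spec, name, update, geo = (f.strip() for f in rec)
        if update.lower() not in ("true", "false"):
            raise ValueError(f"Update Manual Devices must be True/False: {update!r}")
        networks, hostnames = expand_ip_spec(ip_spec)
        rows.append({"display_name": name, "networks": networks, "hostnames": hostnames,
                     "update_manual_devices": update.lower() == "true",
                     "geo": parse_geo(geo)})
    return rows


def location_for(ip, rows):
    """Display name of the first location whose IP spec contains ip, else None."""
    addr = ip_address(ip)
    for row in rows:
        if any(addr in net for net in row["networks"]):
            return row["display_name"]
    return None


# Constructed sample on the pattern of the document's example rows.
SAMPLE_CSV = (
    '"10.1.1.1/24,20.1.1.1-20.1.1.10",San Jose Datacenter USA,true,\n'
    '"30.1.1.10",Fremont Datacenter USA,true,"region:North America;country:United States;'
    'state:California;city:Fremont;building:10;floor:4;latitude:38.1747222;longitude:121.2775;"\n'
)

if __name__ == "__main__":
    for row in parse_location_csv(SAMPLE_CSV):
        print(row["display_name"], [str(n) for n in row["networks"]], row["geo"])
```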
Test Connectivity
You need to perform a Test Connectivity to make sure that the credentials are correct.
1. Select the IP/credential association you just created, and click Test Connectivity. A ping will be performed first to
make sure that the host is alive. If ping is disabled in your network, then choose Test Connectivity without
ping.
A dialog will show you the results of your connectivity tests. Note that the connectivity tests can take several
minutes, so you may want to use the Run in Background option.
Discovering Devices
Prerequisites
• Make sure you have configured the Discovery Settings for your deployment
• Set up the Access Credentials for your devices so FortiSIEM can communicate with them
Procedure
After you have set up the access protocols for your devices as described in Setting Access Credentials for Device Discovery, you are ready to discover devices in your IT infrastructure.
1. Log in to your Supervisor node.
Discovering Devices for Multi-Tenant Deployments
If you have a Service Provider FortiSIEM deployment that uses Collectors and you want to discover devices for a specific organization, rather than the Global organization, log into your Supervisor node as an admin user for that organization. See Discovery for Multi-Tenant Deployments for more information about how discovery works for Service Provider deployments with and without Collectors.
2. Go to Admin > Setup Wizard > Discovery.
3. Click Add.
You can also schedule single or recurring discovery processes as described in Scheduling a Discovery.
4. In the Range Definition dialog, set the options for this discovery.
See Discovery Range Definition Options for more information about the options available in this dialog.
5. Click OK.
Your range definition will be added to the list.
6. Select your range definition, and then click Discover.
A discovery dialog will show you the progress of your discovery. For long-running discoveries, you can use the Run in Background option.
7. When discovery completes, the results will be displayed in the dialog. Click Errors to view any errors.
Possible Causes of Discovery Errors
If there are errors during the discovery process, the Errors screen will inform you of their severity,
impact, and potential resolution. Some possible reasons for errors include:
• A device is not online or not reachable via ping. FortiSIEM will attempt to ping devices before initiating a full discovery to save time.
• A device is not responding to SNMP or WMI requests, or there is a firewall blocking these requests from FortiSIEM
• The SNMP/WMI credentials are incorrect
• WMI may not have been set up correctly on the server. See the appropriate topic in FortiSIEM 4.9.0 External Systems Configuration Guide for how to configure WMI for your device.
Approving Newly Discovered Devices
If you selected Approved Devices Only for the discovery setting Allow Incident Firing On, as
described in Discovery Settings, then you will need to approve your newly discovered devices before
incidents will be triggered for those devices. See Approving Newly Discovered Devices for more
information.
Discovering Amazon Web Services (AWS) Infrastructure
You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections 'Discovering Infrastructure' and 'Setting Access Credentials for Device Discovery' under 'Chapter: Configuring FortiSIEM'.
Discovering AWS infrastructure follows the same basic process described in Setting Access Credentials for Device Discovery and Discovering Devices, but requires a different approach to associating credentials to IP addresses, since AWS uses dynamic, rather than static, IP address assignment. The generic AWS SDK credential is used to discover Amazon Machine Instances (AMIs) and associated information such as host name, instance ID, and instance state, while credentials for generic versions of WMI, SMTP, and other access protocols are used to discover associated devices as you would for any other discovery process.
• Setting Access Credentials for AWS Instances
• Associating the AWS Host with Credentials
If you have not already configured Access Keys and permissions on AWS, please follow the steps outlined in AWS Access Key IAM Permissions and IAM Policies.
Setting Access Credentials for AWS Instances
1. Log into your Supervisor node.
2. Go to Admin > Setup Wizard > Discovery.
3. Under Enter Credentials, click Add.
4. Enter a Name for the credential.
5. For Device Type, select Amazon AWS SDK.
6. For Access Protocol, select AWS SDK.
7. For Region, enter the region where your AWS instance is located.
8. Enter the Access Key ID and Secret Access Key associated with your AWS instance.
9. Click Save.
Associating the AWS Host with Credentials
After you've defined all the credentials associated with the access protocols used by devices in your AWS
instance, you need to associate those credentials to the AWS host. In other deployment configurations, you
would associate credentials with IP addresses corresponding to your device locations, but since AWS uses
dynamic IP addressing, you need to associate all your credentials to the same host.
1. Under Enter IP Range to Credential Associations, click Add.
2. For IP/Host Name, enter amazon.com.
3. Click +, and add the AWS SDK credential, as well as any other generic credentials you've created.
4. Click OK.
5. Click Test Connectivity to make sure you can reach your instance and that all credentials are entered correctly
before you initiate discovery. Both the connectivity test and the discovery process will try to connect to the
Amazon instances first, and from there will try to connect to the private IPs of discovered instances using the
other access protocols.
6. You can now initiate discovery of your instances and associated devices as described in Discovering Devices, but
for Discovery Type, select AWS Scan.
If discovery is successful, your discovered instances and devices will be added to Admin > Setup Wizard >
Monitor Change/Performance, and in CMDB > Devices, you will see an Amazon EC2 directory, which will
include your discovered instances. If you have defined other access credentials, the discovered devices will also
appear in that directory, as well as under CMDB > Server. You can query these devices from either directory.
Discovering Microsoft Azure Infrastructure
Discovering Microsoft Azure Cloud infrastructure follows the same basic process described in Setting Access
Credentials for Device Discovery and Discovering Devices, but requires a different approach to associating
credentials to IP addresses, since Azure uses dynamic, rather than static, IP address assignment.
- Create a Certificate file for communicating to Azure Management Server
- Setting Access Credentials for Microsoft Azure Discovery
- Associating Microsoft Azure with Credentials
- Discovering Microsoft Azure Compute Nodes
Create a Certificate file for communicating to Azure Management Server
1. Create a .pem file containing a self-signed certificate and its private key (valid for 365 days, 2048-bit RSA):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout azure-cert.pem -out azure-cert.pem
2. Export the certificate (without the private key) as a DER-encoded .cer file:
openssl x509 -outform der -in azure-cert.pem -out azure-cert.cer
3. Log in to the old Azure portal and upload the .cer file under Settings > Management Certificates.
Setting Access Credentials for Microsoft Azure Discovery
1. Log into your Supervisor node.
2. Go to Admin > Setup Wizard > Credentials.
3. Under Enter Credentials, click Add.
4. Enter a Name for the credential.
5. For Device Type, select Microsoft Azure Compute.
6. For Subscription ID, enter .
7. Upload the Certificate File, enter the region where your AWS instance is located.
8. Enter the Access Key ID and Secret Access Key associated with your AWS instance.
9. Click Save.
Associating Microsoft Azure with Credentials
After you've defined all the credentials associated with the access protocols used by devices in your Microsoft
Azure instance, you need to associate those credentials.
1. Log into your Supervisor node.
2. Go to Admin > Setup Wizard > Credentials.
3. Under Enter IP Range to Credential Associations, click Add.
4. For IP/Host Name, enter azure.com.
5. Click +, and add the Microsoft Azure Compute credential created in "Setting Access Credentials for Microsoft
Azure Discovery", as well as any other generic credentials you've created.
6. Click OK.
7. Click Test Connectivity to make sure you can reach your instance and that all credentials are entered correctly
before you initiate discovery.
Discovering Microsoft Azure Compute Nodes
After you've defined and tested all the credentials, you can proceed to discovery.
1. Log into your Supervisor node.
2. Go to Admin > Setup Wizard > Discovery.
3. Click Add.
4. For Discovery Type, select Azure Scan.
5. Click Save.
6. Select the entry just created and click Discover.
If discovery is successful, your discovered instances will be added to Admin > Setup wizard > Monitor
Change/Performance and CMDB > Devices > Microsoft Azure Cloud > Azure Compute.
Approving Newly Discovered Devices
When devices are discovered by FortiSIEM, monitoring of them begins automatically, and incidents for those
devices will trigger automatically based on the rules associated with that device. However, you can configure the
Discovery Settings so incidents will be triggered only for devices you approve. If you select Approved Devices
Only for Allow Incident Firing On, then you will need to approve devices before incidents will be triggered for
those devices, but they will still be monitored and added to the CMDB.
1. Log in to your Supervisor node.
2. Go to Admin > Discovery Results.
3. Select a discovery result.
4. Click View Changes.
5. Expand the folder Discovery Delta.
6. Expand the folder New Devices.
7. Select the devices you want to approve, and click Approve Selected.
You can approve all the new devices by selecting the New Devices folder, and then click Approve All.
Related Links
- Discovery Settings
Inspecting Event Pulling Methods for Devices
Once you have discovered and approved the devices in your IT infrastructure, you should verify that the
FortiSIEM perfMonitor module is polling them over the correct access protocol and pulling event information
from them. If you are having issues collecting performance metrics from your devices, you should begin
troubleshooting by first checking the status of the event pulling method for the device.
1. Go to Admin > Setup Wizard > Pull Events.
2. Review the Event Pulling Status for each of your discovered devices.
Status: Successful
  If event information is being pulled from the device, you will see the name of the event pulling method
  rendered in plain black text.
Status: Added but Not Monitored
  If the name of the event pulling method has a Star icon next to it, event information can be successfully
  pulled from the device, but the perfMonitor module has not yet initiated monitoring.
Status: Paused
  A Pause icon indicates that event information is not being pulled from the device because it failed the
  verification check at the beginning of the monitoring cycle. This is usually caused by an issue with the
  access protocol credentials. The credential was valid when discovery succeeded, and so the event pulling
  method was able to monitor the associated metrics, but the perfMonitor module failed on the credential at a
  later time. You should check the access protocol credentials associated with the devices and event pulling
  methods, and then re-initiate discovery of the device.
Status: Failed
  An Alert icon and the name of the event pulling method in red indicate that adding that event pulling method
  for the device failed.
3. Click Show Errors to view a more detailed description of any errors associated with an event pulling method.
4. Click Edit to change any of the event pulling methods associated with a device.
5. Click Apply to apply any changes to your event pulling methods.
6. Click Test Pull Events to test any changes you make.
Inspecting Changes Since Last Discovery
After you run discovery for the first time, FortiSIEM keeps track of changes to your discovered devices during
subsequent discovery runs, including new devices, changed devices, and failed devices.
1. Log in to your Supervisor node.
2. Go to Admin > Discovery Results.
3. Select a discovery result.
4. Click View Changes.
5. Expand the folder Discovery Delta.
6. Move your mouse cursor over a folder or item until a blue Information icon appears, and then click on the icon to
view basic information about the item.
Discovery Range Definition Options
When you set the range definition for your discovery processes, several options are available for how you want
the discovery process to run.

Discover Routes
  Selected by default. If you clear this option, discovery will not use the route table to find next hop
  devices. This can be useful if your network includes border routers, which can significantly impact the time
  required for the discovery process.

Discovery Type
  Four types of scans are available for the discovery process:
  - Smart Scan: an optimized search method in which only the live devices in the network are searched. To use
    Smart Scan, you first provide a root device (typically the first hop Layer 3 router). FortiSIEM then
    discovers the root device and learns of its first hop neighbors from the ARP table. These devices are then
    discovered using existing credentials, and their one hop neighbors are subsequently discovered. This
    continues until no more devices are discovered. Often a single Layer 3 router, switch, or firewall is
    sufficient to discover the entire network. However, if a firewall that can block SNMP is installed, then
    devices on either side of the firewall need to be provided as root devices. Smart Scan is usually faster
    than Range Scan, but in rare cases discovery can miss a device when it is quiet and not present in the ARP
    table of adjacent devices.
  - Range Scan (default): in contrast to Smart Scan, Range Scan is a brute force method in which FortiSIEM
    attempts to discover all the devices in the IP ranges you provide. With Range Scan, FortiSIEM will first
    attempt to ping a device, and if that succeeds, discovery will proceed.
  - AWS Scan: used to discover devices in Amazon Web Services. See Discovering Amazon Web Services (AWS)
    Infrastructure for more information.
  - L2 Scan: used to update the Layer 2 connectivity information used in the Identity and Location report. It
    does not discover system and application monitors, installed and running software, or users and groups,
    and, in contrast to the other scan methods, it does not update the CMDB and executes more quickly.

Do Not Ping Before Discovery
  To save time, FortiSIEM first attempts to reach devices by ping before initiating discovery. You should
  select this option if ping has been disabled for your network, otherwise discovery will fail.

Include Powered Off VMs
  By default, only powered on VMs are discovered.

Include VM Templates
  By default, VM templates are not discovered.

Include/Exclude Device Types
  Click the Edit icon to select devices that you want to include or exclude from the discovery process. Note
  that if you have entries for both of these options, the discovery process will prioritize included devices
  over excluded ones.

Include/Exclude Domains (AWS Only)
  Enter the domains you want to include or exclude from the discovery process.

Include/Exclude Ranges
  Enter the IP addresses or host names you want to include or exclude from the discovery process.

Include/Exclude Zones (AWS Only)
  Enter the zones you want to include or exclude from the discovery process.

Only Discover Devices not in CMDB
  If you select this option, discovery will only find those devices whose IP addresses do not match the
  address of any device in CMDB. To make an exception to this rule, specify a list of IP addresses in the
  Exclude Ranges field. The primary use case for this is indirect device discovery such as VCenter-based VM
  discovery, or WLAN controller-based access point discovery. By specifying the VCenter IP address in the
  Exclude Ranges field, new guest VMs can always be discovered even if the VCenter is already in the CMDB.

Ping Only Discovery
  Select this option if you are only interested in discovering whether a device or service is up or down.

Root IPs
  For Smart Scan only, provide the root IPs from which you want the Smart Scan to start.
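The Smart Scan and Range Scan behaviour described above, worked through as an added example (not FortiSIEM code): a hop-by-hop walk over a constructed set of ARP tables from one or two root devices, beside a brute-force walk over a CIDR range with and without the Do Not Ping Before Discovery option. The topology, the SNMP-blocking firewall and the set of ping responders are constructed assumptions.

```python
import ipaddress
from collections import deque

# Constructed topology: device -> addresses seen in its ARP table (its first-hop neighbours).
ARP_TABLES = {
    "10.0.0.1": {"10.0.0.2", "10.0.0.3", "10.0.1.1"},  # root: first-hop Layer 3 router
    "10.0.0.2": {"10.0.0.1", "10.0.0.4"},             # access switch
    "10.0.0.3": {"10.0.0.1"},                         # server
    "10.0.0.4": {"10.0.0.2"},                         # server with ICMP disabled
    "10.0.1.1": {"10.0.0.1", "10.0.1.2"},             # firewall that blocks SNMP
    "10.0.1.2": {"10.0.1.1", "10.0.1.3"},             # router behind the firewall
    "10.0.1.3": {"10.0.1.2"},                         # server behind the firewall
    "10.0.0.9": set(),                                # quiet host: present in nobody's ARP table
}
# Assumed: the firewall answers discovery itself, but its ARP table cannot be read over SNMP,
# so Smart Scan cannot learn what lies behind it.
SNMP_BLOCKED = {"10.0.1.1"}
# Assumed: every device answers ping except the server with ICMP disabled.
PING_RESPONDERS = set(ARP_TABLES) - {"10.0.0.4"}


def smart_scan(root_ips):
    """Smart Scan: discover the root devices, learn their first-hop neighbours from
    the ARP table, discover those, and repeat until no new device turns up."""
    discovered = set()
    queue = deque(root_ips)
    while queue:
        ip = queue.popleft()
        if ip in discovered or ip not in ARP_TABLES:
            continue  # already discovered, or nothing answers at this address
        discovered.add(ip)
        if ip in SNMP_BLOCKED:
            continue  # device recorded, but there is no ARP table to walk further from
        queue.extend(n for n in ARP_TABLES[ip] if n not in discovered)
    return discovered


def range_scan(cidr, do_not_ping_before_discovery=False):
    """Range Scan: brute-force every address in the range. Unless the option
    'Do Not Ping Before Discovery' is set, an address that does not answer
    ping is skipped without attempting discovery."""
    discovered = set()
    for addr in ipaddress.ip_network(cidr).hosts():
        ip = str(addr)
        if not do_not_ping_before_discovery and ip not in PING_RESPONDERS:
            continue  # ping failed, so discovery of this address never starts
        if ip in ARP_TABLES:  # something answers discovery at this address
            discovered.add(ip)
    return discovered


def missed_by(scan_result):
    """Devices that exist in the constructed network but a scan did not find."""
    return set(ARP_TABLES) - scan_result


if __name__ == "__main__":
    one_root = smart_scan(["10.0.0.1"])
    print("Smart Scan, one root, missed:", sorted(missed_by(one_root)))
    both_sides = smart_scan(["10.0.0.1", "10.0.1.2"])
    print("Smart Scan, root on each side of the firewall, missed:", sorted(missed_by(both_sides)))
    print("Range Scan 10.0.0.0/28 with ping first:", sorted(range_scan("10.0.0.0/28")))
    print("Range Scan 10.0.0.0/28 without ping:", sorted(range_scan("10.0.0.0/28", True)))
```

With a single root the quiet host and everything behind the firewall are missed; a second root behind the firewall recovers that side, while only a Range Scan finds the quiet host, and only with Do Not Ping Before Discovery does it also find the host that drops ICMP.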
Scheduling a Discovery
Discovery can be a long-running process when performed on a large network, or over a large IP range, and so you
may want to schedule it to occur when there is less load on your network or during off hours. You may also want to
set up a schedule for the process to run and discover new devices on a regular basis.
1. Log in to your Supervisor node.
2. Go to Admin > Setup Wizard > Discovery.
3. Click Schedule.
4. Click the + icon.
5. Select from the available ranges.
You can select multiple ranges and set the order in which discovery will run on them by using the up and down
arrows.
6. Set the time at which you want discovery to run.
7. For a one-time scheduled discovery, enter a Date for the discovery to run.
8. For recurring discoveries, select how often (hourly, daily, weekly, monthly) you want discovery to run, and then
enter other scheduling options.
9. Click OK.
Adding Devices to the CMDB Outside of Discovery
There are situations in which you may want to add devices to the Configuration Management Database (CMDB)
outside of the discovery procedure. For example, FortiSIEM needs access to devices over SNMP or WMI to
discover them, but you may have devices in your infrastructure that don't utilize these access protocols. The IP
addresses for those devices will still be contained in traffic logs, and rules may need to incorporate that device. In
order to make sure that logs are parsed correctly and rules function as expected, you need to make sure that
these undiscovered devices are associated with an IP address. Adding a device directly to the CMDB lets you
provide the information necessary for FortiSIEM to recognize the device, including associating it with an IP
address or range.
Adding Devices to Device Groups
When you add a device to the CMDB manually, make sure to choose the group, such as Firewall, Printers, or
Storage, in the Device View where you want to add it. If you only add it to the top-most Devices group, it will
not be added to the topology map correctly.
1. Log into your Supervisor node.
2. Click CMDB.
3. In the Device View, select Devices, then select the sub-category where you want to add the device.
4. In the summary pane, click New.
5. For Summary, Contact, Interfaces, and Properties, enter information for the new device.
Entering Interface Information
When you enter the interface information for the device, make sure to provide the correct IP address
and network mask for the interfaces. FortiSIEM will use this network information to generate the
Network Segments for the device.
6. Click Save when you're done adding the device information.
Related Links
- Adding a Synthetic Monitoring Test to a Business Service
Decommissioning a device
Decommissioning a device lets you re-assign the IP address to a new device but still keep the old device in CMDB
for historical purposes.
To decommission a device:
1. Go to CMDB > Devices.
2. Select the device.
3. Click on the menu under Name and select Decommission.
4. Provide a Reason and select OK to decommission the device.
5. Consequences of decommissioning:
a. The device will be moved to the CMDB > Devices > Decommission folder.
b. The device will be removed from maintenance calendars.
c. Performance monitoring will stop.
d. A new device with the same IP can be discovered.
To re-commission the device:
1. Go to CMDB > Devices > Decommission.
2. Select the device.
3. Click on the menu under Name and select Recommission.
4. The device will be moved back to the folder where it was when it was decommissioned.
5. Performance monitoring will resume.
Creating Dynamic CMDB Group Policies
This setting allows you to write rules that put devices in the CMDB Device Groups and Business Service Groups of
your choice. When a device is discovered, the policies defined here are applied and the device is assigned to the
group(s) defined in the matching policies.
To create a new CMDB Group Policy:
1. Go to Admin > General Settings > Discovery > CMDB Group.
2. Click Add.
3. For matching conditions, enter the following information:
a. Organization: the organization to which this rule applies
b. Vendor: the matching device vendor, selected from the list
c. Model: the matching device model, selected from the list
d. Host Name: the matching device host name, via regular expression match
e. IP Range: the matching device access IP; the format is a single IP, an IP range, or CIDR
4. For Actions (Add To), enter the following information:
a. Groups: the groups to which the matching devices will be added
b. Biz Services: the business services to which the matching devices will be added
This device grouping does not overwrite the CMDB Device group assigned during discovery. The grouping
defined here is in addition to the discovery-defined CMDB group.
Conditions are matched in an ANDed manner: a device matches a policy only if all of the specified conditions match.
Both actions are taken, that is, if both a Group and a Business Service are specified, then the device will be
added to both the specified Group and the specified Business Service.
To apply one or more CMDB Group policies:
1. Select one or more policies and click Apply, or click Apply All to apply all policies.
2. Once a policy is saved, the next discovery will apply these policies. That means discovered devices will belong to
the groups and business services defined in the policies.
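The matching and action semantics described above (ANDed conditions, IP Range as single IP, range or CIDR, host name by regular expression, additive group assignment), modelled as an added example that is not FortiSIEM code. The policies and devices are constructed; whether the host name regular expression must match the whole name or any part of it is not stated in the guide, so a partial match is assumed here.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Device:
    organization: str
    vendor: str
    model: str
    host_name: str
    access_ip: str
    groups: set = field(default_factory=set)        # CMDB Device group assigned by discovery
    biz_services: set = field(default_factory=set)


@dataclass
class GroupPolicy:
    """One CMDB Group policy. A condition left as None matches every device;
    all conditions that are set must hold (ANDed)."""
    organization: Optional[str] = None
    vendor: Optional[str] = None
    model: Optional[str] = None
    host_name_regex: Optional[str] = None
    ip_range: Optional[str] = None                  # single IP, "first-last" range, or CIDR
    groups: set = field(default_factory=set)        # Actions (Add To): Groups
    biz_services: set = field(default_factory=set)  # Actions (Add To): Biz Services


def ip_in_range(ip: str, spec: str) -> bool:
    """Match an access IP against the three formats the IP Range field accepts."""
    addr = ipaddress.ip_address(ip)
    if "/" in spec:                                  # CIDR, e.g. 10.1.0.0/16
        return addr in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:                                  # inclusive range, e.g. 10.1.10.1-10.1.10.50
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return first <= addr <= last
    return addr == ipaddress.ip_address(spec)        # single IP


def matches(policy: GroupPolicy, device: Device) -> bool:
    """ANDed matching: every condition that is set must be satisfied."""
    return all((
        policy.organization is None or policy.organization == device.organization,
        policy.vendor is None or policy.vendor == device.vendor,
        policy.model is None or policy.model == device.model,
        policy.host_name_regex is None
        or re.search(policy.host_name_regex, device.host_name) is not None,  # assumed: partial match
        policy.ip_range is None or ip_in_range(device.access_ip, policy.ip_range),
    ))


def apply_policies(device: Device, policies) -> Device:
    """Add the device to the Groups and Biz Services of every matching policy.
    Both actions are taken, and the discovery-assigned group is never removed."""
    for policy in policies:
        if matches(policy, device):
            device.groups |= set(policy.groups)
            device.biz_services |= set(policy.biz_services)
    return device


# Constructed sample policies and discovered devices.
POLICIES = [
    GroupPolicy(vendor="Fortinet", host_name_regex=r"^fw-", ip_range="10.1.0.0/16",
                groups={"Firewall"}, biz_services={"Perimeter"}),
    GroupPolicy(organization="Super", ip_range="10.1.10.1-10.1.10.50", groups={"DMZ Hosts"}),
    GroupPolicy(model="FortiGate-100D", biz_services={"Branch Connectivity"}),
]
DEVICES = [
    Device("Super", "Fortinet", "FortiGate-100D", "fw-dmz-01", "10.1.10.7", groups={"Fortinet FortiGate"}),
    Device("Super", "Fortinet", "FortiGate-100D", "core-fw-01", "10.2.0.1", groups={"Fortinet FortiGate"}),
    Device("Other", "Cisco", "Catalyst 3750", "sw-dmz-01", "10.1.10.20", groups={"Cisco Catalyst"}),
]


def run_example():
    """Apply every policy to every sample device; returns host name -> (groups, biz services)."""
    result = {}
    for device in DEVICES:
        apply_policies(device, POLICIES)
        result[device.host_name] = (device.groups, device.biz_services)
    return result


if __name__ == "__main__":
    for host, (groups, services) in run_example().items():
        print(f"{host}: groups={sorted(groups)} biz_services={sorted(services)}")
```

The first device matches all three policies and keeps its discovery group; the second matches only the model-based policy because the host name and IP Range conditions of the first policy fail together; the third matches nothing because each policy has at least one failing condition.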
Configuring Monitoring
Once FortiSIEM discovers your devices, they will be monitored continuously, and you can use the data collected to
analyze the performance of your infrastructure. You can also configure FortiSIEM to send notifications when
events that meet specific conditions occur in your infrastructure.
You can disable the collection of metrics for specific devices, disable devices for monitoring, and change the
polling interval for metric collection. Some devices need to be configured to send logs to FortiSIEM, as described
in the topics under FortiSIEM 4.9.0 External Systems Configuration Guide. You can also configure FortiSIEM to
monitor important ports, processes, and interfaces, and set up monitoring tests that use synthetic transactions to
make sure that critical services are up and running.
- Device Monitoring Settings
- Managing Monitoring of System and Application Metrics for Devices
- Setting Up Synthetic Transaction Monitoring Tests
Device Monitoring Settings
While FortiSIEM constantly monitors and reports on your IT infrastructure, there are several settings you can use
to refine reporting on critical interfaces, important processes and ports, and disk utilization.
- Adding Critical Interfaces to Device Monitoring
- Adding Important Ports to Device Monitoring
- Adding Important Processes to Device Monitoring
- Excluding Disks from Disk Capacity Utilization Monitoring
Adding Important Interfaces
This setting allows you to always get interface utilization reports on a set of important network interfaces across
all device types.
Behavior prior to Release 4.8.1
FortiSIEM continuously monitored every network interface on every server and network device for utilization and
up/down status. By marking an interface as Critical, (a) up/down status was monitored for Critical interfaces only,
but (b) all interfaces were monitored for utilization, and critical ones were marked in the event. Since all
interfaces were monitored for utilization, a large number of events could be generated, as certain devices such as
voice gateways can have many logical interfaces.
Behavior in Release 4.8.1 onwards
FortiSIEM monitors only the interfaces marked as Critical in this tab. It is therefore important to define
ALL critical interfaces at once.
Important Interface Setup after 4.8.1 Upgrade
The behavior of interface monitoring has changed dramatically since 4.8, so it is very important to follow these
steps.
1. Create a list of all Important interfaces.
2. Go to Admin > General Settings > Monitoring > Important Interfaces.
3. Click Enable. This will stop all interface monitoring.
4. Click Add.
5. Select either Device View or Interface View.
6. Select a device to view and select its interfaces, or select an interface.
7. Click OK to add the selected interface to the list. The Critical and Monitor boxes will be checked
automatically.
8. Check the WAN box if applicable. If checked, the interface utilization events will carry the attribute isWAN = "yes".
You can use this to run a report for all WAN interfaces.
9. Click Apply All. FortiSIEM will now monitor only the interfaces selected in this tab.
10. If you want to disable this behavior and return to monitoring ALL interfaces (as in releases prior to 4.8), click
Disable.
Adding Important Processes
This setting allows you to always get process resource utilization reports and up/down alerts on a set of important
processes across all device types.
Behavior prior to Release 4.8.1
FortiSIEM continuously monitored every process on every server and network device for resource utilization and
up/down status. By marking a process as Critical, (a) up/down status was monitored for Critical processes only, but
(b) all processes were monitored for resource utilization. Since there are a large number of processes across all
device types, a large number of events could be generated.
Behavior in Release 4.8.1 onwards
FortiSIEM monitors only the processes marked as Critical in this tab. It is therefore important to define
ALL critical processes at once.
Important Process Setup after 4.8.1 Upgrade
The behavior of process utilization monitoring has changed dramatically since 4.8, so it is very important to follow
these steps.
1. Create a list of all Important interfaces.
2. Go to Admin > General Settings > Monitoring > Important Processes.
3. Click Enable. This will stop all interface monitoring.
4. Click Add.
5. Enter a Process Name and any Parameters, and then click OK.
6. Click Apply All. FortiSIEM will now monitor only the processes selected in this tab.
7. If you want to disable this behavior and return to ALL interface monitoring, click Disable.
Adding Important Ports
Always reporting the UP/DOWN status for every TCP/UDP port on every server can consume a significant amount
of resources. FortiSIEM will report the UP/DOWN status only for the ports you add to the Important Ports
list. Matching is exact based on port number and IP protocol.
1. Go to Admin > General Settings > Monitoring.
2. Under Important Ports, click Add.
3. Enter the Port Number and select the Port Type.
4. Click OK.
5. Click Apply All.
Excluding Disks from Disk Capacity Utilization Monitoring
You can exclude disks from disk capacity utilization monitoring. Disk capacity utilization events will not be
generated for devices matching the device name, access IP, and disk name that you provide. Incidents will not
trigger for these events, and the disks will not show up in summary dashboards.
Exclude Stable, Almost-Full Disks
Use this list to exclude read-only disk volumes or partitions that do not grow in size and are almost full. This
prevents these servers from always showing a CRITICAL status in dashboards.
1. Go to Admin > General Settings > Monitoring.
2. Under Excluded Disks, click Add.
3. Select a device to view its disks, and then select the disk you want to exclude from monitoring.
4. Click OK.
5. Click Apply All.
Managing Monitoring of System and Application Metrics for Devices
When FortiSIEM discovers devices, it also discovers the system and application metrics that can be monitored for
each device, and displays these in the Monitor Change/Performance tab of the Setup Wizard. Here you can
also disable the monitoring of specific metrics for devices, disable devices from being monitored, and change the
polling interval for specific metrics. See Inspecting Event Pulling Methods for Devices for an explanation of the
different status indicators for System Monitor and Application Monitor metrics.
1. Go to Admin > Setup Wizard > Monitor Change/Performance.
2. Click Refresh to make sure you have the latest list of devices.
Single Line Display
Select Single Line Display to view each device, along with its list of application and system monitors,
on a single line.
3. To disable monitoring for a device, clear the Enable option for it.
4. To enable or disable monitoring of specific metrics for a device, click on a device to select it, then click Edit and
select System Monitoring or Application Monitoring to view the list of metrics associated with that monitor
and device. You can also enable or disable the metrics for a device's monitor type by clicking on the System
Monitoring or Application Monitoring section for the device.
5. To change the polling interval for a metric, in the More menu, select Set Intervals. Select the Monitor Type and
Device, and then set the interval.
6. When you are done making changes, click Apply.
Setting Up Synthetic Transaction Monitoring Tests
A Synthetic Transaction Monitoring (STM) test lets you test whether a service is up or down, and measure the
response time. An STM test can range from something as simple as pinging a service, to something as complex
as sending and receiving an email or a nested Web transaction. Setting up an STM test involves defining the type
of monitor, associating the monitor definition to a device and testing it, and then deploying the STM test to a
Supervisor or Collector. You can view the results of STM tests in the Synthetic Transaction Monitoring page,
either by navigating to Summary Dashboard > Availability/Performance > Application Summary >
Synthetic Transaction Monitoring, or to Admin > Setup Wizard > Synthetic Transaction Monitoring,
and then clicking on Monitoring Status. You can also report on the results of STM tests in the reports Top
Applications By Synthetic Transaction Response Time and Top Applications By Synthetic
Transaction Response Time - Detailed view. When an STM test fails, three system rules are triggered, and
you can receive an email notification of that failure by creating a notification policy for these rules.
System Rule: Service Degraded - Slow Response to STM
  Detects that the response time of an end-user monitored service is greater than a defined threshold (average
  over 3 samples in 15 minutes is more than 5 seconds).
System Rule: Service Down - No Response to STM
  Detects that a service suddenly went down from the up state and is no longer responding to synthetic
  transaction monitoring probes.
System Rule: Service Staying Down - No Response to STM
  Detects a service staying down, meaning that it went from up to down and did not come up, and is no longer
  responding to end user monitoring probes.
1. Go to Admin > Setup Wizard > Synthetic Transaction Monitoring.
2. Click Add.
3. Enter a Name and Description for the test.
4. For Frequency, enter how often, in minutes, you want the test to run.
5. Select the Protocol for your test.
See Protocol Settings for Synthetic Transaction Monitoring Tests for more information about the settings and test
results for specific protocols.
6. Click Save. You now have to associate the STM test with a target host name, IP address, or IP range.
7. Click Create and Test.
8. For Monitoring Definition, select one of the STM tests you have created.
9. For Host Name or IP/Range, enter the information for your STM test target.
10. For Port, click + and enter any ports to use when connecting to the target with this test.
11. Click OK.
FortiSIEM will run the test and verify whether it is successful. If it succeeds, it will be added to the list of tests
with a yellow Star next to it, indicating that it has been added but is not yet running.
12. Click Apply All to begin executing your tests at their set frequency.
The yellow Star will be removed from your test after it executes against the target for the first time.
Protocol Settings for Synthetic Transaction Monitoring Tests
This table describes the settings associated with the various protocols used for setting up Synthetic Transaction
Monitoring tests.
231
FortiSIEM 4.9.0 User Guide
Fortinet Technologies Inc.
Configuring FortiSIEM
Protocol
Description
Ping
Checks packet loss
and round trip time
Configuring Monitoring
Settings
Notes
Maximum Packet Loss PCT:
tolerable packet loss
Maximum Average Round
Trip Time: tolerable round trip
time (seconds) from FortiSIEM
to the destination and back
If either of these two thresholds
are exceeded, then the test is
considered as failed.
Timeout : the time limit by
which the end to end LOOP
EMAIL test must complete.
Outgoing Settings: these
specify the outgoing SMTP
server account for sending the
email.
l
LOOP
Email
This test sends an
email to an
outbound SMTP
server and then
attempts to
receive the same
email from a
mailbox via IMAP
or POP. It also
records the end-toend time.
l
l
User Name: user account
on the SMTP server
Email Subject: content
of the subject line in the
test email
Incoming Settings: These
specify the inbound IMAP or
POP server account for fetching
the email.
l
l
l
l
FortiSIEM 4.9.0 User Guide
Fortinet Technologies Inc.
SMTP Server: name of
the SMTP server
Before you set up the test you will need
to have set up access credentials for an
outbound SMTP account for sending
email, and an inbound POP/IMAP
account for receiving email
Protocol Type: choose
IMAP or POP
Server: name of the IMAP
or POP server
User Name: user account
on the IMAP or POP server
Email Subject: content
of the subject line in the
test email
232
HTTP(S) Selenium Script
Description: This test uses a Selenium script to play back a series of website actions in FortiSIEM.
Settings:
- Upload: select the Java file you exported from Selenium
- Total Timeout: the script must complete by this time or the test will be considered failed
- Step Timeout: each step must complete by this time
Notes: How to export:
- Make sure Selenium IDE is installed within the Firefox browser
- Open Firefox
- Launch Tools > Selenium IDE. From now on, Selenium is recording user actions
- Visit websites
- Once done, stop recording
- Click File > Export Test Case As > Java / JUnit 4 / WebDriver
- Save the file as .java on your desktop. This is the file that has to be uploaded to FortiSIEM.
HTTP(S) Simple
Description: This test connects to a URI over HTTP(S) and checks the response time and expected results.
Settings:
- URI: the URI to connect to
- Authentication: any authentication method to use when connecting to this URI
- Timeout: this is the primary success criterion - if there is no response within the time specified here, then the test fails
- Contains: an expected string in the test results
- Does Not Contain: a string that should not be contained in the test results
- Response Code: an expected HTTP(S) response code in the test results. The default is set to 200 - 204.
HTTP(S) Advanced
Description: This test uses HTTP requests to connect to a URI over HTTP(S), and checks the response time and expected results.
Settings: Click + to add an HTTP request to run against a URI.
- URI: the URI to run the test against
- SSL: whether or not to use SSL when connecting to the URI, and the port to connect on
- Authentication: the type of authentication to use when connecting to the URI
- Timeout: this is the primary success criterion - if there is no response within the time specified here, then the test fails
- Method Type: the type of HTTP request to use
- Send Parameters: click + or the Pencil icon to add or edit any parameters for the request
- Contains: an expected string in the test results
- Does Not Contain: a string that should not be contained in the test results
- Response Code: an expected HTTP(S) response code in the test results. The default is set to 200 - 204.
- Store Variables as Response Data for Later Use: click + or the Pencil icon to add or edit any variable patterns that should be used as data for later tests
TCP
Description: This test attempts to connect to the specified port using TCP.
Settings:
- Timeout: this is the single success criterion. If there is no response within the time specified here, then the test fails.
DNS
Description: Checks response time and expected IP address.
Settings:
- Query: the domain name that needs to be resolved
- Record Type: the type of record to test against
- Result: specify the expected IP address that should be associated with the DNS entry
- Timeout: this is the primary success criterion - if there is no response within the time specified here, then the test fails
SSH
Description: This test issues a command to the remote server over SSH, and checks the response time and expected results.
Settings:
- Remote Command: the command to run after logging on to the system
- Timeout: this is the primary success criterion - if there is no response within the time specified here, then the test fails
- Contains: an expected string in the test results
Notes: You will need to have set up an SSH credential on the target server before setting up this test. As an example test, you could set Raw Command to ls, and then set Contains to the name of a file that should be returned when that command executes on the target server and directory.
LDAP
Description: This test connects to the LDAP server, and checks the response time and expected results.
Settings:
- Base DN: an LDAP base DN you want to run the test against
- Filter: any filter criteria for the Base DN
- Scope: any scope for the test
- Timeout: this is the primary success criterion - if there is no response within the time specified here, then the test fails
- Number of Rows: the expected number of rows in the test results
- Contains: an expected string in the test results
- Does Not Contain: a string that should not be contained in the test results
Notes: You will need to have set up an access credential for the LDAP server before you can set up this test.
IMAP
Description: This test checks connectivity to the IMAP service.
Settings:
- Timeout: this is the single success criterion - if there is no response within the time specified here, then the test fails
POP
Description: This test checks connectivity to the POP service.
Settings:
- Timeout: this is the single success criterion - if there is no response within the time specified here, then the test fails
SMTP
Description: This test checks connectivity to the SMTP service.
Settings:
- Timeout: this is the single success criterion - if there is no response within the time specified here, then the test fails
JDBC
Description: This test issues a SQL command over JDBC to a target database, and checks the response time and expected results.
Settings:
- JDBC Type: the type of database to connect to
- Database Name: the name of the target database
- SQL: the SQL command to run against the target database
- Timeout: this is the primary success criterion - if there is no response within the time specified here, then the test fails
- Number of Rows: the expected number of rows in the test results
- Contains: an expected string in the test results
- Does Not Contain: a string that should not be contained in the test results
FTP
Description: This test issues an FTP command to the server and checks expected results.
Settings:
- Anonymous Login: choose whether to use anonymous login to connect to the FTP directory
- Remote Directory: the remote directory to connect to
- Timeout: this is the primary success criterion - if there is no response within the time specified here, then the test fails
TRACE ROUTE
Description: This test issues a trace route command to the destination and parses the results to create PH_DEV_MON_TRACEROUTE events, one for each hop.
Settings:
- Timeout: if there is no response from the system within the time specified here, then the test fails.
- Protocol Type: specifies the IP protocol over which trace route packets are sent - current options are UDP, TCP and ICMP
- Max TTL: max time to live (hop) value used in outgoing trace route probe packets.
- Wait Time: max time in seconds to wait for a trace route probe response
Notes: For the trace route from AO to destination D via hops H1, H2, H3, FortiSIEM generates hop-by-hop PH_DEV_MON_TRACEROUTE events, one per hop:
- First event: Source AO, destination H1, Min/Max/Avg RTT, Packet Loss for this hop
- Second event: Source H1, destination H2, Min/Max/Avg RTT, Packet Loss for this hop
- Third event: Source H2, destination H3, Min/Max/Avg RTT, Packet Loss for this hop
- Fourth event: Source H3, destination D, Min/Max/Avg RTT, Packet Loss for this hop
Adding a Synthetic Monitoring Test to a Business Service
You may want to add a Synthetic Transaction Monitoring (STM) test to a Business Service as part of the
monitoring infrastructure for that service. However, in order to enable reporting on that STM, you need to add it to
the business service as a device that FortiSIEM can then report on. This topic explains how to create a device for
an STM test and add it to your business service report.
1. Create your STM as described in Setting Up Synthetic Transaction Monitoring Tests.
2. Note the IP address that your STM resolves to in Step 9 of the setup instructions.
3. In the CMDB tab, select Devices, and then select a subcategory where you want to add the STM device.
You may want to create your own group where you manage your STM devices.
4. In the summary pane for the device subcategory, click New.
5. Complete all relevant information for the STM device, providing the IP address/range from Step 2 in the Access
IP field of the Summary page.
6. Click Save when you're done entering device information for the STM.
7. Follow the instructions in Creating a Report to add information about the STM device to a business service report,
and then use the instructions in Adding Widgets to Dashboards to add it to your dashboard.
Related Links
- Adding Devices to the CMDB Outside of Discovery
- Creating CMDB Groups and Adding Objects to Them
- Creating a Report
- Adding Widgets to Dashboards
Creating Business/IT Services
By defining an IT or Business Service, you can create a logical grouping of devices and IT components which can be monitored together.
1. Log in to your Supervisor node.
2. Go to CMDB > Business Services.
3. Click New.
4. Enter a Name and Description for the business service.
5. Select a Device/Application Group, and when the list of associated devices loads into the selection pane, select a device and click >> to add it to the Selected Devices/Applications for the business service.
6. Click Save when you're done adding devices to the business service.
After you have created a business service, you can select it, and the Show Topology option, to view it within the overall IT topology. You can also use the links in the Analysis menu of the Business Services summary dashboard to find out more information about incidents, device availability, device and application performance, interface and event status, and real-time and historical search for a selected business service.
Data Update Subscription Service
FortiSIEM is constantly developing support for additional IT infrastructure devices. By subscribing to the FortiSIEM Data Update Service, you can receive updates when support for new devices becomes available, rather than waiting for it to be included in a formal release. In addition to device support, you can also receive new rules, reports, parser updates, and so on.
- Data Update Overview
- Configuring Data Update
Data Update Overview
FortiSIEM data update subscription service updates your FortiSIEM deployment with the latest device support
related data as it becomes available, rather than having to wait for it to be included in a formal release.
The following items can be included in an update:
- New event attributes
- New event types
- New device types
- New parsers or modifications to existing parsers
- Performance monitoring templates for new devices, or modified templates for existing devices
- New rules or modifications to existing rules
- New reports or modifications to existing reports, both CMDB reports and event-based reports
- New groups or modifications to existing groups for Event Types, Rules, Reports, Device Groups, and Application Groups
- Code to handle new devices
Configuring Data Update
- Prerequisites
- Procedure
Prerequisites
- Contact FortiSIEM support and make sure that your license includes the Data Update Service.
- Make sure you have the Data Update URL - this is typically https://images.FortiSIEM.net/upgrade/ds - contact FortiSIEM to make sure that this information has not changed.
- Make sure you have your license credentials.
Procedure
Configure Data Update Server Setting
1. Log on to FortiSIEM Supervisor with Administrator credentials
2. Go to Admin > General Settings > System
3. Configure Data Update Server Setting
1. Enter Data Update URL (see prerequisites)
2. Enter Server Username and Server Password - these are the license credentials
3. Specify Notify Email (optional) - you will receive email when new data updates are available
4. Click Save
Check Available Data Updates
1. Log on to FortiSIEM Supervisor with Administrator credentials.
2. Go to Admin > Data Update.
3. Click Refresh.
1. Available data updates are shown on the left.
2. Click a version on the left and the contents of that version are shown on the right.
4. Check the current data version from Admin > Cloud Health > Data Update Version. The number after the third decimal point is the data version. For example, 4.4.1.38 means the data version is 38.
5. Note the data version you would like to upgrade to.
Apply Data Update on Supervisor
1. SSH to FortiSIEM Supervisor as root.
2. Go to /pbin.
3. Download the data version by running ./phdownloaddata and specify the data version you would like to upgrade
to.
4. Install the data version by running ./phinstalldata.
Apply Data Update on Collectors
1. Log on to FortiSIEM Supervisor with Administrator credentials.
2. Go to Admin > Collector Health.
1. Select a Collector.
2. Click Download Data Update - this downloads the data files to the collector.
3. Click Install Data Update - this installs the data files on the collector.
4. Repeat for all collectors.
Check whether Data Update Installed Successfully
1. Log on to FortiSIEM Supervisor with Administrator credentials.
2. Check Admin > Cloud Health > Data Update Version.
3. Check Admin > Collector Health > Data Update Version.
Creating Custom Parsers and Monitors for Devices
Creating a custom parser for device logs involves writing an XML specification for the parser, and then using a
test event to make sure the logs are parsed correctly. Creating a custom monitor involves defining a performance
object that you want to monitor, associating that performance object to a device type, event type, and event
attribute type, and then testing to make sure that the monitored metrics are correctly received by FortiSIEM. You
can create custom monitors for system and application performance, command outputs, and file monitoring.
- Creating Event Attributes, Event Types, and Device Types
- Custom Parsers
- Custom Performance Monitors
- Custom Command Output Monitor
- Custom File Monitor
Creating Event Attributes, Event Types, and Device Types
When you create a custom parser or monitor, you must also specify the device, application, event type, and event
attribute to which it applies. If these objects aren't already included in the FortiSIEM CMDB, you can create them
as a preliminary step to creating your parser or monitor.
- Creating Device and Application Types
- Creating Event Attribute Types
- Creating Event Types
Creating Device and Application Types
If the device or application that you want to create a parser or monitor for isn't already listed in Admin > Device
Support > Device/App Types, you can add it.
1. Go to Admin > Device Support > Device/App Types.
2. Click New, and then choose New Device Type or New Application Type.
3. Enter the information for the new device or application type.
Device Type:
- Vendor
- Model
- Version
- Device/App Group
- Biz Service group
- Description
Application Type:
- Vendor
- Model
- Version
- Device/App Group
- Biz Service group
- Application Package Group
- Description
4. Click Save.
Creating Event Types
After parsing an event or log, FortiSIEM assigns a unique event type to that event/log. When you create a new
custom parser for device logs, you almost always have to add a new event type to FortiSIEM so the log events
can be identified.
Naming Custom Event Types
All custom event types must begin with the prefix PH_DEV_MON_CUST_.
1. Go to Admin > Device Support > Event Types.
2. Click New.
3. Enter a Name for the new event type.
4. Select the Device Type to associate with the event type. If the device type isn't included in the menu options, you can add it to FortiSIEM.
5. Select the Event Type Group category for this event type.
6. Select a Severity to associate with the event type.
7. Enter an optional Description.
8. Click Save.
Creating Event Attribute Types
Event attributes are used to capture parsed information from events. You only have to create a new attribute if
the one you want to use for your custom parser or monitor is not listed in Admin > Device Support > Event
Attribute Types.
Creating an Event Attribute Type by Cloning
You can clone an existing event attribute type to use as the basis for a new one. Select the event attribute type
you want to use, click Clone, and then modify as necessary.
1. Go to Admin > Device Support > Event Attribute Types.
2. Click New.
3. Enter a Name and Display Name.
4. Select the Value Type to associate with the event attribute type.
5. Optionally enter a Display Format Type and Description.
6. Click Save.
Custom Parsers
To start creating a custom parser for device logs, you should begin by reviewing the Event Parser XML
Specification. Writing the XML specification is the primary task in creating a custom parser.
- Event Parser XML Specification
- Creating a Custom Parser
- Deleting or Disabling a Parser
- Exporting a Custom Parser
- Importing a Custom Parser
- Parser Examples
Event Parser XML Specification
FortiSIEM uses an XML-based parser framework to parse events. These topics describe the parser syntax and
include examples of XML parser specifications.
- Custom Parser XML Specification Template
- Parser Name Specification
- Device or Application Type Specification
- Format Recognizer Specification
- Pattern Definition Specification
- Parsing Instructions Specification
Custom Parser XML Specification Template
The basic template for a custom parser XML specification includes five sections. Click on the name of any section
for more information.
Parser Name Specification: Name of the parser file
Device Type: The type of device or application associated with the parser
Format Recognizer Specification: Patterns that determine whether an event will be parsed by this parser
Pattern Definition Specification: Defines the parsing patterns that are iterated over by the parsing instructions
Parsing Instructions Specification: Instructions on how to parse events that match the format recognizer patterns
Custom Parser XML Specification Template
<eventParser name="xxx">
  <deviceType> </deviceType>
  <eventFormatRecognizer> </eventFormatRecognizer>
  <patternDefinitions> </patternDefinitions>
  <parsingInstructions> </parsingInstructions>
</eventParser>
Parser Name Specification
This section specifies the name of the parser, which is used only for readability and identifying the device type
associated with the parser.
<eventParser name="CiscoIOSParser"></eventParser>
Device or Application Type Specification
This section specifies the device or the application to which this parser applies. The device and application
definitions enable FortiSIEM to detect the device and application type for a host from the received events. This is
called log-based discovery in FortiSIEM. Once a received event is successfully parsed by this file, a CMDB
entry is created with the device and application set from this file. FortiSIEM discovery may further refine the
device.
There are two separate subsections for device and application. In each section, vendor, model and version can be specified, but version is not typically needed.
Set Version to Any
In the examples in this topic, <Version> is set to ANY because events are generally not tied to a particular version of a device or software. You could of course set this to a specific version number if you only wanted this parser to apply to a specific version of an application or device.
Vendor and Model Must Match the FortiSIEM Version
<Vendor> and <Model> entries must match the spelling and capitalization in the CMDB.
- Examples of Specifications for Types of Device and Applications
  - Hardware Appliances
  - Software Operating Systems that Specify the Device Type
  - Applications that Specify Both Device Type and Application
  - Applications that Specify the Application Type but Not the Device Type
Examples of Specifications for Types of Device and Applications
Hardware Appliances
In this case, the type of event being parsed specifies the device type, for example Cisco IOS, Cisco ASA, etc.
<deviceType>
  <Vendor>Cisco</Vendor>
  <Model>IOS</Model>
  <Version>ANY</Version>
</deviceType>
Software Operating Systems that Specify the Device Type
In this case, the type of events being parsed specifies the device type, for example Microsoft Windows etc. In this
case the device type section looks like
<deviceType>
  <Vendor>Microsoft</Vendor>
  <Model>Windows</Model>
  <Version>ANY</Version>
</deviceType>
Applications that Specify Both Device Type and Application
In this case, the events being parsed specify the device and application types because Microsoft SQL Server can
only run on Microsoft Windows OS.
<deviceType>
  <Vendor>Microsoft</Vendor>
  <Model>Windows</Model>
  <Version>ANY</Version>
</deviceType>
<appType>
  <Vendor>Microsoft</Vendor>
  <Model>SQL Server</Model>
  <Version>ANY</Version>
  <Name>Microsoft SQL Server</Name>
</appType>
Applications that Specify the Application Type but Not the Device Type
Consider the example of an Oracle database server, which can run on both Windows and Linux operating
systems. In this case, the device type is set to Generic but the application is specific. FortiSIEM depends on
discovery to identify the device type.
<deviceType>
  <Vendor>Generic</Vendor>
  <Model>Generic</Model>
  <Version>ANY</Version>
</deviceType>
<appType>
  <Vendor>Oracle</Vendor>
  <Model>Database Server</Model>
  <Version>ANY</Version>
  <Name>Oracle Database Server</Name>
</appType>
Format Recognizer Specification
In many cases, events associated with a device or application will contain a unique pattern. You can enter a
regular expression in the Format Recognizer section of the parser XML file to search for this pattern, which, if
found, will then parse the events according to the parser instructions. After the first match, the event source IP to
parser file map is cached, and only that parser file is used for all events from that source IP. A notable exception
is when events from disparate sources are received via a syslog server, but that case is handled differently.
While not a required part of the parser specification, a format recognizer can speed up event parsing, especially when one parsing pattern file among many pattern files must be chosen. A single pattern check can then determine whether the parsing file must be used or not. The other, less efficient option would be to examine the patterns in every file. At the same time, the format recognizer must be carefully chosen so that it is not so broad that it misclassifies events into the wrong files, and not so narrow that it fails to select the right file.
Order in Which Parsers are Used
The FortiSIEM parser processes the files in the specific order listed in the file parserOrder.csv.
- Format Recognizer Syntax
- Example Format Recognizers
  - Cisco IOS
  - Cisco ASA
  - Palo Alto Networks Log Parser
Format Recognizer Syntax
The specification for the format recognizer section is:
<eventFormatRecognizer><![CDATA[regexpattern]]></eventFormatRecognizer>
In the regexpattern block, a pattern can be directly specified using regex or a previously defined pattern (in the
pattern definition section in this file or in the GeneralPatternDefinitions.xml file) can be referenced.
Example Format Recognizers
Cisco IOS
All Cisco IOS events have a %module name pattern.
<patternDefinitions>
  <pattern name="patCiscoIOSMod" list="begin"><![CDATA[FW|SEC|SEC_LOGIN|SYS|SNMP|]]></pattern>
  <pattern name="patCiscoIOSMod" list="continue"><![CDATA[LINK|SPANTREE|LINEPROTO|DTP|PARSER|]]></pattern>
  <pattern name="patCiscoIOSMod" list="end"><![CDATA[CDP|DHCPD|CONTROLLER|PORT_SECURITYSP]]></pattern>
</patternDefinitions>
<eventFormatRecognizer><![CDATA[: %<:patCiscoIOSMod>-<:gPatInt>-<:patStrEndColon>:]]></eventFormatRecognizer>
Cisco ASA
All Cisco ASA events have the pattern ASA-severity-id pattern, for example ASA-5-12345.
<eventFormatRecognizer><![CDATA[ASA-\d-\d+]]></eventFormatRecognizer>
Palo Alto Networks Log Parser
In this case, there is no unique keyword, so the entire message structure from the beginning to a specific point in
the log must be considered.
Event:
<14>May 6 15:51:04 1,2010/05/06 15:51:04,0006C101167,TRAFFIC,start,1,2010/05/06 15:50:58,192.168.28.21,172.16.255.78,::172.16.255.78,172.16.255.78,rule3,,,icmp,vsys1,untrust,untrust,ethernet1/1,ethernet1/1,syslog172.16.20.152,2010/05/06 15:51:04,600,2,0,0,0,0,0x40,icmp,allow,196,196,196,2,2010/05/06 15:50:58,0,any,0
Format recognizer:
<eventFormatRecognizer><![CDATA[<:gPatTime>,\w+,(?:TRAFFIC|THREAT|CONFIG|SYSTEM)]]></eventFormatRecognizer>
Pattern Definition Specification
In this section of the parser XML specification, you set the regular expression patterns that FortiSIEM will iterate through to parse the device logs.
Reusing Pattern Definitions in Multiple Parser Specifications
If there is a pattern definition that you want to use in multiple parser specifications, you need to define it in the file GeneralPatternDefinitions.xml and then refer to it from your parser specifications. The patterns in that file are named with a g prefix, and can be referenced as shown in this example:
<generalPatternDefinitions>
  <pattern name="gPatSyslogPRI"><![CDATA[<\d+>]]></pattern>
  <pattern name="gPatMesgBody"><![CDATA[.*]]></pattern>
  <pattern name="gPatMonNum"><![CDATA[\d{1,2}]]></pattern>
  <pattern name="gPatDay"><![CDATA[\d{1,2}]]></pattern>
  <pattern name="gPatTime"><![CDATA[\d{1,2}:\d{1,2}:\d{1,2}]]></pattern>
  <pattern name="gPatYear"><![CDATA[\d{2,4}]]></pattern>
</generalPatternDefinitions>
Each pattern has a name and the regular expression pattern within the CDATA section. This is the basic syntax:
<pattern name="patternName"><![CDATA[pattern]]></pattern>
This is an example of a pattern definition:
<patternDefinitions>
  <pattern name="patIpV4Dot"><![CDATA[\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}]]></pattern>
  <pattern name="patComm"><![CDATA[[^,]+]]></pattern>
  <pattern name="patUpDown"><![CDATA[up|down]]></pattern>
  <pattern name="patStrEndColon"><![CDATA[[^:]*]]></pattern>
</patternDefinitions>
You can also write a long pattern definition in multiple lines and indicate their order as shown in this example. The value of the list attribute should be begin in the first line and end in the last line. If there are more than two lines, the attribute should be set to continue for the other lines.
<pattern name="patSolarisMod" list="begin"><![CDATA[sshd|login|]]></pattern>
<pattern name="patSolarisMod" list="continue"><![CDATA[inetd|lpstat|]]></pattern>
<pattern name="patSolarisMod" list="end"><![CDATA[su|sudo]]></pattern>
Parsing Instructions Specification
This section is the heart of the parser, which attempts to recognize patterns in a log message and populate
parsed event attributes.
In most cases, parsing involves applying a regular expression to the log, picking up values, and setting them to
event attributes. Sometimes the processing is more involved, for example when attributes need to be stored as
local variables and compared before populating the event attributes. There are three key components that are
used in parsing instructions: Event attributes and variables, inbuilt functions that perform operations on event
attributes and variables, and switch and choose branching constructs for logical operations. Values can be
collected from both unstructured and structured strings in log messages.
- Event Attributes and Variables
- Inbuilt Functions
- Branching Constructs
- Collecting Values from Unstructured Strings
- Collecting Fields from Structured Strings
Event Attributes and Variables
The dictionary of event attributes is defined in the FortiSIEM database, and any member not belonging to that list is considered a local variable. For readability, local variables should begin with an _, although this is not enforced.
Setting an Event Attribute to a Constant
<setEventAttribute attr="eventSeverity">1</setEventAttribute>
Setting an Event Attribute from Another Variable
The $ symbol is used to specify the content of a variable. In the example below, attribute hostMACAddr gets
the value stored in the local variable _mac.
<setEventAttribute attr="hostMACAddr">$_mac</setEventAttribute>
Inbuilt Functions
Combining Two or More Strings to Produce a Final String
This is accomplished by using the combineMsgId function. Here _evIdPrefix is the prefix, _evIdSuffix is the suffix, and the output will be string1-_evIdPrefix-_evIdSuffix.
<setEventAttribute attr="eventType">combineMsgId("string1", $_evIdPrefix, "-", $_evIdSuffix)</setEventAttribute>
Normalize MAC Address
This is accomplished by using the normalizeMAC function. The output will be six groups of two nibbles
separated by a colon, for example AA:BB:CC:DD:EE:FF.
<setEventAttribute attr="hostMACAddr">normalizeMAC($_mac)</setEventAttribute>
Compare Interface Security Level
This is accomplished by using the compIntfSecVal function. This primarily applies to Cisco ASA and PIX
firewalls. The results returned are:
- LESS if srcIntf has a strictly lower security level than destIntf
- GREATER if srcIntf has a strictly higher security level than destIntf
- EQUAL if srcIntf and destIntf have identical security levels
<setEventAttribute attr="_result">compIntfSecVal($srcIntf, $destIntf)</setEventAttribute>
Convert Hex Number to Decimal Number
This is accomplished by using the convertHexStrToInt function.
<setEventAttribute attr="ipConnId">convertHexStrToInt($_ipConnId)</setEventAttribute>
Convert TCP/UDP Protocol String to Port Number
This is accomplished by using the convertStrToIntIpPort function.
<setEventAttribute attr="destIpPort">convertStrToIntIpPort($_dport)</setEventAttribute>
Convert Protocol String to Number
This is accomplished by the using the convertStrToIntIpProto function.
<setEventAttribute attr="ipProto">convertStrToIntIpProto($_proStr)</setEventAttribute>
Convert Decimal IP to String
This is accomplished by using the convertIpDecimalToStr function.
<setEventAttribute attr="srcIpAddr">convertIpDecimalToStr($_srcIpAddr)</setEventAttribute>
Convert Host Name to IP
This is accomplished by using the convertHostNameToIp function.
<setEventAttribute attr="srcIpAddr">convertHostNameToIp($_saddr)</setEventAttribute>
Add Two Numbers
This is accomplished by using the add function.
<setEventAttribute attr="totBytes">add($sentBytes, $recvBytes)</setEventAttribute>
Divide Two Numbers
This is accomplished by using the divide function.
<setEventAttribute attr="memUtil">divide($_usedMem, $_totalMem)</setEventAttribute>
Scale Function
This is accomplished by using the scale function.
<setEventAttribute attr="durationMSec">scale($_durationSec, 1000)</setEventAttribute>
Extract Host from Fully Qualified Domain Name
This is accomplished by using the extractHostFromFQDN function. If _fqdn contains a ".", the string before the
first "." is returned; otherwise, the whole string is returned.
<setEventAttribute attr="hostName">extractHostFromFQDN($_fqdn)</setEventAttribute>
Replace a String Using a Regular Expression
This is accomplished by using the replaceStringByRegex function.
<setEventAttribute attr="eventType">replaceStringByRegex($_eventType, "\s+", "_")</setEventAttribute>
e.g. _eventType: "Event Type"; eventType: "Event_Type"
Replace String in String
This is accomplished by using the replaceStrInStr function.
<setEventAttribute attr="computer">replaceStrInStr($_computer, "\\", "")</setEventAttribute>
Resolve DNS Name
This is accomplished by using the resolveDNSName function, which converts DNS name to IP address.
<setEventAttribute attr="destIpAddr">resolveDNSName($destName)</setEventAttribute>
Convert to UNIX Time
This is accomplished by using the toDateTime function.
<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_year, $_time)</setEventAttribute>
<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>
Trim Attribute
This is accomplished by using the trimAttribute function. In the example below, it is used to trim the leading and
trailing dots in destName.
<setEventAttribute attr="destName">trimAttribute($destName, ".")</setEventAttribute>
Branching Constructs
Choose Construct
The format is:
<choose>
  <when test='$AttributeOrVariable1 operator Value1'>
    ...
  </when>
  <when test='$AttributeOrVariable2 operator Value2'>
    ...
  </when>
  <otherwise>
    ...
  </otherwise>
</choose>
Switch Construct
The format is:
<switch>
  <case>
    ...
  </case>
  <case>
    ...
  </case>
</switch>
Collecting Values from Unstructured Strings
From a string input source, a regex match is applied and variables are set. The variables can be event attributes
or local variables. The input will be a local variable or the default raw message variable. The syntax is:
<collectAndSetAttrByRegex src="$inputString">
  <regex><![CDATA[regexpattern]]></regex>
</collectAndSetAttrByRegex>
The regexpattern is specified by a list of variables and sub-patterns embedded within a larger pattern. Each
variable and sub-pattern pair are enclosed within <>.
Consider an example in which the local variable _body is set to list 130 permitted eigrp
172.16.34.4(Serial1) -> 172.16.34.3, 1 packet. From this string we need to set the values to
local variables and event attributes.
Value          Set To         Type
130            _aclName       Local Variable
permitted      _action        Local Variable
eigrp          _proto         Local Variable
172.16.34.4    srcIpAddr      Event Attribute
Serial1        srcIntfName    Event Attribute
172.16.34.3    destIpAddr     Event Attribute
1              totPkts        Event Attribute
This is achieved by using this XML. Note that you can use both the collectAndSetAttrByRegex and
collectFieldsByRegex functions to collect values from fields.
<collectAndSetAttrByRegex src="$_body">
  <regex><![CDATA[list <_aclName:gPatStr> <_action:gPatWord> <_proto:gPatWord> <srcIpAddr:gPatIpV4Dot>\(<srcIntfName:gPatWord>\) -> <destIpAddr:gPatIpV4Dot>, <totPkts:gPatInt> <:gPatMesgBody>]]></regex>
</collectAndSetAttrByRegex>
Collecting Fields from Structured Strings
There are usually two types of structured strings in device logs:
- Key=value structured
- Value list structured
For each of these, a specialized parsing construct that is simpler than a regular expression is provided.
Key=Value Structured Data
Certain logs, such as SNMP traps, are structured as Key1 = value1 <separator> Key2 = value2,....
These can be parsed using the collectAndSetAttrByKeyValuePair XML attribute tag with this syntax.
<collectAndSetAttrByKeyValuePair sep='separatorString' src="$inputString">
  <attrKeyMap attr="variableOrEventAttribute1" key="key1"/>
  <attrKeyMap attr="variableOrEventAttribute2" key="key2"/>
</collectAndSetAttrByKeyValuePair>
When a key1 match is found, then the entire string following key1 up to the separatorString is parsed out
and stored in the attribute variableOrEventAttribute1.
As an example, consider this log fragment.
_body =
SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.60 = Hex-STRING: 07 D8 06 0B 13 15 00 00 2D 07 00
SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.11.0 = Hex-STRING: 00 16 B6 DB 12 22
SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.12.0 = Hex-STRING: 00 21 55 4D 66 B0
SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.13.0 = INTEGER: 36
SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.1.0 = Hex-STRING: 00 1A 1E C0 60 7A
SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.56.0 = INTEGER: 2
SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.17.0 = STRING: "00:1a:1e:c0:60:7a"
The corresponding parser fragment is:
<collectAndSetAttrByKeyValuePair sep='\t\\| SNMP' src="$_body">
  <attrKeyMap attr="srcMACAddr" key="SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.11.0 = Hex-STRING: "/>
  <attrKeyMap attr="_destMACAddr" key="SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.12.0 = Hex-STRING: "/>
  <attrKeyMap attr="wlanSSID" key="SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.6.0 = STRING: "/>
  <attrKeyMap attr="wlanRadioId" key="SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.56.0 = INTEGER: "/>
  <attrKeyMap attr="apMac" key="SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.17.0 = STRING: "/>
</collectAndSetAttrByKeyValuePair>
After parsing, the attribute values are set:
Value                 Attribute
00 16 B6 DB 12 22     srcMACAddr
00 21 55 4D 66 B0     destMacAddr
2                     wlanRadioId
00:1a:1e:c0:60:7a     apMac
Value List Structured Data
Certain application logs, such as those from Microsoft IIS, are structured as a list of values with a separator.
These can be parsed using the collectAndSetAttrByPos XML attribute tag following this syntax.
<collectAndSetAttrByPos sep='separatorString' src="$inputString">
  <attrPosMap attr="variableOrEventAttribute1" pos='offset1'/>
  <attrPosMap attr="variableOrEventAttribute2" pos='offset2'/>
</collectAndSetAttrByPos>
The input string is split on separatorString; the value found at position offset1 is stored in
variableOrEventAttribute1, the value at offset2 in variableOrEventAttribute2, and so on.
As an example, consider this log fragment.
_body =
W3SVC1 ADS-PRI 192.168.0.10 GET /Document/ACE/index.htm - 80 - 192.168.20.55 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.8.1.11)+Gecko/20071127+Firefox/2.0.0.11 [http://wwwin/Document/] wwwin 200 0 0 5750 445 15
The parser fragment is:
<collectAndSetAttrByPos src="$_body" sep=' '>
  <attrPosMap attr="srvInstName" pos='1'/>
  <attrPosMap attr="destName" pos='2'/>
  <attrPosMap attr="relayDevIpAddr" pos='2'/>
  <attrPosMap attr="destIpAddr" pos='3'/>
  <attrPosMap attr="httpMethod" pos='4'/>
  <attrPosMap attr="uriStem" pos='5'/>
  <attrPosMap attr="uriQuery" pos='6'/>
  <attrPosMap attr="destIpPort" pos='7'/>
  <attrPosMap attr="user" pos='8'/>
  <attrPosMap attr="srcIpAddr" pos='9'/>
  <attrPosMap attr="httpVersion" pos='10'/>
  <attrPosMap attr="httpUserAgent" pos='11'/>
  <attrPosMap attr="httpReferrer" pos='13'/>
  <attrPosMap attr="httpStatusCode" pos='15'/>
  <attrPosMap attr="httpSubStatusCode" pos='16'/>
  <attrPosMap attr="httpWin32Status" pos='17'/>
  <attrPosMap attr="recvBytes" pos='18'/>
  <attrPosMap attr="sentBytes" pos='19'/>
  <attrPosMap attr="durationMSec" pos='20'/>
</collectAndSetAttrByPos>
For structured strings, the techniques in this section are more efficient than those in the previous section,
since the expression is simpler and one tag can parse the string regardless of the order in which the keys or
values appear in it.
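As an added example (not FortiSIEM code), the following Python emulates the two structured-string constructs over the page's SNMP trap and IIS samples. It assumes a tab between the SNMP entries so that "\t" is the separator, an IIS line that carries the cs(Cookie) field at position 12 as the page's offsets require, and the page's attrKeyMap/attrPosMap entries (without the duplicate relayDevIpAddr one).

```python
import re
from typing import Dict

# Constructed SNMP trap body modelled on the page's example. The entries are
# joined with a tab so that "\t" is the separator the parser looks for.
SNMP_BODY = "\t".join([
    "SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.60 = Hex-STRING: 07 D8 06 0B 13 15 00 00 2D 07 00",
    "SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.11.0 = Hex-STRING: 00 16 B6 DB 12 22",
    "SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.12.0 = Hex-STRING: 00 21 55 4D 66 B0",
    "SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.13.0 = INTEGER: 36",
    "SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.1.0 = Hex-STRING: 00 1A 1E C0 60 7A",
    "SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.56.0 = INTEGER: 2",
    'SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.17.0 = STRING: "00:1a:1e:c0:60:7a"',
])

# attr -> key, as in the page's <attrKeyMap> entries. wlanSSID's key (.6.0) does
# not occur in the sample, which exercises the "key absent" path.
SNMP_KEY_MAP = {
    "srcMACAddr": "SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.11.0 = Hex-STRING: ",
    "_destMACAddr": "SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.12.0 = Hex-STRING: ",
    "wlanSSID": "SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.6.0 = STRING: ",
    "wlanRadioId": "SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.56.0 = INTEGER: ",
    "apMac": "SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.17.0 = STRING: ",
}


def collect_by_key_value(src: str, sep: str, key_map: Dict[str, str]) -> Dict[str, str]:
    """Emulate collectAndSetAttrByKeyValuePair: for each key found in src, take
    the text after the key up to the next separator match (or end of string).
    A key that is absent leaves its attribute unset rather than empty."""
    sep_re = re.compile(sep)
    out: Dict[str, str] = {}
    for attr, key in key_map.items():
        start = src.find(key)
        if start < 0:
            continue
        start += len(key)
        m = sep_re.search(src, start)
        value = src[start:m.start() if m else len(src)].strip()
        # The page's result table shows STRING values without their quotes.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        out[attr] = value
    return out


# Constructed IIS W3C line in the field order the page's offsets assume, with the
# cs(Cookie) field ("-") at position 12 between the user agent and the referrer.
IIS_BODY = (
    "W3SVC1 ADS-PRI 192.168.0.10 GET /Document/ACE/index.htm - 80 - 192.168.20.55 "
    "HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.8.1.11)+Gecko/"
    "20071127+Firefox/2.0.0.11 - [http://wwwin/Document/] wwwin 200 0 0 5750 445 15"
)

# attr -> 1-based position, as in the page's <attrPosMap> entries.
IIS_POS_MAP = {
    "srvInstName": 1, "destName": 2, "destIpAddr": 3, "httpMethod": 4, "uriStem": 5,
    "uriQuery": 6, "destIpPort": 7, "user": 8, "srcIpAddr": 9, "httpVersion": 10,
    "httpUserAgent": 11, "httpReferrer": 13, "httpStatusCode": 15,
    "httpSubStatusCode": 16, "httpWin32Status": 17, "recvBytes": 18,
    "sentBytes": 19, "durationMSec": 20,
}


def collect_by_pos(src: str, sep: str, pos_map: Dict[str, int]) -> Dict[str, str]:
    """Emulate collectAndSetAttrByPos: split src on the literal separator and
    pick fields by 1-based offset. An offset past the end of a short line
    leaves the attribute unset instead of raising."""
    fields = src.split(sep)
    return {attr: fields[pos - 1] for attr, pos in pos_map.items()
            if 1 <= pos <= len(fields)}


if __name__ == "__main__":
    print(collect_by_key_value(SNMP_BODY, r"\t", SNMP_KEY_MAP))
    print(collect_by_pos(IIS_BODY, " ", IIS_POS_MAP))
```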
Creating a Custom Parser
Cloning New Parsers
You can clone an existing parser and then use it as the basis for creating a new one. Select the parser you want to
clone, and then click Clone. Modify the parser as necessary, and then make sure you use the Up and Down
buttons to place it in the list of parsers at the point at which it should be applied.
Creating Custom Parsers for Multi-Tenant Deployments
Custom parsers can only be created from the Super/Global account in Service Provider FortiSIEM deployments.
- Prerequisites
- Procedure
Prerequisites
- You should have examples of the logs that you want to parse
- You should have created any new device/application types, event attribute types, or event types that you want to
use in your XML specification
- You should already have written the XML specification for your parser
- You should have prepared a test event that you can use to validate the parser
Parsers Applied in Order
Parsers are applied in the order they are listed in Admin > Device Support > Parsers, so it is important to add
your custom parser to the list in relation to any other parsers that may be applied to your device logs. If you click
Fix Order, this will arrange the parsers with system-defined parsers at the top of the list in their original order,
and user-defined parsers at the bottom. Be sure to click Apply to make sure the change in order is picked up by
the back-end module.
Procedure
1. Go to Admin > Device Support > Parsers.
2. Select a parser that is above the location in the list where you want to add your parser, and then click New.
3. Enter a Name for the parser.
4. Select a Device Type to which the parser should apply.
If the device type doesn't appear in the menu, you should create a new device type.
5. Enter a Test Event containing an example of an event that you want to use to validate the parser.
6. Enter the Parser XML.
7. Click Validate.
This will validate the XML.
8. Click Test.
This will send the test event to the parser to make sure it is parsed correctly, and will also test the parsers above
and below yours in the list to make sure they continue to parse logs correctly.
9. If the XML for your parser validates and the test event is correctly parsed, select Enable.
If you need to continue working on your parser, you can Save it without selecting Enable.
10. Click Save.
11. Click Apply to have the backend module pick up your parser and begin applying it to device logs.
You should now validate that events are being parsed by creating some activity that will cause a log to be
generated, and then run a query against the new device IP address and validate the parsed results.
Deleting or Disabling a Parser
Deleting User-Defined Parsers
You can only delete user-defined parsers, but both system and user-defined parsers can be disabled.
1. Go to Admin > Device Support > Parsers.
2. Select the parser you want to delete or disable.
3. Click Delete or Disable.
4. Click Yes to confirm that you want to delete or disable the parser.
Exporting a Custom Parser
To export a parser, you must also export XML files for the device/app types, event attribute types, event types,
and then the parser specification file used by your parser.
1. Go to Admin > Device Support > Device/App Types.
2. Select the device/application types used in your parser, and then click Export.
3. Go to Admin > Device Support > Event Attribute Types.
4. Select the event attribute types used in your parser, and then click Export.
5. Go to Admin > Device Support > Event Types.
6. Select the event types used in your parser, and then click Export.
7. Go to Admin > Device Support > Parsers.
8. Select the parser specification for your parser, and then click Export.
Importing a Custom Parser
Importing a custom parser involves importing four XML files: the XML files containing any device/app types,
event attribute types, or event types that you have created for this parser, followed by the parser specification
XML file.
1. For each device/app type, event attribute type, or event type XML file that is required for your parser, go to the
appropriate tab in Admin > Device Support, and then click Import.
2. Browse to the location of your XML file, and then click Upload.
3. Go to Admin > Device Support > Parsers, and then click Import.
4. Browse to the location of your parser specification XML file, and then click Upload.
5. Follow the instructions in Creating a Custom Parser to validate your XML and test the parser, and to make sure it
appears in the correct position in the list of parsers.
Parser Examples
- Cisco IOS Syslog Parser
Cisco IOS Syslog Parser
The objective is to parse this syslog message:
<190>91809: Jan 9 02:38:47.872: %SEC-6-IPACCESSLOGP: list testlog permitted tcp
192.168.20.33(3438) -> 69.147.86.184(80), 1 packet
Creating the appropriate parser requires these steps.
- Add Device Type
- Create the Parser Specification and Add Local Patterns
- Define the Format Recognizer
- Parse the Syslog Header
- Parse the Syslog Body
- Final Parser
- Parsed Output
Add Device Type
Create a file CiscoIOSParser.xml with this content.
<eventParser name="CiscoIOSParser">
  <deviceType>
    <Vendor>Cisco</Vendor>
    <Model>IOS</Model>
    <Version>ANY</Version>
  </deviceType>
</eventParser>
Create the Parser Specification and Add Local Patterns
Create the parser XML file with this content, and add the pattern definition patCiscoIOSMod for detecting IOS
modules such as SEC.
<eventParser name="CiscoIOSParser">
  <deviceType>
    <Vendor>Cisco</Vendor>
    <Model>IOS</Model>
    <Version>ANY</Version>
  </deviceType>
  <patternDefinitions>
    <pattern name="patCiscoIOSMod" list="begin"><![CDATA[FW|SEC|SEC_LOGIN|SYS|SNMP|]]></pattern>
    <pattern name="patCiscoIOSMod" list="continue"><![CDATA[LINK|SPANTREE|LINEPROTO|DTP|PARSER|]]></pattern>
    <pattern name="patCiscoIOSMod" list="end"><![CDATA[CDP|DHCPD|CONTROLLER|PORT_SECURITY-SP]]></pattern>
    <pattern name="patStrEndColon"><![CDATA[[^:]*]]></pattern>
    <pattern name="patComm"><![CDATA[[^,]+]]></pattern>
  </patternDefinitions>
</eventParser>
Define the Format Recognizer
Add this format recognizer for detecting %SEC-6-IPACCESSLOGP, which is a signature of Cisco IOS syslog
messages.
<eventParser name="CiscoIOSParser">
  <deviceType>
    <Vendor>Cisco</Vendor>
    <Model>IOS</Model>
    <Version>ANY</Version>
  </deviceType>
  <patternDefinitions>
    <pattern name="patCiscoIOSMod" list="begin"><![CDATA[FW|SEC|SEC_LOGIN|SYS|SNMP|]]></pattern>
    <pattern name="patCiscoIOSMod" list="continue"><![CDATA[LINK|SPANTREE|LINEPROTO|DTP|PARSER|]]></pattern>
    <pattern name="patCiscoIOSMod" list="end"><![CDATA[CDP|DHCPD|CONTROLLER|PORT_SECURITY-SP]]></pattern>
    <pattern name="patStrEndColon"><![CDATA[[^:]*]]></pattern>
    <pattern name="patComm"><![CDATA[[^,]+]]></pattern>
  </patternDefinitions>
  <eventFormatRecognizer>
    <![CDATA[: %<:patCiscoIOSMod>-<:gPatInt>-<:patStrEndColon>:]]>
  </eventFormatRecognizer>
</eventParser>
Parse the Syslog Header
A syslog message consists of a syslog header and a body. For better organization, we first parse the syslog
header and the event type. Subsequent code will include event type specific parsing, which is why the event type is
extracted in this step. In this example, the header is the portion of the message up to and including
%SEC-6-IPACCESSLOGP:.
<190>91809: Jan 9 02:38:47.872: %SEC-6-IPACCESSLOGP: list testlog permitted
tcp 192.168.20.33(3438) -> 69.147.86.184(80), 1 packet
The XML code for parsing the header does the following:
1. Matches the pattern <190>91809: Jan 9 02:38:47.872: %SEC-6-IPACCESSLOGP:
2. Sets the eventType attribute to IOS-SEC-IPACCESSLOGP.
3. Sets deviceTime.
4. Sets event severity (1-7 scale in Cisco IOS, 1 => most severe, to the normalized 1-10 scale in FortiSIEM where
10 => most severe)
5. Saves the remainder of the message, list testlog permitted tcp 192.168.20.33(3438) -> 69.147.86.184
(80), 1 packet, in the temporary variable _body.
Note that the patterns gPatSyslogPRI, gPatMon, gPatDay, gPatTime, gPatInt, gPatMesgBody are
global patterns that are defined in the GeneralPatternDefinitions.xml file:
<generalPatternDefinitions>
  <pattern name="gPatSyslogPRI"><![CDATA[<\d+>]]></pattern>
  <pattern name="gPatMesgBody"><![CDATA[.*]]></pattern>
  <pattern name="gPatMon"><![CDATA[Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec|\d{1,2}]]></pattern>
  <pattern name="gPatDay"><![CDATA[\d{1,2}]]></pattern>
  <pattern name="gPatTime"><![CDATA[\d{1,2}:\d{1,2}:\d{1,2}]]></pattern>
  <pattern name="gPatInt"><![CDATA[\d+]]></pattern>
</generalPatternDefinitions>
This parser file XML fragment for parsing the example syslog message looks like this:
<parsingInstructions>
  <collectFieldsByRegex src="$_rawmsg">
    <regex><![CDATA[<:gPatSyslogPRI>?<:gPatMon>\s+<:gPatDay>\s+<:gPatTime> %<_evIdPrefix:patCiscoIOSMod>-<_severity:gPatInt>-<_evIdSuffix:patStrEndColon>: <_body:gPatMesgBody>]]></regex>
  </collectFieldsByRegex>
  <setEventAttribute attr="eventType">combineMsgId("IOS-", $_evIdPrefix, "-", $_evIdSuffix)</setEventAttribute>
  <choose>
    <when test='$_severity IN "6, 7"'>
      <setEventAttribute attr="eventSeverity">1</setEventAttribute>
    </when>
    <when test='$_severity = "1"'>
      <setEventAttribute attr="eventSeverity">10</setEventAttribute>
    </when>
    <when test='$_severity = "2"'>
      <setEventAttribute attr="eventSeverity">8</setEventAttribute>
    </when>
    <when test='$_severity IN "3, 4"'>
      <setEventAttribute attr="eventSeverity">5</setEventAttribute>
    </when>
    <when test='$_severity = "5"'>
      <setEventAttribute attr="eventSeverity">2</setEventAttribute>
    </when>
  </choose>
</parsingInstructions>
Parse the Syslog Body
The parsing is done on an eventType by eventType basis, since the formats are eventType specific. Parsing the
syslog body involves three steps:
1. Parsing the action string. Based on the action string value (permitted or denied), modify the eventType by
appending the action string value at the end, and also modify the eventSeverity value.
2. Parsing the protocol, source and destination IP, port, and totalPackets.
3. Converting the protocol string to a protocol integer.
<choose>
  <when test='$eventType IN "IOS-SEC-IPACCESSLOGP, IOS-SEC-IPACCESSLOGDP, IOS-SEC-IPACCESSLOGRP"'>
    <collectAndSetAttrByRegex src="$_body">
      <regex><![CDATA[list <_aclName:gPatStr>\s+<_action:gPatWord>\s+<_proto:gPatWord>\s+<srcIpAddr:gPatIpV4Dot>\(<srcIpPort:gPatInt>\)<:gPatMesgBody>>\s+<destIpAddr:gPatIpV4Dot>\(<destIpPort:gPatInt>\),\s+<totPkts:gPatInt> <:gPatMesgBody>]]></regex>
    </collectAndSetAttrByRegex>
    <choose>
      <when test='$_action = "permitted"'>
        <setEventAttribute attr="eventType">combineMsgId("IOS-", $_evIdPrefix, "-", $_evIdSuffix, "-PERMITTED")</setEventAttribute>
        <setEventAttribute attr="eventSeverity">1</setEventAttribute>
      </when>
      <when test='$_action = "denied"'>
        <setEventAttribute attr="eventType">combineMsgId("IOS-", $_evIdPrefix, "-", $_evIdSuffix, "-DENIED")</setEventAttribute>
        <setEventAttribute attr="eventSeverity">3</setEventAttribute>
      </when>
    </choose>
    <setEventAttribute attr="ipProto">convertStrToIntIpProto($_proto)</setEventAttribute>
  </when>
</choose>
Final Parser
<eventParser name="CiscoIOSParser">
  <deviceType>
    <Vendor>Cisco</Vendor>
    <Model>IOS</Model>
    <Version>ANY</Version>
  </deviceType>
  <patternDefinitions>
    <pattern name="patCiscoIOSMod" list="begin"><![CDATA[FW|SEC|SEC_LOGIN|SYS|SNMP|]]></pattern>
    <pattern name="patCiscoIOSMod" list="continue"><![CDATA[LINK|SPANTREE|LINEPROTO|DTP|PARSER|]]></pattern>
    <pattern name="patCiscoIOSMod" list="end"><![CDATA[CDP|DHCPD|CONTROLLER|PORT_SECURITY-SP]]></pattern>
    <pattern name="patStrEndColon"><![CDATA[[^:]*]]></pattern>
    <pattern name="patComm"><![CDATA[[^,]+]]></pattern>
  </patternDefinitions>
  <parsingInstructions>
    <!-- parse header -->
    <collectFieldsByRegex src="$_rawmsg">
      <regex><![CDATA[<:gPatSyslogPRI>?<:gPatMon>\s+<:gPatDay>\s+<:gPatTime> %<_evIdPrefix:patCiscoIOSMod>-<_severity:gPatInt>-<_evIdSuffix:patStrEndColon>: <_body:gPatMesgBody>]]></regex>
    </collectFieldsByRegex>
    <setEventAttribute attr="eventType">combineMsgId("IOS-", $_evIdPrefix, "-", $_evIdSuffix)</setEventAttribute>
    <choose>
      <when test='$_severity IN "6, 7"'>
        <setEventAttribute attr="eventSeverity">1</setEventAttribute>
      </when>
      <when test='$_severity = "1"'>
        <setEventAttribute attr="eventSeverity">10</setEventAttribute>
      </when>
      <when test='$_severity = "2"'>
        <setEventAttribute attr="eventSeverity">8</setEventAttribute>
      </when>
      <when test='$_severity IN "3, 4"'>
        <setEventAttribute attr="eventSeverity">5</setEventAttribute>
      </when>
      <when test='$_severity = "5"'>
        <setEventAttribute attr="eventSeverity">2</setEventAttribute>
      </when>
    </choose>
    <!-- parse body -->
    <choose>
      <when test='$eventType IN "IOS-SEC-IPACCESSLOGP, IOS-SEC-IPACCESSLOGDP, IOS-SEC-IPACCESSLOGRP"'>
        <collectAndSetAttrByRegex src="$_body">
          <regex><![CDATA[list <_aclName:gPatStr>\s+<_action:gPatWord>\s+<_proto:gPatWord>\s+<srcIpAddr:gPatIpV4Dot>\(<srcIpPort:gPatInt>\)<:gPatMesgBody>>\s+<destIpAddr:gPatIpV4Dot>\(<destIpPort:gPatInt>\),\s+<totPkts:gPatInt> <:gPatMesgBody>]]></regex>
        </collectAndSetAttrByRegex>
        <choose>
          <when test='$_action = "permitted"'>
            <setEventAttribute attr="eventType">combineMsgId("IOS-", $_evIdPrefix, "-", $_evIdSuffix, "-PERMITTED")</setEventAttribute>
            <setEventAttribute attr="eventSeverity">1</setEventAttribute>
          </when>
          <when test='$_action = "denied"'>
            <setEventAttribute attr="eventType">combineMsgId("IOS-", $_evIdPrefix, "-", $_evIdSuffix, "-DENIED")</setEventAttribute>
            <setEventAttribute attr="eventSeverity">3</setEventAttribute>
          </when>
        </choose>
        <setEventAttribute attr="ipProto">convertStrToIntIpProto($_proto)</setEventAttribute>
      </when>
    </choose>
  </parsingInstructions>
</eventParser>
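As an added example (not FortiSIEM's own code), the following Python emulates the <variable:pattern> template mechanism described under Collecting Values from Unstructured Strings and runs the CiscoIOSParser logic above end to end on the page's sample messages. It assumes definitions for gPatStr, gPatWord and gPatIpV4Dot (used on this page but not defined), a gPatTime widened to accept the fractional seconds and trailing colon in the sample timestamp, a recognizer with the "-" between module and severity that "%SEC-6-IPACCESSLOGP:" requires, and a small IANA table in place of convertStrToIntIpProto.

```python
import re
from typing import Dict, Optional

# Global patterns from the page's GeneralPatternDefinitions.xml excerpt. gPatStr,
# gPatWord and gPatIpV4Dot are used by the page but not defined there, and gPatTime
# is widened to accept the ".872:" Cisco IOS appends to its timestamp: assumptions.
GLOBAL_PATTERNS = {
    "gPatSyslogPRI": r"<\d+>",
    "gPatMesgBody": r".*",
    "gPatMon": r"Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec|\d{1,2}",
    "gPatDay": r"\d{1,2}",
    "gPatTime": r"\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?:?",
    "gPatInt": r"\d+",
    "gPatStr": r"\S+",
    "gPatWord": r"\w+",
    "gPatIpV4Dot": r"\d{1,3}(?:\.\d{1,3}){3}",
}
# Local patterns of the CiscoIOSParser; the three list="begin/continue/end" pieces
# of patCiscoIOSMod are concatenated into one alternation.
LOCAL_PATTERNS = {
    "patCiscoIOSMod": "FW|SEC|SEC_LOGIN|SYS|SNMP|LINK|SPANTREE|LINEPROTO|DTP|PARSER|"
                      "CDP|DHCPD|CONTROLLER|PORT_SECURITY-SP",
    "patStrEndColon": r"[^:]*",
}
PATTERNS = {**GLOBAL_PATTERNS, **LOCAL_PATTERNS}
TOKEN = re.compile(r"<(_?[A-Za-z0-9]*):([A-Za-z0-9_]+)>")


def expand_template(template: str) -> str:
    """Turn a <var:pattern> template into a Python regex: <var:pat> becomes a named
    group, <:pat> a non-capturing one. Wrapping keeps each pattern's '|' local."""
    def repl(m: "re.Match[str]") -> str:
        name, body = m.group(1), PATTERNS[m.group(2)]
        return f"(?P<{name}>{body})" if name else f"(?:{body})"
    return TOKEN.sub(repl, template)


def collect_fields(template: str, src: str) -> Dict[str, str]:
    """collectFieldsByRegex / collectAndSetAttrByRegex: the named groups of the first
    match, or {} when the expression does not match at all."""
    m = re.search(expand_template(template), src)
    return m.groupdict() if m else {}


# Templates taken from the page's CiscoIOSParser. The recognizer carries the '-'
# between module and severity that "%SEC-6-IPACCESSLOGP:" requires (assumption).
RECOGNIZER = r": %<:patCiscoIOSMod>-<:gPatInt>-<:patStrEndColon>:"
HEADER = (r"<:gPatSyslogPRI>?<:gPatMon>\s+<:gPatDay>\s+<:gPatTime> %<_evIdPrefix:patCiscoIOSMod>"
          r"-<_severity:gPatInt>-<_evIdSuffix:patStrEndColon>: <_body:gPatMesgBody>")
ACL_BODY = (r"list <_aclName:gPatStr>\s+<_action:gPatWord>\s+<_proto:gPatWord>\s+"
            r"<srcIpAddr:gPatIpV4Dot>\(<srcIpPort:gPatInt>\)<:gPatMesgBody>>\s+"
            r"<destIpAddr:gPatIpV4Dot>\(<destIpPort:gPatInt>\),\s+<totPkts:gPatInt> <:gPatMesgBody>")
ACL_EVENTS = {"IOS-SEC-IPACCESSLOGP", "IOS-SEC-IPACCESSLOGDP", "IOS-SEC-IPACCESSLOGRP"}
# Cisco 1..7 (1 most severe) -> FortiSIEM 1..10 (10 most severe), per the <choose> block.
SEVERITY = {"1": 10, "2": 8, "3": 5, "4": 5, "5": 2, "6": 1, "7": 1}
# IANA protocol numbers standing in for convertStrToIntIpProto (assumption).
IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17}


def parse_cisco_ios(raw: str) -> Dict[str, object]:
    """Header -> eventType -> severity -> eventType-specific body parse. Returns {}
    when the format recognizer misses, i.e. the next parser in the list would run."""
    if not re.search(expand_template(RECOGNIZER), raw):
        return {}
    ev: Dict[str, object] = dict(collect_fields(HEADER, raw))
    if not ev:
        return {}
    ev["eventType"] = f"IOS-{ev['_evIdPrefix']}-{ev['_evIdSuffix']}"   # combineMsgId
    sev: Optional[int] = SEVERITY.get(str(ev["_severity"]))
    if sev is not None:          # no <otherwise>: severity 0 leaves the attribute unset
        ev["eventSeverity"] = sev
    if ev["eventType"] in ACL_EVENTS:
        ev.update(collect_fields(ACL_BODY, str(ev["_body"])))
        if ev.get("_action") == "permitted":
            ev["eventType"] = f"{ev['eventType']}-PERMITTED"
            ev["eventSeverity"] = 1
        elif ev.get("_action") == "denied":
            ev["eventType"] = f"{ev['eventType']}-DENIED"
            ev["eventSeverity"] = 3
        if "_proto" in ev:
            ev["ipProto"] = IP_PROTO.get(str(ev["_proto"]).lower())
    # '_'-prefixed names are local variables; only event attributes are reported.
    return {k: v for k, v in ev.items() if not k.startswith("_")}


# Constructed inputs: the page's Cisco IOS sample and its EIGRP ACL body example.
SAMPLE_SYSLOG = ("<190>91809: Jan 9 02:38:47.872: %SEC-6-IPACCESSLOGP: list testlog permitted tcp "
                 "192.168.20.33(3438) -> 69.147.86.184(80), 1 packet")
EIGRP_BODY = "list 130 permitted eigrp 172.16.34.4(Serial1) -> 172.16.34.3, 1 packet"
EIGRP_TEMPLATE = (r"list <_aclName:gPatStr> <_action:gPatWord> <_proto:gPatWord> "
                  r"<srcIpAddr:gPatIpV4Dot>\(<srcIntfName:gPatWord>\) -> <destIpAddr:gPatIpV4Dot>, "
                  r"<totPkts:gPatInt> <:gPatMesgBody>")

if __name__ == "__main__":
    print(parse_cisco_ios(SAMPLE_SYSLOG))
    print(collect_fields(EIGRP_TEMPLATE, EIGRP_BODY))
```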
Parsed Output
Input syslog:
<190>91809: Jan 9 02:38:47.872: %SEC-6-IPACCESSLOGP: list testlog permitted
tcp 192.168.20.33(3438) -> 69.147.86.184(80), 1 packet
Parsed fields:
1. phRecvTime: the time at which the event was received by FortiSIEM
2. phDeviceTime: Jan 9 02:38:47 2010
3. eventType: SEC-IPACCESSLOGP-PERMITTED
4. eventSeverity: 3
5. eventSeverityCategory: LOW
6. aclName: testlog
7. ipProto: 6
8. srcIpAddr: 192.168.20.33
9. destIpAddr: 69.147.86.184
10. srcIpPort: 3438
11. destIpPort: 80
12. totPkts: 1
The master list of event attributes supported by FortiSIEM is here.
Custom Performance Monitors
Creating a custom performance monitor involves creating a performance object that specifies the monitoring
access protocol to use, maps event attributes available for that protocol to FortiSIEM event attribute types, and
then associates those attributes to an event type. You can use system or user-defined device types, event
attribute types, and event types when creating the performance object.
- Creating a Custom Performance Monitor
- Monitoring Protocol Configuration Settings
- Mapping Monitoring Protocol Objects to Event Attributes
- Exporting a Custom Performance Monitor
- Importing a Custom Performance Monitor
- Examples of Custom Performance Monitors
Creating a Custom Performance Monitor
You create custom performance monitors by defining the performance object that you want to monitor, including
the relationship between the performance object and FortiSIEM events and event attributes, and then
associating the performance object to a device type.
Creating Custom Performance Monitors for Enterprise and Multi-Tenant Deployments
In Service Provider FortiSIEM deployments, custom performance monitors have to be created by the
Super/Global account, and apply to all organizations. In enterprise deployments, custom performance monitors
can be created by any user who has access to the Admin tab.
- Prerequisites
- Procedure
Prerequisites
- You should review the configuration settings for the monitoring protocols that you will use in your monitor, and be
ready to provide the appropriate OIDs, classes, or database table attributes for the access protocol.
- You should have created any new device/application types, event attribute types, or event types that you want to
use in your performance monitor
- You should have the IP address and access credentials for a device that you can use to test the monitor
Procedure
Creating the Performance Object and Applying it to a Device
1. Go to Admin > Device Support > Performance Monitoring.
2. Click New.
3. Enter a Name for the performance monitor.
4. For Type, select either System or Application.
5. For Method, select the monitoring protocol for the performance monitor.
See the topics under Monitoring Protocol Configuration Settings for more information about the configuration
settings for each type of monitoring protocol.
6. Click New next to List of Attributes, and create the mapping between the performance object and FortiSIEM
event attributes.
Note that the Method you select will determine the name of this mapping and the configuration options that are
available. See Mapping Monitoring Protocol Objects to Event Attributes for more information.
7. Select the Event Type that will be monitored.
8. Enter the Polling Frequency for the monitor.
9. Enter a Description.
10. Click Save.
11. In Admin > Device Support > Performance Monitoring, under Enter Device Type to Performance
Object Mapping, click New.
12. Enter a Name for the mapping.
13. In the top pane of the dialog, select the Device Type to which you want to apply the monitor.
Whenever a device belonging to the selected device type is discovered, FortiSIEM will attempt to apply the
performance monitor to it.
14. In the bottom pane of the dialog, select the custom performance monitor.
15. Click Save.
Testing the Performance Monitor
1. Go to Admin > Device Support > Performance Monitoring.
2. Select the performance monitor.
3. Click Test.
4. For IP, enter the IP address of the device that you want to use to test the monitor.
Testing for Multi-Tenant Deployments
If you have a Service Provider FortiSIEM, select the Supervisor or Collector where the device is
monitored.
5. Click Test. If the test succeeds, click Close, and then click Apply to register the new monitor with the backend
module.
After you have successfully tested and applied the performance monitor, you should initiate discovery of the
device that it will monitor, and then make sure that the new monitor is enabled as described in Managing
Monitoring of System and Application Metrics for Devices.
Monitoring Protocol Configuration Settings
These topics describe the configuration settings for monitoring protocols such as SNMP, WMI, and JDBC that are
used for creating custom performance monitors.
- JDBC Configuration Settings
- JMX Configuration Settings
- SNMP Configuration Settings for Custom Performance Monitors
- WMI Configuration Settings for Custom Performance Monitors
JDBC Configuration Settings
When configuring JDBC as the access protocol for a custom performance monitor, use these settings. You may
also want to review the topic Custom JDBC Performance Monitor for a Custom Table as example of how to set up
a custom performance monitor using JDBC.
Field              Setting/Notes
Method             JDBC
Database Type      Select the type of database to connect to.
SQL Query          The SQL query to execute when connecting.
List of Columns    This creates the mapping between columns in the database and FortiSIEM
                   event attributes. See Mapping Monitoring Protocol Objects to Event Attributes
                   for more information.
Where Clauses      This indicates whether the database table being queried has a fixed set of
                   rows, or whether it is growing over time. An example of this would be a table
                   containing logs, in which case FortiSIEM would keep track of the last entry and
                   only pull the new ones. There are three options here:
                   1. There is a fixed set of rows and all rows are needed.
                      Leave all options cleared.
                   2. There is a fixed set of rows and a fixed number of rows are needed.
                      Select Fixed Records and enter the number of required rows.
                   3. The table is growing and only new values are needed.
                      Select Retrieve all new values since last retrieve time of
                      column, and enter the name of the column that represents time in
                      the database. FortiSIEM will keep track of the largest value in this
                      column and only pull entries greater than that value during the next
                      polling interval.
JMX Configuration Settings
When configuring JMX as the monitoring protocol for a custom performance monitor, use these settings. You
may also want to review the topic Custom JMX Monitor for IBM Websphere as an example of creating a custom
JMX performance monitor.
Field      Setting/Notes
Method     JMX
MBean      Enter the MBean interface that you want to monitor, or click the downward
           arrow to browse the JMX tree and select it. Note that the option you select
           here will determine the objects that are available when you select an
           Object Attribute for the List of Attributes. See the next section in this
           topic for information on how to find
Identifying MBean Names and Attributes for Custom Applications
This section discusses how to get MBean names and attributes for custom J2EE based applications.
1. Launch JConsole on your workstation and connect to the application.
2. Select the MBeans tab.
3. Browse to the application you want to monitor, and select it.
4. In the right pane you will see the MBeanInfo. Note the ObjectName, while the attributes for the application will
be listed in the tree view.
SNMP Configuration Settings for Custom Performance Monitors
When configuring SNMP as the access protocol for a custom performance monitor, use these settings. You may
also want to review the topics Custom SNMP Monitor for D-Link Interface Network Statistics and Custom SNMP
Monitor for D-Link HostName and SysUpTime as examples of how to set up a custom performance monitor using
SNMP.
Field                Settings/Notes
Method               SNMP
Parent OID           The parent Object Identifier (OID) is used to optimize the number of SNMP
                     GETs required for pulling the various individual OIDs. You can enter this
                     directly, or click the downward arrow to select it from an MIB file. Several
                     different MIB files are available to select from; see Importing OID Definitions
                     from a MIB File for more information.
Parent ID is table   Select is table if the OIDs you want to monitor are in a table with at least one
                     row. An example would be interface metrics, such as ifInOctets and
                     ifOutOctets, since there is an interface metric for each interface.
List of OIDs         The OIDs you want to monitor mapped to FortiSIEM event attributes. The
                     selection you make for Parent OID determines the options available in the
                     OID menu when you select New.
Importing OID Definitions from a MIB File
Many devices include MIB files that you can then use to create a custom performance monitor for the device. This
involves creating a configuration file based on information in the MIB file, using that file as input for the mib2xml
executable, and then placing the resulting output file in the /data/mibXml directory of your Supervisor. Once
placed in this directory, you can select the file from the MIB File List menu to select the parent OID, which will
then also affect which OIDs you can select for the OID to event attribute mapping.

Procedure
1. Collect the device OID files you want to use and place them in a directory where the mib2XML
2. Create the input config file with these fields, and name it with the .cfg file designation. See the attached alcatel.cfg file for an example.

Field | Description
group | The number of the MIB file group. MIB files need to be analyzed as a group because of cross-references within them. The group attribute specifies an ID for each group and needs to be unique for every group.
mibFile | The name of the MIB file being analyzed. There can be multiple entries. Be sure to specify the path to the MIB files.
vendor | The name of the device vendor for the MIB file.
model | The model name or number for the device.
evtPrefix | As SNMP trap notification definitions in the MIB file are parsed, an event file is generated for each SNMP trap. This field specifies the event type prefix.
enterpriseId | The enterprise ID number for this vendor, which is used for generating the SNMP trap parser.
3. Run mib2XML <filename>.cfg.
4. Move the resulting .mib.xml file to the /data/mibXml directory of your Supervisor.
Example
In this example, a set of MIB files from an Alcatel 7x50 device are used to generate the XML output file.
1. Sample MIB files:
TIMETRA-CHASSIS-MIB.mib
TIMETRA-GLOBAL-MIB.mib
TIMETRA-SYSTEM-MIB.mib
TIMETRA-TC-MIB.mib
2. Information in these files, and the paths to them, are then used to create this config file: alcatel.cfg
3. Running mib2xml alcatel.cfg generates both an output file, alcatel.out, and a .mib.xml file, TIMETRA-TC-MIB.mib.xml.
WMI Configuration Settings for Custom Performance Monitors
When configuring WMI as the monitoring protocol for a custom performance monitor, use these settings. You may also want to review the topic Custom WMI Monitor for Windows Domain and Physical Registry as an example of how to set up a custom performance monitor using WMI.

Field | Settings
Method | WMI
Parent Class | WMI metrics are defined in the form of a parent class having multiple attributes. For example, the parent class Win32_ComputerSystem has the attributes Domain and TotalPhysicalMemory.
Is Table | If the parent WMI class is a table with one or more rows, select this option.
Mapping Monitoring Protocol Objects to Event Attributes
When you select a monitoring protocol for your custom performance monitor, you must also establish the relationship between the objects used by that protocol and event attributes in FortiSIEM. For example, creating a performance monitor that uses SNMP to monitor a device requires that you create a mapping between the SNMP OIDs that you want to monitor and a set of event attributes. This topic describes the configuration settings that you will use to create these object-to-event attribute relationships.

Procedure
1. When creating your custom performance monitor, after you have selected the Method, click New next to List of Attributes. Depending on the monitoring protocol that you select, this table may be named List of OIDs (SNMP) or List of Columns (JDBC).
2. In the first field, enter or select the monitoring protocol object that you want to map to a FortiSIEM event attribute. Your options depend on the monitoring protocol you selected for Method.

Monitoring Protocol | Field Name | Settings/Notes
SNMP | OID | Select an MIB file from the MIB File List, and then select the OID that you want to create the mapping for.
WMI | Attribute | Enter an attribute of the WMI class you entered for Parent Class.
JMX | Object Attribute | The MBean you select determines the attributes you can select. You will also have to enter a Name and Private Key for the MBean attribute.
JDBC | Column Name | Enter the name of the column in the SQL Query that you are using to monitor the database.

3. Select the Format for the object attribute. Your options will depend on the monitoring protocol you selected for Method.
4. For Type, select Raw Value or Counter.
5. For Event Attribute, select the FortiSIEM event attribute that the monitoring protocol object should map to. If you need to create a new event attribute, see Creating Event Attribute Types.
6. Create any Transforms of the values returned for the monitoring protocol object. See the next section for more information on how to configure transforms.
7. Click Save when you are done creating the mappings, and then complete the configuration of your custom performance monitor.

Creating Transforms
You can use a transform to convert the value returned for your monitoring protocol object into a more physically meaningful or usable metric. You can create multiple transforms; they are evaluated in the sequential order shown in the display table.
1. Next to Transforms, click New.
2. For Type, select System or Custom.
3. For Formula, either select a system-defined transformation formula from the menu if you selected System for Type, or enter a formula if you selected Custom.
4. Click Save.
Exporting a Custom Performance Monitor
To export a custom performance monitor, you must also export XML files for the device/app types, event attribute types, event types, and then the monitor.
1. Go to Admin > Device Support > Device/App Types.
2. Select the device/application types used in your monitor, and then click Export.
3. Go to Admin > Device Support > Event Attribute Types.
4. Select the event attribute types used in your monitor, and then click Export.
5. Go to Admin > Device Support > Event Types.
6. Select the event types used in your monitor, and then click Export.
7. Go to Admin > Device Support > Performance Monitoring.
8. Select the monitor, and then click Export.

Importing a Custom Performance Monitor
Importing a custom performance monitor involves importing four XML files: the XML files containing any device/app types, event attribute types, or event types that you have created for this monitor, followed by the custom performance monitor file.
1. For each device/app type, event attribute type, or event type XML file that is required for your monitor, go to the appropriate tab in Admin > Device Support, and then click Import.
2. Browse to the location of your XML file, and then click Upload.
3. Go to Admin > Device Support > Performance Monitors, and then click Import.
4. Browse to the location of your performance monitor file, and then click Upload.
5. Follow the instructions in Creating a Custom Performance Monitor to test and apply your performance monitor.
Examples of Custom Performance Monitors
- Custom JDBC Performance Monitor for a Custom Table
- Custom JMX Monitor for IBM Websphere
- Custom SNMP Monitor for D-Link HostName and SysUpTime
- Custom SNMP Monitor for D-Link Interface Network Statistics
- Custom WMI Monitor for Windows Domain and Physical Registry
Custom JDBC Performance Monitor for a Custom Table
- Planning
- Adding New JDBC Performance Objects
- Associating Device Types to Performance Objects
- Testing the Performance Monitor
- Enabling the Performance Monitor
- Writing Queries for the Performance Metrics
Planning
Examining the Table Structure
For this example, consider two custom Oracle tables that you want to monitor.
1. A table called HEALTH_STATIC_DEMO that does not have a time stamp as a column. The table does not grow with time, and the HEALTH column is updated by the application.

create table HEALTH_STATIC_DEMO (
    ID        VARCHAR2(200) not null,
    HOST_NAME NVARCHAR2(200) not null,
    HEALTH    NVARCHAR2(50)
)

2. A table called HEALTH_DYNAMIC_DEMO that has a time stamp in the column CREATE_TIME. Only records with a more recent time stamp than previous ones have to be pulled in, and every time a new record is written, it includes a time stamp.

create table HEALTH_DYNAMIC_DEMO (
    ID          VARCHAR2(200) not null,
    HOST_NAME   NVARCHAR2(200) not null,
    HEALTH      NVARCHAR2(50),
    CREATE_TIME DATE not null
)
Creating New Device Types, Event Attribute Types, and Event Types
In this case, you only need to create two new event types to handle the contents of the two tables.

Naming Custom Event Types
All custom event types must begin with the prefix PH_DEV_MON_CUST_.

Event Types
Name | Device Type | Severity
PH_DEV_MON_CUST_JDBC_PERFORMANCE_STATIC | Generic | Low
PH_DEV_MON_CUST_JDBC_PERFORMANCE_DYNAMIC | Generic | Low
Adding New JDBC Performance Objects
Each table requires its own performance object for monitoring.

Performance Object Configuration for Static Table HEALTH_STATIC_DEMO
Field | Setting
Name | jdbc_static_perfObj
Type | Application
Method | JDBC
Database Type | Oracle Database Server
SQL Query | select * from health_static_demo
List of Columns |
    Column Name | Format | Event Attribute
    host_name | STRING | hostName
    health | STRING | health
Where Clauses | Not applicable, since the table doesn't grow over time
Event Type | PH_DEV_MON_CUST_JDBC_PERFORMANCE_STATIC
Polling Frequency | 180 seconds
Performance Object Configuration for Dynamic Table HEALTH_DYNAMIC_DEMO
Field | Setting
Name | jdbc_dynamic_perfObj
Type | Application
Method | JDBC
Database Type | Oracle Database Server
SQL Query | select * from health_dynamic_demo
List of Columns |
    Column Name | Format | Event Attribute
    host_name | STRING | hostName
    cpu_util | DOUBLE | cpuUtil
    mem_util | DOUBLE | memUtil
    create_time | STRING | createTime
Where Clauses | retrieve all new values since last retrieve time of column create_time
Event Type | PH_DEV_MON_CUST_JDBC_PERFORMANCE_STATIC
Polling Frequency | 180 seconds
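The "retrieve all new values since last retrieve time of column create_time" where clause, worked as an incremental poll with sqlite3 standing in for Oracle so it runs offline. This is an added Python example, not FortiSIEM code: the watermark logic, the parameterised query, the sample rows and the use of the PH_DEV_MON_CUST_JDBC_PERFORMANCE_DYNAMIC event type are assumptions, and the columns follow the CREATE TABLE definition under Planning (ID, HOST_NAME, HEALTH, CREATE_TIME) rather than the column list in the table above.

```python
import sqlite3

EVENT_TYPE = "PH_DEV_MON_CUST_JDBC_PERFORMANCE_DYNAMIC"
SELECT_ALL = ("select ID, HOST_NAME, HEALTH, CREATE_TIME from HEALTH_DYNAMIC_DEMO "
              "order by CREATE_TIME, ID")
# The watermark is bound as a query parameter, never formatted into the SQL
# text, so a value read back from the table cannot alter the statement.
SELECT_SINCE = ("select ID, HOST_NAME, HEALTH, CREATE_TIME from HEALTH_DYNAMIC_DEMO "
                "where CREATE_TIME >= ? order by CREATE_TIME, ID")


class DynamicTablePoller:
    """Returns only rows of HEALTH_DYNAMIC_DEMO not reported by an earlier poll.

    The watermark is the highest CREATE_TIME seen so far. The where clause uses
    '>=' rather than '>' so that a row committed after the previous poll but
    carrying the same CREATE_TIME as the watermark is not lost; the IDs already
    reported at that timestamp are remembered so nothing is reported twice.
    """

    def __init__(self, conn):
        self.conn = conn
        self.last_time = None  # no watermark until the first poll
        self.seen_at_last_time = set()

    def poll(self):
        if self.last_time is None:
            cursor = self.conn.execute(SELECT_ALL)
        else:
            cursor = self.conn.execute(SELECT_SINCE, (self.last_time,))
        events = []
        for row_id, host, health, created in cursor:
            if created == self.last_time and row_id in self.seen_at_last_time:
                continue  # already reported
            if created != self.last_time:
                self.last_time = created
                self.seen_at_last_time = set()
            self.seen_at_last_time.add(row_id)
            events.append({"eventType": EVENT_TYPE, "hostName": host,
                           "health": health, "createTime": created})
        return events


def make_demo_connection():
    """Constructed sample data in an in-memory sqlite3 database standing in
    for Oracle; CREATE_TIME holds ISO-8601 text so ordering and '>=' work."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table HEALTH_DYNAMIC_DEMO ("
                 "ID varchar(200) not null, HOST_NAME nvarchar(200) not null, "
                 "HEALTH nvarchar(50), CREATE_TIME date not null)")
    conn.executemany("insert into HEALTH_DYNAMIC_DEMO values (?, ?, ?, ?)",
                     [("1", "web01", "OK", "2017-06-01 10:00:00"),
                      ("2", "web02", "OK", "2017-06-01 10:00:05")])
    conn.commit()
    return conn


def insert_row(conn, row_id, host, health, created):
    conn.execute("insert into HEALTH_DYNAMIC_DEMO values (?, ?, ?, ?)",
                 (row_id, host, health, created))
    conn.commit()


if __name__ == "__main__":
    db = make_demo_connection()
    poller = DynamicTablePoller(db)
    print(poller.poll())  # both existing rows
    insert_row(db, "3", "web03", "WARN", "2017-06-01 10:00:05")  # same time as watermark
    insert_row(db, "4", "web04", "OK", "2017-06-01 10:01:00")
    print(poller.poll())  # web03 and web04 only
    print(poller.poll())  # []
```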
Associating Device Types to Performance Objects
In this example, the Oracle database runs on Microsoft Windows, so you would need to associate Microsoft
Windows device types to the two performance objects. Because the discovered device type has to exactly match
one of device types in this association in order for the discovery module to initiate monitoring, you would need to
add other device types, such as Linux, if you also wanted to monitor Oracle databases over JDBC on those
devices.

Edit Device to Performance Object
Field | Settings
Name | windows_oracle_perf_association
Device Types |
- Microsoft Windows
- Microsoft Windows 7
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT
- Microsoft Windows Server 2000
- Microsoft Windows Server 2003
- Microsoft Windows Server 2008
- Microsoft Windows Vista
- Microsoft Windows XP
Perf Objects |
- jdbc_static_perfObj(JDBC) - Default Interval:3mins
- jdbc_dynamic_perfObj(JDBC) - Default Interval:3mins
Testing the Performance Monitor
Before testing the monitor, make sure you have defined the access credentials for the database server, created the IP address to credentials mapping, and tested connectivity to the server.
1. Go to Admin > Device Support > Performance Monitoring.
2. Select one of the performance monitors you created, and then click Test.
3. For IP, enter the address of the Oracle database server, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
4. Click Test. You should see succeed under Result, and the parsed event attributes in the test result pane.
5. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor
1. Discover or re-discover the device you want to monitor.
2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics
You can now use a simple query to make sure that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.
1. Create a structured historical search, and in the Filter Criteria, enter Event Type = "PH_DEV_MON_CUST_JDBC_PERFORMANCE_STATIC"; Group by: [None]. This should show the entries in the HEALTH_STATIC_DEMO table.
2. Create a structured historical search, and in the Filter Criteria, enter Event Type = "PH_DEV_MON_CUST_JDBC_PERFORMANCE_DYNAMIC"; Group by: [None]. This should show the entries in the HEALTH_DYNAMIC_DEMO table.
Custom SNMP Monitor for D-Link Interface Network Statistics
This example shows how to create a custom performance monitor for network interface statistics for D-link
switches. In this case, the result is a table, with one set of metrics for each interface.
- Planning
- Adding the D-Link SNMP Performance Object
- Associating Device Types to Performance Objects
- Testing the Performance Monitor
- Enabling the Performance Monitor
- Writing Queries for the Performance Metrics
Planning
Matching SNMP OIDs to FortiSIEM Event Attribute Types
If you run the command snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.2.2.1 against the D-Link switch, you should see an output similar to this:
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.3 = INTEGER: 3
IF-MIB::ifIndex.4 = INTEGER: 4
IF-MIB::ifIndex.5 = INTEGER: 5
...
To get the interface index, you would run snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.2.2.1.1:
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.3 = INTEGER: 3
IF-MIB::ifIndex.4 = INTEGER: 4
IF-MIB::ifIndex.5 = INTEGER: 5
...
To get interface queue length (the outQLen event attribute in FortiSIEM), you would run snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.2.2.1.21:
IF-MIB::ifOutQLen.1 = Gauge32: 0
IF-MIB::ifOutQLen.2 = Gauge32: 0
IF-MIB::ifOutQLen.3 = Gauge32: 0
IF-MIB::ifOutQLen.4 = Gauge32: 0
IF-MIB::ifOutQLen.5 = Gauge32: 0
...
To get interface speed, you would run snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.2.2.1.5:
IF-MIB::ifSpeed.1 = Gauge32: 1000000000
IF-MIB::ifSpeed.2 = Gauge32: 1000000000
IF-MIB::ifSpeed.3 = Gauge32: 1000000000
IF-MIB::ifSpeed.4 = Gauge32: 1000000000
IF-MIB::ifSpeed.5 = Gauge32: 1000000000
...
To get received bytes (the recvBitsPerSec event attribute in FortiSIEM), you would run snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.2.2.1.10:
IF-MIB::ifInOctets.1 = Counter32: 0
IF-MIB::ifInOctets.2 = Counter32: 1247940872
IF-MIB::ifInOctets.3 = Counter32: 0
IF-MIB::ifInOctets.4 = Counter32: 0
IF-MIB::ifInOctets.5 = Counter32: 0
...
Finally, to get sent bytes (the sentBitsPerSec event attribute in FortiSIEM), you would run snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.2.2.1.16:
IF-MIB::ifOutOctets.1 = Counter32: 0
IF-MIB::ifOutOctets.2 = Counter32: 1271371281
IF-MIB::ifOutOctets.3 = Counter32: 0
IF-MIB::ifOutOctets.4 = Counter32: 0
IF-MIB::ifOutOctets.5 = Counter32: 0
...
From these outputs you can see that if you want to create a performance monitor for D-Link switch interface statistics, you need to:
1. Create a new device type, since D-Link switches are not supported in this release.
2. Create an event type, PH_DEV_MON_CUST_DLINK_INTF_STAT, that will contain the event attribute types outQLen, recvBitsPerSec, and sentBitsPerSec, which are already part of the FortiSIEM event attribute library, and hostNameSnmpIndx and intfSpeed, which you need to create.
3. Create the mapping between the SNMP OIDs and the event attributes:
   1. OID .1.3.6.1.2.1.2.2.1.1 and hostNameSnmpIndx
   2. OID .1.3.6.1.2.1.2.2.1.5 and intfSpeed
   3. OID .1.3.6.1.2.1.2.2.1.21 and outQLen
   4. OID .1.3.6.1.2.1.2.2.1.10 and recvBitsPerSec
   5. OID .1.3.6.1.2.1.2.2.1.16 and sentBitsPerSec
Creating New Device Types, Event Attributes, and Event Types
Device Type
Create a new device type with these attributes:
Field | Setting
Vendor | D-Link
Model | DGS
Version | Any
Device/App Group | Devices > Network Devices > Router Switch
Biz Service Group | <no selection>
Description | D-Link Switch

Event Attribute Types
Create these event attribute types:
Name | Display Name | Value Type | Display Format Type
hostSnmpIndex | Host Interface SNMP Index | INT64 | <left blank>
intfSpeed | Interface Speed in bits/sec | INT64 | <left blank>

Event Types
Naming Custom Event Types
All custom event types must begin with the prefix PH_DEV_MON_CUST_.
Create this event type:
Name | Device Type | Severity
PH_DEV_MON_CUST_INTF_STAT | D-Link DGS | Low
Adding the D-Link SNMP Performance Object
In this case, you will create one performance object that will map the SNMP OIDs to the FortiSIEM event attribute types, and then associate them with the PH_DEV_MON_CUST_INTF_STAT event type. When you create the recvBitsPerSec and sentBitsPerSec mappings you will also add a sequential transform to convert the cumulative metric to a rate, and then convert bytes per second to bits per second.

Performance Object Configuration for Event Type PH_DEV_MON_CUST_INTF_STAT
Field | Setting
Name | D-LinkIntStat
Type | System
Method | SNMP
Parent OID | .1.3.6.1.2.1.2.2.1
Parent OID is Table | Selected
List of OIDs |
    Object Attribute | Name | Format | Type | Event Attribute
    .1.3.6.1.2.1.2.2.1.1 | IntfIndex | INTEGER | RawValue | hostSnmpIndex
    .1.3.6.1.2.1.2.2.1.5 | intfSpeed | Gauge32 | RawValue | intfSpeed
    .1.3.6.1.2.1.2.2.1.10 | recvBitsPerSec | Counter32 | Counter | recvBitsPerSec
    .1.3.6.1.2.1.2.2.1.16 | sentBitsPerSec | Counter32 | Counter | sentBitsPerSec
    .1.3.6.1.2.1.2.2.1.21 | OutQLen | Gauge32 | RawValue | outInftQ
Event Type | PH_DEV_MON_CUST_INTF_STAT
Polling Frequency | 60 seconds

Transform Formula for recvBitsPerSec and sentBitsPerSec Event Attributes
Type | Formula
system | toRate
system | BytesPerSecToBitsPerSec
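The two system transforms above, toRate followed by BytesPerSecToBitsPerSec, applied to snmpwalk output of the kind shown under Planning, which also illustrates the ordered evaluation described under Creating Transforms. This is an added Python example, not FortiSIEM code: the line parser, the Counter32 rollover handling, the event attribute names used as dictionary keys and the two sample polls are assumptions about what the product does with a Counter-type OID.

```python
import re
from collections import defaultdict

# ifEntry columns used by the D-Link interface monitor, as snmpwalk prints
# them with IF-MIB names, mapped to the event attributes on this page.
IF_MIB_COLUMNS = {
    "ifIndex": "hostSnmpIndex",
    "ifSpeed": "intfSpeed",
    "ifOutQLen": "outQLen",
    "ifInOctets": "recvBitsPerSec",   # Counter32: toRate, then bytes to bits
    "ifOutOctets": "sentBitsPerSec",  # Counter32: toRate, then bytes to bits
}
COUNTER_ATTRS = {"recvBitsPerSec", "sentBitsPerSec"}
COUNTER32_MODULUS = 2 ** 32
EVENT_TYPE = "PH_DEV_MON_CUST_INTF_STAT"

# One snmpwalk line, e.g. "IF-MIB::ifInOctets.2 = Counter32: 1247940872"
LINE_RE = re.compile(r"^IF-MIB::(\w+)\.(\d+)\s*=\s*(\w+):\s*(\d+)$")


def parse_walk(text):
    """Group snmpwalk lines into {ifIndex: {eventAttribute: int}}. Lines that
    are not IF-MIB rows (the '...' continuation, unmapped columns) are skipped."""
    rows = defaultdict(dict)
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        column, index, _syntax, value = match.groups()
        attr = IF_MIB_COLUMNS.get(column)
        if attr is not None:
            rows[int(index)][attr] = int(value)
    return dict(rows)


def to_rate(previous, current, interval_seconds, modulus=COUNTER32_MODULUS):
    """System transform toRate: per-second change of a cumulative counter.
    A Counter32 that rolled over between polls (current < previous) is
    corrected by adding 2**32 instead of yielding a negative rate."""
    if interval_seconds <= 0:
        raise ValueError("poll interval must be positive")
    delta = current - previous
    if delta < 0:
        delta += modulus
    return delta / interval_seconds


def bytes_per_sec_to_bits_per_sec(rate):
    """System transform BytesPerSecToBitsPerSec."""
    return rate * 8


def build_events(previous_rows, current_rows, interval_seconds):
    """One event per interface row. Raw-value columns are copied; Counter32
    columns go through toRate and then BytesPerSecToBitsPerSec, in the order
    the transform table lists them. A counter with no earlier sample (first
    poll, or a newly seen interface) produces no rate attribute."""
    events = []
    for index in sorted(current_rows):
        event = {"eventType": EVENT_TYPE}
        for attr, value in current_rows[index].items():
            if attr in COUNTER_ATTRS:
                previous = previous_rows.get(index, {}).get(attr)
                if previous is None:
                    continue
                rate = to_rate(previous, value, interval_seconds)
                event[attr] = bytes_per_sec_to_bits_per_sec(rate)
            else:
                event[attr] = value
        events.append(event)
    return events


# Constructed sample: two polls 60 seconds apart. On interface 2, ifInOctets
# grows by 60000 bytes and ifOutOctets rolls over past 2**32.
POLL_1 = """\
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifSpeed.2 = Gauge32: 1000000000
IF-MIB::ifInOctets.1 = Counter32: 0
IF-MIB::ifInOctets.2 = Counter32: 1247940872
IF-MIB::ifOutOctets.2 = Counter32: 4294960000
IF-MIB::ifOutQLen.2 = Gauge32: 0
...
"""
POLL_2 = """\
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifSpeed.2 = Gauge32: 1000000000
IF-MIB::ifInOctets.1 = Counter32: 0
IF-MIB::ifInOctets.2 = Counter32: 1248000872
IF-MIB::ifOutOctets.2 = Counter32: 4704
IF-MIB::ifOutQLen.2 = Gauge32: 3
...
"""


def demo_events():
    """Events for the second poll, using the first poll as the previous sample."""
    return build_events(parse_walk(POLL_1), parse_walk(POLL_2), 60)
```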
Associating Device Types to Performance Objects
In this case you would only need to make one association with the D-Link DGS device you created.

Field | Settings
Name | D-LinkPerfObj
Device Types |
- D-Link DGS
Perf Objects |
- D-LinkIntfStat(SNMP) - Default Interval:1mins
Testing the Performance Monitor
Before testing the monitor, make sure you have defined the access credentials for the D-Link device, created the IP address to credentials mapping, and tested connectivity.
1. Go to Admin > Device Support > Performance Monitoring.
2. Select the performance monitor you created, and then click Test.
3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
4. Click Test. You should see succeed under Result, and the parsed event attributes in the test result pane.
5. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor
1. Discover or re-discover the device you want to monitor.
2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics
You can now use a simple query to make sure that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined. Create a structured historical search with these settings:

Filter Criteria | Structured: Reporting IP IN <IP Range> AND Event Type = "PH_DEV_MON_CUST_INTF_STAT"; Group by: Host Name, Host Interface SNMP Index
Display Columns | Host Name, Host Interface SNMP Index, MAX(Out Intf Queue), AVG(Intf Speed), AVG(Sent Bit Rate), AVG(Received Bit Rate)
Time | Last 10 Minutes
For Organizations | All
Custom JMX Monitor for IBM Websphere
- Planning
- Adding New IBM WebSphere Performance Objects
- Associating Device Types to Performance Objects
- Testing the Performance Monitor
- Enabling the Performance Monitor
- Writing Queries for the Performance Metrics
This example illustrates how to write a custom performance monitor for retrieving IBM Websphere thread, heap memory, and non-heap memory metrics.

Planning
Creating New Device Types, Event Attribute Types, and Event Types
In this case, the IBM Websphere device type is already supported by FortiSIEM, but you need to create new event attributes and event types for the metrics you want to retrieve.
Event Attribute Types
Name | Display Name | Value Type | Display Format Type
websphere_heapPCT | WebSphere HeapPct | INT64 | <left blank>
websphere_numThreads | WebSphere NumThreads | INT64 | <left blank>
websphere_maxThreads | WebSphere MaxThreads | INT64 | <left blank>
websphere_threadPct | WebSphere ThreadPct | INT64 | <left blank>
websphere_numClass | WebSphere NumClass | INT64 | <left blank>
websphere_heapUsed | WebSphere HeapUsed | INT64 | Bytes
websphere_heapMax | WebSphere HeapMax | INT64 | Bytes
websphere_heapCommitted | WebSphere HeapCommitted | INT64 | Bytes
websphere_nonHeapUsed | WebSphere NonHeapUsed | INT64 | Bytes
websphere_nonHeapMax | WebSphere NonHeapMax | INT64 | Bytes
websphere_nonHeapCommitted | WebSphere NonHeapCommitted | INT64 | Bytes

Event Types
Naming Custom Event Types
All custom event types must begin with the prefix PH_DEV_MON_CUST_.
Name | Device Type | Severity
PH_DEV_MON_CUST_WEBSPHERE_HEAPMEMORY | IBM WebSphere App Server | Low
PH_DEV_MON_CUST_WEBSPHERE_NON_HEAPMEMORY | IBM WebSphere App Server | Low
PH_DEV_MON_CUST_WEBSPHERE_THREAD | IBM WebSphere App Server | Low
Adding New IBM WebSphere Performance Objects
Each of the event types requires creating a performance object for monitoring.

Performance Object Configuration for Event Type PH_DEV_MON_CUST_WEBSPHERE_HEAPMEMORY
Field | Setting
Name | websphere_heapMemory_perfObj
Type | Application
Method | JMX
MBean | java.lang:type=Memory
List of Attributes |
    Object Attribute | Private Key | Name | Format | Event Attribute
    HeapMemoryUsage | committed | committed | Long | websphere_heapCommitted
    HeapMemoryUsage | used | used | Long | websphere_heapUsed
    HeapMemoryUsage | max | max | Long | websphere_heapMax
    <blank> | <blank> | <blank> | Long | websphere_heapPCT
Event Type | PH_DEV_MON_CUST_WEBSPHERE_HEAPMEMORY
Polling Frequency | 180 seconds
Performance Object Configuration for Event Type PH_DEV_MON_CUST_WEBSPHERE_THREAD
For the webSphere_threadPct Event Attribute, you will enter a transform as shown in the second table.

Field | Setting
Name | websphere_thread_perfObj
Type | Application
Method | JMX
MBean | java.lang:type=Threading
List of Attributes |
    Object Attribute | Private Key | Name | Format | Event Attribute
    ThreadCount | <blank> | ThreadCount | Long | websphere_numThreads
    PeakThreadCount | <blank> | PeakThreadCount | Long | websphere_maxThreads
    <blank> | <blank> | <blank> | Long | websphere_threadPCT
Event Type | PH_DEV_MON_CUST_WEBSPHERE_THREAD
Polling Frequency | 180 seconds

Transform Formula for websphere_threadPCT Event Attribute
Click New next to Transforms in the dialog to enter the formula.
Field | Settings
Object Attribute | <blank>
Name | <blank>
Private Key | <blank>
Format | Long
Event Attribute | websphere_threadPct
Transforms |
    Type | Formula
    custom | ThreadCount*100/PeakThreadcount
Performance Object Configuration for Event Type PH_DEV_MON_CUST_WEBSPHERE_NON_HEAPMEMORY
Field | Setting
Name | websphere_nonHeapMemory_perfObj
Type | Application
Method | JMX
MBean | java.lang:type=Memory
List of Attributes |
    Object Attribute | Private Key | Name | Format | Event Attribute
    NonHeapMemoryUsage | used | <blank> | Long | websphere_nonHeapUsed
    NonHeapMemoryUsage | committed | <blank> | Long | websphere_nonHeapCommitted
    NonHeapMemoryUsage | max | <blank> | Long | websphere_nonHeapMax
Event Type | PH_DEV_MON_CUST_WEBSPHERE_NON_HEAPMEMORY
Polling Frequency | 180 seconds
Associating Device Types to Performance Objects
In this example, IBM WebSphere runs on Microsoft Windows, so you would need to associate Microsoft Windows
device types to the three performance objects. Because the discovered device type has to exactly match one of
device types in this association in order for the discovery module to initiate these monitors, you would need to add
other device types, such as Linux, if you also wanted to monitor IBM Websphere over JMX on those devices.

Edit Device to Performance Object
Field | Settings
Name | windows_oracle_perf_association
Device Types |
- Microsoft Windows
- Microsoft Windows 7
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT
- Microsoft Windows Server 2000
- Microsoft Windows Server 2003
- Microsoft Windows Server 2008
- Microsoft Windows Vista
- Microsoft Windows XP
Perf Objects |
- websphere_heapMemory_perfObj(JMX) - Default Interval:3mins
- websphere_thread_perfObj(JMX) - Default Interval:3mins
- websphere_nonHeapMemory_perfObj(JMX) - Default Interval:3mins
Testing the Performance Monitor
Before testing the monitor, make sure you have defined the access credentials for the server, created the IP address to credentials mapping, and tested connectivity.
1. Go to Admin > Device Support > Performance Monitoring.
2. Select one of the performance monitors you created, and then click Test.
3. For IP, enter the address of the server, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
4. Click Test. You should see succeed under Result, and the parsed event attributes in the test result pane.
5. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor
1. Discover or re-discover the device you want to monitor.
2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics
You can now use a simple query to make sure that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined. Create a structured historical search with these settings:

Filter Criteria | Structured: Reporting IP IN <IP Range> AND Event Type CONTAIN "ph_dev_mon_cust_web"; Group by: [None]
Display Columns | Event Receive Time, Reporting IP, Event Time
Time | Last 60 Minutes
For Organizations | All
Custom SNMP Monitor for D-Link HostName and SysUpTime
Although D-Link switches and routers are not supported in this release of FortiSIEM, you can still use the custom monitor feature to create a system uptime event that will collect basic performance metrics like hostName and SysUpTime.

Planning
Mapping SNMP OIDs to FortiSIEM Event Attribute Types
If you run the command snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.1 against the D-Link switch, you should see an output similar to this:
SNMPv2-MIB::sysDescr.0 = STRING: DGS-1210-48 2.00.011
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.171.10.76.11
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (157556100) 18 days, 5:39:21.00
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: SJ-Test-Lab-D-Link
SNMPv2-MIB::sysLocation.0 = STRING: San Jose
SNMPv2-MIB::sysServices.0 = INTEGER: 72
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (157555949) 18 days, 5:39:19.49
To get sysUpTime, you would run snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.1.3:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (157577770) 18 days, 5:42:57.70
To get the host name, you would run snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.1.5:
SNMPv2-MIB::sysName.0 = STRING: SJ-Test-Lab-D-Link
From these outputs you can see that if you want to create a performance monitor for D-Link switch uptime, you need to:
1. Create a new device type, since D-Link switches are not supported in this release.
2. Create an event type, PH_DEV_MON_CUST_DLINK_UPTIME, that will contain the event attribute types hostName and SysUpTime, which are already part of the FortiSIEM event attribute type library.
3. Create the mapping between the SNMP OIDs and the event attributes:
- OID .1.3.6.1.2.1.1.5 and hostName.
- OID .1.3.6.1.2.1.1.3 and SysUpTime.
Creating New Device Types, Event Attribute Types, and Event Types
Device Type
Create a new device type with these attributes:
Field | Setting
Vendor | D-Link
Model | DGS
Version | Any
Device/App Group | Devices > Network Devices > Router Switch
Biz Service Group | <no selection>
Description | D-Link Switch

Event Attribute Types and Event Types
Both sysUpTime and hostName are included in the Event Attribute Types, so you only need to create a new event type, PH_DEV_MON_CUST_DLINK_UPTIME, that will contain them.

Naming Custom Event Types
All custom event types must begin with the prefix PH_DEV_MON_CUST_.
Name | Device Type | Severity | Description
PH_DEV_MON_CUST_DLINK_UPTIME | D-Link DGS | 0 - Low | D-Link Uptime
Adding the D-Link SNMP Performance Object
In this case, you will create one performance object that will map the SNMP OIDs to the FortiSIEM event
attribute types hostName and SysUpTime, and then associate them with the PH_DEV_MON_CUST_DLINK_UPTIME
event type. When you create the SysUpTime mapping you will also add a transform that converts the raw
sysUpTime value from timeticks (hundredths of a second) to seconds, as shown in the second table.

Performance Object Configuration for Event Type PH_DEV_MON_CUST_DLINK_UPTIME

Field                 Setting
Name                  D-LinkUptime
Type                  System
Method                SNMP
Parent OID            .1.3.6.1.2.1.1
Parent OID is Table   <left cleared>
List of OIDs          (see the following table)
Event Type            PH_DEV_MON_CUST_DLINK_UPTIME
Polling Frequency     10 seconds

List of OIDs
Object OID         Name        Format      Type       Event Attribute
.1.3.6.1.2.1.1.5   Host Name   String      RawValue   hostName
.1.3.6.1.2.1.1.3   Uptime      Timeticks   RawValue   SysUpTime

Transform Formula for SysUpTime Event Attribute
Type     Formula
custom   uptime/100
Associating Device Types to Performance Objects
In this case you would only need to make one association, with the D-Link DGS device type you created.

Field          Settings
Name           D-LinkPerfObj
Device Types   - D-Link DGS
Perf Objects   - D-LinkUptime(SNMP) - Default Interval: 0.17 mins
Testing the Performance Monitor
Before testing the monitor, make sure you have defined the access credentials for the D-Link device, created the
IP address to credentials mapping, and tested connectivity.
1. Go to Admin > Device Support > Performance Monitoring.
2. Select the performance monitor you created, and then click Test.
3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
4. Click Test. You should see succeed under Result, and the parsed event attributes in the test result pane.
5. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor
1. Discover or re-discover the device you want to monitor.
2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics
You can now use a simple query to make sure that the metrics are pulled correctly. The search results should
display the metrics for the event attributes you defined. Create a structured historical search with these settings:

Filter Criteria     Structured: Reporting IP IN <IP Range> AND Event Type = "PH_DEV_MON_CUST_DLINK_UPTIME"; Group by: [None]
Display Columns     Event Receive Time
Time                Last 10 Minutes
For Organizations   All
Custom WMI Monitor for Windows Domain and Physical Memory
Planning
Mapping Windows WMI Classes to FortiSIEM Event Attribute Types
If you run the command wmic -U <domain>/<user>%<pwd> //<ip> "select * from Win32_ComputerSystem" against
a Windows server, you will see an output similar to this. (A password passed on the command line is visible in the
process list and shell history, so use this form only for a one-off check; the monitor itself uses the credentials you
define in FortiSIEM.)
CLASS: Win32_ComputerSystem
AdminPasswordStatus::SEP::AutomaticManagedPagefile::SEP::AutomaticResetBootOption::SEP::AutomaticResetCapability::SEP::Bo
1::SEP::True::SEP::True::SEP::True::SEP::3::SEP::3::SEP::True::SEP::Normal
boot::SEP::WIN2008-ADS::SEP::3::SEP::Win32_ComputerSystem::SEP::420::SEP::True::SEP::AT/AT COMPATIBLE::SEP::WIN2008ADS::SEP::FortiSIEM.net::SEP::5::SEP::True::SEP::3::SEP::False::SEP::NULL::SEP::
(null)::SEP::3::SEP::(null)::SEP::VMware, Inc.::SEP::VMware Virtual Platform::SEP::WIN2008-ADS::SEP::(null)::SEP::True::SEP::1::SEP::1::SEP::NULL::SEP::
([MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7],Welcome to the Virtual
Machine)::SEP::True::SEP::3932100000::SEP::0::SEP::NULL::SEP::False::SEP::0::SEP::0::SEP::3::SEP::(null)::SEP::Windows User::SEP::1::SEP::-1::SEP::-1::SEP::(LM_
Workstation,LM_Server,Primary_Domain_Controller,Timesource,NT,DFS)::SEP::OK::SEP::NULL::SEP::0::SEP::NULL::SEP::0::SEP::X86-based
PC::SEP::3::SEP::4293496832::SEP::FortiSIEM\Administrator::SEP::6::SEP::(null)
From this output you can see that the Win32_ComputerSystem WMI class includes the two attributes of interest here:
1. Domain
2. TotalPhysicalMemory
From these outputs you can see that if you want to create a performance monitor for Windows Domain and
Physical Memory, you need to:
1. Create an event type, PH_DEV_MON_CUST_WIN_MEM, that will contain the event attribute types Domain and memTotalMB, both of which are already contained in the FortiSIEM event attribute types library.
2. Create the mapping between the WMI class attributes and the FortiSIEM event attribute types:
- WMI class attribute Domain and Domain.
- WMI class attribute TotalPhysicalMemory and memTotalMB (type INT64). Because TotalPhysicalMemory is reported in bytes and memTotalMB holds megabytes, a transform is required to convert the value.
Creating New Device Types, Event Attributes, and Event Types
Device Type
Since Microsoft Windows is supported by FortiSIEM, you don't need to create a new device type.
Event Attribute Types and Event Types
Both Domain and memTotalMB are included in the FortiSIEM event attribute type library, so you only need
to create a new event type, PH_DEV_MON_CUST_WIN_MEM, that will contain them.

Naming Custom Event Types
All custom event types must begin with the prefix PH_DEV_MON_CUST_.

Name                      Device Type         Severity   Description
PH_DEV_MON_CUST_WIN_MEM   Microsoft Windows   0 - Low    Windows Domain and Memory
Adding the Microsoft Windows WMI Performance Object
In this case, you will create one performance object that will map the WMI class attributes to the FortiSIEM event
attribute types Domain and memTotalMB, and then associate them with the PH_DEV_MON_CUST_WIN_MEM event
type. When you create the memTotalMB mapping you will also add a transform to convert bytes to megabytes, as
shown in the second table.

Performance Object Configuration for Event Type PH_DEV_MON_CUST_WIN_MEM

Field                   Setting
Name                    WinMem
Type                    System
Method                  WMI
Parent Class            Win32_ComputerSystem
Parent Class is Table   <left cleared>
List of Attributes      (see the following table)
Event Type              PH_DEV_MON_CUST_WIN_MEM
Polling Frequency       20 seconds

List of Attributes
Attribute             Format    Type       Event Attribute
Domain                String    RawValue   domain
TotalPhysicalMemory   Integer   RawValue   memTotalMB

Transform Formula for TotalPhysicalMemory Event Attribute Type
Type     Formula
custom   TotalPhysicalMemory/1024/1024
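The two custom monitors above (D-Link SNMP uptime and Windows WMI memory) both reduce to the same steps: parse the raw poll output, pick out the OIDs or class attributes named in the mapping table, apply the transform, and emit the event. The Python script below is an added example that walks through those steps offline; it is not FortiSIEM code. The snmpwalk and wmic samples are constructed from the values shown on this page (the wmic sample is trimmed to four columns of the class), the transforms are applied as integer division on the assumption that SysUpTime and memTotalMB are whole-number attributes, and the `[EVENT_TYPE]:[attr]=value` rendering mirrors the event format FortiSIEM displays for custom monitors later in this section.

```python
import re

# Constructed sample of `snmpwalk -v 1 -c <community> <ip> .1.3.6.1.2.1.1`, using
# the values from the D-Link walk shown on this page (net-snmp output format).
SNMPWALK_SAMPLE = """\
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (157577770) 18 days, 5:42:57.70
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: SJ-Test-Lab-D-Link
SNMPv2-MIB::sysLocation.0 = STRING: San Jose
"""

# Constructed sample of wmic's ::SEP::-delimited dump for
# "select * from Win32_ComputerSystem", trimmed to four of the class's columns.
WMIC_SAMPLE = """\
CLASS: Win32_ComputerSystem
Domain::SEP::Manufacturer::SEP::Name::SEP::TotalPhysicalMemory
FortiSIEM.net::SEP::VMware, Inc.::SEP::WIN2008-ADS::SEP::3932100000
"""

# net-snmp prints "<MIB>::<object>[.<index>|Instance] = <SYNTAX>: <value>".
SNMP_LINE = re.compile(r"^[\w-]+::([A-Za-z]+?)(?:Instance|\.\d+)?\s*=\s*(\w+):\s*(.*)$")

# Symbolic names net-snmp prints for the two objects, keyed to the numeric OIDs
# used in the performance object's "List of OIDs" table.
SNMP_OIDS = {"sysUpTime": ".1.3.6.1.2.1.1.3", "sysName": ".1.3.6.1.2.1.1.5"}

# Performance object mapping rows: (raw key, event attribute, transform or None).
DLINK_UPTIME_MAP = [
    (".1.3.6.1.2.1.1.5", "hostName", None),
    (".1.3.6.1.2.1.1.3", "SysUpTime", lambda ticks: int(ticks) // 100),  # uptime/100: timeticks -> seconds
]
WIN_MEM_MAP = [
    ("Domain", "domain", None),
    ("TotalPhysicalMemory", "memTotalMB", lambda b: int(b) // (1024 * 1024)),  # bytes -> MB
]


def parse_snmpwalk(text):
    """Return {numeric OID: raw value}; Timeticks are reduced to the tick count."""
    values = {}
    for line in text.splitlines():
        m = SNMP_LINE.match(line)
        if not m:
            continue
        name, syntax, value = m.groups()
        if syntax == "Timeticks":          # "(157577770) 18 days, ..." -> "157577770"
            value = re.match(r"\((\d+)\)", value).group(1)
        if name in SNMP_OIDS:
            values[SNMP_OIDS[name]] = value
    return values


def parse_wmic(text):
    """Return {attribute: value} from the header line and the value line of a wmic dump."""
    rows = [line for line in text.splitlines() if line and not line.startswith("CLASS:")]
    header, values = rows[0].split("::SEP::"), rows[1].split("::SEP::")
    return dict(zip(header, values))


def build_event(mapping, raw):
    """Apply a performance-object mapping (with transforms) to parsed raw values."""
    attrs = {}
    for key, attr, transform in mapping:
        if key not in raw:
            raise KeyError(f"{key} was not returned by the poll")
        attrs[attr] = transform(raw[key]) if transform else raw[key]
    return attrs


def format_event(event_type, attrs):
    """Render in the [EVENT_TYPE]:[attr]=value,... form FortiSIEM shows for custom events."""
    return f"[{event_type}]:" + ",".join(f"[{k}]={v}" for k, v in attrs.items())


if __name__ == "__main__":
    print(format_event("PH_DEV_MON_CUST_DLINK_UPTIME",
                       build_event(DLINK_UPTIME_MAP, parse_snmpwalk(SNMPWALK_SAMPLE))))
    print(format_event("PH_DEV_MON_CUST_WIN_MEM",
                       build_event(WIN_MEM_MAP, parse_wmic(WMIC_SAMPLE))))
```

Run it and the D-Link event carries SysUpTime 1575777 (157577770 timeticks / 100) and the Windows event memTotalMB 3749 (3932100000 bytes / 1024 / 1024), which is what you should see in the test result pane after clicking Test on the corresponding monitor.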
Associating Device Types to Performance Objects
In this example, you would need to associate Microsoft Windows device types to the performance object.

Edit Device to Performance Object
Field          Settings
Name           WinMisc
Device Types   - Microsoft Windows
               - Microsoft Windows NT
               - Microsoft Windows Server 2000
               - Microsoft Windows Server 2003
               - Microsoft Windows Server 2008
               - Microsoft Windows Vista
               - Microsoft Windows XP
Perf Objects   - WinMem(WMI) - Default Interval: 0.33 mins
Testing the Performance Monitor
Before testing the monitor, make sure you have defined the access credentials for the server, created the IP
address to credentials mapping, and tested connectivity.
1. Go to Admin > Device Support > Performance Monitoring.
2. Select one of the performance monitors you created, and then click Test.
3. For IP, enter the address of the Microsoft Windows server, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
4. Click Test. You should see succeed under Result, and the parsed event attributes in the test result pane.
5. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor
1. Discover or re-discover the device you want to monitor.
2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics
You can now use a simple query to make sure that the metrics are pulled correctly. The search results should
display the metrics for the event attributes you defined. Create a structured historical search with these settings:

Filter Criteria     Structured: Host IP = <IP> AND Event Type = "PH_DEV_MON_CUST_WIN_MEM"; Group by: [None]
Display Columns     Event Receive Time, Reporting IP, Domain, Total Memory (MB)
Time                Last 10 Minutes
For Organizations   All
Custom Command Output Monitor
You may already have commands or scripts for your devices that collect important metrics or perform some useful
function. By creating a custom command output monitor, you can import the output of those commands into the
FortiSIEM event database, where it can be used to create reports, write rules to alert against anomalies, or
trigger the execution of scripts. Creating a custom command output monitor involves collecting a sample output
from the command, and then creating a performance object that uses a regular expression to parse the command
output, maps the parsed values to FortiSIEM event attribute types, and then associates those with an event type.
The command runs with the login credential you configure for the device, so use a dedicated account with the
least privilege needed to run that command rather than an administrative one.
- Creating a Custom SSH Command Output Monitor
- Creating a Custom Multi-Line SSH Command Output Monitor
- Creating a Custom WINEXE Command Output Monitor

Device Types Supported for Custom SSH Command Output Monitors
- Linux variants
- Unix variants - IBM AIX, HP UX
- Microsoft Windows (with Cygwin tools installed that allow SSH)
- Cisco IOS, NX-OS, ASA, CatOS
- Juniper JunOS, SSG, ISG
- Palo Alto PAN-OS
- Fortinet FortiGate
- HP ProCurve, H3C
- Extreme Networks XOS
- Foundry BigIron
- Avaya ERS

Device Types Supported for Custom WINEXE Command Output Monitors
- Microsoft Windows
Creating a Custom SSH Command Output Monitor
- Planning
- Adding the iostat Command Output Performance Object
- Associating Device Types to Performance Objects
- Testing the Performance Monitor
- Enabling the Performance Monitor
- Writing Queries for the Performance Metrics
In this example, the regular expression is used to parse a single line of the command output.

Planning
Mapping SSH Command Outputs to FortiSIEM Event Attribute Types
In this example, you want to monitor the output of the iostat command on a Linux machine. This is the event log
that you will want to produce in FortiSIEM:
[PH_DEV_MON_CUST_CMD]:[hostIpAddr]=10.1.20.52,[hostName]=centos6-yu.FortiSIEM.net,
[readBytes]=17292116.00,
[readRate]=5.71,[tps]=1.49,[writtenBytes]=147500688.00,[writtenRate]=48.73,
[diskName]="sda2"
From this example, you can see that to create a monitor for the iostat command output, you would need to:
1. Create the event attribute types readBytes, readRate, tps, writtenBytes, writtenRate, and diskName, to correspond to Blk_read, Blk_read/s, tps, Blk_wrtn, Blk_wrtn/s, and Device in the command output.
2. Create an event type, PH_DEV_MON_CUST_CMD, that will contain the event attribute types readBytes, readRate, tps, writtenBytes, writtenRate, and diskName.
3. Create a performance object containing the regular expression that will parse the command output and match value positions to event attribute types, and then associate those event attribute types and values to PH_DEV_MON_CUST_CMD.
Creating New Event Attribute Types and Event Types
Event Attributes
Create these event attribute types:

Name           Display Name     Value Type   Display Format Type
diskName       Disk Name        STRING       RawValue
tps            Transactions/s   DOUBLE       RawValue
readRate       Read Rate        DOUBLE       RawValue
readBytes      Read Bytes       INTEGER      RawValue
writtenBytes   Written Bytes    INTEGER      RawValue
writtenRate    Written Rate     DOUBLE       RawValue

Event Types
Naming Custom Event Types
All custom event types must begin with the prefix PH_DEV_MON_CUST_.
Create this event type:

Name                  Device Type    Severity
PH_DEV_MON_CUST_CMD   CentOS Linux   Low
Adding the iostat Command Output Performance Object
In this case, you will create one performance object that will use a regular expression to parse the command
output, match value positions in the command output against FortiSIEM event attributes, and then associate
those with the event type PH_DEV_MON_CUST_CMD.
Performance Object Configuration for Event Type PH_DEV_MON_CUST_CMD

Field                     Setting
Name                      cmd-iostat
Type                      Application
Method                    Login
Used For                  Command Output Monitoring
Command                   iostat
Regular Expression        ^([^\s]+)\s+([0-9]+\.?[0-9]+|\d+)\s+([0-9]+\.?[0-9]+|\d+)\s+([0-9]+\.?[0-9]+|\d+)\s+([0-9]+\.?[0-9]+|\d+)\s+([0-9]+\.?[0-9]+|\d+)
Matched Attribute Count   6
List of Attributes        (see the following table)
Event Type                PH_DEV_MON_CUST_CMD
Polling Frequency         60 seconds

The expression matches only the per-device lines of the iostat output: the kernel banner, the avg-cpu block and
the column header line do not match it, so they produce no values.

List of Attributes
Matched Position   Format    Type       Event Attribute
1                  STRING    RawValue   diskName
2                  DOUBLE    RawValue   tps
3                  DOUBLE    RawValue   readRate
4                  DOUBLE    RawValue   writtenRate
5                  INTEGER   RawValue   readBytes
6                  INTEGER   RawValue   writtenBytes
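As an added example (not code from the guide), here is the cmd-iostat performance object's parsing logic reproduced in Python, so you can check the regular expression and the position-to-attribute mapping against real output before you click Test. The iostat sample is constructed (the guide's own sample output is absent from the page) in the classic Device, tps, Blk_read/s, Blk_wrtn/s, Blk_read, Blk_wrtn layout; newer sysstat releases can print kilobyte columns instead, so verify the header on your hosts before trusting the positions. The host fields in the rendered event are the ones from the example event above.

```python
import re

# Constructed sample of `iostat` on a CentOS 6 host (the guide's own sample is
# not on the page), in the classic block-count column layout.
IOSTAT_SAMPLE = """\
Linux 2.6.32-431.el6.x86_64 (centos6-yu.FortiSIEM.net)  03/27/2014  _x86_64_  (2 CPU)

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           0.52    0.00    0.26    0.10    0.00   99.12

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
sda               1.51         5.78        48.74   17508484  147500696
sda1              0.02         0.07         0.01     216368          8
sda2              1.49         5.71        48.73   17292116  147500688
"""

# The performance object's regular expression: device name, then five numbers.
IOSTAT_LINE = re.compile(
    r"^([^\s]+)\s+([0-9]+\.?[0-9]+|\d+)\s+([0-9]+\.?[0-9]+|\d+)\s+"
    r"([0-9]+\.?[0-9]+|\d+)\s+([0-9]+\.?[0-9]+|\d+)\s+([0-9]+\.?[0-9]+|\d+)"
)

# Matched position -> (event attribute, Format), as in the "List of Attributes" table.
ATTRIBUTES = {
    1: ("diskName", str),
    2: ("tps", float),
    3: ("readRate", float),
    4: ("writtenRate", float),
    5: ("readBytes", int),
    6: ("writtenBytes", int),
}


def parse_iostat(output):
    """Apply the expression line by line; banner, avg-cpu block and header do not match."""
    events = []
    for line in output.splitlines():
        m = IOSTAT_LINE.match(line)
        if m:
            events.append({name: cast(m.group(pos)) for pos, (name, cast) in ATTRIBUTES.items()})
    return events


def format_event(attrs, host_ip, host_name, event_type="PH_DEV_MON_CUST_CMD"):
    """Render one parsed line as the [EVENT_TYPE]:[attr]=value event shown in the guide."""
    fields = [f"[hostIpAddr]={host_ip}", f"[hostName]={host_name}"]
    for name, value in attrs.items():
        if isinstance(value, str):
            fields.append(f'[{name}]="{value}"')
        elif isinstance(value, float):
            fields.append(f"[{name}]={value:.2f}")
        else:
            fields.append(f"[{name}]={value}")
    return f"[{event_type}]:" + ",".join(fields)


if __name__ == "__main__":
    for attrs in parse_iostat(IOSTAT_SAMPLE):
        print(format_event(attrs, "10.1.20.52", "centos6-yu.FortiSIEM.net"))
```

Each matching line becomes its own event, so a host with three block devices yields three PH_DEV_MON_CUST_CMD events per poll; the sda2 event carries exactly the values shown in the planning section.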
Associating Device Types to Performance Objects
Field          Settings
Name           cmd-iostat
Device Types   - CentOS Linux
Perf Objects   - cmd-iostat(SSH) - Default Interval: 1 mins
Testing the Performance Monitor
Before testing the monitor, make sure you have defined the SSH access credentials for the Linux host, created the
IP address to credentials mapping, and tested connectivity.
1. Go to Admin > Device Support > Performance Monitoring.
2. Select the performance monitor you created, and then click Test.
3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
4. Click Test. You should see succeed under Result, and the parsed event attributes in the test result pane.
5. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor
1. Discover or re-discover the device you want to monitor.
2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics
You can now use a simple query to make sure that the metrics are pulled correctly. The search results should
display the metrics for the event attributes you defined. Create a structured historical search with these settings:

Filter Criteria     Structured: Reporting IP IN <IP Range> AND Event Type = "PH_DEV_MON_CUST_CMD"; Group by: [None]
Display Columns     Disk Name, Transactions/s, Read Rate, Read Bytes, Written Bytes, Written Rate
Time                Last 10 Minutes
For Organizations   All
Creating a Custom WINEXE Command Output Monitor
There may be times when you want the output of a PowerShell command from a Microsoft Windows server as an input
for FortiSIEM. PowerShell commands cannot be sent to Windows systems over SSH; the equivalent way of running a
command remotely on Windows is winexe. You configure a WINEXE performance object to send the command, parse
the output, and associate the values with FortiSIEM event attribute types, so that the fields are available to
FortiSIEM analytics.

Planning
For this example, assume you want to monitor disabled users in Microsoft Active Directory. The LDAP filter uses the
bitwise-AND matching rule (1.2.840.113556.1.4.803) to select accounts whose userAccountControl has the
ACCOUNTDISABLE bit (value 2) set. You would use this command:
./winexe -U '<user>%<pwd>' //10.1.2.11 'powershell -NonInteractive -InputFormat none -OutputFormat text -Command "& {Import-Module ActiveDirectory; Get-ADUser -LDAPFilter {(useraccountcontrol:1.2.840.113556.1.4.803:=2)}}"'
which would have an output similar to this:
DistinguishedName : CN=Guest,CN=Users,DC=sh-FortiSIEM,DC=com
Enabled           : False
GivenName         :
Name              : Guest
ObjectClass       : user
ObjectGUID        : dfe5eb21-557f-4550-9cea-5db4ee74317f
SamAccountName    : Guest
SID               : S-1-5-21-2731518400-1375262604-1712717995-501
Surname           :
UserPrincipalName :

DistinguishedName : CN=krbtgt,CN=Users,DC=sh-FortiSIEM,DC=com
Enabled           : False
GivenName         :
Name              : krbtgt
ObjectClass       : user
ObjectGUID        : 13a3703b-185c-4208-98b5-0e65ff638593
SamAccountName    : krbtgt
SID               : S-1-5-21-2731518400-1375262604-1712717995-502
Surname           :
UserPrincipalName :

DistinguishedName : CN=sshd,CN=Users,DC=sh-FortiSIEM,DC=com
Enabled           : False
GivenName         :
Name              : sshd
ObjectClass       : user
ObjectGUID        : aec0ab40-647a-48ae-ba61-9cf31c08794d
SamAccountName    : sshd
SID               : S-1-5-21-2731518400-1375262604-1712717995-1225
Surname           :
UserPrincipalName :

DistinguishedName : CN=ywang12,DC=sh-FortiSIEM,DC=com
Enabled           : False
GivenName         :
Name              : ywang12
ObjectClass       : user
ObjectGUID        : df694fd2-cf44-49d1-9ecc-42d8a87102c3
SamAccountName    : ywang12
SID               : S-1-5-21-2731518400-1375262604-1712717995-1253
Surname           :
UserPrincipalName :
From this example, you can see that to create a monitor for the Get-ADUser command output, you would need to:
1. Create an event type, PH_DEV_MON_CUST_DISABLED_USERS, that will contain the event attribute types distName, samAccount, and sid, all of which are already contained in the FortiSIEM event attribute types library, and which match DistinguishedName, SamAccountName, and SID in the command output.
2. Create a performance object containing the regular expression that will parse the command output and match values against the event attribute types, and then associate those event attribute types and values to PH_DEV_MON_CUST_DISABLED_USERS.
After enabling the WINEXE output monitor, you should see an event similar to this in FortiSIEM:
[PH_DEV_MON_CUST_DISABLED_USERS]:[hostIpAddr]=10.1.2.11,[hostName]=WIN2K8-SHRPNT,
[distName]="CN=krbtgt,CN=Users,DC=sh-FortiSIEM,DC=com",[samAccount]="krbtgt",[sid]="S-1-5-21-2731518400-1375262604-1712717995-502"
Creating New Event Attribute Types and Event Types
Event Types
Naming Custom Event Types
All custom event types must begin with the prefix PH_DEV_MON_CUST_.
Create this event type:

Name                             Device Type         Severity
PH_DEV_MON_CUST_DISABLED_USERS   Microsoft Windows   Low

Adding the Get-ADUser Command Output Performance Object
In this case, you will create one performance object that will use a regular expression to parse the command
output, match value positions in the command output against FortiSIEM event attributes, and then associate
those with the event type PH_DEV_MON_CUST_DISABLED_USERS.
Performance Object Configuration for Event Type PH_DEV_MON_CUST_DISABLED_USERS

Field                     Setting
Name                      WINEXE-AD-Disabled-Users-Output
Type                      System
Method                    WINEXE
Used For                  Command Output Monitoring
Command                   Import-Module ActiveDirectory; Get-ADUser -LDAPFilter {(useraccountcontrol:1.2.840.113556.1.4.803:=2)}
Regular Expression        \nDistinguishedName\s+:\s+(.*?)\n.*?SamAccountName\s+:\s+(.*?)\nSID\s+:\s+(.*?)\n
Matched Attribute Count   3
List of Attributes        (see the following table)
Event Type                PH_DEV_MON_CUST_DISABLED_USERS
Polling Frequency         60 seconds

The .*? between the DistinguishedName and SamAccountName fields spans several output lines, so the expression
relies on the dot matching newline characters. Because every record prints DistinguishedName, then
SamAccountName, then SID in that order, the three captures always come from the same account.

List of Attributes
Matched Position   Format   Type       Event Attribute
1                  STRING   RawValue   distName
2                  STRING   RawValue   samAccount
3                  STRING   RawValue   sid
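The Python script below is an added example, not FortiSIEM code, that parses the same Format-List output record by record: it splits on the blank line between records and reads every `Field : value` pair, which tolerates empty fields and a missing field without pairing one account's distinguished name with the next account's SID, as a single expression spanning records can. It also shows what the LDAP filter in the command tests on the server side: the 1.2.840.113556.1.4.803 matching rule is a bitwise AND against userAccountControl, and 2 is the ACCOUNTDISABLE flag. The sample output is constructed from three of the records shown above, and the host fields in the rendered event are taken from the example event above.

```python
import re

# Constructed sample of the Get-ADUser output returned over winexe (PowerShell's
# Format-List rendering), copied from three of the records shown on this page.
AD_OUTPUT_SAMPLE = """\

DistinguishedName : CN=Guest,CN=Users,DC=sh-FortiSIEM,DC=com
Enabled           : False
GivenName         :
Name              : Guest
ObjectClass       : user
ObjectGUID        : dfe5eb21-557f-4550-9cea-5db4ee74317f
SamAccountName    : Guest
SID               : S-1-5-21-2731518400-1375262604-1712717995-501
Surname           :
UserPrincipalName :

DistinguishedName : CN=krbtgt,CN=Users,DC=sh-FortiSIEM,DC=com
Enabled           : False
GivenName         :
Name              : krbtgt
ObjectClass       : user
ObjectGUID        : 13a3703b-185c-4208-98b5-0e65ff638593
SamAccountName    : krbtgt
SID               : S-1-5-21-2731518400-1375262604-1712717995-502
Surname           :
UserPrincipalName :

DistinguishedName : CN=ywang12,DC=sh-FortiSIEM,DC=com
Enabled           : False
GivenName         :
Name              : ywang12
ObjectClass       : user
ObjectGUID        : df694fd2-cf44-49d1-9ecc-42d8a87102c3
SamAccountName    : ywang12
SID               : S-1-5-21-2731518400-1375262604-1712717995-1253
Surname           :
UserPrincipalName :
"""

# userAccountControl flag selected by (userAccountControl:1.2.840.113556.1.4.803:=2).
ACCOUNTDISABLE = 0x2

# Get-ADUser field -> FortiSIEM event attribute, as in the performance object table.
MAPPING = {"DistinguishedName": "distName", "SamAccountName": "samAccount", "SID": "sid"}

# One "Field : value" line; the value may be empty.
FIELD = re.compile(r"^(\w+)\s*:[ \t]*(.*)$", re.MULTILINE)


def is_disabled(user_account_control):
    """What the LDAP bitwise-AND matching rule in the filter tests on the server side."""
    return bool(user_account_control & ACCOUNTDISABLE)


def parse_ad_records(text):
    """Split Format-List output on blank lines and read each record's fields."""
    records = []
    for chunk in re.split(r"\n[ \t]*\n", text.strip()):
        fields = dict(FIELD.findall(chunk))
        if "DistinguishedName" in fields:
            records.append(fields)
    return records


def to_events(records, host_ip, host_name, event_type="PH_DEV_MON_CUST_DISABLED_USERS"):
    """Map each record to the event attributes; a missing field becomes an empty string."""
    return [(event_type, host_ip, host_name,
             {attr: rec.get(field, "") for field, attr in MAPPING.items()})
            for rec in records]


def format_event(event_type, host_ip, host_name, attrs):
    """Render as the [EVENT_TYPE]:[attr]="value",... line FortiSIEM shows for the monitor."""
    body = ",".join(f'[{k}]="{v}"' for k, v in attrs.items())
    return f"[{event_type}]:[hostIpAddr]={host_ip},[hostName]={host_name},{body}"


if __name__ == "__main__":
    for event in to_events(parse_ad_records(AD_OUTPUT_SAMPLE), "10.1.2.11", "WIN2K8-SHRPNT"):
        print(format_event(*event))
```

Every record the filter returns has Enabled set to False, which is a useful sanity check on the filter itself: if an enabled account ever appears in this output, the matching rule or flag value in the command has been edited incorrectly.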
Associating Device Types to Performance Objects
Field          Settings
Name           DiscoverDisabledUsers
Device Types   - Microsoft Windows Server 2008
               - Microsoft Windows Server 2008 R2
               - Microsoft Windows Server 2012
               - Microsoft Windows Server 2012 R2
Perf Objects   - WINEXE-AD-Disabled-Users-Output(WINEXE) - Default Interval: 1 mins
Testing the Performance Monitor
Before testing the monitor, make sure you have defined the access credentials for the Windows server, created the
IP address to credentials mapping, and tested connectivity. winexe runs the command as the supplied account on the
target, so use a dedicated account with no more than the directory read access the query needs.
1. Go to Admin > Device Support > Performance Monitoring.
2. Select the performance monitor you created, and then click Test.
3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
4. Click Test. You should see succeed under Result, and the parsed event attributes in the test result pane.
5. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor
1. Discover or re-discover the device you want to monitor.
2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics
You can now use a simple query to make sure that the metrics are pulled correctly. The search results should
display the metrics for the event attributes you defined. Create a structured historical search with these settings:

Filter Criteria     Structured: Event Type = "PH_DEV_MON_CUST_DISABLED_USERS"; Group by: [None]
Display Columns     Event Receive Time
Time                Last 10 Minutes
For Organizations   All
Creating a Custom Multi-Line SSH Command Output Monitor
In some cases, the output from a command may run over several lines. An example, as shown in the code block
below, is the show interfaces command for Cisco IOS routers. Here the multi-line block for each interface, such
as Vlan1, Vlan2, etc., needs to be consolidated into one FortiSIEM event per interface. This topic will show you how
to configure a performance object for multi-line SSH command outputs, including an example of the regular
expression you would use to parse the example output.
- Planning
- Adding the show interfaces Command Output Performance Object
- Associating Device Types to Performance Objects
- Testing the Performance Monitor
- Enabling the Performance Monitor
- Writing Queries for the Performance Metrics

Planning
Mapping a Multi-Line SSH Command Output to FortiSIEM Event Attribute Types
In this example, you want to monitor the output of the 'show interfaces' command, which would look
similar to this for a Cisco IOS router (each interface's detail lines are indented under its header line):
Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 00d0.055b.5000 (bia 00d0.055b.5000)
  Description: DevNet
  Internet address is 192.168.20.1/22
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 1/75/12681/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 3583000 bits/sec, 1726 packets/sec
  5 minute output rate 3118000 bits/sec, 1064 packets/sec
  L2 Switched: ucast: 2060202231 pkt, 586057481378 bytes - mcast: 62824587 pkt, 9271104426 bytes
  L3 in Switched: ucast: 43940778993 pkt, 16358818361299 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 37329069590 pkt, 18769383194932 bytes mcast: 0 pkt, 0 bytes
     44460046444 packets input, 16420615020121 bytes, 0 no buffer
     Received 52655932 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 146 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     37746681819 packets output, 18872504999045 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Vlan2 is up, line protocol is up
  Hardware is EtherSVI, address is 00d0.055b.5000 (bia 00d0.055b.5000)
  Description: ServerNet
  Internet address is 192.168.0.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/16/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1652000 bits/sec, 367 packets/sec
  5 minute output rate 258000 bits/sec, 177 packets/sec
  L2 Switched: ucast: 3422947811 pkt, 2275729058787 bytes - mcast: 4291290 pkt, 528654887 bytes
  L3 in Switched: ucast: 17926721335 pkt, 14810495462969 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 13822525718 pkt, 7788778830975 bytes mcast: 0 pkt, 0 bytes
     19067733427 packets input, 15044884652941 bytes, 0 no buffer
     Received 4283101 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 2 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     13850959642 packets output, 7791605865261 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Vlan3 is up, line protocol is up
  Hardware is EtherSVI, address is 00d0.055b.5000 (bia 00d0.055b.5000)
  Description: newbuildnet
  Internet address is 192.168.24.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:04, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 23000 bits/sec, 1 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
  L2 Switched: ucast: 319623039 pkt, 321540971691 bytes - mcast: 6427637 pkt, 563598014 bytes
  L3 in Switched: ucast: 9237477530 pkt, 10166398798345 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 5881512921 pkt, 4457997315264 bytes mcast: 0 pkt, 0 bytes
     9289735817 packets input, 10171188457635 bytes, 0 no buffer
     Received 6427548 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     5939896982 packets output, 4471143181770 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
From this example, you can see that to create a monitor for the 'show interfaces' command output, you would
need to:
1. Create an event type, PH_DEV_MON_CUST_SHOW_INTF, that will contain the event attribute types intfName, recvBitsPerSec, recvPacketsPerSec, sentBitsPerSec, and sentPacketsPerSec, all of which are already contained in the FortiSIEM event attribute types library.
2. Create a performance object containing the regular expression that will parse the command output and match values against the event attribute types, and then associate those event attribute types and values to PH_DEV_MON_CUST_SHOW_INTF.
Creating New Event Attribute Types and Event Types
Event Types
Naming Custom Event Types
All custom event types must begin with the prefix PH_DEV_MON_CUST_.
Create this event type:

Name                        Device Type   Severity
PH_DEV_MON_CUST_SHOW_INTF   Cisco IOS     Low
Adding the show interfaces Command Output Performance Object
In this case, you will create one performance object that will use a regular expression to parse the command
output, match value positions in the command output against FortiSIEM event attributes, and then associate
those with the event type PH_DEV_MON_CUST_SHOW_INTF.
Performance Object Configuration for Event Type PH_DEV_MON_CUST_SHOW_INTF

Field                     Setting
Name                      ssh-multiline-CiscoIOS
Type                      System
Method                    Login
Used For                  Command Output Monitoring
Command                   show interfaces
Regular Expression        \n(\S+) is (?:administratively down|up|down).*(?:\n[ \t].*)*?\n[ \t]+5 minute input rate\s+(\d+)\s+bits\/sec,\s+(\d+)\s+packets\/sec\n[ \t]+5 minute output rate\s+(\d+)\s+bits\/sec,\s+(\d+)\s+packets\/sec
Matched Attribute Count   5
List of Attributes        (see the following table)
Event Type                PH_DEV_MON_CUST_SHOW_INTF
Polling Frequency         60 seconds

The first group captures the interface name from the header line, which starts at column 0. The lazy
(?:\n[ \t].*)*? group then consumes only indented detail lines, so the match cannot run past the next interface
header into another interface's counters, and the four numeric groups capture that interface's input and output
rates. The expression assumes that the dot does not match newline characters.

List of Attributes
Matched Position   Format    Type       Event Attribute
1                  STRING    RawValue   intfName
2                  INTEGER   RawValue   recvBitsPerSec
3                  INTEGER   RawValue   recvPacketsPerSec
4                  INTEGER   RawValue   sentBitsPerSec
5                  INTEGER   RawValue   sentPacketsPerSec
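To check the multi-line expression before configuring it, the Python script below is an added example (not FortiSIEM code) that runs the same pattern over a constructed, abridged version of the show interfaces output above, with the two-space indentation Cisco IOS uses for detail lines restored, one administratively-down interface added to exercise the status alternation, and one interface block without rate lines added to show that it produces no event rather than one that borrows the next interface's counters. The host name in the rendered event is made up for the example.

```python
import re

# Constructed sample: the `show interfaces` output above, abridged, with IOS's
# two-space indentation restored, plus one administratively-down interface and
# one block (Tunnel0) that has detail lines but no rate counters.
SHOW_INTERFACES_SAMPLE = """\
Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is 00d0.055b.5000 (bia 00d0.055b.5000)
  Description: DevNet
  Internet address is 192.168.20.1/22
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  5 minute input rate 3583000 bits/sec, 1726 packets/sec
  5 minute output rate 3118000 bits/sec, 1064 packets/sec
     44460046444 packets input, 16420615020121 bytes, 0 no buffer
Vlan2 is up, line protocol is up
  Hardware is EtherSVI, address is 00d0.055b.5000 (bia 00d0.055b.5000)
  Description: ServerNet
  5 minute input rate 1652000 bits/sec, 367 packets/sec
  5 minute output rate 258000 bits/sec, 177 packets/sec
GigabitEthernet0/1 is administratively down, line protocol is down
  Hardware is Gigabit Ethernet, address is 00d0.055b.5001 (bia 00d0.055b.5001)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Description: constructed block with no rate counters
Vlan3 is up, line protocol is up
  Description: newbuildnet
  5 minute input rate 23000 bits/sec, 1 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
"""

# The performance object's expression. Group 1 is the interface name from the
# header line (column 0); the lazy (?:\n[ \t].*)*? group only consumes indented
# detail lines, so a block without rate lines cannot match into the next one.
INTERFACE_BLOCK = re.compile(
    r"^(\S+) is (?:administratively down|up|down).*"
    r"(?:\n[ \t].*)*?"
    r"\n[ \t]+5 minute input rate\s+(\d+)\s+bits/sec,\s+(\d+)\s+packets/sec"
    r"\n[ \t]+5 minute output rate\s+(\d+)\s+bits/sec,\s+(\d+)\s+packets/sec",
    re.MULTILINE,
)

# Matched position -> event attribute, as in the "List of Attributes" table.
ATTRIBUTES = ["intfName", "recvBitsPerSec", "recvPacketsPerSec",
              "sentBitsPerSec", "sentPacketsPerSec"]


def parse_show_interfaces(output):
    """One event per interface block that carries both rate lines."""
    events = []
    for m in INTERFACE_BLOCK.finditer(output):
        values = [m.group(1)] + [int(v) for v in m.groups()[1:]]
        events.append(dict(zip(ATTRIBUTES, values)))
    return events


def format_event(attrs, host_ip, host_name, event_type="PH_DEV_MON_CUST_SHOW_INTF"):
    """Render as the [EVENT_TYPE]:[attr]=value,... line FortiSIEM shows for custom events."""
    body = ",".join(f"[{k}]={v}" for k, v in attrs.items())
    return f"[{event_type}]:[hostIpAddr]={host_ip},[hostName]={host_name},{body}"


if __name__ == "__main__":
    # "core-router" is a made-up host name for the example.
    for attrs in parse_show_interfaces(SHOW_INTERFACES_SAMPLE):
        print(format_event(attrs, "192.168.20.1", "core-router"))
```

The sample yields four events (Vlan1, Vlan2, GigabitEthernet0/1 and Vlan3) and none for Tunnel0; if your own output yields fewer events than interfaces, look for blocks whose detail lines are not indented or whose rate lines use a different wording.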
Associating Device Types to Performance Objects
Field          Settings
Name           ssh-Cisco-Intf-Status
Device Types   - Cisco IOS
Perf Objects   - ssh-multiline-CiscoIOS(SSH) - Default Interval: 1 mins
Testing the Performance Monitor
Before testing the monitor, make sure you have defined the access credentials for the Cisco IOS device, created
the IP address to credentials mapping, and tested connectivity.
1. Go to Admin > Device Support > Performance Monitoring.
2. Select the performance monitor you created, and then click Test.
3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
4. Click Test. You should see succeed under Result, and the parsed event attributes in the test result pane.
5. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor
1. Discover or re-discover the device you want to monitor.
2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Writing Queries for the Performance Metrics
You can now use a simple query to make sure that the metrics are pulled correctly. The search results should
display the metrics for the event attributes you defined. Create a structured historical search with these settings:

Filter Criteria     Structured: Event Type = "PH_DEV_MON_CUST_SHOW_INTF"; Group by: [None]
Display Columns     Event Receive Time
Time                Last 10 Minutes
For Organizations   All
Custom File Monitor
You can create custom file monitors to monitor changes to directories and specific files, and also to trigger
incidents when the content of a monitored file differs from a target gold file.
- Agent-less File-Integrity Monitoring
- Agent-less Target File Monitoring
Agent-less File-Integrity Monitoring
You can use file integrity monitoring to make sure that critical files and directories on servers are not modified.
When you enable a file integrity monitor for a specific file or directory, the monitor will:
1. Log in to the system using SSH.
2. Compute the checksums of the files or a directory, including all files in the directory.
3. Periodically verify the computed checksums.
4. Create an event when a change to the checksums is detected.
- Supported Servers
- Example Events
- Adding the File Integrity Monitoring Performance Object
- Associating Device Types to Performance Objects
- Testing the Performance Monitor
- Enabling the Performance Monitor
- Writing Queries for the Performance Metrics
Supported Servers
File and directory integrity monitoring is supported for these servers:
- Linux variants
- Unix variants
- Windows (with Unix tools installed that allow SSH)
Example Events
These are examples of events that are generated by FortiSIEM when a file or directory is modified, deleted, or
has its permissions changed.
File Monitors and Event Types
Unlike other custom monitors, you don't need to set the event type to associate with the monitor. When you
select File Monitor for the Used For option, this automatically associates the event types with the file or
directory you specify for monitoring. These examples include the event type associated with each monitoring
event.
A Directory is Modified by Adding a File
Event Type: PH_DEV_MON_CUST_FILE_CREATE
Thu Mar 27 16:33:27 2014 CO228SP222 FortiSIEM-FimLog
file="/home/admin/DirectoryMon/file4.txt"
hash="d41d8cd98f00b204e9800998ecf8427e" user="root" group="root"
access="rw-r--r--" size="0"
type="create" hostIp="192.168.64.228"
A Specific File is Modified
Event Type: PH_DEV_MON_CUST_FILE_CHANGE_CONTENT
Thu Mar 27 16:37:50 2014 CO228SP222 FortiSIEM-FimLog
file="/home/admin/TargetFileMon/tartget1.txt" prehash="3c9d4de73e30f41eabaef892d507894c"
hash="3c9d4de73e30f41eabaef892d507894c" user="root" group="root" access="rw-r--r--"
size="26" targetfilehash="cc3d5ed5fda53dfa81ea6aa951d7e1fe" type="modify"
hostIp="192.168.64.228"
A Specific File is Deleted
Event Type: PH_DEV_MON_CUST_FILE_DELETE
Thu Mar 27 16:33:52 2014 CO228SP222 FortiSIEM-FimLog filee="/home/admin/DirectoryMon/file3.txt"
hash="cc3d5ed5fda53dfa81ea6aa951d7e1fe" user="root" group="root" access="rw-r--r-" size="18"
type="delete" hostIp="192.168.64.228"
Permissions or Ownership of a Specific File or Any File in a Directory is Changed
Event Type: PH_DEV_MON_CUST_FILE_CHANGE_ATTRIB
For permissions changes, look for the preaccess and access attributes.
For ownership changes, look for the preuser, user, pregroup, and group attributes.
Thu Mar 27 16:33:10 2014 CO228SP222 FortiSIEM-FimLog filee="/home/admin/FileMon/file1.txt"
hash="cc3d5ed5fda53dfa81ea6aa951d7e1fe" preuser="root" user="admin" pregroup="root" group="admin"
preaccess="rw-r--r--" access="rwxrwxrwx" size="18" type="change" hostIpp="192.168.64.228"
File Scan Event
Event Type: PH_DEV_MON_CUST_FILE_SCAN
When FortiSIEM scans a file or a directory, this event is generated and can be reported against.
Thu Mar 27 13:59:26 2014 CO228SP222 FortiSIEM-FimLog filee="/home/admin/TargetFileMon/tartget1.txt"
hash="cc3d5ed5fda53dfa81ea6aa951d7e1fe" user="root" group="root" access="rw-r--r-" size="18"
targetfilehash="cc3d5ed5fda53dfa81ea6aa951d7e1fe" type="scan" hostIpp="192.168.64.228"
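The checksum baseline, periodic re-scan and event generation that steps 1 to 4 above describe, worked through as an added Python example (not FortiSIEM's own code): it snapshots a directory, re-scans after constructed changes, and emits create, delete, content-change and attribute-change events carrying the same attributes as the FimLog samples above. The temporary directory, the file names, the host IP 192.0.2.10 and the numeric uid/gid values are assumptions; the SSH login of step 1 is outside this example.

```python
import hashlib
import os
import stat
import tempfile

# Event types used by the agent-less file integrity monitor (from the samples above).
EVENT_CREATE = "PH_DEV_MON_CUST_FILE_CREATE"
EVENT_DELETE = "PH_DEV_MON_CUST_FILE_DELETE"
EVENT_CONTENT = "PH_DEV_MON_CUST_FILE_CHANGE_CONTENT"
EVENT_ATTRIB = "PH_DEV_MON_CUST_FILE_CHANGE_ATTRIB"


def file_record(path):
    """Checksum one file and capture the attributes the FimLog events carry.
    MD5 matches the 32-hex-digit hashes in the samples; uid/gid are kept numeric
    here (assumption: a real collector resolves them to user/group names)."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.md5(fh.read()).hexdigest()
    return {
        "hash": digest,
        "user": str(st.st_uid),
        "group": str(st.st_gid),
        "access": stat.filemode(st.st_mode)[1:],  # e.g. "rw-r--r--"
        "size": str(st.st_size),
    }


def snapshot(target):
    """Step 2: checksum a single file, or every regular file below a directory."""
    if os.path.isfile(target):
        return {target: file_record(target)}
    records = {}
    for root, _dirs, names in os.walk(target):
        for name in names:
            path = os.path.join(root, name)
            if os.path.isfile(path):
                records[path] = file_record(path)
    return records


def diff_snapshots(old, new, host_ip):
    """Steps 3 and 4: compare stored checksums with a fresh scan and return one
    (event_type, attributes) pair per change, in the FimLog attribute layout.
    A file whose content and attributes both changed is reported as a content change."""
    events = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            events.append((EVENT_CREATE, dict(file=path, **new[path], type="create")))
        elif path not in new:
            events.append((EVENT_DELETE, dict(file=path, **old[path], type="delete")))
        else:
            o, n = old[path], new[path]
            if o["hash"] != n["hash"]:
                # Content changed: prehash carries the checksum from the previous scan.
                events.append((EVENT_CONTENT,
                               dict(file=path, prehash=o["hash"], **n, type="modify")))
            elif (o["user"], o["group"], o["access"]) != (n["user"], n["group"], n["access"]):
                # Ownership or permissions changed: pre* attributes hold the old values.
                events.append((EVENT_ATTRIB, dict(
                    file=path, hash=n["hash"], preuser=o["user"], user=n["user"],
                    pregroup=o["group"], group=n["group"], preaccess=o["access"],
                    access=n["access"], size=n["size"], type="change")))
    for _event_type, attrs in events:
        attrs["hostIp"] = host_ip
    return events


def format_event(event_type, attrs):
    """Render an event in the key="value" shape of the FimLog samples."""
    body = " ".join('%s="%s"' % (k, v) for k, v in attrs.items())
    return "[%s] FortiSIEM-FimLog %s" % (event_type, body)


def demo(host_ip="192.0.2.10"):
    """Constructed scenario: baseline a temporary directory, then add, modify,
    chmod and delete files, and return the events the second scan produces."""
    with tempfile.TemporaryDirectory() as d:
        p = {n: os.path.join(d, n) for n in ("file1.txt", "file2.txt", "file3.txt", "file4.txt")}
        for n in ("file1.txt", "file2.txt", "file3.txt"):
            with open(p[n], "w") as fh:
                fh.write("hello")
        os.chmod(p["file2.txt"], 0o644)
        baseline = snapshot(d)
        with open(p["file1.txt"], "w") as fh:  # content change
            fh.write("hello world")
        os.chmod(p["file2.txt"], 0o777)  # permission change, content unchanged
        os.remove(p["file3.txt"])  # deletion
        open(p["file4.txt"], "w").close()  # new empty file
        return diff_snapshots(baseline, snapshot(d), host_ip)


if __name__ == "__main__":
    for event_type, attrs in demo():
        print(format_event(event_type, attrs))
```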
Adding the File Integrity Monitoring Performance Object
In Service Provider deployments, the performance object should be created by the Super/Global account, and will
apply to all organizations. For both Service Provider and enterprise deployments, the performance object can be
created for an organization by any user who has access to the Admin tab.
In this case, you will create one performance object for each file or directory you want to monitor. You don't need to create a new event type or event attribute type, as these are automatically associated with the performance object when you select File Monitoring for the Used For field.
Performance Object Configuration for File Integrity Monitoring
Name: LinuxFileMon
Type: Application
Method: Login
Used For: File Monitor
File Path: home/admin/FileMon/file.txt
Polling Frequency: 30 seconds
Performance Object Configuration for Directory Integrity Monitoring
Name: LinuxDirMon
Type: Application
Method: Login
Used For: File Monitor
File Path: home/admin/DirectoryMon
Polling Frequency: 30 seconds
Associating Device Types to Performance Objects
You should associate the performance object to the Linux, Unix, or SSH-capable Windows device type that contains the file or directory path you want to monitor.
Testing the Performance Monitor
Before testing the monitor, make sure you have defined the access credentials for the device, created the IP address to credentials mapping, and tested connectivity.
1. Go to Admin > Device Support > Performance Monitoring.
2. Select the performance monitor you created, and then click Test.
3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
4. Click Test. You should see succeed under Result, and the parsed event attributes in the test result pane.
5. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.
Enabling the Performance Monitor
1. Discover or re-discover the device you want to monitor.
2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.
Writing Queries for the Performance Metrics
You can now use a simple query to make sure that the metrics are pulled correctly.
Change: Audited File Added/Deleted
Create a structured historical search with these settings:
Filter Criteria: Structured; Event Type IN ("PH_DEV_MON_CUST_FILE_CREATE","PH_DEV_MON_CUST_FILE_DELETE"); Group by: [None]
Display Columns: Event Receive Time
Time: Last 1 Day
For Organizations: All
Change: Audited File Content Modifications
Create a structured historical search with these settings:
Filter Criteria: Structured; Event Type = "PH_DEV_MON_CUST_FILE_DELTA"; Group by: [None]
Display Columns: Event Receive Time, Host
Time: Last 1 Day
For Organizations: All
Change: Audited File Attribute Modifications
Create a structured historical search with these settings:
Filter Criteria: Structured; Event Type = "PH_DEV_MON_CUST_FILE_CHANGE_ATTRIB"; Group by: [None]
Display Columns: Event Receive Time, Host
Time: Last 1 Day
For Organizations: All
Agent-less Target File Monitoring
You can use target file monitoring to make sure that a specific file, for example a device configuration file, is
always identical in content to a gold standard target file that you import into FortiSIEM. When you enable a target
file monitor, it will:
1. Pre-compute the checksum of the gold standard target file imported into FortiSIEM.
2. Periodically, log in to the system using SSH and compute the checksum of the file.
3. Create an event when the content of the monitored file is different than the gold standard target file.
- Supported Servers
- Example Events
- Adding the File Integrity Monitoring Performance Object
- Testing the Performance Monitor
- Enabling the Performance Monitor
- Checking the Difference between Versions of Monitored Files
Supported Servers
Target file monitoring is supported for these servers:
- Linux variants
- Unix variants
- Windows (with Unix tools installed that allow SSH)
Example Events
These are the two events that FortiSIEM generates when the target file is modified.
File Monitors and Event Types
Unlike other custom monitors, you don't need to set the event type to associate with the monitor. When you
select File Monitor for the Used For option, this automatically associates the event types with the file or
directory you specify for monitoring. These examples include the event type associated with each monitoring
event.
Event Type: PH_DEV_MON_CUST_TARGET_FILE_CHANGE
This indicates that content of the target file has changed. You can see that the values for prehash and hash
are different.
Thu Mar 27 16:37:50 2014 CO228SP222 FortiSIEM-FimLog
file="/home/admin/TargetFileMon/tartget1.txt"
prehash="3c9d4de73e30f41eabaef892d507894c" hash="3c9d4de73e30f41eabaef892d507894c"
user="root" group="root" access="rw-r--r--" size="26"
targetfilehash="cc3d5ed5fda53dfa81ea6aa951d7e1fe" type="modify"
hostIp="192.168.64.228"
Event Type: PH_DEV_MON_CUST_TARGET_FILE_DELTA
This indicates what was changed, as you can see with the addedItem, deletedItem, oldSVNVersion, and newSVNVersion attributes.
<14>Mar 27 14:02:28 VA223_TestaThon phPerfMonitor[3740]: [PH_DEV_MON_
CUST_TARGET_FILE_DELTA]:[eventSeverity]=PHL_INFO,
[procName]=phPerfMonitor,[fileName]=phSvnUpdate.cpp,[lineNumber]=205,
[phCustId]=1,[hostName]=CO228SP222,
[hostIpAddr]=192.168.64.228,
[fileName]=/home/admin/TargetFileMon/tartget1.txt,[oldSVNVersion]=15,
[newSVNVersion]=20,
[deletedItem]=(none),[addedItem]=newline;,[phLogDetail]=
Adding the File Integrity Monitoring Performance Object
In Service Provider deployments, the performance object should be created by the Super/Global account, and will
apply to all organizations. For both Service Provider and enterprise deployments, the performance object can be
created for an organization by any user who has access to the Admin tab.
In this case, you will create one performance object in which you will upload the gold target file and enter the path to the file you want to monitor. You don't need to create a new event type or event attribute type, as these are automatically associated with the performance object when you select File Monitoring for the Used For field.
Performance Object Configuration for File Integrity Monitoring
Name: LinuxTargetFileMon
Type: Application
Method: Login
Used For: File Monitor
File Path: home/admin/FileMon/file.txt
Target File: Click Upload and browse to the location of the file that you want to use as the gold target
Associating Device Types to Performance Objects
You should associate the performance object to the Linux, Unix, or SSH-capable Windows device type that contains the file or directory path you want to monitor.
Testing the Performance Monitor
Before testing the monitor, make sure you have defined the access credentials for the device, created the IP address to credentials mapping, and tested connectivity.
1. Go to Admin > Device Support > Performance Monitoring.
2. Select the performance monitor you created, and then click Test.
3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
4. Click Test. You should see succeed under Result, and the parsed event attributes in the test result pane.
5. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.
Enabling the Performance Monitor
1. Discover or re-discover the device you want to monitor.
2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.
Checking the Difference between Versions of Monitored Files
When the monitor detects a difference between the files, it will trigger the rule Audited target file
content modified, and the rule will continue to trigger and generate incidents until the checksums of the
files match. You can compare the original monitored file against the new version in the CMDB.
1. Go to CMDB > Devices.
2. Select the device where the monitored file is located.
3. Click the Configuration tab.
In the left pane you will see a list of all the files, and their versions, on the device.
4. To compare files, select one, Ctrl-click to select the other, and then click Diff.
Custom Configuration Change Monitoring
This feature provides a way to collect configuration files from any device and monitor them for changes.
Define a new vendor, model (Optional)
If the device vendor and model are not yet defined in FortiSIEM, then the new definition needs to be added.
To check whether your device is already defined
1. Go to Admin > Device Support > Device/App Types
2. In the Search area, type in the vendor name and see if it exists.
To add a new device type
1. Go to Admin > Device Support > Device/App Types
2. Click New
3. Fill in the following information:
- Vendor: Type in the name of the Vendor (e.g. Fortinet or Cisco)
- Model: Type in the model - be very generic - preferably the software model, e.g. FortiOS, IOS - do not enter the hardware model for appliances
- Version: Most of the time ANY
- Device/App Group: Select the CMDB Group to which the new device will belong
- Business Service Group: Define the Business Service Group to which the new device will belong
- Description: Add a description
4. Click Save
Create a valid access method
1. Go to Admin > Setup > Credentials (Step 1).
2. Click Add.
3. Create an SSH credential
a. Device Type - Select your device.
b. Access Protocol - Set to SSH.
c. Define User Name and Password.
4. Click Save.
5. Go to Admin > Setup > Step 2: IP Range to Credentials.
6. Click Add.
7. Enter the following information for IP Range to Credential Mapping:
1. IP/Range - the access IP of the device.
2. Credentials - pick the credential in Step 3.
3. Click OK.
8. Select the entry and Click Test Connectivity or Test Connectivity without Ping.
9. Make sure Test Connectivity succeeds.
Create a Performance Object
1. Go to Admin > Device Support > Performance Monitoring.
2. Under the Enter Performance Object area, click New.
3. Enter the following information to create a new Performance Object:
1. Name - enter a name for reference
2. Type - set to System
3. Method - set to LOGIN
4. Used For - set to Configuration Monitoring
5. Expect Script - Click Upload to store a configuration-pulling expect script in FortiSIEM
6. Polling Frequency - determines how often configuration will be pulled - recommended 30 minutes
4. Click Save
Create Device Type to Performance Object association
1. Go to Admin > Device Support > Performance Monitoring.
2. Under Enter Device Type to Performance Object Association, click New.
3. Enter the following information to create an association:
1. Name - enter a name for reference
2. Device Types - select the relevant device type for custom configuration polling
3. Perf Objects - Select the performance object created in previous step
4. Click Save
Discover the device
1. Go to Admin > Setup > Discovery.
2. Click Add.
3. In Include Range, enter the IP address of the device.
4. Click OK.
5. Select the entry and then click Discover.
Validation Check
The expect script will be executed and configuration will be discovered.
1. Go to Admin > Setup > Monitor Change/Performance. Search for the device and check the configuration
monitoring task under System Monitor
2. Go to CMDB. Search for the device and check for the configuration under Configuration tab for the selected
device.
Configuring Event Handling
This section describes certain event handling operations that happen at the moment events are received in
FortiSIEM.
- Event Dropping
- Event Forwarding
- Event Organization Mapping
- Multi-line Syslog Handling
Event Dropping
Some devices and applications generate a significant number of logs, which may be very verbose, contain little
valuable information, and consume storage resources. You can configure Event Dropping rules that will drop
events just after they have been received by FortiSIEM, preventing these event logs from being collected and
processed. Implementing these rules may require some thought to accurately set the event type, reporting device type, and event regular expression match, for example. However, dropped events do not count towards licensed Events per Second (EPS), and are not stored in the Event database. Dropped events also do not appear in reports, and do not trigger rules. You can also specify that events should be dropped but stored, so event information will be available for searches and reports, but will not trigger rules. An example of an event type that you might want to store but not have trigger any rules would be an IPS event that is a false positive.
1. Log in to your Supervisor node.
For Service Provider deployments you should log in to the Super/Global account if you want to set a system-wide event dropping rule. If you want to set an event-dropping rule for a specific organization, either log in as an administrator for that organization, or log in using the Super/Global Account and then select the organization to which the rule should apply when you are creating it.
2. Go to Admin > General Settings > Event Handling.
3. Under Event Dropping Rule, click Add.
4. Next to Reporting Device, click Edit, and use the CMDB Browser to find the device group or individual device that you want to create the rule for.
5. Next to Event Type, click Edit, and use the Event Type Browser to find the group of event types, or a specific event type, that you want to create the rule for.
6. If the event type you select has a Source IP or Destination IP attribute, you can enter specific IP addresses to which the rule should apply.
7. For Regex Filter, enter any regular expressions you want to use to filter the log files. If any matches are made against your regular expression, then the event will be dropped.
8. For Service Provider deployments, select the Organization to which the rule should apply.
9. Select the Action that should be taken when the event dropping rule is triggered.
10. Enter any Description for the rule.
11. Click Save.
Implementation Notes
1. All matching rules are implemented by FortiSIEM, and inter-rule order is not important. If you create a duplicate of
an event dropping rule, the first rule is in effect.
2. If you leave a rule definition field blank, then that field is not evaluated. For example, leaving Event Type left
blank is the same as selecting All Event Types.
3. FortiSIEM drops the event at the first entry point. If your deployment uses Collectors, events are dropped by the
Collectors. If your deployment doesn't use Collectors, then the event will be dropped by the Worker or Supervisor
where the event is received.
4. You can use the report System Event Processing Statistics to view the statistics for dropped events. When you run the report, select AVG(Policy Dropped Event Rate(/sec) as one of the dimensions for Chart For to see events that have been dropped by this policy.
Event Forwarding
In systems management, many servers may need access to forward logs, traps and Netflows from network
devices and servers, but it is often resource intensive for network devices and servers to forward logs, traps and
netflows to multiple destinations. For example, most Cisco routers can forward Netflow to two locations at most.
However, FortiSIEM can forward/relay specific logs, traps and Netflows to one or more destinations. If you want
to send a log to multiple destinations, you can send it to FortiSIEM, which will use an event forwarding rule to
send it to the desired locations.
1. Log in to your Supervisor node.
2. Go to Admin > General Settings > Event Handling.
3. Under Event Forwarding Rule, for Service Provider deployments, select the organization for which the rule will
apply.
4. Click Add.
5. For Sender IP, enter the IP address of the device that will be sending the logs.
6. For Severity, select an operator and enter a severity level that must match for the log to be forwarded.
7. Select the Traffic Type to which the rule should apply.
The Forward To > Port field will be populated based on your selection here.
8. For Forward to > IP, enter the IP address to which the event should be forwarded.
9. Click OK.
Multiple Destinations from the Same Sender IP
If you want the same sender IP to forward events to multiple destinations, create a rule for each destination.
Duplicate Rules Create Duplicate Logs
FortiSIEM will implement all rules that you create and enable, so if you create a duplicate of an event forwarding
rule, two copies of the same log will be sent to the destination IP.
Event Organization Mapping
FortiSIEM can handle reporting devices that are themselves Service Provider systems and hence carry organization names in the events they send. This section describes how to map the organization names in such external events to the organizations defined in FortiSIEM, so that those events are assigned to the correct FortiSIEM organization.
Adding Organization Mapping Rules
1. Go to Admin > General Settings > Event Handling > Event Organization Handling
2. Click Add to add a rule
3. Select Enabled if this rule is to be enforced
4. Select the Device Type of the sender. This has to be a device type that FortiSIEM understands and whose events it is able to parse.
5. Select the Event Attribute that contains the external organization name. FortiSIEM will map the value in this
field to FortiSIEM organization.
6. Select the Collectors that are going to receive the events. By default any collectors would be able to do this but it
is possible to scope down if needed. This field is optional.
7. Specify the Reporting IP/Range of the Service Provider devices that are sending events. Format of this field is a
comma separated list of IP addresses intermixed with IP ranges, e.g. 10.1.1.1,10.1.1.2,10.10.1.1-10.10.1.250.
8. Specify the Org Mapping.
a. Click Edit
b. Select the System (FortiSIEM) organization on the left column
c. Click the Event Organization and enter the external Organization name corresponding to the System
Organization on the left column
9. Click OK to Save.
Implementation Notes
Do not define overlapping rules: make sure there are no overlaps in (Collector, Reporting IP/Range, Event Attribute) between multiple rules.
Multi-line Syslog Handling
Often applications generate a single syslog in multiple lines. For analysis purposes, the multiple lines need to be put together into a single log. This feature enables you to do that.
You can write multiple multi-line syslog combining rules based on reporting IP and begin and end patterns. All matching syslog lines between the begin and end pattern are combined into a single log.
To create a multi-line syslog rule,
1. Go to Admin > General Settings > Event Handling
2. Scroll down to Multiline syslog section
3. Click Add
4. Enter the following information
a. Enabled - check this if the rule needs to be effective
b. Sender IP - the source of the syslog - format is a single IP, IP range, CIDR and a combination of the
above separated by comma
c. Protocol - TCP or UDP since syslog can come via either of these protocols
d. Organization - syslog from devices belonging to this organization will be combined into one line
e. Begin Pattern - combining syslog starts when the regular expression specified here is encountered
f. End Pattern - combining syslog stops when the regular expression specified here is encountered
5. Click Save
Example 1 - Syslog over UDP
In this case, Begin Pattern is required and End Pattern is optional.
- If a packet matches the Begin Pattern, FortiSIEM will hold it in memory and wait for the next packet.
- If the 2nd packet also matches the Begin Pattern, continue waiting.
- If the 3rd packet doesn't match the Begin Pattern, flush out the 2 events (1+2 and 3).
- If any packet matches the End Pattern, flush out.
- The Begin Pattern is in each packet of a multiline syslog. Remove them except the 1st packet.
For example, the receiver gets these packets:
<syslog header> I come to
<syslog header> work
<syslog header> every day
If you set the Begin Pattern to a regular expression to match the <syslog header> and leave the End Pattern to
be empty, then the three syslogs are combined into a single syslog
<syslog header> I come to work every day
If you set the Begin Pattern to a regular expression to match the <syslog header> and leave the End Pattern to
match work, then the first two syslogs are combined into a single syslog, while the third one is left alone.
<syslog header> I come to work
<syslog header> work
Example 2 - Syslog over TCP - octet counting
Octet counting means that there is a header that specifies the length of the syslog. In this case, syslog is not
combined. There is no need to combine, since the source can send large syslog messages.
Example 3 - syslog over TCP - non-transparent framing
In non-transparent framing, two syslogs sent over a TCP stream are delineated by the "\n" character. In this case, either Begin Pattern or End Pattern is required. Both can be present as well.
- If the Begin Pattern is matched in the TCP stream, a multi-line syslog combination begins
- If the End Pattern is matched in the TCP stream, multi-line syslog combination ends
- If the Begin Pattern is again matched in the TCP stream, the previous multi-line syslog combination ends
TCP syslog stream: id=0,name=<1>name=a,id=1<2>name=b,id=2<3>
Begin pattern is <\d+> and end pattern is id=\d+. This results in 3 syslogs
id=0,name=
<1>name=a,id=1
<2>name=b,id=2
And <3> will be held for next packet.
If the Begin pattern is <\d+> and end pattern is empty, this also results in 3 syslogs as before.
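The combining rules of Example 1 and Example 3, worked through as an added Python example (not FortiSIEM code): combine_udp applies the per-packet Begin/End logic to the three "<syslog header>" packets, and combine_tcp applies the non-transparent-framing logic to the TCP stream shown above. Two assumptions are labelled in the code: end of input is treated like the receive timeout that flushes a held UDP message, and an End Pattern only closes a message that a Begin Pattern opened (which is what yields "id=0,name=" whole in the TCP example).

```python
import re


def combine_udp(packets, begin, end=None, flush_at_end=True):
    """Example 1 (UDP): Begin Pattern required, End Pattern optional.
    A packet matching Begin is held; further packets matching Begin are appended
    with their own header (the Begin match) removed; a packet matching End
    flushes the held message; a packet that matches neither flushes the held
    message and is emitted on its own.  flush_at_end stands in for the receive
    timeout that flushes the last held message (assumption).
    Returns (messages, still_held)."""
    begin_re = re.compile(begin)
    end_re = re.compile(end) if end else None
    messages, pending = [], None
    for pkt in packets:
        if begin_re.search(pkt):
            if pending is None:
                pending = pkt
            else:
                pending += begin_re.sub("", pkt, count=1)  # keep header of 1st packet only
            if end_re is not None and end_re.search(pkt):
                messages.append(pending)
                pending = None
        else:
            if pending is not None:
                messages.append(pending)
                pending = None
            messages.append(pkt)
    if flush_at_end and pending is not None:
        messages.append(pending)
        pending = None
    return messages, pending


def combine_tcp(stream, begin=None, end=None):
    """Example 3 (TCP, non-transparent framing): at least one of Begin/End.
    A Begin match closes the message being assembled and opens a new one; an
    End match closes the message a Begin opened (assumption: End is ignored
    until a Begin has matched).  Text after the last closed message is returned
    as held, to be completed by the next TCP packet."""
    if not begin and not end:
        raise ValueError("either a Begin Pattern or an End Pattern is required")
    begin_re = re.compile(begin) if begin else None
    end_re = re.compile(end) if end else None
    messages, cursor, open_start = [], 0, 0
    begun = begin_re is None  # with End only, every byte belongs to some message
    while True:
        b = begin_re.search(stream, cursor) if begin_re else None
        e = end_re.search(stream, cursor) if (end_re and begun) else None
        if b is None and e is None:
            break
        use_begin = e is None or (b is not None and b.start() <= e.start())
        m = b if use_begin else e
        if m.end() == m.start():
            raise ValueError("patterns must consume at least one character")
        if use_begin:
            if b.start() > open_start:  # whatever preceded the Begin is a syslog
                messages.append(stream[open_start:b.start()])
            open_start, cursor, begun = b.start(), b.end(), True
        else:
            messages.append(stream[open_start:e.end()])
            open_start = cursor = e.end()
            begun = begin_re is None
    return messages, stream[open_start:]


if __name__ == "__main__":
    packets = ["<syslog header> I come to", "<syslog header> work", "<syslog header> every day"]
    print(combine_udp(packets, r"<syslog header>"))
    print(combine_udp(packets, r"<syslog header>", end=r"work"))
    print(combine_tcp("id=0,name=<1>name=a,id=1<2>name=b,id=2<3>", begin=r"<\d+>", end=r"id=\d+"))
```

With the End Pattern set to work, the third packet is emitted on its own as "<syslog header> every day".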
Managing FortiSIEM
This chapter describes the following:
- General System Administration
- Working with the Configuration Management Database (CMDB)
- Creating Event Database Archives
- Integrating with External CMDB and Helpdesk Systems
- Backing Up and Restoring FortiSIEM Directories and Databases
General System Administration
Topics in this section contain information on monitoring the health of your FortiSIEM deployment, general system
settings such as language, date format, and system logos, and how to add devices to a maintenance calendar.
- FortiSIEM Backend Processes
- Administrator Tools
- Managing User Activity
- Creating Maintenance Window for Devices
- Creating Maintenance Window for Synthetic Transaction Monitoring jobs
- Creating Reverse SSH Tunnels to Debug Collector Issues
- Managing System Date Format and Logos
- Viewing Cloud Health and System Information
- Viewing Collector Health
- Viewing License Information and Adding Nodes to a License
- FortiSIEM Event Categories and Handling
- Changing Dashboard Theme
- Installing OS Security Patches
FortiSIEM Backend Processes
This topic provides a brief description of FortiSIEM backend system processes, and the nodes (Supervisor,
Collector, Worker) that use them.
Process              Function                                        Used by
phMonitor            Monitoring other processes                      Supervisor, Worker, Collector
phDiscover           Pulling basic data from target                  Supervisor, Collector
phPerfMonitor        Execute performance job                         Supervisor, Worker, Collector
phAgentManager       Execute event pulling job                       Supervisor, Worker, Collector
phCheckpoint         Execute checkpoint monitoring                   Supervisor, Worker, Collector
phEventPackage       Uploading event/SVN file to Supervisor/Worker   Collector
phParser             Parsing event to shared store (SS)              Supervisor, Worker, Collector
phDataManager        Save event from SS to Event DB                  Supervisor, Worker
phRuleMaster         Determines if a rule should trigger             Supervisor
phRuleWorker         Aggregates data for rules                       Supervisor, Worker
phQueryMaster        Merges data from QueryWorker                    Supervisor
phQueryWorker        Executes a query task                           Supervisor, Worker
phReportMaster       Merge data from ReportWorker                    Supervisor
phReportWorker       Aggregates data for reports                     Supervisor, Worker
phIPIdentityMaster   Merges IP identity information                  Supervisor
phIdentityWorker     Collects IP identity information                Supervisor, Worker
Apache               Receives event/SVN files from the Collector     Supervisor, Worker
Administrator Tools
This topic describes administration tools and scripts that are included with your FortiSIEM deployment, along with
information on where to find and how to use them.
Tool: phTools
Description: phTools is a simple tool for starting and stopping backend processes, and for getting change log information. When you upgrade your deployment, for example, you would use phTools to stop all backend processes.
How to Use It: Log in to the FortiSIEM host machine as root.
Usage
[root@FortiSIEM]# phtools
Commands: --changelog, --start, --stop, -stats
Target: ALL
--change-log also supports ERROR, TRACE, INFO, DEBUG, CRITICAL

Tool: TestSegmentReader
Description: Test Segment Reader is used to quickly read data segments in the eventdb through the command line. You can use this to manually inspect data integrity and parsed event attributes.
How to Use It: Log into the FortiSIEM host machine as root.
Usage
[root@FortiSIEM]# TestSegmentReader <segmentDir>

Tool: phExportEvent
Description: Used to export event information to a CSV file.
How to Use It: See Exporting Events to Files.

Tool: TestDBPurger
Description: A script to selectively delete event data per org and time interval.
How to Use It: Use Only to Delete Data for a Single Date: You should only use this script to delete data for a single date and organization. If you try to delete data for multiple dates, the script will fail. You can find the script at /opt/phoenix/bin/TestDBPurger. Run it in terminal mode and follow the instructions.
Managing User Activity
In the User Activity page you can view the users who are logged into your system, user query activity, and locked
out users. You can also log users out of the system, stop active user queries, and lock or unlock users from being
able to log in. Click the User Activity icon in the upper-right corner of the FortiSIEM web interface to access user
activity information.
- Managing Logged In Users
- Managing Locked Out Users
- Managing Active User Queries
Managing Logged In Users
In the Logged In Users tab of the User Activity page you can see the users who are currently logged in to your
system. You can also log users out of the system, with an option to lock them out as well.
1. Log in to your Supervisor node.
2. In the upper-right corner of the FortiSIEM web interface, click the User Activity icon.
3. Click the Logged In Users tab.
You will see a list of all the users who are currently in your system.
4. If you want to log a user out of the system, select the user and click Log Out.
5. If you want to lock a user out of the system, select the user and click Log Out and Lock Out.
Managing Locked Out Users
In the Locked Users tab of the User Activity page you can see the users who are currently locked out of your
system, and also unlock them.
1. Log in to your Supervisor node.
2. In the upper-right corner of the FortiSIEM web interface, click the User Activity icon.
3. Click the Locked Users tab.
You will see a list of all users who are locked out of the system.
4. To unlock a user, select the user and then click Unlock.
Managing Active User Queries
In the User Queries tab of the User Activity page you can see the user queries that are running in your system,
and also stop queries.
1. In the upper-right corner of the FortiSIEM web interface, click the User Activity icon.
2. Click the User Queries tab.
You will see a list of all the queries that are currently running in your system.
3. To stop a query, select it and then click Stop Query.
Creating Maintenance Window for Devices
You can add a device to a maintenance window. During this period, the device is not monitored, and alerts for the device are not triggered. If you have a FortiSIEM Service Provider deployment and you log in as a Super/Global user, you can schedule maintenance events for single organizations, the Super/Global organization, or add devices from multiple organizations to the same maintenance event.
1. Log in to your Supervisor node.
2. Go to Admin > Maintenance Calendar.
3. Click Add.
4. Enter a Name and Description for the maintenance event.
5. Set the Time Range and Date Range for the maintenance event.
Recurring Maintenance Events: Select From start date on to set up recurring maintenance events.
6. Under Groups and Devices, click Edit.
7. If you have a FortiSIEM Service Provider deployment, select the Organization that has the devices you want to add to the maintenance calendar.
Multiple Organizations, One Maintenance Event: If you are the Super/Global user, it is possible to add devices from different organizations to the same maintenance event.
8. Add Folders or Items to the maintenance event by selecting them, and then using the Folder >> and Item >> buttons to move them into the selection pane.
9. Click OK when you're done selecting Folders and Items.
10. Select Generate incidents for devices under active maintenance if you want incidents for devices that are part of this maintenance event to be triggered.
11. Click OK.
12. You will now see your maintenance event listed on the calendar. Mouse over any calendar entry to view details of the maintenance event.
Creating Maintenance Window for Synthetic Transaction Monitoring jobs
You can add a Synthetic Transaction Monitoring (STM) job to a maintenance event. During the maintenance event, the STM job is not executed and hence related alerts do not trigger.
If you have a FortiSIEM Service Provider deployment and you log in as a Super/Global user, you can schedule maintenance events for single organizations, the Super/Global organization, or add devices from multiple organizations to the same maintenance event.
1. Log in to your Supervisor node.
2. Go to Admin > Maintenance Calendar.
3. Click Add.
4. Enter a Name and Description for the maintenance event.
5. Set the Time Range and Date Range for the maintenance event.
Recurring Maintenance Events: Select From start date on to set up recurring maintenance events.
6. Under Groups and Devices, click Edit.
7. If you have a FortiSIEM Service Provider deployment, select the Organization that has the devices you want to add to the maintenance calendar.
Multiple Organizations, One Maintenance Event: If you are the Super/Global user, it is possible to add devices from different organizations to the same maintenance event.
8. Click Synthetic Transaction Monitor (STM) to see all the STM jobs under Items in the window below.
9. Select the Items from the bottom left and then click Item >> to move them into the selection pane.
10. Click OK to save the configuration.
11. Select Generate incidents for devices under active maintenance if you want incidents for devices that are part of this maintenance event to be triggered.
12. Click OK.
13. You will now see your maintenance event listed on the calendar. Mouse over any calendar entry to view details of the maintenance event.
Creating Reverse SSH Tunnels to Debug Collector Issues
- Using SSH Tunnels to Connect to Managed Endpoints
- Browser Plugins and Connectivity Protocol Support
- Firewall Configuration
- Using Role-Based Access Control to Limit Access to Tunnel Creation, Viewing, and Closing
- Related Links
Using SSH Tunnels to Connect to Managed Endpoints
When you want to quickly debug an issue, you often need to connect to a managed endpoint directly from a browser using protocols such as Telnet/SSH, RDP, VNC, or HTTP(S), depending on the operating system of the endpoint. However, in a Service Provider deployment, the managed endpoint could be behind a firewall and across the Internet. To further complicate matters, the firewall may not permit an inbound connection for management protocols for security reasons, and also may not allow quick policy changes.
The FortiSIEM solution to this situation is to build a reverse SSH tunnel between the Collector and the Supervisor. The firewall already allows HTTP(S) sessions from the Collector to the Supervisor. After it is also configured to allow SSH connections from the Collector to the Supervisor, FortiSIEM builds an on-demand reverse SSH tunnel initiated by the Collector. You can then use the tunnel to open a remote management session from your browser to the remote managed endpoint. This blog post on The Geek Stuff describes the process for setting up reverse SSH tunnels on Linux, and provides some additional technical details.
If the managed endpoint is directly accessible from your browser, FortiSIEM can open a direct session. The
devices have to be discovered first, and based on this information, FortiSIEM can determine whether to launch a
direct or Collector-based session.
- If the device is discovered by the Supervisor, then it opens a direct session
- If the device is discovered by a Collector, then it opens a reverse SSH tunnel from the Collector, and then initiates a session over this tunnel
FortiSIEM has several features for managing SSH tunnels, including:
- You can define the port of the reverse SSH tunnel. By default it is set to 19999, but it can be changed to any port.
- FortiSIEM automatically times out each tunnel after a day, although you can manually delete a tunnel at any time.
- FortiSIEM provides full tunnel management auditing, such as reporting on who creates and deletes a tunnel.
- FortiSIEM supports a broad group of connectivity protocols. You can launch any connectivity application by specifying the port, and FortiSIEM will create the tunnel.
- RBAC is supported at the Collector level: if the user can visit the Collector Health page, then the user can open a remote Collector tunnel.
Browser Plugins and Connectivity Protocol Support
Since FortiSIEM runs from a browser, some integrations are possible if certain browser plugins are installed. The
best use case is:
- Using the Firefox browser to connect to FortiSIEM
- The FireSSH browser plugin is already installed in Firefox
- You launch a remote session to the managed endpoint over SSH
- FortiSIEM launches the FireSSH browser plugin and passes the managed endpoint IP
- You type in your user name and password, and if the authentication succeeds, then the shell appears
This table lists the browsers, and the protocols supported by their plugins, that you can use to connect to the
managed endpoint.
Note: Always type the end host/device credentials for direct connections over a reverse tunnel even though the
displayed IP/port belongs to the Supervisor.
Web Browser: Firefox
  Protocol   Browser Plugin   Integration
  SSH        FireSSH          The plugin launches. You need to provide your user name and password for the end host/device.
  Telnet     None             A dialog shows the Supervisor's port/tunnel endpoint to connect to. Use your favorite external telnet client to telnet to <Supervisor-IP> and the port.
  HTTP(S)    None required    Another tab opens. You will need to provide your user name and password if the endpoint device requires it.
  RDP        None             A dialog shows the Supervisor's port/tunnel endpoint to connect to. Use your favorite external remote desktop client to connect to <Supervisor-IP> and the port.
  VNC        None             A dialog shows the Supervisor's port/tunnel endpoint to connect to. Use your favorite external VNC client to connect to <Supervisor-IP> and the port.
  Other      None             A dialog shows the Supervisor's port/tunnel endpoint to connect to. Use your favorite external application client to connect to <Supervisor-IP> and the port.

Web Browser: Chrome
  Protocol   Browser Plugin   Integration
  SSH        FireSSH          The plugin launches. You need to provide your user name and password for the end host/device.
  Telnet     None             A dialog shows the Supervisor's port/tunnel endpoint to connect to. Use your favorite external telnet client to telnet to <Supervisor-IP> and the port.
  RDP        Chrome RDP       A dialog opens for the Chrome RDP plugin. Make sure your popup blocker is disabled, or that you allow popups from this site. Click Launch App to launch the plugin in a new tab. A dialog shows the Supervisor's port/tunnel endpoint to connect to. Enter <Supervisor-IP>:<Supervisor Port> to connect. Alternatively, you can use your favorite RDP client.
  HTTP(S)    None required    Another tab opens. You will need to provide your user name and password if the endpoint device requires it.
  VNC        None             A dialog shows the Supervisor's port/tunnel endpoint to connect to. Use your favorite external VNC client to connect to <Supervisor-IP> and the port.
  Other      None             A dialog shows the Supervisor's port/tunnel endpoint to connect to. Use your favorite external application client to connect to <Supervisor-IP> and the port.

Web Browser: Safari (on OSX only)
  Protocol   Browser Plugin   Integration
  SSH        Mac Terminal     A new terminal window launches and connects via SSH to <Supervisor-IP> and <Supervisor-port>. Enter your user name and password for the end host/device.
  Telnet     Mac Terminal     A new terminal window launches and connects via telnet to <Supervisor-IP> and <Supervisor-port>. Enter your user name and password for the end host/device.
  RDP        None             A dialog opens for the Chrome RDP plugin. Make sure your popup blocker is disabled, or that you allow popups from this site. Click Launch App to launch the plugin in a new tab. A dialog shows the Supervisor's port/tunnel endpoint to connect to. Enter <Supervisor-IP>:<Supervisor Port> to connect. Alternatively, you can use your favorite RDP client.
  HTTP(S)    None required    Another tab opens. You will need to provide your user name and password if the endpoint device requires it.
  VNC        None             A dialog shows the Supervisor's port/tunnel endpoint to connect to. Use your favorite external VNC client to connect to <Supervisor-IP> and the port.
  Other      None             A dialog shows the Supervisor's port/tunnel endpoint to connect to. Use your favorite external application client to connect to <Supervisor-IP> and the port.

Web Browser: Internet Explorer
  Protocol                                 Browser Plugin          Integration
  SSH, Telnet, RDP, HTTP(S), VNC, Other    No plugin integration   Create the tunnel and then connect to the <SupervisorPort> that is displayed using an external application.
Firewall Configuration
If there is a firewall between the Collector and the Supervisor, the firewall needs to allow SSH from the Collector
to the Supervisor. The default setting uses a non-standard port, 19999, so make sure you configure the firewall
between the Collector and the Supervisor to allow outbound TCP connections on port 19999.
Using Role-Based Access Control to Limit Access to Tunnel Creation, Viewing, and Closing
For security and management reasons, you may want to limit the ability of users to create tunnels. The easiest way to do this is through user roles that have defined access capabilities. For example:
- To prevent the creation of any tunnels for a role, disallow access to the CMDB tab for that role, or disallow access to the particular device or device group. This second option lets you create fine-grained controls for tunnel creation, for example:
  - Admins who are able to view Network devices can only open tunnels to Network devices
  - Admins who are able to view Servers can only open tunnels to Servers
  - Admins who are able to view a custom-created device group can only open tunnels to that specific custom group
- To prevent viewing and closing existing tunnels, disallow access to the Admin > Collector Health page.
Related Links
- Setting Up User Roles
Auditing the Creation and Deletion of SSH Tunnels
FortiSIEM includes a system-defined report that shows the SSH tunnel open/close history for the time range that you specify.
1. Log in to your Supervisor node.
2. Go to Analytics > Reports > System Audit.
3. Select the SSH Tunnel Open/Close History report.
4. Run the report as described in Running System and User-Defined Reports and Baseline Reports.
Creating a Remote Tunnel to a Device Monitored by a Collector
Prerequisites
- You should review the browsers and plugins that are supported for the connectivity protocol you want to use to connect to the device.
Procedure
1. Log in to your Supervisor node.
2. Go to CMDB > Devices.
3. Search for or browse to the device you want to establish the connection to.
4. In the IP Address column for that device, click on the IP address associated with it to open the Options menu.
5. In the Options menu, select Connect To... .
6. Enter the Protocol and Port you want to use to connect to the device. For SSH this is Port 22.
7. Select Create Tunnel. A tunnel will be established between the Supervisor and the Collector that is monitoring the device.
8. Use your browser and plugins to establish remote connectivity to the device as described in Creating Reverse SSH Tunnels to Debug Collector Issues.
Managing Remote Tunnels to Collector Devices
After you have created tunnels to collector devices, you can view and manage those tunnels in the Collector Health page.
1. Log in to your Supervisor node.
2. Go to Admin > Collector Health.
3. Click Tunnels. The existing tunnels will be displayed in a table with these columns:
   Host IP: The IP address of the managed endpoint
   Super Port: Sessions are opened on this port on the Supervisor to connect to the managed endpoint. This ensures that the Supervisor will use the correct tunnel to reach the managed endpoint.
   Protocol: The protocol used to establish the connection to the endpoint
   Collector: The Collector that monitors the endpoint
   PID: The process ID of the tunnel. If you kill this process, it will kill the tunnel
   Opened Time: The time when the tunnel was opened
4. You can close a tunnel by selecting it and then clicking Close, or you can close all tunnels at the same time by clicking Close All.
Managing System Date Format and Logos
The UI page under Admin > General Settings contains fields that you can use to change the date format for
your FortiSIEM user interface, and to upload logos to be used within the user interface and on PDF reports.
1. Log in to your Supervisor node.
2. Go to Admin > General Settings > UI.
3. Select the Date Format you want to use to display dates in the user interface, and then click Change.
4. Click Change to choose a UI Logo that will be displayed alongside the main application tabs for your FortiSIEM
deployment.
The logo file must be in PNG format, and should not be more than 200 pixels wide or 60 pixels high (54 pixels is the ideal height).
5. Click Change to choose a Report Logo that will be used in the header of reports you export to PDF.
The logo file must be in SVG format, 160 pixels wide and 40 pixels high, or other dimensions with a 4:1
width/height ratio.
For Service Provider installs, UI Logos can also be set on a per organization basis.
1. SSH to Supervisor via root
2. Change user to admin 'su admin'
3. Change directory by running 'cd /opt/glassfish3/glassfish/domains/domain1/applications/phoenix/phoenix-web1.0_war/resources/header'
4. Create a logo per organization
a. mkdir org
b. cd org
c. Create Organization IDs as directories, e.g. 'mkdir 2001' (to find Org IDs, go to Admin > Setup Wizard > Organizations > ID)
5. Copy PNG files to the respective Organizations as logo.png. For example:
/opt/glassfish3/glassfish/domains/domain1/applications/phoenix/phoenix-web-1.0_war/resources/header/org/2001/logo.png
6. Logon to Organization e.g: Org1 (id: 2001) and make sure that UI logo is updated
Steps to convert JPEG, GIF and PNGs to SVG format
Note - FortiSIEM only accepts SVG formatted logo. All other formats must be converted to SVG formats first.
1. Upload 160 x 40 JPEG/GIF/PNG logo to http://vectormagic.com
2. Download SVG formatted logo from converter
3. Upload converted SVG formatted logo on FortiSIEM UI (Admin > General Settings > UI)
Viewing Cloud Health and System Information
The Admin > Cloud Health page shows you the status of the nodes in your deployment, as well as the processes running on them.
1. Go to Admin > Cloud Health.
2. Click on any node to view its Process Details. See FortiSIEM Backend Processes for more information about the system role played by each process.
3. You can access other information about your FortiSIEM deployment by clicking the Alert icon in the upper-right corner of the user interface, which will show you Alerts and Tasks for the system within the last 24 hours.
Viewing System Errors
You can view system errors from any page in the FortiSIEM user interface by clicking on the System Errors link directly under the URI address window in your browser.
Viewing Collector Health
If your FortiSIEM deployment includes Collectors, you can monitor the status of the Collectors in the Admin > Collector Health page. You can also upgrade Collectors from this page, as described in Setting Up the Image Server for Collector Upgrades.
1. Log in to your Supervisor node.
2. Go to Admin > Collector Health.
3. Select a Collector and click Show Processes to see the processes running on that Collector. See FortiSIEM Backend Processes for more information about the processes that run on Collectors.
4. You can also Stop or Start a Collector by selecting it and clicking the appropriate button.
Properties associated with Collector Health include:
Collector Property: Description
Org Name: Name of the organization to which the Collector belongs
Collector Name: The name of the Collector
IP Address: The IP address of the Collector
Status: The status of the Collector as either Up or Down
Health: Displays the health of the Collector based on the health of the modules running on it. If Health is Critical, it means that one of the modules is not running on the Collector.
Up Time: Total time that the Collector has been up
Last Performance Data: The time when the Collector last reported its performance status to the cloud
Last Status Update: The time when the Collector last reported its status to the cloud
Last Event Data: The time when the Collector last reported events to the cloud
CPU Utilization: Overall CPU utilization of the Collector
Memory Utilization: Overall memory utilization of the Collector
Version: Which version of FortiSIEM the Collector is running on
Build Date: The date on which the version of FortiSIEM the Collector is running on was built
Upgrade Version: If the Collector has been upgraded, the version it was upgraded to
Install Status: If you upgrade the Collector, the status of the upgrade is shown here as either Success or Failed
Download Status: If an image was downloaded to the Collector as described in Setting Up the Image Server for Collector Upgrades, the status of the download is shown here as Success or Failed
Allocated EPS: The number of events per second (EPS) dynamically allocated by the system to this Collector. See Dynamic Distribution of Events per Second (EPS) across Collectors for more information about how EPS is allocated across Collectors.
Incoming EPS: The EPS that the Collector is currently seeing
Viewing License Information and Adding Nodes to a License
The License Management page in the Admin tab shows information associated with your current FortiSIEM
license, and allows you to add virtual appliances and Report Servers to your deployment as your license allows.
1. Log in to your Supervisor node.
2. Go to Admin > License Management.
3. Under License Information you will see detailed information about both Allowed and Current Usage for the number of virtual appliances, EPS, number of devices, and other attributes associated with your FortiSIEM license.
4. Under VA Information you will see the name and IP address of the virtual appliances, and their roles, in your
FortiSIEM deployment. Click Add, and then enter an IP address for other nodes that you want to add to your
license.
5. Under Report Server Information you will see the IP address of any Report Servers in your deployment. Click
Add, and then enter an IP address for other Report Servers that you want to add to your license.
Calculations for License Usage Statistics
Statistic: EPS
Calculation: FortiSIEM calculates the EPS for your system using a counter that records the total number of received events in a three minute time interval. Every second, a thread wakes up and checks the counter value. If the counter is less than 110% of the license limit (using the calculation 1.1 x EPS License x 180), then FortiSIEM will continue to collect events. If you exceed 110% of your licensed EPS, events are dropped for the remainder of the three minute window, and an email notification is triggered. At the end of the three minute window the counter resets and resumes receiving events.
Statistic: Number of Devices
Calculation: Each entry in CMDB > Devices counts as one device. Exceptions to this are:
- Workstations
- Mobile Devices
- VoIP Phones
Notes: These devices are not counted against the number of devices that are licensed for your deployment.
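As an added illustration of the EPS calculation above (example code, not Fortinet's implementation), the following Python model replays a per-second event profile through the three-minute counter, the once-per-second check against 1.1 x EPS License x 180, the drop-for-the-rest-of-the-window behaviour, and the reset. The traffic profiles are constructed inputs, and treating a counter exactly at 110% as still within the limit is an assumption the guide does not settle.

```python
from typing import Dict, Sequence

# Added example, not Fortinet code: models the EPS license check described
# in the guide. Constructed traffic profiles stand in for a real event feed.

WINDOW_SECONDS = 180  # the three-minute counter window


class EpsLicenseWindow:
    """Per-window event counter plus the once-per-second license check."""

    def __init__(self, licensed_eps: int) -> None:
        self.licensed_eps = licensed_eps
        # 1.1 x EPS License x 180, computed in integers to avoid float rounding
        self.window_limit = licensed_eps * WINDOW_SECONDS * 11 // 10
        self.counter = 0        # events received in the current window
        self.elapsed = 0        # seconds elapsed in the current window
        self.dropping = False   # True once the limit was exceeded this window
        self.accepted = 0
        self.dropped = 0
        self.notifications = 0  # one e-mail notification per overage

    def tick(self, events: int) -> int:
        """Process one second of incoming events; returns how many were kept."""
        if self.dropping:
            # Overage already detected: drop for the remainder of the window.
            self.dropped += events
            kept = 0
        else:
            self.counter += events
            self.accepted += events
            kept = events
        self.elapsed += 1
        # The checker thread wakes once per second and compares the counter
        # against 110% of the licensed volume for the window. Events that
        # arrive within the same second as the check are still counted, so
        # the window can overshoot the limit by up to one second of traffic.
        # Assumption: a counter exactly at the limit has not "exceeded" it.
        if not self.dropping and self.counter > self.window_limit:
            self.dropping = True
            self.notifications += 1
        # At the end of the three-minute window the counter resets and
        # collection resumes.
        if self.elapsed == WINDOW_SECONDS:
            self.counter = 0
            self.elapsed = 0
            self.dropping = False
        return kept


def simulate(licensed_eps: int, per_second: Sequence[int]) -> Dict[str, int]:
    """Feed a per-second event profile through the check and summarise it."""
    window = EpsLicenseWindow(licensed_eps)
    for events in per_second:
        window.tick(events)
    return {
        "window_limit": window.window_limit,
        "accepted": window.accepted,
        "dropped": window.dropped,
        "notifications": window.notifications,
    }


if __name__ == "__main__":
    # Constructed profiles: a burst of 100 EPS against a 10 EPS license for one
    # window, and steady traffic at the licensed rate for two windows.
    print(simulate(10, [100] * 180))
    print(simulate(10, [10] * 360))
```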
FortiSIEM Event Categories and Handling
This topic provides a brief description of various types of event categories in FortiSIEM.
Event Categories
Category  Description                                                                  Counted in EPS License  phstatus -a output  Stored in DB?
0         External events, not flow events (e.g. syslog, SNMP Trap, Event pulling)     Yes                     EPS                 Yes
1         Incidents (events that begin with PH_RULE)                                   No                      EPS INTERNAL        Yes
2         FortiSIEM Audit Events (events that begin with PH_AUDIT)                     No                      EPS INTERNAL        Yes
3         FortiSIEM Internal system logs, free format                                  No                      EPS INTERNAL        Yes
4         External flow events (Netflow, Sflow)                                        Yes                     EPS                 Yes
5         FortiSIEM Internal health events for summary dashboards                      No                      EPS INTERNAL        Yes
6         FortiSIEM Performance Monitoring events (events that begin with PH_DEV_MON)  Yes                     EPS PERF            Yes
7         AO Beaconing events                                                          No                      EPS INTERNAL        Yes
8         FortiSIEM Real Time Performance Probe Events                                 No                      EPS INTERNAL        No
99        FortiSIEM Internal Rule Engine                                               No                      EPS INTERNAL        No
Event handling at various nodes
Running the "phstatus -a" command at various nodes provides the events handled by that node. The output shows the statistics as 3 min, 15 min and 30 min averages.
EPS: 3 Min: 26.19 15 Min: 30.36 30 Min: 28.85
EPS INTERNAL: 3 Min: 0.35 15 Min: 0.38 30 Min: 0.35
EPS PERF: 3 Min: 0.00 15 Min: 0.00 30 Min: 0.00
- If you run "phstatus -a" at a Collector, the output shows the events handled by that Collector
- If you run "phstatus -a" at a Worker, the output shows the events handled by that Worker, which includes events sent by devices directly to that Worker or events sent by Collectors
- If you run "phstatus -a" at a Supervisor, you get the aggregated view across all nodes
Reported EPS by events
The following events report EPS, which includes EPS (EXTERNAL) and EPS PERF, to be measured against the license:
1. PH_SYSTEM_EVENTS_PER_SEC: this reports EPS at an organization level
2. PH_SYSTEM_PERF_EVENTS_PER_SEC: this reports performance monitoring related EPS (counted against license)
3. PH_SYSTEM_INTERNAL_EVENTS_PER_SEC: this reports internal EPS (not counted against license)
4. PH_SYSTEM_IP_EVENTS_PER_SEC: this reports EPS at a device level
5. PH_SYSTEM_DEVAPP_EVENTS_PER_SEC: this reports EPS at a device level but also has vendor and model info
Changing Dashboard Theme
The UI page under Admin > General Settings contains fields that you can use to change the theme for widget
dashboards.
- My Dashboard
- Availability/Performance > Avail/Perf Widgets
- Biz Svc Dashboard
- Dashboards By Function
To do this:
1. Log in to your Supervisor node.
2. Go to Admin > General Settings > UI.
3. Select the Dashboard Theme you want to use, and then click Change.
4. Refresh the browser.
Global Setting
Currently the dark theme setting is a global setting - so all users would have the same theme.
Installing OS Security Patches
You may want to install OS level security patches to fix some recently found vulnerabilities.
First check whether the CVEs you are interested in have already been patched by the current FortiSIEM version.
You can do this by running the following command.
rpm --changelog -q httpd
To upgrade OS packages on Collectors, run the following command as root
/opt/phoenix/bin/phUpdateSystem.sh
To upgrade OS packages on Super/Workers, run the following command as root
yum -y --exclude=google-chrome-stable update
We use a headless chrome browser for STM but chrome is not supported by Google on CentOS6 or 7 platforms.
To upgrade that package to the latest version, we use a third party system.
Run the following commands as root on Super/Worker/Collector
sed --in-place -e 's/\(.*phsetosaccelops\)/#\1/' /var/spool/cron/root
yum reinstall -y centos-release
wget http://chrome.richardlloyd.org.uk/install_chrome.sh
chmod u+x install_chrome.sh
./install_chrome.sh
sed --in-place -e 's/^#\(.*phsetosaccelops\)/\1/' /var/spool/cron/root
Working with the Configuration Management Database (CMDB)
The Configuration Management Database (CMDB) contains:
- Discovered information about your IT infrastructure such as devices, networks, applications, and users
- Information derived from your discovered infrastructure, including network topology and inter-device relationships such as the relationship of WLAN Access Points to Controller, and Virtual Machines to ESX Hosts.
- Information about system objects such as rules, reports, business services, event types, networks, and ports/protocols
You can find and manage all this information under the CMDB tab.
- CMDB Categorization of Devices and Applications
- Overview of the CMDB User Interface
- Managing CMDB Objects
- Reporting on CMDB Objects
CMDB Categorization of Devices and Applications
- Categorization of Devices and Applications
- Examples
Categorization of Devices and Applications
FortiSIEM uses four methods to identify and categorize devices and applications in the CMDB.
From Discovery - Network Devices
When FortiSIEM discovers a device, it looks for keywords in the SNMP sysDescr attribute and also probes for the SNMP sysObjectID attribute. Internal tables are then used to map a discovered device to one or more CMDB device groups based on these attributes.
- Keywords from the sysDescr attribute are matched against the system table Device Vendor and Model
- Keywords from the sysObjectID attribute are matched against the system table Device Vendor and Model
- Matches from the Device Vendor and Model table are then matched against the ApprovedDeviceVendor.csv table that is used to create the categories in the CMDB Devices/Applications.
From Discovery - Applications
FortiSIEM discovers applications by discovering the processes that are running on a server. The table AppMapping.csv maps process names to Applications, Application Groups, and application folders in the CMDB.
From Logs
FortiSIEM includes a large number of log parsers, each of which is associated with a Device Vendor/Model and Application Vendor/Model. When the log is parsed by FortiSIEM, the Device/Application/Vendor information is matched against the table ApprovedDeviceVendor.csv, which then assigns the application or device to the appropriate CMDB Device/Application folder.
Special Cases
There are some special cases that cannot be categorized using discovery or log information. An example is Microsoft Active Directory. It is an application, but there is no explicit process for it, as it is part of the kernel or a big system service. In this case, specific logs are used: Windows Security logs 672, 673 to detect Microsoft Domain Controller 2000, 2003, and Windows Security logs 4768, 4769 to detect Microsoft Windows Domain Controller 2008, 2012.
Examples
Categorizing a Cisco IOS Router/Switch
This is an example of categorizing a device using discovery. In this case, the Cisco IOS substring in the SNMP sysDescr attribute is used to detect a Cisco IOS device:
[desktop]$ snmpwalk -v 2c -c public 192.168.20.1 sysDescr
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXI1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Sat 28-Mar-09 10:29 by pr
Then this entry in ApprovedDeviceVendor.csv maps the Device Vendor/Model Cisco IOS to the
Router/Switch category in the CMDB. PH_SYS_DEVICE_ROUTER_SWITCH is the internal ID of the category.
#id,Vendor,ModelOS,Version,Type,CMDB Folder Id,,Biz Service,Access Protocol,Parsed,Priority
301,Cisco,IOS,ANY,Appliance,PH_SYS_DEVICE_ROUTER_SWITCH,,,"TELNET,SSH",1,10
Categorizing Fortinet Firewalls
This is also an example of categorizing a device by discovery. In this case, the SNMPv2-SMI::enterprises.12356 substring in the SNMP sysObjectID attribute is used to detect a Fortinet Firewall device.
[desktop]$ snmpwalk -v 2c -c public 172.16.255.82 sysObjectID
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.12356.101.1.502
Then this entry in the ApprovedDeviceVendor.csv table maps the Device Vendor/Model Fortinet
FortiOS to the Firewall and Network IPS categories in the CMDB, since Fortinet is a UTM device. PH_SYS_
DEVICE_FIREWALL and PH_SYS_DEVICE_NETWORK_IPS are the internal IDs of the categories.
#id,Vendor,ModelOS,Version,Type,CMDB Folder Id,,Biz Service,Access Protocol,Parsed,Priority
21,Fortinet,FortiOS,ANY,Appliance,"PH_SYS_DEVICE_FIREWALL,PH_SYS_DEVICE_NETWORK_IPS,PH_SYS_DEVICE_SEC_GW",,PH_SYS_BizSrvc_FW,"TELNET,SSH",1,10
Categorizing Microsoft IIS
This is an example of categorizing an application based on a running process. In this case, SNMP discovers a
process svchost.exe with the path -k iissvcs.
[desktop]$ snmpwalk -v 2c -c public 192.168.0.10 | grep 1148
HOST-RESOURCES-MIB::hrSWRunIndex.1148 = INTEGER: 1148
HOST-RESOURCES-MIB::hrSWRunName.1148 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunParameters.1148 = STRING: "-k iissvcs"
This entry in the AppMapping.csv table is then used to map the process name svchost.exe with the path
name -k iissvcs to a Microsoft IIS application.
#Application group name,package signature,process name,process parameter,process Description,Priority,Ports,Group
Microsoft IIS,,svchost.exe,"-k iissvcs",Microsoft IIS,10,"http,https",PH_SYS_APP_WEB_SERVER,
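The three categorization paths described above (SNMP discovery attributes, a running process, and a parsed log's Device Vendor/Model) all end in the same two lookup tables. The following is an added example, not FortiSIEM code: it embeds the ApprovedDeviceVendor.csv and AppMapping.csv rows shown on this page as constructed excerpts, parses them with the '#'-header convention the page shows, and resolves a device or process to its CMDB folder IDs. The discovery signature table (sysDescr contains "Cisco IOS", sysObjectID contains "enterprises.12356") is an assumption limited to the two signatures this page describes; the real discovery engine's signature list is not shown here. The Domain Controller event-ID lookup implements the special case from the text.

```python
import csv
import io

# Constructed excerpts of the two mapping tables described above. The rows are
# the ones shown on this page; the "#"-prefixed header convention is copied
# from the page. Nothing else about the real FortiSIEM files is assumed.
APPROVED_DEVICE_VENDOR_CSV = """\
#id,Vendor,ModelOS,Version,Type,CMDB Folder Id,,Biz Service,Access Protocol,Parsed,Priority
301,Cisco,IOS,ANY,Appliance,PH_SYS_DEVICE_ROUTER_SWITCH,,,"TELNET,SSH",1,10
21,Fortinet,FortiOS,ANY,Appliance,"PH_SYS_DEVICE_FIREWALL,PH_SYS_DEVICE_NETWORK_IPS,PH_SYS_DEVICE_SEC_GW",,PH_SYS_BizSrvc_FW,"TELNET,SSH",1,10
11,Cisco,ASA,ANY,Appliance,"PH_SYS_DEVICE_FIREWALL,PH_SYS_DEVICE_VPN_GATEWAY",,"PH_SYS_BizSrvc_FW,PH_SYS_BizSrvc_VPN","TELNET,SSH",1,10
901,Microsoft,IIS,ANY,Application,"PH_SYS_DEVICE_WINDOWS_SERVER,PH_SYS_APP_WEB_SERVER",Microsoft IIS,,None,1,10
"""

APP_MAPPING_CSV = """\
#Application group name,package signature,process name,process parameter,process Description,Priority,Ports,Group
Microsoft IIS,,svchost.exe,"-k iissvcs",Microsoft IIS,10,"http,https",PH_SYS_APP_WEB_SERVER,
"""


def load_table(text):
    """Parse a mapping table: skip '#' header/comment lines, honour quoted commas."""
    return [row for row in csv.reader(io.StringIO(text))
            if row and not row[0].startswith("#")]


APPROVED = load_table(APPROVED_DEVICE_VENDOR_CSV)
APP_MAPPING = load_table(APP_MAPPING_CSV)

# Assumed discovery signatures: (SNMP attribute, substring, (Vendor, ModelOS)).
# Only the two signatures described on this page are included.
DISCOVERY_SIGNATURES = [
    ("sysDescr", "Cisco IOS", ("Cisco", "IOS")),
    ("sysObjectID", "enterprises.12356", ("Fortinet", "FortiOS")),
]


def cmdb_folders(vendor, model):
    """Look up the CMDB folder IDs for a Device Vendor/Model in ApprovedDeviceVendor.csv.

    The same lookup serves discovery and log-based categorization: a parser that
    sets Vendor/Model to Cisco/ASA lands in the same row either way.
    """
    for row in APPROVED:
        if row[1] == vendor and row[2] == model:
            return row[5].split(",")
    return []


def categorize_device(sys_descr="", sys_object_id=""):
    """Categorize a discovered device from its SNMP sysDescr / sysObjectID."""
    attrs = {"sysDescr": sys_descr, "sysObjectID": sys_object_id}
    for attr, needle, (vendor, model) in DISCOVERY_SIGNATURES:
        if needle in attrs[attr]:
            return cmdb_folders(vendor, model)
    return []


def categorize_process(name, params):
    """Map an hrSWRunName / hrSWRunParameters pair to an application via AppMapping.csv."""
    for row in APP_MAPPING:
        if row[2] == name and row[3] == params:
            return {"application": row[0], "ports": row[6].split(","), "group": row[7]}
    return None


# Special case from the text: Active Directory has no distinctive process, so a
# Domain Controller is recognised from Windows Security event IDs instead.
DC_EVENT_IDS = {672: "2000/2003", 673: "2000/2003", 4768: "2008/2012", 4769: "2008/2012"}


def domain_controller_version(event_id):
    """Return the Windows Domain Controller generation implied by a Security event ID."""
    return DC_EVENT_IDS.get(event_id)


if __name__ == "__main__":
    print(categorize_device(sys_descr="Cisco IOS Software, s72033_rp Software"))
    print(categorize_device(sys_object_id="SNMPv2-SMI::enterprises.12356.101.1.502"))
    print(categorize_process("svchost.exe", "-k iissvcs"))
    print(cmdb_folders("Cisco", "ASA"))
    print(domain_controller_version(4768))
```

Because the CSV rows carry a comma-separated list inside one quoted field, the table must be read with a real CSV parser rather than a plain split on commas; the Fortinet row would otherwise be cut at the first comma inside the folder list.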
Categorizing Cisco ASA
This is an example of categorizing a device based on logs. The Cisco ASA parser has a Device Vendor/Model
associated with it, and when a log from the Cisco ASA device is parsed by FortiSIEM, this entry in
ApprovedDeviceVendor.csv maps the Device Vendor/Model Cisco ASA to the Firewall and VPN
Gateway categories in the CMDB. PH_SYS_DEVICE_FIREWALL and PH_SYS_DEVICE_VPN_GATEWAY
are the internal IDs of these categories.
#id,Vendor,ModelOS,Version,Type,CMDB Folder Id,,Biz Service,Access Protocol,Parsed,Priority
11,Cisco,ASA,ANY,Appliance,"PH_SYS_DEVICE_FIREWALL,PH_SYS_DEVICE_VPN_GATEWAY",,"PH_SYS_BizSrvc_FW,PH_SYS_BizSrvc_VPN","TELNET,SSH",1,10
Categorizing Microsoft IIS
This is an example of categorizing an application based on logs. The Microsoft IIS (via Snare) parser has a Device
Vendor/Model associated with it, and when a log from Microsoft IIS is processed by FortiSIEM, this entry in
ApprovedDeviceVendor.csv maps the Device Vendor/Model Microsoft IIS to the Windows Server and
Web Server categories in the CMDB. PH_SYS_DEVICE_WINDOWS_SERVER and PH_SYS_APP_WEB_SERVER
are the internal IDs of these categories.
#id,Vendor,ModelOS,Version,Type,CMDB Folder Id,,Biz Service,Access Protocol,Parsed,Priority
901,Microsoft,IIS,ANY,Application,"PH_SYS_DEVICE_WINDOWS_SERVER,PH_SYS_APP_WEB_SERVER",Microsoft IIS,,None,1,10
Overview of the CMDB User Interface
While the Summary and Widget dashboard views of your IT infrastructure provide real-time monitoring and
reporting on your IT infrastructure, the CMDB view provides more in-depth detail about devices, applications,
users, and other IT infrastructure components as they are listed in the CMDB, as well as the ability to manage
these objects.
- Tab Overview
- Inventory Management and Edit Details Controls
- User Interface Controls for Device View
- Data Collection Status
Tab Overview
This screenshot shows the Device view of the CMDB tab with Devices selected in the Device View of the IT
infrastructure hierarchy. For any type of object you select in the hierarchy, the CMDB will load a Summary view
of the objects in the top pane, and Details for any individual object you select from the summary in the bottom
pane. While the available details will change depending on the type of object you select, all objects in the CMDB
view will have Inventory Management controls in the summary pane, and an Edit Details control in the Details
pane.
Inventory Management and Edit Details Controls
UI Control - Description

New
  Add a new object to the CMDB.
  Manually Adding Devices to the CMDB: In most cases you will want to add devices to the CMDB through the
  device discovery process, but there are some situations in which you may want to add them manually, as
  described in Adding Devices to the CMDB Outside of Discovery and Adding a Synthetic Monitoring Test to a
  Business Service.

Delete
  Delete a selected object from the CMDB.

Edit
  Edit details about the selected object. You can also use the Edit Details button in the Details pane for the
  same purpose. You can also set device-specific properties to use in defining per-device thresholds.
User Interface Controls for Device View
The view of devices in the CMDB provides you with a number of ways to access information about a device.
Some of the device user interface controls in the CMDB view you can also find in the dashboard summary view of
devices, such as the Analysis menu and the Quick Info view of a device.
UI Control - Description

Views
  - Inventory: A summary of all devices of that type in the CMDB
  - Topo: Shows all devices of the selected type in a topology view
  - Performance: Shows a Performance Summary dashboard for all devices of that type

IP Management
  Hover your mouse cursor over the IP address associated with a device to open the IP Management menu.
  - Quick Info: Loads the Quick Info for the device, which you can also see by selecting Quick Info in the
    Analysis menu
  - Topology: Shows the device's location in the network topology, which you can also see by clicking the
    Topology button in the device Details pane
  - Show Real-Time events on this IP: Loads a Real Time Search with the selected IP address in the search
    criteria
  - Show Events on this IP for the Past 5 Minutes: Loads a Historical search with the selected IP address in
    the search criteria and the Time filter set to Last 5 Mins
  - Add to WatchList: Add that IP address to a WatchList

More
  - Location: Displays any location information associated with the device
  - ChangeOrg: For multi-tenant deployments, change the organization associated with the device
  - Impacted Org: Shows organizations that device is associated with
  - Maintenance: Displays the maintenance schedule for the device
  - Export General Info: Exports a summary view of selected devices, or a detailed view of information for a
    specific device, in PDF or CSV format
  - Approve: Approve any newly-discovered devices

Analysis
  The Analysis menu contains a number of options for component analytics, depending on the component
  selected. See Using the Analysis Menu for more information. You can also access the Analysis menu for a
  component by hovering your mouse over the component's Device IP menu until the blue Quick Info icon
  appears, and then clicking the icon.
Quick Info
  The Quick Info view of a device, which you can also access through the Analysis menu or by hovering your
  mouse cursor over the Device IP column, displays General and Health information for the device, and when
  appropriate, Identity and Location information. It also contains links to additional information about the
  device:
  - Incidents: An exportable summary of incidents associated with the device
  - Health: Availability, Performance, and Security health information for the device. You can also access
    this information by clicking the Device Health user interface control, or by selecting Device Health in
    the Analysis menu.
  - BizService: Any business services impacted by the device. You can also access this information by
    selecting Impacted Business Services in the Analysis menu.
  - Applications: Displays a report on the top 10 applications associated with the device by Average CPU
    Utilization over the past hour
  - Vulnerability and IP Status (Not used in the Dashboard view): Displays the vulnerability status reports
    that are also available by selecting Vulnerability and IPS Status in the Analysis menu
  - Hardware Health (Used only for the CMDB/Storage view): Displays health information for the hardware
    being used for storage
  - Interfaces: Displays a report on the top 10 interfaces associated with the device by average throughput
  - Topology: Shows the device's location in the network topology. You can also access this information by
    selecting Topology in the Analysis menu.
  The Quick Info view also contains two links, Goto Config Item, which links to the device entry in the CMDB,
  and Goto Identity, which links to Analytics > Identity and Location Report, where you can edit this
  information for the device.
Device Info
  Each tab contains information about a specific aspect of the device, as well as an Edit button to change
  information:
  - Summary: General organizational and operational information about the device
  - Health: Availability, Performance, and Security health reports for the device. You can also access this
    information by selecting a device in the Summary dashboard and then clicking Health, or by going to
    Quick Info > Health after selecting the device. If any Incidents are displayed, click the number to view
    the Incident Summary. Depending on the reported metric, you can zoom in for a closer look at graphs and
    reports by clicking the Magnifying Glass icon that appears when you hover your mouse cursor over them.
  - Monitor: Shows Event Receive Status and Performance Monitor Status - when data was last collected and
    status
  - Contact: Contact information for the device
  - Interfaces: Interfaces connected to the device
  - Software: Software running on the device. Categories include Installed Software, Running Applications,
    Windows Services, and Installed Patches. In the Installed Software category you can use the Diff...
    button to compare different versions of software you've installed.
  - Hardware: Information about the hardware associated with the device. Categories include Processors,
    Storage, SAN Storage, System BIOS, Components, SAN Ports, RAID Groups, LUNs, and Storage Groups.
  - Configuration: Configuration files associated with the device. You can compare configuration files by
    selecting two or more, and then clicking Diff...
  - Relationships: Other devices that this device interacts with
  - Topology: Shows the selected device in the Topology view

Edit Details
  Click to edit the Summary, Contact Info, Interfaces, and Properties for the device
Data Collection Status
Real time data collection status is shown for each device.
- Performance Monitor Status
  - Normal - if every performance monitor job status for this device is Normal
  - Warning - if at least one performance monitor job status for this device is Warning and none is Critical
  - Critical - if at least one performance monitor job status for this device is Critical
- Event Receive Status
  - Normal - if the event receive status of every protocol for this device is Normal
  - Warning - if the event receive status of at least one protocol for this device is Warning and none is
    Critical
  - Critical - if the event receive status of at least one protocol for this device is Critical
Performance Monitor Job Status is computed as follows. Two global constants are defined in Admin
> Device Support > Custom Properties.
1. Performance Monitoring Time Gap Warning Threshold - multiples of polling interval (default 3)
2. Performance Monitoring Time Gap Critical Threshold - multiples of polling interval (default 5)
Event Receive Job Status is computed as follows. Two global constants are defined in Admin >
Device Support > Custom Properties.
1. Event Receive Time Gap Warning Threshold in minutes (default 10)
2. Event Receive Time Gap Critical Threshold in minutes (default 20)
These constants can also be specified at a per device level from CMDB > Device > Bottom pane
Edit > Properties. Write new values for these thresholds in the edit box and click Save.
Metric | Status | Condition
Performance Monitor Job Status | Normal | Performance Monitoring Time Gap LESS THAN Performance Monitoring Time Gap Warning Threshold
Performance Monitor Job Status | Warning | Performance Monitoring Time Gap GREATER THAN Performance Monitoring Time Gap Warning Threshold BUT LESS THAN Performance Monitoring Time Gap Critical Threshold
Performance Monitor Job Status | Critical | Performance Monitoring Time Gap GREATER THAN Performance Monitoring Time Gap Critical Threshold
Event Receive Job Status | Normal | Event Receive Time Gap LESS THAN Event Receive Time Gap Warning Threshold
Event Receive Job Status | Warning | Event Receive Time Gap GREATER THAN Event Receive Time Gap Warning Threshold BUT LESS THAN Event Receive Time Gap Critical Threshold
Event Receive Job Status | Critical | Event Receive Time Gap GREATER THAN Event Receive Time Gap Critical Threshold
The following table shows how the various job types are classified into Performance Monitor or Event
Receive types.

Job Type | Classification in CMDB > Device > Monitor
Jobs defined in Admin > Setup wizard > Monitor Change/performance | Performance Monitor
Jobs defined in Admin > Setup wizard > Pull Events (e.g. | Event Receive
Protocols via which data is pushed to us - syslog, SNMP Trap, Netflow, SFlow, Windows Agents etc | Event Receive
The following rules trigger when certain data collection exceptions happen.

Rule | When does it trigger? | When does it clear?
Missing specific performance metric from a device | Triggers when Performance Monitor is Critical for one job for a monitored device | Clears when Performance Monitor is Normal for that job from that device
No performance metrics from a device | Triggers when Performance Monitor is Critical for ALL jobs for a monitored device | Clears when Performance Monitor is Normal for all jobs from that device
FortiSIEM Performance Monitoring Relay Not Working - All Devices delayed | Triggers when Performance Monitor is Critical for all devices monitored by a Worker/Collector (that is acting as a Performance Monitoring Relay) | Clears when Performance Monitor is Normal for all devices from that Worker/Collector
No logs from a device | Triggers when Event Receive Job Status is Critical for one device | Clears when Event Receive Job Status is Normal for that device
FortiSIEM Log Relay Not Working - All Devices delayed | Triggers when Event Receive Job Status is Critical for all devices to a specific Worker/Collector (that is acting as a Log Relay) | Clears when Event Receive Job Status is Normal for all devices from that Worker/Collector
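The threshold table and the rule table above describe one pipeline: a time gap becomes a job status, job statuses roll up to a device status, and the rules fire on device and relay aggregates. The following is an added example, not FortiSIEM code, that walks that pipeline over a constructed snapshot of three devices. The default thresholds are the ones stated on this page; the device names, relay names, polling interval and gaps are constructed. The page does not say which status applies when a gap is exactly equal to a threshold, so treating equality as the worse status is an assumption made in the code and marked there.

```python
# Constructed example, not FortiSIEM code: computes the job and device status
# levels described above from observed collection gaps, then evaluates the
# data-collection rules over a small constructed set of devices.

NORMAL, WARNING, CRITICAL = "Normal", "Warning", "Critical"
SEVERITY = {NORMAL: 0, WARNING: 1, CRITICAL: 2}

# Global defaults stated on this page (Admin > Device Support > Custom Properties).
# Performance thresholds are multiples of the polling interval; event-receive
# thresholds are minutes.
PERF_WARN_MULT, PERF_CRIT_MULT = 3, 5
EVENT_WARN_MIN, EVENT_CRIT_MIN = 10, 20


def perf_job_status(gap_seconds, polling_interval_seconds,
                    warn_mult=PERF_WARN_MULT, crit_mult=PERF_CRIT_MULT):
    """Performance Monitor Job Status from the time gap since the last sample.

    The page does not say which status applies when the gap equals a threshold;
    treating equality as the worse status is an assumption made here.
    """
    if gap_seconds >= crit_mult * polling_interval_seconds:
        return CRITICAL
    if gap_seconds >= warn_mult * polling_interval_seconds:
        return WARNING
    return NORMAL


def event_job_status(gap_minutes, warn_min=EVENT_WARN_MIN, crit_min=EVENT_CRIT_MIN):
    """Event Receive Job Status for one protocol from minutes since the last event."""
    if gap_minutes >= crit_min:
        return CRITICAL
    if gap_minutes >= warn_min:
        return WARNING
    return NORMAL


def device_status(job_statuses):
    """Roll per-job statuses up to the device: Critical if any job is Critical,
    Warning if any is Warning and none is Critical, otherwise Normal."""
    statuses = list(job_statuses)
    return max(statuses, key=SEVERITY.get) if statuses else NORMAL


def evaluate_rules(devices):
    """Return {rule name: sorted devices or relays it fires for}.

    `devices` maps a device name to {"relay": worker/collector name,
    "perf_jobs": {job: status}, "event_protocols": {protocol: status}}.
    """
    fired = {}

    def add(rule, who):
        fired.setdefault(rule, []).append(who)

    by_relay = {}
    for name, dev in devices.items():
        by_relay.setdefault(dev["relay"], []).append(name)
        perf = list(dev["perf_jobs"].values())
        if any(s == CRITICAL for s in perf):
            add("Missing specific performance metric from a device", name)
        if perf and all(s == CRITICAL for s in perf):
            add("No performance metrics from a device", name)
        if device_status(dev["event_protocols"].values()) == CRITICAL:
            add("No logs from a device", name)

    # Relay rules: every device behind a Worker/Collector is Critical at once.
    for relay, names in by_relay.items():
        if all(device_status(devices[n]["perf_jobs"].values()) == CRITICAL for n in names):
            add("FortiSIEM Performance Monitoring Relay Not Working - All Devices delayed", relay)
        if all(device_status(devices[n]["event_protocols"].values()) == CRITICAL for n in names):
            add("FortiSIEM Log Relay Not Working - All Devices delayed", relay)
    return {rule: sorted(who) for rule, who in fired.items()}


def sample_devices():
    """Constructed status snapshot; every performance job polls every 300 s."""
    interval = 300
    return {
        "core-switch-1": {
            "relay": "collector-A",
            "perf_jobs": {"SNMP CPU": perf_job_status(200, interval),          # Normal
                          "SNMP Interface": perf_job_status(1200, interval)},  # Warning (4x)
            "event_protocols": {"syslog": event_job_status(3)},               # Normal
        },
        "fw-edge-1": {
            "relay": "collector-A",
            "perf_jobs": {"SNMP CPU": perf_job_status(2000, interval)},       # Critical
            "event_protocols": {"syslog": event_job_status(45),               # Critical
                                "SNMP Trap": event_job_status(12)},           # Warning
        },
        "win-dc-1": {
            "relay": "collector-B",
            "perf_jobs": {"WMI CPU": perf_job_status(1800, interval),         # Critical
                          "WMI Disk": perf_job_status(1500, interval)},       # Critical (5x, boundary)
            "event_protocols": {"Windows Agent": event_job_status(25)},       # Critical
        },
    }


if __name__ == "__main__":
    for rule, who in evaluate_rules(sample_devices()).items():
        print(rule, "->", ", ".join(who))
```

In the sample, collector-A does not trip a relay rule because core-switch-1 is only at Warning, while collector-B does, since its single device is Critical for both performance and event receipt; a relay rule firing for a collector with one device is therefore indistinguishable from that one device going silent, which is worth keeping in mind when triaging these incidents.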
Managing CMDB Objects
CMDB objects include discovered devices and their network relationships, as well as system objects like rules and
events. You can find the full list of these objects in the Device View of the CMDB tab, and you can add objects
to the database or edit ones that are already there.
- Anonymity Networks and Groups
- Applications
- Blocked Domains
- Blocked IP Addresses
- Blocked URLs
- Blocked Processes
- Country Groups
- Creating CMDB Groups and Adding Objects to Them
- Default Passwords
- Devices
- Event Types
- Malware Hashes
- Networks
- Protocols
- User Agents
- Users
- Watch Lists
Anonymity Networks and Groups
An anonymity network is used to hide one's network identity, and is typically used by malware to hide its
originating IP address. Enterprise network traffic should not originate from or be destined to anonymity networks.
When FortiSIEM discovers traffic destined to or originating from anonymity networks, it triggers these rules:
- Inbound Traffic from Tor Network
- Outbound Traffic to Tor Network
- Inbound Traffic from Open Proxies
- Outbound Traffic to Open Proxies
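The four rules above reduce to one check on each flow: is either endpoint a member of an anonymity network group, and is the other endpoint ours? The following is an added example, not FortiSIEM code, of that check run over constructed firewall-style log lines. The internal address ranges, the group membership (documentation-range addresses standing in for Tor exit nodes and an open proxy) and the key=value log layout are all assumptions made for the example; in FortiSIEM the group contents come from the CMDB groups described in this section.

```python
import ipaddress
import re

# Constructed example, not FortiSIEM code. Anonymity-network group membership
# and the internal address ranges below are assumed sample values.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

ANONYMITY_GROUPS = {
    "Tor Network": {"198.51.100.10", "203.0.113.25"},   # constructed exit-node IPs
    "Open Proxies": {"192.0.2.77"},                      # constructed open proxy
}

# Constructed firewall-style log lines carrying source/destination addresses.
SAMPLE_LOGS = [
    "src=10.1.4.20 dst=203.0.113.25 dport=9001 action=accept",
    "src=198.51.100.10 dst=192.168.7.5 dport=443 action=accept",
    "src=10.1.4.21 dst=192.0.2.77 dport=8080 action=accept",
    "src=10.1.4.22 dst=93.184.216.34 dport=443 action=accept",
    "src=203.0.113.25 dst=198.51.100.10 dport=443 action=accept",  # neither side internal
]

KV_RE = re.compile(r"\b(src|dst)=([0-9a-fA-F.:]+)")


def parse_endpoints(line):
    """Extract (src, dst) from a key=value log line; None if either is missing or invalid."""
    found = dict(KV_RE.findall(line))
    try:
        return (str(ipaddress.ip_address(found["src"])),
                str(ipaddress.ip_address(found["dst"])))
    except (KeyError, ValueError):
        return None


def is_internal(ip):
    """True when the address falls inside one of the assumed enterprise ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def match_rule(src, dst, groups=ANONYMITY_GROUPS):
    """Name the rule a flow would trigger: inbound if the source is an anonymity
    node and the destination is ours, outbound if the reverse. Flows where
    neither endpoint is internal are not enterprise traffic and are ignored."""
    for group, members in groups.items():
        if src in members and is_internal(dst):
            return "Inbound Traffic from " + group
        if dst in members and is_internal(src):
            return "Outbound Traffic to " + group
    return None


def scan_logs(lines):
    """Return (line, rule) for every line that matches an anonymity-network rule."""
    hits = []
    for line in lines:
        endpoints = parse_endpoints(line)
        if endpoints is None:
            continue
        rule = match_rule(*endpoints)
        if rule:
            hits.append((line, rule))
    return hits


if __name__ == "__main__":
    for line, rule in scan_logs(SAMPLE_LOGS):
        print(rule, "<-", line)
```

The internal-range test is what keeps the last sample line quiet: a flow between two external addresses that happens to pass through a sensor is not enterprise traffic, and alerting on it would only add noise to the four rules.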
Adding an Anonymity Network
1. Log into your Supervisor node.
2. Go to CMDB > Anonymity Networks.
3. Create a group to add the new network to if you are not adding it to an existing group.
   System-Defined Anonymity Network Groups: FortiSIEM provides two default groups for Anonymity Networks:
   - Open Proxies: A set of open proxies in the internet. This is a static group.
   - Tor Nodes: This group is dynamically updated from https://check.torproject.org/exit-addresses. You can
     schedule regular updates for this group by clicking on the group name, then clicking Update and providing
     update scheduling information.
4. Click Anonymity Network.
5. Select the group where you want to add the anonymity network.
6. Click New.
7. Enter IP, Port, and Country information about the anonymity network.
8. Click the Calendar icon to enter the date you created or updated this entry.
9. Click Save.
Adding Anonymity Networks to a Group with a CSV File
Instead of manually adding anonymity networks to a group individually, you can upload a CSV file with multiple
entries to the group by selecting the group and then clicking Upload. You will need to format the file with these
fields:
IP Address,Port,Country,Last Update Time and Date
For example:
99.99.99.99,,USA,10:00:00 10/02/2014
Adding Anonymity Networks to Watch Lists
You can easily add an anonymity network IP address to your watch lists. Hover your mouse cursor over the
anonymity network IP address until the icon for the Options menu appears, and then select Add to Watchlist.
Setting Up an External Data Source for Anonymity Networks
This topic describes how to import anonymity network information into FortiSIEM from external threat feed
websites. Anonymity networks are used by malware to hide their own identity. Two prominent examples of
anonymity networks are Open Proxies and TOR Nodes.
- Prerequisites
- Procedure
Prerequisites
Before proceeding, gather the following information about a threat feed website.
- The website URL
- Credentials required to access the website (optional)
- If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by
  the URL.
  - If the data is in comma separated value format (the separator need not be a comma but could be any
    separator), then a simple integration is possible.
  - If the data is in any other format, e.g. XML, then some code needs to be written for integration using the
    FortiSIEM provided framework.
Procedure
Websites with built-in support
The following websites are supported:
- Threat Stream Open Proxy (https://api.threatstream.com)
- Threat Stream TOR Node (https://api.threatstream.com)
To import data from these websites, follow these steps:
1. In CMDB > Anonymity Network, find the website you need to import data from.
2. Select the folder.
3. Click Update.
4. Select Update via API. The link should show in the edit box.
5. Enter a schedule by clicking on the "+" icon.
6. Enter the schedule parameters - when to start and how often to import. FortiSIEM recommends no more frequent
than hourly.
7. Select the type of template you want to create.
Custom websites - CSV data - one-time manual import
This requires that the data to be imported is already in a file in comma separated value format. The required
format is:
IP, Port, Malware Type, Confidence, Severity, Asn, Org, Country, Description, Date
Found(MM/DD/YYYY), Last Seen(MM/DD/YYYY)
Although many fields are possible, only IP is required.
1. Select CMDB>Anonymity Network.
2. Click on the "+" button on the left navigation tree to bring up the Create New Anonymity Network Group
dialog.
3. Enter Group and add Description. Click OK to create the folder under Anonymity Networks.
4. Select the folder just created.
5. Select Import from a file.
6. Click Browse; enter the file name and click Upload.
7. The imported data will show on the right pane.
Custom websites - CSV data - programmatic import
This requires that the website data is:
- a file in comma separated value format (the separator can be any special character such as space, tab, hash,
  dollar, etc.)
- one entry per line
Note: Although many fields are possible, only the IP is required.
Follow these steps.
1. Select CMDB > Anonymity Networks.
2. Click on the "+" button on the left navigation tree to bring up the Create New Anonymity Network Group
dialog.
3. Enter Group and add Description. Click OK to create the folder under Anonymity Networks.
4. Select the folder just created.
5. Select Update via API.
6. For Website, click Add.
7. In the Data Mapping dialog:
   a. Enter the URL of the website.
   b. Enter User Name and Password (optional).
   c. For Plugin class, the default class
      com.FortiSIEM.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not
      modify this for this case.
   d. Enter the correct Field separator (by default it is a comma).
   e. Select CSV as the Data Format.
   f. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website
      data. For example, if the IP is in the third position, then choose 3 in the Position column.
   g. Click Save.
8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often
to import to get new data from the website.
9. The imported data will show on the right pane after some time.
New Websites - non-CSV data - programmatic import
This is the most general case, where the website data format does not satisfy the previous conditions. In this
case, the user has to write a Java plugin class by modifying the default system-provided one. After the class has
been written and fully tested for correctness, follow these steps.
1. Select CMDB>Anonymity Networks.
2. Click on the "+" button on the left navigation tree to bring up the Create New Anonymity Network Group
dialog.
3. Enter Group and add Description. Click OK to create the folder under Anonymity Networks.
4. Select the folder just created.
5. Select Update via API
6. For Website, Click Add.
7. In the Data Mapping dialog:
a. Enter the URL of the website
b. Enter User Name and Password (optional)
c. For Plugin class, the custom Java class for this case.
d. Enter the correct Field separator (by default it is a comma)
e. Select CSV as the Data Format
f. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website
data. For example if the IP address is in third position, then choose 3 in the Position column.
g. Click Save
8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often
to import to get new data from the website.
9. The imported data will show on the right pane after some time.
Applications
Applications in the CMDB are grouped at the highest level by Infrastructure and User apps, with further
subcategorization in each of those two categories.
Adding an Application
1. Log in to your Supervisor node.
2. Go to CMDB > Applications.
3. Create a new application group or select an existing one.
4. Click New.
5. Enter an Application Name and Process.
6. Enter any other information for the application.
7. Click Save.
Malware Domains
The CMDB Malware Domains page lists domains that are known to generate spam, host botnets, create DDoS
attacks, and generally contain malware. The three default groups included in your FortiSIEM
deployment, MalwareDomainList, Zeus Domains, and SANS Domains, contain malware domains that are
derived from the websites malwaredomainlist.com, zeustracker.abuse.ch, and isc.sans.edu. Because malware
domains are constantly shifting, FortiSIEM recommends maintaining a dynamically generated list of IP
addresses provided by services such as these that is updated on a regular schedule, but you can also add or
remove blocked IP addresses from these system-defined groups, and create your own groups based on manual
entry of IP addresses or file upload.
Updating System Defined Malware Domain Groups
System defined groups are MalwareDomainList, Zeus Domains, and SANS Domains, which are updated by
their corresponding services. You can set these to update automatically on a schedule, or add or remove
individual IP addresses from them.
Setting Schedule
1. Log in to your Supervisor node.
2. Click CMDB.
3. Select a system-defined group.
4. Click Update.
5. Select Update Automatically to open the update scheduler and verify the URI of the update service.
6. Set the schedule for how often you want the list to update from the service.
7. Click Save.
Adding/Removing entries
1. If you want to remove a domain or set of domains from the group, clear the Enable selection next to the domain
name, and then click Continue to confirm. The domain will still be listed in the group, but it will no longer be
blocked. Select Enable to resume blocking it.
2. If you want to add a blocked domain to the group, make sure the group is selected, click New, and enter
information about the blocked IP address.
Changing to STIX/TAXII
If the system defined threat feeds are available via STIX/TAXII, then check the STIX/TAXII box.
Manually Creating Blocked Domains and Groups
1. Create a group under Blocked Domains as described in Creating CMDB Groups and Adding Objects to Them.
2. Select the group you created and click New.
3. Enter information for the Blocked Domain you want to add, and then click Save.
Adding Blocked Domains to a Group with a CSV File
Instead of manually adding a blocked domain to a user-defined or system group individually, you can upload a
CSV file with multiple entries to the group by selecting the group, clicking Update, and then selecting Import
Manually. You will need to format the file with these fields:
#domain,malware name,date(MM/DD/YYYY),IP,Reverse IP lookup,ASN
For example:
t3tr.co.cc,Blackhole exploit kit,1/23/2011,173.201.33.90,ip-173-201-33-90.ip.secureserver.net.,26496
sq2s.co.cc,Blackhole exploit kit,1/23/2011,173.201.33.90,ip-173-201-33-90.ip.secureserver.net.,26496
Custom Malware Domain Threat Feed
This topic describes how to import malware domain information into FortiSIEM from external threat feed
websites.
- Pre-requisites
- Threat feed websites with built-in support
- Custom threat feed websites - CSV data - one-time manual import
- Custom threat feed websites - CSV data - programmatic import
- Custom threat feed websites - non-CSV data - programmatic import
- Custom threat feed websites - STIX formatted data and TAXII import
Pre-requisites
Before proceeding, gather the following information about a threat feed website.
- The website URL
- Credentials required to access the website (optional)
- If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by
  the URL.
  - If the data is in comma separated value format (the separator need not be a comma but could be any
    separator), then a simple integration is possible.
  - If the data is in any other format, e.g. XML, then some code needs to be written for integration using the
    FortiSIEM provided framework.
Threat feed websites with built-in support
The following websites are supported:
- Malware domain list (http://www.malwaredomainlist.com)
- Zeus domains (https://zeustracker.abuse.ch)
- SANS Domains (https://isc.sans.edu/feeds/)
- Threat Stream Domains (https://api.threatstream.com)
- Hail-A-TAXII Domains (http://hailataxii.com/)
For Threat Stream, the following malware domain types are included:
- Command and Control Domain
- Compromised Domain
- Malware Domain
- Dynamic DNS Domain
- APT Domain
To import data from these websites, follow these steps:
1. In CMDB > Malware Domains, find the website you need to import data from.
2. Select the folder.
3. Click Update.
4. Select Update via API. The link should show in the edit box.
5. Enter a schedule by clicking on the "+" icon.
6. Enter the schedule parameters - when to start and how often to import. FortiSIEM recommends no more frequent
than hourly.
7. Select the type of template you want to create.
Custom threat feed websites - CSV data - one-time manual import
This requires that the data to be imported is already in a file in comma separated value format. The required
format is:
Domain Name, IP, Reverse Lookup, Malware Type, Confidence, Severity, ASN, Org,
Country, Description, Date Found(MM/DD/YYYY), Last Seen(MM/DD/YYYY)
Although many fields are possible, only the Domain Name is required.
1. Select CMDB>Malware Domains.
2. Click on the "+" button on the left navigation tree to bring up the Create New Malware Domain Group dialog.
3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
4. Select the folder just created.
5. Select Import from a file.
6. Click Browse; enter the file name and click Upload.
7. The imported data will show on the right pane.
Custom threat feed websites - CSV data - programmatic import
This requires that the website data is:
- a file in comma separated value format (the separator can be any special character such as space, tab, hash,
  dollar, etc.)
- one entry per line
Although many fields are possible, only the Domain Name is required.
Follow these steps.
1. Select CMDB>Malware Domains.
2. Click on the "+" button on the left navigation tree to bring up the Create New Malware Domain Group dialog.
3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
4. Select the folder just created.
5. Select Update via API.
6. For Website, Click Add.
7. In the Data Mapping dialog:
a. Enter the URL of the website
b. Enter User Name and Password (optional)
c. For Plugin class, the default class
com.FortiSIEM.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not
modify this for this case.
d. Enter the correct Field separator (by default it is a comma)
e. Select CSV as the Data Format
f. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website
data. For example if the domain name is in third position, then choose 3 in the Position column.
g. Click Save.
8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
9. The imported data will show on the right pane after some time.
Custom threat feed websites - non-CSV data - programmatic import
This is the most general case, where the website data format does not satisfy the previous conditions. In this case, the user has to write a Java plugin class by modifying the default system-provided one. Follow the instructions in the FortiSIEM ServiceAPI, available at the FortiSIEM support portal under the FortiSIEM ServiceAPI section. After the class has been written and fully tested for correctness, follow these steps.
1. Select CMDB>Malware Domains.
2. Click on the "+" button on the left navigation tree to bring up the Create New Malware Domain Group dialog.
3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
4. Select the folder just created.
5. Select Update via API.
6. For Website, Click Add.
7. In the Data Mapping dialog:
a. Enter the URL of the website.
b. Enter User Name and Password (optional).
c. For Plugin class, choose the custom Java class for this case.
d. Enter the correct Field separator (by default it is a comma).
e. Select CSV as the Data Format.
f. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website
data. For example if the domain name is in third position, then choose 3 in the Position column.
g. Click Save.
8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
9. The imported data will show on the right pane after some time.
Custom threat feed websites - STIX formatted data and TAXII import
In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.
1. Select CMDB>Malware Domains.
2. Click on the "+" button on the left navigation tree to bring up the Create New Malware Domain Group dialog.
3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
4. Select the folder just created.
5. Select Update via API.
6. For Website, Click Add.
7. In the Data Mapping dialog:
a. Enter the URL of the website.
b. Enter User Name and Password (optional).
c. For Plugin class, choose STIX-TAXII and Full.
d. Click Save.
8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
9. The imported data will show on the right pane after some time.
Blocked IP Addresses
The CMDB Blocked IP Addresses page lists IP addresses that are known to generate spam, host botnets,
create DDoS attacks, and generally contain malware. The two default groups included in your FortiSIEM
deployment, Emerging Threats and Zeus, contain IP addresses that are derived from the websites
rules.emergingthreats.net and zeustracker.abuse.ch. Because malware IP addresses are constantly shifting,
FortiSIEM recommends maintaining a dynamically generated list of IP addresses provided by services such as
these that is updated on a regular schedule, but you can also add or remove blocked IP addresses from these
system-defined groups, and create your own groups based on manual entry of IP addresses or file upload.
Updating System-Defined Blocked IP Groups
System defined groups are Emerging Threats and Zeus, which are updated by their corresponding services.
You can set these to update automatically on a schedule, or add or remove individual IP addresses from them.
1. Log in to your Supervisor node.
2. Click CMDB.
3. Select a system-defined group.
4. Click Update.
5. Select Update Automatically to open the update scheduler and verify the URI of the update service.
6. Set the schedule for how often you want the list to update from the service.
7. Click Save.
8. If you want to remove an IP address or set of IP addresses from the group, clear the Enable selection next to the IP address, and then click Continue to confirm.
The IP address will still be listed in the group, but it will no longer be blocked. Select Enable to resume blocking it.
9. If you want to add a blocked IP address to the group, make sure the group is selected, click New, and enter information about the blocked IP address.
Manually Creating Blocked IP Addresses and Groups
1. Create a group under Blocked IPs as described in Creating CMDB Groups and Adding Objects to Them.
2. Select the group you created and click New.
3. Enter information for the Blocked IP address you want to add, and then click Save.
Adding Blocked IP Addresses to a Group with a CSV File
Instead of manually adding blocked IP addresses to a user-defined or system group individually, you can upload a CSV file with multiple entries to the group by selecting the group, clicking Update, and then selecting Import Manually. You will need to format the file with these fields:
#domain,malware name,date(MM/DD/YYYY),IP,Reverse IP lookup,ASN
For example:
t3tr.co.cc,Blackhole exploit kit,1/23/2011,173.201.33.90,ip-173-201-3390.ip.secureserver.net.,26496
sq2s.co.cc,Blackhole exploit kit,1/23/2011,173.201.33.90,ip-173-201-3390.ip.secureserver.net.,26496
Custom Malware IP Threat Feed
This topic describes how to import Malware IP information into FortiSIEM from external threat feed websites.
• Prerequisites
• Websites with built in support
• Custom threat feed websites - CSV data - one-time manual import
• Custom threat feed websites - CSV data - programmatic import
• Custom threat feed websites - non-CSV data - programmatic import
• Custom threat feed websites - STIX formatted data and TAXII import
Prerequisites
Before proceeding, gather the following information about a threat feed web site.
• The website URL
• Credentials required to access the website (optional)
• If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL.
• If the data is in comma separated value format (the separator need not be a comma but could be any separator), then a simple integration is possible.
• If the data is in any other format, e.g. XML, then some code needs to be written for integration using the FortiSIEM-provided framework.
Websites with built in support
The following websites are supported:
• Emerging threat (http://rules.emergingthreats.net)
• Zeus (https://zeustracker.abuse.ch)
• Threat Stream Malware IP (https://api.threatstream.com)
• Hail-A-TAXII Malware IP (http://hailataxii.com/)
For Threat Stream Malware IP, the following Malware types are imported:
• Bot IP
• Actor IP
• APT Email
• APT IP
• Bruteforce IP
• Compromised IP
• Malware IP
• DDoS IP
• Phishing email IP
• Phish URL IP
• Scan IP
• Spam IP
To import data from these websites, follow these steps.
1. In CMDB > Malware IPs, find the website you need to import data from.
2. Select the folder.
3. Click Update.
4. Select Update via API. The link should show in the edit box.
5. Enter a schedule by clicking on the "+" icon.
6. Enter the schedule parameters - when to start and how often to import. FortiSIEM recommends no more frequent
than hourly.
7. Select the type of template you want to create.
Custom threat feed websites - CSV data - one-time manual import
This requires that the data to be imported is already in a file in comma separated value format. The required
format is
Name, Low IP, High IP, Malware Type, Confidence, Severity, ASN, Org, Country, Description, Date Found(MM/DD/YYYY), Last Seen(MM/DD/YYYY)
Although many fields are possible, only Low IP is required. If High IP is not provided, then it is set to Low IP.
1. Select CMDB>Malware IPs.
2. Click on the "+" button on the left navigation tree to bring up the Create New Malware IP Group dialog.
3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
4. Select the folder just created.
5. Select Import from a file.
6. Click Browse; enter the file name and click Upload.
7. The imported data will show on the right pane.
Custom threat feed websites - CSV data - programmatic import
This requires that the web site data is:
• a file in comma separated value format (the separator can be any special character such as space, tab, hash, dollar, etc.)
• one entry per line
Although many fields are possible, only Low IP is required. If High IP is not provided, then it is set to Low IP.
Follow these steps.
1. Select CMDB>Malware IPs.
2. Click on the "+" button on the left navigation tree to bring up the Create New Malware IP Group dialog.
3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
4. Select the folder just created.
5. Select Update via API.
6. For Website, Click Add.
7. In the Data Mapping dialog:
a. Enter the URL of the website.
b. Enter User Name and Password (optional).
c. For Plugin class, the default class
com.FortiSIEM.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not
modify this for this case.
d. Enter the correct Field separator (by default it is a comma).
e. Select CSV as the Data Format.
f. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website
data. For example if the IP is in third position, then choose 3 in the Position column.
g. Click Save.
8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
9. The imported data will show on the right pane after some time.
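The following script is an added example, not FortiSIEM code, that pre-flights a custom feed before it is uploaded or mapped: it applies the same position-based Data Mapping described in the steps above (one 1-based Position per FortiSIEM field, any Field separator), enforces the rule that only Low IP is required and that a missing High IP is set to Low IP, and checks the MM/DD/YYYY dates of the one-time manual import format. SAMPLE_FEED_LINE and SAMPLE_POSITIONS are constructed sample data.

```python
"""Pre-flight a custom threat feed for the FortiSIEM Malware IP CSV import.

Added example, not FortiSIEM code. Mirrors the Data Mapping dialog: each
FortiSIEM field is taken from a 1-based Position in the source line, the
Field separator may be any character, Low IP is the only required field,
and a missing High IP is set to Low IP. Dates must be MM/DD/YYYY.
SAMPLE_FEED_LINE and SAMPLE_POSITIONS are constructed, not from a real feed.
"""
import ipaddress
from datetime import datetime

# Column order of the one-time manual import format described on this page.
FORTISIEM_IP_COLUMNS = [
    "Name", "Low IP", "High IP", "Malware Type", "Confidence", "Severity",
    "ASN", "Org", "Country", "Description", "Date Found", "Last Seen",
]

# Constructed sample: a hash-separated feed line (198.51.100.0/24 is a
# documentation range) and the Position values you would enter in the dialog.
SAMPLE_FEED_LINE = "198.51.100.7#Bot IP#85#HIGH#64496#Example Org#US#ssh scanner#01/23/2017"
SAMPLE_POSITIONS = {
    "Low IP": 1, "Malware Type": 2, "Confidence": 3, "Severity": 4,
    "ASN": 5, "Org": 6, "Country": 7, "Description": 8, "Last Seen": 9,
}


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _is_mmddyyyy(text):
    try:
        datetime.strptime(text, "%m/%d/%Y")
        return True
    except ValueError:
        return False


def map_feed_line(line, separator, positions):
    """Map one source line onto the FortiSIEM columns.

    Returns (row, problems). Any problem means the line would be rejected or
    silently mis-mapped by the import, so fix the feed or the positions first.
    """
    fields = line.rstrip("\r\n").split(separator)
    row = {col: "" for col in FORTISIEM_IP_COLUMNS}
    problems = []
    for col, pos in positions.items():
        if col not in row:
            problems.append("unknown column %s" % col)
        elif pos < 1 or pos > len(fields):
            problems.append("position %d for %s is outside the %d-field line"
                            % (pos, col, len(fields)))
        else:
            value = fields[pos - 1].strip()
            if "," in value:
                # the manual import file is comma-separated; the page does not
                # say quoting is accepted, so treat an embedded comma as an error
                problems.append("%s %r contains a comma" % (col, value))
            row[col] = value
    if not row["Low IP"]:
        problems.append("Low IP is required")
    elif not _is_ip(row["Low IP"]):
        problems.append("Low IP %r is not an IP address" % row["Low IP"])
    if not row["High IP"]:
        row["High IP"] = row["Low IP"]      # FortiSIEM default: High IP = Low IP
    elif not _is_ip(row["High IP"]):
        problems.append("High IP %r is not an IP address" % row["High IP"])
    for col in ("Date Found", "Last Seen"):
        if row[col] and not _is_mmddyyyy(row[col]):
            problems.append("%s %r is not MM/DD/YYYY" % (col, row[col]))
    return row, problems


def to_import_csv(rows):
    """Render mapped rows as the comma-separated lines the manual import expects."""
    return "\n".join(",".join(row[col] for col in FORTISIEM_IP_COLUMNS)
                     for row in rows)


if __name__ == "__main__":
    row, problems = map_feed_line(SAMPLE_FEED_LINE, "#", SAMPLE_POSITIONS)
    print(problems or to_import_csv([row]))
```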
Custom threat feed websites - non-CSV data - programmatic import
This is the most general case, where the website data format does not satisfy the previous conditions. In this case, the user has to write a Java plugin class by modifying the default system-provided one. Follow the instructions in the FortiSIEM ServiceAPI, available at the FortiSIEM support portal under the FortiSIEM ServiceAPI section.
After the class has been written and fully tested for correctness, follow these steps.
1. Select CMDB>Malware IPs.
2. Click on the "+" button on the left navigation tree to bring up the Create New Malware IP Group dialog.
3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
4. Select the folder just created.
5. Select Update via API.
6. For Website, Click Add.
7. In the Data Mapping dialog:
a. Enter the URL of the website.
b. Enter User Name and Password (optional).
c. For Plugin class, choose the custom Java class for this case.
d. Enter the correct Field separator (by default it is a comma).
e. Select CSV as the Data Format.
f. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the Low IP is in first position, then choose 1 in the Position column.
g. Click Save.
8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
9. The imported data will show on the right pane after some time.
Custom threat feed websites - STIX formatted data and TAXII import
In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.
1. Select CMDB>Malware IPs.
2. Click on the "+" button on the left navigation tree to bring up the Create New Malware IP Group dialog.
3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
4. Select the folder just created.
5. Select Update via API.
6. For Website, Click Add.
7. In the Data Mapping dialog:
a. Enter the URL of the website.
b. Enter User Name and Password (optional).
c. For Plugin class, choose STIX-TAXII and Full.
d. Click Save.
8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
9. The imported data will show on the right pane after some time.
Blocked URLs
The CMDB Blocked URLs page lists URLs that are known to host malware.
The Threat Stream Blocked URL group is included in your FortiSIEM deployment.
Updating System-Defined Blocked URL Group
The system-defined group is Threat Stream Blocked URL, which is updated by its own service. You can set it to update automatically on a schedule.
1. Log in to your Supervisor node.
2. Click CMDB.
3. Select Threat Stream Blocked URL.
4. Click Update.
5. Set Schedule.
a. Select Update Automatically to open the update scheduler and verify the URI of the update service.
b. Set the schedule for how often you want the list to update from the service.
c. Click OK.
d. Click Save.
6. Set user name and password.
a. Select the link (https://api.threatstream.com/api/v1/intelligence/).
b. Click Edit.
c. Enter User Name and Password.
d. Set Data Format to Custom and Incremental.
e. Click Save.
Custom Malware URL Threat Feed
This topic describes how to import Malware URL information into FortiSIEM from external threat feed websites.
• Prerequisites
• Threat feed websites with built in support
• Custom threat feed websites - CSV data - one-time manual import
• Custom threat feed websites - CSV data - GUI import
• Custom threat feed websites - non-CSV data - programmatic import
• Custom threat feed websites - STIX formatted data and TAXII import
Prerequisites
Before proceeding, gather the following information about a threat feed web site.
• The website URL
• Credentials required to access the website (optional)
• If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL.
• If the data is in comma separated value (CSV) format, then a simple integration is possible. Note that the separator need not be a comma but could be any separator.
• If the data is in any other format, e.g. XML, then some code needs to be written for integration using the FortiSIEM-provided framework.
Threat feed websites with built in support
The following websites are supported:
• Threat Stream Malware URL (https://api.threatstream.com)
• FortiSandbox Malware URL
• Hail-A-TAXII Malware IP (http://hailataxii.com/)
To import data from these websites, follow these steps.
1. In CMDB > Malware URLs, find the website you need to import data from.
2. Select the folder.
3. Click Update.
4. Select Update via API. The link should show in the edit box.
5. Enter a schedule by clicking on the "+" icon.
6. Enter the schedule parameters - when to start and how often to import. FortiSIEM recommends no more frequent
than hourly.
Custom threat feed websites - CSV data - one-time manual import
This requires that the data to be imported is already in a file in comma separated value format. The required
format is
URL, Malware Type, Confidence, Description,Last Seen(MM/DD/YYYY)
1. Select CMDB>Malware URLs.
2. Click on the "+" button on the left navigation tree to bring up the Create New Malware URL Group dialog.
3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
4. Select the folder just created.
5. Select Import from a file.
6. Click Browse; enter the file name and click Upload.
7. The imported data will show on the right pane.
Custom threat feed websites - CSV data - GUI import
This requires that the web site data has the following structure:
• a file in comma separated value format (the separator can be any special character such as space, tab, hash, dollar, etc.)
• one entry per line
Follow these steps.
1. Select CMDB>Malware URLs.
2. Click on the "+" button on the left navigation tree to bring up the Create New Malware URL Group dialog.
3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
4. Select the folder just created.
5. Select Update via API.
6. For Website, Click Add.
7. In the Data Mapping dialog:
a. Enter the URL of the website.
b. Enter User Name and Password (optional).
c. For Plugin class, the default class com.FortiSIEM.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
d. Enter the correct Field separator (by default it is a comma).
e. Set Data Format to CSV.
f. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the URL is in third position, then choose 3 in the Position column.
g. Click Save.
8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
9. The imported data will show on the right pane after some time.
Custom threat feed websites - non-CSV data - programmatic import
This is the most general case, where the website data format is not CSV. In this case, the user has to write a Java plugin class by modifying the default system-provided one. Follow the instructions in the FortiSIEM ServiceAPI, available at the FortiSIEM support portal under the FortiSIEM ServiceAPI section.
After the class has been written and fully tested for correctness, follow these steps.
1. Select CMDB>Malware URLs.
2. Click on the "+" button on the left navigation tree to bring up the Create New Malware URL Group dialog.
3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
4. Select the folder just created.
5. Select Update via API.
6. For Website, Click Add.
7. In the Data Mapping dialog:
a. Enter the URL of the website.
b. Enter User Name and Password (optional).
c. For Plugin class, choose the custom Java class for this case.
d. Select Custom as the Data Format.
e. Click Save.
8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
9. The imported data will show on the right pane after some time.
Custom threat feed websites - STIX formatted data and TAXII import
In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.
1. Select CMDB>Malware URLs.
2. Click on the "+" button on the left navigation tree to bring up the Create New Malware URL Group dialog.
3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
4. Select the folder just created.
5. Select Update via API.
6. For Website, Click Add.
7. In the Data Mapping dialog:
a. Enter the URL of the website.
b. Enter User Name and Password (optional).
c. For Plugin class, choose STIX-TAXII and Full.
d. Click Save.
8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
9. The imported data will show on the right pane after some time.
Country Groups
The Country Groups page contains a list of all the country names in the FortiSIEM geolocation database. You can
also create folders that represent different organizations of countries for use in Analytics.
Adding a New Country or Country Group
1. Log in to your Supervisor node.
2. Go to CMDB > Country Groups.
3. Select an existing country group, or create a new one.
4. Click New.
5. Enter a name and description for the new country.
6. Click Save.
Creating CMDB Groups and Adding Objects to Them
In the CMDB browser pane you will see several categories, or groups, for each type of CMDB object. For
example, under Applications, you will see the groups Infrastructure App, User App, and Ungrouped, with
additional subcategorization within each of those groups. You can create your own groupings and add CMDB
objects to them.
1. Log in to your Supervisor node.
2. Click CMDB.
3. In the CMDB browser pane, select the type of CMDB object you want to create a group for, and then click +.
4. Enter a Group name and Description.
5. Under Select Group Members, select any existing groups from which you would like to add objects to your new
group.
The group containing all the CMDB objects of this type is selected by default.
6. Select the objects you want to add to the group, and then click >> to add them to the group.
7. Click OK.
Your new group, and the objects it contains, will be listed under that CMDB object type in the CMDB browser
pane. You can add objects directly to the group by selecting it in the CMDB browser pane, and then following the
process for adding a new object.
Default Passwords
The CMDB Default Password page contains a list of default vendor credentials. These well-known credentials should never be used in production. During device discovery FortiSIEM checks if the device credentials are still set to default, and the system rule Default Password Detected by System triggers an incident if they are. A sample raw event log for a default password incident:
<174>Oct 20 22:50:03 [PH_AUDIT_DEFAULT_PWD_MATCH]:
[phEventCategory]=2,[appTransportProto]=SNMP,
[reptModel]=Firewall-1 SPLAT,[srcIpAddr]=192.168.19.195,
[phCustId]=1,[sessionId]=0f8bdee2b6a265c4bd075fc777ed,
[procName]=AppServer,[reptVendor]=Checkpoint,
[hostIpAddr]=172.16.0.1,[hostName]=SJ-QA-F-Lnx-CHK,
[eventSeverity]=PHL_INFO,[user]=,[phLogDetail]=Default
password matches for the same composite key (Vendor, Model,
Access method, User Name, Password)
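The parser below is an added example, not FortiSIEM code, that turns the raw PH_AUDIT_DEFAULT_PWD_MATCH event above into fields a responder can route on (which device, vendor, model and access method matched a default credential). It assumes only the layout visible in the sample: a syslog priority and timestamp, the event type in brackets, then [attribute]=value pairs; SAMPLE_EVENT is that event re-joined onto one line.

```python
"""Parse the FortiSIEM PH_AUDIT_DEFAULT_PWD_MATCH audit event shown above.

Added example, not FortiSIEM code. The event is a syslog priority and
timestamp, the event type in brackets, then a run of [attribute]=value pairs.
Values may themselves contain commas and spaces (phLogDetail does), so the
parser cuts each value at the next "[name]=" marker rather than at commas.
SAMPLE_EVENT is the event from this page re-joined onto one line; the
attribute names are taken from it, nothing else is assumed.
"""
import re

SAMPLE_EVENT = (
    "<174>Oct 20 22:50:03 [PH_AUDIT_DEFAULT_PWD_MATCH]:"
    "[phEventCategory]=2,[appTransportProto]=SNMP,"
    "[reptModel]=Firewall-1 SPLAT,[srcIpAddr]=192.168.19.195,"
    "[phCustId]=1,[sessionId]=0f8bdee2b6a265c4bd075fc777ed,"
    "[procName]=AppServer,[reptVendor]=Checkpoint,"
    "[hostIpAddr]=172.16.0.1,[hostName]=SJ-QA-F-Lnx-CHK,"
    "[eventSeverity]=PHL_INFO,[user]=,[phLogDetail]=Default "
    "password matches for the same composite key (Vendor, Model, "
    "Access method, User Name, Password)"
)

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"\[(?P<event>[A-Z0-9_]+)\]:(?P<body>.*)$",
    re.S,
)
MARKER_RE = re.compile(r"\[(\w+)\]=")


def parse_event(raw):
    """Return priority, facility/severity, timestamp, event type and attributes."""
    m = HEADER_RE.match(raw.strip())
    if not m:
        raise ValueError("not a FortiSIEM audit event")
    body = m.group("body")
    markers = list(MARKER_RE.finditer(body))
    attrs = {}
    for i, mk in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(body)
        # the pair separator is the comma just before the next marker
        attrs[mk.group(1)] = body[mk.end():end].rstrip(",").strip()
    pri = int(m.group("pri"))
    return {
        "priority": pri,
        "facility": pri // 8,          # <174> -> 21 (local5)
        "severity": pri % 8,           # <174> -> 6 (informational)
        "timestamp": m.group("ts"),
        "event_type": m.group("event"),
        "attributes": attrs,
    }


def default_password_finding(raw):
    """Reduce a default-password event to what a responder acts on, or None."""
    ev = parse_event(raw)
    if ev["event_type"] != "PH_AUDIT_DEFAULT_PWD_MATCH":
        return None
    a = ev["attributes"]
    return {
        "device_ip": a.get("hostIpAddr"),
        "device_name": a.get("hostName"),
        "vendor": a.get("reptVendor"),
        "model": a.get("reptModel"),
        "access_method": a.get("appTransportProto"),
        "user": a.get("user") or None,   # empty in the sample event
        "customer_id": a.get("phCustId"),
    }


if __name__ == "__main__":
    print(default_password_finding(SAMPLE_EVENT))
```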
Adding a New Default Password
1. Log in to your Supervisor node.
2. Go to CMDB > Default Passwords.
3. Select a group where you want to add the default password, or create a new one.
4. Click New.
5. Select the Vendor and Model of the device for which you want to enter a default password.
6. Select the Access Protocol that is used to connect to the device.
7. Enter the default User Name and Password for the device.
8. Click Save.
Adding Default Passwords to a Group with a CSV File
You can upload a CSV file with multiple entries to a default password group by selecting the group, clicking Import, and then browsing to a CSV file. You will need to format the file with these fields:
Vendor,Model,Access Protocol,User Name,Password
For example:
Microsoft,Windows,WMI,Administrator,Administrator
Devices
You would typically add devices to the CMDB through the Discovering Infrastructure process. However, there may
be situations in which you want to add devices to the CMDB manually. For example, you may not have access
credentials for a device but still want to be able to include network information about it so that logs received by
FortiSIEM can be parsed properly. These topics describe those situations and provide instructions for how to
successfully add a device to the CMDB:
• Adding Devices to the CMDB Outside of Discovery
• Adding a Synthetic Monitoring Test to a Business Service
Event Types
The CMDB Event Types page lists the types of events that are collected for supported devices.
Adding a New Event Type
1. Log in to your Supervisor node.
2. Go to CMDB > Event Types.
3. Select a group to add the new event to, or create a new one.
4. Click New.
5. Enter a Name, Display Name, and Description for the event type.
6. Select the Device to associate with this event type.
7. Select the level of Severity associated with this event type.
8. For CVE IDs, enter links to any vulnerabilities associated with this event type as cataloged by the National
Vulnerability Database.
9. Click Save.
Malware Hashes
The CMDB Malware Hash page can be used to define a list of malware files and their hashes. When FortiSIEM monitors a directory, it generates these directory events:
Directory Event                        Generated by
PH_DEV_MON_CUST_FILE_CREATE            New file creation
PH_DEV_MON_CUST_FILE_SCAN              Directory is scanned
PH_DEV_MON_CUST_FILE_CHANGE_CONTENT    Changes in file content
When FortiSIEM scans a file and collects its hash, it uses the system rule Malware Hash Check to check the list of malware hashes, and triggers an alert if a match is found.
Adding a New Malware Hash
1. Log in to your Supervisor node.
2. Go to CMDB > Malware Hash.
3. Select a group where you want to add the malware hash, or create a new one.
4. Click New.
5. Enter information for the malware hash.
6. Click Save.
Adding Malware Hashes to a Group with a CSV File
You can upload a CSV file with multiple entries to a malware hash group by selecting the group, clicking Import, and then browsing to a CSV file. You will need to format the file with these fields:
BotNet name, Algorithm, Hash Code, Controller IP, Country, Confidence, Last Seen Time
For example:
MyBotnet,SHA,aaecdrgt0987995dae567812,101.1.1.2,87,China,100,10/20/2014
Updating System Defined Malware Hash Group
The current system-defined groups are each updated by their own service:
• Threat Stream Malware Hash
• FortiSandbox Malware Hash
You only need to set these to update automatically on a schedule.
• Log in to your Supervisor node.
• Click CMDB.
• Select a system-defined group.
• Click Update.
• Select Update Automatically to open the update scheduler and verify the URI of the update service.
• Set the schedule for how often you want the list to update from the service.
• Click Save.
• If you want to remove an IP address or set of IP addresses from the group, clear the Enable selection next to the IP address, and then click Continue to confirm.
The IP address will still be listed in the group, but it will no longer be blocked. Select Enable to resume blocking it.
• If you want to add a malware IP address to the group, make sure the group is selected, click New, and enter information about the blocked IP address.
Manually Creating a Malware Hash
1. Create a group under Malware Hash as described in Creating CMDB Groups and Adding Objects to Them.
2. Select the group you created and click New.
3. Enter information for the Malware Hash you want to add, and then click Save.
Adding Malware Hashes to a Group with a CSV File (Update > Import from a file)
Instead of manually adding malware hashes to a user-defined or system group individually, you can upload a CSV file with multiple entries to the group by selecting the group, clicking Update, and then selecting Import from a file. You will need to format the file with these fields:
Botnet Name, Algorithm, Hash Code, Controller IP, Malware Type, Confidence, Severity, ASN, Org, Country, Description, Date Found(MM/DD/YYYY), Last Seen(MM/DD/YYYY)
Custom Malware Hash Threat Feed
This topic describes how to import Malware Hash information into FortiSIEM from external threat feed websites.
• Prerequisites
• Threat feed websites with built in support
• Custom threat feed websites - CSV data - one-time manual import
• Custom threat feed websites - CSV data - programmatic import
• Custom threat feed websites - non-CSV data - programmatic import
• Custom threat feed websites - STIX formatted data and TAXII import
Prerequisites
Before proceeding, gather the following information about a threat feed web site.
• The website URL
• Credentials required to access the website (optional)
• If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL.
• If the data is in comma separated value format (the separator need not be a comma but could be any separator), then a simple integration is possible.
• If the data is in any other format, e.g. XML, then some code needs to be written for integration using the FortiSIEM-provided framework.
Threat feed websites with built in support
The following websites are supported:
• ThreatStream Malware Hash (https://api.threatstream.com)
• FortiSandbox Malware Hash
• Hail-A-TAXII Malware IP (http://hailataxii.com/)
To import data from these websites, follow these steps.
1. In CMDB > Malware Hash, find the website you need to import data from.
2. Select the folder.
3. Click Update.
4. Select Update via API. The link should show in the edit box.
5. Enter a schedule by clicking on the "+" icon.
6. Enter the schedule parameters - when to start and how often to import. FortiSIEM recommends no more frequent
than hourly.
7. Select the type of template you want to create.
Custom threat feed websites - CSV data - one-time manual import
This requires that the data to be imported is already in a file in comma separated value format. The required
format is:
Botnet Name, Algorithm, Hash Code, Controller IP, Malware Type, Confidence, Severity, ASN, Org, Country, Description, Date Found(MM/DD/YYYY), Last Seen(MM/DD/YYYY)
Note: Although many fields are possible, only Botnet Name and Hash Code are required.
1. Select CMDB > Malware Hash.
2. Click on the "+" button on the left navigation tree to bring up the "Create New Malware Hash Group" dialog.
3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
4. Select the folder just created.
5. Select Import from a file.
6. Click Browse; enter the file name and click Upload.
7. The imported data will show on the right pane.
Custom threat feed websites - CSV data - programmatic import
This requires that the web site data is:
• a file in comma separated value format (the separator can be any special character such as space, tab, hash, dollar, etc.)
• one entry per line
Note: Although many fields are possible, only Botnet Name and Hash Code are required.
Follow these steps.
1. Select CMDB > Malware Hash.
2. Click on the "+" button on the left navigation tree to bring up the "Create New Malware Hash Group" dialog.
3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
4. Select the folder just created.
5. Select Update via API.
6. For Website, click Add.
7. In the Data Mapping dialog:
a. Enter the URL of the website.
b. Enter User Name and Password (optional).
c. For Plugin class, the default class com.FortiSIEM.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify it for this case.
d. Enter the correct Field separator (by default it is a comma).
e. Select CSV as the Data Format.
f. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the Hash is in the third position, choose 3 in the Position column.
g. Click Save.
8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to
import new data from the website.
9. The imported data will show on the right pane after some time.
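The script below is an added example, not code from FortiSIEM or this guide. It does outside the product what the Data Mapping dialog does inside it: a mapping of FortiSIEM field name to 1-based column position, a configurable separator, and a check that the two required fields (Botnet Name and Hash Code) are present, then writes rows in the column order the one-time manual import expects. The vendor feed lines, the "|" separator, the column positions and the idea of inferring Algorithm from the digest length are all assumptions made for this example; it also assumes the manual-import file carries no header row.

```python
"""Normalise a custom CSV threat feed into the FortiSIEM Malware Hash import format.

Added example, not part of the FortiSIEM product or its documentation. It mirrors the
Data Mapping dialog: FortiSIEM field -> 1-based column position in the source feed,
plus a configurable field separator. Only Botnet Name and Hash Code are required; the
hash algorithm is derived from the digest length when the feed does not carry it.
The sample feed lines below are constructed for this example.
"""
import csv
import io
import re

# Column order the user guide gives for a Malware Hash CSV import.
FORTISIEM_COLUMNS = [
    "Botnet Name", "Algorithm", "Hash Code", "Controller IP", "Malware Type",
    "Confidence", "Severity", "Asn", "Org", "Country", "Description",
    "Data Found(MM/DD/YYYY)", "Last Seen(MM/DD/YYYY)",
]

# Digest length in hex characters -> algorithm name (assumption: these three only).
_HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
_HEX = re.compile(r"^[0-9a-fA-F]+$")

# Constructed vendor feed: '|'-separated, hash in column 1, family in column 2,
# first-seen date in column 3, a comment column we do not map, then the C2 address.
SAMPLE_FEED = """\
# hash|family|first_seen|comment|c2
44d88612fea8a8f36de82e1278abb02f|EICAR-Test|01/15/2017|test file|203.0.113.5
3395856ce81f2b7382dee72602f798b642f14140|EICAR-Test|01/15/2017|test file sha1|
notahash|BadFamily|02/01/2017|malformed row|198.51.100.9
|Orphan|02/02/2017|missing hash|198.51.100.10
"""

# The mapping as it would be entered in the dialog: FortiSIEM field -> position.
SAMPLE_MAPPING = {
    "Hash Code": 1,
    "Botnet Name": 2,
    "Data Found(MM/DD/YYYY)": 3,
    "Controller IP": 5,
}


def classify_hash(value):
    """Return the algorithm for a hex digest, or None if it is not a recognised hash."""
    value = value.strip()
    if not _HEX.match(value):
        return None
    return _HASH_LENGTHS.get(len(value))


def normalise_feed(text, mapping, separator="|"):
    """Convert feed rows to FortiSIEM's column order.

    Returns (rows, rejected): rows is a list of 13-element lists ready to be written
    as CSV; rejected lists (line_number, reason) for rows that fail validation.
    Comment lines (starting with '#') and blank lines are skipped.
    """
    rows, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(separator)
        record = {col: "" for col in FORTISIEM_COLUMNS}
        for col, pos in mapping.items():
            if 1 <= pos <= len(fields):
                record[col] = fields[pos - 1].strip()
        # Required fields per the guide: Botnet Name and Hash Code.
        if not record["Botnet Name"] or not record["Hash Code"]:
            rejected.append((lineno, "missing Botnet Name or Hash Code"))
            continue
        algo = classify_hash(record["Hash Code"])
        if algo is None:
            rejected.append((lineno, "Hash Code is not an MD5/SHA1/SHA256 hex digest"))
            continue
        record["Hash Code"] = record["Hash Code"].lower()
        if not record["Algorithm"]:
            record["Algorithm"] = algo
        rows.append([record[col] for col in FORTISIEM_COLUMNS])
    return rows, rejected


def to_fortisiem_csv(rows):
    """Render normalised rows as comma-separated text, one entry per line, no header."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    good, bad = normalise_feed(SAMPLE_FEED, SAMPLE_MAPPING)
    print(to_fortisiem_csv(good))
    for lineno, reason in bad:
        print(f"rejected line {lineno}: {reason}")
```

Rejecting rows instead of importing them blank matters here: an entry with an empty or malformed hash never matches anything and only pads the CMDB, while a row that silently lost its Botnet Name loses the attribution an analyst needs when the rule fires.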
Custom threat feed websites - non-CSV data - programmatic import
This is the most general case, where the website data format does not satisfy the previous conditions. In this
case, you have to write a Java plugin class by modifying the default system-provided one. Follow the instructions in
the FortiSIEM ServiceAPI, available at the FortiSIEM support portal under the FortiSIEM ServiceAPI section. After the
class has been written and fully tested for correctness, follow these steps.
1. Select CMDB>Malware Hash.
2. Click on the "+" button on the left navigation tree to bring up the "Create New Malware Hash Group" dialog.
3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
4. Select the folder just created.
5. Select Update via API.
6. For Website, click Add.
7. In the Data Mapping dialog:
a. Enter the URL of the website.
b. Enter User Name and Password (optional).
c. For Plugin class, enter the custom Java class written for this case.
d. Enter the correct Field separator (by default it is a comma).
e. Select CSV as the Data Format.
f. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the Low Hash is in the first position, choose 1 in the Position column.
g. Click Save.
8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to
import new data from the website.
9. The imported data will show on the right pane after some time.
Custom threat feed websites - STIX formatted data and TAXII import
In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.
1. Select CMDB>Malware Hash.
2. Click on the "+" button on the left navigation tree to bring up the Create New Malware Hash Group dialog.
3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
4. Select the folder just created.
5. Select Update via API.
6. For Website, click Add.
7. In the Data Mapping dialog:
a. Enter the URL of the website.
b. Enter User Name and Password (optional).
c. For Plugin class, choose STIX-TAXII and Full.
d. Click Save.
8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to
import new data from the website.
9. The imported data will show on the right pane after some time.
Networks
The CMDB Networks page lists the defined networks in your IT infrastructure.
Adding a New Network
1. Log in to your Supervisor node.
2. Go to CMDB > Networks.
3. Create a new network group or select an existing one.
4. Click New.
5. Enter a Network Name and the Low IP address of the network IP range.
6. Enter any other information about the network.
7. Click Save.
Protocols
The CMDB Protocols page lists the protocols used by applications and devices to communicate with the
FortiSIEM virtual appliance.
Adding a Protocol
1. Log in to your Supervisor node.
2. Go to CMDB > Protocols.
3. Create a new protocol group or select an existing one.
4. Click New.
5. Enter a Name and Description for the protocol.
6. Click + to select a protocol and associate it with a port
7. Select or create an Apps Group to associate with the protocol.
8. Click Save.
User Agents
The CMDB User Agent page lists common and uncommon user agents in HTTP communications. The traditional
use case for a user agent is to detect browser types so the server can return an optimized page. However, user
agents are often misused by malware, and are used to communicate the identity of the client to the BotNet
controller over HTTP(S). FortiSIEM monitors HTTP(S) logs and the system rule Blacklist User Agent
Match uses regular expression matching to detect blacklisted user agents.
Adding User Agents
1. Log in to your Supervisor node.
2. Go to CMDB > User Agents.
3. Select the User Agent group where you want to add the new user agent.
4. Click New.
5. Enter the User Agent using regular expression notation.
6. Click Save.
Adding User Agents to a Group with a CSV File
Instead of manually adding user agents to a user-defined or system group individually, you can upload a CSV file
with multiple entries to the group by selecting the group, clicking Update, and then selecting Import Manually.
Each user agent entry in the file must be written in regular expression notation, for example:
^Really\s+Bad\s+User\s+Agent
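The script below is an added example, not FortiSIEM code, showing what a regular-expression user agent blacklist like the one the Blacklist User Agent Match rule consumes actually does when run over HTTP log lines. The two extra patterns beyond the guide's sample entry, the simplified Apache combined log format and the log lines themselves are constructed for this example.

```python
"""Regex-based blacklisted user-agent detection over proxy/web log lines.

Added example, not FortiSIEM code: it shows what a rule such as "Blacklist User Agent
Match" does with the regular expressions stored in a CMDB User Agents group. The
patterns (other than the guide's sample entry) and the log lines are constructed for
this example; the log format is a simplified Apache/NCSA combined line.
"""
import re

# Entries as they would be uploaded in the CSV: one regular expression per line.
BLACKLISTED_USER_AGENTS = [
    r"^Really\s+Bad\s+User\s+Agent",       # the guide's sample entry
    r"^Mozilla/4\.0\s*$",                  # bare, truncated UA often sent by downloaders
    r"(?i)^python-requests/|^curl/",       # scripted clients on hosts that should only run browsers
]

# Constructed combined-format log lines; the last quoted field is the user agent.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2017:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/53.0"
10.0.0.7 - - [01/Jun/2017:10:01:05 +0000] "POST /gate.php HTTP/1.1" 200 12 "-" "Really  Bad   User Agent/1.0"
10.0.0.9 - - [01/Jun/2017:10:01:09 +0000] "GET /update HTTP/1.1" 404 0 "-" "Mozilla/4.0"
10.0.0.9 - - [01/Jun/2017:10:02:10 +0000] "GET /report HTTP/1.1" 200 80 "-" "Python-Requests/2.18.1"
10.0.0.11 - - [01/Jun/2017:10:03:00 +0000] "GET /ok HTTP/1.1" 200 1 "-" "Not Really Bad User Agent"
"""

_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def compile_blacklist(patterns):
    """Compile each pattern once; a bad regex fails loudly instead of silently never matching."""
    return [re.compile(p) for p in patterns]


def parse_log_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def find_blacklisted(log_text, compiled):
    """Return (source IP, user agent, matching pattern) for each line that hits the blacklist.

    re.search is used rather than re.match so that each pattern decides its own
    anchoring with ^ and $, as the guide's sample entry does.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        for rx in compiled:
            if rx.search(rec["ua"]):
                hits.append((rec["src"], rec["ua"], rx.pattern))
                break
    return hits


if __name__ == "__main__":
    for src, ua, pat in find_blacklisted(SAMPLE_LOG, compile_blacklist(BLACKLISTED_USER_AGENTS)):
        print(f"{src}\t{ua!r}\tmatched {pat}")
```

Note the fifth line: "Not Really Bad User Agent" does not match because the entry is anchored with ^. An unanchored entry such as Bad\s+User would also fire on that line, so anchor blacklist entries deliberately and test them against benign traffic before uploading.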
Users
The CMDB Users page contains information about users of your system. For more information about adding
users, see Adding a Single User.
Watch Lists
A Watch List is a smart container of similar items, such as host names, IP addresses, or user names, that are of
significant interest to an administrator and need to be watched. Examples of watch lists that are already set up in
FortiSIEM are:
- Frequent Account Lockouts - users who are frequently locked out
- Host Scanners - IP addresses that scan other devices
- Disk space issues - hosts with disks that are running out of capacity
- Denied countries - countries with an excessive number of access denials at the firewall
- Blacklisted WLAN endpoints - endpoints that have been blacklisted by Wireless IPS systems
Typically items are added to a watch list dynamically when a rule is triggered, but you can also add items to a
watch list manually. When you define a rule, you can also choose a watch list that will be populated with a specific
incident attribute, as described in Adding a Watch List to a Rule, and you can use watch lists as conditions when
creating reports, as described in Using Watch Lists as Conditions in Rules and Reports. You can also define when
an entry leaves a watch list. Typically this is time based: for example, if the rule does not trigger for that attribute
for the defined time period, then the entry is removed from the watch list. Watch lists are also multi-tenant aware,
with organization IDs tracked in relation to watch list items.
- Creating a Watch List
- System-Defined Watch Lists
Related Links
- Using Watch Lists as Conditions in Rules and Reports
- Adding a Watch List to a Rule
- Overview of the CMDB User Interface
Creating a Watch List
1. Log in to your Supervisor node.
2. Go to CMDB > Watch Lists.
3. Click +.
4. Choose an Organization to associate with the watch list.
5. Enter a Group name and Description for the watch list.
6. Select an object Type for the incident attribute that will be saved to the watch list.
7. Select Case Sensitive if the object type is String and you want to use case sensitivity to compare strings.
8. For Values Expire in, set the time period after which items expire from the watch list if there is no activity for that
attribute during that time.
9. Click OK.
You can now add your new watch list to a rule, so that when the rule is triggered, items will be added to the watch
list. You can also use your watch list as a condition in historical search. See Adding a Watch List to a Rule
and Using Watch Lists as Conditions in Rules and Reports for more information.
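The following model is an added example, not FortiSIEM code, and exists to make the options above concrete: the object Type, the Case Sensitive flag for strings, the organization scoping, and the Values Expire in behaviour where an entry's clock restarts every time a rule adds it again and the entry drops out after the configured period of inactivity. The class, its method names and the timestamps passed in explicitly are this example's design, not the product's API.

```python
"""A minimal model of a FortiSIEM-style watch list: typed entries, optional
case-insensitive string comparison, per-organization scoping and inactivity expiry.

Added example, not FortiSIEM code. Timestamps are passed in explicitly (seconds) so
the behaviour is deterministic and testable.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class WatchList:
    name: str
    value_type: str            # "STRING", "IP" or "INT", as in the CMDB object Type list
    expire_after: float        # seconds of inactivity before an entry is removed
    case_sensitive: bool = True
    org_id: int = 1            # watch lists are multi-tenant aware
    _entries: dict = field(default_factory=dict)   # (org_id, key) -> last_seen timestamp

    def _key(self, value):
        """Normalise a value into the comparison key; rejects values of the wrong type."""
        if self.value_type == "IP":
            return str(ipaddress.ip_address(value))
        if self.value_type == "INT":
            return int(value)
        if self.value_type == "STRING":
            value = str(value)
            return value if self.case_sensitive else value.lower()
        raise ValueError(f"unsupported type {self.value_type}")

    def add(self, value, now, org_id=None):
        """Add or refresh an entry (what a triggered rule does); manual adds use the same path."""
        org = self.org_id if org_id is None else org_id
        self._entries[(org, self._key(value))] = now

    def expire(self, now):
        """Remove entries with no activity for expire_after seconds; return how many were dropped."""
        stale = [k for k, seen in self._entries.items() if now - seen >= self.expire_after]
        for k in stale:
            del self._entries[k]
        return len(stale)

    def contains(self, value, now, org_id=None):
        """Condition check as a rule or report would do it, ignoring expired entries."""
        self.expire(now)
        org = self.org_id if org_id is None else org_id
        return (org, self._key(value)) in self._entries

    def members(self, now, org_id=None):
        """Current entries for one organization, as strings, after expiry."""
        self.expire(now)
        org = self.org_id if org_id is None else org_id
        return sorted(str(k) for (o, k), _ in self._entries.items() if o == org)


def demo():
    """Walk through a Frequent Account Lockouts style list with a 1-hour expiry."""
    wl = WatchList("Accounts Locked", "STRING", expire_after=3600, case_sensitive=False)
    wl.add("CORP\\jdoe", now=0)            # rule fires at t=0
    wl.add("corp\\JDOE", now=1800)         # same account, different case: refreshes, no duplicate
    wl.add("CORP\\asmith", now=0)
    present_at_3000 = wl.contains("corp\\jdoe", now=3000)   # True: refreshed at 1800
    asmith_at_3700 = wl.contains("CORP\\asmith", now=3700)  # False: last seen at 0, 3600 elapsed
    jdoe_at_5500 = wl.contains("corp\\jdoe", now=5500)      # False: 1800 + 3600 = 5400 < 5500
    return present_at_3000, asmith_at_3700, jdoe_at_5500


if __name__ == "__main__":
    print(demo())
```

The case-insensitivity choice is the one to think about for user-name lists: Windows account names compare case-insensitively, so a case-sensitive STRING list would keep CORP\jdoe and corp\JDOE as two entries and the second would not refresh the first.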
Related Links
- Adding a Watch List to a Rule
- Using Watch Lists as Conditions in Rules and Reports
System-Defined Watch Lists
FortiSIEM includes several pre-defined watch lists that are populated by system-defined rules.
Watch list: Accounts Locked
Description: Domain accounts that are locked out frequently
Attribute Type: User (STRING)
Triggering Rules:
  Account Locked: Domain

Watch list: Application Issues
Description: Applications exhibiting issues
Attribute Type: Host Name (STRING)
Triggering Rules:
  IIS Virtual Memory Critical
  SQL Server Low Buffer Cache Hit Ratio
  SQL Server Low Log Cache Hit Ratio
  SQL Server Excessive Deadlock
  SQL Server Excessive Page Read/Write
  SQL Server Low Free Pages In Buffer Pool
  SQL Server Excessive Blocking
  Database Server Disk Latency Critical
  SQL Server Excessive Full Scan
  SQL Server scheduled job failed
  High Oracle Table Scan Usage
  High Oracle Non-System Table Space Usage
  Oracle database not backed up for 1 day
  Exchange Server SMTP Queue High
  Exchange Server Mailbox Queue High
  Exchange Server RPC Request High
  Exchange Server RPC Latency High
  Oracle DB Low Buffer Cache Hit Ratio
  Oracle DB Low Library Cache Hit Ratio
  Oracle DB Low Row Cache Hit Ratio
  Oracle DB Low Memory Sorts Ratio
  Oracle DB Alert Log Error
  Excessively Slow Oracle DB Query
  Excessively Slow SQL Server DB Query
  Excessively Slow MySQL DB Query

Watch list: Availability Issues
Description: Servers, network or storage devices, or applications that are exhibiting availability issues
Attribute Type: Host Name (STRING)
Triggering Rules:
  Network Device Degraded - Lossy Ping Response
  Network Device Down - No Ping Response
  Server Degraded - Lossy Ping Response
  Server Down - No Ping Response
  Server Network Interface Staying Down
  Network Device Interface Flapping
  Server Network Interface Flapping
  Important Process Staying Down
  Important Process Down
  Auto Service Stopped
  Critical network Interface Staying Down
  EC2 Instance Down
  Storage Port Down
  Oracle Database Instance Down
  Oracle Listener Port Down
  MySQL Database Instance Down
  SQL Server Instance Down
  Service Staying Down - Slow Response To STM
  Service Down - No Response to STM
  Service Staying Down - No Response to STM

Watch list: DNS Violators
Description: Sources that send excessive DNS traffic or send traffic to unauthorized DNS gateways
Attribute Type: Source IP
Triggering Rules:
  Excessive End User DNS Queries to Unauthorized DNS servers
  Excessive End User DNS Queries
  Excessive Denied End User DNS Queries
  Excessive Malware Domain Name Queries
  Excessive uncommon DNS Queries
  Excessive Repeated DNS Queries To The Same Domain

Watch list: Denied Countries
Description: Countries that are seeing a high volume of denials on the firewall
Attribute Type: Destination Country (STRING)
Triggering Rules:
  Excessive Denied Connections From An External Country

Watch list: Denied Ports
Description: Ports that are seeing a high volume of denies on the firewall
Attribute Type: Destination Port (INT)
Triggering Rules:
  Excessive Denied Connection To A Port

Watch list: Environmental Issues
Description: Environmental devices that are exhibiting issues
Attribute Type: Host Name (STRING)
Triggering Rules:
  UPS Battery Metrics Critical
  UPS Battery Status Critical
  HVAC Temp High
  HVAC Temp Low
  HVAC Humidity High
  HVAC Humidity Low
  FPC Voltage THD High
  FPC Voltage THD Low
  FPC Current THD High
  FPC ground current high
  NetBotz Module Door Open
  NetBotz Camera Motion Detected
  Warning APC Trap
  Critical APC Trap

Watch list: Hardware Issues
Description: Servers, network or storage devices that are exhibiting hardware issues
Attribute Type: Host Name (STRING)
Triggering Rules:
  Network Device Hardware Warning
  Network Device Hardware Critical
  Server Hardware Warning
  Server Hardware Critical
  Storage Hardware Warning
  Storage Hardware Critical
  Warning NetApp Trap
  Critical Network Trap

Watch list: Host Scanners
Description: Hosts that scan other hosts
Attribute Type: Source IP
Triggering Rules:
  Heavy Half-open TCP Host Scan
  Heavy Half-open TCP Host Scan On Fixed Port
  Heavy TCP Host Scan
  Heavy TCP Host Scan On Fixed Port
  Heavy UDP Host Scan
  Heavy UDP Host Scan On Fixed Port
  Heavy ICMP Ping Sweep
  Multiple IPS Scans From The Same Src

Watch list: Mail Violators
Description: End nodes that send too much mail or send mail to unauthorized gateways
Attribute Type:
Triggering Rules:
  Excessive End User Mail to Unauthorized Gateways
  Excessive End User Mail

Watch list: Malware Found
Description: Hosts where malware was found by host IPS/AV based systems and the malware is not remediated
Attribute Type: Host Name (STRING)
Triggering Rules:
  Virus found but not remediated
  Malware found but not remediated
  Phishing attack found but not remediated
  Rootkit found
  Adware process found
  Spam/malicious Mail Attachment found but not remediated
  Spyware found but not remediated

Watch list: Malware Likely
Description: Hosts that are likely to have malware, detected by network devices; the determination is not as certain as host based detection
Attribute Type: Source IP or Destination IP
Triggering Rules:
  Excessive Denied Connections From Same Src
  Suspicious BotNet Like End host DNS Behavior
  Permitted Blacklisted Source
  Denied Blacklisted Source
  Permitted Blacklisted Destination
  Denied Blacklisted Destination
  DNS Traffic to Malware Domains
  Traffic to Emerging Threat Shadow server list
  Traffic to Emerging Threat RBN list
  Traffic to Emerging Threat Spamhaus list
  Traffic to Emerging Threat Dshield list
  Traffic to Zeus Blocked IP list
  Permitted traffic from Emerging Threat Shadow server list
  Permitted traffic from Emerging Threat RBN list
  Permitted traffic from Emerging Threat Spamhaus list
  Permitted traffic from Emerging Threat Dshield list
  Permitted traffic from Zeus Blocked IP list

Watch list: Port Scanners
Description: Hosts that scan ports on a machine
Attribute Type: Source IP
Triggering Rules:
  Heavy Half-open TCP Port Scan: Single Destination
  Heavy Half-open TCP Port Scan: Multiple Destinations
  Heavy TCP Port Scan: Single Destination
  Heavy TCP Port Scan: Multiple Destinations
  Heavy UDP Port Scan: Single Destination
  Heavy UDP Port Scan: Multiple Destinations

Watch list: Policy Violators
Description: End nodes exhibiting behavior that is not acceptable in typical corporate networks
Attribute Type: Source IP
Triggering Rules:
  P2P Traffic detected
  IRC Traffic detected
  P2P Traffic consuming high network bandwidth
  Tunneled Traffic detected
  Inappropriate website access
  Inappropriate website access - multiple categories
  Inappropriate website access - high volume
  Inbound clear text password usage
  Outbound clear text password usage
  Remote desktop from Internet
  VNC From Internet
  Long lasting VPN session
  High throughput VPN session
  Outbound Traffic to Public DNS Servers

Watch list: Resource Issues
Description: Servers, network or storage devices that are exhibiting resource issues (CPU, memory, disk space, disk I/O, network I/O, virtualization resources) either at the system level or the application level
Attribute Type: Host Name (STRING)
Triggering Rules:
  High Process CPU: Server
  High Process CPU: Network
  High Process Memory: Server
  High Process Memory: Network
  Server CPU Warning
  Server CPU Critical
  Network CPU Warning
  Network CPU Critical
  Server Memory Warning
  Server Memory Critical
  Network Memory Warning
  Network Memory Critical
  Server Swap Memory Critical
  Server Disk space Warning
  Server Disk space Critical
  Server Disk Latency Warning
  Server Disk Latency Critical
  Server Intf Util Warning
  Server Intf Util Critical
  Network Intf Util Warning
  Network Intf Util Critical
  Network IPS Intf Util Warning
  Network IPS Intf Util Critical
  Network Intf Error Warning
  Network Intf Error Critical
  Server Intf Error Warning
  Server Intf Error Critical
  Virtual Machine CPU Warning
  Virtual Machine CPU Critical
  Virtual Machine Memory Swapping Warning
  Virtual Machine Memory Swapping Critical
  ESX CPU Warning
  ESX CPU Critical
  ESX Memory Warning
  ESX Memory Critical
  ESX Disk I/O Warning
  ESX Disk I/O Critical
  ESX Network I/O Warning
  ESX Network I/O Critical
  Storage CPU Warning
  Storage CPU Critical
  NFS Disk space Warning
  NFS Disk space Critical
  NetApp NFS Read/Write Latency Warning
  NetApp NFS Read/Write Latency Critical
  NetApp CIFS Read/Write Latency Warning
  NetApp CIFS Read/Write Latency Critical
  NetApp ISCSI Read/Write Latency Warning
  NetApp ISCSI Read/Write Latency Critical
  NetApp FCP Read/Write Latency Warning
  NetApp FCP Read/Write Latency Critical
  NetApp Volume Read/Write Latency Warning
  NetApp Volume Read/Write Latency Critical
  EqualLogic Connection Read/Write Latency Warning
  EqualLogic Connection Read/Write Latency Critical
  Isilon Protocol Latency Warning

Watch list: Routing Issues
Description: Network devices exhibiting routing related issues
Attribute Type: Host Name (STRING)
Triggering Rules:
  OSPF Neighbor Down
  EIGRP Neighbor down

Watch list: Scanned Hosts
Description: Hosts that are scanned
Attribute Type: Destination IP
Triggering Rules:
  Half-open TCP DDOS Attack
  TCP DDOS Attack
  Excessive Denied Connections to Same Destination

Watch list: Vulnerable Systems
Description: Systems that have high severity vulnerabilities from scanners
Attribute Type: Host Name (STRING)
Triggering Rules:
  Scanner found severe vulnerability

Watch list: Wireless LAN Issues
Description: Wireless nodes triggering violations
Attribute Type: MAC Address (STRING)
Triggering Rules:
  Rogue or Unsecure AP detected
  Wireless Host Blacklisted
  Excessive WLAN Exploits
  Excessive WLAN Exploits: Same Source
Reporting on CMDB Objects
All of the information in the CMDB can be reported on. FortiSIEM includes a number of pre-defined reports that
you can run and export to PDF, and you can also create your own reports.
- CMDB Report Types
- Running, Saving, and Exporting a CMDB Report
- Creating and Modifying CMDB Reports
- Importing and Exporting CMDB Report Definitions
CMDB Report Types
You can find all system-defined reports in CMDB > CMDB Reports. The reports are organized into folders as
shown in this table. Click on a report to view Summary information about it, including the report conditions and
the columns included in the report.
Report and Organization Associations for Multi-Tenant Deployments
If you have a FortiSIEM Service Provider deployment, the Organization column in the CMDB report table will show
whether the report is defined for a specific organization. If it is, then that report is available to both the
organization's users and Super/Global users.
CMDB Report Folder: Overall
  Object to Report On: Device Approval Status
    Report Names: Approved Devices; Not Approved Devices
  Object to Report On: Users
    Report Names: Discovered Users; Locally Authenticated FortiSIEM Users; Externally Authenticated FortiSIEM Users; Manually Defined Users
  Object to Report On: Rules
    Report Names: Active Rules; Rules with Exceptions
  Object to Report On: Reports
    Report Names: Scheduled Reports
  Object to Report On: Performance Monitors
    Report Names: Active Performance Monitors
  Object to Report On: Task
    Report Names: All Existing Tasks
  Object to Report On: Business Service
    Report Names: Business Service Membership

CMDB Report Folder: Network
  Object to Report On: Inventory
    Report Names: Network Device Components with Serial Number; Network Interface Report; Router/Switch Inventory; Router/Switch Image Distribution
  Object to Report On: Ports
    Report Names: Network Open Ports
  Object to Report On: Relationship
    Report Names: WLAN-AP Relationship

CMDB Report Folder: Server
  Object to Report On: Inventory
    Report Names: Server Inventory; Server OS Distribution; Server Hardware: Processor; Server Hardware: Memory and Storage
  Object to Report On: Ports
    Report Names: Server Open Ports
  Object to Report On: Running Services
    Report Names: Windows Auto Running Services; Windows Auto Stopped Services; Windows Exchange Running Services; Windows IIS Running Services; Windows Manual Running Services; Windows Manual Stopped Services; Windows SNMP Running Services; Windows VNC Running Services; Windows WMI Running Services
  Object to Report On: Installed Software / Patches
    Report Names: Windows Installed Software; Windows Installed Patches; Windows Installed Software Distribution

CMDB Report Folder: Virtualization
  Object to Report On: Relationship
    Report Names: VM-ESX Relationship
Running, Saving, and Exporting a CMDB Report
1. Log in to your Supervisor node.
2. Go to CMDB > CMDB Reports, and select the report you want to run.
3. Click Run.
4. If you have a multi-tenant deployment, you will be prompted to select the organizations for which you want to run
the report.
5. Click Save if you want to save the report.
Reports are only saved for the duration of your login session, and you can view saved reports by clicking Report
Results. Each saved report will be listed as a separate tab, and you can delete them by clicking the X
that appears when you hover your mouse over the report name in the tab. You can save up to 5 reports per login
session.
Creating and Modifying CMDB Reports
There are two ways you can create new CMDB reports: you can create a new report from scratch, or you can
clone and modify an existing system or user-defined report.
Creating a New Report
1. Log in to your Supervisor node.
2. Go to CMDB > CMDB Reports.
3. Create a group to add the new report to if you are not adding it to an existing group.
4. Click New.
5. Enter a Name and Description for the report.
6. Select the Conditions for the report.
You can use parentheses to give higher precedence to evaluation conditions.
7. Select the Display Columns.
The Display Column attributes contain an implicit "group by" command. You can change the order of the columns
with the Move Row: Up and Down buttons.
8. Click Save.
Cloning and Modifying a Report
You can modify user-defined reports by selecting the report and clicking Edit. However, you cannot directly edit a
system-defined report. Instead, you have to clone it, then save it as a new report and modify it.
1. Log in to your Supervisor node.
2. Go to CMDB > CMDB Reports.
3. Select the system-defined report you want to modify, and then click Clone.
4. Enter a name for the new report, and then click Save.
The cloned report will be added to the folder of the original report.
5. Select the new report, and then click Edit.
6. Edit the report, and then click Save.
Importing and Exporting CMDB Report Definitions
Instead of using the user interface to define a report, you can import report definitions, or you can export a
definition, modify it, and import it back into your FortiSIEM virtual appliance. Report definitions follow an XML
schema.
Importing a Report Definition
1. Log in to your Supervisor node.
2. Go to CMDB > CMDB Reports.
3. Select the folder where you want to import the report definition, or create a new one.
4. Click Import.
5. Copy your report definition into the text field, and then click Import.
Exporting a Report Definition
1. Log in to your Supervisor node.
2. Go to CMDB > CMDB Reports.
3. Select the report you want to export, and then click Export.
4. Click Copy to Clipboard.
5. Paste the report definition into a text editor, modify it, and then follow the instructions for importing it back into
your virtual appliance.
XML Schema for Report Definitions
The XML schema for the report definition is:
<cmdbReports><cmdbReport><name></name><naturalid></naturalid><description></description><selectCla
This is an example for the Active Rules report:
<cmdbReports>
  <cmdbReport>
    <name>Active Rules</name>
    <naturalId>PH_CMDB_Report_Overall_8</naturalId>
    <target>com.ph.phoenix.model.query.Rule</target>
    <description>This report captures active rules on a per organization basis</description>
    <selectClause>ph_drq_rule.ph_incident_category,ph_drq_rule.name,ph_sys_domain.name</selectClause>
    <orderByClause>ph_drq_rule.ph_incident_category ASC</orderByClause>
    <whereClause>ph_drq_rule.active = true</whereClause>
  </cmdbReport>
</cmdbReports>
Importing a CMDB Report Definition
1. Go to the Report listing page and select the CMDB Report folder where the report is to be imported.
2. Click Import and paste the report into the window.
3. Click Import; the report appears in the correct folder.
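Because report definitions are exported, edited by hand and pasted back, it is worth checking them before import. The script below is an added example, not FortiSIEM code: it builds the Active Rules definition shown above with the same element layout and validates a definition for well-formedness, the expected elements, and a heuristic cross-check between the selectClause and whereClause table prefixes. The set of required and allowed elements is inferred from the exported example and the truncated schema line, not from a published schema, and the prefix check is this example's own heuristic.

```python
"""Build and validate FortiSIEM CMDB report definitions as XML.

Added example, not FortiSIEM code. It reproduces the element layout of the exported
Active Rules definition (cmdbReports/cmdbReport with name, naturalId, target,
description, selectClause, orderByClause, whereClause) so definitions kept in version
control can be checked before they are pasted into the Import dialog. Which elements
are required, and the prefix cross-check, are assumptions of this example.
"""
import xml.etree.ElementTree as ET

REQUIRED = ("name", "naturalId", "target", "selectClause")
# Only the elements seen in the exported example are accepted.
ALLOWED = REQUIRED + ("description", "orderByClause", "whereClause")


def build_report(name, natural_id, target, select, description="", order_by="", where=""):
    """Return the XML text for one report definition wrapped in <cmdbReports>."""
    root = ET.Element("cmdbReports")
    rep = ET.SubElement(root, "cmdbReport")
    fields = [("name", name), ("naturalId", natural_id), ("target", target),
              ("description", description), ("selectClause", select),
              ("orderByClause", order_by), ("whereClause", where)]
    for tag, value in fields:
        if value:                      # empty optional clauses are simply omitted
            ET.SubElement(rep, tag).text = value
    return ET.tostring(root, encoding="unicode")


def validate_report_xml(xml_text):
    """Return a list of problems; an empty list means the definition looks importable.

    Checks: well-formed XML, expected root and child elements, required elements
    present and non-empty, no unknown elements, and (heuristic) that every table
    prefix used in the whereClause also appears in the selectClause, which catches a
    clause pasted in from a report with a different target.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        return [f"not well-formed: {e}"]
    if root.tag != "cmdbReports":
        return [f"root element is <{root.tag}>, expected <cmdbReports>"]
    problems = []
    reports = root.findall("cmdbReport")
    if not reports:
        problems.append("no <cmdbReport> element")
    for i, rep in enumerate(reports):
        for child in rep:
            if child.tag not in ALLOWED:
                problems.append(f"report {i}: unknown element <{child.tag}>")
        for tag in REQUIRED:
            el = rep.find(tag)
            if el is None or not (el.text or "").strip():
                problems.append(f"report {i}: missing or empty <{tag}>")
        select = rep.findtext("selectClause") or ""
        prefixes = {c.strip().split(".")[0] for c in select.split(",") if "." in c}
        where = rep.findtext("whereClause") or ""
        for token in where.replace("=", " ").split():
            if "." in token and token.split(".")[0] not in prefixes:
                problems.append(f"report {i}: whereClause references "
                                f"{token.split('.')[0]} which is not selected")
    return problems


# The Active Rules definition from the guide, rebuilt programmatically.
ACTIVE_RULES = build_report(
    name="Active Rules",
    natural_id="PH_CMDB_Report_Overall_8",
    target="com.ph.phoenix.model.query.Rule",
    description="This report captures active rules on a per organization basis",
    select="ph_drq_rule.ph_incident_category,ph_drq_rule.name,ph_sys_domain.name",
    order_by="ph_drq_rule.ph_incident_category ASC",
    where="ph_drq_rule.active = true",
)

if __name__ == "__main__":
    print(ACTIVE_RULES)
    print("problems:", validate_report_xml(ACTIVE_RULES))
```

Treat the prefix check as a warning rather than a hard failure: a definition may legitimately filter on a joined table that is not in the select list, but on an edited export that is usually a paste error.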
Exporting a CMDB Report Definition
1. Go to the Report listing page.
2. Select a CMDB Report and click Export.
3. Click "Copy to clipboard" and paste it into a file. Click Close when done.
Creating Event Database Archives
- Online v. Offline Storage
- Setting Purge and Archive Policies
- Archive and Purge Alerts
Online v. Offline Storage
The FortiSIEM event database, eventDB, is for near-to-intermediate term storage and querying of events. As an
online database, eventDB has fast query performance, but this performance comes with a limited storage
capacity, and is expensive in terms of resource consumption. For these reasons, data needs to be periodically
purged from eventDB and moved into offline storage, while still being available for querying for forensic analysis.
FortiSIEM checks the capacity of the online EventDB storage every 30 minutes, and when it approaches capacity,
begins to move event information, in daily increments, into the offline storage location.
The FortiSIEM virtual appliance includes a data archiving function that enables you to define an offline storage
location, and a policy for the number of days that events will be kept in online or offline storage. This archiving
function also lets compliance auditors validate logs to ensure that they have not been tampered with in the
offline storage. The data is hashed with SHA-256 at the point of entry, and the checksums are stored in the
database. The checksums can be re-verified on demand at any point in time, and if the data has been tampered
with, the checksums will not match. The data integrity reports can be exported in PDF format. If the events in
offline storage need to be queried at some point in the future, they can be restored to the FortiSIEM virtual
appliance.
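The following script is an added example, not FortiSIEM code, showing the integrity pattern this section describes: hash each archived file at the point it enters the archive, keep the digests somewhere else, and re-hash on demand to detect tampering or deletion. The one-file-per-day layout, the JSON manifest standing in for the checksum store, and the file contents are all constructed for this example.

```python
"""Checksum-at-ingest and re-verify-on-demand for archived event files.

Added example, not FortiSIEM code. The guide says event data is hashed with SHA-256
when it enters the system, the checksums are stored in the database, and an auditor
can re-verify them later. This reproduces that pattern against a directory of daily
archive files, using a JSON manifest as the stand-in for the checksum store. The
archive layout (one file per day) and the file contents are constructed here.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(archive_dir):
    """Record the digest of every file at archive time (the 'point of entry')."""
    manifest = {}
    for name in sorted(os.listdir(archive_dir)):
        path = os.path.join(archive_dir, name)
        if os.path.isfile(path):
            manifest[name] = sha256_file(path)
    return manifest


def verify_manifest(archive_dir, manifest):
    """Re-hash each archived file and compare with the stored digest.

    Returns name -> "ok" | "tampered" | "missing"; files present on disk but absent
    from the manifest are reported as "unexpected", since anyone who can write to the
    archive could also plant fabricated history there.
    """
    result = {}
    for name, expected in manifest.items():
        path = os.path.join(archive_dir, name)
        if not os.path.isfile(path):
            result[name] = "missing"
        elif sha256_file(path) != expected:
            result[name] = "tampered"
        else:
            result[name] = "ok"
    for name in os.listdir(archive_dir):
        if name not in manifest and os.path.isfile(os.path.join(archive_dir, name)):
            result[name] = "unexpected"
    return result


def demo():
    """Create a three-day archive, record digests, tamper with one day, delete another, plant a file, verify."""
    with tempfile.TemporaryDirectory() as d:
        for day in ("2017-05-29", "2017-05-30", "2017-05-31"):
            with open(os.path.join(d, f"events-{day}.log"), "w") as f:
                f.write(f"{day}T00:00:01Z reportingIP=10.1.1.1 cpuUtil=12\n")   # constructed event line
        manifest = build_manifest(d)
        stored = json.dumps(manifest)              # what would live in the database

        # Tamper: append an event to one day; delete another day; plant a new file.
        with open(os.path.join(d, "events-2017-05-30.log"), "a") as f:
            f.write("2017-05-30T23:59:59Z reportingIP=10.1.1.1 cpuUtil=1\n")
        os.remove(os.path.join(d, "events-2017-05-31.log"))
        with open(os.path.join(d, "events-2017-06-01.log"), "w") as f:
            f.write("planted\n")

        return verify_manifest(d, json.loads(stored))


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10s} {name}")
```

An unkeyed hash gives tamper evidence only as long as the checksum store is out of reach of whoever can write to the archive; if both live behind the same credentials, an attacker simply recomputes the digests. Keep the stored checksums (or the exported integrity report) on separately controlled storage, or use a keyed construction, when the archive has to stand up to an insider.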
Checking Online and Offline Storage Consumption
You can check the amount of storage required for both your online data and your offline archive under the Event
DB Management > Data Manager tab.
Setting Purge and Archive Policies
Online data is only moved to the archive location when online storage reaches capacity. When you set the archive
policy as described in Setting Up an Event Data Archive and Archive Policy, you are setting the amount of time
that archived data will be retained before it is purged. For example, if you set the Data Management Policy for
your deployment or an organization to 90 days, then maintenance will run every day to purge data that is over 90
days old. If there is not enough offline storage for 90 days, then archived events will be purged from offline
storage to create more capacity. If there is enough storage for the 90 days, then events will only be purged after
90 days. For this reason it is very important that you set an archive location that has sufficient capacity to store
the amount of data for the number of days that you specify.
For Service Provider deployments, you can set archive policies for each organization. If one organization requires
30 days of storage, and another customer requires 90 days of storage, then FortiSIEM will attempt to enforce
these policies in relation to the amount of storage available. For the first organization, events will be deleted from
the archive storage location on the 31st day to free up capacity for the organization that has longer storage
requirements.
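The simulation below is an added example, not FortiSIEM code. It models the two purge mechanisms this section describes, the per-organization retention policy applied by the daily maintenance run and the capacity-driven purge of the oldest daily increments whenever free space in the archive drops under the 20GB headroom, and shows what happens to each organization's effective retention when the destination is undersized. Daily volumes, retention periods and capacities are constructed; the exact order in which FortiSIEM purges across organizations is an assumption (oldest day first, regardless of organization).

```python
"""Simulate offline-archive retention and capacity-driven purging.

Added example, not FortiSIEM code. Each organization has a retention period in days;
data older than that is purged by the daily maintenance run; and when the archive's
free space drops below a 20 GB headroom the oldest daily increments are purged
regardless of policy. All numbers are constructed for this example.
"""
from collections import OrderedDict

HEADROOM_GB = 20.0


def simulate(days, capacity_gb, orgs, headroom_gb=HEADROOM_GB):
    """Run `days` daily cycles.

    orgs: {org_name: (retention_days, daily_volume_gb)}
    Returns {org_name: (policy_days, effective_days_at_end, policy_purges, capacity_purges)}.
    """
    archive = OrderedDict()      # (day, org) -> size_gb; insertion order == age order
    purged = {o: {"policy": 0, "capacity": 0} for o in orgs}
    for day in range(days):
        # 1. today's events land in the archive
        for org, (_, daily_gb) in orgs.items():
            archive[(day, org)] = daily_gb
        # 2. daily maintenance: per-organization retention policy
        for (d, org) in list(archive):
            if day - d >= orgs[org][0]:
                del archive[(d, org)]
                purged[org]["policy"] += 1
        # 3. capacity check: keep the headroom by purging the oldest day first
        while archive and capacity_gb - sum(archive.values()) < headroom_gb:
            (_, org), _ = archive.popitem(last=False)
            purged[org]["capacity"] += 1
    last = days - 1
    report = {}
    for org, (retention, _) in orgs.items():
        held = [d for (d, o) in archive if o == org]
        effective = last - min(held) + 1 if held else 0
        report[org] = (retention, effective, purged[org]["policy"], purged[org]["capacity"])
    return report


def required_capacity_gb(orgs, headroom_gb=HEADROOM_GB):
    """Sizing rule from the guide: retention x daily volume for every organization, plus headroom."""
    return sum(r * v for r, v in orgs.values()) + headroom_gb


if __name__ == "__main__":
    tenants = {"org-a": (30, 2.0), "org-b": (90, 1.0)}   # constructed: 30 days at 2 GB/day, 90 days at 1 GB/day
    print("capacity needed:", required_capacity_gb(tenants), "GB")
    for cap in (required_capacity_gb(tenants), 100.0):
        print(cap, simulate(120, cap, tenants))
```

With the archive sized by the rule above, both tenants end the run with exactly their policy retention and no capacity purges. At 100GB the capacity purge takes over: because it removes the oldest data first, it is the 90-day tenant's history that is cut, which is precisely the data a long retention requirement exists to keep. Nothing in the policy itself warns about this; only the "Event Archive purged because it is full" alert does.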
As with the online EventDB data, every 30 minutes FortiSIEM will check the capacity of the offline archive
storage, and when the remaining storage capacity reaches a 20GB threshold, it will begin to purge data from the
archive location, beginning with the oldest data, and purging it in daily increments, until the remaining storage
capacity is above 20GB.
Archive and Purge Alerts
There are several system alerts that are related to eventDB capacity and the archiving function:
Alert: Online event database close to full (below 20GB)
Description: When the database reaches a point where the remaining storage capacity is below 20GB, its contents will be purged or archived, depending on whether an archive storage location has been defined.
Alert: Event Archive started
Description: The archive process has been initiated.
Alert: Event Archive failed
Description: The archive process has failed, likely due to a lack of capacity in the offline storage location.
Alert: Event Archive purged because of archive purging policy
Description: The contents of the event archive have been purged from offline storage according to the archive purging policy.
Alert: Event Archive purged because it is full
Description: The contents of the event archive have been purged from offline storage due to capacity issues.
Related links
- Setting Up an Event Data Archive and Archive Policy
- Restoring Archived Data
- Validating Log Integrity
Managing Event Data Archive
- Prerequisites
- Creating Archive Destination
- Creating Offline (Archive) Retention Policy
Prerequisites
- Make sure you read the section on Setting Archive and Purge Policies in the topic Creating Event Database
Archives before you set up your policy. It is very important that you understand how FortiSIEM moves data into the
archive, and purges archived data when the archive destination storage reaches capacity, before you create your
policy.
- Make sure that your Archive Destination has sufficient storage for your event data + 20GB. When the free space in
the archive storage drops to 20GB, FortiSIEM will begin to purge archived data, in daily increments, starting with the
oldest data, to maintain a 20GB overhead.
Creating Archive Destination
1. Log in to your Supervisor node.
2. Go to Admin > Event DB Management.
3. Click Retention Policy.
4. For Archive Destination, enter the full path of the file system directory where you want your event data to be
archived, and then click Apply.
Offline Storage Capacity for Multi-Tenant Deployments
Note that all organizations will share the same Archive Destination. For this reason, you should make
sure that the archive destination has enough capacity to hold the event data for both the number of
organizations and the archive retention period that you set for each. If the archive destination does not
have enough storage capacity, the archive operation may fail.
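The purge described above starts on its own once free space on the Archive Destination reaches 20GB. The
following check, added here as an example and not part of the FortiSIEM guide, reports free space on the archive
filesystem and raises a warning before that point is reached, so it can be run from cron or a monitoring agent on the
host that mounts the archive. The 20GB figure is the guide's; the warning margin, the function names, and the
ARCHIVE_DIR placeholder are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not from the FortiSIEM guide: warn before the 20GB free-space
# threshold at which FortiSIEM starts purging the oldest archived days.
# PURGE_THRESHOLD_GB is the value stated in the guide; WARN_MARGIN_GB and the
# function names are assumptions made for this example.

PURGE_THRESHOLD_GB=20       # FortiSIEM purges when free space drops to this
WARN_MARGIN_GB=50           # assumption: warn this many GB before the threshold

# archive_free_gb DIR -> prints free space on DIR's filesystem in whole GB.
# df -Pk prints 1K blocks in the POSIX layout, where column 4 is "Available".
archive_free_gb() {
    df -Pk "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1048576 }'
}

# archive_headroom_ok DIR MIN_GB -> 0 when at least MIN_GB is free, 1 otherwise,
# 2 when DIR cannot be measured.
archive_headroom_ok() {
    free=$(archive_free_gb "$1") && [ -n "$free" ] || return 2
    [ "$free" -ge "$2" ]
}

# check_archive DIR -> 0 OK, 1 warning, 2 critical (Nagios-style exit codes),
# with a one-line message describing the state.
check_archive() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "CRITICAL: archive destination $dir is missing" >&2
        return 2
    fi
    free=$(archive_free_gb "$dir")
    if [ "$free" -le "$PURGE_THRESHOLD_GB" ]; then
        echo "CRITICAL: $free GB free on $dir; FortiSIEM is purging the oldest archived days" >&2
        return 2
    elif [ "$free" -lt $((PURGE_THRESHOLD_GB + WARN_MARGIN_GB)) ]; then
        echo "WARNING: $free GB free on $dir, within $WARN_MARGIN_GB GB of the purge threshold" >&2
        return 1
    fi
    echo "OK: $free GB free on $dir"
    return 0
}

# Example invocation; ARCHIVE_DIR is a placeholder for your configured path:
# ARCHIVE_DIR=/archive/fortisiem; check_archive "$ARCHIVE_DIR"
```

Run it where the Archive Destination is mounted. A missing directory is reported as critical on purpose: if the
mount has gone away, FortiSIEM's next archive run will fail rather than write to an empty directory on the root disk.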
Creating Offline (Archive) Retention Policy
This enables you to control which customers' data stays in the event data archive and for how long.
1. Log in to your Supervisor node.
2. Go to Admin > Event DB Management.
3. Click Retention Policy.
4. Under Offline Retention Policies, click New.
5. For multi-tenant installations, select the Organization for which this policy will apply.
6. For Time Period, enter the number of days that event data should be held in the offline storage before it is
purged.
7. Click Save.
Managing Online Event Data
Creating Online Event Retention Policy
This enables you to control the content of online event data.
1. Log in to your Supervisor node.
2. Go to Admin > Event DB Management.
3. Click Retention Policy.
4. Under Online Retention Policies, click Add.
5. Enter the following information:
a. Enabled - Check this box if the policy has to be enforced right away.
b. Organizations - Choose the organizations for which the policy has to be applied (for Service Provider
installs).
c. Reporting Devices - Choose the reporting devices relevant to this policy.
d. Event Type - Choose the event types or event type groups.
e. Time period - Enter the number of days that event data specified by the conditions (Organizations,
Reporting Devices and Event Type) should be held in the online storage before it is moved to archive or
purged.
f. Description - Enter a description for the policy.
6. Click Save.
Viewing Online Event Data Usage
This enables you to see a summarized view of online event data. These views enable you to manage storage
more effectively by writing appropriate event dropping policies or online event retention policies.
• Calendar View - This view shows you how much storage is used by each organization on a day by day basis.
• Top (Event Type, Reporting Device) View - This view shows you the top (Event Type, Reporting Device) tuples
consuming the most storage for each organization on a month-by-month basis.
Restoring Archived Data
Once your event data has been moved to an offline archive, you can no longer query that data from within
FortiSIEM. However, you can restore it to your virtual appliance, and then proceed with any queries or analysis.
1. Log in to your Supervisor node.
2. Go to Admin > Event DB Management > Data Manager.
3. Under Reserved Restore Space (GB), enter the amount of storage space that will be reserved for the restored
data. This should be equal to or larger than the size of the archive to be restored.
4. Under Archived Data, select the archive that you want to restore.
5. Click Restore.
The archive data will be moved to the restore space and can be queried in the usual ways.
Validating Log Integrity
Security auditors can validate that archived event data has not been tampered with by using the Event Integrity
function of Event DB Management. Because FortiSIEM itself stores the checksums it compares against, this check
does not defend against someone who can alter both a log file and its stored checksum; keep an independent copy
of the checksums if you need that assurance.
1. Log in to your Supervisor node.
2. Go to Admin > Event DB Management > Event Integrity.
3. Select the Begin Time and End Time for the time period during which log integrity needs to be validated.
4. Click Show. You will see a table of all the logs that are available for the specified time period.
5. Use Validation Status to filter the types of logs you want to validate.
6. Select the log you want to validate, and click Validate.
A table showing the validation status of logs will be displayed.

Column: Start Time
Description: The earliest time of the messages in this file. The file does not contain messages that were
received by FortiSIEM before this time.

Column: End Time
Description: The latest time of the messages in this file. The file does not contain messages that were received
by FortiSIEM after this time.

Column: Category
Description:
• Internal: these messages were generated by FortiSIEM for its own use. This includes FortiSIEM system logs
and monitoring events such as the ones that begin with PH_DEV_MON.
• External: these messages were received by FortiSIEM from an external system.
• Incident: these correspond to incidents generated by FortiSIEM.

Column: File Name
Description: The name of the log file.

Column: Event Count
Description: The number of events in the file.

Column: Checksum Algorithm
Description: The checksum algorithm used for computing message integrity.

Column: Message Checksum
Description: The value of the checksum.

Column: Validation Status
Description:
• Not Validated: the event integrity has not been validated yet.
• Successful: the event integrity has been validated and the return was success. This means that the logs in
this file were not altered.
• Failed: the event integrity has been validated and the return was failed. This means that the logs in this file
were altered. Treat a Failed file as an incident in its own right and preserve it before anything else touches it.

Column: File Location
Description:
• Archived: the events in this file were archived to offline storage.
• Local: local to the Supervisor node.
• External: external to the Supervisor node, for example on NFS storage.
7. Click Export to create a PDF version of the validation results.
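An auditor who wants a check that does not depend on FortiSIEM's stored checksums can keep a manifest of the
archived files on a system the archive writer cannot reach. The functions below are an added example, not part of
the FortiSIEM guide: they record a SHA-256 per file under an archive directory, verify the directory against that
record later, and list files that appeared after the manifest was taken. SHA-256 via sha256sum is this example's
choice (the guide does not state which algorithm FortiSIEM uses), the function names are made up, and the archive
is assumed to be plain files below one directory, with no newlines in file names.

```sh
#!/bin/sh
# Added example, not from the FortiSIEM guide: an independent SHA-256 manifest
# of the files in an archive directory, verified outside FortiSIEM.
# Assumptions: sha256sum is available; the archive is a tree of plain files;
# file names contain no newlines or backslashes.

# abs_path PATH -> absolute form of PATH, so it survives a cd into the archive
abs_path() {
    case $1 in /*) printf '%s\n' "$1" ;; *) printf '%s/%s\n' "$PWD" "$1" ;; esac
}

# make_manifest DIR MANIFEST -> writes "<sha256>  ./relative/path" lines to
# MANIFEST, one per file, in a stable order. Store MANIFEST where the archive
# writer cannot modify it (another host, or write-once storage); otherwise an
# attacker who can rewrite a log can rewrite its checksum too.
make_manifest() {
    dir=$1; manifest=$(abs_path "$2")
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done ) > "$manifest"
}

# verify_manifest DIR MANIFEST -> 0 if every listed file is present and
# matches, non-zero otherwise. sha256sum -c prints one line per file, so
# altered or missing files show as FAILED.
verify_manifest() {
    dir=$1; manifest=$(abs_path "$2")
    ( cd "$dir" && sha256sum -c "$manifest" )
}

# unlisted_files DIR MANIFEST -> prints files under DIR that the manifest does
# not cover. sha256sum -c only looks at listed files, so a file planted after
# the manifest was taken must be found this way. The manifest line layout is
# 64 hex characters, two spaces, then the path, so the path starts at column 67.
unlisted_files() {
    dir=$1; manifest=$(abs_path "$2")
    ( cd "$dir" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
        awk -v f="$f" 'substr($0, 67) == f { found = 1 } END { exit found ? 0 : 1 }' "$manifest" \
            || printf '%s\n' "$f"
    done
}

# Example (paths are placeholders):
# make_manifest /archive/fortisiem /var/audit/archive-2017-05.sha256
# verify_manifest /archive/fortisiem /var/audit/archive-2017-05.sha256 && \
#     [ -z "$(unlisted_files /archive/fortisiem /var/audit/archive-2017-05.sha256)" ]
```

Take the manifest right after an archive run completes and before the archive is exposed to anyone else; a
manifest taken later only proves that nothing changed after that later point.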
Integrating with External CMDB and Helpdesk Systems
Topics in this section include:
• FortiSIEM Integration Framework Overview
• Creating Outbound Policies for Exporting CMDB Devices to External Helpdesk Systems
• Creating Outbound Policies for Creating Tickets in External Helpdesk Systems
• Creating Inbound Policies for Updating Ticket Status from External Ticketing Systems
• Creating Inbound Policies for Importing Devices from an External System
• Searching for Tickets from or to External Systems
• Setting Schedules for Receiving Information from External Systems
• Using the FortiSIEM API to Integrate with External Systems
• Exporting Events to External Systems via Kafka
FortiSIEM Integration Framework Overview
The FortiSIEM integration framework provides a way for you to create two-way linkages between FortiSIEM and
workflow-based help desk systems such as ServiceNow and ConnectWise, as well as external CMDBs.
The integration framework is based on creating policies for inbound and outbound communications with other
systems, including sharing of incident and ticket information, and CMDB updates. Support is provided for creating
policies to work with selected vendor systems, while the integration API lets you build modules to integrate with
proprietary and other systems. Once you've created your integration policies, you can set them to execute once
on a defined date and time, or on a regular schedule.
External Helpdesk System Integration
Creating Inbound Policies for Updating Ticket Status from External Ticketing Systems
Once a ticket has been opened in an external ticketing system, the status of the ticket is maintained in the
external system. This section shows how to synchronize the external ticket status back into FortiSIEM.
FortiSIEM has out of the box support for ServiceNow, ConnectWise and Salesforce. For other vendors, you need
to build support using the FortiSIEM Service API as specified in "Populating custom CMDB or extending current
integration".
• Creating an integration policy
• Updating FortiSIEM external ticket state and incident status automatically on a schedule
• Populating custom CMDB or extending current integration

Creating an integration policy
Create an integration policy for updating FortiSIEM external ticket state and incident status.
1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to Admin > General Settings > Integration.
3. Click Add.
4. For Type, select Incident.
5. For Direction, select Inbound.
6. For Vendor, select the vendor of the system you want to connect to. ServiceNow and ConnectWise are supported
out of the box.
When you select the Vendor:
a. An Instance is created - this is the unique name for this policy. If you had 2 ServiceNow or ConnectWise
installations, each would have a different Instance name. You can change this instance name.
b. A default Plugin Name is populated - this is the Java code that implements the integration, including
connecting to the external help desk system and creating/updating the ticket. The plugin name is
automatically populated for ServiceNow and ConnectWise. For other vendors, you have to create your
own plugin and type in the plugin name here.
7. For Host/URL, enter the host name or URL of the external system.
8. For User Name and Password, enter a user name and password that the system can use to authenticate with
the external system. FortiSIEM stores this password, so use a dedicated account for the integration and give it
only the access the policy needs; an inbound status sync should only need to read ticket state, not to administer
the help desk.
9. Enter the Time Window - the external ticket state for tickets closed in the external help desk/workflow system
during the time window specified here will be synced back.
10. Click Save.

Updating FortiSIEM external ticket state and incident status automatically on a schedule
1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to Admin > General Settings > Integration.
3. Click Schedule and then click +.
a. Select the integration policy.
b. Select a schedule.
The following fields in the FortiSIEM incident are updated:
• External Ticket State
• Ticket State
• External Cleared Time
• External Resolve Time
Populating custom CMDB or extending current integration
Create a new plugin by following instructions in the FortiSIEM ServiceAPI.
Creating Outbound Policies for Exporting CMDB Devices to External Helpdesk Systems
You can populate an external CMDB from the FortiSIEM CMDB. Currently, ServiceNow CMDB population is natively
supported. For other CMDBs, you need to write a Java class and add some mapping files.
FortiSIEM has out of the box support for ServiceNow, ConnectWise and Salesforce. For other vendors, you need
to build support using the FortiSIEM Service API as specified in "Populating custom CMDB or extending current
integration".
• Prerequisites
• Procedure
• Populating custom CMDB or extending current integration

Prerequisites
• Make sure you have the URL and the credentials for connecting to the external help desk system. The credentials
must have sufficient permission to make changes to the CMDB. Use a dedicated service account whose write
access is limited to the CMDB records this policy maintains, not a help desk administrator account: FortiSIEM
stores the password, and the policy writes into the external system on every run.

Procedure
Creating an integration policy
1. Log into your Supervisor node with administrator credentials.
2. Go to Admin > General Settings > Integration.
3. Click Add.
4. For Type, select Device.
5. For Direction, select Outbound.
6. For Vendor, select the vendor of the system you want to connect to. ServiceNow is supported out of the box.
When you select the Vendor:
a. An Instance is created - this is the unique name for this policy. For example, if you had 2 ServiceNow
installations, each would have a different Instance name.
b. A default Plugin Name is populated - this is the Java code that implements the integration, including
connecting to the external help desk system and syncing the CMDB elements. The plugin is
automatically populated for ServiceNow and ConnectWise. For other vendors, you have to create your
own plugin and type in the plugin name here.
7. For Host/URL, enter the host name or URL of the external system.
8. For User Name and Password, enter a user name and password that the system can use to authenticate with
the external system.
9. Enter the Maximum number of devices to send to the external system.
10. For Org Mapping, click Edit to create mappings between the organizations in your FortiSIEM deployment and
the names of the organizations in the external system.
11. For ConnectWise, it is possible to define a Content Mapping:
a. Enter Column Mapping:
1. To add a new mapping, click the + button.
2. Choose a FortiSIEM CMDB attribute as the Source Column.
3. Enter the external (ConnectWise) attribute as the Destination Column.
4. Specify Default Mapped Value as the value assigned to the Destination Column if the value of the
Source Column is not found in the Data Mapping definitions.
5. Select Put to a Question if the Destination Column is a custom column in ConnectWise.
b. Enter Data Mapping:
1. Choose the (Destination) Column Name.
2. Enter From as the value in FortiSIEM.
3. Enter To as the value in ConnectWise.
12. For Groups, click Edit if you want the policy to only apply to a specific group of CMDB devices.
13. Select Run after Discovery if you want this export to take place after you have run discovery in your system. This
is the only way to push automatic changes from FortiSIEM to the external system.
14. Click Save.

Updating external CMDB automatically after FortiSIEM discovery
1. Create an integration policy.
2. Make sure Run after Discovery is checked.
3. Click Save.

Updating external CMDB automatically on a schedule
1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to Admin > General Settings > Integration.
3. Click Schedule and then click +.
a. Select the integration policies.
b. Select a schedule.

Updating external CMDB on-demand (one-time)
1. Log into your FortiSIEM Supervisor with administrator credentials.
2. Go to Admin > General Settings > Integration.
3. Select a specific integration policy and click Run.

Populating custom CMDB or extending current integration
Create a new plugin by following the instructions in the FortiSIEM ServiceAPI. The document is available at the
FortiSIEM support portal under the FortiSIEM ServiceAPI section.
Searching for Tickets from or to External Systems
External Help desk / CMDB Integration
FortiSIEM has inbuilt support for ServiceNow and ConnectWise for CMDB and 2-way incident integration.
Other systems can be supported by creating a new Java plug-in following instructions in the FortiSIEM Service
API. The document is available under FortiSIEM Service API section.
Creating Inbound Policies for Importing Devices from an External System
You can import the contents of other help desk and external system device databases into the FortiSIEM CMDB.
• Prerequisites
• Procedure

Prerequisites
• You will need to have created a CSV file mapping the contents of the external database, at a location on your
FortiSIEM Supervisor, which will be periodically updated based on the schedule you set. See Creating the CSV File
for Importing Devices from External Systems for more information. The import trusts whatever is in this file, so
restrict write access to it to the process that produces it: anyone who can edit the file can change device
attributes in the CMDB on the next scheduled run.

Procedure
1. Log into your Supervisor node with administrator credentials.
2. Go to Admin > General Settings > Integration.
3. Click Add.
4. For Type, select Device.
5. For Direction, select Inbound.
6. Select the Vendor of the external system you want to connect to.
7. Enter the File Path to the CSV file.
8. For Column Mapping, click + and enter the mapping between columns in the Source CSV file and the
Destination CMDB.
For example, if the source CSV has a column IP, and you want to map that to the column Device IP in the
CMDB, you would enter IP for Source Column, and select Device IP for Destination Column.
Creating Custom Properties
You also have the option to create a property for devices in the destination CMDB if it doesn't already
exist, and to overwrite the values of entries in the CMDB for that property if it does.
a. Select Create a New Property if it Doesn't Exist.
b. Enter a name for the Destination Column of the property in the CMDB.
c. Select a Property type.
d. Enter the Display Name for the property.
e. Select Overwrite Existing Value if the property exists in the CMDB, but you want to overwrite its
current value.
You can view and edit any custom properties you create by going to Admin > Device Support >
Custom Properties.
9. When you are finished creating column mappings, click OK.
10. For Data Mapping, click + and enter the mapping between data values in the external system and the destination
CMDB.
For example, if you wanted to change all instances of California in the entries for the State attribute in the
external system to CA in the destination CMDB, you would select the State attribute, enter California for From,
and CA for To.
11. When you are done creating your data mappings, click OK.
12. Click Save.
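Since the scheduled import reads the CSV as-is, it is worth rejecting a bad file before the policy runs rather than
cleaning up the CMDB afterwards. The function below is an added example, not part of the FortiSIEM guide: it
checks that the column you will map (the guide's example is IP, mapped to Device IP) exists, that every row carries
a well-formed IPv4 address in it, and that no address appears twice, since two rows for one address would both
land on the same CMDB device. The flat comma-separated layout with a header row and no quoted commas, the
function name, and the choice of checks are this example's assumptions.

```sh
#!/bin/sh
# Added example, not from the FortiSIEM guide: sanity-check an import CSV
# before an inbound Device policy reads it. Assumes a header row, comma
# separation with no quoted commas, and one IPv4 address per row in IPCOL.

# check_import_csv FILE IPCOL -> prints one line per problem; returns 0 when the
# file is clean, 1 when any row is rejected, 2 when the header lacks IPCOL.
check_import_csv() {
    awk -F, -v ipcol="$2" '
        NR == 1 {
            for (i = 1; i <= NF; i++) if ($i == ipcol) col = i
            if (!col) { print "header has no column named " ipcol; rc = 2; exit }
            next
        }
        {
            ip = $col
            sub(/^[ \t]+/, "", ip); sub(/[ \t]+$/, "", ip)
            # dotted quad: exactly four decimal octets, each 0-255
            ok = (split(ip, o, ".") == 4)
            for (j = 1; ok && j <= 4; j++)
                if (o[j] !~ /^[0-9]+$/ || length(o[j]) > 3 || o[j] + 0 > 255) ok = 0
            if (!ok) { print "line " NR ": invalid " ipcol " value \"" ip "\""; rc = 1 }
            else if (seen[ip]++) { print "line " NR ": duplicate " ipcol " " ip; rc = 1 }
        }
        END { exit rc }
    ' "$1"
}

# Example (path is a placeholder):
# check_import_csv /data/import/devices.csv IP || echo "fix the file before the next scheduled import"
```

Run it from the same job that writes the CSV, and have the job withhold the file (or leave the previous good copy
in place) when the check fails, so the policy never picks up a half-written or malformed export.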
Setting Schedules for Receiving Information from External Systems
• Prerequisites
• Procedure
You can set schedules for when your inbound external integration policies will run and update your incidents or
CMDB.
Prerequisites
You should already have created an inbound policy for importing devices from an external system or an
inbound policy for receiving incidents.
Procedure
1. Log in to your Supervisor node.
2. Go to Admin > General Settings > Integration.
3. Click Schedule.
4. Click +.
5. Select the integration policy you want to create a schedule for, and use the arrow buttons to add it to the Selected
list.
6. Set the parameters for one-time, Hourly, Daily, Weekly, or Monthly scheduled updates.
7. Click OK.
Exporting Events to External Systems via Kafka
This section describes procedures for exporting FortiSIEM events to an external system via the Kafka message
bus.
Prerequisites
• Make sure you have set up a Kafka cluster with a specific Topic for FortiSIEM events.
• Make sure you have identified a set of Kafka brokers that FortiSIEM is going to send events to.
• Make sure you have configured Kafka receivers which can parse FortiSIEM events and store them in a database.
An example would be a Logstash receiver that can store them in an Elasticsearch database.
• Supported Kafka version: 0.8
Procedure
1. Go to Admin > General Settings > Kafka Configuration.
2. Select Enable Kafka.
3. Select a Topic.
4. Add Brokers by clicking the + icon.
• Enter the IP address or host name of the broker.
• Enter the Broker port (default 9092).
5. Click Save.
Note: Enter multiple broker addresses for redundancy. If one broker is not available, FortiSIEM will try the
next broker in the list. The full list of brokers does not need to be specified.
Note: This dialog takes only broker addresses and ports; it exposes no authentication or transport encryption
settings. Treat the link to the brokers and the topic itself as carrying your raw event data: keep the brokers on a
network path you control and limit which consumers may read the topic.
Backing Up and Restoring FortiSIEM Directories and Databases
• Backing Up and Restoring SVN
• Backing Up and Restoring the CMDB
• Backing Up and Restoring the Event Database
Backing Up and Restoring SVN
FortiSIEM uses an inbuilt SVN to store network device configuration and installed software versions.
Backup
The SVN files are stored in /data/svn. Copy the entire directory to another location. Use cp -a rather than cp -r so
that ownership, permissions and timestamps are preserved for the restore.
# cd /data
# cp -a svn /<another>/<mount>/<point>
Restore
Copy the entire svn directory back from the backup location so that it is again at /data/svn.
# cd /<another>/<mount>/<point>
# cp -a svn /data
Backing Up and Restoring the CMDB
The FortiSIEM Configuration Management Database (CMDB) contains discovered information about devices,
servers, networks and applications. You should create regular backups of the CMDB that you can use to restore it
in the event of database corruption.
Backup
The database files are stored in /data/cmdb/data. FortiSIEM automatically backs up this data twice daily, and the
backup files are stored in /data/archive/cmdb. To perform a backup, copy these files to another location. For
example:
[root@SaaS-Sup cmdb]# cd /data/archive/cmdb
[root@SaaS-Sup cmdb]# cp -p phoenixdb* /<another>/<mount>/<point>
If your /data disk is on an external NFS mount then your CMDB backup is already separate from the VM
infrastructure.
[root@SaaS-Sup cmdb]# pwd
/data/archive/cmdb
[root@SaaS-Sup cmdb]# ls -lt
total 1213952
-rw-rw-rw- 1 root root 95559457 Apr 20 03:02 phoenixdb_2011-04-20T03-00-01
-rw-rw-rw- 1 root root 93010144 Apr 19 13:04 phoenixdb_2011-04-19T13-00-02
-rw-rw-rw- 1 root root 91142941 Apr 19 03:02 phoenixdb_2011-04-19T03-00-01
-rw-rw-rw- 1 root root 89686080 Apr 18 13:03 phoenixdb_2011-04-18T13-00-02
Note that the dump files are created world-readable and world-writable (mode 666). The CMDB is the inventory of
everything FortiSIEM monitors, so restrict the permissions on the copies at the backup location.
Restore
If your database becomes corrupted, restore it from backup by performing these steps on your Supervisor node.
1. Stop all processes with this phTools command:
# phtools --stop all
2. Check that all processes have stopped.
# phstatus
These processes will continue to run, which is expected behavior:
phMonitor  1-01:55:17  0  992m   540m
Apache     1-01:56:45  0  236m   9720
AppSvr     1-01:56:35  0  3908m  758m
DBSvr      1-01:57:06  0  383m   6656
3. Copy the latest phoenixdb_<timestamp> file to a directory like /tmp on the Supervisor host.
4. Go to /opt/phoenix/deployment.
5. Run db_restore /tmp/phoenixdb_<timestamp>.
6. When this process completes, reboot the system.
# reboot
Backing Up and Restoring the Event Database
• Backup
• Restore
Backup
The event data is stored in /data/eventdb. Since this data can become very large over time, you should use a
program such as rsync to incrementally copy the data to another location. From version 4.2.1 the rsync program
is installed on FortiSIEM by default.
Use this command to back up the eventdb; --progress shows what is being transferred:
# rsync -a --progress /data/eventdb /<another>/<mount>/<point>
Restore
To restore the eventdb there are two options:
• Mount the directory where the event database was backed up.
• Copy the backup to the /data/eventdb directory.
These instructions are for copying the backup to the /data/eventdb directory.
1. Stop all running processes.
# phtools --stop all
2. Check that all processes have stopped.
# phstatus
You will see that these processes are still running, which is expected behavior.
phMonitor  1-01:55:17  0  992m   540m
Apache     1-01:56:45  0  236m   9720
AppSvr     1-01:56:35  0  3908m  758m
DBSvr      1-01:57:06  0  383m   6656
3. Copy the event DB to the event DB location /data/eventdb. The trailing /. on the source copies the contents of
the backup directory into /data/eventdb instead of creating /data/eventdb/eventdb. If you use the cp command
it may appear that the command has hung if there is a lot of data to copy.
# cp -a /backup/eventdb/. /data/eventdb/
Alternatively you can use rsync and display the progress.
# rsync -a --progress /backup/eventdb/ /data/eventdb/
4. Once complete, restart all processes.
# phtools --start all
Check that all processes have started.
# phstatus
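The three backups above are usually run together from one job. The script below is an added example, not part of
the FortiSIEM guide: it copies /data/svn, the newest phoenixdb_<timestamp> dump from /data/archive/cmdb and
/data/eventdb to a backup mount, and refuses to run when the destination is not actually a mounted filesystem,
because writing to an unmounted path would silently fill the Supervisor's own disk. The source paths are the guide's;
the destination layout, the rsync options, the function names and the example mount point are assumptions made
here.

```sh
#!/bin/sh
# Added example, not from the FortiSIEM guide: copy the SVN tree, the newest
# CMDB dump and the event database to a backup mount in one run.
# Source paths follow the guide; DEST layout and function names are assumptions.

SVN_DIR=/data/svn
CMDB_DUMP_DIR=/data/archive/cmdb
EVENTDB_DIR=/data/eventdb

# is_mountpoint DIR -> 0 if DIR is the root of a mounted filesystem.
# Compares df's "Mounted on" column with DIR's real path, so it needs no
# util-linux mountpoint(1) command.
is_mountpoint() {
    [ -d "$1" ] || return 1
    [ "$(df -P "$1" | awk 'NR == 2 { print $NF }')" = "$(cd "$1" && pwd -P)" ]
}

# latest_cmdb_backup DIR -> prints the newest phoenixdb_<timestamp> file name
# in DIR, or nothing if there is none. The timestamp is zero-padded and
# year-first, so a byte-wise sort is chronological.
latest_cmdb_backup() {
    ls -1 "$1" 2>/dev/null | grep '^phoenixdb_' | LC_ALL=C sort | tail -n 1
}

# backup_all DEST -> mirrors SVN and eventdb under DEST with rsync and copies
# the newest CMDB dump; returns non-zero on the first failure.
backup_all() {
    dest=$1
    is_mountpoint "$dest" || { echo "$dest is not a mounted filesystem" >&2; return 1; }
    latest=$(latest_cmdb_backup "$CMDB_DUMP_DIR")
    [ -n "$latest" ] || { echo "no phoenixdb_* dump in $CMDB_DUMP_DIR" >&2; return 1; }
    rsync -a "$SVN_DIR" "$dest/" || return 1             # -> DEST/svn
    mkdir -p "$dest/cmdb" || return 1
    cp -p "$CMDB_DUMP_DIR/$latest" "$dest/cmdb/" || return 1
    chmod 600 "$dest/cmdb/$latest"                       # dumps are created 0666; tighten the copy
    rsync -a "$EVENTDB_DIR" "$dest/" || return 1         # -> DEST/eventdb, incremental on reruns
}

# Example (mount point is a placeholder):
# backup_all /mnt/fsiem-backup
```

The eventdb rsync without --delete keeps days that FortiSIEM has since purged from /data/eventdb, so the backup
grows until you prune it; add --delete if you want the copy to mirror the live retention instead.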
Monitoring Operations with FortiSIEM
This chapter describes the following:
• Dashboards - Flash version
• Dashboards - HTML5 version
• Analytics
• Incidents - Flash version
• Incidents - HTML5 version
• Device Risk Score Computation
• Miscellaneous Operations
Dashboards - Flash version
FortiSIEM includes several different types of dashboards and views to monitor your IT infrastructure. Topics in
this section provide an overview of the General and VM View dashboards available in the Dashboard tab, along
with their user interface controls and customization options.
• Dashboard Overview
• Customizing Dashboards
• Creating Dashboard Slideshow
• Exporting and Importing Dashboards
• Link Usage Dashboard
Dashboard Overview
FortiSIEM includes two types of component dashboards: General, which are used to monitor IT infrastructure
components, and VM View, which focus specifically on information about virtual machines in your infrastructure.
These two types of component dashboards also include two types of dashboards for collecting different types of
information:
• Summary dashboards that provide single-line entries for IT infrastructure components based on their system
status (Critical, Critical + Warning, All) in operational time
• Widget-based dashboards that provide metrics and analytics for functional areas using historical data
In addition to the summary and widget-based dashboards, FortiSIEM also includes a specialized Incident
dashboard, with features that are detailed in the Incidents - Flash version section.
Topics in this section provide an overview of the Summary and Widget dashboards, as well as how to use the
Analysis menu to gain more information about your IT infrastructure components.
• Summary Dashboard User Interface Overview
• VM Dashboard User Interface Overview
• Widget Dashboard User Interface Overview
• Network Topology View of Devices
• How Values in Dashboard Columns are Derived
• Using the Analysis Menu
Summary Dashboard User Interface Overview
- Dashboard Overview
- Summary Dashboard UI Controls
Dashboard Overview
Summary dashboards are best used for gathering information about individual infrastructure components in operational time. Summary dashboards include the Exec Summary dashboard, and all the dashboards in the Summary Dashboards and Availability/Performance folders of the Dashboards > General pane. In the Dashboards > VM View pane, summary dashboards include the ESX Host Type dashboards (All ESX Hosts and Standalone ESX Hosts, for example). Metrics for these dashboards are displayed either on a real-time basis, or as an average over ten minute intervals.
This screenshot shows an example of a Biz Service Summary dashboard for a multi-tenant deployment. It contains all the standard user interface controls found in summary dashboards, though some additional UI controls are found in other summary dashboards as described in the table Columnar Dashboard UI Controls.
Selecting a business service in the top pane loads all the components associated with that service into the panes below.
Summary Dashboard UI Controls
UI Control - Description
Status Filter: Filters the view of the components based on component status: Critical, Critical + Warning, All
Organizations Filter: For multi-tenant deployments, filter components based on the organization they belong to
Service Info: For the Business Services summary dashboard, shows the Quick Info for the business service. For other components, an Info link is provided in the same location in the UI.
Analysis Menu: The Analysis menu contains a number of options for component analytics, depending on the component selected. See Using the Analysis Menu for more information. You can also access the Analysis menu for a component by hovering your mouse over the component's Device IP menu until the blue Quick Info icon appears, and then clicking the icon.
Customize Columns: The Custom Columns control lets you change the columns that are displayed in the dashboard. See Adding Custom Columns to Dashboards for more information.
Performance Summaries: Most columns contain a summary or trend view of their display information. Hover your mouse over the metric until a trend line icon appears, and then click to view the summary or trend information. Note that many of these summary pop-ups have their own navigational controls, for example to set the time interval for the summary.
Incident Summary: The incident summary shows the number and type of incidents associated with the component. Hover over the number to view a quick summary of the incidents, click on the incident number to view incident details.
Quick Info: The Quick Info view of a device, which you can also access through the Analysis menu or hovering your mouse cursor over the Device IP column, displays General and Health information for the device, and when appropriate, Identity and Location information. It also contains links to additional information about the device:
  - Incidents: An exportable summary of incidents associated with the device
  - Health: Availability, Performance, and Security health information for the device. You can also access this information by clicking the Device Health user interface control, or by selecting Device Health in the Analysis menu.
  - BizService: Any business services impacted by the device. You can also access this information by selecting Impacted Business Services in the Analysis menu.
  - Applications: Displays a report on the top 10 applications associated with the device by Average CPU Utilization over the past hour
  - Vulnerability and IPS Status (Not used in the Dashboard view): Displays the vulnerability status reports that are also available by selecting Vulnerability and IPS Status in the Analysis menu
  - Hardware Health (Used only for the CMDB/Storage view): Displays health information for the hardware being used for storage
  - Interfaces: Displays a report on the top 10 interfaces associated with the device by average throughput
  - Topology: Shows the device's location in the network topology. You can also access this information by selecting Topology in the Analysis menu.
  The Quick Info view also contains two links, Goto Config Item, which links to the device entry in the CMDB, and Goto Identity, which links to Analytics > Identity and Location Report, where you can edit this information for the device.
Component Health: Availability, Performance, and Security health reports for the device. You can also access this information by selecting a device in the Summary dashboard, and then clicking Health, or by going to Quick Info > Health after selecting the device. If any Incidents are displayed, click the number to view the Incident Summary. Depending on the reported metric, you can zoom in for a closer look at graphs and reports by clicking the Magnifying Glass icon that appears when you hover your mouse cursor over them.
Location Selection: Filters components by their geographic locations. See Setting Device Location Information for more information.
Time View and Refresh Interval: The Time View has two options for whether you want to view Real Time or Average-10 mins metrics for your component, and for the interval at which you want them to refresh.
VM Dashboard User Interface Overview
The Dashboard > VM View provides a complete overview of your virtual infrastructure, including Data Centers,
Standalone ESX Hosts, Resource Pools, Clusters, ESXs, and VMs. Over 400 VMs can be discovered, and their
metrics pulled via VCenter in under three minutes during initial discovery. As you navigate the Virtual
Infrastructure hierarchy, you will see Summary dashboards similar to those in the General > Dashboard view
for VM Clusters, All ESX Hosts, and Standalone ESX Hosts, while widget dashboards that provide
performance metrics for CPU Utilization, Memory, Network Interface, Disk I/O and Data Store Utilization are
available at the level of VM, ESX, Resource Pool and Cluster.
- VM Summary Dashboards Overview
- The ESX Hosts View
- The ESX and VM View
VM Summary Dashboards Overview
This screenshot shows the All ESX Hosts summary dashboard, which includes a summary pane for All ESXs at
the top, and a summary pane for individual VM instances for selected ESXs at the bottom. The user interface
controls for the Virtual Infrastructure summary dashboards are very similar to those in the General summary
dashboards.
UI Controls for Virtual Infrastructure Summary Dashboards
UI Control - Description
Organizations Filter: For multi-tenant deployments, filter components based on the organization they belong to
Quick Info: The Quick Info view of a device, which you can also access through the Analysis menu or hovering your mouse cursor over the Device IP column, displays General and Health information for the device, and when appropriate, Identity and Location information. It also contains links to additional information about the device:
  - Incidents: An exportable summary of incidents associated with the device
  - Health: Availability, Performance, and Security health information for the device. You can also access this information by clicking the Device Health user interface control, or by selecting Device Health in the Analysis menu.
  - BizService: Any business services impacted by the device. You can also access this information by selecting Impacted Business Services in the Analysis menu.
  - Applications: Displays a report on the top 10 applications associated with the device by Average CPU Utilization over the past hour
  - Vulnerability and IPS Status (Not used in the Dashboard view): Displays the vulnerability status reports that are also available by selecting Vulnerability and IPS Status in the Analysis menu
  - Hardware Health (Used only for the CMDB/Storage view): Displays health information for the hardware being used for storage
  - Interfaces: Displays a report on the top 10 interfaces associated with the device by average throughput.
  - Topology: Shows the device's location in the network topology. You can also access this information by selecting Topology in the Analysis menu.
  The Quick Info view also contains two links, Goto Config Item, which links to the device entry in the CMDB, and Goto Identity, which links to Analytics > Identity and Location Report, where you can edit this information for the device.
Device Health: Availability, Performance, and Security health reports for the device. You can also access this information by selecting a device in the Summary dashboard, and then clicking Health, or by going to Quick Info > Health after selecting the device. If any Incidents are displayed, click the number to view the Incident Summary. Depending on the reported metric, you can zoom in for a closer look at graphs and reports by clicking the Magnifying Glass icon that appears when you hover your mouse cursor over them.
Analysis Menu: The Analysis menu contains a number of options for component analytics, depending on the component selected. See Using the Analysis Menu for more information. You can also access the Analysis menu for a component by hovering your mouse over the component's Device IP menu until the blue Quick Info icon appears, and then clicking the icon.
Locations: Filters components by their geographic locations. See Setting Device Location Information for more information.
Customize Columns: The Custom Columns control lets you change the columns that are displayed in the dashboard. See Adding Custom Columns to Dashboards for more information.
ESX Hosts View
When you select an individual ESX Host in the Virtual Infrastructure hierarchy, the ESX Health tab will be selected
and you will see a widget dashboard with reports for ESX Statistics, Active Incidents, Performance Metrics,
Memory Utilization, and Disk Rate. Additional tabs are VM Summary and Top VMs.
Tab Name - Description
ESX Health: A widget dashboard with reports for ESX Statistics, Active Incidents, Performance Metrics, Memory Utilization, and Disk Rate
VM Summary: A summary dashboard for VMs on the ESX host.
Top VMs: A widget dashboard with reports for Top VMs by CPU Utilization, Top VMs by Memory Utilization, Top VMs by Disk Write Request Rates, Top VMs by CPU Ready Percentage, and Top VMs by Disk Read Request Rate, all updated hourly
ESX and VM View
When you select an ESX or VM in the Virtual Infrastructure hierarchy, you will see a widget dashboard that contains reports for VM Statistics, Active Incidents, and Performance Metrics.
Widget Dashboard User Interface Overview
Widget dashboards are best for viewing aggregated metrics based on historical search, which are generally
presented in the form of a graph or chart. From the widget view of information, you can drill down to view and
modify the underlying historical search. Examples of widget dashboards include Availability/Performance >
Avail/Perf Widgets, the Security Dashboard, BizService Dashboard > Avail/Perf Widgets and Security
Widgets, and all the dashboards listed under Dashboards by Function.
This screenshot shows an edited view of the Availability/Performance > Avail/Perf Widgets dashboard. It contains all the standard user interface controls found in widget dashboards.
This screenshot shows the Event Info menu that you open by hovering your mouse cursor over an event within a widget until the menu icon appears.
Widget Dashboard UI Controls
UI Control - Description
Resize: You can resize the widget by clicking on this control, and then indicating how many tile spaces you want that widget to use in the dashboard
Drill Down: Hover your mouse cursor over the right upper corner of the widget to access this control. Select a line displayed in the widget to drill down to the historical search associated with that metric. You can then run or modify the search. See Refining the Results from Historical Search for more information. This is also the same functionality as the Drill Down option in the Event Info menu.
Edit Settings: Hover your mouse cursor over the right upper corner of the widget to access this control. Edit the settings associated with the widget. These include:
  - Title - the title of the report
  - Description - a summary description of the report
  - Display - select the type of chart you would like the widget to display
  - Time - the time interval to use in gathering data
  - Refresh Interval - how often the data should be refreshed
  - Result Limit - how many results should be included in the report
  - Condition - filters within the report. Look up the report in CMDB > CMDB Reports to view the filter conditions it uses.
  - Run report for - for multi-tenant deployments, select the organization that the widget should report on
Remove: Hover your mouse cursor over the right upper corner of the widget to access this control. Click this control to remove the widget from the dashboard
Event Info: Hover your mouse cursor over a line in a report to view the Quick Info for the associated Event Type, or select Drill Down to view, edit, and run the associated historical search. See Refining the Results from Historical Search for more information.
Add Report: At the bottom of each widget dashboard is a button to add more widgets to the dashboard.
Related Links
- Refining the Results from Historical Search
Network Topology View of Devices
FortiSIEM provides two ways to view the topology of your IT infrastructure, one at the CMDB level that shows all
devices, and another at the level of device groups and individual devices.
- How is Network Topology Discovered and Visualized?
- CMDB All Devices View
- Device Group and Device View
- Viewing Device Information in the Topological Map
How is Network Topology Discovered and Visualized?
FortiSIEM discovers network topology at two levels, layer 3 and layer 2. Layer 3 connectivity involves IP
addresses, while Layer 2 connectivity
The layer 3 topology is discovered by obtaining network interface IP addresses and masks for all devices via SNMP (RFC 1213). The local networks, e.g. loopback (127.0.0.0/8) and link-local addresses (169.254.0.0/16), are filtered out and the distinct network segments are identified.
A layer 3 topology is visualized on the FortiSIEM Topology map by drawing:
- network segments and devices as nodes, and
- line segments from each network segment node to every device node that has an interface with an IP address in that network segment.
The devices are represented by vendor specific icons and the network nodes are represented by a line and labeled as “Net-<net>/<maskbits>”. For visual clarity:
- Only the network devices are drawn by default. A network device is one that belongs to the Network Device tab in the CMDB.
- Only those networks are drawn that have devices discovered by FortiSIEM (and are in CMDB). There is a “+” button next to those networks. Clicking on the “+” button displays those hosts in the topology graph. Clicking on the “-” button hides those hosts.
When an enterprise network has Layer 2 switches and hubs, a layer 3 topology misses the connectivity between servers and layer 2 switches and the trunk port connectivity between layer 2/3 switches. Layer 2 discovery is difficult and, more importantly, vendor dependent as vendors have different implementations of the Spanning Tree Protocol (STP).
For Cisco switches, the layer 2 topology is obtained via SNMP (IEEE spanning tree MIB as found in RFC1493 and
CISCO-VTP-MIB) as follows:
For every switch,
1. Identify all active VLANs on that switch
2. For every active VLAN:
a) Get MAC forwarding table
b) Get STP table to identify trunk ports and directly connected trunk port on adjacent switches
The MAC forwarding table obtained in Step 2a provides the server to switch port connectivity (after eliminating
the trunk port entries obtained in step 2b). The trunk port connectivity between switch ports is directly obtained
from Step 2b.
The Layer 2 topology is visualized on the FortiSIEM topology diagram by choosing the layer 2 mode. Then by
clicking the “+” next to a device, the VLANs on that switch are displayed. Also, the trunk port connectivity is shown
in an orange color and a tool tip provides the VLANs over this trunk link.
Then by clicking on the “+” of a VLAN, the hosts belonging to that VLAN and also the switch ports they connect to
are displayed.
The host to switch port connectivity can also be seen in a tabular form by first clicking the switch and then clicking
the “Port Mapping Table”.
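Worked example, added here and not part of the FortiSIEM product or this guide, of the two discovery steps described above: building layer 3 segment nodes from SNMP interface addresses (with the loopback and link-local filtering) and turning a per-VLAN MAC forwarding table plus the STP trunk ports (steps 2a and 2b) into host-to-port edges and trunk links. The interface records, MAC tables, device names and port names are constructed input, not discovery output.

```python
"""Added example (not FortiSIEM code): derive layer 3 and layer 2 topology
edges from the per-device data the guide describes.  All input records are
constructed for illustration."""
import ipaddress
from collections import defaultdict

# Constructed interface table: (device, interface IP, netmask), the data
# step one obtains via SNMP (RFC 1213).  Loopback and link-local entries are
# included on purpose so the filter below has something to drop.
INTERFACES = [
    ("core-sw1", "10.1.0.1", "255.255.255.0"),
    ("core-sw1", "10.2.0.1", "255.255.255.0"),
    ("core-sw1", "127.0.0.1", "255.0.0.0"),
    ("edge-fw", "10.1.0.254", "255.255.255.0"),
    ("edge-fw", "169.254.10.5", "255.255.0.0"),
    ("web01", "10.2.0.20", "255.255.255.0"),
]

# Ranges the guide says are filtered out before segments are identified.
IGNORED = [ipaddress.ip_network("127.0.0.0/8"),
           ipaddress.ip_network("169.254.0.0/16")]


def layer3_edges(interfaces):
    """Return {"Net-<net>/<maskbits>": sorted devices with an interface in it}.

    Each key is a network segment node; each listed device gets a line
    segment to that node on the map."""
    segments = defaultdict(set)
    for device, ip, mask in interfaces:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in IGNORED):
            continue
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        segments[f"Net-{net.network_address}/{net.prefixlen}"].add(device)
    return {label: sorted(devs) for label, devs in segments.items()}


# Constructed per-VLAN data for one switch: the MAC forwarding table from
# step 2a (port -> MACs learned on it) and, from the STP table in step 2b,
# the ports that are trunks and which adjacent switch they lead to.
MAC_TABLE = {
    10: {"Gi1/0/1": ["00:11:22:33:44:01"],
         "Gi1/0/2": ["00:11:22:33:44:02"],
         "Gi1/0/24": ["00:11:22:33:44:01", "00:11:22:33:44:02",
                      "aa:bb:cc:dd:ee:ff"]},
    20: {"Gi1/0/3": ["00:11:22:33:44:03"],
         "Gi1/0/24": ["00:11:22:33:44:03", "aa:bb:cc:dd:ee:ff"]},
}
STP_TRUNKS = {10: {"Gi1/0/24": "core-sw2"}, 20: {"Gi1/0/24": "core-sw2"}}


def layer2_edges(mac_table, stp_trunks):
    """Split the forwarding table into host->access-port edges and trunk links.

    A trunk port learns every MAC reachable through the neighbouring switch,
    so its entries must be eliminated from the host mapping, which is why the
    guide applies step 2b's trunk list to step 2a's table."""
    hosts = {}                 # mac -> (vlan, access port)
    trunks = defaultdict(set)  # neighbouring switch -> VLANs carried
    for vlan, ports in mac_table.items():
        trunk_ports = stp_trunks.get(vlan, {})
        for port, macs in ports.items():
            if port in trunk_ports:
                trunks[trunk_ports[port]].add(vlan)
                continue
            for mac in macs:
                hosts[mac] = (vlan, port)
    return hosts, {sw: sorted(v) for sw, v in trunks.items()}


if __name__ == "__main__":
    for label, devs in sorted(layer3_edges(INTERFACES).items()):
        print(label, "->", ", ".join(devs))
    hosts, trunks = layer2_edges(MAC_TABLE, STP_TRUNKS)
    for mac, (vlan, port) in sorted(hosts.items()):
        print(f"VLAN {vlan} {port} <- {mac}")
    print("trunk links:", dict(trunks))
```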
CMDB All Devices View
This screenshot shows the CMDB tab selected, and in the Device View, Topology is selected. This topology
map shows all the devices for the selected organization, and provides controls for editing the topology views that
will be available to users from that organization.
CMDB All Devices User Interface Controls
UI Control - Description
Zoom: Use the slider to increase or decrease the zoom level of the map
Organizations Filter: For multi-tenant deployments, filter devices based on the organization they belong to
View: Select the layers, connection types, and number of hops from the host to display in the map
Search: Search for specific devices based on name, IP, or Business Service
View Options: Set the display options, including severity levels, for the map
Layout Options: Set the type of topological map to display, as well as the length of links between devices
Save and Update:
  - Refresh - When you make a change to the map settings, click Refresh to see them reflected in the map
  - Save - Save your Layout and View Options to use them in other topographical maps associated with this organization
  - Sync - If you make changes to your infrastructure or add devices to the CMDB, click Sync to see them reflected in the map
Device Group and Device View
You can access the device group view of the topological map by selecting a group of devices in the Device View, and then clicking the Topo button in the Summary pane. Select an individual device, and then click the Topo button in the Details pane to view that device within the topological map.
Device Group and Device View User Interface Controls
UI Control - Description
Zoom: Use the slider to increase or decrease the zoom level of the map
View Controls: Click on the arrow icon in the upper-right corner of the map to open these controls. Options to enable/disable node dragging, incident display, connection layer display, and the number of hops from the host to display.
Map Explorer: Click on the arrow icon in the lower-right corner of the map to open the Map Explorer. As you zoom into the map, the map explorer will show you the area that you are currently viewing. You can move to another area by clicking and dragging the highlighted section of the map explorer to that area.
Viewing Device Information in the Topological Map
Devices within the topological map have additional icons to represent information about the device.
Name - Description (each item is shown as an icon on the device in the map)
Show Connected Hosts: If a device has a green + icon in the topographic map, you can click on that icon to see hosts that are connected to that device
Show Incident Details: Incidents for a device are displayed as a number in a circle to the right of the device icon, with the color of the circle (red, yellow, green) indicating the severity of the incidents. Click the number to view the Incident Summary for the device, and then click on an individual incident to view the Incident Details in the Overview of the Incident Dashboard. In the Incident Summary you can also view and apply a subset of options from the Analysis Menu by hovering your mouse cursor over the Incident Source or Incident Target entries for the incident.
Show Device Details: Click on the name of the device to view details about it. The kind of information displayed will depend on the type of device you select.
How Values in Dashboard Columns are Derived
The values in Summary dashboard columns are either derived from system information (for example, the IP
address for a device), or are metrics associated with events and their attributes. This topic uses the example of
the CPU Util column in many summary dashboards to explain the relationship between event attributes and
display columns, and how values in those columns are calculated.
1. Log into your Supervisor node.
2. Go to Dashboard > Device View > All Devices.
3. Click Select Columns.
You will see a list of all the columns used in this dashboard under Selected Columns. Under Selected Columns
you'll see CPU Util, and next to it, in parentheses, you will see three event types listed, whose attributes are used
to create this calculation: PH_DEV_MON_SYS_CPU_UTIL, PH_DEV_MON_EC2_METRIC, and PH_DEV_MON_
CLARION_SP_UTIL. The metrics associated with these attributes are displayed in the CPU Util column, but how
are metrics collected over time represented as a single value? To answer this question, you need to examine the
column settings and Aggregation Method in the Device Support > Dashboard Columns page.
4. Go to Admin > Device Support > Dashboard Columns.
5. Find System CPU Utilization in the list of dashboard columns.
CPU Util is part of the System CPU Utilization set of metrics.
6. Each dashboard column has the same set of attributes:
Column Attribute - Description - Value for System CPU Utilization
Name: The metric collected. Value: System CPU Utilization
Event Type: The type of event that provides the attributes for the metric. Values: PH_DEV_MON_SYS_CPU_UTIL, PH_DEV_MON_EC2_METRIC, PH_DEV_MON_CLARION_SP_UTIL
Column Name: The display name in the Summary dashboard for the metric. Values: CPU Name, Storage Processor, CPU Utilization. Most events include a Host IP address, however there is no Column Name for this metric as FortiSIEM generates the column name Device IP in relation to the metric.
Column Attribute: The specific attribute used for each Column Name. Values: Device IP (system generated name) - hostIpAddr; CPU Name - cpuName; Storage Processor - spName; CPU Util - cpuUtil
Column Type: The type of information that will be displayed in the column for each attribute. Values: Device IP (system generated name) - hostIpAddr - Host; CPU Name - cpuName - Object; Storage Processor - spName - Object; CPU Util - cpuUtil - Reading
Aggregator: For readings, the mathematical aggregator that will be used to calculate the metric. Options are: AVG, SUM, MAX, MIN, LAST. Using a pipe | between two operators indicates that the first operation should be aggregated over time, and the second over the object. Value: CPU Util - cpuUtil - Reading - AVG|AVG
With this information, you can see that the CPU Util metric is derived from the cpuUtil attribute of the PH_DEV_MON_SYS_CPU_UTIL event, and that the display column is a reading that uses the calculation Average over time and then Average over the object being reported on. Now apply this to the event reports for a host with two CPUs, and you can see how the calculation works.
[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=3137,[cpuName]=CPU x 1,[hostName]=win2k8.FortiSIEM.net,[hostIpAddr]=192.168.0.40,[cpuUtil]=2.000000,[pollIntv]=176,[phLogDetail]=
[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=3137,[cpuName]=CPU x 1,[hostName]=win2k8.FortiSIEM.net,[hostIpAddr]=192.168.0.40,[cpuUtil]=4.000000,[pollIntv]=176,[phLogDetail]=
[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=3137,[cpuName]=CPU x 2,[hostName]=win2k8.FortiSIEM.net,[hostIpAddr]=192.168.0.40,[cpuUtil]=20.000000,[pollIntv]=176,[phLogDetail]=
[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=3137,[cpuName]=CPU x 2,[hostName]=win2k8.FortiSIEM.net,[hostIpAddr]=192.168.0.40,[cpuUtil]=40.000000,[pollIntv]=176,[phLogDetail]=
This output shows two samples of cpuUtil taken over three minutes for each CPU running on the host 192.168.0.40. According to the Aggregator for this column, FortiSIEM should first average the samples over time for each CPU, and then average those together to derive the metric for the host. The average for CPU 1 is 3.000000, and the average for CPU 2 is 30.000000. These values are combined and averaged again to get the overall metric for the host, which is 16.500000.
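Added example, not FortiSIEM code, that parses the four event lines above and applies an Aggregator setting the way the column table describes: the first operator over time per object (each CPU), the second across the objects of the host. It generalises beyond AVG|AVG to any pair of the listed operators (AVG, SUM, MAX, MIN, LAST). The attribute regex and the function names are assumptions based on the event format shown, and the sample lines are embedded as a constructed string.

```python
"""Added example (not FortiSIEM code): compute a Summary dashboard column
value from PH_DEV_MON_SYS_CPU_UTIL events using a "<time op>|<object op>"
aggregator, as the Dashboard Columns table describes."""
import re
from collections import defaultdict

# The four event lines quoted in the guide, embedded here as constructed input.
SAMPLES = """\
[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=3137,[cpuName]=CPU x 1,[hostName]=win2k8.FortiSIEM.net,[hostIpAddr]=192.168.0.40,[cpuUtil]=2.000000,[pollIntv]=176,[phLogDetail]=
[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=3137,[cpuName]=CPU x 1,[hostName]=win2k8.FortiSIEM.net,[hostIpAddr]=192.168.0.40,[cpuUtil]=4.000000,[pollIntv]=176,[phLogDetail]=
[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=3137,[cpuName]=CPU x 2,[hostName]=win2k8.FortiSIEM.net,[hostIpAddr]=192.168.0.40,[cpuUtil]=20.000000,[pollIntv]=176,[phLogDetail]=
[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=3137,[cpuName]=CPU x 2,[hostName]=win2k8.FortiSIEM.net,[hostIpAddr]=192.168.0.40,[cpuUtil]=40.000000,[pollIntv]=176,[phLogDetail]=
"""

# Assumed attribute syntax: "[name]=value" pairs separated by commas.
ATTR_RE = re.compile(r"\[([A-Za-z0-9_]+)\]=([^,]*)")

# The operators the table lists; LAST relies on samples being kept in arrival order.
AGGREGATORS = {
    "AVG": lambda xs: sum(xs) / len(xs),
    "SUM": sum,
    "MAX": max,
    "MIN": min,
    "LAST": lambda xs: xs[-1],
}


def parse_event(line):
    """Return (event type, {attribute: value}) for one event line."""
    event_type = line.split(":", 1)[0].strip("[]")
    return event_type, dict(ATTR_RE.findall(line))


def column_value(lines, event_type, object_attr, reading_attr, aggregator):
    """Per-host column value: time operator per object, then object operator.

    aggregator must be of the form "AVG|AVG", "MAX|AVG", "LAST|SUM", ...
    exactly as the Dashboard Columns page writes it."""
    over_time, sep, over_object = aggregator.partition("|")
    if not sep or over_time not in AGGREGATORS or over_object not in AGGREGATORS:
        raise ValueError(f"unsupported aggregator {aggregator!r}")
    # host -> object (e.g. CPU name) -> readings in arrival order
    samples = defaultdict(lambda: defaultdict(list))
    for line in lines.splitlines():
        etype, attrs = parse_event(line)
        if etype != event_type:
            continue  # other event types feed other columns
        samples[attrs["hostIpAddr"]][attrs[object_attr]].append(
            float(attrs[reading_attr]))
    result = {}
    for host, objects in samples.items():
        per_object = [AGGREGATORS[over_time](r) for r in objects.values()]
        result[host] = AGGREGATORS[over_object](per_object)
    return result


if __name__ == "__main__":
    for agg in ("AVG|AVG", "MAX|AVG", "AVG|MAX", "LAST|SUM"):
        print(agg, column_value(SAMPLES, "PH_DEV_MON_SYS_CPU_UTIL",
                                "cpuName", "cpuUtil", agg))
```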
Using the Analysis Menu
The Analysis menu located in the Summary dashboards presents a number of options for gathering more
information about items selected in the dashboard. You can also access the Analysis menu items by selecting a
line in a summary dashboard, and hovering your mouse over the IP address of the device until the blue Analysis
menu option appears.
Editing Settings for Displayed Reports
You can edit the settings for any of the reports displayed from Analysis menu options. See Widget Dashboard UI Controls > Edit Settings in the topic Widget Dashboard User Interface Overview for more information about widget settings options.
Analysis Menu Options
Menu Option
Description
Quick Info
The Quick Info view of a device, which you can also access through the
Analysis menu or hovering your mouse cursor over the Device IP column,
displays General and Health information for the device, and when
appropriate, Identity and Location information. It also contains links to
additional information about the device:
l
l
l
l
l
l
l
Incidents
An exportable summary of incidents associated with the device
Health
Availability, Performance, and Security health information for the
device. You can also access this information by clicking the Device
Health user interface control, or by selecting Device Health in the
Analysis menu.
BizService
Any business services impacted by the device. You can also access
this information by selecting Impacted Business Services in the
Analysis menu. Applications
Displays a report on the top 10 applications associated with the
device by Average CPU Utilization over the past hour
Vulnerability and IP Status (Not used in the Dashboard view)
Displays the vulnerability status reports that are also available by
selecting Vulnerability and IPS Status in the Analysis menu Hardware Health (Used only for the CMDB/Storage view)
Displays health information for the hardware being used for storage Interfaces
Displays a report on the top 10 interfaces associated with the device
by average throughput
Topology
Shows the device's location in the network topology. You can also
access this information by selecting Topology in the Analysis
menu.
The Quick Info view also contains two links, Goto Config Item, which links
to the device entry in the CMDB, and Goto Identity, which links to Analytics
> Identity and Location Report, where you can edit this information for the
device.
l
Topology
FortiSIEM 4.9.0 User Guide
Fortinet Technologies Inc.
Shows the device location within the network topology
492
Dashboards - Flash version
Monitoring Operations with FortiSIEM
Menu Option
Description

Device Health
Availability, Performance, and Security health reports for the device. You can also access this information by selecting a device in the Summary dashboard and then clicking Health, or by going to Quick Info > Health after selecting the device. If any Incidents are displayed, click the number to view the Incident Summary. Depending on the reported metric, you can zoom in for a closer look at graphs and reports by clicking the Magnifying Glass icon that appears when you hover your mouse cursor over them.

Incidents Summary
A summary of incidents associated with the device. Select an incident and then hover your mouse cursor over the Incident Name to open the View Incident Details option, which will load the selected incident into the Incident Dashboard. See the topics under Incidents - Flash version for more information about working with the Incident Dashboard. If you hover your mouse cursor over the Incident Target for an incident in the Incident Summary screen, you will see some additional options, including:
- Add to Watch List - adds the incident target to a watch list. See Watch Lists for more information.
- Show Related Real Time Search - opens a real time search using the Host IP and Name for the incident target
- Show Related Historical Search - opens an historical search using the Host IP and Name for the incident target

Device Availability
Displays reports for Availability Trend Status, Ping Response Time, and Ping Packet Loss for the device over the past hour, and Device Uptime for the device over the past thirty minutes

Device Performance
Displays reports for Performance Health Trend, Avg Memory Utilization, Avg CPU Utilization, and Avg Disk Utilization over the past hour for the device

Interface Status
Displays reports for Interface Utilization Percentage, Interface Error Percentage, Interface Traffic, and Interface Error Count over the past hour for the device

Application Performance
Displays reports for Average Application CPU Utilization, Application CPU Utilization, Average Application Memory Utilization, and Application Memory Utilization over the past hour for the device

Event Status
Displays reports for Events per Second, Top Network Connections, Top Events by Severity, and Top TCP/UDP Ports over the past hour for the device

All Events by Group for the Last 10 Minutes
Opens an Historical Search for the selected device using these criteria
FortiSIEM 4.9.0 User Guide
Fortinet Technologies Inc.
Monitoring Operations with FortiSIEM
Dashboards - Flash version
Traffic Status
Displays reports for All Permitted Traffic Sourced From or Destined to the selected device, and All Denied Traffic Sourced from or Destined to the selected device over the previous hour

Vulnerability and IPS Status
Displays reports for All Vulnerabilities for Last 1 Day and All Warning + Critical IPS Events for the device over the past 24 hours

Impacted Biz Services
Business services that contain the selected device

Real-time Events
Opens a Real-Time Search for the selected device

Historical Events for Last 5 Mins
Opens an historical search for all events associated with the device over the past five minutes
Customizing Dashboards
FortiSIEM includes several dashboards for device types and IT functional areas, but you can also customize and
create new dashboards and widgets.
- Adding Custom Columns to Dashboards
- Adding Widgets to Dashboards
- Creating a Customized Dashboard
- Setting a Dashboard to Home
Adding Custom Columns to Dashboards
You may want to add custom columns based on event attributes to a Summary dashboard. This topic explains how to create a custom set of columns using the example of a hardware temperature readout, and then add them to a dashboard.
Prerequisites
- Read the topic How Values in Dashboard Columns are Derived
Procedure
1. Find the event that contains the attribute you want to use. In this case, you want to create a hardware temperature reading. The event PH_DEV_MON_HW_TEMP contains the attribute envTempDegC.
[[PH_DEV_MON_HW_TEMP]:[eventSeverity]=PHL_INFO,[fileName]=deviceJunOS.cpp,
[lineNumber]=619,[hostName]=JunOS-3200-1,
[hostIpAddr]=172.16.5.64,[hwComponentName]=FPC- EX3200-24T- 8 POE @ 0/*/*,
[envTempDegC]=33,[phLogDetail]=
2. Go to Admin > Device Support > Dashboard Columns.
3. Click New.
4. For Name, enter the display name for the new metric you want to collect. For this example, enter the name Temperature Reading.
5. For Event Type, click the Edit icon and select the event you want to use. For this example, select PH_DEV_MON_HW_TEMP.
6. Click the + icon to add a column. As you complete each column, click OK, then click + to add more columns. For each event type, you will typically create three columns: a Host column that contains IP information for associated hosts, an Object column that includes information about the object being reported on, and a Reading column that contains the metric you want to report on. Note that you could create additional Reading columns for other attributes contained in your event.
Column Type
Example Settings

Host
Attributes: hostIpAddr
Aggregator: N/A
Display Name: N/A
Format: N/A
Trend Chart: N/A
Type: Host

Object
Attributes: hwComponentName
Aggregator: N/A
Display Name: N/A
Format: N/A
Trend Chart: N/A
Type: Object

Reading
Attributes: envTempDegC
Aggregator: AVG|MAX
Display Name: Temp
Format: DegreeC
Trend Chart: Health
Type: Reading
7. When you're finished adding columns, click OK.
The new column you created will appear in the Admin > Device Support > Dashboard Columns.
8. Select your new column in the list, and then click Apply.
9. To add your column to a dashboard, navigate to the dashboard.
10. In the dashboard, click Select Columns.
11. Under Event Types, select the event type you used to create the new column. The columns associated with that event type will be listed under Columns, and the Attribute Name will list the attribute you used to create the column.
12. Under Columns, select your column and use the >> button to move it into the Selected Columns.
13. Use the up and down position buttons to place the column in the order where you want it to appear in the
dashboard.
14. Click OK.
Your new column will appear in the dashboard.
Adding Widgets to Dashboards
1. Navigate to the widget dashboard where you want to add the widget.
2. At the bottom of the dashboard click Add Reports to Dashboard.
3. For Service Provider deployments, select the Organization that you want to have access to the report.
4. Select a Category for the type of report you want to add.
5. Under Available Reports, select the report you want to add, and then click the >> button to add it to the
Selected Reports.
6. Click OK. To add CMDB Reports, select from the CMDB Reports folder in Step 5.
Creating a Customized Dashboard
You can create both Summary and Widget custom dashboards.
1. In the Dashboard tab, select My Dashboard in the General view.
2. At the top of the General view, click the + icon.
3. Enter a Group to categorize the dashboard, and a Description.
4. Select a Dashboard Type.
5. Click OK.
The dashboard will be added under My Dashboard.
6. Select the dashboard.
7. For a Device Summary Dashboard, click Devices at the top of the dashboard and select the devices you want
to add to the dashboard.
8. For a Widget Dashboard, click Add Reports to Dashboard, and then select the reports you want to add.
Setting a Dashboard to Home
You can set any system or user-defined dashboard to be your home page when you log into FortiSIEM.
1. In the Dashboard view, select the dashboard you want to set for your home page.
2. At the top of the General view of the dashboards, click the Home icon.
The Home icon will be filled in rather than greyed out, and the next time you log into FortiSIEM, the page you
selected will be your home page.
Creating a Dashboard Slideshow
- Go to Dashboard.
- Click the Slideshow icon at the top left.
- A check box appears next to each dashboard in the dashboard tree under the General tab.
- For each folder, expand the folder to see the check box for each dashboard.
- Select the dashboards for the slideshow.
- Select the Interval for switching between dashboards.
- Click Start to enter Slideshow mode. Click Cancel to leave the current slideshow configuration unsaved.
- Once in Slideshow mode, press the Escape key to stop the slideshow.
Note: Slideshow configuration is saved on a per user basis. When the user logs back on, the same slideshow can be used.
Exporting and Importing Dashboards
It is possible to export and then import the following types of widget dashboards:
- My Dashboard
- Availability/Performance > Avail/Perf Widgets
- Biz Svc Dashboard
- Dashboards By Function
To export a dashboard:
- Go to a specific dashboard folder.
- Click Export in the top right portion.
- An XML file will be created and saved.
To import a dashboard, first have the XML file ready:
- Go to a specific dashboard folder.
- Click Import in the top right portion.
- Provide the dashboard file in XML format.
Link Usage Dashboard
For perimeter network devices such as firewalls and routers, it is important to know which interfaces are busy and which traffic is consuming the most resources. This special dashboard provides this view and enables users to determine which router interfaces are over-utilized, which applications are using them, and what the QoS statistics are.
- Go to CMDB > Devices > Firewall or CMDB > Devices > Router/Switch.
- The default is Inventory View. Click Link Usage to change to this special view.
- A three level panel appears on the right:
  - Top pane: Device level view: system level metrics such as CPU, Memory, Connections, Sent/Receive Traffic, and Received EPS. Source is SNMP.
  - Middle pane: For the selected device in the Top pane, it shows metrics for each interface. Source is SNMP.
  - Bottom pane: For the selected device in the Top pane and interface in the Middle pane, it shows:
    - Application Usage: Top Applications, Top Sources, Top Connections. Source is Netflow.
    - QoS Statistics: QoS statistics. Source is SNMP - Fortinet only.
Dashboards - HTML5 version
FortiSIEM includes two types of dashboards:
- Summary dashboards that show multiple metrics for a device in a single line. This enables users to see multiple metrics of the same device in one view.
- Widget dashboards that provide separate views of each metric. This enables users to see the critical devices for one metric at a time.
Multiple dashboards can be grouped into a folder. The user first needs to choose the dashboard folder and then select the dashboard within that folder.
Viewing System Dashboards
FortiSIEM provides several built-in dashboard folders covering many functional areas:
- Infrastructure level
  - Network Dashboard
  - Server Dashboard
  - VMWare Dashboard
  - Web Server Dashboard
  - Application Server dashboard
- Cloud Infrastructure level
  - Amazon Web Services Dashboard
- Security Dashboard
- Storage level
  - NetApp Dashboard
  - VNX Dashboard
- Application level
  - Salesforce Dashboard
  - Office 365 Dashboard
  - Google Apps Dashboard
- FortiSIEM Dashboard
To view these dashboards:
1. Log on to FortiSIEM.
2. Switch to the right organization (for Service Provider version).
3. Click the Dashboard tab on the main user interface.
4. Select the appropriate dashboard folder from the drop-down. The dashboards belonging to the selected folder will show and the contents of the first dashboard will display automatically.
5. Select the appropriate dashboard to see its contents.
Creating New Dashboards
Make sure that you are logged on to the right organization (for Service Provider version).
Creating a new dashboard folder
1. Click on the dashboard folder menu and Select New.
2. Enter the name of the new dashboard folder
3. The new dashboard will show
Creating a new dashboard within a folder
1. Click on the icon on the top bar.
2. Enter the following information:
- Name - the name of the dashboard
- Type - Widget or Summary dashboard
- Description
3. Click Save.
Adding reports to a widget dashboard
1. Click on the icon on the left under the dashboard name
2. Select the report and it will highlight
3. Drag the report to the dashboard and the results will show
4. To customize the chart settings, see here.
To add a CMDB Report, simply add from the CMDB Report folder in Step 2.
Adding devices to a summary dashboard
1. Click on the icon on the top menu bar.
2. Select the device(s) and move them to the right pane by clicking the button.
3. Click OK.
4. To customize the columns, see here.
Deleting Dashboards
Note that built-in dashboard folders and dashboards can not be deleted.
Deleting user defined dashboards
1. Click on the button next to the dashboard.
2. Click OK.
Deleting user defined dashboard folders
1. Click on the button next to the dashboard folder.
2. Click OK.
Modifying Dashboards
Saving changes
User settings changes are saved - both for built-in and user created dashboards. If the user logs back in, then the
changes will be seen. System upgrades will also preserve these customizations.
Modifying widget display
1. Select a widget and click on the Settings button.
2. Customize the fields as appropriate:
- Title - the chart name that displays at the top
- Display - select the chart type from the possible options
- Width - the size of the chart in the horizontal dimension - note that this is relative
- Height - the size of the chart in the vertical dimension - note that this is relative
- Refresh interval - how often the chart's content will refresh
- Result Limit - number of rows in the result
3. Click OK.
Adding reports to a widget dashboard
1. Click on the icon on the left under the dashboard name
2. Select the report and it will highlight.
3. Drag the report to the dashboard and the results will show
4. To customize the chart settings, see here.
If you want to add a new report or modify a system report, then follow these steps:
1. Create the report in Analytics.
2. The report will then show up in the list of reports in Step 2 above.
Modifying widget dashboard layout
There are two possibilities - Tile layout (default) or column layout.
1. To select Tile layout, select the Tile option from the menu next to the icon on top. Tile layout allows you to place widgets of several sizes on the dashboard.
2. To select a column layout, choose the number of columns from the menu next to the icon.
Adding, removing and re-ordering columns on a summary dashboard
1. Select the button at the top.
2. To remove one or more columns from display, select them in the Selected Columns and then move them to the left by clicking the button.
3. To add one or more columns to the display:
a. Select an Event Type in the left most column. The corresponding metrics from that event type will
show.
b. Select one or more columns in the middle column.
c. Move them to the right by clicking the
button.
4. To change the position of the columns
5. Click OK to save the changes.
Sharing Dashboards
The following sharing rules are enforced:
- User created dashboard folders and their contents are only visible to the user who created them. If such a folder needs to be visible to other users, then we recommend:
  - using a shared account, or
  - using the export/import mechanism to create the folder for that user.
- System dashboard folders are owned by FortiSIEM. Any changes to those dashboards may be lost during upgrade, if FortiSIEM also decides to change those dashboards.
Importing and Exporting Widget Dashboards
Importing widget dashboards
Widget Dashboards can be imported from another FortiSIEM installation or from another dashboard folder of the same installation. If the two FortiSIEM installations do not have the same version, then the charts may look different because the data definition may be different.
1. Make sure you are viewing the dashboard.
2. Click Import.
3. Select the file from the local desktop. It must be an XML file suitable for import. Typically this is exported from another FortiSIEM system.
4. Click Import.
5. The dashboard will display.
Exporting widget dashboards
1. Make sure you are viewing the dashboard.
2. Click Export
Analytics
FortiSIEM Analytics has three components:
Search
FortiSIEM search functionality includes real time and historical search of information that has been collected from your IT infrastructure. With real time search, you can see events as they happen, while historical search is based on information stored in the event database. Both types of search include simple keyword searching, and structured searches that let you search based on specific event attributes and values, and then group the results by attributes.
Rules
Because FortiSIEM is continuously monitoring your IT infrastructure, you can also set rules so that when specific conditions are met, it triggers an incident, and, in some cases, sends a notification.
Reports
Reports are pre-defined search queries. FortiSIEM includes a large catalog of reports for common devices and IT analysis tasks that you can use and customize, and you can also save searches that you've run as reports to use again later.
- Search
- Rules
- Reports
- Audit
- Visual Analytics
- Real Time Performance Probe
Search
Historical and Real Time search is the core functionality of FortiSIEM analytics, enabling you to analyze, report on, and further improve your IT infrastructure.
- Historical Search
- Real Time Search
- Structured Search Operators
- Selecting Attributes for Structured Searches, Display Fields, and Rules
- Using Expressions in Structured Searches and Rules
- Keywords and Operators for Simple Searches
- Using Geolocation Attributes in Searches and Search Results
- Creating Filter Criteria and Display Column Sets
Historical Search
With the Historical Search feature, you can go back in time and retrieve events from the event database. By using
either a simple keyword-based search or a more detailed structured search, you can get quick and valuable
insights into events that have occurred over any selected time period.
- Overview of the Historical Search User Interface
- Example of How a Structured Historical Search is Processed
- Sample Historical Searches
- Creating a Simple Historical Search
- Creating a Structured Historical Search
- Using System-Defined Reports for Historical Search
- Overview of Historical Search Results and Charts
- Refining the Results from Historical Search
- Converting an Historical Search to a Real Time Search
- Converting an Historical Search to a Rule
Overview of the Historical Search User Interface
You can run two types of historical searches on FortiSIEM data: simple searches, in which you use a keyword
search, and structured searches, in which you can specify search conditions and how the results should be
grouped.
- Simple Historical Search
- Structured Historical Search
Simple Historical Search
When you use simple historical search, you enter a keyword to search for in the logs collected by FortiSIEM, specify any filter criteria, and then run the search, which will produce a chart and a list of results matching your search criteria. You can then use additional user interface controls to change the chart display, filter or find more information about events in the result list, and export or share results. This screenshot shows the results of a simple search using the keyword TCP.
Simple Historical Search User Interface Controls
UI Control
Description

Search Criteria
For simple historical search, use the search box to find keywords in raw event logs. You can also load an existing historical search report to use for your search criteria, or create a rule from your search results.

List Display Columns
Select which columns will be displayed in the search results

Filters
Set the time interval over which you want to search, and, for multi-tenant deployments, which organization's logs you want to search

Report Management
- Save - Saves the report to Generated Reports where it will be retained for the time period you specify. You can also select whether you want the search criteria to be saved as a report that you can use in the future.
- Export - Export the report, with the option of including the chart, as a PDF or CSV file
- Email - Email the report as a CSV or PDF file, with the option of including the chart
- Copy to a new tab - Load the search into a new tab within FortiSIEM

Chart Display
You can set both the data you want to display, and how it should be displayed. See Overview of Historical Search Results and Charts for more about the different chart types.

Event Filter
Select an event from the results, and add its attributes to structured search conditions.

Event Information
Select an event, and view Quick Info about it, or view Location information about it such as source or destination IPs.
Structured Historical Search
With historical structured search, you can enter conditions for your search based on event attributes, and set which attributes will be used to group the search results in a way that is similar to the use of the Group By command in SQL.
This screenshot shows a structured historical search for All Non-Reporting Modules selected from the system Reports > Event Status. The screenshot below it shows a close-up of the Conditions and Group By options dialog. See Creating a Structured Historical Search and Structured Search Operators for more information about these options.
Example of How a Structured Historical Search is Processed
When you run a structured historical search, all events within the specified time window are examined and added
to the result set following these steps:
1. The system fetches the next event within the search time window and applies the filtering criteria. If the event
does not pass the filtering criteria, the system fetches the next event.
2. If the event passes the filtering criteria, the system then compares the attributes of this event against the other
entries in the result set. If the current event contains an attribute that is included in the Group By attribute set,
then the results for that attribute are updated. Otherwise, a new entry is created in the result set.
3. After all the events in the search time window are processed, the system sorts the results to produce the final
result set.
As an example, consider these events in the event database, and running a search for Top Firewall Recorded Conversations Ranked By Total Connections (Descending) and Total Bytes (descending) over them.

Event id  Time      Reporting Device  Source IP    Destination IP  Protocol  Source Port  Destination Port  Total Bytes
1         1/1/2010  10.1.1.1          192.168.1.1  192.168.10.4    TCP       2033         80                1024
2         1/2/2010  10.1.1.1          192.168.1.2  192.168.10.4    TCP       3000         443               4096
3         1/3/2010  10.1.1.1          192.168.1.1  192.168.10.4    TCP       2034         80                1024
4         1/4/2010  10.1.1.1          192.168.1.2  192.168.10.5    TCP       3001         443               2048
5         1/4/2010  10.1.1.1          192.168.1.1  192.168.10.4    TCP       2035         80                1024
6         1/5/2010  10.1.1.1          192.168.1.2  192.168.10.6    TCP       3002         443               2048
7         1/5/2010  10.1.1.2          192.168.1.1  192.168.10.4    TCP       9000         80                1024

Search: Top Firewall Recorded Conversations Ranked By Total Connections (Descending) and Total Bytes (descending)
Search Criteria:
- Filtering criteria: Reporting Device IP IN Firewall AND Event Type IN Permit Traffic
- Group-By attributes: Source IP, Destination IP, IP Protocol, Destination Port
- Display attributes: Source IP, Destination IP, IP Protocol, Destination Port, SUM(Matched Events) DESC, SUM(Total Bytes) DESC
- Query window: Between 1/2/10 and 1/5/10
Result:

Source IP  Destination IP  Protocol  Destination Port  COUNT(Matched Events)  SUM(Total Bytes)
192.1.1.1  202.1.1.4       TCP       80                3                      3072
192.1.1.2  202.1.1.4       TCP       80                1                      4096
192.1.1.2  202.1.1.5       TCP       443               1                      2048
192.1.1.2  202.1.1.6       TCP       443               1                      2048
You could then run another search over these results:

Search: Top Destination IPs Ranked By Total Connections (Descending) and Total Bytes (descending)
Search Criteria:
- Filtering criteria: Reporting Device IP IN Firewall AND Event Type IN Permit Traffic
- Group-By attributes: Destination IP
- Display attributes: Destination IP, SUM(Matched Events) DESC, SUM(Total Bytes) DESC
- Query window: Between 1/2/10 and 1/5/10

Result:

Destination IP  COUNT(Matched Events)  SUM(Total Bytes)
202.1.1.4       4                      7 KB
202.1.1.5       1                      2 KB
202.1.1.6       1                      2 KB
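The three processing steps above, worked through in code as an added example that is not part of the FortiSIEM documentation: the engine below runs both searches over the event table from the text. The CMDB group "Firewall" (containing both reporting devices), the event type "Permit Traffic" on every event, and the attribute names are constructed assumptions; the rows carry the addresses from the event table.

```python
"""Model of how a structured historical search is processed: filter each event,
update or create its Group By entry, then sort the result set.

Added example, not FortiSIEM code.  The event table is the one from the text;
CMDB membership and the "Permit Traffic" event type are constructed so that
the page's filtering criteria admit the events."""
from collections import OrderedDict
from datetime import date

# Constructed CMDB group, standing in for "Reporting Device IP IN Firewall".
CMDB_GROUPS = {"Firewall": {"10.1.1.1", "10.1.1.2"}}

# The seven events from the text.  "etype" is an assumption: the table has no
# event type column, so every event is marked "Permit Traffic".
EVENTS = [
    {"id": 1, "time": date(2010, 1, 1), "reporter": "10.1.1.1", "src": "192.168.1.1",
     "dst": "192.168.10.4", "proto": "TCP", "sport": 2033, "dport": 80, "bytes": 1024},
    {"id": 2, "time": date(2010, 1, 2), "reporter": "10.1.1.1", "src": "192.168.1.2",
     "dst": "192.168.10.4", "proto": "TCP", "sport": 3000, "dport": 443, "bytes": 4096},
    {"id": 3, "time": date(2010, 1, 3), "reporter": "10.1.1.1", "src": "192.168.1.1",
     "dst": "192.168.10.4", "proto": "TCP", "sport": 2034, "dport": 80, "bytes": 1024},
    {"id": 4, "time": date(2010, 1, 4), "reporter": "10.1.1.1", "src": "192.168.1.2",
     "dst": "192.168.10.5", "proto": "TCP", "sport": 3001, "dport": 443, "bytes": 2048},
    {"id": 5, "time": date(2010, 1, 4), "reporter": "10.1.1.1", "src": "192.168.1.1",
     "dst": "192.168.10.4", "proto": "TCP", "sport": 2035, "dport": 80, "bytes": 1024},
    {"id": 6, "time": date(2010, 1, 5), "reporter": "10.1.1.1", "src": "192.168.1.2",
     "dst": "192.168.10.6", "proto": "TCP", "sport": 3002, "dport": 443, "bytes": 2048},
    {"id": 7, "time": date(2010, 1, 5), "reporter": "10.1.1.2", "src": "192.168.1.1",
     "dst": "192.168.10.4", "proto": "TCP", "sport": 9000, "dport": 80, "bytes": 1024},
]
for _event in EVENTS:
    _event["etype"] = "Permit Traffic"

# "Query window: Between 1/2/10 and 1/5/10"; event 1 falls outside it.
WINDOW = (date(2010, 1, 2), date(2010, 1, 5))


def passes_filter(event, start, end):
    """Step 1: the query window plus the filtering criteria
    'Reporting Device IP IN Firewall AND Event Type IN Permit Traffic'."""
    return (start <= event["time"] <= end
            and event["reporter"] in CMDB_GROUPS["Firewall"]
            and event["etype"] == "Permit Traffic")


def structured_search(events, group_by, start, end):
    """Steps 1 to 3.  group_by names the event attributes to group on.  Returns
    rows of (group attributes..., COUNT(Matched Events), SUM(Total Bytes))
    ordered by count DESC, then total bytes DESC, as both searches request."""
    result_set = OrderedDict()           # insertion order = first-match order
    for event in events:
        if not passes_filter(event, start, end):
            continue                     # step 1: fetch the next event
        key = tuple(event[attr] for attr in group_by)
        if key in result_set:            # step 2: attribute set already present
            entry = result_set[key]
        else:                            # step 2: otherwise create a new entry
            entry = result_set[key] = {"count": 0, "bytes": 0}
        entry["count"] += 1              # SUM(Matched Events)
        entry["bytes"] += event["bytes"]  # SUM(Total Bytes)
    rows = [key + (v["count"], v["bytes"]) for key, v in result_set.items()]
    # Step 3: sort.  Python's sort is stable even with reverse=True, so groups
    # that tie on both measures keep the order in which they were first seen.
    rows.sort(key=lambda r: (r[-2], r[-1]), reverse=True)
    return rows


def top_conversations():
    """First search: Group By Source IP, Destination IP, IP Protocol, Destination Port."""
    return structured_search(EVENTS, ("src", "dst", "proto", "dport"), *WINDOW)


def top_destinations():
    """Second search: the same events grouped by Destination IP only."""
    return structured_search(EVENTS, ("dst",), *WINDOW)


if __name__ == "__main__":
    for row in top_conversations():
        print(row)
    for row in top_destinations():
        print(row)
```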
Sample Historical Searches
- Sample Filter Criteria
- Sample Structured Searches
Sample Filter Criteria

Filter criteria: Raw Event Log CONTAINS "login AND failed"
Type: Simple (keyword) search
Meaning: Only events that contain both the keywords "login" and "failed" are part of the report

Filter criteria: Raw Event Log CONTAINS "denied"
Type: Simple (keyword) search
Meaning: Only events that contain the keyword "denied" are part of the report

Filter criteria: Reporting Device IP = 10.1.1.1
Type: Structured search
Meaning: Only events from the device that is reporting with IP address 10.1.1.1 are part of the report

Filter criteria: Reporting Device IP IN Firewall
Type: Structured search
Meaning: Only events from firewall devices in CMDB are part of the report

Filter criteria: Reporting Device IP IN Firewall AND Event Type IN Deny Traffic
Type: Structured search
Meaning: Only firewall deny events from firewall devices in CMDB are part of the report

Filter criteria: Reporting Device IP IN Firewall AND Event Type IN Deny Traffic AND (Source IP = 192.1.1.1 OR Dest IP = 192.1.1.1)
Type: Structured search
Meaning: Denied traffic from 192.1.1.1 or to 192.1.1.1 reported by firewall devices in CMDB is part of the report

Filter criteria: Reporting Device IP IN Domain Controller AND Event Type IN User/Group Change AND user NOT IN Domain Admins
Type: Structured search
Meaning: Domain Controller User/Group Changes not performed by users in the Domain Admins group

Filter criteria: Raw Event Log REGEXP "faddr\s+\d+.\d+\d+\d+"
Type: Structured search
Meaning: Only events that contain strings like "faddr 10.1.1.1", "faddr 192.168.29.1" are included in the report.
Sample Structured Searches
The following examples illustrate how to write a search using the AccelOps GUI.

Search: Top Reporting Firewalls ranked by event count in the last hour
Specification in AccelOps GUI:
- Filter Criteria: Reporting Device IP IN Firewall
- Group By attributes: Reporting Device IP
- Display attributes: Reporting IP, COUNT(Matched Events) DESC
- Query window: 1 hour

Search: Top Reporting Firewalls and Event Types ranked by event count in the last hour
Specification in AccelOps GUI:
- Filter Criteria: Reporting Device IP IN Firewall
- Group By attributes: Reporting Device IP, Event Type
- Display attributes: Reporting IP, Event Type, Severity, COUNT(Matched Events) DESC
- Query window: 1 hour

Search: Top Firewall Denied Source IPs ranked by the total number of attempts in the last hour
Specification in AccelOps GUI:
- Filter Criteria: Reporting Device IP IN Firewall AND Event Type IN Deny Traffic
- Group By attributes: Source IP
- Display attributes: Source IP, COUNT(Matched Events) DESC
- Query window: 1 hour

Search: Top Firewall Recorded Conversations Ranked By Sent Bytes (descending), Received Bytes (descending)
Specification in AccelOps GUI:
- Filter Criteria: Reporting Device IP IN Firewall AND Event Type IN Permit Traffic
- Group By attributes: Source IP, Destination IP, IP Protocol, Destination Port
- Display attributes: Source IP, Destination IP, IP Protocol, Destination Port, SUM(Sent Bytes) DESC, SUM(Received Bytes) DESC
- Query window: 1 hour

Search: All unauthorized domain user/group changes in the last week
Specification in AccelOps GUI:
- Filter Criteria: Reporting Device IP IN Domain Controller AND Event Type IN User/Group Change AND user NOT IN Domain Admins
- Group By attributes: none
- Display attributes: Time, event type, user, computer, domain, target user, target domain
- Query window: 1 week
Creating a Simple Historical Search
- Prerequisites
- Procedure
Prerequisites
If you need to familiarize yourself with how historical search works or the historical search interface, you should read these topics:
- Overview of the Historical Search User Interface
- Example of How a Structured Historical Search is Processed
- Sample Historical Searches
- Structured Search Operators
Procedure
1. Log in to your Supervisor node.
2. Go to Analytics > Historical Search.
3. For Filter Criteria, select Simple.
4. Enter the keywords you want to search for in the raw event logs.
See Keywords and Operators for Simple Searches for information on keyword searching.
5. Under Display Fields, select the attributes you want to use as the columns in your results list. See Selecting Attributes for Structured Searches, Display Fields, and Rules and Creating Filter Criteria and Display Column Sets for options for selecting display field attributes and sets.
6. For Time, set the interval over which you want the search to run.
7. For Service Provider deployments, select the Organization you want to run the search against.
8. Click Run.
The results of your search will be displayed in the chart and search results list.
Creating a Structured Historical Search
- Prerequisites
- Procedure
Prerequisites
If you need to familiarize yourself with how historical search works or the historical search interface, you should read these topics:
- Overview of the Historical Search User Interface
- Example of How a Structured Historical Search is Processed
- Sample Historical Searches
- Structured Search Operators
Procedure
1. Log in to your Supervisor node.
2. Go to Analytics > Historical Search.
3. For Filter Criteria, select Structured. The Conditions and Group By search window will open.
4. Click the downward arrow in the search window to open the Conditions and Group By options.
Alternatively you can click ... to use a saved Filter Criteria Set.
5. Under Conditions, set the Attribute, Operator, and Value for your condition.
You can also use expressions as search conditions. See Using Expressions in Structured Searches and Rules for more information, and Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about using attributes in conditions.
6. Click + under Row to add another condition, and set the Next Operator to use for that condition. You can give precedence to conditions by setting parentheses around them with the + button under Paren.
7. Under Group By, set the event attributes that you want to use to group the results, as described in Example of How a Structured Historical Search is Processed.
8. Click OK.
You can also click Save as Filter Criteria Set, and these conditions and group by attributes will be available for future historical searches by clicking ... next to the search window.
9. Under Display Fields, select the attributes you want to use as the columns in your results list. See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about selecting attributes for devices and events to use as display fields.
10. For Service Provider deployments, select the Organization you want to run the search against.
11. For Time, set the interval over which you want the search to run.
12. Click Run. The results of your search will appear in the chart and results list.
Using System-Defined Reports for Historical Search
FortiSIEM includes a number of pre-defined reports that you can use as the basis for historical searches.
- Viewing Available Reports
- Using System-Defined Reports in Historical Searches
Viewing Available Reports
1. Log in to your Supervisor node.
2. Go to Analytics > Reports.
3. Select a report group in the navigation pane, and then a report. Each report includes four information tabs:
Summary: Includes the name, description, and all the criteria used in constructing the historical search for the report.
Schedule: Any scheduled runs for the report. See Scheduling Reports for more information.
Results: Any saved results from running the report.
Definition: The XML definition of the report.
Using System-Defined Reports in Historical Searches
1. Log in to your Supervisor node.
2. Go to Analytics > Historical Search.
3. Click Load Report.
4. Select the report you want to use, and then click OK.
5. Follow the same steps that you would for Creating a Structured Historical Search.
Overview of Historical Search Results and Charts
When your search runs, you will see both a Results List in the bottom pane of the screen, and a chart in the
middle pane. The types of charts that are displayed depend both on the data being analyzed, and whether or not
you have specified any Group By conditions in your search. You can also add dimensions to your search results
and change the chart display type for further analysis.
- Non-Aggregated Search Results
- Aggregated Search Results
Non-Aggregated Search Results
Non-aggregated searches are searches that don't use any Group By conditions to process the results. These
types of searches produce two views of the results:
View: Trend
Description: Shows the trend over time for search results.

View: Results List
Description: Shows the results of the search based on the Search Display fields you selected.
Aggregated Search Results
Aggregated searches are those that use a Group By condition to process the results.
View: Results List
Description: Shows the results of the search based on the Group By and Display fields you selected.
Notes: This example shows the search results for Top Event Types by Count:
- Filter Condition: Empty
- Group By Condition: Event Type
- Selected Display Fields: Event Type and COUNT(Matched Events)

View: Trend
Description: Shows the time trend of aggregated fields (one at a time).
Notes: There are two trend views of results for aggregated searches, the line chart, shown here as the first chart, and the stack chart, shown as the second chart. In this example, the line chart illustrates when the events occurred. The stacked display avoids line crossings, but the values have to be read off as the height and not the absolute value. For example, the event count for PIX-302015 at 9:00 hours is 20,000 - 14,000 = 6,000.

View: Pie Chart
Description: Shows the proportion for the COUNT(Matched Events) attribute.
Notes: For any set of results where you are charting Count (Matched Events), click the Pie Chart icon to view a proportional representation of the results.

View: Bar Chart
Description: Shows the distribution of aggregated fields.
Notes: For any set of results where you are charting Count (Matched Events), click the Bar Chart icon to view the distribution of events for your results.

View: Scatter Plot
Description: Shows the correlation between two aggregated fields.
Notes: Scatter plots can show the correlation between two aggregated dimensions, effectively converting a one dimensional chart into a two dimensional one. In this case, a report is run with these parameters:
- Filter Condition: Event Types PH_DEV_MON_SYS_CPU_UTIL and PH_DEV_MON_SYS_MEM_UTIL
- Group By attribute: Host Name
- Display Fields: AVG(CPU Utilization) and AVG(Memory Utilization)
The results are first presented as a stacked trend and bar chart. When you click on the Scatter Plot Chart icon, you can now see the display fields as two dimensions, which shows that most devices use more memory than CPU. Hovering your mouse cursor over an item in the chart displays the values for the selected host.

View: Bubble Plot
Description: Shows the correlation between two aggregated fields with a third dimension as size.
Notes: A bubble plot is a scatter plot with a third dimension field added to indicate size. In this example, the same type of search that was used to generate the scatter plot example is run, though the display field Last (System Uptime) has been added as a Size indicator.

View: Tree Map
Description: A hierarchical tree-structured visualization that can be used to analyze dominating components of multidimensional data.
Notes: A tree map is a hierarchical tree-structured visualization that you can use to analyze dominant components of multi-dimensional data. A classic example is an attempt to understand Top Talkers in a network. The results, which run to 400 pages with approximately 10,000 entries, do not provide any information about:
- The proportion of the Top Destination Port
- The proportion of Top Source IPs for a given Destination Port
- The proportion of Top Destination IPs for a given Destination Port and Source IP
By switching to a Tree chart, you can now see:
- Top ports are 161 (SNMP) and 53 (DNS), with SNMP taking roughly 1.5 times the connections
- The top destinations for DNS are 192.168.0.10 (Internal DNS) and 208.67.222.222 (External DNS)
- The top sources going to 192.168.0.10 on the DNS port are 192.168.20.116 and 192.168.65.125
- The top sources going to 208.67.222.222 on the DNS port are 192.168.0.10
You can now drill down on port 53 for a closer view by clicking 53.00 in the tree map, which results in the third screenshot in this example.

View: Heat Map
Description: Visualizes calculated measures in two dimensions using a color grade that helps users to understand intensity.
Notes: A heat map visualizes two display fields using a color gradient that indicates intensity. A classic example is an attempt to understand which host is talking on which network port. In this example, a search is run with these parameters:
- Filter Conditions: Group:Permit Traffic
- Group By attributes: Destination TCP/UDP Port, Source IP
- Display Fields: Destination TCP/UDP Port, Source IP, COUNT(Matched Events)
The first screenshot shows the results as a stacked trend chart. The second shows the results as a heat map with the Sample set to 1000. You can now hover your mouse cursor over indicators of higher intensity to view specific information. In this case 192.168.0.10, which appears as a small red bar in the lower left corner, is a heavy contributor to traffic on Port 53. In addition, vertical lines indicate multiple hosts communicating on the same port, for example ports 22, 53, 80, 443, while horizontal lines indicate the same host talking across multiple ports.
Refining the Results from Historical Search
Overview of Historical Search Results and Charts describes the charts that you can use to visualize historical
search results, but there are also a variety of methods you can use to drill down into search results and refine your
queries.
- Charting a Specific Row from Historical Search Results
- Charting Multiple Aggregation Attributes on the Same Historical Search Results Chart
- Drilling Down on Search Results by Time Interval
- Using Search Results to Refine Historical Searches
- Using Tabs to View Multiple Search Results
Charting a Specific Row from Historical Search Results
When your chart loads, the top five items are displayed as color-coded stack charts, as shown in the example of
this screenshot. However, you may want to remove results from the chart to get a clearer view of what is
happening with a specific result. Here, for example, there are spikes for 192.168.19.65 that are clearly visible at
various intervals, but the chart results for the other IPs obscure much of what is happening with this source IP.
The solution is to remove the other Source IPs from the chart. In the Chart column of the Results List, click on
the items you want to remove from or add to the chart. In this example, all four of the other IPs have been
removed from the chart to obtain a clearer visualization of the activity for 192.168.19.65.
Charting Multiple Aggregation Attributes on the Same Historical Search Results Chart
When you run a query, the resulting chart typically displays the first aggregated attribute in the Results List.
However, if there are other aggregated attribute values in the search results, you can add those to the chart as a
second dimension.
This screenshot shows the results for the report Top Router Network Intf By Util, Error, Discards, which includes the values for a single aggregated attribute, AVG(In Intf Util), for incoming interface utilization.
In this case, it could also be informative to understand more about the outbound interface utilization. In the second Chart For menu, AVG(Out Intf Util) is selected, and this is added as a second dimension to the chart beneath the 0 line, as shown in this screenshot.
Drilling Down on Search Results by Time Interval
When you run a search, the chart displays results for the time interval you set in your original query. However, you
can also drill down to 5 minute, 10 second, and 1 second time intervals for a closer inspection of the results.
1. Hover your mouse cursor over the result and time interval you want to drill down on until the information pop-up appears, as shown in the first example screenshot.
2. Click to drill down and view the results for a 5 minute interval.
3. Follow the same process to drill down to the 10 second and one second intervals.
This series of screenshots illustrates starting from the original search results, and then drilling down to the 5 minute interval.
Using Search Results to Refine Historical Searches
In this screenshot of search results you can see a small but sudden spike in the SUM(Total Bytes) for
Destination TCP/UDP Port 20756, which is represented by the color purple in the chart. In order to understand
what is happening in this time interval, you can select this port and the time period of interest, and use these as
filter criteria for a deeper investigation.
1. In the Results List, select the row containing the item of interest.
2. Click the Filter menu, and you will see the attributes of the selected item as filter options.
3. Select the attribute you want to use for your filter.
In this case, you would select Destination TCP/UDP Port = 20756.
Adding a Specific Attribute Value to a Filter
You can also click in the cell of the Results List that contains the attribute value you want to use in your filter, and then select Add to Filter from the pop-up menu that appears when you hover your mouse cursor over the attribute value.
4. In the Show menu select Raw Messages.
This will include the raw event logs in the Incident Details.
5. In the Display Fields menu, add or remove any display fields you want for the refined search results.
In this case two fields are added, Destination TCP/UDP Port and Total Bytes.
6. In the chart, click on the time period that is of interest to add it to the search criteria.
7. Click Run.
This screenshot shows the results for the selected port and time period, indicating that two events originating from Seattle WA were responsible for the spike.
8. Click in the Raw Event Log column for an event to view the event details.
See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information on how to view the attributes for reported events and add them to the display fields for your results.
Using Tabs to View Multiple Search Results
There may be occasions when you want to be able to run and compare the results of multiple searches.
1. Run your first search.
2. In the upper-left corner of the search screen, click +.
A new tab will open up in the Analytics Window.
3. Run your second search in the new tab.
New Tabs for Drill-Down and Refined Searches
If you refine an existing search, zoom in on a time period, or use the time interval drill-down to examine search
results, new tabs are automatically generated for each level of drill down, and for each refined search. When you
select an attribute to use in a refined search, you can also select Add to Filter in New Tab from the Options
menu.
Converting an Historical Search to a Real Time Search
In the course of running an historical search, you may produce results that you want to examine in real time. For example, suppose that an historical search shows that yesterday there was an excessive amount of outgoing traffic from your home country or countries that you do business with. You may want to know if this same traffic pattern is happening right now, in real time. You can answer this question from within the same historical search that raised your suspicions.
1. In the historical search window, click Real Time Search.
The historical search criteria are loaded into a Real Time Search window and begin to execute.
2. You can now refine your Real Time Search results to reflect your current interest, for example by adding a Destination Country attribute to the display results and running the search again.
Converting an Historical Search to a Rule
Example
While using historical search, you may observe a pattern that you want to use as a rule so if the pattern recurs, it will trigger an alert. For example, in an historical search you may notice excessive traffic going outside your country or the countries you do business with. You can generate a rule to watch for this traffic pattern from within the historical search.
These screenshots show the conditions and results for the example of an historical search for excessive outgoing traffic.
Following this example, you may now want to create a rule that will send you an alert when a particular source sends more than 1000 connections, or more than 5MB of traffic, in five minutes.
Procedure
1. In the historical search that you want to use as the basis for your rule, click Create Rule. The Rule Editor will load, with most information for the rule auto-populated from the search. You can also read the topics under Rules for more information about creating rules.
2. Enter a Rule Name and Description.
3. Set the Severity to associate with incidents generated by this rule.
4. Set the Incident Category to associate with incidents generated by this rule.
5. Set the number of seconds for the Time Window that this rule should apply to.
In the example of excessive outgoing traffic over a five minute period, this would be set to 300.
6. Under the Conditions, click the Edit icon for Filter_1.
You will see that all your filter conditions for the search have been populated into this sub pattern.
7. You can now edit the Filter and Aggregate conditions for your original search, or change the Group By conditions.
8. Click Save when you're done editing the rule.
This screenshot shows editing the rule sub pattern Filter_1 from the original rule conditions, with the Aggregate Conditions for COUNT(Matched Events) and SUM(Total Bytes) set to 1000 and 5242880 to match the new alert conditions from the example historical search, and the AND operator changed to OR.
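As an added worked example (not FortiSIEM code), the following Python applies the rule from this example to constructed events: the Filter_1 sub pattern, grouping by Source IP over a 300 second Time Window, and the two aggregate thresholds joined by OR. The home-country set, the tumbling-window simplification and the sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Rule parameters taken from the example above: a 300 second Time Window and
# the aggregate conditions COUNT(Matched Events) > 1000 OR SUM(Total Bytes) > 5242880.
TIME_WINDOW_SECONDS = 300
COUNT_THRESHOLD = 1000
BYTES_THRESHOLD = 5242880  # 5 MB
# Constructed stand-in for "your country or the countries you do business with".
HOME_COUNTRIES = {"United States"}


def filter_1(event):
    """Sub pattern Filter_1: the search's filter condition, here outgoing
    traffic whose Destination Country is outside the home set."""
    return event.get("Destination Country") not in HOME_COUNTRIES


def evaluate_rule(events, window=TIME_WINDOW_SECONDS):
    """Group Filter_1 matches by Source IP into fixed (tumbling) windows of
    `window` seconds and apply the two aggregate conditions joined by OR.
    Tumbling rather than sliding windows is a simplification of the real rule
    engine. Returns one incident per (Source IP, window) that triggers."""
    buckets = defaultdict(lambda: {"count": 0, "bytes": 0})
    for ev in events:
        if not filter_1(ev):
            continue
        epoch = int(ev["Event Receive Time"].timestamp())
        window_start = epoch - epoch % window
        agg = buckets[(ev["Source IP"], window_start)]
        agg["count"] += 1
        agg["bytes"] += ev["Total Bytes"]

    incidents = []
    for (src, start), agg in sorted(buckets.items()):
        if agg["count"] > COUNT_THRESHOLD or agg["bytes"] > BYTES_THRESHOLD:
            incidents.append({
                "Source IP": src,
                "Window Start": datetime.fromtimestamp(start, tz=timezone.utc),
                "COUNT(Matched Events)": agg["count"],
                "SUM(Total Bytes)": agg["bytes"],
            })
    return incidents


def sample_events():
    """Constructed events (not captured from a device) covering both triggers
    and two non-triggering sources; all fall inside one five minute window."""
    base = datetime(2014, 3, 17, 18, 35, tzinfo=timezone.utc)  # constructed

    def make(src, country, n, nbytes, spacing_ms):
        return [{"Event Receive Time": base + timedelta(milliseconds=spacing_ms * i),
                 "Source IP": src, "Destination Country": country,
                 "Total Bytes": nbytes} for i in range(n)]

    events = []
    events += make("10.1.1.5", "Brazil", 1200, 200, 200)         # count threshold trips
    events += make("10.1.1.6", "Germany", 10, 600_000, 1000)     # bytes threshold trips
    events += make("10.1.1.7", "United States", 50, 1000, 1000)  # removed by Filter_1
    events += make("10.1.1.8", "Canada", 50, 1000, 1000)         # under both thresholds
    return events


if __name__ == "__main__":
    for incident in evaluate_rule(sample_events()):
        print(incident)
```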
Real Time Search
You can use Real Time search to view events as they are occurring in real time within your IT infrastructure. You
can use both simple and structured search criteria, as you would with historical search, but instead of the results
displayed in a report like you would see with an historical search, real time search results are displayed as a rolling
graph and summary of events that you can drill down into.
- Overview of the Real Time Search User Interface
- Creating a Simple Real Time Search
- Creating a Structured Real Time Search
- Viewing and Refining Real Time Search Results
Overview of the Real Time Search User Interface
The real time search interface is very similar to the interface for historical search, with the exception that real time
search doesn't have an option to set a search time period. As with historical search, you can also run simple or
structured search queries. The main difference between historical and real time search is that real time search
displays your results as they are occurring in your IT infrastructure, with a scrolling chart and summary of the
results.
- Simple Real Time Search
- Structured Real Time Search
Simple Real Time Search
When you use simple real time search, you enter a keyword to search for in the logs collected by FortiSIEM, set
any columns you want to display in the Raw Event Log Results Summary, and, for multi-tenant deployments,
select any organizations you want to filter the results for. You can then select results in the real time chart to use
for historical searches, or you can select results in the Raw Event Log Results Summary to learn more information
about them or use them as filters in refining your search.
This screenshot shows the results for searching the raw event logs for occurrences of TCP.
Simple Real Time Search Interface Controls
UI Control: Filter Criteria
Description: For simple real time search, use the search box to find keywords in raw event logs. You can also create a rule from your search results.

UI Control: Set Summary Display Columns
Description: Select which columns will be displayed in the Raw Event Log Results Summary.

UI Control: Organizations Filter
Description: For multi-tenant deployments, select which organizations you would like to filter the results for.

UI Control: Real Time Chart
Description: Displays results as they occur in real time. Use the Pause, Fast Forward, Stop, and Clear buttons to control the display.

UI Control: Raw Event Log Results Summary
Description: Displays a summary of the raw event logs for your search results in real time. Click Pause in the real time chart and then select an item in the summary results to view attributes such as Reporting and Destination IP, add an IP address to a watch list, add an attribute as a search filter, or get topological information about network devices. Selecting a result from the summary list also enables the Filter, Quick Info, and Locations buttons.
Structured Real Time Search
For structured real time search, you only enter the filter conditions that you want to use, instead of having to also specify aggregation and group by conditions as you would in a structured historical search.
This screenshot shows the Conditions dialog for structured real time search. You can select attributes and create expressions to use in structured real time search the same way you would in structured historical search.
This screenshot shows the Conditions dialog after having selected Structured in the search controls, with two search conditions set.
Creating a Simple Real Time Search
1. Log into your Supervisor node.
2. Go to Analytics > Real Time Search.
3. In Filter Criteria, select Simple.
4. Enter the keywords you want to search for in the raw event logs collected by FortiSIEM.
See Keywords and Operators for Simple Searches for more information about keyword searching.
5. Select the Display Fields for the results summary.
See Selecting Attributes for Structured Searches and Display Fields for more information about selecting attributes that can be displayed for reported events.
6. For Service Provider deployments, select any Organizations that you want to filter the results for.
7. Click Search.
Related Links
- Keywords and Operators for Simple Searches
- Selecting Attributes for Structured Searches, Display Fields, and Rules
Creating a Structured Real Time Search
1. Log in to your Supervisor node.
2. Go to Analytics > Real Time Search.
3. For Filter Criteria, select Structured. The Conditions search window will open.
4. Click the downward arrow in the search window to open the Conditions options.
Alternatively you can click ... to use a saved Filter Criteria Set.
5. Under Conditions, set the Attribute, Operator, and Value for your condition.
You can also use expressions as search conditions. See Using Expressions in Structured Searches and Rules for more information, and Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about using attributes in conditions.
6. Click + under Row to add another condition, and set the Next Operator to use for that condition.
You can give precedence to conditions by setting parentheses around them with the + button under Paren.
7. Click OK.
You can also click Save as Filter Criteria Set, and these conditions will be available for future searches by clicking ... next to the search window.
8. Under Display Fields, select the attributes you want to use as the columns in your results list.
See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about selecting attributes for devices and events to use as display fields.
9. For Service Provider deployments, select the Organization you want to run the search against.
10. Click Search. The results of your search will appear in the real time chart and results list.
Viewing and Refining Real Time Search Results
When your real time search runs, you will see the results represented as a scrolling chart across the top of the
search results window, and as a scrolling list in the bottom of the window that include the raw event log
information for events matching your search criteria. You can select items in the scrolling chart to use in historical
search, view more information about individual items in the results list, and add attributes from your search
results to your search filters or display fields.
- Selecting Results for Historical Search
- Viewing Information about Real Time Search Results
- Adding Search Results to Search Filters, Watch Lists, or Display Fields
Selecting Results for Historical Search
1. When you see a time interval of events that you want to use for historical search appear in the scrolling chart, click Pause or Stop.
2. Hover your mouse cursor over the bar that represents the time interval until you see the time interval information appear, and then double-click on the bar.
3. The time interval and Event Type will be added to the criteria for an historical search.
Complete the other criteria you want to use for the search as described in Historical Search.
Viewing Information about Real Time Search Results
1. When you see an event appear in the search results list that you want more information about, click Pause or
Stop.
2. Select the event row and click Quick Info to view the Reporting IP, Event Type, Source IP, and Destination IP for that event.
3. To view information about specific attributes of an event, click in the attribute display field and click Quick Info.
For attributes associated with devices, this will open the Quick Info view of the device as described in Overview of the Summary Dashboard User Interface. For event types, it will show info such as the severity and device associated with the event type.
4. To view information about a device's location in the network topology, select it in the display field and then select Topology.
Adding Search Results to Search Filters, Watch Lists, or Display Fields
- With a search result selected in the results list, click Filter to select event attributes to add to the search filter.
- In the expanded Raw Events Log, click on items in the text string to include or exclude them as search filter criteria.
- To add a specific result to the search criteria, in the results list, click on an item in a display field to open the options menu, and then select Add to Filter.
- To add an IP address to a watch list, click on it to open the options menu, and then select Add to Watch List. See Watch Lists for more information.
- See the section on Selecting Attributes from the Raw Event Log Column in the Results Lists in the topic Selecting Attributes for Structured Searches and Display Fields for information on how you can view and select the attributes associated with events to use as search filters or display fields from the real time search results list.
Structured Search Operators
Operator: =, !=
Meaning: Compares whether an attribute is exactly identical or not identical to a specified value.
Allowed on Event Attribute Types or CMDB Group: All except DATE types
Example as seen in GUI:
  Event Type = "PH_DEV_MON_SYS_CPU_UTIL"
  Source IP != 10.1.1.1

Operator: >, >=, <, <=
Meaning: Compares whether an attribute is less or greater than a specified value.
Allowed on Event Attribute Types or CMDB Group: Numeric types: UINT16, UINT32, UINT64, DOUBLE
Example as seen in GUI:
  CPU Util > 10

Operator: IN, NOT IN
Meaning: Determines whether an attribute belongs or does not belong to a set of values. For string valued attributes, the match is case insensitive.
Allowed on Event Attribute Types or CMDB Group: All except DATE type. Allows CMDB Groups.
Example as seen in GUI:
  System Event Category IN (3,6)
  Event Type IN ("PH_DEV_MON_SYS_CPU_UTIL","PH_DEV_MON_SYS_MEM_UTIL")
  Event Type IN ("PH_DEV_MON_SYS_CPU_UTIL",Event Types:Login Failure)
  Source IP IN Devices:Windows, Devices:Unix
  Destination IP IN Networks:VPN Pool

Operator: BETWEEN, NOT BETWEEN
Meaning: Determines whether an attribute is between a range of values.
Allowed on Event Attribute Types or CMDB Group: All except STRING types
Example as seen in GUI:
  Source IP BETWEEN (10.1.1.1, 10.1.1.255)
  CPU Util BETWEEN (20.0, 30.0)
  Event Receive Time BETWEEN (18:35 03/17/2014, 18:35 03/26/2014)

Operator: IS (NULL), IS NOT (NULL)
Meaning: Determines whether an attribute is present or not.
Allowed on Event Attribute Types or CMDB Group: All types
Example as seen in GUI:
  Host Name IS NOT NULL

Operator: CONTAINS, NOT CONTAINS
Meaning: Determines whether a string valued attribute contains a specified substring.
  - For Raw Event Log: the sub-string has to contain the beginning of every word.
  - For all other string type attributes: the sub-string can be in any position.
  (For more general patterns use regular expressions.)
Allowed on Event Attribute Types or CMDB Group: STRING
Example as seen in GUI:
  Event Type CONTAINS "DEV_MON" matches "PH_DEV_MON_CPU"
  Event Type NOT CONTAINS "DEV_MON" does not match "PH_DEV_MON_CPU"
  Reporting Model CONTAINS "dows" matches "Microsoft Windows"
  Reporting Model CONTAINS "soft win" matches "Microsoft Windows"
  Raw Event Log CONTAINS "dows" does not match "Microsoft Windows"
  Raw Event Log CONTAINS "microsoft win" matches "Microsoft Windows 2003"

Operator: REGEXP, NOT REGEXP
Meaning: Determines whether a string valued attribute matches a specified pattern. Raw message needs to be UTF-8 encoded.
Allowed on Event Attribute Types or CMDB Group: STRING
Example as seen in GUI:
  Raw Event Log REGEXP "\d+.\d+\d+.\d+"
  Event Type NOT REGEXP "PH_DEV_MON_.*" - match events with event types not beginning with PH_DEV_MON
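As an added worked example (not FortiSIEM's own code), the following Python models the operator semantics in this table against a constructed event, including the word-prefix CONTAINS rule for Raw Event Log and the case-insensitive IN for strings. The tokenizer, the contiguous-alignment detail of the Raw Event Log rule, case insensitivity for other CONTAINS attributes, IP-aware BETWEEN, and the left-to-right Next Operator combination are assumptions.

```python
import ipaddress
import re

RAW_EVENT_LOG = "Raw Event Log"  # the one attribute with the word-prefix CONTAINS rule

# Constructed sample event, not captured from a real device.
SAMPLE_EVENT = {
    "Event Type": "PH_DEV_MON_SYS_CPU_UTIL",
    "Source IP": "10.1.1.9",
    "CPU Util": 25.0,
    "Reporting Model": "Microsoft Windows",
    "Raw Event Log": "Microsoft Windows 2003 cpu 25.0 mem 40.0",
}


def _words(text):
    """Lower-cased word tokens (the real tokenizer is undocumented; assumption)."""
    return re.findall(r"\w+", text.lower())


def contains(attribute, value, substring):
    """CONTAINS as the table describes it: for Raw Event Log every word of the
    sub-string must be the beginning of a word in the log, so "dows" does not
    match "Microsoft Windows" but "microsoft win" matches "Microsoft Windows 2003";
    for other string attributes the sub-string may sit anywhere. Case insensitive
    matching for non-raw attributes is an assumption."""
    if attribute != RAW_EVENT_LOG:
        return substring.lower() in value.lower()
    needle, hay = _words(substring), _words(value)
    if not needle:
        return False
    # Assumption: sub-string words line up with a contiguous run of log words.
    return any(all(hay[i + k].startswith(w) for k, w in enumerate(needle))
               for i in range(len(hay) - len(needle) + 1))


def _as_ip(value):
    """ip_address for dotted-quad strings, None for anything else."""
    try:
        return ipaddress.ip_address(value) if isinstance(value, str) else None
    except ValueError:
        return None


def between(value, low, high):
    """BETWEEN: inclusive range. IP strings compare as addresses, not text, so
    10.1.1.9 is inside (10.1.1.1, 10.1.1.255) even though "10.1.1.9" sorts after
    "10.1.1.255" as a string (assumption)."""
    ips = [_as_ip(v) for v in (value, low, high)]
    if None not in ips:
        value, low, high = ips
    return low <= value <= high


def in_set(value, members):
    """IN: membership test; string valued attributes match case insensitively."""
    if isinstance(value, str):
        return value.lower() in {str(m).lower() for m in members}
    return value in members


def evaluate(condition, event):
    """Evaluate one (Attribute, Operator, Value) row against an event dict.
    An attribute missing from the event is treated as NULL."""
    attribute, operator, value = condition
    actual = event.get(attribute)
    if operator == "IS NULL":
        return actual is None
    if operator == "IS NOT NULL":
        return actual is not None
    if actual is None:
        return False  # an absent attribute satisfies no other test
    if operator == "=":
        return actual == value
    if operator == "!=":
        return actual != value
    if operator in (">", ">=", "<", "<="):
        return {">": actual > value, ">=": actual >= value,
                "<": actual < value, "<=": actual <= value}[operator]
    if operator in ("IN", "NOT IN"):
        return in_set(actual, value) == (operator == "IN")
    if operator in ("BETWEEN", "NOT BETWEEN"):
        return between(actual, *value) == (operator == "BETWEEN")
    if operator in ("CONTAINS", "NOT CONTAINS"):
        return contains(attribute, actual, value) == (operator == "CONTAINS")
    if operator in ("REGEXP", "NOT REGEXP"):
        return (re.search(value, actual) is not None) == (operator == "REGEXP")
    raise ValueError(f"unknown operator {operator!r}")


def matches(rows, event):
    """Combine rows with their Next Operator (AND by default, or "OR" given as a
    fourth element), left to right; the builder's Paren grouping is not modelled."""
    result, next_op = None, "AND"
    for attribute, operator, value, *rest in rows:
        current = evaluate((attribute, operator, value), event)
        if result is None:
            result = current
        elif next_op == "OR":
            result = result or current
        else:
            result = result and current
        next_op = rest[0] if rest else "AND"
    return bool(result)
```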
Selecting Attributes for Structured Searches, Display Fields, and Rules
For both Real Time and Historical structured searches you have the option to select event attributes to use in
both your search and Group By filters, and as display fields in your result lists. Since FortiSIEM recognizes over
130,000 event attributes, the documentation and user interface provide several ways to find the attributes you
want to use. These instructions show how to access the Common Attributes menu and the CMDB attribute
browser through the Attributes in search conditions, but you can access the same functionality in the Display
Fields menu for searches, and when you create a new rule. They also contain information on how you can access
the attributes associated with reported events through the Raw Event Logs column of results lists.
- The Event Dictionary and Master Attribute List
- Selecting Attributes in the Common Attributes Menu
- Selecting Event Attributes from the CMDB
- Selecting Attributes from the Raw Events Log Column of the Results Lists
The Event Dictionary and Master Attribute List
This documentation includes an Event Dictionary that describes events and their attributes, and an attribute
master list, which lists the primary event attributes and their data type, along with a brief description of what
values FortiSIEM expects to see when that attribute information is returned.
Selecting Attributes in the Common Attributes Menu
This screenshot shows the Common Attributes menu open in the Conditions Builder for an Historical search.
Open the menu by clicking the downward arrow next to an Attribute text field. You can scroll through the list of
event attributes to select the one you want, or begin typing an attribute name and the menu will sort based on
your entry.
Selecting Event Attributes from the CMDB
You also have the option to browse all the attributes listed in the CMDB to find the one that you want. These two
screenshots show the CMDB attribute browser, which you can access by clicking ... next to the Attribute text
field. The first screenshot illustrates browsing the CMDB attributes based on Device Type and Feature Type:
Availability, Change, Performance, Security, and All. In this example, Security has been selected for
Feature Type, and Cisco IOS has been selected for Device Type. This loads all the security attributes
associated with the Cisco IOS into the Attribute List.
The second screenshot illustrates browsing the CMDB Event Types to find an event attribute. In this example,
Cisco ASA is selected for Device Type. Clicking in the Event Type window opens an Event Browser for the
CMDB. Select any group in the browser, and you will see the event types within that group that are applicable to
the Device Type you selected.
Selecting Attributes from the Raw Events Log Column of the Results Lists
All real time search results lists include a Raw Event Log column, and you can add a Raw Event Log column to the list of results for historical searches. In addition to providing detailed information from the raw event logs, you can also use this column to view all the attributes associated with a reported event and add them to the display fields in your results list or to your filters for structured searches.
1. Click in the Raw Event Log column of your results list to collapse the view.
The raw event log text will collapse into an information icon with a blue +.
2. Click the blue + icon to open the Event Details.
You will see the raw event log text and a list of all the attributes associated with that event type.
3. Select Filter or Display to add an attribute to the search filters or display fields for that search.
4. Click X to close the Event Details window when you're done making your selections.
Using Expressions in Structured Searches and Rules
An expression can contain a single event attribute, multiple attributes, or functions that contain an event attribute as their argument. You can also use parentheses and arithmetic operators to form complex expressions.
You can enter an expression manually, paste it in, or build it dynamically using the Expression Builder. Even if you use the Expression Builder, you still have to type any parentheses or arithmetic operators into the expression yourself.
- The Expression Builder
- Creating Expressions
The Expression Builder
You can access the Expression Builder by clicking the e icon next to the Attribute or Value field when creating a
structured search or rule.
This screenshot shows the Expression Builder open for creating a rule.
Creating Expressions
Adding a Function
To add a function to the expression, select it from the Add Function menu, and then click the + icon. The available functions depend on whether you are creating an expression to use as part of a filter condition for a search or rule, or as part of the aggregation conditions for a rule.
Selecting Function-Specific Attributes
When you select any type of function, the function and a set of parentheses will be added to the expression. If you place your cursor within the parentheses and then open the Event Attribute menu, you will see event attributes that are relevant for that function. For example, if you select COUNT as the function, (MATCHED ITEMS) will automatically appear between the parentheses and will be selected in the Event Attribute menu. If you select a function like AVG for an aggregation condition, you will see options such as CPU Util and Apache Uptime. If you select a function like HourOfDay for a filter condition, you will see options like Access Time and Vulnerable Since. You can search through the options in either situation by beginning to type a keyword in the Event Attribute menu. Selecting Attributes for Structured Searches, Display Fields, and Rules has more information about ways to search for and select event attributes.
Filter Condition Functions
If you select HourOfDay or DayOfWeek for the function, the Event Attributes menu will contain date and time-related event attributes, while if you select DeviceToCMDBAttr, it will contain device-related attributes.

Function: Description
HourOfDay: Specify an hour of the day in the condition
DayOfWeek: Specify a day of the week in the condition
DeviceToCMDBAttr: If you add the DeviceToCMDBAttr() function to the expression, the first argument must be an event attribute, and the second argument must be a CMDB attribute, which you can select using the CMDB Attribute menu. The DeviceToCMDBAttr function is used to create expressions for per-device thresholds.

This screenshot shows the beginning of creating an expression to use as the Attribute in a condition for an historical search. HourOfDay is selected as the Function, and Access Time is selected as the Event Attribute.
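The per-device threshold that DeviceToCMDBAttr makes possible, and the off-hours filters that HourOfDay and DayOfWeek make possible, evaluate as in the following Python. This is an added example written for this edit, not FortiSIEM code: the CMDB entries and events are constructed, and the CMDB attribute name cpuThreshold, the event attribute names (hostIpAddr, cpuUtil, accessTime) and the use of UTC for the time functions are assumptions made for the example.

```python
from datetime import datetime, timezone

# Constructed stand-in for the CMDB. The per-device property name
# "cpuThreshold" is an assumption: the guide does not name the CMDB
# attributes that DeviceToCMDBAttr can read.
CMDB = {
    "10.1.1.9":  {"cpuThreshold": 95.0},   # busy database server, allowed to run hot
    "10.1.1.10": {"cpuThreshold": 70.0},   # web server, alert early
}
GLOBAL_CPU_THRESHOLD = 90.0               # applies when a device has no override


def device_to_cmdb_attr(device_key, cmdb_attr, default=None):
    """DeviceToCMDBAttr(<event attribute>, <CMDB attribute>): resolve the device
    named by the event attribute value (here Host IP) and return the CMDB
    attribute, or the default when the device or attribute is unknown."""
    return CMDB.get(device_key, {}).get(cmdb_attr, default)


def cpu_over_device_threshold(event):
    """Filter condition: CPU Util > DeviceToCMDBAttr(Host IP, cpuThreshold).
    The same reading gives different verdicts per device; a global rule would
    compare every host against GLOBAL_CPU_THRESHOLD instead."""
    limit = device_to_cmdb_attr(event["hostIpAddr"], "cpuThreshold",
                                default=GLOBAL_CPU_THRESHOLD)
    return event["cpuUtil"] > limit


def hour_of_day(epoch_seconds):
    """HourOfDay(<time attribute>), evaluated in UTC (assumption: the guide
    does not say which time zone FortiSIEM uses)."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).hour


def day_of_week(epoch_seconds):
    """DayOfWeek(<time attribute>); Monday = 0 ... Sunday = 6 (Python's
    numbering, assumed here)."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).weekday()


def off_hours_access(event):
    """Filter condition built from the time functions:
    HourOfDay(Access Time) < 6 OR HourOfDay(Access Time) >= 22
    OR DayOfWeek(Access Time) >= 5 (Saturday or Sunday)."""
    hour = hour_of_day(event["accessTime"])
    day = day_of_week(event["accessTime"])
    return hour < 6 or hour >= 22 or day >= 5


if __name__ == "__main__":
    # Constructed events: one CPU reading, three verdicts.
    for ev in ({"hostIpAddr": "10.1.1.9", "cpuUtil": 92.0},
               {"hostIpAddr": "10.1.1.10", "cpuUtil": 92.0},
               {"hostIpAddr": "10.1.1.11", "cpuUtil": 92.0}):
        print(ev["hostIpAddr"], cpu_over_device_threshold(ev))
    print(off_hours_access({"accessTime": 1496286000}))   # 2017-06-01 03:00 UTC
```

The fallback to a global threshold is the part worth copying: a rule that reads a per-device property must decide what happens for a device that has no such property, otherwise that device is silently never alerted on.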
Aggregation Condition Functions
You use these functions to perform operations on numerical event attributes such as Sent Bytes, Received
Bytes, CPU Utilization, or Memory Utilization.
Function         Description
Count            Count the number of items returned
Count Distinct   Count the number of distinct items returned
Sum              Add the numbers
Average          Average the numbers
Min              The lowest number
Max              The highest number
Last             The last number
First            The first number
Pctile95         The 95th percentile
PctChange        Percentage change
STAT_AVG         Statistical average. This function is used in conjunction with creating baseline reports.
STAT_STDDEV      Statistical standard deviation. This function is used in conjunction with creating baseline reports.
This screenshot shows the beginning of creating an expression to use as an aggregation condition in rule. Max is
selected as the Function, and CPU Util is selected as the Event Attribute.
Keywords and Operators for Simple Searches
Both historical and real time searches have a simple search option that searches for keywords in the raw ASCII text of event logs. You can use operators in your keyword searches to combine terms or create simple search filters.
- Keyword Operators
- Quotes and Backslash Characters in Search Terms
Keyword Operators
You can use the operators AND, OR, and AND NOT between keywords. If you enter more than one keyword without an operator, AND is assumed between them. You can also use parentheses () to change the precedence of the operators.
Examples of Using Keyword Search Operators

Search String          Results
TCP                    Finds all events with TCP in the event logs
TCP 80                 Finds all events with both TCP and 80 in the event logs
TCP AND (80 OR 443)    Finds all events with TCP and either 80 or 443 in the event logs
TCP AND NOT 80         Finds all events with TCP but not 80
Quotes and Backslash Characters in Search Terms
If the search string contains quotation marks or back-slash characters, you must escape them by prefixing them
with a backslash character. For example, if you wanted to search for [location]="United States" then
you would need to enter [location]=\"United States\" as your search string.
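The keyword grammar above (implicit AND between terms, explicit AND, OR and AND NOT, parentheses for precedence, and backslash escapes for quotes and backslashes) is small enough to implement end to end. The following Python is an added example written for this edit, not FortiSIEM code. It assumes that matching is a case-sensitive substring test on the raw event text and that an escaped quote or backslash is simply a literal character inside a term; the log lines it searches are constructed for the example.

```python
"""Evaluator for FortiSIEM-style simple-search strings (added example, not
FortiSIEM code).  Grammar as the guide describes it: whitespace-separated
terms are ANDed; AND, OR and AND NOT may be written explicitly; parentheses
change precedence; a backslash makes the next character (a quote or another
backslash) a literal part of the term.  Matching is a case-sensitive
substring test against the raw event text (assumption)."""

OPERATORS = {"AND", "OR", "NOT"}


def tokenize(query):
    """Split a search string into (kind, text) tokens."""
    tokens, buf, i = [], [], 0

    def flush():
        if buf:
            word = "".join(buf)
            tokens.append((word.upper() if word.upper() in OPERATORS else "TERM", word))
            buf.clear()

    while i < len(query):
        ch = query[i]
        if ch == "\\" and i + 1 < len(query):      # escaped character is literal
            buf.append(query[i + 1])
            i += 2
            continue
        if ch.isspace() or ch in "()":
            flush()
            if ch in "()":
                tokens.append(("LPAR" if ch == "(" else "RPAR", ch))
        else:
            buf.append(ch)
        i += 1
    flush()
    return tokens


class Parser:
    """Recursive descent over the tokens.  Tree nodes are ("term", text),
    ("not", node), ("and", l, r) and ("or", l, r).  OR binds loosest; an
    explicit or implicit AND binds tighter; NOT is accepted only right after
    AND, which is the only form the guide documents."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None
    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of search string")
        self.i += 1
        return self.toks[self.i - 1]
    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % (self.toks[self.i][1],))
        return node
    def or_expr(self):
        left = self.and_expr()
        while self.peek() == "OR":
            self.take()
            left = ("or", left, self.and_expr())
        return left
    def and_expr(self):
        left = self.primary()
        while self.peek() in ("AND", "TERM", "LPAR"):   # bare term = implicit AND
            negate = False
            if self.peek() == "AND":
                self.take()
                if self.peek() == "NOT":
                    self.take()
                    negate = True
            right = self.primary()
            left = ("and", left, ("not", right) if negate else right)
        return left
    def primary(self):
        kind, text = self.take()
        if kind == "LPAR":
            node = self.or_expr()
            if self.take()[0] != "RPAR":
                raise ValueError("missing closing parenthesis")
            return node
        if kind == "TERM":
            return ("term", text)
        raise ValueError("operator %r where a keyword was expected" % text)


def matches(node, text):
    """Evaluate a parsed tree against one raw event log line."""
    kind = node[0]
    if kind == "term":
        return node[1] in text
    if kind == "not":
        return not matches(node[1], text)
    if kind == "and":
        return matches(node[1], text) and matches(node[2], text)
    return matches(node[1], text) or matches(node[2], text)


def search(query, raw_events):
    """Return the raw events that satisfy the search string."""
    tree = Parser(tokenize(query)).parse()
    return [line for line in raw_events if matches(tree, line)]


# Constructed sample log lines, not captured from a real device.
RAW_EVENTS = [
    "<134>Jun 01 10:00:01 fw1 ACCEPT proto=TCP src=10.1.1.5 dst=203.0.113.9 dport=80",
    "<134>Jun 01 10:00:02 fw1 ACCEPT proto=TCP src=10.1.1.5 dst=203.0.113.9 dport=443",
    "<134>Jun 01 10:00:03 fw1 DROP proto=UDP src=10.1.1.7 dst=203.0.113.9 dport=53",
    "<134>Jun 01 10:00:04 fw1 ACCEPT proto=TCP src=10.1.1.8 dst=203.0.113.9 dport=22",
    'Jun 01 10:00:05 geo1 lookup ip=203.0.113.9 [location]="United States"',
]
```

Running the four search strings from the table plus the escaped [location]=\"United States\" example against RAW_EVENTS shows the precedence rules in action: "TCP AND (80 OR 443)" keeps two lines, while "TCP AND NOT 80" keeps the other two TCP lines. Note that a substring test on "80" also matches "8080" or "10.1.1.80"; that is the trade-off of keyword search over structured search, and it is why the guide recommends structured attributes for precise filters.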
Using Geolocation Attributes in Searches and Search Results
When you view the results of a search, you will see that IP address fields in the results, such as Source IP or
Destination IP, often have a flag added to them to indicate the geolocation of that IP address. This topic
describes the geolocation information that is associated with event attributes, and provides examples of how to
use this information in searches and search results.
- Event and Geolocation Attributes
- Using Geolocation Attributes in Searches
- Viewing Geographic Locations from Search Results
Event and Geolocation Attributes
The event attributes Source IP, Destination IP, Host IP, and Reporting IP include geolocation attributes that
you can use in search queries and as display fields in search results. In Incident Reports you may also see
country flags included with IP addresses for Incident Source and Incident Target, which have the same
geolocation attributes as Source IP and Destination IP.
Event Attribute    Geolocation Attributes
Source IP          Source Country, Source City, Source State, Source Organization, Source Longitude, Source Latitude
Destination IP     Destination Country, Destination City, Destination State, Destination Organization, Destination Longitude, Destination Latitude
Host IP            Host Country, Host City, Host State, Host Organization, Host Longitude, Host Latitude
Reporting IP       Reporting Country, Reporting City, Reporting State, Reporting Organization, Reporting Longitude, Reporting Latitude
Using Geolocation Attributes in Searches
You can use geolocation attributes in both real time and historical structured searches. For example, setting a search attribute to Source Country != United States will remove all Source IPs with a geolocation of United States from the search results.
This screenshot shows the results of using Source Country != United States and Event Severity = 1 as the search criteria. The Source IP display field contains only IP addresses associated with countries other than the United States, as indicated by the national flags next to each IP address in the Source IP column.
If you use a geolocation attribute such as Source Country as a Display Field or Group By condition, then the results will include name information for that attribute, rather than a national flag.
This screenshot shows the results of the same query used previously, but with Group By = Source Country.
Viewing Geographic Locations from Search Results
If your search results contain geographic information, click the Locations button to view that information on a map.
This screenshot shows the results for the first example query presented in a map. Clicking on a number in the map will provide you with an overview of incidents for that location.
Creating Filter Criteria and Display Column Sets
When you create searches, you have the option to select saved filter criteria and column sets to use. This topic
describes how to create those sets.
1. Log in to your Supervisor node.
2. In the Analytics tab, select either Display Column Sets or Filter Criteria Sets, depending on the type of set you want to create.
3. Click New.
4. Add the filter criteria or display columns that you want to the set.
See Using Expressions in Structured Searches and Selecting Attributes for Structured Searches and Display Fields for more information about building searches and display columns.
5. Click Save.
Your set will be saved to the list of sets, and you will be able to use it in searches by clicking the ... button next to the Filter Criteria text field in structured searches or the Display Columns menu for both structured and simple searches.
Saving Sets from Searches
Whenever you create a set of filter criteria for a structured search, or a set of display columns for a simple or structured search, you can save it by clicking the Save as Filter Criteria Set or Save As Display Column Set button.
Related Links
- Using Expressions in Structured Searches and Rules
- Selecting Attributes for Structured Searches, Display Fields, and Rules
Rules
FortiSIEM continuously monitors your IT infrastructure and provides you with information you can use to analyze performance, availability, and security. There may also be situations in which you want to receive alerts when exceptional, suspicious, or potential failure conditions arise. You can accomplish this by using rules that define the conditions to watch out for, and which trigger an incident when those conditions arise. This incident will appear on the Incident Summary dashboard, and you can also configure a notification policy that will send email and SNMP alerts that the incident has occurred. FortiSIEM includes over 500 system-defined rules, which you can see in Analytics > Rules, but you can also create your own rules as described in the topics in this section.
- Creating Rules
- Activating and Deactivating Rules
- Adding a Watch List to a Rule
- Cloning a Rule
- Running Historical Searches to Test Rule Sub Patterns
- Setting Rules for Event Dropping
- Setting Rules for Event Forwarding
- Setting Global and Per-Device Threshold Properties
- Using Geolocation Attributes in Rules
- Using Watch Lists as Conditions in Rules and Reports
- Viewing Rules
Creating Rules
FortiSIEM constantly monitors your IT infrastructure for events and collects information about them, but you can also set rules that will trigger incidents from events and send notifications when they occur. These topics describe the concepts and processes for creating rules.
- Creating a Rule
- Defining Rule Conditions
- Defining the Incident Generated by a Rule
- Defining Rule Exceptions
- Defining Clear Conditions
- Testing a Rule
Creating a Rule
Creating a new rule involves defining the attributes of the incident that is triggered by the rule, as well as the
triggering conditions and any exceptions or clear conditions.
Creating New Rules from Clones
You can also create a rule by cloning an existing rule and editing it.
Restriction on names
Do not use certain keywords in subpattern names:
- regexp
1. Log in to your Supervisor node.
2. Go to Analytics > Rules.
3. Select the group where you want to add the new rule.
4. Click New.
5. Enter a Rule Name and Description.
6. For Status, keep the rule Inactive.
You can activate the rule after you're finished creating and testing it.
7. Select an Incident Category for the incident triggered by the rule.
You can click Add and enter a custom incident category.
8. Select a Severity to associate with the incident triggered by the rule.
9. Select Update the Perf Status column on summary dashboard if you want the incident to display in the Performance Status column of the Exec Summary dashboard.
10. For Attributes, enter the functional area, such as Security, that you want to associate the rule with.
11. Enter a Notification Frequency for how often you want notifications to be sent when an incident is triggered by this rule.
12. Under Conditions, click Add Subpattern to create the rule conditions.
See Defining Rule Conditions for detailed information on selecting event and aggregation attributes to use with rules. You can also see examples of rules with a single subpattern and multiple subpatterns.
13. Enter the time interval during which the rule conditions will apply.
The minimum interval is 120 seconds.
14. Next to Actions, click Edit to define the incident that will be generated by this rule.
See Defining the Incident Generated by a Rule for more information.
One Incident Definition Required to Save: You must have at least one incident defined before you can save your rule.
15. Next to Watch Lists, click Edit to add a watch list to the rule.
See Adding a Watch List to a Rule for more information.
16. If you want to define any Exceptions for the rule, click Edit.
See Defining Rule Exceptions for more information.
17. If you want to define any Clear Conditions for the rule, click Edit.
See Defining Clear Conditions for more information.
18. Click Save.
Your new rule will be saved to the group you selected in an inactive state. Before you activate the rule, you should test it.
Defining Rule Conditions
Rule conditions define the event attributes and thresholds that will trigger an incident. Rule conditions are built from sub-patterns of event attribute filters and aggregation functions. You can specify more than one subpattern and the relationships and constraints between them.
- Specifying a Subpattern
- Setting the Relationship between Subpatterns
- Setting Inter-subpattern Constraints
Specifying a Subpattern
A subpattern defines the characteristics of events that will cause a rule to trigger an incident. A subpattern involves defining event attributes that will be monitored, and then defining the threshold values for aggregations of event attributes that will trigger an incident.
- Example of a rule with a single subpattern
This screenshot shows an example of a subpattern with a single event filter and a single event aggregation condition. Expressed as a sentence, this rule would be "When three or more events from a single Host IP report average CPU utilization of 95% or more, trigger an incident."
Event Filters
Event filter criteria determine which event attributes and values will be monitored by the rule, and are set in a way
that is similar to the way you set event attributes for structured historical searches and real time
searches. See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information on
finding attributes to use in your event filters.
Event Aggregation
While you could have a rule that triggers an incident on a single instance of a particular event, it is more likely that
you will want your rule to trigger an incident when some number of events have been found that meet your event
filter criteria.
Group By Attributes
This determines which event attributes will be used to group the events before the group constraints are applied, in a way that is similar to the way the Group By attribute is used to aggregate the results of structured searches.
Aggregate Conditions
The group aggregation conditions set the threshold at which some aggregation of events will trigger a rule to create an incident. You create an aggregation condition by using the Expression Builder to set a function, and then enter the Operator and Value for the aggregation condition.
Examples of Group By and Aggregate Conditions Settings

Scenario: 10 or more events
  Group By Attributes: none
  Aggregate Conditions: COUNT(Matched Events) >= 10

Scenario: Connections to 100 or more distinct destination IPs from the same source IP
  Group By Attributes: Source IP
  Aggregate Conditions: COUNT(DISTINCT Destination IP) >= 100

Scenario: Connections to 100 or more distinct destination IPs from the same source IP on the same destination port
  Group By Attributes: Source IP, Destination Port
  Aggregate Conditions: COUNT(DISTINCT Destination IP) >= 100

Scenario: Average CPU Utilization on the same server > 95% over 3 samples
  Group By Attributes: Host IP
  Aggregate Conditions: COUNT(Matched Events) >= 3 AND AVG(CPU Util) > 95

Scenario: Logins from the same source workstation to 5 or more accounts on the same target server
  Group By Attributes: Source IP, Destination IP
  Aggregate Conditions: COUNT(DISTINCT User) >= 5
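Each row above is the same computation: apply the event filter, group the matches by the Group By attributes, evaluate the aggregate functions per group, and compare them with the threshold. The following Python is an added example written for this edit, not FortiSIEM code. It implements the aggregation functions from the earlier function table (COUNT, COUNT DISTINCT, SUM, AVG, MIN, MAX, FIRST, LAST, Pctile95), applies them per group, and runs three of the scenarios above over constructed events; the attribute names (eventType, srcIpAddr, destIpAddr, hostIpAddr, cpuUtil, user) and the nearest-rank percentile definition are assumptions.

```python
"""Subpattern evaluation (added example, not FortiSIEM code): apply an event
filter, group the matches by the Group By attributes, and test aggregate
conditions per group.  Attribute names and all events are constructed."""
import operator
from collections import defaultdict
from statistics import mean


def _vals(rows, attr):
    return [r[attr] for r in rows if attr in r]


def avg(rows, attr):
    vals = _vals(rows, attr)
    return mean(vals) if vals else 0.0


def pctile95(rows, attr):
    """Nearest-rank 95th percentile (assumption: the guide does not say which
    percentile definition Pctile95 uses)."""
    vals = sorted(_vals(rows, attr))
    rank = -(-95 * len(vals) // 100)          # ceil(0.95 * n)
    return vals[max(rank, 1) - 1]


# The aggregation functions from the function table, applied to one group's rows.
AGG = {
    "COUNT": lambda rows, attr: len(rows),
    "COUNT_DISTINCT": lambda rows, attr: len(set(_vals(rows, attr))),
    "SUM": lambda rows, attr: sum(_vals(rows, attr)),
    "AVG": avg,
    "MIN": lambda rows, attr: min(_vals(rows, attr)),
    "MAX": lambda rows, attr: max(_vals(rows, attr)),
    "FIRST": lambda rows, attr: _vals(rows, attr)[0],
    "LAST": lambda rows, attr: _vals(rows, attr)[-1],
    "PCTILE95": pctile95,
}
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "=": operator.eq, "!=": operator.ne}


def evaluate_subpattern(events, event_filter, group_by, conditions):
    """Return {group_key: matched_rows} for every group whose aggregate
    conditions all hold.  conditions = [(function, attribute, op, value)],
    ANDed together as in a FortiSIEM subpattern; group_by = () means one
    group for everything (the '10 or more events' row of the table)."""
    groups = defaultdict(list)
    for ev in events:
        if event_filter(ev):
            groups[tuple(ev.get(a) for a in group_by)].append(ev)
    return {key: rows for key, rows in groups.items()
            if all(OPS[op](AGG[fn](rows, attr), value)
                   for fn, attr, op, value in conditions)}


def port_scan_sources(events):
    """Connections to 100 or more distinct destination IPs from the same source IP."""
    return evaluate_subpattern(
        events, lambda e: e["eventType"] == "Connection Attempted",
        ("srcIpAddr",), [("COUNT_DISTINCT", "destIpAddr", ">=", 100)])


def high_cpu_hosts(events):
    """Average CPU utilization on the same server > 95 over 3 samples."""
    return evaluate_subpattern(
        events, lambda e: e["eventType"] == "CPU_Stat",
        ("hostIpAddr",), [("COUNT", None, ">=", 3), ("AVG", "cpuUtil", ">", 95)])


def account_spraying_sources(events):
    """Logons from the same source to 5 or more accounts on the same target server."""
    return evaluate_subpattern(
        events, lambda e: e["eventType"] == "Logon Failure",
        ("srcIpAddr", "destIpAddr"), [("COUNT_DISTINCT", "user", ">=", 5)])


def sample_events():
    """Constructed events exercising the three scenarios above."""
    ev = []
    # 10.1.1.5 touches 120 distinct hosts on port 445; 10.1.1.6 touches four.
    ev += [{"eventType": "Connection Attempted", "srcIpAddr": "10.1.1.5",
            "destIpAddr": "192.0.2.%d" % i, "destIpPort": 445} for i in range(1, 121)]
    ev += [{"eventType": "Connection Attempted", "srcIpAddr": "10.1.1.6",
            "destIpAddr": "192.0.2.%d" % i, "destIpPort": 445} for i in range(1, 5)]
    # 10.1.1.9 is pegged across three samples; 10.1.1.10 spikes once, so its average stays low.
    ev += [{"eventType": "CPU_Stat", "hostIpAddr": "10.1.1.9", "cpuUtil": u} for u in (97.0, 98.5, 96.0)]
    ev += [{"eventType": "CPU_Stat", "hostIpAddr": "10.1.1.10", "cpuUtil": u} for u in (99.0, 40.0, 35.0)]
    # 10.1.1.20 tries six different accounts on 10.1.1.30; 10.1.1.21 retries one account eight times.
    ev += [{"eventType": "Logon Failure", "srcIpAddr": "10.1.1.20", "destIpAddr": "10.1.1.30",
            "user": "user%d" % i} for i in range(6)]
    ev += [{"eventType": "Logon Failure", "srcIpAddr": "10.1.1.21", "destIpAddr": "10.1.1.30",
            "user": "alice"} for _ in range(8)]
    return ev
```

The point of the constructed data is the negatives: 10.1.1.6 and 10.1.1.10 have matching events but do not reach the threshold, and 10.1.1.21 has eight failures against one account, which COUNT would flag but COUNT DISTINCT on the user attribute correctly does not. Choosing the Group By key and the distinct attribute is what separates a spray from a locked-out user.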
Setting the Relationship between Subpatterns
- Example of a rule with multiple subpatterns
If you have more than one sub-pattern, you must specify the relationship between them with these operators.
Operator          Meaning
AND               Sub-pattern P1 AND Sub-pattern P2 means both sub-patterns P1 and P2 have to occur
OR                Sub-pattern P1 OR Sub-pattern P2 means either P1 or P2 has to occur
FOLLOWED-BY       Sub-pattern P1 FOLLOWED-BY Sub-pattern P2 means P1 has to be followed by P2 in time
AND-NOT           Sub-pattern P1 AND-NOT Sub-pattern P2 means P1 must occur while P2 must not; the time order between P1 and P2 is not important
NOT-FOLLOWED-BY   Sub-pattern P1 NOT-FOLLOWED-BY Sub-pattern P2 means P1 must occur and P2 must not occur after P1
Setting Inter-subpattern Constraints
You may want to relate attributes of a sub-pattern to the corresponding attributes of another sub-pattern, in a way that is similar to a JOIN operation in SQL, by using the relationship operators <, >, <=, >=, =, !=.
Examples of inter-subpattern relationships and constraints

Scenario 1: 5 login failures from the same source to a server not followed by a successful logon from the same source to the same server
  Subpattern P1 filter: Event Type = Login Failure
  P1 Group By attribute set: Source IP, Destination IP
  P1 group constraint: COUNT(Matched Event) >= 5
  Subpattern P2 filter: Event Type = Login Success
  P2 Group By attribute set: Source IP, Destination IP
  P2 group constraint: COUNT(Matched Event) > 0
  Inter-P1-P2 relationship: P1 NOT_FOLLOWED_BY P2
  Inter-P1-P2 constraints: P1's Source IP = P2's Source IP, P1's Destination IP = P2's Destination IP

Scenario 2: A security attack on a server followed by the server scanning the network, that is, attempting to communicate with 100 distinct destination IP addresses in 5 minute time windows
  Subpattern P1 filter: Event Type = Attack
  P1 Group By attribute set: Destination IP
  P1 group constraint: COUNT(Matched Event) > 0
  Subpattern P2 filter: Event Type = Connection Attempted
  P2 Group By attribute set: Source IP
  P2 group constraint: COUNT(DISTINCT Destination IP) > 100
  Inter-P1-P2 relationship: P1 FOLLOWED_BY P2
  Inter-P1-P2 constraints: P1's Destination IP = P2's Source IP

Scenario 3: Average CPU > 95% over 3 samples on a server AND Ping loss > 75%
  Subpattern P1 filter: Event Type = CPU_Stat
  P1 Group By attribute set: Host IP
  P1 group constraint: COUNT(Matched Event) >= 3 AND AVG(cpuUtil) > 95
  Subpattern P2 filter: Event Type = PING Stat
  P2 Group By attribute set: Host IP
  P2 group constraint: pingLossPct > 75
  Inter-P1-P2 relationship: P1 AND P2
  Inter-P1-P2 constraints: P1's Host IP = P2's Host IP
Example of a Rule with a Single Condition Sub-Pattern
This topic shows an example of how to create a rule with a single sub-pattern based on the condition that Average CPU on a server is more than 95% over 3 sample measurements.

Attribute       Group By Attribute    Aggregate Conditions
Avg CPU Util    Host IP               COUNT(Matched Event) >= 3

1. For Rule Name, enter Hi Avg CPU.
2. For Description, enter Average CPU on a server is more than 95% over 3 sample measurements.
3. For Severity, select 9 - High.
4. For Attributes, select All.
5. Set the Notification Frequency to 1 Hour.
6. Next to Conditions, click Add Subpattern.
7. For Subpattern Name, enter Pattern 1.
8. Under Filters, set these options:

Option       Setting
Attribute    Avg CPU Util
Operator     >=
Value        95

9. Under Aggregate Conditions, click the Expression Builder icon next to the Attribute field, select COUNT(Matched Events) from the Add Function menu, and then click OK.
10. Under Aggregate Conditions, select >= for Operator and enter 3 for Value.
11. Under Group By, select Host IP.
12. Click Save.
13. Enter 5 for the time interval during which the conditions will apply.
14. You would now complete the rule by Defining the Incident Generated by a Rule, and any exceptions or clear conditions. You could also associate it with a notification policy.
This screenshot shows the subpattern settings for this example.
The following steps describe how to create a rule that matches the above example 1:
1. Enter a name for the rule in the 'Rule Name' text box.
2. Enter a description for the rule in the 'Description' text box.
3. Use the drop down menu to choose a 'Severity' for the rule.
4. Click on the '+ Add Condition' button.
a. Choose the 'Function' for the rule. In this case 'AVG' is chosen.
b. Choose the 'Attribute' for the rule. In this case 'CPU Util' is chosen.
c. Choose the 'Operator' for the rule. In this case '>=' is chosen.
d. Enter the 'Value' for the rule. In this case '95' is entered.
5. Select the devices to apply the rule to.
6. Enter the number of events that must occur for the rule to fire. In this case '3' is used.
7. Enter the time frame for the rule. In this case '600' seconds is used.
Example of a Rule with Multiple Sub-Patterns
This topic provides an example of a rule with two sub-patterns, and also how to use the Event Type attribute as a
filter.
- Rule Conditions
- Creating Sub-Pattern P1
- Creating Sub-Pattern P2
- Defining the Relationship Between Patterns
- Defining the Incident to be Generated by the Rule
Rule Conditions
The purpose of this rule is to trigger an incident when five login failures from the same source to a server are not followed by a successful login from the same source to the same server within one hour. This requires two sub-patterns, the first one to detect "five login failures from the same source to a server," and a second one to detect "a successful logon from the same source to the same server." The two sub-patterns need to be interrelated to make the complete rule.

Sub-pattern 1 (P1)
  Event Filter Attribute: Event Type = Logon Failure
  Group By Attributes: Source IP, Destination IP
  Aggregate Conditions: COUNT(Matched Event) >= 5

Sub-pattern 2 (P2)
  Event Filter Attribute: Event Type = Logon Success
  Group By Attributes: Source IP, Destination IP
  Aggregate Conditions: COUNT(Matched Event) > 0

P1/P2 Interrelationships and Constraints
  Interrelationships: P1 NOT_FOLLOWED_BY P2
  Constraints: P1's Source IP = P2's Source IP, P1's Destination IP = P2's Destination IP
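The inter-subpattern examples table and the Suspicious Login Failure rule defined just above both reduce to one evaluation: find the groups that satisfy each subpattern's count threshold, then apply the relationship operator and the equality constraints between P1 and P2 inside the rule window. The following Python is an added example written for this edit, not FortiSIEM's rule engine. It covers FOLLOWED_BY, NOT_FOLLOWED_BY and AND with COUNT and COUNT DISTINCT thresholds and runs scenarios 1 and 2 over constructed events (the AVG-based scenario 3 needs aggregate functions this block does not implement); the attribute names (time, eventType, srcIpAddr, destIpAddr) are assumptions.

```python
"""Two-subpattern correlation (added example, not FortiSIEM's rule engine).
Each subpattern is evaluated to the groups that meet its count threshold;
the relationship operator and the inter-subpattern equality constraints are
then applied inside the rule window.  Attribute names and events are
constructed; 'time' is seconds since the start of the window."""
from collections import defaultdict


def subpattern_instances(events, sp):
    """sp = {"filter": callable, "group_by": (attrs...), "min_count": n,
    "distinct": attr or None}.  A group occurs once COUNT(matched events), or
    COUNT(DISTINCT attr) when 'distinct' is set, reaches min_count; the time
    of the event that crossed the threshold is the group's fire time.
    Returns [(group_dict, fire_time), ...]."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if sp["filter"](ev):
            groups[tuple(ev[a] for a in sp["group_by"])].append(ev)
    out = []
    for key, rows in groups.items():
        seen = set()
        for i, ev in enumerate(rows):
            seen.add(ev[sp["distinct"]] if sp.get("distinct") else i)
            if len(seen) >= sp["min_count"]:
                out.append((dict(zip(sp["group_by"], key)), ev["time"]))
                break
    return out


def _joined(g1, g2, join):
    """Inter-subpattern constraints: every (p1_attr, p2_attr) pair must be equal."""
    return all(g1[a1] == g2[a2] for a1, a2 in join)


def correlate(events, p1, p2, relationship, join, window):
    """Evaluate 'P1 <relationship> P2' and return the P1 groups that fire.
    FOLLOWED_BY and NOT_FOLLOWED_BY only consider events in the window after
    P1 fired, so a P2 match that happened before P1 can neither satisfy nor
    suppress the rule; AND accepts P2 on either side of P1 within the window."""
    fired = []
    for g1, t1 in subpattern_instances(events, p1):
        if relationship in ("FOLLOWED_BY", "NOT_FOLLOWED_BY"):
            later = [e for e in events if t1 < e["time"] <= t1 + window]
            p2_seen = any(_joined(g1, g2, join) for g2, _ in subpattern_instances(later, p2))
            hit = p2_seen == (relationship == "FOLLOWED_BY")
        elif relationship == "AND":
            nearby = [e for e in events if abs(e["time"] - t1) <= window]
            hit = any(_joined(g1, g2, join) for g2, _ in subpattern_instances(nearby, p2))
        else:
            raise ValueError("unsupported relationship: %s" % relationship)
        if hit:
            fired.append(g1)
    return fired


LOGON_FAILURES = {"filter": lambda e: e["eventType"] == "Logon Failure",
                  "group_by": ("srcIpAddr", "destIpAddr"), "min_count": 5}
LOGON_SUCCESS = {"filter": lambda e: e["eventType"] == "Logon Success",
                 "group_by": ("srcIpAddr", "destIpAddr"), "min_count": 1}
ATTACK = {"filter": lambda e: e["eventType"] == "Attack",
          "group_by": ("destIpAddr",), "min_count": 1}
SCAN = {"filter": lambda e: e["eventType"] == "Connection Attempted",      # COUNT(DISTINCT Destination IP) > 100
        "group_by": ("srcIpAddr",), "min_count": 101, "distinct": "destIpAddr"}


def suspicious_logon_failures(events):
    """Scenario 1 / Suspicious Login Failure: P1 NOT_FOLLOWED_BY P2 within one
    hour, joined on Source IP and Destination IP."""
    return correlate(events, LOGON_FAILURES, LOGON_SUCCESS, "NOT_FOLLOWED_BY",
                     [("srcIpAddr", "srcIpAddr"), ("destIpAddr", "destIpAddr")], window=3600)


def attacked_then_scanning(events):
    """Scenario 2: P1 FOLLOWED_BY P2 within five minutes, P1's Destination IP = P2's Source IP."""
    return correlate(events, ATTACK, SCAN, "FOLLOWED_BY", [("destIpAddr", "srcIpAddr")], window=300)


def sample_events():
    """Constructed events, not real logs."""
    def ev(t, etype, **attrs):
        return dict(time=t, eventType=etype, **attrs)
    events = []
    # 10.1.1.20 fails five times against 10.1.1.30 and never succeeds: fires.
    events += [ev(t, "Logon Failure", srcIpAddr="10.1.1.20", destIpAddr="10.1.1.30") for t in range(0, 50, 10)]
    # 10.1.1.21 fails five times, then logs on (a mistyped password): suppressed.
    events += [ev(t, "Logon Failure", srcIpAddr="10.1.1.21", destIpAddr="10.1.1.30") for t in range(0, 50, 10)]
    events.append(ev(55, "Logon Success", srcIpAddr="10.1.1.21", destIpAddr="10.1.1.30"))
    # 10.1.1.22 logged on *before* its five failures; that success must not suppress: fires.
    events.append(ev(5, "Logon Success", srcIpAddr="10.1.1.22", destIpAddr="10.1.1.30"))
    events += [ev(t, "Logon Failure", srcIpAddr="10.1.1.22", destIpAddr="10.1.1.30") for t in range(100, 150, 10)]
    # 10.1.1.23 fails against 10.1.1.31, then logs on to a different server; the Destination IP join keeps them apart: fires.
    events += [ev(t, "Logon Failure", srcIpAddr="10.1.1.23", destIpAddr="10.1.1.31") for t in range(200, 250, 10)]
    events.append(ev(255, "Logon Success", srcIpAddr="10.1.1.23", destIpAddr="10.1.1.30"))
    # 10.1.1.30 is attacked, then reaches 120 distinct hosts within five minutes: fires.
    events.append(ev(1000, "Attack", srcIpAddr="198.51.100.7", destIpAddr="10.1.1.30"))
    events += [ev(1000 + i, "Connection Attempted", srcIpAddr="10.1.1.30", destIpAddr="192.0.2.%d" % i) for i in range(1, 121)]
    # 10.1.1.31 is attacked but only talks to ten hosts afterwards: no scan, no incident.
    events.append(ev(2000, "Attack", srcIpAddr="198.51.100.7", destIpAddr="10.1.1.31"))
    events += [ev(2000 + i, "Connection Attempted", srcIpAddr="10.1.1.31", destIpAddr="192.0.2.%d" % i) for i in range(1, 11)]
    return events
```

Two details matter when you build such a rule in the GUI. The time window for NOT_FOLLOWED_BY starts when P1 reaches its threshold, not at the first failure, so an earlier success from the same source does not count. And the join on both Source IP and Destination IP is what keeps a success against a different server from silencing the failures against the first one; dropping the Destination IP constraint would suppress the 10.1.1.23 case.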
Creating Sub-Pattern P1
The following steps describe how to create a rule that matches the above example 2:
1. Log in to your Supervisor node.
2. Go to Analytics > Rules.
3. Click New.
4. For Rule Name, enter Suspicious Login Failure.
5. For Description, enter the rule conditions stated in the introduction to this topic.
6. For Severity, select 10 - High.
7. For Attributes, select All.
8. Next to Conditions, click Add Subpattern. You will now create the first subpattern for "five login failures from the same source to a server."
9. For Subpattern Name, enter LogonFailures.
To create this sub-pattern you will want to specify that all types of logon failures should be monitored. For this reason, you will want to specify an entire folder of event types as the rule condition, rather than a single event attribute.
10. For Attribute, select Event Type.
11. For Operator, select IN.
12. For Value, click ... to open the CMDB Browser.
13. In the CMDB Browser, go to Event Types > Security > Logon Failure, and click Folder >> to select the Logon Failure events group.
Your filter condition, as shown in the screenshot, can be read as "For any type of event in the Logon Failure event group . . ."
14. Under Aggregate Conditions, click the Expression Builder icon next to Attribute and select COUNT(Matched Events).
15. For Operator, enter >=.
16. For Value, enter 5.
17. Under Group By, enter Source IP for Attribute, and then click + to add another Group By attribute.
18. Enter Destination IP.
19. Click Save.
This screenshot shows the complete entry for sub-pattern P1.
Creating Sub-Pattern P2
1. In your rule, next to Conditions, click Add Subpattern.
2. For Subpattern Name, enter LogonSuccess.
3. For Attribute, select Event Type.
4. For Operator, select IN.
5. For Value, click ... to open the CMDB Browser.
This button only becomes active if you select Event Type as an attribute.
6. In the CMDB Browser, go to Event Types > Security > Logon Success, and click Folder >> to select the Logon Success events group.
Your filter condition, as shown in the screenshot, can be read as "For any type of event in the Logon Success event group . . ."
7. Under Aggregate Conditions, click the Expression Builder icon next to Attribute and select COUNT(Matched Events).
8. For Operator, enter >.
9. For Value, enter 0.
10. Under Group By, enter Source IP for Attribute, and then click + to add another Group By attribute.
11. Enter Destination IP.
12. Click Save.
This screenshot shows the complete entry for sub-pattern P2.
Defining the Relationship Between Patterns
You will now see both of your sub-patterns listed under the Conditions for your rule definition.
1. Make sure that LogonFailures is selected as the first pattern under If this Pattern occurs, and under Next Op, select NOT_FOLLOWED_BY.
2. Select LogonSuccess as the second subpattern.
3. Click Add Subpattern Relationship.
4. For the first relationship definition, select LogonFailures for Subpattern, Source IP for Attribute, and = for Operator.
5. For the second subpattern, select LogonSuccess for Subpattern, Source IP for Attribute, and AND for Next Op.
6. Under Row, click +.
7. For the second relationship definition, for the first subpattern, select LogonFailures for Subpattern, Destination IP for Attribute, and = for Operator.
8. For the second subpattern, select LogonSuccess for Subpattern, and Destination IP for Attribute.
Defining the Incident to be Generated by the Rule
1. In your rule definition, click Edit next to Generate Incident.
2. For Incident Name, enter Suspicious_Login_Failure.
3. Under Incident Attributes, select Source IP for Event Attribute, LogonFailures for Subpattern, and Source IP for Filter Attribute.
4. Under Row, click +.
5. For the second incident attribute, select Destination IP for Event Attribute, LogonFailures for Subpattern, and Destination IP for Filter Attribute.
6. Under Triggered Event Attributes, make sure that Event Receive Time, Event Type, Reporting IP, and
Raw Event Log are listed in the Selected Attributes.
7. Click OK.
Defining the Incident Generated by a Rule
Defining an incident involves setting attributes for the incident based on the subpatterns you created as
conditions for the rule, and then setting attributes for the incident that will be used in analytics and reports.
One Incident Definition Required to Save
You must have at least one incident defined before you can save your rule.
1. In the rule you want to define an incident for, click Edit next to Actions: Generate Incident.
2. Enter an Incident Name, Display Name, and Description.
3. Under Incident Attributes, you will define attributes for the incident based on the Group By and Aggregate Conditions attributes you set for your sub patterns. Typically you will set the Incident attributes to be the same as the Group By attributes in the subpattern.
a. Select the Event Attribute you want to add to the Incident.
b. Select a Subpattern.
c. This will populate the Filter Attribute menu with the Group By attributes from the subpattern.
d. In the Filter menu, select the attribute you want to set as equivalent to the Event Attribute.
Incident Definition Settings for the Single Subpattern Example
In the single sub pattern example, Pattern 1 has the Group By attribute set to Host IP, and the Aggregate Conditions attribute set to COUNT(Matched Events). You can then select these to set as the incident attributes as shown in this screenshot.
4. Under Triggered Event Attributes, select the attributes from the triggering events that you want to include in dashboards and analytics for this event. This is pre-populated with typical attributes you would want included in an incident report.
5. Click OK.
Defining Rule Exceptions
Once you activate a rule, it continuously monitors your IT infrastructure for conditions that would trigger an incident. However, you may also want to define exceptions to those conditions. For example, you may know that a server will be going down for maintenance during a specific time period, and you don't want your Server Down - No Ping Response rule to trigger an incident for it.
1. In Analytics > Rules, select the rule you want to add the exception to, and click Edit.
2. Next to Exceptions, click Edit.
3. Select an Attribute and Operator, and enter a Value, for the conditions that will prevent an incident from being generated. The values in the Attribute menu are from the Event Attributes associated with the incident definition.
4. Click the + icon to set an effective time period for the exception. You can set effective time periods for single and recurring events, and for durations from hours to days. Always bound a maintenance exception in time: an exception without an effective period silences the rule for that host indefinitely.
5. Enter any Notes about the exception.
6. Click OK.
Exception Condition for the Single Subpattern Example
This screenshot shows the exception conditions for the single sub-pattern example, where a specific server is set
as an exception to the Host IPs that will trigger incidents during the maintenance period from March 9 to March
16 2015, starting at 14:00 Pacific Time for every day during that period, and lasting for 8 hours each day. The two
Attribute options are populated from the attributes associated with the incident definition for the example.
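The example above combines an attribute condition (Host IP equals one server) with a recurring daily window. The following Python models that evaluation so you can check what a given exception will and will not suppress before relying on it. This is an added example, not code from FortiSIEM or from the guide; the server address 10.1.1.5, the class and function names, and the fixed UTC-7 offset used for Pacific time are assumptions made here (US daylight time began on 8 March 2015, so the whole 9 to 16 March window is in PDT).

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from typing import Dict, List, Optional

# Pacific Daylight Time as a fixed UTC-7 offset (assumption for this example). The
# entire 9-16 March 2015 window falls after the 2015-03-08 DST change, so this is
# exact here; a production implementation should use
# zoneinfo.ZoneInfo("America/Los_Angeles") so DST transitions are handled.
PACIFIC = timezone(timedelta(hours=-7), "PDT")


@dataclass(frozen=True)
class RecurringWindow:
    """A daily window that recurs on every day from first_day to last_day inclusive."""
    first_day: date
    last_day: date
    start: time
    duration: timedelta
    tz: timezone

    def contains(self, when: datetime) -> bool:
        local = when.astimezone(self.tz)
        # A window that starts late in the day can run past local midnight, so test
        # both the window that starts today and the one that started yesterday.
        for day in (local.date(), local.date() - timedelta(days=1)):
            if not (self.first_day <= day <= self.last_day):
                continue
            begin = datetime.combine(day, self.start, tzinfo=self.tz)
            if begin <= local < begin + self.duration:
                return True
        return False


@dataclass(frozen=True)
class RuleException:
    """Attribute/Operator/Value condition with an optional effective time period."""
    attribute: str
    operator: str                      # only "=" and "!=" are modelled here
    value: str
    window: Optional[RecurringWindow] = None

    def matches(self, incident_attrs: Dict[str, str], when: datetime) -> bool:
        actual = incident_attrs.get(self.attribute)
        if self.operator == "=":
            hit = actual == self.value
        elif self.operator == "!=":
            hit = actual != self.value
        else:
            raise ValueError(f"unsupported operator {self.operator!r}")
        if not hit:
            return False
        # No effective period means the exception is always in effect.
        return self.window is None or self.window.contains(when)


def suppressed(incident_attrs: Dict[str, str], when: datetime,
               exceptions: List[RuleException]) -> bool:
    """True if any exception applies, in which case no incident is generated."""
    return any(e.matches(incident_attrs, when) for e in exceptions)


# Constructed data: the maintenance window from the example, 14:00 Pacific for
# 8 hours on each day from 9 to 16 March 2015, for a hypothetical server 10.1.1.5.
MAINTENANCE = RecurringWindow(date(2015, 3, 9), date(2015, 3, 16),
                              time(14, 0), timedelta(hours=8), PACIFIC)
EXCEPTIONS = [RuleException("Host IP", "=", "10.1.1.5", MAINTENANCE)]


def suppressed_at(iso_utc: str, host_ip: str) -> bool:
    """Would an incident for host_ip at this UTC timestamp be suppressed?"""
    when = datetime.fromisoformat(iso_utc)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return suppressed({"Host IP": host_ip}, when, EXCEPTIONS)


if __name__ == "__main__":
    for ts in ("2015-03-10T22:00:00+00:00", "2015-03-11T04:59:00+00:00",
               "2015-03-11T05:00:00+00:00", "2015-03-17T22:00:00+00:00"):
        print(ts, "suppressed" if suppressed_at(ts, "10.1.1.5") else "incident")
```

The end of each daily window is exclusive, so an event at exactly 22:00 Pacific is no longer covered, and a different host is never covered no matter the time.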
Defining Clear Conditions
Clear conditions specify when incidents have their status changed from Active to Cleared. You can set the time period that must elapse for the clear condition to occur, and then base the condition either on the original rule not firing again, or on a sub pattern that uses the Incident Attributes.
1. In Analytics > Rules, select the rule you want to add the clear condition to, and click Edit.
2. Next to Clear Condition, click Edit.
3. Set the Time Period that should elapse for the clear condition to go into effect.
4. If you want the clear condition to go into effect based on the original rule not firing, select the Original Rule Does Not Trigger. For example, if you want Active incidents to change to Cleared after the original rule has not been triggered for ten minutes, set Cleared Within to 10 Minutes and select this option.
5. If you want to base the clear condition on a sub pattern of the incident attributes, select the following conditions are met. The incident attributes from your rule will load and the clear condition attributes will be set to match.
6. Define the pattern to use by clicking the Edit icon next to the clear sub pattern.
7. Click Save.
Clear Condition for the Single Subpattern Example
This screenshot shows the clear condition settings for the example of a rule with a single sub pattern. In the original rule, an incident was generated if there were three events over 10 seconds where Avg CPU Util exceeded 95% on a single host. In this example, those incidents will change status from Active to Cleared if there are three events over 10 seconds where Avg CPU Util is under 100%. Note that a clear threshold of 100% clears the incident even while CPU utilization is still above the 95% trigger value; in practice, set the clear threshold below the trigger threshold so that an incident does not flap between Active and Cleared.
Testing a Rule
After you've created or edited a rule, you should test it to see if it behaves as expected before you activate it. This topic describes how to test a rule using synthetic events.
- Procedure
- Test Results
- Test Example
- Troubleshooting for Rule Testing
Procedure
1. Go to Analytics > Rules, and deactivate the rule you want to test.
Cloning Active Rules for Testing: You cannot test an active rule. If you can't deactivate a rule for testing, you can clone an inactive version of it.
2. Select the rule, and then click Test Rule. This will open the Rule Debugger.
3. Enter a Reporting IP where the synthetic event should originate from.
Reporting IP Group Membership: If the rule you're testing specifies that the Reporting IP should be a member of a group, make sure that the Reporting IP you enter here is in that group.
4. Under Raw Event, enter the raw event log text that contains the triggering conditions for the rule.
5. Under Pause, enter the number of seconds before the next test event will be sent, and then click + under Action to enter additional test events. You will need to create as many events as are necessary to trigger the rule conditions.
6. Click Run Test.
If the test succeeds you are ready to activate the rule.
Test Results
The test will run through a four stage process, which you can observe in the Test Results tab of the rule. A yellow
icon will also appear in the Status column for the rule to indicate that the test is running.
1. Rules are checked for syntax errors.
2. Events are parsed and sent to Rule Workers.
If there are errors in the rule syntax or event parsing errors, see the examples under Troubleshooting for Rule
Testing for suggestions on how to correct them. As events are being parsed, you can view their Event Details by
clicking on the Raw Event Log icon next to the event.
3. Rule Worker nodes evaluate the events against the rule conditions, and if they match, they are sent to the Rule
Master.
4. The Rule Master creates incidents, which then appear in the Incidents dashboards.
When the test successfully completes, a green icon will appear in the Status column next to the rule name.
Test Example
This screenshot shows the example of a test for the rule Multiple Admin Login Failures: Net Devices. The conditions for this rule are that the Reporting IP must belong to a network device, and there must be 3 login failure events from the same IP and user.
Troubleshooting for Rule Testing
If the test fails, a red icon will appear under the Status column next to the rule name, and you will see the error message in the Test Results tab for the rule.
Rule Syntax Error
This means the rule definition itself could not be parsed. In this example the rule is changed to introduce the following error, and rule testing fails as shown below:
Rule Semantics Error
This means that the conditions of the rule were not met by the events. For example, five events were required to meet the condition, but only one was sent.
Event Parsing Error
This means that some text in the raw event log did not pass the event parser. For example, if "denied" is the term expected by the parser in the test example, but the raw event log contains the term "deny", then the event will not pass the parser.
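The four test stages and the three failure classes above can be reproduced offline to reason about a test before running it in the Rule Debugger. The following Python is an added example, not FortiSIEM code: it uses a hypothetical parser that expects the literal word "denied", a constructed CMDB group membership for the Reporting IP check, and a simplified version of the Multiple Admin Login Failures: Net Devices rule (three failures from the same source IP and user, reported by a network device). Returned results say at which stage a test stopped and why.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed CMDB group membership: which reporting IPs count as network devices.
DEVICE_GROUPS: Dict[str, set] = {"Network Device": {"10.0.0.1", "10.0.0.2"}}

# Hypothetical parser for the synthetic log format used here. It expects "denied",
# so a raw event that says "deny" instead will fail to parse.
LOGIN_FAILURE = re.compile(
    r"login denied for user (?P<user>\S+) from (?P<srcIp>\d+(?:\.\d+){3})")

# Rule under test, modelled after "Multiple Admin Login Failures: Net Devices".
RULE = {"name": "Multiple Admin Login Failures: Net Devices",
        "reporting_group": "Network Device",
        "count": 3}


@dataclass
class TestResult:
    stage: int                       # 1 syntax, 2 parsing, 3 evaluation, 4 incidents
    status: str                      # "success" or "failure"
    errors: List[str] = field(default_factory=list)
    incidents: List[dict] = field(default_factory=list)


def check_syntax(rule: dict) -> Optional[str]:
    """Stage 1: the rule must reference a known device group and a positive count."""
    if rule.get("reporting_group") not in DEVICE_GROUPS:
        return f"unknown device group {rule.get('reporting_group')!r}"
    if not isinstance(rule.get("count"), int) or rule["count"] < 1:
        return "count must be a positive integer"
    return None


def parse_event(reporting_ip: str, raw: str) -> Optional[dict]:
    """Stage 2: turn a raw synthetic event into attributes, or None if parsing fails."""
    m = LOGIN_FAILURE.search(raw)
    if m is None:
        return None
    return {"reptDevIpAddr": reporting_ip, "eventType": "Login_Failure", **m.groupdict()}


def run_test(rule: dict, synthetic_events: List[Tuple[str, str]]) -> TestResult:
    """Walk the four stages of the Rule Debugger and report where the test stops."""
    result = TestResult(stage=1, status="failure")
    err = check_syntax(rule)
    if err is not None:
        result.errors.append("Rule Syntax Error: " + err)
        return result

    result.stage = 2
    parsed = []
    for reporting_ip, raw in synthetic_events:
        ev = parse_event(reporting_ip, raw)
        if ev is None:
            result.errors.append(f"Event Parsing Error: {raw!r}")
        else:
            parsed.append(ev)
    if result.errors:
        return result

    # Stage 3: the Rule Worker evaluates the events. Only events reported by a
    # member of the required group count, and `count` failures are needed from
    # the same source IP and user.
    result.stage = 3
    members = DEVICE_GROUPS[rule["reporting_group"]]
    counts = Counter((e["srcIp"], e["user"]) for e in parsed
                     if e["reptDevIpAddr"] in members)
    matched = [key for key, n in counts.items() if n >= rule["count"]]
    if not matched:
        result.errors.append("Rule Semantics Error: rule conditions not met by the test events")
        return result

    # Stage 4: the Rule Master creates one incident per matching group-by tuple.
    result.stage = 4
    for src_ip, user in matched:
        result.incidents.append({"srcIp": src_ip, "user": user,
                                 "count": counts[(src_ip, user)]})
    result.status = "success"
    return result


# Constructed synthetic events: three failures for the same user and source IP,
# all reported by a network device.
GOOD_EVENTS = [("10.0.0.1", "login denied for user admin from 203.0.113.7")] * 3
```

Feeding the same three events from a Reporting IP that is not in the Network Device group stops the test at stage 3 with a semantics error, which is exactly the situation the Reporting IP Group Membership note in the procedure warns about.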
Activating and Deactivating Rules
When you create a new rule, you must activate it before it will start to monitor events. You may also want to deactivate a rule, for example to test it, instead of deleting it from the system.
1. Log in to your Supervisor node.
2. Go to Analytics > Rules.
3. Browse or search to find the rule that you want to activate or deactivate.
4. Select Active for the rule you want to activate, or clear the Active option if you want to deactivate a rule.
Activating Rules for Multi-Tenant Deployments
For Service Provider deployments you can activate or deactivate rules for individual organizations, and also set
default rules for all organizations.
1. Navigate to the rule that you want to activate, deactivate, or set as default.
2. In the Summary tab of the rule, click Edit.
3. Next to Status, click Edit.
4. To set this rule as a default rule for all organizations, select Activation Default.
5. Select an organization to activate the rule for, or clear its selection to deactivate the rule.
6. Click OK.
7. Click Save.
Adding a Watch List to a Rule
1. Go to Analytics > Rules.
2. Select the rule you want to add the watch list to, and then click Edit.
3. Next to Watch Lists, click Edit.
4. Select the watch list you want to add, and use the Add >> button to add it to the rule.
5. For Incident Attribute, select the incident information you want to add to the watch list.
Watch List Attribute Type Must Match Incident Attribute: The Type that you set for the watch list
must match the Incident Attribute Types for the rule. For example, if your watch list Type is IP, and the
Incident Attribute Type for the rule is string, you will not be able to associate the watch list to the rule.
6. Click OK.
Next to Watch Lists, you will see Watch List has been defined.
Cloning a Rule
You can clone a rule to use it as the basis for creating another rule, or to use in testing.
1. Log in to your Supervisor node.
2. Go to Analytics > Rules.
3. Search or browse to select the rule you want to clone.
4. Click Clone.
5. Enter a new name for the cloned rule and click OK.
The cloned rule will be added to the same group as the original rule but will be inactive.
Running Historical Searches to Test Rule Sub Patterns
If you are trying to analyze why a rule is triggering an excessive number of incidents, or why it isn't triggering any, you can run an historical search with the rule sub patterns to see how the sub pattern behaves in relation to past events. If the search has interesting results, you can then generate a report for further investigation. This is a way that you can test rules without having to deactivate them.
1. Go to Analytics > Rules.
2. Select a rule and then click Edit.
3. Click Edit next to the sub pattern you want to use in the search.
4. Click Run as Query.
5. Enter information for the time period you want to search.
6. Click OK.
An historical search will run based on the sub pattern filters, aggregate conditions, and group by conditions.
Using a Sub Pattern in a Report
If the search includes results that you want to share or investigate further, you can save the sub pattern as a report.
1. In the sub pattern you want to save, click Save as Report. The report will be saved in Analytics > Reports, and will have the phrase From Rule in the report name.
2. Select the report and click Run Now to generate a report from the sub pattern.
Setting Rules for Event Dropping
Some devices and applications generate a significant number of logs, which may be very verbose, contain little valuable information, and consume storage resources. You can configure Event Dropping rules that drop events just after they have been received by FortiSIEM, preventing these event logs from being collected and processed. Implementing these rules may require some thought to accurately set the event type, reporting device type, and event regular expression match. Dropped events do not count towards licensed Events per Second (EPS), and are not stored in the Event database. Dropped events also do not appear in reports, and do not trigger rules. You can also specify that events should be dropped but stored, so that event information is available for searches and reports but does not trigger rules. An example of an event type that you might want to store but not have trigger any rules would be an IPS event that is a known false positive. Be deliberate about what you drop outright: an event dropped at the entry point is never stored and cannot be recovered for a later investigation, so prefer the drop-but-store action unless the log genuinely has no forensic value.
Procedure
1. Log in to your Supervisor node. For multi-tenant deployments, log in to the Super/Global account if you want to set a system-wide event dropping rule. If you want to set an event dropping rule for a specific organization, either log in as an administrator for that organization, or log in using the Super/Global account and then select the organization to which the rule should apply when you are creating it.
2. Go to Admin > General Settings > Event Handling.
3. Under Event Dropping Rule, click Add.
4. Next to Reporting Device, click Edit, and use the CMDB Browser to find the device group or individual device that you want to create the rule for.
5. Next to Event Type, click Edit, and use the Event Type Browser to find the group of event types, or a specific event type, that you want to create the rule for.
6. If the event type you select has a Source IP or Destination IP attribute, you can enter specific IP addresses to which the rule should apply.
7. For Regex Filter, enter any regular expression you want to use to filter the log text. If the regular expression matches, the event is dropped.
8. For multi-tenant deployments, select the Organization to which the rule should apply.
9. Select the Action that should be taken when the event dropping rule is triggered.
10. Enter any Description for the rule.
11. Click Save.
Notes
- All matching rules are implemented by FortiSIEM, and inter-rule order is not important. If you create a duplicate of an event dropping rule, the first rule is in effect.
- If you leave a rule definition field blank, then that field is not evaluated. For example, leaving Event Type blank is the same as selecting All Event Types.
- FortiSIEM drops the event at the first entry point. If your deployment uses Collectors, events are dropped by the Collectors. If your deployment doesn't use Collectors, then the event will be dropped by the Worker or Supervisor where the event is received.
- You can use the report System Event Processing Statistics to view the statistics for dropped events. When you run the report, select AVG(Policy Dropped Event Rate(/sec)) as one of the dimensions for Chart For to see events that have been dropped by this policy.
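The following Python is an added example (not FortiSIEM code) that models how the rule fields and the notes above combine: a field left blank is not evaluated, every matching rule applies regardless of order, an outright drop keeps the event out of storage, reports and rules, and drop-but-store keeps it searchable without letting it reach the rule engine. The event type names, device addresses, the sig_id token in the raw message and the attribute names are constructed for the example. One point the guide does not state is what happens when one matching rule drops outright and another drops-but-stores; the model below assumes the stricter action wins.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class EventDroppingRule:
    """One Event Dropping rule. A field left as None is not evaluated, just like a
    blank field in the GUI (event_types=None behaves like All Event Types)."""
    reporting_devices: Optional[Set[str]] = None
    event_types: Optional[Set[str]] = None
    source_ips: Optional[Set[str]] = None
    dest_ips: Optional[Set[str]] = None
    regex: Optional[str] = None
    organization: Optional[str] = None        # None = system-wide
    action: str = "drop"                      # "drop" or "drop_but_store"

    def matches(self, event: Dict[str, str]) -> bool:
        return all((
            self.reporting_devices is None or event.get("reptDevIpAddr") in self.reporting_devices,
            self.event_types is None or event.get("eventType") in self.event_types,
            self.source_ips is None or event.get("srcIpAddr") in self.source_ips,
            self.dest_ips is None or event.get("destIpAddr") in self.dest_ips,
            self.regex is None or re.search(self.regex, event.get("rawMessage", "")) is not None,
            self.organization is None or event.get("organization") == self.organization,
        ))


def decide(event: Dict[str, str], rules: List[EventDroppingRule]) -> str:
    """Return "drop", "drop_but_store" or "keep" for one event.

    Every matching rule is applied and rule order does not matter. Assumption
    (not stated in the guide): if one matching rule drops outright and another
    drops-but-stores, the stricter action, outright drop, wins."""
    actions = {r.action for r in rules if r.matches(event)}
    if "drop" in actions:
        return "drop"
    if "drop_but_store" in actions:
        return "drop_but_store"
    return "keep"


def process(events: List[Dict[str, str]],
            rules: List[EventDroppingRule]) -> Dict[str, List[str]]:
    """Route events the way the entry-point node (Collector, or Worker/Supervisor when
    there are no Collectors) would: dropped events never reach storage, reports or
    rules; drop-but-store events are stored and searchable but never reach the rule
    engine; everything else is stored and eligible for rules."""
    out: Dict[str, List[str]] = {"dropped": [], "stored": [], "rule_eligible": []}
    for ev in events:
        verdict = decide(ev, rules)
        if verdict == "drop":
            out["dropped"].append(ev["id"])       # also not counted toward licensed EPS
        elif verdict == "drop_but_store":
            out["stored"].append(ev["id"])
        else:
            out["stored"].append(ev["id"])
            out["rule_eligible"].append(ev["id"])
    return out


# Constructed rules. Event type names, device IPs and the sig_id token are
# hypothetical; real FortiSIEM event types differ.
RULES = [
    # Silence a chatty debug event type, but only from one known-noisy switch.
    EventDroppingRule(reporting_devices={"10.1.1.10"}, event_types={"Switch-Debug-Chatter"}),
    # Keep a known false-positive IPS signature searchable without letting it fire rules.
    EventDroppingRule(event_types={"IPS-Alert"}, regex=r"\bsig_id=9999\b",
                      action="drop_but_store"),
]

# Constructed sample events.
EVENTS = [
    {"id": "e1", "reptDevIpAddr": "10.1.1.10", "eventType": "Switch-Debug-Chatter",
     "rawMessage": "debug: spanning-tree hello sent"},
    {"id": "e2", "reptDevIpAddr": "10.1.1.11", "eventType": "Switch-Debug-Chatter",
     "rawMessage": "debug: spanning-tree hello sent"},
    {"id": "e3", "reptDevIpAddr": "10.1.1.50", "eventType": "IPS-Alert",
     "srcIpAddr": "198.51.100.4", "rawMessage": "IPS alert sig_id=9999 action=alert"},
    {"id": "e4", "reptDevIpAddr": "10.1.1.50", "eventType": "IPS-Alert",
     "srcIpAddr": "198.51.100.4", "rawMessage": "IPS alert sig_id=1234 action=alert"},
]
```

Note how e2 survives: the first rule names a single reporting device, so the same chatty event type from any other switch is still collected. Anchor regular expressions to a specific token (the `\b` boundaries above) so that a filter written for signature 9999 cannot also match 99990.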
Setting Rules for Event Forwarding
In systems management, many systems may need to receive logs, traps and NetFlow from network devices and servers, but it is often resource intensive for network devices and servers to forward logs, traps and NetFlow to multiple destinations. For example, most Cisco routers can forward NetFlow to two locations at most. However, FortiSIEM can forward/relay specific logs, traps and NetFlow to one or more destinations. If you want to send a log to multiple destinations, you can send it to FortiSIEM, which will use an event forwarding rule to send it to the desired locations.
1. Log in to your Supervisor node.
2. Go to Admin > General Settings > Event Handling.
3. Under Event Forwarding Rule, for multi-tenant deployments, select the organization for which the rule will apply.
4. Click Add.
5. For Sender IP, enter the IP address of the device that will be sending the logs.
6. For Severity, select an operator and enter a severity level that must match for the log to be forwarded.
7. Select the Traffic Type to which the rule should apply. The Forward To > Port field will be populated based on your selection here.
8. For Forward to > IP, enter the IP address to which the event should be forwarded.
9. Click OK.
Multiple Destinations from the Same Sender IP
If you want the same sender IP to forward events to multiple destinations, create a rule for each destination.
Duplicate Rules Create Duplicate Logs
FortiSIEM will implement all rules that you create and enable, so if you create a duplicate of an event forwarding rule, two copies of the same log will be sent to the destination IP.
Setting Global and Per-Device Threshold Properties
- Overview
- Defining a Global Threshold Property
- Defining Per-Device Threshold Properties
- Using the DeviceToCMDBAttr Function in a Rule
Overview
In many cases when you create a rule, you set values for device thresholds that should trigger an incident. The example of a rule with a single sub pattern, for example, contains a condition where if the average CPU utilization of a server exceeds 95% over 3 samples, an incident should be triggered. This is an example of setting an absolute value for the threshold in the rule itself.
Instead of setting an absolute value for the threshold, you can define global threshold properties that you can use as functions within a rule, and also define these threshold properties on a per-device basis. The advantage of this approach is that if you want to change the threshold values in a rule, you can edit the threshold property rather than the rule. This is accomplished by using the DeviceToCMDBAttr function in the rule to return the value set for that device.
This table illustrates the difference between using an absolute value, shown in the second column, and a threshold property, shown in the third column, in the aggregation conditions for a rule. For the threshold property, the function takes the form DeviceToCMDBAttr(Host IP, Threshold Property), while for devices with components it takes the form DeviceToCMDBAttr(Host IP, Component, Threshold), as shown in the second row.

| Rule Name | Aggregate Condition based on Absolute Value | Aggregate Condition based on Threshold Property Value |
| --- | --- | --- |
| Server CPU Critical | AVG(CPU Utilization) > 95 | AVG(CPU Utilization) > DeviceToCMDBAttr(Host IP,Server CPU Util Critical Threshold) |
| Server Disk Space Critical | AVG(Disk Utilization) > 99 | AVG(Disk Utilization) > DeviceToCMDBAttr(Host IP,Disk Name,Disk Space Util Critical Threshold) |

In the first example, when the rule evaluates the function, the Server CPU Critical rule will return the value of Server CPU Util Critical Threshold for the host IP if that has been defined for the reporting device; otherwise the global threshold value is returned. In the second example, if the Disk Space Util Critical Threshold is defined for a (Host IP,Disk Name) tuple, then the function returns that value; otherwise the global threshold value is returned. This is an example of a Map threshold, in which there is one threshold value for each component, and which applies only to disk and interface components.
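The lookup order described above (per-device or per-component value first, global default otherwise) and both rule forms from the table can be modelled in a few lines. The following Python is an added example, not FortiSIEM code: the threshold values, the host addresses 10.1.1.20 and 10.1.1.21, the disk names and the three-sample window are constructed for the illustration, and the function and dictionary names are this example's own.

```python
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Constructed global threshold defaults (Admin > Device Support > Custom Properties).
GLOBAL_THRESHOLDS: Dict[str, float] = {
    "Server CPU Util Critical Threshold": 95.0,
    "Disk Space Util Critical Threshold": 99.0,
}

# Constructed per-device overrides (CMDB > Devices > Properties). Scalar properties
# are keyed by host IP; Map properties are keyed by (host IP, component name).
DEVICE_THRESHOLDS: Dict[Tuple[str, str], float] = {
    ("10.1.1.20", "Server CPU Util Critical Threshold"): 80.0,
}
COMPONENT_THRESHOLDS: Dict[Tuple[str, str, str], float] = {
    ("10.1.1.20", "/var", "Disk Space Util Critical Threshold"): 90.0,
}


def device_to_cmdb_attr(host_ip: str, cmdb_attr: str,
                        component: Optional[str] = None) -> float:
    """Model of DeviceToCMDBAttr(): the per-device value (or per-(device, component)
    value for a Map threshold) if one is defined, otherwise the global default."""
    if cmdb_attr not in GLOBAL_THRESHOLDS:
        raise KeyError(f"no global threshold property named {cmdb_attr!r}")
    if component is not None:
        return COMPONENT_THRESHOLDS.get((host_ip, component, cmdb_attr),
                                        GLOBAL_THRESHOLDS[cmdb_attr])
    return DEVICE_THRESHOLDS.get((host_ip, cmdb_attr), GLOBAL_THRESHOLDS[cmdb_attr])


def _last_n(samples: List[float], n: int) -> Optional[List[float]]:
    return samples[-n:] if len(samples) >= n else None


def server_cpu_critical(samples: List[Tuple[str, float]], window: int = 3) -> Dict[str, bool]:
    """AVG(CPU Utilization) > DeviceToCMDBAttr(Host IP, Server CPU Util Critical Threshold),
    grouped by Host IP over the most recent `window` samples. Hosts with fewer than
    `window` samples are not evaluated yet."""
    by_host: Dict[str, List[float]] = {}
    for host, cpu in samples:
        by_host.setdefault(host, []).append(cpu)
    verdict: Dict[str, bool] = {}
    for host, values in by_host.items():
        recent = _last_n(values, window)
        if recent is None:
            continue
        threshold = device_to_cmdb_attr(host, "Server CPU Util Critical Threshold")
        verdict[host] = mean(recent) > threshold
    return verdict


def server_disk_space_critical(samples: List[Tuple[str, str, float]],
                               window: int = 3) -> Dict[Tuple[str, str], bool]:
    """AVG(Disk Utilization) > DeviceToCMDBAttr(Host IP, Disk Name, Disk Space Util
    Critical Threshold), grouped by (Host IP, Disk Name): the Map-threshold form."""
    by_disk: Dict[Tuple[str, str], List[float]] = {}
    for host, disk, util in samples:
        by_disk.setdefault((host, disk), []).append(util)
    verdict: Dict[Tuple[str, str], bool] = {}
    for (host, disk), values in by_disk.items():
        recent = _last_n(values, window)
        if recent is None:
            continue
        threshold = device_to_cmdb_attr(host, "Disk Space Util Critical Threshold",
                                        component=disk)
        verdict[(host, disk)] = mean(recent) > threshold
    return verdict


# Constructed samples: identical readings on two hosts, only one of which has a
# per-device override, and on two disks, only one of which has a Map override.
CPU_SAMPLES = [("10.1.1.20", 82.0), ("10.1.1.21", 82.0),
               ("10.1.1.20", 85.0), ("10.1.1.21", 85.0),
               ("10.1.1.20", 84.0), ("10.1.1.21", 84.0)]
DISK_SAMPLES = [("10.1.1.20", "/var", 91.0), ("10.1.1.20", "/home", 91.0),
                ("10.1.1.20", "/var", 92.0), ("10.1.1.20", "/home", 92.0),
                ("10.1.1.20", "/var", 93.0), ("10.1.1.20", "/home", 93.0)]
```

With the same CPU readings, host 10.1.1.20 trips the rule because its override is 80 while 10.1.1.21 stays under the global 95; changing either threshold in the CMDB changes the outcome without touching the rule.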
Defining a Global Threshold Property
FortiSIEM includes over 30 pre-defined global threshold properties that you can edit and use in rules, but you can also create custom threshold properties.
1. Go to Admin > Device Support.
2. Click the Custom Properties tab.
3. Click Add.
4. Enter a Name and Display Name for the new threshold property.
5. Enter the Default Value for the threshold.
6. Select the Type of threshold value. For most global threshold values you will select Double. For Map thresholds, which apply to disks and interfaces, select the Item Type for the threshold value, and then select the Component Type to which it applies.
7. Click Save.
Defining Per-Device Threshold Properties
1. Go to CMDB > Devices.
2. Select a device.
3. In the Device Details pane, click Edit.
4. Click the Properties tab.
5. For any of the threshold properties, enter a value. If you want to edit a Map property, click Edit next to the property name, and then enter the value. If that device does not have any components to which that property could apply, you will see an error message.
6. Click OK.
Using the DeviceToCMDBAttr Function in a Rule
Using the example of the Server CPU Critical rule, you would use the DeviceToCMDBAttr function to set a threshold for the aggregation conditions of the rule in this way:
1. In the sub pattern of the rule, under Aggregation Conditions, click the expression builder icon next to the Attribute field.
2. In the expression builder, under Add Function, select AVG.
3. In the Add Event Attribute field, select CPU Utilization.
4. Click OK. The expression builder will close, and you will see the function and event attribute you selected listed as the Attribute for the Aggregate Conditions.
5. For Operator, select > (the Server CPU Critical condition is AVG(CPU Utilization) greater than the threshold).
6. Click the expression builder icon next to the Value field.
7. In the Add Function menu, select DeviceToCMDBAttr.
8. In the Select Function Pattern dialog, select DeviceToCMDBAttr(EventAttr,CMDBAttr).
9. Under Add Event Attribute, select Host IP.
10. Under Add CMDB Attribute, select Server CPU Util Critical Threshold.
11. Click OK.
12. Click Save.
Using Geolocation Attributes in Rules
In the same way that you can use geolocation attributes in searches and search results, you can also use them in
creating rules. FortiSIEM includes four system-level rules based on geolocation attributes:
- Failed VPN Logon from Outside My Country
- Successful VPN Logon from Outside My Country
- Large Inbound Transfer From Outside My Country
- Large Outbound Transfer To Outside My Country
This screenshot shows the sub pattern for Failed VPN Logon from Outside My Country as an illustration of the way you can use geolocation attributes in a rule.
Using Watch Lists as Conditions in Rules and Reports
You may want to create a rule that refers to the attributes in a watch list, for example if you want a condition in which a Source IP listed in your DNS Violators watch list triggers an incident.
1. Go to the rule or report where you want to use the watch list.
2. Under Conditions for the report, or under Filters in your rule sub pattern, enter the watch list attribute you want to filter for in the Attribute field. For example, Source IP.
3. For Operator, select IN.
4. Click ... next to Value, and use the CMDB Browser to find and select the watch list you want to use. For example, DNS Violators.
5. Click Folder >> to select the watch list, and then click OK.
6. Continue with creating your search criteria or rule sub pattern as you normally would.
Viewing Rules
FortiSIEM includes a large set of rules for Availability, Performance, Change, and Security incidents in addition to
the rules that you can define for your system.
1. To view all system and user-defined rules, go to Analytics > Rules.
2. For multi-tenant deployments, use the Organizations menu in the upper-right corner of the Rules List pane to
filter rules by organization.
3. Select any rule in the Rules List to view information about it. All rules have three information tabs:

| Tab | Description |
| --- | --- |
| Summary | An overview of the rule's logic, its status, and its notification settings. |
| Definition | An XML definition of the rule. This is what is copied to your clipboard if you Export a rule. |
| Test Results | If you are testing a rule, you can view the results here. |
Reports
You can think of reports as saved or pre-defined versions of searches that you can load and run at any time. FortiSIEM includes over 2000 pre-defined reports that you can access in Analytics > Reports. Topics in this section describe how to access and view information about reports, how to create baseline reports, and how to use specialized reports like the Identity and Location report. You can refine the results of your reports in the same way that you would refine the results of an historical search or a real time search.
- Baseline Reports
- Creating a Report or Baseline Report
- Identity and Location Report
- Report Bundles
- Running System and User-Defined Reports and Baseline Reports
- Scheduling Reports
- Viewing Available Reports
Baseline Reports
- How FortiSIEM Sets Baselines
- Evaluating Rules and Detecting Deviations
When you are setting up FortiSIEM to monitor your IT infrastructure, you may want to define what is "normal" activity within your systems, and have incidents triggered when a deviation from that normal activity occurs. For example, you can always assume that there will be some logon failures to a server on a daily basis. Rather than creating a rule that triggers an incident when a certain hard-coded number of failures occurs, you can set up baseline reports that trigger an incident when the total number of logon failures over a time period is twice the average over the same time period, or when the deviation from the average is three times the standard deviation over a specific time period.
By creating a baseline report, you can set means and standard deviations for any metric and use them in rules, and FortiSIEM will evaluate the current monitored values against the mean and standard deviation for that time period.
How FortiSIEM Sets Baselines
Establishing a baseline means recognizing that data center resource usage is time dependent:
- Usage is different during weekdays and weekends, and may also be different depending on the day of the week or month
- Usage is dramatically higher during business hours, typically 8am-5pm
FortiSIEM maintains distinct baselines for weekdays, weekends and for each hour of day: a total of 24*2 = 48 buckets. Baselines for days of the month are not maintained to save memory, as this would require 31*24 = 744 buckets, more than a 15-fold increase in memory.
A baseline report is a set of Keys that represent the baselined metrics, and a collection of Values. You can see examples of these Keys and Values in the System-Defined Baseline Reports. These are then used in this process to build the report:
1. During the current hour, the Supervisor and any Worker nodes operate in parallel to save a baseline report in memory by analyzing the report events as a stream.
2. When the hour finishes:
   a. The report is written to disk (on NFS for a FortiSIEM cluster).
   b. The Supervisor module summarizes the individual baseline reports from all nodes and forms the baseline for the current hour.
   c. The baselines are stored in a SQLite database local to the Supervisor.
   d. The Supervisor module reads the previous baseline for the current time interval from the SQLite database, then combines the previous values with the current values to create a new baseline.
   e. The new baseline is then stored in the SQLite database.
3. For the new hour, a new baseline is created following this process.
As this process illustrates, baselining is continuous in FortiSIEM, and new baseline values are learned adaptively.
Evaluating Rules and Detecting Deviations
A baseline rule contains expressions that use the functions STAT_AVG() and STAT_STDDEV() to set dynamic thresholds.
These examples show how STAT_AVG() and STAT_STDDEV() would be used to evaluate the conditions for the example of logon failures in the introduction to this topic. In each case X is evaluated against the Baseline Report with the given ID.

| Condition Statement | How the Baseline is Evaluated |
| --- | --- |
| Current value of X is more than 2 times the statistical average of X for the current hour | X > 2 * STAT_AVG(X:ID) |
| Deviation of X from its statistical average is more than 3 times its standard deviation for the current hour | ABS(X - STAT_AVG(X:ID)) > 3 * STAT_STDDEV(X:ID) |

When FortiSIEM processes these rules:
1. The rule engine computes the current values in memory.
2. Every 5 minutes:
   a. It looks for STAT_AVG(X:ID) and STAT_STDDEV(X:ID) in memory.
   b. If that fails, it retrieves them from the SQLite database and caches them for future use during the hour.
   c. It evaluates the rule conditions.
A sample rule condition involving statistical functions is shown below with (X = AVG(fwConnCount); ID = 112). The STAT_STDDEV(...) > 0 clause guards against dividing by zero when the baseline has no variance yet, for example when every sample so far has had the same value.
<PatternClause window="1800">
  <SubPattern id="3238092" name="StatHighConn">
    <SingleEvtConstr>eventType = "PH_DEV_MON_FW_CONN_UTIL"</SingleEvtConstr>
    <GroupEvtConstr>(AVG(fwConnCount)-STAT_AVG(AVG(fwConnCount):112))/STAT_STDDEV(AVG(fwConnCount):112) >= 3 AND STAT_STDDEV(AVG(fwConnCount):112) > 0</GroupEvtConstr>
    <GroupByAttr>hostName,hostIpAddr</GroupByAttr>
  </SubPattern>
</PatternClause>
Setting Sample Points for Baselines
Two sample points are needed to avoid premature triggering of a rule before a baseline is set and becomes active.
- If the first data is received for a subject on Monday, then the rules will start triggering for that subject for that baseline starting Wednesday
- If the first data is received for a subject on Saturday, then the rules will start triggering for that subject for that baseline starting next Saturday
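The pieces above (48 weekday/weekend-by-hour buckets per subject, a baseline that is folded in once an hour, the StatHighConn condition with its stddev guard, and the two-sample-point rule) fit together as follows. This is an added example in Python, not FortiSIEM code: it keeps a running mean and standard deviation per bucket with Welford's method (population standard deviation, which is this example's choice), exposes STAT_AVG/STAT_STDDEV equivalents, and reproduces the Monday-to-Wednesday and Saturday-to-next-Saturday behaviour. The subject keys fw1 and fw2 and the sample values are constructed.

```python
import math
from datetime import datetime
from typing import Dict, Tuple

# One bucket per (subject key, weekday-or-weekend, hour of day): 2 * 24 = 48 per subject.
Bucket = Tuple[str, bool, int]


def bucket_for(iso_ts: str, key: str) -> Bucket:
    ts = datetime.fromisoformat(iso_ts)
    return (key, ts.weekday() >= 5, ts.hour)


class BaselineEngine:
    """Adaptive per-bucket baseline: running mean and standard deviation (Welford's
    method), updated once per finished hour and consulted by STAT_AVG/STAT_STDDEV."""

    MIN_SAMPLES = 2      # two sample points before a bucket may trigger a rule

    def __init__(self) -> None:
        self._stats: Dict[Bucket, Tuple[int, float, float]] = {}   # n, mean, M2

    def observe(self, iso_ts: str, key: str, value: float) -> None:
        """Fold a finished hour's value into the stored baseline for its bucket."""
        b = bucket_for(iso_ts, key)
        n, mean, m2 = self._stats.get(b, (0, 0.0, 0.0))
        n += 1
        delta = value - mean
        mean += delta / n
        m2 += delta * (value - mean)
        self._stats[b] = (n, mean, m2)

    def stat_avg(self, iso_ts: str, key: str) -> float:
        return self._stats.get(bucket_for(iso_ts, key), (0, 0.0, 0.0))[1]

    def stat_stddev(self, iso_ts: str, key: str) -> float:
        n, _, m2 = self._stats.get(bucket_for(iso_ts, key), (0, 0.0, 0.0))
        return math.sqrt(m2 / n) if n else 0.0        # population standard deviation

    def eligible(self, iso_ts: str, key: str) -> bool:
        """Has this bucket accumulated the two sample points needed before it may fire?"""
        return self._stats.get(bucket_for(iso_ts, key), (0, 0.0, 0.0))[0] >= self.MIN_SAMPLES

    def deviates(self, iso_ts: str, key: str, value: float, sigmas: float = 3.0) -> bool:
        """(X - STAT_AVG(X:ID)) / STAT_STDDEV(X:ID) >= sigmas AND STAT_STDDEV(X:ID) > 0,
        as in the StatHighConn sub pattern; the stddev > 0 guard avoids dividing by zero."""
        if not self.eligible(iso_ts, key):
            return False
        sd = self.stat_stddev(iso_ts, key)
        return sd > 0 and (value - self.stat_avg(iso_ts, key)) / sd >= sigmas

    def exceeds_multiple(self, iso_ts: str, key: str, value: float, factor: float = 2.0) -> bool:
        """X > factor * STAT_AVG(X:ID), the first condition from the table above."""
        return self.eligible(iso_ts, key) and value > factor * self.stat_avg(iso_ts, key)


def demo() -> Dict[str, bool]:
    """Constructed history for one firewall: 10:00 samples on Monday 2015-03-09 and
    Tuesday 2015-03-10, then a spike in the same hour on Wednesday."""
    engine = BaselineEngine()
    engine.observe("2015-03-09T10:00:00", "fw1", 10.0)                 # Monday: 1st point
    tuesday = engine.deviates("2015-03-10T10:00:00", "fw1", 1000.0)    # one point: cannot fire
    engine.observe("2015-03-10T10:00:00", "fw1", 12.0)                 # Tuesday: 2nd point
    wednesday = engine.deviates("2015-03-11T10:00:00", "fw1", 1000.0)  # now eligible
    other_hour = engine.deviates("2015-03-11T11:00:00", "fw1", 1000.0) # 11:00 bucket is empty
    return {"tuesday": tuesday, "wednesday": wednesday, "other_hour": other_hour}
```

A subject whose two weekend points are identical has a standard deviation of zero; the deviation rule then never fires for it, while the "2 times the average" form still does, which is worth remembering when a baseline rule stays silent on a very steady metric.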
System-Defined Baseline Reports
- Network Traffic Analysis
- Performance / Availability Monitoring
- Logon Activity
Network Traffic Analysis
| Report | Description | ID | Fields |
| --- | --- | --- | --- |
| DNS Request Profile | This report baselines DNS requests on a per client basis: the number of requests and distinct destinations it attempted to resolve. | 113 | Key: Source IP. Values: Number of Requests, Distinct Destination Count - mean and standard deviation for each |
| DNS Traffic Profile | This report baselines DNS traffic characteristics on a per client basis: sent and received bytes and packets. | 113 | Key: Source IP. Values: Sent Bytes, Received Bytes, Total Bytes - mean and standard deviation for each |
| Destination Traffic Profile | This report baselines traffic destined to a server. The data is reported by network flow (NetFlow, sFlow) and firewall logs. For each destination IP, the number of distinct peers, the number of distinct ports opened on the server and the total number of flows are tracked. | 126 | Key: Destination IP. Values: Distinct Source IP, Distinct Destination Ports, Total Flows - mean and standard deviation for each |
| Source Traffic Profile | This report baselines traffic generated by a source. The data is reported by network flow (NetFlow, sFlow) and firewall logs. For each source IP, the number of distinct peers, the number of distinct ports opened by the source, the total number of flows and total bytes exchanged are tracked. | 125 | Key: Source IP. Values: Distinct Destination IP, Distinct Destination Ports, Total Flows, Total Bytes - mean and standard deviation for each |
| Firewall Connection Count Profile | This report provides a baseline of permitted firewall connection count, typically gathered by SNMP. | 112 | Key: Firewall Name, Firewall IP. Values: Firewall Connection Count - mean and standard deviation for each |
| Firewall Denied Aggregate Traffic Profile | This profile baselines denied firewall traffic from firewall logs: volume of denied traffic, distinct attacker count, distinct target IP and port. | 108 | Key: Firewall Name, Firewall IP. Values: Denied Flows, Distinct Denied Source IP, Distinct Denied Destination IP, Distinct Denied Destination Port - mean and standard deviation for each |
Report
Description
ID
Fields
ICMP Traffic Profile
This report baselines
generated ICMP traffic by
each source: number of ICMP
packets and number of
distinct destinations
114
Key: Source IP Values: Distinct Destinations,
Total Flows, Total Bytes - mean and standard
deviation for each
Inbound
Firewall DeniedTCP/UDP
Port Profile
Inbound
Firewall PermittedTCP/UDP
Port Usage Profile
Outbound
Firewall DeniedTCP/UDP
Port Profile
Outbound
Firewall PermittedTCP/UDP
Port Usage Profile
This report provides baseline
of denied inbound TCP/UDP
port usage as reported by
firewall logs. For every port,
the number of denied
attempts and the number of
distinct source are profiled.
This report provides baseline
of permitted inbound
TCP/UDP port usage. The
data is reported by firewall
logs. For every inbound
destination port and protocol
combination, the total
number of unique sources,
destinations and the total
bytes and flows are profiled
This report provides baseline
of denied outbound TCP/UDP
port usage as reported by
firewall logs. For every port,
the number of denied
attempts and the number of
distinct destinations are
profiled.
This report provides baseline
of permitted inbound
TCP/UDP port usage. The
data is reported by firewall
logs. For every inbound
destination port and protocol
combination, the total
number of unique sources,
destinations and the total
bytes and flows are profiled
FortiSIEM 4.9.0 User Guide
Fortinet Technologies Inc.
106
104
107
105
Key: Destination Protocol, Port Values: Distinct
Source IP, Total Flows - mean and standard
deviation for each
Key: Destination Protocol, Port Values: Distinct
Source IP, Distinct Destination IP, Total Flows,
Total Bytes - mean and standard deviation for
each
Key: Destination Protocol, Port Values: Distinct
Destination IP, Total Flows - mean and
standard deviation for each
Key: Destination Protocol, Port Values: Distinct
Source IP, Distinct Destination IP, Total Flows,
Total Bytes - mean and standard deviation for
each
Performance / Availability Monitoring

Report: Device CPU, Memory Usage Profile (ID 109)
Description: This report provides baselines for CPU and memory usage; the data is collected by SNMP or WMI. For every host, CPU, real memory and virtual memory utilization are profiled.
Fields: Key: Host Name. Values: CPU Utilization, Memory Utilization, Virtual Memory Utilization - mean and standard deviation for each.

Report: Device Disk I/O Profile (ID 121)
Description: This report provides baselines for disk I/O usage for servers, VMs and ESX; the data is collected by SNMP, WMI or the vCenter API. For every host and disk combination, read and write volumes are profiled.
Fields: Key: Host Name, Datastore Name, Disk Name. Values: Disk Read KBps, Disk Write KBps - mean and standard deviation for each.

Report: Network Interface Traffic Profile (ID 110)
Description: This report provides baselines for network interface traffic. The data is collected by SNMP. For each network interface, the total sent and received bytes are profiled.
Fields: Key: Host Name, Interface Name. Values: Sent Bytes, Received Bytes - mean and standard deviation for each.

Report: Network Interface Error Profile (ID 111)
Description: This report provides baselines for network interface errors and discards. The data is collected by SNMP. For each network interface, the total errors and discards are profiled.
Fields: Key: Host Name, Interface Name. Values: Errors, Discards - inbound and outbound mean for each.

Report: Server Process Count Profile (ID 123)
Description: This report baselines the number of processes running on a server. The data is collected by SNMP.
Fields: Key: Host Name. Values: Process Count - mean and standard deviation.

Report: Reporting EPS Profile (ID 116)
Description: This report baselines the rate at which devices send events to FortiSIEM.
Fields: Key: Host Name, Host IP. Values: Events/sec - mean and standard deviation.

Report: Reported Event Type Profile (ID 119)
Description: This report provides baselines for the distinct event types reported by a device.
Fields: Key: Host Name, Host IP. Values: Distinct Event Type - mean and standard deviation.

Report: Reported Error Log Profile (ID 120)
Description: This report baselines the number of system errors reported in logs on a per-device basis.
Fields: Key: Host Name, Host IP. Values: Number of events classified as system errors - mean.

Report: STM Response Time Profile (ID 123)
Description: This report baselines Synthetic Transaction Monitoring response times.
Fields: Key: Host Name, Monitor Name. Values: Response Time - mean and standard deviation.
Logon Activity

Report: Successful Logon Profile (ID 115)
Description: This report baselines successful logon activity at a host. The data is collected from logs.
Fields: Key: Host Name, Host IP. Values: Successful Logons, Distinct Source IP, Distinct Users - mean and standard deviation.

Report: Failed Logon Profile
Description: This report baselines failed logon activity at a host. The data is collected from logs.
Fields: Key: Host Name, Host IP. Values: Failed Logons, Distinct Source IP, Distinct Users - mean and standard deviation.

Report: Privileged Logon Profile (ID 118)
Description: This report baselines privileged logon activity at a host. The data is collected from logs.
Fields: Key: Host Name, Host IP. Values: Privileged Logons - mean and standard deviation.
Creating a Report or Baseline Report
Creating a report or baseline report is like creating a structured historical search: you set the Conditions and Group By attributes that will be used to process the report data, and specify the Display Fields to use in the report summary. Cloning an Existing Rule: You can clone an existing rule to use as the basis for a new rule by selecting the existing rule and then clicking Clone.
1. Log in to your Supervisor node.
2. Go to Analytics > Reports, and select the category for your new report. Select Baseline for baseline reports.
3. Click New.
4. Enter a report Name and Description.
5. For baseline reports, select Anomaly Detection Baseline.
6. Enter the Conditions to use in your report.
See Selecting Attributes for Structured Searches, Display Fields, and Rules and Using Expressions in Structured Searches and Rules for more information on setting conditions. For baseline reports, see Baseline Reports for information on how to use the STAT_AVG and STAT_STDDEV functions in creating expressions.
7. Select the Group By attribute to use in processing the search results.
The topic Example of How a Structured Historical Search is Processed explains how the Group By attribute is used in search results.
8. Set the Display Fields to use in your search results.
See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information on using event attributes in display fields.
9. Click Save.
Your report will be saved into the selected category, and you can now run it or schedule it to run later.
Related Links
- Creating a Structured Historical Search
- Selecting Attributes for Structured Searches, Display Fields, and Rules
- Example of How a Structured Historical Search is Processed
- Using Expressions in Structured Searches and Rules
- Baseline Reports
Identity and Location Report
- Overview
- The Identity and Location Report Display Fields
- Report Information and Event Types
- Creating New Identity Events
Overview
The Identity and Location report is constructed by associating a network identity, like an IP address or MAC address, with a user identity, like a user name, computer name, or domain, and tying that to a location, like a wired switch port, a wireless LAN controller, or a VPN gateway. When any element of these associations changes, a new entry is created in the report.
The associations between IP addresses, users, and locations are obtained by combining Windows Active Directory events, DHCP events, and WLAN and VPN logon events with discovery results to produce a report combining all of this information into a comprehensive listing of users and machines by their identity and location.
The Identity and Location Report Display Fields
The Identity and Location Report contains these display fields:
IP Address: IP address of a host whose identity and location is recorded in this result. You can view IP addresses with country flags on a map by clicking Locations.
MAC Address: MAC address of the host.
User: User associated with this IP address. Obtained from one of these event types: Windows Domain Logon, WLAN Login, VPN Logon, AAA Authentication. See the section Report Information and Event Types in this topic for more information.
Host Name: Obtained from the Windows Domain Logon and WLAN Authentication event types.
Domain: The information displayed here depends on the logon event type it was obtained from:
- Windows Domain Logon: the Domain name
- VPN Logon: the reporting IP address of the VPN gateway
- WLAN Logon: the reporting IP address of the WLAN controller
- AAA Logon: the reporting IP of the AAA server
VLAN ID: For hosts directly attached to a switch, this is the VLAN ID of the switch port.
Location: For hosts attached to a switch port, this is the switch name, reporting IP address, and interface name.
First Seen: The time at which this entry was first created in the FortiSIEM Identity and Location table.
Last Seen: The time at which some attribute of this entry was last updated. If there is a conflict, for example a host acquiring a new IP address because of DHCP, then the original entry is closed and a new entry is created. A closed entry will never be updated.
Report Information and Event Types
This table lists the events and event types that contribute to information in the Identity and Location Report, as
well as what information is collected for each type of event.
Each row of the table marks which identity attributes (IP, MAC, Host Name, User, Domain, VLAN, Location) an event group supplies and lists its contributing event types. A cell marked "(if in Event)" is filled only when the event carries that attribute, and one marked "(resolvable by DNS or in FortiSIEM CMDB)" is filled by lookup. The event groups and their contributing event types are:
DHCP Renew Events: Linux_DHCPACK, Generic_DHCPACK, WIN-DHCP-IPASSIGN, WIN-DHCP-IP-LEASERENEW
AD Successful Login Events: Win-Security-540, Win-Security-4624
AAA Successful Login Events: Win-IAS-PassedAuth, CisACS_01_PassedAuth
VPN Successful Login Events: Cisco-VPN3K-IKE/25, ASA-722022, ASA-713228, ASA-713049-ClientVPN-Logon-success
WLAN Successful Login Events: Cisco-WLC-53bsnDot11StationAssociate
WLAN Discovery Events: PH_DISCOV_CISCO_WLAN_HOST_LOCATION, PH_DISCOV_ARUBA_WLAN_HOST_LOCATION
VoIP Call Manager Discovery Events: PH_DISCOV_VOIP_PHONE_ID
FortiSIEM L2 Discovery Events: PH_DISCOV_HOST_LOCATION. Supplies IP, MAC, Host Name (if resolvable by DNS or in FortiSIEM CMDB), VLAN, and Location.
Creating New Identity Events
There may be a situation in which a new event type is added to FortiSIEM, and you want to use the parsed attributes of that event in the Identity and Location report. Once you have made sure that the event will parse correctly, you will need to edit the identityDef.xml file for your Supervisor and any Worker nodes in your deployment.
1. Log in to your Supervisor host machine as admin.
2. Change the directory to /opt/phoenix/config/xml.
3. Log on to FortiSIEM Super as admin.
4. Edit the identityDef.xml file:
   1. Create a new <identityEvent>.
   2. For <eventType>, enter the ID of the event containing the identity attribute.
   3. For <eventAttributes>, enter the name of the event attribute and its corresponding identity attribute. For reqd, enter yes if the event must have this event attribute for use in the Identity and Location report.
   Possible location attributes include: ipAddr, macAddr, computerName, domain, domainUser, aaaUser, vpnUser, geoCountry, geoState, geoCity, geoLatitude, vlanId, netEntryPt, netEntryPort.
5. Restart identityMaster and identityWorker.
6. Repeat for any Worker nodes.
This code sample is an example of a new <identityEvent> entry in the identityDef.xml file. Each <eventAttribute> carries exactly three XML attributes: name (the parsed event attribute), identityAttrib (the identity attribute it maps to) and reqd (yes or no).
<identityEvent>
  <eventType>PH_DISCOV_CISCO_WLAN_HOST_LOCATION,PH_DISCOV_ARUBA_WLAN_HOST_LOCATION</eventType>
  <eventAttributes>
    <eventAttribute name="hostIpAddr" identityAttrib="ipAddr" reqd="no"/>
    <eventAttribute name="hostMACAddr" identityAttrib="macAddr" reqd="no"/>
    <eventAttribute name="user" identityAttrib="domainUser" reqd="no"/>
    <eventAttribute name="domain" identityAttrib="domain" reqd="no"/>
    <eventAttribute name="nepDevName" identityAttrib="netEntryPtName" reqd="yes"/>
    <eventAttribute name="nepDevIpAddr" identityAttrib="netEntryPt" reqd="yes"/>
    <eventAttribute name="nepDevPort" identityAttrib="netEntryPort" reqd="yes"/>
    <eventAttribute name="wlanContrIpAddr" identityAttrib="wlanContrIpAddr" reqd="yes"/>
    <eventAttribute name="wlanContrHostName" identityAttrib="wlanContrHostName" reqd="yes"/>
    <eventAttribute name="hostGeoCountry" identityAttrib="geoCountry" reqd="no"/>
    <eventAttribute name="hostGeoState" identityAttrib="geoState" reqd="no"/>
    <eventAttribute name="hostGeoCity" identityAttrib="geoCity" reqd="no"/>
    <eventAttribute name="hostGeoLatitude" identityAttrib="geoLatitude" reqd="no"/>
    <eventAttribute name="hostGeoLongitude" identityAttrib="geoLongitude" reqd="no"/>
  </eventAttributes>
</identityEvent>
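A misspelled XML attribute (namee=, reqdd=) or an unknown identity attribute in identityDef.xml is only noticed after identityMaster and identityWorker are restarted on every node, so it pays to check the fragment first. The following is an added example, not FortiSIEM code: a checker for <identityEvent> fragments that uses the identity attributes listed in this guide plus those used in the sample entry above; the event type PH_DISCOV_EXAMPLE_EVENT in the second sample is a constructed placeholder, and the "maps neither ipAddr nor macAddr" check is a heuristic of this example, not a documented FortiSIEM rule.

```python
"""Shape-check <identityEvent> entries before they go into identityDef.xml.

Added example, not FortiSIEM code. It catches the kind of slip (namee=,
reqdd=, a misspelled identity attribute) that would otherwise surface
only after identityMaster/identityWorker restart on every node.
"""
import xml.etree.ElementTree as ET

# Identity attributes listed in this guide, plus the extra ones that the
# guide's own sample entry uses.
KNOWN_IDENTITY_ATTRIBS = {
    "ipAddr", "macAddr", "computerName", "domain", "domainUser", "aaaUser",
    "vpnUser", "geoCountry", "geoState", "geoCity", "geoLatitude",
    "geoLongitude", "vlanId", "netEntryPt", "netEntryPtName", "netEntryPort",
    "wlanContrIpAddr", "wlanContrHostName",
}
EXPECTED_XML_ATTRS = {"name", "identityAttrib", "reqd"}


def validate_identity_def(xml_text):
    """Return a list of problem strings; an empty list means the fragment is clean."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    events = [root] if root.tag == "identityEvent" else root.findall(".//identityEvent")
    if not events:
        return ["no <identityEvent> element found"]
    for idx, ev in enumerate(events):
        et = ev.find("eventType")
        types = [t.strip() for t in (et.text or "").split(",") if t.strip()] if et is not None else []
        label = ",".join(types) or "identityEvent[%d]" % idx
        if not types:
            problems.append("%s: <eventType> missing or empty" % label)
        attrs = ev.findall("eventAttributes/eventAttribute")
        if not attrs:
            problems.append("%s: no <eventAttribute> entries" % label)
        seen = set()
        for a in attrs:
            keys = set(a.attrib)
            if keys != EXPECTED_XML_ATTRS:
                # Misspelled keys such as namee= or reqdd= land here.
                problems.append("%s: attribute keys %s, expected name/identityAttrib/reqd"
                                % (label, sorted(keys)))
                continue
            ident = a.get("identityAttrib")
            if ident not in KNOWN_IDENTITY_ATTRIBS:
                problems.append("%s: unknown identityAttrib '%s'" % (label, ident))
            if a.get("reqd") not in ("yes", "no"):
                problems.append("%s: reqd must be yes or no, got '%s'" % (label, a.get("reqd")))
            if ident in seen:
                problems.append("%s: identityAttrib '%s' mapped twice" % (label, ident))
            seen.add(ident)
        # Heuristic (an assumption of this example, not a documented rule): the
        # report ties a network identity to a user, so an entry that maps
        # neither ipAddr nor macAddr has nothing to key the row on.
        if not seen & {"ipAddr", "macAddr"}:
            problems.append("%s: maps neither ipAddr nor macAddr" % label)
    return problems


# Constructed samples: the guide's own entry (trimmed) with correct attribute
# keys, and a placeholder entry (PH_DISCOV_EXAMPLE_EVENT is not a real event
# type) that shows the mistakes the check is meant to catch.
GOOD_ENTRY = """<identityEvent>
  <eventType>PH_DISCOV_CISCO_WLAN_HOST_LOCATION,PH_DISCOV_ARUBA_WLAN_HOST_LOCATION</eventType>
  <eventAttributes>
    <eventAttribute name="hostIpAddr" identityAttrib="ipAddr" reqd="no"/>
    <eventAttribute name="hostMACAddr" identityAttrib="macAddr" reqd="no"/>
    <eventAttribute name="user" identityAttrib="domainUser" reqd="no"/>
    <eventAttribute name="domain" identityAttrib="domain" reqd="no"/>
    <eventAttribute name="nepDevName" identityAttrib="netEntryPtName" reqd="yes"/>
    <eventAttribute name="nepDevIpAddr" identityAttrib="netEntryPt" reqd="yes"/>
    <eventAttribute name="nepDevPort" identityAttrib="netEntryPort" reqd="yes"/>
    <eventAttribute name="wlanContrIpAddr" identityAttrib="wlanContrIpAddr" reqd="yes"/>
    <eventAttribute name="wlanContrHostName" identityAttrib="wlanContrHostName" reqd="yes"/>
    <eventAttribute name="hostGeoCountry" identityAttrib="geoCountry" reqd="no"/>
    <eventAttribute name="hostGeoLatitude" identityAttrib="geoLatitude" reqd="no"/>
    <eventAttribute name="hostGeoLongitude" identityAttrib="geoLongitude" reqd="no"/>
  </eventAttributes>
</identityEvent>"""

BAD_ENTRY = """<identityEvent>
  <eventType>PH_DISCOV_EXAMPLE_EVENT</eventType>
  <eventAttributes>
    <eventAttribute namee="hostIpAddr" identityAttrib="ipAddr" reqd="yes"/>
    <eventAttribute name="user" identityAttrib="domainuser" reqd="no"/>
    <eventAttribute name="vlan" identityAttrib="vlanId" reqdd="no"/>
  </eventAttributes>
</identityEvent>"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        print(name, validate_identity_def(text) or "OK")
```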
Report Bundles
Report bundles are groups of reports for common IT infrastructure analytics, such as Windows Server Health. By defining a bundle and placing reports into it, you can run all the reports at the same time and apply the same filter conditions to all of them. You can view system and user-defined report bundles under Analytics > Report Bundles.
- Creating a Report Bundle
- Running a Report Bundle
Creating a Report Bundle
Creating a report bundle involves naming and describing the bundle, adding reports to the bundle, and then setting what you want to include in the report results.
1. Log in to your Supervisor node.
2. Go to Analytics > Reports > Report Bundles.
3. Click the + icon at the top of the Analytics navigation pane.
4. For Group, enter the name of the bundle, and then enter a Description.
5. Under Select Group Members, select the report category that contains the report you want to add to the bundle. When you select a category, all the reports in that category will be added to the selection window.
6. Select a report and use the >> button to add it to the bundle.
7. Select Show Table if you want all reports to include tables by default.
You can set individual reports to show tables by selecting the report under Show Reports, clicking Edit, and then selecting Show Table.
8. Enter the number of Rows per Table.
9. Click OK.
Running a Report Bundle
1. Log in to your Supervisor node.
2. Go to Analytics > Reports > Report Bundles.
3. Select a report bundle to run.
4. At the top of the Analytics navigation pane, click the blue Arrow icon.
5. For multi-tenant deployments, select the Organization to which the reports should apply.
6. Select the Time Range for the results.
7. Set any Data Conditions to use in filtering the results.
The most common use case for setting data conditions is imposing additional restrictions on the reporting devices, for example reporting devices IN a particular device group. These conditions are AND-ed to the filter conditions in every report of the bundle.
8. Click Export.
The reports will run in the background, and when they are ready you will see a dialog to save or download the PDF files.
Scheduling Report Bundles to Run
You can also schedule report bundles to run once or on recurring occasions in the future. Select a report bundle as you would to run it, and then click the Clock icon in the top-right corner of the Analytics navigation pane. Follow the steps described in Scheduling Reports to schedule the report bundle.
This screenshot shows the UI controls for working with report bundles.
Running System and User-Defined Reports and Baseline Reports
FortiSIEM includes a number of baseline reports for common data center analytics, as well as over 300 reports relating to IT infrastructure. You can also create your own reports. This topic describes how to run a system-generated or user-defined baseline report.
1. Log in to your Supervisor node.
2. Go to Analytics > Reports and select the subcategory containing the report you want to run. For baseline reports, select Baseline.
3. Select the report to run.
4. Click Run Now to run the report immediately, or Run Later to schedule the report.
5. If you chose Run Now and have a multi-tenant deployment, select the Organization for which you want to run the baseline report, and then click OK. The report will run and the results will be displayed.
- For baseline results, the values in the Profile Date Type column indicate whether the baseline date type is a Weekend (Saturday and Sunday), value 0, or a Workday, value 1. The values in the Hour of Day column, 1 - 24, indicate the hour on which the baseline is based.
- You can further refine the results of reports and baseline reports as described in Using Search Results to Refine Historical Searches.
- For baseline reports, you can create scatter plots of the report results, use the Quick Info menu to get more information about items in the report results, and also view geolocation information about the results. For other types of reports you can use all the charts and other methods of refining results that are related to historical search.
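The baseline profiles listed under System-Defined Baseline Reports and the Profile Date Type and Hour of Day columns described here come together in the following added example, which is not FortiSIEM code: it builds a per-key mean and standard deviation (what STAT_AVG and STAT_STDDEV supply in a baseline expression) bucketed by date type (0 = weekend, 1 = workday) and hour of day, then scores new observations against it. It assumes the population standard deviation and that hour-of-day 1 - 24 is the clock hour 0 - 23 plus one; the host name srv01 and the hourly failed-logon counts are constructed.

```python
"""Per-key mean/stddev baseline in the shape of a FortiSIEM baseline report.

Added example, not FortiSIEM code. One (key, Profile Date Type, Hour of Day)
bucket per profiled value, carrying the mean and standard deviation that
STAT_AVG / STAT_STDDEV would provide. Assumptions: population standard
deviation; Hour of Day 1-24 is the clock hour 0-23 plus one.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

WEEKEND, WORKDAY = 0, 1  # Profile Date Type values as described in the guide


def profile_date_type(ts):
    """Saturday and Sunday are weekend (0); everything else is a workday (1)."""
    return WEEKEND if ts.weekday() >= 5 else WORKDAY


def hour_of_day(ts):
    """Report column is 1-24; assumption: clock hour plus one."""
    return ts.hour + 1


def build_baseline(samples):
    """samples: iterable of (key, timestamp, value).
    Returns {(key, date_type, hour): (mean, stddev, sample_count)}."""
    buckets = defaultdict(list)
    for key, ts, value in samples:
        buckets[(key, profile_date_type(ts), hour_of_day(ts))].append(value)
    return {b: (mean(v), pstdev(v), len(v)) for b, v in buckets.items()}


def z_score(baseline, key, ts, value):
    """Standard deviations from the bucket mean; None when no baseline exists."""
    stats = baseline.get((key, profile_date_type(ts), hour_of_day(ts)))
    if stats is None:
        return None
    mu, sigma, _ = stats
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def is_anomalous(baseline, key, ts, value, threshold=3.0, min_samples=5):
    """True when value is more than threshold sigmas above its bucket mean.
    Buckets with too little history never flag, to avoid noise from thin data."""
    stats = baseline.get((key, profile_date_type(ts), hour_of_day(ts)))
    if stats is None or stats[2] < min_samples:
        return False
    return z_score(baseline, key, ts, value) > threshold


def constructed_samples(host="srv01", weeks=4):
    """Constructed hourly failed-logon counts: busy workday office hours,
    quiet nights and weekends, with small deterministic jitter."""
    start = datetime(2017, 5, 1)  # a Monday
    out = []
    for day in range(weeks * 7):
        d = start + timedelta(days=day)
        for hour in range(24):
            ts = d.replace(hour=hour)
            busy = profile_date_type(ts) == WORKDAY and 8 <= hour <= 17
            out.append((host, ts, (6 if busy else 1) + (day + hour) % 3))
    return out


def demo():
    """Build the baseline from the constructed data and score a few observations."""
    baseline = build_baseline(constructed_samples())
    workday_9am = datetime(2017, 5, 29, 9)   # Monday after the training window
    saturday_9am = datetime(2017, 6, 3, 9)
    mu, sigma, n = baseline[("srv01", WORKDAY, 10)]  # workday, Hour of Day 10
    return {
        "workday_09_mean": round(mu, 2),
        "workday_09_n": n,
        "spike_flagged": is_anomalous(baseline, "srv01", workday_9am, 40),
        "normal_flagged": is_anomalous(baseline, "srv01", workday_9am, 8),
        "weekend_spike_flagged": is_anomalous(baseline, "srv01", saturday_9am, 40),
        "unknown_host": z_score(baseline, "srv99", workday_9am, 40),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```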
Related Links
- Scheduling Reports
- Using Search Results to Refine Historical Searches
- System-Defined Baseline Reports
- Overview of Historical Search Results and Charts
- Using the Analysis Menu
- Using Geolocation Attributes in Rules
- Refining the Results from Historical Search
Scheduling Reports
You can schedule reports to run once or on recurring periods in the future. When the report runs, the results will be saved to the Results tab for the report, and in Analytics > Generated Reports.
Prerequisites
- When you schedule a report, you can specify notifications that should be sent for that report. In addition, you should make sure that the default settings for notifications for all scheduled reports have been set up.
Procedure
1. Log in to your Supervisor node.
2. Go to Analytics > Reports.
3. Select the report you want to schedule.
4. Click Run Later.
The Schedule Tab: You can also schedule a report by going to the Schedule tab for the report. Click the + icon and follow the rest of the steps in this topic.
5. Select Schedule this report for:
6. For multi-tenant deployments, select the Organization to which this report should apply.
7. Select the Report Time Range.
8. Select the Schedule Settings.
9. Select the Output Format, whether you want to include the Chart in the output, and the Maximum Rows to Display.
10. Specify the Notifications that should be sent when the report runs.
Click Specify custom notifications if you want to send notifications to specific email addresses.
To copy the report to a remote directory, first define the remote location in Admin > General Settings > Analytics > Report to be copied to this remote location when scheduler runs any report, and then select the Copy to a remote directory option.
11. Specify the amount of time the report should be retained after it has run.
12. Click OK.
The report will run at the time you scheduled.
Related Links
- Setting Up Email Alert Routing for Scheduled Reports
Viewing Available Reports
The Synced Reports Group
The Synced Reports group contains the reports that can be synced with Report Server for use in Visual Analytics.
1. Log in to your Supervisor node.
2. Go to Analytics > Reports.
3. For multi-tenant deployments, select the Organization for which you want to view the available reports.
4. Expand the Reports list, and select the subcategory of report you want to view.
5. Select the report you want to view information about.
Each report has four information tabs:
Summary: Includes the Filter and Group By conditions for the report, and the report's Display attributes.
Schedule: Information about when the report is scheduled to run. See Scheduling Reports for more information. You can click the + icon to set a schedule for the report to run.
Results: The results from any scheduled runs of the report, or results you have saved from running the report.
Definition: The XML definition of the report.
Audit
Audit Reports can be used to determine whether a device is running the recommended OS and installed software versions, whether its performance metrics are within bounds, and whether harmful events have not triggered.
- Creating Audit Report
- Running an Audit
- Exporting Audit Results
- Scheduling an Audit
Creating Audit Report
To create an Audit Report:
1. Go to the Analytics tab.
2. Expand the Audit node in the left tree and go to the folder to which the new report will belong. You can also create a new folder first by clicking the + at the top of the left tree.
3. Click New.
4. Enter the following information for an Audit Report:
   1. Name: Name of the Audit Report.
   2. Description: Description of the Audit Report.
   3. Vendor: Select a specific device vendor from the drop-down list. The Audit Report will be specific to the chosen device vendor and model.
   4. Model: Select a vendor-specific model from the drop-down list. The Audit Report will be specific to the chosen device vendor and model.
   5. Specify the Failed Criteria for the Audit Report. A device will fail the audit if any of the specified criteria is matched.
      1. OS Version Condition:
         1. Choose an operator: possible choices are IN, NOT IN, CONTAINS, NOT CONTAINS.
         2. Specify the value to be matched: this can be a comma-separated list.
      2. Install Software Condition:
         1. Specify the Condition name. This is just for reference purposes.
         2. Specify the installed software name. The name has to be exactly identical to the discovered installed software in CMDB > Devices > Installed Software > Name.
         3. Choose an operator: possible choices are IN, NOT IN, CONTAINS, NOT CONTAINS.
         4. Specify the value to be matched: this can be a comma-separated list.
      3. Rules Condition:
         a. Click ... and the Rule selector dialog appears.
         b. Select the appropriate Rule folder from the leftmost tree. If you do not know the specific folder, then choose the top-level Rules folder. The rules in the selected folder will appear in the middle section.
         c. Select the rules from the middle section. You can also type a search string. You can expand the window and shrink the leftmost section to see more of the rule descriptions.
         d. Click Items >> to place the selected rules in the rightmost section.
         e. Click OK.
      4. Report Condition:
         a. Click ... and the Report selector dialog appears.
         b. Select the appropriate Report folder from the leftmost tree. If you do not know the specific folder, then choose the top-level Reports folder. The reports in the selected folder will appear in the middle section.
         c. Select the reports from the middle section. You can also type a search string. You can expand the window and shrink the leftmost section to see more of the report descriptions.
         d. Click Items >> to place the selected reports in the rightmost section.
         e. Click OK.
Audit Policy Criteria Matching Notes
1. For each criterion, only devices in CMDB with the vendor and model specified in the Audit Report are considered.
2. If any of the criteria matches, then the device fails the audit.
3. IN and NOT IN are exact matches, while CONTAINS and NOT CONTAINS are case-insensitive substring matches.
4. For OS Version match, the entered value is compared with the Version column in CMDB > Device.
5. For Installed Software Version match, the entered value is compared with the Version column in CMDB > Device > Installed Software.
6. For Rule match, the specified rule must trigger during the time interval specified in the Audit Report. The Organization ID and access IP of the device are compared to the Organization ID and Host IP in an incident.
7. For Report match, the specified reports, run for the time duration specified in the Audit Report, must have data.
Running an Audit
To run an Audit:
1. Select an Audit Policy.
2. Click Run Now.
3. In the follow-up dialog:
   a. Select the organizations for which to run the audit (meaningful for the Service Provider version).
   b. Choose a time window, absolute or relative.
   c. Click OK.
The Audit Policy check results are displayed in the bottom-right pane.
The Summary tab shows a high-level overview of the Audit Policy check:
- The Audit Result Distribution chart shows the device pass/fail distribution for every selected organization.
- The Failed Criteria distribution chart shows the contribution of each audit criterion to the devices that failed the audit.
The Detail tab shows the Audit Policy check for each device matching the vendor and model specified in the policy:
- Organization specifies the entity to which the device belongs.
- Device Name is the host name of the device in CMDB.
- Audit Status is the Pass/Fail flag.
- Details specifies the reasons for Audit Policy check failure.
Exporting Audit Results
To export an Audit Report:
1. Select an Audit Policy.
2. Run the Audit Policy Check. The results will be shown in the bottom-right pane.
3. Click Export.
   a. Add User Notes.
   b. Choose the Output Format, PDF or CSV.
   c. Click Generate Report. The file will be stored on local disk.
Scheduling an Audit
To schedule a report to run at a later time:
1. Choose one of two options:
   - Run this report for: If the 'Run this report for' button is selected, a report will be scheduled for the super user, containing data from the organizations selected. The super user will be the owner of the report. The recipients of the report may be defined in the 'Send Notifications' section below or in Admin > General Settings > Analytics.
   - Schedule this report for: If the 'Schedule this report for' button is selected, multiple reports will be scheduled, one for each selected organization and containing only that organization's data. The reports will be owned by the respective organizations. The recipients of the report are taken from Admin > General Settings > Analytics. When multiple reports are run in this way, the notification recipients cannot be indicated in the 'Send Notifications' section below.
2. Select all the Organizations for which to run the Audit Report.
3. Select the Report time range.
4. Specify the Schedule settings: when to run this report.
5. Choose the Output Format, PDF or CSV.
6. Select the notification: report recipients and method.
   - If you choose Send default notification, then the settings in Admin > General Settings > Analytics > Alerts to be sent when scheduler runs any REPORT are used.
   - If you choose Specify custom notifications, then you can specify email addresses.
   - If you choose Copy to a remote directory, then the settings in Admin > General Settings > Analytics > Reports to be copied to this remote location when scheduler runs any REPORT are used.
Visual Analytics
Visual Analytics is an add-on for FortiSIEM that lets you create custom visualizations of FortiSIEM report data, as well as dashboards containing multiple visualization charts. FortiSIEM Visual Analytics has three components:
- The FortiSIEM Report Server, which syncs with and replicates FortiSIEM reports in near real time.
- Tableau Server from Tableau Software, which enables the publication and distribution of your visualizations.
- Tableau Desktop, also from Tableau Software, which is your primary tool for creating visualizations.
See Installation and Configuration of FortiSIEM Visual Analytics for information about setting up FortiSIEM Report Server. For more detailed information about Tableau Server and Desktop, including installation, configuration, and examples of creating sheets and workbooks, consult the Product Support section of the Tableau Software website.
- FortiSIEM Visual Analytics Architecture
- Installation and Configuration of FortiSIEM Visual Analytics
- Working with the Report Server
- Installing and Configuring Tableau Server
- Creating and Managing Workbooks
Visual Analytics Architecture
- Overview and Report Server Architecture
- Using FortiSIEM Report Server with Tableau Software
Overview and Report Server Architecture
With FortiSIEM Visual Analytics, you can now create visual representations of the data that is stored in FortiSIEM. This includes:
- Structured data stored in the FortiSIEM CMDB relational PostgreSQL database, such as:
  - Discovered information about devices, systems, applications and users
  - Identity and location information
  - Incidents and notifications
- Unstructured data such as logs, events, performance metrics etc. that are monitored by FortiSIEM and stored in the EventDB NoSQL database, which is accessible by Supervisors and Workers over NFS.
In order to provide near real-time visual analytics without compromising the performance of your FortiSIEM deployment, both structured and unstructured data are exported to a separate virtual machine, the FortiSIEM Report Server, running PostgreSQL. The Report Server contains two databases that are queried by FortiSIEM Visual Analytics:
- phoenixdb: This database contains the entire FortiSIEM CMDB and is populated via asynchronous PostgreSQL replication (slony) in near real time.
- reportdb: This database contains the results of event queries.
You can find more information about FortiSIEM Report Server in the topic Report Server Architecture: phoenixdb and reportdb and its related topics.
Using FortiSIEM Report Server with Tableau Software
FortiSIEM Report Server integrates with Tableau Software to provide the interface for creating and publishing your data visualizations. Workbooks containing visualizations based on FortiSIEM data are created using Tableau Desktop, and then published to Tableau Server, where they can be accessed on any Windows or OS X device by users who have been granted permission to view or edit them. FortiSIEM provides some workbooks for visualizations, but you can construct others for custom analytics. You can find more information about workbooks in the section Creating and Managing Workbooks.
Installation and Configuration of FortiSIEM Visual Analytics
Installation and configuration of FortiSIEM Visual Analytics involves setting up FortiSIEM Report Server, and then integrating it with Tableau Server and Desktop from Tableau Software. Topics in this section contain setup and configuration instructions for Report Server. For information on setting up and configuring Tableau Server and Desktop, see the online Tableau Software documentation.
- Requirements for Visual Analytics Report Server
- Setting Up Visual Analytics
- Hypervisor Installations for Report Server
- Syncing with the Report Server
Requirements for Visual Analytics Report Server
You install Visual Analytics Report Server as a FortiSIEM node, and these requirements assume that you have already set up and installed FortiSIEM. If you are working with a fresh install of FortiSIEM that includes Report Server, see the topics under Installation for complete requirements and installation instructions for the FortiSIEM Virtual Appliance.
Dedicated Machine for Report Server: You must install Visual Analytics Report Server on a dedicated machine.
Hardware Requirements for Report Server Nodes

Component: Report Server
Quantity: 1
Host: ESX
Processor: 8 Core 3 GHz, 64 bit
Memory: 16 GB
OS/App SW Storage: 200GB (80GB OS/App, 60GB CMDB, 60GB SVN)
Reports Data Storage (1 year): See recommendations under Hardware Requirements for Supervisor and Worker nodes
Setting Up Visual Analytics
There are three components to FortiSIEM Visual Analytics:
- Accelops Report Server
- Tableau Server
- Tableau Desktop
Setting up Visual Analytics involves setting up each of those components in order, and establishing the relationship between them.
1. You must first install Report Server as described in Installing and Registering FortiSIEM Report Server in VMware ESX.
2. After installing Tableau Server on a Windows server, and installing Tableau Desktop on a Windows or Mac OS X device, you then connect the two systems as described in the Tableau Software product documentation.
3. When this connection is established, it automatically triggers the remote registration and configuration of the FortiSIEM Report Server, including replication of the CMDB and EventDB data from the FortiSIEM Cluster to the FortiSIEM Report Server, as well as the user account required for access to the original databases.
Registration of the Report Server and replication of the FortiSIEM database data may take some time depending on the size of the original CMDB. Registration is complete when the replication process catches up with the latest data in the system. From that point on, replication from the CMDB to FortiSIEM Report Server takes place in near real time, letting you run Visual Analytics queries against CMDB data that has been replicated to the Report Server's phoenixdb.
You can find full information about setting up all components of FortiSIEM Visual Analytics in the section Installation and Configuration of FortiSIEM Visual Analytics.
Hypervisor Installations for Report Server
These topics cover the installation of Report Server in various hypervisor environments.
- Installing and Registering FortiSIEM Report Server in Amazon Web Services
- Installing and Registering FortiSIEM Report Server in KVM
- Installing and Registering FortiSIEM Report Server in Microsoft Hyper-V
- Installing and Registering FortiSIEM Report Server in VMware ESX
Installing and Registering FortiSIEM Report Server in Amazon Web Services
Follow the instructions for setting up the FortiSIEM virtual appliance as described in Setting Up Supervisor, Worker and Collector Nodes in AWS, and then register the Report Server to the Supervisor as described in Installing and Registering FortiSIEM Report Server in VMware ESX.
Turn on archive mode for Report Server CMDB replication
1. Mount an NFS shared directory on both Super and Report Server and make sure that this mount can survive system reboot. For example: /data/replication/archive
2. Make this shared directory owned by postgres.postgres.
3. On Super, edit postgresql.conf under /cmdb/data to turn on archive mode by uncommenting (removing # in the first column) the following lines, and make sure archive_command points to the directory created in step 1:
   archive_mode = on    # allows archiving to be done
                        # (change requires restart)
   archive_command = 'cp %p /data/replication/archive/%f'
4. On Report Server, edit /cmdb/data/recovery.conf and uncomment the following lines, and make sure restore_command and archive_cleanup_command point to the directory created in step 1:
   restore_command = 'cp /data/replication/archive/%f %p'
   archive_cleanup_command = 'pg_archivecleanup /data/replication/archive %r'
5. On Super, restart the PostgreSQL DB: service postgresql-9.1 restart
6. On Super, restart the App Server (Glassfish).
7. On Report Server, restart the PostgreSQL DB: service postgresql-9.1 restart
Registering Report Server
1. In the Admin tab, select License Management.
2. Under Report Server Information, click Add.
3. Enter the Report Server IP Address, and the Database Username and Password you want to use to administer Report Server.
4. These are also the credentials that you will use when you set up the Visual Analytics Server to read data from Report Server.
5. Click Run in Background if you want Report Server registration to run in the background for larger installations.
6. When CMDB size is under 1GB, registration takes approximately 3 minutes to complete.
7. When registration completes, click OK in the confirmation dialog.
8. Under the Admin tab, select Cloud Health and make sure Report Server is up and running.
Installing and Registering FortiSIEM Report Server in KVM
Follow the instructions for installing the FortiSIEM virtual appliance as described in Importing a Supervisor, Collector, or Worker Image into KVM, and then register the Report Server with the Supervisor as described in Installing and Registering a Report Server Node in ESX.
Turn on archive mode for Report Server CMDB replication
1. Mount an NFS shared directory on both Super and Report Server and make sure that this mount can survive system reboot. For example: /data/replication/archive
2. Make this shared directory owned by postgres.postgres.
3. On Super, edit postgresql.conf under /cmdb/data to turn on archive mode by uncommenting (removing # in the first column) the following lines, and make sure archive_command points to the directory created in step 1:
   archive_mode = on    # allows archiving to be done
                        # (change requires restart)
   archive_command = 'cp %p /data/replication/archive/%f'
4. On Report Server, edit /cmdb/data/recovery.conf and uncomment the following lines, and make sure restore_command and archive_cleanup_command point to the directory created in step 1:
   restore_command = 'cp /data/replication/archive/%f %p'
   archive_cleanup_command = 'pg_archivecleanup /data/replication/archive %r'
5. On Super, restart the PostgreSQL DB: service postgresql-9.1 restart
6. On Super, restart the App Server (Glassfish).
7. On Report Server, restart the PostgreSQL DB: service postgresql-9.1 restart
Registering Report Server
1. In the Admin tab, select License Management.
2. Under Report Server Information, click Add.
3. Enter the Report Server IP Address, and the Database Username and Password you want to use to administer Report Server. These are also the credentials that you will use when you set up the Visual Analytics Server to read data from Report Server.
4. Click Run in Background if you want Report Server registration to run in the background for larger installations. When CMDB size is under 1GB, registration takes approximately 3 minutes to complete.
5. When registration completes, click OK in the confirmation dialog.
6. Under the Admin tab, select Cloud Health and make sure Report Server is up and running.
Installing and Registering FortiSIEM Report Server in Microsoft Hyper-V
Follow the virtual appliance installation instructions in Installing in Microsoft Hyper-V, and then register the Report Server node with the Supervisor as described in Installing and Registering FortiSIEM Report Server in VMware ESX.
Turn on archive mode for Report Server CMDB replication
1. Mount an NFS shared directory on both Super and Report Server and make sure that this mount can survive system reboot. For example: /data/replication/archive
2. Make this shared directory owned by postgres.postgres.
3. On Super, edit postgresql.conf under /cmdb/data to turn on archive mode by uncommenting (removing # in the first column) the following lines, and make sure archive_command points to the directory created in step 1:
   archive_mode = on    # allows archiving to be done
                        # (change requires restart)
   archive_command = 'cp %p /data/replication/archive/%f'
4. On Report Server, edit /cmdb/data/recovery.conf and uncomment the following lines, and make sure restore_command and archive_cleanup_command point to the directory created in step 1:
   restore_command = 'cp /data/replication/archive/%f %p'
   archive_cleanup_command = 'pg_archivecleanup /data/replication/archive %r'
5. On Super, restart the PostgreSQL DB: service postgresql-9.1 restart
6. On Super, restart the App Server (Glassfish).
7. On Report Server, restart the PostgreSQL DB: service postgresql-9.1 restart
Registering Report Server
1. In the Admin tab, select License Management.
2. Under Report Server Information, click Add.
3. Enter the Report Server IP Address, and the Database Username and Password you want to use to administer Report Server. These are also the credentials that you will use when you set up the Visual Analytics Server to read data from Report Server.
4. Click Run in Background if you want Report Server registration to run in the background for larger installations. When CMDB size is under 1GB, registration takes approximately 3 minutes to complete.
5. When registration completes, click OK in the confirmation dialog.
6. Under the Admin tab, select Cloud Health and make sure Report Server is up and running.
Installing and Registering FortiSIEM Report Server in VMware ESX
These instructions are for installing Report Server on VMware ESX, and assume that you have already installed and configured the FortiSIEM environment. For instructions for a complete FortiSIEM install, see the topics under Installation.
Installing Report Server
Follow the instructions for installing the FortiSIEM virtual appliance as described in the topics under Installing a Supervisor, Worker, or Collector Node in ESX and Configuring the Supervisor, Worker, or Collector from the VM Console.
Turn on archive mode for Report Server CMDB replication
1. Mount an NFS shared directory on both Super and Report Server and make sure that this mount can survive system reboot. For example: /data/replication/archive
2. Make this shared directory owned by postgres.postgres.
3. On Super, edit postgresql.conf under /cmdb/data to turn on archive mode by uncommenting (removing # in the first column) the following lines, and make sure archive_command points to the directory created in step 1:
   archive_mode = on    # allows archiving to be done
                        # (change requires restart)
   archive_command = 'cp %p /data/replication/archive/%f'
4. On Report Server, edit /cmdb/data/recovery.conf and uncomment the following lines, and make sure restore_command and archive_cleanup_command point to the directory created in step 1:
   restore_command = 'cp /data/replication/archive/%f %p'
   archive_cleanup_command = 'pg_archivecleanup /data/replication/archive %r'
5. On Super, restart the PostgreSQL DB: service postgresql-9.1 restart
6. On Super, restart the App Server (Glassfish).
7. On Report Server, restart the PostgreSQL DB: service postgresql-9.1 restart
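A common cause of a Report Server that never catches up is that steps 3 and 4 were applied inconsistently: a line left commented out, or the Super and the Report Server pointing at different archive directories. The following is an added example, not part of this guide or of FortiSIEM, that reads both files and reports such mismatches before the restarts in steps 5 to 7. The steps are the same in the AWS, KVM, Hyper-V and ESX sections, so one check serves all of them. The function names are the author's own, and the sample file contents are constructed here; the settings and paths are the ones the guide shows.

```python
"""Added example, not part of the FortiSIEM guide: check that the
Supervisor's postgresql.conf and the Report Server's recovery.conf agree on
the shared archive directory from steps 3 and 4 above.  The sample file
contents below are constructed; the settings and paths are the ones the
guide shows."""
import re

_ASSIGNMENT = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_pg_settings(text):
    """Effective settings of a postgresql.conf / recovery.conf style file.
    Lines that still start with '#' are ignored (that is why step 3 says to
    remove the '#'); trailing comments and surrounding quotes are stripped."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _ASSIGNMENT.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if value.startswith("'"):
            end = value.find("'", 1)          # quoted value: keep up to the closing quote
            value = value[1:end] if end > 0 else value[1:]
        else:
            value = value.split("#", 1)[0].strip()
        settings[key] = value
    return settings


def check_archive_setup(super_postgresql_conf, report_recovery_conf, archive_dir):
    """Return a list of problems; empty when both files point at archive_dir."""
    problems = []
    sup = parse_pg_settings(super_postgresql_conf)
    rep = parse_pg_settings(report_recovery_conf)
    if sup.get("archive_mode") != "on":
        problems.append("Super: archive_mode is %r, expected 'on'" % sup.get("archive_mode"))
    want = "cp %%p %s/%%f" % archive_dir
    if sup.get("archive_command") != want:
        problems.append("Super: archive_command is %r, expected %r" % (sup.get("archive_command"), want))
    want = "cp %s/%%f %%p" % archive_dir
    if rep.get("restore_command") != want:
        problems.append("Report Server: restore_command is %r, expected %r" % (rep.get("restore_command"), want))
    cleanup = rep.get("archive_cleanup_command", "")
    if not cleanup.startswith("pg_archivecleanup %s " % archive_dir):
        problems.append("Report Server: archive_cleanup_command %r does not clean %s" % (cleanup, archive_dir))
    return problems


# Constructed samples: the lines as shipped (still commented out) ...
SUPER_DEFAULT = """#archive_mode = off\t\t# allows archiving to be done
\t\t\t\t# (change requires restart)
#archive_command = ''
"""
REPORT_DEFAULT = """#restore_command = ''
#archive_cleanup_command = ''
"""
# ... and the same lines after steps 3 and 4 have been applied.
SUPER_ENABLED = """archive_mode = on\t\t# allows archiving to be done
\t\t\t\t# (change requires restart)
archive_command = 'cp %p /data/replication/archive/%f'
"""
REPORT_ENABLED = """restore_command = 'cp /data/replication/archive/%f %p'
archive_cleanup_command = 'pg_archivecleanup /data/replication/archive %r'
"""

if __name__ == "__main__":
    for label, sup, rep in (("before", SUPER_DEFAULT, REPORT_DEFAULT),
                            ("after", SUPER_ENABLED, REPORT_ENABLED)):
        print(label, check_archive_setup(sup, rep, "/data/replication/archive") or "ok")
```

On a live system you would pass the contents of /cmdb/data/postgresql.conf from the Super and /cmdb/data/recovery.conf from the Report Server; the check deliberately treats a commented-out line as absent, which is the mistake the "removing # in the first column" wording is guarding against.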
Registering Report Server
1. In the Admin tab, select License Management.
2. Under Report Server Information, click Add.
3. Enter the Report Server IP Address, and the Database Username and Password you want to use to administer Report Server. These are also the credentials that you will use when you set up the Visual Analytics Server to read data from Report Server.
4. Click Run in Background if you want Report Server registration to run in the background for larger installations. When CMDB size is under 1GB, registration takes approximately 3 minutes to complete.
5. When registration completes, click OK in the confirmation dialog.
6. Under the Admin tab, select Cloud Health and make sure Report Server is up and running.
Syncing with the Report Server
Using FortiSIEM Visual Analytics involves first syncing reports contained in the primary FortiSIEM application to the FortiSIEM Report Server.
1. Log in to your Supervisor node.
2. Go to Analytics > Reports > Synced Reports.
3. Select a report. Currently only reports that contain a Group By condition can be synced. Both system and user-created reports can be synced as long as they contain a Group By condition.
4. Select Sync.
When the sync process initiates, the Supervisor node dynamically creates a table within the Report Server reportdb database. When the sync is established, it will run every five minutes, and the last five minutes of data in the synced report will be pushed to the corresponding table. This lets you run Visual Analytics on event data stored in the Report Server reportdb database.
Working with the Report Server
This section contains information on FortiSIEM Report Server architecture, viewing and querying CMDB and Event data contained in the Report Server databases, and database maintenance.
- Report Server Architecture: phoenixdb and reportdb
- Working with CMDB Data in FortiSIEM Report Server
- Working with Event Data in FortiSIEM Report Server
Report Server Architecture: phoenixdb and reportdb
FortiSIEM Report Server contains two databases:
- phoenixdb: This database contains the entire FortiSIEM CMDB and is populated via asynchronous PostgreSQL replication (slony) in near-real time.
- reportdb: This database contains the results of event queries.
Topics in this section describe how to view the tables in these databases, and how those tables are organized. For viewing the tables, we recommend using the pgAdmin PostgreSQL database utility, which you can download from the pgAdmin website.
Working with CMDB Data in FortiSIEM Report Server
Data from the FortiSIEM CMDB database is populated to the FortiSIEM Report Server and stored in the Report Server phoenixdb. This section contains information on how to view the organization of phoenixdb, and write queries against the data it contains.
- Viewing phoenixdb Organization
- Querying Incident Data in FortiSIEM Report Server
- Querying Other CMDB Tables in FortiSIEM Report Server
Viewing phoenixdb Organization
This database contains the contents of the entire FortiSIEM CMDB database, including incidents.
1. In the pgAdmin utility, go to File > Add Server.
2. In the New Server Registration dialog, enter connection details for FortiSIEM Report Server.
For Maintenance DB, select phoenixdb.
For Username and Password, use the read-only user name and password that you created when you
provisioned the Report Server.
3. Click OK.
When the connection to the FortiSIEM Report Server is established, phoenixdb will load in the Object
browser. There are approximately 197 tables in phoenixdb, which are replicated from the FortiSIEM cluster.
4. Select a table to view, then right-click to open the Options menu.
5. In the Options menu, select View Data, and then select an option for which rows you want to view.
For example, to view the contents of the ph_device table, which contains CMDB information about discovered
devices, you would select and then right click on ph_device, then select View Data > View All Rows.
You can also use this method to examine Views and other objects in the phoenixdb database.
Querying Incident Data in FortiSIEM Report Server
There are two ways to look at the incident data inside FortiSIEM Report Server:
- Incident Tables (ph_incident and ph_incident_detail): contain the incidents.
- Incident View (ph_incident_view): a database view that adds context to the incident tables by joining them with other tables in the database. Added information includes location and business service. Some information is parsed out for easier querying: for example, the host name and IP address values embedded in the incident_src and incident_target fields of ph_incident are exposed as separate fields in ph_incident_view.
This topic describes how to view the data contained in Incident View.
1. Follow the instructions in Viewing phoenixdb Organization to access the phoenixdb database in FortiSIEM Report Server.
2. Go to Views > ph_incident_view > Columns to view the table columns.
3. Go to Views > ph_incident_view > View Data > View Last 100 Rows to view the incidents.
Reference: Attribute Columns in the ph_incident_view Table
Column Name | Format | Description
incident_id | integer | Unique id for an incident
cust_org_id | integer | Customer Id (for AO-SP)
first_seen_time | integer | The time when the incident was first seen. The format is UNIX time but with milliseconds granularity. It is defined as the number of milliseconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC), Thursday, 1 January 1970
last_seen_time | integer | The time when the incident was last seen. The format is UNIX time but with milliseconds granularity. It is defined as the number of milliseconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC), Thursday, 1 January 1970
incident_et | string | Incident event type id, e.g. PH_RULE_SERVER_HW_CRITICAL
incident_status | integer | 0: Active, 1: Auto Cleared, 2: Manually Cleared, 3: System Cleared
incident_count | integer | The number of times this exact incident (with the same parameters: source, destination etc.) has happened
biz_name | string | Associated business service name
severity | integer | Numerical severity of the incident - range 0-10
severity_cat | string | Incident severity category: 0-4: LOW, 5-8: MEDIUM and 9-10: HIGH
orig_device_ip | string | IP address of the device that reported the incident
ph_incident_category | string | Category of infrastructure affected by this incident; possible values: Network, Server, Storage, Virtualization, Application, Internal
incident_src | string | Incident Source string formatted as a list of <Attribute>:Value; e.g. srcIpAddr:10.1.1.1,srcName:JoeLaptop
src_ip_addr | string | Source IP parsed out from incident_src field
src_name | string | Source Name parsed out from incident_src field
src_device_location | string | (Geo) Location display name string for the object specified in incident_src
src_country | string | (Geo) Country name string for the object specified in incident_src
src_state | string | (Geo) State name for the object specified in incident_src
src_building | string | (Geo) Building name for the object specified in incident_src
src_floor | string | (Geo) Floor for the object specified in incident_src
src_latitude | double | (Geo) Latitude for the object specified in incident_src
src_longitude | double | (Geo) Longitude for the object specified in incident_src
incident_target | string | Incident Destination string formatted as a list of <Attribute>:Value; e.g. "destIpAddr:10.1.1.1,destName:JoeLaptop" or "hostIpAddr:10.1.1.1,hostName:JoeLaptop"
dest_ip_addr | string | Destination IP parsed out from incident_target field
dest_name | string | Destination Name parsed out from incident_target field
dest_device_location | string | (Geo) Location display name string for the object specified in incident_target
dest_country | string | (Geo) Country name string for the object specified in incident_target
dest_state | string | (Geo) State name for the object specified in incident_target
dest_building | string | (Geo) Building name for the object specified in incident_target
dest_floor | string | (Geo) Floor for the object specified in incident_target
dest_latitude | double | (Geo) Latitude for the object specified in incident_target
dest_longitude | double | (Geo) Longitude for the object specified in incident_target
host_ip_addr | string | Host IP address parsed out from incident_target field
host_name | string | Host Name parsed out from incident_target field
host_device_location | string | (Geo) Location display name string for the object specified in incident_target - populated if incident_target contains hostIpAddr
host_country | string | (Geo) Country name string for the object specified in incident_target - populated if incident_target contains hostIpAddr
host_state | string | (Geo) State name for the object specified in incident_target - populated if incident_target contains hostIpAddr
host_building | string | (Geo) Building name for the object specified in incident_target - populated if incident_target contains hostIpAddr
host_floor | string | (Geo) Floor for the object specified in incident_target - populated if incident_target contains hostIpAddr
host_latitude | double | (Geo) Latitude for the object specified in incident_target - populated if incident_target contains hostIpAddr
host_longitude | double | (Geo) Longitude for the object specified in incident_target - populated if incident_target contains hostIpAddr
vm_name | string | VM Name if incident involves a Virtual machine - populated if incident_target contains vmName
user_attr | string | User name if incident involves user, i.e. incident_target contains user
target_user_attr | string | Target user name if incident involves user, i.e. incident_target contains targetUser
ldap_domain | string | Domain if incident involves user, i.e. incident_target contains domain
computer | string | Computer name - populated if incident_target contains computer
target_computer | string | Target Computer name - populated if incident_target contains targetComputer
incident_details | string | Incident Details containing evidence on why the incident triggered, e.g. Triggered Event Count = 90 or AVG(CPUUtil) = 90 etc.
Sample Incident Queries
- Show Incident Categories with Severity and Frequency Occurrence
- Show Incident Location
Show Incident Categories with Severity and Frequency Occurrence
This query will show which parts of the infrastructure are triggering events.
1. Follow the instructions in Viewing phoenixdb Organization to access the phoenixdb in FortiSIEM Report Server.
2. Under Views, select ph_incident_view.
3. In pgAdmin, click on the SQL icon in the menu bar to open the SQL query window.
4. Enter this SQL query:
   SELECT ph_incident_category, incident_et, severity_cat, src_ip_addr, host_name, COUNT(*)
   FROM ph_incident_view
   GROUP BY ph_incident_category, incident_et, severity_cat, src_ip_addr, host_name
   ORDER BY COUNT(*) DESC;
5. When the query executes, you will see a list of matching incidents in the Output Pane.
Show Incident Location
1. Follow the instructions in Viewing phoenixdb Organization to access the phoenixdb in Accelops Report Server.
2. Under Views, select ph_incident_view.
3. In pgAdmin, click on the SQL icon in the menu bar to open the SQL query window.
4. Enter this SQL query:
   SELECT host_device_location, severity_cat, ph_incident_category, COUNT(*)
   FROM ph_incident_view
   GROUP BY host_device_location, ph_incident_category, severity_cat
   ORDER BY host_device_location ASC, severity_cat ASC, COUNT(*) DESC;
5. When the query executes, you will see a list of incidents and their locations in the Output Pane.
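The column reference and the two sample queries above are easier to reason about against data you can see. The following is an added example, not code from this guide or from FortiSIEM: it builds a small stand-in for ph_incident_view from raw incident rows, doing the parsing of incident_src and incident_target and the severity_cat mapping that the reference describes, and then runs the guide's two queries over it. An in-memory sqlite3 database stands in for the Report Server's PostgreSQL phoenixdb so that the example runs offline; all rows are constructed, and the PH_RULE_EXAMPLE_* event types are placeholders rather than real FortiSIEM rule ids.

```python
"""Added example, not code from the FortiSIEM guide or product.

Builds a small stand-in for ph_incident_view from raw incident rows (the
parsing of incident_src / incident_target and the severity_cat mapping
follow the column reference above) and runs the guide's two sample queries
over it.  sqlite3 replaces the Report Server's PostgreSQL phoenixdb so the
example runs offline; rows are constructed and PH_RULE_EXAMPLE_* ids are
placeholders."""
import sqlite3
from datetime import datetime, timezone


def parse_attr_list(s):
    """'srcIpAddr:10.1.1.1,srcName:JoeLaptop' -> {'srcIpAddr': ..., 'srcName': ...}.
    Only the first ':' separates name from value, so values that themselves
    contain ':' survive intact."""
    out = {}
    for part in s.split(","):
        if ":" in part:
            name, value = part.split(":", 1)
            out[name.strip()] = value.strip()
    return out


def severity_category(severity):
    """severity_cat as documented: 0-4 LOW, 5-8 MEDIUM, 9-10 HIGH."""
    if severity <= 4:
        return "LOW"
    if severity <= 8:
        return "MEDIUM"
    return "HIGH"


def ms_to_utc(epoch_ms):
    """first_seen_time / last_seen_time are UNIX time in milliseconds."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc)


# Constructed raw incidents:
# (incident_id, incident_et, severity, ph_incident_category, incident_src, incident_target, host_device_location)
RAW_INCIDENTS = [
    (1, "PH_RULE_SERVER_HW_CRITICAL", 9, "Server",
     "srcIpAddr:10.1.1.1,srcName:JoeLaptop", "hostIpAddr:10.1.2.5,hostName:db01", "Dallas"),
    (2, "PH_RULE_SERVER_HW_CRITICAL", 9, "Server",
     "srcIpAddr:10.1.1.1,srcName:JoeLaptop", "hostIpAddr:10.1.2.5,hostName:db01", "Dallas"),
    (3, "PH_RULE_EXAMPLE_LINK_DOWN", 5, "Network",
     "srcIpAddr:10.1.1.9,srcName:core-sw1", "destIpAddr:10.1.2.8,destName:app01", "Austin"),
    (4, "PH_RULE_EXAMPLE_APP_ERROR", 2, "Application",
     "srcIpAddr:10.1.1.7,srcName:batch01", "hostIpAddr:10.1.2.9,hostName:web01", "Austin"),
]

VIEW_COLUMNS = ("incident_id", "incident_et", "severity", "severity_cat", "ph_incident_category",
                "incident_src", "src_ip_addr", "src_name", "incident_target",
                "host_ip_addr", "host_name", "dest_ip_addr", "dest_name", "host_device_location")


def build_incident_view(rows=RAW_INCIDENTS):
    """Create ph_incident_view with the parsed-out fields the real view exposes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ph_incident_view (%s)" % ", ".join(VIEW_COLUMNS))
    for iid, et, sev, cat, src, target, loc in rows:
        s, t = parse_attr_list(src), parse_attr_list(target)
        conn.execute(
            "INSERT INTO ph_incident_view VALUES (%s)" % ", ".join("?" * len(VIEW_COLUMNS)),
            (iid, et, sev, severity_category(sev), cat,
             src, s.get("srcIpAddr"), s.get("srcName"), target,
             t.get("hostIpAddr"), t.get("hostName"), t.get("destIpAddr"), t.get("destName"), loc))
    conn.commit()
    return conn


# The guide's two sample queries, unchanged apart from line breaks.
CATEGORY_QUERY = """
SELECT ph_incident_category, incident_et, severity_cat, src_ip_addr, host_name, COUNT(*)
FROM ph_incident_view
GROUP BY ph_incident_category, incident_et, severity_cat, src_ip_addr, host_name
ORDER BY COUNT(*) DESC"""

LOCATION_QUERY = """
SELECT host_device_location, severity_cat, ph_incident_category, COUNT(*)
FROM ph_incident_view
GROUP BY host_device_location, ph_incident_category, severity_cat
ORDER BY host_device_location ASC, severity_cat ASC, COUNT(*) DESC"""


def run_query(conn, sql):
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_incident_view()
    for row in run_query(db, CATEGORY_QUERY):
        print(row)
    for row in run_query(db, LOCATION_QUERY):
        print(row)
```

Two things worth noticing on the sample data: an incident whose incident_target carries destIpAddr rather than hostIpAddr has NULL host_name and still forms its own group in the first query, and ORDER BY severity_cat ASC in the second query sorts the category strings alphabetically (HIGH, LOW, MEDIUM), so order by the numeric severity column instead if you want the rows in severity order.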
Working with Event Data in FortiSIEM Report Server
Data from the FortiSIEM EventDB database is populated to the FortiSIEM Report Server and stored in the Report Server reportdb. This section contains information on how to view the organization of reportdb, and write queries against the data it contains.
- Viewing reportdb Organization
- Syncing FortiSIEM Report with Report Server
- Deleting a Report from FortiSIEM Report Server
- Modifying an Existing Report in FortiSIEM Report Server
Viewing reportdb Organization
This database contains the reports that are synced from the FortiSIEM cluster.
1. In the pgAdmin utility, go to File > Add Server.
2. In the New Server Registration dialog, enter connection details for FortiSIEM Report Server.
   For Maintenance DB, select reportdb.
   For the Port, enter 30000 (the default port used for reportdb).
   For Username and Password, use the read-only user name and password that you created when you provisioned the Report Server.
3. Click OK.
   When the connection to the Report Server is established, reports will load in the Object browser.
4. Select a table to view, then right-click to open the Options menu.
5. In the Options menu, select View Data, and then select an option for which rows you want to view.
Syncing FortiSIEM Report with Report Server
1. Log in to FortiSIEM.
2. Go to Analytics > Reports.
3. Select a report. Any reports with a Sync checkbox can be synced. Run the report to make sure it contains some data.
4. For each report you want to sync, select the Sync checkbox. AO-SP: In the Sync Details dialog, select the organizations whose data needs to be synced.
5. Click OK.
6. After several minutes, follow the instructions in Viewing reportdb Organization to view the reportdb database.
7. Under Tables, you should now see the synced reports.
Table Structure for Synced Reports
When you sync a FortiSIEM report to FortiSIEM Report Server, a pair of tables is created in reportdb (one pair for each organization in the case of AO-SP). For each organization, these tables are created:
1. A parent table containing data for all months: the table name is of the form <Report Name>_<ID>_<custId>
2. A child table for the current month: <Report Name>_<ID>_<custId>_<yYYYYmMM> where YYYY is the year and MM is the month.
Queries should be written using the parent table. To see data in the parent table, follow the instructions in Viewing reportdb Organization. The reportdb database fields are generated from the display fields in FortiSIEM report definitions. Only the field report_time is added to the Report Server table definitions to capture the time when the particular report is generated. For example, if you synced the report Network Devices by CPU, Memory, you would see these fields:
Field | Description
report_time | UNIX time at which the report is generated. Unix time (or POSIX time or Epoch time) is a system for describing instants in time, defined as the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC), Thursday, 1 January 1970, not counting leap seconds.
hostName | Host Name of the device for which CPU and memory are being measured
hostIpAddr | Access IP of the device for which CPU and memory are being measured
AVG(cpuUtil) | Average of all the CPU utilization metrics within the last 5 minutes ending with report_time
AVG(memUtil) | Average of all the memory utilization metrics within the last 5 minutes ending with report_time
Deleting a Report from FortiSIEM Report Server
1. Log in to FortiSIEM.
2. In Analytics > Reports > Synced Reports, select the report you want to delete.
3. In the Sync Details dialog, clear the Sync option for the report, and then click OK.
   The report will no longer be synced with Report Server. You can verify this by making sure the Sync option is not selected for the report on the Analytics > Reports > Synced Reports page. You can now delete the report from FortiSIEM Report Server.
4. Log in to FortiSIEM Report Server via SSH and navigate to the directory /opt/phoenix/deployment/jumpbox.
5. Run the phreportdbmanager.py command, along with the table name and date as arguments, to delete the report:
   phreportdbmanager.py --remove tablenames='"Network Devices By CPU, Memory_1278492569_1"' reporttimes=2014-10
   Viewing the Names of Reports in Report Server: Use the pgAdmin utility to view the names of all tables and reports in Report Server, as described in Viewing reportdb Organization.
   When the deletion process completes, you will see a command line output like this:
6. After you have deleted the table containing the report information, you will need to delete the parent table, which will now be empty of content, using the same phreportdbmanager.py command.
Modifying an Existing Report in FortiSIEM Report Server
Suppose a system report is synced and exported to FortiSIEM Report Server. When you modify that report in FortiSIEM, you must rename it, at which point it becomes a user report. When you then sync that report to Accelops Report Server, a new table is created on the FortiSIEM Report Server.
Suppose now that you have a user-defined report that is already synced to the FortiSIEM Report Server, but you modify it inline in FortiSIEM, which means that you have changed the report conditions without changing the report name. This will cause a change in the table, but a new table will not be created. Here are some examples of inline modifications, and how they affect the structure of the table as well as the data collected in the table:
Modification | Effect
GROUP BY field added | The corresponding table has the new GROUP BY field, but only newer data populates the field
GROUP BY field removed | There is no change in the corresponding table, and newer data does not populate the field
GROUP BY field changed | For example, the field srcIpAddr is changed to destIpAddr. Both fields are retained, but newer data populates destIpAddr.
Aggregated field added | The corresponding table has the new field, but only newer data populates that field
Aggregated field removed | There is no change in the corresponding table, and newer data does not populate the field
Aggregated field changed | For example, AVG(cpuUtil) is changed to MAX(cpuUtil). Both fields are retained, but newer data populates MAX(cpuUtil).
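The practical consequence of the table above, and of the parent/child layout described under Table Structure for Synced Reports, is that a parent table can carry columns that older rows populate and newer rows leave NULL, or the reverse, which silently skews averages and counts in queries written against it. The following is an added example, not code from this guide or from FortiSIEM, that models both: the table naming from Table Structure for Synced Reports, and how each inline modification listed above changes which columns a new five-minute sync fills. The class and function names are the author's own, the sample values are constructed, and the column retention behaviour is modelled from the guide's text rather than taken from the Report Server implementation.

```python
"""Added example, not FortiSIEM code: a model of how one synced report is
laid out in reportdb (parent table plus one child table per month) and of
how the inline modifications listed above change the table.  Table naming
follows the guide; the way old and new columns are populated is modelled
from the guide's Modification / Effect table and may differ in detail from
the real Report Server."""
from datetime import datetime, timezone


def parent_table_name(report_name, report_id, cust_id):
    """<Report Name>_<ID>_<custId>"""
    return "%s_%s_%s" % (report_name, report_id, cust_id)


def child_table_name(report_name, report_id, cust_id, report_time):
    """<Report Name>_<ID>_<custId>_<yYYYYmMM>; the month comes from report_time,
    which is UNIX time in seconds (UTC)."""
    dt = datetime.fromtimestamp(report_time, tz=timezone.utc)
    return "%s_y%04dm%02d" % (parent_table_name(report_name, report_id, cust_id), dt.year, dt.month)


class SyncedReportTable:
    """Parent table for one report and one organization (custId)."""

    def __init__(self, report_name, report_id, cust_id, display_fields):
        self.report_name, self.report_id, self.cust_id = report_name, report_id, cust_id
        # report_time is the only column not taken from the report's display fields
        self.columns = ["report_time"] + list(display_fields)
        self.populated = list(self.columns)   # columns the current definition still fills
        self.rows = []

    def parent_name(self):
        return parent_table_name(self.report_name, self.report_id, self.cust_id)

    def apply_inline_modification(self, display_fields):
        """The report's conditions changed without a rename: new GROUP BY or
        aggregate fields become new columns (NULL in existing rows); removed
        or changed fields keep their column but newer data no longer fills it."""
        new_columns = ["report_time"] + list(display_fields)
        for col in new_columns:
            if col not in self.columns:
                self.columns.append(col)
                for row in self.rows:
                    row[col] = None
        self.populated = new_columns

    def push_sync(self, report_time, values):
        """One five-minute sync cycle appends a row; every column that the
        current definition no longer populates stays NULL (None)."""
        row = {col: None for col in self.columns}
        row["report_time"] = report_time
        for col in self.populated[1:]:
            row[col] = values.get(col)
        self.rows.append(row)
        return row

    def child_tables(self):
        """Monthly child tables the stored rows fall into (sorted)."""
        return sorted({child_table_name(self.report_name, self.report_id, self.cust_id, r["report_time"])
                       for r in self.rows})

    def sparse_columns(self):
        """Columns that exist but are no longer populated: the ones to avoid in
        queries written after an inline change, or to COALESCE with their replacement."""
        return [c for c in self.columns if c not in self.populated]


if __name__ == "__main__":
    # Constructed walk-through of the "Aggregated field changed" row of the table above.
    t = SyncedReportTable("Network Devices By CPU, Memory", 1278492569, 1,
                          ["hostName", "hostIpAddr", "AVG(cpuUtil)", "AVG(memUtil)"])
    t.push_sync(1412121600, {"hostName": "sw1", "hostIpAddr": "10.0.0.1",
                             "AVG(cpuUtil)": 40.0, "AVG(memUtil)": 55.0})
    t.apply_inline_modification(["hostName", "hostIpAddr", "MAX(cpuUtil)", "AVG(memUtil)"])
    t.push_sync(1414800000, {"hostName": "sw1", "hostIpAddr": "10.0.0.1",
                             "MAX(cpuUtil)": 90.0, "AVG(memUtil)": 57.0})
    print(t.parent_name(), t.columns, t.sparse_columns(), t.child_tables(), sep="\n")
```

The parent name produced for the constructed report is the same string that the phreportdbmanager.py example under Deleting a Report uses, and the two report_time values fall into the y2014m10 and y2014m11 child tables, which is the month granularity the reporttimes argument there expresses.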
Installing and Configuring Tableau Server
- Prerequisites
- Installation
- Activation
- Configuration
Prerequisites
Before you begin installing Tableau Server, make sure you have read the section on Tableau
Server in Requirements for Visual Analytics Report Server. This contains information on the Administrator
Account and Ports that you will need during the configuration process. You may want to also consult the Tableau
Server Administration Guide before you begin the installation process.
Installation
1. Download the installation file from Tableau Software.
2. Double-click the installation file to launch the Setup Wizard.
3. When the Setup Wizard launches, click Next to begin the installation process.
4. Enter a Destination Location where you want to install the server files, and then click Next.
5. When the system verification process completes, click Next.
6. Enter a location for the Start Menu folder, or use the default location, and then click Next.
7. Click Install to complete the installation process.
8. Click Next to begin the server activation process.
Activation
1. If you are evaluating Tableau Server, click Start trial now. Otherwise, click Activate the product to enter a
license key.
2. If you enter a license key, click Activate.
3. Click Continue to launch the Tableau Server configuration process.

Configuration
1. In the Configuration dialog, enter the User Name and Password of the domain admin account that you will use to
administer the Tableau Server.
2. If necessary, enter a Gateway port through which you will connect to the server over HTTP.
3. Click OK.
The initialization process will launch and complete within several minutes.
4. Click Finish to complete the configuration process.
5. Launch the Tableau Server user interface by entering the URI for the server in a browser window.
The URI will be in the format http://<Windows_Server_IP_Address>:<Port_Number_Used_In_Step_2>
Note that this is plain HTTP: the admin credentials you enter in the next step cross the network unencrypted unless you enable SSL on Tableau Server, which the Tableau Server Administration Guide describes.
6. Sign in to the server by entering the credentials for the domain admin account that you entered in Step 1, and then
click Sign In.
7. Click the Admin tab and select Maintenance.
8. Under Status, check to make sure that all systems are up and running.
You are now ready to install Tableau Desktop. After you have completed the Desktop installation process and
connect to Report Server for the first time to create a sheet, as described in Creating a Single Sheet Workbook,
you will also establish the connection between FortiSIEM Report Server and Tableau Server.
Creating and Managing Workbooks
This section contains information on using Visual Analytics Desktop to create sheets and workbooks that are
based on FortiSIEM reports, and then publishing them for others to use.

- Viewing Workbooks
- Creating and Publishing Workbooks
- Adding Users to Workbooks
Viewing Workbooks
1. Log in to Visual Analytics Server.
2. Click the Content tab and select Workbooks.
3. Click on a workbook.
The workbook along with its worksheets is displayed.
4. Select a workbook or worksheet.
5. You will be prompted for credentials that allow the workbook or worksheet to access database information.
Enter the Admin credential that you used to set up FortiSIEM Report Server and click OK.
6. When your credential is accepted, the chart associated with the selected workbook or worksheet is displayed.
Creating and Publishing Workbooks
Workbooks are collections of FortiSIEM reports that have been synced to FortiSIEM Report Server, and which are
then the basis for charts and dashboards that can be published to Visual Analytics Server for access by other
users. Information in this section describes how to create single and multiple sheets of report information, and
then make them accessible to other users.

- Creating a Single Sheet Workbook
- Creating a Multiple Sheet Workbook
- Using FortiSIEM Workbooks with Tableau Visual Analytics Desktop and Server

Creating a Single Sheet Workbook
These instructions demonstrate how to create a single-sheet workbook that will chart the CPU and memory
utilization trend for various servers. This example uses the Servers by CPU, Memory report and its associated
table, but any report with a table in the reportdb database can also be used. The Tableau Desktop online Help
also contains extensive information about building sheets and workbooks with the Tableau Desktop editor, which
powers the FortiSIEM Visual Analytics Desktop.

- Prerequisites
- Procedure

Prerequisites
- Follow the instructions in Syncing FortiSIEM Report with Report Server to sync the report you want to use for your
worksheet.
- You will need to know the name of the parent table for your synced report. Follow the instructions in Viewing
reportdb Organization to find the table that corresponds to your report.
Procedure
Create the Sheet
1. Launch Tableau Visual Analytics Desktop.
2. Connect to FortiSIEM Report Server with the Username and Password that you used during Report Server
installation.
- For Database, enter reportdb
- For Port, enter 30000
Connecting to Port 30000: It's important to make sure you enter the correct port to connect to
the reportdb database. If you leave this option blank you will connect to the default PostgreSQL
database port, which will connect you with phoenixdb instead of reportdb. For more information
about the databases contained in Report Server, see Report Server Architecture: phoenixdb and
reportdb.
3. Under Tables, select the parent table for your report. For the steps following, we will use the Servers by CPU, Memory table and its associated columns.
4. Drag the table to the View pane and click Update Now.
The data in the table will load into the pane below. Note that the table columns closely match the Report
Display Columns in FortiSIEM.
5. For Connection, select Live.
6. Click Go to Worksheet.
In the worksheet view you will see that a set of Dimensions and Measures are populated for the table.
7. Under Measures, select Report Time and drag it to the Dimensions section to create Report Time as a
calculated measurement.
8. Under Dimensions, right-click on Report Time to edit the calculation formula and convert it from UNIX time to a human-readable date.
The formula should look like DATEADD('second',INT([Report Time]),#1969-12-31 16:00:00#)
Report Time is stored as seconds since the UNIX epoch (1970-01-01 00:00:00 UTC). The anchor date #1969-12-31 16:00:00# is that epoch expressed in US Pacific Standard Time (UTC-8), so the formula renders times in PST. Use #1970-01-01 00:00:00# to display UTC, or the epoch expressed in your own fixed offset. DATEADD only adds a constant, so daylight saving time is not accounted for.
You may also want to rename Report Time to Time to make it easier to read on the resulting chart.
9. Drag Report Time from Dimensions to Columns.
10. Under Columns, right-click on Report Time and select Exact Date.
You should now see dates and time increments in your chart as the X-axis.
11. Under Measures, select and drag AVG(cpuUtil) and AVG(memUtil) to Rows.
12. Set the aggregation of both AVG(cpuUtil) and AVG(memUtil) to AVG.
For example, AVG(AVG(cpuUtil)) and AVG(AVG(memUtil)).
You should now see both measures on the Y-axis of your chart.
13. Under Dimensions, drag Host Name to the Color section under Marks.
Each host will be assigned a color and added to the chart.
14. Change the chart display name for AVG(cpuUtil) and AVG(memUtil) by clicking on each in the Y-axis to launch the
Edit Y-Axis dialog. You can now edit the Title and Range, as well as other attributes, for each measure.
15. Under Data, click on the data source to open the Options menu, then click Refresh.
16. Rename the sheet by clicking on the data source to open the Options menu, then select Rename and enter a new
name.
Your sheet is now complete. Hover your mouse over a trend line to view information about a specific host.
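The Report Time conversion in step 8 depends on an anchor date that hides a fixed timezone offset. The following Python, added here as an example and not taken from the FortiSIEM guide or from Tableau, computes the correct anchor for a named zone, produces the equivalent calculated-field text, and measures how far the fixed-offset DATEADD result drifts from the true local time once daylight saving is in force. The zone names and sample timestamps are constructed for the demonstration; the only assumption taken from the guide is that report_time holds seconds since the UNIX epoch.

```python
"""Epoch-to-local conversion behind the Tableau Report Time formula.

Added example (not from the FortiSIEM guide or from Tableau). It assumes only
that report_time holds seconds since the UNIX epoch, as the guide states; the
zone names and sample timestamps below are constructed for the demonstration.
"""
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def epoch_anchor(tz_name: str) -> str:
    """Tableau date literal for the UNIX epoch as a wall-clock time in tz_name.

    For America/Los_Angeles this is '#1969-12-31 16:00:00#', the anchor the
    guide's formula uses; for UTC it is '#1970-01-01 00:00:00#'.
    """
    local = UNIX_EPOCH.astimezone(ZoneInfo(tz_name))
    return local.strftime("#%Y-%m-%d %H:%M:%S#")


def tableau_formula(tz_name: str) -> str:
    """Calculated-field text equivalent to the guide's step 8, for tz_name."""
    return f"DATEADD('second', INT([Report Time]), {epoch_anchor(tz_name)})"


def dateadd_local(report_time: int, tz_name: str) -> datetime:
    """What the DATEADD formula produces: anchor plus seconds, fixed offset.

    The result is a naive datetime, just as Tableau sees it. No DST rule is
    applied, because the anchor bakes in the offset in force on 1970-01-01.
    """
    anchor = datetime.strptime(epoch_anchor(tz_name), "#%Y-%m-%d %H:%M:%S#")
    return anchor + timedelta(seconds=report_time)


def true_local(report_time: int, tz_name: str) -> datetime:
    """The correct wall-clock time, honouring the zone's DST rules."""
    aware = datetime.fromtimestamp(report_time, ZoneInfo(tz_name))
    return aware.replace(tzinfo=None)


def dateadd_skew_seconds(report_time: int, tz_name: str) -> int:
    """Seconds by which the fixed-offset formula is wrong for this timestamp."""
    delta = true_local(report_time, tz_name) - dateadd_local(report_time, tz_name)
    return int(delta.total_seconds())


if __name__ == "__main__":
    # Constructed sample: 2016-07-01 12:00:00 UTC, inside Pacific Daylight Time.
    JULY = 1467374400
    for tz in ("America/Los_Angeles", "UTC"):
        print(tz, tableau_formula(tz))
        print("  DATEADD gives", dateadd_local(JULY, tz),
              "| true local", true_local(JULY, tz),
              "| skew", dateadd_skew_seconds(JULY, tz), "s")
```

For the July sample the guide's anchor yields 04:00 while the clock in Los Angeles reads 05:00, so any chart built with the PST anchor is an hour early for roughly half the year; the UTC anchor never drifts, which is why UTC is the safer choice when the chart is used to line up events across hosts during an investigation.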
Create the Workbook
1. Click the Dashboard tab on the bottom of the Sheet editor to open the Dashboard editor.
2. Under Dashboard, select an appropriate Size and screen resolution.
3. Under Dashboard, select the sheet and drag it into the display pane.
4. Open the Dashboard options menu and select Rename.
Change the name of the dashboard from Server CPU/Memory Trend to Server Performance.
5. In the File menu, select Save.
Publish the Workbook
1. In the Server menu, select Sign In...
2. Enter the IP address and port number for the Visual Analytics Server.
3. Enter the Username and Password for the Visual Analytics Server admin user, and then click Sign In.
4. In the Server menu, select Publish Workbook.
5. Enter attributes for the workbook, such as the associated Project, Name, View Permissions, and Views to
Share. See Adding Users to Workbooks for more information about user permissions for workbooks.
6. Click Publish.
Creating a Multiple Sheet Workbook
These instructions demonstrate how to create a multiple-sheet workbook that will contain a set of charts related
to Network Health. This example uses the Network Devices by Ping RTT, Network Interfaces By
Utilization, and Network Devices By CPU, Memory reports, but any report with an associated table and
views in the reportdb database could be used. The Tableau Desktop online Help also contains extensive
information about building sheets and workbooks with the Tableau Desktop editor, which powers the FortiSIEM
Visual Analytics Desktop.

- Prerequisites
- Procedure

Prerequisites
- Follow the instructions in Syncing FortiSIEM Report with Report Server to sync the reports you want to use for your
worksheet.
- You will need to know the name of the parent table for each synced report. Follow the instructions in Viewing
reportdb Organization to find the table that corresponds to your report.
Procedure
Create a View
Each report you want to include in your workbook corresponds to a table in the FortiSIEM reportdb. These tables
need to be joined to cross-link the information that will appear in your workbook. In the case of a Network Health
workbook that includes the sheets Network Devices by Ping RTT, Network Interfaces By Utilization, and Network
Devices By CPU, Memory, the joining keys are host name and time.
1. Follow the instructions in Viewing reportdb Organization to find the parent tables for the reports you want to join.
For each report there is one parent table and multiple child tables containing data for a particular month.
2. Create a SQL statement in pgAdmin to join the tables.
In this example data is captured for one day, which keeps the data visualization quick to generate.
-- Join the three report tables on host name and report time and keep only the
-- last 24 hours. report_time is seconds since the UNIX epoch, so
-- to_timestamp(report_time) is the same instant as the longer expression
-- (report_time * 1000)::double precision * '00:00:00.001'::interval
--   + '1969-12-31 16:00:00-08'::timestamp with time zone
-- (that anchor is 1970-01-01 00:00:00 UTC written in PST).
SELECT cpu.report_time,
       cpu."hostName",
       cpu."hostIpAddr",
       cpu."AVG(cpuUtil)",
       cpu."AVG(memUtil)",
       uptime."SUM(sysDownTime)",
       uptime."AVG(avgDurationMSec)",
       uptime."LAST(sysUpTime)",
       uptime."SUM(pollIntv)",
       util."intfName",
       util."intfAlias",
       util."AVG(inIntfUtil)"     AS "totalAvgInIntfUtil",
       util."AVG(outIntfUtil)"    AS "totalAvgOutIntfUtil",
       util."AVG(recvBitsPerSec)" AS "totalAvgRecvBitsPerSec",
       util."AVG(sentBitsPerSec)" AS "totalAvgSentBitsPerSec",
       util."AVG(outQLen)",
       util."AVG(intfSpeed64)"
FROM "Network Devices By CPU, Memory_1278492569_1" AS cpu
JOIN "Network Devices by Ping RTT_2021056235_1" AS uptime
  ON uptime.report_time = cpu.report_time
 AND uptime."hostName"  = cpu."hostName"
JOIN "Network Interfaces By Utilization_382117475_1" AS util
  ON util.report_time = uptime.report_time
 AND util."hostName"  = uptime."hostName"
WHERE to_timestamp(cpu.report_time)    >= now() - interval '1 day'
  AND to_timestamp(uptime.report_time) >= now() - interval '1 day'
  AND to_timestamp(util.report_time)   >= now() - interval '1 day';
3. Click the Play icon in pgAdmin to execute the query. Make sure the output pane contains data that is the result of the query execution.
4. Modify the SQL statement to create a view. Add this command at the top of the SQL statement:
CREATE OR REPLACE VIEW ph_network_health_view AS
Add this command at the bottom of the SQL statement:
grant select on ph_network_health_view TO public;
Your complete SQL statement should look like this:
-- Wrap the join in a view so Tableau can treat it as a single table.
CREATE OR REPLACE VIEW ph_network_health_view AS
SELECT cpu.report_time,
       cpu."hostName",
       cpu."hostIpAddr",
       cpu."AVG(cpuUtil)",
       cpu."AVG(memUtil)",
       uptime."SUM(sysDownTime)",
       uptime."AVG(avgDurationMSec)",
       uptime."LAST(sysUpTime)",
       uptime."SUM(pollIntv)",
       util."intfName",
       util."intfAlias",
       util."AVG(inIntfUtil)"     AS "totalAvgInIntfUtil",
       util."AVG(outIntfUtil)"    AS "totalAvgOutIntfUtil",
       util."AVG(recvBitsPerSec)" AS "totalAvgRecvBitsPerSec",
       util."AVG(sentBitsPerSec)" AS "totalAvgSentBitsPerSec",
       util."AVG(outQLen)",
       util."AVG(intfSpeed64)"
FROM "Network Devices By CPU, Memory_1278492569_1" AS cpu
JOIN "Network Devices by Ping RTT_2021056235_1" AS uptime
  ON uptime.report_time = cpu.report_time
 AND uptime."hostName"  = cpu."hostName"
JOIN "Network Interfaces By Utilization_382117475_1" AS util
  ON util.report_time = uptime.report_time
 AND util."hostName"  = uptime."hostName"
WHERE to_timestamp(cpu.report_time)    >= now() - interval '1 day'
  AND to_timestamp(uptime.report_time) >= now() - interval '1 day'
  AND to_timestamp(util.report_time)   >= now() - interval '1 day';

-- PUBLIC is every role in the database; see the note below before running this.
grant select on ph_network_health_view TO public;
PUBLIC is every role in the database, so this grant lets any account that can log in to reportdb read the joined view. If Tableau connects with a dedicated read-only role, grant SELECT to that role by name instead of to PUBLIC.
5. In pgAdmin, click the Play icon to execute the statement.
6. Using pgAdmin, navigate to the Views and make sure the ph_network_health_view has been created.
7. Right-click on ph_network_health_view to open the Options menu, then select View Data > View Last
100 Rows to make sure the view contains data.

Create a Workbook that Uses the View
1. Launch FortiSIEM Visual Analytics Desktop.
2. Connect to FortiSIEM Report Server with the Username and Password that you used during Report Server
installation.
For Database, enter reportdb.
For Port, enter 30000.
3. Under Tables, enter the name of the view you created in the search box to locate the view.
4. Drag the view into the Join pane and click Update Now.
The data in the view will load into the pane below.
5. For Connection, select Live.
6. Click Go to Worksheet.
In the worksheet view you will see that a set of Dimensions and Measures are populated for the view.
[Screenshot: an example worksheet showing CPU and Memory Utilization with several Dimensions and Measures populated
from the original table.]
7. For each report in your workbook you can now create an individual sheet, as described in Creating a Single Sheet
Workbook.
Create the Workbook
1. Click the Dashboard tab on the bottom of the Sheet editor to open the Dashboard editor.
2. Drag each sheet you've created into the Join pane.
[Screenshot: three worksheets loaded into the Dashboard Join pane.]
3. Under Dashboard, select an appropriate Size and screen resolution.
4. Open the Dashboard Options menu and select Rename.
5. In the File menu, select Save.
Publish the Workbook
1. In the Server menu, select Sign In...
2. Enter the IP address and port number for the Visual Analytics Server.
3. Enter the Username and Password for the Visual Analytics Server admin user, and then click Sign In.
4. In the Server menu, select Publish Workbook.
5. Enter attributes for the workbook, such as the associated Project, Name, View Permissions, and Views to
Share. See Adding Users to Workbooks for more information about user permissions for workbooks.
6. Click Publish.
Using FortiSIEM Workbooks with Tableau Visual Analytics Desktop and Server
You can use any of the workbooks provided by FortiSIEM, which are attached to this page, to create
visualizations of FortiSIEM data.
1. Download a workbook attached to this page to your local device where Tableau Visual Analytics Desktop is
installed.
2. In Visual Analytics Desktop, go to File > Open....
3. Browse to the file you downloaded and open it.
4. You can make any changes you want to the workbook, or you can upload it to the server and start using it as is.
Follow the instructions in the Publish the Workbook section of Creating a Single Sheet Workbook to publish to
the Tableau Visual Analytics Server, and add user permissions as described in Adding Users to Workbooks.
Adding Users to Workbooks
Only the workbook publisher can give access to specific users, at report creation time. As the FortiSIEM Visual
Analytics Server Administrator, you can add users to the system and view which workbooks users can access.

- Adding Users to Visual Analytics Server
- Viewing User Access to Workbooks
Adding Users to Visual Analytics Server
1. Log in to FortiSIEM Visual Analytics Server.
2. In the Admin tab click Users.
3. Click Add.
4. Enter the user name as it appears in Active Directory.
5. Select the License Level for the user and assign User Rights as necessary.
6. Click OK.
Viewing User Access to Workbooks
1. Log in to Visual Analytics Server.
2. In the Admin tab click Users.
3. Select a user name to see the workbooks that the user can access.
Real Time Performance Probe
This section describes how to probe monitored devices for real time performance metrics.

- Available metrics
- GUI launch locations
- Running a real time probe
- Example - Real time Interface Statistics Display

Available metrics
- CPU utilization
- Memory utilization
- Network interface statistics
- Uptime
- Disk utilization
- SNMP Ping Statistics
- Process Utilization

GUI launch locations
The Real Time Performance Metrics option is available from the following GUI locations:
- CMDB > Device > IP Address > Right click
- CMDB > Device > Interfaces > Name > Right click
- Incident > Incident Source and Incident Target > Right click

Running a real time probe
1. From any of the above locations, select Real Time Performance Metrics.
2. Select the parameters:
a. Select Job Name as the metric of interest.
b. Select the polling Frequency in seconds.
c. Select the number of Runs, the number of times the device will be polled.
d. Select the Collector that should communicate with the device.
e. Depending on the job name, you may also need to select a Filter. For example, select Interface Name
for Network Interface Statistics.
3. Click Start.
4. The data will start to be displayed in the chart below.
5. You can display two fields side by side by:
a. selecting one attribute in the Left Chart drop-down,
b. selecting another attribute in the Right Chart drop-down, and
c. selecting Right Chart.
The probe will stop after the device has been probed for the specified number of Runs.
6. To stop a probe, click Probe.
Implementation Note
FortiSIEM uses the same event framework to collect data from the devices and display them in the GUI. However,
these probe events are neither stored in the event database nor evaluated by rules: they do not trigger incidents and are not available for later searches or reports, so a probe is a live diagnostic, not a record.

Example - Real time Interface Statistics Display
[Screenshot: real time interface statistics chart.]
Incidents - Flash version
Incidents are a category of events that are triggered when a set of rule conditions have been met. When an
incident occurs, it appears in both the Dashboard > Incident Dashboard and in the Incidents tab, and, in
some cases, a notification is sent based on the notification policies you have set. You can also create tickets from
FortiSIEM incidents. Topics in this section cover the incident information that is available in the dashboard, how
to create incident notification policies, how to create tickets for FortiSIEM and other ticket-handling systems, and
how to manage the IPS Vulnerability Map.

- Incident Information
- The IPS Vulnerability Map
- Incident Notifications
- Creating Tickets
- Using Incidents in Searches and Rules
Viewing and Searching Incidents
The Incident Dashboard displays incident information for your IT infrastructure based on the filter conditions you
set. You can also view incidents grouped by incident attributes, use values in incident attributes to refine your
searches, view information about rules that triggered incidents, and use incident information to create rule
exceptions and event dropping rules.

- List View of Incidents
- Device Risk View of Incidents
- Calendar View of Incidents
- Fishbone View of Incidents

List View of Incidents
There are two ways you can view the incidents that are occurring in your IT infrastructure.
- The Incidents tab, shown in the screenshot for this topic, where you can view incidents and incident details
- Dashboard > Incident Dashboard, which includes the same incident summary and user interface controls found
in the Incidents tab, but which also provides other views of incidents, including a fishbone view of incidents in your
infrastructure, a topology view with the number and severity of incidents overlaid on devices, a calendar view, and a
location view that includes both a summary view of incident source and target IP locations and a map view, along
with the number and severity of incidents for that location overlaid on the map.
In both locations you can filter the incidents in the dashboard, find out more information about sources and
targets of incidents, customize the dashboard layout, and manage the rules associated with incidents.

- Incident Attributes
- Incident Dashboard User Interface Controls
- Incident Details
Incident Attributes
An Incident has the following attributes.

Attribute Name: Description

Event Severity Category: The severity of the incident, High, Medium, or Low
Last Seen Time: The last time that the incident was triggered
First Seen Time: The first time that the incident was triggered
Incident Name: The name of the rule that triggered the incident
Incident ID: The unique ID assigned to the incident
Incident Source: The source IP or host name that triggered the incident
Incident Target: The IP or host name where the incident occurred
Incident Detail: Event attributes that triggered the incident
Status: The status of the incident: Active, Cleared, Cleared Manually, or System Cleared
Cleared Reason: For manually cleared incidents, the reason the incident was cleared
Cleared Time: The time an incident was cleared
Cleared User: The person who cleared the incident
Comments: Any comments that users have entered for the incident
Ticket Status: Status of any tickets associated with the incident
Ticket ID: The ID number of any tickets generated by the incident
Ticket User: The person assigned to any tickets generated by the incident
External User: If the ticket was cleared in an external ticket-handling system, the name of the person the ticket was assigned to
External Cleared Time: If the ticket was cleared in an external ticket-handling system, the time it was cleared
External Resolved Time: If the ticket was resolved in an external ticket-handling system, the time it was resolved
External Ticket ID: The ID of the incident in an external ticket-handling system
External Ticket State: The state of the incident ticket in an external ticket-handling system
External Ticket Type: The type assigned to the incident ticket in an external ticket-handling system
Organization: The organization reporting the event
Impacts: Organizations impacted by the event
Business Service: Business services impacted by the incident
Incident Notification Status: Status of any notifications that were sent because of the incident
Notification Recipients: Who received notification of the incident
Incident Count: How many times the incident has occurred during the selected time interval
Incident Dashboard User Interface Controls
This screenshot shows the Incidents tab with the major user interface controls outlined in red.
Incident Dashboard Filter Controls
The filter controls let you control which incidents are shown in the dashboard.
Filter Control: Description

Filter Criteria: You have three options for the filter conditions:
- ID: Search for an incident by ID
- IP: Search for an incident based on an IP address
- Advanced: Use this option to set filter conditions based on event attributes as described in Creating a Structured Real Time Search. See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information about using attributes in search filters.
Group By: Use these options to group incidents in the dashboards based on incident attributes. See Using Group By Attributes to View Incidents for more information.
Severity: Use these options to only see incidents with the selected severity level
Function: Use these options to view incidents related to a specific infrastructure functional area, such as Performance or Security.
Incident Status: Filter incidents to view according to their status
Ticket Status: Filter incidents based on the status of their associated tickets. See Creating Tickets In FortiSIEM In-built Ticketing System for more information.
Time Selection: Select the time interval during which incidents should have occurred. The default is Last 2 Hours.
Organization: For Service Provider deployments, select the organization you want to view incidents for.
Impacts: For multi-tenant deployments, select an organization to view the incidents that are impacting it.
Incident Management Controls

Control: Description

Refresh: Refresh the dashboard view
Edit Rule: Edit the rule associated with the incident. See the topics under Rules for more information.
Exception: Create an exception to the rule associated with the incident. See Defining Rule Exceptions for more information.
Ticket: Create a ticket from the incident. See Creating Tickets In FortiSIEM In-built Ticketing System for more information.
History: View the ticket history associated with an incident.
Clear: Clear the incident. See Defining Clear Conditions for more information on how to set rule conditions that will automatically clear incidents. All non-security related incidents are cleared from the system every night at midnight local time and show a status of System Cleared. A status of Manual Clear means that a user cleared the incident from the Incident Dashboard, while Clear means it was cleared by a rule condition.
Email: Select one or more incidents from the incident view and send email using any specific email template.
Comments: Add comments to the incident.
Columns: Change the columns displayed in the summary table. Incident Columns describes all the columns that can be added to the Incident Dashboard.
Export: Export the incident information to a PDF or CSV file
Locations: View geolocation information about the incidents. Pin colors on the map indicate incident severity:
- Red: HIGH severity
- Yellow: MEDIUM severity
- Green: LOW severity
- Black: Incidents with multiple severity levels at the same location
Contextual Menus
Clicking on an item within a column of the incident summary will open a contextual menu, with options depending
on whether the incident attribute you selected includes an IP address (Source IP or Target IP, for example), or
some other kind of incident attribute. Shared between both menus are an Add to Filter option, which enables
you to select a result attribute and add it to the Filter By conditions. Both menus also include most of the same
options available in the Incident Management controls to edit and add exceptions to rules. The IP address
contextual menu provides options to view more information about the associated device, with many of the same
options you would find in the Analysis menu used in search summary dashboards.
This screenshot shows the IP contextual menu open after selecting an IP address in the Incident Source
column of the Incidents tab.

Incident Summary in the Dashboard > Incident Dashboard Contextual Menu
The Dashboard > Incident Dashboard contextual menu includes an option not found in the Incident tab view
of incidents. Click in any column for an incident in the Incident Dashboard to open the contextual menu, and you
will see the option Show incident details. If you select this option the Incidents tab view of incidents will load,
and you will see detailed information about the incident you selected in the Incident Details pane.
Incident Details
The Incident Details pane at the bottom of the Incidents Dashboard provides you with information about a
selected incident in three areas: Incident Details, Triggered Events, and Related Incidents.
Incident Details
The Incident Details include the ID of the incident, specific details about the event that triggered the incident,
and the definition of the rule associated with the incident.
Triggered Events
The list of events that triggered the incident. For columns containing an event type, or host or IP information,
click on an item to open a contextual menu and view more information about it.
Selecting Sub Patterns
If the rule that triggered the incident has multiple sub patterns, you can select a sub pattern to see which events
met its conditions.
Related Incidents
Use this menu to view related incidents based on the Source, Target, Rule Name, or Reporting IP associated
with the selected incident.
Searching for Incidents by Incident Attributes
As you review incidents in your dashboard, you may want to build searches based on attributes from selected
incidents. For example, you may want to use the value for the Incident Target attribute in an incident as a
filter condition to find similar or related incidents, and then add more conditions based on the results of that
search.
1. Log in to your Supervisor node.
2. Go to Incidents.
3. In the Incident Dashboard, select an incident.
4. Click on the attribute value for the selected incident that you want to add to the Filter By condition to open the
Options menu, and then select Add to Filter.
The type of search will change to Advanced, and the attribute value you selected will be added to the Filter By
conditions.
5. Click in the Filter By Conditions field to open the Conditions Builder and add other incident attributes.
6. Click Refresh when you're done creating filter conditions to see the results.
Using Group By Attributes to View Incidents
The Incident Dashboard presents a view of all incidents based on the filter conditions you select. However, there
may be situations in which you want to view incidents grouped on incident attributes like Incident Source,
Incident Target, Severity, or Incident Name. Once incidents are grouped by their attributes, you can view
Incident Details for the entire group.
1. Log in to your Supervisor node.
2. Go to Incidents.
3. In the Group By menu, select the attributes you want to use to group the incidents, and then click Refresh.
The Incident Dashboard will refresh and display incidents grouped according to the attributes you selected, with
a COUNT(Matched Events) column that indicates how many incidents are in each group.
4. Select a group and then click on it to open the Options menu.
5. In the Options menu, select Show Incident Details for This Group.
The Incident Dashboard will refresh to show all incidents in the selected incident group, and you can use the
Contextual Menus to find out more information about them. Device Risk View of Incidents
Viewing Devices Sorted By Risk:
1. Go to Incident tab
2. Set Group By to Host Risk Score.
675
FortiSIEM 4.9.0 User Guide
Fortinet Technologies Inc.
Monitoring Operations with FortiSIEM
Incidents - Flash version
3. Left pane shows Devices Sorted By Risk
4. Right pane shows incidents for the device selected in left panel
Calendar View of Incidents
The calendar view of incidents provides a summary view of the number of incidents that have occurred on a
calendar day, grouped by severity. Clicking a group loads a summary of those incidents.
This screenshot shows the calendar view of incidents for the month of February 2015.
Fishbone View of Incidents
The fishbone view of incidents presents a view of networks and devices in those networks, along with the
incidents triggered for those devices over the last 24 hours. This view is derived from the Network Segments in the
CMDB, with the devices associated with those segments overlaid. The numbers and colors for each device
indicate the number and severity of incidents associated with that device.
- Clicking on an incident number will show you a summary of those incidents. Clicking on Last Seen, First Seen,
Incident Name, or Incident Details in that summary will let you select Incident Details to view more
information. Clicking on any IP addresses associated with the device will open a contextual menu that will let you
find out more information about that device.
- Clicking on an IP number or hostname in the fishbone view will let you view the Quick Info for that device, or you
can select Topology to view it within the context of your network topology.
- Hovering your mouse cursor over a device or incident number will show you the IP address and host name for that
device, as well as the type of device.
This screenshot shows an example fishbone view of network segments, devices, and associated incidents.
Incident Notifications
The sending of notifications when an incident occurs is handled by Notification Policies, which you can see listed
in the Analytics > Incident Notification Policies page. Instead of having notifications set for each rule, you
can create a policy and have it apply to multiple rules.
When viewing the notification policies, think of the columns on the page as representing a series of "If ... and ...
then" statements that lead to the notification action. For example, you could read the table columns as a
sentence:
"IF Incident Severity is X1 AND Rule is X2 AND Time Range is X3 AND Affected Items includes X4
AND Affected Organizations is X5, THEN take the actions specified in the ACTION column."
When FortiSIEM evaluates whether a notification action should be triggered based on the notification conditions,
it evaluates all notification policies, and will trigger the actions of all policies that meet the condition, instead of
just the first policy that meets the conditions. This means that the order of policies in the list doesn't matter, and
that you can write policies with overlapping conditions that could also, for example, include different actions.
See also the topics under Incident Notification for more information about the methods that are available for
sending notifications from FortiSIEM, including the FortiSIEM API.
- Creating an Incident Notification Policy
- Sending Email and SMS Notifications for Incidents
- Setting Scripts as Notification Actions
- Viewing Incident Notification History
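The "all policies that match fire" semantics described above, as an added example that is not FortiSIEM's own code: three constructed policies with overlapping conditions (severity, rule, time range, affected IP range with a "Not" exclusion, organization) are evaluated against one incident, and the actions of every matching policy are collected regardless of list order. The policy and incident field names are assumptions made for this illustration, not FortiSIEM's internal format.

```python
"""Added example (not FortiSIEM's own code): notification policy matching.
Every policy whose conditions all hold contributes its actions, so overlapping
policies stack and the order of the policy list is irrelevant.  Field names
below are assumptions for this illustration, not FortiSIEM's internal format."""
import ipaddress

# Constructed sample policies.  None means "any"; times are "HH:MM" strings;
# affected_items / not_items are CIDR lists ("Not" = explicit exclusion).
POLICIES = [
    {
        "name": "High severity to on-call",
        "severity": {"HIGH"},
        "rules": None,
        "time_range": ("00:00", "23:59"),
        "affected_items": None,
        "not_items": [],
        "organizations": None,
        "actions": ["email:oncall@example.com"],
    },
    {
        "name": "Service down on prod subnet, business hours, run script",
        "severity": {"HIGH", "MEDIUM"},
        "rules": {"Auto Service Stopped"},
        "time_range": ("08:00", "18:00"),
        "affected_items": ["172.16.10.0/24"],
        "not_items": ["172.16.10.200/29"],   # hosts explicitly excluded
        "organizations": {"Super"},
        "actions": ["script:/tmp/restartWinService.py"],
    },
    {
        "name": "Lab network, tickets only",
        "severity": None,
        "rules": None,
        "time_range": ("00:00", "23:59"),
        "affected_items": ["10.0.0.0/8"],
        "not_items": [],
        "organizations": None,
        "actions": ["ticket"],
    },
]


def _in_ranges(ip, cidrs):
    """True if ip falls inside any of the CIDR strings."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def policy_matches(policy, incident):
    """The IF ... AND ... AND ... THEN reading of one row of the policy table:
    every configured condition must hold."""
    if policy["severity"] is not None and incident["severity_cat"] not in policy["severity"]:
        return False
    if policy["rules"] is not None and incident["rule_name"] not in policy["rules"]:
        return False
    start, end = policy["time_range"]          # "HH:MM" compares lexically
    if not (start <= incident["time"] <= end):
        return False
    if policy["affected_items"] is not None and not _in_ranges(incident["target_ip"], policy["affected_items"]):
        return False
    if _in_ranges(incident["target_ip"], policy["not_items"]):
        return False
    if policy["organizations"] is not None and incident["organization"] not in policy["organizations"]:
        return False
    return True


def actions_for(incident, policies=POLICIES):
    """Collect the actions of ALL matching policies, not just the first one."""
    actions = []
    for policy in policies:
        if policy_matches(policy, incident):
            actions.extend(policy["actions"])
    return actions


# Constructed incident, modelled on the Auto Service Stopped example later in this chapter.
SAMPLE_INCIDENT = {
    "severity_cat": "HIGH",
    "rule_name": "Auto Service Stopped",
    "time": "15:51",
    "target_ip": "172.16.10.15",
    "organization": "Super",
}

if __name__ == "__main__":
    print(actions_for(SAMPLE_INCIDENT))
    # Reversing the list changes nothing about which policies fire.
    print(actions_for(SAMPLE_INCIDENT, list(reversed(POLICIES))))
```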
Creating an Incident Notification Policy
Prerequisites
- Make sure you have enabled the settings for sending email or other notification actions as described in Setting Up
Routing Information for Reports and Incident Notifications.
- You should read the introductory topic on incident notifications to understand how policy conditions are processed.
Procedure
1. Log in to your Supervisor node.
2. Go to Analytics > Incident Notification Policy.
3. Click New.
4. Select the Incident Severity.
Only incidents matching the severity level you select will trigger a notification.
5. For Rules, click ... and select the rule or rules you want to trigger this notification.
6. Set a Time Range during which this notification will be in effect. Notifications will be sent only if an incident
occurs during the time range you set here.
7. For Affected Items, click ... and use the CMDB Browser to select the devices or applications for which this policy
should apply. Instead of individual devices or groups, you can apply the notification policy to an IP address or range by clicking
Add under IP/Range. You can also select a group, and then select the Not option to explicitly exclude that group
of applications or devices from the notification policy.
8. For Service Provider deployments, select the Organizations to which the notification policy should apply.
Notifications will be sent only if the triggering incidents affect the selected organization.
9. Select the Actions to take when the notification is triggered. See the topics under Sending Email and SMS
Notifications for Incidents, Creating Tickets, Creating Inbound Policies for Updating Ticket Status from External
Ticketing Systems, and Setting Scripts as Notification Actions for more information about notification actions.
10. Enter any Comments about the policy.
11. When you are finished creating the notification policy, select Enabled to make it active in your deployment.
12. Click Save.
Sending Email and SMS Notifications for Incidents
When you set actions for an incident notification, one option is to send an email or SMS message to groups or
individuals, and you also have an option to specify a template that should be used in the email.
- Prerequisites
- Procedure
- Related Links
Prerequisites
- Make sure the email gateway has been configured for your deployment.
- You should also have set up any email templates that you want to use for notifications.
Procedure
1. Log in to your Supervisor node.
2. Go to Analytics > Incident Notification Policy.
3. Select the policy that you want to set up the email or SMS notification for.
4. Under Actions, next to the email/sms notification table, click ... .
5. For multi-tenant deployments, select the Organization that contains the individuals or groups you want notified.
Under Folders, you will see the user groups for that organization listed.
6. In the Folders pane, select a group.
In the Items pane, you will see a list of users for that group.
7. Select a group and click Folder >> to add a group to the Notification Actions list, or select individual users and
click Items >>.
Adding Individual Email Addresses
If you want to set up notifications for individual email addresses without selecting from a user group,
click Add under Email Addr and enter the addresses separated by commas.
8. Under Notification Actions, select the Method, Email or SMS, that you want to use for sending the notification.
9. Select an Email Template if you are sending an email notification.
If you leave this blank, the default email template will be used.
10. Click Save.
Run On
The Run On column only applies if your notification action is to execute a script. For email and SMS
notification actions, it will be auto-populated with Super.
You can send incident notification emails for multiple incidents, as customer requirements dictate, by selecting
multiple incidents and clicking the Email button.
Related Links
- Setting Up the Email Gateway
- Setting Scripts as Notification Actions
Customizing Email Templates for Notifications
Email templates for incident notifications are based on incident variables that you put into the subject and body of
the template, which are then populated with the actual attribute values in the incident.
- Incident Attribute Variables
- Example Email Template
- Creating an Email Template
Incident Attribute Variables
These are the incident attribute variables you can use for your email template.
- $organization
- $status
- $hostName
- $incidentId
- $incidentTime
- $firstSeenTime
- $lastSeenTime
- $incident_severityCat
- $incident_severity
- $incident_incidentCount
- $ruleName
- $ruleDescription
- $incident_source
- $incident_target
- $incident_detail
- $affectedBizService
Example Email Template
This example first shows a template with the incident attribute variables, and then an email based on this
template with the variables populated from an incident.
Template
Email Subject:
$ruleName was triggered at $incidentTime
Email Body:
The host, $incident_target, was being scanned by $incident_source starting at $firstSeenTime and ending at
$lastSeenTime. There were $incident_incidentCount hits.
Please investigate and report as necessary.
Generated Email
Subject: Server Memory Warning was triggered at Jan 10 22:43 UTC
Body: The host, Host IP: 192.168.1.23 Host Name: QA-V-WIN03-ORCL, was being scanned by 10.1.1.1
starting at Jan 10 22:05 UTC and ending at Jan 10 22:11 UTC. There were 2 hits.
Please investigate and report as necessary.
Creating an Email Template
1. Log in to your Supervisor node.
2. Go to Admin > General Settings > Incident Email Templates.
3. Click Add.
4. For Service Provider deployments, select the organization for which you are creating the email template.
5. Enter a Name for the template.
6. Enter the Email Subject and Email Body.
You can select attribute variables from the Insert Content menu to enter into your template, rather than having to
type them out by hand.
7. Click OK.
Setting a Default Template
When you are creating a notification policy and need to select an email template, if you leave the option blank,
the default template will be used. To set an email template as default, select the template in the list on the
Incident Email Templates page, and then click Set as Default. For Service Provider deployments, to select a
template as default for an organization, first select the organization, then set the default email template for that
organization.
Setting Scripts as Notification Actions
One of the actions you can specify for an incident notification is to execute a script. For example, suppose you are
monitoring Windows services that are in Auto mode, and you have rules that will trigger an incident if one of those
services is stopped. The notification action for that incident can include the running of a script by FortiSIEM that
will re-start the service, as shown in the example scripts in this topic.
How Script Notification Actions are Processed
1. When a notification policy is triggered, the policy actions are handled in sequential order. That means, if there are
multiple script actions, the first one will be processed before the second.
2. When you specify the notification action as a script, you must provide the full path to the script in the notification
policy settings, for example /tmp/Myscript.py.
3. When the script action is processed,
a. the FortiSIEM notification module will first generate an incident XML file and put it in the same directory as
the script;
b. FortiSIEM will then call the script with the XML file name as an argument. The full incident XML file path
will be passed as the first command line parameter to the script, e.g. $1 for shell and sys.argv[1] for
Python.
4. You must write the script so it expects the incident XML file to be located in the same directory as the script, for
example /tmp if the script location is /tmp/Myscript.py. Use an absolute path to refer to the incident XML file.
5. When the script returns, the incident XML file that was created by FortiSIEM is deleted, so there is no confusion
with the next script action, which involves a new incident XML file and is processed only after the previous script
action is complete.
See Example of a Windows Restart Script as a Notification Action for an example of a notification script.
Setting a Script Notification Action
1. Log in to your Supervisor node.
2. Go to Analytics > Incident Notification Policy.
3. Select the notification policy where you want to add the script action.
4. Under Actions, next to the Methods table, click ... .
5. Under Run Script, click Add.
6. For Script Name, enter the name of the script and the absolute directory path to it.
7. Click OK.
The script will be added to the Notification Actions.
Selecting the Collector Where the Script Will Run
If your deployment includes Collectors, you can specify the Collector where the script will run.
1. Prepare the script on the Collector(s) and make sure it runs properly.
2. When an incident triggers, the Collector downloads the incident XML from the Supervisor and runs the script with
the incident XML as its argument.
3. The Collector then returns the results to the Supervisor.
In the Notification Actions table, select the Collector from the list in the Run On menu after you have added
the script to the notification actions.
Example of a Windows Restart Script as a Notification Action
This topic provides an example of a script that could be used as a notification action, following the example of
restarting a Windows service that has stopped and triggered an incident as described in Setting Scripts as
Notification Actions.
This example requires two scripts: one located on the Windows server that hosts the service, and a script on the
FortiSIEM Supervisor host machine that will be triggered by the incident notification and will execute the
Windows server script.
Windows Script
1. Create a script named installWinexeSvc.bat for starting the remote winexe provider service.
sc create AoWinexeSvc binPath= C:\WINDOWS\WINEXESVC.EXE start= auto DisplayName= AoWinexeSvc
sc description AoWinexeSvc "Remote command provider for FortiSIEM monitoring"
sc start AoWinexeSvc
2. Run installWinexeSvc.bat on the monitored Windows server and make sure that the AoWinexeSvc
service starts.
C:\>installWinexeSvc.bat
You should see an output similar to this as Windows installs the service and verifies that it is running.
C:\>sc create AoWinexeSvc binPath= C:\WINDOWS\WINEXESVC.EXE start= auto DisplayName= AoWinexeSvc
[SC] CreateService SUCCESS
C:\>sc description AoWinexeSvc "Remote command provider for FortiSIEM monitoring"
[SC] ChangeServiceConfig2 SUCCESS
C:\>sc start AoWinexeSvc
SERVICE_NAME: AoWinexeSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 1580
        FLAGS              :
FortiSIEM Script
This script, restartWinService.py, reads the incident XML file, parses out the target IP and stopped
service, and issues a winexe command to restart the service.
#!/usr/bin/python
import os
import re
import subprocess
import sys
import time
import xml.dom.minidom

# FortiSIEM passes the absolute path of the incident XML file as the first argument.
if len(sys.argv) != 2:
    print("Usage: restartWinService.py incident.xml")
    sys.exit(1)

fileName = sys.argv[1]
print("parsing incident xml file : ", fileName)
# /incident/incidentTarget/entry[@attribute='hostIpAddr']
doc = xml.dom.minidom.parse(fileName)

# parse target IP
targetIP = ""
nodes = doc.getElementsByTagName('incidentTarget')
if nodes.length < 1:
    print("no incident Target found!")
else:
    targetNode = nodes[0]
    for node in targetNode.childNodes:
        if node.nodeType == node.ELEMENT_NODE:
            if node.getAttribute("attribute") == "hostIpAddr":
                targetIP = node.firstChild.data
if targetIP == "":
    print("no incident target found!")
    sys.exit(1)
# trim IP, e.g. 10.1.20.189(SH-Quidway-SW1)
targetIP = re.sub(r'\(.+\)', "", targetIP)
print("restart service for target IP: ", targetIP)

# parse service name
targetService = ""
nodes = doc.getElementsByTagName('incidentDetails')
if nodes.length < 1:
    print("no incidentDetails found!")
else:
    detailNode = nodes[0]
    for node in detailNode.childNodes:
        if node.nodeType == node.ELEMENT_NODE:
            if node.getAttribute("attribute") == "serviceName":
                targetService = node.firstChild.data
if targetService == "":
    print("no serviceName found in incidentDetails!")
    sys.exit(1)

################################################################################
# NOTE: You need to replace the user and password with an account on your
# Windows server that has permissions to run this Windows command.
################################################################################
winUser = "Administrator"
winPassword = "ProspectHills!"

def winexe(command):
    # Argument list, no shell: the service name taken from the XML is passed
    # to winexe as-is and is never interpreted by the local shell.
    return subprocess.call(["winexe", "--user", winUser, "--password", winPassword,
                            "//" + targetIP, command])

# stop the service
ret = winexe('sc stop "' + targetService + '"')
print("stop service with return code ,", ret)
print("waiting service stop")
time.sleep(10)

# start the service
startCmd = 'sc start "' + targetService + '"'
print("start command: ", startCmd)
ret = winexe(startCmd)
print("start service with return code ,", ret)
Incident XML File Format
This topic includes an example of the XML file that is generated for incidents, and descriptions of its contents.
- Example Incident XML File
- XML Tag and Attribute Definitions
Example Incident XML File
<?xml version="1.0" encoding="UTF-8" ?>
<incident incidentId="5672" ruleType="PH_RULE_AUTO_SRVC_DOWN" severity="10" repeatCount="1" organization="Super" status="Cleared">
  <name>Auto Service Stopped</name>
  <description>Detects that an automatically running service stopped. Currently this works for windows servers and is detected via WMI.</description>
  <displayTime>Fri Jun 29 15:51:10 PDT 2012</displayTime>
  <incidentSource> </incidentSource>
  <incidentTarget>
    <entry attribute="hostIpAddr" name="Host IP">172.16.10.15</entry>
    <entry attribute="hostName" name="Host Name">QA-V-WIN03-ADS</entry>
  </incidentTarget>
  <incidentDetails>
    <entry attribute="serviceName" name="OS Service Name">Spooler</entry>
    <entry attribute="servicePath" name="OS Service Path">C:\WINDOWS\system32\spoolsv.exe</entry>
  </incidentDetails>
  <affectedBizSrvc>Auth Service</affectedBizSrvc>
  <identityLocation> </identityLocation>
  <rawEvents>
[SrvcDown]
[PH_DEV_MON_AUTO_SVC_START_TO_STOP]:[eventSeverity]=PHL_INFO,[fileName]]=phPerfJob.cpp,[lineNumber]=6005,[hostName]=QA-V-WIN03-ADS,[hostIpAddr]=172.16.10.15,[serviceName]=Spooler,[servicePath]=C:\WINDOWS\system32\spoolsv.exe,[serviceDesc]=Manages all local and network print queues and controls all printing jobs. If this service is stopped, printing on the local machine will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.,[phLogDetail]=
  </rawEvents>
</incident>
XML Tag and Attribute Definitions
<incident>
  Attributes:
    incidentId: Unique id of the incident in FortiSIEM. You can search for the incident by using this ID.
    ruleType: Unique id of the rule in FortiSIEM.
    severity: The severity of the incident: HIGH, MEDIUM, or LOW.
    repeatCount: How many times this incident has occurred.
    organization: In Service Provider deployments, the organization affected by the incident.
    status: The status of the incident.
<name>: The name of the rule that triggered the incident.
<description>: The description of the rule that triggered the incident.
<displayTime>: The time when the incident occurred.
<incidentSource>: The source of the incident. It includes the event attributes associated with the source presented
as name:value pairs. Common attributes for source and target here are srcIpAddr, destIpAddr, hostIpAddr.
<incidentTarget>: Where the incident occurred, or the target of an IPS alert. It includes the event attributes
associated with the target presented as name:value pairs. Common attributes for source and target here are
srcIpAddr, destIpAddr, hostIpAddr.
<incidentDetails>: The event attributes associated with the rule definition that triggered the incident.
<affectedBizSrvc>: Any business services impacted by the event.
<identityLocation>: Information associated with the Identity and Location Report.
<rawEvents>: The contents of the raw event log for the incident.
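A parser for the incident XML file described above, as an added example that is not FortiSIEM's own code. It also serves the Customizing Email Templates topic: it splits the [key]=value raw event line into a dictionary and renders this chapter's sample template variables ($ruleName, $incidentTime, $incident_target, ...) from the parsed incident. The sample XML is constructed from the Auto Service Stopped example, and the exact mapping from XML content to template variables is an assumption made for this illustration.

```python
"""Added example (not FortiSIEM's own code): parse the incident XML handed to a
script action, split the '[key]=value' raw event line, and fill the chapter's
email template variables.  The XML-to-$variable mapping is an assumption."""
import string
import sys
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the Auto Service Stopped incident above.
SAMPLE_XML = """<incident incidentId="5672" ruleType="PH_RULE_AUTO_SRVC_DOWN"
    severity="10" repeatCount="1" organization="Super" status="Cleared">
  <name>Auto Service Stopped</name>
  <displayTime>Fri Jun 29 15:51:10 PDT 2012</displayTime>
  <incidentSource> </incidentSource>
  <incidentTarget>
    <entry attribute="hostIpAddr" name="Host IP">172.16.10.15</entry>
    <entry attribute="hostName" name="Host Name">QA-V-WIN03-ADS</entry>
  </incidentTarget>
  <incidentDetails>
    <entry attribute="serviceName" name="OS Service Name">Spooler</entry>
  </incidentDetails>
  <affectedBizSrvc>Auth Service</affectedBizSrvc>
  <rawEvents>
[SrvcDown]
[PH_DEV_MON_AUTO_SVC_START_TO_STOP]:[eventSeverity]=PHL_INFO,[hostName]=QA-V-WIN03-ADS,[hostIpAddr]=172.16.10.15,[serviceName]=Spooler,[serviceDesc]=Manages print queues. If stopped, printing fails.,[phLogDetail]=
  </rawEvents>
</incident>"""


def entries(section):
    """{attribute: (display name, value)} for the <entry> children of an
    incidentSource / incidentTarget / incidentDetails element; {} if absent."""
    if section is None:
        return {}
    return {e.get("attribute"): (e.get("name"), (e.text or "").strip())
            for e in section.findall("entry")}


def parse_raw_event(line):
    """Split '[EVENT_TYPE]:[key]=value,[key]=value,...' into (type, dict).
    Values may contain commas (see serviceDesc), so split on ',[' not ','."""
    head, _, body = line.partition(":")
    fields = {}
    for part in body.split(",["):
        key, sep, value = part.lstrip("[").partition("]=")
        if sep:
            fields[key] = value
    return head.strip("[]"), fields


def parse_incident(xml_text):
    root = ET.fromstring(xml_text)
    raw = root.findtext("rawEvents") or ""
    return {
        "incidentId": root.get("incidentId"),
        "severity": int(root.get("severity", "0")),
        "status": root.get("status"),
        "name": root.findtext("name"),
        "displayTime": root.findtext("displayTime"),
        "source": entries(root.find("incidentSource")),
        "target": entries(root.find("incidentTarget")),
        "details": entries(root.find("incidentDetails")),
        "bizService": root.findtext("affectedBizSrvc"),
        # only '[type]:[k]=v,...' lines are events; '[SrvcDown]' is a label
        "events": [parse_raw_event(l) for l in raw.splitlines() if "]:[" in l],
    }


def render_section(section):
    """'Host IP: 172.16.10.15 Host Name: QA-V-WIN03-ADS', the shape the generated
    email in this chapter shows for $incident_target (assumed mapping)."""
    return " ".join("%s: %s" % (name, value) for name, value in section.values())


def render_template(template, inc):
    """Fill the template variables; any $name we do not know is left untouched."""
    return string.Template(template).safe_substitute(
        ruleName=inc["name"], incidentTime=inc["displayTime"],
        incidentId=inc["incidentId"], incident_severity=inc["severity"],
        status=inc["status"], affectedBizService=inc["bizService"],
        incident_source=render_section(inc["source"]),
        incident_target=render_section(inc["target"]),
        incident_detail=render_section(inc["details"]))


if __name__ == "__main__":
    # FortiSIEM passes the absolute XML path as sys.argv[1]; without one, use the sample.
    if len(sys.argv) == 2:
        with open(sys.argv[1]) as f:
            inc = parse_incident(f.read())
    else:
        inc = parse_incident(SAMPLE_XML)
    print(render_template("$ruleName was triggered at $incidentTime", inc))
    print(render_template("The host, $incident_target, reported: $incident_detail", inc))
```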
Viewing Incident Notification History
There are two ways you can view the notification history for an incident.
1. In the Incident Notification Status column of the Incident Dashboard.
2. Click on an incident in the Incident Name column of the Incident Dashboard, and then select View Notification
History from the Options menu.
Creating Tickets In FortiSIEM In-built Ticketing System
FortiSIEM includes a feature that will let you create and assign tickets for IT infrastructure tasks, and create
tickets directly from incidents. You can see all tickets that have been created by going to Incidents > Tickets, and
then use the filter controls to view tickets by assignee, organization, priority, and other attributes. You can also
configure FortiSIEM and your Remedy system so that Remedy will take tickets created by incident notification
actions.
- Configuring Remedy to Accept Tickets from FortiSIEM Incident Notifications
- Ticket Related Operations
Configuring Remedy to Accept Tickets from FortiSIEM Incident Notifications
This topic describes how to configure Remedy to accept tickets as notification actions from FortiSIEM.
Prerequisites
- Make sure you have configured the Remedy server settings in FortiSIEM.
Procedure
1. In Remedy, create a new form, FortiSIEM_Incident_Interface, with the incident attributes listed in the table at
the end of this topic as the form fields.
2. When you have defined the fields in the form, right-click on the field and select the Data Type that corresponds to
the incident attribute.
3. After setting the form field data type, click in the form field again to set the Label for the field.
4. When you are done creating the form, go to Servers > localhost > Web Service in Remedy, and select New
Web Service.
5. For Base Form, enter FortiSIEM_Incident_Interface.
6. Click the WSDL tab.
7. For the WSDL Handler URL, enter http://<midtier_server>/arsys/WSDL/public/<servername>/FortiSIEM_Incident_Interface.
8. Click the Permissions tab and select Public.
9. Click Save.
You can test the configuration by opening a browser window and entering the WSDL handler URL from step 7,
substituting the Remedy Server IP address for <midtier_server> and localhost for <servername>. If
you see an XML page, your configuration was successful.
Incident Attributes for Defining Remedy Forms
Each entry lists the incident attribute, its data type, and its description.
biz_service (text): Name of the business services affected by this incident
cleared_events (text)
cleared_reason (text): The reason for clearing the incident, if it was cleared
cleared_time (bigint): The time at which the incident was cleared
cleared_user (character varying (255)): The user who cleared the incident
comments (text): Comments
cust_org_id (bigint): The organization id to which the incident belongs
first_seen_time (bigint): Time when the incident occurred for the first time
last_seen_time (bigint): Time when the incident occurred for the last time
incident_count (integer): Number of times the incident triggered between the first and last seen times
incident_detail (text): Incident Detail attributes that are not included in incident_src and incident_target
incident_et (text): Incident Event type
incident_id (bigint): Incident Id
incident_src (text): Incident Source
incident_status (integer): Incident Status
incident_target (text): Incident Target
notif_recipients (text): Incident Notification recipients
notification_action_status (text)
orig_device_ip (text)
ph_incident_category (character varying (255)): FortiSIEM defined category to which the incident belongs:
Network, Application, Server, Storage, Environmental, Virtualization, Internal, Other
rule_id (bigint): Rule id
severity (integer): Incident Severity, 0 (lowest) to 10 (highest)
severity_cat (character varying (255)): LOW (0-4), MEDIUM (5-8), HIGH (9-10)
ticket_id (character varying (2048)): Id of the ticket created in FortiSIEM
ticket_status (integer): Status of the ticket created in FortiSIEM
ticket_user (character varying (1024)): Name of the user to whom the ticket is assigned in FortiSIEM
view_status (integer)
view_users (text)
Ticket Related Operations
Creating a ticket without an Incident
1. Go to Incidents > Tickets.
2. Click New.
3. Enter a Summary and Description for the ticket. Both of these fields are required.
4. For Assigned To, select a user from the menu.
5. Set any Due Date for the ticket.
6. Select a Priority for the ticket.
7. Click Save.
Creating a ticket from an Incident
1. In the Incident Dashboard, select the incident you want to create a ticket for.
2. Click Ticket.
The Incident ID, Summary and Description for the ticket will be populated from the incident information.
3. Select the person you want to assign the ticket to.
4. Enter a Due Date for the ticket.
5. Set a Priority for the ticket.
6. Click Save.
Closing a ticket
1. Go to Incidents > Tickets.
2. Select a ticket
3. Click Edit
4. For State drop down, select Closed
5. Click Save.
Changing the assignee in a ticket
1. Go to Incidents > Tickets.
2. Select a ticket
3. Click Edit
4. For Assigned drop down, select the new Assignee
5. Click Save.
Changing the due date in a ticket
1. Go to Incidents > Tickets.
2. Select a ticket
3. Click Edit
4. For Due Date edit box, select the date and then the time
5. Click Save.
Adding notes to a ticket
1. Go to Incidents > Tickets.
2. Select a ticket
3. Click Edit
4. Add to Description
5. Click Save
Adding attachments to a ticket
1. Go to Incidents > Tickets.
2. Select a ticket
3. Click Edit
4. Click PDF or PNG under Attach file
5. Include the file and Click Upload.
6. Click Save
Exporting a ticket
1. Go to Incidents > Tickets.
2. Select a ticket
3. Click Export
Viewing Ticket History
1. Go to Incidents > Tickets.
2. Select a ticket
3. Click Edit
4. See Action History on bottom right pane
Searching tickets
This can be done in two ways:
- Type in key words in the Search box. The Summary column will be searched.
Creating Tickets in External Ticketing System
See External Helpdesk System Integration.
Using Incidents in Searches and Rules
- Creating an Historical Search from an Incident
- Creating a Real Time Search from an Incident
- Editing Rules from Incidents
Creating an Historical Search from an Incident
When you are viewing an incident, you may want to know about other events related to the source or target of the
incident. This topic describes how to create an historical search from an incident.
1. In the Incident Dashboard, select the incident you want to use.
2. Select the Incident Source or Incident Target you want to use, and then select Show Related Historical
Events.
The Historical Search interface will load, with the IP address of the selected incident attribute loaded in the Filter
By conditions, and the Display Fields set to the incident attributes.
3. Click Run.
4. You will see a list of events for the Incident Source or Target, which you can further analyze as described
in Refining the Results from Historical Search.
Creating a Real Time Search from an Incident
When you are viewing an incident, you may want to know about other events related to the source or target of the
incident. This topic describes how to create a real time search from an incident.
1. In the Incident Dashboard, select the incident you want to use.
2. Select the Incident Source or Incident Target you want to use, and then select Show Related Real Time
Events.
The real time search interface will load, with the IP address of the selected incident attribute loaded in the Filter
By conditions, and the Display Fields set to the incident attributes.
3. Click Run.
4. You will see a list of events for the Incident Source or Target, which you can further analyze as described
in Viewing and Refining Real Time Search Results.
Editing Rules from Incidents
If you need to edit the rule associated with an incident, you can do so directly from the Incident Dashboard.
1. In the Incident Dashboard, select an incident based on the rule you want to edit.
2. Click in any column of the selected incident to open the Options menu, and then select Edit Rule.
3. Edit the rule as necessary, and then click Save.
Incidents - HTML5 version
The Incidents tab allows users to view and manage incidents.
Incident Attributes
This topic describes all the columns that can be used to create views in the Incident Dashboard. You can add or
remove columns from the dashboard by clicking the Columns icon.
Column Name: Description
Severity: The severity of the incident, High, Medium, or Low
Last Occurred: The last time that the incident was triggered
First Occurred: The first time that the incident was triggered
Incident: The name of the rule that triggered the incident
Incident ID: The unique ID assigned to the incident
Source: The source IP or host name that triggered the incident
Target: The IP or host name where the incident occurred
Detail: Event attributes that triggered the incident
Status: The status of the incident, Active, Cleared, Cleared Manually, System Cleared
Cleared Reason: For manually cleared incidents, this displays the reason the incident was cleared
Cleared Time: The time an incident was cleared
Cleared User: The person who cleared the incident
Comments: Any comments that users have entered for the incident
Ticket Status: Status of any tickets associated with the incident
Ticket ID: The ID number of any tickets generated by the incident
Ticket User: The person assigned to any tickets generated by the event
External User: If the ticket was cleared in an external ticket-handling system, this lists the name of the person the ticket was assigned to
External Cleared Time: If the ticket was cleared in an external ticket-handling system, this lists the time it was cleared
External Resolved Time: If the ticket was resolved in an external ticket-handling system, this lists the time it was resolved
External Ticket ID: The ID of the incident in an external ticket-handling system
External Ticket State: The state of the incident ticket in an external ticket-handling system
External Ticket Type: The type assigned to the incident ticket in an external ticket-handling system
Organization: The organization reporting the event
Impacts: Organizations impacted by the event
Business Service: Business services impacted by the incident
Incident Notification Status: Status of any notifications that were sent because of the incident
Notification Recipients: Who received notification of the incident
Incident Count: How many times the incident has occurred during the selected time interval
Viewing Incidents
- Device Risk View of all incidents
- Viewing incident details
- Grouped View of all incidents
Device Risk View of all incidents
This is the default view when the user clicks the Incident tab. It shows a list of devices that triggered incidents. Devices are ranked by a risk score that is computed by combining asset criticality, triggered incidents and found security vulnerabilities (see Device Risk Score Computation for details).
To see the incidents for a device, click that device. The incidents show up in a time line view.
- Active Incidents over the last 2 hours are displayed.
- The following incident attributes are shown:
  - Severity - High, Medium, Low - shown by colored icons
  - Last Occurred - the last time the Incident happened
  - Reporting Device Name - names of devices that reported the events that led to the incident
  - Incident - rule name
  - Source - incident source
  - Target - incident target
  - Detail - incident parameters other than source and target
  - Count - number of times the same incident has triggered
To show incidents over a different time interval:
1. Click the Time Range button. A search window appears.
2. To choose a relative time window:
   - Choose Time Range Operator as LAST.
   - Specify the number of Minutes/Hours/Days/Weeks.
   - Click the Check button.
   - The Incident page will automatically refresh to show all the incidents over the time window.
3. To choose an absolute time window:
   - Choose Time Range Operator as FROM.
   - Specify the starting and end times.
   - Click the Check button.
   - The Incident page will automatically refresh to show all the incidents over the time window.
An incident can be in any of the following states:
- Active
- Cleared
- Cleared Manually
- System Cleared
By default only Active Incidents are shown. To show Incidents in other states:
1. Click the Incident Status button. A search window appears.
2. To add a new value, click on the white space next to the selected value. A menu appears. Select the needed values one by one.
3. Click the Check button. The Incident page will automatically refresh to show all the incidents in the selected state(s).
To select a different set of Incident attributes:
1. Click the Choose columns icon.
2. In the popup, select the columns you want to display by moving them to the right. You can re-order the position of the columns.
3. Click OK.
To force a refresh of the incident view, click the Refresh icon.
Incidents may be displayed over multiple pages. To see incidents on a different page:
1. Select the Page Selector icon.
2. Either enter the page number or click on the Next or Previous icon to go to the right page.
To view incidents for a different organization (Service Provider version):
1. Click the User icon on top right.
2. Choose the right organization.
3. Click Change View.
Viewing incident details
In the default view, an incident is shown in a single line. To see the details of the incident:
- Click anywhere on the incident line.
- Basic incident attributes are shown immediately below the incident.
- More advanced incident attributes are shown in a bottom pane.
To revert to the single line incident view, click anywhere on the incident line. Detailed views will disappear.
To view the rule that triggered the incident:
- Click anywhere on the incident line in the single line incident view.
- In the bottom pane, click the Rule tab. Rule details are displayed.
To view the events that triggered the incident:
- Click anywhere on the incident line in the single line incident view.
- In the bottom pane, click the Events tab. Basic Event attributes are displayed in a single line.
- To see the raw events, click on the Basic Event line. Raw events are displayed.
Grouped View of all incidents
Sometimes a user may need a grouped view of incidents to get an overview of which incidents have triggered and which devices are involved. The following grouped views are provided:
- Severity - Ranks Incident Severities By Count
- Name - Ranks the Incidents By Count
- Name, Target - Ranks Incident Name and Incident Target By Count
- Name, Source - Ranks Incident Name and Incident Source By Count
- Name, Source, Target - Ranks Incident Name, Incident Source and Incident Target By Count
- Name, Source, Target, Business Service - Ranks Incident Name, Incident Source, Incident Target and Business Services By Count
- Name, Source, Target, Business Service, Organizations - Ranks Incident Name, Incident Source, Incident Target, Business Services and Organizations By Count
To get a grouped view:
- Choose the desired view from the Group By drop down.
Grouped view works with Search
Grouped view works with Search filters. In other words, Grouped view includes the incidents where the search conditions are satisfied. To get to an un-grouped view from the grouped view:
- Choose None in the Group By selector.
Searching Incidents
- Searchable Incident Attributes
- Constructing Search Condition
Searchable Incident Attributes
Incident Attribute: Description
Time Range: In
ID: Incident ID
IP: Incident Source IP or Incident Target IP
Host: Host name associated with Incident Source IP or Incident Target IP
User: User field specified in Incident Target or Incident Details
Severity: Incident Severity category - High, Medium or Low
Function: Security, Availability, Performance or Change. This is a property of an Incident.
Incident Status: Possible values are Active, Cleared, Cleared Manually, System Cleared
Ticket Status: Possible values are New, Open, Closed, External, Reopened, None. External means opened in an external system.
Incident: Rule name
Biz Service: Business Service name
Organization: Organization name
Constructing Search Condition
To construct a Search condition from a displayed Incident:
- Mouse over the cell containing the specific Incident attribute.
- Right click and choose Add to filter.
- The condition will be added to the existing search string.
- Matching incidents will be displayed.
To construct a Search condition from scratch:
- Click on the Add filter edit area. Three fields are displayed:
  - Incident Attribute
  - Operator
  - Value
- Select one of the Incident Attributes from the drop down.
- Select an Operator from =, !=, IN, NOT IN, CONTAINS, NOT CONTAINS.
- Select one or more Values from the displayed choices.
- Click the Check button.
- Matching incidents will be displayed.
Managing Incidents
- Adding Comments
- Clearing Incidents
- Exporting Incidents to a PDF document
Adding Comments
1. Click on an Incident in the un-grouped view.
2. From the Actions drop down, select Add Comments.
3. Write the comment and click OK.
Clearing Incidents
1. Click on an Incident in the un-grouped view.
2. If you have more incidents to clear, then press Shift and click on the second incident. This will select all incidents between the first one and this one. To get this approach to work effectively:
   - Create a filter to get all the incidents to be cleared in view.
   - Select the first incident.
   - Press Shift and click on the last incident - all incidents are now selected.
3. From the Actions drop down, select Clear.
4. Click OK.
Exporting Incidents to a PDF document
1. Click on an Incident in the un-grouped view.
2. If you have more incidents to export, then press Shift and click on the second incident. This will select all incidents between the first one and this one. To get this approach to work effectively:
   - Create a filter to get all the incidents to be exported in view.
   - Select the first incident.
   - Press Shift and click on the last incident - all incidents are now selected.
3. From the Actions drop down, select Export.
4. Click OK.
Device Risk Score Computation
Risk computation algorithms are proprietary and this section presents only the knobs that the user is able to tweak to change the score.
Risk score components
The following factors affect the risk score of a device:
1. Device Importance (also called Asset Weight)
2. Count and CVSS Score for non-remediated vulnerabilities found for that device
3. Severity and Frequency of Security incidents triggering with that device as source or destination
4. Severity and Frequency of Other (performance, availability and change) incidents triggering on that device
Overall Score (0-100) is a weighted average of 3 components - Vulnerability Score, Security Incident Score and Other Incident Score, computed as follows:
Overall Risk = vul_weight * Vulnerability Score + security_inci_weight * Security Incident Score + other_inci_weight * Other Incident Score
User controllable constants
1. Device Importance - this can be set in CMDB > Device > Summary. You can select multiple devices and set the Importance in one shot. Values are:
   a. Mission Critical - 10
   b. Critical - 7
   c. Important - 4
   d. Normal - 1
2. Relative weights of Vulnerabilities, Security and Other incidents to the risk score. The default values of the constants are defined in phoenix_config.txt:
   a. vul_weight = 0.6
   b. security_inci_weight = 0.3
   c. other_inci_weight = 0.1
3. Maximum number of high-severity events that a mission-critical host can tolerate for each of the 3 score components. These default thresholds are defined in phoenix_config.txt:
   a. vul_threshold = 1
   b. security_inci_threshold = 3
   c. other_inci_threshold = 6
Time varying Risk score
Risk scores are computed for each day. The current risk score is an exponentially weighted average of today's risk and yesterday's risk.
The algorithm also reduces the score for earlier vulnerabilities that are now patched. Such vulnerabilities have a weight of 0.7, while new vulnerabilities and old but still existing vulnerabilities have weight 1.
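The following Python snippet is an added illustration of how the knobs above combine; it is not FortiSIEM's proprietary risk algorithm and is not part of the guide. It takes the three component scores (each on the 0-100 scale) as given inputs, assumes a plain key = value line format for the phoenix_config.txt entries, and assumes a smoothing factor ALPHA for the day-over-day exponentially weighted average, which the guide does not state. The default weights, thresholds and the 0.7 weight for patched vulnerabilities are the values listed above. The weight-sum check is the one thing worth running before changing the weights in a real deployment: three weights that do not add up to 1 silently shift the whole 0-100 scale.

```python
"""Added illustration (not FortiSIEM code) of how the user-controllable risk
knobs combine: weighted sum of three component scores, a config sanity check,
the reduced weight for patched vulnerabilities, and an exponentially weighted
day-over-day average with an assumed smoothing factor."""

import re

# Constructed snippet in the assumed 'key = value' format of phoenix_config.txt.
CONFIG_SNIPPET = """
vul_weight = 0.6
security_inci_weight = 0.3
other_inci_weight = 0.1
vul_threshold = 1
security_inci_threshold = 3
other_inci_threshold = 6
"""

# Assumed smoothing factor: share of today's score in the running average.
ALPHA = 0.5

# Weight of a vulnerability that has since been patched; open ones weigh 1.
PATCHED_VULN_WEIGHT = 0.7

WEIGHT_KEYS = ("vul_weight", "security_inci_weight", "other_inci_weight")


def parse_config(text):
    """Parse 'key = value' lines and check that the three weights sum to 1."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*([0-9.]+)\s*$", line)
        if m:
            cfg[m.group(1)] = float(m.group(2))
    missing = [k for k in WEIGHT_KEYS if k not in cfg]
    if missing:
        raise ValueError(f"missing weights: {missing}")
    total = sum(cfg[k] for k in WEIGHT_KEYS)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"risk weights must sum to 1, got {total}")
    return cfg


def overall_risk(cfg, vul_score, security_inci_score, other_inci_score):
    """Overall Risk = vul_weight * Vulnerability Score
                    + security_inci_weight * Security Incident Score
                    + other_inci_weight * Other Incident Score, clamped to 0-100."""
    score = (cfg["vul_weight"] * vul_score
             + cfg["security_inci_weight"] * security_inci_score
             + cfg["other_inci_weight"] * other_inci_score)
    return max(0.0, min(100.0, score))


def weighted_vuln_count(vulns):
    """Sum vulnerability weights: 1 for open findings, 0.7 for patched ones.

    vulns is a list of (vulnerability_id, patched) pairs."""
    return sum(PATCHED_VULN_WEIGHT if patched else 1.0 for _, patched in vulns)


def smoothed_risk(daily_scores, alpha=ALPHA):
    """Exponentially weighted average over consecutive daily risk scores: each
    day's current score mixes today's score with yesterday's current score."""
    current = None
    for today in daily_scores:
        current = today if current is None else alpha * today + (1 - alpha) * current
    return current


if __name__ == "__main__":
    cfg = parse_config(CONFIG_SNIPPET)
    print("overall:", overall_risk(cfg, 50, 80, 20))
    print("vuln weight:", weighted_vuln_count([("v1", False), ("v2", True)]))
    print("smoothed:", smoothed_risk([40, 60, 100]))
```

With the default weights, component scores of 50 (vulnerability), 80 (security incidents) and 20 (other incidents) give an overall risk of 56; the thresholds are parsed but, as the guide does not state how they enter the component scores, they are not applied here.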
Miscellaneous Operations
- Exporting Events to Files
- Dynamic Population of Location, User, and Geolocation Information for Events
- Monitoring Custom Applications
- The IPS Vulnerability Map
Exporting Events to Files
You can run the phExportEvent tool from a Supervisor or Worker node to export events to CSV files. The file will contain these fields:
- Customer Id (applicable to SP license)
- Reporting Device IP
- Reporting Device Name
- Event Received Time
- Raw Message
This code block shows the commands that you can use with phExportEvent, followed by a table that describes them in more detail.
    phExportEvent {--dest DESTINATION_DIR} {--starttime START_TIME | --relstarttime RELATIVE_START_TIME} {--endtime END_TIME | --relendtime RELATIVE_END_TIME} [--dev DEVICE_NAME] [--org ORGANIZATION_NAME] [-t TIME_ZONE]
phExportEvent Command: Description
DESTINATION_DIR: Destination directory where the exported event files are saved.
START_TIME: Starting time of events to be exported. The format is YYYY-MM-DD HH:MM:SS {+|-}TZ. If TZ is not given, the local time zone of the machine where the script is running will be used. Example: 2010-03-10 23:00:00 -8 means Pacific Standard Time, 23:00:00 03/10/2010. 2010-07-29 10:20:00 +5:30 means India Standard Time 10:20:00 07/29/2010.
RELATIVE_START_TIME: Must be used together with END_TIME. Starting time of events to be exported, relative backward to the end time as specified using --endtime END_TIME. The format is {NUM}{d|h|m}, where NUM is the number of days or hours or minutes. For example, --relstarttime 5d means the starting time is 5 days prior to the ending time.
END_TIME: Ending time of events to be exported. The format is the same as START_TIME.
RELATIVE_END_TIME: Must be used together with START_TIME. Ending time of events to be exported, relative forward to the start time as specified using START_TIME. The format is the same as RELATIVE_START_TIME.
DEVICE_NAME: Host name or IP address of the device with the events to be exported. Use a comma-separated list to specify multiple IPs or host names, for example, --dev 10.1.1.1,10.10.10.1,router1,router2. Host name is case insensitive.
ORGANIZATION_NAME: Used only for Service Provider deployments. The name of the organization with the events to be exported. To specify multiple organizations, enter --org once for each organization, for example, --org "Public Bank" --org "Private Bank". The organization name is case insensitive.
TIME_ZONE: Specifies the time zone used to format the event received time in the exported event files. The format is {+|-}TZ, for example, -8 means Pacific Standard Time, +5:30 means India Standard Time.
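The wrapper below is an added example, not part of the phExportEvent tool or of this guide. It assembles a phExportEvent command line from the option rules in the table above and rejects an invalid combination (two relative times, a missing start or end, a malformed time or time zone) before anything runs, which is what you want in a scheduled export job where a bad invocation would otherwise fail unnoticed. The option names and value formats are those documented above; the function, its checks, the sample directory and the sample values are this example's own assumptions.

```python
"""Added example (not FortiSIEM code): build and validate a phExportEvent
command line from the documented option rules."""

import re
import shlex

# YYYY-MM-DD HH:MM:SS, optionally followed by a {+|-}TZ offset such as -8 or +5:30
ABS_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}( [+-]\d{1,2}(:\d{2})?)?$")
# {NUM}{d|h|m}
REL_TIME_RE = re.compile(r"^\d+[dhm]$")
# {+|-}TZ
TZ_RE = re.compile(r"^[+-]\d{1,2}(:\d{2})?$")


def build_phexportevent_cmd(dest, starttime=None, relstarttime=None,
                            endtime=None, relendtime=None,
                            devices=(), orgs=(), tz=None):
    """Return the argv list for phExportEvent, or raise ValueError."""
    if not dest:
        raise ValueError("--dest DESTINATION_DIR is required")
    if (starttime is None) == (relstarttime is None):
        raise ValueError("give exactly one of --starttime / --relstarttime")
    if (endtime is None) == (relendtime is None):
        raise ValueError("give exactly one of --endtime / --relendtime")
    # A relative start is measured backward from an absolute END_TIME and a
    # relative end forward from an absolute START_TIME, so both ends cannot
    # be relative at once.
    if relstarttime is not None and relendtime is not None:
        raise ValueError("--relstarttime needs --endtime; --relendtime needs --starttime")
    for label, value, pattern in (("--starttime", starttime, ABS_TIME_RE),
                                  ("--endtime", endtime, ABS_TIME_RE),
                                  ("--relstarttime", relstarttime, REL_TIME_RE),
                                  ("--relendtime", relendtime, REL_TIME_RE),
                                  ("-t", tz, TZ_RE)):
        if value is not None and not pattern.match(value):
            raise ValueError(f"{label}: bad value {value!r}")

    argv = ["phExportEvent", "--dest", dest]
    if starttime is not None:
        argv += ["--starttime", starttime]
    else:
        argv += ["--relstarttime", relstarttime]
    if endtime is not None:
        argv += ["--endtime", endtime]
    else:
        argv += ["--relendtime", relendtime]
    if devices:
        # --dev takes a single comma-separated list of IPs or host names
        argv += ["--dev", ",".join(devices)]
    for org in orgs:
        # --org is repeated once per organization
        argv += ["--org", org]
    if tz is not None:
        argv += ["-t", tz]
    return argv


def render(argv):
    """Shell-quote the argv list for display or for logging what was run."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Constructed sample: last 5 days before a fixed end time, two devices, one org.
    print(render(build_phexportevent_cmd(
        "/data/exports", relstarttime="5d", endtime="2010-03-10 23:00:00 -8",
        devices=["10.1.1.1", "router1"], orgs=["Public Bank"], tz="-8")))
```

Passing the returned list to subprocess.run (rather than a joined string) keeps organization names with spaces such as "Public Bank" as single arguments; render() is only for logging.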
Dynamic Population of Location, User, and Geolocation Information for Events
In most cases, network logs only contain IP address information, but to investigate incidents involving that IP, you need additional context for that IP address such as host name, user, and geolocation information. Because FortiSIEM collects detailed IT infrastructure information in the CMDB, it is able to correlate that information to the IP address to create a context for the event, and insert that context information into events in real time as parsed attributes. This topic describes the way in which this context information is populated into events.
- Correlating Event Information
- Assigning Attributes to Events
- Dynamic Updating of Attribute Information
- Attributes Added to Events
Correlating Event Information
Event information is derived from several different sources.
1. During the discovery process, FortiSIEM discovers the host name and network interface address information and stores them in the CMDB. If any IP address other than the Access IP changes, then running a rediscovery will update the CMDB with the right information.
2. FortiSIEM collates information from various authentication logs and forms a time-based Identity and Location Report containing the IP address, MAC address, Host Name, Domain, User, Network Access Point, and Network Access Point Port for the event.
3. The geolocation database maps IP addresses to Country, State, City, Organization, Longitude, and Latitude information.
Assigning Attributes to Events
When FortiSIEM parses an event, attributes are assigned to it following this process:
Host Name Attribute
For each IP address (Host IP, Source IP, Destination IP, Reporting IP):
1. FortiSIEM checks the CMDB for an associated host name, and if one is found, then the host name is added to the event.
2. If the host name is not found in the CMDB, then FortiSIEM checks the Identity and Location Report for the host name, and if one is found, then it is added to the event.
3. If the host name is not found in either the CMDB or the Identity and Location Report, then FortiSIEM runs a DNS lookup for the host name, and if one is found, then it is added to the event. For performance reasons the DNS result is cached, and because excessive DNS lookups can cause event processing delays, FortiSIEM has an algorithm to dynamically bypass DNS lookup if it begins falling behind in event processing.
User Name Attribute
For Source IP, FortiSIEM checks for user information in the Identity and Location Report, and if anything is found, it is added to the event.
Geolocation Attribute
For each IP address (Host IP, Source IP, Destination IP, Reporting IP), FortiSIEM checks the geolocation
database. If geolocation information is found for that IP, then Country, State, City, Organization, Longitude, and
Latitude information is added to it.
Dynamic Updating of Attribute Information
For any of these attributes, when there is a change in the infrastructure (for example, a network device has a new
IP or a new user logs on to the system), the change is populated into the CMDB and/or Identity and Location
Report, and the event parsing module learns of the change and starts populating events with the new metadata.
Because the FortiSIEM approach to populating event attributes is dynamic and change driven, it is always able to
map the right IP address to host names and users in the face of dynamic changes in the IT infrastructure.
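The following Python model is an added example, not FortiSIEM's event parsing module, and it covers both the Assigning Attributes to Events process and the Dynamic Updating behaviour described above. It uses small in-memory dictionaries as stand-ins for the CMDB, the Identity and Location Report and the geolocation database, applies the documented lookup order (CMDB, then Identity and Location Report, then DNS), caches DNS results including negative ones, and skips DNS when a backlog counter is above a threshold. The backlog threshold, the sample IPs and names, the attribute spellings where the guide does not give them, and the class and function names are this example's own assumptions.

```python
"""Added example (not FortiSIEM code): host name, user and geolocation
enrichment in the documented order, with a DNS cache and a backlog-driven
DNS bypass. Stores are live dictionaries, so a change written to the CMDB
stand-in is picked up by the next event, as the Dynamic Updating section
describes."""

import socket

# Constructed sample data standing in for FortiSIEM's stores.
CMDB = {"10.1.1.5": "fileserver01"}                                   # IP -> host name
IDENTITY_LOCATION = {"10.1.2.20": {"host": "LAPTOP-ALICE", "user": "alice"}}
GEO_DB = {"203.0.113.7": {"Country": "Examplestan", "State": "Sample State",
                         "City": "Sample City", "Organization": "Example Org",
                         "Longitude": 0.0, "Latitude": 0.0}}

# Assumed: pending-event backlog above which DNS lookups are bypassed.
DNS_BYPASS_BACKLOG = 10000

# Event IP field -> prefix of the geolocation attributes added for it.
IP_FIELDS = {"Host IP": "Host", "Source IP": "Source",
             "Destination IP": "Destination", "Reporting IP": "Reporting"}
# Event IP field -> name of the host name attribute added for it.
HOST_NAME_ATTR = {"Host IP": "Host Name", "Source IP": "Source Host Name",
                  "Destination IP": "Destination Host Name",
                  "Reporting IP": "Reporting Host Name"}


def reverse_dns(ip):
    """PTR lookup; None when the address does not resolve."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


class Enricher:
    def __init__(self, cmdb=None, idloc=None, geo=None, resolver=reverse_dns):
        self.cmdb = dict(CMDB) if cmdb is None else cmdb
        self.idloc = dict(IDENTITY_LOCATION) if idloc is None else idloc
        self.geo = dict(GEO_DB) if geo is None else geo
        self.resolver = resolver
        self.dns_cache = {}   # IP -> host name or None (negative results cached too)

    def host_name(self, ip, backlog):
        """CMDB first, then Identity and Location Report, then cached DNS."""
        if ip in self.cmdb:
            return self.cmdb[ip]
        rec = self.idloc.get(ip)
        if rec and rec.get("host"):
            return rec["host"]
        if ip in self.dns_cache:
            return self.dns_cache[ip]
        if backlog > DNS_BYPASS_BACKLOG:
            return None   # falling behind: skip DNS rather than delay event processing
        name = self.resolver(ip)
        self.dns_cache[ip] = name
        return name

    def enrich(self, event, backlog=0):
        """Return a copy of the parsed event with the context attributes added."""
        out = dict(event)
        for field, prefix in IP_FIELDS.items():
            ip = event.get(field)
            if not ip:
                continue
            name = self.host_name(ip, backlog)
            if name:
                out[HOST_NAME_ATTR[field]] = name
            for key, value in self.geo.get(ip, {}).items():
                out[f"{prefix} {key}"] = value
        # User is looked up for the Source IP only, from the Identity and Location Report.
        rec = self.idloc.get(event.get("Source IP"))
        if rec and rec.get("user"):
            out["User"] = rec["user"]
        return out


if __name__ == "__main__":
    enricher = Enricher(resolver=lambda ip: None)   # offline: no real DNS
    sample = {"Source IP": "10.1.2.20", "Destination IP": "203.0.113.7",
              "Reporting IP": "10.1.1.5"}
    for k, v in sorted(enricher.enrich(sample).items()):
        print(f"{k}: {v}")
```

The resolver is injectable so the lookup chain can be exercised without network access; the stand-alone run above uses a resolver that never answers.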
Attributes Added to Events
IP Type: Attributes
Source IP:
- Source Host Name
- User (corresponding to Source IP)
- Source Country
- Source State
- Source City
- Source Organization
- Source Longitude
- Source Latitude
Destination IP:
- Destination Host Name
- Destination Country
- Destination State
- Destination City
- Destination Organization
- Destination Longitude
- Destination Latitude
Host IP:
- Host Name
- Host Country
- Host State
- Host City
- Host Organization
- Host Longitude
- Host Latitude
Reporting IP:
- Reporting Host Name
- Reporting Country
- Reporting State
- Reporting City
- Reporting Organization
- Reporting Longitude
- Reporting Latitude
PostNAT (Network Address Translation) IP:
- PostNAT Country
- PostNAT State
- PostNAT City
- PostNAT Organization
- PostNAT Longitude
- PostNAT Latitude
Monitoring Custom Applications
While FortiSIEM provides support for many applications, there may also be situations in which you have a custom application running in your infrastructure that you want to monitor. This topic explains how to set up FortiSIEM to monitor that application, and add it to a business service.
1. Log in to your Supervisor.
2. Go to CMDB > Applications, and either select a group where you want to add the application, or create a new one.
3. Click New, and enter an Application Name and a Process Name.
4. Click Save.
5. Initiate discovery of the server where the application is running.
6. Go to CMDB > Devices and select the server.
7. Click the Software tab and make sure the application has been discovered.
8. Go to General Settings > Monitoring > Important Processes.
9. Click Add and enter the name of the process that the application is running on.
10. Click Apply All.
11. Run a structured historical search using these attributes to make sure the process utilization metrics are being received by FortiSIEM:
    Attribute: Value
    Reporting IP: The IP address of the server where the application is running
    Event Type: PH_DEV_MON_PROC_RESOURCE_UTIL
    Application Name: The name of the application
12. Add your application to a business service.
You should now be able to go to Dashboard > Summary Dashboards > Biz Service Summary and see your process running under Top Monitored Processes when you select the associated business service.
IPS Vulnerability Map
The IPS Vulnerability Map lists devices that have a known vulnerability. You can view the IPS Vulnerability Map by going to Incidents > IPS Vulnerability Map, and you can also add new devices to the map. The IPS Vulnerability Map includes these columns.
Column: Description
IPS Event Types: The event types associated with the vulnerability
Vendor Vulnerability ID: The vulnerability ID provided by the device vendor
CVE IDs: The vulnerability ID provided by Common Vulnerabilities and Exposures
Vulnerability Description: A brief description of the device's vulnerability
Found in Device Type: Specific devices or applications that have the vulnerability
Found in Version: The version of the device or application that has the vulnerability
Fixed in Version: The version in which the vulnerability was fixed
Fixed via Patches: The patch version in which the vulnerability was fixed
Adding Entries to the IPS Vulnerabilities Map
Updating IPS Vulnerability Map Entries: You can update existing entries, for example when a patch is released to fix a vulnerability, by selecting an entry in the IPS Vulnerabilities Map and clicking Edit.
1. Log in to your Supervisor node.
2. Go to Incidents > IPS Vulnerability Map.
3. Click Add.
4. Select the IPS Event Type associated with the vulnerability.
5. Enter any Vendor Vulnerability IDs.
6. Enter any CVE IDs. See the Common Vulnerability and Exposures website for CVE IDs. Separate multiple IDs with commas.
7. Enter a Vulnerability Description.
8. For Affected Software, click Add, and then select the affected devices or applications from the Found in Device Type menu.
9. Enter any Found in Version information for the affected software.
10. Enter any fix information for the vulnerability.
11. Click OK.
12. Click Save.
Copyright© 2016 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.