FortiSIEM External Systems Configuration Guide
Version 6.1.1
Fortinet Technologies Inc.

FORTINET DOCUMENT LIBRARY: https://docs.fortinet.com
FORTINET VIDEO GUIDE: https://video.fortinet.com
FORTINET BLOG: https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM: https://www.fortinet.com/training-certification
NSE INSTITUTE: https://training.fortinet.com
FORTIGUARD CENTER: https://www.fortiguard.com
END USER LICENSE AGREEMENT: https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK: Email techdoc@fortinet.com
10/27/2021 FortiSIEM 6.1.1 External Systems Configuration Guide

Change Log

Date | Change Description
2018-05-23 | Initial version of the guide.
2018-07-24 | Revision 2 with a new section under Windows Server Configuration - Configuring Log Monitoring for Non-Administrative User.
2018-08-07 | Revision 3 with updated section: Fortinet FortiGate Firewall
2018-09-12 | Revision 4 with updated section: Microsoft Azure Audit
2018-09-26 | Revision 5 with updated section: WatchGuard Firebox Firewall
2018-11-28 | Revision 6 with updated section: Fortinet FortiGate Firewall > Configuring SSH on FortiSIEM to communicate with FortiGate
2019-01-29 | Revision 7: updated section: Cisco FireSIGHT
2019-03-15 | Revision 8: new section: Threat Intelligence
2019-03-28 | Revision 9: updates the guide to reflect the new menu hierarchy in the FortiSIEM tool.
2019-04-24 | Revision 10: added Carbon Black Security Platform under End Point Security Software.
2019-07-24 | Revision 11: updated integration instructions for Microsoft Office 365 Audit.
2019-10-22 | Revision 12: added Clavister Firewall and FortiADC devices. Added Active Directory User Discovery section to Microsoft Active Directory device. Corrections to SQL Server DDL Event Creation Script and SQL Server Database Level Event Creation Script.
2019-11-22 | Revision 13: added Zeek (Bro) installation instructions for Security Onion, Cyberoam FortiADC, Epic SecuritySIEM, FortiEDR, FortiNAC, FortiDeceptor, Microsoft Network Policy Server, TrendMicro Deep Discovery. Changed the name of Cisco FireAMP to Cisco AMP Cloud V0. Changed the name of Cisco AMP to Cisco AMP Cloud V1.
2020-01-03 | Revision 14: added CradlePoint.
2020-04-15 | Revision 15: added Alert Logic Iris API, AWS Kinesis, AWS Security Hub, Cisco Amp, GitLab Cli, Azure Event Hub, Azure Compute, McAfee ePolicy Orchestrator, LastLine, Imperva Securesphere Web App Firewall, Imperva Securesphere DB Security Gateway, Imperva Securesphere DB Monitoring Gateway, Green League WVSS, FortiInsight, Damballa Failsafe, AWS EC2, Cisco Fireamp, Novell Netware, Green League RSAS, Checkpoint SmartCenter, FortiTester, Cisco Viptela, MobileIron, Duo, Indegy Industrial Cybersecurity Suite, Netwrix, Darktrace DCIP, Hirschmann SCADA Firewalls and Switches.
2020-07-22 | Revision 16: Edits to Cisco AMP Cloud V0 and Cisco AMP Cloud V1.
2020-10-09 | Revision 17: Added Alcide io KAudit, Stormshield Network Security and Tigera Calico
2020-12-18 | Revision 18: Added note to AWS CloudTrail API Configuration
2021-01-05 | Revision 19: Added Mapping Active Directory User Attributes to FortiSIEM User Attributes.
2021-02-03 | Revision 20: Updated Malwarebytes to Malwarebytes Endpoint Protection.
2021-03-03 | Revision 21: Added NetApp Data ONTAP Supported Version.
2021-18-03 | Revision 22: Added Claroty Continuous Threat Detection, Corero Smartwall Threat Defense, Dragos Platform, Malwarebytes Breach Remediation, Oracle Cloud Access Security Broker (CASB), Proofpoint.
2021-05-04 | Revision 23: Updated Linux server section.
2021-07-04 | Revision 24: Updated AWS Kinesis for 6.2.0.
2021-16-04 | Revision 25: Updated Microsoft Office 365 Audit "Create the Office 365 API Credential" steps.
2021-23-04 | Revision 26: Added Salesforce Configuration for 6.2.0, 6.1.x, 5.4.0, 5.3.x, 5.2.x releases.
2021-18-05 | Revision 27: Updated Apache Web Server, AWS EC2 CloudWatch API, and Fortigate Firewall for 6.1.x releases. Added FortiAnalyzer for 6.1.x releases.
2021-21-05 | Revision 28: Updated Windows Agent links for Microsoft sections.
2021-07-26 | Revision 29: Updated Epilog/snare link for Oracle Database Server, Juniper Steel Belted RADIUS, and Apache Web Server configurations.
2021-07-30 | Revision 30: Updated Tenable Nessus Vulnerability Scanner configuration.
2021-08-02 | Revision 31: Updated Cisco FireSIGHT Configuration.
2021-08-30 | Revision 32: Updated Microsoft SQL Server for 6.x guides.
2021-09-24 | Revision 33: Updated Squid Web Proxy with syslog configuration for versions 4.1.1 and later for 6.1.1-6.3.x Guides.
2021-10-27 | Revision 34: Updated Cisco Firepower Management Center (FMC) - Formerly FireSIGHT and FirePower Threat Defense: Using Cisco eStreamer Client for 6.x Guides.


TABLE OF CONTENTS

Change Log  3
Overview  12
FortiSIEM External Ports  13
  Supervisor Communication  13
  Worker Communication  15
  Collector Communication  17
Supported Devices and Applications by Vendor  19
Applications  51
  Application Server  52
    Apache Tomcat  53
    IBM WebSphere  57
    Microsoft ASP.NET  64
    Oracle GlassFish Server  65
    Oracle WebLogic  69
    Redhat JBOSS  73
  Authentication Server  77
    Cisco Access Control Server (ACS)  78
    Cisco Identity Solution Engine (ISE)  84
    Cisco Duo  85
    CyberArk Password Vault  89
    Fortinet FortiAuthenticator  91
    Juniper Networks Steel-Belted RADIUS  92
    Microsoft Internet Authentication Server (IAS)  94
    Microsoft Network Policy Server (RAS VPN)  95
    OneIdentity Safeguard (previously Balabit Privileged Session Management)  96
    Vasco DigiPass  97
  Database Server  99
    IBM DB2 Server  100
    Microsoft SQL Server  105
      What is Discovered and Monitored  105
      Microsoft SQL Server Scripts  125
    MySQL Server  128
    Oracle Database Server  133
  DHCP and DNS Server  140
    Infoblox DNS/DHCP  141
    ISC BIND DNS  143
    Linux DHCP  145
    Microsoft DHCP  147
    Microsoft DNS  149
  Directory Server  151
    Microsoft Active Directory  152
  Document Management Server  157
    Microsoft SharePoint  158
  Healthcare IT  159
    Epic EMR/EHR System  160
  Mail Server  162
    Microsoft Exchange  163
  Management Server/Appliance  166
    Cisco Application Centric Infrastructure (ACI)  167
      What is Discovered and Monitored  167
    Fortinet FortiInsight  171
    Fortinet FortiManager  174
  Remote Desktop  175
    Citrix Receiver (ICA)  176
  Source Code Control  180
    GitHub  181
    GitLab API  183
    GitLab CLI  187
  Unified Communication Server Configuration  190
    Avaya Call Manager  191
    Cisco Call Manager  193
    Cisco Contact Center  199
    Cisco Presence Server  200
    Cisco Tandeberg Telepresence Video Communication Server (VCS)  201
    Cisco Telepresence Multipoint Control Unit (MCU)  203
    Cisco Telepresence Video Communication Server  204
    Cisco Unity Connection  205
  Web Server  206
    Apache Web Server  207
    Microsoft IIS for Windows 2000 and 2003  211
    Microsoft IIS for Windows 2008  213
    Nginx Web Server  215
Blade Servers  217
  Cisco UCS Server  218
  HP BladeSystem  221
Cloud Applications  222
  Alcide.io KAudit  223
  AWS Access Key IAM Permissions and IAM Policies  224
  AWS CloudTrail  226
  Amazon AWS EC2  230
  AWS EC2 CloudWatch API  232
  AWS Kinesis  234
  AWS RDS  237
  AWS Security Hub  239
  Box.com  246
  Google Workspace Audit  248
  Microsoft Azure Audit  253
  Microsoft Office 365 Audit  255
  Microsoft Cloud App Security  265
  Microsoft Azure Advanced Threat Protection (ATP)  268
  Microsoft Azure Compute  269
  Microsoft Azure Event Hub  275
  Microsoft Windows Defender Advanced Threat Protection (ATP)  281
  Okta  283
  Salesforce CRM Audit  288
Console Access Devices  292
  Lantronix SLC Console Manager  293
End Point Security Software  294
  Bit9 Security Platform  295
  Carbon Black Security Platform  297
  Cisco AMP Cloud V0  299
  Cisco AMP Cloud V1  305
  Cisco Security Agent (CSA)  312
  CloudPassage Halo  315
  CrowdStrike Endpoint Security  317
  Digital Guardian CodeGreen DLP  320
  ESET NOD32 Anti-Virus  321
  FortiClient  322
  Fortinet FortiEDR  325
  Malwarebytes Endpoint Protection  327
  McAfee ePolicy Orchestrator (ePO)  328
  MobileIron Sentry and Connector  332
  Netwrix Auditor (via Correlog Windows Agent)  333
  Palo Alto Traps Endpoint Security Manager  334
  SentinelOne  335
  Sophos Central  337
  Sophos Endpoint Security and Control  339
  Symantec Endpoint Protection  340
  Symantec SEPM  342
  Tanium Connect  343
  Trend Micro Interscan Web Filter  344
  Trend Micro Intrusion Defense Firewall (IDF)  346
  Trend Micro OfficeScan  347
Environmental Sensors  348
  APC Netbotz Environmental Monitor  349
  APC UPS  352
  Generic UPS  354
  Liebert FPC  355
  Liebert HVAC  357
  Liebert UPS  359
Firewalls  361
  Check Point FireWall-1  362
  Check Point Provider-1 Firewall  365
    Configuring CMA for Check Point Provider-1 Firewalls  367
    Configuring CLM for Check Point Provider-1 Firewalls  370
    Configuring MDS for Check Point Provider-1 Firewalls  372
    Configuring MLM for Check Point Provider-1 Firewalls  375
  Check Point VSX Firewall  377
  Cisco Adaptive Security Appliance (ASA)  380
  Clavister Firewall  386
  Cyberoam Firewall  388
  Dell SonicWALL Firewall  390
  Fortinet FortiGate Firewall  392
  Imperva Securesphere Web App Firewall  398
  Juniper Networks SSG Firewall  400
  McAfee Firewall Enterprise (Sidewinder)  404
  Palo Alto Firewall  406
  Sophos UTM  410
  Stormshield Network Security  412
  Tigera Calico  413
  WatchGuard Firebox Firewall  415
Load Balancers and Application Firewalls  417
  Brocade ServerIron ADX  418
  Citrix Netscaler Application Delivery Controller (ADC)  421
  F5 Networks Application Security Manager  423
  F5 Networks Local Traffic Manager  425
    Settings for Access Credentials  427
  F5 Networks Web Accelerator  428
  Fortinet FortiADC  429
  Qualys Web Application Firewall  430
Log Aggregators  433
  Fortinet FortiAnalyzer  434
Network Compliance Management Applications  437
  Cisco Network Compliance Manager  438
  PacketFence Network Access Control (NAC)  440
Network Intrusion Prevention Systems (IPS)  441
  3Com TippingPoint UnityOne IPS  442
  AirTight Networks SpectraGuard  445
  Alert Logic IRIS API  447
  Cisco Firepower Management Center (FMC) - Formerly FireSIGHT and FirePower Threat Defense  450
  Cisco Intrusion Prevention System  455
  Cisco Stealthwatch  457
  Cylance Protect Endpoint Protection  458
  Cyphort Cortex Endpoint Protection  460
  Damballa Failsafe  462
  Darktrace CyberIntelligence Platform  463
  FireEye Malware Protection System (MPS)  465
  FortiDDoS  467
  Fortinet FortiDeceptor  469
  Fortinet FortiNAC  471
  Fortinet FortiSandbox  473
  Fortinet FortiTester  475
  IBM Internet Security Series Proventia  476
  Indegy Security Platform  479
  Juniper DDoS Secure  480
  Juniper Networks IDP Series  482
  McAfee IntruShield  484
  McAfee Stonesoft IPS  487
  Motorola AirDefense  489
  Nozomi  491
  Radware DefensePro  493
  Snort Intrusion Prevention System  495
  Sourcefire 3D and Defense Center  500
  Trend Micro Deep Discovery  502
  Zeek (Bro) Installed on Security Onion  504
Routers and Switches  506
  Alcatel TiMOS and AOS Switch  507
  Arista Router and Switch  509
  Brocade NetIron CER Routers  512
  Cisco 300 Series Routers  514
  Cisco IOS Router and Switch  516
    How CPU and Memory Utilization is Collected for Cisco IOS  525
  Cisco Meraki Cloud Controller and Network Devices  527
  Cisco NX-OS Router and Switch  529
  Cisco ONS  534
  Cisco Viptela SDWAN Router  536
  Dell Force10 Router and Switch  537
  Dell NSeries Switch  540
  Dell PowerConnect Switch and Router  543
  Foundry Networks IronWare Router and Switch  545
  HP/3Com ComWare Switch  549
  HP ProCurve Switch  551
  HP Value Series (19xx) and HP 3Com (29xx) Switch  553
  Hirschmann SCADA Firewalls and Switches  556
  Juniper Networks JunOS Switch  557
  MikroTik Router  560
  Nortel ERS and Passport Switch  562
Security Gateways  564
  Barracuda Networks Spam Firewall  565
  Blue Coat Web Proxy  567
  Cisco IronPort Mail Gateway  571
  Cisco IronPort Web Gateway  573
  Fortinet FortiMail  575
  Fortinet FortiWeb  578
  Imperva Securesphere DB Monitoring Gateway  580
  Imperva Securesphere DB Security Gateway  581
  McAfee Vormetric Data Security Manager  583
  McAfee Web Gateway  584
  Microsoft ISA Server  586
  Squid Web Proxy  592
  SSH Comm Security CryptoAuditor  595
  Websense Web Filter  596
Servers  598
  HP UX Server  599
  IBM AIX Server  602
  IBM OS400 Server  605
  Linux Server  607
  Microsoft Windows Server  613
  QNAP Turbo NAS  629
  Sun Solaris Server  630
Storage  633
  Brocade SAN Switch  634
    Configuration  634
  Dell Compellent Storage  636
  Dell EqualLogic Storage  638
  EMC Clariion Storage  640
  EMC Isilon Storage  645
  EMC VNX Storage Configuration  647
  NetApp DataONTAP  651
  NetApp Filer Storage  653
  Nimble Storage  656
    Reports  656
  Nutanix Storage  658
Threat Intelligence  662
  Fortinet FortiInsight  663
  Lastline  666
  ThreatConnect  668
Virtualization  670
  Hyper-V  671
  HyTrust CloudControl  674
  VMware ESX  675
VPN Gateways  677
  Cisco VPN 3000 Gateway  678
  Cyxtera AppGate Software Defined Perimeter (SDP)  680
  Juniper Networks SSL VPN Gateway  681
  Microsoft PPTP VPN Gateway  683
  Pulse Secure  684
Vulnerability Scanners  686
  AlertLogic Intrusion Detection and Prevention Systems (IPS)  687
  Green League WVSS  689
  McAfee Foundstone Vulnerability Scanner  690
  Qualys QualysGuard Scanner  692
  Qualys Vulnerability Scanner  693
  Rapid7 NeXpose Vulnerability Scanner  695
  Rapid7 InsightVM Integration  697
  Tenable.io  699
  Tenable Nessus Vulnerability Scanner  701
  Tenable Security Center  704
  YXLink Vuln Scanner  706
WAN Accelerators  707
  Cisco Wide Area Application Server  708
  Riverbed SteelHead WAN Accelerator  711
Wireless LANs  713
  Aruba Networks Wireless LAN  714
    Reports  714
  Cisco Wireless LAN  716
  CradlePoint  719
  FortiAP  721
  FortiWLC  723
  Motorola WiNG WLAN AP  726
  Ruckus Wireless LAN  728
Using Virtual IPs to Access Devices in Clustered Environments  730
Syslog over TLS  731
Appendix  732
  CyberArk to FortiSIEM Log Converter XSL  732
  Access Credentials  737

Overview

This document describes how to configure third party devices for monitoring by FortiSIEM.

- Ports Used by FortiSIEM for Discovery and Monitoring
- Supported Devices and Applications by Vendor
- Windows Agent Installation Guide
- Applications
- Blade Servers
- Cloud Applications
- Console Access Devices
- End Point Security Software
- Environmental Sensors
- Firewalls
- Load Balancers and Application Firewalls
- Log Aggregators
- Network Compliance Management Applications
- Network Intrusion Protection Systems (IPS)
- Routers and Switches
- Security Gateways
- Servers
- Storage
- Virtualization
- VPN Gateways
- Vulnerability Scanners
- WAN Accelerators
- Wireless LANs
- Using Virtual IPs to Access Devices in Clustered Environments
- Syslog over TLS


FortiSIEM External Ports

This chapter describes the external communication ports that the various FortiSIEM nodes need in order to work. The ports are broken down by:
- Supervisor Communication
- Worker Communication
- Collector Communication

In release 6.1, some cleartext communication was replaced by SSL communication. If an entry in the tables below is marked 5.3, it is valid for releases 5.3 and below; if an entry is marked 6.1, it is valid for releases 6.1 and above.

Supervisor Communication

From | To | Inbound or Outbound | Ports | Services
FortiSIEM Management User | Supervisor | Inbound | TCP/22 | Admin access via SSH
FortiSIEM Management User | Supervisor | Inbound | ICMP | Monitoring via ICMP
FortiSIEM Management User | Supervisor | Inbound | TCP/443 | GUI access via HTTPS
Collector, Worker, Windows Agent, Linux Agent | Supervisor | Inbound | TCP/443 | REST API access via HTTPS
Supervisor | Report Server | Outbound | TCP/5432 | PostgreSQL (report loading)
Worker | Supervisor | Inbound | SSL/7914 | phParser on Worker to phParser on Supervisor for EPS enforcement
Worker | Supervisor | Inbound | SSL/7900 | phMonitorWorker to phMonitorSuper communication
Supervisor | Worker | Outbound | SSL/7900 | phMonitorSuper to phMonitorWorker communication
Worker | Supervisor | Inbound | SSL/7918 | phQueryWorker to phQueryMaster communication
Supervisor | Worker | Outbound | SSL/7916 | phQueryMaster to phQueryWorker communication
Worker | Supervisor | Inbound | SSL/7922 | phRuleWorker to phRuleMaster communication
Worker 6.1 | Supervisor | Outbound | SSL/7920 | phQueryMaster to phDataManager for trigger event query
Worker | Supervisor | Inbound | SSL/7934 | phReportWorker to phReportMaster communication
Worker | Supervisor | Inbound | SSL/7938 | phIdentityWorker to phIpIdentityMaster
Supervisor | Worker | Outbound | TCP/6666 | Redis communication
Worker | Supervisor | Inbound | TCP/5555 | phFortiInsightAI module data collection
Supervisor | External Device | Outbound | UDP/161 | SNMP based monitoring
External Device | Supervisor | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via ftp)
External Device | Supervisor | Inbound | UDP/162 | SNMP Trap
External Device | Supervisor | Inbound | UDP/514 | UDP syslog
External Device | Supervisor | Inbound | TCP/514 | TCP syslog
External Device | Supervisor | Inbound | SSL/6514 | Syslog over TLS
External Device | Supervisor | Inbound | UDP/2055 | NetFlow
Supervisor | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection
Supervisor | External Devices | Outbound | TCP/389 | LDAP discovery
Supervisor | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection
Supervisor | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection
Supervisor | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection
Supervisor | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection
Supervisor | External Device | Outbound | TCP/443 | HTTPS based log collection
Supervisor | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM)
Supervisor | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM)
Supervisor | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM)
Supervisor | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM)
Supervisor | Mail Gateway | Outbound | TCP/SMTP | Sending email notification
Supervisor | NFS Server | Outbound | UDP/111, TCP/111 | NFS Portmapper for writing events in NFS based deployments
Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/9200 (configurable) | Storing events for Elasticsearch based deployments
Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/9300 or HTTPS/443 (configurable) | Querying events for Elasticsearch based deployments
Supervisor | Spark Master Node | Outbound | HTTPS/7077 (configurable) | Querying events for HDFS based deployments
Supervisor | HDFS Name Node | Outbound | HTTPS/9000 (configurable) | Archiving events for HDFS based deployments

Worker Communication

From | To | Inbound or Outbound | Ports | Services
FortiSIEM Management User | Worker | Inbound | TCP/22 | Admin access via SSH
FortiSIEM Management User | Worker | Inbound | ICMP | ICMP
Collector | Worker | Inbound | TCP/443 | REST API access via HTTPS
Worker | Supervisor | Outbound | SSL/7914 | phParser on Worker to phParser on Supervisor for EPS enforcement
Worker | Supervisor | Outbound | SSL/7900 | phMonitorWorker to phMonitorSuper communication
Supervisor | Worker | Inbound | SSL/7900 | phMonitorSuper to phMonitorWorker communication
Worker | Supervisor | Outbound | SSL/7918 | phQueryWorker to phQueryMaster communication
Supervisor | Worker | Inbound | SSL/7916 | phQueryMaster to phQueryWorker communication
Worker | Supervisor | Outbound | SSL/7922 | phRuleWorker to phRuleMaster communication
Worker 6.1 | Supervisor | Outbound | SSL/7920 | phQueryMaster to phDataManager for trigger event query
Worker | Supervisor | Outbound | SSL/7934 | phReportWorker to phReportMaster communication
Worker | Supervisor | Outbound | SSL/7938 | phIdentityWorker to phIpIdentityMaster
Supervisor | Worker | Inbound | TCP/6666 | Redis communication
Worker | Supervisor | Outbound | TCP/5555 | phFortiInsightAI module data collection
Worker | External Device | Outbound | UDP/161 | SNMP based monitoring
External Device | Worker | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via ftp)
External Device | Worker | Inbound | UDP/162 | SNMP Trap
External Device | Worker | Inbound | UDP/514 | UDP syslog
External Device | Worker | Inbound | TCP/514 | TCP syslog
External Device | Worker | Inbound | SSL/6514 | Syslog over TLS
External Device | Worker | Inbound | UDP/2055 | NetFlow
Worker | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection
Worker | External Devices | Outbound | TCP/389 | LDAP discovery
Worker | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection
Worker | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection
Worker | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection
Worker | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection
Worker | External Device | Outbound | TCP/443 | HTTPS based log collection
Worker | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM)
Worker | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM)
Worker | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM)
Worker | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM)
Worker | NFS Server | Outbound | UDP/111, TCP/111 | NFS Portmapper for writing events in NFS based deployments
Worker | Elasticsearch Coordinating Node | Outbound | HTTPS/9200 (configurable) | Storing events for Elasticsearch based deployments
Worker | HDFS Name Node | Outbound | HTTPS/9000 (configurable) | Archiving events for HDFS based deployments

Collector Communication

From | To | Inbound or Outbound | Ports | Services
FortiSIEM Management User | Worker | Inbound | TCP/22 | Admin access via SSH
FortiSIEM Management User | Worker | Inbound | ICMP | ICMP
Collector | Worker | Outbound | TCP/443 | REST API access via HTTPS
Collector | Supervisor | Outbound | TCP/443 | REST API access via HTTPS
Worker | External Device | Outbound | UDP/161 | SNMP based monitoring
External Device | Worker | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via ftp)
External Device | Worker | Inbound | UDP/162 | SNMP Trap
External Device | Worker | Inbound | UDP/514 | UDP syslog
External Device | Worker | Inbound | TCP/514 | TCP syslog
External Device | Worker | Inbound | SSL/6514 | Syslog over TLS
External Device | Worker | Inbound | UDP/2055 | NetFlow
Collector | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection
Collector | External Devices | Outbound | TCP/389 | LDAP discovery
Collector | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection
Collector | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection
Collector | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection
Collector | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection
Collector | External Device | Outbound | TCP/443 | HTTPS based log collection
Collector | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM)
Collector | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM)
Collector | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM)
Collector | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM)

Supported Devices and Applications by Vendor

Vendor AirTight Networks
Alcatel Alcatel Alert Logic
Alert Logic Alcide.io Amazon
Amazon
Amazon Amazon Amazon

Model

Discovery Overview

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

Details

SpectraGuard

Discovered via LOG only

Not natively supported - Custom monitoring needed

CEF format: Over 125 event types parsed covering various Wireless suspicious activities

Currently not natively supported

AirTight Networks SpectraGuard

TiMOS Routers and Switches

SNMP: OS, Hardware

SNMP: CPU, memory, interface utilization, hardware status

Not natively supported Custom parsing needed

Currently not natively supported

Alcatel TiMOS and AOS Switch Configuration

AOS Routers and SNMP: OS,

Switches

Hardware

SNMP: CPU, memory, interface utilization, hardware status

Not natively supported Custom parsing needed

Currently not natively supported

Alcatel TiMOS and AOS Switch Configuration

Intrusion Detection and Prevention Systems (IPS)

Host name and Device type

Not supported

Not supported Alert Logic IPS

Iris API

Host name and Device type

Not supported

Not supported Alert Logic IRIS API

KAudit

Not natively supported

Not natively supported

Kubernetes Audit logs

Not natively supported

Alcide io KAudit

AWS Servers

AWS API: Server Name, Access IP, Instance ID, Image Type, Availability Zone

CloudWatch API: System Metrics: CPU, Disk I/O, Network

CloudTrail API: Over 325 event types parsed covering various AWS activities

CloudTrail API: various administrative changes on AWS systems and users

AWS CloudWatchAWS CloudTrail

AWS Elastic Block Storage (EBS)

CloudWatch API: Volume ID, Status, Attach Time

CloudWatch API: Read/Write Bytes, Ops, Disk Queue

AWS EBS and RDS

AWS EC2

AWS EC2

AWS Relational Database Storage (RDS)

CloudWatch API: CPU, Connections, Memory, Swap, Read/Write Latency and Ops

AWS EBS and RDS

Security Hub

AWS Security

FortiSIEM 6.1.1 External Systems Configuration Guide

19

Fortinet Technologies Inc.

Supported Devices and Applications by Vendor

Vendor
Apache Apache
APC
APC
Arista Networks
Aruba Networks
Avaya Avaya Barracuda Networks

Model

Discovery Overview

Performance Monitoring Overview

Tomcat Application Server
Apache Web server

JMX: Version

JMX: CPU, memory, servlet, session, database, threadpool, request processor metrics

SNMP: Process name

SNMP: process level cpu, memory HTTPS via the modstatus module: Apache level metrics

NetBotz Environmental Monitor
UPS
Routers and Switches
Aruba Wireless LAN

SNMP: Host name, Hardware model, Network interfaces

SNMP: Temperature, Relative Humidity, Airflow, Dew point, Current, Door switch sensor etc.

SNMP: Host name, Hardware model, Network interfaces

SNMP: UPS metrics

SNMP: OS, Hardwar; SSH: configuration, running processes

SNMP: CPU, Memory, Interface utilization, Hardware Status

SNMP: Controller OS, hardware, Access Points

SNMP: Controller CPU, Memory, Interface utilization, Hardware Status SNMP: Access Point Wireless Channel utilization, noise metrics, user count

Call Manager

SNMP: OS, Hardware

SNMP: CPU, Memory, Interface utilization, Hardware Status

Session Manager SNMP: OS, Hardware

SNMP: CPU, Memory, Interface utilization, Hardware Status

Spam Firewall

Application

Currently not natively supported

type discovery

Log Analysis Overview

Config Change Monitoring

Currently not natively supported - Custom parsing needed

Currently not natively supported

Syslog: W3C formatted access logs - per HTTP (S) connection: Sent Bytes, Received Bytes, Connection Duration

Currently not natively supported

SNMP Trap: Over 125 SNMP Trap event types parsed covering various environmental exception conditions

Currently not natively supported

Details
Hub Apache Tomcat
Apache Web Server
APC Netbotz

SNMP Trap: Over 49 SNMP Trap event types parsed covering various environmental exception conditions

Currently not natively supported

APC UPS

Syslog and NetFlow

SSH: Running config, Startup config

Arista Router and Switch

SNMP Trap: Over 165 event types covering Authentication, Association, Rogue detection, Wireless IPS events CDR: Call Records
Syslog: Over 20 event types covering mail

Currently not natively supported
Currently not natively supported Currently not natively supported Currently not natively

Aruba WLAN
Avaya Call Manager
Barracuda Spam

FortiSIEM 6.1.1 External Systems Configuration Guide

20

Fortinet Technologies Inc.

Supported Devices and Applications by Vendor

Vendor

Model

Discovery Overview

Performance Monitoring Overview

via LOG

Bit9 Blue Coat

Security platform

Application type discovery via LOG

Currently not natively supported

Security Gateway Versions v4.x and later

SNMP: OS, Hardware

SNMP: CPU, Memory, Interface utilization, Proxy performance metrics

Box.com Brocade

Cloud Storage SAN Switch

Currently not natively supported
SNMP: OS, Hardware

Currently not natively supported
SNMP: CPU, Memory, Interface utilization

Brocade
Carbon Black
CentOS / Other Linux distributions

ServerIron ADX switch

SNMP: Host name, serial number, hardware

SNMP: Uptime, CPU, Memory, Interface Utilization, Hardware status, Real Server Statistics

Security platform

Application type discovery via LOG

Currently not natively supported

Linux

SNMP: OS, Hardware, Software, Processes, Open Ports SSH: Hardware details, Linux distribution

SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start, Port up/down SSH: Disk I/O, Paging

CentOS / Other Linux distributions

DHCP Server

Currently not natively supported

Currently not natively supported

Checkpoint

FireWall-1 versions NG,

SNMP: OS, Hardware

SNMP: CPU, Memory, Interface utilization

Log Analysis Overview

Config Change Monitoring

scanning and filtering activity

supported

Syslog: Over 259 event types covering various file monitoring activities

Currently not natively supported

Syslog: Admin access to Security Gateway ; SFTP: Proxy traffic analysis

Currently not natively supported

Box.com API: File creation, deletion, modify, file sharing

Currently not natively supported

Currently not natively supported

Currently not natively supported

Details
Carbon Black Security Platform Blue Coat Web Proxy
Box.com
Brocade SAN Switch Brocade ADX

Syslog: Over 259 event types covering various file monitoring activities

Currently not natively supported

Carbon Black Security Platform

Syslog: Situations covering Authentication Success/Failure, Privileged logons, User/Group Modification; SSH: File integrity monitoring, Command output monitoring, Target file monitoring; FortiSIEM LinuxFileMon Agent: File integrity monitoring

SSH: File integrity monitoring, Target file monitoring; Agent: File integrity monitoring

Linux Server

Syslog: DHCP activity (Discover, Offer, Request, Release etc) Used in Identity and Location

Not Applicable

Linux DHCP

LEA from SmartCenter or Log Server: Firewall

LEA: Firewall Audit trail

Check Point Provider-1

FortiSIEM 6.1.1 External Systems Configuration Guide

21

Fortinet Technologies Inc.

Supported Devices and Applications by Vendor

Vendor
Checkpoint Checkpoint
Checkpoint Citrix Citrix Cisco
Cisco Cisco Cisco

Model

Discovery Overview

Performance Monitoring Overview

FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77, NGX, and R75 GAIA
Provider-1 versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77, NGX, and R75 VSX

Host name and Device type
Currently not natively supported

Currently not natively supported

SNMP: OS, Hardware

SNMP: CPU, Memory, Interface utilization

NetScaler Application Delivery Controller

SNMP: OS, Hardware

SNMP: CPU, Memory, Interface utilization, Hardware Status, Application Firewall metrics

ICA

SNMP:

SNMP: Process Utilization; WMI:

Process

ICA Session metrics

Utilization

ASA Firewall (single and multicontext) version 7.x and later

SNMP: OS, Hardware; SSH: interface security level needed for parsing traffic logs, Configuration

SNMP: CPU, Memory, Interface utilization, Firewall Connections, Hardware Status

AMP

FireAMP

ASA firepower SFR Module

SNMP: OS, Hardware; SSH: interface security level needed for parsing traffic

SNMP: CPU, Memory, Interface utilization, Firewall Connections, Hardware Status

Log Analysis Overview

Config Change Monitoring

Log, Audit trail, over 940 IPS Signatures

Details Firewall

Over 9 event types

LEA: Firewall Log, Audit trail

LEA: Firewall Audit trail

Check Point Provider-1

LEA from SmartCenter or Log Server: Firewall Log, Audit trail

LEA: Firewall Audit trail

Check Point Provider-1

Syslog: Over 465 event types covering admin activity, application firewall events, health events

Currently not natively supported

Citrix Netscaler

Currently not natively supported

Currently not natively supported

Citrix ICA

Syslog: Over 1600 event types parsed for situations covering admin access, configuration change, traffic log, IPS activity; NetFlow V9: Traffic log

SSH: Running config, Startup config

Cisco ASA

Cisco AMP

Cisco FireAMP Cloud

Syslog: Over 1600 event types parsed for situations covering admin access, configuration change, traffic log, IPS activity;

SSH: Running config, Startup config

Cisco ASA

Vendor Cisco
Cisco Cisco Cisco Cisco Cisco

Model

Discovery Overview

Performance Monitoring Overview

CatOS based Switches
Duo

logs, Configuration

SNMP: OS, Hardware (Serial Number, Image file, Interfaces, Components); SSH: configuration running process

SNMP: CPU, Memory, Interface utilization, Hardware Status

Not natively supported - Custom Monitoring needed

PIX Firewall

SNMP: OS, Hardware; SSH: interface security level needed for parsing traffic logs, Configuration

SNMP: CPU, Memory, Interface utilization, Connections, Hardware Status

FWSM

SNMP: OS, Hardware; SSH: interface security level needed for parsing traffic logs, Configuration

SNMP: CPU, Memory, Interface utilization, Connections, Hardware Status

Identity Services Engine (ISE)

Host name and Device type

IOS based Routers and Switches

SNMP: OS, Hardware; SSH:

SNMP: CPU, Memory, Interface utilization, Hardware Status; SNMP: IP SLA metrics; SNMP:

Log Analysis Overview

Config Change Monitoring

NetFlow V9: Traffic log

Details

Syslog: Over 700 event types parsed for situations covering admin access, configuration change, interface up/down, BGP interface up/down, traffic log, IPS activity NetFlow V5, V9: Traffic logs

SSH: Running config, Startup config

Cisco IOS

Via API

Not natively supported - Custom configuration collection needed

Cisco Duo

Syslog: Over 1600 event types parsed for situations covering admin access, configuration change, traffic log, IPS activity

SSH: Running config, Startup config

Cisco ASA

Syslog: Over 1600 event types parsed for situations covering admin access, configuration change, traffic log, IPS activity

SSH: Running config, Startup config

Cisco ASA

Cisco ISE

Syslog: Over 200 event types parsed for situations covering

SSH: Running config, Startup config

Cisco IOS

Vendor
Cisco
Cisco Cisco Cisco
Cisco Cisco

Model

Discovery Overview

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

Details

configuration, running process, Layer 2 connectivity

BGP metrics, OSPF metrics; SNMP: Class based QoS metrics; SNMP: NBAR metrics

admin access, configuration change, interface up/down, BGP interface up/down, traffic log, IPS activity; NetFlow V5, V9: Traffic logs

Nexus OS based Routers and Switches

SNMP: OS, Hardware; SSH: configuration running process, Layer 2 connectivity

SNMP: CPU, Memory, Interface utilization, Hardware Status; SNMP: IP SLA metrics, BGP metrics, OSPF metrics, NBAR metrics; SNMP: Class based QoS metrics

Syslog: Over 3500 event types parsed for situations covering admin access, configuration change, interface up/down, BGP interface up/down, traffic log, hardware status, software and hardware errors; NetFlow V5, V9: Traffic logs

SSH: Running config, Startup config

Cisco NX-OS

ONS

SNMP: OS, Hardware

SNMP Trap: Availability and Performance Alerts

Cisco NX-OS

ACE Application Firewall

SNMP: OS, Hardware

UCS Server

UCS API: Hardware components processors, chassis, blades, board, cpu, memory, storage, power supply unit, fan unit

UCS API: Chassis Status, Memory Status, Processor Status, Power Supply status, Fan status

Syslog: Over 500 event types parsed for situations covering hardware errors, internal software errors etc

Currently not natively supported

Cisco UCS

WLAN Controller and Access Points

SNMP: OS, Hardware, Access Points

SNMP: Controller CPU, Memory, Interface utilization, Hardware Status; SNMP: Access Point Wireless Channel utilization, noise metrics, user count

SNMP Trap: Over 88 event types parsed for situations covering Authentication, Association, Rogue detection, Wireless IPS events

Currently not natively supported

Cisco Wireless LAN

Call Manager

SNMP: OS, Hardware, VoIP Phones

SNMP: Call manager CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage; SNMP: VoIP

Syslog: Over 950 messages from Cisco Call Manager as well as Cisco Unified Real Time

Currently not natively supported

Cisco Call Manager

Vendor
Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco

Model

Discovery Overview

Contact Center

SNMP: OS, Hardware

Presence Server

SNMP: OS, Hardware

Tandberg Telepresence Video Communication Server (VCS)

SNMP: OS, Hardware

Tandberg Telepresence Multiple Control Unit (MCU)

SNMP: OS, Hardware

Unity Connection

SNMP: OS, Hardware

IronPort Mail Gateway

SNMP: OS, Hardware

IronPort Web Gateway

SNMP: OS, Hardware

Cisco Network IPS Appliances

SNMP: OS, Hardware

Sourcefire 3D

SNMP: OS,

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

phone count, Gateway count, Media Device count, Voice mail server count and SIP Trunks count; SNMP: SIP Trunk Info, Gateway Status Info, H323 Device Info, Voice Mail Device Info, Media Device Info, Computer Telephony Integration (CTI) Device Info

Monitoring Tool (RTMT); CDR Records, CMR Records: Call Source and Destination, Time, Call Quality metrics (MOS Score, Jitter, latency)

SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change

Currently not natively supported - Custom parsing needed

Currently not natively supported

SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change

Currently not natively supported - Custom parsing needed

Currently not natively supported

SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change

Currently not natively supported - Custom parsing needed

Currently not natively supported

SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change

Currently not natively supported - Custom parsing needed

Currently not natively supported

SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change

Currently not natively supported - Custom parsing needed

Currently not natively supported

SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change

Syslog: Over 45 event types covering mail scanning and forwarding status

Currently not natively supported

SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change

W3C Access log (Syslog): Over 9 event types covering web request handling status

Currently not natively supported

SNMP: CPU, Memory, Disk Interface utilization, Hardware Status

SDEE: Over 8000 IPS signatures

Currently not natively supported

Details
Cisco Contact Center
Cisco Presence Server
Cisco Tandberg Telepresence VCS Cisco Telepresence MCU Cisco Unity
Cisco IronPort Mail
Cisco IronPort Web
Cisco NIPS
Sourcefire 3D

Vendor Cisco
Cisco Cisco Cisco
Cisco
Cisco Cisco Cisco

Model

Discovery Overview

and Defense Center
Firepower Management Center (FMC) Formerly FireSIGHT Console

Hardware

Cisco Security Agent

SNMP or WMI: OS, Hardware

Cisco Access Control Server (ACS)
VPN 3000

SNMP or WMI: OS, Hardware
SNMP: OS, Hardware

Meraki Cloud Controllers
Meraki Firewalls

SNMP: OS, Hardware, Meraki devices reporting to the Cloud Controller
SNMP: OS, Hardware

Meraki Routers/Switches

SNMP: OS, Hardware

Meraki WLAN Access Points

SNMP: OS, Hardware

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

eStreamer SDK: Intrusion events, Malware events, File events, Discovery events, User activity events, Impact flag events

SNMP or WMI: Process CPU and memory utilization

SNMP Trap: Over 25 event types covering Host IPS behavioral signatures.

SNMP or WMI: Process CPU and memory utilization

Syslog: Passed and Failed authentications, Admin accesses

SNMP: CPU, Memory, Interface utilization

Syslog: Successful and Failed Admin Authentication, VPN Authentication, IPSec Phase 1 and Phase 2 association, VPN statistics

SNMP: Uptime, Network Interface Utilization; SNMP Trap: Various availability scenarios

Currently not natively supported - Custom parsing needed

Currently not natively supported
Currently not natively supported

Currently not natively supported
Currently not natively supported

Details
and Defense Center Cisco Firepower Management Center (FMC) Formerly Cisco FireSIGHT
Cisco CSA
Cisco ACS
Cisco VPN 3000
Cisco Meraki Cloud Controller and Network Devices

SNMP: Uptime, Network Interface Utilization

Syslog: Firewall log analysis

SNMP: Uptime, Network Interface Utilization

SNMP: Uptime, Network Interface Utilization

Currently not natively supported
Currently not natively supported
Currently not natively supported

Cisco Meraki Cloud Controller and Network Devices
Cisco Meraki Cloud Controller and Network Devices
Cisco Meraki Cloud Controller and Network Devices

Vendor Cisco Cisco

Model

Discovery Overview

Performance Monitoring Overview

MDS Storage Switch

SNMP: OS, Hardware

SNMP: CPU, Memory, Interface utilization, Hardware Status

Network Control Manager (NCM)

Cisco Cisco

Stealthwatch Viptela

Host name and Device type

Not supported

Discovered Via LOG only

Not natively supported - Custom monitoring needed

Cisco

Wide Area Application Services (WAAS)

SNMP: Host name, Version, Hardware model, Network interfaces

CloudPassage Halo

Host name and Device type

CradlePoint

CradlePoint

Discovered via LOG only

SNMP: CPU, Memory, Interface utilization, Disk utilization, Process cpu/memory utilization
Not supported
Not natively supported. Custom monitoring needed

CrowdStrike

Falcon

Cyberoam

Cyberoam

Host name and Device type
Discovered via LOG only

Not supported
Not natively supported. Custom monitoring needed.

Cylance

Cylance Protect

Log Analysis Overview

Config Change Monitoring

Details

Currently not natively supported - Custom parsing needed

Currently not natively supported

Syslog: Network device software update, configuration analysis for compliance, admin login

Cisco Network Compliance Manager

Not supported

Cisco Stealthwatch

Over 289 Events Types parsed

Not natively supported - Custom configuration collection needed

Cisco Viptela SDWAN Router
Cisco WAAS

Not supported

CloudPassage Halo

29 Event types covering Security Violations, Config Changes, Authentications and informational events

Not currently supported.

CradlePoint

Not supported

CrowdStrike Falcon

Event, Security, and Traffic logs
Syslog: Endpoint

Connection permit and deny, system events, malware events

Cyberoam Firewall

Cylance Protect

Vendor
Cyphort Cyxtera Damballa Darktrace
Dell Dell Dell Dell Dell Dell Dell

Model

Discovery Overview

Endpoint Protection Cyphort Cortex Endpoint Protection AppGate SDP
Failsafe

Host name and Device type

CyberIntelligence Platform

Discovered via LOG only

SonicWall Firewall

SNMP: OS, Hardware

Force10 Router and Switch

SNMP: OS, Hardware

NSeries Router and Switch

SNMP: OS, Hardware

PowerConnect Router and Switch

SNMP: OS, Hardware

Dell Hardware on Intel-based Servers

SNMP: Hardware

Compellent Storage

SNMP: OS, Hardware

EqualLogic Storage

SNMP: OS, Hardware (Network interfaces, Physical

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

protection alerts

Details

Syslog: Endpoint protection alerts

Cyphort Cortex

Not supported

Not supported

Cyxtera AppGate SDP

Not natively supported - Custom monitoring needed

Over 40 Events Types parsed

SNMP: CPU, Memory, Interface utilization, Firewall session count
SNMP: CPU, Memory, Interface utilization, Interface Status, Hardware Status

SNMP: CPU, Memory, Interface utilization, Hardware Status

SNMP: CPU, Memory, Interface utilization, Hardware Status

Syslog: Firewall log analysis (over 1000 event types)

Damballa Failsafe

Not natively supported - Custom configuration collection needed

Darktrace CyberIntelligence Platform

Currently not natively supported

Dell SonicWALL

SSH: Running config, Startup config

Dell Force10

SSH: Startup config

Dell NSeries

SSH: Startup config

Dell PowerConnect

SNMP: Hardware Status: Battery, Disk, Memory, Power supply, Temperature, Fan, Amperage, Voltage
SNMP: Network Interface utilization, Volume utilization, Hardware Status (Power, Temperature, Fan)
SNMP: Uptime, Network Interface utilization; SNMP: Hardware status: Disk, Power supply, Temperature, Fan, RAID health; SNMP: Overall Disk health

Currently not natively supported.

Currently not natively supported.

Dell Compellent

Currently not natively supported.

Dell EqualLogic

Vendor Digital Guardian EMC
EMC

Model

Discovery Overview

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

Disks, Components)

metrics: Total disk count, Active disk count, Failed disk count, Spare disk count; SNMP: Connection metrics: IOPS, Throughput; SNMP: Disk performance metrics: IOPS, Throughput; SNMP: Group level performance metrics: Storage, Snapshot

Code Green DLP

LOG Discovery

Currently not natively supported

1 broad event type

Currently not natively supported

Clariion Storage

Naviseccli: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Installed Software, Storage Controller Ports; Naviseccli: Hardware components, RAID Groups and assigned disks, LUNs and LUN -> RAID Group mappings, Storage Groups and memberships

Naviseccli: Storage Processor utilization, Storage Port I/O, RAID Group I/O, LUN I/O, Host HBA Connectivity, Host HBA Unregistered Host, Hardware component health, Overall Disk health, Storage Pool Utilization

Currently not natively supported.

VNX Storage

Naviseccli: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Installed Software, Storage Controller Ports; Naviseccli: Hardware components, RAID Groups and assigned disks, LUNs and LUN -> RAID Group mappings, Storage Groups and memberships

Naviseccli: Storage Processor utilization, Storage Port I/O, RAID Group I/O, LUN I/O, Host HBA Connectivity, Host HBA Unregistered Host, Hardware component health, Overall Disk health, Storage Pool Utilization

Details Digital Guardian Code Green DLP EMC Clariion
EMC VNX

Vendor
EMC Epic ESET FireEye

Model

Discovery Overview

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

Isilon Storage

SNMP: Host name, Operating system, Hardware (Model, Serial number, Network interfaces, Physical Disks, Components)

SNMP: Uptime, Network Interface metrics; SNMP: Hardware component health: Disk, Power supply, Temperature, Fan, Voltage; SNMP: Cluster membership change, Node health and performance (CPU, I/O), Cluster health and performance, Cluster Snapshot, Storage Quota metrics, Disk performance, Protocol performance

5 event types

SecuritySIEM

Discovered via LOG only

Not natively supported. Custom monitoring needed.

Authentication Query, Client login Query

Currently not natively supported

Nod32 Anti-virus

Application type discovery via LOG

Syslog (CEF format): Virus found/cleaned type of events

Malware Protection System (MPS)

Application type discovery via LOG

Syslog (CEF format): Malware found/cleaned type of events

Details
EMC Isilon
Epic EMR/EHR System ESET NOD32 FireEye MPS

Vendor FireEye F5 Networks F5 Networks
F5 Networks Fortinet Fortinet Fortinet Fortinet

Model

Discovery Overview

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

Details

HX Appliances for Endpoint protection

Application type discovery via LOG

Syslog (CEF format): Malware Acquisition, Containment type of events

Application Security Manager

Discovery via LOG

Syslog (CEF Format): Various application level attack scenarios - invalid directory access, SQL injections, cross site exploits

F5 Application Security Manager

Local Traffic Manager

SNMP: Host name, Operating system, Hardware (Model, Serial number, Network interfaces, Physical Disks), Installed Software, Running Software

SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start

SNMP Trap: Exception situations including hardware failures, certain security attacks, Policy violations etc; Syslog: Permitted and Denied Traffic

F5 Networks Local Traffic Manager

Web Accelerator

Discovery via LOG

Syslog: Permitted Traffic

F5 Networks Web Accelerator

FortiAnalyzer

Fortinet FortiAnalyzer

FortiAP

Access point - Name, OS, Interfaces, Controller (FortiGate)

FortiAP CPU, Memory, Clients, Sent/Received traffic

Wireless events via FortiGate

FortiAP

FortiAuthenticator

Vendor, OS, Model

Interface Stat, Authentication Stat

Over 150 event types

Currently not natively supported.

Fortinet FortiAuthenticator

FortiClient

Discovered via LOG only

Syslog: Traffic logs, Event logs

Not supported

FortiClient

Vendor Fortinet Fortinet Fortinet
Fortinet Fortinet
Fortinet Fortinet
Fortinet

Model FortiDeceptor FortiEDR FortiGate firewalls
FortiInsight FortiManager
FortiNAC FortiWLC
FortiTester

Discovery Overview

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

Details

Discovered via LOG only

Not natively supported. Custom monitoring needed.

Authentication logs, Decoy activity

Currently not natively supported.

Fortinet FortiDeceptor

Discovered via LOG only

Not natively supported. Custom monitoring needed.

System and security events (e.g. file blocked)

Currently not natively supported

Fortinet FortiEDR

SNMP: OS, Host name, Hardware (Serial Number, Interfaces, Components)

SNMP: Uptime, CPU and Memory utilization, Network Interface metrics

Syslog: Over 11000 Traffic and system logs; Netflow: traffic flow, Application flow

SSH: Running config, Startup config

Fortinet FortiGate

FortiInsight

SNMP: Host name, Hardware model, Network interfaces, Operating system version

SNMP: Uptime, CPU and Memory utilization, Network Interface metrics

FortiManager

Discovered via LOG only

Not natively supported. Custom monitoring needed

Administrative and User Admission Control events

Currently not natively supported

Fortinet FortiNAC

SNMP: Controller - Name, OS, Serial Number, Interfaces; Associated Access Points - Name, OS, Interfaces

Controller - CPU, Memory, Disk, Throughput, QoS statistics, Station count

Hardware/Software errors, failures, logons, license expiry, Access Point Association / Disassociation

Not supported

FortiWLC

Discovered Via LOG only

Not natively supported - Custom monitoring needed

CEF format: Over 14 Event types parsed

Not natively supported - Custom configuration collection needed

Fortinet FortiTester

Vendor

Model

Discovery Overview

Performance Monitoring Overview

Foundry Networks

IronWare Router and Switch

SNMP: OS, Hardware; SSH: configuration, running process

SNMP: Uptime, CPU, Memory, Interface utilization, Hardware Status

FreeBSD

GitHub.com

GitHub

Host name and Device type

Not supported

GitLab API

GitLab

Host name and Device type

Not supported

GitLab CLI

GitLab

Host name and Device type

Not supported

Green League WVSS

Huawei HP HP
HP

VRP Router and Switch

SNMP: OS, Hardware; SSH: configuration, running process, Layer 2 connectivity

SNMP: Uptime, CPU, Memory, Interface utilization, Hardware Status

BladeSystem

SNMP: Host name, Access IP, Hardware components

SNMP: hardware status

HP-UX servers

SNMP: OS, Hardware

SNMP: Uptime, CPU, Memory, Network Interface, Disk space utilization, Network Interface Errors, Running Process Count, Running process CPU/memory utilization, Running process start/stop; SNMP: Installed Software change; SSH: Memory paging rate, Disk I/O utilization

HP Hardware on Intel-based

SNMP: hardware

SNMP: hardware status

Log Analysis Overview

Config Change Monitoring

Details

Syslog: Over 6000 event types parsed for situations covering admin access, configuration change, interface up/down

SSH: Running config, Startup config

Foundry Networks IronWare

Not supported

GitHub

Not supported

GitLab API

Not supported

GitLab CLI

Syslog: Over 30 event types parsed for situations covering admin access, configuration change, interface up/down

Green League WVSS
SSH: Running config, Startup config

HP BladeSystem

HP UX Server

SNMP Trap: Over 100 traps covering hardware

Vendor
HP HP HP HP HP

Model Servers
TippingPoint UnityOne IPS ProCurve Switches and Routers
Value Series (19xx) Switches and Routers
3Com (29xx) Switches and Routers
HP/3Com Comware Switches and Routers

Discovery Overview

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

Details

model, hardware serial, hardware components (fan, power supply, battery, raid, disk, memory)

issues

SNMP: OS, Hardware

SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors

Syslog: Over 4900 IPS alerts directly or via NMS

TippingPoint IPS

SNMP: OS, hardware model, hardware serial, hardware components; SSH: configuration

SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors; SNMP: hardware status

SSH: Running config, Startup config

HP ProCurve

SNMP: OS, hardware model, hardware serial, hardware components; SSH: configuration

SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors

SSH: Startup config

HP Value Series (19xx) and HP 3Com (29xx) Switch

SNMP: OS, hardware model, hardware serial, hardware components; SSH: configuration

SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors

SSH: Startup config

HP Value Series (19xx) and HP 3Com (29xx) Switch

SNMP: OS, hardware model, hardware

SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors; SNMP: hardware status

Syslog: Over 6000 event types parsed for situations covering admin access,

SSH: Startup config

HP/3Com ComWare

Vendor
Hirschmann HyTrust IBM IBM IBM IBM
IBM Imperva

Model
Switches
CloudControl Websphere Application Server
DB2 Database Server ISS Proventia IPS Appliances AIX Servers
OS 400 Securesphere DB Monitoring Gateway

Discovery Overview

Performance Monitoring Overview

serial, hardware components; SSH: configuration
Host Name, OS

SNMP: Uptime, CPU, Memory, Interface utilization, Hardware Status, OSPF metrics

LOG Discovery

Currently not natively supported

SNMP or WMI: Running processes

HTTP(S): Generic Information, Availability metrics, CPU / Memory metrics, Servlet metrics, Database pool metrics, Thread pool metrics, Application level metrics, EJB metrics

SNMP or WMI: Running processes

JDBC: Database Audit trail: Log on, Database level and Table level CREATE/DELETE/MODIFY operations

SNMP: OS, Hardware, Installed Software, Running Processes, Open Ports; SSH: Hardware details

SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start, Port up/down; SSH: Disk I/O, Paging

Log Analysis Overview

Config Change Monitoring

configuration change, interface up/down and other hardware issues and internal errors

Not natively supported - Custom parsing needed

Not natively supported - Custom configuration collection needed

Over 70 event types

Currently not natively supported

SNMP Trap: IPS Alerts: Over 3500 event types Syslog: General logs including Authentication Success/Failure, Privileged logons, User/Group Modification
Syslog via PowerTech Agent: Over 560 event types

Details
Hirschmann SCADA Firewalls and Switches HyTrust CloudControl IBM WebSphere
IBM DB2
IBM ISS Proventia IBM AIX
IBM OS400 Imperva Securesphere DB Monitoring

Vendor Imperva Imperva
Indegy
Intel/McAfee
Intel/McAfee
Intel/McAfee Intel/McAfee Intel/McAfee Intel/McAfee Infoblox

Model

Discovery Overview

Performance Monitoring Overview

Securesphere DB Security Gateway
Securesphere Web App Firewall

Log Analysis Overview

Config Change Monitoring

Syslog in CEF format

Security Platform
McAfee Sidewinder Firewall
McAfee ePO
Intrushield IPS Stonesoft IPS

Discovered via LOG only

Not natively supported - Custom monitoring needed

Over 14 Events Types parsed

SNMP: OS, Hardware, Installed Software, Running Processes

SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start

SNMP: Related process name and parameters

SNMP: Process resource utilization

SNMP: OS, Hardware

SNMP: Hardware status

Syslog: Firewall logs
SNMP Trap: Over 170 event types
Syslog: IPS Alerts Syslog: IPS Alerts

Not natively supported - Custom configuration collection needed

Web Gateway

Syslog: Web server log

Foundstone Vulnerability Scanner

JDBC: Vulnerability data

DNS/DHCP Appliance

SNMP: OS, Hardware, Installed Software, Running

; SNMP: Zone transfer metrics, DNS Cluster Replication metrics, DNS Performance metrics, DHCP Performance metrics, DDNS Update metrics, DHCP subnet

Syslog: DNS logs - name resolution activity success and failures

Details
Gateway Imperva Securesphere DB Security Gateway Imperva Securesphere DB Security Gateway Indegy Security Platform
McAfee Firewall Enterprise (Sidewinder)
McAfee ePolicy Orchestrator (ePO)
McAfee IntruShield McAfee Stonesoft McAfee Web Gateway McAfee Foundstone Vulnerability Scanner Infoblox DNS/DHCP

Vendor ISC Juniper
Juniper
Juniper
Juniper
Juniper Juniper

Model
Bind DNS JunOS Router/Switch
SRX Firewalls
SSG Firewall
ISG Firewall
Steelbelted RADIUS Secure Access

Discovery Overview

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

Details

Processes

usage metrics; SNMP: Hardware Status; SNMP Trap: Hardware/Software Errors

Syslog: DNS logs - name resolution activity success and failures

ISC BIND DNS

SNMP: OS, Hardware; SSH: Configuration

SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status

Syslog: Over 1420 event types parsed for situations covering admin access, configuration change, interface up/down and other hardware issues and internal errors

SSH: Startup configuration

Juniper Networks JunOS

SNMP: OS, Hardware; SSH: Configuration

SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status

Syslog: Over 700 event types parsed for situations covering traffic log, admin access, configuration change, interface up/down and other hardware issues and internal errors

SSH: Startup configuration

Juniper Networks JunOS

SNMP: OS, Hardware; SSH: Configuration

SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status

Syslog: Over 40 event types parsed for situations covering traffic log, admin access, configuration change, interface up/down and other hardware issues and internal errors

SSH: Startup configuration

Juniper Networks SSG Firewall

SNMP: OS, Hardware; SSH: Configuration

SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status

Syslog: Over 40 event types parsed for situations covering traffic log, admin access, configuration change, interface up/down and other hardware issues and internal errors

SSH: Startup configuration

Juniper Networks SSG Firewall

Discovered via LOG

Syslog - 4 event types covering admin access and AAA authentication

Juniper Networks Steel-Belted RADIUS

SNMP: OS,

SNMP: CPU, Memory, Disk,

Syslog - Over 30 event

Juniper Networks

Vendor

Model

Gateway

Discovery Overview
Hardware

Juniper

Netscreen IDP

Juniper Lantronix
LastLine Liebert

DDoS Secure
SLC Console Manager

HVAC

SNMP: Host Name, Hardware model

Liebert

FPC

Liebert

UPS

SNMP: Host Name, Hardware model
SNMP: Host Name, Hardware model

Malwarebytes

Malwarebytes Endpoint Protection

McAfee

Vormetric Data Security Manager

LOG Discovery

Microsoft

ASP.NET

SNMP: Running Processes

Microsoft

Azure Advanced Host name

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

Details

Interface utilization

types parsed for situations covering VPN login, Admin access, Configuration Change

SSL VPN Gateway

Syslog - directly from Firewall or via NSM Over 5500 IPS Alert types parsed

Juniper Networks IDP Series

Syslog - DDoS Alerts

Juniper DDoS

Syslog - Admin access, Updates, Commands run

Lantronix SLC Console Manager

Syslog in CEF format

LastLine

SNMP: HVAC metrics: Temperature: current value, upper threshold, lower threshold, Relative Humidity: current value, upper threshold, lower threshold, System state etc

Liebert HVAC

SNMP: Output voltage (X-N, Y-N, Z-N), Output current (X, Y. Z), Neutral Current, Ground current, Output power, Power Factor etc

Liebert FPC

SNMP: UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated Seconds Remaining, Output voltage etc

Liebert UPS

Malwarebytes Endpoint Protection

Currently not natively supported 1 broad event Type

Currently not natively supported

McAfee Vormetric Data Security Manager

SNMP or WMI: Process level resource usage ; WMI: Request Execution Time, Request Wait Time, Current Requests, Disconnected Requests etc

Microsoft ASP.NET

Not supported

Not supported Microsoft Azure

FortiSIEM 6.1.1 External Systems Configuration Guide

38

Fortinet Technologies Inc.

Supported Devices and Applications by Vendor

Vendor Microsoft Microsoft Microsoft Microsoft
Microsoft
Microsoft
Microsoft

Model

Discovery Overview

Threat Protection and Device

(ATP)

type

Azure Compute

Azure Event Hub

Cloud App Security
DHCP Server 2003, 2008

Host name and Device type
SNMP: Running Processes

DNS Server 2003, 2008

SNMP: Running Processes

Domain Controller / Active Directory - 2003, 2008, 2012

SNMP: Running Processes; LDAP: Users

Exchange Server

SNMP: Running Processes

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

Details ATP

Not supported

Microsoft Azure Compute
Microsoft Azure Event Hub
Not supported Microsoft Cloud App Security

WMI: DHCP metrics: request rate, release rate, decline rate, Duplicate Drop rate etc

FortiSIEM Windows Agent (HTTPS): DHCP logs - release, renew etc; Snare Agent (syslog): DHCP logs - release, renew etc; Correlog Agent (syslog): DHCP logs - release, renew etc

Microsoft DHCP (2003, 2008)

WMI: DNS metrics: Requests received, Responses sent, WINS requests received, WINS responses sent, Recursive DNS queries received etc

FortiSIEM Windows Agent (HTTPS): DNS logs - name resolution activity; Snare Agent (syslog): DNS logs name resolution activity; Correlog Agent (syslog): DNS logs - name resolution activity

Microsoft DNS (2003, 2008)

WMI: Active Directory metrics: Directory Search Rate, Read Rate, Write Rate, Browse Rate, LDAP search rate, LDAP Bind Rate etc; WMI: "dcdiag -e" command output - detect successful and failed domain controller diagnostic tests; WMI: "repadmin /replsummary" command output - Replication statistics; LDAP: Users with stale passwords, insecure password settings

Microsoft Active Directory

SNMP or WMI: Process level resource usage; WMI: Exchange performance metrics, Exchange

Exchange Tracker Logs via FSM

Microsoft Exchange

FortiSIEM 6.1.1 External Systems Configuration Guide

39

Fortinet Technologies Inc.

Supported Devices and Applications by Vendor

Vendor
Microsoft Microsoft
Microsoft
Microsoft Microsoft

Model
Hyper-V Hypervisor IIS versions
Internet Authentication Server (IAS)
Network Policy Server PPTP VPN Gateway

Discovery Overview

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

error metrics, Exchange mailbox metrics, Exchange SMTP metrics, Exchange ESE Database, Exchange Database Instances, Exchange Mail Submission Metrics, Exchange Store Interface Metrics etc

Advanced Windows Agent

Powershell over winexe: Guest/Host CPU usage, Memory usage, Page fault, Disk Latency, Network usage ;

SNMP: Running Processes

SNMP or WMI: Process level resource usage WMI: IIS metrics: Current Connections, Max Connections, Sent Files, Received Files etc

FortiSIEM Windows Agent (HTTPS): W3C Access logs - Per instance Per Connection - Sent Bytes, Received Bytes, Duration ; Snare Agent (syslog): W3C Access logs; Correlog Agent (syslog): W3C Access logs

SNMP: Running Processes

SNMP or WMI: Process level resource usage

FortiSIEM Windows Agent (HTTPS): AAA logs - successful and failed authentication ; Snare Agent (syslog): AAA logs - successful and failed authentication ; Correlog Agent (syslog): AAA logs successful and failed authentication

Discovered via LOG only.

Not natively supported. Custom monitoring needed.

AAA-based login events

Currently not natively supported

FortiSIEM Windows Agent (HTTPS): VPN Access - successful and failed Snare Agent (syslog): VPN Access successful and failed ; Correlog Agent (syslog): VPN Access - successful

Details
Hyper-V
Microsoft IIS for Windows 2000 and 2003; Microsoft IIS for Windows 2008
Microsoft Internet Authentication Server (IAS)
Microsoft Network Policy Server Microsoft PPTP

FortiSIEM 6.1.1 External Systems Configuration Guide

40

Fortinet Technologies Inc.

Supported Devices and Applications by Vendor

Vendor Microsoft
Microsoft
Microsoft Microsoft

Model

Discovery Overview

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

Details

and failed

Sharepoint Server

SNMP: Running Processes

SNMP or WMI: Process level resource usage

LOGBinder Agent: SharePoint logs - Audit trail integrity, Access control changes, Document updates, List updates, Container object updates, Object changes, Object Import/Exports, Document views, Information Management Policy changes etc

Microsoft SharePoint

SQL Server 2005, 2008, 2008R2, 2012, 2014

SNMP: Running Processes

SNMP or WMI: Process resource usage; JDBC: General database info, Configuration Info, Backup Info,; JDBC: Per-instance like Buffer cache hit ratio, Log cache hit ratio etc; JDBC: per-instance, per-database Performance metrics Data file size, Log file used, Log growths etc; JDBC: Locking info, Blocking info

JDBC: database error log; JDBC: Database audit trail

Microsoft SQL Server

Windows Defender Advanced Threat Protection (ATP)

Host name and Device type

Not supported

Not supported Windows Defender ATP

Windows 2000, Windows 2003, Windows 2008, Windows 2008 R2, Windows 2012, Windows 2012 R2

SNMP: OS, Hardware (for Dell and HP), Installed Software, Running Processes; WMI: OS, Hardware (for Dell and HP), BIOS, Installed Software, Running Processes,

SNMP: CPU, Memory, Disk, Interface utilization, Process utilization ; WMI: SNMP: CPU, Memory, Disk, Interface utilization, Detailed CPU/Memory usage, Detailed Process utilization

WMI pulling: Security, System and Application logs; FortiSIEM Windows Agent (HTTPS): Security, System and Application logs, File Content change; Snare Agent (syslog): Security, System and Application logs; Correlog Agent (syslog): Security, System and Application logs

SNMP: Installed Software Change; FortiSIEM Windows Agent: Installed Software Change, Registry Change; FortiSIEM Windows Agent: File

Microsoft Windows Servers

FortiSIEM 6.1.1 External Systems Configuration Guide

41

Fortinet Technologies Inc.

Supported Devices and Applications by Vendor

Vendor
MobileIron Sentry and Connector Motorola Motorola
Mikrotek
NetApp NetApp
Nessus

Model
Sentry
AirDefense Wireless IDS WiNG WLAN Access Point
Mikrotech Switches and Routers DataONTAP DataONTAP based Filers
Vulnerability Scanner

Discovery Overview

Performance Monitoring Overview

Services, Installed Patches

Discovered Via LOG only

Not natively supported - Custom monitoring needed

Host name, OS, Hardware model, Serial number, Components

SNMP: Uptime CPU utilization, Network Interface metrics

Log Analysis Overview

Config Change Monitoring

Integrity Monitoring

Over 18 Events Types parsed

Not natively supported Custom configuration collection needed

Syslog: Wireless IDS logs

Syslog: All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health

SNMP: Host name, OS, Hardware model, Serial number, Network interfaces, Logical volumes, Physical Disks

SNMP: CPU utilization, Network Interface metrics, Logical Disk Volume utilization; SNMP: Hardware component health, Disk health ONTAP API: Detailed NFS V3/V4, ISCSI, FCP storage IO metrics, Detailed LUN metrics, Aggregate metrics, Volume metrics, Disk performance metrics

SNMP Trap: Over 150 alerts - hardware and software alerts

Nessus API: Vulnerability Scan results - Scan name, Host, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability

Details
MobileIron Sentry
Motorola AirDefense Motorola WLAN
Mikrotek Router
NetApp DataONTAP NetApp Filer
Nessus Vulnerability Scanner

FortiSIEM 6.1.1 External Systems Configuration Guide

42

Fortinet Technologies Inc.

Supported Devices and Applications by Vendor

Vendor Netwrix Nginx Nimble
Nortel Nortel Nozomi Nutanix

Model
Auditor Web Server
NimbleOS Storage
ERS Switches and Routers
Passport Switches and Routers Guardian Controller VM

Discovery Overview
Not natively supported
SNMP: Application name
Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components SNMP: Host name, OS, Hardware model, Serial number, Components SNMP: Host name, OS, Hardware model, Serial number, Components No SNMP: Host name, OS, Hardware model, Serial number, Network

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

CVSS Score, Vulnerability Consequence, etc

Not natively supported

2 Event Types parsed (via Windows Correlog Agent)

Not natively supported

SNMP: Application Resource Usage

Syslog: W3C access logs: per HTTP(S) connection: Sent Bytes, Received Bytes, Connection Duration

SNMP: Uptime, Network Interface metrics, Storage Disk Utilization SNMP: Storage Performance metrics: Read rate (IOPS), Sequential Read Rate (IOPS), Write rate (IOPS), Sequential Write Rate (IOPS), Read latency, etc

SNMP: Uptime CPU/memory utilization, Network Interface metrics/errors, Hardware Status

SNMP: Uptime CPU/memory utilization, Network Interface metrics/errors, Hardware Status

No

Yes

No

SNMP: Uptime CPU/memory utilization, Network Interface metrics/errors, Disk Status, Cluster Status, Service Status, Storage Pool Info, Container Info

Details
Netwrix Auditor Nginx Web Server Nimble Storage
Nortel ERS and Passport Switch
Nortel ERS and Passport Switch
Nozomi Nutanix

FortiSIEM 6.1.1 External Systems Configuration Guide

43

Fortinet Technologies Inc.

Supported Devices and Applications by Vendor

Vendor Okta.com OneIdentity OpenLDAP Oracle
Oracle
Oracle

Model
SSO Safeguard

Discovery Overview

Performance Monitoring Overview

interfaces, Physical Disks, Components
Okta API: Users

Not supported

Log Analysis Overview

Config Change Monitoring

Okta API: Over 90 event types covering user activity in Okta website

OpenLDAP

LDAP: Users

Enterprise Database Server - 10g, 11g, 12c

SNMP or WMI: Process resource usage ;

JDBC: Database performance metrics: Buffer cache hit ratio, Row cache hit ratio, Library cache hit ratio, Shared pool free ratio, Wait time ratio, Memory Sorts ratio etc ; JDBC: Database Table space information: able space name, table space type, table space usage, table space free space, table space next extent etc; JDBC: Database audit trail: Database logon, Database operations including CREATE/ALTER/DROP/TRUNC ATE operations on tables, table spaces, databases, clusters, users, roles, views, table indices, triggers etc.

Syslog: Listener log, Alert log, Audit Log

MySQL Server

SNMP or WMI: Process resource usage

JDBC: User Connections, Table Updates, table Selects, Table Inserts, Table Deletes, Temp Table Creates, Slow Queries etc; JDBC: Table space performance metrics: Table space name, table space type, Character set and Collation, table space usage, table space free space etc; JDBC: Database audit trail: Database log on, Database/Table CREATE/DELETE/MODIFY operations

WebLogic

SNMP or

JMX: Availability metrics, Memory

Details Okta Configuration OneIdentity Safeguard Oracle Database
MySQL Server
Oracle WebLogic

FortiSIEM 6.1.1 External Systems Configuration Guide

44

Fortinet Technologies Inc.

Supported Devices and Applications by Vendor

Vendor
Oracle
Oracle
PacketFence Palo Alto Networks Palo Alto Networks
PulseSecure QNAP Qualys Qualys

Model

Discovery Overview

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

Details

Application Server

WMI: Process resource usage

metrics, Servlet metrics, Database metrics, Thread pool metrics, EJB metrics, Application level metrics

Glassfish Application Server

SNMP or WMI: Process resource usage

JMX: Availability metrics, Memory metrics, Servlet metrics, Session metrics, Database metrics, Request processor metrics, Thread pool metrics, EJB metrics, Application level metrics, Connection metrics

Oracle GlassFish Server

Sun SunOS and Solaris

SNMP: OS, Hardware, Software, Processes, Open Ports ; SSH: Hardware details

SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start, Port up/down ; SSH: Disk I/O, Paging

Syslog: Situations covering Authentication Success/Failure, Privileged logons, User/Group Modification

Sun Solaris Server

Network Access Control

Host name and Device type

Not supported

Not supported

PacketFence Network Access Control

Palo Alto Traps Endpoint Security Manager

LOG Discovery

Currently not natively supported Over 80 event types

Currently not natively supported

Palo Alto Traps Endpoint Security Manager

PAN-OS based Firewall

SNMP: Host name, OS, Hardware, Network interfaces; SSH: Configuration

SNMP: Uptime, CPU utilization, Network Interface metrics, Firewall connection count

Syslog: Traffic log, Threat log (URL, Virus, Spyware, Vulnerability, File, Scan, Flood and data subtypes), config and system logs

SSH: Configuration Change

Palo Alto Firewall

PulseSecure VPN

Syslog: VPN events, Traffic events, Admin events

PulseSecure

Turbo NAS

QNAP Turbo NAS

QualysGuard Scanner

Qualys QualysGuard Scanner

Vulnerability Scanner

Qualys API: Vulnerability Scan results - Scan

Qualys Vulnerability

FortiSIEM 6.1.1 External Systems Configuration Guide

45

Fortinet Technologies Inc.

Supported Devices and Applications by Vendor

Vendor
Qualys Radware Rapid7 Rapid7
Riverbed

Model

Discovery Overview

Web Application Firewall

DefensePro

LOG Discovery

InsightVM
NeXpose Vulnerability Scanner

Host name and Device type

Steelhead WAN Accelerators

SNMP: Host name, Software version, Hardware model, Network interfaces

Performance Monitoring Overview
Currently not natively supported Not supported

Log Analysis Overview

Config Change Monitoring

name, Host, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence etc

syslog (JSON formatted): web log analysis

Over 120 event types

Currently not natively supported

Details
Scanner
Qualys Web Application Firewall Radware DefensePro Rapid7 InsightVM

Rapid7 NeXpose API: Vulnerability Scan results - Scan name, Host, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence etc

SNMP: Uptime, CPU / Memory / Network Interface / Disk space metrics, Process cpu/memory utilization; SNMP: Hardware Status SNMP: Bandwidth metrics: (Inbound/Outbound Optimized Bytes - LAN side, WAN side; Connection metrics: Optimized/Pass through / Halfopen optimized connections etc); SNMP: Top Usage metrics: Top source, Top destination, Top Application, Top Talker; SNMP:

SNMP Trap: About 115 event types covering software errors, hardware errors, admin login, performance issues - cpu, memory, peer latency issues ; Netflow: Connection statistics

Rapid7 NeXpose Vulnerability Scanner
Riverbed SteelHead WAN Accelerator

FortiSIEM 6.1.1 External Systems Configuration Guide

46

Fortinet Technologies Inc.

Supported Devices and Applications by Vendor

Vendor

Model

Redhat

Linux

Redhat

JBOSS Application Server

Redhat

DHCP Server

Ruckus

Wireless LAN

Security Onion Zeek (Bro)

SentinelOne

SentinelOne

Snort

IPS

Discovery Overview

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

Peer status: For every peer: State, Connection failures, Request timeouts, Max latency

SNMP: OS, Hardware, Software, Processes, Open Ports ; SSH: Hardware details, Linux distribution

SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start, Port up/down ; SSH: Disk I/O, Paging

Syslog: Situations covering Authentication Success/Failure, Privileged logons, User/Group Modification SSH: File integrity monitoring, Command output monitoring, Target file monitoring Agent: File integrity monitoring

SSH: File integrity monitoring, Target file monitoring Agent: File integrity monitoring

SNMP: Process level CPU/Memory usage

JMX: CPU metrics, Memory

;

metrics, Servlet metrics, Database

pool metrics, Thread pool metrics,

Application level metrics, EJB

metrics

SNMP: Process level CPU/Memory usage

Syslog: DHCP address release/renew events

SNMP: Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points

SNMP: Controller Uptime, Controller Network Interface metrics, Controller WLAN Statistics, Access Point Statistics, SSID performance Stats

Discovered via LOG only

Not natively supported - Custom monitoring needed

Syslog JSON format: 6 event types parsed

Currently not natively supported

Discovered via LOG only

Not natively supported. Custom monitoring needed.

System and security events (e.g. file blocked)

Currently not natively supported

SNMP:

Syslog: Over 40K IPS

Details
Linux Server
Redhat JBOSS Linux DHCP Ruckus WLAN
Zeek (Bro) Installed on Security Onion SentinelOne Snort IPS

FortiSIEM 6.1.1 External Systems Configuration Guide

47

Fortinet Technologies Inc.

Supported Devices and Applications by Vendor

Vendor
Sophos Sophos Squid
SSH Com Security Stormshield Symantec
Tanium Tenable Tigera TrendMicro TrendMicro

Model

Discovery Overview

Performance Monitoring Overview

Process level CPU/Memory usage

Central

Host name and Device type

Sophos Endpoint Security and Control

Not supported

Web Proxy

SNMP: Process level CPU/Memory usage

CryptoAuditor

LOG Discovery

Currently not natively supported

Network Security

Not natively supported

Symantec Endpoint Protection

Not natively supported

Connect Tenable.io Calico Deep Discovery

Host name and Device type
Host name and Device type
Not natively supported
Discovered via LOG only

Not supported
Not supported
Not natively supported Not natively supportedCustom monitoring needed.

Deep Security

Log Analysis Overview

Config Change Monitoring

Details

Alerts DBC: Over 40K IPS Alerts - additional details including TCP/UDP/ICMP header and payload in the attack packet

Not supported Sophos Central

SNMP Trap: Endpoint events including Malware found/deleted, DLP events

Sophos Endpoint Security and Control

Syslog: W3C formatted access logs - per HTTP (S) connection: Sent Bytes, Received Bytes, Connection Duration

Squid Web Proxy

Many event types

Currently not natively supported

SSH Com Security CryptoAuditor

Firewall logs

Not natively supported

Stormshield Network Security

Syslog: Over 5000 event types covering end point protection events malware/spyware/adwar e, malicious events

Symantec Endpoint Protection

Not supported Tanium Connect

Not supported Tenable.io

Flow, Audit and DNS logs Malicious file detection
Syslog: Over 10 event

Not natively supported

Tigera Calico

Currently not natively supported

TrendMicro Deep Discovery

Not supported

FortiSIEM 6.1.1 External Systems Configuration Guide

48

Fortinet Technologies Inc.

Supported Devices and Applications by Vendor

Vendor
TrendMicro TrendMicro TrendMicro Vasco VMware
VMware VMware WatchGuard Websense YXLink

Model

Discovery Overview

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

Manager

types covering end point protection events

Interscan Web Filter

LOG Discovery

Currently not natively supported 15 event Types

Currently not natively supported

Intrusion Defense Firewall (IDF)

Syslog: Over 10 event types covering end point firewall events

Office scan

SNMP Trap: Over 30 event types covering end point protection events malware/spyware/adwar e, malicious events

DigiPass

Syslog - Successful and Failed Authentications, Successful and Failed administrative logons

VMware ESX and VCenter

VMWare SDK: Entire VMware hierarchy and dependencies - Data Center, Resource Pool, Cluster, ESX and VMs

VMWare SDK: VM level: CPU, Memory, Disk, Network, VMware tool status VMWare SDK: ESX level: CPU, Memory, Disk, Network, Data store VMWare SDK: ESX level: Hardware Status VMWare SDK: Cluster level: CPU, Memory, Data store, Cluster Status VMWare SDK: Resource pool level: CPU, Memory

VMWare SDK: Over 800 VCenter events covering account creation, VM creation, DRS events, hardware/software errors

vShield

Syslog: Over 10 events covering permitted and denied connections, detected attacks

VCloud Network and Security (vCNS) Manager

Syslog: Over 10 events covering various activities

Firebox Firewall

Syslog: Over 20 firewall event types

Web Filter

Syslog: Over 50 web filtering events and web traffic logs

Vulnerability Scanner

Details
TrendMicro Interscan Web Filter Trend Micro IDF Trend Micro OfficeScan Vasco DigiPass
WatchGuard Firebox Firewall Websense Web Filter YXLink Vulnerability

FortiSIEM 6.1.1 External Systems Configuration Guide

49

Fortinet Technologies Inc.

Supported Devices and Applications by Vendor

Vendor

Model

Discovery Overview

Performance Monitoring Overview

Log Analysis Overview

Config Change Monitoring

Details Scanner

FortiSIEM 6.1.1 External Systems Configuration Guide

50

Fortinet Technologies Inc.

Applications
This section describes how to configure applications for discovery and for providing information to FortiSIEM.
- Application Server
- Authentication Server
- Database Server
- DHCP and DNS Server
- Directory Server
- Document Management Server
- Healthcare IT
- Mail Server
- Management Server/Appliance
- Remote Desktop
- Source Code Control
- Unified Communication Server
- Web Server


Application Server
FortiSIEM supports the discovery and monitoring of these application servers.
- Apache Tomcat
- IBM WebSphere
- Microsoft ASP.NET
- Oracle GlassFish Server
- Oracle WebLogic
- Redhat JBOSS


Apache Tomcat
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
- Sample Event for Tomcat Metrics

What is Discovered and Monitored

Protocol: JMX
  Metrics collected:
    Generic information: Application version, Application port
    Availability metrics: Uptime, Application Server State
    CPU metrics: CPU utilization
    Memory metrics: Total memory, Free memory, Memory utilization, Virtual committed memory, Total Swap Memory, Free Swap Memory, Swap memory utilization, Heap Utilization, Heap Used Memory, Heap max memory, Heap commit memory, Non-heap Utilization, Non-heap used memory, Non-heap max memory, Non-heap commit memory
    Servlet metrics: Web application name, Servlet Name, Count allocated, Total requests, Request errors, Load time, Avg Request Processing time
    Session metrics: Web context path, Peak active sessions, Current active sessions, Duplicate sessions, Expired sessions, Rejected sessions, Average session lifetime, Peak session lifetime, Session processing time, Session create rate, Session expire rate, Process expire frequency, Max session limited, Max inactive Interval
    Database metrics: Web context path, Data source, Database driver, Peak active sessions, Current active sessions, Peak idle sessions, Current idle sessions
    Thread pool metrics: Thread pool name, Application port, Total threads, Busy threads, Keep alive threads, Max threads, Thread priority, Thread pool daemon flag
    Request processor metrics: Request processor name, Received Bytes, Sent Bytes, Average Request Process time, Max Request Processing time, Request Rate, Request Errors
  Used for: Performance Monitoring

Event Types
In ADMIN > Device Support > Event, search for "tomcat" in the Device Type and Description column to see the event types associated with this device.

Reports
In RESOURCE > Reports, search for "tomcat" in the Name column to see the reports associated with this application or device.
Configuration
JMX
Add the necessary parameters to the Tomcat startup script.
Windows
Modify the file ${CATALINA_BASE}\bin\catalina.bat by adding these JVM arguments before the comment: rem ----Execute The Requested Command ------
JMX Configuration for Windows
set JAVA_OPTS=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=${Your JMX Port} -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.access.file=jmxremote.access -Dcom.sun.management.jmxremote.password.file=jmxremote.password
Linux
Modify the file ${CATALINA_BASE}/bin/catalina.sh by adding these JVM arguments before the comment: # ----Execute The Requested Command ------
JMX Configuration for Linux
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote \
  -Dcom.sun.management.jmxremote.port=${Your JMX Port} \
  -Dcom.sun.management.jmxremote.authenticate=true \
  -Dcom.sun.management.jmxremote.ssl=false \
  -Dcom.sun.management.jmxremote.access.file=jmxremote.access \
  -Dcom.sun.management.jmxremote.password.file=jmxremote.password"
1. Edit the access authorization file jmxremote.access:
   monitorRole readonly
   controlRole readwrite
2. Edit the password file jmxremote.password (the first column is the user name and the second column is the password). FortiSIEM only needs monitor access.
   monitorRole <FortiSIEMUserName>
   controlRole <userName>
3. In Linux, set permissions for the jmxremote.access and jmxremote.password files so that they are read-only and accessible only by the Tomcat operating system user.
   chmod 600 jmxremote.access
   chmod 600 jmxremote.password
You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
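The JMX flags and file permissions above are what FortiSIEM's JMX collector depends on. The following script is an added example, not Fortinet's or Tomcat's code: it reads the JAVA_OPTS line from catalina.sh or catalina.bat, reports settings that deviate from the guide's values, and checks that jmxremote.access / jmxremote.password are mode 0600. The port 9218 in the constructed sample (the port seen in the sample events below) and the weakened variant are assumptions.

```python
"""Audit the com.sun.management.jmxremote settings used for Tomcat monitoring.

Added example; not Fortinet's or Tomcat's code. It reads a JAVA_OPTS line from
catalina.sh / catalina.bat, checks the flags the guide requires, and verifies
that jmxremote.access and jmxremote.password are private to the Tomcat user.
"""
import os
import re
import stat
import tempfile

JMX_PREFIX = "com.sun.management.jmxremote"
# -Dcom.sun.management.jmxremote[.setting][=value]; a value stops at whitespace,
# a closing quote or the backslash of a shell line continuation (Linux form).
FLAG_RE = re.compile(r"-D" + re.escape(JMX_PREFIX) + r"(\.[\w.]+)?(?:=([^\s\"\\]+))?")


def parse_jmx_opts(java_opts: str) -> dict:
    """Return {setting: value}; the bare -Dcom.sun.management.jmxremote is key ''."""
    opts = {}
    for setting, value in FLAG_RE.findall(java_opts):
        opts[setting.lstrip(".")] = value if value else "true"
    return opts


def audit_jmx_opts(opts: dict) -> list:
    """Findings for settings that deviate from the guide's JMX configuration."""
    findings = []
    if opts.get("") != "true":
        findings.append("remote JMX agent not enabled (-Dcom.sun.management.jmxremote missing)")
    port = opts.get("port", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("jmxremote.port is not a valid TCP port: %r" % port)
    # Once the agent is enabled the JDK defaults authenticate and ssl to true.
    if opts.get("authenticate", "true") != "true":
        findings.append("jmxremote.authenticate=false: anyone reaching the port gets MBean access")
    for name in ("access.file", "password.file"):
        if not opts.get(name):
            findings.append("jmxremote.%s not set" % name)
    if opts.get("ssl", "true") == "false":
        findings.append("jmxremote.ssl=false (the guide's setting): the JMX credentials cross "
                        "the network in clear text, so restrict the port to the FortiSIEM collector")
    return findings


def check_private_file(path: str, owner_uid=None) -> bool:
    """True when path exists with mode exactly 0600 (and owner_uid, when given)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_IMODE(st.st_mode) == 0o600 and (owner_uid is None or st.st_uid == owner_uid)


def demo_file_check() -> tuple:
    """Write a 0600 and a 0644 jmxremote.password-style file and check both."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for mode in (0o600, 0o644):
            path = os.path.join(tmp, "jmxremote.password.%o" % mode)
            with open(path, "w") as fh:
                fh.write("monitorRole <FortiSIEMUserName>\n")  # the guide's placeholder line
            os.chmod(path, mode)
            results.append(check_private_file(path, os.getuid() if hasattr(os, "getuid") else None))
    return tuple(results)


# Constructed: the guide's Linux JAVA_OPTS line with ${Your JMX Port} filled in as 9218.
GUIDE_LINUX_OPTS = (
    'JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote \\\n'
    '  -Dcom.sun.management.jmxremote.port=9218 \\\n'
    '  -Dcom.sun.management.jmxremote.authenticate=true \\\n'
    '  -Dcom.sun.management.jmxremote.ssl=false \\\n'
    '  -Dcom.sun.management.jmxremote.access.file=jmxremote.access \\\n'
    '  -Dcom.sun.management.jmxremote.password.file=jmxremote.password"'
)
# Constructed: a weakened variant that the audit should reject.
WEAK_OPTS = ("-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9218 "
             "-Dcom.sun.management.jmxremote.authenticate=false")

if __name__ == "__main__":
    for label, text in (("guide", GUIDE_LINUX_OPTS), ("weak", WEAK_OPTS)):
        print(label, audit_jmx_opts(parse_jmx_opts(text)) or ["OK"])
    print("mode 0600 / 0644 files private:", demo_file_check())
```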

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your Apache Tomcat application server over JMX:

Setting: Value
Name: Enter a name for the credential.
Device Type: Apache Apache Tomcat
Access Protocol: JMX
Pull Interval (minutes): 5
Port: 0
User Name: The user you created in step 2
Password: The password you created in step 2

Sample Event for Tomcat Metrics
<134>Jan 22 01:57:32 10.1.2.16 java: [PH_DEV_MON_TOMCAT_CPU]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218, [appVersion]=Apache Tomcat/7.0.27,[appServerState]=STARTED,[sysUpTime]=2458304,[cpuUtil]=0
<134>Jan 22 01:57:32 10.1.2.16 java: [PH_DEV_MON_TOMCAT_MEMORY]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218, [appVersion]=Apache Tomcat/7.0.27,[appServerState]=STARTED,[freeMemKB]=116504, [freeSwapMemKB]=2974020,[memTotalMB]=4095,[swapMemTotalMB]=8189,[virtMemCommitKB]=169900, [memUtil]=98,[swapMemUtil]=65,[heapUsedKB]=18099,[heapMaxKB]=932096,[heapCommitKB]=48896, [heapUtil]=37,[nonHeapUsedKB]=22320,[nonHeapMaxKB]=133120,[nonHeapCommitKB]=24512, [nonHeapUtil]=91
<134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_SERVLET]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218, [appVersion]=Apache Tomcat/7.0.27,[webAppName]=//localhost/host-manager, [servletName]=HTMLHostManager,[countAllocated]=0,[totalRequests]=0,[reqErrors]=0, [loadTime]=0,[reqProcessTimeAvg]=0,[maxInstances]=20,[servletState]=STARTED
<134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_SESSION]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218, [appVersion]=Apache Tomcat/7.0.27,[webContextPath]=/host-manager,[activeSessionsPeak]=0, [activeSessions]=0,[duplicateSession]=0,[expiredSession]=0,[rejectedSession]=0, [sessionLifetimeAvg]=0,[sessionLifetimePeak]=0,[sessionProcessTimeMs]=0, [sessionCreateRate]=0,[sessionExpireRate]=0,[webAppState]=STARTED, [processExpiresFrequency]=6,[maxSessionLimited]=-1,[maxInactiveInterval]=1800
<134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_DB]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218, [appVersion]=Apache Tomcat/7.0.27,[webContextPath]=/host-manager, [dataSource]="jdbc/postgres1",[dbDriver]=org.postgresql.Driver,[activeSessionsPeak]=20, [activeSessions]=0,[idleSessionsPeak]=10,[idleSessions]=0
<134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_THREAD_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX, [destDevPort]=9218,[appVersion]=Apache Tomcat/7.0.27,[threadPoolName]=ajp-apr-18009, [appPort]=18009,[totalThreads]=0,[busyThreads]=0,[keepAliveThreads]=0[maxThreads]=200, [threadPriority]=5,[threadPoolIsDaemon]=true
<134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_REQUEST_PROCESSOR]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,[appVersion]=Apache Tomcat/7.0.27,[reqProcessorName]="http-apr-18080",[recvBytes]=0,[sentBytes]=62748914,[totalRequests]=4481, [reqProcessTimeAvg]=44107,[reqProcessTimeMax]=516,[reqRate]=0,[reqErrors]=7


IBM WebSphere
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

HTTPS Preferred for Monitoring over JMX: IBM WebSphere performance metrics can be obtained via HTTP(S) or JMX. The HTTP(S) based method is highly recommended since it consumes significantly less resources on FortiSIEM.

Protocol: HTTP / HTTP(S)
  Metrics collected:
    Generic information: Application version, Application port
    Availability metrics: Uptime, Application Server State
    CPU metrics: Application server instance, CPU utilization
    Memory metrics: Heap utilization, Heap used memory, Heap free memory, Heap max memory, Heap commit memory
    Servlet metrics: Application name, Web application name, Servlet Name, Invocation count
    Database pool metrics: Application server instance, JDBC provider, Data source, Pool size, Closed connections, Active Connections, Requests wait for connections, Connection use time, Connection factory type, Peak connections
    Thread pool metrics: Application server instance, Thread pool name, Execute threads, Peak execute threads
    Transaction metrics: Application server instance, Active Transaction, Committed Transaction, Rolled back Transaction
    Authentication metrics: Application name, Application server instance, Authentication Method, Count
  Used for: Performance Monitoring

Protocol: JMX
  Metrics collected:
    Generic information: Application version, Application port
    Availability metrics: Uptime, Application Server State
    CPU metrics: Application server instance, CPU utilization
    Memory metrics: Heap utilization, Heap used memory, Heap free memory, Heap max memory, Heap commit memory, Max System dumps on disk, Max heap dumps on disk
    Servlet metrics: Application name, Web application name, Servlet Name, Invocation count, Request errors
    Database pool metrics: Application server instance, JDBC provider, Data source, Pool size, Closed connections, Active Connections, Requests wait for connections, Connection use time, Connection factory type, Peak connections
    Thread pool metrics: Application server instance, Thread pool name, Execute threads, Peak execute threads
    Application level metrics: Application name, Web application name, Application server instance, Web application context root, Active sessions, Peak active sessions
    EJB metrics: Application name, Application server instance, EJB component name
  Used for: Performance Monitoring

Protocol: Syslog
  Used for: Log analysis

Event Types
In ADMIN > Device Support > Event, search for "websphere" in the Description column to see the event types associated with this device.
• PH_DEV_MON_WEBSPHERE_CPU (from HTTPS)
<134>Dec 08 16:11:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_CPU]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-10.1.2.16, [destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1,[cpuUtil]=0, [sysUpTime]=2340206,[appServerState]=RUNNING
• PH_DEV_MON_WEBSPHERE_CPU (from JMX)
<134>Jan 22 02:15:23 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_CPU]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX, [destDevPort]=8880,[appVersion]=IBM WebSphere Application Server 7.0.0.11, [appServerInstance]=server1,[cpuUtil]=0,[sysUpTime]=42206,[appServerState]=STARTED
• PH_DEV_MON_WEBSPHERE_MEMORY (from HTTPS)
<134>Dec 08 16:11:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_MEMORY]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-10.1.2.16, [destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1, [appServerState]=running,[heapFreeKB]=93208,[heapUsedKB]=168936,[heapCommitKB]=232576, [heapMaxKB]=262144,[heapUtil]=72
• PH_DEV_MON_WEBSPHERE_MEMORY (from JMX)
<134>Jan 22 02:15:25 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_MEMORY]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX, [destDevPort]=8880,[appVersion]=IBM WebSphere Application Server 7.0.0.11, [appServerInstance]=server1,[appServerState]=STARTED,[maxSystemDumpsOnDisk]=10, [maxHeapDumpsOnDisk]=10,[heapFreeKB]=48140,[heapUsedKB]=172018,[heapCommitKB]=217815, [heapMaxKB]=262144,[heapUtil]=78
• PH_DEV_MON_WEBSPHERE_APP (from HTTPS)
<134>Dec 08 16:11:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_APP]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-10.1.2.16, [destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1,[appName]=isclite, [webAppName]=ISCAdminPortlet.war,[activeSessions]=0,[activeSessionsPeak]=1
• PH_DEV_MON_WEBSPHERE_APP (from JMX)
<134>Jan 22 02:18:24 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_APP]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX, [destDevPort]=8880,[appVersion]=IBM WebSphere Application Server 7.0.0.11, [appServerInstance]=server1,[appName]=isclite,[webAppName]=isclite.war, [webContextRoot]=admin_host/ibm/console,[activeSessions]=0,[activeSessionsPeak]=1
• PH_DEV_MON_WEBSPHERE_SERVLET (from HTTPS)
<134>Dec 08 16:11:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_SERVLET]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-10.1.2.16,[destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1, [appName]=isclite,[webAppName]=isclite.war, [servletName]=/com.ibm.ws.console.servermanagement/collectionTableLayout.jsp, [invocationCount]=2
• PH_DEV_MON_WEBSPHERE_SERVLET (from JMX)
<134>Jan 22 02:15:24 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_SERVLET]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=8880,[appVersion]=IBM WebSphere Application Server 7.0.0.11, [appServerInstance]=server1,[appName]=isclite,[webAppName]=isclite.war, [servletName]=action,[reqErrors]=0,[invocationCount]=14
• PH_DEV_MON_WEBSPHERE_DB_POOL (from HTTPS)
<134>Dec 08 16:14:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_DB_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-10.1.2.16, [destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1,[jdbcProvider]=Derby JDBC Provider (XA),[dataSource]=jdbc/DefaultEJBTimerDataSource,[poolSize]=0, [closedConns]=0,[activeConns]=0,[waitForConnReqs]=0,[connUseTime]=0
• PH_DEV_MON_WEBSPHERE_DB_POOL (from JMX)
<134>Jan 22 02:15:23 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_DB_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX, [destDevPort]=8880,[appVersion]=IBM WebSphere Application Server 7.0.0.11, [appServerInstance]=server1,[jdbcProvider]=Derby JDBC Provider (XA), [dataSource]=DefaultEJBTimerDataSource,[poolSize]=0,[closedConns]=0,[activeConns]=0, [waitForConnReqs]=0,[connUseTime]=0,[connFactoryType]=,[peakConns]=0
• PH_DEV_MON_WEBSPHERE_THREAD_POOL (from HTTPS)
<134>Dec 08 16:14:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_THREAD_POOL]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-10.1.2.16,[destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1, [threadPoolName]=WebContainer,[executeThreads]=2,[executeThreadPeak]=6
• PH_DEV_MON_WEBSPHERE_THREAD_POOL (from JMX)
<134>Jan 22 02:18:25 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_THREAD_POOL]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=8880,[appVersion]=IBM WebSphere Application Server 7.0.0.11, [appServerInstance]=server1,[threadPoolName]=ORB.thread.pool,[executeThreads]=0, [executeThreadPeak]=0
• PH_DEV_MON_WEBSPHERE_TRANSACTION (from HTTPS)
<134>Dec 08 16:14:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_TRANSACTION]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-10.1.2.16,[destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1, [activeTxCount]=0,[committedTxCount]=3406,[rolledBackTxCount]=0
• PH_DEV_MON_WEBSPHERE_AUTHENTICATION (from HTTPS)
<134>Dec 08 16:14:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_AUTHENTICATION]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-10.1.2.16,[destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1, [authenMethod]=TokenAuthentication,[count]=0
• PH_DEV_MON_WEBSPHERE_EJB (from JMX)
<134>Jan 22 02:15:24 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_EJB]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX, [destDevPort]=8880,[appVersion]=IBM WebSphere Application Server 7.0.0.11, [appServerInstance]=server1,[appName]=SchedulerCalendars, [ejbComponentName]=Calendars.jar
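The sample lines above, and the other PH_DEV_MON_* samples in this chapter, share one layout: an optional syslog header, the event type in square brackets, then [key]=value attributes separated by commas, where a value may itself contain spaces, commas and parentheses (the "Derby JDBC Provider (XA)" and WebLogic version strings). The following Python is an added example written for this guide, not FortiSIEM code: it parses that layout by splitting on the next "[key]=" token rather than on commas, keeps a malformed line from aborting a batch, and flags utilization attributes at or above assumed thresholds. The embedded sample lines are copied from this chapter's event examples (including the headerless ASP.NET line shown later); the threshold values and function names are assumptions.

```python
"""Parse FortiSIEM PH_DEV_MON_* application-server events and flag resource
pressure. Added example for this guide; not FortiSIEM code."""
import re
from typing import Dict, List, Tuple

# Optional syslog prefix as printed in the guide: "<PRI>Mon DD HH:MM:SS reporter tag: ".
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<reporter>\S+) (?P<tag>[^:\s]+): (?P<body>\[.*)$",
    re.DOTALL,
)
# The body starts with the event type in brackets followed by a colon.
_TYPE_RE = re.compile(r"^\[(?P<etype>PH_[A-Z0-9_]+)\]:\s*(?P<attrs>.*)$", re.DOTALL)
# One "[key]=value" pair. The value ends at the next ",[key]=" token (allowing
# wrap whitespace after the comma) or at end of input, never at the first comma,
# so values with embedded commas, spaces or parentheses survive intact.
_ATTR_RE = re.compile(
    r"\[(?P<key>[A-Za-z0-9_]+)\]=(?P<val>.*?)(?=,\s*\[[A-Za-z0-9_]+\]=|$)",
    re.DOTALL,
)


def parse_event(line: str) -> Dict[str, object]:
    """Return header fields, event type and an attribute dict for one event line."""
    line = line.strip()
    header: Dict[str, object] = {"pri": None, "facility": None, "severity": None,
                                 "timestamp": None, "reporter": None}
    body = line
    if line.startswith("<"):                      # syslog-wrapped form
        m = _SYSLOG_RE.match(line)
        if m is None:
            raise ValueError("malformed syslog header: %r" % line[:40])
        pri = int(m.group("pri"))
        header.update(pri=pri, facility=pri >> 3, severity=pri & 7,
                      timestamp=m.group("ts"), reporter=m.group("reporter"))
        body = m.group("body")
    t = _TYPE_RE.match(body)                      # bare "[PH_...]:" form also accepted
    if t is None:
        raise ValueError("no PH_ event type in: %r" % body[:40])
    attrs = {am.group("key"): am.group("val").strip().rstrip(",")
             for am in _ATTR_RE.finditer(t.group("attrs"))}
    return {**header, "event_type": t.group("etype"), "attrs": attrs}


def parse_events(lines) -> Tuple[List[Dict[str, object]], List[str]]:
    """Parse many lines; malformed ones are reported instead of aborting the batch."""
    events: List[Dict[str, object]] = []
    errors: List[str] = []
    for line in lines:
        if not line.strip():
            continue
        try:
            events.append(parse_event(line))
        except ValueError as exc:
            errors.append(str(exc))
    return events, errors


# Assumed alert thresholds in percent; tune to the environment.
DEFAULT_LIMITS = {"cpuUtil": 80, "heapUtil": 75, "nonHeapUtil": 90,
                  "memUtil": 95, "swapMemUtil": 90}


def flag_resource_pressure(events, limits=None) -> List[Tuple[str, str, str, int]]:
    """Return (event_type, host, metric, value) for each utilization at or above its limit."""
    limits = DEFAULT_LIMITS if limits is None else limits
    findings: List[Tuple[str, str, str, int]] = []
    for ev in events:
        attrs = ev["attrs"]
        host = attrs.get("hostName") or attrs.get("hostIpAddr") or "unknown"
        for metric, limit in limits.items():
            raw = attrs.get(metric)
            if raw is None or not raw.isdigit():  # absent or non-numeric: skip
                continue
            if int(raw) >= limit:
                findings.append((ev["event_type"], host, metric, int(raw)))
    return findings


# Constructed input: lines copied from this guide's sample events, wrap spaces
# removed; the WebLogic line keeps its original " ," before appServerInstance.
SAMPLE_EVENTS = [
    '<134>Dec 08 16:14:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_DB_POOL]:[eventSeverity]=PHL_INFO,'
    '[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-10.1.2.16,[destDevPort]=9443,'
    '[appVersion]=8.5.5.3,[appServerInstance]=server1,[jdbcProvider]=Derby JDBC Provider (XA),'
    '[dataSource]=jdbc/DefaultEJBTimerDataSource,[poolSize]=0,[closedConns]=0,[activeConns]=0,'
    '[waitForConnReqs]=0,[connUseTime]=0',
    '<134>Jan 22 02:15:25 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_MEMORY]:[eventSeverity]=PHL_INFO,'
    '[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=8880,'
    '[appVersion]=IBM WebSphere Application Server 7.0.0.11,[appServerInstance]=server1,'
    '[appServerState]=STARTED,[maxSystemDumpsOnDisk]=10,[maxHeapDumpsOnDisk]=10,[heapFreeKB]=48140,'
    '[heapUsedKB]=172018,[heapCommitKB]=217815,[heapMaxKB]=262144,[heapUtil]=78',
    '<134>Jan 22 02:12:20 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_GEN]:[eventSeverity]=PHL_INFO,'
    '[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,'
    '[appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 , [appServerInstance]=examplesServer,'
    '[appServerState]=RUNNING,[sysUpTime]=1358476145,[appPort]=7001,[sslListenPort]=7002,'
    '[listenPortEnabled]=true,[sslListenPortEnabled]=true',
    '<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_MEMORY]:[eventSeverity]=PHL_INFO,'
    '[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,'
    '[appVersion]=6.1.0.Final "Neo",[appServerState]=STARTED,[freeMemKB]=264776,[freeSwapMemKB]=1427864,'
    '[memTotalMB]=4095,[memUtil]=94,[swapMemUtil]=83,[swapMemTotalMB]=8189,[virtMemCommitKB]=1167176,'
    '[heapUsedKB]=188629,[heapMaxKB]=466048,[heapCommitKB]=283840,[heapUtil]=66,[nonHeapUsedKB]=106751,'
    '[nonHeapMaxKB]=311296,[nonHeapCommitKB]=107264,[nonHeapUtil]=99',
    '[PH_DEV_MON_APP_ASPNET_MET]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=4868,'
    '[hostName]=QA-EXCHG,[hostIpAddr]=172.16.10.28,[appGroupName]=Microsoft ASPNET,[aspReqExecTimeMs]=0,'
    '[aspReqCurrent]=0,[aspReqDisconnected]=0,[aspReqQueued]=0,[aspReqRejected]=0,[aspReqWaitTimeMs]=0',
]

if __name__ == "__main__":
    parsed, problems = parse_events(SAMPLE_EVENTS)
    for ev in parsed:
        print(ev["event_type"], ev["attrs"].get("hostName"), len(ev["attrs"]), "attributes")
    for finding in flag_resource_pressure(parsed):
        print("ALERT", finding)
    print("unparsed:", problems)
</test>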

Reports
In RESOURCE > Reports, search for "websphere" in the Name column to see the reports associated with this device.
Configuration
HTTP(S)
Install the perfServletApp Application
1. Log in to your WebSphere administration console.
2. Go to Applications > Application Types > WebSphere enterprise application.
3. Click Install.
4. Select Remote file system and browse to {WebSphere_Home}/AppServer/installableApps/PerfServletApp.ear.
5. Click Next.
The Context Root for the application will be set to /wasPerfTool, but you can edit this during installation.
Configure Security for the Application
1. Go to Security > Global Security.
2. Select Enable application security.
3. Go to Applications > Application Types > WebSphere Enterprise Applications.
4. Select perfServletApp.
5. Click Security role to user/group mapping.
6. Click Map Users/Groups.
7. Use the Search feature to find and select the FortiSIEM user you want to provide with access to the application.
8. Click Map Special Subjects.
9. Select All Authenticated in Application's Realm.
10. Click OK.
Start the Application
1. Go to Applications > Application Types > WebSphere enterprise application.
2. Select perfServletApp.
3. Click Start.
4. In a web browser, launch the application by going to http://<ip>:<port>/wasPerfTool/servlet/perfservlet.

Default HTTP Port
The default port for HTTP is 9080, HTTPS is 9443. You can change these by going to Servers > Server Types > WebSphere application servers > {serverInstance} > Configuration > Ports.
JMX

Configuring the Default JMX Port
By default, your WebSphere application server uses port 8880 for JMX. You can change this by logging in to your application server console and going to Application servers > {Server Name} > Ports > SOAP_CONNECTOR_ADDRESS. The username and password for JMX are the same as the credentials used to log in to the console.

To configure JMX communications between your WebSphere application server and FortiSIEM, you must copy several files from your application server to the WebSphere configuration directory on each FortiSIEM virtual appliance that will be used for discovery and performance monitoring jobs. FortiSIEM does not include these files because of licensing restrictions.

1. Copy these files to the directory /opt/phoenix/config/websphere/ on each Supervisor, Worker, and Collector in your FortiSIEM deployment.

File Type     Location
Client Jars   ${WebSphere_Home}/AppServer/runtimes/com.ibm.ws.admin.client.jar
              ${WebSphere_Home}/AppServer/plugins/com.ibm.ws.security.crypto.jar
SSL files     ${WebSphere_Home}/AppServer/profiles/${Profile_Name}/etc/DummyClientKeyFile.jks
              ${WebSphere_Home}/AppServer/profiles/${Profile_Name}/etc/DummyClientTrustFile.jks

2. Install IBM JDK 1.6 or higher in the location /opt/phoenix/config/websphere/java on each Supervisor, Worker, and Collector in your FortiSIEM deployment.

You can now configure FortiSIEM to communicate with your device by following the instructions in the User Guide > Section: Setting Credentials, and then initiate discovery of the device as described in the topics under Discovery Settings.
Settings for Access Credentials
Use these Access Method Definition options to let FortiSIEM access your IBM WebSphere device over HTTPS and SNMP. When you set the Device Credential Mapping Definition, make sure to map both the HTTPS and SNMP credentials to the same IP address for your WebSphere device.

HTTPS

Setting          Value
Name             websphere_https
Device Type      IBM Websphere App Server
Access Protocol  HTTPS
Port             9443
URL              /wasPerfTool/servlet/perfservlet
User Name        The user name that you provided with access to the application
Password         The password associated with the user that has access to the application

Settings for IBM Websphere SNMP Access Credentials
Use these Access Method Definition settings to let FortiSIEM access your IBM Websphere device over SNMP. When you set the Device Credential Mapping Definition, make sure to map both the HTTPS and SNMP credentials to the same IP address for your Websphere device.

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting           Value
Name              <set name>
Device Type       Generic
Access Protocol   SNMP
Community String  <your own>


Settings for IBM Websphere JMX Access Credentials

Use these Access Method Definition settings to let FortiSIEM access your IBM Websphere device over JMX.

Setting                  Value
Name                     websphere
Device Type              IBM Websphere App Server
Access Protocol          JMX
Pull Interval (minutes)  5
Port                     8880
User Name                The administrative user for the application server
Password                 The password associated with the administrative user


Microsoft ASP.NET
• What is Discovered and Monitored
• Configuration
• Sample Event for ASP.NET Metrics

What is Discovered and Monitored

Protocol: WMI
Metrics collected: Request Execution Time, Request Wait Time, Current Requests, Disconnected Requests, Queued requests
Used for: Performance Monitoring

Event Types
In ADMIN > Device Support > Event, search for "asp.net" in the Description column to see the event types associated with this device.
Reports
In RESOURCE > Reports, search for "asp.net" in the Name column to see the reports associated with this application or device.
Configuration
WMI
See WMI Configurations in the Microsoft Windows Server Configuration section.
Sample Event for ASP.NET Metrics
[PH_DEV_MON_APP_ASPNET_MET]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=4868,[hostName]=QA-EXCHG,[hostIpAddr]=172.16.10.28, [appGroupName]=Microsoft ASPNET,[aspReqExecTimeMs]=0,[aspReqCurrent]=0, [aspReqDisconnected]=0,[aspReqQueued]=0,[aspReqRejected]=0,[aspReqWaitTimeMs]=0


Oracle GlassFish Server
• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials
• Sample Event for Glassfish Metrics
What is Discovered and Monitored

Protocol: JMX
Metrics collected:
  Generic information: Application version, Application port
  Availability metrics: Uptime, Application Server State
  CPU metrics: CPU utilization
  Memory metrics: Total memory, Free memory, Memory utilization, Virtual committed memory, Total Swap Memory, Free Swap Memory, Swap memory utilization, Heap Utilization, Heap Used Memory, Heap max memory, Heap commit memory, Non-heap Utilization, Non-heap used memory, Non-heap max memory, Non-heap commit memory
  Servlet metrics: Web application name, Servlet Name, Count allocated, Total requests, Request errors, Avg Request Processing time
  Session metrics: Web context path, Peak active sessions, Current active sessions, Duplicate sessions, Expired sessions, Rejected sessions, Average session lifetime, Peak session lifetime, Session processing time, Session create rate, Session expire rate, Process expire frequency, Max session limited, Max inactive Interval
  Database metrics: Data source
  Thread pool metrics: Current live threads, Max live threads
  Request processor metrics: Request processor name, Received Bytes, Sent Bytes, Total requests, Average Request Process time, Max Request Processing time, Request Rate, Request Errors, Max open connections, Current open connections, Last Request URI, Last Request method, Last Request completion time
  Application level metrics: Cache TTL, Max cache size, Average request processing time, App server start time, Cookies allowed flag, Caching allowed flag, Linking allowed flag, Cross Context Allowed flag
  EJB metrics: EJB component name, EJB state, EJB start time
  Connection metrics: Request processor name, HTTP status code, HTTP total accesses
Used for: Performance Monitoring

Event Types
In ADMIN > Device Support > Event, search for "glassfish" in the Description column to see the event types associated with this device.
Reports
In RESOURCE > Reports, search for "glassfish" in the Name column to see the reports associated with this application or device.
Configuration
JMX
1. The default JMX port used by Oracle GlassFish is 8686. If you want to change it, modify the jmx-connector node in the file ${GlassFish_Home}\domains\${Domain_Name}\config\domain.xml.
2. The username and password for JMX are the same as for the web console.

You can now configure FortiSIEM to communicate with your device by following the instructions in "Discovery Settings" and "Setting Credentials" in the User Guide.
Settings for Oracle GlassFish JMX Access Credentials
Use these Access Method Definition settings to allow FortiSIEM to access your Oracle GlassFish device over JMX.

Setting                  Value
Name                     glassfish
Device Type              SUN Glassfish App Server
Access Protocol          JMX
Pull Interval (minutes)  5
Port                     8686
User Name                The administrative user for the application server
Password                 The password associated with the administrative user

Sample Event for Glassfish Metrics
<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_APP]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201, [destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[webContextRoot]=, [webAppState]=RUNNING,[cacheMaxSize]=10240,[cacheTTL]=5000,[reqProcessTimeAvg]=0, [startTime]=1358755971,[cookiesAllowed]=true,[cachingAllowed]=false,[linkingAllowed]=false, [crossContextAllowed]=true
<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_CPU]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201, [destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[sysUpTime]=35266, [cpuUtil]=60
<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_MEMORY]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201, [destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02, [freeMemKB]=479928,[freeSwapMemKB]=6289280,[memTotalMB]=16051,[memUtil]=98,[swapMemUtil]=1, [swapMemTotalMB]=6142,[virtMemCommitKB]=4025864,[heapUsedKB]=1182575,[heapMaxKB]=3106432, [heapCommitKB]=3106432,[heapUtil]=38,[nonHeapUsedKB]=193676,[nonHeapMaxKB]=311296, [nonHeapCommitKB]=277120,[nonHeapUtil]=69
<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_SESSION]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201, [destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02, [webContextPath]=/__JWSappclients,[activeSessionsPeak]=0,[duplicateSession]=0, [activeSessions]=0,[expiredSession]=0,[rejectedSession]=0,[sessionProcessTimeMs]=85, [sessionLifetimeAvg]=0,[sessionLifetimePeak]=0,[maxSessionLimited]=-1, [maxInactiveInterval]=1800
<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_SERVLET]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201, [destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02, [webAppName]=phoenix,[webAppState]=RUNNING,[servletName]=DtExportServlet,[totalRequests]=0, [reqErrors]=0,[reqProcessTimeAvg]=0
<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_CONN_STAT]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201, [destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02, [reqProcessorName]=http8181,[httpStatusCode]=304,[httpTotalAccesses]=0
<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_EJB]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201, [destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02, [ejbComponentName]=phoenix-domain-1.0.jar,[ejbState]=RUNNING,[startTime]=1358755963,
<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_JMS]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201, [destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02, [jmsSource]=jms/RequestQueue
<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_REQUEST_PROCESSOR]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02, [reqProcessorName]=http4848,[recvBytes]=0,[sentBytes]=0,[totalRequests]=0,[reqRate]=0, [reqProcessTimeAvg]=0,[reqProcessTimeMax]=0,[maxOpenConnections]=0,[lastRequestURI]=null, [lastRequestMethod]=null,[lastRequestCompletionTime]=0,[openConnectionsCount]=0, [reqErrors]=0
<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_THREAD_POOL]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02, [liveThreads]=106,[liveThreadsMax]=138
<134>Jan 22 02:06:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_DB_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201, [destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02, [dataSource]=jdbc/phoenixDS


Oracle WebLogic
• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials
• Sample Event for WebLogic Metrics
What is Discovered and Monitored

Protocol: JMX
Metrics collected:
  Generic information: Application version, Application port, SSL listen port, Listen port enabled flag, SSL listen port enabled
  Availability metrics: Uptime, Application Server State
  Memory metrics: Total memory, Free memory, Used memory, Memory utilization, Heap utilization, Heap used memory, Heap max memory, Heap commit memory, Total nursery memory
  Servlet metrics: Application name, App server instance, Web application name, Web context name, Servlet name, Invocation count, Servlet execution time
  Database pool metrics: Application name, App server instance, Data source, Active connection count, Connection limit, Leaked connections, Reserve requests, Requests wait for connections
  Thread pool metrics: App server instance, Completed requests, Execute threads, Pending requests, Standby threads, Total threads
  EJB metrics: EJB component name, EJB state, EJB idle beans, EJB used beans, EJB pooled beans, EJB Waiter threads, EJB committed Transactions, EJB timedout transactions, EJB rolledback transactions, EJB activations, EJB Passivations, EJB cache hits, EJB cache misses, EJB cache accesses, EJB cache hit ratio
  Application level metrics: Application name, App server instance, Web application name, Web context root, Peak active sessions, Current active sessions, Total active sessions, Servlet count, Single threaded servlet pool count,
Used for: Performance Monitoring

Event Types
In ADMIN > Device Support > Event, search for "WebLogic" in the Description column to see the event types associated with this device.

Reports
In RESOURCE > Reports, search for "WebLogic" in the Name column to see the reports associated with this application or device.
Configuration
JMX
Enable and Configure Internet Inter-ORB Protocol (IIOP)
1. Log in to the administration console of your WebLogic application server.
2. In the Change Center of the administration console, click Lock & Edit.
3. In the left-hand navigation, expand Environment and select Servers.
4. Click the Protocols tab, then select IIOP.
5. Select Enable IIOP.
6. Expand the Advanced options.
7. For Default IIOP Username and Default IIOP Password, enter the username and password that you will use as the access credentials when configuring FortiSIEM to communicate with your application server.

Enable IIOP Configuration Changes
1. Go to the Change Center of the administration console.
2. Click Activate Changes.

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your Oracle WebLogic application server over JMX.
The port for JMX is the same as the web console, and the default value is 7001.

Setting                  Value
Name                     weblogic
Device Type              Oracle WebLogic App Server
Access Protocol          JMX
Pull Interval (minutes)  5
Port                     7001
User Name                The administrative user you created in step 7.
Password                 The password you created in step 7.

Sample Event for WebLogic Metrics
<134>Jan 22 02:12:20 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_GEN]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001, [appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 , [appServerInstance]=examplesServer,[appServerState]=RUNNING,[sysUpTime]=1358476145, [appPort]=7001,[sslListenPort]=7002,[listenPortEnabled]=true,[sslListenPortEnabled]=true
<134>Jan 22 02:12:20 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_MEMORY]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001, [appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 , [appServerInstance]=examplesServer,[appServerState]=RUNNING,[heapUsedKB]=153128, [heapCommitKB]=262144,[heapFreeKB]=109015,[heapUtil]=59,[heapMaxKB]=524288, [usedMemKB]=4086224,[freeMemKB]=107624,[memTotalMB]=4095,[memUtil]=97,[nurserySizeKB]=88324
<134>Jan 22 02:12:22 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_SERVLET]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001, [appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 , [appServerInstance]=examplesServer,[appName]=consoleapp,[webAppName]=examplesServer_/console,[servletName]=/framework/skeletons/wlsconsole/placeholder.jsp, [webContextRoot]=/console,[invocationCount]=1094,[servletExecutionTimeMs]=63
<134>Jan 22 02:15:24 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_DB_POOL]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001, [appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 , [appServerInstance]=examplesServer,[appName]=examples-demoXA-2,[dataSource]=examples-demoXA-2,[activeConns]=0,[connLimit]=1,[leakedConns]=0,[reserveRequests]=0,[waitForConnReqs]=0
<134>Jan 22 02:12:20 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_THREAD_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX, [destDevPort]=7001,[appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 , [appServerInstance]=examplesServer,[completedRequests]=14066312,[executeThreads]=7, [pendingRequests]=0,[standbyThreads]=5,[totalThreads]=43
<134>Jan 22 02:12:20 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_EJB]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001, [appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 , [appServerInstance]=examplesServer,[ejbComponentName]=ejb30,[ejbIdleBeans]=0, [ejbUsedBeans]=0,[ejbPooledBeans]=0,[ejbWaiter]=0,[ejbCommitTransactions]=0, [ejbTimedOutTransactions]=0,[ejbRolledBackTransactions]=0,[ejbActivations]=0, [ejbPassivations]=0,[ejbCacheHits]=0,[ejbCacheMisses]=0,[ejbCacheAccesses]=0, [ejbCacheHitRatio]=0
<134>Jan 22 02:12:23 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_APP]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001, [appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 , [appServerInstance]=examplesServer,[appName]=webservicesJwsSimpleEar, [webAppName]=examplesServer_/jws_basic_simple,[webContextRoot]=/jws_basic_simple, [activeSessions]=0,[activeSessionsPeak]=0,[activeSessionTotal]=0,[numServlet]=4, [singleThreadedServletPool]=5


Redhat JBOSS
• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials
• Sample Event for JBOSS Metrics
What is Discovered and Monitored

Protocol: JMX
Metrics collected:
  Generic information: Application version, Application port
  Availability metrics: Uptime, Application Server State
  CPU metrics: Application server instance, CPU utilization
  Memory metrics: Heap utilization, Heap used memory, Heap free memory, Heap max memory, Heap commit memory, Max System dumps on disk, Max heap dumps on disk
  Servlet metrics: Application name, Web application name, Servlet Name, Invocation count, Request errors
  Database pool metrics: Application server instance, JDBC provider, Data source, Pool size, Closed connections, Active Connections, Requests wait for connections, Connection use time, Connection factory type, Peak connections
  Thread pool metrics: Application server instance, Thread pool name, Execute threads, Peak execute threads
  Application level metrics: Application name, Web application name, Application server instance, Web application context root, Active sessions, Peak active sessions
  EJB metrics: Application name, Application server instance, EJB component name
Used for: Performance Monitoring

Event Types
In ADMIN > Device Support > Event, search for "jboss" in the Description column to see the event types associated with this device.
Reports
In RESOURCE > Reports, search for "jboss" in the Name column to see the reports associated with this application or device.


Configuration

Configuring JMX on the JBOSS Application Server

Changing the Default JMX Port

The default port for JMX is 1090. If you want to change it, modify the file ${JBoss_Home}\server\default\conf\bindingservice.beans\META-INF\bindings-jboss-beans.xml.

<bean class="org.jboss.services.binding.ServiceBindingMetadata">
  <property name="serviceName">jboss.remoting:service=JMXConnectorServer,protocol=rmi</property>
  <property name="port">1090</property>
  <property name="description">RMI/JRMP socket for connecting to the JMX MBeanServer</property>
</bean>

1. Enable the authentication security check. Open the file ${JBoss_Home}\server\default\deploy\jmx-jboss-beans.xml, find the JMXConnector bean, and uncomment the securityDomain property.

<bean name="JMXConnector" class="org.jboss.system.server.jmx.JMXConnector">
  <!-- configuration properties -->
  <!-- To enable authentication security checks, uncomment the following -->
  <!-- UNCOMMENT THIS -->
  <property name="securityDomain">jmx-console</property>

2. Modify the file ${JBoss_Home}\server\default\conf\props\jmx-console-roles.properties to configure the JMX administrator role.

admin=JBossAdmin,HttpInvoker

3. Modify the file ${JBoss_Home}\server\default\conf\props\jmx-console-users.properties to configure the username and password for JMX.

admin=yourpassword

4. Configure DNS resolution for the JBOSS application server on your FortiSIEM Supervisor, Workers, and Collectors by adding the IP address and DNS name of the JBOSS application server to their /etc/hosts files. If DNS is already configured to resolve the JBOSS application server name, you can skip this step.
5. Start JBoss.

${JBoss_Home}/bin/run.sh -b 0.0.0.0
or
${JBoss_Home}/bin/run.sh -b ${Binding IP}
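Steps 2 and 3 above tie a user entry in jmx-console-users.properties to a role entry in jmx-console-roles.properties, and the securityDomain uncommented in step 1 is what makes JBoss consult those files for JMX logins. A user present in one file but not the other, or still carrying the placeholder password from the sample, is worth catching before discovery is attempted. The following Python is an added example written for this guide (not JBoss or FortiSIEM code) that cross-checks the two files. Its file contents are constructed from the guide's one-line samples with extra entries to exercise each check; the placeholder-password list, the required role default and the function names are assumptions.

```python
"""Cross-check the JBoss jmx-console users and roles property files.
Added example for this guide; not JBoss or FortiSIEM code."""
from typing import Dict, List, Set

# Constructed file contents modelled on the guide's samples
# (admin=yourpassword and admin=JBossAdmin,HttpInvoker) plus entries
# added here to exercise each check.
USERS_PROPERTIES = """\
# jmx-console-users.properties  (user=password)
admin=yourpassword
fortisiem=Xk7-example-only
monitor=
"""
ROLES_PROPERTIES = """\
# jmx-console-roles.properties  (user=role1,role2)
admin=JBossAdmin,HttpInvoker
fortisiem=JBossAdmin
stale=JBossAdmin
"""
# Assumed list of values that indicate a password was never set.
PLACEHOLDER_PASSWORDS = {"yourpassword", "password", "admin", "changeme"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value per line, '#' or '!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")   # a line without '=' yields an empty value
        props[key.strip()] = value.strip()
    return props


def audit_jmx_console(users_text: str, roles_text: str,
                      required_role: str = "JBossAdmin") -> List[str]:
    """Return one finding per problem; an empty list means the two files agree."""
    users = parse_properties(users_text)
    roles: Dict[str, Set[str]] = {
        user: {r.strip() for r in value.split(",") if r.strip()}
        for user, value in parse_properties(roles_text).items()
    }
    findings: List[str] = []
    for user, password in users.items():
        if not password:
            findings.append(f"{user}: empty password")
        elif password.lower() in PLACEHOLDER_PASSWORDS:
            findings.append(f"{user}: placeholder password still set")
        if required_role not in roles.get(user, set()):
            findings.append(f"{user}: not mapped to {required_role} in roles file")
    for user in roles:
        if user not in users:
            findings.append(f"{user}: role mapping has no matching user entry")
    return findings


if __name__ == "__main__":
    for finding in audit_jmx_console(USERS_PROPERTIES, ROLES_PROPERTIES):
        print(finding)
```

Run it against the real files by reading them into the two string arguments; the "stale" case matters because a role mapping left behind after a user is removed silently grants the role again the moment the user name is recreated.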

Configuring FortiSIEM to Use the JMX Protocol with JBOSS Application Server

To configure JMX communications between your JBOSS application server and FortiSIEM, you must copy several files from your application server to the JBOSS configuration directory for each FortiSIEM virtual appliance that will be used for discovery and performance monitoring jobs. FortiSIEM does not include these files because of licensing restrictions.

JBOSS Version      Files to Copy
4.x, 5.x, 6.x      Copy ${JBoss_Home}/lib/jbossbootstrapapi.jar to /opt/phoenix/config/JBoss/
7.0                No copying is necessary
7.1                Copy ${JBoss_Home}/bin/client/jboss-client.jar to /opt/phoenix/config/JBoss/

You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your Redhat JBOSS device over JMX:

Name: jboss
Device Type: Redhat JBOSS App Server
Access Protocol: JMX
Pull Interval (minutes): 5
Port: 8880
User Name: The user you created in step 2
Password: The password you created for the user in step 3

Sample Event for JBOSS Metrics
<134>Feb 06 11:38:35 10.1.2.16 java: [PH_DEV_MON_JBOSS_CPU]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090, [appVersion]=6.1.0.Final "Neo",[appServerState]=STARTED,[sysUpTime]=6202359,[cpuUtil]=2

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_MEMORY]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090, [appVersion]=6.1.0.Final "Neo",[appServerState]=STARTED,[freeMemKB]=264776, [freeSwapMemKB]=1427864,[memTotalMB]=4095,[memUtil]=94,[swapMemUtil]=83, [swapMemTotalMB]=8189,[virtMemCommitKB]=1167176,[heapUsedKB]=188629,[heapMaxKB]=466048, [heapCommitKB]=283840,[heapUtil]=66,[nonHeapUsedKB]=106751,[nonHeapMaxKB]=311296, [nonHeapCommitKB]=107264,[nonHeapUtil]=99

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_APP]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090, [appVersion]=6.1.0.Final "Neo",[webContextRoot]=//localhost/,[webAppState]=RUNNING, [cacheMaxSize]=10240,[cacheTTL]=5000,[reqProcessTimeAvg]=10472,[startTime]=1353919592, [cookiesAllowed]=true,[cachingAllowed]=true,[linkingAllowed]=false,[crossContextAllowed]=true

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_SERVLET]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090, [appVersion]=6.1.0.Final "Neo",[webAppName]=//localhost/admin-console,[servletName]=Faces Servlet,[totalRequests]=6,[reqErrors]=0,[loadTime]=0,[reqProcessTimeAvg]=10610

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_DB_POOL]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090, [appVersion]=6.1.0.Final "Neo",[dataSource]=DefaultDS,[dataSourceState]=Started

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_REQUEST_PROCESSOR]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appVersion]=6.1.0.Final "Neo",[reqProcessorName]=ajp-0.0.0.0-8009,[recvBytes]=0,[sentBytes]=0,[reqProcessTimeAvg]=0,[reqProcessTimeMax]=0, [totalRequests]=0,[reqRate]=0,[reqErrors]=0

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_EJB]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090, [appVersion]=6.1.0.Final "Neo",[ejbComponentName]=ejbjar.jar, [ejbBeanName]=HelloWorldBeanRemote,[ejbAvailCount]=0,[ejbCreateCount]=0,[ejbCurrCount]=0, [ejbMaxCount]=0,[ejbRemovedCount]=0,[ejbInstanceCacheCount]=null,[ejbPassivations]=null, [ejbTotalInstanceCount]=null

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_THREAD_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX, [destDevPort]=1090,[appVersion]=6.1.0.Final "Neo",[threadPoolName]=ajp-0.0.0.0-8009, [appPort]=8009,[totalThreads]=0,[busyThreads]=0,[maxThreads]=2048,[threadPriority]=5, [pollerSize]=32768,[threadPoolIsDaemon]=true
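An added example (not from the guide) that parses these PH_DEV_MON_JBOSS_* metric events into their [key]=value attributes and flags resource pressure; the event lines, host names and alert thresholds are constructed for illustration and are not FortiSIEM defaults.

```python
"""Parse FortiSIEM PH_DEV_MON_JBOSS_* metric events and flag resource pressure.

Added example, not part of the FortiSIEM guide. The event lines below are
constructed after the shapes in "Sample Event for JBOSS Metrics"; the
thresholds are illustrative assumptions, not FortiSIEM defaults.
"""
import re
from typing import Dict, List, Tuple

# "<PRI>Mon DD HH:MM:SS host java: [PH_DEV_MON_JBOSS_X]:" followed by [key]=value pairs.
_HEADER = re.compile(
    r"^<\d+>\w{3} \d{2} [\d:]{8} \S+ java: \[(?P<event>PH_DEV_MON_JBOSS_\w+)\]:\s*(?P<body>.*)$"
)
# A value runs to the next comma; none of the documented values contain a comma.
_PAIR = re.compile(r"\[(\w+)\]=([^,]*)")

# Assumed alert limits (percent) per event type; tune them to the monitored host.
THRESHOLDS = {
    "PH_DEV_MON_JBOSS_CPU": {"cpuUtil": 85},
    "PH_DEV_MON_JBOSS_MEMORY": {
        "memUtil": 90, "swapMemUtil": 80, "heapUtil": 90, "nonHeapUtil": 95,
    },
}


def parse_jboss_event(line: str) -> Dict[str, str]:
    """Return the event type plus every [key]=value attribute, all as strings."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a FortiSIEM JBOSS metric event: %r" % line[:40])
    fields = {"eventType": m.group("event")}
    for key, value in _PAIR.findall(m.group("body")):
        fields[key] = value.strip()
    return fields


def _int(fields: Dict[str, str], key: str) -> int:
    """Numeric attribute; a missing value or 'null' (as in EJB events) counts as 0."""
    raw = fields.get(key, "null")
    return 0 if raw == "null" else int(raw)


def evaluate(fields: Dict[str, str]) -> List[Tuple[str, int, int]]:
    """Return (metric, observed, limit) for every threshold the event reaches."""
    findings: List[Tuple[str, int, int]] = []
    event_type = fields["eventType"]
    for metric, limit in THRESHOLDS.get(event_type, {}).items():
        if metric in fields and _int(fields, metric) >= limit:
            findings.append((metric, _int(fields, metric), limit))
    if event_type == "PH_DEV_MON_JBOSS_THREAD_POOL" and _int(fields, "maxThreads"):
        busy_pct = 100 * _int(fields, "busyThreads") // _int(fields, "maxThreads")
        if busy_pct >= 90:  # pool nearly exhausted
            findings.append(("busyThreadsPct", busy_pct, 90))
    if event_type in ("PH_DEV_MON_JBOSS_SERVLET", "PH_DEV_MON_JBOSS_REQUEST_PROCESSOR"):
        total, errors = _int(fields, "totalRequests"), _int(fields, "reqErrors")
        if total and 100 * errors // total >= 10:  # one in ten requests failed
            findings.append(("reqErrorPct", 100 * errors // total, 10))
    return findings


# Constructed sample events in the guide's format (addresses and host name are made up).
SAMPLE_EVENTS = [
    '<134>Feb 06 11:38:35 192.0.2.16 java: [PH_DEV_MON_JBOSS_CPU]:[eventSeverity]=PHL_INFO, '
    '[destIpAddr]=192.0.2.16,[hostIpAddr]=192.0.2.16,[hostName]=APP-JMX-01,[destDevPort]=1090, '
    '[appVersion]=6.1.0.Final "Neo",[appServerState]=STARTED,[sysUpTime]=6202359,[cpuUtil]=2',
    '<134>Feb 06 11:38:36 192.0.2.16 java: [PH_DEV_MON_JBOSS_MEMORY]:[eventSeverity]=PHL_INFO, '
    '[destIpAddr]=192.0.2.16,[hostIpAddr]=192.0.2.16,[hostName]=APP-JMX-01,[destDevPort]=1090, '
    '[appVersion]=6.1.0.Final "Neo",[appServerState]=STARTED,[freeMemKB]=264776,[memUtil]=94, '
    '[swapMemUtil]=83,[heapUsedKB]=188629,[heapMaxKB]=466048,[heapUtil]=66,[nonHeapUtil]=99',
    '<134>Feb 06 11:38:36 192.0.2.16 java: [PH_DEV_MON_JBOSS_SERVLET]:[eventSeverity]=PHL_INFO, '
    '[destIpAddr]=192.0.2.16,[hostIpAddr]=192.0.2.16,[hostName]=APP-JMX-01,[destDevPort]=1090, '
    '[appVersion]=6.1.0.Final "Neo",[webAppName]=//localhost/admin-console,[servletName]=Faces '
    'Servlet,[totalRequests]=40,[reqErrors]=6,[loadTime]=0,[reqProcessTimeAvg]=10610',
]


def scan(lines) -> Dict[str, List[Tuple[str, int, int]]]:
    """Map each event type to its findings (last event per type wins); skip other lines."""
    report: Dict[str, List[Tuple[str, int, int]]] = {}
    for line in lines:
        try:
            fields = parse_jboss_event(line)
        except ValueError:
            continue
        report[fields["eventType"]] = evaluate(fields)
    return report


if __name__ == "__main__":
    for event, found in scan(SAMPLE_EVENTS).items():
        print(event, found or "ok")
```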

Authentication Server
FortiSIEM supports these authentication servers for discovery and monitoring.
- Cisco Access Control Server (ACS)
- Cisco Duo
- Cisco Identity Solution Engine (ISE)
- CyberArk Password Vault
- Fortinet FortiAuthenticator
- Juniper Networks Steel-Belted RADIUS
- Microsoft Internet Authentication Server (IAS)
- Microsoft Network Policy Server (RAS VPN)
- OneIdentity Safeguard
- Vasco DigiPass


Cisco Access Control Server (ACS)
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Application type
  Metrics collected: Process level CPU utilization, Memory utilization
  Used for: Performance Monitoring
Protocol: WMI
  Information discovered: Application type, service mappings
  Metrics collected: Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O
  Used for: Performance Monitoring
Protocol: Syslog
  Information discovered: Application type
  Metrics collected: Successful and Failed Authentications, Successful and Failed administrative logons, RADIUS accounting logs
  Used for: Security Monitoring and compliance

Event Types
In ADMIN > Device Support > Event, search for "cisco secure acs" in the Device Type and Description column to see the event types associated with this device.
Configuration
SNMP
1. Log in to the device you want to enable SNMP for as an administrator.
2. Go to Control Panel > Programs and Features.
3. Click Turn Windows features on or off.
4. If you are installing on a Windows 7 device, select Simple Network Management Protocol (SNMP). If you are installing on a Windows 2008 device, in the Server Manager window, go to Features > Add features > SNMP Services.
5. If necessary, select SNMP to enable the service.
6. Go to Programs > Administrative Tools > Services.
7. Here you set the SNMP community string and include FortiSIEM in the list of hosts that can access this server via SNMP.
8. Select SNMP Service and right-click Properties.
9. Set the community string to public.
10. Go to the Security tab and enter the FortiSIEM IP Address.
11. Restart the SNMP service.

WMI
Configuring WMI on your device so FortiSIEM can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:
- Creating a Generic User Who Does Not Belong to the Local Administrator Group
- Creating a User Who Belongs to the Domain Administrator Group
Creating a Generic User Who Does Not Belong to the Local Administrator Group
Log in to the machine you want to monitor with an administrator account.
Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group
1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
2. Right-click Users and select Add User.
3. Create a user.
4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
5. In the Distributed COM Users Properties dialog, click Add.
6. Find the user you created, and then click OK. This is the account you must use to set up the Performance Monitor Users group permissions.
7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
8. Repeat steps 4 through 7 for the Performance Monitor Users group.
Enable DCOM Permissions for the Monitoring Account
1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
5. Click OK.
6. Under Access Permissions, click Edit Default.
7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
8. Click OK.
9. Under Launch and Activation Permissions, click Edit Limits.
10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. Click OK.
12. Under Launch and Activation Permissions, click Edit Defaults.
13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group
Log in to the Domain Controller with an administrator account.
Enable Remote WMI Requests by Adding a Monitoring Account to the Domain Administrators Group
1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select Add User.
3. Create a user for the @accelops.com domain. For example, YJTEST@accelops.com.
4. Go to Groups, right-click Administrators, and then click Add to Group.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. For Enter the object names to select, enter the user you created in step 3.
7. Click OK to close the Domain Admins Properties dialog.
8. Click OK.
Enable the Monitoring Account to Access the Monitored Device
Log in to the machine you want to monitor with an administrator account.
Enable DCOM Permissions for the Monitoring Account
1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
5. Click OK.
6. In the COM Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
8. Click OK.
9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
Enable Account Privileges in WMI
The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.
1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security tab.
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart.
Allow WMI to Connect Through the Windows Firewall (Windows 2003)
1. In the Start menu, select Run.
2. Run gpedit.msc.
3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
5. Select Windows Firewall: Allow remote administration exception.
6. Run cmd.exe and enter these commands:

   netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
   netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP

7. Restart the server.
Allow WMI through Windows Firewall (Windows Server 2008, 2012)
1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and then click OK.
Syslog
1. Log in to your Cisco Access Control Server as an administrator.
2. Go to Start > All Programs > CiscoSecure ACS v4.1 > ACS Admin.
3. In the left-hand navigation, click System Configuration, then click Logging.
4. Select Syslog for Failed Attempts, Passed Authentication, and RADIUS Accounting to send these reports to FortiSIEM.
5. For each of these reports, click Configure under CSV, and select the following attributes to include in the CSV output.

Report: Failed Attempts
  CSV Attributes: Message-Type, User-Name, NAS-IP-Address, Authen-Failure-Code, Author-Failure-Code, Caller-ID, NAS-Port, Author-Date, Group-Name, Filter Information, Access Device, AAA Server
Report: Passed Authentication
  CSV Attributes: Message-Type, User-Name, NAS-IP-Address, Authen-Failure-Code, Author-Failure-Code, Caller-ID, NAS-Port, Author-Date, Group-Name, Filter Information, Access Device, AAA Server, Proxy-IP-Address, Source-NAS, PEAP/EAP-FAST-Clear-Name, Real Name
Report: RADIUS Accounting
  CSV Attributes: User-Name, NAS-IP-Address, NAS-Port, Group-Name, Service-Type, Framed-Protocol, Framed-IP-Address, Calling-Station-Id, Acct-Status-Type, Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Id, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets

6. For each of these reports, click Configure under Syslog, and for Syslog Server, enter the IP address of the FortiSIEM virtual appliance that will receive the syslog as the syslog server, enter 514 for Port, and set Max message length to 1024.
7. To make sure your changes take effect, go to System Configuration > Service Control, and click Restart ACS.

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Settings for Access Credentials
SNMP Access Credentials for All Devices
Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>


Cisco Identity Solution Engine (ISE)
- Integration points
- Configuring Cisco ISE
- Configuring FortiSIEM
- Access Credentials
- Parsing and Events

Integration points

Protocol: Syslog
Information Discovered: AAA log - authentication
Used For: Security and Compliance

Configuring Cisco ISE
Follow Cisco ISE documentation to send syslog to FortiSIEM.
Configuring FortiSIEM
FortiSIEM automatically recognizes Cisco ISE syslog as long as it follows the format shown in this sample syslog:

<181>Sep 21 06:50:51 fcmb-hq-psn01 CISE_Passed_Authentications 0000066354 3 0 2016-09-21 06:50:51.516 +01:00 2915312533 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=287, Device IP Address=1.1.1.1, DestinationIPAddress=1.1.1.2, DestinationPort=1812, UserName=00-15-65-20-33-E5, Protocol=Radius, RequestLatency=33, NetworkDeviceName=ACME, User-Name=johndoe, NAS-IP-Address=1.1.1.2, NAS-Port=50009, Service-Type=Call Check, Framed-IP-Address=1.1.1.2, Framed-MTU=1500, Called-Station-ID=38-1C-1A-87-87-09, Calling-Station-ID=00-15-65-20-33-E5, NAS-Port-Type=Ethernet, NAS-Port-Id=FastEthernet0/9, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=AC1B35F8000001240FC38F8A, OriginalUserName=0015652033e5, AcsSessionID=fcmb-hq-psn01/251903157/22970712, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=IP_Phones,
Access Credentials
For Device Type Cisco Identity Solutions Engine, see Access Credentials.
Parsing and Events
Over 20 events are parsed. See Event Types in Resources > Event Types and search for 'Cisco-ISE'.


Cisco Duo
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuring Cisco Duo
- Configuring FortiSIEM
- Sample Events

What is Discovered and Monitored

Protocol: API
Information Discovered: Host name and Device Type from LOG
Metrics/LOGs Collected: 4 log types
Used For: Security and Compliance

Event Types
Go to Admin > Device Type > Event Types and search for "Cisco-Duo".
Rules
None
Reports
None
Configuring Cisco Duo
Follow these steps to configure Cisco Duo to send logs to FortiSIEM.
1. Contact Cisco Duo support to enable the Admin API.
2. Get a credential for Cisco Duo: open the Cisco Duo dashboard and go to Application > Admin API.
3. Select the Integration key, Secret key, and API hostname options.


Configuring FortiSIEM
Follow these steps to configure FortiSIEM to receive Cisco Duo logs.
1. In the FortiSIEM UI, go to ADMIN > Setup > Credentials.
2. Click New to create a Cisco Duo credential.

Use these Access Method Definition settings to allow FortiSIEM to access Cisco Duo logs.

Name: Enter a name for the credential.
Device Type: Cisco Duo Security
Access Protocol: Cisco Duo Admin REST API
Pull Interval (minutes): 2
Integration Key: Enter the integration key you obtained from Cisco Duo.
Secret Key: Enter the secret key you obtained from Cisco Duo.
Description: Enter an optional description for the credential.

3. In Step 2, click Add to create a new association between the credential and the API hostname.

4. Select Test Connectivity without Ping. A pop-up will appear and show the connectivity results.
5. Go to the ANALYTICS page and check for Cisco Duo logs.

Sample Events
These events are collected via API:

[FSM-CiscoDuo-Auth] [1] {
  "access_device": {
    "browser": "Chrome",
    "browser_version": "67.0.3396.99",
    "flash_version": "uninstalled",
    "hostname": "null",
    "ip": "169.232.89.219",
    "java_version": "uninstalled",
    "location": {"city": "Ann Arbor", "country": "United States", "state": "Michigan"},
    "os": "Mac OS X",
    "os_version": "10.14.1"
  },
  "application": {"key": "DIY231J8BR23QK4UKBY8", "name": "Microsoft Azure Active Directory"},
  "auth_device": {
    "ip": "192.168.225.254",
    "location": {"city": "Ann Arbor", "country": "United States", "state": "Michigan"},
    "name": "My iPhone X (734-555-2342)"
  },
  "event_type": "authentication",
  "factor": "duo_push",
  "reason": "user_approved",
  "result": "success",
  "timestamp": 1532951962,
  "trusted_endpoint_status": "not trusted",
  "txid": "340a23e3-23f3-23c1-87dc-1491a23dfdbb",
  "user": {"key": "DU3KC77WJ06Y5HIV7XKQ", "name": "narroway@example.com"}
}


CyberArk Password Vault

What is Discovered and Monitored

Protocol: Syslog (CEF formatted and others)
Information discovered:
Logs parsed: CyberArk Safe Activity
Used for: Security Monitoring and compliance

Event Types
In ADMIN > Device Support > Event, search for "CyberArk-Vault" in the Device Type column to see the event types associated with this device.
Rules
In RESOURCE > Rules, search for "CyberArk":
- CyberArk Vault Blocked Failure
- CyberArk Vault CPM Password Disables
- CyberArk Vault Excessive Failed PSM Connections
- CyberArk Vault Excessive Impersonations
- CyberArk Vault Excessive PSM Keystroke Logging Failure
- CyberArk Vault Excessive PSM Session Monitoring Failure
- CyberArk Vault Excessive Password Release Failure
- CyberArk Vault File Operation Failure
- CyberArk Vault Object Content Validation Failure
- CyberArk Vault Unauthorized User Stations
- CyberArk Vault User History Clear
Reports
In RESOURCE > Reports, search for "CyberArk":
- CyberArk Blocked Operations
- CyberArk CPM Password Disables
- CyberArk CPM Password Retrieval
- CyberArk File Operation Failures
- CyberArk Impersonations
- CyberArk Object Content Validation Failures
- CyberArk PSM Monitoring Failures
- CyberArk Password Resets
- CyberArk Privileged Command Operations
- CyberArk Provider Password Retrieval
- CyberArk Trusted Network Area Updates
- CyberArk Unauthorized Stations
- CyberArk User History Clears
- CyberArk User/Group Modification Activity
- CyberArk Vault CPM Password Reconcilations
- CyberArk Vault CPM Password Verifications
- CyberArk Vault Configuration Changes
- CyberArk Vault Failed PSM connections
- CyberArk Vault Modification Activity
- CyberArk Vault PSM Keystore Logging Failures
- CyberArk Vault Password Changes from CPM
- CyberArk Vault Password Release Failures
- CyberArk Vault Successful PSM Connections
- Top CyberArk Event Types
- Top CyberArk Safes, Folders By Activity
- Top CyberArk Users By Activity
CyberArk Configuration for sending syslog in a specific format
1. Open the \PrivateArk\Server\DBParm.ini file and edit the SYSLOG section:
   a. SyslogServerIP: specify the FortiSIEM Supervisor, Workers, and Collectors, separated by commas.
   b. SyslogServerProtocol: set to the default value of UDP.
   c. SyslogServerPort: set to the default value of 514.
   d. SyslogMessageCodeFilter: set to the default range 0-999.
   e. SyslogTranslatorFile: set to Syslog\FortiSIEM.xsl.
   f. UseLegacySyslogFormat: set to the default value of No.
2. Copy the relevant XSL translator file here to the Syslog subfolder specified in the SyslogTranslatorFile parameter in DBParm.ini.
3. Stop and Start Vault (Central Server Administration) for the changes to take effect.
Make sure the syslog format is as follows.

<5>1 2016-02-02T17:24:42Z SJCDVVWCARK01 CYBERARK: Product="Vault";Version="9.20.0000";MessageID="295";Message="Retrieve password";Issuer="Administrator";Station="10.10.110.11";File="Root\snmpCommunity";Safe="TestPasswords";Reason="Test";Severity="Info"
<30>Mar 22 20:13:42 VA461_1022 CyberArk AIM[2453]: APPAP097I Connection to the Vault has been restored
<27>Mar 22 20:10:50 VA461_1022 CyberArk AIM[2453]: APPAP289E Connection to the Vault has failed. Further attempts to connect to the Vault will be avoided for [1] minutes.
<27>Mar 24 23:41:58 VA461_1022 CyberArk AIM[2453]: APPAU002E Provider [Prov_VA461_1022] has failed to fetch password with query [Safe=TestPutta;Object=Telnet91] for application [FortiSIEM]. Fetch reason: [APPAP004E Password object matching query
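An added example (not CyberArk's or FortiSIEM's code) that normalizes the two line shapes shown above, the Vault key="value" format and the AIM provider messages, into one record layout and summarizes password retrievals and provider errors; the sample lines, host names, trusted-station list and the severity derived from an AIM message code's trailing letter are assumptions for illustration.

```python
"""Normalize the two CyberArk syslog shapes into one record layout.

Added example, not CyberArk's or FortiSIEM's code. The lines below are
constructed after the guide's samples; the severity taken from the last
letter of an AIM message code (I/W/E) and the trusted-station list are
assumptions for illustration.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Vault format: <PRI>1 TIMESTAMP HOST CYBERARK: Key="value";Key="value";...
_VAULT = re.compile(r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) CYBERARK: (?P<body>.*)$")
_KV = re.compile(r'(\w+)="([^"]*)"')
# AIM format: <PRI>Mon DD HH:MM:SS HOST CyberArk AIM[PID]: CODE free text
_AIM = re.compile(
    r"^<\d+>(?P<ts>\w{3} \d{2} [\d:]{8}) (?P<host>\S+) CyberArk AIM\[(?P<pid>\d+)\]: "
    r"(?P<code>APP[A-Z]{2}\d{3}[IWE]) (?P<msg>.*)$"
)
_AIM_SEVERITY = {"I": "Info", "W": "Warning", "E": "Error"}  # assumed mapping


def parse_cyberark(line: str) -> Optional[Dict[str, str]]:
    """Return a flat record for a Vault or AIM line, or None for anything else."""
    line = line.strip()
    m = _VAULT.match(line)
    if m:
        rec = {"source": "vault", "host": m.group("host"), "timestamp": m.group("ts")}
        rec.update(_KV.findall(m.group("body")))  # Product, MessageID, Message, Issuer, ...
        return rec
    m = _AIM.match(line)
    if m:
        code = m.group("code")
        return {"source": "aim", "host": m.group("host"), "timestamp": m.group("ts"),
                "pid": m.group("pid"), "MessageID": code,
                "Severity": _AIM_SEVERITY[code[-1]], "Message": m.group("msg")}
    return None


def review(lines: List[str], trusted_stations: Set[str]) -> Dict[str, object]:
    """Summarize password retrievals and AIM errors across a batch of lines.

    Returns per-(issuer, safe) retrieval counts, the retrievals whose Station
    is outside trusted_stations, and a count of AIM error codes.
    """
    retrievals: Dict[Tuple[str, str], int] = {}
    untrusted: List[Tuple[str, str, str]] = []
    aim_errors: Dict[str, int] = {}
    for line in lines:
        rec = parse_cyberark(line)
        if rec is None:
            continue
        if rec["source"] == "vault" and rec.get("Message") == "Retrieve password":
            issuer, safe, station = rec.get("Issuer", ""), rec.get("Safe", ""), rec.get("Station", "")
            retrievals[(issuer, safe)] = retrievals.get((issuer, safe), 0) + 1
            if station not in trusted_stations:
                untrusted.append((issuer, safe, station))
        elif rec["source"] == "aim" and rec["Severity"] == "Error":
            aim_errors[rec["MessageID"]] = aim_errors.get(rec["MessageID"], 0) + 1
    return {"retrievals": retrievals, "untrusted": untrusted, "aim_errors": aim_errors}


# Constructed sample lines in the two shapes shown in the guide (hosts and users made up).
SAMPLE_LINES = [
    '<5>1 2016-02-02T17:24:42Z VAULT01 CYBERARK: Product="Vault";Version="9.20.0000";'
    'MessageID="295";Message="Retrieve password";Issuer="Administrator";'
    'Station="10.10.110.11";File="Root\\snmpCommunity";Safe="TestPasswords";'
    'Reason="Test";Severity="Info"',
    '<5>1 2016-02-02T17:25:10Z VAULT01 CYBERARK: Product="Vault";Version="9.20.0000";'
    'MessageID="295";Message="Retrieve password";Issuer="svc_backup";'
    'Station="192.0.2.77";File="Root\\dbAdmin";Safe="ProdDB";Reason="";Severity="Info"',
    "<30>Mar 22 20:13:42 AIMHOST01 CyberArk AIM[2453]: APPAP097I Connection to the Vault has been restored",
    "<27>Mar 22 20:10:50 AIMHOST01 CyberArk AIM[2453]: APPAP289E Connection to the Vault has failed. "
    "Further attempts to connect to the Vault will be avoided for [1] minutes.",
    "<27>Mar 24 23:41:58 AIMHOST01 CyberArk AIM[2453]: APPAU002E Provider [Prov_AIMHOST01] has "
    "failed to fetch password with query [Safe=ProdDB;Object=Telnet91] for application [FortiSIEM].",
    "<13>Mar 24 23:42:00 AIMHOST01 sshd[100]: unrelated line that must be ignored",
]

if __name__ == "__main__":
    print(review(SAMPLE_LINES, trusted_stations={"10.10.110.11"}))
```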


Fortinet FortiAuthenticator
- What is Discovered and Monitored
- Event Types
- Configuration

What is Discovered and Monitored

Protocol: SNMP
  Information Discovered: Vendor, OS, Model, Network Interfaces
  Data Collected: Interface Stat, Authentication Stat
  Used for: Performance Monitoring
Protocol: Syslog
  Information Discovered: LOG Discovery
  Data Collected: Over 150 event types
  Used for: Security and Compliance

Event Types
In RESOURCE > Event Types, search for "Fortinet-FortiAuthenticator". Sample Event Type:

<14>Aug 14 22:32:52 db[16987]: category="Event" subcategory="Authentication" typeid=20995 level="information" user="admin" nas="" action="Logout" status="" Administrator 'admin' logged out
Configuration
Configure FortiAuthenticator to send syslog on port 514 to FortiSIEM.
FortiSIEM Access Credentials
For Device Type Fortinet FortiAuthenticator, see Access Credentials.


Juniper Networks Steel-Belted RADIUS

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Application type
  Metrics collected: Process level CPU utilization, Memory utilization
  Used for: Performance Monitoring
Protocol: WMI
  Information discovered: Application type, service mappings
  Metrics collected: Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O
  Used for: Performance Monitoring
Protocol: Syslog
  Information discovered: Application type
  Metrics collected: Successful and Failed Authentications, Successful and Failed administrative logons, RADIUS accounting logs
  Used for: Security Monitoring and compliance

Event Types
In ADMIN > Device Support > Event, search for "Juniper Steel-Belted RADIUS" in the Device Type column to see the event types associated with this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Syslog
1. Log in as administrator.
2. Install and configure the Epilog application to convert the log files written by the Steel-Belted RADIUS server into syslog for sending to FortiSIEM:
   a. Download Epilog from Snare (see the Snare download information) and install it on your Windows Server.
   b. Launch Epilog from Start > All Programs > InterSect Alliance > Epilog for Windows.
   c. Configure the Epilog application as follows:
      i. Select Log Configuration in the left-hand panel and click the Add button to add the log files whose content must be sent to FortiSIEM. Make sure these are the log files written by the Steel-Belted RADIUS server, that their paths are correct, and that the Log Type is SteelbeltedLog.
      ii. Select Network Configuration in the left-hand panel. On the right, set the destination address to that of the FortiSIEM server, set the port to 514, and make sure that the syslog header is enabled. Then click the Change Configuration button.
      iii. Click the "Apply the latest audit configuration" link on the left-hand side to apply the changes to the Epilog application. DHCP logs will now be sent to FortiSIEM in real time.


Microsoft Internet Authentication Server (IAS)
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: WMI, Syslog, Windows Agent
Information Discovered:
Metrics Collected:
Used For: IAS logs

Event Types
In ADMIN > Device Support > Event, search for "microsoft isa" in the Description column to see the event types associated with this device.
Configuration
WMI
See WMI Configurations in the Microsoft Windows Server Configuration section.
Syslog
You must configure your Microsoft Internet Authentication Server to save logs, and then you can use the Windows Agent Manager to configure the type of log information you want sent to FortiSIEM.
1. Log in to your server as an administrator.
2. Go to Start > Administrative Tools > Internet Authentication Service.
3. In the left-hand navigation, select Remote Access Logging, then select Local File.
4. Right-click on Local File to open the Properties menu, and then select Log File.
5. For Directory, enter C:\WINDOWS\system32\LogFiles\IAS.
6. Click OK.
You can now use the Windows Agent Installation Guide to configure what information will be sent to FortiSIEM.


Microsoft Network Policy Server (RAS VPN)
- Integration Points
- Configuration
- Settings for Access Credentials
- Sample Events

Integration Points

Method: Syslog
Information discovered: Host name, Reporting IP
Metrics collected: None
LOGs collected: AAA based login events
Used for: Security monitoring

Event Types
In ADMIN > Device Support > Event, search for "MS-NPS" to see the event types associated with this device.
Rules
No specific rules are written for Microsoft Network Policy Server, but the regular AAA Server rules apply.
Reports
No specific reports are written for Microsoft Network Policy Server, but the regular AAA Server reports apply.
Configuration
Configure Microsoft Network Policy Server system to send logs to FortiSIEM in the supported format (see Sample Events). See https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-accounting-configure.
Settings for Access Credentials
None required.
Sample Events
"HOSTXXVPN","RAS",03/10/2019,03:47:04,4,"domain\user",,"10.1.1.130","192.168.22.2",,"172.17.220.130","HOSTXXVPN","10.5.5.212",387,,"10.5.5.212","HOSTXXVPN",1552214822,,5,,1,2,,,0,"311 1 fe80::a1bf:5c1c:7ebc:6ab7 02/07/2019 04:24:00 4805",,,,,2,,268050551,253119217,"4806",3,69101,833955,726102,1,"1251",1,,79617,1,"192.168.22.2","10.1.1.130",,,,,,,"MSRASV5.20",311,,"0x00504F4C42",0,,"Microsoft Routing and Remote Access Service Policy",,,,"MSRAS-0-HOST123413","MSRASV5.20"


OneIdentity Safeguard (previously Balabit Privileged Session Management)
- Integration points
- Configuring OneIdentity Safeguard
- Parsing and Events

Integration points

Protocol: Syslog
Information Discovered: Privileged session management events
Used For: Security and Compliance

Configuring OneIdentity Safeguard
Follow OneIdentity Safeguard documentation to send syslog to FortiSIEM.
Configuring FortiSIEM
FortiSIEM automatically recognizes OneIdentity Safeguard syslog as long as it follows the format shown in this sample syslog:

<123>2018-10-08T22:59:49+08:00 scbdemo.balabit zorp/scb_rdp[31769]: core.debug(4): (svc/i9CTbTzV2wrRur3quVRzF4/GET_gateway_rdp:498:2): After NAT mapping; nat_type='0', src_addr='AF_INET(10.19.9.245:0)', dst_addr='AF_INET(10.46.26.196:3389)', new_addr='AF_INET(10.11.101.30:0)'
Parsing and Events
Over 50 events are parsed. See Event Types in Resources > Event Types and search for 'OneIdentity-Safeguard-'.


Vasco DigiPass

What is Discovered and Monitored

Protocol: Syslog
Information discovered:
Metrics collected: Successful and Failed Authentications, Successful and Failed administrative logons
Used for: Security Monitoring and compliance

Event Types
In ADMIN > Device Support > Event, search for "Vasco DigiPass" in the Device Type column to see the event types associated with this device. Some important ones are:
- Vasco-DigiPass-KeyServer-AdminLogon-Success
- Vasco-DigiPass-KeyServer-UserAuth-Success
- Vasco-DigiPass-KeyServer-UserAuth-Failed
- Vasco-DigiPass-KeyServer-AccountLocked
- Vasco-DigiPass-KeyServer-AccountUnlocked
Configuration
Configure the Vasco DigiPass Management Console to send syslog to FortiSIEM. FortiSIEM parses the logs automatically. Make sure the syslog format is as follows.
May 16 18:21:50 vascoservername ikeyserver[3575]: {Success}, {Administration}, {S-001003}, {A command of type [User] [Unlock] was successful.}, {0xA46B6230BA60B240CE48011B0C30D393}, {Source Location:10.1.2.3}, {Client Location:10.1.2.3}, {User ID:flast}, {Domain:company.com}, {Input Details: {User ID : flast} {Domain Name : company.com}}, {Output Details: {User ID : flast} {Password : ********} {Created Time : 2013/05/13 19:06:52} {Modified Time : 2013/05/16 18:21:49} {Has Digipass : Unassigned} {Status : 0} {Domain Name : company.com} {Local Authentication : Default} {Back-end Authentication : Default} {Disabled : no} {Lock Count : 0} {Locked : no} {Last Password Set Time : 2013/05/13 19:06:52} {Static Password History : d0NdVMhSdvdNEQJkkKTWmiq8iB4K1dWreMf5FQlZM7U=} {Key ID : SSMINSTALLSENSITIVEKEY}}, {Object:User}, {Command:Unlock}, {Client Type:Administration Program}
May 15 20:27:35 vascoservername ikeyserver[3575]: {Success}, {Administration}, {S-004001}, {An administrative logon was successful.}, {0x25AB20F3222F554A96CFFD2886AE4C71}, {Source Location:10.1.2.3}, {Client Location:10.1.2.3}, {User ID:admin}, {Domain:company.com}, {Client Type:Administration Program}
May 17 18:43:22 vascoservername ikeyserver[3582]: {Info}, {Initialization}, {I-002010}, {The SOAP protocol handler has been initialized successfully.}, {0x0E736D24D54E717E6F5DA6C09E89F8EE}, {Version:3.4.7.115}, {Configuration Details:IPAddress: 10.1.2.3, IP-Port: 8888, Supported-Cipher-Suite: HIGH, Server-Certificate: /var/identikey/conf/certs/soap-custom.pem, Private-Key-Password: ********, CA-CertificateStore: /var/identikey/conf/certs/soap-ca-certificate-store.pem, Client-AuthenticationMethod: none, Reverify-Client-On-Reconnect: False, DPX-Upload-Location: /var/dpx/}
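As an added example (not part of this guide, and not Vasco or FortiSIEM code), the following Python parses ikeyserver records in the format shown above into the syslog header, the positional fields (result, category, code, message, record id), the "Key:Value" fields and the nested detail groups such as Input Details and Output Details, and then maps the two record shapes present in the samples onto the event-type names listed under Event Types. The mapping rules in classify(), the function names and the constructed sample strings (copied from the lines above, with the long unlock record trimmed to a few of its detail fields) are assumptions made for illustration.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed copies of the two ikeyserver sample records shown above; the
# user-unlock record is trimmed to a few of its Output Details fields.
SAMPLE_ADMIN_LOGON = (
    "May 15 20:27:35 vascoservername ikeyserver[3575]: {Success}, {Administration}, "
    "{S-004001}, {An administrative logon was successful.}, "
    "{0x25AB20F3222F554A96CFFD2886AE4C71}, {Source Location:10.1.2.3}, "
    "{Client Location:10.1.2.3}, {User ID:admin}, {Domain:company.com}, "
    "{Client Type:Administration Program}"
)
SAMPLE_USER_UNLOCK = (
    "May 16 18:21:50 vascoservername ikeyserver[3575]: {Success}, {Administration}, "
    "{S-001003}, {A command of type [User] [Unlock] was successful.}, "
    "{0xA46B6230BA60B240CE48011B0C30D393}, {Source Location:10.1.2.3}, "
    "{Client Location:10.1.2.3}, {User ID:flast}, {Domain:company.com}, "
    "{Input Details: {User ID : flast} {Domain Name : company.com}}, "
    "{Output Details: {User ID : flast} {Password : ********} "
    "{Lock Count : 0} {Locked : no}}, {Object:User}, {Command:Unlock}, "
    "{Client Type:Administration Program}"
)

# Classic syslog header: "Mon DD hh:mm:ss host program[pid]: body"
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>\w+)\[(?P<pid>\d+)\]: (?P<body>.*)$"
)


def brace_groups(text: str) -> List[str]:
    """Return the contents of each top-level {...} group; nested braces stay inside."""
    groups: List[str] = []
    depth, start = 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces in ikeyserver record")
            if depth == 0:
                groups.append(text[start:i])
    if depth != 0:
        raise ValueError("unbalanced braces in ikeyserver record")
    return groups


def parse_ikeyserver(line: str) -> Dict[str, Any]:
    """Parse one ikeyserver syslog record into header, positional and named fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a syslog line with an ikeyserver[pid] header")
    groups = brace_groups(m.group("body"))
    if len(groups) < 5:
        raise ValueError("expected result, category, code, message and record id")
    fields: Dict[str, Any] = {}
    for group in groups[5:]:
        key, sep, value = group.partition(":")
        if not sep:                      # a bare flag without a value
            fields[group.strip()] = ""
            continue
        key, value = key.strip(), value.strip()
        if value.startswith("{"):        # nested detail group, e.g. Output Details
            nested: Dict[str, str] = {}
            for inner in brace_groups(value):
                k, _, v = inner.partition(":")
                nested[k.strip()] = v.strip()
            fields[key] = nested
        else:
            fields[key] = value
    return {
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "program": m.group("program"),
        "pid": int(m.group("pid")),
        "result": groups[0],
        "category": groups[1],
        "code": groups[2],
        "message": groups[3],
        "record_id": groups[4],
        "fields": fields,
    }


def classify(event: Dict[str, Any]) -> Optional[str]:
    """Assumed, illustrative mapping onto the event-type names listed under Event Types.

    Only the two record shapes present in the samples are mapped; anything else
    returns None so that a caller never mislabels an unknown record.
    """
    fields = event["fields"]
    if (event["result"] == "Success" and event["category"] == "Administration"
            and "administrative logon" in event["message"].lower()):
        return "Vasco-DigiPass-KeyServer-AdminLogon-Success"
    if (event["result"] == "Success" and fields.get("Object") == "User"
            and fields.get("Command") == "Unlock"):
        return "Vasco-DigiPass-KeyServer-AccountUnlocked"
    return None


if __name__ == "__main__":
    for line in (SAMPLE_ADMIN_LOGON, SAMPLE_USER_UNLOCK):
        ev = parse_ikeyserver(line)
        print(classify(ev), ev["fields"].get("User ID"), ev["fields"].get("Source Location"))
```

The brace walker is the important part: the key/value fields cannot be split on commas or colons directly, because the message text, the nested detail groups and timestamps such as "Created Time : 2013/05/13 19:06:52" all contain those characters. Splitting only at depth zero and partitioning each group on its first colon keeps every field intact.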

Database Server
FortiSIEM supports these database servers for discovery and monitoring.
• IBM DB2 Server
• Microsoft SQL Server
• Microsoft SQL Server Scripts
• MySQL Server
• Oracle Database Server


IBM DB2 Server
• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials
• Sample Events

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Application type
Metrics collected: Process level CPU and memory utilization
Used for: Performance Monitoring

Protocol: WMI
Information discovered: Application type, service mappings
Metrics collected: Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec
Used for: Performance Monitoring

Protocol: JDBC
Information discovered: None
Metrics collected: Database audit trail: Successful and failed database log on, Database CREATE/DELETE/MODIFY operations, Table CREATE/DELETE/MODIFY/INSERT operations
Used for: Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "db2" in the Device Type and Description column to see the event types associated with this device.

Configuration

Configuring IBM DB2 Audit on Linux - DB2 side

1. Log in to IBM Installation Manager.
2. Click the Databases tab, and click the + icon to create a new Database Connection.
3. Enter these settings.

Database Connection Name: Enter a name for the connection, such as FortiSIEM
Data Server Type: DB2 for Linux, Unix, and Windows
Database Name: Name of the database
Host name: db2.org
Port number: 50000
JDBC Security: Clear text password
User ID: The username you want to use to access this Server from FortiSIEM
JDBC URL: jdbc:db2://db2.org:50000/<databasename>: retrieveMessagesFromServerOnGetMessage=true;securi

4. In the Job Manager tab, click Add Job.
5. For Name, enter audit.
6. For Type, select DB2 CLP Script.
7. Click OK.
8. Add the script.
9. Add schedule details to the audit task.
10. Add the database to the audit task.
You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections 'Discovering Infrastructure' and 'Setting Access Credentials' for Device Discovery under Chapter: Configuring FortiSIEM.

Configuring IBM DB2 Audit on Windows - DB2 side
1. Create a non-admin user on Windows, for example "AoAuditUser", and set its password.
2. Log in to the DB2 Task Center, add the user to DB Users, and connect it to the database.
3. Grant permissions (as Administrator) using the commands below.
a. Grant audit permission to db2admin:
db2 connect to sample user administrator using 'ProspectHills!'
DB2 GRANT EXECUTE ON PROCEDURE SYSPROC.AUDIT_ARCHIVE TO DB2ADMIN
DB2 GRANT EXECUTE ON PROCEDURE SYSPROC.AUDIT_DELIM_EXTRACT TO DB2ADMIN
db2 grant load on database to db2admin
db2 grant secadm on database to db2admin
db2 connect reset
b. Grant query permission to the non-admin user:
db2 connect to sample user db2admin using 'ProspectHills!'
db2 grant select on AUDIT to AOAuditUser
db2 grant select on CHECKING to AOAuditUser
db2 grant select on OBJMAINT to AOAuditUser
db2 grant select on SECMAINT to AOAuditUser
db2 grant select on SYSADMIN to AOAuditUser
db2 grant select on VALIDATE to AOAuditUser
db2 grant select on CONTEXT to AOAuditUser
db2 grant select on EXECUTE to AOAuditUser
db2 connect reset


c. Check permission for non-admin user
db2 connect to sample user AOAuditUser using 'ProspectHills!'
db2 select count (*) from DB2ADMIN.AUDIT
db2 select count (*) from DB2ADMIN.CHECKING
db2 select count (*) from DB2ADMIN.OBJMAINT
db2 select count (*) from DB2ADMIN.SECMAINT
db2 select count (*) from DB2ADMIN.SYSADMIN
db2 select count (*) from DB2ADMIN.VALIDATE
db2 select count (*) from DB2ADMIN.CONTEXT
db2 select count (*) from DB2ADMIN.EXECUTE
db2 connect reset
4. Create the catalog with db2admin.
5. Create a task as the DB2 user Administrator:
a. Open the DB2 Task Center and create a task like below.
b. Add a schedule.
c. Add the task.

Settings for Access Credentials

Settings for IBM DB2 JDBC Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device.

Values for Used For = Audit:

Name: db2_linux
Device Type: IBM DB2
Access Protocol: JDBC
Used For: audit
Pull Interval (minutes): 5
Port: 50000
Database Name: <database_name>
Audit Table: AUDIT
Checking Table: CHECKING
ObjMaint Table: OBJMAINT
SecMaint Table: SECMAINT
SysAdmin Table: SYSADMIN
Validate Table: VALIDATE
Context Table: CONTEXT
Execute Table: EXECUTE
Account Name: The administrative user for your IBM DB2 server
Password: The password associated with the administrative user for your IBM DB2 server

Values for Used For = Synthetic Transaction Monitoring:

Name: db2_linux
Device Type: IBM DB2
Access Protocol: JDBC
Used For: Synthetic Transaction Monitoring
Pull Interval (minutes): 5
Port: 50000
Database Name: <database_name>
Account Name: The administrative user for your IBM DB2 server
Password: The password associated with the administrative user for your IBM DB2 server

Sample Events
IBMDB2_CHECKING_OBJECT
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_CHECKING_OBJECT]:[eventSeverity]=PHL_INFO,[objName]=TABLES,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.41.085567,[user]=db2inst1,[eventCategory]=CHECKING,[dbRetCode]=0

IBMDB2_CHECKING_FUNCTION
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_CHECKING_FUNCTION]:[eventSeverity]=PHL_INFO,[objName]=CHECKING,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.40.739649,[user]=db2inst1,[eventCategory]=CHECKING,[dbRetCode]=0

IBMDB2_STATEMENT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_STATEMENT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.48.59.433204,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_COMMIT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_COMMIT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=10.1.2.81,[srcApp]=db2jcc_application,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.51.30.447924,[srcName]=SP81,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_ROLLBACK
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_ROLLBACK]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.43.827986,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_CONNECT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CONNECT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.39.991288,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_CONNECT_RESET
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CONNECT_RESET]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.43.829149,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0

IBMDB2_CREATE_OBJECT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CREATE_OBJECT]:[eventSeverity]=PHL_INFO,[objName]=CAN_MONITOR=CAN_MONITOR_FUNC,[srcIpAddr]=10.1.2.68,[srcApp]=DS_ConnMgt_,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.30.14.827242,[srcName]=10.1.2.68,[user]=db2inst1,[eventCategory]=OBJMAINT,[dbRetCode]=0

IBMDB2_JDBC_PULL_STAT
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_JDBC_PULL_STAT]:[eventSeverity]=PHL_INFO,[reptModel]=DB2,[dbName]=SAMPLE,[instanceName]=db2inst1,[reptVendor]=IBM,[rptIp]=10.1.2.68,[auditEventCount]=30,[relayIp]=10.1.2.68,[dbEventCategory]=db2inst1.AUDIT,[appGroupName]=IBM DB2 Server

IBMDB2_ARCHIVE
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_ARCHIVE]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.44.002046,[user]=db2inst1,[eventCategory]=AUDIT,[dbRetCode]=0

IBMDB2_EXTRACT
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_EXTRACT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.38.45.865016,[user]=db2inst1,[eventCategory]=AUDIT,[dbRetCode]=0

IBMDB2_LIST_LOGS
<134>May 14 14:03:39 10.1.2.68 java: [IBMDB2_LIST_LOGS]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.58.43.204054,[user]=db2inst1,[eventCategory]=AUDIT,[dbRetCode]=0


Microsoft SQL Server
• Supported Versions
• What is Discovered and Monitored
• Recommended Configuration
• SNMP Configuration
• WMI Configuration
• Configuration for Database Audit Logs
• JDBC Configuration for Database Performance Metrics
• JDBC Configuration for DDL Changes
• Sample Events
Supported Versions
• SQL Server 2014
• SQL Server 2016
• SQL Server 2017
• SQL Server 2019

What is Discovered and Monitored

The following protocols are used to discover and monitor various aspects of Microsoft SQL server.

Protocol: SNMP
Information discovered: Application type
Metrics collected: Process level CPU and memory utilization
Used for: Performance Monitoring

Protocol: WMI
Information discovered: Application type, service mappings
Metrics collected: Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec
Used for: Performance Monitoring

Protocol: WMI
Metrics collected: Windows application event logs - successful and failed login
Used for: Security Monitoring

Protocol: JDBC
Information discovered: None
Metrics collected: General database info: database name, database version, database size, database owner, database created date, database status, database compatibility level. Database configuration info: Configure name, Configure value, Configure max and min value, Configure running value. Database backup info: Database name, Last backup date, Days since last backup
Used for: Availability Monitoring

Protocol: JDBC
Information discovered: None
Metrics collected: Database performance metrics (per-instance): Buffer cache hit ratio, Log cache hit ratio, Transactions/sec, Page reads/sec, Page writes/sec, Page splits/sec, Full scans/sec, Deadlocks/sec, Log flush waits/sec, Latch waits/sec, Data file(s) size, Log file(s) used, Log growths, Log shrinks, User connections, Target server memory, Total Server Memory, Active database users, Logged-in database users, Available buffer pool pages, Free buffer pool pages, Average wait time. Database performance metrics (per-instance, per-database): Database name, Data file size, Log file used, Log growths, Log shrinks, Log flush waits/sec, Transactions/sec, Log cache hit ratio
Used for: Performance Monitoring

Protocol: JDBC
Information discovered: None
Metrics collected: Locking info: Database id, Database object id, Lock type, Locked resource, Lock mode, Lock status. Blocking info: Blocked Sp Id, Blocked Login User, Blocked Database, Blocked Command, Blocked Process Name, Blocking Sp Id, Blocking Login User, Blocking Database, Blocking Command, Blocking Process Name, Blocked duration
Used for: Performance Monitoring

Protocol: JDBC
Information discovered: None
Metrics collected: Database error log. Database audit trail: failed database logon is also collected through performance monitoring, because logon failures cannot be collected via database triggers.
Used for: Availability / Performance Monitoring

Protocol: JDBC
Information discovered: None
Metrics collected: Database audit trail: Successful and failed database logon, various database operation audit trail including CREATE/ALTER/DROP/TRUNCATE operations on tables, table spaces, databases, clusters, users, roles, views, table indices, triggers, etc.
Used for: Security Monitoring and compliance

Recommended Configuration
1. SNMP or WMI for discovery and system level performance metrics.
2. FortiSIEM Windows Agent for Database Audit logs. Note that these logs can also be pulled via WMI; however, performance is limited because of WMI limitations.
3. JDBC for Database Performance metrics.
4. JDBC for DDL changes.

SNMP Configuration
See SNMP Configurations in the Microsoft Windows Server Configuration section.
WMI Configuration
See WMI Configurations in the Microsoft Windows Server Configuration section.
Configuration for Database Audit Logs
Database Audit logs include failed and successful logons and other C2 audit activity. These logs are written to the Windows Application logs. Configuration occurs in two parts.
• SQL Server Configuration
• FortiSIEM Configuration
SQL Server Configuration
Step 1: Configure Login Auditing using SQL Server Management Studio
Take the following steps to configure Login Auditing.
1. In SQL Server Management Studio, connect to an instance of the SQL Server Database Engine with Object Explorer.
2. In Object Explorer, right-click the server name, and then click Properties.
3. On the Security page, under Login auditing, select the desired option.
4. On the Security page, under Options, select the Enable C2 audit tracing check box and close the Server Properties page.
5. In Object Explorer, right-click the server name, and then click Restart.


Note: You must restart the SQL Server before this option will take effect.
Step 2: Enabling SQL Server Audit
Create a Server-level audit object by taking the following steps:
1. In SQL Server Management Studio, connect to an instance of the SQL Server Database Engine with Object Explorer.
2. In the Object Explorer panel on the left, expand Security.
3. Right-click Audits, and select New Audit... from the menu. This will create a new SQL Server Audit object for server-level auditing.
4. In the Create Audit window, give the audit settings a name in the Audit name field.
5. For On Audit Log Failure, select the Continue option.
6. For Audit destination, select Application Log from the drop-down list.
7. Click OK.
8. You will now find the new audit configuration in Object Explorer below Security > Audits. Right-click the new Audit configuration and select Enable Audit from the menu.


9. Click Close in the Enable Audit dialog.
FortiSIEM Configuration
Step 1: Define the Windows Agent Monitor Template for SQL Server
Complete these steps to add a Windows Agent Monitor Template:
1. Navigate to ADMIN > Setup and click the Windows Agent tab.
2. Under Windows Agent Monitor Templates, click New.
3. In the Windows Agent Monitor Template dialog box, in the Name field, enter a name.
4. Click the Event tab, and take the following steps:
a. In the Event Log row, click New.
b. From the Type drop-down list, select Security and click Save.
c. In the Event Log row, click New again.
d. From the Type drop-down list, select Application.
e. From the Source drop-down list, select SQL Server.
f. Click Save.

Step 2: Associate Windows Agents to Templates
Complete these steps to associate a Host to a Template:
1. Under Host To Template Associations, click New.
2. In the Host To Template Associations dialog box, enter the following information.

Name: Name of the Host to Template Association.
Organization: Select the organization.
Host: Use the drop-down list to browse the folders, select the Devices and/or Business Services to monitor, and click Save.
Template: Select one or more monitoring templates from the list, or select All Templates to include all. You can also use the search bar to find a specific template.
Collector: Select the Collector from the list, or select All Collectors to include all. Agents forward events to Collectors via HTTP(S). A Collector is chosen at random; if that Collector is not available or is non-responsive, another Collector in the list is chosen.

3. Associate the recently added SQL Server template to the SQL Server host.
4. Click Save and Apply.
Step 3: Check Events via Analytics


JDBC Configuration for Database Performance Metrics
FortiSIEM can pull SQL Server performance metrics via JDBC. Configuration occurs in two parts.
• SQL Server Configuration
• FortiSIEM Configuration
SQL Server Configuration
Step 1: Create a Read-Only User for SQL Server Monitoring
A regular Windows account cannot be used for SQL Server monitoring. FortiSIEM runs on Linux, and certain Windows libraries needed for SQL Server monitoring are not available on Linux. You have to create a separate user with read-only privileges.
1. Log in to your SQL Server with the sa account, and then create a read-only user to access system tables.
EXEC SP_ADDLOGIN 'AOPerfLogin','ProspectHills!','master';
EXEC SP_ADDROLE 'AOPerfRole';
EXEC SP_ADDUSER 'AOPerfLogin', 'AOPerfUser', 'AOPerfRole';
GRANT VIEW SERVER STATE TO AOPerfLogin;
GRANT SELECT ON dbo.sysperfinfo TO AOPerfRole;
GRANT EXEC on xp_readerrorlog to AOPerfRole;
2. Log in with your newly created read-only account (AOPerfLogin) and run these commands.
SP_WHO2 'active';
SELECT * FROM sys.databases;
SELECT * FROM dbo.sysperfinfo;
SELECT COUNT(*) as count FROM sysprocesses GROUP BY loginame;

Check to see if you get the same results with your read-only account (AOPerfLogin) as you do with your sa account. You should get the same results.
Step 2: Changing the Authentication Mode to SQL Server and Windows Authentication Mode
It is common practice to enable SQL Server and Windows Authentication mode before using the read-only user. To enable this mode, take the following steps:
1. In SQL Server Management Studio Object Explorer, right-click the server, then click Properties.
2. On the Security page, under Server authentication, select SQL Server and Windows Authentication mode.
3. Click OK.
4. In the SQL Server Management Studio dialog box, click OK to acknowledge the requirement to restart the SQL Server.
5. In Object Explorer, right-click your server, and then click Restart. If the SQL Server Agent is running, it must also be restarted.
FortiSIEM Configuration
Settings for SQL Server JDBC Access Credentials for Performance Monitoring
Use these Access Method Definition settings to allow FortiSIEM to communicate with your SQL Server over JDBC for performance monitoring:
Step 1: Create a Separate Credential for Each Database Instance
If multiple database instances are running on the same server, then each instance must run on a separate port, and you must create a separate access credential for each instance. You must also remember to associate each instance with the server's IP number for the Device Credential Mapping Definition. Take the following steps:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials, click New to create a new credential.
a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
b. Enter these settings in the Access Method Definition dialog box and click Save when done:


Name: The name of the database instance you're creating the credential for.
Access Protocol: JDBC
Used For: Performance Monitoring
Pull Interval (minutes): 5
Port: 1433
Database Name: <leave this field blank>
User Name: The user you created in step 1 of the JDBC configuration.
Password: The password associated with the user you created in step 1.


3. In Step 2: Enter IP Range to Credential Associations, click New to create a new mapping.
a. Select the name of your credential from the Credentials drop-down list.
b. In the IP/Host Name field, enter a host name, an IP, or an IP range.
c. Click Save.
4. Click the Test drop-down list and select Test Connectivity to test the connection to the Microsoft SQL Server.
5. To discover the device, take the following steps:
a. Navigate to ADMIN > Setup > Discovery.
b. Create a Discovery entry using the information here. For more information on how to create a discovery entry, see here.

Name: The name of the device to discover
Discovery Type: Leave as default (Range Scan).
Include: Provide the IP address of the device you want discovered.

c. Click Save when done.
6. Select the discovery entry you created and click Discover.
7. After Discovery is completed, navigate to ADMIN > Setup > Monitor Performance to check the monitor performance job.
8. Click on the More drop-down list and select Report to check related events.


JDBC Configuration for DDL Changes
FortiSIEM can pull SQL Server Data Definition Language (DDL) changes via JDBC. These changes include CREATE, ALTER, DROP, GRANT, DENY, REVOKE or UPDATE STATISTICS operations on database tables. SQL Server does not record this information by itself, so the configuration involves creating database tables to store the changes and then creating triggers to populate those tables. FortiSIEM can then pull them via JDBC. Configuration occurs in two parts.
• SQL Server Configuration
• FortiSIEM Configuration
SQL Server Configuration
1. Save the SQL Server script (provided; link here) as a separate file: My Documents > SQL Server Management Studio > SQLServer_DDL_Events.sql.
2. Log in to SQL Server Management Studio with the sa account.
3. Browse to and execute the SQLServer_DDL_Events.sql script to create the database, tables and trigger events.

Creating a Database Truncate Script
Because the DDL tables grow over time, create a database truncate procedure that runs as a maintenance task and keeps the table size under control:
1. Log in to Microsoft SQL Management Studio and connect to the DB instance.
2. Under Management, go to Maintenance Plans, and create a new plan with the name RemoveOldLogs.
3. For Subplan, enter TRUNCATE, and for Description, enter TRUNCATE TABLE.
4. Click the Calendar icon to create a recurring, daily task starting at 12:00AM and running every 30 minutes until 11:59:59PM.
5. Go to View > Tool Box > Execute T-SQL Statement. A T-SQL box will be added to the subplan.
6. In the T-SQL box, enter this command:
use PH_Events;
EXEC sp_MSForEachTable 'TRUNCATE TABLE DDLEvents';
7. Click OK.
You will be able to see the history of this script's actions by right-clicking on the maintenance task, and then selecting View History.

FortiSIEM Configuration

Settings for SQL Server JDBC Access Credentials for DDL Events Collection
Use these Access Method Definition settings to allow FortiSIEM to communicate with your SQL Server database instance over JDBC for database DDL events collection.
Step 1: Create a Separate Credential for Each Database Instance
If multiple database instances are running on the same server, then each instance must run on a separate port, and you must create a separate access credential for each instance. You must also remember to associate each instance with the server's IP number for the Device Credential Mapping Definition.
Take the following steps:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials, click New to create a new credential.
a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
b. Enter these settings in the Access Method Definition dialog box, and click Save when done:

Name: The name of the database instance you are creating the credential for
Device Type: Microsoft SQL Server
Used For: Audit
Pull Interval (minutes): 5
Port: 1433
Database Name: <leave this field blank>
Logon Event Table: PH_Events.dbo.LogOnEvents
DDL Event Table: PH_Events.dbo.DDLEvents
User Name: The user you created in step 1 of the JDBC configuration
Password: The password associated with the user you created in step 1.


3. In Step 2: Enter IP Range to Credential Associations, click New to create a new mapping.
a. Select the name of your credential from the Credentials drop-down list.
b. In the IP/Host Name field, enter a host name, an IP, or an IP range.
c. Click Save.
4. Click the Test drop-down list and select Test Connectivity to test the connection to the Microsoft SQL Server.
5. To discover the device, take the following steps:
a. Navigate to ADMIN > Setup > Discovery.
b. Create a Discovery entry using the information here. For more information on how to create a discovery entry, see here.

Name: The name of the device to discover
Discovery Type: Leave as default (Range Scan).
Include: Provide the IP address of the device you want discovered.

c. Click Save when done.
6. Select the discovery entry you created and click Discover.
7. After Discovery is completed, navigate to ADMIN > Setup > Pull Events to check the pull events job.
8. Click on Report to check related events.

Sample Events
• Per Instance Performance Metrics
• Per Instance, per Database Performance Metrics
• Generic Info
• Config Info
• Locking Info
• Blocking Info
• Error Log
• Logon Events
• DDL Events - Create Database
• DDL Events - Create Index
Per Instance Performance Metrics
<134>Apr 16 10:17:56 172.16.22.100 java: [PH_DEV_MON_PERF_MSSQL_SYS|PH_DEV_MON_PERF_MSSQL_SYS]:[eventSeverity]=PHL_INFO,[hostIpAddr]=172.16.22.100,[hostName]=wwwin.accelops.net,[appGroupName]=Microsoft SQL Server,[dbDataFileSizeKB]=13149056,[dbLogFileUsedKB]=26326,[dbLogGrowthCount]=4,[dbLogShrinkCount]=0,[dbLogFlushPerSec]=1.69,[dbTransPerSec]=4.44,[dbDeadLocksPerSec]=0,[dbLogCacheHitRatio]=60.01,[dbUserConn]=16,[dbTargetServerMemoryKB]=1543232,[dbTotalServerMemoryKB]=1464760,[dbPageSplitsPerSec]=0.45,[dbPageWritesPerSec]=0.01,[dbLatchWaitsPerSec]=0.77,[dbPageReadsPerSec]=0.01,[dbFullScansPerSec]=1.83,[dbBufferCacheHitRatio]=100,[dbCount]=8,[dbUserCount]=25,[dbLoggedinUserCount]=2,[dbPagesInBufferPool]=116850,[dbPagesFreeInBufferPool]=2336,[dbAverageWaitTimeMs]=239376,[appVersion]=Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64),[serverName]=WIN-08VCENTER,[instanceName]=MSSQLSERVER,[appPort]=1433
Per Instance, per Database Performance Metrics
[PH_DEV_MON_PERF_MSSQL_PERDB]:[eventSeverity]=PHL_INFO,[hostIpAddr]=172.16.22.100, [hostName]=wwwin.accelops.net,[dbName]=tempdb,[appGroupName]=Microsoft SQL Server, [dbDataFileSizeKB]=109504,[dbLogFileUsedKB]=434,[dbLogGrowthCount]=4,[dbLogShrinkCount]=0, [dbTransPerSec]=0.96,[dbLogFlushPerSec]=0.01,[dbLogCacheHitRatio]=44.44, [appVersion]=Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64),[serverName]=WIN-08VCENTER,[instanceName]=MSSQLSERVER,[appPort]=1433
Generic Info
[PH_DEV_MON_PERF_MSSQL_GEN_INFO]:[eventSeverity]=PHL_INFO,[dbName]= tempdb,[dbSize]= 3.0, [dbowner]= sa,[dbId]= 2,[dbcreated]= 1321545600, [dbstatus]= Status=ONLINE; Updateability=READ_WRITE; UserAccess=MULTI_USER; Recovery=SIMPLE; Version=655; Collation=SQL_Latin1_General_CP1_CI_AS; SQLSortOrder=52; IsAutoCreateStatistics; IsAutoUpdateStatistics, [dbcompatibilityLevel]= 100,[spaceAvailable]= 0.9,[appVersion]= Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86),[serverName]= WIN03MSSQL\SQLEXPRESS
Config Info
[PH_DEV_MON_PERF_MSSQL_CONFIG_INFO]:[eventSeverity]=PHL_INFO,[configureName]= user instances enabled,[configMinimum]= 0,[configMaximum]= 1,[dbConfigValue]= 1, [configRunValue]= 1,[appVersion]= Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86),[serverName]= WIN03MSSQL\SQLEXPRESS
Locking Info
[PH_DEV_MON_PERF_MSSQL_LOCK_INFO]:[eventSeverity]=PHL_INFO,[dbId]= 4,[objId]= 1792725439, [lockType]= PAG,[lockedResource]= 1:1256,[lockMode]= IX, [lockStatus]= GRANT,[appVersion]= Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86),[serverName]= WIN03MSSQL\SQLEXPRESS
Blocking Info
[PH_DEV_MON_PERF_MSSQL_BLOCKBY_INFO]:[eventSeverity]=PHL_INFO,[blockedSpId]= 51, [blockedLoginUser]= WIN03MSSQL\Administrator,[blockedDbName]= msdb, [blockedCommand]= UPDATE,[blockedProcessName]= Microsoft SQL Server Management Studio Query,[blockingSpId]= 54,[blockingLoginUser]= WIN03MSSQL\Administrator, [blockingDbName]= msdb,[blockingCommand]= AWAITING COMMAND,[blockingProcessName]= Microsoft SQL Server Management Studio - Query,[blockedDuration]= 5180936, [appVersion]= Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86),[serverName]= WIN03MSSQL\SQLEXPRESS

Error Log
[PH_DEV_MON_PERF_MSSQL_ERROR_LOG_INFO]:[eventSeverity]=PHL_INFO,[logDate]= 1321585903, [processInfo]= spid52,[logText]= Starting up database 'ReportServer$SQLEXPRESSTempDB'., [appVersion]= Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86),[serverName]= WIN03MSSQL\SQLEXPRESS
Logon Events
<134>Feb 08 02:55:34 10.1.2.54 java: [MSSQL_Logon_Success]:[eventSeverity]=PHL_INFO, [eventTime]=2014-02-08 02:54:00.977, [rptIp]=10.1.2.54, [relayIp]=10.1.2.54, [srcName]=<local machine>, [user]=NT SERVICE\ReportServer$MSSQLSERVEJIANFA, [srcApp]=Report Server, [instanceName]=MSSQLSERVEJIANFA, [procId]=52, [loginType]=Windows (NT) Login, [securityId]=AQYAAAAAAAVQAAAALJAZf5XMbcLh8PUDY31LioZ3Uwo=, [isPooled]=1, [destName]=WINS2EDLFIUPQK, [destPort]=1437,
DDL Events - Create Database
<134>Sep 29 15:34:48 10.1.2.54 java: [MSSQL_Create_database]:[eventSeverity]=PHL_INFO, [eventTime]=2013-09-29 15:34:05.687, [rptIp]=10.1.2.54, [relayIp]=10.1.2.54, [user]=WINS2EDLFIUPQK\Administrator, [dbName]=JIANFA, [instanceName]=MSSQLSERVER, [objName]=, [procId]=59, [command]=CREATE DATABASE JIANFA, [destName]=WIN-S2EDLFIUPQK, [destPort]=1433,
DDL Events - Create Index
<134>Sep 29 15:34:48 10.1.2.54 java: [MSSQL_Create_index]:[eventSeverity]=PHL_INFO, [eventTime]=2013-09-29 15:30:40.557, [rptIp]=10.1.2.54, [relayIp]=10.1.2.54, [user]=WINS2EDLFIUPQK\Administrator, [dbName]=master, [instanceName]=MSSQLSERVER, [objName]=IndexTest, [procId]=58, [command]=create index IndexTest on dbo.MSreplication_options(optname);, [schemaName]=dbo, [objType]=INDEX, [destName]=WIN-S2EDLFIUPQK, [destPort]=1433

Microsoft SQL Server Scripts
- SQL Server Trigger Creation Script
- SQL Server Table Creation Script
- SQL Server DDL Event Creation Script
- SQL Server Database Level Event Creation Script
SQL Server Trigger Creation Script (PH_LogonEventsTrigger.sql)
This script creates a server-level trigger called PH_LoginEvents. It records a logon event each time a user establishes a session to the database server. The trigger is located under the database server > Server Objects > Triggers.

CREATE TRIGGER PH_LoginEvents
ON ALL SERVER WITH EXECUTE AS self
FOR LOGON
AS
BEGIN
    -- EVENTDATA() returns the logon event as XML; each field is extracted with an
    -- XQuery expression and stored together with the full XML document.
    -- If this trigger raises an error (for example because the PH_Events database is
    -- unavailable), SQL Server refuses the logon, so create the PH_Events tables first.
    DECLARE @event XML
    SET @event = EVENTDATA()
    INSERT INTO PH_Events.dbo.LogonEvents
        (EventTime, EventType, SPID, ServerName, LoginName, LoginType, SID,
         HostName, IsPooled, AppName, XMLEvent)
    VALUES (
        CAST(CAST(@event.query('/EVENT_INSTANCE/PostTime/text()') AS VARCHAR(64)) AS DATETIME),
        CAST(@event.query('/EVENT_INSTANCE/EventType/text()') AS VARCHAR(128)),
        CAST(@event.query('/EVENT_INSTANCE/SPID/text()') AS VARCHAR(128)),
        CAST(@event.query('/EVENT_INSTANCE/ServerName/text()') AS VARCHAR(128)),
        CAST(@event.query('/EVENT_INSTANCE/LoginName/text()') AS VARCHAR(128)),
        CAST(@event.query('/EVENT_INSTANCE/LoginType/text()') AS VARCHAR(128)),
        CAST(@event.query('/EVENT_INSTANCE/SID/text()') AS VARCHAR(128)),
        CAST(@event.query('/EVENT_INSTANCE/ClientHost/text()') AS VARCHAR(128)),
        CAST(@event.query('/EVENT_INSTANCE/IsPooled/text()') AS VARCHAR(128)),
        APP_NAME(),
        @event
    )
END;
SQL Server Table Creation Script (PH_EventDB_Tables_Create.sql)

CREATE DATABASE PH_Events
GO
CREATE TABLE PH_Events.dbo.DDLEvents (
    XMLEvent XML,
    DatabaseName VARCHAR(64),
    EventTime DATETIME DEFAULT (GETDATE()),
    EventType VARCHAR(128),
    SPID VARCHAR(128),
    ServerName VARCHAR(128),
    LoginName VARCHAR(128),
    ObjectName VARCHAR(128),
    ObjectType VARCHAR(128),
    SchemaName VARCHAR(128),
    CommandText VARCHAR(128)
)
GO
CREATE TABLE PH_Events.dbo.LogonEvents (
    XMLEvent XML,
    EventTime DATETIME,
    EventType VARCHAR(128),
    SPID VARCHAR(128),
    ServerName VARCHAR(128),
    LoginName VARCHAR(128),
    LoginType VARCHAR(128),
    SID VARCHAR(128),
    HostName VARCHAR(128),
    IsPooled VARCHAR(128),
    AppName VARCHAR(255)
)
SQL Server DDL Event Creation Script (PH_DDL_Server_Level_Events.sql)

CREATE TRIGGER PH_DDL_Server_Level_Events
ON ALL SERVER
FOR DDL_ENDPOINT_EVENTS, DDL_LOGIN_EVENTS, DDL_GDR_SERVER_EVENTS, DDL_AUTHORIZATION_SERVER_EVENTS,
    CREATE_DATABASE, ALTER_DATABASE, DROP_DATABASE
    /** Alternatively: FOR DDL_SERVER_LEVEL_EVENTS **/
AS
    -- Each server-level DDL event is stored with its parsed fields and the full XML.
    DECLARE @eventData AS XML;
    SET @eventData = EVENTDATA();
    INSERT INTO PH_Events.dbo.DDLEvents
        (EventTime, EventType, SPID, ServerName, LoginName, ObjectName,
         ObjectType, SchemaName, DatabaseName, CommandText, XMLEvent)
    VALUES (
        CAST(@eventData.query('data(//PostTime)') AS VARCHAR(64)),
        CAST(@eventData.query('data(//EventType)') AS VARCHAR(128)),
        CAST(@eventData.query('data(//SPID)') AS VARCHAR(128)),
        CAST(@eventData.query('data(//ServerName)') AS VARCHAR(128)),
        CAST(@eventData.query('data(//LoginName)') AS VARCHAR(128)),
        CAST(@eventData.query('data(//ObjectName)') AS VARCHAR(128)),
        CAST(@eventData.query('data(//ObjectType)') AS VARCHAR(128)),
        CAST(@eventData.query('data(//SchemaName)') AS VARCHAR(128)),
        CAST(@eventData.query('data(//DatabaseName)') AS VARCHAR(64)),
        CAST(@eventData.query('data(//TSQLCommand/CommandText)') AS NVARCHAR(MAX)),
        /** DB_NAME(), **/
        @eventData
    );
SQL Server Database Level Event Creation Script (PH_Database_Level_Events.sql)

USE master;
GO
-- A database-scoped trigger applies only to the database it is created in (master here).
CREATE TRIGGER PH_Database_Level_Events
ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS
AS
    DECLARE @eventData AS XML;
    SET @eventData = EVENTDATA();
    INSERT INTO PH_Events.dbo.DDLEvents
        (EventTime, EventType, SPID, ServerName, LoginName, ObjectName,
         ObjectType, SchemaName, DatabaseName, CommandText, XMLEvent)
    VALUES (
        CAST(@eventData.query('data(//PostTime)') AS VARCHAR(64)),
        CAST(@eventData.query('data(//EventType)') AS VARCHAR(128)),
        CAST(@eventData.query('data(//SPID)') AS VARCHAR(128)),
        CAST(@eventData.query('data(//ServerName)') AS VARCHAR(128)),
        CAST(@eventData.query('data(//LoginName)') AS VARCHAR(128)),
        CAST(@eventData.query('data(//ObjectName)') AS VARCHAR(128)),
        CAST(@eventData.query('data(//ObjectType)') AS VARCHAR(128)),
        CAST(@eventData.query('data(//SchemaName)') AS VARCHAR(128)),
        CAST(@eventData.query('data(//DatabaseName)') AS VARCHAR(64)),
        CAST(@eventData.query('data(//TSQLCommand/CommandText)') AS NVARCHAR(MAX)),
        @eventData
    );


MySQL Server
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
- Sample events

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | Process level CPU and memory utilization | Performance Monitoring
WMI | Application type, service mappings | Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec | Performance Monitoring
JDBC | None | Generic database information: Version, Character Setting; Database performance metrics: User Connections, Table Updates, Table Selects, Table Inserts, Table Deletes, Temp Table Creates, Slow Queries, Query Cache Hits, Queries Registered in Cache, Database Questions, Users, Live Threads | Performance Monitoring
JDBC | None | Table space performance metrics: Table space name, table space type, Character set and Collation, table space usage, table space free space, Database engine, Table version, Table Row Format, Table Row Count, Average Row Length, Index File length, Table Create time, Table Update Time | Performance Monitoring
JDBC | None | Database audit trail: Successful and failed database log on, Database CREATE/DELETE/MODIFY operations, Table CREATE/DELETE/MODIFY/INSERT operations | Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "mysql" in the Device Type and Description columns to see the event types associated with this device.
Rules
In RESOURCE > Rules, search for "mysql" in the Name column to see the rules associated with this application or device.

Reports
In RESOURCE > Reports, search for "mysql" in the Name and Description columns to see the reports associated with this application or device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
JDBC for Database Auditing - MySQL Server
You must configure your MySQL Server to write audit logs to a database table. The MySQL documentation explains how to set the destination tables for log outputs.
1. Start the MySQL server with TABLE output enabled.
bin/mysqld_safe --user=mysql --log-output=TABLE &
2. Log in to mysql and run the following SQL commands to switch the general_log table to the MyISAM engine and enable the general log.
SET @old_log_state = @@global.general_log;
SET GLOBAL general_log = 'OFF';
ALTER TABLE mysql.general_log ENGINE = MyISAM;
SET GLOBAL general_log = @old_log_state;
SET GLOBAL general_log = 'ON';
The general log records every statement the server receives, so monitor the size of the mysql.general_log table. You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
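As an added illustration (not FortiSIEM's code and not from this guide), the Python script below simulates the mysql.general_log table configured above with sqlite3, polls it with a time watermark, and maps each row to the event types listed under Sample events. The rows are constructed after those samples, and the row-to-event mapping and the user_host column format are inferred from them and from MySQL's documented general_log columns; the collector's real logic is not shown in the guide.

```python
"""Offline model of polling MySQL's general_log (TABLE output) for audit events.
Added example, not FortiSIEM code: sqlite3 stands in for MySQL, the rows are
constructed after this section's sample events, and the row-to-event mapping
is inferred from those samples."""
import re
import sqlite3
from typing import Dict, List, Optional, Tuple

# Column layout of mysql.general_log (MySQL 5.6).
SCHEMA = """CREATE TABLE general_log (
    event_time TEXT, user_host TEXT, thread_id INTEGER,
    server_id INTEGER, command_type TEXT, argument TEXT)"""

# Constructed rows: a successful logon, two statements, a logoff, then a failed
# logon. MySQL records a rejected logon as a "Connect" row whose argument is
# the error text, so the classifier must tell the two Connect cases apart.
ROWS: List[Tuple[str, str, int, int, str, str]] = [
    ("2013-04-29 15:14:54", "admin[admin] @ [172.16.22.227]", 7, 1,
     "Connect", "admin@172.16.22.227 on"),
    ("2013-04-29 15:14:55", "admin[admin] @ [172.16.22.227]", 7, 1,
     "Query", "create database sliutest"),
    ("2013-04-29 15:14:56", "admin[admin] @ [172.16.22.227]", 7, 1,
     "Query", "DROP table sliutable"),
    ("2013-04-29 15:14:57", "admin[admin] @ [172.16.22.227]", 7, 1, "Quit", ""),
    ("2013-04-29 15:15:01", "[admin] @ [172.16.22.227]", 8, 1, "Connect",
     "Access denied for user 'admin'@'172.16.22.227' (using password: YES)"),
]

# user_host looks like "user[user] @ host [ip]" (assumed format; ip is empty for local sockets).
_USER_HOST_RE = re.compile(r"([^\[\s]*)\[([^\]]*)\]\s*@\s*([^\[\s]*)\s*\[([^\]]*)\]")

# Leading keywords of a statement -> event type named in this section (inferred mapping).
_QUERY_EVENTS = {
    ("create", "database"): "MYSQL_Create_database",
    ("drop", "database"): "MYSQL_Drop_database",
    ("create", "table"): "MYSQL_Create_table",
    ("drop", "table"): "MYSQL_Drop_table",
    ("delete", "from"): "MYSQL_Delete_table",
    ("insert", "into"): "MYSQL_Insert_table",
}


def classify(command_type: str, argument: str) -> Optional[str]:
    """Map one general_log row to an event type, or None if it is not audited."""
    if command_type == "Connect":
        return "MYSQL_Logon_Fail" if argument.startswith("Access denied") else "MYSQL_Logon_Success"
    if command_type == "Quit":
        return "MYSQL_Logoff"
    if command_type == "Query":
        return _QUERY_EVENTS.get(tuple(argument.lower().split()[:2]))
    return None


def parse_user_host(user_host: str) -> Tuple[str, str]:
    """Return (user, source) from user_host; source falls back to the host name."""
    m = _USER_HOST_RE.match(user_host)
    if m is None:
        return user_host, ""
    _, user, host, ip = m.groups()
    return user, ip or host


def poll(conn: sqlite3.Connection, last_seen: str) -> Tuple[List[Dict[str, str]], str]:
    """Fetch rows newer than the last_seen watermark; return (events, new watermark)."""
    cur = conn.execute(
        "SELECT event_time, user_host, command_type, argument FROM general_log "
        "WHERE event_time > ? ORDER BY event_time", (last_seen,))
    events: List[Dict[str, str]] = []
    watermark = last_seen
    for event_time, user_host, command_type, argument in cur:
        watermark = max(watermark, event_time)   # advance even for unaudited rows
        event_type = classify(command_type, argument)
        if event_type is None:
            continue
        user, source = parse_user_host(user_host)
        events.append({"eventType": event_type, "eventTime": event_time, "user": user,
                       "srcIp": source, "actionName": command_type, "msg": argument})
    return events, watermark


def build_sample_db() -> sqlite3.Connection:
    """Create the in-memory stand-in table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO general_log VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return conn
```

Calling poll(build_sample_db(), "") yields the five events in time order and the watermark "2013-04-29 15:15:01"; a second poll with that watermark returns nothing.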
Settings for Access Credentials
SNMP Access Credentials for All Devices
Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting | Value
Name | <set name>
Device Type | Generic
Access Protocol | SNMP
Community String | <your own>

Settings for MySQL Server JDBC Access Credentials for Performance Monitoring
Use these Access Method Definition settings to allow FortiSIEM to communicate with your MySQL Server over JDBC for performance monitoring:

Setting | Value
Name | MySQL-Performance-Monitoring
Device Type | Oracle MySQL
Access Protocol | JDBC
Used For | Performance Monitoring
Pull Interval (minutes) | 5
Port | 3306
User Name | The administrative user for the database server
Password | The password associated with the administrative user

Settings for MySQL Server JDBC Access Credentials for Database Auditing
Use these Access Method Definition settings to allow FortiSIEM to communicate with your MySQL Server over JDBC for database auditing:

Setting | Value
Name | MySQL-Audit
Device Type | Oracle MySQL
Access Protocol | JDBC
Used For | Audit
Pull Interval (minutes) | 5
Port | 3306
Database Name | <database name> (mysql)
Audit Table | dba_audit_trail
User Name | The administrative user for the database server
Password | The password associated with the administrative user

Settings for MySQL Server JDBC Access Credentials for Synthetic Transaction Monitoring, Snort Audit, McAfee VulnMgr
Use these Access Method Definition settings to allow FortiSIEM to communicate with your MySQL Server over JDBC for Synthetic Transaction Monitoring, Snort Audit, or McAfee VulnMgr:

Setting | Value
Name | <name>
Device Type | Oracle MySQL
Access Protocol | JDBC
Used For | Synthetic Transaction Monitoring, Snort Audit, or McAfee VulnMgr
Pull Interval (minutes) | 5
Port | 3306
Database Name | <database name>
User Name | The administrative user for the database server
Password | The password associated with the administrative user

Sample events
System Level Performance Metrics
<134>Apr 21 19:06:07 10.1.2.8 java: [PH_DEV_MON_PERF_MYSQLDB]: [eventSeverity]=PHL_INFO, [hostIpAddr]=172.16.22.227, [hostName]=MYSQL, [appGroupName]=MySQL Database Server, [appVersion]=MySQL 5.6.11, [charSetting]=utf8, [dbConnections]=24, [dbComUpdate]=0, [dbComSelect]=1, [dbComInsert]=0, [dbComDelete]=0, [dbCreatedTmpTables]=0, [dbSlowQueries]=0, [dbQcacheHits]=0, [dbQcacheQueriesinCache]=0, [dbQuestions]=7, [dbThreadsConnected]=1, [dbThreadsRunning]=1
Table Space Performance Metrics
<134>Apr 29 10:06:07 172.16.22.227 java: [PH_DEV_MON_PERF_MYSQLDB_TABLESPACE]: [eventSeverity]=PHL_INFO, [appGroupName]=MySQL Database Server, [instanceName]=mysql, [tablespaceName]=general_log, [tablespaceType]=PERMANENT, [tablespaceUsage]=0.01, [tablespaceFreeSpace]=4193886, [dbEngine]=MyISAM, [tableVersion]=10, [tableRowFormat]=dynamic, [tableRows]=124, [tableAvgRowLength]=80, [tableIndexLength]=1024, [tableCreateTime]=2013-04-29 15:12:30, [tableUpdateTime]=2013-04-29 12:35:46, [tableCollation]=utf8_general_ci


Logon/Logoff Events
<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_ Logon_Success]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [logonTime]=2013-04-29 15:14:54, [logoffTime]=, [actionName]=Connect, [msg]=admin@172.16.22.227 on
<134>Apr 10 14:29:22 abc-desktop java: [MYSQL_Logoff]:[eventSeverity]=PHL_INFO, [eventTime]=2013-04-10 14:29:22, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [logonTime]=, [logoffTime]=2014-04-10 14:29:22, [actionName]=quit, [msg]=
<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_ Logon_Fail]: [eventSeverity]=PHL_WARN, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [logonTime]=2013-04-29 15:14:54, [logoffTime]=, [actionName]=Connect, [msg]=Access denied for user 'admin'@'172.16.22.227' (using password: YES)

Database CREATE/DELETE/MODIFY Events
<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Create_database]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=create database sliutest
<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Drop_database]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=drop database sliutest

Table CREATE/DELETE/MODIFY Events
<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Create_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=CREATE TABLE tutorials_tbl(
tutorial_id INT NOT NULL AUTO_INCREMENT,
tutorial_title VARCHAR(100) NOT NULL,
tutorial_author VARCHAR(40) NOT NULL,
submission_date DATE,
PRIMARY KEY ( tutorial_id ) )
<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Delete_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=DELETE FROM tutorials_tbl WHERE tutorial_id=2
<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Insert_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=INSERT INTO tutorials_tbl (tutorial_title, tutorial_author, submission_date) VALUES ("Learn Java", "John Smith", NOW())
<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Drop_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=DROP table sliutable
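The FortiSIEM-generated events above and the Microsoft SQL Server samples earlier in this chapter share one "[key]=value" format. The following added Python example, which is not part of the guide, parses that format (including values that contain commas, '=' and line breaks) and counts failed logons per user and source so repeated failures can be alerted on; the input lines are constructed from the samples shown in these sections.

```python
"""Parse FortiSIEM key-value events and count failed database logons.
Added example, not FortiSIEM code; the sample lines below are constructed
from the MSSQL and MySQL sample events in this guide."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# The event type is the first bracketed token followed by a colon, e.g.
# "[MSSQL_Logon_Success]:"; the syslog header before it contains no brackets.
_EVENT_TYPE_RE = re.compile(r"\[([^\]]+)\]\s*:")

# One "[key]=value" attribute. The value runs lazily up to the next ", [key]="
# delimiter or the end of the event (a trailing comma is allowed), so commas,
# colons and '=' inside values, and values spanning several lines (a logged
# CREATE TABLE statement), survive. A value containing a literal "[key]="
# substring would be split early; the format gives no way to escape that.
_ATTR_RE = re.compile(r"\[([^\]]+)\]=\s*(.*?)(?=,\s*\[[^\]]+\]=|,?\s*$)", re.DOTALL)


def parse_event(line: str) -> Tuple[str, Dict[str, str]]:
    """Return (event_type, attributes) for one event. Whitespace is removed from
    the event type because the guide's sample "[MYSQL_ Logon_Fail]" has a stray space."""
    m = _EVENT_TYPE_RE.search(line)
    if m is None:
        raise ValueError("no [EVENT_TYPE]: marker found")
    event_type = m.group(1).replace(" ", "")
    attrs = {key: value.strip() for key, value in _ATTR_RE.findall(line[m.end():])}
    return event_type, attrs


def failed_logons(lines: List[str]) -> Counter:
    """Count *_Logon_Fail events per (user, source). MySQL events carry srcIp,
    MSSQL logon events carry srcName, so whichever is present is the source."""
    counts: Counter = Counter()
    for line in lines:
        event_type, attrs = parse_event(line)
        if event_type.endswith("_Logon_Fail"):
            source = attrs.get("srcIp") or attrs.get("srcName", "")
            counts[(attrs.get("user", ""), source)] += 1
    return counts


def repeated_failures(lines: List[str], threshold: int) -> List[Tuple[str, str]]:
    """(user, source) pairs with at least `threshold` failed logons, sorted for reporting."""
    return sorted(k for k, n in failed_logons(lines).items() if n >= threshold)


# Constructed sample lines following the formats shown in this guide.
MSSQL_BLOCK = (
    "[PH_DEV_MON_PERF_MSSQL_BLOCKBY_INFO]:[eventSeverity]=PHL_INFO,"
    "[blockedSpId]= 51, [blockedLoginUser]= WIN03MSSQL\\Administrator,"
    "[blockedDbName]= msdb, [blockedCommand]= UPDATE,[blockingSpId]= 54,"
    "[blockingCommand]= AWAITING COMMAND,[blockedDuration]= 5180936, "
    "[appVersion]= Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86),"
    "[serverName]= WIN03MSSQL\\SQLEXPRESS"
)
MSSQL_LOGON = (
    "<134>Feb 08 02:55:34 10.1.2.54 java: [MSSQL_Logon_Success]:"
    "[eventSeverity]=PHL_INFO, [eventTime]=2014-02-08 02:54:00.977, "
    "[rptIp]=10.1.2.54, [srcName]=<local machine>, "
    "[user]=NT SERVICE\\ReportServer$MSSQLSERVEJIANFA, [srcApp]=Report Server, "
    "[loginType]=Windows (NT) Login, [isPooled]=1, [destPort]=1437,"
)
MYSQL_FAIL = (
    "<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_ Logon_Fail]: "
    "[eventSeverity]=PHL_WARN, [eventTime]=2013-04-29 15:14:54, "
    "[rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, "
    "[actionName]=Connect, [msg]=Access denied for user 'admin'@'172.16.22.227' "
    "(using password: YES)"
)
MYSQL_CREATE_TABLE = """<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Create_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=CREATE TABLE tutorials_tbl(
  tutorial_id INT NOT NULL AUTO_INCREMENT,
  tutorial_title VARCHAR(100) NOT NULL,
  PRIMARY KEY ( tutorial_id ) )"""
SAMPLE_EVENTS = [MSSQL_BLOCK, MSSQL_LOGON, MYSQL_FAIL,
                 MYSQL_FAIL.replace("15:14:54", "15:15:02"), MYSQL_CREATE_TABLE]

if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        kind, fields = parse_event(sample)
        print(kind, fields.get("user", "-"), fields.get("msg", "")[:40])
    print("repeated failures:", repeated_failures(SAMPLE_EVENTS, 2))
```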


Oracle Database Server
- Supported Versions
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
- Sample Events
Supported Versions
- Oracle Database 10g
- Oracle Database 11g
- Oracle Database 12c
What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | Process level CPU and memory utilization | Performance Monitoring
WMI | Application type, service mappings | Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec | Performance Monitoring
JDBC | None | Generic database information: version, Character Setting, Archive Enabled, Listener Status, Instance Status, Last backup date; Database performance metrics: Buffer cache hit ratio, Row cache hit ratio, Library cache hit ratio, Shared pool free ratio, Wait time ratio, Memory Sorts ratio, Host CPU Util ratio, CPU Time ratio, Disk Read/Write rates (operations and MBps), Network I/O Rate, Enqueue Deadlock rate, Database Request rate, User Transaction rate, User count, Logged on user count, Session Count, System table space usage, User table space usage, Temp table space usage, Last backup date, Days since last backup | Performance Monitoring
JDBC | None | Table space performance metrics: Table space name, table space type, table space usage, table space free space, table space next extent | Performance Monitoring
Syslog | None | Listener log, Alert log, Audit Log | Security Monitoring
JDBC | None | Database audit trail: Successful and failed database logon, various database operation audit trail including CREATE/ALTER/DROP/TRUNCATE operations on tables, table spaces, databases, clusters, users, roles, views, table indices, triggers etc. | Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "oracle database" in the Description column to see the event types associated with this device.
Rules
In RESOURCE > Rules, search for "oracle database" in the Description column to see the rules associated with this application or device.
Reports
In RESOURCE > Reports, search for "oracle database" in the Name column to see the reports associated with this application or device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
JDBC for Database Performance Monitoring - Oracle Database Server
To configure your Oracle Database Server for performance monitoring by FortiSIEM, you must create a read-only user who has select permissions for the database. This is the user you will use to create the access credentials for FortiSIEM to communicate with your database server.
1. Open the SQL*Plus application.
2. Log in with a system-level account.
3. Connect to your instance as sysdba.
SQL> conn / as sysdba;
Connected.
4. Create a non-admin user account, replacing the example password "accelops" with one of your own. (Note: If you already created the phoenix_agent user, you can skip this step.)
SQL> create user phoenix_agent identified by "accelops";
User created.
5. Assign permissions to the user.
grant select on dba_objects to phoenix_agent;
grant select on dba_tablespace_usage_metrics to phoenix_agent;
grant select on dba_tablespaces to phoenix_agent;
grant select on nls_database_parameters to phoenix_agent;
grant select on v_$backup_set to phoenix_agent;
grant select on v_$instance to phoenix_agent;
grant select on v_$parameter to phoenix_agent;
grant select on v_$session to phoenix_agent;
grant select on v_$sql to phoenix_agent;
grant select on v_$sysmetric to phoenix_agent;
grant select on v_$version to phoenix_agent;
grant select on gv_$session to phoenix_agent;
grant select on gv_$service_stats to phoenix_agent;
6. Verify that the permissions were successfully assigned to the user by running these queries as phoenix_agent.
select count(*) from dba_objects;
select count(*) from dba_tablespace_usage_metrics;
select count(*) from dba_tablespaces;
select count(*) from gv$service_stats;
select count(*) from nls_database_parameters;
select count(*) from v$backup_set order by start_time desc;
select count(*) from v$instance;
select count(*) from v$parameter;
select count(*) from v$session;
select count(*) from v$sql;
select count(*) from v$sysmetric;
select count(*) from v$version;
JDBC for Database Auditing - Oracle Database Server
Required Environment Variables
Make sure that these environment variables are set, for example:
- ORACLE_HOME=C:\app\Administrator\product\11.2.0\dbhome_1
- ORACLE_BASE=C:\app\Administrator
1. Create the audit trail views by executing cataudit.sql as the sysdba user.
Linux:
su - oracle
sqlplus /nolog
conn / as sysdba;
@$ORACLE_HOME/rdbms/admin/cataudit.sql;
quit
Windows:
sqlplus /nolog
conn / as sysdba;
@%ORACLE_HOME%/rdbms/admin/cataudit.sql;
quit
2. Enable auditing by modifying the Oracle instance initialization file init<SID>.ora. This file is typically located in $ORACLE_BASE/admin/<SID>/pfile, where <SID> is the Oracle instance identifier.
AUDIT_TRAIL = DB or AUDIT_TRAIL = true
3. Restart the database.
su - oracle
sqlplus /nolog
conn / as sysdba;
shutdown immediate;
startup;
quit
4. Create a user account and grant select privileges to that user. If you already created the phoenix_agent user in the performance monitoring steps above, skip the CREATE USER statement, keep the password you set there (the example used "accelops"), and run only the GRANT statements.
su - oracle
sqlplus /nolog
conn / as sysdba
Create user phoenix_agent identified by "phoenix_agent_pwd";
Grant connect to phoenix_agent;
Grant select on dba_audit_trail to phoenix_agent;
Grant select on v_$session to phoenix_agent;
5. Turn on auditing.
su - oracle
sqlplus /nolog
conn / as sysdba;
audit session;
quit;
6. Fetch the audit data to make sure the configuration was successful, logging in with the password you set for phoenix_agent.
su - oracle
sqlplus phoenix_agent/phoenix_agent_pwd
select count (*) from dba_audit_trail;
You should see the count change after logging on a few times.
Configuring listener log and error log via SNARE - Oracle side
1. Install and configure the Epilog application to send syslog to FortiSIEM.
   a. Download Epilog from the Snare website and install it on your Windows Server.
   b. Launch Epilog from Start > All Programs > InterSect Alliance > Epilog for windows.
   c. Configure the Epilog application as follows:
      i. Select Log Configuration in the left-hand panel and click the Add button to add the Oracle Listener log file to be sent to FortiSIEM. Make sure the Log Type is OracleListenerLog.
      ii. Click the Add button to add the Oracle Alert log file to be sent to FortiSIEM. Make sure the Log Type is OracleAlertLog.
      iii. After adding both files, the SNARE Log Configuration page lists both files.
      iv. Select Network Configuration in the left-hand panel. On the right, set the destination address to that of the FortiSIEM server, set the port to 514, and make sure that the syslog header is enabled. Then click the Change Configuration button.
      v. Click the "Apply the latest audit configuration" link on the left-hand side to apply the changes to Epilog. The logs will now be sent to FortiSIEM in real time.
You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Settings for Access Credentials
SNMP Access Credentials for All Devices
Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting | Value
Name | <set name>
Device Type | Generic
Access Protocol | SNMP
Community String | <your own>

Settings for Oracle Database Server JDBC Access Credentials for Performance Monitoring
Use these Access Method Definition settings to allow FortiSIEM to communicate with your Oracle database server over JDBC:

Setting | Value
Name | phoenix_agent_accelops
Device Type | Oracle Database Server
Access Protocol | JDBC
Used For | Performance Monitoring
Pull Interval (minutes) | 5
Port | 1521
Instance Name | orcl2
User Name | The user you created for performance monitoring
Password | The password associated with the user

Sample Events
System Level Database Performance Metrics
[PH_DEV_MON_PERF_ORADB]:[eventSeverity]=PHL_INFO, [hostIpAddr]=10.1.2.8, [hostName]=Host10.1.2.8, [appGroupName]=Oracle Database Server, [appVersion]=Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production, [instanceName]=orcl, [instanceStatus]=OPEN, [charSetting]=ZHS16GBK, [archiveEnabled]=FALSE,
[lastBackupDate]=1325566287, [listenerStatus]=OPEN,[dbBufferCacheHitRatio]=100, [dbMemorySortsRatio]=100,[dbUserTransactionPerSec]=0.13,[dbPhysicalReadsPerSec]=0, [dbPhysicalWritesPerSec]=0.48,[dbHostCpuUtilRatio]=0,[dbNetworkKBytesPerSec]=0.58, [dbEnqueueDeadlocksPerSec]=0,[dbCurrentLogonsCount]=32,[dbWaitTimeRatio]=7.13, [dbCpuTimeRatio]=92.87, [dbRowCacheHitRatio]=100,[dbLibraryCacheHitRatio]=99.91,[dbSharedPoolFreeRatio]=18.55, [dbSessionCount]=40,[dbIOKBytesPerSec]=33.26,[dbRequestsPerSec]=3.24, [dbSystemTablespaceUsage]= 2.88,[dbTempTablespaceUsage]= 0,[dbUsersTablespaceUsage]= 0.01, [dbUserCount]= 2,[dbInvalidObjectCount]= 4
Table Space Performance Metrics
[PH_DEV_MON_PERF_ORADB_TABLESPACE]:[eventSeverity]=PHL_INFO, [appGroupName]=Oracle Database Server, [instanceName]=orcl, [tablespaceName]=UNDOTBS1, [tablespaceType]=UNDO, [tablespaceUsage]=0.01, [tablespaceFreeSpace]=4193886, [tablespaceNextExtent]=0
[PH_DEV_MON_PERF_ORADB_TABLESPACE]:[eventSeverity]=PHL_INFO, [appGroupName]=Oracle Database Server, [instanceName]=orcl, [tablespaceName]=USERS, [tablespaceType]=PERMANENT, [tablespaceUsage]=0.01, [tablespaceFreeSpace]=4193774, [tablespaceNextExtent]=0
Oracle Audit Trail (FortiSIEM Generated Events)
<134>Apr 10 12:51:42 abc-desktop java: [ORADB_PH_Logoff]:[eventSeverity]=PHL_INFO, [retCode]=0, [eventTime]=2009-04-10 14:29:22:111420, [rptIp]=172.16.10.40, [srcIp]=QA-VCtOS-ora.abc.net, [user]=DBSNMP, [logonTime]=2009-04-10 14:29:22:111420, [logoffTime]=2009-04-10 14:29:22, [privUsed]=CREATE_SESSION,
Oracle Audit Log
<172>Oracle Audit[25487]: LENGTH : '153' ACTION :[004] 'bjn' DATABASE USER:[9] 'user' PRIVILEGE :[4] 'NONE' CLIENT USER:[9] 'user' CLIENT TERMINAL:[14] 'terminal' STATUS:[1] '0']
<172>Oracle Audit[6561]: LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[8] 'user' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'user' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID: [9] '200958341'
<172>Oracle Audit[28061]: LENGTH: 265 SESSIONID:[9] 118110747 ENTRYID:[5] 14188 STATEMENT: [5] 28375 USERID:[8] user ACTION:[3] 100 RETURNCODE:[1] 0 COMMENT$TEXT:[99] Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.90.217.247)(PORT=4566)) PRIV$USED:[1] 5
Oracle Listener Log
<46>Dec 13 06:07:08 WIN03R2E-110929 OracleListenerLog 0 12-OCT-2011 16:17:52 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=Administrator))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=185599744)) * status * 0
Oracle Alert Log
<46>Dec 13 06:07:08 WIN03R2E-110929 OracleAlertLog 0 ORA-00312: online log 3 thread 1: 'C:\APP\ADMINISTRATOR\ORADATA\ORCL\REDO03.LOG'

DHCP and DNS Server
FortiSIEM supports these DHCP and DNS servers for discovery and monitoring.
- Infoblox DNS/DHCP
- ISC BIND DNS
- Linux DHCP
- Microsoft DHCP (2003, 2008)
- Microsoft DNS (2003, 2008)


Infoblox DNS/DHCP
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Host Name, Hardware model, Serial number, Network Interfaces, Running processes, Installed software | System CPU utilization, Memory utilization, Disk usage, Disk I/O | Performance Monitoring
SNMP | | Process level CPU utilization, Memory utilization | Performance Monitoring
SNMP | | Zone Transfer metrics, for each zone: DNS Responses Sent, Failed DNS Queries, DNS Referrals, Non-existent DNS Record Queries, DNS Non-existent Domain Queries, Recursive DNS Query Received; DNS Cluster Replication metrics: DNS Replication Queue Status, Sent Queue From Master, Last Sent Time From Master, Sent Queue To Master, Last Sent Time To Master; DNS Performance metrics: NonAuth DNS Query Count, NonAuth Avg DNS Latency, Auth DNS Query Count, Auth Avg DNS Latency, Invalid DNS Port Response, Invalid DNS TXID Response; DHCP Performance metrics: Discovers/sec, Requests/sec, Releases/sec, Offers/sec, Acks/sec, Nacks/sec, Declines/sec, Informs/sec; DDNS Update metrics: DDNS Update Success, DDNS Update Fail, DDNS Update Reject, DDNS Prereq Update Reject, DDNS Update Latency, DDNS Update Timeout; DHCP subnet usage metrics, for each DHCP subnet (addr, mask): percent used | Security Monitoring and compliance
SNMP | | Hardware status | Availability monitoring
SNMP Trap | | Hardware failures, Software failures | Availability monitoring

Event Types
In ADMIN > Device Support > Event, search for "infoblox" in the Device Type and Description columns to see the event types associated with this device.
Reports
In RESOURCE > Reports, search for "infoblox" in the Name and Description columns to see the reports associated with this application or device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
SNMP Trap
FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
Settings for Access Credentials
SNMP Access Credentials for All Devices
Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting | Value
Name | <set name>
Device Type | Generic
Access Protocol | SNMP
Community String | <your own>


ISC BIND DNS

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | Process level CPU utilization, Memory utilization | Performance Monitoring
Syslog | Application type | DNS name resolution activity: DNS Query Success and Failure by type | Security Monitoring and compliance

Event Types
In ADMIN > Device Support > Event, search for "isc bind" in the Device Type and Description columns to see the event types associated with this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Syslog
Configure the ISC BIND DNS Server to Send Syslog
1. Edit named.conf and add a new line: include "/var/named/conf/logging.conf"; (BIND requires the path in quotes).
2. Edit the /var/named/conf/logging.conf file, and in the channel queries_file { } section add: syslog local3;
3. Restart BIND by issuing /etc/init.d/named restart.
Configure Syslog to Send to FortiSIEM
1. Edit syslog.conf and add a new line: Local7.* @<IP address of the FortiSIEM server>
2. Restart the syslog daemon by issuing /etc/init.d/syslog restart.
Settings for Access Credentials
SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting | Value
Name | <set name>
Device Type | Generic
Access Protocol | SNMP
Community String | <your own>

Sample BIND DNS Logs
<158>Jan 28 20:41:46 100.1.1.1 named[3135]: 28-Jan-2010 20:40:28.809 client 192.168.29.18#34065: query: www.google.com IN A +


Linux DHCP
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | Process level CPU utilization, Memory utilization | Performance Monitoring
Syslog | Application type | DHCP address release/renew events that are used by FortiSIEM for Identity and location: attributes include IP Address, MAC address, Host Name | Security and compliance (associate machines to IP addresses)

Event Types
In ADMIN > Device Support > Event, search for "linux dhcp" in the Device Type column to see the event types associated with this device.
Configuration
SNMP
1. Make sure that SNMP libraries are installed. FortiSIEM has been tested to work with net-snmp libraries.
2. Log in to your device with administrator credentials.
3. Modify the /etc/snmp/snmpd.conf file:
a. Define the community string for FortiSIEM usage and permit SNMP access from the FortiSIEM IP.
b. Allow FortiSIEM to view the mib-2 tree (read-only).
c. Open up the entire tree for read-only view.
4. Restart the snmpd daemon by issuing /etc/init.d/snmpd restart.
5. Add the snmpd daemon to start from boot by issuing chkconfig snmpd on.
6. Make sure that snmpd is running.
You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Syslog
Configure Linux DHCP to Forward Logs to Syslog Daemon

1. Edit dhcpd.conf and insert the line log-facility local7;.
2. Restart dhcpd by issuing /etc/init.d/dhcpd restart.
Configure Syslog to Forward to FortiSIEM
1. Edit syslog.conf and add a new line: Local7.* @<IP address of FortiSIEM server>.
2. Restart the syslog daemon by issuing /etc/init.d/syslog restart.
Sample Syslog
<13>Aug 26 19:28:11 DNS-Pri dhcpd: DHCPREQUEST for 172.16.10.200 (172.16.10.8) from 00:50:56:88:4e:17 (26L2233B1-02)
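The following Python is an added example, not part of this guide: it decodes the syslog PRI of the two sample lines printed in this guide (the ISC BIND query line and the dhcpd line above), extracts the attributes FortiSIEM keys on, and checks whether a syslog.conf selector such as Local7.* would forward a given line. The BIND sample's PRI 158 decodes to local3.info, matching the syslog local3 channel configured for BIND, while the dhcpd sample's PRI 13 decodes to user.notice, which a Local7.* selector would not match.

```python
import re

# Syslog facility and severity names indexed by their numeric code (RFC 3164 ordering).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The two sample lines printed in this guide (ISC BIND DNS and Linux DHCP sections).
BIND_LINE = ("<158>Jan 28 20:41:46 100.1.1.1 named[3135]: 28-Jan-2010 20:40:28.809 "
             "client 192.168.29.18#34065: query: www.google.com IN A +")
DHCP_LINE = ("<13>Aug 26 19:28:11 DNS-Pri dhcpd: DHCPREQUEST for 172.16.10.200 "
             "(172.16.10.8) from 00:50:56:88:4e:17 (26L2233B1-02)")

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# BSD syslog header: timestamp, reporting host or IP, program[pid]: message
HDR_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\[:\s]+)(?:\[(\d+)\])?: (.*)$", re.S)
# BIND query channel line: client <ip>#<port>: query: <name> <class> <type> <flags>
BIND_RE = re.compile(r"client (?P<client_ip>[\d.]+)#(?P<client_port>\d+): query: "
                     r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)")
# dhcpd lease message: DHCPxxx for <ip> (<server>) from <mac> (<hostname>)
DHCP_RE = re.compile(r"(?P<msg>DHCP[A-Z]+) for (?P<ip>[\d.]+) \((?P<server>[\d.]+)\) "
                     r"from (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<host>[^)]*)\))?")


def decode_pri(line):
    """Return (facility, severity, remainder) for a line that starts with <PRI>."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range syslog PRI")
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)


def parse_syslog(line):
    """Split a syslog line into header fields plus the application attributes FortiSIEM keys on."""
    facility, severity, rest = decode_pri(line)
    m = HDR_RE.match(rest)
    if not m:
        raise ValueError("unrecognised syslog header")
    ts, reporter, prog, pid, msg = m.groups()
    event = {"facility": facility, "severity": severity, "timestamp": ts,
             "reporter": reporter, "program": prog, "pid": pid, "event_type": "UNKNOWN"}
    if prog == "named":
        q = BIND_RE.search(msg)
        if q:
            event.update(q.groupdict())
            event["event_type"] = "DNS_QUERY"
    elif prog == "dhcpd":
        d = DHCP_RE.search(msg)
        if d:
            # Identity and location attributes: IP address, MAC address, host name
            event.update({k: v for k, v in d.groupdict().items() if v is not None})
            event["mac"] = event["mac"].lower()
            event["event_type"] = d.group("msg")
    return event


def matches_selector(line, facility):
    """True if a syslog.conf selector such as '<facility>.*' would forward this line."""
    return decode_pri(line)[0] == facility
```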
Settings for Access Credentials
SNMP Access Credentials for All Devices
Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting | Value
Name | <set name>
Device Type | Generic
Access Protocol | SNMP
Community String | <your own>


Microsoft DHCP
- Supported OS
- What is Discovered and Monitored
- Configuration
- Settings for Access Controls

Supported OS
- Windows 2003
- Windows 2008 and 2008 R2
- Windows 2012 and 2012 R2
- Windows 2016
- Windows 2019

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Process details | Process level CPU utilization, Memory utilization | Performance Monitoring
WMI | Process details, process to service mappings | Process level metrics (Win32_Process, Win32_PerfRawData_PerfProc_Process): uptime, CPU utilization, Memory utilization, Read I/O, Write I/O; DHCP metrics (Win32_PerfFormattedData_DHCPServer_DHCPServer): DHCP request rate, release rate, decline rate, Duplicate Drop rate, Packet Rate, Active Queue length, DHCP response time, Conflict queue length | Performance Monitoring
Windows Agent | Application type | DHCP address release/renew events that are used by FortiSIEM for Identity and location: attributes include IP Address, MAC address, Host Name | Security and compliance (associate machines to IP addresses)

Event Types
In ADMIN > Device Support > Event, search for "microsoft dhcp" in the Description column to see the event types associated with this device.

Configuration
SNMP
See SNMP Configurations in the Microsoft Windows Server Configuration section.
WMI
See WMI Configurations in the Microsoft Windows Server Configuration section.
FortiSIEM Windows Agent
For information on configuring DHCP for FortiSIEM Windows Agent, see Configuring Windows DHCP in the Windows Agent Installation Guide.
Settings for Access Controls
See Setting Access Credentials in the Microsoft Windows Server Configuration section.


Microsoft DNS
- Supported OS
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

Supported OS
- Windows 2003
- Windows 2008 and 2008 R2
- Windows 2012 and 2012 R2
- Windows 2016
- Windows 2019

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | Process level CPU utilization, Memory utilization | Performance Monitoring
WMI | Application type, service mappings | Process level metrics (Win32_Process, Win32_PerfRawData_PerfProc_Process): uptime, CPU utilization, Memory utilization, Read I/O, Write I/O; DNS metrics (Win32_PerfFormattedData_DNS_DNS): DNS requests received, DNS responses sent, WINS requests received, WINS responses sent, Recursive DNS queries received, Recursive DNS queries failed, Recursive DNS queries timeout, Dynamic DNS updates received, Dynamic DNS updates failed, Dynamic DNS updates timeout, Secure DNS update received, Secure DNS update failed, Full DNS Zone Transfer requests sent, Full DNS Zone Transfer requests received, Incremental DNS Zone Transfer requests sent, Incremental DNS Zone Transfer requests received | Performance Monitoring
Windows Agent | Application type | DNS name resolution activity: DNS Query Success and Failure by type | Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "microsoft dns" in the Description column to see the event types associated with this device.

Configuration
SNMP
See SNMP Configurations in the Microsoft Windows Server Configuration section.
WMI
See WMI Configurations in the Microsoft Windows Server Configuration section.
FortiSIEM Windows Agent
For information on configuring DNS for FortiSIEM Windows Agent, see Configuring Windows DNS in the Windows Agent 3.2.0 Installation Guide.
Settings for Access Credentials
See Setting Access Credentials in the Microsoft Windows Server Configuration section.

Directory Server
FortiSIEM supports this directory server for discovery and monitoring.
- Microsoft Active Directory


Microsoft Active Directory
- What is Discovered and Monitored
- Configuration
- Active Directory User Discovery
- Mapping Active Directory User Attributes to FortiSIEM User Attributes

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
LDAP | User details, Password age | | Security Monitoring, User meta data for log
WMI | | Win32_PerfRawData_NTDS_NTDS class: Directory Search Rate, Read Rate, Write Rate, Browse Rate, LDAP search rate, LDAP Bind Rate, New LDAP Connection Rate, Successful LDAP Bind Rate, LDAP Active Threads, LDAP Bind Time, LDAP Client Sessions | Performance Monitoring
WMI | | "dcdiag -e" command output - detect successful and failed domain controller diagnostic tests | Domain Controller Replication status
WMI | | "repadmin /replsummary" command output - detect replication statistics | Domain Controller Replication status

Event Types
- PH_DISCOV_ADS_ACCOUNT_TO_EXPIRE (Active Directory account to expire in 2 weeks)
- PH_DISCOV_ADS_ACCT_DISABLED (Accounts Disabled)
- PH_DISCOV_ADS_DORMANT_ACCT (Dormant User Accounts - no logon in last 30 days)
- PH_DISCOV_ADS_PASSWORD_NEVER_EXPIRES (Active Directory user password never expires)
- PH_DISCOV_ADS_PASSWORD_NOT_REQD (Active Directory user password not required)
- PH_DISCOV_ADS_PASSWORD_STALE (Active Directory user password stale - more than 90 days)
- PH_DISCOV_ADS_PASSWORD_TO_EXPIRE (Active Directory user password to expire in 2 weeks)
- PH_DEV_MON_DCDIAG (output of "dcdiag -e" command)
  [PH_DEV_MON_DCDIAG]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,[errReason]="", [testResult]="passed",[testSubject]="WIN-IGO8O8M5JVT",[testName]="NCSecDesc"

- PH_DEV_MON_SRC_AD_REPL_STAT (output of "repadmin /replsummary" command)
  [PH_DEV_MON_SRC_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT, [largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00, [srcName]="WIN-IGO8O8M5JVT",[errReason]=""
- PH_DEV_MON_DST_AD_REPL_STAT (output of "repadmin /replsummary" command)
  [PH_DEV_MON_DST_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT, [largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00, [destName]="WIN-IGO8O8M5JVT",[errReason]=""
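As an added example (not from the guide), this Python parses the PH_DEV_MON_DCDIAG and PH_DEV_MON_*_AD_REPL_STAT events shown above and applies the checks behind the Failed Windows DC Diagnostic Test rule and the replication status reports. The two failing events in it are constructed, and the thresholds are the example's own assumptions.

```python
import re

EVENT_RE = re.compile(r"^\[(?P<type>\w+)\]:\s*(?P<body>.*)$", re.S)
# One attribute: [name]=value, where value is double-quoted (may contain commas) or bare up to the next comma
ATTR_RE = re.compile(r'\[(\w+)\]=("(?:[^"\\]|\\.)*"|[^,]*)')

SAMPLES = [
    # two events as printed in this guide (a healthy single-DC lab)
    '[PH_DEV_MON_DCDIAG]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,[errReason]="", '
    '[testResult]="passed",[testSubject]="WIN-IGO8O8M5JVT",[testName]="NCSecDesc"',
    '[PH_DEV_MON_SRC_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT, '
    '[largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00, '
    '[srcName]="WIN-IGO8O8M5JVT",[errReason]=""',
    # two constructed events (not from the guide) that exercise the failure paths
    '[PH_DEV_MON_DCDIAG]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,'
    '[errReason]="The replication generated an error (1256)",[testResult]="failed",'
    '[testSubject]="WIN-IGO8O8M5JVT",[testName]="Replications"',
    '[PH_DEV_MON_DST_AD_REPL_STAT]:[hostIpAddr]=10.1.20.60,[hostName]=DC02,'
    '[largestReplDelta]="02h:15m:03s",[failureCount]=3.00,[count]=5.00,[failurePct]=60.00,'
    '[destName]="DC01",[errReason]="(1722) The RPC server is unavailable."',
]


def parse_event(line):
    """Return (event_type, {attribute: value}) for one bracketed FortiSIEM event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError("not a [TYPE]:[attr]=value event")
    attrs = {}
    for key, raw in ATTR_RE.findall(m.group("body")):
        val = raw.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        attrs[key] = val
    return m.group("type"), attrs


def _num(value, default=0.0):
    try:
        return float(value)
    except (TypeError, ValueError):
        return default


def check(line, max_failure_pct=0.0):
    """Return finding strings for one event; an empty list means the event is healthy."""
    etype, a = parse_event(line)
    host = a.get("hostName", "?")
    reason = a.get("errReason") or "no reason given"
    findings = []
    if etype == "PH_DEV_MON_DCDIAG":
        # Same condition as the "Failed Windows DC Diagnostic Test" rule: anything but "passed" fails
        if a.get("testResult", "").lower() != "passed":
            findings.append(f"{host}: dcdiag test {a.get('testName')} {a.get('testResult')} "
                            f"on {a.get('testSubject')}: {reason}")
    elif etype in ("PH_DEV_MON_SRC_AD_REPL_STAT", "PH_DEV_MON_DST_AD_REPL_STAT"):
        peer = a.get("srcName") or a.get("destName") or "?"
        fails, total, pct = _num(a.get("failureCount")), _num(a.get("count")), _num(a.get("failurePct"))
        if fails > 0 or pct > max_failure_pct:
            findings.append(f"{host}: replication with {peer} failing ({fails:.0f} of {total:.0f} "
                            f"attempts, {pct:.1f}%): {reason}")
        # repadmin prints ">60 days" when the largest delta exceeds its reporting limit
        if a.get("largestReplDelta", "").startswith(">"):
            findings.append(f"{host}: largest replication delta with {peer} is {a['largestReplDelta']}")
    return findings


def run_checks(lines):
    """Apply check() to every event line and return all findings."""
    return [f for line in lines for f in check(line)]
```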
Rules
- Failed Windows DC Diagnostic Test
Reports
- Successful Windows Domain Controller Diagnostic Tests
- Failed Windows Domain Controller Diagnostic Tests
- Source Domain Controller Replication Status
- Destination Domain Controller Replication Status
Configuration
WMI
See WMI Configurations in the Microsoft Windows Server Configuration section.
Active Directory User Discovery
If you want to add Active Directory users to FortiSIEM, follow these steps in the FortiSIEM UI.
1. Add the login credentials for the Active Directory server and associate them to an IP range.
2. Discover the Active Directory server.
If the Active Directory server is discovered successfully, all of the users and their properties will be added to FortiSIEM. After the users have been added to FortiSIEM, you can re-run discovery to get new changes from Active Directory. You cannot make changes in FortiSIEM, as this will inevitably make FortiSIEM out of sync with Active Directory. Since Active Directory can contain many users, it is possible to choose a sub-tree by specifying a base DN (see below).
Adding Active Directory login credentials to FortiSIEM
1. Log in to your Supervisor UI.
2. Go to ADMIN > Setup > Credentials.
3. Click New to create an LDAP discovery credential by entering the following in the Access Method Definition dialog box:

a. Name: a name for the credential.
b. Device Type: select Microsoft Windows.
c. Access Protocol:
i. By default, LDAP servers listen on TCP port 389.
ii. LDAPS (LDAP with SSL) defaults to port 636.
iii. LDAP Start TLS defaults to port 389.
d. Used For: select Microsoft Active Directory.
e. Base DN: enter the root of the LDAP user tree that you want to discover. For example, dc=companyABC,dc=com or ou=Org1,dc=companyABC,dc=com.
f. NetBIOS/Domain: enter the NetBIOS/Domain value.
g. User Name: enter the user name for your LDAP directory. The user should be a member of the Domain Users group in Active Directory. See Validating LDAP Credentials and Permissions for information on how to validate this membership.
h. Enter and confirm the Password for your User.
i. Click Save. Your LDAP credentials will be added to the list of credentials.
4. Under Enter IP Range to Credential Associations, click Add.
5. Select your LDAP credentials from the list of Credentials. Click + to add more.
6. Enter the IP/IP Range or host name for your Active Directory server.
7. Click Save. Your LDAP credentials will appear in the list of credential/IP address associations.
8. Click Test > Test Connectivity to make sure you can connect to the Active Directory server.
Discovering users in FortiSIEM
1. Go to ADMIN > Discovery and click Add.
2. For Name, enter Active Directory.
3. For Include Range, enter the IP address or host name for your Active Directory server.
4. Click OK. Active Directory will be added to the list of discoverable devices.
5. Select the Active Directory device and click Discover.
6. After discovery completes, go to CMDB > Users to view the discovered users. You may need to click Refresh to load the user tree hierarchy.
To get user updates in Active Directory, simply re-run discovery.
Validating LDAP Credentials and Permissions
1. Log in to your Active Directory server.
2. Open the Active Directory console from the command prompt by executing the dsa.msc command.

3. From the Active Directory console, select the User that was added in the FortiSIEM Supervisor.
4. Right-click the selected User and check Properties.
5. The User should be a member of Domain Users.
6. In FortiSIEM, the Base DN should match, for example: DC=accelops,DC=net.

Mapping Active Directory User Attributes to FortiSIEM User Attributes
The following table shows how user attributes in Microsoft Active Directory are shown in the FortiSIEM UI. To find Active Directory user attributes, take the following steps:
1. Log in to Active Directory.
2. Go to Active Directory Users and Computers.
3. Click View > Enable Advanced Features.
4. Find a user, and take the following steps:
a. Double-click the user.
b. Click Attribute Editor.
You will see a set of attributes and the values they are set to.

In FortiSIEM, user details can be found in CMDB > Users. First, click the tree node on the left that you have discovered, then locate the user in the right pane. Attributes are displayed on the main page and under Summary, Contact, and Member Of.

Microsoft Active Directory User Attribute | FortiSIEM User Attribute
sAMAccountName | User Name
name | Full Name
userPrincipalName | <Not shown>
mail | Email
telephoneNumber | Work Phone
mobile | Mobile Phone
title | Job Title
company | Company
department | <Not shown>
employeeID | Employee ID
manager | Manager
l | <Not shown>
postalCode | ZIP
streetAddress | Address
homePostalAddress | <Not shown>
c | City
st | State
co | Country
memberOf | Member Of

Document Management Server
FortiSIEM supports this document management server for discovery and monitoring.
- Microsoft SharePoint


Microsoft SharePoint
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol | Information discovered | Metrics/Logs collected | Used for
LOGbinder Agent | | SharePoint logs - Audit trail integrity, Access control changes, Document updates, List updates, Container object updates, Object changes, Object Import/Exports, Document views, Information Management Policy changes | Log analysis and compliance

Event Types
In ADMIN > Device Support > Event, search for "sharepoint" in the Description column to see the event types associated with this device.
Reports
In RESOURCE > Reports, search for "sharepoint" in the Name column to see the reports associated with this application or device.
Configuration
Microsoft SharePoint logs are supported via the LOGbinder SP agent from Monterey Technology Group. The agent must be installed on the SharePoint server. Configure the agent to write logs to the Windows Security log. FortiSIEM then reads the Windows Security log via WMI, categorizes the SharePoint-specific events and parses the SharePoint-specific attributes.
Installing and Configuring LOGbinder SP Agent
- LOGbinder Install web link
- LOGbinder Configuration web link - remember to configure the LOGbinder SP agent to write to the Windows Security log
- LOGbinder SP getting started document - remember to configure the LOGbinder SP agent to write to the Windows Security log

Healthcare IT
FortiSIEM supports the discovery and monitoring of these healthcare applications.
- Epic EMR/EHR System


Epic EMR/EHR System
- Integration Points
- Configuration
- Settings for Access Credentials
- Sample Events

Integration Points

Method | Information discovered | Metrics collected | Logs collected | Used for
Syslog | Host name, Reporting IP | None | Authentication Query, Client login Query | Security monitoring

Event Types
In ADMIN > Device Support > Event, search for "Epic-SecuritySIEM" to see the event types associated with this device. There are two events that are parsed:
- Epic-SecuritySIEM-AUTHENTICATION-Query
- Epic-SecuritySIEM-LOGIN-Query
Rules
No specific rules are written for Epic-SecuritySIEM.
Reports
No specific reports are written for Epic-SecuritySIEM.
Configuration
Configure the Epic-SecuritySIEM system to send logs to FortiSIEM in the supported format (see Sample Events).
Settings for Access Credentials
None required.
Sample Events
Oct 19 05:32:16 10.25.8.111 CEF:0|Epic|Security-SIEM|8.3.0|LOGIN|LOGIN|4|cnt=1 suser=3227^DOE, JOHN L^JOHN-DOE shost=PRD workstationID=WS7946 act=Query end=Oct 19 00:30:00 flag=^^Workflow Logging CLIENTNAME=dom1/WS7946 DEP=100000010^RMC ICU MAIN IP=10.25.6.59/10.170.10.66 LOGINLDAPID=JOHN-DOE LOGINREASON= OSUSR=WS7946 ROLE=MODEL IP NURSE SOURCE=1-Hyperspace USERJOB=304401^RMC INPATIENT NURSE TEMPLATE#011

Oct 19 05:32:16 10.25.8.111 CEF:0|Epic|SecuritySIEM|8.3.0|AUTHENTICATION|AUTHENTICATION|4|cnt=1 suser=3055^DOE, JOHN^JOHN-DOE shost=PRD workstationID=WS7610 act=Query end=Oct 19 00:30:00 flag=Access History^^Workflow Logging LOGINCONTEXT=0-Login LOGINDEVICE=10001-ImprivataAuthMultiApp LOGINLDAPID=JOHN-DOE LOGINREVAL= 011
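As an added example (not from the guide or from Epic), this Python parses the two Epic-SecuritySIEM sample events above as CEF: it splits the seven pipe-delimited header fields, walks the extension where values such as ROLE=MODEL IP NURSE contain spaces, and unpacks the id^name^login triple Epic places in suser. The event_type naming is this example's own assumption, chosen to match the two event names listed under Event Types.

```python
import re

# The two Epic-SecuritySIEM sample events printed in this guide
SAMPLE_LOGIN = ("Oct 19 05:32:16 10.25.8.111 CEF:0|Epic|Security-SIEM|8.3.0|LOGIN|LOGIN|4|cnt=1 "
                "suser=3227^DOE, JOHN L^JOHN-DOE shost=PRD workstationID=WS7946 act=Query "
                "end=Oct 19 00:30:00 flag=^^Workflow Logging CLIENTNAME=dom1/WS7946 "
                "DEP=100000010^RMC ICU MAIN IP=10.25.6.59/10.170.10.66 LOGINLDAPID=JOHN-DOE "
                "LOGINREASON= OSUSR=WS7946 ROLE=MODEL IP NURSE SOURCE=1-Hyperspace "
                "USERJOB=304401^RMC INPATIENT NURSE TEMPLATE#011")
SAMPLE_AUTH = ("Oct 19 05:32:16 10.25.8.111 CEF:0|Epic|SecuritySIEM|8.3.0|AUTHENTICATION|"
               "AUTHENTICATION|4|cnt=1 suser=3055^DOE, JOHN^JOHN-DOE shost=PRD workstationID=WS7610 "
               "act=Query end=Oct 19 00:30:00 flag=Access History^^Workflow Logging "
               "LOGINCONTEXT=0-Login LOGINDEVICE=10001-ImprivataAuthMultiApp LOGINLDAPID=JOHN-DOE "
               "LOGINREVAL= 011")

PIPE_RE = re.compile(r"(?<!\\)\|")                        # header separator unless escaped as \|
KEY_RE = re.compile(r"(?:^| )([A-Za-z_][A-Za-z0-9_]*)=")  # start of an extension key
PREFIX_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+)$")  # syslog timestamp + reporter


def _unescape_header(field):
    return field.replace("\\|", "|").replace("\\\\", "\\")


def parse_cef(line):
    """Parse a syslog-prefixed CEF line into header fields, an extension dict and Epic user fields."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header")
    parts = PIPE_RE.split(line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    version, vendor, product, dev_version, sig_id, name, severity = map(_unescape_header, parts[:7])
    # Extension values may contain spaces, so each value runs up to the next " key=" boundary
    ext_text = parts[7]
    keys = list(KEY_RE.finditer(ext_text))
    ext = {}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        ext[k.group(1)] = ext_text[k.end():end].strip().replace("\\=", "=")
    event = {"vendor": vendor, "product": product, "device_version": dev_version,
             "signature_id": sig_id, "name": name, "severity": int(severity),
             "cef_version": version, "ext": ext, "reporting_ip": None, "timestamp": None}
    pm = PREFIX_RE.match(line[:start].strip())
    if pm:
        event["timestamp"], event["reporting_ip"] = pm.groups()
    #  Epic packs "<id>^<display name>^<login>" into suser
    if "suser" in ext:
        user_id, _, rest = ext["suser"].partition("^")
        user_name, _, login = rest.partition("^")
        event["user"] = {"id": user_id, "name": user_name, "login": login}
    # Event type name built here (this example's convention) to match the names under Event Types
    event["event_type"] = f"{vendor}-{product.replace('-', '')}-{sig_id}-{ext.get('act', '')}"
    return event
```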

Mail Server
FortiSIEM supports this mail server for discovery and monitoring.
- Microsoft Exchange


Microsoft Exchange
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
- Sample Logs
What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | Process level CPU and memory utilization for the various Exchange server processes | Performance Monitoring
WMI | Application type, service mappings | Process level metrics and Exchange metrics (see the list below) | Performance Monitoring
Windows Agent | | Application Logs | Security Monitoring and Compliance

Metrics collected over WMI:
- Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec for the various Exchange server processes
- Exchange performance metrics: VM Largest Block size, VM Large Free Block Size, VM Total Free Blocks, RPC Requests, RPC Request Peak, RPC Average Latency, RPC Operations/sec, User count, Active user Count, Peak User Count, Active Connection Count, Max Connection Count
- Exchange error metrics (obtained from the Win32_PerfRawData_MSExchangeIS_MSExchangeIS WMI class): RPC Success, RPC Failed, RPC Denied, RPC Failed - Server Busy, RPC Failed Server Unavailable, Foreground RPC Failed, Background RPC Failed
- Exchange mailbox metrics (obtained from the Win32_PerfRawData_MSExchangeIS_MSExchangeISMailbox and Win32_PerfRawData_MSExchangeIS_MSExchangeISPublic WMI classes): Per Mailbox: Send Queue, Receive Queue, Sent Message, Submitted Message, Delivered Message, Active User, Peak User
- Exchange SMTP metrics (obtained from the Win32_PerfRawData_SMTPSVC_SMTPServer WMI class): Categorization Queue, Local Queue, Remote Queue, Inbound Connections, Outbound Connections, Sent Bytes/sec, Received Bytes/sec, Retry Count, Local Retry Queue, Remote Retry Queue
- Exchange ESE Database (Win32_PerfFormattedData_ESE_MSExchangeDatabase)
- Exchange Database Instances (Win32_PerfFormattedData_ESE_MSExchangeDatabaseInstances)
- Exchange Mail Submission Metrics (Win32_PerfFormattedData_MSExchangeMailSubmission_MSExchangeMailSubmission)
- Exchange Replication Metrics (Win32_PerfFormattedData_MSExchangeReplication_MSExchangeReplication)
- Exchange Store Interface Metrics (Win32_PerfFormattedData_MSExchangeStoreInterface_MSExchangeStoreInterface)
- Exchange Transport Queue Metrics (Win32_PerfFormattedData_MSExchangeTransportQueues_MSExchangeTransportQueues)

Event Types
In ADMIN > Device Support > Event, search for "microsoft exchange" in the Description column to see the event types associated with this device.
Reports
In RESOURCE > Reports, search for "microsoft exchange" in the Name column to see the reports associated with this application or device.
Configuration
SNMP
See SNMP Configurations in the Microsoft Windows Server Configuration section.
WMI
See WMI Configurations in the Microsoft Windows Server Configuration section.
Settings for Access Credentials
See Setting Access Credentials in the Microsoft Windows Server Configuration section.

Sample Logs
2017-10-05T12:06:00Z SRV-EXCH02.uskudar.bld 10.9.1.105 AccelOps-WUA-UserFileExchangeTrackLog [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="d78e4bd5-bc3f-4950-bcdf-926947ee1db7" [timeZone]="+0300" [fileName]="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\MSGTRKMS2017100512-1.LOG" [msg]="2017-10-05T12:05:56.564Z,fe80::ac4c:6f22:1c25:97d8%13,SRV-EXCH02,,SRVEXCH01.uskudar.bld,\"MDB:d72c63cf-290e-456e-86e5-85dedb1f56de, Mailbox:d7c8c416-c1a7-4225-a17f-552d5274703d, Event:4419662, MessageClass:IPM.Note.ProbeMessage.MBTSubmissionServiceHeartbeatProbe, CreationTime:2017-10-05T12:05:56.267Z, ClientType:Monitoring, SubmissionAssistant:MailboxTransportSubmissionEmailAssistant\",,STOREDRIVER,SUBMIT,,<e545b612256a4c14a563f78a8999fafd@uskudar.bel.tr>,0a21180c-5932-4c7e-3888-08d50be96f34,HealthMailbox66dd83eddb9b4ee69dbd3fa82c925a3b@uskudar.bel.tr,,,1,,,000000520000-0000-0000-0000ea5a2141MBTSubmissionServiceHeartbeatProbe,HealthMailbox66dd83eddb9b4ee69dbd3fa82c925a3b@uskudar.bel.tr,,2017-10-05T12:05:56.267Z;LSRV=SRV-EXCH02.uskudar.bld:TOTALSUB=0.296|SA=0.078|MTSS=0.209(MTSSD=0.209(MTSSDA=0.005|MTSSDC=0.005|SDSSO=0.161(SMSC=0.020|SMS=0.140)|X-MTSSDPL=0.004|XMTSSDSS=0.008|MTSSDSDS=0.001)),Originating,,,,S:ItemEntryId=00-00-00-00-ED-99-60-31-E3-763C-4B-BE-FE-5B-27-F0-88-3D-0A-07-00-25-D5-0C-8E-46-5A-51-46-A4-18-7D-65-F7-DF-52-1C-00-0000-00-01-0B-00-00-25-D5-0C-8E-46-5A-51-46-A4-18-7D-65-F7-DF-52-1C-00-00-30-88-0D-FF-0000,Email,92e0d0ab-4670-41e9-d453-08d50be96f50,15.01.0845.034"

Management Server/Appliance
FortiSIEM supports these management servers and appliances for discovery and monitoring.
- Cisco Application Centric Infrastructure (ACI)
- Fortinet FortiInsight
- Fortinet FortiManager


Cisco Application Centric Infrastructure (ACI)

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Cisco APIC API (REST) | | Overall Health, Tenant Health, Node Health, Cluster Health, Application Health, EPG health, Fault Record, Event record, Log Record, Configuration Change | Availability and Performance Monitoring

Event Types
Go to ADMIN > Device Support > Event and search for "Cisco_ACI".

Rules
Go to RESOURCE > Rules and search for "Cisco ACI".

Reports
Go to RESOURCE > Reports and search for "Cisco ACI".

Configuration
Cisco ACI Configuration
Please configure Cisco ACI Appliance so that FortiSIEM can access it via APIC API.

FortiSIEM Configuration

1. Go to ADMIN > Setup > Credentials.
2. In Step 1: Enter Credentials, click New and create a credential.

Setting | Description
Name | Enter a name for the credential.
Device Type | CISCO CISCO ACI
Access Protocol | Cisco APIC API
Pull Interval | 5 minutes
Port | 443
Password config | See Password Configuration
User Name | User name for device access
Password | Password for the various REST APIs
Description | Password for the various REST APIs

3. In Step 2: Enter IP Range to Credential Associations, click New and create the association.
a. IP - specify the IP address of the ACI Controller.
b. Credential - specify the Name as in 2a.
4. Test Connectivity - run Test Connectivity with or without ping and make sure the test succeeds.
5. Check the Pull Events tab to make sure that an event pulling entry is created.

Sample Events
Overall Health Event
[Cisco_ACI_Overall_Health]: {"attributes":{"childAction":"","cnt":"29","dn":"topology/HDfabricOverallHealth5min0","healthAvg":"82","healthMax":"89","healthMin":"0","healthSpct":"0","healthThr":"","healthTr":"1","index":"0","lastCollOffset":"290","repIntvEnd":"2016-09-05T08:13:53.232+00:00","repIntvStart":"2016-09-05T08:09:03.128+00:00","status":""}}
Tenant Health Event
[Cisco_ACI_Tenant_Health]: {"attributes":{"childAction":"","descr":"","dn":"uni/tnCliQr","lcOwn":"local","modTs":"2016-09-05T07:56:27.164+00:00","monPolDn":"uni/tncommon/monepgdefault","name":"CliQr","ownerKey":"","ownerTag":"","status":"","uid":"15374"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"100","updTs":"2016-09-05T08:27:03.584+00:00"}}}]}
Nodes Health Event
[Cisco_ACI_Node_Health]: {"attributes":{"address":"10.0.208.95","childAction":"","configIssues":"","currentTime":"2016-09-05T08:15:51.794+00:00","dn":"topology/pod-1/node101/sys","fabricId":"1","fabricMAC":"00:22:BD:F8:19:FF","id":"101","inbMgmtAddr":"0.0.0.0","inbMgmtAddr6":"0.0.0.0","lcOwn":"local","modTs":"2016-09-05T07:57:29.435+00:00","mode":"unspecified","monPolDn":"uni/fabric/monfabdefault","name":"Leaf1","oobMgmtAddr":"0.0.0.0","oobMgmtAddr6":"0.0.0.0","podId":"1","role":"leaf","serial":"TEP-1-101","state":"inservice","status":"","systemUpTime":"00:00:27:05.000"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"-10","cur":"90","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"90","updTs":"2016-09-05T07:50:08.415+00:00"}}}]}
Cluster Health Event
[Cisco_ACI_Cluster_Health]: {"attributes":{"addr":"10.0.0.1","adminSt":"inservice","chassis":"10220833-ea00-3bb3-93b2-ef1e7e645889","childAction":"","cntrlSbstState":"approved","dn":"topology/pod-1/node1/av/node-1","health":"fully-fit","id":"1","lcOwn":"local","mbSn":"TEP-1-1","modTs":"2016-09-05T08:00:46.797+00:00","monPolDn":"","mutnTs":"2016-09-05T07:50:19.570+00:00","name":"","nodeName":"apic1","operSt":"available","status":"","uid":"0"}}
Application Health Event
[Cisco_ACI_Application_Health]: {"attributes":{"childAction":"","descr":"","dn":"uni/tninfra/ap-access","lcOwn":"local","modTs":"2016-09-07T08:17:20.503+00:00","monPolDn":"uni/tncommon/monepgdefault","name":"access","ownerKey":"","ownerTag":"","prio":"unspecified","status":"","uid":"0"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"100","updTs":"2016-09-07T08:39:35.531+00:00"}}}]}
EPG Health Event
[Cisco_ACI_EPG_Health]: {"attributes":{"childAction":"","configIssues":"","configSt":"applied","descr":"","dn":"uni/tn-infra/apaccess/epgdefault","isAttrBasedEPg":"no","lcOwn":"local","matchT":"AtleastOne","modTs":"2016-09-07T08:17:20.503+00:00","monPolDn":"uni/tn-common/monepgdefault","name":"default","pcEnfPref":"unenforced","pcTag":"16386","prio":"unspecified","scope":"16777199","status":"","triggerSt":"triggerable","txId":"5764607523034234882","uid":"0"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"100","updTs":"2016-09-07T08:39:35.549+00:00"}}}]}
Fault Record Event
[Cisco_ACI_Fault_Record]: ,"created":"2016-09-05T08:00:41.313+00:00","delegated":"no","delegatedFrom":"","descr":"Controller3isunhealthybecause:DataLayerPartiallyDegradedLeadership","dn":"subj[topology/pod-1/node-1/av/node-3]/fr4294967583","domain":"infra","highestSeverity":"critical","id":"4294967583","ind":"modification","lc":"soaking","modTs":"never","occur":"1","origSeverity":"critical","prevSeverity":"critical","rule":"infra-wi-nodehealth","severity":"critical","status":"","subject":"controller","type":"operational"}
Event Record Event
[Cisco_ACI_Event_Record]: {"attributes":{"affected":"topology/pod-1/node-2/lon/svc-ifc_dhcpd","cause":"state-change","changeSet":"id:ifc_dhcpd,leCnnct:undefined,leNonOptCnt:undefined,leNotCnnct:undefined,name:ifc_dhcpd","childAction":"","code":"E4204979","created":"2016-09-05T07:57:37.024+00:00","descr":"Allshardsofserviceifc_dhcpdhaveconnectivitytotheleaderreplicaintheCluster.","dn":"subj-[topology/pod-1/node2/lon/svc-ifc_dhcpd]/rec-8589934722","id":"8589934722","ind":"statetransition","modTs":"never","severity":"info","status":"","trig":"oper","txId":"18374686479671623682","user":"internal"}}
Log Record Event
[Cisco_ACI_Log_Record]: {"attributes":{"affected":"uni/userext/useradmin","cause":"unknown","changeSet":"","childAction":"","clientTag":"","code":"generic","created":"2016-09-05T07:56:25.825+00:00","descr":"From-198.18.134.150-client-type-REST-Success","dn":"subj-[uni/userext/user-admin]/sess4294967297","id":"4294967297","ind":"special","modTs":"never","severity":"info","status":"","systemId":"1","trig":"login,session","txId":"0","user":"admin"}}
Configuration Change Event
[Cisco_ACI_Configuration_Chang]: {"attributes":{"affected":"uni/tn-CliQr/out-CliQr-ProdL3Out/instP-CliQr-Prod-L3OutEPG/rscustQosPol","cause":"transition","changeSet":"","childAction":"","clientTag":"","code":"E4206266","created":"2016-09-05T07:56:27.099+00:00","descr":"RsCustQosPolcreated","dn":"subj-[uni/tnCliQr/out-CliQr-Prod-L3Out/instP-CliQr-Prod-L3Out-EPG/rscustQosPol]/mod4294967308","id":"4294967308","ind":"creation","modTs":"never","severity":"info","status":"","trig":"config","txId":"7493989779944505526","user":"admin"}}
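As an added example (not from the guide or from Cisco), this Python turns health and fault events of the shapes shown above into availability findings: it reads healthAvg or the healthInst cur/prev/chng score, flags objects below a threshold or whose score dropped, and flags faults at or above a chosen severity. The sample events are constructed in the shape of the ones above, and the thresholds are assumptions.

```python
import json
import re

EVENT_RE = re.compile(r"^\[(?P<type>\w+)\]:\s*(?P<json>\{.*\})\s*$", re.S)
# ACI fault severities, lowest to highest
SEVERITY_RANK = {"cleared": 0, "info": 1, "warning": 2, "minor": 3, "major": 4, "critical": 5}

# Constructed sample events (not copied from the guide); they keep the shape of the samples
# above: scores in attributes.healthAvg or in children[].healthInst.attributes.{cur,prev,chng}
SAMPLES = [
    '[Cisco_ACI_Overall_Health]: {"attributes":{"dn":"topology/HDfabricOverallHealth5min0",'
    '"healthAvg":"82","healthMax":"89","healthMin":"0","healthTr":"1"}}',
    '[Cisco_ACI_Node_Health]: {"attributes":{"dn":"topology/pod-1/node-101/sys","name":"Leaf1",'
    '"role":"leaf","state":"inservice"},"children":[{"healthInst":{"attributes":'
    '{"chng":"-10","cur":"90","maxSev":"cleared","prev":"100"}}}]}',
    '[Cisco_ACI_Tenant_Health]: {"attributes":{"dn":"uni/tn-CliQr","name":"CliQr"},'
    '"children":[{"healthInst":{"attributes":{"chng":"0","cur":"100","maxSev":"cleared","prev":"100"}}}]}',
    '[Cisco_ACI_Fault_Record]: {"attributes":{"descr":"Controller 3 is unhealthy because: '
    'Data Layer Partially Degraded Leadership","dn":"subj-[topology/pod-1/node-1/av/node-3]/fr-4294967583",'
    '"rule":"infra-wi-nodehealth","severity":"critical","lc":"soaking","subject":"controller"}}',
]


def parse_aci_event(line):
    """Split '[Cisco_ACI_xxx]: {json}' into the event type and the decoded APIC object."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError("not a bracketed Cisco_ACI event with a JSON body")
    return m.group("type"), json.loads(m.group("json"))


def health_score(obj):
    """Return (current, previous, change) from a healthInst child, or (healthAvg, None, None)."""
    for child in obj.get("children", []):
        h = child.get("healthInst", {}).get("attributes")
        if h:
            return int(h["cur"]), int(h["prev"]), int(h["chng"])
    attrs = obj.get("attributes", {})
    if "healthAvg" in attrs:
        return int(attrs["healthAvg"]), None, None
    return None, None, None


def evaluate(lines, min_health=95, min_fault_severity="major"):
    """Findings: objects below min_health or with a score drop, and faults at or above min_fault_severity."""
    findings = []
    for line in lines:
        etype, obj = parse_aci_event(line)
        attrs = obj.get("attributes", {})
        label = attrs.get("name") or attrs.get("dn", "?")
        if etype == "Cisco_ACI_Fault_Record":
            if SEVERITY_RANK.get(attrs.get("severity"), 0) >= SEVERITY_RANK[min_fault_severity]:
                findings.append(f"fault {attrs.get('severity')} rule={attrs.get('rule')} "
                                f"on {attrs.get('dn')}: {attrs.get('descr')}")
            continue
        cur, prev, chng = health_score(obj)
        if cur is None:
            continue  # event records, log records and configuration changes carry no score
        if cur < min_health or (chng or 0) < 0:
            findings.append(f"{etype}: {label} health {cur} (prev {prev}, change {chng})")
    return findings
```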


Fortinet FortiInsight
FortiInsight is a unique data security and threat detection solution that delivers advanced threat hunting to help you spot, respond to, and manage risky behaviors that put your business-critical data at risk. It combines powerful and flexible Machine Learning with detailed forensics around user actions to bring focus to the facts more rapidly than other solutions.
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration in FortiInsight
- Configuration in FortiSIEM
- Sample Events
What is Discovered and Monitored

Protocol | Information collected | Used for
FortiInsight API | Policy based alerts and AI based alerts | Data security, threat protection

This feature allows FortiSIEM to get Policy-based alerts and AI-based alerts from FortiInsight.

Event Types
In RESOURCES > Event Types, enter "FortiInsight" in the Search column to see the event types associated with this device.

Rules
In RESOURCES > Rules, enter "FortiInsight" in the Search column to see the rules associated with this device.

Reports
No defined reports.

Configuration in FortiInsight
Get an API Key in FortiInsight
Complete these steps in the FortiInsight UI:
1. Log in to FortiInsight.
2. Select Admin > Account from the left menu.
3. Click New API Key to open the New API Key dialog box.

FortiSIEM 6.1.1 External Systems Configuration Guide

171

Fortinet Technologies Inc.

Applications
4. Enter a descriptive Name. 5. Click Save to generate the API key. This will download a file containing the API key information (Client ID, Client
Secret, and Name). Make a note of these values; you will need them when you configure FortiSIEM.
Configuration in FortiSIEM
Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box:

   Name: Enter a name for the credential
   Device Type: Fortinet FortiInsight
   Access Protocol: FortiInsight API
   Pull Interval: The interval at which FortiSIEM pulls events from FortiInsight. Default is 3 minutes.
   Client ID: Access key for your FortiInsight instance
   Client Secret: Secret key for your FortiInsight instance
   Organization: The organization the device belongs to
   Description: Description of the device

3. In Step 2: Enter IP Range to Credential Associations:
   a. Select the name of your Fortinet FortiInsight credential from the Credentials drop-down list.
   b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
   c. Click Save.
4. Click Test to test the connection to FortiInsight.
5. To see the jobs associated with FortiInsight, select ADMIN > Setup > Pull Events.
6. To see the received events, select ANALYTICS, then enter FortiInsight in the search box.

Sample Events

[FORTIINSIGHT_POLICY_ALERT] = {"description":"","events":[{"act":"file downloaded","app":"chrome.exe","childId":null,"d":"2019-03-18T13:22:24.344+00:00","id":null,"m":"uqP","mn":{"dh":"tcp://server-10-230-2-153.lhr5.r.cloudfront.net","dip":"10.1.1.76","dp":61024,"ext":".mkv","fp":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv","fs":2307792448,"loc":{"altCode":null,"city":"Augsburg","code":"DE","country":"Germany","latitude":"48.3718","longitude":"10.8925"},"p":"tcp-ip-4","sip":"78.47.38.226","sp":443,"ts":1460},"r":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv-> tcp://server-54-230-2-153.lhr5.r.cloudfront.net:443","u":"acmeltd__engineer2"}],"extendedEvents":[{"act":"file downloaded","app":"chrome.exe","childId":null,"d":"2019-03-18T13:22:24.344+00:00","id":null,"latestHostname":"mimas","latestIp":"10.10.0.1","m":"uqP","mn":{"dh":"tcp://server-54-230-2-153.lhr5.r.cloudfront.net","dip":"10.1.1.76","dp":61024,"ext":".mkv","fp":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv","fs":2307792448,"loc":{"altCode":null,"city":"Augsburg","code":"DE","country":"Germany","latitude":"48.3718","longitude":"10.8925"},"p":"tcp-ip-4","sip":"78.47.38.226","sp":443,"ts":1460},"r":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv-> tcp://server-10-230-2-153.lhr5.r.cloudfront.net:443","resolvedUsername":"","u":"acmeltd__engineer2"}],"id":"AWmQ98PYg7b_-i6_5Rvg","labels":[""],"policyId":"default_6COnUMjTCB8N","policyName":"Browser Download","regimes":["ZoneFox"],"serverIp":"52.209.49.52","serverName":"fortisiemtest.dev.fortiinsight.cloud","severity":10,"status":"New","time":"2019-03-18T13:22:29.473715+00:00"}


Fortinet FortiManager
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, Hardware model, Network interfaces, Operating system version
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Event Types
Regular monitoring events:
- PH_DEV_MON_SYS_CPU_UTIL
- PH_DEV_MON_SYS_MEM_UTIL
- PH_DEV_MON_SYS_DISK_UTIL
- PH_DEV_MON_NET_INTF_UTIL
Rules
Regular monitoring rules
Reports
Regular monitoring reports
Configuration
You can now configure FortiSIEM to communicate with FortiManager. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. For Device Type Fortinet FortiManager, see Access Credentials.

Remote Desktop
FortiSIEM supports this remote desktop application for discovery and monitoring.
- Citrix Receiver (ICA)


Citrix Receiver (ICA)
- What is Discovered and Monitored
- Event Types
- Reports
- Configuration

What is Discovered and Monitored

Protocol: WMI
Metrics collected: From PH_DEV_MON_APP_ICA_SESS_MET:
- ICA Latency Last Recorded
- ICA Latency Session Average
- ICA Latency Session Deviation
- ICA Input Session Bandwidth
- ICA Input Session Line Speed
- ICA Input Session Compression
- ICA Input Drive Bandwidth
- ICA Input Text Echo Bandwidth
- ICA Input SpeedScreen Data Bandwidth
- ICA Input Audio Bandwidth
- ICA Input VideoFrame Bandwidth
- ICA Output Session Bandwidth
- ICA Output Session Line Speed
- ICA Output Session Compression
- ICA Output Drive Bandwidth
- ICA Output Text Echo Bandwidth
- ICA Output SpeedScreen Data Bandwidth
- ICA Output Audio Bandwidth
- ICA Output VideoFrame Bandwidth

Event Types
In ADMIN > Device Support > Event, search for "citrix ICA" in the Description column to see the event types associated with this device.
Reports
In RESOURCE > Reports, search for "citrix ICA" in the Name column to see the reports associated with this application or device.

Configuration
WMI
Required WMI Class
Make sure the WMI class Win32_PerfRawData_CitrixICA_ICASession is available on the host machine for Citrix ICA.
Configuring WMI on your device so FortiSIEM can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:
- Creating a Generic User Who Does Not Belong to the Local Administrator Group
- Creating a User Who Belongs to the Domain Administrator Group
The first option is the least-privilege one and should be preferred: a domain administrator credential stored in FortiSIEM can be used against every domain member if the SIEM or its credential store is compromised, whereas the generic account can only read performance data.

Creating a Generic User Who Does Not Belong to the Local Administrator Group
Log in to the machine you want to monitor with an administrator account.
Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group
1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
2. Right-click Users and select Add User.
3. Create a user.
4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
5. In the Distributed COM Users Properties dialog, click Add.
6. Find the user you created, and then click OK. This is the account you must use to set up the Performance Monitor Users group permissions.
7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
8. Repeat steps 4 through 7 for the Performance Monitor Users group.
Enable DCOM Permissions for the Monitoring Account
1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
5. Click OK.
6. Under Access Permissions, click Edit Default.
7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
8. Click OK.
9. Under Launch and Activation Permissions, click Edit Limits.
10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. Click OK.
12. Under Launch and Activation Permissions, click Edit Defaults.
13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group
Log in to the Domain Controller with an administrator account.
Enable Remote WMI Requests by Adding a Monitoring Account to the Domain Administrators Group
1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select Add User.
3. Create a user in your domain, for example YJTEST@accelops.com.
4. Go to Groups, right-click Domain Admins, and then click Add to Group.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. For Enter the object names to select, enter the user you created in step 3.
7. Click OK to close the Domain Admins Properties dialog.
8. Click OK.
Enable the Monitoring Account to Access the Monitored Device
Log in to the machine you want to monitor with an administrator account.
Enable DCOM Permissions for the Monitoring Account
1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
5. Click OK.
6. In the COM Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
8. Click OK.
9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
Enable Account Privileges in WMI
The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.
1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security tab.
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart.
Allow WMI to Connect Through the Windows Firewall (Windows 2003)
1. In the Start menu, select Run.
2. Run gpedit.msc.
3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
5. Select Windows Firewall: Allow remote administration exception.
6. Run cmd.exe and enter these two commands:
   netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
   netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP
7. Restart the server.
Allow WMI through Windows Firewall (Windows Server 2008, 2012)
1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and then click OK.
You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Source Code Control
FortiSIEM supports the GitHub and GitLab Source Code Control tools for log collection via an API.
- GitHub
- GitLab API
- GitLab CLI


GitHub
- Integration points
- Event Types
- Rules
- Reports
- GitHub API Integration
- Configuring GitHub Server
- Configuring FortiSIEM

Integration points

Protocol: GitHub API
Information collected: Logs from the GitHub Service
Used for: Security and Compliance

Event Types
In ADMIN > Device Support > Event, search for "GitHub" to see the event types associated with this device.
Rules
In RESOURCE > Rules, search for "GitHub" to see the rules associated with this device.
Reports
In RESOURCE > Reports, search for "GitHub" to see the reports associated with this device.
Configuring GitHub Server
Create an account to be used for FortiSIEM communication. Give it only the read access FortiSIEM needs on the organization or repositories whose logs you want to collect. GitHub has retired password authentication for its REST API, so create a personal access token for this account and supply it in the Password field below instead of the account password.
Configuring FortiSIEM
Use the account from the previous step to enable FortiSIEM access.
1. Log in to FortiSIEM.
2. Go to ADMIN > Setup > Credentials.
3. Click New to create a GitHub credential.
4. In Step 1: Enter Credentials, enter these settings in the Access Method Definition dialog box:

   Name: Enter a name for the credential
   Device Type: GitHub.com GitHub
   Access Protocol: GitHub API
   Pull Interval: The interval at which FortiSIEM pulls events. Default is 5 minutes.
   Password Config: See Password Configuration
   User Name and Password: Enter the user name and the password (or personal access token) for the account created while Configuring GitHub Server.
   Organization: Choose the Organization if it is an MSP deployment and the same credential has to be used for multiple customers.
   Description: Description of the device

5. Enter an IP Range to Credential Association:
   a. Set IP to the IP address of the GitHub Server.
   b. Select the Credential created in steps 3 and 4.
   c. Click Save.
6. Select the entry created in step 5 and click Test Connectivity.
7. After Test Connectivity succeeds, an entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from the GitHub server using the API.
To test for received GitHub events:
1. Go to ADMIN > Setup > Pull Events.
2. Select the GitHub entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from GitHub in the last 15 minutes. You can modify the time interval to get more events.


GitLab API
- Integration Points
- Event Types
- Rules
- Reports
- Syslog Integration
- API Integration
- Configuring GitLab Server
- Configuring FortiSIEM for GitLab API
- Sample Event

Integration Points

Protocol: syslog
Information collected: 15 log files including production.log and application.log; over 130 event types prefixed with 'GitLab-'
Used for: Security and Compliance

Protocol: API
Information collected: Code commits; changes to Projects, Branches, Tags, Discussion Notes, Issues, Snippets, Repositories; user created, deleted, modified
Used for: Security and Compliance

Event Types
In RESOURCES > Event Types, enter "GitLab" in the Search field to see the events associated with this device.
Rules
No defined rules.
Reports
In RESOURCES > Reports, enter "GitLab" in the Search column to see the reports associated with this device.
Syslog Integration
Configure GitLab to send syslog to FortiSIEM via UDP on port 514 (see the GitLab documentation for details). Syslog over UDP is neither authenticated nor encrypted, so keep the path between GitLab and the FortiSIEM collector on a trusted network segment. FortiSIEM will automatically detect GitLab log patterns and parse the logs. Currently, the following log files are parsed: api_json.log, application.log, gitaly, gitlab-monitor, gitlab-shell.log, gitlab-workhorse.log, gitlab_access.log, production.log, production_json.log, Prometheus, Redis, remote-syslog, sidekiq, sidekiq_exporter.log, unicorn_stderr.log. Currently, over 134 GitLab event types are parsed. To see the event types:
1. Log in to FortiSIEM.
2. Go to RESOURCES > Event Types.
3. Search for 'GitLab'.
Use cases covered via syslog:
- Failed and Successful Login
- Git command execution
- Git API requests
To test for GitLab events received via syslog:
1. Log in to FortiSIEM.
2. Go to ANALYTICS.
3. Click Edit Filters and Time Range:
   a. Choose the Attributes option.
   b. Create the search condition 'Event Type CONTAIN GitLab'.
   c. Select Time Range: Last 1 hour.
   d. Click Apply & Run.
4. See the GitLab events in the GUI.
API Integration
FortiSIEM can also pull logs from GitLab using the GitLab API. Currently, over 134 GitLab event types are parsed. To see the event types:
1. Log in to FortiSIEM.
2. Go to RESOURCES > Event Types.
3. Search for 'GitLab'.
Use cases covered via API:
- Code commit (note that the current API does not capture committed files)
- Changes to Projects, Branches, Tags, Discussion Notes, Issues, Snippets, Repositories, etc.
- User created, deleted, modified
For more details, see the GitLab Events API documentation.
Configuring GitLab Server
Create a personal access token to be used for FortiSIEM communication.
1. Log in to your GitLab account.
2. Go to your Profile settings.
3. Go to Access tokens.
4. Choose a name and optionally an expiry date for the token.
5. Choose the desired scopes: api is required.
6. Click Create Personal Access Token.
Save the personal access token in your local system. Note that once you leave or refresh the page, you won't be able to access it again. The api scope grants full read and write access as that user, so create the token under a dedicated account with the lowest project role that can still read the projects you monitor, set an expiry date, and store the token as you would a password. For more details, see the GitLab documentation on personal access tokens.

Configuring FortiSIEM for GitLab API
Use the Personal Access Token from Configuring GitLab Server to enable FortiSIEM access.
1. Log in to FortiSIEM.
2. Go to ADMIN > Setup > Credentials.
3. Click New to create a GitLab credential.
4. In Step 1: Enter Credentials, enter these settings in the Access Method Definition dialog box:

   Name: Enter a name for the credential
   Device Type: GitLab GitLab (Vendor = GitLab, Model = GitLab)
   Access Protocol: GitLab API
   Pull Interval: The interval at which FortiSIEM pulls events from GitLab. Default is 5 minutes.
   Password Config: Manual
   Account Name: Enter an account name.
   Personal Access Token: Enter the token you obtained in Configuring GitLab Server.
   Description: Description of the device

5. Enter an IP Range to Credential Association:
   a. Enter the IP of the GitLab Server.
   b. Select the credential created in step 4 above.
   c. Click Save.
6. Select the entry created in step 5 and click Test Connectivity. Once successful, an entry will be created in ADMIN > Setup > Pull Events. FortiSIEM will start to pull events from GitLab using the API.
To test for received GitLab events:
1. Go to ADMIN > Setup > Pull Events.
2. Select the GitLab entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from GitLab in the last 15 minutes. You can modify the time interval to get more events.

Sample Event
[GITLAB_EVENT_DATA] = {"action_name":"pushed to","author":{"avatar_url":"https://abc.cda.com/avatar/62e30f8b2d3cbc60ed22c217c5fa4e57?s=80&d=identicon","id":185,"name":"user1","state":"active","username":"user1","web_url":"https://dac.com/gitmirror"},"author_id":185,"author_username":"user1","created_at":"2018-11-13T22:30:30.340Z","project_id":553,"push_data":{"action":"pushed","commit_count":2,"commit_from":"da5a4fd97fd1f6b7c5a8611c12592eb5e9ff9e2b","commit_title":"Merge \"Fix bizservice popup display issue and switching org in bizs...","commit_to":"30d863ece3957aacc95ec45c7663c426c73f38f2","ref":"releases/FCS5_2_1","ref_type":"branch"},"serverIp":"172.30.35.11","serverName":"abc.com","target_id":null,"target_iid":null,"target_title":null,"target_type":null}


GitLab CLI
Events obtained through the GitLab REST API can lag behind the state of the repository. To avoid this limitation, FortiSIEM can use the Git command line to read commit history from the GitLab server directly.
- Integration Points
- Event Types
- Rules
- Reports
- Generate an SSH Key in FortiSIEM
- Configure an SSH Key in GitLab
- Configuration in FortiSIEM
- Sample Events

Integration points

Protocol: GIT CLI
Information collected: Git commit history
Used for: Security and Compliance

Event Types
In RESOURCES > Event Types, enter "GitLab" in the Search field to see the events associated with this device.
Rules
No defined rules.
Reports
In RESOURCES > Reports, enter "GitLab" in the Search column to see the reports associated with this device.
Generate an SSH Key in FortiSIEM
Generate an SSH key for FortiSIEM. The key allows FortiSIEM to access GitLab by using Git commands. Use the following command to generate the private key file and the public key file in the /opt/phoenix/bin/.ssh/ directory (create that directory first, with mode 700, if it does not exist). The -f option is needed for the files to land in that directory rather than in the invoking user's home directory:
ssh-keygen -t rsa -b 4096 -C "root@localhost" -f /opt/phoenix/bin/.ssh/id_rsa
Configure an SSH Key in GitLab
An SSH key added to a GitLab user account inherits all of that user's permissions. Add the key to a dedicated account whose project role allows only read access to the repositories FortiSIEM will clone, or add it per project as a read-only deploy key, rather than to an administrator's account.
Complete these steps to install the SSH key in the GitLab server:
1. Log in to your GitLab account.
2. Select Settings from your account drop-down list.
3. Select the SSH Keys tab.
4. Paste the public part of the key, for example the contents of /opt/phoenix/bin/.ssh/id_rsa.pub.
5. Click Add Key.
6. On the FortiSIEM node, install Git if it is not already present, for example:
   yum install git

Configuration in FortiSIEM

Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box:

   Name: Enter a name for the credential
   Device Type: GitLab GitLab
   Access Protocol: GIT CLI
   Pull Interval: The interval at which FortiSIEM pulls events from GitLab. Default is 5 minutes.
   Local Path to Clone: The path on your system where the repository will be cloned. For very large repositories this lets you choose a location on an external device. The clone contains the full source history, so the path should be readable only by the FortiSIEM service account.
   Repositories: The address of the repository in Git. You can enter multiple repositories, separated by whitespace.
   Description: Description of the device

3. In Step 2: Enter IP Range to Credential Associations:
   a. Select the name of your GitLab credential from the Credentials drop-down list.
   b. Enter an IP or an IP range in the IP/IP Range field.
   c. Click Save.
4. Click Test to test the connection to GitLab over the Git CLI.
5. To see the jobs associated with GitLab, select ADMIN > Setup > Pull Events.
6. To see the received events, select ANALYTICS, then enter GitLab in the search box.

Sample Events
[PH_DEV_MON_GIT_COMMIT]: [deviceTime]=1547013028,[user]="abc",[exchMboxName]="abc@fortinet.com",[hashCode]="fa408380aa4296d13aeb24418164994eea2c2737",[preHashCode]="d9cd6e31346611a4f75dc7fe768f6202a46dd7e6",[title]="Add new file",[details]="",[updateCount]="1",[deleteCount]="0",[filePath]="testfile2",[fileType]="testfile2",[repoURL]="git@dops-git.fortinet-us.com:abc/testproject_mei_willremove.git"
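The key generation described under Generate an SSH Key in FortiSIEM, the ssh client configuration that should go with it, and the way a repository's history maps onto the PH_DEV_MON_GIT_COMMIT attributes in the sample event above, as an added shell example. It is not part of this guide and not FortiSIEM's own code. It assumes the /opt/phoenix/bin/.ssh directory the guide names, a placeholder GitLab host gitlab.example.com, that the key carries no passphrase (an assumption: the GIT CLI credential has no passphrase field, so the pull job must use the key unattended), and a git log output constructed inline so the record parser runs without a repository. How FortiSIEM itself derives the event is not documented here; the awk mapping is this example's own.

```shell
#!/bin/sh
# Added example, not from the FortiSIEM guide or from FortiSIEM itself.
# Assumptions: the key directory the guide names; gitlab.example.com is a placeholder;
# the key has no passphrase because the GIT CLI credential has no passphrase field.

KEYDIR=/opt/phoenix/bin/.ssh
GITLAB_HOST=gitlab.example.com

# Create a dedicated pull key and pin it to the GitLab host. -f puts the files where
# the guide expects them whatever the invoking user's home directory is.
gitlab_key_setup() {
    mkdir -p "$KEYDIR" && chmod 700 "$KEYDIR"
    [ -f "$KEYDIR/id_rsa" ] || ssh-keygen -t rsa -b 4096 -N '' -C "fortisiem-gitlab-pull" -f "$KEYDIR/id_rsa"
    # IdentitiesOnly keeps ssh from offering this key to any other host.
    printf 'Host %s\n    IdentityFile %s/id_rsa\n    IdentitiesOnly yes\n    StrictHostKeyChecking yes\n' \
        "$GITLAB_HOST" "$KEYDIR" >> "$KEYDIR/config"
    # Pin the server host key. On its own this is trust-on-first-use: compare the
    # fingerprint (ssh-keygen -lf) with the one your GitLab administrator publishes.
    ssh-keyscan -t rsa,ed25519 "$GITLAB_HOST" >> "$KEYDIR/known_hosts" 2>/dev/null
    chmod 600 "$KEYDIR/id_rsa" "$KEYDIR/config" "$KEYDIR/known_hosts"
    echo "Paste this public key into GitLab > Settings > SSH Keys:"
    cat "$KEYDIR/id_rsa.pub"
}

# git log with one tab-separated header line per commit (C, hash, parents, author,
# e-mail, subject) followed by the --numstat lines (added, deleted, path). Run in a clone.
git_log_for_siem() {
    git log --numstat --format='C%x09%H%x09%P%x09%an%x09%ae%x09%s' "$@"
}

# One record per changed file, using the attribute names of the PH_DEV_MON_GIT_COMMIT
# sample event. A merge keeps its first parent as preHashCode; binary files carry "-"
# for both counts, exactly as git reports them.
git_commit_records() {
    awk -F'\t' '
        $1 == "C" { hash = $2; split($3, parents, " "); pre = parents[1]
                    user = $4; mail = $5; title = $6; next }
        NF == 3   { printf "[PH_DEV_MON_GIT_COMMIT]: [user]=\"%s\",[exchMboxName]=\"%s\",[hashCode]=\"%s\",[preHashCode]=\"%s\",[title]=\"%s\",[updateCount]=\"%s\",[deleteCount]=\"%s\",[filePath]=\"%s\"\n",
                           user, mail, hash, pre, title, $1, $2, $3 }'
}

# Constructed git log output (no real repository): a two-parent merge touching a source
# file and a binary, then the single-file commit shown in the sample event above.
sample_git_log() {
    printf 'C\t%s\t%s\t%s\t%s\t%s\n\n' 1111111111111111111111111111111111111111 \
        'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb' \
        xyz xyz@example.com 'Merge branch feature'
    printf '%s\t%s\t%s\n' 12 3 src/main.c
    printf '%s\t%s\t%s\n' - - assets/logo.png
    printf 'C\t%s\t%s\t%s\t%s\t%s\n\n' fa408380aa4296d13aeb24418164994eea2c2737 \
        d9cd6e31346611a4f75dc7fe768f6202a46dd7e6 abc abc@fortinet.com 'Add new file'
    printf '%s\t%s\t%s\n' 1 0 testfile2
}

case "${1:-demo}" in
    setup) gitlab_key_setup ;;
    live)  git_log_for_siem --since='5 minutes ago' | git_commit_records ;;
    *)     sample_git_log | git_commit_records ;;
esac
```

Run it with `setup` once, as the user that owns the pull job, and paste the printed public key into GitLab; run it with `live` inside a clone to see the records the constructed parser would emit for the last five minutes of history. Without arguments it parses the embedded sample only.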

Unified Communication Server Configuration
FortiSIEM supports these VoIP servers for discovery and monitoring.
- Avaya Call Manager
- Cisco Call Manager
- Cisco Contact Center
- Cisco Presence Server
- Cisco Tandberg Telepresence Video Communication Server (VCS)
- Cisco Telepresence Multipoint Control Unit (MCU)
- Cisco Telepresence Video Communication Server
- Cisco Unity Connection


Avaya Call Manager
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Application type
Metrics collected: System metrics: Uptime, Interface utilization
Used for: Performance Monitoring

Protocol: SFTP
Metrics collected: Call Description Records (CDR): Calling Phone IP, Called Phone IP, Call Duration
Used for: Performance and Availability Monitoring

Event Types
Avaya-CM-CDR: Avaya CDR Records
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
SFTP
SFTP is used to send Call Description Records (CDRs) to FortiSIEM.
Configure FortiSIEM to Receive CDR Records from Avaya Call Manager
1. Log in to your FortiSIEM virtual appliance as root over SSH.
2. Change the directory:
   cd /opt/phoenix/bin
3. Create an SFTP account for user ftpuser with the home directory /opt/phoenix/cache/avayaCM/<call-manager-ip>. If this is the first time you have created a Call Manager definition, you will be prompted for the ftpuser password. When you create subsequent Call Manager definitions, the same password will be used, and you will see a Success message when the definition is created. This account is a password-authenticated SSH login on the SIEM, so choose a strong password and restrict the account to SFTP from the Call Manager's address.
4. The CDR records do not have field definitions, but only values. Field definitions are needed to properly interpret the values. Make sure that the CDR field definitions match the default ones supplied by FortiSIEM in /opt/phoenix/config/AvayaCDRConfig.csv. FortiSIEM will interpret the CDR record fields according to the field definitions specified in /opt/phoenix/config/AvayaCDRConfig.csv and generate events like the following:
   Wed Feb 4 14:37:41 2015 1.2.3.4 FortiSIEM-FileLog-AvayaCM [Time of day-hours]="11" [Time of day-minutes]="36" [Duration-hours]="0" [Duration-minutes]="00" [Duration-tenths of minutes]="5" [Condition code]="9" [Dialed number]="5908" [Calling number]="2565522011" [FRL]="5" [Incoming circuit ID]="001" [Feature flag]="0" [Attendant console]="8" [Incoming TAC]="01 1" [INS]="0" [IXC]="00" [Packet count]="12" [TSC flag]="1"
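Unless the FortiSIEM tool that creates it gives ftpuser a restricted shell, the account from step 3 is an ordinary password-authenticated SSH login on the SIEM, reachable with Avaya's password from any address. The following is an added shell example, not from this guide and not FortiSIEM's own code, that confines ftpuser to the SFTP subsystem and to the Call Manager's address using OpenSSH Match blocks. It assumes an OpenSSH release with Match and internal-sftp (5.x or later), sshd at /usr/sbin/sshd managed by systemd, and takes the Call Manager address as an argument (10.1.2.3 is a placeholder). ChrootDirectory is deliberately not used: the Directory Path configured on Avaya is the absolute path shown in the next section, and a chroot would change it.

```shell
#!/bin/sh
# Added example, not from the FortiSIEM guide or from FortiSIEM itself.
# Placeholders: the Call Manager address is passed as an argument; the sshd binary
# path and systemd are assumptions about the appliance.

SSHD_CONFIG=/etc/ssh/sshd_config

# Match block for ftpuser when it connects from the Call Manager: SFTP subsystem only,
# no shell, no port/X11/agent forwarding. PasswordAuthentication is re-enabled inside
# the block because Avaya authenticates with the ftpuser password even if the appliance
# is otherwise key-only for administrators.
avaya_sftp_match_block() {
    printf '%s\n' \
        "# FortiSIEM Avaya CDR drop: SFTP only, from the Call Manager" \
        "Match User ftpuser Address $1" \
        "    ForceCommand internal-sftp" \
        "    AllowTcpForwarding no" \
        "    X11Forwarding no" \
        "    AllowAgentForwarding no" \
        "    PermitTunnel no" \
        "    PasswordAuthentication yes" \
        "    MaxAuthTries 3"
}

# Catch-all for ftpuser from any other address. sshd applies the first satisfied Match
# block for each keyword, so this must follow the block above: from the Call Manager the
# first block wins, from anywhere else every authentication method is switched off.
avaya_sftp_deny_block() {
    printf '%s\n' \
        "Match User ftpuser" \
        "    PasswordAuthentication no" \
        "    PubkeyAuthentication no" \
        "    ChallengeResponseAuthentication no"
}

# Append both blocks, validate, then reload. Match blocks must come after the global
# settings, which appending satisfies. sshd -t catches a typo before the reload so a bad
# edit cannot lock administrators out of the appliance.
avaya_sftp_apply() {
    cm_ip=$1
    [ -n "$cm_ip" ] || { echo "usage: $0 apply <call-manager-ip>" >&2; return 1; }
    cp -p "$SSHD_CONFIG" "$SSHD_CONFIG.bak.$(date +%Y%m%d%H%M%S)" || return 1
    { avaya_sftp_match_block "$cm_ip"; avaya_sftp_deny_block; } >> "$SSHD_CONFIG"
    /usr/sbin/sshd -t -f "$SSHD_CONFIG" || {
        echo "sshd_config failed validation; restore the .bak copy before reloading" >&2
        return 1
    }
    systemctl reload sshd
}

case "${1:-show}" in
    apply) avaya_sftp_apply "$2" ;;
    *)     avaya_sftp_match_block "${2:-10.1.2.3}"; avaya_sftp_deny_block ;;   # print for review
esac
```

Run it without arguments to print the two blocks for review, then `apply <call-manager-ip>` to append them, validate with sshd -t and reload. After the reload, an interactive `ssh ftpuser@<fortisiem-ip>` from a workstation should be refused outright, and from the Call Manager only `sftp` should work.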

Configure Avaya Call Manager to Send CDR Records to FortiSIEM

1. Log in to Avaya Call Manager.
2. Send CDR records to FortiSIEM by using this information:

   Host Name/IP Address: <FortiSIEM IP Address>
   User Name: ftpuser
   Password: <The password you created for ftpuser>
   Protocol: SFTP
   Directory Path: /opt/phoenix/cache/avayaCM/<call-manager-ip>

Settings for Access Credentials in FortiSIEM
See Access Credentials to set access and protocol for SNMP, SSH, and Telnet.
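How a values-only CDR line becomes the named attributes of the FortiSIEM-FileLog-AvayaCM event shown in step 4 above, as an added shell example. It is neither this guide's nor FortiSIEM's code and does not read the real AvayaCDRConfig.csv. It assumes a fixed-width (positional) record, which is the usual Avaya CDR layout, and constructs its own field table (name, 1-based start column, width) and records so that the output reproduces the sample event's attributes; the column positions are chosen for the example, not taken from Avaya's documentation.

```shell
#!/bin/sh
# Added example, not from the FortiSIEM guide. The field table is constructed for
# illustration only; it is neither the format nor the content of AvayaCDRConfig.csv.

# Constructed field definition: name,start,width (1-based columns of a fixed-width
# record), chosen so the output matches the sample event in the guide.
cdr_field_defs() {
cat <<'EOF'
Time of day-hours,1,2
Time of day-minutes,3,2
Duration-hours,5,1
Duration-minutes,6,2
Duration-tenths of minutes,8,1
Condition code,9,1
Dialed number,10,4
Calling number,14,10
FRL,24,1
Incoming circuit ID,25,3
Feature flag,28,1
Attendant console,29,1
Incoming TAC,30,4
INS,34,1
IXC,35,2
Packet count,37,2
TSC flag,39,1
EOF
}

# Read fixed-width CDR records on stdin and emit one line of [Name]="value" attributes
# per record, in the style of FortiSIEM-FileLog-AvayaCM. Padding is trimmed from both
# ends of each value (interior spaces, as in "01 1", are kept). A record shorter than the
# layout is reported on stderr and skipped rather than sliced into wrong fields, which is
# what a mismatch between the Avaya CDR format and the field definition would produce.
avaya_cdr_parse() {
    awk -v defs="$1" '
    BEGIN {
        while ((getline line < defs) > 0) {
            if (split(line, f, ",") != 3) continue
            n++; name[n] = f[1]; start[n] = f[2] + 0; width[n] = f[3] + 0
            if (start[n] + width[n] - 1 > need) need = start[n] + width[n] - 1
        }
        close(defs)
    }
    {
        if (length($0) < need) {
            print "SKIP: record has " length($0) " columns, layout needs " need ": " $0 > "/dev/stderr"
            next
        }
        out = ""
        for (i = 1; i <= n; i++) {
            v = substr($0, start[i], width[i])
            sub(/^ +/, "", v); sub(/ +$/, "", v)
            out = out (i > 1 ? " " : "") "[" name[i] "]=\"" v "\""
        }
        print out
    }'
}

# Constructed records: one full 39-column record matching the sample event, and a
# truncated one that must be rejected.
sample_cdr_records() {
    printf '%s\n' '1136000595908256552201150010801 1000121' '11360005959'
}

avaya_cdr_demo() {
    defs=$(mktemp) || return 1
    cdr_field_defs > "$defs"
    sample_cdr_records | avaya_cdr_parse "$defs"
    rm -f "$defs"
}

avaya_cdr_demo
```

To check a real drop, replace `sample_cdr_records` with `cat /opt/phoenix/cache/avayaCM/<call-manager-ip>/<file>` and the constructed table with the widths your Call Manager's CDR format actually uses; every SKIP line on stderr is a record FortiSIEM's own definition would also mis-read.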


Cisco Call Manager
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
What is Discovered and Monitored

Protocol: SNMP
Information discovered: Application type
Metrics collected: System metrics: Uptime, CPU utilization, Memory utilization, Disk utilization, Interface utilization, Process count; per process: CPU utilization, Memory utilization
Used for: Performance Monitoring

Protocol: SNMP
Information discovered: VoIP phones and registration status
Metrics collected: Call Manager metrics:
- Global Info: VoIP phone count, Gateway count, Media Device count, Voice mail server count and SIP Trunks count, broken down by Registered/Unregistered/Rejected status (FortiSIEM Event Type: PH_DEV_MON_CCM_GLOBAL_INFO)
- SIP Trunk Info: Trunk end point, description, status (FortiSIEM Event Type: PH_DEV_MON_CCM_SIP_TRUNK_STAT)
- SIP Trunk Addition, Deletion: FortiSIEM Event Types PH_DEV_MON_CCM_NEW_SIP_TRUNK, PH_DEV_MON_CCM_DEL_SIP_TRUNK
- Gateway Status Info: Gateway name, Gateway IP, description, status (FortiSIEM Event Type: PH_DEV_MON_CCM_GW_STAT)
- Gateway Status Change, Addition, Deletion: FortiSIEM Event Types PH_DEV_MON_CCM_GW_STAT_CHANGE, PH_DEV_MON_CCM_NEW_GW, PH_DEV_MON_CCM_DEL_GW
- H323 Device Info: H323 Device name, H323 Device IP, description, status (FortiSIEM Event Type: PH_DEV_MON_CCM_H323_STAT)
- H323 Device Status Change, Addition, Deletion: FortiSIEM Event Types PH_DEV_MON_CCM_H323_STAT_CHANGE, PH_DEV_MON_CCM_NEW_H323, PH_DEV_MON_CCM_DEL_H323
- Voice Mail Device Info: Voice Mail Device name, Voice Mail Device IP, description, status (FortiSIEM Event Type: PH_DEV_MON_CCM_VM_STAT)
- Voice Mail Device Status Change, Addition, Deletion: FortiSIEM Event Types PH_DEV_MON_CCM_VM_STAT_CHANGE, PH_DEV_MON_CCM_NEW_VM, PH_DEV_MON_CCM_DEL_VM
- Media Device Info: Media Device name, Media Device IP, description, status (FortiSIEM Event Type: PH_DEV_MON_CCM_MEDIA_STAT)
- Media Device Status Change, Addition, Deletion: FortiSIEM Event Types PH_DEV_MON_CCM_MEDIA_STAT_CHANGE, PH_DEV_MON_CCM_NEW_MEDIA, PH_DEV_MON_CCM_DEL_MEDIA
- Computer Telephony Integration (CTI) Device Info: CTI Device name, CTI Device IP, description, status (FortiSIEM Event Type: PH_DEV_MON_CCM_CTI_STAT)
- CTI Device Status Change, Addition, Deletion: FortiSIEM Event Types PH_DEV_MON_CCM_CTI_STAT_CHANGE, PH_DEV_MON_CCM_NEW_CTI, PH_DEV_MON_CCM_DEL_CTI
Used for: Availability Monitoring

Protocol: WMI (for Windows based Call Managers)
Information discovered: Application type, service mappings
Metrics collected: Process level metrics, per process: Uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec
Used for: Performance Monitoring

Protocol: SFTP
Metrics collected: Call Description Records (CDR): Calling Phone IP, Called Phone IP, Calling Party Number, Original Called Party Number, Final Called Party Number, Call Connect Time, Call Disconnect Time, Call Duration. Call Management Records (CMR): Latency, Jitter, MOS score current, average, min, max for each call in the CDR
Used for: Performance and Availability Monitoring

Protocol: Syslog
Metrics collected: Syslog messages from Cisco Call Manager as well as Cisco Unified Real Time Monitoring Tool (RTMT)

Event Types
In ADMIN > Device Support > Event, search for "cisco_uc" and "cisco_uc_rtmt" in the Display Name column to see the event types associated with this device.
Rules
In RESOURCE > Rules, search for "cisco call manager" in the Name column to see the rules associated with this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the

FortiSIEM 6.1.1 External Systems Configuration Guide

194

Fortinet Technologies Inc.

Applications
User Guide.
WMI (for Call Manager installed under Windows)
Configuring WMI on your device so FortiSIEM can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:
- Creating a Generic User Who Does Not Belong to the Local Administrator Group
- Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group
Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group
1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
2. Right-click Users and select Add User.
3. Create a user.
4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
5. In the Distributed COM Users Properties dialog, click Add.
6. Find the user you created, and then click OK. This is the account you must use to set up the Performance Monitor Users group permissions.
7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account
1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
5. Click OK.
6. Under Access Permissions, click Edit Default.
7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
8. Click OK.
9. Under Launch and Activation Permissions, click Edit Limits.
10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. Click OK.
12. Under Launch and Activation Permissions, click Edit Defaults.
13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group
Log in to the Domain Controller with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Domain Administrators Group
1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select Add User.
3. Create a user for the @accelops.com domain. For example, YJTEST@accelops.com.
4. Go to Groups, right-click Administrators, and then click Add to Group.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. For Enter the object names to select, enter the user you created in step 3.
7. Click OK to close the Domain Admins Properties dialog.
8. Click OK.

Enable the Monitoring Account to Access the Monitored Device
Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account
1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
5. Click OK.
6. In the COM Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
8. Click OK.
9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
Enable Account Privileges in WMI
The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.
1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security tab.
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart.
Allow WMI to Connect Through the Windows Firewall (Windows 2003)
1. In the Start menu, select Run.
2. Run gpedit.msc.
3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
5. Select Windows Firewall: Allow remote administration exception.
6. Run cmd.exe and enter these two commands (the first opens the DCOM endpoint mapper port, the second allows the WMI callback helper):
   netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
   netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP
7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)
1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and then click OK.
SFTP
SFTP is used to send Call Description Records (CDRs) to FortiSIEM.
- Configure FortiSIEM to Receive CDR Records from Cisco Call Manager
- Configure Cisco Call Manager to Send CDR Records to FortiSIEM

Configure FortiSIEM to Receive CDR Records from Cisco Call Manager
1. Log in to your FortiSIEM virtual appliance as root over SSH.
2. Change the directory:
   cd /opt/phoenix/bin
3. Run ./phCreateCdrDestDir <call-manager-ip>. This creates an FTP account for user ftpuser with the home directory /opt/phoenix/cache/ccm/<callmanager-ip>. If this is the first time you have created a Call Manager definition, you will be prompted for the ftpuser password. When you create subsequent Call Manager definitions, the same password will be used, and you will see a Success message when the definition is created.
4. Switch user to admin by issuing "su - admin".
5. Modify the phoenix_config.txt entry:
   ccm_ftp_directory = /opt/phoenix/cache/ccm
6. Restart phParser by issuing "killall -9 phParser".

Configure Cisco Call Manager to Send CDR Records to FortiSIEM
1. Log in to Cisco Call Manager.
2. Go to Tools > CDR Management Configuration. The CDR Management Configuration window will open.
3. Click Add New.
4. Enter this information:
   Host Name/IP Address: <FortiSIEM IP Address>
   User Name: ftpuser
   Password: <The password you created for ftpuser>
   Protocol: SFTP
   Directory Path: /opt/phoenix/cache/ccm/<callmanager-ip>
5. Click Save.

Settings for Access Credentials
See Access Credentials to set access and protocol for SMTP, SSH, and Telnet.


Cisco Contact Center
- What is Discovered and Monitored
- Configuration
- Setting Access Credentials

What is Discovered and Monitored

Protocol: SNMP, SSH
Information discovered: Application type
Metrics collected: System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization, Installed software change; Disk I/O monitoring
Used for: Performance Monitoring

Event Types
There are no event types defined specifically for this device.
Rules
In RESOURCE > Rules, search for "cisco contact center" in the Name column to see the rules associated with this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Setting Access Credentials
See Access Credentials to set access and protocol for SMTP, SSH, and Telnet.


Cisco Presence Server
- What is Discovered and Monitored
- Configuration
- Setting Access Credentials

What is Discovered and Monitored

Protocol: SNMP, SSH
Information discovered: Application type
Metrics collected: System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization, Installed software change; Disk I/O monitoring
Used for: Performance Monitoring

Event Types
There are no event types defined specifically for this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Setting Access Credentials
See Access Credentials to set access and protocol for SMTP, SSH, and Telnet.


Cisco Tandberg Telepresence Video Communication Server (VCS)
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP, SSH
Information discovered: Application type
Metrics collected: System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization, Installed software change; Disk I/O monitoring
Used for: Performance Monitoring

Event Types
There are no event types defined specifically for this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

SNMP Access Credentials for All Devices
Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>

SSH Access Credentials for All Devices
These are the generic settings for providing SSH access to your device from FortiSIEM.

Name: ssh-generic
Device Type: Generic
Access Protocol: SSH
Port: 22
User Name: A user who has access credentials for your device over SSH
Password: The password for the user


Cisco Telepresence Multipoint Control Unit (MCU)
- What is Discovered and Monitored
- Configuration
- Setting Access Credentials

What is Discovered and Monitored

The following protocols are used to discover and monitor various aspects of Cisco Tandberg VCS.

Protocol: SNMP
Information discovered: Application type
Metrics collected: System metrics: Uptime, Interface utilization
Used for: Performance Monitoring

Event Types
In ADMIN > Device Support > Event, search for "cisco telepresence" in the Description column to see the event types associated with this device.

Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Setting Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>


Cisco Telepresence Video Communication Server

What is Discovered and Monitored

Protocol: Syslog
Logs parsed: Call attempts, Call rejects, Media stats, Request, response, Search
Used for: Log Analysis

Event Types
In ADMIN > Device Support > Event, search for "Cisco-TVCS" in the Description column to see the event types associated with this device.


Cisco Unity Connection
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Application type
Metrics collected: System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization
Used for: Performance Monitoring

Event Types
In ADMIN > Device Support > Event, search for "cisco unity" in the Description column to see the event types associated with this device.
Rules
In RESOURCES > Rules, search for "cisco unity" in the Name column to see the rules associated with this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Settings for Access Credentials
See Access Credentials to set access and protocol for SMTP, SSH, and Telnet.

Web Server
FortiSIEM supports these web servers for discovery and monitoring.
- Apache Web Server
- Microsoft IIS for Windows 2000 and 2003
- Microsoft IIS for Windows 2008
- Nginx Web Server


Apache Web Server
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Application type
Metrics collected: Process level metrics: CPU utilization, Memory utilization
Used for: Performance Monitoring

Protocol: HTTP(S) via the mod_status module
Metrics collected: Apache metrics: Uptime, CPU load, Total Accesses, Total Bytes, Connections, Requests/sec, Bytes/sec, Bytes/req, Busy Workers, Idle Workers
Used for: Performance Monitoring

Protocol: Syslog
Information discovered: Application type
Metrics collected: W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration
Used for: Security Monitoring and compliance

Event Types
In ADMIN > Device Support > Event, search for "apache" in the Device Type and Description columns to see the event types associated with this device.
Reports
In RESOURCES > Reports, search for "apache" in the Name column to see the reports associated with this device.
Configuration
The Apache Web Server configuration instructions below use the default Apache installation path as a reference point. Depending on your own installation, Apache may be installed in one of the following locations:
- /etc
- /etc/httpd
- /usr/local
Adjust the paths in these instructions to match your installed Apache directory.


SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

HTTPS
To communicate with FortiSIEM over HTTPS, you must configure the mod_status module in your Apache web server.
1. Log in to your web server as an administrator.
2. Open the configuration file /etc/Httpd.conf.
3. Modify the file as shown in these code blocks, depending on whether you are connecting over HTTP without authentication, or over HTTPS with authentication.

Without Authentication

LoadModule status_module modules/mod_status.so
...
ExtendedStatus on
...
#Configuration without authentication
<Location /server-status>
    SetHandler server-status
    Order Deny,Allow
    Deny from all
    Allow from .foo.com
</Location>

With Authentication

LoadModule status_module modules/mod_status.so
...
ExtendedStatus on
...
#Configuration with authentication
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from all
    AuthType Basic
    AuthUserFile /etc/httpd/account/users
    AuthGroupFile /etc/httpd/account/groups
    AuthName "Admin"
    Require group admin
    Satisfy all
</Location>

4. If you are using authentication, you will have to add user authentication credentials.
   a. Go to /etc/httpd, and if necessary, create an account directory.
   b. In the account directory, create two files, users and groups.
   c. In the groups file, enter admin:admin.
   d. Create a password for the admin user (the -c option creates the users file):
      htpasswd -c users admin
5. Reload Apache:
   /etc/init.d/httpd reload
You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
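The following Python script is an added example, not FortiSIEM or Apache code. It parses the machine-readable response that Apache returns for the server-status?auto URL (the URL the access credentials table below uses) into the metric names listed in the Apache table above, and derives a worker-pool availability check from them. SAMPLE_STATUS is a constructed response; the metric mapping, the function names and the min_idle threshold are this example's own choices. Two points worth keeping in mind when enabling this endpoint: with ExtendedStatus on, server-status reveals client addresses and the URIs currently being served, so restrict the Location to the FortiSIEM collector's address rather than relying on Allow from all; and Basic authentication sends the admin password in the clear unless the poll runs over HTTPS. The Order/Deny/Allow directives shown are Apache 2.2 syntax; Apache 2.4 expresses the same rules with Require unless mod_access_compat is loaded.

```python
"""Parse Apache mod_status output in the '?auto' machine-readable form.

Added example; this is not FortiSIEM or Apache code. SAMPLE_STATUS is a
constructed response, not a capture from a real server.
"""

# Constructed sample of what GET /server-status?auto returns (assumed values).
SAMPLE_STATUS = """\
Total Accesses: 12890
Total kBytes: 45312
CPULoad: .0321
Uptime: 86400
ReqPerSec: .149190
BytesPerSec: 537.0
BytesPerReq: 3599.5
BusyWorkers: 3
IdleWorkers: 7
Scoreboard: WWW_______......................
"""

# mod_status key -> metric name used in the Apache table above.
METRIC_MAP = {
    "Total Accesses": "Total Accesses",
    "Total kBytes": "Total Bytes",   # reported in kB; converted to bytes below
    "CPULoad": "CPU load",
    "Uptime": "Uptime",
    "ReqPerSec": "Requests/sec",
    "BytesPerSec": "Bytes/sec",
    "BytesPerReq": "Bytes/req",
    "BusyWorkers": "Busy Workers",
    "IdleWorkers": "Idle Workers",
}


def parse_server_status(text):
    """Return {metric name: float} for the recognised 'Key: value' lines.

    Keys outside METRIC_MAP (Scoreboard, and version-specific extras such as
    ServerUptimeSeconds or ConnsTotal on newer Apache releases) are skipped,
    so the parser does not break when the key set changes.
    """
    metrics = {}
    for line in text.splitlines():
        key, sep, raw = line.partition(":")
        key, raw = key.strip(), raw.strip()
        if not sep or key not in METRIC_MAP:
            continue
        try:
            value = float(raw)
        except ValueError:
            continue  # tolerate a malformed line rather than abort the poll
        if key == "Total kBytes":
            value *= 1024.0
        metrics[METRIC_MAP[key]] = value
    return metrics


def worker_utilisation(met):
    """Fraction of the worker pool that is busy (0.0 to 1.0)."""
    busy = met.get("Busy Workers", 0.0)
    idle = met.get("Idle Workers", 0.0)
    total = busy + idle
    return busy / total if total else 0.0


def pool_nearly_exhausted(met, min_idle=1):
    """True when fewer than min_idle workers are free. A saturated pool is
    what a request flood or a stuck backend looks like from the outside, so
    this is a useful availability alert to derive from the polled metrics."""
    return met.get("Idle Workers", 0.0) < min_idle


if __name__ == "__main__":
    parsed = parse_server_status(SAMPLE_STATUS)
    for name, value in parsed.items():
        print(f"{name:15s} {value}")
    print("worker utilisation:", worker_utilisation(parsed))
    print("pool nearly exhausted:", pool_nearly_exhausted(parsed))
```

Run it with python3 to see the parsed metrics; in a real poller the text passed to parse_server_status would be the HTTP response body fetched from the URL and credentials configured in FortiSIEM.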
Syslog
Install and configure the Epilog application to send syslog to FortiSIEM:
1. Download Epilog from Snare and install it on your Windows Server.
2. For Windows, launch Epilog from Start > All Programs > InterSect Alliance > Epilog for Windows.
3. For Linux, browse to http://<yourApacheServerIp>:6162.
4. Configure the Epilog application as follows:
   a. Go to Log Configuration. Click the Add button and add the following log files to be sent to FortiSIEM:
      - /etc/httpd/logs/access_log
      - /etc/httpd/logs/ssl_access_log
   b. Go to Network Configuration:
      i. Set the FortiSIEM system IP (all-in-one or collector) as the Destination Server address (10.1.2.20 in this example).
      ii. Set 514 as the Destination Port.
      iii. Click Change Configuration to save the configuration.
   c. Apply the Latest Audit Configuration. Apache logs will now be sent to FortiSIEM in real time.

Define the Apache Log Format
You must define the format of the logs that Apache will send to FortiSIEM.
1. Open the file /etc/httpd/conf.d/ssl.conf for editing.
2. Add this line to the file:
   CustomLog logs/ssl_request_log combined
3. Uncomment this line in the file:
   #CustomLog logs/access_log common
4. Add this line to the file:
   CustomLog logs/access_log combined
5. Reload Apache:
   /etc/init.d/httpd reload
Apache Syslog Log Format
<142>Sep 17 13:27:37 SJ-Dev-S-RH-VMW-01.prospecthills.net ApacheLog 192.168.20.35 - [17/Sep/2009:13:27:37 -0700] "GET /icons/apache_pb2.gif HTTP/1.1" 200 2414 "http://192.168.0.30/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"

<134>Mar 4 17:08:04 137.146.28.68 httpd: [ID 702911 local0.info] 192.168.20.38 - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"

<142>Sep 17 13:27:37 135.134.33.23 HTTP: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"
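The Python script below is an added example, not FortiSIEM's parser. It shows what parsing the samples above involves: decoding the syslog priority into facility and severity, stripping the optional "[ID ... local0.info]" prefix that two of the samples carry, and pulling the combined-format attributes (client IP, method, URL, status, bytes, referrer, user agent) out of the payload. The first three entries in SAMPLES are the page's own samples; the fourth is constructed so that the 4xx path is exercised. The regular expressions and function names are this example's, and the facility name table follows the standard syslog numbering.

```python
"""Parse Apache combined-format access logs that arrive wrapped in syslog.

Added example; it is not FortiSIEM's parser. The first three SAMPLES are the
lines shown in the section above; the fourth is constructed to show a 4xx.
"""
import re
from collections import Counter

SAMPLES = [
    '<142>Sep 17 13:27:37 SJ-Dev-S-RH-VMW-01.prospecthills.net ApacheLog 192.168.20.35 - [17/Sep/2009:13:27:37 -0700] "GET /icons/apache_pb2.gif HTTP/1.1" 200 2414 "http://192.168.0.30/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"',
    '<134>Mar 4 17:08:04 137.146.28.68 httpd: [ID 702911 local0.info] 192.168.20.38 - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"',
    '<142>Sep 17 13:27:37 135.134.33.23 HTTP: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"',
    # Constructed line (not from the page) so the 4xx path is exercised.
    '<142>Sep 17 13:28:02 SJ-Dev-S-RH-VMW-01.prospecthills.net ApacheLog 192.168.20.35 - - [17/Sep/2009:13:28:02 -0700] "GET /old-page.html HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
]

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "clock", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD syslog header: <PRI>Mon DD hh:mm:ss host tag message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<time>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>\S+) (?P<msg>.*)$")
# Optional Solaris-style "[ID 702911 local0.info]" prefix seen in two samples.
MSGID_RE = re.compile(r"^\[ID \d+ [\w.]+\]\s+")
# Combined log format. The samples carry one or two "-" fields (ident, user)
# between the client IP and the timestamp, so both shapes are accepted.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?:\S+ )?\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<version>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"')


def parse_apache_syslog(line):
    """Return the access-log attributes as a dict, or None if unparseable."""
    head = SYSLOG_RE.match(line)
    if not head:
        return None
    body = COMBINED_RE.match(MSGID_RE.sub("", head.group("msg")))
    if not body:
        return None
    pri = int(head.group("pri"))
    facility = pri // 8
    return {
        "facility": FACILITIES[facility] if facility < len(FACILITIES) else str(facility),
        "severity": SEVERITIES[pri % 8],
        "reporting_host": head.group("host"),
        "client_ip": body.group("client"),
        "timestamp": body.group("ts"),
        "method": body.group("method"),
        "url": body.group("url"),
        "http_version": body.group("version"),
        "status": int(body.group("status")),
        "sent_bytes": 0 if body.group("bytes") == "-" else int(body.group("bytes")),
        "referrer": None if body.group("referrer") == "-" else body.group("referrer"),
        "user_agent": body.group("ua"),
    }


def status_class_counts(lines):
    """Count responses by class (2xx, 3xx, ...); unparseable lines are dropped."""
    counts = Counter()
    for rec in map(parse_apache_syslog, lines):
        if rec:
            counts[f"{rec['status'] // 100}xx"] += 1
    return counts


def client_error_hits(lines):
    """(client IP, URL, status) for every 4xx/5xx response: the rows a reviewer
    looks at first when checking for scanning activity or broken links."""
    return [(r["client_ip"], r["url"], r["status"])
            for r in map(parse_apache_syslog, lines) if r and r["status"] >= 400]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_apache_syslog(sample))
    print(status_class_counts(SAMPLES), client_error_hits(SAMPLES))
```

The second and third samples decode to facility local0, which agrees with the "local0.info" text their own prefix carries; a mismatch between the two would indicate a relay rewriting priorities on the way to the collector.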

Settings for Access Credentials

SNMP Access Credentials for All Devices
Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.
Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>

Settings for Apache Web Server HTTPS Access Credentials
Use these Access Method Definition settings to allow FortiSIEM to communicate with your Apache web server over HTTPS.
Name: Apache-https
Device Type: generic
Access Protocol: HTTP or HTTPS
Port: 80 (HTTP) or 443 (HTTPS)
URL: server-status?auto
User Name: The admin account you created when configuring HTTPS
Password: The password associated with the admin account


Microsoft IIS for Windows 2000 and 2003
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Application type
Metrics collected: Process level metrics: CPU utilization, memory utilization
Used for: Performance Monitoring

Protocol: WMI
Information discovered: Application type, service mappings
Metrics collected: Process level metrics: uptime, CPU utilization, memory utilization, Read I/O, Write I/O; IIS metrics: Current Connections, Max Connections, Sent Files, Received Files, Sent Bytes, Received Bytes, ISAPI Requests, Not Found Errors
Used for: Performance Monitoring

Protocol: Windows Agent
Information discovered: Application type
Metrics collected: W3C access logs: attributes include IIS Service Instance, Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration
Used for: Security Monitoring and compliance

Event Types
In ADMIN > Device Support > Event, search for "microsoft iis" in the Description column to see the event types associated with this device.
Configuration
SNMP
See SNMP Configurations in the Microsoft Windows Server Configuration section.
WMI
See WMI Configurations in the Microsoft Windows Server Configuration section.
FortiSIEM Windows Agent
For information on configuring IIS for FortiSIEM Windows Agent, see Configuring Windows IIS in the Windows Agent Installation Guide.

Settings for Access Credentials
See Setting Access Credentials in the Microsoft Windows Server Configuration section.


Microsoft IIS for Windows 2008
- What is Discovered and Monitored
- Configuration
- Setting Access Credentials
- Sample IIS Syslog

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Application type
Metrics collected: Process level metrics: CPU utilization, memory utilization
Used for: Performance Monitoring

Protocol: WMI
Information discovered: Application type, service mappings
Metrics collected: Process level metrics: uptime, CPU utilization, memory utilization, Read I/O, Write I/O; IIS metrics: Current Connections, Max Connections, Sent Files, Received Files, Sent Bytes, Received Bytes, ISAPI Requests, Not Found Errors
Used for: Performance Monitoring

Protocol: Windows Agent
Information discovered: Application type
Metrics collected: W3C access logs: attributes include IIS Service Instance, Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration
Used for: Security Monitoring and compliance

Event Types
In ADMIN > Device Support > Event, search for "microsoft iis" in the Description column to see the event types associated with this device.
Configuration
SNMP
See SNMP Configurations in the Microsoft Windows Server Configuration section.
WMI
See WMI Configurations in the Microsoft Windows Server Configuration section.
FortiSIEM Windows Agent
For information on configuring IIS for FortiSIEM Windows Agent, see Configuring Windows IIS in the Windows Agent Installation Guide.


Setting Access Credentials
See Setting Access Credentials in the Microsoft Windows Server Configuration section.

Sample IIS Syslog

<13>Oct 9 12:19:05 ADS-Pri.ACME.net IISWebLog 0 2008-10-09 19:18:43 W3SVC1 ADS-PRI 192.168.0.10 GET /iisstart.htm - 80 - 192.168.20.80 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.0.3)+Gecko/2008092417+Firefox/3.0.3 - - 192.168.0.10 200 0 0 2158 368 156

<46>Mar 29 12:21:03 192.168.0.40 FTPSvcLog 0 2010-03-29 19:20:32 127.0.0.1 - MSFTPSVC1 FILER 127.0.0.1 21 [1]PASS IEUser@ - 530 1326 0 0 0 FTP - - - -
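The Python script below is an added example, not FortiSIEM's parser. It maps the two sample lines above onto W3C field names and shows the one thing a syslog-forwarded IIS log makes awkward: the "#Fields:" header that normally names the columns is not part of the forwarded line, so the field order has to be configured on the receiving side. WEB_FIELDS and FTP_FIELDS are assumptions that fit the token order of the samples and must be checked against the IIS site's own logging settings. The FTP sample records a PASS command answered with 530 and Win32 status 1326 (logon failure), which the failed_ftp_logins function extracts as a detection-ready (client, user) pair. Function and constant names are this example's own.

```python
"""Parse IIS W3C web and FTP log lines forwarded by Snare over syslog.

Added example; not FortiSIEM's parser. SAMPLES are the two lines shown
above. The W3C field lists are an assumption: syslog carries no "#Fields:"
header, so the order is taken from the samples and must be checked against
the IIS site's own logging configuration before use.
"""
import re

SAMPLES = [
    "<13>Oct 9 12:19:05 ADS-Pri.ACME.net IISWebLog 0 2008-10-09 19:18:43 W3SVC1 ADS-PRI 192.168.0.10 GET /iisstart.htm - 80 - 192.168.20.80 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.0.3)+Gecko/2008092417+Firefox/3.0.3 - - 192.168.0.10 200 0 0 2158 368 156",
    "<46>Mar 29 12:21:03 192.168.0.40 FTPSvcLog 0 2010-03-29 19:20:32 127.0.0.1 - MSFTPSVC1 FILER 127.0.0.1 21 [1]PASS IEUser@ - 530 1326 0 0 0 FTP - - - -",
]

# <PRI>Mon DD hh:mm:ss host tag criticality message  (Snare Epilog layout)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<time>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>\S+) (?P<crit>\d+) (?P<msg>.*)$")

# Assumed field order (fits the samples; verify against the site's settings).
WEB_FIELDS = ["date", "time", "s-sitename", "s-computername", "s-ip", "cs-method",
              "cs-uri-stem", "cs-uri-query", "s-port", "cs-username", "c-ip",
              "cs-version", "cs(User-Agent)", "cs(Cookie)", "cs(Referer)", "cs-host",
              "sc-status", "sc-substatus", "sc-win32-status", "sc-bytes", "cs-bytes",
              "time-taken"]
FTP_FIELDS = ["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername",
              "s-ip", "s-port", "cs-method", "cs-uri-stem", "cs-uri-query",
              "sc-status", "sc-win32-status", "sc-bytes", "cs-bytes", "time-taken",
              "cs-version", "cs-host", "cs(User-Agent)", "cs(Cookie)", "cs(Referer)"]
FIELDS_BY_TAG = {"IISWebLog": WEB_FIELDS, "FTPSvcLog": FTP_FIELDS}
NUMERIC = ("sc-status", "sc-substatus", "sc-win32-status", "sc-bytes", "cs-bytes",
           "time-taken")
ERROR_LOGON_FAILURE = 1326  # Win32 status IIS FTP records for a bad password


def parse_iis_syslog(line):
    """Return a dict keyed by W3C field name, or None if the line does not fit."""
    head = SYSLOG_RE.match(line)
    if not head:
        return None
    fields = FIELDS_BY_TAG.get(head.group("tag"))
    tokens = head.group("msg").split()
    if fields is None or len(tokens) != len(fields):
        return None   # unknown source, or a field list that does not fit
    rec = dict(zip(fields, tokens))
    # IIS writes '+' for spaces inside a field; a literal '+' in the original
    # value is indistinguishable, which is a known limit of the W3C format.
    rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")
    for key in NUMERIC:
        if key in rec:
            rec[key] = int(rec[key])
    rec["log_source"] = head.group("tag")
    rec["reporting_host"] = head.group("host")
    return rec


def failed_ftp_logins(lines):
    """(client IP, user name) for FTP PASS commands rejected with 530.

    IIS prefixes the FTP command with a session number ("[1]PASS") and puts
    the user name being authenticated in cs-uri-stem.
    """
    hits = []
    for rec in map(parse_iis_syslog, lines):
        if (rec and rec["log_source"] == "FTPSvcLog"
                and rec["cs-method"].endswith("PASS") and rec["sc-status"] == 530):
            hits.append((rec["c-ip"], rec["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_iis_syslog(sample))
    print("failed FTP logins:", failed_ftp_logins(SAMPLES))
```

The length check in parse_iis_syslog is deliberate: if an administrator adds or removes a logged field on the server, every line silently shifts, and refusing to parse is safer than attributing the wrong value to sc-status.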


Nginx Web Server
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

The following protocols are used to discover and monitor various aspects of the Nginx web server.

Protocol: SNMP
Information discovered: Application type
Metrics collected: Process level metrics: CPU utilization, Memory utilization
Used for: Performance Monitoring

Protocol: Syslog
Metrics collected: W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration
Used for: Security Monitoring and compliance

Event Types
In ADMIN > Device Support > Event, search for "nginx" in the Device Type and Description column to see the event types associated with this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
- For Port, enter 514.
- Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example nginx Syslog
<29>Jun 15 07:59:03 ny-n1-p2 nginx: "200.158.115.204","-","Mozilla/5.0 (Windows NT 5.1 WOW64; rv:9.0.1) Gecko/20100178 Firefox/9.0.1","/images/design/header-2logo.jpg","GET","http://wm-center.com/images/design/header-2-logo.jpg","200","0","/ypf-cookie_auth/index.html","0.000","877","-","10.4.200.203","80","wm-center.com","no-cache, nostore, must-revalidate","-","1.64","_","-","-"
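The Python script below is an added example, not FortiSIEM's parser, built around the sample line above. Its point is the field splitting: the payload is a list of double-quoted, comma-separated values, and one of them (the Cache-Control value "no-cache, nostore, must-revalidate") contains commas of its own, so a naive split on "," produces 23 fields instead of 21 and shifts every attribute after it. The csv module handles the quoting correctly. The names in POSITIONS are inferred from the sample's values only, because the nginx log_format that produced it is site-specific and not documented on this page; treat them as assumptions to be confirmed against the actual log_format directive.

```python
"""Split the comma-separated, double-quoted nginx syslog payload correctly.

Added example; not FortiSIEM's parser. SAMPLE is the line shown above. The
field meanings in POSITIONS are inferred from the sample values, because
the nginx log_format behind it is site-specific and not documented here.
"""
import csv
import re

SAMPLE = ('<29>Jun 15 07:59:03 ny-n1-p2 nginx: "200.158.115.204","-",'
          '"Mozilla/5.0 (Windows NT 5.1 WOW64; rv:9.0.1) Gecko/20100178 Firefox/9.0.1",'
          '"/images/design/header-2logo.jpg","GET",'
          '"http://wm-center.com/images/design/header-2-logo.jpg","200","0",'
          '"/ypf-cookie_auth/index.html","0.000","877","-","10.4.200.203","80",'
          '"wm-center.com","no-cache, nostore, must-revalidate","-","1.64","_","-","-"')

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<time>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) nginx: (?P<msg>.*)$")

# Assumed positional meanings (0-based), inferred from the sample only.
POSITIONS = {0: "client_ip", 1: "remote_user", 2: "user_agent", 3: "url",
             4: "method", 6: "status", 12: "server_ip", 13: "server_port",
             14: "host_header"}


def split_nginx_fields(msg):
    """Use the csv module so a comma inside a quoted field (here the
    Cache-Control value) does not split the record. A naive msg.split(",")
    yields 23 fields for the sample instead of 21."""
    return next(csv.reader([msg], delimiter=",", quotechar='"'))


def naive_field_count(msg):
    """The wrong way, kept only to show the discrepancy."""
    return len(msg.split(","))


def parse_nginx_syslog(line):
    """Return reporting host, the raw field list and the named fields."""
    head = SYSLOG_RE.match(line)
    if not head:
        return None
    fields = split_nginx_fields(head.group("msg"))
    rec = {"reporting_host": head.group("host"),
           "field_count": len(fields), "fields": fields}
    for idx, name in POSITIONS.items():
        if idx < len(fields):
            rec[name] = fields[idx]
    if rec.get("status", "").isdigit():
        rec["status"] = int(rec["status"])
    return rec


if __name__ == "__main__":
    parsed = parse_nginx_syslog(SAMPLE)
    print("csv fields:", parsed["field_count"],
          "naive split:", naive_field_count(SAMPLE.split("nginx: ", 1)[1]))
    print({k: v for k, v in parsed.items() if k != "fields"})
```

When writing a custom parser for a format like this, pin the expected field count (21 here) and reject lines that do not match, so that a change to the log_format on the server shows up as a parse failure rather than as silently misattributed values.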

Settings for Access Credentials

SNMP Access Credentials for All Devices
Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.
Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>


Blade Servers
FortiSIEM supports these blade servers for discovery and monitoring.
- Cisco UCS Server
- HP BladeSystem


Cisco UCS Server

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
- Sample Cisco UCS Events

What is Discovered and Monitored

Protocol: Cisco UCS API
Information discovered: Host name, Access IP, Hardware components (processors, chassis, blades, board, CPU, memory, storage, power supply unit, fan unit)
Metrics collected:
- Chassis status: Input Power, Input Avg Power, Input Max Power, Input Min Power, Output Power, Output Avg Power, Output Max Power, Output Min Power
- Memory status: Temp (C), Avg Temp (C), Max Temp (C), Min Temp (C)
- Processor status: Input Current, Input Avg Current, Input Max Current, Input Min Current, Temp (C), Avg Temp (C), Max Temp (C), Min Temp (C)
- Power supply status: Temp (C), Max Temp (C), Avg Temp (C), Min Temp (C), Input 210Volt, Avg Input 210Volt, Max Input 210Volt, Min Input 210Volt, Output 12Volt, Avg Output 12Volt, Max Output 12Volt, Min Output 12Volt, Output 3V3Volt, Avg Output 3V3Volt, Max Output 3V3Volt, Min Output 3V3Volt, Output Current, Avg Output Current, Max Output Current, Min Output Current, Output Power, Avg Output Power, Max Output Power, Min Output Power
- Fan status: Fan Speed, Average Fan Speed, Max Fan Speed, Min Fan Speed
Used for: Availability and Performance Monitoring

Event Types
In ADMIN > Device Support > Event, search for "cisco ucs" in the Description column to see the event types associated with this device.
Reports
In RESOURCES > Reports, search for "cisco ucs" in the Name column to see the reports associated with this application or device.


Configuration
UCS XML API
FortiSIEM uses the Cisco UCS XML API to discover Cisco UCS and to collect hardware statistics. See the Cisco UCS documentation for information on how to configure your device to accept API connections from FortiSIEM. You can then configure FortiSIEM to communicate with your device and initiate discovery of the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.
Name: ucs
Device Type: Cisco UCS
Access Protocol: UCS API
Pull Interval (minutes): 5
Port: 5988
User Name: The user name you set up in your UCS server to communicate with FortiSIEM
Password: The password associated with the user name

Sample Cisco UCS Events
Power Supply Status Event
[PH_DEV_MON_UCS_HW_PSU_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine, [hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1/psu-2, [envTempdDegC]=47.764706,[envTempAvgDegC]=36.176472,[envTempMaxDegC]=47.764706, [envTempMinDegC]=25.529411,[input210Volt]=214.294113, [input210AvgVolt]=210.784317,[input210MaxVolt]=214.294113,[input210MinVolt]=207.823532, [ouput12Volt]=12.188235,[ouput12AvgVolt]=12.109803, [ouput12MaxVolt]=12.376471,[ouput12MinVolt]=11.905882,[ouput3V3Volt]=3.141176, [ouput3V3AvgVolt]=3.374510,[ouput3V3MaxVolt]=3.458823, [ouput3V3MinVolt]=3.141176,[outputCurrentAmp]=15.686275,[outputCurrentAvgAmp]=20.261436, [outputCurrentMaxAmp]=24.509804, [outputCurrentMinAmp]=15.686275,[outputPowerWatt]=191.188004, [outputPowerAvgWatt]=245.736252,[outputPowerMaxWatt]=303.344879, [outputPowerMinWatt]=191.188004

Processor Status Event
[PH_DEV_MON_UCS_HW_PROCESSOR_STAT]:[eventSeverity]=PHL_INFO, [hostName]=machine, [hostIpAddr]=10.1.2.36, [hwComponentName]=sys/chassis-1/blade-3/board/cpu-2, [inputCurrentAmp]=101.101959,[inputCurrentAvgAmp]=63.420914, [inputCurrentMaxAmp]=101.101959,[inputCurrentMinAmp]=44.580391, [envTempdDegC]=5.788235,[envTempAvgDegC]=6.216993,[envTempMaxDegC]=6.431373, [envTempMinDegC]=5.788235,
Chassis Status Event
[PH_DEV_MON_UCS_HW_CHASSIS_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine, [hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1, [inputPowerWatt]=7.843137,[inputPowerAvgWatt]=7.843137,[inputPowerMaxWatt]=7.843137, [inputPowerMinWatt]=7.843137,[outputPowerWatt]=0.000000,[outputPowerAvgWatt]=0.000000,[outputPowerMaxWatt]=0.000000, [outputPowerMinWatt]=0.000000
Memory Status Event
[PH_DEV_MON_UCS_HW_MEMORY_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine, [hostIpAddr]=10.1.2.36, [hwComponentName]=sys/chassis-1/blade-1/board/memarray-1/mem-9,[envTempdDegC]=51.000000, [envTempAvgDegC]=50.128208, [envTempMaxDegC]=51.000000,[envTempMinDegC]=48.000000
Fan Status Event
[PH_DEV_MON_UCS_HW_FAN_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine, [hostIpAddr]=10.1.2.36, [hwComponentName]=sys/chassis-1/fan-module-1-5/fan-2,[fanSpeed]=7800.000000, [fanSpeedAvg]=7049.000000, [fanSpeedMax]=8550.000000,[fanSpeedMin]=2550.00000


Blade Servers
HP BladeSystem

- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol                SNMP
Information Discovered  Host name, Access IP, Hardware components: processors, chassis, blades, board, cpu, memory, storage, power supply unit, fan unit
Metrics Collected       Hardware status: Fan status, Power supply status, Power enclosure status, Overall status
Used For                Availability and Performance Monitoring

Configuration
SNMP
FortiSIEM uses SNMP to discover the HP BladeSystem and collect hardware statistics. See the instructions on configuring SNMP in your BladeSystem documentation to enable communication with FortiSIEM. After you have configured SNMP on your BladeSystem blade server, you can configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Settings for Access Credentials in FortiSIEM
See Access Credentials to set access and protocol for SSH and Telnet.


Cloud Applications
FortiSIEM supports these cloud applications for monitoring.
- AWS Access Key IAM Permissions and IAM Policies
- AWS CloudTrail API
- AWS EC2
- AWS EC2 CloudWatch API
- AWS Kinesis
- AWS RDS
- AWS Security Hub
- Box.com
- Google Workspace Audit
- Microsoft Azure Audit
- Microsoft Office365 Audit
- Microsoft Cloud App Security
- Microsoft Azure ATP
- Microsoft Azure Compute
- Microsoft Azure Event Hub
- Microsoft Windows Defender ATP
- Okta
- Salesforce CRM Audit


Alcide.io KAudit
- Integration Points
- Configuring Alcide.io to Send Logs
- Configuring FortiSIEM to Receive Logs
- Alcide.io Event Types
- Alcide.io Sample Log

Integration Points

Protocol               Syslog
Information Collected  Audit logs
Used For               Security and Compliance Monitoring

Configuring Alcide.io to Send Logs
Follow these steps to send syslog to FortiSIEM.
1. In the target section of the ConfigMap, set the following:
   a. Target-type = syslog
   b. Syslog host = <fortisiem.host.com>
   c. Syslog port = 514
   d. Syslog-tcp = false
With Syslog-tcp = false the audit records travel over UDP, which is unencrypted and unacknowledged; keep the path between the cluster and the FortiSIEM collector on a trusted network.
Configuring FortiSIEM to Receive Logs
No configuration is needed. FortiSIEM can automatically detect and parse Alcide.io logs based on the built in parser.
Alcide.io Event Types
Go to Resources > Event Type and search "AlcideKAudit."
Alcide.io Sample Log
<109>Feb 28 07:09:18 AlcideKAudit: {"category":"anomaly","cluster":"devel","etype":"cluster","reasons":[{"values":{"high": [1]},"doc":"change in count of unique unusual URIs in read access attempts","period":180000,"direction":"read"}],"time":1582873380000,"short-doc":"change in targets of access attempts","project":"alcide-rnd","context":{"unusual-uri": ["LHUt"]},"period":180000,"eid":"cluster","confidence":"high","doc":"unusual change in count of unique unusual URIs in access attempts","direction":"read"}
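As an added example (not part of the Fortinet guide and not Alcide's own tooling), the parser below shows what the built-in FortiSIEM parser has to do with a KAudit line: split off the RFC 3164 priority and timestamp, key on the AlcideKAudit program tag, decode the JSON body and pull out the fields a triage rule would use. The sample line is constructed to match the one above; the function names and the high-confidence triage rule are the example's own.

```python
import json
import re
from typing import Any, Dict

# Constructed sample in the shape of the page's Alcide.io KAudit message:
# BSD syslog header, program tag "AlcideKAudit:", then one JSON object.
SAMPLE_LINE = (
    '<109>Feb 28 07:09:18 AlcideKAudit: {"category":"anomaly","cluster":"devel",'
    '"etype":"cluster","reasons":[{"values":{"high":[1]},'
    '"doc":"change in count of unique unusual URIs in read access attempts",'
    '"period":180000,"direction":"read"}],"time":1582873380000,'
    '"short-doc":"change in targets of access attempts","project":"alcide-rnd",'
    '"context":{"unusual-uri":["LHUt"]},"period":180000,"eid":"cluster",'
    '"confidence":"high","doc":"unusual change in count of unique unusual URIs '
    'in access attempts","direction":"read"}'
)

# <PRI>Mmm dd HH:MM:SS AlcideKAudit: {json}   (PRI = facility * 8 + severity)
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<tag>AlcideKAudit): (?P<body>\{.*\})\s*$",
    re.DOTALL,
)


def is_kaudit_line(line: str) -> bool:
    """True if the line carries the AlcideKAudit tag the built-in parser keys on."""
    return _HEADER.match(line) is not None


def parse_kaudit(line: str) -> Dict[str, Any]:
    """Decode one KAudit syslog line into header fields plus the JSON body.

    Raises ValueError for anything that is not a KAudit line with a JSON
    object body, so a caller cannot mistake garbage for an audit event.
    """
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an AlcideKAudit syslog line")
    pri = int(m.group("pri"))
    body = json.loads(m.group("body"))
    if not isinstance(body, dict):
        raise ValueError("KAudit body is not a JSON object")
    context = body.get("context") or {}
    reasons = body.get("reasons") or []
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "syslog_time": m.group("ts"),
        "event_time_ms": body.get("time"),
        "category": body.get("category"),
        "cluster": body.get("cluster"),
        "project": body.get("project"),
        "confidence": body.get("confidence"),
        "doc": body.get("doc"),
        "reasons": [r.get("doc") for r in reasons if isinstance(r, dict)],
        "unusual_uris": list(context.get("unusual-uri") or []),
    }


def is_high_confidence_anomaly(event: Dict[str, Any]) -> bool:
    """Triage rule (example's own): escalate anomalies KAudit rates as high confidence."""
    return event["category"] == "anomaly" and event["confidence"] == "high"


if __name__ == "__main__":
    print(json.dumps(parse_kaudit(SAMPLE_LINE), indent=2))
```

The priority value 109 decodes to facility 13 (log audit) and severity 5 (notice), which is worth knowing when you filter on severity at the collector: KAudit does not raise the syslog severity for high-confidence anomalies, so the filtering has to happen on the JSON body.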


AWS Access Key IAM Permissions and IAM Policies
To monitor AWS resources in FortiSIEM, an access key and its corresponding secret access key are needed. Before AWS IAM users were available, the recommendation was to create an access key at the level of the root AWS account. This practice has been deprecated since the introduction of IAM users, as explained in the AWS Security Credentials best practice guide. If you were monitoring AWS using root access keys, the first step is to delete those keys and create keys for a standalone IAM user dedicated to FortiSIEM monitoring. This document explains how to create such a user, and which permissions and policies to add so that FortiSIEM can monitor your AWS environment.
Create IAM user for FortiSIEM monitoring
1. Log in to the IAM Console and open the Users tab.
2. Click Create Users.
3. Type a user name, for example aomonitoring, under Enter User Names.
4. Leave the checkbox Generate an access key for each user selected, or select it if it is not selected.
5. Click Download Credentials, then click Close.
6. The downloaded CSV file contains the Access Key ID and Secret Access Key that you will use in FortiSIEM to monitor the various AWS services. The secret is shown only once, so treat the file like a password. You must add permissions before you can actually use the keys in FortiSIEM.
Change permissions for IAM user
1. Select the user you created for monitoring.
2. Switch to the Permissions tab.
3. Click Attach Policy.
4. Select AmazonEC2ReadOnlyAccess, AWSCloudTrailReadOnlyAccess, AmazonRDSReadOnlyAccess, CloudWatchReadOnlyAccess, AmazonSQSFullAccess and click Attach Policy. You can skip a policy if you do not use, or do not plan to monitor, that service. For instance, if you do not use RDS, you do not need to attach AmazonRDSReadOnlyAccess. Note that AmazonSQSFullAccess grants write and administrative rights on every queue in the account, more than polling one CloudTrail queue requires; where your change process allows it, replace it with a custom policy scoped to the queue ARN.
5. You can provide blanket read-only access to all S3 buckets by attaching the policy AmazonS3ReadOnlyAccess. Alternatively, you can specify a more restricted policy as described in the next step.
6. Identify the S3 bucket(s) you have configured to store CloudTrail logs for each region. Create an inline policy, choose Custom Policy, then paste the sample policy below. Replace the bucket names aocloudtrail1 and aocloudtrail2 with the ones you have configured.
S3 bucket read-only policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::aocloudtrail1",
        "arn:aws:s3:::aocloudtrail1/*",
        "arn:aws:s3:::aocloudtrail2",
        "arn:aws:s3:::aocloudtrail2/*"
      ]
    }
  ]
}

The bare bucket ARN covers the bucket-level calls (s3:ListBucket); s3:GetObject is evaluated against the object ARN, so each bucket also needs its bucket/* entry or the log files themselves cannot be read.
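The policy above, generalized as an added example (not Fortinet's code): build the read-only statement for any list of CloudTrail buckets, and check a policy you are about to attach against the same least-privilege shape before it reaches IAM. The bucket names are placeholders and the function names are the example's own; the check covers only the S3 statement, not the managed policies attached in the earlier steps.

```python
import json
from typing import Any, Dict, List

# Read-only actions the CloudTrail pull needs on the log bucket.
READ_ONLY_S3_ACTIONS = ("s3:Get*", "s3:List*")


def cloudtrail_bucket_policy(buckets: List[str]) -> Dict[str, Any]:
    """Build a read-only inline policy for the named CloudTrail buckets.

    Each bucket contributes two resource ARNs: the bucket itself (what
    s3:ListBucket is evaluated against) and bucket/* (what s3:GetObject is
    evaluated against). Listing only the bucket ARN would not let the poller
    read the log objects.
    """
    if not buckets:
        raise ValueError("at least one bucket name is required")
    resources: List[str] = []
    for name in buckets:
        if not name or "*" in name or "/" in name or ":" in name:
            raise ValueError(f"invalid bucket name: {name!r}")
        resources.append(f"arn:aws:s3:::{name}")
        resources.append(f"arn:aws:s3:::{name}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": list(READ_ONLY_S3_ACTIONS),
                "Resource": resources,
            }
        ],
    }


def _as_list(value: Any) -> List[Any]:
    # IAM accepts either a single string or a list in Action/Resource.
    return value if isinstance(value, list) else [value]


def least_privilege_violations(policy: Dict[str, Any], allowed_buckets: List[str]) -> List[str]:
    """Return the ways the policy exceeds read access to the allowed buckets.

    An empty list means every Allow statement stays within s3:Get*/s3:List*
    on the named buckets and their objects. Write or wildcard actions,
    wildcard resources, buckets outside the allow-list, and NotAction /
    NotResource (which invert the grant) are each reported.
    """
    allowed_arns = set()
    for name in allowed_buckets:
        allowed_arns.add(f"arn:aws:s3:::{name}")
        allowed_arns.add(f"arn:aws:s3:::{name}/*")
    problems: List[str] = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow the grant
        if "NotAction" in st or "NotResource" in st:
            problems.append(f"statement {i}: NotAction/NotResource widens the grant")
        for action in _as_list(st.get("Action", [])):
            if not (action.startswith("s3:Get") or action.startswith("s3:List")):
                problems.append(f"statement {i}: non-read action {action}")
        for res in _as_list(st.get("Resource", [])):
            if res not in allowed_arns:
                problems.append(f"statement {i}: resource {res} is outside the allowed buckets")
    return problems


if __name__ == "__main__":
    policy = cloudtrail_bucket_policy(["aocloudtrail1", "aocloudtrail2"])
    print(json.dumps(policy, indent=2))
    print(least_privilege_violations(policy, ["aocloudtrail1", "aocloudtrail2"]))
```

Paste the printed JSON into the inline policy editor. The validator is deliberately strict about resources: a policy that names a bucket outside your CloudTrail set, or uses "*", is reported even if the actions are read-only, because the monitoring key should be able to list and fetch nothing but trail logs.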


AWS CloudTrail
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
- Sample Events for AWS CloudTrail
- Performance Tuning for High EPS CloudTrail Events

What is Discovered and Monitored

Protocol                CloudTrail API
Information Discovered  None
Metrics Collected       None
Used For                Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "Cloudtrail" in the Device Type column to see the event types associated with this device. See the Amazon API reference for more information about the event types available for CloudTrail monitoring.
Reports
In RESOURCE > Reports, search for "cloudtrail" in the Name column to see the reports associated with this device.
Configuration
If you have not already configured Access Keys and permissions in AWS, please follow the steps outlined in AWS Access Key IAM Permissions and IAM Policies. FortiSIEM receives information about AWS events through the CloudTrail API. After creating an S3 bucket for the storage of log files on AWS, you then configure the Simple Notification Service (SNS) and Simple Queue Service (SQS) to create a notification for the log file and have it delivered by SQS. In your FortiSIEM virtual appliance you then enter access credentials so FortiSIEM can communicate with CloudTrail as it would any other device. Note: Do not add any extra SNS notifications in the SQS queue. The queue should only have one SNS subscription, otherwise pulling logs will not function.
Create a new CloudTrail
1. Log in to https://console.aws.amazon.com/cloudtrail.
2. Switch to the region for which you want to generate CloudTrail logs.
3. Click Trails.
4. Click Add New Trail.
5. Enter a Trail name such as aocloudtrail.
6. Select Yes for Apply trail to all regions. FortiSIEM can pull trails from all regions via a single credential.
7. Select Yes for Create a new S3 bucket.
8. For S3 bucket, enter a name like s3aocloudtrail.
9. Click Advanced.
10. Select Yes for Create a new SNS topic.
11. For SNS topic, enter a name like snsaocloudtrail.
12. Leave the rest of the advanced settings at their default values.
13. Click Create.
A dialog will confirm that logging is turned on.

Configure Simple Queue Service (SQS) Delivery

1. Log in to https://console.aws.amazon.com/sqs.
2. Switch to the region in which you created the CloudTrail above.
3. Click Create New Queue.
4. Enter a Queue Name such as sqsaocloudtrail and set these values:

   Setting                     Value
   Default Visibility Timeout  0 seconds
   Message Retention Period    10 minutes. This must be set to between 5 and 50 minutes. A lower value is recommended for high event rates to avoid event loss.
   Maximum Message Size        256 KB
   Delivery Delay              0 seconds
   Receive Message Wait Time   5 seconds

5. Click Create Queue.
6. When the queue is created, click the Details tab and make note of the ARN (Amazon Resource Name), as you will need it when configuring the Simple Notification Service below and when configuring the access credentials for FortiSIEM.

Set Up Simple Notification Service (SNS)
1. Log in to https://console.aws.amazon.com/sns.
2. Switch to the region where you created the trail and the SQS queue.
3. Select Topics.
4. Select the SNS topic snsaocloudtrail that you specified when creating the CloudTrail.
5. Click Actions > Subscribe to topic to launch the Create Subscription popup.
6. For Protocol, select Amazon SQS.
7. For Endpoint, enter the ARN of the queue that you created when setting up SQS.
8. Click Create Subscription.
Give Permission for Amazon SNS to Send Messages to SQS
1. Log in to https://console.aws.amazon.com/sqs.
2. Select the queue you created, sqsaocloudtrail.
3. In the Queue Actions menu, select Subscribe Queue to SNS Topic.
4. From the Choose a Topic drop-down, select the SNS topic snsaocloudtrail that you created earlier.
5. The Topic ARN is filled in automatically.
6. Click Subscribe.

Note: Ensure that SQS, SNS, S3 bucket and CloudTrail are in the same region.
You do not need to initiate discovery of AWS Cloud Trail, but should check that FortiSIEM is pulling events for AWS by checking for an amazon.com entry in ADMIN > Setup > Event Pulling.
You can configure FortiSIEM to communicate with your device by following the instructions in "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to communicate with the CloudTrail API.

Setting          Value
Name             aocloudtrail
Device Type      Amazon AWS CloudTrail
Access Protocol  Amazon AWS CloudTrail
Region           Region where you created the trail.
Bucket           The name of the S3 bucket you created (s3aocloudtrail)
SQS Queue URL    Enter the ARN of your queue without the http:// prefix.
Password Config  See Password Configuration.
Access Key ID    The access key for your AWS instance.
Secret Key       The secret key for your AWS instance.
Organization     Select an organization from the drop-down list.

Sample Events for AWS CloudTrail
Fri Oct 10 14:44:23 2014 FortiSIEM-CloudTrail [additionalEventData/LoginTo]=https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true [additionalEventData/MFAUsed]=No [additionalEventData/MobileVersion]=No [awsRegion]=us-east-1 [eventID]=fdf8f837-7e75-46a0-ac95-b6d15993ebf7 [eventName]=ConsoleLogin [eventSource]=SIGNIN [eventTime]=2014-10-10T06:38:11Z [eventVersion]=1.01 [requestParameters]=null [responseElements/ConsoleLogin]=Success [sourceIPAddress]=211.144.207.10 [userAgent]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 [userIdentity/accountId]=623885071509 [userIdentity/arn]=arn:aws:iam::623885071509:user/John.Adams [userIdentity/principalId]=AIDAIUSNMEIUYBS7AN4UW [userIdentity/type]=IAMUser [userIdentity/userName]=John.Adams

Fri Oct 10 14:19:45 2014 FortiSIEM-CloudTrail [awsRegion]=us-east-1 [eventID]=351bda80-39d4-41ed-9e4d-86d6470c2436 [eventName]=DescribeInstances [eventSource]=EC2 [eventTime]=2014-10-10T06:12:24Z [eventVersion]=1.01 [requestID]=2d835ae2-176d-4ea2-8523-b1a09585e803 [requestParameters/filterSet/items/0/name]=private-ip-address [requestParameters/filterSet/items/0/valueSet/items/0/value]=10.0.0.233 [responseElements]=null [sourceIPAddress]=211.144.207.10 [userAgent]=aws-sdk-php2/2.4.7 Guzzle/3.7.1 curl/7.19.7 PHP/5.3.3 [userIdentity/accessKeyId]=AKIAI2MUUCROHFSLLT3A [userIdentity/accountId]=623885071509 [userIdentity/arn]=arn:aws:iam::623885071509:root [userIdentity/principalId]=623885071509 [userIdentity/type]=Root [userIdentity/userName]=accelops
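As an added example (not part of the guide and not FortiSIEM's own rule engine), the code below parses FortiSIEM's rendering of CloudTrail events and runs three rules an analyst would want on samples like the two above: a successful ConsoleLogin with MFAUsed=No, any activity under the root identity (the second sample), and repeated ConsoleLogin failures from one source address. The sample lines are constructed to match the format on this page, with a placeholder account ID and documentation-range addresses; the failure threshold and the function names are the example's own.

```python
import re
from typing import Dict, List

# FortiSIEM renders a CloudTrail record as "[path/to/key]=value" pairs separated
# by spaces. Values may themselves contain spaces (user agents, URLs), but a new
# pair always begins with "[key]=", so a value runs until the next such marker.
# The same pattern also handles the comma-separated "[key]=value,[key]=value"
# form used by the PH_DEV_MON_* samples elsewhere in this guide.
_PAIR = re.compile(r"\[([^\]]+)\]=(.*?)(?=,?\s*\[[^\]]+\]=|\s*$)", re.DOTALL)

# Constructed events in the shape of the page's samples; account ID, user names
# and source addresses are placeholders (RFC 5737 documentation ranges).
SAMPLE_LINES = [
    "Fri Oct 10 14:44:23 2014 FortiSIEM-CloudTrail "
    "[additionalEventData/LoginTo]=https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true "
    "[additionalEventData/MFAUsed]=No [awsRegion]=us-east-1 [eventName]=ConsoleLogin [eventSource]=SIGNIN "
    "[eventTime]=2014-10-10T06:38:11Z [responseElements/ConsoleLogin]=Success [sourceIPAddress]=203.0.113.10 "
    "[userAgent]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0 "
    "[userIdentity/accountId]=123456789012 [userIdentity/type]=IAMUser [userIdentity/userName]=jane.doe",
    "Fri Oct 10 14:19:45 2014 FortiSIEM-CloudTrail [awsRegion]=us-east-1 [eventName]=DescribeInstances "
    "[eventSource]=EC2 [eventTime]=2014-10-10T06:12:24Z [responseElements]=null "
    "[sourceIPAddress]=203.0.113.10 [userAgent]=aws-sdk-php2/2.4.7 Guzzle/3.7.1 curl/7.19.7 "
    "[userIdentity/accountId]=123456789012 [userIdentity/type]=Root [userIdentity/userName]=accelops",
] + [
    # five failed console logins from one address: the shape a password-guessing run leaves behind
    f"Fri Oct 10 14:5{i}:00 2014 FortiSIEM-CloudTrail [eventName]=ConsoleLogin [eventSource]=SIGNIN "
    f"[additionalEventData/MFAUsed]=No [responseElements/ConsoleLogin]=Failure "
    f"[sourceIPAddress]=198.51.100.7 [userIdentity/type]=IAMUser [userIdentity/userName]=jane.doe"
    for i in range(5)
]


def parse_fsm_event(line: str) -> Dict[str, str]:
    """Return the "[key]=value" pairs of one FortiSIEM-rendered event as a dict."""
    return {key: value.strip() for key, value in _PAIR.findall(line)}


def cloudtrail_findings(line: str) -> List[str]:
    """Per-event rules: console login without MFA, and any use of root credentials."""
    ev = parse_fsm_event(line)
    findings: List[str] = []
    who = ev.get("userIdentity/userName", "?")
    src = ev.get("sourceIPAddress", "?")
    if (
        ev.get("eventName") == "ConsoleLogin"
        and ev.get("responseElements/ConsoleLogin") == "Success"
        and ev.get("additionalEventData/MFAUsed") != "Yes"
    ):
        findings.append(f"console login without MFA by {who} from {src}")
    if ev.get("userIdentity/type") == "Root":
        findings.append(f"root credentials used for {ev.get('eventName')} from {src}")
    return findings


def brute_force_sources(lines: List[str], threshold: int = 5) -> Dict[str, int]:
    """Cross-event rule: source addresses with at least `threshold` failed console logins."""
    failures: Dict[str, int] = {}
    for line in lines:
        ev = parse_fsm_event(line)
        if ev.get("eventName") == "ConsoleLogin" and ev.get("responseElements/ConsoleLogin") == "Failure":
            src = ev.get("sourceIPAddress", "?")
            failures[src] = failures.get(src, 0) + 1
    return {src: n for src, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        for finding in cloudtrail_findings(line):
            print(finding)
    print(brute_force_sources(SAMPLE_LINES))
```

The parser keys on the "[key]=" marker rather than on whitespace because user agents and URLs carry spaces and "=" characters of their own; the one thing it cannot survive is a value that itself contains a literal "[x]=" sequence, which is the same limitation the flat rendering has.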
Performance Tuning for High EPS CloudTrail Events
AWS CloudTrail can generate a lot of events. Follow these recommendations to enable FortiSIEM to keep up with high EPS CloudTrail events.
1. In the AWS configuration, change the Message Retention Period of the SQS queue to 1 day.
2. Adjust the CloudTrail event pulling parameters as follows. Go to the Collector that pulls AWS CloudTrail events. You will find these three relevant parameters in the /opt/phoenix/config/phoenix_config.txt file:
   - cloudtrail_msg_pull_interval (default 30 seconds, minimum recommended 10 seconds): how often CloudTrail events are pulled.
   - cloudtrail_msg_pull_thread_num (default 1, maximum recommended 60): how many threads are used to pull CloudTrail events.
   - cloudtrail_file_parse_thread_num (default 3, maximum recommended 60): how many threads are used to parse CloudTrail events.
   Since each API call returns at most 10 files, set the parameters to satisfy the following two constraints. If the thread count is high, you must increase the number of vCPUs in the Collector.
   - Set (SQSInputEventRate times cloudtrail_msg_pull_interval) to be smaller than (cloudtrail_msg_pull_thread_num times 10).
   - Set cloudtrail_msg_pull_thread_num equal to cloudtrail_file_parse_thread_num.

Amazon AWS EC2

What is Discovered and Monitored

Event Types

Reports

Configuration
Setup in FortiSIEM
Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box:

   Setting          Description
   Name             <set name>
   Device Type      Amazon AWS EC2
   Access Protocol  AWS SDK
   Region           [Required] Region in which your AWS instance is located
   Access Key ID    [Required] Access key for your AWS instance
   Secret Key       [Required] Secret key for your AWS instance
   Description      Description about the device

3. In Step 2, Enter IP Range to Credential Associations:
   a. Select the name of your credential from the Credentials drop-down list.
   b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
   c. Click Save.

4. Click Test to test the connection to Amazon AWS EC2.
5. To see the jobs associated with AWS, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter AWS in the search box.


AWS EC2 CloudWatch API
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
- Sample events

What is Discovered and Monitored

Protocol                CloudWatch API
Information Discovered  Machine name, Internal Access IP, Instance ID, Image ID, Availability Zone, Instance Type, Volume ID, Status, Attach Time
Metrics Collected       CPU Utilization, Received Bits/sec, Sent Bits/sec, Disk reads (Instance Store), Disk writes (Instance Store), Disk reads/sec (Instance Store), Disk writes/sec (Instance Store), Packet loss, Read Bytes (EBS), Write Bytes (EBS), Read Ops (EBS), Write Ops (EBS), Disk Queue (EBS)
Used For                Performance Monitoring

Event Types
- PH_DEV_MON_EC2_METRIC captures EC2 instance metrics (CPU, network and instance-store disk)
- PH_DEV_MON_EBS_METRIC captures EBS metrics
Configuration
If you have not already configured Access Keys and permissions in AWS, please follow the steps outlined in AWS Access Key IAM Permissions and IAM Policies. You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. You should also be sure to read the topic Discovering Amazon Web Services (AWS) Infrastructure. VPC Flow logs are supported. For more information, see HOW TO - Integrate Amazon VPC Flows.


Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access AWS CloudWatch.

Setting          Value
Name             ec2
Device Type      Amazon AWS CloudWatch
Access Protocol  AWS CloudWatch
Region           The region in which your AWS instance is located
AWS Account      The name of your AWS account.
Log Group Name   Name of the log group.
Log Stream Name  Name of the log stream.
Password Config  See Password Configuration.
Access Key ID    The access key for your EC2 instance
Secret Key       The secret key for your EC2 instance

Sample events
[PH_DEV_MON_EC2_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=6571,[hostName]=ec2-54-81-216-218.compute-1.amazonaws.com, [hostIpAddr]=10.144.18.131,[cpuUtil]=0.334000,[diskReadKBytesPerSec]=0.000000, [diskWriteKBytesPerSec]=0.000000,[diskReadReqPerSec]=0.000000,[diskWriteReqPerSec]=0.000000, [sentBytes]=131,[recvBytes]=165,[sentBitsPerSec]=17.493333,[recvBitsPerSec]=22.026667, [phLogDetail]=

[PH_DEV_MON_EBS_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=deviceAws.cpp, [lineNumber]=133,[hostName]=ec2-52-69-215-178.ap-northeast-1.compute.amazonaws.com, [hostIpAddr]=172.30.0.50,[diskName]=/dev/sda1,[volumeId]=vol-63287d9f, [diskReadKBytesPerSec]=7.395556,[diskWriteKBytesPerSec]=7.395556,[ioReadsPerSec]=0.000000, [ioWritesPerSec]=0.010000,[diskQLen]=0,[phLogDetail]=


AWS Kinesis
Amazon Kinesis is an Amazon Web Service (AWS) for processing big data in real time. Kinesis is capable of processing hundreds of terabytes per hour from high volumes of streaming data from sources such as operating logs, financial transactions and social media feeds.
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuring AWS Kinesis
- Configuring FortiSIEM
- Sample Events
What is Discovered and Monitored

Protocol               Amazon AWS Client Library
Information Collected  Streaming data
Used For               Collect, process, and analyze real-time streaming data.

Event Types
In RESOURCES > Event Types, enter "Kinesis" in the Search column to see the event types associated with this device.
Rules
No defined rules.
Reports
No defined reports.
Configuring AWS Kinesis
1. Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.
2. In the navigation bar on the upper right, choose your user name, and then choose My Security Credentials.
3. On the AWS IAM Credentials tab, in the Access keys for CLI, SDK, and API access section, do any of the following:
   - To create an access key, choose Create access key. Then choose Download .csv file to save the access key ID and secret access key to a .csv file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this dialog box closes. After you have downloaded the .csv file, choose Close. When you create an access key, the key pair is active by default, and you can use the pair right away.
   - To disable an active access key, choose Make inactive.
   - To re-enable an inactive access key, choose Make active.
   - To delete an access key, choose its X button at the far right of the row. Then choose Delete to confirm. When you delete an access key, it is gone forever and cannot be retrieved. However, you can always create new keys.
Configuring FortiSIEM
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box and click Save:

   Setting          Description
   Name             Enter a name for the credential
   Device Type      Amazon AWS Kinesis
   Access Protocol  AWS Kinesis Client Library
   Region           You can enter one or more regions separated by a space, for example, "us-east-1 us-west-2". See Supported Regions in AWS for a list of valid regions.
   Password Config  Choose Manual, CyberArk, or RAX_Janus from the drop-down list. For CyberArk, see CyberArk Password Configuration. For RAX_Janus, see RAX_Janus Password Configuration.
   Access Key       Access key for your AWS Kinesis instance. See Configuring AWS Kinesis.
   Secret Key       Secret key for your AWS Kinesis instance
   Organization     The organization the device belongs to.
   Description      Description of the device.

3. In Step 2, Enter IP Range to Credential Associations:
   a. Select the name of your AWS Kinesis credential from the Credentials drop-down list.
   b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
   c. Click Save.
4. Click Test to test the connection to AWS Kinesis.
5. To see the jobs associated with AWS Kinesis, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter AWS Kinesis in the search box.

Sample Events
AWS Kinesis can collect data from different devices or services. The data format is the same as the source data.


AWS RDS
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Type                    Relational Database Service (RDS)
Protocol                CloudWatch API
Information Discovered
Metrics Collected       CPU Utilization, User Connections, Free Memory, Free Storage, Used Swap, Read Latency, Write Latency, Read Ops, Write Ops
Used For                Performance Monitoring

Event Types
l PH_DEV_MON_RDS_METRIC captures RDS metrics
Configuration
If you have not already configured Access Keys and permissions in AWS, please follow the steps outlined in AWS Access Key IAM Permissions and IAM Policies.
Discovering AWS RDS
1. Create an AWS credential:
   a. Go to Admin > Credentials > Step 1: Enter Credentials.
   b. Click Add.
      i. Set Device Type to Amazon AWS RDS.
      ii. Set Access Protocol to AWS SDK.
      iii. Set Region to the region in which your AWS instance is located.
      iv. Set Password. See Password Configuration.
      v. Set Access Key ID to the access key of the IAM user you created for monitoring (see AWS Access Key IAM Permissions and IAM Policies).
      vi. Set Secret Key to the secret key of that IAM user.
      vii. Select an Organization from the drop-down list.
   c. Click Save.
2. In Step 2: Enter IP Range to Credential Associations:
   a. Set IP/IP Range to amazon.com.
   b. Set Credentials to the one created in step 1b.
3. Click Test > Test Connectivity to make sure the credential is working correctly.
4. Go to Admin > Discovery:
   a. Set Discovery Type to AWS Scan.
   b. Click OK to save.
   c. Select the entry and click Discover.
5. After discovery finishes, check CMDB > Devices > Amazon Web Services > AWS Database.
Sample Events
[PH_DEV_MON_RDS_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=deviceAwsRDS.cpp, [lineNumber]=104,[hostName]=mysql1.cmdzvvce07ar.ap-northeast-1.rds.amazonaws.com, [hostIpAddr]=54.64.131.93,[dbCpuTimeRatio]=1.207500,[dbUserConn]=0, [dbEnqueueDeadlocksPerSec]=0.000587,[freeMemKB]=489,[freeDiskMB]=4555, [swapMemUtil]=0.000000,[ioReadsPerSec]=0.219985,[ioWritesPerSec]=0.213329, [devDiskRdLatency]=0.08,[devDiskWrLatency]=0.4029,[phLogDetail]=


AWS Security Hub
Security Hub collects security data from across AWS accounts, services, and supported third-party partner products. FortiSIEM pulls the data collected by Security Hub and analyzes it to identify the highest-priority security issues.

What is Discovered and Monitored

Protocol               AWS Security Hub SDK
Information Collected  Security data
Used For               Security and compliance

Event Types
In RESOURCES > Event Types, enter "AWS Sechub" in the Search column to see the event types associated with this device.

Rules
In RESOURCES > Rules, enter "AWS Sechub" in the Search column to see the rules associated with this device.

Reports
In RESOURCES > Reports, enter "AWS Security Hub" in the Search column to see the reports associated with this device.

Requirements
FortiSIEM uses the AWS SDK for PHP (v3) to pull findings from Security Hub and perform security analytics on them.

Configuring AWS Security Hub

Supported Regions in AWS
Security Hub only collects events from the regions in which you have enabled it. If you do not enable Security Hub in a region, you will not get events from that region. FortiSIEM allows you to specify multiple regions when you create a new credential; Security Hub must be enabled in each region you specify. Use the following AWS region codes:

Region Name                Region Code
US East (Ohio)             us-east-2
US East (N. Virginia)      us-east-1
US West (N. California)    us-west-1
US West (Oregon)           us-west-2
Asia Pacific (Hong Kong)   ap-east-1
Asia Pacific (Mumbai)      ap-south-1
Asia Pacific (Seoul)       ap-northeast-2
Asia Pacific (Singapore)   ap-southeast-1
Asia Pacific (Sydney)      ap-southeast-2
Asia Pacific (Tokyo)       ap-northeast-1
Canada (Central)           ca-central-1
EU (Frankfurt)             eu-central-1
EU (Ireland)               eu-west-1
EU (London)                eu-west-2
EU (Paris)                 eu-west-3
EU (Stockholm)             eu-north-1
South America (São Paulo)  sa-east-1

Step 1: Enable Security Hub
Permissions required to enable Security Hub
1. The IAM identity (user, role, or group) that you use to enable Security Hub must have the required permissions. To grant them, attach the following policy to an IAM user, group, or role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "securityhub:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "securityhub.amazonaws.com"
        }
      }
    }
  ]
}

2. Use the credentials of the IAM identity from step 1 to sign in to the Security Hub console. When you open the Security Hub console for the first time, choose Get Started and then choose Enable Security Hub.
Step 2: Get an Access Key
This feature supports long-term access keys. Access keys consist of two parts: an access key ID and a secret access key.
Permissions Required
To create access keys for your own IAM user, you must have the permissions from the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateOwnAccessKeys",
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:GetUser",
        "iam:ListAccessKeys"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }
  ]
}

To create, modify, or delete your own IAM user access keys (console):
1. Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.
2. In the navigation bar on the upper right, choose your user name, and then choose My Security Credentials.
3. On the AWS IAM Credentials tab, in the Access keys for CLI, SDK, and API access section, do any of the following:
   - To create an access key, choose Create access key. Then choose Download .csv file to save the access key ID and secret access key to a .csv file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this dialog box closes. After you have downloaded the .csv file, choose Close. When you create an access key, the key pair is active by default, and you can use the pair right away.
   - To disable an active access key, choose Make inactive.
   - To re-enable an inactive access key, choose Make active.
   - To delete an access key, choose its X button at the far right of the row. Then choose Delete to confirm. When you delete an access key, it is gone forever and cannot be retrieved. However, you can always create new keys.
Configuring FortiSIEM for AWS Security Hub Access
Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box and click Save:

   Setting          Description
   Name             Enter a name for the credential
   Device Type      Amazon AWS Security Hub
   Access Protocol  AWS Security Hub SDK
   Region           You can enter one or more regions separated by a space, for example, "us-east-1 us-west-2". See Supported Regions in AWS for a list of valid regions.
   Password Config  Choose Manual, CyberArk, or RAX_Janus from the drop-down list. For CyberArk, see CyberArk Password Configuration. For RAX_Janus, see RAX_Janus Password Configuration.
   Access Key       Access key for your AWS Security Hub instance. See Step 2: Get an Access Key.
   Secret Key       Secret key for your AWS Security Hub instance
   Session Token    The session token is used by credentials from Rax Scan. If you obtained an access key as described in Step 2: Get an Access Key, leave this field empty.
   Organization     The organization the device belongs to.
   Description      Description of the device.

3. In Step 2, Enter IP Range to Credential Associations:
   a. Select the name of your AWS Security Hub credential from the Credentials drop-down list.
   b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
   c. Click Save.
4. Click Test to test the connection to AWS Security Hub.
5. To see the jobs associated with AWS Security Hub, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter AWS Security Hub in the search box.
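Once the pull is running, each event carries a finding in AWS Security Finding Format like the GuardDuty sample shown under Sample Events below. As an added example (not part of the guide and not FortiSIEM's own parser), the code rebuilds the nested structure that ProductFields flattens into slash-separated keys and extracts the fields an analyst acts on, using a constructed finding with placeholder account, detector and finding IDs; the severity ranking and the needs_attention rule are the example's own.

```python
from typing import Any, Dict, List

# Constructed finding in the shape of the page's GuardDuty-via-Security-Hub sample
# (AWS Security Finding Format). Account, detector and finding IDs are placeholders.
SAMPLE_FINDING: Dict[str, Any] = {
    "AwsAccountId": "111111111111",
    "CreatedAt": "2019-08-06T04:56:44.894Z",
    "Description": "10.10.10.72 is performing SSH brute force attacks against i-0100ee1e110c011c1.",
    "GeneratorId": "arn:aws:guardduty:us-west-2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa",
    "Id": "arn:aws:guardduty:us-west-2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa/finding/8cb632a4",
    "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty",
    "ProductFields": {
        "action/actionType": "NETWORK_CONNECTION",
        "action/networkConnectionAction/blocked": "false",
        "action/networkConnectionAction/connectionDirection": "INBOUND",
        "action/networkConnectionAction/localPortDetails/port": "22",
        "action/networkConnectionAction/localPortDetails/portName": "SSH",
        "action/networkConnectionAction/protocol": "TCP",
        "action/networkConnectionAction/remoteIpDetails/ipAddressV4": "10.10.10.72",
        "action/networkConnectionAction/remoteIpDetails/organization/asn": "56047",
        "action/networkConnectionAction/remotePortDetails/port": "33242",
        "aws/securityhub/ProductName": "GuardDuty",
        "aws/securityhub/SeverityLabel": "MEDIUM",
        "count": "7",
        "resourceRole": "TARGET",
    },
    "RecordState": "ACTIVE",
    "Resources": [
        {"Type": "AwsEc2Instance",
         "Id": "arn:aws:ec2:us-west-2:111111111111:instance/i-0100ee1e110c011c1"}
    ],
}

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def unflatten(fields: Dict[str, str]) -> Dict[str, Any]:
    """Rebuild the nested structure ProductFields flattens into 'a/b/c' keys.

    If a key is both a leaf and a prefix ('a' and 'a/b'), the leaf value is
    kept under the empty key '' so that nothing is silently dropped.
    """
    root: Dict[str, Any] = {}
    for key, value in fields.items():
        node = root
        parts = key.split("/")
        for part in parts[:-1]:
            child = node.get(part)
            if not isinstance(child, dict):
                child = {} if child is None else {"": child}
                node[part] = child
            node = child
        leaf = parts[-1]
        if isinstance(node.get(leaf), dict):
            node[leaf][""] = value
        else:
            node[leaf] = value
    return root


def _to_int(value: Any) -> Any:
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def triage(finding: Dict[str, Any]) -> Dict[str, Any]:
    """Pull the fields an analyst acts on out of one ASFF finding."""
    pf = unflatten(finding.get("ProductFields") or {})
    net = (pf.get("action") or {}).get("networkConnectionAction") or {}
    hub = (pf.get("aws") or {}).get("securityhub") or {}
    remote = net.get("remoteIpDetails") or {}
    label = str(hub.get("SeverityLabel", "INFORMATIONAL")).upper()
    return {
        "id": finding.get("Id"),
        "account": finding.get("AwsAccountId"),
        "product": hub.get("ProductName"),
        "severity": label,
        "rank": SEVERITY_RANK.get(label, 0),
        "active": finding.get("RecordState") == "ACTIVE",
        "direction": net.get("connectionDirection"),
        "protocol": net.get("protocol"),
        "blocked": str(net.get("blocked", "false")).lower() == "true",
        "remote_ip": remote.get("ipAddressV4"),
        "remote_asn": (remote.get("organization") or {}).get("asn"),
        "local_port": _to_int((net.get("localPortDetails") or {}).get("port")),
        "count": _to_int(pf.get("count")),
        "resources": [r.get("Id") for r in finding.get("Resources") or [] if isinstance(r, dict)],
    }


def needs_attention(t: Dict[str, Any], min_rank: int = SEVERITY_RANK["MEDIUM"]) -> bool:
    """Escalate findings that are still active, were not blocked, and meet min_rank."""
    return t["active"] and not t["blocked"] and t["rank"] >= min_rank


if __name__ == "__main__":
    summary = triage(SAMPLE_FINDING)
    print(summary, needs_attention(summary))
```

ProductFields is where GuardDuty puts the connection details, and every value in it is a string, which is why the port and count are converted explicitly and "blocked" is compared as text rather than trusted as a boolean.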

Sample Events

[AWS_SECURITY_HUB_EVENT_DATA] = {
  "AwsAccountId": "111111111111",
  "CreatedAt": "2019-08-06T04:56:44.894Z",
  "Description": "10.10.10.72 is performing SSH brute force attacks against i-0100ee1e110c011c1. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.",
  "FirstObservedAt": "2019-08-06T04:51:14Z",
  "GeneratorId": "arn:aws:guardduty:us-west-2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa",
  "Id": "arn:aws:guardduty:us-west-2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa/finding/8cb632a4b32f7c3b854d9f5347bf07a4",
  "LastObservedAt": "2019-08-06T05:22:54Z",
  "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty",
  "ProductFields": {
    "action/actionType": "NETWORK_CONNECTION",
    "action/networkConnectionAction/blocked": "false",
    "action/networkConnectionAction/connectionDirection": "INBOUND",
    "action/networkConnectionAction/localPortDetails/port": "22",
    "action/networkConnectionAction/localPortDetails/portName": "SSH",
    "action/networkConnectionAction/protocol": "TCP",
    "action/networkConnectionAction/remoteIpDetails/country/countryName": "China",
    "action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "34.7725",
    "action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "113.7266",
    "action/networkConnectionAction/remoteIpDetails/ipAddressV4": "10.10.10.72",
    "action/networkConnectionAction/remoteIpDetails/organization/asn": "56047",
    "action/networkConnectionAction/remoteIpDetails/organization/asnOrg": "China Mobile communications corporation",
    "action/networkConnectionAction/remoteIpDetails/organization/isp": "China Mobile Guangdong",
    "action/networkConnectionAction/remoteIpDetails/organization/org": "China Mobile",
    "action/networkConnectionAction/remotePortDetails/port": "33242",
    "action/networkConnectionAction/remotePortDetails/portName": "Unknown",
    "archived": "false",
    "aws/securityhub/CompanyName": "Amazon",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-2::product/aws/guardduty/arn:aws:guardduty:us-west-2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa/finding/8cb632a4b32f7c3b854d9f5347bf07a4",
    "aws/securityhub/ProductName": "GuardDuty",
    "aws/securityhub/SeverityLabel": "MEDIUM",
    "count": "7",
    "detectorId": "50b2ea07131dbe1530c23facb594b1fa",
    "resourceRole": "TARGET"
  },
  "RecordState": "ACTIVE",
  "Resources": [
    {
      "Details": {
        "AwsEc2Instance": {
          "ImageId": "ami-f2c2408a",
          "IpV4Addresses": [ "10.10.10.20", "10.0.0.137" ],
          "LaunchedAt": "2019-08-05T17:10:47.000Z",
          "SubnetId": "subnet-931605f1",
          "Type": "m5.4xlarge",
          "VpcId": "vpc-c66576a4"
        }
      },
      "Id": "arn:aws:ec2:us-west-2:111111111111:instance/i-0799ee6e490c078c5",
      "Partition": "aws",
      "Region": "us-west-2",
      "Tags": { "Name": "elasticsearch-node-coordinator" },
      "Type": "AwsEc2Instance"
    }
  ],
  "SchemaVersion": "2018-10-08",
  "Severity": { "Normalized": 40, "Product": 2 },
  "Title": "10.10.10.72 is performing SSH brute force attacks against i-0799ee6e490c078c5. ",
  "Types": [ "TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce" ],
  "UpdatedAt": "2019-08-06T05:28:24.425Z",
  "WorkflowState": "NEW",
  "phCustId": 1,
  "serverIp": "10.10.10.22",
  "serverName": "amzon.com"
}

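The following is an added example, not FortiSIEM code, of what a correlation rule does with a finding like the one above once it has been pulled: it flattens the ASFF fields a rule keys on (source IP, target port, direction, attempt count, record state) and applies a brute-force threshold to them. The finding embedded below is a trimmed copy of the page's GuardDuty sample so the script runs without AWS access; the `normalize` and `is_ssh_brute_force` functions and the 5-attempt floor are this example's own choices, not FortiSIEM rule logic.

```python
"""Flatten an AWS Security Hub finding (ASFF) and apply a brute-force rule.
Added example; not part of FortiSIEM. The finding is a trimmed copy of the
page's GuardDuty sample, embedded so this runs without AWS access."""
import json

# Trimmed from the page's sample finding (constructed for this example).
SAMPLE_FINDING = json.loads(r'''{
  "AwsAccountId": "111111111111",
  "Id": "arn:aws:guardduty:us-west-2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa/finding/8cb632a4b32f7c3b854d9f5347bf07a4",
  "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty",
  "ProductFields": {
    "action/actionType": "NETWORK_CONNECTION",
    "action/networkConnectionAction/connectionDirection": "INBOUND",
    "action/networkConnectionAction/localPortDetails/port": "22",
    "action/networkConnectionAction/protocol": "TCP",
    "action/networkConnectionAction/remoteIpDetails/ipAddressV4": "10.10.10.72",
    "aws/securityhub/SeverityLabel": "MEDIUM",
    "count": "7",
    "resourceRole": "TARGET"
  },
  "RecordState": "ACTIVE",
  "Resources": [{"Id": "arn:aws:ec2:us-west-2:111111111111:instance/i-0799ee6e490c078c5",
                 "Region": "us-west-2", "Type": "AwsEc2Instance"}],
  "Severity": {"Normalized": 40, "Product": 2},
  "Types": ["TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce"],
  "WorkflowState": "NEW"
}''')


def normalize(finding):
    """Pull the ASFF fields a SIEM rule keys on into a flat dict.

    ProductFields is a flat map of strings, so the numeric ones are cast here;
    keys absent from non-network findings become None/0 instead of raising."""
    pf = finding.get("ProductFields", {})
    net = "action/networkConnectionAction/"
    resources = finding.get("Resources", [])
    return {
        "account": finding["AwsAccountId"],
        "finding_id": finding["Id"],
        "product": finding["ProductArn"].rsplit("/", 1)[-1],   # "guardduty"
        "types": finding.get("Types", []),
        "severity_label": pf.get("aws/securityhub/SeverityLabel", "UNKNOWN"),
        "severity": finding.get("Severity", {}).get("Normalized", 0),
        "src_ip": pf.get(net + "remoteIpDetails/ipAddressV4"),
        "dst_port": int(pf.get(net + "localPortDetails/port") or 0),
        "direction": pf.get(net + "connectionDirection"),
        "count": int(pf.get("count") or 0),
        "target": resources[0]["Id"] if resources else None,
        "active": finding.get("RecordState") == "ACTIVE",
    }


def is_ssh_brute_force(n, min_attempts=5):
    """Rule: active, inbound, port 22, GuardDuty SSH brute-force type, enough attempts.
    The 5-attempt floor is this example's choice; ARCHIVED findings never fire."""
    return (n["active"]
            and any(t.endswith("UnauthorizedAccess:EC2-SSHBruteForce") for t in n["types"])
            and n["direction"] == "INBOUND"
            and n["dst_port"] == 22
            and n["count"] >= min_attempts)


if __name__ == "__main__":
    n = normalize(SAMPLE_FINDING)
    print(n["severity_label"], n["src_ip"], "->", n["target"], "fires:", is_ssh_brute_force(n))
```

The `RecordState` check matters in practice: Security Hub keeps returning archived findings unless the poll filters them out, and a rule that ignores the state re-fires on stale data.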

Box.com

- Integration points
- Box API Integration
- Configuring Box.com Service
- Configuring FortiSIEM

Integration points

Protocol                 Box.com API
Information Discovered   None
Used For                 Security and Compliance

Box API Integration

FortiSIEM pulls audit events from the Box.com Cloud Service through the Box API.

Configuring Box.com Service

Create an account to be used for FortiSIEM communication:
- A general account can pull user events.
- An Admin account can pull enterprise events.

Configuring FortiSIEM

Use the account created in the previous step to enable FortiSIEM access.

1. Log on to FortiSIEM.
2. Go to ADMIN > Setup > Credentials.
3. Click New to create a Box.com credential:
   a. Choose Device Type = Box.com Box (Vendor = Box.com, Model = Box).
   b. Choose Access Protocol = Box API.
   c. For Account, enter the email address of the account created in Configuring Box.com Service.
   d. Choose the Organization if this is an MSP deployment and the same credential is to be used for multiple customers.
   e. Click Save.
   f. You are redirected to the Box.com website.
   g. Enter the credentials for Box.com and click Authorize.
   h. Click Grant Access to Box. You should see that the authorization for FortiSIEM to access your Box.com account was successful.
4. Enter an IP Range to Credential Association:
   a. Set Hostname to box.com.
   b. Select the credential created in step 3.
   c. Click Save.
5. Select the entry created in step 4 and click Test Connectivity. Make sure it succeeds, which confirms that the credential is correct.
6. An entry is created in ADMIN > Setup > Pull Events corresponding to this event-pulling job. FortiSIEM starts to pull events from the Box.com Cloud Service using the Box.com API.

To test for received Box.com events:

1. Go to ADMIN > Setup > Pull Events.
2. Select the Box.com entry and click Report.

The system takes you to the Analytics tab and runs a query to display the events received from Box.com in the last 15 minutes. You can modify the time interval to get more events.


Google Workspace Audit

- What is Discovered and Monitored
- Configuration
- Sample Events for Google Workspace Audit

What is Discovered and Monitored

Protocol         Google Apps Admin SDK
Logs Collected   Configuration Change, Account Create/Delete/Modify, Account Group Create/Delete/Modify, Document Create/Delete/Modify/Download, Document Permission Change, Logon Success, Logon Failure, Device compromise
Used For         Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "Google_Apps" in the Search column to see the event types associated with this device.

Reports

There are many reports defined in RESOURCES > Reports > Device > Application > Document Mgmt. Search for "Google Apps".

Configuration

- Create a Google Workspace Credential in Google API Console
- Define Google Workspace Credential in FortiSIEM
- Test Connectivity

Create a Google Workspace Credential in Google API Console

1. Log on to the Google API Console (https://console.developers.google.com).
2. Open the Select a project window and click NEW PROJECT.
3. In the New Project window:
   a. Project Name: enter a name.
   b. Click Create.
4. Open the Select a project window and select the project you created in Step 3.
5. Under Dashboard, click Enable APIs and Services and find the Admin SDK.
6. Select Admin SDK and click Enable to activate the Admin SDK for this project.
7. Create a Service Account for this project:
   a. Under Credentials, click Create Credentials > Service Account.
   b. Enter the service account name.
   c. Click Create.
   d. Choose Role as Project > Viewer.
   e. Click Continue > Done.
8. Create a key for the Service Account:
   a. Go to Navigation Menu > IAM & Admin > Service Accounts.
   b. In the Service Account table, choose the service account you created in Step 7.
   c. Click Actions > Create Key.
   d. Choose Key type as JSON.
   e. Click Create.
   f. A JSON file containing the Service Account credentials is downloaded to your computer. This file holds the private key that authenticates FortiSIEM to Google: store it securely and upload it only to FortiSIEM.
9. Enable Google Workspace domain-wide delegation:
   a. Go to Navigation Menu > IAM & Admin > Service Accounts.
   b. In the Service Account table, choose the service account you created in Step 7.
   c. Click Actions > Edit > SHOW DOMAIN-WIDE DELEGATION.
   d. Check Enable G Suite Domain-wide Delegation.
   e. Enter FortiSIEM in the Product name for the consent screen.
   f. Click Save.
10. View the Client ID:
   a. Go to Navigation Menu > IAM & Admin > Service Accounts.
   b. In the Service Account table, choose the service account you created in Step 7.
   c. Click Actions > Edit > SHOW DOMAIN-WIDE DELEGATION.
   d. Note the Client ID shown there.
11. Delegate domain-wide authority to the service account created in Step 7:
   a. Go to your Google Workspace domain's Admin console (https://admin.google.com).
   b. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
   c. Select Advanced settings from the list of options.
   d. Click Manage domain wide delegation in the Domain wide delegation section.
   e. Click Add new.
   f. In the Client ID field, enter the service account's Client ID you obtained in Step 10d.
   g. In the OAuth scopes (comma-delimited) field, enter the only scope FortiSIEM needs: https://www.googleapis.com/auth/admin.reports.audit.readonly. This read-only Reports API scope is all the audit collection requires; do not grant this client any broader Admin SDK scopes.
   h. Click Authorize.

Define Google Workspace Credential in FortiSIEM

1. Log in to the FortiSIEM Supervisor node.
2. Go to ADMIN > Setup > Credentials.
3. In Step 1, click Add to create a new credential.
4. For Device Type, select Google Google Apps.
5. For Access Protocol, select Google Apps Admin SDK.
6. Enter the User Name (the account name used to log in to the Admin console). Domain-wide delegation lets the service account act as this user, so the user must itself be permitted to read the audit reports.
7. For Service Account Key, upload the JSON credential file (see Step 8f in Create a Google Workspace Credential in Google API Console).
8. Click Save.

Test Connectivity

1. Log in to the FortiSIEM Supervisor node.
2. Go to ADMIN > Setup > Credentials.
3. In Step 2, click Add to create a new association.
4. For Name/IP/IP Range, enter google.com.
5. For Credentials, enter the name of the credential created in Define Google Workspace Credential in FortiSIEM.
6. Click Save.
7. Select the entry just created and click Test Connectivity without Ping. A pop-up shows the Test Connectivity results.
8. Go to ADMIN > Setup > Pull Events and make sure an entry is created for Google Audit Log Collection.
Sample Events for Google Workspace Audit

Logon Success

<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_success]:[eventSeverity]=PHL_INFO,[actor.profileId]=117858279951236905887,[id.time]=2016-09-09T06:53:58.000Z,[id.applicationName]=login,[kind]=admin#reports#activity,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=8830301951515521023,[event.parameters.login_type]=google_password,[event.type]=login,[ipAddress]=45.79.100.103,[actor.email]=api1@accelops.net,[event.name]=login_success,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/Nfrg2SFjlC2gR6pJtpP2scVidmc""",Google_Apps_login_login_success,login_success,1,45.79.100.103,

Logon Failure

<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_failure]:[eventSeverity]=PHL_INFO,[actor.profileId]=117858279951236905887,[id.applicationName]=login,[kind]=admin#reports#activity,[event.parameters.login_type]=google_password,[ipAddress]=45.79.100.103,[event.name]=login_failure,[id.time]=2016-09-19T09:27:51.000Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=4795688196368428241,[event.type]=login,[actor.email]=api1@accelops.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/v5zsUPNoEdXLLK79zQpBcuxNbQU"",[event.parameters.login_failure_type]=login_failure_invalid_password",Google_Apps_login_login_failure,login_failure,1,45.79.100.103,

Create User

<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_CREATE_USER]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=CREATE_USER,[id.time]=2016-09-19T09:22:44.646Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-8133102622954793216,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelops.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/R5GJyWG9YHSiGRvo3-8ZBM0ZlL0""",Google_Apps_USER_SETTINGS_CREATE_USER,CREATE_USER,1,45.79.100.103,

Delete User

<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_DELETE_USER]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=DELETE_USER,[id.time]=2016-09-19T09:22:28.582Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-4630441819990099585,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelops.net,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/08MaodxPU6Zv7s6vJtuUQW9ugx0""",Google_Apps_USER_SETTINGS_DELETE_USER,DELETE_USER,1,45.79.100.103,

Move User to Org Unit

<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_MOVE_USER_TO_ORG_UNIT]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[event.parameters.ORG_UNIT_NAME]=/test,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=MOVE_USER_TO_ORG_UNIT,[id.time]=2016-09-19T09:24:25.285Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=6704816947489240452,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=testuser@accelops.org,[actor.email]=api1@accelops.net,[event.parameters.NEW_VALUE]=/,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/r1v9DiPZbL06fXFFjJlrWf2s3qI""",Google_Apps_USER_SETTINGS_MOVE_USER_TO_ORG_UNIT,MOVE_USER_TO_ORG_UNIT,1,45.79.100.103,,


Microsoft Azure Audit

- What is Discovered and Monitored
- Configuration
- Sample Events for Microsoft Azure Audit

What is Discovered and Monitored

Protocol                 Azure CLI
Information Discovered   None
Information Collected    Audit Logs
Used For                 Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "Microsoft Azure Audit" in the Search column to see the event types associated with this device.

Configuration

You must define a user account in Azure for FortiSIEM to use when pulling audit logs. Any of the following roles works:

- Owner
- Reader
- Monitoring Reader
- Monitoring Contributor
- Contributor

FortiSIEM recommends the Monitoring Reader role, which is the least privileged role that can do the job. Owner and Contributor can change resources in the subscription, so a leaked FortiSIEM credential holding one of those roles would be far more damaging than one holding Monitoring Reader.

Create Microsoft Azure Audit Credential in FortiSIEM

1. Log in to the FortiSIEM Supervisor node.
2. Go to ADMIN > Setup > Credentials.
3. In Step 1, click Add to create a new credential.
4. For Device Type, select Microsoft Azure Audit.
5. For Access Protocol, select Azure CLI.
6. For Password Configuration, select Manual or CyberArk:
   a. For the Manual method, enter the user name and password of the Azure account. FortiSIEM recommends the Monitoring Reader role for this account.
   b. For CyberArk, see CyberArk Password Configuration.
7. Click Save.

Test Connectivity in FortiSIEM

1. Log in to the FortiSIEM Supervisor node.
2. Go to ADMIN > Setup > Credentials.
3. In Step 2, click Add to create a new association.
4. For Name/IP/IP Range, enter any IP address.
5. For Credentials, enter the name of the credential created in Create Microsoft Azure Audit Credential in FortiSIEM.
6. Click Save.
7. Select the entry just created and click Test Connectivity without Ping. A pop-up appears with the Test Connectivity results.
8. Go to ADMIN > Setup > Pull Events and make sure an entry is created for Microsoft Audit Log Collection.
Sample Events for Microsoft Azure Audit
2016-02-26 15:19:10 FortiSIEM-Azure,[action]=Microsoft.ClassicCompute/virtualmachines/shutdown/action,[caller]=Cuiping.Wang@shashiaccelops.onmicrosoft.com,[level]=Error,[resourceId]=/subscriptions/3ed4ee1c-1a83-4e02-a928-7ff5e0008e8a/resourcegroups/china/providers/Microsoft.ClassicCompute/virtualmachines/china,[resourceGroupName]=china,[eventTimestamp]=2016-02-14T06:12:18.5539709Z,[status]=Failed,[subStatus]=Conflict,[resourceType]=Microsoft.ClassicCompute/virtualmachines,[category]=Administrative
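The Google Workspace samples in the previous section and the Azure sample above share FortiSIEM's bracketed `[key]=value` attribute layout. The following is an added example, not FortiSIEM code, of a parser for that layout together with two checks a SOC would run over the parsed attributes: repeated Google login failures from one source IP, and failed Azure Administrative operations. The lines are constructed from the page's samples (the Google failure repeated three times with different qualifiers so the threshold trips); the parser assumes attribute values contain no commas, which holds for every attribute in those samples.

```python
"""Parse FortiSIEM's bracketed [key]=value event lines and run two checks over them.
Added example; not FortiSIEM code. Lines are constructed from the page's Google
Workspace and Azure samples (values assumed comma-free, as in those samples)."""
import re
from collections import Counter

# The page's Google login-failure line as a template; {n} varies timestamp/qualifier.
GOOGLE_FAILURE = (
    '<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_failure]:[eventSeverity]=PHL_INFO,'
    '[actor.profileId]=117858279951236905887,[id.applicationName]=login,[kind]=admin#reports#activity,'
    '[event.parameters.login_type]=google_password,[ipAddress]=45.79.100.103,[event.name]=login_failure,'
    '[id.time]=2016-09-19T09:27:5{n}.000Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=479568819636842824{n},'
    '[event.type]=login,[actor.email]=api1@accelops.net,'
    '[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/v5zsUPNoEdXLLK79zQpBcuxNbQU"",'
    '[event.parameters.login_failure_type]=login_failure_invalid_password",'
    'Google_Apps_login_login_failure,login_failure,1,45.79.100.103,'
)

SAMPLE_LINES = [
    # Google login success (from the page)
    '<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_success]:[eventSeverity]=PHL_INFO,'
    '[actor.profileId]=117858279951236905887,[id.time]=2016-09-09T06:53:58.000Z,[id.applicationName]=login,'
    '[kind]=admin#reports#activity,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=8830301951515521023,'
    '[event.parameters.login_type]=google_password,[event.type]=login,[ipAddress]=45.79.100.103,'
    '[actor.email]=api1@accelops.net,[event.name]=login_success,'
    '[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/Nfrg2SFjlC2gR6pJtpP2scVidmc""",'
    'Google_Apps_login_login_success,login_success,1,45.79.100.103,',
    # Three Google login failures from one IP (constructed from the page's sample)
    *[GOOGLE_FAILURE.format(n=i) for i in range(1, 4)],
    # Azure activity log record (from the page)
    '2016-02-26 15:19:10 FortiSIEM-Azure,[action]=Microsoft.ClassicCompute/virtualmachines/shutdown/action,'
    '[caller]=Cuiping.Wang@shashiaccelops.onmicrosoft.com,[level]=Error,'
    '[resourceId]=/subscriptions/3ed4ee1c-1a83-4e02-a928-7ff5e0008e8a/resourcegroups/china/providers/'
    'Microsoft.ClassicCompute/virtualmachines/china,[resourceGroupName]=china,'
    '[eventTimestamp]=2016-02-14T06:12:18.5539709Z,[status]=Failed,[subStatus]=Conflict,'
    '[resourceType]=Microsoft.ClassicCompute/virtualmachines,[category]=Administrative',
]

EVENT_TYPE_RE = re.compile(r'\[([A-Za-z0-9_]+)\]:')   # "[Google_Apps_login_login_failure]:"
ATTR_RE = re.compile(r'\[([^\]]+)\]=([^,]*)')          # "[key]=value", value runs to the next comma


def parse_event(line):
    """Return {'event_type', 'attrs'} for one FortiSIEM-formatted line.
    Azure lines carry no [EventType]: prefix, so event_type is None for them.
    Surrounding quote characters (CSV-style doubling in the raw export) are stripped."""
    m = EVENT_TYPE_RE.search(line)
    body = line[m.end():] if m else line
    attrs = {k: v.strip().strip('"') for k, v in ATTR_RE.findall(body)}
    return {"event_type": m.group(1) if m else None, "attrs": attrs}


def google_failed_logins(events, threshold=3):
    """Source IPs with at least `threshold` Google_Apps login failures."""
    failures = Counter(e["attrs"].get("ipAddress", "?") for e in events
                       if e["event_type"] == "Google_Apps_login_login_failure")
    return {ip: n for ip, n in failures.items() if n >= threshold}


def azure_failed_admin_actions(events):
    """(caller, action, subStatus) for Azure Administrative operations that failed."""
    return [(a["caller"], a["action"], a.get("subStatus"))
            for a in (e["attrs"] for e in events)
            if a.get("category") == "Administrative" and a.get("status") == "Failed"]


if __name__ == "__main__":
    parsed = [parse_event(l) for l in SAMPLE_LINES]
    print("failed logins:", google_failed_logins(parsed))
    print("failed azure admin actions:", azure_failed_admin_actions(parsed))
```

The trailing CSV fields after the last attribute (event type, event name, count, reporting IP) are left alone by the parser because they contain no `[key]=` token; if an event ever carried a comma inside a value, the value would be truncated at that comma, so extend `ATTR_RE` before relying on this for free-text fields.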


Microsoft Office 365 Audit

- What is Discovered and Monitored
- Event Types
- Reports
- Configuration in Office 365 Audit
- Configuration in FortiSIEM
- Sample Events for Audit

What is Discovered and Monitored

Office 365 Activity Type                Operations

File and folder activities              FileAccessed, FileCheckedIn, FileCheckedOut, FileCopied, FileDeleted, FileCheckOutDiscarded, FileDownloaded, FileModified, FileMoved, FileRenamed, FileRestored, FileUploaded

Sharing and access request activities   AccessRequestAccepted, SharingInvitationAccepted, CompanyLinkCreated, AccessRequestCreated, AnonymousLinkCreated, SharingInvitationCreated, AccessRequestDenied, CompanyLinkRemoved, AnonymousLinkRemoved, SharingSet, AnonymousLinkUpdated, AnonymousLinkUsed, SharingRevoked, CompanyLinkUsed, SharingInvitationRevoked

Synchronization activities              ManagedSyncClientAllowed, UnmanagedSyncClientBlocked, FileSyncDownloadedFull, FileSyncDownloadedPartial, FileSyncUploadedFull, FileSyncUploadedPartial

Site administration activities          ExemptUserAgentSet, SiteCollectionAdminAdded, AddedToGroup, AllowGroupCreationSet, CustomizeExemptUsers, SharingPolicyChanged, GroupAdded, SendToConnectionAdded, SiteCollectionCreated, GroupRemoved, SendToConnectionRemoved, PreviewModeEnabledSet, LegacyWorkflowEnabledSet, OfficeOnDemandSet, NewsFeedEnabledSet, PeopleResultsScopeSet, SitePermissionsModified, RemovedFromGroup, SiteRenamed, SiteAdminChangeRequest, HostSiteSet, GroupUpdated

Exchange mailbox activities             Copy, Create, SoftDelete, Move, MoveToDeletedItems, HardDelete, SendAs, SendOnBehalf, Update, MailboxLogin

Sway activities                         SwayChangeShareLevel, SwayCreate, SwayDelete, SwayDisableDuplication, SwayDuplicate, SwayEdit, EnableDuplication, SwayRevokeShare, SwayShare, SwayExternalSharingOff, SwayExternalSharingOn, SwayServiceOff, SwayServiceOn, SwayView

User administration activities          Add user, Change user license, Change user password, Delete user, Reset user password, Set force change user password, Set license properties, Update user

Group administration activities         Add group, Add member to group, Delete group, Remove member from group, Update group

Application administration activities   Add delegation entry, Add service principal, Add service principal credentials, Remove delegation entry, Remove service principal, Remove service principal credentials, Set delegation entry

Role administration activities          Add role member to role, Remove role member from role, Set company contact information

Directory administration activities     Add domain to company, Add partner to company, Remove domain from company, Remove partner from company, Set company information, Set domain authentication, Set federation settings on domain, Set password policy, Set DirSyncEnabled flag on company, Update domain, Verify domain, Verify email verified domain

Event Types

In ADMIN > Device Support > Event Types, search for "MS_Office365" in the Search field to see the event types associated with Office 365.

Reports

There are many reports defined in RESOURCES > Reports > Device > Application > Document Mgmt. Search for "Office365" in the main content panel Search... field.

Configuration in Office 365 Audit

- Enable Office 365 Audit Log Search
- Create the Office 365 API Credential

Enable Office 365 Audit Log Search

To search audit logs, you must first enable Office 365 audit log search; for Microsoft's instructions, see https://docs.microsoft.com/en-us/office365/securitycompliance/turn-audit-log-search-on-or-off. The Office 365 Management Activity API that FortiSIEM uses returns auditing data for your organization only once audit log search is enabled in the Security & Compliance Center. Before you can enable or disable audit log search for your Microsoft 365 organization, you must be assigned the Audit Logs role in the Exchange admin center. Follow these steps to assign the Audit Logs role and enable audit log search for your organization.

1. Log in to Microsoft Office Online: https://login.microsoftonline.com.
2. Click Admin > Security & compliance.
3. Click Exchange admin center. If you receive an alert at this point, you must enable Office 365 Exchange Online before proceeding: go to Step 4. Otherwise, go to Step 6.
4. Click Admin > Purchase services.
5. Select one of the Microsoft 365 services. In this example, Microsoft 365 Business Premium Trial is selected.
6. Click Admin > Security & compliance > Exchange admin center.
7. Click Exchange admin center > permissions > admin roles > New to create a new role group.
8. Select the Audit Logs role and add the members you want in the group. Click Save.
9. The Audit Logs role group is displayed in the Exchange admin center > permissions > admin roles table.
10. Go back to the Microsoft 365 Admin center.
11. Click Security & compliance > Report dashboard. The first time you open this page, it asks you to enable the Audit log. After you enable it, the page displays the Search button.

Create the Office 365 API Credential

Follow these steps to create the Office 365 API credential.

1. Log in to https://portal.azure.com.
2. Click All Services.
3. Click Azure Active Directory.
4. Click App Registrations (on the right panel).
5. Click New registration and enter the following information:
   Name: FSM
   Supported Account Types: Select Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).
   Redirect URI: https://your.internal.fsm.ip
6. Click Register. Copy the Application (client) ID and the Directory (tenant) ID to a text editor; you need both when entering the Office 365 credential in FortiSIEM.
7. Click Certificates & secrets (on the right panel).
8. Click New client secret:
   Description: FSM
   Expires in: 2 years
   Copy the value (for example: AC83J.6_nobD:G1Q=DJe/hFiB3BP4+a) to a text editor. You need this value when entering the Office 365 credential in FortiSIEM, and the portal shows it only once; a lost secret must be replaced with a new one.
9. Go to API permissions (left panel).
10. Click Add a permission.
11. Select Office 365 Management APIs.
12. Click Application permissions and expand all.
13. Select all permissions with "Read" access (FortiSIEM only reads the activity feeds, so grant nothing that writes). Click Add permissions. You will see the warning "Permissions have changed. Users and/or admins will have to consent even if they have already done so previously." An admin must approve these permission grants, which is done in the next step.
14. Click Grant admin consent and select Yes when you see the alert "Do you want to grant consent for the requested permissions for all accounts in your_organization? This will update any existing admin consent records this application already has to match what is listed below."
Sample API Permission

Configuration in FortiSIEM

Configuration is done in two parts. Follow the steps in these two sections to configure FortiSIEM:
- Define Office 365 Management Credential in FortiSIEM
- Create IP Range to Credential Association and Test Connectivity

Define Office 365 Management Credential in FortiSIEM

Complete these steps in the FortiSIEM UI after logging in to the FortiSIEM Supervisor node.

1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box and click Save:

   Setting          Description
   Name             Enter a name for the credential.
   Device Type      Microsoft Office365
   Access Protocol  Office 365 Mgmt Activity API
   Tenant ID        The Directory (tenant) ID copied in Step 6 of Create the Office 365 API Credential (it is also the ID that appears in the Azure login URL).
   Password Config  If you select Manual:
                    1. For Client ID, use the Application (client) ID copied in Step 6 of Create the Office 365 API Credential.
                    2. For Client Secret, use the client secret value copied in Step 8 of Create the Office 365 API Credential.
                    For the CyberArk credential method, see CyberArk Password Configuration.
   Organization     The organization the device belongs to.
   Description      Description of the device.

Create IP Range to Credential Association and Test Connectivity

From the FortiSIEM Supervisor node, take the following steps.

1. In Step 2: Enter IP Range to Credential Associations, click New to create a new association.
   a. Enter "manage.office.com" in the IP/Host Name field.
   b. Select the name of the credential created in Define Office 365 Management Credential in FortiSIEM from the Credentials drop-down list.
   c. Click Save.
2. Select the entry just created, click the Test drop-down list, and select Test Connectivity without Ping. A pop-up shows the Test Connectivity results.
3. Go to ADMIN > Setup > Pull Events and make sure an entry is created for Office 365 Log Collection.

Sample Events for Audit
[OFFICE365_EVENT_DATA] = {
  "Actor": [
    {"ID": "dtomic@my.company.org", "Type": 5},
    {"ID": "10030000873CEE9F", "Type": 3},
    {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2},
    {"ID": "User_68d76168-813d-4b9f-88cd-37b66a5b3841", "Type": 2},
    {"ID": "68d76168-813d-4b9f-88cd-37b66a5b3841", "Type": 2},
    {"ID": "User", "Type": 2}
  ],
  "ActorContextId": "653e32e8-fb2d-41aa-8841-90f05b340318",
  "ActorIpAddress": "<null>",
  "AzureActiveDirectoryEventType": 1,
  "ClientIP": "<null>",
  "CreationTime": "2019-07-23T13:16:05UTC",
  "ExtendedProperties": [
    {"Name": "actorContextId", "Value": "653e32e8-fb2d-41aa-8841-90f05b340318"},
    {"Name": "actorObjectId", "Value": "68d76168-813d-4b9f-88cd-37b66a5b3841"},
    {"Name": "actorObjectClass", "Value": "User"},
    {"Name": "actorUPN", "Value": "dtomic@my.company.org"},
    {"Name": "actorAppID", "Value": "18ed3507-a475-4ccb-b669-d66bc9f2a36e"},
    {"Name": "actorPUID", "Value": "10030000873CEE9F"},
    {"Name": "teamName", "Value": "MSODS."},
    {"Name": "targetContextId", "Value": "653e32e8-fb2d-41aa-8841-90f05b340318"},
    {"Name": "targetObjectId", "Value": "02232019-4557-45d6-9630-f78694bc8341"},
    {"Name": "extendedAuditEventCategory", "Value": "Application"},
    {"Name": "targetName", "Value": "FSM"},
    {"Name": "targetIncludedUpdatedProperties", "Value": "[\"AppAddress\",\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"},
    {"Name": "correlationId", "Value": "a854ecc6-31d6-4fea-8d56-aeed05aa1174"},
    {"Name": "version", "Value": "2"},
    {"Name": "additionalDetails", "Value": "{}"},
    {"Name": "resultType", "Value": "Success"},
    {"Name": "auditEventCategory", "Value": "ApplicationManagement"},
    {"Name": "nCloud", "Value": "<null>"},
    {"Name": "env_ver", "Value": "2.1"},
    {"Name": "env_name", "Value": "#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"},
    {"Name": "env_time", "Value": "2019-07-23T13:16:05.0208099Z"},
    {"Name": "env_epoch", "Value": "64BOV"},
    {"Name": "env_seqNum", "Value": "25454285"},
    {"Name": "env_popSample", "Value": "0"},
    {"Name": "env_iKey", "Value": "ikey"},
    {"Name": "env_flags", "Value": "257"},
    {"Name": "env_cv", "Value": "##17a913a8-943a-42f3-b8ad-2ea3bc4bf927_00000000-0000-0000-0000-000000000000_17a913a8-943a-42f3-b8ad-2ea3bc4bf927"},
    {"Name": "env_os", "Value": "<null>"},
    {"Name": "env_osVer", "Value": "<null>"},
    {"Name": "env_appId", "Value": "restdirectoryservice"},
    {"Name": "env_appVer", "Value": "1.0.11219.0"},
    {"Name": "env_cloud_ver", "Value": "1.0"},
    {"Name": "env_cloud_name", "Value": "MSO-AM5R"},
    {"Name": "env_cloud_role", "Value": "restdirectoryservice"},
    {"Name": "env_cloud_roleVer", "Value": "1.0.11219.0"},
    {"Name": "env_cloud_roleInstance", "Value": "AM5RRDSR582"},
    {"Name": "env_cloud_environment", "Value": "PROD"},
    {"Name": "env_cloud_deploymentUnit", "Value": "R5"}
  ],
  "Id": "fc12de96-0cbc-4618-9c8f-cc8ab7891e3b",
  "ModifiedProperties": [
    {"Name": "AppAddress", "NewValue": "[\r\n {\r\n \"AddressType\": 0,\r\n \"Address\": \"https://10.222.248.17\",\r\n \"ReplyAddressClientType\": 1\r\n }\r\n]", "OldValue": "[]"},
    {"Name": "AppId", "NewValue": "[\r\n \"0388f2da-dbcc-4506-ba57-a85c578297c0\"\r\n]", "OldValue": "[]"},
    {"Name": "AvailableToOtherTenants", "NewValue": "[\r\n false\r\n]", "OldValue": "[]"},
    {"Name": "DisplayName", "NewValue": "[\r\n \"FSM\"\r\n]", "OldValue": "[]"},
    {"Name": "RequiredResourceAccess", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[]"},
    {"Name": "Included Updated Properties", "NewValue": "AppAddress, AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess", "OldValue": ""}
  ],
  "ObjectId": "Not Available",
  "Operation": "Add application.",
  "OrganizationId": "653e32e8-fb2d-41aa-8841-90f05b340318",
  "RecordType": 8,
  "ResultStatus": "Success",
  "SupportTicketId": "",
  "Target": [
    {"ID": "Application_02232019-4557-45d6-9630-f78694bc8341", "Type": 2},
    {"ID": "02232019-4557-45d6-9630-f78694bc8341", "Type": 2},
    {"ID": "Application", "Type": 2},
    {"ID": "FSM", "Type": 1}
  ],
  "TargetContextId": "653e32e8-fb2d-41aa-8841-90f05b340318",
  "TenantId": "653e32e8-fb2d-41aa-8841-90f05b340318",
  "UserId": "dtomic@my.company.org",
  "UserKey": "10030000873CEE9F@my.company.org",
  "UserType": 0,
  "Version": 1,
  "Workload": "AzureActiveDirectory",
  "phCustId": 1
}

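The record above is the audit trail of the FSM app registration created in Create the Office 365 API Credential, and it illustrates a quirk of the Office 365 Management Activity format: each `ModifiedProperties` value is itself JSON text embedded in the JSON record (hence the `\r\n` sequences), so it has to be decoded a second time before a rule can read the reply URL, tenant scope or requested permissions. The following is an added example, not FortiSIEM code, that does that decoding and flags application-management operations that widen exposure. `SAMPLE_RECORD` is a trimmed copy of the page's sample; `APP_MGMT_OPS` is built from the page's "Application administration activities" list, and the alert conditions and the reading of `DirectAccessGrant` as an app-only permission are this example's own choices.

```python
"""Decode an Office 365 Management Activity record and flag risky app registrations.
Added example; not FortiSIEM code. SAMPLE_RECORD is a trimmed copy of the page's
sample; APP_MGMT_OPS and the alert conditions are this example's own choices."""
import json

# Trimmed from the page's sample record (constructed for this example).
SAMPLE_RECORD = json.loads(r'''{
  "CreationTime": "2019-07-23T13:16:05UTC",
  "Id": "fc12de96-0cbc-4618-9c8f-cc8ab7891e3b",
  "Operation": "Add application.",
  "OrganizationId": "653e32e8-fb2d-41aa-8841-90f05b340318",
  "RecordType": 8,
  "ResultStatus": "Success",
  "UserId": "dtomic@my.company.org",
  "UserType": 0,
  "Workload": "AzureActiveDirectory",
  "ClientIP": "<null>",
  "Target": [{"ID": "Application_02232019-4557-45d6-9630-f78694bc8341", "Type": 2},
             {"ID": "FSM", "Type": 1}],
  "ModifiedProperties": [
    {"Name": "AppAddress", "NewValue": "[\r\n {\r\n \"AddressType\": 0,\r\n \"Address\": \"https://10.222.248.17\",\r\n \"ReplyAddressClientType\": 1\r\n }\r\n]", "OldValue": "[]"},
    {"Name": "AppId", "NewValue": "[\r\n \"0388f2da-dbcc-4506-ba57-a85c578297c0\"\r\n]", "OldValue": "[]"},
    {"Name": "AvailableToOtherTenants", "NewValue": "[\r\n false\r\n]", "OldValue": "[]"},
    {"Name": "DisplayName", "NewValue": "[\r\n \"FSM\"\r\n]", "OldValue": "[]"},
    {"Name": "RequiredResourceAccess", "NewValue": "[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]", "OldValue": "[]"},
    {"Name": "Included Updated Properties", "NewValue": "AppAddress, AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess", "OldValue": ""}
  ]
}''')

# Operations from the page's "Application administration activities" list plus the
# "Add application" operation seen in the sample; trailing periods are stripped.
APP_MGMT_OPS = {
    "Add application", "Add delegation entry", "Add service principal",
    "Add service principal credentials", "Remove delegation entry",
    "Remove service principal", "Remove service principal credentials",
    "Set delegation entry",
}


def decode_modified_properties(record):
    """Each NewValue is a string holding JSON (a one-element array for scalars), so it
    is decoded a second time. Non-JSON values such as "Included Updated Properties"
    are kept as plain text."""
    props = {}
    for p in record.get("ModifiedProperties", []):
        raw = p.get("NewValue")
        try:
            props[p["Name"]] = json.loads(raw) if raw else None
        except json.JSONDecodeError:
            props[p["Name"]] = raw
    return props


def summarize(record):
    """Flatten the fields a rule needs. '<null>' is Microsoft's marker for 'no value'."""
    op = record["Operation"].rstrip(".")
    ip = record.get("ClientIP")
    s = {
        "time": record["CreationTime"],
        "workload": record["Workload"],
        "record_type": record["RecordType"],
        "actor": record["UserId"],
        "client_ip": None if ip in (None, "<null>") else ip,
        "operation": op,
        "result": record["ResultStatus"],
        "target": next((t["ID"] for t in record.get("Target", []) if t["Type"] == 1), None),
    }
    if op in APP_MGMT_OPS:
        props = decode_modified_properties(record)
        rra = props.get("RequiredResourceAccess") or []
        s["app_id"] = (props.get("AppId") or [None])[0]
        s["multi_tenant"] = (props.get("AvailableToOtherTenants") or [None])[0]
        s["reply_urls"] = [a["Address"] for a in (props.get("AppAddress") or [])]
        s["resource_app_ids"] = [r["ResourceAppId"] for r in rra]   # 00000003-... is Microsoft Graph
        # Assumption of this example: DirectAccessGrant=true marks an app-only permission
        # (usable with no signed-in user); delegated scopes show as ImpersonationAccessGrants.
        s["app_only_grants"] = [perm["EntitlementId"] for r in rra
                                for perm in r.get("RequiredAppPermissions", [])
                                if perm.get("DirectAccessGrant")]
    return s


def is_app_registration_alert(s):
    """Fire on successful app-management operations that widen exposure: the app is
    available to other tenants, or it requests app-only permissions."""
    return (s["operation"] in APP_MGMT_OPS and s["result"] == "Success"
            and (bool(s.get("multi_tenant")) or bool(s.get("app_only_grants"))))


if __name__ == "__main__":
    summary = summarize(SAMPLE_RECORD)
    print(summary["actor"], summary["operation"], summary["target"], summary["reply_urls"],
          "alert:", is_app_registration_alert(summary))
```

For the page's sample the rule stays quiet: the FSM app is single-tenant and its only requested Graph permission is delegated. The same record with `AvailableToOtherTenants` true, or with an app-only grant, would fire, which is the pattern to watch for when an attacker registers an application for persistence.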

Microsoft Cloud App Security
l Integration points l Configuring a SIEM Agent l Connecting Office 365 to Cloud App Security l Event Types l Sample Events

Integration points

Protocol SIEM Agent

Information Discovered
Logon, User creation/deletion and other Audit activity for Azure Applications including Office 365, SharePoint, OneDrive, Teams, PowerBI , Exchange

Used For
Security and Compliance

Configuring a SIEM Agent
FortiSIEM integrates with Microsoft Cloud App Security to collect alerts and activities from apps to Microsoft Cloud. As new activities and events are supported by connected apps, they become available to FortiSIEM via Microsoft Cloud App Security integration.
The integration is done via the Microsoft Cloud App Security SIEM agent. It can run on any server (including FortiSIEM). It pulls alerts and activities from Microsoft Cloud App Security and then streams them into FortiSIEM.
For details, see here.
FortiSIEM integration is accomplished in three steps:
1. Set up a SIEM Agent in the Microsoft Cloud App Security portal. 2. Download the SIEM agent (JAR file) and run it on a server. The agent would connect to the portal, collect logs and
forward to FortiSIEM. The server could be a FortiSIEM node such as Collector. 3. Validate that the SIEM agent is working correctly. 4. Configure an application to connect to Microsoft Cloud App Security portal. See those events in FortiSIEM.
Step 1: Set up a SIEM agent in the Microsoft Cloud App Security portal
1. In the Cloud App Security portal, under the Settings cog, click Security extensions and then click the SIEM agents tab.
2. Click the plus icon to start the Add SIEM agent wizard.
3. In the wizard:
   a. Click Start Wizard.
   b. Fill in a name.
   c. Select your SIEM format as 'Generic CEF'.
   d. In Advanced settings:
      i. Set Time Format to 'RFC 5424'.
      ii. Check Include PRI.
      iii. Check Include system name.
   e. Click Next.
   f. Type in the IP address or hostname of the FortiSIEM node receiving the events and port 514. Select TCP or UDP as the SIEM protocol. In most common situations, you would choose a FortiSIEM Collector. Click Next.
   g. Select which data types, Alerts and Activities, you want to export to your FortiSIEM. We recommend choosing All Alerts and All Activities. You can use the Apply to drop-down to set filters to send only specific alerts and activities. You can click Edit and preview results to check that the filter works as expected. Click Next.
   h. The wizard will say that the SIEM agent configuration is finished. Copy the token and save it for later.
   i. After you click Finish and leave the wizard, back on the SIEM page, you can see the SIEM agent you added in the table. It will show as Created until it connects later.
Step 2: Download the SIEM agent (JAR file) and run it on a server
1. In the Microsoft Download Center, after accepting the software license terms, download the .zip file and unzip it.
2. Run the following command:
   java -jar mcas-siemagent-0.87.20-signed.jar --logsDirectory <DIRNAME> --token <TOKEN> &
   where:
   - DIRNAME (optional) is the path to the directory where the agent writes its debug log.
   - TOKEN is the SIEM agent token you copied in Step 1, sub-step 3.h.
Step 3: Validate that the SIEM agent is working correctly
Make sure the status of the SIEM agent in the Cloud App Security portal is 'Connected'. If the connection is down for more than two hours, then the status may show 'Connection error'. The status will be 'Disconnected' if down for more than 12 hours.
Step 4: Configure an application to connect to the Microsoft Cloud App Security portal
Cloud App Security currently supports the following Office 365 apps:
- Office 365
- Dynamics 365 CRM
- Exchange (only appears after activities from Exchange are detected in the portal and requires you to turn on auditing)
- OneDrive
- PowerBI (only appears after activities from PowerBI are detected in the portal, and requires you to turn on auditing)
- SharePoint
- Teams (only appears after activities from Teams are detected in the portal)
See the Microsoft documentation to set up these applications.
Connecting Office 365 to Cloud App Security
Use the app connector API to connect Microsoft Cloud App Security to your existing Microsoft Office 365 account. The Microsoft Cloud App Security connection gives you visibility into and control over Office 365 use. For information on how Cloud App Security helps protect your Office 365 environment, see Microsoft's Cloud App Security documentation.

For information on the prerequisites and steps to connect Microsoft Cloud App Security to your existing Microsoft Office 365 account, see How to connect Office 365 to Cloud App Security.
Event Types
Search for 'MS-Azure-CloudAppSec' in Admin > Device Support > Event Types.
Sample Events
<109>2018-05-22T04:17:28.340Z SP204 CEF:0|MCAS|SIEM_Agent|0.123.162|EVENT_CATEGORY_LOGIN|Log on|0|externalId=70e988af3b82e19b872d12a91860d300d968f47e0bb245a0e765d9dbfbdb02ce rt=1526962648340 start=1526962648340 end=1526962648340 msg=Log on suser=yanlong@shashiaccelops.onmicrosoft.com destinationServiceName=Microsoft Azure dvc=43.254.220.13 requestClientApplication=;Windows 10;Edge 17.17134; cs1Label=portalURL cs1=https://shashiaccelops.us2.portal.cloudappsecurity.com/#/audits?activity.id\=eq(70e988af3b82e19b872d12a91860d300d968f47e0bb245a0e765d9dbfbdb02ce,) cs2Label=uniqueServiceAppIds cs2=APPID_AZURE cs3Label=targetObjects cs3=Azure Portal,yanlong,yanlong cs4Label=policyIDs cs4= c6a1Label="Device IPv6 Address" c6a1=


Microsoft Azure Advanced Threat Protection (ATP)
- Integration points
- Configuration
- Event Types

Integration Points

Protocol: Syslog (CEF)
Information Discovered: Suspicious alerts occurring on Windows machines in Azure
Used For: Security and Compliance

Configuration
FortiSIEM receives alerts via CEF-formatted syslog. See Microsoft's Azure ATP documentation for details on enabling syslog forwarding.
Event Types
Search for 'MS-AzureATP' in Admin > Device Support > Event Types.
Sample Event
02-21-2018 16:20:21 Auth.Warning 192.168.0.220 1 2018-02-21T14:20:06.156238+00:00 CENTER CEF 6076 LdapBruteForceSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|LdapBruteForceSecurityAlert|Brute force attack using LDAP simple bind|5|start=2018-02-21T14:19:41.7422810Z app=Ldap suser=Wofford Thurston shost=CLIENT1 msg=A brute force attack using the Ldap protocol was attempted on Wofford Thurston (Software Engineer) from CLIENT1 (100 guess attempts). cnt=100 externalId=2004 cs1Label=url cs1=https://contoso-corp.atp.azure.com/securityAlert/57b8ac96-7907-49719b27-ec77ad8c029a
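Both CEF samples above, the Cloud App Security agent's RFC 5424 line (with the PRI that "Include PRI" adds) and the Azure ATP alert, parsed into named fields, as an added Python example that is not part of this guide or of either vendor's tooling. It assumes the standard CEF escaping rules (`\=`, `\|`, `\\`) and folds csN/c6aN custom fields under the names their *Label companions give them.

```python
"""Parse the CEF-over-syslog samples from the Cloud App Security and Azure ATP
sections into flat dicts, so the fields a correlation rule keys on (user,
source, severity, custom labels) are available by name."""
import re

# Both samples are copied from this page; only the PDF line wraps are joined.
MCAS_SAMPLE = (
    "<109>2018-05-22T04:17:28.340Z SP204 CEF:0|MCAS|SIEM_Agent|0.123.162|"
    "EVENT_CATEGORY_LOGIN|Log on|0|externalId=70e988af3b82e19b872d12a91860d300"
    "d968f47e0bb245a0e765d9dbfbdb02ce rt=1526962648340 start=1526962648340 "
    "end=1526962648340 msg=Log on suser=yanlong@shashiaccelops.onmicrosoft.com "
    "destinationServiceName=Microsoft Azure dvc=43.254.220.13 "
    "requestClientApplication=;Windows 10;Edge 17.17134; cs1Label=portalURL "
    "cs1=https://shashiaccelops.us2.portal.cloudappsecurity.com/#/audits?"
    "activity.id\\=eq(70e988af3b82e19b872d12a91860d300d968f47e0bb245a0e765d9dbfbdb02ce,) "
    "cs2Label=uniqueServiceAppIds cs2=APPID_AZURE cs3Label=targetObjects "
    "cs3=Azure Portal,yanlong,yanlong cs4Label=policyIDs cs4= "
    'c6a1Label="Device IPv6 Address" c6a1='
)
ATP_SAMPLE = (
    "02-21-2018 16:20:21 Auth.Warning 192.168.0.220 1 "
    "2018-02-21T14:20:06.156238+00:00 CENTER CEF 6076 LdapBruteForceSecurityAlert "
    "0|Microsoft|Azure ATP|2.22.4228.22540|LdapBruteForceSecurityAlert|"
    "Brute force attack using LDAP simple bind|5|start=2018-02-21T14:19:41.7422810Z "
    "app=Ldap suser=Wofford Thurston shost=CLIENT1 msg=A brute force attack using "
    "the Ldap protocol was attempted on Wofford Thurston (Software Engineer) from "
    "CLIENT1 (100 guess attempts). cnt=100 externalId=2004 cs1Label=url "
    "cs1=https://contoso-corp.atp.azure.com/securityAlert/57b8ac96-7907-49719b27-ec77ad8c029a"
)

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
PRI_RE = re.compile(r"^<(\d{1,3})>")       # RFC 5424 <PRI>, present when "Include PRI" is on
CEF_START_RE = re.compile(r"\d+\|")        # CEF version field; the "CEF:" prefix may be absent
HEADER_SEP_RE = re.compile(r"(?<!\\)\|")   # header pipes, skipping backslash-escaped ones
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")  # extension keys; "\=" in values is skipped


def unescape(value):
    # CEF escapes "=", "|" and "\" with a backslash; "\n" and "\r" stand for line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext):
    """Split the key=value extension; values may contain spaces, so each value
    runs up to the next whitespace-preceded key."""
    fields = {}
    keys = list(KEY_RE.finditer(ext))
    for i, key in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[key.end():end].strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':   # quoted label, e.g. "Device IPv6 Address"
            raw = raw[1:-1]
        fields[key.group(1)] = unescape(raw)
    # Fold csN/cnN/c6aN custom fields under the names their *Label companions give them.
    for key in list(fields):
        if key.endswith("Label") and key[:-5] in fields:
            fields[fields[key]] = fields[key[:-5]]
    return fields


def parse_cef_syslog(line):
    """Return one flat dict: syslog PRI (if any), the 7 CEF header fields, extensions."""
    event = {}
    pri = PRI_RE.match(line)
    if pri:   # PRI = facility*8 + severity, e.g. <109> -> facility 13 (audit), severity 5 (notice)
        event["syslog_facility"], event["syslog_severity"] = divmod(int(pri.group(1)), 8)
    start = CEF_START_RE.search(line)
    if start is None:
        raise ValueError("no CEF header in line")
    parts = HEADER_SEP_RE.split(line[start.start():], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header has fewer than 7 fields")
    for name, value in zip(HEADER_FIELDS, parts[:7]):
        event[name] = unescape(value)
    event["severity"] = int(event["severity"])
    event.update(parse_extension(parts[7]))
    return event


if __name__ == "__main__":
    for sample in (MCAS_SAMPLE, ATP_SAMPLE):
        ev = parse_cef_syslog(sample)
        print(f"{ev['vendor']}/{ev['product']} sev={ev['severity']} name={ev['name']!r} "
              f"user={ev.get('suser')} src={ev.get('dvc') or ev.get('shost')}")
```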

Microsoft Azure Compute
The purpose of this integration is to discover Virtual Machines running in Azure. It does not collect events or performance statistics.
Configuration
- Setup in Azure
- Setup in FortiSIEM

Setup in Azure
1. Log in to the Azure Portal.
2. Create an Azure Active Directory application:
   - Sign in to your Azure account through the Azure portal.
   - Select Azure Active Directory.
   - Select App registrations.
   - Select New registration.
3. Assign the application to a role:
   - Select Subscriptions on the Home page.
   - Select the particular subscription to assign your application to. This example uses Pay-As-You-Go; click Pay-As-You-Go to open it.
   - Copy the Subscription ID; it will be needed when defining the credential in FortiSIEM.
   - Select Access control (IAM).
   - Select Add role assignment.
   - Select Owner as the role to assign to the application, select the app that you created, and then click Save.
4. Get the values for the FortiSIEM credential:
   - Select Azure Active Directory.
   - From App registrations in Azure AD, select your application.
   - Copy the Application (client) ID and Directory (tenant) ID; they will be needed when defining the credential in FortiSIEM.
   - Select Certificates & secrets to generate a secret key.
5. Test:
   - Command: /opt/phoenix/bin/getAzureResourceVM.py {subscriptionId} {tenantId} {clientId} {client secret}
   - Example: /opt/phoenix/bin/getAzureResourceVM.py 7327432-1a83-4e02-a928-9032489032898a 05c94b87-da0c-4e11-be1d-789234789432 068863e4-c2fa-48df-8f33-79823478932 jh23hjkb324ugih32hujdsdsvqeP]]'
Setup in FortiSIEM
Follow these steps in the FortiSIEM UI:
1. Create a new credential. Make sure to select Azure Resource SDK as the Access Protocol.
2. Define a credential.
3. Create a Discovery Definition.
4. The CMDB should then be populated.


Microsoft Azure Event Hub
FortiSIEM uses the Azure Python SDK to integrate logs from the event hub to perform comprehensive security analysis. Azure Log Integration simplifies the task of integrating Azure logs with your on-premises SIEM system. The recommended method for integrating Azure logs is to stream the logs into event hubs via the Azure Monitor. FortiSIEM provides a connector to further integrate logs from the event hub into the SIEM.
Azure produces extensive logging for each Azure service. The logs represent these log types:
- Control/management logs: Provide visibility into the Azure Resource Manager CREATE, UPDATE, and DELETE operations. An Azure activity log is an example of this type of log.
- Data plane logs: Provide visibility into events that are raised when you use an Azure resource. An example of this type of log is the Windows Event Viewer's System, Security, and Application channels in a Windows virtual machine. Another example is Azure Diagnostics logging, which you configure through Azure Monitor.
- Processed events: Provide analyzed event and alert information that is processed for you. An example of this type of event is Azure Security Center alerts. Azure Security Center processes and analyzes your subscription to provide alerts that are relevant to your current security posture.
For more information on how to stream any type of log to an event hub, see:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/stream-monitoring-data-event-hubs
- What is Discovered and Monitored
- Event Types
- Reports
- Rules
- Configuration in Azure
- Configuration in FortiSIEM
- Sample Events

What is Discovered and Monitored

Protocol: Azure Python SDK
Information Discovered: None
Information Collected: Audit Logs
Used For: Security Monitoring

Event Types
No defined event types.
Reports
No defined reports.
Rules
No defined rules.

Configuration in Azure
Create an Event Hub Namespace and Event Hub
Complete these steps in the Azure Portal:
Step 1: Create a Resource Group in Azure
A resource group is a logical collection of Azure resources. All resources are deployed and managed in a resource group. To create a resource group:
1. Log in to the Azure portal: https://portal.azure.com/.
2. Click Resource groups in the left navigation pane.
3. Click Add.
4. For Subscription, select the name of the Azure subscription in which you want to create the resource group.
5. Enter a unique name for the resource group. The system immediately checks whether the name is available in the currently selected Azure subscription.
6. Select a Region for the resource group.
7. Click Review + Create.
8. Click Create on the Review + Create page.
Note: In the example used in Step 2, a Resource Group called fsm1 was created.

Step 2: Create an Event Hub Namespace
An Event Hub namespace provides a unique scoping container, referenced by its fully qualified domain name, in which you create one or more event hubs. To create a namespace in your resource group using the portal, complete the following steps:
1. In the Azure portal, click Create a resource at the top left of the screen.
2. In the Search the Marketplace text box, search for Event Hubs (or select All services in the left menu and select the star (*) next to Event Hubs), and then click the Create button in the ANALYTICS category.
3. On the Create namespace page, complete the following steps:
   a. Enter a name for the namespace. The system immediately checks whether the name is available.
   b. Choose the pricing tier (Basic or Standard).
   c. Select the subscription in which you want to create the namespace.
   d. Select a location for the namespace.
   e. Click Create. You may have to wait a few minutes for the system to fully provision the resources.
4. Refresh the Event Hubs page to see the event hub namespace. You can check the status of the event hub creation in the alerts.
5. Select the namespace. You see the home page for your Event Hubs Namespace in the portal.

Step 3: Create an Event Hub
To create an event hub within the namespace, follow these steps:
1. In the Event Hubs Namespace page, click Event Hubs in the left menu.
2. At the top of the window, click + Event Hub.
3. Enter a name for your event hub, then click Create.
4. You can check the status of the event hub creation in alerts. After the event hub is created, you see it in the list of event hubs.

Step 4: Configure an Event Hub Namespace
1. Select an event hub namespace and go to Shared access policies, and then click +Add. Enter the Policy name, check the Manage box, and then click Create.
2. Select one of the Shared Access policies just created.
3. The Azure Python SDK needs the SAS Policy name (defined in step 4.1) and the Primary key when creating the credential in FortiSIEM. Copy the primary key and policy name to a text editor for later use.
   Note: When the event hub namespace is created, Azure also creates a default Shared Access Policy named RootManageSharedAccessKey.
4. Select an event hub namespace and go to Event Hubs.
5. Select an event hub and go to Consumer group. You can click +Consumer group or use the default group name $default.
   Note: If you have selected Basic (1 Consumer Group), then there will be no option to add another Consumer group.
Configuration in FortiSIEM
Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box:

   Setting: Description
   Name: Enter a name for the credential
   Device Type: Microsoft Azure Event Hub
   Access Protocol: AZURE PYTHON SDK
   Pull Interval: The interval at which FortiSIEM pulls events from the Azure Event Hub. Default is 5 minutes.
   Event Hub Namespace: The name of the Azure event hub namespace
   Event Hub Name: The name of the Azure event hub
   SAS Policy Name: Shared Access (SAS) Policy Name
   Primary Key: The primary key of the SAS policy
   Consumer Group: The name of the consumer group
   Description: Description of the device

   Based on the example screenshots, this is the configuration in FortiSIEM:

3. In Step 2: Enter IP Range to Credential Associations:
   a. Select the name of your Azure event hub credential from the Credentials drop-down list.
   b. Enter a host name, an IP, or an IP range in the IP/Host Name field. For this integration, enter azure.com.
   c. Click Save.
4. Click Test to test the connection to the Azure event hub.
5. To see the jobs associated with Azure, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter Azure in the search box.
Note: Azure services must be configured to write to the Event Hub before there are any events to be collected.
Sample Events
{"records": [
  {"count": 0, "total": 0, "minimum": 0, "maximum": 0, "average": 0, "resourceId": "/SUBSCRIPTIONS/3ED4EE1C-1A83-4E02-A928-7FF5E0008E8A/RESOURCEGROUPS/ANDY_TEST/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/FORTISIEMEVENTHUB", "time": "2019-02-21T05:21:00.0000000Z", "metricName": "EHAMBS", "timeGrain": "PT1M"},
  {"count": 0, "total": 0, "minimum": 0, "maximum": 0, "average": 0, "resourceId": "/SUBSCRIPTIONS/3ED4EE1C-1A83-4E02-A928-7FF5E0008E8A/RESOURCEGROUPS/ANDY_TEST/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/FORTISIEMEVENTHUB", "time": "2019-02-21T05:22:00.0000000Z", "metricName": "EHAMBS", "timeGrain": "PT1M"},
  {"count": 0, "total": 0, "minimum": 0, "maximum": 0, "average": 0, "resourceId": "/SUBSCRIPTIONS/3ED4EE1C-1A83-4E02-A928-7FF5E0008E8A/RESOURCEGROUPS/ANDY_TEST/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/FORTISIEMEVENTHUB", "time": "2019-02-21T05:23:00.0000000Z", "metricName": "EHAMBS", "timeGrain": "PT1M"},
  {"count": 0, "total": 0, "minimum": 0, "maximum": 0, "average": 0, "resourceId": "/SUBSCRIPTIONS/3ED4EE1C-1A83-4E02-A928-7FF5E0008E8A/RESOURCEGROUPS/ANDY_TEST/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/FORTISIEMEVENTHUB", "time": "2019-02-21T05:24:00.0000000Z", "metricName": "EHAMBS", "timeGrain": "PT1M"}
]}


Microsoft Windows Defender Advanced Threat Protection (ATP)
- Integration points
- Configuring Windows Defender for FortiSIEM REST API Access
- Configuring FortiSIEM for Windows Defender ATP REST API Access

Integration points

Protocol: Windows Defender ATP REST API
Information Discovered: (none)
Used For: Security and Compliance

Configuring Windows Defender for FortiSIEM REST API Access
Microsoft provides ample documentation for this integration. Follow the steps specified in 'Enabling SIEM integration', repeated here:
1. Log in to Windows Defender Center.
2. Go to Settings > SIEM.
3. Select Enable SIEM integration.
4. Choose Generic API.
5. Click Save Details to File.
6. Click Generate Tokens.
Configuring FortiSIEM for Windows Defender ATP REST API Access
Use the account from the previous step to enable FortiSIEM access.
1. Log in to FortiSIEM.
2. Go to ADMIN > Setup > Credentials.
3. Click New to create a Windows Defender REST API credential:
   a. Choose Device Type = Microsoft Windows Defender ATP (Vendor = Microsoft, Model = Windows Defender ATP).
   b. Choose Access Protocol = Windows Defender ATP Alert REST API.
   c. Enter the Tenant ID for the credential created in the previous section.
   d. Password Config: for Manual, enter the Client ID and Client Secret for the credential created in the previous section. For CyberArk, see CyberArk Password Configuration.
   e. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
   f. Click Save.
4. Enter an IP Range to Credential Association:
   a. Set Hostname to wdatp-alertexporter-us.windows.com.
   b. Select the Credential created in step 3 above.
   c. Click Save.
5. Select the entry in step 4 and click Test Connectivity. If it succeeds, then the credential is correct.
6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Windows Defender Center using the REST API.

To test for events received via the Windows Defender ATP REST API:
1. Go to ADMIN > Setup > Pull Events.
2. Select the Windows Defender ATP entry and click Report. The system will take you to the Analytics tab and run a query to display the events received from Windows Defender Center in the last 15 minutes. You can modify the time interval to get more events.


Okta
FortiSIEM can integrate with Okta as a single sign-on service for FortiSIEM users, discover Okta users and import them into the CMDB, and collect audit logs from Okta. See Setting Up External Authentication for information on configuring Okta as a single sign-on service, and Adding Users from Okta for discovering users and associating them with the Okta authentication profile. Once you have discovered Okta users, FortiSIEM will begin to monitor Okta events.
- What is Discovered and Monitored
- Configuration
- Access Credentials in FortiSIEM
- Sample Okta Event
- Adding Users from Okta
- Configuring Okta Authentication
- Logging In to Okta
- Setting Up External Authentication

What is Discovered and Monitored

Protocol: Okta API
Information Discovered: (none)
Metrics Collected: (none)
Used For: (none)

Event Types
In ADMIN > Device Support > Event, search for "okta" in the Device Type column to see the event types associated with this device.

Configuration
- In Okta Administration -> Security -> API, create a Token. Note that tokens generated by this mechanism have the permissions of the user who generated them.
- Tokens are valid for 30 days and automatically refresh with each API call. Tokens that are not used for 30 days will expire. The token lifetime is currently fixed and cannot be changed.

Access Credentials in FortiSIEM

Setting: Value
Name: <name>
Device Type: OKTA.com OKTA
Access Protocol: OKTA API
Pull Interval: 5
Domain: The name of your OKTA domain
Security Token: The token that has been created in Okta
Organization: Select an organization from the drop-down list.

Sample Okta Event
Mon Jul 21 15:50:26 2014 FortiSIEM-Okta [action/message]=Sign-in successful [action/objectType]=core.user_auth.login_success [action/requestUri]=/login/do-login [actors/0/displayName]=CHROME [actors/0/id]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 [actors/0/ipAddress]=211.144.207.10 [actors/0/login]=YaXin.Hu@accelops.com [actors/0/objectType]=Client [eventId]=tev-UlpTnWJRI2vXNRKTJHE4A1405928963000 [eventName]=USER-AUTH-LOGIN-SUCCESS [published]=2014-07-21T07:49:23.000Z [requestId]=U8zGA0zxVNXabfCeka9oGAAAA [sessionId]=s024bi4GPUkRaegPXuA1IFEDQ [targets/0/displayName]=a_name [targets/0/id]=00uvdkhrxcPNGYWISAGK [targets/0/login]=a_name@doamin.com [targets/0/objectType]=User
Adding Users from Okta
- Create an Okta API Token
- Create Login Credentials and Associate Them with an IP Address
- Discover Okta Users

Create an Okta API Token
1. Log in to Okta using your Okta credentials.
2. Go to Administration > Security > API Tokens.
3. Click Create Token.
You will use this token when you set up the Okta login credentials in the next section. Note that this token will have the same permissions as the person who generated it.

Create Login Credentials and Associate Them with an IP Address
1. Log in to your Supervisor node.
2. Go to ADMIN > Setup > Credentials.
3. Enter a Name.
4. For Device Type, select Okta.com.
5. For Access Protocol, select Okta API.
6. Enter the NetBIOS/Domain associated with your Okta account. For example, FortiSIEM.okta.com.
7. For Pull Interval, enter how often, in minutes, you want FortiSIEM to pull information from Okta.
8. Enter and reconfirm the Security Token you created.
9. Click Save.
Your Okta credentials will be added to the list of Credentials.
10. Under Enter IP Range to Credential Associations, click Add.
11. Select your Okta credentials from the list of Credentials.
12. Enter the IP range or host name for your Okta account.
13. Click OK.
Your Okta credentials will appear in the list of credential/IP address associations.
14. Click Test Connectivity to make sure you can connect to the Okta server.

Discover Okta Users
If the number of users is less than 200, then Test Connectivity will discover all the users.
The Okta API has restrictions that do not allow FortiSIEM to pull more than 200 users. In this case, follow these steps:
1. Log in to Okta.
2. Download the user list CSV file (OktaPasswordHealth.csv) from Admin > Reports > Okta Password Health.
3. Rename the CSV file to all_user_list_%s.csv, where %s is the placeholder for the token obtained in Create an Okta API Token, Step 3 (for example, all_user_list_00UbCrgrU9b1Uab0cHCuup-5h6Hi9ItokVDH8nRRT.csv). Because the file name carries the API token, treat the file and its directory as a secret.
4. Log in to the FortiSIEM Supervisor node:
   a. Upload the CSV file all_user_list_%s.csv to the directory /opt/phoenix/config/okta/.
   b. Make sure the owner and group are admin (run "chown -R admin:admin /opt/phoenix/config/okta/").
   c. Go to ADMIN > Setup > Enter IP Range to Credential Associations. Select the Okta entry and run Test Connectivity to import all users.

Configuring Okta Authentication

To use Okta authentication for your FortiSIEM deployment, you must set up a SAML 2.0 Application in Okta, and then use the certificate associated with that application when you configure external authentication.
1. Log in to Okta.
2. In the Applications tab, create a new application using Template SAML 2.0 App.
3. Under Settings, configure the settings similar to the table below:

   Setting: Value
   Application label: FortiSIEM Demo
   Force Authentication: Enable
   Post Back URL: https://<FortiSIEMIP>/phoenix/okta
   Name ID Format: EmailAddress
   Recipient: FortiSIEM
   Audience Restriction: Super
   authnContextClassRef: PasswordProtectedTransport
   Response: Signed
   Assertion: Signed
   Request: Uncompressed
   Destination: https://<FortiSIEMIP>/phoenix/okta

4. Click Save.
5. In the Sign On tab, click View Setup Instructions.
6. Click Download Certificate.
7. Enter the downloaded certificate for Okta authentication.

Logging In to Okta
Follow these steps to log in to Okta from the Okta domain https://fortinetfsm.okta.com. You cannot log into Okta from the FortiSIEM UI.
1. Create a new Okta account from https://www.okta.com/ or log in to an existing account, using the domain fortinetfsm.okta.com.
2. Configure users for the account, for example, testone@fortinet.com, testtwo@fortinet.com, and so on. See Adding Users From Okta and Create Login Credentials and Associate Them with an IP Address.
3. Discover the Okta users to ensure that you have users to test. See Discover Okta Users.
4. Create a SAML authentication configuration from Okta based on the OKTA SAML 2.0 template. See Configuring Okta Authentication.
5. Associate the users (for example, testone@fortinet.com and testtwo@fortinet.com) to the external profile in CMDB > Users.
6. Log in to the Okta domain https://fortinetfsm.okta.com as one of the users you defined in Step 2.
7. Click the SAML configuration application in Okta (see Configuring Okta Authentication). You can now log in to Okta.

Setting Up External Authentication
You have three options for setting up external authentication for your FortiSIEM deployment: LDAP, RADIUS, and Okta.
Multiple Authentication Profiles
If more than one authentication profile is associated with a user, then the servers are contacted one by one until a connection to one of them succeeds. Once a server has been contacted, if the authentication fails, the process ends and the user is notified that the authentication failed.
1. Log in to your Supervisor node.
2. Go to Admin > General Settings > External Authentication.
3. Click Add.
4. If you are setting up authentication for an organization within a multi-tenant deployment, select the Organization.
5. Select the Protocol.
6. Complete the protocol settings:

   Protocol: User-Defined Settings
   LDAP: Access IP. Select Set DN Pattern to open a text field in which you can enter the DN pattern if you want to override the discovered pattern, or if you want to add a specific LDAP user.
   RADIUS: Access IP, Shared Secret. Select CHAP if you are using encrypted authentication to your RADIUS server. See also Juniper Networks Steel-Belted RADIUS.
   Okta: Certificate. See Configuring Okta Authentication for more information.

7. Click Test, and then enter credentials associated with the protocol you selected to make sure users can authenticate to your deployment.


Salesforce CRM Audit
- What is Discovered and Monitored
- Event Types
- Reports
- Configuration
- Sample Events for Salesforce Audit

What is Discovered and Monitored

Protocol: Salesforce API
Logs Collected: Successful/Failed Login, API Query Activity, Dashboard Activity, Opportunity Activity, Report Export Activity, Report Activity, Document Download Activity
Used For: Security Monitoring

Event Types
In ADMIN > Device Support > Event Types, search for "Salesforce Audit" in the Search field to see the event types associated with this device.
Reports
There are many reports defined in RESOURCES > Reports > Device > Application > CRM:
- Salesforce Failed Logon Activity
- Salesforce Successful Logon Activity
- Top Browsers By Failed Login Count
- Top Browsers By Successful Login Count
- Top Salesforce Users By Failed Login Count
- Top Salesforce Users By Successful Login Count
- Top Successful Salesforce REST API Queries By Count, Run Time
- Top Failed Salesforce Failed REST API Queries By Count, Run Time
- Top Salesforce API Queries By Count, Run Time
- Top Salesforce Apex Executions By Count, Run Time
- Top Salesforce Dashboards Views By Count
- Top Salesforce Document Downloads By Count
- Top Salesforce Opportunity Reports By Count
- Top Salesforce Report Exports By Count
- Top Salesforce Reports By Count, Run Time
- Top Salesforce Events


Configuration

- Salesforce Configuration
- Define Salesforce Audit Credential in FortiSIEM
- Create IP Range to Credential Association and Test Connectivity

Salesforce Configuration

Salesforce stores events in a SQL database; FortiSIEM pulls the following events from the tables EventLogFile, LoginHistory, User, Dashboard, Opportunity and Report through SQL commands.
If you get an error about missing columns, make sure your administrator has enabled Set History Tracking for the missing columns in the tables.
For more information on how to enable Set History Tracking, refer to https://help.salesforce.com/articleView?id=sf.updating_picklists.htm&type=5
The required columns are listed in this table.

Event: Required Columns
EventLogFile: Id, EventType, LogFile, LogDate, LogFileLength, LastModifiedDate, LastModifiedDate
LoginHistory: Id, UserId, LoginTime, Browser, Platform, Status, SourceIp, LoginTime, LoginTime
Dashboard: Id, Description, DeveloperName, FolderName, Title, LastModifiedDate, LastModifiedDate, LastModifiedDate
Opportunity: Id, Amount, CloseDate, Name, OwnerId, Type, LastModifiedDate, LastModifiedDate, LastModifiedDate
Report: Id, Name
User: Id, Username

For example, if Type in Opportunity is not enabled in Set History Tracking, FortiSIEM will fail to get events in Opportunity.
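A preflight check for the required-columns table above, as an added Python example rather than FortiSIEM's own query logic: it builds the SELECT for each object from the table and reports the columns an org does not expose, the situation behind the "missing columns" error described above. The per-object timestamp column used for the optional incremental filter is an assumption read off the repeated column in the table, and the describe result is constructed.

```python
"""Preflight for the Salesforce objects FortiSIEM Salesforce Audit pulls."""

# Required columns per object, read from the table above (each column once).
REQUIRED_COLUMNS = {
    "EventLogFile": ["Id", "EventType", "LogFile", "LogDate", "LogFileLength", "LastModifiedDate"],
    "LoginHistory": ["Id", "UserId", "LoginTime", "Browser", "Platform", "Status", "SourceIp"],
    "Dashboard": ["Id", "Description", "DeveloperName", "FolderName", "Title", "LastModifiedDate"],
    "Opportunity": ["Id", "Amount", "CloseDate", "Name", "OwnerId", "Type", "LastModifiedDate"],
    "Report": ["Id", "Name"],
    "User": ["Id", "Username"],
}

# Assumption: the column the table repeats is the timestamp used for
# incremental pulls; Report and User have none.
TIME_COLUMN = {
    "EventLogFile": "LastModifiedDate",
    "LoginHistory": "LoginTime",
    "Dashboard": "LastModifiedDate",
    "Opportunity": "LastModifiedDate",
}

# Constructed stand-in for a describe result: the field names each object
# exposes in a hypothetical org. Dashboard lacks FolderName and Opportunity
# lacks Type, which is the case the page's error message describes.
SAMPLE_DESCRIBE = {
    "EventLogFile": ["Id", "EventType", "LogFile", "LogDate", "LogFileLength", "LastModifiedDate", "CreatedDate"],
    "LoginHistory": ["Id", "UserId", "LoginTime", "Browser", "Platform", "Status", "SourceIp", "Application"],
    "Dashboard": ["Id", "Description", "DeveloperName", "Title", "LastModifiedDate"],
    "Opportunity": ["Id", "Amount", "CloseDate", "Name", "OwnerId", "LastModifiedDate", "StageName"],
    "Report": ["Id", "Name", "Format"],
    "User": ["Id", "Username", "Email"],
}


def build_soql(sobject, since=None):
    """SELECT over the required columns. `since` is a SOQL datetime literal
    (unquoted, e.g. 2019-02-21T00:00:00Z) applied to the object's time column."""
    columns = REQUIRED_COLUMNS[sobject]   # KeyError for objects FortiSIEM does not pull
    query = f"SELECT {', '.join(columns)} FROM {sobject}"
    if since is not None and sobject in TIME_COLUMN:
        query += f" WHERE {TIME_COLUMN[sobject]} > {since}"
    return query


def missing_columns(describe):
    """Map each object to the required columns the org does not expose.
    `describe` maps object name -> iterable of exposed field names; an object
    absent from it counts as missing every required column."""
    missing = {}
    for sobject, required in REQUIRED_COLUMNS.items():
        exposed = set(describe.get(sobject, ()))
        gap = [column for column in required if column not in exposed]
        if gap:
            missing[sobject] = gap
    return missing


if __name__ == "__main__":
    for sobject, gap in missing_columns(SAMPLE_DESCRIBE).items():
        print(f"{sobject}: enable Set History Tracking for {', '.join(gap)} before pulling")
    print(build_soql("Opportunity", "2019-02-21T00:00:00Z"))
```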


Define Salesforce Audit Credential in FortiSIEM

Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box and click Save:

   Setting: Description
   Name: Enter a name for the credential
   Device Type: Salesforce Salesforce Audit
   Access Protocol: Salesforce API
   Pull Interval: 5 minutes
   Timeout: 30 seconds
   Password config: See Password Configuration
   User Name: User name for device access
   Password: Password for device access
   Security Token: Security token
   Description: Description of the device.

Create IP Range to Credential Association and Test Connectivity
From the FortiSIEM Supervisor node, take the following steps (From ADMIN > Setup > Credentials).

1. In Step 2: Enter IP Range to Credential Associations, click New.
   a. Enter "login.salesforce.com" in the IP/Host Name field.
   b. Select the name of the credential created in "Define Salesforce Audit Credential in FortiSIEM" from the Credentials drop-down list.
   c. Click Save.
2. Select the entry just created, click the Test drop-down list and select Test Connectivity without Ping. A pop-up will appear and show the Test Connectivity results.
3. Go to ADMIN > Setup > Pull Events and make sure an entry is created for Salesforce Audit Log Collection.
Sample Events for Salesforce Audit
[Salesforce_Activity_Perf]:[activityType]=API,[activityName]=get_user_info,[srcIpAddr]=23.23.13.166,[user]=huiping.hp@gmail.com,[deviceTime]=1458112097,[isSuccess]=false,[runTime]=31,[cpuTime]=9,[dbTime]=19434051,[infoURL]=Api

Console Access Devices
FortiSIEM supports this console access device for discovery and monitoring.
• Lantronix SLC Console Manager

Lantronix SLC Console Manager

What is Discovered and Monitored

Protocol: Syslog
Information discovered: -
Metrics/Logs collected: Admin access, Updates, Commands run
Used for: Log analysis and compliance

Event Types
Around 10 event types are generated by parsing Lantronix SLC logs. The complete list can be found in ADMIN > Device Support > Event by searching for Lantronix-SLC. Some important ones are:
• Lantronix-SLC-RunCmd
• Lantronix-SLC-Update
• Lantronix-SLC-User-Logon-Success
Configuration
FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
Example Syslog
<174>xmsd: gen/info-Syslog server changed to 10.4.3.37
<38>xwsd[32415]: auth/info-Web Authentication Success for user andbr003

End Point Security Software
The following anti-virus and host security (HIPS) applications are supported for discovery and monitoring by FortiSIEM.
• Bit9 Security Platform
• Carbon Black Security Platform
• Cisco AMP Cloud V0
• Cisco AMP Cloud V1
• Cisco Security Agent (CSA)
• CloudPassage Halo
• CrowdStrike
• Digital Guardian CodeGreen DLP
• ESET NOD32 Anti-Virus
• FortiClient
• Fortinet FortiEDR
• Malwarebytes Endpoint Protection
• McAfee ePolicy Orchestrator (ePO)
• MobileIron Sentry and Connector
• Netwrix Auditor
• Palo Alto Traps Endpoint Security Manager
• SentinelOne
• Sophos Central
• Sophos Endpoint Security and Control
• Symantec Endpoint Protection
• Symantec SEPM
• Tanium Connect
• Trend Micro Interscan Web Filter
• Trend Micro Intrusion Defense Firewall (IDF)
• Trend Micro OfficeScan

Bit9 Security Platform
• What is Discovered and Monitored
• Bit9 Configuration

What is Discovered and Monitored

Protocol: Syslog
Information Discovered: -
Metrics Collected: Logs
Used For: Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "Bit9" in the Device Type columns to see the event types associated with this device.
Rules
• Bit9 Agent Uninstalled or File Tracking Disabled
• Bit9 Fatal Errors
• Blocked File Execution
• Unapproved File Execution
Reports
• Bit9 Account Group Changes
• Bit9 Fatal and Warnings Issues
• Bit9 Functionality Stopped
• Bit9 Security Configuration Downgrades
Bit9 Configuration
Syslog
FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM on port 514.
Sample Syslog
<14>1 2015-04-06T16:24:02Z server1.foo.com - - - - Bit9 event: text="Server discovered new file 'c:\usersacct\appdata\local\temp\3cziegdd.dll' [361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f]." type="Discovery" subtype="New file on network" hostname="SVR123" username="SVR123\acct" date="4/6/2015 4:22:52 PM" ip_address="10.168.1.1" process="c:\abc\infrastructure\bin\scannerreset.exe" file_path="c:\users\acct\appdata\local\temp\3cziegdd.dll" file_name="3cziegdd.dll" file_hash="361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f" installer_name="csc.exe" policy="High Enforce" process_key="00000000-0000-1258-01d0-7085edb50080" server_version="7.2.0.1395" file_trust="-2" file_threat="-2" process_trust="-1" process_threat="-1"
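Parsing the message shape shown above, as an added example (this is not code from the guide, from Bit9 or from Fortinet): the RFC 5424 header is split into its fixed fields, and the key="value" pairs that follow the vendor prefix are collected into a dictionary, with the trust/threat fields typed as integers and the vendor's local "date" parsed. The sample line is constructed for this example; the Carbon Black Protection standard syslog in the next section has the same layout and parses the same way. The subtype test in is_block_event is an assumption about how block events are worded, not a documented Bit9 value.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the Bit9 / Carbon Black Protection syslog
# above: RFC 5424 header, vendor prefix, then key="value" pairs. Host, user,
# path and hash are made up.
SAMPLE = (
    '<14>1 2015-04-06T16:24:02Z server1.example.com - - - - Bit9 event: '
    'text="Server blocked execution of \'c:\\temp\\unapproved.exe\'." '
    'type="Policy Enforcement" subtype="Execution block (unapproved file)" '
    'hostname="SVR123" username="SVR123\\acct" date="4/6/2015 4:22:52 PM" '
    'ip_address="10.168.1.1" process="c:\\temp\\unapproved.exe" '
    'file_path="c:\\temp\\unapproved.exe" file_name="unapproved.exe" '
    'file_hash="' + 'ab' * 32 + '" policy="High Enforce" '
    'file_trust="-2" file_threat="-2" process_trust="-1" process_threat="-1"'
)

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$', re.DOTALL)
# Values are double-quoted and never contain a double quote; backslashes in
# Windows paths are literal, so no escape processing is applied.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
INT_FIELDS = ('file_trust', 'file_threat', 'process_trust', 'process_threat')


def parse_event(line):
    """Return a flat dict for one Bit9-style syslog line."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an RFC 5424 syslog line')
    pri = int(m.group('pri'))
    ev = {
        'facility': pri // 8,          # <14> -> facility 1 (user), severity 6 (info)
        'severity': pri % 8,
        'reporter': m.group('host'),   # the server that emitted the line
        'received': m.group('ts'),
    }
    msg = m.group('msg')
    first = KV_RE.search(msg)
    if first is None:
        raise ValueError('no key="value" pairs in message')
    ev['vendor_prefix'] = msg[:first.start()].rstrip(': ')
    ev.update(KV_RE.findall(msg))
    for key in INT_FIELDS:
        if key in ev:
            ev[key] = int(ev[key])
    # The vendor "date" field is the endpoint's local time in US format.
    if 'date' in ev:
        ev['event_time'] = datetime.strptime(ev['date'], '%m/%d/%Y %I:%M:%S %p')
    return ev


def is_block_event(ev):
    """True when the subtype says the agent blocked something (assumed wording)."""
    return 'block' in ev.get('subtype', '').lower()
```

The two timestamps are deliberately kept apart: received is the syslog header time in UTC, event_time is the endpoint's local time with no zone, and correlating across agents needs the former.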

Carbon Black Security Platform
• What is Discovered and Monitored
• Carbon Black Configuration

What is Discovered and Monitored

Protocol: Syslog
Information Discovered: -
Metrics Collected: Logs
Used For: Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "Carbon Black" in the Device Type columns to see the event types associated with this device.
Rules
• Carbon Black Agent Uninstalled or File Tracking Disabled
• Carbon Black Fatal Errors
• Blocked File Execution
• Unapproved File Execution
Reports
• Carbon Black Account Group Changes
• Carbon Black Fatal and Warnings Issues
• Carbon Black Functionality Stopped
• Carbon Black Security Configuration Downgrades
Carbon Black Configuration
Syslog
FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM on port 514. CEF formatted logs are also supported.
Sample Syslog
Standard Syslog:
<14>1 2015-04-06T16:24:02Z server1.foo.com - - - - Carbon Black event: text="Server discovered new file 'c:\usersacct\appdata\local\temp\3cziegdd.dll' [361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f]." type="Discovery" subtype="New file on network" hostname="SVR123" username="SVR123\acct" date="4/6/2015 4:22:52 PM" ip_address="10.168.1.1" process="c:\abc\infrastructure\bin\scannerreset.exe" file_path="c:\users\acct\appdata\local\temp\3cziegdd.dll" file_name="3cziegdd.dll" file_hash="361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f" installer_name="csc.exe" policy="High Enforce" process_key="00000000-0000-1258-01d0-7085edb50080" server_version="7.2.0.1395" file_trust="-2" file_threat="-2" process_trust="-1" process_threat="-1"
CEF Formatted Syslog:
<14>May 06 13:28:09 host1 CEF:0|Carbon Black|Protection|8.0.0.2562|809|Report write (custom rule)|4|externalId=649219 cat=Policy Enforcement start=May 06 13:27:41 UTC rt=May 06 13:28:02 UTC filePath=c:\\windows\\system32\\perfdisk.dll fname=perfdisk.dll fileHash=60b8a55c0f3228b18d918a3fd6684c401442f6447f2cec5dad9860a8c1d6462c fileId=39126 deviceProcessName="C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.14.17639.180410\\MsMDEV.exe" dst=172.30.31.13 dhost=EXAMPLE\\DC01 duser=NT AUTHORITY\\SYSTEM dvchost=cbprotection msg='c:\\windows\\system32\\perfdisk.dll' was created by 'NT AUTHORITY\\SYSTEM'. sproc=00000000-0000-15b8-01d3-dd191e70c6d3 cs1Label=rootHash cs1=e1c32fca51d86aad28c2dd13ec427eccd03f9d6900f8f1fe90b99f85550a8a98 cs2Label=installerFilename cs2=msi669d.tmp cs3Label=Policy cs3=Domain Controllers cs5Label=ruleName cs5=[File Integrity Monitoring] Changes to system files cfp1Label=fileTrust cfp1=10 flexString1Label=fileThreat flexString1=0 - Clean cfp2Label=processTrust cfp2=10 flexString2Label=processThreat flexString2=0 - Clean
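A CEF parser for the second format, as an added example (not code from the guide, from Carbon Black or from Fortinet); it also applies to the CEF syslog that the Digital Guardian CodeGreen DLP section later says it emits. The seven pipe-delimited header fields are split while honouring the CEF escapes (\| and \\ in the header; \\, \= and \r \n in the extension), the extension is cut into key=value pairs at each "space followed by key=", and the custom fields (cs1, cfp1, flexString1 and so on) are resolved to the names given by their sibling Label keys, so a rule can refer to rootHash or ruleName instead of cs1 or cs5. The sample line is constructed; hashes, hosts and IDs are made up.

```python
import re

# Constructed sample in the shape of the Carbon Black CEF syslog above. Hashes,
# hosts and IDs are made up; the header name carries an escaped pipe and the
# extension carries escaped backslashes and an escaped '=' to exercise unescaping.
SAMPLE = (
    '<14>May 06 13:28:09 host1 CEF:0|Carbon Black|Protection|8.0.0.2562|809|'
    'Report write (custom rule) \\| FIM|4|externalId=649219 cat=Policy Enforcement '
    'start=May 06 13:27:41 UTC rt=May 06 13:28:02 UTC '
    'filePath=c:\\\\windows\\\\system32\\\\perfdisk.dll fname=perfdisk.dll '
    'fileHash=' + '00' * 32 + ' dst=192.0.2.13 dhost=EXAMPLE\\\\DC01 '
    'duser=NT AUTHORITY\\\\SYSTEM dvchost=cbprotection '
    "msg='c:\\\\windows\\\\system32\\\\perfdisk.dll' was created by 'NT AUTHORITY\\\\SYSTEM'. "
    'cs1Label=rootHash cs1=' + '11' * 32 + ' cs3Label=Policy cs3=Domain Controllers '
    'cs5Label=ruleName cs5=[File Integrity Monitoring] Changes to system files '
    'cfp1Label=fileTrust cfp1=10 flexString1Label=fileThreat flexString1=0 - Clean '
    'cs6Label=note cs6=a\\=b'
)

HEADER_FIELDS = ('version', 'device_vendor', 'device_product', 'device_version',
                 'signature_id', 'name', 'severity')
# An extension key sits after a space and looks like key=; values may contain
# spaces, so this is the only reliable place to cut (a value that itself holds
# " word=" is ambiguous in CEF and would be cut too).
EXT_KEY_RE = re.compile(r' (?=[A-Za-z0-9_.]+=)')
EXT_ESCAPES = {'\\': '\\', '=': '=', 'r': '\r', 'n': '\n'}


def _split_header(s):
    """Split the seven pipe-delimited header fields; a backslash escapes the next char."""
    fields, cur, i = [], [], 0
    while i < len(s) and len(fields) < 7:
        c = s[i]
        if c == '\\' and i + 1 < len(s):      # \| or \\ : keep the escaped char
            cur.append(s[i + 1])
            i += 2
        elif c == '|':
            fields.append(''.join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    return fields, s[i:]                      # remainder is the extension


def _unescape_ext(val):
    return re.sub(r'\\([\\=rn])', lambda m: EXT_ESCAPES[m.group(1)], val)


def parse_extension(ext):
    """key=value pairs; a space followed by key= starts the next pair."""
    out = {}
    for token in EXT_KEY_RE.split(ext.strip()):
        key, _, val = token.partition('=')
        out[key] = _unescape_ext(val)
    return out


def resolve_labels(ext):
    """Map CEF custom fields (cs1, cfp1, flexString1, ...) to their <field>Label names."""
    return {label: ext[key[:-5]] for key, label in ext.items()
            if key.endswith('Label') and key[:-5] in ext}


def parse_cef(line):
    idx = line.find('CEF:')
    if idx < 0:
        raise ValueError('no CEF header')
    header, ext = _split_header(line[idx:])
    if len(header) != 7:
        raise ValueError('truncated CEF header')
    ev = dict(zip(HEADER_FIELDS, header))
    ev['version'] = int(ev['version'][len('CEF:'):])
    ev['severity'] = int(ev['severity'])      # 0..10 in CEF
    ev['syslog_prefix'] = line[:idx].strip()  # whatever the syslog daemon prepended
    ev['ext'] = parse_extension(ext)
    ev['custom'] = resolve_labels(ev['ext'])
    return ev
```

Resolving the Label pairs matters for detection content: cs1 means rootHash for this product and something else for another CEF source, so rules keyed on the label survive a change of log source while rules keyed on cs1 do not.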

Cisco AMP Cloud V0
• What is Discovered and Monitored
• Configuration
• Sample Events

What is Discovered and Monitored

Protocol: CloudAMP API
Logs Collected: End point malware activity
Used For: Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "Cisco FireAMP Cloud" in the Search column to see the event types associated with this device.
Configuration
• Configure Cisco AMP Cloud V0
• Create Credentials in FortiSIEM
Configure Cisco AMP Cloud V0
1. Log in to https://auth.amp.cisco.com/.
2. Click Accounts > API Credentials.
3. Click New API Credential.
4. Input the Application name and click Create.
5. Record the API Client ID and API key. You will need them in a later step.

Create Credentials in FortiSIEM
1. Log in to the FortiSIEM Supervisor node.
2. Go to ADMIN > Setup > Credentials.
3. Click Add to create a new credential.
4. Set Device Type to Cisco FireAMP Cloud.
5. Set Password config to Manual.
6. Set Client ID to the CiscoAMP Client ID.
7. Set Client Secret to the CiscoAMP API Key.
8. Click Save.

Test Connectivity and Event Pulling
1. Log in to the FortiSIEM Supervisor node.
2. Go to ADMIN > Setup > IP to Credential Mapping.
3. Click Add to create a new mapping.
4. For Name/IP/IP Range, enter api.amp.cisco.com.
5. For Credentials, use the credentials you created in Create FireAMP credentials in FortiSIEM.
6. Click Save.
7. Go to Admin > Credentials, select the credential, and run Test Connectivity. The result is a success.
8. Go to Admin > Pull Events. An entry will appear in the Event Pulling table. That means events are being pulled.
9. Go to the Analytics page to see the events.

Sample Events
[FireAMP_Cloud_Threat_Detected]:[eventSeverity]=PHL_CRITICAL,[connectorGUID]=12345,[date]=2015-11-25T19:17:39+00:00,[detection]=W32.DFC.MalParent,[detectionId]=6159251516445163587,[eventId]=6159251516445163587,[eventType]=Threat Detected,[eventTypeId]=1090519054,[fileDispostion]=Malicious,[fileName]=rjtsbks.exe,[fileSHA256]=3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370,
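Reading the [EventType]:[attribute]=value notation that both this FireAMP sample and the Salesforce Audit sample earlier use, as an added example (not FortiSIEM code): the event type is taken from the leading bracket, each bracketed attribute is collected, the two timestamp styles seen in the samples (epoch seconds in deviceTime, ISO 8601 in date) are normalised to UTC, and a small triage rule flags the conditions the two samples illustrate. The sample strings are constructed; user, IP, file name and hash are made up. The attribute name fileDispostion is spelled as it appears in the sample above.

```python
import re
from datetime import datetime, timezone

# Constructed samples in the [EventType]:[attr]=value,... shape of the
# Salesforce Audit and Cisco FireAMP Cloud sample events above; user, IP,
# file name and hash are made up.
SALESFORCE = (
    '[Salesforce_Activity_Perf]:[activityType]=API,[activityName]=get_user_info,'
    '[srcIpAddr]=198.51.100.7,[user]=alice@example.com,[deviceTime]=1458112097,'
    '[isSuccess]=false,[runTime]=31,[cpuTime]=9,[dbTime]=19434051,[infoURL]=Api'
)
FIREAMP = (
    '[FireAMP_Cloud_Threat_Detected]:[eventSeverity]=PHL_CRITICAL,[connectorGUID]=12345,'
    '[date]=2015-11-25T19:17:39+00:00,[detection]=W32.DFC.MalParent,'
    '[eventType]=Threat Detected,[eventTypeId]=1090519054,[fileDispostion]=Malicious,'
    '[fileName]=sample.exe,[fileSHA256]=' + 'ab' * 32
)

TYPE_RE = re.compile(r'^\[(?P<type>[^\]]+)\]:(?P<body>.*)$', re.DOTALL)
# An attribute value runs to the next comma; the notation has no quoting, so a
# value containing a comma cannot be represented and is not handled here.
ATTR_RE = re.compile(r'\[(?P<k>[^\]]+)\]=(?P<v>[^,]*)')


def parse_fortisiem_event(text):
    """Return (event_type, attributes) for one [EventType]:[k]=v,... string."""
    m = TYPE_RE.match(text.strip())
    if not m:
        raise ValueError('missing [EventType]: prefix')
    attrs = {a.group('k'): a.group('v').strip() for a in ATTR_RE.finditer(m.group('body'))}
    return m.group('type'), attrs


def event_time(attrs):
    """Normalise the two timestamp styles seen above to an aware UTC datetime."""
    if 'deviceTime' in attrs:                      # epoch seconds
        return datetime.fromtimestamp(int(attrs['deviceTime']), tz=timezone.utc)
    if 'date' in attrs:                            # ISO 8601 with offset
        return datetime.fromisoformat(attrs['date']).astimezone(timezone.utc)
    return None


def needs_attention(event_type, attrs):
    """Triage rule: a failed Salesforce activity, or a malicious FireAMP disposition."""
    if event_type.startswith('Salesforce_') and attrs.get('isSuccess') == 'false':
        return True
    if event_type.startswith('FireAMP_') and attrs.get('fileDispostion') == 'Malicious':
        return True
    return False
```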
Cisco AMP Cloud V1
Cisco Advanced Malware Protection (AMP) for Endpoints is a lightweight connector that can use the public cloud or be deployed as a private cloud.
• What is Discovered and Monitored
• Event Types
• Rules
• Reports
• Configure Cisco AMP Cloud V1
• Configure FortiSIEM
• Sample Events


What is Discovered and Monitored

Protocol: AMQP
Information collected: Global threat intelligence, advanced sand boxing, and real-time malware blocking.
Used for: Intrusion protection system

Event Types
In RESOURCES > Event Types, enter "Cisco AMP" in the Search column to see the event types associated with this device.
Rules
No defined rules.
Reports
No defined reports.
Configure Cisco AMP Cloud V1
1. Log in to the Cisco AMP for Endpoints Portal as an administrator.
2. Click Accounts > API Credentials.
3. In the API Credentials pane, click New API Credential.
4. In the Application name field, enter a name, and then select Read & Write. Note: you must have Read & Write access to manage event streams on your Cisco AMP for Endpoints platform.
5. Click Create.
6. In the API Key Details section, make note of the values for the 3rd Party API Client ID and the API Key. You will need these values to manage queues.
7. Click Management > Group.
8. In the Groups pane, click Create Group.
9. Enter the group name and click Save.
10. Enter the following curl command to get the group_guid of the group that is created in the previous step.

    curl -X GET -H 'accept: application/json' \
      -H 'content-type: application/json' --compressed \
      -H 'Accept-Encoding: gzip, deflate' \
      -u <CLIENTID:APIKEY> \
      'https://api.amp.cisco.com/v1/groups'

    where:
    • <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6.
    • If you are in the Asia Pacific Japan and China (APJC) region, change the API host https://api.amp.cisco.com to https://api.apjc.amp.cisco.com.
    • If you are in the European region, change the API host https://api.amp.cisco.com to https://api.eu.amp.cisco.com.
11. Enter the following curl command to create a Cisco AMP event stream:

    curl -X POST -H 'accept: application/json' \
      -H 'content-type: application/json' --compressed \
      -H 'Accept-Encoding: gzip, deflate' \
      -d '{"name":"<STREAM_NAME>", "group_guid":["<GUID>"]}' \
      -u <CLIENTID:APIKEY> \
      'https://api.amp.cisco.com/v1/event_streams'

    where:
    • <STREAM_NAME> is the name of your choice for the event stream.
    • <GUID> is the group GUID that you want to link to the event stream, obtained in Step 10.
    • <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6.
    • If you are in the Asia Pacific Japan and China (APJC) region, change https://api.amp.cisco.com/v1/event_streams to https://api.apjc.amp.cisco.com/v1/event_streams.
    • If you are in the European region, change https://api.amp.cisco.com/v1/event_streams to https://api.eu.amp.cisco.com/v1/event_streams.
12. Enter the following curl command to get a summary of the information you need to create a CloudAMP V1 credential in FortiSIEM:

    curl -X POST -H 'accept: application/json' \
      -H 'content-type: application/json' --compressed \
      -H 'Accept-Encoding: gzip, deflate' \
      -d '{"name":"meistream","group_guid":["34e483f4-85a8-412f-9997-07dd3f0c29ea"]}' \
      -u a54c0f4c589d72e0c73e:14713974-eb93-420b-ad76-6e13943f87d4 \
      'https://api.amp.cisco.com/v1/event_streams'

    {
      "version": "v1.2.0",
      "metadata": {
        "links": {
          "self": "https://api.amp.cisco.com/v1/event_streams"
        }
      },
      "data": {
        "id": 8849,
        "name": "meistream",
        "group_guids": [
          "34e483f4-85a8-412f-9997-07dd3f0c29ea"
        ],
        "amqp_credentials": {
          "user_name": "8849-a54c0f4c589d72e0c73e",
          "queue_name": "event_stream_8849",
          "password": "e3298163b3c57e5e4e11ea1b571e85cc2ac45b55",
          "host": "export-streaming.amp.cisco.com",
          "port": "443",
          "proto": "https"
        }
      }
    }
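The event-stream call of steps 11 and 12 and the values FortiSIEM then needs, as an added Python example (not Cisco's or Fortinet's code): build_event_stream_request assembles the same POST the curl command sends, including the HTTP Basic Authorization header that curl -u produces, and amqp_settings_from_response pulls the AMQP host, queue name, user name and password out of the JSON reply, which are exactly the fields entered in the FortiSIEM credential and host mapping that follow. The reply below is constructed with placeholder values; the region table holds the three API hosts named in the procedure, and nothing is sent over the network.

```python
import json
from base64 import b64encode
from urllib.request import Request

# Regional API hosts named in the procedure above.
API_HOSTS = {
    'nam': 'https://api.amp.cisco.com',
    'apjc': 'https://api.apjc.amp.cisco.com',
    'eu': 'https://api.eu.amp.cisco.com',
}

# Constructed reply in the shape of the step 12 output; every credential-like
# value is a placeholder.
SAMPLE_RESPONSE = json.dumps({
    "version": "v1.2.0",
    "metadata": {"links": {"self": "https://api.amp.cisco.com/v1/event_streams"}},
    "data": {
        "id": 8849,
        "name": "example-stream",
        "group_guids": ["00000000-0000-0000-0000-000000000000"],
        "amqp_credentials": {
            "user_name": "8849-CLIENTID_PLACEHOLDER",
            "queue_name": "event_stream_8849",
            "password": "PASSWORD_PLACEHOLDER",
            "host": "export-streaming.amp.cisco.com",
            "port": "443",
            "proto": "https",
        },
    },
})


def basic_auth_header(client_id, api_key):
    """The Authorization header that curl -u CLIENTID:APIKEY sends."""
    token = b64encode(f'{client_id}:{api_key}'.encode()).decode('ascii')
    return f'Basic {token}'


def build_event_stream_request(region, client_id, api_key, stream_name, group_guids):
    """Step 11 as a urllib Request object (built here, not sent)."""
    base = API_HOSTS[region]                       # KeyError for an unknown region
    body = json.dumps({'name': stream_name, 'group_guid': list(group_guids)}).encode()
    req = Request(f'{base}/v1/event_streams', data=body, method='POST')
    req.add_header('Accept', 'application/json')
    req.add_header('Content-Type', 'application/json')
    req.add_header('Authorization', basic_auth_header(client_id, api_key))
    return req


def amqp_settings_from_response(response_text):
    """Step 12 reply -> the values entered into the FortiSIEM credential and host mapping."""
    data = json.loads(response_text)['data']
    creds = data['amqp_credentials']
    return {
        'stream_id': data['id'],
        'queue_name': creds['queue_name'],    # Queue Name
        'user_name': creds['user_name'],      # User Name
        'password': creds['password'],        # Password
        'host': creds['host'],                # IP/Host Name in the credential mapping
        'port': int(creds['port']),
    }


def redacted(settings):
    """Copy that is safe to log or paste into a ticket: the AMQP password is masked."""
    return {k: ('***' if k == 'password' else v) for k, v in settings.items()}
```

The API key and the AMQP password in the step 12 reply are both long-lived secrets; keep the redacted view for notes and tickets and enter the real values only in the FortiSIEM credential.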

Configure FortiSIEM
1. In Admin > Setup > Credentials, create a Cisco CloudAMP Credential.
2. Click New and enter the following information:
   a. Set Device Type to Cisco AMP.
   b. Set Access Protocol to AMQP.
   c. Set Queue Name from queue_name in Step 12 in the previous section.
   d. Set User Name from user_name in Step 12 in the previous section.
   e. Set Password from password in Step 12 in the previous section.
3. Click Save.

4. Go to Admin > Setup > IP to Credential Mapping and create an association as follows. Click New and enter the following information:
   a. Set IP/Host Name to host in Step 12 in the previous section.
   b. Choose the Credential created in Steps 1 to 3 above.
   c. Click Save.
5. Go to Admin > Credentials, select the credential, and run Test Connectivity.
6. If connectivity is successful, go to Admin > Pull Events. An entry will appear in the Event Pulling table. That means events are being pulled.
Sample Events
Events are in JSON format.
[CiscoAMP-Update-Policy-Failure]
{
  "id": 6723137944535695384,
  "timestamp": 1565352535,
  "timestamp_nanoseconds": 82000000,
  "date": "2019-08-09T12:08:55+00:00",
  "event_type": "Policy Update Failure",
  "event_type_id": 2164260866,
  "connector_guid": "98be064e-2ba5-4482-8405-4a9268ae9f2e",
  "group_guids": ["3c025f05-a2c4-4613-9186-343365f53853"],
  "error": {"error_code": 3242196993, "description": "Unknown Error"},
  "computer": {
    "connector_guid": "98be064e-2ba5-4482-8405-4a9268ae9f2e",
    "hostname": "host1",
    "external_ip": "1.2.3.4",
    "active": true,
    "network_addresses": [{"ip": "1.2.3.5", "mac": "00:21:97:1e:1c:05"}],
    "links": {
      "computer": "https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-8405-4a9268ae9f2e",
      "trajectory": "https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-8405-4a9268ae9f2e/trajectory",
      "group": "https://api.amp.cisco.com/v1/groups/3c025f05-a2c4-4613-9186-343365f53853"
    }
  }
}

Cisco Security Agent (CSA)
• What is Discovered and Monitored
• Configuration
• SNMP Trap
What is Discovered and Monitored

Protocol: SNMP Trap
Information Discovered: -
Metrics Collected: -
Used For: -

Rules

FortiSIEM uses these rules to monitor events for this device:

Rule | Description
Agent service control | Attempts to modify agent configuration
Agent UI control | Attempts to modify agent UI default settings, security settings, configuration, contact information
Application control | Attempts to invoke processes in certain application classes
Buffer overflow attacks | 
Clipboard access control | Attempts to access clipboard data written by sensitive data applications
COM component access control | Unusual attempts to access certain COM sets including Email objects
Connection rate limit | Excessive connections to web servers or from email clients
Data access control | Unusual attempts to access restricted data sets such as configuration files, password etc. by suspect applications
File access control | Unusual attempts to read or write restricted file sets such as system executables, boot files etc. by suspect applications
Kernel protection | Unusual attempts to modify kernel functionality by suspect applications
Network access control | Attempts to connect to local network services
Network interface control | Attempts by local applications to open a stream connection to the NIC driver
Network shield | Attacks based on bad IP/TCP/UDP/ICMP headers, port and host scans etc
Windows event log | 
Registry access control | Attempts to write certain registry entries
Resource access control | Symbolic link protection
Rootkit/kernel protection | Unusual attempts to load files after boot
Service restart | Service restarts
Sniffer and protocol detection | Attempts by packet/protocol sniffer to receive packets
Syslog control | Syslog events
System API control | Attempts to access Windows Security Access Manager (SAM)

Reports
There are no predefined reports for Cisco Security Agent.
Configuration
SNMP Trap
FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
Example SNMP Trap
2008-05-13 11:00:36 192.168.1.39 [192.168.1.39]:
SNMPv2-MIB::sysUpTime.0 = Timeticks: (52695748) 6 days, 2:22:37.48
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.8590.3.1
SNMPv2-SMI::enterprises.8590.2.1 = INTEGER: 619
SNMPv2-SMI::enterprises.8590.2.2 = INTEGER: 261
SNMPv2-SMI::enterprises.8590.2.3 = STRING: "sjdevVwindb06.ProspectHills.net"
SNMPv2-SMI::enterprises.8590.2.4 = STRING: "2008-05-13 19:03:21.157"
SNMPv2-SMI::enterprises.8590.2.5 = INTEGER: 5
SNMPv2-SMI::enterprises.8590.2.6 = INTEGER: 452
SNMPv2-SMI::enterprises.8590.2.7 = STRING: "C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"
SNMPv2-SMI::enterprises.8590.2.8 = NULL
SNMPv2-SMI::enterprises.8590.2.9 = STRING: "192.168.20.38"
SNMPv2-SMI::enterprises.8590.2.10 = STRING: "192.168.1.39"
SNMPv2-SMI::enterprises.8590.2.11 = STRING: "The process 'C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe' (as user NT AUTHORITY\\SYSTEM) attempted to accept a connection as a server on TCP port 5900 from 192.168.20.38 using interface Wired\\VMware Accelerated AMD PCNet Adapter. The operation was denied."
SNMPv2-SMI::enterprises.8590.2.12 = INTEGER: 109
SNMPv2-SMI::enterprises.8590.2.13 = STRING: "192.168.1.39"
SNMPv2-SMI::enterprises.8590.2.14 = STRING: "W"
SNMPv2-SMI::enterprises.8590.2.15 = INTEGER: 3959
SNMPv2-SMI::enterprises.8590.2.16 = INTEGER: 5900
SNMPv2-SMI::enterprises.8590.2.17 = STRING: "Network access control"
SNMPv2-SMI::enterprises.8590.2.18 = STRING: "Non CSA applications, server for TCP or UDP services"
SNMPv2-SMI::enterprises.8590.2.19 = INTEGER: 33
SNMPv2-SMI::enterprises.8590.2.20 = STRING: "CSA MC Security Module"
SNMPv2-SMI::enterprises.8590.2.21 = NULL
SNMPv2-SMI::enterprises.8590.2.22 = STRING: "NT AUTHORITY\\SYSTEM"
SNMPv2-SMI::enterprises.8590.2.23 = INTEGER: 2
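Parsing a trap in the net-snmp text notation shown above, as an added example (not Cisco's or Fortinet's code): each "OID = TYPE: value" varbind is typed (INTEGER, STRING, Timeticks and NULL are converted; other types such as OID stay as text), and a small table maps the enterprises.8590.2.N positions to attribute names. That table is inferred from the positions in the sample trap on this page and is an assumption; the Cisco CSA MIB is the authority for the real varbind names. The trap text is constructed; addresses, hostname, path and message are made up.

```python
import re

# Constructed trap in the net-snmp text notation shown above; addresses,
# hostname, path and message are made up.
SAMPLE = (
    '2008-05-13 11:00:36 192.0.2.39 [192.0.2.39]:'
    'SNMPv2-MIB::sysUpTime.0 = Timeticks: (52695748) 6 days, 2:22:37.48 '
    'SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.8590.3.1 '
    'SNMPv2-SMI::enterprises.8590.2.1 = INTEGER: 619 '
    'SNMPv2-SMI::enterprises.8590.2.3 = STRING: "host1.example.net" '
    'SNMPv2-SMI::enterprises.8590.2.7 = STRING: "C:\\\\Program Files\\\\App\\\\app.exe" '
    'SNMPv2-SMI::enterprises.8590.2.8 = NULL '
    'SNMPv2-SMI::enterprises.8590.2.9 = STRING: "192.0.2.38" '
    'SNMPv2-SMI::enterprises.8590.2.11 = STRING: "The process attempted to accept '
    'a connection as a server on TCP port 5900. The operation was denied." '
    'SNMPv2-SMI::enterprises.8590.2.16 = INTEGER: 5900 '
    'SNMPv2-SMI::enterprises.8590.2.17 = STRING: "Network access control" '
    'SNMPv2-SMI::enterprises.8590.2.22 = STRING: "NT AUTHORITY\\\\SYSTEM"'
)

PREFIX_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<agent>\S+) \[(?P<addr>[^\]]+)\]:(?P<rest>.*)$',
    re.DOTALL)
# One varbind: OID = TYPE: value, ending where the next "OID =" begins. The
# lookahead insists on the " = ", so an OID that appears as a *value* (the
# snmpTrapOID varbind) does not start a new varbind.
VARBIND_RE = re.compile(
    r'(?P<oid>SNMPv2-\w+::\S+)\s*=\s*(?P<body>.*?)(?=\s*SNMPv2-\w+::\S+\s*=\s|\Z)',
    re.DOTALL)

# enterprises.8590.2.N -> attribute name. Inferred from the sample trap on this
# page (assumption); the Cisco CSA MIB defines the authoritative names.
CSA_FIELDS = {
    '8590.2.3': 'host', '8590.2.7': 'process', '8590.2.9': 'src_ip',
    '8590.2.11': 'message', '8590.2.16': 'port', '8590.2.17': 'rule',
    '8590.2.22': 'user',
}


def typed_value(body):
    """Convert 'TYPE: raw' to a Python value; unknown types stay as text."""
    kind, sep, raw = body.partition(':')
    if not sep:
        return None if body.strip() == 'NULL' else body.strip()
    raw = raw.strip()
    if kind == 'INTEGER':
        return int(raw)
    if kind == 'STRING':
        return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
    if kind == 'Timeticks':                        # "(ticks) d days, h:m:s.cs"
        return int(raw[1:raw.index(')')])
    return raw                                     # OID, IpAddress, Hex-STRING, ...


def parse_trap(text):
    m = PREFIX_RE.match(text.strip())
    rest = m.group('rest') if m else text
    varbinds = {vb.group('oid'): typed_value(vb.group('body'))
                for vb in VARBIND_RE.finditer(rest)}
    ev = {
        'agent': m.group('agent') if m else None,
        'received': m.group('ts') if m else None,
        'uptime_ticks': varbinds.get('SNMPv2-MIB::sysUpTime.0'),
        'trap_oid': varbinds.get('SNMPv2-MIB::snmpTrapOID.0'),
        'varbinds': varbinds,
    }
    for oid, val in varbinds.items():
        suffix = oid.rsplit('enterprises.', 1)[-1]
        if suffix in CSA_FIELDS:
            ev[CSA_FIELDS[suffix]] = val
    # CSA states the verdict inside the message text rather than in a separate varbind.
    ev['denied'] = 'denied' in str(ev.get('message', '')).lower()
    return ev
```

Keeping the raw varbinds dictionary alongside the named fields means a trap whose positions differ from the assumed table still arrives with every value intact; only the convenience names would be wrong, and the trap_oid tells you which trap definition to consult.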

CloudPassage Halo
• Integration points
• CloudPassage REST API Integration

Integration points

Protocol: CloudPassage REST API
Information collected: Halo events - over 110 event types including User login and account activity, server compliance and vulnerability status, server FIM and firewall policy modification etc.
Used for: Security and Compliance

CloudPassage REST API Integration
FortiSIEM can pull logs from CloudPassage Halo via the CloudPassage REST API. Currently, over 110 CloudPassage event types are parsed. To see the event types:
1. Login to FortiSIEM.
2. Go to ADMIN > Resources > Event Types.
3. Search for 'CloudPassage-Halo'.
Use cases covered via API:
• User login to Halo and user account creation/deletion/modification activity
• Vulnerable software package found and Compromised host detection
• Server FIM, Firewall policy modification
• Server account creation
• Server login via ghostport
Configuring CloudPassage Portal
Create an API Key to be used for FortiSIEM communication.
1. Log in to your CloudPassage Halo portal.
2. Create an API Key and API Secret for use in FortiSIEM.
Configuring FortiSIEM
Use the API Key and Secret from the previous step to enable FortiSIEM access.
1. Login to FortiSIEM.
2. Go to ADMIN > Setup > Credential.

3. Click New to create a CloudPassage Halo credential.
   a. Choose Device Type = CloudPassage Halo (Vendor = CloudPassage, Model = Halo).
   b. Choose Access Protocol = Halo REST API.
   c. Choose Pull Interval = 5 minutes.
   d. Password Configuration: for CyberArk and RAX_CustomerService, see Password Configuration. For Manual, see the following:
      i. Set API Key ID to the API Key obtained from the CloudPassage portal in Configuring CloudPassage Portal.
      ii. Set API Key Secret to the API Secret obtained from the CloudPassage portal in Configuring CloudPassage Portal.
   e. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
   f. Click Save.
4. Enter an IP range to Credential Association.
   a. Set Hostname = api.cloudpassage.com
   b. Select the credential created in step 3.
   c. Click Save.
5. Select the entry in step 4 and click Test Connectivity. Once successful, an entry will be created in ADMIN > Setup > Pull Events. FortiSIEM will start to pull events from the CloudPassage portal using the API.
To test for received CloudPassage Halo events:
1. Go to ADMIN > Setup > Pull Events.
2. Select the CloudPassage entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from CloudPassage in the last 15 minutes. You can modify the time interval to get more events.

CrowdStrike Endpoint Security
• Integration Points
• Falcon Streaming API Integration
• Falcon Data Replicator Integration

Integration Points

Protocol: Falcon Streaming API
Information Discovered: Detection Summary, Authentication Log, Detection Status Update, Security and Indicators of Compromise, Containment Audit Events, IP White-listing Compliance events, Sensor Grouping Events.
Used For: Security and Compliance

Protocol: Falcon Data Replicator
Information Discovered: Detection Summary, User Activity, Authentication Activity.
Used For: Security and Compliance

Falcon Streaming API Integration
FortiSIEM can collect the following types of events from CrowdStrike Cloud Service via the Falcon Streaming API:
• Detection Summary
• Authentication Log
• Detection Status Update
• Customer Indicators of Compromise
• Containment Audit Events
• IP White-listing Events
• Sensor Grouping Events
CrowdStrike provides details about the Falcon Streaming API here. To receive CrowdStrike security events via the Falcon Streaming API, follow these two steps:
1. Configure CrowdStrike Service for Falcon Streaming API.
2. Configure FortiSIEM for Falcon Streaming API Based Access.
Configure CrowdStrike Service for Falcon Streaming API
Create an account to be used for FortiSIEM communication:
1. Login to CrowdStrike as Falcon Customer Admin.
2. Go to Support App > Key page.
3. Click Reset API Key. Copy the API key and UUID for safe keeping. Note that your API key and UUID are assigned one pair per customer account, not one pair per user. Thus, if you generate a new API key, you may be affecting existing applications in your environment.
Configure FortiSIEM for Falcon Streaming API Based Access
Use the account in previous step to enable FortiSIEM access.

1. Login to FortiSIEM.
2. Go to ADMIN > Setup > Credential.
3. Click New to create a CrowdStrike Falcon credential.
   a. Choose Device Type = CrowdStrike Falcon (Vendor = CrowdStrike, Model = Falcon).
   b. Choose Access Protocol = Falcon Streaming API.
   c. Enter the UUID and API Key Secret for the credential created while Configuring CrowdStrike Service for Falcon Streaming API.
   d. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
   e. Click Save.
4. Enter an IP Range to Credential Association.
   a. Set Hostname to firehose.crowdstrike.com.
   b. Select the Credential created in step 3.
   c. Click Save.
5. Select the entry in step 4, click Test Connectivity, and make sure Test Connectivity succeeds, implying that the credential is correct.
6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from CrowdStrike Cloud Service using the Falcon Streaming API.
To test for events received via CrowdStrike Streaming API:
1. Go to ADMIN > Setup > Pull Events.
2. Select the CrowdStrike Streaming API entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from CrowdStrike Cloud Service in the last 15 minutes. You can modify the time interval to get more events.
Falcon Data Replicator Integration
FortiSIEM can collect the following types of events from CrowdStrike Cloud Service via the Falcon Data Replicator method:
• Detection Summary Events
• User Activity Audit Events
• Auth Activity Audit Events
CrowdStrike provides details about the Data Replicator method here.
To receive CrowdStrike security events via Falcon Data Replicator Integration, follow these two steps:
1. Obtain AWS Credentials from CrowdStrike.
2. Configure FortiSIEM for Falcon Data Replicator.
Obtain AWS Credentials from CrowdStrike
Contact CrowdStrike to obtain AWS credentials for pulling CrowdStrike logs from AWS.
1. Generate a GPG key pair in ASCII format.
2. Send the public part of the GPG key to support@crowdstrike.com.
3. CrowdStrike will encrypt the API key with your public key and send you the encrypted API key. You can decrypt it using your private GPG key.
4. CrowdStrike Support will also provide you an SQS Queue URL.
Credentials obtained in steps 3 and 4 above will be used in the next step.

Configure FortiSIEM for Falcon Data Replicator
Use the credentials in previous step to enable FortiSIEM access.
1. Login to FortiSIEM.
2. Go to ADMIN > Setup > Credentials.
3. In Step 1: Enter Credentials, click New to create a CrowdStrike Falcon Data Replicator credential.
   a. Choose Device Type = CrowdStrike Falcon (Vendor = CrowdStrike, Model = Falcon).
   b. Choose Access Protocol = CrowdStrike Falcon Data Replicator.
   c. Enter the Region where the instance is located.
   d. Enter the SQS Queue URL obtained in Obtain AWS Credentials from CrowdStrike.
   e. Password Config: see Password Configuration.
   f. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
   g. Click Save.
4. In Step 2: Enter IP Range to Credential Associations, click New.
   a. Get the Hostname from the SQS Queue URL. For example, for the Queue URL https://us-west-1.queue.amazonaws.com/754656674199/cs-prod-cannon-queued5836cd3792ece8f set the host name to us-west-1.queue.amazonaws.com.
   b. Select the Credential created in step 3 above.
   c. Click Save.
5. Select the entry in step 4, click the Test drop-down list, and select Test Connectivity. If the test succeeds, then the credential is correct.
6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from CrowdStrike Cloud Service using the Falcon Data Replicator.
To test for events received via CrowdStrike Falcon Data Replicator:
1. Go to ADMIN > Setup > Pull Events.
2. Select the CrowdStrike Falcon Data Replicator entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from CrowdStrike Cloud Service in the last 15 minutes. You can modify the time interval to get more events.

Digital Guardian CodeGreen DLP
• What is Discovered and Monitored
• Event Types
• Rules
• Reports
• Configuration
• Sample Event

What is Discovered and Monitored

Protocol: Syslog (CEF format)
Information Discovered: -
Data Collected: 1 event type
Used for: Security and Compliance

Event Types
In RESOURCE > Event Types, Search for "CodeGreen-".
Rules
There are no specific rules, but generic rules for Data Leak Protection apply.
Reports
There are no specific reports, but generic rules for Data Leak Protection and Generic Servers apply.
Configuration
Configure Digital Guardian Code Green DLP to send syslog on port 514 to FortiSIEM.
Sample Event
<10>1 2017-05-11T12:08:06.380Z ABC-Manager DLP - INCADD incident_id="1.12815.1" managed_device_id="1" number_of_incidents="1" incident_status="New,Audit Only" matched_policies_by_severity="High:C_PHI_MRN / C_MRN_>25;" action_taken="NET_NS_H" matches="55" protocol="SMTP" http_url="" inspected_document="Milla_9.16-4.17__UPDATED.XLSX" source="abc@cda.org" source_ip="1.1.1.1" source_port="21752" destination="abc@bcd.edu" destination_ip="2.2.2.2" destination_port="25" email_subject="RE: Open Encounters" email_sender="abc@cde.org" email_recipients="abc@bcd.edu;" timestamp="2017-05-11 12:06:09 PDT" incidents_url=https://aaa.lpch.net/LoadIncidentManagement.do?m=1&id=1,27372

ESET NOD32 Anti-Virus
• What is Discovered and Monitored
• ESET NOD32 Configuration

What is Discovered and Monitored

Protocol: Syslog
Information Discovered: -
Metrics Collected: -
Used For: -

ESET NOD32 Configuration
Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
• For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM Supervisor.
• For Port, enter 514.
• Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Example Syslog
<35313912>Jul 26 18:06:12 LMHCAPEAV01 ERA Server: [2011-07-26 13:06:12.784] V5 [4e2f02148110] [00000e9c] <SESSION_INFO> Kernel connection from 10.0.52.25:48071 accepted
<35313864>Jul 26 18:06:13 LMHCAPEAV01 ERA Server: [2011-07-26 13:06:13.221] V5 [4e2f02148110] [00000e9c] <SESSION_INFO> Kernel connection from 10.0.52.25:48071 closed (code 0,took 438ms, name 'Lmhathnsmt01', mac '00-1E-4F-E8-49-03', product 'ESET NOD32 Antivirus BUSINESS EDITION', product version '04.00002.00071', virus signature db version '63(20110726)')

FortiClient
- What is Discovered and Monitored
- Configuration
- Access Credentials for FortiSIEM
- Sample Events
What is Discovered and Monitored

Protocol
Syslog via FortiAnalyzer (FortiClient > FortiAnalyzer -> FortiSIEM)

Information Discovered

Metrics Collected
Traffic logs (IPSec, VPN, File Cleaning/Blocking) Event logs (Antivirus, Web Filter, Vulnerability Scan, Application Firewall, VPN, WAN Optimization, Update logs)

Note: FortiSIEM collects logs from FortiAnalyzer (FAZ).

Used For
Security Monitoring and Log analysis

Event Types
Search for 'FortiClient' to see the event types associated with this device under RESOURCES > Event Types.

Rules
There are generic rules that trigger for this device as event types are mapped to specific event type groups.

Reports
Generic reports are written for this device as event types are mapped to specific event type groups.

Configuration
1. Configure FortiClient to send events to FAZ.
2. Configure FAZ to send events to FortiSIEM:
   a. Login to FAZ.
   b. Go to System Settings > Advanced > Syslog Server.
   c. Click Create New.
   d. Enter the Name. It is recommended to use the name of the FortiSIEM Supervisor node.
   e. Set the IP address (or FQDN) field to the IP or a fully qualified name of the FortiSIEM node that would parse the log (most likely Collector or Worker/Supervisor).
   f. Retain the Syslog Server Port default value '514'.
   g. Click OK to save your entries.
   h. Go to System Settings > Dashboard > CLI Console.
   i. Type the following in the CLI Console for:
      FAZ 5.1 and older:
        config system aggregation-client
          edit 1 (or the number for your FSM syslog entry)
            set fwd-log-source-ip original_ip
        end
      FAZ 5.6 and newer:
        config system log-forward
          edit 1 (or the number for your FSM syslog entry)
            set fwd-log-source-ip original_ip
        end
   j. Go to System Settings > Log Forwarding.
   k. Click Create New.
   l. Enter the Name.
   m. Select 'Syslog' as Remote Server Type.
   n. Enter the Server IP with the IP of the FortiSIEM Server/Collector.
   o. Retain the Server Port default value '514'.
   p. Set Reliable Connection to the default value 'Off'.
      Note: Setting this to 'On' will make every log sent from FAZ appear with FAZ's IP and NOT that of the firewall(s). In addition, your network must allow a UDP connection between FAZ and the FortiSIEM Collector. Otherwise, the logs will not reach the Collector.
   q. Optional - Use Log Forwarding Filters to select the specific devices you want to forward logs for.
3. Follow the steps below to validate that logs are properly flowing from FAZ to FortiSIEM:
   a. Login to FortiSIEM.
   b. Click the ANALYTICS tab and use the filter to perform a real-time search:
      i. Click on the Attribute field to select 'Reporting IP' from the list, or enter the same in the field to search.
      ii. Select the '=' Operator.
      iii. In the Value field, enter the name of the Fortinet devices from where logs are expected.
      Note: This is NOT the IP address of the FAZ but of an original source device, like a FortiGate Firewall. To ensure that everything is being sent/received correctly, you can use multiple IPs.
   You will now see events from one, to numerous, source device(s), even though they are all forwarded from a single FAZ device. You can also check CMDB > Devices to see whether the devices are appearing within CMDB.
   Note: The Relaying IP value in FortiSIEM will not show the IP address of the FAZ but that of the original device which sent the logs to FAZ. All the device logs appear within FortiSIEM without configuring numerous devices individually.

Access Credentials for FortiSIEM

Setting Value
Name <name>
Device Type Fortinet FortiClient
Access Protocol WMI
Pull Interval 1 minute
NetBIOS/Domain The NetBIOS name of servers or domain name
Password config See Password Configuration

Sample Events
Traffic Log
<116> device=FCTEMS0000000001 severity=medium from=FAZVM64(FAZ-VM0000000001) trigger=EVT2SIEM log="itime=1489562233 date=2017-03-15 time=00:17:13 logver=2 type=traffic sessionid=N/A hostname=hostname.local uid=1000000000 devid=FCT8000000000008 fgtserial=FCTEMS0000000005 level=warning regip=10.1.1.1 srcname="Opera" srcproduct=N/A srcip=10.1.1.3 srcport=18398 direction=outbound dstip=10.0.0.4 remotename="aa.com" dstport=20480 user="bb.lee" service=http proto=6 rcvdbyte=N/A sentbyte=N/A utmaction=blocked utmevent=webfilter threat="Gambling" vd=root fctver=1.2.1.1 os="Mac OS X 1.1.1" usingpolicy=N/A url=/ userinitiated=0 browsetime=N/A" ET---> FortiClient-traffic-blocked
Event Log
<116> device=FCTEMS0036759495 severity=medium from=FAZVM64(FAZ-VM0000000001) trigger=EVT2SIEM1 log="itime=1490237155 date=2017-03-22 time=19:45:55 logver=2 level=info uid=C4C4E56CE7B04762B053E8F88B8ECF47 vd=root fctver=5.4.2.0862 os="Microsoft Windows Server 2012 R2 Standard Edition, 64-bit (build 9600)" usingpolicy=AOFCT fgtserial=N/A emsserial=FCTEMS0036759495 devid=FCT8003883203338 hostname=sjcitvwfct01 pcdomain=accelops.net clientfeature=endpoint deviceip=devicemac=N/A type=event user=N/A id=96953 msg="Endpoint Control Status changed - Offline""


Fortinet FortiEDR
- Integration Points
- Configuration
- Settings for Access Credentials
- Sample Events

Integration Points

Method Syslog

Information discovered Host name, Reporting IP

Metrics collected None

Logs collected System and Security Events (e.g., file blocked)

Used for Security monitoring

Event Types
In ADMIN > Device Support > Event, Search for "FortiEDR" to see the event types associated with this device.
Rules
No specific rules are written for FortiEDR but generic end point rules apply
Reports
No specific reports are written for FortiEDR but generic end point rules apply
Configuration
Configure FortiEDR system to send logs to FortiSIEM in the supported format (see Sample events below)
Settings for Access Credentials
None required
Sample Events
<133>1 2019-09-18T06:42:18.000Z 1.1.1.1 enSilo - - - Organization: Demo;Organization ID: 156646;Event ID: 458478;Raw Data ID: 1270886879;Device Name: WIN10-VICTIM;Operating System: Windows 10 Pro N;Process Name: svchost.exe;Process Path: \Device\HarddiskVolume4\Windows\System32\svchost.exe;Process Type: 64bit;Severity: Critical;Classification: Suspicious;Destination: File Creation;First Seen: 18-Sep-2019, 02:42:18;Last Seen: 18-Sep-2019, 02:42:18;Action: Blocked;Count: 1;Certificate: yes;Rules List: File Encryptor - Suspicious file modification;Users: WIN10-VICTIM\U;MAC Address: 00-0C-29-D4-75-EC;Script: N/A;Script Path: N/A;Autonomous System: N/A;Country: N/A


Malwarebytes Endpoint Protection
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol Syslog

Information Discovered

Metrics Collected Malware detection log

Used For Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "malwarebytes" to see the event types associated with this device.
Rules
Malware found but not remediated.
Reports
In RESOURCE > Reports, search for "malware found" to see the reports associated with this device.
Configuration
Syslog
FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM on port 514.
Sample Syslog:
<45>1 2016-09-23T14:40:35.82-06:00 reportDeviceName Malwarebytes-Endpoint-Security 1552 - {"security_log":{"client_id":"ef5f8fc8-ad0e-46f8-b6d7-1a85d5f73e64","host_name":"Abccbd","domain":"abc.com","mac_address":"FF-FF-FF-FF-FF","ip_address":"10.1.1.1","time":"2016-09-23T14:40:14","threat_level":"Moderate","object_type":"FileSystem","object":"HKLM\\SOFTWARE\\POLICIES\\GOOGLE\\UPDATE","threat_name":"PUM.Optional.DisableChromeUpdates","action":"Quarantine","operation":"QUARANTINE","resolved":true,"logon_user":"dsamuels","data":"data","description":"No description","source":"MBAM","payload":null,"payload_url":null,"payload_process":null,"application_path":null,"application":null}}
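Added example, not Fortinet's parser and not part of this guide: both the FortiEDR sample (Sample Events above, under Fortinet FortiEDR) and the Malwarebytes sample share RFC 5424 framing, so one Python header parser serves both, with the FortiEDR "Key: Value;" body and the Malwarebytes JSON body handled separately. The two sample lines are the guide's own samples with page breaks joined; unremediated() is an assumption about what the "Malware found but not remediated" rule checks, which the guide does not spell out.

```python
import json
import re
from typing import Dict, Tuple

# RFC 5424 framing shared by both samples:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [STRUCTURED-DATA] MSG
# The Malwarebytes sample in the guide carries only one "-" between PROCID and the JSON,
# so STRUCTURED-DATA is treated as optional instead of rejecting the line.
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d)\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<app>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s+"
    r"(?:(?P<sd>-|(?:\[.*?\])+)\s+)?(?P<msg>.*)$",
    re.DOTALL,
)


def parse_rfc5424(line: str) -> Dict[str, object]:
    """Split the header and decode PRI into facility and severity (PRI = facility * 8 + severity)."""
    m = _RFC5424.match(line.strip())
    if m is None:
        raise ValueError("not an RFC 5424 syslog line")
    hdr: Dict[str, object] = m.groupdict()
    pri = int(str(hdr.pop("pri")))
    hdr["facility"], hdr["severity"] = divmod(pri, 8)
    return hdr


def parse_fortiedr_event(line: str) -> Tuple[Dict[str, object], Dict[str, str]]:
    """FortiEDR body is 'Key: Value;Key: Value;...'. Values contain ':' (times) and ','
    (dates), so split on ';' first and then only on the first ': ' of each item."""
    hdr = parse_rfc5424(line)
    fields: Dict[str, str] = {}
    for item in str(hdr["msg"]).split(";"):
        key, sep, value = item.strip().partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return hdr, fields


def parse_malwarebytes_event(line: str) -> Tuple[Dict[str, object], Dict[str, object]]:
    """Malwarebytes body is a JSON document; return its 'security_log' object."""
    hdr = parse_rfc5424(line)
    return hdr, json.loads(str(hdr["msg"]))["security_log"]


def unremediated(sec_log: Dict[str, object]) -> bool:
    """Assumed shape of the 'Malware found but not remediated' condition: a detection
    whose 'resolved' flag is anything other than true."""
    return sec_log.get("resolved") is not True


# Sample events from the guide (page breaks joined). Raw strings because the values
# contain backslashes such as \U in the user name.
FORTIEDR_SAMPLE = (
    r"<133>1 2019-09-18T06:42:18.000Z 1.1.1.1 enSilo - - - Organization: Demo;"
    r"Organization ID: 156646;Event ID: 458478;Raw Data ID: 1270886879;"
    r"Device Name: WIN10-VICTIM;Operating System: Windows 10 Pro N;"
    r"Process Name: svchost.exe;"
    r"Process Path: \Device\HarddiskVolume4\Windows\System32\svchost.exe;"
    r"Process Type: 64bit;Severity: Critical;Classification: Suspicious;"
    r"Destination: File Creation;First Seen: 18-Sep-2019, 02:42:18;"
    r"Last Seen: 18-Sep-2019, 02:42:18;Action: Blocked;Count: 1;Certificate: yes;"
    r"Rules List: File Encryptor - Suspicious file modification;Users: WIN10-VICTIM\U;"
    r"MAC Address: 00-0C-29-D4-75-EC;Script: N/A;Script Path: N/A;"
    r"Autonomous System: N/A;Country: N/A"
)

MALWAREBYTES_SAMPLE = (
    r'<45>1 2016-09-23T14:40:35.82-06:00 reportDeviceName Malwarebytes-Endpoint-Security 1552 - '
    r'{"security_log":{"client_id":"ef5f8fc8-ad0e-46f8-b6d7-1a85d5f73e64","host_name":"Abccbd",'
    r'"domain":"abc.com","mac_address":"FF-FF-FF-FF-FF","ip_address":"10.1.1.1",'
    r'"time":"2016-09-23T14:40:14","threat_level":"Moderate","object_type":"FileSystem",'
    r'"object":"HKLM\\SOFTWARE\\POLICIES\\GOOGLE\\UPDATE",'
    r'"threat_name":"PUM.Optional.DisableChromeUpdates","action":"Quarantine",'
    r'"operation":"QUARANTINE","resolved":true,"logon_user":"dsamuels","data":"data",'
    r'"description":"No description","source":"MBAM","payload":null,"payload_url":null,'
    r'"payload_process":null,"application_path":null,"application":null}}'
)

if __name__ == "__main__":
    hdr, fields = parse_fortiedr_event(FORTIEDR_SAMPLE)
    print(hdr["host"], fields["Device Name"], fields["Action"], fields["Rules List"])
    hdr, sec = parse_malwarebytes_event(MALWAREBYTES_SAMPLE)
    print(sec["host_name"], sec["threat_name"], "unremediated" if unremediated(sec) else "resolved")
```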


McAfee ePolicy Orchestrator (ePO)
- What is Discovered and Monitored
- Event Types
- Configuration
- Sample Access Protection Violation detected SNMP Trap

What is Discovered and Monitored

Protocol SNMP Traps

Information Discovered

Metrics Collected

Used For

Event Types
In ADMIN > Device Support > Event Types, search for "mcafee epolicy" to see the event types associated with this application or device.
Configuration
FortiSIEM processes events via SNMP traps sent by the device. Follow the procedures below to configure McAfee ePO to send threat-based SNMP traps to FortiSIEM.
Step 1: Configuring SNMP Server to send Traps from McAfee ePO
1. Log in to the McAfee ePO web console.
2. Go to Main Menu > Configuration > Registered Servers, and click New Server. The Registered Server Builder opens.
3. For Server type, select SNMP Server.
4. For Name, enter the IP address of your SNMP server.
5. Enter any Notes, and click Next to go to the Details page.
6. For Address, select IP4 from the drop-down and enter the IP/DNS Name for the FortiSIEM virtual appliance and SNMP that will receive the SNMP trap.
7. For SNMP Version, select SNMPv1.
8. For Community, enter public.
   Note: The community string entered here is not used by FortiSIEM, as FortiSIEM accepts traps from McAfee ePO without any configuration.
9. Click Send Test Trap, and then click Save.
10. Log in to your Supervisor node and use Real Time Search to see if FortiSIEM received the trap. Without any configuration on FortiSIEM, the traps are received under Real time/Historical Analytics. (Search using 'Reporting IP' as McAfee ePO's IP.)


Step 2: Configuring "Automatic Response"
By default, McAfee ePO does not send SNMP Trap alerts for the events that occur. This must be configured.
1. Go to Main Menu > Automation > Automatic Response.
2. By default, there are a few Automatic Responses configured, but they are in a disabled state.
3. Click the New Response button.
4. Enter a Name for the 'Response'.
5. Set Status to 'Enabled' and click Next.
6. Click the Ellipsis icon, select the top level under Select System Tree Group, and click OK.
7. On the left side of the same screen, select Threat Handled.
Sample Access Protection Violation detected SNMP Trap
2017-05-30 16:24:27 192.168.100.205 TRAP, SNMP v1, community fortisiem
SNMPv2-SMI::enterprises.3401.12.2.1.1 Enterprise Specific Trap (101) Uptime: 3:56:08.15
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.7 = STRING: "Threat_Trigger_Rule"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.30 = STRING: "58F5DD64-43C5-11E7-0584-000C29219964"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.360 = STRING: "My Organization"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.20 = STRING: "05/30/17 13:20:24 UTC"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.50 = STRING: "ENDP_AM_1050"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.510 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.510 = STRING: "Access Protection"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.520 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.70 = STRING: "WIN2012-SKULLC"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.90 = STRING: "192.168.100.205"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.80 = STRING: "192.168.100.205"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.500 = STRING: "000c29219964"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.50 = STRING: "McAfee Endpoint Security"
SNMPv2-SMI::enterprises.3401.12.2.1.1.6.0.00 = STRING: "10.5.0"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.370 = STRING: "Access Protection rule violation detected and NOT blocked"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.6 = STRING: "Threat"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.1 = INTEGER: 1
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.390 = STRING: "Server"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.380 = STRING: "Windows Server 2012 R2"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.50 = STRING: "05/30/17 13:24:05 UTC"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.530 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.550 = STRING: "192.168.100.205"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.540 = STRING: "192.168.100.205"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.560 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.580 = STRING: "FIREFOX.EXE"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.590 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.570 = STRING: "WIN2012-SKULLC\Administrator"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.500 = STRING: "GlobalRoot\Directory\My Group"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.280 = STRING: "C:\USERS\ADMINISTRATOR\DOWNLOADS\V3_2994DAT.EXE"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.200 = STRING: "WIN2012-SkullC"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.220 = STRING: "192.168.100.205"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.210 = STRING: "192.168.100.205"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.230 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.250 = STRING: "0"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.270 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.260 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.240 = STRING: "SYSTEM"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.340 = STRING: "IDS_ACTION_WOULD_BLOCK"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.290 = STRING: "'File' class or access"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.300 = STRING: "1095"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.350 = STRING: "True"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.320 = STRING: "Browsers launching files from the Downloaded Program Files folder"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.310 = STRING: "Critical"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.330 = STRING: "Access Protection"


MobileIron Sentry and Connector
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Sample Events

What is Discovered and Monitored

Protocol Syslog

Information Discovered Host name and Device Type from LOG

Metrics/LOG collected Over 14 types of security logs

Used for Security and Compliance

Event Types
Go to Admin > Device Type > Event Types and search for "MobileIron-".
Rules
None
Reports
None
Configuration
Configure MobileIron to send syslog in the supported format to FortiSIEM. No configuration is required in FortiSIEM.
Sample Events
Apr 3 04:16:51 mobile-apptunnel.xxxxx.com mi: PRODUCT=Sentry_9.4.0_4,2019 Apr 3 04:16:48 WARN (Device=bc7b8d61-b003-49e6-9ef5-76ee5bebd6d9, DeviceIPPort=10.1.1.1:60995, User=Username2, Command=POST, Server=25678:domain3.local, Service=Traveler) (AlertOrigin=Sentry, AlertId=HTTP503) Got exception during device-to-server processing, Sentry reporting error to client:java.net.SocketTimeoutException: Read timed out


Netwrix Auditor (via Correlog Windows Agent)
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Sample Events

What is Discovered and Monitored

Protocol Via Correlog Windows Agent

Information Discovered Host name and Device Type from LOG

Metrics/LOG collected 2 Security logs

Used for Security and Compliance monitoring

Event Types
Go to Admin > Device Type > Event Types and search for "Netwrix_Auditor_".
Rules
None
Reports
None
Configuration
Configure Netwrix Auditor to send logs to Correlog Windows Agent. FortiSIEM will automatically parse the logs as long as they appear in the format below.
Sample Events
<158>2018 Jul 27 07:20:36 CorreLog_Win_Agent ACME-NETWRIX Netwrix_Auditor_Integration 0: Netwrix_Auditor_Integration_API: DataSource : Windows Server Action : Removed Message: Removed DNS A Where : ACME-DC02 ObjectType : DNS A Who : system What : DNS Server\SACDC02\acmegroup.local\ACME-TRADE08 IN A 10.150.90.180 1200 When : 2018-07-27T14:15:43Z Details : IP Address: 10.150.90.180, TTL: 1200, Container name: acmegroup.local, Owner name: acmegroup.local -


Palo Alto Traps Endpoint Security Manager
- What is Discovered and Monitored
- Event Types
- Configuration

What is Discovered and Monitored

Protocol Syslog (CEF format)

Information Discovered -

Data Collected Over 150 event types

Used for Security and Compliance

Event Types
In RESOURCE > Event Types, Search for "PAN-TrapsESM".
Sample Event Type:
Sep 28 2016 17:38:48 172.16.183.173 CEF:0|Palo Alto Networks|Traps Agent|3.4.1.16709|Traps Service Status Change|Agent|6|rt=Sep 28 2016 17:38:48 dhost=traps-win7x86 duser=Traps msg=Agent Service Status Changed: Stopped-> Running
Sep 28 2016 17:42:04 ESM CEF:0|Palo Alto Networks|Traps ESM|3.4.1.16709|Role Edited|Config|3|rt=Sep 28 2016 17:42:04 shost=ESM suser=administrator msg=Role TechWriter was added\changed
Configuration
Configure Palo Alto Traps Endpoint Security Manager to send syslog on port 514 to FortiSIEM.


SentinelOne
- Integration Points
- Event Types
- Rules
- Reports
- Configuration
- Settings for Access Credentials
- Sample Events

Integration Points

Method Syslog

Information Discovered Host name, Reporting IP

Metrics Collected None

Logs Collected System and Security Events (e.g., file blocked)

Used for Security monitoring

Event Types
In ADMIN > Device Support > Event, Search for "SentinelOne" to see the event types associated with this device.
Rules
No specific rules are written for SentinelOne but generic end point rules apply.
Reports
No specific reports are written for SentinelOne but generic end point rules apply.
Configuration
Configure SentinelOne system to send logs to FortiSIEM in the supported format (see Sample Events).
Settings for Access Credentials
None required.
Sample Events
<14>CEF:0|SentinelOne|Mgmt|Windows 7|21|Threat marked as resolved|1|rt=Jun 05 2017 09:29:17 uuid=586e7cc578207a3f75361073 fileHash=4b9c5fe8ead300a0be2dbdbcdbd193591451c8b4 filePath=\Device\HarddiskVolume2\Windows\AutoKMS\AutoKMS.exe
<14>CEF:0|SentinelOne|Mgmt|1.1.1.1|65|user initiated a fetch full report command to the agent DT-Virus7|1|rt=#arcsightDate(Jun 06 2017 09:29:17) suser=xyz duid=c29ca0cee8a0a989321495b78b1d256ab7189144 cat=SystemEvent


Sophos Central
- Integration points
- Configuring Sophos Central for API Access
- Configuring FortiSIEM for Sophos Central for API Access
- Parsing and Events

Integration points

Protocol Sophos Central API

Information Discovered Endpoint suspicious activity detected by Sophos agent

Used For Security and Compliance

Configuring Sophos Central for API Access
Sophos provides ample documentation here.
1. Login to the Sophos Central website.
2. Go to Global Settings > API Token Management. Click Add Token. The Token will display.
3. Note the following information for later use:
   a. Get the Host Name from the API Access URL (the part after https://).
   b. Get the Authorization from API Access URL + Headers (the part after Authorization:Basic).
   c. Get the API Key from Headers (the part between x-api-key: and Authorization Basic).
Configuring FortiSIEM for Sophos Central for API Access
Use the account in previous step to enable FortiSIEM access.
1. Login to FortiSIEM.
2. Go to ADMIN > Setup > Credential.
3. Click New to create the Sophos Central credential:
   a. Choose Device Type = Sophos Central.
   b. Choose Access Protocol = Sophos Central API.
   c. Enter the Authorization obtained in the previous section (step 3b).
   d. Keep User Name empty.
   e. Leave the URI field empty. FortiSIEM will use gateway/siem/v1/events.
   f. Enter the API Key obtained in the previous section (step 3c).
   g. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
   h. Click Save.
4. Enter an IP Range to Credential Association:
   a. Enter the Hostname obtained in the previous section (step 3a).
   b. Select the Credential created in step 3.
   c. Click Save.
5. Select the entry in step 4 and click Test > Test Connectivity. If it succeeds, then the credential is correct.
6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Sophos Central using the Sophos Central API.
To test for events received via the Sophos Central API:
1. Go to ADMIN > Setup > Pull Events.
2. Select the Sophos Central entry and click Report. The system will take you to the Analytics tab and run a query to display the events received from Sophos Central in the last 15 minutes. You can modify the time interval to get more events.
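Added example, not part of the guide and not FortiSIEM's own code: the request that the credential above amounts to, built in Python from the three values step 3 of the previous section records (host name after https://, x-api-key, Authorization Basic) against the gateway/siem/v1/events URI the guide names. The token text, host, key and token below are constructed placeholders, and the 'items' field in the response is an assumption about the Sophos SIEM API, not something the guide states.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Dict, Tuple

# Everything FortiSIEM needs is read off the Sophos Central token page: the host (the
# part of the API Access URL after https://), the x-api-key header and the
# Authorization: Basic header. The regexes tolerate the values being on one line or several.
_HOST_RE = re.compile(r"https://([^\s/,]+)")
_API_KEY_RE = re.compile(r"x-api-key:\s*([^\s,]+)", re.IGNORECASE)
_AUTH_RE = re.compile(r"Authorization:\s*Basic\s+([^\s,]+)", re.IGNORECASE)

# The URI FortiSIEM uses when the credential's URI field is left empty (from the guide).
EVENTS_PATH = "/gateway/siem/v1/events"

# Constructed stand-in for the "API Access URL + Headers" text shown by Sophos Central;
# host, key and token are placeholders, not real Sophos values.
TOKEN_DISPLAY = """\
URL: https://api-example.central.sophos.example/gateway
x-api-key: EXAMPLE-API-KEY-0000
Authorization: Basic RXhhbXBsZTpOb3RBUmVhbFRva2Vu
"""


def split_token_display(text: str) -> Dict[str, str]:
    """Step 3 of the guide done in code: host name, API key and the Authorization value."""
    host, key, auth = _HOST_RE.search(text), _API_KEY_RE.search(text), _AUTH_RE.search(text)
    if not (host and key and auth):
        raise ValueError("token text is missing the URL, x-api-key or Authorization header")
    return {"host": host.group(1), "api_key": key.group(1), "authorization": auth.group(1)}


def build_events_request(host: str, authorization: str, api_key: str) -> urllib.request.Request:
    """The GET FortiSIEM issues once the credential is saved:
    https://<host>/gateway/siem/v1/events with both headers attached.
    'authorization' is the value after 'Basic', i.e. what step 3b records."""
    if host.startswith("https://"):
        host = host[len("https://"):]
    host = host.strip("/")
    req = urllib.request.Request("https://" + host + EVENTS_PATH)
    req.add_header("x-api-key", api_key)
    req.add_header("Authorization", "Basic " + authorization)
    req.add_header("Accept", "application/json")
    return req


def check_connectivity(host: str, authorization: str, api_key: str,
                       timeout: float = 10.0) -> Tuple[bool, str]:
    """Equivalent of ADMIN > Setup > Credential > Test Connectivity. An HTTP 401/403 here
    means the API key or Authorization value was copied wrongly; a network error means the
    FortiSIEM node cannot reach the Sophos host on 443. Assumption: a successful response
    is JSON with an 'items' list (Sophos SIEM API shape, not stated in the guide)."""
    req = build_events_request(host, authorization, api_key)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.loads(resp.read().decode("utf-8"))
            return True, "HTTP %d, %d events in the first page" % (
                resp.getcode(), len(body.get("items", [])))
    except urllib.error.HTTPError as exc:
        return False, "HTTP %d %s" % (exc.code, exc.reason)
    except (urllib.error.URLError, OSError) as exc:
        return False, "network error: %s" % exc


if __name__ == "__main__":
    values = split_token_display(TOKEN_DISPLAY)
    print("requesting", build_events_request(**values).full_url)
    ok, detail = check_connectivity(values["host"], values["authorization"], values["api_key"])
    print("OK" if ok else "FAILED", detail)
```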
Parsing and Events
Over 20 events are parsed - see event types in Resources > Event Types and search for 'Sophos-Central'.


Sophos Endpoint Security and Control
- What is Discovered and Monitored
- Sophos Configuration

What is Discovered and Monitored

Protocol SNMP Trap

Information Discovered

Metrics Collected

Used For

Event Types
In ADMIN > Device Support > Event, search for "sophos endpoint" in the Device Type column to see the event types associated with this application or device.
Sophos Configuration
SNMP Trap
FortiSIEM processes Sophos Endpoint control events via SNMP traps sent from the management console. Configure the management console to send SNMP traps to FortiSIEM, and the system will automatically recognize the messages. SNMP Traps are configured within the Sophos policies.
1. In the Policies pane, double-click the policy you want to change.
2. In the policy dialog, in the Configure panel, click Messaging.
3. In the Messaging dialog, go to the SNMP messaging tab and select Enable SNMP messaging.
4. In the Messages to send panel, select the types of event for which you want Sophos Endpoint Security and Control to send SNMP messages.
5. In the SNMP trap destination field, enter the IP address of the recipient.
6. In the SNMP community name field, enter the SNMP community name.
Sample SNMP Trap
2011-05-03 18:22:32 172.15.30.8(via UDP: [172.15.30.8]:1216) TRAP, SNMP v1, community public SNMPv2-SMI::enterprises.2604.2.1.1.1 Enterprise Specific Trap (1) Uptime: 5:59:55.31 SNMPv2-SMI::enterprises.2604.2.1.1.2.1.1 = STRING: "File \"C:\WINDOWS\system32\LDPackage.dll\" belongs to virus/spyware 'Mal/Generic-S'." SNMPv2-SMI::enterprises.2604.2.1.1.2.2.2 = STRING: "9.5.5"


Symantec Endpoint Protection
- What is Discovered and Monitored
- Symantec Endpoint Protection Configuration

What is Discovered and Monitored

Protocol Syslog

Information Discovered

Metrics Collected Logs

Used For Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "symantec endpoint" in the Device Type and Description columns to see the event types associated with this device.
Symantec Endpoint Protection Configuration
Syslog
FortiSIEM processes events from this device via syslog sent by the device.
Configuring Log Transmission to FortiSIEM
1. Log in to Symantec Endpoint Protection Manager.
2. Go to Admin > Configure External Logging > Servers > General.
3. Select Enable Transmission of Logs to a Syslog Server.
4. For Syslog Server, enter the IP address of the FortiSIEM virtual appliance.
5. For UDP Destination Port, enter 514.
Configuring the Types of Logs to Send to FortiSIEM
1. Go to Admin > Configure External Logging > Servers > Log Filter.
2. Select the types of logs and events you want to send to FortiSIEM.
Sample Syslog
<13>Feb 23 12:36:37 QA-V-Win03-App1.ProspectHills.net SymAntiVirus 0 2701170C2410,3,2,1,QA-V-WIN03-APP1,Administrator,,,,,,,16777216,"Scan started on selected drives and folders and all extensions.",1235421384,,0,,,,,0,,,,,,,,,,,{C11B44CF-35C9-4342AB3D-E0E9E3756510},,(IP)0.0.0.0,,ACME,00:50:56:A3:30:2F,11.0.1000.1112,,,,,,,,,,,,,,,,0,,,,,

<54>Jun 11 12:24:38 SymantecServer sjdevswinapp05: Site: Site sjdevswinapp05,Server: sjdevswinapp05,Domain: Default,Admin: admin,Administrator log on failed
<54>Jun 11 12:24:51 SymantecServer sjdevswinapp05: Site: Site sjdevswinapp05,Server: sjdevswinapp05,Domain: Default,Admin: admin,Administrator log on succeeded
<54>Feb 23 13:08:29 SymantecServer sjdevswinapp05: Virus found,Computer name: Filer,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:/Documents and Settings/Administrator.PROSPECTHILLS/Local Settings/Temp/vpqz3cxj.com,"",Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2009-02-23 21:06:51,Inserted: 2009-02-23 21:08:29,End: 2009-02-23 21:06:51,Domain: Default,Group: Global\Prospecthills,Server: sjdevswinapp05,User: Administrator,Source computer: ,Source IP: 0.0.0.0
Mar 16 15:11:06 SymantecServer aschq97: NF77088-PCA,Local: 192.168.128.255,Local: 138,Local: FFFFFFFFFFFF,Remote: 192.168.128.86,Remote: ,Remote: 138,Remote: 0015C53B9216,UDP,Inbound,Begin: 2009-03-16 15:05:02,End: 2009-03-16 15:05:02,Occurrences: 1,Application: C:/WINDOWS/system32/ntoskrnl.exe,Rule: Allow local file sharing,Location: Default,User: ,Domain: ASC
<54>Feb 24 11:51:19 SymantecServer sjdevswinapp05: QA-V-Win03-App2,[SID: 20352] HTTP Whisker/Libwhisker Scan (1) detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe,Local: 0.0.0.0,Local: 000000000000,Remote: ,Remote: 192.168.1.4,Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2009-02-24 11:50:01,End: 2009-02-24 11:50:01,Occurrences: 1,Application: C:/WINDOWS/system32/ntoskrnl.exe,Location: Default,User: Administrator,Domain: PROSPECTHILLS
<54>Jul 28 08:08:52 SymantecServer corpepp01: 6910p-X751008R,Category: 2,Symantec AntiVirus,New virus definition file loaded. Version: 130727ag.
<54>Jul 28 08:09:32 SymantecServer corpepp01: CORPMIO-H4VYWB1,Category: 2,Symantec AntiVirus,Symantec Endpoint Protection services shutdown was successful.
<52>Jul 28 08:10:13 SymantecServer corpepp01: TEMPEXP02,Category: 0,Smc,Failed to disable Windows firewall
<54>Jul 28 08:08:52 SymantecServer corpepp01: 8440p-X0491JYR,Category: 0,Smc,Connected to Symantec Endpoint Protection Manager (10.0.11.17)
<54>Jul 28 08:08:52 SymantecServer corpepp01: 8440p-X0491JYR,Category: 0,Smc,Disconnected from Symantec Endpoint Protection Manager (10.0.11.17)
<54>Jul 28 08:09:52 SymantecServer corpepp01: CORPES-3042,Category: 0,Smc,Connected to Symantec Endpoint Protection Manager (corphqepp01)
<54>Jul 28 08:09:52 SymantecServer corpepp01: CORPES-3042,Category: 0,Smc,Disconnected from Symantec Endpoint Protection Manager (corpepp01)
<54>Jul 28 08:09:32 SymantecServer corpepp01: CORPMIO-H4VYWB1,Category: 0,Smc,Network Threat Protection - - Engine version: 11.0.480 Windows Version info: Operating System: Windows XP (5.1.2600 Service Pack 3) Network info: No.0 "Local Area Connection 3" 00-15-c5-46-581e "Broadcom NetXtreme 57xx Gigabit Controller" 10.0.208.66
<54>Jul 28 07:55:32 SymantecServer corpepp01: tol-afisk,Blocked,Unauthorized NT call rejected by protection driver.,System,Begin: 2011-07-27 15:29:57,End: 2011-07-27 15:29:57,Rule: Built-in rule,6092,AcroRd32.exe,0,None,"FuncID=74H, RetAddr=18005CH",User: afisk,Domain: HST

Symantec SEPM
- Configuring Symantec SEPM
- Receiving Events in FortiSIEM
Configuring Symantec SEPM
Follow these steps to configure Symantec SEPM to send logs to FortiSIEM. For more information about Symantec SEPM, see the SEPM Installation and Administration Guide: https://support.symantec.com/us/en/article.DOC10654.html
1. In the Symantec SEPM console, go to Admin > Servers.
2. Click the local site or remote site that you want to export log data from.
3. Click Configure External Logging.
4. On the General tab, in the Update Frequency list box, select how often to send the log.
5. In the Master Logging Server list box, select the management server to send the logs to. If you use SQL Server and connect multiple management servers to the database, then specify only one server as the Master Logging Server.
6. Check Enable Transmission of Logs to a Syslog Server (FortiSIEM).
7. Provide the following information. Be sure that the syslog server IP and Port can be reached from SEPM.
   a. Syslog Server--Enter the IP address or domain name of the Syslog server that will receive the log data (in this case, the IP of FortiSIEM).
   b. Destination Port--Select the protocol to use, and enter the destination port that the Syslog server uses to listen for Syslog messages (for example, UDP 514 for FortiSIEM).
   c. Log Facility--Enter the number of the log facility that you want the Syslog configuration file to use, or use the default value. Valid values range from 0 to 23.
8. On the Log Filter tab, check which logs to export.
Receiving Events in FortiSIEM
1. Check for events in FortiSIEM. Go to the ANALYTICS page and search on "Symantec".
2. Check for the device added by log. Go to CMDB > Devices.


Tanium Connect
- Integration points
- Configuring Tanium Connect
- Configuring FortiSIEM
- Parsing and Events

Integration points

Protocol Syslog

Information Discovered Endpoint security logs

Used For Security and Compliance

Configuring Tanium Connect
Follow Tanium Connect documentation to send syslog to FortiSIEM.
Configuring FortiSIEM
FortiSIEM automatically recognizes Tanium Connect syslog as long as it follows the format shown in the sample syslog:
<134>1 2018-09-06T02:50:02.762000+00:00 tanium-server-1 Tanium 7020 - [ComplyDeployment-Status---Deployment-5@017472 Installed=true Version=3.0.45 Type=full Installed1=true Version1=8u131-e1 Comply---Has-Latest-Tools=true Count=2
Parsing and Events
Currently, 4 events are parsed - see event types in Resources > Event Types and search for "TaniumConnect-". Users can extend the parser to add other events.

Trend Micro Interscan Web Filter
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration

What is Discovered and Monitored

Protocol: Syslog (CEF format)
Information Discovered: -
Data Collected: 15 event types
Used for: Security and Compliance

Event Types
In RESOURCE > Event Types, search for "TrendMicro-InterscanWeb-".
Sample Event Types:
<130>abc.com: <Mon, 18 Sep 2017 10:00:48,IST> [EVT_URL_BLOCKING|LOG_CRIT] Blocked URL log tk_username=1.1.1.1,tk_date_field=2017-09-18 10:00:48+0530,tk_protocol=https,tk_url=https://google.com:443/,tk_malicious_entity=,tk_file_name=,tk_entity_name=,tk_action=,tk_scan_type=user defined,tk_blocked_by=rule,tk_rule_name=google.com,tk_opp_id=0,tk_group_name=None,tk_category=URL Blocking,tk_uid=0099253425-0ecd0076872a9d0ace16,tk_filter_action=0
<134>abc.com: <Mon, 18 Sep 2017 10:00:48,IST> [EVT_URL_ACCESS_TRACKING|LOG_INFO] Access tracking log tk_username=1.1.1.1,tk_url=http://aaa.com/pc/SHAREitSubscription.xml,tk_size=0,tk_date_field=2017-09-18 10:00:48+0530,tk_protocol=http,tk_mime_content=unknown/unknown,tk_server=abc.com,tk_client_ip=1.1.1.1,tk_server_ip=2.2.2.2,tk_domain=aaa.com,tk_path=pc/SHAREitSubscription.xml,tk_file_name=SHAREitSubscription.xml,tk_operation=GET,tk_uid=0099253421-bdd7d4ce063b924a2342,tk_category=56,tk_category_type=0
<134>abc.com: <Mon, 18 Sep 2017 10:00:59,IST> [EVT_PERFORMANCE|LOG_INFO] Performance log tk_server=abc.com,tk_date_field=2017-09-18 10:00:59+0530,tk_metric_id=Number of FTP Processes,tk_metric_value=6,
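Each sample carries the event name and log level in square brackets after the device's own timestamp, followed by a free-text description and a comma-separated list of tk_-prefixed fields. The script below is an added example (not Fortinet's or Trend Micro's code) that parses the three samples, derives a per-event name from the bracketed token, and pulls out the blocked URLs, which is the field set an analyst wants from a web filter feed. The "TrendMicro-InterscanWeb-" + event-name convention used for `event_type` is an assumption based on the search prefix the guide gives, not FortiSIEM's real event-type names; the tk_ prefix is stripped from field names for readability.

```python
import re

# Constructed input: the three sample events from the guide, each on one line.
SAMPLES = [
    '<130>abc.com: <Mon, 18 Sep 2017 10:00:48,IST> [EVT_URL_BLOCKING|LOG_CRIT] Blocked URL log '
    'tk_username=1.1.1.1,tk_date_field=2017-09-18 10:00:48+0530,tk_protocol=https,'
    'tk_url=https://google.com:443/,tk_malicious_entity=,tk_file_name=,tk_entity_name=,'
    'tk_action=,tk_scan_type=user defined,tk_blocked_by=rule,tk_rule_name=google.com,'
    'tk_opp_id=0,tk_group_name=None,tk_category=URL Blocking,'
    'tk_uid=0099253425-0ecd0076872a9d0ace16,tk_filter_action=0',
    '<134>abc.com: <Mon, 18 Sep 2017 10:00:48,IST> [EVT_URL_ACCESS_TRACKING|LOG_INFO] '
    'Access tracking log tk_username=1.1.1.1,tk_url=http://aaa.com/pc/SHAREitSubscription.xml,'
    'tk_size=0,tk_date_field=2017-09-18 10:00:48+0530,tk_protocol=http,'
    'tk_mime_content=unknown/unknown,tk_server=abc.com,tk_client_ip=1.1.1.1,'
    'tk_server_ip=2.2.2.2,tk_domain=aaa.com,tk_path=pc/SHAREitSubscription.xml,'
    'tk_file_name=SHAREitSubscription.xml,tk_operation=GET,'
    'tk_uid=0099253421-bdd7d4ce063b924a2342,tk_category=56,tk_category_type=0',
    '<134>abc.com: <Mon, 18 Sep 2017 10:00:59,IST> [EVT_PERFORMANCE|LOG_INFO] Performance log '
    'tk_server=abc.com,tk_date_field=2017-09-18 10:00:59+0530,'
    'tk_metric_id=Number of FTP Processes,tk_metric_value=6,',
]

# <PRI>host: <device date> [EVENT|LEVEL] description tk_key=value,tk_key=value,...
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<host>[^:\s]+): <(?P<date>[^>]+)> '
    r'\[(?P<evt>[A-Z0-9_]+)\|(?P<level>[A-Z_]+)\] (?P<desc>.*?) (?P<body>tk_.*)$')
# Values may contain spaces ("Number of FTP Processes"), so split only at the commas
# that introduce the next tk_ key rather than at every comma.
KV_SPLIT_RE = re.compile(r',(?=tk_[A-Za-z0-9_]+=)')

EVENT_PREFIX = 'TrendMicro-InterscanWeb-'   # assumed naming convention, see lead-in


def parse_iwsva(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('unrecognised Interscan line: %r' % line[:60])
    fields = {}
    for pair in KV_SPLIT_RE.split(m['body'].rstrip(',')):   # trailing comma on sample 3
        key, _, value = pair.partition('=')
        fields[key[3:]] = value           # drop the "tk_" prefix; empty values stay ''
    pri = int(m['pri'])
    return {
        'event_type': EVENT_PREFIX + m['evt'],
        'facility': pri >> 3, 'severity': pri & 7,
        'level': m['level'], 'host': m['host'], 'date': m['date'],
        'description': m['desc'], 'fields': fields,
    }


def parse_all(lines):
    return [parse_iwsva(line) for line in lines]


def distinct_event_types(events):
    return sorted({e['event_type'] for e in events})


def blocked_urls(events):
    """(username, url, rule name) for every EVT_URL_BLOCKING event."""
    return [(e['fields'].get('username'), e['fields'].get('url'), e['fields'].get('rule_name'))
            for e in events if e['event_type'].endswith('EVT_URL_BLOCKING')]


if __name__ == '__main__':
    events = parse_all(SAMPLES)
    print(distinct_event_types(events))
    print(blocked_urls(events))
```

Note that LOG_CRIT on the first sample agrees with the syslog PRI (130 = facility 16, severity 2) while the other two carry severity 6 (LOG_INFO); checking that the bracketed level and the PRI severity agree is a cheap way to spot a feed whose PRI has been rewritten by an intermediate relay.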
Rules
There are no specific rules, but generic rules for Web Filters and Generic Servers apply.
Reports
There are no specific reports, but generic reports for Web Filters and Generic Servers apply.

Configuration
Configure TrendMicro Interscan Web Filter to send syslog on port 514 to FortiSIEM.

Trend Micro Intrusion Defense Firewall (IDF)
- What is Discovered and Monitored
- Trend Micro Configuration

What is Discovered and Monitored

Protocol: Syslog
Information Discovered: -
Metrics Collected: -
Used For: -

Trend Micro Configuration
Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
- For Port, enter 514.
- Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Example Syslog
<134>May 31 15:24:34 DSK-FT11XL1 dsa_mpld: REASON=PLD:Disallow_Web_Proxy_Autodiscovery_Protocol REV IN= OUT=Local_Area_Connection MAC=00:26:B9:80:74:71:2C:6B:F5:35:4E:00:08:00 SRC=192.168.20.2 DST=192.168.13.39 LEN=133 PROTO=UDP SPT=53 DPT=58187 CNT=1 act=Reset POS=0 SPOS=0 NOTE=CVE-2007-5355 FLAGS=0

Trend Micro OfficeScan
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: SNMP Trap
Information Discovered: -
Metrics Collected: -
Used For: -

Configuration
SNMP Trap
FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
Example SNMP Trap
2011-04-14 02:17:54 192.168.20.214(via UDP: [192.168.20.214]:45440) TRAP, SNMP v1, community public SNMPv2-SMI::enterprises.6101 Enterprise Specific Trap (5) Uptime: 0:00:00.30 SNMPv2-SMI::enterprises.6101.141 = STRING: "Virus/Malware: Eicar_test_file Computer: SJDEVVWINDB05 Domain: ABC File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yc8eayj0.com Date/Time: 4/10/2008 14:23:26 Result: Virus successfully detected, cannot perform the Clean action (Quarantine) "

Environmental Sensors
FortiSIEM supports these devices for monitoring.
- APC Netbotz Environmental Monitor
- APC UPS
- Generic UPS
- Liebert FPC
- Liebert HVAC
- Liebert UPS

APC Netbotz Environmental Monitor
- What is Monitored and Collected
- Configuration
- Setting Access Credentials

What is Monitored and Collected

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Hardware model, Network interfaces
Metrics collected:
- Temperature: Sensor Id, Sensor label, Enclosure Id, Temperature
- Relative Humidity: Sensor Id, Sensor label, Enclosure Id, Relative Humidity
- Air Flow: Sensor Id, Sensor label, Enclosure Id, Air Flow
- Dew Point Temperature: Sensor Id, Sensor label, Enclosure Id, Dew Point Temperature
- Current: Sensor Id, Sensor label, Enclosure Id, Current
- Audio Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Audio Sensor Reading
- Dry Contact Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Dry Contact Sensor Reading
- Door Switch Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Door Switch Sensor Reading (Open/Close)
- Camera Motion Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Camera Motion Sensor Reading (Motion/No Motion)
- Hardware Status (for NBRK0200): Contact Status, Output Relay Status, Outlet Status, Alarm Device Status, Memory Sensor Status, Memory Output Status, Memory Outlet Status, Memory Beacon Status
- EMS Status (for NBRK0200): EMS Hardware Status, Connection State
- Hardware Probe (for NBRK0200): Sensor Id, Temperature, Relative Humidity, Connection State Code
- Module Sensor (for NBRK0200): Sensor Name, Sensor location, Temperature, Relative Humidity, Connection State Code
Used for: Availability and Performance Monitoring

Protocol: SNMP Trap (V1, V2c)
Information Discovered: -
Metrics collected: See Event Types for more information about viewing the SNMP traps collected by FortiSIEM for this device.
Used for: Availability and Performance Monitoring

Event Types
In ADMIN > Device Support > Event, search for "NetBotz" in the Name column to see the event types associated with this application or device.
Event types for NetBotz NBRK0200
- PH_DEV_MON_HW_STATUS
  [PH_DEV_MON_HW_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=deviceNetBotz.cpp,[lineNumber]=1642,[hostName]=Unknown,[hostIpAddr]=10.62.97.61,[hwStatusCode]=2,[hwProbeStatus]=2,[hwInputContactStatus]=2,[hwOutputRelayStatus]=0,[hwOutletStatus]=2,[hwAlarmDeviceStatus]=0,[hwMemSensorStatus]=0,[hwMemOutputStatus]=2,[hwMemOutletStatus]=2,[hwMemBeaconStatus]=2,[phLogDetail]=
- PH_DEV_MON_HW_EMS_STATUS
  [PH_DEV_MON_HW_EMS_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=deviceNetBotz.cpp,[lineNumber]=1871,[hostName]=Unknown,[hostIpAddr]=10.62.97.61,[reptDevName]=Unknown,[emsHwStatus]=0,[phyMachConnectionStateCode]=2,[hwLogStatus]=1,[phLogDetail]=
- PH_DEV_MON_HW_PROBE
  [PH_DEV_MON_HW_PROBE]:[eventSeverity]=PHL_INFO,[fileName]=deviceNetBotz.cpp,[lineNumber]=2100,[hostName]=Unknown,[hostIpAddr]=10.62.97.61,[envSensorLabel]=Sensor MM:4,[envTempDegF]=74,[envTempHighThreshDegF]=138,[envHumidityRel]=51,[envHumidityRelHighThresh]=90,[envHumidityRelLowThresh]=10,[serialNumber]=L3,[phyMachConnectionStateCode]=3,[maxTempThresh]=140,[minTempThresh]=32,[maxHumidityThresh]=99,[minHumidityThresh]=0,[phLogDetail]=
- PH_DEV_MON_HW_MODULE_SENSOR
  [PH_DEV_MON_HW_MODULE_SENSOR]:[eventSeverity]=PHL_INFO,[fileName]=deviceNetBotz.cpp,[lineNumber]=2567,[hostName]=Unknown,[hostIpAddr]=10.62.97.61,[moduleNumber]=0,[envSensorId]=1,[envSensorLabel]=Sensor MM:1,[envSensorLoc]=Orland Park Server,[envTempDegF]=74,[envHumidityRel]=50,[phyMachConnectionStateCode]=1,[hwAlarmDevicetatus]=1,[phLogDetail]=
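The PH_DEV_MON_HW_PROBE event is the one that carries a reading next to the threshold the NetBotz itself reports for it (envTempDegF against envTempHighThreshDegF, envHumidityRel against its high and low thresholds), so it is the natural input for a threshold check outside the SIEM's rule engine. The script below is an added example, not FortiSIEM code and not part of the guide: it parses the [type]:[attr]=value,... layout of these events and lists every probe whose reading has crossed one of those thresholds. The second and third events in the input are constructed (a hypothetical second unit at 10.62.97.62 with a hot, dry probe); the first is the guide's own sample joined onto one line. The maxTempThresh/minTempThresh and maxHumidityThresh/minHumidityThresh attributes are left out of the check because the guide does not say how they relate to the High/Low thresholds.

```python
import re

# Constructed input: the guide's PH_DEV_MON_HW_PROBE sample (comma-joined) plus two
# constructed events, one from a hypothetical second unit 10.62.97.62 whose readings
# sit outside the thresholds the NetBotz reports, and one MODULE_SENSOR event.
EVENTS = [
    '[PH_DEV_MON_HW_PROBE]:[eventSeverity]=PHL_INFO,[fileName]=deviceNetBotz.cpp,[lineNumber]=2100,'
    '[hostName]=Unknown,[hostIpAddr]=10.62.97.61,[envSensorLabel]=Sensor MM:4,[envTempDegF]=74,'
    '[envTempHighThreshDegF]=138,[envHumidityRel]=51,[envHumidityRelHighThresh]=90,'
    '[envHumidityRelLowThresh]=10,[serialNumber]=L3,[phyMachConnectionStateCode]=3,'
    '[maxTempThresh]=140,[minTempThresh]=32,[maxHumidityThresh]=99,[minHumidityThresh]=0,[phLogDetail]=',
    '[PH_DEV_MON_HW_PROBE]:[eventSeverity]=PHL_INFO,[fileName]=deviceNetBotz.cpp,[lineNumber]=2100,'
    '[hostName]=Unknown,[hostIpAddr]=10.62.97.62,[envSensorLabel]=Sensor MM:1,[envTempDegF]=141,'
    '[envTempHighThreshDegF]=138,[envHumidityRel]=8,[envHumidityRelHighThresh]=90,'
    '[envHumidityRelLowThresh]=10,[serialNumber]=L4,[phyMachConnectionStateCode]=3,[phLogDetail]=',
    '[PH_DEV_MON_HW_MODULE_SENSOR]:[eventSeverity]=PHL_INFO,[fileName]=deviceNetBotz.cpp,'
    '[lineNumber]=2567,[hostName]=Unknown,[hostIpAddr]=10.62.97.61,[moduleNumber]=0,[envSensorId]=1,'
    '[envSensorLabel]=Sensor MM:1,[envSensorLoc]=Orland Park Server,[envTempDegF]=74,'
    '[envHumidityRel]=50,[phyMachConnectionStateCode]=1,[hwAlarmDevicetatus]=1,[phLogDetail]=',
]

EVENT_TYPE_RE = re.compile(r'^\[(?P<type>[A-Z_]+)\]:(?P<attrs>.*)$')
ATTR_RE = re.compile(r'\[(?P<name>[A-Za-z0-9_]+)\]=(?P<value>[^,]*)')

# (reading, threshold attribute, direction) pairs present in the HW_PROBE sample.
PROBE_CHECKS = [
    ('envTempDegF', 'envTempHighThreshDegF', 'above'),
    ('envHumidityRel', 'envHumidityRelHighThresh', 'above'),
    ('envHumidityRel', 'envHumidityRelLowThresh', 'below'),
]


def parse_ph_event(line):
    """Split a FortiSIEM [type]:[attr]=value,... line into (type, {attr: value})."""
    m = EVENT_TYPE_RE.match(line)
    if not m:
        raise ValueError('not a PH_DEV_MON event: %r' % line[:40])
    return m['type'], {a['name']: a['value'] for a in ATTR_RE.finditer(m['attrs'])}


def _num(attrs, name):
    try:
        return float(attrs[name])
    except (KeyError, ValueError):
        return None


def probe_findings(attrs):
    """Return (reading, value, threshold attr, threshold) for every breached threshold."""
    out = []
    for reading, thresh, direction in PROBE_CHECKS:
        value, limit = _num(attrs, reading), _num(attrs, thresh)
        if value is None or limit is None:
            continue                      # probe did not report that pair; nothing to judge
        if (direction == 'above' and value > limit) or (direction == 'below' and value < limit):
            out.append((reading, value, thresh, limit))
    return out


def scan(lines):
    """Map (device IP, sensor label) -> breached thresholds, from HW_PROBE events only."""
    findings = {}
    for line in lines:
        etype, attrs = parse_ph_event(line)
        if etype != 'PH_DEV_MON_HW_PROBE':
            continue                      # STATUS/MODULE_SENSOR events carry no thresholds
        hits = probe_findings(attrs)
        if hits:
            findings[(attrs.get('hostIpAddr'), attrs.get('envSensorLabel'))] = hits
    return findings


if __name__ == '__main__':
    for key, hits in scan(EVENTS).items():
        print(key, hits)
```

The same parser handles the other three event types listed above, since they share the layout; only the threshold logic is specific to PH_DEV_MON_HW_PROBE.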
Rules
In RESOURCE > Rules, search for "NetBotz" in the Name column to see the rules associated with this application or device.
Reports
In RESOURCE > Reports, search for "Netbotz" in the Name column to see the reports associated with this application or device.

Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
SNMP Trap
FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
Setting Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: APC NetBotz
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

APC UPS
- What is Discovered and Monitored
- Configuration
- Setting Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Hardware model, Network interfaces
Metrics collected: UPS metrics: Remaining battery charge, Battery status, Replace battery indicator, Time on battery, Output status, Output load, Output voltage, Output frequency
Used for: Availability and Performance Monitoring

Protocol: SNMP Trap
Information Discovered: -
Metrics collected: -
Used for: Availability and Performance Monitoring

Event Types
In ADMIN > Device Support > Event, search for "apc" in the Device Type column to see the event types associated with this device.
Rules
In RESOURCE > Rules, search for "apc" in the Name column to see the rules associated with this device.
Reports
In RESOURCE > Reports, search for "apc" in the Name column to see the reports associated with this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

SNMP Trap
FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Setting Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: APC UPS
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Generic UPS
- What is Discovered and Monitored
- Configuration
- Setting Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Hardware model, Network interfaces
Metrics collected: UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated Seconds Remaining, Output voltage, Output current, Temperature
Used for: Availability and Performance Monitoring

Configuration
SNMP
Note: UPS-MIB Required. Your device must have a UPS-MIB database to communicate with FortiSIEM over SNMP.
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in "Discovery Settings" and "Setting Credentials" in the User Guide to establish the connection between the device and FortiSIEM, and to initiate the device discovery process.

Setting Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String.

Name: <set name>
Device Type: Generic SNMP
Access Protocol: SNMP
Community String: <your own>

Liebert FPC
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Hardware model, Network interfaces
Metrics collected: Output voltage (X-N, Y-N, Z-N), Output current (X, Y, Z), Neutral Current, Ground current, Output power, Power Factor, Output Frequency, Output Voltage THD (Vx, Vy, Vz), Output Current THD (Lx, Ly, Lz), Output KWh, Output Crest factor (Lx, Ly, Lz), Output K-factor (Lx, Ly, Lz), Output Lx Capacity, Output Ly Capacity
Used for: Availability and Performance Monitoring

Event Types
In ADMIN > Device Support > Event, search for "Liebert FPC" in the Description column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
In RESOURCE > Reports, search for "Liebert FPC" in the Name column to see the reports associated with this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Settings for Access Credentials
Use these Access Method Definition settings to allow FortiSIEM to access your device.

Name: <set name>
Device Type: Liebert FPC
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Liebert HVAC
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Hardware model, Network interfaces
Metrics collected: HVAC metrics: Temperature: current value, upper threshold, lower threshold; Relative Humidity: current value, upper threshold, lower threshold; System state, Cooling state, Heating state, Humidifying state, Dehumidifying state, Economic cycle, Fan state, Heating capacity, Cooling capacity
Used for: Availability and Performance Monitoring

FortiSIEM uses SNMP to discover and collect metrics from Generic UPS devices. This requires the presence of UPS-MIB on the UPS device.
See the Liebert HVAC documentation to enable FortiSIEM to poll the device via SNMP.

Event Types
In ADMIN > Device Support > Event, search for "Liebert HVAC" in the Description column to see the event types associated with this device.

Rules
There are no predefined rules for this device.

Reports
In RESOURCE > Reports, search for "Liebert HVAC" in the Name column to see the reports associated with this device.

Configuration
SNMP
Note: UPS-MIB Required. Your device must have a UPS-MIB database to communicate with FortiSIEM.

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your device.

Name: <set name>
Device Type: Liebert HVAC
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Access Credentials

Liebert UPS
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Hardware model, Network interfaces
Metrics collected: UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated Seconds Remaining, Output voltage, Output current, Temperature
Used for: Availability and Performance Monitoring

Event Types
There are no event types defined specifically for this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
SNMP
Note: UPS-MIB Required. Your device must include a UPS-MIB database to communicate with FortiSIEM.
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Settings for Access Credentials
Use these Access Method Definition settings to allow FortiSIEM to access your device.

Name: <set name>
Device Type: Liebert UPS
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Firewalls
FortiSIEM supports these firewalls for discovery and monitoring.
- Check Point FireWall-1
- Check Point Provider-1
- CLM for Check Point Provider-1
- CMA for Check Point Provider-1
- MDS for Check Point Provider-1
- MLM for Check Point Provider-1
- Check Point VSX
- Cisco Adaptive Security Appliance (ASA)
- Clavister Firewall
- Cyberoam Firewall
- Dell SonicWALL
- Fortinet FortiGate Firewall
- Imperva Securesphere Web App Firewall
- Juniper Networks SSG
- McAfee Firewall Enterprise (Sidewinder)
- Palo Alto
- Sophos UTM
- WatchGuard Firebox

Check Point FireWall-1
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Firewall model and version, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
Used for: Availability and Performance Monitoring

Protocol: LEA
Information Discovered: -
Metrics collected: All traffic and system logs
Used for: Security and Compliance

Event Types
In ADMIN > Device Support > Event, search for "firewall-1" in the Device Type column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

LEA
Add FortiSIEM as a Managed Node
1. Log in to your Check Point SmartDomain Manager.
2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
3. Select the Firewall tab.
4. Click the Network Objects icon.
5. Select Nodes, and then right-click to select Node > Host... .
6. Select General Properties.
7. Enter a Name for your FortiSIEM host, like FortiSIEMVA.
8. Enter the IP Address of your FortiSIEM virtual appliance.
9. Click OK.
Create an OPSEC Application for FortiSIEM
1. In the Firewall tab, click the Servers and OPSEC icon.
2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
3. Click the General tab.
4. Enter a Name for your OPSEC application, like OPSEC_FortiSIEMVA.
5. For Host, select the FortiSIEM host.
6. Under Client Entities, select LEA and CPMI. For Check Point FireWall-1, also select SNMP.
7. Click Communication.
8. Enter a one-time password. This is the password you will use in setting up access credentials for your firewall in FortiSIEM.
9. Click Initialize.
10. Close and re-open the application.
11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_FortiSIEMVA,0=MDS..i6g4zq. This is the FortiSIEM Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in FortiSIEM.
Create a Firewall Policy for FortiSIEM
1. In Servers and Opsec > OPSEC Applications, select your FortiSIEM application.
2. In the Rules menu, select Top.
3. Right-click SOURCE, then click Add and select your FortiSIEM virtual appliance.
4. Right-click DESTINATION, then click Add and select your Check Point firewall.
5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI. Also select snmp if you are configuring a Check Point FireWall-1 firewall.
6. Right-click ACTION and select Accept.
7. Right-click TRACK and select Log.

8. Go to Policy > Install.
9. Click OK.
10. Go to OPSEC Applications and select your FortiSIEM application.
11. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and FortiSIEM.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Checkpoint Firewall-1
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Check Point Provider-1 Firewall
- What is Discovered and Monitored
- Configuration Overview

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Firewall model and version, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
Used for: Availability and Performance Monitoring

Protocol: LEA
Information Discovered: -
Metrics collected: All traffic and system logs
Used for: Security and Compliance

Event Types
There are no event types defined specifically for this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration Overview
The configuration of Check Point Provider-1 depends on the type of log that you want sent to FortiSIEM. There are two options:
- Domain level audit logs, which contain information such as domain creation, editing, etc.
- Firewall logs, which include both audit logs for firewall policy creation, editing, etc., and traffic logs.
These logs are generated and stored among four different components:
- Multi-Domain Server (MDS), where domains are configured and certificates have to be generated.
- Multi-Domain Log Module (MLM), where domain logs are stored.
- Customer Management Add-on (CMA), the customer management module.
- Customer Log Module (CLM), which consolidates logs for an individual customer/domain.
Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.
Component Configuration for Domain-Level Audit Logs
1. Configure MDS.
2. Use the Client SIC obtained while configuring MDS to configure MLM.
3. Pull logs from MLM.
Component Configuration for Firewall Logs
1. Configure CMA.
2. Use the Client SIC obtained while configuring CMA to configure CLM.
3. Pull logs from CLM.
If you want to pull firewall logs from a domain, you have to configure CLM for that domain. See these topics for instructions on how to configure each component for Check Point Provider-1 firewalls.
- Configuring MDS for Check Point Provider-1 Firewalls
- Configuring MLM for Check Point Provider-1 Firewalls
- Configuring CMA for Check Point Provider-1 Firewalls
- Configuring CLM for Check Point Provider-1 Firewalls

Configuring CMA for Check Point Provider-1 Firewalls
The Check Point Provider-1 Customer Management Add-On (CMA) creates logs that are then consolidated by the Customer Log Module (CLM). If you want the CLM to send logs to FortiSIEM, you must first configure the CMA and obtain the AO Client SIC to configure access credentials for communication between the CLM and FortiSIEM.
- Configuration
- Settings for Access Credentials
Discover Paired Components on the Same Collector or Supervisor
Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.
Configuration
Get CMA Server SIC for Setting Up FortiSIEM Access Credentials
1. Log in to your Check Point SmartDomain Manager.
2. Click the General tab.
3. Select Domain Contents.
4. Select the Domain Management Server and right-click to select Launch Application > Smart Dashboard.
5. Select the Desktop tab.
6. Select the Network Objects icon.
7. Double-click on the Domain Management Server to view the General Properties dialog.
8. Click Test SIC Status... . Note the value for DN. You will use this for the CMA Server SIC setting when creating the access credentials for FortiSIEM to access your CMA server.
Add FortiSIEM as a Managed Node
1. Log in to your Check Point SmartDomain Manager.
2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
3. Select the Firewall tab.
4. Click the Network Objects icon.
5. Select Nodes, and then right-click to select Node > Host... .
6. Select General Properties.
7. Enter a Name for your FortiSIEM host, like FortiSIEMVA.
8. Enter the IP Address of your FortiSIEM virtual appliance.
9. Click OK.

Create an OPSEC Application for FortiSIEM
1. In the Firewall tab, click the Servers and OPSEC icon.
2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
3. Click the General tab.
4. Enter a Name for your OPSEC application, like OPSEC_FortiSIEMVA.
5. For Host, select the FortiSIEM host.
6. Under Client Entities, select LEA and CPMI. For Check Point FireWall-1, also select SNMP.
7. Click Communication.
8. Enter a one-time password. This is the password you will use in setting up access credentials for your firewall in FortiSIEM.
9. Click Initialize.
10. Close and re-open the application.
11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_FortiSIEMVA,0=MDS..i6g4zq. This is the FortiSIEM Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in FortiSIEM.
Create a Firewall Policy for FortiSIEM
1. In Servers and Opsec > OPSEC Applications, select your FortiSIEM application.
2. In the Rules menu, select Top.
3. Right-click SOURCE, then click Add and select your FortiSIEM virtual appliance.
4. Right-click DESTINATION, then click Add and select your Check Point firewall.
5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI. Also select snmp if you are configuring a Check Point FireWall-1 firewall.
6. Right-click ACTION and select Accept.
7. Right-click TRACK and select Log.
8. Go to Policy > Install.
9. Click OK.
10. Go to OPSEC Applications and select your FortiSIEM application.
11. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and FortiSIEM.
You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Settings for Access Credentials
Settings for Check Point Provider-1 Firewall CLA SSLCA Access Credentials
Use these Access Method Definition settings to allow FortiSIEM to access your Check Point Provider-1 Firewall CMA. When you complete the access credentials, click Generate Certificate to establish access between your firewall and FortiSIEM.

Name: CMA
Device Type: Checkpoint Provider-1 CMA
Access Protocol: CheckPoint SSLCA
CMA IP: The IP address of your server
Checkpoint LEA Port: The port used by LEA on your server
AO Client SIC: The DN of your FortiSIEM OPSEC application
CMA Server SIC: The DN of your server
CPMI Port: The port used by CPMI on your server
Activation Key: The password you used in creating your OPSEC application

Configuring CLM for Check Point Provider-1 Firewalls
- Prerequisites
- Configuration
- Settings for Access Credentials
Prerequisites
- You must first configure and discover the Check Point CLA and obtain the AO Client SIC before you can configure the Customer Log Module (CLM). The AO Client SIC is generated when you create the FortiSIEM OPSEC application.
Discover Paired Components on the Same Collector or Supervisor
Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.
Configuration
Get CLM Server SIC for Creating FortiSIEM Access Credentials
1. Log in to your Check Point SmartDomain Manager.
2. Click the General tab.
3. Select Domain Contents.
4. Select the Domain Management Server and right-click to select Launch Application > Smart Dashboard.
5. Select the Desktop tab.
6. Click the Network Objects icon.
7. Under Check Point, select the CLM host and double-click to open the General Properties dialog.
8. Under Secure Internal Communication, click Test SIC Status... .
9. In the SIC Status dialog, note the value for DN. This is the CLM Server SIC that you will use in setting up access credentials for the CLM in FortiSIEM.
10. Click Close.
11. Click OK.
Install the Database
1. In the Actions menu, select Policy > Install Database... .
2. Select the MDS Server and the CLM, and then click OK. The database will install in both locations.
You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Settings for Access Credentials
Settings for Check Point Provider-1 Firewall CLM SSLCA Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your Check Point Provider-1 Firewall CMA. When you complete the access credentials, click Generate Certificate to establish access between your firewall and FortiSIEM.

Name: CLM
Device Type: Checkpoint Provider-1 CLM
Access Protocol: CheckPoint SSLCA
CLM IP: The IP address of the host where your CLM is located
Checkpoint LEA Port: The port used by LEA on your server
AO Client SIC: The DN number of your FortiSIEM OPSEC application
CLM Server SIC: The DN number of your server
CPMI Port: The port used by CPMI on your server
CMA IP: The IP address of the host where your CMA is located

Configuring MDS for Check Point Provider-1 Firewalls
l Configuration
l Settings for Access Credentials
The Check Point Provider-1 firewall Multi-Domain Server (MDS) is where domains are configured and certificates are generated for communicating with FortiSIEM. If you want to have domain logs from the Multi-Domain Log Module (MLM) sent from your firewall to FortiSIEM, you must first configure and discover MDS, then use the AO Client SIC created for your FortiSIEM OPSEC application to configure the access credentials for MLM.
Discover Paired Components on the Same Collector or Supervisor
Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.
Configuration
Get the MDS Server SIC for FortiSIEM Access Credentials
You will use the MDS Server SIC to create access credentials in FortiSIEM for communicating with your server.
1. Log in to your Check Point SmartDomain Manager.
2. Select Multi-Domain Server Contents.
3. Select MDS, and then right-click to select Configure Multi-Domain Server... .
4. In the General tab, under Secure Internal Communication, note the value for DN.
Add FortiSIEM as a Managed Node
1. Log in to your Check Point SmartDomain Manager.
2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
3. Select the Firewall tab.
4. Click the Network Objects icon.
5. Select Nodes, and then right-click to select Node > Host... .
6. Select General Properties.
7. Enter a Name for your FortiSIEM host, like FortiSIEMVA.
8. Enter the IP Address of your FortiSIEM virtual appliance.
9. Click OK.
Create an OPSEC Application for FortiSIEM
1. In the Firewall tab, click the Servers and OPSEC icon.
2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
3. Click the General tab.
4. Enter a Name for your OPSEC application, like OPSEC_FortiSIEMVA.
5. For Host, select the FortiSIEM host.
6. Under Client Entities, select LEA and CPMI. For Check Point FireWall-1, also select SNMP.
7. Click Communication.
8. Enter a one-time password.
This is the password you will use in setting up access credentials for your firewall in FortiSIEM.
9. Click Initialize.
10. Close and re-open the application.
11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_FortiSIEMVA,O=MDS..i6g4zq. This is the FortiSIEM Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in FortiSIEM.
Create a Firewall Policy for FortiSIEM
1. In Servers and Opsec > OPSEC Applications, select your FortiSIEM application.
2. In the Rules menu, select Top.
3. Right-click SOURCE, then click Add and select your FortiSIEM virtual appliance.
4. Right-click DESTINATION, then click Add and select your Check Point firewall.
5. Right-click SERVICE, then click Add and select FW1_lea and CPMI. Also select snmp if you are configuring a Check Point FireWall-1 firewall.
6. Right-click ACTION and select Accept.
7. Right-click TRACK and select Log.
8. Go to Policy > Install.
9. Click OK.
10. Go to OPSEC Applications and select your FortiSIEM application.
11. In the General tab of the Properties window, make sure that communication has been enabled between your firewall and FortiSIEM.
Copy Secure Internal Communication (SIC) certificates
Copy Client SIC
1. Go to Manage > Server and OPSEC Applications.
2. Select OPSEC Application and then right-click to select accelops.
3. Click Edit.
4. Enter the SIC DN of your application.
Copy Server SIC
1. In the Firewall tab, go to Manage.
2. Click the Network Object icon, and then right-click to select Check Point Gateway.
3. Click Edit.
4. Enter the SIC DN.
5. If there isn't a field to enter the SIC DN, click Test SIC Status and a dialog will display the SIC DN.
You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials
Settings for Check Point Provider-1 Firewall SSLCA Access Credentials
Use these Access Method Definition settings to allow FortiSIEM to access your Check Point Provider-1 Firewall MDS. When you complete the access credentials, click Generate Certificate to establish access between your firewall and FortiSIEM.

Name: MDS
Device Type: Checkpoint Provider-1 MDS
Access Protocol: CheckPoint SSLCA
MDS IP: The IP address of your server
Checkpoint LEA Port: The port used by LEA on your server
AO Client SIC: The DN number of your FortiSIEM OPSEC application
MDS Server SIC: The DN number of your server
Password: The password associated with the administrative user
CPMI Port: The port used by CPMI on your server
Activation Key: The password you used in creating your OPSEC application

1. Generate a certificate for MDS communication in FortiSIEM.
a. Configure the Checkpoint Provider-1 MDS credential using the settings in the table above. The Activation Key is the one-time password you entered in Create an OPSEC Application for FortiSIEM, the AO Client SIC was generated in Create an OPSEC Application for FortiSIEM, and the MDS Server SIC was obtained in Get the MDS Server SIC for FortiSIEM Access Credentials.
b. Click Generate Certificate. It should be successful. Note that the button will be labeled Regenerate Certificate if you have already generated the certificate once.

Configuring MLM for Check Point Provider-1 Firewalls
l Prerequisites
l Configuration
l Settings for Access Credentials
Prerequisites
l You must configure and discover your Check Point Provider-1 MDS before you configure the Multi-Domain Log Module (MLM). You will need the AO Client SIC that was generated when you created your FortiSIEM OPSEC application in the MDS to set up the access credentials for your MLM in FortiSIEM.
Discover Paired Components on the Same Collector or Supervisor
Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.
Configuration
Get MLM Server SIC for Setting Up FortiSIEM Access Credentials
1. Log in to your Check Point SmartDomain Manager.
2. In the General tab, click Multi-Domain Server Contents.
3. Right-click MLM and select Configure Multi-Domain Server... .
4. Next to Communication, note the value for DN.
You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Settings for Access Credentials
Settings for Check Point Provider-1 MLM SSLCA Access Credentials
Use these Access Method Definition settings to allow FortiSIEM to access your Check Point MLM over SSLCA.

Name: MLM
Device Type: Checkpoint Provider-1 MLM
Access Protocol: CheckPoint SSLCA
MLM IP: The IP address of your module
Checkpoint LEA Port: The port used by LEA on your server
AO Client SIC: The DN number of your FortiSIEM OPSEC application
MLM Server SIC: The DN number of your MLM
CPMI Port: The port used by CPMI on your server
MDS IP: The IP address of your MDS server


Check Point VSX Firewall
l What is Discovered and Monitored
l Configuration
l Settings for Access Credentials

What is Discovered and Monitored

FortiSIEM uses SNMP and LEA to discover the device and to collect logs, configurations and performance metrics.

Protocol: SNMP
Information Discovered: Host name, Firewall model and version, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
Used for: Availability and Performance Monitoring

Protocol: LEA
Metrics collected: All traffic and system logs
Used for: Security and Compliance

Event Types
There are no event types defined specifically for this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

LEA
Add FortiSIEM as a Managed Node
1. Log in to your Check Point SmartDomain Manager.
2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
3. Select the Firewall tab.
4. Click the Network Objects icon.
5. Select Nodes, and then right-click to select Node > Host... .
6. Select General Properties.
7. Enter a Name for your FortiSIEM host, like FortiSIEMVA.
8. Enter the IP Address of your FortiSIEM virtual appliance.
9. Click OK.
Create an OPSEC Application for FortiSIEM
1. In the Firewall tab, click the Servers and OPSEC icon.
2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
3. Click the General tab.
4. Enter a Name for your OPSEC application, like OPSEC_FortiSIEMVA.
5. For Host, select the FortiSIEM host.
6. Under Client Entities, select LEA and CPMI. For Check Point FireWall-1, also select SNMP.
7. Click Communication.
8. Enter a one-time password.
This is the password you will use in setting up access credentials for your firewall in FortiSIEM.
9. Click Initialize.
10. Close and re-open the application.
11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_FortiSIEMVA,O=MDS..i6g4zq. This is the FortiSIEM Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in FortiSIEM.
Create a Firewall Policy for FortiSIEM
1. In Servers and Opsec > OPSEC Applications, select your FortiSIEM application.
2. In the Rules menu, select Top.
3. Right-click SOURCE, then click Add and select your FortiSIEM virtual appliance.
4. Right-click DESTINATION, then click Add and select your Check Point firewall.
5. Right-click SERVICE, then click Add and select FW1_lea and CPMI. Also select snmp if you are configuring a Check Point FireWall-1 firewall.
6. Right-click ACTION and select Accept.
7. Right-click TRACK and select Log.
8. Go to Policy > Install.
9. Click OK.
10. Go to OPSEC Applications and select your FortiSIEM application.
11. In the General tab of the Properties window, make sure that communication has been enabled between your firewall and FortiSIEM.
Copy Client SIC
1. Go to Manage > Server and OPSEC Applications.
2. Select OPSEC Application and then right-click to select accelops.
3. Click Edit.
4. Enter the SIC DN of your application.
Copy Server SIC
1. In the Firewall tab, go to Manage.
2. Click the Network Object icon, and then right-click to select Check Point Gateway.
3. Click Edit.
4. Enter the SIC DN.
5. If there isn't a field to enter the SIC DN, click Test SIC Status and a dialog will display the SIC DN.
You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Checkpoint VSX
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Cisco Adaptive Security Appliance (ASA)
l What is Discovered and Monitored
l Configuration
l Settings for Access Credentials
What is Discovered and Monitored

Protocol: SNMP (V1, V2c, V3)
Information Discovered: Host name, Hardware model, Network interfaces, Hardware component details: serial number, model, manufacturer, software and firmware versions of components such as fan, power supply, network cards etc., Operating system version, SSM modules such as IPS
Metrics collected: Uptime, CPU and Memory utilization, Free processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
Used for: Availability and Performance Monitoring

Protocol: SNMP (V1, V2c, V3)
Metrics collected: Hardware health: temperature, fan and power supply status
Used for: Availability and Performance Monitoring

Protocol: SNMP (V1, V2c, V3)
Information Discovered: OSPF connectivity, neighbors, state, OSPF Area
Metrics collected: OSPF state change
Used for: Routing Topology, Availability Monitoring

Protocol: SNMP (V1, V2c, V3)
Metrics collected: IPSec VPN Phase 1 tunnel metrics: local and remote VPN IP addresses, Tunnel status, Tunnel Uptime, Received/Sent BitsPerSec, Received/Sent Packets, Received/Sent Dropped Packets, Received/Sent Rejected Exchanges, Received/Sent Invalid Exchanges, Invalid Received Pkt Dropped, Received Exchanges Rejected, Received Exchanges Invalid. IPSec VPN Phase 2 tunnel metrics: local and remote VPN IP addresses, Tunnel status, Tunnel Uptime, Received/Sent BitsPerSec, Received/Sent Packets, Received/Sent Dropped Packets, Received/Sent Auth Failed, Sent Encrypted Failed, Received Decrypt Failed, Received Replay Failed
Used for: Performance Monitoring

Protocol: Telnet/SSH
Information Discovered: Running and startup configuration, Interface security levels, Routing tables, Image file name, Flash memory size
Metrics collected: Startup configuration change, delta between running and startup configuration
Used for: Performance Monitoring, Security and Compliance

Protocol: Telnet/SSH
Information Discovered: Virtual context for multi-context firewalls, ASA interface security levels needed for setting source and destination IP address in syslog based on interface security level comparisons, ASA name mappings from IP addresses to locally unique names needed for converting names in syslog to IP addresses
Used for: Security and Compliance

Protocol: Netflow (V9)
Information Discovered: Open server ports
Metrics collected: Traffic logs (for ASA 8.x and above)
Used for: Security and Compliance

Protocol: Syslog
Information Discovered: Device type
Metrics collected: All traffic and system logs
Used for: Security and Compliance

Event Types
In ADMIN > Device Support > Event, search for "asa" in the Device Type column to see the event types associated with this device.
Rules
In RESOURCE > Rules, search for "asa" in the Description column to see the rules associated with this device.
Reports
In RESOURCE > Reports, search for "asa" in the Description column to see the reports associated with this device.
Configuration
l Don't Configure SNMP Trap: Don't configure ASA to send logs via SNMP trap, as FortiSIEM doesn't parse them.
Check Security Levels
Make sure interface security levels are appropriately set in FortiSIEM. In your FortiSIEM Supervisor, go to CMDB > Devices > Network Device > Firewall and select your firewall. Click the Interface tab, and make sure that the inside security level is 100, outside is 0 and other interfaces are in between. This information can either be discovered via SSH or entered manually after SNMP discovery. Without correct security level information, ASA traffic built and teardown logs can not be parsed correctly (they may not have correct source and destination addresses and ports).
SNMP
1. Log in to your ASA with administrative privileges.
2. Configure SNMP with this command:
snmp-server host <ASA Interface name> <FortiSIEM IP> poll community <community string>
Syslog
1. Log in to your ASA with administrative privileges.
2. Enter configuration mode (config terminal).
3. Enter the following commands:
no names
logging enable
logging timestamp
logging monitor errors
logging buffered errors
logging trap debugging
logging debug-trace
logging history errors
logging asdm errors
logging mail emergencies
logging facility 16
logging host <ASA interface name> <FortiSIEM IP>
Sample Cisco ASA Syslog
<134>Nov 28 2007 17:20:48: %ASA-6-302013: Built outbound TCP connection 76118 for outside:207.68.178.45/80 (207.68.178.45/80) to inside:192.168.20.31/3530 (99.129.50.157/5967)
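An added example (not FortiSIEM code) that applies the interface security-level comparison described under Check Security Levels to the sample %ASA-6-302013 message above: it parses the Built connection message, decodes the syslog PRI (facility 16 as configured above), and assigns source and destination from the interface levels, failing explicitly when a level is unknown or ambiguous instead of producing a wrong record. SECURITY_LEVELS and the second (inbound) sample line are constructed; the direction semantics assumed are Cisco's, where an outbound connection is initiated from the higher-security interface.

```python
"""Added example (not FortiSIEM code): parse Cisco ASA %ASA-6-302013/302015 "Built"
connection messages and resolve source versus destination from interface security
levels, the comparison this section says FortiSIEM needs for ASA traffic logs."""
import re

# Constructed security-level table, following the guidance above:
# inside = 100, outside = 0, other interfaces in between.
SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}

# First line is the sample event from this page; the second is constructed.
SAMPLE_OUTBOUND = ("<134>Nov 28 2007 17:20:48: %ASA-6-302013: Built outbound TCP connection 76118 "
                   "for outside:207.68.178.45/80 (207.68.178.45/80) "
                   "to inside:192.168.20.31/3530 (99.129.50.157/5967)")
SAMPLE_INBOUND = ("<134>%ASA-6-302013: Built inbound TCP connection 42 "
                  "for outside:198.51.100.7/51000 (198.51.100.7/51000) "
                  "to dmz:192.0.2.10/443 (203.0.113.5/443)")

# Layout: Built <direction> <proto> connection <id> for <if>:<real>/<port> (<mapped>/<port>)
#         to <if>:<real>/<port> (<mapped>/<port>)
# The timestamp is only present when 'logging timestamp' is configured (see above).
BUILT_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>.+?): )?"
    r"%ASA-(?P<sev>\d)-(?P<msgid>30201[35]): "
    r"Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) "
    r"for (?P<if1>[^:]+):(?P<ip1>[\d.]+)/(?P<port1>\d+) \((?P<mip1>[\d.]+)/(?P<mport1>\d+)\) "
    r"to (?P<if2>[^:]+):(?P<ip2>[\d.]+)/(?P<port2>\d+) \((?P<mip2>[\d.]+)/(?P<mport2>\d+)\)$"
)


class SecurityLevelError(ValueError):
    """Security levels are missing or equal, so src/dst cannot be assigned reliably."""


def decode_pri(pri: int) -> tuple:
    """Split the syslog PRI into (facility, severity): <134> -> (16, 6), i.e. local0.info."""
    return pri // 8, pri % 8


def parse_asa_built(line: str, levels: dict) -> dict:
    """Return a normalized record with the initiator as src and the responder as dst."""
    m = BUILT_RE.match(line)
    if not m:
        raise ValueError("not an ASA Built connection message")
    g = m.groupdict()
    endpoints = [
        (g["if1"], g["ip1"], int(g["port1"]), g["mip1"], int(g["mport1"])),
        (g["if2"], g["ip2"], int(g["port2"]), g["mip2"], int(g["mport2"])),
    ]
    for iface, *_ in endpoints:
        if iface not in levels:
            raise SecurityLevelError(f"no security level known for interface {iface!r}")
    lvl1, lvl2 = levels[endpoints[0][0]], levels[endpoints[1][0]]
    if lvl1 == lvl2:
        raise SecurityLevelError("equal security levels: direction is ambiguous")
    high, low = (endpoints[0], endpoints[1]) if lvl1 > lvl2 else (endpoints[1], endpoints[0])
    # Assumed Cisco semantics: an outbound connection is initiated from the
    # higher-security interface, an inbound one from the lower-security interface.
    src, dst = (high, low) if g["direction"] == "outbound" else (low, high)
    facility, severity = decode_pri(int(g["pri"]))
    return {
        "facility": facility, "severity": severity, "msg_id": g["msgid"],
        "proto": g["proto"], "conn_id": int(g["conn_id"]), "direction": g["direction"],
        "src_if": src[0], "src_ip": src[1], "src_port": src[2],
        "src_mapped_ip": src[3], "src_mapped_port": src[4],
        "dst_if": dst[0], "dst_ip": dst[1], "dst_port": dst[2],
        "dst_mapped_ip": dst[3], "dst_mapped_port": dst[4],
    }


if __name__ == "__main__":
    for sample in (SAMPLE_OUTBOUND, SAMPLE_INBOUND):
        r = parse_asa_built(sample, SECURITY_LEVELS)
        print(f"{r['direction']}: {r['src_if']} {r['src_ip']}:{r['src_port']} "
              f"-> {r['dst_if']} {r['dst_ip']}:{r['dst_port']}")
```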
SSH
1. Log in to your ASA with administrative privileges.
2. Configure SSH with this command:
ssh <FortiSIEM IP> <FortiSIEM IP netmask> <ASA interface name>

Telnet
1. Log in to your ASA with administrative privileges.
2. Configure Telnet with this command:
telnet <FortiSIEM IP> <FortiSIEM IP netmask> <ASA interface name>
Commands Used During Telnet/SSH Communication
The following commands are used for discovery and performance monitoring via SSH. Make sure that the accounts associated with the ASA access credentials you set up in FortiSIEM have permission to execute these commands.
Critical Commands
It is critical to have the no names and logging timestamp commands in the configuration, or logs will not be parsed correctly.
1. show startup-config
2. show running-config
3. show version
4. show flash
5. show context
6. show ip route
7. enable
8. terminal pager 0
9. terminal length 0
NetFlow
NetFlow is an optimized protocol for collecting high volume traffic logs. You should configure NetFlow with ASDM, the ASA device manager.
Set Up FortiSIEM as a NetFlow Receiver
1. Log in to ASDM.
2. Go to Configuration > Device Management > Logging > Netflow.
3. Under Collectors, click Add.
4. For Interface, select the ASA interface over which NetFlow will be sent to FortiSIEM.
5. For IP Address or Host Name, enter the IP address or host name of the FortiSIEM virtual appliance that will receive the NetFlow logs.
6. For UDP Port, enter 2055.
7. Click OK.
8. Select Disable redundant syslog messages.
This prevents the NetFlow-equivalent events from also being sent via syslog.
9. Click Apply.


Create a NetFlow Service Policy
1. Go to Configuration > Firewall > Service Policy Rules.
2. Click Add.
The Service Policy Wizard will launch.
3. Select Global - apply to all interfaces, and then click Next.
4. For Traffic Match Criteria, select Source and Destination IP Address, and then click Next.
5. For Source and Destination, select Any, and then click Next.
6. For Flow Event Type, select All.
7. For Collectors, select the FortiSIEM virtual appliance IP address.
8. Click OK.
Configure the Template Refresh Rate
This is an optional step. The template refresh rate is the number of minutes between sending a template record to FortiSIEM. The default is 30 minutes, and in most cases this is sufficient. Since flow templates are dynamic, FortiSIEM cannot process a flow until it knows the details of the corresponding template. This command may not always be needed, but if flows are not showing up in FortiSIEM, even if tcpdump indicates that they are, this is worth trying.
flow-export template timeout-rate 1
You can find out more about configuring NetFlow in the Cisco support forum.

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String.

Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>

Telnet Access Credentials for All Devices

These are the generic settings for providing Telnet access to your device from FortiSIEM.

Name: Telnet-generic
Device Type: generic
Access Protocol: Telnet
Port: 23
User Name: A user who has permission to access the device over Telnet
Password: The password associated with the user

SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Name: ssh-generic
Device Type: Generic
Access Protocol: SSH
Port: 22
User Name: A user who has access credentials for your device over SSH
Password: The password for the user


Clavister Firewall

Integration Points

Method: syslog
Information discovered: Host name, Reporting IP
Metrics collected: None
LOGs collected: Connection permit and deny, system events
Used for: Security monitoring

Event Types
In ADMIN > Device Support > Event, Search for "Clavister" to see the event types associated with this device.
Rules
No specific rules are written for Clavister firewall but generic firewall rules will apply.
Reports
No specific reports are written for Clavister firewall but generic firewall reports will apply.
Configuration
Configure Clavister firewall to send logs to FortiSIEM in the supported format (see Sample Events below).
Settings for Access Credentials
None required
Sample Events
<134>[2016-04-26 16:10:07] EFW: CONN: prio=1 id=00600005 rev=1 event=conn_close_natsat action=close rule=if3_net_nat_out conn=close connipproto=TCP connrecvif=If3 connsrcip=192.168.99.13 connsrcport=43347 conndestif=If1 conndestip=1.1.1.1 conndestport=443 connnewsrcip=1.1.1.2 connnewsrcport=65035 connnewdestip=1.1.1.1 connnewdestport=443 origsent=1395 termsent=5763 conntime=83
<134>[2016-04-26 16:10:11] EFW: ALG: prio=1 id=00200001 rev=1 event=alg_session_open algmod=ftp algsesid=95238 connipproto=TCP connrecvif=If1 connsrcip=1.1.1.3 connsrcport=59576 conndestif=core conndestip=1.1.1.4 conndestport=21 origsent=100 termsent=44
<134>[2016-04-26 16:10:05] EFW: IPSEC: prio=1 id=01800211 rev=2 event=reconfig_IPsec action=ipsec_reconfigured


Cyberoam Firewall
l Integration Points
l Configuration
l Setting for Access Credentials
l Sample Events

Integration Points

Method: Syslog
Information discovered: Host name, Reporting IP
Metrics collected: None
LOGs collected: Connection permit and deny, Security system events, malware events monitoring

Event Types
In ADMIN > Device Support > Event, search for "Cyberoam-" to see the event types associated with this device.
Rules
No specific rules are written for Cyberoam firewall but generic firewall rules will apply.
Reports
No specific reports are written for Cyberoam firewall but generic firewall reports will apply.
Configuration
Configure Cyberoam firewall to send logs to FortiSIEM in the supported format (see Sample Events ).
Settings for Access Credentials
None required.
Sample Events
<30>date=2019-07-10 time=11:06:48 timezone="GMT" device_name="CR50iNG" device_id=C162213098933-QQ6REI log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=12 user_name="" user_gp="" iap=1 ips_policy_id=0 appfilter_policy_id=1 application="" application_risk=0 application_technology="" application_category="" in_interface="PortA" out_interface="" src_mac=00: 0:00: 0:10: 0 src_ip=10.0.70.17 src_country_code=AP dst_ip=1.1.1.1 dst_country_code=IRL protocol="TCP" src_port=61244 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip=10.0.0.13 tran_dst_port=8080 srczonetype="LAN" srczone="ZONE1" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="3340934816" vconnid=""


Dell SonicWALL Firewall
l What is Discovered and Monitored
l Configuration
l Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Hardware model, Network interfaces, Operating system version
Metrics collected: CPU Utilization, Memory utilization and Firewall Session Count
Used for: Availability and Performance Monitoring

Protocol: Syslog
Information Discovered: Device type
Metrics collected: All traffic and system logs
Used for: Availability, Security and Compliance

Event Types
In ADMIN > Device Support > Event, search for "sonicwall" in the Device Type column to see the event types associated with Dell SonicWALL firewalls.
Rules
There are no predefined rules for Dell SonicWALL firewalls.
Reports
There are no predefined reports for Dell SonicWALL firewalls.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
l Dell SonicWALL Firewall Administrator's Guide (PDF)


Syslog
1. Log in to your SonicWALL appliance.
2. Go to Log > Syslog. Keep the default settings.
3. Under Syslog Servers, click Add. The Syslog Settings wizard will open.
4. Enter the IP Address of your FortiSIEM Supervisor or Collector. Keep the default Port setting of 514.
5. Click OK.
6. Go to Firewall > Access Rules.
7. Select the rule that you want to use for logging, and then click Edit.
8. In the General tab, select Enable Logging, and then click OK. Repeat for each rule that you want to enable for sending syslog to FortiSIEM.
Your Dell SonicWALL firewall should now send syslog to FortiSIEM.

Example Syslog
Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
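The Clavister, Cyberoam and Dell SonicWALL sample events above are all key=value syslog, differing only in prefix and field names. This added example (not FortiSIEM or vendor code) tokenizes that format once and maps the three vendors onto one connection record, so the same detection logic can run over any of them; it tolerates quoted values with spaces, empty values such as Cyberoam's tran_src_ip=, and events with no connection fields at all. The inputs are constructed, trimmed from the page's samples, and the vendor-detection heuristics (the EFW: prefix, device_name plus log_type, id=firewall plus sn) are assumptions.

```python
"""Added example (not FortiSIEM or vendor code): one parser for the key=value syslog
formats in the Clavister, Cyberoam and Dell SonicWALL sample events above, normalized
to a vendor-neutral connection record."""
import re

# key=value tokens; quoted values may contain spaces, unquoted values may be empty.
KV_RE = re.compile(r'(?P<key>[A-Za-z_][\w.-]*)=(?P<val>"[^"]*"|\S*)')
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
CLAVISTER_RE = re.compile(r"EFW: (?P<category>[A-Z]+): ")

# Constructed inputs, trimmed from the sample events shown on this page.
CLAVISTER_CONN = ("<134>[2016-04-26 16:10:07] EFW: CONN: prio=1 id=00600005 rev=1 "
                  "event=conn_close_natsat action=close rule=if3_net_nat_out conn=close "
                  "connipproto=TCP connrecvif=If3 connsrcip=192.168.99.13 connsrcport=43347 "
                  "conndestif=If1 conndestip=1.1.1.1 conndestport=443 connnewsrcip=1.1.1.2 "
                  "connnewsrcport=65035 connnewdestip=1.1.1.1 connnewdestport=443 "
                  "origsent=1395 termsent=5763 conntime=83")
CLAVISTER_IPSEC = ("<134>[2016-04-26 16:10:05] EFW: IPSEC: prio=1 id=01800211 rev=2 "
                   "event=reconfig_IPsec action=ipsec_reconfigured")
CYBEROAM = ('<30>date=2019-07-10 time=11:06:48 timezone="GMT" device_name="CR50iNG" '
            'device_id=C162213098933-QQ6REI log_id=010101600001 log_type="Firewall" '
            'log_component="Firewall Rule" log_subtype="Allowed" status="Allow" '
            'priority=Information fw_rule_id=12 user_name="" in_interface="PortA" '
            'src_ip=10.0.70.17 dst_ip=1.1.1.1 protocol="TCP" src_port=61244 dst_port=443 '
            'tran_src_ip= tran_src_port=0 tran_dst_ip=10.0.0.13 tran_dst_port=8080 '
            'srczone="ZONE1" dstzone="WAN" connevent="Start" connid="3340934816"')
SONICWALL = ('Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" '
             'fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 '
             'src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000')


def parse_kv(message: str) -> dict:
    """Tokenize key=value pairs, stripping the quotes from quoted values."""
    fields = {}
    for m in KV_RE.finditer(message):
        val = m.group("val")
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        fields[m.group("key")] = val
    return fields


def _int(value):
    """Integer field, or None when the field is absent or empty (e.g. 'tran_src_ip=')."""
    return int(value) if isinstance(value, str) and value.isdigit() else None


def _split_endpoint(value):
    """SonicWALL packs endpoints as ip:port:zone; missing parts become None."""
    parts = (value or "").split(":")
    ip = parts[0] or None
    port = _int(parts[1]) if len(parts) > 1 else None
    zone = parts[2] if len(parts) > 2 else None
    return ip, port, zone


def normalize(line: str):
    """Map a raw line to a vendor-neutral record; returns None for unknown formats."""
    pri = PRI_RE.match(line)
    facility, severity = (int(pri["pri"]) // 8, int(pri["pri"]) % 8) if pri else (None, None)
    kv = parse_kv(line)
    base = {"facility": facility, "severity": severity, "raw": kv}
    cl = CLAVISTER_RE.search(line)
    if cl:  # Clavister: "EFW: <CATEGORY>:" with conn* fields (absent for non-connection events)
        return {**base, "vendor": "clavister", "category": cl["category"],
                "event": kv.get("event"), "action": kv.get("action"),
                "proto": kv.get("connipproto"),
                "src_ip": kv.get("connsrcip"), "src_port": _int(kv.get("connsrcport")),
                "dst_ip": kv.get("conndestip"), "dst_port": _int(kv.get("conndestport")),
                "nat_src_ip": kv.get("connnewsrcip"), "nat_src_port": _int(kv.get("connnewsrcport"))}
    if "device_name" in kv and "log_type" in kv:  # Cyberoam
        return {**base, "vendor": "cyberoam", "category": kv.get("log_type"),
                "event": kv.get("log_component"), "action": kv.get("status"),
                "proto": kv.get("protocol"),
                "src_ip": kv.get("src_ip"), "src_port": _int(kv.get("src_port")),
                "dst_ip": kv.get("dst_ip"), "dst_port": _int(kv.get("dst_port")),
                "nat_src_ip": kv.get("tran_src_ip") or None, "nat_src_port": _int(kv.get("tran_src_port"))}
    if kv.get("id") == "firewall" and "sn" in kv:  # SonicWALL
        src_ip, src_port, src_zone = _split_endpoint(kv.get("src"))
        dst_ip, dst_port, dst_zone = _split_endpoint(kv.get("dst"))
        return {**base, "vendor": "sonicwall", "category": kv.get("c"),
                "event": kv.get("msg"), "msg_id": kv.get("m"), "action": None,
                "proto": (kv.get("proto") or "").split("/")[0] or None,
                "src_ip": src_ip, "src_port": src_port, "src_zone": src_zone,
                "dst_ip": dst_ip, "dst_port": dst_port, "dst_zone": dst_zone,
                "nat_src_ip": None, "nat_src_port": None}
    return None


if __name__ == "__main__":
    for line in (CLAVISTER_CONN, CLAVISTER_IPSEC, CYBEROAM, SONICWALL):
        r = normalize(line)
        print(r["vendor"], r["event"], r["src_ip"], r["src_port"], "->", r["dst_ip"], r["dst_port"])
```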

Settings for Access Credentials

SNMP Access Credentials for All Devices
Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String.

Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>


Fortinet FortiGate Firewall
l What is Discovered and Monitored
l Configuring SNMP on FortiGate
l Configuring SSH on FortiSIEM to communicate with FortiGate
l Configuring FortiSIEM for SNMP and SSH to FortiGate
l Configuring FortiAnalyzer to send logs to FortiSIEM
l Configuring FortiGate to send Netflow via CLI
l Configuring FortiGate to send Application names in Netflow via GUI
l Example of FortiGate Syslog parsed by FortiSIEM

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Hardware model, Network interfaces, Operating system version
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths). For 5xxx series firewalls, per CPU utilization (event PH_DEV_MON_FORTINET_PROCESSOR_USGE)
Used for: Availability and Performance Monitoring

Protocol: Telnet/SSH
Information Discovered: Running configuration
Metrics collected: Configuration Change
Used for: Performance Monitoring, Security and Compliance

Protocol: Syslog
Information Discovered: Device type
Metrics collected: All traffic and system logs
Used for: Availability, Security and Compliance

Protocol: Netflow
Metrics collected: Firewall traffic, application detection and application link usage metrics
Used for: Security monitoring and compliance, Firewall Link Usage and Application monitoring

Event Types
In ADMIN > Device Support > Event, search for "fortigate" in the Name and Description columns to see the event types associated with this device.
Rules
In Resource > Rules, search for "fortigate" in the Name column to see the rules associated with this device.

Reports
Search for Reports under Network device, Firewall and Security groups.
Configuring SNMP on FortiGate
Follow these steps to configure SNMP on FortiGate. For more information on configuring the FortiGate to allow detailed interface monitoring using SNMP, see Data Source in the FortiSIEM User's Guide.
1. Log in to your firewall as an administrator.
2. Go to System > Network.
3. Select the FortiGate interface IP that FortiSIEM will use to communicate with your device, and then click Edit.
4. For Administrative Access, make sure that SSH and SNMP are selected.
5. Click OK.
6. Go to System > Config > SNMP v1/v2c.
7. Click Create New to enable the public community.
Configuring SSH on FortiSIEM to communicate with FortiGate
The FortiSIEM Collector SSH client, when communicating with FortiGate via SSH, may try the public key authentication method first. This may fail and create alerts in FortiGate. To prevent this, modify the per-user config file as follows:
1. Log in, as admin, to the FortiSIEM node that communicates with FortiGate via SSH.
2. Open /opt/phoenix/bin/.ssh/config (create the file if necessary).
3. Add these two lines and save:
PreferredAuthentications password
PubkeyAuthentication no
4. Ensure that the owner is admin:
chown admin.admin /opt/phoenix/bin/.ssh/config
chmod 600 /opt/phoenix/bin/.ssh/config
5. Verify using the commands:
su admin
ssh -v <fgt host>
Verification is successful if the following files are found:
Alternatively, modify the global ssh_config file as below. Since this is a global configuration, all programs will use this setting.
1. Log in, as root, to a FortiSIEM node that communicates with FortiGate via SSH.
2. Open /etc/ssh/ssh_config.
3. Add these two lines:

PreferredAuthentications password
PubkeyAuthentication no
These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device.
show firewall address
show full-configuration

Sending Logs Over VPN
If you are sending these logs across a VPN, Fortigate will try to use the WAN interface for the source of all system traffic. You can change this by setting the source-ip option to the IP used on the Fortigates Internal/LAN interface.

With the Web GUI
1. Log in to your firewall as an administrator.
2. Go to Log & Report > Log Config > syslog.
3. Enter the IP Address, Port Number, Minimum Log Level and Facility for your FortiSIEM virtual appliance.
4. Make sure that CSV format is not selected.

With the CLI

1. Connect to the FortiGate firewall over SSH and log in.
2. To configure your firewall to send syslog over UDP, enter this command, replacing the IP address 192.168.53.2 with the IP address of your FortiSIEM virtual appliance.
   config log syslogd setting
     set status enable
     set server "192.168.53.2"
     set port 514
     set facility user
   end
3. Verify the settings.
   frontend # show log syslogd setting
   config log syslogd setting
     set status enable
     set server "192.168.53.2"
     set facility user
   end

Configuring FortiSIEM for SNMP and SSH access to FortiGate
You can now configure FortiSIEM to communicate with your device by following the instructions in the User Guide > Section: Configuring FortiSIEM > Discovering Infrastructure > Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics under Discovering Infrastructure.

Configuring FortiAnalyzer to send logs to FortiSIEM
If you are already sending FortiGate logs to FortiAnalyzer, then you can forward those logs to FortiSIEM by configuring FortiAnalyzer as follows:
1. Login to FortiAnalyzer.
2. Go to System Settings > Advanced > Syslog Server.
   a. Click the Create New button.
   b. Enter the Name. (It is recommended to use the name of the FortiSIEM server.)
   c. Fill in the IP address (or FQDN) with the IP or a fully qualified name of the FortiSIEM server.
   d. Leave the Syslog Server Port at the default value '514'.
   e. Click OK to save your entries.
3. Go to System Settings > Dashboard > CLI Console.
4. Click in the CLI Console and enter the following commands:
- For FortiAnalyzer versions 6.0 and later. Note: Replace <id> with the actual name of the log forward created earlier.
   config system log-forward
     edit <id>
       set mode forwarding
       set fwd-max-delay realtime
       set server-name "<FSM_Collector>"
       set server-ip "a.b.c.d"
       set fwd-log-source-ip original_ip
       set fwd-server-type syslog
     next
   end
- For FortiAnalyzer versions 5.6 to 5.9. Note: Replace <id> with the actual name of the log forward created earlier.
   config system log-forward
     edit <id>
       set mode forwarding
       set fwd-max-delay realtime
       set server-ip "a.b.c.d"
       set fwd-log-source-ip original_ip
       set fwd-server-type syslog
     next
   end
- For FortiAnalyzer versions earlier than 5.6. Note: Replace <id> with the number for your FortiSIEM syslog entry.
   config system aggregation-client
     edit <id>
       set fwd-log-source-ip original_ip
   end

Configuring FortiGate to send Netflow via CLI
1. Connect to the FortiGate firewall over SSH and log in.
2. To configure your firewall to send Netflow over UDP, enter the following commands:
   config system netflow
     set collector-ip <FortiSIEM IP>
     set collector-port 2055
   end
3. Enable Netflow on the appropriate interfaces, replacing port1 with your interface name:
   config system interface
     edit port1
       set netflow-sampler both
   end
4. Optional - Using Netflow with VDOMs. For VDOM environments, excluding the management VDOM, Netflow must be configured using the following CLI commands:
   con global
     con sys netflow
       set collector-ip <FortiSIEM IP>
       set collector-port 2055
       set source-ip <source-ip>
     end
   end
   con vdom
     edit root   (root is an example, change to the required VDOM name.)
       con sys interface
         edit wan1   (change the interface to the one to use.)
           set netflow-sampler both
         end
       end
Configuring FortiGate to send Application names in Netflow via GUI
1. Login to FortiGate.
2. Go to Policy & Objects > IPv4 Policy.
3. Click on the Policy IDs you wish to receive application information from.
4. Add SSL inspection and App Control on the policy by clicking the + button in the Security Profiles column.
Example of FortiGate Syslog parsed by FortiSIEM
<185>date=2010-04-11 time=20:31:25 devname=APS3012404200944 device_id=APS3012404200944 log_id=0104032002 type=event subtype=admin pri=alert vd=root user="root" ui=ssh(10.1.20.21) action=login status=failed reason="name_invalid"msg="Administrator root login failed from ssh(10.1.20.21) because of invalid user name"

Imperva Securesphere Web App Firewall

What is Discovered and Monitored

Event Types

Reports

Configuration

Setup in FortiSIEM

Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box:
      Name: <set name>
      Device Type: Imperva Securesphere Web App Firewall
      Access Protocol: See Access Credentials
      Port: See Access Credentials
      Password config: See Password Configuration
      User Name: A user who has access credentials for the device
      Password: The password for the user
      Super Password: Password for Super
3. In Step 2, Enter IP Range to Credential Associations:
   a. Select the name of your credential from the Credentials drop-down list.
   b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
   c. Click Save.
4. Click Test to test the connection to Imperva Securesphere Web App Firewall.

5. To see the jobs associated with Imperva, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter Imperva in the search box.


Juniper Networks SSG Firewall
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
  Information Discovered: Host name, Hardware model, Network interfaces, Operating system version
  Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
  Used for: Availability and Performance Monitoring
Protocol: Telnet/SSH
  Information Discovered: Running configuration
  Metrics collected: Configuration Change
  Used for: Performance Monitoring, Security and Compliance
Protocol: Syslog
  Information Discovered: Device type
  Metrics collected: Traffic log, Admin login activity logs, Interface up/down logs
  Used for: Availability, Security and Compliance

Event Types
In ADMIN > Device Support > Event, search for "SSG" in the Device Type column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.

Configuration
SNMP and SSH
Enable SNMP, SSH, and Ping
1. Log in to your firewall's device manager as an administrator.
2. Go to Network > Interfaces > List.
3. Select the interface and click Edit.
4. Under Service Options, for Management Services, select SNMP and SSH.
5. For Other Services, select Ping.
Create SNMP Community String and Management Station IP
1. Go to Configuration > Report Settings > SNMP.
2. If the public community is not available, create it and provide it with read-only access.
3. Enter the Host IP address and Netmask of your FortiSIEM virtual appliance.
4. Select the Source Interface that your firewall will use to communicate with FortiSIEM.
5. Click OK.
You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, see "Discovery Settings" and "Setting Credentials" in the User Guide.
Syslog
Modify Policies so Traffic Matching a Policy is Sent via Syslog to FortiSIEM
1. Go to Policies.
2. Select a policy and click Options.
3. Select Logging.
4. Click OK.
Set FortiSIEM as a Destination Syslog Server
1. Go to Configuration > Report Settings > Syslog.
2. Select Enable syslog messages.
3. Select the Source Interface that your firewall will use to communicate with FortiSIEM.
4. Under Syslog servers, enter the IP/Hostname of your FortiSIEM virtual appliance.
5. For Port, enter 514.
6. For Security Facility, select LOCALD.
7. For Facility, select LOCALD.
8. Select Event Log and Traffic Log.
9. Select Enable.
10. Click Apply.


Set the Severity of Syslog to Send to FortiSIEM
1. Go to Configuration > Report Setting > Log Settings.
2. Click Syslog.
3. Select the Severity Levels of the syslog you want sent to FortiSIEM.
4. Click Apply.
Sample Parsed FortiGate Syslog
<129>Aug 26 11:09:45 213.181.33.233 20090826, 6219282, 2009/08/26 09:09:40, 2009/08/26 08:09:49, global.CoX, 1363, CoX-eveTd-fw1, 213.181.41.226, traffic, traffic log, untrust, (NULL), 81.243.104.82, 64618, 81.243.104.82, 64618, dmz, (NULL), 213.181.36.162, 443, 213.181.36.162, 443, tcp, global.CoX, 1363, Workaniser_cleanup, fw/vpn, 34, accepted, info, no, (NULL), (NULL), (NULL), (NULL), 3, 858, 1323, 2181, 0, 0, 14, 1, no, 0, Not
<129>Aug 26 11:09:45 213.181.33.233 20090826, 6219282, 2009/08/26 09:09:40, 2009/08/26 08:09:49, global.CoX, 1363, CoX-eveTd-fw1, Category, Sub-Category, untrust, (NULL), 81.243.104.82, 64618, 81.243.104.82, 64618, dmz, (NULL), 213.181.36.162, 443, 213.181.36.162, 443, tcp, global.Randstad, 1363, Workaniser_cleanup, fw/vpn, 34, accepted, info, no, (NULL), (NULL), (NULL), (NULL), 3, 858, 1323, 2181, 0, 0, 14, 1, no, 0, Not

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String.

Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>

Telnet Access Credentials for All Devices
These are the generic settings for providing Telnet access to your device from FortiSIEM.


Name: Telnet-generic
Device Type: generic
Access Protocol: Telnet
Port: 23
User Name: A user who has permission to access the device over Telnet
Password: The password associated with the user

SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Name: ssh-generic
Device Type: Generic
Access Protocol: SSH
Port: 22
User Name: A user who has access credentials for your device over SSH
Password: The password for the user


McAfee Firewall Enterprise (Sidewinder)
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: Syslog
  Information Discovered: -
  Metrics Collected: -
  Used For: -

Event Types
In ADMIN > Device Support > Event, search for "sidewinder" in the Device Type column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
- For Port, enter 514.
- Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Settings for Access Credentials
Use these Access Method Definition settings to allow FortiSIEM to access your device.


Name: <set name>
Device Type: McAfee Sidewinder Firewall
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Sample Parsed Sidewinder Syslog
Jun 18 10:34:08 192.168.2.10 wcrfw1 auditd: date="2011-06-18 14:34:08 +0000",fac=f_http_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=2093,logid=0,cmd=httpp,hostname=wcrfw1.community.int,event="session end",app_risk=low,app_categories=infrastructure,netsessid=1adc04dfcb760,src_geo=US,srcip=74.70.205.191,srcport=3393,srczone=external,protocol=6,dstip=10.1.1.27,dstport=80,dstzone=dmz1,bytes_written_to_client=572,bytes_written_to_server=408,rule_name=BTC-inbound,cache_hit=1,start_time="2011-06-18 14:34:08 +0000",application=HTTP


Palo Alto Firewall
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
  Information Discovered: Host name, Hardware model, Network interfaces, Operating system version
  Metrics collected: Uptime, CPU utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
  Used for: Availability and Performance Monitoring
Protocol: Telnet/SSH
  Information Discovered: Running configuration
  Metrics collected: Configuration Change
  Used for: Performance Monitoring, Security and Compliance
Protocol: Syslog
  Information Discovered: Device type
  Metrics collected: Traffic log, Threat log (URL, Virus, Spyware, Vulnerability, File, Scan, Flood and data subtypes), config and system logs
  Used for: Availability, Security and Compliance

Event Types
In ADMIN > Device Support > Event, search for "palo alto" in the Description column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
In RESOURCE > Reports, search for "palo alto" in the Description column to see the reports associated with this device.

Configuration
SNMP, SSH, and Ping
1. Log in to the management console for your firewall with administrator privileges.
2. In the Device tab, click Setup.
3. Click Edit.
4. Under MGMT Interface Services, make sure SSH, Ping, and SNMP are selected.
5. For SNMP Community String, enter public.
6. If there are entries in the Permitted IP list, add the IP address of your FortiSIEM virtual appliance.
7. Click OK.
8. Go to Setup > Management and check that SNMP is enabled on the management interface.
Syslog
Set FortiSIEM as a Syslog Destination
1. Log in to the management console for your firewall with administrator privileges.
2. In the Device tab, go to Log Destinations > Syslog.
3. Click New.
4. Enter a Name for your FortiSIEM virtual appliance.
5. For Server, enter the IP address of your virtual appliance.
6. For Port, enter 514.
7. For Facility, select LOG_USER.
8. Click OK.
Set the Severity of Logs to Send to FortiSIEM
1. In the Device tab, go to Log Settings > System.
2. Click Edit...
3. For each type of log you want sent to FortiSIEM, select the FortiSIEM virtual appliance in the Syslog menu.
4. Click OK.
Create a Log Forwarding Profile
1. In the Objects tab, go to Log Forwarding > System.
2. Create a new log forwarding profile by entering a Name for the profile, and then setting Syslog to the IP address of your FortiSIEM virtual appliance for each type of log you want sent to FortiSIEM.
3. Click OK.
Use the Log Forwarding Profile in Firewall Policies
1. In the Policies tab, go to Security > System.
2. For each security rule that you want to send logs to FortiSIEM, click Options.
3. For Log Forwarding Profile, select the profile you created for FortiSIEM.
4. Click OK.
5. Commit changes.
Logging Permitted Web Traffic
By default, Palo Alto firewalls only log web traffic that is blocked by URL filtering policies. If you must log permitted web traffic, follow these steps.
1. In the Objects tab, go to Security Profiles > URL Filtering.
2. Edit an existing profile by clicking on its name, or click Add to create a new one.
3. For website categories that you want to log, select Alert. Traffic matching these website category definitions will be logged.
4. Click OK.
5. For each security rule that you want to send logs to FortiSIEM, edit the rule and add the new URL filter.

Sample Parsed Palo Alto Syslog Message
<14>May 6 15:51:04 1,2010/05/06 15:51:04,0006C101167,TRAFFIC,start,1,2010/05/06 15:50:58,192.168.28.21,172.16.255.78,::172.16.255.78,172.16.255.78,rule3,,,icmp,vsys1,untrust,untrust,ethernet1/1,ethernet1/1,syslog-172.16.20.152,2010/05/06 15:51:04,600,2,0,0,0,0,0x40,icmp,allow,196,196,196,2,2010/05/06 15:50:58,0,any,0
<14>May 6 15:51:15 1,2010/05/06 15:51:15,0006C101167,SYSTEM,general,0,2010/05/06 15:51:15,,unknown,,0,0,general,informational,User admin logged in via CLI from 192.168.28.21
<14>May 9 17:55:21 1,2010/05/09 17:55:21,0006C101167,THREAT,url,6,2010/05/09 17:55:20,172.16.2.2,216.163.137.68,::172.16.255.78,216.163.137.68,DynamicDefault,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,syslog-172.16.20.152,2010/05/09 17:55:21,976,1,1126,80,38931,80,0x40,tcp,block-url,"www.playboy.com/favicon.ico",(9999),adult-and-pornography,informational,0
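The three samples above are positional CSV records whose layout depends on the log type in the fourth field. This added parser (my code, not FortiSIEM's; the index-to-name maps are my reading of the PAN-OS syslog field order for that generation of firmware and should be checked against your version's field reference) assigns names per type, keeps the quoted URL of a THREAT record intact, and separates permitted from blocked URL-filter hits, which is what the Logging Permitted Web Traffic steps above enable.

```python
"""Positional parser for the PAN-OS syslog samples above. Added example, not
FortiSIEM's parser. ASSUMPTION: the index->name maps follow the PAN-OS syslog
field order as I know it for TRAFFIC, THREAT and SYSTEM logs of that
generation; check them against the field reference for your PAN-OS version.
Positions without a name are kept as f<index> so nothing is dropped."""
import csv
import re
from typing import Dict, Optional, Tuple

# <PRI>, RFC 3164 timestamp, then the comma-separated PAN-OS record (the
# samples carry no hostname between the timestamp and the record).
HEADER_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (.*)$")

# Samples copied from the page (line-wrap artifacts removed).
TRAFFIC_SAMPLE = ("<14>May 6 15:51:04 1,2010/05/06 15:51:04,0006C101167,TRAFFIC,start,1,"
                  "2010/05/06 15:50:58,192.168.28.21,172.16.255.78,::172.16.255.78,"
                  "172.16.255.78,rule3,,,icmp,vsys1,untrust,untrust,ethernet1/1,ethernet1/1,"
                  "syslog-172.16.20.152,2010/05/06 15:51:04,600,2,0,0,0,0,0x40,icmp,allow,"
                  "196,196,196,2,2010/05/06 15:50:58,0,any,0")
SYSTEM_SAMPLE = ("<14>May 6 15:51:15 1,2010/05/06 15:51:15,0006C101167,SYSTEM,general,0,"
                 "2010/05/06 15:51:15,,unknown,,0,0,general,informational,"
                 "User admin logged in via CLI from 192.168.28.21")
THREAT_SAMPLE = ("<14>May 9 17:55:21 1,2010/05/09 17:55:21,0006C101167,THREAT,url,6,"
                 "2010/05/09 17:55:20,172.16.2.2,216.163.137.68,::172.16.255.78,"
                 "216.163.137.68,DynamicDefault,,,web-browsing,vsys1,trust,untrust,"
                 "ethernet1/2,ethernet1/1,syslog-172.16.20.152,2010/05/09 17:55:21,976,1,"
                 "1126,80,38931,80,0x40,tcp,block-url,\"www.playboy.com/favicon.ico\","
                 "(9999),adult-and-pornography,informational,0")

# Positions 0-30 are shared by TRAFFIC and THREAT; 0, 5 and 21 are reserved/legacy.
_COMMON = {1: "receive_time", 2: "serial", 3: "type", 4: "subtype",
           6: "generated_time", 7: "src", 8: "dst", 9: "natsrc", 10: "natdst",
           11: "rule", 12: "srcuser", 13: "dstuser", 14: "app", 15: "vsys",
           16: "from_zone", 17: "to_zone", 18: "in_if", 19: "out_if",
           20: "log_action", 22: "session_id", 23: "repeat", 24: "sport",
           25: "dport", 26: "natsport", 27: "natdport", 28: "flags",
           29: "proto", 30: "action"}
FIELDS = {
    "TRAFFIC": {**_COMMON, 31: "bytes", 32: "bytes_sent", 33: "bytes_recv",
                34: "packets", 35: "start", 36: "elapsed", 37: "category"},
    "THREAT": {**_COMMON, 31: "misc", 32: "threat_id", 33: "category",
               34: "severity", 35: "direction"},
    "SYSTEM": {1: "receive_time", 2: "serial", 3: "type", 4: "subtype",
               6: "generated_time", 7: "vsys", 8: "event_id", 9: "object",
               12: "module", 13: "severity", 14: "description"},
}


def parse_panos(line: str) -> Optional[Dict[str, str]]:
    """Name->value dict for one message, or None if it is not a PAN-OS record."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    # csv keeps the quoted URL of a THREAT record as one field even when the
    # URL itself contains commas, which a plain split(',') would break on.
    cols = next(csv.reader([m.group(3)]))
    if len(cols) < 5 or cols[3] not in FIELDS:
        return None
    names = FIELDS[cols[3]]
    event = {names.get(i, "f%d" % i): value for i, value in enumerate(cols)}
    pri = int(m.group(1))
    event["syslog_facility"] = str(pri // 8)  # 1 is LOG_USER, as set above
    event["syslog_severity"] = str(pri % 8)
    event["syslog_time"] = m.group(2)
    return event


def url_verdict(event: Optional[Dict[str, str]]) -> Optional[Tuple[str, str]]:
    """(action, url) for URL-filtering records, so permitted hits logged via the
    'Alert' setting above can be counted separately from blocked ones."""
    if event and event.get("type") == "THREAT" and event.get("subtype") == "url":
        return event["action"], event["misc"]
    return None


if __name__ == "__main__":
    for sample in (TRAFFIC_SAMPLE, SYSTEM_SAMPLE, THREAT_SAMPLE):
        ev = parse_panos(sample)
        print(ev["type"], ev["subtype"], url_verdict(ev))
```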

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String.

Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>

Telnet Access Credentials for All Devices
These are the generic settings for providing Telnet access to your device from FortiSIEM.


Name: Telnet-generic
Device Type: generic
Access Protocol: Telnet
Port: 23
User Name: A user who has permission to access the device over Telnet
Password: The password associated with the user

SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Name: ssh-generic
Device Type: Generic
Access Protocol: SSH
Port: 22
User Name: A user who has access credentials for your device over SSH
Password: The password for the user


Sophos UTM
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: Syslog
  Information Discovered: -
  Metrics Collected: Configuration change, command execution
  Used For: Log Management, Compliance and SIEM

Event Types
In ADMIN > Device Support > Event, search for "sophos-utm" to see the event types associated with this device.

Rules
There are no predefined rules for this device.

Reports
There are no predefined reports for this device.

Configuration
Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
- For Port, enter 514.

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your device.

Name: <set name>
Device Type: Sophos UTM
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Sample Syslog Message
<30>2016:07:05-16:57:39 c-server-1 httpproxy[15760]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.10.10.10" dstip="1.1.1.1" user="" group="" ad_domain="" statuscode="302" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffCustoConteFilte (Custom_Default content filter action)" size="0" request="0xdc871600" url="http://a.com" referer="http://foo.com/bar/" error="" authtime="0" dnstime="1" cattime="24080" avscantime="0" fullreqtime="52627" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions="" category="154" reputation="unverified" categoryname="Web Ads"


Stormshield Network Security
- Integration Points
- Configuring Stormshield to Send Logs
- Configuring FortiSIEM to Receive Logs
- Stormshield Event Types
- Stormshield Sample Logs

Integration Points

Protocol: Syslog
Information Collected: Firewall logs
Used For: Security and Compliance Monitoring

Configuring Stormshield to Send Logs
Follow the steps listed here under the Choose where to save logs section, to save logs.
Configuring FortiSIEM to Receive Logs
No configuration is needed. FortiSIEM can automatically detect and parse Stormshield logs based on the built-in parser.
Stormshield Event Types
Go to Resources > Event Type and search "Stormshield-"
Stormshield Sample Logs
id=firewall time="2019-02-24 16:38:01" fw="SN310A17B0323A7" tz=+0100 startime="2019-02-24 16:38:00" pri=5 confid=00 slotlevel=2 ruleid=4 rulename="1690fb96019_7" srcif="Ethernet0" srcifname="out" ipproto=udp proto=ssdp src=10.11.11.11 srcport=49907 srcportname=ephemeral_fw_udp srcname=skywalker srcmac=11:11:11:11:11:11 dst=10.10.10.10 dstport=1900 dstportname=sdp ipv=4 sent=0 rcvd=0 duration=0.00 action=pass logtype="filter"
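The FortiGate sample earlier in this chapter, the McAfee Sidewinder and Sophos UTM samples, and the Stormshield line above all share one shape: key=value fields, some values double-quoted and containing spaces or commas, optionally behind a <PRI> syslog header. This added parser (my code, not FortiSIEM's parser; the sample lines inside it are the page's messages, three of them shortened) handles that shape, including the FortiGate quirk where reason="..." runs straight into msg= with no separator, and decodes the PRI header so it can be checked against the device's own pri= or severity= field; the admin-login check at the end is my own, not a FortiSIEM rule.

```python
"""Key=value syslog parser for the FortiGate, McAfee Sidewinder, Sophos UTM and
Stormshield samples in this chapter. Added example, not FortiSIEM's parser."""
import re
from typing import Dict, Optional, Tuple

PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value where the value is either "quoted" (may hold spaces, commas and
# parentheses) or bare (runs to the next space or comma). The regex consumes a
# quoted value whole, so reason="x"msg="y" with no separator still yields both.
KV_RE = re.compile(r'([A-Za-z0-9_-]+)=(?:"([^"]*)"|([^\s,]*))')

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
             "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
            + ["local%d" % i for i in range(8)])

# Sample lines: FORTIGATE is the page's message verbatim; the other three are
# shortened (constructed) copies of the page's samples with the same shape.
FORTIGATE = ('<185>date=2010-04-11 time=20:31:25 devname=APS3012404200944 '
             'device_id=APS3012404200944 log_id=0104032002 type=event subtype=admin '
             'pri=alert vd=root user="root" ui=ssh(10.1.20.21) action=login '
             'status=failed reason="name_invalid"msg="Administrator root login '
             'failed from ssh(10.1.20.21) because of invalid user name"')
SIDEWINDER = ('Jun 18 10:34:08 192.168.2.10 wcrfw1 auditd: date="2011-06-18 14:34:08 '
              '+0000",fac=f_http_proxy,type=t_nettraffic,event="session end",'
              'srcip=74.70.205.191,srcport=3393,dstip=10.1.1.27,dstport=80,'
              'rule_name=BTC-inbound,application=HTTP')
SOPHOS = ('<30>2016:07:05-16:57:39 c-server-1 httpproxy[15760]: id="0001" '
          'severity="info" sys="SecureWeb" action="pass" method="GET" '
          'srcip="10.10.10.10" user="" profile="REF_DefaultHTTPProfile (Default '
          'Web Filter Profile)" statuscode="302" '
          'ua="Mozilla/5.0 (Windows NT 6.1; WOW64) like Gecko" categoryname="Web Ads"')
STORMSHIELD = ('id=firewall time="2019-02-24 16:38:01" fw="SN310A17B0323A7" tz=+0100 '
               'pri=5 ruleid=4 srcif="Ethernet0" ipproto=udp src=10.11.11.11 '
               'srcport=49907 srcmac=11:11:11:11:11:11 dst=10.10.10.10 dstport=1900 '
               'action=pass logtype="filter"')


def split_pri(line: str) -> Tuple[Optional[str], Optional[str], str]:
    """Decode an RFC 3164 <PRI> header (PRI = facility * 8 + severity).
    Returns (facility, severity, remainder); (None, None, line) if absent."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None, None, line
    pri = int(m.group(1))
    return FACILITY[pri // 8], SEVERITY[pri % 8], line[m.end():]


def parse_kv(body: str) -> Dict[str, str]:
    """All key=value pairs in 'body'; a later duplicate key overwrites."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(body):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def parse_event(line: str) -> Dict[str, str]:
    """Device fields plus, when a PRI header exists, the syslog-level
    facility/severity under underscore-prefixed keys."""
    facility, severity, body = split_pri(line)
    event = parse_kv(body)
    if facility is not None and severity is not None:
        event["_syslog_facility"] = facility
        event["_syslog_severity"] = severity
    return event


def is_failed_admin_login(event: Dict[str, str]) -> bool:
    """FortiGate admin login failure, the case the page's sample shows. This
    check is my own, not a FortiSIEM rule."""
    return (event.get("type") == "event" and event.get("subtype") == "admin"
            and event.get("action") == "login" and event.get("status") == "failed")


if __name__ == "__main__":
    for sample in (FORTIGATE, SIDEWINDER, SOPHOS, STORMSHIELD):
        ev = parse_event(sample)
        print(len(ev), "fields;",
              "failed admin login" if is_failed_admin_login(ev) else "no admin-login alert")
```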


Tigera Calico
- Integration Points
- Configuring Tigera Calico to Send Logs
- Configuring FortiSIEM to Receive Logs
- Tigera Calico Event Types
- Tigera Calico Sample Logs

Integration Points

Protocol: Syslog
Information Collected: Flow, Audit and DNS logs
Used For: Security and Compliance Monitoring

Configuring Tigera Calico to Send Logs
Follow the steps listed here to send syslog to FortiSIEM.
Configuring FortiSIEM to Receive Logs
No configuration is needed. FortiSIEM can automatically detect and parse Tigera Calico logs based on the built-in parser.
Tigera Calico Event Types
Go to Resources > Event Type and search "Calico_Enterprise_"
Tigera Calico Sample Logs
<14>May 8 15:49:58 ip-10-0-0-193.ec2.internal tigera_secure: {"start_time":1588952982,"end_time":1588952992,"source_ip":"10.48.98.2","source_name":"elastic-operator-0","source_name_aggr":"elastic-operator-*","source_namespace":"tigera-eck-operator","source_port":null,"source_type":"wep","source_labels":{"labels":["k8s-app=elastic-operator","statefulset.kubernetes.io/pod-name=elastic-operator-0","control-plane=elastic-operator","controller-revision-hash=elastic-operator-6fc7545df5"]},"dest_ip":"10.48.241.198","dest_name":"tigera-secure-es-es-0","dest_name_aggr":"tigera-secure-es-es-*","dest_namespace":"tigera-elasticsearch","dest_port":9200,"dest_type":"wep","dest_labels":{"labels":["statefulset.kubernetes.io/pod-name=tigera-secure-es-es-0","elasticsearch.k8s.elastic.co/version=7.3.2","controller-revision-hash=tigera-secure-es-es-757895bb98","elasticsearch.k8s.elastic.co/http-scheme=https","elasticsearch.k8s.elastic.co/statefulset-name=tigera-secure-es-es","elasticsearch.k8s.elastic.co/node-data=true","elasticsearch.k8s.elastic.co/config-hash=1585026949","elasticsearch.k8s.elastic.co/node-ml=true","common.k8s.elastic.co/type=elasticsearch","elasticsearch.k8s.elastic.co/node-ingest=true","elasticsearch.k8s.elastic.co/node-master=true","elasticsearch.k8s.elastic.co/cluster-name=tigera-secure"]},"proto":"tcp","action":"allow","reporter":"dst","policies":{"all_policies":["0|allow-tigera|tigera-elasticsearch/allow-tigera.elasticsearch-access|allow"]},"bytes_in":2593,"bytes_out":4617,"num_flows":3,"num_flows_started":1,"num_flows_completed":1,"packets_in":17,"packets_out":10,"http_requests_allowed_in":0,"http_requests_denied_in":0,"original_source_ips":null,"num_original_source_ips":0,"host":"fluentd-node-xzscj"}
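The Calico record is JSON behind a syslog header, with two sub-formats inside it: k=v label strings and index|tier|namespace/policy|action policy hits. This added parser (my code, not FortiSIEM's; its SAMPLE is a shortened, constructed copy of the message above, and the rule that the last policy hit carries the applied verdict is an assumption) extracts both into usable fields.

```python
"""Parse a Tigera Calico flow log delivered as JSON behind a syslog header, as
in the sample above. Added example, not FortiSIEM's parser. SAMPLE is a
shortened, constructed copy of the page's message with the same structure."""
import json
import re
from typing import Any, Dict, List, Optional

HEADER_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+): (\{.*\})$")

SAMPLE = (
    '<14>May 8 15:49:58 ip-10-0-0-193.ec2.internal tigera_secure: '
    '{"start_time":1588952982,"end_time":1588952992,"source_ip":"10.48.98.2",'
    '"source_name":"elastic-operator-0","source_namespace":"tigera-eck-operator",'
    '"source_port":null,"source_type":"wep","source_labels":{"labels":'
    '["k8s-app=elastic-operator","statefulset.kubernetes.io/pod-name=elastic-operator-0"]},'
    '"dest_ip":"10.48.241.198","dest_name":"tigera-secure-es-es-0",'
    '"dest_namespace":"tigera-elasticsearch","dest_port":9200,"dest_type":"wep",'
    '"dest_labels":{"labels":["elasticsearch.k8s.elastic.co/version=7.3.2"]},'
    '"proto":"tcp","action":"allow","reporter":"dst","policies":{"all_policies":'
    '["0|allow-tigera|tigera-elasticsearch/allow-tigera.elasticsearch-access|allow"]},'
    '"bytes_in":2593,"bytes_out":4617,"num_flows":3,"packets_in":17,"packets_out":10,'
    '"original_source_ips":null,"host":"fluentd-node-xzscj"}')


def parse_labels(block: Optional[Dict[str, List[str]]]) -> Dict[str, str]:
    """{"labels": ["k=v", ...]} -> {k: v}; a label without '=' keeps an empty value."""
    labels: Dict[str, str] = {}
    for item in (block or {}).get("labels", []):
        key, _, value = item.partition("=")
        labels[key] = value
    return labels


def parse_policy_hit(hit: str) -> Dict[str, Any]:
    """'index|tier|namespace/policy|action'; global policies have no namespace."""
    parts = hit.split("|")
    if len(parts) != 4:
        raise ValueError("unexpected policy hit format: %r" % hit)
    index, tier, name, action = parts
    namespace, _, policy = name.rpartition("/")
    return {"index": int(index), "tier": tier, "namespace": namespace or None,
            "policy": policy, "action": action}


def parse_flow(line: str) -> Dict[str, Any]:
    """Syslog-wrapped Calico flow record -> flat summary with parsed sub-fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped JSON record")
    rec = json.loads(m.group(5))
    return {
        "collector_host": m.group(3),  # the syslog sender, not the flow reporter
        "reporter": rec["reporter"],   # which endpoint ('src' or 'dst') reported
        "src": "%s/%s" % (rec["source_namespace"], rec["source_name"]),
        "dst": "%s/%s:%s" % (rec["dest_namespace"], rec["dest_name"], rec["dest_port"]),
        "proto": rec["proto"],
        "action": rec["action"],
        "policies": [parse_policy_hit(p) for p in rec["policies"]["all_policies"]],
        "src_labels": parse_labels(rec.get("source_labels")),
        "dst_labels": parse_labels(rec.get("dest_labels")),
        "bytes": int(rec.get("bytes_in", 0)) + int(rec.get("bytes_out", 0)),
        "flows": int(rec.get("num_flows", 0)),
    }


def deciding_policy(flow: Dict[str, Any]) -> Dict[str, Any]:
    """The last hit listed is the one whose verdict was applied (earlier hits are
    tier hand-offs). Assumption about Calico's ordering; verify for your version."""
    return flow["policies"][-1]


if __name__ == "__main__":
    flow = parse_flow(SAMPLE)
    print(flow["src"], "->", flow["dst"], flow["action"], deciding_policy(flow)["policy"])
```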


WatchGuard Firebox Firewall
- Integration points
- Configuring Watchguard Firebox for SNMP Access
- Configuring FortiSIEM

Integration points

Protocol: SNMP
Information Discovered: Performance metrics: CPU, Memory, Uptime, Interface Usage statistics, Connection rate and Policy Statistics
Used For: Performance and Availability Monitoring

Configuring Watchguard Firebox for SNMP Access
1. Logon to the Watchguard Firebox Management Console.
2. Follow the Watchguard Firebox documentation to allow inbound SNMP access (default UDP port 161) to the appropriate FortiSIEM node that will communicate with the Firebox node.
3. Note the SNMP credentials. FortiSIEM supports versions 1, 2 and 3.

Configuring FortiSIEM
Use the account from the previous step to enable FortiSIEM access:
1. Login to FortiSIEM.
2. Go to ADMIN > Setup > Credential.
3. Click New to create a Generic SNMP credential:
   a. Device Type = Generic
   b. Access Protocol = SNMP or SNMP V3
   c. Choose the SNMP port (default 161)
   d. Password config: Manual or CyberArk. See Password Configuration.
   e. If Access Protocol was chosen as SNMP, then enter the Community string.
   f. If Access Protocol was chosen as SNMP V3, then enter the detailed SNMP V3 security configuration and credentials.
   g. Click Save.
4. Enter an IP Range to Credential Association.
   a. Enter the IP or IP Range containing the Firebox firewall. Allowed formats are comma separated IPs, an IP Range formatted as IP1-IP2, or an IP range in CIDR notation.
   b. Select the Credential created in step 3 above.
   c. Click Save.
5. Select the entry in step 4 and click Test Connectivity. If it succeeds, then the credential is correct.
6. Go to ADMIN > Setup > Discover.
7. Create a discovery entry containing the IP Address of the Firebox firewall and discover the device. Make sure Discovery succeeds.
8. An entry will be created in ADMIN > Setup > Change/Monitor corresponding to this firewall. FortiSIEM will start to pull SNMP metrics from this firewall.


Load Balancers and Application Firewalls
FortiSIEM supports these load balancers and application firewalls for discovery and monitoring.
- Brocade ServerIron ADX
- Citrix Netscaler Application Delivery Controller (ADC)
- F5 Networks Application Security Manager
- F5 Networks Local Traffic Manager
- F5 Networks Web Accelerator
- Fortinet FortiADC
- Qualys Web Application Firewall


Brocade ServerIron ADX
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Host name, serial number, hardware (CPU, memory, network interface etc)
  Metrics/Logs collected: Uptime, CPU, Memory, Interface Utilization, Hardware status, Real Server Statistics
  Used for: Performance/Availability Monitoring

Event Types
- PH_DEV_MON_SYS_CPU_UTIL
[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceBrocadeServerIron.cpp,[lineNumber]=434,[cpuName]=CPU,[hostName]=lb1-1008-qts,[hostIpAddr]=10.120.3.15,[cpuUtil]=55.000000,[pollIntv]=176,[phLogDetail]=

- PH_DEV_MON_SYS_MEM_UTIL
[PH_DEV_MON_SYS_MEM_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceBrocadeServerIron.cpp,[lineNumber]=456,[memName]=Physical Memory,[hostName]=lb1-1008-qts,[hostIpAddr]=10.120.3.15,[memUtil]=10.000000,[pollIntv]=176,[phLogDetail]=

- PH_DEV_MON_NET_INTF_UTIL
[PH_DEV_MON_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phIntfFilter.cpp,[lineNumber]=323,[intfName]=GigabitEthernet8,[intfAlias]=,[hostName]=lb1-1008-qts,[hostIpAddr]=10.120.3.15,[pollIntv]=56,[recvBytes64]=1000000,[recvBitsPerSec]=142857.142857,[inIntfUtil]=0.014286,[sentBytes64]=2000000,[sentBitsPerSec]=285714.285714,[outIntfUtil]=0.028571,[recvPkts64]=0,[sentPkts64]=0,[inIntfPktErr]=0,[inIntfPktErrPct]=0.000000,[outIntfPktErr]=0,[outIntfPktErrPct]=0.000000,[inIntfPktDiscarded]=0,[inIntfPktDiscardedPct]=0.000000,[outIntfPktDiscarded]=0,[outIntfPktDiscardedPct]=0.000000,[outQLen64]=0,[intfInSpeed64]=1000000000,[intfOutSpeed64]=1000000000,[intfAdminStatus]=up,[intfOperStatus]=up,[daysSinceLastUse]=0,[totIntfPktErr]=0,[totBitsPerSec]=428571.428571,[phLogDetail]=

- PH_DEV_MON_SERVERIRON_REAL_SERVER_STAT
[PH_DEV_MON_SERVERIRON_REAL_SERVER_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceBrocadeServerIron.cpp,[lineNumber]=507,[hostName]=lb1-1008-qts,[hostIpAddr]=10.120.3.15,[realServerIpAddr]=10.120.10.131,[realServerState]=7,[failedPortExists]=2,[openConnectionsCount]=2,[peakConns]=114,[activeSessions]=4,[phLogDetail]=

- PH_DEV_MON_HW_STATUS
[PH_DEV_MON_HW_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=deviceBrocadeServerIron.cpp,[lineNumber]=359,[hostName]=lb1-1008-qts,[hostIpAddr]=10.120.3.15,[hwStatusCode]=2,[hwPowerSupplyStatus]=0,[hwTempSensorStatus]=2,[hwFanStatus]=0,[phLogDetail]=
[PH_DEV_MON_HW_STATUS_TEMP_CRIT]:[eventSeverity]=PHL_CRITICAL,[fileName]=device.cpp,[lineNumber]=13812,[hostName]=lb1-1008-qts,[hostIpAddr]=10.120.3.15,[hwStatusCode]=2,[hwComponentName]=1-Temperature sensor,[hwComponentStatus]=Critical,[phLogDetail]=

- PH_DEV_MON_HW_TEMP
[PH_DEV_MON_HW_TEMP]:[eventSeverity]=PHL_INFO,[fileName]=deviceBrocadeServerIron.cpp,[lineNumber]=401,[hostName]=lb1-1008-qts,[hostIpAddr]=10.120.3.15,[hwComponentName]=Temp1,[envTempDegF]=90,[phLogDetail]=

Rules
There are no predefined rules for this device other than those covered by generic network devices.

Reports
There are no predefined reports for this device other than those covered by generic network devices.

Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your device.

Name: <set name>
Device Type: Brocade ServerIron ADX
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Citrix Netscaler Application Delivery Controller (ADC)
- What is Discovered and Monitored
- Configuration
What is Discovered and Monitored

Protocol: Syslog
  Information discovered: -
  Metrics/Logs collected: Permitted and Denied traffic
  Used for: Log analysis and compliance

Event Types
In ADMIN > Device Support > Event, search for "netscaler" in the Device Type column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
In RESOURCE > Reports, search for "netscaler" in the Name column to see the reports associated with this device.
Configuration
Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
- For Port, enter 514.
- Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Settings for Access Credentials
Use these Access Method Definition settings to allow FortiSIEM to access your device.

Setting            Value
Name               <set name>
Device Type        Citrix NetScaler
Access Protocol    See Access Credentials
Port               See Access Credentials
Password config    See Password Configuration

Example Syslog
<182> 07/25/2012:19:56:41 PPE-0 : UI CMD_EXECUTED 473128 : User nsroot - Remote_ip 10.13.8.75 - Command "show ns hostName" - Status "Success"
<181> 07/25/2012:19:56:05 NS2MAIL PPE-0 : EVENT DEVICEUP 33376 : Device "server_vip_NSSVC_SSL_172.17.102.108:443 (accellion:443)" - State UP
<181> 07/25/2012:19:55:35 NS2-MAIL PPE-0 : EVENT DEVICEDOWN 33374 : Device "server_vip_NSSVC_SSL_172.17.102.108:443(accellion:443)" - State DOWN
<182> 07/24/2012:15:37:08 PPE-0 : EVENT MONITORDOWN 472795 : Monitor Monitor_http_of_Domapps:80(10.50.15.14:80) - State DOWN
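The example below is added here to show what FortiSIEM has to extract from the NetScaler format above; it is not the guide's own text nor FortiSIEM's parser. It splits the syslog header (PRI, timestamp, optional hostname, packet engine, module, event, message ID) from the "Key value" body, then uses the UI CMD_EXECUTED events to flag administrative commands run from outside an allowed management network. The sample lines are constructed from the example messages in this section, and the allowed network 10.13.9.0/24 is an assumption of the example.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines, adapted from the example syslog in this section.
SAMPLE_LINES = [
    '<182> 07/25/2012:19:56:41 PPE-0 : UI CMD_EXECUTED 473128 : User nsroot - '
    'Remote_ip 10.13.8.75 - Command "show ns hostName" - Status "Success"',
    '<181> 07/25/2012:19:56:05 NS2MAIL PPE-0 : EVENT DEVICEUP 33376 : '
    'Device "server_vip_NSSVC_SSL_172.17.102.108:443 (accellion:443)" - State UP',
    '<181> 07/25/2012:19:55:35 NS2-MAIL PPE-0 : EVENT DEVICEDOWN 33374 : '
    'Device "server_vip_NSSVC_SSL_172.17.102.108:443(accellion:443)" - State DOWN',
    '<182> 07/24/2012:15:37:08 PPE-0 : EVENT MONITORDOWN 472795 : '
    'Monitor Monitor_http_of_Domapps:80(10.50.15.14:80) - State DOWN',
]

# <PRI> MM/DD/YYYY:HH:MM:SS [hostname] PPE-n : MODULE EVENT msgid : body
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>\s*'
    r'(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2})\s+'
    r'(?:(?P<host>\S+)\s+)?'          # hostname is not always present
    r'(?P<ppe>PPE-\d+)\s*:\s*'
    r'(?P<module>\S+)\s+(?P<event>\S+)\s+(?P<msgid>\d+)\s*:\s*'
    r'(?P<body>.*)$'
)


def parse_body(body):
    """Turn 'User nsroot - Command "show ns hostName"' into a dict.

    Fields are separated by ' - '; each is a key, a space, and a value that
    may be wrapped in double quotes and may itself contain spaces.
    """
    fields = {}
    for part in body.split(' - '):
        key, _, value = part.strip().partition(' ')
        fields[key] = value.strip().strip('"')
    return fields


def parse_line(line):
    """Parse one NetScaler syslog line; return None if it does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m.group('pri'))
    record = {
        'facility': pri // 8,        # 182 -> 22 (local6)
        'severity': pri % 8,         # 182 -> 6 (informational)
        'timestamp': datetime.strptime(m.group('ts'), '%m/%d/%Y:%H:%M:%S'),
        'host': m.group('host'),
        'ppe': m.group('ppe'),
        'module': m.group('module'),
        'event': m.group('event'),
        'msgid': int(m.group('msgid')),
    }
    record.update(parse_body(m.group('body')))
    return record


def parse_lines(lines):
    return [r for r in (parse_line(ln) for ln in lines) if r is not None]


def audit_admin_commands(records, allowed_admin_nets):
    """Flag CLI commands executed from outside the expected admin networks.

    UI CMD_EXECUTED events carry the operator's source IP (Remote_ip), so they
    can be checked against the management networks you actually permit. The
    allowed networks are an assumption of this example.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_admin_nets]
    findings = []
    for r in records:
        if r['event'] != 'CMD_EXECUTED' or 'Remote_ip' not in r:
            continue
        src = ipaddress.ip_address(r['Remote_ip'])
        if not any(src in n for n in nets):
            findings.append({
                'user': r.get('User'),
                'src': str(src),
                'command': r.get('Command'),
                'msgid': r['msgid'],
            })
    return findings


if __name__ == '__main__':
    recs = parse_lines(SAMPLE_LINES)
    for rec in recs:
        print(rec['event'], rec.get('State') or rec.get('Command'))
    print(audit_admin_commands(recs, ['10.13.9.0/24']))
```

The hostname is made optional because, as the example messages show, some NetScaler lines carry it after the timestamp and others do not; a parser that assumes a fixed column count silently mis-assigns every field after it.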


F5 Networks Application Security Manager
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: Syslog
Metrics/Logs collected: Application-level attack events such as invalid directory access, SQL injection and cross-site exploits
Used for: Log analysis and compliance

Event Types
In ADMIN > Device Support > Event, search for "f5-asm" in the Name column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
- For Port, enter 514.
- Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog
<134>Jun 26 14:18:56 f5virtual.tdic.ae ASM:CEF:0|F5|ASM|10.2.1|Successful Request|Successful Request|2|dvchost=f5virtual.adic.com dvc=192.168.1.151 cs1=master-key_default cs1Label=policy_name cs2=master-key cs2Label=web_application_name deviceCustomDate1=Jul 13 2011 16:24:25 deviceCustomDate1Label=policy_apply_date externalId=3601068286554428885 act=passed cn1=404 cn1Label=response_code src=10.10.77.54 spt=49399 dst=10.10.175.82 dpt=443 requestMethod=POST app=HTTPS request=/ipp/port1 cs5=N/A cs5Label=x_forwarded_for_header_value rt=Jun 26 2012 14:18:55 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A cs6Label=geo_location cs3Label=full_request cs3=POST /ipp/port1 HTTP/1.1\r\nHost: 127.0.0.1:631\r\nCache-Control: no-cache\r\nContent-Type: application/ipp\r\nAccept: application/ipp\r\nUser-Agent: Hewlett-Packard IPP\r\nContent-Length: 9\r\n\r\n


F5 Networks Local Traffic Manager
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, serial number, hardware (CPU, memory, network interface, disk etc.) and software information (running and installed software)
Metrics/Logs collected: Uptime, CPU, Memory, Disk utilization, Interface Utilization, Hardware status, process level CPU and memory utilization
Used for: Performance/Availability Monitoring

Protocol: SNMP Trap
Metrics/Logs collected: Exception situations including hardware failures, certain security attacks, Policy violations etc.
Used for: Performance/Availability Monitoring

Protocol: Syslog
Metrics/Logs collected: Permitted and Denied traffic
Used for: Log analysis and compliance

Event Types
In ADMIN > Device Support > Event, search for "f5-LTM" in the Name column to see the event types associated with this device. Search for "f5-BigIP" in ADMIN > Device Support > Event to see event types associated with SNMP traps for this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.


Configuration

SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

SNMP Trap
FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Example SNMP Trap

2012-01-18 14:13:43 0.0.0.0(via UDP: [192.168.20.243]:161) TRAP2, SNMP v2c, community public
. Cold Start Trap (0) Uptime: 0:00:00.00
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (33131) 0:05:31.31
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.3375.2.5.0.1

Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
- For Port, enter 514.
- Make sure the syslog format matches that shown in the example below. The example is the native BIG-IP log format (process name and numeric message ID such as 01200004:5:), not CEF.

Example Syslog

<133>Oct 20 13:52:46 local/tmm notice tmm[5293]: 01200004:5: Packet rejected remote IP 172.16.128.26 port 137 local IP 172.16.128.255 port 137 proto UDP: Port closed.
<134>Jul 30 15:28:33 tmm1 info tmm1[7562]: 01070417: 134: ICSA: non-session UDP packet accepted, source: 112.120.125.48 port: 10144, destination: 116.58.240.252 port: 53
<134>Jul 30 15:28:33 tmm1 info tmm1[7562]: 01070417: 134: ICSA: non-session TCP packet accepted, source: 108.83.156.153 port: 59773, destination: 116.58.240.225 port: 80
<134>Jul 30 15:28:33 tmm2 info tmm2[7563]: 01070417: 134: ICSA: non-session ICMP packet accepted, source: 10.11.218.10, destination: 10.255.111.2, type code: Echo Reply


Settings for Access Credentials

SNMP Access Credentials for All Devices
Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String.

Setting             Value
Name                <set name>
Device Type         Generic
Access Protocol     SNMP
Community String    <your own>


F5 Networks Web Accelerator
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: Syslog
Metrics/Logs collected: Permitted traffic
Used for: Log analysis and compliance

Event Types
In ADMIN > Device Support > Event, search for "f5-web" in the Name column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
- For Port, enter 514.
- Make sure the syslog format matches that shown in the example below (an access-log style line, not CEF).
Example Syslog
<182>Oct 20 13:52:56 local/BadReligion1 info logger: [ssl_acc] 1.1.1.2 - admin [20/Oct/2011: 13:52:56 -0400] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 654


Fortinet FortiADC

Integration Points

Method: syslog
Information discovered: Host name, Reporting IP
Metrics collected: None
Logs collected: Event, Security and Traffic logs
Used for: Security monitoring

Event Types
In ADMIN > Device Support > Event, Search for "FortiADC" to see the event types associated with this device.
Rules
No specific rules are written for FortiADC Web application firewall but generic firewall rules will apply.
Reports
No specific reports are written for the FortiADC Web application firewall, but generic firewall reports will apply.
Configuration
Configure the FortiADC Web application firewall to send logs to FortiSIEM in the supported format (see Sample Events below).
Settings for Access Credentials
None required
Sample Events
<6>date=2019-06-12 time=13:05:52 device_id=FAD2KD3114000026 log_id=0000000100 type=event subtype=config pri=information vd=root msg_id=71118385 user=user1 ui=GUI(1.2.3.4) action=add cfgpath=log setting remote cfgobj=<No.> cfgattr=1 logdesc=Change the configuration msg="added a new entry '1' for "log setting remote" on domain "root""
<1>date=2019-06-12 time=13:06:52 device_id=FAD2KD3114000026 log_id=0003000235 type=event subtype=system pri=alert vd=root msg_id=71118386 submod=update user=system ui=system action=update status=none logdesc=License could not be validated msg="Unable to connect to FDS server"
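The sample events above are in Fortinet's key=value log format, and two details of it trip up naive parsers: unquoted values may contain spaces (cfgpath=log setting remote, logdesc=Change the configuration), and the quoted msg value contains unescaped inner double quotes. The following parser is an added example, not the guide's text or FortiSIEM's own parser; it takes each value to run from its key up to the start of the next key= token, which handles both cases, and then pulls out configuration-change audit records and device-rated high-severity events. The sample lines are constructed from the two events in this section.

```python
import re

# Constructed sample, adapted from the two sample events in this section.
SAMPLE_EVENTS = [
    '<6>date=2019-06-12 time=13:05:52 device_id=FAD2KD3114000026 log_id=0000000100 '
    'type=event subtype=config pri=information vd=root msg_id=71118385 user=user1 '
    'ui=GUI(1.2.3.4) action=add cfgpath=log setting remote cfgobj=<No.> cfgattr=1 '
    'logdesc=Change the configuration '
    'msg="added a new entry \'1\' for "log setting remote" on domain "root""',
    '<1>date=2019-06-12 time=13:06:52 device_id=FAD2KD3114000026 log_id=0003000235 '
    'type=event subtype=system pri=alert vd=root msg_id=71118386 submod=update '
    'user=system ui=system action=update status=none '
    'logdesc=License could not be validated msg="Unable to connect to FDS server"',
]

PRI_RE = re.compile(r'^<(\d{1,3})>')
# A key is a run of [A-Za-z0-9_] followed by '=', at the start of the
# message or right after whitespace. A value runs up to the next such key.
KEY_RE = re.compile(r'(?:^|(?<=\s))([A-Za-z_][A-Za-z0-9_]*)=')


def parse_fortiadc(line):
    """Parse one FortiADC syslog message into a dict.

    Splitting on spaces would break 'cfgpath=log setting remote'; splitting on
    quotes would break the msg value, which contains unescaped inner double
    quotes. Instead each value is everything between its '=' and the start of
    the next key. Only one pair of outer quotes is stripped; inner quotes are
    kept verbatim.
    """
    record = {}
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        record['syslog_facility'] = pri // 8
        record['syslog_severity'] = pri % 8
        line = line[m.end():]
    keys = list(KEY_RE.finditer(line))
    for i, km in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(line)
        value = line[km.end():end].strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        record[km.group(1)] = value
    return record


def config_changes(records):
    """Return who changed what, from type=event subtype=config audit events."""
    out = []
    for r in records:
        if r.get('type') == 'event' and r.get('subtype') == 'config':
            out.append({
                'user': r.get('user'),
                'ui': r.get('ui'),
                'action': r.get('action'),
                'cfgpath': r.get('cfgpath'),
                'msg': r.get('msg'),
            })
    return out


def high_severity(records):
    """Events FortiADC itself rates emergency, alert or critical (pri field)."""
    return [r for r in records if r.get('pri') in ('emergency', 'alert', 'critical')]


if __name__ == '__main__':
    recs = [parse_fortiadc(e) for e in SAMPLE_EVENTS]
    for c in config_changes(recs):
        print(f"{c['user']} via {c['ui']}: {c['action']} {c['cfgpath']} -> {c['msg']}")
    for r in high_severity(recs):
        print('ALERT', r['logdesc'], '-', r['msg'])
```

The key-boundary approach has one known limit, noted in the code: if a quoted value that is not the last field contains text of the form word=, the parser will treat that as a new key. In the Fortinet format msg is normally the last field, so this does not arise in the samples above.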


Qualys Web Application Firewall
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: Syslog
Metrics/Logs collected: Permitted and Denied Web traffic
Used for: Log analysis and compliance

Event Types
The following event types are generated by parsing Qualys Web Application Firewall traffic logs and analyzing the HTTP error code.
- Qualys-WAF-Web-Request-Success
- Qualys-WAF-Web-Bad-Request
- Qualys-WAF-Web-Client-Access-Denied
- Qualys-WAF-Web-Client-Error
- Qualys-WAF-Web-Forbidden-Access-Denied
- Qualys-WAF-Web-Length-Reqd-Access-Denied
- Qualys-WAF-Web-Request
- Qualys-WAF-Web-Request-Redirect
- Qualys-WAF-Web-Server-Error
Rules
There are no predefined rules for this device.
Reports
Relevant reports are defined in RESOURCE > Reports > Device > Network > Web Gateway.
Configuration
FortiSIEM processes events from this device via syslog sent in JSON format. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting            Value
Name               <set name>
Device Type        Qualys Web Application Firewall
Access Protocol    See Access Credentials
Port               See Access Credentials
Password config    See Password Configuration

Example Syslog
Note that a single JSON-formatted syslog message carries one request/response record, and that record may contain several security events.
<1350>1 2015-05-15T12:57:30.945000+00:00 localhost qualys_waf - QUALYS_WAF {"timestamp":"2015-05-15T12:57:30.945-00:00","duration":6011,"id":"487c116c-4908-4ce3-b05ceda5d5bb7045","clientIp":"172.27.80.170","clientPort":9073,"sensorId":"d3acc41f-d1fc-43beaf71-e7e10e9e66e2","siteId":"41db0970-8413-4648-b7e2-c50ed53cf355","connection":{"id":"bc1379fe-317e-4bae-ae302a382e310170","clientIp":"172.27.80.170","clientPort":9073,"serverIp":"192.168.60.203","serverPort":443},
"request":{"method":"POST","uri":"/","protocol":"HTTP/1.1","host":"eserstest.foo.org","bandwidth":0,"headers":[{"name":"Content-Length","value":"645"},{"name":"Accept","value":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"},{"name":"User-Agent","value":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36"},{"name":"Content-Type","value":"application/x-www-form-urlencoded"},{"name":"Referer","value":"https://eserstest.ohsers.org/"},{"name":"Accept-Encoding","value":"gzip, deflate"},{"name":"Accept-Language","value":"en-US,en;q=0.8"}],"headerOrder":"HILCAUTRELO"},
"response":{"protocol":"HTTP/1.1","status":"200","message":"OK","bandwidth":0,"headers":[{"name":"Content-Type","value":"text/html; charset=utf-8"},{"name":"Server","value":"Microsoft-IIS/8.5"},{"name":"Content-Length","value":"10735"}],"headerOrder":"CTXSDL"},
"security":{"auditLogRef":"b02f96e9-26494a83-9459-6a02da1a5f05","threatLevel":60,"events":[{"tags":["qid/226015","cat/XPATHi","cat/SQLi","qid/150003","loc/req/body/txtUserId","cfg/pol/applicationSecurity"],"type":"Alert","rule":"main/qrs/sqli/xpathi/condition_escaping/boolean/confidence_high/3","message":"Condition escaping detected (SQL or XPATH injection) txtUserId.","confidence":80,"severity":60,"id":"262845566"},{"tags":["cat/correlation","qid/226016"],"type":"Observation","rule":"main/correlation/1","message":"Info: Threat level exceeded blocking threshold (60).","confidence":0,"severity":0,"id":"262846018"},{"tags":["cat/correlation","qid/226016"],"type":"Observation","rule":"main/correlation/1","message":"Info: Blocking refused as blocking mode is disabled.","confidence":0,"severity":0,"id":"262846167"},{"tags":["cat/correlation","cat/XPATHi","qid/226015"],"type":"Alert","rule":"main/correlation/1","message":"Detected: XPATHi.","confidence":80,"severity":60,"id":"268789851"}]}}

Log Aggregators
FortiSIEM supports these log aggregators.
- Fortinet FortiAnalyzer

Fortinet FortiAnalyzer
- Overview
- Configuring FortiAnalyzer
- Configuring FortiSIEM Collectors to Receive Logs from FortiAnalyzer
Overview
Customers of both FortiAnalyzer and FortiSIEM may want to take event data already aggregated on FortiAnalyzer and forward those events to FortiSIEM.
Configuring FortiAnalyzer
- Setting Up the Syslog Server
- Pre-Configuration for Log Forwarding
- Configuring Log Forwarding
Setting Up the Syslog Server
1. Log in to FortiAnalyzer.
2. Go to System Settings > Advanced > Syslog Server.
   a. Click the Create New button.
   b. Enter the Name. (It is recommended to use the name of the FortiSIEM server.)
   c. Fill in the IP address (or FQDN) with the IP or fully qualified name of the FortiSIEM server.
   d. Leave the Syslog Server Port at the default value '514'.
   e. Click OK to save your entries.
Pre-Configuration for Log Forwarding
To configure FortiAnalyzer event forwarding to FortiSIEM, you must first set up the following.
1. Install a FortiSIEM collector in the same subnet as the FortiAnalyzer that will be forwarding the events.
Note: The same-subnet requirement exists because FortiAnalyzer will later be configured to spoof the original sender's source IP on the packets it sends to the collector. If FortiAnalyzer and the collector were on different subnets, RPF (reverse path forwarding) checks on the intervening network equipment would have to be disabled.
2. It is recommended that for every 5,000 EPS (events per second) ingested, you add one collector with 8 vCPU and 8 GB RAM. If more than 5,000 EPS will be forwarded from FortiAnalyzer, set up a load balancer with multiple collectors behind it, allowing UDP 514 inbound.
Configuring Log Forwarding
Take the following steps to configure log forwarding on FortiAnalyzer.

1. Go to System Settings > Log Forwarding.
2. Click the Create New button in the toolbar. The Create New Log Forwarding pane opens.
3. Fill in the information as per the table below, then click OK to create the new log forwarding. The FortiAnalyzer device will start forwarding logs to the server.

Field                    Input
Name                     FortiSIEM-Forwarding
Status                   On
Remote Server Type       Syslog
Compression              OFF
Sending Frequency        Real-time
Log Forwarding Filters   Select all desired Administrative Domains (ADOMs) / device logs you'd like to forward

4. Go to the CLI Console and configure the CLI-only log forward option by running the following CLI commands.
Notes:
- Logs received by FortiAnalyzer and then forwarded to FortiSIEM have the source IP of the log packet overwritten with the IP address of the FortiAnalyzer appliance. This hides the "true" source of the log packet from FortiSIEM. To override this behavior, FortiAnalyzer can spoof the original log sender's IP address when forwarding to FortiSIEM. This allows FortiSIEM collectors to receive all the original information as if they had received the logs directly from the originating device.
- For FortiAnalyzer versions 6.0 and later, use the following CLI. Note: Replace <id> with the actual name of the log forward created earlier.
config system log-forward
    edit <id>
        set mode forwarding
        set fwd-max-delay realtime
        set server-name "<FSM_Collector>"
        set server-ip "a.b.c.d"
        set fwd-log-source-ip original_ip
        set fwd-server-type syslog
    next
end
- For FortiAnalyzer versions 5.6 to 5.9, use the following CLI. Note: Replace <id> with the actual name of the log forward created earlier.
config system log-forward
    edit <id>
        set mode forwarding
        set fwd-max-delay realtime
        set server-ip "a.b.c.d"
        set fwd-log-source-ip original_ip
        set fwd-server-type syslog
    next
end
- For FortiAnalyzer versions earlier than 5.6, use the following CLI. Note: For <id>, you can choose the number for your FortiSIEM syslog entry.
config system aggregation-client
    edit <id>
        set fwd-log-source-ip original_ip
    next
end
Configuring FortiSIEM Collector to Receive Logs from FortiAnalyzer
To configure the FortiSIEM collector to receive logs from FortiAnalyzer, you must disable the reverse path filtering (RPF) checks that would otherwise cause the collector virtual machine to drop the forwarded log packets, whose source IP is spoofed to that of the original sender.
sysctl -w net.ipv4.conf.all.rp_filter=0
To make this change persistent across reboots, add the following line to the /etc/sysctl.conf file.
net.ipv4.conf.all.rp_filter=0
Notes:
- Linux applies the larger of net.ipv4.conf.all.rp_filter and the per-interface net.ipv4.conf.<interface>.rp_filter value. If the collector's per-interface value is already 1 (a common distribution default, inherited from net.ipv4.conf.default.rp_filter), the setting above is not enough on its own: also set net.ipv4.conf.<interface>.rp_filter=0 on the interface that receives logs from FortiAnalyzer, and confirm the effective value with sysctl net.ipv4.conf.<interface>.rp_filter.
- With RPF disabled and source addresses spoofed, the collector cannot distinguish logs forwarded by FortiAnalyzer from logs injected by any other host on the same subnet, and filtering by source IP on the collector is no longer meaningful. Limit which hosts can reach the collector on UDP 514 at the switch or hypervisor level instead.

Network Compliance Management Applications
FortiSIEM supports these Network Compliance Management applications and monitoring.
- Cisco Network Compliance Manager
- PacketFence

Cisco Network Compliance Manager

What is Discovered and Monitored

Protocol: Syslog
Metrics/Logs collected: Network device software update, configuration analysis for compliance, admin login
Used for: Log analysis and compliance

Event Types
Over 40 event types are generated by parsing Cisco Network Compliance Manager logs. The complete list can be found in ADMIN > Device Support > Event by searching for "Cisco-NCM". Some important ones are:
- Cisco-NCM-Device-Software-Change
- Cisco-NCM-Software-Update-Succeeded
- Cisco-NCM-Software-Update-Failed
- Cisco-NCM-Policy-Non-Compliance
- Cisco-NCM-Device-Configuration-Deployment
- Cisco-NCM-Device-Configuration-Deployment-Failure
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
Example Syslog
Note that a single event can span many lines, as in the first example below.
490998571 Mon Mar 03 03:09:31 EST 2014 Savvy Device Command Script Completed Successfully server01.foo.com 10.4.161.32 Script 'Re-enable EasyTech port for Cisco IOS configuration' completed. Connect - Succeeded Connected via ssh to 10.170.30.9 [in realm Default Realm] Login / Authentication - Succeeded Successfully used: Last successful password (Password rule Retail TACACS NCM Login) Optional:Script - Succeeded Successfully executed: prepare configuration for deployment Script - Succeeded Successfully executed: deploy to running configuration via TFTP through CLI Bypassed: deploy to running configuration via SCP through CLI. (Requires SCP, CLI to be enabled.) Tried: deploy to running configuration via FTP through CLI (Warning: SSH server username or password not specified in NA admin settings.) Optional:Script - Succeeded Successfully executed: determine result of deployment operation Script run: ------------------------------------------------------------ ! interface fast0/16 no shut
491354611 Tue Mar 04 03:38:22 EST 2014 FooA Software Update Succeeded server01.foo.com 1.1.1.32 44571 10.173.30.9 $OrignatorEmail$ FooA Update Device Software 2014-03-04 03:30:00.0 usmist_1699295009 (1.13.3.9) Succeeded

PacketFence Network Access Control (NAC)
- Integration points
- Configuring PacketFence Network Access Control
- Parsing and Events

Integration points

Protocol: Syslog
Information Discovered: User network admission control events
Used For: Security and Compliance

Configuring PacketFence NAC
Follow the PacketFence NAC documentation to send syslog to FortiSIEM.
Configuring FortiSIEM
FortiSIEM automatically recognizes PacketFence NAC syslog as long as it follows the format shown in the sample syslog:
Oct 9 11:29:34 10.2.204.81 1 2018-10-09T11:29:34.04189+01:00 example.com packetfence.log - - Oct 11 15:42:00 httpd.aaa(4765) WARN: [mac:40:83:1d:12:2a:cb] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
Parsing and Events
Over 20 event types are parsed. See them in RESOURCES > Event Types by searching for "PacketFence-NAC-".

Network Intrusion Prevention Systems (IPS)
FortiSIEM supports these intrusion prevention systems for discovery and monitoring.
- 3COM TippingPoint UnityOne IPS
- AirTight Networks SpectraGuard
- Alert Logic IRIS API
- Cisco Firepower Management Center (FMC) - Formerly Cisco FireSIGHT and FirePower Threat Defence
- Cisco Intrusion Prevention System
- Cisco Stealthwatch
- Cylance Protect Endpoint Protection
- Cyphort Cortex Endpoint Protection
- Damballa Failsafe
- Darktrace CyberIntelligence Platform
- FireEye Malware Protection System (MPS)
- FortiDDoS
- Fortinet FortiDeceptor
- Fortinet FortiNAC
- Fortinet FortiSandbox Configuration
- Fortinet FortiTester
- IBM Internet Security Series Proventia
- Indegy Security Platform
- Juniper DDoS Secure
- Juniper Networks IDP Series
- McAfee IntruShield
- McAfee Stonesoft IPS
- Motorola AirDefense
- Nozomi
- Radware DefensePro
- Snort Intrusion Prevention System
- Sourcefire 3D and Defense Center
- Trend Micro Deep Discovery
- Zeek (Bro) Installed on Security Onion

3Com TippingPoint UnityOne IPS

What is Discovered and Monitored

Protocol: SNMP
Metrics Collected: CPU, memory, Interface utilization
Used For: Performance and Availability Monitoring

Protocol: Syslog
Metrics Collected: IPS Alerts
Used For: Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "tippingpoint" in the Device Type and Description columns to see the event types associated with this device.

Configuration

SNMP
1. Log in to the TippingPoint appliance or the SMS Console.
2. Go to System > Configuration > SMS/NMS.
3. For SMS Authorized IP Address/CIDR, make sure any is entered. (Entering the FortiSIEM address or subnet instead of any limits which hosts may poll the device over SNMP.)
4. Select Enabled for SNMP V2.
5. For NMS Community String, enter public. (public is the value used as an example here; in production use a unique, non-default community string and set the same string in the FortiSIEM SNMP credential.)
6. Click Apply.

Syslog

1. Log in to the TippingPoint appliance or the SMS Console.
2. Go to System > Configuration > Syslog Servers.
3. Under System Log, enter the IP address of the FortiSIEM virtual appliance.
4. Select Enable syslog offload for System Log.
5. Under Audit Log, enter the IP address of the FortiSIEM virtual appliance.
6. Select Enable syslog offload for Audit Log.
7. Click Apply.
Configure the Syslog Forwarding Policy (Filter Notification Forwarding)
The filter log can be configured to generate events related to specific traffic on network segments that must pass through the device. This log includes three categories of events.

Event Category   Description
Alert            Alert events indicate that the IPS has detected suspicious activity in the packet, but still permits the packet to pass through (specific settings are controlled by the administrator profile).
Block            Block events are malicious packets not permitted to pass.
P2P              Refers to peer-to-peer traffic events.

In addition, filter events contain a UUID, which is a unique identifier that correlates with the exact security threat defined by TippingPoint Digital Vaccine files. The FortiSIEM virtual appliance will correlate these with authoritative databases of security threats.
1. Go to IPS > Action Sets.
2. Click Permit + Notify.
3. Under Contacts, click Remote Syslog.
4. Under Remote Syslog Information, enter the IP address of the FortiSIEM virtual appliance.
5. Make sure the Port is set to 514.
6. Make sure Delimiter is set to tab, comma, or semicolon.
7. Click Add to Table Below.
You should now see the IP address of the FortiSIEM virtual appliance appear as an entry in the Remote Syslogs table.

Sample parsed syslog messages
Directly from the TippingPoint IPS device
<36>Oct 28 13:10:45 9.0.0.1 ALT,v4,20091028T131045+0480,"PH-QATIP1"/20.30.44.44,835197,1,Permit,Minor,00000002-0002-0002-0002-000000000089,"0089: IP: Short Time To Live (1)","0089: IP: Short Time To Live (1)",ip," ",172.16.10.1:0,224.0.0.5:0,20091028T130945+0480,6," ",0,1A-1B
<37>Nov 5 20:16:19 20.30.44.44 BLK,v4,20091105T201619+0480,"PH-QATIP1"/20.30.44.44,70,2,Block,Low,00000002-0002-0002-0002-000000004316,"4316: OSPF: OSPF Packet With Time-To-Live of 1","4316: OSPF: OSPF Packet With Time-To-Live of 1",ip," ",172.16.10.1:0,224.0.0.5:0,20091105T201619+0480,1," ",0,1A-1B
<37>Jul 12 15:04:01 SOCIPS01 ALT,v5,20110712T150401-0500,SOCIPS01/192.168.10.122,3225227,1,Permit,Low,00000002-0002-0002-0002-000000010960,"10960: IM: Google GMail Chat SSL Connection Attempt","10960: IM: Google GMail Chat SSL Connection Attempt",tcp," ",156.63.133.8,10948,72.14.204.189,443,20110712T150239-0500,3," ",0,6A-6B
From the TippingPoint NMS device
<36> 7 2 00000002-0002-0002-0002-000000001919 00000001-0001-0001-0001-000000001919 1919: Backdoor: Psychward 1919 tcp 10.1.1.100 13013 10.1.1.101 1240 3 3 2 207-2400-Jack 33761793 1109876221622


Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting            Value
Name               <set name>
Device Type        3Com TippingPoint UnityOne IPS
Access Protocol    See Access Credentials
Port               See Access Credentials
Password config    See Password Configuration


AirTight Networks SpectraGuard
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: Syslog

Event Types
In ADMIN > Device Support > Event, search for "airtight" in the Device Type column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
- For Port, enter 514.
- Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting            Value
Name               <set name>
Device Type        AirTight SpectraGuard
Access Protocol    See Access Credentials
Port               See Access Credentials
Password config    See Password Configuration

Example Syslog
<30><2013.09.09 19:45:16>CEF:0|AirTight|SpectraGuard Enterprise|6.7|5.51.515| Authorized AP operating on non-allowed channel|3|msg=Stop: Authorized AP [AP2.12.c11d] is operating on non-allowed channel. rt=Sep 09 2013 19:45:16 UTC dvc=10.255.1.36 externalId=726574 dmac=58:BF:EA:FA:26:EF cs1Label=TargetDeviceName cs1=AP2.12.c11d cs2Label=SSID cs2=WiFiHiSpeed cs3Label=SecuritySetting cs3=802.11i cn1Label=RSSI_dBm cn1=-50 cn2Label=Channel cn2=149 cs4Label=Location cs4=//FB/FBFL2
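Both this AirTight SpectraGuard example and the F5 Networks Application Security Manager example earlier in this chapter are CEF messages, and both rely on the same two CEF features a parser must get right: header fields separated by unescaped pipes, and extension values that may contain spaces, CEF escape sequences (the literal \r\n in the F5 full_request) and "label" keys (cs1Label=policy_name) that give the custom fields their real names. The parser below is an added example, not the guide's text or FortiSIEM's own parser, and it is exercised against constructed copies of both sample messages; it resolves the label pairs into a named field dictionary so that, for instance, the F5 response code and the AirTight channel and SSID come out under the names the vendor intended.

```python
import re

# Constructed samples, adapted from the F5 ASM and AirTight SpectraGuard example
# syslog messages in this guide. The \r\n sequences in the F5 line are the
# literal backslash escapes CEF uses for CR/LF, hence the raw string.
F5_ASM_SAMPLE = (
    r'<134>Jun 26 14:18:56 f5virtual.tdic.ae ASM:CEF:0|F5|ASM|10.2.1|Successful Request|'
    r'Successful Request|2|dvchost=f5virtual.adic.com dvc=192.168.1.151 '
    r'cs1=master-key_default cs1Label=policy_name cs2=master-key cs2Label=web_application_name '
    r'deviceCustomDate1=Jul 13 2011 16:24:25 deviceCustomDate1Label=policy_apply_date '
    r'externalId=3601068286554428885 act=passed cn1=404 cn1Label=response_code '
    r'src=10.10.77.54 spt=49399 dst=10.10.175.82 dpt=443 requestMethod=POST app=HTTPS '
    r'request=/ipp/port1 cs5=N/A cs5Label=x_forwarded_for_header_value rt=Jun 26 2012 14:18:55 '
    r'deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A cs6Label=geo_location '
    r'cs3Label=full_request cs3=POST /ipp/port1 HTTP/1.1\r\nHost: 127.0.0.1:631\r\n'
    r'Cache-Control: no-cache\r\nContent-Type: application/ipp\r\nAccept: application/ipp\r\n'
    r'User-Agent: Hewlett-Packard IPP\r\nContent-Length: 9\r\n\r\n'
)
AIRTIGHT_SAMPLE = (
    '<30><2013.09.09 19:45:16>CEF:0|AirTight|SpectraGuard Enterprise|6.7|5.51.515|'
    ' Authorized AP operating on non-allowed channel|3|msg=Stop: Authorized AP [AP2.12.c11d] '
    'is operating on non-allowed channel. rt=Sep 09 2013 19:45:16 UTC dvc=10.255.1.36 '
    'externalId=726574 dmac=58:BF:EA:FA:26:EF cs1Label=TargetDeviceName cs1=AP2.12.c11d '
    'cs2Label=SSID cs2=WiFiHiSpeed cs3Label=SecuritySetting cs3=802.11i cn1Label=RSSI_dBm '
    'cn1=-50 cn2Label=Channel cn2=149 cs4Label=Location cs4=//FB/FBFL2'
)

HEADER_FIELDS = ('version', 'vendor', 'product', 'device_version', 'signature_id', 'name', 'severity')
# An extension key is [A-Za-z0-9_]+ followed by '=', at the start or after whitespace.
KEY_RE = re.compile(r'(?:^|(?<=\s))([A-Za-z0-9_]+)=')
# CEF escapes: backslash-r, backslash-n, backslash-equals, backslash-pipe, double backslash.
ESCAPES = {'r': '\r', 'n': '\n', '\\': '\\', '=': '=', '|': '|'}


def unescape(value):
    # Unknown escapes are left untouched rather than dropped.
    return re.sub(r'\\(.)', lambda m: ESCAPES.get(m.group(1), m.group(0)), value)


def parse_extension(text):
    """Split the extension into key/value pairs without splitting on spaces.

    A value runs from its '=' to the start of the next 'key=' token, so values
    with spaces (rt=Jun 26 2012 14:18:55) and the escaped multi-line request
    in cs3 survive intact.
    """
    keys = list(KEY_RE.finditer(text))
    ext = {}
    for i, km in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        ext[km.group(1)] = unescape(text[km.end():end].strip())
    return ext


def resolve_labels(ext):
    """Map cs1Label=policy_name plus cs1=master-key_default to {'policy_name': ...}."""
    named = {}
    for key, label in ext.items():
        if key.endswith('Label') and key[:-5] in ext:
            named[label] = ext[key[:-5]]
    return named


def parse_cef(line):
    """Parse a syslog line carrying a CEF record; return None if there is no CEF header."""
    pos = line.find('CEF:')
    if pos < 0:
        return None
    # Header fields are '|'-separated; an escaped pipe inside a field does not split.
    parts = re.split(r'(?<!\\)\|', line[pos + len('CEF:'):], maxsplit=7)
    if len(parts) != 8:
        return None
    record = {name: unescape(parts[i]).strip() for i, name in enumerate(HEADER_FIELDS)}
    record['severity'] = int(record['severity'])
    record['syslog_prefix'] = line[:pos]
    record['ext'] = parse_extension(parts[7])
    record['fields'] = resolve_labels(record['ext'])
    return record


if __name__ == '__main__':
    for sample in (F5_ASM_SAMPLE, AIRTIGHT_SAMPLE):
        rec = parse_cef(sample)
        print(rec['vendor'], rec['product'], rec['name'], rec['severity'])
        print('  ', rec['fields'])
```

The maxsplit on the header is deliberate: only the first seven pipes delimit header fields, and anything after the seventh is extension data even if it contains further pipes.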


Alert Logic IRIS API
Support for Alert Logic IRIS API allows FortiSIEM to respond to incidents and events in real-time with up-to-date situational awareness and comprehensive security analytics.
- Integration Points
- Event Types
- Reports
- Rules
- Configuring Alert Logic IRIS for FortiSIEM API Access
- Configuring FortiSIEM for Alert Logic IRIS API Access
- Sample Events

Integration Points

Protocol: Alert Logic IRIS API
Information Discovered: Security alerts created by Alert Logic
Used For: Security and Compliance

Event Types
In RESOURCES > Event Types, enter "AlertLogic" in the Search field to see the event types associated with this device.
Rules
In RESOURCE > Rules, enter "AlertLogic" in the Search field to see the rules associated with this device.
Reports
No defined reports.
Configuring Alert Logic for FortiSIEM API Access
Get API Key from Alert Logic
1. Log in to the Alert Logic user interface.
2. On the left menu, select Admin > Account.
3. Click New API Key.
4. Enter a descriptive name in the Generate New API Key dialog box.


5. Click Save to generate the API key. A file containing your API key information (ID, ClientSecret, and Name) will be downloaded. The ID and ClientSecret will be used by FortiSIEM. The downloaded file contains the secret, so handle it as you would any other credential and delete it once the values have been entered in FortiSIEM.

Configuring FortiSIEM for Alert Logic API Access

Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials:
a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box and click Save:

Name: Enter a name for the credential.
Device Type: Alert Logic IPS
Access Protocol: Alert Logic IPS
Pull Interval: The interval in which FortiSIEM will pull events from Alert Logic. Default is 5 minutes.
Access Key ID: Access key for your Alert Logic instance.
Secret Key: Secret key for your Alert Logic instance.
Organization: The organization the device belongs to.
Description: Description of the device.

3. In Step 2: Enter IP Range to Credential Associations:
   a. Select the name of your Alert Logic credential from the Credentials drop-down list.
   b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
   c. Click Save.
4. Click Test to test the connection to Alert Logic.
5. To see the jobs associated with Alert Logic, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter "Alert Logic" in the search box.

Sample Events
Raw events of an incident start with [AlertLogic_Incident]:
[AlertLogic_Incident]:[reptDevIpAddr]=10.10.10.10,[reptDevName]=api.cloudinsight.alertlogic.com,[accountId]=11111111.0,[phCustId]=1,[inIncidentAcknowledgeStatus]=closed,[inIncidentEventFirstSeen]=1558710055.0,[inIncidentClearedTime]=1558710055.0,[inIncidentCreateTime]=1558710161.9708278,[inIncidentCreatedUserId]=,[inIncidentLastModifiedTime]=0,[inIncidentLastModifiedUser]=,[inCustomerName]=1074822-INT4 - RMS FAWS Test,[msg]=This is a correlation incident,[inIncidentId]=e911347e8c1ca0fa,[inIncidentStatus]=closed,[attackType]=suspicious-activity,[type]=,[count]=0.0,[comment]=Test,[eventSeverity]=5,[eventType]=AlertLogic-Incident-Mei_Test,[srcIpAddr]=255.255.255.255,[destIpAddr]=255.255.255.255
Raw events of an associated event start with [AlertLogic_Incident_Associated_Event]:
[AlertLogic_Incident_Associated_Event]:[reptDevIpAddr]=10.10.10.10,[phCustId]=,[reptDevIpAddr]=34.192.118.124,[reptDevName]=api.cloudinsight.alertlogic.com,[accountId]=100000,[inIncidentId]=e9113683d6815742,[httpContentType]=application/x-alpacket-megmsgs,[description]=meta,[resourceType]=associated log,[resourceName]=Log,[uuid]=UVUxSk5BQ2tNS3NBQUFBQVhQQnNkRnp3YkhRQUFiRE1BQUVBSG1Gd2NHeHBZMkYwYVc5dUwzZ3RZV3h3WVdOclpYUXRiV1ZuYlhObmN3QUdURTlIVFZOSDphcHBsaWNhdGlvbi94LWFscGFja2V0LW1lZ21zZ3M6ZTkxMTM2ODNkNjgxNTc0MjoxMDc2MDM2Mw==,[hostName]=meta,[msg]=dddddddd,[eventSeverity]=5,[procId]=0,[procName]=meta,[collectorTime]=1559260276,[reptDevName]=user,[eventType]=AlertLogic_e9113683d6815742_Associated_Event


Cisco Firepower Management Center (FMC) - Formerly FireSIGHT and FirePower Threat Defense
Cisco Firepower Management Center (FMC) provides complete and unified management over firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection. It can easily go from managing a firewall to controlling applications to investigating and remediating malware outbreaks.
This section describes how FortiSIEM collects logs from the Cisco FireSIGHT console and FirePower Threat Defense via the eStreamer API integration. FortiSIEM provides two integration options: the FortiSIEM built-in eStreamer integration, or the Cisco FirePower eStreamer eNcore client.
The Cisco eNcore client collects system intrusion, discovery, and connection data from the Firepower Management Center or managed device (also referred to as the eStreamer server) and delivers it to external client applications, in this case via syslog to FortiSIEM.
- What is Discovered and Monitored
- Using FortiSIEM Client
- Using Cisco eStreamer Client

What is Discovered and Monitored

Protocol: eStreamer API
Logs Collected: Intrusion Events, Malware Events, File Events, Discovery Events, User Activity Events, Impact Flag Events
Used For: Security Monitoring

Rules
There are no predefined rules for this device.
Reports
The following reports are provided:
- Top Cisco FireAMP Malware Events
- Top Cisco FireAMP File Analysis Events
- Top Cisco FireAMP Vulnerable Intrusion Events
- Top Cisco FireAMP Discovered Login Events
- Top Cisco FireAMP Discovered Network Protocol
- Top Cisco FireAMP Discovered Client App
- Top Cisco FireAMP Discovered OS
Using FortiSIEM Client
FortiSIEM obtains events from Cisco FireSIGHT via eStreamer protocol.

Event Types
- Intrusion events: PH_DEV_MON_FIREAMP_INTRUSION
[PH_DEV_MON_FIREAMP_INTRUSION]:[eventSeverity]=PHL_CRITICAL, [fileName]=phFireAMPAgent.cpp,[lineNumber]=381,[reptDevIpAddr]=10.1.23.177, [envSensorId]=6,[snortEventId]=393258,[deviceTime]=1430501705,[eventType]=Snort-1, [compEventType]=PH_DEV_MON_FIREAMP_INTRUSION,[ipsGeneratorId]=137,[ipsSignatureId]=2, [ipsClassificationId]=32,[srcIpAddr]=10.131.10.1,[destIpAddr]=10.131.10.120, [srcIpPort]=34730,[destIpPort]=443,[ipProto]=6,[iocNum]=0,[fireAmpImpactFlag]=7, [fireAmpImpact]=2,[eventAction]=1,[mplsLabel]=0,[hostVLAN]=0,[userId]=3013,[webAppId]=0, [clientAppId]=1296,[appProtoId]=1122,[fwRule]=133,[ipsPolicyId]=63098, [srcIntfName]=b16c69fc-cd95-11e4-a8b0-b61685955f02,[destIntfName]=b1a1f900-cd95-11e4a8b0-b61685955f02,[srcFwZone]=9e34052a-9b4f-11e4-9b83-efa88d47586f, [destFwZone]=a7bd89cc-9b4f-11e4-8260-63a98d47586f,[connEventTime]=1430501705, [connCounter]=371,[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[phLogDetail]=
- Malware events: PH_DEV_MON_FIREAMP_MALWARE
[PH_DEV_MON_FIREAMP_MALWARE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp, [lineNumber]=487,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430502934, [srcIpAddr]=10.110.10.73,[destIpAddr]=10.0.112.132,[srcIpPort]=21496,[destIpPort]=80, [ipProto]=6,[fileName]=CplLnk.exe ,[filePath]=,[fileSize64]=716325,[fileType]=1, [fileTimestamp]=0,[hashAlgo]=SHA, [hashCode]=f1bfab10090541a2c3e58b4b93c504be8b65cdc823209c7f4def24acc38d7fd1 , [fileDirection]=1,[fireAmpFileAction]=3,[parentFileName]=,[parentFileHashCode]=, [infoURL]=http://wrl/wrl/CplLnk.exe ,[threatScore]=0,[fireAmpDisposition]=3, [fireAmpRetrospectiveDisposition]=3,[iocNum]=1,[accessCtlPolicyId]=125870424, [srcGeoCountryCode]=0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638, [applicationId]=676,[connEventTime]=1430502933,[connCounter]=409,[cloudSecIntelId]=0, [phLogDetail]=
- File events: PH_DEV_MON_FIREAMP_FILE
[PH_DEV_MON_FIREAMP_FILE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp, [lineNumber]=541,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430497343, [srcIpAddr]=10.131.15.139,[destIpAddr]=10.0.112.137,[srcIpPort]=1587,[destIpPort]=80, [ipProto]=6,[fileName]=Locksky.exe ,[hashAlgo]=SHA, [hashCode]=aa999f5d948aa1a731f6717484e1db32abf92fdb5f1e7ed73ad6f5a21b0737c1, [fileSize64]=60905,[fileDirection]=1,[fireAmpDisposition]=3,[fireAmpSperoDisposition]=4, [fireAmpFileStorageStatus]=11,[fireAmpFileAnalysisStatus]=0,[threatScore]=0, [fireAmpFileAction]=3,[fileType]=17,[applicationId]=676,[destUserId]=2991, [infoURL]=http://wrl/wrl/Locksky.exe ,[signatureName]=,[accessCtlPolicyId]=125869976, [srcGeoCountryCode]=0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638, [connCounter]=103,[connEventTime]=1430497343,[phLogDetail]=
- Discovery events:
  - PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL
[PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=815,[reptDevIpAddr]=10.1.23.177,[destIpPort]=2054,[ipProto]=54,[phLogDetail]=
  - PH_DEV_MON_FIREAMP_DISCOVERY_OS_FINGERPRINT
[PH_DEV_MON_FIREAMP_DISCOVERY_OS_FINGERPRINT]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=737,[reptDevIpAddr]=10.1.23.177,[fingerprintId]=01f772b2-fceb-4777-8a50-1e1f27426ad0,[osType]=Windows 7,[hostVendor]=Microsoft,[osVersion]=NULL,[phLogDetail]=
  - PH_DEV_MON_FIREAMP_DISCOVERY_CLIENT_APP
[PH_DEV_MON_FIREAMP_DISCOVERY_CLIENT_APP]:[eventSeverity]=PHL_INFO, [fileName]=phFireAMPAgent.cpp,[lineNumber]=775,[reptDevIpAddr]=10.1.23.177, [clientAppId]=638,[appName]=Firefox,[phLogDetail]=
  - PH_DEV_MON_FIREAMP_DISCOVERY_SERVER
[PH_DEV_MON_FIREAMP_DISCOVERY_SERVER]:[eventSeverity]=PHL_INFO, [fileName]=phFireAMPAgent.cpp,[lineNumber]=853,[reptDevIpAddr]=10.1.23.177, [applicationId]=676,[appTransportProto]=HTTP,[phLogDetail]=
- User activity events: PH_DEV_MON_FIREAMP_USER_LOGIN
[PH_DEV_MON_FIREAMP_USER_LOGIN]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp, [lineNumber]=672,[reptDevIpAddr]=10.1.23.177,[deviceTime]=1430490441,[user]=ABerglund , [userId]=0,[ipProto]=710,[emailId]=,[loginType]=0,[destIpAddr]=198.18.133.1 , [phLogDetail]=
- Impact Flag events: PH_DEV_MON_FIREAMP_IMPACT_FLAG
[PH_DEV_MON_FIREAMP_IMPACT_FLAG]:[eventSeverity]=PHL_CRITICAL, [fileName]=phFireAMPAgent.cpp,[lineNumber]=591,[reptDevIpAddr]=10.1.23.177, [envSensorId]=6,[snortEventId]=34,[deviceTime]=1430491431,[eventType]=Snort-648, [compEventType]=PH_DEV_MON_FIREAMP_IMPACT_FLAG,[ipsGeneratorId]=1,[ipsSignatureId]=14, [ipsClassificationId]=29,[srcIpAddr]=10.131.12.240,[destIpAddr]=10.131.11.46, [srcIpPort]=80,[destIpPort]=8964,[ipProto]=6,[fireAmpImpactFlag]=7,[phLogDetail]=
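The [AlertLogic_Incident] records in the Alert Logic section and the PH_DEV_MON_FIREAMP_* samples above share one bracketed attribute layout. The parser below is an added example, not FortiSIEM code; it reads that layout from two of the guide's samples (trimmed and marked as constructed) and keeps every value of a repeated attribute, because a plain dictionary would silently drop one of the two fileName values in the malware sample.

```python
import re
from typing import Dict, List, Tuple

# Constructed from the guide's samples, trimmed to the attributes used here.
ALERTLOGIC_ASSOCIATED = (
    "[AlertLogic_Incident_Associated_Event]:[reptDevIpAddr]=10.10.10.10,[phCustId]=, "
    "[reptDevIpAddr]=34.192.118.124,[reptDevName]=api.cloudinsight.alertlogic.com, "
    "[accountId]=100000,[inIncidentId]=e9113683d6815742,[resourceType]=associated log,"
    "[resourceName]=Log,[msg]=dddddddd,[eventSeverity]=5,[reptDevName]=user, "
    "[eventType]=AlertLogic_e9113683d6815742_Associated_Event"
)
FIREAMP_MALWARE = (
    "[PH_DEV_MON_FIREAMP_MALWARE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp, "
    "[lineNumber]=487,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430502934, "
    "[srcIpAddr]=10.110.10.73,[destIpAddr]=10.0.112.132,[srcIpPort]=21496,[destIpPort]=80, "
    "[ipProto]=6,[fileName]=CplLnk.exe ,[filePath]=,[fileSize64]=716325,[hashAlgo]=SHA, "
    "[hashCode]=f1bfab10090541a2c3e58b4b93c504be8b65cdc823209c7f4def24acc38d7fd1 , "
    "[fireAmpDisposition]=3,[phLogDetail]="
)

# "[EventType]:" opens the record; the "[" is optional because one sample omits it.
_PREFIX = re.compile(r"^\s*\[?([A-Za-z0-9_]+)\]:")
# Attributes are "[name]=value"; a value runs up to the next "[name]=" token,
# so spaces and commas inside a value survive.
_ATTR = re.compile(r"\[([A-Za-z0-9_]+)\]=")


def parse_bracketed_event(record: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (event type prefix, attributes); each attribute keeps all its values."""
    head = _PREFIX.match(record)
    if head is None:
        raise ValueError("record does not start with an [EventType]: prefix")
    body = record[head.end():]
    attrs: Dict[str, List[str]] = {}
    tokens = list(_ATTR.finditer(body))
    for i, tok in enumerate(tokens):
        end = tokens[i + 1].start() if i + 1 < len(tokens) else len(body)
        # Drop the separating comma and the whitespace left by line wrapping.
        value = body[tok.end():end].strip().rstrip(",").strip()
        attrs.setdefault(tok.group(1), []).append(value)
    return head.group(1), attrs


def first(attrs: Dict[str, List[str]], name: str, default: str = "") -> str:
    values = attrs.get(name)
    return values[0] if values else default


def summarize(record: str) -> Dict[str, object]:
    """Fields a triage view needs, plus the repeated and empty attributes worth a look."""
    prefix, attrs = parse_bracketed_event(record)
    return {
        "prefix": prefix,
        # [eventType] may differ from the prefix (the intrusion sample carries Snort-1).
        "event_type": first(attrs, "eventType", prefix),
        "severity": first(attrs, "eventSeverity"),
        "src": first(attrs, "srcIpAddr"),
        "dst": first(attrs, "destIpAddr"),
        # In the malware sample the last fileName is the transferred file, the
        # first is the agent source file that logged it.
        "last_file_name": (attrs.get("fileName") or [""])[-1],
        "duplicates": {k: v for k, v in attrs.items() if len(v) > 1},
        "empty": sorted(k for k, v in attrs.items() if v == [""]),
    }
```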
Configuration
Cisco FireSIGHT Configuration
1. Log in to the Cisco FireSIGHT console.
2. Go to System > Local > Registration > eStreamer.
3. Click Create Client.
   a. Enter the IP address and Password for FortiSIEM. The password can only contain alphabetic (a-z, A-Z) and numeric (0-9) characters. Special characters are not allowed.
   b. Click Save.
4. Select the types of events that should be forwarded to FortiSIEM.
5. Click Download Certificate and save the certificate to a local file.
FortiSIEM Configuration
1. Go to ADMIN > Setup > Credentials.
2. Create a credential:
   a. Set Device Type to Cisco FireAMP.
   b. Set Access Method to eStreamer.
   c. Enter the Password as in Step 3a above.
   d. Click Certificate File > Upload and enter the certificate downloaded in Step 5.
   e. Click Save.

3. Create an IP range to credential association:
   a. Enter the IP address of the FireSIGHT console.
   b. Enter the credential created in Step 2 above.
4. Click Test Connectivity. FortiSIEM will start collecting events from the FireSIGHT console.
Using Cisco eStreamer Client
Cisco has published a free eStreamer client to pull events from FireAMP server. This client is more up-to-date than FortiSIEM's own eStreamer client.
If you decide to use Cisco's eStreamer client instead of FortiSIEM's eStreamer client, follow these steps.
- Step 1: Install a new version of python with a new user 'estreamer'
- Step 2: Download and configure eStreamer client
- Step 3: Start eStreamer client
Step 1: Install a new version of python with a new user 'estreamer'
This is required because the python version used by FortiSIEM is compiled with PyUnicodeUCS2, while the eStreamer client requires the standard version of python built with PyUnicodeUCS4.
1. Log in to the FortiSIEM Collector or the node where the eStreamer client is going to be installed.
2. Install openssl-devel and openssl-devel.i686 by running the following command:
   yum install openssl-devel openssl-devel.i686
3. Create the eStreamer user using the command:
   a. useradd estreamer
4. Download the python library using the commands:
   a. su estreamer
   b. mkdir ~/python
   c. cd ~/python
   d. wget https://www.python.org/ftp/python/2.7.18/Python-2.7.18.tgz
5. Install the python library:
   a. tar zxfv Python-2.7.18.tgz
   b. find ~/python -type d | xargs chmod 0755
   c. cd Python-2.7.18
   d. ./configure --prefix=$HOME/python --enable-unicode=ucs4
   e. make && make install
   f. Add the two lines below to ~/.bashrc:
      export PATH=$HOME/python/Python-2.7.18/:$PATH
      export PYTHONPATH=$HOME/python/Python-2.7.18
   g. source ~/.bashrc
Step 2: Download and configure eStreamer client
1. SSH to the FortiSIEM Collector or the node where the eStreamer client is going to be installed, as the estreamer user.
2. Clone the repository:
   git clone git://github.com/CiscoSecurity/fp-05-firepower-cef-connector-arcsight.git
3. Change directory using the command:
   cd fp-05-firepower-cef-connector-arcsight

4. Log in to the eStreamer server and:
   a. Go to System > Integration > eStreamer.
   b. Create a new client and enter the IP address of the Supervisor/Collector as the host.
   c. Download the pkcs12 file and save it to the directory fp-05-firepower-cef-connector-arcsight.
5. Go back to the fp-05-firepower-cef-connector-arcsight directory.
6. Run sh encore.sh, and type 2 to select CEF output when prompted. An estreamer.conf file is generated.
7. Edit estreamer.conf with the settings below (in JSON format):
   - handler.outputters.stream.uri : "udp://VA_IP:514"
   - servers.host : eStreamer_Server_IP
   - servers.pkcs12Filepath : /path/to/pkcs12
8. Run the two commands below:
   - openssl pkcs12 -in "client.pkcs12" -nocerts -nodes -out "/path/to/fp-05-firepower-cef-connector-arcsight/client_pkcs.key"
   - openssl pkcs12 -in "client.pkcs12" -clcerts -nokeys -out "/path/to/fp-05-firepower-cef-connector-arcsight/client_pkcs.cert"
Step 3: Start eStreamer client
SSH to FortiSIEM Collector or the node where eStreamer client is installed, as estreamer user. Start eStreamer client by entering: encore.sh start
The eStreamer client is now ready for use. FortiSIEM 5.2.5 contains an updated parser for the events generated by the Cisco eStreamer client. Trigger a few events on the eStreamer server and query from FortiSIEM to verify that everything is working.


Cisco Intrusion Prevention System

What is Discovered and Monitored

Protocol: SNMP, SDEE
Metrics Collected: Alerts
Used For: Performance and Availability Monitoring, Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "cisco ips" in the Device Type and Description columns to see the event types associated with this device.
Rules
In RESOURCE > Rules, search for "cisco ips" in the Name column to see the rules associated with this device.
Reports
In RESOURCE > Reports , search for "cisco ips" in the Name column to see the reports associated with this device.
Configuration
SNMP
1. Log in to the device manager for your Cisco IPS.
2. Go to Configuration > Allowed Hosts/Networks.
3. Click Add.
4. Enter the IP address of your FortiSIEM virtual appliance to add it to the access control list, and then click OK.
5. Go to Configuration > Sensor Management > SNMP > General Configuration.
6. For Read-Only Community String, enter public.
7. For Sensor Contact and Sensor Location, enter Unknown.
8. For Sensor Agent Port, enter 161.
9. For Sensor Agent Protocol, select udp.
If you must create an SDEE account for FortiSIEM to use, go to Configuration > Users and add a new administrator.
Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.


Name: <set name>
Device Type: Cisco IPS
Access Protocol: Cisco SDEE
Pull Interval: 5 minutes
Port: 443
Password config: See Password Configuration

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>

Sample XML-Formatted Alert
<!-- CISCO IPS -->
<evAlert eventId="1203541079317487802" severity="low">
  <originator>
    <hostId>MainFW-IPS</hostId>
    <appName>sensorApp</appName>
    <appInstanceId>376</appInstanceId>
  </originator>
  <time offset="0" timeZone="UTC">1204938398491122000</time>
  <signature sigName="ICMP Network Sweep w/Echo" sigId="2100" subSigId="0" version="S2"></signature>
  <interfaceGroup>vs1</interfaceGroup>
  <vlan>0</vlan>
  <participants>
    <attack>
      <attacker>
        <addr locality="OUT">2.2.2.1</addr>
      </attacker>
      <victim>
        <addr locality="OUT">171.64.10.225</addr>
        <os idSource="unknown" type="unknown" relevance="relevant"></os>
      </victim>
      <victim>
        <addr locality="OUT">171.66.255.87</addr>
        <os idSource="unknown" type="unknown" relevance="relevant"></os>
      </victim>
      <victim>
        <addr locality="OUT">171.66.255.86</addr>
        <os idSource="unknown" type="unknown" relevance="relevant"></os>
      </victim>
      <victim>
        <addr locality="OUT">171.66.255.84</addr>
        <os idSource="unknown" type="unknown" relevance="relevant"></os>
      </victim>
      <victim>
        <addr locality="OUT">171.66.255.85</addr>
        <os idSource="unknown" type="unknown" relevance="relevant"></os>
      </victim>
      <victim>
        <addr locality="OUT">171.66.255.82</addr>
        <os idSource="unknown" type="unknown" relevance="relevant"></os>
      </victim>
    </attack>
  </participants>
  <alertDetails>InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" </alertDetails>
</evAlert>


Cisco Stealthwatch
- Integration points
- Configuring FortiSIEM
- Parsing and Events

Integration points

Protocol: syslog
Information Discovered: Network Anomaly Detection Alerts
Used For: Security and Compliance

Configuring FortiSIEM
FortiSIEM automatically recognizes Cisco Stealthwatch syslog as long as it follows the format shown in the sample syslog below:
<129>Jun 18 14:56:00 ED2ALENTSVRSMC-1 StealthWatch[2699]: Lancope|StealthWatch|PRIORITY A|time=2018-06-18T14:55:30Z|target_hostname=|alarm_severity_id=5|alarm_type_id=60|alarm_type_description=Host may be infected with an SMB
Parsing and Events
Currently over 150 events are parsed; see Event Types in RESOURCES > Event Types and search for 'CiscoStealthWatch-'. Users can extend the parser to add other events.


Cylance Protect Endpoint Protection
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: Syslog
Metrics Collected: End point malware alerts
Used For: Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "cylance" in the Device Type column to see the event types associated with this device.

Rules
There are no predefined rules for this device.

Reports
There are no predefined reports for this device.

Configuration
Syslog
FortiSIEM processes events from this device via CEF formatted syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Cylance Protect
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Example Syslog
CylancePROTECT: Event Type: AppControl, Event Name: pechange, Device Name: WIN-7entSh64, IP Address: (192.168.119.128), Action: PEFileChange, Action Type: Deny, File Path: C:\Users\admin\AppData\Local\Temp\MyInstaller.exe, SHA256: 04D4DC02D96673ECA9050FE7201044FDB380E3CFE0D727E93DB35A709B45EDAA


Cyphort Cortex Endpoint Protection
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: Syslog
Metrics Collected: End point malware alerts
Used For: Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "cyphort" in the Device Type column to see the event types associated with this device.

Rules
There are no predefined rules for this device.

Reports
There are no predefined reports for this device.

Configuration
Syslog
FortiSIEM processes events from this device via CEF formatted syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Cylance Cortex
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Example Syslog
<134>Feb 23 21:58:05 tap54.eng.cyphort.com cyphort: CEF:0|Cyphort|Cortex|3.2.1.16|http|TROJAN_GIPPERS.DC|8|externalId=374 eventId=13348 lastActivityTime=2015-02-24 05:58:05.151123+00 src=172.16.0.1 dst=10.1.1.26 fileHash=acf69d292d2928c5ddfe5e6af562cd482e6812dc fileName=79ea1163c0844a2d2b6884a31fc32cc4.bin fileType=PE32 executable (GUI) Intel 80386, for MS Windows startTime=2015-02-24 05:58:05.151123+00

Damballa Failsafe

Configuration in FortiSIEM
Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box:

Name: A name for the device.
Device Type: Damballa Failsafe
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

3. In Step 2: Enter IP Range to Credential Associations:
   a. Select the name of your credential from the Credentials drop-down list.
   b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
   c. Click Save.
4. Click Test to test the connection to Damballa Failsafe.
5. To see the jobs associated with Damballa, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter Damballa in the search box.


Darktrace CyberIntelligence Platform
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Sample Events
What is Discovered and Monitored

Protocol: Syslog (CEF formatted)
Metrics/LOGs collected: Over 40 security logs
Used for: Security and Compliance monitoring

Event Types
Go to Admin > Device Type > Event Types and search for "Darktrace-DCIP".
Rules
None
Reports
None
Configuration
Configure Darktrace to send CEF formatted logs to FortiSIEM. FortiSIEM will automatically parse the logs. No configuration is required in FortiSIEM.
Sample Events
CEF:0|Darktrace|DCIP|3.0.8|537|Antigena/Network/Compliance/Antigena RDP Block|Low| eventId=2 externalId=1462565 art=1536856095244 deviceSeverity=1 rt=1536856054000 shost=personalpcd698.abccompany.local src=10.10.1.85 sourceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 smac=1:1:1:1:1:1 dst=1.1.1.1 destinationZoneURI=/All Zones/ArcSight System/Public Address Space Zones/APNIC/1.0.0.0-1.1.1.255 (APNIC) dpt=9999 ahost=personalpc123.abccompany.local agt=10.10.28.38 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 av=2.2.2.2.0 atz=CountryA aid=3mAvC02UBABCAa72iNm4jZA\=\= at=syslog dvc=10.10.10.10 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 dtz=CountryA _cefVer=0.1 ad.darktraceUrl=https://10.10.10.10/#modelbreach/1462565


FireEye Malware Protection System (MPS)
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: Syslog

Event Types
In ADMIN > Device Support > Event, search for "fireeye mps" in the Device Type column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
- For Port, enter 514.
- Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.


Name: <set name>
Device Type: FireEye MPS
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Example Syslog
<164>fenotify-45640.alert: CEF:0|FireEye|MPS|6.0.0.62528|MC|malware-callback|9|rt=Apr 16 2012 15:54:41 src=192.168.26.142 spt=0 smac=00:14:f1:90:c8:01 dst=2.2.2.2 dpt=80 dmac=00:10:db:ff:50:00 cn1Label=vlan cn1=202 cn2Label=sid cn2=33335390 cs1Label=sname cs1=Trojan.Gen.MFC cs4Label=link cs4=https://10.10.10.10/event_stream/events_for_bot?ev_id\=45640 cs5Label=ccName cs5=3.3.3.3 cn3Label=ccPort cn3=80 proto=tcp cs6Label=ccChannel cs6= shost=abc.org <http://abc.org> dvchost=ALAXFEYE01 dvc=10.10.10.10 externalId=45640
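The Darktrace sample earlier in this chapter and the FireEye sample above both carry CEF extension values with an escaped equals sign (\=), which a naive split on "=" mishandles. The parser below is an added example, not FortiSIEM's own parser; it splits the header on unescaped pipes, tokenizes the extension on keys rather than on "=", and resolves the csNLabel/cnNLabel pairs the way a SIEM does. The two samples are the guide's, reflowed onto one line each with line-wrap spaces removed.

```python
import re
from typing import Dict, Tuple

# Samples taken from the guide's FireEye and Darktrace examples (reflowed; the
# Darktrace one is shortened to the fields exercised here).
FIREEYE = (
    r"<164>fenotify-45640.alert: CEF:0|FireEye|MPS|6.0.0.62528|MC|malware-callback|9|"
    r"rt=Apr 16 2012 15:54:41 src=192.168.26.142 spt=0 smac=00:14:f1:90:c8:01 dst=2.2.2.2 "
    r"dpt=80 dmac=00:10:db:ff:50:00 cn1Label=vlan cn1=202 cn2Label=sid cn2=33335390 "
    r"cs1Label=sname cs1=Trojan.Gen.MFC cs4Label=link "
    r"cs4=https://10.10.10.10/event_stream/events_for_bot?ev_id\=45640 cs5Label=ccName "
    r"cs5=3.3.3.3 cn3Label=ccPort cn3=80 proto=tcp cs6Label=ccChannel cs6= "
    r"shost=abc.org <http://abc.org> dvchost=ALAXFEYE01 dvc=10.10.10.10 externalId=45640"
)
DARKTRACE = (
    r"CEF:0|Darktrace|DCIP|3.0.8|537|Antigena/Network/Compliance/Antigena RDP Block|Low| "
    r"eventId=2 externalId=1462565 art=1536856095244 deviceSeverity=1 rt=1536856054000 "
    r"shost=personalpcd698.abccompany.local src=10.10.1.85 sourceZoneURI=/All Zones/ArcSight "
    r"System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 smac=1:1:1:1:1:1 "
    r"dst=1.1.1.1 dpt=9999 ahost=personalpc123.abccompany.local agt=10.10.28.38 av=2.2.2.2.0 "
    r"atz=CountryA aid=3mAvC02UBABCAa72iNm4jZA\=\= at=syslog dvc=10.10.10.10 dtz=CountryA "
    r"_cefVer=0.1 ad.darktraceUrl=https://10.10.10.10/#modelbreach/1462565"
)

# Header fields that follow the "CEF:<version>" prefix, in the order CEF defines them.
HEADER_FIELDS = ("device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# A pipe separates header fields unless it is escaped as "\|".
_PIPE = re.compile(r"(?<!\\)\|")
# An extension key starts the extension or follows whitespace and is immediately
# followed by "=". A "\=" inside a value never matches, because the character
# before that "=" is a backslash, not a key character.
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
_ESCAPE = re.compile(r"\\(.)")


def _unescape(value: str) -> str:
    # CEF escapes: "\=" -> "=", "\|" -> "|", "\\" -> "\", "\n" / "\r" -> newline / CR.
    return _ESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split the extension into key/value pairs; values may contain spaces and '='."""
    keys = list(_KEY.finditer(ext))
    pairs: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        pairs[m.group(1)] = _unescape(ext[m.end():end].strip())
    return pairs


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, extension) for one CEF record, ignoring any syslog prefix."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    parts = _PIPE.split(line[start:], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("CEF header has fewer than seven fields")
    header = {"cef_version": parts[0][len("CEF:"):]}
    header.update(zip(HEADER_FIELDS, (_unescape(p) for p in parts[1:7])))
    extension = parts[7] if len(parts) == 8 else ""
    return header, parse_extension(extension)


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Turn 'cs1Label=sname cs1=X' pairs into {'sname': 'X'}."""
    resolved: Dict[str, str] = {}
    for key, label in ext.items():
        if key.endswith("Label") and label and key[:-5] in ext:
            resolved[label] = ext[key[:-5]]
    return resolved


def normalize(line: str) -> Dict[str, str]:
    """Flat record: header fields, raw extension keys and label-resolved custom fields."""
    header, ext = parse_cef(line)
    record = dict(header)
    record.update(ext)
    record.update(resolve_labels(ext))
    return record
```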


FortiDDoS
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: Syslog
Information Discovered: Host Name, Access IP, Vendor/Model
Metrics Collected: Over 150 event types, including Protocol Anomaly, Traffic Volume Anomaly, DoS Attacks
Used For: Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "FortiDDoS" to see the event types associated with this device.

Rules
There are many IPS correlation rules for this device under Rules > Security > Exploits.

Reports
There are many reports for this device under Reports > Function > Security.

Configuration

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Fortinet FortiDDos
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Syslog
FortiSIEM processes FortiDDoS events via syslog. Configure FortiDDoS to send syslog to FortiSIEM as directed in the device's product documentation.
Example Syslog
Jan 10 16:01:50 172.30.84.114 devid=FI400B3913000032 date=2015-01-23 time=17:42:00 type=attack SPP=1 evecode=1 evesubcode=8 dir=0 protocol=1 sIP=0.0.0.0 dIP=0.0.0.0 dropCount=312

devid=FI800B3913000055 date=2017-01-27 time=18:24:00 tz=PST type=attack spp=0 evecode=2 evesubcode=61 description="Excessive Concurrent Connections Per Source flood" dir=1 sip=24.0.0.2 dip=24.255.0.253 subnet_name=default dropcount=40249 facility=Local0 level=Notice


Fortinet FortiDeceptor
- Integration Points
- Configuration
- Settings for Access Credentials
- Sample Events

Integration Points

Method: Syslog
Information discovered: Host name, Reporting IP
Metrics collected: None
LOGs collected: Authentication logs, Decoy activity
Used for: Security monitoring

Event Types
In ADMIN > Device Support > Event, search for "FortiDeceptor" to see the event types associated with this device.
Rules
No specific rules are written for FortiDeceptor.
Reports
No specific reports are written for FortiDeceptor.
Configuration
Configure FortiDeceptor system to send logs to FortiSIEM in the supported format (see Sample Events).
Settings for Access Credentials
None required.
Sample Events
<27>2019-07-29T10:12:44 devhost=FDC-VM0000000262 devid=FDC-VM0000000262 logver=25 tzone=14400 tz=GST date=2019-07-29 time=10:12:44 logid=0106000001 type=event subtype=system level=error user=system ui=GUI action=update status=failure msg="The authentication to FDN server failed"

<14>2019-07-29T10:40:34 devhost=FDC-VM0000000262 devid=FDC-VM0000000262 logver=25 tzone=14400 tz=GST date=2019-07-29 time=10:40:34 logid=0106000001 type=event subtype=system level=information user=admin ui=GUI action=Login status=success msg="Administrator admin logged into website successfully from 10.0.0.254"


Fortinet FortiNAC
- Integration Points
- Configuration
- Settings for Access Credentials
- Sample Events

Integration Points

Method: Syslog
Information discovered: Host name, Reporting IP
Metrics collected: None
LOGs collected: Administrative and User Admission Control events
Used for: Security monitoring

Event Types
In ADMIN > Device Support > Event, search for "FortiNAC" to see the event types associated with this device.
Rules
No specific rules are written for FortiNAC, but generic rules for network admission control apply.
Reports
No specific reports are written for FortiNAC, but generic reports for network admission control apply.
Configuration
Configure FortiNAC system to send logs to FortiSIEM in the supported format (see Sample Events).
Settings for Access Credentials
None required.
Sample Events
<37>Jan 08 19:03:45 : CEF:0|Bradford Networks|FortiNAC-VM-Control and Application Server|8.3.0.79|426|Adapter Destroyed|1|rt=Jan 08 19:03:45 269 UTC cat=EndStation msg=Adapter 18:5E:0F:AA:56:31 Destroyed.

<37>Dec 06 10:34:42 : CEF:0|Bradford Networks|FortiNAC-VM-Control and Application Server|8.3.1.30|447702|Admin User Login Success|1|rt=Dec 06 10:34:42 736 CET cat= suid=guiadmin msg=Admin user guiadmin logged in.

<37>Apr 16 11:06:19 : CEF:0|Bradford Networks|FortiNAC-VM-Control and Application Server|8.3.6.104|605250|Security Risk Host|1|rt=Apr 16 11:06:19 447 CEST cat=EndStation src=192.168.242.20 smac=00:26:9E:D9:87:12 shost=X100e-1 cs1Label=Physical<space>network<space>location cs1=BA-HPswitch GigabitEthernet1/0/10 { GigabitEthernet1/0/10 Interface } msg=Host failed Windows-PA-Notepad Tests: Failed :: Custom :: Notepad MAC Address: 00:26:9E:D9:87:12 Last Known Adapter IP: 192.168.242.20 Host Location: BAHPswitch GigabitEthernet1/0/10 { GigabitEthernet1/0/10 Interface }


Fortinet FortiSandbox
• What is Discovered and Monitored
• Configuration

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host Name, OS, version, Hardware
Metrics Collected: CPU, Memory, Disk, Interface utilization
Used For: Performance Monitoring

Protocol: HTTP(S)
Information Discovered: Host Name, OS, version, Hardware
Metrics Collected: Threat feed - Malware URL, Malware Hash
Used For: Log Management, Security Compliance, SIEM

Protocol: Syslog
Metrics Collected: Malware found/cleaned, Botnet, Malware URL, System Events
Used For: Log Management, Security Compliance, SIEM

Event Types
In ADMIN > Device Support > Event, search for "fortisandbox-" to see the event types associated with this device.
Rules
In RESOURCE > Rules, search for "fortisandbox-" to see the rules associated with this device. Basic availability rules in RESOURCE > Rules > Availability > Network and performance rules in RESOURCE > Rules > Performance > Network also trigger.
Reports
In RESOURCE > Reports, search for "fortisandbox-" to see the reports associated with this device.
Configuration
Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.


• For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
• For Port, enter 514.
• Make sure that the syslog format is the same as that shown in the example.
Example Syslog:
Oct 12 14:35:12 172.16.69.142 devname=turnoff-2016-10-11-18-46-05-172.16.69.142 device_id=FSA3KE3A13000011 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success reason=none letype=9 msg="Malware package: urlrel version 2.88897 successfully released, total 1000"
<14>2016-08-19T06:48:51 devhost=turnoff-2016-08-15-19-24-55-172.16.69.55 devid=FSA35D0000000006 tzone=-25200 tz=PDT date=2016-08-19 time=06:48:51 logid=0106000001 type=event subtype=system level=information user=admin ui=GUI action=update status=success reason=none letype=9 msg="Remote log server was successfully added"

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting          Value
Name             <set name>
Device Type      Fortinet FortiSandbox
Access Protocol  See Access Credentials
Port             See Access Credentials
Password config  See Password Configuration


Fortinet FortiTester
• What is Discovered and Monitored
• Event Types
• Rules
• Reports
• Configuration
• Sample Events

What is Discovered and Monitored

Protocol: Syslog (CEF formatted)
Information Discovered: Host name and Device Type from LOG
Metrics/LOG collected: Over 14 log types
Used for: Security and Compliance

Event Types
Go to Admin > Device Type > Event Types and search for "FortiTester".
Rules
None
Reports
None
Configuration
Configure FortiTester to send CEF formatted syslog to FortiSIEM. No configuration is required on FortiSIEM.
Sample Events
CEF:0|Fortinet|FortiTester|3.8|Event|information|category=System deviceExternalId=FTS2KET618000005 msg=The system is started deviceCustomDate1=2019-11-0515:12:30 cs1= cs1Label=Description


IBM Internet Security Series Proventia
• What is Discovered and Monitored
• Configuration

What is Discovered and Monitored

Protocol: SNMP Traps
Information Discovered:
Metrics Collected:

Event Types
In ADMIN > Device Support > Event, search for "proventia" in the Device Type and Description column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
SNMP Trap
FortiSIEM receives SNMP traps from IBM/ISS Proventia IPS appliances that are sent by IBM/ISS SiteProtector Management Console. You must first configure IBM/ISS Proventia to send alerts to IBM/ISS SiteProtector, then configure IBM/ISS SiteProtector to send those alerts as SNMP traps to FortiSIEM.
Configure IBM/ISS Proventia Appliances to Send SNMP Notifications to IBM/ISS SiteProtector Management Console
1. Log in to the IBM Proventia IPS web interface.
2. Click Manage System Settings > SiteProtector Management.
3. Click and select Register with SiteProtector.
4. Click and select Local Settings Override SiteProtector Group Settings.
5. Specify the Group, Heartbeat Interval, and Logging Level.
6. Configure these settings:

Authentication Level: Use the default first-time trust.
Agent Manager Name: Enter the Agent Manager name exactly as it appears in SiteProtector. This setting is case-sensitive.
Agent Manager Address: Enter the Agent Manager's IP address.
Agent Manager Port: Use the default value 3995.
User Name: If the appliance has to log into an account to access the Agent Manager, enter the user name for that account here.
User Password: Click Set Password, enter and confirm the password, and then click OK.
Use Proxy Settings: If the appliance has to go through a proxy to access the Agent Manager, select the Use Proxy Settings option, and then enter the Proxy Server Address and Proxy Server Port.

Define FortiSIEM as a Response Object for SNMP Traps
1. Log in to IBM SiteProtector console.
2. Go to Grouping > Site Management > Central Responses > Edit settings.
3. Select Response Objects > SNMP.
4. Click Add.
5. Enter a Name for your FortiSIEM virtual appliance.
6. For Manager, enter the IP address of your virtual appliance.
7. For Community, enter public.
8. Click OK.
Define a Response Rule to Forward SNMP Traps to FortiSIEM
1. Go to Response Rules.
2. Click Add.
3. Select Enabled.
4. Enter a Name and Comment for the response rule.
5. In the Responses tab, select SNMP.
6. Select Enabled for the response object that represents your FortiSIEM virtual appliance.
7. Click OK.


Refining Rules for Specific IP Addresses
By default, a rule matches on any source or destination IP addresses.
1. To refine the rule to match on a specific source IP address, select the rule, click Edit, and then select the Source tab.
2. Select Use specific source addresses to restrict the rule based on IP address of the source. If you set this option, set the Mode to specify that the rule should either be From or Not From the IP address.
3. Click Add to define one or more IP addresses.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting          Value
Name             <set name>
Device Type      IBM ISS Proventia
Access Protocol  See Access Credentials
Port             See Access Credentials
Password config  See Password Configuration

Sample SNMP trap
2013-02-07 16:52:18 100.0.0.218(via UDP: [192.168.64.218]:55545) TRAP, SNMP v1, community public
SNMPv2-SMI::enterprises.2499 Enterprise Specific Trap (4) Uptime: 0:00:00.15
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.1 = STRING: "SiteProtector_Central_Response (Response1)"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.2 = STRING: "16:52:18 2013-02-07"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.3 = STRING: "6"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.4 = STRING: "100.0.0.216"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.5 = STRING: "100.0.0.218"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.6 = ""
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.7 = ""
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.8 = STRING: "48879"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.9 = STRING: "80"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.10 = STRING: "DISPLAY=WithoutRaw:0,BLOCK=Default:0"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.11 = STRING: " SensorName: IBM-IPS ObjectName: 80 DestinationAddress: 100.0.0.218 AlertName: HTTP_OracleAdmin_Web_Interface AlertTarget: 100.0.0.218 AlertCount: 1 VulnStatus: Simulated block (blocking not enabled) AlertDateTime: 16:52:17 2013-02-07 ObjectType: Target Port SourceAddress: 100.0.0.216 SensorAddress: 192.168.64.15"


Indegy Security Platform
• What is Discovered and Monitored
• Event Types
• Rules
• Reports
• Configuration
• Sample Events

What is Discovered and Monitored

Protocol
Syslog (CEF formatted)

Information Discovered
Host name and Device Type from LOG

Metrics collected
Over 14 types of security logs

Used for
Security and Compliance

Event Types
Go to Admin > Device Type > Event Types and search for "Indegy-".
Rules
None
Reports
None
Configuration
Configure Indegy Security Platform to send syslog in the supported format to FortiSIEM. No configuration is required in FortiSIEM.
Sample Events
<12>Nov 17 09:04:06 10.100.20.40 CEF:0|Indegy|Indegy Security Platform|3.0.33|109|Unauthorized Conversation|7|dvchost=indegy rt=Nov 17 2019 09:04:06 duser=AS_01,Comm. Adapter #2 suser=Eng. Station #9 proto=UDP externalId=125 dst=10.100.102.150 src=10.100.20.34 dpt=47808 cs6Label=policy_name cs6=Use of Unauthorized Protocols in Siemens Controllers cat=NetworkEvents


Juniper DDoS Secure

What is Discovered and Monitored

Protocol: Syslog
Information Discovered:
Metrics Collected: DDoS Alerts
Used For: Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "juniper ddos" in the Device Type and Description columns to see the event types associated with this device.
• Juniper-DDoS-Secure-WorstOffender
• Juniper-DDoS-Secure-Blacklisted
• Juniper-DDoS-Secure-Generic

Rules
There are no predefined rules for this device.

Reports
There are no predefined reports for this device.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting          Value
Name             <set name>
Device Type      Juniper DDos Secure
Access Protocol  See Access Credentials
Port             See Access Credentials
Password config  See Password Configuration

Configuration
Configure the device to send syslog to FortiSIEM. Make sure that the event matches the format specified below.
<134>Juniper: End : 117.217.141.32 : IND: Worst Offender: Last Defended 66.145.37.254: TCP Attack - Port Scan (Peak 55/s, Occurred 554)
<134>Juniper: End : 78.143.172.52 : IRL: IP Address Temp Black-Listed (Valid IP) Exceeds SYN + RST + F2D Count (Peak 114/s, Dropped 83.5K pkts)


Juniper Networks IDP Series
• What is Discovered and Monitored
• Configuration

What is Discovered and Monitored

Protocol: Syslog
Information Discovered:
Metrics Collected:
Used For:

Event Types
In ADMIN > Device Support > Event, search for "juniper_idp" in the Device Type column to see the event types associated with this device.

Rules
There are no predefined rules for this device.

Reports
There are no predefined reports for this device.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting          Value
Name             <set name>
Device Type      Juniper Netscreen IDP
Access Protocol  See Access Credentials
Port             See Access Credentials
Password config  See Password Configuration

Configuration
Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
• For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
• For Port, enter 514.
• Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Example Syslog from NSM
<25>Oct 11 14:29:27 10.146.68.68 20101011, 58420089, 2010/10/11 18:29:25, 2010/10/11 18:33:12, global.IDP, 1631, par-real-idp200, 10.146.68.73, traffic, udp port scan in progress, (NULL), (NULL), 161.178.223.221, 0, 0.0.0.0, 0, (NULL), (NULL), 10.248.8.110, 0, 0.0.0.0, 0, udp, global.IDP, 1631, Metro IDP IP / Port Scan Policy, traffic anomalies, 2, accepted, info, yes, 'interface=eth3', (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 0, no, 25, Not


McAfee IntruShield
• What is Discovered and Monitored
• Configuration

What is Discovered and Monitored

Protocol: Syslog
Information Discovered:
Metrics Collected:
Used For:

Event Types
There are no event types defined specifically for this device.

Rules
There are no predefined rules for this device.

Reports
There are no predefined reports for this device.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting          Value
Name             <set name>
Device Type      McAfee Intrushield
Access Protocol  See Access Credentials
Port             See Access Credentials
Password config  See Password Configuration

Configuration
Syslog
FortiSIEM handles custom syslog messages from McAfee Intrushield.

1. Log in to McAfee Intrushield Manager.
2. Create a custom syslog format with these fields:
• AttackName
• AttackTime
• AttackSeverity
• SourceIp
• SourcePort
• DestinationIp
• DestinationPort
• AlertId
• AlertType
• AttackId
• AttackSignature
• AttackConfidence
• AdminDomain
• SensorName:ASCDCIPS01
• Interface
• Category
• SubCategory
• Direction
• ResultStatus
• DetectionMechanism
• ApplicationProtocol
• NetworkProtocol
• Relevance
3. Set the message format as a sequence of Attribute:Value pairs as in this example.
AttackName:$IV_ATTACK_NAME$,AttackTime:$IV_ATTACK_TIME$,AttackSeverity:$IV_ATTACK_SEVERITY$,SourceIp:$IV_SOURCE_IP$,SourcePort:$IV_SOURCE_PORT$,DestinationIp:$IV_DESTINATION_IP$,DistinationPort:$IV_DESTINATION_PORT$,AlertId:$IV_ALERT_ID$,AlertType:$IV_ALERT_TYPE$,AttackId:$IV_ATTACK_ID$,AttackSignature:$IV_ATTACK_SIGNATURE$,AttackConfidence:$IV_ATTACK_CONFIDENCE$,AdminDomain:$IV_ADMIN_DOMAIN$,SensorName:$IV_SENSOR_NAME$,Interface:$IV_INTERFACE$,Category:$IV_CATEGORY$,SubCategory:$IV_SUB_CATEGORY$,Direction:$IV_DIRECTION$,ResultStatus:$IV_RESULT_STATUS$,DetectionMechanism:$IV_DETECTION_MECHANISM$,ApplicationProtocol:$IV_APPLICATION_PROTOCOL$,NetworkProtocol:$IV_NETWORK_PROTOCOL$,Relevance:$IV_RELEVANCE$
4. Set FortiSIEM as the syslog recipient.
Sample Parsed Syslog Message
Mar 24 16:23:18 SyslogAlertForwarder: AttackName:Invalid Packets detected,AttackTime:2009-03-24 16:23:17 EDT,AttackSeverity:Low,SourceIp:127.255.106.236,SourcePort:N/A,DestinationIp:127.255.106.252,DistinationPort:N/A,AlertId:5260607647261334188,AlertType:Signature,AttackId:0x00009300,AttackSignature:N/A,AttackConfidence:N/A,AdminDomain:ASC,SensorName:ASCDCIPS01,Interface:1A1B,Category:Exploit,SubCategory:protocol-violation,Direction:Outbound,ResultStatus:May be successful,DetectionMechanism:signature,ApplicationProtocol:N/A,NetworkProtocol:N/A,Relevance:N/A,HostIsolationEndTime:N/A
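A parser for the Attribute:Value format defined in the steps above, added here as an example (not FortiSIEM's parser). The sample message is the guide's own, rejoined across the page break; the parser splits each pair on its first colon only, because values such as AttackTime carry colons, and it accepts the "DistinationPort" spelling that the template and the sample both use.

```python
"""Parse McAfee IntruShield custom syslog (Attribute:Value pairs, comma separated)."""
from typing import Dict, Tuple

# Keys in the order the guide's message template emits them. "DistinationPort" is
# spelled that way in both the template and the parsed sample, so keep it verbatim.
EXPECTED_KEYS = (
    "AttackName", "AttackTime", "AttackSeverity", "SourceIp", "SourcePort",
    "DestinationIp", "DistinationPort", "AlertId", "AlertType", "AttackId",
    "AttackSignature", "AttackConfidence", "AdminDomain", "SensorName", "Interface",
    "Category", "SubCategory", "Direction", "ResultStatus", "DetectionMechanism",
    "ApplicationProtocol", "NetworkProtocol", "Relevance",
)

# The guide's "Sample Parsed Syslog Message", rejoined across the page break.
SAMPLE = (
    "Mar 24 16:23:18 SyslogAlertForwarder: AttackName:Invalid Packets detected,"
    "AttackTime:2009-03-24 16:23:17 EDT,AttackSeverity:Low,SourceIp:127.255.106.236,"
    "SourcePort:N/A,DestinationIp:127.255.106.252,DistinationPort:N/A,"
    "AlertId:5260607647261334188,AlertType:Signature,AttackId:0x00009300,"
    "AttackSignature:N/A,AttackConfidence:N/A,AdminDomain:ASC,SensorName:ASCDCIPS01,"
    "Interface:1A1B,Category:Exploit,SubCategory:protocol-violation,Direction:Outbound,"
    "ResultStatus:May be successful,DetectionMechanism:signature,ApplicationProtocol:N/A,"
    "NetworkProtocol:N/A,Relevance:N/A,HostIsolationEndTime:N/A"
)

MARKER = "SyslogAlertForwarder: "


def parse_intrushield(line: str) -> Tuple[str, Dict[str, str]]:
    """Return (syslog header, fields).

    Pairs are comma separated; each is split on its FIRST colon only, so a value
    like 'AttackTime:2009-03-24 16:23:17 EDT' keeps its own colons. 'N/A' values
    are returned verbatim so the caller decides how to treat them. A value that
    itself contains a comma (e.g. in AttackName) would be split incorrectly;
    such pairs show up as entries without a colon and raise ValueError.
    """
    idx = line.find(MARKER)
    if idx < 0:
        raise ValueError("not an IntruShield SyslogAlertForwarder message")
    header = line[:idx].strip()
    fields: Dict[str, str] = {}
    for item in line[idx + len(MARKER):].split(","):
        key, sep, value = item.partition(":")
        if not sep:
            raise ValueError(f"malformed Attribute:Value pair: {item!r}")
        fields[key.strip()] = value.strip()
    return header, fields


def missing_keys(fields: Dict[str, str]) -> Tuple[str, ...]:
    """Template keys absent from a message: a quick check that the format configured
    in Intrushield Manager matches the one FortiSIEM expects."""
    return tuple(k for k in EXPECTED_KEYS if k not in fields)
```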


McAfee Stonesoft IPS
• What is Discovered and Monitored
• Configuration

What is Discovered and Monitored

Protocol: Syslog
Information Discovered:
Metrics Collected: Network IPS alerts
Used For: Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "stonesoft" in the Device Type column to see the event types associated with this device.

Rules
There are no predefined rules for this device.

Reports
There are no predefined reports for this device.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting          Value
Name             <set name>
Device Type      McAfee Stonesoft IPS
Access Protocol  See Access Credentials
Port             See Access Credentials
Password config  See Password Configuration

Configuration
Syslog
FortiSIEM processes events from this device via CEF formatted syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
Example Syslog
<6>CEF:0|McAfee|IPS|5.4.3|70018|Connection_Allowed|0|spt=123 deviceExternalId=STP-NY-FOO01 node 1 dmac=84:B2:61:DC:E1:31 dst=169.132.200.3 cat=System Situations app=NTP (UDP) rt=Apr 08 2016 00:26:13 deviceFacility=Inspection act=Allow deviceOutboundInterface=Interface #5 deviceInboundInterface=Interface #4 proto=17 dpt=123 src=10.64.9.3 dvc=12.17.2.17 dvchost=12.17.2.17 smac=78:DA:6E:0D:FF:C0 cs1Label=RuleId cs1=2097152.6
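Several devices in this chapter (FortiNAC, FortiTester, Indegy, Stonesoft) send CEF, and the guide asks you to confirm the format matches the samples. The following parser is an added example, not FortiSIEM's parser; it handles the two things the samples show that naive splitting gets wrong, extension values containing spaces and an empty value such as "cat=", and its SAMPLES are the guide's own FortiNAC login event (rejoined across the page break) and the Stonesoft event above.

```python
"""Parse CEF-formatted syslog such as the FortiNAC and McAfee Stonesoft samples."""
import re
from typing import Dict, List

SAMPLES: List[str] = [
    # FortiNAC "Admin User Login Success": empty 'cat=' and a space before the version
    "<37>Dec 06 10:34:42 : CEF:0|Bradford Networks|FortiNAC-VM-Control and Application Server| "
    "8.3.1.30|447702|Admin User Login Success|1|rt=Dec 06 10:34:42 736 CET cat= suid=guiadmin "
    "msg=Admin user guiadmin logged in.",
    # McAfee Stonesoft "Connection_Allowed": values such as 'app=NTP (UDP)' contain spaces
    "<6>CEF:0|McAfee|IPS|5.4.3|70018|Connection_Allowed|0|spt=123 deviceExternalId=STP-NY-FOO01 "
    "node 1 dmac=84:B2:61:DC:E1:31 dst=169.132.200.3 cat=System Situations app=NTP (UDP) "
    "rt=Apr 08 2016 00:26:13 deviceFacility=Inspection act=Allow deviceOutboundInterface="
    "Interface #5 deviceInboundInterface=Interface #4 proto=17 dpt=123 src=10.64.9.3 "
    "dvc=12.17.2.17 dvchost=12.17.2.17 smac=78:DA:6E:0D:FF:C0 cs1Label=RuleId cs1=2097152.6",
]

# CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
# Header fields may contain an escaped pipe (\|), so split only on unescaped pipes.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# An extension key is a token at the start or after whitespace, followed by '='.
_KEY_START = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k1=v1 k2=v2 with spaces k3=' into a dict.

    A value runs until the next ' key=' token, so values containing spaces survive
    and an empty value ('cat=' in the FortiNAC login sample) becomes ''.
    """
    matches = list(_KEY_START.finditer(ext))
    out: Dict[str, str] = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        value = ext[m.end():end].strip()
        # undo the escapes CEF allows inside extension values
        out[m.group(1)] = value.replace("\\=", "=").replace("\\n", "\n").replace("\\r", "\r")
    return out


def parse_cef(line: str) -> Dict[str, object]:
    """Return the seven header fields plus 'ext', the parsed extension dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    parts = _HEADER_SPLIT.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    version, vendor, product, dev_version, sig_id, name, severity, extension = parts
    unescape = lambda s: s.replace("\\|", "|").strip()  # noqa: E731
    return {
        "syslog_prefix": line[:start].strip(),   # e.g. '<37>Dec 06 10:34:42 :'
        "cef_version": version[len("CEF:"):],
        "vendor": unescape(vendor),
        "product": unescape(product),
        "device_version": unescape(dev_version),  # FortiNAC sample has a leading space
        "signature_id": sig_id.strip(),
        "name": unescape(name),
        "severity": severity.strip(),
        "ext": parse_extension(extension),
    }


def custom_string_fields(ext: Dict[str, str]) -> Dict[str, str]:
    """Resolve csNLabel/csN pairs: 'cs1Label=RuleId cs1=2097152.6' -> {'RuleId': '2097152.6'}."""
    resolved: Dict[str, str] = {}
    for key, label in ext.items():
        if re.fullmatch(r"cs\d+Label", key):
            resolved[label] = ext.get(key[: -len("Label")], "")
    return resolved


def parse_samples() -> List[Dict[str, object]]:
    return [parse_cef(s) for s in SAMPLES]
```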


Motorola AirDefense

What is Discovered and Monitored

Protocol: Syslog
Information Discovered:
Metrics Collected: Wireless IDS logs
Used For: Security Monitoring

Event Types
About 37 event types covering various Wireless attack scenarios - search for them by entering "Motorola-AirDefense" in ADMIN > Device Support > Event.

Rules
There are no predefined rules for this device.

Reports
There are no predefined reports for this device.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting          Value
Name             <set name>
Device Type      Motorola AirDefense
Access Protocol  See Access Credentials
Port             See Access Credentials
Password config  See Password Configuration

Configuration
Configure the device to send logs to FortiSIEM. Make sure that the format is as follows.
Nov 8 18:48:00 Time=2014-10-29T05:39:00,Category=Rogue Activity,CriticalityLevel=Severe,Desc=Rogue AP on Wired Network,device=00:22:cf:5d:ee:60 (00:22:cf:5d:ee:60),sensor=fc:0a:81:12:7b:4b(COMP-SENS302EA[a,b,g,n])
Nov 12 13:33:00 Time=2015-11-12T08:47:00,Category=Exploits,CriticalityLevel=Critical,Desc=NAV Attack CTS,device=5c:0e:8b:cb:d5:40(5c:0e:8b:cb:d5:40),sensor=fc:0a:81:12:77:3f(COMP-SENS201EA [a,b,g,n])


Nozomi
• What is Discovered and Monitored
• Event Types
• Rules
• Reports
• Configuring Syslog on Nozomi
What is Discovered and Monitored

Protocol: Syslog
Information discovered: Device type
Metrics collected: Node detection, protocol information, network changes
Used for: Security and Compliance

Event Types
In ADMIN > Device Support > Event, search for "Nozomi" in the Name and Description columns to see the event types associated with this device.
Rules
There are no specific rules for Nozomi, however rules that match the Event Type Groups associated with Nozomi Events may trigger.
Reports
There are no specific Reports for Nozomi, however reports that match the Event Type Groups associated with Nozomi Events may return results.
Configuring Syslog on Nozomi
1. Log in to the Guardian console.
2. Navigate to Administration->Data Integration.
3. Press +Add on the right side of the screen.
4. Select the Common Event Format (CEF) from the drop down.
5. You should see the data entry screen.
6. Enter the appropriate host information. For example udp://<FortiSIEM IP>:514.
7. Select Enable sending Alerts and/or Enable sending Audit Logs and/or Enable sending Health Logs.
8. Press New Endpoint.


Radware DefensePro
• What is Discovered and Monitored
• Event Types
• Rules
• Reports
• Configuration

What is Discovered and Monitored

Protocol: Syslog
Information Discovered:
Data Collected: Over 120 event types
Used for: Security and Compliance

Event Types
In RESOURCE > Event Types, Search for "Radware-DefensePro".
Sample Event Type:
<132>DefensePro: 13-09-2017 15:03:21 WARNING 12572 Intrusions "SIP-Scanner-SIPVicious" UDP 1.1.1.1 29992 1.1.1.2 5060 15 Regular "GSN_Web" occur 1 3 N/A 0 N/A high drop FFFFFFFF-FFFFFFFF-9C94-000F57F7595F
<132>DefensePro: 13-09-2017 15:18:45 WARNING 150 HttpFlood "HTTP Page Flood Attack" TCP 1.1.1.3 0 1.1.1.4 80 0 Regular "President-1.1.1.4" ongoing 100 0 N/A 0 N/A medium forward FFFFFFFF-FFFF-FFFF-9CCF-000F57F7595F
<132>DefensePro: 13-09-2017 14:37:53 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 1.1.1.5 80 0 Regular "GSN_Web" ongoing 1 0 N/A 0 N/A medium challenge FFFFFFFF-FFFF-FFFF9C46-000F57F7595F
<134>DefensePro: 13-09-2017 13:56:34 INFO Configuration Auditing manage syslog destinations create 172.16.10.207 -f "Local Use 0", ACTION: Create by user public via SNMP source IP 1.1.1.6
Rules
There are no specific rules but generic rules for Network IPS and Generic Servers apply.
Reports
There are no specific reports, but generic reports for Network IPS and Generic Servers apply.

Configuration
Configure Radware DefensePro Security Manager to send syslog on port 514 to FortiSIEM.


Snort Intrusion Prevention System
• What is Discovered and Monitored
• Event Types
• Configuration
• JDBC
• SNMP Access to the Database Server
• Debugging Snort Database Connectivity
• Examples of Snort IPS Events Pulled over JDBC
• Viewing Snort Packet Payloads in Reports
• Exporting Snort IPS Packets as a PCAP File
• Settings for Access Credentials

What is Discovered and Monitored

Protocol: Syslog
Information Discovered:
Metrics Collected:

Protocol: JDBC
Information Discovered:
Metrics Collected:
• Generic information: signature ID, signature name, sensor ID, event occur time, signature priority
• TCP: packet header, including source IP address, destination IP address, Source Port, Destination Port, TCP Sequence Number, TCP Ack Number, TCP Offset, TCP Reserved, TCP Flags, TCP Window size, TCP Checksum, TCP Urgent Pointer; and packet payload
• UDP: packet header, including source IP address, destination IP address, Source Port, Destination Port, UDP Length, checksum; and packet payload
• ICMP: packet header, including source IP address, destination IP address, ICMP Type, ICMP Code, Checksum, ICMP ID, Sequence Number; and packet payload

Protocol: SNMP (for access to the database server hosting the Snort database)

Used For:

Event Types
In ADMIN > Device Support > Event Types, search for "snort-org" to see the event types associated with this device.

Configuration
Syslog
Collecting event information from Snort via syslog has two drawbacks:
1. It is not reliable because it is sent over UDP.
2. Information content is limited because of the UDP packet size limit.
For these reasons, you should consider using JDBC to collect event information from Snort.
These instructions illustrate how to configure Snort on Linux to send syslog to FortiSIEM. For further information, consult the Snort product documentation.
1. Log in to your Linux server where Snort is installed.
2. Navigate to and open the file /etc/snort/snort.conf.
3. Modify alert_syslog to use a local log facility, for example:
output alert_syslog: LOG_LOCAL4 LOG_ALERT
4. Navigate to and open the file /etc/syslog.conf.
5. Add a redirector to send syslog to FortiSIEM.
#Snort log to local4
#local4.*    /var/log/snort.log
#local4.*    @192.168.20.41
local4.alert    @10.1.2.171
6. Restart the Snort daemon.
Example Parsed Snort Syslog
<161>snort[2242]: [1:206:9] BACKDOOR DeepThroat 3.1 CD ROM Open Client Request [Classification: Misc activity] [Priority: 3]: {UDP} 192.168.19.1:6555 -> 172.16.2.5:514
<161>snort[5774]: [1:1560:6] WEB-MISC /doc/ access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.53:41218 -> 192.168.0.26:80
<161>snort[5774]: [1:466:4] ICMP L3retriever Ping [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.20.49 -> 192.168.0.10
<161>snort[5774]: [1:1417:9] SNMP request udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.168.20.40:1061 -> 192.168.20.2:161
JDBC
Supported Databases and Snort Database Schemas
When using JDBC to collect IPS information from Snort, FortiSIEM can capture a full packet that is detailed enough to recreate the packet via a PCAP file. FortiSIEM supports collecting Snort event information over JDBC from these database types:
• Oracle
• MS SQL
• MySql
• PostgreSQL
FortiSIEM supports Snort database schema 107 or higher.
SNMP Access to the Database Server
You must set up an SNMP access credential for the server that hosts the Snort database. See the topics under Database Server Configuration for information on setting up SNMP for communication with FortiSIEM for several common types of database servers. Once you have set up SNMP on your database server, you can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Debugging Snort Database Connectivity
Snort IPS alerts are pulled over JDBC by a Java agent, which has to join multiple database tables to create the events. An internal log file is created for each pull:
2012-08-07T10:02:27.576777+08:00 AO-foo java:[PH_JAVA_AGENT_INFO]:[eventSeverity]=PHL_INFO,[procName]=phAgentManager,[fileName]=AgentSnort,[phLogDetail]=10.1.20.51:ICMP:Max record id:17848444 Total records in one round of pulling:20
At most 1000 database records (IPS Alerts) are pulled at a time. If FortiSIEM finds more than 1000 new records, then it begins to fall behind and this log is created:
2012-08-07T10:02:27.576777+08:00 AO-foo java:[PH_JAVA_AGENT_INFO]:[eventSeverity]=PHL_INFO,[procName]=phAgentManager,[fileName]=AgentSnort,[phLogDetail]=Event count of snort exceeds the threshold in one round of pulling, which means there may be more events need to be pulled.
Examples of Snort IPS Events Pulled over JDBC
• UDP Event
• TCP Event
UDP Event
<134>Feb 25 14:27:56 10.1.2.36 java: [Snort-1417]:[eventSeverity]=PHL_INFO, [relayDevIpAddr]=10.1.2.36,[ipsSensorId]=1,[snortEventId]=10343430, [sensorHostname]=10.1.2.36,[signatureId]=1417,[eventName]=SNMP request udp, [eventSeverity]=2,[eventTime]=2012-11-07 17:56:51.0,[srcIpAddr]=10.1.2.245, [destIpAddr]=10.1.2.36,[ipVersion]=4,[ipHeaderLength]=5,[tos]=0,[ipTotalLength]=75,[ipId]=0, [ipFlags]=0,[ipFragOffset]=0,[ipTtl]=64,[ipProto]=17,[ipChecksum]=8584,[srcIpPort]=35876, [destIpPort]=161,[udpLen]=55,[checksum]=39621, [dataPayload]=302D02010104067075626C6963A520...


TCP Event
<134>Aug 08 09:30:59 10.1.20.51 java: [Snort-1000001]:[eventSeverity]=PHL_INFO,[hostIpAddr]=10.1.20.51,[sensorId]=1, [eventId]=17897184,[signatureId]=1000001,[signatureName]=Snort Alert [1:1000001:0],[signaturePri]=null,[eventTime]=2012-08-08 09:26:24.0,[srcIpAddr]=10.1.2.99,[destIpAddr]=10.1.20.51,[srcIpPort]=52314,[destIpPort]=80, [seqNum]=967675661,[tcpAckNum]=3996354107,[tcpOffset]=5,[tcpReserved]=0,[tcpFlags]=24, [tcpWin]=16695,[checksum]=57367,[tcpUrgentPointer]=0, [dataPayload]=474554202F66617669636F6E2E69636F204...

Viewing Snort Packet Payloads in Reports

FortiSIEM creates an event for each IPS alert in Snort database. You can view the full payload packet associated with a Snort event when you run a report.
1. Set up a structured historical search.
2. Set these conditions, where Reporting IP is an IP belonging to the Snort Application group:

Attribute     Operator  Value
Reporting IP  IN        Applications: Network IPS App

3. For Display Fields, include Data Payload. When you run the query, Data Payload will be one of the display columns.
4. When the query runs, select an event, and the data payload will display at the bottom of the search results in a byte-by-byte ethereal/wireshark format.

Exporting Snort IPS Packets as a PCAP File
After running a report, click the Export button and choose the PCAP option.
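The PCAP export works because the JDBC pull stores every IP/UDP/TCP header field plus the payload. The following is an added example, not FortiSIEM code, that rebuilds a packet from the "UDP Event" fields shown above and serialises it as a libpcap file; it also recomputes the IPv4 header checksum so a reconstruction can be checked against the value the sensor recorded. Assumptions: the guide truncates dataPayload after 15 bytes, so the remainder is constructed zero filler sized to match ipTotalLength=75 and udpLen=55, and eventTime carries no zone, so it is treated as UTC.

```python
"""Rebuild a Snort alert packet from FortiSIEM JDBC event fields and write it as PCAP."""
import struct
from datetime import datetime, timezone
from ipaddress import IPv4Address
from typing import Dict, Iterable, Tuple

LINKTYPE_RAW = 101  # pcap link type for frames that begin at the IPv4 header

# Field names exactly as in the guide's "UDP Event"; payload tail is constructed filler.
UDP_EVENT: Dict[str, str] = {
    "eventTime": "2012-11-07 17:56:51.0",
    "ipVersion": "4", "ipHeaderLength": "5", "tos": "0", "ipTotalLength": "75",
    "ipId": "0", "ipFlags": "0", "ipFragOffset": "0", "ipTtl": "64", "ipProto": "17",
    "ipChecksum": "8584", "srcIpAddr": "10.1.2.245", "destIpAddr": "10.1.2.36",
    "srcIpPort": "35876", "destIpPort": "161", "udpLen": "55", "checksum": "39621",
    "dataPayload": "302D02010104067075626C6963A520" + "00" * 32,  # 15 real + 32 filler bytes
}


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; caller zeroes the checksum field."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(f: Dict[str, str]) -> bytes:
    """Pack the stored fields back into IPv4 header + UDP header + payload.

    Checksums are written as stored, so the export reflects what the sensor saw
    rather than a freshly computed value.
    """
    payload = bytes.fromhex(f["dataPayload"])
    ver_ihl = (int(f["ipVersion"]) << 4) | int(f["ipHeaderLength"])
    flags_frag = (int(f["ipFlags"]) << 13) | int(f["ipFragOffset"])
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s", ver_ihl, int(f["tos"]), int(f["ipTotalLength"]), int(f["ipId"]),
        flags_frag, int(f["ipTtl"]), int(f["ipProto"]), int(f["ipChecksum"]),
        IPv4Address(f["srcIpAddr"]).packed, IPv4Address(f["destIpAddr"]).packed)
    udp_hdr = struct.pack("!HHHH", int(f["srcIpPort"]), int(f["destIpPort"]),
                          int(f["udpLen"]), int(f["checksum"]))
    pkt = ip_hdr + udp_hdr + payload
    if len(pkt) != int(f["ipTotalLength"]):
        raise ValueError(f"payload length disagrees with ipTotalLength: got {len(pkt)} bytes")
    return pkt


def stored_ip_checksum_is_valid(f: Dict[str, str]) -> bool:
    """Recompute the IPv4 header checksum from the stored fields and compare with ipChecksum."""
    hdr = bytearray(build_ipv4_udp(f)[:20])
    hdr[10:12] = b"\x00\x00"
    return ipv4_checksum(bytes(hdr)) == int(f["ipChecksum"])


def event_timestamp(f: Dict[str, str]) -> float:
    """eventTime has no zone in the JDBC event; UTC is an assumption made here."""
    dt = datetime.strptime(f["eventTime"], "%Y-%m-%d %H:%M:%S.%f")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def pcap_bytes(packets: Iterable[Tuple[float, bytes]]) -> bytes:
    """Serialise (timestamp, raw IPv4 packet) pairs as a classic big-endian libpcap file."""
    out = struct.pack("!IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for ts, pkt in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("!IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return out


def export_pcap(path: str, events: Iterable[Dict[str, str]]) -> int:
    """Write the events to a PCAP file; returns the number of bytes written."""
    data = pcap_bytes((event_timestamp(e), build_ipv4_udp(e)) for e in events)
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)
```

For the guide's sample, stored_ip_checksum_is_valid() returns False: a header with ipFlags=0 sums to 24968, not the recorded 8584, so treat an exported PCAP as a reconstruction from database columns rather than a byte-exact capture.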

Settings for Access Credentials

• Access Credentials for JDBC
• Access Credentials for SNMP, Telnet, SSH

Access Credentials for JDBC

Set these Access Method Definition values to allow FortiSIEM to communicate with your Snort IPS over JDBC.

Setting                  Value
Name                     <database type>-snort-BT
Device Type              Select the type of database that you are connecting to for Snort alerts
Access Protocol          JDBC
Used For                 Snort Audit
Pull Interval (minutes)  1
Port                     3306
Database Name            The name of the database
User Name                The administrative user for the Snort database
Password                 The password associated with the administrative user

Access Credentials for SNMP, Telnet, SSH

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP, Telnet, or SSH.

Setting          Value
Name             <set name>
Device Type      Snort-org Snort IPS
Access Protocol  See Access Credentials
Port             See Access Credentials
Password config  See Password Configuration


Sourcefire 3D and Defense Center
• What is Discovered and Monitored
• Configuration
What is Discovered and Monitored
Protocol: Syslog
Information Discovered:
Metrics Collected:
Used For:

Event Types
In ADMIN > Device Support > Event, search for "sourcefire" in the Description column to see the event types associated with this device.

Rules
There are no predefined rules for this device.

Reports
There are no predefined reports for this device.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting          Value
Name             <set name>
Device Type      Sourcefire Sourcefire3D IPS
Access Protocol  See Access Credentials
Port             See Access Credentials
Password config  See Password Configuration

Configuration
Syslog
FortiSIEM handles SourceFire alerts via syslog, sent either from the IPS appliances themselves or from DefenseCenter. Events are classified as Snort event types. Configure the SourceFire appliances or DefenseCenter to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server (the server where the syslog should be sent), enter the IP address of your FortiSIEM virtual appliance.
- For Port, enter 514.
- Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Sample Syslog from SourceFire3D IPS
<188>Jul 4 15:07:01 Sourcefire3D Snort: [119:15:1] http_inspect: OVERSIZE REQUEST-URI DIRECTORY [Impact: Unknown] From DetectionEngine_IPS_DMZ2/SourcefireIPS at Thu Jul 4 15:07:01 2013 UTC [Classification: Potentially Bad Traffic] [Priority: 2] {tcp} 10.20.1.12:57689->1.1.1.1:80
Sample Syslog from SourceFire DefenseCenter
<46>Jul 17 16:01:54 DefenseCenter SFAppliance: [1:7070:14] "POLICY-OTHER script tag in URI likely cross-site scripting attempt" [Impact: Potentially Vulnerable] From "10.134.96.172" at Wed Jul 17 16:01:52 2013 UTC [Classification: Web Application Attack] [Priority: 1] {tcp} 1.2.3.4:60537->2.3.4.5:80
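Both samples above carry a Snort alert body behind a BSD syslog header. The parser below is an added example written for this section, not FortiSIEM's own parser: it splits the header and the [gid:sid:rev] alert into fields and then keeps only Priority 1 alerts with a known impact, the first-pass triage an analyst would apply before opening a case.

```python
import re
from typing import List, Optional

# Constructed copies of the two sample messages shown in this section.
SAMPLE_3D = ('<188>Jul 4 15:07:01 Sourcefire3D Snort: [119:15:1] http_inspect: OVERSIZE '
             'REQUEST-URI DIRECTORY [Impact: Unknown] From DetectionEngine_IPS_DMZ2/SourcefireIPS '
             'at Thu Jul 4 15:07:01 2013 UTC [Classification: Potentially Bad Traffic] '
             '[Priority: 2] {tcp} 10.20.1.12:57689->1.1.1.1:80')
SAMPLE_DC = ('<46>Jul 17 16:01:54 DefenseCenter SFAppliance: [1:7070:14] "POLICY-OTHER script tag '
             'in URI likely cross-site scripting attempt" [Impact: Potentially Vulnerable] '
             'From "10.134.96.172" at Wed Jul 17 16:01:52 2013 UTC [Classification: Web '
             'Application Attack] [Priority: 1] {tcp} 1.2.3.4:60537->2.3.4.5:80')

# Syslog header (PRI, BSD timestamp, host, program) followed by the Snort alert body.
# Impact / From / Classification / Priority are optional because a sensor or
# DefenseCenter does not always emit all of them; the message may be quoted.
ALERT_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\s]+): '
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>"[^"]*"|[^\[]+?)\s*'
    r'(?:\[Impact: (?P<impact>[^\]]*)\]\s*)?'
    r'(?:From (?P<sensor>"[^"]*"|\S+) at (?P<when>.+? UTC)\s*)?'
    r'(?:\[Classification: (?P<cls>[^\]]*)\]\s*)?'
    r'(?:\[Priority: (?P<prio>\d+)\]\s*)?'
    r'\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<spt>\d+)->(?P<dst>[\d.]+):(?P<dpt>\d+)\s*$'
)


def _unquote(s: Optional[str]) -> Optional[str]:
    return s.strip('"').strip() if s is not None else None


def parse_sourcefire_alert(line: str) -> Optional[dict]:
    """Return the normalized alert fields, or None when the line is not a Snort alert."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    pri = int(m['pri'])
    return {
        'facility': pri >> 3,            # syslog facility encoded in the PRI
        'severity': pri & 7,             # syslog severity encoded in the PRI
        'timestamp': m['ts'],
        'reporting_host': m['host'],
        'program': m['prog'],
        'signature': f"{m['gid']}:{m['sid']}:{m['rev']}",
        'sid': int(m['sid']),
        'message': _unquote(m['msg']),
        'impact': m['impact'],
        'sensor': _unquote(m['sensor']),
        'classification': m['cls'],
        'priority': int(m['prio']) if m['prio'] else None,
        'proto': m['proto'],
        'src_ip': m['src'], 'src_port': int(m['spt']),
        'dst_ip': m['dst'], 'dst_port': int(m['dpt']),
    }


def actionable_alerts(lines: List[str], max_priority: int = 1) -> List[dict]:
    """Keep alerts whose Snort priority is at or better than the threshold
    (1 is the most urgent) and whose impact assessment is not 'Unknown'."""
    kept = []
    for line in lines:
        alert = parse_sourcefire_alert(line)
        if alert is None or alert['priority'] is None:
            continue
        if alert['priority'] <= max_priority and alert['impact'] != 'Unknown':
            kept.append(alert)
    return kept
```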


Trend Micro Deep Discovery
- Integration Points
- Configuration
- Settings for Access Credentials
- Sample Events

Integration Points

Method                  Syslog
Information discovered  Host name, Reporting IP
Metrics collected       None
Logs collected          Malicious file detection
Used for                Security monitoring

Event Types
In ADMIN > Device Support > Event, search for "Trend-DeepDiscoveryAnalyzer" and "Trend-DeepDiscoveryInspector" to see the event types associated with this device.
Rules
No specific rules are written for Trend-DeepDiscoveryAnalyzer and Trend-DeepDiscoveryInspector, but regular endpoint rules apply.
Reports
No specific reports are written for Trend-DeepDiscoveryAnalyzer and Trend-DeepDiscoveryInspector, but regular endpoint reports apply.
Configuration
Configure the Trend Deep Discovery system to send logs to FortiSIEM in the supported format (see Sample Events).
Settings for Access Credentials
None required.
Sample Events
<123>CEF:0|Trend Micro|Deep Discovery Inspector|3.8.1175|20|Malware URL requested - Type 1|6|dvc=10.0.1.50 dvcmac=00:0C:29:A6:53:0C dvchost=ddi38-143 deviceExternalId=6B593E17AFB7-40FBBB28-A4CE-0462-A536 rt=Mar 09 2015 11:58:25 GMT+08:00 app=HTTP deviceDirection=1 dhost=www.example.com dst=10.10.11.99 dpt=80 dmac=00:1b:21:35:8b:98 shost=10.1.1.97 src=10.1.1.197 spt=12121 smac=fe:ed:be:ef:5a:c6 cs3Label=HostName_Ext cs3=www.example.com fname=setting.doc fileType=0 fsize=0 act=not blocked cn3Label=Threat Type cn3=1 destinationTranslatedAddress=10.1.1.2 sourceTranslatedAddress=10.1.1.197 cnt=1 cs5Label=CCCA_DetectionSource cs5=GLOBAL_INTELLIGENCE cn1Label=CCCA_Detection cn1=1 cat=Callback cs6Label=pAttackPhase cs6=Command and Control Communication
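Added example, not Trend Micro's or FortiSIEM's code, showing how a CEF event like the one above is taken apart: the seven pipe-delimited header fields (honouring \| escapes), the space-separated key=value extension whose values may themselves contain spaces (rt=..., act=not blocked), and the csN/cnN custom fields renamed through their csNLabel/cnNLabel companions so that cs3 becomes HostName_Ext.

```python
import re
from typing import Dict, List, Tuple

# Constructed single-line copy of the Deep Discovery Inspector event shown above.
SAMPLE_CEF = (
    '<123>CEF:0|Trend Micro|Deep Discovery Inspector|3.8.1175|20|Malware URL requested - Type 1|6|'
    'dvc=10.0.1.50 dvcmac=00:0C:29:A6:53:0C dvchost=ddi38-143 '
    'deviceExternalId=6B593E17AFB7-40FBBB28-A4CE-0462-A536 rt=Mar 09 2015 11:58:25 GMT+08:00 '
    'app=HTTP deviceDirection=1 dhost=www.example.com dst=10.10.11.99 dpt=80 dmac=00:1b:21:35:8b:98 '
    'shost=10.1.1.97 src=10.1.1.197 spt=12121 smac=fe:ed:be:ef:5a:c6 cs3Label=HostName_Ext '
    'cs3=www.example.com fname=setting.doc fileType=0 fsize=0 act=not blocked cn3Label=Threat Type '
    'cn3=1 destinationTranslatedAddress=10.1.1.2 sourceTranslatedAddress=10.1.1.197 cnt=1 '
    'cs5Label=CCCA_DetectionSource cs5=GLOBAL_INTELLIGENCE cn1Label=CCCA_Detection cn1=1 '
    'cat=Callback cs6Label=pAttackPhase cs6=Command and Control Communication'
)

PRI_RE = re.compile(r'^<(\d+)>(.*)$', re.S)
# An extension key starts the string or follows whitespace; its value runs up to the
# next key. Requiring the whitespace keeps "a=b" inside a value (a URL query, say)
# from being mistaken for a new key.
EXT_KEY_RE = re.compile(r'(?:^|\s)([A-Za-z][\w.]*)=')
HEADER_FIELDS = ('cef_version', 'vendor', 'product', 'version', 'signature_id', 'name', 'severity')


def split_cef_header(s: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields, honouring '\\|' and '\\\\' escapes.
    Returns (fields, remaining extension string)."""
    fields, cur, i = [], [], 0
    while i < len(s) and len(fields) < 7:
        c = s[i]
        if c == '\\' and i + 1 < len(s):      # escaped pipe or backslash
            cur.append(s[i + 1])
            i += 2
        elif c == '|':
            fields.append(''.join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    return fields, s[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    keys = list(EXT_KEY_RE.finditer(ext))
    out = {}
    for n, k in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[k.group(1)] = ext[k.end():end].strip()
    return out


def resolve_custom_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Rename csN/cnN fields to the names in csNLabel/cnNLabel (cs3 -> HostName_Ext)."""
    out = {}
    for key, value in ext.items():
        if key.endswith('Label'):
            continue
        out[ext.get(key + 'Label', key)] = value
    return out


def parse_cef(line: str) -> dict:
    """Parse an optionally syslog-prefixed CEF line into header fields plus resolved extension."""
    pri = None
    m = PRI_RE.match(line)
    if m:
        pri, line = int(m.group(1)), m.group(2)
    if not line.startswith('CEF:'):
        raise ValueError('not a CEF message')
    header, ext = split_cef_header(line[len('CEF:'):])
    if len(header) != 7:
        raise ValueError('malformed CEF header')
    event = dict(zip(HEADER_FIELDS, header))
    # CEF severity is 0-10 numerically, but some producers send Low/Medium/High
    event['severity'] = int(event['severity']) if event['severity'].isdigit() else event['severity']
    event['syslog_facility'] = pri >> 3 if pri is not None else None
    event['syslog_severity'] = pri & 7 if pri is not None else None
    event['fields'] = resolve_custom_labels(parse_extension(ext))
    return event
```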


Zeek (Bro) Installed on Security Onion
Bro/Zeek is an open-source network analysis product that is also installed as part of Security Onion.
- What is Discovered and Monitored
- Configuration
- Sample Events

What is Discovered and Monitored

Protocol: Syslog
  Information Discovered:
  Metrics collected:
  Used for: Event Collection

Event Types
- Bro-dhcp (/Regular Traffic/Permit - Traffic): A DHCP conversation
- Bro-dns (/Regular Traffic/Permit - Traffic): DNS activity log
- Bro-conn (/Regular Traffic/Permit - Traffic): TCP/UDP/ICMP connections
- Bro-app_stats (/Info): Statistics about APP
- Bro-radius (/Info): RADIUS analysis activity
- Bro-known_devices (/Info): Bro known devices
Rules
Generic Rules matching categories.
Reports
Generic Reports matching categories.
Configuration
Complete the following task on Security Onion; it is crucial to get the headers working in the parser. Add the following configuration to the /etc/syslog-ng/syslog-ng.conf file, changing <IP> to the IP of the FortiSIEM Super/Worker/Collector that will receive the syslog:
destination d_fortisiem { tcp("<IP>" port(514)); };
log {
    source(s_bro_dns);
    source(s_bro_dhcp);
    log { filter(f_bro_headers); };
    log { destination(d_fortisiem); };
};

Sample Events
<13>Mar 25 11:02:24 sec-sensor-ps bro_dns: {"ts":"2019-03-25T11:02:22.485187Z","uid":"CEBf4c2FoLEBtbPLn6","id.orig_h":"10.8.20.21","id.orig_p":50837,"id.resp_h":"10.8.1.203","id.resp_p":53,"proto":"udp","trans_id":25959,"rtt":0.000357,"query":"tsomething.my.somewhere.com","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["um1.my.somewhere.com","um1-lo3.my.somewhere.com","um1-lo3.lo3.r.my.somewhere.com","55.66.8.24","55.66.8.152","55.66.9.24"],"TTLs":[136.0,5.0,146.0,5.0,5.0,5.0],"rejected":false}


Routers and Switches
FortiSIEM supports these routers and switches for discovery and monitoring.
- Alcatel TiMOS and AOS Switch
- Arista Router and Switch
- Brocade NetIron CER Routers
- Cisco 300 Series Routers
- Cisco IOS Router and Switch
  - How CPU and Memory Utilization is Collected for Cisco IOS
- Cisco Meraki Cloud Controller and Network Devices
- Cisco NX-OS Router and Switch
- Cisco ONS
- Cisco Viptela SDWAN Router
- Dell Force10 Router and Switch
- Dell NSeries Switch
- Dell PowerConnect Switch and Router
- Foundry Networks IronWare Router and Switch
- HP/3Com ComWare Switch
- HP ProCurve Switch
- HP Value Series (19xx) and HP 3Com (29xx) Switch
- Hirschmann SCADA Firewalls and Switches
- Juniper Networks JunOS Switch
- MikroTik Router
- Nortel ERS and Passport Switch


Alcatel TiMOS and AOS Switch
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
  Information Discovered: Host name, Software version, Hardware model, Network interfaces
  Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
  Used for: Availability and Performance Monitoring

Protocol: SNMP (V1, V2c)
  Metrics collected: Hardware status: Power Supply, Fan, Temperature
  Used for: Availability

Protocol: SNMP (V1, V2c, V3)
  Information Discovered: Layer 2 port mapping: associating switch ports to directly connected host IP/MAC addresses
  Used for: Identity and location table; Topology

Event Types
In ADMIN > Device Support > Event, search for "alcatel" in the Device Type and Description columns to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Settings for Access Credentials
SNMP Access Credentials for All Devices
Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting           Value
Name              <set name>
Device Type       Generic
Access Protocol   SNMP
Community String  <your own>


Arista Router and Switch
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
  Information Discovered: Host name, Serial number, Software version, Hardware model, Network interfaces, Hardware Components
  Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), CPU utilization, Memory utilization, Flash utilization, Hardware Status
  Used for: Availability and Performance Monitoring

Protocol: Telnet/SSH
  Information Discovered: Running and Startup configurations
  Metrics collected: Startup Configuration Change, Difference between Running and Startup configurations
  Used for: Change monitoring

Event Types
There are no event types defined specifically for this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
Telnet/SSH
FortiSIEM uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH. These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device.
- show startup-config
- show running-config
- show version
- show ip route
- enable
- terminal pager 0
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

SNMP Access Credentials for All Devices
Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting           Value
Name              <set name>
Device Type       Generic
Access Protocol   SNMP
Community String  <your own>

Telnet Access Credentials for All Devices

These are the generic settings for providing Telnet access to your device from FortiSIEM.

Setting          Value
Name             Telnet-generic
Device Type      generic
Access Protocol  Telnet
Port             23
User Name        A user who has permission to access the device over Telnet
Password         The password associated with the user

SSH Access Credentials for All Devices
These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting          Value
Name             ssh-generic
Device Type      Generic
Access Protocol  SSH
Port             22
User Name        A user who has access credentials for your device over SSH
Password         The password for the user


Brocade NetIron CER Routers
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
  Information Discovered: Host name, Software version, Hardware model, Network interfaces
  Metrics collected: CPU, Memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware Status, Real Server Status
  Used for: Availability and Performance Monitoring

Event Types
There are no event types defined specifically for this device.
Rules
There are no predefined rules specifically for this device.
Reports
There are no predefined reports specifically for this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting          Value
Name             <set name>
Device Type      Brocade NetIron CER
Access Protocol  See Access Credentials
Port             See Access Credentials
Password config  See Password Configuration


Cisco 300 Series Routers
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
  Information Discovered: Host name, Software version, Hardware model, Network interfaces
  Metrics collected: Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards, and queue lengths)
  Used for: Availability and Performance Monitoring

Event Types
There are no event types defined specifically for this device.
Rules
There are no predefined rules specifically for this device.
Reports
There are no predefined reports specifically for this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.


Settings for Access Credentials

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting           Value
Name              <set name>
Device Type       Generic
Access Protocol   SNMP
Community String  <your own>


Cisco IOS Router and Switch
- What is Discovered and Monitored
- Event Types
- Configuration
- Settings for Access Credentials

Issue with Generic Serial Numbers in Older Versions of Cisco IOS Routers
FortiSIEM uses serial numbers to uniquely identify a device. For older routers, the serial number is obtained from the OID 1.3.6.1.4.1.9.3.6.3.0. However, this value is often incorrectly set by default to a generic value like MSFC 2A. If multiple routers have a common default value, then these routers will be merged into a single entry in the FortiSIEM CMDB. You can check the current value for the serial number in a Cisco router by doing an SNMP walk of the OID:
snmpwalk -v2c -c <cred> <ip> 1.3.6.1.4.1.9.3.6.3.0
If the value is a generic value, then set it to the actual serial number:
Router(config)#snmp-server chassis-id <serial number>
Router(config)#exit
Router#write memory
Run the snmpwalk again to verify that the serial number is updated, then perform discovery of your Cisco router.
What is Discovered and Monitored

Protocol: SNMP (V1, V2c, V3)
  Information Discovered: Host name, IOS version, Hardware model, Memory size, Network interface details (name, address, mask and description)
  Metrics collected: Uptime, CPU and Memory utilization, Free processor and I/O memory, Free contiguous processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
  Used for: Availability and Performance Monitoring

Protocol: SNMP (V1, V2c, V3)
  Information Discovered: Hardware component details: serial number, model, manufacturer, software and firmware versions of hardware components such as chassis, CPU, fan, power supply, network cards etc.
  Metrics collected: Hardware health: temperature, fan and power supply
  Used for: Availability

Protocol: SNMP (V1, V2c, V3)
  Information Discovered: Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association
  Used for: Topology and end-host location

Protocol: SNMP (V1, V2c, V3)
  Information Discovered: BGP connectivity, neighbors, state, AS number
  Metrics collected: BGP state change
  Used for: Routing Topology, Availability Monitoring

Protocol: SNMP (V1, V2c, V3)
  Information Discovered: OSPF connectivity, neighbors, state, OSPF Area
  Metrics collected: OSPF state change
  Used for: Routing Topology, Availability Monitoring

Protocol: SNMP (V1, V2c, V3)
  Metrics collected: IP SLA and VoIP performance metrics: Max/Min/Avg Delay and Jitter - both overall and Source->Destination and Destination->Source, Packets Lost - both overall and Source->Destination and Destination->Source, Packets Missing in Action, Packets Late, Packets out of sequence, VoIP Mean Opinion Score (MOS), VoIP Calculated Planning Impairment Factor (ICPIF) score
  Used for: VoIP Performance Monitoring

Protocol: SNMP (V1, V2c, V3)
  Metrics collected: Class based QoS metrics (from CISCO-CLASS-BASED-QOS-MIB): For each (router interface, policy, class map) tuple: class map metrics including pre-policy rate, post-policy rate, drop rate and drop pct; police action metrics including conform rate, exceeded rate and violated rate; queue metrics including current queue length, max queue length and discarded packets
  Used for: QoS performance monitoring

Protocol: SNMP (V1, V2c, V3)
  Metrics collected: NBAR metrics (from CISCO-NBAR-PROTOCOL-DISCOVERY-MIB): For each interface and application, sent/receive flows, sent/receive bytes, sent/receive bits/sec
  Used for: Performance Monitoring

Protocol: Telnet/SSH
  Information Discovered: Running and startup configuration, Image file name, Flash memory size, Running processes
  Metrics collected: Startup configuration change, delta between running and startup configuration, Running process CPU and memory utilization
  Used for: Performance Monitoring, Security and Compliance

Protocol: Syslog
  Information Discovered: Device type
  Metrics collected: System logs and traffic logs matching acl statements
  Used for: Availability, Security and Compliance

Event Types
Syslog events
In ADMIN > Device Support > Event, search for "cisco_os" in the Description column to see the event types associated with this device.
Rules

Reports

Configuration
Telnet/SSH
FortiSIEM uses SSH and Telnet to communicate with your device. Follow the instructions in the product documentation for your device to enable SSH and Telnet. These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device.
- show startup-config
- show running-config
- show version
- show flash
- show ip route
- show mac-address-table or show mac address-table
- show vlan brief
- show process cpu
- show process mem
- show disk0
- enable
- terminal pager 0

SNMP
SNMP V1/V2c
1. Log in to the Cisco IOS console or telnet to the device.
2. Enter configuration mode.
3. Create an access list for FortiSIEM.
   access-list 10 permit <FortiSIEM IP>
4. Set up community strings and access lists.
   snmp-server community <community string> ro 10
5. Exit configuration mode.
SNMP V3
1. Log in to the Cisco IOS console or telnet to the device.
2. Enter configuration mode.
3. Create an access list for FortiSIEM.
   access-list 10 permit <FortiSIEM IP>
4. Set up SNMP credentials for Authentication only.
   snmp-server group <grpName> v3 auth
   ! do this for every VLAN for FortiSIEM to discover per-VLAN information such as Spanning Tree and VTP MIBs
   snmp-server group <grpName> v3 auth context vlan-<vlanId>
   snmp-server user <userName> <grpName> v3 auth md5 <password> access 10
5. Set up SNMP credentials for Authentication and Encryption.
   snmp-server group <grpName> v3 priv
   ! do this for every VLAN for FortiSIEM to discover per-VLAN information such as Spanning Tree and VTP MIBs
   snmp-server group <grpName> v3 auth context vlan-<vlanId>
   snmp-server group <grpName> v3 priv context vlan-<vlanId>
   snmp-server user <userName> <grpName> v3 auth md5 <password> priv des56 <password> access 10
6. Exit configuration mode.
Syslog
1. Log in to the Cisco IOS console or telnet to the device.
2. Enter configuration mode.
3. Enable logging with these commands.
   logging on
   logging trap informational
   logging <FortiSIEM IP>
4. Make sure that the timestamp in syslog messages sent to FortiSIEM does not contain milliseconds.
   no service timestamps log datetime msec
   service timestamps log datetime
5. To log traffic matching acl statements in stateless firewall scenarios, add the log keyword to the acl statements.
   access-list 102 deny udp any gt 0 any gt 0 log
6. To turn on logging from the IOS Firewall module, use this command.
   ip inspect audit-trail
7. Exit configuration mode.
Sample Cisco IOS Syslog Messages
<190>109219: Jan 9 18:03:35.281: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (192.168.20.33:1876) -- responder (192.168.0.10:445)
<190>263951: 2w6d: %SEC-6-IPACCESSLOGP: list permit-any permitted udp 192.168.20.35(0) -> 192.168.23.255(0), 1 packet
<188>84354: Dec 6 08:15:20: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] [Source: 192.168.135.125] [localport: 80] [Reason: Login Authentication Failed - BadPassword] at 08:15:20 PST Mon Dec 6 2010
<189>217: May 12 13:57:23.720: %SYS-5-CONFIG_I: Configured from console by vty1 (192.168.29.8)
<189>Oct 27 20:18:43.254 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP request from host 192.168.2.98
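Added example, not FortiSIEM's parser, for the message layout shown above: it separates the optional sequence number, the timestamp (absolute or an uptime such as 2w6d) and the %FACILITY-SEVERITY-MNEMONIC token, extracts the bracketed "key: value" fields the login-failure message carries, and flags messages whose timestamp still contains milliseconds, which is the setting step 4 of the syslog configuration turns off.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed copies of the sample messages listed above.
SAMPLES = [
    '<190>109219: Jan 9 18:03:35.281: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: '
    'initiator (192.168.20.33:1876) -- responder (192.168.0.10:445)',
    '<190>263951: 2w6d: %SEC-6-IPACCESSLOGP: list permit-any permitted udp '
    '192.168.20.35(0) -> 192.168.23.255(0), 1 packet',
    '<188>84354: Dec 6 08:15:20: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] '
    '[Source: 192.168.135.125] [localport: 80] [Reason: Login Authentication Failed - BadPassword] '
    'at 08:15:20 PST Mon Dec 6 2010',
    '<189>217: May 12 13:57:23.720: %SYS-5-CONFIG_I: Configured from console by vty1 (192.168.29.8)',
    '<189>Oct 27 20:18:43.254 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP request '
    'from host 192.168.2.98',
]

# PRI, optional sequence number, optional timestamp (absolute, or uptime such as 2w6d
# when 'service timestamps' is off), then %FACILITY-SEVERITY-MNEMONIC: text.
IOS_RE = re.compile(
    r'^<(?P<pri>\d+)>'
    r'(?:(?P<seq>\d+): )?'
    r'(?:(?P<ts>[^%]*?): )?'
    r'%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$'
)
MSEC_RE = re.compile(r'\d\d:\d\d:\d\d\.\d+')        # hh:mm:ss.mmm, present only with 'datetime msec'
BRACKET_RE = re.compile(r'\[(\w+): ([^\]]*)\]')     # [user: Admin] [Source: 192.168.135.125] ...


def parse_ios_syslog(line: str) -> Optional[Dict]:
    """Return the decoded message fields, or None when the line is not an IOS syslog message."""
    m = IOS_RE.match(line)
    if m is None:
        return None
    pri = int(m['pri'])
    return {
        'syslog_facility': pri >> 3,
        'syslog_severity': pri & 7,
        'seq': int(m['seq']) if m['seq'] else None,
        'timestamp': m['ts'],
        'facility': m['facility'],
        'severity': int(m['sev']),         # IOS severity 0 (emergency) to 7 (debug)
        'mnemonic': m['mnemonic'],
        'text': m['text'],
        'fields': dict(BRACKET_RE.findall(m['text'])),
        'msec_timestamp': bool(m['ts'] and MSEC_RE.search(m['ts'])),
    }


def audit(lines: List[str]) -> Dict:
    """Summarize a batch: counts per %FACILITY-SEV-MNEMONIC, lines that did not parse,
    and the mnemonics of messages whose timestamps still carry milliseconds."""
    counts, unparsed, msec = Counter(), [], []
    for line in lines:
        ev = parse_ios_syslog(line)
        if ev is None:
            unparsed.append(line)
            continue
        counts[f"%{ev['facility']}-{ev['severity']}-{ev['mnemonic']}"] += 1
        if ev['msec_timestamp']:
            msec.append(ev['mnemonic'])
    return {'counts': dict(counts), 'unparsed': unparsed, 'msec_timestamps': msec}
```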
NetFlow
Enable NetFlow on the Router
1. Enter configuration mode.
2. For every interface, run these commands.
   interface <interface> <interface_number>
   ip route-cache flow
   exit
Set Up NetFlow Export
1. Enter configuration mode.
2. Run these commands.
   ip flow-export version 5|9
   ip flow-export destination <FortiSIEM IP> 2055
   ip flow-export source <interface> <interface_number>
   ip flow-cache timeout active 1
   ip flow-cache timeout inactive 15
   snmp-server ifindex persist
   On MLS switches, such as the 6500 or 7200 models, also run these commands.
   mls netflow
   mls nde sender
   mls aging long 64
   mls flow ip full
3. Exit configuration mode.
You can verify that you have set up NetFlow correctly by running these commands.
   # shows the current NetFlow configuration
   show ip flow export
   # summarizes the active flows and gives an indication of how much NetFlow data the device is exporting
   show ip cache flow (or show ip cache verbose flow)
Sample Flexible Netflow Configuration in IOS
flow exporter e1
 ! destination is the collector address; the default port needs to be changed to 2055
 destination <FortiSIEM IP>
 transport udp 2055
!
flow record r1
 ! record specifies the packet fields to collect
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
!
flow monitor m1
 ! monitor refers to the record configuration and the exporter configuration
 record r1
 exporter e1
 cache timeout active 60
 cache timeout inactive 30
 cache entries 1000
!
interface GigabitEthernet 2/48
 ip flow monitor m1 input
IP SLA
IP SLA is a technology where a pair of routers can run synthetic tests between themselves and report detailed traffic statistics. This enables network administrators to get performance reports between sites without depending on end-host instrumentation.

Cisco provides detailed documents for configuring IP SLA for both general traffic and VoIP. A variety of IP SLA tests can be run, for example UDP/ICMP Jitter, UDP Jitter for VoIP, UDP/ICMP Echo, TCP Connect, HTTP, etc. You can see the traffic statistics for these tests by running the appropriate show commands on the router. However, only these IP SLA tests are exported via the RTT-MON SNMP MIB:
- UDP Jitter (reported by FortiSIEM event type PH_DEV_MON_IPSLA_MET)
- UDP Jitter for VoIP (reported by FortiSIEM event type PH_DEV_MON_IPSLA_VOIP_MET)
- HTTP performance (reported by FortiSIEM event type PH_DEV_MON_IPSLA_HTTP_MET)
- ICMP Echo (reported by FortiSIEM event type PH_DEV_MON_IPSLA_ICMP_MET)
- UDP Echo (reported by FortiSIEM event type PH_DEV_MON_IPSLA_UDP_MET)
These are the only IP SLA tests monitored by FortiSIEM. Configuring IP SLA involves choosing and configuring a router to initiate the test and a router to respond. The test statistics are automatically reported by the initiating router via SNMP, so no additional configuration is required. Bidirectional traffic statistics are also reported by the initiating router, so you don't need to set up a reverse test between the original initiating and responding routers. FortiSIEM automatically detects the presence of the IP SLA SNMP MIB (CISCO-RTTMON-MIB) and starts collecting the statistics.
Configuring IP SLA Initiator for UDP Jitter
ipsla-init>enable
ipsla-init#config terminal
ipsla-init(config)#ip sla monitor <operation num>
ipsla-init(config-sla-monitor)#type jitter dest-ipaddr <responder ip> dest-port <dest port>
ipsla-init(config-sla-monitor-jitter)#frequency default
ipsla-init(config-sla-monitor-jitter)#exit
ipsla-init(config)#ip sla monitor schedule <operation num> start-time now life forever
Configuring IP SLA Initiator for UDP Jitter for VoIP
ipsla-init>enable
ipsla-init#config terminal
ipsla-init(config)#ip sla monitor <operation num>
ipsla-init(config-sla-monitor)#type jitter dest-ipaddr <responder ip> dest-port <dest port> codec <codec type> advantage-factor 0
ipsla-init(config-sla-monitor-jitter)#frequency default
ipsla-init(config-sla-monitor-jitter)#exit
ipsla-init(config)#ip sla monitor schedule <operation num> start-time now life forever
Configuring IP SLA Initiator for ICMP Echo Operation
Router> enable
Router# configure terminal
Router(config)# ip sla monitor 15
Router(config-sla-monitor)# type echo protocol ipIcmpEcho <destination-ip-address>
Router(config-sla-monitor-echo)# frequency 30
Router(config-sla-monitor-echo)# exit
Router(config)# ip sla monitor schedule 15 start-time now life forever
Router(config)# exit


Configuring the IP SLA Responder for All Cases
ipsla-resp>enable
ipsla-resp#config terminal
ipsla-resp(config)#ip sla monitor responder
Class-Based QoS
CBQoS enables routers to enforce traffic-dependent Quality of Service policies on router interfaces, to make sure that important traffic such as VoIP and mission critical applications get their allocated network resources. Cisco provides detailed documents for configuring IP SLA for both general traffic and VoIP. The CBQoS statistics are automatically reported by the router via SNMP, so no additional configuration is needed. FortiSIEM detects the presence of valid CBQoS MIBs and starts monitoring them.
NBAR
Cisco provides a configuration guide for protocol discovery via NBAR. Make sure that the CISCO-NBAR-PROTOCOL-DISCOVERY-MIB is enabled.
Sample event generated by FortiSIEM:
[PH_DEV_MON_CISCO_NBAR_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceCisco.cpp,[lineNumber]=1644,[hostName]=R1.r1.accelops.com,[hostIpAddr]=10.1.20.59,[intfName]=Ethernet0/0,[appTransportProto]=snmp,[totFlows]=4752,[recvFlows]=3168,[sentFlows]=1584,[totBytes64]=510127,[recvBytes64]=277614,[sentBytes64]=232513,[totBitsPerSec]=22528.000000,[recvBitsPerSec]=12288.000000,[sentBitsPerSec]=10240.000000,[phLogDetail]=

Settings for Access Credentials

SNMP Access Credentials for All Devices

These are the generic settings for providing SNMP access to your device from FortiSIEM.

Setting           Value
Name              <set name>
Device Type       Generic
Access Protocol   SNMP
Community String  <your own>

Telnet Access Credentials for All Devices
These are the generic settings for providing Telnet access to your device from FortiSIEM.

Setting          Value
Name             Telnet-generic
Device Type      generic
Access Protocol  Telnet
Port             23
User Name        A user who has access credentials for your device over Telnet
Password         The password associated with the user

SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting          Value
Name             ssh-generic
Device Type      Generic
Access Protocol  SSH
Port             22
User Name        A user who has access credentials for your device over SSH
Password         The password associated with the user

How CPU and Memory Utilization is Collected for Cisco IOS
FortiSIEM follows the process for collecting information about CPU utilization that is recommended by Cisco.
- Monitoring CPU
- Monitoring Memory using PROCESS-MIB
Monitoring CPU
The OID is 1.3.6.1.4.1.9.9.109.1.1.1.1.8. The issue is that there are multiple CPUs; which ones should be used? A sample SNMP walk for this OID looks like this:
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.1 = Gauge32: 46
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.2 = Gauge32: 22
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.3 = Gauge32: 5
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.4 = Gauge32: 4
Note that there are 4 CPUs, indexed 1-4. We must identify the Control plane CPU and the Data plane CPU. The CPU Id -> entity Id mapping comes from the following SNMP walk:
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.1 = INTEGER: 3014
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.2 = INTEGER: 3001
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.3 = INTEGER: 1001
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.4 = INTEGER: 7001
This provides the following CPU Id -> entity Id mapping:
1 -> 3014
2 -> 3001
3 -> 1001
4 -> 7001
The following SNMP walk provides the names for each entity Id:
SNMPv2-SMI::mib-2.47.1.1.1.1.7.1001 = STRING: "Chassis 1 CPU of Module 2"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.3001 = STRING: "Chassis 1 CPU of Switching Processor 5"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.3014 = STRING: "Chassis 1 CPU of Routing Processor 5"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.7001 = STRING: "Chassis 2 CPU of Module 2"
Combining all this information, we finally obtain the CPU utilization for each object:
Chassis 1 CPU of Routing Processor 5 -> 46%
Chassis 1 CPU of Switching Processor 5 -> 22%
Chassis 1 CPU of Module 2 -> 5%
Chassis 2 CPU of Module 2 -> 4%
FortiSIEM reports the utilization of each CPU separately:
[PH_DEV_MON_SYS_PER_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=9596,[cpuName]=Chassis 1 CPU of Routing Processor 5,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,[cpuUtil]=46.000000,[pollIntv]=176,[phLogDetail]=
[PH_DEV_MON_SYS_PER_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=9596,[cpuName]=Chassis 1 CPU of Switching Processor 5,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,[cpuUtil]=22.000000,[pollIntv]=176,[phLogDetail]=
[PH_DEV_MON_SYS_PER_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=9596,[cpuName]=Chassis 1 CPU of Module 2,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,[cpuUtil]=5.000000,[pollIntv]=176,[phLogDetail]=
[PH_DEV_MON_SYS_PER_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=9596,[cpuName]=Chassis 2 CPU of Module 2,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,[cpuUtil]=4.000000,[pollIntv]=176,[phLogDetail]=
To get the overall system CPU utilization, we average over the Switching and Routing CPUs, so CPU Util = (46+22)/2 = 34%:
[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=9611,[cpuName]=RoutingCpu,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,[cpuUtil]=34.0000,[pollIntv]=176,[phLogDetail]=
Monitoring Memory using PROCESS-MIB
The relevant OIDs are Used memory OID = 1.3.6.1.4.1.9.9.48.1.1.1.6 Free memory OID = 1.3.6.1.4.1.9.9.48.1.1.1.5
Memory Util = (Used memory) / (Used memory + Free memory) SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.1 = Gauge32: 87360992 <- Processor Memory Used SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.2 = Gauge32: 10715440 <- IO Memory Used SNMPv2-SMI::enterprises.9.9.48.1.1.1.6.1 = Gauge32: 2904976 <- Processor Memory Free SNMPv2-SMI::enterprises.9.9.48.1.1.1.6.2 = Gauge32: 1342944 <- IO Memory Free
Therefore Used Memory = 98,076,432 Total Memory = 102,324,352 Memory Util = 96%
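The CPU and memory arithmetic described above, carried through in code so the join between the two MIB tables can be checked against a real walk. This is an added example written for readers of this guide, not FortiSIEM code. The entity names and the memory-pool values are the walk output printed on this page; the CISCO-PROCESS-MIB rows that tie each CPU row to its entity index (cpmCPUTotalPhysicalIndex, 1.3.6.1.4.1.9.9.109.1.1.1.1.2) and carry the utilization (cpmCPUTotal1minRev, 1.3.6.1.4.1.9.9.109.1.1.1.1.7) are constructed so that they reproduce the figures quoted above, and the choice of the 1-minute average is an assumption.

```python
"""Reproduce FortiSIEM's per-CPU, system CPU and memory figures from snmpwalk text.

Added example for this guide; not FortiSIEM's collector. The ENTITY-MIB names and
CISCO-MEMORY-POOL-MIB values are the ones printed on the page. The CISCO-PROCESS-MIB
rows are constructed (assumed) so that the join yields the same numbers.
"""
import re
from statistics import mean

# ENTITY-MIB entPhysicalName (1.3.6.1.2.1.47.1.1.1.1.7), copied from the page.
ENT_NAME_WALK = """\
SNMPv2-SMI::mib-2.47.1.1.1.1.7.1001 = STRING: "Chassis 1 CPU of Module 2"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.3001 = STRING: "Chassis 1 CPU of Switching Processor 5"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.3014 = STRING: "Chassis 1 CPU of Routing Processor 5"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.7001 = STRING: "Chassis 2 CPU of Module 2"
"""

# CISCO-PROCESS-MIB cpmCPUTotalPhysicalIndex (...109.1.1.1.1.2) and cpmCPUTotal1minRev
# (...109.1.1.1.1.7). Constructed rows: the page quotes the results, not this walk.
CPM_WALK = """\
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.1 = INTEGER: 1001
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.2 = INTEGER: 3001
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.3 = INTEGER: 3014
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.4 = INTEGER: 7001
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.7.1 = Gauge32: 5
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.7.2 = Gauge32: 22
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.7.3 = Gauge32: 46
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.7.4 = Gauge32: 4
"""

# CISCO-MEMORY-POOL-MIB ciscoMemoryPoolUsed (.5) and ciscoMemoryPoolFree (.6), from the page.
MEM_WALK = """\
SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.1 = Gauge32: 87360992
SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.2 = Gauge32: 10715440
SNMPv2-SMI::enterprises.9.9.48.1.1.1.6.1 = Gauge32: 2904976
SNMPv2-SMI::enterprises.9.9.48.1.1.1.6.2 = Gauge32: 1342944
"""

# "<column OID>.<instance> = <TYPE>: <value>", with or without quotes around the value.
WALK_LINE = re.compile(r'^(\S+?)\.(\d+) = \w+: "?([^"]*)"?$')


def parse_walk(text, column_suffix):
    """Return {instance: value} for the rows whose column OID ends with column_suffix."""
    rows = {}
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if m and m.group(1).endswith(column_suffix):
            rows[int(m.group(2))] = m.group(3)
    return rows


def per_cpu_util(ent_walk=ENT_NAME_WALK, cpm_walk=CPM_WALK):
    """Join each cpmCPUTotal row to its ENTITY-MIB name via cpmCPUTotalPhysicalIndex."""
    names = parse_walk(ent_walk, "47.1.1.1.1.7")
    phys_index = parse_walk(cpm_walk, "9.9.109.1.1.1.1.2")
    util = parse_walk(cpm_walk, "9.9.109.1.1.1.1.7")
    result = {}
    for row, ent_id in phys_index.items():
        name = names.get(int(ent_id), "entity %s" % ent_id)   # unnamed entity: keep the index
        result[name] = float(util[row])
    return result


def system_cpu_util(per_cpu):
    """Overall figure as the page describes it: average of the Switching and Routing CPUs.
    Falls back to all CPUs on a device that has no such entities (fixed-configuration switch)."""
    core = [v for n, v in per_cpu.items()
            if "Switching Processor" in n or "Routing Processor" in n]
    return mean(core or per_cpu.values())


def memory_util(mem_walk=MEM_WALK):
    """(used, total, util%) with used/free summed over every pool (processor and I/O)."""
    used = sum(int(v) for v in parse_walk(mem_walk, "9.9.48.1.1.1.5").values())
    free = sum(int(v) for v in parse_walk(mem_walk, "9.9.48.1.1.1.6").values())
    return used, used + free, round(100 * used / (used + free))


if __name__ == "__main__":
    cpus = per_cpu_util()
    for name, pct in cpus.items():
        print("%s -> %.0f%%" % (name, pct))
    print("system CPU util: %.0f%%" % system_cpu_util(cpus))
    print("memory used/total/util: %d / %d / %d%%" % memory_util())
```

Feeding the output of a real `snmpwalk -On`-free (symbolic) walk into the three constants is enough to cross-check a device whose PH_DEV_MON_SYS_CPU_UTIL value looks wrong: if `system_cpu_util` disagrees with the event, the usual cause is an entity whose name does not contain "Switching Processor" or "Routing Processor" and is therefore left out of the average.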

Cisco Meraki Cloud Controller and Network Devices
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored
Cisco Meraki devices are discoverable in either of the following ways:
- SNMP to the Cloud Controller
- SNMP to each Network Device
SNMP traps can be sent from the Cloud Controller. Cisco Meraki network devices can also send logs directly to FortiSIEM.

Protocol: SNMP (V1, V2c) to Cloud Controller or Devices
Information Discovered: Host name, Software version, Hardware model, Network interfaces
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: Syslog from Meraki Firewalls
Metrics collected: Firewall logs
Used for: Security Monitoring

Protocol: SNMP Traps from Cloud Controller
Metrics collected: Health
Used for: Availability Monitoring

Event Types
- Interface Utilization: PH_DEV_MON_NET_INTF_UTIL

Rules
Availability (from SNMP Trap)
- Meraki Device Cellular Connection Disconnected
- Meraki Device Down
- Meraki Device IP Conflict
- Meraki Device Interface Down
- Meraki Device Port Cable Error
- Meraki Device VPN Connectivity Down
- Meraki Foreign AP Detected
- Meraki New DHCP Server
- Meraki New Splash User
- Meraki No DHCP lease
- Meraki Rogue DHCP Server
- Meraki Unreachable Device
- Meraki Unreachable RADIUS Server
- Meraki VPN Failover
Performance (Fixed threshold)
- Network Intf Error Warning
- Network Intf Error Critical
- Network Intf Util Warning
- Network Intf Util Critical
Performance (Dynamic threshold based on baselines)
- Sudden Increase in Network Interface Traffic
- Sudden Increase in Network Interface Errors

Reports
None

Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.
Name: <set name>
Device Type: Cisco Meraki Cloud Controller
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Cisco NX-OS Router and Switch
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c, V3)
Information Discovered: Host name, NX-OS version, Hardware model, Memory size, Network interface details - name, address, mask and description
Metrics collected: Uptime, CPU and Memory utilization, Free processor and I/O memory, Free contiguous processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP (V1, V2c, V3)
Information Discovered: Hardware component details: serial number, model, manufacturer, software and firmware versions of hardware components such as chassis, CPU, fan, power supply, network cards etc.
Metrics collected: Hardware health: temperature, fan and power supply
Used for: Availability

Protocol: SNMP (V1, V2c, V3)
Information Discovered: Trunk port connectivity between switches and VLANs carried over a trunk port (via CDP MIB), ARP table
Used for: Topology and end-host location

Protocol: SNMP (V1, V2c, V3)
Information Discovered: BGP connectivity, neighbors, state, AS number
Metrics collected: BGP state change
Used for: Routing Topology, Availability Monitoring

Protocol: SNMP (V1, V2c, V3)
Information Discovered: OSPF connectivity, neighbors, state, OSPF Area
Metrics collected: OSPF state change
Used for: Routing Topology, Availability Monitoring

Protocol: SNMP (V1, V2c, V3)
Metrics collected: Class based QoS metrics. For each (router interface, policy, class map) tuple: class map metrics including pre-policy rate, post-policy rate, drop rate and drop pct; police action metrics including conform rate, exceeded rate and violated rate; queue metrics including current queue length, max queue length and discarded packets
Used for: QoS performance monitoring

Protocol: Telnet/SSH
Information Discovered: Running and startup configuration, Image file name, Flash memory size, Running processes
Metrics collected: Startup configuration change, delta between running and startup configuration, Running process CPU and memory utilization
Used for: Performance Monitoring, Security and Compliance

Protocol: Telnet/SSH
Information Discovered: End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association

Protocol: Syslog
Information Discovered: Device type
Metrics collected: System logs and traffic logs matching acl statements
Used for: Availability, Security and Compliance

Event Types
In ADMIN > Device Support > Event, search for "nx-os" in the Device Type column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.

Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Telnet/SSH
FortiSIEM uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH. These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device.
- show startup-config
- show running-config
- show version
- show flash
- show context
- show ip route
- show cam dynamic
- show mac-address-table
- show mac address-table (for Nexus 1000v)
- show vlan brief
- show process cpu
- show process mem
- show disk0
- enable
- terminal length 0
Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
- For Port, enter 514.
- Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
NetFlow
Enable NetFlow on the Router
1. Enter configuration mode.
2. Run this command:
feature netflow
Create a Flow Template and Define the Fields to Export
You can also use the pre-defined NetFlow record, netflow-original:
# show flow record netflow-original
Flow record netflow-original:
  Description: Traditional IPv4 input NetFlow with origin ASs
  No. of users: 1
  Template ID: 261
  Fields:
    match ipv4 source address
    match ipv4 destination address
    match ip protocol
    match ip tos
    match transport source-port
    match transport destination-port
    match interface input
    match interface output
    match flow direction
    collect routing source as
    collect routing destination as
    collect routing next-hop address ipv4
    collect transport tcp flags
    collect counter bytes
    collect counter packets
    collect timestamp sys-uptime first
    collect timestamp sys-uptime last
Set up the NetFlow Exporter
Run these commands. Replace <FortiSIEMIp> with the IP address of the FortiSIEM node that receives NetFlow; vlan613 is the example source interface whose address the exporter uses, and UDP 2055 is the port FortiSIEM listens on for NetFlow.
flow exporter FortiSIEMFlowAnalyzer
  description export netflow to FortiSIEM
  destination <FortiSIEMIp>
  version 9
  transport udp 2055
  source vlan613
Associate the Record to the Exporter Using a Flow Monitor
In this example the flow monitor is called FortiSIEMMonitoring. Run these commands:
flow monitor FortiSIEMMonitoring
  exporter FortiSIEMFlowAnalyzer
  record netflow-original
Apply the Flow Monitor to Every Interface
Run these commands on each interface whose traffic should be exported. The monitor name must be the one defined in the previous step:
interface Vlan612
  ip flow monitor FortiSIEMMonitoring input
  exit
interface Vlan613
  ip flow monitor FortiSIEMMonitoring input
  exit
You can now check the configuration using the show commands.

Settings for Access Credentials
For SNMP, Telnet, and SSH access credentials, see Access Credentials.

Cisco ONS
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Serial Number, software version, Hardware model, Network interfaces, Hardware Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP Trap
Metrics collected: Alerts
Used for: Availability and Performance Monitoring

Event Types
Over 1800 event types are defined. In ADMIN > Device Support > Event, search for "Cisco-ONS" to see them.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.

Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.
Name: <set name>
Device Type: Cisco ONS
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Cisco Viptela SDWAN Router
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Sample Events

What is Discovered and Monitored

Protocol: Syslog
Information Discovered: Host name and Device Type from LOG
Metrics/LOG collected: Over 290 log types
Used for: Security and Compliance

Event Types
In ADMIN > Device Support > Event, search for "VIPTELA" to see the event types associated with this device.
Rules
None
Reports
None

Configuration
Configure Cisco Viptela to send syslog in the supported format to FortiSIEM. No configuration is required in FortiSIEM.

Sample Events
<190>430: *Dec 9 05:41:47.025: %Cisco-SDWAN-Router-OMPD-6-INFO-400005: R0/0: OMPD: Number of vSmarts connected : 2
<187>154: *Aug 23 19:57:51.681: %Cisco-SDWAN-RP_0-OMPD-3-ERRO-400002: R0/0: OMPD: vSmart peer 1.1.1.5 state changed to Init

Dell Force10 Router and Switch
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Serial number, Software version, Hardware model, Network interfaces, Hardware Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), CPU utilization, Hardware Status
Used for: Availability and Performance Monitoring

Protocol: Telnet/SSH
Information Discovered: Running and Startup configurations
Metrics collected: Startup Configuration Change, Difference between Running and Startup configurations
Used for: Change monitoring

Event Types
In ADMIN > Device Support > Event, search for "force10" in the Description column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.

Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Telnet/SSH
FortiSIEM uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH. These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device. To initiate discovery and monitoring of your device over this protocol, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
- show startup-config
- show running-config
- show version
- show ip route
- enable
- terminal pager 0

Settings for Access Credentials

SNMP Access Credentials for All Devices
Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.
Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>

Telnet Access Credentials for All Devices
These are the generic settings for providing Telnet access to your device from FortiSIEM. Telnet carries the user name, password and the retrieved configuration in cleartext, so use the SSH settings below wherever the device supports SSH.
Name: Telnet-generic
Device Type: generic
Access Protocol: Telnet
Port: 23
User Name: A user who has permission to access the device over Telnet
Password: The password associated with the user

SSH Access Credentials for All Devices
These are the generic settings for providing SSH access to your device from FortiSIEM.
Name: ssh-generic
Device Type: Generic
Access Protocol: SSH
Port: 22
User Name: A user who has access credentials for your device over SSH
Password: The password for the user

Dell NSeries Switch
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, software version, Hardware model, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP (V1, V2c)
Metrics collected: Hardware Status (Power Supply, Fan)
Used for: Availability Monitoring

Protocol: SSH
Information Discovered: Configuration
Used for: Change management

Event Types
- CPU Monitoring: PH_DEV_MON_SYS_CPU_UTIL
- Memory Monitoring: PH_DEV_MON_SYS_MEM_UTIL
- Interface Utilization: PH_DEV_MON_NET_INTF_UTIL
- Hardware Status: PH_DEV_MON_HW_STATUS
- Configuration Change: PH_DEV_MON_CHANGE_STARTUP_CONFIG

Rules
Availability
- Network Device Degraded - Lossy Ping Response
- Network Device Down - no ping response
- Network Device Interface Flapping
- Critical Network Device Interface Staying Down
- Non-critical Network Device Interface Staying Down
- Network Device Hardware Warning
- Network Device Hardware Critical
Performance (Fixed threshold)
- Network CPU Warning
- Network CPU Critical
- Network Memory Warning
- Network Memory Critical
- Network Intf Error Warning
- Network Intf Error Critical
- Network Intf Util Warning
- Network Intf Util Critical
Performance (Dynamic threshold based on baselines)
- Sudden Increase In System CPU Usage
- Sudden Increase in System Memory Usage
- Sudden Increase in Network Interface Traffic
- Sudden Increase in Network Interface Errors
Change
- Startup Config Change

Reports
Availability
- Availability: Router/Switch Ping Monitor Statistics
Performance
- Performance: Top Routers Ranked By CPU Utilization
- Performance: Top Routers By Memory Utilization
- Performance: Top Router Network Intf By Util, Error, Discards
- Top Routers/Switches by Business Hours Network Ping Uptime Pct (Achieved Network Ping SLA)
- Top Routers/Switches by Business Hours System Uptime Pct (Achieved System SLA)
- Top Routers/Switches by Network Ping Uptime Pct (Achieved Network Ping SLA)
- Top Routers/Switches by System Uptime Pct (Achieved System SLA)
- Top Router Interfaces by Days-since-last-use
Change
- Change: Router Config Changes Detected Via Login

Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.
Name: <set name>
Device Type: Dell NSeries
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Dell PowerConnect Switch and Router
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Serial number, Software version, Hardware model, Network interfaces, Hardware Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), CPU utilization, Hardware Status
Used for: Availability and Performance Monitoring

Protocol: Telnet/SSH
Information Discovered: Running and Startup configurations
Metrics collected: Startup Configuration Change, Difference between Running and Startup configurations
Used for: Change monitoring

Event Types
There are no event types defined specifically for this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.

Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Telnet/SSH
FortiSIEM uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH. These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device. To initiate discovery and monitoring of your device over this protocol, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
- show startup-config
- show running-config
- show version
- show ip route
- enable
- terminal pager 0

Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.
Name: <set name>
Device Type: Dell PowerConnect
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Foundry Networks IronWare Router and Switch
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, IronWare version, Hardware model, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: Telnet/SSH
Information Discovered: Running and startup configuration
Metrics collected: Startup configuration change, delta between running and startup configuration
Used for: Performance Monitoring, Security and Compliance

Protocol: SNMP (V1, V2c)
Information Discovered: Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association
Used for: Topology and end-host location

Protocol: Syslog
Information Discovered: Device type
Metrics collected: System logs and traffic logs matching acl statements
Used for: Availability, Security and Compliance

Event Types
In ADMIN > Device Support > Event, search for "foundry_ironware" in the Description column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.

Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.
Name: <set name>
Device Type: Foundry Ironware
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Configuration
SNMP
1. Log in to the device manager for your switch or router with administrative privileges.
2. Enter configuration mode.
3. Run these commands to set the community string (read-only) and enable the SNMP service:
snmp-server community <community> RO
snmp-server enable vlan <vlan id>
4. Exit config mode.
5. Save the configuration.
Telnet/SSH
FortiSIEM uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH.
Syslog
1. Log in to the device manager for your switch or router with administrative privileges.
2. Enter configuration mode.
3. Run this command to set your FortiSIEM virtual appliance as the recipient of syslog from your router or switch:
logging host <FortiSIEM Ip>
4. Exit config mode.
5. Save the configuration.

Sample Parsed IronWare Syslog Messages
<14>SJ-Dev-A-Fdy-FastIron, running-config was changed from console
<14>SJ-Dev-A11-Fdy-FastIron, startup-config was changed from telnet client 192.168.20.18
<14>SJ-Dev-A-Fdy-FastIron, phoenix_agent login to USER EXEC mode
<14>SJ-Dev-A-Fdy-FastIron, Interface ethernet3, state up
<14>SJ-Dev-A-Fdy-FastIron, Interface ethernet 20/3, state up
<12>SJ-QA-A-Fdy-BigIron, list 100 permitted udp 173.9.142.98(ntp)(Ethernet 2/1 0004.23ce.ba11) -> 172.16.20.121(ntp), 1 event(s)
<14>SJ-Dev-A-Fdy-FastIron, Bridge root changed, vlan 3, new root ID 80000004806137c6, root interface 3
<14>SJ-QA-A-Fdy-BigIron, VLAN 4 Port 2/7 STP State -> DISABLED (PortDown)
Jun 4 15:51:18 172.16.20.99 Security: telnet logout by admin from src IP 137.146.28.75, src MAC 000c.dbff.6d00
Jun 4 15:51:12 172.16.20.100 System: Interface ethernet 4/9, state down
Jun 4 03:12:53 172.16.20.100 ACL: ACL: List GWI-in permitted tcp 61.158.162.230(6000) (Ethernet 1/4 0023.3368.f500) -> 137.146.0.0(8082), 1 event(s)
Jun 4 02:54:31 172.16.20.100 ACL: ACL: List XCORE denied udp 137.146.28.75(55603)(Ethernet 1/1 000c.dbde.6000) -> 137.146.3.35(snmp), 1 event(s)
Jun 4 01:49:09 172.16.20.100 STP: VLAN 3104 Port 4/22 STP State -> LEARNING (FwdDlyExpiry)
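The sample messages above come in two header styles (a raw PRI followed by the device name, or a timestamp followed by the sender address and a facility word), and the bodies that matter for security monitoring are the configuration-change notices, the ACL hits and the management-session events. The parser below, written as an added example for this guide and not FortiSIEM's own parser, turns the sample lines into structured events and derives two things a SOC would alert on from them: which configuration was changed from where, and which flows an ACL denied. The regular expressions, field names and event kinds are this example's own; the input lines are the ones printed on this page.

```python
"""Structured parsing of IronWare (FastIron/BigIron) syslog samples.

Added example for this guide; not FortiSIEM's parser. SAMPLES are the lines printed
on the page; the regexes, field names and "kind" labels are this example's own.
"""
import re

SAMPLES = [
    '<14>SJ-Dev-A-Fdy-FastIron, running-config was changed from console',
    '<14>SJ-Dev-A11-Fdy-FastIron, startup-config was changed from telnet client 192.168.20.18',
    '<14>SJ-Dev-A-Fdy-FastIron, phoenix_agent login to USER EXEC mode',
    '<12>SJ-QA-A-Fdy-BigIron, list 100 permitted udp 173.9.142.98(ntp)(Ethernet 2/1 0004.23ce.ba11) -> 172.16.20.121(ntp), 1 event(s)',
    'Jun 4 15:51:18 172.16.20.99 Security: telnet logout by admin from src IP 137.146.28.75, src MAC 000c.dbff.6d00',
    'Jun 4 15:51:12 172.16.20.100 System: Interface ethernet 4/9, state down',
    'Jun 4 03:12:53 172.16.20.100 ACL: ACL: List GWI-in permitted tcp 61.158.162.230(6000) (Ethernet 1/4 0023.3368.f500) -> 137.146.0.0(8082), 1 event(s)',
    'Jun 4 02:54:31 172.16.20.100 ACL: ACL: List XCORE denied udp 137.146.28.75(55603)(Ethernet 1/1 000c.dbde.6000) -> 137.146.3.35(snmp), 1 event(s)',
    'Jun 4 01:49:09 172.16.20.100 STP: VLAN 3104 Port 4/22 STP State -> LEARNING (FwdDlyExpiry)',
]

# Header style 1: "<PRI>hostname, body".  Header style 2: "Mon d hh:mm:ss sender Facility: body".
HDR_PRI = re.compile(r'^<(?P<pri>\d+)>(?P<reporter>[^,]+),\s*(?P<body>.*)$')
HDR_TS = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<reporter>\S+) (?P<facility>\w+): (?P<body>.*)$')

# Body patterns, tried in order; the first match decides the event kind.
BODY = [
    ("acl", re.compile(
        r'(?:ACL: )?[Ll]ist (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) '
        r'(?P<src>[\d.]+)\((?P<sport>\w+)\)\s*\((?P<iface>\S+ \S+) (?P<mac>[0-9a-f.]+)\) -> '
        r'(?P<dst>[\d.]+)\((?P<dport>\w+)\), (?P<count>\d+) event')),
    ("config_change", re.compile(r'(?P<config>running-config|startup-config) was changed from (?P<source>.+)$')),
    ("interface_state", re.compile(r'Interface (?P<iface>.+?), state (?P<state>up|down)$')),
    ("session", re.compile(r'(?P<proto>\w+) (?P<action>login|logout) by (?P<user>\S+) from src IP (?P<ip>[\d.]+)(?:, src MAC (?P<mac>\S+))?')),
    ("session", re.compile(r'^(?P<user>\S+) login to (?P<mode>.+)$')),
    ("stp", re.compile(r'VLAN (?P<vlan>\d+) Port (?P<port>\S+) STP State -> (?P<state>\w+)')),
]


def parse(line):
    """Return a dict of header fields plus 'kind' and the body's named groups, or None."""
    m = HDR_PRI.match(line) or HDR_TS.match(line)
    if not m:
        return None
    ev = {k: v for k, v in m.groupdict().items() if v is not None}
    if "pri" in ev:
        ev["severity"] = int(ev.pop("pri")) & 7      # RFC 3164: PRI = facility*8 + severity
    body = ev.pop("body")
    for kind, rx in BODY:
        b = rx.search(body)
        if b:
            ev["kind"] = kind
            ev.update({k: v for k, v in b.groupdict().items() if v is not None})
            return ev
    ev["kind"] = "other"
    ev["message"] = body
    return ev


def config_changes(lines):
    """Running/startup configuration changes with the source they came from."""
    return [e for e in map(parse, lines) if e and e["kind"] == "config_change"]


def acl_denies(lines):
    """Denied flows keyed by (src, dst, dport); counts are summed across repeated hits."""
    out = {}
    for e in map(parse, lines):
        if e and e["kind"] == "acl" and e["action"] == "denied":
            key = (e["src"], e["dst"], e["dport"])
            out[key] = out.get(key, 0) + int(e["count"])
    return out


if __name__ == "__main__":
    for change in config_changes(SAMPLES):
        print("%s: %s changed from %s" % (change["reporter"], change["config"], change["source"]))
    for (src, dst, dport), n in acl_denies(SAMPLES).items():
        print("denied %s -> %s/%s x%d" % (src, dst, dport, n))
```

The `startup-config was changed from telnet client 192.168.20.18` line is the one that maps to FortiSIEM's startup-config change rule; keeping the `source` field lets a rule distinguish a console change from one made over the network, and pairing it with the `session` events gives the operator who was logged in at the time.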

Settings for Access Credentials

SNMP Access Credentials for All Devices
Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.
Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>

Telnet Access Credentials for All Devices
These are the generic settings for providing Telnet access to your device from FortiSIEM.
Name: Telnet-generic
Device Type: generic
Access Protocol: Telnet
Port: 23
User Name: A user who has permission to access the device over Telnet
Password: The password associated with the user

SSH Access Credentials for All Devices
These are the generic settings for providing SSH access to your device from FortiSIEM.
Name: ssh-generic
Device Type: Generic
Access Protocol: SSH
Port: 22
User Name: A user who has access credentials for your device over SSH
Password: The password for the user

HP/3Com ComWare Switch
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, software version, Hardware model, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware status: Power Supply, Fan, Temperature
Used for: Availability and Performance Monitoring

Protocol: SNMP (V1, V2c, V3)
Metrics collected: Hardware status: Temperature
Used for: Availability

Protocol: Syslog
Metrics collected: System logs
Used for: Availability, Security and Compliance

Event Types
In ADMIN > Device Support > Event, search for "comware" in the Device Type column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.

Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
- For Port, enter 514.
- Make sure that the syslog format is the same as that shown in the example below.
Example Syslog for ComWare Switch Messages
%Apr 2 11:38:11:113 2010 H3C DEVD/3/BOARD REBOOT:Chasis 0 slot 2 need be rebooted automatically!
%Sep 22 20:38:32:947 2009 H3C DEVD/4/BRD MISPLUG: The board or subcard in slot 1 is not supported.
%Sep 22 20:38:32:947 2009 H3C DEVD/4/BRD MISPLUG: The board type of MR in 1 is different from the Mate MR's, so the MR can't work properly.
%Sep 22 20:38:32:947 2009 H3C DEVD/2/BRD TOO HOT:Temperature of the board is too high!
%Sep 22 20:38:32:947 2009 H3C DEVD/2/ FAN CHANGE: Chassis 1: Fan communication state changed: Fan 1 changed to fault.

Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.
Name: <set name>
Device Type: H3C Comware
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

HP ProCurve Switch
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, version, Hardware model, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware status: Power Supply, Fan, Temperature
Used for: Availability and Performance Monitoring

Protocol: Telnet/SSH
Information Discovered: Running and startup configuration
Metrics collected: Startup configuration change, delta between running and startup configuration
Used for: Performance Monitoring, Security and Compliance

Protocol: SNMP (V1, V2c)
Information Discovered: Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association
Used for: Topology and end-host location

Event Types
In ADMIN > Device Support > Event, search for "procurve" in the Device Type and Description columns to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.

Configuration
SNMP
1. Go to Configuration > SNMP Community > V1/V2 Community.
2. Enter a Community Name.
3. For MIB-View, select Operator.
4. For Write-Access, leave the selection cleared.
5. Click Add.
SSH/Telnet
1. Log into the device manager for your ProCurve switch.
2. Go to Security > Device Passwords.
3. Create a user and password for Read-Write Access. Although FortiSIEM does not modify any configurations for your switch, Read-Write Access is needed to read the device configuration.
4. Go to Security > Authorized Addresses and add the FortiSIEM IP to Telnet/SSH. This step is optional, but because the credential created in step 3 can change the switch configuration, limiting its use to the FortiSIEM address is recommended.

Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.
Name: <set name>
Device Type: HP ProCurve
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

HP Value Series (19xx) and HP 3Com (29xx) Switch
l What is Discovered and Monitored l Configuration l Settings for Access Credentials

What is Discovered and Monitored

Protocol SNMP (V1, V2c)
SSH

Information Discovered

Metrics collected

Host name, software version, Hardware model, Network interfaces,

Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)

Configuration

Used for
Availability and Performance Monitoring
Change management

Event Types
l CPU Monitoring: PH_DEV_MON_SYS_CPU_UTIL l Memory Monitoring: PH_DEV_MON_SYS_MEM_UTIL l Interface Utilization: PH_DEV_MON_NET_INTF_UTIL l Configuration Change: PH_DEV_MON_CHANGE_STARTUP_CONFIG
Rules
Availability
- Network Device Degraded - Lossy Ping Response
- Network Device Down - no ping response
- Network Device Interface Flapping
- Critical Network Device Interface Staying Down
- Non-critical Network Device Interface Staying Down
Performance (Fixed threshold)
- Network CPU Warning
- Network CPU Critical
- Network Memory Warning
- Network Memory Critical
- Network Intf Error Warning
- Network Intf Error Critical
- Network Intf Util Warning
- Network Intf Util Critical
Performance (Dynamic threshold based on baselines)
- Sudden Increase In System CPU Usage
- Sudden Increase in System Memory Usage
- Sudden Increase in Network Interface Traffic
- Sudden Increase in Network Interface Errors
Change
- Startup Config Change
Reports
Availability
- Availability: Router/Switch Ping Monitor Statistics
Performance
- Performance: Top Routers Ranked By CPU Utilization
- Performance: Top Routers By Memory Utilization
- Performance: Top Router Network Intf By Util, Error, Discards
- Top Routers/Switches by Business Hours Network Ping Uptime Pct (Achieved Network Ping SLA)
- Top Routers/Switches by Business Hours System Uptime Pct (Achieved System SLA)
- Top Routers/Switches by Network Ping Uptime Pct (Achieved Network Ping SLA)
- Top Routers/Switches by System Uptime Pct (Achieved System SLA)
- Top Router Interfaces by Days-since-last-use
Change
- Change: Router Config Changes Detected Via Login
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.


Name: <set name>
Device Type: HP VSeries
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Hirschmann SCADA Firewalls and Switches
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Sample Events

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host Name
Metrics/LOG collected: SNMP - Uptime, CPU, Memory, Interface utilization, hardware Status, OSPF metrics
Used for: Performance Monitoring

Event Types
The following event types are used for performance monitoring:
- PH_DEV_MON_SYS_UPTIME - Uptime monitoring
- PH_DEV_MON_SYS_CPU_UTIL - CPU utilization
- PH_DEV_MON_SYS_MEM_UTIL - Memory utilization
- PH_DEV_MON_NET_INTF_UTIL - Interface utilization
- PH_DEV_MON_HW_STATUS - Hardware status
Rules
All performance monitoring rules apply.
Reports
All performance monitoring reports apply.
Configuration
Configure Hirschmann Firewalls and Switches for SNMP V1/V2c/V3 discovery and performance monitoring. Define the basic SNMP credentials on FortiSIEM and discover these devices. See SNMP Access Credentials.
Sample Events
The events are standard for all devices.


Juniper Networks JunOS Switch
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, JunOS version, Hardware model, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware status: Power Supply, Fan, Temperature
Used for: Availability and Performance Monitoring

Protocol: Telnet/SSH
Information Discovered: Running and startup configuration
Metrics collected: Startup configuration change, delta between running and startup configuration
Used for: Performance Monitoring, Security and Compliance

Protocol: SNMP (V1, V2c, V3)
Information Discovered: Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association
Used for: Topology and end-host location

Protocol: Syslog
Metrics collected: System logs and traffic logs matching acl statements
Used for: Availability, Security and Compliance

Protocol: sflow
Metrics collected: Traffic flow
Used for: Availability, Security and Compliance

Event Types
In ADMIN > Device Support > Event, search for "junos" in the Device Type column to see the event types associated with this device.

Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
SNMP
1. Log in to the device manager for your JunOS switch with administrator privileges.
2. Go to Configure > Services > SNMP.
3. Under Communities, click Add.
4. Enter a Community Name.
5. Set Authorization to read-only.
6. Click OK.
Syslog
1. Log in to the device manager for your JunOS switch with administrator privileges.
2. Go to Dashboard > CLI Tools > CLI Editor.
3. Edit the syslog section to send syslog to FortiSIEM. JunOS syslog configuration:

   system {
       ....
       syslog {
           user * {
               any emergency;
           }
           host <FortiSIEM Ip> {
               any any;
               explicit-priority;
           }
           file messages {
               any notice;
               authorization info;
           }
           file interactive-commands {
               interactive-commands any;
           }
           time-format year millisecond;
       }
       ....
   }

4. Click Commit.
Sample JunOS Syslog Messages
<190>May 11 13:54:10 20.20.20.20 mgd[5518]: UI_LOGIN_EVENT: User 'phoenix_agent' login, class 'j-super-user' [5518], ssh-connection '192.168.28.21 39109 172.16.5.64 22', client-mode 'cli'
<38>Nov 18 17:50:46 login: %AUTH-6-LOGIN_INFORMATION: User phoenix_agent logged in from host 192.168.20.116 on device ttyp0

sFlow
Routing the sFlow Datagram in EX Series Switches
According to Juniper documentation, the sFlow datagram cannot be routed over the management Ethernet interface (me0) or virtual management interface (vme0) in an EX Series switch implementation. It can only be exported over the network Gigabit Ethernet or 10-Gigabit Ethernet ports using valid route information in the routing table.
1. Log in to the device manager for your JunOS switch with administrator privileges.
2. Go to Configure > CLI Tools > Point and Click CLI.
3. Expand Protocols and select sflow.
4. Next to Collector, click Add new entry.
5. Enter the IP address for your FortiSIEM virtual appliance.
6. For UDP Port, enter 6343.
7. Click Commit.
8. Next to Interfaces, click Add new entry.
9. Enter the Interface Name for all interfaces that will send traffic over sFlow.
10. Click Commit.
11. To disable the management port, go to Configure > Management Access, and remove the address of the management port. You can also disconnect the cable.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Juniper JunOS
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


MikroTik Router
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, software version, Hardware model, Network interfaces
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Event Types
There are no event types defined specifically for this device.

Rules
There are no predefined rules for this device.

Reports
There are no predefined reports for this device.

Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: MikroTik RouterOS
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Nortel ERS and Passport Switch
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, software version, Hardware model, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths); Hardware status: Temperature
Used for: Availability and Performance Monitoring

Protocol: SNMP (V1, V2c, V3)
Information Discovered: Layer 2 port mapping: associating switch ports to directly connected host IP/MAC addresses
Used for: Identity and location table; Topology

Event Types
There are no event types defined specifically for this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.


Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Nortel ERS / Nortel Passport
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Security Gateways
FortiSIEM supports these security gateways for discovery and monitoring.
- Barracuda Networks Spam Firewall
- Blue Coat Web Proxy
- Cisco IronPort Mail Gateway
- Cisco IronPort Web Gateway
- Fortinet FortiMail
- Fortinet FortiWeb
- Imperva Securesphere DB Monitoring Gateway
- Imperva Securesphere DB Security Gateway
- McAfee Vormetric Data Security Manager
- McAfee Web Gateway
- Microsoft ISA Server
- Squid Web Proxy
- SSH Comm Security CryptoAuditor
- Websense Web Filter


Barracuda Networks Spam Firewall
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, Interfaces, Serial number
Metrics collected: CPU utilization, Memory utilization, Interface Utilization
Used for: Performance Monitoring

Protocol: Syslog
Metrics collected: Various syslog scenarios, including: mail scanned and allowed/denied/quarantined, etc.; mail sent and rejected/delivered/deferred/expired; mail received and allowed/aborted/blocked/quarantined, etc.
Used for: Security Monitoring and compliance

Event Types
In ADMIN > Device Support > Event, search for "barracuda" in the Device Type column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.


Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
- For Port, enter 514.
- Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Sample Parsed Barracuda Spam Firewall Syslog Message
<23>inbound/pass1[923]: 127.0.0.1 1300386119-473aa6a90001-sB89EM 0 0 RECV - 1 4D760309475 250 2.6.0 <E6BB7C56C6761D42AEAFBF7FC6E17E920156A38D@USNSSEXC174.us.kworld.kpmg.com> Queued mail for delivery
<23>scan[9390]: mail.netcontentinc.net[207.65.119.227] 1300386126-4739a8be0001-R6OEVB 1300386126 1300386128 SCAN - release@calcium.netcontentinc.net kmcgilvrey@qinprop.com - 7 61 - SZ:34602 SUBJ:How FMLA Leave, ADA and Workers' Compensation Work Together April 28, 2011

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Barracuda Spam Firewall
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Blue Coat Web Proxy
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, Interfaces, Serial number
Metrics collected: CPU utilization, Memory utilization
Used for: Performance Monitoring

Protocol: SNMP
Metrics collected: Proxy performance: Proxy cache object count; Proxy-to-server metrics: HTTP errors, HTTP requests, HTTP traffic (KBps); Server-to-proxy metrics: HTTP traffic (KBps); Client-to-proxy metrics: HTTP requests, HTTP Cache hit, HTTP errors, HTTP traffic (KBps); Proxy-to-client metrics: HTTP traffic (KBytes)
Used for: Performance Monitoring

Protocol: SFTP
Metrics collected: Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration
Used for: Security Monitoring and compliance

Protocol: Syslog
Metrics collected: Admin authentication success and failure
Used for: Security Monitoring and compliance

Event Types
In ADMIN > Device Support > Event, search for "blue coat" in the Device Type and Description column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.


Configuration

SNMP
The following procedures enable FortiSIEM to discover Bluecoat web proxy.
1. Log in to your Blue Coat management console.
2. Go to Maintenance > SNMP.
3. Under SNMP General, select Enable SNMP.
4. Under Community Strings, click Change Read Community, and then enter a community string that FortiSIEM can use to access your device.
5. Click OK.

Syslog
Syslog is used by Blue Coat to send audit logs to FortiSIEM.
1. Log in to your Blue Coat management console.
2. Go to Maintenance > Event Logging.
3. Under Level, select Severe Errors, Configuration Events, Policy Messages, and Informational.
4. Under Syslog, enter the IP address of your FortiSIEM virtual appliance for Loghost.
5. Select Enable syslog.
6. Click Apply.

Sample Parsed Blue Coat Audit Syslog

<2> Sep 14 19:24:39 ao BluecoatAuthWebLog 0 2010-09-14 14:31:13 36 34.159.60.56 hz13321 - - OBSERVED "Audio/Video Clips" - 200 TCP_NC_MISS POST application/x-fcs http 213.200.94.86 80 /idle/WdPmdz02xSLO2sHS/25136 - - "Shockwave Flash" 34.160.179.201 1087 217 -

SFTP
SFTP is used to send access logs to FortiSIEM. Access logs include the traffic that Blue Coat proxies between the client and the server. The access logs are sent via FTP, where Blue Coat is the client and FortiSIEM is the server. You must configure SFTP in FortiSIEM first, and then on your Blue Coat web proxy server.

Configure FTP in FortiSIEM
1. Log in to your Supervisor node as root.
2. Change directory to /opt/phoenix/bin.
3. Run the ./phCreateBluecoatDestDir command to create an FTP user account. The files sent from Blue Coat will be temporarily stored in this account. The script will create a user called ftpuser. If this user already exists, you do not need to create a new one. The script will ask for the IP address of Blue Coat and the password for the user ftpuser, and will then create the directory /opt/phoenix/cache/bluecoat/<Bluecoat IP>.
4. Run vi /etc/passwd to change the home directory for ftpuser to /opt/phoenix/cache/bluecoat. Change only the home directory; do not change any other value.


Configure an Epilog client in FortiSIEM
The Epilog client converts each line of the log files in the /opt/phoenix/cache/bluecoat/<Bluecoat IP> directory in real time into a syslog, and sends it to the FortiSIEM parser for processing.
1. Log in to your Supervisor or the Collector node as root.
2. Update the Epilog configuration in /etc/snare/epilog/epilog.conf as shown in this code block, and then restart the epilog daemon with the /etc/init.d/epilogd restart command.

   Output
   network=localhost:514
   syslog=2
   Input
   log=BluecoatWebLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_main.log
   log=BluecoatImLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_im.log
   log=BluecoatImLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_ssl.log
   log=BluecoatP2pLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_p2p.log

Configure FTP in Blue Coat

1. Log in to your Blue Coat management console.
2. Go to Management Console > Configuration > Access Logging > General.
3. Select Enable Access Logging.
4. In the left-hand navigation, select Logs.
5. Under Upload Client, configure these settings.

Log: main
Client Type: FTP Client
Encryption Certificate: No Encryption
Keyring Signing: No Signing
Save the log file as: text file
Send partial buffer after: 1 seconds
Bandwidth Class: <none>

6. Next to Client Type, click Settings.


7. Configure these settings.

Settings for: Primary FTP Server
Host: IP address of your FortiSIEM virtual appliance
Port: 514
Path: /<Blue Coat IP Address>
Username: ftpuser
Change Primary Password: Use the password you created for ftpuser in FortiSIEM
Filename: SG_FortiSIEM_bluecoat_main.log

8. Clear the selections Use Secure Connections (SSL) and Use Local Time.
9. Select Use Pasv.
10. Click OK.
11. Follow this same process to configure the settings for im, ssl and p2p. For each of these, you will refer to a different Filename.
- For im the file name is SG_FortiSIEM_bluecoat_im.log
- For ssl the file name is SG_FortiSIEM_bluecoat_ssl.log
- For p2p the file name is SG_FortiSIEM_bluecoat_p2p.log

Sample Parsed Blue Coat Access Syslog

<2> Jun 25 11:15:33 SJ-QA-W-FDR-Test-01.prospect-hills.net BluecoatWebLog 0 2010-06-25 18:13:34 2021 192.168.22.21 200 TCP_TUNNELED 820 1075 CONNECT tcp accelops.webex.com 443 / - - - NONE 172.16.0.141 - - "WebEx Outlook Integration Http Agent" PROXIED "none" - 25.24.23.22

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Blue Coat CacheOS
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Cisco IronPort Mail Gateway
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Metrics collected: Ping Status, SNMP Ping Stat, Uptime, CPU Util, Mem Util, Net Intf Stat, Hardware Status

Protocol: Syslog
Metrics collected: Mail attributes: attributes include MID, ICID, DCID, Sender address, Receiver Address, Mail Subject, Sent Bytes, Attachment, Spam indicator, Virus indicator, Quarantine indicator, SMTP delivery failures and failure codes, mail action - pass, block, clean.
Used for: Security Monitoring and compliance

Event Types
In ADMIN > Device Support > Event, search for "ironport-mail" in the Display Name column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
In RESOURCE > Reports, search for "ironport mail" in the Name and Description columns to see the reports for this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Syslog
1. Log in to your Ironport Mail Gateway device manager with administrator privileges.
2. Edit the Log Subscription settings.
3. For Log Name, enter IronPort-Mail. This identifies the log to FortiSIEM as originating from an Ironport mail gateway device.
4. For Retrieval Method, select Syslog Push.
5. For Hostname, enter the IP address of your FortiSIEM virtual appliance.
6. For Protocol, select UDP.
Sample Parsed Ironport Mail Gateway Syslog
Tue Sep 24 11:39:49 2012 IronPort-Mail: Info: MID 200257071 ready 24663 bytes from <someone@foo.com>
Sep 24 11:39:49 18.0.19.8 IronPort-Mail: Info: MID 1347076 ICID 346818 From: <john.doe@abc.com>
Tue Sep 24 11:39:49 2012 IronPort-Mail: Info: Message aborted MID 200257071 Dropped by antivirus
Tue Sep 24 11:39:49 2012 IronPort-Mail: Info: Delayed: DCID 5 MID 200257071 to RID 0 - 4.1.0 - Unknown address error ('466', ['Mailbox temporarily full.'])[]

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Cisco IronPort AsyncOS Mail
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Cisco IronPort Web Gateway
- What is Discovered and Monitored
- Configuration
What is Discovered and Monitored

Protocol: Syslog
Metrics collected: Squid style web logs: attributes include Source IP Address, Destination Host name, Sent Bytes, Received Bytes, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, URL, HTTP Content type, Web Category, HTTP Proxy Action
Used for: Security Monitoring and compliance

Event Types
In ADMIN > Device Support > Event, search for "ironport-web" in the Display Name column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
Syslog
1. Log in to your Ironport gateway device manager with administrator privileges.
2. Edit the settings for Log Subscription.

Log Type: Access Logs
Log Name: IronPort-Web (this identifies the log to FortiSIEM as originating from an IronPort web gateway device)
Log Style: Squid
Custom Fields: %L %B %u
Enable Log Compression: Clear the selection
Retrieval Method: Syslog Push
Hostname: The IP address of your FortiSIEM virtual appliance
Protocol: UDP

Sample Parsed Ironport Web Gateway Syslog
<134>Oct 09 09:19:25 IronPort-Web: Info: 1349795965.314 92 10.163.154.153 TCP_CLIENT_REFRESH_MISS/200 70798 GET http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Kaspersky/Package/1210090007/bases/base1b1d.kdc.cab - DIRECT/forefrontdl.microsoft.com application/octet-stream ALLOW_CUSTOMCAT_11-UnAuthenticated_Applications-APU_No_Auth-NONE-NONE-NONE-DefaultGroup <J_Doe,6.9,-,""-"",-,-,-,-,""-"",-,-,-,""-"",-,-,""-"",""-"",-,-,IW_swup,-,""-"","""",""Unknown"",""Unknown"",""-"",""-"",6156.35,0,-,""-"",""-""> - ""09/Oct/2012:09:19:25 0600"" 71052 ""V3S;{6ADC64A3-11F9-4B04-8257-BEB541BE2975};""

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Cisco IronPort AsyncOS Web
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Fortinet FortiMail
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: Syslog
Metrics Collected: System events (e.g. configuration changes), System up/down/restart events, Performance issues, Admin logon events, malware attachments
Used For: Security Monitoring and compliance

Event Types
In ADMIN > Device Support > Event, search for "fortimail" to see the event types associated with this device.
Rules
In RESOURCE > Rules, search for "fortimail" to see the rules associated with this device. For generic availability rules, see RESOURCE > Rules > Availability > Network. For generic performance rules, see RESOURCE > Rules > Performance > Network.
Reports
In RESOURCE > Reports, search for "fortimail" to see the reports associated with this device.
Configuration
Syslog
Configure the FortiMail appliance to send logs to FortiSIEM. Make sure the format matches. In the FortiMail GUI, go to Log & Report > Log Settings > Remote (tab) > New. Suggested logging configuration:


Name: Define a name for the configuration.
Server name/IP: Enter the resolvable DNS name or IP of the FortiSIEM appliance where logs will be sent.
Server port: 514
Mode: UDP
Level: Information
Facility: kern
CSV format: leave disabled
Matched session only: leave disabled


Sample Parsed FortiMail Syslog:
date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=event subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success reason=none msg="User admin login successfully from GUI(172.20.120.26)"
date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0200001075 type=statistics pri=information session_id="q6GJMuPu003642-q6GJMuPv003642" client_name="[172.20.140.94]" dst_ip="172.20.140.92" endpoint="" from="user@external.lab" to="user5@external.lab" subject="" mailer="mta" resolved="OK" direction="in" virus="" disposition="Reject" classifier="Recipient Verification" message_length="188"

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Fortinet FortiMail
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Fortinet FortiWeb
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Settings for Access Credentials
What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host Name, Vendor, Model, Version, Hardware Model, hardware
Metrics Collected: CPU, memory, Disk, Interface, Uptime
Used For: Performance monitoring

Protocol: Syslog
Metrics Collected: System events (e.g. configuration changes), System up/down/restart events, Performance issues, Admin logon events, Security exploits
Used For: Security Monitoring and compliance

Supported Syslog format
Currently FortiSIEM supports FortiWeb native logging format and not CEF format.

Event Types
In ADMIN > Device Support > Event, search for "fortiweb" to see the event types associated with this device.

Rules
In RESOURCE > Rules, search for "fortiweb" to see the rules associated with this device. For generic availability rules, see RESOURCE > Rules > Availability > Network. For generic performance rules, see RESOURCE > Rules > Performance > Network.

Reports
In RESOURCE > Reports, search for "fortiweb" to see the reports associated with this device.


Configuration
Syslog
Configure the FortiWeb appliance to send logs to FortiSIEM. Make sure the format matches.
Sample FortiWeb Syslog:
date=2016-02-18 time=10:00:05 log_id=00001002 msg_id=000067508821 device_id=FV400D3A15000010 vd="root" timezone="(GMT+3:00)Baghdad" type=event subtype="admin" pri=information trigger_policy="" user=admin ui=GUI action=edit status=success msg="User admin changed global from GUI(172.22.6.66)
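The FortiMail and FortiWeb samples above share Fortinet's native key=value syslog body. The parser below is an added example, not FortiSIEM's own parser; it splits records that arrive concatenated on one line (as in the FortiMail sample), handles quoted values containing spaces, empty values such as subject="", and a quoted msg value cut off before its closing quote (as in the FortiWeb sample). The record constants are constructed from this page's samples.

```python
"""Fortinet native key=value syslog parser (FortiMail / FortiWeb).

Added example, not FortiSIEM's own parser. Values may be bare (ui=GUI),
double-quoted with spaces inside (msg="..."), empty (subject=""), or cut
off before the closing quote when a record is truncated in transit.
"""
import re

_KEY = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)=')
# A record starts with date=YYYY-MM-DD time=HH:MM:SS at the start of the text
# or after whitespace; used to split several records that arrived on one line.
_RECORD_START = re.compile(r'(?<!\S)date=\d{4}-\d{2}-\d{2} time=\d{2}:\d{2}:\d{2}')

# Constructed from the FortiMail samples on this page (two records on one line,
# some statistics fields dropped for brevity).
SAMPLE_FORTIMAIL = (
    'date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 '
    'type=event subtype=admin pri=information user=admin ui=GUI(172.20.120.26) '
    'action=login status=success reason=none '
    'msg="User admin login successfully from GUI(172.20.120.26)" '
    'date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0200001075 '
    'type=statistics pri=information from="user@external.lab" '
    'to="user5@external.lab" subject="" mailer="mta" disposition="Reject" '
    'classifier="Recipient Verification" message_length="188"'
)
# Constructed from the FortiWeb sample on this page; its msg value never closes.
SAMPLE_FORTIWEB_TRUNCATED = (
    'date=2016-02-18 time=10:00:05 log_id=00001002 device_id=FV400D3A15000010 '
    'vd="root" timezone="(GMT+3:00)Baghdad" type=event subtype="admin" '
    'pri=information trigger_policy="" user=admin ui=GUI action=edit '
    'status=success msg="User admin changed global from GUI(172.22.6.66)'
)


def split_records(text):
    """Split text holding one or more Fortinet records into a list of records."""
    starts = [m.start() for m in _RECORD_START.finditer(text)]
    if not starts:
        return [text.strip()] if text.strip() else []
    bounds = starts + [len(text)]
    return [text[a:b].strip() for a, b in zip(bounds, bounds[1:])]


def parse_record(record):
    """Parse one record into (fields, complete).

    fields maps key -> value with quotes stripped and backslash escapes decoded.
    complete is False when a quoted value was never closed; the remainder of
    the record is then kept as that field's value rather than being dropped.
    """
    fields, complete = {}, True
    i, n = 0, len(record)
    while i < n:
        if record[i].isspace():
            i += 1
            continue
        m = _KEY.match(record, i)
        if m is None:
            # stray text that is not key=...: skip to the next whitespace
            while i < n and not record[i].isspace():
                i += 1
            continue
        key, i = m.group(1), m.end()
        if i < n and record[i] == '"':
            # quoted value: scan to the closing quote, honouring \" and \\
            j, buf, closed = i + 1, [], False
            while j < n:
                c = record[j]
                if c == '\\' and j + 1 < n:
                    buf.append(record[j + 1])
                    j += 2
                elif c == '"':
                    closed, j = True, j + 1
                    break
                else:
                    buf.append(c)
                    j += 1
            if not closed:
                complete = False
            fields[key], i = ''.join(buf), j
        else:
            # bare value runs to the next whitespace (and may be empty)
            j = i
            while j < n and not record[j].isspace():
                j += 1
            fields[key], i = record[i:j], j
    return fields, complete


def admin_events(text):
    """Return (user, ui, action, status, complete) for each admin event record."""
    out = []
    for rec in split_records(text):
        f, complete = parse_record(rec)
        if f.get('type') == 'event' and f.get('subtype') == 'admin':
            out.append((f.get('user'), f.get('ui'), f.get('action'),
                        f.get('status'), complete))
    return out
```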

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Fortinet FortiWeb
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Imperva Securesphere DB Monitoring Gateway

Configuration in FortiSIEM
Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box:

Name: <set name>
Device Type: Imperva Securesphere DB Monitoring Gateway
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration
User Name: A user who has access credentials for the device
Password: The password for the user
Super Password: Password for Super

3. In Step 2, Enter IP Range to Credential Associations:
   a. Select the name of your credential from the Credentials drop-down list.
   b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
   c. Click Save.
4. Click Test to test the connection to Imperva Securesphere DB Monitoring Gateway.
5. To see the jobs associated with Imperva, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter Imperva in the search box.

Imperva Securesphere DB Security Gateway

What is Discovered and Monitored
The ImpervaParser parser collects syslog log events in CEF format.

Configuration
Setup in FortiSIEM
Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box:

Name: <set name>
Device Type: Imperva Securesphere DB Security Gateway
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration
User Name: A user who has access credentials for the device
Password: The password for the user
Super Password: Password for Super

3. In Step 2, Enter IP Range to Credential Associations:
   a. Select the name of your credential from the Credentials drop-down list.
   b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
   c. Click Save.
4. Click Test to test the connection to Imperva Securesphere DB Security Gateway.
5. To see the jobs associated with Imperva, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter Imperva in the search box.

Sample Events
<14>CEF:0|Imperva Inc.|SecureSphere|11.5.0.20_0|Audit|Audit|Informative|dst=10.2.6.194 dpt=3306 duser=wf_settlement src=10.2.6.48 spt=59876 proto=TCP rt=11 April 2016 14:07:09 cat=Audit Default Rule - All cs2Label=ServerGroup cs3=ProcessMakerDBFX cs3Label=ServiceName cs4=Default MySql Application cs4Label=ApplicationName cs5=642697783064 cs5Label=EventId cs6=Query cs6Label=EventType cs7=Default MySql group cs7Label=UserGroup cs8=True cs8Label=UserAuthenticated cs9= cs9Label=ApplicationUser cs10= cs10Label=SourceApplication cs11= cs11Label=OSUser cs12= cs12Label=HostName cs13=wf_settlement cs13Label=Database cs14= cs14Label=Schema cs15=SELECT COUNT(APP_CACHE_VIEW.APP_UID) FROM APP_CACHE_VIEW LEFT JOIN USERS CU ON (APP_CACHE_VIEW.USR_UID=CU.USR_UID) LEFT JOIN USERS PU ON (APP_CACHE_VIEW.PREVIOUS_USR_UID=PU.USR_UID) LEFT JOIN APP_CACHE_VIEW APPCVCR ON (APP_CACHE_VIEW.APP_UID=APPCVCR.APP_UID AND APPCVCR.DEL_LAST_INDEX=1) LEFT JOIN USERS USRCR ON (APPCVCR.USR_UID=USRCR.USR_UID) WHERE APP_CACHE_VIEW.APP_STATUS='TO_DO' AND APP_CACHE_VIEW.USR_UID='2800810224bbdfe1cc8bb02024369548' AND APP_CACHE_VIEW.DEL_FINISH_DATE IS NULL AND APP_CACHE_VIEW.APP_THREAD_STATUS='OPEN' AND APP_CACHE_VIEW.DEL_THREAD_STATUS='OPEN' cs15Label=RawQuery cs16=select count(app_cache_view.app_uid) from app_cache_view left join users cu on (app_cache_view.usr_uid=cu.usr_uid) left join users pu on (app_cache_view.previous_usr_uid=pu.usr_uid) left join app_cache_view appcvcr on (app_cache_view.app_uid=appcvcr.app_uid and appcvcr.del_last_index=?) left join users usrcr on (appcvcr.usr_uid=usrcr.usr_uid) where app_cache_view.app_status=? and app_cache_view.usr_uid=? and app_cache_view.del_finish_date is ? and app_cache_view.app_thread_status=? and app_cache_view.del_thread_status=? cs16Label=ParsedQuery cs17= cs17Label=BindVariables cs18= cs18Label=SQLError cs19=1 cs19Label=ResponseSize cs20=0 cs20Label=ResponseTime cs21=0 cs21Label=AffectedRows


McAfee Vormetric Data Security Manager
• What is Discovered and Monitored
• Event Types
• Rules
• Reports
• Configuration

What is Discovered and Monitored

Protocol: Syslog (CEF format)
  Information Discovered: -
  Data Collected: 1 event type
  Used for: Security and Compliance

Event Types
In RESOURCE > Event Types, search for "Vormetric-".
Sample Event Type:
<14> 2013-06-29T18:44:42.420Z 10.10.10.1 CEF:0|Vormetric, Inc.|dsm|5.2.0.1|DAO0048I|update host|3|cs4Label=logger cs4=DAO spid=4322 rt=1388986263954 dvchost=example.com suser=USER_1 shost=test_cpu
Rules
There are no specific rules but generic rules for Security Manager and Generic Servers apply.
Reports
There are no specific reports but generic reports for Security Manager and Generic Servers apply.
Configuration
Configure Vormetric Data Security Manager to send syslog in CEF format on port 514 to FortiSIEM.


McAfee Web Gateway
• What is Discovered and Monitored
• Configuration

What is Discovered and Monitored

Protocol: Syslog
  Information discovered: -
  Metrics collected: Parsed event attributes include Source IP, Destination URL, HTTP Method, HTTP User Agent, HTTP Status Code, HTTP Content Type, Blocked Reason, Risk
  Used for: Security Monitoring and compliance

Event Types
In ADMIN > Device Support > Event, search for "mcafee_web" in the Device Type column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
• For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
• For Port, enter 514.
• Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the examples.
Sample Parsed McAfee Web Gateway Syslog Messages
[21/Feb/2012:11:44:19 -0500] """""""""""" ""10.200.11.170 200 """"GET http://abc.com/ HTTP/1.1"""" """"General News"""" """"Minimal Risk"""" """"text/html"""" 101527 """""""" """""""" """"0""""""
[30/May/2012:10:39:44 -0400] "" 10.19.2.63 200 "GEThttp://abc.com/html.ng/site=cnn&cnn_pagetype=main&cnn_position=126x31_spon2&cnn_ rollup=homepage&page.allowcompete=no&params.styles=fs&Params.User.UserID=4fc6251c068c9f0aa51 475025d0040b8&transactionID=7179860628805012&tile=4893878838331&domId=135492 HTTP/1.1" "Web Ads, Forum/Bulletin Boards" "MinimalRisk" "text/html" 1 "" "" "0"

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting            Value
Name               <set name>
Device Type        McAfee WebGateway
Access Protocol    See Access Credentials
Port               See Access Credentials
Password config    See Password Configuration


Microsoft ISA Server
• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Application type
  Metrics collected: Process level metrics: CPU utilization, memory utilization
  Used for: Performance Monitoring

Protocol: WMI
  Information discovered: Application type, service mappings
  Metrics collected: Process level metrics: uptime, CPU utilization, memory utilization, Read I/O, Write I/O
  Used for: Performance Monitoring

Protocol: Syslog (via SNARE)
  Information discovered: Application type
  Metrics collected: W3C proxy logs: attributes include Service Instance, Source IP, User, Destination IP, Destination Port, Sent Bytes, Received Bytes, Connection Duration, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, URL, Source interface, Destination interface, Proxy action
  Used for: Security Monitoring and compliance

Event Types
In ADMIN > Device Support > Event, search for "isa server" in the Device Type and Description columns to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
SNMP
Enabling SNMP on Windows Server 2003
SNMP is typically enabled by default on Windows Server 2003, but you must still add FortiSIEM to the hosts that are authorized to accept SNMP packets. First you must make sure that the SNMP Management tool has been enabled for your device.
1. In the Start menu, go to Administrative Tools > Services.
2. Go to Control Panel > Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. Select Management and Monitoring Tools and click Details. Make sure that Simple Network Management Tool is selected. If it isn't selected, select it, and then click Next to install.
5. Go to Start > Administrative Tools > Services.
6. Select and open SNMP Service.
7. Click the Security tab.
8. Select Send authentication trap.
9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
10. Select Accept SNMP packets from these hosts.
11. Click Add.
12. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
13. Click Add.
14. Click Apply.
15. Under SNMP Service, click Restart service.
Enabling SNMP on Windows 7 or Windows Server 2008 R2
SNMP is typically enabled by default on Windows Server 2008, but you must still add FortiSIEM to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.
1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
2. In the Start menu, select Control Panel.
3. Under Programs, click Turn Windows features on/off.
4. Under Features, see if SNMP Services is installed. If not, click Add Feature, then select SNMP Service and click Next to install the service.
5. In the Server Manager window, go to Services > SNMP Services.
6. Select and open SNMP Service.
7. Click the Security tab.
8. Select Send authentication trap.
9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
10. Select Accept SNMP packets from these hosts.
11. Click Add.
12. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
13. Click Add.
14. Click Apply.
15. Under SNMP Service, click Restart service.
WMI
Configuring WMI on your device so FortiSIEM can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

• Creating a Generic User Who Does Not Belong to the Local Administrator Group
• Creating a User Who Belongs to the Domain Administrator Group
Creating a Generic User Who Does Not Belong to the Local Administrator Group
Log in to the machine you want to monitor with an administrator account.
Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group
1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
2. Right-click Users and select Add User.
3. Create a user.
4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
5. In the Distributed COM Users Properties dialog, click Add.
6. Find the user you created, and then click OK. This is the account you must use to set up the Performance Monitor Users group permissions.
7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
8. Repeat steps 4 through 7 for the Performance Monitor Users group.
Enable DCOM Permissions for the Monitoring Account
1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
5. Click OK.
6. Under Access Permissions, click Edit Default.
7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed.
8. Click OK.
9. Under Launch and Activation Permissions, click Edit Limits.
10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. Click OK.
12. Under Launch and Activation Permissions, click Edit Defaults.
13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.
Creating a User Who Belongs to the Domain Administrator Group
Log in to the Domain Controller with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Domain Administrators Group
1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select Add User.
3. Create a user for the @accelops.com domain. For example, YJTEST@accelops.com.
4. Go to Groups, right-click Administrators, and then click Add to Group.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. For Enter the object names to select, enter the user you created in step 3.
7. Click OK to close the Domain Admins Properties dialog.
8. Click OK.
Enable the Monitoring Account to Access the Monitored Device
Log in to the machine you want to monitor with an administrator account.
Enable DCOM Permissions for the Monitoring Account
1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
5. Click OK.
6. In the COM Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
8. Click OK.
9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
Enable Account Privileges in WMI
The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.
1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security tab.
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart.
Allow WMI to Connect Through the Windows Firewall (Windows 2003)
1. In the Start menu, select Run.
2. Run gpedit.msc.
3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
5. Select Windows Firewall: Allow remote administration exception.
6. Run cmd.exe and enter these commands:
netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP
7. Restart the server.
Allow WMI through Windows Firewall (Windows Server 2008, 2012)
1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and then click OK.
You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Syslog
Use the Windows Agent Installation Guide to configure sending syslog from your device to FortiSIEM.
Sample Microsoft ISA Server Syslog
<13>Mar 6 20:56:03 ISA.test.local ISAWebLog 0 192.168.69.9 anonymous Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 Y 2011-03-05 21:33:55 w3proxy ISA - 212.58.246.82 212.58.246.82 80 156 636 634 http TCP GET http://212.58.246.82/rss/newsonline_uk_edition/front_page/rss.xml text/html; charset=iso-8859-1 Inet 301 0x41200100 Local Machine Req ID: 07c10445; Compression: client=No, server=No, compress rate=0% decompress rate=0% Local Host External 0x400 Allowed 2011-03-05 21:33:55 -


Settings for Access Credentials

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting            Value
Name               <set name>
Device Type        Generic
Access Protocol    SNMP
Community String   <your own>

Squid Web Proxy
• What is Discovered and Monitored
• Configuration

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Host name, Interfaces, Serial number
  Metrics collected: CPU utilization, Memory utilization
  Used for: Performance Monitoring

Protocol: Syslog
  Information discovered: -
  Metrics collected: Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration
  Used for: Security Monitoring and compliance

Event Types
In ADMIN > Device Support > Event, search for "squid" in the Description and Device Type columns to see the event types associated with this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Syslog
1. Add the following line to the logformat section in /etc/squid/squid.conf, based on your version of Squid.
For Squid versions earlier than 4.1.1:
logformat PHCombined %>a %>p %<A %la %lp %tr %ul %ui %un %us %ue [%tl] %rm "%ru" HTTP/%rv %Hs %<st %>st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
For Squid version 4.1.1 and later:
logformat PHCombined %>a %>p %<A %la %lp %tr %ul %ui %un [%tl] %rm "%ru" HTTP/%rv %Hs %<st %>st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
2. Add the following line to the access_log section in /etc/squid/squid.conf.
access_log syslog:LOG_LOCAL4 PHCombined
3. Restart Squid.
Configure syslogd (or rsyslogd) to Forward the Logs to FortiSIEM
1. Modify /etc/syslog.conf (/etc/rsyslog.conf if running rsyslog) to forward the local4 facility to FortiSIEM:
Local4.* @<FortiSIEMIp>
2. Restart syslogd (or rsyslogd).
Sample Parsed Squid Syslog Messages
Squid on Linux with syslog locally to forward to FortiSIEM
<166>squid[28988]: 192.168.25.15 51734 65.54.87.157 172.16.10.40 3128 5989 - - - - [22/Apr/2011:17:17:46 -0700] GET "http://col.stj.s-msn.com/br/sc/js/jquery/jquery1.4.2.min.js" HTTP/1.1 200 26141 407 "http://www.msn.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16" TCP_MISS:DIRECT
Squid on Linux with syslog-ng locally to forward to FortiSIEM
<166>Oct 20 09:21:54 QA-V-CentOS-Syslog-ng squid[7082]: 192.168.20.42 1107 74.125.19.100 172.16.10.34 3128 291 - - - - - [20/Oct/2009:09:21:54 -0700] GET "http://clients1.google.com/generate_204" HTTP/1.1 204 387 603 "http://www.google.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT
Squid on Linux with syslog locally and forward to syslog-ng remotely to forward to FortiSIEM
<166>Oct 20 10:21:42 172.16.10.40 squid[26033]: 192.168.20.42 1121 66.235.132.121 172.16.10.40 3128 117 - - - - - [20/Oct/2009:12:05:49 \-0700|] GET "http://metrics.sun.com/b/ss/sunglobal,suncom,sunstruppdev/1/H.14/s21779365053734?" HTTP/1.1 200 746 1177 "http://www.sun.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT
Squid on Linux with syslog-ng locally and forward to syslog-ng remotely to forward to FortiSIEM
<166>Oct 20 12:44:12 172.16.10.40 squid[26033]: 192.168.20.42 1125 64.213.38.80 172.16.10.40 3128 117 - - - - - [20/Oct/2009:12:44:12 -0700] GET "http://www-cdn.sun.com/images/hp5/hp5b_ enterprise_10-19-09.jpg" HTTP/1.1 200 12271 520 "http://www.sun.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT

Squid on Solaris with syslog locally to forward to FortiSIEM
<166>May 6 17:55:48 squid[1773]: [ID 702911 local4.info] 192.168.20.39 1715 72.14.223.18 172.16.10.6 3128 674 - - - - - [06/May/2008:17:55:48 -0700] GET "http://mail.google.com/mail/?" HTTP/1.1 302 1061 568 "http://www.google.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14" TCP_ MISS:DIRECT
Squid on Solaris with syslog locally and forward to syslog-ng remotely to forward to FortiSIEM
<166>Oct 20 13:02:19 172.16.10.6 squid[687]: [ID 702911 local4.info] 192.168.20.42 1112 208.92.236.184 172.16.10.6 3128 201 - - - - - [20/Oct/2009:13:02:19 -0700] GET "http://m.webtrends.com/dcs4f6vsz99k7mayiw2jzupyr_1s2e/dcs.gif?" HTTP/1.1 200 685 1604 "http://www.microsoft.com/en/us/default.aspx" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT
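A parser for the PHCombined log lines above, as an added example (not Fortinet or Squid project code) that shows how the logformat fields line up with the samples and that the syslog priority carries the LOG_LOCAL4 facility configured in access_log. The sample lines are copied from the guide; the regex and field names are this example's own.

```python
"""
Parse Squid access log lines written with the PHCombined logformat from this
guide and forwarded over syslog (LOG_LOCAL4). Added example, not Fortinet or
Squid project code; the sample lines are copied from the guide.
"""
import re
from datetime import datetime
from typing import Any, Dict, Optional

# Syslog envelope: <PRI>, an optional "timestamp host" header, "squid[pid]:",
# and the optional Solaris "[ID nnn local4.info]" tag seen in the guide.
_ENVELOPE = re.compile(
    r"^<(?P<pri>\d+)>(?P<header>.*?)squid\[(?P<pid>\d+)\]: "
    r"(?:\[ID \d+ [\w.]+\] )?(?P<body>.*)$"
)

# PHCombined: %>a %>p %<A %la %lp %tr <user fields> [%tl] %rm "%ru" HTTP/%rv
#             %Hs %<st %>st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
# The number of %u* user fields differs between Squid versions (and between
# the samples in the guide), so they are captured as one run of tokens.
_PHCOMBINED = re.compile(
    r"^(?P<client_ip>\S+) (?P<client_port>\d+) (?P<server>\S+) "
    r"(?P<local_ip>\S+) (?P<local_port>\d+) (?P<response_ms>\d+) "
    r"(?P<user_fields>(?:\S+ )+?)\[(?P<time>[^\]]+)\] "
    r'(?P<method>\S+) "(?P<url>[^"]*)" HTTP/(?P<http_version>\S+) '
    r"(?P<status>\d+) (?P<reply_bytes>\d+) (?P<request_bytes>\d+) "
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" '
    r"(?P<squid_status>[^:\s]+):(?P<hierarchy>\S+)$"
)

# Samples copied from the guide: syslog locally, syslog-ng locally, and
# Solaris syslog relayed through syslog-ng.
SAMPLE_SYSLOG = (
    '<166>squid[28988]: 192.168.25.15 51734 65.54.87.157 172.16.10.40 3128 '
    '5989 - - - - [22/Apr/2011:17:17:46 -0700] GET '
    '"http://col.stj.s-msn.com/br/sc/js/jquery/jquery1.4.2.min.js" HTTP/1.1 '
    '200 26141 407 "http://www.msn.com/" "Mozilla/5.0 (Windows; U; Windows NT '
    '6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16" TCP_MISS:DIRECT')
SAMPLE_SYSLOG_NG = (
    '<166>Oct 20 09:21:54 QA-V-CentOS-Syslog-ng squid[7082]: 192.168.20.42 '
    '1107 74.125.19.100 172.16.10.34 3128 291 - - - - - '
    '[20/Oct/2009:09:21:54 -0700] GET "http://clients1.google.com/generate_204" '
    'HTTP/1.1 204 387 603 "http://www.google.com/" "Mozilla/4.0 (compatible; '
    'MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; '
    '.NET CLR 3.5.30729)" TCP_MISS:DIRECT')
SAMPLE_SOLARIS = (
    '<166>Oct 20 13:02:19 172.16.10.6 squid[687]: [ID 702911 local4.info] '
    '192.168.20.42 1112 208.92.236.184 172.16.10.6 3128 201 - - - - - '
    '[20/Oct/2009:13:02:19 -0700] GET '
    '"http://m.webtrends.com/dcs4f6vsz99k7mayiw2jzupyr_1s2e/dcs.gif?" HTTP/1.1 '
    '200 685 1604 "http://www.microsoft.com/en/us/default.aspx" "Mozilla/4.0 '
    '(compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR '
    '3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT')


def _facility_name(facility: int) -> str:
    """Name the syslog facility; 16..23 are local0..local7 (LOG_LOCAL4 = 20)."""
    return f"local{facility - 16}" if facility >= 16 else str(facility)


def _parse_time(text: str) -> Optional[datetime]:
    """Parse the %tl timestamp; return None if the relay mangled it."""
    try:
        return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None


def parse_squid_syslog(line: str) -> Optional[Dict[str, Any]]:
    """Return the parsed event, or None if the line is not a PHCombined line."""
    env = _ENVELOPE.match(line)
    if not env:
        return None
    body = _PHCOMBINED.match(env.group("body"))
    if not body:
        return None
    pri = int(env.group("pri"))
    ev: Dict[str, Any] = body.groupdict()
    for key in ("client_port", "local_port", "response_ms",
                "status", "reply_bytes", "request_bytes"):
        ev[key] = int(ev[key])
    ev["user_fields"] = ev["user_fields"].split()
    ev["time"] = _parse_time(body.group("time"))
    ev["facility"] = _facility_name(pri >> 3)   # should match LOG_LOCAL4
    ev["severity"] = pri & 7                     # 6 = info
    ev["pid"] = int(env.group("pid"))
    ev["syslog_header"] = env.group("header").strip()
    return ev


if __name__ == "__main__":
    for sample in (SAMPLE_SYSLOG, SAMPLE_SYSLOG_NG, SAMPLE_SOLARIS):
        ev = parse_squid_syslog(sample)
        print(ev["facility"], ev["client_ip"], ev["method"], ev["url"],
              ev["status"], ev["squid_status"])
```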


SSH Comm Security CryptoAuditor
• What is Discovered and Monitored
• Event Types
• Rules
• Reports
• Configuration

What is Discovered and Monitored

Protocol: Syslog (CEF format)
  Information Discovered: -
  Data Collected: 15 event types
  Used for: Security and Compliance

Event Types
In RESOURCE > Event Types, search for "CryptoAuditor-".
Sample Event Type:
<189>Jun 24 15:43:01 auditor ssh-auditor[4067]: CEF:0|SSH|CryptoAuditor|1.6.0|4201|Connection_received|1|rt=Jun 26 2015 07:48:24 SshAuditorSrc=10.1.78.8 spt=34453 SshAuditorDst=10.1.78.8 dpt=10022 SshAuditorSessionId=21 SshAuditorUsername=testuser SshAuditorRemoteusername=testuser SshAuditorProtocolsessionId=C089C55D9ADE0A4F901917D69B46B01223A02B70 SshAuditorVirtualLAN=0 cs1=source connection cs1Label=Text
<189>Jun 24 15:43:01 auditor ssh-auditor[4067]: CEF:0|SSH|CryptoAuditor|1.6.0|4201|Connection_received|rt=Jun 26 2015 07:48:24 SshAuditorSrc=10.1.78.8 spt=34453 SshAuditorDst=10.1.78.8 dpt=10022 SshAuditorSessionId=21 SshAuditorUsername=testuser SshAuditorRemoteusername=testuser SshAuditorProtocolsessionId=C089C55D9ADE0A4F901917D69B46B01223A02B70 SshAuditorVirtualLAN=0 cs1=source connection cs1Label=Text
Rules
There are no specific rules but generic rules for Generic Servers apply.
Reports
There are no specific reports but generic reports for Generic Servers apply.
Configuration
Configure SSH Comm Security CryptoAuditor to send syslog on port 514 to FortiSIEM.
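A CEF parser, as an added example (not Fortinet or vendor code), for checking that syslog arriving on port 514 from CryptoAuditor or the Vormetric DSM above is well-formed before it reaches a parser: it splits the seven mandatory header fields, collects the key=value extension (values may contain spaces), resolves csN/csNLabel pairs, and rejects a header with a missing field. The sample lines are copied from those two sections; the Imperva sample earlier in this chapter contains unescaped "=" inside its query text and is not used here.

```python
"""
Parse CEF-over-syslog events like the Vormetric DSM and CryptoAuditor samples
in this guide and resolve the csN / csNLabel custom-field pairs.
Added example, not Fortinet or vendor code; the sample lines are copied from
the guide and embedded here so the module runs offline.
"""
import re
from typing import Any, Dict

# Header fields are '|'-separated; a literal pipe inside a header field is
# escaped as '\|', so split only on unescaped pipes.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# An extension key is a run of word characters directly followed by '=',
# at the start of the extension or after a space. Values may contain spaces
# (rt=Jun 26 2015 07:48:24, cs1=source connection) and run to the next key.
_KEY = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")
_HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                  "signature_id", "name", "severity")

# Samples copied from the guide: Vormetric DSM, CryptoAuditor, and the second
# CryptoAuditor line, whose header lacks the severity field.
VORMETRIC = ("<14> 2013-06-29T18:44:42.420Z 10.10.10.1 CEF:0|Vormetric, Inc.|dsm|"
             "5.2.0.1|DAO0048I|update host|3|cs4Label=logger cs4=DAO spid=4322 "
             "rt=1388986263954 dvchost=example.com suser=USER_1 shost=test_cpu")
CRYPTOAUDITOR = (
    "<189>Jun 24 15:43:01 auditor ssh-auditor[4067]: CEF:0|SSH|CryptoAuditor|"
    "1.6.0|4201|Connection_received|1|rt=Jun 26 2015 07:48:24 "
    "SshAuditorSrc=10.1.78.8 spt=34453 SshAuditorDst=10.1.78.8 dpt=10022 "
    "SshAuditorSessionId=21 SshAuditorUsername=testuser "
    "SshAuditorRemoteusername=testuser "
    "SshAuditorProtocolsessionId=C089C55D9ADE0A4F901917D69B46B01223A02B70 "
    "SshAuditorVirtualLAN=0 cs1=source connection cs1Label=Text")
CRYPTOAUDITOR_NO_SEVERITY = CRYPTOAUDITOR.replace("|Connection_received|1|",
                                                  "|Connection_received|")


def _unescape(value: str) -> str:
    """Undo the CEF extension escapes: \\= \\n \\r and \\\\ ."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in "=\\nr":
            out.append({"=": "=", "\\": "\\", "n": "\n", "r": "\r"}[value[i + 1]])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k1=v1 k2=v2 with spaces k3=v3' into a dict, keeping key order."""
    fields: Dict[str, str] = {}
    keys = list(_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields


def resolve_custom_labels(fields: Dict[str, str]) -> Dict[str, str]:
    """Rename custom fields by their *Label companions:
    'cs4Label=logger cs4=DAO' becomes {'logger': 'DAO'}."""
    resolved: Dict[str, str] = {}
    for key, value in fields.items():
        if key.endswith("Label"):
            continue
        resolved[fields.get(key + "Label") or key] = value
    return resolved


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one syslog line carrying a CEF event; raise ValueError when the
    header does not have the seven mandatory fields."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    parts = _HEADER_SPLIT.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 header fields")
    event: Dict[str, Any] = {"syslog_prefix": line[:start].strip()}
    for name, raw in zip(_HEADER_FIELDS, parts[:7]):
        event[name] = raw.replace(r"\|", "|")
    event["cef_version"] = event["cef_version"][len("CEF:"):]
    event["extension"] = parse_extension(parts[7])
    event["fields"] = resolve_custom_labels(event["extension"])
    return event


if __name__ == "__main__":
    for sample in (VORMETRIC, CRYPTOAUDITOR, CRYPTOAUDITOR_NO_SEVERITY):
        try:
            ev = parse_cef(sample)
            print(ev["vendor"], ev["signature_id"], ev["severity"], ev["fields"])
        except ValueError as err:
            print("rejected:", err)
```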


Websense Web Filter
• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials

What is Discovered and Monitored

Protocol: Syslog
  Information discovered: -
  Metrics collected: Parsed event attributes include Source IP, Destination Name, Destination URL, HTTP Method, HTTP User Agent, HTTP Status Code, HTTP Content Type, Blocked Reason, Website category, HTTP Disposition, Sent Bytes, Recv Bytes, Duration, File Type, etc.
  Used for: Security Monitoring and compliance

Event Types
In ADMIN > Device Support > Event, search for "web sense_mail" in the Display Name column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
FortiSIEM integrates with Websense Web Filter via syslog sent in the SIEM integration format as described in the Websense SIEM guide. See the instructions on how to install a Websense Multiplexer that integrates with the Websense Policy server and creates syslog for consumption by SIEM products such as FortiSIEM.
Sample Parsed Websense Web Filter Syslog Message
<159>Feb 28 14:25:32 10.203.28.21 vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=153 user=- src_host=10.64.134.74 src_port=62189 dst_host=mail.google.com dst_ip=74.125.224.53 dst_port=443 bytes_out=197 bytes_in=76 http_response=200 http_method=CONNECT http_content_type= - http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_enUS;_rv:1.9.2.23)_Gecko/20110920_ Firefox/3.6.23 http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 url=https://mail.google.com

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting                   Value
Name                      <set name>
Device Type               Websense Web Security
Access Protocol           JDBC
Log Server IP             IP of the log server
Pull Interval             5 minutes
Port                      1433
Log Database              wslogdb70_1
URL Database              wslogdb70
URL Category Database     wslogdb70
Disposition Database      wslogdb70
User Name                 Name used to access the database


Servers
FortiSIEM supports these servers for discovery and monitoring.
• HP UX Server
• IBM AIX Server
• IBM OS400 Server
• Linux Server
• Microsoft Windows Server
• QNAP Turbo NAS
• Sun Solaris Server


HP UX Server
• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
  Information Discovered: Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)
  Metrics collected: Uptime, CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down
  Used for: Performance Monitoring

Protocol: SSH
  Information Discovered: Hardware (cpu details, memory)
  Metrics collected: Memory paging rate, Disk I/O utilization
  Used for: Performance Monitoring

Protocol: Syslog
  Information Discovered: Vendor, Model
  Metrics collected: General logs including Authentication Success/Failure, Privileged logons, User/Group Modification
  Used for: Security Monitoring and Compliance

Event Types
In ADMIN > Device Support > Event, search for "hp_ux" in the Description column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
In RESOURCE > Reports, search for "hp_ux" in the Name column to see the reports associated with this device.

Configuration
SNMP v1 and v2c
1. Make sure that the SNMP libraries are installed. FortiSIEM has been tested to work with the default HP UX package that comes with snmpd preinstalled.
2. Start the snmpd daemon with the default configuration by issuing /etc/init.d/snmpd restart.
3. Make sure that snmpd is running.
SSH
1. Make sure that the vmstat and iostat commands are available. If not, install these libraries.
2. Create a user account that can issue the vmstat and iostat commands. FortiSIEM will use that user account to log in to the server.
Settings for Access Credentials
SNMP, Telnet, and SSH Access Credentials for All Devices See Access Credentials.

LDAP, LDAPS, LDAP Start TLS / OpenLDAP Access Credentials for All Devices

Setting            Value
Name               <set name>
Device Type        HP HPUX
Access Protocol    LDAP / LDAPS / LDAP Start TLS
Used For           OpenLDAP
Server Port        389 for LDAP, LDAP Start TLS; 636 for LDAPS
Base DN            The Distinguished Name (DN) of the starting point for directory server searches
Password Config    See Password Configuration
User Name          Name of the user able to access this system
Password           Password of the user able to access this system

LDAP, LDAPS, LDAP Start TLS / Microsoft Active Directory Access Credentials for All Devices

Setting            Value
Name               <set name>
Device Type        HP HPUX
Access Protocol    LDAP / LDAPS / LDAP Start TLS
Used For           Microsoft Active Directory
Server Port        389 for LDAP, LDAP Start TLS; 636 for LDAPS
Base DN            The Distinguished Name (DN) of the starting point for directory server searches
NetBIOS/Domain     The domain name or NetBIOS name attribute
Password Config    See Password Configuration
User Name          Name of the user able to access this system
Password           Password of the user able to access this system


IBM AIX Server
• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
  Information Discovered: Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)
  Metrics collected: Uptime, CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down
  Used for: Performance Monitoring

Protocol: SSH
  Information Discovered: Hardware (cpu details, memory)
  Metrics collected: Memory paging rate, Disk I/O utilization
  Used for: Performance Monitoring

Protocol: Syslog
  Information Discovered: Vendor, Model
  Metrics collected: General logs including Authentication Success/Failure, Privileged logons, User/Group Modification
  Used for: Security Monitoring and Compliance

Event Types
In ADMIN > Device Support > Event, search for "ibm_aix" in the Device Type and Description column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.

Configuration
SNMP v1 and v2c
1. Make sure that the SNMP libraries are installed. FortiSIEM has been tested to work with the default AIX package that comes with snmpd preinstalled.
2. Start the snmpd daemon with the default configuration by issuing /etc/init.d/snmpd restart.
3. Make sure that snmpd is running.
SSH
1. Make sure that the vmstat and iostat commands are available. If not, install these libraries.
2. Create a user account that can issue the vmstat and iostat commands. FortiSIEM will use that user account to log in to the server.
Syslog
1. Make sure that /etc/syslog.conf contains a *.* entry and points to a log file:
*.* @<SENSORIPADDRESS>
2. Refresh syslogd:
# refresh -s syslogd
Settings for Access Credentials
SNMP, Telnet, and SSH Access Credentials for All Devices See Access Credentials.

LDAP, LDAPS, LDAP Start TLS / OpenLDAP Access Credentials for All Devices

Setting            Value
Name               <set name>
Device Type        IBM AIX
Access Protocol    LDAP / LDAPS / LDAP Start TLS
Used For           OpenLDAP
Server Port        389 for LDAP, LDAP Start TLS; 636 for LDAPS
Base DN            The Distinguished Name (DN) of the starting point for directory server searches
Password Config    See Password Configuration
User Name          Name of the user able to access this system
Password           Password of the user able to access this system

LDAP, LDAPS, LDAP Start TLS / Microsoft Active Directory Access Credentials for All Devices

Setting            Value
Name               <set name>
Device Type        IBM AIX
Access Protocol    LDAP / LDAPS / LDAP Start TLS
Used For           Microsoft Active Directory
Server Port        389 for LDAP, LDAP Start TLS; 636 for LDAPS
Base DN            The Distinguished Name (DN) of the starting point for directory server searches
NetBIOS/Domain     The domain name or NetBIOS name attribute
Password Config    See Password Configuration
User Name          Name of the user able to access this system
Password           Password of the user able to access this system


IBM OS400 Server
• What is Discovered and Monitored
• Configuration

What is Discovered and Monitored

Protocol: Syslog
  Information Discovered: -
  Metrics collected: General logs including Authentication Success/Failure, Privileged logons, User/Group Modification
  Used for: Security Monitoring and Compliance

Event Types
In ADMIN > Device Support > Event, search for "os400" in the Device Type column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
Syslog
FortiSIEM parses IBM OS 400 logs received via the PowerTech Agent as described here. The PowerTech agent sends syslog to FortiSIEM.
Sample Parsed IBM OS400 Syslog Messages
Mar 18 17:49:36 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0603|A File Server transaction was allowed for user BRENDAN.|2| src =10.0.1.60 dst =10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QPWFSERVSO JUSER :BRENDAN JNBR :025355 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL: OB BRENDAN *FILESRV CRTSTRMFIL QPWFSERVSO LNS0811 000112 00023 /home/BRENDAN/subfolder
Mar 18 17:48:36 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0604|A File Server transaction was

FortiSIEM 6.1.1 External Systems Configuration Guide

605

Fortinet Technologies Inc.

Servers
allowed for user BRENDAN.|2| src =10.0.1.60 dst =10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QPWFSERVSO JUSER :BRENDAN JNBR :025355 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL: OB BRENDAN *FILESRV DLTSTRMFIL QPWFSERVSO LNS0811 000112 00025 /home/BRENDAN/BoardReport
Mar 18 17:53:00 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0703|A System i FTP Client transaction was allowed for user BRENDAN.|3| src =10.0.1.180 dst =10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QTFTP00149 JUSER :BRENDAN JNBR :029256 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL: ST BRENDAN *FTPCLIENT DELETEFILE QTFTP00149 LNS0811 000112 00033 /QSYS.LIB/PAYROLL.LIB/NEVADA.FILE
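The following is an added example, not part of the FortiSIEM guide or of PowerTech's software: a PowerShell parser for the CEF lines above, with a detection run over the parsed fields. The three sample lines are those from the guide; the positional reading of the DETAIL field (entry type, user, server, operation, job, ..., object) is an assumption drawn from those samples, not from PowerTech documentation.

```powershell
# Added example (not from the FortiSIEM guide): parse PowerTech Interact CEF syslog
# lines and flag deletes against a sensitive library. Sample lines are the guide's.
$SampleLines = @(
  'Mar 18 17:49:36 ROBINSON CEF:0|PowerTech|Interact|2.0|UNA0603|A File Server transaction was allowed for user BRENDAN.|2| src=10.0.1.60 dst=10.0.1.180 msg=TYPE:JRN CLS:AUD JJOB:QPWFSERVSO JUSER:BRENDAN JNBR:025355 PGM:PLKR108JEL OBJECT: LIBRARY: MEMBER: DETAIL: OB BRENDAN *FILESRV CRTSTRMFIL QPWFSERVSO LNS0811 000112 00023 /home/BRENDAN/subfolder',
  'Mar 18 17:48:36 ROBINSON CEF:0|PowerTech|Interact|2.0|UNA0604|A File Server transaction was allowed for user BRENDAN.|2| src=10.0.1.60 dst=10.0.1.180 msg=TYPE:JRN CLS:AUD JJOB:QPWFSERVSO JUSER:BRENDAN JNBR:025355 PGM:PLKR108JEL OBJECT: LIBRARY: MEMBER: DETAIL: OB BRENDAN *FILESRV DLTSTRMFIL QPWFSERVSO LNS0811 000112 00025 /home/BRENDAN/BoardReport',
  'Mar 18 17:53:00 ROBINSON CEF:0|PowerTech|Interact|2.0|UNA0703|A System i FTP Client transaction was allowed for user BRENDAN.|3| src=10.0.1.180 dst=10.0.1.180 msg=TYPE:JRN CLS:AUD JJOB:QTFTP00149 JUSER:BRENDAN JNBR:029256 PGM:PLKR108JEL OBJECT: LIBRARY: MEMBER: DETAIL: ST BRENDAN *FTPCLIENT DELETEFILE QTFTP00149 LNS0811 000112 00033 /QSYS.LIB/PAYROLL.LIB/NEVADA.FILE'
)

function ConvertFrom-PowerTechCef {
  param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
  process {
    # The syslog prefix (timestamp, host) ends where the CEF header begins.
    $start = $Line.IndexOf('CEF:0|')
    if ($start -lt 0) { Write-Warning "Not a CEF line: $Line"; return }
    $prefix = ($Line.Substring(0, $start).Trim()) -split '\s+'
    # CEF header: Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension.
    # Max 8 substrings keeps any '|' inside the extension intact.
    $hdr = $Line.Substring($start) -split '\|', 8
    if ($hdr.Count -lt 8) { Write-Warning "Short CEF header: $Line"; return }
    $ext = $hdr[7]
    # src= and dst= are standard CEF keys; msg= carries the journal entry to end of line.
    $src  = if ($ext -match '\bsrc=(\S+)')   { $Matches[1] } else { $null }
    $dst  = if ($ext -match '\bdst=(\S+)')   { $Matches[1] } else { $null }
    $msg  = if ($ext -match '\bmsg=(.*)$')   { $Matches[1] } else { '' }
    $user = if ($msg -match '\bJUSER:(\S+)') { $Matches[1] } else { $null }
    $job  = if ($msg -match '\bJJOB:(\S+)')  { $Matches[1] } else { $null }
    # DETAIL layout assumed from the samples: <type> <user> <server> <operation> <job> ... <object>
    $detail = (($msg -split 'DETAIL:\s*', 2)[1]) -split '\s+'
    [pscustomobject]@{
      Timestamp   = $prefix[0..2] -join ' '
      Host        = $prefix[-1]
      SignatureId = $hdr[4]
      Name        = $hdr[5]
      Severity    = [int]$hdr[6]
      Src         = $src
      Dst         = $dst
      User        = $user
      Job         = $job
      Server      = $detail[2]    # *FILESRV, *FTPCLIENT, ...
      Operation   = $detail[3]    # CRTSTRMFIL, DLTSTRMFIL, DELETEFILE, ...
      Object      = $detail[-1]   # IFS path or QSYS.LIB object
    }
  }
}

$events = $SampleLines | ConvertFrom-PowerTechCef
$events | Format-Table Timestamp, User, Server, Operation, Object -AutoSize

# Detection: any delete operation on an object under the PAYROLL library.
# The third sample matches; the home-directory DLTSTRMFIL does not.
$events |
  Where-Object { ($_.Operation -in @('DLTSTRMFIL', 'DELETEFILE')) -and ($_.Object -like '/QSYS.LIB/PAYROLL.LIB/*') } |
  ForEach-Object { "ALERT $($_.Timestamp) $($_.User) $($_.Operation) $($_.Object) from $($_.Src)" }
```

The parser keeps the CEF header and the PowerTech-specific `msg=` payload separate, so the same function works for other PowerTech signature IDs whose DETAIL field follows the same positional layout; anything that does not start with `CEF:0|` is reported and skipped rather than mis-parsed.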


Linux Server
l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration l Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
  Information Discovered: Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)
  Metrics collected: Uptime, CPU/Memory/Network Interface/Disk space utilization, Swap space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down
  Used for: Performance Monitoring

Protocol: SSH
  Information Discovered: OS type, Hardware (cpu details, memory)
  Metrics collected: Memory paging rate, Disk I/O utilization
  Used for: Performance Monitoring

Protocol: Syslog
  Information Discovered: Vendor, Model
  Metrics collected: General logs including Authentication Success/Failure, Privileged logons, User/Group Modification
  Used for: Security Monitoring and Compliance

Protocol: Syslog (via FortiSIEM Linux Agent)
  Information Discovered: (none)
  Metrics collected: File or directory change: User, Type of change, directory or file name
  Used for: Security Monitoring and Compliance

Event Types
In ADMIN > Device Support > Event Types, search for "linux" to see the event types associated with this device.
Rules
In RESOURCES > Rules, search for "linux" in the main content panel Search... field to see the rules associated with this device.

Reports
In RESOURCES > Reports , search for "linux" in the main content panel Search... field to see the reports associated with this device.
Configuration
• SNMP v1 and v2c
• SNMP v3
• SSH
• Syslog Logging
• Basic Linux File Monitoring over Syslog

SNMP v1 and v2c
1. Make sure that the SNMP libraries are installed. FortiSIEM has been tested with the net-snmp packages.
2. Log in to your server with administrative access.
3. Make these modifications to the /etc/snmp/snmpd.conf file:
   a. Define the community string for FortiSIEM usage and permit SNMP access only from the FortiSIEM IP address. The community string is the only credential in SNMP v1/v2c, so use a non-default value and restrict it by source address.
   b. Allow FortiSIEM read-only access to the mib-2 tree.
   c. Allow FortiSIEM read-only access to the enterprise MIB UCD-SNMP-MIB.
   d. Open up the entire tree for read-only view. (A view limited to the subtrees in b and c is sufficient for FortiSIEM and is preferable; FortiSIEM needs no write access.)
4. Reduce the logging level to avoid per-connection logging, which can exhaust disk and CPU on a frequently polled agent:
   a. Edit /etc/sysconfig/snmpd (on RedHat/CentOS) or /etc/default/snmpd (on Debian/Ubuntu).
   b. Look for the line that passes the command line options to snmpd. On RedHat Enterprise 6 this looks like:
      # snmpd command line options
      OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid"
   c. Change the priority range from 0-6 to 0-5, so that LOG_INFO messages (priority 6, which include the "Connection from" line written for every poll) are no longer sent to syslog:
      # snmpd command line options
      OPTIONS="-LS0-5d -Lf /dev/null -p /var/run/snmpd.pid"
5. Restart the snmpd daemon with /etc/init.d/snmpd restart (systemctl restart snmpd on systemd-based distributions).
6. Start snmpd at boot with chkconfig snmpd on (systemctl enable snmpd on systemd-based distributions).
7. Make sure that snmpd is running.

SNMP v3

Configuring rwcommunity/rocommunity or com2sec

1. Log in to your Linux server.
2. Stop SNMP:
   service snmpd stop
3. Use vi to edit the /etc/snmp/snmpd.conf file. Before you edit this file, make sure you have created a backup; the SNMP daemon needs a valid copy of this file to start with the correct credentials.
   vi /etc/snmp/snmpd.conf
4. At the end of the file, add this line, substituting your user name for snmpv3user and removing the <> tags:
   rouser <snmpv3user>
5. Save the file.
6. Use vi to edit the /var/lib/snmp/snmpd.conf file (/var/lib/net-snmp/snmpd.conf on RedHat/CentOS). Before you edit this file, make sure you have created a backup; the SNMP daemon does not function correctly without a valid copy of it.
   vi /var/lib/snmp/snmpd.conf
7. At the end of the file, add this line, entering the user name you used in step 4 and then the authentication (MD5) and privacy (DES) passphrases for that user. MD5 and DES are the weakest algorithms net-snmp offers; if the FortiSIEM SNMP v3 credential is set to SHA and AES, use the SHA and AES keywords here instead. Passphrases must be at least 8 characters long.
   createUser <snmpv3user> MD5 <snmpv3md5password> DES <snmpv3despassword>
8. Save the file.
9. Reduce the logging level to avoid per-connection logging, which can exhaust disk and CPU on a frequently polled agent:
   a. Edit /etc/sysconfig/snmpd (on RedHat/CentOS) or /etc/default/snmpd (on Debian/Ubuntu).
   b. Look for the line that passes the command line options to snmpd. On RedHat Enterprise 6 this looks like:
      # snmpd command line options
      OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid"
   c. Change the priority range from 0-6 to 0-5:
      # snmpd command line options
      OPTIONS="-LS0-5d -Lf /dev/null -p /var/run/snmpd.pid"
10. Restart SNMP and enable it at boot:
    service snmpd start
    chkconfig snmpd on
11. View the contents of the /var/lib/snmp/snmpd.conf file. If the configuration is correct, snmpd restarts without errors and the createUser line you added has been replaced by a usmUser line holding the localized keys, so the clear-text passphrases are no longer stored on disk:
    cat /var/lib/snmp/snmpd.conf
12. Run:
    snmpwalk -v 3 -u <snmpv3user> -l authpriv -a MD5 -A <snmpv3md5password> -x DES -X <snmpv3despassword> <IP>
    You will see the walk output if this works. If there are any errors, consult the net-snmp documentation.

Configuring net-snmp-devel
If you have net-snmp-devel installed on your Linux server, follow these steps to configure SNMP v3; the net-snmp-config command writes both the rouser and createUser lines for you.
1. Stop SNMP:
   service snmpd stop
2. Run:
   net-snmp-config --create-snmpv3-user -ro -A <MD5passwordhere> -X <DESpasswordhere> -a MD5 -x DES <SNMPUSERNAME>
   Use -a SHA -x AES instead when the FortiSIEM SNMP v3 credential is set to SHA and AES.
3. Restart SNMP:
   service snmpd start
4. Test with the snmpwalk command from step 12 above.
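The fragment below is an added example, not taken from the FortiSIEM guide or from net-snmp's distributed configuration. It brings the SNMP v1/v2c steps (3a to 3d) and the SNMP v3 steps above together in one snmpd.conf with the restrictions a polled agent should carry: a read-only view limited to the subtrees FortiSIEM uses, a community string accepted only from the FortiSIEM address, and SHA/AES instead of MD5/DES. The address 10.0.1.20 stands for the FortiSIEM node that polls this host, and every <...> value is a placeholder to replace.

```conf
# snmpd.conf fragment (added example, not from the FortiSIEM guide).
# 10.0.1.20 = the FortiSIEM Supervisor/Worker/Collector that polls this host (placeholder).

# Listen for queries on UDP/161 (bind to one address instead of all if the host is multi-homed).
agentAddress udp:161

# Read-only view covering what FortiSIEM discovers and polls:
#   .1.3.6.1.2.1       mib-2 (system, interfaces, Host Resources MIB)
#   .1.3.6.1.4.1.2021  UCD-SNMP-MIB (load, memory, swap, disk)
view fortisiem included .1.3.6.1.2.1
view fortisiem included .1.3.6.1.4.1.2021

# SNMP v1/v2c. The minimal form (whole tree, any source) would be:
#   rocommunity <community>
# Preferred: the same string as the FortiSIEM SNMP credential, accepted only from the
# FortiSIEM address and limited to the view above.
rocommunity <community> 10.0.1.20/32 -V fortisiem

# SNMP v3 (USM). The guide's algorithm pair would be:
#   createUser <snmpv3user> MD5 <auth-passphrase> DES <priv-passphrase>
# SHA and AES are supported by net-snmp and by the FortiSIEM SNMP v3 credential; prefer them.
# Passphrases must be at least 8 characters. This line goes in the persistent configuration
# (/var/lib/snmp/snmpd.conf on Debian/Ubuntu, /var/lib/net-snmp/snmpd.conf on RedHat/CentOS);
# snmpd rewrites it as a usmUser entry holding localized keys when it starts.
createUser <snmpv3user> SHA <auth-passphrase> AES <priv-passphrase>

# Require authentication and privacy (authPriv), read-only, same restricted view.
rouser <snmpv3user> priv -V fortisiem

# Check from the FortiSIEM node after restarting snmpd:
#   snmpwalk -v 3 -u <snmpv3user> -l authPriv -a SHA -A <auth-passphrase> -x AES -X <priv-passphrase> <IP> system
```

With this file, a walk from any address other than 10.0.1.20 with the v2c community is refused, and a v3 request at noAuthNoPriv or authNoPriv level is rejected because the rouser line demands priv.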
SSH
1. Make sure that the vmstat and iostat commands are available. If not, install the packages that provide them (vmstat is part of procps; iostat is part of sysstat).
2. Create a user account that can issue the vmstat and iostat commands. FortiSIEM will use that user account to log in to the server. Both commands run without root or sudo rights, so an ordinary unprivileged account is sufficient.
Syslog Logging
Syslog forwarding can be configured on Linux servers to send the logs to FortiSIEM. There are different options regarding syslog configuration, including Syslog over TLS. There are typically two commonly-used syslog daemons:
• syslog-ng
• rsyslog
Basic syslog-ng Configuration
Follow these steps to enable basic syslog-ng forwarding:
1. Add a destination for the FortiSIEM Collector to your syslog-ng configuration and attach it to your existing source (the source name depends on the distribution; <source name> is a placeholder):
   destination d_fortisiem { udp("<Collector IP>" port(514)); };
   log { source(<source name>); destination(d_fortisiem); };
2. Restart the syslog-ng service or reload the configuration.
Basic rsyslog Configuration
Follow these steps to enable rsyslog forwarding:
1. Add the following lines to your rsyslog configuration (a single @ forwards over UDP; use @@ for TCP):
   # Send logs to the FortiSIEM Collector
   *.* @<Collector IP>:514
2. Restart the rsyslog service or reload the configuration.
Linux File Monitoring
FortiSIEM has licensed Linux agents that provide additional capabilities, such as custom log forwarding and central management. See the "Linux Agent Installation Guide" for details on this agent.


Settings for Access Credentials

• SNMP Access Credentials for All Devices
• SSH Access Credentials for All Devices

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting            Value
Name               <set name>
Device Type        Generic
Access Protocol    SNMP
Community String   <your own>

SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting            Value
Name               ssh-generic
Device Type        Generic
Access Protocol    SSH
Port               22
User Name          A user who has access credentials for your device over SSH
Password           The password for the user


Microsoft Windows Server
• Supported OS
• What is Discovered and Monitored
• Configuration
• Setting Access Credentials

Supported OS
• Windows 2003
• Windows 2008 and 2008 R2
• Windows 2012 and 2012 R2
• Windows 2016
• Windows 2019

What is Discovered and Monitored

Metrics in bold are unique to Microsoft Windows Server monitoring.
Installed Software Monitored via SNMP
Although information about installed software is available via both SNMP and WMI, FortiSIEM uses SNMP to obtain installed software information to avoid an issue in Microsoft's WMI implementation of the Win32_Product class (see Microsoft KB 974524). Because of this bug, every WMI query against Win32_Product triggers a consistency check of each installed package and writes many unnecessary Windows event log messages indicating that the Windows Installer has reconfigured all installed applications.
Winexe execution and its effect
FortiSIEM uses the winexe command during discovery and monitoring of Windows servers for the following purposes:
1. Windows domain controller diagnostics (dcdiag) and replication monitoring (repadmin /replsummary)
2. Hyper-V performance monitoring
3. Windows custom performance monitoring, to run a command (for example, PowerShell) remotely on Windows systems
Note: Running the winexe command remotely installs the winexesvc service on the Windows server. Because winexe runs arbitrary commands on the server under the supplied credentials, treat the account used for it as a privileged credential and limit where it is valid.

Protocol: SNMP
  Information Discovered: Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)
  Metrics collected: Uptime, Overall CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down
  Used for: Performance Monitoring

Protocol: SNMP
  Information Discovered: Vendor specific server hardware (hardware model, hardware serial number, fans, power supply, disk, raid battery). Currently supported vendors include HP and Dell.
  Metrics collected: Hardware module status - fan, power supply, thermal status, battery, disk, memory. Currently supported vendors include HP and Dell.
  Used for: Performance Monitoring

Protocol: WMI
  Information Discovered:
    Win32_ComputerSystem: Host name, OS
    Win32_WindowsProductActivation: OS Serial Number
    Win32_OperatingSystem: Memory, Uptime
    Win32_BIOS: BIOS
    Win32_Processor: CPU
    Win32_LogicalDisk: Disk info
    Win32_NetworkAdapterConfiguration: Network interface
    Win32_Service: Services
    Win32_Process: Running processes
    Win32_QuickFixEngineering: Installed patches
  Metrics collected:
    Win32_OperatingSystem: Uptime
    Win32_PerfRawData_PerfOS_Processor: Detailed CPU utilization
    Win32_PerfRawData_PerfOS_Memory: Memory utilization, paging/swapping metrics
    Win32_LogicalDisk: Disk space utilization
    Win32_PerfRawData_PerfOS_PagingFile: Paging file utilization
    Win32_PerfRawData_PerfDisk_LogicalDisk: Disk I/O metrics
    Win32_PerfRawData_Tcpip_NetworkInterface: Network Interface utilization
    Win32_Service: Running process uptime, start/stop status
    Win32_Process, Win32_PerfRawData_PerfProc_Process: Process CPU/memory/I/O utilization
  Used for: Performance Monitoring

Protocol: WMI
  Metrics collected: Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent)
  Used for: Security and Compliance

Protocol: Snare agent
  Metrics collected: Security, Application and System Event Logs including logon, file/folder edits, network traffic
  Used for: Security and Compliance

Protocol: Correlog agent
  Metrics collected: Security, Application and System Event Logs including logon, file/folder edits, network traffic
  Used for: Security and Compliance

Protocol: FortiSIEM Agent
  Metrics collected: Security, Application and System Event Logs, DNS, DHCP, IIS, DFS logs, Custom log files, File Integrity Monitoring, Registry Change Monitoring, Installed Software Change Monitoring, WMI and PowerShell output monitoring
  Used for: Security and Compliance

Event Types
In ADMIN > Device Support > Event Types, search for "windows server" in the Description column to see the event types associated with this application or device.
Rules
In RESOURCES > Rules, search for "windows server" in the Name column to see the rules associated with this application or device.

Reports
In RESOURCES > Reports, search for "windows server" in the Name column to see the reports associated with this application or device.
Configuration
l WinRM Configurations l SNMP Configurations l WMI Configurations l Windows Agent Configurations l Syslog Configurations
WinRM Configurations
WinRM is used for some FortiSIEM Remediation actions. If Windows Remediation actions are not used in FortiSIEM, this configuration step is not required.
Enable WinRM and set authentication
Use the commands below to enable WinRM and set authentication on the target Windows Servers.
1. To configure the Windows Server:
   winrm quickconfig
   winrm set winrm/config/service/auth '@{Basic="true"}'
   winrm set winrm/config/service '@{AllowUnencrypted="true"}'
   Single quotes around the @{...} argument are needed on Windows 2016 and later.
   Note that Basic authentication combined with AllowUnencrypted="true" sends the remediation account's password over TCP/5985 in clear text (base64-encoded only), along with the command payload. Restrict the WinRM firewall rule to the FortiSIEM nodes that run remediation, and prefer an HTTPS listener where the remediation scripts support it.
2. To configure the FortiSIEM client (Supervisor or Collector):
   pip install pywinrm
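The following is an added example, not part of the FortiSIEM guide: the guide's WinRM settings as written, next to a hardened configuration that keeps Basic authentication available but only over TLS. The certificate thumbprint and the FortiSIEM address 10.0.1.20 are placeholders. Whether FortiSIEM's remediation scripts connect over HTTPS (pywinrm itself supports an SSL transport) is not stated on this page, so confirm that before relying on the HTTPS listener alone.

```powershell
# Added example (not from the FortiSIEM guide). Run in an elevated PowerShell on the target server.

# --- As in the guide: works, but credentials and payload cross the network unencrypted ---
# winrm quickconfig
# winrm set winrm/config/service/auth '@{Basic="true"}'
# winrm set winrm/config/service '@{AllowUnencrypted="true"}'

# --- Hardened: Basic only over HTTPS, plaintext refused, reachable only from FortiSIEM ---
$Thumbprint  = 'REPLACE-WITH-SERVER-CERT-THUMBPRINT'   # cert in Cert:\LocalMachine\My matching the host FQDN
$FortiSIEMIp = '10.0.1.20'                             # placeholder: node that runs remediation

# Same plumbing as "winrm quickconfig": service start-up, HTTP listener, default firewall rules.
Enable-PSRemoting -Force

# Allow Basic, but keep AllowUnencrypted at its default of false: WinRM then refuses Basic on
# the HTTP listener (Negotiate/Kerberos still work there with message-level encryption).
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false

# HTTPS listener on TCP/5986 bound to the server certificate.
# (For a lab without a CA: New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My,
#  which then needs to be trusted or pinned by the client.)
$haveHttps = Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (-not $haveHttps) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Thumbprint -Force | Out-Null
}

# Firewall: open 5986 only to FortiSIEM, and scope the default 5985 rules to FortiSIEM as well.
New-NetFirewallRule -DisplayName 'WinRM HTTPS from FortiSIEM' -Direction Inbound -Protocol TCP `
    -LocalPort 5986 -RemoteAddress $FortiSIEMIp -Action Allow | Out-Null
Set-NetFirewallRule -DisplayGroup 'Windows Remote Management' -RemoteAddress $FortiSIEMIp

# Verify: both listeners present, Basic=true, AllowUnencrypted=false.
Get-ChildItem WSMan:\localhost\Listener | Select-Object -ExpandProperty Keys
winrm get winrm/config/service
```

The design point is that `AllowUnencrypted=false` is enforced by the WinRM service itself: a client that tries Basic over the HTTP listener is refused, so the password can only be sent inside the TLS session on 5986. Scoping the firewall rules to the FortiSIEM address limits who can attempt authentication at all.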
SNMP Configurations
l Enabling SNMP on Windows Server 2012R2, Server 2016, Server 2019 l Enabling SNMP on Windows 7 or Windows Server 2008 R2 l Enabling SNMP on Windows Server 2003
Enabling SNMP on Windows Server 2012R2, Server 2016, Server 2019
SNMP is typically enabled by default on Windows Server 2012 R2, Server 2016, and Server 2019, but you must still add FortiSIEM to the hosts from which the server accepts SNMP packets. First, check that SNMP Services have been enabled for your server.
1. Log in as an administrator to the Windows Server where you want to enable SNMP.
2. In the Start menu, select Control Panel.
3. Under Programs, click Turn Windows features on or off.
4. The Add Roles and Features Wizard opens automatically.
5. Select Role-based or feature-based installation. Click Next until the Features page appears.
6. Under Features, see if SNMP Service is installed. If not, select the SNMP Service check box and click Next to install the service.
7. From the Start menu, open Services and locate SNMP Service.
8. Select and open SNMP Service.
9. Click the Security tab.
10. Select Send authentication trap.
11. Under Accepted community names, make sure there is a READ ONLY entry for the community string you will enter in the FortiSIEM SNMP credential. The guide's examples use public; because the community string is the only credential in SNMP v1/v2c, a non-default string is preferable.
12. Select Accept SNMP packets from these hosts.
13. Click Add.
14. Enter the IP address of the FortiSIEM node (Supervisor, Worker, or Collector) that will poll this device over SNMP.
15. Click Add.
16. Click Apply.
17. Under SNMP Service, click Restart service.
Enabling SNMP on Windows 7 or Windows Server 2008 R2
SNMP is typically enabled by default on Windows Server 2008, but you must still add FortiSIEM to the hosts from which the server accepts SNMP packets. First, check that SNMP Services have been enabled for your server.
1. Log in as an administrator to the Windows 2008 Server where you want to enable SNMP.
2. In the Start menu, select Control Panel.
3. Under Programs, click Turn Windows features on or off.
4. Under Features, see if SNMP Services is installed. If not, click Add Features, select SNMP Service, and click Next to install the service.
5. In the Server Manager window, go to Services > SNMP Service.
6. Select and open SNMP Service.
7. Click the Security tab.
8. Select Send authentication trap.
9. Under Accepted community names, make sure there is a READ ONLY entry for the community string you will enter in the FortiSIEM SNMP credential (the guide's examples use public; a non-default string is preferable).
10. Select Accept SNMP packets from these hosts.
11. Click Add.
12. Enter the IP address of the FortiSIEM node that will poll this device over SNMP.
13. Click Add.
14. Click Apply.
15. Under SNMP Service, click Restart service.
Enabling SNMP on Windows Server 2003
SNMP is typically enabled by default on Windows Server 2003, but you must still add FortiSIEM to the hosts from which the server accepts SNMP packets. First, make sure that the SNMP component has been installed on your device.
1. In the Start menu, go to Administrative Tools > Services.
2. Go to Control Panel > Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. Select Management and Monitoring Tools and click Details. Make sure that Simple Network Management Protocol is selected. If it isn't, select it, and then click Next to install.
5. Go to Start > Administrative Tools > Services.
6. Select and open SNMP Service.
7. Click the Security tab.
8. Select Send authentication trap.
9. Under Accepted community names, make sure there is a READ ONLY entry for the community string you will enter in the FortiSIEM SNMP credential (the guide's examples use public; a non-default string is preferable).
10. Select Accept SNMP packets from these hosts.
11. Click Add.
12. Enter the IP address of the FortiSIEM node that will poll this device over SNMP.
13. Click Add.
14. Click Apply.
15. Under SNMP Service, click Restart service.
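The following is an added example, not part of the FortiSIEM guide: a scripted equivalent of the SNMP Service Security tab steps above for Windows Server 2012 R2 and later, using the registry keys the Security tab writes to. The community string and the FortiSIEM address 10.0.1.20 are placeholders; use the values you configure in the FortiSIEM SNMP credential.

```powershell
# Added example (not from the FortiSIEM guide). Run elevated on the monitored server.
$Community = 'REPLACE-WITH-YOUR-OWN'   # must equal the Community String in the FortiSIEM credential
$Managers  = @('10.0.1.20')            # every Supervisor/Worker/Collector that polls this host (placeholder)

# 1. Install the SNMP Service feature if it is missing (Server Manager cmdlets).
if ((Get-WindowsFeature -Name SNMP-Service).InstallState -ne 'Installed') {
    Install-WindowsFeature -Name SNMP-Service | Out-Null
}

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# 2. "Accepted community names": one value per community under ValidCommunities.
#    The DWORD is the right granted: 1 NONE, 2 NOTIFY, 4 READ ONLY, 8 READ WRITE, 16 READ CREATE.
New-Item -Path "$params\ValidCommunities" -Force | Out-Null
New-ItemProperty -Path "$params\ValidCommunities" -Name $Community -PropertyType DWord -Value 4 -Force | Out-Null
# The community string is the only SNMP v1/v2c credential; drop the well-known default once
# FortiSIEM has been switched to your own string.
if ($Community -ne 'public') {
    Remove-ItemProperty -Path "$params\ValidCommunities" -Name 'public' -ErrorAction SilentlyContinue
}

# 3. "Accept SNMP packets from these hosts": PermittedManagers values named 1, 2, 3, ...
#    Rewriting the key from scratch keeps the script idempotent.
Remove-Item -Path "$params\PermittedManagers" -Recurse -ErrorAction SilentlyContinue
New-Item -Path "$params\PermittedManagers" -Force | Out-Null
$i = 1
foreach ($m in $Managers) {
    New-ItemProperty -Path "$params\PermittedManagers" -Name $i -PropertyType String -Value $m -Force | Out-Null
    $i++
}

# 4. "Send authentication trap".
New-ItemProperty -Path $params -Name 'EnableAuthenticationTraps' -PropertyType DWord -Value 1 -Force | Out-Null

# 5. Restart so the service re-reads its parameters, then show what is in effect.
Restart-Service -Name SNMP
Get-ItemProperty -Path "$params\ValidCommunities"  | Select-Object -Property * -ExcludeProperty PS*
Get-ItemProperty -Path "$params\PermittedManagers" | Select-Object -Property * -ExcludeProperty PS*
```

Because the script only ever writes READ ONLY (4) and an explicit manager list, a host that later shows a READ WRITE community or an empty PermittedManagers key (which means "accept from any host") has drifted from this baseline; the two `Get-ItemProperty` lines at the end are the check to run after a change.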
WMI Configurations
l WMI Configuration for Windows 2012, 2012R2, 2016, 2019 l WMI Configurations for Windows 2008 and 2008R2
WMI Configuration for Windows 2012, 2012R2, 2016, 2019
To configure WMI on your device so that FortiSIEM can discover and monitor it, you must create a user who has access to WMI objects on the device. There are two ways to do this:
• Creating a Generic User Who Does Not Belong to the Local Administrator Group
• Creating a User Who Belongs to the Domain Administrator Group
• Differences Between Administrator and Non-Administrator Account
Creating a Generic User Who Does Not Belong to the Local Administrator Group
Log in to the machine you want to monitor with an administrator account.
Step 1. Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group
1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
2. Right-click Users and select New User.
3. Create a user.
4. Select this user, right-click, and select Properties > Member Of tab.
5. Click Add > Advanced > Find Now.
6. Select and add the following groups (hold down the CTRL key to select several):
   • Distributed COM Users
   • Performance Monitor Users
   • Remote Desktop Users
   Note: Remote Desktop Users grants interactive logon over RDP, which WMI polling does not need; include it only if the account must also log on interactively.
7. Click OK to save.

Step 2. Enable DCOM Permissions for the Monitoring Account
1. Go to Start > Control Panel > Administrative Tools > Component Services > Computers > My Computer.
2. Right-click My Computer, and then select Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
5. Click OK.
6. Under Access Permissions, click Edit Default.
7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow. If the Distributed COM Users group and Performance Monitor Users group are not present, click Add to add these two groups.
8. Click OK.
9. Under Launch and Activation Permissions, click Edit Limits.
10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Allow set for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. Click OK.
12. Under Launch and Activation Permissions, click Edit Default.
13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Allow set for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the Distributed COM Users group and Performance Monitor Users group are not present, click Add to add these two groups.
14. Click OK.
Step 3. See the sections Enable Account Privileges in WMI and Allow WMI through Windows Firewall in the Domain Admin User setup instructions for the remaining steps to configure WMI.
Step 4. Configuring Log Monitoring for Non-Administrative User
To configure the non-administrative user to monitor Windows event logs, follow the steps below:
1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers (Computer Management > Local Users and Groups for servers that are not a domain controller).
2. Right-click the non-admin user and select Properties.
3. Select the Member Of tab.
4. Click Add, select the group Event Log Readers, and click OK.
5. Click Apply.
6. Click OK to complete the configuration.
7. The following groups should now be applied to the user:
   • Distributed COM Users
   • Domain Users
   • Event Log Readers
Creating a User Who Belongs to the Domain Administrator Group
Log in to the Domain Controller with an administrator account.

Step 1. Enable Remote WMI Requests by Adding a Monitoring Account to the Domain Administrators Group
1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select New > User.
3. Create a user in your domain. The example uses the accelops.com domain, for instance YJTEST@accelops.com.
4. Right-click Domain Admins in Users and select Properties.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. Click Advanced > Find Now, and add the Administrator and the user you created in step 3.
7. Click OK to close the user selection dialog.
8. Click OK to close the Domain Admins Properties dialog.
Note: a Domain Admins account stored as a FortiSIEM credential is a high-value target. Prefer the non-administrator procedure above unless you need one of the classes marked Administrator-only under Differences Between Administrator and Non-Administrator Account.
Step 2. Enable the Monitoring Account to Access the Monitored Device
Log in to the machine you want to monitor with an administrator account.
Enable DCOM Permissions for the Monitoring Account
1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has Allow set for both Local Access and Remote Access.
5. Click OK.
6. In the COM Security tab, under Access Permissions, click Edit Default.
7. Find the user you created for the monitoring account, and make sure that user has Allow set for both Local Access and Remote Access. If the user is not listed, click Add to add it.
8. Click OK.
9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has Allow set for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the user is not listed, click Add to add it.
11. In the COM Security tab, under Launch and Activation Permissions, click Edit Default.
12. Find the user you created for the monitoring account, and make sure that user has Allow set for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the user is not listed, click Add to add it.
13. Click OK.
Enable Account Privileges in WMI
The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.
1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
2. Select WMI Control, right-click it, and select Properties.


3. Select the Security tab.
4. Expand Root and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has Allow set for Enable Account and Remote Enable. If the user is not present, click Add to add the user you created.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI through Windows Firewall (Windows Server 2012, 2016 and 2019)
1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation (WMI), and then click OK.
You can now configure FortiSIEM to communicate with your device. For more information, refer to the sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Differences Between Administrator and Non-Administrator Account
Windows allows certain WMI classes to be read only by an Administrator account. The following table lists which classes each account type can read; the Non-Administrator column is the one to check when deciding whether the non-administrator procedure is sufficient.

WMI Class                                                Administrator   Non-Administrator
Win32_BIOS                                               Yes             No
Win32_ComputerSystem                                     Yes             Yes
Win32_LogicalDisk                                        Yes             No
Win32_NetworkAdapter                                     Yes             Yes
Win32_NetworkAdapterConfiguration                        Yes             Yes
Win32_NTLogEvent                                         Yes             Yes
Win32_OperatingSystem                                    Yes             Yes
Win32_Process                                            Yes             Yes
Win32_Processor                                          Yes             Yes
Win32_Product                                            Yes             Yes
Win32_QuickFixEngineering                                Yes             No
Win32_Service                                            Yes             No
Win32_UserAccount                                        Yes             No
Win32_Volume                                             Yes             Yes
Win32_PerfFormattedData_DHCPServer_DHCPServer            Yes             Yes
Win32_PerfFormattedData_DNS_DNS                          Yes             Yes
Win32_PerfFormattedData_W3SVC_WebService                 Yes             Yes
Win32_PerfRawData_DirectoryServices_DirectoryServices    Yes             Yes
Win32_PerfRawData_NTDS_NTDS                              Yes             Yes
Win32_PerfRawData_PerfDisk_LogicalDisk                   Yes             Yes
Win32_PerfRawData_PerfDisk_PhysicalDisk                  Yes             Yes
Win32_PerfRawData_PerfOS_Memory                          Yes             Yes
Win32_PerfRawData_PerfOS_PagingFile                      Yes             Yes
Win32_PerfRawData_PerfOS_Processor                       Yes             Yes
Win32_PerfRawData_PerfProc_Process                       Yes             Yes
Win32_PerfRawData_Tcpip_NetworkInterface                 Yes             Yes

WMI Configurations for Windows 2008 and 2008R2
To configure WMI on your device so that FortiSIEM can discover and monitor it, you must create a user who has access to WMI objects on the device. There are two ways to do this:
• Creating a Generic User Who Does Not Belong to the Local Administrator Group
• Creating a User Who Belongs to the Domain Administrator Group
• Differences Between Administrator and Non-Administrator Account
Creating a Generic User Who Does Not Belong to the Local Administrator Group
Log in to the machine you want to monitor with an administrator account.
Step 1. Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group
1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
2. Right-click Users and select New User.
3. Create a user.
4. Select this user, right-click, and select Properties > Member Of tab.
5. Click Add, select Distributed COM Users, and click OK.
6. Click OK to save. This is the account you must also use to set up the Performance Monitor Users group permissions.
7. Repeat steps 4 through 6 for the Performance Monitor Users group.

Step 2. Enable DCOM Permissions for the Monitoring Account
1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
5. Click OK.
6. Under Access Permissions, click Edit Default.
7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allow.
8. Click OK.
9. Under Launch and Activation Permissions, click Edit Limits.
10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Allow set for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. Click OK.
12. Under Launch and Activation Permissions, click Edit Default.
13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Allow set for Local Launch, Remote Launch, Local Activation, and Remote Activation.
See the sections Enable Account Privileges in WMI and Allow WMI through Windows Firewall in the Domain Admin User setup instructions for the remaining steps to configure WMI.
Configuring Log Monitoring for Non-Administrative User
To configure the non-administrative user to monitor Windows event logs, follow the steps below:
1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers (Computer Management > Local Users and Groups for servers that are not a domain controller).
2. Right-click the non-admin user and select Properties.
3. Select the Member Of tab.
4. Click Add, select the group Event Log Readers, and click OK.
5. Click Apply.
6. Click OK to complete the configuration.
The following groups should now be applied to the user:
• Distributed COM Users
• Domain Users
• Event Log Readers
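The following is an added example, not part of the FortiSIEM guide: a scripted equivalent of the "Generic User Who Does Not Belong to the Local Administrator Group" procedure, in both its Windows 2012/2016/2019 and its Windows 2008/2008 R2 form, covering the group memberships (Steps 1 and 4 / Configuring Log Monitoring), the CIMV2 namespace permissions (Enable Account Privileges in WMI) and the firewall rule. The account name fsm-monitor and the namespace root\cimv2 are assumptions; the Performance Monitor Users and Distributed COM Users memberships, and the 0x1/0x20 access mask, follow from the GUI steps above. The script leaves Remote Desktop Users out deliberately, because WMI needs no interactive logon right.

```powershell
# Added example (not from the FortiSIEM guide). Run elevated on the monitored server.
$Account   = "$env:COMPUTERNAME\fsm-monitor"   # existing local account (assumption); use DOMAIN\user for a domain account
$Namespace = 'root\cimv2'

# Step 1 / Step 4 (Configuring Log Monitoring): group memberships.
#   Distributed COM Users    -> remote DCOM Access/Launch/Activation; this group already holds those
#                               rights in the default machine-wide limits that Step 2 has you verify
#   Performance Monitor Users-> Win32_PerfRawData_* classes
#   Event Log Readers        -> Win32_NTLogEvent (Security/Application/System logs)
foreach ($g in 'Distributed COM Users', 'Performance Monitor Users', 'Event Log Readers') {
    if (Get-Command Add-LocalGroupMember -ErrorAction SilentlyContinue) {          # Windows PowerShell 5.1 / Server 2016+
        if (-not (Get-LocalGroupMember -Group $g -Member $Account -ErrorAction SilentlyContinue)) {
            Add-LocalGroupMember -Group $g -Member $Account
        }
    } else {                                                                      # Server 2008 R2 / 2012 R2
        & net localgroup "$g" "$Account" /add | Out-Null
    }
}

# Enable Account Privileges in WMI: grant Enable Account (WBEM_ENABLE = 0x1) and Remote Enable
# (WBEM_REMOTE_ACCESS = 0x20) on the namespace, inherited to sub-namespaces
# (CONTAINER_INHERIT_ACE = 0x2), through __SystemSecurity Get/SetSecurityDescriptor.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$wmi = @{ Namespace = $Namespace; Path = '__systemsecurity=@' }
$out = Invoke-WmiMethod @wmi -Name GetSecurityDescriptor
if ($out.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($out.ReturnValue)" }
$sd = $out.Descriptor
if (-not ($sd.DACL | Where-Object { $_.Trustee.SIDString -eq $sid })) {
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SIDString = $sid
    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AccessMask = 0x1 -bor 0x20
    $ace.AceFlags   = 0x2
    $ace.AceType    = 0                          # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.psobject.ImmediateBaseObject
    $out = Invoke-WmiMethod @wmi -Name SetSecurityDescriptor -ArgumentList $sd.psobject.ImmediateBaseObject
    if ($out.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($out.ReturnValue)" }
}
Restart-Service -Name Winmgmt -Force             # same as "Windows Management Instrumentation > Restart"

# Allow WMI through Windows Firewall (2012 and later; on 2008 use the Control Panel steps).
Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'

# Check from another Windows host over DCOM, which is how FortiSIEM's WMI polling connects:
#   $cred = Get-Credential "$env:COMPUTERNAME\fsm-monitor"
#   $opt  = New-CimSessionOption -Protocol Dcom
#   $s    = New-CimSession -ComputerName <server> -Credential $cred -SessionOption $opt
#   Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem | Select-Object Caption, LastBootUpTime
#   Get-WinEvent -ComputerName <server> -Credential $cred -LogName Security -MaxEvents 1   # exercises Event Log Readers
```

Because the account is a member of Distributed COM Users, which already carries remote Access, Launch and Activation in the default machine-wide DCOM limits, Step 2 needs no change on a server with default DCOM settings; if those limits have been customised by policy, verify them in Component Services as the procedure describes. The check at the end should return the OS caption for the first query and a Security event for the second; a failure on the second alone points at the Event Log Readers membership, while an "access denied" on the first points at the DCOM limits or the CIMV2 namespace ACL.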
Creating a User Who Belongs to the Domain Administrator Group
Log in to the Domain Controller with an administrator account.

Step 1. Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group
1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users. 2. Right-click Users and select Add User. 3. Create a user for the @accelops.com domain.
For example, YJTEST@accelops.com. 4. Go to Groups, right-click Administrators, and then click Add to Group. 5. In the Domain Admins Properties dialog, select the Members tab, and then click Add. 6. For Enter the object names to select, enter the user you created in step 3. 7. Click OK to close the Domain Admins Properties dialog. 8. Click OK.
Step 2. Enable the Monitoring Account to Access the Monitored Device
Log in to the machine you want to monitor with an administrator account.
Enable DCOM Permissions for the Monitoring Account
1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
5. Click OK.
6. In the COM Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access.
8. Click OK.
9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
Enable Account Privileges in WMI
The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.
1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security tab.
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable.

7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)
1. In the Start menu, select Run.
2. Run gpedit.msc.
3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
5. Select Windows Firewall: Allow remote administration exception.
6. Run cmd.exe and enter these two commands (the first opens the DCOM endpoint mapper port, the second allows the WMI callback helper):

netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP

7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)
1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and then click OK.

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Differences Between Administrator and Non-Administrator Account
Windows allows certain WMI classes to be pulled only via an Administrator account. The following table shows this clearly.

WMI Class                                              Administrator  Non-Administrator
Win32_BIOS                                             Yes            No
Win32_ComputerSystem                                   Yes            Yes
Win32_LogicalDisk                                      Yes            No
Win32_NetworkAdapter                                   Yes            Yes
Win32_NetworkAdapterConfiguration                      Yes            Yes
Win32_NTLogEvent                                       Yes            Yes
Win32_OperatingSystem                                  Yes            Yes
Win32_Process                                          Yes            Yes
Win32_Processor                                        Yes            Yes
Win32_Product                                          Yes            Yes
Win32_QuickFixEngineering                              Yes            No
Win32_Service                                          Yes            No
Win32_UserAccount                                      Yes            No
Win32_Volume                                           Yes            Yes
Win32_PerfFormattedData_DHCPServer_DHCPServer          Yes            Yes
Win32_PerfFormattedData_DNS_DNS                        Yes            Yes
Win32_PerfFormattedData_W3SVC_WebService               Yes            Yes
Win32_PerfRawData_DirectoryServices_DirectoryServices  Yes            Yes
Win32_PerfRawData_NTDS_NTDS                            Yes            Yes
Win32_PerfRawData_PerfDisk_LogicalDisk                 Yes            Yes
Win32_PerfRawData_PerfDisk_PhysicalDisk                Yes            Yes
Win32_PerfRawData_PerfOS_Memory                        Yes            Yes
Win32_PerfRawData_PerfOS_PagingFile                    Yes            Yes
Win32_PerfRawData_PerfOS_Processor                     Yes            Yes
Win32_PerfRawData_PerfProc_Process                     Yes            Yes
Win32_PerfRawData_Tcpip_NetworkInterface               Yes            Yes
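After working through the DCOM, WMI namespace and firewall settings above, the practical question is whether the monitoring account can actually read the classes FortiSIEM pulls. The following PowerShell function is an added example, not part of the FortiSIEM guide: it queries each class from the table over DCOM with the supplied credential and reports success, access denied, or an RPC failure, so the output can be compared against the Non-Administrator column. The target host name, the account name and the decision to leave out Win32_Product are assumptions of this example.

```powershell
# Added example, not from the FortiSIEM guide: check which WMI classes the
# monitoring account can read over DCOM, to compare with the table above.
# Assumptions: the caller supplies the target host and the credential.
function Test-FortiSiemWmiAccess {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][pscredential]$Credential
    )

    # Classes from the guide's table; the value is the Non-Administrator column.
    # Win32_Product is deliberately omitted: enumerating it makes Windows
    # Installer re-validate every installed package, which is slow and noisy.
    $expected = [ordered]@{
        'Win32_BIOS'                                = $false
        'Win32_ComputerSystem'                      = $true
        'Win32_LogicalDisk'                         = $false
        'Win32_NetworkAdapter'                      = $true
        'Win32_NetworkAdapterConfiguration'         = $true
        'Win32_NTLogEvent'                          = $true
        'Win32_OperatingSystem'                     = $true
        'Win32_Process'                             = $true
        'Win32_Processor'                           = $true
        'Win32_QuickFixEngineering'                 = $false
        'Win32_Service'                             = $false
        'Win32_UserAccount'                         = $false
        'Win32_Volume'                              = $true
        'Win32_PerfRawData_PerfOS_Processor'        = $true
        'Win32_PerfRawData_PerfOS_Memory'           = $true
        'Win32_PerfRawData_PerfDisk_LogicalDisk'    = $true
        'Win32_PerfRawData_Tcpip_NetworkInterface'  = $true
    }

    foreach ($class in $expected.Keys) {
        # Get-WmiObject uses DCOM, which is the path the guide's settings open
        # (TCP/135 plus dynamic RPC ports and the unsecapp.exe callback).
        $params = @{
            ComputerName = $ComputerName
            Credential   = $Credential
            Namespace    = 'root\cimv2'
            Class        = $class
            ErrorAction  = 'Stop'
        }
        # The event log class is huge: restrict it to the Security log and stop after one row.
        if ($class -eq 'Win32_NTLogEvent') { $params['Filter'] = "Logfile='Security'" }

        try {
            $null = Get-WmiObject @params | Select-Object -First 1
            $result = 'OK'
        }
        catch {
            # Capture before the switch, because $_ is rebound inside it.
            $hresult = $_.Exception.HResult
            $message = $_.Exception.Message
            $result = switch ($hresult) {
                -2147024891 { 'ACCESS DENIED (0x80070005): DCOM or CIMV2 namespace permission missing' }
                -2147023174 { 'RPC SERVER UNAVAILABLE (0x800706BA): check TCP/135 and unsecapp.exe firewall rules' }
                default     { "ERROR: $message" }
            }
        }

        [pscustomobject]@{
            Class            = $class
            Result           = $result
            NonAdminExpected = $(if ($expected[$class]) { 'Yes' } else { 'No' })
        }
    }
}

# Usage (host name and account are placeholders):
# $cred = Get-Credential -UserName 'ACCELOPS\fortisiem-monitor' -Message 'Monitoring account'
# Test-FortiSiemWmiAccess -ComputerName 'winsrv01.accelops.com' -Credential $cred | Format-Table -AutoSize
```

A row that reads ACCESS DENIED for a class the table marks Yes points at the DCOM limits or the CIMV2 namespace security rather than at the firewall; RPC SERVER UNAVAILABLE on every row points at the firewall steps instead.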

Windows Agent Configurations
For information on configuring Windows Agent, see Windows Agent Installation Guide.
Syslog Configurations
See the Windows Agent Installation Guide for information on configuring the sending of syslog from your device to FortiSIEM.
Sample Windows Server Syslog
<108>2014 Dec 17 15:05:47 CorreLog_Win_Agent 1NDCITVWCVLT05.tsi.lan Login Monitor: Local Console User Login: User Name: weighalll-admin

Configuring the Security Audit Logging Policy

Because Windows generates a lot of security logs, you should specify the categories of events that you want logged and available for monitoring by FortiSIEM.
1. Log in to the machine where you want to configure the policy as an administrator.
2. Go to Programs > Administrative Tools > Local Security Policy.
3. Expand Local Policies and select Audit Policy. You will see the current security audit settings.
4. Select a policy and edit the Local Security Settings for the events you want audited. Recommended settings are:

Policy: Audit account logon events and Audit logon events
Description: For auditing logon activity
Settings: Select Success and Failure

Policy: Audit object access events
Description: For auditing access to files and folders. There is an additional configuration requirement for specifying which files and folders, users and user actions will be audited. See the next section, Configuring the File Auditing Policy.

Policy: Audit system events
Description: Includes system up/down messages
Settings: Select Success and Failure

Configuring the File Auditing Policy
When you enable the policy to audit object access events, you also must specify which files, folders, and user actions will be logged. You should be very specific with these settings, and set their scope to be as narrow as possible to avoid excessive logging. For this reason you should also specify system-level folders for auditing.
1. Log in to the machine where you want to set the policy with administrator privileges. On a domain computer, a Domain administrator account is needed.
2. Open Windows Explorer, select the file you want to set the auditing policy for, right-click on it, and select Properties.
3. In the Security tab, click Advanced.
4. Select the Auditing tab, and then click Add. This button is labeled Edit in Windows 2008.
5. In the Select User or Group dialog, click Advanced, and then find and select the users whose access to this file you want to monitor.
6. Click OK when you are done adding users.
7. In the Permissions tab, set the permissions for each user you added.
The configuration is now complete. Windows will generate audit events when the users you specified take the actions specified on the files or folders for which you set the audit policies.
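The two procedures above are done through the Local Security Policy and Explorer dialogs. The following PowerShell is an added example, not part of the FortiSIEM guide, that applies the same recommended settings from a script: auditpol enables the logon and system categories for Success and Failure, object access is limited to the File System subcategory (enabling the whole category also audits the filtering platform and registry, which is the excessive logging the section warns about), and a SACL entry is placed on one folder so that audit events are generated only for that path. Running from an elevated PowerShell, the folder path and the principal are assumptions of this example.

```powershell
# Added example, not from the FortiSIEM guide: apply the recommended audit
# settings with auditpol and scope object-access auditing to one folder via
# its SACL. Run from an elevated PowerShell; folder path and principal are
# assumptions of this example.
function Enable-RecommendedAuditPolicy {
    # Logon and system events: whole categories, Success and Failure, as in the guide's table.
    foreach ($category in 'Account Logon', 'Logon/Logoff', 'System') {
        & auditpol.exe /set "/category:$category" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for category '$category'" }
    }
    # Object access: only the File System subcategory, to keep the log volume down.
    & auditpol.exe /set '/subcategory:File System' /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'auditpol failed for subcategory File System' }

    # Return the effective policy so the caller can verify the result.
    & auditpol.exe /get /category:*
}

function Add-FolderAuditRule {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Identity = 'Everyone',
        # Actions worth auditing on a sensitive folder; reads are left out to limit volume.
        [System.Security.AccessControl.FileSystemRights]$Rights =
            'Delete, DeleteSubdirectoriesAndFiles, WriteData, AppendData, ChangePermissions, TakeOwnership'
    )
    # -Audit is needed to read and later write the SACL (requires SeSecurityPrivilege).
    $acl = Get-Acl -Path $Path -Audit

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, $Rights, $inherit, $propagate, $flags)

    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Return the resulting audit entries for verification.
    (Get-Acl -Path $Path -Audit).Audit
}

# Usage (path and group are placeholders):
# Enable-RecommendedAuditPolicy
# Add-FolderAuditRule -Path 'D:\Finance' -Identity 'CORP\Finance Users'
```

The resulting file-system events (event ID 4663 in the Security log) are what the object-access audit policy produces; the narrower the SACL, the fewer of them FortiSIEM has to ingest.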

Setting Access Credentials
SNMP, Telnet, and SSH Access Credentials for All Devices
See Access Credentials.

LDAP, LDAPS, LDAP Start TLS / OpenLDAP Access Credentials for All Devices

Setting: Value
Name: <set name>
Device Type: Microsoft Windows Server *
Access Protocol: LDAP / LDAPS / LDAP Start TLS
Used For: OpenLDAP
Server Port: 389 for LDAP, LDAP Start TLS; 636 for LDAPS
Base DN: Specify the root of the LDAP tree as the Base DN. For example: dc=companyABC,dc=com
Password Config: See Password Configuration
User Name: For user discoveries from an OpenLDAP directory, specify the full DN as the user name. For example: uid=jdoe,ou=hr,ou=unit,dc=companyABC,dc=com
Password: Password of the user able to access this system

LDAP, LDAPS, LDAP Start TLS / Microsoft Active Directory Access Credentials for All Devices

Setting: Value
Name: <set name>
Device Type: Microsoft Windows Server *
Access Protocol: LDAP / LDAPS / LDAP Start TLS
Used For: Microsoft Active Directory
Server Port: 389 for LDAP, LDAP Start TLS; 636 for LDAPS
Base DN: Specify the root of the LDAP tree as the Base DN. For example: dc=companyABC,dc=com
NetBIOS/Domain: The domain name or NetBIOS name attribute
Password Config: See Password Configuration
User Name: For Microsoft Active Directory, the user name can be just the login name.
Password: Password of the user able to access this system

WMI Access Credentials for All Devices

Setting: Value
Name: <set name>
Device Type: Microsoft Windows Server *
Access Protocol: WMI
Pull Interval: 1 minute
NetBIOS/Domain: The domain name or NetBIOS name attribute
Password Config: See Password Configuration
User Name: Name of the user able to access this system
Password: Password of the user able to access this system

QNAP Turbo NAS

Configuration
Setup in FortiSIEM
Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box:

   Setting: Value
   Name: <set name>
   Device Type: QNAP Turbo NAS
   Access Protocol: See Access Credentials
   Port: See Access Credentials
   Password config: See Password Configuration

3. In Step 2, Enter IP Range to Credential Associations:
   a. Select the name of your credential from the Credentials drop-down list.
   b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
   c. Click Save.
4. Click Test to test the connection to QNAP Turbo NAS.
5. To see the jobs associated with QNAP, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter QNAP in the search box.

Sun Solaris Server
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)
Metrics collected: Uptime, CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down
Used for: Performance Monitoring

Protocol: SSH
Information discovered: Hardware (cpu details, memory)
Metrics collected: Memory paging rate, Disk I/O utilization
Used for: Performance Monitoring

Protocol: Syslog
Information discovered: Vendor, Model
Metrics collected: General logs including Authentication Success/Failure, Privileged logons, User/Group Modification
Used for: Security Monitoring and Compliance

Event Types
In ADMIN > Device Support > Event, search for "solaris" in the Device Type and Description column to see the event types associated with this device.
Configuration
SNMP v1 and v2c
1. Check whether the netsnmp package is installed. Solaris has built-in snmp packages. If netsnmp is not installed, use the pkgadd command to install it.
2. Start snmp with the default configuration.

SSH
1. Make sure that the vmstat and iostat commands are available. If not, install these libraries.
2. Create a user account that can issue vmstat and iostat commands. FortiSIEM will use that user account to log in to the server.
Settings for Access Credentials
SNMP, Telnet, and SSH Access Credentials for All Devices
See Access Credentials.

LDAP, LDAPS, LDAP Start TLS / OpenLDAP Access Credentials for All Devices

Setting: Value
Name: <set name>
Device Type: Sun Solaris
Access Protocol: LDAP / LDAPS / LDAP Start TLS
Used For: OpenLDAP
Server Port: 389 for LDAP, LDAP Start TLS; 636 for LDAPS
Base DN: The Distinguished Name (DN) of the starting point for directory server searches
Password Config: See Password Configuration
User Name: Name of the user able to access this system
Password: Password of the user able to access this system

LDAP, LDAPS, LDAP Start TLS / Microsoft Active Directory Access Credentials for All Devices

Setting: Value
Name: <set name>
Device Type: Sun Solaris
Access Protocol: LDAP / LDAPS / LDAP Start TLS
Used For: Microsoft Active Directory
Server Port: 389 for LDAP, LDAP Start TLS; 636 for LDAPS
Base DN: The Distinguished Name (DN) of the starting point for directory server searches
NetBIOS/Domain: The domain name or NetBIOS name attribute
Password Config: See Password Configuration
User Name: Name of the user able to access this system
Password: Password of the user able to access this system

Storage
FortiSIEM supports these storage devices for discovery and monitoring.
- Brocade SAN Switch
- Dell Compellent Storage
- Dell EqualLogic Storage
- EMC Clariion Storage
- EMC Isilon Storage
- EMC VNX Storage
- NetApp Data ONTAP
- NetApp Filer Storage
- Nimble Storage
- Nutanix Storage

Brocade SAN Switch
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected: Hardware Status: Fan, Power Supply, Temperature (FortiSIEM Event Type: PH_DEV_MON_HW_STATUS)
Used for: Availability Monitoring

Event Types
In ADMIN > Device Support > Event, search for "brocade" in the Description column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.

Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide


Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting: Value
Name: <set name>
Device Type: Brocade San Switch
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Dell Compellent Storage
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected: Hardware component health: Power, Temperature, Fan
Used for: Availability Monitoring

Protocol: SNMP
Metrics collected: Volume Utilization
Used for: Performance Monitoring

Event Types
- Ping Monitoring: PH_DEV_MON_PING_STAT
- Interface Utilization: PH_DEV_MON_NET_INTF_UTIL
- Hardware Status: PH_DEV_MON_HW_STATUS
- Disk Utilization: PH_DEV_MON_DISK_UTIL
Rules
Availability
- Storage Hardware Warning
- Storage Hardware Critical
Performance (Fixed threshold)
- NFS Disk space Warning
- NFS Disk Space Critical


Reports
- Dell Compellent Hardware Status
- Top Dell Compellent Devices By Disk Space Util
- Top Dell Compellent Devices By Disk Space Util (Detailed)
- Top Dell Compellent modules by fan speed
- Top Dell Compellent modules by temperature
- Top Dell Compellent modules by voltage

Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting: Value
Name: <set name>
Device Type: Dell Compellent Storage
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Dell EqualLogic Storage
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected:
  Hardware component health: Component name (Disk, Power supply, Temperature, Fan, RAID health), Component status, Host spare ready disk count
  Overall Disk health metrics: Total disk count, Active disk count, Failed disk count, Spare disk count
Used for: Availability Monitoring

Protocol: SNMP
Metrics collected:
  Connection metrics: Connection Count, Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Read volume (KBps), Write volume (KBps)
  Disk performance metrics: Disk Name, Disk I/O Utilization, Disk I/O Queue, Read volume (KBps), Write volume (KBps)
  Group level performance metrics: Total storage, Used storage, Reserved storage, Reserved used storage, Total volumes, Used volumes, Online volumes, Total snapshot, Used snapshot, Online snapshot
Used for: Performance Monitoring

Event Types
In ADMIN > Device Support > Event, search for "equallogic" in the Description column to see the event types associated with this device.
Rules
In RESOURCE > Rules, search for "equallogic" in the Name column to see the rules associated with this device.


Reports
In RESOURCE > Reports , search for "equallogic" in the Name column to see the reports associated with this device.

Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting: Value
Name: <set name>
Device Type: Dell EqualLogic
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


EMC Clariion Storage
- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: NaviSecCLI
Information Discovered:
  Host name, Operating system version, Hardware model, Serial number, Network interfaces* Installed Software, Storage Controller Ports
  Hardware components: Enclosures, Fan, Power Supply, Link Control Card, CPU, Disk
  RAID Groups and the assigned disk
  LUNs and LUN -> RAID Group mappings
  Storage Groups and memberships (Host, Port, LUN)
Metrics collected:
  Processor utilization: SP Name, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  Port I/O: Port name, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  RAID Group I/O: RAID Group id, RAID type, Total disk, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  LUN I/O: LUN name, LUN id, Total disk, Used disk, Free disk, Disk util, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  Host HBA Connectivity: Source IP, Source Name, Source WWN, Dest IP, Destination Name, SP Port Name, Storage Group, LUN Names, Login Status, Registration Status
  Host HBA Unregistered Host: Source IP, Source Name, Source WWN, Dest IP, Destination Name, SP Port Name
  Hardware component health: Component name (Disk, Power supply, LCC, Fan, Link, Port), Component status, Host spare ready disk count
  Overall Disk health: Total disk count, Total disk size (MB), Active disk count, Failed disk count, Spare disk count
Used for: Availability and Performance Monitoring

Event Types
In ADMIN > Device Support > Event Types, search for "clariion" to see the event types associated with this device.
Rules
There are no predefined rules for this device.

Reports
There are no predefined reports for this device.
Configuration
Installing the NaviSecCLI Library in FortiSIEM
Changing NaviSecCLI Credentials
If you change the NaviSecCLI credentials on your EMC Clariion device, the certificates may also be changed and naviseccli may prompt you to accept new certificates. This should only happen the first time after a certificate change; until the prompt is answered, however, FortiSIEM discovery and performance monitoring will fail. You must run NaviSecCLI manually on each Supervisor and Worker in your deployment and accept the certificate, and then rediscover your EMC Clariion device for performance monitoring to resume.
Configuration of your EMC Clariion storage device involves installing EMC's NaviSecCLI library in your FortiSIEM virtual appliance, and then setting the access credentials that the appliance will use to communicate with your device.
1. Log in to your FortiSIEM virtual appliance as root.
2. Copy the file NaviCLI-Linux-64-x86-versionxyz.rpm to the FortiSIEM directory.
3. Run rpm -Uvh NaviCLI-Linux-64-x86-versionxyz.rpm to install the rpm package.

[root@Rob-SP-94 tmp]# rpm -Uvh NaviCLI-Linux-64-x86-en_US-7.30.15.0.44-1.x86_64.rpm
Preparing...                ########################################### [100%]
   1:NaviCLI-Linux-64-x86-en########################################### [100%]
Please enter the verifying level(low|medium|l|m) to set? m
Setting medium verifying level
[root@Rob-SP-94 opt]# ls -la
total 40
drwxr-xr-x  8 root  root  4096 Aug 22 16:06 .
drwxr-xr-x 29 root  root  4096 Aug 16 16:46 ..
drwxr-xr-x 11 admin admin 4096 Jul 23 18:56 glassfish
lrwxrwxrwx  1 root  root    16 Aug 16 16:46 Java -> /opt/jdk1.6.0_32
drwxr-xr-x  8 root  root  4096 Jun  2 16:35 jdk1.6.0_32
drwxr-xr-x  5 root  root  4096 Aug 22 16:06 Navisphere   <---- Note this directory was created
drwxrwxr-x 14 admin admin 4096 Jul 24 11:22 phoenix
drwxrwxr-x  3 root  root  4096 Jun  2 16:36 rpm
drwxr-xr-x  8 root  root  4096 Jun 18  2010 vmware
[root@Rob-SP-94 opt]#

4. Switch to the admin user (su - admin) and make sure that this user can run the command naviseccli -h <host> -User <user> -Password <pwd> -Scope global getall -sp from the directory /opt/phoenix/bin.

[root@Rob-SP-94 Navisphere]# cd bin
[root@Rob-SP-94 bin]# su - admin
[admin@Rob-SP-94 ~]$ naviseccli
Not enough arguments
Usage: [-User <username>] [-Password <password>] [-Scope <0 - global; 1 - local; 2 - LDAP>] [-Address <IPAddress | NetworkName> | -h <IPAddress | NetworkName>] [-Port <portnumber>] [-Timeout <timeout> | -t <timeout>] [-AddUserSecurity | -RemoveUserSecurity | -DeleteSecurityEntry] [-Parse | -p] [-NoPoll | -np] [-cmdtime] [-Xml] [-f <filename>] [-Help] CMD <Optional Arguments>[security -certificate]
[admin@Rob-SP-94 ~]$ pwd
/opt/phoenix/bin

5. Make sure that the Navisphere Analyzer module is on. If the module is off, performance metrics will not be available and discovery will fail. This log shows an example of the module being turned off.

[admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 getall -sp

Server IP Address:                  192.168.1.100
Agent Rev:                          7.32.26 (0.95)

SP Information
--------------
Storage Processor:                  SP A
Storage Processor Network Name:     A-IMAGE
Storage Processor IP Address:       192.168.1.100
Storage Processor Subnet Mask:      255.255.255.0
Storage Processor Gateway Address:  192.168.1.254
Storage Processor IPv6 Mode:        Not Supported
Management Port Settings:
Link Status:                        Link-Up
Current Speed:                      1000Mbps/full duplex
Requested Speed:                    Auto
Auto-Negotiate:                     YES
Capable Speeds:                     1000Mbps half/full duplex
                                    10Mbps half/full duplex
                                    100Mbps half/full duplex
                                    Auto
System Fault LED:                   OFF
Statistics Logging:                 OFF   <----- Note: performance statistics are not being collected, so AccelOps cannot pull stats and discovery will fail. See how to turn ON Statistics Logging below.
SP Read Cache State                 Enabled
SP Write Cache State                Enabled
....

6. If the Navisphere Analyzer module is off, turn it on with the setstats -on command.

[admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 setstats -on
[admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 getall -sp

Server IP Address:                  192.168.1.100
Agent Rev:                          7.32.26 (0.95)

SP Information
--------------
Storage Processor:                  SP A
Storage Processor Network Name:     A-IMAGE
Storage Processor IP Address:       192.168.1.100
Storage Processor Subnet Mask:      255.255.255.0
Storage Processor Gateway Address:  192.168.1.254
Storage Processor IPv6 Mode:        Not Supported
Management Port Settings:
Link Status:                        Link-Up
Current Speed:                      1000Mbps/full duplex
Requested Speed:                    Auto
Auto-Negotiate:                     YES
Capable Speeds:                     1000Mbps half/full duplex
                                    10Mbps half/full duplex
                                    100Mbps half/full duplex
                                    Auto
System Fault LED:                   OFF
Statistics Logging:                 ON   <--- NOTE that Statistics Logging is now ON.
SP Read Cache State                 Enabled
SP Write Cache State                Enabled
Max Requests:                       N/A
Average Requests:                   N/A
Hard errors:                        N/A
Total Reads:                        1012
Total Writes:                       8871
Prct Busy:                          6.98
Prct Idle:                          93.0
System Date:                        10/04/2013
Day of the week:                    Friday
System Time:                        11:23:48
Read_requests:                      1012
Write_requests:                     8871
Blocks_read:                        26259
Blocks_written:                     235896
Sum_queue_lengths_by_arrivals:      27398
Arrivals_to_non_zero_queue:         3649
....

7. Once this command runs successfully, you are ready to set the access credentials for your device in FortiSIEM and initiate the discovery process.

Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your EMC Clariion storage device over NaviSecCLI.

Setting: Value
Name: <set name>
Device Type: EMC Clariion
Access Protocol: Navisec CLI
Use LDAP: Select to use LDAP to access directory services
User Name: The user you configured to access NaviSecCLI
Password: The password associated with the user


EMC Isilon Storage
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected:
  Hardware component health: Component name (Disk, Power supply, Temperature, Fan), Component status (AO event type: PH_DEV_MON_HW_STATUS)
  Environmental: Temperature (AO event type: PH_DEV_MON_HW_TEMP), Voltage readings (AO event type: PH_DEV_MON_HW_VOLTAGE)
  Cluster membership change (AO event type: PH_DEV_MON_ISILON_CLUSTER_MEMBERSHIP_CHANGE)
Used for: Availability Monitoring

Event Types
In ADMIN > Device Support > Event, search for "isilon" in the Description column to see the event types associated with this device.
Rules
In RESOURCE > Rules, search for "isilon" in the Name column to see the rules associated with this device.
Reports
In RESOURCE > Reports , search for "isilon" in the Name column to see the reports associated with this device.


Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

SNMP Access Credentials for All Devices
Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting: Value
Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>


EMC VNX Storage Configuration

Configuring EMC VNX

Like EMC Clariion, FortiSIEM uses Navisec CLI to discover the device and to collect performance metrics. The only difference is that a slightly different command and XML formatted output is used.

Protocol: Navisec CLI
Information Discovered:
  Host name, Operating system version, Hardware model, Serial number, Network interfaces* Installed Software, Storage Controller Ports
  Hardware components: Enclosures, Fan, Power Supply, Link Control Card, CPU, Disk
  Storage Pools, RAID Groups and the assigned disks
  LUNs and LUN -> Storage Pool and RAID Group mappings
  Storage Groups and memberships (Host, Port, LUN)
Metrics collected:
  Processor utilization: SP Name, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  Storage Pool I/O: RAID Group id, RAID type, Total disk, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  LUN I/O: LUN name, LUN id, Total disk, Used disk, Free disk, Disk util, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  Host HBA Connectivity: Source IP, Source Name, Source WWN, Dest IP, Destination Name, SP Port Name, Storage Group, LUN Names, Login Status, Registration Status
  Host HBA Unregistered Host: Source IP, Source Name, Source WWN, Dest IP, Destination Name, SP Port Name
  Hardware component health: Component name (Disk, Power supply, LCC, Fan, Link, Port), Component status, Host spare ready disk count
  Overall Disk health: Total disk count, Total disk size (MB), Active disk count, Failed disk count, Spare disk count
Used for: Availability and Performance Monitoring

Configuration
Changing NaviSecCLI Credentials
If you change the NaviSecCLI credentials on your EMC Clarion device, the certificates may also be changed and naviseccli may prompt you to accept new certificates. This should only happen the first time after a certificate change, but until the new certificate is accepted, FortiSIEM discovery and performance monitoring will fail. You must run NaviSecCLI manually on each Supervisor and Worker in your deployment and accept the certificate, and then rediscover your EMC Clarion device for performance monitoring to resume.
Installing the NaviSecCLI Library in FortiSIEM
Configuration of your EMC Clarion storage device involves installing EMC's NaviSecCLI library in your FortiSIEM virtual appliance, and then setting the access credentials that the appliance will use to communicate with your device.
1. Log in to your FortiSIEM virtual appliance as root.
2. Copy the file NaviCLI-Linux-64-x86-versionxyz.rpm to the FortiSIEM directory.
3. Run rpm -Uvh NaviCLI-Linux-64-x86-versionxyz.rpm to install the rpm package.
[root@Rob-SP-94 tmp]# rpm -Uvh NaviCLI-Linux-64-x86-en_US-7.30.15.0.44-1.x86_64.rpm
Preparing...                ########################################### [100%]
   1:NaviCLI-Linux-64-x86-en########################################### [100%]
Please enter the verifying level(low|medium|l|m) to set? m
Setting medium verifying level
[root@Rob-SP-94 opt]# ls -la
total 40
drwxr-xr-x  8 root  root  4096 Aug 22 16:06 .
drwxr-xr-x 29 root  root  4096 Aug 16 16:46 ..
drwxr-xr-x 11 admin admin 4096 Jul 23 18:56 glassfish
lrwxrwxrwx  1 root  root    16 Aug 16 16:46 Java -> /opt/jdk1.6.0_32
drwxr-xr-x  8 root  root  4096 Jun  2 16:35 jdk1.6.0_32
drwxr-xr-x  5 root  root  4096 Aug 22 16:06 Navisphere   <---- Note: this directory was created by the install
drwxrwxr-x 14 admin admin 4096 Jul 24 11:22 phoenix
drwxrwxr-x  3 root  root  4096 Jun  2 16:36 rpm
drwxr-xr-x  8 root  root  4096 Jun 18  2010 vmware
[root@Rob-SP-94 opt]#
4. Switch to the admin user with su - admin and make sure that this user can run the command naviseccli -h <IP address> -User <user> -Password <pwd> -Scope global getall -sp from the directory /opt/phoenix/bin.
[root@Rob-SP-94 Navisphere]# cd bin
[root@Rob-SP-94 bin]# su - admin
[admin@Rob-SP-94 ~]$ naviseccli
Not enough arguments


Usage: [-User <username>] [-Password <password>] [-Scope <0 - global; 1 - local; 2 - LDAP>]
       [-Address <IPAddress | NetworkName> | -h <IPAddress | NetworkName>] [-Port <portnumber>]
       [-Timeout <timeout> | -t <timeout>] [-AddUserSecurity | -RemoveUserSecurity | -DeleteSecurityEntry]
       [-Parse | -p] [-NoPoll | -np] [-cmdtime] [-Xml] [-f <filename>] [-Help] CMD <Optional Arguments>
       [security -certificate]
[admin@Rob-SP-94 ~]$ pwd
/opt/phoenix/bin

5. Make sure that the Navisphere Analyzer module is on. If the module is off, performance metrics will not be available and discovery will fail. The following output shows an example in which the module is turned off (Statistics Logging: OFF).

[admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 getall -sp
Server IP Address:                 192.168.1.100
Agent Rev:                         7.32.26 (0.95)

SP Information
--------------
Storage Processor:                 SP A
Storage Processor Network Name:    A-IMAGE
Storage Processor IP Address:      192.168.1.100
Storage Processor Subnet Mask:     255.255.255.0
Storage Processor Gateway Address: 192.168.1.254
Storage Processor IPv6 Mode:       Not Supported
Management Port Settings:
Link Status:                       Link-Up
Current Speed:                     1000Mbps/full duplex
Requested Speed:                   Auto
Auto-Negotiate:                    YES
Capable Speeds:                    1000Mbps half/full duplex
                                   10Mbps half/full duplex
                                   100Mbps half/full duplex
                                   Auto
System Fault LED:                  OFF
Statistics Logging:                OFF   <----- Note: performance statistics are not being collected, so FortiSIEM cannot pull stats and discovery will fail. See how to turn ON Statistics Logging below.
SP Read Cache State                Enabled
SP Write Cache State               Enabled
....

6. If the Navisphere Analyzer module is off, turn it on with the setstats -on command.

[admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 setstats -on
[admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 getall -sp
Server IP Address:                 192.168.1.100
Agent Rev:                         7.32.26 (0.95)

SP Information


--------------
Storage Processor:                 SP A
Storage Processor Network Name:    A-IMAGE
Storage Processor IP Address:      192.168.1.100
Storage Processor Subnet Mask:     255.255.255.0
Storage Processor Gateway Address: 192.168.1.254
Storage Processor IPv6 Mode:       Not Supported
Management Port Settings:
Link Status:                       Link-Up
Current Speed:                     1000Mbps/full duplex
Requested Speed:                   Auto
Auto-Negotiate:                    YES
Capable Speeds:                    1000Mbps half/full duplex
                                   10Mbps half/full duplex
                                   100Mbps half/full duplex
                                   Auto
System Fault LED:                  OFF
Statistics Logging:                ON    <--- NOTE that Statistics Logging is now ON.
SP Read Cache State                Enabled
SP Write Cache State               Enabled
Max Requests:                      N/A
Average Requests:                  N/A
Hard errors:                       N/A
Total Reads:                       1012
Total Writes:                      8871
Prct Busy:                         6.98
Prct Idle:                         93.0
System Date:                       10/04/2013
Day of the week:                   Friday
System Time:                       11:23:48
Read_requests:                     1012
Write_requests:                    8871
Blocks_read:                       26259
Blocks_written:                    235896
Sum_queue_lengths_by_arrivals:     27398
Arrivals_to_non_zero_queue:        3649
....

7. Once this command runs successfully, you are ready to set the access credentials for your device in FortiSIEM and initiate the discovery process.

Setting the IP Address for Credential Mapping
Enter the Storage Processor IP address when you associate your device's access credentials to an IP address during the credential set up process. Do not enter any other IP address, such as the Control Station IP.

Settings for Access Credentials
Use these Access Method Definition settings to allow FortiSIEM to access your EMC VNX storage device over NaviSecCLI.


- Name: <set name>
- Device Type: EMC VNX
- Access Protocol: Navisec CLI
- Use LDAP: Select to use LDAP to access directory services
- User Name: The user you configured to access NaviSecCLI
- Password: The password associated with the user

NetApp DataONTAP
- Supported Version
- Configuration
Supported Version
FortiSIEM supports the latest NetApp ONTAP API version listed here.
- NetApp ONTAP API 8.2
Configuration
Setup in FortiSIEM
Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box:

- Name: Enter a name for the credential.
- Device Type: NetApp DataONTAP
- Access Protocol: NetApp ONTAPI
- Transport: HTTP or HTTPS
- Pull Interval: 5 minutes
- User Name: User name for device access


- Password: Password for device access
- Description: Description about the device

3. In Step 2: Enter IP Range to Credential Associations, click New.
   a. Enter a host name, an IP, or an IP range in the IP/Host Name field.
   b. Select the name of your credential from the Credentials drop-down list.
   c. Click Save.
4. Click the Test drop-down list and select Test Connectivity to test the connection to NetApp DataONTAP.
5. To see the jobs associated with DataONTAP, select ADMIN > Setup > Pull Events.
6. To see the received events, select ANALYTICS, then enter "DataONTAP" in the search box.


NetApp Filer Storage
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Logical volumes, Physical Disks
Metrics collected: Uptime, CPU utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Logical Disk Volume utilization
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected:
Hardware component health: Component name (Battery, Disk, Power supply, Temperature, Fan), Component status, Failed power supply count, Failed Fan Count
Overall Disk health metrics: Total disk count, Active disk count, Failed disk count, Spare disk count, Reconstructing disk count, Scrubbing disk count, Add spare disk count
Used for: Availability Monitoring

Protocol: SNMP
Metrics collected:
NFS metrics: Cache age, CIFS request rate (IOPS), NFS request rate (IOPS), Disk read rate (IOPS), Disk write rate (IOPS), Network Sent rate (Kbps), Network received rate (Kbps), RPC Bad calls, NFS Bad calls, CIFS Bad calls
Detailed NFS V3 metrics: Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Read volume (KBps), Write volume (KBps)
Detailed NFS V4 metrics: Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Read volume (KBps), Write volume (KBps)
Detailed CIFS metrics: Total Read/Write rate (IOPS), Latency
Detailed ISCSI metrics: Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Read volume (KBps), Write volume (KBps)
Detailed FCP metrics: Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Read volume (KBps), Write volume (KBps)
Used for: Performance Monitoring


Protocol: ONTAP API
Metrics collected:
Detailed LUN metrics: LUN Name, Read request rate (IOPS), Write request rate (IOPS), Read/Write latency, Read volume (KBps), Write volume (KBps), Disk queue full
Detailed Aggregate metrics: Aggregate name, Read request rate (IOPS), Write request rate (IOPS), Transfer rate, CP Read rate
Detailed Volume metrics: Volume Name, Disk Read request rate (IOPS), Disk Write request rate (IOPS), Disk read latency, Disk write latency, NFS Read request rate (IOPS), NFS Write request rate (IOPS), NFS Read latency, NFS Write latency, CIFS Read request rate (IOPS), CIFS Write request rate (IOPS), CIFS Read latency, CIFS Write latency, SAN Read request rate (IOPS), SAN Write request rate (IOPS), SAN Read latency, SAN Write latency
Detailed Disk performance metrics: Disk Name, Disk Utilization, Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Transfer operations rate
Used for: Performance Monitoring

Event Types
In ADMIN > Device Support > Event, search for "netapp" in the Device Type column to see the event types associated with this device.
Rules
In RESOURCE > Rules, search for "netapp" in the Name column to see the rules associated with this device.
Reports
In RESOURCE > Reports, search for "netapp" in the Name column to see the reports associated with this device.
Configuration
SNMP
1. Log in to your NetApp device with administrative privileges.
2. Go to SNMP > Configure.
3. For SNMP Enabled, select Yes.
4. Under Communities, create a public community with Read-Only permissions.
5. Click Apply.

Settings for Access Credentials
SNMP Access Credentials for All Devices
Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

- Name: <set name>
- Device Type: Generic
- Access Protocol: SNMP
- Community String: <your own>


Nimble Storage
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected: Storage Disk Utilization: Disk name, Total Disk, Used Disk, Free Disk, Disk Utilization
Used for: Availability Monitoring

Protocol: SNMP
Metrics collected: Storage Performance metrics: Read rate (IOPS), Sequential Read Rate (IOPS), Write rate (IOPS), Sequential Write Rate (IOPS), Read latency, Write latency, Read volume (KBps), Sequential Read volume (KBps), Sequential Write volume (KBps), Used Volume (MB), Used Snapshot (MB), Non-Sequential Cache Hit Ratio (FortiSIEM Event Type: PH_DEV_MON_NIMBLE_GLOBAL_STAT)
Used for: Performance Monitoring

Event Types
In ADMIN > Device Support > Event, search for "nimble" in the Description column to see the event types associated with this device.
Rules
There are no predefined rules for this device.

Reports
There are no predefined reports for this device.


Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

- Name: <set name>
- Device Type: Nimble Storage NimbleOS
- Access Protocol: See Access Credentials
- Port: See Access Credentials
- Password config: See Password Configuration


Nutanix Storage
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components
Metrics collected: Uptime, Process count, CPU utilization, Real and virtual memory utilization, Disk utilization, Process CPU/Memory utilization, Network Interface metrics
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected:
Disk Status: Cluster, Controller VM, Disk id, Disk serial, Disk utilization, Total Disk, Used Disk, Free Disk
Disk Temp: Disk Id, disk serial, Controller VM, temperature
Cluster Status: Cluster, Cluster version, storage utilization, total storage, used storage, IOPS, latency
Service Status: Cluster, Controller VM, Cluster VM Status, Zeus Status, Stargate Status
Used for: Availability Monitoring

Protocol: SNMP
Metrics collected:
Storage Pool Info: Cluster, storage pool name, storage utilization, total storage, used storage, IOPS, latency
Container Info: Cluster, Container name, storage utilization, total storage, used storage, IOPS, latency
Used for: Performance Monitoring

Event Types
- PH_DEV_MON_SYS_CPU_UTIL
[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=1468,[cpuName]=Generic CPU,[hostName]=NTNX-14SM15290052-A-CVM, [hostIpAddr]=10.0.252.20,[cpuUtil]=100.000000,[sysCpuUtil]=0.000000, [userCpuUtil]=0.000000,[waitCpuUtil]=0.000000,[kernCpuUtil]=0.000000, [contextSwitchPersec]=0.000000,[cpuInterruptPersec]=0.000000,[pollIntv]=177,[cpuCore]=8, [loadAvg1min]=2.500000,[loadAvg5min]=2.500000,[loadAvg15min]=2.390000,[phLogDetail]=
- PH_DEV_MON_SYS_MEM_UTIL

[PH_DEV_MON_SYS_MEM_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=9587,[memName]=Physical Memory,[hostName]=NTNX-14SM15290052-A-CVM, [hostIpAddr]=10.0.252.20,[memUtil]=93.210754,[pollIntv]=177,[phLogDetail]=
- PH_DEV_MON_SYS_VIRT_MEM_UTIL
[PH_DEV_MON_SYS_VIRT_MEM_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=9590,[memName]=Virtual memory,[hostName]=NTNX-14SM15290052-A-CVM, [hostIpAddr]=10.0.252.20,[virtMemUsedKB]=30773124,[virtMemUtil]=93.210754, [pollIntv]=177,[phLogDetail]=
- PH_DEV_MON_SYS_UPTIME
[PH_DEV_MON_SYS_UPTIME]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=1065,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.252.20, [sysUpTime]=1815730,[sysUpTimePct]=100.000000,[sysDownTime]=0,[pollIntv]=56, [phLogDetail]=
- PH_DEV_MON_SYS_DISK_UTIL
[PH_DEV_MON_SYS_DISK_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=9664,[diskName]=/home/nutanix/data/stargate-storage/disks/9XG6R3HG, [hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.252.20,[appTransportProto]=SNMP (hrStorage),[diskUtil]=9.229729,[totalDiskMB]=938899,[usedDiskMB]=86658, [freeDiskMB]=852241,[pollIntv]=176,[phLogDetail]=
- PH_DEV_MON_NET_INTF_UTIL
[PH_DEV_MON_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phIntfFilter.cpp, [lineNumber]=319,[intfName]=eth0,[intfAlias]=,[hostName]=NTNX-14SM15290052-A-CVM, [hostIpAddr]=10.0.252.20,[pollIntv]=56,[recvBytes64]=0,[recvBitsPerSec]=0.000000, [inIntfUtil]=0.000000,[sentBytes64]=0,[sentBitsPerSec]=0.000000,[outIntfUtil]=0.000000, [recvPkts64]=0,[sentPkts64]=0,[inIntfPktErr]=0,[inIntfPktErrPct]=0.000000, [outIntfPktErr]=0,[outIntfPktErrPct]=0.000000,[inIntfPktDiscarded]=0, [inIntfPktDiscardedPct]=0.000000,[outIntfPktDiscarded]=0, [outIntfPktDiscardedPct]=0.000000,[outQLen64]=0,[intfInSpeed64]=10000000000, [intfOutSpeed64]=10000000000,[intfAdminStatus]=up,[intfOperStatus]=up, [daysSinceLastUse]=0,[totIntfPktErr]=0,[totBitsPerSec]=0.000000,[phLogDetail]=
- PH_DEV_MON_PROC_RESOURCE_UTIL
[PH_DEV_MON_PROC_RESOURCE_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=4378,[swProcName]=python,[hostName]=NTNX-14SM15290052-A-CVM, [hostIpAddr]=10.0.23.20,[procOwner]=,[memUtil]=0.379639,[cpuUtil]=0.000000, [appName]=python,[appGroupName]=,[pollIntv]=116,[swParam]=/home/nutanix/ncc/bin/health_ server.py --log_plugin_output=true --logtostderr=true,[phLogDetail]=
- PH_DEV_MON_SYS_PROC_COUNT
[PH_DEV_MON_SYS_PROC_COUNT]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=11378,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.252.20, [procCount]=327,[pollIntv]=176,[phLogDetail]=
- PH_DEV_MON_NUTANIX_DISK_STATUS
[PH_DEV_MON_NUTANIX_DISK_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=devNutanix.cpp, [lineNumber]=216,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.23.20, [cluster]=AmanoxLab01,[diskId]=24,[ntxControllerVMId]=7,[hwDiskSerial]=9XG6V4DS, [diskUtil]=35.704633,[totalDiskMB]=916,[freeDiskMBNonRoot]=589,[inodeUsedPct]=0.234492, [inodeMax]=61054976,[inodeFreeNonRoot]=60911807,[phLogDetail]=
- PH_DEV_MON_NUTANIX_CLUSTER_STATUS

[PH_DEV_MON_NUTANIX_CLUSTER_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=devNutanix.cpp, [lineNumber]=272,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.23.20, [cluster]=Lab01,[clusterVersion]=el6-release-danube-4.1.2-stable99e1e2dda7a78989136f39132e1f198989ef03a4,[clusterStatus]=started,[diskUtil]=32.000000, [totalDiskMB]=14482532,[usedDiskMB]=4740567,[diskRWReqPerSec]=3109.000000, [devDiskRWLatency]=0.631000,[phLogDetail]=
- PH_DEV_MON_NUTANIX_SERVICE_STATUS
[PH_DEV_MON_NUTANIX_SERVICE_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=devNutanix.cpp, [lineNumber]=287,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.23.20, [cluster]=Lab01,[ntxControllerVMId]=5,[ntxClusterVMStatus]=Up,[ntxZeusStatus]=3287, 3310, 3311, 3312, 3389, 3403,[ntxStargateStatus]=5331, 5365, 5366, 5421, 19543, [phLogDetail]=
- PH_DEV_MON_NUTANIX_STORAGE_POOL_INFO
[PH_DEV_MON_NUTANIX_STORAGE_POOL_INFO]:[eventSeverity]=PHL_INFO, [fileName]=devNutanix.cpp,[lineNumber]=239,[hostName]=NTNX-14SM15290052-A-CVM, [hostIpAddr]=10.0.23.20,[cluster]=Lab01,[spoolId]=1474,[spoolName]=amanoxlab_sp, [diskUtil]=32.733000,[totalDiskMB]=14482532,[usedDiskMB]=4740567, [diskRWReqPerSec]=155.000000,[devDiskRWLatency]=0.631000,[phLogDetail]=
- PH_DEV_MON_NUTANIX_CONTAINER_INFO
[PH_DEV_MON_NUTANIX_CONTAINER_INFO]:[eventSeverity]=PHL_INFO,[fileName]=devNutanix.cpp, [lineNumber]=257,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.23.20, [cluster]=Lab01,[ntxContainerId]=1488,[ntxContainerName]=perflab_ndfs, [diskUtil]=8.357116,[totalDiskMB]=14482532,[usedDiskMB]=1210322, [diskRWReqPerSec]=0.000000,[devDiskRWLatency]=0.000000,[phLogDetail]=
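The Nutanix samples above all use FortiSIEM's bracketed "[EVENT_TYPE]:[attr]=value,[attr]=value,..." layout. The following parser is an added example, not Fortinet's code; it assumes only that layout as shown in the samples (a comma followed by the next "[name]=" token ends an attribute, so values that themselves contain commas, such as ntxZeusStatus, stay intact), and it applies a simple disk-utilization threshold to the sample events (clusterVersion shortened).

```python
"""Parse FortiSIEM PH_DEV_MON_* attribute events and flag high disk usage.

Added example (not from the guide or from Fortinet): the Nutanix samples
above use FortiSIEM's "[EVENT_TYPE]:[attr]=value,[attr]=value,..." layout.
"""
import re
from typing import Dict, Iterable, List

# Event type header: "[PH_DEV_MON_...]:" followed by the attribute list.
_HEADER = re.compile(r"^\[([A-Z0-9_]+)\]:(.*)$", re.DOTALL)
# Attributes are separated by a comma directly followed by the next
# "[name]=" token.  Splitting on that boundary (not on every comma) keeps
# values that contain commas intact, e.g. ntxZeusStatus=3287, 3310, ...
# The \s* also absorbs the spaces a wrapped line may leave after the comma.
_ATTR_SPLIT = re.compile(r",\s*(?=\[[A-Za-z0-9_]+\]=)")


def parse_event(line: str) -> Dict[str, str]:
    """Return {"eventType": ..., attr: value, ...} for one event line."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a FortiSIEM attribute event: %r" % line[:40])
    event: Dict[str, str] = {"eventType": m.group(1)}
    for token in _ATTR_SPLIT.split(m.group(2)):
        key, sep, value = token.partition("=")  # the first '=' ends the key
        if sep and key.startswith("[") and key.endswith("]"):
            event[key[1:-1]] = value.strip()
    return event


def disk_usage_alerts(lines: Iterable[str], threshold_pct: float = 30.0) -> List[str]:
    """Return one message per event whose diskUtil exceeds threshold_pct.

    Events without a diskUtil attribute (e.g. service status) are ignored.
    """
    alerts: List[str] = []
    for line in lines:
        ev = parse_event(line)
        util = ev.get("diskUtil")
        if util is None or float(util) <= threshold_pct:
            continue
        # Pick the most specific object name the event carries.
        label = (ev.get("spoolName") or ev.get("ntxContainerName")
                 or ev.get("diskName") or ev.get("hwDiskSerial")
                 or ev.get("cluster") or ev.get("hostName"))
        alerts.append(f"{ev['eventType']} {label}: {float(util):.1f}% used")
    return alerts


# Sample events taken from the Nutanix section above (clusterVersion
# shortened); the ", " gaps mirror the wrapped lines as the guide prints them.
SAMPLE_EVENTS = [
    "[PH_DEV_MON_NUTANIX_DISK_STATUS]:[eventSeverity]=PHL_INFO,"
    "[fileName]=devNutanix.cpp, [lineNumber]=216,"
    "[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.23.20,"
    "[cluster]=AmanoxLab01,[diskId]=24,[ntxControllerVMId]=7,"
    "[hwDiskSerial]=9XG6V4DS, [diskUtil]=35.704633,[totalDiskMB]=916,"
    "[freeDiskMBNonRoot]=589,[inodeUsedPct]=0.234492, [inodeMax]=61054976,"
    "[inodeFreeNonRoot]=60911807,[phLogDetail]=",
    "[PH_DEV_MON_NUTANIX_CLUSTER_STATUS]:[eventSeverity]=PHL_INFO,"
    "[fileName]=devNutanix.cpp, [lineNumber]=272,"
    "[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.23.20,"
    "[cluster]=Lab01,[clusterVersion]=el6-release-danube-4.1.2-stable,"
    "[clusterStatus]=started,[diskUtil]=32.000000, [totalDiskMB]=14482532,"
    "[usedDiskMB]=4740567,[diskRWReqPerSec]=3109.000000,"
    "[devDiskRWLatency]=0.631000,[phLogDetail]=",
    "[PH_DEV_MON_NUTANIX_SERVICE_STATUS]:[eventSeverity]=PHL_INFO,"
    "[fileName]=devNutanix.cpp, [lineNumber]=287,"
    "[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.23.20,"
    "[cluster]=Lab01,[ntxControllerVMId]=5,[ntxClusterVMStatus]=Up,"
    "[ntxZeusStatus]=3287, 3310, 3311, 3312, 3389, 3403,"
    "[ntxStargateStatus]=5331, 5365, 5366, 5421, 19543, [phLogDetail]=",
    "[PH_DEV_MON_NUTANIX_STORAGE_POOL_INFO]:[eventSeverity]=PHL_INFO,"
    "[fileName]=devNutanix.cpp,[lineNumber]=239,"
    "[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.23.20,"
    "[cluster]=Lab01,[spoolId]=1474,[spoolName]=amanoxlab_sp,"
    "[diskUtil]=32.733000,[totalDiskMB]=14482532,[usedDiskMB]=4740567,"
    "[diskRWReqPerSec]=155.000000,[devDiskRWLatency]=0.631000,[phLogDetail]=",
    "[PH_DEV_MON_NUTANIX_CONTAINER_INFO]:[eventSeverity]=PHL_INFO,"
    "[fileName]=devNutanix.cpp, [lineNumber]=257,"
    "[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.23.20,"
    "[cluster]=Lab01,[ntxContainerId]=1488,[ntxContainerName]=perflab_ndfs,"
    "[diskUtil]=8.357116,[totalDiskMB]=14482532,[usedDiskMB]=1210322,"
    "[diskRWReqPerSec]=0.000000,[devDiskRWLatency]=0.000000,[phLogDetail]=",
]

if __name__ == "__main__":
    for msg in disk_usage_alerts(SAMPLE_EVENTS):
        print(msg)
```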
Rules
Currently there are no system rules defined.
Reports
- Nutanix Cluster Disk Usage
- Nutanix Cluster Performance
- Nutanix Cluster Service Status
- Nutanix Cluster Storage Usage
- Nutanix Container Performance
- Nutanix Container Storage Usage
- Nutanix Storage Pool Performance
- Nutanix Storage Pool Usage
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

- Name: <set name>
- Device Type: Nutanix Controller VM
- Access Protocol: See Access Credentials
- Port: See Access Credentials
- Password config: See Password Configuration


Threat Intelligence
FortiSIEM supports these threat detection devices:
- FortiInsight
- LastLine
- ThreatConnect
External threat intelligence sources provide information about malware actors (Indicators of Compromise or IOCs). FortiSIEM can be configured to download this information periodically, either incrementally or full updates, according to a schedule you define. IOCs can include Malware IP, Domain, URL, and file hashes. You can write rules to look for matches in real time or reports to look for matches in historical data.
The following external threat intelligence sources are supported out of the box:
- Emerging Threat
- FortiGuard
- FortiSandbox
- Malware Domain
- SANS
- ThreatStream
- ThreatConnect
- TruSTAR
- Zeus
In general, any threat source that provides a CSV file or supports the STIX/TAXII standards 1.0, 1.1, and 2.0 can be automatically supported by FortiSIEM. FortiSIEM also provides a Java-based API which can be used to support a new website.


Fortinet FortiInsight
FortiInsight is a unique data security and threat detection solution that delivers advanced threat hunting to help you spot, respond to, and manage risky behaviors that put your business-critical data at risk. It combines powerful and flexible Machine Learning with detailed forensics around user actions to bring focus to the facts more rapidly than other solutions.
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration in FortiInsight
- Configuration in FortiSIEM
- Sample Events

What is Discovered and Monitored

Protocol FortiInsight API

Information collected Policy based alerts and AI based alerts

Used for Data security, threat protection

This feature allows FortiSIEM to get Policy-based alerts and AI-based alerts from FortiInsight.

Event Types
In RESOURCES > Event Types, enter "FortiInsight" in the Search column to see the event types associated with this device.

Rules
In RESOURCES > Rules, enter "FortiInsight" in the Search column to see the rules associated with this device.

Reports
No defined reports.

Configuration in FortiInsight
Get an API Key in FortiInsight
Complete these steps in the FortiInsight UI:
1. Login to FortiInsight.
2. Select Admin > Account from the left menu.
3. Click New API Key to open the New API Key dialog box.

4. Enter a descriptive Name.
5. Click Save to generate the API key. This will download a file containing the API key information (Client ID, Client Secret, and Name). Make a note of these values; you will need them when you configure FortiSIEM.
Configuration in FortiSIEM
Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box:

- Name: Enter a name for the credential.
- Device Type: Fortinet FortiSIEM
- Access Protocol: FortiInsight API
- Pull Interval: The interval in which FortiSIEM will pull events from FortiInsight. Default is 3 minutes.
- Client ID: Access key for your FortiInsight instance.
- Client Secret: Secret key for your FortiInsight instance.
- Organization: The organization the device belongs to.
- Description: Description of the device.

3. In Step 2, Enter IP Range to Credential Associations:
   a. Select the name of your Fortinet FortiInsight credential from the Credentials drop-down list.
   b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
   c. Click Save.
4. Click Test to test the connection to FortiInsight.
5. To see the jobs associated with FortiInsight, select ADMIN > Setup > Pull Events.
6. To see the received events, select ANALYTICS, then enter FortiInsight in the search box.

Sample Events

[FORTIINSIGHT_POLICY_ALERT] = {"description":"","events":[{"act":"file downloaded","app":"chrome.exe","childId":null,"d":"2019-03-18T13:22:24.344+00:00","id":null,"m":"uqP","mn":{"dh":"tcp://server-10-230-2-153.lhr5.r.cloudfront.net","dip":"10.1.1.76","dp":61024,"ext":".mkv","fp":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv","fs":2307792448,"loc":{"altCode":null,"city":"Augsburg","code":"DE","country":"Germany","latitude":"48.3718","longitude":"10.8925"},"p":"tcp-ip-4","sip":"78.47.38.226","sp":443,"ts":1460},"r":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv-> tcp://server-54-230-2-153.lhr5.r.cloudfront.net:443","u":"acmeltd__engineer2"}],"extendedEvents":[{"act":"file downloaded","app":"chrome.exe","childId":null,"d":"2019-03-18T13:22:24.344+00:00","id":null,"latestHostname":"mimas","latestIp":"10.10.0.1","m":"uqP","mn":{"dh":"tcp://server-54-230-2-153.lhr5.r.cloudfront.net","dip":"10.1.1.76","dp":61024,"ext":".mkv","fp":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv","fs":2307792448,"loc":{"altCode":null,"city":"Augsburg","code":"DE","country":"Germany","latitude":"48.3718","longitude":"10.8925"},"p":"tcp-ip-4","sip":"78.47.38.226","sp":443,"ts":1460},"r":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv-> tcp://server-10-230-2-153.lhr5.r.cloudfront.net:443","resolvedUsername":"","u":"acmeltd__engineer2"}],"id":"AWmQ98PYg7b_-i6_5Rvg","labels":[""],"policyId":"default_6COnUMjTCB8N","policyName":"Browser Download","regimes":["ZoneFox"],"serverIp":"52.209.49.52","serverName":"fortisiemtest.dev.fortiinsight.cloud","severity":10,"status":"New","time":"2019-03-18T13:22:29.473715+00:00"}

FortiSIEM 6.1.1 External Systems Configuration Guide

665

Fortinet Technologies Inc.

Threat Intelligence

Lastline
The Lastline parser collects syslog log events in CEF format.
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Syslog
- Sample Events

What is Discovered and Monitored

Protocol: Syslog
Information Discovered: Device Type
Metrics collected: Endpoint activity such as file download, email attachments, network connections.
Used for: Security and Compliance

Event Types
In ADMIN > Device Support > Event, search for "Lastline" in the Name and Description columns to see the event types associated with this device.
Rules
There are no specific rules for Lastline, however rules that match the Event Type Groups associated with Lastline Events may trigger.
Reports
There are no specific Reports for Lastline, however reports that match the Event Type Groups associated with Lastline Events may return results.
Syslog
FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM on port 514 using CEF formatting.
Sample Events
Aug 13 14:48:37 fortisiem CEF:0|Lastline|Enterprise|7.10|appliance-status|Appliance Status|1|cat=Online cs1=SENSOR cs1Label=deviceType cs2=https://example/portal#/appliances/config/status/76b80c7ac11a4d37bc6b29e66726b01d cs2Label=deviceStatusLink deviceExternalId=76b80c7ac11a4d37bc6b29e66726b01d dvc=10.31.61.152 dvchost=example.com end=Aug 13 2018 16:48:37 CEST rt=Aug 13 2018 16:48:37 CEST start=Aug 13 2018 16:48:37 CEST
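As an added example (not FortiSIEM's own parser, nor code from Lastline), the following shows what a CEF consumer has to get right on exactly this sample: the seven pipe-delimited header fields (with escaped pipes), an extension whose values contain spaces (end=Aug 13 2018 16:48:37 CEST), and the cs1/cs1Label custom-field pairing that carries deviceType=SENSOR. The CEF escaping rules assumed are the standard ones (\| in the header, \= and \\ in the extension).

```python
"""Parse the CEF-over-syslog events that the Lastline parser consumes.

Added example (not from the guide or from Lastline/Fortinet).  It splits the
seven pipe-delimited CEF header fields, then tokenises the extension on
"key=" boundaries so values that contain spaces (end=Aug 13 2018 ...) survive,
and finally resolves cs1/cs1Label style custom-field pairs.
"""
import re
from typing import Dict, Optional

CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")
# A '|' that is not escaped as '\|' ends a header field.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# An extension key is a run of [A-Za-z0-9_.] followed by '=' at the start of
# the string or after whitespace.  Everything up to the next such key is the
# value, so spaces inside values are preserved.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
# csNLabel / cnNLabel keys name the meaning of the matching csN / cnN field.
_LABEL_KEY = re.compile(r"^(c[sn]\d+)Label$")


def parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'k1=v1 k2=v2 with spaces' into a dict, unescaping '\\=' and '\\\\'."""
    out: Dict[str, str] = {}
    keys = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        out[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_cef(line: str) -> Optional[Dict[str, object]]:
    """Parse one syslog line carrying a CEF:0 record; None if it is not CEF."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    parts = _HEADER_SPLIT.split(line[idx + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:  # 7 header fields + the extension
        return None
    record: Dict[str, object] = {"syslog_prefix": line[:idx].strip()}
    for name, raw in zip(CEF_HEADER_FIELDS, parts[:7]):
        record[name] = raw.replace("\\|", "|").replace("\\\\", "\\")
    record["extension"] = parse_extension(parts[7])
    return record


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Add the label names as keys: cs1=SENSOR cs1Label=deviceType yields
    deviceType=SENSOR alongside the raw cs1 / cs1Label fields."""
    resolved = dict(ext)
    for key, label in ext.items():
        m = _LABEL_KEY.match(key)
        if m and m.group(1) in ext:
            resolved[label] = ext[m.group(1)]
    return resolved


# The Lastline sample event from this section, rejoined onto one line.
SAMPLE_LASTLINE = (
    "Aug 13 14:48:37 fortisiem CEF:0|Lastline|Enterprise|7.10|appliance-status"
    "|Appliance Status|1|cat=Online cs1=SENSOR cs1Label=deviceType "
    "cs2=https://example/portal#/appliances/config/status/"
    "76b80c7ac11a4d37bc6b29e66726b01d cs2Label=deviceStatusLink "
    "deviceExternalId=76b80c7ac11a4d37bc6b29e66726b01d dvc=10.31.61.152 "
    "dvchost=example.com end=Aug 13 2018 16:48:37 CEST "
    "rt=Aug 13 2018 16:48:37 CEST start=Aug 13 2018 16:48:37 CEST"
)

if __name__ == "__main__":
    rec = parse_cef(SAMPLE_LASTLINE)
    assert rec is not None
    print(rec["vendor"], rec["signature_id"], rec["severity"])
    print(resolve_labels(rec["extension"]))
```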


ThreatConnect

Protocol ThreatConnect API

Information Collected Malware Domain, IP, URL and Hash

Used For Detect threats for Security and Compliance

Configuring ThreatConnect
Create an API Key to be used for FortiSIEM communication.
The details are here:
https://kb.threatconnect.com/customer/en/portal/articles/2188549-creating-user-accounts
1. Log in to your ThreatConnect portal as an administrative user.
2. Go to My Profile > ORG Settings.
3. Click Create API User. These credentials will be created:
   - Access ID
   - Secret Key
4. Note the Organization Name. You will need it in a later step.
5. ThreatConnect contains many threat feeds. If you want to get specific threat feeds, then you must know the threat feeds that are available for your account. You can see these feeds by navigating to Browse > Indicators > My ThreatConnect > Intelligent Sources.
Configuring FortiSIEM to Download IOCs from ThreatConnect
Use the Access ID and Secret Key that were created in the previous section to enable FortiSIEM access.
FortiSIEM can provide the following IOCs from ThreatConnect:
- Malware Domain
- Malware IP
- Malware URL
- Malware Hash
Follow these steps to set up Malware Domain downloads from ThreatConnect.
1. Login to FortiSIEM.
2. Go to RESOURCE > Malware Domain > ThreatConnect Malware Domain.
3. Click More > Update. Select Update via API.
4. Enter the following fields:
   a. Set User Name to Access ID (Step 3a above).
   b. Set Password to Secret Key (Step 3b above).
   c. Set Data Format to STIX-TAXII.
   d. For Collection, you have two choices:
      - To get all threat feeds, enter All:<Organization Name> (Step 4 above), or

      - To get specific threat feeds, enter comma-separated values of threat feeds (obtained from Step 5 above).
   e. Set Data Update to Incremental.
5. Click Save.
6. Click Schedule to specify how often the threat feed will be updated.
   a. Choose Start time.
   b. Choose Recurrence pattern.
   c. Click Save.
7. Wait until the first scheduled download occurs. Then, navigate to RESOURCE > Malware Domain > ThreatConnect Malware Domain. Downloaded Malware domains will be displayed in the right-hand table. You can use this object in rules and reports to detect hits.
Downloading Other IOCs
The steps for configuring FortiSIEM to download other IOCs are identical, except for the following details:
- Malware IP: Navigate to RESOURCE > Malware Domain > ThreatConnect Malware IP
- Malware URL: Navigate to RESOURCE > Malware Domain > ThreatConnect Malware URL
- Malware Hash: Navigate to RESOURCE > Malware Domain > ThreatConnect Malware Hash


Virtualization
FortiSIEM supports these virtualization servers for discovery and monitoring.
- HyperV
- HyTrust CloudControl
- VMware ESX


Hyper-V
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: Powershell over WMI
Information discovered:
Metrics collected: CPU, Memory, Network and Storage metrics both at Guest and Host level.
Used for: Performance Monitoring

Event Types
- PH_DEV_MON_HYPERV_OVERALL_HEALTH: HyperV Machine Health Summary
[PH_DEV_MON_HYPERV_OVERALL_HEALTH]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[vmHealthCritCount]=0,[vmHealthOkCount]=10
- PH_DEV_MON_HYPERV_OVERALL_SYSINFO: HyperV System Information
[PH_DEV_MON_HYPERV_OVERALL_SYSINFO]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[notificationCount]=10,[virtualProcessors]=52,[totalPages]=67290, [partitionCount]=6,[logicalProcessors]=16
l PH_DEV_MON_HYPERV_CPU_LOGICAL_PROC: HyperV Logical Processor Usage
[PH_DEV_MON_HYPERV_CPU_LOGICAL_PROC]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[idleTimePct]=47.30,[guestRunTimePct]=50.88,[hypervisorRunTimePct]=1.97, [totalRunTimePct]=52.84,[cpuInterruptPerSec]=53390.62,[contextSwitchPerSec]=85516.44
l PH_DEV_MON_HYPERV_CPU_ROOT_VIRTUAL_PROC: HyperV Root Virtual Processor Usage
[PH_DEV_MON_HYPERV_CPU_ROOT_VIRTUAL_PROC]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-HH2MFBPMHMR, [guestRunTimePct]=0.19,[hypervisorRunTimePct]=0.04,[totalRunTimePct]=0.23, [cpuInterruptPersec]=4588.63,[interceptCost]=1458
l PH_DEV_MON_HYPERV_CPU_GUEST_VIRTUAL_PROC: HyperV Guest Virtual Processor Usage
[PH_DEV_MON_HYPERV_CPU_GUEST_VIRTUAL_PROC]:[hostIpAddr]=172.16.20.185, [hostName]=accelops-reporter-hyperv-4.3.1.1158,[vmName]=accelops-reporter-hyperv4.3.1.1158,[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-HH2MFBPMHMR, [guestRunTimePct]=1.06,[hypervisorRunTimePct]=0.70,[totalRunTimePct]=1.77, [cpuInterruptPersec]=6474.56,[interceptCost]=1086
l PH_DEV_MON_HYPERV_MEM_PARTITION: HyperV Memory Partition usage
[PH_DEV_MON_HYPERV_MEM_PARTITION]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR, [1gGpaPages]=0,[2mGpaPages]=16385,[4kGpaPages]=9949,[depositedGpaPages]=20946
l PH_DEV_MON_HYPERV_MEM_PARTITION_PER_VM: HyperV per-VM Memory Partition usage

FortiSIEM 6.1.1 External Systems Configuration Guide

671

Fortinet Technologies Inc.

Virtualization
[PH_DEV_MON_HYPERV_MEM_PARTITION_PER_VM]:[phyMachIpAddr]=172.16.20.180, [phyMachName]=WIN-HH2MFBPMHMR,[hostIpAddr]=172.16.20.182,[hostName]=accelops-va-hyperv4.3.1.1158,[vmName]=accelops-va-hyperv-4.3.1.1158,[1gGpaPages]=0,[2mGpaPages]=4096, [4kGpaPages]=2089,[depositedGpaPages]=5044
l PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION: HyperV Root Partition Total Memory Usage
[PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[1gGpa]=0,[2mGpa]=32613,[4kGpa]=9760,[depositedGpa]=46344
l PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION_ROOT: HyperV Root Partition Root Memory Usage
[PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION_ROOT]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[1gGpa]=0,[2mGpa]=32613,[4kGpa]=9760,[depositedGpa]=46344
l PH_DEV_MON_HYPERV_MEM_VID_PARTITION: HyperV VID Partition Memory Usage
[PH_DEV_MON_HYPERV_MEM_VID_PARTITION]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[physicalPages]=8398888,[remotePages]=0
l PH_DEV_MON_HYPERV_MEM_VID_PARTITION_PER_VM: HyperV per-VM VID Partition Memory Usage
[PH_DEV_MON_HYPERV_MEM_VID_PARTITION_PER_VM]:[phyMachIpAddr]=172.16.20.180, [phyMachName]=WIN-HH2MFBPMHMR,[hostIpAddr]=172.16.20.185,[hostName]=accelops-reporterhyperv-4.3.1.1158,[vmName]=accelops-reporter-hyperv-4.3.1.1158,[physicalPages]=1050632, [remotePages]=0
l PH_DEV_MON_HYPERV_MEM_OVERALL: HyperV Root Memory Usage
[PH_DEV_MON_HYPERV_MEM_OVERALL]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR, [freeMemKB]=27519348,[pageFaultsPersec]=0
l PH_DEV_MON_HYPERV_NET_VIRTUAL_SWITCH: HyperV Virtual Switch Network Usage
[PH_DEV_MON_HYPERV_NET_VIRTUAL_SWITCH]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[vSwitch]=broadcom bcm5709c netxtreme ii gige [ndis vbd client] _34 virtual switch,[recvBitsPerSec]=719403.45,[recvPktsPerSec]=323.03, [sentBitsPerSec]=3382443.50,[sentPktsPerSec]=283.90,[totalPktsPerSec]=323.03[PH_DEV_MON_ HYPERV_NET_VIRTUAL_SWITCH]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR, [vSwitch]=broadcom bcm5709c netxtreme ii gige [ndis vbd client] _34 - virtual switch, [recvBitsPerSec]=719403.45,[recvPktsPerSec]=323.03,[sentBitsPerSec]=3382443.50, [sentPktsPerSec]=283.90,[totalPktsPerSec]=323.03
l PH_DEV_MON_HYPERV_NET_VIRTUAL_ADAPTER: HyperV Virtual Switch Per Adapter Network Usage
[PH_DEV_MON_HYPERV_NET_VIRTUAL_ADAPTER]:[phyMachIpAddr]=172.16.20.180,[phyMachName]=WINHH2MFBPMHMR,[hostIpAddr]=172.16.20.182,[hostName]=accelops-va-hyperv-4.3.1.1158, [vmName]=accelops-va-hyperv-4.3.1.1158,[intfName]=adapter_e1eb0a1f-1b36-48fe-be79fde20d335364--31575d2f-5085-45d3-905f-2f3e17342a81,[recvBitsPerSec]=64970.24, [recvPktsPerSec]=20.86,[sentBitsPerSec]=124741.68,[sentPktsPerSec]=42.61, [totalPktsPerSec]=20.86
l PH_DEV_MON_HYPERV_STORAGE_VIRTUAL_STORAGE: HyperV Virtual Storage Usage
[PH_DEV_MON_HYPERV_STORAGE_VIRTUAL_STORAGE]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[diskName]=e:-hyperinstance-report431-virtual hard disks-accelops-reporter4.3.1.1158-disk2.vhdx,[diskErrors]=2,[diskFlushes]=1267221,[diskReadKBytesPerSec]=0.00, [diskReadReqPerSec]=0.00,[diskWriteKBytesPerSec]=0.00,[diskWriteReqPerSec]=0.00
l PH_DEV_MON_HYPERV_STORAGE_LOGICAL_DISK: HyperV Logical Disk Usage
[PH_DEV_MON_HYPERV_STORAGE_LOGICAL_DISK]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[diskName]=e:,[ioReadLatency]=0,[ioWriteLatency]=14

Rules
- HyperV Disk I/O Warning
- HyperV Disk I/O Critical
- HyperV Guest Critical
- HyperV Guest Hypervisor Run Time Percent Warning
- HyperV Logical Processor Total Run Time Percent Critical
- HyperV Logical Processor Total Run Time Percent Warning
- HyperV Page fault Critical
- HyperV Page fault Warning
- HyperV Remaining Guest Memory Warning
Reports
Look in RESOURCES > Reports > Device > Server > HyperV
- HyperV Configuration and Health
- Top HyperV Guests By Virtual Processor Run Time Pct
- Top HyperV Guests by Large Page Size Usage
- Top HyperV Guests by Remote Physical Page Usage
- Top HyperV Root Partitions By Virtual Processor Run Time Pct
- Top HyperV Root Partitions by Large Page Size Usage
- Top HyperV Servers By Logical Processor Run Time Pct
- Top HyperV Servers by Disk Activity
- Top HyperV Servers by Disk Latency
- Top HyperV Servers by Large Page Size Usage
- Top HyperV Servers by Memory Remaining for Guests
- Top HyperV Servers by Remote Physical Page Usage
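The Hyper-V event samples above all share one shape: `[EVENT_TYPE]:[attr]=value,[attr]=value,...`. The following is an added example, written for this guide and not FortiSIEM's own parser, that reads such lines and applies a warning/critical threshold of the kind the "HyperV Logical Processor Total Run Time Percent" rules express. The sample lines are copied from the list above; the threshold values (80 and 90 percent) are assumptions for illustration, not the product's rule settings. The virtual switch sample matters because its `vSwitch` value itself contains a bracketed token, which a naive split on `[` would mis-read as a key.

```python
import re
from typing import Dict, List, Tuple

# Constructed copies of two event lines from the list above (logical processor and virtual
# switch); the vSwitch value deliberately contains a bracketed token inside the value.
SAMPLE_LINES: List[str] = [
    "[PH_DEV_MON_HYPERV_CPU_LOGICAL_PROC]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,"
    "[idleTimePct]=47.30,[guestRunTimePct]=50.88,[hypervisorRunTimePct]=1.97,[totalRunTimePct]=52.84,"
    "[cpuInterruptPerSec]=53390.62,[contextSwitchPerSec]=85516.44",
    "[PH_DEV_MON_HYPERV_NET_VIRTUAL_SWITCH]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,"
    "[vSwitch]=broadcom bcm5709c netxtreme ii gige [ndis vbd client] _34 - virtual switch,"
    "[recvBitsPerSec]=719403.45,[recvPktsPerSec]=323.03,[sentBitsPerSec]=3382443.50,"
    "[sentPktsPerSec]=283.90,[totalPktsPerSec]=323.03",
]

_HEADER = re.compile(r"^\[(?P<etype>[A-Z0-9_]+)\]:(?P<body>.*)$")
# An attribute key is '[name]=' at the start of the body or directly after a comma. Requiring the
# comma and the '=' keeps '[ndis vbd client]' inside the vSwitch value from being read as a key.
_KEY = re.compile(r"(?:^|,)\[(\w+)\]=")


def parse_ph_event(line: str) -> Tuple[str, Dict[str, str]]:
    """Split one '[EVENT_TYPE]:[attr]=value,...' line into (event type, {attr: value})."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a FortiSIEM [EVENT_TYPE]:[attr]=value line")
    body = m.group("body")
    keys = list(_KEY.finditer(body))
    attrs: Dict[str, str] = {}
    for i, k in enumerate(keys):
        # the value runs from just after '=' to the comma that starts the next key
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        attrs[k.group(1)] = body[k.end():end]
    return m.group("etype"), attrs


def logical_proc_status(attrs: Dict[str, str], warn_pct: float = 80.0, crit_pct: float = 90.0) -> str:
    """Classify totalRunTimePct as a warning/critical rule pair would.
    The thresholds are assumed for this example, not taken from the product's rules."""
    pct = float(attrs["totalRunTimePct"])
    if pct >= crit_pct:
        return "critical"
    if pct >= warn_pct:
        return "warning"
    return "ok"


def switch_throughput_mbps(attrs: Dict[str, str]) -> Tuple[float, float]:
    """(receive, send) throughput in Mbit/s from a virtual switch event's per-second bit counters."""
    return (float(attrs["recvBitsPerSec"]) / 1e6, float(attrs["sentBitsPerSec"]) / 1e6)


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        etype, attrs = parse_ph_event(sample)
        print(etype, len(attrs), "attributes")
        if etype == "PH_DEV_MON_HYPERV_CPU_LOGICAL_PROC":
            print("  cpu status:", logical_proc_status(attrs))
        elif etype == "PH_DEV_MON_HYPERV_NET_VIRTUAL_SWITCH":
            print("  vSwitch:", attrs["vSwitch"], switch_throughput_mbps(attrs))
```

The same `parse_ph_event` works for every event type in the list, since only the attribute names differ; the threshold helper is the piece you would replace with your own rule thresholds.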
Configuration
FortiSIEM needs WMI credentials to get the HyperV performance metrics. Configure this following the guidelines described in Microsoft Windows Server Configuration.
Settings for Access Credentials
Configure WMI on FortiSIEM.

HyTrust CloudControl
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
What is Discovered and Monitored

Protocol: Syslog (CEF format)
Information Discovered: -
Data Collected: Over 70 event types
Used for: Security and Compliance

Event Types
In RESOURCE > Event Types, search for "HyTrust-". Sample event type:
<172>Mar 22 03:32:36 htcc136.test.hytrust.com local5: CEF:0|HyTrust|HyTrust CloudControl|5.0.0.50821|ARC0031|TEMPLATE_OPERATION_ERRORED_ERR|6| rt=Mar 22 2017 03:32:36.196 UTC act=HostOperation dst=192.168.213.154 src=192.168.213.10 suser=ARC deviceExternalId=6u1b-esxi2.test.hytrust.com deviceFacility=HostSystem msg=Template operation VHG6.0 esxi-check-patch-version error on host 6u1b-esxi2.test.hytrust.com (192.168.213.154). privilege={}
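The sample above is a syslog line carrying a CEF:0 payload: seven pipe-delimited header fields, then a space-separated `key=value` extension in which values (such as `rt` and `msg`) may themselves contain spaces. The following is an added example, not FortiSIEM's parser, that reads that format; it takes the sample from this section as its input and honours the CEF escapes (`\|` and `\\` in the header, `\=`, `\\` and `\n` in extension values).

```python
import re
from typing import Dict, Tuple

# The HyTrust CloudControl sample from this section, embedded here as the test input.
SAMPLE = (
    "<172>Mar 22 03:32:36 htcc136.test.hytrust.com local5: CEF:0|HyTrust|HyTrust CloudControl|"
    "5.0.0.50821|ARC0031|TEMPLATE_OPERATION_ERRORED_ERR|6| rt=Mar 22 2017 03:32:36.196 UTC "
    "act=HostOperation dst=192.168.213.154 src=192.168.213.10 suser=ARC "
    "deviceExternalId=6u1b-esxi2.test.hytrust.com deviceFacility=HostSystem "
    "msg=Template operation VHG6.0 esxi-check-patch-version error on host "
    "6u1b-esxi2.test.hytrust.com (192.168.213.154). privilege={}"
)

HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
# A new extension key starts after an unescaped space and looks like 'name='; everything else,
# spaces included, belongs to the preceding value.
_EXT_SPLIT = re.compile(r"(?<!\\) (?=[\w.\-]+=)")
_UNESCAPE = re.compile(r"\\(.)")


def _split_header(s: str) -> Tuple[list, str]:
    """Take the seven pipe-delimited header fields, honouring '\\|' and '\\\\' escapes,
    and return them together with the untouched remainder (the extension)."""
    fields, cur, i = [], [], 0
    while i < len(s) and len(fields) < len(HEADER_FIELDS):
        c = s[i]
        if c == "\\" and i + 1 < len(s):      # escaped character: keep it literally
            cur.append(s[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    return fields, s[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for token in _EXT_SPLIT.split(ext.strip()):
        key, sep, val = token.partition("=")
        if sep:
            # '\=' -> '=', '\\' -> '\', '\n' -> newline, as CEF defines for extension values
            out[key] = _UNESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), val)
    return out


def parse_cef(line: str) -> Dict[str, object]:
    """Parse a syslog line carrying a CEF:0 payload into header fields plus an extension dict."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    header, ext = _split_header(line[idx + len("CEF:"):])
    rec: Dict[str, object] = dict(zip(HEADER_FIELDS, header))
    rec["severity"] = int(rec["severity"])       # CEF severity is 0..10
    rec["syslog_prefix"] = line[:idx].strip()     # PRI, timestamp, host and facility tag
    rec["extension"] = _parse_extension(ext)
    return rec


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE)
    print(parsed["vendor"], parsed["signature_id"], parsed["name"], "severity", parsed["severity"])
    print("target:", parsed["extension"]["dst"], "by", parsed["extension"]["suser"])
```

Splitting the extension on "space followed by something that looks like a key" is what keeps `rt=Mar 22 2017 03:32:36.196 UTC` and the free-text `msg` intact; a plain split on spaces would scatter both across several bogus keys.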
Rules
There are no specific rules but generic rules for Security Manager and Generic Servers apply.
Reports
There are no specific reports, but generic reports for Security Manager and Generic Servers apply.
Configuration
Configure HyTrust CloudControl to send syslog on port 514 to FortiSIEM.

VMware ESX
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: VMware SDK
Information discovered: ESX server and the guest hosts running on that server. ESX host clusters. Hardware (CPU, memory, disk, network interface) for all guests; OS vendor and version for all guests. Virtual switch for connecting guest hosts to network interfaces.
Metrics collected: Both ESX level and guest host level performance metrics. Guest host level metrics include CPU/memory/disk utilization, CPU Run/Ready/Limited percent, memory swap in/out rate, free memory state, disk read/write rate/latency, network interface utilization, errors, bytes in/out. ESX level metrics include physical CPU utilization, ESX kernel disk read/write latency, etc.
Used for: Performance Monitoring

Protocol: VMware SDK
Information discovered: -
Metrics collected: ESX logs include scenarios such as ESX level login success/failure, configuration change, guest host movement, account creation and modification.
Used for: Availability, Change and Security Monitoring

Configuration
FortiSIEM discovers and monitors VMware ESX servers and guests over the VMware SDK. Make sure that VMware Tools is installed on all the guests in your ESX deployment, so that FortiSIEM can obtain their IP addresses.
Settings for Access Credentials
User with System View Credentials
Make sure to provide a user with System View permissions who can access the entire vCenter hierarchy when setting up the access credentials for your VMware ESX device. See the VMware documentation on how to set up a user with System View permissions.

Settings for VMware ESX VMSDK Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: VMware ESX Server
Access Protocol: VM SDK
User Name: A user with System View permissions
Password: The password associated with the user

VPN Gateways
FortiSIEM supports these VPN gateways for discovery and monitoring.
- Cisco VPN 3000 Gateway
- Cyxtera AppGuard
- Juniper Networks SSL VPN Gateway
- Microsoft PPTP VPN Gateway
- Pulse Secure

Cisco VPN 3000 Gateway
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP, Syslog
Information Discovered:
Metrics Collected:
Used For:

Event Types
In ADMIN > Device Support > Event, search for "cisco_vpn" in the Name and Device Type column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
SNMP
1. Log in to your device with administrative credentials.
2. Go to Configuration > System > Management Protocols > SNMP Communities.
3. Click Add.
4. For Community String, enter public.
Syslog
1. Go to Configuration > System > Events > Syslog Servers.
2. Click Add.
3. Enter the IP address of your FortiSIEM virtual appliance for Syslog Server.
4. Add a syslog server with the FortiSIEM IP address.

Sample Parsed Cisco VPN 3000 Syslog Messages
<189>18174 01/07/1999 20:25:27.210 SEV=5 AUTH/31 RPT=14 User [ admin ] Protocol [ Telnet ] attempted ADMIN logon. Status: <REFUSED> authentication failure

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Cisco VPN 3K
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Cyxtera AppGate Software Defined Perimeter (SDP)
- Integration points
- Configuring Cyxtera AppGate Software
- Parsing and Events

Integration points

Protocol: Syslog
Information Discovered: Access Control log
Used For: Security and Compliance

Configuring Cyxtera AppGate Software
Follow Cyxtera AppGate SDP documentation to send syslog to FortiSIEM.
Configuring FortiSIEM
FortiSIEM automatically recognizes Cyxtera AppGate syslog, as long as it follows the format shown in this sample syslog:
"id":"a51e7e7d-ab5f-444c-b7f8-ca72e4bb940b","timestamp":"2018-10-09T10:23:43.992Z","event_type":"ip_access","version":8,"distinguished_name":"CN=0f1a40d612f741228d7cb73a4308bea8,CN=abc,OU=ACME","entitlement_token_id":"78174080-a34","action":"allow","direction":"down","client_ip":"1.1.1.1","client_port":1392,"packet_size":40,"protocol":"TCP","source_ip":"10.1.1.1","destination_ip":"10.1.1.1","source_port":56100,"destination_port":59721,"connection_type":"established","rule_name":"rule1"
Parsing and Events
Over 70 events are parsed; see the event types in Resources > Event Types and search for 'Cyxtera-AppGate-SDP'.

Juniper Networks SSL VPN Gateway
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP, Syslog
Information Discovered:
Metrics Collected:
Used For:

Event Types
In ADMIN > Device Support > Event, search for "junos_dynamic_vpn" in the Name column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
SNMP
1. Log in to your device with administrative credentials.
2. Go to System > Log/Monitoring > SNMP.
3. Under Agent Properties, enter public for Community.
Syslog
VPN Access Syslog
1. Go to System > Log/Monitoring > User Access > Settings.
2. Under Select Events to Log, select Login/logout, User Settings, and Network Connect.
3. Under Syslog Servers, enter the IP address of your FortiSIEM virtual appliance, and set the Facility to LOCAL0.
4. Click Save Changes.

Admin Access Syslog
1. Go to System > Log/Monitoring > Admin Access > Settings.
2. Under Select Events to Log, select Administrator changes, License Changes, and Administrator logins.
3. Under Syslog Servers, enter the IP address of your FortiSIEM virtual appliance, and set the Facility to LOCAL0.
4. Click Save Changes.
Sample Parsed Juniper Networks SSL VPN Syslog Messages
<134>Juniper: 2008-10-28 04:34:53 - ive - [192.168.20.82] admin(Users)[] - Login failed using auth server SteelBelted (Radius Server). Reason: Failed
<134>Juniper: 2008-10-28 03:12:03 - ive - [192.168.20.82] wenyong(Users)[Users] - Login succeeded for wenyong/Users from 192.168.20.82.
<134>Juniper: 2008-10-28 03:55:20 - ive - [192.168.20.82] wenyong(Users)[Users] - Network Connect: Session ended for user with IP 172.16.3.240
<134>Juniper: 2008-10-28 03:05:25 - ive - [172.16.3.150] admin(Admin Users)[] - Primary authentication successful for admin/Administrators from 172.16.3.150
<134>Juniper: 2008-10-28 05:33:02 - ive - [172.16.3.150] admin(Admin Users)[] - Primary authentication failed for admin/Administrators from 172.16.3.150
Settings for Access Credentials
SNMP Access Credentials for All Devices
Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>

Microsoft PPTP VPN Gateway
Configuring Microsoft PPTP
Windows 2003 Server
1. Log on with administrative rights.
2. Configure PPTP VPN:
   a. Go to Start | All Programs | Administrative Tools | Configure Your Server Wizard and select the Remote Access/VPN Server role. Then click the Next button, which runs the Routing and Remote Access Wizard.
   b. In the Routing and Remote Access Wizard, follow these steps:
      i. Select "Virtual Private Network (VPN) and NAT" and click Next.
      ii. Select the network interface for use by VPN connections and click Next.
      iii. Specify the network that VPN clients should connect to in order to access resources and click Next.
      iv. Select the VPN IP address assignment method (DHCP/VPN pool) and click Next.
      v. Specify the VPN pool if VPN pool was chosen in step iv and click Next.
      vi. Identify the network that has shared access to the Internet and click Next.
      vii. Select whether an external RADIUS server is to be used for central authentication and click Next.
   c. Give users VPN access rights. Open the properties page for a user, select that user's Dial-In properties page and select "Allow access" under Remote Access Permissions.
3. Configure Server Logging: enable authentication and accounting logging from the Settings tab on the properties of the Local File object in the Remote Access Logging folder in the Routing and Remote Access snap-in. The authentication and accounting information is stored in a configurable log file or files in the SystemRoot\System32\LogFiles folder. The log files are saved in Internet Authentication Service (IAS) or database-compatible format, meaning that any database program can read the log file directly for analysis.
4. Configure the Snare agent to send logs to FortiSIEM.
Sample syslog messages
<13>Apr 1 09:28:03 dev-v-win03-vc MSPPTPLog 0
192.168.24.11,administrator,04/01/2009,09:28:00,RAS,DEV-V-WIN03VC,44,29,4,192.168.24.11,6,2,7,1,5,129,61,5,64,1,65,1,31,192.168.20.38,66,192.168.20.38,4108 ,192.168.24.11,4147,311,4148,MSRASV5.20,4155,1,4154,Use Windows authentication for all users,4129,DEV-V-WIN03-VC\administrator,4130,DEV-V-WIN03-VC\administrator,4127,4,25,311 1 192.168.24.11 04/01/2009 16:12:12 3,4149,Connections to Microsoft Routing and Remote Access server,4136,1,4142,0
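The record forwarded by Snare above is in IAS format: six fixed header fields (client address, user, date, time, service, server), followed by alternating RADIUS attribute-id and value fields. The following is an added example, not FortiSIEM's or Microsoft's code, that parses that record and labels the attributes a reviewer cares about (packet type, reason code, the fully qualified account). The sample is the guide's own record with the Snare header line stripped; the attribute-name table is partial and taken from the standard RADIUS attribute numbers and Microsoft's IAS log-format reference, with 4147/4148 inferred from the sample's values, so verify it against that reference before relying on it.

```python
from typing import Dict, Tuple

# The record part of the sample above (the Snare syslog header line is stripped beforehand),
# constructed here from the guide's sample so the parser has realistically shaped input.
SAMPLE_RECORD = (
    "192.168.24.11,administrator,04/01/2009,09:28:00,RAS,DEV-V-WIN03VC,44,29,4,192.168.24.11,6,2,7,1,"
    "5,129,61,5,64,1,65,1,31,192.168.20.38,66,192.168.20.38,4108 ,192.168.24.11,4147,311,4148,MSRASV5.20,"
    "4155,1,4154,Use Windows authentication for all users,4129,DEV-V-WIN03-VC\\administrator,"
    "4130,DEV-V-WIN03-VC\\administrator,4127,4,25,311 1 192.168.24.11 04/01/2009 16:12:12 3,"
    "4149,Connections to Microsoft Routing and Remote Access server,4136,1,4142,0"
)

# IAS format: six fixed header fields, then alternating attribute-id,value pairs.
HEADER = ("nas_ip", "user", "date", "time", "service", "computer")

# Partial name table. IDs below 256 are standard RADIUS attributes; 4xxx IDs are the
# Microsoft IAS/NPS-specific ones. 4147/4148 are inferred from the sample's values
# (vendor id 311 and "MSRASV5.20"); check against Microsoft's IAS log-format reference.
ATTR_NAMES = {
    4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type", 7: "Framed-Protocol", 25: "Class",
    31: "Calling-Station-Id", 44: "Acct-Session-Id", 61: "NAS-Port-Type", 64: "Tunnel-Type",
    65: "Tunnel-Medium-Type", 66: "Tunnel-Client-Endpt", 4108: "Client-IP-Address",
    4127: "Authentication-Type", 4129: "SAM-Account-Name", 4130: "Fully-Qualified-User-Name",
    4136: "Packet-Type", 4142: "Reason-Code", 4147: "Client-Vendor", 4148: "Client-Friendly-Name",
    4149: "NP-Policy-Name", 4154: "Proxy-Policy-Name", 4155: "Provider-Type",
}
# RADIUS packet codes carried in Packet-Type (4136).
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request"}


def parse_ias_record(line: str) -> Dict[str, object]:
    """Parse one IAS-format record into header fields plus a named attribute dict."""
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < len(HEADER) or (len(fields) - len(HEADER)) % 2:
        raise ValueError("expected 6 header fields followed by attribute-id/value pairs")
    rec: Dict[str, object] = dict(zip(HEADER, fields[:len(HEADER)]))
    attrs: Dict[str, str] = {}
    rest = fields[len(HEADER):]
    for i in range(0, len(rest), 2):
        attr_id = int(rest[i].strip())           # the sample carries '4108 ' with a stray space
        attrs[ATTR_NAMES.get(attr_id, f"attr_{attr_id}")] = rest[i + 1]
    rec["attributes"] = attrs
    return rec


def classify(rec: Dict[str, object]) -> Tuple[str, str]:
    """Return (packet type, account) so requests, accepts and rejects are told apart at a glance."""
    attrs = rec["attributes"]
    ptype = PACKET_TYPES.get(int(attrs.get("Packet-Type", "0")), "unknown")
    return ptype, attrs.get("Fully-Qualified-User-Name", rec["user"])


if __name__ == "__main__":
    parsed = parse_ias_record(SAMPLE_RECORD)
    print(classify(parsed), "from", parsed["attributes"]["Calling-Station-Id"])
    for name, value in parsed["attributes"].items():
        print(f"  {name} = {value}")
```

Unknown attribute IDs are kept under an `attr_<id>` key rather than dropped, so nothing in the record is silently lost when the name table is incomplete.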

Pulse Secure
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: Syslog
Information Discovered / Metrics Collected: Security and performance alerts
Used For: Security and performance monitoring

Event Types
In ADMIN > Device Support > Event, search for "PulseSecure" to see the event types associated with this device.

Rules
There are no predefined rules for this device.

Reports
There are no predefined reports for this device.

Configuration
Syslog
Sample PulseSecure Syslog Messages
<134> 2015-12-18T06:30:29-08:00 PulseSecure: 2015-12-18 06:30:29 - XXX-A1234-VPNSSL01 [1.1.1.1] admin(company1 Realm)[some title] - Host Checker policy 'VMS_Host_Checker_Policy' passed on host '1.1.1.1' address '' for user 'admin'.
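The Cisco VPN 3000, Juniper SSL VPN and Pulse Secure samples in this chapter are three different syslog shapes carrying the same security facts: who tried to authenticate, from where, and whether it succeeded. The following is an added example, not FortiSIEM's parser or rule, that normalizes all three into one record shape and then runs a simple failed-logon burst check over them. The Cisco, Juniper and Pulse Secure lines are the guide's samples; two further Juniper failures from the same source are constructed so the check has something to find, and the threshold (3 failures in 5 minutes) and the outcome keywords are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Sample messages from this guide (Cisco VPN 3000, Juniper SSL VPN, Pulse Secure) plus two
# constructed Juniper failures from the same source IP so the burst check below has data.
SAMPLES: List[str] = [
    "<189>18174 01/07/1999 20:25:27.210 SEV=5 AUTH/31 RPT=14 User [ admin ] Protocol [ Telnet ] "
    "attempted ADMIN logon. Status: <REFUSED> authentication failure",
    "<134>Juniper: 2008-10-28 04:34:53 - ive - [192.168.20.82] admin(Users)[] - Login failed using "
    "auth server SteelBelted (Radius Server). Reason: Failed",
    "<134>Juniper: 2008-10-28 04:35:10 - ive - [192.168.20.82] admin(Users)[] - Login failed using "
    "auth server SteelBelted (Radius Server). Reason: Failed",   # constructed
    "<134>Juniper: 2008-10-28 04:35:41 - ive - [192.168.20.82] root(Users)[] - Login failed using "
    "auth server SteelBelted (Radius Server). Reason: Failed",   # constructed
    "<134>Juniper: 2008-10-28 03:12:03 - ive - [192.168.20.82] wenyong(Users)[Users] - Login "
    "succeeded for wenyong/Users from 192.168.20.82.",
    "<134>Juniper: 2008-10-28 05:33:02 - ive - [172.16.3.150] admin(Admin Users)[] - Primary "
    "authentication failed for admin/Administrators from 172.16.3.150",
    "<134> 2015-12-18T06:30:29-08:00 PulseSecure: 2015-12-18 06:30:29 - XXX-A1234-VPNSSL01 [1.1.1.1] "
    "admin(company1 Realm)[some title] - Host Checker policy 'VMS_Host_Checker_Policy' passed on "
    "host '1.1.1.1' address '' for user 'admin'.",
]

# Juniper IVE and Pulse Secure share one layout: "<PRI>[iso-ts] Vendor: date - node[ -] [ip] user(realm)[role] - msg".
_IVE = re.compile(
    r"^<\d+>\s*(?:\S+\s+)?(?P<vendor>Juniper|PulseSecure):\s*"
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - (?P<node>\S+)(?: -)? \[(?P<ip>[^\]]*)\] "
    r"(?P<user>[^(]+)\((?P<realm>[^)]*)\)\[(?P<role>[^\]]*)\] - (?P<msg>.*)$")
# Cisco VPN 3000: "<PRI>seq date time SEV=n CLASS/id RPT=n msg".
_CISCO = re.compile(
    r"^<\d+>\d+ (?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d)\.\d+ SEV=(?P<sev>\d+) "
    r"(?P<cls>\S+) RPT=\d+ (?P<msg>.*)$")
_CISCO_USER = re.compile(r"User \[ (?P<user>.+?) \]")


def _outcome(msg: str) -> str:
    """Keyword heuristic over the message text (assumed for this example)."""
    low = msg.lower()
    if "refused" in low or "fail" in low:
        return "failure"
    if "succeeded" in low or "successful" in low:
        return "success"
    return "info"


def normalize(line: str) -> Optional[Dict[str, object]]:
    """Map one vendor line onto {vendor, ts, user, realm, src_ip, outcome, msg}; None if unrecognised."""
    m = _IVE.match(line)
    if m:
        return {"vendor": m["vendor"], "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "user": m["user"].strip(), "realm": m["realm"], "src_ip": m["ip"] or None,
                "outcome": _outcome(m["msg"]), "msg": m["msg"]}
    m = _CISCO.match(line)
    if m:
        u = _CISCO_USER.search(m["msg"])
        return {"vendor": "Cisco", "ts": datetime.strptime(m["date"] + " " + m["time"], "%m/%d/%Y %H:%M:%S"),
                "user": u["user"] if u else None, "realm": None, "src_ip": None,
                "outcome": _outcome(m["msg"]), "msg": m["msg"]}
    return None


def failed_login_bursts(records, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Return {source_ip: failures} for sources whose failed logons reach `threshold` within `window`.
    Threshold and window are assumed values for the example, not the product's rule settings."""
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for r in records:
        if r and r["outcome"] == "failure" and r["src_ip"]:
            by_src[r["src_ip"]].append(r["ts"])
    hits: Dict[str, int] = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted failure times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = max(hits.get(src, 0), end - start + 1)
    return hits


if __name__ == "__main__":
    recs = [normalize(s) for s in SAMPLES]
    for r in recs:
        print(r["vendor"], r["outcome"], r["user"], r["src_ip"])
    print("bursts:", failed_login_bursts(recs))
```

The Cisco sample carries no source address in the message itself, so it never contributes to a per-source burst; if you key the check on the user name instead, the Cisco `admin` failure counts too. Note that `src_ip` in the Juniper/Pulse records is the bracketed address from the log prefix, which for Pulse Secure's sample is the same as the host in the message.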

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Pulse Secure Pulse Connect
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Vulnerability Scanners
FortiSIEM supports these vulnerability scanners for discovery and monitoring.
- AlertLogic
- Green League WVSS
- McAfee Foundstone Vulnerability Scanner
- Qualys QualysGuard Scanner
- Qualys Vulnerability Scanner
- Rapid7 NeXpose Vulnerability Scanner
- Rapid7 InsightVM
- Tenable.io
- Tenable Nessus Vulnerability Scanner
- Tenable Security Center
- XYLink Vulnerability Scanner

AlertLogic Intrusion Detection and Prevention Systems (IPS)
- Integration points
- Configuring AlertLogic for FortiSIEM API Access
- Configuring FortiSIEM for AlertLogic API Access

Integration points

Protocol: AlertLogic V3 API
Information Discovered: Security Alerts created by AlertLogic
Used For: Security and Compliance

Configuring AlertLogic for FortiSIEM API Access
Contact AlertLogic for API access key. This must be entered in FortiSIEM in the next step.
Configuring FortiSIEM for AlertLogic API Access
1. Log on to FortiSIEM.
2. Go to ADMIN > Setup > Credential.
3. Click New to create an AlertLogic API credential:

For Access Protocol = AlertLogic API V3

Name: <set name>
Device Type: Alert Logic IPS
Access Protocol: AlertLogic API V3
Pull Interval: 5 minutes
Password config: See Password Configuration
API Key: The API Key for device access is provided by AlertLogic
Organization: Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers

For Access Protocol = AlertLogic IPS

Name: Enter a name for the credential
Device Type: Alert Logic IPS
Access Protocol: Alert Logic IPS
Pull Interval: The interval in which FortiSIEM will pull events from Alert Logic. Default is 5 minutes.
Access Key ID: Access key for your Alert Logic instance
Secret Key: Secret key for your Alert Logic instance
Organization: The organization the device belongs to
Description: Description of the device

4. Enter an IP Range to Credential Association.
   a. Set Hostname to alertlogic.com.
   b. Select the Credential created in step 3 above.
   c. Click Save.
5. Select the entry in step 4 and click Test > Test Connectivity. If it succeeds, then the credential is correct.
6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from the AlertLogic Cloud service using the AlertLogic V3 API.
To test for events received from AlertLogic:
1. Go to ADMIN > Setup > Pull Events.
2. Select the AlertLogic entry and click Report.
The system will take you to the ANALYTICS tab and run a query to display the events received from AlertLogic in the last 15 minutes. You can modify the time interval to get more events.

Green League WVSS

Configuration in FortiSIEM
Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box:

Name: Enter a name for the credential.
Device Type: Green League WVSS
Access Protocol: WVSS API
Pull Interval: 60 minutes
Domain: Domain name
User Name: User name for device access
Password: Password for device access
Description: Description of the device

3. In Step 2: Enter IP Range to Credential Associations:
   a. Select the name of your credential from the Credentials drop-down list.
   b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
   c. Click Save.
4. Click Test to test the connection to Green League WVSS.
5. To see the jobs associated with Green League, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter Green League in the search box.

McAfee Foundstone Vulnerability Scanner
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: JDBC (SQL Server)
Metrics collected: Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id, Vulnerability Score, Vulnerability Consequence
Used for: Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "foundstone" in the Description column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
JDBC
FortiSIEM connects to the faultline database in the McAfee vulnerability scanner to collect metrics. This is a SQL Server database, so you must have set up access credentials for the database over JDBC before you set up access credentials in FortiSIEM and initiate discovery.
Settings for Access Credentials
Settings for McAfee Foundstone Vulnerability Scanner JDBC Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: mcafee_jdbc
Device Type: Microsoft SQL Server
Access Protocol: JDBC
Used for: McAfee VulnMgr
Pull Interval (minutes): 5
Port: 1433
Database name: faultline
User Name: A user with access to the faultline database over JDBC
Password: The password associated with the user

Qualys QualysGuard Scanner

Configuration in FortiSIEM
Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box:

Name: Enter a name for the credential.
Device Type: Qualys QualysGuard Scanner
Access Protocol: Qualys API
Pull Interval: 60 minutes
Port: 443
User Name: A user who has access to the vulnerability scanner over the API.
Password: Password associated with the user
Description: Description about the device

3. In Step 2: Enter IP Range to Credential Associations:
   a. Select the name of your credential from the Credentials drop-down list.
   b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
   c. Click Save.
4. Click Test to test the connection to Qualys QualysGuard Scanner.
5. To see the jobs associated with Qualys, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter Qualys in the search box.

Qualys Vulnerability Scanner
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: Qualys API
Metrics collected: Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability Consequence
Used for: Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "qualys" in the Device Type column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
In RESOURCE > Reports, search for "qualys" in the Description column to see the reports associated with this device.
Configuration
Qualys API
Create a user name and password that FortiSIEM can use as access credentials for the API. You can then configure FortiSIEM to communicate with your device and initiate discovery of the device. For more information, refer to the sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Settings for Access Credentials
Use Host Name for IP Range in Access Credentials
Enter the host name for your Qualys service rather than an IP address when associating your access credentials to an IP range.
Settings for Qualys Vulnerability Scanner API Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: qualys
Device Type: Qualys QualysGuard Scanner
Access Protocol: Qualys API
Pull Interval (minutes): 5
Port: 443
User Name: A user who has access to the vulnerability scanner over the API
Password: The password associated with the user

Rapid7 NeXpose Vulnerability Scanner
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: Rapid7 Nexpose API
Metrics collected: Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence
Used for: Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "rapid7" in the Description and Device Type columns to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
Rapid7 NeXpose API
1. Log in to the device manager for your vulnerability scanner with administrative credentials.
2. Go to Administration > General > User Configuration, and create a user that FortiSIEM can use to access the device.
3. Go to Reports > General > Report Configuration.
4. Create a report with the Report Format set to Simple XML Report Version 1.0 or NeXpose XML Report Version 2.0. FortiSIEM can pull reports only in these formats.

Settings for Access Credentials
Settings for Rapid7 Nexpose API Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Rapid7 NeXpose Security Scanner
Access Protocol: Rapid7 NeXpose API
Pull Interval (minutes): 60
Port: 3780
User Name: A user who can access the device over the API
Password: The password associated with the user

Rapid7 InsightVM Integration
- Integration points
- Rapid7 InsightVM API Integration
Integration points

Protocol: InsightVM API
Information Collected: Vulnerability scan data
Used For: Security and Compliance

Rapid7 InsightVM API Integration
FortiSIEM can pull vulnerability scan data from Rapid7 InsightVM Server via InsightVM API. InsightVM scan data contains vulnerabilities found on a host. Each host vulnerability is converted into a separate FortiSIEM event with event type Rapid7-InsightVM-Vuln-Detected.
Configuring Rapid7 InsightVM Server
Create an account to be used for FortiSIEM communication.
Configuring FortiSIEM
Use the account from the previous step to enable FortiSIEM access:
1. Log in to FortiSIEM.
2. Go to Admin > Setup > Credential.
3. Click New to create a Rapid7 InsightVM credential.
   a. Choose Device Type = Rapid7 InsightVM (Vendor = Rapid7, Model = InsightVM).
   b. Choose Access Protocol = InsightVM API.
   c. Choose Pull Interval = 5 minutes.
   d. Choose HTTPS Port (default 3780).
   e. Choose User name and Password for the account created while Configuring Rapid7 InsightVM Server.
   f. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
   g. Click Save.
4. Enter an IP Range to Credential Association:
   a. Set IP to the IP address of the Rapid7 InsightVM Server.
   b. Select the Credential created in step 3.
   c. Click Save.
5. Perform Test Connectivity to make sure that the credential works correctly.
6. Discover the Rapid7 InsightVM Server using the IP address used in Step 4. Make sure Discover succeeds.
7. An entry will be created in Admin > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from the Rapid7 InsightVM Server using the InsightVM REST API.
To test for received InsightVM Vulnerability events:
1. Go to Admin > Setup > Pull Events.
2. Select the InsightVM entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from the InsightVM Server in the last 15 minutes. You can modify the time interval to get more events.

Tenable.io
- Integration points
- Tenable.io API Integration

Integration points

Protocol: Tenable.io API
Information collected: Vulnerability scan data
Used for: Security and Compliance

Tenable.io API Integration
FortiSIEM can pull vulnerability scan data from Tenable.io Cloud Service via Tenable.io API. Tenable.io scan data contains vulnerabilities found on a host. Each host vulnerability is converted into a separate FortiSIEM event with event type TenableIO-Vuln-Detected.
Configuring Tenable.io Cloud Service
Create an API Key to be used for FortiSIEM communication.
1. Login to your Tenable.io portal using your account.
2. Create an API Key for use in FortiSIEM:
   a. For an administrative user:
   b. Click Settings > User.
   c. In the User table, click the name of the User you want to edit.
   d. Click the API Keys tab and click Generate.
   e. Click Save.
3. For a regular user:
   a. Click My Account.
   b. Click the API Keys tab and click Generate.
   c. Click Save.
Configuring FortiSIEM
Use the API Key and Secret from the previous step to enable FortiSIEM access.
1. Login to FortiSIEM.
2. Go to ADMIN > Setup > Credential.
3. Click New to create a Tenable.io credential:
   a. Choose Device Type = Tenable.io Tenable (Vendor = Tenable, Model = Tenable.io).
   b. Choose Access Protocol = TenableIO API.
   c. Choose Pull Interval = 5 minutes.
   d. Choose Account, Access Key and Secret Key obtained from the Tenable.io portal (see Configuring Tenable.io Cloud Service).
   e. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
   f. Click Save.
4. Enter an IP range to Credential Association:
   a. Set Hostname = cloud.tenable.com
   b. Select the credential created in step 3.
   c. Click Save.
5. Select the entry in step 4 and click Test Connectivity.
6. After Test Connectivity succeeds, an entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from the Tenable.io portal using the API.
To test for received Tenable.io events:
1. Go to ADMIN > Setup > Pull Events.
2. Select the Tenable.io entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from Tenable.io in the last 15 minutes. You can modify the time interval to get more events.


Tenable Nessus Vulnerability Scanner
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: Nessus API
Metrics collected: Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence
Used for: Security Monitoring

Event Types
In ADMIN > Device Support > Event, search for "nessus" in the Description and Device Type column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
In RESOURCE > Reports, search for "nessus" in the Description column to see the reports associated with this device.
Configuration
To configure a Tenable Nessus Security Scanner, take the following steps:
1. Deploy a Nessus server (5, 6, 7, or 8).
2. Generate an API key. For Nessus 7 or Nessus 8, obtain the Access Key and Secret Key.
   Note: If using Nessus 5 or Nessus 6, create a username and password that FortiSIEM can use to access the API and make sure the user has permissions to view the scan report files on the Nessus device. You can check whether your user has the right permissions by running a scan report as that user.
3. Add a target device IP that will be scanned.
4. Login to the FortiSIEM GUI.
5. Navigate to CMDB > Devices.
6. Add the target device IP to CMDB > Devices in FortiSIEM.
7. Navigate to ADMIN > Setup, and click the Credentials tab.
8. In Step 1: Enter Credentials, click New:


   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these Nessus credential settings in the Access Method Definition dialog box and click Save:

Setting: Value
Name: <set name>
Device Type: Choose the appropriate device type: Tenable Nessus Security Scanner, Tenable Nessus6 Security Scanner, Tenable Nessus7 Security Scanner, or Tenable Nessus8 Security Scanner
Access Protocol: Auto-populated based on the device type selected: Nessus API, Nessus6 API, Nessus7 API, or Nessus8 API
Pull Interval (minutes): 5 (default 60 minutes)
Port: 8834
User Name (for Nessus 5 and 6): A user who has permission to access the device over the API
Password (for Nessus 5 and 6): The password associated with the user
Access Key (for Nessus 7 and 8): Obtain the Access Key from Nessus
Secret Key (for Nessus 7 and 8): Obtain the Secret Key from Nessus

9. In Step 2: Enter IP Range to Credential Associations, click New.
   a. Select the credential you created earlier from the Credentials drop-down list.
   b. In the IP/Host Name field, enter the IP/IP Range or Host Name.
   c. Click Save.
10. Select the new mapping, click the Test drop-down list and select Test Connectivity without Ping to start the polling.
11. Navigate to ADMIN > Setup > Pull Events. The yellow star beside the Nessus pull job should turn green.
12. Scan the target device IP in the Nessus server, and export the scan report.
13. Navigate to ANALYTICS in FortiSIEM, and query the Nessus events with the condition Event Type = Nessus-Vuln-Detected.
14. Compare the events in FortiSIEM with the scan report exported from the Nessus server.
Note that the severity mapping between the Nessus8 status and the FortiSIEM event severity is as follows:

Nessus Status: FortiSIEM Event Severity Number
Critical: Event Severity 10
High: Event Severity 9
Medium: Event Severity 6
Low: Event Severity 2
None: Event Severity 3

If Vulnerability CVE ID in FortiSIEM events is not NULL, the target device IP will be added to INCIDENTS > Risk in FortiSIEM.


Tenable Security Center
- Integration points
- Tenable.sc (Security Center) API Integration
- Sample Events

Integration points

Protocol: Tenable.sc API
Information collected: Vulnerability scan data
Used for: Security and Compliance

Tenable.sc (Security Center) API Integration
FortiSIEM can pull vulnerability scan data via the Tenable.sc API. Tenable.sc scan data contains vulnerabilities found on a host. Each host vulnerability is converted into a separate FortiSIEM event with event type TenableSC-Vuln-Detected.
- Configuring Tenable.sc for FortiSIEM
- Configuring FortiSIEM
Configuring Tenable.sc for FortiSIEM
Except for setting your Tenable account user name and password, no special configuration is needed for Tenable.sc.
Configuring FortiSIEM
Use the user name and password from the previous step to enable FortiSIEM access.
1. Login to FortiSIEM.
2. Go to ADMIN > Setup > Credential.
3. Click New to create a Tenable.sc credential:
   a. Enter a Name for the credential.
   b. Choose Device Type = Tenable Tenable Security Center (Vendor = Tenable, Model = Security Center).
   c. Choose Access Protocol = Tenable.sc API.
   d. Choose Pull Interval = 60 minutes.
   e. Enter the User Name for the account.
   f. Enter the Password for the account.
   g. Click Save.
4. Enter an IP range to Credential Association:
   a. Enter the host's IP or Hostname.
   b. Select the credential created in Step 3 from the drop-down list.
   c. Click Save.
5. Select the entry in step 4 and click Test Connectivity.

6. After Test Connectivity succeeds, an entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Tenable Security Center using the API.
To test for received Tenable.sc events:
1. Go to ADMIN > Setup > Pull Events.
2. Select the Tenable.sc entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from Tenable.sc in the last 15 minutes. You can modify the time interval to get more events.
Sample Events
[TenableSc-Vuln-Detected]:[serverIp]=10.10.10.79,[serverName]=sc.tenalab.online, [scanName]=tensc_job1__ordr_1580449845796,[endTime]=1580538767,[policyName]=6e8a5582076f-5798-b0c3-5384b8854cad-501013/Advanced Scan (Vulnerability),[osName]=linux, [hostMACAddr]=00:16:3E:5D:7A:71,[osVersion]=Linux Kernel 2.6,[hostName]=targetcent7.lxd,[hostIpAddr]=10.238.64.9,[startTime]=1580538643,[appPort]=22, [appTransportProto]=tcp,[eventSeverity]=1,[nessusPluginId]=70658,[nessusPluginName]=SSH Server CBC Mode Ciphers Enabled,[categoryType]=Misc.,[vulnCVEId]=CVE-2008-5161, [vulnCvssBaseScore]=2.6,[vulnCvssBaseTemporal]=1.9,[cweId]=200,[vulnDesc]=The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.,[fileName]=ssh_cbc_supported_ciphers.nasl,[vulnType]=remote, [threatLevel]=Low,[vulnSolution]=Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption., [vulnCVESummary]=The SSH server is configured to use Cipher Block Chaining., [nessusPluginOutput]= The following client-to-server Cipher Block Chaining (CBC) algorithms are supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc The following server-to-client Cipher Block Chaining (CBC) algorithms are supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc
[TenableSc-Vuln-Detected]:[serverIp]=52.170.35.79,[serverName]=sc.tenalab.online, [scanName]=tensc_job1__ordr_1580449845796,[endTime]=1580538767,[policyName]=6e8a5582076f-5798-b0c3-5384b8854cad-501013/Advanced Scan (Vulnerability),[osName]=linux, [hostMACAddr]=00:16:3E:5D:7A:71,[osVersion]=Linux Kernel 2.6,[hostName]=targetcent7.lxd,[hostIpAddr]=10.238.64.9,[startTime]=1580538643,[appPort]=0, [appTransportProto]=tcp,[eventSeverity]=0,[nessusPluginId]=35081,[nessusPluginName]=Xen Guest Detection,[categoryType]=Misc.,[vulnDesc]=According to the MAC address of its network adapter, the remote host is a Xen virtual machine.,[fileName]=xen_detect.nasl, [vulnType]=combined,[threatLevel]=None,[vulnSolution]=Ensure that the host's configuration is in agreement with your organization's security policy., [vulnCVESummary]=The remote host is a Xen virtual machine.
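The sample events above use FortiSIEM's attribute format ([EventType]:[attr]=value,[attr]=value,...), in which free-text values such as vulnSolution and vulnDesc themselves contain commas, so a naive split on "," breaks them. The following Python is an added example, not FortiSIEM code: it parses that format on an abridged copy of the two Tenable.sc samples, applies the rule stated in the Nessus section that a scanned host is added to INCIDENTS > Risk only when its Vulnerability CVE ID is not NULL, and rolls the findings up per host; parse_event, has_cve, HostSummary and summarize_by_host are this example's own names.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Abridged copies of the two Tenable.sc sample events in this guide (constructed for this
# example: the attribute values come from the samples above, long descriptions are dropped).
SAMPLE_EVENTS: List[str] = [
    "[TenableSc-Vuln-Detected]:[serverIp]=10.10.10.79,[serverName]=sc.tenalab.online,"
    "[scanName]=tensc_job1__ordr_1580449845796,[hostName]=targetcent7.lxd,"
    "[hostIpAddr]=10.238.64.9,[appPort]=22,[appTransportProto]=tcp,[eventSeverity]=1,"
    "[nessusPluginId]=70658,[nessusPluginName]=SSH Server CBC Mode Ciphers Enabled,"
    "[vulnCVEId]=CVE-2008-5161,[vulnCvssBaseScore]=2.6,[threatLevel]=Low,"
    "[vulnSolution]=Contact the vendor or consult product documentation to disable CBC mode "
    "cipher encryption, and enable CTR or GCM cipher mode encryption.,"
    "[vulnCVESummary]=The SSH server is configured to use Cipher Block Chaining.,"
    "[phLogDetail]=",
    "[TenableSc-Vuln-Detected]:[serverIp]=52.170.35.79,[serverName]=sc.tenalab.online,"
    "[scanName]=tensc_job1__ordr_1580449845796,[hostName]=targetcent7.lxd,"
    "[hostIpAddr]=10.238.64.9,[appPort]=0,[appTransportProto]=tcp,[eventSeverity]=0,"
    "[nessusPluginId]=35081,[nessusPluginName]=Xen Guest Detection,"
    "[vulnDesc]=According to the MAC address of its network adapter, the remote host is "
    "a Xen virtual machine.,[threatLevel]=None,"
    "[vulnCVESummary]=The remote host is a Xen virtual machine.",
]

# An attribute starts at the beginning of the body or right after a comma (\s* tolerates the
# space the PDF rendering of the samples inserts there). A comma inside a value does not
# match because it is not followed by "[name]=".
_ATTR_START = re.compile(r"(?:^|,)\s*\[(\w+)\]=")


def parse_event(raw: str) -> Dict[str, str]:
    """Parse one "[EventType]:[attr]=value,[attr]=value,..." line into a dict.

    The event type is stored under the key "eventType". Values keep their embedded
    commas; an attribute with nothing after "=" (e.g. phLogDetail) becomes "".
    """
    head, sep, body = raw.partition("]:")
    if not head.startswith("[") or not sep:
        raise ValueError("not a FortiSIEM attribute-format event: %r" % raw[:40])
    attrs: Dict[str, str] = {"eventType": head[1:]}
    starts = list(_ATTR_START.finditer(body))
    for i, m in enumerate(starts):
        # A value runs from just after "=" up to the comma that opens the next attribute.
        value_end = starts[i + 1].start() if i + 1 < len(starts) else len(body)
        attrs[m.group(1)] = body[m.end():value_end]
    return attrs


def has_cve(event: Dict[str, str]) -> bool:
    """Guide rule: the scanned host is added to INCIDENTS > Risk only when vulnCVEId is not NULL."""
    return bool(event.get("vulnCVEId", "").strip())


@dataclass
class HostSummary:
    """Per-host roll-up of vulnerability events (this grouping is the example's own)."""
    host_name: str
    plugins: List[str] = field(default_factory=list)
    cves: List[str] = field(default_factory=list)  # CVEs that put the host on the Risk page
    max_severity: int = 0                           # highest eventSeverity seen for the host


def summarize_by_host(raw_events: List[str]) -> Dict[str, HostSummary]:
    """Group *-Vuln-Detected events by scanned host IP, skipping any non-finding events."""
    hosts: Dict[str, HostSummary] = {}
    for raw in raw_events:
        ev = parse_event(raw)
        if not ev["eventType"].endswith("Vuln-Detected"):
            continue  # e.g. PH_DEV_MON_* performance events are not findings
        host = hosts.setdefault(ev.get("hostIpAddr", "unknown"), HostSummary(ev.get("hostName", "")))
        host.plugins.append(ev.get("nessusPluginName", ""))
        if has_cve(ev):
            host.cves.append(ev["vulnCVEId"])
        host.max_severity = max(host.max_severity, int(ev.get("eventSeverity", "0")))
    return hosts


if __name__ == "__main__":
    for ip, host in summarize_by_host(SAMPLE_EVENTS).items():
        print(f"{ip} ({host.host_name}): {len(host.plugins)} findings, CVEs={host.cves}, "
              f"max severity={host.max_severity}, risk entry={'yes' if host.cves else 'no'}")
```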

YXLink Vuln Scanner

Configuration in FortiSIEM
Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box:

Setting: Description
Name: Enter a name for the credential.
Device Type: YXLink Vuln Scanner
Access Protocol: YX API
Pull Interval: 60 minutes
Port: 0
Domain: Domain name
Description: Description about the device

3. In Step 2: Enter IP Range to Credential Associations, click New.
   a. Enter a host name, an IP, or an IP range in the IP/Host Name field.
   b. Select the name of your credential from the Credentials drop-down list.
   c. Click Save.
4. Click the Test drop-down list and select Test Connectivity to test the connection to YXLink Vulnerability Scanner.
5. To see the jobs associated with YXLink, select ADMIN > Setup > Pull Events.
6. To see the received events, select ANALYTICS, then enter "YXLink" in the search box.


WAN Accelerators
FortiSIEM supports these wide area network accelerators for discovery and monitoring.
- Cisco Wide Area Application Server
- Riverbed SteelHead WAN Accelerator


Cisco Wide Area Application Server
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Software version, Hardware model, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Disk space utilization, Process cpu/memory utilization
Used for: Availability and Performance Monitoring

Event Types
Regular monitoring events
- PH_DEV_MON_SYS_UPTIME
[PH_DEV_MON_SYS_UPTIME]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=1053,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5,[sysUpTime]=13256948, [sysUpTimePct]=100.000000,[sysDownTime]=0,[pollIntv]=56,[phLogDetail]=
- PH_DEV_MON_SYS_CPU_UTIL
[PH_DEV_MON_SYS_UPTIME]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=1053,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5,[sysUpTime]=13256948, [sysUpTimePct]=100.000000,[sysDownTime]=0,[pollIntv]=56,[phLogDetail]=
- PH_DEV_MON_SYS_MEM_UTIL
[PH_DEV_MON_SYS_MEM_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=9822,[memName]=Physical Memory,[hostName]=edge.bank.com, [hostIpAddr]=10.19.1.5,[memUtil]=93.438328,[pollIntv]=176,[phLogDetail]=
- PH_DEV_MON_SYS_DISK_UTIL
[PH_DEV_MON_SYS_DISK_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=9902,[diskName]=/swstore,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5, [appTransportProto]=SNMP (hrStorage),[diskUtil]=56.931633,[totalDiskMB]=992, [usedDiskMB]=565,[freeDiskMB]=427,[pollIntv]=176,[phLogDetail]=
- PH_DEV_MON_SYS_PROC_COUNT


[PH_DEV_MON_SYS_PROC_COUNT]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=11710,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5,[procCount]=429, [pollIntv]=176,[phLogDetail]=
- PH_DEV_MON_NET_INTF_UTIL
[PH_DEV_MON_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phIntfFilter.cpp, [lineNumber]=323,[intfName]=GigabitEthernet 1/0,[intfAlias]=,[hostName]=edge.bank.com, [hostIpAddr]=10.19.1.5,[pollIntv]=56,[recvBytes64]=0,[recvBitsPerSec]=0.000000, [inIntfUtil]=0.000000,[sentBytes64]=0,[sentBitsPerSec]=0.000000,[outIntfUtil]=0.000000, [recvPkts64]=0,[sentPkts64]=0,[inIntfPktErr]=0,[inIntfPktErrPct]=0.000000, [outIntfPktErr]=0,[outIntfPktErrPct]=0.000000,[inIntfPktDiscarded]=0, [inIntfPktDiscardedPct]=0.000000,[outIntfPktDiscarded]=0, [outIntfPktDiscardedPct]=0.000000,[outQLen64]=0,[intfInSpeed64]=100000000, [intfOutSpeed64]=100000000,[intfAdminStatus]=,[intfOperStatus]=,[daysSinceLastUse]=0, [totIntfPktErr]=0,[totBitsPerSec]=0.000000,[phLogDetail]=
- PH_DEV_MON_PROC_RESOURCE_UTIL
[PH_DEV_MON_PROC_RESOURCE_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=4320,[swProcName]=syslogd,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5, [procOwner]=,[memUtil]=0.038191,[cpuUtil]=0.000000,[appName]=Syslog Server, [appGroupName]=Unix Syslog Server,[pollIntv]=116,[swParam]=-s -f /etc/syslog.confdiamond,[phLogDetail]=

Rules
Regular monitoring rules

Reports
Regular monitoring reports

Configuration
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting: Value
Name: <set name>
Device Type: Cisco WAAS
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Riverbed SteelHead WAN Accelerator
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Software version, Hardware model, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Disk space utilization, Process cpu/memory utilization
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected: Hardware status
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected:
  Bandwidth metrics: Inbound Optimized Bytes - LAN side, WAN side, Outbound optimized bytes - LAN side and WAN side
  Connection metrics: Optimized connections, Passthrough connections, Half-open optimized connections, Half-closed Optimized connections, Established optimized connections, Active optimized connections
  Top Usage metrics: Top source (Source IP, Total Bytes), Top destination (Destination IP, Total Bytes), Top Application (TCP/UDP port, Total Bytes), Top Talker (Source IP, Source Port, Destination IP, Destination Port, Total Bytes)
  Peer status: For every peer: State, Connection failures, Request timeouts, Max latency
Used for: Availability and Performance Monitoring

Protocol: SNMP Trap
Metrics collected: All traps: software errors, hardware errors, admin login, performance issues - cpu, memory, peer latency issues. About 115 traps defined in ADMIN > Device Support > Event. The mapped event types start with "Riverbed-".
Used for: Availability, Security and Compliance

Event Types
In ADMIN > Device Support > Event, search for "steelhead" in the Description and Device Type columns to see the event types associated with this device.


Rules
In RESOURCE > Rules, search for "steelhead" in the Name column to see the rules associated with this device.

Reports
There are no predefined reports for this device.

Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
SNMP Trap
FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting: Value
Name: <set name>
Device Type: Riverbed Steelhead
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Wireless LANs
FortiSIEM supports these wireless local area network devices for discovery and monitoring.
- Aruba Networks Wireless LAN
- Cisco Wireless LAN
- CradlePoint
- FortiAP
- FortiWLC
- Motorola WiNG WLAN AP
- Ruckus Wireless LAN


Aruba Networks Wireless LAN
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

FortiSIEM uses SNMP and NMAP to discover the device and to collect logs and performance metrics. FortiSIEM communicates to the WLAN Controller only and discovers all information from the Controller. FortiSIEM does not communicate to the WLAN Access points directly.

Protocol: SNMP
Information Discovered: Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points
Metrics collected: Controller Uptime, Controller Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Radio interface performance metrics
Used for: Availability and Performance Monitoring

Protocol: SNMP Trap
Information Discovered: Controller device type
Metrics collected: All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health
Used for: Availability, Security and Compliance

Event Types
In ADMIN > Device Support > Event, search for "aruba" in the Description and Device Type columns to see the event types associated with this device.
Rules
There are no predefined rules for this device.

Reports
In RESOURCE > Reports, search for "aruba" in the Name column to see the reports associated with this device.


Configuration
SNMP V1/V2c
1. Log in to your Aruba wireless controller with administrative privileges.
2. Go to Configuration > Management > SNMP.
3. For Read Community String, enter public.
4. Select Enable Trap Generation.
5. Next to Read Community String, click Add.
6. Under Trap Receivers, click Add and enter the IP address of your FortiSIEM virtual appliance.
Sample Aruba Networks Wireless LAN Controller SNMP Trap Messages
2008-06-11 11:38:34 192.168.20.7 [192.168.20.7]:SNMPv2-MIB::sysUpTime.0 = Timeticks: (1355400) 3:45:54.00 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.14823.2.2.1.1.100.1003 SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.60 = Hex-STRING: 07 D8 06 0B 13 2E 39 00 2D 07 00 SNMPv2-SMI::enterprises.14823.2.2.1.1.2.1.1.2.192.168.180.1 = Hex-STRING: 00 1E 52 72 AF 4B

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting: Value
Name: <set name>
Device Type: Aruba ArubaOS WLAN AP
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Cisco Wireless LAN
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points
Metrics collected: Controller Uptime, Controller CPU and Memory utilization, Controller Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP Trap
Information Discovered: Controller device type
Metrics collected: All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health
Used for: Availability, Security and Compliance

Event Types
In ADMIN > Device Support > Event, search for "cisco wireless" in the Description column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.


Configuration

SNMP V1/V2c and SNMP Traps
1. Log in to your Cisco wireless LAN controller with administrative privileges.
2. Go to MANAGEMENT > SNMP > General.
3. Set both SNMP v1 Mode and SNMP v2c Mode to Enable.
4. Go to SNMP > Communities.
5. Click New and create a public community string with Read-Only privileges.
6. Click Apply.
7. Go to SNMP > Trap Controls.
8. Select the event traps you want to send to FortiSIEM.
9. Click Apply.
10. Go to SNMP > Trap Receivers.
11. Click New and enter the IP address of your FortiSIEM virtual appliance as a trap receiver.
12. Click Apply.

Sample SNMP Trap

2008-06-09 08:59:50 192.168.20.9 [192.168.20.9]:SNMPv2-MIB::sysUpTime.0 = Timeticks: (86919800) 10 days, 1:26:38.00
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.14179.2.6.3.2
SNMPv2-SMI::enterprises.14179.2.6.2.35.0 = Hex-STRING: 00 21 55 4D 66 B0
SNMPv2-SMI::enterprises.14179.2.6.2.36.0 = INTEGER: 0
SNMPv2-SMI::enterprises.14179.2.6.2.37.0 = INTEGER: 1
SNMPv2-SMI::enterprises.14179.2.6.2.34.0 = Hex-STRING: 00 12 F0 0A 3F 15

2010-11-01 12:59:57 0.0.0.0(via UDP: [172.22.2.25]:32769) TRAP2, SNMP v2c, community 1n3t3ng
. Cold Start Trap (0) Uptime: 0:00:00.00
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (9165100) 1 day, 1:27:31.00
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.599.0.4
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.1.0 = Hex-STRING: 00 24 D7 36 A0 00
SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: "AP-2"
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.8.0 = Hex-STRING: 00 25 45 B7 66 70
SNMPv2-SMI::enterprises.9.9.513.1.2.1.1.1.0 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.10.0 = IpAddress: 172.22.4.54
SNMPv2-SMI::enterprises.9.9.599.1.2.1.0 = STRING: "IE\brouse"
SNMPv2-SMI::enterprises.9.9.599.1.2.2.0 = STRING: "IE"

2011-04-05 10:37:42 0.0.0.0(via UDP: [10.10.81.240]:32768) TRAP2, SNMP v2c, community FortiSIEM
. Cold Start Trap (0) Uptime: 0:00:00.00
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1672429600) 193 days, 13:38:16.00
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.615.0.1
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.1.0 = Hex-STRING: 00 25 BC 80 E8 77
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.8.0 = Hex-STRING: 6C 50 4D 7D AC 50
SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.9.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: "AP03-3.rdu2"
SNMPv2-SMI::enterprises.9.9.615.1.2.1.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.615.1.2.2.0 = INTEGER: 5000
SNMPv2-SMI::enterprises.9.9.615.1.2.3.0 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.615.1.2.4.0 = INTEGER: 31
SNMPv2-SMI::enterprises.9.9.615.1.2.5.0 = INTEGER: -60
SNMPv2-SMI::enterprises.9.9.615.1.2.6.0 = INTEGER: -90
SNMPv2-SMI::enterprises.9.9.615.1.2.7.0 = STRING: "0,0,0,0,1,20,24,28,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0"
SNMPv2-SMI::enterprises.9.9.615.1.2.8.0 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.615.1.2.9.0 = STRING: "6c:50:4d:7d:ac:50,e8:04:62:0b:b5:f0"
SNMPv2-SMI::enterprises.9.9.615.1.2.10.0 = STRING: "-83,-85"
SNMPv2-SMI::enterprises.9.9.615.1.2.11.0 = STRING: "1,1"
SNMPv2-SMI::enterprises.9.9.512.1.1.1.1.11.5 = INTEGER: 1
Settings for Access Credentials
SNMP Access Credentials for All Devices
Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting: Value
Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>


CradlePoint
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Settings for Access Credentials
- Sample Events

What is Discovered and Monitored

Protocol: Syslog
Information Discovered:
Metrics Collected:
Used For:

Event Types
In ADMIN > Device Support > Event, search for "CradlePoint" in the Description column to see the event types associated with this application or device.
Rules
No specific rules are written for CradlePoint but generic rules for Firewall, VPN Gateway, WLAN AP, Router Switch apply where there are matching event types.
Reports
No specific reports are written for CradlePoint but generic reports for Firewall, VPN Gateway, WLAN AP, Router Switch apply where there are matching event types.
Configuration
Configure syslog forwarding of event information from CradlePoint.
Settings for Access Credentials
None required.

Sample Events
<14>(host) dhcp: Updated DHCP client: hostname 10.4.42.222 58:94:6b:8d:2b:94


FortiAP
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Sample events
- Settings for Access Credentials
What is Discovered and Monitored

Protocol: SNMP (to FortiGate)
Information Discovered: Access point - Name, OS, Interfaces, Controller (FortiGate)
Metrics collected: FortiAP CPU, Memory, Clients, Sent/Received traffic
Used for: Performance and Availability Monitoring

Protocol: Syslog (from FortiGate)
Metrics collected: Wireless events
Used for: Security and Log Analysis

FortiAPs are discovered from FortiGate firewalls via SNMP. FortiAP logs are received via FortiGate firewalls.

Event Types
In ADMIN > Device Support > Event, search for "FortiGate-Wireless" and "FortiGate-event" in the Description column to see the event types associated with this device.

Rules
There are generic rules that trigger for this device as event types are mapped to specific event type groups.

Reports
Generic reports are written for this device as event types are mapped to specific event type groups.

Configuration
Configure FortiGate to:
1. Send Syslog to FortiSIEM.
2. Enable SNMP read from FortiSIEM.


Sample Events
FortiSIEM generated performance monitoring events:
[PH_DEV_MON_FORTIAP_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortinet.cpp, [lineNumber]=688,[hostName]=FAP320C-default,[hostIpAddr]=,[sysUpTime]=7588440, [wtpDaemonUpTime]=7588440,[wtpSessionUpTime]=63039960,[numWlanClient]=0, [ftntWtpSessionStatus]=55038712,[sentBitsPerSec]=0.000000,[recvBitsPerSec]=0.000000, [pollIntv]=180,[phLogDetail]=
[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortinet.cpp, [lineNumber]=698,[cpuName]=FAP320C-default_WTP_CPU,[hostName]=FAP320C-default, [hostIpAddr]=,[cpuUtil]=0.000000,[pollIntv]=0,[phLogDetail]=
[PH_DEV_MON_SYS_MEM_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortinet.cpp, [lineNumber]=707,[memName]=FAP320C-default_WTP_MEM,[hostName]=FAP320C-default, [hostIpAddr]=,[memUtil]=34,[totalMemKB]= 254256 ,[freeMemKB]=254256,[usedMemKB]=0, [phLogDetail]=

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting: Value
Name: <set name>
Device Type: Fortinet FortiAP
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


FortiWLC
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
- Sample events

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Controller - Name, OS, Serial Number, Interfaces, Associated Access Points - name, OS, Interfaces
Metrics collected: Controller - CPU, Memory, Disk, Throughput, QoS statistics, Station count
Used for: Performance and Availability Monitoring

Protocol: Syslog
Metrics collected: Hardware/Software errors, failures, logons, license expiry, Access Point Association / Disassociation
Used for: Security Monitoring and log analysis

Event Types
In ADMIN > Device Support > Event, search for "FortiWLC" in the Description column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
Configure FortiWLC to:
1. Send Syslog to FortiSIEM.
2. Enable SNMP read from FortiSIEM.


Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting            Value
Name               <set name>
Device Type        Fortinet FortiWLC
Access Protocol    See Access Credentials
Port               See Access Credentials
Password config    See Password Configuration

Sample events
FortiSIEM generated performance monitoring events:
[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortiWLCWLAN.cpp, [lineNumber]=281,[cpuName]=CPU,[hostName]=FWLCDemo,[hostIpAddr]=172.30.72.40, [cpuUtil]=2.000000,[sysCpuUtil]=0.000000,[userCpuUtil]=2.000000,[waitCpuUtil]=98.000000, [pollIntv]=176,[phLogDetail]=
[PH_DEV_MON_SYS_DISK_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortiWLCWLAN.cpp, [lineNumber]=286,[diskName]=Disk,[hostName]=FWLCDemo,[hostIpAddr]=172.30.72.40, [diskUtil]=65.000000,[totalDiskMB]=1084,[availDiskMB]=367,[pollIntv]=176,[phLogDetail]=
[PH_DEV_MON_SYS_MEM_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortiWLCWLAN.cpp, [lineNumber]=284,[memName]=PhysicalMemory,[hostName]=FWLCDemo,[hostIpAddr]=172.30.72.40, [memUtil]=9.000000,[totalMemKB]=3922244,[freeMemKB]=3538244,[usedMemKB]=384000, [phLogDetail]=
[PH_DEV_MON_FORTIWLC_SYS_THRUPUT]:[eventSeverity]=PHL_INFO, [fileName]=deviceFortiWLCWLAN.cpp,[lineNumber]=343,[hostIpAddr]=172.30.72.40, [pollIntv]=180,[recvBytes]=3940593459,[sentBytes]=4002693999,[recvBitsPerSec]=0.000000, [sentBitsPerSec]=0.000000,[wlanRecvBytes]=10851874907433110752, [wlanSentBytes]=9983789733519268498,[wlanRecvBitsPerSec]=0.000000, [wlanSentBitsPerSec]=0.000000,[phLogDetail]=
[PH_DEV_MON_FORTIWLC_QOS_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortiWLCWLAN.cpp, [lineNumber]=426,[hostIpAddr]=172.30.72.40,[pollIntv]=176,[qosSessionCount]=1, [qosH323SessionCount]=2,[qosSipSessionCount]=3,[qosSccpSessionCount]=4, [qosRejectedSessionCount]=5,[qosRejectedH323SessionCount]=6, [qosRejectedSipSessionCount]=7,[qosRejectedSccpSessionCount]=8,[qosPendingSessionCount]=9, [qosH323PendingSessionCount]=10,[qosSipPendingSessionCount]=11, [qosSccpPendingSessionCount]=12,[qosActiveFlowCount]=13,[qosPendingFlowCount]=14, [phLogDetail]=
[PH_DEV_MON_FORTIWLC_STATIONS]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortiWLCWLAN.cpp, [lineNumber]=511,[hostIpAddr]=172.30.72.40,[pollIntv]=176,[station11a]=1,[station11an1]=2, [station11an2]=3,[station11an3]=4,[station11b]=5,[station11bg]=6,[station11gn1]=7, [station11gn2]=8,[station11gn3]=9,[stationData]=10,[stationPhone]=11,[stationWired]=12, [station11ac1]=13,[station11ac2]=14,[station11ac3]=15,[stationUnknown]=16,[phLogDetail]=

FortiWLC Syslog:
Apr 09 15:07:54 172.18.37.203 ALARM: 1270826655l | system | info | ALR | RADIUS SERVER SWITCHOVER FAILED MAJOR Primary RADIUS Server <172.18.1.3> failed. No valid Secondary RADIUS Server present. Switchover FAILED for Profile <4089wpa2>

Motorola WiNG WLAN AP
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol                Syslog
Information Discovered  
Metrics collected       All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health
Used for                Availability, Security and Compliance

Event Types
Over 127 event types - In ADMIN > Device Support > Event, search for "Motorola-WiNG" to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
Configure devices to send syslog to FortiSIEM. Make sure that the version matches the format below:
2015-11-11T13:00:16.720960-06:00 co-ap01 %DOT11-5-EAP_FAILED: Client 'FC-C2-DE-B1-43-81' failed 802.1x/EAP authentication on wlan 'OFFICE-WAREHOUSE-RADIUS-WLAN' radio 'co-ap01:R1'
2015-11-11T12:52:20.437659-06:00 us600001 %SMRT-5-COV_HOLE_RECOVERY_DONE: Radio us-ap10:R2 power changed from 19 to 14
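A quick way to confirm that an access point is emitting the format above, and to get something useful out of the EAP_FAILED events it sends, is to parse the lines with the same structure (timestamp, hostname, %FACILITY-severity-MNEMONIC, message). The Python below is an added example and not Fortinet or Motorola code: the first two sample lines are the ones from this guide, the remaining lines are constructed (a repeated failure from the same client, and a line in a different format that must be rejected), and the threshold in repeated_failures() is an assumed value.

```python
"""Parse Motorola WiNG access-point syslog lines and count 802.1x/EAP
authentication failures per client.

Added example, not Fortinet or Motorola code. The first two sample lines
are the ones shown in this guide; the remaining lines are constructed, and
the failure threshold is an assumed value.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# <ISO-8601 timestamp> <hostname> %<FACILITY>-<severity>-<MNEMONIC>: <message>
_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T[0-9:.]+(?:[+-]\d{2}:\d{2}|Z))\s+"
    r"(?P<host>\S+)\s+%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-"
    r"(?P<mnemonic>[A-Z0-9_]+):\s+(?P<msg>.*)$"
)
# Client MAC as WiNG prints it inside an EAP_FAILED message.
_CLIENT_RE = re.compile(r"Client '(?P<mac>[0-9A-Fa-f-]{17})'")

SAMPLE_LINES = [
    # The two lines shown in this guide.
    "2015-11-11T13:00:16.720960-06:00 co-ap01 %DOT11-5-EAP_FAILED: Client 'FC-C2-DE-B1-43-81' failed 802.1x/EAP authentication on wlan 'OFFICE-WAREHOUSE-RADIUS-WLAN' radio 'co-ap01:R1'",
    "2015-11-11T12:52:20.437659-06:00 us600001 %SMRT-5-COV_HOLE_RECOVERY_DONE: Radio us-ap10:R2 power changed from 19 to 14",
    # Constructed: two more failures from the same client within a minute.
    "2015-11-11T13:00:31.105000-06:00 co-ap01 %DOT11-5-EAP_FAILED: Client 'FC-C2-DE-B1-43-81' failed 802.1x/EAP authentication on wlan 'OFFICE-WAREHOUSE-RADIUS-WLAN' radio 'co-ap01:R1'",
    "2015-11-11T13:00:47.220000-06:00 co-ap01 %DOT11-5-EAP_FAILED: Client 'FC-C2-DE-B1-43-81' failed 802.1x/EAP authentication on wlan 'OFFICE-WAREHOUSE-RADIUS-WLAN' radio 'co-ap01:R1'",
    # Constructed: a line in a different (unsupported) format.
    "Nov 11 13:01:02 co-ap01 EAP_FAILED client FC-C2-DE-B1-43-81",
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed fields of one WiNG syslog line, or None if the line
    does not follow the expected format."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    # datetime.fromisoformat handles the "-06:00" offset; normalise a
    # trailing "Z" for older Python versions that do not accept it.
    rec["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    rec["severity"] = int(m.group("severity"))
    return rec


def eap_failures_by_client(lines: List[str]) -> Counter:
    """Count %DOT11-*-EAP_FAILED events per client MAC address."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["mnemonic"] == "EAP_FAILED":
            cm = _CLIENT_RE.search(str(rec["msg"]))
            if cm:
                counts[cm.group("mac").upper()] += 1
    return counts


def repeated_failures(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Clients with at least `threshold` EAP failures (threshold is assumed)."""
    return {mac: n for mac, n in eap_failures_by_client(lines).items() if n >= threshold}


def unparsed(lines: List[str]) -> List[str]:
    """Lines that do not match the expected WiNG format; check the firmware
    version of the sending device if this list is not empty."""
    return [line for line in lines if parse_line(line) is None]


if __name__ == "__main__":
    for mac, n in repeated_failures(SAMPLE_LINES).items():
        print(f"{mac}: {n} EAP failures")
    for line in unparsed(SAMPLE_LINES):
        print("UNPARSED:", line)
```

Running the block prints the one client with three failures and the single unparsed line; in practice you would feed it the lines received by the collector and treat a non-empty unparsed() result as a sign that the device firmware is sending a format this parser (and the FortiSIEM parser) does not expect.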
Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting            Value
Name               <set name>
Device Type        Motorola WiNG WLAN AP
Access Protocol    See Access Credentials
Port               See Access Credentials
Password config    See Password Configuration

Ruckus Wireless LAN
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol                SNMP
Information Discovered  Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points
Metrics collected       Controller Uptime, Controller Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Controller WLAN Statistics, Access Point Statistics, SSID performance Stats
Used for                Availability and Performance Monitoring

Event Types
- PH_DEV_MON_RUCKUS_CONTROLLER_STAT
[PH_DEV_MON_RUCKUS_CONTROLLER_STAT]:[eventSeverity]=PHL_INFO, [fileName]=deviceRuckusWLAN.cpp,[lineNumber]=555,[hostName]=guest-zd-01, [hostIpAddr]=172.17.0.250,[numAp]=41,[numWlanClient]=121,[newRogueAP]=0, [knownRogueAP]=0,[wlanSentBytes]=0,[wlanRecvBytes]=0,[wlanSentBitsPerSec]=0.000000, [wlanRecvBitsPerSec]=0.000000,[lanSentBytes]=166848,[lanRecvBytes]=154704, [lanSentBitsPerSec]=7584.000000,[lanSentBitsPerSec]=7032.000000,[phLogDetail]=
- PH_DEV_MON_RUCKUS_ACCESS_POINT_STAT
[PH_DEV_MON_RUCKUS_ACCESS_POINT_STAT]:[eventSeverity]=PHL_INFO, [fileName]=deviceRuckusWLAN.cpp,[lineNumber]=470,[hostName]=AP-10.20.30.3, [hostIpAddr]=10.20.30.3,[description]=,[numRadio]=0,[numWlanClient]=0,[knownRogueAP]=0, [connMode]=layer3,[firstJoinTime]=140467251729776,[lastBootTime]=140467251729776, [lastUpgradeTime]=140467251729776,[sentBytes]=0,[recvBytes]=0,[sentBitsPerSec]=0.000000, [recvBitsPerSec]=0.000000,[phLogDetail]=
- PH_DEV_MON_RUCKUS_SSID_PERF
[PH_DEV_MON_RUCKUS_SSID_PERF]:[eventSeverity]=PHL_INFO,[fileName]=deviceRuckusWLAN.cpp, [lineNumber]=807,[hostName]=c1cs-guestpoint-zd-01,[hostIpAddr]=172.17.0.250, [wlanSsid]=GuestPoint,[description]=Welcome SSID for not yet authorized APs., [wlanName]=Welcome SSID,[authenMethod]=open,[encryptAlgo]=none,[isGuest]=1, [srcVLAN]=598,[sentBytes]=0,[recvBytes]=0,[sentBitsPerSec]=0.000000, [recvBitsPerSec]=0.000000,[authSuccess]=0,[authFailure]=0,[assocSuccess]=0, [assocFailure]=0,[assocDeny]=0,[disassocAbnormal]=0,[disassocLeave]=0,[disassocMisc]=0, [phLogDetail]=
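The FortiSIEM-generated events shown in the FortiAP, FortiWLC and Ruckus sections share one layout: an event type in brackets followed by a comma-separated list of [attribute]=value pairs. The Python below is an added example, not FortiSIEM code, that parses lines in this layout, reports attribute names that occur twice in one event (as lanSentBitsPerSec does in the Ruckus controller sample above, where the second occurrence would otherwise silently overwrite the first), and runs a few checks on the parsed fields. The sample lines are copied from this guide with the copy-paste whitespace removed; the utilisation thresholds, the rogue-AP check and all function names are the example's own assumptions.

```python
"""Parse FortiSIEM performance-monitoring events of the form
[EVENT_TYPE]:[attr]=value,[attr]=value,... and run simple checks on them.

Added example, not FortiSIEM code. The sample lines are taken from the
FortiWLC and Ruckus sections of this guide; the thresholds in check_event()
are assumed values chosen for illustration.
"""
import re
from typing import Dict, List, Tuple

# Event header: [TYPE]: followed by the attribute list.
_HEAD_RE = re.compile(r"^\[(?P<type>[A-Z0-9_]+)\]:(?P<rest>.*)$")
# One [attr]=value pair. The value runs lazily up to the next ",[" (with
# optional whitespace, as in copy-pasted samples) or the end of the line, so
# commas inside free-text values such as [description] do not split a pair.
_PAIR_RE = re.compile(r"\[(?P<key>[^\]]+)\]=(?P<val>.*?)(?=,\s*\[|$)")

# Constructed from the sample events printed in this guide.
SAMPLE_EVENTS = [
    "[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortiWLCWLAN.cpp,[lineNumber]=281,[cpuName]=CPU,[hostName]=FWLCDemo,[hostIpAddr]=172.30.72.40,[cpuUtil]=2.000000,[sysCpuUtil]=0.000000,[userCpuUtil]=2.000000,[waitCpuUtil]=98.000000,[pollIntv]=176,[phLogDetail]=",
    "[PH_DEV_MON_SYS_DISK_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortiWLCWLAN.cpp,[lineNumber]=286,[diskName]=Disk,[hostName]=FWLCDemo,[hostIpAddr]=172.30.72.40,[diskUtil]=65.000000,[totalDiskMB]=1084,[availDiskMB]=367,[pollIntv]=176,[phLogDetail]=",
    "[PH_DEV_MON_RUCKUS_CONTROLLER_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceRuckusWLAN.cpp,[lineNumber]=555,[hostName]=guest-zd-01,[hostIpAddr]=172.17.0.250,[numAp]=41,[numWlanClient]=121,[newRogueAP]=0,[knownRogueAP]=0,[wlanSentBytes]=0,[wlanRecvBytes]=0,[wlanSentBitsPerSec]=0.000000,[wlanRecvBitsPerSec]=0.000000,[lanSentBytes]=166848,[lanRecvBytes]=154704,[lanSentBitsPerSec]=7584.000000,[lanSentBitsPerSec]=7032.000000,[phLogDetail]=",
]


def parse_event(line: str) -> Tuple[str, Dict[str, str], List[str]]:
    """Return (event_type, attributes, duplicate_keys).

    A duplicated attribute name is reported instead of being silently
    overwritten; the first value seen is kept.
    """
    m = _HEAD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a FortiSIEM event line: {line[:40]!r}")
    attrs: Dict[str, str] = {}
    dups: List[str] = []
    for pair in _PAIR_RE.finditer(m.group("rest")):
        key, val = pair.group("key"), pair.group("val").strip()
        if key in attrs:
            dups.append(key)
            continue
        attrs[key] = val
    return m.group("type"), attrs, dups


def _num(value: str) -> float:
    """Numeric view of an attribute; blank or non-numeric values count as 0."""
    try:
        return float(value)
    except ValueError:
        return 0.0


def check_event(attrs: Dict[str, str], cpu_max: float = 90.0,
                disk_max: float = 80.0) -> List[str]:
    """Findings for one event: utilisation above the (assumed) thresholds,
    or newly detected rogue access points reported by a controller."""
    host = attrs.get("hostName") or attrs.get("hostIpAddr", "?")
    findings: List[str] = []
    if _num(attrs.get("cpuUtil", "")) > cpu_max:
        findings.append(f"{host}: cpuUtil {attrs['cpuUtil']} > {cpu_max}")
    if _num(attrs.get("diskUtil", "")) > disk_max:
        findings.append(f"{host}: diskUtil {attrs['diskUtil']} > {disk_max}")
    if _num(attrs.get("newRogueAP", "")) > 0:
        findings.append(f"{host}: {attrs['newRogueAP']} new rogue AP(s) reported")
    return findings


def summarize(lines: List[str]) -> Tuple[Dict[str, List[Dict[str, str]]], List[str]]:
    """Parse every line; return events grouped by type and all findings."""
    by_type: Dict[str, List[Dict[str, str]]] = {}
    findings: List[str] = []
    for line in lines:
        etype, attrs, dups = parse_event(line)
        by_type.setdefault(etype, []).append(attrs)
        findings.extend(f"{etype}: duplicate attribute {k}" for k in dups)
        findings.extend(check_event(attrs))
    return by_type, findings


if __name__ == "__main__":
    grouped, found = summarize(SAMPLE_EVENTS)
    for etype, events in grouped.items():
        print(etype, len(events), "event(s)")
    for item in found:
        print("FINDING:", item)
```

With the guide's own samples the only finding is the duplicated lanSentBitsPerSec attribute; lowering disk_max below 65 would also flag the FWLCDemo disk event.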

Rules
There are no predefined rules for this device.

Reports
There are no predefined reports for this device.

Configuration
Configure the controller so that FortiSIEM can connect to it via SNMP.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting            Value
Name               <set name>
Device Type        Ruckus SmartOS WLAN AP
Access Protocol    See Access Credentials
Port               See Access Credentials
Password config    See Password Configuration

Using Virtual IPs to Access Devices in Clustered Environments
FortiSIEM communicates with devices and applications using multiple protocols. In many instances, access credentials for discovery protocols such as SNMP and WMI must be associated with the real IP address (assigned to a network interface) of the device, while application performance or synthetic transaction monitoring protocols (such as JDBC) need the Virtual IP (VIP) assigned to the cluster. Since FortiSIEM uses a single access IP to communicate with a device, you must create an address translation for the Virtual IPs.
1. Log into your FortiSIEM virtual appliance as root.
2. Update the mapping in your IP table to map the IP address used in setting up your access credentials to the virtual IP:
iptables -t nat -A OUTPUT -p tcp --destination <access-ip> --dport <destPort> -j DNAT --to-destination <virtual-ip>:<destPort>
As an example, suppose an Oracle database server is running on a server with a network address of 10.1.1.1, which is in a cluster with a VIP of 192.168.1.1. The port used to communicate with Oracle over JDBC is 1521. In this case, the update command would be:
iptables -t nat -A OUTPUT -p tcp --destination 10.1.1.1 --dport 1521 -j DNAT --to-destination 192.168.1.1:1521

Syslog over TLS
To receive syslog over TLS, a port must be enabled and certificates must be defined. The following configuration lines are already present in phoenix_config.txt on Super/Worker and Collector nodes:
listen_tls_port_list=6514
tls_certificate_file=/etc/pki/tls/certs/tls_self_signed.crt
tls_key_file=/etc/pki/tls/private/tls_self_signed.key
Note: the syslog over TLS client must be configured to communicate properly with FortiSIEM.

Appendix
CyberArk to FortiSIEM Log Converter XSL
<?xml version="1.0" ?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:import href='./Syslog/RFC5424Changes.xsl'/>
  <xsl:output method="text" version="1.0" encoding="UTF-8" />
  <xsl:template match="/">
    <xsl:apply-imports />
    <xsl:for-each select="syslog/audit_record">
      <xsl:text>CYBERARK: Product="</xsl:text><xsl:value-of select="Product" /><xsl:text>"</xsl:text>
      <xsl:text>;Version="</xsl:text><xsl:value-of select="Version" /><xsl:text>"</xsl:text>
      <xsl:text>;Hostname="</xsl:text><xsl:value-of select="Hostname" /><xsl:text>"</xsl:text>
      <xsl:text>;MessageID="</xsl:text><xsl:value-of select="MessageID" /><xsl:text>"</xsl:text>
      <xsl:text>;Message="</xsl:text><xsl:value-of select="Message" /><xsl:text>"</xsl:text>
      <xsl:choose><xsl:when test="Desc!=''">
        <xsl:text>;Desc="</xsl:text><xsl:value-of select="Desc" /><xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:choose><xsl:when test="Action!=''">
        <xsl:text>;Action="</xsl:text><xsl:value-of select="Action" /><xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:choose><xsl:when test="Location!=''">
        <xsl:text>;Location="</xsl:text><xsl:value-of select="Location" /><xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:text>;Issuer="</xsl:text><xsl:value-of select="Issuer" /><xsl:text>"</xsl:text>
      <xsl:choose><xsl:when test="Station!=''">
        <xsl:text>;Station="</xsl:text><xsl:value-of select="Station" /><xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:choose><xsl:when test="File!=''">
        <xsl:text>;File="</xsl:text><xsl:value-of select="File" /><xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:choose><xsl:when test="Safe!=''">
        <xsl:text>;Safe="</xsl:text><xsl:value-of select="Safe" /><xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:choose><xsl:when test="Category!=''">
        <xsl:text>;Category="</xsl:text><xsl:value-of select="Category" /><xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:choose><xsl:when test="RequestId!=''">
        <xsl:text>;RequestId="</xsl:text><xsl:value-of select="RequestId" /><xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:choose><xsl:when test="Reason!=''">
        <xsl:text>;Reason="</xsl:text><xsl:value-of select="Reason" /><xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:choose><xsl:when test="SeverityCategory!=''">
        <xsl:text>;Severity="</xsl:text><xsl:value-of select="Severity" /><xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:choose><xsl:when test="GatewayStation!=''">
        <xsl:text>;GatewayStation="</xsl:text><xsl:value-of select="GatewayStation" /><xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:choose><xsl:when test="SourceUser!=''">
        <xsl:text>;SourceUser="</xsl:text><xsl:value-of select="SourceUser" /><xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:choose><xsl:when test="TargetUser!=''">
        <xsl:text>;TargetUser="</xsl:text><xsl:value-of select="TargetUser" /><xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:choose><xsl:when test="TicketID!=''">
        <xsl:text>;TicketID="</xsl:text><xsl:value-of select="TicketID" /><xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:choose><xsl:when test="LogonDomain!=''">
        <xsl:text>;LogonDomain="</xsl:text>
        <xsl:for-each select="CAProperties/CAProperty">
          <xsl:if test="@Name='LogonDomain'"><xsl:value-of select="@Value" /></xsl:if>
        </xsl:for-each>
        <xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:choose><xsl:when test="Address!=''">
        <xsl:text>;Address="</xsl:text>
        <xsl:for-each select="CAProperties/CAProperty">
          <xsl:if test="@Name='Address'"><xsl:value-of select="@Value" /></xsl:if>
        </xsl:for-each>
        <xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:choose><xsl:when test="CPMStatus!=''">
        <xsl:text>;CPMStatus="</xsl:text>
        <xsl:for-each select="CAProperties/CAProperty">
          <xsl:if test="@Name='CPMStatus'"><xsl:value-of select="@Value" /></xsl:if>
        </xsl:for-each>
        <xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:choose><xsl:when test="Database!=''">
        <xsl:text>;Database="</xsl:text>
        <xsl:for-each select="CAProperties/CAProperty">
          <xsl:if test="@Name='Database'"><xsl:value-of select="@Value" /></xsl:if>
        </xsl:for-each>
        <xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:choose><xsl:when test="DeviceType!=''">
        <xsl:text>;DeviceType="</xsl:text>
        <xsl:for-each select="CAProperties/CAProperty">
          <xsl:if test="@Name='DeviceType'"><xsl:value-of select="@Value" /></xsl:if>
        </xsl:for-each>
        <xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
      <xsl:choose><xsl:when test="ExtraDetails!=''">
        <xsl:text>;ExtraDetails="</xsl:text><xsl:value-of select="ExtraDetails" /><xsl:text>"</xsl:text>
      </xsl:when></xsl:choose>
    </xsl:for-each>
    <xsl:text>&#13;&#10;</xsl:text>
  </xsl:template>
</xsl:stylesheet>
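To see exactly what line the stylesheet above produces for a given CyberArk audit record, and to test a parser against it without an XSLT processor, the following Python re-implements the same field order and the same conditions (optional fields emitted only when non-empty, Severity gated on SeverityCategory, and the LogonDomain/Address/CPMStatus/Database/DeviceType values read from CAProperties/CAProperty, all as the XSL does). It is an added example using only the standard library, not CyberArk's or Fortinet's code; the audit_record XML is constructed, and the element and attribute values in it are placeholders. It deliberately differs from the XSL in one respect: a double quote or line break inside a value is escaped, so a field such as Message cannot terminate the key="value" pair early or split one record into two lines at the receiving parser.

```python
"""Python re-implementation of the CyberArk-to-FortiSIEM converter XSL
shown above (added example, not CyberArk's or Fortinet's code).

Field order and emit conditions mirror the stylesheet. The sample XML is
constructed. Unlike the XSL, values are escaped so that a quote or newline
inside a field cannot break the key="value" layout of the output line.
"""
import xml.etree.ElementTree as ET
from typing import List

ALWAYS = ["Product", "Version", "Hostname", "MessageID", "Message"]
OPTIONAL_BEFORE_ISSUER = ["Desc", "Action", "Location"]
OPTIONAL_AFTER_ISSUER = ["Station", "File", "Safe", "Category", "RequestId", "Reason"]
OPTIONAL_LATER = ["GatewayStation", "SourceUser", "TargetUser", "TicketID"]
# For these the XSL tests the child element but prints the CAProperty value.
CAPROPERTY_FIELDS = ["LogonDomain", "Address", "CPMStatus", "Database", "DeviceType"]

# Constructed sample; values are placeholders, not real CyberArk data.
SAMPLE_XML = """<syslog>
  <audit_record>
    <Product>ExampleVault</Product>
    <Version>1.0</Version>
    <Hostname>vault01.example.net</Hostname>
    <MessageID>295</MessageID>
    <Message>Retrieve password</Message>
    <Desc></Desc>
    <Action>Retrieve</Action>
    <Issuer>alice</Issuer>
    <Station>10.0.0.5</Station>
    <Safe>UnixRoot</Safe>
    <Reason>change "CR-42"</Reason>
    <Severity>Info</Severity>
    <SeverityCategory>I</SeverityCategory>
    <TargetUser>root</TargetUser>
    <Address>db01.example.net</Address>
    <DeviceType>Operating System</DeviceType>
    <CAProperties>
      <CAProperty Name="Address" Value="db01.example.net"/>
      <CAProperty Name="DeviceType" Value="Operating System"/>
    </CAProperties>
  </audit_record>
</syslog>"""


def _text(rec: ET.Element, name: str) -> str:
    """Text of a direct child element, '' if absent or empty (XSL: select="Name")."""
    el = rec.find(name)
    return (el.text or "") if el is not None else ""


def _caproperty(rec: ET.Element, name: str) -> str:
    """Concatenated @Value of every CAProperty whose @Name matches, exactly as the
    XSL's for-each/if pair does (normally there is one)."""
    return "".join(p.get("Value", "") for p in rec.findall("CAProperties/CAProperty")
                   if p.get("Name") == name)


def _field(name: str, value: str) -> str:
    """Render name="value"; escaping added here, not present in the XSL."""
    safe = (value.replace("\\", "\\\\").replace('"', '\\"')
                 .replace("\r", " ").replace("\n", " "))
    return f'{name}="{safe}"'


def convert_record(rec: ET.Element) -> str:
    """Build the single CYBERARK: line the stylesheet emits for one audit_record."""
    parts = [_field(n, _text(rec, n)) for n in ALWAYS]
    parts += [_field(n, _text(rec, n)) for n in OPTIONAL_BEFORE_ISSUER if _text(rec, n)]
    parts.append(_field("Issuer", _text(rec, "Issuer")))          # always emitted
    parts += [_field(n, _text(rec, n)) for n in OPTIONAL_AFTER_ISSUER if _text(rec, n)]
    if _text(rec, "SeverityCategory"):                             # XSL gates Severity on SeverityCategory
        parts.append(_field("Severity", _text(rec, "Severity")))
    parts += [_field(n, _text(rec, n)) for n in OPTIONAL_LATER if _text(rec, n)]
    for n in CAPROPERTY_FIELDS:
        if _text(rec, n):
            parts.append(_field(n, _caproperty(rec, n)))
    if _text(rec, "ExtraDetails"):
        parts.append(_field("ExtraDetails", _text(rec, "ExtraDetails")))
    return "CYBERARK: " + ";".join(parts)


def convert(xml_text: str) -> List[str]:
    """Convert every syslog/audit_record in the document to its output line."""
    root = ET.fromstring(xml_text)
    return [convert_record(r) for r in root.findall("audit_record")]


if __name__ == "__main__":
    for line in convert(SAMPLE_XML):
        print(line)
```

The output for the sample begins with CYBERARK: Product="ExampleVault";Version="1.0"; and omits Desc and Location because they are empty or absent, which is the behaviour of the xsl:choose blocks above; the escaped Reason field shows the one place where the Python output differs from what the XSL would emit for the same input.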

Access Credentials

- SNMP Access Credentials
- SSH Access Credentials
- Telnet Access Credentials
- HTTPS Access Credentials
- Password Configuration
  - Manual Password Configuration
  - CyberArk Password Configuration
  - RAX_CustomerService Password Configuration
  - RAX_Janus Password Configuration

SNMP Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP.

Setting            Value
Name               <set name>
Device Type        <device>
Access Protocol    SNMP
Community String   <your own>

SSH Access Credentials

These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting            Value
Name               <set name>
Device Type        <device>
Access Protocol    SSH
Port               22
Password Config    See Password Configuration
User Name          A user who has permission to access the device over SSH
Password           The password associated with the user
Super Password     Enter the super password for the system, if required
Organization       Select an organization from the drop-down list

Telnet Access Credentials

These are the generic settings for providing Telnet access to your device from FortiSIEM.

Setting            Value
Name               <set name>
Device Type        <device>
Access Protocol    Telnet
Port               23
Password Config    See Password Configuration
User Name          A user who has permission to access the device over Telnet
Password           The password associated with the user
Super Password     Enter the super password for the system, if required
Organization       Select an organization from the drop-down list

HTTPS Access Credentials

Setting            Value
Name               <set name>
Device Type        <device>
Access Protocol    HTTPS
Port               443
URI                URI address
Password Config    See Password Configuration
User Name          A user who has permission to access the device over HTTPS
Password           The password associated with the user
Organization       Select an organization from the drop-down list

Password Configuration

Manual Password Configuration

Setting            Description
User Name          The user name for this account
Password           The password for this account
Super Password     The super password for this account
Organization       Select an organization from the drop-down list

CyberArk Password Configuration

Setting                    Description
App ID                     Application ID (AccelOps)
Safe                       Safe value
Folder                     Folder location (Root)
Object                     Object name
User Name                  User name
Platform (Policy ID)       Policy ID
Database                   Database name
Include Address for Query  
Organization               Select an organization from the drop-down list
Description                Description or comments about the credentials

RAX_CustomerService Password Configuration

Setting                Description
AWS Account Number     Enter the account number.
Azure Subscription ID  Enter the subscription ID.

RAX_Janus Password Configuration
Select RAX_Janus as the Password Config. Supply a Session ID if required.

Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.