User. Worker. Inbound. TCP/22. Admin access via SSH. FortiSIEM 6.1.1 External Systems Configuration Guide. 15. Fortinet Technologies Inc.
Revision 13: added Zeek (Bro) installation instructions for Security Onion, ... LOGbinder SP getting started document - remember to configure LOGbinder SP ...
FortiSIEM - External Systems Configuration Guide Version 6.1.1 FORTINET DOCUMENT LIBRARY https://docs.fortinet.com FORTINET VIDEO GUIDE https://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT https://support.fortinet.com FORTINET TRAINING & CERTIFICATION PROGRAM https://www.fortinet.com/training-certification NSE INSTITUTE https://training.fortinet.com FORTIGUARD CENTER https://www.fortiguard.com END USER LICENSE AGREEMENT https://www.fortinet.com/doc/legal/EULA.pdf FEEDBACK Email: techdoc@fortinet.com 10/27/2021 FortiSIEM 6.1.1 External Systems Configuration Guide Change Log Date 2018-05-23 2018-07-24 2018-08-07 2018-09-12 2018-09-26 2018-11-28 2019-01-29 2019-03-15 2019-03-28 2019-04-24 2019-07-24 2019-10-22 2019-11-22 2020-01-03 2020-04-15 2020-07-22 2020-10-09 2020-12-18 Change Description Initial version of the guide. Revision 2 with a new section under Windows Server Configuration - Configuring Log Monitoring for Non-Administrative User. Revision 3 with updated section: Fortinet FortiGate Firewall Revision 4 with updated section: Microsoft Azure Audit Revision 5 with updated section: WatchGuard Firebox Firewall Revision 6 with updated section: Fortinet FortiGate Firewall > Configuring SSH on FortiSIEM to communicate with FortiGate Revision 7: updated section: Cisco FireSIGHT Revision 8: new section: Threat Intelligence Revision 9: updates the guide to reflect the new menu hierarchy in the FortiSIEM tool. Revision 10: added Carbon Black Security Platform under End Point Security Software. Revision 11: updated integration instructions for Microsoft Office 365 Audit. Revision 12: added Clavister Firewall and FortiADC devices. Added Active Directory User Discovery section to Microsoft Active Directory device. Corrections to SQL Server DDL Event Creation Script and SQL Server Database Level Event Creation Script. Revision 13: added Zeek (Bro) installation instructions for Security Onion, Cyberoam FortiADC, Epic SecuritySIEM, FortiEDR, FortiNAC, FortiDeceptor, Microsoft Network Policy Server, TrendMicro Deep Discovery. Changed the name of Cisco FireAMP to Cisco AMP Cloud V0. Changed the name of Cisco AMP to Cisco AMP Cloud V1. Revision 14: added CradlePoint. Revision 15: added Alert Logic Iris API, AWS Kinesis, AWS Security Hub, Cisco Amp, GitLab Cli, Azure Event Hub, Azure Compute, McAfee ePolicy Orchestrator, LastLine, Imperva Securesphere Web App Firewall, Imperva Securesphere DB Security Gateway, Imperva Securesphere DB Monitoring Gateway, Green League WVSS, FortiInsight, Damballa Failsafe, AWS EC2, Cisco Fireamp, Novell Netware, Green League RSAS, Checkpoint SmartCenter, FortiTester, Cisco Viptela, MobileIron, Duo, Indegy Industrial Cybersecurity Suite, Netwrix, Darktrace DCIP, Hirschmann SCADA Firewalls and Switches. Revision 16: Edits to Cisco AMP Cloud V0 and Cisco AMP Cloud V1. Revision 17: Added Alcide io KAudit, Stormshield Network Security and Tigera Calico Revision 18: Added note to AWS CloudTrail API Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 3 Fortinet Technologies Inc. Change Log Date 2021-01-05 2021-02-03 2021-03-03 2021-18-03 2021-05-04 2021-07-04 2021-16-04 2021-23-04 2021-18-05 2021-21-05 2021-07-26 2021-07-30 2021-08-02 2021-08-30 2021-09-24 2021-10-27 Change Description Revision 19: Added Mapping Active Directory User Attributes to FortiSIEM User Attributes. Revision 20: Updated Malwarebytes to Malwarebytes Endpoint Protection. Revision 21: Added NetApp Data ONTAP Supported Version. Revision 22: Added Claroty Continuous Threat Detection, Corero Smartwall Threat Defense, Dragos Platform, Malwarebytes Breach Remediation, Oracle Cloud Access Security Broker (CASB), Proofpoint. Revision 23: Updated Linux server section. Revision 24: Updated AWS Kinesis for 6.2.0. Revision 25: Updated Microsoft Office 365 Audit "Create the Office 365 API Credential" steps. Revision 26: Added Salesforce Configuration for 6.2.0, 6.1.x, 5.4.0, 5.3.x, 5.2.x releases. Revision 27: Updated Apache Web Server, AWS EC2 CloudWatch API, and Fortigate Firewall for 6.1.x releases. Added FortiAnalyzer for 6.1.x releases. Revision 28: Updated Windows Agent links for Microsoft sections. Revision 29: Updated Epilog/snare link for Oracle Database Server, Juniper Steel Belted RADIUS, and Apache Web Server configurations. Revision 30: Updated Tenable Nessus Vulnerability Scanner configuration. Revision 31: Updated Cisco FireSIGHT Configuration. Revision 32: Updated Microsoft SQL Server for 6.x guides. Revision 33: Updated Squid Web Proxy with syslog configuration for versions 4.1.1 and later for 6.1.1-6.3.x Guides. Revision 34: Updated Cisco Firepower Management Center (FMC) - Formerly FireSIGHT and FirePower Threat Defense : Using Cisco eStreamer Client for 6.x Guides. FortiSIEM 6.1.1 External Systems Configuration Guide 4 Fortinet Technologies Inc. TABLE OF CONTENTS Change Log Overview FortiSIEM External Ports Supervisor Communication Worker Communication Collector Communication Supported Devices and Applications by Vendor Applications Application Server Apache Tomcat IBM WebSphere Microsoft ASP.NET Oracle GlassFish Server Oracle WebLogic Redhat JBOSS Authentication Server Cisco Access Control Server (ACS) Cisco Identity Solution Engine (ISE) Cisco Duo CyberArk Password Vault Fortinet FortiAuthenticator Juniper Networks Steel-Belted RADIUS Microsoft Internet Authentication Server (IAS) Microsoft Network Policy Server (RAS VPN) OneIdentity Safeguard (previously Balabit Privileged Session Management) Vasco DigiPass Database Server IBM DB2 Server Microsoft SQL Server What is Discovered and Monitored Microsoft SQL Server Scripts MySQL Server Oracle Database Server DHCP and DNS Server Infoblox DNS/DHCP ISC BIND DNS Linux DHCP Microsoft DHCP Microsoft DNS Directory Server Microsoft Active Directory Document Management Server Microsoft SharePoint Healthcare IT FortiSIEM 6.1.1 External Systems Configuration Guide Fortinet Technologies Inc. 3 12 13 13 15 17 19 51 52 53 57 64 65 69 73 77 78 84 85 89 91 92 94 95 96 97 99 100 105 105 125 128 133 140 141 143 145 147 149 151 152 157 158 159 5 Epic EMR/EHR System Mail Server Microsoft Exchange Management Server/Appliance Cisco Application Centric Infrastructure (ACI) What is Discovered and Monitored Fortinet FortiInsight Fortinet FortiManager Remote Desktop Citrix Receiver (ICA) Source Code Control GitHub GitLab API GitLab CLI Unified Communication Server Configuration Avaya Call Manager Cisco Call Manager Cisco Contact Center Cisco Presence Server Cisco Tandeberg Telepresence Video Communication Server (VCS) Cisco Telepresence Multipoint Control Unit (MCU) Cisco Telepresence Video Communication Server Cisco Unity Connection Web Server Apache Web Server Microsoft IIS for Windows 2000 and 2003 Microsoft IIS for Windows 2008 Nginx Web Server Blade Servers Cisco UCS Server HP BladeSystem Cloud Applications Alcide.io KAudit AWS Access Key IAM Permissions and IAM Policies AWS CloudTrail Amazon AWS EC2 AWS EC2 CloudWatch API AWS Kinesis AWS RDS AWS Security Hub Box.com Google Workspace Audit Microsoft Azure Audit Microsoft Office 365 Audit Microsoft Cloud App Security Microsoft Azure Advanced Threat Protection (ATP) Microsoft Azure Compute Microsoft Azure Event Hub FortiSIEM 6.1.1 External Systems Configuration Guide Fortinet Technologies Inc. 160 162 163 166 167 167 171 174 175 176 180 181 183 187 190 191 193 199 200 201 203 204 205 206 207 211 213 215 217 218 221 222 223 224 226 230 232 234 237 239 246 248 253 255 265 268 269 275 6 Microsoft Windows Defender Advanced Threat Protection (ATP) Okta Salesforce CRM Audit Console Access Devices Lantronix SLC Console Manager End Point Security Software Bit9 Security Platform Carbon Black Security Platform Cisco AMP Cloud V0 Cisco AMP Cloud V1 Cisco Security Agent (CSA) CloudPassage Halo CrowdStrike Endpoint Security Digital Guardian CodeGreen DLP ESET NOD32 Anti-Virus FortiClient Fortinet FortiEDR Malwarebytes Endpoint Protection McAfee ePolicy Orchestrator (ePO) MobileIron Sentry and Connector Netwrix Auditor (via Correlog Windows Agent) Palo Alto Traps Endpoint Security Manager SentinelOne Sophos Central Sophos Endpoint Security and Control Symantec Endpoint Protection Symantec SEPM Tanium Connect Trend Micro Interscan Web Filter Trend Micro Intrusion Defense Firewall (IDF) Trend Micro OfficeScan Environmental Sensors APC Netbotz Environmental Monitor APC UPS Generic UPS Liebert FPC Liebert HVAC Liebert UPS Firewalls Check Point FireWall-1 Check Point Provider-1 Firewall Configuring CMA for Check Point Provider-1 Firewalls Configuring CLM for Check Point Provider-1 Firewalls Configuring MDS for Check Point Provider-1 Firewalls Configuring MLM for Check Point Provider-1 Firewalls Check Point VSX Firewall Cisco Adaptive Security Appliance (ASA) Clavister Firewall FortiSIEM 6.1.1 External Systems Configuration Guide Fortinet Technologies Inc. 281 283 288 292 293 294 295 297 299 305 312 315 317 320 321 322 325 327 328 332 333 334 335 337 339 340 342 343 344 346 347 348 349 352 354 355 357 359 361 362 365 367 370 372 375 377 380 386 7 Cyberoam Firewall 388 Dell SonicWALL Firewall 390 Fortinet FortiGate Firewall 392 Imperva Securesphere Web App Firewall 398 Juniper Networks SSG Firewall 400 McAfee Firewall Enterprise (Sidewinder) 404 Palo Alto Firewall 406 Sophos UTM 410 Stormshield Network Security 412 Tigera Calico 413 WatchGuard Firebox Firewall 415 Load Balancers and Application Firewalls 417 Brocade ServerIron ADX 418 Citrix Netscaler Application Delivery Controller (ADC) 421 F5 Networks Application Security Manager 423 F5 Networks Local Traffic Manager 425 Settings for Access Credentials 427 F5 Networks Web Accelerator 428 Fortinet FortiADC 429 Qualys Web Application Firewall 430 Log Aggregators 433 Fortinet FortiAnalyzer 434 Network Compliance Management Applications 437 Cisco Network Compliance Manager 438 PacketFence Network Access Control (NAC) 440 Network Intrusion Prevention Systems (IPS) 441 3Com TippingPoint UnityOne IPS 442 AirTight Networks SpectraGuard 445 Alert Logic IRIS API 447 Cisco Firepower Management Center (FMC) - Formerly FireSIGHT and FirePower Threat Defense 450 Cisco Intrusion Prevention System 455 Cisco Stealthwatch 457 Cylance Protect Endpoint Protection 458 Cyphort Cortex Endpoint Protection 460 Damballa Failsafe 462 Darktrace CyberIntelligence Platform 463 FireEye Malware Protection System (MPS) 465 FortiDDoS 467 Fortinet FortiDeceptor 469 Fortinet FortiNAC 471 Fortinet FortiSandbox 473 Fortinet FortiTester 475 IBM Internet Security Series Proventia 476 Indegy Security Platform 479 Juniper DDoS Secure 480 Juniper Networks IDP Series 482 McAfee IntruShield 484 FortiSIEM 6.1.1 External Systems Configuration Guide 8 Fortinet Technologies Inc. McAfee Stonesoft IPS Motorola AirDefense Nozomi Radware DefensePro Snort Intrusion Prevention System Sourcefire 3D and Defense Center Trend Micro Deep Discovery Zeek (Bro) Installed on Security Onion Routers and Switches Alcatel TiMOS and AOS Switch Arista Router and Switch Brocade NetIron CER Routers Cisco 300 Series Routers Cisco IOS Router and Switch How CPU and Memory Utilization is Collected for Cisco IOS Cisco Meraki Cloud Controller and Network Devices Cisco NX-OS Router and Switch Cisco ONS Cisco Viptela SDWAN Router Dell Force10 Router and Switch Dell NSeries Switch Dell PowerConnect Switch and Router Foundry Networks IronWare Router and Switch HP/3Com ComWare Switch HP ProCurve Switch HP Value Series (19xx) and HP 3Com (29xx) Switch Hirschmann SCADA Firewalls and Switches Juniper Networks JunOS Switch MikroTik Router Nortel ERS and Passport Switch Security Gateways Barracuda Networks Spam Firewall Blue Coat Web Proxy Cisco IronPort Mail Gateway Cisco IronPort Web Gateway Fortinet FortiMail Fortinet FortiWeb Imperva Securesphere DB Monitoring Gateway Imperva Securesphere DB Security Gateway McAfee Vormetric Data Security Manager McAfee Web Gateway Microsoft ISA Server Squid Web Proxy SSH Comm Security CryptoAuditor Websense Web Filter Servers HP UX Server IBM AIX Server FortiSIEM 6.1.1 External Systems Configuration Guide Fortinet Technologies Inc. 487 489 491 493 495 500 502 504 506 507 509 512 514 516 525 527 529 534 536 537 540 543 545 549 551 553 556 557 560 562 564 565 567 571 573 575 578 580 581 583 584 586 592 595 596 598 599 602 9 IBM OS400 Server Linux Server Microsoft Windows Server QNAP Turbo NAS Sun Solaris Server Storage Brocade SAN Switch Configuration Dell Compellent Storage Dell EqualLogic Storage EMC Clariion Storage EMC Isilon Storage EMC VNX Storage Configuration NetApp DataONTAP NetApp Filer Storage Nimble Storage Reports Nutanix Storage Threat Intelligence Fortinet FortiInsight Lastline ThreatConnect Virtualization Hyper-V HyTrust CloudControl VMware ESX VPN Gateways Cisco VPN 3000 Gateway Cyxtera AppGate Software Defined Perimeter (SDP) Juniper Networks SSL VPN Gateway Microsoft PPTP VPN Gateway Pulse Secure Vulnerability Scanners AlertLogic Intrusion Detection and Prevention Systems (IPS) Green League WVSS McAfee Foundstone Vulnerability Scanner Qualys QualysGuard Scanner Qualys Vulnerability Scanner Rapid7 NeXpose Vulnerability Scanner Rapid7 InsightVM Integration Tenable.io Tenable Nessus Vulnerability Scanner Tenable Security Center YXLink Vuln Scanner WAN Accelerators Cisco Wide Area Application Server Riverbed SteelHead WAN Accelerator FortiSIEM 6.1.1 External Systems Configuration Guide Fortinet Technologies Inc. 605 607 613 629 630 633 634 634 636 638 640 645 647 651 653 656 656 658 662 663 666 668 670 671 674 675 677 678 680 681 683 684 686 687 689 690 692 693 695 697 699 701 704 706 707 708 711 10 Wireless LANs 713 Aruba Networks Wireless LAN 714 Reports 714 Cisco Wireless LAN 716 CradlePoint 719 FortiAP 721 FortiWLC 723 Motorola WiNG WLAN AP 726 Ruckus Wireless LAN 728 Using Virtual IPs to Access Devices in Clustered Environments 730 Syslog over TLS 731 Appendix 732 CyberArk to FortiSIEM Log Converter XSL 732 Access Credentials 737 FortiSIEM 6.1.1 External Systems Configuration Guide 11 Fortinet Technologies Inc. Overview This document describes how to configure third party devices for monitoring by FortiSIEM. l Ports Used by FortiSIEM for Discovery and Monitoring l Supported Devices and Applications by Vendor l Windows Agent Installation Guide l Applications l Blade Servers l Cloud Applications l Console Access Devices l End Point Security Software l Environmental Sensors l Firewalls l Load Balancers and Application Firewalls l Log Aggregators l Network Compliance Management Applications l Network Intrusion Protection Systems (IPS) l Routers and Switches l Security Gateways l Servers l Storage l Virtualization l VPN Gateways l Vulnerability Scanners l WAN Accelerators l Wireless LANs l Using Virtual IPs to Access Devices in Clustered Environments l Syslog over TLS FortiSIEM 6.1.1 External Systems Configuration Guide 12 Fortinet Technologies Inc. FortiSIEM External Ports This chapter describes the external communication ports needed for various FortiSIEM nodes to work. The ports are broken down for: l Supervisor Communication l Worker Communication l Collector Communication In release 6.1, some clear communication has been replaced by SSL communication. If an entry in the tables below has 5.3, then that entry is valid for releases 5.3 and below. If an entry in the tables below has 6.1, then that entry is valid for releases 6.1 and above. Supervisor Communication From To FortiSIEM Management User FortiSIEM Management User FortiSIEM Management User Collector, Worker, Windows Agent, Linux Agent Supervisor Worker Supervisor Supervisor Supervisor Supervisor Report Server Supervisor Inbound or Outbound Inbound Ports TCP/22 Inbound ICMP Inbound TCP/443 Inbound TCP/443 Outbound Inbound TCP/5432 SSL/7914 Worker Supervisor Supervisor Worker Inbound SSL/7900 Outbound SSL/7900 Worker Supervisor Inbound SSL/7918 Services Admin access via SSH Monitoring via ICMP GUI access via HTTPS REST API access via HTTPS PostGreSQL (report loading) phParser on Worker to phParser on Supervisor for EPS enforcement phMonitorWorker to phMonitorSuper communication phMonitorSuper to phMonitorWorker Communication phQueryWorker to phQueryMaster Communication FortiSIEM 6.1.1 External Systems Configuration Guide 13 Fortinet Technologies Inc. FortiSIEM External Ports From Supervisor Worker Worker 6.1 To Worker Supervisor Supervisor Inbound or Outbound Outbound Ports SSL/7916 Inbound SSL/7922 Outbound SSL/7920 Worker Worker Supervisor Worker Supervisor External Device External Device External Device External Device External Device External Device Supervisor Supervisor Supervisor Supervisor Supervisor Supervisor Inbound SSL/7934 Supervisor Inbound SSL/7938 Worker Supervisor Outbound Inbound TCP/6666 TCP/5555 External Device Outbound UDP/161 Supervisor Inbound TCP/21 Supervisor Supervisor Supervisor Supervisor Supervisor External Windows Devices External Devices External Devices External Devices Checkpoint Inbound Inbound Inbound Inbound Inbound Outbound UDP/162 UDP/514 TCP/514 SSL/6514 UDP/2055 TCP/135 Outbound TCP/389 Outbound TCP/1433 Outbound UDP/8686 Outbound TCP/18184 Services phQueryMaster to phQueryWorker communication phRuleWorker to phRuleMaster communication phQueryMaster to phDataManager for trigger event query phReportWorker to phReportMaster Communication phIdentityWorker to phIpIdentityMaster Redis communication phFortiInsightAI module data collection SNMP based monitoring FTP (for receiving Bluecoat logs via ftp) SNMP Trap UDP syslog TCP syslog Syslog over TLS NetFlow WMI based monitoring and log collection LDAP discovery JDBC based monitoring and data collection JMX based monitoring and data collection Checkpoint LEA based log collection FortiSIEM 6.1.1 External Systems Configuration Guide 14 Fortinet Technologies Inc. FortiSIEM External Ports From Supervisor Supervisor Supervisor Supervisor Supervisor Supervisor Supervisor Supervisor Supervisor Supervisor Supervisor Supervisor To Checkpoint Inbound or Outbound Outbound Ports TCP/18190 External Device Outbound TCP/443 Services Checkpoint CPMI based data collection HTTPS based log collection External Device Outbound TCP/110 POP3 for email monitoring (STM) External Device Outbound TCP/143 IMAP for email monitoring (STM) External Device Outbound External Device Outbound Mail Gateway NFS Server Outbound Outbound Elasticsearch Coordinating Node Elasticsearch Coordinating Node Spark Master Node HDFS Name Node Outbound Outbound Outbound Outbound TCP/993 TCP/995 TCP/SMTP UDP/111, TCP/111 HTTPS/9200 (configurable) IMAP/SSL for email monitoring (STM) POP/SSL for email monitoring (STM) Sending email notification NFS Portmapper for writing events in NFS based deployments Storing events for Elasticsearch based deployments HTTPS/9300 or HTTPS/443 (configurable) HTTPS/7077 (configurable) HTTPS/9000 (configurable) Querying events for Elasticsearch based deployments Querying events for HDFS based deployments Archiving events for HDFS based deployments Worker Communication From To FortiSIEM Management User Worker Inbound or Outbound Inbound Ports TCP/22 Services Admin access via SSH FortiSIEM 6.1.1 External Systems Configuration Guide 15 Fortinet Technologies Inc. FortiSIEM External Ports From To FortiSIEM Management User Collector Worker Worker Worker Supervisor Inbound or Outbound Inbound Ports ICMP Inbound Outbound TCP/443 SSL/7914 Worker Supervisor Outbound SSL/7900 Supervisor Worker Inbound SSL/7900 Worker Supervisor Outbound SSL/7918 Supervisor Worker Inbound SSL/7916 Worker Supervisor Outbound SSL/7922 Worker 6.1 Supervisor Outbound SSL/7920 Worker Supervisor Outbound SSL/7934 Worker Supervisor Worker Worker External Device External Device External Device External Device External Device External Device Worker Worker Supervisor Worker Supervisor External Device Worker Worker Worker Worker Worker Worker External Windows Devices External Devices Outbound Inbound Outbound Outbound Inbound Inbound Inbound Inbound Inbound Inbound Outbound Outbound SSL/7938 TCP/6666 TCP/5555 UDP/161 TCP/21 UDP/162 UDP/514 TCP/514 SSL/6514 UDP/2055 TCP/135 TCP/389 Services ICMP REST API access via HTTPS phParser on Worker to phParser on Supervisor for EPS enforcement phMonitorWorker to phMonitorSuper communication phMonitorSuper to phMonitorWorker Communication phQueryWorker to phQueryMaster Communication phQueryMaster to phQueryWorker communication phRuleWorker to phRuleMaster communication phQueryMaster to phDataManager for trigger event query phReportWorker to phReportMaster Communication phIdentityWorker to phIpIdentityMaster Redis communication phFortiInsightAI module data collection SNMP based monitoring FTP (for receiving Bluecoat logs via ftp) SNMP Trap UDP syslog TCP syslog Syslog over TLS NetFlow WMI based monitoring and log collection LDAP discovery FortiSIEM 6.1.1 External Systems Configuration Guide 16 Fortinet Technologies Inc. FortiSIEM External Ports From Worker Worker Worker Worker Worker Worker Worker Worker Worker Worker Worker Worker To External Devices Inbound or Outbound Outbound Ports TCP/1433 External Devices Outbound UDP/8686 Checkpoint Checkpoint External Device External Device External Device External Device External Device NFS Server Outbound Outbound Outbound Outbound Outbound Outbound Outbound Outbound Elasticsearch Outbound Coordinating Node TCP/18184 TCP/18190 TCP/443 TCP/110 TCP/143 TCP/993 TCP/995 UDP/111, TCP/111 HTTPS/9200 (configurable) Services JDBC based monitoring and data collection JMX based monitoring and data collection Checkpoint LEA based log collection Checkpoint CPMI based data collection HTTPS based log collection POP3 for email monitoring (STM) IMAP for email monitoring (STM) IMAP/SSL for email monitoring (STM) POP/SSL for email monitoring (STM) NFS Portmapper for writing events in NFS based deployments Storing events for Elasticsearch based deployments HDFS Name Node Outbound HTTPS/9000 (configurable) Archiving events for HDFS based deployments Collector Communication From To FortiSIEM Management User FortiSIEM Management User Collector Collector Worker External Device Worker Worker Worker Supervisor External Device Worker External Device Worker Inbound or Outbound Inbound Inbound Outbound Outbound Outbound Inbound Inbound Ports TCP/22 ICMP TCP/443 TCP/443 UDP/161 TCP/21 UDP/162 Services Admin access via SSH ICMP REST API access via HTTPS REST API access via HTTPS SNMP based monitoring FTP (for receiving Bluecoat logs via ftp) SNMP Trap FortiSIEM 6.1.1 External Systems Configuration Guide 17 Fortinet Technologies Inc. FortiSIEM External Ports From External Device External Device External Device External Device Collector Collector Collector Collector Collector Collector Collector Collector Collector Collector Collector To Worker Worker Worker Worker External Windows Devices External Devices External Devices Inbound or Outbound Inbound Inbound Inbound Inbound Outbound Outbound Outbound External Devices Outbound Checkpoint Outbound Checkpoint Outbound External Device External Device Outbound Outbound External Device Outbound External Device Outbound External Device Outbound Ports Services UDP/514 TCP/514 SSL/6514 UDP/2055 TCP/135 TCP/389 TCP/1433 UDP/8686 TCP/18184 TCP/18190 TCP/443 TCP/110 TCP/143 TCP/993 TCP/995 UDP syslog TCP syslog Syslog over TLS NetFlow WMI based monitoring and log collection LDAP discovery JDBC based monitoring and data collection JMX based monitoring and data collection Checkpoint LEA based log collection Checkpoint CPMI based data collection HTTPS based log collection POP3 for email monitoring (STM) IMAP for email monitoring (STM) IMAP/SSL for email monitoring (STM) POP/SSL for email monitoring (STM) FortiSIEM 6.1.1 External Systems Configuration Guide 18 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor AirTight Networks Alcatel Alcatel Alert Logic Alert Logic Alcide.io Amazon Amazon Amazon Amazon Amazon Model Discovery Overview Performance Monitoring Overview Log Analysis Overview Config Change Monitoring Details SpectraGuard Discovered via LOG only Not natively supported - Custom monitoring needed CEF format: Over 125 event types parsed covering various Wireless suspicious activities Currently not natively supported AirTight Networks SpectraGuard TiMOS Routers and Switches SNMP: OS, Hardware SNMP: CPU, memory, interface utilization, hardware status Not natively supported Custom parsing needed Currently not natively supported Alcatel TiMOS and AOS Switch Configuration AOS Routers and SNMP: OS, Switches Hardware SNMP: CPU, memory, interface utilization, hardware status Not natively supported Custom parsing needed Currently not natively supported Alcatel TiMOS and AOS Switch Configuration Intrusion Detection and Prevention Systems (IPS) Host name and Device type Not supported Not supported Alert Logic IPS Iris API Host name and Device type Not supported Not supported Alert Logic IRIS API KAudit Not natively supported Not natively supported Kubernetes Audit logs Not natively supported Alcide io KAudit AWS Servers AWS API: Server Name, Access IP, Instance ID, Image Type, Availability Zone CloudWatch API: System Metrics: CPU, Disk I/O, Network CloudTrail API: Over 325 event types parsed covering various AWS activities CloudTrail API: various administrative changes on AWS systems and users AWS CloudWatchAWS CloudTrail AWS Elastic Block Storage (EBS) CloudWatch API: Volume ID, Status, Attach Time CloudWatch API: Read/Write Bytes, Ops, Disk Queue AWS EBS and RDS AWS EC2 AWS EC2 AWS Relational Database Storage (RDS) CloudWatch API: CPU, Connections, Memory, Swap, Read/Write Latency and Ops AWS EBS and RDS Security Hub AWS Security FortiSIEM 6.1.1 External Systems Configuration Guide 19 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Apache Apache APC APC Arista Networks Aruba Networks Avaya Avaya Barracuda Networks Model Discovery Overview Performance Monitoring Overview Tomcat Application Server Apache Web server JMX: Version JMX: CPU, memory, servlet, session, database, threadpool, request processor metrics SNMP: Process name SNMP: process level cpu, memory HTTPS via the modstatus module: Apache level metrics NetBotz Environmental Monitor UPS Routers and Switches Aruba Wireless LAN SNMP: Host name, Hardware model, Network interfaces SNMP: Temperature, Relative Humidity, Airflow, Dew point, Current, Door switch sensor etc. SNMP: Host name, Hardware model, Network interfaces SNMP: UPS metrics SNMP: OS, Hardwar; SSH: configuration, running processes SNMP: CPU, Memory, Interface utilization, Hardware Status SNMP: Controller OS, hardware, Access Points SNMP: Controller CPU, Memory, Interface utilization, Hardware Status SNMP: Access Point Wireless Channel utilization, noise metrics, user count Call Manager SNMP: OS, Hardware SNMP: CPU, Memory, Interface utilization, Hardware Status Session Manager SNMP: OS, Hardware SNMP: CPU, Memory, Interface utilization, Hardware Status Spam Firewall Application Currently not natively supported type discovery Log Analysis Overview Config Change Monitoring Currently not natively supported - Custom parsing needed Currently not natively supported Syslog: W3C formatted access logs - per HTTP (S) connection: Sent Bytes, Received Bytes, Connection Duration Currently not natively supported SNMP Trap: Over 125 SNMP Trap event types parsed covering various environmental exception conditions Currently not natively supported Details Hub Apache Tomcat Apache Web Server APC Netbotz SNMP Trap: Over 49 SNMP Trap event types parsed covering various environmental exception conditions Currently not natively supported APC UPS Syslog and NetFlow SSH: Running config, Startup config Arista Router and Switch SNMP Trap: Over 165 event types covering Authentication, Association, Rogue detection, Wireless IPS events CDR: Call Records Syslog: Over 20 event types covering mail Currently not natively supported Currently not natively supported Currently not natively supported Currently not natively Aruba WLAN Avaya Call Manager Barracuda Spam FortiSIEM 6.1.1 External Systems Configuration Guide 20 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Model Discovery Overview Performance Monitoring Overview via LOG Bit9 Blue Coat Security platform Application type discovery via LOG Currently not natively supported Security Gateway Versions v4.x and later SNMP: OS, Hardware SNMP: CPU, Memory, Interface utilization, Proxy performance metrics Box.com Brocade Cloud Storage SAN Switch Currently not natively supported SNMP: OS, Hardware Currently not natively supported SNMP: CPU, Memory, Interface utilization Brocade Carbon Black CentOS / Other Linux distributions ServerIron ADX switch SNMP: Host name, serial number, hardware SNMP: Uptime, CPU, Memory, Interface Utilization, Hardware status, Real Server Statistics Security platform Application type discovery via LOG Currently not natively supported Linux SNMP: OS, Hardware, Software, Processes, Open Ports SSH: Hardware details, Linux distribution SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start, Port up/down SSH: Disk I/O, Paging CentOS / Other Linux distributions DHCP Server Currently not natively supported Currently not natively supported Checkpoint FireWall-1 versions NG, SNMP: OS, Hardware SNMP: CPU, Memory, Interface utilization Log Analysis Overview Config Change Monitoring scanning and filtering activity supported Syslog: Over 259 event types covering various file monitoring activities Currently not natively supported Syslog: Admin access to Security Gateway ; SFTP: Proxy traffic analysis Currently not natively supported Box.com API: File creation, deletion, modify, file sharing Currently not natively supported Currently not natively supported Currently not natively supported Details Carbon Black Security Platform Blue Coat Web Proxy Box.com Brocade SAN Switch Brocade ADX Syslog: Over 259 event types covering various file monitoring activities Currently not natively supported Carbon Black Security Platform Syslog: Situations covering Authentication Success/Failure, Privileged logons, User/Group Modification; SSH: File integrity monitoring, Command output monitoring, Target file monitoring; FortiSIEM LinuxFileMon Agent: File integrity monitoring SSH: File integrity monitoring, Target file monitoring; Agent: File integrity monitoring Linux Server Syslog: DHCP activity (Discover, Offer, Request, Release etc) Used in Identity and Location Not Applicable Linux DHCP LEA from SmartCenter or Log Server: Firewall LEA: Firewall Audit trail Check Point Provider-1 FortiSIEM 6.1.1 External Systems Configuration Guide 21 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Checkpoint Checkpoint Checkpoint Citrix Citrix Cisco Cisco Cisco Cisco Model Discovery Overview Performance Monitoring Overview FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77, NGX, and R75 GAIA Provider-1 versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77, NGX, and R75 VSX Host name and Device type Currently not natively supported Currently not natively supported SNMP: OS, Hardware SNMP: CPU, Memory, Interface utilization NetScaler Application Delivery Controller SNMP: OS, Hardware SNMP: CPU, Memory, Interface utilization, Hardware Status, Application Firewall metrics ICA SNMP: SNMP: Process Utilization; WMI: Process ICA Session metrics Utilization ASA Firewall (single and multicontext) version 7.x and later SNMP: OS, Hardware SSH: interface security level needed for parsing traffic logs, Configuration SNMP: CPU, Memory, Interface utilization, Firewall Connections, Hardware Status AMP FireAMP ASA firepower SFR Module SNMP: OS, Hardware SSH: interface security level needed for parsing traffic SNMP: CPU, Memory, Interface utilization, Firewall Connections, Hardware Status Log Analysis Overview Config Change Monitoring Log, Audit trail, over 940 IPS Signatures Details Firewall Over 9 event types LEA: Firewall Log, Audit trail LEA: Firewall Audit trail Check Point Provider-1 LEA from SmartCenter or Log Server: Firewall Log, Audit trail LEA: Firewall Audit trail Check Point Provider-1 Syslog: Over 465 event types covering admin activity, application firewall events, health events Currently not natively supported Citrix Netscaler Currently not natively supported Currently not natively supported Citrix ICA Syslog: Over 1600 event types parsed for situations covering admin access, configuration change, traffic log, IPS activity; NetFlow V9: Traffic log SSH: Running config, Startup config Cisco ASA Cisco AMP Cisco FireAMP Cloud Syslog: Over 1600 event types parsed for situations covering admin access, configuration change, traffic log, IPS activity; SSH: Running config, Startup config Cisco ASA FortiSIEM 6.1.1 External Systems Configuration Guide 22 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Cisco Cisco Cisco Cisco Cisco Cisco Model Discovery Overview Performance Monitoring Overview CatOS based Switches Duo logs, Configuration SNMP: OS, Hardware (Serial Number, Image file, Interfaces, Components); SSH: configuration running process SNMP: CPU, Memory, Interface utilization, Hardware Status Not natively supported - Custom Monitoring needed PIX Firewall SNMP: OS, Hardware SSH: interface security level needed for parsing traffic logs, Configuration SNMP: CPU, Memory, Interface utilization, Connections, Hardware Status FWSM SNMP: OS, Hardware SSH: interface security level needed for parsing traffic logs, Configuration SNMP: CPU, Memory, Interface utilization, Connections, Hardware Status Identity Services Engine (ISE) Host name and Device type IOS based Routers and Switches SNMP: OS, Hardware; SSH: SNMP: CPU, Memory, Interface utilization, Hardware Status; SNMP: IP SLA metrics; SNMP: Log Analysis Overview Config Change Monitoring NetFlow V9: Traffic log Details Syslog: Over 700 event types parsed for situations covering admin access, configuration change, interface up/down, BGP interface up/down, traffic log, IPS activity NetFlow V5, V9: Traffic logs SSH: Running config, Startup config Cisco IOS Via API Not natively supported Custom Custom Configuration collection needed Cisco Duo Syslog: Over 1600 event types parsed for situations covering admin access, configuration change, traffic log, IPS activity SSH: Running config, Startup config Cisco ASA Syslog: Over 1600 event types parsed for situations covering admin access, configuration change, traffic log, IPS activity SSH: Running config, Startup config Cisco ASA Cisco ISE Syslog: Over 200 event types parsed for situations covering SSH: Running config, Startup config Cisco IOS FortiSIEM 6.1.1 External Systems Configuration Guide 23 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Cisco Cisco Cisco Cisco Cisco Cisco Model Discovery Overview Performance Monitoring Overview Log Analysis Overview Config Change Monitoring Details configuration, running process, Layer 2 connectivity BGP metrics, OSPF metrics; SNMP: Class based QoS metrics; SNMP: NBAR metrics admin access, configuration change, interface up/down, BGP interface up/down, traffic log, IPS activity; NetFlow V5, V9: Traffic logs Nexus OS based Routers and Switches SNMP: OS, Hardware; SSH: configuration running process, Layer 2 connectivity SNMP: CPU, Memory, Interface utilization, Hardware Status; SNMP: IP SLA metrics, BGP metrics, OSPF metrics, NBAR metrics; SNMP: Class based QoS metrics Syslog: Over 3500 event types parsed for situations covering admin access, configuration change, interface up/down, BGP interface up/down, traffic log, hardware status, software and hardware errors; NetFlow V5, V9: Traffic logs SSH: Running config, Startup config Cisco NX-OS ONS SNMP: OS, Hardware SNMP Trap: Availability and Performance Alerts Cisco NX-OS ACE Application Firewall SNMP: OS, Hardware UCS Server UCS API: Hardware components processors, chassis, blades, board, cpu, memory, storage, power supply unit, fan unit UCS API: Chassis Status, Memory Status, Processor Status, Power Supply status, Fan status Syslog: Over 500 event types parsed for situations covering hardware errors, internal software errors etc Currently not natively supported Cisco UCS WLAN Controller and Access Points SNMP: OS, Hardware, Access Points SNMP: Controller CPU, Memory, Interface utilization, Hardware Status; SNMP: Access Point Wireless Channel utilization, noise metrics, user count SNMP Trap: Over 88 event types parsed for situations covering Authentication, Association, Rogue detection, Wireless IPS events Currently not natively supported Cisco Wireless LAN Call Manager SNMP: OS, Hardware, VoIP Phones SNMP: Call manager CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage; SNMP: VoIP Syslog: Over 950 messages from Cisco Call Manager as well as Cisco Unified Real Time Currently not natively supported Cisco Call Manager FortiSIEM 6.1.1 External Systems Configuration Guide 24 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco Model Discovery Overview Contact Center SNMP: OS, Hardware Presence Server SNMP: OS, Hardware Tandeberg Telepresence Video Communication Server (VCS) SNMP: OS, Hardware Tandeberg Telepresence Multiple Control Unit (MCU) SNMP: OS, Hardware Unity Connection SNMP: OS, Hardware IronPort Mail Gateway SNMP: OS, Hardware IronPort Web Gateway SNMP: OS, Hardware Cisco Network IPS Appliances SNMP: OS, Hardware Sourcefire 3D SNMP: OS, Performance Monitoring Overview Log Analysis Overview Config Change Monitoring phone count, Gateway count, Media Device count, Voice mail server count and SIP Trunks count; SNMP: SIP Trunk Info, Gateway Status Info, H323 Device Info, Voice Mail Device Info, Media Device Info, Computer Telephony Integration (CTI) Device Info Monitoring Tool (RTMT); CDR Records, CMR Records: Call Source and Destination, Time, Call Quality metrics (MOS Score, Jitter, latency) SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change Currently not natively supported - Custom parsing needed Currently not natively supported SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change Currently not natively supported - Custom parsing needed Currently not natively supported SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change Currently not natively supported - Custom parsing needed Currently not natively supported SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change Currently not natively supported - Custom parsing needed Currently not natively supported SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change Currently not natively supported - Custom parsing needed Currently not natively supported SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change Syslog: Over 45 event types covering mail scanning and forwarding status Currently not natively supported SNMP: CPU, Memory, Disk Interface utilization, Hardware Status, Process level resource usage, Install software change W3C Access log (Syslog): Over 9 event types covering web request handling status Currently not natively supported SNMP: CPU, Memory, Disk Interface utilization, Hardware Status SDEE: Over 8000 IPS signatures Currently not natively supported Details Cisco Contact Center Cisco Presence Server Cisco Tandeberg Telepresence VCS Cisco Telepresence MCU Cisco Unity Cisco IronPort Mail Cisco IronPort Web Cisco NIPS Sourcefire 3D FortiSIEM 6.1.1 External Systems Configuration Guide 25 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Cisco Cisco Cisco Cisco Cisco Cisco Cisco Cisco Model Discovery Overview and Defense Center Firepower Management Center (FMC) Formerly FireSIGHT Console Hardware Cisco Security Agent SNMP or WMI: OS, Hardware Cisco Access Control Server (ACS) VPN 3000 SNMP or WMI: OS, Hardware SNMP: OS, Hardware Meraki Cloud Controllers Meraki Firewalls SNMP: OS, Hardware, Meraki devices reporting to the Cloud Controller SNMP: OS, Hardware Meraki SNMP: OS, Routers/Switches Hardware Meraki WLAN Access Points SNMP: OS, Hardware Performance Monitoring Overview Log Analysis Overview Config Change Monitoring eStreamer SDK: Intrusion events, Malware events, File events, Discovery events, User activity events, Impact flag events SNMP or WMI: Process CPU and memory utilization SNMP Trap: Over 25 event types covering Host IPS behavioral signatures. SNMP or WMI: Process CPU and memory utilization Syslog: Passed and Failed authentications, Admin accesses SNMP: CPU, Memory, Interface utilization Syslog: Successful and Failed Admin Authentication, VPN Authentication, IPSec Phase 1 and Phase 2 association, VPN statistics SNMP: Uptime, Network Interface Utilization; SNMP Trap: Various availability scenarios Currently not natively supported - Custom parsing needed Currently not natively supported Currently not natively supported Currently not natively supported Currently not natively supported Details and Defense Center Cisco Firepower Management Center (FMC) Formerly Cisco FireSIGHT Cisco CSA Cisco ACS Cisco VPN 3000 Cisco Meraki Cloud Controller and Network Devices SNMP: Uptime, Network Interface Utilization Syslog: Firewall log analysis SNMP: Uptime, Network Interface Utilization SNMP: Uptime, Network Interface Utilization Currently not natively supported Currently not natively supported Currently not natively supported Cisco Meraki Cloud Controller and Network Devices Cisco Meraki Cloud Controller and Network Devices Cisco Meraki Cloud Controller and Network Devices FortiSIEM 6.1.1 External Systems Configuration Guide 26 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Cisco Cisco Model Discovery Overview Performance Monitoring Overview MDS Storage Switch SNMP: OS, Hardware SNMP: CPU, Memory, Interface utilization, Hardware Status Network Control Manager (NCM) Cisco Cisco Stealthwatch Viptela Host name and Device type Not supported Discovered Via LOG only Not natively supported - Custom monitoring needed Cisco Wide Area Application Services (WAAS) SNMP: Host name, Version, Hardware model, Network interfaces CloudPassage Halo Host name and Device type CradlePoint CradlePoint Discovered via LOG only SNMP: CPU, Memory, Interface utilization, Disk utilization, Process cpu/memory utilization Not supported Not natively supported. Custom monitoring needed CrowdStrike Falcon Cyberoam Cyberoam Host name and Device type Discovered via LOG only Not supported Not natively supported. Custom monitoring needed. Cylance Cylance Protect Log Analysis Overview Config Change Monitoring Details Currently not natively supported - Custom parsing needed Currently not natively supported Syslog: Network device software update, configuration analysis for compliance, admin login Cisco Network Compliance Manager Not supported Cisco Stealthwatch Over 289 Events Types parsed Not natively supported Custom configuration collection needed Cisco Viptela SDWAN Router Cisco WAAS Not supported CloudPassage Halo 29 Event types covering Security Violations, Config Changes, Authentications and informational events Not currently supported. CradlePoint Not supported CrowdStrike Falcon Event, Security, and Traffic logs Syslog: Endpoint Connection permit and deny, system events, maleware events Cyberoam Firewall Cylance Protect FortiSIEM 6.1.1 External Systems Configuration Guide 27 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Cyphort Cyxtera Damballa Darktrace Dell Dell Dell Dell Dell Dell Dell Model Discovery Overview Endpoint Protection Cyphort Cortex Endpoint Protection AppGate SDP Failsafe Host name and Device type CyberIntelligence Discovered Platform via LOG only SonicWall Firewall SNMP: OS, Hardware Force10 Router and Switch SNMP: OS, Hardware NSeries Router and Switch SNMP: OS, Hardware PowerConnect Router and Switch SNMP: OS, Hardware Dell Hardware on Intel-based Servers SNMP: Hardware Compellent Storage SNMP: OS, Hardware EqualLogic Storage SNMP: OS, Hardware (Network interfaces, Physical Performance Monitoring Overview Log Analysis Overview Config Change Monitoring protection alerts Details Syslog: Endpoint protection alerts Cyphort Cortex Not supported Not supported Cyxtera AppGate SDP Not natively supported - Custom monitoring needed Over 40 Events Types parsed SNMP: CPU, Memory, Interface utilization, Firewall session count SNMP: CPU, Memory, Interface utilization, Interface Status, Hardware Status SNMP: CPU, Memory, Interface utilization, Hardware Status SNMP: CPU, Memory, Interface utilization, Hardware Status Syslog: Firewall log analysis (over 1000 event types) Damballa Failsafe Not Natively Supported Custom Configuration collection needed Darktrace CyberIntelligence Platform Currently not natively supported Dell SonicWALL SSH: Running config, Startup config Dell Force10 SSH: Startup config Dell NSeries SSH: Startup config Dell PowerConnect SNMP: Hardware Status: Battery, Disk, Memory, Power supply, Temperature, Fan, Amperage, Voltage SNMP: Network Interface utilization, Volume utilization, Hardware Status (Power, Temperature, Fan) SNMP: Uptime, Network Interface utilization; SNMP: Hardware status: Disk, Power supply, Temperature, Fan, RAID health; SNMP: Overall Disk health Currently not natively supported. Currently not natively supported. Dell Compellent Currently not natively supported. Dell EqualLogic FortiSIEM 6.1.1 External Systems Configuration Guide 28 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Digital Guardian EMC EMC Model Discovery Overview Performance Monitoring Overview Log Analysis Overview Config Change Monitoring Disks, Components) metrics: Total disk count, Active disk count, Failed disk count, Spare disk count; SNMP: Connection metrics: IOPS, Throughput; SNMP: Disk performance metrics: IOPS, Throughput; SNMP: Group level performance metrics: Storage, Snapshot Code Green DLP LOG Discovery Currently not natively supported 1 broad event Type Currently not natively supported Clariion Storage Naviseccli: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Installed Software, Storage Controller Ports; Naviseccli: Hardware components, RAID Groups and assigned disks, LUNs and LUN -> RAID Group mappings, Storage Groups and memberships Naviseccli: Storage Processor utilization, Storage Port I/O, RAID Group I/O, LUN I/O, Host HBA Connectivity, Host HBA Unregistered Host, Hardware component health, Overall Disk health, Storage Pool Utilization Currently not natively supported. VNX Storage Naviseccli: Host name, Operating Naviseccli: Storage Processor utilization, Storage Port I/O, RAID Group I/O, LUN I/O, Host HBA Connectivity, Host HBA Unregistered Host, Hardware Details Digital Guardian Code Green DLP EMC Clariion EMC VNX FortiSIEM 6.1.1 External Systems Configuration Guide 29 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor EMC Epic ESET FireEye Model Discovery Overview Performance Monitoring Overview Log Analysis Overview Config Change Monitoring system version, Hardware model, Serial number, Network interfaces, Installed Software, Storage Controller Ports Naviseccli: Hardware components, RAID Groups and assigned disks, LUNs and LUN -> RAID Group mappings, Storage Groups and memberships component health, Overall Disk health, Storage Pool Utilization Isilon Storage SNMP: Host name, Operating system, Hardware (Model, Serial number, Network interfaces, Physical Disks, Components) SNMP: Uptime, Network Interface metrics; SNMP: Hardware component health: Disk, Power supply, Temperature, Fan, Voltage; SNMP: Cluster membership change, Node health and performance (CPU, I/O), Cluster health and performance, Cluster Snapshot, Storage Quota metrics, Disk performance, Protocol performance 5 event types SecuritySIEM Discovered via LOG only Not natively supported. Custom monitoring needed. Authentication Query, Client login Query Currently not natively supported Nod32 Anti-virus Application type discovery via LOG Syslog (CEF format): Virus found/cleaned type of events Malware Application Syslog (CEF format): Details EMC Isilon Epic EMR/EHR System ESET NOD32 FireEye MPS FortiSIEM 6.1.1 External Systems Configuration Guide 30 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor FireEye F5 Networks F5 Networks F5 Networks Fortinet Fortinet Fortinet Fortinet Model Discovery Overview Performance Monitoring Overview Log Analysis Overview Config Change Monitoring Details Protection System (MPS) type discovery via LOG Malware found/cleaned type of events HX Appliances for Endpoint protection Application type discovery via LOG Syslog (CEF format): Malware Acquisition, Containment type of events Application Discovery via Security Manager LOG Syslog (CEF Format); Various application level attack scenarios - invalid directory access, SQL injections, cross site exploits F5 Application Security Manager Local Traffic Manager SNMP: Host name, Operating system, Hardware (Model, Serial number, Network interfaces, Physical Disks), Installed Software, Running Software SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start SNMP Trap: Exception situations including hardware failures, certain security attacks, Policy violations etc; Syslog: Permitted and Denied Traffic F5 Networks Local Traffic Manager Web Accelerator Discovery via LOG Syslog: Permitted Traffic F5 Networks Web Accelerator FortiAnalyzer Fortinet FortiAnalyzer FortiAP Access point Name, OS, Interfaces, Controller (FortiGate) FortiAP CPU, Memory, Clients, Sent/Received traffic Wireless events via FortiGate FortiAP FortiAuthenticato r Vendor, OS, Model Interface Stat, Authentication Stat Over 150 event types Currently not natively supported. Fortinet FortiAuthenticato r FortiClient Discovered via LOG only Syslog: Traffic logs, Event logs Not supported FortiClient FortiSIEM 6.1.1 External Systems Configuration Guide 31 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Fortinet Fortinet Fortinet Fortinet Fortinet Fortinet Fortinet Fortinet Model FortiDeceptor FortiEDR FortiGate firewalls FortiInsight FortiManager FortiNAC FortiWLC FortiTester Discovery Overview Performance Monitoring Overview Log Analysis Overview Config Change Monitoring Details Discovered via LOG only Not natively supported. Custom monitoring needed. Authentication logs, Decoy activity Currently not natively supported. Fortinet FortiDeceptor Discovered via LOG only Not natively supported. Custom monitoring needed. System and security events (e.g. file blocked) Currently not natively supported Fortinet FortiEDR SNMP: OS, Host name, Hardware (Serial Number, Interfaces, Components) SNMP: Uptime, CPU and Memory utilization, Network Interface metrics Syslog: Over 11000 Traffic and system logs; Netflow: traffic flow, Application flow SSH: Running config, Startup config Fortinet FortiGate FortiInsight SNMP: Host name, Hardware model, Network interfaces, Operating system version SNMP: Uptime, CPU and Memory utilization, Network Interface metrics FortiManager Discovered via LOG only Not natively supported. Custom monitoring needed Administrative and User Admission Control events Currently not natively supported Fortinet FortiNAC SNMP Controller Name, OS, Serial Number, Interfaces, Associated Access Points name, OS, Interfaces Controller CPU, Memory, Disk, Throughput, QoS statistics, Station count Hardware/Software errors, failures, logons, license expiry, Access Point Association / Disassociation Not supported FortiWLC Discovered Via LOG only Not natively supported - Custom monitoring needed CEF format: Over 14 Event types parsed Not natively supported Custom configuration collection needed Fortinet FortiTester FortiSIEM 6.1.1 External Systems Configuration Guide 32 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Model Discovery Overview Performance Monitoring Overview Foundry Networks IronWare Router and Switch SNMP: OS, Hardware SSH: configuration, running process SNMP: Uptime, CPU, Memory, Interface utilization, Hardware Status FreeBSD GitHub.com GitHub Host name and Device type Not supported GitLab API GitLab Host name and Device type Not supported GitLab CLI GitLab Host name and Device type Not supported Green League WVSS Huawei HP HP HP VRP Router and Switch SNMP: OS, Hardware; SSH: configuration, running process, Layer 2 connectivity SNMP: Uptime, CPU, Memory, Interface utilization, Hardware Status BladeSystem SNMP: Host name, Access IP, Hardware components SNMP: hardware status HP-UX servers SNMP: OS, Hardware SNMP: Uptime, CPU, Memory, Network Interface, Disk space utilization, Network Interface Errors, Running Process Count, Running process CPU/memory utilization, Running process start/stop; SNMP: Installed Software change; SSH : Memory paging rate, Disk I/O utilization HP Hardware on Intel-based SNMP: hardware SNMP: hardware status Log Analysis Overview Config Change Monitoring Details Syslog: Over 6000 event types parsed for situations covering admin access, configuration change, interface up/down SSH: Running config, Startup config Foundry Networks IronWare Not supported GitHub Not supported GitLab API Not supported GitLab CLI Syslog: Over 30 event types parsed for situations covering admin access, configuration change, interface up/down Green League WVSS SSH: Running config, Startup config HP BladeSystem HP UX Server SNMP Trap: Over 100 traps covering hardware FortiSIEM 6.1.1 External Systems Configuration Guide 33 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor HP HP HP HP HP Model Servers TippingPoint UnityOne IPS ProCurve Switches and Routers Value Series (19xx) Switches and Routers 3Com (29xx) Switches and Routers HP/3Com Comware Switches and Routers Discovery Overview Performance Monitoring Overview Log Analysis Overview Config Change Monitoring Details model, hardware serial, hardware components (fan, power supply, battery, raid, disk, memory) issues SNMP: OS, Hardware SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors Syslog: Over 4900 IPS alerts directly or via NMS TippingPoint IPS SNMP: OS, hardware model, hardware serial, hardware components; SSH: configuration SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors; SNMP: hardware status SSH: Running config, Startup config HP ProCurve SNMP: OS, hardware model, hardware serial, hardware components; SSH: configuration SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors SSH: Startup config HP Value Series (19xx) and HP 3Com (29xx) Switch SNMP: OS, hardware model, hardware serial, hardware components; SSH: configuration SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors SSH: Startup config HP Value Series (19xx) and HP 3Com (29xx) Switch SNMP: OS, hardware model, hardware SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors; SNMP: hardware status Syslog: Over 6000 vent types parsed for situations covering admin access, SSH: Startup config HP/3Com ComWare FortiSIEM 6.1.1 External Systems Configuration Guide 34 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Hirschmann HyTrust IBM IBM IBM IBM IBM Imperva Model Switches CloudControl Websphere Application Server DB2 Database Server ISS Proventia IPS Appliances AIX Servers OS 400 Securesphere DB Monitoring Gateway Discovery Overview Performance Monitoring Overview serial, hardware components; SSH: configuration Host Name, OS SNMP Uptime, CPU, Memory, Interface utilization, hardware Status, OSPF metrics LOG Discovery Currently not natively supported SNMP or WMI: Running processes HTTP(S): Generic Information, Availability metrics, CPU / Memory metrics, Servlet metrics, Database pool metrics, Thread pool metrics, Application level metrics, EJB metrics SNMP or WMI: Running processes JDBC: Database Audit trail: Log on, Database level and Table level CREATE/DELETE/MODIFY operations SNMP: OS, Hardware, Installed Software, Running Processes, Open Ports; SSH: Hardware details SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start, Port up/down ; SSH: Disk I/O, Paging Log Analysis Overview Config Change Monitoring configuration change, interface up/down and other hardware issues and internal errors Not natively supported Custom parsing needed Not natively supported Custom configuration collection needed Over 70 event types Currently not natively supported SNMP Trap: IPS Alerts: Over 3500 event types Syslog: General logs including Authentication Success/Failure, Privileged logons, User/Group Modification Syslog via PowerTech Agent: Over 560 event types Details Hirschmann SCADA Firfewalls and Switches HyTrust CloudControl IBM WebSphere IBM DB2 IBM ISS Proventia IBM AIX IBM OS400 Imperva Securesphere DB Monitoring FortiSIEM 6.1.1 External Systems Configuration Guide 35 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Imperva Imperva Indegy Intel/McAfee Intel/McAfee Intel/McAfee Intel/McAfee Intel/McAfee Intel/McAfee Infoblox Model Discovery Overview Performance Monitoring Overview Securesphere DB Security Gateway Securesphere Web App Firewall Log Analysis Overview Config Change Monitoring Syslog in CEF format Security Platform McAfee Sidewinder Firewall McAfee ePO Intrushield IPS Stonesoft IPS Discovered via LOG only Not natively supported - Custom monitoring needed Over 14 Events Types parsed SNMP: OS, Hardware, Installed Software, Running Processes SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start SNMP: Related process name and parameters SNMP: Process resource utilization SNMP: OS, Hardware SNMP: Hardware status Syslog: Firewall logs SNMP Trap: Over 170 event types Syslog: IPS Alerts Syslog: IPS Alerts Not natively supported Custom configuration collection needed Web Gateway Syslog: Web server log Foundstone Vulnerability Scanner JDBC: Vulnerability data DNS/DHCP Appliance SNMP: OS, Hardware, Installed Software, Running ; SNMP: Zone transfer metrics, DNS Cluster Replication metrics, DNS Performance metrics, DHCP Performance metrics, DDNS Update metrics, DHCP subnet Syslog: DNS logs - name resolution activity success and failures Details Gateway Imperva Securesphere DB Security Gateway Imperva Securesphere DB Security Gateway Indegy Security Platform McAfee Firewall Enterprise (Sidewinder) McAfee ePolicy Orchestrator (ePO) McAfee IntruShield McAfee Stonesoft McAfee Web Gateway McAfee Foundstone Vulnerability Scanner Infoblox DNS/DHCP FortiSIEM 6.1.1 External Systems Configuration Guide 36 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor ISC Juniper Juniper Juniper Juniper Juniper Juniper Model Bind DNS JunOS Router/Switch SRX Firewalls SSG Firewall ISG Firewall Steelbelted RADIUS Secure Access Discovery Overview Performance Monitoring Overview Log Analysis Overview Config Change Monitoring Details Processes usage metrics ; SNMP: Hardware Status ; SNMP Trap: Hardware/Software Errors Syslog: DNS logs - name resolution activity success and failures ISC BIND DNS SNMP: OS, Hardware; SSH: Configuration SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status ; Syslog: Over 1420 event types parsed for situations covering admin access, configuration change, interface up/down and other hardware issues and internal errors SSH: Startup configuration Juniper Networks JunOS SNMP: OS, Hardware SSH: Configuration SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status Syslog: Over 700 event types parsed for situations covering traffic log, admin access, configuration change, interface up/down and other hardware issues and internal errors SSH: Startup configuration Juniper Networks JunOS SNMP: OS, Hardware ; SSH: Configuration SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status Syslog: Over 40 event types parsed for situations covering traffic log, admin access, configuration change, interface up/down and other hardware issues and internal errors SSH: Startup configuration Juniper Networks SSG Firewall SNMP: OS, Hardware ; SSH: Configuration SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status Syslog: Over 40 event types parsed for situations covering traffic log, admin access, configuration change, interface up/down and other hardware issues and internal errors SSH: Startup configuration Juniper Networks SSG Firewall Discovered via LOG Syslog - 4 event types covering admin access and AAA authentication Juniper Networks Steel-Belted RADIUS SNMP: OS, SNMP: CPU, Memory, Disk, Syslog - Over 30 event Juniper Networks FortiSIEM 6.1.1 External Systems Configuration Guide 37 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Model Gateway Discovery Overview Hardware Juniper Netscreen IDP Juniper Lantronix LastLine Liebert DDoS Secure SLC Console Manager HVAC SNMP: Host Name, Hardware model Liebert FPC Liebert UPS SNMP: Host Name, Hardware model SNMP: Host Name, Hardware model Malwarebytes Malwarebytes Endpoint Protection McAfee Vormetric Data LOG Security Manager Discovery Microsoft ASP.NET SNMP: Running Processes Microsoft Azure Advanced Host name Performance Monitoring Overview Log Analysis Overview Config Change Monitoring Details Interface utilization types parsed for situations covering VPN login, Admin access, Configuration Change SSL VPN Gateway Syslog - directly from Firewall or via NSM Over 5500 IPS Alert types parsed Juniper Networks IDP Series Syslog - DDoS Alerts Juniper DDoS Syslog - Admin access, Updates, Commands run Lantronix SLC Console Manager Syslog in CEF format LastLine SNMP: HVAC metrics: Temperature: current value, upper threshold, lower threshold, Relative Humidity: current value, upper threshold, lower threshold, System state etc Liebert HVAC SNMP: Output voltage (X-N, Y-N, Z-N), Output current (X, Y. Z), Neutral Current, Ground current, Output power, Power Factor etc Liebert FPC SNMP: UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated Seconds Remaining, Output voltage etc Liebert UPS Malwarebytes Endpoint Protection Currently not natively supported 1 broad event Type Currently not natively supported McAfee Vormetric Data Security Manager SNMP or WMI: Process level resource usage ; WMI: Request Execution Time, Request Wait Time, Current Requests, Disconnected Requests etc Microsoft ASP.NET Not supported Not supported Microsoft Azure FortiSIEM 6.1.1 External Systems Configuration Guide 38 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Microsoft Model Discovery Overview Threat Protection and Device (ATP) type Azure Compute Azure Event Hub Cloud App Security DHCP Server 2003, 2008 Host name and Device type SNMP: Running Processes DNS Server 2003, 2008 SNMP: Running Processes Domain Controller / Active Directory - 2003, 2008, 2012 SNMP: Running Processes; LDAP: Users Exchange Server SNMP: Running Processes Performance Monitoring Overview Log Analysis Overview Config Change Monitoring Details ATP Not supported Microsoft Azure Compute Microsoft Azure Event Hub Not supported Microsoft Cloud App Security WMI: DHCP metrics: request rate, release rate, decline rate, Duplicate Drop rate etc FortiSIEM Windows Agent (HTTPS): DHCP logs - release, renew etc; Snare Agent (syslog): DHCP logs - release, renew etc; Correlog Agent (syslog): DHCP logs - release, renew etc Microsoft DHCP (2003, 2008) WMI: DNS metrics: Requests received, Responses sent, WINS requests received, WINS responses sent, Recursive DNS queries received etc FortiSIEM Windows Agent (HTTPS): DNS logs - name resolution activity; Snare Agent (syslog): DNS logs name resolution activity; Correlog Agent (syslog): DNS logs - name resolution activity Microsoft DNS (2003, 2008) WMI: Active Directory metrics: Directory Search Rate, Read Rate, Write Rate, Browse Rate, LDAP search rate, LDAP Bind Rate etc; WMI: "dcdiag -e" command output - detect successful and failed domain controller diagnostic tests; WMI: "repadmin /replsummary" command output - Replication statistics; LDAP: Users with stale passwords, insecure password settings Microsoft Active Directory SNMP or WMI: Process level resource usage; WMI: Exchange performance metrics, Exchange Exchange Tracker Logs via FSM Microsoft Exchange FortiSIEM 6.1.1 External Systems Configuration Guide 39 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Microsoft Microsoft Microsoft Microsoft Microsoft Model Hyper-V Hypervisor IIS versions Internet Authentication Server (IAS) Network Policy Server PPTP VPN Gateway Discovery Overview Performance Monitoring Overview Log Analysis Overview Config Change Monitoring error metrics, Exchange mailbox metrics, Exchange SMTP metrics, Exchange ESE Database, Exchange Database Instances, Exchange Mail Submission Metrics, Exchange Store Interface Metrics etc Advanced Windows Agent Powershell over winexe: Guest/Host CPU usage, Memory usage, Page fault, Disk Latency, Network usage ; SNMP: Running Processes SNMP or WMI: Process level resource usage WMI: IIS metrics: Current Connections, Max Connections, Sent Files, Received Files etc FortiSIEM Windows Agent (HTTPS): W3C Access logs - Per instance Per Connection - Sent Bytes, Received Bytes, Duration ; Snare Agent (syslog): W3C Access logs; Correlog Agent (syslog): W3C Access logs SNMP: Running Processes SNMP or WMI: Process level resource usage FortiSIEM Windows Agent (HTTPS): AAA logs - successful and failed authentication ; Snare Agent (syslog): AAA logs - successful and failed authentication ; Correlog Agent (syslog): AAA logs successful and failed authentication Discovered via LOG only. Not natively supported. Custom monitoring needed. AAA-based login events Currently not natively supported FortiSIEM Windows Agent (HTTPS): VPN Access - successful and failed Snare Agent (syslog): VPN Access successful and failed ; Correlog Agent (syslog): VPN Access - successful Details Hyper-V Microsoft IIS for Windows 2000 and 2003; Microsoft IIS for Windows 2008 Microsoft Internet Authentication Server (IAS) Microsoft Network Policy Server Microsoft PPTP FortiSIEM 6.1.1 External Systems Configuration Guide 40 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Microsoft Microsoft Microsoft Microsoft Model Discovery Overview Performance Monitoring Overview Log Analysis Overview Config Change Monitoring Details and failed Sharepoint Server SNMP: Running Processes SNMP or WMI: Process level resource usage LOGBinder Agent: SharePoint logs - Audit trail integrity, Access control changes, Document updates, List updates, Container object updates, Object changes, Object Import/Exports, Document views, Information Management Policy changes etc Microsoft SharePoint SQL Server 2005, 2008, 2008R2, 2012, 2014 SNMP: Running Processes SNMP or WMI: Process resource usage; JDBC: General database info, Configuration Info, Backup Info,; JDBC: Per-instance like Buffer cache hit ratio, Log cache hit ratio etc; JDBC: per-instance, per-database Performance metrics Data file size, Log file used, Log growths etc; JDBC: Locking info, Blocking info JDBC: database error log; JDBC: Database audit trail Microsoft SQL Server Windows Defender Advanced Threat Protection (ATP) Host name and Device type Not supported Not supported Windows Defender ATP Windows 2000, Windows 2003, Windows 2008, Windows 2008 R2, Windows 2012, Windows 2012 R2 SNMP: OS, Hardware (for Dell and HP), Installed Software, Running Processes; WMI: OS, Hardware (for Dell and HP), BIOS, Installed Software, Running Processes, SNMP: CPU, Memory, Disk, Interface utilization, Process utilization ; WMI: SNMP: CPU, Memory, Disk, Interface utilization, Detailed CPU/Memory usage, Detailed Process utilization WMI pulling: Security, System and Application logs; FortiSIEM Windows Agent (HTTPS): Security, System and Application logs, File Content change; Snare Agent (syslog): Security, System and Application logs; Correlog Agent (syslog): Security, System and Application logs SNMP: Installed Software Change; FortiSIEM Windows Agent: Installed Software Change, Registry Change; FortiSIEM Windows Agent: File Microsoft Windows Servers FortiSIEM 6.1.1 External Systems Configuration Guide 41 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor MobileIron Sentry and Connector Motorola Motorola Mikrotek NetApp NetApp Nessus Model Sentry AirDefense Wireless IDS WiNG WLAN Access Point Mikrotech Switches and Routers DataONTAP DataONTAP based Filers Vulnerability Scanner Discovery Overview Performance Monitoring Overview Services, Installed Patches Discovered Via LOG only Not natively supported - Custom monitoring needed Host name, OS, Hardware model, Serial number, Components SNMP: Uptime CPU utilization, Network Interface metrics Log Analysis Overview Config Change Monitoring Integrity Monitoring Over 18 Events Types parsed Not natively supported Custom configuration collection needed Syslog: Wireless IDS logs Syslog: All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health SNMP: Host name, OS, Hardware model, Serial number, Network interfaces, Logical volumes, Physical Disks SNMP: CPU utilization, Network Interface metrics, Logical Disk Volume utilization; SNMP: Hardware component health, Disk health ONTAP API: Detailed NFS V3/V4, ISCSI, FCP storage IO metrics, Detailed LUN metrics, Aggregate metrics, Volume metrics, Disk performance metrics SNMP Trap: Over 150 alerts - hardware and software alerts Nessus API: Vulnerability Scan results - Scan name, Host, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability Details MobileIron Sentry Motorola AirDefense Motorola WLAN Mikrotek Router NetApp DataONTAP NetApp Filer Nessus Vulnerability Scanner FortiSIEM 6.1.1 External Systems Configuration Guide 42 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Netwrix Nginx Nimble Nortel Nortel Nozomi Nutanix Model Auditor Web Server NimbleOS Storage ERS Switches and Routers Passport Switches and Routers Guardian Controller VM Discovery Overview Not natively supported SNMP: Application name Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components SNMP: Host name, OS, Hardware model, Serial number, Components SNMP: Host name, OS, Hardware model, Serial number, Components No SNMP: Host name, OS, Hardware model, Serial number, Network Performance Monitoring Overview Log Analysis Overview Config Change Monitoring CVSS Score, Vulnerability Consequence, etc Not natively supported 2 Event Types parsed (via Windows Correlog Agent) Not natively supported SNMP: Application Resource Usage Syslog: W3C access logs: per HTTP(S) connection: Sent Bytes, Received Bytes, Connection Duration SNMP: Uptime, Network Interface metrics, Storage Disk Utilization SNMP: Storage Performance metrics: Read rate (IOPS), Sequential Read Rate (IOPS), Write rate (IOPS), Sequential Write Rate (IOPS), Read latency, etc SNMP: Uptime CPU/memory utilization, Network Interface metrics/errors, Hardware Status SNMP: Uptime CPU/memory utilization, Network Interface metrics/errors, Hardware Status No Yes No SNMP: Uptime CPU/memory utilization, Network Interface metrics/errors, Disk Status, Cluster Status, Service Status, Storage Pool Info, Container Info Details Netwrix Auditor Nginx Web Server Nimble Storage Nortel ERS and Passport Switch Nortel ERS and Passport Switch Nozomi Nutanix FortiSIEM 6.1.1 External Systems Configuration Guide 43 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Okta.com OneIdentity OpenLDAP Oracle Oracle Oracle Model SSO Safeguard Discovery Overview Performance Monitoring Overview interfaces, Physical Disks, Components Okta API: Users Not supported Log Analysis Overview Config Change Monitoring Okta API: Over 90 event types covering user activity in Okta website OpenLDAP LDAP: Users Enterprise Database Server - 10g, 11g, 12c SNMP or WMI: Process resource usage ; JDBC: Database performance metrics: Buffer cache hit ratio, Row cache hit ratio, Library cache hit ratio, Shared pool free ratio, Wait time ratio, Memory Sorts ratio etc ; JDBC: Database Table space information: able space name, table space type, table space usage, table space free space, table space next extent etc; JDBC: Database audit trail: Database logon, Database operations including CREATE/ALTER/DROP/TRUNC ATE operations on tables, table spaces, databases, clusters, users, roles, views, table indices, triggers etc. Syslog: Listener log, Alert log, Audit Log MySQL Server SNMP or WMI: Process resource usage JDBC: User Connections, Table Updates, table Selects, Table Inserts, Table Deletes, Temp Table Creates, Slow Queries etc; JDBC: Table space performance metrics: Table space name, table space type, Character set and Collation, table space usage, table space free space etc; JDBC: Database audit trail: Database log on, Database/Table CREATE/DELETE/MODIFY operations WebLogic SNMP or JMX: Availability metrics, Memory Details Okta Configuration OneIdentity Safeguard Oracle Database MySQL Server Oracle WebLogic FortiSIEM 6.1.1 External Systems Configuration Guide 44 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Oracle Oracle PacketFence Palo Alto Networks Palo Alto Networks PulseSecure QNAP Qualys Qualys Model Discovery Overview Performance Monitoring Overview Log Analysis Overview Config Change Monitoring Details Application Server WMI: Process resource usage metrics, Servlet metrics, Database metrics, Thread pool metrics, EJB metrics, Application level metrics Glassfish Application Server SNMP or WMI: Process resource usage JMX: Availability metrics, Memory metrics, Servlet metrics, Session metrics, Database metrics, Request processor metrics, Thread pool metrics, EJB metrics, Application level metrics, Connection metrics Oracle GlassFish Server Sun SunOS and Solaris SNMP: OS, Hardware, Software, Processes, Open Ports ; SSH: Hardware details SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start, Port up/down ; SSH: Disk I/O, Paging Syslog: Situations covering Authentication Success/Failure, Privileged logons, User/Group Modification Sun Solaris Server Network Access Control Host name and Device type Not supported Not supported PacketFence Network Access Control Palo Alto Traps Endpoint Security Manager LOG Discovery Currently not natively supported Over 80 event types Currently not natively supported Palo Alto Traps Endpoint Security Manager PAN-OS based Firewall SNMP: Host name, OS, Hardware, Network interfaces; SSH: Configuration SNMP: Uptime, CPU utilization, Network Interface metrics, Firewall connection count Syslog: Traffic log, Threat log (URL, Virus, Spyware, Vulnerability, File, Scan, Flood and data subtypes), config and system logs SSH: Configuration Change Palo Alto Firewall PulseSecure VPN Syslog: VPN events, Traffic events, Admin events PulseSecure Turbo NAS QNAP Turbo NAS QualysGuard Scanner Qualys QualysGuard Scanner Vulnerability Scanner Qualys API: Vulnerability Scan results - Scan Qualys Vulnerability FortiSIEM 6.1.1 External Systems Configuration Guide 45 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Qualys Radware Rapid7 Rapid7 Riverbed Model Discovery Overview Web Application Firewall DefensePro LOG Discovery InsightVM NeXpose Vulnerability Scanner Host name and Device type Steelhead WAN Accelerators SNMP: Host name, Software version, Hardware model, Network interfaces Performance Monitoring Overview Currently not natively supported Not supported Log Analysis Overview Config Change Monitoring name, Host, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence etc syslog (JSON formatted): web log analysis Over 120 event types Currently not natively supported Details Scanner Qualys Web Application Firewall Radware DefensePro Rapid7 InsightVM Rapid7 NeXpose API: Vulnerability Scan results - Scan name, Host, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence etc SNMP: Uptime, CPU / Memory / Network Interface / Disk space metrics, Process cpu/memory utilization; SNMP: Hardware Status SNMP: Bandwidth metrics: (Inbound/Outbound Optimized Bytes - LAN side, WAN side; Connection metrics: Optimized/Pass through / Halfopen optimized connections etc); SNMP: Top Usage metrics: Top source, Top destination, Top Application, Top Talker; SNMP: SNMP Trap: About 115 event types covering software errors, hardware errors, admin login, performance issues - cpu, memory, peer latency issues ; Netflow: Connection statistics Rapid7 NeXpose Vulnerability Scanner Riverbed SteelHead WAN Accelerator FortiSIEM 6.1.1 External Systems Configuration Guide 46 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Model Redhat Linux Redhat JBOSS Application Server Redhat DHCP Server Ruckus Wireless LAN Security Onion Zeek (Bro) SentinelOne SentinelOne Snort IPS Discovery Overview Performance Monitoring Overview Log Analysis Overview Config Change Monitoring Peer status: For every peer: State, Connection failures, Request timeouts, Max latency SNMP: OS, Hardware, Software, Processes, Open Ports ; SSH: Hardware details, Linux distribution SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start, Port up/down ; SSH: Disk I/O, Paging Syslog: Situations covering Authentication Success/Failure, Privileged logons, User/Group Modification SSH: File integrity monitoring, Command output monitoring, Target file monitoring Agent: File integrity monitoring SSH: File integrity monitoring, Target file monitoring Agent: File integrity monitoring SNMP: Process level CPU/Memory usage JMX: CPU metrics, Memory ; metrics, Servlet metrics, Database pool metrics, Thread pool metrics, Application level metrics, EJB metrics SNMP: Process level CPU/Memory usage Syslog: DHCP address release/renew events SNMP: Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points SNMP: Controller Uptime, Controller Network Interface metrics, Controller WLAN Statistics, Access Point Statistics, SSID performance Stats Discovered via LOG only Not natively supported - Custom monitoring needed Syslog JSON format: 6 event types parsed Currently not natively supported Discovered via LOG only Not natively supported. Custom monitoring needed. System and security events (e.g. file blocked) Currently not natively supported SNMP: Syslog: Over 40K IPS Details Linux Server Redhat JBOSS Linux DHCP Ruckus WLAN Zeek (Bro) Installed on Security Onion SentinelOne Snort IPS FortiSIEM 6.1.1 External Systems Configuration Guide 47 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Sophos Sophos Squid SSH Com Security Stormshield Symantec Tanium Tenable Tigera TrendMicro TrendMicro Model Discovery Overview Performance Monitoring Overview Process level CPU/Memory usage Central Host name and Device type Sophos Endpoint Security and Control Not supported Web Proxy SNMP: Process level CPU/Memory usage CryptoAuditor LOG Discovery Currently not natively supported Network Security Not natively supported Symantec Endpoint Protection Not natively supported Connect Tenable.io Calico Deep Discovery Host name and Device type Host name and Device type Not natively supported Discovered via LOG only Not supported Not supported Not natively supported Not natively supportedCustom monitoring needed. Deep Security Log Analysis Overview Config Change Monitoring Details Alerts DBC: Over 40K IPS Alerts - additional details including TCP/UDP/ICMP header and payload in the attack packet Not supported Sophos Central SNMP Trap: Endpoint events including Malware found/deleted, DLP events Sophos Endpoint Security and Control Syslog: W3C formatted access logs - per HTTP (S) connection: Sent Bytes, Received Bytes, Connection Duration Squid Web Proxy Many event types Currently not natively supported SSH Com Security CryptoAuditor Firewall logs Not natively supported Stormshield Network Security Syslog: Over 5000 event types covering end point protection events malware/spyware/adwar e, malicious events Symantec Endpoint Protection Not supported Tanium Connect Not supported Tenable.io Flow, Audit and DNS logs Malicious file detection Syslog: Over 10 event Not natively supported Tigera Calico Currently not natively supported TrendMicro Deep Discovery Not supported FortiSIEM 6.1.1 External Systems Configuration Guide 48 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor TrendMicro TrendMicro TrendMicro Vasco VMware VMware VMware WatchGuard Websense YXLink Model Discovery Overview Performance Monitoring Overview Log Analysis Overview Config Change Monitoring Manager types covering end point protection events Interscan Web Filter LOG Discovery Currently not natively supported 15 event Types Currently not natively supported Intrusion Defense Firewall (IDF) Syslog: Over 10 event types covering end point firewall events Office scan SNMP Trap: Over 30 event types covering end point protection events malware/spyware/adwar e, malicious events DigiPass Syslog - Successful and Failed Authentications, Successful and Failed administrative logons VMware ESX and VCenter VMWare SDK: Entire VMware hierarchy and dependencies - Data Center, Resource Pool, Cluster, ESX and VMs VMWare SDK: VM level: CPU, Memory, Disk, Network, VMware tool status VMWare SDK: ESX level: CPU, Memory, Disk, Network, Data store VMWare SDK: ESX level: Hardware Status VMWare SDK: Cluster level: CPU, Memory, Data store, Cluster Status VMWare SDK: Resource pool level: CPU, Memory VMWare SDK: Over 800 VCenter events covering account creation, VM creation, DRS events, hardware/software errors vShield Syslog: Over 10 events covering permitted and denied connections, detected attacks VCloud Network and Security (vCNS) Manager Syslog: Over 10 events covering various activities Firebox Firewall Syslog: Over 20 firewall event types Web Filter Syslog: Over 50 web filtering events and web traffic logs Vulnerability Scanner Details TrendMicro Interscan Web Filter Trend Micro IDF Trend Micro OfficeScan Vasco DigiPass WatchGuard Firebox Firewall Websense Web Filter YXLink Vulnerability FortiSIEM 6.1.1 External Systems Configuration Guide 49 Fortinet Technologies Inc. Supported Devices and Applications by Vendor Vendor Model Discovery Overview Performance Monitoring Overview Log Analysis Overview Config Change Monitoring Details Scanner FortiSIEM 6.1.1 External Systems Configuration Guide 50 Fortinet Technologies Inc. Applications This section describes how to configure applications for discovery and for providing information to FortiSIEM. l Application Server l Authentication Server l Database Server l DHCP and DNS Server l Directory Server l Document Management Server l Healthcare IT l Mail Server l Management Server/Appliance l Remote Desktop l Source Code Control l Unified Communication Server l Web Server FortiSIEM 6.1.1 External Systems Configuration Guide 51 Fortinet Technologies Inc. Application Server FortiSIEM supports the discovery and monitoring of these application servers. l Apache Tomcat l IBM WebSphere l Microsoft ASP.NET l Oracle GlassFish Server l Oracle WebLogic l Redhat JBOSS FortiSIEM 6.1.1 External Systems Configuration Guide 52 Fortinet Technologies Inc. Apache Tomcat l What is Discovered and Monitored l Configuration l Settings for Access Credentials l Sample Event for Tomcat Metrics What is Discovered and Monitored Protocol JMX JMX Information discovered Metrics collected Used for Generic information: Application version, Application port Availability metrics: Uptime, Application Server State CPU metrics: CPU utilization Memory metrics: Total memory, Free memory, Memory utilization, Virtual committed memory, Total Swap Memory, Free Swap Memory, Swap memory utilization, Heap Utilization, Heap Used Memory, Heap max memory, Heap commit memory, Nonheap Utilization, Non-heap used memory, Non-heap max memory, Non-heap commit memory Servlet metrics: Web application name, Servlet Name, Count allocated, Total requests, Request errors, Load time, Avg Request Processing time Session metrics: Web context path, Peak active sessions, Current active sessions, Duplicate sessions, Expired sessions, Rejected sessions, Average session lifetime, Peak session lifetime, Session processing time, Session create rate, Session expire rate, Process expire frequency, Max session limited, Max inactive Interval Performance Monitoring Database metrics: Web context path, Data source, Database driver, Peak active sessions, Current active sessions, Peak idle sessions, Current idle sessions Thread pool metrics: Thread pool name, Application port, Total threads, Busy threads, Keep alive threads, Max threads, Thread priority, Thread pool daemon flag Request processor metrics: Request processor name, Received Bytes, Sent Bytes, Average Request Process time, Max Request Processing time, Request Rate, Request Errors Performance Monitoring Event Types In ADMIN > Device Support > Event, search for "tomcat" in the Device Type and Description column to see the event types associated with this device. FortiSIEM 6.1.1 External Systems Configuration Guide 53 Fortinet Technologies Inc. Applications Reports In RESOURCE > Reports , search for "tomcat" in the Name column to see the reports associated with this application or device. Configuration JMX Add the necessary parameters to the Tomcat startup script. Windows Modify the file ${CATALINA_BASE}\bin\catalina.bat by adding these arguments for JVM before the comment: rem ----Execute The Requested Command ------ JMX Configuration for Windows set JAVA_OPTS=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=${Your JMX Port} \ -Dcom.sun.management.jmxremote.authenticate=true \ Dcom.sun.management.jmxremote.ssl=false \ Dcom.sun.management.jmxremote.access.file=jmxremote.access \ Dcom.sun.management.jmxremote.password.file=jmxremote.password \ Linux Modify the file ${CATALINA_BASE}/bin/catalina.sh by adding these arguments for JVM before the comment: # ----Execute The Requested Command ------ JMX Configuration for Linux JAVA_OPTS=" $ JAVA_OPTS -Dcom.sun.management.jmxremote \ Dcom.sun.management.jmxremote.port=${ Your JMX Port} \ Dcom.sun.management.jmxremote.authenticate=true \ -Dcom.sun.management.jmxremote.ssl=false \ -Dcom.sun.management.jmxremote.access.file=jmxremote.access \ Dcom.sun.management.jmxremote.password.file=jmxremote.password" \ 1. Edit the access authorization file jmxremote.access. monitorRole readonly controlRole readwrite 2. Edit the password file jmxremote.password. The first column is user name and the second column is password). FortiSIEM only needs monitor access. monitorRole <FortiSIEMUserName>controlRole <userName> 3. In Linux, set permissions for the jmxremote.access and jmxremote.password files so that they are read-only and accessible only by the Tomcat operating system user. FortiSIEM 6.1.1 External Systems Configuration Guide 54 Fortinet Technologies Inc. Applications chmod 600 jmxremote.access chmod 600 jmxremote.password You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Use these Access Method Definition settings to allow FortiSIEM to access your Apache Tomcat application server over JMX: Setting Name Device Type Access Protocol Pull Interval (minutes) Port User Name Password Value Enter a name for the credential. Apache Apache Tomcat JMX 5 0 The user you created in step 3 The password you created in step 3 Sample Event for Tomcat Metrics <134>Jan 22 01:57:32 10.1.2.16 java: [PH_DEV_MON_TOMCAT_CPU]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218, [appVersion]=Apache Tomcat/7.0.27,[appServerState]=STARTED,[sysUpTime]=2458304,[cpuUtil]=0 <134>Jan 22 01:57:32 10.1.2.16 java: [PH_DEV_MON_TOMCAT_MEMORY]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218, [appVersion]=Apache Tomcat/7.0.27,[appServerState]=STARTED,[freeMemKB]=116504, [freeSwapMemKB]=2974020,[memTotalMB]=4095,[swapMemTotalMB]=8189,[virtMemCommitKB]=169900, [memUtil]=98,[swapMemUtil]=65,[heapUsedKB]=18099,[heapMaxKB]=932096,[heapCommitKB]=48896, [heapUtil]=37,[nonHeapUsedKB]=22320,[nonHeapMaxKB]=133120,[nonHeapCommitKB]=24512, [nonHeapUtil]=91 <134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_SERVLET]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218, [appVersion]=Apache Tomcat/7.0.27,[webAppName]=//localhost/host-manager, [servletName]=HTMLHostManager,[countAllocated]=0,[totalRequests]=0,[reqErrors]=0, [loadTime]=0,[reqProcessTimeAvg]=0,[maxInstances]=20,[servletState]=STARTED <134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_SESSION]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218, [appVersion]=Apache Tomcat/7.0.27,[webContextPath]=/host-manager,[activeSessionsPeak]=0, [activeSessions]=0,[duplicateSession]=0,[expiredSession]=0,[rejectedSession]=0, [sessionLifetimeAvg]=0,[sessionLifetimePeak]=0,[sessionProcessTimeMs]=0, [sessionCreateRate]=0,[sessionExpireRate]=0,[webAppState]=STARTED, FortiSIEM 6.1.1 External Systems Configuration Guide 55 Fortinet Technologies Inc. Applications [processExpiresFrequency]=6,[maxSessionLimited]=-1,[maxInactiveInterval]=1800 <134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_DB]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218, [appVersion]=Apache Tomcat/7.0.27,[webContextPath]=/host-manager, [dataSource]="jdbc/postgres1",[dbDriver]=org.postgresql.Driver,[activeSessionsPeak]=20, [activeSessions]=0,[idleSessionsPeak]=10,[idleSessions]=0 <134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_THREAD_POOL]:[eventSeverity]=PHL_ INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX, [destDevPort]=9218,[appVersion]=Apache Tomcat/7.0.27,[threadPoolName]=ajp-apr-18009, [appPort]=18009,[totalThreads]=0,[busyThreads]=0,[keepAliveThreads]=0[maxThreads]=200, [threadPriority]=5,[threadPoolIsDaemon]=true <134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_REQUEST_PROCESSOR]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SHWIN08R2-JMX,[destDevPort]=9218,[appVersion]=Apache Tomcat/7.0.27,[reqProcessorName]="httpapr-18080",[recvBytes]=0,[sentBytes]=62748914,[totalRequests]=4481, [reqProcessTimeAvg]=44107,[reqProcessTimeMax]=516,[reqRate]=0,[reqErrors]=7 FortiSIEM 6.1.1 External Systems Configuration Guide 56 Fortinet Technologies Inc. Applications IBM WebSphere l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored HTTPS Preferred for Monitoring over JMX IBM WebSphere performance metrics can be obtained via HTTP(S) or JMX. The HTTP(S) based method is highly recommended since it consumes significantly less resources on FortiSIEM. Protocol HTTP / HTTP(S) JMX Information discovered Metrics collected Generic information: Application version, Application port Availability metrics: Uptime, Application Server State CPU metrics: Application server instance, CPU utilization Memory metrics: Heap utilization, Heap used memory, Heap free memory, Heap max memory, Heap commit memory Servlet metrics: Application name, Web application name, Servlet Name, Invocation count Database pool metrics: Application server instance, JDBC provider, Data source, Pool size, Closed connections, Active Connections, Requests wait for connections, Connection use time, Connection factory type, Peak connections Thread pool metrics: Application server instance, Thread pool name, Execute threads, Peak execute threads Transaction metrics: Application server instance, Active Transaction, Committed Transaction, Rolled back Transaction Authentication metrics: Application name, Application server instance, Authentication Method, Count Generic information: Application version, Application port Availability metrics: Uptime, Application Server State CPU metrics: Application server instance, CPU utilization Memory metrics: Heap utilization, Heap used memory, Heap free memory, Heap max memory, Heap commit memory, Max System dumps on disk, Max heap dumps on disk Servlet metrics: Application name, Web application name, Servlet Name, Invocation count, Request errors Database pool metrics: Application server instance, JDBC provider, Data source, Pool size, Closed connections, Active Connections, Requests wait for connections, Connection use time, Connection factory type, Peak connections Used for Performance Monitoring Performance Monitoring FortiSIEM 6.1.1 External Systems Configuration Guide 57 Fortinet Technologies Inc. Applications Protocol Syslog Information discovered Metrics collected Used for Thread pool metrics: Application server instance, Thread pool name, Execute threads, Peak execute threads Application level metrics: Application name, Web application name, Application server instance, Web application context root, Active sessions, Peak active sessions EJB metrics: Application name, Application server instance, EJB component name Log analysis Event Types In ADMIN > Device Support > Event, search for "websphere" in the Description column to see the event types associated with this device. l PH_DEV_MON_WEBSPHERE_CPU (from HTTPS) <134>Dec 08 16:11:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_CPU]:[eventSeverity]=PHL_ INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-10.1.2.16, [destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1,[cpuUtil]=0, [sysUpTime]=2340206,[appServerState]=RUNNING l PH_DEV_MON_WEBSPHERE_CPU (from JMX) <134>Jan 22 02:15:23 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_CPU]:[eventSeverity]=PHL_ INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX, [destDevPort]=8880,[appVersion]=IBM WebSphere Application Server 7.0.0.11, [appServerInstance]=server1,[cpuUtil]=0,[sysUpTime]=42206,[appServerState]=STARTED l PH_DEV_MON_WEBSPHERE_MEMORY (from HTTPS) <134>Dec 08 16:11:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_MEMORY]:[eventSeverity]=PHL_ INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-10.1.2.16, [destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1, [appServerState]=running,[heapFreeKB]=93208,[heapUsedKB]=168936,[heapCommitKB]=232576, [heapMaxKB]=262144,[heapUtil]=72 l PH_DEV_MON_WEBSPHERE_MEMORY (from JMX) <134>Jan 22 02:15:25 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_MEMORY]:[eventSeverity]=PHL_ INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX, [destDevPort]=8880,[appVersion]=IBM WebSphere Application Server 7.0.0.11, [appServerInstance]=server1,[appServerState]=STARTED,[maxSystemDumpsOnDisk]=10, [maxHeapDumpsOnDisk]=10,[heapFreeKB]=48140,[heapUsedKB]=172018,[heapCommitKB]=217815, [heapMaxKB]=262144,[heapUtil]=78 l PH_DEV_MON_WEBSPHERE_APP (from HTTPS) <134>Dec 08 16:11:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_APP]:[eventSeverity]=PHL_ INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-10.1.2.16, FortiSIEM 6.1.1 External Systems Configuration Guide 58 Fortinet Technologies Inc. Applications [destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1,[appName]=isclite, [webAppName]=ISCAdminPortlet.war,[activeSessions]=0,[activeSessionsPeak]=1 l PH_DEV_MON_WEBSPHERE_APP (from JMX) <134>Jan 22 02:18:24 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_APP]:[eventSeverity]=PHL_ INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX, [destDevPort]=8880,[appVersion]=IBM WebSphere Application Server 7.0.0.11, [appServerInstance]=server1,[appName]=isclite,[webAppName]=isclite.war, [webContextRoot]=admin_host/ibm/console,[activeSessions]=0,[activeSessionsPeak]=1 l PH_DEV_MON_WEBSPHERE_SERVLET (from HTTPS) <134>Dec 08 16:11:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_SERVLET]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host10.1.2.16,[destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1, [appName]=isclite,[webAppName]=isclite.war, [servletName]=/com.ibm.ws.console.servermanagement/collectionTableLayout.jsp, [invocationCount]=2 l PH_DEV_MON_WEBSPHERE_SERVLET (from JMX) <134>Jan 22 02:15:24 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_SERVLET]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SHWIN08R2-JMX,[destDevPort]=8880,[appVersion]=IBM WebSphere Application Server 7.0.0.11, [appServerInstance]=server1,[appName]=isclite,[webAppName]=isclite.war, [servletName]=action,[reqErrors]=0,[invocationCount]=14 l PH_DEV_MON_WEBSPHERE_DB_POOL (from HTTPS) <134>Dec 08 16:14:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_DB_POOL]:[eventSeverity]=PHL_ INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-10.1.2.16, [destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1,[jdbcProvider]=Derby JDBC Provider (XA),[dataSource]=jdbc/DefaultEJBTimerDataSource,[poolSize]=0, [closedConns]=0,[activeConns]=0,[waitForConnReqs]=0,[connUseTime]=0 l PH_DEV_MON_WEBSPHERE_DB_POOL (from JMX) <134>Jan 22 02:15:23 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_DB_POOL]:[eventSeverity]=PHL_ INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX, [destDevPort]=8880,[appVersion]=IBM WebSphere Application Server 7.0.0.11, [appServerInstance]=server1,[jdbcProvider]=Derby JDBC Provider (XA), [dataSource]=DefaultEJBTimerDataSource,[poolSize]=0,[closedConns]=0,[activeConns]=0, [waitForConnReqs]=0,[connUseTime]=0,[connFactoryType]=,[peakConns]=0 l PH_DEV_MON_WEBSPHERE_THREAD_POOL (from HTTPS) <134>Dec 08 16:14:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_THREAD_POOL]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host10.1.2.16,[destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1, [threadPoolName]=WebContainer,[executeThreads]=2,[executeThreadPeak]=6 l PH_DEV_MON_WEBSPHERE_THREAD_POOL (from JMX) <134>Jan 22 02:18:25 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_THREAD_POOL]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SHWIN08R2-JMX,[destDevPort]=8880,[appVersion]=IBM WebSphere Application Server 7.0.0.11, [appServerInstance]=server1,[threadPoolName]=ORB.thread.pool,[executeThreads]=0, [executeThreadPeak]=0 l PH_DEV_MON_WEBSPHERE_TRANSACTION (from HTTPS) FortiSIEM 6.1.1 External Systems Configuration Guide 59 Fortinet Technologies Inc. Applications <134>Dec 08 16:14:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_TRANSACTION]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host10.1.2.16,[destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1, [activeTxCount]=0,[committedTxCount]=3406,[rolledBackTxCount]=0 l PH_DEV_MON_WEBSPHERE_AUTHENTICATION (from HTTPS) <134>Dec 08 16:14:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_AUTHENTICATION]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host10.1.2.16,[destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1, [authenMethod]=TokenAuthentication,[count]=0 l PH_DEV_MON_WEBSPHERE_EJB (from JMX) <134>Jan 22 02:15:24 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_EJB]:[eventSeverity]=PHL_ INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX, [destDevPort]=8880,[appVersion]=IBM WebSphere Application Server 7.0.0.11, [appServerInstance]=server1,[appName]=SchedulerCalendars, [ejbComponentName]=Calendars.jar Reports In RESOURCE > Reports , search for "websphere" in the Name column to see the reports associated with this device. Configuration HTTP(S) Install the perfServletApp Application 1. Log in to your Websphere administration console. 2. Go to Applications > Application Types > WebSphere enterprise application. 3. Click Install. 4. Select Remote file system and browse to {WebSphere_ Home}/AppServer/installableApps/PerfServletApp.ear. 5. Click Next. The Context Root for the application will be set to /wasPerfTool, but you can edit this during installation. Configure Security for the Application 1. Go to Security > Global Security. 2. Select Enable application security. 3. Go to Applications > Application Types > Websphere Enterprise Applications. 4. Select perfServletApp. 5. Click Security role to user/group mapping. 6. Click Map Users/Groups. 7. Use the Search feature to find and select the FortiSIEM user you want to provide with access to the application, 8. Click Map Special Subjects. FortiSIEM 6.1.1 External Systems Configuration Guide 60 Fortinet Technologies Inc. Applications 9. Select All Authenticated in Application's Realm. 10. Click OK. Start the Application 1. Go to Applications > Application Types > WebSphere enterprise application. 2. Select perfServletApp. 3. Click Start. 4. In a web browser, launch the application by going to http://<ip>:<port>/wasPerfTool/servlet/perfservlet. Default HTTP Port The default port for HTTP is 9080, HTTPS is 9443. You can change these by going to Servers > Server Types > WebSphere application servers > {serverInstance} > Configuration > Ports. JMX Configuring the Default JMX Port By default, your Websphere application server uses port 8880 for JMX. You can change this by logging in to your application server console and going to Application servers > {Server Name} > Ports > SOAP_CONNECTOR_ ADDRESS. The username and password for JMX are the same as the credentials logging into the console. To configure JMX communications between your Websphere application server and FortiSIEM, you must copy several files from your application server to the Websphere configuration directory for each FortiSIEM virtual appliance that will be used for discovery and performance monitoring jobs. FortiSIEM does not include these files because of licensing restrictions. 1. Copy these files to the directory /opt/phoenix/config/websphere/ for each Supervisor, Worker, and Collector in your FortiSIEM deployment. File Type Client Jars SSL files Location l ${WebSphere_ Home}/AppServer/runtimes/ com.ibm.ws.admin.client.jar l ${WebSphere_ Home}/AppServer/plugins/ com.ibm.ws.security.crypto.jar l ${WebSphere_ Home}/AppServer/profiles/${Profile_ Name}/etc/DummyClientKeyFile.jks l ${WebSphere_ Home}/AppServer/profiles/${Profile_ Name}/etc/DummyClientTrustFile.jks 2. Install IBM JDK 1.6 or higher in the location /opt/phoenix/config/websphere/java for each Supervisor, Worker, and Collector in your FortiSIEM deployment. FortiSIEM 6.1.1 External Systems Configuration Guide 61 Fortinet Technologies Inc. Applications You can now configure FortiSIEM to communicate with your device by following the instructions in the User Guide > Section: Setting Credentials, and then initiate discovery of the device as described in the topics under Discovery Settings. Settings for Access Credentials Use these Access Method Definition options to let FortiSIEM access your IBM Websphere device over HTTPS and SNMP. When you set the Device Credential Mapping Definition, make sure to map both the HTTPS and SNMP credentials to the same IP address for your Websphere device. HTTPS. Setting Name Device Type Access Protocol Port URL User Name Password Value websphere_https IBM Websphere App Server HTTPS 9443 /wasPerfTools/servlet/perfservlet Use the user name that you provided with access to the application The password associated with the user that has access to the application Settings for IBM Websphere SNMP Access Credentials Use these Access Method Definition settings to let FortiSIEM access your IBM Websphere device over SNMP. When you set the Device Credential Mapping Definition, make sure to map both the HTTPS and SNMP credentials to the same IP address for your Websphere device. SNMP Access Credentials for All Devices Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> FortiSIEM 6.1.1 External Systems Configuration Guide 62 Fortinet Technologies Inc. Applications Settings for IBM Websphere JMX Access Credentials Use these Access Method Definition settings to let FortiSIEM access your IBM Websphere device over JMX. Setting Name Device Type Access Protocol Pull Interval (minutes) Port User Name Password Value websphere IBM Websphere App Server JMX 5 8880 The administrative user for the application server The password associated with the administrative user FortiSIEM 6.1.1 External Systems Configuration Guide 63 Fortinet Technologies Inc. Applications Microsoft ASP.NET l What is Discovered and Monitored l Configuration l Sample Event for ASP.NET Metrics What is Discovered and Monitored Protocol WMI Information discovered Metrics collected Used for Request Execution Time, Request Wait Time, Current Requests, Disconnected Requests, Queued requests, Disconnected Requests Performance Monitoring Event Types In ADMIN > Device Support > Event, search for "asp.net" in the Description column to see the event types associated with this device. Reports In RESOURCE > Reports , search for "asp.net" in the Name column to see the reports associated with this application or device. Configuration WMI See WMI Configurations in the Microsoft Windows Server Configuration section. Sample Event for ASP.NET Metrics [PH_DEV_MON_APP_ASPNET_MET]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=4868,[hostName]=QA-EXCHG,[hostIpAddr]=172.16.10.28, [appGroupName]=Microsoft ASPNET,[aspReqExecTimeMs]=0,[aspReqCurrent]=0, [aspReqDisconnected]=0,[aspReqQueued]=0,[aspReqRejected]=0,[aspReqWaitTimeMs]=0 FortiSIEM 6.1.1 External Systems Configuration Guide 64 Fortinet Technologies Inc. Applications Oracle GlassFish Server l What is Discovered and Monitored l Configuration l Settings for Access Credentials l Sample Event for Glassfish Metrics What is Discovered and Monitored Protocol JMX JMX Information discovered Metrics collected Used for Generic information: Application version, Application port Availability metrics: Uptime, Application Server State CPU metrics: CPU utilization Memory metrics: Total memory, Free memory, Memory utilization, Virtual committed memory, Total Swap Memory, Free Swap Memory, Swap memory utilization, Heap Utilization, Heap Used Memory, Heap max memory, Heap commit memory, Non-heap Utilization, Non-heap used memory, Non-heap max memory, Non-heap commit memory Servlet metrics: Web application name, Servlet Name, Count allocated, Total requests, Request errors, Avg Request Processing time Performance Monitoring Session metrics: Web context path, Peak active sessions, Current active sessions, Duplicate sessions, Expired sessions, Rejected sessions, Average session lifetime, Peak session lifetime, Session processing time, Session create rate, Session expire rate, Process expire frequency, Max session limited, Max inactive Interval Database metrics: Data source Thread pool metrics: Current live threads, Max live threads Request processor metrics: Request processor name, Received Bytes, Sent Bytes, Total requests, Average Request Process time, Max Request Processing time, Request Rate, Request Errors, Max open connections, Current open connections, Last Request URI, Last Request method, Last Request completion time Application level metrics: Cache TTL, Max cache size, Average request processing time, App server start time, Cookies allowed flag, Caching allowed flag, Linking allowed flag, Cross Context Allowed flag EJB metrics: EJB component name, EJB state, EJB start time Performance Monitoring FortiSIEM 6.1.1 External Systems Configuration Guide 65 Fortinet Technologies Inc. Applications Protocol Information discovered Metrics collected Connection metrics: Request processor name, HTTP status code, HTTP total accesses Used for Event Types In ADMIN > Device Support > Event, search for "glassfish" in the Description column to see the event types associated with this device. Reports In RESOURCE > Reports , search for "glassfish" in the Name column to see the reports associated with this application or device. Configuration JMX 1. The default JMX port used by Oracle GlassFish is 8686. If you want to change it, modify the node jmx-connector of the file ${GlassFish_Home}\domains\${Domain_Name}\config\domain.xml. 2. The username and password for JMX are the same as the web console. You can now configure FortiSIEM to communicate with your device by following the instructions in "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Oracle GlassFish JMX Access Credentials Use these Access Method Definition settings to allow FortiSIEM to access your Oracle GlassFish device over JMX. Setting Name Device Type Access Protocol Pull Interval (minutes) Port User Name Value glassfish SUN Glassfish App Server JMX 5 8686 The administrative user for the application server FortiSIEM 6.1.1 External Systems Configuration Guide 66 Fortinet Technologies Inc. Applications Setting Password Value The password associated with the administrative user Sample Event for Glassfish Metrics <134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_APP]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201, [destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[webContextRoot]=, [webAppState]=RUNNING,[cacheMaxSize]=10240,[cacheTTL]=5000,[reqProcessTimeAvg]=0, [startTime]=1358755971,[cookiesAllowed]=true,[cachingAllowed]=false,[linkingAllowed]=false, [crossContextAllowed]=true <134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_CPU]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201, [destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[sysUpTime]=35266, [cpuUtil]=60 <134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_MEMORY]:[eventSeverity]=PHL_ INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201, [destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02, [freeMemKB]=479928,[freeSwapMemKB]=6289280,[memTotalMB]=16051,[memUtil]=98,[swapMemUtil]=1, [swapMemTotalMB]=6142,[virtMemCommitKB]=4025864,[heapUsedKB]=1182575,[heapMaxKB]=3106432, [heapCommitKB]=3106432,[heapUtil]=38,[nonHeapUsedKB]=193676,[nonHeapMaxKB]=311296, [nonHeapCommitKB]=277120,[nonHeapUtil]=69 <134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_SESSION]:[eventSeverity]=PHL_ INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201, [destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02, [webContextPath]=/__JWSappclients,[activeSessionsPeak]=0,[duplicateSession]=0, [activeSessions]=0,[expiredSession]=0,[rejectedSession]=0,[sessionProcessTimeMs]=85, [sessionLifetimeAvg]=0,[sessionLifetimePeak]=0,[maxSessionLimited]=-1, [maxInactiveInterval]=1800 <134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_SERVLET]:[eventSeverity]=PHL_ INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201, [destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02, [webAppName]=phoenix,[webAppState]=RUNNING,[servletName]=DtExportServlet,[totalRequests]=0, [reqErrors]=0,[reqProcessTimeAvg]=0 <134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_CONN_STAT]:[eventSeverity]=PHL_ INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201, [destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02, [reqProcessorName]=http8181,[httpStatusCode]=304,[httpTotalAccesses]=0 <134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_EJB]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201, FortiSIEM 6.1.1 External Systems Configuration Guide 67 Fortinet Technologies Inc. Applications [destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02, [ejbComponentName]=phoenix-domain-1.0.jar,[ejbState]=RUNNING,[startTime]=1358755963, <134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_JMS]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201, [destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02, [jmsSource]=jms/RequestQueue <134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_REQUEST_PROCESSOR]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02, [reqProcessorName]=http4848,[recvBytes]=0,[sentBytes]=0,[totalRequests]=0,[reqRate]=0, [reqProcessTimeAvg]=0,[reqProcessTimeMax]=0,[maxOpenConnections]=0,[lastRequestURI]=null, [lastRequestMethod]=null,[lastRequestCompletionTime]=0,[openConnectionsCount]=0, [reqErrors]=0 <134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_THREAD_POOL]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02, [liveThreads]=106,[liveThreadsMax]=138 <134>Jan 22 02:06:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_DB_POOL]:[eventSeverity]=PHL_ INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201, [destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02, [dataSource]=jdbc/phoenixDS FortiSIEM 6.1.1 External Systems Configuration Guide 68 Fortinet Technologies Inc. Applications Oracle WebLogic l What is Discovered and Monitored l Configuration l Settings for Access Credentials l Sample Event for WebLogic Metrics What is Discovered and Monitored Protocol JMX Information discovered Metrics collected Used for Generic information: Application version, Application port, SSL listen port, Listen port enabled flag, SSL listen port enabled Availability metrics: Uptime, Application Server State Memory metrics: Total memory, Free memory, Used memory, Memory utilization, Heap utilization, Heap used memory, Heap max memory, Heap commit memory, Total nursery memory Servlet metrics: Application name, App server instance, Web application name, Web context name, Servlet name, Invocation count, Servlet execution time Database pool metrics: Application name, App server instance, Data source, Active connection count, Connection limit, Leaked connections, Reserve requests, Requests wait for connections Thread pool metrics: App server instance, Completed requests, Execute threads, Pending requests, Standby threads, Total threads EJB metrics: EJB component name, EJB state, EJB idle beans, EJB used beans, EJB pooled beans, EJB Waiter threads, EJB committed Transactions, EJB timedout transactions, EJB rolledback transactions, EJB activations, EJB Passivations, EJB cache hits, EJB cache misses, EJB cache accesses, EJB cache hit ratio Application level metrics: Application name, App server instance, Web application name, Web context root, Peak active sessions, Current active sessions, Total active sessions, Servlet count, Single threaded servlet pool count, Performance Monitoring Event Types In ADMIN > Device Support > Event, search for "WebLogic in the Description column to see the event types associated with this device. FortiSIEM 6.1.1 External Systems Configuration Guide 69 Fortinet Technologies Inc. Applications Reports In RESOURCE > Reports , search for "WebLogic" in the Name column to see the reports associated with this application or device. Configuration JMX Enable and Configure Internet Inter-ORB Protocol (IIOP) 1. Log into the administration console of your WebLogic application server. 2. In the Change Center of the administration console, click Lock & Edit. 3. In the left-hand navigation, expand Environment and select Servers. 4. Click the Protocols tab, then select IIOP. 5. Select Enable IIOP. 6. Expand the Advanced options. 7. For Default IIOP Username and Default IIOP Password, enter the username and password that you will use as the access credentials when configuring FortiSIEM to communicate with your application server. Enable IIOP Configuration Changes 1. Go to the Change Center of the administration console. 2. Click Activate Changes. You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Use these Access Method Definition settings to allow FortiSIEM to access your Oracle WebLogic application server over JMX. The port for JMX is the same as the web console, and the default value is 7001. Setting Name Device Type Access Protocol Pull Interval (minutes) Port Value weblogic Oracle WebLogic App Server JMX 5 7001 FortiSIEM 6.1.1 External Systems Configuration Guide 70 Fortinet Technologies Inc. Applications Setting User Name Password Value The administrative user you created in step 7. The password you created in step 7. Sample Event for WebLogic Metrics <134>Jan 22 02:12:20 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_GEN]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001, [appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 , [appServerInstance]=examplesServer,[appServerState]=RUNNING,[sysUpTime]=1358476145, [appPort]=7001,[sslListenPort]=7002,[listenPortEnabled]=true,[sslListenPortEnabled]=true <134>Jan 22 02:12:20 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_MEMORY]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001, [appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 , [appServerInstance]=examplesServer,[appServerState]=RUNNING,[heapUsedKB]=153128, [heapCommitKB]=262144,[heapFreeKB]=109015,[heapUtil]=59,[heapMaxKB]=524288, [usedMemKB]=4086224,[freeMemKB]=107624,[memTotalMB]=4095,[memUtil]=97,[nurserySizeKB]=88324 <134>Jan 22 02:12:22 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_SERVLET]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001, [appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 , [appServerInstance]=examplesServer,[appName]=consoleapp,[webAppName]=examplesServer_ /console,[servletName]=/framework/skeletons/wlsconsole/placeholder.jsp, [webContextRoot]=/console,[invocationCount]=1094,[servletExecutionTimeMs]=63 <134>Jan 22 02:15:24 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_DB_POOL]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001, [appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 , [appServerInstance]=examplesServer,[appName]=examples-demoXA-2,[dataSource]=examples-demoXA2,[activeConns]=0,[connLimit]=1,[leakedConns]=0,[reserveRequests]=0,[waitForConnReqs]=0 <134>Jan 22 02:12:20 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_THREAD_POOL]:[eventSeverity]=PHL_ INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX, [destDevPort]=7001,[appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 , [appServerInstance]=examplesServer,[completedRequests]=14066312,[executeThreads]=7, [pendingRequests]=0,[standbyThreads]=5,[totalThreads]=43 <134>Jan 22 02:12:20 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_EJB]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001, [appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 , [appServerInstance]=examplesServer,[ejbComponentName]=ejb30,[ejbIdleBeans]=0, [ejbUsedBeans]=0,[ejbPooledBeans]=0,[ejbWaiter]=0,[ejbCommitTransactions]=0, [ejbTimedOutTransactions]=0,[ejbRolledBackTransactions]=0,[ejbActivations]=0, [ejbPassivations]=0,[ejbCacheHits]=0,[ejbCacheMisses]=0,[ejbCacheAccesses]=0, [ejbCacheHitRatio]=0 <134>Jan 22 02:12:23 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_APP]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001, [appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 , [appServerInstance]=examplesServer,[appName]=webservicesJwsSimpleEar, [webAppName]=examplesServer_/jws_basic_simple,[webContextRoot]=/jws_basic_simple, FortiSIEM 6.1.1 External Systems Configuration Guide 71 Fortinet Technologies Inc. Applications [activeSessions]=0,[activeSessionsPeak]=0,[activeSessionTotal]=0,[numServlet]=4, [singleThreadedServletPool]=5 FortiSIEM 6.1.1 External Systems Configuration Guide 72 Fortinet Technologies Inc. Applications Redhat JBOSS l What is Discovered and Monitored l Configuration l Settings for Access Credentials l Sample Event for JBOSS Metrics What is Discovered and Monitored Protocol JMX Information discovered Metrics collected Used for Generic information: Application version, Application port Availability metrics: Uptime, Application Server State CPU metrics: Application server instance, CPU utilization Memory metrics: Heap utilization, Heap used memory, Heap free memory, Heap max memory, Heap commit memory, Max System dumps on disk, Max heap dumps on disk Servlet metrics: Application name, Web application name, Servlet Name, Invocation count, Request errors Database pool metrics: Application server instance, JDBC provider, Data source, Pool size, Closed connections, Active Connections, Requests wait for connections, Connection use time, Connection factory type, Peak connections Thread pool metrics: Application server instance, Thread pool name, Execute threads, Peak execute threads Application level metrics: Application name, Web application name, Application server instance, Web application context root, Active sessions, Peak active sessions EJB metrics: Application name, Application server instance, EJB component name Performance Monitoring Event Types In ADMIN > Device Support > Event, search for "boss" in the Description column to see the event types associated with this device. Reports In RESOURCE > Reports , search for jobs" in the Name column to see the reports associated with this application or device. FortiSIEM 6.1.1 External Systems Configuration Guide 73 Fortinet Technologies Inc. Applications Configuration Configuring JMX on the JBOSS Application Server Changing the Default JMX Port The default port for JMX is 1090. If you want to change it, modify the file ${JBoss_ Home}\server\default\conf\bindingservice.beans\META-INF\bindings-jboss-beans.xml. <bean class="org.boss.services.bindging.ServiceBindingMetadata"> <property name="serviceName">jboss.remoting:service=JMXConnectorServer,protocol=rmi</property> <property name="port">1090</property> <property name="description">RMI/JRMP socket for connecting to the JMX MBeanServer</property></bean> 1. Enable authentication security check. Open the file ${JBoss_Home}\server\default\deploy\jmx-jbossbeans.xml, find the JMXConnector bean, and uncomment the securityDomain property. <bean name="JMXConnector" class="org.boss.system.server.jmx.JMXConnector"><!-configuration properties --> <!-- To enable authentication security checks, uncomment the following --!><!--UNCOMMENT THIS --><property name="securityDomain">jmx-console</property> 2. Modify the file ${JBoss_Home}\server\default\conf\props\jmx-console-roles.properties to configure the JMX administrator role. admin=JBossAdmin,HttpInvoker 3. Modify the file ${JBoss_Home}\server\default\conf\props\jmx-console-users.properties to configure the username and password for JMX. admin=yourpassword 4. Configure DNS resolution for the JBOSS application server in your FortiSIEM Supervsior, Workers, and Collectors by adding the IP address and DNS name of the JBOSS application server to their /etc/hosts files. If DNS is already configured to resolve the JBOSS application server name, you can skip this step. 5. Start JBoss. ${JBoss_Home}/bin/run.sh or ${JBoss_Home}/bin/run.sh -b 0.0.0.0 -b ${Binding IP} Configuring FortiSIEM to Use the JMX Protocol with JBOSS Application Server To configure JMX communications between your JBOSS application server and FortiSIEM, you must copy several files from your application server to the JBOSS configuration directory for each FortiSIEM virtual appliance that will be used for discovery and performance monitoring jobs. FortiSIEM does not include these files because of licensing restrictions. JBOSS Version 4.x, 5.x, 6.x Files to Copy Copy ${JBoss_Home}/lib/jbossbootstrapapi.jar to /opt/phoenix/config/JBoss/ FortiSIEM 6.1.1 External Systems Configuration Guide 74 Fortinet Technologies Inc. Applications JBOSS Version Files to Copy 7.0 No copying is necessary 7.1 Copy ${JBoss_ Home}/bin/client/jboss- client.jar to /opt/phoenix/config/JBoss/ You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Use these Access Method Definition settings to allow FortiSIEM to access your Redhat JBOSS device over JMX: Setting Name Device Type Access Protocol Pull Interval (minutes) Port User Name Password Value jboss Redhat JBOSS App Server JMX 5 8880 The user you created in step 2 The password you created for the user in step 3 Sample Event for JBOSS Metrics <134>Feb 06 11:38:35 10.1.2.16 java: [PH_DEV_MON_JBOSS_CPU]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090, [appVersion]=6.1.0.Final "Neo",[appServerState]=STARTED,[sysUpTime]=6202359,[cpuUtil]=2 <134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_MEMORY]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090, [appVersion]=6.1.0.Final "Neo",[appServerState]=STARTED,[freeMemKB]=264776, [freeSwapMemKB]=1427864,[memTotalMB]=4095,[memUtil]=94,[swapMemUtil]=83, [swapMemTotalMB]=8189,[virtMemCommitKB]=1167176,[heapUsedKB]=188629,[heapMaxKB]=466048, [heapCommitKB]=283840,[heapUtil]=66,[nonHeapUsedKB]=106751,[nonHeapMaxKB]=311296, [nonHeapCommitKB]=107264,[nonHeapUtil]=99 <134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_APP]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090, [appVersion]=6.1.0.Final "Neo",[webContextRoot]=//localhost/,[webAppState]=RUNNING, [cacheMaxSize]=10240,[cacheTTL]=5000,[reqProcessTimeAvg]=10472,[startTime]=1353919592, [cookiesAllowed]=true,[cachingAllowed]=true,[linkingAllowed]=false, FortiSIEM 6.1.1 External Systems Configuration Guide 75 Fortinet Technologies Inc. Applications [crossContextAllowed]=true <134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_SERVLET]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090, [appVersion]=6.1.0.Final "Neo",[webAppName]=//localhost/admin-console,[servletName]=Faces Servlet,[totalRequests]=6,[reqErrors]=0,[loadTime]=0,[reqProcessTimeAvg]=10610 <134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_DB_POOL]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090, [appVersion]=6.1.0.Final "Neo",[dataSource]=DefaultDS,[dataSourceState]=Started <134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_REQUEST_PROCESSOR]: [eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SHWIN08R2-JMX,[destDevPort]=1090,[appVersion]=6.1.0.Final "Neo",[reqProcessorName]=ajp0.0.0.0-8009,[recvBytes]=0,[sentBytes]=0,[reqProcessTimeAvg]=0,[reqProcessTimeMax]=0, [totalRequests]=0,[reqRate]=0,[reqErrors]=0 <134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_EJB]:[eventSeverity]=PHL_INFO, [destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090, [appVersion]=6.1.0.Final "Neo",[ejbComponentName]=ejbjar.jar, [ejbBeanName]=HelloWorldBeanRemote,[ejbAvailCount]=0,[ejbCreateCount]=0,[ejbCurrCount]=0, [ejbMaxCount]=0,[ejbRemovedCount]=0,[ejbInstanceCacheCount]=null,[ejbPassivations]=null, [ejbTotalInstanceCount]=null <134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_THREAD_POOL]:[eventSeverity]=PHL_ INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX, [destDevPort]=1090,[appVersion]=6.1.0.Final "Neo",[threadPoolName]=ajp-0.0.0.0-8009, [appPort]=8009,[totalThreads]=0,[busyThreads]=0,[maxThreads]=2048,[threadPriority]=5, [pollerSize]=32768,[threadPoolIsDaemon]=true FortiSIEM 6.1.1 External Systems Configuration Guide 76 Fortinet Technologies Inc. Applications Authentication Server FortiSIEM supports these authentication servers for discovery and monitoring. l Cisco Access Control Server (ACS) l Cisco Duo l Cisco Identity Solution Engine (ISE) l CyberArk Password Vault l Fortinet FortiAuthenticator l Juniper Networks Steel-Belted RADIUS l Microsoft Internet Authentication Server (IAS) l Microsoft Network Policy Server (RAS VPN) l OneIdentity Safeguard l Vasco DigiPass FortiSIEM 6.1.1 External Systems Configuration Guide 77 Fortinet Technologies Inc. Applications Cisco Access Control Server (ACS) l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP WMI Syslog Information discovered Metrics collected Used for Application type Process level CPU utilization, Memory utilization Performance Monitoring Application type, service mappings Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O Performance Monitoring Application type Successful and Failed Authentications, Successful and Failed administrative logons, RADIUS accounting logs Security Monitoring and compliance Event Types In ADMIN > Device Support > Event, search for "cisco secure acs" in the Device Type and Description column to see the event types associated with this device. Configuration SNMP 1. Log into the device you want to enable SNMP for as an administrator. 2. Go to Control Panel >Program and Features. 3. Click Turn Windows features on or off . 4. If you are installing on a Windows 7 device, select Simple Network Management Protocol (SNMP). If you are installing on a Windows 2008 device, in the Server Manager window, go to Features > Add features > SNMP Services. 5. If necessary, select SNMP to enable the service. 6. Go to Programs > Administrative Tools > Services. 7. to set the SNMP community string and include FortiSIEM in the list of hosts that can access this server via SNMP. 8. Select SNMP Service and right-click Properties. 9. Set the community string to public. 10. Go to the Security tab and enter the FortiSIEM IP Address. 11. Restart the SNMP service. FortiSIEM 6.1.1 External Systems Configuration Guide 78 Fortinet Technologies Inc. Applications WMI Configuring WMI on your device so FortiSIEM can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this: l Creating a Generic User Who Does Not Belong to the Local Administrator Group l Creating a User Who Belongs to the Domain Administrator Group Creating a Generic User Who Does Not Belong to the Local Administrator Group Log in to the machine you want to monitor with an administrator account. Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group 1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups. 2. Right-click Users and select Add User. 3. Create a user. 4. Go to Groups, right-click Distributed COM Users, and then click Add to group. 5. In the Distributed COM Users Properties dialog, click Add. 6. Find the user you created, and then click OK. This is the account you must use to set up the Performance Monitor Users group permissions. 7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog. 8. Repeat steps 4 through 7 for the Performance Monitor Users group. Enable DCOM Permissions for the Monitoring Account 1. Go to Start > Control Panel > Administrative Tools > Component Services. 2. Right-click My Computer, and then Properties. 3. Select the COM Security tab, and then under Access Permissions, click Edit Limits. 4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed. 5. Click OK. 6. Under Access Permissions, click EditDefault. 7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed. 8. Click OK. 9. Under Launch and Activation Permissions, click Edit Limits. 10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. 11. Click OK. 12. Under Launch and Activation Permissions, click Edit Defaults. 13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI. FortiSIEM 6.1.1 External Systems Configuration Guide 79 Fortinet Technologies Inc. Applications Creating a User Who Belongs to the Domain Administrator Group Log in to the Domain Controller with an administrator account. Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group 1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users. 2. Right-click Users and select Add User. 3. Create a user for the @accelops.com domain. For example, YJTEST@accelops.com. 4. Go to Groups, right-click Administrators, and then click Add to Group. 5. In the Domain Admins Properties dialog, select the Members tab, and then click Add. 6. For Enter the object names to select, enter the user you created in step 3. 7. Click OK to close the Domain Admins Properties dialog. 8. Click OK. Enable the Monitoring Account to Access the Monitored Device Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account 1. Go to Start > Control Panel > Administrative Tools > Component Services. 2. Right-click My Computer, and then select Properties. 3. Select the Com Security tab, and then under Access Permissions, click Edit Limits. 4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access. 5. Click OK. 6. In the Com Security tab, under Access Permissions, click Edit Defaults. 7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access. 8. Click OK. 9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits. 10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. 11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults. 12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. Enable Account Privileges in WMI The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device. 1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications. 2. Select WMI Control, and then right-click and select Properties. 3. Select the Security tab. FortiSIEM 6.1.1 External Systems Configuration Guide 80 Fortinet Technologies Inc. Applications 4. Expand the Root directory and select CIMV2. 5. Click Security. 6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable. 7. Click Advanced. 8. Select the user you created for the monitoring account, and then click Edit. 9. In the Apply onto menu, select This namespace and subnamespaces. 10. Click OK to close the Permission Entry for CIMV2 dialog. 11. Click OK to close the Advanced Security Settings for CIMV2 dialog. 12. In the left-hand navigation, under Services and Applications, select Services. 13. Select Windows Management Instrumentation, and then click Restart. Allow WMI to Connect Through the Windows Firewall (Windows 2003) 1. In the Start menu, select Run. 2. Run gpedit.msc. 3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall. 4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not. 5. Select Windows Firewall: Allow remote administration exception. 6. Run cmd.exe and enter these commands: netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135"netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP 7. Restart the server. Allow WMI through Windows Firewall (Windows Server 2008, 2012) 1. Go to Control Panel > Windows Firewall. 2. In the left-hand navigation, click Allow a program or feature through Windows Firewall. 3. Select Windows Management Instrumentation, and the click OK. Syslog 1. Log in to your Cisco Access Controls Server as an administrator. 2. Go to Start > All Programs > CiscoSecure ACS v4.1 > ACS Admin. 3. In the left-hand navigation, click System Configuration, then click Logging. 4. Select Syslog for Failed Attempts, Passed Authentication, and RADIUS Accounting to send these reports to FortiSIEM. 5. For each of these reports, click Configure under CSV, and select the following attributes to include in the CSV output. Report Failed Attempts CSV Attributes l Message-Type FortiSIEM 6.1.1 External Systems Configuration Guide 81 Fortinet Technologies Inc. Applications Report Passed Authentication RADIUS Accounting CSV Attributes l User-Name l NAS-IP-Address l Authen-Failure-Code l Author-Failure-Code l Caller-ID l NAS-Port l Author-Date l Group-Name l Filter Information l Access Device l AAA Server l Message-Type l User-Name l NAS-IP-Address l Authen-Failure-Code l Author-Failure-Code l Caller-ID l NAS-Port l Author-Date l Group-Name l Filter Information l Access Device l AAA Server l Proxy-IP-Address l Source-NAS l PEAP/EAP-FAST-Clear-Name l Real Name l User-Name l NAS-IP-Address l NAS-Port l Group-Name l Service-Type l Framed-Protocol l Framed-IP-Address l Calling-Station-Id l Acct-Status-Type l Acct-Input-Octets l Acct-Output-Octets l Acct-Session-Id l Acct-Session-Time l Acct-Input-Packets l Acct-Output-Packets FortiSIEM 6.1.1 External Systems Configuration Guide 82 Fortinet Technologies Inc. Applications 6. For each of these reports, click Configure under Syslog, and for Syslog Server, enter the IP address of the FortiSIEM virtual appliance that will receive the syslog as the syslog server, enter 514 for Port, and set Max message length to 1024. 7. To make sure your changes take effect, go to System Configuration > Service Control, and click Restart ACS. You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials SNMP Access Credentials for All Devices Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> FortiSIEM 6.1.1 External Systems Configuration Guide 83 Fortinet Technologies Inc. Applications Cisco Identity Solution Engine (ISE) l Integration points l Configuring Cisco ISE l Configuring FortiSIEM l Access Credentials l Parsing and Events Integration points Protocol Syslog Information Discovered AAA log - authentication Used For Security and Compliance Configuring Cisco ISE Follow Cisco ISE documentation to send syslog to FortiSIEM. Configuring FortiSIEM FortiSIEM automatically recognizes Cisco ISE syslog as long it follows the following format as shown in the sample syslog: <181>Sep 21 06:50:51 fcmb-hq-psn01 CISE_Passed_Authentications 0000066354 3 0 2016-0921 06:50:51.516 +01:00 2915312533 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=287, Device IP Address=1.1.1.1, DestinationIPAddress=1.1.1.2, DestinationPort=1812, UserName=00-15-65-20-33-E5, Protocol=Radius, RequestLatency=33, NetworkDeviceName=ACME, User-Name=johndoe, NAS-IPAddress=1.1.1.2, NAS-Port=50009, Service-Type=Call Check, Framed-IP-Address=1.1.1.2, Framed-MTU=1500, Called-Station-ID=38-1C-1A-87-87-09, Calling-Station-ID=00-15-65-2033-E5, NAS-Port-Type=Ethernet, NAS-Port-Id=FastEthernet0/9, EAP-Key-Name=, cisco-avpair=service-type=Call Check, cisco-av-pair=audit-session-id=AC1B35F8000001240FC38F8A, OriginalUserName=0015652033e5, AcsSessionID=fcmb-hq-psn01/251903157/22970712, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=IP_Phones, Access Credentials For Device Type Cisco Identity Solutions Engine, see Access Credentials. Parsing and Events Over 20 events are parsed see event Types in Resources > Event Types and search for 'Cisco-ISE'. FortiSIEM 6.1.1 External Systems Configuration Guide 84 Fortinet Technologies Inc. Applications Cisco Duo l What is Discovered and Monitored l Event Types l Rules l Reports l Configuring Cisco Duo l Configuring FortiSIEM l Sample Events What is Discovered and Monitored Protocol API Information Discovered Host name and Device Type from LOG Metrics/LOGs Collected 4 log types Used For Security and Compliance Event Types Go to Admin > Device Type > Event Types and search for "Cisco-Duo". Rules None Reports None Configuring Cisco Duo Follow these steps to configure Cisco Duo to send logs to FortiSIEM. 1. Contact Cisco Duo support to enable the Admin API. 2. Get a credential for Cisco Duo: open the Cisco Duo dashboard and go to Application > Admin API. 3. Select the Integration key, Secret key, and API hostname options. FortiSIEM 6.1.1 External Systems Configuration Guide 85 Fortinet Technologies Inc. Applications Configuring FortiSIEM Follow these steps to configure FortiSIEM to receive Cisco Duo logs. 1. In the FortiSIEM UI, go to ADMIN > Setup > Credentials. 2. Click New to create a Cisco Duo credential. Use these Access Method Definition settings to allow FortiSIEM to access Cisco Duo logs. Setting Name Device Type Access Protocol Pull Interval (minutes) Integration Key Secret Key Value Enter a name for the credential. Cisco Duo Security Cisco Duo Admin REST API 2 Enter the integration key you obtained from Cisco Duo. Enter the secret key you obtained from Cisco Duo. FortiSIEM 6.1.1 External Systems Configuration Guide 86 Fortinet Technologies Inc. Applications Setting Value Description Enter an optional description for the credential. 3. In Step 2, click Add to create a new association between the credential and the API hostname. 4. Select Test Connectivity without Ping. A pop up will appear and show the connectivity results. 5. Go to the ANALYTICS page and check for Cisco Duo logs. Sample Events These events are collected via API: FortiSIEM 6.1.1 External Systems Configuration Guide 87 Fortinet Technologies Inc. Applications FSM-CiscoDuo-Auth] [1] {"access_device":{"browser":"Chrome","browser_ version":"67.0.3396.99","flash_ version":"uninstalled","hostname":"null","ip":"169.232.89.219","java_ version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Mac OS X","os_version":"10.14.1"},"application": {"key":"DIY231J8BR23QK4UKBY8","name":"Microsoft Azure Active Directory"},"auth_device": {"ip":"192.168.225.254","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"My iPhone X (734-555-2342)"},"event_ type":"authentication","factor":"duo_push","reason":"user_ approved","result":"success","timestamp":1532951962,"trusted_endpoint_status":"not trusted","txid":"340a23e3-23f3-23c1-87dc-1491a23dfdbb","user": {"key":"DU3KC77WJ06Y5HIV7XKQ","name":"narroway@example.com"}} FortiSIEM 6.1.1 External Systems Configuration Guide 88 Fortinet Technologies Inc. Applications CyberArk Password Vault What is Discovered and Monitored Protocol Syslog (CEF formatted and others) Information discovered Logs parsed CyberArk Safe Activity Used for Security Monitoring and compliance Event Types In ADMIN > Device Support > Event, search for "CyberArk-Vault" in the Device Type column to see the event types associated with this device. Rules In RESOURCE > Rules, search for "CyberArk": l CyberArk Vault Blocked Failure l CyberArk Vault CPM Password Disables l CyberArk Vault Excessive Failed PSM Connections l CyberArk Vault Excessive Impersonations l CyberArk Vault Excessive PSM Keystroke Logging Failure l CyberArk Vault Excessive PSM Session Monitoring Failure l CyberArk Vault Excessive Password Release Failure l CyberArk Vault File Operation Failure l CyberArk Vault Object Content Validation Failure l CyberArk Vault Unauthorized User Stations l CyberArk Vault User History Clear Reports In RESOURCE > Reports, search for "CyberArk": l CyberArk Blocked Operations l CyberArk CPM Password Disables l CyberArk CPM Password Retrieval l CyberArk File Operation Failures l CyberArk Impersonations l CyberArk Object Content Validation Failures l CyberArk PSM Monitoring Failures l CyberArk Password Resets l CyberArk Privileged Command Operations FortiSIEM 6.1.1 External Systems Configuration Guide 89 Fortinet Technologies Inc. Applications l CyberArk Provider Password Retrieval l CyberArk Trusted Network Area Updates l CyberArk Unauthorized Stations l CyberArk User History Clears l CyberArk User/Group Modification Activity l CyberArk Vault CPM Password Reconcilations l CyberArk Vault CPM Password Verifications l CyberArk Vault Configuration Changes l CyberArk Vault Failed PSM connections l CyberArk Vault Modification Activity l CyberArk Vault PSM Keystore Logging Failures l CyberArk Vault Password Changes from CPM l CyberArk Vault Password Release Failures l CyberArk Vault Successful PSM Connections l Top CyberArk Event Types l Top CyberArk Safes, Folders By Activity l Top CyberArk Users By Activity CyberArk Configuration for sending syslog in a specific format 1. Open \PrivateArk\Server\DBParm.ini file and edit the SYSLOG section: a. SyslogServerIP Specify FortiSIEM supervisor, workers and collectors separated by commas. b. SyslogServerProtocol Set to the default value of UDP. c. SyslogServerPort Set to the default value of 514. d. SyslogMessageCodeFilter Set to the default range 0-999. e. SyslogTranslatorFile Set to Syslog\FortiSIEM.xsl. f. UseLegacySyslogFormat - Set to the default value of No. 2. Copy the relevant XSL translator file here to the Syslog subfolder specified in the SyslogTranslatorFile parameter in DBParm.ini. 3. Stop and Start Vault (Central Server Administration) for the changes to take effect. Make sure the syslog format is as follows. <5>1 2016-02-02T17:24:42Z SJCDVVWCARK01 CYBERARK: Product="Vault";Version="9.20.0000";MessageID="295";Message="Retrieve password";Issuer="Administrator";Station="10.10.110.11";File="Root\snmpCommunity"; Safe="TestPasswords";Reason="Test";Severity="Info" <30>Mar 22 20:13:42 VA461_1022 CyberArk AIM[2453]: APPAP097I Connection to the Vault has been restored <27>Mar 22 20:10:50 VA461_1022 CyberArk AIM[2453]: APPAP289E Connection to the Vault has failed. Further attempts to connect to the Vault will be avoided for [1] minutes. <27>Mar 24 23:41:58 VA461_1022 CyberArk AIM[2453]: APPAU002E Provider [Prov_VA461_1022] has failed to fetch password with query [Safe=TestPutta;Object=Telnet91] for application [FortiSIEM]. Fetch reason: [APPAP004E Password object matching query FortiSIEM 6.1.1 External Systems Configuration Guide 90 Fortinet Technologies Inc. Applications Fortinet FortiAuthenticator l What is Discovered and Monitored l Event Types l Configuration What is Discovered and Monitored Protocol SNMP Syslog Information Discovered Vendor, OS, Model, Network Interfaces LOG Discovery Data Collected Interface Stat, Authentication Stat Over 150 event types Used for Performance Monitoring Security and Compliance Event Types In RESOURCE > Event Types, Search for "Fortinet-FortiAuthenticator". Sample Event Type: <14>Aug 14 22:32:52 db[16987]: category="Event" subcategory="Authentication" typeid=20995 level="information" user="admin" nas="" action="Logout" status="" Administrator 'admin' logged out Configuration Configure FortiAuthenticator to send syslog on port 514 to FortiSIEM. FortiSIEM Access Credentials For Device Type Fortinet FortiAuthenticator, see Access Credentials. FortiSIEM 6.1.1 External Systems Configuration Guide 91 Fortinet Technologies Inc. Applications Juniper Networks Steel-Belted RADIUS What is Discovered and Monitored Protocol SNMP Information discovered Application type WMI Syslog Application type, service mappings Application type Metrics collected Used for Process level CPU utilization, Memory utilization Performance Monitoring Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O Performance Monitoring Successful and Failed Authentications, Successful and Failed administrative logons, RADIUS accounting logs Security Monitoring and compliance Event Types In ADMIN > Device Support > Event, search for "Juniper Steel-Belted RADIUS" in the Device Type column to see the event types associated with this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Syslog 1. Login as administrator. 2. Install and configure Epilog application to convert log files written by Steelbelted RADIUS server into syslog for sending to FortiSIEM: a. Download Epilog from snare, information to download here, and install it on your Windows Server. b. Launch Epilog from StartAll ProgramsInterSect AllianceEpilog for windows. c. Configure Epilog application as follows: i. Select Log Configuration on left hand panel, click Add button to add log files whose content must be sent to FortiSIEM. These log files are written by the Steelbelted RADIUS server and their paths are correct. Also make sure the Log Type is SteelbeltedLog. ii. Select Network Configuration on left hand panel. On the right, set the destination address to that of FortiSIEM server, port to 514 and make sure that syslog header is enabled. Then click Change Configuration button. FortiSIEM 6.1.1 External Systems Configuration Guide 92 Fortinet Technologies Inc. Applications iii. Click the "Apply the latest audit configuration" link on the left hand side to apply the changes to Epilog applications. DHCP logs will now sent to FortiSIEM in real time. FortiSIEM 6.1.1 External Systems Configuration Guide 93 Fortinet Technologies Inc. Applications Microsoft Internet Authentication Server (IAS) l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol WMI Syslog Windows Agent Information Discovered Metrics Collected Used For IAS logs Event Types In ADMIN > Device Support > Event, search for "microsoft isa" in the Description column to see the event types associated with this device. Configuration WMI See WMI Configurations in the Microsoft Windows Server Configuration section. Syslog You must configure your Microsoft Internet Authentication Server to save logs, and then you can use the Windows Agent Manager to configure the type of log information you want sent to FortiSIEM. 1. Log in to your server as an administrator. 2. Go to Start > Administrative Tools > Internet Authentication Service. 3. In the left-hand navigation, select Remote Access Logging, then select Local File. 4. Right-click on Local File to open the Properties menu, and then select Log File. 5. For Directory, enter C:\WINDOWS\system32\LogFiles\IAS. 6. Click OK. You can now use Windows Agent Installation Guide to configure what information will be sent to FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 94 Fortinet Technologies Inc. Applications Microsoft Network Policy Server (RAS VPN) l Integration Points l Configuration l Setting for Access Credentials l Sample Events Integration Points Method Syslog Information discovered Host name, Reporting IP Metrics collected None LOGs collected AAA based login events Used for Security monitoring Event Types In ADMIN > Device Support > Event, search for "MS-NPS" to see the event types associated with this device. Rules No specific rules are written for Microsoft Network Policy Server but regular AA Server rules apply. Reports No specific reports are written for Microsoft Network Policy Server but regular AA Server reports apply. Configuration Configure Microsoft Network Policy Server system to send logs to FortiSIEM in the supported format (see Sample Events). See https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-accounting-configure. Settings for Access Credentials None required. Sample Events "HOSTXXVPN","RAS",03/10/2019,03:47:04,4,"domain\user",,"10.1.1.130","192.168.22.2",,"172.17. 220.130", "HOSTXXVPN","10.5.5.212",387,,"10.5.5.212","HOSTXXVPN",1552214822,,5,,1,2,,,0, "311 1 fe80::a1bf:5c1c:7ebc:6ab7 02/07/2019 04:24:00 4805",,,,,2,,268050551,253119217,"4806",3,69101,833955,726102,1,"1251",1,,79617,1, "192.168.22.2","10.1.1.130",,,,,,,"MSRASV5.20",311,,"0x00504F4C42",0,, "Microsoft Routing and Remote Access Service Policy",,,,"MSRAS-0-HOST123413","MSRASV5.20" FortiSIEM 6.1.1 External Systems Configuration Guide 95 Fortinet Technologies Inc. Applications OneIdentity Safeguard (previously Balabit Privileged Session Management) l Integration points l Configuring OneIdentity Safeguard l Parsing and Events Integration points Protocol Syslog Information Discovered Privileged session management events Used For Security and Compliance Configuring OneIdentitySafeguard Follow OneIdentity Safeguard documentation to send syslog to FortiSIEM. Configuring FortiSIEM FortiSIEM automatically recognizes OneIdentity Safeguard syslog as long as it follows the following format in the sample syslog: <123>2018-10-08T22:59:49+08:00 scbdemo.balabit zorp/scb_rdp[31769]: core.debug(4): (svc/i9CTbTzV2wrRur3quVRzF4/GET_gateway_rdp:498:2): After NAT mapping; nat_type='0', src_addr='AF_INET(10.19.9.245:0)', dst_addr='AF_INET(10.46.26.196:3389)', new_addr='AF_ INET(10.11.101.30:0)' Parsing and Events Over 50 events are parsed see event Types in Resources > Event Types and search for 'OneIdentity-Safeguard-'. FortiSIEM 6.1.1 External Systems Configuration Guide 96 Fortinet Technologies Inc. Applications Vasco DigiPass What is Discovered and Monitored Protocol Syslog Information discovered Metrics collected Successful and Failed Authentications, Successful and Failed administrative logons Used for Security Monitoring and compliance Event Types In ADMIN > Device Support > Event, search for "Vasco DigiPass" in the Device Type column to see the event types associated with this device. Some important ones are: l Vasco-DigiPass-KeyServer-AdminLogon-Success l Vasco-DigiPass-KeyServer-UserAuth-Success l Vasco-DigiPass-KeyServer-UserAuth-Failed l Vasco-DigiPass-KeyServer-AccountLocked l Vasco-DigiPass-KeyServer-AccountUnlocked Configuration Configure the Vasco DigiPass management Console to send syslog to FortiSIEM. FortiSIEM is going to parse the logs automatically. Make sure the syslog format is as follows. May 16 18:21:50 vascoservername ikeyserver[3575]: {Success}, {Administration}, {S-001003}, {A command of type [User] [Unlock] was successful.}, {0xA46B6230BA60B240CE48011B0C30D393}, {Source Location:10.1.2.3}, {Client Location:10.1.2.3}, {User ID:flast}, {Domain:company.com}, {Input Details: {User ID : flast} {Domain Name : company.com}}, {Output Details: {User ID : flast} {Password : ********} {Created Time : 2013/05/13 19:06:52} {Modified Time : 2013/05/16 18:21:49} {Has Digipass : Unassigned} {Status : 0} {Domain Name : company.com} {Local Authentication : Default} {Back-end Authentication : Default} {Disabled : no} {Lock Count : 0} {Locked : no} {Last Password Set Time : 2013/05/13 19:06:52} {Static Password History : d0NdVMhSdvdNEQJkkKTWmiq8iB4K1dWreMf5FQlZM7U=} {Key ID : SSMINSTALLSENSITIVEKEY}}, {Object:User}, {Command:Unlock}, {Client Type:Administration Program} May 15 20:27:35 vascoservername ikeyserver[3575]: {Success}, {Administration}, {S-004001}, {An administrative logon was successful.}, {0x25AB20F3222F554A96CFFD2886AE4C71}, {Source Location:10.1.2.3}, {Client Location:10.1.2.3}, {User ID:admin}, {Domain:company.com}, {Client Type:Administration Program} May 17 18:43:22 vascoservername ikeyserver[3582]: {Info}, {Initialization}, {I-002010}, {The SOAP protocol handler has been initialized successfully.}, {0x0E736D24D54E717E6F5DA6C09E89F8EE}, {Version:3.4.7.115}, {Configuration Details:IPAddress: 10.1.2.3, IP-Port: 8888, Supported-Cipher-Suite: HIGH, Server-Certificate: FortiSIEM 6.1.1 External Systems Configuration Guide 97 Fortinet Technologies Inc. Applications /var/identikey/conf/certs/soap-custom.pem, Private-Key-Password: ********, CA-CertificateStore: /var/identikey/conf/certs/soap-ca-certificate-store.pem, Client-AuthenticationMethod: none, Reverify-Client-On-Reconnect: False, DPX-Upload-Location: /var/dpx/} FortiSIEM 6.1.1 External Systems Configuration Guide 98 Fortinet Technologies Inc. Applications Database Server FortiSIEM supports these database servers for discovery and monitoring. l IBM DB2 Server l Microsoft SQL Server l Microsoft SQL Server Scripts l MySQL Server l Oracle Database Server FortiSIEM 6.1.1 External Systems Configuration Guide 99 Fortinet Technologies Inc. Applications IBM DB2 Server l What is Discovered and Monitored l Configuration l Settings for Access Credentials l Sample Events What is Discovered and Monitored Protocol SNMP WMI JDBC Information discovered Application type Application type, service mappings None Metrics collected Process level CPU and memory utilization Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec Database audit trail: Successful and failed database log on, Database CREATE/DELETE/MODIFY operations, Table CREATE/DELETE/MODIFY/INSERT operations Used for Performance Monitoring Performance Monitoring Security Monitoring Event Types In ADMIN > Device Support > Event, search for "db2" in the Device Type and Description column to see the event types associated with this device. Configuration Configuring IBM DB2 Audit on Linux - DB2 side 1. Log in to IBM Installation Manager. 2. Click the Databases tab, and click the + icon to create a new Database Connection. 3. Enter these settings. Setting Database Connection Name Data Server Type Database Name Value Enter a name for the connection, such as FortiSIEM DB2 for Linux, Unix, and Windows Name of the database FortiSIEM 6.1.1 External Systems Configuration Guide 100 Fortinet Technologies Inc. Applications Setting Value Host name db2.org Port number 50000 JDBC Security Clear text password User ID The username you want to use to access this Server from FortiSIEM JDBC URL jdbc:db2://db2.org:50000/<databasename>: retrieveMessagesFromServerOnGetMessage=true;securi 4. In the Job Manager tab, click Add Job. 5. For Name, enter audit. 6. For Type, select DB2 CLP Script. 7. Click OK. 8. Add script. 9. Add schedule detail to audit task. 10. Add database to audit task. You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections 'Discovering Infrastructure' and 'Setting Access Credentials' for Device Discovery under Chapter: Configuring FortiSIEM. Configuring IBM DB2 Audit on Windows - DB2 side 1. Create a non-admin user on Windows, for example "AoAuditUser" , and set password 2. Login DB2 task center, add the user to DB Users, connect it to database 3. Grant Permission (use Administrator), use commands below a. Grant audit permission to db2admin db2 connect to sample user administrator using 'ProspectHills!' DB2 GRANT EXECUTE ON PROCEDURE SYSPROC.AUDIT_ARCHIVE TO DB2ADMIN DB2 GRANT EXECUTE ON PROCEDURE SYSPROC.AUDIT_DELIM_EXTRACT TO DB2ADMIN db2 grant load on database to db2admin db2 grant secadm on database to db2admin db2 connect reset b. Grant query permission to non-admin user db2 connect to sample user db2admin using 'ProspectHills!' db2 grant select on AUDIT to AOAuditUser db2 grant select on CHECKING to AOAuditUser db2 grant select on OBJMAINT to AOAuditUser db2 grant select on SECMAINT to AOAuditUser db2 grant select on SYSADMIN to AOAuditUser db2 grant select on VALIDATE to AOAuditUser db2 grant select on CONTEXT to AOAuditUser db2 grant select on EXECUTE to AOAuditUser db2 connect reset FortiSIEM 6.1.1 External Systems Configuration Guide 101 Fortinet Technologies Inc. Applications c. Check permission for non-admin user db2 connect to sample user AOAuditUser using 'ProspectHills!' db2 select count (*) from DB2ADMIN.AUDIT db2 select count (*) from DB2ADMIN.CHECKING db2 select count (*) from DB2ADMIN.OBJMAINT db2 select count (*) from DB2ADMIN.SECMAINT db2 select count (*) from DB2ADMIN.SYSADMIN db2 select count (*) from DB2ADMIN.VALIDATE db2 select count (*) from DB2ADMIN.CONTEXT db2 select count (*) from DB2ADMIN.EXECUTE db2 connect reset 4. Create Catalog with db2admin 5. Create task in DB2 user Administrator: a. Open DB2 task center, create a task like below b. Add schedule c. Add task Settings for Access Credentials Settings for IBM DB2 JDBC Access Credentials Use these Access Method Definition settings to allow FortiSIEM to communicate with your device: Values for Used For = Audit: Setting Name Device Type Access Protocol Used For Pull Interval (minutes) Port Database Name Audit Table Checking Table ObjMaint Table SecMaint Table SysAdmin Table Validate Table Context Table Value db2_linux IBM DB2 JDBC audit 5 50000 <database_name> AUDIT CHECKING OBJMAINT SECMAINT SYSADMIN VALIDATE CONTEXT FortiSIEM 6.1.1 External Systems Configuration Guide 102 Fortinet Technologies Inc. Applications Setting Execute Table Account Name Password Value EXECUTE The administrative user for your IBM DB2 server The password associated with the administrative user for your IBM DB2 server Values for Used For = Synthetic Transaction Monitoring: Setting Name Device Type Access Protocol Used For Pull Interval (minutes) Port Database Name Account Name Password Value db2_linux IBM DB2 JDBC Synthetic Transaction Monitoring 5 50000 <database_name> The administrative user for your IBM DB2 server The password associated with the administrative user for your IBM DB2 server Sample Events IBMDB2_CHECKING_OBJECT <134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_CHECKING_OBJECT]:[eventSeverity]=PHL_INFO, [objName]=TABLES,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.41.085567,[user]=db2inst1, [eventCategory]=CHECKING,[dbRetCode]=0 IBMDB2_CHECKING_FUNCTION <134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_CHECKING_FUNCTION]:[eventSeverity]=PHL_INFO, [objName]=CHECKING,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.40.739649,[user]=db2inst1, [eventCategory]=CHECKING,[dbRetCode]=0 IBMDB2_STATEMENT <134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_STATEMENT]:[eventSeverity]=PHL_INFO, [srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0, [instanceName]=db2inst1,[eventTime]=2014-05-14-13.48.59.433204,[user]=db2inst1, [eventCategory]=EXECUTE,[dbRetCode]=0 IBMDB2_COMMIT FortiSIEM 6.1.1 External Systems Configuration Guide 103 Fortinet Technologies Inc. Applications <134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_COMMIT]:[eventSeverity]=PHL_INFO, [srcIpAddr]=10.1.2.81,[srcApp]=db2jcc_application,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.51.30.447924,[srcName]=SP81, [user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0 IBMDB2_ROLLBACK <134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_ROLLBACK]:[eventSeverity]=PHL_INFO, [srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0, [instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.43.827986,[user]=db2inst1, [eventCategory]=EXECUTE,[dbRetCode]=0 IBMDB2_CONNECT <134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CONNECT]:[eventSeverity]=PHL_INFO, [srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0, [instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.39.991288,[user]=db2inst1, [eventCategory]=EXECUTE,[dbRetCode]=0 IBMDB2_CONNECT_RESET <134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CONNECT_RESET]:[eventSeverity]=PHL_INFO, [srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0, [instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.43.829149,[user]=db2inst1, [eventCategory]=EXECUTE,[dbRetCode]=0 IBMDB2_CREATE_OBJECT <134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CREATE_OBJECT]:[eventSeverity]=PHL_INFO, [objName]=CAN_MONITOR=CAN_MONITOR_FUNC,[srcIpAddr]=10.1.2.68,[srcApp]=DS_ConnMgt_, [dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-1413.30.14.827242,[srcName]=10.1.2.68,[user]=db2inst1,[eventCategory]=OBJMAINT,[dbRetCode]=0 IBMDB2_JDBC_PULL_STAT <134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_JDBC_PULL_STAT]:[eventSeverity]=PHL_INFO, [reptModel]=DB2,[dbName]=SAMPLE,[instanceName]=db2inst1,[reptVendor]=IBM,[rptIp]=10.1.2.68, [auditEventCount]=30,[relayIp]=10.1.2.68,[dbEventCategory]=db2inst1.AUDIT,[appGroupName]=IBM DB2 Server IBMDB2_ARCHIVE <134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_ARCHIVE]:[eventSeverity]=PHL_INFO, [srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0, [instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.44.002046,[user]=db2inst1, [eventCategory]=AUDIT,[dbRetCode]=0 IBMDB2_EXTRACT <134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_EXTRACT]:[eventSeverity]=PHL_INFO, [srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0, [instanceName]=db2inst1,[eventTime]=2014-05-14-13.38.45.865016,[user]=db2inst1, [eventCategory]=AUDIT,[dbRetCode]=0 IBMDB2_LIST_LOGS <134>May 14 14:03:39 10.1.2.68 java: [IBMDB2_LIST_LOGS]:[eventSeverity]=PHL_INFO, [srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0, [instanceName]=db2inst1,[eventTime]=2014-05-14-13.58.43.204054,[user]=db2inst1, [eventCategory]=AUDIT,[dbRetCode]=0 FortiSIEM 6.1.1 External Systems Configuration Guide 104 Fortinet Technologies Inc. Applications Microsoft SQL Server l Supported Versions l What is Discovered and Monitored l Recommended Configuration l SNMP Configuration l WMI Configuration l Configuration for Database Audit Logs l JDBC Configuration for Database Performance Metrics l JDBC Configuration for DDL Changes l Sample Events Supported Versions l SQL Server 2014 l SQL Server 2016 l SQL Server 2017 l SQL Server 2019 What is Discovered and Monitored The following protocols are used to discover and monitor various aspects of Microsoft SQL server. Protocol SNMP WMI WMI JDBC Information discovered Application type Application type, service mappings Metrics collected Used for Process level CPU and memory utilization Performance Monitoring Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec Performance Monitoring Windows application event logs - successful and failed login Security Monitoring General database info: database name, database version, database size, database owner, database created date, database status, database compatibility level Database configuration Info: Configure name, Configure value, Configure max and min value, Configure running value Database backup Info: Database name, Last backup date, Days since last backup Availability Monitoring FortiSIEM 6.1.1 External Systems Configuration Guide 105 Fortinet Technologies Inc. Applications Protocol JDBC Information discovered JDBC JDBC JDBC None Metrics collected Used for Database performance metrics (per-instance): Buffer cache hit ratio, Log cache hit ratio, Transactions /sec, Page reads/sec, Page writes/sec, Page splits/sec, Full scans/sec, Deadlocks/sec, Log flush waits/sec, Latch waits/sec, Data file(s) size, Log file(s) used, Log growths, Log shrinks, User connections, Target server memory, Total Server Memory, Active database users, Logged-in database users, Available buffer pool pages, Free buffer pool pages, Average wait time Database performance metrics (per-instance, per-database): Database name, Data file size, Log file used, Log growths, Log shrinks, Log flush waits/sec, Transaction /sec, Log cache hit ratio Performance Monitoring Locking info: Database id, Database object id, Lock type, Locked resource, Lock mode, Lock status Blocking info: Blocked Sp Id, Blocked Login User, Blocked Database, Blocked Command, Blocked Process Name, Blocking Sp Id, Blocking Login User, Blocking Database, Blocking Command, Blocking Process Name, Blocked duration Performance Monitoring Database error log Database audit trail:Failed database logon is also collected through performance monitoring as logon failures cannot be collected via database triggers. Availability / Performance Monitoring Database audit trail: Successful and failed database logon, Various database operation audit trail including CREATE/ALTER/DROP/TRUNCATE operations on tables, table spaces, databases, clusters, users, roles, views, table indices, triggers etc Security Monitoring and compliance Recommended Configuration 1. SNMP or WMI for discovery and system level performance metrics 2. FortiSIEM Windows Agent for Database Audit logs Note that these logs can also be pulled via WMI, however performance is limited because of WMI limitations. 3. JDBC for Database Performance metrics 4. JDBC for DDL changes FortiSIEM 6.1.1 External Systems Configuration Guide 106 Fortinet Technologies Inc. Applications SNMP Configuration See SNMP Configurations in the Microsoft Windows Server Configuration section. WMI Configuration See WMI Configurations in the Microsoft Windows Server Configuration section. Configuration for Database Audit Logs Database Audit logs include failed and successful logons and other C2 audit activity. These logs are written to the Windows Application logs. Configuration occurs in two parts. l SQL Server Configuration l FortiSIEM Configuration SQL Server Configuration Step 1: Configure Login Auditing using SQL Server Management studio Take the following steps to configure Login Auditing. 1. In SQL Server Management Studio, connect to an instance of the SQL Server Database Engine with Object Explorer. 2. In Object Explorer, right-click the server name, and then click Properties. 3. On the Security page, under Login auditing, select the desired option 4. On the Security page, under Options, click on the Enable C2 audit tracing check box and close the Server Properties page. 5. In Object Explorer, right-click the server name, and then click Restart. FortiSIEM 6.1.1 External Systems Configuration Guide 107 Fortinet Technologies Inc. Applications Note: You must restart the SQL Server before this option will take effect. Step 2: Enabling SQL Server Audit Create a Server-level audit object by taking the following steps: 1. In SQL Server Management Studio, connect to an instance of the SQL Server Database Engine with Object Explorer. 2. In the Object Explorer panel on the left, expand Security. 3. Right-click Audits, and select New Audit... from the menu. This will create a new SQL Server Audit object for server-level auditing. FortiSIEM 6.1.1 External Systems Configuration Guide 108 Fortinet Technologies Inc. Applications 4. In the Create Audit window, give the audit settings a name in the Audit name field. 5. For On Audit Log Failure, select the Continue option. 6. For Audit destination, select Application Log from the drop-down list. FortiSIEM 6.1.1 External Systems Configuration Guide 109 Fortinet Technologies Inc. Applications 7. Click OK. 8. You will now find the new audit configuration in Object Explorer below Security > Audits. Right-click the new Audit configuration and select Enable Audit from the menu. FortiSIEM 6.1.1 External Systems Configuration Guide 110 Fortinet Technologies Inc. Applications 9. Click Close in the Enable Audit dialog. FortiSIEM Configuration Step1: Define the Windows Agent Monitor Template for SQL Server Complete these steps to add a Windows Agent Monitor Template: 1. Navigate to ADMIN > Setup and click the Windows Agent tab. 2. Under Windows Agent Monitor Templates click New. 3. In the Windows Agent Monitor Template dialog box, in the Name field, enter a name. 4. Click on Event tab, and take following steps: a. In the Event Log row, click New. b. From the Type drop-down list, select Security and click Save. c. In the Event Log row, click New again. d. From the Type drop-down list, select Application. e. From the Source drop-down list, select SQL Server. FortiSIEM 6.1.1 External Systems Configuration Guide 111 Fortinet Technologies Inc. Applications f. Click Save. Step 2: Associate Windows Agents to Templates Complete these steps to associate a Host to Template: 1. Under Host To Template Associations, click New. 2. In the Host To Template Associations dialog box, enter the following information. Settings Name Organization Host Template Collector Guidelines Name of the Host to Template Association. Select the organization. Use the drop-down list to browse the folders and select the Devices or/and Business Services to monitor and click Save. Select one or more monitoring templates from the list, or select All Templates to include all. You can also use the serarch bar to find any specific template. Select the Collector from the list or select All Collectors to include all. Agents forward events to Collectors via HTTP(S). A Collector is chosen at random and if that Collector is not available or non-responive, then another Collector in the list is chosen. 3. Associate the recently added SQL Server template to SQL server host. 4. Click Save and Apply. Step 3: Check Events via Analytics FortiSIEM 6.1.1 External Systems Configuration Guide 112 Fortinet Technologies Inc. Applications JDBC Configuration for Database Performance Metrics FortiSIEM can pull SQL Server performance metrics via JDBC. Configuration occurs in two parts. l SQL Server Configuration l FortiSIEM Configuration SQL Server Configuration Step 1: Create a Read-Only User for SQL Server Monitoring A regular Windows account cannot be used for SQL Server monitoring. FortiSIEM runs on Linux and certain Windows libraries needed for SQL Server monitoring are not available on Linux. You have to create a separate user with read-only privileges. 1. Log in to your SQL Server with sa account, and then create a read-only user to access system tables. EXEC SP_ADDLOGIN 'AOPerfLogin','ProspectHills!','master'; EXEC SP_ADDROLE 'AOPerfRole'; EXEC SP_ADDUSER 'AOPerfLogin', 'AOPerfUser', 'AOPerfRole'; GRANT VIEW SERVER STATE TO AOPerfLogin; GRANT SELECT ON dbo.sysperfinfo TO AOPerfRole; GRANT EXEC on xp_readerrorlog to AOPerfRole; 2. Log in with your newly created read-only account (AOPerfLogin) and run these commands. SP_WHO2 'active'; SELECT * FROM sys.databases; SELECT * FROM dbo.sysperfinfo; SELECT COUNT(*) as count FROM sysprocesses GROUP BY loginame; FortiSIEM 6.1.1 External Systems Configuration Guide 113 Fortinet Technologies Inc. Applications Check to see if you get the same results with your read-only account (AOPerfLogin) as you do with your sa account. You should get the same results. Step 2: Changing Authentication mode to SQL Server and Windows Authentication Mode It is common practice to enable SQL Server and Windows Authentication mode before accessing read-only user. To enable this mode, take the following steps: 1. In SQL Server Management Studio Object Explorer, right click the server, then click Properties. 2. On the Security page, under Sever authentication, select SQL Server and Windows Authentication mode. 3. Click OK. 4. In the SQL Server Management Studio dialog box, click OK to acknowledge the requirement to restart the SQL Server. 5. In Object Explorer, right click your server, and then click Restart. If the SQL Server Agent is running, it must also be restarted. FortiSIEM Configuration Settings for SQL Server JDBC Access Credentials for Performance Monitoring Use these Access Method Definition settings to allow FortiSIEM to communicate with your SQL Server over JDBC for performance monitoring: Step 1: Create a Separate Credential for Each Database Instance If multiple database instances are running on the same server, then each instance must run on a separate port, and you must create a separate access credential for each instance. You must also remember to associate each instance with the server's IP number for the Device Credential Mapping Definition. Take the following steps: 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials, click New to create a new credential. a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box and click Save when done: FortiSIEM 6.1.1 External Systems Configuration Guide 114 Fortinet Technologies Inc. Applications i. Setting Name Access Protocol Used For Pull Interval (minutes) Port Database Name User Name Password Value The name of the database instance you're creating the credential for. JDBC Performance Monitoring 5 1433 <leave this field blank> The user you created in step 1 of the JDBC configuration. The password associated with the user you created in step 1. FortiSIEM 6.1.1 External Systems Configuration Guide 115 Fortinet Technologies Inc. Applications 3. In Step 2: Enter IP Range to Credential Associations, click New to create a new mapping. a. Select the name of your credential from the Credentials drop-down list. b. In the IP/Host Name field, enter a host name, an IP, or an IP range. c. Click Save. 4. Click the Test drop-down list and select Test Connectivity to test the connection to the Microsoft SQL Server. 5. To discover the device, take the following steps: a. Navigate to ADMIN > Setup > Discovery. b. Create a Discovery entry using the information here. For more information on how to create a discovery entry, see here. FortiSIEM 6.1.1 External Systems Configuration Guide 116 Fortinet Technologies Inc. Applications Setting Value Name Discovery Type Include The name of the device to discover Leave as default (Range Scan). Provide the IP address of the device you want discovered. c. Click Save when done. 6. Select the discovery entry you created and click Discover. 7. After Discovery is completed, navigate to ADMIN > Setup > Monitor Performance to check the monitor performance job. 8. Click on the More drop-down list and select Report to check related events. FortiSIEM 6.1.1 External Systems Configuration Guide 117 Fortinet Technologies Inc. Applications JDBC Configuration for DDL Changes FortiSIEM can pull SQL Server Data Definition Language (DDL) changes via JDBC. These changes include CREATE, ALTER, DROP, GRANT, DENY, REVOKE or UPDATE STATISTICS operations on database tables. This information is not naturally generated by a SQL Server. Hence, this involves creating database tables to store them and then creating triggers to populate those tables. Then FortiSIEM can pull them via JDBC. Configuration occurs in two parts. l SQL Server Configuration l FortiSIEM Configuration SQL Server Configuration 1. Save the SQL Server script (provided link here) as separate file to My Documents > SQL Server Management Studio > SQLServer_DDL_Events.sql. 2. Login to SQL Server Management Studio with sa account. 3. Browse to and execute the SQLServer_DDL_Events.sql script to create the database, tables and trigger events. Creating a Database Truncate Script Since DDL tables grow after time, it is often a good idea to create a database truncate script that can run as a maintenance task and keep the table size under control. it is often necessary to create a database truncate procedure as follows. 1. Log into Microsoft SQL Management Studio and connect to the DB instance. 2. Under Management, go to Maintenance Plans, and create a new plan with the name RemoveOldLogs. 3. For Subplan, enter TRUNCATE, and for Description, enter TRUNCATE TABLE. 4. Click the Calendar icon to create a recurring, daily task starting at 12:00AM and running every 30 minutes until 11:59:59PM. 5. Go to View > Tool Box > Execute T-SQL Statement. A T-SQL box will be added to the subplan. 6. In the T-SQL box, enter this command use PH_Events; FortiSIEM 6.1.1 External Systems Configuration Guide 118 Fortinet Technologies Inc. Applications EXEC sp_MSForEachTable 'TRUNCATE TABLE DDLEvents'; 7. Click OK. You will be able to see the history of this script's actions by right-clicking on the maintenance task, and then selecting View History. FortiSIEM Configuration Settings for SQL Server JDBC Access Ccredentials for DDL Events Collection Use these Access Method Definition settings to allow FortiSIEM to communicate with your SQL Server database instance over JDBC for database DDL events collection. Step 1: Create a Separate Credential for Each Database Instance If multiple database instances are running on the same server, then each instance must run on a separate port, and you must create a separate access credential for each instance. You must also remember to associate each instance with the server's IP number for the Device Credential Mapping Definition. Take the following steps: 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials, click New to create a new credential. a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box, and click Save when done: Setting Value Name The name of the database instance you are creating the credential for Device Type Microsoft SQL Server Used For Audit Pull Interval 5 (minutes) Port 1433 Database Name <leave this field blank> Logon Event Table PH_Events.dbo.LogOnEvents DDL Event Table PH_Events.dbo.DDLEvents User Name The user you created in step 1 of the JDBC configuration Password The password associated with the user you created in step 1. FortiSIEM 6.1.1 External Systems Configuration Guide 119 Fortinet Technologies Inc. Applications 3. In Step 2: Enter IP Range to Credential Associations, click New to create a new mapping. a. Select the name of your credential from the Credentials drop-down list. b. In the IP/Host Name field, enter a host name, an IP, or an IP range. c. Click Save. FortiSIEM 6.1.1 External Systems Configuration Guide 120 Fortinet Technologies Inc. Applications 4. Click the Test drop-down list and select Test Connectivity to test the connection to the Microsoft SQL Server. 5. To discover the device, take the following steps: a. Navigate to ADMIN > Setup > Discovery. b. Create a Discovery entry using the information here. For more information on how to create a discovery entry, see here. Setting Name Discovery Type Include Value The name of the device to discover Leave as default (Range Scan). Provide the IP address of the device you want discovered. c. Click Save when done. 6. Select the discovery entry you created and click Discover. 7. After Discovery is completed, navigate to ADMIN > Setup > Pull Events to check the pull events job. FortiSIEM 6.1.1 External Systems Configuration Guide 121 Fortinet Technologies Inc. Applications 8. Click on Report to check related events. Sample Events l Per Instance Performance Metrics l Per Instance, per Database Performance Metrics l Generic Info l Config Info l Locking Info l Blocking Info l Error Log l Logon Events l DDL Events - Create Database l DDL Events - Create Index Per Instance Performance Metrics <134>Apr 16 10:17:56 172.16.22.100 java: [PH_DEV_MON_PERF_MSSQL_SYS|PH_DEV_MON_PERF_MSSQL_ SYS]:[eventSeverity]=PHL_INFO,[hostIpAddr]=172.16.22.100,[hostName]=wwwin.accelops.net, [appGroupName]=Microsoft SQL Server,[dbDataFileSizeKB]=13149056,[dbLogFileUsedKB]=26326, [dbLogGrowthCount]=4,[dbLogShrinkCount]=0,[dbLogFlushPerSec]=1.69,[dbTransPerSec]=4.44, FortiSIEM 6.1.1 External Systems Configuration Guide 122 Fortinet Technologies Inc. Applications [dbDeadLocksPerSec]=0,[dbLogCacheHitRatio]=60.01,[dbUserConn]=16, [dbTargetServerMemoryKB]=1543232,[dbTotalServerMemoryKB]=1464760,[dbPageSplitsPerSec]=0.45, [dbPageWritesPerSec]=0.01,[dbLatchWaitsPerSec]=0.77,[dbPageReadsPerSec]=0.01, [dbFullScansPerSec]=1.83,[dbBufferCacheHitRatio]=100,[dbCount]=8,[dbUserCount]=25, [dbLoggedinUserCount]=2,[dbPagesInBufferPool]=116850,[dbPagesFreeInBufferPool]=2336, [dbAverageWaitTimeMs]=239376, [appVersion]=Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64),[serverName]=WIN-08VCENTER,[instanceName]=MSSQLSERVER,[appPort]=1433 Per Instance, per Database Performance Metrics [PH_DEV_MON_PERF_MSSQL_PERDB]:[eventSeverity]=PHL_INFO,[hostIpAddr]=172.16.22.100, [hostName]=wwwin.accelops.net,[dbName]=tempdb,[appGroupName]=Microsoft SQL Server, [dbDataFileSizeKB]=109504,[dbLogFileUsedKB]=434,[dbLogGrowthCount]=4,[dbLogShrinkCount]=0, [dbTransPerSec]=0.96,[dbLogFlushPerSec]=0.01,[dbLogCacheHitRatio]=44.44, [appVersion]=Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64),[serverName]=WIN-08VCENTER,[instanceName]=MSSQLSERVER,[appPort]=1433 Generic Info [PH_DEV_MON_PERF_MSSQL_GEN_INFO]:[eventSeverity]=PHL_INFO,[dbName]= tempdb,[dbSize]= 3.0, [dbowner]= sa,[dbId]= 2,[dbcreated]= 1321545600, [dbstatus]= Status=ONLINE; Updateability=READ_WRITE; UserAccess=MULTI_USER; Recovery=SIMPLE; Version=655; Collation=SQL_Latin1_General_CP1_CI_AS; SQLSortOrder=52; IsAutoCreateStatistics; IsAutoUpdateStatistics, [dbcompatibilityLevel]= 100,[spaceAvailable]= 0.9,[appVersion]= Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86),[serverName]= WIN03MSSQL\SQLEXPRESS Config Info [PH_DEV_MON_PERF_MSSQL_CONFIG_INFO]:[eventSeverity]=PHL_INFO,[configureName]= user instances enabled,[configMinimum]= 0,[configMaximum]= 1,[dbConfigValue]= 1, [configRunValue]= 1,[appVersion]= Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86),[serverName]= WIN03MSSQL\SQLEXPRESS Locking Info [PH_DEV_MON_PERF_MSSQL_LOCK_INFO]:[eventSeverity]=PHL_INFO,[dbId]= 4,[objId]= 1792725439, [lockType]= PAG,[lockedResource]= 1:1256,[lockMode]= IX, [lockStatus]= GRANT,[appVersion]= Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86),[serverName]= WIN03MSSQL\SQLEXPRESS Blocking Info [PH_DEV_MON_PERF_MSSQL_BLOCKBY_INFO]:[eventSeverity]=PHL_INFO,[blockedSpId]= 51, [blockedLoginUser]= WIN03MSSQL\Administrator,[blockedDbName]= msdb, [blockedCommand]= UPDATE,[blockedProcessName]= Microsoft SQL Server Management Studio Query,[blockingSpId]= 54,[blockingLoginUser]= WIN03MSSQL\Administrator, [blockingDbName]= msdb,[blockingCommand]= AWAITING COMMAND,[blockingProcessName]= Microsoft SQL Server Management Studio - Query,[blockedDuration]= 5180936, [appVersion]= Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86),[serverName]= WIN03MSSQL\SQLEXPRESS FortiSIEM 6.1.1 External Systems Configuration Guide 123 Fortinet Technologies Inc. Applications Error Log [PH_DEV_MON_PERF_MSSQL_ERROR_LOG_INFO]:[eventSeverity]=PHL_INFO,[logDate]= 1321585903, [processInfo]= spid52,[logText]= Starting up database 'ReportServer$SQLEXPRESSTempDB'., [appVersion]= Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86),[serverName]= WIN03MSSQL\SQLEXPRESS Logon Events 134>Feb 08 02:55:34 10.1.2.54 java: [MSSQL_Logon_Success]:[eventSeverity]=PHL_INFO, [eventTime]=2014-02-08 02:54:00.977, [rptIp]=10.1.2.54, [relayIp]=10.1.2.54, [srcName]=<local machine>, [user]=NT SERVICE\ReportServer$MSSQLSERVEJIANFA, [srcApp]=Report Server, [instanceName]=MSSQLSERVEJIANFA, [procId]=52, [loginType]=Windows (NT) Login, [securityId]=AQYAAAAAAAVQAAAALJAZf5XMbcLh8PUDY31LioZ3Uwo=, [isPooled]=1, [destName]=WINS2EDLFIUPQK, [destPort]=1437, DDL Events - Create Database <134>Sep 29 15:34:48 10.1.2.54 java: [MSSQL_Create_database]:[eventSeverity]=PHL_INFO, [eventTime]=2013-09-29 15:34:05.687, [rptIp]=10.1.2.54, [relayIp]=10.1.2.54, [user]=WINS2EDLFIUPQK\Administrator, [dbName]=JIANFA, [instanceName]=MSSQLSERVER, [objName]=, [procId]=59, [command]=CREATE DATABASE JIANFA, [destName]=WIN-S2EDLFIUPQK, [destPort]=1433, DDL Events - Create Index <134>Sep 29 15:34:48 10.1.2.54 java: [MSSQL_Create_index]:[eventSeverity]=PHL_INFO, [eventTime]=2013-09-29 15:30:40.557, [rptIp]=10.1.2.54, [relayIp]=10.1.2.54, [user]=WINS2EDLFIUPQK\Administrator, [dbName]=master, [instanceName]=MSSQLSERVER, [objName]=IndexTest, [procId]=58, [command]=create index IndexTest on dbo.MSreplication_options(optname);, [schemaName]=dbo, [objType]=INDEX, [destName]=WIN-S2EDLFIUPQK, [destPort]=1433 FortiSIEM 6.1.1 External Systems Configuration Guide 124 Fortinet Technologies Inc. Applications Microsoft SQL Server Scripts l SQL Server Trigger Creation Script l SQL Server Table Creation Script l SQL Server DDL Event Creation Script l SQL Server Database Level Event Creation Script SQL Server Trigger Creation Script (PH_LogonEventsTrigger.sql) This script is to create a server level trigger called PH_LoginEvents. It will record all logon events when a user establishes a session to the database server. The trigger locates at the database server > Server Objects > Triggers. CREATE TRIGGER PH_LoginEvents ON ALL SERVER WITH EXECUTE AS self FOR LOGON AS BEGIN DECLARE @event XML SET @event = EVENTDATA() INSERT INTO PH_Events.dbo.LogonEvents (EventTime,EventType,SPID,ServerName,LoginName,LoginType,SID,HostName,IsPooled,AppName,XMLEv ent) VALUES(CAST(CAST(@event.query('/EVENT_INSTANCE/PostTime/text()') AS VARCHAR(64)) AS DATETIME), CAST(@event.query('/EVENT_INSTANCE/EventType/text()') AS VARCHAR(128)), CAST(@event.query('/EVENT_INSTANCE/SPID/text()') AS VARCHAR(128)), CAST(@event.query('/EVENT_INSTANCE/ServerName/text()') AS VARCHAR(128)), CAST(@event.query('/EVENT_INSTANCE/LoginName/text()') AS VARCHAR(128)), CAST(@event.query('/EVENT_INSTANCE/LoginType/text()') AS VARCHAR(128)), CAST(@event.query('/EVENT_INSTANCE/SID/text()') AS VARCHAR(128)), CAST(@event.query('/EVENT_INSTANCE/ClientHost/text()') AS VARCHAR(128)), CAST(@event.query('/EVENT_INSTANCE/IsPooled/text()') AS VARCHAR(128)), APP_NAME(), @event) END; SQL Server Table Creation Script (PH_EventDB_Tables_Create.sql) CREATE DATABASE PH_Events GO CREATE TABLE PH_Events.dbo.DDLEvents ( XMLEvent XML, DatabaseName VARCHAR(64), EventTime DATETIME DEFAULT (GETDATE()), EventType VARCHAR(128), SPID VARCHAR(128), ServerName VARCHAR(128), LoginName VARCHAR(128), ObjectName VARCHAR(128), ObjectType VARCHAR(128), SchemaName VARCHAR(128), FortiSIEM 6.1.1 External Systems Configuration Guide 125 Fortinet Technologies Inc. Applications CommandText VARCHAR(128) ) GO CREATE TABLE PH_Events.dbo.LogonEvents ( XMLEvent XML, EventTime DATETIME, EventType VARCHAR(128), SPID VARCHAR(128), ServerName VARCHAR(128), LoginName VARCHAR(128), LoginType VARCHAR(128), SID VARCHAR(128), HostName VARCHAR(128), IsPooled VARCHAR(128), AppName VARCHAR(255) ) SQL Server DDL Event Creation Script (PH_DDL_Server_Level_Events.sql) CREATE TRIGGER PH_DDL_Server_Level_Events ON ALL SERVER FOR DDL_ENDPOINT_EVENTS, DDL_LOGIN_EVENTS, DDL_GDR_SERVER_EVENTS, DDL_AUTHORIZATION_SERVER_ EVENTS, CREATE_DATABASE, ALTER_DATABASE, DROP_DATABASE /**FOR DDL_SERVER_LEVEL_EVENTS**/ AS DECLARE @eventData AS XML; SET @eventData = EVENTDATA(); /**declare @eventData as XML; set @eventData = EVENTDATA();**/ insert into PH_Events.dbo.DDLEvents(EventTime, EventType, SPID, ServerName, LoginName, ObjectName, ObjectType, SchemaName, DatabaseName, CommandText, XMLEvent) values(cast(@eventData.query('data(//PostTime)') as varchar(64)), cast(@eventData.query('data(//EventType)') as varchar(128)), cast(@eventData.query('data(//SPID)') as varchar(128)), cast(@eventData.query('data(//ServerName)') as varchar(128)), cast(@eventData.query('data(//LoginName)') as varchar(128)), cast(@eventData.query('data(//ObjectName)') as varchar(128)), cast(@eventData.query('data(//ObjectType)') as varchar(128)), cast(@eventData.query('data(//SchemaName)') as varchar(128)), cast(@eventData.query('data(//DatabaseName)') as varchar(64)), cast(@eventData.query('data(//TSQLCommand/CommandText)') AS NVARCHAR(MAX)), /** DB_NAME(),**/ @eventData); SQL Server Database Level Event Creation Script (PH_Database_Level_Events.sql) USE master; GO CREATE TRIGGER PH_Database_Level_Events on DATABASE FOR DDL_DATABASE_LEVEL_EVENTS FortiSIEM 6.1.1 External Systems Configuration Guide 126 Fortinet Technologies Inc. Applications AS DECLARE @eventData AS XML; SET @eventData = EVENTDATA(); INSERT INTO PH_Events.dbo.DDLEvents(EventTime, EventType, SPID, ServerName, LoginName, ObjectName, ObjectType, SchemaName, DatabaseName, CommandText, XMLEvent) VALUES(cast(@eventData.query('data(//PostTime)') as varchar(64)), cast(@eventData.query('data(//EventType)') as varchar(128)), cast(@eventData.query('data(//SPID)') as varchar(128)), cast(@eventData.query('data(//ServerName)') as varchar(128)), cast(@eventData.query('data(//LoginName)') as varchar(128)), cast(@eventData.query('data(//ObjectName)') as varchar(128)), cast(@eventData.query('data(//ObjectType)') as varchar(128)), cast(@eventData.query('data(//SchemaName)') as varchar(128)), cast(@eventData.query('data(//DatabaseName)') as varchar(64)), cast(@eventData.query('data(//TSQLCommand/CommandText)') AS NVARCHAR(MAX)), @eventData ); FortiSIEM 6.1.1 External Systems Configuration Guide 127 Fortinet Technologies Inc. Applications MySQL Server l What is Discovered and Monitored l Configuration l Settings for Access Credentials l Sample events What is Discovered and Monitored Protocol SNMP WMI JDBC JDBC JDBC Information discovered Application type Application type, service mappings None Metrics collected Used for Process level CPU and memory utilization Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec Performance Monitoring Performance Monitoring Generic database information: Version, Character Setting Database performance metrics: User COnnections, Table Updates, table Selects, Table Inserts, Table Deletes, Temp Table Creates, Slow Queries, Query cache Hits, Queries registered in cache, Database Questions, Users, Live Threads Table space performance metrics: Table space name, table space type, Character set and Collation, table space usage, table space free space, Database engine, Table version, Table Row Format, Table Row Count, Average Row Length, Index File length, Table Create time, Table Update Time Performance Monitoring Database audit trail: Successful and failed database log on, Database CREATE/DELETE/MODIFY operations, Table CREATE/DELETE/MODIFY/INSERT operations Security Monitoring Event Types In ADMIN > Device Support > Event, search for "mysql" in the Device Type and Description columns to see the event types associated with this device. Rules In RESOURCE > Rules, search for "mysql" in the Name column to see the rules associated with this application or device. FortiSIEM 6.1.1 External Systems Configuration Guide 128 Fortinet Technologies Inc. Applications Reports In RESOURCE > Reports , search for ""mysql" in the Name and Description columns to see the reports associated with this application or device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. JDBC for Database Auditing - MySQL Server You must configure your MySQL Server to write audit logs to a database table. This topic in the MySQL documentation explains more about how to set the destination tables for log outputs. 1. Start MySQL server with TABLE output enabled. bin/mysqld_safe --user=mysql --log-output=TABLE & 2. Login to mysql, run the following SQL commands to enable general.log in MyISAM. SET @old_log_state = @@global.general_log; SET GLOBAL general_log = 'OFF'; ALTER TABLE mysql.general_log ENGINE = MyISAM; SET GLOBAL general_log = @old_log_state; SET GLOBAL general_log = 'ON'; You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials SNMP Access Credentials for All Devices Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> Settings for MySQL Server JBDC Access Credentials for Performance Monitoring FortiSIEM 6.1.1 External Systems Configuration Guide 129 Fortinet Technologies Inc. Applications Use these Access Method Definition settings to allow FortiSIEM to communicate with your MySQL Server over JDBC for performance monitoring: Setting Name Device Type Access Protocol Used For Pull Interval (minutes) Port User Name Password Value MySQL-Performance-Monitoring Oracle MySQL JBDC Performance Monitoring 5 3306 The administrative user for the database server The password associated with the administrative user Settings for MySQL Server JBDC Access Credentials for Database Auditing Use these Access Method Definition settings to allow FortiSIEM to communicate with your MySQL Server over JDBC for database auditing: Setting Name Device Type Access Protocol Used For Pull Interval (minutes) Port Database Name Audit Table User Name Password Value MySQL-Audit Oracle MySQL JBDC Audit 5 3306 <database name> (mysql) dba_audit_trail The administrative user for the database server The password associated with the administrative user Settings for MySQL Server JBDC Access Credentials for Synthetic Transaction Monitoring, Snort Audit, McAfee VulnMgr Use these Access Method Definition settings to allow FortiSIEM to communicate with your MySQL Server over JDBC for Synthetic Transaction Monitoring, Snort Audit, or McAfee VulnMgr: FortiSIEM 6.1.1 External Systems Configuration Guide 130 Fortinet Technologies Inc. Applications Setting Name Device Type Access Protocol Used For Pull Interval (minutes) Port Database Name User Name Password Value <name> Oracle MySQL JBDC Synthetic Transaction Monitoring, Snort Audit, or McAfee VulnMgr 5 3306 <database name> The administrative user for the database server The password associated with the administrative user Sample events System Level Performance Metrics <134>Apr 21 19:06:07 10.1.2.8 java: [PH_DEV_MON_PERF_MYSQLDB]: [eventSeverity]=PHL_INFO, [hostIpAddr]=172.16.22.227, [hostName]=MYSQL, [appGroupName]=MySQL Database Server, [appVersion]=MySQL 5.6.11, [charSetting]=utf8, [dbConnections]=24, [dbComUpdate]=0, [dbComSelect]=1, [dbComInsert]=0, [dbComDelete]=0, [dbCreatedTmpTables]=0, [dbSlowQueries]=0, [dbQcacheHits]=0, [dbQcacheQueriesinCache]=0, [dbQuestions]=7, [dbThreadsConnected]=1, [dbThreadsRunning]=1 Table Space Performance Metrics <134>Apr 29 10:06:07 172.16.22.227 java: [PH_DEV_MON_PERF_MYSQLDB_TABLESPACE]: [eventSeverity]=PHL_INFO, [appGroupName]=MySQL Database Server, [instanceName]=mysql, [tablespaceName]=general_log, [tablespaceType]=PERMANENT, [tablespaceUsage]=0.01, [tablespaceFreeSpace]=4193886, [dbEngine]=MyISAM, [tableVersion]=10, [tableRowFormat]=dynamic, [tableRows]=124, [tableAvgRowLength]=80, [tableIndexLength]=1024, [tableCreateTime]=2013-04-29 15:12:30, [tableUpdateTime]=2013-04-29 12:35:46, [tableCollation]=utf8_general_ci System Level Performance Metrics <134>Apr 21 19:06:07 10.1.2.8 java: [PH_DEV_MON_PERF_MYSQLDB]: [eventSeverity]=PHL_INFO, [hostIpAddr]=172.16.22.227, [hostName]=MYSQL, [appGroupName]=MySQL Database Server, [appVersion]=MySQL 5.6.11, [charSetting]=utf8, [dbConnections]=24, [dbComUpdate]=0, [dbComSelect]=1, [dbComInsert]=0, [dbComDelete]=0, [dbCreatedTmpTables]=0, [dbSlowQueries]=0, [dbQcacheHits]=0, [dbQcacheQueriesinCache]=0, [dbQuestions]=7, [dbThreadsConnected]=1, [dbThreadsRunning]=1 FortiSIEM 6.1.1 External Systems Configuration Guide 131 Fortinet Technologies Inc. Applications Logon/Logoff Events <134>Apr 29 15:14:54 abc-desktop java: [MYSQL_ Logon_Success]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [logonTime]=2013-04-29 15:14:54, [logoffTime]=, [actionName]=Connect, [msg]=admin@172.16.22.227 on <134>Apr 10 14:29:22 abc-desktop java: [MYSQL_Logoff]:[eventSeverity]=PHL_INFO, [eventTime]=2013-04-10 14:29:22, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [logonTime]=, [logoffTime]=2014-04-10 14:29:22, [actionName]=quit, [msg]= <134>Apr 29 15:14:54 abc-desktop java: [MYSQL_ Logon_Fail]: [eventSeverity]=PHL_WARN, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [logonTime]=2013-04-29 15:14:54, [logoffTime]=, [actionName]=Connect, [msg]=Access denied for user 'admin'@'172.16.22.227' (using password: YES) Database CREATE/DELETE/MODIFY Events <134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Create_database]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=create database sliutest <134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Drop_database]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=drop database sliutest Table CREATE/DELETE/MODIFY Events <134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Create_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=CREATE TABLE tutorials_tbl( tutorial_id INT NOT NULL AUTO_INCREMENT, tutorial_title VARCHAR(100) NOT NULL, tutorial_author VARCHAR(40) NOT NULL, submission_date DATE, PRIMARY KEY ( tutorial_id ) ) <134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Delete_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=DELETE FROM tutorials_tbl WHERE tutorial_id=2NOT NULL, tutorial_author VARCHAR(40) NOT NULL, submission_date DATE, PRIMARY KEY ( tutorial_ id ) <134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Insert_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=INSERT INTO tutorials_tbl (tutorial_title, tutorial_author, submission_date) VALUES ("Learn Java", "John Smith", NOW()) <134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Drop_table]: [eventSeverity]=PHL_INFO, [eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=DROP table sliutable FortiSIEM 6.1.1 External Systems Configuration Guide 132 Fortinet Technologies Inc. Applications Oracle Database Server l Supported Versions l What is Discovered and Monitored l Configuration l Settings for Access Credentials l Sample Events Supported Versions l Oracle Database 10g l Oracle Database 11g l Oracle Database 12c What is Discovered and Monitored Protocol SNMP WMI JDBC JDBC Syslog JDBC Information discovered Application type Application type, service mappings None Metrics collected Used for Process level CPU and memory utilization Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec Performance Monitoring Performance Monitoring Generic database information: version, Character Setting, Archive Enabled, Listener Status, Instance Status, Last backup date, Database performance metrics: Buffer cache hit ratio, Row cache hit ratio, Library cache hit ratio, Shared pool free ratio, Wait time ratio, Memory Sorts ratio, Host CPU Util ratio, CPU Time ratio, Disk Read/Write rates (operations and MBps), Network I/O Rate, Enqueue Deadlock rate, Database Request rate, User Transaction rate, User count, Logged on user count, Session Count, System table space usage, User table space usage, Temp table space usage, Last backup date, Days since last backup Table space performance metrics: Table space name, table space type, table space usage, table space free space, table space next extent Performance Monitoring Listener log, Alert log, Audit Log Database audit trail: Successful and failed database logon, Various database operation audit trail including CREATE/ALTER/DROP/TRUNCATE operations on tables, table Security Monitoring FortiSIEM 6.1.1 External Systems Configuration Guide 133 Fortinet Technologies Inc. Applications Protocol Information discovered Metrics collected spaces, databases, clusters, users, roles, views, table indices, triggers etc. Used for Event Types In ADMIN > Device Support > Event, search for "oracle database" in the Description column to see the event types associated with this device. Rules In RESOURCE > Rules, search for "oracle database" in the Description column to see the rules associated with this application or device. Reports In RESOURCE > Reports , search for "oracle database" in the Name column to see the reports associated with this application or device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. JDBC for Database Performance Monitoring - Oracle Database Server To configure your Oracle Database Server for performance monitoring by FortiSIEM, you must create a read-only user who has select permissions for the database. This is the user you will use to create the access credentials for FortiSIEM to communicate with your database server. 1. Open the SQLPlus application. 2. Log in with a system-level account. 3. Connect to your instance as sysdba. SQL> conn / as sysdba; Connected. 4. Create a non-admin user account. (Note: If you already created the phoenix_agent user, you can skip this step.) SQL> create user phoenix_agent identified by "accelops"; User created. FortiSIEM 6.1.1 External Systems Configuration Guide 134 Fortinet Technologies Inc. Applications 5. Assign permissions to the user. grant select on dba_objects to phoenix_agent; grant select on dba_tablespace_usage_metrics to phoenix_agent; grant select on dba_tablespaces to phoenix_agent; grant select on nls_database_parameters to phoenix_agent; grant select on v_$backup_set to phoenix_agent; grant select on v_$instance to phoenix_agent; grant select on v_$parameter to phoenix_agent; grant select on v_$session to phoenix_agent; grant select on v_$sql to phoenix_agent; grant select on v_$sysmetric to phoenix_agent; grant select on v_$version to phoenix_agent; grant select on gv_$session to phoenix_agent; grant select on gv_$service_stats to phoenix_agent; 6. Verily that the permissions were successfully assigned to the user. select count(*) from dba_objects; select count(*) from dba_tablespace_usage_metrics; select count(*) from dba_tablespaces; select count(*) from gv$service_stats; select count(*) from nls_database_parameters; select count(*) from v$backup_set order by start_time desc; select count(*) from v$instance; select count(*) from v$parameter; select count(*) from v$session; select count(*) from v$sql; select count(*) from v$sysmetric; select count(*) from v$version; JDBC for Database Auditing - Oracle Database Server Required Environmental Variables Make sure that these environment variables are set l ORACLE_HOME= C:\app\Administrator\product\11.2.0\dbhome_1 l ORACLE_BASE= C:\app\Administrator 1. Create audit trail views by executing cataaudit.sql as the sysdb user. Linux: su- oracle sqlplus /nolog conn / as sysdba; @$ORACLE_HOME/rdbms/admin/cataudit.sql; quit Windows: sqlplus /nolog conn / as sysdba; @%ORACLE_HOME%/rdbms/admin/cataudit.sql; quit 2. Enable auditing by modifying the Oracle instance initialization file init<SID>.ora. This is typically located in $ORACLE_BASE/admin/<SID>/pfile where DIS is the Oracle instance FortiSIEM 6.1.1 External Systems Configuration Guide 135 Fortinet Technologies Inc. Applications AUDIT_TRAIL = DB or AUDIT_TRAIL = true 3. Restart the database. su - oracle sqlplus /nolog conn / as sysdba; shutdown immediate; startup; quit 4. Create a user account and grant select privileges to that user. su - oracle sqlplus /nolog conn / as sysdba Create user phoenix_agent identified by "phoenix_agent_pwd" (NOTE: please correct this set -- above steps showed that we created phoenix_agent already, just add the grant steps and utilize the "accelops" password; Grant connect to phoenix_agent; Grant select on dba_audit_trail to phoenix_agent; Grant select on v_$session to phoenix_agent; 5. Turn on auditing. su - oracle sqlplus /nolog conn / as sysdba; audit session; quit; 6. Fetch the audit data to make sure the configuration was successful. su - oracle; sqlplus phoenix_agent/phoenix_agent_pwd; select count (*) from dba_audit_trail; You should see the count changing after logging on a few times. Configuring listener log and error log via SNARE - Oracle side 1. Install and configure Epilog application to send syslog to FortiSIEM a. Download Epilog from snare, information to download here, and install it on your Windows Server. b. Launch Epilog from StartAll ProgramsInterSect AllianceEpilog for windows c. Configure Epilog application as follows i. Select Log Configuration on left hand panel, click Add button to add Oracle Listener log file to be sent to FortiSIEM. Also make sure the Log Type is OracleListenerLog. ii. Click Add button to add Oracle Alert log file to be sent to FortiSIEM. Also make sure the Log Type is OracleAlertLog. iii. After adding both the files, SNARE Log Configuration will show both the files included as follows iv. Select Network Configuration on left hand panel. On the right, set the destination address to that of FortiSIEM server, port to 514 and make sure that syslog header is enabled. Then click Change Configuration button. FortiSIEM 6.1.1 External Systems Configuration Guide 136 Fortinet Technologies Inc. Applications v. Click the "Apply the latest audit configuration" link on the left hand side to apply the changes to Epilog applications. DHCP logs will now sent to FortiSIEM in real time. You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials SNMP Access Credentials for All Devices Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> Settings for Oracle Database Server JDBC Access Credentials for Performance Monitoring Use these Access Method Definition settings to allow FortiSIEM to communicate with your Oracle database server over JDBC: Setting Name Device Type Access Protocol Used For Pull Interval (minutes) Port Instance Name User Name Password Value phoenix_agent_accelops Oracle Database Server JDBC Performance Monitoring 5 1521 orcl2 The user you created for performance monitoring The password associated with the user FortiSIEM 6.1.1 External Systems Configuration Guide 137 Fortinet Technologies Inc. Applications Sample Events System Level Database Performance Metrics [PH_DEV_MON_PERF_ORADB]:[eventSeverity]=PHL_INFO, [hostIpAddr]=10.1.2.8, [hostName]=Host10.1.2.8, [appGroupName]=Oracle Database Server, [appVersion]=Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production, [instanceName]=orcl, [instanceStatus]=OPEN, [charSetting]=ZHS16GBK, [archiveEnabled]=FALSE, [lastBackupDate]=1325566287, [listenerStatus]=OPEN,[dbBufferCacheHitRatio]=100, [dbMemorySortsRatio]=100,[dbUserTransactionPerSec]=0.13,[dbPhysicalReadsPerSec]=0, [dbPhysicalWritesPerSec]=0.48,[dbHostCpuUtilRatio]=0,[dbNetworkKBytesPerSec]=0.58, [dbEnqueueDeadlocksPerSec]=0,[dbCurrentLogonsCount]=32,[dbWaitTimeRatio]=7.13, [dbCpuTimeRatio]=92.87, [dbRowCacheHitRatio]=100,[dbLibraryCacheHitRatio]=99.91,[dbSharedPoolFreeRatio]=18.55, [dbSessionCount]=40,[dbIOKBytesPerSec]=33.26,[dbRequestsPerSec]=3.24, [dbSystemTablespaceUsage]= 2.88,[dbTempTablespaceUsage]= 0,[dbUsersTablespaceUsage]= 0.01, [dbUserCount]= 2,[dbInvalidObjectCount]= 4 Table Space Performance Metrics [PH_DEV_MON_PERF_ORADB_TABLESPACE]:[eventSeverity]=PHL_INFO, [appGroupName]=Oracle Database Server, [instanceName]=orcl, [tablespaceName]=UNDOTBS1, [tablespaceType]=UNDO, [tablespaceUsage]=0.01, [tablespaceFreeSpace]=4193886, [tablespaceNextExtent]=0 [PH_DEV_MON_PERF_ORADB_TABLESPACE]:[eventSeverity]=PHL_INFO, [appGroupName]=Oracle Database Server, [instanceName]=orcl, [tablespaceName]=USERS, [tablespaceType]=PERMANENT, [tablespaceUsage]=0.01, [tablespaceFreeSpace]=4193774, [tablespaceNextExtent]=0 Oracle Audit Trail (FortiSIEM Generated Events) <134>Apr 10 12:51:42 abc-desktop java: [ORADB_PH_Logoff]:[eventSeverity]=PHL_INFO, [retCode]=0, [eventTime]=2009-04-10 14:29:22:111420, [rptIp]=172.16.10.40, [srcIp]=QA-VCtOS-ora.abc.net, [user]=DBSNMP, [logonTime]=2009-04-10 14:29:22:111420, [logoffTime]=200904-10 14:29:22, [privUsed]=CREATE_SESSION, Oracle Audit Log <172>Oracle Audit[25487]: LENGTH : '153' ACTION :[004] 'bjn' DATABASE USER:[9] 'user' PRIVILEGE :[4] 'NONE' CLIENT USER:[9] 'user' CLIENT TERMINAL:[14] 'terminal' STATUS:[1] '0'] <172>Oracle Audit[6561]: LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[8] 'user' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'user' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID: [9] '200958341' <172>Oracle Audit[28061]: LENGTH: 265 SESSIONID:[9] 118110747 ENTRYID:[5] 14188 STATEMENT: [5] 28375 USERID:[8] user ACTION:[3] 100 RETURNCODE:[1] 0 COMMENT$TEXT:[99] Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.90.217.247)(PORT=4566)) PRIV$USED:[1] 5 Oracle Listener Log <46>Dec 13 06:07:08 WIN03R2E-110929 OracleListenerLog 0 12-OCT-2011 16:17:52 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=Administrator))(COMMAND=status)(ARGUMENTS=64) FortiSIEM 6.1.1 External Systems Configuration Guide 138 Fortinet Technologies Inc. Applications (SERVICE=LISTENER)(VERSION=185599744)) * status * 0 Oracle Alert Log <46>Dec 13 06:07:08 WIN03R2E-110929 OracleAlertLog 0 'C:\APP\ADMINISTRATOR\ORADATA\ORCL\REDO03.LOG' ORA-00312: online log 3 thread 1: FortiSIEM 6.1.1 External Systems Configuration Guide 139 Fortinet Technologies Inc. Applications DHCP and DNS Server FortiSIEM supports these DHCP and DNS servers for discovery and monitoring. l Infoblox DNS/DHCP l ISC BIND DNS l Linux DHCP l Microsoft DHCP (2003, 2008) l Microsoft DNS (2003, 2008) FortiSIEM 6.1.1 External Systems Configuration Guide 140 Fortinet Technologies Inc. Applications Infoblox DNS/DHCP l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol Information discovered Metrics collected Used for SNMP Host Name, Hardware model, Serial number, Network Interfaces, Running processes, Installed software System CPU utilization, Memory utilization, Disk usage, Disk I/O Performance Monitoring SNMP Process level CPU utilization, Memory utilization SNMP Zone Transfer metrics: For each zone: DNS Responses Sent, Failed DNS Queries, DNS Referrals, Non-existent DNS Record Queries, DNS Non-existent Domain Queries, Recursive DNS Query Received DNS Cluster Replication metrics: DNS Replication Queue Status, Sent Queue From Master, Last Sent Time From Master, Sent Queue To Master, Last Sent Time To Master DNS Performance metrics: NonAuth DNS Query Count, NonAuth Avg DNS Latency, Auth DNS Query Count, Auth Avg DNS Latency, Invalid DNS Port Response, Invalid DNS TXID Response DHCP Performance metrics: Discovers/sec, Requests/Sec, Releases/Sec, Offers/sec, Acks/sec, Nacks/sec, Declines/sec, Informs/sec DDNS Update metrics: DDNS Update Success, DDNS Update Fail, DDNS Update Reject, DDNS Prereq Update Reject, DDNS Update Latency, DDNS Update Timeout DHCP subnet usage metrics: For each DHCP Subnet (addr, mask) - percent used Security Monitoring and compliance SNMP Hardware status Availability monitoring SNMP Trap Hardware failures, Software failures Availability monitoring FortiSIEM 6.1.1 External Systems Configuration Guide 141 Fortinet Technologies Inc. Applications Event Types In ADMIN > Device Support > Event, search for "infoblox" in the Device Type and Description columns to see the event types associated with this device. Reports In RESOURCE > Reports , search for "infoblox" in the Name and Description column to see the reports associated with this application or device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. SNMP Trap FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send send SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. Settings for Access Credentials SNMP Access Credentials for All Devices Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> FortiSIEM 6.1.1 External Systems Configuration Guide 142 Fortinet Technologies Inc. Applications ISC BIND DNS What is Discovered and Monitored Protocol SNMP Syslog Information discovered Application type Application type Metrics collected Used for Process level CPU utilization, Memory utilization Performance Monitoring DNS name resolution activity: DNS Query Success and Failure by type Security Monitoring and compliance Event Types In ADMIN > Device Support > Event, search for "isc bind" in the Device Type and Description column to see the event types associated with this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Syslog Configure the ISC BIND DNS Server to Send Syslog 1. Edit named.conf and add a new line: include /var/named/conf/logging.conf;. 2. Edit the /var/named/conf/logging.conf file, and in the channel queries_file { } section add syslog local3; 3. Restart BIND by issuing /etc/init.d/named restart. Configure Syslog to Send to FortiSIEM 1. Edit syslog.conf and add a new line: Local7.* @<IP address of the FortiSIEM server>. 2. Restart the syslog daemon by issuing /etc/init.d/syslog restart. Settings for Access Credentials SNMP Access Credentials for All Devices FortiSIEM 6.1.1 External Systems Configuration Guide 143 Fortinet Technologies Inc. Applications Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> Sample BIND DNS Logs <158>Jan 28 20:41:46 100.1.1.1 named[3135]: 28-Jan-2010 20:40:28.809 client 192.168.29.18#34065: query: www.google.com IN A + FortiSIEM 6.1.1 External Systems Configuration Guide 144 Fortinet Technologies Inc. Applications Linux DHCP l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP Syslog Information discovered Application type Application type Metrics collected Used for Process level CPU utilization, Memory utilization DHCP address release/renew events that are used by FortiSIEM for Identity and location: attributes include IP Address, MAC address, Host Name Performance Monitoring Security and compliance (associate machines to IP addresses) Event Types In ADMIN > Device Support > Event, search for "linux dhcp" in the Device Type column to see the event types associated with this device. Configuration SNMP 1. Make sure that snmp libraries are installed. FortiSIEM has been tested to work with net-snmp libraries. 2. Log in to your device with administrator credentials. 3. Modify the /etc/snmp/snmpd.conf file: a. Define the community string for FortiSIEM usage and permit snmp access from FortiSIEM IP. b. Allow FortiSIEM to (read-only) view the mib-2 tree. c. Open up the entire tree for read-only view. 4. Restart the snmpd deamon by issuing /etc/init.d/snmpd restart. 5. Add the snmpd daemon to start from boot by issuing chkconfig snmpd on. 6. Make sure that snmpd is running. You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Syslog Configure Linux DHCP to Forward Logs to Syslog Daemon FortiSIEM 6.1.1 External Systems Configuration Guide 145 Fortinet Technologies Inc. Applications 1. Edit dhcpd.conf and insert the line log-facility local7;. 2. Restart dhcpd by issuing /etc/init.d/dhcpd restart. Configure Syslog to Forward to FortiSIEM 1. Edit syslog.conf and add a new line: Local7.* @<IP address of FortiSIEM server>. 2. Restart syslog daemon by issuing /etc/init.d/syslog restart. Sample Syslog <13>Aug 26 19:28:11 DNS-Pri dhcpd: DHCPREQUEST for 172.16.10.200 (172.16.10.8) from 00:50:56:88:4e:17 (26L2233B1-02) Settings for Access Credentials SNMP Access Credentials for All Devices Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> FortiSIEM 6.1.1 External Systems Configuration Guide 146 Fortinet Technologies Inc. Applications Microsoft DHCP l Supported OS l What is Discovered and Monitored l Configuration l Settings for Access Controls Supported OS l Windows 2003 l Windows 2008 and 2008 R2 l Windows 2012 and 2012 R2 l Windows 2016 l Windows 2019 What is Discovered and Monitored Protocol SNMP WMI Windows Agent Information discovered Metrics collected Process details Process level CPU utilization, Memory utilization Process details, process to service mappings Process level metrics (Win32_Process, Win32_ PerfRawData_PerfProc_Process): uptime, CPU utilization, Memory utilization, Read I/O, Write I/O DHCP metrics (Win32_PerfFormattedData_DHCPServer_ DHCPServer): DHCP request rate, release rate, decline rate, Duplicate Drop rate, Packet Rate, Active Queue length, DHCP response time, Conflict queue length Application type DHCP address release/renew events that are used by FortiSIEM for Identity and location: attributes include IP Address, MAC address, Host Name Used for Performance Monitoring Performance Monitoring Security and compliance (associate machines to IP addresses) Event Types In ADMIN > Device Support > Event, search for "microsoft dhcp" in the Description column to see the event types associated with this device. FortiSIEM 6.1.1 External Systems Configuration Guide 147 Fortinet Technologies Inc. Applications Configuration SNMP See SNMP Configurations in the Microsoft Windows Server Configuration section. WMI See WMI Configurations in the Microsoft Windows Server Configuration section. FortiSIEM Windows Agent For information on configuring DHCP for FortiSIEM Windows Agent, see Configuring Windows DHCP in the Windows Agent Installation Guide. Settings for Access Controls See Setting Access Credentials in the Microsoft Windows Server Configuration section. FortiSIEM 6.1.1 External Systems Configuration Guide 148 Fortinet Technologies Inc. Applications Microsoft DNS l Supported OS l What is Discovered and Monitored l Configuration l Settings for Access Credentials Supported OS l Windows 2003 l Windows 2008 and 2008 R2 l Windows 2012 and 2012 R2 l Windows 2016 l Windows 2019 What is Discovered and Monitored Protocol SNMP WMI Windows Agent Information discovered Application type Application type, service mappings Application type Metrics collected Used for Process level CPU utilization, Memory utilization Performance Monitoring Process level metrics (Win32_Process, Win32_ PerfRawData_PerfProc_Process): uptime, CPU utilization, Memory utilization, Read I/O, Write I/O DNS metrics (Win32_PerfFormattedData_DNS_DNS): DNS requests received, DNS responses sent, WINS requests received, WINS responses sent, Recursive DNS queries received, Recursive DNS queries failed, Recursive DNS queries timeout, Dynamic DNS updates received, Dynamic DNS updates failed, Dynamic DNS updates timeout, Secure DNS update received, Secure DNS update failed, Full DNS Zone Transfer requests sent, Full DNS Zone Transfer requests received, Incremental DNS Zone Transfer requests sent, ncremental DNS Zone Transfer requests received Performance Monitoring DNS name resolution activity: DNS Query Success and Failure Security by type Monitoring Event Types In ADMIN > Device Support > Event, search for "microsoft dans" in the Description column to see the event types associated with this device. FortiSIEM 6.1.1 External Systems Configuration Guide 149 Fortinet Technologies Inc. Applications Configuration SNMP See SNMP Configurations in the Microsoft Windows Server Configuration section. WMI See WMI Configurations in the Microsoft Windows Server Configuration section. FortiSIEM Windows Agent For information on configuring DNS for FortiSIEM Windows Agent, see Configuring Windows DNS in the Windows Agent 3.2.0 Installation Guide. Settings for Access Credentials See Setting Access Credentials in the Microsoft Windows Server Configuration section. FortiSIEM 6.1.1 External Systems Configuration Guide 150 Fortinet Technologies Inc. Applications Directory Server FortiSIEM supports this directory server for discovery and monitoring. l Microsoft Active Directory FortiSIEM 6.1.1 External Systems Configuration Guide 151 Fortinet Technologies Inc. Applications Microsoft Active Directory l What is Discovered and Monitored l Configuration l Active Directory User Discovery l Mapping Active Directory User Attributes to FortiSIEM User Attributes What is Discovered and Monitored Protocol LDAP WMI WMI WMI Information discovered User details, Password age Metrics collected Used for Security Monitoring, User meta data for log Win32_PerfRawData_NTDS_NTDS class: Directory Search Rate, Read Rate, Write Rate, Browse Rate, LDAP search rate, LDAP Bind Rate, New LDAP Connection Rate, Successful LDAP Bind Rate, LDAP Active Threads, LDAP Bind Time, LDAP Client Sessions Performance Monitoring "dcdiag -e" command output - detect successful and failed domain controller diagnostic tests Domain Controller Replication status "repadmin /replsummary" command output - detect replication statistics Domain Controller Replication status Event Types l PH_DISCOV_ADS_ACCOUNT_TO_EXPIRE (Active Directory account to excpire in 2 weeks) l PH_DISCOV_ADS_ACCT_DISABLED (Accounts Disabled) l PH_DISCOV_ADS_DORMANT_ACCT (Dormant User Acounts - not log on in last 30 days) l PH_DISCOV_ADS_PASSWORD_NEVER_EXPIRES (Active Directory user password never expires) l PH_DISCOV_ADS_PASSWORD_NOT_REQD (Active Directory user password not required) l PH_DISCOV_ADS_PASSWORD_STALE (Active Directory user password stale - more than 90 days) l PH_DISCOV_ADS_PASSWORD_TO_EXPIRE (Active Directory user password to excpire in 2 weeks) l PH_DEV_MON_DCDIAG (output of "dcdiag -e" command) [PH_DEV_MON_DCDIAG]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,[errReason]="", [testResult]="passed",[testSubject]="WIN-IGO8O8M5JVT",[testName]="NCSecDesc" FortiSIEM 6.1.1 External Systems Configuration Guide 152 Fortinet Technologies Inc. Applications l PH_DEV_MON_SRC_AD_REPL_STAT (output of "repadmin /replsummary" command) [PH_DEV_MON_SRC_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT, [largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00, [srcName]="WIN-IGO8O8M5JVT",[errReason]="" l PH_DEV_MON_DST_AD_REPL_STAT (output of "repadmin /replsummary" command) [PH_DEV_MON_DST_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT, [largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00, [destName]="WIN-IGO8O8M5JVT",[errReason]="" Rules l Failed Windows DC Diagnostic Test Reports l Successful Windows Domain Controller Diagnostic Tests l Failed Windows Domain Controller Diagnostic Tests l Source Domain Controller Replication Status l Destination Domain Controller Replication Status Configuration WMI See WMI Configurations in the Microsoft Windows Server Configuration section. Active Directory User Discovery If you want to add Active Directory users to FortiSIEM, follow these steps in the FortiSIEM UI. 1. Add the login credentials for Active Directory server and associate them to an IP range. 2. Discover the Active Directory server. If the Active Directory server is discovered successfully, then all of the users and their properties will be added to FortiSIEM. After the users have been added to FortiSIEM, you can re-run discovery to get new changes from Active Directory. You cannot make changes in FortiSIEM as this will inevitably make FortiSIEM out of synch with Active Directory. Since Active Directory can contain many users, it is possible to choose a sub-tree by specifying a base DN (see below). Adding Active Directory login credentials to FortiSIEM 1. Log in to your Supervisor UI. 2. Go to ADMIN > Setup > Credentials. 3. Click New to create an LDAP discovery credential by entering the following in the Access Method Definition dialog box: FortiSIEM 6.1.1 External Systems Configuration Guide 153 Fortinet Technologies Inc. Applications a. Name: a name for the credential. b. Device Type: select Microsoft Windows. c. Access Protocol: i. By default, LDAP servers listen on TCP port 389. ii. LDAPS (LDAP with SSL) defaults to port 636. iii. LDAP Start TLS defaults to port 389. d. Used For: select Microsoft Active Directory. e. Enter the root of the LDAP user tree that you want to discover. For example, dc=companyABC,dc=com or ou=Org1,dc=companyABC,dc=com f. NetBIOS/Domain: enter the NetBIOS/Domain value. g. User Name: enter the user name for your LDAP directory. The user should be a member of the Domain Users group in Active Directory. See the Validating LDAP Credentials and Permissions for information on how to validate this membership. h. Enter and confirm the Password for your User. i. Click Save. Your LDAP credentials will be added to the list of credentials. 4. Under Enter IP Range to Credential Associations, click Add. 5. Select your LDAP credentials from the list of Credentials. Click + to add more. 6. Enter the IP/IP Range or host name for your Active Directory server. 7. Click Save. Your LDAP credentials will appear in the list of credential/IP address associations. 8. Click Test > Test Connectivity to make sure you can connect to the Active Directory server. Discovering users in FortiSIEM 1. Go to ADMIN> Discovery and click Add. 2. For Name, enter Active Directory. 3. For Include Range, enter the IP address or host name for your Active Directory server. 4. Click OK. Active Directory will be added to the list of discoverable devices. 5. Select the Active Directory device and click Discover. 6. After discovery completes, go to CMDB > Users to view the discovered users. You may need to click Refresh to load the user tree hierarchy. To get user updates in Active Directory, simply re-run discovery. Validating LDAP Credentials and Permissions 1. Log in to your Active Directory server. 2. Open the Active Directory console from the command prompt and execute the dsa.msc command. FortiSIEM 6.1.1 External Systems Configuration Guide 154 Fortinet Technologies Inc. Applications 3. From the Active Directory console, select the User that added in FortiSIEM Supervisor. 4. Right click the selected User and check Properties. 5. The User should be a member of Domain Users. 6. On FortiSIEM Base DN should match, example: DC=accelops,DC=net. Mapping Active Directory User Attributes to FortiSIEM User Attributes The following table shows how user attributes in Microsoft Active Directory are shown in the FortiSIEM UI. To find Active Directory user attributes, take the following steps: 1. Log in to Active Directory. 2. Go to Active Directory Users and Computers. 3. Click View > Enable Advanced Features. 4. Find a user, and take the following steps: a. Double click user. b. Click Attribute Editor. You will see a set of attributes and the values they are set to. In FortiSIEM, user details can be found in CMDB > Users. First, click the tree node on the left that you have discovered, then locate the user in the right pane. Attributes are displayed on the main page and under Summary, Contact, and Member Of. Microsoft Active Directory FortiSIEM User Attribute User Attribute sAMAccoutName User Name name Full Name userPrincipalName <Not shown> FortiSIEM 6.1.1 External Systems Configuration Guide 155 Fortinet Technologies Inc. Applications Microsoft Active Directory FortiSIEM User Attribute User Attribute mail Email telephoneNumber Work Phone mobile Mobile Phone title Job Title company Company department <Not shown> employeeID Employee ID manager Manager I <Not shown> postalCode ZIP streetAddress Address homePostalAddress <Not shown> c City st State co Country memberOf Member Of FortiSIEM 6.1.1 External Systems Configuration Guide 156 Fortinet Technologies Inc. Applications Document Management Server FortiSIEM supports this document management server for discovery and monitoring. l Microsoft SharePoint FortiSIEM 6.1.1 External Systems Configuration Guide 157 Fortinet Technologies Inc. Applications Microsoft SharePoint l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol LOGbinder Agent Information discovered Metrics/Logs collected SharePoint logs - Audit trail integrity, Access control changes, Document updates, List updates, Container object updates, Object changes, Object Import/Exports, Document views, Information Management Policy changes Used for Log analysis and compliance Event Types In ADMIN > Device Support > Event, search for "sharepoint" in the Description column to see the event types associated with this device. Reports In RESOURCE > Reports , search for "sharepoint" in the Name column to see the reports associated with this application or device. Configuration Microsoft SharePoint logs are supported via LOGbinder SP agent from Monterey Technology group. The agent must be installed on the SharePoint server. Configure the agent to write logs to Windows Security log. FortiSIEM simply reads the logs from windows security logs via WMI and categorizes the SharePoint specific events and parses SharePoint specific attributes. Installing and Configuring LOGbinder SP Agent l LOGbinder Install web link l LOGbinder Configuration web link - remember to configure LOGbinder SP agent to write to Windows security log l LOGbinder SP getting started document - remember to configure LOGbinder SP agent to write to Windows security log FortiSIEM 6.1.1 External Systems Configuration Guide 158 Fortinet Technologies Inc. Applications Healthcare IT FortiSIEM supports the discovery and monitoring of these healthcare applications. l Epic EMR/EHR System FortiSIEM 6.1.1 External Systems Configuration Guide 159 Fortinet Technologies Inc. Applications Epic EMR/EHR System l Integration Points l Configuration l Settings for Access Credentials l Sample Events Integration Points Method Syslog Information discovered Host name, Reporting IP Metrics collected None LOGs collected Used for Authentication Query, Client login Query Security monitoring Event Types In ADMIN > Device Support > Event, search for "Epic-SecuritySIEM" to see the event types associated with this device. There are two events that are parsed: l Epic-SecuritySIEM-AUTHENTICATION-Query l Epic-SecuritySIEM-LOGIN-Query Rules No specific rules are written for Epic-SecuritySIEM. Reports No specific reports are written for Epic-SecuritySIEM. Configuration Configure the Epic-SecuritySIEM system to send logs to FortiSIEM in the supported format (see Sample Events). Settings for Access Credentials None required. Sample Events Oct 19 05:32:16 10.25.8.111 CEF:0|Epic|Security-SIEM|8.3.0|LOGIN|LOGIN|4|cnt=1 suser=3227^DOE, JOHN L^JOHN-DOE shost=PRD workstationID=WS7946 act=Query FortiSIEM 6.1.1 External Systems Configuration Guide 160 Fortinet Technologies Inc. Applications end=Oct 19 00:30:00 flag=^^Workflow Logging CLIENTNAME=dom1/WS7946 DEP=100000010^RMC ICU MAIN IP=10.25.6.59/10.170.10.66 LOGINLDAPID=JOHN-DOE LOGINREASON= OSUSR=WS7946 ROLE=MODEL IP NURSE SOURCE=1-Hyperspace USERJOB=304401^RMC INPATIENT NURSE TEMPLATE#011 Oct 19 05:32:16 10.25.8.111 CEF:0|Epic|SecuritySIEM|8.3.0|AUTHENTICATION|AUTHENTICATION|4|cnt=1 suser=3055^DOE, JOHN^JOHN-DOE shost=PRD workstationID=WS7610 act=Query end=Oct 19 00:30:00 flag=Access History^^Workflow Logging LOGINCONTEXT=0-Login LOGINDEVICE=10001-ImprivataAuthMultiApp LOGINLDAPID=JOHN-DOE LOGINREVAL= 011 FortiSIEM 6.1.1 External Systems Configuration Guide 161 Fortinet Technologies Inc. Applications Mail Server FortiSIEM supports this mail server for discovery and monitoring. l Microsoft Exchange FortiSIEM 6.1.1 External Systems Configuration Guide 162 Fortinet Technologies Inc. Applications Microsoft Exchange l What is Discovered and Monitored l Configuration l Settings for Access Credentials l Sample Logs What is Discovered and Monitored Protocol Protocol SNMP WMI Information discovered Information discovered Application type Application type, service mappings Metrics collected Used for Metrics collected Used for Process level CPU and memory utilization for the various exchange server processes Performance Monitoring Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec for the various exchange server processes Performance Monitoring Exchange performance metrics (: VM Largest Block size, VM Large Free Block Size, VM Total Free Blocks, RPC Requests, RPC Request Peak, RPC Average Latency, RPC Operations/sec, User count, Active user Count, Peak User Count, Active Connection Count, Max Connection Count Exchange error metrics (obtained from Win32_PerfRawData_ MSExchangeIS_MSExchangeIS WMI class): RPC Success, RPC Failed, RPC Denied, RPC Failed - Server Busy, RPC Failed Server Unavailable, Foreground RPC Failed, Backgorund RPC Failed Exchange mailbox metrics (obtained from Win32_ PerfRawData_MSExchangeIS_MSExchangeISMailbox and Win32_PerfRawData_MSExchangeIS_MSExchangeISPublic WMI classes): Per Mailbox: Send Queue, Receive Queue, Sent Message, Submitted Message, Delivered Message, Active User, Peak User Exchange SMTP metrics (obtained from Win32_PerfRawData_ SMTPSVC_SMTPServer WMI class): Categorization Queue, Local Queue, Remote Queue, Inbound Connections, Outbound Connections, Sent Bytes/sec, Received Bytes/sec, Retry Count, Local Retry Queue, Remote Retry Queue Exchange ESE Database (Win32_PerfFormattedData_ESE_ MSExchangeDatabase): FortiSIEM 6.1.1 External Systems Configuration Guide 163 Fortinet Technologies Inc. Applications Protocol Windows Agent Information discovered Metrics collected Used for Exchange Database Instances (Win32_PerfFormattedData_ ESE_MSExchangeDatabaseInstances): Exchange Mail Submission Metrics (Win32_ PerfFormattedData_MSExchangeMailSubmission_ MSExchangeMailSubmission): Exchange Replication Metrics (Win32_PerfFormattedData_ MSExchangeReplication_MSExchangeReplication): Exchange Store Interface Metrics (Win32_PerfFormattedData_ MSExchangeStoreInterface_MSExchangeStoreInterface): Exchange Transport Queue Metrics (Win32_ PerfFormattedData_MSExchangeTransportQueues_ MSExchangeTransportQueues): Application Logs Security Monitoring and Compliance Event Types In ADMIN > Device Support > Event, search for "microsoft exchange" in the Description column to see the event types associated with this device. Reports In RESOURCE > Reports , search for "microsoft exchange" in the Name column to see the reports associated with this application or device. Configuration SNMP See SNMP Configurations in the Microsoft Windows Server Configuration section. WMI See WMI Configurations in the Microsoft Windows Server Configuration section. Settings for Access Credentials See Setting Access Credentials in the Microsoft Windows Server Configuration section. FortiSIEM 6.1.1 External Systems Configuration Guide 164 Fortinet Technologies Inc. Applications Sample Logs 2017-10-05T12:06:00Z SRV-EXCH02.uskudar.bld 10.9.1.105 AccelOps-WUA-UserFileExchangeTrackLog [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="d78e4bd5-bc3f4950-bcdf-926947ee1db7" [timeZone]="+0300" [fileName]="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\MSGTRKMS2017100512-1.LOG" [msg]="201710-05T12:05:56.564Z,fe80::ac4c:6f22:1c25:97d8%13,SRV-EXCH02,,SRVEXCH01.uskudar.bld,\"MDB:d72c63cf-290e-456e-86e5-85dedb1f56de, Mailbox:d7c8c416-c1a7-4225a17f-552d5274703d, Event:4419662, MessageClass:IPM.Note.ProbeMessage.MBTSubmissionServiceHeartbeatProbe, CreationTime:2017-1005T12:05:56.267Z, ClientType:Monitoring, SubmissionAssistant:MailboxTransportSubmissionEmailAssistant\",,STOREDRIVER,SUBMIT,,<e545b61 2256a4c14a563f78a8999fafd@uskudar.bel.tr>,0a21180c-5932-4c7e-388808d50be96f34,HealthMailbox66dd83eddb9b4ee69dbd3fa82c925a3b@uskudar.bel.tr,,,1,,,000000520000-0000-0000-0000ea5a2141MBTSubmissionServiceHeartbeatProbe,HealthMailbox66dd83eddb9b4ee69dbd3fa82c925a3b@uskudar.bel .tr,,2017-10-05T12:05:56.267Z;LSRV=SRV-EXCH02.uskudar.bld:TOTALSUB=0.296|SA=0.078|MTSS=0.209(MTSSD=0.209(MTSSDA=0.005|MTSSDC=0.005|SDSSO=0.161 (SMSC=0.020|SMS=0.140)|X-MTSSDPL=0.004|XMTSSDSS=0.008|MTSSDSDS=0.001)),Originating,,,,S:ItemEntryId=00-00-00-00-ED-99-60-31-E3-763C-4B-BE-FE-5B-27-F0-88-3D-0A-07-00-25-D5-0C-8E-46-5A-51-46-A4-18-7D-65-F7-DF-52-1C-00-0000-00-01-0B-00-00-25-D5-0C-8E-46-5A-51-46-A4-18-7D-65-F7-DF-52-1C-00-00-30-88-0D-FF-0000,Email,92e0d0ab-4670-41e9-d453-08d50be96f50,15.01.0845.034" FortiSIEM 6.1.1 External Systems Configuration Guide 165 Fortinet Technologies Inc. Applications Management Server/Appliance FortiSIEM supports these web servers for discovery and monitoring. l Cisco Application Centric Infrastructure (ACI) l Fortinet FortiInsight l Fortinet FortiManager FortiSIEM 6.1.1 External Systems Configuration Guide 166 Fortinet Technologies Inc. Applications Cisco Application Centric Infrastructure (ACI) What is Discovered and Monitored Protocol Information Discovered Cisco APIC API (REST) Metrics Collected Overall Health, Tenant Health, Node Health, Cluster Health, Application Health, EPG health, Fault Record, Event record, Log Record, Configuration Change Used For Availability and Performance Monitoring Event Types Go to ADMIN > Device Support > Event and search for "Cisco_ACI". Rules Go to RESOURCE > Rules and search for "Cisco ACI". Reports Go to RESOURCE > Reports and search for "Cisco ACI". Configuration Cisco ACI Configuration Please configure Cisco ACI Appliance so that FortiSIEM can access it via APIC API. FortiSIEM Configuration 1. Go to ADMIN > Setup > Credentials 2. In Step 1: Enter Credentials, click New and create a credential. Settings Name Device Type Access Protocol Pull Interval Port Description Enter a name for the credential. CISCO CISCO ACI Cisco APIC API 5 minutes 443 FortiSIEM 6.1.1 External Systems Configuration Guide 167 Fortinet Technologies Inc. Applications Settings Description Password config User Name Password Description See Password Configuration User name for device access Password for the various REST APIs Password for the various REST APIs 3. In Step 2: Enter IP Range to Credential Associations click New and create the association. a. IP - specify the IP address of the ACI Controller b. Credential - specify the Name as in 2a 4. Test Connectivity - Run Test Connectivity with or without ping and make sure the test succeeds 5. Check Pull Events tab to make sure that a event pulling entry is created Sample Events Overall Health Event [Cisco_ACI_Overall_Health]: {"attributes": {"childAction":"","cnt":"29","dn":"topology/HDfabricOverallHealth5min0","healthAvg":"82","he althMax":"89", "healthMin":"0","healthSpct":"0","healthThr":"","healthTr":"1","index":"0","lastCollOffset": "290","repIntvEnd":"2016-09-05T08:13:53.232+00:00","repIntvStart":"2016-0905T08:09:03.128+00:00","status":""}} Tenant Health Event [Cisco_ACI_Tenant_Health]: {"attributes":{"childAction":"","descr":"","dn":"uni/tnCliQr","lcOwn":"local","modTs":"2016-09-05T07:56:27.164+00:00","monPolDn":"uni/tncommon/monepgdefault","name":"CliQr","ownerKey":"","ownerTag":"","status":"","uid":"15374"},"children": [{"healthInst":{"attributes": {"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","stat us":"", "twScore":"100","updTs":"2016-09-05T08:27:03.584+00:00"}}}] Nodes Health Event [Cisco_ACI_Node_Health]: {"attributes": {"address":"10.0.208.95","childAction":"","configIssues":"","currentTime":"2016-0905T08:15:51.794+00:00","dn":"topology/pod-1/node101/sys","fabricId":"1","fabricMAC":"00:22:BD:F8:19:FF","id":"101","inbMgmtAddr":"0.0.0.0", "inbMgmtAddr6":"0.0.0.0","lcOwn":"local","modTs":"2016-09-05T07:57:29.435+00:00", "mode":"unspecified","monPolDn":"uni/fabric/monfabdefault","name":"Leaf1","oobMgmtAddr":"0.0.0.0","oobMgmtAddr6":"0.0.0.0","podId":"1","role" :"leaf","serial":"TEP-1-101","state":"inservice","status":"","systemUpTime":"00:00:27:05.000"},"children":[{"healthInst": {"attributes":{"childAction":"","chng":"- FortiSIEM 6.1.1 External Systems Configuration Guide 168 Fortinet Technologies Inc. Applications 10","cur":"90","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"90","upd Ts":"2016-09-05T07:50:08.415+00:00"}}}] Cluster Health Event [Cisco_ACI_Cluster_Health]: {"attributes":{"addr":"10.0.0.1","adminSt":"inservice","chassis":"10220833-ea00-3bb3-93b2ef1e7e645889","childAction":"","cntrlSbstState":"approved","dn":"topology/pod-1/node1/av/node-1","health":"fully-fit","id":"1","lcOwn":"local","mbSn":"TEP-1-1","modTs":"201609-05T08:00:46.797+00:00","monPolDn":"","mutnTs":"2016-0905T07:50:19.570+00:00","name":"","nodeName":"apic1","operSt":"available","status":"","uid":" 0"} Application Health Event [Cisco_ACI_Application_Health]: {"attributes":{"childAction":"","descr":"","dn":"uni/tninfra/ap-access","lcOwn":"local","modTs":"2016-09-07T08:17:20.503+00:00","monPolDn":"uni/tncommon/monepgdefault","name":"access","ownerKey":"","ownerTag":"","prio":"unspecified","status":"","uid": "0"}, "children":[{"healthInst":{"attributes": {"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","stat us":"","twScore": "100","updTs":"2016-09-07T08:39:35.531+00:00"}}}]} EPG Health Event [Cisco_ACI_EPG_Health]: {"attributes": {"childAction":"","configIssues":"","configSt":"applied","descr":"","dn":"uni/tn-infra/apaccess/epgdefault","isAttrBasedEPg":"no","lcOwn":"local","matchT":"AtleastOne","modTs":"2016-0907T08:17:20.503+00:00","monPolDn":"uni/tn-common/monepgdefault","name":"default","pcEnfPref":"unenforced","pcTag":"16386","prio":"unspecified", "scope":"16777199","status":"","triggerSt":"triggerable","txId":"5764607523034234882","uid": "0"},"children":[{"healthInst":{"attributes": {"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","stat us":"", "twScore":"100","updTs":"2016-09-07T08:39:35.549+00:00"}}}] Fault Record Event [Cisco_ACI_Fault_Record]: ,"created":"2016-0905T08:00:41.313+00:00","delegated":"no","delegatedFrom":"","descr": "Controller3isunhealthybecause:DataLayerPartiallyDegradedLeadership","dn":"subj[topology/pod-1/node-1/av/node-3]/fr4294967583","domain":"infra","highestSeverity":"critical","id":"4294967583","ind":"modificat ion", "lc":"soaking","modTs":"never","occur":"1","origSeverity":"critical","prevSeverity":"critica l", FortiSIEM 6.1.1 External Systems Configuration Guide 169 Fortinet Technologies Inc. Applications "rule":"infra-wi-nodehealth","severity":"critical","status":"","subject":"controller","type":"operational"} Event Record Event [Cisco_ACI_Event_Record]: {"attributes":{"affected":"topology/pod-1/node-2/lon/svc-ifc_ dhcpd","cause":"state-change","changeSet":"id:ifc_ dhcpd,leCnnct:undefined,leNonOptCnt:undefined,leNotCnnct:undefined,name:ifc_ dhcpd","childAction":"","code":"E4204979","created":"2016-0905T07:57:37.024+00:00","descr":"Allshardsofserviceifc_ dhcpdhaveconnectivitytotheleaderreplicaintheCluster.","dn":"subj-[topology/pod-1/node2/lon/svc-ifc_dhcpd]/rec-8589934722","id":"8589934722","ind":"statetransition","modTs":"never","severity":"info","status":"","trig":"oper","txId": "18374686479671623682","user":"internal"} Log Record Event [Cisco_ACI_Log_Record]: {"attributes":{"affected":"uni/userext/useradmin","cause":"unknown","changeSet":"","childAction":"","clientTag":"","code":"generic","cr eated" :"2016-09-05T07:56:25.825+00:00","descr":"From-198.18.134.150-client-type-REST- Success","dn":"subj-[uni/userext/user-admin]/sess4294967297","id":"4294967297","ind":"special","modTs":"never","severity":"info","status":"", "systemId":"1","trig": "login,session","txId":"0","user":"admin"} Configuration Change Event [Cisco_ACI_Configuration_Chang]: {"attributes":{"affected":"uni/tn-CliQr/out-CliQr-ProdL3Out/instP-CliQr-Prod-L3OutEPG/rscustQosPol","cause":"transition","changeSet":"","childAction":"","clientTag":"","code" :"E4206266", "created":"2016-09-05T07:56:27.099+00:00","descr":"RsCustQosPolcreated","dn":"subj-[uni/tnCliQr/out-CliQr-Prod-L3Out/instP-CliQr-Prod-L3Out-EPG/rscustQosPol]/mod4294967308","id":"4294967308","ind":"creation","modTs":"never","severity":"info","status":"" ,"trig":"config","txId": "7493989779944505526","user":"admin"}} FortiSIEM 6.1.1 External Systems Configuration Guide 170 Fortinet Technologies Inc. Applications Fortinet FortiInsight FortiInsight is a unique data security and threat detection solution that delivers advanced threat hunting to help you spot, respond to, and manage risky behaviors that put your business-critical data at risk. It combines powerful and flexible Machine Learning with detailed forensics around user actions to bring focus to the facts more rapidly than other solutions. l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration in FortiInsight l Configuration in FortiSIEM l Sample Events What is Discovered and Monitored Protocol FortiInsight API Information collected Policy based alerts and AI based alerts Used for Data security, threat protection This feature allows FortiSIEM to get Policy-based alerts and AI-based alerts from FortiInsight. Event Types In RESOURCES > Event Types, enter "FortiInsight" in the Search column to see the event types associated with this device. Rules In RESOURCES > Rules, enter "FortiInsight" in the Search column to see the rules associated with this device. Reports No defined reports. Configuration in FortiInsight Get an API Key in FortiInsight Complete these steps in the FortiInsight UI: 1. Login to FortiInsight. 2. Select Admin > Account from the left menu. 3. Click New API Key to open the New API Key dialog box. FortiSIEM 6.1.1 External Systems Configuration Guide 171 Fortinet Technologies Inc. Applications 4. Enter a descriptive Name. 5. Click Save to generate the API key. This will download a file containing the API key information (Client ID, Client Secret, and Name). Make a note of these values; you will need them when you configure FortiSIEM. Configuration in FortiSIEM Complete these steps in the FortiSIEM UI: 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box: Settings Name Device Type Access Protocol Pull Interval Client ID Client Secret Organization Description Description Enter a name for the credential Fortinet FortiSIEM FortiInsight API The interval in which FortiSIEM will pull events from FortiInsight. Default is 3 minutes. Access key for your FortiInsight instance. Secret key for your FortiInsight instance The organization the device belongs to. Description of the device. 3. In Step 2, Enter IP Range to Credential Associations: a. Select the name of your Fortinet FortiInsight credential from the Credentials drop-down list. b. Enter a host name, an IP, or an IP range in the IP/Host Name field. c. Click Save. 4. Click Test to test the connection to FortiInsight. 5. To see the jobs associated with FortiInsight, select ADMIN > Setup > Pull Events. 6. To see the received events select ANALYTICS, then enter FortiInsight in the search box. Sample Events [FORTIINSIGHT_POLICY_ALERT] = {"description":"","events":[{"act":"file downloaded","app":"chrome.exe","childId":null,"d":"2019-0318T13:22:24.344+00:00","id":null,"m":"uqP","mn":{"dh":"tcp://server-10-230-2153.lhr5.r.cloudfront.net","dip":"10.1.1.76","dp":61024,"ext":".mkv","fp":"c:\\users\\Admini strator\\documents\\secret\\prototypedemo1.mkv","fs":2307792448,"loc": {"altCode":null,"city":"Augsburg","code":"DE","country":"Germany","latitude":"48.3718","long itude":"10.8925"},"p":"tcp-ip- FortiSIEM 6.1.1 External Systems Configuration Guide 172 Fortinet Technologies Inc. Applications 4","sip":"78.47.38.226","sp":443,"ts":1460},"r":"c:\\users\\Administrator\\documents\\secret \\prototypedemo1.mkv-> tcp://server-54-230-2-153.lhr5.r.cloudfront.net:443","u":"acmeltd__ engineer2"}],"extendedEvents":[{"act":"file downloaded","app":"chrome.exe","childId":null,"d":"2019-0318T13:22:24.344+00:00","id":null,"latestHostname":"mimas","latestIp":"10.10.0.1","m":"uqP"," mn":{"dh":"tcp://server-54-230-2153.lhr5.r.cloudfront.net","dip":"10.1.1.76","dp":61024,"ext":".mkv","fp":"c:\\users\\Admini strator\\documents\\secret\\prototypedemo1.mkv","fs":2307792448,"loc": {"altCode":null,"city":"Augsburg","code":"DE","country":"Germany","latitude":"48.3718","long itude":"10.8925"},"p":"tcp-ip4","sip":"78.47.38.226","sp":443,"ts":1460},"r":"c:\\users\\Administrator\\documents\\secret \\prototypedemo1.mkv-> tcp://server-10-230-2153.lhr5.r.cloudfront.net:443","resolvedUsername":"","u":"acmeltd__ engineer2"}],"id":"AWmQ98PYg7b_-i6_5Rvg","labels":[""],"policyId":"default_ 6COnUMjTCB8N","policyName":"Browser Download","regimes": ["ZoneFox"],"serverIp":"52.209.49.52","serverName":"fortisiemtest.dev.fortiinsight.cloud","s everity":10,"status":"New","time":"2019-03-18T13:22:29.473715+00:00"} FortiSIEM 6.1.1 External Systems Configuration Guide 173 Fortinet Technologies Inc. Applications Fortinet FortiManager l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol SNMP Information Discovered Metrics Collected Host name, Hardware model, Network interfaces, Operating system version Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Used For Availability and Performance Monitoring Event Types Regular monitoring events l PH_DEV_MON_SYS_CPU_UTIL l PH_DEV_MON_SYS_MEM_UTIL l PH_DEV_MON_SYS_DISK_UTIL l PH_DEV_MON_NET_INTF_UTIL Rules Regular monitoring rules Reports Regular monitoring reports Configuration You can now configure FortiSIEM to communicate with FortiManager. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. For Device Type Fortinet FortiManager, see Access Credentials. FortiSIEM 6.1.1 External Systems Configuration Guide 174 Fortinet Technologies Inc. Applications Remote Desktop FortiSIEM supports this remote desktop application for discovery and monitoring. l Citrix Receiver (ICA) FortiSIEM 6.1.1 External Systems Configuration Guide 175 Fortinet Technologies Inc. Applications Citrix Receiver (ICA) l What is Discovered and Monitored l Event Types l Reports l Configuration What is Discovered and Monitored Protocol WMI Information Discovered Metrics Collected From PH_DEV_MON_APP_ICA_SESS_MET: l ICA Latency Last Recorded l ICA Latency Session Average l ICA Latency Session Deviation l ICA Input Session Bandwidth l ICA Input Session Line Speed l ICA Input Session Compression l ICA Input Drive Bandwidth l ICA Input Text Echo Bandwidth l ICA Input SpeedScreen Data Bandwidth l Input Audio Bandwidth l ICA Input VideoFrame Bandwidth l ICA Output Session Bandwidth l ICA Output Session Line Speed l ICA Output Session Compression l ICA Output Drive Bandwidth l ICA Output Text Echo Bandwidth l ICA Output SpeedScreen Data Bandwidth l ICA Output Audio Bandwidth l ICA Output VideoFrame Bandwidth Used For Event Types In ADMIN > Device Support > Event, search for "citrix ICA" in the Description column to see the event types associated with this device. Reports In RESOURCE > Reports , search for "citrix ICA" in the Name column to see the reports associated with this application or device. FortiSIEM 6.1.1 External Systems Configuration Guide 176 Fortinet Technologies Inc. Applications Configuration WMI Required WMI Class Make sure the WMI class Win32_PerfRawData_CitrixICA_ICASession is available on the host machine for Citrix ICA. Configuring WMI on your device so FortiSIEM can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this: l Creating a Generic User Who Does Not Belong to the Local Administrator Group l Creating a User Who Belongs to the Domain Administrator Group Creating a Generic User Who Does Not Belong to the Local Administrator Group Log in to the machine you want to monitor with an administrator account. Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group 1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups. 2. Right-click Users and select Add User. 3. Create a user. 4. Go to Groups, right-click Distributed COM Users, and then click Add to group. 5. In the Distributed COM Users Properties dialog, click Add. 6. Find the user you created, and then click OK. This is the account you must use to set up the Performance Monitor Users group permissions. 7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog. 8. Repeat steps 4 through 7 for the Performance Monitor Users group. Enable DCOM Permissions for the Monitoring Account 1. Go to Start > Control Panel > Administrative Tools > Component Services. 2. Right-click My Computer, and then Properties. 3. Select the COM Security tab, and then under Access Permissions, click Edit Limits. 4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed. 5. Click OK. 6. Under Access Permissions, click EditDefault. 7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed. 8. Click OK. 9. Under Launch and Activation Permissions, click Edit Limits. 10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. 11. Click OK. FortiSIEM 6.1.1 External Systems Configuration Guide 177 Fortinet Technologies Inc. Applications 12. Under Launch and Activation Permissions, click Edit Defaults. 13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI. Creating a User Who Belongs to the Domain Administrator Group Log in to the Domain Controller with an administrator account. Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group 1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users. 2. Right-click Users and select Add User. 3. Create a user for the @accelops.com domain. For example, YJTEST@accelops.com. 4. Go to Groups, right-click Administrators, and then click Add to Group. 5. In the Domain Admins Properties dialog, select the Members tab, and then click Add. 6. For Enter the object names to select, enter the user you created in step 3. 7. Click OK to close the Domain Admins Properties dialog. 8. Click OK. Enable the Monitoring Account to Access the Monitored Device Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account 1. Go to Start > Control Panel > Administrative Tools > Component Services. 2. Right-click My Computer, and then select Properties. 3. Select the Com Security tab, and then under Access Permissions, click Edit Limits. 4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access. 5. Click OK. 6. In the Com Security tab, under Access Permissions, click Edit Defaults. 7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access. 8. Click OK. 9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits. 10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. 11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults. 12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. FortiSIEM 6.1.1 External Systems Configuration Guide 178 Fortinet Technologies Inc. Applications Enable Account Privileges in WMI The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device. 1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications. 2. Select WMI Control, and then right-click and select Properties. 3. Select the Security tab. 4. Expand the Root directory and select CIMV2. 5. Click Security. 6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable. 7. Click Advanced. 8. Select the user you created for the monitoring account, and then click Edit. 9. In the Apply onto menu, select This namespace and subnamespaces. 10. Click OK to close the Permission Entry for CIMV2 dialog. 11. Click OK to close the Advanced Security Settings for CIMV2 dialog. 12. In the left-hand navigation, under Services and Applications, select Services. 13. Select Windows Management Instrumentation, and then click Restart. Allow WMI to Connect Through the Windows Firewall (Windows 2003) 1. In the Start menu, select Run. 2. Run gpedit.msc. 3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall. 4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not. 5. Select Windows Firewall: Allow remote administration exception. 6. Run cmd.exe and enter these commands: netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135"netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP 7. Restart the server. Allow WMI through Windows Firewall (Windows Server 2008, 2012) 1. Go to Control Panel > Windows Firewall. 2. In the left-hand navigation, click Allow a program or feature through Windows Firewall. 3. Select Windows Management Instrumentation, and the click OK. You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. FortiSIEM 6.1.1 External Systems Configuration Guide 179 Fortinet Technologies Inc. Applications Source Code Control FortiSIEM supports the GitHub and GitLab Source Code Control tools for log collection via an API. l GitHub l GitLab API l GitLab CLI FortiSIEM 6.1.1 External Systems Configuration Guide 180 Fortinet Technologies Inc. Applications GitHub l Integration points l Event Types l Rules l Reports l GitHub API Integration l Configuring GitHub Server l Configuring FortiSIEM Integration points Protocol GitHub API Information collected Logs from the GitHub Service Used for Security and Compliance Event Types In ADMIN > Device Support > Event, search for "GitHub" to see the event types associated with this device. Rules In RESOURCE > Rules, search for "GitHub" to see the rules associated with this device. Reports In RESOURCE > Reports, search for "GitHub" to see the reports associated with this device. Configuring GitHub Server Create an account to be used for FortiSIEM communication. Configuring FortiSIEM Use the account in previous step to enable FortiSIEM access. 1. Login to FortiSIEM. 2. Go to ADMIN > Setup > Credential. 3. Click New to create a GitHub credential. 4. In Step 1: Enter Credentials, enter these settings in the Access Method Definition dialog box: FortiSIEM 6.1.1 External Systems Configuration Guide 181 Fortinet Technologies Inc. Applications Settings Description Name Device Type Access Protocol Pull Interval Password Config User Name and Password Organization Description Enter a name for the credential GitHub.com GitHub GitHub API The interval in which FortiSIEM will pull events. Default is 5 minutes. See Password Configuration Enter the user name and password for the account created while Configuring GitHub Server. Choose the Organization if it is an MSP deployment and the same credential has to be used for multiple customers. Description of the device 5. Enter an IP Range to Credential Association. a. Set IP to the IP address of the GitHub Server. b. Select the Credential created in steps 3 and 4. c. Click Save. 6. Select the entry in step 4 above and click Test Connectivity. 7. After Test Connectivity succeeds, an entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from GitHub server using the API. To test for received GitHub events: 1. Go to ADMIN > Setup > Pull Events. 2. Select the GitHub entry and click Report. The system will take you to the Analytics tab and run a query to display the events received from GitHub in the last 15 minutes. You can modify the time interval to get more events. FortiSIEM 6.1.1 External Systems Configuration Guide 182 Fortinet Technologies Inc. Applications GitLab API l Integration Points l Event Types l Rules l Reports l Syslog Integration l API Integration l Configuring GitLab Server l Configuring FortiSIEM for GitLab API l Sample Event Integration Points Protocol syslog API Information collected 15 Log files including production.log and application.log over 130 event types prefixed with 'GitLab-' Code commit, Changes to Projects, Branches, Tag, DiscussionNoted, Tag, Issues, Snippets, Repositories, User created, deleted, modified. Used for Security and Compliance Security and Compliance Event Types In RESOURCES > Event Types, enter "GitLab" in the Search field to see the events associated with this device. Rules No defined rules. Reports In RESOURCES > Reports, enter "GitLab" in the Search column to see the reports associated with this device. Syslog Integration Configure GitLab to send syslog to FortiSIEM via UDP on port 514. See here for details. FortiSIEM will automatically detect GitHLab log patterns and parse the logs. Currently, the following log files are parsed: api_json.log, application.log, gitaly, gitlab-monitor, gitlab-shell.log, gitlab-workhorse.log, gitlab_ access.log,production.log, production_json.log, Prometheus, Redis, remote-syslog, sidekiq, sidekiq_exporter.log, unicorn_stderr.log. Currently, over 134 GitLab event types are parsed. To see the event types: FortiSIEM 6.1.1 External Systems Configuration Guide 183 Fortinet Technologies Inc. Applications 1. Login to FortiSIEM. 2. Go to RESOURCES > Event Types. 3. Search for 'GitLab'. Use cases covered via syslog: l Failed and Successful Login l Git command execution l Git API requests To test for received GitLab events received via syslog: 1. Login to FortiSIEM. 2. Go to ANALYTICS. 3. Click Edit Filters and Time Range: a. Choose Attributes option. b. Create Search condition 'Event Type CONTAIN GitLab'. c. Select Time Range: Last 1 hour d. Click Apply & Run. 4. See the GitLab events on the GUI. API Integration FortiSIEM can also pull logs from GitLab using GitLab API. Currently, over 134 GitLab event types are parsed. To see the event types: 1. Login to FortiSIEM. 2. Go to RESOURCES > Event Types. 3. Search for 'GitLab'. Use cases covered via API: l Code commit note that the current API does not capture committed files. l Changes to Projects, Branches, Tag, DiscussionNoted, Tag, Issues, Snippets, Repositories etc l User created, deleted, modified For more details, see here. Configuring GitLab Server Create a personal access token to be used for FortiSIEM communication. 1. Login to your GitLab account. 2. Go to your Profile settings. 3. Go to Access tokens. 4. Choose a name and optionally an expiry date for the token. 5. Choose the desired scopes: api is required. 6. Click Create Personal Access Token. Save the personal access token in your local system. Note that once you leave or refresh the page, you won't be able to access it again. For more details, see here. FortiSIEM 6.1.1 External Systems Configuration Guide 184 Fortinet Technologies Inc. Applications Configuring FortiSIEM for GitLab API Use the Personal Access Token in Configuring GitLab Server to enable FortiSIEM access. 1. Login to FortiSIEM. 2. Go to ADMIN > Setup > Credentials. 3. Click New to create a GitLab credential. 4. In Step 1: Enter Credentials, enter these settings in the Access Method Definition dialog box: Settings Description Name Device Type Access Protocol Pull Interval Password Config Account Name Personal Access Token Description Enter a name for the credential GitLab GitLab (Vendor = GitLab, Model = Gitlab) GitLab API The interval in which FortiSIEM will pull events from GitLab. Default is 5 minutes. Manual Enter an account name. Enter the token you obtained in Configuring GitLab Server. Description of the device 5. Enter an IP range to Credential Association: a. Enter the IP of GitLab Server. b. Select the credential created in step 4 above. c. Click Save. 6. Select the entry in step 4 above and click Test Connectivity. Once successful, an entry will be created in ADMIN > Setup > Pull Events. FortiSIEM will start to pull events from GitLab using the API. To test for received GitLab events: 1. Go to ADMIN > Setup > Pull Events. 2. Select the GitLab entry and click Report. The system will take you to the Analytics tab and run a query to display the events received from GitLab in the last 15 minutes. You can modify the time interval to get more events. Sample Event [GITLAB_EVENT_DATA] = {"action_name":"pushed to","author":{"avatar_ url":"https://abc.cda.com/avatar/62e30f8b2d3cbc60ed22c217c5fa4e57?s=80&d=identicon","id ":185,"name":"user1","state":"active","username":" user1","web_ url":"https://dac.com/gitmirror"},"author_id":185,"author_username":" user1","created_ at":"2018-11-13T22:30:30.340Z","project_id":553,"push_data":{"action":"pushed","commit_ FortiSIEM 6.1.1 External Systems Configuration Guide 185 Fortinet Technologies Inc. Applications count":2,"commit_from":"da5a4fd97fd1f6b7c5a8611c12592eb5e9ff9e2b","commit_title":"Merge \"Fix bizservice popup display issue and switching org in bizs...","commit_ to":"30d863ece3957aacc95ec45c7663c426c73f38f2","ref":"releases/FCS5_2_1","ref_ type":"branch"},"serverIp":"172.30.35.11","serverName":"abc.com","target_ id":null,"target_iid":null,"target_title":null,"target_type":null} FortiSIEM 6.1.1 External Systems Configuration Guide 186 Fortinet Technologies Inc. Applications GitLab CLI Events that are obtained with the GitLab REST API do not contain up-to-date information. To avoid this limitation, FortiSIEM uses the GitLab CLI to obtain events from the GitLab server in real time. l Integration Points l Event Types l Rules l Reports l Generate an SSH Key in FortiSIEM l Configure an SSH Key in GitLab l Configuration in FortiSIEM l Sample Events Integration points Protocol GIT CLI Information collected Git commit history Used for Security and Compliance Event Types In RESOURCES > Event Types, enter "GitLab" in the Search field to see the events associated with this device. Rules No defined rules. Reports In RESOURCES > Reports, enter "GitLab" in the Search column to see the reports associated with this device. Generate an SSH Key in FortiSIEM Generate an SSH key for FortiSIEM. The key will allow you to access the GitLab by using Git commands. Use the following command to generate the public key file and the private key file in the /opt/phoenix/bin/.ssh/ directory. ssh-keygen -t rsa -b 4096 -C "root@localhost" Configure an SSH Key in GitLab Complete these steps to install the SSH key in the GitLab server: FortiSIEM 6.1.1 External Systems Configuration Guide 187 Fortinet Technologies Inc. Applications 1. Login to your GitLab account. 2. Select Settings from your account drop-down list. 3. Select the SSH Keys tab. 4. Add the public part of the key, for example: /opt/phoenix/bin/.ssh/id_rsa.pub 5. Click Add Key. 6. Install Git, for example: yum install git Configuration in FortiSIEM Complete these steps in the FortiSIEM UI: 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box: Settings Name Device Type Access Protocol Pull Interval Local Path to Clone Repositories Description Description Enter a name for the credential GitLab GitLab GIT CLI The interval in which FortiSIEM will pull events from GitLab. Default is 5 minutes. The path to the location on your system where the repository will be downloaded. In the case of very large repositories, this gives users the opportunity to specify a location on an external device. The address of the repository in Git. You can enter multiple repositories, separated by whitespaces. Description of the device 3. In Step 2, Enter IP Range to Credential Associations: a. Select the name of your GitLab credential from the Credentials drop-down list. b. Enter an IP or an IP range in the IP/IP Range field. c. Click Save. 4. Click Test to test the connection to GitLab CLI. 5. To see the jobs associated with GitLab, select ADMIN > Setup > Pull Events. 6. To see the received events, select ANALYTICS, then enter GitLab in the search box. FortiSIEM 6.1.1 External Systems Configuration Guide 188 Fortinet Technologies Inc. Applications Sample Events [PH_DEV_MON_GIT_COMMIT]: [deviceTime]=1547013028,[user]="abc", [exchMboxName]="abc@fortinet.com", [hashCode]="fa408380aa4296d13aeb24418164994eea2c2737", [preHashCode]="d9cd6e31346611a4f75dc7fe768f6202a46dd7e6",[title]="Add new file", [details]="",[updateCount]="1",[deleteCount]="0",[filePath]="testfile2", [fileType]="testfile2",[repoURL]="git@dops-git.fortinet-us.com:abc/testproject_mei_ willremove.git" FortiSIEM 6.1.1 External Systems Configuration Guide 189 Fortinet Technologies Inc. Applications Unified Communication Server Configuration FortiSIEM supports these VoIP servers for discovery and monitoring. l Avaya Call Manager l Cisco Call Manager l Cisco Contact Center l Cisco Presence Server l Cisco Tandeberg Telepresence Video Communication Server (VCS) l Cisco Telepresence Multipoint Control Unit (MCU) l Cisco Telepresence Video Communication Server l Cisco Unity Connection FortiSIEM 6.1.1 External Systems Configuration Guide 190 Fortinet Technologies Inc. Applications Avaya Call Manager l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP SFTP Information discovered Application type Metrics collected System metrics: Uptime, Interface utilization Call Description Records (CDR): Calling Phone IP, Called Phone IP, Call Duration Used for Performance Monitoring Performance and Availability Monitoring Event Types Avaya-CM-CDR: Avaya CDR Records Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. SFTP SFTP is used to send Call Description Records (CDRs) to FortiSIEM. Configure FortiSIEM to Receive CDR Records from Avaya Call Manager 1. Log in to your FortiSIEM virtual appliance as root over SSH. 2. Change the directory. cd /opt/phoenix/bin 3. Create an FTP account for user ftpuser with the home directory /opt/phoenix/cache/avayaCM/<call- manager-ip>. If this is the first time you have created a Call Manager definition, you will be prompted for the ftpuser password. When you create subsequent Call Manager definitions, the same password will be used, and you will see a Success message when the definition is created. FortiSIEM 6.1.1 External Systems Configuration Guide 191 Fortinet Technologies Inc. Applications 4. The CDR records do not have field definitions, but only values. Field definitions are needed to properly interpret the values. Make sure that the CDR fields definitions matches the default one supplied by FortiSIEM in /opt/phoenix/config/AvayaCDRConfig.csv. FortiSIEM will interpret the CDR record fields according to the field definitions specified in:/opt/phoenix/config/AvayaCDRConfig.csv and generate events like the following: Wed Feb 4 14:37:41 2015 1.2.3.4 FortiSIEM-FileLog-AvayaCM [Time of day-hours]="11" [Time of day-minutes]="36" [Duration-hours]="0" [Duration-minutes]="00" [Durationtenths of minutes]="5" [Condition code]="9" [Dialed number]="5908" [Calling number]="2565522011" [FRL]="5" [Incoming circuit ID]="001" [Feature flag]="0" [Attendant console]="8" [Incoming TAC]="01 1" [INS]="0" [IXC]="00" [Packet count]="12" [TSC flag]="1" Configure Avaya Call Manager to Send CDR Records to FortiSIEM 1. Log in to Avaya Call Manager. 2. Send CDR records to FortiSIEM by using this information Field Host Name/IP Address User Name Password Protocol Directory Path Value <FortiSIEM IP Address> ftpuser <The password you created for ftpuser> SFTP /opt/phoenix/cache/ avayaCM/<call-manager-ip> Settings for Access Credentials in FortiSIEM See Access Credentials to set access and protocol for SMTP, SSH, and Telnet. FortiSIEM 6.1.1 External Systems Configuration Guide 192 Fortinet Technologies Inc. Applications Cisco Call Manager l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP SNMP Information discovered Metrics collected Used for Application type System metrics: Uptime, CPU utilization, Memory utilization, Disk utilization, Interface utilization, Process count, Per process: CPU utilization, Memory utilization Performance Monitoring VoIP phones and registration status Call Manager metrics:Global Info: VoIP phone count, Gateway count, Media Device count, Voice mail server count and SIP Trunks count broken down by Registered/Unregistered/Rejected status (FortiSIEM Event Type: PH_DEV_MON_CCM_GLOBAL_ INFO) SIP Trunk Info: Trunk end point, description, status (FortiSIEM Event Type: PH_DEV_MON_CCM_SIP_TRUNK_STAT) SIP Trunk Addition, Deletion: FortiSIEM Event Type: PH_ DEV_MON_CCM_NEW_SIP_TRUNK, PH_DEV_MON_CCM_ DEL_SIP_TRUNK Gateway Status Info: Gateway name, Gateway IP, description, status (FortiSIEM Event Types: PH_DEV_MON_CCM_GW_ STAT) Gateway Status Change, Addition, Deletion: FortiSIEM Event Type: PH_DEV_MON_CCM_GW_STAT_CHANGE, PH_DEV_ MON_CCM_NEW_GW, PH_DEV_MON_CCM_DEL_GWH323 Device Info: H323 Device name, H323 Device IP, description, status (FortiSIEM Event Types: PH_DEV_MON_CCM_H323_ STAT) Gateway Status Change, Addition, Deletion: FortiSIEM Event Type: PH_DEV_MON_CCM_H323_STAT_CHANGE, PH_DEV_ MON_CCM_NEW_H323, PH_DEV_MON_CCM_DEL_H323 Voice Mail Device Info: Voice Mail Device name, Voice Mail Device IP, description, status (FortiSIEM Event Types: PH_ DEV_MON_CCM_VM_STAT) Voice Mail Device Status Change, Addition, Deletion: FortiSIEM Event Type: PH_DEV_MON_CCM_VM_STAT_ CHANGE, PH_DEV_MON_CCM_NEW_VM, PH_DEV_MON_ CCM_DEL_VM Availability Monitoring FortiSIEM 6.1.1 External Systems Configuration Guide 193 Fortinet Technologies Inc. Applications Protocol WMI (for Windows based Call Managers) SFTP Syslog Information discovered Application type, service mappings Metrics collected Used for Media Device Info: Media Device name, Media Device IP, description, status (FortiSIEM Event Types: PH_DEV_MON_ CCM_MEDIA_STAT) Media Device Status Change, Addition, Deletion: FortiSIEM Event Type: PH_DEV_MON_CCM_MEDIA_STAT_ CHANGE, PH_DEV_MON_CCM_NEW_MEDIA, PH_DEV_ MON_CCM_DEL_MEDIA Computer Telephony Integration (CTI) Device Info: CTI Device name, CTI Device IP, description, status (FortiSIEM Event Types: PH_DEV_MON_CCM_CTI_STAT) CTI Device Status Change, Addition, Deletion: FortiSIEM Event Type: PH_DEV_MON_CCM_CTI_STAT_CHANGE, PH_ DEV_MON_CCM_NEW_CTI, PH_DEV_MON_CCM_DEL_CTI Process level metrics: Per process: Uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec Performance Monitoring Call Description Records (CDR): Calling Phone IP, Called Phone IP, Calling Party Number, Original Called Party Number, Final Called Party Number, Call Connect Time, Call Disconnect Time, Call Duration Call Management Records (CMR): Latency, Jitter, Mos Score current, average, min, max for each call in CDR Performance and Availability Monitoring Syslog messages from Cisco Call Manager as well as Cisco Unified Real Time Monitoring Tool (RTMT) Event Types In ADMIN > Device Support > Event, search for "cisco_uc" and "cisco_uc_rtmt" in the Display Name column to see the event types associated with this device. Rules In RESOURCE > Rules, search for "cisco call manager" in the Name column to see the rules associated with this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the FortiSIEM 6.1.1 External Systems Configuration Guide 194 Fortinet Technologies Inc. Applications User Guide. WMI (for Call Manager installed under Windows) Configuring WMI on your device so FortiSIEM can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this: l Creating a Generic User Who Does Not Belong to the Local Administrator Group l Creating a User Who Belongs to the Domain Administrator Group Creating a Generic User Who Does Not Belong to the Local Administrator Group Log in to the machine you want to monitor with an administrator account. Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group 1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups. 2. Right-click Users and select Add User. 3. Create a user. 4. Go to Groups, right-click Distributed COM Users, and then click Add to group. 5. In the Distributed COM Users Properties dialog, click Add. 6. Find the user you created, and then click OK. This is the account you must use to set up the Performance Monitor Users group permissions. 7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog. 8. Repeat steps 4 through 7 for the Performance Monitor Users group. Enable DCOM Permissions for the Monitoring Account 1. Go to Start > Control Panel > Administrative Tools > Component Services. 2. Right-click My Computer, and then Properties. 3. Select the COM Security tab, and then under Access Permissions, click Edit Limits. 4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed. 5. Click OK. 6. Under Access Permissions, click EditDefault. 7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed. 8. Click OK. 9. Under Launch and Activation Permissions, click Edit Limits. 10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. 11. Click OK. 12. Under Launch and Activation Permissions, click Edit Defaults. 13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI. FortiSIEM 6.1.1 External Systems Configuration Guide 195 Fortinet Technologies Inc. Applications Creating a User Who Belongs to the Domain Administrator Group Log in to the Domain Controller with an administrator account. Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group 1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users. 2. Right-click Users and select Add User. 3. Create a user for the @accelops.com domain. For example, YJTEST@accelops.com. 4. Go to Groups, right-click Administrators, and then click Add to Group. 5. In the Domain Admins Properties dialog, select the Members tab, and then click Add. 6. For Enter the object names to select, enter the user you created in step 3. 7. Click OK to close the Domain Admins Properties dialog. 8. Click OK. Enable the Monitoring Account to Access the Monitored Device. Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account 1. Go to Start > Control Panel > Administrative Tools > Component Services. 2. Right-click My Computer, and then select Properties. 3. Select the Com Security tab, and then under Access Permissions, click Edit Limits. 4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access. 5. Click OK. 6. In the Com Security tab, under Access Permissions, click Edit Defaults. 7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access. 8. Click OK. 9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits. 10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. 11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults. 12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. Enable Account Privileges in WMI The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device. 1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications. 2. Select WMI Control, and then right-click and select Properties. 3. Select the Security tab. FortiSIEM 6.1.1 External Systems Configuration Guide 196 Fortinet Technologies Inc. Applications 4. Expand the Root directory and select CIMV2. 5. Click Security. 6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable. 7. Click Advanced. 8. Select the user you created for the monitoring account, and then click Edit. 9. In the Apply onto menu, select This namespace and subnamespaces. 10. Click OK to close the Permission Entry for CIMV2 dialog. 11. Click OK to close the Advanced Security Settings for CIMV2 dialog. 12. In the left-hand navigation, under Services and Applications, select Services. 13. Select Windows Management Instrumentation, and then click Restart. Allow WMI to Connect Through the Windows Firewall (Windows 2003) 1. In the Start menu, select Run. 2. Run gpedit.msc. 3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall. 4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not. 5. Select Windows Firewall: Allow remote administration exception. 6. Run cmd.exe and enter these commands: netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135"netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP 7. Restart the server. Allow WMI through Windows Firewall (Windows Server 2008, 2012) 1. Go to Control Panel > Windows Firewall. 2. In the left-hand navigation, click Allow a program or feature through Windows Firewall. 3. Select Windows Management Instrumentation, and the click OK. SFTP SFTP is used to send Call Description Records (CDRs) to FortiSIEM. l Configure FortiSIEM to Receive CDR Records from Cisco Call Manager l Configure Cisco Call Manager to Send CDR Records to FortiSIEM Configure FortiSIEM to Receive CDR Records from Cisco Call Manager 1. Log in to your FortiSIEM virtual appliance as root over SSH. 2. Change the directory. cd /opt/phoenix/bin FortiSIEM 6.1.1 External Systems Configuration Guide 197 Fortinet Technologies Inc. Applications 3. Run ./phCreateCdrDestDir <call-manager-ip>. This creates an FTP account for user ftpuser with the home directory /opt/phoenix/cache/ccm/<callmanager-ip>. If this is the first time you have created a Call Manager definition, you will be prompted for the ftpuser password. When you create subsequent Call Manager definitions, the same password will be used, and you will see a Success message when the definition is created. 4. Switch user to admin by issuing "su - admin" 5. Modify phoenix_config.txt entry ccm_ftp_directory = /opt/phoenix/cache/ccm 6. Restart phParser by issuing "killall -9 phParser" Configure Cisco Call Manager to Send CDR Records to FortiSIEM 1. Log in to Cisco Call Manager. 2. Go to Tools > CDR Management Configuration. The CDR Management Configuration window will open. 3. Click Add New. 4. Enter this information. 5. Field Value Host Name/IP Address User Name Password Protocol Directory Path <FortiSIEM IP Address> ftpuser <The password you created for ftpuser> SFTP /opt/phoenix/cache/ccm/<callmanager-ip> 6. Click Save. Settings for Access Credentials See Access Credentials to set access and protocol for SMTP, SSH, and Telnet. FortiSIEM 6.1.1 External Systems Configuration Guide 198 Fortinet Technologies Inc. Applications Cisco Contact Center l What is Discovered and Monitored l Configuration l Setting Access Credentials What is Discovered and Monitored Protocol SNMP SSH Information discovered Application type Metrics collected System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization, Install software change Disk I/O monitoring Used for Performance Monitoring Event Types There are no event types defined specifically for this device. Rules In RESOURCE > Rules, search for "cisco contact center" in the Name column to see the rules associated with this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Setting Access Credentials See Access Credentials to set access and protocol for SMTP, SSH, and Telnet. FortiSIEM 6.1.1 External Systems Configuration Guide 199 Fortinet Technologies Inc. Applications Cisco Presence Server l What is Discovered and Monitored l Configuration l Setting Access Credentials What is Discovered and Monitored Protocol SNMP SSH Information discovered Application type Metrics collected System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization, Install software change Disk I/O monitoring Used for Performance Monitoring Event Types There are no event types defined specifically for this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Setting Access Credentials See Access Credentials to set access and protocol for SMTP, SSH, and Telnet. FortiSIEM 6.1.1 External Systems Configuration Guide 200 Fortinet Technologies Inc. Applications Cisco Tandeberg Telepresence Video Communication Server (VCS) l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP SSH Information discovered Application type Metrics collected System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization, Install software change Disk I/O monitoring Used for Performance Monitoring Event Types There are no event types defined specifically for this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide Settings for Access Credentials SNMP Access Credentials for All Devices Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Value <set name> Generic FortiSIEM 6.1.1 External Systems Configuration Guide 201 Fortinet Technologies Inc. Applications Setting Access Protocol Community String Value SNMP <your own> SSH Access Credentials for All Devices These are the generic settings for providing SSH access to your device from FortiSIEM. Setting Name Device Type Access Protocol Port User Name Password Value ssh-generic Generic SSH 22 A user who has access credentials for your device over SSH The password for the user FortiSIEM 6.1.1 External Systems Configuration Guide 202 Fortinet Technologies Inc. Applications Cisco Telepresence Multipoint Control Unit (MCU) l What is Discovered and Monitored l Configuration l Setting Access Credentials What is Discovered and Monitored The following protocols are used to discover and monitor various aspects of Cisco Tandeberg VCS Protocol SNMP Information discovered Application type Metrics collected System metrics: Uptime, Interface utilization Used for Performance Monitoring Event Types In ADMIN > Device Support > Event, search for "cisco telepresence" in the Description column to see the event types associated with this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide Setting Access Credentials SNMP Access Credentials for All Devices Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> FortiSIEM 6.1.1 External Systems Configuration Guide 203 Fortinet Technologies Inc. Applications Cisco Telepresence Video Communication Server What is Discovered and Monitored Protocol Syslog Logs parsed Call attempts, Call rejects, Media stats, Request, response, Search Used for Log Analysis Event Types In ADMIN > Device Support > Event, search for "Cisco-TVCS" in the Description column to see the event types associated with this device. FortiSIEM 6.1.1 External Systems Configuration Guide 204 Fortinet Technologies Inc. Applications Cisco Unity Connection l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP Information discovered Application type Metrics collected System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization Used for Performance Monitoring Event Types In ADMIN > Device Support > Event, search for "cisco unity" in the Description column to see the event types associated with this device. Rules In RESOURCES > Rules, search for "cisco unity" in the Name column to see the rules associated with this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials See Access Credentials to set access and protocol for SMTP, SSH, and Telnet. FortiSIEM 6.1.1 External Systems Configuration Guide 205 Fortinet Technologies Inc. Applications Web Server FortiSIEM supports these web servers for discovery and monitoring. l Apache Web Server l Microsoft IIS for Windows 2000 and 2003 l Microsoft IIS for Windows 2008 l Nginx Web Server FortiSIEM 6.1.1 External Systems Configuration Guide 206 Fortinet Technologies Inc. Applications Apache Web Server l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol Information discovered SNMP Application type HTTP(S) via the modstatus module Syslog Application type Metrics collected Used for Process level metrics: CPU utilization, Memory utilization Performance Monitoring Apachemetrics: Uptime, CPU load, Total Accesses, Total Bytes Connections, Requests/sec, Bytes/sec, Bytes/req, Busy Workers, Idle Workers Performance Monitoring W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration Security Monitoring and compliance Event Types In ADMIN > Device Support > Event, search for "apache" in the Device Type and Description column to see the event types associated with this device. Reports In RESOURCES > Reports , search for "apache" in the Name column to see the reports associated with this device. Configuration The Apache Web Server Configuration instructions utilizes a reference point for where Apache installs by default. Based on your own configuration, Apache may be installed in the following locations: l /etc l /etc/httpd l /usr/local Adjust your configuration according to your installed Apache directory. FortiSIEM 6.1.1 External Systems Configuration Guide 207 Fortinet Technologies Inc. Applications SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. HTTPS To communicate with FortiSIEM over HTTPS, you must configure the mod_status module in your Apache web server. 1. Log in to your web server as an administrator. 2. Open the configuration file /etc/Httpd.conf. 3. Modify the file as shown in these code blocks, depending on whether you are connecting over HTTP without authentication, or over HTTPS with authentication. Without Authentication LoadModule status_module modules/mod_status.so ... ExtendedStatus on ... #Configuration without authentication <Location /server-status> SetHandler server-status Order Deny,Allow Deny from all Allow from .foo.com </Location> With Authentication LoadModule status_module modules/mod_status.so ... ExtendedStatus on ... #Configuration with authentication <Location /server-status> SetHandler server-status Order deny,allow Deny from all Allow from all AuthType Basic AuthUserFile /etc/httpd/account/users AuthGroupFile /etc/httpd/account/groups AuthName "Admin" Require group admin Satisfy all </Location> 4. If you are using authentication, you will have to add user authentication credentials. a. Go to /etc/httpd, and if necessary, create an account directory. b. In the account directory, create two files, users and groups. c. In the groups file, enter admin:admin. d. Create a password for the admin user. htpasswd --c users admin FortiSIEM 6.1.1 External Systems Configuration Guide 208 Fortinet Technologies Inc. Applications 5. Reload Apache. /etc/init.d/httpd reload You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Syslog Install and configure Epilog application to send syslog to FortiSIEM 1. Download Epilog from snare, information to download here, and install it on your Windows Server. 2. For Windows, launch Epilog from StartAll ProgramsInterSect AllianceEpilog for windows 3. For Linux, enter http://<yourApacheServerIp>:6162 4. Configure Epilog application as follows a. Go to Log Configuration. Click the Add button and add the following log files to be sent to FortiSIEM l /etc/httpd/logs/access_log l /etc/httpd/logs/ssl_access_log b. Go to Network Configuration i. Set AO System IP(all-in-1 or collector) in Destination Server address (10.1.2.20 here); ii. Set 514 in Destination Port text area iii. Click Change Configuration to save the configuration c. Apply the Latest Audit Configuration. Apache logs will now sent to FortiSIEM in real time. Define the Apache Log Format You must define the format of the logs that Apache will send to FortiSIEM. 1. Open the file /etc/httpd/conf.d/ssl.conf for editing. 2. Add this line to the file. CustomLog logs/ssl_request_log combined 3. Uncomment this line in the file. #CustomLog logs/access_log common 4. Add this line to the file. CustomLog logs/access_log combined 5. Reload Apache. /etc/init.d/httpd reload Apache Syslog Log Format <142>Sep 17 13:27:37 SJ-Dev-S-RH-VMW-01.prospecthills.net ApacheLog 192.168.20.35 - [17/Sep/2009:13:27:37 -0700] "GET /icons/apache_pb2.gif HTTP/1.1" 200 2414 "http://192.168.0.30/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"<134>Mar 4 17:08:04 137.146.28.68 httpd: [ID 702911 local0.info] 192.168.20.38 - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"<142>Sep 17 13:27:37 135.134.33.23 HTTP: [ID 702911 local0.info] 192.168.20.38 - - FortiSIEM 6.1.1 External Systems Configuration Guide 209 Fortinet Technologies Inc. Applications [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6" Settings for Access Credentials SNMP Access Credentials for All Devices Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> Settings for Apache Web Server HTTPS Access Credentials Use these Access Method Definition settings to allow FortiSIEM to communicate with your Apache web server over https. Setting Name Device Type Access Protocol Port URL User Name Password Value Apache-https generic HTTP or HTTPS 80 (HTTP) or 443 (HTTPS) server-status?auto The admin account you created when configuring HTTPS The password associated with the admin account FortiSIEM 6.1.1 External Systems Configuration Guide 210 Fortinet Technologies Inc. Applications Microsoft IIS for Windows 2000 and 2003 l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP WMI Windows Agent Information discovered Application type Application type, service mappings Application type Metrics collected Used for Process level metrics: CPU utilization, memory utilization Performance Monitoring Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O IIS metrics: Current Connections, Max Connections, Sent Files, Received Files, Sent Bytes, Received Bytes, ISAPI Requests, Not Found Errors Performance Monitoring W3C access logs: attributes include IIS Service Instance, Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration Security Monitoring and compliance Event Types In ADMIN > Device Support > Event, search for "microsoft is" in the Description column to see the event types associated with this device. Configuration SNMP See SNMP Configurations in the Microsoft Windows Server Configuration section. WMI See WMI Configurations in the Microsoft Windows Server Configuration section. FortiSIEM Windows Agent For information on configuring IIS for FortiSIEM Windows Agent, see Configuring Windows IIS in the Windows Agent Installation Guide. FortiSIEM 6.1.1 External Systems Configuration Guide 211 Fortinet Technologies Inc. Applications Settings for Access Credentials See Setting Access Credentials in the Microsoft Windows Server Configuration section. FortiSIEM 6.1.1 External Systems Configuration Guide 212 Fortinet Technologies Inc. Applications Microsoft IIS for Windows 2008 l What is Discovered and Monitored l Configuration l Setting Access Credentials l Sample IIS Syslog What is Discovered and Monitored Protocol SNMP WMI Windows Agent Information discovered Application type Application type, service mappings Application type Metrics collected Used for Process level metrics: CPU utilization, memory utilization Performance Monitoring Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O IIS metrics: Current Connections, Max Connections, Sent Files, Received Files, Sent Bytes, Received Bytes, ISAPI Requests, Not Found Errors Performance Monitoring W3C access logs: attributes include IIS Service Instance, Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration Security Monitoring and compliance Event Types In ADMIN > Device Support > Event, search for "microsoft is" in the Description column to see the event types associated with this device. Configuration SNMP See SNMP Configurations in the Microsoft Windows Server Configuration section. WMI See WMI Configurations in the Microsoft Windows Server Configuration section. FortiSIEM Windows Agent For information on configuring IIS for FortiSIEM Windows Agent, see Configuring Windows IIS in the Windows Agent Installation Guide. FortiSIEM 6.1.1 External Systems Configuration Guide 213 Fortinet Technologies Inc. Applications Setting Access Credentials See Setting Access Credentials in the Microsoft Windows Server Configuration section. Sample IIS Syslog <13>Oct 9 12:19:05 ADS-Pri.ACME.net IISWebLog 0 2008-10-09 19:18:43 W3SVC1 ADS-PRI 192.168.0.10 GET /iisstart.htm - 80 - 192.168.20.80 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.0.3)+Gecko/2008092417+Firefox/3.0.3 - - 192.168.0.10 200 0 0 2158 368 156 <46>Mar 29 12:21:03 192.168.0.40 FTPSvcLog 0 2010-03-29 19:20:32 127.0.0.1 - MSFTPSVC1 FILER 127.0.0.1 21 [1]PASS IEUser@ - 530 1326 0 0 0 FTP - - - - FortiSIEM 6.1.1 External Systems Configuration Guide 214 Fortinet Technologies Inc. Applications Nginx Web Server l What is Discovered and Monitored l Configuration The following protocols are used to discover and monitor various aspects of Nginx webserver. What is Discovered and Monitored Protocol SNMP Syslog Information discovered Application type Metrics collected Used for Process level metrics: CPU utilization, Memory utilization W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration Performance Monitoring Security Monitoring and compliance Event Types In ADMIN > Device Support > Event, search for "nginx" in the Device Type and Description column to see the event types associated with this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Syslog FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. l For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance. l For Port, enter 514. l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example. Example nginx Syslog <29>Jun 15 07:59:03 ny-n1-p2 nginx: "200.158.115.204","-","Mozilla/5.0 (Windows NT 5.1 WOW64; rv:9.0.1) Gecko/20100178 Firefox/9.0.1","/images/design/header-2logo.jpg","GET","http://wm-center.com/images/design/header-2-logo.jpg","200","0","/ypf- FortiSIEM 6.1.1 External Systems Configuration Guide 215 Fortinet Technologies Inc. Applications cookie_auth/index.html","0.000","877","-","10.4.200.203","80","wm-center.com","no-cache, nostore, must-revalidate","-","1.64","_","-","-" Settings for Access Credentials SNMP Access Credentials for All Devices Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> FortiSIEM 6.1.1 External Systems Configuration Guide 216 Fortinet Technologies Inc. Blade Servers FortiSIEM supports these blade servers for discovery and monitoring. l Cisco UCS Server l HP BladeSystem FortiSIEM 6.1.1 External Systems Configuration Guide 217 Fortinet Technologies Inc. Cisco UCS Server l What is Discovered and Monitored l Configuration l Settings for Access Credentials l Sample Cisco UCS Events What is Discovered and Monitored Protocol Cisco UCS API Information Discovered Metrics collected Used for Host name, Access IP, Hardware components processors, chassis, blades, board, cpu, memory, storage, power supply unit, fan unit Chassis status: Input Power, Input Avg Power, Input Max Power, Input Min Power, Output Power, Output Avg Power, Output Max Power, Output Min Power Memory status: Temp (C), Avg Temp (C), Max Temp (C), Min Temp (C) Processor status: Input Current, Input Avg Current, Input Max Current, Input Min Current, Temp (C), Avg Temp (C), Max Temp (C), Min Temp (C) Power supply status: Temp (C), Max Temp (C), Avg Temp (C), Min Temp (C), Input 210Volt, Avg Input 210Volt, Max Input 210Volt, Min Input 210Volt, Output 12Volt, Avg Output 12Volt, Max Output 12Volt, Min Output 12Volt, Output 3V3Volt, Avg Output 3V3Volt, Max Output 3V3Volt, Min Output 3V3Volt, Output Current, Avg Output Current, Max Output Current, Min Output Current, Output Power, Avg Output Power, Max Output Power,Min Output Power Fan status: Fan Speed, Average Fan Speed, Max Fan Speed, Min Fan Speed Availability and Performance Monitoring Event Types In ADMIN > Device Support > Event, search for "cisco us" in the Description column to see the event types associated with this device. Reports In RESOURCES > Reports , search for "cisco us" in the Name column to see the reports associated with this application or device. FortiSIEM 6.1.1 External Systems Configuration Guide 218 Fortinet Technologies Inc. Blade Servers Configuration UCS XML API FortiSIEM uses Cisco the Cisco UCS XML API to discover Cisco UCS and to collect hardware statistics. See the Cisco UCS documentation for information on how to configure your device to connect to FortiSIEM over the API. You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Pull Interval (minutes) Port User Name Password Value ucs Cisco UCS UCS API 5 5988 The user name you set up in your UCS server to communicate with FortiSIEM The password associated with user name Sample Cisco UCS Events Power Supply Status Event [PH_DEV_MON_UCS_HW_PSU_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine, [hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1/psu-2, [envTempdDegC]=47.764706,[envTempAvgDegC]=36.176472,[envTempMaxDegC]=47.764706, [envTempMinDegC]=25.529411,[input210Volt]=214.294113, [input210AvgVolt]=210.784317,[input210MaxVolt]=214.294113,[input210MinVolt]=207.823532, [ouput12Volt]=12.188235,[ouput12AvgVolt]=12.109803, [ouput12MaxVolt]=12.376471,[ouput12MinVolt]=11.905882,[ouput3V3Volt]=3.141176, [ouput3V3AvgVolt]=3.374510,[ouput3V3MaxVolt]=3.458823, [ouput3V3MinVolt]=3.141176,[outputCurrentAmp]=15.686275,[outputCurrentAvgAmp]=20.261436, [outputCurrentMaxAmp]=24.509804, [outputCurrentMinAmp]=15.686275,[outputPowerWatt]=191.188004, [outputPowerAvgWatt]=245.736252,[outputPowerMaxWatt]=303.344879, [outputPowerMinWatt]=191.188004 FortiSIEM 6.1.1 External Systems Configuration Guide 219 Fortinet Technologies Inc. Blade Servers Processor Status Event [PH_DEV_MON_UCS_HW_PROCESSOR_STAT]:[eventSeverity]=PHL_INFO, [hostName]=machine, [hostIpAddr]=10.1.2.36, [hwComponentName]=sys/chassis-1/blade-3/board/cpu-2, [inputCurrentAmp]=101.101959,[inputCurrentAvgAmp]=63.420914, [inputCurrentMaxAmp]=101.101959,[inputCurrentMinAmp]=44.580391, [envTempdDegC]=5.788235,[envTempAvgDegC]=6.216993,[envTempMaxDegC]=6.431373, [envTempMinDegC]=5.788235, Chassis Status Event [PH_DEV_MON_UCS_HW_CHASSIS_STAT]:[eventSeverity\]=PHL_INFO,[hostName]=machine, [hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1, [inputPowerWatt]=7.843137,[inputPowerAvgWatt]=7.843137,[inputPowerMaxWatt]=7.843137, [inputPowerMinWatt]=7.843137, outputPowerWatt]=0.000000,[outputPowerAvgWatt]=0.000000,[outputPowerMaxWatt]=0.000000, [outputPowerMinWatt]=0.000000 Memory Status Event [PH_DEV_MON_UCS_HW_MEMORY_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine, [hostIpAddr]=10.1.2.36, [hwComponentName]=sys/chassis-1/blade-1/board/memarray-1/mem-9,[envTempdDegC]=51.000000, [envTempAvgDegC]=50.128208, [envTempMaxDegC]=51.000000,[envTempMinDegC]=48.000000 Fan Status Event [PH_DEV_MON_UCS_HW_FAN_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine, [hostIpAddr]=10.1.2.36, [hwComponentName]=sys/chassis-1/fan-module-1-5/fan-2,[fanSpeed]=7800.000000, [fanSpeedAvg]=7049.000000, [fanSpeedMax]=8550.000000,[fanSpeedMin]=2550.00000 FortiSIEM 6.1.1 External Systems Configuration Guide 220 Fortinet Technologies Inc. Blade Servers HP BladeSystem l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol SNMP Information Discovered Metrics collected Host name, Access IP, Hardware components processors, chassis, blades, board, cpu, memory, storage, power supply unit, fan unit Hardware status:Fan status, Power supply status, power enclosure status, Overall status Used for Availability and Performance Monitoring Configuration SNMP FortiSIEM uses SNMP to discover the HP BladeSystem and collect hardware statistics. See the instructions on configuring SNMP in your Bladesystem documentation to enable communications with FortiSIEM. After you have configured SNMP on your BladeSystem blade server, you can configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials in FortiSIEM See Access Credentials to set access and protocol for SSH, and Telnet. FortiSIEM 6.1.1 External Systems Configuration Guide 221 Fortinet Technologies Inc. Cloud Applications FortiSIEM supports these cloud applications for monitoring. l AWS Access Key IAM Permissions and IAM Policies l AWS CloudTrail API l AWS EC2 l AWS EC2 CloudWatch API l AWS Kinesis l AWS RDS l AWS Security Hub l Box.com l Google Workspace Audit l Microsoft Azure Audit l Microsoft Office365 Audit l Microsoft Cloud App Security l Microsoft Azure ATP l Microsoft Azure Compute l Microsoft Azure Event Hub l Microsoft Windows Defender ATP l Okta l Salesforce CRM Audit FortiSIEM 6.1.1 External Systems Configuration Guide 222 Fortinet Technologies Inc. Alcide.io KAudit l Integration Points l Configuring Alcide.io to Send Logs l Configuring FortiSIEM to Receive Logs l Alcid.io Event Types l Alcide.io Sample Log Integration Points Protocol Syslog Information Collected Audit logs Used For Security and Compliance Monitoring Configuring Alcide.io to Send Logs Follow the steps listed here to send syslog to FortiSIEM. 1. In the target section of the ConfigMap, set the following: a. Target-type = syslog b. Syslog host = <fortisiem.host.com> c. Syslog port = 514 d. Syslog-tcp = false Configuring FortiSIEM to Receive Logs No configuration is needed. FortiSIEM can automatically detect and parse Alcide.io logs based on the built in parser. Alcide.io Event Types Go to Resources > Event Type and search "AlcideKAudit." Alcide.io Sample Log <109>Feb 28 07:09:18 AlcideKAudit: {"category":"anomaly","cluster":"devel","etype":"cluster","reasons":[{"values":{"high": [1]},"doc":"change in count of unique unusual URIs in read access attempts","period":180000,"direction":"read"}],"time":1582873380000,"short-doc":"change in targets of access attempts","project":"alcide-rnd","context":{"unusual-uri": ["LHUt"]},"period":180000,"eid":"cluster","confidence":"high","doc":"unusual change in count of unique unusual URIs in access attempts","direction":"read"} FortiSIEM 6.1.1 External Systems Configuration Guide 223 Fortinet Technologies Inc. AWS Access Key IAM Permissions and IAM Policies To monitor AWS resources in FortiSIEM, an access key and a corresponding secret access key is needed. Prior to the availability of AWS IAM users, the recommendation was to create an access key at the level of root AWS account. This practice has been deprecated since the availability of AWS IAM users as you can read from the AWS Security Credentials best practice guide. If you were monitoring AWS using such access keys, the first step is to delete such keys and create keys based on a standalone IAM user dedicated for monitoring purposes in FortiSIEM. This document explains how to create such a user, and what permissions and policies to add to allow FortiSIEM to monitor your AWS environment. Create IAM user for FortiSIEM monitoring 1. Login to the IAM Console - Users Tab. 2. Click Create Users. 3. Type in a username, e.g. aomonitoring under Enter User Names. 4. Leave the checkbox Generate an access key for each user selected or select it if it is not selected. 5. Click Download Credentials and click on Close button. 6. The downloaded CSV file contains the Access Key ID and Secret Access Key that you can use in FortiSIEM to monitor various AWS services. You must add permissions before you can actually add them in FortiSIEM. Change permissions for IAM user 1. Select the user you are monitoring. 2. Switch to tab Permissions. 3. Click Attach Policy. 4. Select AmazonEC2ReadOnlyAccess, AWSCloudTrailReadOnlyAccess, AmazonRDSReadOnlyAccess, CloudWatchRea dOnlyAccess, AmazonSQSFullAccess and click Attach Policy. You can choose to skip attaching some policies if you do not use that service or plan on monitoring that service. For instance, if you do not use RDS, then you do not need to attach AmazonRDSReadOnlyAccess. 5. You can choose to provide blanket read-only access to all S3 buckets by attaching the policy AmazonS3ReadOnlyAccess. Alternatively, you can specificy a more restricted policy as described in the next step. 6. Identify the set of S3 bucket(s) that you have configured to store Cloudtrail logs for each region. You can create an inline policy, choose custom policy, then paste the sample policy below. Make sure you replace the actual S3 bucket names below aocloudtrail1, aocloudtrail2 with the ones you have configured. S3 bucket read-only policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", FortiSIEM 6.1.1 External Systems Configuration Guide 224 Fortinet Technologies Inc. Cloud Applications "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::aocloudtrail1", "arn:aws:s3:::aocloudtrail2" ] } ] } FortiSIEM 6.1.1 External Systems Configuration Guide 225 Fortinet Technologies Inc. Cloud Applications AWS CloudTrail l What is Discovered and Monitored l Configuration l Settings for Access Credentials l Sample Events for AWS CloudTrail l Performance Tuning for High EPS CloudTrail Events What is Discovered and Monitored Protocol CloudTrail API Information Discovered None Metrics Collected None Used For Security Monitoring Event Types In ADMIN > Device Support > Event, search for "Cloudtrail" in the Device Type column to see the event types associated with this device. See the Amazon API reference for more information about the event types available for CloudTrail monitoring. Reports In RESOURCE > Reports, search for "cloudtrail" in the Name column to see the rules associated with this device. Configuration If you have not already configured Access Keys and permissions in AWS, please follow the steps outlined in AWS Access Key IAM Permissions and IAM Policies. FortiSIEM receives information about AWS events through the CloudTrail API. After creating an S3 bucket for the storage of log files on AWS, you then configure the Simple Notification Service (SNS) and Simple Queue Service (SQS) to create a notification for the log file and have it delivered by SQS. In your FortiSIEM virtual appliance you then enter access credentials so FortiSIEM can communicate with CloudTrail as it would any other device. Note: Do not add any extra SNS notifications in the SQS queue. The queue should only have one SNS subscription, otherwise pulling logs will not function. Create a new CloudTrail 1. Log in to https://console.aws.amazon.com/cloudtrail. 2. Switch to the region for which you want to generate cloud trail logs. 3. Click Trails. 4. Click on Add New Trail FortiSIEM 6.1.1 External Systems Configuration Guide 226 Fortinet Technologies Inc. Cloud Applications 5. Enter a Trail name such as aocloudtrail. 6. Select Yes for Apply Trail to all regions. FortiSIEM can pull trails from all regions via a single credential. 7. Select Yes for Create a new S3 bucket. 8. For S3 bucket, enter a name like s3aocloudtrail. 9. Click Advanced. 10. Select Yes for Create a new SNS topic. 11. For SNS topic, enter a name like snsaocloudtrail. 12. Leave the rest of advanced settings to the default values. 13. Click Create. A dialog will confirm that logging is turned on. Configure Simple Queue Service (SQS) Delivery 1. Log in to https://console.aws.amazon.com/sqs. 2. Switch to the region in which you created a new cloudtrail above 3. Click Create New Queue. 4. Enter a Queue Name such as sqsaocloudtrail Setting Default Visibility Timeout Message Retention Period Value 0 seconds 10 minutes This must be set for between 5 and 50 minutes. A lower value is recommended for high event rates to avoid event loss. Maximum Message Size Delivery Delay Receive Message Wait Time 256 KB 0 seconds 5 seconds 5. Click Create Queue. 6. When the queue is created, click the Details tab and make note of the ARN (Amazon Resource Name), as you will need this when configuring the Simple Notification Service below and when configuring the access credentials for FortiSIEM. Set Up Simple Notification Service (SNS) 1. Log in to https://console.aws.amazon.com/sns. 2. Switch to the region where you created the trail and SQS. 3. Select Topics. 4. Select the SNS topic snsaocloudtrail that you specified when creating a cloudtrail. 5. Click Actions > Subscribe to topic from the menu to launch the popup Create Subscription. 6. For Protocol, select Amazon SQS. FortiSIEM 6.1.1 External Systems Configuration Guide 227 Fortinet Technologies Inc. Cloud Applications 7. For Endpoint, enter the ARN of the queue that you created when setting up SQS. 8. Click Create Subscription. Give Permission for Amazon SNS to Send Messages to SQS 1. Log in to https://console.aws.amazon.com/sqs. 2. Select the queue you created, sqsaocloudtrail. 3. In the Queue Actions menu, select Subscribe Queue to SNS Topic. 4. From the Choose a Topic dropdown, select the SNS topic snsaocloudtrail that you created earlier. 5. The Topic ARN will be automatically filled. 6. Click Subscribe. Note: Ensure that SQS, SNS, S3 bucket and CloudTrail are in the same region. You do not need to initiate discovery of AWS Cloud Trail, but should check that FortiSIEM is pulling events for AWS by checking for an amazon.com entry in ADMIN > Setup > Event Pulling. You can configure FortiSIEM to communicate with your device by following the instructions in "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Use these Access Method Definition settings to allow FortiSIEM to communicate with the CloudTrail API. Setting Name Device Type Access Protocol Region Bucket SQS Queue URL Password Config Access Key ID Secret Key Organization Value aocloudtrail Amazon AWS CloudTrail Amazon AWS CloudTrail Region where you created the trail. The name of the S3 bucket you created (s3aocloudtrail) Enter the ARN of your queue without the http:// prefix. See Password Configuration. The access key for your AWS instance. The secret key for your AWS instance. Select an organization from the drop-down list. Sample Events for AWS CloudTrail Fri Oct 10 14:44:23 2014 FortiSIEM-CloudTrail [additionalEventData/LoginTo]=https://console.aws.amazon.com/console/home?state= FortiSIEM 6.1.1 External Systems Configuration Guide 228 Fortinet Technologies Inc. Cloud Applications hashArgs%23&isauthcode=true [additionalEventData/MFAUsed]=No [additionalEventData/MobileVersion]=No [awsRegion]=us-east1 [eventID]=fdf8f837-7e75-46a0-ac95-b6d15993ebf7 [eventName]=ConsoleLogin [eventSource]=SIGNIN [eventTime]=2014-10-10T06:38:11Z [eventVersion]=1.01 [requestParameters]=null [responseElements/ConsoleLogin]=Success [sourceIPAddress]=211.144.207.10 [userAgent]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 [userIdentity/accountId]=623885071509 [userIdentity/arn]=arn:aws:iam::623885071509:user/John.Adams [userIdentity/principalId]=AIDAIUSNMEIUYBS7AN4UW [userIdentity/type]=IAMUser [userIdentity/userName]=John.Adams Fri Oct 10 14:19:45 2014 FortiSIEM-CloudTrail [awsRegion]=us-east-1 [eventID]=351bda80-39d441ed-9e4d-86d6470c2436 [eventName]=DescribeInstances [eventSource]=EC2 [eventTime]=2014-1010T06:12:24Z [eventVersion]=1.01 [requestID]=2d835ae2-176d-4ea2-8523-b1a09585e803 [requestParameters/filterSet/items/0/name]=private-ip-address [requestParameters/filterSet/items/0/valueSet/items/0/value]=10.0.0.233 [responseElements]=null [sourceIPAddress]=211.144.207.10 [userAgent]=aws-sdk-php2/2.4.7 Guzzle/3.7.1 curl/7.19.7 PHP/5.3.3 [userIdentity/accessKeyId]=AKIAI2MUUCROHFSLLT3A [userIdentity/accountId]=623885071509 [userIdentity/arn]=arn:aws:iam::623885071509:root [userIdentity/principalId]=623885071509 [userIdentity/type]=Root [userIdentity/userName]=accelops Performance Tuning for High EPS CloudTrail Events AWS CloudTrail can generate a lot of events. Follow these recommendations to enable FortiSIEM to keep up with high EPS CloudTrail events. 1. In the AWS configuration, change the Message retention period of SQS to 1 day. 2. Adjust the CloudTrail event pulling parameters as follows. Go to the Collector that pulls AWS CloudTrail events. You will find these three relevant parameters in the /opt/phoenix/config/phoenix_config.txt file: l cloudtrail_msg_pull_interval (default 30 seconds, minimum recommended 10 seconds) - how often CloudTrail events are pulled. l cloudtrail_msg_pull_thread_num (default 1, maximum recommended 60) - how many threads are used to pull CloudTrail events. l cloudtrail_file_parse_thread_num (default 3, maximum recommended 60) - how many threads are used to parse CloudTrail events. Since each API call returns maximum 10 files, set the parameters to satisfy the following two constraints. If the thread count is high, then you must increase the number of vCPUs in the Collector. l Set (SQSInputEventRate times cloudtrail_msg_pull_interval) to be smaller than (cloudtrail_msg_ pull_thread_num times 10) l Set cloudtrail_msg_pull_thread_num to be equal to cloudtrail_file_parse_thread_num FortiSIEM 6.1.1 External Systems Configuration Guide 229 Fortinet Technologies Inc. Cloud Applications Amazon AWS EC2 What is Discovered and Monitored Event Types Reports Configuration Setup in FortiSIEM Complete these steps in the FortiSIEM UI: 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box: Settings Name Device Type Access Protocol Region Access Key ID Secret Key Description Description <set name> Amazon AWS EC2 AWS SDK [Required] Region in which your AWS instance is located [Required] Access key for your AWS instance [Required] Secret key for your AWS instance Description about the device 3. In Step 2, Enter IP Range to Credential Associations: a. Select the name of your credential from the Credentials drop-down list. b. Enter a host name, an IP, or an IP range in the IP/Host Name field. c. Click Save. FortiSIEM 6.1.1 External Systems Configuration Guide 230 Fortinet Technologies Inc. Cloud Applications 4. Click Test to test the connection to Amazon AWS EC2. 5. To see the jobs associated with AWS, select ADMIN > Pull Events. 6. To see the received events select ANALYTICS, then enter AWS in the search box. FortiSIEM 6.1.1 External Systems Configuration Guide 231 Fortinet Technologies Inc. Cloud Applications AWS EC2 CloudWatch API l What is Discovered and Monitored l Configuration l Settings for Access Credentials l Sample events What is Discovered and Monitored Protocol CloudWatch API Information Discovered l Machine name l Internal Access IP l Instance ID l Image ID l Availability Zone l Instance Type l Volume ID l Status l Attach Time Metrics Collected l CPU Utilization l Received Bits/sec l Sent Bits/sec l Disk reads (Instance Store) l Disk writes (Instance Store) l Disk reads/sec (Instance Store) l Disk writes/sec (Instance Store) l Packet loss l Read Bytes (EBS) l Write Bytes (EBS) l Read Ops (EBS) l Write Ops (EBS) l Disk Queue (EBS) Used For Performance Monitoring Event Types l PH_DEV_MON_EBS_METRIC captures EBS metrics Configuration If you have not already configured Access Keys and permissions in AWS, please follow the steps outlined in AWS Access Key IAM Permissions and IAM Policies. You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. You should also be sure to read the topic Discovering Amazon Web Services (AWS) Infrastructure. VPC Flow logs are supported. For more information, see HOW TO - Integrate Amazon VPC Flows. FortiSIEM 6.1.1 External Systems Configuration Guide 232 Fortinet Technologies Inc. Cloud Applications Settings for Access Credentials Use these Access Method Definition settings to allow FortiSIEM to access AWS CloudWatch. Setting Value Name ec2 Device Type Amazon AWS CloudWatch Access Protocol AWS CloudWatch Region The region in which your AWS instance is located AWS Account The name of your AWS account. Log Group Name Name of the log group. Log Stream Name Name of the log stream. Password Config See Password Configuration. Access Key ID The access key for your EC2 instance Secret Key The secret key for your EC2 instance Sample events [PH_DEV_MON_EC2_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=6571,[hostName]=ec2-54-81-216-218.compute-1.amazonaws.com, [hostIpAddr]=10.144.18.131,[cpuUtil]=0.334000,[diskReadKBytesPerSec]=0.000000, [diskWriteKBytesPerSec]=0.000000,[diskReadReqPerSec]=0.000000,[diskWriteReqPerSec]=0.000000, [sentBytes]=131,[recvBytes]=165,[sentBitsPerSec]=17.493333,[recvBitsPerSec]=22.026667, [phLogDetail]= [PH_DEV_MON_EBS_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=deviceAws.cpp, [lineNumber]=133,[hostName]=ec2-52-69-215-178.ap-northeast-1.compute.amazonaws.com, [hostIpAddr]=172.30.0.50,[diskName]=/dev/sda1,[volumeId]=vol-63287d9f, [diskReadKBytesPerSec]=7.395556,[diskWriteKBytesPerSec]=7.395556,[ioReadsPerSec]=0.000000, [ioWritesPerSec]=0.010000,[diskQLen]=0,[phLogDetail]= FortiSIEM 6.1.1 External Systems Configuration Guide 233 Fortinet Technologies Inc. Cloud Applications AWS Kinesis Amazon Kinesis is an Amazon Web Service (AWS) for processing big data in real time. Kinesis is capable of processing hundreds of terabytes per hour from high volumes of streaming data from sources such as operating logs, financial transactions and social media feeds. l What is Discovered and Monitored l Event Types l Rules l Reports l Configuring AWS Kinesis l Configuring FortiSIEM l Sample Events What is Discovered and Monitored Protocol Amazon AWS Client Library Information collected Streaming data Used for Collect, process, and analyze real-time streaming data. Event Types In RESOURCES > Event Types, enter "Kinesis" in the Search column to see the event types associated with this device. Rules No defined rules. Reports No defined reports. Configuring AWS Kinesis 1. Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console. 2. In the navigation bar on the upper right, choose your user name, and then choose My Security Credentials. 3. On the AWS IAM Credentials tab, in the Access keys for CLI, SDK, and API access section, do any of the following: l To create an access key, choose Create access key. Then choose Download .csv file to save the access key ID and secret access key to a .csv file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this dialog box closes. After you have downloaded the .csv file, FortiSIEM 6.1.1 External Systems Configuration Guide 234 Fortinet Technologies Inc. Cloud Applications choose Close. When you create an access key, the key pair is active by default, and you can use the pair right away. l To disable an active access key, choose Make inactive. l To reenable an inactive access key, choose Make active. l To delete an access key, choose its X button at the far right of the row. Then choose Delete to confirm. When you delete an access key, it's gone forever and cannot be retrieved. However, you can always create new keys. Configuring ForitSIEM 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box and click Save: Settings Description Name Enter a name for the credential Device Type Amazon AWS Kinesis Access Protocol AWS Kinesis Client Library Region You can enter one or more regions separated by a space, for example, "useast-1 us-west-2". See Supported Regions in AWS for a list of valid regions. Password Config Choose Manual, CyberArk, or RAX_Janus from the drop down list. For CyberArk , see CyberArk Password Configuration. For RAX_Janus, see RAX_Janus Password Configuration. Access Key Access key for your AWS Kinesis instance. See Configuring AWS Kinesis. Secret Key Secret key for your AWS Security Hub instance Organization The organization the device belongs to. Description Description of the device. 3. In Step 2, Enter IP Range to Credential Associations: a. Select the name of your AWS Kinesis credential from the Credentials drop-down list. b. Enter a host name, an IP, or an IP range in the IP/Host Name field. c. Click Save. 4. Click Test to test the connection to AWS Kinesis. 5. To see the jobs associated with AWS Kinesis, select ADMIN > Pull Events. 6. To see the received events select ANALYTICS, then enter AWS Kinesisin the search box. FortiSIEM 6.1.1 External Systems Configuration Guide 235 Fortinet Technologies Inc. Cloud Applications Sample Events AWS Kinesis can collect data from different devices or services. The data format is the same as the source data. FortiSIEM 6.1.1 External Systems Configuration Guide 236 Fortinet Technologies Inc. Cloud Applications AWS RDS l What is Discovered and Monitored l Configuration What is Discovered and Monitored Type Protocol Relational Database Storage (RDS) CloudWatch API Information Discovered Metrics Collected l CPU Utilization l User Connections l Free Memory l Free Storage l Used Swap l Read Latency l Write Latency l Read Ops l Write Ops Used For Performance Monitoring Event Types l PH_DEV_MON_RDS_METRIC captures RDS metrics Configuration If you have not already configured Access Keys and permissions in AWS, please follow the steps outlined in AWS Access Key IAM Permissions and IAM Policies. Discovering AWS RDS 1. Create a AWS credential a. Go to Admin > Credentials > Step 1: Enter Credentials. b. Click Add. i. Set Device Type to Amazon AWS RDS. ii. Set Access Protocol as AWS SDK. iii. Set Region as the region in which your AWS instance is located. iv. Set Password. See Password Configuration. v. Set Access Key ID as the access key for your EC2 instance. vi. Set Secret Key as the secret key for your EC2 instance. vii. Select an Organization from the drop-down list. c. Click Save. FortiSIEM 6.1.1 External Systems Configuration Guide 237 Fortinet Technologies Inc. Cloud Applications 2. In Step 2: Enter IP Range to Credential Associations: a. Set IP/IP Range to amazon.com b. Choose Credentials to the one created in Step 1b. 3. Click Test > Test Connectivity to make sure the credential is working correctly. 4. Go to Admin > Discovery: a. Set Discovery Type as AWS Scan. b. Click OK to Save. c. Select the entry and Click Discover. 5. After Discovery finishes, check CMDB > Devices > Amazon Web Services > AWS Database. Sample Events [PH_DEV_MON_RDS_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=deviceAwsRDS.cpp, [lineNumber]=104,[hostName]=mysql1.cmdzvvce07ar.ap-northeast-1.rds.amazonaws.com, [hostIpAddr]=54.64.131.93,[dbCpuTimeRatio]=1.207500,[dbUserConn]=0, [dbEnqueueDeadlocksPerSec]=0.000587,[freeMemKB]=489,[freeDiskMB]=4555, [swapMemUtil]=0.000000,[ioReadsPerSec]=0.219985,[ioWritesPerSec]=0.213329, [devDiskRdLatency]=0.08,[devDiskWrLatency]=0.4029,[phLogDetail]= FortiSIEM 6.1.1 External Systems Configuration Guide 238 Fortinet Technologies Inc. Cloud Applications AWS Security Hub Security Hub collects security data from across AWS accounts, services, and supported third-party partner products. FortiSIEM want to get this data collected by Security Hub and analyze this data to identify the highest priority security issues. What is Discovered and Monitored Protocol AWS Security Hub SDK Information collected Security data Used for Security and compliance Event Types In RESOURCES > Event Types, enter "AWS Sechub" in the Search column to see the event types associated with this device. Rules In RESOURCES > Rules, enter "AWS Sechub" in the Search column to see the rules associated with this device. Reports In RESOURCES > Reports, enter "AWS Security Hub" in the Search column to see the reports associated with this device. Requirements FortiSIEM uses PHP V3 SDK to integrate data from the security hub to perform comprehensive security analytics. Configuring AWS Security Hub Supported Regions in AWS Security Hub only collects events from the region where you enabled Security Hub. If you don't enable the Security Hub for other regions, then you won't get events from those regions. FortiSIEM allows you to specify multiple regions when you create a new credential. In the regions you specify, the Security Hub will be enabled. These regions should use the following AWS region codes: Region Name US East (Ohio) Region Code us-east-2 FortiSIEM 6.1.1 External Systems Configuration Guide 239 Fortinet Technologies Inc. Cloud Applications Region Name Region Code US East (N. Virginia) us-east-1 US West (N. California) us-west-1 US West (Oregon) us-west-2 Asia Pacific (Hong ap-east-1 Kong) Asia Pacific (Mumbai) ap-south-1 Asia Pacific (Seoul) ap-northeast-2 Asia Pacific (Singapore) ap-southeast-1 Asia Pacific (Sydney) ap-southeast-2 Asia Pacific (Tokyo) ap-northeast-1 Canada (Central) ca-central-1 EU (Frankfurt) eu-central-1 EU (Ireland) eu-west-1 EU (London) eu-west-2 EU (Paris) eu-west-3 EU (Stockholm) eu-north-1 South America (São Paulo) sa-east-1 Step 1: Enable Security Hub Permissions required to enable Security Hub 1. The IAM identity (user, role, or group) that you use to enable Security Hub must have the required permissions. To grant the permissions required to enable Security Hub, attach the following policy to an IAM user, group, or role. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "securityhub:*", "Resource": "*" FortiSIEM 6.1.1 External Systems Configuration Guide 240 Fortinet Technologies Inc. Cloud Applications }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringLike": { "iam:AWSServiceName": "securityhub.amazonaws.com" } } } ] } 2. Use the credentials of the IAM identity from step 1 to sign in to the Security Hub console. When you open the Security Hub console for the first time, choose Get Started and then choose Enable Security Hub. Step 2: Get an Access Key This feature supports long-term access keys. Access keys consist of two parts: an access key ID and a secret access key. Permissions Required To create access keys for your own IAM user, you must have the permissions from the following policy: { "Version": "2012-10-17", "Statement": [ { "Sid": "CreateOwnAccessKeys", "Effect": "Allow", "Action": [ "iam:CreateAccessKey", "iam:GetUser", "iam:ListAccessKeys" ], "Resource": "arn:aws:iam::*:user/${aws:username}" } ] } FortiSIEM 6.1.1 External Systems Configuration Guide 241 Fortinet Technologies Inc. Cloud Applications To create, modify, or delete your own IAM user access keys (console): 1. Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console. 2. In the navigation bar on the upper right, choose your user name, and then choose My Security Credentials. 3. On the AWS IAM Credentials tab, in the Access keys for CLI, SDK, and API access section, do any of the following: l To create an access key, choose Create access key. Then choose Download .csv file to save the access key ID and secret access key to a .csv file on your computer. Store the file in a secure location. You will not have access to the secret access key again after this dialog box closes. After you have downloaded the .csv file, choose Close. When you create an access key, the key pair is active by default, and you can use the pair right away. l To disable an active access key, choose Make inactive. l To reenable an inactive access key, choose Make active. l To delete an access key, choose its X button at the far right of the row. Then choose Delete to confirm. When you delete an access key, it's gone forever and cannot be retrieved. However, you can always create new keys. Configuring FortiSIEM for AWS Security Hub Access Complete these steps in the FortiSIEM UI: 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box and click Save: Settings Description Name Enter a name for the credential Device Type Amazon AWS Security Hub Access Protocol AWS Security Hub SDK Region You can enter one or more regions separated by a space, for example, "useast-1 us-west-2". See Supported Regions in AWS for a list of valid regions. Password Config Choose Manual, CyberArk, or RAX_Janus from the drop down list. For CyberArk , see CyberArk Password Configuration. For RAX_Janus, see RAX_Janus Password Configuration. Access Key Access key for your AWS Security Hub instance. See Step 2: Get an Access Key. Secret Key Secret key for your AWS Security Hub instance FortiSIEM 6.1.1 External Systems Configuration Guide 242 Fortinet Technologies Inc. Cloud Applications Settings Description Session Token Organization Description The session token is used by credentials from Rax Scan. If you obtained an access key as described in Step 2: Get an Access Key, then leave this field empty. The organization the device belongs to. Description of the device. 3. In Step 2, Enter IP Range to Credential Associations: a. Select the name of your AWS Security Hub credential from the Credentials drop-down list. b. Enter a host name, an IP, or an IP range in the IP/Host Name field. c. Click Save. 4. Click Test to test the connection to AWS Security Hub. 5. To see the jobs associated with AWS Security Hub, select ADMIN > Pull Events. 6. To see the received events select ANALYTICS, then enter AWS Security Hubin the search box. Sample Events [AWS_SECURITY_HUB_EVENT_DATA] ={ "AwsAccountId": "111111111111", "CreatedAt": "2019-08-06T04:56:44.894Z", "Description": "10.10.10.72 is performing SSH brute force attacks against i- 0100ee1e110c011c1. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.", "FirstObservedAt": "2019-08-06T04:51:14Z", "GeneratorId": "arn:aws:guardduty:us-west2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa", "Id": "arn:aws:guardduty:us-west2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa/finding/8cb632a4b32f7c3b854d9f5347b f07a4", "LastObservedAt": "2019-08-06T05:22:54Z", "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty", "ProductFields": { "action/actionType": "NETWORK_CONNECTION", "action/networkConnectionAction/blocked": "false", "action/networkConnectionAction/connectionDirection": "INBOUND", "action/networkConnectionAction/localPortDetails/port": "22", "action/networkConnectionAction/localPortDetails/portName": "SSH", "action/networkConnectionAction/protocol": "TCP", "action/networkConnectionAction/remoteIpDetails/country/countryName": "China", "action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "34.7725", "action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "113.7266", "action/networkConnectionAction/remoteIpDetails/ipAddressV4": "10.10.10.72", "action/networkConnectionAction/remoteIpDetails/organization/asn": "56047", "action/networkConnectionAction/remoteIpDetails/organization/asnOrg": "China Mobile communications corporation", FortiSIEM 6.1.1 External Systems Configuration Guide 243 Fortinet Technologies Inc. Cloud Applications "action/networkConnectionAction/remoteIpDetails/organization/isp": "China Mobile Guangdong", "action/networkConnectionAction/remoteIpDetails/organization/org": "China Mobile", "action/networkConnectionAction/remotePortDetails/port": "33242", "action/networkConnectionAction/remotePortDetails/portName": "Unknown", "archived": "false", "aws/securityhub/CompanyName": "Amazon", "aws/securityhub/FindingId": "arn:aws:securityhub:us-west2::product/aws/guardduty/arn:aws:guardduty:us-west2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa/finding/8cb632a4b32f7c3b854d9f5347b f07a4", "aws/securityhub/ProductName": "GuardDuty", "aws/securityhub/SeverityLabel": "MEDIUM", "count": "7", "detectorId": "50b2ea07131dbe1530c23facb594b1fa", "resourceRole": "TARGET" }, "RecordState": "ACTIVE", "Resources": [ { "Details": { "AwsEc2Instance": { "ImageId": "ami-f2c2408a", "IpV4Addresses": [ "10.10.10.20", "10.0.0.137" ], "LaunchedAt": "2019-08-05T17:10:47.000Z", "SubnetId": "subnet-931605f1", "Type": "m5.4xlarge", "VpcId": "vpc-c66576a4" } }, "Id": "arn:aws:ec2:us-west-2:111111111111:instance/i-0799ee6e490c078c5", "Partition": "aws", "Region": "us-west-2", "Tags": { "Name": "elasticsearch-node-coordinator" }, "Type": "AwsEc2Instance" } ], "SchemaVersion": "2018-10-08", "Severity": { "Normalized": 40, "Product": 2 }, "Title": "310.10.10.72 is performing SSH brute force attacks against i-0799ee6e490c078c5. ", "Types": [ FortiSIEM 6.1.1 External Systems Configuration Guide 244 Fortinet Technologies Inc. Cloud Applications "TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce" ], "UpdatedAt": "2019-08-06T05:28:24.425Z", "WorkflowState": "NEW", "phCustId": 1, "serverIp": "10.10.10.22", "serverName": "amzon.com" } FortiSIEM 6.1.1 External Systems Configuration Guide 245 Fortinet Technologies Inc. Cloud Applications Box.com l Integration points l Box API Integration l Configuring Box.com Service l Configuring FortiSIEM Integration points Protocol Box.com API Information Discovered Used For Security and Compliance Box API Integration FortiSIEM can pull audit events from Box.com Cloud Service via Box API. Configuring Box.com Service Create an account to be used for FortiSIEM communication. l A general account can pull user events l An Admin account can pull enterprise events Configuring FortiSIEM Use the account in previous step to enable FortiSIEM access. 1. Logon to FortiSIEM. 2. Go to ADMIN > Setup > Credentials. 3. Click New to create a Box.com credential. a. Choose Device Type = Box.com Box (Vendor = Box.com, Model = Box). b. Choose Access Protocol = Box API. c. Choose Account as the email address for the account created while Configuring Box.com Service. d. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers. e. Click Save. f. You will be redirected to the Box.com website. g. Enter credentials for Box.com and click Authorize. h. Click Grant Access to Box. You should see that the authorization for FortiSIEM to access your Box.com account was successful. FortiSIEM 6.1.1 External Systems Configuration Guide 246 Fortinet Technologies Inc. Cloud Applications 4. Enter an IP Range to Credential Association: a. Set Hostname to box.com. b. Select the Credential created in step 3. c. Click Save. 5. Select the entry in step 4 and click Test Connectivity and make sure it succeeds, implying that the credential is correct. 6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Box.com Cloud Service using the Box.com API. To test for received Box.com events: 1. Go to ADMIN > Setup > Pull Events. 2. Select the Box.com entry and click Report. The system will take you to the Analytics tab and run a query to display the events received from Box.com in the last 15 minutes. You can modify the time interval to get more events. FortiSIEM 6.1.1 External Systems Configuration Guide 247 Fortinet Technologies Inc. Cloud Applications Google Workspace Audit l What is Discovered and Monitored l Configuration l Sample Events for Google Workspace Audit What is Discovered and Monitored Protocol Google Apps Admin SDK Logs Collected Configuration Change, Account Create/Delete/Modify, Account Group Create/Delete/Modify, Document Create/Delete/Modify/Download, Document Permission Change, Logon Success, Logon Failure, Device compromise Used For Security Monitoring Event Types In ADMIN > Device Support > Event, search for "Google_Apps" in the Search column to see the event types associated with this device. Reports There are many reports defined in Resource > Reports > Device > Application > Document Mgmt. Search for "Google Apps". Configuration l Create a Google Workspace Credential in Google API Console l Define Google Workspace Credential in FortiSIEM l Test Connectivity FortiSIEM 6.1.1 External Systems Configuration Guide 248 Fortinet Technologies Inc. Cloud Applications Create a Google Workspace Credential in Google API Console 1. Logon to Google API Console (https://console.developers.google.com). 2. Open the Select a project window and click NEW PROJECT. 3. Under the New Project window: a. Project Name - enter a name. b. Click Create. 4. Open the Select a project window and select the new project that you created in Step 2. 5. Under Dashboard, click Enable API And Services to find the Admin SDK. 6. Select Admin SDK and click Enable to activate the Admin SDK for this project. 7. Create a Service Account for this project: a. Under Credentials, click Create Credentials > Service Account. b. Enter the server account name. c. Click Create. d. Choose Role as Project > Viewer. e. Click Continue>Done. 8. Create key for the Service Account: a. Go to Navigation Menu> IAM &Admin>Service Accounts. b. Go to the Service Account table, choose the service account you create in Step 7. c. Click Actions > Create Key. d. Choose Key type as JSON. e. Click Create f. A JSON file containing the Service Account credentials will be stored in your computer. FortiSIEM 6.1.1 External Systems Configuration Guide 249 Fortinet Technologies Inc. Cloud Applications 9. Enable Google Workspace Domain-wide delegation: a. Go to Navigation Menu> IAM &Admin>Service Accounts b. Go to the Service Account table and choose the service account you created in Step 7. c. Click Actions > Edit > SHOW DOMAIN-WIDE DELEGATION. d. Check Enable G Suite Domain-wide Delegation. e. Enter FortiSIEM in the Product name for the consent screen. f. Click Save. 10. View Client ID: a. Go to Navigation Menu> IAM &Admin>Service Accounts. b. Go to the Service Account table and choose the service account you created in Step 7. c. Click Actions > Edit > SHOW DOMAIN-WIDE DELEGATION. d. You can find a Client ID. 11. Delegate domain-wide authority to the service account created in Step 7. a. Go to your Google Workspace domain's Admin console (https://admin.google.com). b. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. c. Select Advanced settings from the list of options. d. Click Manage domain wide delegation in the Domain wide delegation section. e. Click Add new. f. In the Client ID field, enter the service account's Client ID you obtained in Step 10d. g. In the OAuth scopes(comma-delimited) field, enter the following scope that FortiSEM should be granted access to: https://www.googleapis.com/auth/admin.reports.audit.readonly h. Click Authorize. Define Google Workspace Credential in FortiSIEM 1. Log in to FortiSIEM Supervisor node. 2. Go to Admin > Setup > Credentials. 3. In Step 1, Click Add to create a new credential. 4. For Device Type, select Google Google Apps. 5. For Access Protocol, select Google Apps Admin SDK. 6. Enter the User Name (this is the account name to log in to the Admin console). 7. For Service Account Key, upload the JSON credential file (see Step 8f in Create a Google Workspace Credential in Google API Console). 8. Click Save. Test Connectivity 1. Log in to the FortiSIEM Supervisor node. 2. Go to Admin > Setup > Credentials. 3. In Step 2, Click Add to create a new association. 4. For Name/IP/IP Range, enter google.com. 5. For Credentials, enter the name of the credential created in Define Google Workspace Credential in FortiSIEM. 6. Click Save. FortiSIEM 6.1.1 External Systems Configuration Guide 250 Fortinet Technologies Inc. Cloud Applications 7. Select the entry just created and click Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results. 8. Go to Admin > Setup > Pull Events and make sure an entry is created for Google Audit Log Collection. Sample Events for Google Workspace Audit Logon Success <134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_success]:[eventSeverity]=PHL_ INFO,[actor.profileId]=117858279951236905887,[id.time]=2016-09-09T06:53:58.000Z, [id.applicationName]=login,[kind]=admin#reports#activity,[id.customerId]=C01lzy8ye, [id.uniqueQualifier]=8830301951515521023,[event.parameters.login_type]=google_password, [event.type]=login,[ipAddress]=45.79.100.103,[actor.email]=api1@accelops.net, [event.name]=login_success,[etag]=""6KGrH_ UY2JDZNpgjPKUOF8yJF1A/Nfrg2SFjlC2gR6pJtpP2scVidmc""",Google_Apps_login_login_success,login_ success,1,45.79.100.103, Logon Failure <134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_failure]: [eventSeverity]=PHL_INFO,[actor.profileId]=117858279951236905887, [id.applicationName]=login,[kind]=admin#reports#activity,[event.parameters.login_ type]=google_password,[ipAddress]=45.79.100.103,[event.name]=login_failure,[id.time]=201609-19T09:27:51.000Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=4795688196368428241, [event.type]=login,[actor.email]=api1@accelops.net,[etag]=""6KGrH_ UY2JDZNpgjPKUOF8yJF1A/v5zsUPNoEdXLLK79zQpBcuxNbQU"",[event.parameters.login_failure_ type]=login_failure_invalid_password",Google_Apps_login_login_failure,login_ failure,1,45.79.100.103, Create User <134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_CREATE_USER]: [eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887, [id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103, [event.name]=CREATE_USER,[id.time]=2016-09-19T09:22:44.646Z,[id.customerId]=C01lzy8ye, [id.uniqueQualifier]=-8133102622954793216,[event.type]=USER_SETTINGS, [event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelops.net, [etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/R5GJyWG9YHSiGRvo3-8ZBM0ZlL0""",Google_Apps_USER_ SETTINGS_CREATE_USER,CREATE_USER,1,45.79.100.103, Delete user <134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_DELETE_USER]: [eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887, [id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103, [event.name]=DELETE_USER,[id.time]=2016-09-19T09:22:28.582Z,[id.customerId]=C01lzy8ye, [id.uniqueQualifier]=-4630441819990099585,[event.type]=USER_SETTINGS,[event.parameters.USER_ EMAIL]=test-user@accelops.org,[actor.email]=api1@accelops.net,[etag]=""6KGrH_ UY2JDZNpgjPKUOF8yJF1A/08MaodxPU6Zv7s6vJtuUQW9ugx0""",Google_Apps_USER_SETTINGS_DELETE_ USER,DELETE_USER,1,45.79.100.103, FortiSIEM 6.1.1 External Systems Configuration Guide 251 Fortinet Technologies Inc. Cloud Applications Move user settings <134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_MOVE_USER_TO_ORG_UNIT]: [eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887, [event.parameters.ORG_UNIT_NAME]=/test,[id.applicationName]=admin, [kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=MOVE_USER_TO_ORG_UNIT, [id.time]=2016-09-19T09:24:25.285Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=6704816947489240452,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=testuser@accelops.org,[actor.email]=api1@accelops.net,[event.parameters.NEW_VALUE]=/, [etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/r1v9DiPZbL06fXFFjJlrWf2s3qI""",Google_Apps_USER_ SETTINGS_MOVE_USER_TO_ORG_UNIT,MOVE_USER_TO_ORG_UNIT,1,45.79.100.103,, FortiSIEM 6.1.1 External Systems Configuration Guide 252 Fortinet Technologies Inc. Cloud Applications Microsoft Azure Audit l What is Discovered and Monitored l Configuration l Sample Events for Microsoft Azure Audit What is Discovered and Monitored Protocol Azure CLI Information Discovered None Information Collected Audit Logs Used For Security Monitoring Event Types In ADMIN > Device Support > Event, search for "Microsoft Azure Audit" in the Search column to see the event types associated with this device. Configuration You must define a user account in Azure for use by FortiSIEM to pull Audit logs. Use any of the following roles: l Owner l Reader l Monitoring Reader l Monitoring Contributor l Contributor FortiSIEM recommends using the 'Monitoring Reader' role, which is the least privileged to do the job. Create Microsoft Azure Audit Credential in FortiSIEM 1. Log in to FortiSIEM Supervisor node. 2. Go to ADMIN > Setup > Credentials. 3. In Step 1, click Add to create a new credential. 4. For Device Type, select Microsoft Azure Audit. 5. For Access Protocol, select Azure CLI. 6. For Password Configuration, select Manual or CyberArk. a. For Manual credential method, enter the username and credentials for an Azure account. FortiSIEM recommends using 'Monitoring Reader' role for this account. b. For CyberArk, see Password Configuration. 7. Click Save. FortiSIEM 6.1.1 External Systems Configuration Guide 253 Fortinet Technologies Inc. Cloud Applications Test Connectivity in FortiSIEM 1. Log in to FortiSIEM Supervisor node. 2. Go to ADMIN > Setup > Credentials. 3. In Step 2, click Add to create a new association. 4. For Name/IP/IP Range, enter any IP Address. 5. For Credentials, enter the name of the credential created in the "Microsoft Azure Audit Credential" step. 6. Click Save. 7. Select the entry just created and click Test Connectivity without Ping. A pop-up appears with the Test Connectivity results. 8. Go to ADMIN > Setup > Pull Events and make sure an entry is created for Microsoft Audit Log Collection. Sample Events for Microsoft Azure Audit 2016-02-26 15:19:10 FortiSIEM-Azure, [action]=Microsoft.ClassicCompute/virtualmachines/shutdown/action, [caller]=Cuiping.Wang@shashiaccelops.onmicrosoft.com,[level]=Error, [resourceId]=/subscriptions/3ed4ee1c-1a83-4e02-a9287ff5e0008e8a/resourcegroups/china/providers/Microsoft.ClassicCompute/virtualmachines/china, [resourceGroupName]=china,[eventTimestamp]=2016-02-14T06:12:18.5539709Z,[status]=Failed, [subStatus]=Conflict,[resourceType]=Microsoft.ClassicCompute/virtualmachines, [category]=Administrative FortiSIEM 6.1.1 External Systems Configuration Guide 254 Fortinet Technologies Inc. Cloud Applications Microsoft Office 365 Audit l What is Discovered and Monitored l Event Types l Reports l Configuration in Office 365 Audit l Configuration in FortiSIEM l Sample Events for Audit What is Discovered and Monitored Office 365 Activity Type Operation File and folder activities FileAccessed, FileCheckedIn, FileCheckedOut, FileCopied, FileDeleted,FileCheckOutDiscarded, FileDownloaded, FileModified, FileMoved, FileRenamed, FileRestored, FileUploaded Sharing and access request activities AccessRequestAccepted, SharingInvitationAccepted, CompanyLinkCreated, AccessRequestCreated, AnonymousLinkCreated, SharingInvitationCreated, AccessRequestDenied, CompanyLinkRemoved, AnonymousLinkRemoved, SharingSet, AnonymousLinkUpdated, AnonymousLinkUsed, SharingRevoked, CompanyLinkUsed, SharingInvitationRevoked Synchronization activities ManagedSyncClientAllowed, UnmanagedSyncClientBlocked, FileSyncDownloadedFull, FileSyncDownloadedPartial, FileSyncUploadedFull, FileSyncUploadedPartial Site administration activities ExemptUserAgentSet, SiteCollectionAdminAdded, AddedToGroup, AllowGroupCreationSet, CustomizeExemptUsers, SharingPolicyChanged, GroupAdded, SendToConnectionAdded, SiteCollectionCreated, GroupRemoved, SendToConnectionRemoved, PreviewModeEnabledSet, LegacyWorkflowEnabledSet, OfficeOnDemandSet, NewsFeedEnabledSet, PeopleResultsScopeSet, SitePermissionsModified, RemovedFromGroup, SiteRenamed, SiteAdminChangeRequest, HostSiteSet, GroupUpdated Exchange mailbox activities Copy, Create, SoftDelete, Move, MoveToDeletedItems, HardDelete, SendAs, SendOnBehalf, Update, MailboxLogin Sway activities SwayChangeShareLevel, SwayCreate, SwayDelete, SwayDisableDuplication, SwayDuplicate, SwayEdit, EnableDuplication, SwayRevokeShare, SwayShare, SwayExternalSharingOff, SwayExternalSharingOn, SwayServiceOff, SwayServiceOn, SwayView User administration activities Add user, Change user license, Change user password, Delete user, Reset user password, Set force change user password, Set license properties, Update user Group administration activities Add group, Add member to group, Delete group, Remove member from group, Update group FortiSIEM 6.1.1 External Systems Configuration Guide 255 Fortinet Technologies Inc. Cloud Applications Office 365 Activity Type Operation Application administration activities Add delegation entry, Add service principal, Add service principal credentials, Remove delegation entry, Remove service principal, Remove service principal credentials, Set delegation entry Role administration activities Add role member to role, Remove role member from role, Set company contact information Directory administration activities Add domain to company, Add partner to company, Remove domain from company, Remove partner from company, Set company information, Set domain authentication, Set federation settings on domain, Set password policy, Set DirSyncEnabled flag on company, Update domain, Verify domain, Verify email verified domain Event Types In ADMIN > Device Support > Event Types, search for "MS_Office365" in the Search field to see the event types associated with Office 365. Reports There are many reports defined in RESOURCES > Reports > Device > Application > Document Mgmt. Search for "Office365" in the main content panel Search... field. Configuration in Office 365 Audit l Enable Office 365 Audit Log Search l Create the Office 365 API Credential Enable Office 365 Audit Log Search To be able to search audit logs, you must first enable Office 365 audit log search. For instructions on how to enable audit log search, see https://docs.microsoft.com/en-us/office365/securitycompliance/turn-audit-log-search-on-or-off. To use the Office 365 Management Activity API to access auditing data for your organization, you must enable audit log search in the Security & Compliance Center. If you do not enable audit log search, you cannot access auditing data for your organization. Before you can enable or disable audit log search for your Microsoft 365 organization, you must be assigned the Audit Logs role in the Exchange admin center. Follow these steps to assign the Audit Logs role and enable audit log search for your organization. FortiSIEM 6.1.1 External Systems Configuration Guide 256 Fortinet Technologies Inc. Cloud Applications 1. Log in to Microsoft Office Online: https://login.microsoftonline.com. 2. Click Admin > Security & compliance. 3. Click Exchange admin center. If you receive the following alert, you must enable Office 365 Exchange Online before proceeding. In this case, go to Step 4. Otherwise, go to Step 6. FortiSIEM 6.1.1 External Systems Configuration Guide 257 Fortinet Technologies Inc. Cloud Applications 4. Click Admin > Purchase services. 5. Select one of Microsoft 365 services. In this example, Microsoft 365 Business Premium Trial is selected. 6. Click Admin > Security & compliance > Exchange admin center. FortiSIEM 6.1.1 External Systems Configuration Guide 258 Fortinet Technologies Inc. Cloud Applications 7. Click Exchange admin center > permissions > admin roles > New to create a new role. FortiSIEM 6.1.1 External Systems Configuration Guide 259 Fortinet Technologies Inc. Cloud Applications 8. Select Audit Logs Roles and add the members you want to add the group. Click Save. 9. The Audit Log role will display in the Exchange admin center > permissions > admin roles table. FortiSIEM 6.1.1 External Systems Configuration Guide 260 Fortinet Technologies Inc. Cloud Applications 10. Go back to the Microsoft 365 Admin center. 11. Click Security & compliance > Report dashboard. When you first go into this page, it will ask you to enable Audit log. After you enable it, the page will display the Search button. Create the Office 365 API Credential Follow these steps to create the Office 365 API credential. 1. Login to https://portal.azure.com. 2. Click All Services. 3. Click Azure Active Directory. 4. Click App Registrations (on the right panel). 5. Click New registration and enter the following information: Name: FSM Supported Account Types: Select Accounts in any organizational directory (Any Azure AD directory Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox). Redirect URI: https://your.internal.fsm.ip 6. Click Register: Copy the Application (client) ID to a text editor, you'll need this when entering Office 365 Credentials in FortiSIEM. Copy the Directory (tenant) ID to a text editor, you'll need this when entering Office 365 Credentials in FortiSIEM. 7. Click Certificates & secrets (on the right panel). 8. New client secret: Description: FSM Expires in: 2 years Copy the value (for example: AC83J.6_nobD:G1Q=DJe/hFiB3BP4+a) to a text editor. You will need this value when entering Office 365 Credentials in FortiSIEM. 9. Go to API permissions (left panel). 10. Click Add a permission. 11. Select Office 365 Management APIs. 12. Click Application permissions and expand all. 13. Select all permissions with "Read" access (we don't want to write). Click Add permissions. You will see a warning: "Permissions have changed." Users and/or admins will have to consent even if they have already done so previously. We'll need to approve all these permission grants. FortiSIEM 6.1.1 External Systems Configuration Guide 261 Fortinet Technologies Inc. Cloud Applications 14. Click grant admin consent and select Yes when you see the Do you want to grant consent for the requested permissions for all accounts in your_organization? alert. This will update any existing admin consent records this application already has to match what is listed below. Sample API Permission Configuration in FortiSIEM Configuration is done in two parts. Follow the steps in these two sections to configure your FortiSIEM. l Define Office 365 Management Credential in FortiSIEM l Create IP Range to Credential Association and Test Connectivity Define Office 365 Management Credential in FortiSIEM Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node. 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. 1. b. Enter these settings in the Access Method Definition dialog box and click Save: Settings Name Device Type Description Enter a name for the credential Microsoft Office365 FortiSIEM 6.1.1 External Systems Configuration Guide 262 Fortinet Technologies Inc. Cloud Applications Settings Access Protocol Tenant ID Password config Organization Description Description Office 365 Mgmt Activity API Use the ID from Azure Login URL. See Step 5 in Create Office 365 API Credential. If you select Manual, take the following steps: 1. For Client ID, use the value obtained in Step 5 in Create Office 365 API Credential. 2. For Client Secret, use the value obtained in Step 7 in Create Office 365 API Credential. For CyberArk credential method, see CyberArk Password Configuration. The organization the device belongs to. Description of the device. Create IP Range to Credential Association and Test Connectivity From the FortiSIEM Supervisor node, take the following steps. 1. In Step 2: Enter IP Range to Credential Associations, click New to create a new association. a. Enter "manage.office.com" in the IP/Host Name field. b. Select the name of the credential created in the Define Office 365 Management Credential from the Credentials drop-down list. c. Click Save. 2. Select the entry just created and click the Test drop-down list and select Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results. 3. Go to ADMIN > Setup > Pull Events and make sure an entry is created for Office 365 Log Collection. Sample Events for Audit [OFFICE365_EVENT_DATA] = {"Actor":[{"ID":"dtomic@my.company.org","Type":5}, {"ID":"10030000873CEE9F","Type":3},{"ID":"18ed3507-a475-4ccb-b669-d66bc9f2a36e","Type":2}, {"ID":"User_68d76168-813d-4b9f-88cd-37b66a5b3841","Type":2}, {"ID":"68d76168-813d-4b9f-88cd-37b66a5b3841","Type":2}, {"ID":"User","Type":2}],"ActorContextId":"653e32e8-fb2d-41aa-8841-90f05b340318","ActorIpAddr ess":"<null>","AzureActiveDirectoryEventType":1,"ClientIP":"<null>","CreationTime":"2019-0723T13:16:05UTC","ExtendedProperties": [{"Name":"actorContextId","Value":"653e32e8-fb2d-41aa-8841-90f05b340318"}, {"Name":"actorObjectId","Value":"68d76168-813d-4b9f-88cd-37b66a5b3841"}, {"Name":"actorObjectClass","Value":"User"}, {"Name":"actorUPN","Value":"dtomic@my.company.org"}, FortiSIEM 6.1.1 External Systems Configuration Guide 263 Fortinet Technologies Inc. Cloud Applications {"Name":"actorAppID","Value":"18ed3507-a475-4ccb-b669-d66bc9f2a36e"}, {"Name":"actorPUID","Value":"10030000873CEE9F"},{"Name":"teamName","Value":"MSODS."}, {"Name":"targetContextId","Value":"653e32e8-fb2d-41aa-8841-90f05b340318"}, {"Name":"targetObjectId","Value":"02232019-4557-45d6-9630-f78694bc8341"}, {"Name":"extendedAuditEventCategory","Value":"Application"}, {"Name":"targetName","Value":"FSM"},{"Name":"targetIncludedUpdatedProperties","Value":" [\"AppAddress\",\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAcce ss\"]"},{"Name":"correlationId","Value":"a854ecc6-31d6-4fea-8d56-aeed05aa1174"}, {"Name":"version","Value":"2"},{"Name":"additionalDetails","Value":"{}"}, {"Name":"resultType","Value":"Success"}, {"Name":"auditEventCategory","Value":"ApplicationManagement"}, {"Name":"nCloud","Value":"<null>"},{"Name":"env_ver","Value":"2.1"},{"Name":"env_ name","Value":"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"},{"Name":"env_ time","Value":"2019-07-23T13:16:05.0208099Z"},{"Name":"env_epoch","Value":"64BOV"}, {"Name":"env_seqNum","Value":"25454285"},{"Name":"env_popSample","Value":"0"},{"Name":"env_ iKey","Value":"ikey"},{"Name":"env_flags","Value":"257"},{"Name":"env_ cv","Value":"##17a913a8-943a-42f3-b8ad-2ea3bc4bf927_00000000-0000-0000-0000-000000000000_ 17a913a8-943a-42f3-b8ad-2ea3bc4bf927"},{"Name":"env_os","Value":"<null>"},{"Name":"env_ osVer","Value":"<null>"},{"Name":"env_appId","Value":"restdirectoryservice"},{"Name":"env_ appVer","Value":"1.0.11219.0"},{"Name":"env_cloud_ver","Value":"1.0"},{"Name":"env_cloud_ name","Value":"MSO-AM5R"},{"Name":"env_cloud_role","Value":"restdirectoryservice"}, {"Name":"env_cloud_roleVer","Value":"1.0.11219.0"},{"Name":"env_cloud_ roleInstance","Value":"AM5RRDSR582"},{"Name":"env_cloud_environment","Value":"PROD"}, {"Name":"env_cloud_ deploymentUnit","Value":"R5"}],"Id":"fc12de96-0cbc-4618-9c8f-cc8ab7891e3b","ModifiedProperti es":[{"Name":"AppAddress","NewValue":"[\r\n {\r\n \"AddressType\": 0,\r\n \"Address\": \"https://10.222.248.17\",\r\n \"ReplyAddressClientType\": 1\r\n }\r\n]","OldValue":"[]"}, {"Name":"AppId","NewValue":"[\r\n \"0388f2da-dbcc-4506-ba57-a85c578297c0\"\r\n]","OldValue":"[]"}, {"Name":"AvailableToOtherTenants","NewValue":"[\r\n false\r\n]","OldValue":"[]"}, {"Name":"DisplayName","NewValue":"[\r\n \"FSM\"\r\n]","OldValue":"[]"}, {"Name":"RequiredResourceAccess","NewValue":"[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AppAddress, AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess","OldValue":""}],"ObjectId":"Not Available","Operation":"Add application.","OrganizationId":"653e32e8-fb2d-41aa-8841-90f05b340318","RecordType":8,"Result Status":"Success","SupportTicketId":"","Target":[{"ID":"Application_ 02232019-4557-45d6-9630-f78694bc8341","Type":2}, {"ID":"02232019-4557-45d6-9630-f78694bc8341","Type":2},{"ID":"Application","Type":2}, {"ID":"FSM","Type":1}],"TargetContextId":"653e32e8-fb2d-41aa-8841-90f05b340318","TenantId":" 653e32e8-fb2d-41aa-8841-90f05b340318","UserId":"dtomic@my.company.org","UserKey":"1003000087 3CEE9F@my.company.org","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","phCustId" :1} FortiSIEM 6.1.1 External Systems Configuration Guide 264 Fortinet Technologies Inc. Cloud Applications Microsoft Cloud App Security l Integration points l Configuring a SIEM Agent l Connecting Office 365 to Cloud App Security l Event Types l Sample Events Integration points Protocol SIEM Agent Information Discovered Logon, User creation/deletion and other Audit activity for Azure Applications including Office 365, SharePoint, OneDrive, Teams, PowerBI , Exchange Used For Security and Compliance Configuring a SIEM Agent FortiSIEM integrates with Microsoft Cloud App Security to collect alerts and activities from apps to Microsoft Cloud. As new activities and events are supported by connected apps, they become available to FortiSIEM via Microsoft Cloud App Security integration. The integration is done via the Microsoft Cloud App Security SIEM agent. It can run on any server (including FortiSIEM). It pulls alerts and activities from Microsoft Cloud App Security and then streams them into FortiSIEM. For details, see here. FortiSIEM integration is accomplished in three steps: 1. Set up a SIEM Agent in the Microsoft Cloud App Security portal. 2. Download the SIEM agent (JAR file) and run it on a server. The agent would connect to the portal, collect logs and forward to FortiSIEM. The server could be a FortiSIEM node such as Collector. 3. Validate that the SIEM agent is working correctly. 4. Configure an application to connect to Microsoft Cloud App Security portal. See those events in FortiSIEM. Step 1: Set up a SIEM agent in the Microsoft Cloud App Security portal 1. In the Cloud App Security portal, under the Settings cog, click Security extensions and then click on the SIEM agents tab. 2. Click the plus icon to start the Add SIEM agent wizard. 3. In the wizard: a. Click Start Wizard. b. Fill in a name. c. Select your SIEM format as 'Generic CEF'. d. In Advanced settings: i. Set Time Format to 'RFC 5424'. ii. Check Include PRI. FortiSIEM 6.1.1 External Systems Configuration Guide 265 Fortinet Technologies Inc. Cloud Applications iii. Check Include system name. e. Click Next. f. Type in the IP address or hostname FortiSIEM node receiving the events and port 514. Select TCP or UDP as the SIEM protocol. In most common situations, you would choose a FortiSIEM Collector. Click Next. g. Select which data types, Alerts and Activities you want to export to your FortiSIEM. We recommend choosing All Alerts and All Activities. You can use the Apply to drop-down to set filters to send only specific alerts and activities. You can click Edit and preview results to check that the filter works as expected. Click Next. h. The wizard will say that SIEM agent configuration is finished. Copy the token and save it for later. i. After you click Finish and leave the Wizard, back in the SIEM page, you can see the SIEM agent you added in the table. It will show that it's Created until it's connected later. Step 2: Download the SIEM agent (JAR file) and run it on a server 1. In the Microsoft Download Center, after accepting the software license terms, download the .zip file and unzip it. 2. Run the following command: java -jar mcas-siemagent-0.87.20-signed.jar --logsDirectory <DIRNAME> --token <TOKEN> & where: l DIRNAME (optional) is the path to the directory for agent to write debug log. l TOKEN is the SIEM agent token you copied in the previous Step 1 Sub-step 3.h. Step 3: Validate that the SIEM agent is working correctly Make sure the status of the SIEM agent in the Cloud App Security portal is 'Connected'. If the connection is down for more than two hours, then the status may show 'Connection error'. The status will be 'Disconnected' if down for more than 12 hours. Step 4: Configure an application to connect to Microsoft Cloud App Security portal. Cloud App Security currently supports the following Office 365 apps: l Office 365 l Dynamics 365 CRM l Exchange (only appears after activities from Exchange are detected in the portal and requires you to turn on auditing) l OneDrive l PowerBI (only appears after activities from PowerBI are detected in the portal, and requires you to turn on auditing) l SharePoint l Teams (only appears after activities from Teams are detected in the portal) See the Microsoft documentation to setup these applications. Connecting Office 365 to Cloud App Security Use the app connector API to connect Microsoft Cloud App Security to your existing Microsoft Office 365 account. The Microsoft Cloud App Security connection gives you visibility into and control over Office 365 use. For information on how Cloud App Security helps protect your Office 365 environment, see here. FortiSIEM 6.1.1 External Systems Configuration Guide 266 Fortinet Technologies Inc. Cloud Applications For information on the prerequisites and steps to connect Microsoft Cloud App Security to your existing Microsoft Office 365 account, see How to connect Office 365 to Cloud App Security. Event Types Search for 'MS-Azure-CloudAppSec' in Admin > Device Support > Event Types. Sample Events <109>2018-05-22T04:17:28.340Z SP204 CEF:0|MCAS|SIEM_Agent|0.123.162|EVENT_CATEGORY_ LOGIN|Log on|0|externalId=70e988af3b82e19b872d12a91860d300d968f47e0bb245a0e765d9dbfbdb02ce rt=1526962648340 start=1526962648340 end=1526962648340 msg=Log on suser=yanlong@shashiaccelops.onmicrosoft.com destinationServiceName=Microsoft Azure dvc=43.254.220.13 requestClientApplication=;Windows 10;Edge 17.17134; cs1Label=portalURL cs1=https://shashiaccelops.us2.portal.cloudappsecurity.com/#/audits?activity.id\=eq (70e988af3b82e19b872d12a91860d300d968f47e0bb245a0e765d9dbfbdb02ce,) cs2Label=uniqueServiceAppIds cs2=APPID_AZURE cs3Label=targetObjects cs3=Azure Portal,yanlong,yanlong cs4Label=policyIDs cs4= c6a1Label="Device IPv6 Address" c6a1= FortiSIEM 6.1.1 External Systems Configuration Guide 267 Fortinet Technologies Inc. Cloud Applications Microsoft Azure Advanced Threat Protection (ATP) l Integration points l Configuration l Event Types Integration Points Protocol Syslog (CEF) Information Discovered Suspicious alerts occurring on Windows machine in Azure Used For Security and Compliance Configuration FortiSIEM receives alerts via CEF formatted syslog. See here for details. Event Types Search for 'MS-AzureATP' in Admin > Device Support > Event Types. Sample Event 02-21-2018 16:20:21 Auth.Warning 192.168.0.220 1 2018-02-21T14:20:06.156238+00:00 CENTER CEF 6076 LdapBruteForceSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|LdapBruteForceSecurityAlert|Brute force attack using LDAP simple bind|5|start=2018-02-21T14:19:41.7422810Z app=Ldap suser=Wofford Thurston shost=CLIENT1 msg=A brute force attack using the Ldap protocol was attempted on Wofford Thurston (Software Engineer) from CLIENT1 (100 guess attempts). cnt=100 externalId=2004 cs1Label=url cs1=https://contoso-corp.atp.azure.com/securityAlert/57b8ac96-7907-49719b27-ec77ad8c029a FortiSIEM 6.1.1 External Systems Configuration Guide 268 Fortinet Technologies Inc. Cloud Applications Microsoft Azure Compute The purpose of this integration is to discover Virtual Machines running in Azure. It does not collect events or performance statistics. Configuration l Setup in Azure l Setup in FortiSIEM Setup in Azure 1. Log in to the Azure Portal 2. Create an Azure Active Directory application l Sign in to your Azure Account through the Azure portal. l Select Azure Active Directory. l Select App registrations. l Select New registration. FortiSIEM 6.1.1 External Systems Configuration Guide 269 Fortinet Technologies Inc. Cloud Applications 3. Assign the application to a role: l Select Subscriptions on the Home page. l Select the particular subscription to assign your application to. In here, it uses Pay-As-You-GO as the example. Click Pay-AS-You-GO to open it. Save the Subscription ID for FortiSIEM credential. l Copy the Subscription ID, it will be needed when defining the credential in FortiSIEM. l Select Access control (IAM). l Select Add role assignment. FortiSIEM 6.1.1 External Systems Configuration Guide 270 Fortinet Technologies Inc. Cloud Applications l Select Owner to assign to the application and select the app that you created. And then click Save. 4. Get value for FortiSIEM credential l Select Azure Active Directory. l From App registrations in Azure AD, select your application. l Copy the Application (client) ID and Directory (tenant) ID, it will be needed when defining the credential in FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 271 Fortinet Technologies Inc. Cloud Applications l Select Certificate & secrets to generate a secret key. 5. Test l Command: /opt/phoenix/bin/getAzureResourceVM.py {subscriptionId} {tenantId} {clientId} {client secret}. l Example: /opt/phoenix/bin/getAzureResourceVM.py 7327432-1a83-4e02-a928-9032489032898a 05c94b87-da0c-4e11-be1d-789234789432 068863e4-c2fa-48df-8f33-79823478932 jh23hjkb324ugih32hujdsdsvqeP]]' Setup in FortiSIEM Follow these steps in the FortiSIEM UI: FortiSIEM 6.1.1 External Systems Configuration Guide 272 Fortinet Technologies Inc. Cloud Applications 1. Create a new credential. Make sure to select Azure Resource SDK as the Access Protocol. 2. Define a credential. 3. Create a Discovery Definition. FortiSIEM 6.1.1 External Systems Configuration Guide 273 Fortinet Technologies Inc. Cloud Applications 4. The CMDB should then be populated. FortiSIEM 6.1.1 External Systems Configuration Guide 274 Fortinet Technologies Inc. Cloud Applications Microsoft Azure Event Hub FortiSIEM uses the Azure Python SDK to integrate logs from the event hub to perform comprehensive security analysis. Azure Log Integration simplifies the task of integrating Azure logs with your on-premises SIEM system. The recommended method for integrating Azure logs is to stream the logs into event hubs via the Azure Monitor. FortiSIEM provides a connector to further integrate logs from the event hub into the SIEM. Azure produces extensive logging for each Azure service. The logs represent these log types: l Control/management logs: Provide visibility into the Azure Resource Manager CREATE, UPDATE, and DELETE operations. An Azure activity log is an example of this type of log. l Data plane logs: Provide visibility into events that are raised when you use an Azure resource. An example of this type of log is the Windows Event Viewer's System, Security, and Application channels in a Windows virtual machine. Another example is Azure Diagnostics logging, which you configure through Azure Monitor. l Processed events: Provide analyzed event and alert information that are processed for you. An example of this type of event is Azure Security Center alerts. Azure Security Center processes and analyzes your subscription to provide alerts that are relevant to your current security posture. For more information on how to stream any type of log to an event hub, see: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/stream-monitoring-data-event-hubs l What is Discovered sand Monitored l Event Types l Reports l Rules l Configuration in Azure l Configuration in FortiSIEM l Sample Events What is Discovered and Monitored Protocol Azure Python SDK Information Discovered None Information Collected Audit Logs Used For Security Monitoring Event Types No defined event types. Reports No defined reports. Rules No defined rules. FortiSIEM 6.1.1 External Systems Configuration Guide 275 Fortinet Technologies Inc. Cloud Applications Configuration in Azure Create an Event Hub Namespace and Event Hub Complete these steps in the Azure Portal: Step 1: Create a Resource Group in Azure A resource group is a logical collection of Azure resources. All resources are deployed and managed in a resource group. To create a resource group: 1. Login to the Azure portal: https://portal.azure.com/ . 2. Click Resource groups in the left navigation pane. 3. Click Add. 4. For Subscription, select the name of the Azure subscription in which you want to create the resource group. 5. Enter a unique name for the resource group, The system immediately checks to see if the name is available in the currently selected Azure subscription. 6. Select a Region for the resource group. 7. Click Review + Create. 8. Click Create on the Review + Create page. Note: In the example used in step 2, a Resource Group called fsm1 was created. Step 2: Create an Event Hub Namespace An Event Hub namespace provides a unique scoping container, referenced by its fully-qualified domain name, in which you create one or more event hubs. To create a namespace in your resource group using the portal, complete the following steps: 1. In the Azure portal, click Create a resource at the top left of the screen. 2. In the "Search the Market text box, enter Select All services in the left menu, select star (*) next to Event Hubs, and then click the Create button in the ANALYTICS category. 3. On the Create namespace page, complete the following steps: a. Enter a name for the namespace. The system immediately checks to see if the name is available. b. Choose the pricing tier (Basic or Standard). c. Select the subscription in which you want to create the namespace. d. Select a location for the namespace. FortiSIEM 6.1.1 External Systems Configuration Guide 276 Fortinet Technologies Inc. Cloud Applications e. Click Create. You may have to wait a few minutes for the system to fully provision the resources. 4. Refresh the Event Hubs page to see the event hub namespace. You can check the status of the event hub creation in the alerts. 5. Select the namespace. You see the home page for your Event Hubs Namespace in the portal. Step 3: Create an Event Hub To create an event hub within the namespace, follow these steps: 1. In the Event Hubs Namespace page, click Event Hubs in the left menu. 2. At the top of the window, click + Event Hub. FortiSIEM 6.1.1 External Systems Configuration Guide 277 Fortinet Technologies Inc. Cloud Applications 3. Enter a name for your event hub, then click Create. 4. You can check the status of the event hub creation in alerts. After the event hub is created, you see it in the list of event hubs. Step 4: Configure an Event Hub Namespace 1. Select an event hub namespace and go to Shared access policies, and then click +Add. Enter the Policy name, check the Manage box, and then click Create. 2. Select one of the Shared Access policies just created. 3. The Azure Python SDK needs the SAS Policy name (defined in step 4.1) and the Primary key when creating the credential in FortiSIEM. Copy the primary key and policy name to a text editor for later use. Note: When the event hub namespace is created, Azure will also create a default Shared Access Policy named RootManageSharedAcessKey. 4. Select an event hub namespace and go to Event Hubs. 5. Select an event hub and go to Consumer group. You can click +Consumer group or use default group name $default. Note: If you have selected Basic (1 Consumer Group), then there will be no option to add a another Consumer group. Configuration in FortiSIEM Complete these steps in the FortiSIEM UI: FortiSIEM 6.1.1 External Systems Configuration Guide 278 Fortinet Technologies Inc. Cloud Applications 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box: Settings Description Name Device Type Access Protocol Pull Interval Event Hub Namespace Event Hub Name SAS Policy Name Primary Key Consumer Group Description Enter a name for the credential Microsoft Azure Event Hub AZURE PYTHON SDK The interval in which FortiSIEM will pull events from Azure Event Hub. Default is 5 minutes. The name of the Azure event hub namespace The name of the Azure event hub. Shared Access (SAS) Policy Name The name of the primary key The name of the consumer group Description of the device Based on the example screenshots, this is the configuration in FortiSIEM: 3. In Step 2, Enter IP Range to Credential Associations: a. Select the name of your Azure event hub credential from the Credentials drop-down list. b. Enter a host name, an IP, or an IP range in the IP/Host Name field. For this integration, enter azure.com. c. Click Save. 4. Click Test to test the connection to Azure event hub. 5. To see the jobs associated with Azure, select ADMIN > Pull Events. 6. To see the received events select ANALYTICS, then enter Azure in the search box. FortiSIEM 6.1.1 External Systems Configuration Guide 279 Fortinet Technologies Inc. Cloud Applications Note: Azure services must be configured to write to the Event Hub before there are any events to be collected. Sample Events {"records": [{ "count": 0, "total": 0, "minimum": 0, "maximum": 0, "average": 0, "resourceId": "/SUBSCRIPTIONS/3ED4EE1C-1A83-4E02-A928-7FF5E0008E8A/RESOURCEGROUPS/ANDY_ TEST/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/FORTISIEMEVENTHUB", "time": "2019-0221T05:21:00.0000000Z", "metricName": "EHAMBS", "timeGrain": "PT1M"},{ "count": 0, "total": 0, "minimum": 0, "maximum": 0, "average": 0, "resourceId": "/SUBSCRIPTIONS/3ED4EE1C-1A83-4E02-A928-7FF5E0008E8A/RESOURCEGROUPS/ANDY_ TEST/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/FORTISIEMEVENTHUB", "time": "2019-0221T05:22:00.0000000Z", "metricName": "EHAMBS", "timeGrain": "PT1M"},{ "count": 0, "total": 0, "minimum": 0, "maximum": 0, "average": 0, "resourceId": "/SUBSCRIPTIONS/3ED4EE1C-1A83-4E02-A928-7FF5E0008E8A/RESOURCEGROUPS/ANDY_ TEST/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/FORTISIEMEVENTHUB", "time": "2019-0221T05:23:00.0000000Z", "metricName": "EHAMBS", "timeGrain": "PT1M"},{ "count": 0, "total": 0, "minimum": 0, "maximum": 0, "average": 0, "resourceId": "/SUBSCRIPTIONS/3ED4EE1C-1A83-4E02-A928-7FF5E0008E8A/RESOURCEGROUPS/ANDY_ TEST/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/FORTISIEMEVENTHUB", "time": "2019-0221T05:24:00.0000000Z", "metricName": "EHAMBS", "timeGrain": "PT1M"}]} FortiSIEM 6.1.1 External Systems Configuration Guide 280 Fortinet Technologies Inc. Cloud Applications Microsoft Windows Defender Advanced Threat Protection (ATP) l Integration points l Configuring Windows Defender for FortiSIEM REST API Access l Configuring FortiSIEM for Windows Defender ATP REST API Access Integration points Protocol Windows Defender API REST API Information Discovered Used For Security and Compliance Configuring Windows Defender for FortiSIEM REST API Access Microsoft provides ample documentation here. Follow the steps specified in 'Enabling SIEM integration', repeated here. 1. Login to Windows Defender Center. 2. Go to Settings > SIEM. 3. Select Enable SIEM integration. 4. Choose Generic API. 5. Click Save Details to File. 6. Click Generate Tokens. Configuring FortiSIEM for Windows Defender ATP REST API Access Use the account in previous step to enable FortiSIEM access. 1. Login to FortiSIEM. 2. Go to ADMIN > Setup > Credential. 3. Click New to create Windows Defender REST API credential: a. Choose Device Type = Microsoft Windows Defender ATP (Vendor = Microsoft, Model = Windows Defender ATP). b. Choose Access Protocol = Windows Defender ATP Alert REST API. c. Enter the Tenant ID for the credential created in Section 10.2. d. Password Config: for Manual, enter the Client ID and Client Secret for the credential created here. For CyberArk, see CyberArk Password Configuration. e. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers. f. Click Save. 4. Enter an IP Range to Credential Association: a. Set Hostname to wdatp-alertexporter-us.windows.com. b. Select the Credential created in step 3 above. c. Click Save. 5. Select the entry in step 4 and click Test Connectivity. If it succeeds, then the credential is correct. FortiSIEM 6.1.1 External Systems Configuration Guide 281 Fortinet Technologies Inc. Cloud Applications 6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Windows Defender Center using the REST API. To test for events received via Windows Defender ATP REST API: 1. Go to ADMIN > Setup > Pull Events. 2. Select the Windows Defender ATP entry and click Report. The system will take you to the Analytics tab and run a query to display the events received from Windows Defender Center in the last 15 minutes. You can modify the time interval to get more events. FortiSIEM 6.1.1 External Systems Configuration Guide 282 Fortinet Technologies Inc. Cloud Applications Okta FortiSIEM can integrate with Okta as a single-sign service for FortiSIEM users, discover Okta users and import them into the CMDB, and collect audit logs from Okta. See Setting Up External Authentication for information on configuring Okta to use as a single-sign on service, and Adding Users from Okta for discovering users and associating them with the Okta authentication profile. Once you have discovered Okta users, FortiSIEM will begin to monitor Okta events. l What is Discovered and Monitored l Configuration l Access Credentials in FortiSIEM l Sample Okta Event l Adding Users from Okta l Configuring Okta Authentication l Logging In to Okta l Setting Up External Authentication What is Discovered and Monitored Protocol Information Discovered Okta API Metrics Col- Used lected For Event Types In ADMIN > Device Support > Event, search for "okta" in the Device Type column to see the event types associated with this device. Configuration l In Okta Administartion -> Security -> API, create a Token. Note, tokens generated by this mechanism will have the permissions of the user who generated them. l Tokens are valid for 30 days and automatically refresh with each API call. Tokens that are not used for 30 days will expire. The token lifetime is currently fixed and cannot be changed. Access Credentials in FortiSIEM Setting Name Device Type Access Protocol Pull Interval Value <name> OKTA.com OKTA OKTA API 5 FortiSIEM 6.1.1 External Systems Configuration Guide 283 Fortinet Technologies Inc. Cloud Applications Setting Domain Security Token Organization Value The name of your OKTA domain The token that has been created in Okta Select an organization from the drop-down list. Sample Okta Event Mon Jul 21 15:50:26 2014 FortiSIEM-Okta [action/message]=Sign-in successful [action/objectType]=core.user_auth.login_success [action/requestUri]=/login/do-login [actors/0/displayName]=CHROME [actors/0/id]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 [actors/0/ipAddress]=211.144.207.10 [actors/0/login]=YaXin.Hu@accelops.com [actors/0/objectType]=Client [eventId]=tev-UlpTnWJRI2vXNRKTJHE4A1405928963000 [eventName]=USER-AUTH-LOGIN-SUCCESS [published]=2014-07-21T07:49:23.000Z [requestId]=U8zGA0zxVNXabfCeka9oGAAAA [sessionId]=s024bi4GPUkRaegPXuA1IFEDQ [targets/0/displayName]=a_name [targets/0/id]=00uvdkhrxcPNGYWISAGK [targets/0/login]=a_ name@doamin.com [targets/0/objectType]=User Adding Users from Okta l Create an Okta API Token l Create Login Credentials and Associate Them with an IP Address l Discover Okta Users Create an Okta API Token 1. Log in to Okta using your Okta credentials. 2. Got to Administration > Security > API Tokens. 3. Click Create Token. You will use this token when you set up the Okta login credentials in the next section. Note that this token will have the same permissions as the person who generated it. Create Login Credentials and Associate Them with an IP Address 1. Log in to your Supervisor node. 2. Go to ADMIN > Setup > Credentials. 3. Enter a Name. 4. For Device Type, select Okta.com. 5. For Access Protocol, select Okta API. 6. Enter the NetBIOS/Domain associated with your Okta account. For example, FortiSIEM.okta.com. 7. For Pull Interval, enter how often, in minutes, you want FortiSIEM to pull information from Okta. 8. Enter and reconfirm the Security Token you created. 9. Click Save. Your LDAP credentials will be added to the list of Credentials. FortiSIEM 6.1.1 External Systems Configuration Guide 284 Fortinet Technologies Inc. Cloud Applications 10. Under Enter IP Range to Credential Associations, click Add. 11. Select your Okta credentials from the list of Credentials. 12. Enter the IP range or host name for your Okta account. 13. Click OK. Your Okta credentials will appear in the list of credential/IP address associations. 14. Click Test Connectivity to make sure you can connect to the Okta server. Discover Okta Users If the number of users are less than 200, then Test Connectivity will discover all the users. Okta API has some restrictions that does not allow FortiSIEM to pull more than 200 users. In this case, follow these steps: 1. Login to Okta. 2. Download user list CSV file (OktaPasswordHealth.csv) from Admin > Reports > Okta Password Health. 3. Rename the CSV file to all_user_list_%s.csv (where %s is the placeholder of token obtained in Create an Okta API Token - Step 3, for example, all_user_list_00UbCrgrU9b1Uab0cHCuup-5h6Hi9ItokVDH8nRRT.csv). 4. Login to FortiSIEM Supervisor node: a. Upload csv file all_user_list_%s.csv to this directory /opt/phoenix/config/okta/ b. Make sure the permissions are admin and admin (Run "chown -R admin:admin /opt/phoenix/config/okta/") c. Go to ADMIN > Setup > Enter IP Range to Credential Associations. Select the Okta entry and run Test connectivity to import all users. Configuring Okta Authentication To use Okta authentication for your FortiSIEM deployment, you must set up a SAML 2.0 Application in Okta, and then use the certificate associated with that application when you configure external authentication. 1. Log in to Okta. 2. In the Applications tab, create a new application using Template SAML 2.0 App. 3. Under Settings, configure the settings similar to the table below: Post Back URL Application label Force Authentication Post Back URL Name ID Format Recipient Audience Restriction authnContextClassRef Response Post Back URL FortiSIEM Demo Enable https://<FortiSIEMIP>/phoenix/okta EmailAddress FortiSIEM Super PasswordProtectedTransport Signed FortiSIEM 6.1.1 External Systems Configuration Guide 285 Fortinet Technologies Inc. Cloud Applications Post Back URL Post Back URL Assertion Request Destination Signed Uncompressed https://<FortiSIEMIP>/phoenix/okta 4. Click Save. 5. In the Sign On tab, click View Setup Instructions. 6. Click Download Certificate. 7. Enter the downloaded certificate for Okta authentication. Logging In to Okta Follow these steps to log in to Okta from the Okta domain https://fortinetfsm.okta.com. You cannot log into Okta from the FortiSIEM UI. 1. Create a new Okta account from https://www.okta.com/ or log in to an existing account, using the domain fortinetfsm.okta.com. 2. Configure users for the account, for example, testone@fortinet.com, testtwo@fortinet.com, and so on. See Adding Users From Okta and Create Login Credentials and Associate Them with an IP Address. 3. Discover the Okta users to ensure that you have users to test. See Discover Okta Users. 4. Create a SAML authentication configuration from Okta based on the OKTA SAML 2.0 template. See Configuring Okta Authentication. 5. Associate the users (for example, testone@fortinet.com and testtwo@fortinet.com) to the external profile in CMDB > Users. 6. Log in to the Okta domain https://fortinetfsm.okta.com as one of the users you defined in Step 2. 7. Click the SAML configuration application in Okta (see Configuring Okta Authentication). You can now log in to Okta. Setting Up External Authentication You have three options for setting up external authentication for your FortiSIEM deployment LDAP, Radius, and Okta. Multiple Authentication Profiles If more than one authentication profile is associated with a user, then the servers will be contacted one-by-one until a connection to one of them is successful. Once a server has been contacted, if the authentication fails, the process ends, and the user is notified that the authentication failed. 1. Log in to your Supervisor node. 2. Go to Admin > General Settings > External Authentication. 3. Click Add. 4. If you are setting up authentication for an organization within a multi-tenant deployment, select the Organization. 5. Select the Protocol. 6. Complete the protocol settings. FortiSIEM 6.1.1 External Systems Configuration Guide 286 Fortinet Technologies Inc. Cloud Applications Protocol User-Defined Settings LDAP RADIUS Okta Access IP Select Set DN Pattern to open a text field in which you can enter the DN pattern if you want to override the discovered pattern, or you want to add a specific LDAP user. Access IP Shared Secret Select CHAP if you are using encrypted authentication to your RADIUS server. See also Juniper Networks Steel-Belted RADIUS. Certificate See Configuring Okta Authentication for more information. 7. Click Test, and then enter credentials associated with the protocol you selected to make sure users can authenticate to your deployment. FortiSIEM 6.1.1 External Systems Configuration Guide 287 Fortinet Technologies Inc. Cloud Applications Salesforce CRM Audit l What is Discovered and Monitored l Event Types l Reports l Configuration l Sample Events for Salesforce Audit What is Discovered and Monitored Protocol Salesforce API Logs Collected Successful/Failed Login, API Query Activity, Dashboard Activity, Opportunity Activity, Report Export Activity, Report Activity, Document Download Activity Used For Security Monitoring Event Types In ADMIN > Device Support > Event Types, search for "Salesforce Audit" in the Search field to see the event types associated with this device. Reports There are many reports defined in RESOURCES > Reports > Device > Application > CRM l Salesforce Failed Logon Activity l Salesforce Successful Logon Activity l Top Browsers By Failed Login Count l Top Browsers By Successful Login Count l Top Salesforce Users By Failed Login Count l Top Salesforce Users By Successful Login Count l Top Successful Salesforce REST API Queries By Count, Run Time l Top Failed Salesforce Failed REST API Queries By Count, Run Time l Top Salesforce API Queries By Count, Run Time l Top Salesforce Apex Executions By Count, Run Time l Top Salesforce Dashboards Views By Count l Top Salesforce Document Downloads By Count l Top Salesforce Opportunity Reports By Count l Top Salesforce Report Exports By Count l Top Salesforce Reports By Count, Run Time l Top Salesforce Events FortiSIEM 6.1.1 External Systems Configuration Guide 288 Fortinet Technologies Inc. Cloud Applications Configuration l Salesforce Configuration l Define Salesforce Audit Credential in FortiSIEM l Create IP Range to Credential Association and Test Connectivity Salesforce Configuration Salesforce saves events in a SQL Database, where FortiSIEM will pull the following events from tables: EventLogFile, LoginHistory,User, Dashboard, Opportunity, Report through SQL commands. If you get an error about missing columns, please make sure your administrator has enabled Set History Tracking for the missing columns in the tables. For more information on how to enable Set History Tracking, please refer to https://help.salesforce.com/articleView?id=sf.updating_picklists.htm&type=5 The required columns are listed in this table. Event EventLogFile LoginHistory Dashboard Opportunity Report User Required Columns Id, EventType, LogFile, LogDate, LogFileLength, LastModifiedDate, LastModifiedDate Id, UserId, LoginTime, Browser, Platform, Status, SourceIp, LoginTime , LoginTime Id, Description, DeveloperName, FolderName, Title, LastModifiedDate, LastModifiedDate LastModifiedDate Id, Amount, CloseDate, Name, OwnerId, Type, LastModifiedDate, LastModifiedDate, LastModifiedDate Id, Name Id, Username For example, if Type in Opportunity is not enabled in Set History Tracking, FortiSIEM will fail to get events in Opportunity. FortiSIEM 6.1.1 External Systems Configuration Guide 289 Fortinet Technologies Inc. Cloud Applications Define Salesforce Audit Credential in FortiSIEM Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node. 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. 1. b. Enter these settings in the Access Method Definition dialog box and click Save: Settings Name Device Type Access Protocol Pull Interval Timeout Password config User Name Password Security Token Description Description Enter a name for the credential Salesforce Salesforce Audit Salesforce API 5 minutes 30 seconds See Password Configuration User name for device access Password for device access Security token Description of the device. Create IP Range to Credential Association and Test Connectivity From the FortiSIEM Supervisor node, take the following steps (From ADMIN > Setup > Credentials). FortiSIEM 6.1.1 External Systems Configuration Guide 290 Fortinet Technologies Inc. Cloud Applications 1. In Step 2: Enter IP Range to Credential Associations, click New. a. Enter "login.salesforce.com" in the IP/Host Name field. b. Select the name of the credential created in the "Define Salesforce Audit Credential in FortiSIEM" from the Credentials drop-down list. c. Click Save. 2. Select the entry just created and click the Test drop-down list and select Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results. 3. Go to ADMIN > Setup > Pull Events and make sure an entry is created for Salesforce Audit Log Collection. Sample Events for Salesforce Audit [Salesforce_Activity_Perf]:[activityType]=API,[activityName]=get_user_info, [srcIpAddr]=23.23.13.166,[user]=huiping.hp@gmail.com,[deviceTime]=1458112097, [isSuccess]=false,[runTime]=31,[cpuTime]=9,[dbTime]=19434051,[infoURL]=Api FortiSIEM 6.1.1 External Systems Configuration Guide 291 Fortinet Technologies Inc. Console Access Devices FortiSIEM supports this console access device for discovery and monitoring. l Lantronix SLC Console Manager FortiSIEM 6.1.1 External Systems Configuration Guide 292 Fortinet Technologies Inc. Lantronix SLC Console Manager What is Discovered and Monitored Protocol Syslog Information discovered Metrics/Logs collected Admin access, Updates, Commands run Used for Log analysis and compliance Event Types Around 10 event types are generated by parsing Lantronix SLC logs. The complete list can be found in ADMIN > Device Support > Event by searching for Lantronix-SLC. Some important ones are: l Lantronix-SLC-RunCmd l Lantronix-SLC-Update l Lantronix-SLC-User-Logon-Success Configuration FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. Example Syslog <174>xmsd: gen/info-Syslog server changed to 10.4.3.37 <38>xwsd[32415]: auth/info-Web Authentication Success for user andbr003 FortiSIEM 6.1.1 External Systems Configuration Guide 293 Fortinet Technologies Inc. End Point Security Software The following anti-virus and host security (HIPS) applications are supported for discovery and monitoring by FortiSIEM. l Bit9 Security Platform l Carbon Black Security Platform l Cisco AMP Cloud V0 l Cisco AMP Cloud V1 l Cisco Security Agent (CSA) l CloudPassage Halo l CrowdStrike l Digital Guardian CodeGreen DLP l ESET NOD32 Anti-Virus l FortiClient l FortinetFortiEDR l Malwarebytes Endpoint Protection l McAfee ePolicy Orchestrator (ePO) l MobileIron Sentry and Connector l Netwrix Auditor l Palo Alto Traps Endpoint Security Manager l SentinelOne l Sophos Central l Sophos Endpoint Security and Control l Symantec Endpoint Protection l Symantec SEPM l Tanium Connect l Trend Micro Interscan Web Filter l Trend Micro Intrusion Defense Firewall (IDF) l Trend Micro OfficeScan FortiSIEM 6.1.1 External Systems Configuration Guide 294 Fortinet Technologies Inc. Bit9 Security Platform l What is Discovered and Monitored l Bit9 Configuration What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected Logs Used For Security Monitoring Event Types In ADMIN > Device Support > Event, search for "Bit9" in the Device Type columns to see the event types associated with this device. Rules l Bit9 Agent Uninstalled or File Tracking Disabled l Bit9 Fatal Errors l Blocked File Execution l Unapproved File Execution Reports l Bit9 Account Group Changes l Bit9 Fatal and Warnings Issues l Bit9 Functionality Stopped l Bit9 Security Configuration Downgrades Bit9 Configuration Syslog FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM on port 514. Sample Syslog <14>1 2015-04-06T16:24:02Z server1.foo.com - - - - Bit9 event: text="Server discovered new file 'c:\usersacct\appdata\local\temp\3cziegdd.dll' [361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f]." type="Discovery" FortiSIEM 6.1.1 External Systems Configuration Guide 295 Fortinet Technologies Inc. End Point Security Software subtype="New file on network" hostname="SVR123" username="SVR123\acct" date="4/6/2015 4:22:52 PM" ip_address="10.168.1.1" process="c:\abc\infrastructure\bin\scannerreset.exe" file_path="c:\users\acct\appdata\local\temp\3cziegdd.dll" file_name="3cziegdd.dll" file_ hash="361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f" installer_ name="csc.exe" policy="High Enforce" process_key="00000000-0000-1258-01d0-7085edb50080" server_version="7.2.0.1395" file_trust="-2" file_threat="-2" process_trust="-1" process_ threat="-1" FortiSIEM 6.1.1 External Systems Configuration Guide 296 Fortinet Technologies Inc. End Point Security Software Carbon Black Security Platform l What is Discovered and Monitored l Carbon Black Configuration What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected Logs Used For Security Monitoring Event Types In ADMIN > Device Support > Event, search for "Carbon Black" in the Device Type columns to see the event types associated with this device. Rules l Carbon Black Agent Uninstalled or File Tracking Disabled l Carbon Black Fatal Errors l Blocked File Execution l Unapproved File Execution Reports l Carbon Black Account Group Changes l Carbon Black Fatal and Warnings Issues l Carbon Black Functionality Stopped l Carbon Black Security Configuration Downgrades Carbon Black Configuration Syslog FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM on port 514. CEF formatted logs are also supported. Sample Syslog Standard Syslog: FortiSIEM 6.1.1 External Systems Configuration Guide 297 Fortinet Technologies Inc. End Point Security Software <14>1 2015-04-06T16:24:02Z server1.foo.com - - - - Carbon Black event: text="Server discovered new file 'c:\usersacct\appdata\local\temp\3cziegdd.dll' [361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f]." type="Discovery" subtype="New file on network" hostname="SVR123" username="SVR123\acct" date="4/6/2015 4:22:52 PM" ip_address="10.168.1.1" process="c:\abc\infrastructure\bin\scannerreset.exe" file_path="c:\users\acct\appdata\local\temp\3cziegdd.dll" file_name="3cziegdd.dll" file_ hash="361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f" installer_ name="csc.exe" policy="High Enforce" process_key="00000000-0000-1258-01d0-7085edb50080" server_version="7.2.0.1395" file_trust="-2" file_threat="-2" process_trust="-1" process_ threat="-1 CEF Formatted Syslog: <14>May 06 13:28:09 host1 CEF:0|Carbon Black|Protection|8.0.0.2562|809|Report write (custom rule)|4|externalId=649219 cat=Policy Enforcement start=May 06 13:27:41 UTC rt=May 06 13:28:02 UTC filePath=c:\\windows\\system32\\perfdisk.dll fname=perfdisk.dll fileHash=60b8a55c0f3228b18d918a3fd6684c401442f6447f2cec5dad9860a8c1d6462c fileId=39126 deviceProcessName="C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.14.17639.180410\\MsMDEV.exe" dst=172.30.31.13 dhost=EXAMPLE\\DC01 duser=NT AUTHORITY\\SYSTEM dvchost=cbprotection msg='c:\\windows\\system32\\perfdisk.dll' was created by 'NT AUTHORITY\\SYSTEM'. sproc=00000000-0000-15b8-01d3-dd191e70c6d3 cs1Label=rootHash cs1=e1c32fca51d86aad28c2dd13ec427eccd03f9d6900f8f1fe90b99f85550a8a98 cs2Label=installerFilename cs2=msi669d.tmp cs3Label=Policy cs3=Domain Controllers cs5Label=ruleName cs5=[File Integrity Monitoring] Changes to system files cfp1Label=fileTrust cfp1=10 flexString1Label=fileThreat flexString1=0 - Clean cfp2Label=processTrust cfp2=10 flexString2Label=processThreat flexString2=0 - Clean FortiSIEM 6.1.1 External Systems Configuration Guide 298 Fortinet Technologies Inc. End Point Security Software Cisco AMP Cloud V0 l What is Discovered and Monitored l Configuration l Sample Events What is Discovered and Monitored Protocol CloudAMP API Logs Collected End point malware activity Used For Security Monitoring Event Types In ADMIN > Device Support > Event, search for "Cisco FireAMP Cloud" in the Search column to see the event types associated with this device. Configuration l Configure Cisco AMP Cloud V0 l Create Credentials in FortiSIEM Configure Cisco AMP Cloud V0 1. Login in https://auth.amp.cisco.com/. 2. Click Accounts-> API Credentials. FortiSIEM 6.1.1 External Systems Configuration Guide 299 Fortinet Technologies Inc. End Point Security Software 3. Click New API Credential. 4. Input Application name and click Create. FortiSIEM 6.1.1 External Systems Configuration Guide 300 Fortinet Technologies Inc. End Point Security Software 5. Record the API Client ID and API key. You will need them in a later step. Create Credentials in FortiSIEM 1. Log in to the FortiSIEM Supervisor node. 2. Go to ADMIN> Setup > Credentials. 3. Click Add to create a new credential. 4. Set Device Type to Cisco FireAMP Cloud. 5. Set Password config to Manual. 6. Set Client ID to CiscoAMP Client ID. 7. Set Client Secret to CiscoAMP API Key. FortiSIEM 6.1.1 External Systems Configuration Guide 301 Fortinet Technologies Inc. End Point Security Software 8. Click Save. FortiSIEM 6.1.1 External Systems Configuration Guide 302 Fortinet Technologies Inc. End Point Security Software Test Connectivity and Event Pulling 1. Log in to the FortiSIEM Supervisor node. 2. Go to ADMIN> Setup > IP to Credential Mapping. 3. Click Add to create a new mapping. 4. For Name/IP/IP Range, enter api.amp.cisco.com. 5. For Credentials use the credentials you created in Create FireAMP credentials in FortiSIEM. 6. Click Save 7. Go to Admin > Credentials, select the credential, and run Test Connectivity. The result is a success. FortiSIEM 6.1.1 External Systems Configuration Guide 303 Fortinet Technologies Inc. End Point Security Software 8. Go to Admin > Pull Events. An entry will appear in the Event Pulling table. That means events are being pulled. FortiSIEM 6.1.1 External Systems Configuration Guide 304 Fortinet Technologies Inc. End Point Security Software 9. Go to the Analytics page to see the events. Sample Events [FireAMP_Cloud_Threat_Detected]:[eventSeverity]=PHL_CRITICAL, [connectorGUID]=12345, [date]=2015-11- 25T19:17:39+00:00,[detection]=W32.DFC.MalParent, [detectionId]=6159251516445163587,[eventId]=6159251516445163587, [eventType]=Threat Detected,[eventTypeId]=1090519054, [fileDispostion]=Malicious,[fileName]=rjtsbks.exe, [fileSHA256]=3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370, Cisco AMP Cloud V1 Cisco Advanced Malware Protection (AMP) for Endpoints is a lightweight connector that can use the public cloud or be deployed as a private cloud. l What is Discovered and Monitored l Event Types l Rules l Reports l Configure Cisco AMP Cloud V1 l Configure FortiSIEM l Sample Events FortiSIEM 6.1.1 External Systems Configuration Guide 305 Fortinet Technologies Inc. End Point Security Software What is Discovered and Monitored Protocol AMQP Information collected Global threat intelligence, advanced sand boxing, and real-time malware blocking. Used for Intrusion protection system Event Types In RESOURCES > Event Types, enter "Cisco AMP" in the Search column to see the event types associated with this device. Rules No defined rules. Reports No defined reports. Configure Cisco AMP Cloud V1 1. Log in to the Cisco AMP for Endpoints Portal as an administrator. 2. Click Accounts > API Credentials. 3. In the API Credentials pane, click New API Credential. FortiSIEM 6.1.1 External Systems Configuration Guide 306 Fortinet Technologies Inc. End Point Security Software 4. In the Application name field, enter a name, and then select Read & Write. Note: you must have Read & Write access to manage event streams on your Cisco AMP for Endpoints platform. 5. Click Create. 6. In the API Key Details section, make note of the values for the 3rd Party API Client ID and the API Key. You will need these values to manage queues. 7. Click Management > Group 8. In the Groups pane, click Create Group. FortiSIEM 6.1.1 External Systems Configuration Guide 307 Fortinet Technologies Inc. End Point Security Software 9. Enter the group name and click Save. 10. Enter the following curl command to get the group_guid of the group that is created in the previous step. curl -X GET -H 'accept: application/json' \ -H 'content-type: application/json' --compressed \ -H 'Accept-Encoding: gzip, deflate' \ -u <CLIENTID:APIKEY>\ 'https://api.amp.cisco.com/v1/groups' where: l <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6. l If you are in the Asia Pacific Japan and China (APJC) region, change https://api.amp.cisco.com/v1/event_streams to https://api.apjc.amp.cisco.com/v1/event_streams. l If you are in the European region, change https://api.amp.cisco.com/v1/event_streams to https://api.eu.amp.cisco.com/v1/event_streams. 11. Enter the following curl command to create a Cisco AMP event stream: curl -X POST -H 'accept: application/json' \ -H 'content-type: application/json' --compressed \ FortiSIEM 6.1.1 External Systems Configuration Guide 308 Fortinet Technologies Inc. End Point Security Software -H 'Accept-Encoding: gzip, deflate' \ -d '{"name":"<STREAM_NAME>", "group_guid":["<GUID>"]}' \ -u <CLIENTID:APIKEY> \ 'https://api.amp.cisco.com/v1/event_streams' where: l < STREAM_NAME > is the name of your choice for the event stream. l < GUID > is the group GUID that you want to use to link to the event stream in Step 10. l <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6. l If you are in the Asia Pacific Japan and China (APJC) region, change https://api.amp.cisco.com/v1/event_streams to https://api.apjc.amp.cisco.com/v1/event_streams. l If you are in the European region, change https://api.amp.cisco.com/v1/event_streams to https://api.eu.amp.cisco.com/v1/event_streams. 12. Enter the following curl command to get a summary of the information you need to get a CloudAMP V1 credential in FortiSIEM: curl -X POST -H 'accept: application/json' \ -H 'content-type: application/json' --compressed \ -H 'Accept-Encoding: gzip, deflate' \ -d '{"name":"meistream","group_guid":["34e483f4-85a8-412f-9997-07dd3f0c29ea"]}' \ -u a54c0f4c589d72e0c73e:14713974-eb93-420b-ad76-6e13943f87d4 \ 'https://api.amp.cisco.com/v1/event_streams' { "version": "v1.2.0", "metadata": { "links": { "self": "https://api.amp.cisco.com/v1/event_streams" } }, "data": { "id": 8849, "name": "meistream", "group_guids": [ "34e483f4-85a8-412f-9997-07dd3f0c29ea" ], "amqp_credentials": { "user_name": "8849-a54c0f4c589d72e0c73e", "queue_name": "event_stream_8849", "password": "e3298163b3c57e5e4e11ea1b571e85cc2ac45b55", "host": "export-streaming.amp.cisco.com", "port": "443", "proto": "https" } } } FortiSIEM 6.1.1 External Systems Configuration Guide 309 Fortinet Technologies Inc. End Point Security Software Configure ForitSIEM 1. In Admin > Setup > Credentials, create a Cisco CloudAMP Credential. 2. Click New and enter the following information: a. Set Device Type to Cisco AMP. b. Set Access Protocol to AMQP. c. Set Queue Name from queue-name in Step 12 in the previous section. d. Set User Name from user_name in Step 12 in the previous section. e. Set Password from password in Step 12 in the previous section. 3. Click Save. FortiSIEM 6.1.1 External Systems Configuration Guide 310 Fortinet Technologies Inc. End Point Security Software 4. Go to Admin > Setup > IP to Credential Mapping and create an association as follows. Click New and enter the following information: a. Set IP/Host Name to host in Step 12 in previous section. b. Choose Credential to the one created in Steps 1 to Step 3 in the previous section. c. Click Save. 5. Go to Admin > Credentials, select the credential, and run Test Connectivity. 6. If connectivity is successful, go to Admin > Pull Events. An entry will appear in the Event Pulling table. That means events are being pulled. Sample Events Events are in JSON format. [CiscoAMP-Update-Policy-Failure] {"id":6723137944535695384,"timestamp":1565352535,"timestamp_ nanoseconds":82000000,"date":"2019-08-09T12:08:55+00:00","event_type":"Policy Update Failure","event_type_id":2164260866,"connector_guid":"98be064e-2ba5-4482-84054a9268ae9f2e","group_guids":["3c025f05-a2c4-4613-9186-343365f53853"],"error":{"error_ code":3242196993,"description":"Unknown Error"},"computer":{"connector_guid":"98be064e2ba5-4482-8405-4a9268ae9f2e","hostname":"host1","external_ ip":"1.2.3.4","active":true,"network_addresses": [{"ip":"1.2.3.5","mac":"00:21:97:1e:1c:05"}],"links": {"computer":"https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-84054a9268ae9f2e","trajectory":"https://api.amp.cisco.com/v1/computers/98be064e-2ba5-44828405-4a9268ae9f2e/trajectory","group":"https://api.amp.cisco.com/v1/groups/3c025f05a2c4-4613-9186-343365f53853"}}} FortiSIEM 6.1.1 External Systems Configuration Guide 311 Fortinet Technologies Inc. End Point Security Software Cisco Security Agent (CSA) l What is Discovered and Monitored l Configuration l SNMP Trap What is Discovered and Monitored Protocol SNMP Trap Information Discovered Metrics Collected Rules FortiSIEM uses these rules to monitor events for this device: Rule Description Agent service control Attempts to modify agent configuration Agent UI control Attempts to modify agent UI default settings, security settings, configuration, contact information Application control Attempts to invoke processes in certain application classes Buffer overflow attacks Clipboard access Attempts to acccess clipboard data written by control sensitive data applications COM component access control Unusual attempts to access certain COM sets including Email objects Connection rate limit Excessive connections to web servers or from email clients Data access control Unusual attempts to access restricted data sets such as configuration files, password etc. by suspect applications File access control Unusual attempts to read or write restricted files sets such as system executables, boot files etc. by suspect applications Kernel protection Unusual attempts to modify kernel functionality by suspect applications Used For FortiSIEM 6.1.1 External Systems Configuration Guide 312 Fortinet Technologies Inc. End Point Security Software Rule Description Network access control Attempts to connect to local network services Network interface Attempts by local applications to open a stream control connection to the NIC driver Network shield Attacks based on bad IP/TCP/UDP/ICMP headers, port and host scans etc Windows event log Registry access control Attempts to write certain registry entries Resource access Symbolic link protection control Rootkit/kernel protection Unusual attempts to load files after boot Service restart Service restarts Sniffer and Attempts by packet/protocol sniffer to receive protocol detection packets Syslog control Syslog events System API control Attempts to access Windows Security Access Manager (SAM) Reports There are no predefined reports for Cisco Security Agent. Configuration SNMP Trap FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send send SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. Example SNMP Trap 2008-05-13 11:00:36 192.168.1.39 [192.168.1.39]:SNMPv2-MIB::sysUpTime.0 = Timeticks: (52695748) 6 days, 2:22:37.48 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2SMI::enterprises.8590.3.1 SNMPv2-SMI::enterprises.8590.2.1 = INTEGER: 619 SNMPv2SMI::enterprises.8590.2.2 = INTEGER: 261 SNMPv2-SMI::enterprises.8590.2.3 = STRING: "sjdevVwindb06.ProspectHills.net"SNMPv2-SMI::enterprises.8590.2.4 = STRING: "2008-0513 19:03:21.157" SNMPv2-SMI::enterprises.8590.2.5 = INTEGER: 5 SNMPv2SMI::enterprises.8590.2.6 = INTEGER: 452 SNMPv2-SMI::enterprises.8590.2.7 = STRING: "C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"SNMPv2-SMI::enterprises.8590.2.8 = NULL SNMPv2-SMI::enterprises.8590.2.9 = STRING: "192.168.20.38"SNMPv2SMI::enterprises.8590.2.10 = STRING: "192.168.1.39"SNMPv2-SMI::enterprises.8590.2.11 = FortiSIEM 6.1.1 External Systems Configuration Guide 313 Fortinet Technologies Inc. End Point Security Software STRING: "The process 'C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe' (as user NT AUTHORITY\\SYSTEM) attempted to accept a connection as a server on TCP port 5900 from 192.168.20.38 using interface Wired\\VMware Accelerated AMD PCNet Adapter. The operation was denied." SNMPv2-SMI::enterprises.8590.2.12 = INTEGER: 109 SNMPv2SMI::enterprises.8590.2.13 = STRING: "192.168.1.39" SNMPv2-SMI::enterprises.8590.2.14 = STRING: "W"SNMPv2-SMI::enterprises.8590.2.15 = INTEGER: 3959 SNMPv2SMI::enterprises.8590.2.16 = INTEGER: 5900 SNMPv2-SMI::enterprises.8590.2.17 = STRING: "Network access control"SNMPv2-SMI::enterprises.8590.2.18 = STRING: "Non CSA applications, server for TCP or UDP services"SNMPv2-SMI::enterprises.8590.2.19 = INTEGER: 33 SNMPv2-SMI::enterprises.8590.2.20 = STRING: "CSA MC Security Module"SNMPv2-SMI::enterprises.8590.2.21 = NULL SNMPv2-SMI::enterprises.8590.2.22 = STRING: "NT AUTHORITY\\SYSTEM"SNMPv2-SMI::enterprises.8590.2.23 = INTEGER: 2 FortiSIEM 6.1.1 External Systems Configuration Guide 314 Fortinet Technologies Inc. End Point Security Software CloudPassage Halo l Integration points l CloudPassage REST API Integration Integration points Protocol CloudPassage REST API Information collected Halo events over 110 event types including User login and account activity, server compliance and vulnerability status, server FIM and firewall policy modification etc. Used for Security and Compliance CloudPassage REST API Integration FortiSIEM can pull logs from CloudPassage Halo via CloudPassage REST API. Currently, over 110 CloudPassage event types are parsed. To see the event types: 1. Login to FortiSIEM. 2. Go to ADMIN > Resources > Event Types. 3. Search for 'CloudPassage-Halo'. Use cases covered via API: l User login to Halo and user account creation/deletion/modification activity l Vulnerable software package found and Compromised host detection l Server FIM, Firewall policy modification l Server account creation l Server login via ghostport Configuring CloudPassage Portal Create an API Key to be used for FortiSIEM communication. 1. Log in to your CloudPassage Halo portal. 2. Create an API Key and API Secret for use in FortiSIEM. Configuring FortiSIEM Use the API Key and Secret in previous step to enable FortiSIEM access. 1. Login to FortiSIEM. 2. Go to ADMIN > Setup > Credential. FortiSIEM 6.1.1 External Systems Configuration Guide 315 Fortinet Technologies Inc. End Point Security Software 3. Click New to create a CloudPassage Halo credential. a. Choose Device Type = CloudPassage Halo (Vendor = CloudPassage, Model = Halo). b. Choose Access Protocol = Halo REST API. c. Choose Pull Interval = 5 minutes. d. Password Configuration: for CyberArk and RAX_CustomerService, see Password Configuration. For Manual, see the following: i. Set API Key ID to API Key obtained from CloudPassage portal in Configuring CloudPassage Portal. ii. Set API Key Secret to API Secret obtained from from CloudPassage portal in Configuring CloudPassage Portal. e. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers. f. Click Save. 4. Enter an IP range to Credential Association. a. Set Hostname = api.cloudpassage.com b. Select the credential created in step 3. c. Click Save. 5. Select the entry in step 4 and click Test Connectivity. Once successful, an entry will be created in ADMIN > Setup > Pull Events. FortiSIEM will start to pull events from CloudPassage portal using the API. To test for received CloudPassage Halo events: 1. Go to ADMIN > Setup > Pull Events. 2. Select the CloudPassage entry and click Report. The system will take you to the Analytics tab and run a query to display the events received from CloudPassage in the last 15 minutes. You can modify the time interval to get more events. FortiSIEM 6.1.1 External Systems Configuration Guide 316 Fortinet Technologies Inc. End Point Security Software CrowdStrike Endpoint Security l Integration Points l Falcon Streaming API Integration l Falcon Data Replicator Integration Integration Points Protocol Falcon Streaming API Falcon Data Replicator Information Discovered Used For Detection Summary, Authentication Log, Detection Status Update, Security and Indicators of Compromise, Containment Audit Events, IP White-listing Compliance events, Sensor Grouping Events. Detection Summary, User Activity, Authentication Activity. Security and Compliance Falcon Streaming API Integration FortiSIEM can collect following types of events from CrowdStrike Cloud Service via Falcon Streaming API: l Detection Summary l Authentication Log l Detection Status Update l Customer Indicators of Compromise l Containment Audit Events l IP White-listing Events l Sensor Grouping Events CrowdStrike provides details about Falcon Streaming API here. To receive Crowdstrike security events via Falcon Streaming API, follow these two steps: 1. Configure Crowdstrike Service for Falcon Streaming API. 2. Configure FortiSIEM for Falcon Streaming API Based Access. Configure CrowdStrike Service for Falcon Streaming API Create an account to be used for FortiSIEM communication: 1. Login to CrowdStrike as Falcon Customer Admin. 2. Go to Support App > Key page. 3. Click Reset API Key. Copy the API key and UUID for safe keeping. Note that your API key and UUID are assigned one pair per customer account, not one pair per user. Thus, if you generate a new API key, you may be affecting existing applications in your environment. Configure FortiSIEM for Falcon Streaming API Based Access Use the account in previous step to enable FortiSIEM access. FortiSIEM 6.1.1 External Systems Configuration Guide 317 Fortinet Technologies Inc. End Point Security Software 1. Login to FortiSIEM. 2. Go to ADMIN > Setup > Credential. 3. Click New to create CrowdStrike Falcon credential. a. Choose Device Type = CrowdStrike Falcon (Vendor = CrowdStrike, Model = Falcon). b. Choose Access Protocol = Falcon Streaming API. c. Choose UUID and API Key Secret for the credential created while Configuring CrowdStrike Service for Falcon Streaming API. d. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers. e. Click Save. 4. Enter an IP Range to Credential Association. a. Set Hostname to firehose.crowdstrike.com. b. Select the Credential created in step 3. c. Click Save. 5. Select the entry in step 4 and click Test Connectivity and make sure Test Connectivity succeeds, implying that the credential is correct. 6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from CrowdStrike Cloud Service using the Falcon Streaming API. To test for events received via CrowdStrike Streaming API: 1. Go to ADMIN > Setup > Pull Events. 2. Select the CrowdStrike Streaming API entry and click Report. The system will take you to the Analytics tab and run a query to display the events received from CrowdStrike Cloud Service in the last 15 minutes. You can modify the time interval to get more events. Falcon Data Replicator Integration FortiSIEM can collect following types of events from CrowdStrike Cloud Service via Falcon Data Replicator method: l Detection Summary Events l User Activity Audit Events l Auth Activity Audit Events CrowdStrike provides details about Data Replicator method here. To receive Crowdstrike security events via Falcon Data Replication Integration, follow these two steps: 1. Obtain AWS Credentials from Crowdstrike. 2. Configure FortiSIEM for Falcon Data Replicator. Obtain AWS Credentials from CrowdStrike Contact CrowdStrike to obtain AWS credentials for pulling CrowdStrike logs from AWS. 1. Generate a GPG key pair in ASCII format. 2. Send the public part of the GPG key to support@crowdstrike.com. 3. CrowdStrike will encrypt the API key with your public key and send you the encrypted API key. You can decrypt using your private GPG key. 4. CrowdStrike Support will also provide you an SQS Queue URL. Credentials obtained in steps 3 and 4 above will be used in the next step. FortiSIEM 6.1.1 External Systems Configuration Guide 318 Fortinet Technologies Inc. End Point Security Software Configure FortiSIEM for Falcon Data Replicator Use the credentials in previous step to enable FortiSIEM access. 1. Login to FortiSIEM. 2. Go to ADMIN > Setup > Credentials. 3. In Step 1: Enter Credentials, click New to create CrowdStrike Falcon Data Replicator credential. a. Choose Device Type = CrowdStrike Falcon (Vendor = CrowdStrike, Model = Falcon). b. Choose Access Protocol = CrowdStrike Falcon Data Replicator. c. Enter the Region where the instance is located. d. Enter SQS Queue URL from here. e. Password Config: see Password Configuration. f. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers. g. Click Save. 4. In Step 2: Enter IP Range to Credential Associations, click New. a. Get the Hostname from the SQL Queue URL. For example, for Queue URL: https://us-west-1.queue.amazonaws.com/754656674199/cs-prod-cannon-queued5836cd3792ece8f set host name to us-west-1.queue.amazonaws.com. b. Select the Credential created in step 3 above. c. Click Save. 5. Select the entry in step 4, click the Test drop-down list, and select Test Connectivity. If the test succeeds, then the credential is correct. 6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from CrowdStrike Cloud Service using the Falcon Streaming API. To test for events received via CrowdStrike Falcon Data Replicator: 1. Go to ADMIN > Setup > Pull Events. 2. Select the CrowdStrike Falcon Data Replicator entry and click Report. The system will take you to the Analytics tab and run a query to display the events received from CrowdStrike Cloud Service in the last 15 minutes. You can modify the time interval to get more events. FortiSIEM 6.1.1 External Systems Configuration Guide 319 Fortinet Technologies Inc. End Point Security Software Digital Guardian CodeGreen DLP l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration l Sample Event What is Discovered and Monitored Protocol Syslog (CEF format) Information Discovered - Data Collected 1 event type Used for Security and Compliance Event Types In RESOURCE > Event Types, Search for "CodeGreen-". Rules There are no specific rules, but generic rules for Data Leak Protection apply. Reports There are no specific reports, but generic rules for Data Leak Protection and Generic Servers apply. Configuration Configure Digital Guardian Code Green DLP to send syslog on port 514 to FortiSIEM. Sample Event <10>1 2017-05-11T12:08:06.380Z ABC-Manager DLP - INCADD incident_id="1.12815.1" managed_ device_id="1" number_of_incidents="1" incident_status="New,Audit Only" matched_policies_by_ severity="High:C_PHI_MRN / C_MRN_>25;" action_taken="NET_NS_H" matches="55" protocol="SMTP" http_url="" inspected_document="Milla_9.16-4.17__UPDATED.XLSX" source="abc@cda.org" source_ ip="1.1.1.1" source_port="21752" destination="abc@bcd.edu" destination_ip="2.2.2.2" destination_port="25" email_subject="RE: Open Encounters" email_sender="abc@cde.org" email_ recipients="abc@bcd.edu;" timestamp="2017-05-11 12:06:09 PDT" incidents_ url=https://aaa.lpch.net/LoadIncidentManagement.do?m=1&id=1,27372 FortiSIEM 6.1.1 External Systems Configuration Guide 320 Fortinet Technologies Inc. End Point Security Software ESET NOD32 Anti-Virus l What is Discovered and Monitored l ESET NOD32 Configuration What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected Used For ESET NOD32 Configuration Syslog FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. l For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM Supervisor. l For Port, enter 514. l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example. Example Syslog <35313912>Jul 26 18:06:12 LMHCAPEAV01 ERA Server: [2011-07-26 13:06:12.784] V5 [4e2f02148110] [00000e9c] <SESSION_INFO> Kernel connection from 10.0.52.25:48071 accepted <35313864>Jul 26 18:06:13 LMHCAPEAV01 ERA Server: [2011-07-26 13:06:13.221] V5 [4e2f02148110] [00000e9c] <SESSION_INFO> Kernel connection from 10.0.52.25:48071 closed (code 0,took 438ms, name 'Lmhathnsmt01', mac '00-1E-4F-E8-49-03', product 'ESET NOD32 Antivirus BUSINESS EDITION', product version '04.00002.00071', virus signature db version '63(20110726)') FortiSIEM 6.1.1 External Systems Configuration Guide 321 Fortinet Technologies Inc. End Point Security Software FortiClient l What is Discovered and Monitored l Configuration l Access Credentials for FortiSIEM l Sample Events What is Discovered and Monitored Protocol Syslog via FortiAnalyzer (FortiClient > FortiAnalyzer -> FortiSIEM) Information Discovered Metrics Collected Traffic logs (IPSec, VPN, File Cleaning/Blocking) Event logs (Antivirus, Web Filter, Vulnerability Scan, Application Firewall, VPN, WAN Optimization, Update logs) Note: FortiSIEM collects logs from FortiAnalyzer (FAZ). Used For Security Monitoring and Log analysis Event Types Search for 'FortiClient' to see the event types associated with this device under RESOURCES > Event Types. Rules There are generic rules that trigger for this device as event types are mapped to specific event type groups. Reports Generic reports are written for this device as event types are mapped to specific event type groups. Configuration 1. Configure FortiClient to send events to FAZ. 2. Configure FAZ to send events to FortiSIEM: a. Login to FAZ. b. Go to System Settings > Advanced > Syslog Server. c. Click Create New. d. Enter the Name. It is recommended to use the name of the FortiSIEM Supervisor node. e. Set the IP address (or FQDN) field to the IP or a fully qualified name of the FortiSIEM node that would parse the log (most likely Collector or Worker/Supervisor). f. Retain the Syslog Server Port default value '514'. g. Click OK to save your entries. FortiSIEM 6.1.1 External Systems Configuration Guide 322 Fortinet Technologies Inc. End Point Security Software h. Go to System Settings > Dashboard > CLI Console. i. Type the following in the CLI Console for: l FAZ 5.1 and older: config system aggregation-client edit 1 (or the number for your FSM syslog entry) set fwd-log-source-ip original_ip end l FAZ 5.6 and newer: config system log-forward edit 1 (or the number for your FSM syslog entry) set fwd-log-source-ip original_ip end j. Go to System Settings > Log Forwarding. k. Click Create New. l. Enter the Name. m. Select 'Syslog' as Remote Server Type. n. Enter the Server IP with the IP of the FortiSIEM Server/Collector. o. Retain the Server Port default value '514'. p. Set Reliable Connection to the default value 'Off'. Note: Setting this to 'On' will make every log sent from FAZ appear with FAZ's IP and NOT that of the firewall (s). In addition, your network must allow UDP connection between FAZ and FortiSIEM Collector. Otherwise, the logs will not reach the Collector. q. Optional Use Log Forwarding Filters to select specific devices you want to forward log for. 3. Follow the steps below to validate that logs are properly flowing from FAZ to FortiSIEM: a. Login to FortiSIEM. b. Click ANALYTICS tab and use the filter to perform a real-time search: i. Click on the Attribute field to select 'Reporting IP' from the list or enter the same in the field to search. ii. Select '=' Operator. iii. In the Value field, enter the name of the Fortinet devices from where logs are expected. Note: This is NOT the IP address of the FAZ but of an original source device, like a FortiGate Firewall. To ensure that everything is being sent/received correctly, you can use multiple IPs. You will now see events from one, to numerous, source device(s), even though they are all forwarded from a single FAZ device. You can also check CMDB > Devices to see whether the devices are appearing within CMDB. Note: The Relaying IP value in FortiSIEM will not show the IP address of the FAZ but that of the original device which sent the logs to FAZ. All the device logs appear within FortiSIEM without configuring numerous devices individually. Access Credentials for FortiSIEM Setting Name Device Type Access Protocol Value <name> Fortinet FortiClient WMI FortiSIEM 6.1.1 External Systems Configuration Guide 323 Fortinet Technologies Inc. End Point Security Software Setting Pull Interval NetBIOS/Domain Password config Value 1 minute The NetBIOS name of servers or domain name See Password Configuration Sample Events Traffic Log <116> device=FCTEMS0000000001 severity=medium from=FAZVM64(FAZ-VM0000000001) trigger=EVT2SIEM log="itime=1489562233 date=2017-03-15 time=00:17:13 logver=2 type=traffic sessionid=N/A hostname=hostname.local uid=1000000000 devid=FCT8000000000008 fgtserial=FCTEMS0000000005 level=warning regip=10.1.1.1 srcname="Opera" srcproduct=N/A srcip=10.1.1.3 srcport=18398 direction=outbound dstip=10.0.0.4 remotename="aa.com" dstport=20480 user="bb.lee" service=http proto=6 rcvdbyte=N/A sentbyte=N/A utmaction=blocked utmevent=webfilter threat="Gambling" vd=root fctver=1.2.1.1 os="Mac OS X 1.1.1" usingpolicy=N/A url=/ userinitiated=0 browsetime=N/A" ET---> FortiClient-traffic-blocked Event Log <116> device=FCTEMS0036759495 severity=medium from=FAZVM64(FAZ-VM0000000001) trigger=EVT2SIEM1 log="itime=1490237155 date=2017-03-22 time=19:45:55 logver=2 level=info uid=C4C4E56CE7B04762B053E8F88B8ECF47 vd=root fctver=5.4.2.0862 os="Microsoft Windows Server 2012 R2 Standard Edition, 64-bit (build 9600)" usingpolicy=AOFCT fgtserial=N/A emsserial=FCTEMS0036759495 devid=FCT8003883203338 hostname=sjcitvwfct01 pcdomain=accelops.net clientfeature=endpoint deviceip=devicemac=N/A type=event user=N/A id=96953 msg="Endpoint Control Status changed - Offline"" FortiSIEM 6.1.1 External Systems Configuration Guide 324 Fortinet Technologies Inc. End Point Security Software Fortinet FortiEDR l Integration Points l Configuration l Settings for Access Credentials l Sample Events Integration Points Method Syslog Information discovered Metrics collected Host name, Reporting None IP LOGs collected System and Security Events (e.g., file blocked) Used for Security monitoring Event Types In ADMIN > Device Support > Event, Search for "FortiEDR" to see the event types associated with this device. Rules No specific rules are written for FortiEDR but generic end point rules apply Reports No specific reports are written for FortiEDR but generic end point rules apply Configuration Configure FortiEDR system to send logs to FortiSIEM in the supported format (see Sample events below) Settings for Access Credentials None required Sample Events <133>1 2019-09-18T06:42:18.000Z 1.1.1.1 enSilo - - - Organization: Demo;Organization ID: 156646;Event ID: 458478; Raw Data ID: 1270886879;Device Name: WIN10-VICTIM;Operating System: Windows 10 Pro N; Process Name: svchost.exe;Process Path: \Device\HarddiskVolume4\Windows\System32\svchost.exe; Process Type: 64bit;Severity: Critical;Classification: Suspicious;Destination: File Creation; FortiSIEM 6.1.1 External Systems Configuration Guide 325 Fortinet Technologies Inc. End Point Security Software First Seen: 18-Sep-2019, 02:42:18;Last Seen: 18-Sep-2019, 02:42:18;Action: Blocked;Count: 1; Certificate: yes;Rules List: File Encryptor - Suspicious file modification;Users: WIN10-VICTIM\U; MAC Address: 00-0C-29-D4-75-EC;Script: N/A;Script Path: N/A;Autonomous System: N/A;Country: N/A FortiSIEM 6.1.1 External Systems Configuration Guide 326 Fortinet Technologies Inc. End Point Security Software Malwarebytes Endpoint Protection l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected Malware detection log Used For Security Monitoring Event Types In ADMIN > Device Support > Event, search for "malwarebytes" to see the event types associated with this device. Rules Malware found but not remediated. Reports In RESOURCE > Reports, search for "malware found" to see the reports associated with this device. Configuration Syslog FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM on port 514. Sample Syslog: <45>1 2016-09-23T14:40:35.82-06:00 reportDeviceName Malwarebytes-Endpoint-Security 1552 - {"security_log":{"client_id":"ef5f8fc8-ad0e-46f8-b6d7-1a85d5f73e64","host_name":"Abccbd","domain":"abc.com","mac_address":"FF-FF-FF-FF-FF","ip_ address":"10.1.1.1","time":"2016-09-23T14:40:14","threat_level":"Moderate","object_ type":"FileSystem","object":"HKLM\\SOFTWARE\\POLICIES\\GOOGLE\\UPDATE","threat_ name":"PUM.Optional.DisableChromeUpdates","action":"Quarantine","operation":"QUARANTINE"," resolved":true,"logon_user":"dsamuels","data":"data","description":"No description","source":"MBAM","payload":null,"payload_url":null,"payload_ process":null,"application_path":null,"application":null}} FortiSIEM 6.1.1 External Systems Configuration Guide 327 Fortinet Technologies Inc. End Point Security Software McAfee ePolicy Orchestrator (ePO) l What is Discovered and Monitored l Event Types l Configuration l Sample Access Protection Violation detected SNMP Trap What is Discovered and Monitored Protocol SNMP Traps Information Discovered Metrics Collected Used For Event Types In ADMIN > Device Support > Event Types, search for "mcafee epolicy" to see the event types associated with this application or device. Configuration FortiSIEM processes events via SNMP traps sent by the device. Follow the below procedures to configure McAfee ePO to send Threat based SNMP traps to FortiSIEM. Step 1: Configuring SNMP Server to send Traps from McAfee ePO. FortiSIEM processes events from a device via SNMP traps sent by the device. 1. Log in to the McAfee ePO web console. 2. Go to Main Menu > Configuration > Registered Servers, and click New Server. The Registered Server Builder opens. FortiSIEM 6.1.1 External Systems Configuration Guide 328 Fortinet Technologies Inc. End Point Security Software 3. For Server type, select SNMP Server. 4. For Name, enter the IP address of your SNMP server. 5. Enter any Notes, and click Next to go to the Details page. 6. For Address, select IP4 from the drop-down and enter the IP/DNS Name for the FortiSIEM virtual appliance and SNMP that will receive the SNMP trap. 7. For SNMP Version, select SNMPv1. 8. For Community, enter public. Note: The community string entered here would not be used in FortiSIEM as FortiSIEM accepts traps from McAfee ePO without any configuration. 9. Click Send Test Trap, and then click Save. 10. Log in to your Supervisor node and use Real Time Search to see if FortiSIEM received the trap. Without any configuration on FortiSIEM, the traps are received under Real time/Historical Analytics. (Search using 'Reporting IP' as McAfee ePO's IP.) FortiSIEM 6.1.1 External Systems Configuration Guide 329 Fortinet Technologies Inc. End Point Security Software Step 2: Configuring "Automatic Response" By default, McAfee ePO does not send SNMP Trap alerts for the events that occur. This must be configured. 1. Go to Main Menu > Automation > Automatic Response. 2. By default, there are a few Automatic Response configured, but are in a disabled state. 3. Click on New Response button. 4. Enter a Name for the 'Response'. 5. Set Status as 'Enabled' and click Next. 6. Click the Ellipsis icon and select the top level under Select System Tree Group and click OK. 7. On the left side of the same screen, select Threat Handled. Sample Access Protection Violation detected SNMP Trap 2017-05-30 16:24:27 192.168.100.205TRAP, SNMP v1, community fortisiem SNMPv2SMI::enterprises.3401.12.2.1.1 Enterprise Specific Trap (101) Uptime: 3:56:08.15 SNMPv2- SMI::enterprises.3401.12.2.1.1.5.7 = STRING: "Threat_Trigger_Rule"SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.30 = STRING: "58F5DD64- 43C5-11E7-0584-000C29219964" SNMPv2- SMI::enterprises.3401.12.2.1.1.5.2.360 = STRING: "My Organization" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.20 = STRING: "05/30/17 13:20:24 UTC" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.50 = STRING: "ENDP_AM_1050" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.510 = "" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.510 = STRING: "Access Protection" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.520 = "" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.70 = STRING: "WIN2012- SKULLC" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.90 = STRING: "192.168.100.205" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.80 = STRING: "192.168.100.205" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.500 = STRING: "000c29219964" SNMPv2- FortiSIEM 6.1.1 External Systems Configuration Guide 330 Fortinet Technologies Inc. End Point Security Software SMI::enterprises.3401.12.2.1.1.5.2.50 = STRING: "McAfee Endpoint Security"SNMPv2SMI::enterprises.3401.12.2.1.1.6.0.00 = STRING: "10.5.0" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.370 = STRING: "Access Protection rule violation detected and NOT blocked" SNMPv2-SMI::enterprises.3401.12.2.1.1.5.6 = STRING: "Threat" SNMPv2-SMI::enterprises.3401.12.2.1.1.5.1 = INTEGER: 1 SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.390 = STRING: "Server" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.380 = STRING: "Windows Server 2012 R2" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.50 = STRING: "05/30/17 13:24:05 UTC" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.530 = "" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.550 = STRING: "192.168.100.205" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.540 = STRING: "192.168.100.205" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.560 = "" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.580 = STRING: "FIREFOX.EXE" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.590 = "" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.570 = STRING: "WIN2012-SKULLC\Administrator" SNMPv2- SMI::enterprises.3401.12.2.1.1.5.2.500 = STRING: "GlobalRoot\Directory\My Group"SNMPv2- SMI::enterprises.3401.12.2.1.1.5.2.280 = STRING: "C:\USERS\ADMINISTRATOR\DOWNLOADS\V3_2994DAT.EXE" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.200 = STRING: "WIN2012- SkullC" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.220 = STRING: "192.168.100.205" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.210 = STRING: "192.168.100.205" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.230 = "" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.250 = STRING: "0" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.270 = "" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.260 = "" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.240 = STRING: "SYSTEM" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.340 = STRING: "IDS_ACTION_WOULD_BLOCK" SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.290 = STRING: "'File' class or access"SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.300 = STRING: "1095"SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.350 = STRING: "True"SNMPv2SMI::enterprises.3401.12.2.1.1.5.2.320 = STRING: "Browsers launching files from the Downloaded Program Files folder"SNMPv2- SMI::enterprises.3401.12.2.1.1.5.2.310 = STRING: "Critical" SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.330 = STRING: "Access Protection" FortiSIEM 6.1.1 External Systems Configuration Guide 331 Fortinet Technologies Inc. End Point Security Software MobileIron Sentry and Connector l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration l Sample Events What is Discovered and Monitored Protocol Syslog Information Discovered Host name and Device Type from LOG Metrics/LOG collected Over 14 types of security logs Used for Security and Compliance Event Types Go to Admin > Device Type > Event Types and search for "MobileIron-". Rules None Reports None Configuration Configure MobileIron to send syslog in the supported format to FortiSIEM. No configuration is required in FortiSIEM. Sample Events Apr 3 04:16:51 mobile-apptunnel.xxxxx.com mi: PRODUCT=Sentry_9.4.0_4,2019 Apr 3 04:16:48 WARN (Device=bc7b8d61-b003-49e6-9ef5-76ee5bebd6d9, DeviceIPPort=10.1.1.1:60995, User=Username2, Command=POST, Server=25678:domain3.local, Service=Traveler) (AlertOrigin=Sentry, AlertId=HTTP503) Got exception during device-to-server processing, Sentry reporting error to client:java.net.SocketTimeoutException: Read timed out FortiSIEM 6.1.1 External Systems Configuration Guide 332 Fortinet Technologies Inc. End Point Security Software Netwrix Auditor (via Correlog Windows Agent) l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration l Sample Events What is Discovered and Monitored Protocol Via Correlog Windows Agent Information Discovered Metrics/LOG collected Host name and Device Type from 2 Security logs LOG Used for Security and Compliance monitoring Event Types Go to Admin > Device Type > Event Types and search for "Netwrix_Auditor_". Rules None Reports None Configuration Configure Netwrix Auditor to send logs to Correlog Windows Agent. FortiSIEM will automatically parse the logs as long as they appear in the format below. Sample Events <158>2018 Jul 27 07:20:36 CorreLog_Win_Agent ACME-NETWRIX Netwrix_Auditor_Integration 0: Netwrix_Auditor_Integration_API: DataSource : Windows Server Action : Removed Message: Removed DNS A Where : ACME-DC02 ObjectType : DNS A Who : system What : DNS Server\SACDC02\acmegroup.local\ACME-TRADE08 IN A 10.150.90.180 1200 When : 2018-07-27T14:15:43Z Details : IP Address: 10.150.90.180, TTL: 1200, Container name: acmegroup.local, Owner name: acmegroup.local - FortiSIEM 6.1.1 External Systems Configuration Guide 333 Fortinet Technologies Inc. End Point Security Software Palo Alto Traps Endpoint Security Manager l What is Discovered and Monitored l Event Types l Configuration What is Discovered and Monitored Protocol Syslog (CEF format) Information Discovered - Data Collected Over 150 event types Used for Security and Compliance Event Types In RESOURCE > Event Types, Search for "PAN-TrapsESM". Sample Event Type: Sep 28 2016 17:38:48 172.16.183.173 CEF:0|Palo Alto Networks|Traps Agent|3.4.1.16709|Traps Service Status Change|Agent|6|rt=Sep 28 2016 17:38:48 dhost=traps-win7x86 duser=Traps msg=Agent Service Status Changed: Stopped-> Running Sep 28 2016 17:42:04 ESM CEF:0|Palo Alto Networks|Traps ESM|3.4.1.16709|Role Edited|Config|3|rt=Sep 28 2016 17:42:04 shost=ESM suser=administrator msg=Role TechWriter was added\changed Configuration Configure Palo Alto Traps Endpoint Security Manager to send syslog on port 514 to FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 334 Fortinet Technologies Inc. End Point Security Software SentinelOne l Integration Points l Event Types l Rules l Reports l Configuration l Settings for Access Credentials l Sample Events Integration Points Method Syslog Information Discovered Metrics Collected Host name, Reporting None IP Logs Collected Used for System and Security Events (e.g., file blocked) Security monitoring Event Types In ADMIN > Device Support > Event, Search for "SentinelOne" to see the event types associated with this device. Rules No specific rules are written for SentinelOne but generic end point rules apply. Reports No specific reports are written for SentinelOne but generic end point rules apply. Configuration Configure SentinelOne system to send logs to FortiSIEM in the supported format (see Sample Events). Settings for Access Credentials None required. Sample Events <14>CEF:0|SentinelOne|Mgmt|Windows 7|21|Threat marked as resolved|1|rt=Jun 05 2017 09:29:17 uuid=586e7cc578207a3f75361073 FortiSIEM 6.1.1 External Systems Configuration Guide 335 Fortinet Technologies Inc. End Point Security Software fileHash=4b9c5fe8ead300a0be2dbdbcdbd193591451c8b4 filePath=\Device\HarddiskVolume2\Windows\AutoKMS\AutoKMS.exe <14>CEF:0|SentinelOne|Mgmt|1.1.1.1|65|user initiated a fetch full report command to the agent DT-Virus7|1|rt=#arcsightDate(Jun 06 2017 09:29:17) suser=xyz duid=c29ca0cee8a0a989321495b78b1d256ab7189144 cat=SystemEvent FortiSIEM 6.1.1 External Systems Configuration Guide 336 Fortinet Technologies Inc. End Point Security Software Sophos Central l Integration points l Configuring Sophos Central for API Access l Configuring FortiSIEM for Sophos Central for API Access l Parsing and Events Integration points Protocol Sophos Central API Information Discovered Endpoint suspicious activity detected by Sophos agent Used For Security and Compliance Configuring Sophos Central for API Access Sophos provides ample documentation here. 1. Login to Sophos Central Website. 2. Go to Global Settings > API Token Management. Click Add Token. The Token will display. 3. Note the following information for later use: a. Get Host Name from API Access URL (part after https://). b. Get Authorization from API Access URL + Headers (part after Authorization:Basic). c. Get API Key from Headers (part between x-api-key: and Authorization Basic). Configuring FortiSIEM for Sophos Central for API Access Use the account in previous step to enable FortiSIEM access. 1. Login to FortiSIEM. 2. Go to ADMIN > Setup > Credential. 3. Click New to create Sophos Central credential: a. Choose Device Type = Sophos Central. b. Choose Access Protocol = Sophos Central API. c. Enter Authorization created in the previous section - step 3b above. d. Keep User Name empty. e. Leave the URI field empty. FortiSIEM will use gateway/siem/v1/events. f. Enter API Key created in the previous section - step 3c. g. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers. h. Click Save. 4. Enter an IP Range to Credential Association. a. Enter Hostname created here - step 3a. b. Select the Credential created here - step 3. FortiSIEM 6.1.1 External Systems Configuration Guide 337 Fortinet Technologies Inc. End Point Security Software c. Click Save. 5. Select the entry in step 4 and click Test > Test Connectivity. If it succeeds, then the credential is correct. 6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Sophos Central using the Sophos Central API. To test for events received via Windows Defender ATP REST API: 1. Go to ADMIN > Setup > Pull Events. 2. Select the Windows Defender ATP entry and click Report. The system will take you to the Analytics tab and run a query to display the events received from Sophos Central in the last 15 minutes. You can modify the time interval to get more events. Parsing and Events Over 20 events are parsed see event types in Resources > Event Types and search for 'Sophos-Central'. FortiSIEM 6.1.1 External Systems Configuration Guide 338 Fortinet Technologies Inc. End Point Security Software Sophos Endpoint Security and Control l What is Discovered and Monitored l Sophos Configuration What is Discovered and Monitored Protocol SNMP Trap Information Discovered Metrics Collected Used For Event Types In ADMIN > Device Support > Event, search for "sophos endpoint" in the Device Type column to see the event types associated with this application or device. Sophos Configuration SNMP Trap FortiSIEM processes Sophos Endpoint control events via SNMP traps sent from the management console. Configure the management console to send SNMP traps to FortiSIEM, and the system will automatically recognize the messages. SNMP Traps are configured within the Sophos policies. 1. In the Policies pane, double-click the policy you want to change. 2. In the policy dialog, in the Configure panel, click Messaging. 3. In the Messaging dialog, go to the SNMP messaging tab and select Enable SNMP messaging. 4. In the Messages to send panel, select the types of event for which you want Sophos Endpoint Security and Control to send SNMP messages. 5. In the SNMP trap destination field, enter the IP address of the recipient. 6. In the SNMP community name field, enter the SNMP community name. Sample SNMP Trap 2011-05-03 18:22:32 172.15.30.8(via UDP: [172.15.30.8]:1216) TRAP, SNMP v1, community public SNMPv2-SMI::enterprises.2604.2.1.1.1 Enterprise Specific Trap (1) Uptime: 5:59:55.31 SNMPv2-SMI::enterprises.2604.2.1.1.2.1.1 = STRING: "File \"C:\WINDOWS\system32\LDPackage.dll\" belongs to virus/spyware 'Mal/Generic-S'."SNMPv2SMI::enterprises.2604.2.1.1.2.2.2 = STRING: "9.5.5" FortiSIEM 6.1.1 External Systems Configuration Guide 339 Fortinet Technologies Inc. End Point Security Software Symantec Endpoint Protection l What is Discovered and Monitored l Symantec Endpoint Protection Configuration What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected Logs Used For Security Monitoring Event Types In ADMIN > Device Support > Event, search for "symantec endpoint" in the Device Type and Description columns to see the event types associated with this device. Symantec Endpoint Protection Configuration Syslog FortiSIEM processes events from this device via syslog sent by the device. Configuring Log Transmission to FortiSIEM 1. Log in to Symantec Endpoint Protection Manager. 2. Go to Admin> Configure External Logging > Servers > General. 3. Select Enable Transmission of Logs to a Syslog Server. 4. For Syslog Server, enter the IP address of the FortiSIEM virtual appliance. 5. For UDP Destination Port, enter 514. Configuring the Types of Logs to Send to FortiSIEM 1. Go to Admin> Configure External Logging > Servers > Log Filter. 2. Select the types of logs and events you want to send to FortiSIEM. Sample Syslog <13>Feb 23 12:36:37 QA-V-Win03-App1.ProspectHills.net SymAntiVirus 0 2701170C2410,3,2,1,QA-V-WIN03-APP1,Administrator,,,,,,,16777216,"Scan started on selected drives and folders and all extensions.",1235421384,,0,,,,,0,,,,,,,,,,,{C11B44CF-35C9-4342AB3D-E0E9E3756510},,(IP)0.0.0.0,,ACME,00:50:56:A3:30:2F,11.0.1000.1112,,,,,,,,,,,,,,,,0,,,,, FortiSIEM 6.1.1 External Systems Configuration Guide 340 Fortinet Technologies Inc. End Point Security Software <54>Jun 11 12:24:38 SymantecServer sjdevswinapp05: Site: Site sjdevswinapp05,Server: sjdevswinapp05,Domain: Default,Admin: admin,Administrator log on failed <54>Jun 11 12:24:51 SymantecServer sjdevswinapp05: Site: Site sjdevswinapp05,Server: sjdevswinapp05,Domain: Default,Admin: admin,Administrator log on succeeded <54>Feb 23 13:08:29 SymantecServer sjdevswinapp05: Virus found,Computer name: Filer,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:/Documents and Settings/Administrator.PROSPECTHILLS/Local Settings/Temp/vpqz3cxj.com,"",Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2009-02-23 21:06:51,Inserted: 2009-02-23 21:08:29,End: 2009-02-23 21:06:51,Domain: Default,Group: Global\Prospecthills,Server: sjdevswinapp05,User: Administrator,Source computer: ,Source IP: 0.0.0.0 Mar 16 15:11:06 SymantecServer aschq97: NF77088-PCA,Local: 192.168.128.255,Local: 138,Local: FFFFFFFFFFFF,Remote: 192.168.128.86,Remote: ,Remote: 138,Remote: 0015C53B9216,UDP,Inbound,Begin: 2009-03-16 15:05:02,End: 2009-03-16 15:05:02,Occurrences: 1,Application: C:/WINDOWS/system32/ntoskrnl.exe,Rule: Allow local file sharing,Location: Default,User: ,Domain: ASC <54>Feb 24 11:51:19 SymantecServer sjdevswinapp05: QA-V-Win03-App2,[SID: 20352] HTTP Whisker/Libwhisker Scan (1) detected. Traffic has been allowed from this application: C:\WINDOWS\system32 toskrnl.exe,Local: 0.0.0.0,Local: 000000000000,Remote: ,Remote: 192.168.1.4,Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2009-02-24 11:50:01,End: 2009-02-24 11:50:01,Occurrences: 1,Application: C:/WINDOWS/system32/ntoskrnl.exe,Location: Default,User: Administrator,Domain: PROSPECTHILLS <54>Jul 28 08:08:52 SymantecServer corpepp01: 6910p-X751008R,Category: 2,Symantec AntiVirus,New virus definition file loaded. Version: 130727ag. <54>Jul 28 08:09:32 SymantecServer corpepp01: CORPMIO-H4VYWB1,Category: 2,Symantec AntiVirus,Symantec Endpoint Protection services shutdown was successful. <52>Jul 28 08:10:13 SymantecServer corpepp01: TEMPEXP02,Category: 0,Smc,Failed to disable Windows firewall <54>Jul 28 08:08:52 SymantecServer corpepp01: 8440p-X0491JYR,Category: 0,Smc,Connected to Symantec Endpoint Protection Manager (10.0.11.17) <54>Jul 28 08:08:52 SymantecServer corpepp01: 8440p-X0491JYR,Category: 0,Smc,Disconnected from Symantec Endpoint Protection Manager (10.0.11.17) <54>Jul 28 08:09:52 SymantecServer corpepp01: CORPES-3042,Category: 0,Smc,Connected to Symantec Endpoint Protection Manager (corphqepp01) <54>Jul 28 08:09:52 SymantecServer corpepp01: CORPES-3042,Category: 0,Smc,Disconnected from Symantec Endpoint Protection Manager (corpepp01) <54>Jul 28 08:09:32 SymantecServer corpepp01: CORPMIO-H4VYWB1,Category: 0,Smc,Network Threat Protection - - Engine version: 11.0.480 Windows Version info: Operating System: Windows XP (5.1.2600 Service Pack 3) Network info: No.0 "Local Area Connection 3" 00-15-c5-46-581e "Broadcom NetXtreme 57xx Gigabit Controller" 10.0.208.66 <54>Jul 28 07:55:32 SymantecServer corpepp01: tol-afisk,Blocked,Unauthorized NT call rejected by protection driver.,System,Begin: 2011-07-27 15:29:57,End: 2011-07-27 15:29:57,Rule: Built-in rule,6092,AcroRd32.exe,0,None,"FuncID=74H, RetAddr=18005CH",User: afisk,Domain: HST FortiSIEM 6.1.1 External Systems Configuration Guide 341 Fortinet Technologies Inc. End Point Security Software Symantec SEPM l Configuring Symantec SEPM l Receiving Events in FortiSIEM Configuring Symantec SEPM follow these steps to configure Symantec SEPM to send logs to FortiSIEM. For more information about Symantec SEPM, see the SEPM Installation and Administration Guide: https://support.symantec.com/us/en/article.DOC10654.html 1. In the Symantec SEPM console, go to Admin > Servers. 2. Click the local site or remote site that you want to export log data from. 3. Click Configure External Logging. 4. On the General tab, in the Update Frequency list box, select how often to send the log. 5. In the Master Logging Server list box, select the management server to send the logs to. If you use SQL Server and connect multiple management servers to the database, then specify only one server as the Master Logging Server. 6. Check Enable Transmission of Logs to a Syslog Server (FortiSIEM). 7. Provide the following information. Be sure that syslog server IP and Port can be reached from SEPM. a. Syslog Server--Enter the IP address or domain name of the Syslog server that will receive the log data (in this case, the IP of FortiSIEM). b. Destination Port--Select the protocol to use, and enter the destination port that the Syslog server uses to listen for Syslog messages. (for example, UDP 514 for FortiSIEM). c. Log Facility--Enter the number of the log facility that you want to the Syslog configuration file to use, or use the default value. Valid values range from 0 to 23. 8. On the Log Filter tab, check which logs to export Receiving Events in FortiSIEM 1. Check for events in FortiSIEM. Go to the ANALYTICS page and search on "Symantec". 2. Check for the device added by log. Go to CMDB > Devices. FortiSIEM 6.1.1 External Systems Configuration Guide 342 Fortinet Technologies Inc. End Point Security Software Tanium Connect l Integration points l Configuring Tanium Connect l Configuring FortiSIEM l Parsing and Events Integration points Protocol Sophos Central API Information Discovered Endpoint security logs Used For Security and Compliance Configuring Tanium Connect Follow Tanium Connect documentation to send syslog to FortiSIEM. Configuring FortiSIEM FortiSIEM automatically recognizes Tanium Connect syslog as long it follows the following format as shown in the sample syslog: <134>1 2018-09-06T02:50:02.762000+00:00 tanium-server-1 Tanium 7020 - [ComplyDeployment-Status---Deployment-5@017472 Installed=true Version=3.0.45 Type=full Installed1=true Version1=8u131-e1 Comply---Has-Latest-Tools=true Count=2 Parsing and Events Currently, 4 events are parsed see event Types in Resources > Event Types and search for "TaniumConnect-". User can extend the parser to add other events. FortiSIEM 6.1.1 External Systems Configuration Guide 343 Fortinet Technologies Inc. End Point Security Software Trend Micro Interscan Web Filter l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration What is Discovered and Monitored Protocol Syslog (CEF format) Information Discovered - Data Collected 15 event types Used for Security and Compliance Event Types In RESOURCE > Event Types, Search for "TrendMicro-InterscanWeb-". Sample Event Type: <130>abc.com: <Mon, 18 Sep 2017 10:00:48,IST> [EVT_URL_BLOCKING|LOG_CRIT] Blocked URL log tk_username=1.1.1.1,tk_date_field=2017-09-18 10:00:48+0530,tk_protocol=https,tk_ url=https://google.com:443/,tk_malicious_entity=,tk_file_name=,tk_entity_name=,tk_ action=,tk_scan_type=user defined,tk_blocked_by=rule,tk_rule_name=google.com,tk_opp_id=0,tk_ group_name=None,tk_category=URL Blocking,tk_uid=0099253425-0ecd0076872a9d0ace16,tk_filter_ action=0 <134>abc.com: <Mon, 18 Sep 2017 10:00:48,IST> [EVT_URL_ACCESS_TRACKING|LOG_INFO] Access tracking log tk_username=1.1.1.1,tk_url=http://aaa.com/pc/SHAREitSubscription.xml,tk_ size=0,tk_date_field=2017-09-18 10:00:48+0530,tk_protocol=http,tk_mime_ content=unknown/unknown,tk_server=abc.com,tk_client_ip=1.1.1.1,tk_server_ip=2.2.2.2,tk_ domain=aaa.com,tk_path=pc/SHAREitSubscription.xml,tk_file_name=SHAREitSubscription.xml,tk_ operation=GET,tk_uid=0099253421-bdd7d4ce063b924a2342,tk_category=56,tk_category_type=0 <134>abc.com: <Mon, 18 Sep 2017 10:00:59,IST> [EVT_PERFORMANCE|LOG_INFO] Performance log tk_ server=abc.com,tk_date_field=2017-09-18 10:00:59+0530,tk_metric_id=Number of FTP Processes,tk_metric_value=6, Rules There are no specific rules, but generic rules for Web Filters and Generic Servers apply. Reports There are no specific reports, but generic rules for Web Filters and Generic Servers apply. FortiSIEM 6.1.1 External Systems Configuration Guide 344 Fortinet Technologies Inc. End Point Security Software Configuration Configure TrendMicro Interscan Web Filter to send syslog on port 514 to FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 345 Fortinet Technologies Inc. End Point Security Software Trend Micro Intrusion Defense Firewall (IDF) l What is Discovered and Monitored l Trend Micro Configuration What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected Used For Trend Micro Configuration Syslog FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. l For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance. l For Port, enter 514. l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example. Example Syslog <134>May 31 15:24:34 DSK-FT11XL1 dsa_mpld: REASON=PLD:Disallow_Web_Proxy_Autodiscovery_ Protocol REV IN= OUT=Local_Area_Connection MAC=00:26:B9:80:74:71:2C:6B:F5:35:4E:00:08:00 SRC=192.168.20.2 DST=192.168.13.39 LEN=133 PROTO=UDP SPT=53 DPT=58187 CNT=1 act=Reset POS=0 SPOS=0 NOTE=CVE-2007-5355 FLAGS=0 FortiSIEM 6.1.1 External Systems Configuration Guide 346 Fortinet Technologies Inc. End Point Security Software Trend Micro OfficeScan l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol SNMP Trap Information Discovered Metrics Collected Used For Configuration SNMP Trap FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send send SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. Example SNMP Trap 2011-04-14 02:17:54 192.168.20.214(via UDP: [192.168.20.214]:45440) TRAP, SNMP v1, community public SNMPv2-SMI::enterprises.6101 Enterprise Specific Trap (5) Uptime: 0:00:00.30 SNMPv2-SMI::enterprises.6101.141 = STRING: "Virus/Malware: Eicar_test_file Computer: SJDEVVWINDB05 Domain: ABC File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yc8eayj0.com Date/Time: 4/10/2008 14:23:26 Result: Virus successfully detected, cannot perform the Clean action (Quarantine) " FortiSIEM 6.1.1 External Systems Configuration Guide 347 Fortinet Technologies Inc. Environmental Sensors FortiSIEM supports these devices for monitoring. l APC Netbotz Environmental Monitor l APC UPS l Generic UPS l Liebert FPC l Liebert HVAC l Liebert UPS FortiSIEM 6.1.1 External Systems Configuration Guide 348 Fortinet Technologies Inc. APC Netbotz Environmental Monitor l What is monitored and collected l Configuration l Setting Access Credentials What is Monitored and Collected Protocol Information Discovered Metrics collected Used for SNMP (V1, V2c) Host name, Hardware model, Network interfaces Temperature: Sensor Id, Sensor label, Enclosure Id, Temperature Relative Humidity: Sensor Id, Sensor label, Enclosure Id, Relative Humidity Air Flow: Sensor Id, Sensor label, Enclosure Id, Air Flow Dew Point Temperature: Sensor Id, Sensor label, Enclosure Id, Dew Point Temperature Current: Sensor Id, Sensor label, Enclosure Id, Current Audio Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Audio Sensor Reading Dry Contact Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Dry Contact Sensor Reading Availability and Performance Monitoring Door Switch Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Door Switch Sensor Reading (Open/Close) Camera Motion Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Camera Motion Sensor Reading (Motion/No Motion) Hadware Status (for NBRK0200): Contact Status, Output Relay Status, Outlet Status, Alarm Device Status, Memory Sensor Status, Memory Output Status, Memory Outlet Status, memory Beacon Status EMS Status (for NBRK0200): EMS Hardware Status, Connection State Hardware Probe (for NBRK0200): Sensor Id, Temperature, Relative Humidity, Connection State Code Module Sensor (for NBRK0200): Sensor Name, Sensor location, Temperature, Relative Humidity, Connection State Code SNMP Trap SNMP Trap (V1, V2c) See Event Types for more information about viewing the SNMP traps collected by FortiSIEM for this device. Availability and Performance Monitoring FortiSIEM 6.1.1 External Systems Configuration Guide 349 Fortinet Technologies Inc. Environmental Sensors Event Types In ADMIN > Device Support > Event, search for "NetBotz" in the Name column to see the event types associated with this application or device. Event types for NetBotz NBRK0200 l PH_DEV_MON_HW_STATUS [PH_DEV_MON_HW_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=deviceNetBotz.cpp, [lineNumber]=1642,[hostName]=Unknown,[hostIpAddr]=10.62.97.61,[hwStatusCode]=2, [hwProbeStatus]=2,[hwInputContactStatus]=2,[hwOutputRelayStatus]=0,[hwOutletStatus]=2, [hwAlarmDeviceStatus]=0,[hwMemSensorStatus]=0,[hwMemOutputStatus]=2, [hwMemOutletStatus]=2,[hwMemBeaconStatus]=2,[phLogDetail]= l PH_DEV_MON_HW_EMS_STATUS [PH_DEV_MON_HW_EMS_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=deviceNetBotz.cpp, [lineNumber]=1871,[hostName]=Unknown,[hostIpAddr]=10.62.97.61,[reptDevName]=Unknown, [emsHwStatus]=0,[phyMachConnectionStateCode]=2,[hwLogStatus]=1,[phLogDetail]= l PH_DEV_MON_HW_PROBE [PH_DEV_MON_HW_PROBE]:[eventSeverity]=PHL_INFO,[fileName]=deviceNetBotz.cpp, [lineNumber]=2100,[hostName]=Unknown,[hostIpAddr]=10.62.97.61,[envSensorLabel]=Sensor MM:4,[envTempDegF]=74,[envTempHighThreshDegF]=138,[envHumidityRel]=51, [envHumidityRelHighThresh]=90,[envHumidityRelLowThresh]=10,[serialNumber]=L3, [phyMachConnectionStateCode]=3,[maxTempThresh]=140,[minTempThresh]=32, [maxHumidityThresh]=99,[minHumidityThresh]=0,[phLogDetail]= l PH_DEV_MON_HW_MODULE_SENSOR [PH_DEV_MON_HW_MODULE_SENSOR]:[eventSeverity]=PHL_INFO,[fileName]=deviceNetBotz.cpp, [lineNumber]=2567,[hostName]=Unknown,[hostIpAddr]=10.62.97.61,[moduleNumber]=0, [envSensorId]=1,[envSensorLabel]=Sensor MM:1,[envSensorLoc]=Orland Park Server, [envTempDegF]=74,[envHumidityRel]=50,[phyMachConnectionStateCode]=1, [hwAlarmDevicetatus]=1,[phLogDetail]= Rules In RESOURCE > Rules, search for "NetBotz" in the Name column to see the rules associated with this application or device. Reports In RESOURCE > Reports, search for "Netbotz" in the Name column to see the reports associated with this application or device. FortiSIEM 6.1.1 External Systems Configuration Guide 350 Fortinet Technologies Inc. Environmental Sensors Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. SNMP Trap FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. Setting Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> APC NetBotz See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 351 Fortinet Technologies Inc. Environmental Sensors APC UPS l What is Discovered and Monitored l Configuration l Setting Access Credentials What is Discovered and Monitored Protocol Information Discovered Metrics collected SNMP (V1, V2c) Host name, Hardware model, Network interfaces UPS metrics: Remaining battery charge, Battery status, Replace battery indicator, Time on battery, Output status, Output load, Output voltage, Output frequency SNMP Trap Used for Availability and Performance Monitoring Availability and Performance Monitoring Event Types In ADMIN > Device Support > Event, search for "apc" in the Device Type column to see the event types associated with this device. Rules In RESOURCE > Rules, search for "apc" in the Name column to see the rules associated with this device. Reports In RESOURCE > Reports , search for "apc" in the Name column to see the reports associated with this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. FortiSIEM 6.1.1 External Systems Configuration Guide 352 Fortinet Technologies Inc. Environmental Sensors SNMP Trap FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send send SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. Setting Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> APC UPS See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 353 Fortinet Technologies Inc. Environmental Sensors Generic UPS l What is Discovered and Monitored l Configuration l Setting Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c) Information Discovered Metrics collected Host name, Hardware model, Network interfaces UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated Seconds Remaining, Output voltage, Output current, Temperature Used for Availability and Performance Monitoring Configuration SNMP UPS-MIB Required Your device must have a UPS-MIB database to communicate with FortiSIEM over SNMP. FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in "Discovery Settings" and "Setting Credentials" in the User Guide, to establish the connection between the device and FortiSIEM, and to initiate the device discovery process. Setting Access Credentials SNMP Access Credentials for All Devices Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> FortiSIEM 6.1.1 External Systems Configuration Guide 354 Fortinet Technologies Inc. Environmental Sensors Liebert FPC l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c) Information Discovered Metrics collected Used for Host name, Hardware model, Network interfaces Output voltage (X-N, Y-N, Z-N), Output current (X, Y. Z), Neutral Current, Ground current, Output power, Power Factor, Output Frequency, Output Voltage THD (Vx, Vy, Vz), Output Current THD (Lx, Ly. Lz), Output KWh, Output Crest factor (Lx, Ly, Lz), Output K-factor (Lx, Ly, Lz), Output Lx Capacity, output Ly capacity Availability and Performance Monitoring Event Types In ADMIN > Device Support > Event, search for "LIebert FPC" in the Description column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports In RESOURCE > Reports , search for "Liebert FPC" in the Name column to see the reports associated with this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Use these Access Method Definition settings to allow FortiSIEM to access your device. FortiSIEM 6.1.1 External Systems Configuration Guide 355 Fortinet Technologies Inc. Environmental Sensors Setting Name Device Type Access Protocol Port Password config Value <set name> Liebert FPC See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 356 Fortinet Technologies Inc. Environmental Sensors Liebert HVAC l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c) Information Discovered Metrics collected Used for Host name, Hardware model, Network interfaces HVAC metrics: Temperature: current value, upper threshold, lower threshold, Relative Humidity: current value, upper threshold, lower threshold, System state, Cooling state, Heating state, Humidifying state, Dehumidifying state, Economic cycle, Fan state, Heating capacity, Cooling capacity Availability and Performance Monitoring FortiSIEM uses SNMP to discover and collector metrics from Generic UPS devices. This requires the presence of UPSMIB on the UPS device. See the Liebert HVAC documentation to enable FortiSIEM to poll the device via SNMP. Event Types In ADMIN > Device Support > Event, search for "Liebert HVAC" in the Description column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports In RESOURCE > Reports , search for "Liebert HVAC" in the Name column to see the reports associated with this device. Configuration SNMP Note: UPS-MIB Required Your device must have a UPS-MIB database to communicate with FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 357 Fortinet Technologies Inc. Environmental Sensors FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Use these Access Method Definition settings to allow FortiSIEM to access your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Liebert HVAC See Access Credentials See Access Credentials See Access Credentials FortiSIEM 6.1.1 External Systems Configuration Guide 358 Fortinet Technologies Inc. Environmental Sensors Liebert UPS l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c) Information Discovered Metrics collected Host name, Hardware model, Network interfaces UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated Seconds Remaining, Output voltage, Output current, Temperature Used for Availability and Performance Monitoring Event Types There are no event types defined specifically for this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration SNMP Note: UPS-MIB Required Your device must include a UPS-MIB database to communicate with FortiSIEM. FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Use these Access Method Definition settings to allow FortiSIEM to access your device. FortiSIEM 6.1.1 External Systems Configuration Guide 359 Fortinet Technologies Inc. Environmental Sensors Setting Name Device Type Access Protocol Port Password config Value <set name> Liebert UPS See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 360 Fortinet Technologies Inc. Firewalls Firewalls FortiSIEM supports these firewalls for discovery and monitoring. l Check Point FireWall-1 l Check Point Provider-1 l CLM for Check Point Provider-1 l CMA for Check Point Provider-1 l MDS for Check Point Provider-1 l MLM for Check Point Provider-1 l Check Point VSX l Cisco Adaptive Security Appliance (ASA) l Clavister Firewall l Cyberoam Firewall l Dell SonicWALL l Fortinet FortiGate Firewall l Imperva Securesphere Web App Firewall l Juniper Networks SSG l McAfee Firewall Enterprise (Sidewinder) l Palo Alto l Sophos UTM l WatchGuard Firebox FortiSIEM 6.1.1 External Systems Configuration Guide 361 Fortinet Technologies Inc. Firewalls Check Point FireWall-1 l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP LEA Information Discovered Host name, Firewall model and version, Network interfaces Metrics collected Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count All traffic and system logs Used for Availability and Performance Monitoring Security and Compliance Event Types In ADMIN > Device Support > Event, search for "firewall-1" in the Device Type column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. FortiSIEM 6.1.1 External Systems Configuration Guide 362 Fortinet Technologies Inc. Firewalls LEA Add FortiSIEM as a Managed Node 1. Log in to your Check Point SmartDomain Manager. 2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard. 3. Select the Firewall tab. 4. Click the Network Objects icon. 5. Select Nodes, and then right-click to select Node > Host... . 6. Select General Properties. 7. Enter a Name for your FortiSIEM host, like FortiSIEMVA. 8. Enter the IP Address of your FortiSIEM virtual appliance. 9. Click OK. Create an OPSEC Application for FortiSIEM 1. In the Firewall tab, click the Servers and OPSEC icon. 2. Select OPSEC Applications, and then right-click to select New > OPSEC Application. 3. Click the General tab. 4. Enter a Name for your OPSEC application, like OPSEC_FortiSIEMVA. 5. For Host, select the FortiSIEM host. 6. Under Client Entities, select LEA and CPMI. For Check Point FireWall-1, also select SNMP. 7. Click Communication. 8. Enter a one-time password. This is the password you will use in setting up access credentials for your firewall in FortiSIEM. 9. Click Initialize. 10. Close and re-open the application. 11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_ FortiSIEMVA,0=MDS..i6g4zq. This is the FortiSIEM Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in FortiSIEM. Create a Firewall Policy for FortiSIEM 1. In Servers and Opsec > OPSEC Applications, select your FortiSIEM application. 2. In the Rules menu, select Top. 3. Right-click SOURCE, then click Add and select your FortiSIEM virtual appliance. 4. Right-click DESTINATION, then click Add and select your Check Point firewall. 5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI. Also select snmp if you are configuring a Check Point FireWall-1 firewall. 6. Right-click ACTION and select Accept. 7. Right-click TRACK and select Log. FortiSIEM 6.1.1 External Systems Configuration Guide 363 Fortinet Technologies Inc. Firewalls 8. Go to Policy > Install. 9. Click OK. 10. Go to OPSEC Applications and select your FortiSIEM application. 11. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and FortiSIEM. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Checkpoint Firewall-1 See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 364 Fortinet Technologies Inc. Firewalls Check Point Provider-1 Firewall l What is Discovered and Monitored l Configuration Overview What is Discovered and Monitored Protocol SNMP LEA Information Discovered Host name, Firewall model and version, Network interfaces Metrics collected Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count All traffic and system logs Used for Availability and Performance Monitoring Security and Compliance Event Types There are no event types defined specifically for this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration Overview The configuration of Check Point Provider-1 depends on the type of log that you want sent to FortiSIEM. There are two options: l Domain level audit logs, which contain information such as domain creation, editing, etc. l Firewall logs, which include both audit log for firewall policy creation, editing, etc., and traffic logs These logs are generated and stored among four different components: l Multi-Domain Server (MDS), where domains are configured and certificates have to be generated. l Multi-Domain Log Module (MLM), where domain logs are stored. l Customer Management Add-on (CMA), the customer management module. l Customer Log Module (CLM), which consolidates logs for an individual customer/domain. Discover Paired Components on the Same Collector or Supervisor FortiSIEM 6.1.1 External Systems Configuration Guide 365 Fortinet Technologies Inc. Firewalls Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail. Component Configuration for Domain-Level Audit Logs 1. Configure MDS. 2. Use the Client SIC obtained while configuring MDS to configure MLM. 3. Pull logs from MLM. Component Configuration for Firewall Logs 1. Configure CMA. 2. Use the Client SIC obtained while configuring CMA to configure CLM. 3. Pull logs from CLM. If you want to pull firewall logs from a domain, you have to configure CLM for that domain. See these topics for instructions on how to configure each component for Check Point Provider-1 firewalls. l Configuring MDS for Check Point Provider-1 Firewalls l Configuring MLM for Check Point Provider-1 Firewalls l Configuring CMA for Check Point Provider-1 Firewalls l Configuring CLM for Check Point Provider-1 Firewalls FortiSIEM 6.1.1 External Systems Configuration Guide 366 Fortinet Technologies Inc. Firewalls Configuring CMA for Check Point Provider-1 Firewalls The Check Point Provider-1 Customer Management Add-On (CMA) creates logs that are then consolidated by the Customer Log Module (CLM). If you want the CLM to send logs to FortiSIEM, you must first configure the CMA and obtain the AO Client SIC to configure access credentials for communication between the CLM and FortiSIEM. l Configuration l Settings for Access Credentials Discover Paired Components on the Same Collector or Supervisor Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail. Configuration Get CMA Server SIC for Setting Up FortiSIEM Access Credentials 1. Log in to your Check Point SmartDomain Manager. 2. Click the General tab. 3. Select Domain Contents. 4. Select the Domain Management Server and right-click to select Launch Application > Smart Dashboard. 5. Select the Desktop tab. 6. Select the Network Objects icon. 7. Double-click on the Domain Management Server to view the General Properties dialog. 8. Click Test SIC Status... . Note the value for DN. You will use this for the CMA Server SIC setting when creating the access credentials for FortiSIEM to access your CMA server. Add FortiSIEM as a Managed Node 1. Log in to your Check Point SmartDomain Manager. 2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard. 3. Select the Firewall tab. 4. Click the Network Objects icon. 5. Select Nodes, and then right-click to select Node > Host... . 6. Select General Properties. 7. Enter a Name for your FortiSIEM host, like FortiSIEMVA. 8. Enter the IP Address of your FortiSIEM virtual appliance. 9. Click OK. FortiSIEM 6.1.1 External Systems Configuration Guide 367 Fortinet Technologies Inc. Firewalls Create an OPSEC Application for FortiSIEM 1. In the Firewall tab, click the Servers and OPSEC icon. 2. Select OPSEC Applications, and then right-click to select New > OPSEC Application. 3. Click the General tab. 4. Enter a Name for your OPSEC application, like OPSEC_FortiSIEMVA. 5. For Host, select the FortiSIEM host. 6. Under Client Entities, select LEA and CPMI. For Check Point FireWall-1, also select SNMP. 7. Click Communication. 8. Enter a one-time password. This is the password you will use in setting up access credentials for your firewall in FortiSIEM. 9. Click Initialize. 10. Close and re-open the application. 11. In the General tab, next to Communication, the DN field will now contain a value like CN= OPSEC_ FortiSIEMVA,0=MDS..i6g4zq. This is the FortiSIEM Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in FortiSIEM. Create a Firewall Policy for FortiSIEM 1. In Servers and Opsec > OPSEC Applications, select your FortiSIEM application. 2. In the Rules menu, select Top. 3. Right-click SOURCE, then click Add and select your FortiSIEM virtual appliance. 4. Right-click DESTINATION, then click Add and select your Check Point firewall. 5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI. Also select snmp if you are configuring a Check Point FireWall-1 firewall. 6. Right-click ACTION and select Accept. 7. Right-click TRACK and select Log. 8. Go to Policy > Install. 9. Click OK. 10. Go to OPSEC Applications and select your FortiSIEM application. 11. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and FortiSIEM. You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Settings for Check Point Provider-1 Firewall CLA SSLCA Access Credentials Use these Access Method Definition settings to allow FortiSIEM to access your Check Point Provider-1 Firewall CMA. When you complete the access credentials, click Generate Certificate to establish access between your firewall and FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 368 Fortinet Technologies Inc. Firewalls Setting Name Device Type Access Protocol CMA IP Checkpoint LEA Port AO Client SIC CMA Server SIC CPMI Port Activation Key Value CMA Checkpoint Provider-1 CMA CheckPoint SSLCA The IPS address of your server The port used by LEA on your server The DN number of your FortiSIEM OPSEC application The DN number of your server The port used by CPMI on your server The password you used in creating your OPSEC application FortiSIEM 6.1.1 External Systems Configuration Guide 369 Fortinet Technologies Inc. Firewalls Configuring CLM for Check Point Provider-1 Firewalls l Prequisites l Configuration l Settings for Access Credentials Prequisites l You must first configure and discover the Check Point CLA and obtain the AO Client SIC before you can configure the Customer Log Module (CLM). The AO Client SIC is generated when you create the FortiSIEM OPSEC application. Discover Paired Components on the Same Collector or Supervisor Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail. Configuration Get CLM Server SIC for Creating FortiSIEM Access Credentials 1. Log in to your Check Point SmartDomain Manager. 2. Click the General tab. 3. Select Domain Contents. 4. Select the Domain Management Server and right-click to select Launch Application > Smart Dashboard. 5. Select the Desktop tab. 6. Click the Network Objects icon. 7. Under Check Point, select the CLM host and double-click to open the General Properties dialog. 8. Under Secure Internal Communication, click Test SIC Status... . 9. In the SIC Status dialog, note the value for DN. This is the CLM Server SIC that you will use in setting up access credentials for the CLM in FortiSIEM. 10. Click Close. 11. Click OK. Install the Database 1. In the Actions menu, select Policy > Install Database... . 2. Select the MDS Server and the CLM, and then OK. The database will install in both locations. You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Settings for Check Point Provider-1 Firewall CLM SSLCA Access Credentials FortiSIEM 6.1.1 External Systems Configuration Guide 370 Fortinet Technologies Inc. Firewalls Use these Access Method Definition settings to allow FortiSIEM to access your Check Point Provider-1 Firewall CMA. When you complete the access credentials, click Generate Certificate to establish access between your firewall and FortiSIEM. Setting Name Device Type Access Protocol CLM IP Checkpoint LEA Port AO Client SIC CLM Server SIC CPMI Port CMA IP Value CLM Checkpoint Provider-1 CLM CheckPoint SSLCA The IP address of the host where your CLM is located The port used by LEA on your server The DN number of your FortiSIEM OPSEC application The DN number of your server The port used by CPMI on your server The IP address of the host where your CMA is located FortiSIEM 6.1.1 External Systems Configuration Guide 371 Fortinet Technologies Inc. Firewalls Configuring MDS for Check Point Provider-1 Firewalls l Configuration l Settings for Access Credentials The Check Point Provider-1 firewall Multi-Domain Server (MDS) is where domains are configured and certificates are generated for communicating with FortiSIEM. If you want to have domain logs from the Multi-Domain Log Module (MLM) sent from your firewall to FortiSIEM, you must first configure and discover MDS, then use the AO Client SIC created for your FortiSIEM OPSEC application to configure the access credentials for MLM. Discover Paired Components on the Same Collector or Supervisor Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail. Configuration Get the MDS Server SIC for FortiSIEM Access Credentials You will use the MDS Server SIC to create access credentials in FortiSIEM for communicating with your server. 1. Log in to your Check Point SmartDomain Manager. 2. Select Multi-Domain Server Contents. 3. Select MDS, and then right-click to select Configure Multi-Domain Server... . 4. In the General tab, under Secure Internet Communication, note the value for DN. Add FortiSIEM as a Managed Node 1. Log in to your Check Point SmartDomain Manager. 2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard. 3. Select the Firewall tab. 4. Click the Network Objects icon. 5. Select Nodes, and then right-click to select Node > Host... . 6. Select General Properties. 7. Enter a Name for your FortiSIEM host, like FortiSIEMVA. 8. Enter the IP Address of your FortiSIEM virtual appliance. 9. Click OK. Create an OPSEC Application for FortiSIEM 1. In the Firewall tab, click the Servers and OPSEC icon. 2. Select OPSEC Applications, and then right-click to select New > OPSEC Application. 3. Click the General tab. 4. Enter a Name for your OPSEC application, like OPSEC_FortiSIEMVA. 5. For Host, select the FortiSIEM host. FortiSIEM 6.1.1 External Systems Configuration Guide 372 Fortinet Technologies Inc. Firewalls 6. Under Client Entities, select LEA and CPMI. For Check Point FireWall-1, also select SNMP. 7. Click Communication. 8. Enter a one-time password. This is the password you will use in setting up access credentials for your firewall in FortiSIEM. 9. Click Initialize. 10. Close and re-open the application. 11. In the General tab, next to Communication, the DN field will now contain a value like CN= OPSEC_ FortiSIEMVA,0=MDS..i6g4zq. This is the FortiSIEM Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in FortiSIEM. Create a Firewall Policy for FortiSIEM 1. In Servers and Opsec > OPSEC Applications, select your FortiSIEM application. 2. In the Rules menu, select Top. 3. Right-click SOURCE, then click Add and select your FortiSIEM virtual appliance. 4. Right-click DESTINATION, then click Add and select your Check Point firewall. 5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI. Also select snmp if you are configuring a Check Point FireWall-1 firewall. 6. Right-click ACTION and select Accept. 7. Right-click TRACK and select Log. 8. Go to Policy > Install. 9. Click OK. 10. Go to OPSEC Applications and select your FortiSIEM application. 11. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and FortiSIEM. Copy Secure Internal Communication (SIC) certificates Copy Client SIC 1. Go to Manage > Server and OPSEC Applications. 2. Select OPSEC Application and then right-click to select accelops. 3. Click Edit. 4. Enter the SIC DN of your application. Copy Server SIC 1. In the Firewall tab, go to Manage. 2. Click the Network Object icon, and then right-click to select Check Point Gateway. 3. Click Edit. 4. Enter the SIC DN. 5. If there isn't a field to enter the SIC DN, click Test SIC Status and a dialog will display the SIC DN. You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. FortiSIEM 6.1.1 External Systems Configuration Guide 373 Fortinet Technologies Inc. Firewalls Settings for Access Credentials Settings for Check Point Provider-1 Firewall SSLCA Access Credentials Use these Access Method Definition settings to allow FortiSIEM to access your Check Point Provider-1 Firewall MDS. When you complete the access credentials, click Generate Certificate to establish access between your firewall and FortiSIEM. Setting Name Device Type Access Protocol MDS IP Checkpoint LEA Port AO Client SIC MDS Server SIC Password CPMI Port Activation Key Value MDS Checkpoint Provider-1 MDS CheckPoint SSLCA The IPS address of your server The port used by LEA on your server The DN number of your FortiSIEM OPSEC application The DN number of your server The password associated with the administrative user The port used by CPMI on your server The password you used in creating your OPSEC application 1. Generate a certificate for MDS communication in FortiSIEM. a. Configure Checkpoint Provider-1 MDS credential as shown below. Activation key was the one-time password you input in Create an OPSEC Application for FortiSIEM AO Client SIC was generated in Create an OPSEC Application for FortiSIEM MDS Server SIC was generated in Get the MDS Server SIC for FortiSIEM Access Credentials b. Click Generate Certificate. It should be successful. Note that the button will be labeled Regenerate Certificate if you have already generated the certificate once. FortiSIEM 6.1.1 External Systems Configuration Guide 374 Fortinet Technologies Inc. Firewalls Configuring MLM for Check Point Provider-1 Firewalls l Prerequisites l Configuration l Settings for Access Credentials Prerequisites l You must configure and discover your Check Point Provider-1 MDS before you configure the Multi-Domain Log Module (MLM). You will need the AO Client SIC that was generated when you created your FortiSIEM OPSEC application in the MDS to set up the access credentials for your MLM in FortiSIEM. Discover Paired Components on the Same Collector or Supervisor Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail. Configuration Get MLM Server SIC for Setting Up FortiSIEM Access Credentials 1. Log in to your Check Point SmartDomain Manager. 2. In the General tab, click Multi-Domain Server Contents. 3. Right-click MLM and select Configure Multi-Domain Server... . 4. Next to Communication, note the value for DN. You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Settings for Check Point Provider-1 MLM SSLCA Access Credentials Use these Access Method Definition settings to allow FortiSIEM to access your Check Point MLM over SSLCA. Setting Name Device Type Access Protocol MLM IP Checkpoint LEA Port Value MLM Checkpoint Provider-1 MLM CheckPoint SSLCA The IPS address of your module The port used by LEA on your server FortiSIEM 6.1.1 External Systems Configuration Guide 375 Fortinet Technologies Inc. Firewalls Setting AO Client SIC MLM Server SIC CPMI Port MDS IP Value The DN number of your FortiSIEM OPSEC application The DN number of your MLM The port used by CPMI on your server The IP address of your MDS server FortiSIEM 6.1.1 External Systems Configuration Guide 376 Fortinet Technologies Inc. Firewalls Check Point VSX Firewall l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored FortiSIEM uses SNMP, LEA to discover the device and to collect logs, configurations and performance metrics. Protocol SNMP LEA Information Discovered Host name, Firewall model and version, Network interfaces Metrics collected Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count All traffic and system logs Used for Availability and Performance Monitoring Security and Compliance Event Types There are no event types defined specifically for this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. FortiSIEM 6.1.1 External Systems Configuration Guide 377 Fortinet Technologies Inc. Firewalls LEA Add FortiSIEM as a Managed Node 1. Log in to your Check Point SmartDomain Manager. 2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard. 3. Select the Firewall tab. 4. Click the Network Objects icon. 5. Select Nodes, and then right-click to select Node > Host... . 6. Select General Properties. 7. Enter a Name for your FortiSIEM host, like FortiSIEMVA. 8. Enter the IP Address of your FortiSIEM virtual appliance. 9. Click OK. Create an OPSEC Application for FortiSIEM 1. In the Firewall tab, click the Servers and OPSEC icon. 2. Select OPSEC Applications, and then right-click to select New > OPSEC Application. 3. Click the General tab. 4. Enter a Name for your OPSEC application, like OPSEC_FortiSIEMVA. 5. For Host, select the FortiSIEM host. 6. Under Client Entities, select LEA and CPMI. For Check Point FireWall-1, also select SNMP. 7. Click Communication. 8. Enter a one-time password. This is the password you will use in setting up access credentials for your firewall in FortiSIEM. 9. Click Initialize. 10. Close and re-open the application. 11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_ FortiSIEMVA,0=MDS..i6g4zq. This is the FortiSIEM Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in FortiSIEM. Create a Firewall Policy for FortiSIEM 1. In Servers and Opsec > OPSEC Applications, select your FortiSIEM application. 2. In the Rules menu, select Top. 3. Right-click SOURCE, then click Add and select your FortiSIEM virtual appliance. 4. Right-click DESTINATION, then click Add and select your Check Point firewall. 5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI. Also select snmp if you are configuring a Check Point FireWall-1 firewall. 6. Right-click ACTION and select Accept. 7. Right-click TRACK and select Log. FortiSIEM 6.1.1 External Systems Configuration Guide 378 Fortinet Technologies Inc. Firewalls 8. Go to Policy > Install. 9. Click OK. 10. Go to OPSEC Applications and select your FortiSIEM application. 11. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and FortiSIEM. Copy Client SIC 1. Go to Manage > Server and OPSEC Applications. 2. Select OPSEC Application and then right-click to select accelops. 3. Click Edit. 4. Enter the SIC DN of your application. Copy Server SIC 1. In the Firewall tab, go to Manage. 2. Click the Network Object icon, and then right-click to select Check Point Gateway. 3. Click Edit. 4. Enter the SIC DN. 5. If there isn't a field to enter the SIC DN, click Test SIC Status and a dialog will display the SIC DN. You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Checkpoint VSX See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 379 Fortinet Technologies Inc. Firewalls Cisco Adaptive Security Appliance (ASA) l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c, V3) SNMP (V1, V2c, V3) SNMP (V1, V2c, V3) SNMP (V1, V2c, V3) Information Discovered Metrics collected Used for Host name, Hardware model, Network interfaces, Hardware component details: serial number, model, manufacturer, software and firmware versions of components such as fan, power supply, network cards etc., Operating system version, SSM modules such as IPS Uptime, CPU and Memory utilization, Free processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count Availability and Performance Monitoring Hardware health: temperature, fan and power supply status OSPF connectivity, neighbors, state, OSPF Area OSPF state change Routing Topology, Availability Monitoring IPSec VPN Phase 1 tunnel metrics: local and remote Vpn Ip addresses, Tunnel status, Tunnel Uptime, Received/Sent BitsPerSec, Received/Sent Packets, Received/Sent BitsPerSec, Received/Sent Dropped Packets, Received/Sent Rejected Exchanges, Received/Sent Invalid Exchanges Invalid Received Pkt Dropped, Received Exchanges Rejected, Received Exchanges Invalid IPSec VPN Phase 2 tunnel metrics: local and remote Vpn Ip addresses, Tunnel status, Tunnel Uptime, Received/Sent Performance Monitoring FortiSIEM 6.1.1 External Systems Configuration Guide 380 Fortinet Technologies Inc. Firewalls Protocol Telnet/SSH Telnet/SSH Netflow (V9) Syslog Information Discovered Running and startup configuration, Interface security levels, Routing tables, Image file name, Flash memory size Open server ports Device type Metrics collected Used for BitsPerSec, Received/Sent Packets, Received/Sent BitsPerSec, Received/Sent Dropped Packets, Received/Sent Auth Failed, Sent Encrypted Failed, Received Decrupt failed, Received Replay Failed Startup configuration change, delta between running and startup configuration Performance Monitoring, Security and Compliance Virtual context for multi-context firewalls, ASA interface security levels needed for setting source and destination IP address in syslog based on interface security level comparisons, ASA name mappings from IP addresses to locally unique names needed for converting names in syslog to IP addresses Traffic logs (for ASA 8.x and above) Security and Compliance All traffic and system logs Security and Compliance Event Types In ADMIN > Device Support > Event, search for "asa" in the Device Type column to see the event types associated with this device. Rules In RESOURCE > Rules, search for "asa" in the Description column to see the rules associated with this device. Reports In RESOURCE > Reports, search for "asa" in the Description column to see the reports associated with this device. Configuration l Don't Configure SNMP Trap. l Don't configure ASA to send logs via SNMP trap, as FortiSIEM doesn't parse them. Check Security Levels FortiSIEM 6.1.1 External Systems Configuration Guide 381 Fortinet Technologies Inc. Firewalls Make sure interface security levels are appropriately set in FortiSIEM. In your FortiSIEM Supervisor, go to CMDB > Devices > Network Device > Firewall and select your firewall. Click the Interface tab, and make sure that the inside security level is 100, outside is 0 and other interfaces are in between. This information can either be discovered via SSH or entered manually after SNMP discovery. Without correct security level information, ASA traffic built and teardown logs can not be parsed correctly (they may not have correct source and destination addresses and ports). SNMP 1. Log in to your ASA with administrative privileges. 2. Configure SNMP with this command. snmp-server host <ASA Interface name> <FortiSIEM IP> poll community <community string> Syslog 1. Log in to your ASA with administrative privileges. 2. Enter configuration mode (config terminal). 3. Enter the following commands: l no names l logging enable l logging timestamp l logging monitor errors l logging buffered errors l logging trap debugging l logging debug-trace l logging history errors l logging asdm errors l logging mail emergencies l logging facility 16 l logging host <ASA interface name> <FortiSIEM IP> Sample Cisco ASA Syslog <134>Nov 28 2007 17:20:48: %ASA-6-302013: Built outbound TCP connection 76118 for outside:207.68.178.45/80 (207.68.178.45/80) to inside:192.168.20.31/3530 (99.129.50.157/5967) SSH 1. Log in to your ASA with administrative privileges. 2. Configure SSH with this command. ssh <FortiSIEM IP> <FortiSIEM IP netmask> <ASA interface name> FortiSIEM 6.1.1 External Systems Configuration Guide 382 Fortinet Technologies Inc. Firewalls Telnet 1. Log in to your ASA with administrative privileges. 2. Configure telnet with this command. telnet <FortiSIEM IP> <FortiSIEM IP netmask> <ASA interface name> Commands Used During Telnet/SSH Communication The following commands are used for discovery and performance monitoring via SSH. Make sure that the accounts associated with the ASA access credentials you set up in FortiSIEM have permission to execute these commands. Critical Commands It is critical to have no names and logging timestamp commands in the configuration, or logs will not be parsed correctly. 1. show startup-config 2. show running-config 3. show version 4. show flash 5. show context 6. show ip route 7. enable 8. terminal pager 0 9. terminal length 0 NetFlow NetFlow is an optimized protocol for collecting high volume traffic logs. You should configure NetFlow with ASM, the ASA device manager. Set Up FortiSIEM as a NetFlow Receiver 1. Login to ASDM. 2. Go to Configuration > Device Management > Logging > Netflow. 3. Under Collectors, click Add. 4. For Interface, select the ASA interface over which NetFlow will be sent to FortiSIEM. 5. For IP Address or Host Name, enter the IP address or host name for your FortiSIEM virtual appliance that will receive the NetFlow logs. 6. For UDP Port, enter 2055. 7. Click OK. 8. Select Disable redundant syslog messages. This prevents the netflow equivalent events from being also sent via syslog. 9. Click Apply. FortiSIEM 6.1.1 External Systems Configuration Guide 383 Fortinet Technologies Inc. Firewalls Create a NetFlow Service Policy 1. Go to Configuration > Firewall > Service Policy Rules. 2. Click Add. The Service Policy Wizard will launch. 3. Select Global - apply to all interfaces, and then click Next. 4. For Traffic Match Criteria, select Source and Destination IP Address, and then click Next. 5. For Source and Destination, select Any, and then click Next. 6. For Flow Event Type, select All. 7. For Collectors, select the FortiSIEM virtual appliance IP address. 8. Click OK. Configure the Template Refresh Rate This is an optional step. The template refresh rate is the number of minutes between sending a template record to FortiSIEM. The default is 30 minutes, and in most cases this is sufficient. Since flow templates are dynamic, FortiSIEM cannot process a flow until it knows the details of the corresponding template. This command may not always be needed, but if flows are not showing up in FortiSIEM, even if tcpdump indicates that they are, this is worth trying. flow-export template timeout-rate 1 You can find out more about configuring NetFlow in the Cisco support forum. Settings for Access Credentials SNMP Access Credentials for All Devices Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> Telnet Access Credentials for All Devices These are the generic settings for providing Telnet access to your device from FortiSIEM. Setting Name Device Type Value Telnet-generic generic FortiSIEM 6.1.1 External Systems Configuration Guide 384 Fortinet Technologies Inc. Firewalls Setting Access Protocol Port User Name Password Value Telnet 23 A user who has permission to access the device over Telnet The password associated with the user SSH Access Credentials for All Devices These are the generic settings for providing SSH access to your device from FortiSIEM. Setting Name Device Type Access Protocol Port User Name Password Value ssh-generic Generic SSH 22 A user who has access credentials for your device over SSH The password for the user FortiSIEM 6.1.1 External Systems Configuration Guide 385 Fortinet Technologies Inc. Firewalls Clavister Firewall Integration Points Method syslog Information discovered Host name, Reporting IP Metrics collected None LOGs collected Used for Connection permit and deny, system events Security monitoring Event Types In ADMIN > Device Support > Event, Search for "Clavister" to see the event types associated with this device. Rules No specific rules are written for Clavister firewall but generic firewall rules will apply. Reports No specific reports are written for Clavister firewall but generic firewall rules will apply. Configuration Configure Clavister firewall to send logs to FortiSIEM in the supported format (see Sample Events below). Settings for Access Credentials None required Sample Events <134>[2016-04-26 16:10:07] EFW: CONN: prio=1 id=00600005 rev=1 event=conn_close_natsat action=close rule=if3_net_nat_out conn=close connipproto=TCP connrecvif=If3 connsrcip=192.168.99.13 connsrcport=43347 conndestif=If1 conndestip=1.1.1.1 conndestport=443 connnewsrcip=1.1.1.2 connnewsrcport=65035 connnewdestip=1.1.1.1 connnewdestport=443 origsent=1395 termsent=5763 conntime=83 <134>[2016-04-26 16:10:11] EFW: ALG: prio=1 id=00200001 rev=1 event=alg_session_open algmod=ftp algsesid=95238 connipproto=TCP connrecvif=If1 connsrcip=1.1.1.3 connsrcport=59576 FortiSIEM 6.1.1 External Systems Configuration Guide 386 Fortinet Technologies Inc. Firewalls conndestif=core conndestip=1.1.1.4 conndestport=21 origsent=100 termsent=44 <134>[2016-04-26 16:10:05] EFW: IPSEC: prio=1 id=01800211 rev=2 event=reconfig_IPsec action=ipsec_reconfigured FortiSIEM 6.1.1 External Systems Configuration Guide 387 Fortinet Technologies Inc. Firewalls Cyberoam Firewall l Integration Points l Configuration l Setting for Access Credentials l Sample Events Integration Points Method Syslog Information discovered Host name, Reporting IP Metrics collected None LOGs collected Used for Connection permit and deny, Security system events, malware events monitoring Event Types In ADMIN > Device Support > Event, search for "Cyberoam-" to see the event types associated with this device. Rules No specific rules are written for Cyberoam firewall but generic firewall rules will apply. Reports No specific reports are written for Cyberoam firewall but generic firewall rules will apply. Configuration Configure Cyberoam firewall to send logs to FortiSIEM in the supported format (see Sample Events ). Settings for Access Credentials None required. Sample Events <30>date=2019-07-10 time=11:06:48 timezone="GMT" device_name="CR50iNG" device_ id=C162213098933-QQ6REI log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=12 user_name="" user_gp="" iap=1 ips_policy_id=0 appfilter_policy_id=1 application="" application_risk=0 application_ technology="" application_category="" in_interface="PortA" out_interface="" src_mac=00: 0:00: 0:10: 0 FortiSIEM 6.1.1 External Systems Configuration Guide 388 Fortinet Technologies Inc. Firewalls src_ip=10.0.70.17 src_country_code=AP dst_ip=1.1.1.1 dst_country_code=IRL protocol="TCP" src_port=61244 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip=10.0.0.13 tran_dst_port=8080 srczonetype="LAN" srczone="ZONE1" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="3340934816" vconnid="" FortiSIEM 6.1.1 External Systems Configuration Guide 389 Fortinet Technologies Inc. Firewalls Dell SonicWALL Firewall l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP Syslog Information Discovered Metrics collected Host name, Hardware model, Network interfaces, Operating system version CPU Utilization, Memory utilization and Firewall Session Count Device type All traffic and system logs Used for Availability and Performance Monitoring Availability, Security and Compliance Event Types In ADMIN > Device Support > Event, search for "sonicwall" in the Device Type column to see the event types associated with Dell SonicWALL firewalls. Rules There are no predefined rules for Dell SonicWALL firewalls. Reports There are no predefined reports for Dell SonicWALL firewalls. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. l Dell SonicWALL Firewall Administrator's Guide (PDF) FortiSIEM 6.1.1 External Systems Configuration Guide 390 Fortinet Technologies Inc. Firewalls Syslog 1. Log in to your SonicWALL appliance. 2. Go to Log > Syslog. Keep the default settings. 3. Under Syslog Servers, click Add. The Syslog Settings wizard will open. 4. Enter the IP Address of your FortiSIEM Supervisor or Collector. Keep the default Port setting of 514. 5. Click OK. 6. Go to Firewall > Access Rules. 7. Select the rule that you want to use for logging, and then click Edit. 8. In the General tab, select Enable Logging, and then click OK. Repeat for each rule that you want to enable for sending syslog to FortiSIEM. Your Dell SonicWALL firewall should now send syslog to FortiSIEM. Example Syslog Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 Settings for Access Credentials SNMP Access Credentials for All Devices Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> FortiSIEM 6.1.1 External Systems Configuration Guide 391 Fortinet Technologies Inc. Firewalls Fortinet FortiGate Firewall l What is Discovered and Monitored l Configuring SNMP on FortiGate l Configuring SSH on FortiSIEM to communicate with FortiGate l Configuring FortiSIEM for SNMP and SSH to FortiGate l Configuring FortiAnalyzer to send logs to FortiSIEM l Configuring FortiGate to send Netflow via CLI l Configuring FortiGate to send Application names in Netflow via GUI l Example of FortiGate Syslog parsed by FortiSIEM What is Discovered and Monitored Protocol SNMP Telnet/SSH Syslog Netflow Information Discovered Host name, Hardware model, Network interfaces, Operating system version Running configuration Device type Metrics collected Used for Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths). For 5xxx series firewalls, per CPU utilization (event PH_ DEV_MON_FORTINET_PROCESSOR_USGE) Availability and Performance Monitoring Configuration Change Performance Monitoring, Security and Compliance All traffic and system logs Availability, Security and Compliance Firewall traffic, application detection and application link usage metrics Security monitoring and compliance, Firewall Link Usage and Application monitoring Event Types In ADMIN > Device Support > Event, search for "fortigate" in the Name and Description columns to see the event types associated with this device. Rules In Resource > Rules, search for "fortigate" in the Name column to see the rules associated with this device. FortiSIEM 6.1.1 External Systems Configuration Guide 392 Fortinet Technologies Inc. Firewalls Reports Search for Reports under Network device, Firewall and Security groups. Configuring SNMP on FortiGate Follow these steps to configure SNMP on FortiGate. For more information on configuring the FortiGate to allow detailed interface monitoring using SNMP, see Data Source in the FortiSIEM User's Guide. 1. Log in to your firewall as an administrator. 2. Go to System > Network. 3. Select the FortiGate interface IP that FortiSIEM will use to communicate with your device, and then click Edit. 4. For Administrative Access, makes sure that SSH and SNMP are selected. 5. Click OK 6. Go to System > Config > SNMP v1/v2c. 7. Click Create New to enable the public community. Configuring SSH on FortiSIEM to communicate with FortiGate FortiSIEM Collector SSH Client, when communicating to FortiGate via SSH, may use the public key authentication method first. This may fail and create some alerts in FortiGate. To prevent this, modify the per user config file as follows: 1. Log in to the FortiSIEM node that communicates to FortiGate via SSH, as admin. 2. Open /opt/phoenix/bin/.ssh/config and create a new file, if necessary. 3. Add these two lines and save: PreferredAuthentications password PubkeyAuthentication no 4. Ensure that the owner is admin: chown admin.admin /opt/phoenix/bin/.ssh/config chmod 600 /opt/phoenix/bin/.ssh/config 5. Verify using the commands: su admin ssh -v <fgt host> Verification is successful if the following files are found: Alternatively, modify the global ssh_config file as below. Since this is a global configuration, all programs will use this setting. 1. Log in to a FortiSIEM node that communicates to FortiGate via SSH, as root. 2. Open /etc/ssh/ssh_config 3. Add these two lines: FortiSIEM 6.1.1 External Systems Configuration Guide 393 Fortinet Technologies Inc. Firewalls PreferredAuthentications password PubkeyAuthentication no These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device. show firewall address show full-configuration Sending Logs Over VPN If you are sending these logs across a VPN, Fortigate will try to use the WAN interface for the source of all system traffic. You can change this by setting the source-ip option to the IP used on the Fortigates Internal/LAN interface. With the Web GUI 1. Log in to your firewall as an administrator. 2. Go to Log & Report > Log Config > syslog. 3. Enter the IP Address, Port Number, and Minimum Log Level and Facility for your FortiSIEM virtual appliance. 4. Make sure that CSV format is not selected. With the CLI 1. Connect to the Fortigate firewall over SSH and log in. 2. To configure your firewall to send syslog over UDP, enter this command, replacing the IP address 192.168.53.2 with the IP address of your FortiSIEM virtual appliance. config log syslogd setting set status enable set server "192.168.53.2" set port 514 end set facility user 3. Verify the settings. frontend # show log syslogd setting config log syslogd setting set status enable set server "192.168.53.2" set facility user end Configuring FortiSIEM for SNMP and SSH access to FortiGate You can now configure FortiSIEM to communicate with your device by following the instructions in the User Guide > Section: Configuring FortiSIEM > Discovering Infrastructure > Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics under Discovering Infrastructure. FortiSIEM 6.1.1 External Systems Configuration Guide 394 Fortinet Technologies Inc. Firewalls Configuring FortiAnalyzer to send logs to FortiSIEM If you are already sending FortiGate logs to FortiAnalyzer, then you can forward those logs to FortiSIEM by configuring FortiAnalyzer as follows: 1. Login to FortiAnalyzer. 2. Go to System Settings > Advanced > Syslog Server. a. Click the Create New button. b. Enter the Name. (It is recommended to use the name of the FortiSIEM server.) c. Fill in the IP address (or FQDN) with the IP or a fully qualified name of the FortiSIEM server. d. Leave the Syslog Server Port to the default value '514'. e. Click OK to save your entries. 3. Go to System Settings > Dashboard > CLI Console. 4. Click in the CLI Console and enter the following commands: l For FortiAnalyzer versions 6.0 and later: Note: Replace <id> with the actual name of the log forward created earlier. config system log-forward edit <id> set mode forwarding set fwd-max-delay realtime set server-name "<FSM_Collector>" set server-ip "a.b.c.d" set fwd-log-source-ip original_ip set fwd-server-type syslog next end l For FortiAnalyzer versions 5.6 to 5.9: Note: Replace <id> with the actual name of the log forward created earlier. config system log-forward edit <id> set mode forwarding set fwd-max-delay realtime set server-ip "a.b.c.d" set fwd-log-source-ip original_ip set fwd-server-type syslog next end l For FortiAnalyzer versions earlier than 5.6: Note: Replace <id> with the number for your FortiSIEM syslog entry. config system aggregation-client edit <id> set fwd-log-source-ip original_ip end FortiSIEM 6.1.1 External Systems Configuration Guide 395 Fortinet Technologies Inc. Firewalls Configuring FortiGate to send Netflow via CLI 1. Connect to the Fortigate firewall over SSH and log in. 2. To configure your firewall to send Netflow over UDP, enter the following commands: config system netflow set collector-ip <FortiSIEM IP> set collector-port 2055 end 3. Enable Netflow on the appropriate interfaces, replacing port1 with your interface name: config system interface edit port1 set netflow-sampler both end 4. Optional - Using Netflow with VDOMs For VDOM environments, excluding the management VDOM, Netflow must be configured using the following CLI commands: con global con sys netflow set collector-ip <FortiSIEM IP> set collector-port 2055 set source-ip <source-ip> end end con vdom edit root (root is an example, change to the required VDOM name.) con sys interface edit wan1 (change the interface to the one to use.) set netflow-sampler both end end Configuring FortiGate to send Application names in Netflow via GUI 1. Login to FortiGate. 2. Go to Policy & Objects > IPv4 Policy. 3. Click on the Policy IDs you wish to receive application information from. 4. Add SSL inspection and App Control on the policy by clicking the + button in the Security Profiles column. Example of FortiGate Syslog parsed by FortiSIEM <185>date=2010-04-11 time=20:31:25 devname=APS3012404200944 device_id=APS3012404200944 log_ id=0104032002 type=event subtype=admin pri=alert vd=root user="root" ui=ssh(10.1.20.21) action=login status=failed reason="name_ FortiSIEM 6.1.1 External Systems Configuration Guide 396 Fortinet Technologies Inc. Firewalls invalid"msg="Administrator root login failed from ssh(10.1.20.21) because of invalid user name" FortiSIEM 6.1.1 External Systems Configuration Guide 397 Fortinet Technologies Inc. Firewalls Imperva Securesphere Web App Firewall What is Discovered and Monitored Event Types Reports Configuration Setup in FortiSIEM Complete these steps in the FortiSIEM UI: 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box: Setting Name Device Type Access Protocol Port Password config User Name Password Super Password Value <set name> Imperva Securesphere Web App Firewall See Access Credentials See Access Credentials See Password Configuration A user who has access credentials for the device The password for the user Password for Super 3. In Step 2, Enter IP Range to Credential Associations: a. Select the name of your credential from the Credentials drop-down list. b. Enter a host name, an IP, or an IP range in the IP/Host Name field. c. Click Save. 4. Click Test to test the connection to Imperva Securesphere Web App Firewall. FortiSIEM 6.1.1 External Systems Configuration Guide 398 Fortinet Technologies Inc. Firewalls 5. To see the jobs associated with Imperva, select ADMIN > Pull Events. 6. To see the received events select ANALYTICS, then enter Imperva in the search box. FortiSIEM 6.1.1 External Systems Configuration Guide 399 Fortinet Technologies Inc. Firewalls Juniper Networks SSG Firewall l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP Telnet/SSH Syslog Information Discovered Metrics collected Used for Host name, Hardware model, Network interfaces, Operating system version Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count Availability and Performance Monitoring Running configuration Configuration Change Performance Monitoring, Security and Compliance Device type Traffic log, Admin login activity logs, Interface up/down logs Availability, Security and Compliance Event Types In ADMIN > Device Support > Event, search for "SSG" in the Device Type column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. FortiSIEM 6.1.1 External Systems Configuration Guide 400 Fortinet Technologies Inc. Firewalls Configuration SNMP and SSH Enable SNMP, SSH, and Ping 1. Log in to your firewall's device manager as an administrator. 2. Go to Network > Interfaces > List. 3. Select the interface and click Edit. 4. Under Service Options, for Management Services, select SNMP and SSH. 5. For Other Services, select Ping. Create SNMP Community String and Management Station IP 1. Go to Configuration > Report Settings > SNMP. 2. If the public community is not available, create it and provide it with read-only access. 3. Enter the Host IP address and Netmask of your FortiSIEM virtual appliance. 4. Select the Source Interface that your firewall will use to communicate with FortiSIEM. 5. Click OK. You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, see "Discovery Settings" and "Setting Credentials" in the User Guide. Syslog Modify Policies so Traffic Matching a Policy is Sent via Syslog to FortiSIEM 1. Go to Policies. 2. Select a policy and click Options. 3. Select Logging. 4. Click OK. Set FortiSIEM as a Destination Syslog Server 1. Go to Configuration > Report Settings > Syslog. 2. Select Enable syslog messages. 3. Select the Source Interface that your firewall will use to communicate with FortiSIEM. 4. Under Syslog servers, enter the IP/Hostname of your FortiSIEM virtual appliance. 5. For Port, enter 514. 6. For Security Facility, select LOCALD. 7. For Facility, select LOCALD. 8. Select Event Log and Traffic Log. 9. Select Enable. 10. Click Apply. FortiSIEM 6.1.1 External Systems Configuration Guide 401 Fortinet Technologies Inc. Firewalls Set the Severity of Syslog to Send to FortiSIEM 1. Go to Configuration > Report Setting > Log Settings. 2. Click Syslog. 3. Select the Severity Levels of the syslog you want sent to FortiSIEM. 4. Click Apply. Sample Parsed FortiGate Syslog <129>Aug 26 11:09:45 213.181.33.233 20090826, 6219282, 2009/08/26 09:09:40, 2009/08/26 08:09:49, global.CoX, 1363, CoX-eveTd-fw1, 213.181.41.226, traffic, traffic log, untrust, (NULL), 81.243.104.82, 64618, 81.243.104.82, 64618, dmz, (NULL), 213.181.36.162, 443, 213.181.36.162, 443, tcp, global.CoX, 1363, Workaniser_cleanup, fw/vpn, 34, accepted, info, no, (NULL), (NULL), (NULL), (NULL), 3, 858, 1323, 2181, 0, 0, 14, 1, no, 0, Not <129>Aug 26 11:09:45 213.181.33.233 20090826, 6219282, 2009/08/26 09:09:40, 2009/08/26 08:09:49, global.CoX, 1363, CoX-eveTd-fw1, Category, Sub-Category, untrust, (NULL), 81.243.104.82, 64618, 81.243.104.82, 64618, dmz, (NULL), 213.181.36.162, 443, 213.181.36.162, 443, tcp, global.Randstad, 1363, Workaniser_ cleanup, fw/vpn, 34, accepted, info, no, (NULL), (NULL), (NULL), (NULL), 3, 858, 1323, 2181, 0, 0, 14, 1, no, 0, Not Settings for Access Credentials SNMP Access Credentials for All Devices Use these Access Method Definition settings to allow FortiSIEM to access your over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> Telnet Access Credentials for All Devices These are the generic settings for providing Telnet access to your device from FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 402 Fortinet Technologies Inc. Firewalls Setting Name Device Type Access Protocol Port User Name Password Value Telnet-generic generic Telnet 23 A user who has permission to access the device over Telnet The password associated with the user SSH Access Credentials for All Devices These are the generic settings for providing SSH access to your device from FortiSIEM. Setting Name Device Type Access Protocol Port User Name Password Value ssh-generic Generic SSH 22 A user who has access credentials for your device over SSH The password for the user FortiSIEM 6.1.1 External Systems Configuration Guide 403 Fortinet Technologies Inc. Firewalls McAfee Firewall Enterprise (Sidewinder) l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected Used For Event Types In ADMIN > Device Support > Event, search for "sidewinder" in the Device Type column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration Syslog FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. l For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance. l For Port, enter 514. l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example. Settings for Access Credentials Use these Access Method Definition settings to allow FortiSIEM to access your device. FortiSIEM 6.1.1 External Systems Configuration Guide 404 Fortinet Technologies Inc. Firewalls Setting Name Device Type Access Protocol Port Password config Value <set name> McAfee Sidewinder Firewall See Access Credentials See Access Credentials See Password Configuration Sample Parsed Sidewinder Syslog Jun 18 10:34:08 192.168.2.10 wcrfw1 auditd: date="2011-06-18 14:34:08 +0000",fac=f_http_ proxy,area=a_libproxycommon, type=t_nettraffic,pri=p_ major,pid=2093,logid=0,cmd=httpp,hostname=wcrfw1.community.int,event="session end",app_ risk=low, app_categories=infrastructure,netsessid=1adc04dfcb760,src_ geo=US,srcip=74.70.205.191,srcport=3393,srczone=external,protocol=6, dstip=10.1.1.27,dstport=80,dstzone=dmz1,bytes_written_to_client=572,bytes_written_to_ server=408,rule_name=BTC-inbound, cache_hit=1,start_time="2011-06-18 14:34:08 +0000",application=HTTP FortiSIEM 6.1.1 External Systems Configuration Guide 405 Fortinet Technologies Inc. Firewalls Palo Alto Firewall l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP Telnet/SSH Syslog Information Discovered Metrics collected Host name, Hardware model, Network interfaces, Operating system version Uptime, CPU utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count Running configuration Configuration Change Device type Traffic log, Threat log (URL, Virus, Spyware, Vulnerability, File, Scan, Flood and data subtypes), config and system logs Used for Availability and Performance Monitoring Performance Monitoring, Security and Compliance Availability, Security and Compliance Event Types In ADMIN > Device Support > Event, search for "palo alto" in the Description column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports In RESOURCE > Reports , search for "palo alto" in the Description column to see the reports associated with this device. FortiSIEM 6.1.1 External Systems Configuration Guide 406 Fortinet Technologies Inc. Firewalls Configuration SNMP, SSH, and Ping 1. Log in to the management console for your firewall with administrator privileges. 2. In the Device tab, click Setup. 3. Click Edit. 4. Under MGMT Interface Services, make sure SSH, Ping, and SNMP are selected. 5. For SNMP Community String, enter public. 6. If there are entries in the Permitted IP list, Add the IP address of your FortiSIEM virtual appliance. 7. Click OK. 8. Go to Setup > Management and check that SNMP is enabled on the management interface. Syslog Set FortiSIEM as a Syslog Destination 1. Log in to the management console for your firewall with administrator privileges. 2. In the Device tab, go to Log Destinations > Syslog. 3. Click New. 4. Enter a Name for your FortiSIEM virtual appliance. 5. For Server, enter the IP address of your virtual appliance. 6. For Port, enter 514. 7. For Facility, select LOG_USER. 8. Click OK. Set the Severity of Logs to Send to FortiSIEM 1. In the Device tab, go to Log Settings > System. 2. Click Edit... . 3. For each type of log you want sent to FortiSIEM, select the FortiSIEM virtual appliance in the Syslog menu. 4. Click OK. Create a Log Forwarding Profile 1. In the Objects tab, go to Log Forwarding > System. 2. Create a new log forwarding profile by entering a Name for the profile, and then setting Syslog to the IP address of your FortiSIEM virtual appliance for each type of log you want send to FortiSIEM. 3. Click OK. Use the Log Forwarding Profile in Firewall Policie 1. In the Policies tab, go to Security > System. 2. For each security rule that you want to send logs to FortiSIEM, click Options. 3. For Log Forwarding Profile, select the profile you created for FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 407 Fortinet Technologies Inc. Firewalls 4. Click OK. 5. Commit changes. Logging Permitted Web Traffic By default, Palo Alto firewalls only log web traffic that is blocked by URL filtering policies. If you must log permitted web traffic, follow these steps. 1. In the Objects tab, go to Security Profiles > URL Filtering. 2. Edit an existing profile by clicking on its name, or click Add to create a new one. 3. For website categories that you want to log, select Alert. Traffic matching these website category definitions will be logged. 4. Click OK. 5. For each security rule that you want to send logs to FortiSIEM, edit the rule and add the new url filter. Sample Parsed Palo Alto Syslog Message <14>May 6 15:51:04 1,2010/05/06 15:51:04,0006C101167,TRAFFIC,start,1,2010/05/06 15:50:58,192.168.28.21,172.16.255.78,::172.16.255.78,172.16.255.78,rule3,,,icmp,vsys1,untrus t,untrust,ethernet1/1,ethernet1/1,syslog-172.16.20.152,2010/05/06 15:51:04,600,2,0,0,0,0,0x40,icmp,allow,196,196,196,2,2010/05/06 15:50:58,0,any,0 <14>May 6 15:51:15 1,2010/05/06 15:51:15,0006C101167,SYSTEM,general,0,2010/05/06 15:51:15,,unknown,,0,0,general,informational,User admin logged in via CLI from 192.168.28.21 <14>May 9 17:55:21 1,2010/05/09 17:55:21,0006C101167,THREAT,url,6,2010/05/09 17:55:20,172.16.2.2,216.163.137.68,::172.16.255.78,216.163.137.68,DynamicDefault,,,webbrowsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,syslog-172.16.20.152,2010/05/09 17:55:21,976,1,1126,80,38931,80,0x40,tcp,block-url,"www.playboy.com/favicon.ico", (9999),adult-and-pornography,informational,0 Settings for Access Credentials SNMP Access Credentials for All Devices Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> Telnet Access Credentials for All Devices These are the generic settings for providing Telnet access to your device from FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 408 Fortinet Technologies Inc. Firewalls Setting Name Device Type Access Protocol Port User Name Password Value Telnet-generic generic Telnet 23 A user who has permission to access the device over Telnet The password associated with the user SSH Access Credentials for All Devices These are the generic settings for providing SSH access to your device from FortiSIEM. Setting Name Device Type Access Protocol Port User Name Password Value ssh-generic Generic SSH 22 A user who has access credentials for your device over SSH The password for the user FortiSIEM 6.1.1 External Systems Configuration Guide 409 Fortinet Technologies Inc. Firewalls Sophos UTM l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected Configuration change, command execution Used For Log Management, Compliance and SIEM Event Types In ADMIN > Device Support > Event, search for "sophos-utm" to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration Syslog FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. l For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance. l For Port, enter 514. Settings for Access Credentials Use these Access Method Definition settings to allow FortiSIEM to access your device. Setting Name Value <set name> FortiSIEM 6.1.1 External Systems Configuration Guide 410 Fortinet Technologies Inc. Firewalls Setting Device Type Access Protocol Port Password config Value Sophos UTM See Access Credentials See Access Credentials See Password Configuration Sample Syslog Message <30>2016:07:05-16:57:39 c-server-1 httpproxy[15760]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.10.10.10" dstip="1.1.1.1" user="" group="" ad_domain="" statuscode="302" cached="0" profile="REF_ DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffCustoConteFilte (Custom_Default content filter action)" size="0" request="0xdc871600" url="http://a.com" referer="http://foo.com/bar/" error="" authtime="0" dnstime="1" cattime="24080" avscantime="0" fullreqtime="52627" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions="" category="154" reputation="unverified" categoryname="Web Ads" FortiSIEM 6.1.1 External Systems Configuration Guide 411 Fortinet Technologies Inc. Firewalls Stormshield Network Security l Integration Points l Configuring Stormshield to Send Logs l Configuring FortiSIEM to Receive Logs l Stormshield Event Types l Stormshield Sample Logs Integration Points Protocol Syslog Information Collected Firewall logs Used For Security and Compliance Monitoring Configuring Stormshield to Send Logs Follow the steps listed here under the Choose where to save logs section, to save logs. Configuring FortiSIEM to Receive Logs No configuration is needed. FortiSIEM can automatically detect and parse Stormshield logs based on the built in parser. Stormshield Event Types Go to Resources > Event Type and search "Stormshield-" Stormshield Sample Logs id=firewall time="2019-02-24 16:38:01" fw="SN310A17B0323A7" tz=+0100 startime="2019-0224 16:38:00" pri=5 confid=00 slotlevel=2 ruleid=4 rulename="1690fb96019_7" srcif="Ethernet0" srcifname="out" ipproto=udp proto=ssdp src=10.11.11.11 srcport=49907 srcportname=ephemeral_fw_udp srcname=skywalker srcmac=11:11:11:11:11:11 dst=10.10.10.10 dstport=1900 dstportname=sdp ipv=4 sent=0 rcvd=0 duration=0.00 action=pass logtype="filter" FortiSIEM 6.1.1 External Systems Configuration Guide 412 Fortinet Technologies Inc. Firewalls Tigera Calico l Integration Points l Configuring Tigera Calico to Send Logs l Configuring FortiSIEM to Receive Logs l Tigera Calico Event Types l Tigera Calico Sample Logs Integration Points Protocol Syslog Information Collected Flow, Audit and DNS logs Used For Security and Compliance Monitoring Configuring Tigera Calico to Send Logs Follow the steps listed here to send syslog to FortiSIEM. Configuring FortiSIEM to Receive Logs No configuration is needed. FortiSIEM can automatically detect and parse Tigera Calico logs based on the built in parser. Tigera Calico Event Types Go to Resources > Event Type and search "Calico_Enterprise_" Tigera Calico Sample Logs <14>May 8 15:49:58 ip-10-0-0-193.ec2.internal tigera_secure: {"start_ time":1588952982,"end_time":1588952992,"source_ip":"10.48.98.2","source_name":"elasticoperator-0","source_name_aggr":"elastic-operator-*","source_namespace":"tigera-eckoperator","source_port":null,"source_type":"wep","source_labels":{"labels":["k8sapp=elastic-operator","statefulset.kubernetes.io/pod-name=elastic-operator-0","controlplane=elastic-operator","controller-revision-hash=elastic-operator-6fc7545df5"]},"dest_ ip":"10.48.241.198","dest_name":"tigera-secure-es-es-0","dest_name_aggr":"tigerasecure-es-es-*","dest_namespace":"tigera-elasticsearch","dest_port":9200,"dest_ type":"wep","dest_labels":{"labels":["statefulset.kubernetes.io/pod-name=tigera-securees-es-0","elasticsearch.k8s.elastic.co/version=7.3.2","controller-revision-hash=tigerasecure-es-es-757895bb98","elasticsearch.k8s.elastic.co/httpscheme=https","elasticsearch.k8s.elastic.co/statefulset-name=tigera-secure-eses","elasticsearch.k8s.elastic.co/node-data=true","elasticsearch.k8s.elastic.co/confighash=1585026949","elasticsearch.k8s.elastic.co/nodeml=true","common.k8s.elastic.co/type=elasticsearch","elasticsearch.k8s.elastic.co/node- FortiSIEM 6.1.1 External Systems Configuration Guide 413 Fortinet Technologies Inc. Firewalls ingest=true","elasticsearch.k8s.elastic.co/nodemaster=true","elasticsearch.k8s.elastic.co/cluster-name=tigerasecure"]},"proto":"tcp","action":"allow","reporter":"dst","policies":{"all_policies": ["0|allow-tigera|tigera-elasticsearch/allow-tigera.elasticsearchaccess|allow"]},"bytes_in":2593,"bytes_out":4617,"num_flows":3,"num_flows_ started":1,"num_flows_completed":1,"packets_in":17,"packets_out":10,"http_requests_ allowed_in":0,"http_requests_denied_in":0,"original_source_ips":null,"num_original_ source_ips":0,"host":"fluentd-node-xzscj"} FortiSIEM 6.1.1 External Systems Configuration Guide 414 Fortinet Technologies Inc. Firewalls WatchGuard Firebox Firewall l Integration points l Configuring Watchguard Firebox for SNMP Access l Configuring FortiSIEM Integration points Protocol SNMP Information Discovered Performance metrics CPU., Memory, Uptime, Interface Usage statistics, Connection rate and Policy Statistics Used For Performance and Availability Monitoring Configuring Watchguard Firebox for SNMP Access 1. Logon to Watchguard Firebox Management Console. 2. Follow Watchguard Firebox documentation to allow inbound SNMP access (default UDP port 161) to appropriate FortiSIEM node that will communicate to Firebox node. 3. Note the SNMP credentials. FortiSIEM supports versions 1, 2 and 3. Configuring FortiSIEM Use the account in previous step to enable FortiSIEM access: 1. Login to FortiSIEM. 2. Go to ADMIN > Setup > Credential. 3. Click New to create Generic SNMP credential: a. Device Type = Generic b. Access Protocol = SNMP or SNMP V3 c. Choose the SNMP protocol (default 161) d. Password config: Manual or CyberArk. See Password Configuration. e. If Access Protocol was chosen as SNMP, then enter Community string. f. If Access Protocol was chosen as SNMP V3, then enter detailed SNMP V3 security configuration and credentials g. Click Save. 4. Enter an IP Range to Credential Association. a. Enter IP or IP Range containing the Firebox firewall. Allowed formats are comma separated IP, IP Range formatted as IP1-IP2 or IP range in CIDR notation. b. Select the Credential created in step 3 above. c. Click Save. 5. Select the entry in step 4 and click Test Connectivity. If it succeeds, then the credential is correct. 6. Go to ADMIN > Setup > Discover. FortiSIEM 6.1.1 External Systems Configuration Guide 415 Fortinet Technologies Inc. Firewalls 7. Create a discovery entry containing the IP Address of the Firebox firewall and discover the device. Make sure Discovery succeeds. 8. An entry will be created in ADMIN > Setup > Change/Monitor corresponding to this firewall. FortiSIEM will start to pull SNMP metrics from this firewall. FortiSIEM 6.1.1 External Systems Configuration Guide 416 Fortinet Technologies Inc. Load Balancers and Application Firewalls FortiSIEM supports these load balancers and application firewalls for discovery and monitoring. l Brocade ServerIron ADX l Citrix Netscaler Application Delivery Controller (ADC) l F5 Networks Application Security Manager l F5 Networks Local Traffic Manager l F5 Networks Web Accelerator l Fortinet FortiADC l Qualys Web Application Firewall FortiSIEM 6.1.1 External Systems Configuration Guide 417 Fortinet Technologies Inc. Brocade ServerIron ADX l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol SNMP Information discovered Metrics/Logs collected Used for Host name, serial number, hardware (CPU, memory, network interface etc) Uptime, CPU, Memory, Interface Utilization, Hardware status, Real Server Statistics Performance/Availability Monitoring Event Types l PH_DEV_MON_SYS_CPU_UTIL [PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO, [fileName]=deviceBrocadeServerIron.cpp,[lineNumber]=434,[cpuName]=CPU,[hostName]=lb11008-qts,[hostIpAddr]=10.120.3.15,[cpuUtil]=55.000000,[pollIntv]=176,[phLogDetail]= l PH_DEV_MON_SYS_MEM_UTIL [PH_DEV_MON_SYS_MEM_UTIL]:[eventSeverity]=PHL_INFO, [fileName]=deviceBrocadeServerIron.cpp,[lineNumber]=456,[memName]=Physical Memory,[hostName]=lb1-1008-qts,[hostIpAddr]=10.120.3.15,[memUtil]=10.000000, [pollIntv]=176,[phLogDetail]= l PH_DEV_MON_NET_INTF_UTIL [PH_DEV_MON_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phIntfFilter.cpp, [lineNumber]=323,[intfName]=GigabitEthernet8,[intfAlias]=,[hostName]=lb1-1008-qts, [hostIpAddr]=10.120.3.15,[pollIntv]=56,[recvBytes64]=1000000, [recvBitsPerSec]=142857.142857,[inIntfUtil]=0.014286,[sentBytes64]=2000000, [sentBitsPerSec]=285714.285714,[outIntfUtil]=0.028571,[recvPkts64]=0,[sentPkts64]=0, [inIntfPktErr]=0,[inIntfPktErrPct]=0.000000,[outIntfPktErr]=0, [outIntfPktErrPct]=0.000000,[inIntfPktDiscarded]=0,[inIntfPktDiscardedPct]=0.000000, [outIntfPktDiscarded]=0,[outIntfPktDiscardedPct]=0.000000,[outQLen64]=0, [intfInSpeed64]=1000000000,[intfOutSpeed64]=1000000000,[intfAdminStatus]=up, [intfOperStatus]=up,[daysSinceLastUse]=0,[totIntfPktErr]=0, [totBitsPerSec]=428571.428571,[phLogDetail]= l PH_DEV_MON_SERVERIRON_REAL_SERVER_STAT FortiSIEM 6.1.1 External Systems Configuration Guide 418 Fortinet Technologies Inc. Load Balancers and Application Firewalls [PH_DEV_MON_SERVERIRON_REAL_SERVER_STAT]:[eventSeverity]=PHL_INFO, [fileName]=deviceBrocadeServerIron.cpp,[lineNumber]=507,[hostName]=lb1-1008-qts, [hostIpAddr]=10.120.3.15,[realServerIpAddr]=10.120.10.131,[realServerState]=7, [failedPortExists]=2,[openConnectionsCount]=2,[peakConns]=114,[activeSessions]=4, [phLogDetail]= l PH_DEV_MON_HW_STATUS [PH_DEV_MON_HW_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=deviceBrocadeServerIron.cpp, [lineNumber]=359,[hostName]=lb1-1008-qts,[hostIpAddr]=10.120.3.15,[hwStatusCode]=2, [hwPowerSupplyStatus]=0,[hwTempSensorStatus]=2,[hwFanStatus]=0,[phLogDetail]= [PH_DEV_MON_HW_STATUS_TEMP_CRIT]:[eventSeverity]=PHL_CRITICAL,[fileName]=device.cpp, [lineNumber]=13812,[hostName]=lb1-1008-qts,[hostIpAddr]=10.120.3.15,[hwStatusCode]=2, [hwComponentName]=1-Temperature sensor,[hwComponentStatus]=Critical,[phLogDetail]= l PH_DEV_MON_HW_TEMP [PH_DEV_MON_HW_TEMP]:[eventSeverity]=PHL_INFO,[fileName]=deviceBrocadeServerIron.cpp, [lineNumber]=401,[hostName]=lb1-1008-qts,[hostIpAddr]=10.120.3.15, [hwComponentName]=Temp1,[envTempDegF]=90,[phLogDetail]= Rules There are no predefined rules for this device other than covered by generic network devices. Reports There are no predefined reports for this device other than covered by generic network devices. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Use these Access Method Definition settings to allow FortiSIEM to access your device. Setting Name Value <set name> FortiSIEM 6.1.1 External Systems Configuration Guide 419 Fortinet Technologies Inc. Load Balancers and Application Firewalls Setting Device Type Access Protocol Port Password config Value Brocade ServerIron ADX See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 420 Fortinet Technologies Inc. Load Balancers and Application Firewalls Citrix Netscaler Application Delivery Controller (ADC) l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Syslog Information discovered Metrics/Logs collected Permitted and Denied traffic Used for Log analysis and compliance Event Types In ADMIN > Device Support > Event, search for "netscaler" in the Device Type column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports In RESOURCE > Reports , search for "nestler" in the Name column to see the reports associated with this device. Configuration Syslog FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. l For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance. l For Port, enter 514. l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example. Settings for Access Credentials Use these Access Method Definition settings to allow FortiSIEM to access your device. FortiSIEM 6.1.1 External Systems Configuration Guide 421 Fortinet Technologies Inc. Load Balancers and Application Firewalls Setting Name Device Type Access Protocol Port Password config Value <set name> Citrix NetScalar See Access Credentials See Access Credentials See Password Configuration Example Syslog <182> 07/25/2012:19:56:41 PPE-0 : UI CMD_EXECUTED 473128 : User nsroot - Remote_ip 10.13.8.75 - Command "show ns hostName" - Status "Success"<181> 07/25/2012:19:56:05 NS2MAIL PPE-0 : EVENT DEVICEUP 33376 : Device "server_vip_NSSVC_SSL_172.17.102.108:443 (accellion:443)" - State UP <181> 07/25/2012:19:55:35 NS2-MAIL PPE-0 : EVENT DEVICEDOWN 33374 : Device "server_vip_ NSSVC_SSL_172.17.102.108:443(accellion:443)" - State DOWN <182> 07/24/2012:15:37:08 PPE-0 : EVENT MONITORDOWN 472795 : Monitor Monitor_http_of_ Domapps:80(10.50.15.14:80) - State DOWN FortiSIEM 6.1.1 External Systems Configuration Guide 422 Fortinet Technologies Inc. Load Balancers and Application Firewalls F5 Networks Application Security Manager l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Syslog Information discovered Metrics/Logs collected Various application level attack scenarios - invalid directory access, SQL injections, cross site exploits. Used for Log analysis and compliance Event Types In ADMIN > Device Support > Event, search for "f5-asm" in the Name column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration Syslog FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. l For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance. l For Port, enter 514. l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example. FortiSIEM 6.1.1 External Systems Configuration Guide 423 Fortinet Technologies Inc. Load Balancers and Application Firewalls Example Syslog <134>Jun 26 14:18:56 f5virtual.tdic.ae ASM:CEF:0|F5|ASM|10.2.1|Successful Request|Successful Request|2|dvchost=f5virtual.adic.com dvc=192.168.1.151 cs1=master-key_default cs1Label=policy_name cs2=master-key cs2Label=web_application_name deviceCustomDate1=Jul 13 2011 16:24:25 deviceCustomDate1Label=policy_apply_date externalId=3601068286554428885 act=passed cn1=404 cn1Label=response_code src=10.10.77.54 spt=49399 dst=10.10.175.82 dpt=443 requestMethod=POST app=HTTPS request=/ipp/port1 cs5=N/A cs5Label=x_forwarded_for_header_ value rt=Jun 26 2012 14:18:55 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A cs6Label=geo_location cs3Label=full_request cs3=POST /ipp/port1 HTTP/1.1\r\nHost: 127.0.0.1:631\r\nCache-Control: no-cache\r\nContent-Type: application/ipp\r\nAccept: application/ipp\r\nUser-Agent: Hewlett-Packard IPP\r\nContent-Length: 9\r\n\r\n FortiSIEM 6.1.1 External Systems Configuration Guide 424 Fortinet Technologies Inc. Load Balancers and Application Firewalls F5 Networks Local Traffic Manager l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol Information discovered SNMP Host name, serial number, hardware (CPU, memory, network interface, disk etc) and software information (running and installed software) SNMP Trap Syslog Metrics/Logs collected Uptime, CPU, Memory, Disk utilization, Interface Utilization, Hardware status, process level CPU and memory urilization Exception situations including hardware failures, certain security attacks, Policy violations etc Permitted and Denied traffic Used for Performance/Availability Monitoring Performance/Availability Monitoring Log analysis and compliance Event Types In ADMIN > Device Support > Event, search for "f5-LTM" in the Name column to see the event types associated with this device. Search for "f5-BigIP" in ADMIN > Device Support > Event to see event types associated with SNMP traps for this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. FortiSIEM 6.1.1 External Systems Configuration Guide 425 Fortinet Technologies Inc. Load Balancers and Application Firewalls Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. SNMP Trap FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send send SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. Example SNMP Trap 2012-01-18 14:13:43 0.0.0.0(via UDP: [192.168.20.243]:161) TRAP2, SNMP v2c, community public . Cold Start Trap (0) Uptime: 0:00:00.00 DISMAN-EVENT- MIB::sysUpTimeInstance = Timeticks: (33131) 0:05:31.31 SNMPv2- MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.3375.2.5.0.1 Syslog FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. l For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance. l For Port, enter 514. l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example. Example Syslog <133>Oct 20 13:52:46 local/tmm notice tmm[5293]: 01200004:5: Packet rejected remote IP 172.16.128.26 port 137 local IP 172.16.128.255 port 137 proto UDP: Port closed. <134>Jul 30 15:28:33 tmm1 info tmm1[7562]: 01070417: 134: ICSA: non-session UDP packet accepted, source: 112.120.125.48 port: 10144, destination: 116.58.240.252 port: 53 <134>Jul 30 15:28:33 tmm1 info tmm1[7562]: 01070417: 134: ICSA: non-session TCP packet accepted, source: 108.83.156.153 port: 59773, destination: 116.58.240.225 port: 80 <134>Jul 30 15:28:33 tmm2 info tmm2[7563]: 01070417: 134: ICSA: non-session ICMP packet accepted, source: 10.11.218.10, destination: 10.255.111.2, type code: Echo Reply FortiSIEM 6.1.1 External Systems Configuration Guide 426 Fortinet Technologies Inc. Load Balancers and Application Firewalls Settings for Access Credentials SNMP Access Credentials for All Devices Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> FortiSIEM 6.1.1 External Systems Configuration Guide 427 Fortinet Technologies Inc. Load Balancers and Application Firewalls F5 Networks Web Accelerator l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Syslog Information discovered Metrics/Logs collected Permitted traffic Used for Log analysis and compliance Event Types In ADMIN > Device Support > Event, search for "f5-web" in the Name column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration Syslog FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. l For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance. l For Port, enter 514. l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example. Example Syslog <182>Oct 20 13:52:56 local/BadReligion1 info logger: [ssl_acc] 1.1.1.2 - admin [20/Oct/2011: 13:52:56 -0400] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 654 FortiSIEM 6.1.1 External Systems Configuration Guide 428 Fortinet Technologies Inc. Load Balancers and Application Firewalls Fortinet FortiADC Integration Points Method syslog Information discovered Host name, Reporting IP Metrics collected None LOGs collected Used for Event, Security and Traffic logs Security monitoring Event Types In ADMIN > Device Support > Event, Search for "FortiADC" to see the event types associated with this device. Rules No specific rules are written for FortiADC Web application firewall but generic firewall rules will apply. Reports No specific reports are written for FortiADC Web application firewall but generic firewall rules will apply. Configuration Configure FortiADC Web application firewall to send logs to FortiSIEM in the supported format (see Sample events below) Settings for Access Credentials None required Sample Events <6>date=2019-06-12 time=13:05:52 device_id=FAD2KD3114000026 log_id=0000000100 type=event subtype=config pri=information vd=root msg_id=71118385 user=user1 ui=GUI(1.2.3.4) action=add cfgpath=log setting remote cfgobj=<No.> cfgattr=1 logdesc=Change the configuration msg="added a new entry '1' for "log setting remote" on domain "root"" <1>date=2019-06-12 time=13:06:52 device_id=FAD2KD3114000026 log_id=0003000235 type=event subtype=system pri=alert vd=root msg_id=71118386 submod=update user=system ui=system action=update status=none logdesc=License could not be validated msg="Unable to connect to FDS server" FortiSIEM 6.1.1 External Systems Configuration Guide 429 Fortinet Technologies Inc. Load Balancers and Application Firewalls Qualys Web Application Firewall l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Syslog Information discovered Metrics/Logs collected Permitted and Denied Web traffic Used for Log analysis and compliance Event Types The following event types are generated by parsing Qualys Web Application Firewall traffic logs and analyzing the HTTP error code. l Qualys-WAF-Web-Request-Success l Qualys-WAF-Web-Bad-Request l Qualys-WAF-Web-Client-Access-Denied l Qualys-WAF-Web-Client-Error l Qualys-WAF-Web-Forbidden-Access-Denied l Qualys-WAF-Web-Length-Reqd-Access-Denied l Qualys-WAF-Web-Request l Qualys-WAF-Web-Request-Redirect l Qualys-WAF-Web-Server-Error Rules There are no predefined rules for this device. Reports Relevant reports are defined in RESOURCE > Reports > Device > Network > Web Gateway. Configuration FortiSIEM processes events from this device via syslog sent in JSON format. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. FortiSIEM 6.1.1 External Systems Configuration Guide 430 Fortinet Technologies Inc. Load Balancers and Application Firewalls Setting Name Device Type Access Protocol Port Password config Value <set name> Qualys Web Application Firewall See Access Credentials See Access Credentials See Password Configuration Example Syslog Note that each JSON formatted syslog contains many logs. <1350>1 2015-05-15T12:57:30.945000+00:00 localhost qualys_waf - QUALYS_WAF {"timestamp":"2015-05-15T12:57:30.945-00:00","duration":6011,"id":"487c116c-4908-4ce3-b05ceda5d5bb7045","clientIp":"172.27.80.170","clientPort":9073,"sensorId":"d3acc41f-d1fc-43beaf71-e7e10e9e66e2","siteId":"41db0970-8413-4648-b7e2-c50ed53cf355","connection": {"id":"bc1379fe-317e-4bae-ae302a382e310170","clientIp":"172.27.80.170","clientPort":9073,"serverIp":"192.168.60.203","serv erPort" :443},"request":{"method":"POST","uri":"/","protocol":"HTTP/1.1","host":"eserstest.foo.org","bandwidth":0,"headers":[{"name":"Content-Length","value":"645"}, {"name":"Accept","value":"text/html,application/xhtml+xml,application/xml;q=0.9,image/web p,*/*; q=0.8"},{"name":"User-Agent","value":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36"},{"name":"ContentType","value":"application/x-www-form-urlencoded"},{"name":"Referer","value":"https://eserstest.ohsers.org/"},{"name":"Accept-Encoding","value":"gzip, deflate"},{"name":"AcceptLanguage","value":"en-US,en;q=0.8"}],"headerOrder":"HILCAUTRELO"},"response": {"protocol":"HTTP/1.1","status":"200","message":"OK","bandwidth":0,"headers": [{"name":"Content-Type","value":"text/html; charset=utf-8"}, {"name":"Server","value":"Microsoft-IIS/8.5"},{"name":"ContentLength","value":"10735"}],"headerOrder":"CTXSDL"},"security":{"auditLogRef":"b02f96e9-26494a83-9459-6a02da1a5f05","threatLevel":60,"events":[{"tags": ["qid/226015","cat/XPATHi","cat/SQLi","qid/150003","loc/req/body/txtUserId","cfg/pol/applica tionSecurity"], "type":"Alert","rule":"main/qrs/sqli/xpathi/condition_escaping/boolean/confidence_ high/3","message":"Condition escaping detected (SQL or XPATH injection) txtUserId.","confidence":80,"severity":60,"id":"262845566"},{"tags": ["cat/correlation","qid/226016"],"type":"Observation","rule":"main/correlation/1", "message":"Info: Threat level exceeded blocking threshold (60).","confidence":0,"severity":0,"id":"262846018"},{"tags": ["cat/correlation","qid/226016"],"type":"Observation","rule":"main/correlation/1", FortiSIEM 6.1.1 External Systems Configuration Guide 431 Fortinet Technologies Inc. Load Balancers and Application Firewalls "message":"Info: Blocking refused as blocking mode is disabled.","confidence":0,"severity":0,"id":"262846167"},{"tags": ["cat/correlation","cat/XPATHi","qid/226015"],"type":"Alert","rule": "main/correlation/1","message":"Detected: XPATHi.","confidence":80,"severity":60,"id":"268789851"}]}} FortiSIEM 6.1.1 External Systems Configuration Guide 432 Fortinet Technologies Inc. Log Aggregators Log Aggregators FortiSIEM supports these log aggregators. l Fortinet FortiAnalyzer FortiSIEM 6.1.1 External Systems Configuration Guide 433 Fortinet Technologies Inc. Fortinet FortiAnalyzer Fortinet FortiAnalyzer Overview l Configuring FortiAnalyzer l Configuring FortiSIEM Collectors to Receive Logs from FortiAnalyzer Overview Customers of both FortiAnalyzer and FortiSIEM may want to take already aggregated event data received on FortiAnalzyer and forward those events to FortiSIEM. Configuring FortiAnalyzer l Setting Up the Syslog Server l Pre-Configuration for Log Forwarding l Configuring Log Forwarding Setting Up the Syslog Server 1. Login to FortiAnalyzer. 2. Go to System Settings > Advanced > Syslog Server. a. Click the Create New button. b. Enter the Name. (It is recommended to use the name of the FortiSIEM server.) c. Fill in the IP address (or FQDN) with the IP or a fully qualified name of the FortiSIEM server. d. Leave the Syslog Server Port to the default value '514'. e. Click OK to save your entries. Pre-Configuration for Log Forwarding To configure FortiAnalyzer event forwarding to FortiSIEM, you must first set up the following. 1. 1. Install a FortiSIEM collector in the same subnet as FortiAnalyzer that will be forwarding the events. Note: The same subnet request is required as FortiAnalyzer will later be configured to spoof packets to the collector. RPF (reverse path forwarding checks) on network equipment would have to be disabled if FortiAnalyzer and collector existed on different subnets. 2. 2. It is recommended that for every 5,000 EPS (events per second) ingested, you add 1 collector that is 8vCPU, 8GB RAM. If you have more than 5,000 EPS forwarding from FortiAnalyzer, please set up a load balancer with multiple collectors behind it, allowing UDP 514 inbound. Configuring Log Forwarding Take the following steps to configure log forwarding on FortiAnalyzer. FortiSIEM 6.1.1 External Systems Configuration Guide 434 Fortinet Technologies Inc. Fortinet FortiAnalyzer 1. Go to System Settings > Log Forwarding. 2. Click the Create New button in the toolbar. The Create New Log Forwarding pane opens. 3. fill in the information as per the below table, then click OK to create the new log forwarding. The FortiAnalyzer device will start forwarding logs to the server. Field Name Status Remote Server Type Compression Sending Frequency Log Forwarding Filters Input FortiSIEM-Forwarding On Syslog OFF Real-time Select all desired Administrative Domains (ADOMs) / device logs you'd like to forward 4. Go to the CLI Console and configure the CLI only log forward option by running the following CLI commands. Notes: l Logs received by FortiAnalyzer, and then forwarded to FortiSIEM, have the source IP of the log packet overwritten with the IP address of the FortiAnalyzer appliance. This hides the "true" source of the log packet from FortiSIEM. To override this behavior, FortiAnalyzer can spoof the original log sender's IP address when forwarding to FortiSIEM. This allows FortiSIEM collectors to receive all the original information as if it received the logs directly from the originating device. l For FortiAnalyzer versions 6.0 and later, use the following CLI: Note: Replace <id> with the actual name of the log forward created earlier. config system log-forward edit <id> set mode forwarding set fwd-max-delay realtime set server-name "<FSM_Collector>" set server-ip "a.b.c.d" set fwd-log-source-ip original_ip set fwd-server-type syslog next end l For FortiAnalyzer versions 5.6 to 5.9, use the following CLI: Note: Replace <id> with the actual name of the log forward created earlier. config system log-forward edit <id> set mode forwarding set fwd-max-delay realtime set server-ip "a.b.c.d" set fwd-log-source-ip original_ip set fwd-server-type syslog FortiSIEM 6.1.1 External Systems Configuration Guide 435 Fortinet Technologies Inc. Fortinet FortiAnalyzer next end l For FortiAnalyzer versions earlier than 5.6, use the following CLI: Note: For <id>, you can choose the number for your FortiSIEM syslog entry. config system aggregation-client edit <id> set fwd-log-source-ip original_ip end Configuring FortiSIEM Collector to Receive Logs from FortiAnalyzer To configure the FortiSIEM collector to receive logs from FortiAnalyzer, you will need to disable RPF checks that would normally cause the collector virtual machine from dropping the log packet as it is spoofed. sysctl -w net.ipv4.conf.all.rp_filter=0 To make this change persistent across reboots, add the following code to the /etc/sysctl.conf file. net.ipv4.conf.all.rp_filter=0 FortiSIEM 6.1.1 External Systems Configuration Guide 436 Fortinet Technologies Inc. Network Compliance Management Applications FortiSIEM supports these Network Compliance Management applications and monitoring. l Cisco Network Compliance Manager l PacketFence FortiSIEM 6.1.1 External Systems Configuration Guide 437 Fortinet Technologies Inc. Cisco Network Compliance Manager What is Discovered and Monitored Protocol Syslog Information discovered Metrics/Logs collected Network device software update, configuration analysis for compliance, admin login Used for Log analysis and compliance Event Types Over 40 event types are generated by parsing Cisco Network Configuration Manager logs. The complete list can be found in ADMIN > Device Support > Event by searching for Cisco-NCM. Some important ones are l Cisco-NCM-Device-Software-Change l Cisco-NCM-Software-Update-Succeeded l Cisco-NCM-Software-Update-Failed l Cisco-NCM-Policy-Non-Compliance l Cisco-NCM-Device-Configuration-Deployment l Cisco-NCM-Device-Configuration-Deployment-Failure Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. Example Syslog Note that each JSON formatted syslog contains many logs. 490998571 Mon Mar 03 03:09:31 EST 2014 Savvy Device Command Script Completed Successfully server01.foo.com 10.4.161.32 Script 'Re-enable EasyTech port for Cisco IOS configuration' completed. Connect - Succeeded Connected via ssh to 10.170.30.9 [in realm Default Realm] FortiSIEM 6.1.1 External Systems Configuration Guide 438 Fortinet Technologies Inc. Network Compliance Management Applications Login / Authentication - Succeeded Successfully used: Last successful password (Password rule Retail TACACS NCM Login) Optional:Script - Succeeded Successfully executed: prepare configuration for deployment Script - Succeeded Successfully executed: deploy to running configuration via TFTP through CLI Bypassed: deploy to running configuration via SCP through CLI. (Requires SCP, CLI to be enabled.) Tried: deploy to running configuration via FTP through CLI (Warning: SSH server username or password not specified in NA admin settings.) Optional:Script - Succeeded Successfully executed: determine result of deployment operation Script run: ------------------------------------------------------------ ! interface fast0/16 no shut 491354611 Tue Mar 04 03:38:22 EST 2014 FooA Software Update Succeeded server01.foo.com 1.1.1.32 44571 10.173.30.9 $OrignatorEmail$ FooA Update Device Software 2014-03-04 03:30:00.0 usmist_1699295009 (1.13.3.9) Succeeded FortiSIEM 6.1.1 External Systems Configuration Guide 439 Fortinet Technologies Inc. Network Compliance Management Applications PacketFence Network Access Control (NAC) l Integration points l Configuring PacketFence Network Access Control l Parsing and Events Integration points Protocol Syslog Information Discovered User network admission control events Used For Security and Compliance Configuring PacketFence NAC Follow PacketFence NAC documentation to send syslog to FortiSIEM. Configuring FortiSIEM FortiSIEM automatically recognizes PacketFence NAC syslog as long it follows the following format as shown in the sample syslog: Oct 9 11:29:34 10.2.204.81 1 2018-10-09T11:29:34.04189+01:00 example.com packetfence.log - - Oct 11 15:42:00 httpd.aaa(4765) WARN: [mac:40:83:1d:12:2a:cb] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match) Parsing and Events Over 20 events are parsed see event Types in Resources > Event Types and search for "PacketFence-NAC-". FortiSIEM 6.1.1 External Systems Configuration Guide 440 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) FortiSIEM supports these intrusion prevention systems for discovery and monitoring. l 3COM TippingPoint UnityOne IPS l AirTight Networks SpectraGuard l Alert Logic IRIS API l Cisco Firepower Management Center (FMC) - Formerly Cisco FireSIGHT and FirePower Threat Defence l Cisco Intrusion Prevention System l Cisco Stealthwatch l Cylance Protect Endpoint Protection l Cyphort Cortex Endpoint Protection l Damballa Failsafe l Darktrace CyberIntelligence Platform l FireEye Malware Protection System (MPS) l FortiDDoS l Fortinet FortiDeceptor l Fortinet FortiNAC l Fortinet FortiSandbox Configuration l Fortinet FortiTester l IBM Internet Security Series Proventia l Indegy Security Platform l Juniper DDoS Secure l Juniper Networks IDP Series l McAfee IntruShield l McAfee Stonesoft IPS l Motorola AirDefense l Nozomi l Radware DefensePro l Snort Intrusion Prevention System l Sourcefire 3D and Defense Center l Trend Micro Deep Discovery l Zeek (Bro) Installed on Security Onion FortiSIEM 6.1.1 External Systems Configuration Guide 441 Fortinet Technologies Inc. 3Com TippingPoint UnityOne IPS What is Discovered and Monitored Protocol SNMP Information Discovered Syslog Metrics Collected CPU, memory, Interface utilization IPS Alerts Used For Performance and Availability Monitoring Security Monitoring Event Types In ADMIN > Device Support > Event, search for "tippingpoint" in the Device Type and Description columns to see the event types associated with this device. Configuration SNMP 1. Log in to the TippingPoint appliance or the SMS Console. 2. Go to System > Configuration > SMS/NMS. 3. For SMS Authorized IP Address/CIDR, make sure any is entered. 4. Select Enabled for SNMP V2. 5. For NMS Community String, enter public. 6. Click Apply. Syslog 1. Log in to the TippingPoint appliance or the SMS Console. 2. Go to System > Configuration > Syslog Servers. 3. Under System Log, enter the IP Address of the FortiSIEM virtual appliance. 4. Select Enable syslog offload for System Log. 5. Under Aud Log, enter the IP Address of the FortiSIEM virtual appliance. 6. Select Enable syslog offload for Audit Log. 7. Click Apply. Configure the Syslog Forwarding Policy (Filter Notification Forwarding) The filter log can be configured to generate events related to specific traffic on network segments that must pass through the device. This log includes three categories of events. Event Category Alert Description Alert events indicate that the IPS has detected FortiSIEM 6.1.1 External Systems Configuration Guide 442 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Event Category Block P2P Description suspicious activity in the packet, but still permits the packet to pass through (specific settings are controlled by administrator profile) Block events are malicious packets not permitted to pass Refers to peer-to-peer traffic events In addition, filter events contain a UUID, which is a unique numerical identifier that correlates with the exact security threat defined by Tipping Point Digital Vaccine Files. The FortiSIEM Virtual Appliance will correlate these with authoritative databases of security threats. 1. Go to IPS > Action Sets. 2. Click Permit + Notify. 3. Under Contacts, click Remote Syslog. 4. Under Remote Syslog Information, enter the IP Address of the FortiSIEM virtual appliance. 5. Make sure the Port is set to 514. 6. Make sure Delimiter is set to tab, comma, or semicolon. 7. Click Add to Table Below. You should now see the IP address of the FortiSIEM virtual appliance appear as an entry in the Remote Syslogs table. Sample parsed syslog messages Directly from TippingPoint IPS device <36>Oct 28 13:10:45 9.0.0.1 ALT,v4,20091028T131045+0480,"PH-QATIP1"/20.30.44.44,835197,1,Permit,Minor,00000002-0002-0002-0002-000000000089, "0089: IP: Short Time To Live (1)","0089: IP: Short Time To Live (1)",ip," ",172.16.10.1:0,224.0.0.5:0,20091028T130945+0480,6," ",0,1A-1B <37>Nov 5 20:16:19 20.30.44.44 BLK,v4,20091105T201619+0480,"PH-QATIP1"/20.30.44.44,70,2,Block,Low,00000002-0002-0002-0002-000000004316, "4316: OSPF: OSPF Packet With Time-To-Live of 1","4316: OSPF: OSPF Packet With Time-To-Live of 1",ip," ",172.16.10.1:0,224.0.0.5:0,20091105T201619+0480,1," ",0,1A-1B <37>Jul 12 15:04:01 SOCIPS01 ALT,v5,20110712T1504010500,SOCIPS01/192.168.10.122,3225227,1,Permit,Low,00000002-0002-0002-0002000000010960, "10960: IM: Google GMail Chat SSL Connection Attempt","10960: IM: Google GMail Chat SSL Connection Attempt",tcp," ",156.63.133.8,10948,72.14.204.189,443, 20110712T150239-0500,3," ",0,6A-6B From Tipping Point NMS device <36> 7 2 00000002-0002-0002-0002-000000001919 00000001-0001-0001-0001-000000001919 1919: Backdoor: Psychward 1919 tcp 10.1.1.100 13013 10.1.1.101 1240 3 3 2 207-2400-Jack 33761793 1109876221622 <36> 7 2 00000002-0002-0002-0002-000000001919 00000001-00010001-0001-000000001919 1919: Backdoor: Psychward 1919 tcp 10.1.1.100 13013 10.1.1.101 1240 3 3 2 207-2400-Jack 33761793 1109876221622 FortiSIEM 6.1.1 External Systems Configuration Guide 443 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> 3Com TippingPoint UnityOne IPS See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 444 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) AirTight Networks SpectraGuard l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected Used For Event Types In ADMIN > Device Support > Event, search for "airtight" in the Device Type column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration Syslog FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. l For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance. l For Port, enter 514. l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. FortiSIEM 6.1.1 External Systems Configuration Guide 445 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Setting Name Device Type Access Protocol Port Password config Value <set name> Airtight SpectraGuard See Access Credentials See Access Credentials See Password Configuration Example Syslog <30><2013.09.09 19:45:16>CEF:0|AirTight|SpectraGuard Enterprise|6.7|5.51.515| Authorized AP operating on non-allowed channel|3|msg=Stop: Authorized AP [AP2.12.c11d] is operating on non-allowed channel. rt=Sep 09 2013 19:45:16 UTC dvc=10.255.1.36 externalId=726574 dmac=58:BF:EA:FA:26:EF cs1Label=TargetDeviceName cs1=AP2.12.c11d cs2Label=SSID cs2=WiFiHiSpeed cs3Label=SecuritySetting cs3=802.11i cn1Label=RSSI_dBm cn1=-50 cn2Label=Channel cn2=149 cs4Label=Locationcs4=//FB/FBFL2 FortiSIEM 6.1.1 External Systems Configuration Guide 446 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Alert Logic IRIS API Support for Alert Logic IRIS API allows FortiSIEM to respond to incidents and events in real-time with up-to-date situational awareness and comprehensive security analytics. l Integration Points l Event Types l Reports l Rules l Configuring AlertLogic IRIS for FortiSIEM API Access l Configuring FortiSIEM for AlertLogic IRIS API Access l Sample Events Integration points Protocol AlertLogic Iris API Information Discovered Security Alerts created by AlertLogic Used For Security and Compliance Event Types In RESOURCES > Event Types, enter "AlertLogic" in the Search field to see the event types associated with this device. Rules In RESOURCE > Rules, enter "AlertLogic" in the Search field to see the rules associated with this device. Reports No defined reports. Configuring Alert Logic for FortiSIEM API Access Get API Key from Alert Logic 1. Login to the Alert Logic user interface. 2. On the left menu, select Admin >Account. 3. Click New API Key. 4. Enter a descriptive name in the Generate New API key dialog box. FortiSIEM 6.1.1 External Systems Configuration Guide 447 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) 5. Click Save to generate the API key. A file containing your API key information (ID, ClientSecret, and Name) will be downloaded. The ID and ClientSecret will be used by FortiSIEM. Configuring FortiSIEM for Alert Logic API Access Complete these steps in the FortiSIEM UI: 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box and click Save: Settings Name Device Type Access Protocol Pull Interval Access Key ID Secret Key Organization Description Description Enter a name for the credential Alert Logic IPS Alert Logic IPS The interval in which FortiSIEM will pull events from Alert Logic. Default is 5 minutes. Access key for your Alert Logic instance. Secret key for your Alert Logic instance The organization the device belongs to. Description of the device. 3. In Step 2, Enter IP Range to Credential Associations: a. Select the name of your Alert Logic credential from the Credentials drop-down list. b. Enter a host name, an IP, or an IP range in the IP/Host Name field. c. Click Save. 4. Click Test to test the connection to Alert Logic. 5. To see the jobs associated with Alert Logic, select ADMIN > Pull Events. 6. To see the received events select ANALYTICS, then enter Alert Logicin the search box. Sample Events Raw events of an incident start with [AlertLogic_Incident]: [AlertLogic_Incident]:[reptDevIpAddr]=10.10.10.10, [reptDevName]=api.cloudinsight.alertlogic.com,[accountId]=11111111.0,[phCustId]=1, [inIncidentAcknowledgeStatus]=closed,[inIncidentEventFirstSeen]=1558710055.0, [inIncidentClearedTime]=1558710055.0,[inIncidentCreateTime]=1558710161.9708278, [inIncidentCreatedUserId]=,[inIncidentLastModifiedTime]=0, [inIncidentLastModifiedUser]=,[inCustomerName]=1074822-INT4 - RMS FAWS Test,[msg]=This is a correlation incident,[inIncidentId]=e911347e8c1ca0fa,[inIncidentStatus]=closed, FortiSIEM 6.1.1 External Systems Configuration Guide 448 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) [attackType]=suspicious-activity,[type]=,[count]=0.0,[comment]=Test,[eventSeverity]=5, [eventType]=AlertLogic-Incident-Mei_Test,[srcIpAddr]=255.255.255.255, [destIpAddr]=255.255.255.255 Raw events of an associated event start with [AlertLogic_Incident_Associated_Event]: AlertLogic_Incident_Associated_Event]:[reptDevIpAddr]=10.10.10.10,[phCustId]=, [reptDevIpAddr]=34.192.118.124,[reptDevName]=api.cloudinsight.alertlogic.com, [accountId]=100000,[inIncidentId]=e9113683d6815742,[httpContentType]=application/xalpacket-megmsgs,[description]=meta,[resourceType]=associated log,[resourceName]=Log, [uuid]=UVUxSk5BQ2tNS3NBQUFBQVhQQnNkRnp3YkhRQUFiRE1BQUVBSG1Gd2NHeHBZMkYwYVc5dUwzZ3RZV3h3 WVdOclpYUXRiV1ZuYlhObmN3QUdURTlIVFZOSDphcHBsaWNhdGlvbi94LWFscGFja2V0LW1lZ21zZ3M6ZTkxMTM 2ODNkNjgxNTc0MjoxMDc2MDM2Mw==,[hostName]=meta,[msg]=dddddddd,[eventSeverity]=5, [procId]=0,[procName]=meta,[collectorTime]=1559260276,[reptDevName]=user, [eventType]=AlertLogic_e9113683d6815742_Associated_Event FortiSIEM 6.1.1 External Systems Configuration Guide 449 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Cisco Firepower Management Center (FMC) - Formerly FireSIGHT and FirePower Threat Defense Cisco Firepower Management Center (FMC) provides complete and unified management over firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection. It can easily go from managing a firewall to controlling applications to investigating and remediating malware outbreaks. This section describes how FortiSIEM collects logs from Cisco FireSIGHT console and FirePower Threat Defense via the eStreamer API integration. FortiSIEM provides two integrations options, either through the FortiSIEM built-in eStreamer integration or via the Cisco FirePower eStreamer eNcore client. The Cisco eNcore client Collects System intrusion, discovery, and connection data from the Firepower Management Center or managed device (also referred to as the eStreamer server) to external client applications, in this case via Syslog to FortiSIEM. l What is Discovered and Monitored l Using FortiSIEM Client l Using Cisco eStreamer Client What is Discovered and Monitored Protocol eStreamer API Information Discovered Logs Collected Used For Intrusion Events, Malware Events. File Events. Discovery Events, User Activity Events, Impact Flag Events Security Monitoring Rules There are no predefined rules for this device. Reports The following reports are provided: l Top Cisco FireAMP Malware Events l Top Cisco FireAMP File Analysis Events l Top Cisco FireAMP Vulnerable Intrusion Events l Top Cisco FireAMP Discovered Login Events l Top Cisco FireAMP Discovered Network Protocol l Top Cisco FireAMP Discovered Client App l Top Cisco FireAMP Discovered OS Using FortiSIEM Client FortiSIEM obtains events from Cisco FireSIGHT via eStreamer protocol. FortiSIEM 6.1.1 External Systems Configuration Guide 450 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Event Types l Intrusion events: PH_DEV_MON_FIREAMP_INTRUSION [PH_DEV_MON_FIREAMP_INTRUSION]:[eventSeverity]=PHL_CRITICAL, [fileName]=phFireAMPAgent.cpp,[lineNumber]=381,[reptDevIpAddr]=10.1.23.177, [envSensorId]=6,[snortEventId]=393258,[deviceTime]=1430501705,[eventType]=Snort-1, [compEventType]=PH_DEV_MON_FIREAMP_INTRUSION,[ipsGeneratorId]=137,[ipsSignatureId]=2, [ipsClassificationId]=32,[srcIpAddr]=10.131.10.1,[destIpAddr]=10.131.10.120, [srcIpPort]=34730,[destIpPort]=443,[ipProto]=6,[iocNum]=0,[fireAmpImpactFlag]=7, [fireAmpImpact]=2,[eventAction]=1,[mplsLabel]=0,[hostVLAN]=0,[userId]=3013,[webAppId]=0, [clientAppId]=1296,[appProtoId]=1122,[fwRule]=133,[ipsPolicyId]=63098, [srcIntfName]=b16c69fc-cd95-11e4-a8b0-b61685955f02,[destIntfName]=b1a1f900-cd95-11e4a8b0-b61685955f02,[srcFwZone]=9e34052a-9b4f-11e4-9b83-efa88d47586f, [destFwZone]=a7bd89cc-9b4f-11e4-8260-63a98d47586f,[connEventTime]=1430501705, [connCounter]=371,[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[phLogDetail]= l Malware events: PH_DEV_MON_FIREAMP_MALWARE [PH_DEV_MON_FIREAMP_MALWARE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp, [lineNumber]=487,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430502934, [srcIpAddr]=10.110.10.73,[destIpAddr]=10.0.112.132,[srcIpPort]=21496,[destIpPort]=80, [ipProto]=6,[fileName]=CplLnk.exe ,[filePath]=,[fileSize64]=716325,[fileType]=1, [fileTimestamp]=0,[hashAlgo]=SHA, [hashCode]=f1bfab10090541a2c3e58b4b93c504be8b65cdc823209c7f4def24acc38d7fd1 , [fileDirection]=1,[fireAmpFileAction]=3,[parentFileName]=,[parentFileHashCode]=, [infoURL]=http://wrl/wrl/CplLnk.exe ,[threatScore]=0,[fireAmpDisposition]=3, [fireAmpRetrospectiveDisposition]=3,[iocNum]=1,[accessCtlPolicyId]=125870424, [srcGeoCountryCode]=0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638, [applicationId]=676,[connEventTime]=1430502933,[connCounter]=409,[cloudSecIntelId]=0, [phLogDetail]= l File events: PH_DEV_MON_FIREAMP_FILE [PH_DEV_MON_FIREAMP_FILE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp, [lineNumber]=541,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430497343, [srcIpAddr]=10.131.15.139,[destIpAddr]=10.0.112.137,[srcIpPort]=1587,[destIpPort]=80, [ipProto]=6,[fileName]=Locksky.exe ,[hashAlgo]=SHA, [hashCode]=aa999f5d948aa1a731f6717484e1db32abf92fdb5f1e7ed73ad6f5a21b0737c1, [fileSize64]=60905,[fileDirection]=1,[fireAmpDisposition]=3,[fireAmpSperoDisposition]=4, [fireAmpFileStorageStatus]=11,[fireAmpFileAnalysisStatus]=0,[threatScore]=0, [fireAmpFileAction]=3,[fileType]=17,[applicationId]=676,[destUserId]=2991, [infoURL]=http://wrl/wrl/Locksky.exe ,[signatureName]=,[accessCtlPolicyId]=125869976, [srcGeoCountryCode]=0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638, [connCounter]=103,[connEventTime]=1430497343,[phLogDetail]= l Discovery events: l PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL]:[eventSeverity]=PHL_INFO, [fileName]=phFireAMPAgent.cpp,[lineNumber]=815,[reptDevIpAddr]=10.1.23.177, [destIpPort]=2054,[ipProto]=54,[phLogDetail]= l PH_DEV_MON_FIREAMP_DISCOVERY_OS_FINGERPRINT [PH_DEV_MON_FIREAMP_DISCOVERY_OS_FINGERPRINT]:[eventSeverity]=PHL_INFO, [fileName]=phFireAMPAgent.cpp,[lineNumber]=737,[reptDevIpAddr]=10.1.23.177, FortiSIEM 6.1.1 External Systems Configuration Guide 451 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) [fingerprintId]=01f772b2-fceb-4777-8a50-1e1f27426ad0,[osType]=Windows 7, [hostVendor]=Microsoft,[osVersion]=NULL,[phLogDetail]= l PH_DEV_MON_FIREAMP_DISCOVERY_CLIENT_APP [PH_DEV_MON_FIREAMP_DISCOVERY_CLIENT_APP]:[eventSeverity]=PHL_INFO, [fileName]=phFireAMPAgent.cpp,[lineNumber]=775,[reptDevIpAddr]=10.1.23.177, [clientAppId]=638,[appName]=Firefox,[phLogDetail]= l PH_DEV_MON_FIREAMP_DISCOVERY_SERVER [PH_DEV_MON_FIREAMP_DISCOVERY_SERVER]:[eventSeverity]=PHL_INFO, [fileName]=phFireAMPAgent.cpp,[lineNumber]=853,[reptDevIpAddr]=10.1.23.177, [applicationId]=676,[appTransportProto]=HTTP,[phLogDetail]= l User activity events: PH_DEV_MON_FIREAMP_USER_LOGIN [PH_DEV_MON_FIREAMP_USER_LOGIN]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp, [lineNumber]=672,[reptDevIpAddr]=10.1.23.177,[deviceTime]=1430490441,[user]=ABerglund , [userId]=0,[ipProto]=710,[emailId]=,[loginType]=0,[destIpAddr]=198.18.133.1 , [phLogDetail]= l Impact Flag events: PH_DEV_MON_FIREAMP_IMPACT_FLAG [PH_DEV_MON_FIREAMP_IMPACT_FLAG]:[eventSeverity]=PHL_CRITICAL, [fileName]=phFireAMPAgent.cpp,[lineNumber]=591,[reptDevIpAddr]=10.1.23.177, [envSensorId]=6,[snortEventId]=34,[deviceTime]=1430491431,[eventType]=Snort-648, [compEventType]=PH_DEV_MON_FIREAMP_IMPACT_FLAG,[ipsGeneratorId]=1,[ipsSignatureId]=14, [ipsClassificationId]=29,[srcIpAddr]=10.131.12.240,[destIpAddr]=10.131.11.46, [srcIpPort]=80,[destIpPort]=8964,[ipProto]=6,[fireAmpImpactFlag]=7,[phLogDetail]= Configuration Cisco FireSIGHT Configuration 1. Login to Cisco FIRESIGHT console. 2. Go to System > Local > Registration > eStreamer 3. Click Create Client a. Enter IP address and Password for FortiSIEM. The password can only contain alpha (a-z, A-Z) and numeric (0-9) characters. Special characters are not allowed. b. Click Save. 4. Select the types of events that should be forwarded to FortiSIEM. 5. Click Download Certificate and save the certificate to a local file. FortiSIEM Configuration 1. Go to ADMIN > Setup > Credentials. 2. Create a credential: a. Set Device Type to Cisco FireAMP. b. Set Access Method to eStreamer. c. Enter the Password as in Step 3a above. d. Click Certificate File > Upload and enter the certificate downloaded in Step 5. e. Click Save. FortiSIEM 6.1.1 External Systems Configuration Guide 452 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) 3. Create an IP range to Credential Association: a. Enter IP address of the FireSIGHT Console b. Enter the credential created in Step 2 above 4. Click Test Connectivity - FortiSIEM will start collecting events from the FIRESIGHT console. Using Cisco eStreamer Client Cisco has published a free eStreamer client to pull events from FireAMP server. This client is more up-to-date than FortiSIEM's own eStreamer client. If you decide to use Cisco's eStreamer client instead of FortiSIEM's eStreamer client, follow these steps. l Step 1: Install a new version of python with a new user 'estreamer' l Step 2: Download and configure eStreamer client l Step 3: Start eStreamer client Step 1: Install a new version of python with a new user 'estreamer' This is required because the python version used by FortiSIEM is compiled with PyUnicodeUCS2, while eStreamer client requires the standard version of python built with PyUnicodeUCS4. 1. Log in to FortiSIEM Collector or the node where eStreamer client is going to be installed. 2. Install openssl-devel and openssl-devel.i686 by running the following command. yum install openssl-devel openssl-devel.i686 3. Create eStreamer user using the command: a. useradd estreamer 4. Download the python library using the commands: a. su estreamer b. mkdir ~/python c. cd ~/python d. wget https://www.python.org/ftp/python/2.7.18/Python-2.7.18.tgz 5. Install python library : a. tar zxfv Python-2.7.18.tgz b. find ~/python -type d | xargs chmod 0755 c. cd Python-2.7.18 d. ./configure --prefix=$HOME/python --enable-unicode=ucs4 e. make && make install f. Add below two lines to ~/.bashrcp: export PATH=$HOME/python/Python-2.7.18/:$PATH export PYTHONPATH=$HOME/python/Python-2.7.18 g. source ~/.bashrc Step 2: Download and configure eStreamer client 1. SSH to FortiSIEM Collector or the node where eStreamer client is going to be installed as estreamer user. 2. Git clone: git://github.com/CiscoSecurity/fp-05-firepower-cef-connector-arcsight.git 3. Change directory using the command: cd fp-05-firepower-cef-connector-arcsight FortiSIEM 6.1.1 External Systems Configuration Guide 453 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) 4. Login to eStreamer server and: a. Go to System > Integration > eStreamer. b. Create a New client and enter the IP address of the Supervisor/Collector as the host. c. Download the pkcs12 file and save it to directory: fp-05-firepower-cef-connector-arcsight 5. Go back to fp-05-firepower-cef-connector-arcsight directory. 6. Run sh encore.sh, and type 2 for selection of output in CEF as prompted. An estreamer.conf file is generated. 7. Edit estreamer.conf with below settings (in JSON format): l handler.outputters.stream.uri : "udp://VA_IP:514" l servers.host : eStreamer_Server_IP l servers.pkcs12Filepath : /path/to/pkcs12 8. Run the below two commands: l openssl pkcs12 -in "client.pkcs12" -nocerts -nodes -out "/path/to/fp-05- firepower-cef-connector-arcsight/client_pkcs.key" l openssl pkcs12 -in "client.pkcs12" -clcerts -nokeys -out "/path/to/fp-05- firepower-cef-connector-arcsight/client_pkcs.cert" Step 3: Start eStreamer client SSH to FortiSIEM Collector or the node where eStreamer client is installed, as estreamer user. Start eStreamer client by entering: encore.sh start Now eStreamer client is ready for use. FortiSIEM 5.2.5 contains an updated parser for the events generated by Cisco eStreamer client. Trigger few events in eStreamer server and query from FortiSIEM to verify if everything is working. FortiSIEM 6.1.1 External Systems Configuration Guide 454 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Cisco Intrusion Prevention System What is Discovered and Monitored Protocol SNMP SDEE Information Discovered Metrics Collected Alerts Used For Performance and Availability Monitoring Security Monitoring Event Types In ADMIN > Device Support > Event, search for "cisco ips" in the Device Type and Description columns to see the event types associated with this device. Rules In RESOURCE > Rules, search for "cisco ips" in the Name column to see the rules associated with this device. Reports In RESOURCE > Reports , search for "cisco ips" in the Name column to see the reports associated with this device. Configuration SNMP 1. Log in to the device manager for your Cisco IPS. 2. Go to Configuration > Allowed Hosts/Networks. 3. Click Add. 4. Enter the IP address of your FortiSIEM virtual appliance to add it to the access control list, and then click OK. 5. Go to Configuration > Sensor Management > SNMP > General Configuration. 6. For Read-Only Community String, enter public. 7. For Sensor Contact and Sensor Location, enter Unknown. 8. For Sensor Agent Port, enter 161. 9. For Sensor Agent Protocol, select udp. If you must create an SDEE account for FortiSIEM to use, go to Configuration > Users and Add a new administrator. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. FortiSIEM 6.1.1 External Systems Configuration Guide 455 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Setting Name Device Type Access Protocol Pull Interval Port Password config Value <set name> Cisco IPS Cisco SDEE 5 minutes 443 See Password Configuration SNMP Access Credentials for All Devices Set these Access Method Definition values to allow FortiSIEM to communicate with yourdevice over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> Sample XML-Formatted Alert <\!-\- CISCO IPS \--><evAlert eventId="1203541079317487802" severity="low"> <originator> <hostId>MainFW-IPS</hostId> <appName>sensorApp</appName> <appInstanceId>376</appInstanceId> </originator> <time offset="0" timeZone="UTC">1204938398491122000</time> <signature sigName="ICMP Network Sweep w/Echo" sigId="2100" subSigId="0" version="S2"></signature> <interfaceGroup>vs1</interfaceGroup><vlan>0</vlan> <participants> <attack> <attacker> <addr locality="OUT">2.2.2.1</addr> </attacker> <victim> <addr locality="OUT">171.64.10.225</addr> <os idSource="unknown" type="unknown" relevance="relevant"></os> </victim> <victim> <addr locality="OUT">171.66.255.87</addr> <os idSource="unknown" type="unknown" relevance="relevant"></os> </victim> <victim> <addr locality="OUT">171.66.255.86</addr> <os idSource="unknown" type="unknown" relevance="relevant"></os> </victim> <victim> <addr locality="OUT">171.66.255.84</addr> <os idSource="unknown" type="unknown" relevance="relevant"></os> </victim> <victim> <addr locality="OUT">171.66.255.85</addr> <os idSource="unknown" type="unknown" relevance="relevant"></os> </victim> <victim> <addr locality="OUT">171.66.255.82</addr> <os idSource="unknown" type="unknown" relevance="relevant"></os> </victim> </attack> </participants> <alertDetails>InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" </alertDetails></evAlert> FortiSIEM 6.1.1 External Systems Configuration Guide 456 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Cisco Stealthwatch l Integration points l Configuring FortiSIEM l Parsing and Events Integration points Protocol syslog Information Discovered Network Anomaly Detection Alerts Used For Security and Compliance Configuring FortiSIEM FortiSIEM automatically recognizes Cisco Stealthwatch syslog as long it follows the following format as shown in the sample syslog: <129>Jun 18 14:56:00 ED2ALENTSVRSMC-1 StealthWatch[2699]: Lancope|StealthWatch|PRIORITY A|time=2018-06-18T14:55:30Z|target_hostname=|alarm_severity_id=5|alarm_type_ id=60|alarm_type_description=Host may be infected with an SMB Parsing and Events Currently over 150 events are parsed see event Types in Resources > Event Types and search for 'CiscoStealthWatch-'. User can extend the parser to add other events. FortiSIEM 6.1.1 External Systems Configuration Guide 457 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Cylance Protect Endpoint Protection l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected End point malware alerts Used For Security Monitoring Event Types In ADMIN > Device Support > Event, search for "cylance" in the Device Type column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration Syslog FortiSIEM processes events from this device via CEF formatted syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Cylance Protect See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 458 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Example Syslog CylancePROTECT: Event Type: AppControl, Event Name: pechange, Device Name: WIN-7entSh64, IP Address: (192.168.119.128), Action: PEFileChange, Action Type: Deny, File Path: C:\Users\admin\AppData\Local\Temp\MyInstaller.exe, SHA256: 04D4DC02D96673ECA9050FE7201044FDB380E3CFE0D727E93DB35A709B45EDAA FortiSIEM 6.1.1 External Systems Configuration Guide 459 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Cyphort Cortex Endpoint Protection l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected End point malware alerts Used For Security Monitoring Event Types In ADMIN > Device Support > Event, search for "cyphort" in the Device Type column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration Syslog FortiSIEM processes events from this device via CEF formatted syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Cylance Cortex See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 460 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Example Syslog <134>Feb 23 21:58:05 tap54.eng.cyphort.com cyphort: CEF:0|Cyphort|Cortex|3.2.1.16|http|TROJAN_GIPPERS.DC|8|externalId=374 eventId=13348 lastActivityTime=2015-02-24 05:58:05.151123+00 src=172.16.0.1 dst=10.1.1.26 fileHash=acf69d292d2928c5ddfe5e6af562cd482e6812dc fileName=79ea1163c0844a2d2b6884a31fc32cc4.bin fileType=PE32 executable (GUI) Intel 80386, for MS Windows startTime=2015-02-24 05:58:05.151123+00 FortiSIEM 6.1.1 External Systems Configuration Guide 461 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Damballa Failsafe Configuration in FortiSIEM Complete these steps in the FortiSIEM UI: 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box: Setting Value Name A name for the device. Device Type Damballa Failsafe Access Protocol See Access Credentials Port See Access Credentials Password config See Password Configuration 3. In Step 2, Enter IP Range to Credential Associations: a. Select the name of your credential from the Credentials drop-down list. b. Enter a host name, an IP, or an IP range in the IP/Host Name field. c. Click Save. 4. Click Test to test the connection to Damballa Failsafe. 5. To see the jobs associated with Damballa, select ADMIN > Pull Events. 6. To see the received events select ANALYTICS, then enter Damballa in the search box. FortiSIEM 6.1.1 External Systems Configuration Guide 462 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Darktrace CyberIntelligence Platform l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration l Sample Events What is Discovered and Monitored Protocol Information Discovered Metrics/LOGs collected Used for Syslog (CEF formatted) Over 40 security logs Security and Compliance monitoring Event Types Go to Admin > Device Type > Event Types and search for "Darktrace-DCIP". Rules None Reports None Configuration Configure Darktrace to send CEF formatted logs to FortiSIEM. FortiSIEM will automatically parse the logs. No configuration is required in FortiSIEM. Sample Events CEF:0|Darktrace|DCIP|3.0.8|537|Antigena/Network/Compliance/Antigena RDP Block|Low| eventId=2 externalId=1462565 art=1536856095244 deviceSeverity=1 rt=1536856054000 shost=personalpcd698.abccompany.local src=10.10.1.85 sourceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 smac=1:1:1:1:1:1 dst=1.1.1.1 destinationZoneURI=/All Zones/ArcSight System/Public Address Space Zones/APNIC/1.0.0.0-1.1.1.255 (APNIC) dpt=9999 ahost=personalpc123.abccompany.local agt=10.10.28.38 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 av=2.2.2.2.0 atz=CountryA aid=3mAvC02UBABCAa72iNm4jZA\=\= at=syslog FortiSIEM 6.1.1 External Systems Configuration Guide 463 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) dvc=10.10.10.10 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 dtz=CountryA _cefVer=0.1 ad.darktraceUrl=https://10.10.10.10/#modelbreach/1462565 FortiSIEM 6.1.1 External Systems Configuration Guide 464 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) FireEye Malware Protection System (MPS) l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected Used For Event Types In ADMIN > Device Support > Event, search for "fireeye mps" in the Device Type column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration Syslog FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. l For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance. l For Port, enter 514. l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. FortiSIEM 6.1.1 External Systems Configuration Guide 465 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Setting Name Device Type Access Protocol Port Password config Value <set name> FireEye MPS See Access Credentials See Access Credentials See Password Configuration Example Syslog <164>fenotify-45640.alert: CEF:0|FireEye|MPS|6.0.0.62528|MC|malware-callback|9|rt=Apr 16 2012 15:54:41 src=192.168.26.142 spt=0 smac=00:14:f1:90:c8:01 dst=2.2.2.2 dpt=80 dmac=00:10:db:ff:50:00 cn1Label=vlan cn1=202 cn2Label=sid cn2=33335390 cs1Label=sname cs1=Trojan.Gen.MFC cs4Label=link cs4=https://10.10.10.10/event_stream/events_for_bot?ev_ id\=45640 cs5Label=ccName cs5=3.3.3.3 cn3Label=ccPort cn3=80 proto=tcp cs6Label=ccChannel cs6= shost=abc.org <http://abc.org> dvchost=ALAXFEYE01 dvc=10.10.10.10 externalId=45640 FortiSIEM 6.1.1 External Systems Configuration Guide 466 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) FortiDDoS l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Syslog Information Discovered Host Name, Access IP, Vendor/Model Metrics Collected Over 150 event types to include Protocol Anomaly, Traffic Volume Anomaly, DoS Attacks, Used For Security Monitoring Event Types In ADMIN > Device Support > Event, search for "FortiDDoS" to see the event types associated with this device. Rules There are many IPS correlation rules for this device under Rules > Security > Exploits. Reports There are many reports for this device under Reports > Function > Security. Configuration Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Fortinet FortiDDos See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 467 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Syslog FortiSIEM processes FortiDDoS events via syslog. Configure FortiDDoS to send syslog to FortiSIEM as directed in the device's product documentation. Example Syslog Jan 10 16:01:50 172.30.84.114 devid=FI400B3913000032 date=2015-01-23 time=17:42:00 type=attack SPP=1 evecode=1 evesubcode=8 dir=0 protocol=1 sIP=0.0.0.0 dIP=0.0.0.0 dropCount=312 devid=FI800B3913000055 date=2017-01-27 time=18:24:00 tz=PST type=attack spp=0 evecode=2 evesubcode=61 description="Excessive Concurrent Connections Per Source flood" dir=1 sip=24.0.0.2 dip=24.255.0.253 subnet_name=default dropcount=40249 facility=Local0 level=Notice FortiSIEM 6.1.1 External Systems Configuration Guide 468 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Fortinet FortiDeceptor l Integration Points l Configuration l Settings for Access Credentials l Sample Events Integration Points Method Syslog Information discovered Metrics collected LOGs collected Used for Host name, Reporting IP None Authentication logs, Decoy activity Security monitoring Event Types In ADMIN > Device Support > Event, search for "FortiDeceptor" to see the event types associated with this device. Rules No specific rules are written for FortiDeceptor. Reports No specific reports are written for FortiDeceptor. Configuration Configure FortiDeceptor system to send logs to FortiSIEM in the supported format (see Sample Events). Settings for Access Credentials None required. Sample Events <27>2019-07-29T10:12:44 devhost=FDC-VM0000000262 devid=FDC-VM0000000262 logver=25 tzone=14400 tz=GST date=2019-07-29 time=10:12:44 logid=0106000001 type=event subtype=system level=error user=system ui=GUI action=update status=failure msg="The authentication to FDN server failed" <14>2019-07-29T10:40:34 devhost=FDC-VM0000000262 devid=FDC-VM0000000262 logver=25 tzone=14400 tz=GST date=2019-07-29 FortiSIEM 6.1.1 External Systems Configuration Guide 469 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) time=10:40:34 logid=0106000001 type=event subtype=system level=information user=admin ui=GUI action=Login status=success msg="Administrator admin logged into website successfully from 10.0.0.254" FortiSIEM 6.1.1 External Systems Configuration Guide 470 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Fortinet FortiNAC l Integration Points l Configuration l Settings for Access Credentials l Sample Events Integration Points Method Syslog Information discovered Host name, Reporting IP Metrics collected None LOGs collected Used for Administrative and User Admission Control Security events monitoring Event Types In ADMIN > Device Support > Event, search for "FortiNAC" to see the event types associated with this device. Rules No specific rules are written for FortiNAC but generic rules for network admission control apply Reports No specific reports are written for FortiNAC but generic reports for network admission control apply Configuration Configuration Configure FortiNAC system to send logs to FortiSIEM in the supported format (see Sample Events). Settings for Access Credentials None required. Sample Events <37>Jan 08 19:03:45 : CEF:0|Bradford Networks|FortiNAC-VM-Control and Application Server|8.3.0.79|426| Adapter Destroyed|1|rt=Jan 08 19:03:45 269 UTC cat=EndStation msg=Adapter 18:5E:0F:AA:56:31 Destroyed. <37>Dec 06 10:34:42 : CEF:0|Bradford Networks|FortiNAC-VM-Control and Application Server| 8.3.1.30|447702|Admin User Login Success|1|rt=Dec 06 10:34:42 736 CET FortiSIEM 6.1.1 External Systems Configuration Guide 471 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) cat= suid=guiadmin msg=Admin user guiadmin logged in. <37>Apr 16 11:06:19 : CEF:0|Bradford Networks|FortiNAC-VM-Control and Application Server|8.3.6.104|605250| Security Risk Host|1|rt=Apr 16 11:06:19 447 CEST cat=EndStation src=192.168.242.20 smac=00:26:9E:D9:87:12 shost=X100e-1 cs1Label=Physical<space>network<space>location cs1=BA-HPswitch GigabitEthernet1/0/10 { GigabitEthernet1/0/10 Interface } msg=Host failed Windows-PA-Notepad Tests: Failed :: Custom :: Notepad MAC Address: 00:26:9E:D9:87:12 Last Known Adapter IP: 192.168.242.20 Host Location: BAHPswitch GigabitEthernet1/0/10 { GigabitEthernet1/0/10 Interface } FortiSIEM 6.1.1 External Systems Configuration Guide 472 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Fortinet FortiSandbox l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol SNMP HTTP(S) Syslog Information Discovered Metrics Collected Used For Host Name, OS, version, CPU, Memory, Disk, Interface utilization Hardware Performance Monitoring Host Name, OS, version, Hardware Log Management, Security Compliance, SIEM Threat feed - Malware URL, Malware Hash Malware found/cleaned, Botnet, Malware URL, System Events Log Management, Security Compliance, SIEM Event Types In ADMIN > Device Support > Event, search for "fortisandbox-" to see the event types associated with this device. Rules In RESOURCE > Rules, search for "fortisandbox-" to see the rules associated with this device. Also, basic availability rules in RESOURCE > Rules > Availability > Network and performance rules in RESOURCE > Rules> Performance > Network also trigger. Reports In RESOURCE > Reports, search for "fortisandbox-" to see the rules associated with this device. Configuration Syslog FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. FortiSIEM 6.1.1 External Systems Configuration Guide 473 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance. For Port, enter 514. Make sure that the syslog format is the same as that shown in the example. Example Syslog: Oct 12 14:35:12 172.16.69.142 devname=turnoff-2016-10-11-18-46-05-172.16.69.142 device_ id=FSA3KE3A13000011 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success reason=none letype=9 msg="Malware package: urlrel version 2.88897 successfully released, total 1000" <14>2016-08-19T06:48:51 devhost=turnoff-2016-08-15-19-24-55-172.16.69.55 devid=FSA35D0000000006 tzone=-25200 tz=PDT date=2016-08-19 time=06:48:51 logid=0106000001 type=event subtype=system level=information user=admin ui=GUI action=update status=success reason=none letype=9 msg="Remote log server was successfully added" Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Fortinet FortiSandbox See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 474 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Fortinet FortiTester l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration l Sample Events What is Discovered and Monitored Protocol Information Discovered Syslog (CEF formatted) Host name and Device Type from LOG Metrics/LOG collected Used for Over 14 log types Security and Compliance Event Types Go to Admin > Device Type > Event Types and search for "FortiTester". Rules None Reports None Configuration Configure FortiTester to send CEF formatted syslog to FortiSIEM. No configuration is required on FortiSIEM. Sample Events CEF:0|Fortinet|FortiTester|3.8|Event|information|category=System deviceExternalId=FTS2KET618000005 msg=The system is started deviceCustomDate1=2019-11-0515:12:30 cs1= cs1Label=Description FortiSIEM 6.1.1 External Systems Configuration Guide 475 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) IBM Internet Security Series Proventia l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol SNMP Traps Information Discovered Metrics Collected Event Types In ADMIN > Device Support > Event, search for "proventia" in the Device Type and Description column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration SNMP Trap FortiSIEM receives SNMP traps from IBM/ISS Proventia IPS appliances that are sent by IBM/ISS SiteProtector Management Console. You must first configure IBM/ISS Proventia to send alerts to IBM/ISS SiteProtector, then configure IBM/ISS SiteProtector to send those alerts as SNMP traps to FortiSIEM. Configure IBM/ISS Proventia Appliances to Send SNMP Notifications to IBM/ISS SiteProtector Management Console 1. Log in to the IBM Proventia IPS web interface. 2. Click Manage System Settings > SiteProtector Management. 3. Click and select Register withSiteProtector. 4. Click and select Local Settings Override SiteProtector Group Settings. FortiSIEM 6.1.1 External Systems Configuration Guide 476 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) 5. Specify the Group, Heartbeat Interval, and Logging Level. 6. Configure these settings: Setting Description Authentication Level Agent Manager Name Agent Manager Address Agent Manager Port User Name User Password Use Proxy Settings Use the default first-time trust. Enter the Agent Manager name exactly as it appears in SiteProtector. This setting is casesensitive. Enter the Agent Manager's IP address. Use the default value 3995. If the appliance has to log into an account access the Agent Manager, enter the user name for that account here. Click Set Password, enter and confirm the password, and then click OK. If the appliance has to go through a proxy to access the Agent Manager, select the Use Proxy Settings option, and then enter the Proxy Server Address and Proxy Server Port. Define FortiSIEM as a Response Object for SNMP Traps 1. Log in to IBM SiteProtector console. 2. Go to Grouping > Site Management > Central Responses > Edit settings. 3. Select Response Objects > SNMP. 4. Click Add. 5. Enter a Name for your FortiSIEM virtual appliance. 6. For Manager, enter the IP address of your virtual appliance. 7. For Community, enter public. 8. Click OK. Define a Response Rule to Forward SNMP Traps to FortiSIEM 1. Go to Response Rules. 2. Click Add. 3. Select Enabled. 4. Enter a Name and Comment for the response rule. 5. In the Responses tab, select SNMP. 6. Select Enabled for the response object that represents your FortiSIEM virtual appliance. 7. Click OK. FortiSIEM 6.1.1 External Systems Configuration Guide 477 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Refining Rules for Specific IP Addresses By default, a rule matches on any source or destination IP addresses. 1. To refine the rule to match on a specific source IP address, select the rule, click Edit, and then select the Source tab. 2. Select Use specific source addresses to restrict the rule based on IP address of the source. If you set this option, set the Mode to specify that the rule should either be From or Not From the IP address. 3. Click Add to define one or more IP addresses. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> IBM ISS Proventia See Access Credentials See Access Credentials See Password Configuration Sample SNMP trap 2013-02-07 16:52:18 100.0.0.218(via UDP: [192.168.64.218]:55545) TRAP, SNMP v1, community public SNMPv2-SMI::enterprises.2499 Enterprise Specific Trap (4) Uptime: 0:00:00.15 SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.1 = STRING: "SiteProtector_ Central_Response (Response1)" SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.2 = STRING: "16:52:18 2013-02-07" SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.3 = STRING: "6" SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.4 = STRING: "100.0.0.216" SNMPv2SMI::enterprises.2499.1.1.2.1.1.1.1.5 = STRING: "100.0.0.218" SNMPv2SMI::enterprises.2499.1.1.2.1.1.1.1.6 = "" SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.7 = "" SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.8 = STRING: "48879" SNMPv2SMI::enterprises.2499.1.1.2.1.1.1.1.9 = STRING: "80" SNMPv2SMI::enterprises.2499.1.1.2.1.1.1.1.10 = STRING: "DISPLAY=WithoutRaw:0,BLOCK=Default:0" SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.11 = STRING: " SensorName: IBM-IPS ObjectName: 80 DestinationAddress: 100.0.0.218 AlertName: HTTP_OracleAdmin_Web_ Interface AlertTarget: 100.0.0.218 AlertCount: 1 VulnStatus: Simulated block (blocking not enabled) AlertDateTime: 16:52:17 2013-02-07 ObjectType: Target Port SourceAddress: 100.0.0.216 SensorAddress: 192.168.64.15" FortiSIEM 6.1.1 External Systems Configuration Guide 478 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Indegy Security Platform l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration l Sample Events What is Discovered and Monitored Protocol Syslog (CEF formatted) Information Discovered Host name and Device Type from LOG Metrics collected Over 14 types of security logs Used for Security and Compliance Event Types Go to Admin > Device Type > Event Types and search for "Indegy-". Rules None Reports None Configuration Configure Indegy Security Platform to send syslog in the supported format to FortiSIEM. No configuration is required in FortiSIEM. Sample Events <12>Nov 17 09:04:06 10.100.20.40 CEF:0|Indegy|Indegy Security Platform|3.0.33|109|Unauthorized Conversation|7|dvchost=indegy rt=Nov 17 2019 09:04:06 duser=AS_01,Comm. Adapter #2 suser=Eng. Station #9 proto=UDP externalId=125 dst=10.100.102.150 src=10.100.20.34 dpt=47808 cs6Label=policy_name cs6=Use of Unauthorized Protocols in Siemens Controllers cat=NetworkEvents FortiSIEM 6.1.1 External Systems Configuration Guide 479 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Juniper DDoS Secure What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected DDoS Alerts Used For Security Monitoring Event Types In ADMIN > Device Support > Event, search for "juniper ddos" in the Device Type and Description columns to see the event types associated with this device. l Juniper-DDoS-Secure-WorstOffender l Juniper-DDoS-Secure-Blacklisted l Juniper-DDoS-Secure-Generic Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Juniper DDos Secure See Access Credentials See Access Credentials See Password Configuration Configuration Configure the device to send syslog to FortiSIEM. Make sure that the event matches the format specified below. FortiSIEM 6.1.1 External Systems Configuration Guide 480 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) <134>Juniper: End : 117.217.141.32 : IND: Worst Offender: Last Defended 66.145.37.254: TCP Attack - Port Scan (Peak 55/s, Occurred 554) <134>Juniper: End : 78.143.172.52 : IRL: IP Address Temp Black-Listed (Valid IP) Exceeds SYN + RST + F2D Count (Peak 114/s, Dropped 83.5K pkts) FortiSIEM 6.1.1 External Systems Configuration Guide 481 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Juniper Networks IDP Series l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected Used For Event Types In ADMIN > Device Support > Event, search for "juniper_idp" in the Device Type column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Juniper Netscreen IDP See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 482 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Configuration Syslog FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. l For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance. l For Port, enter 514. l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example. Example Syslog from NSM <25>Oct 11 14:29:27 10.146.68.68 20101011, 58420089, 2010/10/11 18:29:25, 2010/10/11 18:33:12, global.IDP, 1631, par-real-idp200, 10.146.68.73, traffic, udp port scan in progress, (NULL), (NULL), 161.178.223.221, 0, 0.0.0.0, 0, (NULL), (NULL), 10.248.8.110, 0, 0.0.0.0, 0, udp, global.IDP, 1631, Metro IDP IP / Port Scan Policy, traffic anomalies, 2, accepted, info, yes, 'interface=eth3', (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 0, no, 25, Not FortiSIEM 6.1.1 External Systems Configuration Guide 483 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) McAfee IntruShield l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected Used For Event Types There are no event types defined specifically for this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> McAfee Intrushield See Access Credentials See Access Credentials See Password Configuration Configuration Syslog FortiSIEM handles custom syslog messages from McAfee Intrushield. FortiSIEM 6.1.1 External Systems Configuration Guide 484 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) 1. Log in to McAfee Intrushield Manager. 2. Create a customer syslog format with these fields: l AttackName l AttackTime l AttackSeverity l SourceIp l SourcePort l DestinationIp l DestinationPort l AlertId l AlertType l AttackId l AttackSignature l AttackConfidence l AdminDomain l SensorName:ASCDCIPS01 l Interface l Category l SubCategory l Direction l ResultStatus l DetectionMechanism l ApplicationProtocol l NetworkProtocol l Relevance 3. Set the message format as a sequence of Attribute:Value pairs as in this example. AttackName:$IV_ATTACK_NAME$,AttackTime:$IV_ATTACK_TIME$,AttackSeverity::$IV_ATTACK_ SEVERITY$,SourceIp:$IV_SOURCE_IP$,SourcePort:$IV_SOURCE_PORT$, DestinationIp:$IV_DESTINATION_IP$,DistinationPort:$IV_DESTINATION_PORT$,AlertId:$IV_ ALERT_ID$,AlertType:$IV_ALERT_TYPE$,AttackId$IV_ATTACK_ID$, AttackSignature:$IV_ATTACK_SIGNATURE$,AttackConfidence:$IV_ATTACK_ CONFIDENCE$,AdminDomain:$IV_ADMIN_DOMAIN$,SensorName:$IV_SENSOR_NAME$, Interface:$IV_INTERFACE$,Category:$IV_CATEGORY$,SubCategory:$IV_SUB_ CATEGORY$,Direction:$IV_DIRECTION$,ResultStatus:$IV_RESULT_STATUS$, DetectionMechanism:$IV_DETECTION_MECHANISM$,ApplicationProtocol:$IV_APPLICATION_ PROTOCOL$,NetworkProtocol:$IV_NETWORK_PROTOCOL$,Relevance:$IV_RELEVANCE$ 4. Set FortiSIEM as the syslog recipient. Sample Parsed Syslog Message Mar 24 16:23:18 SyslogAlertForwarder: AttackName:Invalid Packets detected,AttackTime:200903-24 16:23:17 EDT,AttackSeverity:Low,SourceIp:127.255.106.236, SourcePort:N/A,DestinationIp:127.255.106.252,DistinationPort:N/A,AlertId:5260607647261334188 ,AlertType:Signature,AttackId: FortiSIEM 6.1.1 External Systems Configuration Guide 485 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) 0x00009300,AttackSignature:N/A, AttackConfidence:N/A,AdminDomain:ASC,SensorName:ASCDCIPS01,Interface:1A1B,Category:Exploit,SubCategory:protocol-violation,Direction:Outbound, ResultStatus:May be successful,DetectionMechanism:signature,ApplicationProtocol:N/A,NetworkProtocol: N/A,Relevance:N/A,HostIsolationEndTime:N/A FortiSIEM 6.1.1 External Systems Configuration Guide 486 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) McAfee Stonesoft IPS l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected Network IPS alerts Used For Security Monitoring Event Types In ADMIN > Device Support > Event, search for "stonesoft" in the Device Type column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> McAfee Stonesoft IPS See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 487 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Configuration Syslog FortiSIEM processes events from this device via CEF formatted syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. Example Syslog <6>CEF:0|McAfee|IPS|5.4.3|70018|Connection_Allowed|0|spt=123 deviceExternalId=STP-NY-FOO01 node 1 dmac=84:B2:61:DC:E1:31 dst=169.132.200.3 cat=System Situations app=NTP (UDP) rt=Apr 08 2016 00:26:13 deviceFacility=Inspection act=Allow deviceOutboundInterface=Interface #5 deviceInboundInterface=Interface #4 proto=17 dpt=123 src=10.64.9.3 dvc=12.17.2.17 dvchost=12.17.2.17 smac=78:DA:6E:0D:FF:C0 cs1Label=RuleId cs1=2097152.6 FortiSIEM 6.1.1 External Systems Configuration Guide 488 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Motorola AirDefense What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected Wireless IDS logs Used For Security Monitoring Event Types About 37 event types covering various Wireless attack scenarios - search for them by entering "Motorola-AirDefense" in ADMIN > Device Support > Event. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Motorola AirDefense See Access Credentials See Access Credentials See Password Configuration Configuration Configure the device to send logs to FortiSIEM. Make sure that the format is as follows. Nov 8 18:48:00 Time=2014-10-29T05:39:00,Category=Rogue Activity,CriticalityLevel=Severe,Desc=Rogue AP on Wired Network,device=00:22:cf:5d:ee:60 (00:22:cf:5d:ee:60),sensor=fc:0a:81:12:7b:4b(COMP-SENS302EA[a,b,g,n]) Nov 12 13:33:00 Time=2015-11- FortiSIEM 6.1.1 External Systems Configuration Guide 489 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) 12T08:47:00,Category=Exploits,CriticalityLevel=Critical,Desc=NAV Attack CTS,device=5c:0e:8b:cb:d5:40(5c:0e:8b:cb:d5:40),sensor=fc:0a:81:12:77:3f(COMP-SENS201EA [a,b,g,n]) FortiSIEM 6.1.1 External Systems Configuration Guide 490 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Nozomi l What is Discovered and Monitored l Event Types l Rules l Reports l Configuring Syslog on Nozomi What is Discovered and Monitored Protocol Syslog Information discovered Device type Metrics collected Node detection, protocol information, network changes Used for Security and Compliance Event Types In ADMIN > Device Support > Event, search for "Nozomi" in the Name and Description columns to see the event types associated with this device. Rules There are no specific rules for Nozomi, however rules that match the Event Type Groups associated with Nozomi Events may trigger. Reports There are no specific Reports for Nozomi, however reports that match the Event Type Groups associated with Nozomi Events may return results. Configuring Syslog on Nozomi 1. Log in to the Guardian console. 2. Navigate to Administration->Data Integration. 3. Press +Add on the right side of the screen. 4. Select the Common Event Format (CEF) from the drop down. FortiSIEM 6.1.1 External Systems Configuration Guide 491 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) 5. You should see the data entry screen. 6. Enter the appropriate host information. For example udp://<FortiSIEM IP>:514. 7. Select Enable sending Alerts and/or Enable sending Audit Logs and/or Enable sending Health Logs. 8. Press New Endpoint. FortiSIEM 6.1.1 External Systems Configuration Guide 492 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Radware DefensePro l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration What is Discovered and Monitored Protocol Syslog Information Discovered Data Collected Over 120 event types Used for Security and Compliance Event Types In RESOURCE > Event Types, Search for "Radware-DefensePro". Sample Event Type: <132>DefensePro: 13-09-2017 15:03:21 WARNING 12572 Intrusions "SIP-Scanner-SIPVicious" UDP 1.1.1.1 29992 1.1.1.2 5060 15 Regular "GSN_Web" occur 1 3 N/A 0 N/A high drop FFFFFFFF-FFFFFFFF-9C94-000F57F7595F <132>DefensePro: 13-09-2017 15:18:45 WARNING 150 HttpFlood "HTTP Page Flood Attack" TCP 1.1.1.3 0 1.1.1.4 80 0 Regular "President-1.1.1.4" ongoing 100 0 N/A 0 N/A medium forward FFFFFFFF-FFFF-FFFF-9CCF-000F57F7595F <132>DefensePro: 13-09-2017 14:37:53 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 1.1.1.5 80 0 Regular "GSN_Web" ongoing 1 0 N/A 0 N/A medium challenge FFFFFFFF-FFFF-FFFF9C46-000F57F7595F <134>DefensePro: 13-09-2017 13:56:34 INFO Configuration Auditing manage syslog destinations create 172.16.10.207 -f "Local Use 0", ACTION: Create by user public via SNMP source IP 1.1.1.6 Rules There are no specific rules but generic rules for Network IPS and Generic Servers apply. Reports There are no specific reports but generic rules for Network IPS and Generic Servers apply. FortiSIEM 6.1.1 External Systems Configuration Guide 493 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Configuration Configure Radware DefensePro Security Manager to send syslog on port 514 to FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 494 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Snort Intrusion Prevention System l What is Discovered and Monitored l Event Types l Configuration l JDBC l SNMP Access to the Database Server l Debugging Snort Database Connectivity l Examples of Snort IPS Events Pulled over JDBC l Viewing Snort Packet Payloads in Reports l Exporting Snort IPS Packets as a PCAP File l Settings for Access Credentials What is Discovered and Monitored Protocol Information Discovered Metrics Collected Syslog JDBC Generic information: signature ID, signature name, sensor ID, event occur time, signature priority TCP: packet header, including source IP address, destination IP address, Source Port, Destination Port, TCP Sequence Number, TCP Ack Number, TCP Offset, TCP Reserved, TCP Flags, TCP Window size, TCP Checksum, tTCP Urgent Pointer; and packet payload UDP: packet header, including source IP address, destination IP address, Source Port, Destination Port, UDP Length, checksum; and packet payload ICMP: packet header, including source IP address, destination IP address, ICMP Type, ICMP Code, Checksum, ICMP ID, Sequence Number; and packet payload SNMP (for access to the database server hosting the Snort database) Used For Event Types In ADMIN > Device Support > Event Types, search for "snort-org" to see the event types associated with this device. FortiSIEM 6.1.1 External Systems Configuration Guide 495 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Configuration Syslog Collecting event information from Snort via syslog has two drawbacks: 1. It is not reliable because it is sent over UDP. 2. Information content is limited because of UDP packet size limit. For these reasons, you should consider using JDBC to collect event information from Snort. These instructions illustrate how to configure Snort on Linux to send syslog to FortiSIEM. For further information, you should consult the Snort product documentation. 1. Log in to your Linux server where Snort is installed. 2. Navigate to and open the file /etc/snort/snort.conf. 3. Modify alert_syslog to use a local log facility, for example: output alert_syslog: LOG_LOCAL4 LOG_ALERT 4. Navigate to and open the file /etc/syslog.conf. 5. Add a redirector to send syslog to FortiSIEM. #Snort log to local4 #local4.* /var/log/snort.log #local4.*@192.168.20.41 local4.alert@10.1.2.171 6. Restart the Snort daemon. Example Parsed Snort Syslog <161>snort[2242]: [1:206:9] BACKDOOR DeepThroat 3.1 CD ROM Open Client Request [Classification: Misc activity] [Priority: 3]: {UDP} 192.168.19.1:6555 -> 172.16.2.5:514 <161>snort[5774]: [1:1560:6] WEB-MISC /doc/ access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.53:41218 -> 192.168.0.26:80 <161>snort[5774]: [1:466:4] ICMP L3retriever Ping [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.20.49 -> 192.168.0.10 <161>snort[5774]: [1:1417:9] SNMP request udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.168.20.40:1061 -> 192.168.20.2:161 JDBC Supported Databases and Snort Database Schemas When using JDBC to collect IPS information from Snort, FortiSIEM can capture a full packet that is detailed enough to recreate the packet via a PCAP file. FortiSIEM supports collecting Snort event information over JDBC these database types: l Oracle l MS SQL FortiSIEM 6.1.1 External Systems Configuration Guide 496 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) l MySql l PostgreSQL FortiSIEM supports Snort database schema 107 or higher. SNMP Access to the Database Server You must set up an SNMP access credential for the server that hosts the Snort database. See the topics under Database Server Configuration for information on setting up SNMP for communication with FortiSIEM for several common types of database servers. Once you have set up SNMP on your database server, you can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Debugging Snort Database Connectivity Snort IPS alert are pulled over JDBC by a Java agent, which has to join multiple database tables to create the events. An internal log file is created for each pull. 2012-08-07T10:02:27.576777+08:00 AO-foo java:[PH_JAVA_AGENT_INFO]:[eventSeverity]=PHL_INFO, [procName]=phAgentManager,[fileName]=AgentSnort,[phLogDetail]=10.1.20.51:ICMP:Max record id:17848444 Total records in one round of pulling:20 At most 1000 database records (IPS Alerts) are pulled at a time. If FortiSIEM finds more than 1000 new records, then it begins to fall behind and this log is created. 2012-08-07T10:02:27.576777+08:00 AO-foo java:[PH_JAVA_AGENT_INFO]:[eventSeverity]=PHL_INFO, [procName]=phAgentManager,[fileName]=AgentSnort,[phLogDetail]=Event count of snort exceeds the threshold in one round of pulling, which means there may be more events need to be pulled. Examples of Snort IPS Events Pulled over JDBC l UDP Event l TCP Event UDP Event <134>Feb 25 14:27:56 10.1.2.36 java: [Snort-1417]:[eventSeverity]=PHL_INFO, [relayDevIpAddr]=10.1.2.36,[ipsSensorId]=1,[snortEventId]=10343430, [sensorHostname]=10.1.2.36,[signatureId]=1417,[eventName]=SNMP request udp, [eventSeverity]=2,[eventTime]=2012-11-07 17:56:51.0,[srcIpAddr]=10.1.2.245, [destIpAddr]=10.1.2.36,[ipVersion]=4,[ipHeaderLength]=5,[tos]=0,[ipTotalLength]=75,[ipId]=0, [ipFlags]=0,[ipFragOffset]=0,[ipTtl]=64,[ipProto]=17,[ipChecksum]=8584,[srcIpPort]=35876, [destIpPort]=161,[udpLen]=55,[checksum]=39621, [dataPayload]=302D02010104067075626C6963A520... FortiSIEM 6.1.1 External Systems Configuration Guide 497 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) TCP Event <134>Aug 08 09:30:59 10.1.20.51 java: [Snort-1000001]:[eventSeverity]=PHL_INFO,[hostIpAddr]=10.1.20.51,[sensorId]=1, [eventId]=17897184,[signatureId]=1000001,[signatureName]=Snort Alert [1:1000001:0],[signaturePri]=null,[eventTime]=2012-08-08 09:26:24.0,[srcIpAddr]=10.1.2.99,[destIpAddr]=10.1.20.51,[srcIpPort]=52314,[destIpPort]=80, [seqNum]=967675661,[tcpAckNum]=3996354107,[tcpOffset]=5,[tcpReserved]=0,[tcpFlags]=24, [tcpWin]=16695,[checksum]=57367,[tcpUrgentPointer]=0, [dataPayload]=474554202F66617669636F6E2E69636F204... Viewing Snort Packet Payloads in Reports FortiSIEM creates an event for each IPS alert in Snort database. You can view the full payload packet associated with a Snort event when you run a report. 1. Set up a structured historical search. 2. Set these conditions, where Reporting IP is an IP belonging to the Snort Application group. Attribute Operator Value Reporting IP IN Applications: Network IPS App 3. For Display Fields, include Data Payload. When you run the query, Data Payload will be one one of the display columns. 4. When the query runs, select an event, and the data payload will display at the bottom of the search results in a byteby-byte ethereal/wireshark format. Exporting Snort IPS Packets as a PCAP File After running a report, click the Export button and choose the PCAP option. Settings for Access Credentials l Access Credentials for JDBC l Access Credentials for SNMP, Telnet, SSH Access Credentials for JDBC Set these Access Method Definition values to allow FortiSIEM to communicate with your Snort IPS over JDBC. Setting Name Device Type Value <database type>-snort-BT Select the type of database that you are connecting to for Snort alerts FortiSIEM 6.1.1 External Systems Configuration Guide 498 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Setting Access Protocol Used For Pull Interval (minutes) Port Database Name User Name Password Value JDBC Snort Audit 1 3306 The name of the database The administrative user for the Snort database The password associated with the administrative user Access Credentials for SNMP, Telnet, SSH Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP, Telnet, or SSH. Setting Name Device Type Access Protocol Port Password config Value <set name> Snort-org Snort IPS See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 499 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Sourcefire 3D and Defense Center l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Information Discovered Metrics Collected Syslog Used For Event Types In ADMIN > Device Support > Event, search for "sourcefire" in the Description column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Sourcefire Sourcefire3D IPS See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 500 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Configuration Syslog FortiSIEM handles SourceFire alerts via syslog either from IPS appliances themselves or from DefenseCenter. Events are classified as Snort event types. Simply configure SourceFire appliances or DefenseCenter to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. l For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance. l For Port, enter 514. l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example. Sample Syslog from SourceFire3D IPS <188>Jul 4 15:07:01 Sourcefire3D Snort: [119:15:1] http_inspect: OVERSIZE REQUEST-URI DIRECTORY [Impact: Unknown] From DetectionEngine_IPS_DMZ2/SourcefireIPS at Thu Jul 4 15:07:01 2013 UTC [Classification: Potentially Bad Traffic] [Priority: 2] {tcp} 10.20.1.12:57689->1.1.1.1:80 Sample Syslog from SourceFire DefenseCenter <46>Jul 17 16:01:54 DefenseCenter SFAppliance: [1:7070:14] "POLICY-OTHER script tag in URI likely cross-site scripting attempt" [Impact: Potentially Vulnerable] From "10.134.96.172" at Wed Jul 17 16:01:52 2013 UTC [Classification: Web Application Attack] [Priority: 1] {tcp} 1.2.3.4:60537->2.3.4.5:80 FortiSIEM 6.1.1 External Systems Configuration Guide 501 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Trend Micro Deep Discovery l Integration Points l Configuration l Settings for Access Credentials l Sample Events Integration Points Method Syslog Information discovered Host name, Reporting IP Metrics collected None LOGs collected Malicious file detection Used for Security monitoring Event Types In ADMIN > Device Support > Event, search for " Trend-DeepDiscoveryAnalyzer " and "TrendDeepDiscoveryInspector" to see the event types associated with this device. Rules No specific rules are written for Trend-DeepDiscoveryAnalyzer and Trend-DeepDiscoveryInspector but regular end point rules apply. Reports No specific reports are written for Trend-DeepDiscoveryAnalyzer and Trend-DeepDiscoveryInspector but regular end point reports apply. Configuration Configure Trend Deep Discovery system to send logs to FortiSIEM in the supported format (see Sample Events). Settings for Access Credentials None required. Sample Events <123>CEF:0|Trend Micro|Deep Discovery Inspector|3.8.1175|20|Malware URL requested - Type 1|6| dvc=10.0.1.50 dvcmac=00:0C:29:A6:53:0C dvchost=ddi38-143 deviceExternalId=6B593E17AFB7-40FBBB28-A4CE-0462-A536 rt=Mar 09 2015 11:58:25 GMT+08:00 app=HTTP deviceDirection=1 dhost=www.example.com dst=10.10.11.99 dpt=80 dmac=00:1b:21:35:8b:98 shost=10.1.1.97 src=10.1.1.197 spt=12121 smac=fe:ed:be:ef:5a:c6 FortiSIEM 6.1.1 External Systems Configuration Guide 502 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) cs3Label=HostName_Ext cs3=www.example.com fname=setting.doc fileType=0 fsize=0 act=not blocked cn3Label=Threat Type cn3=1 destinationTranslatedAddress=10.1.1.2 sourceTranslatedAddress=10.1.1.197 cnt=1 cs5Label=CCCA_DetectionSource cs5=GLOBAL_INTELLIGENCE cn1Label=CCCA_Detection cn1=1 cat=Callback cs6Label=pAttackPhase cs6=Command and Control Communication FortiSIEM 6.1.1 External Systems Configuration Guide 503 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Zeek (Bro) Installed on Security Onion Bro/Zeek is an OpenSource network analysis product that is also installed as part of Security Onion. l What is Discovered and Monitored l Configuration l Sample Events What is Discovered and Monitored Protocol Syslog Information Discovered Metrics collected Used for Event Collection Event Types l Bro-dhcp /Regular Traffic/Permit - Traffic A DHCP conversation l Bro-dns /Regular Traffic/Permit - Traffic DNS activity log l Bro-conn /Regular Traffic/Permit - Traffic TCP/UDP/ICMP connections l Bro-app_stats /Info - Statistics about APP l Bro-radius /Info - RADIUS analysis activity l Bro-known_devices /Info - Bro known devices Rules Generic Rules matching categories. Reports Generic Reports matching categories. Configuration Complete the following task on Onion Security, as this is crucial to get the headers working in the parser: Add the following code in the /etc/syslog-ng/syslog-ng.conf file, but change <IP> to the IP of the FortiSIEM Super/Worker/Collector which will receive the syslog: destination d_fortisiem { tcp("<IP>" port(514));}; log { source(s_bro_dns); source(s_bro_dhcp); log { filter(f_bro_headers); }; log { destination(d_fortisiem);}; }; FortiSIEM 6.1.1 External Systems Configuration Guide 504 Fortinet Technologies Inc. Network Intrusion Prevention Systems (IPS) Sample Events <13>Mar 25 11:02:24 sec-sensor-ps bro_dns: {"ts":"2019-0325T11:02:22.485187Z","uid":"CEBf4c2FoLEBtbPLn6","id.orig_h":"10.8.20.21","id.orig_ p":50837,"id.resp_h":"10.8.1.203","id.resp_p":53,"proto":"udp","trans_ id":25959,"rtt":0.000357,"query":"tsomething.my.somewhere.com","qclass":1,"qclass_name":"C_ INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_ name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["um1.my. somewhere.com","um1-lo3.my. somewhere.com","um1-lo3.lo3.r.my. somewhere.com","55.66.8.24","55.66.8.152","55.66.9.24"],"TTLs": [136.0,5.0,146.0,5.0,5.0,5.0],"rejected":false} FortiSIEM 6.1.1 External Systems Configuration Guide 505 Fortinet Technologies Inc. Routers and Switches FortiSIEM supports these routers and switches for discovery and monitoring. l Alcatel TiMOS and AOS Switch l Arista Router and Switch l Brocade NetIron CER Routers l Cisco 300 Series Routers l Cisco IOS Router and Switch l How CPU and Memory Utilization is Collected for Cisco IOS l Cisco Meraki Cloud Controller and Network Devices l Cisco NX-OS Router and Switch l Cisco ONS l Cisco Viptela SDWAN Router l Dell Force10 Router and Switch l Dell NSeries Switch l Dell PowerConnect Switch and Router l Foundry Networks IronWare Router and Switch l HP/3Com ComWare Switch l HP ProCurve Switch l HP Value Series (19xx) and HP 3Com (29xx) Switch l Hirschmann SCADA Firewalls and Switches l Juniper Networks JunOS Switch l MikroTik Router l Nortel ERS and Passport Switch FortiSIEM 6.1.1 External Systems Configuration Guide 506 Fortinet Technologies Inc. Alcatel TiMOS and AOS Switch l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c) SNMP (V1, V2c) SNMP (V1, V2c, V3) Information Discovered Metrics collected Used for Host name, Software version, Hardware model, Network interfaces Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Availability and Performance Monitoring Hardware status: Power Supply, Fan, Temperature Availability Layer 2 port mapping: associating switch ports to directly connected host IP/MAC addresses Identity and location table; Topology Event Types In ADMIN > Device Support > Event, search for "alcatel" in the Device Type and Description columns to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the FortiSIEM 6.1.1 External Systems Configuration Guide 507 Fortinet Technologies Inc. Routers and Switches User Guide. Settings for Access Credentials SNMP Access Credentials for All Devices Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> FortiSIEM 6.1.1 External Systems Configuration Guide 508 Fortinet Technologies Inc. Routers and Switches Arista Router and Switch l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c) Telnet/SSH Information Discovered Metrics collected Used for Host name, Serial number, Software version, Hardware model, Network interfaces, Hardware Components Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), CPU utilization, Memory utilization, Flash utilization, Hardware Status Availability and Performance Monitoring Running and Startup configurations Startup Configuration Change, Difference between Running and Startup configurations Change monitoring Event Types There are no event types defined specifically for this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration Telnet/SSH FortiSIEM uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH. These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device. l show startup-config l show running-config l show version l show ip route FortiSIEM 6.1.1 External Systems Configuration Guide 509 Fortinet Technologies Inc. Routers and Switches l enable l terminal pager 0 SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials SNMP Access Credentials for All Devices Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> Telnet Access Credentials for All Devices These are the generic settings for providing Telnet access to your device from FortiSIEM. Setting Name Device Type Access Protocol Port User Name Password Value Telnet-generic generic Telnet 23 A user who has permission to access the device over Telnet The password associated with the user SSH Access Credentials for All Devices These are the generic settings for providing SSH access to your device from FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 510 Fortinet Technologies Inc. Routers and Switches Setting Name Device Type Access Protocol Port User Name Password Value ssh-generic Generic SSH 22 A user who has access credentials for your device over SSH The password for the user FortiSIEM 6.1.1 External Systems Configuration Guide 511 Fortinet Technologies Inc. Routers and Switches Brocade NetIron CER Routers l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c) Information Discovered Metrics collected Host name, software version, Hardware model, Network interfaces CPU, Memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware Status, Real Server Status Used for Availability and Performance Monitoring Event Types There are no event types defined specifically for this device. Rules There are no predefined rules specifically for this device. Reports There are no predefined reports specifically for this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. FortiSIEM 6.1.1 External Systems Configuration Guide 512 Fortinet Technologies Inc. Routers and Switches Setting Name Device Type Access Protocol Port Password config Value <set name> Brocade NetIron CER See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 513 Fortinet Technologies Inc. Routers and Switches Cisco 300 Series Routers l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c) Information Discovered Metrics collected Host name, software version, Hardware model, Network interfaces Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards, and queue lengths) Used for Availability and Performance Monitoring Event Types There are no event types defined specifically for this device. Rules There are no predefined rules specifically for this device. Reports There are no predefined reports specifically for this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide FortiSIEM 6.1.1 External Systems Configuration Guide 514 Fortinet Technologies Inc. Routers and Switches Settings for Access Credentials SNMP Access Credentials for All Devices Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> FortiSIEM 6.1.1 External Systems Configuration Guide 515 Fortinet Technologies Inc. Routers and Switches Cisco IOS Router and Switch l What is Discovered and Monitored l Event Types l Configuration l Settings for Access Credentials Issue with Generic Serial Numbers in Older Versions of Cisco IOS Routers FortiSIEM uses serial numbers to uniquely identify a device. For older routers, the serial number is obtained from the OID 1.3.6.1.4.1.9.3.6.3.0. However, this value is often incorrectly set by default to a generic value like MSFC 2A. If multiple routers have a common default value, then these routers will be merged into a single entry in the FortiSIEM CMDB. You can check the current value for the serial number in a Cisco router by doing a SNMP walk of the OID. snmpwalk -v2c -c <cred> <ip> 1.3.6.1.4.1.9.3.6.3.0 If the value is a generic value, then set it to the actual serial number. Router(config)#snmp-server chassis-id Router(config)#exit Router#write memory Run the snmpwalk again to verify that the serial number is updated, then perform discovery of your Cisco router. What is Discovered and Monitored Protocol SNMP (V1, V2c, V3) SNMP (V1, V2c, V3) Information Discovered Metrics collected Host name, IOS version, Hardware model, Memory size, Network interface details name, address, mask and description Uptime, CPU and Memory utilization, Free processor and I/O memory, Free contiguous processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware component details: serial number, model, manufacturer, software firmware versions of hardware components such as chassis, CPU, Hardware health: temperature, fan and power supply Used for Availability and Performance Monitoring Availability FortiSIEM 6.1.1 External Systems Configuration Guide 516 Fortinet Technologies Inc. Routers and Switches Protocol SNMP (V1, V2c, V3) SNMP (V1, V2c, V3) SNMP (V1, V2c, V3) SNMP (V1, V2c, V3) SNMP (V1, V2c, V3) SNMP (V1, V2c, V3) Telnet/SSH Information Discovered Metrics collected Used for fan, power supply, network cards etc. Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association Topology and end-host location BGP connectivity, neighbors, state, AS number BGP state change Routing Topology, Availability Monitoring OSPF connectivity, neighbors, state, OSPF Area OSPF state change Routing Topology, Availability Monitoring IP SLA and VoIP performance metrics: Max/Min/Avg Delay and Jitter - both overall and Source->Destination and Destination->Source, Packets Lost - both overall and Source->Destination and Destination->Source, Packets Missing in Action, Packets Late, Packets out of sequence, VoIP Mean Opinion Score (MOS), VoIP Calculated Planning Impairment Factor (ICPIF) score VoIP Performance Monitoring Class based QoS metrics (from CISCO-CLASS-BASEDQOS-MIB): For (router interface, policy, class map) tuple: class map metrics including Pre-policy rate, post-police rate, drop rate and drop pct; police action metrics including conform rate, exceeded rate and violated rate; queue metrics including current queue length, max queue length and discarded packets QoS performance monitoring NBAR metrics (from CISCO-NBAR-PROTOCOLDISCOVERY-MIB): For each interface and application, sent/receive flows, sent/receive bytes, sent/receive bits/sec Performance Monitoring Running and startup configuration, Image file name, Startup configuration change, delta between running and startup configuration, Running process CPU and memory utilization Performance Monitoring, Security and FortiSIEM 6.1.1 External Systems Configuration Guide 517 Fortinet Technologies Inc. Routers and Switches Protocol Syslog Information Discovered Metrics collected Flash memory size, Running processes Device type System logs and traffic logs matching acl statements Used for Compliance Availability, Security and Compliance Event Types Syslog events In ADMIN > Device Support > Event, search for "cisco_os" in the Description column to see the event types associated with this device. Rules Reports Configuration Telnet/SSH FortiSIEM uses SSH and Telnet to communicate with your device. Follow the instructions in the product documentation for your device to enable SSH and Telnet. These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device. l show startup-config l show running-config l show version l show flash l show ip route l show mac-address-table or show mac address-table l show vlan brief l show process cpu l show process mem l show disk0 l enable l terminal pager 0 FortiSIEM 6.1.1 External Systems Configuration Guide 518 Fortinet Technologies Inc. Routers and Switches SNMP SNMP V1/V2c 1. Log in to the Cisco IOS console or telnet to the device. 2. Enter configuration mode. 3. Create an access list for FortiSIEM. access-list 10 permit <FortiSIEM IP> 4. Set up community strings and access lists. snmp-server community <community string> ro 10 5. Exit configuration mode. SNMP V3 1. Log in to the Cisco IOS console or telnet to the device. 2. Enter configuration mode. 3. Create an access list for FortiSIEM. access-list 10 permit <FortiSIEM IP> 4. Set up SNMP credentials for Authentication only. snmp-server group <grpName> v3 auth #do this for every VLAN for FortiSIEM to discover per VLAN information such Spanning Tree and VTP MIBs snmp-server group <grpName> v3 auth context vlan-<vlanId>snmp-server user <userName> <grpName> v3 auth md5 <password> access 10 5. Set up SNMP credentials for Authentication and Encryption. snmp-server group <grpName> v3 priv #do this for every VLAN for FortiSIEM to discover per VLAN information such Spanning Tree and VTP MIBs snmp-server group <grpName> v3 auth context vlan-<vlanId>snmp-server group <grpName> v3 priv context vlan-<vlanId>snmp-server user <userName> <grpName> v3 auth md5 <password> priv des56 <password> access 10 6. Exit configuration mode. Syslog 1. Login to the Cisco IOS console or telnet to the device. 2. Enter configuration mode. 3. Enable logging with these commands. logging on logging trap informational logging <FortiSIEM IP> FortiSIEM 6.1.1 External Systems Configuration Guide 519 Fortinet Technologies Inc. Routers and Switches 4. Make sure that the timestamp in syslog message sent to FortiSIEM does not contain milliseconds. no service timestamps log datetime msec service timestamps log datetime 5. To log traffic matching acl statements in stateless firewall scenarios, add the log keyword to the acl statements. access-list 102 deny udp any gt 0 any gt 0 log 6. To turn on logging from the IOS Firewall module, use this command. ip inspect audit-trail 7. Exit configuration mode. Sample Cisco IOS Syslog Messages <190>109219: Jan 9 18:03:35.281: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (192.168.20.33:1876) -- responder (192.168.0.10:445) <190>263951: 2w6d: %SEC-6-IPACCESSLOGP: list permit-any permitted udp 192.168.20.35(0) -> 192.168.23.255(0), 1 packet <188>84354: Dec 6 08:15:20: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] [Source: 192.168.135.125] [localport: 80] [Reason: Login Authentication Failed - BadPassword] at 08:15:20 PST Mon Dec 6 2010 <189>217: May 12 13:57:23.720: %SYS-5-CONFIG_I: Configured from console by vty1 (192.168.29.8) <189>Oct 27 20:18:43.254 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP request from host 192.168.2.98 NetFlow Enable NetFlow on the Router 1. Enter configuration mode. 2. For every interface, run this command. interface <interface> <interface_number>ip route-cache flow exit Set Up NetFlow Export 1. Enter configuration mode. 2. Run these commands. ip flow-export version 5|9 ip flow-export destination <Accelops IP> 2055 ip flow-export source <interface> <interface_number>ip flow-cache timeout active 1 ip flow-cache timeout inactive 15 snmp-server ifindex persist On MLS switches, such as the 6500 or 7200 models, also run these commands. FortiSIEM 6.1.1 External Systems Configuration Guide 520 Fortinet Technologies Inc. Routers and Switches mls netflow mls nde sender mls aging long 64 mls flow ip full Exit configuration mode You can verify that you have set up NetFlow correctly by running these commands. #shows the current NetFlow configuration show ip flow export #summarizes the active flows and gives an indication of how much NetFlow data the device is exporting show ip cache flow or show ip cache verbose flow Sample Flexible Netflow Configuration in IOS flow exporter e1 ! destination is the collector address, default port needs to be changed to 2055 destination <accelopsIp> transport udp 2055 ! flow record r1 ! record specifies packet fields to collect match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input collect transport tcp flags collect interface output collect counter bytes collect counter packets ! flow monitor m1 ! monitor refers record configuration and exporter configuration. record r1 exporter e1 cache timeout active 60 cache timeout inactive 30 cache entries 1000 ! interface GigabitEthernet 2/48 ip flow monitor m1 input IP SLA IP SLA is a technology where a pair of routers can run synthetic tests between themselves and report detailed traffic statistics. This enables network administrators to get performance reports between sites without depending on end-host instrumentation. FortiSIEM 6.1.1 External Systems Configuration Guide 521 Fortinet Technologies Inc. Routers and Switches Cisco provides detailed documents for configuring IP SLA for both general traffic and VoIP. A variety of IP SLA tests can be run, for example UDP/ICMP Jitter, UDP Jitter for VoIP, UDP/ICMP Echo, TCP Connect, HTTP, etc. You can see the traffic statistics for these these tests by routing appropriate Show commands on the router. However, only these IP SLA tests are exported via RTT-MON SNMP MIB. l UDP Jitter (reported by FortiSIEM event type PH_DEV_MON_IPSLA_MET) l UDP Jitter for VoIP (reported by FortiSIEM event type PH_DEV_MON_IPSLA_VOIP_MET) l HTTP performance (reported by FortiSIEM event type PH_DEV_MON_IPSLA_HTTP_MET) l ICMP Echo (reported by FortiSIEM event type PH_DEV_MON_IPSLA_ICMP_MET) l UDP Echo (reported by FortiSIEM event type PH_DEV_MON_IPSLA_UDP_MET) These are the only IP SLA tests monitored by FortiSIEM. Configuring IP SLA involves choosing and configuring a router to initiate the test and a router to respond. The test statistics are automatically reported by the initiating router via SNMP, so no additional configuration is required. Bidirectional traffic statistics are also reported by the initiating router, so you don't need to set up a reverse test between the original initiating and responding routers. FortiSIEM automatically detects the presence of the IP SLA SNMP MIB (CISCO-RTTMON-MIB) and starts collecting the statistics. Configuring IP SLA Initiator for UDP Jitter ipsla-init>enable ipsla-init#config terminal ipsla-init(config)#ip sla monitor <operation num>ipsla-init(config-sla-monitor)#type jitter dest-ipaddr <responder ip> dest-port <dest port>ipsla-init(config-sla-monitorjitter)#frequency default ipsla-init(config-sla-monitor-jitter)#exit ipsla-init(config)# ip sla monitor schedule <operation num> start-time now life forever Configuring IP SLA Initiator for UDP Jitter for VoIP ipsla-init>enable ipsla-init#config terminal ipsla-init(config)#ip sla monitor <operation num>ipsla-init(config-sla-monitor)#type jitter dest-ipaddr <responder ip> dest-port <dest port> codec <codec type> advantage-factor 0 ipsla-init(config-sla-monitor-jitter)#frequency default ipsla-init(config-sla-monitor-jitter)#exit ipsla-init(config)# ip sla monitor schedule <operation num> start-time now life forever Configuring IP SLA Initiator for ICMP Echo Operation Router> enable Router# configure terminal Router(config)# ip sla monitor 15 Router(config-sla-monitor)# type echo protocol ipIcmpEcho <destination-ip-address>Router (config-sla-monitor-echo)# frequency 30 Router(config-sla-monitor-echo)# exit Router(config)# ip sla monitor schedule 10 start-time now life forever Router(config)# exit FortiSIEM 6.1.1 External Systems Configuration Guide 522 Fortinet Technologies Inc. Routers and Switches Configuring the IP SLA Responder for All Cases ipsla-resp>enable ipsla-resp#config terminal ipsla-resp(config)#ip sla monitor responder Class-Based QoS CBQoS enables routers to enforce traffic dependent Quality of Service policies on router interfaces for to make sure that important traffic such as VoIP and mission critical applications get their allocated network resources. Cisco provides detailed documents for configuring IP SLA for both general traffic and VoIP. The CbQoS statistics are automatically reported by the router via SNMP, so no additional configuration is needs. FortiSIEM detects the presence of valid CBQoS MIBs and starts monitoring them. NBAR Cisco provides protocol discovery via NBAR configuration guide. Make sure that the CISCO-NBAR-PROTOCOL-DISCOVERY-MIB is enabled. Sample event generated by FortiSIEM [PH_DEV_MON_CISCO_NBAR_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceCisco.cpp, [lineNumber]=1644,[hostName]=R1.r1.accelops.com,[hostIpAddr]=10.1.20.59, [intfName]=Ethernet0/0,[appTransportProto]=snmp,[totFlows]=4752,[recvFlows]=3168, [sentFlows]=1584,[totBytes64]=510127,[recvBytes64]=277614,[sentBytes64]=232513, [totBitsPerSec]=22528.000000,[recvBitsPerSec]=12288.000000,[sentBitsPerSec]=10240.000000, [phLogDetail]= Settings for Access Credentials SNMP Access Credentials for All Devices These are the generic settings for providing SNMP access to your device from FortiSIEM. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> Telnet Access Credentials for All Devices These are the generic settings for providing Telnet access to your device from FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 523 Fortinet Technologies Inc. Routers and Switches Setting Name Device Type Access Protocol Port User Name Password Value Telnet-generic generic Telnet 23 A user who has access credentials for your device over Telnet The password associated with the user SSH Access Credentials for All Devices These are the generic settings for providing SSH access to your device from FortiSIEM. Setting Name Device Type Access Protocol Port User Name Password Value ssh-generic Generic SSH 22 A user who has access credentials for your device over SSH The password associated with the user FortiSIEM 6.1.1 External Systems Configuration Guide 524 Fortinet Technologies Inc. Routers and Switches How CPU and Memory Utilization is Collected for Cisco IOS FortiSIEM follows the process for collecting information about CPU utlization that is recommended by Cisco. l Monitoring CPU l Monitoring Memory using PROCESS-MIB Monitoring CPU The OID is 1.3.6.1.4.1.9.9.109.1.1.1.1.8. The issue there are multiple CPUs which ones to take? A sample SNMP walk for this OID looks like this SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.1 = Gauge32: 46 SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.2 = Gauge32: 22 SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.3 = Gauge32: 5 SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.4 = Gauge32: 4 Note that there are 4 CPUs indexed 1-4. We must identify Control plane CPU and Data plane CPU The cpu Id -> entity Id mapping from the following SNMP walk SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.1 = INTEGER: 3014 SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.2 = INTEGER: 3001 SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.3 = INTEGER: 1001 SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.4 = INTEGER: 7001 This provides the following cpu Id -> entity Id mapping 1 -> 3014 2 -> 3001 3 -> 1001 4 -> 7001 The following SNMP walk provides the names for each entity Id SNMPv2-SMI::mib-2.47.1.1.1.1.7.1001 = STRING: "Chassis 1 CPU of Module 2"SNMPv2-SMI::mib2.47.1.1.1.1.7.3001 = STRING: "Chassis 1 CPU of Switching Processor 5"SNMPv2-SMI::mib2.47.1.1.1.1.7.3014 = STRING: "Chassis 1 CPU of Routing Processor 5"SNMPv2-SMI::mib2.47.1.1.1.1.7.7001 = STRING: "Chassis 2 CPU of Module 2" Combining all this information, we finally obtain the CPU information for each object Chassis 1 CPU of Routing Processor 5 -> 46% Chassis 1 CPU of Switching Processor 5 -> 22% Chassis 1 CPU of Module 2 -> 5 Chassis 2 CPU of Module 2 -> 4% FortiSIEM reports utilization per cpu utilization [PH_DEV_MON_SYS_PER_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=9596,[cpuName]=Chassis 1 CPU of Routing Processor 5,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,[cpuUtil]=46.000000,[pollIntv]=176, [phLogDetail]= FortiSIEM 6.1.1 External Systems Configuration Guide 525 Fortinet Technologies Inc. Routers and Switches [PH_DEV_MON_SYS_PER_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=9596,[cpuName]=Chassis 1 CPU of Switching Processor 5,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,[cpuUtil]=22.000000,[pollIntv]=176, [phLogDetail]= PH_DEV_MON_SYS_PER_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=9596,[cpuName]=Chassis 1 CPU of Module 2,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,[cpuUtil]=5.000000,[pollIntv]=176, [phLogDetail]= [PH_DEV_MON_SYS_PER_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=9596,[cpuName]=Chassis 2 CPU of Module 2,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,[cpuUtil]=4.000000,[pollIntv]=176, [phLogDetail]= To get the overall system CPU utilization, we average over "Switching and Routing CPUs"- so CPU Util = (46+22)/2 = 34% PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=9611,[cpuName]=RoutingCpu,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2, [cpuUtil]=34.0000,[pollIntv]=176,[phLogDetail]= Monitoring Memory using PROCESS-MIB The relevant OIDs are Used memory OID = 1.3.6.1.4.1.9.9.48.1.1.1.6 Free memory OID = 1.3.6.1.4.1.9.9.48.1.1.1.5 Memory Util = (Used memory) / (Used memory + Free memory) SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.1 = Gauge32: 87360992 <- Processor Memory Used SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.2 = Gauge32: 10715440 <- IO Memory Used SNMPv2-SMI::enterprises.9.9.48.1.1.1.6.1 = Gauge32: 2904976 <- Processor Memory Free SNMPv2-SMI::enterprises.9.9.48.1.1.1.6.2 = Gauge32: 1342944 <- IO Memory Free Therefore Used Memory = 98,076,432 Total Memory = 102,324,352 Memory Util = 96% FortiSIEM 6.1.1 External Systems Configuration Guide 526 Fortinet Technologies Inc. Routers and Switches Cisco Meraki Cloud Controller and Network Devices l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Cisco Meraki Devices are discoverable in either of the following ways l SNMP to the Cloud Controller l SNMP to each Network Device SNMP Traps can be sent from the Cloud Controller. Cisco Meraki Network Devices can also send logs directly to FortiSIEM. Protocol Information Discovered SNMP (V1, V2c) to Cloud Controller or Devices Host name, Software version, Hardware model, Network interfaces syslog from Meraki Firewalls SNMP Traps from Cloud Controller Metrics collected Used for Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Availability and Performance Monitoring Firewall logs Health Security Monitoring Availability Monitoring Event Types l Interface Utilization: PH_DEV_MON_NET_INTF_UTIL Rules Availability (from SNMP Trap) l Meraki Device Cellular Connection Disconnected l Meraki Device Down l Meraki Device IP Conflict l Meraki Device Interface Down l Meraki Device Port Cable Error l Meraki Device VPN Connectivity Down l Meraki Foreign AP Detected FortiSIEM 6.1.1 External Systems Configuration Guide 527 Fortinet Technologies Inc. Routers and Switches l Meraki New DHCP Server l Meraki New Splash User l Meraki No DHCP lease l Meraki Rogue DHCP Server l Meraki Unreachable Device l Meraki Unreachable RADIUS Server l Meraki VPN Failover Performance (Fixed threshold) l Network Intf Error Warning l Network Intf Error Critical l Network Intf Util Warning l Network Intf Util Critical Performance (Dynamic threshold based on baselines) l Sudden Increase in Network Interface Traffic l Sudden Increase in Network Interface Errors Reports None Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Cisco Meraki Cloud Controller See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 528 Fortinet Technologies Inc. Routers and Switches Cisco NX-OS Router and Switch l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c, V3) SNMP (V1, V2c, V3) SNMP (V1, V2c, V3) SNMP (V1, V2c, V3) SNMP (V1, V2c, V3) Information Discovered Metrics collected Used for Host name, IOS version, Hardware model, Memory size, Network interface details - name, address, mask and description Uptime, CPU and Memory utilization, Free processor and I/O memory, Free contiguous processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Availability and Performance Monitoring Hardware component details: serial number, model, manufacturer, software and firmware versions of hardware components such as chassis, CPU, fan, power supply, network cards etc. Hardware health: temperature, fan and power supply Availability Trunk port connectivity between switches and VLANs carried over a trunk port (via CDP MIB), ARP table Topology and end-host location BGP connectivity, neighbors, state, AS number BGP state change Routing Topology, Availability Monitoring OSPF connectivity, neighbors, state, OSPF Area OSPF state change Routing Topology, Availability Monitoring FortiSIEM 6.1.1 External Systems Configuration Guide 529 Fortinet Technologies Inc. Routers and Switches Protocol SNMP (V1, V2c, V3) Telnet/SSH Telnet/SSH Syslog Information Discovered Metrics collected Used for Class based QoS metrics: For (router interface, policy, class map) tuple: class map metrics including Prepolicy rate, post-police rate, drop rate and drop pct; police action metrics including conform rate, exceeded rate and violated rate; queue metrics including current queue length, max queue length and discarded packets QoS performance monitoring Running and startup configuration, Image file name, Flash memory size, Running processes Startup configuration change, delta between running and startup configuration, Running process CPU and memory utilization Performance Monitoring, Security and Compliance End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association Device type> System logs and traffic logs matching acl statements Availability, Security and Compliance Event Types In ADMIN > Device Support > Event, search for "nx-os" in the Device Type column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide FortiSIEM 6.1.1 External Systems Configuration Guide 530 Fortinet Technologies Inc. Routers and Switches Telnet/SSH FortiSIEM uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH. These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device. l show startup-config l show running-config l show version l show flash l show context l show ip route l show cam dynamic l show mac-address-table l show mac address-table (for Nexus 1000v) l show vlan brief l show process cpu l show process mem l show disk0 l enable l terminal length 0 Syslog FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. l For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance. l For Port, enter 514. l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example. NetFlow Enable NetFlow on the Router 1. Enter configuration mode. 2. Run this command. feature netflow Create a Flow Template and Define the Fields to Export You can can also try using the pre-defined NetFlow template. FortiSIEM 6.1.1 External Systems Configuration Guide 531 Fortinet Technologies Inc. Routers and Switches # show flow record netflow-original Flow record netflow-original: Description: Traditional IPv4 input NetFlow with origin ASs No. of users: 1 Template ID: 261 Fields: match ipv4 source address match ipv4 destination address match ip protocol match ip tos match transport source-port match transport destination-port match interface input match interface output match flow direction collect routing source as collect routing destination as collect routing next-hop address ipv4 collect transport tcp flags collect counter bytes collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime last Set up Netflow Exporter Run these commands. flow exporter FortiSIEMFlowAnalyzer description export netflow to FortiSIEM destination <FortiSIEMIp>export Version 9 transport udp 2055 source vlan613 Associate the Record to the Exporter Using a Flow Monitor In this example the flow monitor is called FortiSIEMMonitoring. Run these commands. flow monitor FortiSIEMMonitoring exporter FortiSIEMFlowAnalyzer record netflow-original Apply the Flow Monitor to Every Interface Run these commands. interface Vlan612 ip flow monitor Monitortac7000 input exit FortiSIEM 6.1.1 External Systems Configuration Guide 532 Fortinet Technologies Inc. Routers and Switches interface Vlan613 ip flow monitor Monitortac7000 input exit You can now check the configuration using the show commands. Settings for Access Credentials For SNMP, Telnet, and SSH access credentials, see Access Credentials. FortiSIEM 6.1.1 External Systems Configuration Guide 533 Fortinet Technologies Inc. Routers and Switches Cisco ONS l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol Information Discovered SNMP (V1, V2c) Host name, Serial Number, software version, Hardware model, Network interfaces, Hardware Components SNMP Trap Metrics collected Used for Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Availability and Performance Monitoring Alerts Availability and Performance Monitoring Event Types Over 1800 event types defined - search for "Cisco-ONS" in ADMIN > Device Support > Event. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. FortiSIEM 6.1.1 External Systems Configuration Guide 534 Fortinet Technologies Inc. Routers and Switches Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Cisco ONS See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 535 Fortinet Technologies Inc. Routers and Switches Cisco Viptela SDWAN Router l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration l Sample Events What is Discovered and Monitored Protocol Syslog Information Discovered Host name and Device Type from LOG Metrics/LOG collected Over 290 log types Used for Security and Compliance Event Types Go to Admin > Device Type > Event Types and search for "VIPTELA". Rules None Reports None Configuration Configure Cisco Viptela to send syslog in the supported format to FortiSIEM. No configuration is required in FortiSIEM. Sample Events <190>430: *Dec 9 05:41:47.025: %Cisco-SDWAN-Router-OMPD-6-INFO-400005: R0/0: OMPD: Number of vSmarts connected : 2 CDATA[<187>154: *Aug 23 19:57:51.681: %Cisco-SDWAN-RP_0-OMPD-3-ERRO-400002: R0/0: OMPD: vSmart peer 1.1.1.5 state changed to Init FortiSIEM 6.1.1 External Systems Configuration Guide 536 Fortinet Technologies Inc. Routers and Switches Dell Force10 Router and Switch l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c) Telnet/SSH Information Discovered Host name, Serial number, Software version, Hardware model, Network interfaces, Hardware Components Running and Startup configurations Metrics collected Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), CPU utilization, Hardware Status Startup Configuration Change, Difference between Running and Startup configurations Used for Availability and Performance Monitoring Change monitoring Event Types In ADMIN > Device Support > Event, search for "force10" in the Description column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. TelNet/SSH FortiSIEM uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH. FortiSIEM 6.1.1 External Systems Configuration Guide 537 Fortinet Technologies Inc. Routers and Switches These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device. To initiate discovery and monitoring of your device over this protocol, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. l show startup-config l show running-config l show version l show ip route l enable l terminal pager 0 Settings for Access Credentials SNMP Access Credentials for All Devices Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> Telnet Access Credentials for All Devices These are the generic settings for providing Telnet access to your device from FortiSIEM Setting Name Device Type Access Protocol Port User Name Password Value Telnet-generic generic Telnet 23 A user who has permission to access the device over Telnet The password associated with the user SSH Access Credentials for All Devices These are the generic settings for providing SSH access to your device from FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 538 Fortinet Technologies Inc. Routers and Switches Setting Name Device Type Access Protocol Port User Name Password Value ssh-generic Generic SSH 22 A user who has access credentials for your device over SSH The password for the user FortiSIEM 6.1.1 External Systems Configuration Guide 539 Fortinet Technologies Inc. Routers and Switches Dell NSeries Switch l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c) SNMP (V1, V2c) SSH Information Discovered Metrics collected Host name, software version, Hardware model, Network interfaces, Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Hardware Status (Power Supply, Fan) Configuration Used for Availability and Performance Monitoring Availability Monitoring Change management Event Types l CPU Monitoring: PH_DEV_MON_SYS_CPU_UTIL l Memory Monitoring: PH_DEV_MON_SYS_MEM_UTIL l Interface Utilization: PH_DEV_MON_NET_INTF_UTIL l Hardware Status: PH_DEV_MON_HW_STATUS l Configuration Change: PH_DEV_MON_CHANGE_STARTUP_CONFIG Rules Availability l Network Device Degraded - Lossy Ping Response l Network Device Down - no ping response l Network Device Interface Flapping l Critical Network Device Interface Staying Down l Non-critical Network Device Interface Staying Down l Network Device Hardware Warning l Network Device Hardware Critical FortiSIEM 6.1.1 External Systems Configuration Guide 540 Fortinet Technologies Inc. Routers and Switches Performance (Fixed threshold) l Network CPU Warning l Network CPU Critical l Network Memory Warning l Network Memory Critical l Network Intf Error Warning l Network Intf Error Critical l Network Intf Util Warning l Network Intf Util Critical Performance (Dynamic threshold based on baselines) l Sudden Increase In System CPU Usage l Sudden Increase in System Memory Usage l Sudden Increase in Network Interface Traffic l Sudden Increase in Network Interface Errors Change l Startup Config Change Reports Availability l Availability: Router/Switch Ping Monitor Statistics Performance l Performance: Top Routers Ranked By CPU Utilization l Performance: Top Routers By Memory Utilization l Performance: Top Router Network Intf By Util, Error, Discards l Top Routers/Switches by Business Hours Network Ping Uptime Pct (Achieved Network Ping SLA) l Top Routers/Switches by Business Hours System Uptime Pct (Achieved System SLA) l Top Routers/Switches by Network Ping Uptime Pct (Achieved Network Ping SLA) l Top Routers/Switches by System Uptime Pct (Achieved System SLA) l Top Router Interfaces by Days-since-last-use Change l Change: Router Config Changes Detected Via Login FortiSIEM 6.1.1 External Systems Configuration Guide 541 Fortinet Technologies Inc. Routers and Switches Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Dell NSeries See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 542 Fortinet Technologies Inc. Routers and Switches Dell PowerConnect Switch and Router l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c) Telnet/SSH Information Discovered Host name, Serial number, Software version, Hardware model, Network interfaces, Hardware Components Running and Startup configurations Metrics collected Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), CPU utilization, Hardware Status Startup Configuration Change, Difference between Running and Startup configurations Used for Availability and Performance Monitoring Change monitoring Event Types There are no event types defined specifically for this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Telnet/SSH FortiSIEM uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH. These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device. To FortiSIEM 6.1.1 External Systems Configuration Guide 543 Fortinet Technologies Inc. Routers and Switches initiate discovery and monitoring of your device over this protocol. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. l show startup-config l show running-config l show version l show ip route l enable l terminal pager 0 Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Dell PowerConnect See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 544 Fortinet Technologies Inc. Routers and Switches Foundry Networks IronWare Router and Switch l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c) Telnet/SSH Information Discovered Host name, Ironware version, Hardware model, Network interfaces, Running and startup configuration Metrics collected Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Startup configuration change, delta between running and startup configuration SNMP (V1, V2c) Syslog Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association Device type System logs and traffic logs matching acl statements Used for Availability and Performance Monitoring Performance Monitoring, Security and Compliance Topology and end-host location Availability, Security and Compliance Event Types In ADMIN > Device Support > Event, search for "foundry_ironware" in the Description column to see the event types associated with this device. Rules There are no predefined rules for this device. FortiSIEM 6.1.1 External Systems Configuration Guide 545 Fortinet Technologies Inc. Routers and Switches Reports There are no predefined reports for this device. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Foundry Ironware See Access Credentials See Access Credentials See Password Configuration Configuration SNMP 1. Log in to the device manager for your switch or router with administrative privileges. 2. Enter configuration mode. 3. Run these commands to set the community string and enable the SNMP service. snmp-server community <community> RO snmp-server enable vlan <vlan id> 4. Exit config mode. 5. Save the configuration. Telnet/SSH FortiSIEM uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH. Syslog 1. Log in to the device manager for your switch or router with administrative privileges. 2. Enter configuration mode. 3. Run this command to set your FortiSIEM virtual appliance as the recipient of syslog from your router or switch. logging host <FortiSIEM Ip> 4. Exit config mode. 5. Save the configuration. FortiSIEM 6.1.1 External Systems Configuration Guide 546 Fortinet Technologies Inc. Routers and Switches Sample Parsed PowerConnect Syslog Message <14>SJ-Dev-A-Fdy-FastIron, running-config was changed from console <14>SJ-Dev-A11-Fdy-FastIron, startup-config was changed from telnet client 192.168.20.18 <14>SJ-Dev-A-Fdy-FastIron, phoenix_agent login to USER EXEC mode <14>SJ-Dev-A-Fdy-FastIron, Interface ethernet3, state up <14>SJ-Dev-A-Fdy-FastIron, Interface ethernet 20/3, state up <12>SJ-QA-A-Fdy-BigIron, list 100 permitted udp 173.9.142.98(ntp)(Ethernet 2/1 0004.23ce.ba11) -> 172.16.20.121(ntp), 1 event(s) <14>SJ-Dev-A-Fdy-FastIron, Bridge root changed, vlan 3, new root ID 80000004806137c6, root interface 3 <14>SJ-QA-A-Fdy-BigIron, VLAN 4 Port 2/7 STP State -> DISABLED (PortDown) Jun 4 15:51:18 172.16.20.99 Security: telnet logout by admin from src IP 137.146.28.75, src MAC 000c.dbff.6d00 Jun 4 15:51:12 172.16.20.100 System: Interface ethernet 4/9, state down Jun 4 03:12:53 172.16.20.100 ACL: ACL: List GWI-in permitted tcp 61.158.162.230(6000) (Ethernet 1/4 0023.3368.f500) -> 137.146.0.0(8082), 1 event(s) Jun 4 02:54:31 172.16.20.100 ACL: ACL: List XCORE denied udp 137.146.28.75(55603)(Ethernet 1/1 000c.dbde.6000) -> 137.146.3.35(snmp), 1 event(s) Jun 4 01:49:09 172.16.20.100 STP: VLAN 3104 Port 4/22 STP State -> LEARNING (FwdDlyExpiry) Settings for Access Credentials SNMP Access Credentials for All Devices Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> FortiSIEM 6.1.1 External Systems Configuration Guide 547 Fortinet Technologies Inc. Routers and Switches Telnet Access Credentials for All Devices These are the generic settings for providing Telnet access to your device from FortiSIEM. Setting Name Device Type Access Protocol Port User Name Password Value Telnet-generic generic Telnet 23 A user who has permission to access the device over Telnet The password associated with the user SSH Access Credentials for All Devices These are the generic settings for providing SSH access to your device from FortiSIEM. Setting Name Device Type Access Protocol Port User Name Password Value ssh-generic Generic SSH 22 A user who has access credentials for your device over SSH The password for the user FortiSIEM 6.1.1 External Systems Configuration Guide 548 Fortinet Technologies Inc. Routers and Switches HP/3Com ComWare Switch l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c) SNMP (V1, V2c, V3) Syslog Information Discovered Metrics collected Host name, software version, Hardware model, Network interfaces, Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware status: Power Supply, Fan, Temperature Hardware status: Temperature Used for Availability and Performance Monitoring Availability System logs Availability, Security and Compliance Event Types In ADMIN > Device Support > Event, search for "compare" in the Device Type column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. FortiSIEM 6.1.1 External Systems Configuration Guide 549 Fortinet Technologies Inc. Routers and Switches Syslog FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. l For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance. l For Port, enter 514. l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example. Example Syslog for ComWare Switch Messages %Apr 2 11:38:11:113 2010 H3C DEVD/3/BOARD REBOOT:Chasis 0 slot 2 need be rebooted automatically! %Sep 22 20:38:32:947 2009 H3C DEVD/4/BRD MISPLUG: The board or subcard in slot 1 is not supported. %Sep 22 20:38:32:947 2009 H3C DEVD/4/BRD MISPLUG: The board type of MR in 1 is different from the Mate MR's, so the MR can't work properly. %Sep 22 20:38:32:947 2009 H3C DEVD/2/BRD TOO HOT:Temperature of the board is too high! %Sep 22 20:38:32:947 2009 H3C DEVD/2/ FAN CHANGE: Chassis 1: Fan communication state changed: Fan 1 changed to fault. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> H3C Comware See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 550 Fortinet Technologies Inc. Routers and Switches HP ProCurve Switch l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c) Telnet/SSH SNMP (V1, V2c) Information Discovered Metrics collected Used for Host name, version, Hardware model, Network interfaces, Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware status: Power Supply, Fan, Temperature Availability and Performance Monitoring Running and startup configuration Startup configuration change, delta between running and startup configuration Performance Monitoring, Security and Compliance Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association Topology and end-host location Event Types In ADMIN > Device Support > Event, search for "procurve" in the Device Type and Description columns to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. FortiSIEM 6.1.1 External Systems Configuration Guide 551 Fortinet Technologies Inc. Routers and Switches Configuration SNMP 1. Go to Configuration > SNMP Community > V1/V2 Community. 2. Enter a Community Name. 3. For MIB-View, select Operator. 4. For Write-Access, leave the selection cleared. 5. Click Add. SSH/Telnet 1. Log into the device manager for your ProCurve switch. 2. Go to Security > Device Passwords. 3. Create a user and password for Read-Write Access. Although FortiSIEM does not modify any configurations for your switch, Read-Write Access is needed to read the device configuration. 4. Go to Security > Authorized Addresses and add the FortiSIEM IP to Telnet/SSH. This is an optional step. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> HP ProCurve See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 552 Fortinet Technologies Inc. Routers and Switches HP Value Series (19xx) and HP 3Com (29xx) Switch l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c) SSH Information Discovered Metrics collected Host name, software version, Hardware model, Network interfaces, Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Configuration Used for Availability and Performance Monitoring Change management Event Types l CPU Monitoring: PH_DEV_MON_SYS_CPU_UTIL l Memory Monitoring: PH_DEV_MON_SYS_MEM_UTIL l Interface Utilization: PH_DEV_MON_NET_INTF_UTIL l Configuration Change: PH_DEV_MON_CHANGE_STARTUP_CONFIG Rules Availability l Network Device Degraded - Lossy Ping Response l Network Device Down - no ping response l Network Device Interface Flapping l Critical Network Device Interface Staying Down l Non-critical Network Device Interface Staying Down Performance (Fixed threshold) l Network CPU Warning l Network CPU Critical l Network Memory Warning l Network Memory Critical l Network Intf Error Warning FortiSIEM 6.1.1 External Systems Configuration Guide 553 Fortinet Technologies Inc. Routers and Switches l Network Intf Error Critical l Network Intf Util Warning l Network Intf Util Critical Performance (Dynamic threshold based on baselines) l Sudden Increase In System CPU Usage l Sudden Increase in System Memory Usage l Sudden Increase in Network Interface Traffic l Sudden Increase in Network Interface Errors Change l Startup Config Change Reports Availability l Availability: Router/Switch Ping Monitor Statistics Performance l Performance: Top Routers Ranked By CPU Utilization l Performance: Top Routers By Memory Utilization l Performance: Top Router Network Intf By Util, Error, Discards l Top Routers/Switches by Business Hours Network Ping Uptime Pct (Achieved Network Ping SLA) l Top Routers/Switches by Business Hours System Uptime Pct (Achieved System SLA) l Top Routers/Switches by Network Ping Uptime Pct (Achieved Network Ping SLA) l Top Routers/Switches by System Uptime Pct (Achieved System SLA) l Top Router Interfaces by Days-since-last-use Change l Change: Router Config Changes Detected Via Login Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. FortiSIEM 6.1.1 External Systems Configuration Guide 554 Fortinet Technologies Inc. Routers and Switches Setting Name Device Type Access Protocol Port Password config Value <set name> HP VSeries See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 555 Fortinet Technologies Inc. Routers and Switches Hirschmann SCADA Firewalls and Switches l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration l Sample Events What is Discovered and Monitored Protocol SNMP Information Discovered Host Name Metrics/LOG collected SNMP Uptime, CPU, Memory, Interface utilization, hardware Status, OSPF metrics Used for Performance Monitoring Event Types The following event types are used for performance monitoring: l PH_DEV_MON_SYS_UPTIME - Uptime monitoring l PH_DEV_MON_SYS_CPU_UTIL CPU utilization l PH_DEV_MON_SYS_MEM_UTIL Memory utilization l PH_DEV_MON_NET_INTF_UTIL Interface utilization l PH_DEV_MON_HW_STATUS Hardware status Rules All performance monitoring rules apply. Reports All performance monitoring reports apply Configuration Configure Hirschmann Firewalls and Switches for SNMP V1/V2c/V3 discovery and performance monitoring. Define the basic SNMP credentials on FortiSIEM and discover these devices. See SNMP Access Credentials. Sample Events The events are standard for all devices. FortiSIEM 6.1.1 External Systems Configuration Guide 556 Fortinet Technologies Inc. Routers and Switches Juniper Networks JunOS Switch l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c) Telnet/SSH SNMP (V1, V2c, V3) Syslog sflow Information Discovered Metrics collected Used for Host name, JunOS version, Hardware model, Network interfaces, Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware status: Power Supply, Fan, Temperature Availability and Performance Monitoring Running and startup configuration Startup configuration change, delta between running and startup configuration Performance Monitoring, Security and Compliance Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association Topology and end-host location System logs and traffic logs matching acl statements Availability, Security and Compliance Traffic flow Availability, Security and Compliance Event Types In ADMIN > Device Support > Event, search for "junos" in the Device Type column to see the event types associated with this device. FortiSIEM 6.1.1 External Systems Configuration Guide 557 Fortinet Technologies Inc. Routers and Switches Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration SNMP 1. Log in to the device manager for your JunOS switch with administrator privileges. 2. Go to Configure > Services > SNMP. 3. Under Communities, click Add. 4. Enter a Community Name. 5. Set Authorization to read-only. 6. Click OK. Syslog 1. Log in to the device manager for your JunOS switch with administrator privileges. 2. Go to Dashboard > CLI Tools > CLI Editor. Edit the syslog section to send syslog to FortiSIEM. 3. JunOS Syslog Configuration system { .... syslog { user * { any emergency; } host <FortiSIEM Ip> { any any; explicit-priority; } file messages { any notice; authorization info; } file interactive-commands { interactive-commands any; } time-format year millisecond; } .... FortiSIEM 6.1.1 External Systems Configuration Guide 558 Fortinet Technologies Inc. Routers and Switches } 4. Click Commit. Sample JunOS Syslog Messages 190>May 11 13:54:10 20.20.20.20 mgd[5518]: UI_LOGIN_EVENT: User 'phoenix_agent' login, class 'j-super-user' [5518], ssh-connection '192.168.28.21 39109 172.16.5.64 22', client-mode 'cli' <38>Nov 18 17:50:46 login: %AUTH-6-LOGIN_INFORMATION: User phoenix_agent logged in from host 192.168.20.116 on device ttyp0 sFlow Routing the sFlow Datagram in EX Series Switches According to Juniper documentation, the sFlow datagram cannot be routed over the management Ethernet interface (me0) or virtual management interface (vme0) i n an EX Series switch implementation. It can only be exported over the network Gigabit Ethernet or 10-Gigabit Ethernet ports using valid route information in the routing table. 1. Log in to the device manager for your JunOS switch with administrator privileges. 2. Go to Configure > CLI Tools > Point and Click CLI. 3. Expand Protocols and select slow. 4. Next to Collector, click Add new entry. 5. Enter the IP address for your FortiSIEM virtual appliance. 6. For UDP Port, enter 6343. 7. Click Commit. 8. Next to Interfaces, click Add new entry. 9. Enter the Interface Name for all interfaces that will send traffic over sFlow. 10. Click Commit. 11. To disable the management port, go to Configure > Management Access, and remove the address of the management port. You can also disconnect the cable. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Juniper JunOS See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 559 Fortinet Technologies Inc. Routers and Switches MikroTik Router l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c) Information Discovered Host name, software version, Hardware model, Network interfaces Metrics collected Used for Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Availability and Performance Monitoring Event Types There are no event types defined specifically for this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Value <set name> FortiSIEM 6.1.1 External Systems Configuration Guide 560 Fortinet Technologies Inc. Routers and Switches Setting Device Type Access Protocol Port Password config Value MikroTik RouterOS See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 561 Fortinet Technologies Inc. Routers and Switches Nortel ERS and Passport Switch l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (V1, V2c) SNMP (V1, V2c) SNMP (V1, V2c, V3) Information Discovered Metrics collected Used for Host name, software version, Hardware model, Network interfaces, Uptime, CPU and Memory utilization, Network Interface Availability and metrics (utilization, bytes sent and received, packets sent Performance and received, errors, discards and queue lengths) Monitoring Hardware status: Temperature Layer 2 port mapping: associating switch ports to directly connected host IP/MAC addresses Identity and location table; Topology Event Types There are no event types defined specifically for this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. FortiSIEM 6.1.1 External Systems Configuration Guide 562 Fortinet Technologies Inc. Routers and Switches Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Nortel ERS / Nortel Passport See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 563 Fortinet Technologies Inc. Security Gateways FortiSIEM supports these security gateways for discovery and monitoring. l Barracuda Networks Spam Firewall l Blue Coat Web Proxy l Cisco IronPort Mail Gateway l Cisco IronPort Web Gateway l Fortinet FortiMail l Fortinet FortiWeb l Imperva Securesphere DB Monitoring Gateway l Imperva Securesphere DB Security Gateway l McAfee Vormetric Data Security Manager l McAfee Web Gateway l Microsoft ISA Server l Squid Web Proxy l SSH Comm Security CryptoAuditor l Websense Web Filter FortiSIEM 6.1.1 External Systems Configuration Guide 564 Fortinet Technologies Inc. Barracuda Networks Spam Firewall l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP Syslog Information discovered Host name, Interfaces, Serial number Metrics collected CPU utilization, Memory utilization, Interface Utilization Various syslog - scenarios include - mail scanned and allowed/denied/quarantined etc; mail sent and reject/delivered/defer/expired; mail received and allow/abort/block/quarantined etc. Used for Performance Monitoring Security Monitoring and compliance Event Types In ADMIN > Device Support > Event, search for "barracuda" in the Device Type column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide FortiSIEM 6.1.1 External Systems Configuration Guide 565 Fortinet Technologies Inc. Security Gateways Syslog FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. l For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance. l For Port, enter 514. l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example. Sample Parsed Barracuda Spam Firewall Syslog Message <23>inbound/pass1[923]: 127.0.0.1 1300386119-473aa6a90001-sB89EM 0 0 RECV - 1 4D760309475 250 2.6.0 <E6BB7C56C6761D42AEAFBF7FC6E17E920156A38D@USNSSEXC174.us.kworld.kpmg.com> Queued mail for delivery <23>scan[9390]: mail.netcontentinc.net[207.65.119.227] 1300386126-4739a8be0001-R6OEVB 1300386126 1300386128 SCAN - release@calcium.netcontentinc.net kmcgilvrey@qinprop.com - 7 61 - SZ:34602 SUBJ:How FMLA Leave, ADA and Workers' Compensation Work Together April 28, 2011 Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Barracuda Spam Firewall See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 566 Fortinet Technologies Inc. Security Gateways Blue Coat Web Proxy l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP SNMP Information discovered Host name, Interfaces, Serial number SFTP Syslog Metrics collected Used for CPU utilization, Memory utilization Performance Monitoring Proxy performance: Proxy cache object count, Proxy-toserver metrics: HTTP errors, HTTP requests, HTTP traffic (KBps); Server-to-proxy metrics: HTTP traffic (KBps), Clientto-proxy metrics: HTTP requests, HTTP Cache hit, HTTP errors, HTTP traffic (KBps); Proxy-to-client metrics: HTTP traffic (KBytes) Performance Monitoring Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration Security Monitoring and compliance Admin authentication success and failure Security Monitoring and compliance Event Types In ADMIN > Device Support > Event, search for "blue coat" in the Device Type and Description column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. FortiSIEM 6.1.1 External Systems Configuration Guide 567 Fortinet Technologies Inc. Security Gateways Configuration SNMP The following procedures enable FortiSIEM to discover Bluecoat web proxy. 1. Log in to your Blue Coat management console. 2. Go to Maintenance > SNMP. 3. Under SNMP General, select Enable SNMP. 4. Under Community Strings, click Change Read Community, and then enter a community string that FortiSIEM can use to access your device. 5. Click OK. Syslog Syslog is used by Blue Coat to send audit logs to FortiSIEM. 1. Log in to your Blue Coat management console. 2. Go to Maintenance > Event Logging. 3. Under Level, select Severe Errors, Configuration Events, Policy Messages, and Informational. 4. Under Syslog, enter the IP address of your FortiSIEM virtual appliance for Loghost. 5. Select Enable syslog. 6. Click Apply. Sample Parsed Blue Coat Audit Syslog <2> Sep 14 19:24:39 ao BluecoatAuthWebLog 0 2010-09-14 14:31:13 36 34.159.60.56 hz13321 - - OBSERVED "Audio/Video Clips" - 200 TCP_NC_MISS POST application/x-fcs http 213.200.94.86 80 /idle/WdPmdz02xSLO2sHS/25136 - - "Shockwave Flash" 34.160.179.201 1087 217 - SFTP SFTP is used to send access logs to FortiSIEM. Access logs includes the traffic that Blue Coat proxies between the client and the server. The access logs are sent via FTP, where Bluecoat is the client and FortiSIEM is the server. You must configure SFTP in FortiSIEM first, and then on your Blue Coat web proxy server. Configure FTP in FortiSIEM 1. Log in to your Supervisor node as root. 2. Change directory to /opt/phoenix/bin. 3. Run the ./phCreateBluecoatDestDir command to create an FTP user account. The files sent from Blue Coat will be temporarily stored in this account. The script will create an user called ftpuser. If the this user already exists, you do not need to create a new one. The script will ask for the IP address of Blue Coat and the password for the user ftpuser, and will then create the directory /opt/phoenix/cache/bluecoat/<Bluecoat IP>. 4. Run vi /etc/passwd to change the home directory for ftpuser to /opt/phoenix/cache/bluecoat. Change only the home directory, do not change any other value. FortiSIEM 6.1.1 External Systems Configuration Guide 568 Fortinet Technologies Inc. Security Gateways Configure an Epilog client in FortiSIEM The Epilog client converts each line of the log files in the /opt/phoenix/cache/bluecoat/<Bluecoat IP> directory in real time into a syslog, and sends it to the FortiSIEM parser for processing. 1. Log in to your Supervisor or the Collector node as root. 2. Update the Epilog configuration in /etc/snare/epilog/epilog.conf as shown in this code block, and then restart the epilog daemon with the /etc/init.d/epilogd restart command. Output network=localhost:514 syslog=2 Input log=BluecoatWebLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_ main.log log=BluecoatImLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_im.log log=BluecoatImLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_ssl.log log=BluecoatP2pLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_ p2p.log Configure FTP in Blue Coat 1. Log in to your Blue Coat management console. 2. Go to Management Console > Configuration > Access Logging > General. 3. Select Enable Access Logging. 4. In the left-hand navigation, select Logs. 5. Under Upload Client, configure these settings. Setting Log Client Type Encryption Certificate Keyring Signing Save the log file as Send partial buffer after Bandwidth Class Value main FTP Client No Encryption No Signing text file 1 seconds <none> 6. Next to Client Type, click Settings. FortiSIEM 6.1.1 External Systems Configuration Guide 569 Fortinet Technologies Inc. Security Gateways 7. Configure these settings. Setting Settings for Host Port Path Username Change Primary Password Filename Value Primary FTP Server IP address of your FortiSIEM virtual appliance 514 /<Blue Coat IP Address> ftpuser Use the password you created for ftpuser in FortiSIEM SG_FortiSIEM_bluecoat_main.log 8. Clear the selections Use Secure Connections (SSL) and Use Local Time. 9. Select Use Pasv. 10. Click OK. 11. Follow this same process to configure the settings for im, ssl and p2p. For each of these, you will refer to a different Filename. l For im the file name is SG_FortiSIEM_bluecoat_im.log l For ssl the file name is SG_FortiSIEM_bluecoat_ssl.log l For p2p the file name is SG_FortiSIEM_bluecoat_p2p.log Sample Parsed Blue Coat Access Syslog <2> Jun 25 11:15:33 SJ-QA-W-FDR-Test-01.prospect-hills.net BluecoatWebLog 0 2010-06-25 18:13:34 2021 192.168.22.21 200 TCP_TUNNELED 820 1075 CONNECT tcp accelops.webex.com 443 / - - - NONE 172.16.0.141 - - "WebEx Outlook Integration Http Agent" PROXIED "none" - 25.24.23.22 Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Blue Coat CacheOS See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 570 Fortinet Technologies Inc. Security Gateways Cisco IronPort Mail Gateway l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP Syslog Information discovered Metrics collected Used for Ping Status, SNMP Ping Stat, Uptime, CPU Util, Mem Util, Net Intf Stat, Hardware Status Mail attributes: attributes include MID, ICID, DCID, Sender address, Receiver Address, Mail Subject, Sent Bytes, Attachment, Spam indicator, Virus indicator, Quarantine indicator, SMTP delivery failures and failure codes, mail action - pass, block, clean. Security Monitoring and compliance Event Types In ADMIN > Device Support > Event, search for "ironport-mail" in the Display Name column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports In RESOURCE > Reports, search for "ironport mail" in the Name and Description columns to see the reports for this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Syslog 1. Log in to your Ironport Mail Gateway device manager with administrator privileges. 2. Edit the Log Subscription settings. FortiSIEM 6.1.1 External Systems Configuration Guide 571 Fortinet Technologies Inc. Security Gateways 3. For Log Name, enter IronPort-Mail. This identifies the log to FortiSIEM as originating from an Ironport mail gateway device. 4. For Retrieval Method, select Syslog Push. 5. For Hostname, enter the IP address of your FortiSIEM virtual appliance. 6. For Protocol, select UDP. Sample Parsed Ironport Mail Gateway Syslog Tue Sep 24 11:39:49 2012 IronPort-Mail: Info: MID 200257071 ready 24663 bytes from <someone@foo.com>Sep 24 11:39:49 18.0.19.8 IronPort-Mail: Info: MID 1347076 ICID 346818 From: <john.doe@abc.com>Tue Sep 24 11:39:49 2012 IronPort-Mail: Info: Message aborted MID 200257071 Dropped by antivirus Tue Sep 24 11:39:49 2012 IronPort-Mail: Info: Delayed: DCID 5 MID 200257071 to RID 0 - 4.1.0 - Unknown address error ('466', ['Mailbox temporarily full.'])[] Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Cisco IronPort AsyncOS Mail See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 572 Fortinet Technologies Inc. Security Gateways Cisco IronPort Web Gateway l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Syslog Information discovered Metrics collected Squid style web logs: attributes include Source IP Address, Destination Host name, Sent Bytes, Received Bytes, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, URL, HTTP Content type, Web Category, HTTP Proxy Action Used for Security Monitoring and compliance Event Types In ADMIN > Device Support > Event, search for "ironport-web" in the Display Name column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration Syslog 1. Log in to your Ironport gateway device manager with administrator privileges. 2. Edit the settings for Log Subscription. Setting Log Type Log Name Value Access Logs IronPort-Web This identifies the log to FortiSIEM as originating from an IronPort web gateway FortiSIEM 6.1.1 External Systems Configuration Guide 573 Fortinet Technologies Inc. Security Gateways Setting Log Style Custom Fields Enable Log Compression Retrieval Method Hostname Protocol Value device Squid %L %B %u Clear the selection Syslog Push The IP address of your FortiSIEM virtual appliance UDP Sample Parsed Ironport Web Gateway Syslog <134>Oct 09 09:19:25 IronPort-Web: Info: 1349795965.314 92 10.163.154.153 TCP_CLIENT_ REFRESH_MISS/200 70798 GET http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Kaspersky/Package/1210090007/ba ses/base1b1d.kdc.cab - DIRECT/forefrontdl.microsoft.com application/octet-stream ALLOW_ CUSTOMCAT_11-UnAuthenticated_Applications-APU_No_Auth-NONE-NONE-NONE-DefaultGroup <J_ Doe,6.9,-,""-"",-,-,-,-,""-"",-,-,-,""-"",-,-,""-"",""-"",-,-,IW_swup,-,""-"","""",""Unknown"",""Unknown"",""-"",""-"",6156.35,0,-,""-"",""-""> - ""09/Oct/2012:09:19:25 0600"" 71052 ""V3S;{6ADC64A3-11F9-4B04-8257-BEB541BE2975};"" Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Cisco IronPort AsyncOS Web See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 574 Fortinet Technologies Inc. Security Gateways Fortinet FortiMail l What is Discovered and Monitored l Configuration l Rules l Reports l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected Used For System events (e.g. configuration changes), System up/down/restart events, Performance issues, Admin logon events, malware attachments Security Monitoring and compliance Event Types In ADMIN > Device Support > Event, search for "fortimail" to see the event types associated with this device. Rules In RESOURCE > Rules, search for "fortimail" to see the rules associated with this device. For generic availability rules, see RESOURCE > Rules > Availability > Network. For generic performance rules, see RESOURCE > Rules > Performance > Network. Reports In RESOURCE > Reports, search for "fortimail" to see the reports associated with this device. Configuration Syslog Configure FortiMail appliance to send logs to FortiSIEM. Make sure the format matches. In the FortiMail GUI go to Log & Report > Log Setings > Remote (tab) > New. Suggested Logging configuration: FortiSIEM 6.1.1 External Systems Configuration Guide 575 Fortinet Technologies Inc. Security Gateways Name Name Server name/IP Server port Mode Level Facility CSV format Matched session only Description Define a name for the configuration. Enter the resolvable DNS name or IP of the FortiSIEM appliance where logs will be sent. 514 UDP Information kern leave disabled leave disabled FortiSIEM 6.1.1 External Systems Configuration Guide 576 Fortinet Technologies Inc. Security Gateways Sample Parsed FortiMail Syslog: date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=event subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success reason=none msg="User admin login successfully from GUI(172.20.120.26)" date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0200001075 type=statistics pri=information session_id="q6GJMuPu003642-q6GJMuPv003642" client_name="[172.20.140.94]" dst_ip="172.20.140.92" endpoint="" from="user@external.lab" to="user5@external.lab" subject=""mailer="mta" resolved="OK" direction="in" virus="" disposition="Reject" classifier="Recipient Verification" message_length="188" Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Fortinet FortiMail See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 577 Fortinet Technologies Inc. Security Gateways Fortinet FortiWeb l What is Discovered and Monitored l Configuration l Rules l Reports l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP Syslog Information Discovered Metrics Collected Host Name, Vendor, Model, Version, Hardware Model, hardware CPU, memory, Disk, Interface, Uptime System events (e.g. configuration changes), System up/down/restart events, Performance issues, Admin logon events, Security exploits Used For Performance monitoring Security Monitoring and compliance Supported Syslog format Currently FortiSIEM supports FortiWeb native logging format and not CEF format. Event Types In ADMIN > Device Support > Event, search for "fortiweb" to see the event types associated with this device. Rules In RESOURCE > Rules, search for "fortiweb" to see the rules associated with this device. For generic availability rules, see RESOURCE > Rules > Availability > Network. For generic performance rules, see RESOURCE > Rules > Performance > Network. Reports In RESOURCE > Reports, search for "fortiweb" to see the reports associated with this device. FortiSIEM 6.1.1 External Systems Configuration Guide 578 Fortinet Technologies Inc. Security Gateways Configuration Syslog Configure FortiWenb appliance to send logs to FortiSIEM. Make sure the format matches. Sample FortiWeb Syslog: date=2016-02-18 time=10:00:05 log_id=00001002 msg_id=000067508821 device_ id=FV400D3A15000010 vd="root" timezone="(GMT+3:00)Baghdad" type=event subtype="admin" pri=information trigger_policy="" user=admin ui=GUI action=edit status=success msg="User admin changed global from GUI(172.22.6.66) Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Fortinet FortiWeb See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 579 Fortinet Technologies Inc. Security Gateways Imperva Securesphere DB Monitoring Gateway Configuration in FortiSIEM Complete these steps in the FortiSIEM UI: 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box: Setting Value Name <set name> Device Type Imperva Securesphere DB Monitoring Gateway Access Protocol See Access Credentials Port See Access Credentials Password config See Password Configuration User Name A user who has access credentials for the device Password The password for the user Super Password Password for Super 3. In Step 2, Enter IP Range to Credential Associations: a. Select the name of your credential from the Credentials drop-down list. b. Enter a host name, an IP, or an IP range in the IP/Host Name field. c. Click Save. 4. Click Test to test the connection to Imperva Securesphere DB Monitoring Gateway. 5. To see the jobs associated with Imperva, select ADMIN > Pull Events. 6. To see the received events select ANALYTICS, then enter Imperva in the search box. FortiSIEM 6.1.1 External Systems Configuration Guide 580 Fortinet Technologies Inc. Security Gateways Imperva Securesphere DB Security Gateway What is Discovered and Monitored The ImpervaParser parser collects syslog log events in CEF format. Configuration Setup in FortiSIEM Complete these steps in the FortiSIEM UI: 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box: Setting Value Name <set name> Device Type Imperva Securesphere DB Security Gateway Access Protocol See Access Credentials Port See Access Credentials Password config See Password Configuration User Name A user who has access credentials for the device Password The password for the user Super Password Password for Super 3. In Step 2, Enter IP Range to Credential Associations: a. Select the name of your credential from the Credentials drop-down list. b. Enter a host name, an IP, or an IP range in the IP/Host Name field. c. Click Save. 4. Click Test to test the connection to Imperva Securesphere DB Security Gateway. 5. To see the jobs associated with Imperva, select ADMIN > Pull Events. 6. To see the received events select ANALYTICS, then enter Imperva in the search box. FortiSIEM 6.1.1 External Systems Configuration Guide 581 Fortinet Technologies Inc. Security Gateways Sample Events <14>CEF:0|Imperva Inc.|SecureSphere|11.5.0.20_0|Audit|Audit|Informative|dst=10.2.6.194 dpt=3306 duser=wf_settlement src=10.2.6.48 spt=59876 proto=TCP rt=11 April 2016 14:07:09 cat=Audit Default Rule - All cs2Label=ServerGroup cs3=ProcessMakerDBFX cs3Label=ServiceName cs4=Default MySql Application cs4Label=ApplicationName cs5=642697783064 cs5Label=EventId cs6=Query cs6Label=EventType cs7=Default MySql group cs7Label=UserGroup cs8=True cs8Label=UserAuthenticated cs9= cs9Label=ApplicationUser cs10= cs10Label=SourceApplication cs11= cs11Label=OSUser cs12= cs12Label=HostName cs13=wf_settlement cs13Label=Database cs14= cs14Label=Schema cs15=SELECT COUNT(APP_CACHE_VIEW.APP_UID) FROM APP_CACHE_VIEW LEFT JOIN USERS CU ON (APP_CACHE_VIEW.USR_UID=CU.USR_UID) LEFT JOIN USERS PU ON (APP_CACHE_ VIEW.PREVIOUS_USR_UID=PU.USR_UID) LEFT JOIN APP_CACHE_VIEW APPCVCR ON (APP_CACHE_VIEW.APP_ UID=APPCVCR.APP_UID AND APPCVCR.DEL_LAST_INDEX=1) LEFT JOIN USERS USRCR ON (APPCVCR.USR_ UID=USRCR.USR_UID) WHERE APP_CACHE_VIEW.APP_STATUS='TO_DO' AND APP_CACHE_VIEW.USR_ UID='2800810224bbdfe1cc8bb02024369548' AND APP_CACHE_VIEW.DEL_FINISH_DATE IS NULL AND APP_ CACHE_VIEW.APP_THREAD_STATUS='OPEN' AND APP_CACHE_VIEW.DEL_THREAD_STATUS='OPEN' cs15Label=RawQuery cs16=select count(app_cache_view.app_uid) from app_cache_view left join users cu on (app_cache_view.usr_uid=cu.usr_uid) left join users pu on (app_cache_ view.previous_usr_uid=pu.usr_uid) left join app_cache_view appcvcr on (app_cache_view.app_ uid=appcvcr.app_uid and appcvcr.del_last_index=?) left join users usrcr on (appcvcr.usr_ uid=usrcr.usr_uid) where app_cache_view.app_status=? and app_cache_view.usr_uid=? and app_ cache_view.del_finish_date is ? and app_cache_view.app_thread_status=? and app_cache_ view.del_thread_status=? cs16Label=ParsedQuery cs17= cs17Label=BindVariables cs18= cs18Label=SQLError cs19=1 cs19Label=ResponseSize cs20=0 cs20Label=ResponseTime cs21=0 cs21Label=AffectedRows FortiSIEM 6.1.1 External Systems Configuration Guide 582 Fortinet Technologies Inc. Security Gateways McAfee Vormetric Data Security Manager l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration What is Discovered and Monitored Protocol Syslog (CEF format) Information Discovered Data Collected 1 event type Used for Security and Compliance Event Types In RESOURCE > Event Types, Search for "Vormetric-". Sample Event Type: <14> 2013-06-29T18:44:42.420Z 10.10.10.1 CEF:0|Vormetric, Inc.|dsm|5.2.0.1|DAO0048I|update host|3|cs4Label=logger cs4=DAO spid=4322 rt=1388986263954 dvchost=example.com suser=USER_1 shost=test_cpu Rules There are no specific rules but generic rules for Security Manager and Generic Servers apply. Reports There are no specific reports but generic rules for Security Manager and Generic Servers apply. Configuration Configure Vormetric Data Security Manager to send syslog in CEF format on port 514 to FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 583 Fortinet Technologies Inc. Security Gateways McAfee Web Gateway l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Syslog Information discovered Metrics collected Parsed event attributes: include Source IP, Destination URL, HTTP Method, HTTP User agent, HTTP Status Code, HTTP Content Type, Blocked Reason, Risk Used for Security Monitoring and compliance Event Types In ADMIN > Device Support > Event, search for "mcafee_web" in the Device Type column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration Syslog FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. l For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance. l For Port, enter 514. l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example. Sample Parsed McAffee Web Gateway Syslog Message [21/Feb/2012:11:44:19 -0500] """""""""""" ""10.200.11.170 200 """"GET http://abc.com/ HTTP/1.1"""" """"General News"""" """"Minimal Risk"""" """"text/html"""" 101527 """""""" FortiSIEM 6.1.1 External Systems Configuration Guide 584 Fortinet Technologies Inc. Security Gateways """""""" """"0""""""[30/May/2012:10:39:44 -0400] "" 10.19.2.63 200 "GEThttp://abc.com/html.ng/site=cnn&cnn_pagetype=main&cnn_position=126x31_spon2&cnn_ rollup=homepage&page.allowcompete=no¶ms.styles=fs&Params.User.UserID=4fc6251c068c9f0aa51 475025d0040b8&transactionID=7179860628805012&tile=4893878838331&domId=135492 HTTP/1.1" "Web Ads, Forum/Bulletin Boards" "MinimalRisk" "text/html" 1 "" "" "0" Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> McAfee WebGateway See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 585 Fortinet Technologies Inc. Security Gateways Microsoft ISA Server l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP WMI Syslog(via SNARE) Information discovered Application type Application type, service mappings Application type Metrics collected Used for Process level metrics: CPU utilization, memory utilization Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O Performance Monitoring Performance Monitoring W3C proxy logs: attributes include Service Instance, Source IP, User, Destination IP, Destination Port, Service Instance, Sent Bytes, Received Bytes, Connection Duration, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, URL, Source interface, Destination interface, Proxy action Security Monitoring and compliance Event Types In ADMIN > Device Support > Event, search for "isa server" in the Device Type andDescription column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration SNMP Enabling SNMP on Windows Server 2003 SNMP is typically enabled by default on Windows Server 2003, but you must still add FortiSIEM to the hosts that are authorized to accept SNMP packets. First you must make sure that the SNMP Management tool has been enabled for FortiSIEM 6.1.1 External Systems Configuration Guide 586 Fortinet Technologies Inc. Security Gateways your device. 1. In the Start menu, go to Administrative Tools > Services. 2. Go to Control Panel > Add or Remove Programs. 3. Click Add/Remove Windows Components. 4. Select Management and Monitoring Tools and click Details. Make sure that Simple Network Management Tool is selected. If it isn't selected, select it, and then click Next to install. 5. Go to Start > Administrative Tools > Services. 6. Select and open SNMP Service. 7. Click the Security tab. 8. Select Send authentication trap. 9. Under Accepted communities, make sure there is an entry for public that is set to read-only. 10. Select Accept SNMP packets from these hosts. 11. Click Add. 12. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP. 13. Click Add. 14. Click Apply. 15. Under SNMP Service, click Restart service. Enabling SNMP on Windows 7 or Windows Server 2008 R2 SNMP is typically enabled by default on Windows Server 2008, but you must still add FortiSIEM to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server. 1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator. 2. In the Start menu, select Control Panel. 3. Under Programs, click Turn Windows features on/off. 4. Under Features, see if SNMP Services is installed. If not, click Add Feature, then select SMNP Service and click Next to install the service. 5. In the Server Manager window, go to Services > SNMP Services. 6. Select and open SNMP Service. 7. Click the Security tab. 8. Select Send authentication trap. 9. Under Accepted communities, make sure there is an entry for public that is set to read-only. 10. Select Accept SNMP packets from these hosts. 11. Click Add. 12. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP. 13. Click Add. 14. Click Apply. 15. Under SNMP Service, click Restart service. WMI Configuring WMI on your device so FortiSIEM can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this: FortiSIEM 6.1.1 External Systems Configuration Guide 587 Fortinet Technologies Inc. Security Gateways l Creating a Generic User Who Does Not Belong to the Local Administrator Group l Creating a User Who Belongs to the Domain Administrator Group Creating a Generic User Who Does Not Belong to the Local Administrator Group Log in to the machine you want to monitor with an administrator account. Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group 1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups. 2. Right-click Users and select Add User. 3. Create a user. 4. Go to Groups, right-click Distributed COM Users, and then click Add to group. 5. In the Distributed COM Users Properties dialog, click Add. 6. Find the user you created, and then click OK. This is the account you must use to set up the Performance Monitor Users group permissions. 7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog. 8. Repeat steps 4 through 7 for the Performance Monitor Users group. Enable DCOM Permissions for the Monitoring Account 1. Go to Start > Control Panel > Administrative Tools > Component Services. 2. Right-click My Computer, and then Properties. 3. Select the COM Security tab, and then under Access Permissions, click Edit Limits. 4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed. 5. Click OK. 6. Under Access Permissions, click EditDefault. 7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed. 8. Click OK. 9. Under Launch and Activation Permissions, click Edit Limits. 10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. 11. Click OK. 12. Under Launch and Activation Permissions, click Edit Defaults. 13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI. Creating a User Who Belongs to the Domain Administrator Group Log in to the Domain Controller with an administrator account. FortiSIEM 6.1.1 External Systems Configuration Guide 588 Fortinet Technologies Inc. Security Gateways Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group 1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users. 2. Right-click Users and select Add User. 3. Create a user for the @accelops.com domain. For example, YJTEST@accelops.com. 4. Go to Groups, right-click Administrators, and then click Add to Group. 5. In the Domain Admins Properties dialog, select the Members tab, and then click Add. 6. For Enter the object names to select, enter the user you created in step 3. 7. Click OK to close the Domain Admins Properties dialog. 8. Click OK. Enable the Monitoring Account to Access the Monitored Device Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account 1. Go to Start > Control Panel > Administrative Tools > Component Services. 2. Right-click My Computer, and then select Properties. 3. Select the Com Security tab, and then under Access Permissions, click Edit Limits. 4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access. 5. Click OK. 6. In the Com Security tab, under Access Permissions, click Edit Defaults. 7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access. 8. Click OK. 9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits. 10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. 11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults. 12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. Enable Account Privileges in WMI The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device. 1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications. 2. Select WMI Control, and then right-click and select Properties. 3. Select the Security tab. 4. Expand the Root directory and select CIMV2. 5. Click Security. 6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable. 7. Click Advanced. FortiSIEM 6.1.1 External Systems Configuration Guide 589 Fortinet Technologies Inc. Security Gateways 8. Select the user you created for the monitoring account, and then click Edit. 9. In the Apply onto menu, select This namespace and subnamespaces. 10. Click OK to close the Permission Entry for CIMV2 dialog. 11. Click OK to close the Advanced Security Settings for CIMV2 dialog. 12. In the left-hand navigation, under Services and Applications, select Services. 13. Select Windows Management Instrumentation, and then click Restart. Allow WMI to Connect Through the Windows Firewall (Windows 2003) 1. In the Start menu, select Run. 2. Run gpedit.msc. 3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall. 4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not. 5. Select Windows Firewall: Allow remote administration exception. 6. Run cmd.exe and enter these commands: netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135"netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP 7. Restart the server. Allow WMI through Windows Firewall (Windows Server 2008, 2012) 1. Go to Control Panel > Windows Firewall. 2. In the left-hand navigation, click Allow a program or feature through Windows Firewall. 3. Select Windows Management Instrumentation, and the click OK. You can configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Syslog Use the Windows Agent Installation Guide to configure sending syslog from your device to FortiSIEM. Sample Microsoft ISA Server Syslog <13>Mar 6 20:56:03 ISA.test.local ISAWebLog 0 192.168.69.9 anonymous Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 Y 2011-03-05 21:33:55 w3proxy ISA - 212.58.246.82 212.58.246.82 80 156 636 634 http TCP GET http://212.58.246.82/rss/newsonline_uk_ edition/front_page/rss.xml text/html; charset=iso-8859-1 Inet 301 0x41200100 Local Machine Req ID: 07c10445; Compression: client=No, server=No, compress rate=0% decompress rate=0% Local Host External 0x400 Allowed 2011-03-05 21:33:55 - FortiSIEM 6.1.1 External Systems Configuration Guide 590 Fortinet Technologies Inc. Security Gateways Settings for Access Credentials SNMP Access Credentials for All Devices Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> FortiSIEM 6.1.1 External Systems Configuration Guide 591 Fortinet Technologies Inc. Security Gateways Squid Web Proxy l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol SNMP Syslog Information discovered Host name, Interfaces, Serial number Metrics collected CPU utilization, Memory utilization Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration Used for Performance Monitoring Security Monitoring and compliance Event Types In ADMIN > Device Support > Event, search for "squid" in the Description and Device Type columns to see the event types associated with this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Syslog 1. Add the following line to the logformat section in /etc/squid/squid.conf based of your version of Squid. For Squid versions earlier than 4.1.1: logformat PHCombined %>a %>p %<A %la %lp %tr %ul %ui %un %us %ue [%tl] %rm "%ru" HTTP/%rv %Hs %<st %>st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh For Squid version 4.1.1 and later: logformat PHCombined %>a %>p %<A %la %lp %tr %ul %ui %un [%tl] %rm "%ru" HTTP/%rv %Hs %<st %>st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh FortiSIEM 6.1.1 External Systems Configuration Guide 592 Fortinet Technologies Inc. Security Gateways 2. Add the following line to the access_log section in /etc/squid/squid.conf. access_log syslog:LOG_LOCAL4 PHCombined 3. Restart Squid. Configure syslogd (or rsyslogd) to Forward the Logs to FortiSIEM 1. Modify /etc/syslog.conf (/etc/rsyslog.conf if running rsyslog) . Local4.* @<FortiSIEMIp> 2. Restart syslogd (or rsyslogd). Sample Parsed Squid Syslog Messages Squid on Linux with syslog locally to forward to FortiSIEM <166>squid[28988]: 192.168.25.15 51734 65.54.87.157 172.16.10.40 3128 5989 - - - - [22/Apr/2011:17:17:46 -0700] GET "http://col.stj.s-msn.com/br/sc/js/jquery/jquery1.4.2.min.js" HTTP/1.1 200 26141 407 "http://www.msn.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16" TCP_MISS:DIRECT Squid on Linux with syslog-ng locally to forward to FortiSIEM <166>Oct 20 09:21:54 QA-V-CentOS-Syslog-ng squid[7082]: 192.168.20.42 1107 74.125.19.100 172.16.10.34 3128 291 - - - - - [20/Oct/2009:09:21:54 -0700] GET "http://clients1.google.com/generate_204" HTTP/1.1 204 387 603 "http://www.google.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT Squid on Linux with syslog locally and forward to syslog-ng remotely to forward to FortiSIEM <166>Oct 20 10:21:42 172.16.10.40 squid[26033]: 192.168.20.42 1121 66.235.132.121 172.16.10.40 3128 117 - - - - - [20/Oct/2009:12:05:49 \-0700|] GET "http://metrics.sun.com/b/ss/sunglobal,suncom,sunstruppdev/1/H.14/s21779365053734?" HTTP/1.1 200 746 1177 "http://www.sun.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT Squid on Linux with syslog-ng locally and forward to syslog-ng remotely to forward to FortiSIEM <166>Oct 20 12:44:12 172.16.10.40 squid[26033]: 192.168.20.42 1125 64.213.38.80 172.16.10.40 3128 117 - - - - - [20/Oct/2009:12:44:12 -0700] GET "http://www-cdn.sun.com/images/hp5/hp5b_ enterprise_10-19-09.jpg" HTTP/1.1 200 12271 520 "http://www.sun.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT FortiSIEM 6.1.1 External Systems Configuration Guide 593 Fortinet Technologies Inc. Security Gateways Squid on Solaris with syslog locally to forward to FortiSIEM <166>May 6 17:55:48 squid[1773]: [ID 702911 local4.info] 192.168.20.39 1715 72.14.223.18 172.16.10.6 3128 674 - - - - - [06/May/2008:17:55:48 -0700] GET "http://mail.google.com/mail/?" HTTP/1.1 302 1061 568 "http://www.google.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14" TCP_ MISS:DIRECT Squid on Solaris with syslog locally and forward to syslog-ng remotely to forward to FortiSIEM <166>Oct 20 13:02:19 172.16.10.6 squid[687]: [ID 702911 local4.info] 192.168.20.42 1112 208.92.236.184 172.16.10.6 3128 201 - - - - - [20/Oct/2009:13:02:19 -0700] GET "http://m.webtrends.com/dcs4f6vsz99k7mayiw2jzupyr_1s2e/dcs.gif?" HTTP/1.1 200 685 1604 "http://www.microsoft.com/en/us/default.aspx" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT FortiSIEM 6.1.1 External Systems Configuration Guide 594 Fortinet Technologies Inc. Security Gateways SSH Comm Security CryptoAuditor l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration What is Discovered and Monitored Protocol Syslog (CEF format) Information Discovered - Data Collected 15 event types Used for Security and Compliance Event Types In RESOURCE > Event Types, Search for "CryptoAuditor-". Sample Event Type: <189>Jun 24 15:43:01 auditor ssh-auditor[4067]: CEF:0|SSH|CryptoAuditor|1.6.0|4201|Connection_received|1|rt=Jun 26 2015 07:48:24 SshAuditorSrc=10.1.78.8 spt=34453 SshAuditorDst=10.1.78.8 dpt=10022 SshAuditorSessionId=21 SshAuditorUsername=testuser SshAuditorRemoteusername=testuser SshAuditorProtocolsessionId=C089C55D9ADE0A4F901917D69B46B01223A02B70 SshAuditorVirtualLAN=0 cs1=source connection cs1Label=Text <189>Jun 24 15:43:01 auditor ssh-auditor[4067]: CEF:0|SSH|CryptoAuditor|1.6.0|4201|Connection_received|rt=Jun 26 2015 07:48:24 SshAuditorSrc=10.1.78.8 spt=34453 SshAuditorDst=10.1.78.8 dpt=10022 SshAuditorSessionId=21 SshAuditorUsername=testuser SshAuditorRemoteusername=testuser SshAuditorProtocolsessionId=C089C55D9ADE0A4F901917D69B46B01223A02B70 SshAuditorVirtualLAN=0 cs1=source connection cs1Label=Text Rules There are no specific rules but generic rules for Generic Servers apply. Reports There are no specific reports but generic rules for Generic Servers apply. Configuration Configure SSH Comm Security CryptoAuditor to send syslog on port 514 to FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 595 Fortinet Technologies Inc. Security Gateways Websense Web Filter l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol Syslog Information discovered Metrics collected Used for Parsed event attributes: include Source IP, Destination Name, Destination URL, HTTP Method, HTTP User agent, HTTP Status Code, HTTP Content Type, Blocked Reason, Website category, HTTP Disposition, Sent Bytes, Recv Bytes, Duration, File Type etc Security Monitoring and compliance Event Types In ADMIN > Device Support > Event, search for "web sense_mail" in the Display Name column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration FortiSIEM integrates with Websense Web Filter via syslog sent in the SIEM integration format as described in the Websense SEIM guide. See the instructions on how to install a Websense Multiplexer that integrates with Websense Policy server and creates syslog for consumption by SIEM products such as FortiSIEM. Sample Parsed Websense Web Filter Syslog Message <159>Feb 28 14:25:32 10.203.28.21 vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=153 user=- src_host=10.64.134.74 src_port=62189 dst_host=mail.google.com dst_ip=74.125.224.53 dst_port=443 bytes_out=197 bytes_in=76 http_response=200 http_method=CONNECT http_content_type= - FortiSIEM 6.1.1 External Systems Configuration Guide 596 Fortinet Technologies Inc. Security Gateways http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_enUS;_rv:1.9.2.23)_Gecko/20110920_ Firefox/3.6.23 http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 url=https://mail.google.com Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Log Server IP Pull Interval Port Log Database URL Database URL Category Database Disposition Database User Name Value <set name> Websense Web Security JDBC IP of the log server 5 minutes 1433 wslogdb70_1 wslogdb70 wslogdb70 wslogdb70 Name used to access the database FortiSIEM 6.1.1 External Systems Configuration Guide 597 Fortinet Technologies Inc. Servers FortiSIEM supports these servers for discovery and monitoring. l HP UX Server l IBM AIX Server l IBM OS400 Server l Linux Server l Microsoft Windows Server l QNAP Turbo NAS l Sun Solaris Server FortiSIEM 6.1.1 External Systems Configuration Guide 598 Fortinet Technologies Inc. HP UX Server l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP SSH Syslog Information Discovered Metrics collected Used for Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports) Uptime, CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down Performance Monitoring Hardware (cpu details, memory) Memory paging rate, Disk I/O utilization Performance Monitoring Vendor, Model General logs including Authentication Success/Failure, Privileged logons, User/Group Modification Security Monitoring and Compliance Event Types In ADMIN > Device Support > Event, search for "hp_ux" in the Description column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports In RESOURCE > Reports , search for "hp_ux" in the Name column to see the reports associated with this device. FortiSIEM 6.1.1 External Systems Configuration Guide 599 Fortinet Technologies Inc. Servers Configuration SNMP v1 and v2c 1. Make sure that snmp libraries are installed. FortiSIEM has been tested to work with the default HP UX package that comes with snmpd preinstalled. 2. Start snmpd deamon with the default configuration by issuing /etc/init.d/snmpd restart. 3. Make sure that snmpd is running. SSH 1. Make sure that the vmstat and iostat commands are available. If not, install these libraries. 2. Create a user account that can issue vmstat and iostat commands. FortiSIEM will use that user account to login to the server. Settings for Access Credentials SNMP, Telnet, and SSH Access Credentials for All Devices See Access Credentials. LDAP, LDAPS, LDAP Start TLS / OpenLDAP Access Credentials for All Devices Settings Name Device Type Access Protocol Used For Server Port Base DN Password Config User Name Password Value <set name> HP HPUX LDAP / LDAPS / LDAP Start TLS OpenLDAP 389 for LDAP, LDAP Start TLS; 636 for LDAPS The Distinguished Name (DN) of the starting point for directory server searches See Password Configuration Name of the user able to access this system Password of the user able to access this system LDAP, LDAPS, LDAP Start TLS / Microsoft Active Directory Access Credentials for All Devices FortiSIEM 6.1.1 External Systems Configuration Guide 600 Fortinet Technologies Inc. Servers Settings Name Device Type Access Protocol Used For Server Port Base DN NetBIOS/Domain Password Config User Name Password Value <set name> HP HPUX LDAP / LDAPS / LDAP Start TLS Microsoft Active Directory 389 for LDAP, LDAP Start TLS; 636 for LDAPS The Distinguished Name (DN) of the starting point for directory server searches The domain name or NetBIOS name attribute See Password Configuration Name of the user able to access this system Password of the user able to access this system FortiSIEM 6.1.1 External Systems Configuration Guide 601 Fortinet Technologies Inc. Servers IBM AIX Server l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP SSH Syslog Information Discovered Metrics collected Used for Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports) Uptime, CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down Performance Monitoring Hardware (cpu details, memory) Memory paging rate, Disk I/O utilization Performance Monitoring Vendor, Model General logs including Authentication Success/Failure, Privileged logons, User/Group Modification Security Monitoring and Compliance Event Types In ADMIN > Device Support > Event, search for "ibm_aix" in the Device Type and Description column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. FortiSIEM 6.1.1 External Systems Configuration Guide 602 Fortinet Technologies Inc. Servers Configuration SNMP v1 and v2c 1. Make sure that snmp libraries are installed. Accelops has been tested to work with the default AIX package that comes with snmpd preinstalled. 2. Start snmpd deamon with the default configuration by issuing /etc/init.d/snmpd restart. 3. Make sure that snmpd is running. SSH 1. Make sure that the vmstat and iostat commands are available. If not, install these libraries. 2. Create a user account that can issue vmstat and iostat commands. FortiSIEM will use that user account to log in to the server. Syslog 1. Makes sure that /etc/syslog.conf contains a *.* entry and points to a log file. . @<SENSORIPADDRESS> 2. Refresh syslogd. # refresh -s syslogd Settings for Access Credentials SNMP, Telnet, and SSH Access Credentials for All Devices See Access Credentials. LDAP, LDAPS, LDAP Start TLS / OpenLDAP Access Credentials for All Devices Settings Name Device Type Access Protocol Used For Server Port Base DN Password Config Value <set name> IBM AIX LDAP / LDAPS / LDAP Start TLS OpenLDAP 389 for LDAP, LDAP Start TLS; 636 for LDAPS The Distinguished Name (DN) of the starting point for directory server searches See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 603 Fortinet Technologies Inc. Servers Settings User Name Password Value Name of the user able to access this system Password of the user able to access this system LDAP, LDAPS, LDAP Start TLS / Microsoft Active Directory Access Credentials for All Devices Settings Name Device Type Access Protocol Used For Server Port Base DN NetBIOS/Domain Password Config User Name Password Value <set name> IBM AIX LDAP / LDAPS / LDAP Start TLS Microsoft Active Directory 389 for LDAP, LDAP Start TLS; 636 for LDAPS The Distinguished Name (DN) of the starting point for directory server searches The domain name or NetBIOS name attribute See Password Configuration Name of the user able to access this system Password of the user able to access this system FortiSIEM 6.1.1 External Systems Configuration Guide 604 Fortinet Technologies Inc. Servers IBM OS400 Server l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol Syslog Information Discovered Metrics collected Used for General logs including Authentication Success/Failure, Privileged logons, User/Group Modification Security Monitoring and Compliance Event Types In ADMIN > Device Support > Event, search for "os400" in the Device Type column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration Syslog FortiSIEM parses IBM OS 400 logs received via the PowerTech Agent as described here. The PowerTech agent sends syslog to FortiSIEM. Sample Parsed IBM OS400 Syslog Messages Mar 18 17:49:36 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0603|A File Server transaction was allowed for user BRENDAN.|2| src =10.0.1.60 dst =10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QPWFSERVSO JUSER :BRENDAN JNBR :025355 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL: OB BRENDAN *FILESRV CRTSTRMFIL QPWFSERVSO LNS0811 000112 00023 /home/BRENDAN/subfolder Mar 18 17:48:36 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0604|A File Server transaction was FortiSIEM 6.1.1 External Systems Configuration Guide 605 Fortinet Technologies Inc. Servers allowed for user BRENDAN.|2| src =10.0.1.60 dst =10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QPWFSERVSO JUSER :BRENDAN JNBR :025355 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL: OB BRENDAN *FILESRV DLTSTRMFIL QPWFSERVSO LNS0811 000112 00025 /home/BRENDAN/BoardReport Mar 18 17:53:00 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0703|A System i FTP Client transaction was allowed for user BRENDAN.|3| src =10.0.1.180 dst =10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QTFTP00149 JUSER :BRENDAN JNBR :029256 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL: ST BRENDAN *FTPCLIENT DELETEFILE QTFTP00149 LNS0811 000112 00033 /QSYS.LIB/PAYROLL.LIB/NEVADA.FILE FortiSIEM 6.1.1 External Systems Configuration Guide 606 Fortinet Technologies Inc. Servers Linux Server l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP SSH Syslog Syslog (via FortiSIEM Linux Agent) Information Discovered Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports) OS type, Hardware (cpu details, memory) Vendor, Model Metrics collected Uptime, CPU/Memory/Network Interface/Disk space utilization, Swap space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down Used for Performance Monitoring Memory paging rate, Disk I/O utilization Performance Monitoring General logs including Authentication Success/Failure, Privileged logons, User/Group Modification File or directory change: User, Type of change, directory or file name Security Monitoring and Compliance Security Monitoring and Compliance Event Types In ADMIN > Device Support > Event Types, search for "linux" to see the event types associated with this device. Rules In RESOURCES > Rules, search for "linux" in the main content panel Search... field to see the rules associated with this device. FortiSIEM 6.1.1 External Systems Configuration Guide 607 Fortinet Technologies Inc. Servers Reports In RESOURCES > Reports , search for "linux" in the main content panel Search... field to see the reports associated with this device. Configuration l SNMP v1 and v2c l SNMP v3 l SSH l Syslog Logging l Basic Linux File Monitoring over Syslog SNMP v1 and v2c 1. Make sure that snmp libraries are installed. FortiSIEM has been tested to work with net-snmp libraries. 2. Log in to your server with administrative access. 3. Make these modifications to the /etc/snmp/snmpd.conf file: a. Define the community string for FortiSIEM usage and permit snmp access from FortiSIEM IP. b. Allow FortiSIEM read-only access to the mib-2 tree. c. Allow Accelops read-only access to the enterprise MIB: UCD-SNMP-MIB. d. Open up the entire tree for read-only view. 4. Reduce the logging level to avoid per connection logging which may cause resource issues (see here for more details): a. Edit /etc/sysconfig/snmpd (on RedHat/CentOS) or /etc/defaults/snmpd (on Debian/Ubuntu) b. Look for the line that passes the command line options to snmpd. On RedHat Enterprise 6 this looks like: # snmpd command line options OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid" c. Change the range from 0-6 to 0-5: # snmpd command line options OPTIONS="-LS0-5d -Lf /dev/null -p /var/run/snmpd.pid" 5. Restart the snmpd deamon by issuing /etc/init.d/snmpd restart. 6. Add the snmpd daemon to start from boot by issuing chkconfig snmpd on. 7. Make sure that snmpd is running. FortiSIEM 6.1.1 External Systems Configuration Guide 608 Fortinet Technologies Inc. Servers SNMP v3 FortiSIEM 6.1.1 External Systems Configuration Guide 609 Fortinet Technologies Inc. Servers Configuring rwcommunity/rocommunity or com2sec 1. Log in to your Linux server. 2. Stop SNMP. service snmpd stop 3. Use vi to edit the /etc/snmp/snmpd.conf file. Before you edit this file, make sure you have created a backup, as it is very important to have a valid version of this file so the snap daemon has correct credentials. vi /etc/snmp/snmpd.conf 4. At the end of the file, add this line, substituting your username for snmpv3user and removing the <> tags: rouser <snmpv3user>. 5. Save the file. 6. Use vi to edit the /var/lib/snmp/snmpd.conf file. Before you edit this file, make sure you have created a backup, as it is very important to have a valid version of this file for the SNMP daemon to function correctly. vi /var/lib/snmp/snmpd.conf 7. At the end of the file, add this line, entering the username you entered in step 4, and then passwords for that user for MD5 and DES. If you want to use SHA or AES, then add those credentials as well. createUser <snmpv3user> MD5 <snmpv3md5password> DES <snmpv3despassword> 8. Save the file. 9. Reduce the logging level to avoid per connection logging which may cause resource issues (see here for more details) a. Edit /etc/sysconfig/snmpd (on RedHat/CentOS) or /etc/defaults/snmpd (on Debian/Ubuntu) b. Look for the line that passes the command line options to snmpd. On RedHat Enterprise 6 this looks like: # snmpd command line options OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid" c. Change the range from 0-6 to 0-5: # snmpd command line options OPTIONS="-LS0-5d -Lf /dev/null -p /var/run/snmpd.pid" 10. Restart SNMP. service snmpd start chkconfig auditd on 11. View the contents of the /var/lib/snmp/snmpd.conf file. If this works, restarting snmpd will have no errors, also the entry that you created under /var/lib/snmp/snmpd.conf will be removed: cat /var/lib/snmp/snmpd.conf 12. Run snmpwalk -v 3 -u <snmpv3user> -l authpriv <IP> -a MD5 -A <snmpv3md5password> -x DES -X <snmpv3despassword> You will see your snmpwalk if this works. If there are any errors, see net-snmp for further instructions. FortiSIEM 6.1.1 External Systems Configuration Guide 610 Fortinet Technologies Inc. Servers Configuring net-smnp-devel If you have net-snmp-devel on your Linux server/client, follow these steps to configure SNMP v3. 1. Stop SNMP. service snmpd stop 2. Run net-snmp-config --create-snmpv3-user -ro -A <MD5passwordhere> -X <DESpasswordhere> -x DES -a MD5 <SNMPUSERNAME>. 3. Restart SNMP. service snmpd start 4. Test by following step 10 from above. SSH 1. Make sure that the vmstat and iostat commands are available. If not, install these libraries. 2. Create a user account that can issue vmstat and iostat commands. FortiSIEM will use that user account to log in to the server. Syslog Logging Syslog forwarding can be configured on Linux servers to send the logs to FortiSIEM. There are different options regarding syslog configuration, including Syslog over TLS. There are typically two commonly-used Syslog demons: l Syslog-ng l rsyslog Basic Syslog-ng Configuration Follow these steps to enable basic Syslog-ng: 1. Add the following line to your Syslog-ng configuration: { udp("Collector IP" port(514));}; 2. Restart the syslog-ng service or reload the configuration. Basic rsyslog Configuration Follow these steps to enable ryslog: 1. Add the following lines to your ryslog configuration: # Send logs to the FortiSIEM Collector *.* @Collector IP:514 2. Restart the rsyslog service or reload the configuration. Linux File Monitoring FortiSIEM has licensed Linux agents that provide additional capabilities, such as custom log forwarding and central management. See the "Linux Agent Installation Guide" for details on this agent. FortiSIEM 6.1.1 External Systems Configuration Guide 611 Fortinet Technologies Inc. Servers Settings for Access Credentials l SNMP Access Credentials for All Devices l SSH Access Credentials for All Devices SNMP Access Credentials for All Devices Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> SSH Access Credentials for All Devices These are the generic settings for providing SSH access to your device from FortiSIEM. Setting Name Device Type Access Protocol Port User Name Password Value ssh-generic Generic SSH 22 A user who has access credentials for your device over SSH The password for the user FortiSIEM 6.1.1 External Systems Configuration Guide 612 Fortinet Technologies Inc. Servers Microsoft Windows Server l Supported OS l What is Discovered and Monitored l Configuration l Setting Access Credentials Supported OS l Windows 2003 l Windows 2008 and 2008 R2 l Windows 2012 and 2012 R2 l Windows 2016 l Windows 2019 What is Discovered and Monitored Metrics in bold are unique to Microsoft Windows Server monitoring. Installed Software Monitored via SNMP Although information about installed software is available via both SNMP and WMI, FortiSIEM uses SNMP to obtain installed software information to avoid an issue in Microsoft's WMI implementation for the Win32_Product WMI class see Microsoft KB 974524 article for more information. Because of this bug, WMI calls to the Win32_Product class create many unnecessary Windows event log messages indicating that the Windows Installer has reconfigured all installed applications. Winexe execution and its effect FortiSIEM uses the winexe command during discovery and monitoring of Windows servers for the following purposes 1. Windows domain controller diagnostic (dcdiag) and replication monitoring (repadmin /replsummary) 2. HyperV Performance Monitoring 3. Windows Custom performance monitoring to run a command (e.g. powershell) remotely on windows systems Note: Running the winexe command remotely will automatically install the winexesvc command on the windows server. Protocol SNMP SNMP Information Discovered Metrics collected Used for Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports) Uptime, Overall CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down, Performance Monitoring Vendor specific server hardware Hardware module status - fan, power supply, (hardware model, hardware thermal status, battery, disk, memory . Currently FortiSIEM 6.1.1 External Systems Configuration Guide 613 Fortinet Technologies Inc. Servers Protocol Information Discovered Metrics collected serial number, fans, power supply, disk, raid battery). Currently supported vendors include HP and Dell supported vendors include HP and Dell WMI Win32_ComputerSystem: Host name, OS Win32_ WindowsProductActivation: OS Serial Number Win32_ OperatingSystem: Memory, Uptime Win32_BIOS: Bios Win32_Processor: CPU Win32_ LogicalDisk: Disk info Win32_ NetworkAdapterConfiguration: network interface Win32_ Service: Services Win32_ Process: Running processes Win32_QuickFixEngineering: Installed Patches Win32_OperatingSystem: Uptime Win32_ PerfRawData_PerfOS_Processor: Detailed CPU utilization Win32_PerfRawData_PerfOS_ Memory: Memory utilization, paging/swapping metrics Win32_LogicalDisk: Disk space utilization Win32_PerfRawData_PerfOS_ PagingFile: Paging file utilization Win32_ PerfRawData_PerfDisk_LogicalDisk: Disk I/O metrics Win32_PerfRawData_Tcpip_ NetworkInterface: Network Interface utilization Win32_Service: Running process uptime, start/stop status Win32_Process, Win32_ PerfRawData_PerfProc_Process: Process CPU/memory/I/O utilization WMI Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent) Snare agent Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent) Correlog agent Security, Application and System Event Logs ncluding logon, file/folder edits, network traffic (Win32_NTLogEvent) FortiSIEM Agent Security, Application and System Event Logs, DNS, DHCP, IIS, DFS logs, Custom log files, File Integrity Monitoring, Registry Change Monitoring, Installed Software Change Monitoring, WMI and Powershell output monitoring Used for Performance Monitoring Security and Compliance Security and Compliance Security and Compliance Security and Compliance Event Types In ADMIN > Device Support > Event, search for "windows server" in the Description column to see the event types associated with this application or device. Rules In RESOURCE > Rules, search for "windows server" in the Name column to see the rules associated with this application or device. FortiSIEM 6.1.1 External Systems Configuration Guide 614 Fortinet Technologies Inc. Servers Reports In RESOURCE > Reports , search for "windows server" in the Name column to see the reports associated with this application or device. Configuration l WinRM Configurations l SNMP Configurations l WMI Configurations l Windows Agent Configurations l Syslog Configurations WinRM Configurations WinRM is used for some FortiSIEM Remediation actions. If Windows Remediation actions are not used in FortiSIEM, this configuration step is not required. Enable WinRM and set authentication Use the commands below to enable WinRM and set authentication on the target Windows Servers: 1. To configure Windows Server: winrm quickconfig winrm set winrm/config/service/auth `@{Basic="true"}' winrm set winrm/config/service `@{AllowUnencrypted="true"}' Single quotes are needed for Windows 2016 and later. 2. To configure FortiSIEM Client (Super or Collector): pip install pywinrm SNMP Configurations l Enabling SNMP on Windows Server 2012R2, Server 2016, Server 2019 l Enabling SNMP on Windows 7 or Windows Server 2008 R2 l Enabling SNMP on Windows Server 2003 Enabling SNMP on Windows Server 2012R2, Server 2016, Server 2019 SNMP is typically enabled by default on Windows Server 2012R2, Server 2016, and Server 2019. But you must still add FortiSIEM to the hosts that are authorized to accept SNMP packets. First, you should check that SNMP Services have been enabled for your server. 1. Log in to the Windows 2016 Server where you want to enable SNMP as an administrator. 2. In the Start menu, select Control Panel. 3. Under Programs, click Turn Windows features on/off. 4. The Add Roles and Features Wizard will open automatically. 5. Select Role-based or feature-based installation. Click Next until the Features option appears. FortiSIEM 6.1.1 External Systems Configuration Guide 615 Fortinet Technologies Inc. Servers 6. Under Features, see if SNMP Services is installed. If not, check the checkbox before the SNMP Service and click Next to install the service. 7. From the Start menu, select Services. Go to Services > SNMP Services. 8. Select and open SNMP Service. 9. Click the Security tab. 10. Select Send authentication trap. 11. Under Accepted communities, make sure there is an entry for public that is set to read-only. 12. Select Accept SNMP packets from these hosts. 13. Click Add. 14. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP. 15. Click Add. 16. Click Apply. 17. Under SNMP Service, click Restart service. Enabling SNMP on Windows 7 or Windows Server 2008 R2 SNMP is typically enabled by default on Windows Server 2008, but you must still add FortiSIEM to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server. 1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator. 2. In the Start menu, select Control Panel. 3. Under Programs, click Turn Windows features on/off. 4. Under Features, see if SNMP Services is installed. If not, click Add Feature, then select SMNP Service and click Next to install the service. 5. In the Server Manager window, go to Services > SNMP Services. 6. Select and open SNMP Service. 7. Click the Security tab. 8. Select Send authentication trap. 9. Under Accepted communities, make sure there is an entry for public that is set to read-only. 10. Select Accept SNMP packets from these hosts. 11. Click Add. 12. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP. 13. Click Add. 14. Click Apply. 15. Under SNMP Service, click Restart service. Enabling SNMP on Windows Server 2003 SNMP is typically enabled by default on Windows Server 2003, but you must still add FortiSIEM to the hosts that are authorized to accept SNMP packets. First you must make sure that the SNMP Management tool has been enabled for your device. 1. In the Start menu, go to Administrative Tools > Services. 2. Go to Control Panel > Add or Remove Programs. 3. Click Add/Remove Windows Components. 4. Select Management and Monitoring Tools and click Details. Make sure that Simple Network Management Tool is selected. If it isn't selected, select it, and then click Next to install. FortiSIEM 6.1.1 External Systems Configuration Guide 616 Fortinet Technologies Inc. Servers 5. Go to Start > Administrative Tools > Services. 6. Select and open SNMP Service. 7. Click the Security tab. 8. Select Send authentication trap. 9. Under Accepted communities, make sure there is an entry for public that is set to read-only. 10. Select Accept SNMP packets from these hosts. 11. Click Add. 12. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP. 13. Click Add. 14. Click Apply. 15. Under SNMP Service, click Restart service. WMI Configurations l WMI Configuration for Windows 2012, 2012R2, 2016, 2019 l WMI Configurations for Windows 2008 and 2008R2 WMI Configuration for Windows 2012, 2012R2, 2016, 2019 To configure WMI on your device so that FortiSIEM can discover and monitor it, you must create a user who has access to WMI objects on the device. There are two ways to do this: l Creating a Generic User Who Does Not Belong to the Local Administrator Group l Creating a User Who Belongs to the Domain Administrator Group l Differences Between Administrator and Non-Administrator Account Creating a Generic User Who Does Not Belong to the Local Administrator Group Log in to the machine you want to monitor with an administrator account. Step 1. Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group 1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups. 2. Right-click Users and select New User. 3. Create a user. 4. Select this user and right-click to select Properties > Member of tab. 5. Click Add > Advanced > Find Now. 6. Select and add the following groups: Note: To select multiple groups, hold down the CTRL key and click the desired groups. l Distributed COM Users group. l Performance Monitor Users group. l Remote Desktop Users group. 7. Click OK to save. FortiSIEM 6.1.1 External Systems Configuration Guide 617 Fortinet Technologies Inc. Servers Step 2. Enable DCOM Permissions for the Monitoring Account 1. Go to Start > Control Panel > Administrative Tools > Component Services > Computers > My Computer. 2. Right-click My Computer, and then Properties. 3. Select the COM Security tab, and then under Access Permissions, click Edit Limits. 4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed. 5. Click OK. 6. Under Access Permissions, click Edit Default. 7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1. 8. Click OK. 9. Under Launch and Activation Permissions, click Edit Limits. 10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. 11. Click OK. 12. Under Launch and Activation Permissions, click Edit Defaults. 13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1. 14. Click OK. Step 3. See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI. Step 4. Configuring Log Monitoring for Non-Administrative User To configure the non-administrative user to monitor windows event logs, follow the steps below: 1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers (Computer Management > Local Users and Groups for servers that are not a domain controller). 2. Right-click the non-admin user and select Properties. 3. Select the Member of tab. 4. Select the group Event Log Reader and click Add. 5. Click Apply. 6. Click OK to complete the configuration. 7. The following groups should be applied to the user: l Distributed COM Users l Domain Users l Event Log Reader Creating a User Who Belongs to the Domain Administrator Group Log in to the Domain Controller with an administrator account. FortiSIEM 6.1.1 External Systems Configuration Guide 618 Fortinet Technologies Inc. Servers Step 1. Enable remote WMI requests by adding a Monitoring Account to the Domain Administrators Group 1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users. 2. Right-click Users and select New > User. 3. Create a user for the @accelops.com domain. For example, YJTEST@accelops.com. 4. Right-click Domain Admins in Users and select Properties. 5. In the Domain Admins Properties dialog, select the Members tab, and then click Add. 6. Click Advanced > Find Now, add the Administrator and the user which you created in Step 3. 7. Click OK to close the User select dialog 8. Click OK to close the Domain Admins Properties dialog. Step 2. Enable the Monitoring Account to Access the Monitored Device Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account 1. Go to Start > Control Panel > Administrative Tools > Component Services. 2. Right-click My Computer, and then select Properties. 3. Select the COM Security tab, and then under Access Permissions, click Edit Limits. 4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access. 5. Click OK. 6. In the COM Security tab, under Access Permissions, click Edit Defaults. 7. Find the user you created for the monitoring account, and make sure that the user has the permission Allow for both Local Access and Remote Access. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1. 8. Click OK. 9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits. 10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1. 11. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits. 12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add these two groups as described in Step 1. 13. Click OK. Enable Account Privileges in WMI The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device. 1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications. 2. Select WMI Control, and then right-click and select Properties. FortiSIEM 6.1.1 External Systems Configuration Guide 619 Fortinet Technologies Inc. Servers 3. Select the Security tab. 4. Expand the Root directory and select CIMV2. 5. Click Security. 6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable. If the user isn ot present, then click Add to add the user you created. 7. Click Advanced. 8. Select the user you created for the monitoring account, and then click Edit. 9. In the Applies onto menu, select This namespace and subnamespaces. 10. Click OK to close the Permission Entry for CIMV2 dialog. 11. Click OK to close the Advanced Security Settings for CIMV2 dialog. 12. In the left-hand navigation, under Services and Applications, select Services. 13. Select Windows Management Instrumentation, and then click Restart. Allow WMI through Windows Firewall (Windows Server 2012, 2016 and 2019) 1. Go to Control Panel > Windows Firewall. 2. In the left-hand navigation, click Allow a program or feature through Windows Firewall. 3. Select Windows Management Instrumentation, and the click OK. You can configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Differences Between Administrator and Non-Administrator Account Windows allows certain WMI classes to be pulled only via Administrator account. The following table shows this clearly. WMI Class Administrator Non-Administrator Win32_BIOS Win32_ComputerSystem Win32_LogicalDisk Win32_NetworkAdapter Win32_NetworkAdapterConfiguration Win32_NTLogEvent Win32_OperatingSystem Win32_Process Win32_Processor Win32_Product Win32_QuickFixEngineering Win32_Service Win32_UserAccount win32_Volume Yes No Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes No Yes No Yes No Yes Yes FortiSIEM 6.1.1 External Systems Configuration Guide 620 Fortinet Technologies Inc. Servers WMI Class Administrator Non-Administrator Win32_PerfFormattedData_DHCPServer_DHCPServer Yes Yes Win32_PerfFormattedData_DNS_DNS Yes Yes Win32_PerfFormattedData_W3SVC_WebService Yes Yes Win32_PerfRawData_DirectoryServices_DirectoryServices Yes Yes Win32_PerfRawData_NTDS_NTDS Yes Yes Win32_PerfRawData_PerfDisk_LogicalDisk Yes Yes Win32_PerfRawData_PerfDisk_PhysicalDisk Yes Yes Win32_PerfRawData_PerfOS_Memory Yes Yes Win32_PerfRawData_PerfOS_PagingFile Yes Yes Win32_PerfRawData_PerfOS_Processor Yes Yes Win32_PerfRawData_PerfProc_Process Yes Yes Win32_PerfRawData_Tcpip_NetworkInterface Yes Yes WMI Configurations for Windows 2008 and 2008R2 To configure WMI on your device so that FortiSIEM can discover and monitor it, you must create a user who has access to WMI objects on the device. There are two ways to do this: l Creating a Generic User Who Does Not Belong to the Local Administrator Group l Creating a User Who Belongs to the Domain Administrator Group l Differences Between Administrator and Non-Administrator Account Creating a Generic User Who Does Not Belong to the Local Administrator Group Log in to the machine you want to monitor with an administrator account. Step 1. Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group 1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups. 2. Right-click Users and select New User. 3. Create a user. 4. Select this user and right-click to select Properties > Member of tab. 5. Select Distributed COM Users and click Add. 6. Click OK to save. This is the account you must use to set up the Performance Monitor Users group permissions. 7. Repeat steps 4 through 6 for the Performance Monitor Users group. FortiSIEM 6.1.1 External Systems Configuration Guide 621 Fortinet Technologies Inc. Servers Step 2. Enable DCOM Permissions for the Monitoring Account 1. Go to Start > Control Panel > Administrative Tools > Component Services. 2. Right-click My Computer, and then Properties. 3. Select the COM Security tab, and then under Access Permissions, click Edit Limits. 4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed. 5. Click OK. 6. Under Access Permissions, click EditDefault. 7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to Allowed. 8. Click OK. 9. Under Launch and Activation Permissions, click Edit Limits. 10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. 11. Click OK. 12. Under Launch and Activation Permissions, click Edit Defaults. 13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI. Configuring Log Monitoring for Non-Administrative User To configure the non-administrative user to monitor windows event logs, follow the steps below: 1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers (Computer Management > Local Users and Groups for servers that are not a domain controller). 2. Right-click the non-admin user and select Properties. 3. Select the Member of tab. 4. Select the group Event Log Reader and click Add. 5. Click Apply. 6. Click OK to complete the configuration. The following groups should be applied to the user: l Distributed COM Users l Domain Users l Event Log Reader Creating a User Who Belongs to the Domain Administrator Group Log in to the Domain Controller with an administrator account. FortiSIEM 6.1.1 External Systems Configuration Guide 622 Fortinet Technologies Inc. Servers Step 1. Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group 1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users. 2. Right-click Users and select Add User. 3. Create a user for the @accelops.com domain. For example, YJTEST@accelops.com. 4. Go to Groups, right-click Administrators, and then click Add to Group. 5. In the Domain Admins Properties dialog, select the Members tab, and then click Add. 6. For Enter the object names to select, enter the user you created in step 3. 7. Click OK to close the Domain Admins Properties dialog. 8. Click OK. Step 2. Enable the Monitoring Account to Access the Monitored Device Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account 1. Go to Start > Control Panel > Administrative Tools > Component Services. 2. Right-click My Computer, and then select Properties. 3. Select the Com Security tab, and then under Access Permissions, click Edit Limits. 4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access. 5. Click OK. 6. In the Com Security tab, under Access Permissions, click Edit Defaults. 7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Remote Access. 8. Click OK. 9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits. 10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. 11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults. 12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. Enable Account Privileges in WMI The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device. 1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications. 2. Select WMI Control, and then right-click and select Properties. 3. Select the Security tab. 4. Expand the Root directory and select CIMV2. 5. Click Security. 6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remote Enable. FortiSIEM 6.1.1 External Systems Configuration Guide 623 Fortinet Technologies Inc. Servers 7. Click Advanced. 8. Select the user you created for the monitoring account, and then click Edit. 9. In the Apply onto menu, select This namespace and subnamespaces. 10. Click OK to close the Permission Entry for CIMV2 dialog. 11. Click OK to close the Advanced Security Settings for CIMV2 dialog. 12. In the left-hand navigation, under Services and Applications, select Services. 13. Select Windows Management Instrumentation, and then click Restart. Allow WMI to Connect Through the Windows Firewall (Windows 2003) 1. In the Start menu, select Run. 2. Run gpedit.msc. 3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall. 4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not. 5. Select Windows Firewall: Allow remote administration exception. 6. Run cmd.exe and enter these commands: netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135"netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP 7. Restart the server. Allow WMI through Windows Firewall (Windows Server 2008, 2012) 1. Go to Control Panel > Windows Firewall. 2. In the left-hand navigation, click Allow a program or feature through Windows Firewall. 3. Select Windows Management Instrumentation, and the click OK.You can configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Differences Between Administrator and Non-Administrator Account Windows allows certain WMI classes to be pulled only via Administrator account. The following table shows this clearly. WMI Class Administrator Non-Administrator Win32_BIOS Win32_ComputerSystem Win32_LogicalDisk Win32_NetworkAdapter Win32_NetworkAdapterConfiguration Win32_NTLogEvent Yes No Yes Yes Yes No Yes Yes Yes Yes Yes Yes FortiSIEM 6.1.1 External Systems Configuration Guide 624 Fortinet Technologies Inc. Servers WMI Class Administrator Non-Administrator Win32_OperatingSystem Yes Yes Win32_Process Yes Yes Win32_Processor Yes Yes Win32_Product Yes Yes Win32_QuickFixEngineering Yes No Win32_Service Yes No Win32_UserAccount Yes No win32_Volume Yes Yes Win32_PerfFormattedData_DHCPServer_DHCPServer Yes Yes Win32_PerfFormattedData_DNS_DNS Yes Yes Win32_PerfFormattedData_W3SVC_WebService Yes Yes Win32_PerfRawData_DirectoryServices_DirectoryServices Yes Yes Win32_PerfRawData_NTDS_NTDS Yes Yes Win32_PerfRawData_PerfDisk_LogicalDisk Yes Yes Win32_PerfRawData_PerfDisk_PhysicalDisk Yes Yes Win32_PerfRawData_PerfOS_Memory Yes Yes Win32_PerfRawData_PerfOS_PagingFile Yes Yes Win32_PerfRawData_PerfOS_Processor Yes Yes Win32_PerfRawData_PerfProc_Process Yes Yes Win32_PerfRawData_Tcpip_NetworkInterface Yes Yes Windows Agent Configurations For information on configuring Windows Agent, see Windows Agent Installation Guide. Syslog Configurations See the Windows Agent Installation Guide for information on configuring the sending of syslog from your device to FortiSIEM. Sample Windows Server Syslog <108>2014 Dec 17 15:05:47 CorreLog_Win_Agent 1NDCITVWCVLT05.tsi.lan Login Monitor: Local Console User Login: User Name: weighalll-admin FortiSIEM 6.1.1 External Systems Configuration Guide 625 Fortinet Technologies Inc. Servers Configuring the Security Audit Logging Policy Because Windows generates a lot of security logs, you should specify the categories of events that you want logged and available for monitoring by FortiSIEM. 1. Log in the machine where you want to configure the policy as an administrator. 2. Go to Programs > Administrative Tools > Local Security Policy. 3. Expand Local Policies and select Audit Policy. You will see the current security audit settings. 4. Selet a policy and edit the Local Security Settings for the events you want audited. Recommended settings are: Policy Audit account logon events and Audit logon events Audit object access events Audit system events Description For auditing logon activity Settings Select Success and Failure For auditing access to files and folders. There is an additional configuration requirement for specifying which files and folders, users and user actions will be audited. See the next section, Configuring the File Auditing Policy. Includes system up/down messages Select Success and Failure Configuring the File Auditing Policy When you enable the policy to audit object access events, you also must specify which files, folders, and user actions will be logged. You should be very specific with these settings, and set their scope to be as narrow as possible to avoid excessive logging. For this reason you should also specify system-level folders for auditing. 1. Log in the machine where you want to set the policy with administrator privileges. On a domain computer, a Domain administrator account is needed 2. Open Windows Explorer, select the file you want to set the auditing policy for, right-click on it, and select Properties. 3. In the Security tab, click Advanced. 4. Select the Auditing tab, and then click Add. This button is labeled Edit in Windows 2008. 5. In the Select User or Group dialog, click Advanced, and then find and select the users whose access to this file you want to monitor. 6. Click OK when you are done adding users. 7. In the Permissions tab, set the permissions for each user you added. The configuration is now complete. Windows will generate audit events when the users you specified take the actions specified on the files or folders for which you set the audit policies. Setting Access Credentials SNMP, Telnet, and SSH Access Credentials for All Devices See Access Credentials. LDAP, LDAPS, LDAP Start TLS / OpenLDAP Access Credentials for All Devices FortiSIEM 6.1.1 External Systems Configuration Guide 626 Fortinet Technologies Inc. Servers Settings Name Device Type Access Protocol Used For Server Port Base DN Password Config User Name Password Value <set name> Microsoft Windows Server * LDAP / LDAPS / LDAP Start TLS OpenLDAP 389 for LDAP, LDAP Start TLS; 636 for LDAPS Specify the root of the LDAP tree as the Base DN. For example: dc=companyABC,dc=com See Password Configuration For user discoveries from an OpenLDAP directory, specify the full DN as the user name. For example: uid=jdoe,ou=hr,ou=unit,dc=companyABC,dc=com Password of the user able to access this system LDAP, LDAPS, LDAP Start TLS / Microsoft Active Directory Access Credentials for All Devices Settings Name Device Type Access Protocol Used For Server Port Base DN NetBIOS/Domain Password Config User Name Password Value <set name> Microsoft Windows Server * LDAP / LDAPS / LDAP Start TLS Microsoft Active Directory 389 for LDAP, LDAP Start TLS; 636 for LDAPS Specify the root of the LDAP tree as the Base DN. For example: dc=companyABC,dc=com The domain name or NetBIOS name attribute See Password Configuration For Microsoft Active Directory, the user name can be just the login name. Password of the user able to access this system WMI Access Credentials for All Devices FortiSIEM 6.1.1 External Systems Configuration Guide 627 Fortinet Technologies Inc. Servers Settings Name Device Type Access Protocol Pull Interval NetBIOS/Domain Password Config User Name Password Value <set name> Microsoft Windows Server * WMI 1 minute The domain name or NetBIOS name attribute See Password Configuration Name of the user able to access this system Password of the user able to access this system FortiSIEM 6.1.1 External Systems Configuration Guide 628 Fortinet Technologies Inc. Servers QNAP Turbo NAS Configuration Setup in FortiSIEM Complete these steps in the FortiSIEM UI: 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box: Setting Value Name <set name> Device Type QNAP Turbo NAS Access Protocol See Access Credentials Port See Access Credentials Password config See Password Configuration 3. In Step 2, Enter IP Range to Credential Associations: a. Select the name of your credential from the Credentials drop-down list. b. Enter a host name, an IP, or an IP range in the IP/Host Name field. c. Click Save. 4. Click Test to test the connection to QNAP Turbo NAS. 5. To see the jobs associated with QNAP, select ADMIN > Pull Events. 6. To see the received events select ANALYTICS, then enter QNAP in the search box. FortiSIEM 6.1.1 External Systems Configuration Guide 629 Fortinet Technologies Inc. Servers Sun Solaris Server l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP SSH Syslog Information discovered Metrics collected Used for Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports) Uptime, CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down Performance Monitoring Hardware (cpu details, memory) Memory paging rate, Disk I/O utilization Performance Monitoring Vendor, Model General logs including Authentication Success/Failure, Privileged logons, User/Group Modification Security Monitoring and Compliance Event Types In ADMIN > Device Support > Event, search for "solaris" in the Device Type and Description column to see the event types associated with this device. Configuration SNMP v1 and v2c 1. Check if the netsnmp package installed. Solaris has built-in snmp packages. If the netsnmp is not installed, use pkgadd cmd to install it. 2. Start snmnp with the default configuration. FortiSIEM 6.1.1 External Systems Configuration Guide 630 Fortinet Technologies Inc. Servers SSH 1. Make sure that the vmstat and iostat commands are available. If not, install these libraries. 2. Create a user account that can issue vmstat and iostat commands. FortiSIEM will use that user account to log in to the server. Settings for Access Credentials SNMP, Telnet, and SSH Access Credentials for All Devices See Access Credentials. LDAP, LDAPS, LDAP Start TLS / OpenLDAP Access Credentials for All Devices Settings Name Device Type Access Protocol Used For Server Port Base DN Password Config User Name Password Value <set name> Sun Solaris LDAP / LDAPS / LDAP Start TLS OpenLDAP 389 for LDAP, LDAP Start TLS; 636 for LDAPS The Distinguished Name (DN) of the starting point for directory server searches See Password Configuration Name of the user able to access this system Password of the user able to access this system LDAP, LDAPS, LDAP Start TLS / Microsoft Active Directory Access Credentials for All Devices Settings Name Device Type Access Protocol Used For Server Port Base DN NetBIOS/Domain Value <set name> Sun Solaris LDAP / LDAPS / LDAP Start TLS Microsoft Active Directory 389 for LDAP, LDAP Start TLS; 636 for LDAPS The Distinguished Name (DN) of the starting point for directory server searches The domain name or NetBIOS name attribute FortiSIEM 6.1.1 External Systems Configuration Guide 631 Fortinet Technologies Inc. Servers Settings Password Config User Name Password Value See Password Configuration Name of the user able to access this system Password of the user able to access this system FortiSIEM 6.1.1 External Systems Configuration Guide 632 Fortinet Technologies Inc. Storage FortiSIEM supports these storage devices for discovery and monitoring. l Brocade SAN Switch l Dell Compellent Storage l Dell EqualLogic Storage l EMC Clariion Storage l EMC Isilon Storage l EMC VNX Storage l NetApp Data ONTAP l NetApp Filer Storage l Nimble Storage l Nutanix Storage FortiSIEM 6.1.1 External Systems Configuration Guide 633 Fortinet Technologies Inc. Brocade SAN Switch l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP SNMP Information Discovered Metrics collected Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Hardware Status: Fan, Power Supply, Temperature (FortiSIEM Event Type: PH_DEV_MON_HW_STATUS) Used for Availability and Performance Monitoring Availability Monitoring Event Types In ADMIN > Device Support > Event, search for "brocade" in the Description column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide FortiSIEM 6.1.1 External Systems Configuration Guide 634 Fortinet Technologies Inc. Storage Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Brocade San Switch See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 635 Fortinet Technologies Inc. Storage Dell Compellent Storage l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP SNMP SNMP Information Discovered Metrics collected Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Hardware component health: Power, Temperature, Fan Volume Utilization Used for Availability and Performance Monitoring Availability Monitoring Performance Monitoring Event Types l Ping Monitoring: PH_DEV_MON_PING_STAT l Interface Utilization: PH_DEV_MON_NET_INTF_UTIL l Hardware Status: PH_DEV_MON_HW_STATUS l Disk Utilization: PH_DEV_MON_DISK_UTIL Rules Availability l Storage Hardware Warning l Storage Hardware Critical Performance (Fixed threshold) l NFS Disk space Warning l NFS Disk Space Critical FortiSIEM 6.1.1 External Systems Configuration Guide 636 Fortinet Technologies Inc. Storage Reports l Dell Compellent Hardware Status l Top Dell Compellent Devices By Disk Space Util l Top Dell Compellent Devices By Disk Space Util (Detailed) l Top Dell Compellent modules by fan speed l Top Dell Compellent modules by temperature l Top Dell Compellent modules by voltage Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Dell Compellent Storage See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 637 Fortinet Technologies Inc. Storage Dell EqualLogic Storage l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP SNMP SNMP Information Discovered Metrics collected Used for Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Availability and Performance Monitoring Hardware component health: Component name (Disk, Power supply, Temperature, Fan, RAID health), Component status, Host spare ready disk count Overall Disk health metrics: Total disk count, Active disk count, Failed disk count, Spare disk count Availability Monitoring Connection metrics: Connection Count, Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Read volume (KBps), Write volume (KBps) Disk performance metrics: Disk Name, Disk I/O Utilization, Disk I/O Queue, Read volume (KBps), Write volume (KBps) Group level performance metrics: Total storage, Used storage, Reserved storage, Reserved used storage, Total volumes, Used volumes, Online volumes, Total snapshot, Used snapshot, Online snapshot Performance Monitoring Event Types In ADMIN > Device Support > Event, search for "equallogic" in the Description column to see the event types associated with this device. Rules In RESOURCE > Rules, search for "equallogic" in the Name column to see the rules associated with this device. FortiSIEM 6.1.1 External Systems Configuration Guide 638 Fortinet Technologies Inc. Storage Reports In RESOURCE > Reports , search for "equallogic" in the Name column to see the reports associated with this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Dell EqualLogic See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 639 Fortinet Technologies Inc. Storage EMC Clariion Storage l What is Discovered and Monitored l Configuration What is Discovered and Monitored Protocol NaviSecCLI Information Discovered Metrics collected Used for Host name, Operating system version, Hardware model, Serial number, Network interfaces* Installed Software, Storage Controller Ports Hardware components: Enclosures, Fan, Power Supply, Link Control Card, CPU, Disk RAID Groups and the assigned disk LUNs and LUN -> RAID Group mappings Storage Groups and memberships (Host, Port, LUN). Processor utilization: SP Name, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps) Port I/O: Port name, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps) RAID Group I/O: RAID Group id, RAID type, Total disk, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps) LUN I/O: LUN name, LUN id, Total disk, Used disk, Free disk, Disk util, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps) Host HBA Connectivity: Source IP, Source Name, Source WWN, Dest IP, Destination Name, SP Port Name, Storage Group, LUN Names, Login Status, Registration Status Host HBA Unregistered Host: Source IP, Source Name, Source WWN, Dest IP, Destination Name, SP Port Name Hardware component health: Component name (Disk, Power supply, LCC, Fan, Link, Port), Component status, Host spare ready disk count Overall Disk health: Total disk count, Total disk size (MB), Active disk count, Failed disk count, Spare disk count Availability and Performance Monitoring Event Types In ADMIN > Device Support > Event Types, search for "clariion" to see the event types associated with this device. Rules There are no predefined rules for this device. FortiSIEM 6.1.1 External Systems Configuration Guide 640 Fortinet Technologies Inc. Storage Reports There are no predefined reports for this device. Configuration Installing the NaviSecCLI Library in FortiSIEM Changing NaviSecCLI Credentials If you change the NaviSecCLI credentials on your EMC Clariion device, the certificates may also be changed and naviseccli may prompt you to accept new certificates. This should only happen the first time after a certificate change, however, FortiSIEM discovery and performance monitoring will fail. You must run NaviSecCLI manually on each Supervisor and Worker in your deployment and accept the certificate, and then rediscover your EMC Clariion device for performance monitoring to resume. Configuration of your EMC Clariion storage device involves installing EMC's NaviSecCLI library in your FortiSIEM virtual appliance, and then setting the access credentials that the appliance will use to communicate with your device. 1. Log in to your FortiSIEM virtual appliance as root. 2. Copy the file NaviCLI-Linux-64-x86-versionxyz.rpm to the FortiSIEM directory. 3. Run rpm --Uvh NaviCLI-Linux-64-x86-versionxyz.rpm to install the rpm package. [root@Rob-SP-94 tmp]# rpm -Uvh NaviCLI-Linux-64-x86-en_US-7.30.15.0.44-1.x86_64.rpm Preparing... ########################################### [100%] 1:NaviCLI-Linux-64-x86-en########################################### [100%] Please enter the verifying level(low|medium|l|m) to set? m Setting medium verifying level [root@Rob-SP-94 opt]# ls -la total 40 drwxr-xr-x 8 root root 4096 Aug 22 16:06 . drwxr-xr-x 29 root root 4096 Aug 16 16:46 .. drwxr-xr-x 11 admin admin 4096 Jul 23 18:56 glassfish lrwxrwxrwx 1 root root 16 Aug 16 16:46 Java -> /opt/jdk1.6.0_32 drwxr-xr-x 8 root root 4096 Jun 2 16:35 jdk1.6.0_32 drwxr-xr-x 5 root root 4096 Aug 22 16:06 Navisphere <----Note this directory was created*** drwxrwxr-x 14 admin admin 4096 Jul 24 11:22 phoenix drwxrwxr-x 3 root root 4096 Jun 2 16:36 rpm drwxr-xr-x 8 root root 4096 Jun 18 2010 vmware [root@Rob-SP-94 opt]# 4. Change the user role to the admin su - admin and make sure that the user can run the command naviseccli -h -User <user> -Password <pwd> -Scope global getall -sp from the directory /opt/phoenix/bin . [root@Rob-SP-94 Navisphere]# cd bin [root@Rob-SP-94 bin]# su - admin [admin@Rob-SP-94 ~]$ naviseccli Not enough arguments Usage: [-User <username>] [-Password <password>] FortiSIEM 6.1.1 External Systems Configuration Guide 641 Fortinet Technologies Inc. Storage [-Scope <0 - global; 1 - local; 2 - LDAP>] [-Address <IPAddress | NetworkName> | -h <IPAddress | NetworkName>] [-Port <portnumber>] [-Timeout <timeout> | -t <timeout>] [-AddUserSecurity | -RemoveUserSecurity | -DeleteSecurityEntry] [-Parse | -p] [-NoPoll | -np] [-cmdtime] [-Xml] [-f <filename>] [-Help] CMD <Optional Arguments>[security -certificate] [admin@Rob-SP-94 ~]$ pwd /opt/phoenix/bin 5. Make sure that the Navisphere Analyzer module is on. If the module is off, performance metrics will not be available and discovery will fail. This log shows an example of the module being turned off. [admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 getall -sp Server IP Address: 192.168.1.100 Agent Rev: 7.32.26 (0.95) SP Information -------------- Storage Processor: SP A Storage Processor Network Name: A-IMAGE Storage Processor IP Address: 192.168.1.100 Storage Processor Subnet Mask: 255.255.255.0 Storage Processor Gateway Address: 192.168.1.254 Storage Processor IPv6 Mode: Not Supported Management Port Settings: Link Status: Link-Up Current Speed: 1000Mbps/full duplex Requested Speed: Auto Auto-Negotiate: YES Capable Speeds: 1000Mbps half/full duplex 10Mbps half/full duplex 100Mbps half/full duplex Auto System Fault LED: OFF Statistics Logging: OFF <----- Note: performance statistics are not being collected <------ so AccelOp can not pull stats and discovery will fail. <------ See how to turn ON Statistics Logging below. SP Read Cache State Enabled SP Write Cache State Enabled .... 6. If the Navisphere Analyzer module is off, turn it on with the setstats -on command. [admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 setstats -on [admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 getall -sp Server IP Address: 192.168.1.100 Agent Rev: 7.32.26 (0.95) SP Information -------------Storage Processor: SP A FortiSIEM 6.1.1 External Systems Configuration Guide 642 Fortinet Technologies Inc. Storage Storage Processor Network Name: A-IMAGE Storage Processor IP Address: 192.168.1.100 Storage Processor Subnet Mask: 255.255.255.0 Storage Processor Gateway Address: 192.168.1.254 Storage Processor IPv6 Mode: Not Supported Management Port Settings: Link Status: Link-Up Current Speed: 1000Mbps/full duplex Requested Speed: Auto Auto-Negotiate: YES Capable Speeds: 1000Mbps half/full duplex 10Mbps half/full duplex 100Mbps half/full duplex Auto System Fault LED: OFF Statistics Logging: ON <---NOTE that statistics Logging is now ON. SP Read Cache State Enabled SP Write Cache State Enabled Max Requests: N/A Average Requests: N/A Hard errors: N/A Total Reads: 1012 Total Writes: 8871 Prct Busy: 6.98 Prct Idle: 93.0 System Date: 10/04/2013 Day of the week: Friday System Time: 11:23:48 Read_requests: 1012 Write_requests: 8871 Blocks_read: 26259 Blocks_written: 235896 Sum_queue_lengths_by_arrivals: 27398 Arrivals_to_non_zero_queue: 3649 .... 7. Once this command runs successfully, you are ready to set the access credentials for your device in FortiSIEM and initiate the discovery process. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your EMC Clarion storage device over NaviSecCLI. Setting Name Device Type Access Protocol Value <set name> EMC Clariion Navisec CLI FortiSIEM 6.1.1 External Systems Configuration Guide 643 Fortinet Technologies Inc. Storage Setting Use LDAP User Name Password Value Select to use LDAP to access directory services The user you configured to access NaviSecCLI The password associated with the user FortiSIEM 6.1.1 External Systems Configuration Guide 644 Fortinet Technologies Inc. Storage EMC Isilon Storage l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP SNMP Information Discovered Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components Metrics collected Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Hardware component health: Component name (Disk, Power supply, Temperature, Fan), Component status (AO event type: PH_DEV_MON_HW_STATUS) Environmental: Temperature (AO event type: PH_DEV_ MON_HW_TEMP), Voltage readings (AO event type: PH_ DEV_MON_HW_VOLTAGE) Cluster membership change: (AO event type: PH_DEV_ MON_ISILON_CLUSTER_MEMBERSHIP_CHANGE) Used for Availability and Performance Monitoring Availability Monitoring Event Types In ADMIN > Device Support > Event, search for "isilon" in the Description column to see the event types associated with this device. Rules In RESOURCE > Rules, search for "isilon" in the Name column to see the rules associated with this device. Reports In RESOURCE > Reports , search for "isilon" in the Name column to see the reports associated with this device. FortiSIEM 6.1.1 External Systems Configuration Guide 645 Fortinet Technologies Inc. Storage Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials SNMP Access Credentials for All Devices Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> FortiSIEM 6.1.1 External Systems Configuration Guide 646 Fortinet Technologies Inc. Storage EMC VNX Storage Configuration Configuring EMC VNX Like EMC Clarion, FortiSIEM uses Navisec CLI to discover the device and to collect performance metrics. The only difference is that a slightly different command and XML formatted output is used. Protocol Information Discovered Metrics collected Used for Navisec CLI Host name, Operating system version, Hardware model, Serial number, Network interfaces* Installed Software, Storage Controller Ports Hardware components: Enclosures, Fan, Power Supply, Link Control Card, CPU, Disk Storage Pools, RAID Groups and the assigned disks LUNs and LUN -> Storage Pool and RAID Group mappings Storage Groups and memberships (Host, Port, LUN) Processor utilization: SP Name, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps) Storage Pool I/O: RAID Group id, RAID type, Total disk, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps) Availability and Performance Monitoring LUN I/O: LUN name, LUN id, Total disk, Used disk, Free disk, Disk util, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps) Host HBA Connectivity: Source IP, Source Name, Source WWN, Dest IP, Destination Name, SP Port Name, Storage Group, LUN Names, Login Status, Registration Status Host HBA Unregistered Host: Source IP, Source Name, Source WWN, Dest IP, Destination Name, SP Port Name Hardware component health: Component name (Disk, Power supply, LCC, Fan, Link, Port), Component status, Host spare ready disk count FortiSIEM 6.1.1 External Systems Configuration Guide 647 Fortinet Technologies Inc. Storage Protocol Information Discovered Metrics collected Used for Overall Disk health: Total disk count, Total disk size (MB), Active disk count, Failed disk count, Spare disk count Configuration Installing the NaviSecCLI Library in FortiSIEM Changing NaviSecCLI Credentials If you change the NaviSecCLI credentials on your EMC Clarion device, the certificates may also be changed and naviseccli may prompt you to accept new certificates. This should only happen the first time after a certificate change, however, FortiSIEM discovery and performance monitoring will fail. You must run NaviSecCLI manually on each Supervisor and Worker in your deployment and accept the certificate, and then rediscover your EMC Clarion device for performance monitoring to resume. Configuration of your EMC Clarion storage device involves installing EMC's NaviSecCLI library in your FortiSIEM virtual appliance, and then setting the access credentials that the appliance will use to communicate with your device. 1. Log in to your FortiSIEM virtual appliance as root. 2. Copy the file NaviCLI-Linux-64-x86-versionxyz.rpm to the FortiSIEM directory. 3. Run rpm --Uvh NaviCLI-Linux-64-x86-versionxyz.rpm to install the rpm package. [root@Rob-SP-94 tmp]# rpm -Uvh NaviCLI-Linux-64-x86-en_US-7.30.15.0.44-1.x86_64.rpm Preparing... ########################################### [100%] 1:NaviCLI-Linux-64-x86-en########################################### [100%] Please enter the verifying level(low|medium|l|m) to set? m Setting medium verifying level [root@Rob-SP-94 opt]# ls -la total 40 drwxr-xr-x 8 root root 4096 Aug 22 16:06 . drwxr-xr-x 29 root root 4096 Aug 16 16:46 .. drwxr-xr-x 11 admin admin 4096 Jul 23 18:56 glassfish lrwxrwxrwx 1 root root 16 Aug 16 16:46 Java -> /opt/jdk1.6.0_32 drwxr-xr-x 8 root root 4096 Jun 2 16:35 jdk1.6.0_32 drwxr-xr-x 5 root root 4096 Aug 22 16:06 Navisphere <----Note this directory was created*** drwxrwxr-x 14 admin admin 4096 Jul 24 11:22 phoenix drwxrwxr-x 3 root root 4096 Jun 2 16:36 rpm drwxr-xr-x 8 root root 4096 Jun 18 2010 vmware [root@Rob-SP-94 opt]# 4. Change the user role to the admin su - admin and make sure that the user can run the command naviseccli -h -User <user> -Password <pwd> -Scope global getall -sp from the directory /opt/phoenix/bin . [root@Rob-SP-94 Navisphere]# cd bin [root@Rob-SP-94 bin]# su - admin [admin@Rob-SP-94 ~]$ naviseccli Not enough arguments FortiSIEM 6.1.1 External Systems Configuration Guide 648 Fortinet Technologies Inc. Storage Usage: [-User <username>] [-Password <password>] [-Scope <0 - global; 1 - local; 2 - LDAP>] [-Address <IPAddress | NetworkName> | -h <IPAddress | NetworkName>] [-Port <portnumber>] [-Timeout <timeout> | -t <timeout>] [-AddUserSecurity | -RemoveUserSecurity | -DeleteSecurityEntry] [-Parse | -p] [-NoPoll | -np] [-cmdtime] [-Xml] [-f <filename>] [-Help] CMD <Optional Arguments>[security -certificate] [admin@Rob-SP-94 ~]$ pwd /opt/phoenix/bin 5. Make sure that the Navisphere Analyzer module is on. If the module is off, performance metrics will not be available and discovery will fail. This log shows an example of the module being turned off. [admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 getall -sp Server IP Address: 192.168.1.100 Agent Rev: 7.32.26 (0.95) SP Information -------------- Storage Processor: SP A Storage Processor Network Name: A-IMAGE Storage Processor IP Address: 192.168.1.100 Storage Processor Subnet Mask: 255.255.255.0 Storage Processor Gateway Address: 192.168.1.254 Storage Processor IPv6 Mode: Not Supported Management Port Settings: Link Status: Link-Up Current Speed: 1000Mbps/full duplex Requested Speed: Auto Auto-Negotiate: YES Capable Speeds: 1000Mbps half/full duplex 10Mbps half/full duplex 100Mbps half/full duplex Auto System Fault LED: OFF Statistics Logging: OFF <----- Note: performance statistics are not being collected <------ so AccelOp can not pull stats and discovery will fail. <------ See how to turn ON Statistics Logging below. SP Read Cache State Enabled SP Write Cache State Enabled .... 6. If the Navisphere Analyzer module is off, turn it on with the setstats -on command. [admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 setstats -on [admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 getall -sp Server IP Address: 192.168.1.100 Agent Rev: 7.32.26 (0.95) SP Information FortiSIEM 6.1.1 External Systems Configuration Guide 649 Fortinet Technologies Inc. Storage -------------- Storage Processor: SP A Storage Processor Network Name: A-IMAGE Storage Processor IP Address: 192.168.1.100 Storage Processor Subnet Mask: 255.255.255.0 Storage Processor Gateway Address: 192.168.1.254 Storage Processor IPv6 Mode: Not Supported Management Port Settings: Link Status: Link-Up Current Speed: 1000Mbps/full duplex Requested Speed: Auto Auto-Negotiate: YES Capable Speeds: 1000Mbps half/full duplex 10Mbps half/full duplex 100Mbps half/full duplex Auto System Fault LED: OFF Statistics Logging: ON <---NOTE that statistics Logging is now ON. SP Read Cache State Enabled SP Write Cache State Enabled Max Requests: N/A Average Requests: N/A Hard errors: N/A Total Reads: 1012 Total Writes: 8871 Prct Busy: 6.98 Prct Idle: 93.0 System Date: 10/04/2013 Day of the week: Friday System Time: 11:23:48 Read_requests: 1012 Write_requests: 8871 Blocks_read: 26259 Blocks_written: 235896 Sum_queue_lengths_by_arrivals: 27398 Arrivals_to_non_zero_queue: 3649 .... 7. Once this command runs successfully, you are ready to set the access credentials for your device in FortiSIEM and initiate the discovery process. Setting the IP Address for Credential Mapping Enter the Storage Processor IP address when you associate your device's access credentials to an IP address during the credential set up process. Do not enter any other IP address, such as the Control Station IP. Settings for Access Credentials Use these Access Method Definition settings to allow FortiSIEM to access your EMC VNX storage device over NaviSecCLI. FortiSIEM 6.1.1 External Systems Configuration Guide 650 Fortinet Technologies Inc. Storage Setting Name Device Type Access Protocol Use LDAP User Name Password Value <set name> EMC VNX Navisec CLI Select to use LDAP to access directory services The user you configured to access NaviSecCLI The password associated with the user NetApp DataONTAP l Supported Version l Configuration Supported Version FortiSIEM supports the latest NetApp ONTAP API version listed here. l NetApp ONTAP API 8.2 Configuration Setup in FortiSIEM Complete these steps in the FortiSIEM UI: 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box: Settings Name Device Type Access Protocol Transport Pull Interval User Name Description Enter a name for the credential. NetApp DataONTAP NetApp ONTAPI - HTTP - HTTPS 5 minutes User name for device access FortiSIEM 6.1.1 External Systems Configuration Guide 651 Fortinet Technologies Inc. Storage Settings Description Password Description Settings Password for device access Description about the device Description 3. In Step 2: Enter IP Range to Credential Associations, click New. a. Enter a host name, an IP, or an IP range in the IP/Host Name field. b. Select the name of your credential from the Credentials drop-down list. c. Click Save. 4. Click the Test drop-down list and select Test Connectivity to test the connection to NetApp DataONTAP. 5. To see the jobs associated with DataONTAP, select ADMIN > Setup > Pull Events. 6. To see the received events select ANALYTICS, then enter "DataONTAP" in the search box. FortiSIEM 6.1.1 External Systems Configuration Guide 652 Fortinet Technologies Inc. Storage NetApp Filer Storage l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP SNMP SNMP Information Discovered Host name, Operating system version, Hardware model, Serial number, Network interfaces, Logical volumes, Physical Disks Metrics collected Used for Uptime, CPU utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Logical Disk Volume utilization Availability and Performance Monitoring Hardware component health: Component name (Battery, Disk, Power supply, Temperature, Fan), Component status, Failed power supply count, Failed Fan Count Overall Disk health metrics: Total disk count, Active disk count, Failed disk count, Spare disk count, Reconstructing disk count, Scrubbing disk count, Add spare disk count NFS metrics: Cache age, CIFS request rate (IOPS), NFS request rate (IOPS), Disk read rate (IOPS), Disk write rate (IOPS), Network Sent rate (Kbps), Network received rate (Kbps), RPC Bad calls, NFS Bad calls, CIFS Bad calls Detailed NFS V3 metrics: Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Read volume (KBps), Write volume (KBps) Detailed NFS V4 metrics: Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Read volume (KBps), Write volume (KBps) Detailed CIFS metrics: Total Read/Write rate (IOPS), Latency Detailed ISCSI metrics: Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Read volume (KBps), Write volume (KBps) Detailed FCP metrics: Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Read volume (KBps), Write volume (KBps) Availability Monitoring Performance Monitoring FortiSIEM 6.1.1 External Systems Configuration Guide 653 Fortinet Technologies Inc. Storage Protocol Information Discovered ONTAP API Metrics collected Used for Detailed LUN metrics: LUN Name, Read request rate (IOPS), Write request rate (IOPS), Read/Write latency, Read volume (KBps), Write volume (KBps), Disk queue full Detailed Aggregate metrics: Aggregate name, Read request rate (IOPS), Write request rate (IOPS), Transfer rate, CP Read rate Detailed Volume metrics: Volume Name, Disk Read request rate (IOPS), Disk Write request rate (IOPS), Disk read latency, Disk write latency, NFS Read request rate (IOPS), NFS Write request rate (IOPS), NFS Read latency, NFS Write latency, CIFS Read request rate (IOPS), CIFS Write request rate (IOPS), CIFS Read latency, CIFS Write latency, SAN Read request rate (IOPS), SAN Write request rate (IOPS), SAN Read latency, SAN Write latency Detailed Disk performance metrics: Disk Name, Disk Utilization, Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Transfer operations rate Performance Monitoring Event Types In ADMIN > Device Support > Event, search for "netapp" in the Device Type column to see the event types associated with this device. Rules In RESOURCE > Rules, search for "netapp" in the Name column to see the rules associated with this device. Reports In RESOURCE > Reports , search for "netapp" in the Name column to see the reports associated with this device. Configuration SNMP 1. Log in to your NetApp device with administrative privileges. 2. Go to SNMP > Configure. 3. For SNMP Enabled, select Yes. 4. Under Communities, create a public community with Read-Only permissions. 5. Click Apply. FortiSIEM 6.1.1 External Systems Configuration Guide 654 Fortinet Technologies Inc. Storage Settings for Access Credentials SNMP Access Credentials for All Devices Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> FortiSIEM 6.1.1 External Systems Configuration Guide 655 Fortinet Technologies Inc. Storage Nimble Storage l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP SNMP SNMP Information Discovered Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components Metrics collected Used for Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Availability and Performance Monitoring Storage Disk Utilization: Disk name, Total Disk, Used Disk, Availability Free Disk, Disk Utilization Monitoring Storage Performance metrics: Read rate (IOPS), Sequential Read Rate (IOPS), Write rate (IOPS), Sequential Write Rate (IOPS), Read latency, Write latency, Read volume (KBps), Sequential Read volume (KBps), Sequential Write volume (KBps), Used Volume (MB), Used Snapshot (MB), Non-Sequential Cache Hit Ratio (FortiSIEM Event Type: PH_DEV_MON_NIMBLE_GLOBAL_STAT) Performance Monitoring Event Types In ADMIN > Device Support > Event, search for "nimble" in the Description column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. FortiSIEM 6.1.1 External Systems Configuration Guide 656 Fortinet Technologies Inc. Storage Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Nimble Storage NimbleOS See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 657 Fortinet Technologies Inc. Storage Nutanix Storage l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP SNMP SNMP Information Discovered Metrics collected Used for Host name, Operating system version, Hardware model, Serial number, Network interfaces, Physical Disks, Components Uptime, Process count, CPU utilization, Real and virtual memory utilization, Disk utilization, Process CPU/Memory utilization, Network Interface metrics Availability and Performance Monitoring Disk Status: Cluster, Controller VM, Disk id, Disk serial, Disk utilization, Total Disk, Used Disk, Free Disk Disk Temp: Disk Id, disk serial, Controller VM, temperature Cluster Status: Cluster, Cluster version, storage utilization, total storage, used storage, IOPS, latency Service Status: Cluster, Controller VM, Cluster VM Status, Zeus Status, Stargate Status Availability Monitoring Storage Pool Info: Cluster, storage pool name, storage utilization, total storage, used storage, IOPS, latency Container Info: Cluster, Container name, storage utilization, total storage, used storage, IOPS, latency Performance Monitoring Event Types l PH_DEV_MON_SYS_CPU_UTIL [PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=1468,[cpuName]=Generic CPU,[hostName]=NTNX-14SM15290052-A-CVM, [hostIpAddr]=10.0.252.20,[cpuUtil]=100.000000,[sysCpuUtil]=0.000000, [userCpuUtil]=0.000000,[waitCpuUtil]=0.000000,[kernCpuUtil]=0.000000, [contextSwitchPersec]=0.000000,[cpuInterruptPersec]=0.000000,[pollIntv]=177,[cpuCore]=8, [loadAvg1min]=2.500000,[loadAvg5min]=2.500000,[loadAvg15min]=2.390000,[phLogDetail]= l PH_DEV_MON_SYS_MEM_UTIL FortiSIEM 6.1.1 External Systems Configuration Guide 658 Fortinet Technologies Inc. Storage [PH_DEV_MON_SYS_MEM_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=9587,[memName]=Physical Memory,[hostName]=NTNX-14SM15290052-A-CVM, [hostIpAddr]=10.0.252.20,[memUtil]=93.210754,[pollIntv]=177,[phLogDetail]= l PH_DEV_MON_SYS_VIRT_MEM_UTIL [PH_DEV_MON_SYS_VIRT_MEM_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=9590,[memName]=Virtual memory,[hostName]=NTNX-14SM15290052-A-CVM, [hostIpAddr]=10.0.252.20,[virtMemUsedKB]=30773124,[virtMemUtil]=93.210754, [pollIntv]=177,[phLogDetail]= l PH_DEV_MON_SYS_UPTIME [PH_DEV_MON_SYS_UPTIME]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=1065,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.252.20, [sysUpTime]=1815730,[sysUpTimePct]=100.000000,[sysDownTime]=0,[pollIntv]=56, [phLogDetail]= l PH_DEV_MON_SYS_DISK_UTIL [PH_DEV_MON_SYS_DISK_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=9664,[diskName]=/home/nutanix/data/stargate-storage/disks/9XG6R3HG, [hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.252.20,[appTransportProto]=SNMP (hrStorage),[diskUtil]=9.229729,[totalDiskMB]=938899,[usedDiskMB]=86658, [freeDiskMB]=852241,[pollIntv]=176,[phLogDetail]= l PH_DEV_MON_NET_INTF_UTIL [PH_DEV_MON_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phIntfFilter.cpp, [lineNumber]=319,[intfName]=eth0,[intfAlias]=,[hostName]=NTNX-14SM15290052-A-CVM, [hostIpAddr]=10.0.252.20,[pollIntv]=56,[recvBytes64]=0,[recvBitsPerSec]=0.000000, [inIntfUtil]=0.000000,[sentBytes64]=0,[sentBitsPerSec]=0.000000,[outIntfUtil]=0.000000, [recvPkts64]=0,[sentPkts64]=0,[inIntfPktErr]=0,[inIntfPktErrPct]=0.000000, [outIntfPktErr]=0,[outIntfPktErrPct]=0.000000,[inIntfPktDiscarded]=0, [inIntfPktDiscardedPct]=0.000000,[outIntfPktDiscarded]=0, [outIntfPktDiscardedPct]=0.000000,[outQLen64]=0,[intfInSpeed64]=10000000000, [intfOutSpeed64]=10000000000,[intfAdminStatus]=up,[intfOperStatus]=up, [daysSinceLastUse]=0,[totIntfPktErr]=0,[totBitsPerSec]=0.000000,[phLogDetail]= l PH_DEV_MON_PROC_RESOURCE_UTIL [PH_DEV_MON_PROC_RESOURCE_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=4378,[swProcName]=python,[hostName]=NTNX-14SM15290052-A-CVM, [hostIpAddr]=10.0.23.20,[procOwner]=,[memUtil]=0.379639,[cpuUtil]=0.000000, [appName]=python,[appGroupName]=,[pollIntv]=116,[swParam]=/home/nutanix/ncc/bin/health_ server.py --log_plugin_output=true --logtostderr=true,[phLogDetail]= l PH_DEV_MON_SYS_PROC_COUNT [PH_DEV_MON_SYS_PROC_COUNT]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=11378,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.252.20, [procCount]=327,[pollIntv]=176,[phLogDetail]= l PH_DEV_MON_NUTANIX_DISK_STATUS [PH_DEV_MON_NUTANIX_DISK_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=devNutanix.cpp, [lineNumber]=216,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.23.20, [cluster]=AmanoxLab01,[diskId]=24,[ntxControllerVMId]=7,[hwDiskSerial]=9XG6V4DS, [diskUtil]=35.704633,[totalDiskMB]=916,[freeDiskMBNonRoot]=589,[inodeUsedPct]=0.234492, [inodeMax]=61054976,[inodeFreeNonRoot]=60911807,[phLogDetail]= l PH_DEV_MON_NUTANIX_CLUSTER_STATUS FortiSIEM 6.1.1 External Systems Configuration Guide 659 Fortinet Technologies Inc. Storage [PH_DEV_MON_NUTANIX_CLUSTER_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=devNutanix.cpp, [lineNumber]=272,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.23.20, [cluster]=Lab01,[clusterVersion]=el6-release-danube-4.1.2-stable99e1e2dda7a78989136f39132e1f198989ef03a4,[clusterStatus]=started,[diskUtil]=32.000000, [totalDiskMB]=14482532,[usedDiskMB]=4740567,[diskRWReqPerSec]=3109.000000, [devDiskRWLatency]=0.631000,[phLogDetail]= l PH_DEV_MON_NUTANIX_SERVICE_STATUS [PH_DEV_MON_NUTANIX_SERVICE_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=devNutanix.cpp, [lineNumber]=287,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.23.20, [cluster]=Lab01,[ntxControllerVMId]=5,[ntxClusterVMStatus]=Up,[ntxZeusStatus]=3287, 3310, 3311, 3312, 3389, 3403,[ntxStargateStatus]=5331, 5365, 5366, 5421, 19543, [phLogDetail]= l PH_DEV_MON_NUTANIX_STORAGE_POOL_INFO [PH_DEV_MON_NUTANIX_STORAGE_POOL_INFO]:[eventSeverity]=PHL_INFO, [fileName]=devNutanix.cpp,[lineNumber]=239,[hostName]=NTNX-14SM15290052-A-CVM, [hostIpAddr]=10.0.23.20,[cluster]=Lab01,[spoolId]=1474,[spoolName]=amanoxlab_sp, [diskUtil]=32.733000,[totalDiskMB]=14482532,[usedDiskMB]=4740567, [diskRWReqPerSec]=155.000000,[devDiskRWLatency]=0.631000,[phLogDetail]= l PH_DEV_MON_NUTANIX_CONTAINER_INFO [PH_DEV_MON_NUTANIX_CONTAINER_INFO]:[eventSeverity]=PHL_INFO,[fileName]=devNutanix.cpp, [lineNumber]=257,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.23.20, [cluster]=Lab01,[ntxContainerId]=1488,[ntxContainerName]=perflab_ndfs, [diskUtil]=8.357116,[totalDiskMB]=14482532,[usedDiskMB]=1210322, [diskRWReqPerSec]=0.000000,[devDiskRWLatency]=0.000000,[phLogDetail]= Rules Currently there are no system rules defined. Reports l Nutanix Cluster Disk Usage l Nutanix Cluster Performance l Nutanix Cluster Service Status l Nutanix Cluster Storage Usage l Nutanix Container Performance l Nutanix Container Storage Usage l Nutanix Storage Pool Performance l Nutanix Storage Pool Usage Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the FortiSIEM 6.1.1 External Systems Configuration Guide 660 Fortinet Technologies Inc. Storage User Guide. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Nutanix Controller VM See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 661 Fortinet Technologies Inc. Threat Intelligence FortiSIEM supports these threat detection devices: l FortiInsight l LastLine l ThreatConnect External threat intelligence sources provide information about malware actors (Indicators of Compromise or IOCs). FortiSIEM can be configured to download this information periodically, either incrementally or full updates, according to a schedule you define. IOCs can include Malware IP, Domain, URL, and file hashes. You can write rules to look for matches in real time or reports to look for matches in historical data. The following external threat intelligence sources are supported out of the box: l Emerging Threat l FortiGuard l FortiSandbox l Malware Domain l SANS l ThreatStream l ThreatConnect l TruSTAR l Zeus In general, any threat source that provides a CSV file or supports STIC/TAXII standards 1.0, 1.1, and 2.0 can be automatically supported by FortiSIEM. FortiSIEM also provides a Java-based API which can be used to support a new website. FortiSIEM 6.1.1 External Systems Configuration Guide 662 Fortinet Technologies Inc. Fortinet FortiInsight FortiInsight is a unique data security and threat detection solution that delivers advanced threat hunting to help you spot, respond to, and manage risky behaviors that put your business-critical data at risk. It combines powerful and flexible Machine Learning with detailed forensics around user actions to bring focus to the facts more rapidly than other solutions. l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration in FortiInsight l Configuration in FortiSIEM l Sample Events What is Discovered and Monitored Protocol FortiInsight API Information collected Policy based alerts and AI based alerts Used for Data security, threat protection This feature allows FortiSIEM to get Policy-based alerts and AI-based alerts from FortiInsight. Event Types In RESOURCES > Event Types, enter "FortiInsight" in the Search column to see the event types associated with this device. Rules In RESOURCES > Rules, enter "FortiInsight" in the Search column to see the rules associated with this device. Reports No defined reports. Configuration in FortiInsight Get an API Key in FortiInsight Complete these steps in the FortiInsight UI: 1. Login to FortiInsight. 2. Select Admin > Account from the left menu. 3. Click New API Key to open the New API Key dialog box. FortiSIEM 6.1.1 External Systems Configuration Guide 663 Fortinet Technologies Inc. Threat Intelligence 4. Enter a descriptive Name. 5. Click Save to generate the API key. This will download a file containing the API key information (Client ID, Client Secret, and Name). Make a note of these values; you will need them when you configure FortiSIEM. Configuration in FortiSIEM Complete these steps in the FortiSIEM UI: 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box: Settings Name Device Type Access Protocol Pull Interval Client ID Client Secret Organization Description Description Enter a name for the credential Fortinet FortiSIEM FortiInsight API The interval in which FortiSIEM will pull events from FortiInsight. Default is 3 minutes. Access key for your FortiInsight instance. Secret key for your FortiInsight instance The organization the device belongs to. Description of the device. 3. In Step 2, Enter IP Range to Credential Associations: a. Select the name of your Fortinet FortiInsight credential from the Credentials drop-down list. b. Enter a host name, an IP, or an IP range in the IP/Host Name field. c. Click Save. 4. Click Test to test the connection to FortiInsight. 5. To see the jobs associated with FortiInsight, select ADMIN > Setup > Pull Events. 6. To see the received events select ANALYTICS, then enter FortiInsight in the search box. Sample Events [FORTIINSIGHT_POLICY_ALERT] = {"description":"","events":[{"act":"file downloaded","app":"chrome.exe","childId":null,"d":"2019-0318T13:22:24.344+00:00","id":null,"m":"uqP","mn":{"dh":"tcp://server-10-230-2153.lhr5.r.cloudfront.net","dip":"10.1.1.76","dp":61024,"ext":".mkv","fp":"c:\\users\\Admini strator\\documents\\secret\\prototypedemo1.mkv","fs":2307792448,"loc": {"altCode":null,"city":"Augsburg","code":"DE","country":"Germany","latitude":"48.3718","long itude":"10.8925"},"p":"tcp-ip- FortiSIEM 6.1.1 External Systems Configuration Guide 664 Fortinet Technologies Inc. Threat Intelligence 4","sip":"78.47.38.226","sp":443,"ts":1460},"r":"c:\\users\\Administrator\\documents\\secret \\prototypedemo1.mkv-> tcp://server-54-230-2-153.lhr5.r.cloudfront.net:443","u":"acmeltd__ engineer2"}],"extendedEvents":[{"act":"file downloaded","app":"chrome.exe","childId":null,"d":"2019-0318T13:22:24.344+00:00","id":null,"latestHostname":"mimas","latestIp":"10.10.0.1","m":"uqP"," mn":{"dh":"tcp://server-54-230-2153.lhr5.r.cloudfront.net","dip":"10.1.1.76","dp":61024,"ext":".mkv","fp":"c:\\users\\Admini strator\\documents\\secret\\prototypedemo1.mkv","fs":2307792448,"loc": {"altCode":null,"city":"Augsburg","code":"DE","country":"Germany","latitude":"48.3718","long itude":"10.8925"},"p":"tcp-ip4","sip":"78.47.38.226","sp":443,"ts":1460},"r":"c:\\users\\Administrator\\documents\\secret \\prototypedemo1.mkv-> tcp://server-10-230-2153.lhr5.r.cloudfront.net:443","resolvedUsername":"","u":"acmeltd__ engineer2"}],"id":"AWmQ98PYg7b_-i6_5Rvg","labels":[""],"policyId":"default_ 6COnUMjTCB8N","policyName":"Browser Download","regimes": ["ZoneFox"],"serverIp":"52.209.49.52","serverName":"fortisiemtest.dev.fortiinsight.cloud","s everity":10,"status":"New","time":"2019-03-18T13:22:29.473715+00:00"} FortiSIEM 6.1.1 External Systems Configuration Guide 665 Fortinet Technologies Inc. Threat Intelligence Lastline The Lastline parser collects syslog log events in CEF format. l What is Discovered and Monitored l Event Types l Rules l Reports l Syslog l Sample Events What is Discovered and Monitored Protocol Syslog Information Discovered Device Type Metrics collected Used for Endpoint activity such as file download, email attachments, network connections. Security and Compliance Event Types In ADMIN > Device Support > Event, search for "Lastline" in the Name and Description columns to see the event types associated with this device. Rules There are no specific rules for Lastline, however rules that match the Event Type Groups associated with Lastline Events may trigger. Reports There are no specific Reports for Lastline, however reports that match the Event Type Groups associated with Lastline Events may return results. Syslog FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM on port 514 using CEF formatting. Sample Events Aug 13 14:48:37 fortisiem CEF:0|Lastline|Enterprise|7.10|appliance-status|Appliance Status|1|cat=Online cs1=SENSOR cs1Label=deviceType FortiSIEM 6.1.1 External Systems Configuration Guide 666 Fortinet Technologies Inc. Threat Intelligence cs2=https://example/portal#/appliances/config/status/76b80c7ac11a4d37bc6b29e66726b01d cs2Label=deviceStatusLink deviceExternalId=76b80c7ac11a4d37bc6b29e66726b01d dvc=10.31.61.152 dvchost=example.com end=Aug 13 2018 16:48:37 CEST rt=Aug 13 2018 16:48:37 CEST start=Aug 13 2018 16:48:37 CEST FortiSIEM 6.1.1 External Systems Configuration Guide 667 Fortinet Technologies Inc. Threat Intelligence ThreatConnect Protocol ThreatConnect API Information Collected Malware Domain, IP, URL and Hash Used For Detect threats for Security and Compliance Configuring ThreatConnect Create an API Key to be used for FortiSIEM communication. The details are here: https://kb.threatconnect.com/customer/en/portal/articles/2188549-creating-user-accounts 1. Log in to your ThreatConnect portal as an administrative user. 2. Go to My Profile > ORG Settings. 3. Click Create API User. These credentials will be created: l Access ID l Secret Key 4. Note the Organization Name. You will need it in a later step. 5. ThreatConnect contains many threat feeds. If you want to get specific threatfeeds, then you must know the threat feeds that are available for your account. You can see these feeds by navigating to Browse > Indicators > My ThreatConnect > Intelligent Sources. Configuring FortiSIEM to Download IOCs from ThreatConnect Use the Access ID and Secret Key that were created in the previous section to enable FortiSIEM access. FortiSIEM can provide the following IOCs from ThreatConnect: l Malware Domain l Malware IP l Malware URL l Malware Hash Follow these steps to set up Malware Domain downloads from ThreatConnect. 1. Login to FortiSIEM. 2. Go to RESOURCE > Malware Domain > ThreatConnect Malware Domain. 3. Click More > Update. Select Update via API. 4. Enter the following fields a. Set User Name to Access ID (Step 3a above). b. Set Password to Secret Key (Step 3b above). c. Set Data Format to STIX-TAXII. d. For Collection:, you have two choices: l To get all threatfeeds - enter All:<Organization Name> (Step 4 above), or FortiSIEM 6.1.1 External Systems Configuration Guide 668 Fortinet Technologies Inc. Threat Intelligence l To get specific threatfeeds, enter comma-separated values of threatfeeds (obtained from Step 6 above). e. Set Data Update = Incremental 5. Click Save. 6. Click Schedule to specify how often the threat feed will be updated. a. Choose Start time. b. Choose Recurrence pattern. c. Click Save. 7. Wait until the first scheduled download occurs. Then, navigate to RESOURCE > Malware Domain > ThreatConnect Malware Domain. Downloaded Malware domains will be displayed in the right-hand table. You can use this object in rules and reports to detect hits. Downloading Other IOCs The steps for configuring FortiSIEM to download other IOCs are identical, except for the following details: l Malware IP--Navigate to RESOURCE > Malware Domain > ThreatConnect Malware IP l Malware URL--Navigate to RESOURCE > Malware Domain > ThreatConnect Malware URL l Malware Hash--Navigate to RESOURCE > Malware Domain > ThreatConnect Malware Hash FortiSIEM 6.1.1 External Systems Configuration Guide 669 Fortinet Technologies Inc. Virtualization FortiSIEM supports these virtualization servers for discovery and monitoring. l HyperV l HyTrust CloudControl l VMware ESX FortiSIEM 6.1.1 External Systems Configuration Guide 670 Fortinet Technologies Inc. Hyper-V l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol Powershell over WMI Information discovered Metrics collected CPU, Memory, Network and Storage metrics both at Guest and Host level . Used for Performance Monitoring Event Types l PH_DEV_MON_HYPERV_OVERALL_HEALTH: HyperV Machine Health Summary [PH_DEV_MON_HYPERV_OVERALL_HEALTH]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[vmHealthCritCount]=0,[vmHealthOkCount]=10 l PH_DEV_MON_HYPERV_OVERALL_SYSINFO: HyperV System Information [PH_DEV_MON_HYPERV_OVERALL_SYSINFO]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[notificationCount]=10,[virtualProcessors]=52,[totalPages]=67290, [partitionCount]=6,[logicalProcessors]=16 l PH_DEV_MON_HYPERV_CPU_LOGICAL_PROC: HyperV Logical Processor Usage [PH_DEV_MON_HYPERV_CPU_LOGICAL_PROC]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[idleTimePct]=47.30,[guestRunTimePct]=50.88,[hypervisorRunTimePct]=1.97, [totalRunTimePct]=52.84,[cpuInterruptPerSec]=53390.62,[contextSwitchPerSec]=85516.44 l PH_DEV_MON_HYPERV_CPU_ROOT_VIRTUAL_PROC: HyperV Root Virtual Processor Usage [PH_DEV_MON_HYPERV_CPU_ROOT_VIRTUAL_PROC]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-HH2MFBPMHMR, [guestRunTimePct]=0.19,[hypervisorRunTimePct]=0.04,[totalRunTimePct]=0.23, [cpuInterruptPersec]=4588.63,[interceptCost]=1458 l PH_DEV_MON_HYPERV_CPU_GUEST_VIRTUAL_PROC: HyperV Guest Virtual Processor Usage [PH_DEV_MON_HYPERV_CPU_GUEST_VIRTUAL_PROC]:[hostIpAddr]=172.16.20.185, [hostName]=accelops-reporter-hyperv-4.3.1.1158,[vmName]=accelops-reporter-hyperv4.3.1.1158,[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-HH2MFBPMHMR, [guestRunTimePct]=1.06,[hypervisorRunTimePct]=0.70,[totalRunTimePct]=1.77, [cpuInterruptPersec]=6474.56,[interceptCost]=1086 l PH_DEV_MON_HYPERV_MEM_PARTITION: HyperV Memory Partition usage [PH_DEV_MON_HYPERV_MEM_PARTITION]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR, [1gGpaPages]=0,[2mGpaPages]=16385,[4kGpaPages]=9949,[depositedGpaPages]=20946 l PH_DEV_MON_HYPERV_MEM_PARTITION_PER_VM: HyperV per-VM Memory Partition usage FortiSIEM 6.1.1 External Systems Configuration Guide 671 Fortinet Technologies Inc. Virtualization [PH_DEV_MON_HYPERV_MEM_PARTITION_PER_VM]:[phyMachIpAddr]=172.16.20.180, [phyMachName]=WIN-HH2MFBPMHMR,[hostIpAddr]=172.16.20.182,[hostName]=accelops-va-hyperv4.3.1.1158,[vmName]=accelops-va-hyperv-4.3.1.1158,[1gGpaPages]=0,[2mGpaPages]=4096, [4kGpaPages]=2089,[depositedGpaPages]=5044 l PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION: HyperV Root Partition Total Memory Usage [PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[1gGpa]=0,[2mGpa]=32613,[4kGpa]=9760,[depositedGpa]=46344 l PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION_ROOT: HyperV Root Partition Root Memory Usage [PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION_ROOT]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[1gGpa]=0,[2mGpa]=32613,[4kGpa]=9760,[depositedGpa]=46344 l PH_DEV_MON_HYPERV_MEM_VID_PARTITION: HyperV VID Partition Memory Usage [PH_DEV_MON_HYPERV_MEM_VID_PARTITION]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[physicalPages]=8398888,[remotePages]=0 l PH_DEV_MON_HYPERV_MEM_VID_PARTITION_PER_VM: HyperV per-VM VID Partition Memory Usage [PH_DEV_MON_HYPERV_MEM_VID_PARTITION_PER_VM]:[phyMachIpAddr]=172.16.20.180, [phyMachName]=WIN-HH2MFBPMHMR,[hostIpAddr]=172.16.20.185,[hostName]=accelops-reporterhyperv-4.3.1.1158,[vmName]=accelops-reporter-hyperv-4.3.1.1158,[physicalPages]=1050632, [remotePages]=0 l PH_DEV_MON_HYPERV_MEM_OVERALL: HyperV Root Memory Usage [PH_DEV_MON_HYPERV_MEM_OVERALL]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR, [freeMemKB]=27519348,[pageFaultsPersec]=0 l PH_DEV_MON_HYPERV_NET_VIRTUAL_SWITCH: HyperV Virtual Switch Network Usage [PH_DEV_MON_HYPERV_NET_VIRTUAL_SWITCH]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[vSwitch]=broadcom bcm5709c netxtreme ii gige [ndis vbd client] _34 virtual switch,[recvBitsPerSec]=719403.45,[recvPktsPerSec]=323.03, [sentBitsPerSec]=3382443.50,[sentPktsPerSec]=283.90,[totalPktsPerSec]=323.03[PH_DEV_MON_ HYPERV_NET_VIRTUAL_SWITCH]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR, [vSwitch]=broadcom bcm5709c netxtreme ii gige [ndis vbd client] _34 - virtual switch, [recvBitsPerSec]=719403.45,[recvPktsPerSec]=323.03,[sentBitsPerSec]=3382443.50, [sentPktsPerSec]=283.90,[totalPktsPerSec]=323.03 l PH_DEV_MON_HYPERV_NET_VIRTUAL_ADAPTER: HyperV Virtual Switch Per Adapter Network Usage [PH_DEV_MON_HYPERV_NET_VIRTUAL_ADAPTER]:[phyMachIpAddr]=172.16.20.180,[phyMachName]=WINHH2MFBPMHMR,[hostIpAddr]=172.16.20.182,[hostName]=accelops-va-hyperv-4.3.1.1158, [vmName]=accelops-va-hyperv-4.3.1.1158,[intfName]=adapter_e1eb0a1f-1b36-48fe-be79fde20d335364--31575d2f-5085-45d3-905f-2f3e17342a81,[recvBitsPerSec]=64970.24, [recvPktsPerSec]=20.86,[sentBitsPerSec]=124741.68,[sentPktsPerSec]=42.61, [totalPktsPerSec]=20.86 l PH_DEV_MON_HYPERV_STORAGE_VIRTUAL_STORAGE: HyperV Virtual Storage Usage [PH_DEV_MON_HYPERV_STORAGE_VIRTUAL_STORAGE]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[diskName]=e:-hyperinstance-report431-virtual hard disks-accelops-reporter4.3.1.1158-disk2.vhdx,[diskErrors]=2,[diskFlushes]=1267221,[diskReadKBytesPerSec]=0.00, [diskReadReqPerSec]=0.00,[diskWriteKBytesPerSec]=0.00,[diskWriteReqPerSec]=0.00 l PH_DEV_MON_HYPERV_STORAGE_LOGICAL_DISK: HyperV Logical Disk Usage [PH_DEV_MON_HYPERV_STORAGE_LOGICAL_DISK]:[hostIpAddr]=172.16.20.180,[hostName]=WINHH2MFBPMHMR,[diskName]=e:,[ioReadLatency]=0,[ioWriteLatency]=14 FortiSIEM 6.1.1 External Systems Configuration Guide 672 Fortinet Technologies Inc. Virtualization Rules l HyperV Disk I/O Warning l HyperV Disk I/O Critical l HyperV Guest Critical l HyperV Guest Hypervisor Run Time Percent Warning l HyperV Logical Processor Total Run Time Percent Critical l HyperV Logical Processor Total Run Time Percent Warning l HyperV Page fault Critical l HyperV Page fault Warning l HyperV Remainining Guest Memory Warning Reports Look in RESOURCES > Reports > Device > Server > HyperV l HyperV Configuration and Health l Top HyperV Guests By Virtual Processor Run Time Pct l Top HyperV Guests by Large Page Size Usage l Top HyperV Guests by Remote Physical Page Usage l Top HyperV Root Partitions By Virtual Processor Run Time Pct l Top HyperV Root Partitions by Large Page Size Usage l Top HyperV Servers By Logical Processor Run Time Pct l Top HyperV Servers by Disk Activity l Top HyperV Servers by Disk Latency l Top HyperV Servers by Large Page Size Usage l Top HyperV Servers by Memory Remaining for Guests l Top HyperV Servers by Remote Physical Page Usage Configuration FortiSIEM needs WMI credentials to get the HyperV performance metrics. Configure this following the guidelines described in Microsoft Windows Server Configuration. Settings for Access Credentials Configure WMI on FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 673 Fortinet Technologies Inc. Virtualization HyTrust CloudControl l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration What is Discovered and Monitored Protocol Syslog (CEF format) Information Discovered - Data Collected Over 70 event types Used for Security and Compliance Event Types In RESOURCE > Event Types, Search for "HyTrust-". Sample Event Type: <172>Mar 22 03:32:36 htcc136.test.hytrust.com local5: CEF:0|HyTrust|HyTrust CloudControl|5.0.0.50821|ARC0031|TEMPLATE_OPERATION_ERRORED_ERR|6| rt=Mar 22 2017 03:32:36.196 UTC act=HostOperation dst=192.168.213.154 src=192.168.213.10 suser=ARC deviceExternalId=6u1b-esxi2.test.hytrust.com deviceFacility=HostSystem msg=Template operation VHG6.0 esxi-check-patch-version error on host 6u1b-esxi2.test.hytrust.com (192.168.213.154). privilege={} Rules There are no specific rules but generic rules for Security Manager and Generic Servers apply. Reports There are no specific reports but generic rules for Security Manager and Generic Servers apply. Configuration Configure HyTrust CloudControl to send syslog on port 514 to FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 674 Fortinet Technologies Inc. Virtualization VMware ESX l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol VMWare SDK VMWare SDK Information discovered Metrics collected ESX Server and the Guest hosts running on that server. ESX host clusters. Hardware (CPU, Memory, Disk, network Interface) for all guests, OS vendor and version for all guests. Virtual switch for connecting guest hosts to network interfaces. Both ESX level and guest host level performance metrics. Guest host level metrics include CPU/memory/disk utilization, CPU Run/Ready/Limited percent, memory swap in/out rate, free memory state, disk read/write rate/latency, network interface utilization, errors, bytes in/out. ESX level metrics include physical CPU utilization, ESX kernel disk read/writre latency etc ESX logs include scenarios like ESX level login sucess/failure, configuration change, Guest host movement, account creation and modification Used for Performance Monitoring Availability, Change and Security Monitoring Configuration FortiSIEM discovers and monitors VMware ESX servers and guests over the the VMware SDK. Make sure that VMware Tools is installed on all the guests in your ESX deployment, and FortiSIEM will be able to obtain their IP addresses. Settings for Access Credentials User with System View Credentials Make sure to provide a user with System View permissions who can access the entire vCenter hierarchy when setting up the access credentials for your VMware ESX device. See the VMware documentation on how to se tup a user with System View permissions. FortiSIEM 6.1.1 External Systems Configuration Guide 675 Fortinet Technologies Inc. Virtualization Settings for VMware ESX VMSDK Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol User Name Password Value <set name> VMware ESX Server VM SDK A user with System View permissions The password associated with the user FortiSIEM 6.1.1 External Systems Configuration Guide 676 Fortinet Technologies Inc. VPN Gateways FortiSIEM supports these VPN gateways for discovery and monitoring. l Cisco VPN 3000 Gateway l Cyxtera AppGuard l Juniper Networks SSL VPN Gateway l Microsoft PPTP VPN Gateway l Pulse Secure FortiSIEM 6.1.1 External Systems Configuration Guide 677 Fortinet Technologies Inc. Cisco VPN 3000 Gateway l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP Syslog Information Discovered Metrics Collected Used For Event Types In ADMIN > Device Support > Event, search for "cisco_vpn" in the Name and Device Type column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration SNMP 1. Log in to your device with administrative credentials. 2. Go to Configuration > System > Management Protocols > SNMP Communities. 3. Click Add. 4. For Community String, enter public. Syslog 1. Go to Configuration > System > Events > Syslog Servers. 2. Click Add. 3. Enter the IP address of your FortiSIEM virtual appliance for Syslog Server. 4. Add a syslog server with FortiSIEM IP Address FortiSIEM 6.1.1 External Systems Configuration Guide 678 Fortinet Technologies Inc. VPN Gateways Sample Parsed Cisco VPN 3000 Syslog Messages <189>18174 01/07/1999 20:25:27.210 SEV=5 AUTH/31 RPT=14 User [ admin ] Protocol [ Telnet ] attempted ADMIN logon. Status: <REFUSED> authentication failure Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Cisco VPN 3K See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 679 Fortinet Technologies Inc. VPN Gateways Cyxtera AppGate Software Defined Perimeter (SDP) l Integration points l Configuring Cyxtera AppGate Software l Parsing and Events Integration points Protocol Syslog Information Discovered Access Control log Used For Security and Compliance Configuring Cyxtera AppGate Software Follow Cyxtera AppGate SDP documentation to send syslog to FortiSIEM. Configuring FortiSIEM FortiSIEM automatically recognizes Cyxtera AppGate syslog, so long as it follows the following format as shown in the sampel syslog: "id":"a51e7e7d-ab5f-444c-b7f8-ca72e4bb940b","timestamp":"2018-1009T10:23:43.992Z","event_type":"ip_access","version":8,"distinguished_ name":"CN=0f1a40d612f741228d7cb73a4308bea8,CN=abc,OU=ACME","entitlement_token_ id":"78174080-a34","action":"allow","direction":"down","client_ip":"1.1.1.1","client_ port":1392,"packet_size":40,"protocol":"TCP","source_ip":"10.1.1.1","destination_ ip":"10.1.1.1","source_port":56100,"destination_port":59721,"connection_ type":"established","rule_name":"rule1" Parsing and Events Over 70 events are parsed see event Types in Resources > Event Types and search for 'Cyxtera-AppGate-SDP'. FortiSIEM 6.1.1 External Systems Configuration Guide 680 Fortinet Technologies Inc. VPN Gateways Juniper Networks SSL VPN Gateway l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP Syslog Information Discovered Metrics Collected Used For Event Types In ADMIN > Device Support > Event, search for "junos_dynamic_vpn" in the Name column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration SNMP 1. Log into your device with administrative credentials. 2. Go to System > Log/Monitoring > SNMP. 3. Under Agent Properties, enter public for Community. Syslog VPN Access Syslog 1. Go to System > Log/Monitoring > User Access > Settings. 2. Under Select Events to Log, select Login/logout, User Settings, and Network Connect. 3. Under Syslog Servers, enter the IP address of your FortiSIEM virtual appliance, and set the Facility to LOCAL0. 4. Click Save Changes. FortiSIEM 6.1.1 External Systems Configuration Guide 681 Fortinet Technologies Inc. VPN Gateways Admin Access Syslog 1. Go to System > Log/Monitoring > Admin Access > Settings. 2. Under Select Events to Log, select Administrator changes, License Changes, and Administrator logins. 3. Under Syslog Servers, enter the IP address of your FortiSIEM virtual appliance, and set the Facility to LOCAL0. 4. Click Save Changes. Sample Parsed Juniper Networks SSL VPN Syslog Messages <134>Juniper: 2008-10-28 04:34:53 - ive - [192.168.20.82] admin(Users)[] - Login failed using auth server SteelBelted (Radius Server). Reason: Failed <134>Juniper: 2008-10-28 03:12:03 - ive - [192.168.20.82] wenyong(Users)[Users] - Login succeeded for wenyong/Users from 192.168.20.82. <134>Juniper: 2008-10-28 03:55:20 - ive - [192.168.20.82] wenyong(Users)[Users] - Network Connect: Session ended for user with IP 172.16.3.240 <134>Juniper: 2008-10-28 03:05:25 - ive - [172.16.3.150] admin(Admin Users)[] - Primary authentication successful for admin/Administrators from 172.16.3.150 <134>Juniper: 2008-10-28 05:33:02 - ive - [172.16.3.150] admin(Admin Users)[] - Primary authentication failed for admin/Administrators from 172.16.3.150 Settings for Access Credentials SNMP Access Credentials for All Devices Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> FortiSIEM 6.1.1 External Systems Configuration Guide 682 Fortinet Technologies Inc. VPN Gateways Microsoft PPTP VPN Gateway Configuring Microsoft PPTP Windows 2003 Server 1. Logon with administrative rights 2. Configure PPTP VPN a. Go to Start | All Programs | Administrative Tools | Configure Your Server Wizard, select the Remote Access/VPN Server role. The click the next button which runs the the Routing and Remote Access Wizard. b. On the Routing and Remote Access wizard, follow the following steps: i. Select "Virtual Private Network (VPN) and NAT" and click Next ii. Select the network interface for use by VPN connection and click Next. iii. Specify the network that VPN clients should connect to in order to access resources and click Next. iv. Select VPN IP Address assignment methodology (DHCP/VPN pool) and click Next. v. Specify VPN pool if VPN pool was chosen in step d and click Next. vi. Identify the network that has shared access to the Internet and click Next. vii. Select if an external RADIUS server is to be used for central authentication and click Next c. Give users VPN access rights. Open the properties page for a user, select that user's Dial-In properties page and select "Allow access" under Remote Access Permissions. 3. Configure Server Logging - Enable authentication and accounting logging from the Settings tab on the properties of the Local File object in the Remote Access Logging folder in the Routing and Remote Access snap-in. The authentication and accounting information is stored in a configurable log file or files stored in the SystemRoot\System32\LogFiles folder. The log files are saved in Internet Authentication Service (IAS) or database-compatible format, meaning that any database program can read the log file directly for analysis. 4. Configure Snare agent to send logs to FortiSIEM. Sample syslog messages <13>Apr 1 09:28:03 dev-v-win03-vc MSPPTPLog 0 192.168.24.11,administrator,04/01/2009,09:28:00,RAS,DEV-V-WIN03VC,44,29,4,192.168.24.11,6,2,7,1,5,129,61,5,64,1,65,1,31,192.168.20.38,66,192.168.20.38,4108 ,192.168.24.11,4147,311,4148,MSRASV5.20,4155,1,4154,Use Windows authentication for all users,4129,DEV-V-WIN03-VC\administrator,4130,DEV-V-WIN03-VC\administrator,4127,4,25,311 1 192.168.24.11 04/01/2009 16:12:12 3,4149,Connections to Microsoft Routing and Remote Access server,4136,1,4142,0 FortiSIEM 6.1.1 External Systems Configuration Guide 683 Fortinet Technologies Inc. VPN Gateways Pulse Secure l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected Used For Security and Performance alerts Security and performance monitoring Event Types In ADMIN > Device Support > Event, search for "PulseSecure" to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration Syslog Sample PulseSecure Syslog Messages <134> 2015-12-18T06:30:29-08:00 PulseSecure: 2015-12-18 06:30:29 - XXX-A1234-VPNSSL01 [1.1.1.1] admin(company1 Realm)[some title] - Host Checker policy 'VMS_Host_Checker_Policy' passed on host '1.1.1.1' address '' for user 'admin'. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Value <set name> Pulse Secure Pulse Connect FortiSIEM 6.1.1 External Systems Configuration Guide 684 Fortinet Technologies Inc. VPN Gateways Setting Access Protocol Port Password config Value See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 685 Fortinet Technologies Inc. Vulnerability Scanners FortiSIEM supports these vulnerability scanners for discovery and monitoring. l AlertLogic l Green League WVSS l McAfee Foundstone Vulnerability Scanner l Qualys QualysGuard Scanner l Qualys Vulnerability Scanner l Rapid7 NeXpose Vulnerability Scanner l Rapid7 InsightVM l Tenable.io l Tenable Nessus Vulnerability Scanner l Tenable Security Center l XYLink Vulnerability Scanner FortiSIEM 6.1.1 External Systems Configuration Guide 686 Fortinet Technologies Inc. AlertLogic Intrusion Detection and Prevention Systems (IPS) l Integration points l Configuring AlertLogic for FortiSIEM API Access l Configuring FortiSIEM for AlertLogic API Access Integration points Protocol AlertLogic V3 API Information Discovered Security Alerts created by AlertLogic Used For Security and Compliance Configuring AlertLogic for FortiSIEM API Access Contact AlertLogic for API access key. This must be entered in FortiSIEM in the next step. Configuring FortiSIEM for AlertLogic API Access 1. Logon to FortiSIEM 2. Go to ADMIN > Setup > Credential. 3. Click New to create AlertLogic API credential: For Access Protocol = AlertLogic API V3 Setting Name Device Type Access Protocol Pull Interval Password config API Key Organization Value <set name> Alert Logic IPS AlertLogic API V3 5 minutes See Password Configuration The API Key for device access is provided by AlertLogic Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers For Access Protocol = AlertLogic IPS FortiSIEM 6.1.1 External Systems Configuration Guide 687 Fortinet Technologies Inc. Vulnerability Scanners Settings Description Name Device Type Access Protocol Pull Interval Access Key ID Secret Key Organization Description Enter a name for the credential Alert Logic IPS Alert Logic IPS The interval in which FortiSIEM will pull events from Alert Logic. Default is 5 minutes. Access key for your Alert Logic instance. Secret key for your Alert Logic instance The organization the device belongs to. Description of the device. 4. Enter an IP Range to Credential Association. a. Set Hostname to alertlogic.com b. Select the Credential created in step 3 above. c. Click Save. 5. Select the entry in step 4 and click Test > Test Connectivity. If it succeeds, then the credential is correct. 6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from AlertLogic Cloud service using the AlertLogic V3 API. To test for events received from AlertLogic: 1. Go to ADMIN > Setup > Pull Events. 2. Select the Windows Defender ATP entry and click Report. The system will take you to the ANALYTICS tab and run a query to display the events received from AlertLogic in the last 15 minutes. You can modify the time interval to get more events. FortiSIEM 6.1.1 External Systems Configuration Guide 688 Fortinet Technologies Inc. Vulnerability Scanners Green League WVSS Configuration in FortiSIEM Complete these steps in the FortiSIEM UI: 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box: Settings Description Name Device Type Access Protocol Pull Interval Domain User Name Password Description Enter a name for the credential. Green League WVSS WVSS API 60 minutes Domain name User name for device access Password for device access Description of the device 3. In Step 2: Enter IP Range to Credential Associations: a. Select the name of your credential from the Credentials drop-down list. b. Enter a host name, an IP, or an IP range in the IP/Host Name field. c. Click Save. 4. Click Test to test the connection to Green League WVSS. 5. To see the jobs associated with Green League, select ADMIN > Pull Events. 6. To see the received events select ANALYTICS, then enter Green League in the search box. FortiSIEM 6.1.1 External Systems Configuration Guide 689 Fortinet Technologies Inc. Vulnerability Scanners McAfee Foundstone Vulnerability Scanner l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol JDBC (SQL Server) Metrics collected Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulerability CVE Id, Vulnerability Score, Vulnerability Consequence Used for Security Monitoring Event Types In ADMIN > Device Support > Event, search for "foundstone" in the Description column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined rules for this device. Configuration JDBC FortiSIEM connects to the faultline database in the McAfee vulnerability scanner to collect metrics. This is a SQL Server database, so you must have set up access credentials for the database over JDBC to set up access credentials in FortiSIEM and initiate discovery. Settings for Access Credentials Settings for McAfee Foundstone Vulnerability Scanner JDBC Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. FortiSIEM 6.1.1 External Systems Configuration Guide 690 Fortinet Technologies Inc. Vulnerability Scanners Setting Name Device Type Access Protocol Used for Pull Interval (minutes) Port Database name User Name Password Value mcafee_jdbc Microsoft SQL Server JDBC McAfee VulnMgr 5 1433 faultline A user with access to the faultline database over JDBC The password associated with the user FortiSIEM 6.1.1 External Systems Configuration Guide 691 Fortinet Technologies Inc. Vulnerability Scanners Qualys QualysGuard Scanner Configuration in FortiSIEM Complete these steps in the FortiSIEM UI: 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box: Settings Description Name Device Type Access Protocol Pull Interval Port User Name Password Description Enter a name for the credential. Qualys QualysGuard Scanner Qualys API 60 minutes 443 A user who has access to the vulnerability scanner over the API. Password associated with the user Description about the device 3. In Step 2, Enter IP Range to Credential Associations: a. Select the name of your credential from the Credentials drop-down list. b. Enter a host name, an IP, or an IP range in the IP/Host Name field. c. Click Save. 4. Click Test to test the connection to Qualys QualysGuard Scanner. 5. To see the jobs associated with Qualys, select ADMIN > Pull Events. 6. To see the received events select ANALYTICS, then enter Qualys in the search box. FortiSIEM 6.1.1 External Systems Configuration Guide 692 Fortinet Technologies Inc. Vulnerability Scanners Qualys Vulnerability Scanner l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol Qualys API Metrics collected Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulerability CVE Id and Bugtraq Id, Vulnerability Consequence Used for Security Monitoring Event Types In ADMIN > Device Support > Event, search for "qualys" in the Device Type column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports In RESOURCE > Reports , search for "qualys" in the Description column to see the reports associated with this device. Configuration Qualys API Create a user name and password that FortiSIEM can use as access credentials for the API. You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. . For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Use Host Name for IP Range in Access Credentials Enter the host name for your Qualys service rather than an IP address when associating your access credentials to an IP range. Settings for Qualys Vulnerability Scanner API Access Credentials FortiSIEM 6.1.1 External Systems Configuration Guide 693 Fortinet Technologies Inc. Vulnerability Scanners Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Pull Interval (minutes) Port User Name Password Value qualys Qualys QualysGuard Scanner Qualys API 5 443 A user who has access to the vulnerability scanner over the API The password associated with the user FortiSIEM 6.1.1 External Systems Configuration Guide 694 Fortinet Technologies Inc. Vulnerability Scanners Rapid7 NeXpose Vulnerability Scanner l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol Rapid7 Nexpose API Metrics collected Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence Used for Security Monitoring Event Types In ADMIN > Device Support > Event, search for "rapid7" in the Description and Device Type columns to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration Rapid7 NeXpose API 1. Log into the device manger for your vulnerability scanner with administrative credentials. 2. Go to Administration > General > User Configuration, and create a user that FortiSIEM can use to access the device. 3. Go to Reports > General > Report Configuration. 4. Create a report with the Report Format set to Simple XML Report Version 1.0 or NeXpose XML Report Version 2.0. FortiSIEM can pull reports only in these formats. Settings for Access Credentials Settings for Rapid7 Nexpose API Access Credentials FortiSIEM 6.1.1 External Systems Configuration Guide 695 Fortinet Technologies Inc. Vulnerability Scanners Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Pull Interval (minutes) Port User Name Password Value <set name> Rapid7 NeXpose Security Scanner Rapid7 NeXpose API 60 3780 A user who can access the device over the API The password associated with the user FortiSIEM 6.1.1 External Systems Configuration Guide 696 Fortinet Technologies Inc. Vulnerability Scanners Rapid7 InsightVM Integration l Integration points l Rapid7 InsightVM API Integration Integration points Protocol InsightVM API Information Collected Vulnerability scan data Used For Security and Compliance Rapid7 InsightVM API Integration FortiSIEM can pull vulnerability scan data from Rapid7 InsightVM Server via InsightVM API. InsightVM scan data contains vulnerabilities found on a host. Each host vulnerability is converted into a separate FortiSIEM event with event type Rapid7-InsightVM-Vuln-Detected. Configuring Rapid7 InsightVM Server Create an account to be used for FortiSIEM communication. Configuring FortiSIEM Use the account in previous step to enable FortiSIEM access: 1. Login to FortiSIEM. 2. Go to Admin > Setup > Credential. 3. Click New to create a Rapid7 InsightVM credential. a. Choose Device Type = Rapid7 InsightVM (Vendor = Rapid7, Model = InsightVM). b. Choose Access Protocol = InsightVM API. c. Choose Pull Interval = 5 minutes. d. Choose HTTPS Port (default 3780). e. Choose User name and Password for the account created while Configuring Rapid7 InsightVM Server. f. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers. g. Click Save. 4. Enter an IP Range to Credential Association: a. Set IP to the IP address of the Rapid7 InsightVM Server. b. Select the Credential created in step 3 c. Click Save. FortiSIEM 6.1.1 External Systems Configuration Guide 697 Fortinet Technologies Inc. Vulnerability Scanners 5. Perform Test Connectivity to make sure that the credential works correctly. 6. Discover the Rapid7 InsightVM Server using the IP address used in Step 4. Make sure Discover succeeds. 7. An entry will be created in Admin > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Rapid7 InsightVM Server using the InsightVM REST API. To test for received InsightVM Vulnerability events: 1. Go to Admin > Setup > Pull Events 2. Select the InsightVM entry and click Report. The system will take you to the Analytics tab and run a query to display the events received from InsightVM Server in the last 15 minutes. You can modify the time interval to get more events. FortiSIEM 6.1.1 External Systems Configuration Guide 698 Fortinet Technologies Inc. Vulnerability Scanners Tenable.io l Integration points l Tenable.io API Integration Integration points Protocol Tenable.io API Information collected Vulnerability scan data Used for Security and Compliance Tenable.io API Integration FortiSIEM can pull vulnerability scan data from Tenable.io Cloud Service via Tenable.io API. Tenable.io scan data contains vulnerabilities found on a host. Each host vulnerability is converted into a separate FortiSIEM event with event type TenableIO-Vuln-Detected. Configuring Tenable.io Cloud Service Create an API Key to be used for FortiSIEM communication. 1. Login to your Tenable.io portal using your account. 2. Create API Key for use in FortiSIEM: a. For administrative user. b. Click Settings > User. c. In User table, click the name of the User you want to edit. d. Click the API Keys tab in the generate and click Generate. e. Click Save. 3. For regular user: a. Click My Account. b. Click the API Keys tab in the generate and click Generate. c. Click Save. Configuring FortiSIEM Use the API Key and Secret in previous step to enable FortiSIEM access. 1. Login to FortiSIEM. 2. Go to ADMIN > Setup > Credential. 3. Click New to create a Tenable.io credential: a. Choose Device Type = Tenable.io Tenable (Vendor = Tenable, Model = Tenable.io). b. Choose Access Protocol = TenableIO API. c. Choose Pull Interval = 5 minutes. FortiSIEM 6.1.1 External Systems Configuration Guide 699 Fortinet Technologies Inc. Vulnerability Scanners d. Choose Account, Access Key and Secret Key obtained from Tenable.io portal (see Configuring Tenable.io Cloud Service) e. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers f. Click Save. 4. Enter an IP range to Credential Association: a. Set Hostname = cloud.tenable.com b. Select the credential created in step 3. c. Click Save. 5. Select the entry in step 4 and click Test Connectivity. 6. After Test Connectivity succeeds, an entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Tenable.io portal using the API. To test for received Tenable.io events: 1. Go to ADMIN > Setup > Pull Events. 2. Select the Tenable.io entry and click Report. The system will take you to the Analytics tab and run a query to display the events received from Tenable.io in the last 15 minutes. You can modify the time interval to get more events. FortiSIEM 6.1.1 External Systems Configuration Guide 700 Fortinet Technologies Inc. Vulnerability Scanners Tenable Nessus Vulnerability Scanner l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol Nessus API Metrics collected Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence Used for Security Monitoring Event Types In ADMIN > Device Support > Event, search for "nessus" in the Description and Device Type column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports In RESOURCE > Reports , search for "nessus" in the Description column to see the reports associated with this device. Configuration To configure a Tenable Nessus Security Scanner, take the following steps: 1. Deploy a Nessus server (5, 6, 7, or 8). 2. Generate an API key. For Nessus 7 or Nessus 8, obtain the Access Key and Secret Key. Note: If using Nessus (5) or Nessus 6, create a username and password that FortiSIEM can use to access the API and make sure the user has permissions to view the scan report files on the Nessus device. You can check if your user has the right permissions by running a scan report as that user. 3. Add a target device IP that will be scanned. 4. Login to the FortiSIEM GUI. 5. Navigate to CMDB > Devices. 6. Add the target device IP to CMDB > Devices in FortiSIEM. 7. Navigate to ADMIN > Setup, and click the Credentials tab. 8. In Step 1: Enter Credentials, click New: FortiSIEM 6.1.1 External Systems Configuration Guide 701 Fortinet Technologies Inc. Vulnerability Scanners a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these Nessus credential settings in the Access Method Definition dialog box and click Save: Setting Name Device Type Access Protocol Pull Interval (minutes) Port User Name (for Nessus and 6) Password (for Nessus and 6) Access Key (for Nessus7 and 8) Secret Key (for Nessus7 and 8) Value <set name> Choose the appropriate device type: -Tenable Nessus Security Scanner -Tenable Nessus6 Security Scanner -Tenable Nessus7 Security Scanner -Tenable Nessus8 Security Scanner The access protocol will auto populate based off the device type selected: -Nessus API -Nessus6 API -Nessus7 API -Nessus8 API 5 (default 60 minutes) 8834 A user who has permission to access the device over the API The password associated with the user Obtain the Access Key from Nessus Obtain the Secret Key from Nessus 9. In Step 2: Enter IP Range to Credential Associations, click New. a. Select the credential you created earlier from the Credentials drop-down list. b. In the IP/Host Name field, enter the IP/IP Range or Host Name. c. Click Save. 10. Select the new mapping and click the Test drop-down list and select Test Connectivity without Ping to start the polling. 11. Navigate to ADMIN > Setup > Pull Events. The yellow star besides the Nessus pull job should turn the color green. 12. Scan the target device IP in the Nessus server, and export the scan report. 13. Navigate to ANALYTICS in FortiSIEM, and query the Nessus events with the condition Event Type = Nessus- Vuln-Detected. 14. Compare the events in the FortiSIEM with the scan report exported from the Nessus server. Note that the severity matching rule between Nessus8 and AO Event are as follows: FortiSIEM 6.1.1 External Systems Configuration Guide 702 Fortinet Technologies Inc. Vulnerability Scanners Nessus Status Critical High Medium Low None FortiSIEM Event Severity Number Event Severity 10 Event Severity 9 Event Severity 6 Event Severity 2 Event Severity 3 If Vulnerability CVE ID in FortiSIEM events is not NULL, the target device IP will be added to INCIDENTS > Risk in FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 703 Fortinet Technologies Inc. Vulnerability Scanners Tenable Security Center l Integration points l Tenable.sc (Security Center) API Integration l Sample Events Integration points Protocol Tenable.sc API Information collected Vulnerability scan data Used for Security and Compliance Tenable.sc (Security Center) API Integration FortiSIEM can pull vulnerability scan data via the Tenable.sc API. Tenable.sc scan data contains vulnerabilities found on a host. Each host vulnerability is converted into a separate FortiSIEM event with event type TenableSC-Vuln-Detected. l Configuring Tenable.sc for FortiSIEM l Configuring FortiSIEM Configuring Tenable.sc for FortiSIEM Except for setting your Tenable account user name and password, no special configuration is needed for Tenable.sc. Configuring FortiSIEM Use the API Key and Secret in previous step to enable FortiSIEM access. 1. Login to FortiSIEM. 2. Go to ADMIN > Setup > Credential. 3. Click New to create a Tenable.sc credential: a. Enter a Name for the credential. b. Choose Device Type = Tenable Tenable Security Center (Vendor = Tenable, Model = Security Center). c. Choose Access Protocol = Tenable.sc API. d. Choose Pull Interval = 60 minutes. e. Enter the User Name for the account. f. Enter the Password for the account. g. Click Save. 4. Enter an IP range to Credential Association: a. Enter the host's IP or Hostname. b. Select the credential created in Step 3 from the drop-down list. c. Click Save. 5. Select the entry in step 4 and click Test Connectivity. FortiSIEM 6.1.1 External Systems Configuration Guide 704 Fortinet Technologies Inc. Vulnerability Scanners 6. After Test Connectivity succeeds, an entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Tenable Security Center using the API. To test for received Tenable.sc events: 1. Go to ADMIN > Setup > Pull Events. 2. Select the Tenable.sc entry and click Report. The system will take you to the Analytics tab and run a query to display the events received from Tenable.sc in the last 15 minutes. You can modify the time interval to get more events. Sample Events [TenableSc-Vuln-Detected]:[serverIp]=10.10.10.79,[serverName]=sc.tenalab.online, [scanName]=tensc_job1__ordr_1580449845796,[endTime]=1580538767,[policyName]=6e8a5582076f-5798-b0c3-5384b8854cad-501013/Advanced Scan (Vulnerability),[osName]=linux, [hostMACAddr]=00:16:3E:5D:7A:71,[osVersion]=Linux Kernel 2.6,[hostName]=targetcent7.lxd,[hostIpAddr]=10.238.64.9,[startTime]=1580538643,[appPort]=22, [appTransportProto]=tcp,[eventSeverity]=1,[nessusPluginId]=70658,[nessusPluginName]=SSH Server CBC Mode Ciphers Enabled,[categoryType]=Misc.,[vulnCVEId]=CVE-2008-5161, [vulnCvssBaseScore]=2.6,[vulnCvssBaseTemporal]=1.9,[cweId]=200,[vulnDesc]=The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.,[fileName]=ssh_cbc_supported_ciphers.nasl,[vulnType]=remote, [threatLevel]=Low,[vulnSolution]=Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption., [vulnCVESummary]=The SSH server is configured to use Cipher Block Chaining., [nessusPluginOutput]= The following client-to-server Cipher Block Chaining (CBC) algorithms are supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc The following server-to-client Cipher Block Chaining (CBC) algorithms are supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc [TenableSc-Vuln-Detected]:[serverIp]=52.170.35.79,[serverName]=sc.tenalab.online, [scanName]=tensc_job1__ordr_1580449845796,[endTime]=1580538767,[policyName]=6e8a5582076f-5798-b0c3-5384b8854cad-501013/Advanced Scan (Vulnerability),[osName]=linux, [hostMACAddr]=00:16:3E:5D:7A:71,[osVersion]=Linux Kernel 2.6,[hostName]=targetcent7.lxd,[hostIpAddr]=10.238.64.9,[startTime]=1580538643,[appPort]=0, [appTransportProto]=tcp,[eventSeverity]=0,[nessusPluginId]=35081,[nessusPluginName]=Xen Guest Detection,[categoryType]=Misc.,[vulnDesc]=According to the MAC address of its network adapter, the remote host is a Xen virtual machine.,[fileName]=xen_detect.nasl, [vulnType]=combined,[threatLevel]=None,[vulnSolution]=Ensure that the host's configuration is in agreement with your organization's security policy., [vulnCVESummary]=The remote host is a Xen virtual machine. FortiSIEM 6.1.1 External Systems Configuration Guide 705 Fortinet Technologies Inc. Vulnerability Scanners YXLink Vuln Scanner Configuration in FortiSIEM Complete these steps in the FortiSIEM UI: 1. Go to the ADMIN > Setup > Credentials tab. 2. In Step 1: Enter Credentials: a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential. b. Enter these settings in the Access Method Definition dialog box: Settings Description Name Device Type Access Protocol Pull Interval Port Domain Description Enter a name for the credential. YXLink Vuln Scanner YX API 60 minutes 0 Domain name Description about the device 3. In Step 2: Enter IP Range to Credential Associations, click New. a. Enter a host name, an IP, or an IP range in the IP/Host Name field. b. Select the name of your credential from the Credentials drop-down list. c. Click Save. 4. Click the Test drop-down list and select Test Connectivity to test the connection to YXLink Vulnerability Scanner. 5. To see the jobs associated with YXLink, select ADMIN > Setup > Pull Events. 6. To see the received events select ANALYTICS, then enter "YXLink" in the search box. FortiSIEM 6.1.1 External Systems Configuration Guide 706 Fortinet Technologies Inc. WAN Accelerators FortiSIEM supports these wide area network accelerators for discovery and monitoring. l Cisco Wide Area Application Server l Riverbed SteelHead WAN Accelerator FortiSIEM 6.1.1 External Systems Configuration Guide 707 Fortinet Technologies Inc. Cisco Wide Area Application Server l What is Discovered and Monitored on page 708 l Event Types l Rules l Reports l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP Information Discovered Host name, Software version, Hardware model, Network interfaces Metrics collected Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Disk space utilization, Process cpu/memory utilization Used for Availability and Performance Monitoring Event Types Regular monitoring events l PH_DEV_MON_SYS_UPTIME [PH_DEV_MON_SYS_UPTIME]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=1053,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5,[sysUpTime]=13256948, [sysUpTimePct]=100.000000,[sysDownTime]=0,[pollIntv]=56,[phLogDetail]= l PH_DEV_MON_SYS_CPU_UTIL [PH_DEV_MON_SYS_UPTIME]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=1053,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5,[sysUpTime]=13256948, [sysUpTimePct]=100.000000,[sysDownTime]=0,[pollIntv]=56,[phLogDetail]= l PH_DEV_MON_SYS_MEM_UTIL [PH_DEV_MON_SYS_MEM_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=9822,[memName]=Physical Memory,[hostName]=edge.bank.com, [hostIpAddr]=10.19.1.5,[memUtil]=93.438328,[pollIntv]=176,[phLogDetail]= l PH_DEV_MON_SYS_DISK_UTIL [PH_DEV_MON_SYS_DISK_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=9902,[diskName]=/swstore,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5, [appTransportProto]=SNMP (hrStorage),[diskUtil]=56.931633,[totalDiskMB]=992, [usedDiskMB]=565,[freeDiskMB]=427,[pollIntv]=176,[phLogDetail]= l PH_DEV_MON_SYS_PROC_COUNT FortiSIEM 6.1.1 External Systems Configuration Guide 708 Fortinet Technologies Inc. WAN Accelerators [PH_DEV_MON_SYS_PROC_COUNT]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=11710,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5,[procCount]=429, [pollIntv]=176,[phLogDetail]= l PH_DEV_MON_NET_INTF_UTIL [PH_DEV_MON_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phIntfFilter.cpp, [lineNumber]=323,[intfName]=GigabitEthernet 1/0,[intfAlias]=,[hostName]=edge.bank.com, [hostIpAddr]=10.19.1.5,[pollIntv]=56,[recvBytes64]=0,[recvBitsPerSec]=0.000000, [inIntfUtil]=0.000000,[sentBytes64]=0,[sentBitsPerSec]=0.000000,[outIntfUtil]=0.000000, [recvPkts64]=0,[sentPkts64]=0,[inIntfPktErr]=0,[inIntfPktErrPct]=0.000000, [outIntfPktErr]=0,[outIntfPktErrPct]=0.000000,[inIntfPktDiscarded]=0, [inIntfPktDiscardedPct]=0.000000,[outIntfPktDiscarded]=0, [outIntfPktDiscardedPct]=0.000000,[outQLen64]=0,[intfInSpeed64]=100000000, [intfOutSpeed64]=100000000,[intfAdminStatus]=,[intfOperStatus]=,[daysSinceLastUse]=0, [totIntfPktErr]=0,[totBitsPerSec]=0.000000,[phLogDetail]= l PH_DEV_MON_PROC_RESOURCE_UTIL [PH_DEV_MON_PROC_RESOURCE_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp, [lineNumber]=4320,[swProcName]=syslogd,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5, [procOwner]=,[memUtil]=0.038191,[cpuUtil]=0.000000,[appName]=Syslog Server, [appGroupName]=Unix Syslog Server,[pollIntv]=116,[swParam]=-s -f /etc/syslog.confdiamond,[phLogDetail]= Rules Regular monitoring rules Reports Regular monitoring reports Configuration FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Value <set name> Cisco WAAS See Access Credentials See Access Credentials FortiSIEM 6.1.1 External Systems Configuration Guide 709 Fortinet Technologies Inc. WAN Accelerators Setting Password config Value See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 710 Fortinet Technologies Inc. WAN Accelerators Riverbed SteelHead WAN Accelerator l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP SNMP Information Discovered Host name, Software version, Hardware model, Network interfaces SNMP SNMP Trap Metrics collected Used for Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Disk space utilization, Process cpu/memory utilization Availability and Performance Monitoring Hardware status Availability and Performance Monitoring Bandwidth metrics: Inbound Optimized Bytes - LAN side, WAN side, Outbound optimized bytes - LAN side and WAN side Connection metrics: Optimized connections, Passthrough connections, Half-open optimized connections, Half-closed Optimized connections, Established optimized connections, Active optimized connections Top Usage metrics: Top source (Source IP, Total Bytes), Top destination (Destination IP, Total Bytes), Top Application (TCP/UDP port, Total Bytes), Top Talker (Source IP, Source Port, Destination IP, Destination Port, Total Bytes) Peer status: For every peer: State, Connection failures, Request timeouts, Max latency Availability and Performance Monitoring All traps: software errors, hardware errors, admin login, performance issues - cpu, memory, peer latency issues. About 115 traps defined in ADMIN > Device Support > Event. The mapped event types start with "Riverbed-". Availability, Security and Compliance Event Types In ADMIN > Device Support > Event, search for "steelhead" in the Description and Device Type columns to see the event types associated with this device. FortiSIEM 6.1.1 External Systems Configuration Guide 711 Fortinet Technologies Inc. WAN Accelerators Rules In RESOURCE > Rules, search for "steelhead" in the Name column to see the rules associated with this device. Reports There are no predefined reports for this device. Configuration SNMP FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. SNMP Trap FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send send SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Riverbed Steelhead See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 712 Fortinet Technologies Inc. Wireless LANs FortiSIEM supports these wireless local area network devices for discovery and monitoring. l Aruba Networks Wireless LAN l Cisco Wireless LAN l CradlePoint l FortiAP l FortiWLC l Motorola WiNG WLAN AP l Ruckus Wireless LAN FortiSIEM 6.1.1 External Systems Configuration Guide 713 Fortinet Technologies Inc. Aruba Networks Wireless LAN l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored FortiSIEM uses SNMP and NMAP to discover the device and to collect logs and performance metrics. FortiSIEM communicates to the WLAN Controller only and discovers all information from the Controller. FortiSIEM does not communicate to the WLAN Access points directly. Protocol Information Discovered SNMP Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points SNMP Trap Controller device type Metrics collected Controller Uptime, Controller Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Radio interface performance metrics All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health Used for Availability and Performance Monitoring Availability, Security and Compliance Event Types In ADMIN > Device Support > Event, search for "aruba" in the Description and Device Type columns to see the event types associated with this device. Rules There are no predefined rules for this device. Reports In RESOURCE > Reports , search for "aruba" in the Name column to see the reports associated with this device. FortiSIEM 6.1.1 External Systems Configuration Guide 714 Fortinet Technologies Inc. Wireless LANs Configuration SNMP V1/V2c 1. Log in to your Aruba wireless controller with administrative privileges. 2. Go to Configuration > Management > SNMP. 3. For Read Community String, enter public. 4. Select Enable Trap Generation. 5. Next to Read Community String, click Add. 6. Under Trap Receivers, click Add and enter the IP address of your FortiSIEM virtual appliance. Sample Aruba Networks Wireless LAN Controller SNMP Trap Messages 2008-06-11 11:38:34 192.168.20.7 [192.168.20.7]:SNMPv2-MIB::sysUpTime.0 = Timeticks: (1355400) 3:45:54.00 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2SMI::enterprises.14823.2.2.1.1.100.1003 SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.60 = Hex-STRING: 07 D8 06 0B 13 2E 39 00 2D 07 00 SNMPv2SMI::enterprises.14823.2.2.1.1.2.1.1.2.192.168.180.1 = Hex-STRING: 00 1E 52 72 AF 4B Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Aruba ArubaOS WLAN AP See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 715 Fortinet Technologies Inc. Wireless LANs Cisco Wireless LAN l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol Information Discovered SNMP Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points SNMP Trap Controller device type Metrics collected Used for Controller Uptime, Controller CPU and Memory utilization, Controller Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Availability and Performance Monitoring All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health Availability, Security and Compliance Event Types In ADMIN > Device Support > Event, search for "cisco wireless" in the Description column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. FortiSIEM 6.1.1 External Systems Configuration Guide 716 Fortinet Technologies Inc. Wireless LANs Configuration SNMP V1/V2c and SNMP Traps 1. Log in to your Cisco wireless LAN controller with administrative privileges. 2. Go to MANAGEMENT > SNMP > General. 3. Set both SNMP v1 Mode and SNMP v2c Mode to Enable. 4. Go to SNMP > Communities. 5. Click New and create a public community string with Read-Only privileges. 6. Click Apply. 7. Go to SNMP > Trap Controls. 8. Select the event traps you want to sent to FortiSIEM. 9. Click Apply. 10. Go to SNMP > Trap Receivers. 11. Click New and enter the IP address of your FortiSIEM virtual appliance as a trap receiver. 12. Click Apply. Sample SNMP Trap 2008-06-09 08:59:50 192.168.20.9 [192.168.20.9]:SNMPv2-MIB::sysUpTime.0 = Timeticks: (86919800) 10 days, 1:26:38.00 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2- SMI::enterprises.14179.2.6.3.2 SNMPv2-SMI::enterprises.14179.2.6.2.35.0 = Hex-STRING: 00 21 55 4D 66 B0 SNMPv2-SMI::enterprises.14179.2.6.2.36.0 = INTEGER: 0 SNMPv2- SMI::enterprises.14179.2.6.2.37.0 = INTEGER: 1 SNMPv2-SMI::enterprises.14179.2.6.2.34.0 = Hex-STRING: 00 12 F0 0A 3F 15 2010-11-01 12:59:57 0.0.0.0(via UDP: [172.22.2.25]:32769) TRAP2, SNMP v2c, community 1n3t3ng . Cold Start Trap (0) Uptime: 0:00:00.00 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (9165100) 1 day, 1:27:31.00 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2- SMI::enterprises.9.9.599.0.4 SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.1.0 = Hex-STRING: 00 24 D7 36 A0 00 SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: "AP-2" SNMPv2- SMI::enterprises.9.9.599.1.3.1.1.8.0 = Hex-STRING: 00 25 45 B7 66 70 SNMPv2- SMI::enterprises.9.9.513.1.2.1.1.1.0 = INTEGER: 0 SNMPv2- SMI::enterprises.9.9.599.1.3.1.1.10.0 = IpAddress: 172.22.4.54 SNMPv2- SMI::enterprises.9.9.599.1.2.1.0 = STRING: "IE\brouse" SNMPv2- SMI::enterprises.9.9.599.1.2.2.0 = STRING: "IE"2011-04-05 10:37:42 0.0.0.0(via UDP: [10.10.81.240]:32768) TRAP2, SNMP v2c, community FortiSIEM . Cold Start Trap (0) Uptime: 0:00:00.00 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1672429600) 193 days, 13:38:16.00 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.615.0.1 SNMPv2- SMI::enterprises.9.9.599.1.3.1.1.1.0 = Hex-STRING: 00 25 BC 80 E8 77 SNMPv2- SMI::enterprises.9.9.599.1.3.1.1.8.0 = Hex-STRING: 6C 50 4D 7D AC 50 SNMPv2- SMI::enterprises.9.9.599.1.3.1.1.9.0 = INTEGER: 1 SNMPv2- SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: "AP03-3.rdu2" SNMPv2- SMI::enterprises.9.9.615.1.2.1.0 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.615.1.2.2.0 = INTEGER: 5000 SNMPv2-SMI::enterprises.9.9.615.1.2.3.0 = INTEGER: 1 SNMPv2- SMI::enterprises.9.9.615.1.2.4.0 = INTEGER: 31 SNMPv2-SMI::enterprises.9.9.615.1.2.5.0 = FortiSIEM 6.1.1 External Systems Configuration Guide 717 Fortinet Technologies Inc. Wireless LANs INTEGER: -60 SNMPv2-SMI::enterprises.9.9.615.1.2.6.0 = INTEGER: -90 SNMPv2SMI::enterprises.9.9.615.1.2.7.0 = STRING: "0,0,0,0,1,20,24,28,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0" SNMPv2SMI::enterprises.9.9.615.1.2.8.0 = INTEGER: 2 SNMPv2-SMI::enterprises.9.9.615.1.2.9.0 = STRING: "6c:50:4d:7d:ac:50,e8:04:62:0b:b5:f0" SNMPv2-SMI::enterprises.9.9.615.1.2.10.0 = STRING: "-83,-85" SNMPv2-SMI::enterprises.9.9.615.1.2.11.0 = STRING: "1,1" SNMPv2SMI::enterprises.9.9.512.1.1.1.1.11.5 = INTEGER: 1 Settings for Access Credentials SNMP Access Credentials for All Devices Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String. Setting Name Device Type Access Protocol Community String Value <set name> Generic SNMP <your own> FortiSIEM 6.1.1 External Systems Configuration Guide 718 Fortinet Technologies Inc. Wireless LANs CradlePoint l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration l Settings for Access Credentials l Sample Events What is Discovered and Monitored Protocol Syslog Information Discovered Metrics Collected Used For Event Types In ADMIN > Device Support > Event, search for "CradlePoint" in the Description column to see the event types associated with this application or device. Rules No specific rules are written for CradlePoint but generic rules for Firewall, VPN Gateway, WLAN AP, Router Switch apply where there are matching event types. Reports No specific reports are written for CradlePoint but generic reports for Firewall, VPN Gateway, WLAN AP, Router Switch apply where there are matching event types. Configuration Configure syslog forwarding of event information from CradlePoint. Settings for Access Credentials None required. FortiSIEM 6.1.1 External Systems Configuration Guide 719 Fortinet Technologies Inc. Wireless LANs Sample Events <14>(host) dhcp: Updated DHCP client: hostname 10.4.42.222 58:94:6b:8d:2b:94 FortiSIEM 6.1.1 External Systems Configuration Guide 720 Fortinet Technologies Inc. Wireless LANs FortiAP l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration l Sample events l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP (to FortiGate) Syslog (from FortiGate) Information Discovered Metrics collected Access point Name, OS, Interfaces, Controller (FortiGate) FortiAP CPU, Memory, Clients, Sent/Received traffic Wireless events Used for Performance and Availability Monitoring Security and Log Analysis FortiAPs are discovered from FortiGate firewalls via SNMP. FortiAP logs are received via FortiGate firewalls. Event Types In ADMIN > Device Support > Event, search for "FortiGate-Wireless" and "FortiGate-event" in the Description column to see the event types associated with this device. Rules There are generic rules that trigger for this device as event types are mapped to specific event type groups. Reports Generic reports are written for this device as event types are mapped to specific event type groups. Configuration Configure FortiGate to: 1. Send Syslog to FortiSIEM. 2. Enable SNMP read from FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 721 Fortinet Technologies Inc. Wireless LANs Sample Events FortiSIEM generated performance monitoring events: [PH_DEV_MON_FORTIAP_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortinet.cpp, [lineNumber]=688,[hostName]=FAP320C-default,[hostIpAddr]=,[sysUpTime]=7588440, [wtpDaemonUpTime]=7588440,[wtpSessionUpTime]=63039960,[numWlanClient]=0, [ftntWtpSessionStatus]=55038712,[sentBitsPerSec]=0.000000,[recvBitsPerSec]=0.000000, [pollIntv]=180,[phLogDetail]= [PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortinet.cpp, [lineNumber]=698,[cpuName]=FAP320C-default_WTP_CPU,[hostName]=FAP320C-default, [hostIpAddr]=,[cpuUtil]=0.000000,[pollIntv]=0,[phLogDetail]= [PH_DEV_MON_SYS_MEM_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortinet.cpp, [lineNumber]=707,[memName]=FAP320C-default_WTP_MEM,[hostName]=FAP320C-default, [hostIpAddr]=,[memUtil]=34,[totalMemKB]= 254256 ,[freeMemKB]=254256,[usedMemKB]=0, [phLogDetail]= Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Fortinet FortiAP See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 722 Fortinet Technologies Inc. Wireless LANs FortiWLC l What is Discovered and Monitored l Configuration l Settings for Access Credentials l Sample events What is Discovered and Monitored Protocol SNMP Syslog Information Discovered Controller Name, OS, Serial Number, Interfaces, Associated Access Points name, OS, Interfaces Metrics collected Controller CPU, Memory, Disk, Throughput, QoS statistics, Station count Hardware/Software errors, failures, logons, license expiry, Access Point Association / Disassociation Used for Performance and Availability Monitoring Security Monitoring and log analysis Event Types In ADMIN > Device Support > Event, search for "FortiWLC" in the Description column to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration Configure FortiWLC to: 1. Send Syslog to FortiSIEM. 2. Enable SNMP read from FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 723 Fortinet Technologies Inc. Wireless LANs Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Fortinet FortiWLC See Access Credentials See Access Credentials See Password Configuration Sample events FortiSIEM generated performance monitoring events: [PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortiWLCWLAN.cpp, [lineNumber]=281,[cpuName]=CPU,[hostName]=FWLCDemo,[hostIpAddr]=172.30.72.40, [cpuUtil]=2.000000,[sysCpuUtil]=0.000000,[userCpuUtil]=2.000000,[waitCpuUtil]=98.000000, [pollIntv]=176,[phLogDetail]= [PH_DEV_MON_SYS_DISK_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortiWLCWLAN.cpp, [lineNumber]=286,[diskName]=Disk,[hostName]=FWLCDemo,[hostIpAddr]=172.30.72.40, [diskUtil]=65.000000,[totalDiskMB]=1084,[availDiskMB]=367,[pollIntv]=176,[phLogDetail]= [PH_DEV_MON_SYS_MEM_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortiWLCWLAN.cpp, [lineNumber]=284,[memName]=PhysicalMemory,[hostName]=FWLCDemo,[hostIpAddr]=172.30.72.40, [memUtil]=9.000000,[totalMemKB]=3922244,[freeMemKB]=3538244,[usedMemKB]=384000, [phLogDetail]= [PH_DEV_MON_FORTIWLC_SYS_THRUPUT]:[eventSeverity]=PHL_INFO, [fileName]=deviceFortiWLCWLAN.cpp,[lineNumber]=343,[hostIpAddr]=172.30.72.40, [pollIntv]=180,[recvBytes]=3940593459,[sentBytes]=4002693999,[recvBitsPerSec]=0.000000, [sentBitsPerSec]=0.000000,[wlanRecvBytes]=10851874907433110752, [wlanSentBytes]=9983789733519268498,[wlanRecvBitsPerSec]=0.000000, [wlanSentBitsPerSec]=0.000000,[phLogDetail]= [PH_DEV_MON_FORTIWLC_QOS_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortiWLCWLAN.cpp, [lineNumber]=426,[hostIpAddr]=172.30.72.40,[pollIntv]=176,[qosSessionCount]=1, [qosH323SessionCount]=2,[qosSipSessionCount]=3,[qosSccpSessionCount]=4, [qosRejectedSessionCount]=5,[qosRejectedH323SessionCount]=6, [qosRejectedSipSessionCount]=7,[qosRejectedSccpSessionCount]=8,[qosPendingSessionCount]=9, [qosH323PendingSessionCount]=10,[qosSipPendingSessionCount]=11, [qosSccpPendingSessionCount]=12,[qosActiveFlowCount]=13,[qosPendingFlowCount]=14, [phLogDetail]= [PH_DEV_MON_FORTIWLC_STATIONS]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortiWLCWLAN.cpp, [lineNumber]=511,[hostIpAddr]=172.30.72.40,[pollIntv]=176,[station11a]=1,[station11an1]=2, [station11an2]=3,[station11an3]=4,[station11b]=5,[station11bg]=6,[station11gn1]=7, [station11gn2]=8,[station11gn3]=9,[stationData]=10,[stationPhone]=11,[stationWired]=12, [station11ac1]=13,[station11ac2]=14,[station11ac3]=15,[stationUnknown]=16,[phLogDetail]= FortiSIEM 6.1.1 External Systems Configuration Guide 724 Fortinet Technologies Inc. Wireless LANs FortiWLC Syslog Apr 09 15:07:54 172.18.37.203 ALARM: 1270826655l | system | info | ALR | RADIUS SERVER SWITCHOVER FAILED MAJOR Primary RADIUS Server <172.18.1.3> failed. No valid Secondary RADIUS Server present. Switchover FAILED for Profile <4089wpa2> FortiSIEM 6.1.1 External Systems Configuration Guide 725 Fortinet Technologies Inc. Wireless LANs Motorola WiNG WLAN AP l What is Discovered and Monitored l Event Types l Rules l Reports l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol Syslog Information Discovered Metrics collected Used for All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health Availability, Security and Compliance Event Types Over 127 event types - In ADMIN > Device Support > Event, search for "Motorola-WiNG" to see the event types associated with this device. Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration Configure devices to send syslog to FortiSIEM - make sure that the version matches the format below 2015-11-11T13:00:16.720960-06:00 co-ap01 %DOT11-5-EAP_FAILED: Client 'FC-C2-DE-B1-43-81' failed 802.1x/EAP authentication on wlan 'OFFICE-WAREHOUSE-RADIUS-WLAN' radio 'co-ap01:R1' 2015-11-11T12:52:20.437659-06:00 us600001 %SMRT-5-COV_HOLE_RECOVERY_DONE: Radio us-ap10:R2 power changed from 19 to 14 Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. FortiSIEM 6.1.1 External Systems Configuration Guide 726 Fortinet Technologies Inc. Wireless LANs Setting Name Device Type Access Protocol Port Password config Value <set name> Motorola WiNG WLAN AP See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 727 Fortinet Technologies Inc. Wireless LANs Ruckus Wireless LAN l What is Discovered and Monitored l Configuration l Settings for Access Credentials What is Discovered and Monitored Protocol SNMP Information Discovered Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points Metrics collected Used for Controller Uptime, Controller Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Controller WLAN Statistics, Access Point Statistics, SSID performance Stats Availability and Performance Monitoring Event Types l PH_DEV_MON_RUCKUS_CONTROLLER_STAT [PH_DEV_MON_RUCKUS_CONTROLLER_STAT]:[eventSeverity]=PHL_INFO, [fileName]=deviceRuckusWLAN.cpp,[lineNumber]=555,[hostName]=guest-zd-01, [hostIpAddr]=172.17.0.250,[numAp]=41,[numWlanClient]=121,[newRogueAP]=0, [knownRogueAP]=0,[wlanSentBytes]=0,[wlanRecvBytes]=0,[wlanSentBitsPerSec]=0.000000, [wlanRecvBitsPerSec]=0.000000,[lanSentBytes]=166848,[lanRecvBytes]=154704, [lanSentBitsPerSec]=7584.000000,[lanSentBitsPerSec]=7032.000000,[phLogDetail]= l PH_DEV_MON_RUCKUS_ACCESS_POINT_STAT [PH_DEV_MON_RUCKUS_ACCESS_POINT_STAT]:[eventSeverity]=PHL_INFO, [fileName]=deviceRuckusWLAN.cpp,[lineNumber]=470,[hostName]=AP-10.20.30.3, [hostIpAddr]=10.20.30.3,[description]=,[numRadio]=0,[numWlanClient]=0,[knownRogueAP]=0, [connMode]=layer3,[firstJoinTime]=140467251729776,[lastBootTime]=140467251729776, [lastUpgradeTime]=140467251729776,[sentBytes]=0,[recvBytes]=0,[sentBitsPerSec]=0.000000, [recvBitsPerSec]=0.000000,[phLogDetail]= l PH_DEV_MON_RUCKUS_SSID_PERF [PH_DEV_MON_RUCKUS_SSID_PERF]:[eventSeverity]=PHL_INFO,[fileName]=deviceRuckusWLAN.cpp, [lineNumber]=807,[hostName]=c1cs-guestpoint-zd-01,[hostIpAddr]=172.17.0.250, [wlanSsid]=GuestPoint,[description]=Welcome SSID for not yet authorized APs., [wlanName]=Welcome SSID,[authenMethod]=open,[encryptAlgo]=none,[isGuest]=1, [srcVLAN]=598,[sentBytes]=0,[recvBytes]=0,[sentBitsPerSec]=0.000000, [recvBitsPerSec]=0.000000,[authSuccess]=0,[authFailure]=0,[assocSuccess]=0, [assocFailure]=0,[assocDeny]=0,[disassocAbnormal]=0,[disassocLeave]=0,[disassocMisc]=0, [phLogDetail]= FortiSIEM 6.1.1 External Systems Configuration Guide 728 Fortinet Technologies Inc. Wireless LANs Rules There are no predefined rules for this device. Reports There are no predefined reports for this device. Configuration Configure the Controller so that FortiSIEM can connect to via SNMP. Settings for Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device. Setting Name Device Type Access Protocol Port Password config Value <set name> Ruckus SmartOS WLAN AP See Access Credentials See Access Credentials See Password Configuration FortiSIEM 6.1.1 External Systems Configuration Guide 729 Fortinet Technologies Inc. Using Virtual IPs to Access Devices in Clustered Environments FortiSIEM communicates to devices and applications using multiple protocols. In many instances, access credentials for discovery protocols such as SNMP and WMI must be associated to the real IP address (assigned to a network interface) of the device, while application performance or synthetic transaction monitoring protocols (such as JDBC) will need the Virtual IP (VIP) assigned to the cluster. Since FortiSIEM uses a single access IP to communicate to a device, you must create an address translation for the Virtual IPs. 1. Log into your FortiSIEM virtual appliance as root. 2. Update the mapping in your IP table to map the IP address used in setting up your access credentials to the virtual IP. iptables -t nat -A OUTPUT -p tcp --destination <access-ip> --dport <destPort> -j DNAT -to-destination <virtual-ip>:<destPort>' As an example, suppose an Oracle database server is running on a server with a network address of 10.1.1.1, which is in a cluster with a VIP of 192.168.1.1. The port used to communicate with Oracle over JDBC is 1521. In this case, the update command would be: iptables -t nat -A OUTPUT -p tcp --destination 10.1.1.1 --dport 1521 -j DNAT --todestination 192.168.1.1:1521 FortiSIEM 6.1.1 External Systems Configuration Guide 730 Fortinet Technologies Inc. Syslog over TLS To receive syslog over TLS, a port must be enabled and certificates must be defined. The following configurations are already added to phoenix_config.txt in Super/Worker and Collector nodes. listen_tls_port_list=6514 ls_certificate_file=/etc/pki/tls/certs/tls_self_ signed.crt tls_key_file=/etc/pki/tls/private/tls_self_signed.key Note: the syslog over TLS client must be configured to communicate properly with FortiSIEM. FortiSIEM 6.1.1 External Systems Configuration Guide 731 Fortinet Technologies Inc. Appendix CyberArk to FortiSIEM Log Converter XSL <?xml version="1.0" ?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:import href='./Syslog/RFC5424Changes.xsl'/> <xsl:output method="text" version="1.0" encoding="UTF-8" /> <xsl:template match="/"> <xsl:apply-imports /> <xsl:for-each select="syslog/audit_record"> <xsl:text>CYBERARK: Product="</xsl:text> <xsl:value-of select="Product" /> <xsl:text>"</xsl:text> <xsl:text>;Version="</xsl:text> <xsl:value-of select="Version" /> <xsl:text>"</xsl:text> <xsl:text>;Hostname="</xsl:text> <xsl:value-of select="Hostname" /> <xsl:text>"</xsl:text> <xsl:text>;MessageID="</xsl:text> <xsl:value-of select="MessageID" /> <xsl:text>"</xsl:text> <xsl:text>;Message="</xsl:text> <xsl:value-of select="Message" /> <xsl:text>"</xsl:text> <xsl:choose> <xsl:when test="Desc!=''"> <xsl:text>;Desc="</xsl:text> <xsl:value-of select="Desc" /> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:choose> <xsl:when test="Action!=''"> <xsl:text>;Action="</xsl:text> <xsl:value-of select="Action" /> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:choose> <xsl:when test="Location!=''"> <xsl:text>;Location="</xsl:text> <xsl:value-of select="Location" /> FortiSIEM 6.1.1 External Systems Configuration Guide 732 Fortinet Technologies Inc. Appendix <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:text>;Issuer="</xsl:text> <xsl:value-of select="Issuer" /> <xsl:text>"</xsl:text> <xsl:choose> <xsl:when test="Station!=''"> <xsl:text>;Station="</xsl:text> <xsl:value-of select="Station" /> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:choose> <xsl:when test="File!=''"> <xsl:text>;File="</xsl:text> <xsl:value-of select="File" /> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:choose> <xsl:when test="Safe!=''"> <xsl:text>;Safe="</xsl:text> <xsl:value-of select="Safe" /> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:choose> <xsl:when test="Category!=''"> <xsl:text>;Category="</xsl:text> <xsl:value-of select="Category" /> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:choose> <xsl:when test="RequestId!=''"> <xsl:text>;RequestId="</xsl:text> <xsl:value-of select="RequestId" /> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:choose> <xsl:when test="Reason!=''"> <xsl:text>;Reason="</xsl:text> <xsl:value-of select="Reason" /> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:choose> FortiSIEM 6.1.1 External Systems Configuration Guide 733 Fortinet Technologies Inc. Appendix <xsl:when test="SeverityCategory!=''"> <xsl:text>;Severity="</xsl:text> <xsl:value-of select="Severity" /> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:choose> <xsl:when test="GatewayStation!=''"> <xsl:text>;GatewayStation="</xsl:text> <xsl:value-of select="GatewayStation" /> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:choose> <xsl:when test="SourceUser!=''"> <xsl:text>;SourceUser="</xsl:text> <xsl:value-of select="SourceUser" /> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:choose> <xsl:when test="TargetUser!=''"> <xsl:text>;TargetUser="</xsl:text> <xsl:value-of select="TargetUser" /> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:choose> <xsl:when test="TicketID!=''"> <xsl:text>;TicketID="</xsl:text> <xsl:value-of select="TicketID" /> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:choose> <xsl:when test="LogonDomain!=''"> <xsl:text>;LogonDomain="</xsl:text> <xsl:for-each select="CAProperties/CAProperty"> <xsl:if test="@Name='LogonDomain'"> <xsl:value-of select="@Value" /> </xsl:if> </xsl:for-each> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:choose> <xsl:when test="Address!=''"> <xsl:text>;Address="</xsl:text> <xsl:for-each select="CAProperties/CAProperty"> FortiSIEM 6.1.1 External Systems Configuration Guide 734 Fortinet Technologies Inc. Appendix <xsl:if test="@Name='Address'"> <xsl:value-of select="@Value" /> </xsl:if> </xsl:for-each> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:choose> <xsl:when test="CPMStatus!=''"> <xsl:text>;CPMStatus="</xsl:text> <xsl:for-each select="CAProperties/CAProperty"> <xsl:if test="@Name='CPMStatus'"> <xsl:value-of select="@Value" /> </xsl:if> </xsl:for-each> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:choose> <xsl:when test="Database!=''"> <xsl:text>;Database="</xsl:text> <xsl:for-each select="CAProperties/CAProperty"> <xsl:if test="@Name='Database'"> <xsl:value-of select="@Value" /> </xsl:if> </xsl:for-each> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:choose> <xsl:when test="DeviceType!=''"> <xsl:text>;DeviceType="</xsl:text> <xsl:for-each select="CAProperties/CAProperty"> <xsl:if test="@Name='DeviceType'"> <xsl:value-of select="@Value" /> </xsl:if> </xsl:for-each> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> <xsl:choose> <xsl:when test="ExtraDetails!=''"> <xsl:text>;ExtraDetails="</xsl:text> <xsl:value-of select="ExtraDetails" /> <xsl:text>"</xsl:text> </xsl:when> </xsl:choose> </xsl:for-each> <xsl:text> </xsl:text> FortiSIEM 6.1.1 External Systems Configuration Guide 735 Fortinet Technologies Inc. Appendix </xsl:template> </xsl:stylesheet> FortiSIEM 6.1.1 External Systems Configuration Guide 736 Fortinet Technologies Inc. Appendix Access Credentials l SNMP Access Credentials l SSH Access Credentials l Telnet Access Credentials l HTTPS Access Credentials l Password Configuration l Manual Password Configuration l CyberArk Password Configuration l RAX_CustomerService Password Configuration l RAX_Janus Password Configuration SNMP Access Credentials Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Setting Name Device Type Access Protocol Community String Value <set name> <device> SNMP <your own> SSH Access Credentials These are the generic settings for providing SSH access to your device from FortiSIEM. Setting Name Device Type Access Protocol Port Password Config User Name Password Super Password Value <set name> <device> SSH 22 See Password Configuration A user who has permission to access the device over SSH The password associated with the user Enter the super password for the system, if required FortiSIEM 6.1.1 External Systems Configuration Guide 737 Fortinet Technologies Inc. Appendix Setting Organization Value Select an organization from the drop-down list Telnet Access Credentials These are the generic settings for providing Telnet access to your device from FortiSIEM Setting Name Device Type Access Protocol Port Password Config User Name Password Super Password Organization Value <set name> <device> Telnet 23 See Password Configuration A user who has permission to access the device over Telnet The password associated with the user Enter the super password for the system, if required Select an organization from the drop-down list HTTPS Access Credentials Setting Name Device Type Access Protocol Port URI Password Config User Name Password Organization Value <set name> <device> HTTPS 443 URI address See Password Configuration A user who has permission to access the device over HTTPS The password associated with the user Select an organization from the drop-down list FortiSIEM 6.1.1 External Systems Configuration Guide 738 Fortinet Technologies Inc. Appendix Password Configuration Manual Password Configuration Settings User Name Password Super Password Organization Description The user name for this account The password for this account The super password for this account Select an organization from the drop-down list CyberArk Password Configuration Settings App ID Safe Folder Object User Name Platform (Policy ID) Database Include Address for Query Organization Description Description Application ID (AccelOps) Safe value Folder location (Root) Object name User name Policy ID Database name Select an organization from the drop-down list Description or comments about the credentials RAX_CustomerService Password Configuration Settings AWS Account Number Azure Subscription ID Description Enter the account number. Enter the subscription ID. RAX_Janus Password Configuration Select RAX_Janus as the Password Config. Supply a Session ID if required. FortiSIEM 6.1.1 External Systems Configuration Guide 739 Fortinet Technologies Inc. Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.madbuild