Discovering Devices

FortiSIEM automatically discovers devices, applications, and users in your IT infrastructure and start monitoring them. You can initiate device discovery by providing the credentials that are needed to access the infrastructure component, and from there FortiSIEM will discover information about your component such as the host name, operating system, hardware information such as CPU and memory, software information such as running processes and services, and configuration information. Once discovered, FortiSIEM will also begin monitoring your component on an ongoing basis.

This section provides the procedures for discovering devices.

Creating a discovery entry

Follow the procedure below to create a discovery:

  1. Go to ADMIN > Setup > Discovery tab.
  2. Click New.
  3. In the Discovery Definition dialog box, enter the information below.

    SettingsGuidelines
    Name[Required] Name of the discovery entry that will be used for reference.
    Discovery TypeSelect the type of discovery:
    • Range Scan - FortiSIEM will sequentially discover each device in one or more IP ranges and CIDR subnets.
    • Smart Scan - FortiSIEM will first discover the Root IP, which will provide a list of devices that it knows about. Then FortiSIEM will discover each of the devices learnt from the Root IP device. Each of these devices will provide a list of devices they know about, which FortiSIEM will then discover. This process continues until the list of known devices is exhausted.
    • AWS Scan - FortiSIEM will discover the devices in Amazon Web Services (AWS) Cloud learnt via AWS SDK. For AWS Scan to succeed, there needs to be an AWS Credential mapped to aws.com or amazon.com in the IP to Credential mapping.
    • L2 Scan - FortiSIEM will discover only the Layer 2 connectivity of the devices.
    • Azure Scan - FortiSIEM will discover the devices in Azure Cloud learnt via Azure SDK. For Azure Scan to succeed, there needs to be a Credential mapped to azure.com in the IP to Credential mapping.
    Root IPsIP address of the Starting device for Smart Scan. See Smart scan definition above.
    Include[Required] A list of IP addresses that will be included for discovery. Allowed IP range syntax is single IP, single range, single CIDR or a list separated by comma – e.g. 10.1.1.1, 10.1.1.2,20.1.1.0/24, 30.1.1.1-30.1.1.10.
    ExcludeA list of IP addresses that will be excluded for discovery. Allowed IP range syntax is single IP, single range, single CIDR or a list separated by comma – e.g. 10.1.1.1, 10.1.1.2,20.1.1.0/24, 30.1.1.1-30.1.1.10.
    Include TypesA list of device Types that will be included for discovery.
    Exclude TypesA list of device Types that will be excluded for discovery.
    Name resolutionHost names can learn from DNS look up or SNMP/WMI. If these do not match, then choose which discovery method with higher priority. For example, if DNS is chosen then FortiSIEM will get host names from DNS. If DNS lookup fails for an IP, the host names will be obtained from SNMP/WMI.
    OptionsSelect the options for this discovery:
    - Do not ping before discovery: Device will not be pinged before attempting the credentials.
    - Ping before discovery: Device will be pinged before attempting the credentials. A successful ping can shorten discovery times; since FortiSIEM may have to wait for a protocol timeout in case of failed credentials.
    - Winexe based discovery - for windows servers, we discover HyperV metrics and other AD replication metrics via Winexe. However, winexe installs a service and uninstalls the service after it finishes for certain old OS. This setting enables to control this behavior.
    - Only discover devices not in CMDB
    - Discover Routes: Routes help to discover neighboring devices for Smart Scan but “show route” can be expensive for BGP routers. This selection provides a way to control this behavior.
    - Include powered off VMs: This allows the administrator to control whether powered off VMs will be discovered during VCenter discovery
    - Include VM templates: This allows the administrator to control whether VM templates will be discovered during VCenter discovery.
  4. Click Save.

Discovering on demand

  1. Go to ADMIN > Setup > Discovery.
  2. Select the required discovery from the table.
  3. Click Discover.
  4. Click Results to view the discovery result.
  5. Click Errors to check for any errors found during discovery.
    Use the Run in Background to run discovery in background while performing other operations.
  6. After successful discovery, Discovery Completed. message is displayed with the discovery results.

Scheduling a discovery

Discovery can be a long-running process when performed on a large network, or over a large IP range, and so you may want to schedule it to occur when there is less load on your network or during off hours. You may also want to set up a schedule for the process to run and discover new devices on a regular basis. 

  1. Go to ADMIN > Setup > Discovery.
  2. Click Scheduled.
  3. Under Discovery Schedule dialog box, click New.
  4. Select from the available ranges.
    You can select multiple ranges and set the order in which discovery will run on them using the up and down arrows.
  5. Set the time at which you want discovery to run. 
    • For a one-time scheduled discovery, select the Start Time.
    • For recurring discoveries, select how often (hourly, daily, weekly, monthly), you want discovery to run, and then enter other scheduling options.   
  6. Click Save.

Searching previous discovery results

Follow the procedure below to search previously discovered results:

  1. Go to ADMIN > Setup > Discovery.
  2. Select a discovery result.
  3. Click History.
  4. In the Discovery History dialog box, click View Results, View Errors or View Changes to see the related information.

Editing a discovery

Follow the procedure below to modify discovery settings:

  1. Select the required option from the table below.
    • Edit - to edit any scheduled discovery settings.
    • Delete - to delete any scheduled discovery.
  2. Click OK.

Exporting discovery results

Follow the procedure below to export discovery history:

  1. Click History.
  2. In the Discovery History dialog box, select the discovery type.
  3. Based on the type of information required, select the required option:
    - View Results
    - View Errors
    - View Changes
  4. Click Export.
  5. Select the Output Format as PDF or CSV.
  6. Click Generate.
    'Export successful message' is displayed under Export Report dialog box.
  7. Click Open Report File to view and save the generated report.