Advanced Operations

FortiSIEM enables you to perform the following advanced operations:

Discovering Users

Users can be discovered via LDAP or OpenLDAP, or added manually. Discovering users via OpenLDAP or OKTA is similar.

To discover users in Windows Active Directory, discover the Windows Domain Controller:

  1. Go to ADMIN > Setup > Credentials.
  2. Create an LDAP discovery credential by entering:
    1. Device Type as 'Microsoft Windows Server 2012 R2'.
    2. Access Protocol as 'LDAP'.
    3. Used For as 'Microsoft Active Directory'.
    4. The Base DN and NetBios Domain.
  3. Test the LDAP Credentials.
  4. Run discovery.
  5. Go to CMDB > Users.
  6. Click the 'Refresh' icon on left panel and see the users displayed on the right panel.

To add users manually:

  1. Go to CMDB > Users.
  2. Click New and add the user information.

For details about Discovering Users, see here (Refer to the table by searching: Credentials for Microsoft Windows Server)

For details about Adding Users, see here.

Creating FortiSIEM Users

To create users that access FortiSIEM:

  1. Login as a user with 'Full Admin' rights.
  2. Create the user in CMDB.
  3. Set a password – after logging in, the user can set a new password.
  4. Select the user and click Edit.
  5. Select System Admin and enter the following:
    1. Authentication Mode - 'Local' or 'External'
    2. Enterprise case - select the Role.
    3. Service Provider case - select the Role for each Organization.

For details about creating users, see here.

To change the password:

  1. Login as the user.
  2. Click the 'Edit user Profile' icon on the top-right corner.
  3. Click Save.

Setting External Authentication

FortiSIEM users can be authenticated in two ways:

  • Local authentication – user credentials are stored in FortiSIEM.
  • External authentication – user credentials are stored in an external database (AAA Server or Active Directory) and FortiSIEM communicates with the external database to authenticate the user.

Step 1: Set up an Authentication Profile

  1. Login as a user with Full Admin rights.
  2. Create an authentication profile by visiting ADMIN > General Settings > Authentication.
    1. Set Protocol appropriately (for example, LDAP or LDAPS or LDAPTLS for Active Directory).
    2. Make sure the credentials are defined in ADMIN > Setup > Credentials.
    3. Select the entry and click Test to ensure it works correctly.

Step 2: Attach the Authentication Profile to the user

  1. Select the user under CMDB > User and click Edit.
  2. Select System Admin and click on the 'Edit' icon.
  3. Set Mode to 'External' and set the Authentication Profile created.

For details about Setting up Authentication Profiles, see here.

For details about Editing Users, see here.

Setting 2-factor Authentication

FortiSIEM supports Duo as 2-factor authentication for FortiSIEM users:

Step 1: Set up an Authentication Profile

  1. Login as a user with Full Admin rights.
  2. Create an authentication profile by visiting ADMIN > General Settings > Authentication:
    1. Set Protocol to 'Duo'.
    2. Make sure the credentials are defined in ADMIN > Setup > Credentials.
    3. Select the entry and click Test to make sure it works correctly.

Step 2: Attach the Authentication Profile to the user

  1. Select the user under CMDB > User and click Edit.
  2. Select System Admin and click on the Edit icon.
  3. Set Mode to 'External' and set the Authentication Profile created.

For details about Setting up Authentication Profiles, see here.

For details about Editing Users, see here.

Assigning FortiSIEM Roles to Users

FortiSIEM allows the admin user to create Roles based on what data the user can see and what the user can do with that data. To set up Roles:

Step 1: Create a Role of your choice

  1. Login as a user with Full Admin rights.
  2. Go to ADMIN > General Settings > Role.
  3. Make sure there is a Role that suits your needs. If not, then create a new one by clicking New and entering the required information. You can also Clone an existing Role and make the changes.

Step 2: Attach the Role to the user

  1. Select the user under CMDB > User and click Edit.
  2. Select System Admin and click on the Edit icon.
  3. Set Role:
    1. Enterprise case – select the Role.
    2. Service Provider case – select the Role for each Organization.

For details about Setting up Roles, see here.

For details about Editing Users, see here.

Creating Business Services

Business Service is a smart grouping of devices. Once created, incidents are tagged with the impacted Business Service(s) and you can see business service health in a custom Business Service dashboard.

For details about creating a Business Service, see here.

For details about setting up Dynamic Business Service, see here.

For details about viewing Business Service health, see here.

Creating Dynamic CMDB Groups and Business Services

CMDB Groups are a key concept in FortiSIEM. Rules and Reports make extensive use of CMDB Groups. While inbuilt CMDB Groups are auto-populated by Discovery, user-defined ones and Business Services are not. You can use the Dynamic CMDB Group feature to make mass changes to user-defined CMDB Groups and Business Services.

To create Dynamic CMDB Group Assignment Rules:

  1. Login as a user with ADMIN tab modification rights.
  2. Go to ADMIN > General Settings > Discovery > CMDB Group.
  3. Click New.
  4. Enter CMDB Membership Criteria based on Vendor, Model, Host Name and IP Range.
  5. Select the CMDB group or Business Services to which the Device would belong if the criteria in Step 4 are met.
  6. Click Save.

You can now click Apply to immediately move the Devices to the desired CMDB Groups and Business Services. Discovery will also honor those rules – so newly discovered devices would belong to the desired CMDB Groups and Business Services.

For details about Setting up Dynamic CMDB Groups and Business Services, see here.

Setting Device Geo-Location

FortiSIEM has location information for public IP addresses. For private address space, you can define the locations as follows:

  1. Login as a user with ADMIN tab modification rights.
  2. Go to ADMIN > General Settings > Discovery > Location.
  3. Click New.
  4. Enter IP/IP Range.
  5. Specify the Corresponding Location for the IP address Range.
  6. Select Update Manual Devices if you want already discovered device locations to be updated.
  7. Click Save.
    You can now click Apply to set the geo-locations for all devices matching the IP ranges.

For details about Setting Device Location, see here.

Creating CMDB Reports

If you want to extract data from the FortiSIEM CMDB and produce a report, FortiSIEM can run a CMDB Report, display the values on screen, and export the data to a PDF or CSV file.

For details about Creating CMDB Reports, see here.

Searching Incidents

If you want to search for specific incidents, go to INCIDENTS > List > Actions > Search. A Search window appears on the left. First, select the Time Window of interest. Then, by clicking on any of the criteria, you can see the current values. Select values to see the matching incidents in the right pane.

For details about Searching Incidents, see here.

Tuning Incidents via Exceptions

If you do not want a rule to trigger for a specific Incident Attribute, then you can create an exception.

  1. Go to INCIDENTS > List view.
  2. Search the Incident or make sure that Incident shows in the right pane.
  3. Highlight the Incident.
  4. Click Actions > Edit Rule Exception.
  5. Enter the exception criteria – attribute based or time-based.

For details about Tuning Incidents via Exceptions, see here.

Tuning Incidents via Modifying Rules

Sometimes modifying the rule is a better idea than creating exceptions. For example, if you do not want a rule to trigger for DNS Servers, simply modify the rule condition by stating something like “Source IP NOT CONTAIN DNS Server”. To do this:

  1. Go to INCIDENTS > List view.
  2. Search the Incident or make sure that Incident shows in the right pane.
  3. Highlight the Incident.
  4. Click Actions > Edit Rule.
  5. Edit the Rule.
    If it is a System Rule, you will need to save it as a User Rule, then deactivate the old System Rule and activate the new User Rule.

For details, see here.

Tuning Incidents via Drop Rules

Sometimes the rule can be prevented from triggering by dropping the event from rule considerations. There are two choices - (a) store the event in database but not trigger the rule or (b) drop the event completely.

To do this:

  1. Go to INCIDENTS > List view.
  2. Search the Incident or make sure that Incident shows in the right pane.
  3. Highlight the Incident.
  4. Click Actions > Create Event Dropping Rule.
  5. Specify event drop criteria and action. Events can be dropped on certain parsed fields (like Reporting/Source/Destination IP and Regex filter on the content).

For details, see here.

Tuning Incidents by Adjusting Thresholds

Some performance rules are written using global thresholds, for example - the Rule “High Process CPU: Server” uses the global threshold “Process CPU Util Critical Threshold” defined in ADMIN > Device Support > Custom Property.

You have two choices – (a) modify the global threshold or (b) modify the threshold for a specific device or a group of devices. If you change the global threshold, then the threshold will change for all devices.

To modify the global threshold, follow these steps:

  1. Go to ADMIN > Device Support > Custom Property.
  2. Select the property and click Edit.
  3. Enter the new value and click Save.

For details, see here.

To modify the threshold for one device, follow these steps:

  1. Go to CMDB.
  2. Select the device and click Edit.
  3. In the Properties tab, enter the new value and click Save.
    To modify the threshold for a group of devices, repeat the above steps for each device in the group.

Clearing Incidents

In some cases, the Incident may not be happening anymore as the exception condition was corrected.

To clear one or more Incidents:

  1. Go to INCIDENTS > List view.
  2. Search the Incident or make sure that Incidents show in the right pane.
  3. Highlight the Incidents.
  4. Click Actions > Clear Incident.
  5. Enter Reason and click OK.

For details, see here.

Adding Comments or Remediation Advice to an Incident

To add a comment to an Incident:

  1. Go to INCIDENTS > List view.
  2. Search the Incident or make sure that Incidents show in the right pane.
  3. Highlight the Incidents.
  4. Click Actions > Edit Comment.
  5. Enter the Comment and click OK.

For details, see here.

Sometimes it is necessary to add Remediation advice for the recipient of an Incident, so they can take action to remediate it. This is done by editing the Rule.

  1. Go to RESOURCES > Rules.
  2. Select a Rule and click Edit.
  3. Enter Remediation text and click Save.

For details, see here.

The Remediation text can be added to the Incident Notification email template.

For details, see here.

Remediating an Incident

This can be done either on an ad-hoc basis (for example, user selects an Incident that has already occurred to Remediate) or using a Notification Policy where the system takes the Remediation action when Incident happens.

First, make sure the Remediation script for your scenario is defined. Check the existing Remediation scripts in ADMIN > Remediations. If your device is not in the list, add the needed Remediation script.

To set Adhoc remediation:

  1. Go to INCIDENTS > List view.
  2. Search the Incident or make sure that Incidents show in the right pane.
  3. Highlight the Incidents.
  4. Click Actions > Remediate Incident.
  5. Enter Remediation Script and select the Enforced On device.
  6. Click Run.

For details, see here.


To set policy-based remediation:

  1. Go to ADMIN > General Settings > Notification.
  2. Click New.
  3. Under Action, click Remediation Script.
  4. Enter Remediation Script, Enforced On Device and Run On Node.
  5. Click Save.

For details, see here.


To see the Notification history of an Incident:

  1. Go to INCIDENTS > List view.
  2. Search the Incident or make sure that Incidents show in the right pane.
  3. Highlight the Incidents.
  4. Click Actions > Show Notification History.

For details, see here.

To configure Windows Servers:

  1. Use the commands below to enable WinRM and set authentication:
    winrm quickconfig
    winrm set winrm/config/service/auth @{Basic="true"}
    winrm set winrm/config/service @{AllowUnencrypted="true"}
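A PowerShell companion to the commands above, added here as an example and not part of the FortiSIEM documentation: it reads back the WinRM service settings those commands change, flags the combination of Basic authentication with AllowUnencrypted (credentials and payloads then cross the network without transport protection), and applies a hardened alternative that keeps Basic available but only over an HTTPS listener. It assumes an elevated session on the Windows server, that the FortiSIEM node can reach the HTTPS listener on port 5986, and placeholder values for the certificate thumbprint and the FortiSIEM node address.

```powershell
# Added example, not FortiSIEM's own code. Audits and hardens the WinRM service
# settings changed by 'winrm quickconfig' / 'winrm set' above.
# Assumptions (placeholders): run elevated; $CertThumbprint names a server-auth
# certificate already in Cert:\LocalMachine\My; $FortiSiemNode is the IP or
# subnet of the FortiSIEM node that executes remediation scripts over WinRM.

function Get-WinRMAuthPosture {
    # The WSMan: drive exposes the same tree that 'winrm get winrm/config/service' prints.
    $svc = 'WSMan:\localhost\Service'
    $listeners = Get-ChildItem WSMan:\localhost\Listener
    $posture = [pscustomobject]@{
        BasicAuth        = [bool]::Parse((Get-Item "$svc\Auth\Basic").Value)
        NegotiateAuth    = [bool]::Parse((Get-Item "$svc\Auth\Negotiate").Value)
        AllowUnencrypted = [bool]::Parse((Get-Item "$svc\AllowUnencrypted").Value)
        HttpListener     = [bool]($listeners | Where-Object { $_.Keys -contains 'Transport=HTTP' })
        HttpsListener    = [bool]($listeners | Where-Object { $_.Keys -contains 'Transport=HTTPS' })
    }
    $findings = @()
    if ($posture.BasicAuth -and $posture.AllowUnencrypted -and $posture.HttpListener) {
        $findings += 'Basic + AllowUnencrypted on the HTTP listener: credentials are sent base64-encoded, not encrypted'
    }
    if ($posture.BasicAuth -and -not $posture.HttpsListener) {
        $findings += 'Basic auth is enabled but no HTTPS listener exists: Basic has no transport protection'
    }
    if ($posture.AllowUnencrypted) {
        $findings += 'AllowUnencrypted=true: command and output payloads may travel in clear text'
    }
    $posture | Add-Member -NotePropertyName Findings -NotePropertyValue $findings -PassThru
}

function Set-WinRMHardened {
    param(
        [Parameter(Mandatory)][string]$CertThumbprint,   # placeholder: your server certificate
        [Parameter(Mandatory)][string]$FortiSiemNode     # placeholder: e.g. '192.0.2.10' (constructed)
    )
    # 1. Refuse clear-text payloads. With this set to false, WinRM rejects Basic over
    #    plain HTTP, so Basic can only be used through the HTTPS listener.
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
    # 2. Keep Basic (the remediation commands above rely on it) and also allow Negotiate,
    #    so domain clients can use Kerberos/NTLM with message-level encryption.
    Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true
    Set-Item WSMan:\localhost\Service\Auth\Negotiate -Value $true
    # 3. Add an HTTPS listener bound to the server certificate if there is none yet.
    $hasHttps = Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    if (-not $hasHttps) {
        New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
            -CertificateThumbprint $CertThumbprint -Force | Out-Null
    }
    # 4. Host firewall: only the FortiSIEM node may reach WinRM over HTTPS (TCP 5986).
    $ruleName = 'WinRM HTTPS from FortiSIEM'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 5986 -RemoteAddress $FortiSiemNode -Action Allow | Out-Null
    }
    Restart-Service WinRM
    # Return the resulting posture so the change can be verified in the same run.
    Get-WinRMAuthPosture
}

# Usage: audit first, then harden and re-audit.
Get-WinRMAuthPosture | Format-List
# Set-WinRMHardened -CertThumbprint '<THUMBPRINT>' -FortiSiemNode '192.0.2.10' | Format-List
```

After hardening, the FortiSIEM remediation credential must target the HTTPS listener (port 5986) rather than the default HTTP port, otherwise Basic authentication is refused by the server.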

Notifying an Incident via Email

Notifying an Incident can be done either on an ad-hoc basis (for example, a user selects an Incident that has already occurred and notifies on it) or using a Notification Policy, where the system takes the notification action when the Incident happens.

First, make sure that Email Server has been properly defined in ADMIN > General Settings > Email > Email Settings.

FortiSIEM has a built-in Incident Notification Email template. If you want a different one, please define it under ADMIN > General Settings > Email > Incident Email Template.

For details, see here.

To set Adhoc notifications:

  1. Go to INCIDENTS > List view.
  2. Search the Incident or make sure that Incidents show in the right pane.
  3. Highlight the Incidents.
  4. Click Actions > Notify Via Email.
  5. Choose Receive Email Address and Email Template.
  6. Click Send.

For details, see here.

To send policy-based notifications:

  1. Go to ADMIN > General Settings > Notification.
  2. Click New.
  3. Specify the Incident Filter Conditions (Severity, Rules, Time Range, Affected Items, Affected Organizations) carefully to avoid excessive emails.
  4. Under Action, click Send Email/SMS to Target Users.
  5. Enter Email Address or Users from CMDB.
  6. Click Save.

For details, see here.


To see the Notification history of an Incident:

  • Go to INCIDENTS > List view.
  • Search the Incident or make sure that Incidents show in the right pane.
  • Highlight the Incidents.
  • Click Actions > Show Notification History.

For details, see here.

Creating New Rules

Sometimes you may want to create a new rule from scratch.

For details, see here.

Creating a FortiSIEM Ticket

First make sure that:

  • Ticket’s assigned user is in CMDB
  • Assigned user’s Manager that is going to handle escalation is in CMDB
  • A Ticket Escalation Policy is defined

For adding users see Advanced Operations > Creating System users.

For defining ticket escalation policy, see here.

To create a FortiSIEM ticket:

  • Go to INCIDENTS > List view.
  • Search the Incident or make sure that Incidents show in the right pane.
  • Highlight the Incidents.
  • Click Actions > Create Ticket.
  • Click Save.

Note that you can put multiple Incidents on one ticket or add an Incident to an existing ticket.

For details, see here.

Creating a Ticket in External Ticketing System

First, define an Incident Outbound Integration Policy by visiting ADMIN > General Settings > Integration.

For details, see here.

Then set the Incident Outbound Integration Policy in Notification Policy Action:

  1. Go to ADMIN > General Settings > Notification.
  2. Click New.
  3. Specify the Incident Filter Conditions (Severity, Rules, Time Range, Affected Items, Affected Organizations) carefully to avoid excessive emails.
  4. Under Action, click Invoke an Integration Policy.
  5. Choose the Integration Policy.
  6. Click Save.

For details, see here.


To update external ticket state in FortiSIEM:

  1. Define an Incident Inbound Integration Policy by visiting ADMIN > General Settings > Integration.
  2. Select the Policy and click Schedule to run the Incident Inbound Integration Policy.

For details, see here.

Checking Device Monitoring Status and Health

For Performance Monitoring scenarios, you would like to know:

  • Is FortiSIEM able to monitor the devices on time? Is FortiSIEM falling behind?
  • Are there monitoring errors?
  • What is the current health of monitored devices?

To check whether FortiSIEM is able to collect monitoring data on time:

  1. Go to CMDB.
  2. Search for the device by typing a string in the search window.
  3. Check the Monitor Status column.
  4. If Monitor Status is Warning or Critical, select the Device and check the Monitor sub-tab in the bottom pane to find out the reason.

FortiSIEM is an optimized multi-threaded solution. If one node is given too many devices to monitor, each device with many metrics, then it may not be able to keep up. If FortiSIEM is not able to keep up (e.g. polling interval is 1 minute and last poll was 3 minutes ago), then you can do one of the following:

  1. Check the Monitored Device resources (CPU, memory) and the network between FortiSIEM and the Monitored Device. Many monitoring protocols such as SNMP, WMI will not operate under WAN type latencies (greater than 10 msec).
  2. Increase the polling intervals by visiting ADMIN > Setup > Monitor Performance > More > Edit Intervals.
    Note: If you increase polling intervals, some performance monitoring rules that require a certain number of polls in a time window may not trigger. Please adjust those rules either by reducing the number of polls or increasing the time window. For example, if a rule needs 3 events (polls) for a 10 min time window with original polling interval as 3 min, the rule will not trigger if polling interval is changed to 4 min or higher. To make the rule trigger again, either reduce the number of events needed (for example, from 3 to 2) or increase the time window (for example, from 10 min to 15 min).
  3. Turn off some other jobs by visiting ADMIN > Setup > Monitor Performance > More > Edit Intervals.
  4. Deploy Collectors close to the Monitored Devices or deploy more Collectors and distribute performance monitoring jobs to Collectors by doing re-discovery.

To check for Monitoring errors:

  • Go to ADMIN > Setup > Monitor Performance > More > Show Errors.

For details, see here.

To see current health of a monitored device:

  1. Go to CMDB.
  2. Search for the device by typing a string in the search window.
  3. Choose Actions > Device Health.

For details, see here.

Setting Devices Under Maintenance

If a device will undergo maintenance and you do not want performance and availability rules to trigger while the device is in maintenance, then:

  1. Go to ADMIN > Setup > Maintenance.
  2. Select the Maintenance Schedule.
  3. Select the Group of Devices or Synthetic Transaction Monitors (STM) for maintenance.
  4. Make sure the Generate Incidents for Devices under Maintenance option is not checked.

For details, see here.

Creating Custom Monitors

Although FortiSIEM provides out-of-the-box monitoring for many devices and applications, users can add monitoring for custom device types or add further monitoring for supported device types.

  1. Go to ADMIN > Device Support > Monitoring.
  2. Click Performance Object > New and enter the specification of Performance Object.
  3. Select the Performance Object and click Test.
  4. Click Device Type to Performance Object Association > New and choose a set of Device Types and associated Performance Objects.
  5. Go to ADMIN > Setup > Credentials and enter the Device Credentials for a set of device types specified in Step 4.
  6. Go to ADMIN > Setup > Discovery and discover these devices.
  7. FortiSIEM will pick up the custom monitors defined in Step 2 if the Tests in Step 3 succeeded.
  8. Go to ADMIN > Setup > Monitor Performance and see the monitors.
  9. From the same tab, select one or more devices and click More > Report to check whether the monitoring events are generated correctly.

Steps 1-4 are described here.

Step 5 is described here.

Step 6 is described here.

Steps 8-9 are described here.

Setting Important Interfaces and Processes

A network may have hundreds of network devices, each with hundreds of interfaces. Not all interfaces are interesting for up/down and utilization monitoring. For example, you may only want to monitor WAN links and trunk ports and leave out Access Ports. This saves a lot of CPU and storage. Similar logic applies to critical processes on servers.

Since FortiSIEM discovers interfaces and processes, it is rather easy to select Critical Interfaces and Processes for Monitoring.

  1. Go to ADMIN > General Settings > Monitoring.
  2. Click Important Interfaces > Enable > New and select the Interfaces.
  3. Click Important Processes > Enable > New and select the Processes.

Note that once you select Important Interfaces and Processes, only these Interfaces and Processes will be monitored for availability and Performance.

For details, see here.

Modifying System Parsers

If you want to modify a built-in log parser, then do the following steps:

  1. Go to ADMIN > Device Support > Parser.
  2. Select the Parser and click Disable, since otherwise two active parsers would exist for the same device.
  3. Select the same Parser and click Clone.
  4. Make the required modifications to the parser.
  5. Click Validate to check the modified Parser syntax.
  6. Click Test to check the semantics of the modified Parser.
  7. If both Validate and Test pass, then click Enable and then Save.
    The modified Parser should show Enabled.
  8. Click Apply to deploy the modified Parser to all the nodes.

For details, see here.

Creating Custom Parsers

If you want to create a completely new log parser, then do the following steps:

  1. Go to ADMIN > Device Support > Parser.
  2. Parsers are evaluated serially from top to bottom in the list. Select the parser just before the current custom parser and click New.
  3. Fill in the parser details – Vendor, Model, test Events and the parser itself.
  4. Click Validate to check the syntax.
  5. Click Test to check the semantics of the modified parser.
  6. If all passes, then click Enable and then click Save.
    The newly added parser should show Enabled.
  7. Click Apply to deploy the change to all the nodes.

For details, see here.

Handling Multi-line Syslog

When devices send the same log in multiple log messages, you can combine them into one log in FortiSIEM to facilitate analysis and correlation.

  1. Go to ADMIN > General Settings > Event Handling > Multi-line Syslog.
  2. Click New to begin a multi-line syslog handling rule.
  3. Enter a Protocol – TCP or UDP.
  4. Enter Begin Pattern and End Pattern regular expressions.
    All the logs between a match of the begin pattern and a match of the end pattern are combined into a single log.

For details, see here.

Creating Synthetic Transaction Monitors

You can define a Synthetic Transaction Monitor to monitor the health of an application or a web service. To do this:

  1. Go to ADMIN > Setup > STM.
  2. Create a monitoring definition: click New and enter the required fields. When the protocol is HTTP, a Selenium script can be input. Specify the timeout values for detecting STM failures.
  3. Apply the monitoring definition to a host.
  4. Make sure it is working correctly by clicking Monitor Status.

For details, see here.

Mapping Events to Organizations

In most cases, the events received by a Collector are tagged with the Organization to which the Collector belongs. In some cases, events for multiple Organizations are aggregated by an upstream device and then forwarded to FortiSIEM. In this case, FortiSIEM needs to map events to Organizations based on a parsed event attribute. An example is the FortiGate VDOM attribute.

This is accomplished as follows:

  1. Go to ADMIN > General Settings > Event Handling > Event Org Mapping.
  2. Click New to create an Event Org mapping definition.
  3. Specify the Collectors that will do this Event Org Mapping.
  4. Specify the Event Attribute that contains the Organization information.
  5. Specify the mapping rules – which Event Attribute value maps to which Organization.

For details, see here.

Adding Windows Agents

Adding FortiSIEM Windows Agents also needs a FortiSIEM Windows Agent Manager (WAM). The overall steps are:

  1. Make sure you have Windows Agent Licenses (see ADMIN > License > License).
  2. Go to ADMIN > Setup > Windows Agent and specify a Windows Agent Manager.
    You can split up Windows Agent licenses across multiple WAMs. In the WAM definition, you also specify where the Windows Agents will upload Events – Supervisor or Collectors (recommended for high availability and load balancing).
  3. Install WAM and Register the WAM to the Supervisor.
    The WAMs will get their own Windows Agent licenses and event upload destinations.
  4. Install Windows Agents and configure them from the WAM.

For details about Configuring Windows Agent in FortiSIEM (Steps 1-2), see here.

For details about Installing WAM (Step 3) and configuring Windows Agents in WAM (Step 4), see FortiSIEM - Windows Agent & Agent Manager Installation Guide here.

Forwarding Events to External Systems

Events received by FortiSIEM can be forwarded to external systems. FortiSIEM provides a flexible way to define the forwarding criteria and the forwarding mechanism, such as syslog, Kafka or Netflow.

For details, see here.

Creating New Rules

To create new Rules, go to RESOURCES > Rules, choose a folder and click New. Remember to test and activate the rule.

For details, see here.

Rules can also be created from ANALYTICS tab. Once you have run a search, create a rule from it by clicking Actions > Create Rule.

For details, see here.

Creating New Reports

New Reports can be created from RESOURCES > Reports > Choose a Folder > Click New.

For details, see here.

Reports can also be created from ANALYTICS tab. Once you have run a search, you can save it as a Report by clicking Actions > Save Result.

For details, see here.

Scheduling Reports

Reports can be scheduled to run at a later time and contain data for a specific period of time. Go to RESOURCES > Reports > Choose a Report > More > Schedule.

For details, see here.

Customizing Built-in Dashboards

FortiSIEM Built-in Dashboards are organized in Folders with multiple Dashboards in each Folder. You can add dashboards to any Folder or modify the dashboards in any built-in folder. Dashboard modification can include – modifying chart layout, chart settings or even adding new widgets for widget dashboards.

For details, see here.

You can also choose to display only a set of Dashboard Folders by visiting ADMIN > General Settings > System > UI > Dashboard Settings.

Creating Custom Dashboards

You can either create a new Dashboard Folder and move dashboards in it or add dashboards to an existing folder.

To create a new Dashboard folder, click DASHBOARD, scroll down the dashboard folder drop-down and click New.

To create a new Dashboard, select the folder from the drop-down and click +. For Widget Dashboards, click + on the top-left to add Widgets to the Dashboard.

For details, see here.

Creating Business Service Dashboards

After creating a new Dashboard, choose Type = Business Service Dashboard. Then select the Business Service Selector on the top right to add Business Services to the Dashboard.

For details, see here.

Monitoring System Health

To see the system level health of every FortiSIEM Supervisor/Worker node, go to ADMIN > Health > Cloud Health. The top pane shows the overall health of various nodes – Supervisor and Workers. Click on any one node and the bottom pane shows the health of the various processes in that node.

For details, see here.

Monitoring Collector Health

To see the system level health of every FortiSIEM Collector node, go to ADMIN > Health > Collector Health.

For details, see here.

Monitoring Windows Agent Health

To see the Windows Agent health information, go to ADMIN > Health > Windows Agent Health.

For details, see here.

Monitoring Elasticsearch Health

To see the Elasticsearch health information, go to ADMIN > Health > Elasticsearch Health.

For details, see here.

System Errors

To see the system errors, click the 'Task and Error' icon on the top-right corner of FortiSIEM GUI and select the Error tab. You can also run a report in ANALYTICS > Folders > Shortcuts > Top FortiSIEM Operational Errors.

Monitoring User Activity

To see FortiSIEM User Activity, click the 'User Activity' icon on the top-right corner of the FortiSIEM GUI. You can see logged-in users, the queries they are running, and locked-out users. You can also forcefully log out specific users.