Editing Event Pulling

After discovery is complete, FortiSIEM starts pulling events from devices with correct credentials. Examples include Windows Servers via WMI, VMware vCenter via VMware SDK, and AWS CloudTrail via AWS SDK.

The following sections describe the procedures to see the status of these event pulling jobs and turn them on/off.

Viewing event pulling

Follow the procedure below to view event pulling jobs:

  1. Go to ADMIN > Setup > Pull Events tab.
  2. See the listed jobs:
    • Enabled – the job is enabled at a device level.
    • Device name – name of the device in CMDB.
    • Access IP – IP address with which FortiSIEM accesses this device.
    • Device Type – the device type in CMDB.
    • Organization – the organization to which this device belongs (for a multi-tenant FortiSIEM install).
    • Method – the event pulling method, in the format: credential name (Access Protocol).
    • Maintenance – indicates if this device is in maintenance or not.
  3. Use the Enabled option to view the enabled devices.
  4. Select Errors to view the list of errors, if any.

Modifying event pulling jobs

Follow the procedure below to enable/disable event pulling for all jobs on a device (all jobs will be enabled/disabled):

  1. Go to ADMIN > Setup > Pull Events tab.
  2. Select the device from the list.
  3. Select the All check box to enable all jobs, or deselect it to disable them.
  4. Click Apply.

Follow the procedure below to enable/disable a specific event pulling job for a device:

  1. Go to ADMIN > Setup > Pull Events tab.
  2. Select the device from the list.
  3. Click Edit.
  4. Check the specific job to enable/disable.
  5. Click Apply.

Checking status of event pulling jobs

Follow the procedure below to check the status of event pulling jobs:

  1. Go to ADMIN > Setup > Pull Events tab.
  2. Select the device from the list.
  3. Hover over the Method column – the tooltip shows the Execution Status.
  4. To see the events generated from the event pulling job, click Report.
    A report is run for all the events generated by this event pulling job in the last 10 minutes.

Exporting event pulling jobs into a report

Follow the procedure below to export an event pulling job report:

  1. Go to ADMIN > Setup > Pull Events tab.
  2. Click Export.
  3. Optional - Enter the User Notes.
  4. Select the output format (PDF or CSV) and click Generate.
  5. Click View to download and view the report.

Viewing event pulling reports

  1. Go to ADMIN > Setup > Pull Events tab.
  2. Select Super/Local or Org with collector, or use the Search field, to view any related jobs.