System Settings

The following section describes the procedures for system settings:

UI settings

The initial view of FortiSIEM UI after login can be configured using the UI settings including dashboard, logos and theme.

Follow the procedure below to configure the FortiSIEM UI:

  1. Go to ADMIN > General Settings > System > UI tab.
  2. Select and enter the following information under UI Settings:
    Setting - Guideline
    • Home - Select the tab to display when you log in to FortiSIEM.
    • Incident Home - Select the List or Risk view for the INCIDENTS tab.
    • Dashboard Home - Select the dashboard to display by default on the DASHBOARD tab from the drop-down.
    • Dashboard Theme - Select the dark or light theme. Currently, the dark theme setting is global, so all users have the same theme.
    • Dashboard Settings - Select the types of dashboards to be visible or hidden using the left/right arrows. The up/down arrows can be used to sort the dashboards.
    • UI Logo/Report Logo - Select the UI and Report logos using these options. The supported image formats are PNG for UI Logo and SVG for Report Logo.
    • Google Maps API Key - FortiSIEM uses Google Maps to show location-related information. Google requires that you have a registered API key to use this service. You can start with a free key and upgrade later. Go to https://developers.google.com/maps/documentation/javascript/get-api-key and follow the steps below to get an API key:
      1. Sign in to your Google account.
      2. Click the GET STARTED button.
      3. Select Maps and click CONTINUE.
      4. Enter a project name and select Yes to agree to the 'Terms of Service'.
      5. Click NEXT.
      6. Set up the billing information and get the key.
  3. Click Save.

Note: All the above settings take effect the next time you log in, or when you refresh the browser in the same login session.

Email settings

The system can be configured to send email as an incident notification action or send scheduled reports. Use these fields to specify outbound email server settings.

Follow the procedure below to configure email settings:

  1. Go to ADMIN > General Settings > System > Email tab.
  2. Enter the following information under Email Settings:

    Setting - Guideline
    • Email Gateway Server - [Required] Holds the gateway server used for email.
    • Server Account ID - [Required] The account name for the gateway.
    • Account password - [Required] The password for the account.
    • Server Port - Port used by the gateway server.
    • Secure Connection (TLS) - Protocol used by the gateway server. This can be Exchange or SMTP.
    • Admin Email Ids - Email addresses for all of the admins.
    • Default Email Sender - Default email address of the sender.
  3. Click the Test Email button to test the new email settings.
  4. Click Save.
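
Before the Account password is saved against a gateway, it helps to confirm that the Email Gateway Server and Server Port chosen above offer STARTTLS and do not accept AUTH on the unencrypted session. The following is an added example, not FortiSIEM code; it assumes a STARTTLS-style SMTP gateway, and the host names and EHLO replies in it are constructed samples.

```python
import smtplib
import ssl

def parse_ehlo(reply):
    """Map ESMTP keywords to parameters; input is the text smtplib's ehlo() returns."""
    caps = {}
    for line in reply.splitlines()[1:]:            # line 0 is the server greeting
        words = line.replace("=", " ", 1).split()  # tolerate legacy "AUTH=LOGIN"
        if words:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps

def audit_gateway(pre_tls, post_tls=None):
    """Return findings for the EHLO replies seen before and after STARTTLS."""
    findings = []
    before = parse_ehlo(pre_tls)
    if "STARTTLS" not in before:
        findings.append("STARTTLS not offered: account password would cross the network in cleartext")
    if "AUTH" in before:
        findings.append("AUTH advertised before TLS: gateway accepts credentials on an unencrypted session")
    if post_tls is not None and "AUTH" not in parse_ehlo(post_tls):
        findings.append("no AUTH after TLS: gateway will not accept the account credentials")
    return findings

def fetch_ehlo(host, port, timeout=10):
    """Collect both EHLO replies from a live gateway, validating its certificate."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, pre = smtp.ehlo()
        post = None
        if smtp.has_extn("starttls"):
            # Default context verifies the certificate chain and host name.
            smtp.starttls(context=ssl.create_default_context())
            _, post = smtp.ehlo()
        return pre.decode(), post.decode() if post is not None else None

# Constructed sample replies (not captured from a real server).
GOOD_PRE = "mail.example.test\nSIZE 35882577\nSTARTTLS\n8BITMIME"
GOOD_POST = "mail.example.test\nSIZE 35882577\nAUTH PLAIN LOGIN\n8BITMIME"
WEAK_PRE = "relay.example.test\nSIZE 10240000\nAUTH=LOGIN PLAIN\n8BITMIME"

if __name__ == "__main__":
    for name, pre, post in (("good", GOOD_PRE, GOOD_POST), ("weak", WEAK_PRE, None)):
        print(name, audit_gateway(pre, post) or "ok")
```

Against a real gateway, pass the result of fetch_ehlo(host, port) to audit_gateway; an empty list means the credentials are only exchanged after a verified TLS upgrade.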

Configuring Incident Email Template

  1. Click New under the section Incident Email Template.
  2. Enter the Name of the template.
  3. Select the Organization from the list.
  4. Enter the Email Subject. You can also insert incident attribute variables into the Email Subject from the Insert Content drop-down.
  5. Enter the Email Body by selecting the attribute variables from the Insert Content drop-down into your template, rather than typing. If required, enable Support HTML for HTML content support.
  6. Click Preview to preview the email template.
  7. Click Save to apply the changes.

To set an email template as default, select the template in the list, and then click Set as Default. When you are creating a notification policy and need to select an email template, if you leave the option blank, the default template will be used. For Service Provider deployments, to select a template as default for an organization, first select the organization, then set the default email template for that organization.

Collector Image Server settings

Collector images can be upgraded by specifying here the location of the upgrade images and the credentials to access them.

Follow the procedure below to configure Collector Image Server settings:

  1. Go to ADMIN > General Settings > System > Collector Image Server tab.
  2. Enter the following information:
    • Image Download URL - URL to download the Collector image.
    • Image Server Username - user name to log in.
    • Image Server Password - password corresponding to the user name.
  3. Click Save.

Worker Upload settings

Collectors upload events and configurations to Worker nodes. Use this field to specify the Worker host names or IP addresses.

There are two cases:

  • Explicit list of Worker IP addresses or host names - Collector forwards to this list in a round-robin manner.
  • Host name of a load balancer - Collector forwards to the load balancer, which needs to be configured to distribute events to the Workers.

Follow the procedure below to configure Worker upload settings:

  1. Go to ADMIN > General Settings > System > Worker Upload tab.
  2. Enter the IP under Worker Address.
    You can add more by clicking '+' or use '-' to remove any added address.
  3. Click Save.

Data Update Server settings

Data Update Server settings are used to specify the location of the data update images and the credentials needed to access them.

Prerequisites

Follow the procedure below to configure Data Update server settings:

  1. Go to ADMIN > General Settings > System > Data Update Server tab.
  2. Enter the following information:
    • Data Update URL
    • Server Username and Server Password - these are the license credentials.
    • Notify Email - you will receive an email notification when new data updates are available.
  3. Click Save.

Lookup settings

Lookup settings can be used to look up any IP or domain by providing a link.

Follow the procedure below for lookup:

  1. Go to ADMIN > General Settings > System > Lookup tab.
  2. Enter the Name.
  3. Set the Client Type to IP or Domain.
  4. Enter the Link for look-up.
  5. Click Save.

Kafka settings

FortiSIEM events found in the system event database can be exported to an external system via the Kafka message bus.

FortiSIEM supports both forwarding events to an external system via Kafka message bus as a 'Producer' and receiving events from a third-party system to FortiSIEM via Kafka message bus as a 'Consumer'.

As a Producer:

  • Make sure you have set up a Kafka Cloud (here) with a specific Topic for FortiSIEM events.
  • Make sure you have identified a set of Kafka brokers that FortiSIEM is going to send events to.
  • Make sure you have configured Kafka receivers that can parse FortiSIEM events and store them in a database. An example would be a Logstash receiver (see here) that stores them in an Elasticsearch database.
  • Supported Kafka version: 0.8

As a Consumer:

  • Make sure you have set up a Kafka Cloud (here) with a specific Topic, Consumer Group and a Consumer for sending third party events to FortiSIEM.
  • Make sure you have identified a set of Kafka brokers that FortiSIEM will receive events from.
  • Supported Kafka version: 0.8

Follow the procedure below for configuring Kafka settings in FortiSIEM:

  1. Go to ADMIN > General Settings > Kafka tab.
  2. Click New.
  3. Enter the Name and Topic.
  4. Select or search the Organization from the drop-down.
  5. Add Brokers by clicking the + icon.
    1. Enter IP address or Host name of the broker.
    2. Enter Broker port (default 9092).
  6. Click Save.
  7. Set the Client Type to Producer or Consumer.
  8. If Consumer is selected in step 7, enter the Consumer Name and Group Name fields.
  9. Click Save.

For all the above settings, you can use the Edit button to modify or Delete button to remove any setting from the list.