System Settings

The following section describes the procedures for system settings:

UI Settings

There are two locations where you can change UI settings in FortiSIEM. One location is in the user profile. The other is in the administrator settings.

User Profile UI Settings

The initial view of the FortiSIEM UI after login can be configured using the UI settings, including dashboard, logos, and theme.

Click the User Profile icon in the upper right corner of the UI. The dialog box contains three tabs:

Basic - Use the Basic tab to change your password for the system.

Contact - Use the Contact tab to enter your contact information.

UI Settings - Use the UI Settings tab to set the following:

Setting - Guideline

Home - Select the tab which opens when you log in to the FortiSIEM UI.
Incident Home - Select the Overview, List, Risk, or Explorer display for the INCIDENTS tab.
Dashboard Home - Select the Dashboard to open by default under the DASHBOARD tab from this drop-down list.
Dashboard Settings - Select the type of dashboards to be visible/hidden using the left/right arrows. The up/down arrows can be used to sort the Dashboards.
Language - Specify which language will be used for the UI display. Many UI items have been translated into the languages in the drop-down list, including buttons, labels, top-level headings, and breadcrumbs. Items that are data-driven are not translated.
Theme - Select Dark or Light theme for the FortiSIEM UI. Save and refresh the browser to view the change.

Note: All of the above settings will take effect when you log in again or when you refresh the browser in the same login session.

Administrator UI Settings

Click ADMIN > Settings > System > UI to access the administrator UI settings.

Setting - Guideline

UI Logo - Click the edit icon to enter the path to the image file for the logo that will be used in the UI.
Report Logo - Click the edit icon to enter the path to the image file for the logo that will be used in reports.
Google Maps API Key - Click the edit icon to enter the API key to access Google Maps.


Email Settings

The system can be configured to send email as an incident notification action or send scheduled reports. Use these fields to specify outbound email server settings.

Complete these steps to customize email settings:

  1. Go to ADMIN > Settings > System > Email tab.
  2. Enter the following information under Email Settings:

    Setting - Guideline
    Email Gateway Server - [Required] Holds the gateway server used for email.
    Server Account ID - [Required] The account name for the gateway.
    Account Password - [Required] The password for the account.
    Server Port - Port used by the gateway server.
    Secure Connection (TLS) - Protocol used by the gateway server. This can be Exchange or SMTP.
    Admin Email Ids - Email addresses for all of the admins.
    Default Email Sender - Default email address of the sender.
  3. Click Test Email button to test the new email settings.
  4. Click Save.

Customizing the Incident Email Template

Use the following procedure to customize the incident email template.

  1. Click New under the section Incident Email Template.
  2. Enter the Name of the template.
  3. Select the Organization from the list.
  4. Enter the Email Subject. You can also choose the incident attribute variables from Insert Content drop-down as part of Email Subject.
  5. Enter the Email Body by selecting the attribute variables from Insert Content drop-down into your template, rather than typing. If required, enable Support HTML for HTML content support.

    Incident Attribute - Description
    Organization - Organization to which this Incident belongs.
    Status - Incident Status: Active (0), Auto Cleared (1), Manually Cleared (2), System Cleared (3)
    Host Name - Host Name from Incident Target. If not found, it is gathered from Incident Source.
    Incident ID - Incident ID assigned by FortiSIEM; it is unique. This attribute carries a URL that takes the user to this incident after login.
    Incident ID Without Link - Incident ID assigned by FortiSIEM; it is unique. This attribute does not carry a URL.
    First Seen Time - First time the incident occurred
    Last Seen Time - Last time the incident occurred
    Incident Category - Security, Performance, Availability or Change
    Incident Severity - A number from 0-10
    Incident Severity Category - HIGH (9-10), MEDIUM (5-8) and LOW (1-4)
    Incident Count - Number of times the same incident has happened with the same group-by parameters
    Rule Name - Rule Name
    Rule Remediation Note - Remediation note defined for each rule
    Rule Description - Rule Description
    Incident Source - Source IP, Source Name in an Incident
    Incident Target - Destination IP, Destination Host Name, Host IP, Host Name, User in an Incident
    Incident Detail - Any group-by attribute in an Incident other than those in Incident Source and Incident Target
    Affected Business Service - Comma-separated list of all business services to which Incident Source, Incident Target or Reporting Device belongs
    Identity - Identity and Location for Incident Source
    Notify Policy ID - Notification Policy ID that triggered this email notification
    Triggering Attributes - List of attributes that trigger a rule; found in Rule > Sub pattern > Aggregate
    Raw Events - Triggering events in raw format as sent by the device (up to 10)
    Incident Cleared Reason - Value set by the user when clearing a rule
    Device Annotation - Annotation for the device in Incident Target, as set in CMDB
    Device Description - Description for the device in Incident Target, as set in CMDB
    Device Location - Location for the device in Incident Target, as set in CMDB
    Incident Subcategory - Specific to each category, as set in the Rule definition
    Incident Resolution - None, True Positive, False Positive

  6. Click Preview to preview the email template.
  7. Click Save to apply the changes.

To set an email template as default, select the template in the list, and then click Set as Default. When you are creating a notification policy and must select an email template, if you leave the option blank, the default template will be used. For Service Provider deployments, to select a template as default for an Organization, first select the Organization, then set the default email template for that organization.
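The following added example (not FortiSIEM code) shows how the status codes and severity bands from the attribute table map to labels, and why every substituted value should be escaped when Support HTML is enabled: Raw Events are device-supplied text and should never be interpreted as markup by the recipient's mail client. The {{Attribute Name}} placeholder syntax and the sample incident are assumptions made for the example; the page does not show FortiSIEM's own variable syntax.

```python
import html
import re

# Code-to-label mappings taken from the Incident Attribute table above.
STATUS_NAMES = {0: "Active", 1: "Auto Cleared", 2: "Manually Cleared", 3: "System Cleared"}

def severity_category(severity):
    """Map the 0-10 Incident Severity to the documented HIGH/MEDIUM/LOW bands."""
    if not 0 <= severity <= 10:
        raise ValueError(f"severity out of range: {severity}")
    if severity >= 9:
        return "HIGH"
    if severity >= 5:
        return "MEDIUM"
    if severity >= 1:
        return "LOW"
    return "NONE"  # assumption: severity 0 is not covered by the documented bands

# Hypothetical placeholder syntax {{Attribute Name}}; the real variables are inserted
# from the Insert Content drop-down and their syntax is not shown on this page.
PLACEHOLDER = re.compile(r"\{\{([^{}]+)\}\}")

def render_template(body, attrs, support_html=False):
    """Substitute incident attributes into a template body.
    With Support HTML enabled the body is HTML, so every substituted value is
    escaped: Raw Events are device-supplied text and must not become markup."""
    def substitute(match):
        name = match.group(1).strip()
        if name not in attrs:
            raise KeyError(f"unknown incident attribute: {name}")
        value = str(attrs[name])
        return html.escape(value, quote=True) if support_html else value
    return PLACEHOLDER.sub(substitute, body)

# Constructed sample incident (not real FortiSIEM output).
SAMPLE_INCIDENT = {
    "Incident ID Without Link": 100042,
    "Rule Name": "Excessive Failed Logons",
    "Status": STATUS_NAMES[0],
    "Incident Severity": 9,
    "Incident Severity Category": severity_category(9),
    "Incident Source": "10.1.2.3",
    "Raw Events": "logon failed user=<b>admin</b> from 10.1.2.3",
}
HTML_BODY = "<p>{{Rule Name}} ({{Incident Severity Category}})</p><pre>{{Raw Events}}</pre>"

if __name__ == "__main__":
    print(render_template(HTML_BODY, SAMPLE_INCIDENT, support_html=True))
```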

Collector Image Server Settings

Click ADMIN > Settings > System > Collector Image Server to display the location of the image updates. The Image Download URL field cannot be edited.

To update the image, see Upgrade Cluster Deployment in the Upgrade Guide for more information.

If the Image Download URL field is empty, then no image updates have been performed.

Event Worker Settings

Collectors upload events and configurations to Worker nodes. Use this field to specify the Worker host names or IP addresses.

There are three cases:

  • Explicit list of Worker IP addresses or host names - the Collector forwards to this list in a round-robin manner.
  • If you are not using Workers and using only a Supervisor and Collector(s), specify the Supervisor IP address or host name. The Collectors will upload directly to the Supervisor node.
  • Host name of a load balancer - the Collector forwards events to the load balancer, which must be configured to distribute events to the Workers.

Any host names specified in the Worker Upload settings must be resolvable by the Collector, and similarly, any specified IP addresses must be reachable from the Collector.

Complete these steps to configure Worker upload settings:

  1. Go to ADMIN > Settings > System.
  2. Click Event Worker.
  3. Enter the IP address of the event worker under Worker Address.
    You can click '+' or '-' to add or remove addresses.
  4. Click Save.

Query Worker Settings

Release 5.3 introduces the concept of a Query Worker, which handles only query requests: ad hoc queries from the GUI and scheduled reports. This allows more system resources to be dedicated to queries and makes them run faster.

By default, all Workers are also Query Workers. If you want only a subset of Workers to be Query Workers, then complete these steps:

  1. Go to ADMIN > Settings > System.
  2. Click Query Worker.
  3. Select the Workers you want to use from the list.

    Note: Workers will be removed automatically from the Query Worker Settings if they are explicitly listed there. If you used a load balancer or DNS name, then you must manually remove the Query Worker from those configurations.

Lookup Settings

Lookup settings let you look up any IP address or domain at an external site by providing a link template.

Complete these steps for lookup:

  1. Go to ADMIN > Settings > System > Lookup tab.
  2. Enter the Name.
  3. Set the Client Type to IP or Domain.
  4. Enter the Link for look-up.

    You must enter "<ip>" in the link. FortiSIEM will replace "<ip>" with the proper IP address during lookup.

    For example, to lookup the following URL:

    http://whois.domaintools.com/8.8.8.8

    Enter the following link in FortiSIEM:

    http://whois.domaintools.com/<ip>

  5. Click Save.
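The "<ip>" substitution described above, as an added example that is not FortiSIEM's own code: the token in the saved link is replaced by the looked-up value, but only after the value has been checked against the configured Client Type, so that nothing other than an address or host name can be spliced into the outbound URL. The host name rule used for the Domain type is an assumption; the page does not document FortiSIEM's own validation.

```python
import ipaddress
import re
from urllib.parse import quote

PLACEHOLDER = "<ip>"
# Hostname label rule (letters, digits, hyphens, 1-63 chars) is an assumption;
# FortiSIEM's own validation of the Domain client type is not documented here.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

def is_valid_domain(name):
    """Accept dotted host names only, never paths, schemes or query strings."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)

def build_lookup_url(link, client_type, value):
    """Expand a Lookup link the way the settings page describes: the literal
    "<ip>" token is replaced by the value, after the value has been checked
    against the configured Client Type so that only an address or host name
    can ever land in the URL."""
    if PLACEHOLDER not in link:
        raise ValueError('lookup link must contain "<ip>"')
    if client_type == "IP":
        ipaddress.ip_address(value)  # raises ValueError for anything that is not an IP
    elif client_type == "Domain":
        if not is_valid_domain(value):
            raise ValueError(f"not a valid domain: {value!r}")
    else:
        raise ValueError(f"unknown Client Type: {client_type!r}")
    # Percent-encode defensively; a valid IPv4 address or host name is left unchanged.
    return link.replace(PLACEHOLDER, quote(value, safe=""))

if __name__ == "__main__":
    # The example from the settings page.
    print(build_lookup_url("http://whois.domaintools.com/<ip>", "IP", "8.8.8.8"))
```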

Kafka Settings

FortiSIEM events stored in the system event database can be exported to an external system via the Kafka message bus.

FortiSIEM can act as a Kafka 'Producer', forwarding events to an external system over the Kafka message bus, and as a Kafka 'Consumer', receiving events from a third-party system over the Kafka message bus.

As a Producer:

  • Make sure you have set up a Kafka Cloud with a specific Topic for FortiSIEM events.
  • Make sure you have identified the set of Kafka brokers that FortiSIEM is going to send events to.
  • Make sure you have configured Kafka receivers which can parse FortiSIEM events and store them in a database. An example would be a Logstash receiver that can store them in an Elasticsearch database.
  • Configure event forwarding in order for FortiSIEM to send events to an external Kafka consumer.
  • Supported Kafka version: 0.8

As a Consumer:

  • Make sure you have set up a Kafka Cloud with a specific Topic, Consumer Group and a Consumer for sending third-party events to FortiSIEM.
  • Make sure you have identified the set of Kafka brokers that FortiSIEM will receive events from.
  • Supported Kafka version: 0.8

Complete these steps for configuring Kafka settings in FortiSIEM:

  1. Go to ADMIN > Settings > System > Kafka tab.
  2. Click New.
  3. Enter the Name and Topic.
  4. Select or search the Organization from the drop-down.
  5. Add Brokers by clicking + icon.
    1. Enter IP address or Host name of the broker.
    2. Enter Broker port (default 9092).
  6. Click Save.
  7. Set the Client Type to Producer or Consumer.
  8. If Consumer was selected in step 7, enter the Consumer Name and Group Name fields.
  9. Click Save.

Dashboard Slideshow Settings

Dashboard Slideshow settings are used to select a set of dashboards and display them in a slideshow mode on big monitors to cover the entire display. This is useful for Network and Security Operation Centers.

Complete these steps to create a Dashboard Slideshow:

  1. Go to ADMIN > Settings > System > Dashboard Slideshow tab.
  2. Click New to create a slideshow.
  3. Enter a Name for the slideshow.
  4. Select the Interval for switching between dashboards.
  5. Select the Dashboards from the list and move to the Selected list.
    These dashboards will be displayed in a slideshow mode.
  6. Click Save.

For all the above System settings, use the Edit button to modify or Delete button to remove any setting from the list.