PCI Logging Status Dashboard

A PCI Logging Status dashboard provides an overview of which devices in the PCI Business Service are logging, and which are logging correctly. The devices are displayed by CMDB Device Group (for example Windows, Linux, Firewalls, and so on) and by Business Unit.

Setting Up Data Source

Creating CMDB Devices

Devices must exist in the CMDB before they can be displayed in the dashboard. They can be added in any of the following ways:

  • Manually:
    1. Go to CMDB > select the Device Group > click New.
  • Discovery:
    1. Create the credentials in ADMIN > Setup > Credentials.
    2. Discover in ADMIN > Setup > Discovery.
  • Device Import:
    1. Go to ADMIN > Settings > General > External Integration.
    2. Click New and choose Type as "Device" and Direction as "Inbound".
    3. Choose the File Path on the Supervisor node and place the CSV file there.
    4. For Content Mapping, click the edit icon.
      1. For Column Mapping, click + and enter the mapping between columns in the Source CSV file and the Destination CMDB.
        1. Enter Source CSV column Name for Source Column.
        2. Check Create Property if it Does not Exist to create the new attribute in FortiSIEM if it does not exist.
          1. Enter a name for the Destination Column of the property from the drop-down list.
          2. Select Overwrite Existing Value if the property exists in the CMDB, but you want to overwrite its current value.
        3. If the property exists in the CMDB, select FortiSIEM CMDB attribute for Destination Column.
        4. Select Overwrite Existing Value if the property exists in the CMDB, but you want to overwrite its current value.
        5. Click OK.
      2. For Data Mapping, click + and enter the mapping between data values in the external system and the destination CMDB.
    5. Click Save.
    6. Select the Instance and click Run.

Assigning Devices to Business Units

For the PCI Logging dashboard to display devices logging and logging correctly by business unit, the Business Unit property must be set on each device. This can be done in any of the following ways:

  • Manually:
    1. Go to CMDB > select one or more devices > click Edit and set the Business Unit.
    2. Click Save.
  • Device Import:
    1. Prepare a CSV file containing Device Host Names and Business Unit as two columns. Note that the Device host names must match the host names in CMDB, if they are present.
    2. Go to ADMIN > Settings > General > External Integration.
    3. Click New and choose Type as "Device" and Direction as "Inbound".
    4. Choose the File Path on the Supervisor node and place the CSV file there.
    5. For Content Mapping, click the edit icon.
      1. For Column Mapping, click + and enter the mapping between columns in the Source CSV file and the Destination CMDB.
        1. Enter Source CSV column Name for Source Column.
        2. Check Create Property if it Does not Exist to create the new attribute in FortiSIEM if it does not exist.
          1. Enter a name for the Destination Column of the property from the drop-down list.
          2. Select Overwrite Existing Value if the property exists in the CMDB, but you want to overwrite its current value.
        3. If the property exists in the CMDB, select FortiSIEM CMDB attribute for Destination Column.
        4. Select Overwrite Existing Value if the property exists in the CMDB, but you want to overwrite its current value.
        5. Click OK.
      2. For Data Mapping, click + and enter the mapping between data values in the external system and the destination CMDB.
    6. Click Save.
    7. Select the instance and click Run.

Assigning Devices to PCI Service

Devices in the PCI Logging Status Dashboard belong to the PCI Business Service. Assigning Devices to the PCI Service can be done in any of the following ways:

  • Manually:
    1. Go to CMDB > Business Services > Compliance > select the PCI Service > click Edit and add Devices.
    2. Click Save.
  • Device Import:
    1. Prepare a CSV file containing Device Host Names and the isPCI property as two columns. Host names must match the host names in CMDB. The isPCI Device Property takes TRUE or FALSE values.
    2. Go to ADMIN > Settings > General > External Integration.
    3. Click New and choose Type as "Device" and Direction as "Inbound".
    4. Choose the File Path on the Supervisor node and place the CSV file there.
    5. For Content Mapping, click the edit icon.
      1. For Column Mapping, click + and enter the mapping between columns in the Source CSV file and the Destination CMDB.
        1. Enter Source CSV column Name for Source Column.
        2. Check Create Property if it Does not Exist to create the new attribute in FortiSIEM if it does not exist.
          1. Enter a name for the Destination Column of the property from the drop-down list.
          2. Select Overwrite Existing Value if the property exists in the CMDB, but you want to overwrite its current value.
        3. If the property exists in the CMDB, select FortiSIEM CMDB attribute for Destination Column.
        4. Select Overwrite Existing Value if the property exists in the CMDB, but you want to overwrite its current value.
        5. Click OK.
      2. For Data Mapping, click + and enter the mapping between data values in the external system and the destination CMDB.
    6. Click Save.
    7. Select the instance and click Run.

Note: Device Import options in Assigning Devices to Business Units and Assigning Devices to PCI Service can be combined. So it is possible to have a single file with three columns: Host Name, Business Unit, and isPCI.
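The combined three-column import file described in the note above is easy to get wrong in ways the import will not report loudly: a host name that does not match CMDB is simply not updated, and an isPCI value other than TRUE or FALSE will not put the device into the PCI service. The following is an added example (not FortiSIEM code) that validates such a file before it is copied to the External Integration File Path on the Supervisor. The CMDB host list and the CSV content are constructed here, and the column names "Host Name", "Business Unit" and "isPCI" are assumptions for this example; they must match whatever you configure under Column Mapping.

```python
"""Validate a FortiSIEM device-import CSV before copying it to the Supervisor.

Added example, not FortiSIEM code. The CMDB host list and the CSV content
are constructed here; the column names ("Host Name", "Business Unit",
"isPCI") are assumptions and must match your Column Mapping.
"""
import csv
import io

# Constructed stand-in for the host names already present in CMDB.
CMDB_HOSTS = {"fw-dmz-01", "win-pci-db01", "lnx-pci-app02", "rtr-core-01"}

REQUIRED_COLUMNS = ("Host Name", "Business Unit", "isPCI")
VALID_ISPCI = {"TRUE", "FALSE"}  # the isPCI device property takes TRUE or FALSE


def validate_import_csv(csv_text, cmdb_hosts):
    """Return (good_rows, errors).

    good_rows: rows that are safe to import (isPCI normalised to upper case).
    errors:    "line N: problem" strings; an empty list means the file can be
               placed at the External Integration File Path as-is.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [], ["header: missing column(s) %s" % ", ".join(missing)]

    good_rows, errors, seen = [], [], set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        host = row["Host Name"].strip()
        bu = row["Business Unit"].strip()
        is_pci = row["isPCI"].strip().upper()
        problems = []
        if not host:
            problems.append("empty Host Name")
        elif host not in cmdb_hosts:
            # Assumption: the import matches host names exactly. A host that is
            # not in CMDB is not updated, so flag it rather than let it silently
            # stay off the PCI dashboard.
            problems.append("host %r not found in CMDB" % host)
        if host in seen:
            problems.append("duplicate Host Name %r" % host)
        seen.add(host)
        if not bu:
            problems.append("empty Business Unit")
        if is_pci not in VALID_ISPCI:
            problems.append("isPCI must be TRUE or FALSE, got %r" % row["isPCI"])
        if problems:
            errors.append("line %d: %s" % (line_no, "; ".join(problems)))
        else:
            good_rows.append({"Host Name": host, "Business Unit": bu, "isPCI": is_pci})
    return good_rows, errors


def write_import_csv(rows):
    """Serialise validated rows back to CSV text with the three expected columns."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=REQUIRED_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample file: three usable rows (one with lower-case "true"),
# one host that is not in CMDB, and one invalid isPCI value.
SAMPLE_CSV = """Host Name,Business Unit,isPCI
fw-dmz-01,Payments,TRUE
win-pci-db01,Payments,true
lnx-pci-app02,Retail,TRUE
lnx-old-app99,Retail,FALSE
rtr-core-01,Network,yes
"""

if __name__ == "__main__":
    rows, errs = validate_import_csv(SAMPLE_CSV, CMDB_HOSTS)
    for e in errs:
        print("ERROR", e)
    print(write_import_csv(rows))
```

In practice, feed `CMDB_HOSTS` from an export of the CMDB rather than a literal set, and only copy the output of `write_import_csv` to the Supervisor when `errors` is empty; rows that fail are better fixed at the source than dropped.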

Specifying Criteria for Logging Correctly

To specify a criteria for logging correctly, define the following:

  • Correctly Logging Reports – these specify the criteria for devices in a device group to be correctly logging Authentication, FIM, and Change events. Reports must be defined separately for each CMDB device group and each functional category: Authentication, FIM, and Change. Several Correctly Logging Reports are pre-defined in RESOURCES > Reports > Function > Compliance > Compliance Logging Policy.
  • PCI Logging Policy – these specify whether a CMDB Device Group needs to correctly send logs in the various functional categories: Authentication, FIM, and Change. Currently, these three functional categories are fixed. PCI Logging Policies can be specified in ADMIN > Settings > Compliance > PCI. Several PCI Logging Policies are pre-defined.

Complete these steps to customize correctly logging criteria:

  1. Define a report in RESOURCES > Reports > Function > Compliance > Compliance Logging Policy.
  2. Create a PCI Logging Policy in ADMIN > Settings > Compliance > PCI and specify the new report.

If you create your own correctly logging report, then it must have the following well-defined structure:

  • Group By Criteria must have Customer ID and Reporting Device Name.
  • Select Clause must have Customer ID, Reporting Device Name, and Last Event Receive Time.
  • Filtering Criteria must be specific to the CMDB Device Group (for example: Firewalls, Routers, Windows Server, and so on) and functional logging category (for example: Authentication, FIM, and Change).

Note: It is highly recommended to clone an existing correctly logging report and modify the Filtering Criteria.

Specifying Violation Time Limits

Specify the time duration after which a device is reported to be not logging or not logging correctly. Four properties are defined in ADMIN > Device Support > Custom Properties:

  • lastAuthTimeLimit - time limit for authentication logs (default 1 day)
  • lastFIMTimeLimit - time limit for FIM logs (default 1 day)
  • lastChangeTimeLimit - time limit for change logs (default 1 day)
  • lastLogTimeLimit - time limit for sending any log (default 1 day)

Similar to any other device property, you can change the global defaults and set them on a per-device basis.

Creating a Dashboard

Once you have set up the data sources following the steps in Setting Up Data Source, create the dashboard manually.

The dashboard is updated nightly at 12:00 am (Supervisor time). At that time, the Supervisor:

  • Runs the reports specified in ADMIN > Settings > Compliance > PCI.
  • Updates the last reporting times.
  • Calculates violations using the thresholds defined in ADMIN > Device Support > Custom Properties.

When you open the PCI Logging Status dashboard, the results are displayed from the daily run of previous night.

Analyzing Dashboard Data

The PCI Logging Status Dashboard displays:

  • Logging - Percentage of PCI devices logging within the time period lastLogTimeLimit (default 1 day).
  • Logging Correctly - Percentage of PCI devices logging correctly, that is, sending every functional category required by the PCI Logging Policy for their Device Group within the corresponding time limit.
  • Logging By Group - Percentage of PCI devices logging, broken down by Device Group.
  • Logging Correctly By Group - Percentage of PCI devices logging correctly, broken down by Device Group.
  • Logging Correctly By Business Unit, Group - Percentage of PCI devices logging correctly, broken down by Business Unit and Device Group.

The displays are color coded as Red, Yellow, and Green according to the tunable thresholds defined in Dashboard > Threshold Setting. By default:

  • Red – less than 50%
  • Yellow – between 50% and 80%
  • Green – higher than 80%
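The rules above (the per-device time limits from Specifying Violation Time Limits, the per-group PCI Logging Policy, the nightly run time, and the Red/Yellow/Green thresholds) combine in a way that is easier to reason about in code. The following is an added example, not FortiSIEM code, that applies them to constructed data: a few CMDB devices, a policy table, and the per-category "Last Event Receive Time" values that the Correctly Logging Reports return. All names, hosts and times are constructed for the example; the function names are this example's own.

```python
"""Nightly PCI logging-status calculation, modelled on the dashboard rules above.

Added example, not FortiSIEM code. Devices, policies and the per-category
last event receive times are constructed; function names are this example's own.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CATEGORIES = ("Authentication", "FIM", "Change")
# Global defaults from ADMIN > Device Support > Custom Properties (1 day each).
DEFAULT_LIMITS = {
    "lastLogTimeLimit": timedelta(days=1),
    "lastAuthTimeLimit": timedelta(days=1),
    "lastFIMTimeLimit": timedelta(days=1),
    "lastChangeTimeLimit": timedelta(days=1),
}
LIMIT_FOR = {"Authentication": "lastAuthTimeLimit", "FIM": "lastFIMTimeLimit",
             "Change": "lastChangeTimeLimit"}

# Constructed PCI Logging Policy: categories each CMDB Device Group must log.
POLICY = {
    "Windows": {"Authentication", "FIM", "Change"},
    "Linux": {"Authentication", "FIM", "Change"},
    "Firewalls": {"Authentication", "Change"},  # no FIM expected from a firewall
}

# Constructed CMDB devices; "limits" holds per-device overrides of the defaults.
DEVICES = [
    {"name": "win-pci-db01", "group": "Windows", "bu": "Payments", "isPCI": True, "limits": {}},
    {"name": "win-pci-ad01", "group": "Windows", "bu": "Payments", "isPCI": True, "limits": {}},
    {"name": "lnx-pci-app02", "group": "Linux", "bu": "Retail", "isPCI": True,
     "limits": {"lastFIMTimeLimit": timedelta(days=7)}},  # weekly FIM scan accepted here
    {"name": "fw-dmz-01", "group": "Firewalls", "bu": "Network", "isPCI": True, "limits": {}},
    {"name": "rtr-core-01", "group": "Routers", "bu": "Network", "isPCI": False, "limits": {}},
]

RUN_TIME = datetime(2024, 3, 2, 0, 0)  # nightly run at 12:00 am Supervisor time


def hours_ago(h):
    return RUN_TIME - timedelta(hours=h)


# Constructed report output: last event receive time per device and category,
# plus the last time any event at all was received ("any").
LAST_SEEN = {
    "win-pci-db01": {"any": hours_ago(1), "Authentication": hours_ago(2), "FIM": hours_ago(5), "Change": hours_ago(3)},
    "win-pci-ad01": {"any": hours_ago(1), "Authentication": hours_ago(1), "FIM": hours_ago(40)},  # FIM stale, no Change
    "lnx-pci-app02": {"any": hours_ago(2), "Authentication": hours_ago(2), "FIM": hours_ago(100), "Change": hours_ago(6)},
    "fw-dmz-01": {"any": hours_ago(30)},  # silent for 30 h
}


def evaluate(devices, last_seen, policy, run_time=RUN_TIME):
    """Return {name: {"logging": bool, "correct": bool, "violations": [(category, last_time)]}}."""
    result = {}
    for d in devices:
        if not d["isPCI"]:
            continue  # only members of the PCI Business Service are on this dashboard
        limits = dict(DEFAULT_LIMITS, **d["limits"])  # per-device override wins
        seen = last_seen.get(d["name"], {})
        violations = []
        any_t = seen.get("any")
        logging = any_t is not None and run_time - any_t <= limits["lastLogTimeLimit"]
        if not logging:
            violations.append(("any", any_t))
        for cat in CATEGORIES:
            if cat not in policy.get(d["group"], set()):
                continue  # policy does not require this category for the group
            t = seen.get(cat)
            if t is None or run_time - t > limits[LIMIT_FOR[cat]]:
                violations.append((cat, t))  # what the drill-down table shows
        result[d["name"]] = {"logging": logging, "correct": not violations, "violations": violations}
    return result


def color(pct):
    """Default Dashboard > Threshold Setting: Red < 50, Yellow 50..80, Green > 80."""
    if pct < 50:
        return "Red"
    return "Yellow" if pct <= 80 else "Green"


def summarize(devices, status, key=lambda d: "All"):
    """Percent logging / logging correctly per bucket; key(d) picks the bucket."""
    buckets = defaultdict(lambda: [0, 0, 0])  # total, logging, logging correctly
    for d in devices:
        if d["name"] in status:
            b = buckets[key(d)]
            b[0] += 1
            b[1] += status[d["name"]]["logging"]
            b[2] += status[d["name"]]["correct"]
    return {k: {"logging": 100.0 * log / n, "correct": 100.0 * ok / n, "color": color(100.0 * ok / n)}
            for k, (n, log, ok) in buckets.items()}


if __name__ == "__main__":
    st = evaluate(DEVICES, LAST_SEEN, POLICY)
    print("Overall:", summarize(DEVICES, st))
    print("By group:", summarize(DEVICES, st, key=lambda d: d["group"]))
    print("By BU, group:", summarize(DEVICES, st, key=lambda d: (d["bu"], d["group"])))
```

Two behaviours worth noting: the per-device `lastFIMTimeLimit` override keeps `lnx-pci-app02` out of violation even though its last FIM event is four days old, and the firewall counts as not logging at all because its last event of any kind is older than `lastLogTimeLimit`, which pulls both the Logging and the Logging Correctly percentages down.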

If you click the entries, the devices in violation are shown in a tabular format along with the last time they reported events in each category.

Searching Dashboard Data

The Dashboard data can be searched by any Device Property, for example a Business Unit defined in ADMIN > Device Support > Custom Properties with Search (check-box) enabled. Click the search field under a specific category and enter the property values. Matches are exact and case sensitive.