Advanced Operations

FortiSIEM enables you to perform the following advanced operations:

Discovering Users

Users can be discovered via LDAP or OpenLDAP, or they can be added manually. Discovering users via OpenLDAP or OKTA is similar to the Active Directory procedure below.

To discover users in Windows Active Directory, discover the Windows Domain Controller:

  1. Go to ADMIN > Setup > Credentials.
  2. Click New to create an LDAP discovery credential by entering the following in the Access Method Definition dialog box:
    1. Name for the credential
    2. Device Type as "Microsoft Windows Server 2012 R2"
    3. Access Protocol as "LDAP"
    4. Used For as "Microsoft Active Directory"
    5. Enter the Base DN and NetBios Domain
  3. Test the LDAP Credentials.
  4. Run discovery.
  5. Go to CMDB > Users.
  6. Click the "Refresh" icon on left panel and see the users displayed on the right panel.

To add users manually:

  1. Go to CMDB > Users.
  2. Click New and add the user information.

For details about Discovering Users, see here (Refer to the table by searching: Credentials for Microsoft Windows Server)

For details about Adding Users, see here.

Creating FortiSIEM Users

To create users that access FortiSIEM:

  1. Log in as a user with "Full Admin" rights.
  2. Create the user in CMDB.
  3. Set a password – after logging in, the user can set a new password.
  4. Select the user and click Edit.
  5. Select System Admin and enter the following:
    1. Authentication Mode - "Local" or "External"
    2. Enterprise case - select the Role
    3. Service Provider case - select the Role for each Organization

For details about creating users, see here.

To change the password:

  1. Log in as the user.
  2. Click the "User Profile" icon on the top-right corner.
  3. Click Save.

Setting External Authentication

FortiSIEM users can be authenticated in two ways:

  • Local authentication – user credentials are stored in FortiSIEM
  • External authentication – user credentials are stored in an external database (AAA Server or Active Directory) and FortiSIEM communicates with the external database to authenticate the user

Step 1: Set up an Authentication Profile

  1. Log in as a user with Full Admin rights.
  2. Create an authentication profile by visiting ADMIN > Settings > General > External Authentication.
  3. Click New.
  4. Provide the following information in the External Authentication Profile dialog box:
    1. Enter a Name for the profile
    2. Select an Organization from the drop-down list
    3. Set Protocol appropriately (for example, LDAP, LDAPS, or LDAPTLS for Active Directory)
    4. Enter the IP/Host and Port number
  5. Make sure the credentials are defined in ADMIN > Setup > Credentials.
  6. Select the entry and click Test to ensure it works correctly.

Step 2: Attach the Authentication Profile to the user

  1. Select the user under CMDB > User and click Edit.
  2. Select System Admin and click the edit icon.
  3. Set Mode to "External" and set the Authentication Profile created.

For details about Setting up Authentication Profiles, see here.

For details about Editing Users, see here.

Setting 2-factor Authentication

FortiSIEM supports Duo as 2-factor authentication for FortiSIEM users:

Step 1: Set up an Authentication Profile

  1. Log in as a user with Full Admin rights.
  2. Create an authentication profile by visiting ADMIN > Settings > General > External Authentication:
    1. Set Protocol to "Duo"
    2. Make sure the credentials are defined in ADMIN > Setup > Credentials
    3. Select the entry and click Test to make sure it works correctly

Step 2: Attach the Authentication Profile to the user

  • Select the user under CMDB > Users and click Edit
  • Select System Admin and click the edit icon
  • Set Mode to "External" and set the Authentication Profile created

For details about Setting up Authentication Profiles, see here.

For details about Editing Users, see here.

Assigning FortiSIEM Roles to Users

FortiSIEM allows the admin user to create Roles based on what data the user can see and what the user can do with that data. To set up Roles:

Step 1: Create a Role of your choice

  1. Log in as a user with Full Admin rights.
  2. Go to ADMIN > Settings > Role > Role Management.
  3. Make sure there is a Role that suits your needs. If not, then create a new one by clicking New and entering the required information. You can also Clone an existing Role and make the changes.

Step 2: Attach the Role to the user

  1. Select the user under CMDB > Users and click Edit.
  2. Select System Admin and click the edit icon.
  3. Set Default Role:
    1. Enterprise case – select the Role
    2. Service Provider case – select the Role for each Organization

For details about Setting up Roles, see here.

For details about Editing Users, see here.

Creating Business Services

Business Service is a smart grouping of devices. Once created, incidents are tagged with the impacted Business Service(s) and you can see business service health in a custom Business Service dashboard.

For details about creating a Business Service, see here.

For details about setting up Dynamic Business Service, see here.

For details about viewing Business Service health, see here.

Creating Dynamic CMDB Groups and Business Services

CMDB Groups are a key concept in FortiSIEM. Rules and Reports make extensive use of CMDB Groups. While inbuilt CMDB Groups are auto-populated by Discovery, user-defined ones and Business Services are not. You can use the Dynamic CMDB Group feature to make mass changes to user-defined CMDB Groups and Business Services.

To create Dynamic CMDB Group Assignment Rules:

  1. Log in as a user with ADMIN tab modification rights.
  2. Go to ADMIN > Settings > Discovery > CMDB Group.
  3. Click New.
  4. Enter CMDB Membership Criteria based on Vendor, Model, Host Name and IP Range.
  5. Select the CMDB group (Groups) or Business Services (Biz Services) to which the Device will belong when the membership criteria entered above are met.
  6. Click Save.

You can now click Apply to immediately move the Devices to the desired CMDB Groups and Business Services. Discovery will also honor those rules – so newly discovered devices would belong to the desired CMDB Groups and Business Services.

For details about Setting up Dynamic CMDB Groups and Business Services, see here.

Setting Device Geo-Location

FortiSIEM has location information for public IP addresses. For private address space, you can define the locations as follows:

  1. Log in as a user with ADMIN tab modification rights.
  2. Go to ADMIN > Settings > Discovery > Location.
  3. Click New.
  4. Enter IP/IP Range.
  5. Specify the Corresponding Location for the IP address Range.
  6. Select Update Manual Devices if you want already discovered device locations to be updated.
  7. Click Save.
    You can now click Apply to set the geo-locations for all devices matching the IP ranges.

For details about Setting Device Location, see here.

Creating CMDB Reports

If you want to extract data from the FortiSIEM CMDB and produce a report, FortiSIEM can run a CMDB Report, display the values on the screen, and export the data to a PDF or CSV file.

For details about Creating CMDB Reports, see here.

Changing the Home Country

Many rules and reports use the My Home CMDB Object as defined in RESOURCES > Country Groups > My Home. By default, it is set to United States of America.

For details on changing this, see here.


Searching Incidents

If you want to search for specific incidents, go to INCIDENTS > List > Actions > Search. A Search window appears on the left. First, select the Time Window of interest. Then, by clicking any of the criteria, you can see the current values. Select values to see the matching incidents in the right pane.

For details about Searching Incidents, see here.

Tuning Incidents via Exceptions

If you do not want a rule to trigger for a specific Incident Attribute, then you can create an exception.

  1. Go to INCIDENTS > List view.
  2. Search the Incident (Actions > Search) or make sure that Incident shows in the right pane.
  3. Highlight the Incident.
  4. Click Actions > Edit Rule Exception.
  5. Enter the exception criteria – attribute based or time-based.

For details about Tuning Incidents via Exceptions, see here.

Tuning Incidents via Modifying Rules

Sometimes modifying the rule is a better idea than creating exceptions. For example, if you do not want a rule to trigger for DNS Servers, simply modify the rule condition by stating something like “Source IP NOT CONTAIN DNS Server”. To do this:

  1. Go to INCIDENTS > List view.
  2. Search the Incident (Actions > Search) or make sure that Incident shows in the right pane.
  3. Highlight the Incident
  4. Click Actions > Edit Rule
  5. Edit the Rule.
    If it is a System Rule, then you must save it as a User Rule. Deactivate the old System Rule and activate the new User Rule.

For details, see here.

Tuning Incidents via Drop Rules

Sometimes the rule can be prevented from triggering by dropping the event from rule considerations. There are two choices - (a) store the event in database but not trigger the rule or (b) drop the event completely.

To do this:

  1. Go to INCIDENTS > List view.
  2. Search the Incident (Actions > Search) or make sure that Incident shows in the right pane.
  3. Highlight the Incident.
  4. Click Actions > Create Event Dropping Rule.
  5. Specify event drop criteria and action. Events can be dropped on certain parsed fields (like Reporting/Source/Destination IP and Regex filter on the content).

For details, see here.

Tuning Incidents by Adjusting Thresholds

Some performance rules are written using global thresholds, for example - the Rule “High Process CPU: Server” uses the global threshold “Process CPU Util Critical Threshold” defined in ADMIN > Device Support > Custom Properties.

You have two choices – (a) modify the global threshold or (b) modify the threshold for a specific device or a group of devices. If you change the global threshold, then the threshold will change for all devices.

To modify the global threshold, follow these steps:

  1. Go ADMIN > Device Support > Custom Properties.
  2. Select the property and click Edit.
  3. Enter the new value and click Save.

For details, see here.

To modify the threshold for one device, follow these steps:

  1. Go to CMDB.
  2. Select the device and click Edit.
  3. In the Properties tab, enter the new value and click Save.
  4. To modify the threshold for a group of devices, repeat the above step for all devices.

Clearing Incidents

In some cases, the Incident may not be happening anymore as the exception condition was corrected.

To clear one or more Incidents:

  1. Go to INCIDENTS > List view.
  2. Search the Incident (Actions > Search) or make sure that Incidents show in the right pane.
  3. Highlight the Incidents.
  4. Click Actions > Clear Incident
  5. Enter Reason and click OK.

For details, see here.

Adding Comments or Remediation Advice to an Incident

To add a comment to an Incident:

  1. Go to INCIDENTS > List view.
  2. Search the Incident or make sure that Incidents show in the right pane.
  3. Highlight the Incidents.
  4. Click Actions > Edit Comment
  5. Enter the Comment and click OK.

For details, see here.

Sometimes it is necessary to add Remediation advice for the recipient of an Incident, so they can take action to remediate it. This is done by editing the Rule.

  1. Go to RESOURCES > Rules.
  2. Select a Rule and click Edit.
  3. Enter Remediation Note text and click Save.

For details, see here.

The Remediation text can be added to the Incident Notification email template.

For details, see here.

Remediating an Incident

You can use the following commands to enable Windows Remote Management (WinRM) and set authentication on the target Windows Servers. See Remediations for information on adding, editing, and deleting a remediation from the FortiSIEM UI.

In the remediation script:

  1. When you initiate the WinRM session, set transport parameter to ssl.
  2. Set the server_cert_validation option accordingly. If you do not need to validate the certificate, set it to ignore; note that ignore accepts whatever certificate the server presents, so prefer validate wherever the target's certificate chain is trusted by the node running the script. For example:

    import winrm  # pywinrm; enforceOn, user and password are supplied to the script by FortiSIEM
    session = winrm.Session(enforceOn, auth=(user, password), transport="ssl", server_cert_validation="ignore")

In the target Windows server:

Note: You might need to disable Windows Firewall before running remediation.

  1. Create the self-signed certificate in the certificate store, for example:

    New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "mySubjectName.lan"

    where Cert:\LocalMachine\My is the location of the certificate store and mySubjectName.lan is the subject alternate name extension of the certificate.

  2. Create an HTTPS listener, for example:

    winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Port ="5986";Hostname="{your host name}"; CertificateThumbprint="{CertificateThumbprint}"}'

  3. Start the WinRM service and set the service startup type to auto-start. The quickconfig command also configures a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address.

    winrm quickconfig -transport:https

  4. Validate the WinRM service configuration and Listener.
    1. Check whether basic authentication is allowed, for example:

      winrm get winrm/config/service

    2. Check whether a listener is running, and verify the default ports, for example:

      winrm get winrm/config/listener

Remediation can be done either on an ad hoc basis (for example, user selects an Incident that has already occurred to Remediate) or using a Notification Policy where the system takes the Remediation action when Incident happens. First, make sure the Remediation script for your scenario is defined. Check the existing Remediation scripts in ADMIN > Settings > General > Notification > Remediation settings. If your device is not in the list, add the needed Remediation script.

To set ad hoc remediation:

  1. Go to INCIDENTS > List view.
  2. Search the Incident (Actions > Search) or make sure that Incidents show in the right pane.
  3. Highlight the Incident you want to remediate (you can remediate only one Incident at a time).
  4. Click Actions > Remediate Incident.
  5. In the Run Remediation dialog box:
    1. Select the script in the Remediation drop-down list that you want to run.
    2. Select the role that the script will run on from the Run On drop-down list.
    3. Open the Enforce On drop-down list to choose which devices the remediation script will run on. In the Run Remediation dialog box, open the Device tree. Select individual devices and shuttle them to the Selections column. (You can choose only individual devices; you cannot choose device groups.)
  6. Click Run in the Run Remediation dialog box.

For details, see here.


To set policy-based remediation:

  1. Go to ADMIN > Settings > General > Notification Policy.
  2. Click New.
  3. Under Action, click the edit icon next to Run Remediation/Script.
  4. In the Notification Policy - Define Script/Remediation dialog box click New.
  5. In the dialog box that opens, click either Legacy Script or Remediation:
    • Legacy Script
      • Enter the name and path to the script in the Script field.
      • Select the role the script will run on from the Run On drop-down list.
    • Remediation:
      • Select a remediation script from the Script drop-down list.
      • Select the role that the script will run on from the Run On drop-down list.
      • Open the Enforce On drop-down list to choose which devices the remediation script will run on. In the Notification Policy - Define Script/Remediation - Enforce On dialog box, open the Device tree. Select individual devices and shuttle them to the Selections column. (You can choose only individual devices; you cannot choose device groups.)
  6. Click Save.

For details, see here.


To see the Notification history of an Incident:

  1. Go to INCIDENTS > List view.
  2. Search the Incident (Actions > Search) or make sure that Incidents show in the right pane.
  3. Highlight the Incidents.
  4. Click Actions > Show Notification History

For details, see here.

Notifying an Incident via Email

Notifying an Incident can be done either on ad hoc basis (for example - user selects an Incident that has already occurred to notify) or using a Notification Policy where the system takes the notification action when Incident happens.

First, make sure that Email Server has been properly defined in ADMIN > Settings > Email > Email Settings.

FortiSIEM has a built-in Incident Notification Email template. If you want a different one, please define it under ADMIN > Settings > Email > Incident Email Template.

For details, see here.

To set ad hoc notifications:

  1. Go to INCIDENTS > List view.
  2. Search the Incident (Actions > Search) or make sure that Incidents show in the right pane.
  3. Highlight the Incidents.
  4. Click Actions > Notify via Email.
  5. Choose Receive Email Address and Email Template.
  6. Click Send.

For details, see here.

To send policy-based notifications:

  1. Go to ADMIN > Settings > General > Notification Policy.
  2. Click New.
  3. Specify the Incident Filter Conditions (Severity, Rules, Time Range, Affected Items, Affected Organizations) carefully to avoid excessive emails.
  4. Under Action, click Send Email/SMS to Target Users.
  5. Enter Email Address or Users from CMDB.
  6. Click Save.

For details, see here.


To see the Notification history of an Incident:

  • Go to INCIDENTS > List view.
  • Search the Incident (Actions > Search) or make sure that Incidents show in the right pane.
  • Highlight the Incidents.
  • Click Actions > Show Notification History

For details, see here.

Creating New Rules

Sometime, you may want to create a new rule from scratch.

For details, see here.

Creating a FortiSIEM Ticket

First make sure that:

  • Ticket’s assigned user is in CMDB
  • Assigned user’s Manager that is going to handle escalation is in CMDB
  • A Ticket Escalation Policy is defined

For adding users see Advanced Operations > Creating System users.

For defining ticket escalation policy, see here.

To create a FortiSIEM ticket:

  • Go to INCIDENTS > List view.
  • Search the Incident (Action > Search) or make sure that Incidents show in the right pane.
  • Highlight the Incidents.
  • Click Actions > Create Ticket.
  • Click Save

Note that you can put multiple Incidents on one ticket or add an Incident to an existing ticket.

For details, see here.

Creating a Ticket in External Ticketing System

First, define an Incident Outbound Integration Policy by visiting ADMIN > Settings > General > Integration.

For details, see here.

Then set the Incident Outbound Integration Policy in Notification Policy Action:

  1. Go to ADMIN > Settings > General > Notification Policy.
  2. Click New.
  3. Specify the Incident Filter Conditions (Severity, Rules, Time Range, Affected Items, Affected Organizations) carefully to avoid excessive emails.
  4. Under Action, click Invoke an Integration Policy.
  5. Choose the Integration Policy.
  6. Click Save.

For details, see here.


To update external ticket state in FortiSIEM:

  1. Define an Incident Inbound Integration Policy by visiting ADMIN > Settings > General > External Integration.
  2. Select the Policy and click Schedule to run the Incident Inbound Integration Policy.

For details, see here.

Checking Device Monitoring Status and Health

For Performance Monitoring scenarios, you would like to know:

  • Is FortiSIEM able to monitor the devices on time? Is FortiSIEM falling behind?
  • Are there monitoring errors?
  • What is the current health of monitored devices?

To check whether FortiSIEM is able to collect monitoring data on time:

  1. Go to CMDB.
  2. Search for the device by typing a string in the search window.
  3. Check the Monitor Status column.
  4. If Monitor Status is Warning or Critical, select the Device and check the Monitor sub-tab in the bottom pane to find out the reason.

FortiSIEM is an optimized multi-threaded solution. If one node is given too many devices to monitor, each device with many metrics, then it may not be able to keep up. If FortiSIEM is not able to keep up (e.g. polling interval is 1 minute and last poll was 3 minutes ago), then you can do one of the following:

  1. Check the Monitored Device resources (CPU, memory) and the network between FortiSIEM and the Monitored Device. Many monitoring protocols such as SNMP, WMI will not operate under WAN type latencies (greater than 10 msec).
  2. Increase the polling intervals by visiting ADMIN > Setup > Monitor Performance > More > Edit Intervals.
    Note: If you increase polling intervals, some performance monitoring rules that require a certain number of polls in a time window may not trigger. Please adjust those rules either by reducing the number of polls or increasing the time window. For example, if a rule needs 3 events (polls) for a 10 min time window with original polling interval as 3 min, the rule will not trigger if polling interval is changed to 4 min or higher. To make the rule trigger again, either reduce the number of events needed (for example, from 3 to 2) or increase the time window (for example, from 10 min to 15 min).
  3. Turn off some other jobs by visiting ADMIN > Setup > Monitor Performance > More > Edit Intervals.
  4. Deploy Collectors close to the Monitored Devices or deploy more Collectors and distribute performance monitoring jobs to Collectors by doing re-discovery.

To check for Monitoring errors:

  • Go to ADMIN > Setup > Monitor Performance > More > Errors.

For details see here.

To see current health of a monitored device:

  1. Go to CMDB.
  2. Search for the device by typing a string in the search window.
  3. Choose Actions > Device Health.

For details, see here.

Setting Devices Under Maintenance

If a device will undergo maintenance and you do not want to trigger performance and availability rules while the device is in maintenance, then

  1. Go to ADMIN > Setup > Maintenance
  2. Select the Maintenance Schedule.
  3. Select the Group of Devices or Synthetic Transaction Monitors (STM) for maintenance.
  4. Make sure the Generate Incidents for Devices under Maintenance option is checked.

For details, see here.

Creating Custom Monitors

Although FortiSIEM provides out-of-the-box monitoring for many devices and applications, users can add monitoring for custom device types or add further monitoring for supported device types.

  1. Go to ADMIN > Device Support > Monitoring.
  2. Click Enter Performance Object > New and enter the specification of the Performance Object.
  3. Select the Performance Object and click Test.
  4. Click Enter Device Type to Performance Object Association > New and choose a set of Device Types and associated Performance Objects.
  5. Go to ADMIN > Setup > Credentials and enter the Device Credentials for a set of device types specified in Step 4.
  6. Go to ADMIN > Setup > Discovery and discover these devices.
  7. FortiSIEM will pick up the custom monitors defined in Step 2 if the Tests in Step 3 succeeded.
  8. Go to ADMIN > Setup > Monitor Performance and see the monitors.
    From the same tab, Select one or more devices and Click More > Report and check whether the monitoring events are generated correctly.

Steps 1-4 are described here.

Step 5 is described here.

Step 6 is described here.

Steps 8-9 are described here.

Setting Important Interfaces and Processes

A network may have hundreds of network devices, each with hundreds of interfaces. Not all interfaces are interesting for up/down and utilization monitoring. For example, you may only want to monitor WAN links and trunk ports and leave out Access Ports. This saves a lot of CPU and storage. Similar logic applies to critical processes on servers.

Since FortiSIEM discovers interfaces and processes, it is easy to select Critical Interfaces and Processes for Monitoring.

  1. Go to ADMIN > Settings > Monitoring.
  2. Click Important Interfaces > Enable > New and select the Interfaces.
  3. Click Important Processes > Enable > New and select the Processes.

Note that once you select Important Interfaces and Processes, only these Interfaces and Processes will be monitored for availability and performance.

For details, see here.

Modifying System Parsers

If you want to modify a built-in log parser, then do the following steps:

  1. Go to ADMIN > Device Support > Parsers.
  2. Select the Parser and click Disable, since you will otherwise have two enabled parsers for the same device.
  3. Select the same Parser and click Clone.
  4. Make the required modifications to the parser.
  5. Click Validate to check the modified Parser syntax.
  6. Click Test to check the semantics of the modified Parser.
  7. If both Validate and Test pass, then click Enable and then Save.
    The modified Parser should show Enabled.
  8. Click Apply to deploy the modified Parser to all the nodes.

For details, see here.

Creating Custom Parsers

If you want to create a completely new log parser, then do the following steps:

  1. Go to ADMIN > Device Support > Parsers.
  2. Parsers are evaluated serially from top to bottom in the list. Select the parser just before the current custom parser and click New.
  3. Fill in the parser details – Name, Device Type, test Events and the parser itself.
  4. Click Validate to check the syntax.
  5. Click Test to check the semantics of the modified parser.
  6. If all passes, then click Enable and then click Save.
    The newly added parser should show Enabled.
  7. Click Apply to deploy the change to all the nodes.

For details, see here.

Handling Multiline Syslog

When devices send the same log in multiple log messages, you can combine them into one log in FortiSIEM to facilitate analysis and correlation.

  1. Go to ADMIN > Settings > Event Handling > Multiline Syslog.
  2. Click New to begin a multi-line syslog handling rule.
  3. Enter a Protocol – TCP or UDP.
  4. Enter a Begin Pattern and End Pattern regular expressions.
    All the logs between a match of the begin pattern and the next match of the end pattern are combined into a single log.
  5. Click Save.

For details, see here.
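To make the Begin Pattern / End Pattern rule concrete, here is an added Python example (not FortiSIEM code) that applies the two regular expressions to a constructed stream of syslog fragments and also handles a run whose end fragment never arrives, which the dialog does not discuss. The fragment separator, the header-stripping regex and the fragment cap are my assumptions.

```python
import re
from typing import List, Pattern

# Constructed sample traffic: an application that emits one logical error as
# several syslog messages (a stack trace), surrounded by unrelated single-line
# events. Not taken from the original page.
SAMPLE_LINES = [
    "<13>Jan 10 10:00:01 app01 app[123]: transaction 77 committed",
    "<13>Jan 10 10:00:02 app01 app[123]: ERROR: unhandled exception",
    "<13>Jan 10 10:00:02 app01 app[123]:   at com.example.Service.run(Service.java:42)",
    "<13>Jan 10 10:00:02 app01 app[123]:   at com.example.Main.main(Main.java:9)",
    "<13>Jan 10 10:00:02 app01 app[123]: END OF TRACE",
    "<13>Jan 10 10:00:03 app01 app[123]: login ok user=alice",
]

# The Begin/End regular expressions an operator would enter in the rule.
BEGIN_PATTERN = r"ERROR: unhandled exception"
END_PATTERN = r"END OF TRACE"

# Syslog header (PRI, timestamp, host, tag) repeated on every fragment; it is
# kept on the first fragment and stripped from continuation fragments (assumed).
SYSLOG_HEADER = re.compile(r"^<\d+>\w{3} +\d+ [\d:]+ \S+ \S+: *")


def combine_multiline(lines, begin_pattern, end_pattern, separator=" | ", max_fragments=100):
    """Merge runs of fragments delimited by begin/end patterns into one log.

    Lines outside a begin/end run pass through unchanged. A run that never
    sees its end pattern is flushed at max_fragments (bounds memory when a
    device drops the final fragment) and again at end of input.
    """
    begin_re: Pattern[str] = re.compile(begin_pattern)
    end_re: Pattern[str] = re.compile(end_pattern)
    combined: List[str] = []
    run: List[str] = []

    def flush():
        if run:
            combined.append(separator.join(run))
            run.clear()

    for line in lines:
        if not run:
            if not begin_re.search(line):
                combined.append(line)  # ordinary single-line event
                continue
            run.append(line)  # begin fragment keeps its syslog header
        else:
            run.append(SYSLOG_HEADER.sub("", line, count=1).strip())
        # The end pattern may sit on the begin fragment itself or on a later one.
        if end_re.search(line) or len(run) >= max_fragments:
            flush()
    flush()  # unterminated run at end of input
    return combined


if __name__ == "__main__":
    for log in combine_multiline(SAMPLE_LINES, BEGIN_PATTERN, END_PATTERN):
        print(log)
```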

Creating Synthetic Transaction Monitors

You can define a Synthetic Transaction Monitor to monitor the health of an application or a web service. To do this:

  1. Go to ADMIN > Setup > STM.
  2. Step 1: Create a monitoring definition, click New and enter the required fields. When the protocol is HTTP, then a Selenium script can be input. Specify the timeout values for detecting STM failures.
  3. Step 2: Apply the monitoring definition to a host
  4. Step 3: Make sure it is working correctly - click Monitor Status.

For details, see here.

Mapping Events to Organizations

In most cases, the events received by a Collector are tagged with the Organization to which the Collector belongs. In some cases, events for multiple Organizations are aggregated by an upstream device and then forwarded to FortiSIEM. In this case, FortiSIEM needs to map events to organizations based on a parsed event attribute. An example is the FortiGate VDOM attribute.

This is accomplished as follows:

  1. Go to ADMIN > Settings > Event Handling > Event Org Mapping.
  2. Click New to create an Event Org mapping definition.
  3. Select a Device Type from the drop-down list.
  4. Specify the Event Attribute that contains the Organization information.
  5. Specify the Collector that will do this Event Org Mapping.
  6. Specify an IP or IP Range.
  7. Specify the mapping rules by clicking the edit icon next to Org mapping. In the Event Organization Mapping dialog box, map Event Attribute values to Organizations.

For details, see here.
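As an added illustration (not FortiSIEM's implementation) of the mapping logic above, the following Python models a mapping definition with the fields from this dialog and resolves the organization for constructed FortiGate VDOM events, falling back to the collector's own organization when nothing matches. The dash-range syntax, the event dictionary field names and all sample values are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


# One Event Org Mapping definition, mirroring the fields entered in
# ADMIN > Settings > Event Handling > Event Org Mapping (my modelling,
# not FortiSIEM's internal representation).
@dataclass
class OrgMapping:
    device_type: str        # e.g. "Fortinet FortiGate"
    attribute: str          # parsed attribute carrying the org, e.g. "vdom"
    collector: str          # collector that performs this mapping
    ip_range: str           # reporting device(s): single IP, CIDR, or "low-high"
    value_to_org: Dict[str, str]


def ip_in_range(ip: str, ip_range: str) -> bool:
    """Match a reporting IP against a single IP, a CIDR block or a dash range."""
    addr = ipaddress.ip_address(ip)
    if "/" in ip_range:
        return addr in ipaddress.ip_network(ip_range, strict=False)
    if "-" in ip_range:
        low, high = (ipaddress.ip_address(p.strip()) for p in ip_range.split("-", 1))
        return low <= addr <= high
    return addr == ipaddress.ip_address(ip_range)


def resolve_org(event: dict, collector_org: str, mappings: List[OrgMapping]) -> str:
    """Return the organization an event belongs to.

    The first mapping whose collector, device type and IP range match and
    whose attribute value is mapped wins; otherwise the event keeps the
    organization of the collector that received it (the default behaviour).
    """
    for m in mappings:
        if event["collector"] != m.collector or event["device_type"] != m.device_type:
            continue
        if not ip_in_range(event["reporting_ip"], m.ip_range):
            continue
        value = event.get("attributes", {}).get(m.attribute)
        if value in m.value_to_org:
            return m.value_to_org[value]
    return collector_org


# Constructed sample: one FortiGate at 10.1.1.5 hosts VDOMs for two tenants and
# forwards all their logs through collector "col-dc1", which belongs to the
# service provider's own organization.
MAPPINGS = [
    OrgMapping(
        device_type="Fortinet FortiGate",
        attribute="vdom",
        collector="col-dc1",
        ip_range="10.1.1.0/24",
        value_to_org={"cust-a": "Customer A", "cust-b": "Customer B"},
    )
]

SAMPLE_EVENTS = [
    {"collector": "col-dc1", "device_type": "Fortinet FortiGate",
     "reporting_ip": "10.1.1.5", "attributes": {"vdom": "cust-a"}},
    {"collector": "col-dc1", "device_type": "Fortinet FortiGate",
     "reporting_ip": "10.1.1.5", "attributes": {"vdom": "root"}},       # unmapped VDOM
    {"collector": "col-dc1", "device_type": "Fortinet FortiGate",
     "reporting_ip": "192.168.7.9", "attributes": {"vdom": "cust-b"}},  # outside range
]


def tag_events(events, collector_org="MSSP Internal", mappings=MAPPINGS):
    """Tag each event with its resolved organization, in input order."""
    return [resolve_org(e, collector_org, mappings) for e in events]


if __name__ == "__main__":
    for event, org in zip(SAMPLE_EVENTS, tag_events(SAMPLE_EVENTS)):
        print(event["reporting_ip"], event["attributes"]["vdom"], "->", org)
```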

Adding Windows Agents

FortiSIEM Windows Agents provide a scalable way to collect performance metrics, logs and other audit violations from a large number of Windows servers. Windows Agents (version 3.1 onwards) can be configured and managed from the FortiSIEM GUI; Windows Agent Manager is not required. As long as a license is available, you can install Windows Agents and register them to the FortiSIEM Supervisor node.

For details about Installing Windows Agents, see the latest Windows Agent Installation Guide.

For details about Configuring Windows Agent in FortiSIEM, see here.

Adding Linux Agents

Starting with release 5.2.1, Linux Agents require a license. As long as a license is available, you can install a Linux Agent and register it to the FortiSIEM Supervisor node. Linux Agents can be configured and managed from the FortiSIEM GUI.

For details about Installing Linux Agents, see Linux Agent Installation Guide.

For details about Configuring Linux Agent in FortiSIEM, see here.

Forwarding Events to External Systems

Events received by FortiSIEM can be forwarded to external systems. FortiSIEM provides a flexible way to define forwarding criteria and forwarding mechanisms such as syslog, Kafka and Netflow.

For details, see here.

Creating New Rules

To create new Rules, go to RESOURCES > Rules, choose a folder and click New. Remember to test and activate the rule.

For details, see here.

Rules can also be created from ANALYTICS tab. Once you have run a search, create a rule from it by clicking Action > Create Rule.

For details, see here.

Creating New Reports

New Reports can be created from RESOURCES > Reports > Choose a Folder > Click New.

For details, see here.

Reports can also be created from ANALYTICS tab. Once you have run a search, you can save it as a Report by clicking Actions > Save Result.

For details, see here.

Scheduling Reports

Reports can be scheduled to run at a later time and contain data for a specific period of time. Go to RESOURCES > Reports > Choose a Report > More > Schedule.

For details, see here.

Customizing Built-in Dashboards

FortiSIEM Built-in Dashboards are organized in Folders with multiple Dashboards in each Folder. You can add dashboards to any Folder or modify the dashboards in any built-in folder. Dashboard modification can include – modifying chart layout, chart settings or even adding new widgets for widget dashboards.

For details, see here.

You can also choose to display only a set of Dashboard Folders by visiting ADMIN > Settings > System > UI > Dashboard Settings.

Creating Custom Dashboards

You can either create a new Dashboard Folder and move dashboards in it or add dashboards to an existing folder.

To create a new Dashboard folder:

  1. Click DASHBOARD
  2. Open the Dashboard Folder drop-down list.
  3. Click New.

To create a new Dashboard for the folder:

  1. Select the Dashboard Folder from the drop-down list.
  2. Click + to the right of the selected folder.
  3. Enter a Name and Dashboard Type from the drop-down list in the Create New Dashboard dialog box.
  4. If you created a Widget Dashboard, click + beneath the folder name to add Widgets to the Dashboard.

For details, see here.

Creating Business Service Dashboards

After creating a new Dashboard, choose Type = Business Service Dashboard. Then select the Business Service Selector on the top right to add Business Services to the Dashboard.

For details, see here.

Monitoring System Health

To see the system level health of every FortiSIEM Supervisor/Worker node, go to ADMIN > Health > Cloud Health. The top pane shows the overall health of various nodes – Supervisor and Workers. Click any one node and the bottom pane shows the health of the various processes in that node.

For details, see here.

Monitoring Collector Health

To see the system level health of every FortiSIEM Collector node, go to ADMIN > Health > Collector Health.

For details, see here.

Monitoring Elasticsearch Health

To see the Elasticsearch health information, go to ADMIN > Health > Elasticsearch Health.

For details, see here.

System Errors

To see the system errors, click the Jobs/Errors icon on the top-right corner of the FortiSIEM GUI and select the Error tab. You can also run a report in ANALYTICS > click the Folders icon > Shortcuts > Top FortiSIEM Operational Errors.

Monitoring User and Query Activity

To see FortiSIEM User and Query Activity, click the User Activity icon on the top-right corner of the FortiSIEM GUI. The User Activity dialog box contains these tabs: Logged in Users, Locked Users, Query Status, and Query Workload.

All of the tabs in the User Activity dialog box contain the time of the last refresh and the number of seconds until the next automatic refresh. By default, the automatic refresh interval is 60 seconds. To refresh the table on demand, click the Refresh button.

Logged in Users

This tab displays a table listing the users currently logged in to FortiSIEM. You can perform the following operations on this tab:

  • Log Out - Select one or more users in the table and click Log Out. The selected users will be logged out of FortiSIEM.
  • Log Out and Lock Out - Select one or more users in the table and click Log Out and Lock Out. The selected users will be logged out of FortiSIEM and prevented from logging back in.

The Logged in Users table contains the following information:

Column Description
Organization The Organization to which the user belongs.
User The name of the user.
Full Name The full name of the user.
Login IP The IP address from which the user logged in.
Role The name of the user's role.
Login Time The date and time when the user logged in.
Session ID The ID of the user's FortiSIEM session.

Locked Users

This tab displays a table listing the users currently locked out of FortiSIEM. Typically, user access to FortiSIEM can be locked due to multiple login failures. You can perform the following operations on this tab:

  • Unlock - Select one or more users in the table and click Unlock.

Note: Users can also be unlocked by going to CMDB > Users > Actions > Unlock.

The Locked Users table contains the following information:

Column Description
Organization The Organization to which the user belongs.
User The name of the user.
Full Name The full name of the user.
Login IP The IP address from which the user logged in.
Role The name of the user's role.
Locked Time The date and time when the user was locked out of FortiSIEM.
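
As an added example (not FortiSIEM code), the following Python models the operations described for the Logged in Users and Locked Users tabs: Log Out, Log Out and Lock Out, lockout after repeated login failures, and Unlock. The failed-login threshold, the session ID format and the sample users are assumptions; the page does not state FortiSIEM's own values.

```python
# Added example (not FortiSIEM code): a small model of the session and lockout
# behaviour described for the Logged in Users and Locked Users tabs.
# Assumptions: the failed-login threshold, the session ID format and the
# sample users are hypothetical; FortiSIEM's own values are not on the page.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

MAX_FAILED_LOGINS = 3  # assumed threshold; the page gives no number


@dataclass
class Session:
    """One row of the Logged in Users table."""
    organization: str
    user: str
    full_name: str
    login_ip: str
    role: str
    login_time: datetime
    session_id: str


@dataclass
class UserActivity:
    """Tracks live sessions (Logged in Users) and lockouts (Locked Users)."""
    sessions: Dict[str, Session] = field(default_factory=dict)  # session_id -> Session
    locked: Dict[str, datetime] = field(default_factory=dict)   # user -> Locked Time
    failures: Dict[str, int] = field(default_factory=dict)      # user -> consecutive failures
    next_id: int = 1

    def login(self, org: str, user: str, full_name: str, ip: str, role: str,
              password_ok: bool, now: datetime) -> Optional[Session]:
        """Attempt a login. Returns the new Session, or None if refused."""
        if user in self.locked:
            return None  # locked users stay out until an admin clicks Unlock
        if not password_ok:
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= MAX_FAILED_LOGINS:
                self.locked[user] = now  # the user now appears on the Locked Users tab
            return None
        self.failures.pop(user, None)  # a successful login resets the counter
        sid = f"S{self.next_id}"
        self.next_id += 1
        session = Session(org, user, full_name, ip, role, now, sid)
        self.sessions[sid] = session
        return session

    def logged_in_users(self) -> List[Session]:
        return sorted(self.sessions.values(), key=lambda s: (s.login_time, s.session_id))

    def locked_users(self) -> List[str]:
        return sorted(self.locked)

    def log_out(self, user: str) -> int:
        """Log Out: end every session of the user. Returns the number ended."""
        ended = [sid for sid, s in self.sessions.items() if s.user == user]
        for sid in ended:
            del self.sessions[sid]
        return len(ended)

    def log_out_and_lock_out(self, user: str, now: datetime) -> int:
        """Log Out and Lock Out: end sessions and refuse further logins."""
        ended = self.log_out(user)
        self.locked[user] = now
        return ended

    def unlock(self, user: str) -> bool:
        """Unlock (the same effect as CMDB > Users > Actions > Unlock)."""
        if user not in self.locked:
            return False
        del self.locked[user]
        self.failures.pop(user, None)
        return True


def demo() -> dict:
    """Walk through the operations on constructed sample users."""
    ua = UserActivity()
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    ua.login("Super", "alice", "Alice Admin", "10.0.0.5", "Full Admin", True, t0)
    # Three bad passwords lock bob out; a good password afterwards is still refused.
    for _ in range(MAX_FAILED_LOGINS):
        ua.login("Super", "bob", "Bob Analyst", "10.0.0.6", "Read Only Admin", False, t0)
    refused = ua.login("Super", "bob", "Bob Analyst", "10.0.0.6", "Read Only Admin", True, t0)
    ua.unlock("bob")
    bob = ua.login("Super", "bob", "Bob Analyst", "10.0.0.6", "Read Only Admin", True, t0)
    # Log Out and Lock Out ends alice's session and blocks her from logging back in.
    ua.log_out_and_lock_out("alice", t0)
    alice_again = ua.login("Super", "alice", "Alice Admin", "10.0.0.5", "Full Admin", True, t0)
    return {
        "refused_while_locked": refused is None,
        "bob_session": bob.session_id if bob else None,
        "alice_relogin_refused": alice_again is None,
        "logged_in": [s.user for s in ua.logged_in_users()],
        "locked": ua.locked_users(),
    }


if __name__ == "__main__":
    print(demo())
```

The model keeps the two states the tabs expose separate: a session ends on Log Out, but only an explicit Unlock clears a lockout, whether it came from repeated failures or from Log Out and Lock Out.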

Query Status

This tab displays a table listing the status of current and recent queries. You can perform the following operations on this tab:

  • Stop Query - Select a query from the table and click Stop Query. The selected query will be stopped remotely. If the query was sent from the ANALYTICS page, you should see a warning message saying this query was stopped manually. You should also be able to see the partial results you received before it was stopped.
  • Search - Click the Search button to search for queries by Query name (plain text search), User name (multiple options selected via a checkbox), and/or query Type (multiple options selected via a checkbox).
  • Sort - Click a column name. You can sort the column data in ascending or descending order.
  • Job Distribution for Query - Click a query in the Query Status table to see the Job Distribution for Query <query_name> table. This table identifies the Worker nodes employed in processing the query and their status. For more information, see Obtaining Job Distribution for Query.

The Query Status table contains the following information:

Column Description
Query ID The ID of the query.
Query Name The name of the query.
User The name of the user who issued the query.
Type The value of Type can be:
  • Interactive - Queries executed directly from the ANALYTICS page.
  • Scheduled - Queries scheduled from RESOURCES > Reports.
Start Time The date and time when the query was issued.
Status The value of Status can be:
  • Running - The query is currently running.
  • Waiting - The query is waiting in the queue because the maximum number of running queries has been reached.
Progress The percent of progress the query has made towards completion.
Elapsed The time, in seconds, that the query has run.

Obtaining Job Distribution for Query

To see how the query job is distributed between Worker nodes, click a query in the Query Status table. The Job Distribution for Query <query_name> table appears beneath the Query Status table.

  • Sort - Click a column name. You can sort the column data in ascending or descending order.

The Job Distribution for Query <query_name> table contains the following information:

Column Description
Node The Worker IP address.
Status The value of Status can be:
  • Unknown - The query process is in an unknown state.
  • Starting - The query has started processing.
  • Running - The query is currently processing.
  • Pausing - The query is in the process of pausing processing.
  • Resuming - The query has resumed processing.
  • Stopping - The query is in the process of stopping processing.
  • Paused - The query has temporarily paused processing.
  • Stopped - The query has stopped processing.
  • Completed - The query has completed processing.
Progress The percent of progress the query has made towards completion.
Running For The time (in seconds) elapsed since the Start Time. Note: This value is calculated from the last refresh time, not the Last Update minus the Start Time.
Start Time The date and time when the query began processing.
Last Update The date and time when the Worker last reported a progress update.

Query Workload

This tab displays a table listing the available Worker nodes for a query job. You can perform the following operations on this tab:

  • Sort - Click a column name. You can sort the column data in ascending or descending order.
  • Status of Running Tasks - Click a Worker node row in the Query Workload table to display the Tasks Running On <Worker_IP_address> table. For more information, see Obtaining Running Tasks.

The Query Workload table contains the following information:

Column Description
Node The Worker IP address.
Status The value of Status can be:
  • Online - The Worker node is currently online.
  • Offline - The Worker node is currently offline.
Interactive Tasks The number of interactive tasks (that is, sent from the ANALYTICS page) assigned to the Worker node.
Scheduled Tasks The number of scheduled tasks assigned to the Worker node.
Task Workload The total number of tasks assigned to the Worker node.

Obtaining Running Tasks

To see the status of running tasks, click a Worker node in the Query Workload table. The Tasks Running On <Worker_IP_address> table appears beneath the Query Workload table. You can perform the following operations on this tab:

  • Sort - Click a column name. You can sort the column data in ascending or descending order.

The Tasks Running On <Worker_IP_address> table contains the following information:

Column Description
Query ID The ID of the query.
Query Name The name of the query.
User The name of the user who issued the query.
Type The value of Type can be:
  • Interactive - Queries executed directly from the ANALYTICS page.
  • Scheduled - Queries scheduled from RESOURCES > Reports.
Start Time The date and time when the query began processing.
Status See Status in Obtaining Job Distribution for Query.
Progress The percent of progress the query has made towards completion.