Analytics Settings

The following section describes the procedures for Analytics settings:

Scheduling Report Alerts

You can schedule reports to run and send email notifications to specific individuals. This setting is for default email notifications that will be sent when any scheduled report is generated.

  1. Go to ADMIN > Settings > Analytics > Scheduled Report tab.
  2. Select the required action under Scheduled Report Alerts section.
    • Do not send scheduled emails if report is empty - Sometimes a report may be empty because there are no matching events. If you don't want to send empty reports to users, select this option. If you are running a multi-tenant deployment, and you select this option while in the Super/Global view, this will apply only to Super/Global reports. If you want to suppress delivery of empty reports to individual Organizations, configure this option in the Organizational view.
  3. Enter the email address in the Deliver notification via field. Click + to add more than one email address, if needed.
  4. Click Save.
  5. To receive email notifications, go to ADMIN > Settings > System > Email and configure your mail server.

Scheduling Report Copy

Reports can be copied to a remote location whenever the scheduler runs any report. Note that this setting only supports copying to a remote Linux directory.

  1. Go to ADMIN > Settings > Analytics > Scheduled Report tab.
  2. Enter the following information under Scheduled Report Copy section.
  3. Enter the Host - IP address or name.
  4. Enter the Path - absolute path, such as /abc/def.
  5. Enter the User Name and Password, and enter Confirm Password to reconfirm the password.
  6. Click Test to check the connection.
  7. Click Save.

Note: For all of the above configurations, use the Edit button to modify any setting or Delete to remove any setting.

Setting Incident SNMP Traps

You can define SNMP trap destinations that will be notified when an event triggers an incident.

  1. Go to ADMIN > Settings > Analytics > Incident Notification tab.
  2. Enter the following information under Incident SNMP Traps section.
    1. SNMP Trap IP Address
    2. SNMP Community String - to authorize sending the trap to the SNMP trap IP address.
  3. Select the SNMP Trap Type and SNMP Trap Protocol options.
  4. Click Test to check the connection.
  5. Click Save.

For the SNMP MIB definition, see here.

Setting Incident HTTP Notification

You can configure FortiSIEM to send an XML message over HTTP(s) when an incident is triggered by a rule.

  1. Go to ADMIN > Settings > Analytics > Incident Notification tab.
  2. Enter the following information under Incident HTTP Notification section.
  3. For HTTP(S) Server URL, enter the URL of the remote host where the message should be sent.
  4. Enter the User Name and Password to use when logging in to the remote host, and enter Confirm Password to reconfirm the password.
  5. Click Test to check the connection.
  6. Click Save.

Incidents are sent out in XML format. For details, see here.

Setting Remedy Notification

You can set up Remedy to accept notifications from FortiSIEM and generate tickets from those notifications.

Configuring Remedy to Accept Tickets from FortiSIEM Incident Notifications

Before configuring Remedy to accept tickets, make sure you have configured the Remedy Notifications in FortiSIEM.

  1. In Remedy, create a new form, FortiSIEM_Incident_Interface, with the incident attributes listed in the table at the end of this topic as the form fields.
  2. When you have defined the fields in the form, right-click each field and select the Data Type that corresponds to its incident attribute.
  3. After setting the form field data type, click in the form field again to set the Label for the field.
  4. When you are done creating the form, go to Servers > localhost > Web Service in Remedy, and select New Web Service.
  5. For Base Form, enter FortiSIEM_Incident_Interface.
  6. Click the WSDL tab.
  7. For the WSDL Handler URL, enter http://<midtier_server>/arsys/WSDL/public/<servername>/FortiSIEM_Incident_Interface.
  8. Click the Permissions tab and select Public.
  9. Click Save.

You can test the configuration by opening a browser window and entering the WSDL handler URL from step 7 above, substituting the Remedy Server IP address for <midtier_server> and localhost for <servername>. If you see an XML page, your configuration was successful. 

Incident Attributes for Defining Remedy Forms

Incident Attribute | Data type | Description
------------------ | --------- | -----------
biz_service | text | Name of the business services affected by this incident
cleared_events | text | Events which cleared the incident
cleared_reason | text | Reason for clearing the incident, if it was cleared
cleared_time | bigint | Time at which the incident was cleared
cleared_user | character varying(255) | User who cleared the incident
comments | text | Comments
cust_org_id | bigint | Organization ID to which the incident belongs
first_seen_time | bigint | Time when the incident occurred for the first time
last_seen_time | bigint | Time when the incident occurred for the last time
incident_count | integer | Number of times the incident triggered between the first and last seen times
incident_detail | text | Incident detail attributes that are not included in incident_src and incident_target
incident_et | text | Incident event type
incident_id | bigint | Incident ID
incident_src | text | Incident source
incident_status | integer | Incident status
incident_target | text | Incident target
notif_recipients | text | Incident notification recipients
notification_action_status | text | Incident notification status
orig_device_ip | text | Originating/reporting device IP
ph_incident_category | character varying(255) | FortiSIEM-defined category to which the incident belongs: Network, Application, Server, Storage, Environmental, Virtualization, Internal, Other
rule_id | bigint | Rule ID
severity | integer | Incident severity, 0 (lowest) to 10 (highest)
severity_cat | character varying(255) | LOW (0-4), MEDIUM (5-8), HIGH (9-10)
ticket_id | character varying(2048) | ID of the ticket created in FortiSIEM
ticket_status | integer | Status of the ticket created in FortiSIEM
ticket_user | character varying(1024) | Name of the user to whom the ticket is assigned in FortiSIEM
view_status | integer | View status
view_users | text | View users
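
As an added example (not FortiSIEM or Remedy code), the following Python checks a constructed incident record against a subset of the form attributes above: the integer/bigint ranges, the character varying(N) lengths, the 0-10 severity range, and whether severity_cat agrees with the LOW/MEDIUM/HIGH buckets given in the table. Representing the record as a flat dictionary is an assumption; the page does not show the notification wire format.

```python
import re
# Subset of the incident attributes and data types from the Remedy form table.
SCHEMA = {
    "cust_org_id": "bigint",
    "incident_count": "integer",
    "incident_id": "bigint",
    "incident_src": "text",
    "ph_incident_category": "character varying (255)",
    "severity": "integer",
    "severity_cat": "character varying (255)",
    "ticket_id": "character varying(2048)",
}
CATEGORIES = {"Network", "Application", "Server", "Storage",
              "Environmental", "Virtualization", "Internal", "Other"}
INT_RANGES = {"integer": (-2**31, 2**31 - 1), "bigint": (-2**63, 2**63 - 1)}
VARCHAR = re.compile(r"character varying\s*\((\d+)\)")

def severity_category(severity):  # bucket a 0-10 severity as severity_cat does
    return "LOW" if severity <= 4 else "MEDIUM" if severity <= 8 else "HIGH"

def check_type(name, value, dtype):
    """Return an error string if value does not fit dtype, else None."""
    if dtype in INT_RANGES:  # integer / bigint: whole number within range
        lo, hi = INT_RANGES[dtype]
        ok = isinstance(value, int) and not isinstance(value, bool) and lo <= value <= hi
        return None if ok else f"{name}: not a valid {dtype}"
    if not isinstance(value, str):  # text and character varying(N) are strings
        return f"{name}: expected string for {dtype}"
    m = VARCHAR.match(dtype)
    if m and len(value) > int(m.group(1)):
        return f"{name}: length {len(value)} exceeds {m.group(1)}"
    return None

def validate_incident(incident):
    """Return a list of problems; an empty list means the record fits the form."""
    errors = [f"{k}: not a form field" for k in incident if k not in SCHEMA]
    for name, dtype in SCHEMA.items():
        if name in incident and (err := check_type(name, incident[name], dtype)):
            errors.append(err)
    sev = incident.get("severity")
    if isinstance(sev, int) and not isinstance(sev, bool):
        expected = severity_category(sev) if 0 <= sev <= 10 else None
        if expected is None:
            errors.append("severity: outside 0-10")
        elif incident.get("severity_cat", expected) != expected:
            errors.append("severity_cat: does not match severity")
    if incident.get("ph_incident_category", "Other") not in CATEGORIES:
        errors.append("ph_incident_category: not a FortiSIEM category")
    return errors
```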


Complete these steps to set up the routing to your Remedy server.

  1. Go to ADMIN > Settings > Analytics > Incident Notification tab.
  2. Enter the following information under Remedy Notification section.
  3. For WSDL, enter the URL of the Remedy Server.
  4. Enter the User Name and Password associated with your Remedy server, and enter Confirm Password to reconfirm the password.
  5. Click Test to check the connection.
  6. Click Save.

Setting a Subcategory

FortiSIEM Incidents are grouped into different categories – Availability, Change, Performance, Security and Other. A Category is assigned to every Rule and you can search any Incidents using these Categories. FortiSIEM extends this concept to include Subcategories. A Subcategory is defined for every system-defined rule. You can add a Subcategory for custom rules and also create new Subcategories. Incidents can be searched using both Categories and Subcategories.

Creating a Subcategory

  1. Go to ADMIN > Settings > Analytics > Subcategory.
  2. Select the Category from the left-hand panel where you want to create a Subcategory.
  3. Click Add in the right-hand panel.
  4. Enter a name for the new Subcategory.
  5. Click the checkmark icon or click Save All.

Modifying a Subcategory

You can modify only user-defined Subcategories. You cannot modify system-defined Subcategories.

  1. Select the Subcategory you want to modify.
  2. Click the edit icon.
  3. Modify the name in the Subcategory field.
  4. Click the checkmark icon or Save All.

Deleting a Subcategory

You can delete only user-defined Subcategories. You cannot delete system-defined Subcategories.

  1. Select the Subcategory you want to delete.
  2. Click the - icon.
  3. Click Save All.

Setting Risk Filters

A Risk Filter allows you to include or exclude certain rules from the Risk Score calculation. For more information on Risk Scores, see Risk View.

In the SP model, you can create a global Risk Filter or filters for individual organizations. A global Risk Filter can include only system rules, and is available to all organizations. You can create only one Risk Filter for an organization. Multiple filters are not allowed. This Risk Filter includes the filter defined for the organization itself and the global filter if one exists.

The VA model allows only one filter.

The Risk Filter view contains a table with three columns. The Scope column lists the organization the filter belongs to. The Included Rules column lists the rules that will be included in the calculation of the Risk Score. The Excluded Rules column lists the rules that will not be included in the calculation of the Risk Score.

Creating a Risk Filter

Follow these steps to create a Risk Filter.

  1. Go to ADMIN > Settings > Analytics > Risk Filter to open the Risk Filter view.
  2. Click New.
  3. In the New Risk Filter dialog box, select Super/Local or the name of an organization from the Add filter for drop-down list.
  4. Click Next.
  5. In the next dialog box, Include is selected by default. Open the Rules tree under Groups and shuttle the rules you want to include in the filter from the Rules column to the Selection column.
  6. Select Exclude and repeat the process described in the previous step to exclude rules from the filter.
  7. Click Save. Your rule selections will appear in the Included Rules and Excluded Rules columns of the table.

Editing a Risk Filter

Follow these steps to edit a Risk Filter.

  1. Go to ADMIN > Settings > Analytics > Risk Filter to open the Risk Filter view.
  2. Click Edit.
  3. In the dialog box, Include is selected by default. Shuttle the rules you do not want to be included in the Risk Score from the Selection column to the Rules column.
  4. Select Exclude and repeat the process described in the previous step to exclude rules from the filter.
  5. Click Save.

Deleting a Risk Filter

Follow these steps to delete a Risk Filter.

  1. Go to ADMIN > Settings > Analytics > Risk Filter to open the Risk Filter view.
  2. Select the row in the table containing the filter you want to delete.
  3. Click Delete.

Viewing Risk Filter Results

To see the impact of the filters you defined, go to INCIDENTS and click the Risk icon to open the Risk View. For a description of the Risk View, see Risk View.

Tags

Tags allow you to create a keyword or phrase, the "tag", that can be associated with rules that trigger incidents. After creating a tag, you associate it with a rule (see Creating a Rule: Step 3: Define Actions). After this configuration, you can view tags on the Incidents List View page in either of the following ways.

  • Add the Tag column to view tags that were part of a rule-triggered incident.

  • Search for tag-related incidents by including Incident Tag as part of your search.

Creating a Tag

Follow these steps to create a new tag.

  1. Navigate to ADMIN > Settings > Analytics > Tags.

  2. Click New.

  3. In the Add New Tag window, take the following steps:

    1. In the Tag field, enter the name of the tag you wish to create.

    2. In the Color field, select a color for the tag: Red, Yellow, or Green.

    3. (Optional) In the Description field, add any information you wish to convey about the tag, such as its intent.

    4. When done, click Save.

At this point, your tag will be saved and will be available from the Tags drop-down list when creating or editing a Rule.

Editing a Tag

Follow these steps to edit a tag.

  1. Navigate to ADMIN > Settings > Analytics > Tags.

  2. Select the tag you wish to edit, and click Edit.

  3. In the Edit Tag: <Name of Tag> window, make any changes to the Tag, Color, and Description fields.

  4. When done, click Save.

Deleting a Tag

Follow these steps to delete a tag.

  1. Navigate to ADMIN > Settings > Analytics > Tags.

  2. Select the tag you wish to delete.

  3. Click Delete.