System Settings
The following section describes the procedures for system settings:
- UI Settings
- Email Settings
- Collector Image Server Settings
- Event Worker Settings
- Query Worker Settings
- Lookup Settings
- Kafka Settings
- Dashboard Slideshow Settings
- Dashboard Ownership
- PAYG Report
UI Settings
There are two locations where you can change UI settings in FortiSIEM. One location is in the user profile. The other is in the administrator settings.
User Profile UI Settings
The initial view of FortiSIEM UI after login can be configured using the UI settings including dashboard, logos, and theme.
Click the User Profile icon in the upper right corner of the UI. The dialog box contains three tabs:
Basic - Use the Basic tab to change the password you use to log in to the system.
Contact - Use the Contact tab to enter your contact information.
UI Settings - Use the UI Settings tab to set the following:
Settings | Guidelines |
---|---|
Home | Select the tab which opens when you log in to the FortiSIEM UI. |
Incident Home | Select the Overview, List (by Time, by Device, by Incident), Risk, Explorer, or MITRE ATT&CK (Rule Coverage, Incident Coverage, Incident Explorer) display for the INCIDENTS tab. |
Dashboard Home | Select the Dashboard to open by default under the DASHBOARD tab from this drop-down list. |
Dashboard Settings | Select the type of dashboards to be visible/hidden using the left/right arrows. The up/down arrows can be used to sort the Dashboards. |
Language | Specify which language will be used for the UI display. Many UI items have been translated into the languages in the drop-down list, including buttons, labels, top-level headings, and breadcrumbs. Items that are data-driven are not translated. |
Theme | Select Dark or Light theme for FortiSIEM UI. Save and refresh the browser to view the change. |
Date Format | Select one of the following formats for displaying date and time information. |
When done configuring, click Save.
Note: All of the above settings will take effect when you log in again or when you refresh the browser in the same login session.
Administrator UI Settings
Click ADMIN > Settings > System > UI to access the administrator UI settings.
Settings | Guidelines |
---|---|
UI Logo | Click the edit icon to enter the path to the image file for the logo that will be used in the UI. |
Report Logo | Click the edit icon to enter the path to the image file for the logo that will be used in reports. |
Google Maps API Key | Click the edit icon to enter the API key to access Google Maps. |
Login Banner | Administrators can choose a login banner to display to users after login. Click the Enabled checkbox to display a login banner. In the field below Login Banner, enter the text that you want to appear. Some simple BBCode tags are allowed in this message input: "b" - bold, "i" - italic, "u" - underline, "url" - url. HTML tags are not allowed. Nested tags are not allowed. When done, click Save. In addition to the banner, the user will see the following: |
Email Settings
The system can be configured to send email as an incident notification action or send scheduled reports. Use these fields to specify outbound email server settings.
Complete these steps to customize email settings:
- Go to ADMIN > Settings > System > Email tab.
- Enter the following information under Email Settings:
Settings | Guidelines |
---|---|
Email Gateway Server | [Required] Holds the gateway server used for email. |
Server Account ID | [Required] The account name for the gateway. |
Account password | [Required] The password for the account. |
Enable S/MIME | Add a check mark to enable Secure/Multipurpose Internet Mail Extensions (S/MIME) to encrypt your emails. To add an S/MIME certificate, go to CMDB > Users > Ungrouped, create or edit a user, select Contact Info, ensure the Email field is filled out, and upload the certificate in the Certificate field. |
Send Without Key | If this option is selected, then email is sent to a user even if no S/MIME certificate is defined for that user. The email is encrypted with a default certificate and the user cannot read this email. If this option is unselected, then email is not sent to a user without an S/MIME certificate. Therefore, to use the S/MIME option, certificates must be defined for all users configured to receive email. |
Server Port | Port used by the gateway server. |
Secure Connection (TLS) | Protocol used by the gateway server. This can be Exchange or SMTP. |
Admin Email Ids | Email addresses for all of the admins. |
Default Email Sender | Default email address of the sender. |
- Click the Test Email button to test the new email settings.
- Click Save.
Customizing the Incident Email Template
Use the following procedure to customize the incident email template.
- Click New under the section Incident Email Template.
- Enter the Name of the template.
- Select the Organization from the list.
- Enter the Email Subject. You can also choose the incident attribute variables from Insert Content drop-down as part of Email Subject.
- Enter the Email Body by selecting the attribute variables from Insert Content drop-down into your template, rather than typing.
If required, enable Support HTML for HTML content support.
Incident Attribute | Description |
---|---|
Organization | Organization to which this Incident belongs. |
Status | Incident Status: Active (0), Auto Cleared (1), Manually Cleared (2), System Cleared (3) |
Host Name | Host Name from Incident Target. If not found, then gathered from Incident Source. |
Incident ID | Incident ID, assigned by FortiSIEM and unique. This attribute has a URL which takes the user to this incident after login. |
Incident ID Without Link | Incident ID, assigned by FortiSIEM and unique. This attribute does not have a URL. |
First Seen Time | First time the incident occurred |
Last Seen Time | Last time the incident occurred |
Incident Category | Security, Performance, Availability or Change |
Incident Severity | A number from 0-10 |
Incident Severity Category | HIGH (9-10), MEDIUM (5-8) and LOW (1-4) |
Incident Count | Number of times the same incident has happened with the same group by parameters |
Rule Name | Rule Name |
Rule Remediation Note | Remediation note defined for each rule |
Rule Description | Rule Description |
Incident Source | Source IP, Source Name in an Incident |
Incident Target | Destination IP, Destination Host Name, Host IP, Host Name, User in an Incident |
Incident Detail | Any group by attribute in an Incident other than those in Incident Source and Incident Target |
Affected Business Service | Comma separated list of all business services to which Incident Source, Incident Target or Reporting Device belongs |
Identity | Identity and Location for Incident Source |
Notify Policy ID | Notification Policy ID that triggered this email notification |
Triggering Attributes | List of attributes that trigger a rule, found in Rule > Sub pattern > Aggregate |
Raw Events | Triggering events in raw format as sent by the device (up to 10) |
Incident Cleared Reason | Value set by user when clearing a rule |
Device Annotation | Annotation for the device in Incident Target, set in CMDB |
Device Description | Description for the device in Incident Target, set in CMDB |
Device Location | Location for the device in Incident Target, set in CMDB |
Incident Subcategory | Specific for each category, as set in the Rule definition |
Incident Resolution | None, True Positive, False Positive |
- Click Preview to preview the email template.
- Click Save to apply the changes.
To set an email template as default, select the template in the list, and then click Set as Default. When you are creating a notification policy and must select an email template, if you leave the option blank, the default template will be used. For Service Provider deployments, to select a template as default for an Organization, first select the Organization, then set the default email template for that organization.
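The attribute table above describes several derived values (Host Name falling back from Target to Source, the severity bands, the 10-event cap on Raw Events, the linked and unlinked Incident ID). The following Python is an added example, not FortiSIEM code, showing how a renderer applies those rules. The `$[Attribute Name]` placeholder syntax, the incident field names, and the incident URL layout are assumptions made for this example; the sample incident is constructed. It also shows the check a practitioner wants when Support HTML is enabled: data-driven values such as raw events are escaped so that device-supplied text cannot inject markup into the email.

```python
"""Render an incident email template from derived incident attributes.
Added example, not FortiSIEM code. Placeholder syntax $[Name], the incident
field names and the URL layout are assumptions for this example."""
import html
import re

SEVERITY_BANDS = ((9, 10, "HIGH"), (5, 8, "MEDIUM"), (1, 4, "LOW"))  # from the table above
STATUS_NAMES = {0: "Active", 1: "Auto Cleared", 2: "Manually Cleared", 3: "System Cleared"}
MAX_RAW_EVENTS = 10  # the table caps Raw Events at 10

# Constructed sample incident (not real data); 12 raw events to exercise the cap.
SAMPLE_INCIDENT = {
    "id": 12345,
    "organization": "Super",
    "status": 0,
    "severity": 9,
    "ruleName": "Excessive Failed Logons",
    "source": {"ip": "198.51.100.7", "hostName": "src-host"},
    "target": {"ip": "192.0.2.20"},  # no hostName: renderer must fall back to the source
    "businessServices": ["Payroll", "HR Portal"],
    "rawEvents": [f"<14>Jan 01 00:00:{i:02d} host sshd: Failed password <script>x</script>" for i in range(12)],
}


def severity_category(severity):
    """Map a 0-10 severity to HIGH/MEDIUM/LOW using the page's bands.
    Severity 0 is outside all three bands; returning 'NONE' for it is an assumption."""
    for low, high, name in SEVERITY_BANDS:
        if low <= severity <= high:
            return name
    return "NONE"


def derive_attributes(incident, base_url):
    """Build the attribute values a template can reference."""
    target = incident.get("target", {})
    source = incident.get("source", {})
    status = incident["status"]
    return {
        "Organization": incident["organization"],
        "Status": f"{STATUS_NAMES[status]} ({status})",
        # Host Name comes from the Incident Target, else from the Incident Source
        "Host Name": target.get("hostName") or source.get("hostName") or "",
        # Hypothetical URL layout; the real link format is FortiSIEM's own
        "Incident ID": f"{base_url}/incident/{incident['id']}",
        "Incident ID Without Link": str(incident["id"]),
        "Incident Severity": str(incident["severity"]),
        "Incident Severity Category": severity_category(incident["severity"]),
        "Rule Name": incident["ruleName"],
        "Affected Business Service": ", ".join(incident.get("businessServices", [])),
        "Raw Events": "\n".join(incident.get("rawEvents", [])[:MAX_RAW_EVENTS]),
    }


def render(template, attrs, support_html=False):
    """Replace $[Attribute Name] placeholders. Unknown names are left untouched
    so a typo in the template is visible in the preview. With support_html the
    attribute values are HTML-escaped, since raw events are device-controlled."""
    def substitute(match):
        name = match.group(1)
        if name not in attrs:
            return match.group(0)
        value = attrs[name]
        return html.escape(value) if support_html else value
    return re.sub(r"\$\[([^\]]+)\]", substitute, template)


if __name__ == "__main__":
    attrs = derive_attributes(SAMPLE_INCIDENT, "https://fortisiem.example.invalid")
    template = "[$[Incident Severity Category]] $[Rule Name] on $[Host Name] ($[Status])\n$[Raw Events]"
    print(render(template, attrs, support_html=True))
```

Preview output in the plain-text case keeps the raw event text verbatim; in the HTML case the `<script>` fragment in the constructed events arrives as `&lt;script&gt;` and is displayed rather than interpreted by the mail client.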
Collector Image Server Settings
Click ADMIN > Settings > System > Collector Image Server to display the location of the image updates. The Image Download URL field cannot be edited.
To update the image, see Upgrade Collectors in the Upgrade Guide for more information.
If the Image Download URL field is empty, then no image updates have been performed.
Event Worker Settings
Collectors upload events and configurations to Worker nodes. Use this field to specify the Worker host names or IP addresses.
There are three cases:
- Explicit list of Worker IP addresses or host names: the Collector forwards to this list in a round-robin manner.
- No Workers, only a Supervisor and Collector(s): specify the Supervisor IP address or host name. The Collectors will upload directly to the Supervisor node.
- Host name of a load balancer: the Collector forwards to the load balancer, which must be configured to distribute events to the Workers.
Any host names specified in the Worker Upload settings must be resolvable by the Collector, and similarly, any specified IP addresses must be reachable from the Collector.
Complete these steps to configure Worker upload settings:
- Go to ADMIN > Settings > System.
- Click Event Worker.
- Enter the IP address of the event worker under Worker Address.
You can click '+' or '-' to add or remove addresses.
- Click Save.
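The requirement above (every Worker Upload host name must resolve from the Collector, and every IP address must be reachable from it) is easy to verify before saving. The following Python is an added example, not FortiSIEM code, to be run on the Collector host: it resolves each address and attempts a TCP connection to the upload port. The port (443) is an assumption about the deployment and may need to be adjusted; the address list in the `__main__` block is constructed.

```python
"""Pre-flight check for Worker Upload addresses, run from the Collector.
Added example, not FortiSIEM code. Assumes uploads use TCP port 443."""
import socket

DEFAULT_PORT = 443  # assumption about the Collector-to-Worker upload port


def resolve(address):
    """Return the sorted list of IP addresses the name resolves to.
    An IP address literal resolves to itself; an unresolvable name returns []."""
    try:
        infos = socket.getaddrinfo(address, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(ip, port, timeout=2.0):
    """True if a TCP connection to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def check_worker_addresses(addresses, port=DEFAULT_PORT, timeout=2.0):
    """For each configured address report what it resolved to and which of
    those IPs accept a TCP connection on the upload port."""
    results = []
    for address in addresses:
        ips = resolve(address)
        results.append({
            "address": address,
            "resolved": ips,
            "reachable": [ip for ip in ips if tcp_reachable(ip, port, timeout)],
        })
    return results


def unusable(results):
    """Addresses that would silently drop out of the round-robin list:
    unresolvable names or resolved IPs with no connectivity."""
    return [r["address"] for r in results if not r["reachable"]]


if __name__ == "__main__":
    # Constructed sample list; replace with the Worker Address entries you plan to save.
    configured = ["worker1.example.invalid", "192.0.2.11"]
    report = check_worker_addresses(configured)
    for entry in report:
        print(entry)
    print("unusable:", unusable(report))
```

An entry whose `resolved` list is empty points at a DNS problem on the Collector; one that resolves but has an empty `reachable` list points at a firewall or routing problem between the Collector and that Worker.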
Query Worker Settings
Release 5.3 introduces the concept of a Query Worker that handles only query requests: ad hoc queries from the GUI and scheduled reports. This allows more system resources to be dedicated to queries and makes them run faster.
By default, all Workers are also Query Workers. If you want only a subset of Workers to be Query Workers, then complete these steps:
- Go to ADMIN > Settings > System.
- Click Query Worker.
- Select the Workers you want to use from the list.
Note: Workers will be removed automatically from the Query Worker Settings if they are explicitly listed there. If you used a load balancer or DNS name, then you must manually remove the Query Worker from those configurations.
Lookup Settings
Lookup settings define external lookup links that can be used to look up any IP address or domain.
Complete these steps for lookup:
- Go to ADMIN > Settings > System > Lookup tab.
- Enter the Name.
- Select the Client Type to IP or Domain.
- Enter the Link for look-up.
You must enter "<ip>" in the link. FortiSIEM will replace "<ip>" with the proper IP address during lookup. For example, to look up the following URL:
http://whois.domaintools.com/8.8.8.8
Enter the following link in FortiSIEM:
http://whois.domaintools.com/<ip>
- Click Save.
Kafka Settings
FortiSIEM events found in system event database can be exported to an external system via Kafka message bus.
FortiSIEM supports both forwarding events to an external system via Kafka message bus as a 'Producer' and receiving events from a third-party system to FortiSIEM via Kafka message bus as a 'Consumer'.
As a Producer:
- Make sure you have set up a Kafka Cloud (here) with a specific Topic for FortiSIEM events.
- Make sure you have identified a set of Kafka brokers that FortiSIEM is going to send events to.
- Make sure you have configured Kafka receivers which can parse FortiSIEM events and store them in a database. An example would be a Logstash receiver (see here) that can store them in an Elasticsearch database.
- Configure event forwarding in order for FortiSIEM to send events to an external Kafka consumer.
- Supported Kafka version: 0.8
As a Consumer:
- Make sure you have set up a Kafka Cloud (here) with a specific Topic, Consumer Group and a Consumer for sending third party events to FortiSIEM.
- Make sure you have identified a set of Kafka brokers that FortiSIEM will receive events from.
- Supported Kafka version: 0.8
Setting up Consumer
Complete these steps to configure Kafka for authentication.
Note: Tested with
- kafka_2.11-0.11.0.2.tgz (Kafka 0.11, Scala 2.11)
- kafka_2.13-2.7.0.tgz (Kafka 2.7, Scala 2.13 which is the latest as of March 2021)
- Download the source code tarball (either one).
  https://archive.apache.org/dist/kafka/0.11.0.2/kafka_2.11-0.11.0.2.tgz
  https://archive.apache.org/dist/kafka/2.7.0/kafka_2.13-2.7.0.tgz
- Uncompress the files and enter the "config" folder.
- Modify the configuration files by appending the following to the end of the files:

```properties
# zookeeper.properties
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
jaasLoginRenew=3600000
```

```
# zookeeper_jaas.conf
Server {
  org.apache.zookeeper.server.auth.DigestLoginModule required
  user_super="zookeeper"
  user_alice="alice-secret";
};
```

Notice the last line is user_{username}="{password}". If the username is 'admin', the line will be user_admin="admin-password";

```properties
# server.properties
host.name=192.0.2.0
port=9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
sasl.enabled.mechanisms=SCRAM-SHA-512
authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
allow.everyone.if.no.acl.found=true
auto.create.topics.enable=true
listeners=SASL_PLAINTEXT://192.0.2.10:9092
advertised.listeners=SASL_PLAINTEXT://192.0.2.10:9092
ssl.client.auth=required
```

Note: Change the IP addresses to the actual ones.

```
# kafka_server_jaas.conf
KafkaServer {
  org.apache.kafka.common.security.scram.ScramLoginModule required
  username="alice"
  password="alice-secret"
  user_alice="alice-secret";
};
Client {
  org.apache.zookeeper.server.auth.DigestLoginModule required
  username="alice"
  password="alice-secret";
};
```

```
# kafka_client_jaas.conf
KafkaClient {
  org.apache.kafka.common.security.scram.ScramLoginModule required
  username="alice"
  password="alice-secret"
  user_alice="alice-secret";
};
Client {
  org.apache.zookeeper.server.auth.DigestLoginModule required
  username="alice"
  password="alice-secret";
};
```

```properties
# consumer.properties
security.protocol=SASL_PLAINTEXT
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="alice" password="alice-secret";
```

- Start zookeeper.

```shell
cd ..
export KAFKA_OPTS="-Djava.security.auth.login.config=$(pwd)/config/zookeeper_jaas.conf"
bin/zookeeper-server-start.sh config/zookeeper.properties
```

(In another shell window)

```shell
bin/kafka-configs.sh --zookeeper localhost:2181 --alter --add-config 'SCRAM-SHA-512=[password=alice-secret]' --entity-type users --entity-name alice
```

- Start the server (In another shell window)

```shell
export KAFKA_OPTS="-Djava.security.auth.login.config=$(pwd)/config/kafka_server_jaas.conf"
bin/kafka-server-start.sh config/server.properties
```

- Create topic (name=test1) (In another shell window)

```shell
bin/kafka-topics.sh --create --topic test1 --zookeeper localhost:2181 --partitions 3 --replication-factor 1
```

- Start consumer.

```shell
export KAFKA_OPTS="-Djava.security.auth.login.config=$(pwd)/config/kafka_client_jaas.conf"
bin/kafka-console-consumer.sh --topic test1 --bootstrap-server=192.0.2.10:9092 --consumer.config=config/consumer.properties
```

At this point, when FortiSIEM forwards events to this client, contents can be seen in the consumer window.

- (Optional) Start producer.

```shell
export KAFKA_OPTS="-Djava.security.auth.login.config=$(pwd)/config/kafka_client_jaas.conf"
bin/kafka-console-producer.sh --topic test1 --broker-list 192.0.2.10:9092 --producer.config config/producer.properties
```
Setting Up FortiSIEM
Complete these steps for configuring Kafka settings in FortiSIEM:
- Go to ADMIN > Settings > System > Kafka tab.
- Click New.
- Enter the Name and Topic.
- Select or search the Organization from the drop-down.
- Add Brokers by clicking + icon.
- Enter IP address or Host name of the broker.
- Enter Broker port (default 9092).
- Click Save.
- Select the Client Type to Producer or Consumer.
- If Consumer is selected in step 7, enter the Consumer Name and Group Name fields.
- Enable Authentication if you want to apply Kafka authentication by adding a checkmark to the Authentication checkbox, then take the following steps:
- Protocol should be set as SASL_PLAINTEXT.
- Select your authentication mechanism: PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.
- In the User Name field, enter the user name to authenticate for the Kafka servers.
- In the Password field, enter the password associated with the user name to authenticate for the Kafka servers.
- In the Confirm Password field, re-enter the password associated with the user name to authenticate for the Kafka servers.
- Click Save.
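The values entered in the FortiSIEM Kafka settings (Protocol, authentication mechanism, broker host and port, user name) must agree with what the broker configured in the setup steps above actually offers: the mechanism must be one of the broker's `sasl.enabled.mechanisms`, the protocol must match the scheme of the advertised listener on that host and port, and a SCRAM credential must exist for the user (the `kafka-configs.sh` step creates one for `alice`). The following Python is an added example, not FortiSIEM or Apache Kafka code, that checks those three points from the property fragments; the property text is constructed from the fragments shown above. It also flags that `SASL_PLAINTEXT` authenticates the client but leaves the forwarded events unencrypted on the wire.

```python
"""Consistency check between a Kafka broker's SASL settings and the client
settings entered in FortiSIEM. Added example, not FortiSIEM or Kafka code.
The property text is constructed from the fragments in the setup steps."""
import re

# Constructed sample: broker side (server.properties fragment from the steps above).
SERVER_PROPERTIES = """
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
sasl.enabled.mechanisms=SCRAM-SHA-512
listeners=SASL_PLAINTEXT://192.0.2.10:9092
advertised.listeners=SASL_PLAINTEXT://192.0.2.10:9092
"""

# Constructed sample: client side (consumer.properties fragment from the steps above).
CONSUMER_PROPERTIES = """
security.protocol=SASL_PLAINTEXT
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="alice" password="alice-secret";
"""


def parse_properties(text):
    """Parse key=value lines in Java .properties style; comments and blanks are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def listener_endpoints(props):
    """Return [(scheme, host, port)] from advertised.listeners, else listeners."""
    raw = props.get("advertised.listeners") or props.get("listeners", "")
    endpoints = []
    for item in raw.split(","):
        match = re.fullmatch(r"(\w+)://([^:/]+):(\d+)", item.strip())
        if match:
            endpoints.append((match.group(1), match.group(2), int(match.group(3))))
    return endpoints


def jaas_username(props):
    """Extract the username from a sasl.jaas.config value, or None if absent."""
    match = re.search(r'username="([^"]*)"', props.get("sasl.jaas.config", ""))
    return match.group(1) if match else None


def client_settings_from_consumer(props, host, port):
    """Map a consumer.properties file onto the fields the FortiSIEM Kafka dialog asks for."""
    return {
        "protocol": props.get("security.protocol", ""),
        "mechanism": props.get("sasl.mechanism", ""),
        "host": host,
        "port": port,
        "user": jaas_username(props),
    }


def check_client_settings(server_props, client, scram_users):
    """Return a list of mismatches; an empty list means both sides agree.
    scram_users: names for which kafka-configs.sh created SCRAM credentials."""
    problems = []
    enabled = {m.strip() for m in server_props.get("sasl.enabled.mechanisms", "").split(",") if m.strip()}
    if client["mechanism"] not in enabled:
        problems.append(f"mechanism {client['mechanism']!r} is not in the broker's sasl.enabled.mechanisms {sorted(enabled)}")
    matching = [e for e in listener_endpoints(server_props) if e[1] == client["host"] and e[2] == client["port"]]
    if not matching:
        problems.append(f"broker advertises no listener on {client['host']}:{client['port']}")
    elif matching[0][0] != client["protocol"]:
        problems.append(f"listener uses {matching[0][0]} but the client is set to {client['protocol']}")
    if client["mechanism"].startswith("SCRAM") and client["user"] not in scram_users:
        problems.append(f"no SCRAM credential was created for user {client['user']!r}")
    return problems


def transport_warning(client):
    """SASL_PLAINTEXT authenticates but does not encrypt; SASL_SSL would."""
    if client["protocol"] == "SASL_PLAINTEXT":
        return "events are sent unencrypted; SASL_PLAINTEXT only authenticates the client"
    return None


if __name__ == "__main__":
    server = parse_properties(SERVER_PROPERTIES)
    client = client_settings_from_consumer(parse_properties(CONSUMER_PROPERTIES), "192.0.2.10", 9092)
    print("problems:", check_client_settings(server, client, {"alice"}))
    print("warning:", transport_warning(client))
```

Running it against the fragments from the setup steps reports no mismatches; changing the mechanism in the FortiSIEM dialog to SCRAM-SHA-256 while the broker only enables SCRAM-SHA-512 is the kind of mismatch it catches before the consumer silently fails to authenticate.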
Dashboard Slideshow Settings
Dashboard Slideshow settings are used to select a set of dashboards and display them in slideshow mode on large monitors, covering the entire display. This is useful for Network and Security Operation Centers.
Complete these steps to create a Dashboard Slideshow:
- Go to ADMIN > Settings > System > Dashboard Slideshow tab.
- Click New to create a slideshow.
- Enter a Name for the slideshow.
- Select the Interval for switching between dashboards.
- Select the Dashboards from the list and move to the Selected list.
These dashboards will be displayed in slideshow mode.
- Click Save.
For all the above System settings, use the Edit button to modify or Delete button to remove any setting from the list.
Dashboard Ownership
Dashboard Ownership settings are used to transfer editing rights for a shared dashboard from its current owner to another person. The person receiving the rights must have exactly the same role permissions as the current owner. This feature is useful when the current owner is no longer available and another person must handle that individual's shared dashboard.
Complete these steps to transfer Dashboard Ownership:
- Go to ADMIN > Settings > System > Dashboard Ownership tab.
- Select the Dashboard you wish to transfer ownership of.
- Click Transfer.
- In the Transfer Ownership window, select the new owner from the To: drop-down list.
- Click Save.
You can verify the transfer by looking at the user in the User column.
PAYG Report
If applicable, you can generate a daily or monthly Pay as you Go (PAYG) report.
Complete these steps to generate a daily or monthly PAYG report:
- Go to ADMIN > Settings > System > PAYG Report tab.
- In the Partner ID field, enter the Partner ID.
- Take the following steps to enable Daily Reports.
  - Check the Daily Report checkbox.
  - In the Email field, enter the email address for a person to whom a daily report should be sent.
  - Click + to add another Email field entry.
  - Repeat steps b and c to input additional entries.
- Take the following steps to enable Monthly Reports.
  - Check the Monthly Report checkbox.
  - In the Email field, enter the email address for a person to whom a monthly report should be sent.
  - Click + to add another Email field entry.
  - Repeat steps b and c to input additional entries.
- When done, click Test to verify your email address distribution.
- Click Save.