Analytics Settings
The following section describes the procedures for Analytics settings:
- Scheduled Reports
- Incident Notification
- Setting a Subcategory
- Setting Risk Filters
- Setting UEBA Higher Risk Entities
- UEBA Tags
- Tags
Scheduled Reports
Scheduled Reports allows you to schedule report notifications when a scheduled report is run, and also send a copy of a report to a remote location when a scheduled report is sent.
Scheduling Report Alerts
You can schedule reports to run and send email notifications to specific individuals. This setting is for default email notifications that will be sent when any scheduled report is generated.
- Go to ADMIN > Settings > Analytics > Scheduled Report tab.
- Select the required action under Scheduled Report Alerts section.
- Do not send scheduled emails if report is empty - Sometimes a report may be empty because there are no matching events. If you don't want to send empty reports to users, select this option. If you are running a multi-tenant deployment, and you select this option while in the Super/Global view, this will apply only to Super/Global reports. If you want to suppress delivery of empty reports to individual Organizations, configure this option in the Organizational view.
- Enter the email address in the Deliver notification via field. Click + to add more than one email address, if needed.
- Click Save.
- To receive email notifications, go to ADMIN > Settings > System > Email and configure your mail server.
Scheduling Report Copy
Reports can be copied to a remote location when the scheduler runs any report. Note that this setting only supports copying to a directory on a remote Linux host.
- Go to ADMIN > Settings > Analytics > Scheduled Report tab.
- Enter the following information under Scheduled Report Copy section.
- Enter the Host - IP address or name.
- Enter the Path - absolute path, such as /abc/def.
- Enter the User Name and Password, and enter Confirm Password to reconfirm the password.
- Click Test to check the connection.
- Click Save.
Note: For all of the above configurations, use the Edit button to modify any setting or Delete to remove any setting.
Incident Notification
Incident Notification allows you to configure incident notifications in the following ways.
Setting Incident HTTP Notification
You can configure FortiSIEM to send an XML message over HTTP(s) when an incident is triggered by a rule.
- Go to ADMIN > Settings > Analytics > Incident Notification tab.
- Enter the following information under Incident HTTP Notification section.
- For HTTP(S) Server URL, enter the URL of the remote host where the message should be sent.
- Enter the User Name and Password to use when logging in to the remote host, and enter Confirm Password to reconfirm the password.
- Click Test to check the connection.
- Click Save.
Incidents are sent out in XML format. For details, see here.
Setting Incident SNMP Traps
You can define SNMP traps that will be sent when an event triggers an incident.
- Go to ADMIN > Settings > Analytics > Incident Notification tab.
- Enter the following information under Incident SNMP Traps section.
- SNMP Trap IP Address
- SNMP Community String - to authorize sending the trap to the SNMP trap IP address.
- Select the SNMP Trap Type and SNMP Trap Protocol options.
- Click Test to check the connection.
- Click Save.
For the SNMP MIB definition, see here.
Setting Remedy Notification
You can set up Remedy to accept notifications from FortiSIEM and generate tickets from those notifications.
Configuring Remedy to Accept Tickets from FortiSIEM Incident Notifications
Before configuring Remedy to accept tickets, make sure you have configured the Remedy Notifications in FortiSIEM.
- In Remedy, create a new form, FortiSIEM_Incident_Interface, with the incident attributes listed in the table at the end of this topic as the form fields.
- When you have defined the fields in the form, right-click the field and select the Data Type that corresponds to the incident attribute.
- After setting the form field data type, click in the form field again to set the Label for the field.
- When you are done creating the form, go to Servers > localhost > Web Service in Remedy, and select New Web Service.
- For Base Form, enter FortiSIEM_Incident_Interface.
- Click the WSDL tab.
- For the WSDL Handler URL, enter http://<midtier_server>/arsys/WSDL/public/<servername>/FortiSIEM_Incident_Interface.
- Click the Permissions tab and select Public.
- Click Save.
You can test the configuration by opening a browser window and entering the WSDL handler URL from step 7 above, substituting the Remedy Server IP address for <midtier_server> and localhost for <servername>. If you see an XML page, your configuration was successful.
Incident Attributes for Defining Remedy Forms
Incident Attribute | Data type | Description |
---|---|---|
biz_service | text | Name of the business services affected by this incident |
cleared_events | text | Events which cleared the incident |
cleared_reason | text | Reason for clearing the incident if it was cleared |
cleared_time | bigint | Time at which the incident was cleared |
cleared_user | character varying (255) | User who cleared the incident |
comments | text | Comments |
cust_org_id | bigint | Organization id to which the incident belongs |
first_seen_time | bigint | Time when the incident occurred for the first time |
last_seen_time | bigint | Time when the incident occurred for the last time |
incident_count | integer | Number of times the incident triggered between the first and last seen times |
incident_detail | text | Incident Detail attributes that are not included in incident_src and incident_target |
incident_et | text | Incident Event type |
incident_id | bigint | Incident Id |
incident_src | text | Incident Source |
incident_status | integer | Incident Status |
incident_target | text | Incident Target |
notif_recipients | text | Incident Notification recipients |
notification_action_status | text | Incident Notification Status |
orig_device_ip | text | Originating/Reporting device IP |
ph_incident_category | character varying (255) | FortiSIEM defined category to which the incident belongs: Network, Application, Server, Storage, Environmental, Virtualization, Internal, Other |
rule_id | bigint | Rule id |
severity | integer | Incident Severity 0 (lowest) - 10 (highest) |
severity_cat | character varying (255) | LOW (0-4), MEDIUM (5-8), HIGH (9-10) |
ticket_id | character varying(2048) | Id of the ticket created in FortiSIEM |
ticket_status | integer | Status of ticket created in FortiSIEM |
ticket_user | character varying(1024) | Name of the user to which the ticket is assigned in FortiSIEM |
view_status | integer | View status |
view_users | text | View users |
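As an added example (not FortiSIEM or Remedy code), the following pre-flight check validates an incident record against the attribute table above before it is submitted to the FortiSIEM_Incident_Interface form: it enforces the listed data types and character varying lengths and checks that severity_cat matches the severity bands the table documents. The attribute names and types are taken from the table; the sample record is constructed.

```python
import re

# Attribute -> data type, exactly as the FortiSIEM_Incident_Interface table lists them.
SCHEMA = {
    "biz_service": "text", "cleared_events": "text", "cleared_reason": "text",
    "cleared_time": "bigint", "cleared_user": "character varying (255)",
    "comments": "text", "cust_org_id": "bigint", "first_seen_time": "bigint",
    "last_seen_time": "bigint", "incident_count": "integer", "incident_detail": "text",
    "incident_et": "text", "incident_id": "bigint", "incident_src": "text",
    "incident_status": "integer", "incident_target": "text", "notif_recipients": "text",
    "notification_action_status": "text", "orig_device_ip": "text",
    "ph_incident_category": "character varying (255)", "rule_id": "bigint",
    "severity": "integer", "severity_cat": "character varying (255)",
    "ticket_id": "character varying(2048)", "ticket_status": "integer",
    "ticket_user": "character varying(1024)", "view_status": "integer", "view_users": "text",
}
VARCHAR = re.compile(r"character varying\s*\((\d+)\)")  # both spellings used in the table


def severity_cat(severity: int) -> str:
    """Band a 0-10 severity the way the severity_cat row documents it."""
    if severity <= 4:
        return "LOW"
    return "MEDIUM" if severity <= 8 else "HIGH"


def validate_incident(rec: dict) -> list:
    """Return the problems found; an empty list means the record fits the Remedy form."""
    errs = [f"unknown attribute: {k}" for k in rec if k not in SCHEMA]
    for name, dtype in SCHEMA.items():
        if name not in rec:
            continue  # attributes are treated as optional; only type and length are enforced
        val, m = rec[name], VARCHAR.match(dtype)
        if dtype == "text" or m:
            if not isinstance(val, str):
                errs.append(f"{name}: expected string for {dtype}")
            elif m and len(val) > int(m.group(1)):
                errs.append(f"{name}: longer than {m.group(1)} characters")
        elif isinstance(val, bool) or not isinstance(val, int):
            errs.append(f"{name}: expected {dtype}")
    sev = rec.get("severity")
    if isinstance(sev, int) and not 0 <= sev <= 10:
        errs.append("severity: must be 0 (lowest) to 10 (highest)")
    elif isinstance(sev, int) and rec.get("severity_cat", severity_cat(sev)) != severity_cat(sev):
        errs.append("severity_cat: does not match severity")
    return errs


# Constructed sample record, not real FortiSIEM output.
SAMPLE = {"incident_id": 1001, "rule_id": 42, "severity": 9, "severity_cat": "HIGH",
          "incident_et": "PH_RULE_EXAMPLE", "first_seen_time": 1700000000000,
          "last_seen_time": 1700000600000, "incident_count": 3, "ph_incident_category": "Network"}
```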
Complete these steps to set up the routing to your Remedy server.
- Go to ADMIN > Settings > Analytics > Incident Notification tab.
- Enter the following information under Remedy Notification section.
- For WSDL, enter the URL of the Remedy Server.
- Enter the User Name and Password associated with your Remedy server, and enter Confirm Password to reconfirm the password.
- Click Test to check the connection.
- Click Save.
Setting a Subcategory
FortiSIEM Incidents are grouped into different categories – Availability, Change, Performance, Security and Other. A Category is assigned to every Rule and you can search any Incidents using these Categories. FortiSIEM extends this concept to include Subcategories. A Subcategory is defined for every system-defined rule. You can add a Subcategory for custom rules and also create new Subcategories. Incidents can be searched using both Categories and Subcategories.
Creating a Subcategory
- Go to ADMIN > Settings > Analytics > Subcategory.
- Select the Category from the left-hand panel where you want to create a Subcategory.
- Click Add in the right-hand panel.
- Enter a name for the new Subcategory.
- Click the checkmark icon or click Save All.
Modifying a Subcategory
You can modify only user-defined Subcategories. You cannot modify system-defined Subcategories.
- Select the Subcategory you want to modify.
- Click the edit icon.
- Modify the name in the Subcategory field.
- Click the checkmark icon or Save All.
Deleting a Subcategory
You can delete only user-defined Subcategories. You cannot delete system-defined Subcategories.
- Select the Subcategory you want to delete.
- Click the - icon.
- Click Save All.
Setting Risk Filters
A Risk Filter allows you to include or exclude certain rules from the Risk Score calculation. For more information on Risk Scores, see Risk View.
In the SP model, you can create a global Risk Filter or filters for individual organizations. A global Risk Filter can include only system rules, and is available to all organizations. You can create only one Risk Filter for an organization. Multiple filters are not allowed. This Risk Filter includes the filter defined for the organization itself and the global filter if one exists.
The VA model allows only one filter.
The Risk Filter view contains a table with three columns. The Scope column lists the organization the filter belongs to. The Included Rules column lists the rules that will be included in the calculation of the Risk Score. The Excluded Rules column lists the rules that will not be included in the calculation of the Risk Score.
Creating a Risk Filter
Follow these steps to create a Risk Filter.
- Go to ADMIN > Settings > Analytics > Risk Filter to open the Risk Filter view.
- Click New.
- In the New Risk Filter dialog box, select Super/Local or the name of an organization from the Add filter for drop-down list.
- Click Next.
- In the next dialog box, Include is selected by default. Open the Rules tree under Groups and shuttle the rules you want to include in the filter from the Rules column to the Selection column.
- Select Exclude and repeat the process described in the previous step to exclude rules from the filter.
- Click Save. Your rule selections will appear in the Included Rules and Excluded Rules columns of the table.
Editing a Risk Filter
Follow these steps to edit a Risk Filter.
- Go to ADMIN > Settings > Analytics > Risk Filter to open the Risk Filter view.
- Click Edit.
- In the dialog box, Include is selected by default. Shuttle the rules you do not want to be included in the Risk Score from the Selection column to the Rules column.
- Select Exclude and repeat the process described in the previous step to exclude rules from the filter.
- Click Save.
Deleting a Risk Filter
Follow these steps to delete a Risk Filter.
- Go to ADMIN > Settings > Analytics > Risk Filter to open the Risk Filter view.
- Select the row in the table containing the filter you want to delete.
- Click Delete.
Viewing Risk Filter Results
To see the impact of the filters you defined, go to INCIDENTS. Click the Risk icon to open the Risk View. For a description of the Risk View, see Risk View.
Tags
Tags allow you to create a keyword or phrase, the "tag", that can be associated with rules that trigger incidents. After creating a tag, you associate it with a rule (See Creating a Rule: Step 3: Define Actions). After this configuration, you can view tags on the Incidents List View page by doing any of the following.
- Add the Tag column to view tags that were part of a rule triggered incident.
- Search for tag related incidents by including Incident Tag as part of your search.
Creating a Tag
Follow these steps to create a new tag.
- Navigate to ADMIN > Settings > Analytics > Tags.
- Click New.
- In the Add New Tag window, take the following steps:
- In the Tag field, enter the name of the tag you wish to create.
- In the Color field, select a color for the tag: Red, Yellow, or Green.
- (Optional) In the Description field, add any information you wish to convey about the tag, such as its intent.
- When done, click Save.
At this point, your tag will be saved and available from the Tags drop-down list when creating or editing a Rule.
Editing a Tag
Follow these steps to edit a tag.
- Navigate to ADMIN > Settings > Analytics > Tags.
- Select the tag you wish to edit, and click Edit.
- In the Edit Tag: <Name of Tag> window, make any changes to the Tag, Color, and Description fields.
- When done, click Save.
Deleting a Tag
Follow these steps to delete a tag.
- Navigate to ADMIN > Settings > Analytics > Tags.
- Select the tag you wish to delete.
- Click Delete.