Adding Users

The following section describes how to add users to FortiSIEM CMDB. Once an user is defined, you can do the following functions:

  • Allow the user to log in to FortiSIEM GUI
  • Allow the user to receive FortiSIEM notification
  • Use the users in Analytics (Rules and Reports)

You can add users in one of the following ways:

See Implementation Notes for additional information.

Add Users Manually

Complete these steps to add a user:

  1. Navigate to CMDB > Users.
  2. Select a Users Folder/Group with new user creation permission, such as FortiSIEM Users, and click New to create a new user.
  3. Click on the General tab.
    1. Add the user profile information in the User Name, Full Name, Job Title and Company fields.
    2. Click the Importance drop-down list to select the importance of this user - "Normal", "Important", "Critical", or "Mission Critical".
    3. Enable Active if this is an active user.
    4. Enter the user's Domain.
    5. Enter the user's Distinguished Name DN.
    6. Enter the Employee ID of the user.
    7. Select the Manager to which this user belongs.
    8. Click Alias to enter any alias information for the user.
      1. In the Alias field, provide the alias user name.
      2. From the Identity Provider field, enter/select from AWS IAM, DUO, or Microsoft AD.
      3. In the Description field, enter any additional information about the alias.
      4. If another Alias is needed, in the Row column, click + to add another row for another alias, and repeat steps i-iii.
      5. Click Save when done.
    9. Click the Team Lead checkbox to define a user as a Team Lead for Case Management.
      Note: This option is only available for users created under FortiSIEM Analysts Group.
    10. Enter any Description about the user.
  4. Click on the Contact tab.
    1. Add user contact information to the appropriate contact information fields - Work Phone, Mobile Phone, Home Phone, SMS, SMS Provider, ZIP, Email, Address, City, State, and Country field.
    2. If your company uses S/MIME for email, make sure the Email field is filled out, and upload the S/MIME certificate in the Certificate field by clicking Upload, and selecting your certificate.
    3. Click Save when done.
  5. Click on the FortiSIEM Attributes tab.
    1. For User Unlock, select Unlock by Administrator or Delay next login for ## minutes. If Delay next login for ## minutes is selected, enter the number of minutes the user will be unable to log into the system after five successive authentication failures.
    2. For Idle Timeout, enter the number of minutes after which an inactive user will be logged out. 
      Note: By design, this is currently disabled, and cannot be edited.
    3. For Password Reset, enter the number of days after which a user’s current password for logging in to the system will automatically expire. If left blank, the user's password will never expire. 
    4. For FortiSIEM Role, enable by selecting the FortiSIEM Role checkbox.
      1. For Mode, select Local or External.
        If you select Local, enter and then reconfirm the user password. For External, see Authentication Settings for more information about using external authentication.
        Notes:
        • If more than one authentication profile is associated with a user, then the servers will be contacted one-by-one until a connection to one of them is successful. Once a server has been contacted, if the authentication fails, the process ends, and the user is notified that the authentication failed.
        • For local users, passwords must contain between 8 and 64 characters, and must include 1 letter, 1 numeric character and 1 special character.
      2. Select a Default Role for the user.
        See the topic Role Settings for a list of default roles and permission. You can also create new roles, which will be available in this menu after you create them. 

        If this FortiSIEM Role user should be allowed to approve de-anonymization requests, ensure the Deobfuscation Approver role has been configured in Role Settings and that this configured role is selected here.

        If the FortiSIEM Role user should be allowed to approve remediation requests, ensure the Remediation Approver role has been configured in Role Settings and that this configured role is selected here.

        For Case Management, FortiSIEM recommends choosing Full Admin to get the permissions needed to handle any case.
      3. Click Save when done.
    5. Click on Work Schedule to configure the user's work schedule.
      Note: This option is only available for users created under FortiSIEM Analysts Group.
      1. Under Time Range, enter the Start Time, End Time, and select the Time Zone from the Time and Region drop-down lists.
      2. Under Recurrence Pattern, select Recurring Days, then select the Repeat Days and Repeat Months, or select Recurring Dates, followed by selecting the Repeat Dates, and Repeat Months.
      3. Under Recurrence Range, click on the Start From field, and select the start date. Next, select No end date or End By. If End By is selected, click on the End By field, and select the end date.
      4. Click Save when done.

    6. Click on Time Off Schedule to configure when a user plans to be off work.
      Notes
      This option is only available for users created under FortiSIEM Analysts Group.
      When you configure Time Off, you should only select the period of time that will be taken off from the work schedule, i.e., if a user works from 8:00am-5:00pm, then the time off period should be 8:00am-5:00pm.
      1. Under Time Range, enter the Start Time, End Time, and select the Time Zone from the Time and Region drop-down lists.
      2. Under Recurrence Pattern, select Recurring Days, then select the Repeat Days and Repeat Months, or select Recurring Dates, followed by selecting the Repeat Dates, and Repeat Months.
      3. Under Recurrence Range, click on the Start From field, and select the start date. Next, select No end date or End By. If End By is selected, click on the End By field, and select the end date.
      4. Click Save when done.
    7. Click Save when done.

Discover Users from Microsoft Active Directory

Step 1: Create LDAP Login Credentials and Associate with LDAP Server IP Address

  1. Log in to your Supervisor node.
  2. Go to ADMIN > Setup > Credentials.
  3. Click New.
  4. Enter a Name.
  5. For Device Type, select Microsoft Windows.
  6. Select your Access Protocol.

    FortiSIEM supports these LDAP protocols:
  7. Protocol Settings
    LDAP [Required] IP Host - Access IP for LDAP

    Port - Non-secure version on port 389
    LDAPS [Required] IP Host - Access IP for LDAPS

    Port - Secure version on port 636

    LDAP Start TLS [Required] IP Host - Access IP for LDAP Start TLS

    Port - Secure version on port 389

  8. For Used For, select Microsoft Active Directory
  9. For Base DN, enter the root of the LDAP user tree. 
  10. Enter the NetBIOS/Domain for your LDAP directory.
  11. Enter the User Name for your LDAP directory.

    For user discovery from OpenLDAP, specify the full DN as the user name. For Active Directory, use your server login name.
  12. Enter and confirm the Password for your User Name
  13. Click Save.

    Your LDAP credentials will be added to the list of Credentials.
  14. Under Enter IP Range to Credential Associations, click Add
  15. Select your LDAP credentials from the list of Credentials. Click + to add more.
  16. Enter the IP/IP Range or host name for your Active Directory server.
  17. Click Save.

    Your LDAP credentials will appear in the list of credential/IP address associations.
  18. Click Test > Test Connectivity to make sure you can connect to the Active Directory server.

Step 2: Discover Active Directory Server and Users

  1. Go to ADMIN > Setup Discovery.
  2. Click New.
  3. For Name, enter Active Directory.
  4. For Include Range, enter the IP address or host name for your Active Directory server. 
  5. Leave all the default settings, but clear the Discover Routes under Options
  6. Click OK.

    Active Directory will be added to the list of discoverable devices.
  7. Select the Active Directory device and click Discover
  8. After discovery completes, go to CMDB > Users to view the discovered users. 
    You may need to click Refresh for the user tree hierarchy to load.

Step 3: Set FortiSIEM Attributes for Users

  1. From the CMDB > Users page, select the user, and click Edit.
  2. From the Manager drop-down list, select the Manager which this user belongs.
  3. For System Admin, enable by selecting the System Admin checkbox.
    1. For Mode, select Local or External.
      If you select Local, enter and then reconfirm the user password. For External, see Authentication Settings for more information about using external authentication.
      Note: If more than one authentication profile is associated with a user, then the servers will be contacted one-by-one until a connection to one of them is successful. Once a server has been contacted, if the authentication fails, the process ends, and the user is notified that the authentication failed.
    2. Select a Default Role for the user.
      See the topic Role Settings for a list of default roles and permission. You can also create new roles, which will be available in this menu after you create them. 
  4. Click Save.

Discover Users from OKTA

Step 1: Prepare OKTA for Authentication

To use Okta authentication for your FortiSIEM deployment, you must set up a SAML 2.0 Application in Okta, and then use the certificate associated with that application when you configure external authentication.

  1. Log into Okta.
  2. In the Applications tab, create a new application using Template SAML 2.0 App
  3. Under Settings, configure the settings similar to the table below:

    Post Back URLPost Back URL
    Application labelFortiSIEM Demo
    Force AuthenticationEnable
    Post Back URLhttps://<FortiSIEMIP>/phoenix/okta
    Name ID FormatEmailAddress
    RecipientFortiSIEM
    Audience RestrictionSuper
    authnContextClassRefPasswordProtectedTransport
    ResponseSigned
    AssertionSigned
    RequestUncompressed
    Destinationhttps://<FortiSIEMIP>/phoenix/okta
  4. Click Save.
  5. In the Sign On tab, click View Setup Instructions.
  6. Click Download Certificate
  7. Follow the instructions above and enter the downloaded certificate for Okta authentication. 

Step 2: Create an OKTA API Token

  1. Log in to Okta using your Okta credentials. 
  2. Got to Administration > Security > API Tokens.
  3. Click Create Token.

    You will use this token when you set up the Okta login credentials in the next section. Note that this token will have the same permissions as the person who generated it. 

Step 3: Create OKTA Login Credentials in FortiSIEM and Associate with OKTA Server

  1. Log in to your Supervisor node.
  2. Go to ADMIN > Setup > Credentials.
  3. Click New.
  4. Enter a Name.
  5. For Device Type, select OKTA.com OKTA.
  6. For Access Protocol, select OKTA API.
  7. Enter the Pull Interval in minutes.
  8. Enter the Domain associated with your Okta account.

    For example, FortiSIEM.okta.com
  9. Enter and reconfirm the Security Token you created.
  10. Enter any related information in Description.
  11. Click Save.

    Your Okta credentials will be added to the list of Credentials.
  12. Under Enter IP Range to Credential Associations, click New
  13. Enter the IP/IP range or host name for your Okta account.
  14. Select your Okta credentials from the list of Credentials. Click + to add more.
  15. Click Save.

    Your Okta credentials will appear in the list of credential/IP address associations.
  16. Click Test > Test Connectivity to make sure you can connect to the Okta server.

Step 4: Discover OKTA Users

If the number of users is less than 200, then Test Connectivity will discover all the users. Okta API has some restrictions that do not allow FortiSIEM to pull more than 200 users. In this case, follow these steps:

  1. Log in to Okta.
  2. Download user list CSV file (OktaPasswordHealth.csv) by visiting Admin > Reports > Okta Password Health.
  3. Rename the CSV file to all_user_list_%s.csv. (%s is the placeholder of token obtained in Create an Okta API Token - Step 3, e.g. all_user_list_00UbCrgrU9b1Uab0cHCuup-5h-6Hi9ItokVDH8nRRT.csv).
  4. Log in to FortiSIEM Supervisor node:
    1. Upload CSV file all_user_list_%s.csv to this directory /opt/phoenix/config/okta/
    2. Make sure the permissions are admin and admin (Run chown -R admin:admin /opt/phoenix/config/okta/)
    3. Go to ADMIN > Setup > Credentials > Enter IP Range to Credential Associations.
    4. Select the Okta entry and run Test > Test connectivity to import all users.

Step 5: Set FortiSIEM Attributes for Users

  1. From the CMDB > Users page, select the user, and click Edit.
  2. From the Manager drop-down list, select the Manager which this user belongs.
  3. For System Admin, enable by selecting the System Admin checkbox.
    1. For Mode, select Local or External.

      If you select Local, enter and then reconfirm the user password. For External, see Authentication Settings for more information about using external authentication.

      Note: If more than one authentication profile is associated with a user, then the servers will be contacted one-by-one until a connection to one of them is successful. Once a server has been contacted, if the authentication fails, the process ends, and the user is notified that the authentication failed.
    2. Select a Default Role for the user.

      See the topic Role Settings for a list of default roles and permission. You can also create new roles, which will be available in this menu after you create them. 

  4. Click Save.

Implementation Notes

  • For Service Provider deployments:
    • If you add users as a Super/Global admin, then the added users will be in the Super/Global group.
    • If you login to a specific Organization and create users there, then the users will belong to that Organization.
  • When viewing this user list as a Super global user, you may see repetitions of a few User Names, where those names exist in multiple Organizations. This can be determined by checking the contents of the Organization column.
  • Repetition of User Names may also occur if an LDAP server has moved from one Organization to another and discovery of that LDAP server introduces users from the previous organization who may share the same user name. In this case, the administrator may wish to remove users that are no longer applicable.
  • An Agent User can be created by navigating to ADMIN > Setup > Organization, and clicking New or Edit. These types of Admin Users are not allowed to log into the UI. Their primary purpose is for Windows and Linux Agent registration against the FortiSIEM environment. See Setting Organizations and Collectors (Service Provider) for more information.