FortiSIEM Agent-less Target File Monitoring

Agent-less Target File Monitoring

You can use target file monitoring to make sure that a specific file, for example a device configuration file, is always identical in content to a gold standard target file that you import into FortiSIEM. When you enable a target file monitor, it will:

  1. Pre-compute the checksum of the gold standard target file imported into FortiSIEM.
  2. Periodically, log in to the system using SSH and compute the checksum of the file.
  3. Create an event when the content of the monitored file is different than the gold standard target file.

Supported Servers

Example Events

Adding the File Integrity Monitoring Performance Object

Performance Object Configuration for File Integrity Monitoring

Associating Device Types to Performance Objects

Testing the Performance Monitor

Enabling the Performance Monitor

Checking the Difference between Versions of Monitored Files

Supported Servers

Target file monitoring is supported for these servers:

Linux variants

Unix variants

Windows (with Unix tools installed that allow SSH)

Example Events

Two events that are generated by FortiSIEM when the target file is modified.

File Monitors and Event Types

Unlike other custom monitors, you don’t need to set the event type to associate with the monitor. When you select File Monitor for the Used For option, this automatically associates the event types with the file or directory you specify for monitoring. These examples include the event type associated with each monitoring event.

Event Type: PH_DEV_MON_CUST_TARGET_FILE_CHANGE

This indicates that content of the target file has changed. You can see that the values for prehash and hash are different.

This indicates what was changed, as you can see with theaddedItem, deletedItem, oldSVNVersion, and newSVNVersion attributes.

<14>Mar 27 14:02:28 VA223_TestaThon phPerfMonitor[3740]:

[PH_DEV_MON_CUST_TARGET_FILE_DELTA]:[eventSeverity]=PHL_INFO,

[procName]=phPerfMonitor,[fileName]=phSvnUpdate.cpp,[lineNumber]=205,[ph

CustId]=1,[hostName]=CO228SP222,

[hostIpAddr]=192.168.64.228,[fileName]=/home/admin/TargetFileMon/tartget

1.txt,[oldSVNVersion]=15,[newSVNVersion]=20,

[deletedItem]=(none),[addedItem]=newline;,[phLogDetail]=

Adding the File Integrity Monitoring Performance Object

In multi-tenant deployments, the performance object should be created by the Super/Global account, and will apply to all organizations. For both multi-tenant and enterprise deployments, the performance object can be created for an organization by any user who has access to the Admin ta b.

In this case, you will create one performance object in which you will upload the gold target file and enter the path to the file you want to monitor. You don’t need to create a new event type or event attribute type, as these are automatically associated with the performance object when you select File Monitoring for the Used For field.

Performance Object Configuration for File Integrity Monitoring

Field Setting
Name LinuxTargetFileMon
Type Application
Method Login
Used For File Monitor
File Path home/admin/FileMon/file.txt
Target File Click Upload and browse to the location of the file that you want to use as the gold target

Associating Device Types to Performance Objects

You should associate the performance object to the Linux, Unix, or SSH-capable Windows device type that contains the file or directory path you want to monitor.

Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the device, created the IP address to credentials mapping, and tested connectivity.

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select the performance monitor you created, and then click Test.
  3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.

You should see succeed under Result, and the parsed event attributes in the test result pane.

  1. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor

  1. Discover or re-discover the device you want to monitor.
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Checking the Difference between Versions of Monitored Files

When the monitor detects a difference between the files, it will trigger the rule Audited target file content modified, and the rule will continue to trigger and generate incidents until the checksums of the files match. You can compare the original monitored file against the new version in the CMDB.

  1. Go to CMDB > Devices.
  2. Select the device where the monitored filed is located
  3. Click the Configuration

In the left pane you will see a list of all the files, and their versions, on the device.

  1. To compare files, select one, CNTRL/select the other, and then click Diff.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU

Leave a Reply

Name *
Email *
Website

This site uses Akismet to reduce spam. Learn how your comment data is processed.