FortiSIEM Analytics

Analytics

FortiSIEM Analytics has three components:

Search

FortiSIEM search functionality includes real time and and historical search of information that has been collected from your IT infrastructure. With real time search, you can see events as they happen, while historical search is based on information stored in the event database. Both types of search include simple keyword searching, and structured searches that let you search based on specific event attributes and values, and then group the results by attributes.

Rules

Because FortiSIEM is continuously monitoring your IT infrastructure, you can also set rules so that when specific conditions are met, it triggers an incident, and, in some cases, sends a notification.

Reports

Reports are pre-defined search queries. FortiSIEM includes a large catalog of reports for common devices and IT analysis tasks that you can use and customize, and you can also save searches that you’ve run as reports to use again later.

Adding a Watch List to a Rule

Cloning a Rule

Running Historical Searches to Test Rule Sub Patterns

Setting Rules for Event Dropping

Setting Rules for Event Forwarding

Setting Global and Per-Device Threshold Properties

Using Geolocation Attributes in Rules

Using Watch Lists as Conditions in Rules and Reports Viewing Rules

Reports

Baseline Reports

System-Defined Baseline Reports

Creating a Report or Baseline Report

Identity and Location Report

Report Bundles

Creating a Report Bundle

Running a Report Bundle

Running System and User-Defined Reports and Baseline Reports

Scheduling Reports

Viewing Available Reports

Audit

Creating Audit Report

Running an Audit

Exporting Audit Results

Scheduling an Audit

Visual Analytics

AccelOps Visual Analytics Architecture

Installation and Configuration of AccelOps Visual Analytics

Requirements for Visual Analytics Report Server

Setting Up Visual Analytics

Hypervisor Installations for Report Server

Installing and Registering AccelOps Report Server in Amazon Web Services

Installing and Registering AccelOps Report Server in KVM

Installing and Registering AccelOps Report Server in Microsoft Hyper-V

Installing and Registering AccelOps Report Server in VMware ESX Syncing with the Report Server

Working with the Report Server

Report Server Architecture: phoenixdb and reportdb

Working with CMDB Data in AccelOps Report Server

Viewing phoenixdb Organization

Querying Incident Data in AccelOps Report Server

Reference: Attribute Columns in the ph_incident_view Table Sample Incident Queries

Querying Other CMDB Tables in AccelOps Report Server

Querying Device Vendor and Model Distribution for Discovered Devices Querying Discovered Devices

Working with Event Data in AccelOps Report Server

Viewing reportdb Organization

Syncing an AccelOps Report with Report Server

Deleting a Report from AccelOps Report Server

Modifying an Existing Report in AccelOps Report Server

Installing and Configuring Tableau Server

Creating and Managing Workbooks

Viewing Workbooks

Creating and Publishing Workbooks

Creating a Single Sheet Workbook

Creating a Multiple Sheet Workbook

Using AccelOps Workbooks with Tableau Visual Analytics Desktop and Server Adding Users to Workbooks

Real Time Performance Probe

 

Search

Historical and Real Time search is the core functionality of FortiSIEM analytics, enabling you to analyze, report on, and further improve your IT infrastructure.

Historical Search

Overview of the Historical Search User Interface

Example of How a Structured Historical Search is Processed

Sample Historical Searches

Creating a Simple Historical Search

Creating a Structured Historical Search

Using System-Defined Reports for Historical Search

Overview of Historical Search Results and Charts

Refining the Results from Historical Search

Charting a Specific Row from Historical Search Results

Charting Multiple Aggregation Attributes on the Same Historical Search Results Chart

Drilling Down on Search Results by Time Interval

Using Search Results to Refine Historical Searches

Using Tabs to View Multiple Search Results

Converting an Historical Search to a Real Time Search

Converting an Historical Search to a Rule

Real Time Search

Overview of the Real Time Search User Interface

Creating a Simple Real Time Search

Creating a Structured Real Time Search

Viewing and Refining Real Time Search Results

Structured Search Operators

Selecting Attributes for Structured Searches, Display Fields, and Rules

Using Expressions in Structured Searches and Rules

Keywords and Operators for Simple Searches

Using Geolocation Attributes in Searches and Search Results Creating Filter Criteria and Display Column Sets

Historical Search

With the Historical Search feature, you can go back in time and retrieve events from the event database. By using either a simple keyword-based search or a more detailed structured search, you can get quick and valuable insights into events that have occurred over any selected time period.

Overview of the Historical Search User Interface

Example of How a Structured Historical Search is Processed

Sample Historical Searches

Creating a Simple Historical Search

Creating a Structured Historical Search

Using System-Defined Reports for Historical Search

Overview of Historical Search Results and Charts

Refining the Results from Historical Search

Charting a Specific Row from Historical Search Results

Charting Multiple Aggregation Attributes on the Same Historical Search Results Chart

Drilling Down on Search Results by Time Interval

Using Search Results to Refine Historical Searches

Using Tabs to View Multiple Search Results

Converting an Historical Search to a Real Time Search Converting an Historical Search to a Rule

Overview of the Historical Search User Interface

You can run two types of historical searches on FortiSIEM data: simple searches, in which you use a keyword search, and structured searches, in which you can specify search conditions and how the results should be grouped.

Simple Historical Search

Simple Historical Search User Interface Controls Structured Historical Search

Simple Historical Search

When you use simple historical search, you enter a keyword to search for in the logs collected by FortiSIEM, specify any filter criteria, and then run the search, which will produce a chart and a list of results matching your search criteria. You can then use additional user interface controls to change the chart display, filter or find more information about events in the result list, and export or share results.

This screenshot shows the results of simple search using the keyword TCP.

Simple Historical Search User Interface Controls

UI Control Description
Search

Criteria

For simple historical search, use the search box to find keywords in raw event logs. You can also load an existing historical search report to use for your search criteria, or create a rule from your search results.
List Display

Columns

Select which columns will be displayed in the search results
Filters Set the time interval over which you want to search, and, for multi-tenant deployments, which organization’s logs you want to search
Report

Management

Save

Saves the report to Generated Reports where it will be retained for the time period you specify. You can also select whether you want the search criteria to be saved as a report that you can use in the future.

Export

Export the report, with the option of including the chart, as a PDF or CSV file Email

Email the report as a CSV or PDF file, with the option of including the chart

Copy to a new tab

Load the search into a new tab within FortiSIEM

 

Chart Displa y You can set both the data you want to display, and how it should be displayed. See Overview of Historical Search Results and Charts for more about the different chart types.
Event Filter Select an event from the results, and add its attributes to structured search conditions.
Event

Information

Select an event, and view Quick Info about it, or view Location information about it such as source or destination IPs.

Structured Historical Search

With historical structured search, you can enter conditions for your search based on event attributes, and set which attributes will be used to group the search results in a way that is similar to the use of the of the Group By command in SQL

This screenshot shows a structured historical search for All Non-Reporting Modules selected from the system Reports > Event Status. The screenshot below it shows a close-up of the the Conditions and Group By options dialog. See Creating a Structured Historical Search and Struc tured Search Operators for more information about these options.

Example of How a Structured Historical Search is Processed

When you run a structured historical search, all events within the specified time window are examined and added to the result set following these steps:

  1. The system fetches the next event within the search time window and applies the filtering criteria. If the event does not pass the filtering criteria, the system fetches the next event.
  2. If the event passes the filtering criteria, the system then compares the attributes of this event against the other entries in the result set. If the current event contains an attribute that is included in the Group By attribute set, then the results for that attribute are updated. Otherwise, a new entry is created in the result set.
  3. After all the events in the search time window are processed, the system sorts the results to produce the final result set.

As an example, consider these events in the event database, and running a search for Top Firewall Recorded Conversations Ranked By Total Connections (Descending) and Total Bytes (descending) over them.

Event id Time Reporting Device Source IP Destination IP Protocol Source Port Destination Port Total Bytes
1 1/1/2010 10.1.1.1 192.168.1.1 192.168.10.4 TCP 2033 80 1024
2 1/2/2010 10.1.1.1 192.168.1.2 192.168.10.4 TCP 3000 443 4096
3 1/3/2010 10.1.1.1 192.168.1.1 192.168.10.4 TCP 2034 80 1024
4 1/4/2010 10.1.1.1 192.168.1.2 192.168.10.5 TCP 3001 443 2048
5 1/4/2010 10.1.1.1 192.168.1.1 192.168.10.4 TCP 2035 80 1024
6 1/5/2010 10.1.1.1 192.168.1.2 192.168.10.6 TCP 3002 443 2048
7 1/5/2010 10.1.1.2 192.168.1.1 192.168.10.4 TCP 9000 80 1024
Search Search Criteria
Top Firewall Recorded Conversations Ranked By Total

Connections (Descending) and Total Bytes (descending)

Filtering criteria: Reporting Device IP IN Firewall AND Event Type IN Permit Traffic

Group-By attributes: Source IP, Destination IP, IP Protocol, Destination Port

Display attributes: Source IP, Destination IP, IP Protocol, Destination Port,

SUM(Matched Events) DESC, SUM(Total Bytes) DESC

Query window: Between 1/2/10 and 1/5/10

Result

Source IP Destination IP Protocol Destination Port COUNT (Matched Events) SUM(Total Bytes)
192.1.1.1 202.1.1.4 TCP 80 3 3072
192.1.1.2 202.1.1.4 TCP 80 1 4096
192.1.1.2 202.1.1.5 TCP 443 1 2048
192.1.1.2 202.1.1.6 TCP 443 1 2048

You could then run another search over these results:

Search Search Criteria
Top Destination IPs Ranked By Total Connections (Descending) and

Total Bytes (descending)

Filtering criteria: Reporting Device IP IN Firewall AND Event Type

IN Permit Traffic

Group-By attributes: Destination IP

Display attributes: Destination IP, SUM(Matched Events) DESC,

SUM(Total Bytes) DESC

Query window: Between 1/2/10 and 1/5/10

Result

Destination IP COUNT (Matched Events) SUM(Total Bytes)
202.1.1.4 4 7 KB
202.1.1.5 1 2 KB
202.1.1.6 1 2KB

Sample Historical Searches

Sample Filter Criteria

Sample Structured Searches

Sample Filter Criteria

Filter criteria Type Meaning
Raw Event Log CONTAINS “login AND failed” Simple (keyword) search Only events that contain both the keywords “logon” and “failed” are part of report
Raw Event Log CONTAINS “denied” Simple (keyword) search Only events that contain the keyword “denied” are part of report
Reporting Device IP = 10.1.1.1 Structured search Only events from the device that is reporting with IP address

10.1.1.1 are part of the report

Reporting Device IP IN Firewall Structured search Only events from firewall devices in CMDB are part of the report
Reporting Device IP IN Firewall AND

Event Type IN Deny Traffic

Structured search Only firewall deny events from firewall devices in CMDB are part of the report
Reporting Device IP IN Firewall AND

Event Type IN Deny Traffic AND (Source IP =

192.1.1.1 OR Dest IP = 192.1.1.1)

Structured search Denied traffic from 192.1.1.1 or to 192.1.1.1 reported by firewall devices in CMDB are part of the report
Reporting Device IP IN Domain Controller AND

Event Type IN User/Group Change AND user NOT IN Domain Admins

Structured search Domain Controller User/Group Changes not performed by users in the Domain Admin group
Raw Event Log REGEXP “faddr\s+\d+.\d+\d+\d+” Structured search Only events that contains strings like “faddr 10.1.1.1”, “faddr 192.168.29.1” are included in the report.

Sample Structured Searches

The following examples illustrate how to write a search using the AccelOps GUI.

Search Specification in AccelOps GUI
Top Reporting Firewalls ranked by event count in the last hour Filter Criteria: Reporting Device IP IN Firewall

Group By attributes: Reporting Device IP

Display attributes: Reporting IP, COUNT(Matched Events) DESC Query window: 1 hour

Top Reporting Firewalls and Event Types ranked by event count in the last hour Filte Criteria: Reporting Device IP IN Firewall

Group By attributes: Reporting Device IP, Event Type

Display attributes: Reporting IP, Event Type, Severity, COUNT(Matched

Events) DESC

Query window: 1 hour

Top Firewall Denied Source IPs ranked by the total number of attempts in the last hour Filter Criteria: Reporting Device IP IN Firewall AND Event Type IN Deny Traffic

Group By attributes: Source IP

Display attributes: Source IP, COUNT(Matched Events) DESC Query window: 1 hour

Top Firewall Recorded Conversations Ranked By Sent Bytes

(descending), Received Bytes (descending)

Filter Criteria: Reporting Device IP IN Firewall AND Event Type IN Permit Traffic

Group By attributes: Source IP, Destination IP, IP Protocol, Destination Port

Display attributes: Source IP, Destination IP, IP Protocol, Destination Port,

SUM(Sent Bytes) DESC, SUM(Received Bytes) DESC Query window: 1 hour

 

All unauthorized domain user/group changes in the last week Filter Criteria: Reporting Device IP IN Domain Controller AND

Event Type IN User/Group ChangeĀ  AND user NOT IN Domain Admins Group By attributes: none

Display attributes: Time, event type, user, computer, domain, target user, target domain

Query window: 1 week

 

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.