FortiSIEM Audit

Audit

Audit Reports can be used to determine whether a device is running the recommended OS and installed software versions, whether its performance metrics are within bounds, and whether harmful events have not triggered.

Creating Audit Report

Running an Audit

Exporting Audit Results

Scheduling an Audit

Creating Audit Report

To create an Audit Report,

  1. Go to the Analytics tab
  2. Expand the Audit node on the left tree and go to the folder to which the new report will belong. You can also create a new folder first by clicking on the + on top of the left tree.
  3. Click New.
  4. Enter the following information for the Audit Report:
    1. Name: Name of the Audit Report
    2. Description: Description of the Audit Report
    3. Vendor: Select a specific device vendor from the drop down list. The Audit Report will be specific to the chosen device vendor and model
    4. Model: Select a vendor specific model from the drop down list. The Audit Report will be specific to the chosen device vendor and model
    5. Specify the Failed Criteria for the Audit Report. A device will fail the audit if any of the specified criteria is matched.
      i. OS Version Condition:
        1. Choose an operator: possible choices are IN, NOT IN, CONTAINS, NOT CONTAINS
        2. Specify the value to be matched: this can be a comma separated list
      ii. Install Software Condition:
        1. Specify the Condition name. This is just for reference purposes.
        2. Specify the Installed software name – the name has to be exactly identical to the discovered installed software in CMDB > Devices > Installed Software > Name
        3. Choose an operator: possible choices are IN, NOT IN, CONTAINS, NOT CONTAINS
        4. Specify the value to be matched: this can be a comma separated list
      iii. Rules Condition:
        1. Click and the Rule selector dialog appears
        2. Select the appropriate Rule folder from the leftmost tree. If you do not know the specific folder, then choose the top level Rules folder. The rules in the selected folder will appear in the middle section.
        3. Select the rules from the middle section. You can also type a search string. You can expand the window and shrink the leftmost section to see more of the rule descriptions.
        4. Click Items >> to place the selected rules on the rightmost section
        5. Click OK.
      iv. Report Condition:
        1. Click and the Report selector dialog appears
        2. Select the appropriate Report folder from the leftmost tree. If you do not know the specific folder, then choose the top level Reports folder. The reports in the selected folder will appear in the middle section.
        3. Select the reports from the middle section. You can also type a search string. You can expand the window and shrink the leftmost section to see more of the report descriptions.
        4. Click Items >> to place the selected reports on the rightmost section
        5. Click OK.

Audit Policy Criteria Matching Notes

  1. For each criterion, only devices in the CMDB with the vendor and model specified in the Audit Report are considered
  2. If any of the criteria matches, then the device fails the audit
  3. IN and NOT IN are exact matches, while CONTAINS and NOT CONTAINS are case-insensitive substring matches
  4. For an OS Version match, the entered value is compared with the Version column in CMDB > Device.
  5. For an Installed Software Version match, the entered value is compared with the Version column in CMDB > Device > Installed Software
  6. For a Rule match, the specified rule must trigger during the time interval specified in the Audit Report. The organization id and access IP of the device are compared to the Organization Id and Host IP in an incident.
  7. For a Report match, the specified reports, run for the time duration specified in the Audit Report, must return data.
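
The matching notes above spell out exact semantics (IN / NOT IN exact, CONTAINS / NOT CONTAINS case-insensitive substring, comma separated value lists, vendor/model scoping, any matched criterion fails the device, rule incidents matched on organization id and host IP within the time window). The following is an added example, not FortiSIEM code, that evaluates the OS Version, Installed Software and Rules criteria over a constructed in-memory CMDB; the function names, record layout and sample values are assumptions for illustration.

```python
def matches(operator: str, actual: str, value: str) -> bool:
    """IN / NOT IN: exact match against the comma separated value list.
    CONTAINS / NOT CONTAINS: case-insensitive substring match."""
    values = [v.strip() for v in value.split(",") if v.strip()]
    if operator in ("IN", "NOT IN"):
        hit = actual in values
    elif operator in ("CONTAINS", "NOT CONTAINS"):
        hit = any(v.lower() in actual.lower() for v in values)
    else:
        raise ValueError(f"unknown operator {operator}")
    return not hit if operator.startswith("NOT") else hit

def evaluate_audit(policy: dict, devices: list, incidents: list) -> dict:
    """Map device name -> failed criteria for devices whose vendor and model
    equal the policy's. A device fails if any criterion matches."""
    start, end = policy["window"]
    results = {}
    for dev in devices:
        if (dev["vendor"], dev["model"]) != (policy["vendor"], policy["model"]):
            continue  # outside the Audit Report's vendor/model scope
        failed = []
        op, val = policy["os_version"]  # compared with CMDB > Device Version
        if matches(op, dev["version"], val):
            failed.append("OS Version")
        for cond in policy["software"]:  # exact software Name, then its version
            installed = dev["software"].get(cond["name"])
            if installed and matches(cond["op"], installed, cond["value"]):
                failed.append(cond["cond_name"])
        for inc in incidents:  # rule fired in window for this org id + host IP
            same_dev = (inc["org_id"], inc["host_ip"]) == (dev["org_id"], dev["access_ip"])
            if inc["rule"] in policy["rules"] and same_dev and start <= inc["time"] <= end:
                failed.append("Rule: " + inc["rule"])
        results[dev["name"]] = failed
    return results

# Constructed sample policy, CMDB devices and incidents (not real data).
POLICY = {"vendor": "VendorX", "model": "ModelY", "window": (100, 200),
          "os_version": ("NOT IN", "2.1.0, 2.1.1"), "rules": {"Sample Rule"},
          "software": [{"cond_name": "Old agent", "name": "AgentZ", "op": "CONTAINS", "value": "1."}]}
DEVICES = [
    {"name": "dev-ok", "vendor": "VendorX", "model": "ModelY", "version": "2.1.1",
     "org_id": 1, "access_ip": "10.0.0.1", "software": {"AgentZ": "2.0"}},
    {"name": "dev-bad", "vendor": "VendorX", "model": "ModelY", "version": "2.0.9",
     "org_id": 1, "access_ip": "10.0.0.2", "software": {"AgentZ": "1.4"}},
    {"name": "other", "vendor": "VendorQ", "model": "ModelY", "version": "1.0",
     "org_id": 1, "access_ip": "10.0.0.3", "software": {}}]
INCIDENTS = [{"rule": "Sample Rule", "org_id": 1, "host_ip": "10.0.0.2", "time": 150},
             {"rule": "Sample Rule", "org_id": 1, "host_ip": "10.0.0.1", "time": 50}]
```

Running `evaluate_audit(POLICY, DEVICES, INCIDENTS)` leaves dev-ok with no failures, fails dev-bad on all three criteria, and skips "other" because its vendor differs from the policy.
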

Running an Audit

To run an Audit,

  1. Select an Audit Policy
  2. Click Run Now
  3. In the follow up dialog,
    1. Select the organizations for which to run the audit (meaningful for Service Provider version)
    2. Choose a time window – absolute or relative
    3. Click OK

The Audit Policy check results are displayed in the right bottom pane.

The Summary tab shows a high level overview of the Audit Policy check.

The Audit Result Distribution chart shows the device pass/fail distribution for every selected organization.

The Failed Criteria distribution chart shows the contribution of each audit criterion to the devices that failed the audit.

The Detail tab shows the Audit Policy check for each device matching the vendor and model specified in the policy.

Organization specifies the entity to which the device belongs

Device Name is the host name of the device in the CMDB

Audit Status is the Pass/Fail flag

Details specifies the reasons for the Audit Policy check failure

Exporting Audit Results

To export an Audit Report,

  1. Select an Audit Policy
  2. Run the Audit Policy Check. The results will be shown in the bottom right pane.
  3. Click Export
    1. Add User Notes
    2. Choose Output Format – PDF or CSV
    3. Click Generate Report – the PDF file will be stored on local disk

Scheduling an Audit

To schedule a report to run at a later time,

  1. Choose one of two options:
    1. Run this report for – If the ‘Run this report for’ button is selected, a report will be scheduled for the super user, containing data from the organizations selected. The super user will be the owner of the report. The recipients of the report may be defined in the ‘Send Notifications’ section below or in Admin -> General Settings -> Analytics.
    2. Schedule this report for – If the ‘Schedule this report for’ button is selected, multiple reports will be scheduled — one for each selected organization — and containing only that organization’s data. The reports will be owned by the respective organizations. The recipients of the report are taken from Admin -> General Settings -> Analytics. When multiple reports are run in this way the notification recipients cannot be indicated in the ‘Send Notifications’ section below.
  2. Select all the Organizations for which to run the Audit Report
  3. Select the Report time range
  4. Specify Schedule settings – when to run this report
  5. Choose Output Format – PDF or CSV
  6. Select notification – report recipients and method
    1. If you choose Send default notification, then the settings in Admin > General Settings > Analytics > "Alerts to be sent when scheduler runs any REPORT" are used
    2. If you choose Specify custom notifications, then you can specify email addresses
    3. If you choose Copy to a remote directory, then the settings in Admin > General Settings > Analytics > "Reports to be copied to this remote location when scheduler runs any REPORT" are used

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
