FortiSIEM Categorization of Devices and Applications

Leave a reply
Categorization of Devices and Applications

FortiSIEM uses four methods to identify and categorize devices and applications in the CMDB.

From Discovery – Network Devices

When FortiSIEM discovers a device, it looks for keywords in the SNMP sysDescr attribute and also probes for the SNMP sysObjectID attribut e. Internal tables are then used to map a discovered device to one or more CMDB device groups based on these attributes.

Keywords from the sysDescr attribute are matched against the system table Device Vendor and Model

Keywords from the sysObjectID attribute are matched against the system table Device Vendor and Model

Matches from the Device Vendor and Model table are then matched against the ApprovedDeviceVendor.csv table that is used to create the categories in the CMDB Devices/Applications.

From Discovery – Applications

FortiSIEM discovers applications by discovering the processes that are running on a server. The table AppMapping.csv maps process names to Applications, Application Groups, and application folders in the CMDB.

From Logs

FortiSIEM includes a large number of log parsers, each of of which is associated with a Device Vendor/Model and Application Vendor/Model. When the log is parsed by FortiSIEM, the Device/Application/Vendor information is matched against the table ApprovedDeviceVendor.csv, which then assigns the application or device to the appropriate CMDB Device/Application folder.

Special Cases

There are some special cases that cannot be categorized using discovery or log information. An example is Microsoft Active Directory. It is an application, but there is no explicit process for i.t as it is part of the kernel or big system service. In this case, specific logs are used: Windows Security logs 672, 673 to detect Microsoft Domain Controller 2000, 2003, andĀ  Windows Security logs 4768, 4769 to detect Microsoft Windows Domain Controller 2008, 2012.

Examples

Categorizing a Cisco IOS Router/Switch

This is an example of categorizing a device using discovery. In this case, the Cisco IOS substring in the SNMP sysDescr attribute is used to detect a Cisco IOS device,

Then this entry in ApprovedDeviceVendor.csv maps the Device Vendor/Model Cisco IOS to the Router/Switch category in the CMDB. PH_ SYS_DEVICE_ROUTER_SWITCH is the internal ID of the category.

Categorizing Fortinet Firewalls

This is also an example of categorizing a device by discovery. In this case, the SNMPv2-SMI::enterprises.12356 substring in the SNMP sy sObjectId attribute is used to detect a Fortinet Firewall device.

Then this entry in the ApprovedDeviceVendor.csv table maps the Device Vendor/Model Fortinet FortiOS to the Firewall and Network IOS categories in the CMDB, since Fortinet is a UTM device. PH_SYS_DEVICE_FIREWALL and PH_SYS_DEVICE_NETWORK_IPS are the internal IDs of the categories.

Categorizing Microsoft IIS

This is an example of categorizing an application based on a running process. In this case, SNMP discovers a process svchost.exe with the

This entry in the AppMapping.csv table is then used to map the process name svchost.exe with the path name -k iissvcs to a Microsoft IIS application.

Categorizing Cisco ASA

This is an example of categorizing a device based on logs. The Cisco ASA parser has has a Device Vendor/Model associated with it, and when a log from the Cisco ASA device is parsed by FortiSIEM, this entry in ApprovedDeviceVendor.csv maps the Device Vendor/Model Cisco ASA to the Firewall and VPN Gateway categories in the CMDB. PH_SYS_DEVICE_FIREWALL and PH_SYS_DEVICE_VPN_GATEWAY are the internal IDs of these categories.

Categorizing Microsoft IIS

This is an example of categorizing an application based on logs. The Microsoft IIS (via Snare) parser has a Device Vendor/Model associated with it, and when a log from Microsoft IIS is processed by FortiSIEM, this entry in ApprovedDeviceVendor.csv maps the Device Vendor/Model Mi crosoft to the Windows Server and Web Server categories in the CMDB. PH_SYS_DEVICE_WINDOWS_SERVER and PH_SYS_APP_WEB_SER

VER are the internal IDs of these categories.

the following entry in


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.