FortiSIEM CMDB Watch Lists

Watch Lists

A Watch List is a smart container of similar items such as host names, IP addresses, or user names, that are of significant interest to an administrator and need to be watched. Examples of watch lists that are already set up in FortiSIEM are

Frequent Account Lockouts – users who are frequently locked out

Host Scanners – IP addresses that scan other devices

Disk space issues – hosts with disks that are running out of capacity

Denied countries – countries with an excessive number of access denials at the firewall

Blacklisted WLAN endpoints – Endpoints that have been blacklisted by Wireless IPS systems

Typically items are added to a watch list dynamically when a rule is triggered, but you can also add items to a watch list manually. When you define a rule, you can also choose a watch list that will be populated with a specific incident attribute, as described in Adding a Watch List to a Rule, and you can use watch lists as conditions when creating reports, as described in Using Watch Lists as Conditions in Rules and Reports. Yo u can also define when an entry leaves a watch list. Typically this is time based. For example, if the rule does not trigger for that attribute for defined time-period, then the entry is removed from the watch list. Watch lists are also multi-tenant aware, with organization IDs tracked in relation to watch list items.

Creating a Watch List

System-Defined Watch Lists

Related Links

Using Watch Lists as Conditions in Rules and Reports

Adding a Watch List to a Rule

Overview of the CMDB User Interface

 

Creating a Watch List
  1. Log in to your Supervisor node.
  2. Go to CMDB > Watch Lists.
  3. Click +.
  4. Choose an Organization to associate with the watch list.
  5. Enter a Group name and Description for the watch list.
  6. Select an object Type for the incident attribute that will be saved to the watch list.
  7. Select Case Sensitive if the object type is String and you want to use case sensitivity to compare strings.
  8. For Values Expire in, set the time period in which items will expire from the watch if there is no activity for that time.
  9. Click OK.

You can now add your new watch list to a rule, so that when the rule is triggered, items will be added to the watch list. You can also use your watch list as a condition in historical search. See Adding a Watch List to a Rule and Using Watch Lists as Conditions in Rules and Reports for more information.

Related Links

Adding a Watch List to a Rule

Using Watch Lists as Conditions in Rules and Reports

 

System-Defined Watch Lists

FortiSIEM includes several pre-defined watch lists that are populated by system-defined rules.

Watch list Description Attribute

Type

Triggering Rules
Accounts

Locked

Domain accounts that are locked out frequently User

(STRING)

Account Locked: Domain

 

 

Application

Issues

Applications exhibiting issues Host Name

(STRING)

IIS Virtual Memory Critical

SQL Server Low Buffer Cache Hit Ratio

SQL Server Low Log Cache Hit Ratio

SQL Server Excessive

Deadlock

SQL Server Excessive Page

Read/Write

SQL Server Low Free Pages In Buffer Pool

SQL Server Excessive

Blocking

Database Server Disk Latency

Critical

SQL Server Excessive Full Scan

SQL Server scheduled job failed

High Oracle Table Scan Usage

High Oracle Non-System

Table Space Usage

Oracle database not backed up for 1 day

Exchange Server SMTP

Queue High

Exchange Server Mailbox

Queue High

Exchange Server RPC

Request High

Exchange Server RPC Latency High

Oracle DB Low Buffer Cache Hit Ratio

Oracle DB Low Library Cache Hit Ratio

Oracle DB Low Row Cache

Hit Ratio

Oracle DB Low Memory Sorts Ratio

Oracle DB Alert Log Error

Excessively Slow Oracle DB Query

Excessively Slow SQL Server DB Query

Excessively Slow MySQL DB Query

 

Availability

Issues

Servers, networks or storage devices or Applications that are exhibiting availability issues Host Name

(STRING)

Network Device Degraded –

Lossy Ping Response

Network Device Down – No

Ping Response

Server Degraded – Lossy Ping Response

Server Down – No Ping Response

Server Network Interface Staying Down

Network Device Interface

Flapping

Server Network Interface

Flapping

Important Process Staying

Down

Important Process Down

Auto Service Stopped

Critical network Interface Staying Down

EC2 Instance Down

Storage Port Down

Oracle Database Instance

Down

Oracle Listener Port Down

MySQL Database Instance Down

SQL Server Instance Down

Service Staying Down – Slow Response To STM

Service Down – No Response to STM

Service Staying Down – No

Response to STM

DNS Violators Sources that send excessive DNS traffic or send traffic to unauthorized DNS gateways Source IP Excessive End User DNS Queries to Unauthorized DNS servers

Excessive End User DNS

Queries

Excessive Denied End User

DNS Queries

Excessive Malware Domain

Name Queries

Excessive uncommon DNS Queries

Excessive Repeated DNS

Queries To The Same

Domain

 

Denied

Countries

Countries that are seeing a high volume of denials on the firewall Destination

Country

(STRING)

Excessive Denied

Connections From An

External Country

Denied Ports Ports that are seeing a high volume of denies on the firewall Destination

Port (INT)

Excessive Denied Connection

To A Port

Environmental

Issues

Environmental Devices that are exhibiting issues Host name

(String)

UPS Battery Metrics Critical

UPS Battery Status Critical

HVAC Temp High

HVAC Temp Low

HVAC Humidity High

HVAC Humidity Low

FPC Voltage THD High

FPC Voltage THD Low

FPC Current THD High

FPC ground current high

NetBoz Module Door Open

NetBotz Camera Motion

Detected

Warning APC Trap

Critical APC Trap

Hardware

Issues

Servers, networks or storage devices that are exhibiting hardware issues Host Name

(String)

Network Device Hardware

Warning

Network Device Hardware

Critical

Server Hardware Warning

Server Hardware Critical

Storage Hardware Warning

Storage Hardware Critical

Warning NetApp Trap

Critical Network Trap

Host

Scanners

Hosts that scan other hosts Source IP Heavy Half-open TCP Host

Scan

Heavy Half-open TCP Host

Scan On Fixed Port

Heavy TCP Host Scan

Heavy TCP Host Scan On Fixed Port

Heavy UDP Host Scan

Heavy UDP Host Scan On Fixed Port

Heavy ICMP Ping Sweep

Multiple IPS Scans From The

Same Src

 

Mail Violators End nodes that send too much mail or send mail to unauthorized gateways   Excessive End User Mail to

Unauthorized Gateways

Excessive End User Mail

Malware

Found

Hosts where malware found by Host IPS /AV based systems and the malware is not remediated Host Name

(String)

Virus found but not remediated

Malware found but not remediated

Phishing attack found but not remediated

Rootkit found

Adware process found

Malware

Likely

Hosts that are likely to have malware – detected by network devices and the determination is not as certain as host based detection Source IP or

Destination

IP

Excessive Denied

Connections From Same Src

Suspicious BotNet Like End host DNS Behavior

Permitted Blacklisted Source

Denied Blacklisted Source

Permitted Blacklisted

Destination

Denied Blacklisted Destination

Spam/malicious Mail Attachment found but not remediated

Spyware found but not remediated

DNS Traffic to Malware Domains

Traffic to Emerging Threat

Shadow server list

Traffic to Emerging Threat

RBN list

Traffic to Emerging Threat

Spamhaus list

Traffic to Emerging Threat Dshield list

Traffic to Zeus Blocked IP list

Permitted traffic from

Emerging Threat Shadow server list

Permitted traffic from

Emerging Threat RBN list

Permitted traffic from

Emerging Threat Spamhaus list

Permitted traffic from

Emerging Threat Dshield list

Permitted traffic from Zeus

Blocked IP list

 

 

Port Scanners Hosts that scan ports on a machine Source IP Heavy Half-open TCP Port

Scan: Single Destination

Heavy Half-open TCP Port

Scan: Multiple Destinations

Heavy TCP Port Scan: Single

Destination

Heavy TCP Port Scan: Multiple Destinations

Heavy UDP Port Scan: Single

Destination

Heavy UDP Port Scan: Multiple Destinations

 

Policy

Violators

End nodes exhibiting behavior that is not acceptable in typical Corporate networks Source IP P2P Traffic detected

IRC Traffic detected

P2P Traffic consuming high network bandwidth

Tunneled Traffic detected

Inappropriate website access

Inappropriate website access

– multiple categories

Inappropriate website access

– high volume

Inbound clear text password usage

Outbound clear text password usage

Remote desktop from Internet

VNC From Internet

Long lasting VPN session

High throughput VPN session

Outbound Traffic to Public

DNS Servers

Resource

Issues

Servers, networks or storage devices that are exhibiting resource issues: CPU, memory, disk space, disk I/O, network I/O, virtualization resources – either at the system level or application level Host Name

(STRING)

High Process CPU: Server

High Process CPU: Network High Process Memory: Server

High Process Memory:

Network

Server CPU Warning

Server CPU Critical

Network CPU Warning

Network CPU Critical

Server Memory Warning

Server Memory Critical

Network Memory Warning

Network Memory Critical

Server Swap Memory Critical

Server Disk space Warning

Server Disk space Critical

Server Disk Latency Warning

Server Disk Latency Critical

Server Intf Util Warning

Server Intf Util Critical

Network Intf Util Warning

Network Intf Util Critical

Network IPS Intf Util Warning

Network IPS Intf Util Critical Network Intf Error Warning

Network Intf Error Critical Server Intf Error Warning

Server Intf Error Critical

Virtual Machine CPU Warning

Virtual Machine CPU Critical

Virtual Machine Memory

Swapping Warning

Virtual Machine Memory

Swapping Critical

ESX CPU Warning

ESX CPU Critical

ESX Memory Warning

ESX Memory Critical

ESX Disk I/O Warning

ESX Disk I/O Critical

ESX Network I/O Warning

ESX Network I/O Critical Storage CPU Warning

Storage CPU Critical

NFS Disk space Warning

NFS Disk space Critical

NetApp NFS Read/Write

Latency Warning

NetApp NFS Read/Write Latency Critical

NetApp CIFS Read/Write

Latency Warning

      NetApp CIFS Read/Write Latency Critical

NetApp ISCSI Read/Write Latency Warning

NetApp ISCSI Read/Write Latency Critical

NetApp FCP Read/Write

Latency Warning

NetApp FCP Read/Write Latency Critical

NetApp Volume Read/Write

Latency Warning

NetApp Volume Read/Write Latency Critical

EqualLogic Connection

Read/Write Latency Warning

EqualLogic Connection

Read/Write Latency Critical

Isilon Protocol Latency

Warning

Routing

Issues

Network devices exhibiting routing related issues Host Name

(STRING)

OSPF Neighbor Down

EIGRP Neighbor down

OSPF Neighbor Down

Scanned

Hosts

Hosts that are scanned Destination

IP

Half-open TCP DDOS Attack

TCP DDOS Attack

Excessive Denied

Connections to Same

Destination

Vulnerable

Systems

Systems that have high severity vulnerabilities from scanners Host Name

(STRING)

Scanner found severe vulnerability
Wireless LAN

Issues

Wireless nodes triggering violations MAC Address

(String)

Rogue or Unsecure AP detected

Wireless Host Blacklisted

Excessive WLAN Exploits

Excessive WLAN Exploits:

Same Source

 

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.