FortiSIEM Change management related reports

Change management related
Network Device Config Changes

Server Changes

Network Device Config Changes

Change: Router Configuration Changes Detected From Log: This report provides details about router config changes.

Change: Router Run versus Startup Config Difference Via Login: This report captures detected differences between a router's running and startup config.

Change: Router Config Changes Detected Via Login: This report captures detected configuration changes via login

WLAN Config Change: This report tracks all software, hardware and device configuration changes at WLAN Access points and Base stations. The report includes Original Reporting Controller IP, Event Type and MAC address of the AP or Controller where the event happened. If the MAC address is empty, then the event happened at the reporting Controller.

Change: Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a router's running and startup config.

Change: Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes. The changes are detected by logging into the device and hence are accurate.

Server Changes

Change: Database Server DDL Changes: Captures database DDL changes

Change: Top Windows Servers, Users by Account Modification Count: This report ranks the Windows servers and their administrative users by the number of user account modification events.

Change: Windows Server Account Modification Details: This report captures the details of Windows account modification events. Details include the administrative user, target user, the operation performed and the raw log.

Change: Windows File Access Details: This report captures the details of Windows server file access events. Details include the administrative user, file/directory, the operation performed and the raw log.

Change: Top Windows Servers, Users By Config/Policy Modification Count: This report ranks the Windows servers and their administrative users by the number of server configuration or policy modification events.

Change: Windows Server Config Modification Details: This report captures the details of Windows server configuration or policy modification events. Details include the administrative user, file/directory, the operation performed and the raw log.

Change: Local User Accounts Created: This report captures user accounts added on a server.

Change: Local User Accounts Deleted: This report captures user accounts removed from a server.

Change: User Accounts Modified: This report captures local user account modifications.

Change: Users Added To Local Groups: This report captures users added to local groups.

Change: Users Added To Global Groups: This report captures users added to global or universal groups.

Change: Users Deleted From Local Groups: This report captures users deleted from local groups.

Change: Users Deleted From Global Groups: This report captures users deleted from global or universal groups.

Change: Local Groups Deleted: This report captures local group deletions

Change: Local Groups Modified: This report captures local group modifications

Change: Global Groups Created: This report captures global group creations

Change: Global Groups Deleted: This report captures global group deletions

Change: Global Groups Modified: This report captures global group modifications

Change: Local Groups Created: This report captures local group creations

Change: Windows Server Password Changes: Tracks password changes

Change: Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on Windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

Change: Windows Audit Policy Changed: This report captures audit policy changes

Change: Windows File Access Failures: This report captures the details of Windows server file access failures. Details include the administrative user, file/directory, the operation performed and the raw log.

Change: Windows File Access Successes: This report captures the details of Windows server file access successes. Details include the administrative user, file/directory, the operation performed and the raw log.

Change: All Account/Group Change Events: This report lists all account/group change events

Change: Top Windows Domain Controllers, Users By Account Modification Count: Ranks Domain Controllers and their administrators by the number of account modifications performed

Change: Windows Domain Account Modification Details: Details Windows domain account modifications.

Change: Top Windows Domain Controllers, Users By File Modification Count: Ranks the Domain Controllers and their administrators by the number of file modifications performed.

Change: Windows Domain Controller File Modification Details: Provides details about domain controller file modifications.

Change: Top Windows Domain Controllers, Users By Config Modification Count: Ranks Domain Controllers and their administrators by the number of config modifications performed.

Change: Windows Domain Controller Config Changes: Provides detailed Windows domain controller config changes.

Change: Computers added to domain: Captures computers added to a domain

Change: Computers deleted from domain: Captures computers removed from a domain.

Change: Domain user accounts created: Captures user accounts added to a domain.

Change: Domain user accounts deleted: Captures user accounts removed from a domain.

Change: Domain user accounts modified: Captures domain user account modifications.

Change: Domain groups created: Captures domain group creations

Change: Domain groups deleted: Captures domain group deletions

Change: Domain groups modified: Captures domain group modifications

Change: Users Added To Domain Groups: Tracks users added to domain groups

Change: Users Deleted From Domain Groups: Tracks users deleted from domain groups. The information contains who did it (User, Computer, Domain, Source IP) along with the deleted account (Target User) and group (Target User Group).

Change: Domain User Password Changes: Tracks password changes

Change: Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

Change: Domain Account Unlocks: Captures account unlocks on domain accounts. Account unlocks happen after lockouts that may happen on repeated login failures.

Change: Windows Domain Controller Audit Policy Changed: This report captures audit policy changes

Change: Unix Users Added To Group: Tracks user additions to groups

Change: Unix User Password Changed: Tracks password changes

Change: Audited file changes: Tracks user modifications to files and directories. Both the content and attribute modifications are captured. For actions on directories, the affected files in the directories are also captured.


This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
