FortiSIEM Dynamic Population of Location, User, and and Geolocation Information for Events

Dynamic Population of Location, User, and and Geolocation Information for Events

In most cases, network logs only contain IP address information, but to investigate incidents involving that IP, you need additional context for that IP address such as host name, user, and geolocation information. Because FortiSIEM collects detailed IT infrastructure information in the CMDB, it is able to correlate that information to the IP address to create a context for the event, and insert that context information into events in real time as parsed attributes. This topic describes the way in which this context information is populated into events.

Correlating Event Information

Assigning Attributes to Events

Host Name Attribute

User Name Attribute

Geolocation Attribute

Dynamic Updating of Attribute Information

Attributes Added to Events

Correlating Event Information

Event information is derived from several different sources.

  1. During the discovery process, FortiSIEM discovers the host name and network interface address information during discovery and stores them in the CMDB. If any IP address other than the Access IP changes, then running a rediscovery will update the CMDB with the right information.
  2. FortiSIEM collates information from various authentication logs and forms a time-based Identity and Location Report containing the IP address, MAC address, Host Name, Domain, User, Network Access Point, and Network Access Point Port for the event.
  3. The geolocation database maps IP addresses to Country, State, City, Organization, Longitude, and Latitude information.

Assigning Attributes to Events

When FortiSIEM parses an event, attributes are assigned to it following this process:

Host Name Attribute

For each IP address (Host IP, Source IP, Destination IP, Reporting IP):

  1. FortiSIEM checks the CMDB for an associated host name, and if one is found, then the host name is added to the event.
  2. If the host name is not found in then CMDB, then FortiSIEM checks the Identity and Location Report for the host name, and if one is found, then it is added to the event.
  3. If the host name is not found in either the CMDB or Identity and Location Report, then FortiSIEM runs DNS lookup for the host name, and if one is found, then it is added to the event. For performance reasons the DNS result is cached, and because excessive DNS lookups can cause event processing delays, FortiSIEM has an algorithm to dynamically bypass DNS lookup if it begins falling behind in event processing.

User Name Attribute

For Source IP, FortiSIEM checks for user information in the Identity and Location Report, and if anything is found, it is added to the event.

Geolocation Attribute

For each IP address (Host IP, Source IP, Destination IP, Reporting IP), FortiSIEM checks the geolocation database. If geolocation information is found for that IP, then  Country, State, City, Organization, Longitude, and Latitude information is added to it.

Dynamic Updating of Attribute Information

For any of these attributes, when there is a change in the infrastructure (for example, a network device has a new IP or a new user logs on to the system), the change is populated into the CMDB and/or Identity and Location Report, and the event parsing module learns of the change and starts populating events with the new metadata.

Because the FortiSIEM approach to populating event attributes is dynamic and change driven, it is always able to map the right IP address to host names and users in the face of dynamic changes in the IT infrastructure.

Attributes Added to Events

IP Type Attributes

 

Source IP 1.  Source Host Name

2.  User (corresponding to Source IP)

3.  Source Country

4.  Source State

5.  Source City

6.  Source Organization

7.  Source Longitude

8.  Source Latitude

Destination IP 1.  Destination Host Name

2.  Destination Country

3.  Destination State

4.  Destination City

5.  Destination Organization

6.  Destination Longitude

7.  Destination Latitude

Host IP 1.  Host Name

2.  Host Country

3.  Host State

4.  Host City

5.  Host Organization

6.  Host Longitude

7.  Host Latitude

Reporting IP 1.  Reporting Host Name

2.  Reporting Country

3.  Reporting State

4.  Reporting City

5.  Reporting Organization

6.  Reporting Longitude

7.  Reporting Latitude

PostNAT (Network Address Translation) IP 1.  PostNAT Country

2.  PostNAT State

3.  PostNAT City

4.  PostNAT Organization

5.  PostNAT Longitude

6.  PostNAT Latitude


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “FortiSIEM Dynamic Population of Location, User, and and Geolocation Information for Events

  1. Gopal Pun

    Hello,
    My FortiSIEM is showing wrong source country attribute for a pool of public IP addresses; others are correct. What can I do to resolve this?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.