FortiSIEM Dynamic Population of Location, User, and and Geolocation Information for Events

Dynamic Population of Location, User, and and Geolocation Information for Events

In most cases, network logs only contain IP address information, but to investigate incidents involving that IP, you need additional context for that IP address such as host name, user, and geolocation information. Because FortiSIEM collects detailed IT infrastructure information in the CMDB, it is able to correlate that information to the IP address to create a context for the event, and insert that context information into events in real time as parsed attributes. This topic describes the way in which this context information is populated into events.

Correlating Event Information

Assigning Attributes to Events

Host Name Attribute

User Name Attribute

Geolocation Attribute

Dynamic Updating of Attribute Information

Attributes Added to Events

Correlating Event Information

Event information is derived from several different sources.

  1. During the discovery process, FortiSIEM discovers the host name and network interface address information during discovery and stores them in the CMDB. If any IP address other than the Access IP changes, then running a rediscovery will update the CMDB with the right information.
  2. FortiSIEM collates information from various authentication logs and forms a time-based Identity and Location Report containing the IP address, MAC address, Host Name, Domain, User, Network Access Point, and Network Access Point Port for the event.
  3. The geolocation database maps IP addresses to Country, State, City, Organization, Longitude, and Latitude information.

Assigning Attributes to Events

When FortiSIEM parses an event, attributes are assigned to it following this process:

Host Name Attribute

For each IP address (Host IP, Source IP, Destination IP, Reporting IP):

  1. FortiSIEM checks the CMDB for an associated host name, and if one is found, then the host name is added to the event.
  2. If the host name is not found in then CMDB, then FortiSIEM checks the Identity and Location Report for the host name, and if one is found, then it is added to the event.
  3. If the host name is not found in either the CMDB or Identity and Location Report, then FortiSIEM runs DNS lookup for the host name, and if one is found, then it is added to the event. For performance reasons the DNS result is cached, and because excessive DNS lookups can cause event processing delays, FortiSIEM has an algorithm to dynamically bypass DNS lookup if it begins falling behind in event processing.

User Name Attribute

For Source IP, FortiSIEM checks for user information in the Identity and Location Report, and if anything is found, it is added to the event.

Geolocation Attribute

For each IP address (Host IP, Source IP, Destination IP, Reporting IP), FortiSIEM checks the geolocation database. If geolocation information is found for that IP, then  Country, State, City, Organization, Longitude, and Latitude information is added to it.

Dynamic Updating of Attribute Information

For any of these attributes, when there is a change in the infrastructure (for example, a network device has a new IP or a new user logs on to the system), the change is populated into the CMDB and/or Identity and Location Report, and the event parsing module learns of the change and starts populating events with the new metadata.

Because the FortiSIEM approach to populating event attributes is dynamic and change driven, it is always able to map the right IP address to host names and users in the face of dynamic changes in the IT infrastructure.

Attributes Added to Events

IP Type Attributes

 

Source IP 1.  Source Host Name

2.  User (corresponding to Source IP)

3.  Source Country

4.  Source State

5.  Source City

6.  Source Organization

7.  Source Longitude

8.  Source Latitude

Destination IP 1.  Destination Host Name

2.  Destination Country

3.  Destination State

4.  Destination City

5.  Destination Organization

6.  Destination Longitude

7.  Destination Latitude

Host IP 1.  Host Name

2.  Host Country

3.  Host State

4.  Host City

5.  Host Organization

6.  Host Longitude

7.  Host Latitude

Reporting IP 1.  Reporting Host Name

2.  Reporting Country

3.  Reporting State

4.  Reporting City

5.  Reporting Organization

6.  Reporting Longitude

7.  Reporting Latitude

PostNAT (Network Address Translation) IP 1.  PostNAT Country

2.  PostNAT State

3.  PostNAT City

4.  PostNAT Organization

5.  PostNAT Longitude

6.  PostNAT Latitude


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Name *
Email *
Website

This site uses Akismet to reduce spam. Learn how your comment data is processed.