Yearly Archives: 2017

FortiSIEM Dashboard Overview


FortiSIEM includes two types of component dashboards: General, which are used to monitor IT infrastructure components, and VM View, which focus specifically on information about virtual machines in your infrastructure. These two types of component dashboards also include two types of dashboards for collecting different types of information:

Summary dashboards that provide single-line entries for IT infrastructure components based on their system status (Critical, Critical + Warning, All) in operational time

Widget-based dashboards that provide metrics and analytics for functional areas using historical data

In addition to the summary and widget-based dashboards, FortiSIEM also includes a specialized Incident dashboard, with features that are detailed in the Incidents – Flash version section.

Topics in this section provide an overview of the Summary and Widget dashboards, as well as how to use the Analysis menu to gain more information about your IT infrastructure components.

Summary Dashboard User Interface Overview

VM Dashboard User Interface Overview

Widget Dashboard User Interface Overview

Network Topology View of Devices

How Values in Dashboard Columns are Derived

Using the Analysis Menu


Summary Dashboard User Interface Overview

Dashboard Overview

Summary Dashboard UI Controls

Dashboard Overview

Summary dashboards are best used for gathering information about individual infrastructure components in operational time. Summary dashboards include the Exec Summary dashboard, and all the dashboards in the Summary Dashboards and Availability/Performance folders of the Dashboards > General pane. In the Dashboards > VM View pane, summary dashboards include the ESX Host Type dashboards (All ESX Hosts and Standalone ESX Hosts, for example). Metrics for these dashboards are displayed either on a real-time basis, or as an average of ten minute intervals.

This screenshot shows an example of a Biz Service Summary dashboard for a multi-tenant deployment. It contains all the standard user interface controls found in summary dashboards, though some additional UI controls are found in other summary dashboards, as described in the table Columnar Dashboard UI Controls. Selecting a business service in the top pane loads all the components associated with that service into the panes below.

Summary Dashboard UI Controls

UI Control: Description

Status Filter: Filters the view of the components based on component status: Critical, Critical + Warning, All.

Organizations Filter: For multi-tenant deployments, filters components based on the organization they belong to.

Service Info: For the Business Services summary dashboard, shows the Quick Info for the business service. For other components, an Info link is provided in the same location in the UI.

Analysis Menu: The Analysis menu contains a number of options for component analytics, depending on the component selected. See Using the Analysis Menu for more information. You can also access the Analysis menu for a component by hovering your mouse over the component’s Device IP menu until the blue Quick Info icon appears, and then clicking the icon.

Customize Columns: The Custom Columns control lets you change the columns that are displayed in the dashboard. See Adding Custom Columns to Dashboards for more information.

Performance Summaries: Most columns contain a summary or trend view of their display information. Hover your mouse over the metric until a trend line icon appears, and then click to view the summary or trend information. Note that many of these summary pop-ups have their own navigational controls, for example to set the time interval for the summary.

Incident Summary: The incident summary shows the number and type of incidents associated with the component. Hover over the number to view a quick summary of the incidents; click on the incident number to view incident details.

Quick Info: The Quick Info view of a device, which you can also access through the Analysis menu or by hovering your mouse cursor over the Device IP column, displays General and Health information for the device, and when appropriate, Identity and Location information. It also contains links to additional information about the device:

  Incidents: An exportable summary of incidents associated with the device.

  Health: Availability, Performance, and Security health information for the device. You can also access this information by clicking the Device Health user interface control, or by selecting Device Health in the Analysis menu.

  BizService: Any business services impacted by the device. You can also access this information by selecting Impacted Business Services in the Analysis menu.

  Applications: Displays a report on the top 10 applications associated with the device by Average CPU Utilization over the past hour.

  Vulnerability and IPS Status (not used in the Dashboard view): Displays the vulnerability status reports that are also available by selecting Vulnerability and IPS Status in the Analysis menu.

  Hardware Health (used only for the CMDB/Storage view): Displays health information for the hardware being used for storage.

  Interfaces: Displays a report on the top 10 interfaces associated with the device by average throughput.

  Topology: Shows the device’s location in the network topology. You can also access this information by selecting Topology in the Analysis menu.

  The Quick Info view also contains two links: Goto Config Item, which links to the device entry in the CMDB, and Goto Identity, which links to Analytics > Identity and Location Report, where you can edit this information for the device.

Component Health: Availability, Performance, and Security health reports for the device. You can also access this information by selecting a device in the Summary dashboard and then clicking Health, or by going to Quick Info > Health after selecting the device. If any Incidents are displayed, click the number to view the Incident Summary. Depending on the reported metric, you can zoom in for a closer look at graphs and reports by clicking the Magnifying Glass icon that appears when you hover your mouse cursor over them.

Location Selection: Filters components by their geographic locations. See Setting Device Location Information for more information.

Time View and Refresh Interval: The Time View has two options for whether you want to view Real Time or Average-10 mins metrics for your component, and for the interval at which you want them to refresh.

VM Dashboard User Interface Overview

The Dashboard > VM View provides a complete overview of your virtual infrastructure, including Data Centers, Standalone ESX Hosts, Resource Pools, Clusters, ESXs, and VMs. Over 400 VMs can be discovered, and their metrics pulled via VCenter, in under three minutes during initial discovery. As you navigate the Virtual Infrastructure hierarchy, you will see Summary dashboards similar to those in the General > Dashboard view for VM Clusters, All ESX Hosts, and Standalone ESX Hosts, while widget dashboards that provide performance metrics for CPU Utilization, Memory, Network Interface, Disk I/O and Data Store Utilization are available at the level of VM, ESX, Resource Pool and Cluster.

VM Summary Dashboards Overview

UI Controls for Virtual Infrastructure Summary Dashboards

The ESX Hosts View

The ESX and VM View

VM Summary Dashboards Overview

This screenshot shows the All ESX Hosts summary dashboard, which includes a summary pane for All ESXs at the top, and a summary pane for individual VM instances for selected ESXs at the bottom. The user interface controls for the Virtual Infrastructure summary dashboards are very similar to those in the General summary dashboards.

UI Controls for Virtual Infrastructure Summary Dashboards

UI Control: Description

Organizations Filter: For multi-tenant deployments, filters components based on the organization they belong to.

Quick Info: The Quick Info view of a device, which you can also access through the Analysis menu or by hovering your mouse cursor over the Device IP column, displays General and Health information for the device, and when appropriate, Identity and Location information. It also contains links to additional information about the device:

  Incidents: An exportable summary of incidents associated with the device.

  Health: Availability, Performance, and Security health information for the device. You can also access this information by clicking the Device Health user interface control, or by selecting Device Health in the Analysis menu.

  BizService: Any business services impacted by the device. You can also access this information by selecting Impacted Business Services in the Analysis menu.

  Applications: Displays a report on the top 10 applications associated with the device by Average CPU Utilization over the past hour.

  Vulnerability and IPS Status (not used in the Dashboard view): Displays the vulnerability status reports that are also available by selecting Vulnerability and IPS Status in the Analysis menu.

  Hardware Health (used only for the CMDB/Storage view): Displays health information for the hardware being used for storage.

  Interfaces: Displays a report on the top 10 interfaces associated with the device by average throughput.

  Topology: Shows the device’s location in the network topology. You can also access this information by selecting Topology in the Analysis menu.

  The Quick Info view also contains two links: Goto Config Item, which links to the device entry in the CMDB, and Goto Identity, which links to Analytics > Identity and Location Report, where you can edit this information for the device.

Device Health: Availability, Performance, and Security health reports for the device. You can also access this information by selecting a device in the Summary dashboard and then clicking Health, or by going to Quick Info > Health after selecting the device. If any Incidents are displayed, click the number to view the Incident Summary. Depending on the reported metric, you can zoom in for a closer look at graphs and reports by clicking the Magnifying Glass icon that appears when you hover your mouse cursor over them.

Analysis Menu: The Analysis menu contains a number of options for component analytics, depending on the component selected. See Using the Analysis Menu for more information. You can also access the Analysis menu for a component by hovering your mouse over the component’s Device IP menu until the blue Quick Info icon appears, and then clicking the icon.

Locations: Filters components by their geographic locations. See Setting Device Location Information for more information.

Customize Columns: The Custom Columns control lets you change the columns that are displayed in the dashboard. See Adding Custom Columns to Dashboards for more information.

The ESX Hosts View

When you select an individual ESX Host in the Virtual Infrastructure hierarchy, the ESX Health tab will be selected and you will see a widget dashboard with reports for ESX Statistics, Active Incidents, Performance Metrics, Memory Utilization, and Disk Rate. Additional tabs are VM Summary and Top VMs.

Tab Name: Description

ESX Health: A widget dashboard with reports for ESX Statistics, Active Incidents, Performance Metrics, Memory Utilization, and Disk Rate.

VM Summary: A summary dashboard for VMs on the ESX host.

Top VMs: A widget dashboard with reports for Top VMs by CPU Utilization, Top VMs by Memory Utilization, Top VMs by Disk Write Request Rates, Top VMs by CPU Ready Percentage, and Top VMs by Disk Read Request Rate, all updated hourly.

The ESX and VM View

When you select an ESX or VM in the Virtual Infrastructure hierarchy, you will see a widget dashboard that contains reports for VM Statistics, Active Incidents, and Performance Metrics.

Monitoring Operations with FortiSIEM


Dashboards – Flash version

FortiSIEM includes several different types of dashboards and views to monitor your IT infrastructure. Topics in this section provide an overview of the General and VM View dashboards available in the Dashboard tab, along with their user interface controls and customization options.

Dashboard Overview

Summary Dashboard User Interface Overview

VM Dashboard User Interface Overview

Widget Dashboard User Interface Overview

Network Topology View of Devices

How Values in Dashboard Columns are Derived

Using the Analysis Menu

Customizing Dashboards

Adding Custom Columns to Dashboards

Adding Widgets to Dashboards

Creating a Customized Dashboard

Setting a Dashboard to Home

Creating Dashboard Slideshow

Exporting and Importing Dashboards

Link Usage Dashboard

FortiSIEM Backing Up and Restoring FortiSIEM Directories and Databases


Backing Up and Restoring SVN

Backing Up and Restoring the CMDB

Backing Up and Restoring the Event Database

Backing Up and Restoring SVN


FortiSIEM uses a built-in SVN repository to store network device configurations and installed software versions.

Backup

The SVN files are stored in /data/svn. Copy the entire directory to another location.

Restore

Copy the entire backed-up svn directory from the backup location back to the Supervisor and rename it to /data/svn.

Backing Up and Restoring the CMDB

The FortiSIEM Configuration Management Database (CMDB) contains discovered information about devices, servers, networks and applications. You should create regular backups of the CMDB that you can use to restore it in the event of database corruption.

Backup

The database files are stored in /data/cmdb/data. FortiSIEM automatically backs up this data twice daily and the backup files are stored in /data/archive/cmdb. To

Restore

If your database becomes corrupted, restore it from backup by performing these steps on your Supervisor node.

  1. Stop all processes with this phTools command:

These processes will continue to run, which is expected behavior:

  2. Copy the latest phoenixdb_<timestamp> file to a directory like /tmp on the Supervisor host.
  3. Go to /opt/phoenix/deployment.
  4. Run db_restore /tmp/phoenixdb_<timestamp>.
  5. When this process completes, reboot the system.

Backing Up and Restoring the Event Database

Backup

Restore

Backup

The event data is stored in /data/eventdb. Since this data can become very large over time, you should use a program such as rsync to incrementally move the data to another location. From version 4.2.1 the rsync program is installed on FortiSIEM by default.

Use this command to back up the eventdb.

Restore

To restore eventdb there are two options:

Mount the directory where the event database was backed up.

Copy the backup to the /data/eventdb directory.

These instructions are for copying the backup to the /data/eventdb directory.

  1. Stop all running processes.
  2. Copy the event DB to the event DB location /data/eventdb.

If you use the cp command, it may appear that the command has hung if there is a lot of data to copy.

Alternatively, you can use rsync and display the progress status.

  3. Once complete, restart all processes.

Check that all processes have started.

FortiSIEM Creating Outbound Policies for Exporting CMDB Devices to External Helpdesk Systems


You can populate an external CMDB from the FortiSIEM CMDB. Currently, ServiceNow CMDB population is natively supported. For other CMDBs, you need to write a Java class and add some mapping files.

Prerequisites

Make sure you have the URL and the credentials for connecting to external help desk systems. The credentials must have sufficient permission to make changes to the CMDB.

Procedure

Creating an integration policy

  1. Log into your Supervisor node with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Click Add.
  4. For Type, select Device.
  5. For Direction, select Outbound.
  6. For Vendor, select the vendor of the system you want to connect to. ServiceNow is supported out of the box. When you select the Vendor:
    1. An Instance is created – this is the unique name for this policy. For example, if you had 2 ServiceNow installations, each would have a different Instance name.
    2. A default Plugin Name is populated – this is the Java code that implements the integration, including connecting to the external help desk system and synching the CMDB elements. The plugin is automatically populated for ServiceNow and ConnectWise. For other vendors, you have to create your own plugin and type in the plugin name here.
  7. For Host/URL, enter the host name or URL of the external system.
  8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system.
  9. Enter the Maximum number of devices to send to the external system.
  10. For Org Mapping, click Edit to create mappings between the organizations in your FortiSIEM deployment and the names of the organizations in the external system.
  11. For ConnectWise, it is possible to define a Content Mapping:
    1. Enter Column Mapping:
      1. To add a new mapping, click the + button.
      2. Choose a FortiSIEM CMDB attribute as the Source Column.
      3. Enter the external (ConnectWise) attribute as the Destination Column.
      4. Specify Default Mapped Value as the value assigned to the Destination Column if the Source Column is not found in the Data Mapping definitions.
      5. Select Put to a Question if the Destination Column is a custom column in ConnectWise.
    2. Enter Data Mapping:
      1. Choose the (Destination) Column Name.
      2. Enter From as the value in FortiSIEM.
      3. Enter To as the value in ConnectWise.
  12. For Groups, click Edit if you want the policy to only apply to a specific group of CMDB devices.
  13. Select Run after Discovery if you want this export to take place after you have run discovery in your system. This is the only way to push automatic changes from FortiSIEM to the external system.
  14. Click Save.

Updating external CMDB automatically after FortiSIEM discovery

  1. Create an integration policy
  2. Make sure Run after Discovery is checked.
  3. Click Save

Updating external CMDB automatically on a schedule

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Click Schedule and then click +
    1. Select the integration policies
    2. Select a schedule

Updating external CMDB on-demand (one-time)

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Select a specific integration policy and click Run.

Populating custom CMDB or extending current integration

Create a new plugin by following instructions in the FortiSIEM ServiceAPI. The document is available at FortiSIEM support portal under FortiSIEM ServiceAPI section.

Setting Schedules for Receiving Information from External Systems

Prerequisites

Procedure

You can set schedules for when your inbound external integration policies will run and update your incidents or CMDB.

Prerequisites

You should already have created an inbound policy for importing a device from an external system or an inbound policy for receiving Incidents.

Procedure
  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > Integration.
  3. Click Schedule.
  4. Click +.
  5. Select the notification policy you want to create a schedule for, and use the arrow buttons to add it to the Selected
  6. Set the parameters for one-time, Hourly, Daily, Weekly, or Monthly scheduled updates.
  7. Click OK.

Using the AccelOps API to Integrate with External Systems

Exporting Events to External Systems via Kafka

This section describes procedures for exporting FortiSIEM events to an external system via the Kafka message bus.

Prerequisites

Make sure you have set up a Kafka Cloud with a specific Topic for FortiSIEM events.

Make sure you have identified the set of Kafka brokers that FortiSIEM is going to send events to.

Make sure you have configured Kafka receivers which can parse FortiSIEM events and store them in a database. An example would be a Logstash receiver that can store them in an Elasticsearch database.

Supported Kafka version: 0.8

Procedure


FortiSIEM Creating Inbound Policies for Importing Devices from an External System


You can import the contents of other help desk and external system device databases into the FortiSIEM CMDB.

Prerequisites

Procedure

Prerequisites

You will need to have created a CSV file for mapping the contents of the external database to a location on your FortiSIEM Supervisor, which will be periodically updated based on the schedule you set. See Creating the CSV File for Importing Devices from External Systems for more information.

Procedure

  1. Log into your Supervisor node with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Click Add.
  4. For Type, select Device.
  5. For Direction, select Inbound.
  6. Select the Vendor of the external system you want to connect to.
  7. Enter the File Path to the CSV file.
  8. For Column Mapping, click + and enter the mapping between columns in the Source CSV file and the Destination

For example, if the source CSV has a column IP, and you want to map that to the column Device IP in the CMDB, you would enter IP for Source Column, and select Device IP for Destination Column.

  9. When you are finished creating column mappings, click OK.
  10. For Data Mapping, click + and enter the mapping between data values in the external system and the destination CMDB.

For example, if you wanted to change all instances of California in the entries for the State attribute in the external system to CA in the destination CMDB, you would select the State attribute, enter California for From, and CA for To.

  11. When you are done creating your data mappings, click OK.
  12. Click Save.
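
The Column Mapping and Data Mapping rules in this procedure, together with the Default Mapped Value from the ConnectWise Content Mapping steps of the outbound policy procedure, can be modelled as follows. This is an added illustration, not FortiSIEM's own import code: the CSV rows are constructed, the Host Name attribute, the reading of Default Mapped Value (used when a source value has no Data Mapping entry) and the Device IP validity check that rejects malformed rows instead of writing them into the CMDB are assumptions made for the example.

```python
"""Model of FortiSIEM integration-policy mappings (added example, not FortiSIEM code).

A Column Mapping renames a source CSV column to a CMDB attribute, a Data Mapping
rewrites values (From -> To) for one destination column, and a Default Mapped Value
(assumed semantics) is used when the source value has no Data Mapping entry.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of an external asset export; not real data.
SAMPLE_CSV = """IP,Hostname,State,Owner
10.1.2.3,web01,California,ops
10.1.2.4,db01,Texas,dba
not-an-ip,bad01,California,ops
"""


@dataclass
class ColumnMapping:
    source: str                    # column in the external CSV (Source Column)
    destination: str               # attribute in the FortiSIEM CMDB (Destination Column)
    default: Optional[str] = None  # Default Mapped Value, optional


@dataclass
class MappingPolicy:
    columns: List[ColumnMapping]
    # Data Mapping: destination column -> {From (external value): To (CMDB value)}
    data: Dict[str, Dict[str, str]] = field(default_factory=dict)


# Assumed sanity checks per CMDB attribute; FortiSIEM's own validation is not documented here.
VALIDATORS = {"Device IP": ipaddress.ip_address}


def apply_policy(csv_text: str, policy: MappingPolicy) -> Tuple[List[Dict[str, str]], List[Tuple[int, List[str]]]]:
    """Apply the policy to CSV text; return (accepted CMDB records, rejected rows).

    Each rejected entry is (CSV line number, list of problems) so an operator can
    fix the export instead of silently importing bad device data.
    """
    accepted: List[Dict[str, str]] = []
    rejected: List[Tuple[int, List[str]]] = []
    # Line 1 is the header, so the first data row is line 2.
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        record: Dict[str, str] = {}
        problems: List[str] = []
        for cm in policy.columns:
            if cm.source not in row:
                problems.append(f"missing source column {cm.source!r}")
                continue
            value = row[cm.source].strip()
            translations = policy.data.get(cm.destination)
            if translations is not None:
                if value in translations:
                    value = translations[value]          # From -> To
                elif cm.default is not None:
                    value = cm.default                   # Default Mapped Value
            check = VALIDATORS.get(cm.destination)
            if check is not None:
                try:
                    check(value)
                except ValueError:
                    problems.append(f"invalid {cm.destination}: {value!r}")
            record[cm.destination] = value
        if problems:
            rejected.append((lineno, problems))
        else:
            accepted.append(record)
    return accepted, rejected


# Policy matching the examples in the text: IP -> Device IP, California -> CA for State.
# "Host Name" and the default "Other" are assumed names for this example.
EXAMPLE_POLICY = MappingPolicy(
    columns=[
        ColumnMapping("IP", "Device IP"),
        ColumnMapping("Hostname", "Host Name"),
        ColumnMapping("State", "State", default="Other"),
    ],
    data={"State": {"California": "CA"}},
)

if __name__ == "__main__":
    ok, bad = apply_policy(SAMPLE_CSV, EXAMPLE_POLICY)
    for rec in ok:
        print("import:", rec)
    for lineno, problems in bad:
        print(f"line {lineno} rejected: {', '.join(problems)}")
```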


Creating the CSV File for Importing Devices from External Systems

FortiSIEM Searching for Tickets from or to External Systems


External CMDB Integration

FortiSIEM Integrating with External CMDB and Helpdesk Systems

Topics in this section include:

FortiSIEM Integration Framework Overview

External Helpdesk System Integration

Creating Inbound Policies for Updating Ticket Status from External Ticketing Systems

Creating Outbound Policies for Creating Tickets in External Helpdesk Systems

Searching for Tickets from or to External Systems

External CMDB Integration

Creating Inbound Policies for Importing Devices from an External System

Creating the CSV File for Importing Devices from External Systems

Creating Outbound Policies for Exporting CMDB Devices to External Helpdesk Systems

Setting Schedules for Receiving Information from External Systems

Using the AccelOps API to Integrate with External Systems

Exporting Events to External Systems via Kafka

FortiSIEM Integration Framework Overview

The FortiSIEM integration framework provides a way for you to create two-way linkages with workflow-based help desk systems like ServiceNow and ConnectWise, as well as with external CMDBs.

The integration framework is based on creating policies for inbound and outbound communications with other systems, including sharing of incident and ticket information, and CMDB updates. Support is provided for creating policies to work with selected vendor systems, while the integration API lets you build modules to integrate with proprietary and other systems. Once you’ve created your integration policies, you can set them to execute once on a defined date and time, or on a regular schedule.

External Helpdesk System Integration

Creating Inbound Policies for Updating Ticket Status from External Ticketing Systems

Once a ticket has been opened in an external ticketing system, the status of the ticket is maintained in the external system. This section shows how to synchronize the external ticket status back into FortiSIEM.

Creating an integration policy

Create an integration policy for updating FortiSIEM external ticket state and incident status.

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Click Add.
  4. For Type, select Incident.
  5. For Direction, select Inbound.
  6. For Vendor, select the vendor of the system you want to connect to. ServiceNow and ConnectWise are supported out of the box. When you select the Vendor:
    1. An Instance is created – this is the unique name for this policy. If you had 2 ServiceNow or ConnectWise installations, each would have different Instance names. You can change this instance name.
    2. A default Plugin Name is populated – this is the Java code that implements the integration including connecting to the external help desk systems and creating/updating the ticket. The plugin name is automatically populated for ServiceNow and ConnectWise. For other vendors, you have to create your own plugin and type in the plugin name here.
  7. For Host/URL, enter the host name or URL of the external system.
  8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system.
  9. Enter the Time Window – external ticket state for tickets closed in the external help desk/workflow system during the time window specified here will be synched back.
  10. Click Save.

Updating FortiSIEM external ticket state and incident status automatically on a schedule

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Click Schedule and then click +
    1. Select the integration policy
    2. Select a schedule

The following fields in a FortiSIEM incident are updated:

External Ticket State

Ticket State

External Cleared Time

External Resolve Time

Populating custom CMDB or extending current integration

Create a new plugin by following instructions in the FortiSIEM ServiceAPI. The document is available at FortiSIEM support portal under FortiSIEM ServiceAPI section.


Creating Outbound Policies for Creating Tickets in External Helpdesk Systems

This section explains how to configure FortiSIEM to create tickets in external help desk systems.

Prerequisites

Make sure you have the URL and the credentials for connecting to external help desk systems. The credentials must have sufficient permission to make changes to the Incident view.

Procedure

Creating an integration policy

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Click Add.
  4. For Type, select Incident.
  5. For Direction, select Outbound.
  6. For Vendor, select the vendor of the system you want to connect to. ServiceNow and ConnectWise are supported out of the box. When you select the Vendor:
    1. An Instance is created – this is the unique name for this policy. If you had 2 ServiceNow or ConnectWise installations, each would have different Instance names. You can change this instance name.
    2. A default Plugin Name is populated – this is the Java code that implements the integration including connecting to the external help desk systems and creating/updating the ticket. The plugin name is automatically populated for ServiceNow and ConnectWise. For other vendors, you have to create your own plugin and type in the plugin name here.
  7. For Host/URL, enter the host name or URL of the external system.
  8. For User Name and Password, enter a user name and password that the system can use to authenticate with the external system.
  9. Enter the Maximum number of incidents to be synched with the external system at a time.
  10. For Incident Comment Template, click Edit to format a string using Incident Attributes. This formatted string will be written in the ticket comment field in the external ticketing system. It works similarly as a custom email notification.
  11. For Org Mapping, click Edit to create mappings between the organizations in your FortiSIEM deployment and the names of the organization in the external system.
  12. ConnectWise-specific field ServiceBoard: enter the name of the ServiceBoard where the incidents will be posted.
  13. Click Save.

Creating tickets automatically when incident triggers

  1. Create an integration policy
  2. Go to Analytics > Incident Notification Policy and create a Notification Policy.
  3. For Actions, check Invoke a Notification Policy. Then Click Edit Policy and select an integration policy created in Step 1.
  4. Click Save

The following fields in a FortiSIEM incident are updated after a ticket has been created in the external ticketing system:

External Ticket ID

External Ticket State

External User (optional)

Creating tickets automatically on a schedule

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Click Schedule and then click +
    1. Select the integration policies
    2. Select a schedule

The following fields in a FortiSIEM incident are updated after a ticket has been created in the external ticketing system:

External Ticket ID

External Ticket State

External User (optional)

Creating tickets on-demand (one-time)

  1. Log into your FortiSIEM Supervisor with administrator credentials.
  2. Go to Admin > General Settings > Integration.
  3. Select a specific integration policy and click Run.

The following fields in a FortiSIEM incident are updated after a ticket has been created in the external ticketing system:

External Ticket ID

External Ticket State

External User (optional)

Populating custom CMDB or extending current integration

Create a new plugin by following instructions in the FortiSIEM ServiceAPI. The document is available at FortiSIEM support portal under FortiSIEM ServiceAPI section.


FortiSIEM Managing Event Data Archive


Prerequisites

Creating Archive Destination

Creating Offline (Archive) Retention Policy

Prerequisites

Make sure you read the section on Setting Archive and Purge Policies in the topic Creating Event Database Archives before you set up your policy. It is very important that you understand how FortiSIEM moves data into the archive, and purges archived data when the archive destination storage reaches capacity, before you create your policy.

Make sure that your Archive Destination has sufficient storage for your event data + 20GB. When the free space at the archive destination drops to 20GB, FortiSIEM will begin to purge archived data, in daily increments, starting with the oldest data, to maintain a 20GB overhead.

Creating Archive Destination

  1. Log in to your Supervisor node.
  2. Go to Admin > Event DB Management.
  3. Click Retention Policy.
  4. For Archive Destination, enter the full path of the file system directory where you want your event data to be archived, and then click Apply.

Offline Storage Capacity for Multi-Tenant Deployments

Note that all organizations will share the same Archive Destination. For this reason, you should make sure that the archive destination has enough capacity to hold the event data for both the number of organizations and the archive retention period that you set for each. If the archive destination does not have enough storage capacity, the archive operation may fail.
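The capacity rule and the purge behaviour described above (event data + 20GB overhead, oldest day purged first, shared destination across organizations) can be modelled to size an archive destination before enabling it. This is an added example, not FortiSIEM code; the per-organization inputs and the daily archive sizes are constructed values.

```python
OVERHEAD_GB = 20  # free space FortiSIEM keeps at the archive destination (from the page)


def required_capacity_gb(daily_volume_gb, retention_days):
    """Capacity to provision for a shared archive destination.

    Each organization contributes (daily archived volume x offline retention
    days); all organizations share the single 20GB overhead.  Inputs are
    per-organization lists in the same order (assumed planning model)."""
    data = sum(vol * days for vol, days in zip(daily_volume_gb, retention_days))
    return data + OVERHEAD_GB


def simulate_purge(archive_days, capacity_gb):
    """Model of the purge rule: drop whole days, oldest first, until at least
    OVERHEAD_GB is free.  archive_days maps an ISO date string to the GB
    archived that day.  Returns (purged_dates, used_gb_after_purge)."""
    used = sum(archive_days.values())
    purged = []
    for day in sorted(archive_days):          # ascending date = oldest first
        if capacity_gb - used >= OVERHEAD_GB:
            break                              # overhead restored, stop purging
        used -= archive_days[day]
        purged.append(day)
    return purged, used


# Constructed sample: four days of archived events (GB per day)
SAMPLE_ARCHIVE = {
    "2017-03-01": 30,
    "2017-03-02": 25,
    "2017-03-03": 40,
    "2017-03-04": 35,
}

if __name__ == "__main__":
    # two tenants: 10GB/day kept 30 days and 5GB/day kept 90 days -> 770GB
    print(required_capacity_gb([10, 5], [30, 90]))
    # 130GB archived on a 140GB destination: only 10GB free, so the oldest
    # day is purged and 100GB remain
    print(simulate_purge(SAMPLE_ARCHIVE, 140))
```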

Creating Offline (Archive) Retention Policy

This enables you to control which customers' data stays in the event data archive, and for how long.

  1. Log in to your Supervisor node.
  2. Go to Admin > Event DB Management.
  3. Click Retention Policy.
  4. Under Offline Retention Policies, click New.
  5. For multi-tenant installations, select the Organization for which this policy will apply.
  6. For Time Period, enter the number of days that event data should be held in the offline storage before it is purged.
  7. Click Save.

Managing Online Event Data

Creating Online Event Retention Policy

This enables you to control the content of online event data.

  1. Log in to your Supervisor node.
  2. Go to Admin > Event DB Management.
  3. Click Retention Policy.
  4. Under Online Retention Policies, click Add.
  5. Enter the following information:
    1. Enabled – Check this box if the policy has to be enforced right away.
    2. Organizations – Choose the organizations to which the policy applies (for Service Provider installs).
    3. Reporting Devices – Choose the reporting devices relevant to this policy.
    4. Event Type – Choose the event types or event type groups.
    5. Time period – Enter the number of days that event data matching the conditions (Organizations, Reporting Devices and Event Type) should be held in online storage before it is moved to the archive or purged.
    6. Description – Enter a description for the policy.
  6. Click Save.

Viewing Online Event Data Usage

This enables you to see a summarized view of online event data. These views enable you to manage storage more effectively by writing appropriate event dropping policies or online event retention policies.

Restoring Archived Data

Once your event data has been moved to an offline archive, you can no longer query that data from within FortiSIEM. However, you can restore it to your virtual appliance, and then proceed with any queries or analysis.

  1. Log in to your Supervisor node.
  2. Go to Admin > Event DB Management > Data Manager.
  3. Under Reserved Restore Space (GB), enter the amount of storage space that will be reserved for the restored data.

This should be equal to or larger than the size of the archive to be restored.

  4. Under Archived Data, select the archive that you want to restore.
  5. Click Restore.

The archive data will be moved to the restore space and can be queried in the usual ways.

 

Validating Log Integrity

Security auditors can validate that archived event data has not been tampered with by using the Event Integrity function of Event DB Management.

  1. Log in to your Supervisor node.
  2. Go to Admin > Event DB Management > Event Integrity.
  3. Select the Begin Time and End Time for the time period during which log integrity needs to be validated.
  4. Click Show.

You will see a table of all the logs that are available for the specified time period.

  5. Use Validation Status to filter the types of logs you want to validate.
  6. Select the log you want to validate, and click Validate.

A table showing the validation status of the logs will be displayed.

Column – Description

Start Time – The earliest time of the messages in this file. The file does not contain messages that were received by FortiSIEM before this time.

End Time – The latest time of the messages in this file. The file does not contain messages that were received by FortiSIEM after this time.

Category – Internal: these messages were generated by FortiSIEM for its own use. This includes FortiSIEM system logs and monitoring events such as the ones that begin with PH_DEV_MON. External: these messages were received by FortiSIEM from an external system. Incident: these correspond to incidents generated by FortiSIEM.

File Name – The name of the log file.

Event Count – The number of events in the file.

Checksum Algorithm – The checksum algorithm used for computing message integrity.

Message Checksum – The value of the checksum.

Validation Status – Not Validated: the event integrity has not been validated yet. Successful: the event integrity has been validated and the result was success, meaning the logs in this file were not altered. Failed: the event integrity has been validated and the result was failure, meaning the logs in this file were altered. Archived: the events in this file were archived to offline storage.

File Location – Local: local to the Supervisor node. External: external to the Supervisor node, for example on NFS storage.

 

Click Export to create a PDF version of the validation results.
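The rows of the Event Integrity table can be reproduced in code to see how a recorded Message Checksum is turned into a Validation Status. This is an added example, not FortiSIEM's implementation: the checksum algorithm (sha256), the mapping of a file with no readable content to the Archived status, and the sample syslog lines are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LogFileRecord:
    """One row of the Event Integrity table (column names from the page)."""
    file_name: str
    category: str             # Internal, External or Incident
    event_count: int
    checksum_algorithm: str   # hashlib name; sha256 is an assumption here
    message_checksum: str     # hex digest recorded when the file was written
    validation_status: str = "Not Validated"
    file_location: str = "Local"


def message_checksum(content: bytes, algorithm: str) -> str:
    """Digest over the whole file as written; any later edit changes it."""
    return hashlib.new(algorithm, content).hexdigest()


def record_at_write_time(name: str, category: str, lines: List[bytes],
                         algorithm: str = "sha256"):
    """Simulates the record FortiSIEM keeps when a log file is closed."""
    content = b"".join(lines)
    rec = LogFileRecord(name, category, len(lines), algorithm,
                        message_checksum(content, algorithm))
    return rec, content


def validate(rec: LogFileRecord, content: Optional[bytes]) -> str:
    """Recompute the checksum and set Validation Status accordingly."""
    if content is None:                    # assumption: file is in offline storage
        rec.validation_status = "Archived"
    else:
        actual = message_checksum(content, rec.checksum_algorithm)
        ok = hmac.compare_digest(actual, rec.message_checksum)  # constant-time compare
        rec.validation_status = "Successful" if ok else "Failed"
    return rec.validation_status


def filter_by_status(records: List[LogFileRecord], status: str) -> List[LogFileRecord]:
    """Equivalent of the Validation Status filter in the UI."""
    return [r for r in records if r.validation_status == status]


# Constructed sample: three firewall syslog lines stored in one External log file
EVENTS = [
    b"<134>Jan 10 12:00:01 fw01 action=deny src=10.0.0.5 dst=10.0.0.9 dpt=22\n",
    b"<134>Jan 10 12:00:02 fw01 action=allow src=10.0.0.5 dst=10.0.0.10 dpt=443\n",
    b"<134>Jan 10 12:00:03 fw01 action=deny src=10.0.0.7 dst=10.0.0.9 dpt=22\n",
]
RECORD, ORIGINAL = record_at_write_time("fw01_20170110.log", "External", EVENTS)
# A single field flipped after the fact is enough to make validation fail
TAMPERED = ORIGINAL.replace(b"action=deny src=10.0.0.5", b"action=allow src=10.0.0.5")
```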