Yearly Archives: 2017

FortiSIEM Inspecting Changes Since Last Discovery

Inspecting Changes Since Last Discovery

After you run discovery for the first time, FortiSIEM keeps track of changes to your discovered devices during subsequent discovery runs, including new devices, changed devices, and failed devices.

  1. Log in to your Supervisor node.
  2. Go to Admin > Discovery Results.
  3. Select a discovery result.
  4. Click View Changes.
  5. Expand the folder Discovery Delta.
  6. Move your mouse cursor over a folder or item until a blue Information icon appears, and then click on the icon to view basic information about the item.


FortiSIEM Inspecting Event Pulling Methods for Devices

Inspecting Event Pulling Methods for Devices

Once you have discovered and approved the devices in your IT infrastructure, you should verify that the FortiSIEM perfMonitor module is polling them over the correct access protocol and pulling event information from them. If you are having issues collecting performance metrics from your devices, you should begin troubleshooting by first checking the status of the event pulling method for the device.

  1. Go to Admin > Setup Wizard > Pull Events.
  2. Review the Event Pulling Status for each of your discovered devices.
     The status is shown by how the name of the event pulling method is rendered:

     Successful: If event information is being pulled from the device, you will see the name of the event pulling method rendered in plain black text.

     Added but Not Monitored: If the name of the event pulling method has a Star icon next to it, event information can be successfully pulled from the device, but the perfMonitor module has not yet initiated monitoring.

     Paused: A Pause icon indicates that event information is not being pulled from the device because it failed the verification check at the beginning of the monitoring cycle. This is usually caused by an issue with the access protocol credentials. The credential was valid when discovery succeeded, and so the event pulling method was able to monitor the associated metrics, but the perfMonitor module failed on the credential at a later time. You should check the access protocol credentials associated with the devices and event pulling methods, and then re-initiate discovery of the device.

     Failed: An Alert icon and the name of the event pulling method in red indicate that adding that event pulling method for the device failed.
  3. Click Show Errors to view a more detailed description of any errors associated with an event pulling method.
  4. Click Edit to change any of the event pulling methods associated with a device.
  5. Click Apply to apply any changes to your event pulling methods.
  6. Click Test Pull Events to test any changes you make.


FortiSIEM Approving Newly Discovered Devices

Approving Newly Discovered Devices

When devices are discovered by FortiSIEM, monitoring of them begins automatically, and incidents for those devices will trigger automatically based on the rules associated with that device. However, you can configure the Discovery Settings so incidents will be triggered only for devices you approve. If you select Approved Devices Only for Allow Incident Firing On, then you will need to approve devices before incidents will be triggered for those devices, but they will still be monitored and added to the CMDB.

  1. Log in to your Supervisor node.
  2. Go to Admin > Discovery Results.
  3. Select a discovery result.
  4. Click View Changes.
  5. Expand the folder Discovery Delta.
  6. Expand the folder New Devices.
  7. Select the devices you want to approve, and click Approve Selected.

You can approve all the new devices by selecting the New Devices folder, and then click Approve All.

Related Links

Discovery Settings

FortiSIEM Discovering Microsoft Azure Infrastructure

Discovering Microsoft Azure Infrastructure

Discovering Microsoft Azure Cloud infrastructure follows the same basic process described in Setting Access Credentials for Device Discovery and Discovering Devices, but requires a different approach to associating credentials to IP addresses, since Azure uses dynamic, rather than static, IP address assignment.

Create a Certificate file for communicating to Azure Management Server

Setting Access Credentials for Microsoft Azure Discovery

Associating Microsoft Azure with Credentials

Discovering Microsoft Azure Compute Nodes

Create a Certificate file for communicating to Azure Management Server


  1. Log in to the classic (old) Azure portal and upload the .cer file under Settings > Management Certificates.
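The page does not show how the .cer file itself is produced. The following shell functions are an added example, not from the FortiSIEM or Azure documentation, and run on any Linux host with openssl (the Supervisor is one, as the rpm and ldconfig steps elsewhere on this page show). They generate a self-signed certificate, export the public part as the DER-encoded .cer that the classic portal accepts for management certificates, and print the SHA-1 thumbprint the portal lists so the upload can be matched to the right file. The file names, the subject and the validity period are assumptions.

```shell
#!/bin/sh
# Added example (not FortiSIEM's or Azure's own tooling): create a management
# certificate for the classic Azure portal with openssl.
# Assumptions: openssl is installed; output names and validity are our choice.
# The classic portal accepts an X.509 certificate with a 2048-bit RSA key,
# uploaded as a DER-encoded .cer that carries only the public certificate.

# Creates <name>.key (private key), <name>.pem (certificate, PEM) and
# <name>.cer (same certificate, DER) in the current directory.
make_azure_mgmt_cert() {
    name="$1"            # base file name, e.g. fortisiem-azure
    days="${2:-365}"     # validity in days; rotate the certificate before expiry
    subj="/CN=${name}"   # assumed subject; the portal does not check it

    # Private key plus self-signed certificate. The key never leaves this host.
    openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "$subj" -keyout "${name}.key" -out "${name}.pem" >/dev/null 2>&1 || return 1
    chmod 600 "${name}.key"

    # Azure wants the public certificate in DER form with a .cer extension.
    openssl x509 -in "${name}.pem" -outform DER -out "${name}.cer" >/dev/null 2>&1 || return 1
}

# SHA-1 thumbprint of a DER .cer, as 40 upper-case hex digits without colons,
# which is how the portal displays it under Management Certificates.
cert_thumbprint() {
    openssl x509 -in "$1" -inform DER -noout -fingerprint -sha1 \
        | sed -e 's/^.*=//' -e 's/://g'
}

# Stand-alone use: sh make_cert.sh fortisiem-azure [days]
if [ "$#" -gt 0 ]; then
    make_azure_mgmt_cert "$1" "${2:-365}" || { echo "certificate creation failed" >&2; exit 1; }
    echo "uploaded file: $1.cer  thumbprint: $(cert_thumbprint "$1.cer")"
fi
```

Upload only the .cer; the .key file is what lets the holder act against the subscription, so keep it restricted to the account that runs the FortiSIEM credential. Which file (certificate only, or certificate plus key) the Upload the Certificate File step in the credential dialog expects is not stated on this page, so check the field's help text before uploading.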


Setting Access Credentials for Microsoft Azure Discovery
  1. Log into your Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. Under Enter Credentials, click Add.
  4. Enter a Name for the credential.
  5. For Device Type, select Microsoft Azure Compute.
  6. For Subscription ID, enter your Azure subscription ID.
  7. Upload the Certificate File, enter the region where your AWS instance is located.
  8. Enter the Access Key ID and Secret Access Key associated with your AWS instance.
  9. Click Save.
Associating Microsoft Azure with Credentials

After you’ve defined all the credentials associated with the access protocols used by devices in your Microsoft Azure instance, you need to associate those credentials.

  1. Log into your Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. Under Enter IP Range to Credential Associations, click Add.
  4. For IP/Host Name, enter com.
  5. Click +, and add the Microsoft Azure Compute credential created in “Setting Access Credentials for Microsoft Azure Discovery”, as well as any other generic credentials you’ve created.
  6. Click OK.
  7. Click Test Connectivity to make sure you can reach your instance and that all credentials are entered correctly before you initiate discovery.
Discovering Microsoft Azure Compute Nodes

After you’ve defined and tested all the credentials, you can proceed to discovery.

  1. Log into your Supervisor node.
  2. Go to Admin > Setup Wizard > Discovery.
  3. Click Add.
  4. For Discovery Type, select Azure Scan.
  5. Click
  6. Select the entry just created and click

If discovery is successful, your discovered instances will be added to Admin > Setup wizard > Monitor Change/Performance and CMDB > Devices > Microsoft Azure Cloud > Azure Compute.


FortiSIEM Discovering Amazon Web Services (AWS) Infrastructure

Discovering Amazon Web Services (AWS) Infrastructure

Discovering infrastructure in AWS follows the same basic process described in Setting Access Credentials for Device Discovery and Discovering Devices, but requires a different approach to associating credentials to IP addresses, since AWS uses dynamic, rather than static, IP address assignment. The generic AWS SDK credential is used to discover Amazon Machine Instances (AMIs) and associated information such as host name, instance ID, and instance state, while credentials for generic versions of WMI, SMTP, and other access protocols are used to discover associated devices as you would for any other discovery process.

Setting Access Credentials for AWS Instances

Associating the AWS Host with Credentials

If you have not already configured Access Keys and permissions on AWS, please follow the steps outlined in AWS Access Key IAM Permissions and IAM Policies.

Setting Access Credentials for AWS Instances
  1. Log into your Supervisor node.
  2. Go to Admin > Setup Wizard > Discovery.
  3. Under Enter Credentials, click Add.
  4. Enter a Name for the credential.
  5. For Device Type, select Amazon AWS SDK.
  6. For Access Protocol, select AWS SDK.
  7. For Region, enter the region where your AWS instance is located.
  8. Enter the Access Key ID and Secret Access Key associated with your AWS instance.
  9. Click Save.
Associating the AWS Host with Credentials

After you’ve defined all the credentials associated with the access protocols used by devices in your AWS instance, you need to associate those credentials to the AWS host. In other deployment configurations, you would associate credentials with IP addresses corresponding to your device locations, but since AWS uses dynamic IP addressing, you need to associate all your credentials to the same host.

  1. Under Enter IP Range to Credential Associations, click Add.
  2. For IP/Host Name, enter com.
  3. Click +, and add the AWS SDK credential, as well as any other generic credentials you’ve created.
  4. Click OK.
  5. Click Test Connectivity to make sure you can reach your instance and that all credentials are entered correctly before you initiate discovery.

Both the connectivity test and the discovery process will try to connect to the Amazon instances first, and from there will try to connect to the private IPs of discovered instances using the other access protocols.

  1. You can now initiate discovery of your instances and associated devices as described in Discovering Devices, but for Discovery Type, select AWS Scan.

If discovery is successful, your discovered instances and devices will be added to Admin > Setup wizard > Monitor Change/Performance, and in CMDB > Devices, you will see an Amazon EC2 directory, which will include your discovered instances. If you have defined other access credentials, the discovered devices will also appear in that directory, as well as under CMDB > Server. You can query these devices from either directory.


FortiSIEM Discovering Devices

Discovering Devices
Prerequisites

Make sure you have configured the Discovery Settings for your deployment

Set up the Access Credentials for your devices so FortiSIEM can communicate with them

Procedure

After you have set up the access protocols for your devices as described in Setting Access Credentials for Device Discovery, you are ready to discover devices in your IT infrastructure.

  1. Log in to your Supervisor node.

Discovering Devices for Multi-Tenant Deployments

If you have a multi-tenant FortiSIEM deployment that uses Collectors and you want to discover devices for a specific organization, rather than the Global organization, log in to your Supervisor node as an admin user for that organization. See Discovery for Multi-Tenant Deployments for more information about how discovery works for multi-tenant deployments with and without Collectors.

  2. Go to Admin > Setup Wizard > Discovery.
  3. Click Add.

You can also schedule single or recurring discovery processes as described in Scheduling a Discovery.

  4. In the Range Definition dialog, set the options for this discovery.

See Discovery Range Definition Options for more information about the options available in this dialog.

  5. Click OK.

Your range definition will be added to the list.

  6. Select your range definition, and then click Discover.

A discovery dialog will show you the progress of your discovery. For long-running discoveries, you can use the Run in Background option.

  7. When discovery completes, the results will be displayed in the dialog. Click Errors to view any errors.

Possible Causes of Discovery Errors

If there are errors during the discovery process, the Errors screen will inform you of their severity, impact, and potential resolution. Some possible reasons for errors include:

A device is not online or not reachable via ping. FortiSIEM will attempt to ping devices before initiating a full discovery to save time.

A device is not responding to SNMP or WMI requests, or there is a firewall blocking these requests from FortiSIEM.

The SNMP/WMI credentials are incorrect.

WMI may not have been set up correctly on the server. See the appropriate topic under Configuring External Systems for Discovery, Monitoring and Log Collection for how to configure WMI for your device.

Approving Newly Discovered Devices

If you selected Approved Devices Only for the discovery setting Allow Incident Firing On, as described in Discovery Settings, then you will need to approve your newly discovered devices before incidents will be triggered for those devices. See Approving Newly Discovered Devices for more information.

FortiSIEM Setting Access Credentials for Device Discovery

Setting Access Credentials for Device Discovery

Before you can discover devices, you need to provide the access protocol and credentials associated with the IP address or range where your devices are located. FortiSIEM will then use this information to access your devices, pull information from them, and begin monitoring them.

Access Protocols Required for Discovery

SNMP, VM SDK (for VMware vCenter), or WMI (for Windows devices) must be one of the access protocols for which you provide credentials in order for the devices associated with an IP address or range to be discovered. If your device does not use one of these protocols, then you must configure it to communicate with FortiSIEM as described in the topics under Configuring External Systems for Discovery, Monitoring and Log Collection. As described in those topics, you may also need to set up additional configurations within your devices to send logs and other information to FortiSIEM.

Associate Credentials Only with the IP Address Where They Will be Used

Credentials should only be associated with IP addresses where they can be used. Assigning credentials to IP addresses where they are not used will trigger a discovery attempt for each such credential, and the system waits for that credential's timeout to expire before it moves on to the next one. The discovery process therefore takes much more time and processing power on the FortiSIEM system. You can, however, associate the same credential (for example, a generic SNMP access credential) with multiple IP addresses where it will be used to communicate with a device over that protocol.
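The cost described above is easy to quantify once you have Test Connectivity results for your ranges. The following script is an added example, not part of the FortiSIEM documentation or product: it compares a credential association list against connectivity results and reports every credential that is associated with a host whose protocol never answered, together with the timeout seconds that discovery would spend waiting on it. Both inputs are constructed sample data in a CSV layout of our own; FortiSIEM does not export its associations in this form, so in practice you would fill the two lists from the Credentials page by hand.

```shell
#!/bin/sh
# Added example (not FortiSIEM's own tooling): find credential-to-IP
# associations that only cost discovery time.
# Inputs are constructed samples; the CSV layout is assumed, not FortiSIEM's.

# Constructed: host, credential name, access protocol, per-attempt timeout (s)
ASSOCIATIONS='10.1.1.10,snmp-generic,SNMP,5
10.1.1.10,win-wmi,WMI,30
10.1.1.10,linux-ssh,SSH,15
10.1.1.20,snmp-generic,SNMP,5
10.1.1.20,win-wmi,WMI,30
10.1.1.30,linux-ssh,SSH,15
10.1.1.30,win-wmi,WMI,30'

# Constructed: Test Connectivity outcome per host and protocol (ok / fail)
CONNECTIVITY='10.1.1.10,SNMP,ok
10.1.1.10,WMI,ok
10.1.1.10,SSH,fail
10.1.1.20,SNMP,ok
10.1.1.20,WMI,fail
10.1.1.30,SSH,ok
10.1.1.30,WMI,fail'

# One line per association whose protocol did not answer on that host:
# "host credential protocol timeout". A host/protocol pair with no
# connectivity result at all is reported too, since it was never verified.
unused_associations() {
    printf '%s\n' "$CONNECTIVITY" "---" "$ASSOCIATIONS" | awk -F, '
        /^---$/ { phase = 1; next }                       # switch from results to associations
        phase == 0 { status[$1 "," $2] = $3; next }       # remember host,protocol -> ok/fail
        status[$1 "," $3] != "ok" { print $1, $2, $3, $4 }'
}

# Seconds discovery spends waiting on one host's unused credentials: each is
# tried in turn and waits out its own timeout before the next one starts.
wasted_seconds() {
    unused_associations | awk -v h="$1" '$1 == h { s += $4 } END { print s + 0 }'
}

# Totals for every host that has at least one unused association.
wasted_per_host() {
    unused_associations | awk '{ s[$1] += $4 } END { for (h in s) print h, s[h] }' | sort
}

# Stand-alone use: sh audit.sh report
if [ "${1:-}" = "report" ]; then
    echo "unused associations (host credential protocol timeout):"
    unused_associations
    echo "timeout seconds per host:"
    wasted_per_host
fi
```

The three reported associations in the sample data are exactly the ones the passage above warns about: removing them takes 15 to 30 seconds of pure timeout waiting off each of those hosts on every discovery run, while the generic SNMP credential stays shared across the hosts where it actually works.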


Before starting the discovery process, credentials need to be defined and then associated to specific IP addresses.


Define Credentials
  1. Log into your Supervisor node.
  2. Go to Admin > Setup Wizard > Discovery.
  3. Under Enter Credentials, click Add.
  4. Enter a Name for the credential.
  5. Select a Device Type to associate with the credential.
  6. Select the Access Protocol for which you want to enter credentials.

Note that the Device Type selection determines which Access Protocols are available. Change the default destination ports only if needed.

  7. Choose the Password Configuration method:
    1. Manual means that you define the credentials in FortiSIEM.
    2. CyberArk means that FortiSIEM fetches the credentials from CyberArk.
  8. If you chose Manual, enter the credentials required for the Access Protocol.
  9. If you chose CyberArk, specify the CyberArk parameters:
    1. AppID must be set to FortiSIEM.
    2. Specify Safe, Folder, Object: the CyberArk Vault Safe, Folder and Object where the credential is defined.
    3. Specify User Name: the User Name of the credential.
    4. Specify Platform (Policy ID): the platform-related property of the credential. Specify this only if this property is also set in CyberArk. The match is case sensitive.
    5. Specify Database: a property of database credentials. Specify this only if this property is also set in CyberArk. The match is case sensitive.
    6. Check Include Address for Query: if checked, FortiSIEM queries the CyberArk credential by IP or host name. Specify this if CyberArk credential objects are keyed by IP.
  10. Click Save. The credentials you created will be added to the list.
Specify Device to Credential Mapping
  1. Under Enter IP Range to Credential Associations, click Add.
  2. Select the credential you just created from the list.

Note that you can add multiple credentials to the same IP/host information in this step by clicking +.

  3. Enter an IP address, IP range, or Host Name to associate with the credential.
Test Connectivity

You need to perform a Test Connectivity to make sure that the credentials are correct.

  1. Select the IP/credential association you just created, and click Test Connectivity. A ping will be performed first to make sure that the host is alive. If ping is disabled in your network, then choose Test Connectivity without ping.

A dialog will show you the results of your connectivity tests. Note that the connectivity tests can take several minutes, so you may want to use the Run in Background option.
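Test Connectivity, and the discovery error causes listed under Discovering Devices (host not answering ping, SNMP or WMI blocked by a firewall or not running, wrong SNMP/WMI credentials), can also be checked from a shell on the Supervisor or a Collector before you associate credentials. The script below is an added example, not FortiSIEM's own tooling; it uses iputils ping, netcat and net-snmp's snmpget with their documented options, and reports any tool that is not installed as "skipped" rather than as a failure. The SNMP community string is a placeholder to be replaced with the one from your SNMP credential.

```shell
#!/bin/sh
# Added example (not FortiSIEM's own tooling): pre-flight reachability check
# for a host you are about to associate credentials with.
# Assumptions: iputils ping, nc and snmpget are the tools available; any that
# is missing is reported as "skipped". The community string is a placeholder.

# ICMP reachability. FortiSIEM pings before a full discovery, so "fail" here
# means the host will be skipped unless you use Test Connectivity without ping.
check_ping() {
    command -v ping >/dev/null 2>&1 || { echo skipped; return; }
    if ping -c 1 -W 1 "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# TCP reachability of one port. TCP 135 (RPC endpoint mapper) is the first
# connection WMI makes, so "closed" there means a firewall or a stopped service.
check_tcp() {
    command -v nc >/dev/null 2>&1 || { echo skipped; return; }
    if nc -z -w 2 "$1" "$2" >/dev/null 2>&1; then echo open; else echo closed; fi
}

# SNMP v2c GET of sysDescr.0 with the community the credential will use.
# A timeout means the agent is filtered/not listening or the community is
# wrong; SNMP agents do not answer a bad community, so the wire looks the same.
check_snmp() {
    command -v snmpget >/dev/null 2>&1 || { echo skipped; return; }
    if snmpget -v2c -c "$2" -t 2 -r 0 "$1" 1.3.6.1.2.1.1.1.0 >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# One summary line per host, e.g. "10.1.1.10 ping=ok wmi_tcp135=closed snmp=fail".
precheck_host() {
    host="$1"
    community="${2:-CHANGE_ME}"   # placeholder; take the real value from the SNMP credential
    printf '%s ping=%s wmi_tcp135=%s snmp=%s\n' "$host" \
        "$(check_ping "$host")" \
        "$(check_tcp "$host" 135)" \
        "$(check_snmp "$host" "$community")"
}

# Stand-alone use: sh precheck.sh <host> [community]
if [ "$#" -gt 0 ]; then
    precheck_host "$1" "${2:-CHANGE_ME}"
fi
```

Read the line the way the Errors screen would: ping=fail means fix reachability first; wmi_tcp135=closed on a Windows host points at a firewall or the WMI setup described under Configuring External Systems; snmp=fail with ping=ok usually means a wrong community or an agent that is not listening. Only associate the WMI or SNMP credential with hosts whose line shows the protocol answering, which keeps the timeout cost described under Setting Access Credentials for Device Discovery down.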


FortiSIEM Setting up CyberArk

Setting up CyberArk

This section specifies how FortiSIEM can be configured to fetch credentials from CyberArk.

Installing CyberArk Provider in FortiSIEM
  1. Log in to FortiSIEM as root.
  2. Run the rpm command to begin the installation:

The installation runs automatically and does not require any interactive response from the user. When the installation is complete, the following message appears: “Installation process completed successfully.”

Configuring CyberArk Provider in FortiSIEM
  1. Log in as root.
  2. Open the Vault.ini file and specify the parameters of the Vault that will be accessed by the Provider.
  3. Run CreateCredFile to create a credential file for the administrative user that will create the Vault environment during installation.
  4. Check the log file /var/tmp/aim-install-logs/CreateEnv.log to make sure that the Provider environment was created successfully.
  5. Start the CyberArk Application Password Provider service manually as a privileged user.
  6. Run ldconfig.
Configuring CyberArk for communication with FortiSIEM
  1. Log in to the CyberArk Password Vault Web Access (PVWA) interface as a user allowed to manage applications (this requires the Manage Users authorization).
  2. Add FortiSIEM as an Application
    1. Go to Applications and click Add Application.
    2. Set Name to FortiSIEM
    3. In the Description, specify a short description of the application that will help you identify it (e.g. FortiSIEM SIEM)
    4. In the Business owner section, specify contact information about the application’s Business owner.
    5. In the lowest section, specify the Location of the application in the Vault hierarchy. If a Location is not selected, the application will be added in the same Location as the user who is creating this application.
    6. Click Add; the application is added and is displayed in the Application Details page.
  3. Check Allow extended authentication restrictions; this enables you to specify an unlimited number of machines and Windows domain OS users for a single application.
  4. Specify the application's (FortiSIEM) Authentication. This information enables the Credential Provider to check certain application characteristics before retrieving the application password.
    1. In the Authentication tab, click Add; a drop-down list of authentication characteristics is displayed.
    2. Specify the OS user as “admin” and Click
    3. Specify the application path as “/opt/phoenix/bin”. Make sure the Path is folder and Allow internal scripts to request credentials… check boxes are checked.
    4. Do not specify a hash.
    5. In the Allowed Machines tab, click Add and specify the IP/host name of the FortiSIEM Supervisor, Workers and Collectors.
  5. Authorize FortiSIEM to retrieve accounts.
    1. Go to Policies > Access Control (Safes).
    2. For every Safe, click Members.
    3. Click Add Safe Member.
    4. Search for FortiSIEM. An entry will already exist. Select that entry.
    5. Check Retrieve accounts.
    6. Click Add.

Now FortiSIEM should be ready to retrieve passwords from CyberArk via Test Connectivity and Discovery.