
FortiSIEM Application Performance Reports

Application Performance Reports

Performance: Top Oracle Database servers by buffer cache hit ratio: Ranks the Oracle database servers by buffer cache hit ratio and presents other metrics

Performance: Top Oracle Database servers by table space usage: Ranks the Oracle databases by table space usage

Performance: Top MS SQL Database servers by buffer cache hit ratio: Ranks the MS SQL Servers by buffer cache hit ratio and presents other metrics

Performance: Top MS SQL Database servers by space usage: Ranks the MS SQL Servers by space usage


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiSIEM Performance related Reports

Performance related

Network Performance Rules

 

Network Performance Reports

Top Routers Ranked By CPU Utilization: Ranks the routers by average cpu utilization over a window

Top Router Network Intf By Util, Error, Discards: Ranks the firewalls and their network interfaces by first average inbound and then by outbound interface utilization. The utilization is computed by accounting for the link bandwidth.

Top Routers By Memory Utilization: Ranks the firewalls by average memory utilization over a window

Top Firewalls By CPU Utilization: Ranks the firewalls by average cpu utilization over a window

Top Firewalls By Connection Count: Ranks the firewalls by average connection count over a window. The ratio of the connection count to the max connection count since startup is also provided. If the ratio is close to 1 and the firewall has been up for a long time, the firewall must be busy from a firewalled connection point of view.

Top Firewall Network Intf By Util, Error, Discards: Ranks the firewalls and their network interfaces by first average inbound and then by outbound interface utilization. The utilization is computed by accounting for the link bandwidth.

Top Firewalls By Memory Utilization: Ranks the firewalls by average memory utilization over a window

Server Performance Rules

 

Server Performance Reports

Top Windows Servers By CPU Util: Ranks the windows servers by average cpu utilization over a window

Top Windows Servers By Memory Util and swap rate: Ranks the devices by average memory utilization and swap rate

Least Loaded Windows Servers By CPU Util: Ranks the windows servers by average cpu utilization over a window

Top Windows Servers By Disk I/O Activity: Ranks the windows servers by average disk I/O utilization over a window. This requires WMI.

Top Windows Servers By Disk Space Util: Ranks the devices by average system disk utilization over a window

Top Unix Devices By CPU Util: Ranks the devices by average cpu utilization

Top Unix Devices By Memory Util and Swap Rate: Ranks the unix devices by average memory utilization over a window and provides details of memory utilization components such as buffered and cached memory

Top Unix Devices By Disk Space Util: Ranks the devices by average system disk utilization over a window

Top Unix Servers By Disk I/O Activity: Ranks the unix servers by average disk I/O utilization over a window

Virtualization Performance Rules

 

Virtualization Performance Reports

VM level

Performance: Top VMs By CPU Utilization: This report ranks virtual machines by cpu utilization

Performance: Top VMs By CPU Utilization With Details: This report ranks virtual machines by cpu utilization. Other CPU usage metrics are included.

Performance: Top VMs By CPU Ready Pct: This report ranks virtual machines by CPU ready percent. A high number indicates the VM is starved of CPU

Performance: Least utilized VMs By CPU: This report ranks virtual machines in the descending order of cpu utilization

Performance: Top VMs By Memory Utilization With Details: This report ranks virtual machines by memory utilization. Other memory usage metrics are included.

Performance: Top VMs By Swap Activity: This report ranks virtual machines by swapping activity

Performance: Top VMs By Memory Utilization: This report ranks virtual machines by memory utilization

Performance: Top VMs By Disk I/O Activity With Details: This report ranks virtual machines by disk I/O activity. Other disk I/O usage metrics are included.

Performance: Top VMs By Disk I/O Read Latency: This report ranks virtual machines by disk I/O latency

Performance: Top VMs By Disk I/O Write Latency: This report ranks virtual machines by disk I/O latency

Performance: Top VMs By Disk I/O Read Volume (MBps): This report ranks virtual machines by disk I/O read (MBps)

Performance: Top VMs By Disk I/O Write Volume (MBps): This report ranks virtual machines by disk I/O writes (MBps)

 

Performance: Top VMs By Datastore I/O Activity With Details: This report ranks virtual machines by datastore I/O activity. Other datastore I/O usage metrics are included.

Performance: Top VMs By Datastore I/O Read Latency: This report ranks virtual machines by datastore I/O latency

Performance: Top VMs By Datastore I/O Write Latency: This report ranks virtual machines by datastore I/O latency

Performance: Top VMs By Datastore I/O Read Volume (MBps): This report ranks virtual machines by datastore I/O read (MBps)

Performance: Top VMs By Datastore I/O Write Volume (MBps): This report ranks virtual machines by datastore I/O writes (MBps)

ESX level

Performance: Top ESX Hosts By CPU Utilization: This report ranks ESX hosts by aggregate cpu utilization. Other CPU usage metrics are included.

Performance: Top ESX Hosts By Memory Utilization With Details: This report ranks ESX hosts by memory utilization. Other memory usage metrics are included.

Performance: Top ESX Hosts By Memory Utilization: This report ranks ESX hosts by memory utilization.

Performance: Top ESX Hosts By Swap Activity: This report ranks ESX hosts by swap activity

Performance: ESX Hosts With Ballooning Memory: This report identifies ESX hosts with low enough memory that the memory ballooning technique is used for memory management

Performance: ESX Hosts With Swapping Memory: This report identifies ESX hosts with low memory where swapping memory technique is used for memory management

Performance: Top ESX Hosts By Disk I/O Activity With Details: This report ranks ESX hosts by disk I/O operations. Other disk I/O usage metrics are included.

Performance: Top ESX Hosts By Disk I/O Read Volume (MBps): This report ranks ESX hosts by read disk I/O (MBps)

Performance: Top ESX Hosts By Disk I/O Write Volume (MBps): This report ranks ESX hosts by write disk I/O (MBps)

Performance: Top ESX Hosts By Disk I/O Latency With Details: This report ranks ESX hosts by disk I/O latency. Other disk I/O usage metrics are included.

Performance: Top ESX Hosts By Kernel Disk I/O Read Latency: This report ranks ESX hosts by kernel disk I/O read latency.

Performance: Top ESX Hosts By Kernel Disk I/O Write Latency: This report ranks ESX hosts by kernel disk I/O write latency.

Performance: Top ESX Hosts By Device Disk I/O Read Latency: This report ranks ESX hosts by device disk I/O read latency.

Performance: Top ESX Hosts By Device Disk I/O Write Latency: This report ranks ESX hosts by device disk I/O write latency.

Performance: Top ESX Hosts By Network Activity With Details: This report ranks ESX hosts by network activity.

Performance: Top ESX Hosts By Inbound Network Utilization: This report ranks ESX hosts by inbound network utilization

Performance: Top ESX Hosts By Outbound Network Utilization: This report ranks ESX hosts by outbound network utilization

Performance: Datastores with Highest Utilization: This report ranks ESX hosts by datastore utilization

Performance: Datastores with Lowest Free Space: This report ranks ESX datastore with lowest free space

Performance: Top ESX Hosts By Datastore I/O Activity With Details: This report ranks ESX hosts by datastore I/O operations. Other datastore I/O usage metrics are included.

Performance: Top ESX Hosts By Datastore I/O Read Volume (MBps): This report ranks ESX hosts by read datastore I/O (MBps)

Performance: Top ESX Hosts By Datastore I/O Write Volume (MBps): This report ranks ESX hosts by write datastore I/O (MBps)

Performance: Top ESX Hosts By Datastore I/O Latency With Details: This report ranks ESX hosts by datastore I/O latency. Other datastore I/O usage metrics are included.

Performance: Top ESX Hosts By Kernel Datastore I/O Read Latency: This report ranks ESX hosts by kernel datastore I/O read latency.

Performance: Top ESX Hosts By Kernel Datastore I/O Write Latency: This report ranks ESX hosts by kernel datastore I/O write latency.

Performance: Top ESX Hosts By Device Datastore I/O Read Latency: This report ranks ESX hosts by device datastore I/O read latency

Performance: Top ESX Hosts By Device Datastore I/O Write Latency: This report ranks ESX hosts by device datastore I/O write latency.

Cluster level

Performance: Top VMWare Clusters By CPU Utilization: This report ranks VMWare clusters by CPU utilization

Performance: Top VMWare Clusters By Memory Utilization: This report ranks VMWare clusters by memory utilization

Performance: Top VMWare Clusters By Device Datastore Read Latency: This report ranks VMWare clusters by datastore read latency

Performance: Top VMWare Clusters By Device Datastore Write Latency: This report ranks VMWare clusters by datastore write latency

Performance: Top VMWare Clusters By Datastore I/O Activity With Details: This report ranks VMWare Clusters by datastore I/O operations. Other datastore I/O usage metrics are included.

Performance: Top VMWare Clusters By Datastore I/O Read Volume (MBps): This report ranks ESX hosts by read datastore I/O (MBps)

Performance: Top VMWare Clusters By Datastore I/O Write Volume (MBps): This report ranks ESX hosts by write datastore I/O (MBps)

Performance: Top VMWare Clusters By Datastore I/O Latency With Details: This report ranks ESX hosts by datastore I/O latency. Other datastore I/O usage metrics are included.

Performance: Top VMWare Clusters By Kernel Datastore I/O Read Latency: This report ranks ESX hosts by kernel datastore I/O read latency.

Performance: Top VMWare Clusters By Kernel Datastore I/O Write Latency: This report ranks ESX hosts by kernel datastore I/O write latency.

Performance: Least Utilized VMWare Clusters By CPU: This report ranks least utilized VMWare clusters by CPU utilization

Performance: Least Utilized VMWare Clusters By Memory: This report ranks least utilized VMWare clusters by memory utilization

Performance: Least Utilized VMWare Clusters By Device Datastore Read Latency: This report ranks least utilized VMWare clusters by datastore read latency

Performance: Least Utilized VMWare Clusters By Device Datastore Write Latency: This report ranks least utilized VMWare clusters by datastore write latency

Performance: Least Utilized VMWare Clusters By Disk I/O Read Volume (MBps): This report ranks least utilized VMware clusters by disk I/O read (MBps)

Performance: Least Utilized VMware Clusters By Disk I/O Write Volume (MBps): This report ranks least utilized VMWare clusters by disk I/O write volume (MBps)

Resource pool level

Performance: Top VMWare Resource Pools By CPU Utilization: This report ranks VMWare resource pools by CPU utilization

Performance: Top VMWare Resource Pools By Memory Utilization: This report ranks least utilized VMWare resource pools by memory utilization



FortiSIEM Compliance related Reports

Compliance related

PCI

COBIT

SOX

HIPAA

PCI

PCI 1.x: Top Reporting Firewalls By Event Count: Ranks the firewalls by the number of events sent

PCI 1.x: Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.

PCI 1.x: Router Config Changes Detected From Log: This report provides details about router config changes

PCI 1.x: Router Run vs Startup Config Difference Via Login: This report captures detected differences between a router's running and startup config

PCI 1.x: Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a firewall’s running and startup config

PCI 1.x: Router/Switch Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.

PCI 1.x: Router Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.

PCI 1.x: Firewall Admin Activity Details: Provides details about firewall admin activity – logons, command executions and logoff

PCI 1.x: Router Admin Activity Details: Provides details about router admin activity – logons, command executions and logoff

PCI 1.x: Firewall NAT Translations: This report captures the NAT translations over a time window

PCI 1.x: Top Firewalls and Outbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service

PCI 1.x: Top Firewalls and Inbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service

PCI 1.x: Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls – these services may pose security risk

PCI 1.x: Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web

PCI 1.x: Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – vulnerable services include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445), MS-SQL (1433,1434), FTP (23), TELNET (21)

PCI 1.x: Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall originated or destined connections – these connections would typically be for administrative and monitoring purposes

PCI 5.x: Top Reporting Security Management Servers:

PCI 1.x: Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy

PCI 5.x: Spyware found but not remediated by Host Antivirus:

PCI 5.x: Top hosts with Malware found by Host Antivirus:

PCI 5.x: Top IPs with Malware Found By IPS and Firewalls: Tracks IP addresses with Malware as found by IPS

PCI 5.x: Top IPs with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

PCI 5.x: Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.

PCI 8.x,10.x: Detailed Successful Login At PCI Device: Captures detailed successful logins at any device or application including servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications

PCI 8.x: Windows Server Account Lockouts: This report captures account lockouts on windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation

PCI 8.x: Windows Domain Account Lockouts: This report details windows domain account lockouts

PCI 8.x: Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

PCI 8.x: Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

PCI 8.x: Server Password Changes: Tracks password changes

PCI 8.x: Local Windows User Accounts Created: This report captures user accounts added on a server

PCI 8.x: Local Windows User Accounts Deleted: This report captures user accounts removed from a server

PCI 8.x: Local Windows User Accounts Modified: This report captures local user account modifications.

PCI 8.x: Users Added To Local Groups: This report captures users added to local groups.

PCI 8.x: Users Added To Global Groups: This report captures users added to global or universal groups.

PCI 8.x: Users Deleted From Local Groups: This report captures users deleted from local groups.

PCI 8.x: Users Deleted From Global Groups: This report captures users deleted from global or universal groups.

PCI 8.x: Local Windows Groups Deleted: This report captures local group deletions

PCI 8.x: Local Windows Groups Modified: This report captures local group modifications

PCI 8.x: Local Windows Groups Created: This report captures local group creations

PCI 8.x: Global Windows Groups Created: This report captures global group creations

PCI 8.x: Global Windows Groups Deleted: This report captures global group deletions

PCI 8.x: Global Windows Groups Modified: This report captures global group modifications

PCI 10.x: Detailed Failed Login At PCI System: Captures detailed failed logins at any device or application – servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications

PCI 10.x: Privileged Windows Server Logon Attempts using the Administrator Account: This report details privileged logon attempts to a Windows server using the Administrator account

PCI 10.x: Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections

PCI 10.x: Unix Server Privileged Logon: This report details UNIX server privileged logon (su) details with all parsed parameters and raw logs

PCI 10.x: Unix Server Privileged Command Execution: This report details privileged command executions (sudo) at a Unix server

PCI 10.x: Successful Firewall Admin Logon Details: Details about successful firewall logons

PCI 10.x: Failed Firewall Admin Logon Details: Details about failed firewall logons

PCI 10.x: Successful Router Admin Logon Details: Details about successful router logons

PCI 10.x: Failed Router Admin Logon Details: Details about failed router logons

PCI 10.x: Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

PCI 10.x: Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

PCI 10.x: Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

PCI 10.x: Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller

PCI 10.x: Network Device Down/Restart: Tracks network device down and restart events

PCI 10.x: Server Down/Restart: Tracks server down and restart events

PCI 10.x: Application Down/Restart: Tracks application stop and start events

PCI 10.x: Network Device Link Module Down/Up: Tracks network device miscellaneous module (e.g. fan, power etc.) down/up events

PCI 10.x: Network Device Errors: Tracks errors reported by network device

COBIT

COBIT AI2.4: Successful Database Server Logon Details: Captures successful database server logons

COBIT AI2.4: Failed Database Server Logon Details: Captures failed database server logons

COBIT AI2.4: Top App Servers By Current Uptime: Ranks App servers by current uptime (i.e. time since last reboot)

COBIT AI2.5: Server Installed Software Changes: This report captures detected installed software changes

COBIT DS3.x: Top Devices By CPU Util: Ranks the devices by average cpu utilization over a window

COBIT DS3.x: Top Devices By Memory Util: Ranks the devices by average memory utilization over a window

COBIT DS3.x: Top Devices By Disk Util: Ranks the devices by average system disk utilization over a window

COBIT DS3.x: Top Firewalls By Connections: Ranks the firewalls by average connection count over a window. The ratio of the connection count to the max connection count since startup is also provided. If the ratio is close to 1 and the firewall has been up for a long time, the firewall must be busy from a firewalled connection point of view.

COBIT DS3.x: Top Device Intf By Util, Error, Discards: Ranks the devices and their network interfaces by first average inbound and then by outbound interface utilization. The utilization is computed by accounting for the link bandwidth.

COBIT DS3.x: Top Server Apps By CPU, Mem Util: Ranks the server processes by first average cpu utilization and then by memory utilization over a window

COBIT DS3.x: Top Network Device Processes By CPU, Mem Util: Ranks the host processes by average cpu utilization over a window

COBIT DS3.x: Top App Servers By CPU Usage With Other Performance Metrics: Ranks App servers by the amount of CPU usage; this report also provides details on other performance aspects such as memory, threads and classes

COBIT DS3.x: All devices under performance monitoring: Captures all devices under performance monitoring

COBIT DS4.x: Device Ping Monitor Statistics: Tracks the PING response times and packet loss for the monitored devices

COBIT DS4.x: Network Device Down/Restart: Tracks network device down and restart events

COBIT DS4.x: Server Down/Restart: Tracks server down and restart events

COBIT AI2.4,DS4.x: Application Down/Restart: Tracks application stop and start events

COBIT DS4.x: Network Device Failover: Tracks network device failovers

COBIT DS4.x: Network Device Interface Down/Up: Tracks network device interface down and up events

COBIT AI2.4,DS4.x: Server Interface Down/Up: Tracks server network interface down and up events

COBIT DS4.x: Network Device License Expiry: Tracks network device license expiry events

COBIT DS4.x: Application License Expiry: Tracks application license expiry events

COBIT DS4.x: Network Device Link Module Down/Up: Tracks network device miscellaneous module (e.g. fan, power etc.) down/up events

COBIT DS4.x: Top Network Devices, Errors By Count: Ranks network devices by reported error count

COBIT DS4.x: Top Devices by Accumulated Downtime: Ranks the devices by total system downtime over the last week

COBIT AI2.4,DS4.x: Top Applications By Response Time: Ranks the services by average application level probe response times

COBIT DS5.4: Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

COBIT DS5.4: Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

COBIT DS5.4: Server Password Changes: Tracks password changes

COBIT DS5.4: Local Windows User Accounts Created: This report captures user accounts added on a server

COBIT DS5.4: Local Windows User Accounts Deleted: This report captures user accounts removed from a server

COBIT DS5.4: Local Windows User Accounts Modified: This report captures local user account modifications.

COBIT DS5.4: Users Added To Local Windows User Groups: This report captures users added to local groups.

COBIT DS5.4: Users Added To Global Windows User Groups: This report captures users added to global or universal groups.

COBIT DS5.4: Users Deleted From Local Windows User Groups: This report captures users deleted from local groups.

COBIT DS5.4: Users Deleted From Global Windows User Groups: This report captures users deleted from global or universal groups.

COBIT DS5.4: Local Windows Groups Deleted: This report captures local group deletions

COBIT DS5.4: Local Windows Groups Modified: This report captures local group modifications

COBIT DS5.4: Local Windows Groups Created: This report captures local group creations

COBIT DS5.4: Global Windows Groups Created: This report captures global group creations

COBIT DS5.4: Global Windows Groups Deleted: This report captures global group deletions

COBIT DS5.4: Global Windows Groups Modified: This report captures global group modifications

COBIT DS5.4: Unix Users Added To Group: Tracks user additions to groups

COBIT DS5.4: Unix User Password Changed: Tracks password changes

COBIT DS5.5: Privileged Windows Server Logon Attempts using the Administrator Account: This report details privileged logon attempts to a Windows server using the Administrator account

COBIT DS5.5: Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections

COBIT DS5.5: Unix Server Privileged Logon: This report details UNIX server privileged logon (su) details with all parsed parameters and raw logs

COBIT DS5.5: Unix Server Privileged Command Execution: This report details privileged command executions (sudo) at a Unix server

COBIT DS5.5: Successful Firewall Admin Logon Details: Details about successful firewall logons

COBIT DS5.5: Failed Firewall Admin Logon Details: Details about failed firewall logons

COBIT DS5.5: Successful Router Admin Logon Details: Details about successful router logons

COBIT DS5.5: Failed Router Admin Logon Details: Details about failed router logons

COBIT DS5.5: Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

COBIT DS5.5: Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

COBIT DS5.5: Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

COBIT DS5.5: Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller

COBIT DS5.6: Top Incidents Ranked By Severity, Count: Ranks the incidents by first their severity and then by their count.

COBIT DS5.6: All Availability Incidents: Captures the availability incidents

COBIT DS5.6: Performance Incidents: Captures the performance related incidents

COBIT DS5.6: Security Incidents: Captures the security related incidents

COBIT DS5.9: Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy

COBIT DS5.9: Spyware found but not remediated by Host Antivirus:

COBIT DS5.9: Top Hosts with Malware found by Host Antivirus:

COBIT DS5.9: Top Hosts with Malware Found By Network IPS and Firewalls: Tracks IP addresses with Malware as found by IPS

COBIT DS5.9: Top Hosts with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

COBIT DS5.9: Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.

COBIT DS5.10: Top Firewalls and Permitted Outbound Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service

COBIT DS5.10: Top Firewalls and Permitted Inbound Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service

COBIT DS5.10: Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls – these services may pose security risk

COBIT DS5.10: Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web

COBIT DS5.10: Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – vulnerable services include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445), MS-SQL (1433,1434), FTP (23), TELNET (21)

COBIT DS5.10: Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall originated or destined connections – these connections would typically be for administrative and monitoring purposes

COBIT DS5.10: Top Blocked Internal Sources, Services, Destinations: Ranks blocked internal sources, services and destinations by connection count

COBIT DS5.10: Top Blocked Internal Destinations, Services Ranked By Connection Count: Ranks blocked internal destinations and services by connection count

COBIT DS5.10: Top Network IPS events By Severity, Count: Ranks the network IPS events by count

COBIT DS5.10: Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events

COBIT DS5.10: Top Blocked Network Attacks By Count: Ranks the network attacks blocked by network IPS

COBIT DS5.10: Top Web Users By Uncommon HTTP Method Connections: Ranks web users by uncommon HTTP methods used

COBIT DS5.10: Top Web Users By HTTP POST Exchanged Bytes: Ranks web clients by HTTP POST byte count – can catch malware sending confidential information out

COBIT DS5.10: Top Visited Web Sites And Categories By Connections: Ranks (successfully) visited web sites and categories by the number of connections

COBIT DS5.10: Top Denied Web Sites And Categories By Connections: Ranks web sites and categories that were denied by policy, by the number of connections

COBIT DS5.10: Top Web Users, Denied Sites And Categories By Connections: Ranks users, web sites and categories that were denied by policy, by the number of connections

COBIT DS5.10: Top Inbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason for denial is the gateway being included in blacklists.

COBIT DS5.10: Top Inbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is often the gateway being included in mail blacklists.

COBIT DS5.10: Filtered Inbound Spam Count: Counts total inbound spam denied by spam filtering policy

COBIT DS5.10: Top Outbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason for denial is the gateway being included in blacklists.

COBIT DS5.10: Top Outbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is often the gateway being included in mail blacklists.

COBIT DS5.10: Filtered Outbound Spam Count: Counts total outbound spam denied by policy

COBIT DS5.10: Total Denied Web Connections By Policy: Counts denied web site connections because of policy violations

COBIT DS5.10: Top Mail Security Gateway Actions By Count: Ranks the actions taken by the mail security gateway – actions include blocking an inbound/outbound mail gateway because of RBL or other SMTP violations, blocking a mail because of spam or other policy violations and delivering a mail

COBIT DS9.x: Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.

COBIT DS9.x: Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a routers running and startup config

COBIT DS9.x: Router/Switch Config Changes Detected Via Login: This report captures detected startup or running config changes the changes are detected by logging into the device and hence is accurate.

COBIT DS9.x: Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a routers running and startup config

SOX

SOX (AI2.4): Successful Database Server Logons: Captures successful database server logons

SOX (AI2.4): Failed Database Server Logons: Captures failed database server logons

SOX (AI2.4,DS4.x): Top Applications By Response Time: Ranks the services by average application level probe response times

SOX (AI2.4): Top App Servers By Current Uptime: Ranks App servers by current uptime (i.e. time since last reboot)

SOX (AI2.4,DS4.x): Application Down/Restart: Tracks application stop and start events

SOX (AI2.4,DS4.x): Server Interface Down/Up: Tracks server network interface down and up events

SOX (AI2.5): Server Installed Software Changes: This report captures detected installed software changes

SOX (DS3.x): Top Devices By CPU Util: Ranks the devices by average cpu utilization over a window

SOX (DS3.x): Top Devices By Memory Util: Ranks the devices by average memory utilization over a window

SOX (DS3.x): Top Devices By Disk Util: Ranks the devices by average system disk utilization over a window

SOX (DS3.x): Top Firewalls By Connections: Ranks the firewalls by average connection count over a window. The ratio of the connection count to the max connection count since startup is also provided. If the ratio is close to 1 and the firewall has been up for a long time, the firewall is busy from a firewalled-connection point of view.

SOX (DS3.x): Top Device Intf By Util, Error, Discards: Ranks the devices and their network interfaces by first average inbound and then by outbound interface utilization. The utilization is computed by accounting for the link bandwidth.

SOX (DS3.x): Top Server Apps By CPU, Mem Util: Ranks the server processes by first average cpu utilization and then by memory utilization over a window

SOX (DS3.x): Top Network Device Processes By CPU, Mem Util: Ranks the network device processes by first average CPU utilization and then by memory utilization over a window

SOX (DS3.x): Top App Servers By CPU Usage With Other Performance Metrics: Ranks App servers by CPU usage; the report also provides details on other performance aspects such as memory, threads and classes

COBIT DS5.6: All Availability Incidents: Captures the availability incidents

SOX (DS5.6): Performance Incidents: Captures the performance related incidents

SOX (DS3.x): All devices under performance monitoring: Captures all devices under performance monitoring

SOX (DS5.4): Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

SOX (DS5.4,PCI1.x): Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

SOX (DS5.4,PCI1.x): Server Password Changes: Tracks password changes

SOX (DS5.4,PCI1.x): Local Windows User Accounts Created: This report captures user accounts added on a server

SOX (DS5.4,PCI1.x): Local Windows User Accounts Deleted: This report captures user accounts removed from a server

SOX (DS5.4,PCI1.x): Local Windows User Accounts Modified: This report captures local user account modifications.

SOX (DS5.4,PCI1.x): Users Added To Local Windows User Groups: This report captures users added to local groups.

SOX (DS5.4): Users Added To Global Windows User Groups: This report captures users added to global or universal groups.

SOX (DS5.4,PCI1.x): Users Deleted From Local Windows User Groups: This report captures users deleted from local groups.

SOX (DS5.4,PCI1.x): Users Deleted From Global Windows User Groups: This report captures users deleted from global or universal groups.

SOX (DS5.4,PCI1.x): Local Windows Groups Deleted: This report captures local group deletions

SOX (DS5.4,PCI1.x): Local Windows Groups Modified: This report captures local group modifications

SOX (DS5.4,PCI1.x): Local Windows Groups Created: This report captures local group creations

SOX (DS5.4,PCI1.x): Global Windows Groups Created: This report captures global group creations

SOX (DS5.4,PCI1.x): Global Windows Groups Deleted: This report captures global group deletions

SOX (DS5.4,PCI1.x): Global Windows Groups Modified: This report captures global group modifications

SOX (DS5.4,PCI1.x): Unix Users Added To Group: Tracks user additions to groups

SOX (DS5.4,PCI1.x): Unix User Password Changed: Tracks password changes

SOX (DS5.5,PCI1.x): Privileged Windows Server Logon Attempts using the Administrator Account: This report details privileged logon attempts to a Windows server using the Administrator account

SOX (DS5.5,PCI1.x): Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections

SOX (DS5.5,PCI1.x): Unix Server Privileged Logon: This report details UNIX server privileged logons (su) with all parsed parameters and raw logs

SOX (DS5.5,PCI1.x): Unix Server Privileged Command Execution: This report details privileged command executions (sudo) on a Unix server

COBIT DS5.5: Successful Firewall Admin Logon Details: Details about successful firewall logons

COBIT DS5.5: Failed Firewall Admin Logon Details: Details about failed firewall logons

SOX (DS5.5,PCI1.x): Successful Router Admin Logon Details: Details about successful router logons

SOX (DS5.5,PCI1.x): Failed Router Admin Logon Details: Details about failed router logons

SOX (DS5.5,PCI1.x): Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

SOX (DS5.5,PCI1.x): Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

SOX (DS5.5,PCI1.x): Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

SOX (DS5.5,PCI1.x): Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller

SOX (DS5.6): Security Incidents: Captures the security related incidents

SOX (DS5.9): Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy

SOX (DS5.9): Spyware found but not remediated by Host Antivirus: Captures events that indicate the spyware that Host Antivirus found but failed to remedy

SOX (DS5.9): Top Hosts with Malware found by Host Antivirus: Ranks hosts by the malware found on them by Host Antivirus

SOX (DS5.9): Top Hosts with Malware Found By Network IPS and Firewalls: Tracks IP addresses with Malware as found by network IPS and firewalls

SOX (DS5.9): Top Hosts with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

SOX (DS5.9): Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.

SOX (DS5.10): Top Firewalls and Permitted Outbound Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service

SOX (DS5.10): Top Firewalls and Permitted Inbound Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service

SOX (DS5.10): Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls; these services may pose a security risk

SOX (DS5.10): Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web

SOX (DS5.10): Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks vulnerable low-port services permitted by firewalls; vulnerable services include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445), MS-SQL (1433,1434), as well as FTP (21) and TELNET (23)

SOX (DS5.10): Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall originated or destined connections; these connections would typically be for administrative and monitoring purposes

SOX (DS5.10): Top Blocked Internal Sources, Services, Destinations: Ranks blocked internal sources, services and destinations by connection count

SOX (DS5.10): Top Blocked Internal Destinations, Services Ranked By Connection Count: Ranks blocked internal destinations and services by connection count

SOX (DS5.10): Top Network IPS events By Severity, Count: Ranks the network IPS events by first their severity and then by their count

SOX (DS5.10): Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events

SOX (DS5.10): Top Blocked Network Attacks By Count: Ranks the network attacks blocked by network IPS

SOX (DS5.10): Top Web Users By Uncommon HTTP Method Connections: Ranks web users by uncommon HTTP methods used

SOX (DS5.10): Top Web Users By HTTP POST Exchanged Bytes: Ranks web clients by HTTP POST byte count; can catch malware sending confidential information out

SOX (DS5.10): Top Visited Web Sites And Categories By Connections: Ranks (successfully) visited web sites and categories by the number of connections

SOX (DS5.10): Top Denied Web Sites And Categories By Connections: Ranks web sites and categories that were denied by policy, by the number of connections

SOX (DS5.10): Top Web Users, Denied Sites And Categories By Connections: Ranks users, web sites and categories that were denied by policy, by the number of connections

SOX (DS5.10): Top Inbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason of denial is often the gateway being included in blacklists.

SOX (DS5.10): Top Inbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is often the gateway being included in mail blacklists.

SOX (DS5.10): Filtered Inbound Spam Count: Counts total inbound spam denied by spam filtering policy

SOX (DS5.10): Top Outbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason of denial is often the gateway being included in blacklists.

SOX (DS5.10): Top Outbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is often the gateway being included in mail blacklists.

SOX (DS5.10): Filtered Outbound Spam Count: Counts total outbound spam denied by policy

SOX (DS5.10): Total Denied Web Connections By Policy: Counts denied web site connections because of policy violations

SOX (DS5.10): Top Mail Security Gateway Actions By Count: Ranks the actions taken by the mail security gateway – actions include blocking an inbound/outbound mail gateway because of RBL or other SMTP violations, blocking a mail because of spam or other policy violations and delivering a mail

SOX (DS9.x): Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes; the changes are detected by logging into the device and are therefore accurate.

SOX (DS9.x): Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a firewall's running and startup config

SOX (DS9.x): Router/Switch Config Changes Detected Via Login: This report captures detected startup or running config changes; the changes are detected by logging into the device and are therefore accurate.

SOX (DS9.x): Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a router's running and startup config

HIPAA

HIPAA 164.308(a)(3): Server Password Changes: Tracks password changes

HIPAA 164.308(a)(3),164.312(a)(2): Local Windows User Accounts Created: This report captures user accounts added on a server

HIPAA 164.308(a)(3): Local Windows User Accounts Deleted: This report captures user accounts removed from a server

HIPAA 164.308(a)(3): Local Windows User Accounts Modified: This report captures local user account modifications.

HIPAA 164.308(a)(3): Users Added To Local Groups: This report captures users added to local groups.

HIPAA 164.308(a)(3): Users Added To Global Groups: This report captures users added to global or universal groups.

HIPAA 164.308(a)(3): Users Deleted From Local Groups: This report captures users deleted from local groups.

HIPAA 164.308(a)(3): Users Deleted From Global Groups: This report captures users deleted from global or universal groups.

HIPAA 164.308(a)(3): Local Windows Groups Deleted: This report captures local group deletions

HIPAA 164.308(a)(3): Local Windows Groups Modified: This report captures local group modifications

HIPAA 164.308(a)(3): Local Windows Groups Created: This report captures local group creations

HIPAA 164.308(a)(3): Global Windows Groups Created: This report captures global group creations

HIPAA 164.308(a)(3): Global Windows Groups Deleted: This report captures global group deletions

HIPAA 164.308(a)(3): Global Windows Groups Modified: This report captures global group modifications

HIPAA 164.308(a)(4): Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes; the changes are detected by logging into the device and are therefore accurate.

HIPAA 164.308(a)(4): Router Config Changes Detected Via Login: This report captures detected startup or running config changes; the changes are detected by logging into the device and are therefore accurate.

HIPAA 164.308(a)(4): Router Run vs Startup Config Difference Via Login: This report captures detected differences between a routers running and startup config

HIPAA 164.308(a)(4): Top Firewalls and Outbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service

HIPAA 164.308(a)(4): Top Firewalls and Inbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service

HIPAA 164.308(a)(4): Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls; these services may pose a security risk

HIPAA 1.x: Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web

HIPAA 164.308(a)(4): Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks vulnerable low-port services permitted by firewalls; vulnerable services include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445), MS-SQL (1433,1434), as well as FTP (21) and TELNET (23)

HIPAA 164.308(a)(4): Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall originated or destined connections; these connections would typically be for administrative and monitoring purposes
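The "Top Firewalls and Permitted ... Services By Connections, Bytes" reports listed above (the SOX DS5.10 entries and the HIPAA 164.308(a)(4) entries here) all rest on the same two steps: classify each permitted connection's destination port as common, uncommon, high-port or vulnerable-low-port, then aggregate per firewall and service and rank by connection count and then by bytes. The Python below is an added example, not FortiSIEM code, that implements that classification and ranking over a constructed CSV sample of permitted connections. The 1024 cut-off for "high port" and the CSV column names are assumptions; the vulnerable-port list is the one given in the report descriptions, with FTP on 21 and Telnet on 23.

```python
import csv
import io
from collections import defaultdict

# Port classes used by the "Permitted ... Services" report family above.
# The vulnerable low-port list is the one given in the report descriptions.
VULNERABLE_LOW_PORTS = {
    21: "FTP", 23: "TELNET", 135: "MS-RPC", 139: "NETBIOS-SSN",
    445: "MICROSOFT-DS", 1433: "MS-SQL", 1434: "MS-SQL-MON",
}
COMMON_PORTS = {53: "DNS", 25: "SMTP", 80: "HTTP", 443: "HTTPS"}
HIGH_PORT_START = 1024  # assumption: "high port" = registered/dynamic range

# Constructed sample of permitted firewall connections (not real logs).
SAMPLE_PERMITS = """\
firewall,direction,src,dst,proto,dport,bytes
fw-edge-1,outbound,10.1.1.5,203.0.113.10,tcp,443,52000
fw-edge-1,outbound,10.1.1.5,203.0.113.10,tcp,443,31000
fw-edge-1,outbound,10.1.1.7,198.51.100.4,tcp,23,800
fw-edge-1,inbound,198.51.100.9,10.1.2.20,tcp,445,120000
fw-edge-1,inbound,198.51.100.9,10.1.2.20,tcp,445,90000
fw-edge-1,inbound,198.51.100.9,10.1.2.20,tcp,445,70000
fw-edge-2,outbound,10.2.1.9,203.0.113.44,udp,53,300
fw-edge-2,outbound,10.2.1.9,203.0.113.44,udp,53,280
fw-edge-2,inbound,192.0.2.7,10.2.5.3,tcp,8443,40000
fw-edge-2,outbound,10.2.1.11,203.0.113.50,tcp,993,15000
"""


def classify_port(dport):
    """Map a destination port to the class the reports rank on."""
    if dport in VULNERABLE_LOW_PORTS:
        return "vulnerable-low"
    if dport in COMMON_PORTS:
        return "common"
    if dport >= HIGH_PORT_START:
        return "high"
    return "uncommon"


def service_name(proto, dport):
    """Well-known name where the tables have one, else PROTO/port."""
    name = VULNERABLE_LOW_PORTS.get(dport) or COMMON_PORTS.get(dport)
    return name or f"{proto.upper()}/{dport}"


def rank_permitted_services(csv_text, direction=None, port_class=None):
    """Aggregate permitted connections per (firewall, service) and rank by
    connection count, then by bytes. direction/port_class narrow the input
    the way each individual report in the family does."""
    totals = defaultdict(lambda: [0, 0])  # key -> [connections, bytes]
    for row in csv.DictReader(io.StringIO(csv_text)):
        dport = int(row["dport"])
        cls = classify_port(dport)
        if direction and row["direction"] != direction:
            continue
        if port_class and cls != port_class:
            continue
        key = (row["firewall"], service_name(row["proto"], dport), cls)
        totals[key][0] += 1
        totals[key][1] += int(row["bytes"])
    ranked = [(fw, svc, cls, conns, nbytes)
              for (fw, svc, cls), (conns, nbytes) in totals.items()]
    # most connections first, then most bytes; names only break exact ties
    ranked.sort(key=lambda r: (-r[3], -r[4], r[0], r[1]))
    return ranked


if __name__ == "__main__":
    for title, kwargs in [
        ("Permitted outbound services", {"direction": "outbound"}),
        ("Permitted vulnerable low-port services", {"port_class": "vulnerable-low"}),
        ("Permitted high-port services", {"port_class": "high"}),
    ]:
        print(title)
        for fw, svc, cls, conns, nbytes in rank_permitted_services(SAMPLE_PERMITS, **kwargs):
            print(f"  {fw:10} {svc:14} {cls:15} conns={conns:3} bytes={nbytes}")
```

On the sample, the vulnerable low-port view surfaces three inbound SMB (445) permits ahead of the single outbound Telnet permit, which is exactly the ordering the report family is designed to produce: the service that is both risky and busy comes first.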

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Detailed Successful Login At HIPAA Device: Captures detailed successful logins at any device or application including servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Detailed Failed Login At HIPAA System: Captures detailed failed logins at any device or application, including servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Successful Firewall Admin Logon Details: Details about successful firewall logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed Firewall Admin Logon Details: Details about failed firewall logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Successful Router Admin Logon Details: Details about successful router logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed Router Admin Logon Details: Details about failed router logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

HIPAA 10.x: Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Privileged Windows Server Logon Attempts using the Administrator Account: This report details privileged logon attempts to a Windows server using the Administrator account

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Successful Windows Server Logons: This report records successful windows server logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Failed Windows Server Logons: This report reports failed windows servers logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Successful Unix Server Logons: This report details successful unix server logons with all parsed fields and raw logs

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Failed Unix Server Logons: This report details failed unix server logons with all parsed fields and raw logs

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Unix Server Privileged Logon: This report details UNIX server privileged logons (su) with all parsed parameters and raw logs

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Unix Server Privileged Command Execution: This report details privileged command executions (sudo) on a Unix server

HIPAA 164.308(a)(5)(ii)(c): Windows Server Account Lockouts: This report captures account lockouts on windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation

HIPAA 164.308(a)(5)(ii)(c): Windows Server Account Unlocks: Captures account unlocks on windows servers. Account unlocks happen after lockouts that may happen on repeated login failures

HIPAA 164.308(a)(5): Server Password Changes: Tracks password changes

HIPAA 164.308(a)(6): Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy

HIPAA 164.308(a)(6): Spyware found but not remediated by Host Antivirus: Captures events that indicate the spyware that Host Antivirus found but failed to remedy

HIPAA 164.308(a)(6): Top hosts with Malware found by Host Antivirus: Ranks hosts by the malware found on them by Host Antivirus

HIPAA 164.308(a)(6): Top IPs with Malware Found By IPS and Firewalls: Tracks IP addresses with Malware as found by network IPS and firewalls

HIPAA 164.308(a)(6): Top IPs with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

HIPAA 164.308(a)(6): Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.

HIPAA 164.308(a)(6): Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events

HIPAA 164.308(a)(6): Top Blocked Network Attacks By Count: Ranks the network attacks blocked by network IPS

HIPAA 164.308(a)(6): Top Network IPS events (affecting HIPAA devices) Ranked By Severity, Count: Ranks the network IPS events affecting HIPAA devices by first their severity and then by their count

HIPAA 164.308(a)(6): Top System detected Security Incidents (affecting HIPAA devices) Ranked By Severity, Count: Ranks the security related incidents by first their severity and then by their count – restricted to HIPAA devices

HIPAA 164.312(a)(2): Successful VPN Logons: Captures successful VPN logons

HIPAA 164.312(a)(2): Failed VPN Logons: Captures failed VPN logons

HIPAA 164.312(a)(2): Successful Wireless Logons: Captures successful wireless logons

HIPAA 164.312(a)(2): Failed Wireless Logons: Captures failed wireless logons

HIPAA 164.312(a)(2): Successful Windows Domain Authentications: Captures successful domain authentications

HIPAA 164.312(a)(2): Failed Windows Domain Authentications: Captures failed domain authentications

HIPAA 164.312(a)(2): Successful Database Server Logons: Captures successful database server logons

HIPAA 164.312(a)(2): Failed Database Server Logons: Captures failed database server logons

HIPAA 164.312(b): Windows Audit Policy Changed: This report captures audit policy changes

HIPAA 164.312(b): All System Admin User Logon Attempts: Details all System Admin User Logon Attempts

HIPAA 164.312(b): System Operational Warnings: Detects system operational warnings, including license limits being reached and collectors going down



FortiSIEM Change management related reports

Change management related

Network Device Config Changes

Server Changes

Network Device Config Changes

Change: Router Configuration Changes Detected From Log: This report provides details about router config changes

Change: Router Run versus Startup Config Difference Via Login: This report captures detected differences between a router's running and startup config

Change: Router Config Changes Detected Via Login: This report captures detected configuration changes via login

WLAN Config Change: This report tracks all software, hardware and device configuration changes at WLAN Access Points and Base Stations. The report includes the Original Reporting Controller IP, the Event Type and the MAC address of the AP or Controller where the event happened. If the MAC address is empty, the event happened at the reporting Controller.

Change: Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a firewall's running and startup config

Change: Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes; the changes are detected by logging into the device and are therefore accurate.
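The "Run vs Startup Config Difference Via Login" and "Config Changes Detected Via Login" reports (here and in the COBIT, SOX and HIPAA lists above) compare configurations retrieved from the device itself. The Python below is an added example of that comparison step, not FortiSIEM's own collector code: two constructed IOS-style configs are normalised to drop lines that change on every retrieval, diffed, and the differences that touch accounts, privilege levels, ACLs or management access are pulled out for a reviewer. The volatile-line patterns, the sensitive-statement prefixes, the hostname and the `<hash>` placeholders are all assumptions made for the sample.

```python
import difflib
import re

# Lines that change on every retrieval without being an operator change.
# These patterns are assumptions chosen for the constructed sample below.
VOLATILE_LINE_PATTERNS = [
    re.compile(r"^! Last configuration change at "),
    re.compile(r"^! NVRAM config last updated at "),
    re.compile(r"^ntp clock-period "),
]

# Config statements whose change should be escalated rather than just listed
# (assumed list; extend per platform).
SENSITIVE_PREFIXES = ("username ", "enable secret", "access-list ", "ip access-list ",
                      "snmp-server community", "line vty", "transport input", "privilege ")

# Constructed IOS-style configs for a hypothetical device; "<hash>" stands in
# for a password hash and is not a real value.
STARTUP_CONFIG = """\
! Last configuration change at 10:02:11 UTC Mon Mar 4 2024
! NVRAM config last updated at 10:02:15 UTC Mon Mar 4 2024
hostname edge-rtr-1
username netops privilege 15 secret 5 <hash>
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
line vty 0 4
 transport input ssh
ntp clock-period 17180130
"""

RUNNING_CONFIG = """\
! Last configuration change at 14:48:02 UTC Mon Mar 4 2024
! NVRAM config last updated at 10:02:15 UTC Mon Mar 4 2024
hostname edge-rtr-1
username netops privilege 15 secret 5 <hash>
username tempadmin privilege 15 secret 5 <hash>
access-list 101 permit tcp any any eq 23
access-list 101 permit ip any any
line vty 0 4
 transport input ssh telnet
ntp clock-period 17180151
"""


def normalize(config_text):
    """Strip trailing whitespace, blank lines and volatile lines so that the
    diff reflects operator changes only."""
    lines = []
    for line in config_text.splitlines():
        line = line.rstrip()
        if not line or any(p.match(line) for p in VOLATILE_LINE_PATTERNS):
            continue
        lines.append(line)
    return lines


def config_diff(startup, running):
    """Return (added, removed, unified): lines only in running, lines only in
    startup, and a unified diff to keep as the report's raw detail."""
    start_lines, run_lines = normalize(startup), normalize(running)
    added = sorted(set(run_lines) - set(start_lines))
    removed = sorted(set(start_lines) - set(run_lines))
    unified = "\n".join(difflib.unified_diff(
        start_lines, run_lines, "startup-config", "running-config", lineterm=""))
    return added, removed, unified


def sensitive_changes(added, removed):
    """Changed lines that touch accounts, ACLs or management access."""
    return [line for line in added + removed
            if line.lstrip().startswith(SENSITIVE_PREFIXES)]


if __name__ == "__main__":
    added, removed, unified = config_diff(STARTUP_CONFIG, RUNNING_CONFIG)
    print(unified)
    print("escalate:", sensitive_changes(added, removed))
```

Without the normalisation step every poll would report a change, because the timestamp comments and the NTP clock-period line differ on each retrieval; with it, the sample yields exactly the three unsaved changes an operator should be asked about (a new privilege-15 user, the Telnet ACL flipped from deny to permit, and Telnet enabled on the VTY lines).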

Server Changes

Change: Database Server DDL Changes: Captures database DDL changes

Change: Top Windows Servers, Users by Account Modification Count: This report ranks the windows servers and their administrative users by the number of user account modification events

Change: Windows Server Account Modification Details: This report captures the details of windows account modification events. Details include the administrative user, target user, the operation performed and the raw log

Change: Windows File Access Details: This report captures the details of windows server file access events. Details include the administrative user, file/directory, the operation performed and the raw log

Change: Top Windows Servers, Users By Config/Policy Modification Count: This report ranks the windows servers and their administrative users by the number of server configuration or policy modification events

Change: Windows Server Config Modification Details: This report captures the details of windows server configuration or policy modification events. Details include the administrative user, file/directory, the operation performed and the raw log

Change: Local User Accounts Created: This report captures user accounts added on a server

Change: Local User Accounts Deleted: This report captures user accounts removed from a server

Change: User Accounts Modified: This report captures local user account modifications.

Change: Users Added To Local Groups: This report captures users added to local groups.

Change: Users Added To Global Groups: This report captures users added to global or universal groups.

Change: Users Deleted From Local Groups: This report captures users deleted from local groups.

Change: Users Deleted From Global Groups: This report captures users deleted from global or universal groups.

Change: Local Groups Deleted: This report captures local group deletions

Change: Local Groups Modified: This report captures local group modifications

Change: Global Groups Created: This report captures global group creations

Change: Global Groups Deleted: This report captures global group deletions

Change: Global Groups Modified: This report captures global group modifications

Change: Local Groups Created: This report captures local group creations

Change: Windows Server Password Changes: Tracks password changes

Change: Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

Change: Windows Audit Policy Changed: This report captures audit policy changes

Change: Windows File Access Failures: This report captures the details of windows server file access failures. Details include the administrative user, file/directory, the operation performed and the raw log

Change: Windows File Access Successes: This report captures the details of windows server file access successes. Details include the administrative user, file/directory, the operation performed and the raw log

Change: All Account/Group Change Events: This report lists all account/group change events

Change: Top Windows Domain Controllers, Users By Account Modification Count: Ranks Domain Controllers and their administrators by the number of account modifications performed

Change: Windows Domain Account Modification Details: Details windows domain account modifications

Change: Top Windows Domain Controllers, Users By File Modification Count: Ranks the Domain Controllers and their administrators by the number of file modifications performed

Change: Windows Domain Controller File Modification Details: Provides details about domain controller file modifications

Change: Top Windows Domain Controllers, Users By Config Modification Count: Ranks Domain Controllers and their administrators by the number of config modifications performed

Change: Windows Domain Controller Config Changes: Provides detailed windows domain controller config changes

Change: Computers added to domain: Captures computers added to a domain

Change: Computers deleted from domain: Captures computers removed from a domain

Change: Domain user accounts created: Captures user accounts added to a domain

Change: Domain user accounts deleted: Captures user accounts removed from a domain

Change: Domain user accounts modified: Captures domain user account modifications.

Change: Domain groups created: Captures domain group creations

Change: Domain groups deleted: Captures domain group deletions

Change: Domain groups modified: Captures domain group modifications

Change: Users Added To Domain Groups: Tracks users added to domain groups

Change: Users Deleted From Domain Groups: Tracks users deleted from domain groups. The information contains who did it (User, Computer, Domain, Source IP) along with the deleted account (Target User) and group (Target User Group).

Change: Domain User Password Changes: Tracks password changes

Change: Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

Change: Domain Account Unlocks: Captures account unlocks on domain accounts. Account unlocks happen after lockouts that may happen on repeated login failures
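The lock/unlock reports (the SOX DS5.4 and HIPAA 164.308(a)(5)(ii)(c) entries above and the two Change entries here) all state the same triage rule: a lockout is worth a second look when it is repeated or when it happens at odd hours. The Python below is an added example, not FortiSIEM's rule engine, that applies those two conditions to constructed lockout records and correlates per account across servers, as the domain-level report does. The business-hours window, the repeat threshold and the two-hour window are assumptions to tune per site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning knobs; all three are assumptions to adjust per site.
BUSINESS_HOURS = (7, 19)            # lockouts outside 07:00-18:59 local are "odd hours"
REPEAT_THRESHOLD = 3                # this many lockouts of one account ...
REPEAT_WINDOW = timedelta(hours=2)  # ... inside this window count as "repeated"

# Constructed lockout records (local timestamp, server, account). Not real logs.
LOCKOUTS = [
    ("2024-03-04 09:12:00", "dc-01", "jsmith"),
    ("2024-03-04 02:40:00", "dc-01", "svc-backup"),
    ("2024-03-04 02:47:00", "dc-01", "svc-backup"),
    ("2024-03-04 03:01:00", "dc-02", "svc-backup"),
    ("2024-03-04 14:05:00", "dc-01", "mlee"),
    ("2024-03-04 14:30:00", "dc-01", "mlee"),
    ("2024-03-04 15:50:00", "dc-01", "mlee"),
]


def is_odd_hours(ts):
    """True when the lockout falls outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def has_repeats(times):
    """True if REPEAT_THRESHOLD lockouts fall within REPEAT_WINDOW (sliding window
    over the sorted timestamps)."""
    times = sorted(times)
    for i in range(len(times) - REPEAT_THRESHOLD + 1):
        if times[i + REPEAT_THRESHOLD - 1] - times[i] <= REPEAT_WINDOW:
            return True
    return False


def suspicious_lockouts(records):
    """Return {account: [reasons]} for accounts whose lockouts match either rule.
    Lockouts are grouped per account regardless of which server reported them."""
    by_account = defaultdict(list)
    for ts, server, account in records:
        by_account[account].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), server))
    findings = {}
    for account, events in by_account.items():
        reasons = []
        if any(is_odd_hours(ts) for ts, _ in events):
            reasons.append("odd-hours")
        if has_repeats([ts for ts, _ in events]):
            reasons.append("repeated")
        if reasons:
            findings[account] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in suspicious_lockouts(LOCKOUTS).items():
        print(f"{account}: {', '.join(reasons)}")
```

Grouping by account rather than by reporting server matters: the service account in the sample is locked out on two different domain controllers, and only the per-account view shows that as one burst.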

Change: Windows Domain Controller Audit Policy Changed: This report captures audit policy changes

Change: Unix Users Added To Group: Tracks user additions to groups

Change: Unix User Password Changed: Tracks password changes

Change: Audited file changes: Tracks user modifications to files and directories. Both the content and attribute modifications are captured. For actions on directories, the affected files in the directories are also captured.



FortiSIEM Security Information Management

Security Information Management

User Password Monitoring Events

AccelOps (the product name under which FortiSIEM was originally developed) generates the following events related to user password monitoring during LDAP discoveries.

LDAP Password Never Expire Events

LDAP Password Not Required Events

LDAP Password Expiry Event

LDAP Password Stale Events

LDAP Password Never Expire Events

Event Type: PH_DEV_DISCOV_ADS_PASSWORD_NEVER_EXPIRES

Description: Event contains users whose password is set to never expire

Source: Windows Active Directory Discovery via LDAP

Key Attributes:

Name | Id | Type | Description
Event Type | eventType | string | Event type set to PH_DEV_DISCOV_ADS_PASSWORD_NEVER_EXPIRES
Event Severity | eventSeverity | uint16 | Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High. Event severities 0-4 are mapped to Low, 5-8 to Medium and 9-10 to High
Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event
Reporting IP | reptDevIpAddr | IP | AccelOps Supervisor IP
Relaying IP | relayDevIpAddr | IP | AccelOps Supervisor IP
Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma-separated "[Attribute]=value" format
Host name | hostName | string | Active Directory server host name
Host IP Address | hostIpAddr | IP | Active Directory server IP
User | user | string | User logon name
User Full Name | userFullName | string | User full display name
User Distinguished Name | userDN | string | User distinguished name
Password Age | passwordAge | uint64 | Password age in days
Password Last Set | passwordLastSet | Date | Time when password was last set

LDAP Password Not Required Events

Event Type: PH_DISCOV_ADS_PASSWORD_NOT_REQD

Description: Event contains users whose password is not required

Source: Windows Active Directory Discovery via LDAP

Sample event

Key Attributes:

Name | Id | Type | Description
Event Type | eventType | string | Event type set to PH_DISCOV_ADS_PASSWORD_NOT_REQD
Event Severity | eventSeverity | uint16 | Set to 1.
Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High. Event severities 0-4 are mapped to Low, 5-8 to Medium and 9-10 to High
Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event
Reporting IP | reptDevIpAddr | IP | AccelOps Supervisor IP
Relaying IP | relayDevIpAddr | IP | AccelOps Supervisor IP
Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma-separated "[Attribute]=value" format
Host name | hostName | string | Active Directory server host name
Host IP Address | hostIpAddr | IP | Active Directory server IP
User | user | string | User logon name
User Full Name | userFullName | string | User full display name
User Distinguished Name | userDN | string | User distinguished name

LDAP Password Expiry Event

Event Type: PH_DISCOV_ADS_PASSWORD_TO_EXPIRE

Description: Event contains users and the times when their passwords were last set and when their passwords are about to expire

Source: Windows Active Directory Discovery via LDAP

Sample event

<174>Feb 12 12:09:29 PH-QA-AUTOTEST phDiscover[22677]: [PH_DISCOV_ADS_PASSWORD_TO_EXPIRE]:[eventSeverity]=PHL_INFO,[procNa me]=phDiscover,[fileName]=dirUser.cpp,[lineNumber]=1750,[hostIpAddr ]=192.168.0.10,[user]=testuser,[userFullName]=Testuser,[userDN]=CN=

Testuser,CN=Users,DC=acme,DC=net,[daysToPasswordExpiry]=0,[password

LastSet]=1360606672,[phLogDetail]=

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DISCOV_ADS_PASSWORD_TO_EXPIRE
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity

Category

eventSeverityCat string Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High

 

Event Receive

Time

phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr Date AccelOps Super IP
Relaying IP relayDevIpAddr Date AccelOps Super IP
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated “[Attribute] = value” format.
Host name hostName string Active Directory Server Host Name
Host IP Address hostIpAddr IP Active Directory Server IP
User user string User logon name
User Full Name userFullName string user Full Display Name
User

Distinguishing

Name

userDN string User Distinguishing name
Days to

Password

Expiry

daysToPasswordExpiry uint64 Number of days until the password will expire
Password Last

Set

passwordLastSet Date Time when password was last set
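The raw event format that every table on this page describes (a "[Attribute]=value" list after the "[EVENT_TYPE]:" token) is simple to split on commas until a value such as userDN itself contains commas. The following is an added example and not FortiSIEM or AccelOps code: it parses the three sample events printed on this page (the password-expiry sample above and the VM interface and ESX disk I/O samples further down, each re-joined onto one line with the extraction line breaks removed), maps a numeric eventSeverity to the Low/Medium/High category exactly as the tables state, and lists users from PH_DISCOV_ADS_PASSWORD_TO_EXPIRE events whose password expires within a threshold. The regular expressions, the seven-day default threshold and the treatment of the PID in the syslog header are this example's own assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed input: the three sample events shown on this page, each re-joined
# onto a single line the way a syslog receiver would see it.
SAMPLE_EVENTS = [
    "<174>Feb 12 12:09:29 PH-QA-AUTOTEST phDiscover[22677]: "
    "[PH_DISCOV_ADS_PASSWORD_TO_EXPIRE]:[eventSeverity]=PHL_INFO,[procName]=phDiscover,"
    "[fileName]=dirUser.cpp,[lineNumber]=1750,[hostIpAddr]=192.168.0.10,[user]=testuser,"
    "[userFullName]=Testuser,[userDN]=CN=Testuser,CN=Users,DC=acme,DC=net,"
    "[daysToPasswordExpiry]=0,[passwordLastSet]=1360606672,[phLogDetail]=",
    "<134>Feb 08 18:22:16 10.1.2.11 java: [PH_DEV_MON_VM_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,"
    "[phyMachName]=HOST-10.1.2.51, [phyMachIpAddr]=10.1.2.51, [pollIntv]=180, [vmName]=CO159, "
    "[morId]=vm-194, [hostName]=CO159, [hostIpAddr]=10.1.2.159, [vSwitch]=vSwitch0, "
    "[intfName]=Network adapter 1, [sentPkts]=454, [recvPkts]=939, [sentBytes]=102400, [recvBytes]=307200",
    "<134>Oct 02 12:00:42 192.168.1.3 java: [PH_DEV_MON_ESX_DISK_IO]:[eventSeverity]=PHL_INFO, "
    "[hostName]=ESX3i-QA-01.prospecthills.net, [hostIpAddr]=192.168.1.3, [pollIntv]=180, "
    "[morId]=ha-host, [diskName]=mpx.vmhba32:C0:T0:L0, [diskReadKBytesPerSec]=9.9, "
    "[diskWriteKBytesPerSec]=0.3, [diskReadReqPerSec]=1.215, [diskWriteReqPerSec]=0.045, "
    "[devDiskRdLatency]=0.1, [devDiskWrLatency]=0.4, [kernDiskRdLatency]=0.0, "
    "[totDiskRdLatency]=0.1, [totDiskWrLatency]=0.4, [kernDiskWrLatency]=0.0",
]

# Assumption: the event type is the first bracketed upper-case token followed by a colon.
# The "[22677]:" PID in the syslog header starts with a digit and is therefore skipped.
EVENT_TYPE_RE = re.compile(r"\[([A-Z][A-Z0-9_\-]*)\]:")
# One "[name]=value" pair. The value runs lazily up to the next ",[name]=" or the end of
# the line, so a value that itself contains commas (the LDAP DN) stays in one piece.
ATTR_RE = re.compile(r"\[(\w+)\]=(.*?)(?=,\s*\[\w+\]=|$)")


def parse_event(line: str) -> dict:
    """Split one raw AccelOps/FortiSIEM event line into an attribute dictionary."""
    m = EVENT_TYPE_RE.search(line)
    if m is None:
        raise ValueError("no [EVENT_TYPE]: token found in line")
    attrs = dict(ATTR_RE.findall(line, m.end()))
    attrs["eventType"] = m.group(1)
    return attrs


def severity_category(severity: int) -> str:
    """Map eventSeverity (0-10) to eventSeverityCat as the tables on this page define it."""
    if not 0 <= severity <= 10:
        raise ValueError(f"eventSeverity out of range: {severity}")
    if severity <= 4:
        return "Low"
    if severity <= 8:
        return "Medium"
    return "High"


def expiring_passwords(events, within_days: int = 7):
    """Return (user, userDN, days_left, last_set_utc) for PASSWORD_TO_EXPIRE events
    whose daysToPasswordExpiry is at or below the threshold (7 days is an assumption)."""
    hits = []
    for ev in events:
        if ev.get("eventType") != "PH_DISCOV_ADS_PASSWORD_TO_EXPIRE":
            continue
        days_left = int(ev["daysToPasswordExpiry"])
        if days_left <= within_days:
            # passwordLastSet is carried as Unix epoch seconds in the raw event
            last_set = datetime.fromtimestamp(int(ev["passwordLastSet"]), tz=timezone.utc)
            hits.append((ev["user"], ev["userDN"], days_left, last_set))
    return hits


if __name__ == "__main__":
    parsed = [parse_event(line) for line in SAMPLE_EVENTS]
    for ev in parsed:
        print(ev["eventType"], "severity category:", severity_category(1))
    for user, dn, days_left, last_set in expiring_passwords(parsed):
        print(f"{user} ({dn}): set {last_set:%Y-%m-%d %H:%M:%S} UTC, expires in {days_left} day(s)")
```

Note that the samples carry the symbolic severity PHL_INFO rather than the numeric 1 the tables list; the parser keeps the raw string and leaves the numeric mapping to the caller.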
LDAP Password Stale Event

Event Type: PH_DISCOV_ADS_PASSWORD_STALE

Source: Windows Active Directory Discovery via LDAP

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DISCOV_ADS_PASSWORD_STALE
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category eventSeverityCat string Set to Low. In general, takes the values Low, Medium and High. Event severities 0-4 are mapped to Low, 5-8 to Medium and 9-10 to High
Event Receive Time phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr IP AccelOps Super IP
Relaying IP relayDevIpAddr IP AccelOps Super IP
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated "[Attribute]=value" format.
Host name hostName string Active Directory Server Host Name
Host IP Address hostIpAddr IP Active Directory Server IP
User user string User logon name
User Full Name userFullName string User full display name
User Distinguished Name userDN string User distinguished name
Password Age passwordAge uint64 Age of the password in days
Password Last Set passwordLastSet Date Time when the password was last set


FortiSIEM Network Flow Monitoring Events

Network Flow Monitoring Events

Network Flow Events

These events are generated from Cisco NetFlow and sFlow.

Event Type: IOS-NETFLOW-BI (BI stands for bidirectional: the two unidirectional NetFlow records describing the two directions of one connection are combined into a single event), SFLOW-BI

Description: Event containing NetFlow or sFlow data

Source: Cisco IOS (NetFlow), sFlow exporters

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to IOS-NETFLOW-BI or SFLOW-BI
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category eventSeverityCat string Set to Low. In general, takes the values Low, Medium and High. Event severities 0-4 are mapped to Low, 5-8 to Medium and 9-10 to High
Event Receive Time phRecvTime Date Time at which AccelOps generated this event (after receiving the flow records)
Reporting IP reptDevIpAddr IP IP address of the device reporting this event; in this case the router or switch that exported the flow records
Relaying IP relayDevIpAddr IP IP address of the device relaying this event from the source to AccelOps. In general this could be a syslog-ng IP address, but in this case, since the exporter sends flow records to AccelOps directly, Relaying IP is set to the AccelOps IP address.
Source IP srcIpAddr IP Source IP address of the flow
Dest IP destIpAddr IP Destination IP address of the flow
IP Protocol ipProto uint16 IP protocol, e.g. TCP, UDP, GRE, ICMP
Source TCP/UDP Port srcIpPort uint16 Source TCP/UDP port
Dest TCP/UDP Port destIpPort uint16 Destination TCP/UDP port
ICMP Type icmpType uint16 ICMP type (for ICMP flows)
ICMP Code icmpCode uint16 ICMP code (for ICMP flows)
IP Type of Service tos uchar IP Type of Service byte
Sent TCP flags srcDestTCPFlags uchar OR-ed TCP flags seen in the source to destination direction
Received TCP flags destSrcTCPFlags uchar OR-ed TCP flags seen in the destination to source direction
Source Intf SNMP Index srcSnmpIntfIndex uint16 SNMP interface index of the exporter interface on which the flow entered
Source Interface Name srcIntfName string Source interface name
Dest Intf SNMP Index destSnmpIntfIndex uint16 SNMP interface index of the exporter interface on which the flow left
Destination Interface Name destIntfName string Destination interface name
Source Autonomous System Number srcASNum uint16 Source autonomous system number
Dest Autonomous System Number destASNum uint16 Destination autonomous system number
Sent Bytes sentBytes uint32 Bytes sent from source to destination in this flow
Sent Packets sentPkts uint32 Packets sent from source to destination in this flow
Received Bytes recvBytes uint32 Bytes sent from destination to source in this flow
Received Packets recvPkts uint32 Packets sent from destination to source in this flow
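The Event Type line above says that two unidirectional NetFlow records are combined into one bidirectional event, which is where the paired sent/received counters and the two OR-ed TCP flag fields in the table come from. The following is an added example, not FortiSIEM code, showing that combination over a few constructed records: the reply half of a TCP session arrives before the request half, and a DNS query is seen in one direction only. The UniFlow record layout, the exporter address 192.0.2.1 and the rule that the side using the higher (ephemeral) port is treated as the source are this example's assumptions; the page does not document which pairing rule FortiSIEM applies.

```python
from dataclasses import dataclass

# TCP flag bits as carried in a NetFlow tcp_flags field.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class UniFlow:
    """One unidirectional flow record as exported by the router (constructed layout)."""
    src_ip: str
    dst_ip: str
    ip_proto: int
    src_port: int
    dst_port: int
    pkts: int
    octets: int
    tcp_flags: int   # OR of the TCP flags seen in this direction; 0 for non-TCP
    in_if: int       # ingress SNMP ifIndex on the exporter
    out_if: int      # egress SNMP ifIndex on the exporter


# Constructed input: the server->client half of an HTTPS session arrives first,
# then the client->server half, then a DNS query for which no reply was exported.
SAMPLE_RECORDS = [
    UniFlow("203.0.113.7", "10.0.0.5", 6, 443, 51234, 12, 9800, SYN | ACK | PSH | FIN, 3, 2),
    UniFlow("10.0.0.5", "203.0.113.7", 6, 51234, 443, 10, 1500, SYN | ACK | PSH | FIN, 2, 3),
    UniFlow("10.0.0.9", "198.51.100.20", 17, 40000, 53, 1, 78, 0, 2, 3),
]


def orient(rec: UniFlow):
    """Return (record in client->server orientation, True if rec already was).

    Assumption for this example only: the higher port is the ephemeral client port.
    """
    if rec.src_port >= rec.dst_port:
        return rec, True
    # Reverse the 5-tuple; ingress/egress interfaces swap along with it.
    flipped = UniFlow(rec.dst_ip, rec.src_ip, rec.ip_proto, rec.dst_port, rec.src_port,
                      rec.pkts, rec.octets, rec.tcp_flags, rec.out_if, rec.in_if)
    return flipped, False


def merge_bidirectional(records, exporter_ip: str):
    """Fold unidirectional records into IOS-NETFLOW-BI style events keyed on the 5-tuple.

    A flow seen in one direction only still yields an event, with the received
    counters left at zero.
    """
    events = {}
    for rec in records:
        fwd, is_forward = orient(rec)
        key = (fwd.src_ip, fwd.dst_ip, fwd.ip_proto, fwd.src_port, fwd.dst_port)
        ev = events.setdefault(key, {
            "eventType": "IOS-NETFLOW-BI", "reptDevIpAddr": exporter_ip,
            "srcIpAddr": fwd.src_ip, "destIpAddr": fwd.dst_ip, "ipProto": fwd.ip_proto,
            "srcIpPort": fwd.src_port, "destIpPort": fwd.dst_port,
            "srcSnmpIntfIndex": fwd.in_if, "destSnmpIntfIndex": fwd.out_if,
            "sentPkts": 0, "sentBytes": 0, "recvPkts": 0, "recvBytes": 0,
            "srcDestTCPFlags": 0, "destSrcTCPFlags": 0,
        })
        if is_forward:        # client -> server half feeds the "sent" counters
            ev["sentPkts"] += rec.pkts
            ev["sentBytes"] += rec.octets
            ev["srcDestTCPFlags"] |= rec.tcp_flags
        else:                 # server -> client half feeds the "received" counters
            ev["recvPkts"] += rec.pkts
            ev["recvBytes"] += rec.octets
            ev["destSrcTCPFlags"] |= rec.tcp_flags
    return list(events.values())


def raw_event(ev: dict) -> str:
    """Render an event in the "[Attribute]=value" comma separated form used by rawEventMsg."""
    body = ",".join(f"[{k}]={v}" for k, v in ev.items() if k != "eventType")
    return f"[{ev['eventType']}]:{body}"


if __name__ == "__main__":
    for ev in merge_bidirectional(SAMPLE_RECORDS, "192.0.2.1"):
        print(raw_event(ev))
```

Because the flags are OR-ed over the whole direction, srcDestTCPFlags and destSrcTCPFlags both end up as SYN|ACK|PSH|FIN for a normal session; a one-sided event with recvBytes equal to zero (the DNS query here) is the more useful signal when hunting for scans or blackholed traffic.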


FortiSIEM Application Monitoring Events

Application Monitoring Events

AccelOps generates the following events related to application monitoring:

Process Resource Utilization

Apache Performance Metrics

Microsoft ASP.NET Metrics

Exchange RPC Metrics

Exchange RPC Error Metrics

Exchange Mailbox Metrics

Exchange SMTP Metrics

Microsoft DNS Performance Metrics

Microsoft DHCP Performance Metrics

Microsoft Active Directory Performance Metrics

IP SLA VoIP Metrics

IP SLA HTTP Metrics

IP SLA ICMP Metrics

Generic IP SLA Metrics

Tomcat Application Server Monitoring Metrics

GlassFish Application Server Monitoring Metrics

WebLogic Application Server Monitoring Metrics

WebSphere Application Server Monitoring Metrics

JBoss Application Server Monitoring Metrics

Process Resource Utilization



FortiSIEM VM Network IO Monitoring

VM Network IO Monitoring

Event Type: PH_DEV_MON_VM_NET_INTF_UTIL

Description: Event containing per-interface network traffic metrics for a virtual machine

Source: All

Key Attributes:

Name Id Type Description
Event Type eventType string Event type set to PH_DEV_MON_VM_NET_INTF_UTIL
Event Severity eventSeverity uint16 Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category eventSeverityCat string Set to Low. In general, takes the values Low, Medium and High. Event severities 0-4 are mapped to Low, 5-8 to Medium and 9-10 to High
Event Receive Time phRecvTime Date Time at which AccelOps generated this event
Reporting IP reptDevIpAddr IP IP address of the device reporting this event. In this case set to the device whose interface traffic is being reported (the device identified by the Host name and Host IP Address attributes)
Relaying IP relayDevIpAddr IP IP address of the device relaying this event from the source to AccelOps. In general this could be a syslog-ng IP address, but in this case, since AccelOps polls the device directly, Relaying IP is set to the AccelOps IP address.
Raw Event Log rawEventMsg string Raw event containing all attributes in comma separated "[Attribute]=value" format.
VM Name vmName string Name of the virtual machine whose interface traffic is being reported
Host name hostName string Host name (as in AccelOps CMDB) of the VM whose interface traffic is being reported
Host IP Address hostIpAddr IP Access IP (as in AccelOps CMDB) of the VM whose interface traffic is being reported
Physical Machine Name phyMachName string Name of the physical ESX host on which the VM is running
Physical Machine IP phyMachIpAddr IP IP address of the physical ESX host on which the VM is running
Virtual Switch vSwitch string Virtual switch to which the VM interface is attached
Interface Name intfName string Name of the VM network adapter
Sent Packets sentPkts uint32 Packets sent on the interface
Received Packets recvPkts uint32 Packets received on the interface
Sent Bytes sentBytes uint32 Bytes sent on the interface
Received Bytes recvBytes uint32 Bytes received on the interface
Poll Interval pollIntv uint32 Polling interval in seconds

Sample event:

<134>Feb 08 18:22:16 10.1.2.11 java: [PH_DEV_MON_VM_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,[phyMachName]=HOST-10.1.2.51, [phyMachIpAddr]=10.1.2.51, [pollIntv]=180, [vmName]=CO159, [morId]=vm-194, [hostName]=CO159, [hostIpAddr]=10.1.2.159, [vSwitch]=vSwitch0, [intfName]=Network adapter 1, [sentPkts]=454, [recvPkts]=939, [sentBytes]=102400, [recvBytes]=307200

VM Cluster CPU Utilization

VM Cluster Memory Utilization

VM Cluster Datastore I/O Utilization

VM Resource Pool CPU Utilization

VM Resource Pool Memory Utilization

ESX State Monitoring

ESX Datastore Utilization Monitoring

ESX Disk I/O Monitoring

Sample event:

<134>Oct 02 12:00:42 192.168.1.3 java: [PH_DEV_MON_ESX_DISK_IO]:[eventSeverity]=PHL_INFO, [hostName]=ESX3i-QA-01.prospecthills.net, [hostIpAddr]=192.168.1.3, [pollIntv]=180, [morId]=ha-host, [diskName]=mpx.vmhba32:C0:T0:L0, [diskReadKBytesPerSec]=9.9, [diskWriteKBytesPerSec]=0.3, [diskReadReqPerSec]=1.215, [diskWriteReqPerSec]=0.045, [devDiskRdLatency]=0.1, [devDiskWrLatency]=0.4, [kernDiskRdLatency]=0.0, [totDiskRdLatency]=0.1, [totDiskWrLatency]=0.4, [kernDiskWrLatency]=0.0

ESX Datastore I/O Monitoring

