Event Attribute Master List

This section describes the master list of event attributes. Events are parsed into these attributes and used in Accelops analytics. There are 4 broad categories of event attributes

Generic Attributes

Network Attributes

System Attributes

Application Attributes

Environmental Attributes

Generic Attributes

Name	Id	Type	Description
Event Type	eventType	string	Event type set to PH_DEV_MON_SYS_CPU_UTIL
Event Name	eventName	string
Event Severity	eventSeverity	uint16	Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category	eventSeverityCat	string	Set to Low. IN general, takes the values Low, Medium and High. Event Severities 0-4 are mapped to Low, 5-8 are mapped to Medium and 9-10 are mapped to High
IPS Event Risk Rating	ipsEvRR
IPS Event Threat Rating	ipsEvTR
Event ID	eventId
Event Receive Time	phRecvTime	Date	Time at which AccelOps generated this event
Device Time	deviceTime	Date
Event Action	eventAction	uint16
Reporting IP	reptDevIpAddr	Date	IP address of device reporting this event. In this case set to the device reporting the utilization (same as Host name attribute)
Reporting Device Name	reptDevName	string
Relaying IP	relayDevIpAddr	Date	IP address of device relaying this event from the source to AccelOps. In general it could be a syslog-ng IP address but in this, since AccelOps talks to the device directly, Relaying IP is set to AccelOps IP Address.
Relaying Device Name	relayDevName	string
Raw Event Log	rawEventMsg	string	Raw event containing all attributes in comma separated “[Attribute] = value” format.
Poll Interval	pollIntv	uint32	Polling interval in seconds
Customer ID	phCustId
Customer Name	customer
Agent ID	phAgentId
Event Rate (/sec)	eventsPerSec
Peak Event Rate (/sec)	peakEventsPerSec
Event Parse Status	eventParsedOK
Incident Source	incidentSrc
Incident Target	incidentTarget
Incident Reporting IP	incidentRptIp
Incident Trigger Attribute List	triggerAttrList
Incident Detail	incidentDetail
Incident ID	incidentId
Incident Status	incidentStatus
Incident First Occurrence Time	incidentFirstSeen
Incident Last Occurrence Time	incidentLastSeen
Incident Ticket ID	incidentTicketId
Incident Ticket Status	incidentTicketStatus
Incident Ticket User	incidentTicketUser
Incident Comments	incidentComments
Incident View Status	incidentViewStatus
Incident View Users	incidentViewUsers
Incident Cleared Time	incidentClearedTime
Incident Cleared User	incidentClearedUser
Incident Cleared Reason	incidentClearedReason
Incident Notification Recipients	incidentNotiRecipients

Network Attributes

Name	Id	Type	Description
Source IP	srcIpAddr	IP	Source IP address of the flow
Source Host Name	srcName
Host IP	hostIpAddr	IP
Host Name	hostName
Dest IP	destIpAddr	IP	Destination IP address of the flow
Dest Name	destName
Source MAC	srcMACAddr
Dest MAC	destMACAddr
Host MAC	hostMACAddr
IP Protocol	ipProto	uint16	IP protocol e.g. TCP/UDP/GRE/ICMP etc
Source TCP/UDP Port	srcIpPort	uint16	Source TCP/UDP port
Dest TCP/UDP Port	destIpPort	uint16	Destination TCP/UDP port
ICMP Type	icmpType	uint16	ICMP type
ICMP Code	icmpCode	uint16	ICMP code
IP Type of Service	tos	uchar	IP Type of Service
Sent TCP flags	srcDestTCPFlags	uchar	OR-ed TCP Flags from Source to Destination
Received TCP flags	destSrcTCPFlags	uchar	OR-ed TCP Flags from Destination to Source
Source Intf SNMP Index	srcSnmpIntfIndex	uint16	Source SNMP interface index
Dest Intf SNMP Index	destSnmpIntfIndex	uint16	Destination SNMP interface index
Source Intf name	srcIntfName
Dest Intf Name	destIntfName
Host Intf Name	intfName
Source Autonomous System Number	srcASNum	uint16	Source Autonomous number

 

Dest Autonomous System Number	destASNum	uint16	Destination Autonomous number
Source VLAN	srcVLAN
Dest VLAN	destVLAN
Host VLAN	hostVLAN
Sent Bytes	sentBytes	uint32	Sent Bytes in this flow
Sent Packets	sentPkts	uint32	Sent Packets in this flow
Sent Bytes Rate (/sec)	sentBytesPerSec
Received Bytes	recvBytes	uint32	Received Bytes in this flow
Received Packets	recvPkts	uint32	received Packets in this flow
Received Bytes Rate (/sec)	recvBytesPerSec
Total Bytes	totBytes
Total Packets	totPkts
Total Byte rate (/sec)	totBytesPerSec
Total Packet Rate (/sec)	totPktsPerSec
Duration	durationMsec
Intf Out Queue Length	outQlen
In Packet Error	inIntfPktErr
Out Packet Error	outIntfPktErr
In Packet Error Pct	inIntfPktErrPct
Out Packet Error Pct	outIntfPktErrPct
In Intf Util	inIntfUtil	double
Out Intf Util	outIntfUtil	double
In Packet Discard	inIntfPktDiscarded
Out Packet Discard	outIntfPktDiscarded
In Packet Discard Pct	inIntfPktDiscardedPct
Out Packet Discard Pct	outIntfPktDiscarded
Source Firewall Zone	srcFwZone
Dest Firewall Zone	destFwZone
Min Jitter	minJitterMs
Max Jitter	maxJitterMs
Avg Jitter	avgJitterMs
Min SD Jitter	minJitterSDMs
Max SD Jitter	maxJitterSDMs
Avg SD Jitter	avgJitterSDMs
Min DS Jitter	minJitterDSMs
Max DS Jitter	maxJitterDSMs
Avg DS Jitter	avgJitterDSMs
Packets Lost	pktLost
Packets SD Lost	pktLostSD
Packets DS Lost	pktLostDS
Packets Missing	pktMIA
Packets Late	pktLate
Packets Out-of-Seq	pktOutSeq
VoIP MOS Score	mosScore
VoIP ICPIF Score	icpifScore
VoIP Codec	codec
VoIP Phone Status	voIPPhoneStatus
Calling Party Number	callingPartyNumber
Original Called Party Number	originalCalledPartyNumber

 

Final Called Party Number	finalCalledPartyNumber
Call Connect Time	dateTimeConnect
Call Disconnect Time	dateTimeDisconnect
Call Duration	callDuration
CBQoS Policy Name	qosPolicy
CBQoS Class Name	qosClass
CBQoS Conform KBps	qosConformRate
CBQoS Exceeded KBps	qosExceedRate
CBQoS Violated KBps	qosViolateRate
CBQoS PrePolice KBps	qosPrePoliceRate
CBQoS PostPolice KBps	qosPostPoliceRate
CBQoS Drop KBps	qosDropRate
CBQoS Drop Pct	qosDropPct
CBQoS Curr Queue Length	qosCurrQueue
CBQoS Max Queue Length	qosMaxQueue
CBQoS Discarded Pkt	qosDiscardPkt
OSPF State	ospfState
BGP State	bgpState
OSPF Area Id	ospfAreaId
Source FiberChannel WWN Id	srcWWN
Dest FiberChannel WWN Id	destWWN
	wlanSsid
	wlanControllerIp
	wlanContrHostName
	wlanUserCount
	wlanSuppChannels
	wlanSendutil
	wlanRecvUtil
	wlanChannelUtil
	wlanPoorSNRUserCount
	ifLoadProfile
	ifIntefProfile
	ifCoverageProfile
	ifNoiseProfile
	wlanRssi
	wlanSnr
	wlanMobilityStatus
	wlanProtocol
	wlanAssocUpTime
	wlanMaxHostTxmitRate
	ifCoverageIndx
	ifNoseIndx
	ifIntefIndex

System Attributes

Name	Id	Type	Description
Computer	computer
Target Computer	targetComputer

 

Domain	domain
Target Domain	targetDomain
Source Domain	srcDomain
Destination Domain	destDomain
Operating System Type	osType
Operating System Version	osVersion
File Name	fileName
Object Type	osObjType
Object Name	osObjName
Target Object Type	targetOsObjType
Target Object Name	targetOsObjName
Object Handle	osObjHandleID
Object Access Type	osObjAccessType
Object Action	osObjAction
System Uptime	sysUpTime
System Uptime Pct	sysUpTimePct	double
System Downtime	sysDownTime
CPU Name	cpuName	string
CPU utilization	cpuUtil	double	Overall CPU utilization (between 0-100). The number is an average over all CPUs in a multi-cpu system.
User CPU Utilization	userCpuUtil	double	User CPU utilization (between 0-100). The number is an average over all CPUs in a multi-cpu system. Available for Linux (via SNMP) only.
System CPU Utilization	sysCpuUtil	double	System CPU utilization (between 0-100). The number is an average over all CPUs in a multi-cpu system. Available for Linux (via SNMP) only.
Memory Name	memName	string
Memory Utilization	memUtil	double
Free memory (KB)	freeMemKB	uint32
Buffer Memory (KB)	bufMemKB	uint32
Cache Memory (KB)	cacheMemKB	uint32
Swap Memory Utilization	swapMemUtil	double
Free Swap Memory (KB)	freeSwapMemKB	uint32
Minimum Swap Memory (KB)	memMinimumSwap	uint32
Swap Memory Error Message	swapMemErrorString	string
Swap Read (Pages/sec)	swapInRate	double
Swap Write (Pages/sec)	swapOutRate	double
Total Swap (Pages/sec)	swapRate	double
Swap Read (KBps)	swapReadKBytesPerSec
Swap Write (KBps)	swapWriteKBytesPerSec
Total Read I/O Rate (KBps)	ioReadKBytesPerSec
Total Write I/O Rate (KBps)	ioWriteKBytesPerSec
Disk Name	diskName
Disk Utilization	diskUtil
Free Disk (MB)	freeDiskMB
Total Disk (MB)	totalDiskMB
Used Disk (MB)	usedDiskMB
Disk Queue Length	diskQLen

 

Current Daily Disk Growth	diskGrowthMBDaily
Current Weekly Disk Growth	diskGrowthMBWeekly
Current Monthly Disk Growth	diskGrowthMBMonthly
Average Daily Disk Growth	avgDiskGrowthMBDaily
Average Weekly Disk Growth	avgDiskGrowthMBWeekly
Average Monthly Disk Growth	avgDiskGrowthMBMonthly
Days To Disk Full	timeToDiskFull
RAID Group Id	raidGrpId
RAID Type	raidType

Application Attributes

Name	Id	Type	Description
Application Name	appName	string	Short descriptive name of the process, e.g. “Microsoft IIS”
Application Group Name	appGroupName	string	Name of the application group to which the process belongs; e.g. “Microsoft IIS”
Software Name	swProcName	string	Process/Executable name; e.g. svchost.exe
Software Param	swParam	string	Process/Executable parameters, e.g. “-k iissvc”
CPU utilization	cpuUtil	double	Process CPU utilization (between 0-100).
Memory utilization	memUtil	double	Process memory utilization (between 0-100).
Real Peak Memory (KB)	realMemPeakKBytes	uint32	Peak real memory usage (KBytes).
Disk Read Rate (KBps)	diskReadKBytesPerSec	double	Process disk read rate (KBytes/sec).
Disk Write Rate (KBps)	diskWriteKBytesPerSec	double	Process disk write rate (KBytes/sec).

Environmental Attributes

Name	Id	Type	Description
Hardware Status	hwStatusCode	string
Hardware Battery Status	hwBatteryStatus
Hardware Disk Status	hwDiskStatus
Hardware Power Supply Status	hwPowerSupplyStatus
Hardware Temp Sensor Status	hwTempSensorStatus
Hardware Fan Status	hwFanStatus
Hardware Amp Status	hwAmpStatus
Hardware Voltage Status	hwVoltageStatus
Hardware Memory Status	hwMemoryStatus
Hardware Log Status	hwLogStatus
Hardware Processor Status	hwProcStatus
Hardware Power Chord Status	hwPowerChordStatus
Hardware Storage Controller Status	hwStorageControllerStatus
HardwareStorage Channel  Status	hwStorageChannelStatus
Hardware Storage Enclosure Status	hwStorageEnclosureStatus

 

Hardware Power Supply Status	hwStoragePowerSupplyStatus
Hardware Storage Fan Status	hwStorageFanStatus
Hardware Storage Temp Status	hwStorageTempStatus
Hardware EMM Status	hwStorageEMMStatus
Hardware Log Disk Status	logDiskStatus
Failed Power Supply Count	hwFailedPowerSupplyCount
Storage LLC Status	hwLLCStatus
Storage Link Status	hwLinkStatus
Storage Port Status	hwPortStatus
Hardware Misc Component Status	hwMiscCompStatus
Host Spare Disk Count	hwHotSpareDiskCount
UPS Battery Status	upsBatteryStatus
UPS Remaining Battery Charge (Pct)	upsRemainBatteryChargePct
UPS Replace Battery Indicator	upsReplaceBatteryIndicator
UPS Time On Battery (sec)	upsTimeOnBattery
UPS Output Status	upsBasicOutputStatus
UPS Output Load	upsAdvOutputLoad
UPS Output Voltage (V)	upsAdvOutputVoltage
UPS Output Frequency (Hz)	upsAdvOutputFreq
UPS  Battery Current (Amp)	upsBatteryCurrent
UPS Battery Temperature (C)	upsBatteryTempC
UPS Battery Voltage	upsBatteryVoltage
UPS Estimated Time Remaining (sec)	upsEstSecRemain
Temperature (C)	envTempDegC
High Temperature Threshold (C)	envTempHighThreshDegC
Low Temperature Threshold (C)	envTempLowThreshDegC
Temperature Offset High (C)	envTempOffHighDegC
Temperature Offset Low (C)	envTempOffLowDegC
Temperature (F)	envTempDegF
High Temperature Threshold (F)	envTempHighThreshDegF
Low Temperature Threshold (F)	envTempLowThreshDegF
Temperature Offset High (F)	envTempOffHighDegF
Low Temperature Threshold (F)	envTempOffLowDegF
Relative Humidity	envHumidityRel
High Relative Humidity Threshold	envHumidityRelHighThresh
Low Relative Humidity Threshold	envHumidityRelLowThresh
Humidity Offset High	envHumidityOffHigh
Humidity Offset Low	envHumidityOffLow
Liebert HVAC System State	lgpSystemState
Liebert HVAC Cooling State	lgpCoolingState
Liebert HVAC Heating State	lgpHeatingState
Liebert HVAC Humidifying State	lgpHumidState
Liebert HVAC Dehumidifying State	lgpDehumidState
Liebert HVAC Economy Cycle State	lgpEconCycle
Liebert HVAC Fan State	lgpFanState
Liebert HVAC Cooling capacity	envCoolCap
Liebert HVAC Heating Capacity	envHeatCap
	outputVoltageXNVolts

 

 

 

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

The IPS Vulnerability Map

The IPS Vulnerability Map lists devices that have a known vulnerability. You can view the IPS Vulnerability Map by going to Incidents > IPS Vunerability Map, and you can also add new devices to the map.

The IPS Vulnerability Map includes these columns.

Column	Description
IPS Event Types	The event types associated with the vulnerability
Vendor Vulnerability ID	The vulnerability ID provided by the device vendor
CVE IDs	The vulnerability ID provided by Common Vulnerabilities and Exposures
Vulnerability Description	A brief description of the device’s vulnerability
Found in Device Type	Specific devices or applications that have the vulnerability
Found in Version	The version of the device or application that has the vulnerability
Fixed in Version	The version in which the vulnerability was fixed
Fixed via Patches	The patch version in which the vulnerability was fixed

 

Adding Entries to the IPS Vulnerabilities Map

 

Adding Entries to the IPS Vulnerabilities Map

2. Go to Incidents > IPS Vulnerability Map.
3. Click Add.
4. Select the IPS Event Type associated with the vulnerability.
5. Enter any Vendor Vulnerability ID
6. Enter any CVE ID

See the Common Vulnerability and Exposures website for CVE IDs. Separate multiple IDs with commas.

7. Enter a Vulnerability Description.
8. For Affected Software, click Add, and then select the affected devices or applications from the Found in Device Type
9. Enter any Found in Version information for the affected software.
10. Enter any fix information for the vulnerability.
11. Click OK.
12. Click Save.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Monitoring Custom Applications

While FortiSIEM provides support for many applications, there may also be situations in which you have a custom application running in your infrastructure that you want to monitor. This topic explains how to set up FortiSIEM to monitor that application, and add it to a business service.

1. Log in to your Supervisor.
2. Go to CMDB > Applications, and either select a group where you want to add the application, or create a new one.
3. Click New, and enter an Application Name and a Process Name.
4. Click Save.
5. Initiate discovery of the server where the application is running.
6. Go to CMDB > Devices and select the server.
7. Click the Software tab and make sure the application has been discovered.
8. Go to General Settings > Monitoring > Important Processes.
9. Click Add and enter the name of the process that the application is running on.
10. Click Apply All.
11. Run a structured historical search using these attributes to make sure the process utilization metrics are being received by FortiSIEM.

Attribute	Value
Reporting IP	The IP address of the server where the application is running
Event Type	PH_DEV_MON_PROC_RESOURCE_UTIL
Application Name	The name of the application

12. Add your application to a business service.

You should now be able to go Dashboard > Summary Dashboards > Biz Service Summary and see your process running under Top Monitored Processes when you select the associated business service.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Dynamic Population of Location, User, and and Geolocation Information for Events

In most cases, network logs only contain IP address information, but to investigate incidents involving that IP, you need additional context for that IP address such as host name, user, and geolocation information. Because FortiSIEM collects detailed IT infrastructure information in the CMDB, it is able to correlate that information to the IP address to create a context for the event, and insert that context information into events in real time as parsed attributes. This topic describes the way in which this context information is populated into events.

Correlating Event Information

Assigning Attributes to Events

Host Name Attribute

User Name Attribute

Geolocation Attribute

Dynamic Updating of Attribute Information

Attributes Added to Events

Correlating Event Information

Event information is derived from several different sources.

1. During the discovery process, FortiSIEM discovers the host name and network interface address information during discovery and stores them in the CMDB. If any IP address other than the Access IP changes, then running a rediscovery will update the CMDB with the right information.
2. FortiSIEM collates information from various authentication logs and forms a time-based Identity and Location Report containing the IP address, MAC address, Host Name, Domain, User, Network Access Point, and Network Access Point Port for the event.
3. The geolocation database maps IP addresses to Country, State, City, Organization, Longitude, and Latitude information.

Assigning Attributes to Events

When FortiSIEM parses an event, attributes are assigned to it following this process:

Host Name Attribute

For each IP address (Host IP, Source IP, Destination IP, Reporting IP):

1. FortiSIEM checks the CMDB for an associated host name, and if one is found, then the host name is added to the event.
2. If the host name is not found in then CMDB, then FortiSIEM checks the Identity and Location Report for the host name, and if one is found, then it is added to the event.
3. If the host name is not found in either the CMDB or Identity and Location Report, then FortiSIEM runs DNS lookup for the host name, and if one is found, then it is added to the event. For performance reasons the DNS result is cached, and because excessive DNS lookups can cause event processing delays, FortiSIEM has an algorithm to dynamically bypass DNS lookup if it begins falling behind in event processing.

User Name Attribute

For Source IP, FortiSIEM checks for user information in the Identity and Location Report, and if anything is found, it is added to the event.

Geolocation Attribute

For each IP address (Host IP, Source IP, Destination IP, Reporting IP), FortiSIEM checks the geolocation database. If geolocation information is found for that IP, then  Country, State, City, Organization, Longitude, and Latitude information is added to it.

Dynamic Updating of Attribute Information

For any of these attributes, when there is a change in the infrastructure (for example, a network device has a new IP or a new user logs on to the system), the change is populated into the CMDB and/or Identity and Location Report, and the event parsing module learns of the change and starts populating events with the new metadata.

Because the FortiSIEM approach to populating event attributes is dynamic and change driven, it is always able to map the right IP address to host names and users in the face of dynamic changes in the IT infrastructure.

Attributes Added to Events

IP Type

Attributes

 

Source IP	1.  Source Host Name 2.  User (corresponding to Source IP) 3.  Source Country 4.  Source State 5.  Source City 6.  Source Organization 7.  Source Longitude 8.  Source Latitude
Destination IP	1.  Destination Host Name 2.  Destination Country 3.  Destination State 4.  Destination City 5.  Destination Organization 6.  Destination Longitude 7.  Destination Latitude
Host IP	1.  Host Name 2.  Host Country 3.  Host State 4.  Host City 5.  Host Organization 6.  Host Longitude 7.  Host Latitude
Reporting IP	1.  Reporting Host Name 2.  Reporting Country 3.  Reporting State 4.  Reporting City 5.  Reporting Organization 6.  Reporting Longitude 7.  Reporting Latitude
PostNAT (Network Address Translation) IP	1.  PostNAT Country 2.  PostNAT State 3.  PostNAT City 4.  PostNAT Organization 5.  PostNAT Longitude 6.  PostNAT Latitude

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Miscellaneous Operations

Exporting Events to Files

You can run the phExportEvent tool from a Supervisor or Worker node to export events to CSV files. The file will contain these fields:

phExportEvent Command	Description
DESTINATION_DIR	Destination directory where the exported event files are saved
START_TIME	Starting time of events to be exported. The format is YYYY-MM-DD HH:MM:SS {+|-} TZ. If TZ is not given, local time zone of the machine where the script is running will be used. Example: 2010-03-10 23:00:00 -8 means Pacific Standard Time, 23:00:00 03/10/2010. 2010-07-29 10:20:00 +5:30 means India Standard Time 10:20:00 07/29/2010.
RELATIVE_START_TIME	Starting time of events to be exported relative backward to the end time as specified using –endtime END_TIME . The format is where NUM is the number of days or hours or minutes. For example, –relstarttime 5d means the starting time is 5 days prior to the ending time.
END_TIME	Ending time of events to be exported. The format is the same as START_TIME.
RELATIVE_END_TIME	Ending time of events to be exported relative forward to the start time as specified using START_TIME. The format is same as RELATIVE_START_TIME.
DEVICE_NAME	Host name or IP address of the device with the events to be exported. Use a comma-separated list to specify multiple IPs or host names, for example, –dev 10.1.1.1,10.10.10.1,router1,router2. Host name is case insensitive
ORGANIZATION_NAME	Used only for multi-tenant deployments. The name of the organization with the events to be exported. To specify multiple organizations, enter a commandeach for one organization, for example, –org “Public Bank” –org “Private Bank”. The organization name is case insensitive.
TIME_ZONE	Specifies the time zone used to format the event received time in the exported event files. The format is {+|-}TZ, for example, -8 means Pacific Standard Time, +5:30 means India Standard Time.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Device Risk Score Computation

Risk computation algorithms are proprietary and this section presents only the knobs that user is able to tweak to change the score.

Risk score components

The following factors affect risk score of a device

1. Device Importance (also called Asset Weight)
2. Count and CVS Score for non-remediated vulnerabilities found for that device
3. Severity and Frequency of Security incidents triggering with that device as source or destination
4. Severity and Frequency of Other (performance, availability and change) incidents triggering on that device

Overall Score (0-100) is a weighted average of 3 components – Vulnerability Score, Security Incident Score and Other Incident Score, computed as follows.

User controllable constants

1. Device Importance – this can be set in CMDB > Device > Summary. You can select multiple devices and set the Importance in one shot.

Values are

1. Mission Critical – 10
2. Critical – 7
3. Important – 4
4. Normal – 1

2. Relative weights of Vulnerabilities, Security and Other incidents to the risk score. The default values of the constants are defined in phoenix_config.txt:
   1. vul_weight = 0.6
   2. security_inci_weight = 0.3
   3. security_inci_weight = 0.1
3. Maximum number of high-severity events that a mission-critical host can tolerate for each of the 3 score components. These default thresholds are defined in ‘phoenix_config.txt:
   1. vul_threshold = 1
   2. security_inci_threshold = 3
   3. other_inci_threshold = 6

Time varying Risk score

Risk scores are computed for each day. Current risk score is a exponentially weighted average of today’s risk and yesterday’s risk.

The algorithm also reduces the score for earlier vulnerabilities that are now patched. Such vulnerabilities have a weight of 0.7 while new and old but existing vulnerabilities have weight 1

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Incidents – HTML5 version

Incident tab allows users to view and manage incidents.

Incident Attributes

This topic describes all the columns that can be used to create views in the Incident Dashboard. You can add or remove columns from the dashboard by clicking the Columns icon.

Column Name	Description
Severity	The severity of the incident, High, Medium, or Low
Last Occurred	The last time that the incident was triggered
First Occurred	The first time that the incident was triggered
Incident	The name of the rule that triggered the incident
Incident ID	The unique ID assigned to the incident
Source	The source IP or host name that triggered the incident
Target	The IP or host name where the incident occurred
Detail	Event attributes that triggered the incident
Status	The status of the incident, Active, Cleared, Cleared Manually, System Cleared
Cleared Reason	For manually cleared incidents, this displays the reason the incident was cleared
Cleared Time	The time an incident was cleared
Cleared User	The person who cleared the incident
Comments	Any comments that users have entered for the incident
Ticket Status	Status of any tickets associated with the incident
Ticket ID	The ID number of any tickets generated by the incident
Ticket User	The person assigned to any tickets generated by the event
External User	If the ticket was cleared in an external ticket-handling system, this lists the name of the person the ticket was assigned to
External Cleared Time	If the ticket was cleared in an external ticket-handling system, this lists the time it was cleared
External Resolved Time	If the ticket was resolved in an external ticket-handling system, this lists the time it was resolved
External Ticket ID	The ID of the incident in an external ticket-handling system
External Ticket State	The state of the incident ticket in an external ticket-handling system
External Ticket Type	The type assigned to the incident ticket in an external ticket-handling system
Organization	The organization reporting the event
Impacts	Organizations impacted by the event
Business Service	Business services impacted by the incident
Incident Notification Status	Status of any notifications that were sent because of the incident
Notification Recipients	Who received notification of the incident
Incident Count	How many times the incident has occurred during the selected time interval

 

 

Viewing Incidents

Device Risk View of all incidents

List view of all incidents

Viewing incident details

Grouped View of all incidents

Device Risk View of all incidents

This is the default view when user clicks the Incident tab. It shows a list of devices that triggered incidents. Devices are ranked by a risk score that is computed by combining asset criticality, triggered incidents and found security vulnerabilities (details – here).

To see the incidents for a device, click that device. The incidents show up in a time line view.

List view of all incidents

This view provides a list of all incidents over a time period. By default:

Active Incidents over the last 2 hours are displayed

The following incident attributes are shown

Severity – High, Medium, Low – shown by colored icons

Last Occurred – the last time the Incident happened

Reporting Device Name – names of devices that reported the events that led to the incident Incident – rule name

Source – incident source

Target – incident target

Detail – incident parameters other than source and target

Count – number of times the same incident has triggered

To show incidents over a different time interval

Click Time Range Button

A search window appears

To choose a relative time window

Choose Time Range Operator as LAST.

Specify the number of Minutes/Hours/Days/Weeks.

Click Check button.

The Incident page will automatically refresh to show all the incidents over the time window.

To choose an absolute time window

Choose Time Range Operator as FROM.

Specify the starting and end times.

Click Check button.

The Incident page will automatically refresh to show all the incidents over the time window

An incident can be in any of the following states

Active

Cleared

Cleared Manually

System Cleared

By default only Active Incidents are shown. To show Incidents in other states

Click Incident Status Button  A search window appears

To add a new value, click on the white space next to the selected value. A menu appears. Select the needed values one by one.

Click Check button

The Incident page will automatically refresh to show all the incidents in selected state(s)

To select a different set of Incident attributes

Click Choose columns icon

In the popup, select the columns you want to display by moving them to the right. You can re-order the position of the columns. ClickOK.To force a refresh of the incident view, click the Refresh icon

Incidents may be displayed over multiple pages. To see incidents on a different page,

Select the Page Selector icon

Either enter the page number or click on the Next or Previous icon to go to the right page

To view incidents for a different organization (Service Provider version),

Click the User icon on top right

Choose the right organization

Click Change View

Viewing incident details

In the default view, an incident is shown in a single line. To see the details of the incident,

Click anywhere on the incident line

Basic incident attributes are shown immediately below the incident More advanced incident attributes are shown in a bottom pane

To revert to the single line incident view, click anywhere on the incident line. Detailed views will disappear.

To view the rule that triggered the incident,

Click anywhere on the incident line in the single line incident view In the bottom pane, Click Rule tab. Rule details are displayed.

To view the events that triggered the incident

Click anywhere on the incident line in the single line incident view

In the bottom pane, Click Events tab. Basic Event attributes are displayed in a single line. To see the raw events, click on the Basic Event line. Raw events are displayed.

Grouped View of all incidents

Sometimes user may need a grouped view of incidents to get an overview of what incidents have triggered and involves which devices. The following grouped views are provided

Severity – Ranks Incident Severities By Count

Name – Ranks the Incidents By Count

Name, Target – Ranks Incident Name and Incident Target By Count

Name, Source – Ranks Incident Name and Incident Source By Count

Name, Source, Target – Ranks Incident Name, Incident Source and Incident Target By Count

Name, Source, Target, Business Service – Ranks Incident Name, Incident Source, Incident Target and Business Services By Count Name, Source, Target, Business Service, Organizations – Ranks Incident Name, Incident Source, Incident Target, Business Services and Organizations By Count

Searching Incidents

Searchable Incident Attributes

Constructing Search Condition

Searchable Incident Attributes

Incident Attribute	Description
Time Range	In
ID	Incident ID
IP	Incident Source IP or Incident Target IP
Host	Host name associated with Incident Source IP or Incident Target IP
User	User field specified in Incident Target or Incident Details
Severity	Incident Severity category – High, Medium or Low
Function	Security, Availability, Performance or Change. This is a property of an Incident.
Incident Status	Possible values are Active, Cleared, Cleared Manually, System Cleared
Ticket Status	Possible values are New, Open, Closed, External, reopened, None. External means opened in an external system.
Incident	Rule name
Biz Service	Business Service name
Organization	Organization name

Constructing Search Condition

To construct a Search condition from a displayed Incident,

Mouse over the cell containing the specific Incident attribute

Right click and choose Add to filter

The condition will be added to existing search string

Matching incidents will be displayed

To construct a Search condition from scratch

Click on the Add filter edit area. Three fields are displayed

Incident Attribute

Operator

Value

Select one of the Incident Attributes from the drop down

Select an Operator from =, != IN, NOT IN, CONTAINS, NOT CONTAINS Select one or more Values from the displayed choices Click the Check button.

Matching incidents will be displayed

 

Managing Incidents

Adding Comments

Clearing Incidents

Exporting Incidents to a PDF document

Adding Comments

Click on an Incident in the un-grouped view From Actions drop down, select Add Comments Write the comment and click OK.

Clearing Incidents

Click on an Incident in the un-grouped view

If you have more incidents to clear, then press Shift and click on the second incident. This will will select all incidents between the first one and this one. To get this approach to work effectively,

Create a filter to get all the incidents to be cleared in view

Select the first incident

Press Shift and click on the last incident – all incidents are now selected From Actions drop down, select Clear Click OK

Exporting Incidents to a PDF document

Click on an Incident in the un-grouped view

If you have more incidents to export, then press Shift and click on the second incident. This will will select all incidents between the first one and this one. To get this approach to work effectively,

Create a filter to get all the incidents to be exported in view

Select the first incident

Press Shift and click on the last incident – all incidents are now selected From Actions drop down, select Export Click OK

 

 

 

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Creating Tickets in External Ticketing System

See External Helpdesk System Integration.

Using Incidents in Searches and Rules

Creating an Historical Search from an Incident

Creating a Real Time Search from an Incident Editing Rules from Incidents

Creating an Historical Search from an Incident

When you are viewing an incident, you may want to about other events related to the source or target of the incident. This topic describes how to create an historical search from an incident.

1. In the Incident Dashboard, select the incident you want to use.
2. Select the Incident Source or Incident Target you want to use, and then select Show Related Historical Events.

The Historical Search interface will load, with the IP address of the selected incident attribute loaded in the Filter By conditions, and the Display Fields set to the incident attributes.

3. Click Run.
4. You will see a list of events for the Incident Source or Target, which you can further analyze as described in Refining the Results from Historical Search.

Creating a Real Time Search from an Incident

When you are viewing an incident, you may want to about other events related to the source or target of the incident. This topic describes how to create a real time search from an incident.

1. In the Incident Dashboard, select the incident you want to use.
2. Select the Incident Source or Incident Target you want to use, and then select Show Related Real Time Events.

The real time search interface will load, with the IP address of the selected incident attribute loaded in the Filter By conditions, and the Di splay Fields set to the incident attributes.

3. Click Run.
4. You will see a list of events for the Incident Source or Target, which you can further analyze as described in Viewing and Refining Real Time Search Results.

Editing Rules from Incidents

If you need to edit the rule associated with an incident, you can do so directly from the Incident Dashboard.

1. In the Incident Dashboard, select an incident based on the rule you want to edit.
2. Click in any column of the selected incident to open the Options menu, and then select Edit Rule.
3. Edit the rule as necessary, and then click Save.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!