Category Archives: Administration Guides

FortiSIEM Identity and Location Report

1 Reply
Identity and Location Report

Overview

The Identity and Location Report Display Fields

Report Information and Event Types

Creating New Identity Events

Overview

The Identity and Location report is constructed by associating a network identity like an IP address, or MAC address, to a user identity like a user name, computer name, or domain, and tying that to a location, like a wired switch port, a wireless LAN controller, or VPN gateway. When any element of these associations changes, a new entry is created in the report.

The associations between IP addresses, users, and locations are obtained by combining Windows Active Directory events, DHCP events, and WLAN and VPN logon events, with discovery results to produce a report combining all of this information into a comprehensive listing of users and machines by their identity and location.

The Identity and Location Report Display Fields

The Identity and Location Report contains these display fields:

Display

Field

 Description
IP

Address

 IP adress of a host whose identity and location is recorded in this result. You can view IP addresses with country flags in a map by clicking Locations.
MAC

Address

 MAC address of the host
User User associated with this IP Address. Obtained from one of these event types: Windows Domain Logon, WLAN Login, VPN Logon, AAA Authentication. See the section on Report Information and Event Types on this topic for more information.
Host

Name

 Obtained from the Windows Domain Logon and WLAN Authentication event types.
Domain Information displayed here depends on the logon event type it was obtained from:

Windows Domain Logon: the Domain name

VPN Logon: the reporting IP address of the VPN gateway

WLAN Logon: the reporting IP address of the WLAN controller

AAA Logon: the reporting IP of the AAA server
VLAN ID For hosts directly attached to a switch, this is the VLAN ID of the switch port
Location For hosts attached to a switch port, this is the switch name, reporting IP address, and interface name
First

Seen

 The time at which this entry was first created in the AccelOps Identity and Location table
Last

Seen

 The time at which some attribute of this entry was last updated. If there is a conflict, for example a host acquiring a new IP address because of DHCP, then the original entry is closed and a new entry is created. A closed entry will never be updated.

Report Information and Event Types

This table lists the events and event types that contribute to information in the Identity and Location Report, as well as what information is collected for each type of event.

  IP MAC Host Name User Domain VLAN Location Contributing Event Types
DHCP Renew Events x x WIN-DHCP-IP-LEASE-RENEW

WIN-DHCP-IP-ASSIGN

Linux_DHCPACK

Generic_DHCPACK
AD Successful Login

Events

 x x (resolvable by DNS or in AccelOps CMDB) x (if in

Event)

 x Win-Security-540

Win-Security-4624
AAA Successful Login

Events

 x x x Win-IAS-PassedAuth

CisACS_01_PassedAuth
VPN Successful Login

Events

 x x x Cisco-VPN3K-IKE/25

ASA-722022

ASA-713228

ASA-713049-Client-VPN-Logon-success
WLAN Successful

Login Events

 x (if in

Event)

 x x (if in

Event)

 x  Cisco-WLC-53-bsnDot11StationAssociate
WLAN Discovery

Events

 x (if in

Event)

 x x (if in

Event)

 x PH_DISCOV_CISCO_WLAN_HOST_LOCATION

PH_DISCOV_ARUBA_WLAN_HOST_LOCATION
VoIP Call Manager

Discovery Events

 x x x x  PH_DISCOV_VOIP_PHONE_ID
AccelOps L2 discovery

Events

 x x x (if resolvable by DNS or in AccelOps CMDB) x x  PH_DISCOV_HOST_LOCATION

Creating New Identity Events

There may be a situation in which a new event type is added to AccelOps, and you want to use the parsed attributes of that event in the Identity and Location report. Once you have made sure that the event will parse correctly, you will need to edit the identityDef.xml file for your Supervisor and any Worker nodes in your deployment.

  1. Log in to your Supervisor host machine as admin.
  2. Change the directory to /opt/phoenix/config/xml.
  3. Logon to AccelOps Super as admin
  4. Edit the xml file:
    1. Create a new <identityEvent>.
    2. For <eventType>, enter the ID of the event containing the identity attribute.
    3. For <eventAttributes>, enter the name of the event attribute and its corresponding identity attribute. For reqd, enter yes if t he event must have this event attribute for use in the identity and location report. Possible location attributes include: ipAddr macAddr computerName domain domainUser aaaUser vpnUser geoCountry geoState geoCity geoLatitude vlanId netEntryPt netEntryPort
  5. Restart identityMaster and identityWorker
  6. Repeat for any Worker nodes.

This code sample is an example of a new <identityEvent> entry in the identityDef.xml file

 

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiSIEM Creating a Report or Baseline Report

Leave a reply
Creating a Report or Baseline Report

Creating a report or baseline report is like creating a structured historical search, because you set the Conditions and Group By attributes that will be used to process the report data, and specify Display Fields to use in the report summary.

  1. Log in to your Supervisor node.
  2. Go to Analytics > Reports, and select the category for your new report.

Select Baseline for baseline reports.

  1. Click New.
  2. Enter a report Name and Description.
  3. For baseline reports, select Anomaly Detection Baseline.
  4. Enter the Conditions to use in your report.

See Selecting Attributes for Structured Searches, Display Fields, and Rules and Using Expressions in Structured Searches and Rules for more information on setting conditions. For creating baseline reports, see Baseline Reports for information on how to use the STAT_AVG and STAT_STDDEV functions in creating expressions for baseline reports.

  1. Select the Group By attribute to use in processing the search results.

The topic Example of How a Structured Historical Search is Processed explains how the Group By attribute is used in search results.

  1. Set the Display Fields to use in your search results.

See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information on using event attributes in display fields.

  1. Click Save.

Your report will be saved into the selected category, and you can now run it or schedule it to run later.

Related Links

Creating a Structured Historical Search

Selecting Attributes for Structured Searches, Display Fields, and Rules

Example of How a Structured Historical Search is Processed

Using Expressions in Structured Searches and Rules Baseline Reports


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiSIEM System-Defined Baseline Reports

Leave a reply

System-Defined Baseline Reports

The following system provided baseline reports are continuously running in the system.

Network Traffic Analysis

Performance / Availability Monitoring

Logon Activity

 

Report Description ID Fields
DNS Request

Profile

 This report baselines DNS requests on a per client basis: the number of requests and distinct destinations it attempted to resolve 113 Key: Source IP

Values: Number of Requests, Distinct Destination Count – means and standard deviation for each
DNS Traffic

Profile

 This report baselines DNS traffic characteristics on a per client basis: sent and receive bytes and packets. 113 Key: Source IP

Values: Sent Bytes, Received Bytes, Total Bytes – mean and standard deviation for each
Destination

Traffic Profile

 This report baselines traffic destined to a server. The data is reported by network flow (Netflow, Sflow) and firewall logs. For each destination IP, the number of distinct peers, the number of distinct ports opened on the server and the total number of flows are tracked. 126 Key: Destination IP

Values: Distinct Source IP, Distinct

Destination Ports, Total Flows –  mean and standard deviation for each
Source Traffic

Profile

 This report baselines traffic generated by a source. The data is reported by network flow (Netflow, Sflow) and firewall logs. For each source IP, the number of distinct peers, the number of distinct ports opened by the source, the total number of flows and total bytes exchanged are tracked. 125 Key: Source IP

Values: Distinct Destination IP, Distinct

Destination Ports, Total Flows, Total Bytes

–  mean and standard deviation for each
Firewall

Connection

Count Profile

 This report provides baseline of permitted firewall connection count typically gathered by

SNMP.

 112 Key: Firewall Name, Firewall IP

Values: Firewall Connection Count – mean and standard deviation for each
Firewall Denied

Aggregate

Traffic Profile

 This profile baselines denied firewall traffic from firewall logs – volume of denied traffic, distinct attacker count, distinct target IP and port. 108 Key: Firewall Name, Firewall IP

Values: Denied Flows, Distinct Denied

Source IP,  Distinct Denied Destination IP, Distinct Denied Destination Port –  mean and standard deviation for each
ICMP Traffic

Profile

 This report baselines generated ICMP traffic by each source: number of ICMP packets and number of distinct destinations 114 Key: Source IP

Values: Distinct Destinations, Total Flows, Total Bytes –  mean and standard deviation for each
Inbound

Firewall Denied

TCP/UDP Port

Profile

 This report provides baseline of denied inbound TCP/UDP port usage as reported by firewall logs. For every port, the number of denied attempts and the number of distinct source are profiled. 106 Key: Destination Protocol, Port

Values: Distinct Source IP, Total Flows – mean and standard deviation for each
Inbound

Firewall Permitt

edTCP/UDP

Port Usage

Profile

 This report provides baseline of permitted inbound TCP/UDP port usage. The data is reported by firewall logs. For every inbound destination port and protocol combination, the total number of unique sources, destinations and the total bytes and flows are profiled 104 Key: Destination Protocol, Port

Values: Distinct Source IP, Distinct Destination IP, Total Flows, Total Bytes – mean and standard deviation for each
Outbound

Firewall Denied

TCP/UDP Port

Profile

 This report provides baseline of denied outbound TCP/UDP port usage as reported by firewall logs. For every port, the number of denied attempts and the number of distinct destinations are profiled. 107 Key: Destination Protocol, Port

Values: Distinct Destination IP, Total Flows –  mean and standard deviation for each
Outbound

Firewall Permitt

edTCP/UDP

Port Usage

Profile

 This report provides baseline of permitted inbound TCP/UDP port usage. The data is reported by firewall logs. For every inbound destination port and protocol combination, the total number of unique sources, destinations and the total bytes and flows are profiled 105 Key: Destination Protocol, Port

Values: Distinct Source IP, Distinct Destination IP, Total Flows, Total Bytes – mean and standard deviation for each

Network Traffic Analysis

Performance / Availability Monitoring

Report Description ID Fields
Device CPU,

Memory

Usage Profile

 This report provides baselines cpu, memory usage – the data is collected by SNMP or

WMI. For every host, CPU, real and virtual memory utilization are profiled

 109 Key: Host Name

Values: CPU Utilization, Memory Utilization, Virtual Memory Utilization –  mean and standard deviation for each
Device Disk

I/O Profile

 This report provides baselines disk I/O usage for servers, VMs and ESX – the data is collected by SNMP or WMI or VCenter API. For every host and disk combination, read and write volumes are profiled 121 Key: Host Name, Datastore Name, Disk

Name

Values: Disk Read KBps, Disk Write KBps – mean and standard deviation for each
Network

Interface

Traffic Profile

 This report provides baselines network interface traffic. The data is collected by SNMP. For each network interface, the total sent and received bytes are profiled. 110 Key: Host Name, Interface name

Values: Sent Bytes, Received Bytes –  mean and standard deviation for each
Network

Interface Error

Profile

 This report provides baselines network interface errors and discards. The data is collected by SNMP. For each network interface, the total errors and discards are profiled. 111 Key: Host Name, Interface name

Values: Errors, Discards –  inbound and outbound – mean for each
Server

Process

Count profile

 This report baselines the number of processes running at a server. The data is collected by SNMP. 123 Key: Host name

Values: Process Count –  mean and

standard deviation
Reporting

EPS Profile

 This report baselines the rate at which devices sends events to AccelOps. 116 Key: Host Name, Host IP

Values: Events/sec –  mean and standard deviation
Reported

Event Type

Profile

 This report provides baselines for distinct event types reported by a device. 119 Key: Host Name, Host IP

Values: Distinct Event Type –  mean and standard deviation
Reported

Error Log

Profile

 This report baselines the number of system errors reported in logs on a per device basis. 120 Key: Host Name, Host IP

Values: Number of events classified as system errors –  mean
STM

Response

Time Profile

 This report baselines Synthetic Transaction Monitoring response times 123 Key: Host Name, Monitor Name Values: Response Time –  mean and standard deviation

Logon Activity

Report Description ID Fields
Successful

Logon Profile

 This report baseline successful log on activity at a host. The data is collected from logs. 115 Key: Host Name, Host IP

Values: Successful Logons, Distinct Source IP, Distinct Users – mean and standard deviation
Failed Logon

Profile

 This report baseline failed log on activity at a host. The data is collected from logs. Key: Host Name, Host IP

Values: Failed Logons, Distinct Source IP, Distinct Users –  mean and standard deviation
Privileged Logon

Profile

 This report baseline successful log on activity at a host. The data is collected from logs. 118 Key: Host Name, Host IP

Values: Privileged Logons –  mean and standard deviation

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiSIEM Reports

Leave a reply
Reports

You can think of reports as saved or pre-defined versions of searches that you can load and run at any time. AccelOps includes over 2000 pre-defined reports that you can access in Analytics > Reports. Topics in this section describe how to access and view information about reports, how to create baseline reports, and how to use specialized reports like the Identity and Location report. You can refine the results of your reports in the same way that you would refine the results of an historical search or a real time search.

Baseline Reports

System-Defined Baseline Reports

Creating a Report or Baseline Report

Identity and Location Report

Report Bundles

Creating a Report Bundle

Running a Report Bundle

Running System and User-Defined Reports and Baseline Reports

Scheduling Reports

Viewing Available Reports

 

Baseline Reports

How AccelOps Sets Baselines

Evaluating Rules and Detecting Deviations

When you are setting up AccelOps to monitor your IT infrastructure, you may want to define what is “normal” activity within your systems, and have incidents triggered when a a deviation from that normal activity occurs. For example, you can always assume that there will be some logon failures to a server on a daily basis. Rather than creating a rule that will trigger an incident when a certain hard-coded number of failures occurs, you can set up baseline reports that will trigger an incident when the total number of logon failures over a time period is twice the average over the same time period, or when the deviation from the average is threee times the standard deviation over a specific time period.

By creating a baseline report, you can set mean and standard deviations for any metric and use them in rule, and AccelOps will evaluate the current monitored values against the mean and standard deviation for that time period.

How AccelOps Sets Baselines

Establishing a baseline means recognizing that data center resource usage is time dependent:

Usage is different during weekdays and weekends, and may also be different depending on the day of the week or month Usage is dramatically higher during business hours, typically 8am-5pm

AccelOps maintains distinct baselines for weekdays, weekends and for each hour of day – a total of 24*2 = 48 buckets. Baselines for days of the week or month are not maintained to save memory usage, as this would require 31*24 = 1764 buckets, a 15 fold-increase of memory.

A baseline report is a set of Keys that represent the baselined metrics, and a collection of Values. You can see examples of these Keys and Values in the System-Defined Baseline Reports. These are then used in this process to build the report:

  1. During the current hour, the Supervisor and any Worker nodes operate in parallel to save a baseline report in memory by analyzing the report events as a stream.
  2. When the hour finishes:
    1. The report is written to disk (on NFS for AccelOps cluster).
    2. The Supervisor module summarizes individual baseline reports from all nodes and forms the baseline for the current hour. c. The baselines are stored in a SQLite database on a local Supervisor.
    3. The Supervisor module reads the previous baseline for the current time interval from the SQLite database. Then it combines the previous values with the current values to create a new baseline.
    4. The new baseline is then stored in SQLite database.
  3. For the new hour, a new baseline is created following this process

As this process illustrates, baselining is continuous in AccelOps, and new baseline values are learned adaptively.

Evaluating Rules and Detecting Deviations

A baseline rule contains expressions that involve using the functions STAT_AVG() and STAT_STDDEV() to set dynamic thresholds.

These examples show how STAT_AVG() and STAT_STDDEV() would be used to evaluate the conditions for the example of logon failures in the introduction to this topic.

Condition Statement How the Baseline is Evaluated
Current value of X is more than 2 times the statistical average of X for the current hour Baseline evaluated using Baseline Report with ID X > 2 *

STAT_AVG(X:ID)
Deviation of X from its statistical average is more than 3 times its standard deviation for the current hour All baselines evaluated using Baseline Report with ID ABS(X –

STAT_AVG(X:ID) > 3 * STAT_STDDEV(X:ID)

When AccelOps processes these rules:

  1. Rule engine computes the current values in memory.
  2. Every 5 minutes:
    1. It looks for STAT_AVG(X:ID) and STAT_STDDEV(X:ID) in memory
    2. If it fails, it retrieves them from the SQLite database and caches them for future use during the hour. c. Evaluates the rule conditions

A sample rule condition involving statistical functions is shown below with (X = AVG(fwConnCount); ID = 112).


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiSIEM Viewing Rules

Leave a reply
Viewing Rules

AccelOps includes a large set of rules for Availability, Performance, Change, and Security incidents in addition to the rules that you can define for your system.

  1. To view all system and user-defined rules, go to Analytics > Rules.
  2. For multi-tenant deployments, use the Organizations menu in the upper-right corner of the Rules List pane to filter rules by organization.
  3. Select any rule in the Rules List to view information about it.

All rules have three information tabs:

Tab Description
Summary This tab provides an overview of the rule’s logic, its status, and its notification settings.
Definition An XML definition of the rule. This is what will be copied to your clipboard if you Export a rule.
Test Results If you are testing a rule, you can view the results here.

 

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiSIEM Using Watch Lists as Conditions in Rules and Reports

Leave a reply
Using Watch Lists as Conditions in Rules and Reports

You may want to create a rule that refers to the attributes in a watch list, for example if you want to create a condition in which a Source IP listed in your DNS Violators watch list will trigger an incident.

  1. Go to the rule or report where you want to use the watch list.
  2. Under Conditions for the report, or under Filters in your rule subpattern, enter the watch list attribute you want to filter for in the Attribut e

For example, Source IP.

  1. For Operator, select IN.
  2. Click next to Value, and use the CMDB Browser to find and select the watch list you want to use.

For example, DNS Violators.

  1. Click Folder >> to select the watch list, and then click OK.
  2. Continue with creating your search criteria or rule sub pattern as you normally would.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiSIEM Using Geolocation Attributes in Rules

Leave a reply
Using Geolocation Attributes in Rules

In the same way that you can use geolocation attributes in searches and search results, you can also use them in creating rules. AccelOps includes four system-level rules based on geolocation attributes:

Failed VPN Logon from Outside My Country

Successful VPN Logon from Outside My Country

Large Inbound Transfer From Outside My Country

Large Outbound Transfer To Outside My Country

This screenshot shows the sub pattern for Failed VPN Logon from Outside My Country as an illustration of the way you can use geolocation attributes in a rule.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiSIEM Setting Global and Per-Device Threshold Properties

Leave a reply
Setting Global and Per-Device Threshold Properties

Overview

Defining a Global Threshold Property

Defining Per-Device Threshold Properties

Using the DeviceToCMDBAttr Function in a Rule

Overview

In many cases when you create a rule, you set values for device thresholds that should trigger an incident. The example of a rule with a single sub-pattern, for example, contains a condition where if the average CPU utilization of a server exceeds 95% over 3 samples, an incident should be triggered. This is an example of setting an absolute value for the threshold in the rule itself.

Instead of setting an absolute value for the threshold, you can define global threshold properties that you can use as functions within a rule, and also define these threshold properties on a per-device basis. The advantage of this approach is that if you want to change the threshold values in a rule, you can edit the threshold property, rather than having to edit the rule. This is accomplished by using the DeviceToCMDBAttr function to return the value set for that device in the rule.

This table illustrates the difference between using an absolute value, shown in the first column, and threshold property, shown in the second column, in the aggregation conditions for a rule. For the threshold property, the function takes the form of DeviceToCMDBAttr(Host IP,

Threshold Property), while it takes the form of DeviceToCMDBAttr(Host IP, Component, Threshold) for devices with components as shown in the second example.

Rule Name Aggregate Condition based on

Absolute Value

 Aggregate Condition based on Threshold Property Value
Server CPU Critical AVG(CPU Utilization) > 95 AVG(CPU Utilization) > DeviceToCMDBAttr (Host IP,Server CPU Util Critical Threshold)
Server Disk Space

Critical

 AVG(Disk Utilization) > 99 AVG(Disk Utilization) > DeviceToCMDBAttr(Host IP,Disk Name,Disk Space Util Critical Threshold)

In the first example, when the rule evaluates the function, the Server CPU Critical rule will return the value of Server CPU Util Critical

Threshold for the host IP if that has been defined for the reporting device, otherwise the global threshold value will return. In the second example, if the Disk Space Util Critical Threshold is defined for a (Host IP,Disk Name) tuple, then the function returns that value, otherwise the global threshold value returns. This is an example of a Map threshold, in which there is one threshold value for each component, and which apply only to disk and interface components.

Defining a Global Threshold Property

AccelOps includes over 30+ pre-defined global threshold properties that you can edit and use in rules, but you can also create custom threshold properties.

  1. Go to Admin > Device Support.
  2. Click the Custom Properties
  3. Click Add.
  4. Enter a Name and Display Name for the new threshold property.
  5. Enter the Default Value for the threshold.
  6. Select the Type of threshold value.

For most global threshold values you will select Double. For Map thresholds, which apply to disks and interfaces, select the Item Type fo r the threshold value, and then select the Component Type to which it applies.

  1. Click Save.
Defining Per-Device Threshold Properties
  1. Go to CDMB > Devices.
  2. Select a device.
  3. In the Device Details pane, click Edit.
  4. Click the Properties
  5. For any of the threshold properties, enter a value.

If you want to edit a Map property, click Edit next to the property name, and then enter the value. If that device does not have any components to which that property could apply, you will see an error message.

  1. Click OK.
Using the DeviceToCMDBAttr Function in a Rule

Using the example of the Server CPU Critical rule, you would use the DeviceToCMDB function to set a threshold for the aggregation conditions of the rule in this way:

  1. In the sub pattern of the rule, under Aggregation Conditions, click the expression builder icon next to the Attribute
  2. In the expression builder, under Add Function, select AVG.
  3. In the Add Event Attribute field, select CPU Utilization.
  4. Click OK.

The expression builder will close, and you will see the function and event attribute you selected listed as the Attribute for the Aggregate Conditions.

  1. For Operator, select =.
  2. Click the expression builder icon next to the Value
  3. In the Add Function menu, select DeviceToCMDBAttr.
  4. In the Select Function Pattern dialog, select DeviceToCMDBAttr(EventAttr,CMDBAttr).
  5. Under Add Event Attribute, select Host IP.
  6. Under Add CMDB Attribute, select Server CPU Util Critical Threshold.
  7. Click OK.
  8. Click Save.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!