Dynamic Population of Location, User, and and Geolocation Information for Events

In most cases, network logs only contain IP address information, but to investigate incidents involving that IP, you need additional context for that IP address such as host name, user, and geolocation information. Because FortiSIEM collects detailed IT infrastructure information in the CMDB, it is able to correlate that information to the IP address to create a context for the event, and insert that context information into events in real time as parsed attributes. This topic describes the way in which this context information is populated into events.

Correlating Event Information

Assigning Attributes to Events

Host Name Attribute

User Name Attribute

Geolocation Attribute

Dynamic Updating of Attribute Information

Attributes Added to Events

Correlating Event Information

Event information is derived from several different sources.

1. During the discovery process, FortiSIEM discovers the host name and network interface address information during discovery and stores them in the CMDB. If any IP address other than the Access IP changes, then running a rediscovery will update the CMDB with the right information.
2. FortiSIEM collates information from various authentication logs and forms a time-based Identity and Location Report containing the IP address, MAC address, Host Name, Domain, User, Network Access Point, and Network Access Point Port for the event.
3. The geolocation database maps IP addresses to Country, State, City, Organization, Longitude, and Latitude information.

Assigning Attributes to Events

When FortiSIEM parses an event, attributes are assigned to it following this process:

Host Name Attribute

For each IP address (Host IP, Source IP, Destination IP, Reporting IP):

1. FortiSIEM checks the CMDB for an associated host name, and if one is found, then the host name is added to the event.
2. If the host name is not found in then CMDB, then FortiSIEM checks the Identity and Location Report for the host name, and if one is found, then it is added to the event.
3. If the host name is not found in either the CMDB or Identity and Location Report, then FortiSIEM runs DNS lookup for the host name, and if one is found, then it is added to the event. For performance reasons the DNS result is cached, and because excessive DNS lookups can cause event processing delays, FortiSIEM has an algorithm to dynamically bypass DNS lookup if it begins falling behind in event processing.

User Name Attribute

For Source IP, FortiSIEM checks for user information in the Identity and Location Report, and if anything is found, it is added to the event.

Geolocation Attribute

For each IP address (Host IP, Source IP, Destination IP, Reporting IP), FortiSIEM checks the geolocation database. If geolocation information is found for that IP, then  Country, State, City, Organization, Longitude, and Latitude information is added to it.

Dynamic Updating of Attribute Information

For any of these attributes, when there is a change in the infrastructure (for example, a network device has a new IP or a new user logs on to the system), the change is populated into the CMDB and/or Identity and Location Report, and the event parsing module learns of the change and starts populating events with the new metadata.

Because the FortiSIEM approach to populating event attributes is dynamic and change driven, it is always able to map the right IP address to host names and users in the face of dynamic changes in the IT infrastructure.

Attributes Added to Events

IP Type

Attributes

 

Source IP	1.  Source Host Name 2.  User (corresponding to Source IP) 3.  Source Country 4.  Source State 5.  Source City 6.  Source Organization 7.  Source Longitude 8.  Source Latitude
Destination IP	1.  Destination Host Name 2.  Destination Country 3.  Destination State 4.  Destination City 5.  Destination Organization 6.  Destination Longitude 7.  Destination Latitude
Host IP	1.  Host Name 2.  Host Country 3.  Host State 4.  Host City 5.  Host Organization 6.  Host Longitude 7.  Host Latitude
Reporting IP	1.  Reporting Host Name 2.  Reporting Country 3.  Reporting State 4.  Reporting City 5.  Reporting Organization 6.  Reporting Longitude 7.  Reporting Latitude
PostNAT (Network Address Translation) IP	1.  PostNAT Country 2.  PostNAT State 3.  PostNAT City 4.  PostNAT Organization 5.  PostNAT Longitude 6.  PostNAT Latitude

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Miscellaneous Operations

Exporting Events to Files

You can run the phExportEvent tool from a Supervisor or Worker node to export events to CSV files. The file will contain these fields:

phExportEvent Command	Description
DESTINATION_DIR	Destination directory where the exported event files are saved
START_TIME	Starting time of events to be exported. The format is YYYY-MM-DD HH:MM:SS {+|-} TZ. If TZ is not given, local time zone of the machine where the script is running will be used. Example: 2010-03-10 23:00:00 -8 means Pacific Standard Time, 23:00:00 03/10/2010. 2010-07-29 10:20:00 +5:30 means India Standard Time 10:20:00 07/29/2010.
RELATIVE_START_TIME	Starting time of events to be exported relative backward to the end time as specified using –endtime END_TIME . The format is where NUM is the number of days or hours or minutes. For example, –relstarttime 5d means the starting time is 5 days prior to the ending time.
END_TIME	Ending time of events to be exported. The format is the same as START_TIME.
RELATIVE_END_TIME	Ending time of events to be exported relative forward to the start time as specified using START_TIME. The format is same as RELATIVE_START_TIME.
DEVICE_NAME	Host name or IP address of the device with the events to be exported. Use a comma-separated list to specify multiple IPs or host names, for example, –dev 10.1.1.1,10.10.10.1,router1,router2. Host name is case insensitive
ORGANIZATION_NAME	Used only for multi-tenant deployments. The name of the organization with the events to be exported. To specify multiple organizations, enter a commandeach for one organization, for example, –org “Public Bank” –org “Private Bank”. The organization name is case insensitive.
TIME_ZONE	Specifies the time zone used to format the event received time in the exported event files. The format is {+|-}TZ, for example, -8 means Pacific Standard Time, +5:30 means India Standard Time.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Device Risk Score Computation

Risk computation algorithms are proprietary and this section presents only the knobs that user is able to tweak to change the score.

Risk score components

The following factors affect risk score of a device

1. Device Importance (also called Asset Weight)
2. Count and CVS Score for non-remediated vulnerabilities found for that device
3. Severity and Frequency of Security incidents triggering with that device as source or destination
4. Severity and Frequency of Other (performance, availability and change) incidents triggering on that device

Overall Score (0-100) is a weighted average of 3 components – Vulnerability Score, Security Incident Score and Other Incident Score, computed as follows.

User controllable constants

1. Device Importance – this can be set in CMDB > Device > Summary. You can select multiple devices and set the Importance in one shot.

Values are

1. Mission Critical – 10
2. Critical – 7
3. Important – 4
4. Normal – 1

2. Relative weights of Vulnerabilities, Security and Other incidents to the risk score. The default values of the constants are defined in phoenix_config.txt:
   1. vul_weight = 0.6
   2. security_inci_weight = 0.3
   3. security_inci_weight = 0.1
3. Maximum number of high-severity events that a mission-critical host can tolerate for each of the 3 score components. These default thresholds are defined in ‘phoenix_config.txt:
   1. vul_threshold = 1
   2. security_inci_threshold = 3
   3. other_inci_threshold = 6

Time varying Risk score

Risk scores are computed for each day. Current risk score is a exponentially weighted average of today’s risk and yesterday’s risk.

The algorithm also reduces the score for earlier vulnerabilities that are now patched. Such vulnerabilities have a weight of 0.7 while new and old but existing vulnerabilities have weight 1

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Incidents – HTML5 version

Incident tab allows users to view and manage incidents.

Incident Attributes

This topic describes all the columns that can be used to create views in the Incident Dashboard. You can add or remove columns from the dashboard by clicking the Columns icon.

Column Name	Description
Severity	The severity of the incident, High, Medium, or Low
Last Occurred	The last time that the incident was triggered
First Occurred	The first time that the incident was triggered
Incident	The name of the rule that triggered the incident
Incident ID	The unique ID assigned to the incident
Source	The source IP or host name that triggered the incident
Target	The IP or host name where the incident occurred
Detail	Event attributes that triggered the incident
Status	The status of the incident, Active, Cleared, Cleared Manually, System Cleared
Cleared Reason	For manually cleared incidents, this displays the reason the incident was cleared
Cleared Time	The time an incident was cleared
Cleared User	The person who cleared the incident
Comments	Any comments that users have entered for the incident
Ticket Status	Status of any tickets associated with the incident
Ticket ID	The ID number of any tickets generated by the incident
Ticket User	The person assigned to any tickets generated by the event
External User	If the ticket was cleared in an external ticket-handling system, this lists the name of the person the ticket was assigned to
External Cleared Time	If the ticket was cleared in an external ticket-handling system, this lists the time it was cleared
External Resolved Time	If the ticket was resolved in an external ticket-handling system, this lists the time it was resolved
External Ticket ID	The ID of the incident in an external ticket-handling system
External Ticket State	The state of the incident ticket in an external ticket-handling system
External Ticket Type	The type assigned to the incident ticket in an external ticket-handling system
Organization	The organization reporting the event
Impacts	Organizations impacted by the event
Business Service	Business services impacted by the incident
Incident Notification Status	Status of any notifications that were sent because of the incident
Notification Recipients	Who received notification of the incident
Incident Count	How many times the incident has occurred during the selected time interval

 

 

Viewing Incidents

Device Risk View of all incidents

List view of all incidents

Viewing incident details

Grouped View of all incidents

Device Risk View of all incidents

This is the default view when user clicks the Incident tab. It shows a list of devices that triggered incidents. Devices are ranked by a risk score that is computed by combining asset criticality, triggered incidents and found security vulnerabilities (details – here).

To see the incidents for a device, click that device. The incidents show up in a time line view.

List view of all incidents

This view provides a list of all incidents over a time period. By default:

Active Incidents over the last 2 hours are displayed

The following incident attributes are shown

Severity – High, Medium, Low – shown by colored icons

Last Occurred – the last time the Incident happened

Reporting Device Name – names of devices that reported the events that led to the incident Incident – rule name

Source – incident source

Target – incident target

Detail – incident parameters other than source and target

Count – number of times the same incident has triggered

To show incidents over a different time interval

Click Time Range Button

A search window appears

To choose a relative time window

Choose Time Range Operator as LAST.

Specify the number of Minutes/Hours/Days/Weeks.

Click Check button.

The Incident page will automatically refresh to show all the incidents over the time window.

To choose an absolute time window

Choose Time Range Operator as FROM.

Specify the starting and end times.

Click Check button.

The Incident page will automatically refresh to show all the incidents over the time window

An incident can be in any of the following states

Active

Cleared

Cleared Manually

System Cleared

By default only Active Incidents are shown. To show Incidents in other states

Click Incident Status Button  A search window appears

To add a new value, click on the white space next to the selected value. A menu appears. Select the needed values one by one.

Click Check button

The Incident page will automatically refresh to show all the incidents in selected state(s)

To select a different set of Incident attributes

Click Choose columns icon

In the popup, select the columns you want to display by moving them to the right. You can re-order the position of the columns. ClickOK.To force a refresh of the incident view, click the Refresh icon

Incidents may be displayed over multiple pages. To see incidents on a different page,

Select the Page Selector icon

Either enter the page number or click on the Next or Previous icon to go to the right page

To view incidents for a different organization (Service Provider version),

Click the User icon on top right

Choose the right organization

Click Change View

Viewing incident details

In the default view, an incident is shown in a single line. To see the details of the incident,

Click anywhere on the incident line

Basic incident attributes are shown immediately below the incident More advanced incident attributes are shown in a bottom pane

To revert to the single line incident view, click anywhere on the incident line. Detailed views will disappear.

To view the rule that triggered the incident,

Click anywhere on the incident line in the single line incident view In the bottom pane, Click Rule tab. Rule details are displayed.

To view the events that triggered the incident

Click anywhere on the incident line in the single line incident view

In the bottom pane, Click Events tab. Basic Event attributes are displayed in a single line. To see the raw events, click on the Basic Event line. Raw events are displayed.

Grouped View of all incidents

Sometimes user may need a grouped view of incidents to get an overview of what incidents have triggered and involves which devices. The following grouped views are provided

Severity – Ranks Incident Severities By Count

Name – Ranks the Incidents By Count

Name, Target – Ranks Incident Name and Incident Target By Count

Name, Source – Ranks Incident Name and Incident Source By Count

Name, Source, Target – Ranks Incident Name, Incident Source and Incident Target By Count

Name, Source, Target, Business Service – Ranks Incident Name, Incident Source, Incident Target and Business Services By Count Name, Source, Target, Business Service, Organizations – Ranks Incident Name, Incident Source, Incident Target, Business Services and Organizations By Count

Searching Incidents

Searchable Incident Attributes

Constructing Search Condition

Searchable Incident Attributes

Incident Attribute	Description
Time Range	In
ID	Incident ID
IP	Incident Source IP or Incident Target IP
Host	Host name associated with Incident Source IP or Incident Target IP
User	User field specified in Incident Target or Incident Details
Severity	Incident Severity category – High, Medium or Low
Function	Security, Availability, Performance or Change. This is a property of an Incident.
Incident Status	Possible values are Active, Cleared, Cleared Manually, System Cleared
Ticket Status	Possible values are New, Open, Closed, External, reopened, None. External means opened in an external system.
Incident	Rule name
Biz Service	Business Service name
Organization	Organization name

Constructing Search Condition

To construct a Search condition from a displayed Incident,

Mouse over the cell containing the specific Incident attribute

Right click and choose Add to filter

The condition will be added to existing search string

Matching incidents will be displayed

To construct a Search condition from scratch

Click on the Add filter edit area. Three fields are displayed

Incident Attribute

Operator

Value

Select one of the Incident Attributes from the drop down

Select an Operator from =, != IN, NOT IN, CONTAINS, NOT CONTAINS Select one or more Values from the displayed choices Click the Check button.

Matching incidents will be displayed

 

Managing Incidents

Adding Comments

Clearing Incidents

Exporting Incidents to a PDF document

Adding Comments

Click on an Incident in the un-grouped view From Actions drop down, select Add Comments Write the comment and click OK.

Clearing Incidents

Click on an Incident in the un-grouped view

If you have more incidents to clear, then press Shift and click on the second incident. This will will select all incidents between the first one and this one. To get this approach to work effectively,

Create a filter to get all the incidents to be cleared in view

Select the first incident

Press Shift and click on the last incident – all incidents are now selected From Actions drop down, select Clear Click OK

Exporting Incidents to a PDF document

Click on an Incident in the un-grouped view

If you have more incidents to export, then press Shift and click on the second incident. This will will select all incidents between the first one and this one. To get this approach to work effectively,

Create a filter to get all the incidents to be exported in view

Select the first incident

Press Shift and click on the last incident – all incidents are now selected From Actions drop down, select Export Click OK

 

 

 

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Creating Tickets in External Ticketing System

See External Helpdesk System Integration.

Using Incidents in Searches and Rules

Creating an Historical Search from an Incident

Creating a Real Time Search from an Incident Editing Rules from Incidents

Creating an Historical Search from an Incident

When you are viewing an incident, you may want to about other events related to the source or target of the incident. This topic describes how to create an historical search from an incident.

1. In the Incident Dashboard, select the incident you want to use.
2. Select the Incident Source or Incident Target you want to use, and then select Show Related Historical Events.

The Historical Search interface will load, with the IP address of the selected incident attribute loaded in the Filter By conditions, and the Display Fields set to the incident attributes.

3. Click Run.
4. You will see a list of events for the Incident Source or Target, which you can further analyze as described in Refining the Results from Historical Search.

Creating a Real Time Search from an Incident

When you are viewing an incident, you may want to about other events related to the source or target of the incident. This topic describes how to create a real time search from an incident.

1. In the Incident Dashboard, select the incident you want to use.
2. Select the Incident Source or Incident Target you want to use, and then select Show Related Real Time Events.

The real time search interface will load, with the IP address of the selected incident attribute loaded in the Filter By conditions, and the Di splay Fields set to the incident attributes.

3. Click Run.
4. You will see a list of events for the Incident Source or Target, which you can further analyze as described in Viewing and Refining Real Time Search Results.

Editing Rules from Incidents

If you need to edit the rule associated with an incident, you can do so directly from the Incident Dashboard.

1. In the Incident Dashboard, select an incident based on the rule you want to edit.
2. Click in any column of the selected incident to open the Options menu, and then select Edit Rule.
3. Edit the rule as necessary, and then click Save.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Ticket Related Operations

Creating a ticket without an Incident

1. Go to Incidents > Tickets.
2. Click New.
3. Enter a Summary and Description for the ticket. Both of these fields are required.
4. For Assigned To, select a user from the menu.
5. Set any Due Date for the ticket.
6. Select a Priority for the ticket.
7. Click Save.

Creating a ticket from an Incident

1. In the Incident Dashboard, select the incident you want to create a ticket for.
2. Click Ticket.

The Incident ID, Summary and Description for the ticket will be populated from the incident information.

3. Select the person you want to assign the ticket to.
4. Enter a Due Date for the ticket.
5. Set a Priority for the ticket.
6. Click Save.

Closing a ticket

1. Go to Incidents > Tickets.
2. Select a ticket
3. Click Edit
4. For State drop down, select Closed
5. Click

Changing the assignee in a ticket

1. Go to Incidents > Tickets.
2. Select a ticket
3. Click Edit
4. For Assigned drop down, select the new Assignee
5. Click

Changing the due date in a ticket

1. Go to Incidents > Tickets.
2. Select a ticket
3. Click Edit
4. For Due Date edit box, select the date and then the time Click Save.

Adding notes to a ticket

1. Go to Incidents > Tickets.
2. Select a ticket
3. Click Edit
4. Add to Description
5. Click Save

Adding attachments to a ticket

1. Go to Incidents > Tickets.
2. Select a ticket
3. Click Edit
4. Click PDF or PNG under Attach file
5. Include the file and Click Upload.
6. Click Save

Exporting a ticket

1. Go to Incidents > Tickets. 2. Select a ticket
2. Click Export

Viewing Ticket History

1. Go to Incidents > Tickets.
2. Select a ticket
3. Click Edit
4. See Action History on bottom right pane

Searching tickets

This can be done in two ways

Type in key words in Search box

Use the Attribute Value Search –

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Creating Tickets In FortiSIEM In-built Ticketing System

AccelOps includes a feature that will let you create and assign tickets for IT infrastructure tasks, and create tickets directly from incidents. You can see all tickets that have been created by going to Incidents > Tickets, and then use the filter controls to view tickets by assignee, organization, priority, and other attributes. You can also configure AccelOps and you Remedy system so that Remedy will take tickets created by incident notification actions.

Configuring Remedy to Accept Tickets from AccelOps Incident Notifications Ticket Related Operations

Configuring Remedy to Accept Tickets from AccelOps Incident Notifications

This topic describes how to configure Remedy to accept tickets as notification actions from AccelOps.

Prerequisites

Procedure

Incident Attributes for Defining Remedy Forms

Prerequisites

Make sure you have configured the Remedy server settings in AccelOps.

Procedure

• In Remedy, create a new form, AccelOps_Incident_Interface, with the incident attributes listed in the table at the end of this topic as the form fields.

2. When you have defined the fields in the form, right-click on the field and select the Data Type that corresponds to the incident attribute.
3. After setting the form field data type, click in the form field again to set the Label for the field.
4. When you are done creating the form, go to Servers > localhost > Web Service in Remedy, and select New Web Service.
5. For Base Form, enter AccelOps_Incident_Interface.
6. Click the WSDL
7. For the WSDL Handler URL, enter http://<midtier_server>/arsys/WSDL/public/<servername>/AccelOps_Incident_I nterface.
8. Click the Permissions tab and select
9. Click

You can test the configuration by opening a browser window and entering the WSDL handler URL from step 7, substituting the Remedy Server IP address for <midtier_server> and localhost for <servername>. If you see an XML page, your configuration was successful.

Incident Attributes for Defining Remedy Forms

Incident Attribute	Data Type	Description
biz_service	text	Name of the business services affected by this incident
cleared_events	text
cleared_reason	text	The reason for clearing the incident if it was cleared,
cleared_time	bigint	The time at which the incident was cleared
cleared_user	character varying(255)	The user who cleared the incident
comments	text	Comments
cust_org_id	bigint	The organization id to which the incident belongs
first_seen_time	bigint	Time when the incident occurred for the first time
last_seen_time	bigint	Time when the incident occurred for the last time
incident_count	integer	Number of times the incident triggered between the first and last seen times
incident_detail	text	Incident Detail attributes that are not included in incident_src and incident_target
incident_et	text	Incident Event type
incident_id	bigint	Incident Id
incident_src	text	Incident Source
incident_status	integer	Incident Status
incident_target	text	Incident Target
notif_recipients	text	Incident Notification recipients
notification_action_status	text

 

orig_device_ip	text
ph_incident_category	character varying(255)	AccelOps defined category to which the incident belongs: Network, Application, Server, Storage, Environmental, Virtualization, Internal, Other
rule_id	bigint	Rule id
severity	integer	Incident Severity 0 (lowest) – 10 (highest)
severity_cat	character varying(255)	LOW (0-4),  MEDIUM (5-8), HIGH (9-10)
ticket_id	character varying(2048)	Id of the ticket created in AccelOps
ticket_status	integer	Status of ticket created in AccelOps
ticket_user	character varying(1024)	Name of the user to which the ticket is assigned to in AccelOps
view_status	integer
view_users	text

 

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!