
FortiSIEM Agent-less Target File Monitoring

Agent-less Target File Monitoring

You can use target file monitoring to make sure that a specific file, for example a device configuration file, is always identical in content to a gold standard target file that you import into FortiSIEM. When you enable a target file monitor, it will:

  1. Pre-compute the checksum of the gold standard target file imported into FortiSIEM.
  2. Periodically, log in to the system using SSH and compute the checksum of the file.
  3. Create an event when the content of the monitored file is different than the gold standard target file.

Supported Servers

Example Events

Adding the File Integrity Monitoring Performance Object

Performance Object Configuration for File Integrity Monitoring

Associating Device Types to Performance Objects

Testing the Performance Monitor

Enabling the Performance Monitor

Checking the Difference between Versions of Monitored Files

Supported Servers

Target file monitoring is supported for these servers:

Linux variants

Unix variants

Windows (with Unix tools installed that allow SSH)

Example Events

Two events are generated by FortiSIEM when the target file is modified.

File Monitors and Event Types

Unlike other custom monitors, you don’t need to set the event type to associate with the monitor. When you select File Monitor for the Used For option, this automatically associates the event types with the file or directory you specify for monitoring. These examples include the event type associated with each monitoring event.

Event Type: PH_DEV_MON_CUST_TARGET_FILE_CHANGE

This indicates that content of the target file has changed. You can see that the values for prehash and hash are different.

Event Type: PH_DEV_MON_CUST_TARGET_FILE_DELTA

This indicates what was changed, as you can see with the addedItem, deletedItem, oldSVNVersion, and newSVNVersion attributes.

<14>Mar 27 14:02:28 VA223_TestaThon phPerfMonitor[3740]: [PH_DEV_MON_CUST_TARGET_FILE_DELTA]:[eventSeverity]=PHL_INFO,[procName]=phPerfMonitor,[fileName]=phSvnUpdate.cpp,[lineNumber]=205,[phCustId]=1,[hostName]=CO228SP222,[hostIpAddr]=192.168.64.228,[fileName]=/home/admin/TargetFileMon/tartget1.txt,[oldSVNVersion]=15,[newSVNVersion]=20,[deletedItem]=(none),[addedItem]=newline;,[phLogDetail]=
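A parser for the event record shown above, added here as an example and not FortiSIEM's own code. It separates the syslog header from the [key]=value body, keeps repeated keys such as fileName as lists, and applies the change test the text describes (prehash versus hash for the CHANGE event, version and item attributes for the DELTA event); the sample line is the event above joined back onto one line.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the PH_DEV_MON_CUST_TARGET_FILE_DELTA event quoted
# above, re-joined onto a single line.
SAMPLE_EVENT = (
    "<14>Mar 27 14:02:28 VA223_TestaThon phPerfMonitor[3740]: "
    "[PH_DEV_MON_CUST_TARGET_FILE_DELTA]:[eventSeverity]=PHL_INFO,"
    "[procName]=phPerfMonitor,[fileName]=phSvnUpdate.cpp,[lineNumber]=205,"
    "[phCustId]=1,[hostName]=CO228SP222,[hostIpAddr]=192.168.64.228,"
    "[fileName]=/home/admin/TargetFileMon/tartget1.txt,[oldSVNVersion]=15,"
    "[newSVNVersion]=20,[deletedItem]=(none),[addedItem]=newline;,[phLogDetail]="
)

# Syslog header: <PRI>timestamp host process[pid]: followed by the event body.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<body>.*)$", re.S)
# Body: [EVENT_TYPE]: followed by the attribute list.
EVENT_TYPE_RE = re.compile(r"^\[(?P<etype>[A-Z0-9_]+)\]:(?P<attrs>.*)$", re.S)
# Attribute keys are bracketed; a value runs up to the next ",[key]=" or the end.
KEY_RE = re.compile(r"\[([A-Za-z0-9_]+)\]=")


def parse_attributes(text: str) -> Dict[str, List[str]]:
    """Parse "[k]=v,[k]=v,..." into key -> list of values.

    Lists are used because FortiSIEM repeats keys (fileName appears twice
    in the sample: the source file of the process and the monitored file).
    An empty trailing value such as [phLogDetail]= is kept as "".
    """
    attrs: Dict[str, List[str]] = {}
    keys = list(KEY_RE.finditer(text))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        value = text[m.end():end]
        if i + 1 < len(keys) and value.endswith(","):
            value = value[:-1]  # separator before the next key, not part of the value
        attrs.setdefault(m.group(1), []).append(value)
    return attrs


def parse_event(line: str) -> Tuple[Dict[str, str], str, Dict[str, List[str]]]:
    """Return (header fields, event type, attributes) for one FortiSIEM syslog line."""
    hm = HEADER_RE.match(line.strip())
    if not hm:
        raise ValueError("not a FortiSIEM syslog line")
    em = EVENT_TYPE_RE.match(hm.group("body"))
    if not em:
        raise ValueError("missing [EVENT_TYPE]: prefix")
    header = {k: hm.group(k) for k in ("pri", "ts", "host", "proc", "pid")}
    return header, em.group("etype"), parse_attributes(em.group("attrs"))


def target_file_changed(etype: str, attrs: Dict[str, List[str]]) -> bool:
    """Apply the change test the text gives for each target-file event type."""
    def first(key: str) -> str:
        return attrs.get(key, [""])[0]

    if etype == "PH_DEV_MON_CUST_TARGET_FILE_CHANGE":
        # Content changed when the pre-computed gold checksum differs from the new one.
        return first("prehash") != first("hash")
    if etype == "PH_DEV_MON_CUST_TARGET_FILE_DELTA":
        # A new SVN revision or any added/deleted item means the file diverged.
        return (first("oldSVNVersion") != first("newSVNVersion")
                or first("addedItem") != "(none)"
                or first("deletedItem") != "(none)")
    return False


if __name__ == "__main__":
    hdr, etype, attrs = parse_event(SAMPLE_EVENT)
    print(etype, hdr["host"], attrs["fileName"], target_file_changed(etype, attrs))
```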

Adding the File Integrity Monitoring Performance Object

In multi-tenant deployments, the performance object should be created by the Super/Global account, and will apply to all organizations. For both multi-tenant and enterprise deployments, the performance object can be created for an organization by any user who has access to the Admin tab.

In this case, you will create one performance object in which you will upload the gold target file and enter the path to the file you want to monitor. You don’t need to create a new event type or event attribute type, as these are automatically associated with the performance object when you select File Monitoring for the Used For field.

Performance Object Configuration for File Integrity Monitoring

Field Setting
Name LinuxTargetFileMon
Type Application
Method Login
Used For File Monitor
File Path home/admin/FileMon/file.txt
Target File Click Upload and browse to the location of the file that you want to use as the gold target

Associating Device Types to Performance Objects

You should associate the performance object to the Linux, Unix, or SSH-capable Windows device type that contains the file or directory path you want to monitor.

Testing the Performance Monitor

Before testing the monitor, make sure you have defined the access credentials for the device, created the IP address to credentials mapping, and tested connectivity.

  1. Go to Admin > Device Support > Performance Monitoring.
  2. Select the performance monitor you created, and then click Test.
  3. For IP, enter the address of the device, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
  4. Click Test.

You should see Succeed under Result, and the parsed event attributes in the test result pane.

  5. When the test succeeds, click Close, and then click Apply to register the new monitor with the backend module.

Enabling the Performance Monitor

  1. Discover or re-discover the device you want to monitor.
  2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

Checking the Difference between Versions of Monitored Files

When the monitor detects a difference between the files, it will trigger the rule Audited target file content modified, and the rule will continue to trigger and generate incidents until the checksums of the files match. You can compare the original monitored file against the new version in the CMDB.

  1. Go to CMDB > Devices.
  2. Select the device where the monitored file is located.
  3. Click the Configuration tab.

In the left pane you will see a list of all the files, and their versions, on the device.

  4. To compare files, select one, Ctrl-click the other, and then click Diff.

FortiSIEM Custom Configuration Change Monitoring


Custom Configuration Change Monitoring

This feature provides a way to collect configuration files for any device and monitor changes to them.

Define a new vendor and model (optional)

If the device vendor and model are not yet defined in FortiSIEM, then the new definition needs to be added.

To check whether your device is already defined:

  1. Go to Admin > Device Support > Device/App Types
  2. In the Search area, type in the vendor name and see if it exists.

To add a new device type:

  1. Go to Admin > Device Support > Device/App Types
  2. Click New
  3. Fill in the following information
    1. Vendor: Type in the name of the vendor (e.g. Fortinet or Cisco)
    2. Model: Type in the model. Be very generic, preferably the software model (e.g. FortiOS, IOS); do not enter the hardware model for appliances
    3. Version: Most of the time ANY
    4. Device/App Group: Select the CMDB Group to which the new device will belong
    5. Business Service Group: Define the Business Service Group to which the new device will belong
    6. Description: Add a description
  4. Click Save

Create a valid access method

  1. Go to Admin > Setup > Credentials (Step 1)
  2. Click Add.
  3. Create an SSH credential
    1. Device Type – Select your device
    2. Access Protocol – Set to SSH
    3. Define User Name and Password
  4. Click Save
  5. Go to Admin > Setup > Step 2: IP Range to Credentials
  6. Click Add
  7. Enter the following information for IP Range to Credential Mapping
    1. IP/Range – the access IP of the device
    2. Credentials – pick the credential in Step 3
    3. Click OK
  8. Select the entry and click Test Connectivity or Test Connectivity without Ping.
  9. Make sure Test Connectivity

Create a Performance Object

  1. Go to Admin > Device Support > Performance Monitoring
  2. Under the Enter Performance Object area, click New
  3. Enter the following information to create a new Performance Object
    1. Name – enter a name for reference
    2. Type – set to System
    3. Method – set to LOGIN
    4. Used For – set to Configuration Monitoring
    5. Expect Script – Click Upload to store a configuration-pulling expect script in FortiSIEM
    6. Polling Frequency – determines how often configuration will be pulled – recommended 30 minutes
  4. Click Save

Create Device Type to Performance Object association

  1. Go to Admin > Device Support > Performance Monitoring
  2. Under Enter Device Type to Performance Object Association, Click New
  3. Enter the following information to create an association
    1. Name – enter a name for reference
    2. Device Types – select the relevant device type for custom configuration polling
    3. Perf Objects – Select the performance object created in the previous step
  4. Click Save

Discover the device

  1. Go to Admin > Setup > Discovery
  2. Click Add
  3. In Include Range, enter the IP address of the device
  4. Click OK
  5. Select the entry and then click Discover

Validation Check

The expect script will be executed and configuration will be discovered.

  1. Go to Admin > Setup > Monitor Change/Performance. Search for the device and check the configuration monitoring task under System Monitor.
  2. Search for the device and check for the configuration under the Configuration tab for the selected device.

FortiSIEM Configuring Event Handling


Configuring Event Handling

This section describes certain event handling operations that happen at the moment events are received in AccelOps.

Event Dropping

Event Forwarding

Event Organization Mapping

Multi-line Syslog Handling

Event Dropping

Some devices and applications generate a significant number of logs, which may be very verbose, contain little valuable information, and consume storage resources. You can configure Event Dropping rules that drop events just after they have been received by FortiSIEM, preventing these event logs from being collected and processed. Implementing these rules may require some thought to accurately set the event type, reporting device type, and event regular expression match, for example. However, dropped events do not count towards licensed Events per Second (EPS), and are not stored in the Event database. Dropped events also do not appear in reports, and do not trigger rules. You can also specify that events should be dropped but stored, so event information will be available for searches and reports, but will not trigger rules. An example of an event type that you might want to store but not have trigger any rules would be an IPS event that is a false positive.

Procedure
  1. Log in to your Supervisor node.

For multi-tenant deployments you should log in to the Super/Global account if you want to set a system-wide event dropping rule. If you want to set an event-dropping rule for a specific organization, either log in as an administrator for that organization, or log in using the Super/Global account and then select the organization to which the rule should apply when you are creating it.

  2. Go to Admin > General Settings > Event Handling.
  3. Under Event Dropping Rule, click Add.
  4. Next to Reporting Device, click Edit, and use the CMDB Browser to find the device group or individual device that you want to create the rule for.
  5. Next to Event Type, click Edit, and use the Event Type Browser to find the group of event types, or a specific event type, that you want to create the rule for.
  6. If the event type you select has a Source IP or Destination IP attribute, you can enter specific IP addresses to which the rule should apply.
  7. For Regex Filter, enter any regular expressions you want to use to filter the log files.

If any matches are made against your regular expression, then the event will be dropped.

  8. For multi-tenant deployments, select the Organization to which the rule should apply.
  9. Select the Action that should be taken when the event dropping rule is triggered.
  10. Enter any Description for the rule.
  11. Click Save.

Implementation Notes

  1. All matching rules are implemented by FortiSIEM, and inter-rule order is not important. If you create a duplicate of an event dropping rule, the first rule is in effect.
  2. If you leave a rule definition field blank, then that field is not evaluated. For example, leaving Event Type left blank is the same as selecting All Event Types.
  3. FortiSIEM drops the event at the first entry point. If your deployment uses Collectors, events are dropped by the Collectors. If your deployment doesn’t use Collectors, then the event will be dropped by the Worker or Supervisor where the event is received.
  4. You can use the report System Event Processing Statistics to view the statistics for dropped events. When you run the report, select AVG(Policy Dropped Event Rate(/sec) as one of the dimensions for Chart For to see events that have been dropped to this policy.

Event Forwarding

In systems management, many servers may need to receive logs, traps and Netflows from network devices and servers, but it is often resource intensive for network devices and servers to forward logs, traps and Netflows to multiple destinations. For example, most Cisco routers can forward Netflow to two locations at most. However, FortiSIEM can forward/relay specific logs, traps and Netflows to one or more destinations. If you want to send a log to multiple destinations, you can send it to FortiSIEM, which will use an event forwarding rule to send it to the desired locations.

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > Event Handling.
  3. Under Event Forwarding Rule, for multi-tenant deployments, select the organization for which the rule will apply.
  4. Click Add.
  5. For Sender IP, enter the IP address of the device that will be sending the logs. The syntax can be one of the following:
    1. a single IP address
    2. an IP address range, e.g. 10.1.1.1-10.1.1.10
    3. CIDR notation, e.g. 10.1.1.0/8
    4. a combination of the above separated by commas, e.g. 10.1.1.1,10.1.1.3,20.1.1.1-20.1.1.10,30.1.1.0/24
  6. For Severity, select an operator and enter a severity level that must match for the log to be forwarded.
  7. Select the Traffic Type to which the rule should apply.

The Forward To > Port field will be populated based on your selection here.

  8. For Forward to > IP, enter the IP address to which the event should be forwarded.
  9. Click OK.

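A matcher for the Sender IP syntax listed in step 5 (single address, dashed range, CIDR, or a comma-separated mix), added here as an example and not FortiSIEM's own code. It assumes IPv4 and uses Python's ipaddress module; strict=False is needed so that a CIDR with host bits set, like the 10.1.1.0/8 quoted above, is accepted rather than rejected.

```python
import ipaddress
from typing import List, Tuple

IntRange = Tuple[int, int]  # inclusive (low, high) as integers


def parse_ip_spec(spec: str) -> List[IntRange]:
    """Expand a Sender IP specification into inclusive integer ranges.

    Accepted elements, separated by commas: a single IP, a dashed range
    ("20.1.1.1-20.1.1.10") or CIDR notation ("30.1.1.0/24").
    Raises ValueError for anything else, so a bad rule is caught when it
    is written rather than silently matching nothing.
    """
    ranges: List[IntRange] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing or doubled comma
        if "/" in item:
            # strict=False: accept "10.1.1.0/8" (host bits set) as 10.0.0.0/8.
            net = ipaddress.ip_network(item, strict=False)
            ranges.append((int(net.network_address), int(net.broadcast_address)))
        elif "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(ipaddress.ip_address(lo_s.strip()))
            hi = int(ipaddress.ip_address(hi_s.strip()))
            if lo > hi:
                raise ValueError(f"range is reversed: {item}")
            ranges.append((lo, hi))
        else:
            addr = int(ipaddress.ip_address(item))
            ranges.append((addr, addr))
    return ranges


def sender_matches(spec: str, sender_ip: str) -> bool:
    """True when sender_ip falls inside any element of the rule's Sender IP field."""
    ip = int(ipaddress.ip_address(sender_ip))
    return any(lo <= ip <= hi for lo, hi in parse_ip_spec(spec))


if __name__ == "__main__":
    # The combined example from the text, checked against a few senders.
    rule = "10.1.1.1,10.1.1.3,20.1.1.1-20.1.1.10,30.1.1.0/24"
    for ip in ("10.1.1.1", "10.1.1.2", "20.1.1.7", "20.1.1.11", "30.1.1.200"):
        print(ip, sender_matches(rule, ip))
```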
Event Organization Mapping

FortiSIEM can handle reporting devices that are themselves multi-tenant and hence have organization names in events that they send. This section describes how you can map organization names in external events to those on FortiSIEM so that those events have the correct FortiSIEM organizations.

Adding Organization Mapping Rules

  1. Go to Admin > General Settings > Event Handling > Event Organization Handling.
  2. Click Add to add a rule.
  3. Select Enabled if this rule is to be enforced.
  4. Select the Device Type of the sender. This has to be a device type that FortiSIEM understands and is able to parse events from.
  5. Select the Event Attribute that contains the external organization name. FortiSIEM will map the value in this field to a FortiSIEM organization.
  6. Select the Collectors that are going to receive the events. By default any Collector can do this, but it is possible to scope down if needed. This field is optional.
  7. Specify the Reporting IP/Range of the multi-tenant devices that are sending events. The format of this field is a comma-separated list of IP addresses intermixed with IP ranges, e.g. 10.1.1.1,10.1.1.2,10.10.1.1-10.10.1.250.
  8. Specify the Org Mapping.
    1. Click Edit.
    2. Select the System (FortiSIEM) organization in the left column.
    3. Click the Event Organization and enter the external organization name corresponding to the System Organization in the left column.
  9. Click OK to save.


Multi-line Syslog Handling

Often applications generate a single syslog in multiple lines. For analysis purposes, the multiple lines need to be put together into a single log. This feature enables you to do that.

You can write multiple multi-line syslog combining rules based on reporting IP and begin and end patterns. All matching syslog lines between the begin and end patterns are combined into a single log.

To create a multi-line syslog rule,

  1. Go to Admin > General Settings > Event Handling
  2. Scroll down to Multiline syslog section
  3. Click Add
  4. Enter the following information
    1. Enabled – check this if the rule needs to be effective
    2. Sender IP – the source of the syslog – the format is a single IP, an IP range, CIDR, or a combination of the above separated by commas
    3. Protocol – TCP or UDP, since syslog can come via either of these protocols
    4. Organization – syslog from devices belonging to this organization will be combined into one line
    5. Begin Pattern – combining syslog starts when the regular expression specified here is encountered
    6. End Pattern – combining syslog stops when the regular expression specified here is encountered
  5. Click Save

Example 1 – Syslog over UDP

In this case, Begin Pattern is required and End Pattern is optional.

If a packet matches the Begin Pattern, FortiSIEM will hold it in memory and wait for the next packet.

If the 2nd packet also matches the Begin Pattern, continue waiting.

If the 3rd packet doesn’t match the Begin Pattern, flush out the 2 events (1+2 and 3).

If any packet matches the End Pattern, flush out.

The Begin Pattern is present in each packet of a multi-line syslog; FortiSIEM removes it from every packet except the first.

For example, the receiver gets these packets:

<syslog header> I come to

<syslog header> work

<syslog header> every day

If you set the Begin Pattern to a regular expression to match the <syslog header> and leave the End Pattern to be empty, then the three syslogs are combined into a single syslog

<syslog header> I come to work every day

If you set the Begin Pattern to a regular expression to match the <syslog header> and leave the End Pattern to match work, then the first two syslogs are combined into a single syslog, while the third one is left alone.

<syslog header> I come to work

<syslog header> work

Example 2 – Syslog over TCP – octet counting

Octet counting means that there is a header that specifies the length of the syslog. In this case, syslog is not combined. There is no need to combine, since the source can send large syslog messages.

Example 3 – syslog over TCP – non-transparent framing

In non-transparent framing, two syslogs sent over a TCP stream are delineated by the “\n” character. In this case, either the Begin Pattern or the End Pattern is required. Both can be present as well.

If the Begin Pattern is matched in the TCP stream, a multi-line syslog combination begins

If the End Pattern is matched in the TCP stream, multi-line syslog combination ends

If the Begin Pattern is again matched in the TCP stream, the previous multi-line syslog combination ends

TCP syslog stream: id=0,name=<1>name=a,id=1<2>name=b,id=2<3>

If the Begin Pattern is <\d+> and the End Pattern is id=\d+, this results in 3 syslogs:

id=0,name=

<1>name=a,id=1

<2>name=b,id=2

and <3> will be held for the next packet.

If the Begin Pattern is <\d+> and the End Pattern is empty, this also results in the same 3 syslogs.
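The Begin/End Pattern behaviour of Example 1 (UDP) and Example 3 (TCP non-transparent framing), implemented as an added Python example that is not FortiSIEM's own code. The sample packets and TCP stream are the ones from the text; each function returns the syslogs it has flushed together with whatever is still being held for the next packet, which is how the text describes the trailing "<3>" and the last UDP packet.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample inputs, taken from the worked examples in the text.
UDP_PACKETS = [
    "<syslog header> I come to",
    "<syslog header> work",
    "<syslog header> every day",
]
TCP_STREAM = "id=0,name=<1>name=a,id=1<2>name=b,id=2<3>"


def combine_udp(packets: List[str], begin: str,
                end: Optional[str] = None) -> Tuple[List[str], Optional[str]]:
    """Example 1: one syslog per UDP packet, Begin Pattern required, End optional.

    Returns (flushed_syslogs, held): `held` is the partially combined syslog
    still waiting for the next packet. A packet that matches Begin is appended
    to the held syslog with its header removed; a packet that does not match
    Begin flushes the held syslog and itself; an End match flushes immediately.
    """
    begin_re = re.compile(begin)
    end_re = re.compile(end) if end else None
    out: List[str] = []
    held: Optional[str] = None
    for pkt in packets:
        bm = begin_re.search(pkt)
        if bm is None:
            # No Begin match: flush what is held (if any) and this packet as two events.
            if held is not None:
                out.append(held)
                held = None
            out.append(pkt)
            continue
        if held is None:
            held = pkt  # the first packet keeps its header
        else:
            held += pkt[:bm.start()] + pkt[bm.end():]  # strip the repeated header
        if end_re is not None and end_re.search(pkt):
            out.append(held)  # End Pattern seen: the combined syslog is complete
            held = None
    return out, held


def combine_tcp(stream: str, begin: str,
                end: Optional[str] = None) -> Tuple[List[str], str]:
    """Example 3: scan a TCP stream; Begin starts (and restarts) a combination, End ends it.

    Text seen before the first Begin match is emitted as its own syslog when
    the first Begin match arrives. The End Pattern only ends an active
    combination, so the leading "id=0" in the sample is not treated as an end.
    Returns (syslogs, held_remainder). Newlines in a real stream are simply
    carried along as part of the combined text.
    """
    begin_re = re.compile(begin)
    end_re = re.compile(end) if end else None
    out: List[str] = []
    buf = ""
    active = False
    i = 0
    while i < len(stream):
        m = begin_re.match(stream, i)
        if m:
            if buf:
                out.append(buf)  # previous combination (or leading text) ends here
            buf, active = m.group(0), True
            i = m.end()
            continue
        if active and end_re is not None:
            m = end_re.match(stream, i)
            if m:
                out.append(buf + m.group(0))
                buf, active = "", False
                i = m.end()
                continue
        buf += stream[i]
        i += 1
    return out, buf


if __name__ == "__main__":
    print(combine_udp(UDP_PACKETS, r"<syslog header>"))
    print(combine_udp(UDP_PACKETS, r"<syslog header>", r"work"))
    print(combine_tcp(TCP_STREAM, r"<\d+>", r"id=\d+"))
```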

Managing FortiSIEM

FortiSIEM General System Administration


General System Administration

Topics in this section contain information on monitoring the health of your FortiSIEM deployment, general system settings such as language, date format, and system logos, and how to add devices to a maintenance calendar.


FortiSIEM Backend Processes

This topic provides a brief description of FortiSIEM backend system processes, and the nodes (Supervisor, Collector, Worker) that use them.

Process             Function                                       Used by Supervisor  Used by Worker  Used by Collector
phMonitor           Monitoring other processes                     X                   X               X
phDiscover          Pulling basic data from target                 X                                   X
phPerfMonitor       Execute performance job                        X                   X               X
phAgentManager      Execute event pulling job                      X                   X               X
phCheckpoint        Execute checkpoint monitoring                  X                   X               X
phEventPackage      Uploading event/SVN file to Supervisor/Worker                                      X
phParser            Parsing event to shared store (SS)             X                   X               X
phDataManager       Save event from SS to Event DB                 X                   X
phRuleMaster        Determines if a rule should trigger            X
phRuleWorker        Aggregates data for rules                      X                   X
phQueryMaster       Merges data from QueryWorker                   X
phQueryWorker       Executes a query task                          X                   X
phReportMaster      Merge data from ReportWorker                   X
phReportWorker      Aggregates data for reports                    X                   X
phIPIdentityMaster  Merges IP identity information                 X
phIdentityWorker    Collects IP identity information               X                   X
Apache              Receives event/SVN files from the Collector    X                   X


Administrator Tools

This topic describes administration tools and scripts that are included with your FortiSIEM deployment, along with information on where to find and how to use them.

Tool: phTools
Description: phTools is a simple tool for starting and stopping backend processes, and for getting change log information. When you upgrade your deployment, for example, you would use phTools to stop all backend processes.
How to Use It: Log in to the FortiSIEM host machine as root.

Usage

[root@FortiSIEM]# phtools

Commands: --change-log, --start, --stop, --stats

Target: ALL

--change-log also supports ERROR, TRACE, INFO, DEBUG, CRITICAL

Tool: TestSegmentReader
Description: Test Segment Reader is used to quickly read data segments in the eventdb through the command line. You can use this to manually inspect data integrity and parsed event attributes.
How to Use It: Log in to the FortiSIEM host machine as root.

Usage

[root@FortiSIEM]# TestSegmentReader <segmentDir>

Tool: phExportEvent
Description: Used to export event information to a CSV file.
How to Use It: See Exporting Events to Files.

Tool: TestDBPurger
Description: A script to selectively delete event data per org and time interval.
How to Use It: You can find the script at /opt/phoenix/bin/TestDBPurger. Run it in terminal mode and follow the instructions.

Use Only to Delete Data for a Single Date

You should only use this script to delete data for a single date and organization. If you try to delete data for multiple dates, the script will fail.

Managing User Activity

In the User Activity page you can view the users who are logged into your system, user query activity, and locked out users. You can also log users out of the system, stop active user queries, and lock or unlock users from being able to log in. Click the User Activity icon in the upper-right corner of the FortiSIEM web interface to access user activity information.

Managing Logged In Users

In the Logged In Users tab of the User Activity page you can see the users who are currently logged in to your system. You can also log users out of the system, with an option to lock them out as well.

  1. Log in to your Supervisor node.
  2. In the upper-right corner of the FortiSIEM web interface, click the User Activity icon.
  3. Click the Logged In Users tab.

You will see a list of all the users who are currently in your system.

  4. If you want to log a user out of the system, select the user and click Log Out.
  5. If you want to lock a user out of the system, select the user and click Log Out and Lock Out.

Managing Locked Out Users

In the Locked Users tab of the User Activity page you can see the users who are currently locked out of your system, and also unlock them.

  1. Log in to your Supervisor node.
  2. In the upper-right corner of the FortiSIEM web interface, click the User Activity icon.
  3. Click the Locked Users tab.

You will see a list of all users who are locked out of the system.

  4. To unlock a user, select the user and then click Unlock.

Managing Active User Queries

In the User Queries tab of the User Activity page you can see the user queries that are running in your system, and also stop queries.

  1. In the upper-right corner of the FortiSIEM web interface, click the User Activity icon.
  2. Click the User Queries tab.

You will see a list of all the queries that are currently running in your system.

  3. To stop a query, select it and then click Stop Query.

Creating Maintenance Window for Devices

You can add a device to a maintenance window. During this period, the device is not monitored, and alerts for the device are not triggered. If you have a FortiSIEM multi-tenant deployment and you log in as a Super/Global user, you can schedule maintenance events for single organizations, the Super/Global organization, or add devices from multiple organizations to the same maintenance event.

  1. Log in to your Supervisor node.
  2. Go to Admin > Maintenance Calendar.
  3. Click Add.
  4. Enter a Name and Description for the maintenance event.
  5. Set the Time Range and Date Range for the maintenance event.
  6. Under Groups and Devices, click Edit.
  7. If you have a FortiSIEM multi-tenant deployment, select the Organization that has the devices you want to add to the maintenance calendar.
  8. Add Folders or Items to the maintenance event by selecting them, and then using the Folder >> and Item >> buttons to move them into the selection pane.
  9. Click OK when you’re done selecting Folders and Items.
  10. Select Generate incidents for devices under active maintenance if you want incidents for devices that are part of this maintenance event to be triggered.
  11. Click OK.
  12. You will now see your maintenance event listed on the calendar. Mouse over any calendar entry to view details of the maintenance event.

Creating Maintenance Window for Synthetic Transaction Monitoring jobs

You can add a Synthetic Transaction Monitoring (STM) job to a maintenance event. During the maintenance event, the STM job is not executed and hence related alerts do not trigger.

If you have a FortiSIEM multi-tenant deployment and you log in as a Super/Global user, you can schedule maintenance events for single organizations, the Super/Global organization, or add devices from multiple organizations to the same maintenance event.

  1. Log in to your Supervisor node.
  2. Go to Admin > Maintenance Calendar.
  3. Click Add.
  4. Enter a Name and Description for the maintenance event.
  5. Set the Time Range and Date Range for the maintenance event.
  6. Under Groups and Devices, click Edit.
  7. If you have a FortiSIEM multi-tenant deployment, select the Organization that has the devices you want to add to the maintenance calendar.
  8. Click Synthetic Transaction Monitor (STM) to see all the STM jobs under Items in the windows below.
  9. Select the Items from the bottom left and then click Item >> to move them into the selection pane.
  10. Click OK to Save the configuration.
  11. Select Generate incidents for devices under active maintenance if you want incidents for devices that are part of this maintenance event to be triggered.
  12. Click OK.
  13. You will now see your maintenance event listed on the calendar. Mouse over any calendar entry to view details of the maintenance event.

Creating Reverse SSH Tunnels to Debug Collector Issues

Using SSH Tunnels to Connect to Managed Endpoints

Browser Plugins and Connectivity Protocol Support

Firewall Configuration

Using Role-Based Access Control to Limit Access to Tunnel Creation, Viewing, and Closing

Related Links

Using SSH Tunnels to Connect to Managed Endpoints

When you want to quickly debug an issue, you often need to connect to a managed endpoint directly from a browser using protocols such as Telnet/SSH, RDP, VNC or HTTP(S), depending on the operating system of the endpoint. However, in a multi-tenant deployment, the managed endpoint could be behind a firewall and across the Internet. To further complicate matters, the firewall may not permit an inbound connection for management protocols for security reasons, and also may not allow quick policy changes.

The FortiSIEM solution to this situation is to build a reverse SSH tunnel between the Collector and the Supervisor. The firewall already allows HTTP(S) sessions from Collector to Supervisor. After it is also configured to allow SSH connections from Collector to Supervisor, FortiSIEM builds an on-demand reverse SSH tunnel initiated by the Collector. You can then use the tunnel to open a remote management session from your browser to the remote managed endpoint. This blog post on The Geek Stuff describes the process for setting up reverse SSH tunnels on Linux, and provides some additional technical details.

If the managed endpoint is directly accessible from your browser, FortiSIEM can open a direct session. The devices have to be discovered first, and based on this information, FortiSIEM can determine whether to launch a direct or Collector-based session.

If the device is discovered by the Supervisor, then it opens a direct session

If the device is discovered by a Collector, then it opens a reverse SSH tunnel from the collector, and then initiates a session over this tunnel

FortiSIEM has several features for managing SSH tunnels, including:

You can define the port of the reverse SSH tunnel. By default it is set to 19999, but it can be changed to any port.

FortiSIEM automatically times out each tunnel after a day, although you can manually delete a tunnel at any time

FortiSIEM provides full tunnel management auditing, such as a reporting on who creates and deletes a tunnel

FortiSIEM supports a broad group of connectivity protocols. You can launch any connectivity application by specifying the port, and FortiSIEM will create the tunnel.

RBAC is supported at the Collector level: if a user can visit the Collector health page, then that user can open a remote Collector tunnel.

Browser Plugins and Connectivity Protocol Support

Since FortiSIEM runs from a browser, some integrations are possible if certain browser plugins are installed. The best use case is:

Using the Firefox browser to connect to FortiSIEM

The FireSSH browser plugin is already installed in Firefox

You launch a remote session to the managed endpoint over SSH

FortiSIEM launches the FireSSH browser plugin and passes the managed endpoint IP

You type in your user name and password, and if the authentication succeeds, then the shell appears

This table lists the browsers, and the protocols supported by their plugins, that you can use to connect to the managed endpoint.

Always type the end host/device credentials for direct connections over a reverse tunnel even though the displayed IP/port belongs to the Supervisor.

The table is arranged by Web Browser; each line gives the Connectivity Protocol, the Supported Browser Plugin in parentheses, and the Integration.

Firefox
  SSH (FireSSH): The plugin launches. You need to provide your user name and password for the end host/device.
  Telnet (none): A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external telnet client to telnet to <Supervisor-IP> and the port.
  HTTP(S) (none required): Another tab opens. You will need to provide your user name and password if the endpoint device requires it.
  RDP (none): A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external remote desktop client to connect to <Supervisor-IP> and the port.
  VNC (none): A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external VNC client to connect to <Supervisor-IP> and the port.
  Other (none): A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external application client to connect to <Supervisor-IP> and the port.

Chrome
  SSH (FireSSH): The plugin launches. You need to provide your user name and password for the end host/device.
  Telnet (none): A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external telnet client to telnet to <Supervisor-IP> and the port.
  RDP (Chrome RDP): A dialog opens for the Chrome RDP plugin. Make sure your popup blocker is disabled, or that you allow popups from this site. Click Launch App to launch the plugin in a new tab. A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Enter <Supervisor-IP>:<Supervisor Port> to connect. Alternatively, you can use your favorite RDP client.
  HTTP(S) (none required): Another tab opens. You will need to provide your user name and password if the endpoint device requires it.
  VNC (none): A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external VNC client to connect to <Supervisor-IP> and the port.
  Other (none): A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external application client to connect to <Supervisor-IP> and the port.

Safari (on OSX only)
  SSH (Mac Terminal): A new terminal window launches and connects via SSH to <Supervisor-IP> and <Supervisor-port>. Enter your user name and password for the end host/device.
  Telnet (Mac Terminal): A new terminal window launches and connects via telnet to <Supervisor-IP> and <Supervisor-port>. Enter your user name and password for the end host/device.
  RDP (none): A dialog opens for the Chrome RDP plugin. Make sure your popup blocker is disabled, or that you allow popups from this site. Click Launch App to launch the plugin in a new tab. A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Enter <Supervisor-IP>:<Supervisor Port> to connect. Alternatively, you can use your favorite RDP client.
  HTTP(S) (none required): Another tab opens. You will need to provide your user name and password if the endpoint device requires it.
  VNC (none): A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external VNC client to connect to <Supervisor-IP> and the port.
  Other (none): A dialog shows the Supervisor’s port/tunnel endpoint to connect to. Use your favorite external application client to connect to <Supervisor-IP> and the port.

Internet Explorer
  SSH, Telnet, RDP, HTTP(S), VNC, Other (no plugin integration): Create the tunnel and then connect to the <Supervisor-Port> that is displayed using an external application.

Firewall Configuration

If there is a firewall between the Collector and the Supervisor, the firewall needs to allow SSH from the Collector to the Supervisor. The default setting uses a non-standard port, 19999, so make sure you configure the firewall between the Collector and the Supervisor to allow outbound TCP connections on port 19999.

Using Role-Based Access Control to Limit Access to Tunnel Creation, Viewing, and Closing

For security and management reasons, you may want to limit the ability of users to create tunnels. The easiest way to do this is through user roles that have defined access capabilities. For example:

To prevent the creation of any tunnels for a role, disallow access to the CMDB tab for that role, or disallow access to the particular device or device group. This second option lets you create fine-grained controls for tunnel creation, for example:

Admins who are able to view Network devices can only open tunnels to Network devices

Admins who are able to view Servers can only open tunnels to Servers

Admins who are able to view a custom-created device group can only open tunnels to that specific custom group

To prevent viewing and closing existing tunnels, disallow access to the Admin > Collector Health page

Related Links

Setting Up User Roles

 

Auditing the Creation and Deletion of SSH Tunnels

FortiSIEM includes a system-defined report that shows the SSH tunnel open/close history for the time range that you specify.

  1. Log in to your Supervisor node.
  2. Go to Analytics > Reports > System Audit.
  3. Select the SSH Tunnel Open/Close History report.
  4. Run the report as described in Running System and User-Defined Reports and Baseline Reports.
Creating a Remote Tunnel to a Device Monitored by a Collector

Prerequisites

You should review the browsers and plugins that are supported for the connectivity protocol you want to use to connect to the device.

Procedure

  1. Log in to your Supervisor node.
  2. Go to CMDB > Devices.
  3. Search for or browse to the device you want to establish the connection to.
  4. In the IP Address column for that device, click on the IP address associated with it to open the Options menu.
  5. In the Options menu, select Connect To… .
  6. Enter the Protocol and Port you want to use to connect to the device.

For SSH this is Port 22.

  7. Select Create Tunnel.

A tunnel will be established between the Supervisor and the Collector that is monitoring the device.

  8. Use your browser and plugins to establish remote connectivity to the device as described in Creating Reverse SSH Tunnels to Debug Collector Issues.
Managing Remote Tunnels to Collector Devices

After you have created tunnels to collector devices, you can view and manage those tunnels in the Collector Health page.

  1. Log in to your Supervisor node.
  2. Go to Admin > Collector Health.
  3. Click Tunnels.

The existing tunnels will be displayed in a table with these columns:

Host IP: The IP address of the managed endpoint
Super Port: Sessions are opened on this port on the Supervisor to connect to the managed endpoint. This ensures that the Supervisor will use the correct tunnel to reach the managed endpoint.
Protocol: The protocol used to establish the connection to the endpoint
Collector: The Collector that monitors the endpoint
PID: The process ID of the tunnel. If you kill this process, it will kill the tunnel
Opened Time: The time when the tunnel was opened

  4. You can close a tunnel by selecting it and then clicking Close, or you can close all tunnels at the same time by clicking Close All.
Managing System Date Format and Logos

The UI page under Admin > General Settings contains fields that you can use to change the date format for your FortiSIEM user interface, and to upload logos to be used within the user interface and on PDF reports.

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > UI.
  3. Select the Date Format you want to use to display dates in the user interface, and then click Change.
  4. Click Change to choose a UI Logo that will be displayed alongside the main application tabs for your FortiSIEM deployment.

The logo file must be in PNG format, and should not be more than 200 pixels wide or 60 pixels high (54 pixels is the ideal height).

  5. Click Change to choose a Report Logo that will be used in the header of reports you export to PDF.

The logo file must be in SVG format, 160 pixels wide and 40 pixels high, or other dimensions with a 4:1 width/height ratio.

For Service Provider installs, UI Logos can also be set on a per organization basis.

  1. SSH to the Supervisor as root.
  2. Change user to admin: ‘su admin’
  3. Change directory by running ‘cd /opt/glassfish3/glassfish/domains/domain1/applications/phoenix/phoenix-web-1.0_war/resources/header’
  4. Create a logo directory per organization:
    1. mkdir org
    2. cd org
    3. Create the Organization IDs as directories, e.g. ‘mkdir 2001’ (to find Org IDs, go to Admin > Setup Wizard > Organizations > ID)
  5. Copy the PNG files to the respective Organization directories as logo.png. For example:

/opt/glassfish3/glassfish/domains/domain1/applications/phoenix/phoenix-web-1.0_war/resources/header/org/2001/logo.png

  6. Log on to the Organization, e.g. Org1 (id: 2001), and make sure that the UI logo is updated.

 

Viewing Cloud Health and System Information

The Admin > Cloud Health page shows you the status of the nodes in your deployment, as well as the processes running on them.

  1. Go to Admin > Cloud Health.
  2. Click on any node to view its Process Details.

See FortiSIEM Backend Processes for more information about the system role played by each process.

  3. You can access other information about your FortiSIEM deployment by clicking the Alert icon in the upper-right corner of the user interface, which will show you Alerts and Tasks for the system within the last 24 hours.
Viewing Collector Health

If your FortiSIEM deployment includes Collectors, you can monitor the status of the Collectors in the Admin > Collector Health page. You can also upgrade Collectors from this page, as described in Setting Up the Image Server for Collector Upgrades.

  1. Log in to your Supervisor node.
  2. Go to Admin > Collector Health.
  3. Select a Collector and click Show Processes to see the processes running on that Collector.

See FortiSIEM Backend Processes for more information about the processes that run on Collectors.

  4. You can also Stop or Start a Collector by selecting it and clicking the appropriate button.

Properties associated with Collector Health include:

Org Name: Name of the organization to which the Collector belongs
Collector Name: The name of the Collector
IP Address: The IP address of the Collector
Status: The status of the Collector as either Up or Down
Health: Displays the health of the Collector based on the health of the modules running on it. If Health is Critical, it means that one of the modules is not running on the Collector.
Up Time: Total time that the Collector has been up
Last Performance Data: The time when the collector last reported its performance status to the cloud
Last Status Update: The time when the collector last reported its status to the cloud
Last Event Data: The time when the collector last reported events to the cloud
CPU Utilization: Overall CPU utilization of the Collector
Memory Utilization: Overall memory utilization of the Collector
Version: Which version of FortiSIEM the Collector is running on
Build Date: The date on which the version of FortiSIEM the Collector is running on was built
Upgrade Version: If the Collector has been upgraded, the version it was upgraded to
Install Status: If you upgrade the Collector, the status of the upgrade is shown here as either Success or Failed
Download Status: If an image was downloaded to the Collector as described in Setting Up the Image Server for Collector Upgrades, the status of the download is shown here as Success or Failed
Allocated EPS: The number of events per second (EPS) dynamically allocated by the system to this collector. See Dynamic Distribution of Events per Second (EPS) across Collectors for more information about how EPS is allocated across Collectors.
Incoming EPS: The EPS that the Collector is currently seeing

Viewing License Information and Adding Nodes to a License

The License Management page in the Admin tab shows information associated with your current FortiSIEM license, and allows you to add virtual appliances and Report Servers to your deployment as your license allows.

  1. Log in to your Supervisor node.
  2. Go to Admin > License Management.
  3. Under License Information you will see detailed information about both Allowed and Current Usage for the number of virtual appliances, EPS, number of devices, and other attributes associated with your FortiSIEM license.
  4. Under VA Information you will see the name and IP address of the virtual appliances, and their roles, in your FortiSIEM deployment. Click Add, and then enter an IP address for other nodes that you want to add to your license.
  5. Under Report Server Information you will see the IP address of any Report Servers in your deployment. Click Add, and then enter an IP address for other Report Servers that you want to add to your license.
Calculations for License Usage Statistics

EPS: AccelOps calculates the EPS for your system using a counter that records the total number of received events in a three-minute time interval. Every second, a thread wakes up and checks the counter value. If the counter is less than 110% of the license limit (using the calculation 1.1 x EPS License x 180), then AccelOps will continue to collect events. If you exceed 110% of your licensed EPS, events are dropped for the remainder of the three-minute window, and an email notification is triggered. At the end of the three-minute window the counter resets and resumes receiving events.

Number of Devices: Each entry in CMDB > Devices counts as one device. Exceptions to this are Mobile Devices and VoIP Phones, which are not counted against the number of devices that are licensed for your deployment.


Using Beaconing to Communicate with AccelOps Support

Your FortiSIEM virtual appliance includes a beaconing feature that periodically transmits information about the functioning of your FortiSIEM deployment to FortiSIEM support. This information includes the health of your FortiSIEM virtual appliances, performance data, and summary information about the configuration of your deployment. This information is used exclusively by FortiSIEM support for forensic analysis of your system, and is never shared with anyone.

The basic version of the beaconing feature is included with your FortiSIEM license, but you can opt out of the service at any time by going to Admin > License Management and clearing the Enable Beaconing Data Upload option. You can also purchase the advanced version of the beaconing service, which includes added support services. Contact FortiSIEM Sales or Support for more information.

To find the level of beaconing support on your deployment, go to the License Information table under Admin > License Management, and scroll down the License Attribute column to look for the row labeled Beaconing Support.

Basic Beaconing Support

Advanced Beaconing Support

Basic Beaconing Support

Basic Beaconing periodically uploads health and usage information from the FortiSIEM instance. This includes:

Customer Name

Organization Name (for Service Provider installations)

Organization Collector Name

Number of devices discovered by category (Network, Server, Storage) and their types

Performance Monitoring Jobs and their status

Discovery Error Types, Event parsing errors, Operational errors

Incident names, severity and count

Event rate

Event Type

FortiSIEM system incidents and license issues

IP address and host name are not transmitted to the cloud.

For specific details, see the following rules and reports, which contain the data periodically sent to the cloud.

Beaconing Reports and Rules, and the Summary Information Uploaded

CMDB > CMDB Reports > Beaconing:

1.  CMDB Device Types
2.  CMDB Network Device Count
3.  CMDB Server Count
4.  CMDB Storage Device Count
5.  PING Monitored Device Count
6.  Performance Monitor Status

Analytics > Reports > Beaconing Reports > Beaconing Customer:

1.    Beaconing Customer: System Operational Errors
2.    Beaconing Customer: Discovery Errors
3.    Beaconing Customer: Event Parsing Errors
4.    Beaconing Customer: Failed or falling behind monitoring jobs
5.    Beaconing Customer: Incidents By Severity, Count
6.    Beaconing Customer: Incidents Dropped
7.    Beaconing Customer: System Event Processing Statistics
8.    Beaconing Customer: Top CMDB Device Types By Count
9.    Beaconing Customer: Top Customers, Collectors By Unknown Event Types
10.  Beaconing Customer: Top Event Types By Count
11.  Beaconing Customer: Top Internal Modules By Log Count

Analytics > Rules > Beaconing:

1.    FortiSIEM Report Server license about to expire
2.    FortiSIEM Report Server license expired
3.    Device License Exceeded – Device Not Added To CMDB
4.    Excessive Clock Skew Between Collector and Supervisor nodes
5.    Excessive External Event Dropped By License
6.    System Collector Down
7.    System Collector Event Delayed
8.    System License Warning: Max Number of Devices Exceeded License
9.    System Report Server Down
10.  System Worker Down

Advanced Beaconing Support

In advanced beaconing support, system logs and audit logs from your FortiSIEM deployment are uploaded to FortiSIEM support in addition to the information listed under basic beaconing support. This allows FortiSIEM support to closely monitor your FortiSIEM deployment for errors and problems remotely without the risk of system log rollover, and to provide an accelerated path to problem resolution.

Advanced beaconing support can be enabled via a license change. You will need to re-register your FortiSIEM deployment after FortiSIEM Sales has enabled advanced beaconing on the license server. During re-registration, FortiSIEM services will continue to run except for a restart of the phMonitor service.

AccelOps Event Categories and Handling

This topic provides a brief description of various types of event categories in FortiSIEM

Event Categories

Each row gives the system event category number, a description, whether the category is counted against the EPS license, how the category appears in the “phstatus -a” output, and whether its events are stored in the database.

0: External events that are not flow events (e.g. syslog, SNMP Trap, event pulling). Counted in EPS license: Yes. phstatus -a output: EPS. Stored in DB: Yes.
1: Incidents (events that begin with PH_RULE). Counted in EPS license: No. phstatus -a output: EPS INTERNAL. Stored in DB: Yes.
2: FortiSIEM Audit Events (events that begin with PH_AUDIT). Counted in EPS license: No. phstatus -a output: EPS INTERNAL. Stored in DB: Yes.
3: FortiSIEM internal system logs, free format. Counted in EPS license: No. phstatus -a output: EPS INTERNAL. Stored in DB: Yes.
4: External flow events (NetFlow, sFlow). Counted in EPS license: Yes. phstatus -a output: EPS. Stored in DB: Yes.
5: FortiSIEM internal health events for summary dashboards. Counted in EPS license: No. phstatus -a output: EPS INTERNAL. Stored in DB: Yes.
6: FortiSIEM Performance Monitoring events (events that begin with PH_DEV_MON). Counted in EPS license: Yes. phstatus -a output: EPS PERF. Stored in DB: Yes.
7: AO Beaconing events. Counted in EPS license: No. phstatus -a output: EPS INTERNAL. Stored in DB: Yes.
8: FortiSIEM Real Time Performance Probe events. Counted in EPS license: No. phstatus -a output: EPS INTERNAL. Stored in DB: No.
99: FortiSIEM internal Rule Engine events. Counted in EPS license: No. phstatus -a output: EPS INTERNAL. Stored in DB: No.
Event handling at various nodes

Running the “phstatus -a” command at a node shows the events handled by that node. The output shows the statistics as 3-minute, 15-minute and 30-minute averages.

If you run “phstatus -a” at a Supervisor, you get the aggregated view across all nodes.

Reported EPS by events

The following events report EPS. The EPS measured against the license is the sum of EPS (EXTERNAL) and EPS PERF.

  1. PH_SYSTEM_EVENTS_PER_SEC: reports EPS at the organization level
  2. PH_SYSTEM_PERF_EVENTS_PER_SEC: reports performance monitoring related EPS (counted against the license)
  3. PH_SYSTEM_INTERNAL_EVENTS_PER_SEC: reports internal EPS (not counted against the license)
  4. PH_SYSTEM_IP_EVENTS_PER_SEC: reports EPS at the device level
  5. PH_SYSTEM_DEVAPP_EVENTS_PER_SEC: reports EPS at the device level, but also includes vendor and model information
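The EPS license calculation (Calculations for License Usage Statistics, above) and the category table in this topic describe one mechanism from two sides: which events are counted, and what happens when the count exceeds the allowance. The following Python model puts both together. It is an added example, not FortiSIEM code. The category assignment uses the PH_RULE, PH_AUDIT and PH_DEV_MON prefixes and the flow/non-flow distinction given on the page; the source vocabulary (“syslog”, “netflow”, “internal” and so on), the catch-all of unmatched internal events into category 3, and the constructed event type names are this example's assumptions, and the per-event check stands in for the once-per-second thread the page describes.

```python
"""Event categories and EPS license accounting modeled on the page's tables.

Added example, not FortiSIEM code. Category numbers and the licensed set come
from the page's category table; the 1.1 x EPS x 180 per-window allowance and
the drop-for-the-rest-of-the-window behaviour come from the license section.
Source names, the category-3 catch-all and the per-event check are assumptions.
"""
from typing import Iterable, Optional

WINDOW_SECONDS = 180          # three-minute window
OVERAGE_FACTOR = 1.1          # 110% of the licensed EPS

# Categories that count against the EPS license (0 external, 4 flow, 6 perf monitoring)
LICENSED_CATEGORIES = {0, 4, 6}
FLOW_SOURCES = {"netflow", "sflow"}


def categorize(source: str, event_type: str) -> int:
    """Assign the page's system event category to one event.

    source: how the event arrived ("syslog", "snmptrap", "pull", "netflow",
            "sflow" or "internal"); this vocabulary is the example's own.
    """
    if event_type.startswith("PH_RULE"):
        return 1                      # incident
    if event_type.startswith("PH_AUDIT"):
        return 2                      # FortiSIEM audit event
    if event_type.startswith("PH_DEV_MON"):
        return 6                      # performance monitoring (licensed)
    if source in FLOW_SOURCES:
        return 4                      # external flow event (licensed)
    if source == "internal":
        return 3                      # internal system log (assumption: catch-all)
    return 0                          # external non-flow event (licensed)


class EpsLicenseGate:
    """Windowed counter admitting licensed events up to 1.1 x EPS x 180 per window."""

    def __init__(self, eps_license: int):
        self.limit = round(OVERAGE_FACTOR * eps_license * WINDOW_SECONDS)
        self.window_start: Optional[float] = None
        self.count = 0                # licensed events admitted in this window
        self.dropping = False
        self.notifications = 0        # one e-mail per window in which the limit was hit

    def _roll_window(self, ts: float) -> None:
        if self.window_start is None:
            self.window_start = ts
        while ts >= self.window_start + WINDOW_SECONDS:
            self.window_start += WINDOW_SECONDS
            self.count = 0            # counter resets at the window boundary
            self.dropping = False

    def offer(self, ts: float, category: int) -> str:
        """Return 'accepted', 'accepted (unlicensed)' or 'dropped'."""
        self._roll_window(ts)
        if category not in LICENSED_CATEGORIES:
            return "accepted (unlicensed)"   # never counted, never dropped
        if self.dropping:
            return "dropped"
        if self.count >= self.limit:
            # Allowance exhausted: drop this and every licensed event until the window ends.
            self.dropping = True
            self.notifications += 1
            return "dropped"
        self.count += 1
        return "accepted"


def simulate(events: Iterable[tuple], eps_license: int) -> dict:
    """events: (timestamp_seconds, source, event_type). Returns outcome counts."""
    gate = EpsLicenseGate(eps_license)
    summary = {"accepted": 0, "accepted (unlicensed)": 0, "dropped": 0}
    for ts, source, event_type in events:
        summary[gate.offer(ts, categorize(source, event_type))] += 1
    summary["notifications"] = gate.notifications
    summary["limit_per_window"] = gate.limit
    return summary


def burst(ts: float, source: str, event_type: str, n: int) -> list:
    """Constructed helper: n identical events at one timestamp."""
    return [(ts, source, event_type)] * n


if __name__ == "__main__":
    # Constructed traffic against a 10 EPS license (1980 licensed events per window).
    stream = (burst(0, "syslog", "Generic_Syslog", 1500)
              + burst(60, "netflow", "Flow_Record", 600)      # pushes past 1980
              + burst(61, "internal", "PH_AUDIT_Sample", 5)   # still admitted
              + burst(180, "syslog", "Generic_Syslog", 1))    # new window
    print(simulate(stream, eps_license=10))
```

Running the constructed stream shows the behaviour that matters operationally: the allowance is a per-window budget of 1.1 x EPS x 180 licensed events rather than a per-second rate, so a burst inside a window is admitted in full until the budget is gone, after which every licensed event is dropped until the window rolls over, while unlicensed internal events keep flowing.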
Changing Dashboard Theme

The UI page under Admin > General Settings contains fields that you can use to change the theme for these widget dashboards:

My Dashboard

Availability/Performance > Avail/Perf Widgets

Biz Svc Dashboard

Dashboards By Function

To do this

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > UI.
  3. Select the Dashboard Theme you want to use, and then click Change.
  4. Refresh the browser.

 

 

 

Installing OS Security Patches

You may want to install OS level security patches to fix some recently found vulnerabilities.

First check whether the CVEs you are interested in have already been patched by the current FortiSIEM version. You can do this by running the following command.
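The page's own check command is not reproduced here. As an added example that is not part of the FortiSIEM documentation or product, the following Python script shows one way to make this kind of check on a CentOS host: it reads an installed package's RPM changelog, where Red Hat-derived packagers normally record the CVE identifiers a build fixes, and reports which of the CVEs you are interested in are not mentioned. The package name, dates, maintainer and CVE numbers in the embedded sample changelog are constructed.

```python
"""Check RPM changelogs for CVE identifiers (added example, not FortiSIEM's command)."""
import re
import subprocess
from typing import Iterable

# Matches identifiers such as CVE-2017-1000253 (year, then four or more digits).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def cves_in_changelog(changelog: str) -> set:
    """Return every CVE identifier mentioned in an RPM changelog text."""
    return set(CVE_RE.findall(changelog))


def unpatched(changelog: str, wanted: Iterable[str]) -> list:
    """CVEs from `wanted` that the changelog does not mention, sorted.

    Absence from the changelog is not proof of exposure: the fix may live in
    another package, or the packager may not have recorded the ID. It only
    tells you the vendor did not claim the fix in this package.
    """
    return sorted(set(wanted) - cves_in_changelog(changelog))


def rpm_changelog(package: str) -> str:
    """Fetch the installed package's changelog with `rpm -q --changelog`.

    Returns an empty string when rpm is missing or the package is not installed,
    so every CVE is then reported as unconfirmed instead of the script crashing.
    """
    try:
        result = subprocess.run(
            ["rpm", "-q", "--changelog", package],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:          # not an RPM-based host
        return ""
    return result.stdout if result.returncode == 0 else ""


def report(package: str, wanted: Iterable[str], changelog: str = None) -> dict:
    """Map each wanted CVE to True (named in the changelog) or False."""
    text = rpm_changelog(package) if changelog is None else changelog
    mentioned = cves_in_changelog(text)
    return {cve: cve in mentioned for cve in wanted}


# Constructed sample in the layout `rpm -q --changelog` prints; the dates,
# maintainer, package and CVE numbers are made up for this example.
SAMPLE_CHANGELOG = """\
* Mon Jan 01 2018 Example Maintainer <maint@example.invalid> - 1.0.0-2
- Fix buffer overflow in request parser (CVE-2099-0001)
- Resolves: CVE-2099-0002

* Fri Dec 01 2017 Example Maintainer <maint@example.invalid> - 1.0.0-1
- Initial build
"""

if __name__ == "__main__":
    # Offline demonstration against the constructed changelog.
    for cve, named in report("example-pkg", ["CVE-2099-0001", "CVE-2099-0003"],
                             changelog=SAMPLE_CHANGELOG).items():
        print(f"{cve}: {'named in changelog' if named else 'NOT named'}")
    # On a real CentOS host, omit `changelog=` to query the installed package:
    #   report("openssl", ["CVE-2099-0001"])
```

Run it against the specific packages a CVE affects rather than every installed RPM, and treat a miss as a prompt to check the vendor's errata, not as a confirmed exposure: backported fixes are sometimes recorded without the CVE number, and some fixes ship in a different package than the one named in the advisory.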

To upgrade OS packages on Super, Worker, or Collectors, run the following command as root

We use a headless Chrome browser for STM, but Chrome is not supported by Google on the CentOS 6 or 7 platforms. To upgrade that package to the latest version, we use a third-party system.

Run the following commands as root on Super/Worker/Collector

FortiSIEM Working with the Configuration Management Database (CMDB)


Working with the Configuration Management Database (CMDB)

The Configuration Management Database (CMDB) contains:

Discovered information about your IT infrastructure such as devices, networks, applications, and users

Information derived from your discovered infrastructure, including network topology and inter-device relationships such as the relationship of WLAN Access Points to Controller, and Virtual Machines to ESX Hosts.

Information about system objects such as rules, reports, business services, event types, networks, and ports/protocols

You can find and manage all this information under the CMDB tab.

CMDB Categorization of Devices and Applications

Overview of the CMDB User Interface

Managing CMDB Objects

Anonymity Networks and Groups

Setting Up an External Data Source for Anonymity Networks

Applications

Malware Domains

Updating System Defined Malware Domain Groups

Manually Creating Malware Domains and Groups

Custom Malware Domain Threat Feed

Updating System-Defined Malware IP Groups

Manually Creating Malware IP Addresses and Groups

Custom Malware IP Threat Feed

Malware URLs

Updating System-Defined Malware URL Group

Manually Creating Malware URLs

Custom Malware URL Threat Feed

Malware Hashes

Updating System Defined Malware Hash Group

Manually Creating Manual Hash

Custom Malware Hash Threat Feed

Malware Processes

Country Groups

Creating CMDB Groups and Adding Objects to Them

Default Passwords

Creating a Watch List

System-Defined Watch Lists

Reporting on CMDB Objects

CMDB Report Types

Running, Saving, and Exporting a CMDB Report

Creating and Modifying CMDB Reports

Importing and Exporting CMDB Report Definitions

 

CMDB Categorization of Devices and Applications

Categorization of Devices and Applications

From Discovery – Network Devices

From Discovery – Applications

From Logs

Special Cases

Categorizing a Cisco IOS Router/Switch

Categorizing Fortinet Firewalls

Categorizing Microsoft IIS

Categorizing Cisco ASA

Categorizing Microsoft IIS

FortiSIEM Categorization of Devices and Applications

Categorization of Devices and Applications

FortiSIEM uses four methods to identify and categorize devices and applications in the CMDB.

From Discovery – Network Devices

When FortiSIEM discovers a device, it looks for keywords in the SNMP sysDescr attribute and also probes for the SNMP sysObjectID attribute. Internal tables are then used to map a discovered device to one or more CMDB device groups based on these attributes.

Keywords from the sysDescr attribute are matched against the system table Device Vendor and Model

Keywords from the sysObjectID attribute are matched against the system table Device Vendor and Model

Matches from the Device Vendor and Model table are then matched against the ApprovedDeviceVendor.csv table that is used to create the categories in the CMDB Devices/Applications.

From Discovery – Applications

FortiSIEM discovers applications by discovering the processes that are running on a server. The table AppMapping.csv maps process names to Applications, Application Groups, and application folders in the CMDB.

From Logs

FortiSIEM includes a large number of log parsers, each of which is associated with a Device Vendor/Model and Application Vendor/Model. When the log is parsed by FortiSIEM, the Device/Application/Vendor information is matched against the table ApprovedDeviceVendor.csv, which then assigns the application or device to the appropriate CMDB Device/Application folder.

Special Cases

There are some special cases that cannot be categorized using discovery or log information. An example is Microsoft Active Directory: it is an application, but there is no explicit process for it, since it runs inside a larger system service rather than as a process of its own. In this case, specific logs are used: Windows Security log events 672 and 673 detect a Microsoft Domain Controller 2000 or 2003, and Windows Security log events 4768 and 4769 detect a Microsoft Windows Domain Controller 2008 or 2012.

Examples

Categorizing a Cisco IOS Router/Switch

This is an example of categorizing a device using discovery. In this case, the Cisco IOS substring in the SNMP sysDescr attribute is used to detect a Cisco IOS device.

Then this entry in ApprovedDeviceVendor.csv maps the Device Vendor/Model Cisco IOS to the Router/Switch category in the CMDB. PH_ SYS_DEVICE_ROUTER_SWITCH is the internal ID of the category.

Categorizing Fortinet Firewalls

This is also an example of categorizing a device by discovery. In this case, the SNMPv2-SMI::enterprises.12356 substring in the SNMP sysObjectID attribute is used to detect a Fortinet Firewall device.

Then this entry in the ApprovedDeviceVendor.csv table maps the Device Vendor/Model Fortinet FortiOS to the Firewall and Network IPS categories in the CMDB, since a Fortinet firewall is a UTM device. PH_SYS_DEVICE_FIREWALL and PH_SYS_DEVICE_NETWORK_IPS are the internal IDs of the categories.

Categorizing Microsoft IIS

This is an example of categorizing an application based on a running process. In this case, SNMP discovers a process svchost.exe with the

This entry in the AppMapping.csv table is then used to map the process name svchost.exe with the path name -k iissvcs to a Microsoft IIS application.

Categorizing Cisco ASA

This is an example of categorizing a device based on logs. The Cisco ASA parser has a Device Vendor/Model associated with it, and when a log from the Cisco ASA device is parsed by FortiSIEM, this entry in ApprovedDeviceVendor.csv maps the Device Vendor/Model Cisco ASA to the Firewall and VPN Gateway categories in the CMDB. PH_SYS_DEVICE_FIREWALL and PH_SYS_DEVICE_VPN_GATEWAY are the internal IDs of these categories.

Categorizing Microsoft IIS

This is an example of categorizing an application based on logs. The Microsoft IIS (via Snare) parser has a Device Vendor/Model associated with it, and when a log from Microsoft IIS is processed by FortiSIEM, this entry in ApprovedDeviceVendor.csv maps the Device Vendor/Model Microsoft to the Windows Server and Web Server categories in the CMDB. PH_SYS_DEVICE_WINDOWS_SERVER and PH_SYS_APP_WEB_SERVER are the internal IDs of these categories.
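The four categorization paths described in this topic, as an added example that is not FortiSIEM code. The category IDs, the Cisco IOS keyword, the enterprises.12356 prefix, the svchost.exe -k iissvcs mapping and the Domain Controller event IDs are the page's; the in-memory tables stand in for ApprovedDeviceVendor.csv and AppMapping.csv, whose real layouts the page does not show, and the Microsoft/IIS vendor-model pair and the sample sysDescr and sysObjectID values are assumptions.

```python
"""Device and application categorization along the four paths the page describes.

Added example, not FortiSIEM code. The dict/list tables below stand in for
ApprovedDeviceVendor.csv, the Device Vendor and Model table and AppMapping.csv;
their real formats are not shown on the page. Category IDs are the page's.
"""
from typing import Dict, List, Optional, Set, Tuple

VendorModel = Tuple[str, str]

# Stand-in for ApprovedDeviceVendor.csv: (vendor, model) -> CMDB category IDs
APPROVED_DEVICE_VENDOR: Dict[VendorModel, List[str]] = {
    ("Cisco", "IOS"): ["PH_SYS_DEVICE_ROUTER_SWITCH"],
    ("Fortinet", "FortiOS"): ["PH_SYS_DEVICE_FIREWALL", "PH_SYS_DEVICE_NETWORK_IPS"],
    ("Cisco", "ASA"): ["PH_SYS_DEVICE_FIREWALL", "PH_SYS_DEVICE_VPN_GATEWAY"],
    # The page gives only "Microsoft" for the IIS-via-Snare parser; "IIS" is assumed.
    ("Microsoft", "IIS"): ["PH_SYS_DEVICE_WINDOWS_SERVER", "PH_SYS_APP_WEB_SERVER"],
}

# Stand-in for the Device Vendor and Model table: sysDescr keywords, sysObjectID prefixes
SYSDESCR_KEYWORDS: List[Tuple[str, VendorModel]] = [("Cisco IOS", ("Cisco", "IOS"))]
SYSOBJECTID_PREFIXES: List[Tuple[str, VendorModel]] = [
    ("SNMPv2-SMI::enterprises.12356", ("Fortinet", "FortiOS")),
]

# Stand-in for AppMapping.csv: (process name, argument substring, application)
APP_MAPPING: List[Tuple[str, str, str]] = [("svchost.exe", "-k iissvcs", "Microsoft IIS")]


def vendor_model_from_discovery(sys_descr: str, sys_object_id: str) -> Set[VendorModel]:
    """Match sysDescr keywords (case-insensitive substring) and sysObjectID prefixes."""
    found: Set[VendorModel] = set()
    lowered = sys_descr.lower()
    for keyword, vm in SYSDESCR_KEYWORDS:
        if keyword.lower() in lowered:
            found.add(vm)
    for prefix, vm in SYSOBJECTID_PREFIXES:
        if sys_object_id.startswith(prefix):
            found.add(vm)
    return found


def categories_for(vendor_models) -> Set[str]:
    """Resolve vendor/model pairs to CMDB categories; unknown pairs yield nothing."""
    cats: Set[str] = set()
    for vm in vendor_models:
        cats.update(APPROVED_DEVICE_VENDOR.get(vm, []))
    return cats


def categorize_from_discovery(sys_descr: str, sys_object_id: str) -> Set[str]:
    """Path 1: SNMP discovery of network devices."""
    return categories_for(vendor_model_from_discovery(sys_descr, sys_object_id))


def application_from_process(name: str, args: str) -> Optional[str]:
    """Path 2: application discovery from a running process and its arguments."""
    for proc, arg_key, app in APP_MAPPING:
        if name.lower() == proc.lower() and arg_key in args:
            return app
    return None


def categorize_from_log(parser_vendor_model: VendorModel) -> Set[str]:
    """Path 3: the parser that matched the log carries the vendor/model."""
    return categories_for([parser_vendor_model])


def domain_controller_from_windows_event(event_id: int) -> Optional[str]:
    """Path 4 (special case): Kerberos ticket events identify a Domain Controller."""
    if event_id in (672, 673):
        return "Microsoft Domain Controller 2000/2003"
    if event_id in (4768, 4769):
        return "Microsoft Windows Domain Controller 2008/2012"
    return None


if __name__ == "__main__":
    # Constructed sample values; the sysObjectIDs are illustrative only.
    print(categorize_from_discovery("Cisco IOS Software, C2960 Software",
                                    "SNMPv2-SMI::enterprises.9.1.716"))
    print(categorize_from_discovery("FortiGate-60E v6.0",
                                    "SNMPv2-SMI::enterprises.12356.101.1.60000"))
    print(application_from_process("svchost.exe", "-k iissvcs"))
    print(categorize_from_log(("Cisco", "ASA")))
    print(domain_controller_from_windows_event(4768))
```

The point worth noticing is that a device can land in more than one category (the Fortinet and Cisco ASA rows each yield two), that a process name alone is not enough for application mapping (svchost.exe hosts many services, so the argument string decides), and that an unmatched vendor/model simply produces no category rather than a guess.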


FortiSIEM Overview of the CMDB User Interface

Overview of the CMDB User Interface

While the Summary and Widget dashboard views of your IT infrastructure provide real-time monitoring and reporting on your IT infrastructure, the CMDB view provides more in-depth detail about devices, applications, users, and other IT infrastructure components as they are listed in the CMDB, as well as the ability to manage these objects.

Tab Overview

Inventory Management and Edit Details Controls

User Interface Controls for Device View

Data Collection Status

Tab Overview

This screenshot shows the Device view of the CMDB tab with Devices selected in the Device View of the IT infrastructure hierarchy. For any type of object you select in the hierarchy, the CMDB will load a Summary view of the objects in the top pane, and Details for any individual object you select from the summary in the bottom pane. While the available details will change depending on the type of object you select, all objects in the CMDB view will have Inventory Management controls in the summary pane, and an Edit Details control in the Details pane.

Inventory Management and Edit Details Controls
UI Control and Description

New: Add a new object to the CMDB.

Manually Adding Devices to the CMDB: In most cases you will want to add devices to the CMDB through the device discovery process, but there are some situations in which you may want to add them manually, as described in Adding Devices to the CMDB Outside of Discovery and Adding a Synthetic Monitoring Test to a Business Service.

Delete: Delete a selected object from the CMDB

Edit: Edit details about the selected object. You can also use the Edit Details button in the Details pane for the same purpose. You can also set device-specific properties to use in defining per-device thresholds.
User Interface Controls for Device View

The view of devices in the CMDB provides you with a number of ways to access information about a device. Some of the device user interface controls in the CMDB view you can also find in the dashboard summary view of devices, such as the Analysis menu and the Quick Info view of a device.

UI Control and Description

Views
  Inventory: A summary of all devices of that type in the CMDB
  Topo: Shows all devices of the selected type in a topology view
  Performance: Shows a Performance Summary dashboard for all devices of that type

IP Management: Hover your mouse cursor over the IP address associated with a device to open the IP Management menu.
  Quick Info: Loads the Quick Info for the device, which you can also see by selecting Quick Info in the Analysis menu
  Topology: Shows the device’s location in the network topology, which you can also see by clicking the Topology button in the device Details pane
  Show Real-Time events on this IP: Loads a Real Time Search with the selected IP address in the search criteria
  Show Events on this IP for the Past 5 Minutes: Loads a Historical search with the selected IP address in the search criteria and the Time filter set to Last 5 Mins
  Add to WatchList: Add that IP address to a WatchList

More
  Location: Displays any location information associated with the device
  Change Org: For multi-tenant deployments, change the organization associated with the device
  Impacted Org: Shows the organizations that the device is associated with
  Maintenance: Displays the maintenance schedule for the device
  Export General Info: Exports a summary view of selected devices, or a detailed view of information for a specific device, in PDF or CSV format

Approve: Approve any newly-discovered devices

Analysis: The Analysis menu contains a number of options for component analytics, depending on the component selected. See Using the Analysis Menu for more information. You can also access the Analysis menu for a component by hovering your mouse over the component’s Device IP menu until the blue Quick Info icon appears, and then clicking the icon.
Quick Info: The Quick Info view of a device, which you can also access through the Analysis menu or by hovering your mouse cursor over the Device IP column, displays General and Health information for the device and, when appropriate, Identity and Location information. It also contains links to additional information about the device:
  Incidents: An exportable summary of incidents associated with the device
  Health: Availability, Performance, and Security health information for the device. You can also access this information by clicking the Device Health user interface control, or by selecting Device Health in the Analysis menu.
  BizService: Any business services impacted by the device. You can also access this information by selecting Impacted Business Services in the Analysis menu.
  Applications: Displays a report on the top 10 applications associated with the device by Average CPU Utilization over the past hour
  Vulnerability and IPS Status (not used in the Dashboard view): Displays the vulnerability status reports that are also available by selecting Vulnerability and IPS Status in the Analysis menu
  Hardware Health (used only for the CMDB/Storage view): Displays health information for the hardware being used for storage
  Interfaces: Displays a report on the top 10 interfaces associated with the device by average throughput
  Topology: Shows the device’s location in the network topology. You can also access this information by selecting Topology in the Analysis menu.

The Quick Info view also contains two links, Goto Config Item, which links to the device entry in the CMDB, and Goto Identity, which links to Analytics > Identity and Location Report, where you can edit this information for the device.

Device Info: Each tab contains information about a specific aspect of the device, as well as an Edit button to change information:
  Summary: General organizational and operational information about the device
  Health: Availability, Performance, and Security health reports for the device. You can also access this information by selecting a device in the Summary dashboard and then clicking Health, or by going to Quick Info > Health after selecting the device. If any Incidents are displayed, click the number to view the Incident Summary. Depending on the reported metric, you can zoom in for a closer look at graphs and reports by clicking the Magnifying Glass icon that appears when you hover your mouse cursor over them.
  Monitor: Shows Event Receive Status and Performance Monitor Status, that is, when data was last collected and the resulting status
  Contact: Contact information for the device
  Interfaces: Interfaces connected to the device
  Software: Software running on the device. Categories include Installed Software, Running Applications, Windows Services, and Installed Patches. In the Installed Software category you can use the Diff… button to compare different versions of software you’ve installed.
  Hardware: Information about the hardware associated with the device. Categories include Processors, Storage, SAN Storage, System BIOS, Components, SAN Ports, RAID Groups, LUNs, and Storage Groups.
  Configuration: Configuration files associated with the device. You can compare configuration files by selecting two or more, and then clicking Diff…
  Relationships: Other devices that this device interacts with

Topology: Shows the selected device in the Topology view

Edit Details: Click to edit the Summary, Contact Info, Interfaces, and Properties for the device

 

Data Collection Status

Real time data collection status is shown for each device

Performance Monitor Status

Normal – if every performance monitor job status for this device is Normal

Warning – if at least one performance monitor job status for this device is Warning and none is Critical

Critical – if at least one performance monitor job status for this device is Critical

Event Receive Status

Normal – if the event receive status of every protocol for this device is Normal

Warning – if the event receive status of at least one protocol for this device is Warning and none is Critical

Critical – if the event receive status of at least one protocol for this device is Critical

Performance Monitor Job Status is computed as follows. Two global constants are defined in Admin > Device Support > Custom Properties.

  1. Performance Monitoring Time Gap Warning Threshold – multiples of polling interval (default 3)
  2. Performance Monitoring Time Gap Critical Threshold – multiples of polling interval (default 5)

Event Receive Job Status is computed as follows. Two global constants are defined in Admin > Device Support > Custom Properties.

  1. Event Receive Time Gap Warning Threshold in minutes (default 10)
  2. Event Receive Time Gap Critical Threshold in minutes (default 20)

These constants can also be specified at a per device level from CMDB > Device > Bottom pane Edit > Properties. Write new values for these thresholds in the edit box and click Save.

Metric | Status | Condition
Performance Monitor Job Status | Normal | Performance Monitoring Time Gap LESS THAN Performance Monitoring Time Gap Warning Threshold
Performance Monitor Job Status | Warning | Performance Monitoring Time Gap GREATER THAN Performance Monitoring Time Gap Warning Threshold BUT LESS THAN Performance Monitoring Time Gap Critical Threshold
Performance Monitor Job Status | Critical | Performance Monitoring Time Gap GREATER THAN Performance Monitoring Time Gap Critical Threshold
Event Receive Job Status | Normal | Event Receive Time Gap LESS THAN Event Receive Time Gap Warning Threshold
Event Receive Job Status | Warning | Event Receive Time Gap GREATER THAN Event Receive Time Gap Warning Threshold BUT LESS THAN Event Receive Time Gap Critical Threshold
Event Receive Job Status | Critical | Event Receive Time Gap GREATER THAN Event Receive Time Gap Critical Threshold

The following table shows how the various job types are classified into Performance Monitor or Event Receive types.

Job Type | Classification in CMDB > Device > Monitor
Jobs defined in Admin > Setup wizard > Monitor Change/performance | Performance Monitor
Jobs defined in Admin > Setup wizard > Pull Events (e.g. | Event Receive
Protocols via which data is pushed to us – syslog, SNMP Trap, Netflow, SFlow, Windows Agents etc | Event Receive

 

The following rules trigger when certain data collection exceptions happen.

Rule | When does it trigger? | When does it clear?
Missing specific performance metric from a device | Triggers when Performance Monitor is Critical for one job for a monitored device | Clears when Performance Monitor is Normal for that job from that device
No performance metrics from a device | Triggers when Performance Monitor is Critical for ALL jobs for a monitored device | Clears when Performance Monitor is Normal for all jobs from that device
FortiSIEM Performance Monitoring Relay Not Working – All Devices delayed | Triggers when Performance Monitor is Critical for all devices monitored by a Worker/Collector (that is acting as a Performance Monitoring Relay) | Clears when Performance Monitor is Normal for all devices from that Worker/Collector
No logs from a device | Triggers when Event Receive Job Status is Critical for one device | Clears when Event Receive Job Status is Normal for that device
FortiSIEM Log Relay Not Working – All Devices delayed | Triggers when Event Receive Job Status is Critical for all devices to a specific Worker/collector (that is acting as a Log Relay) | Clears when Event Receive Job Status is Normal for all devices from that Worker/Collector
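The status computation and rule logic described above, as an added Python illustration that is not FortiSIEM's own code: it derives a job status from a time gap and the warning/critical thresholds, rolls jobs up to the device-level Performance Monitor Status and Event Receive Status, and reports which of the listed rules would trigger. The threshold names and defaults are taken from the documentation; the function names, data structures and the treatment of a gap that lands exactly on a threshold are assumptions made here.

```python
"""Added example, not FortiSIEM's own code: reproduce the data collection status
logic described in the CMDB > Device > Monitor documentation. Threshold names and
defaults come from the doc; data structures, function names and the handling of a
gap that lands exactly on a threshold are assumptions."""

# Global constants from Admin > Device Support > Custom Properties (documented defaults).
GLOBAL_THRESHOLDS = {
    "Performance Monitoring Time Gap Warning Threshold": 3,   # multiples of polling interval
    "Performance Monitoring Time Gap Critical Threshold": 5,  # multiples of polling interval
    "Event Receive Time Gap Warning Threshold": 10,           # minutes
    "Event Receive Time Gap Critical Threshold": 20,          # minutes
}

def threshold(name, device_overrides=None):
    """Per-device values (CMDB > Device > Edit > Properties) take precedence over the globals."""
    if device_overrides and name in device_overrides:
        return device_overrides[name]
    return GLOBAL_THRESHOLDS[name]

def classify(gap, warn, crit):
    """Doc: LESS THAN warn is Normal, above warn but LESS THAN crit is Warning, above crit
    is Critical. A gap exactly equal to a threshold is treated as having reached it (assumption)."""
    if gap < warn:
        return "Normal"
    if gap < crit:
        return "Warning"
    return "Critical"

def perf_job_status(gap_seconds, polling_interval_seconds, device_overrides=None):
    """Performance Monitor job status: thresholds are multiples of the job's polling interval."""
    warn = threshold("Performance Monitoring Time Gap Warning Threshold", device_overrides)
    crit = threshold("Performance Monitoring Time Gap Critical Threshold", device_overrides)
    return classify(gap_seconds, warn * polling_interval_seconds, crit * polling_interval_seconds)

def event_receive_job_status(gap_minutes, device_overrides=None):
    """Event Receive status for one protocol: thresholds are absolute minutes."""
    warn = threshold("Event Receive Time Gap Warning Threshold", device_overrides)
    crit = threshold("Event Receive Time Gap Critical Threshold", device_overrides)
    return classify(gap_minutes, warn, crit)

def aggregate(statuses):
    """Device-level roll-up: Critical if any job is Critical, Warning if at least one is
    Warning and none is Critical, otherwise Normal."""
    statuses = list(statuses)
    if "Critical" in statuses:
        return "Critical"
    if "Warning" in statuses:
        return "Warning"
    return "Normal"

def device_status(perf_jobs, event_protocols, device_overrides=None):
    """perf_jobs: {job name: (gap in seconds, polling interval in seconds)};
    event_protocols: {protocol: gap in minutes}. Returns per-job statuses, the two
    device-level statuses shown in CMDB > Device > Monitor, and the rules that trigger."""
    perf = {job: perf_job_status(gap, poll, device_overrides)
            for job, (gap, poll) in perf_jobs.items()}
    evt = {proto: event_receive_job_status(gap, device_overrides)
           for proto, gap in event_protocols.items()}
    rules = []
    crit_jobs = [job for job, s in perf.items() if s == "Critical"]
    # Assumption: the two performance rules are mutually exclusive, "one job" meaning
    # at least one but not all of the device's jobs.
    if perf and len(crit_jobs) == len(perf):
        rules.append("No performance metrics from a device")
    elif crit_jobs:
        rules.append("Missing specific performance metric from a device")
    if evt and aggregate(evt.values()) == "Critical":
        rules.append("No logs from a device")
    return {
        "perf_jobs": perf,
        "event_protocols": evt,
        "Performance Monitor Status": aggregate(perf.values()),
        "Event Receive Status": aggregate(evt.values()),
        "rules": rules,
    }

def relay_rules(device_results):
    """Rules evaluated across all devices behind one Worker/Collector acting as a relay."""
    rules = []
    if device_results and all(r["Performance Monitor Status"] == "Critical" for r in device_results):
        rules.append("FortiSIEM Performance Monitoring Relay Not Working – All Devices delayed")
    if device_results and all(r["Event Receive Status"] == "Critical" for r in device_results):
        rules.append("FortiSIEM Log Relay Not Working – All Devices delayed")
    return rules

if __name__ == "__main__":
    # Constructed sample: two SNMP jobs polled every 180 s, syslog 12 min old, traps 3 min old.
    result = device_status({"SNMP CPU": (400, 180), "SNMP Interface": (1000, 180)},
                           {"syslog": 12, "SNMP Trap": 3})
    print(result["Performance Monitor Status"], result["Event Receive Status"], result["rules"])
```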

 

 

 

FortiSIEM Managing CMDB Objects

Managing CMDB Objects

CMDB objects include discovered devices and their network relationships, as well as system objects like rules and events. You can find the full list of these objects in the Device View of the CMDB tab, and you can add objects to the database or edit ones that are already there.

Anonymity Networks and Groups

Setting Up an External Data Source for Anonymity Networks

Applications

Malware Domains

Updating System Defined Malware Domain Groups

Manually Creating Malware Domains and Groups

Custom Malware Domain Threat Feed

Updating System-Defined Malware IP Groups

Manually Creating Malware IP Addresses and Groups

Custom Malware IP Threat Feed

Malware URLs

Updating System-Defined Malware URL Group

Manually Creating Malware URLs

Custom Malware URL Threat Feed

Malware Hashes

Updating System Defined Malware Hash Group

Manually Creating Manual Hash

Custom Malware Hash Threat Feed

Malware Processes

Country Groups

Creating CMDB Groups and Adding Objects to Them

Default Passwords

Creating a Watch List

System-Defined Watch Lists

Anonymity Networks and Groups

An anonymity network is used to hide one’s network identity, and is typically used by malware to hide its originating IP address. Enterprise network traffic should not originate from or be destined to an anonymity network.

When FortiSIEM discovers traffic destined to or originating from anonymity networks, it triggers these rules:

Inbound Traffic from Tor Network

Outbound Traffic to Tor Network

Inbound Traffic from Open Proxies

Outbound Traffic to Open Proxies

Adding an Anonymity Network

  1. Log into your Supervisor node.
  2. Go to CMDB > Anonymity Networks.
  3. Create a group to add the new network to if you are not adding it to an existing group.
  4. Select the group where you want to add the anonymity network.
  5. Click New.
  6. Enter IP, Port, and Country information about the anonymity network.
  7. Click the Calendar icon to enter the date you created or updated this entry.
  8. Click Save.

 

 

 

Setting Up an External Data Source for Anonymity Networks

This topic describes how to import anonymity networks information into FortiSIEM from external threat feed websites. Anonymity networks are used by malware to hide their own identity. Two prominent examples of anonymity networks are Open Proxies and TOR Nodes.

Prerequisites

Procedure

Websites with built in support

Custom websites – CSV data – one-time manual import

Custom websites – CSV data – programmatic import

New Websites – non-CSV data – programmatic import

Prerequisites

Before proceeding, gather the following information about a threat feed web site.

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL. If the data is in comma separated value format (the separator need not be a comma but could be any separator), then a simple integration is possible.

If the data is in any other format, e.g. XML, then some code needs to be written for integration using the FortiSIEM provided framework.

Procedure

Websites with built in support

The following websites are supported

Threat Stream Open Proxy  (https://api.threatstream.com)

Threat Stream TOR Node  (https://api.threatstream.com)

To import data from these websites, follow these steps

  1. In the CMDB > Anonymity Network, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters – when to start and how often to import. FortiSIEM recommends no more frequent than hourly.
  7. Select the type of template you want to create.

Custom websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma separated value format. The required format is

  1. Select CMDB>Anonymity Network.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Anonymity Network Group
  3. Enter Group and add Description. Click OK to create the folder under Anonymity Networks.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse; enter the file name and click Upload.
  7. The imported data will show on the right pane.

Custom websites – CSV data – programmatic import

This requires that the web site data is

  1. Select CMDB > Anonymity Networks.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Anonymity Network Group
  3. Enter Group and add Description. Click OK to create the folder under Anonymity Networks.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the default class AccelOps.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the IP is in third position, then choose 3 in the Position
    7. Click Save
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

New Websites – non-CSV data – programmatic import

This is the most general case, where the website data format does not satisfy the previous conditions. In this case, the user has to write a Java plugin class by modifying the default system provided one. After the class has been written and fully tested for correctness, follow these steps.

  1. Select CMDB > Anonymity Networks.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Anonymity Network Group
  3. Enter Group and add Description. Click OK to create the folder under Anonymity Networks.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, choose the custom Java class for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the IP address is in third position, then choose 3 in the Position
    7. Click Save
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

 


FortiSIEM CMDB Applications

Applications

Applications in the CMDB are grouped at the highest level by Infrastructure and User apps, with further sub-categorization in each of those two categories.

Adding an Application

  1. Log in to your Supervisor node.
  2. Go to CMDB > Applications.
  3. Create a new application group or select an existing one.
  4. Click New.
  5. Enter an Application Name and Process.
  6. Enter any other information for the application.
  7. Click Save.

 

FortiSIEM CMDB Malware Domains

Malware Domains

The CMDB Malware Domains page lists domains that are known to generate spam, host botnets, create DDoS attacks, and generally contain malware. The three default groups included in your FortiSIEM deployment, MalwareDomainList, Zeus Domains, and SANS Domains, contain malware domains that are derived from the websites malwaredomainlist.com, zeustracker.abuse.ch, and isc.sans.edu. Because malware domains are constantly shifting, FortiSIEM recommends maintaining a dynamically generated list of IP addresses provided by services such as these that is updated on a regular schedule, but you can also add or remove blocked IP addresses from these system-defined groups, and create your own groups based on manual entry of IP addresses or file upload.

Updating System Defined Malware Domain Groups

System defined groups are MalwareDomainList, Zeus Domains, and SANS Domains, which are updated by their corresponding services. You can set these to update automatically on a schedule, or add or remove individual IP addresses from them.

Setting Schedule

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. Select a system-defined group.
  4. Click Update.
  5. Select Update Automatically to open the update scheduler and verify the URI of the update service.
  6. Set the schedule for how often you want the list to update from the service.
  7. Click Save.

Adding/Removing entries

  1. If you want to remove a domain or set of domains from the group, clear the Enable selection next to the domain name, and then click Continue to confirm.

The domain will still be listed in the group, but it will no longer be blocked. Select Enable to resume blocking it.

  2. If you want to add a malware domain to the group, make sure the group is selected, click New, and enter information about the blocked IP address.

Changing to STIX/TAXII

If the system defined threat feeds are available via STIX/TAXII, then check the STIX/TAXII box.

Manually Creating Malware Domains and Groups

  1. Create a group under Blocked Domains as described in Creating CMDB Groups and Adding Objects to Them.
  2. Select the group you created and click New.
  3. Enter information for the Blocked Domain you want to add, and then click Save.

Custom Malware Domain Threat Feed

This topic describes how to import malware domain information into FortiSIEM from external threat feed websites.

Pre-requisites

Threat feed Websites with built in support

Custom threat feed websites – CSV data – one-time manual import

Custom threat feed websites – CSV data – programmatic import

Custom threat feed websites – non-CSV data – programmatic import

Custom threat feed websites – STIX formatted data and TAXII import

Pre-requisites

Before proceeding, gather the following information about a threat feed web site.

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL. If the data is in comma separated value format (the separator need not be a comma but could be any separator), then a simple integration is possible.

If the data is in any other format, e.g. XML, then some code needs to be written for integration using the FortiSIEM provided framework.

Threat feed Websites with built in support

The following websites are supported

Malware domain list (http://www.malwaredomainlist.com)

Zeus domains (https://zeustracker.abuse.ch)

SANS Domains (https://isc.sans.edu/feeds/)

Threat Stream Domains  (https://api.threatstream.com)

Hail-A-TAXII Domains  (http://hailataxii.com/)

For Threat Stream the following malware domain types are included

Command and Control Domain

Compromised Domain

Malware Domain

Dynamic DNS Domain

APT Domain

To import data from these websites, follow these steps

  1. In the CMDB > Malware Domains, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters – when to start and how often to import. FortiSIEM recommends no more frequent than hourly.
  7. Select the type of template you want to create.

Custom threat feed websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma separated value format. The required format is

  1. Select CMDB>Malware Domains.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Domain Group
  3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse; enter the file name and click Upload.
  7. The imported data will show on the right pane.

Custom threat feed websites – CSV data – programmatic import

  1. Select CMDB > Malware Domains.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Domain Group
  3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the default class FortiSIEM.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the domain name is in third position, then choose 3 in the Position
    7. Click Save
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – non-CSV data – programmatic import

This is the most general case, where the website data format does not satisfy the previous conditions. In this case, the user has to write a Java plugin class by modifying the default system provided one. Follow the instructions in the FortiSIEM ServiceAPI, available on the FortiSIEM support portal under the FortiSIEM ServiceAPI section. After the class has been written and fully tested for correctness, follow these steps.

  1. Select CMDB>Malware Domains.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Domain Group
  3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, choose the custom Java class for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the domain name is in third position, then choose 3 in the Position
    7. Click Save
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – STIX formatted data and TAXII import

In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.

  1. Select CMDB>Malware Domains.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Domain Group
  3. Enter Group and add Description. Click OK to create the folder under Malware Domains.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, choose STIX-TAXII and Full
    4. Click Save
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

FortiSIEM CMDB Malware IPs

Malware IPs

The CMDB Malware IPs page lists IP addresses that are known to generate spam, host botnets, create DDoS attacks, and generally contain malware. The two default groups included in your FortiSIEM deployment, Emerging Threats and Zeus, contain IP addresses that are derived from the websites rules.emergingthreats.net and zeustracker.abuse.ch. Because malware IP addresses are constantly shifting, FortiSIEM recommends maintaining a dynamically generated list of IP addresses provided by services such as these that is updated on a regular schedule, but you can also add or remove blocked IP addresses from these system-defined groups, and create your own groups based on manual entry of IP addresses or file upload.

Updating System-Defined Malware IP Groups

System defined groups are Emerging Threats and Zeus, which are updated by their corresponding services. You can set these to update automatically on a schedule, or add or remove individual IP addresses from them.

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. Select a system-defined group.
  4. Click Update.
  5. Select Update Automatically to open the update scheduler and verify the URI of the update service.
  6. Set the schedule for how often you want the list to update from the service.
  7. Click Save.
  8. If you want to remove an IP address or set of IP addresses from the group, clear the Enable selection next to the IP address, and then click Continue to confirm.

The IP address will still be listed in the group, but it will no longer be blocked. Select Enable to resume blocking it.

  9. If you want to add a malware IP address to the group, make sure the group is selected, click New, and enter information about the blocked IP address.

Manually Creating Malware IP Addresses and Groups

  1. Create a group under Blocked IPs as described in Creating CMDB Groups and Adding Objects to Them.
  2. Select the group you created and click New.
  3. Enter information for the Blocked IP address you want to add, and then click Save.

Custom Malware IP Threat Feed

This topic describes how to import Malware IP information into FortiSIEM from external threat feed websites.

Prerequisites

Websites with built in support

Custom threat feed websites – CSV data – one-time manual import

Custom threat feed websites – CSV data – programmatic import

Custom threat feed websites – non-CSV data – programmatic import

Custom threat feed websites – STIX formatted data and TAXII import

Prerequisites

Before proceeding, gather the following information about a threat feed web site.

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL. If the data is in comma separated value format (the separator need not be a comma but could be any separator), then a simple integration is possible.

If the data is in any other format, e.g. XML, then some code needs to be written for integration using the FortiSIEM provided framework.

Websites with built in support

The following websites are supported

Emerging threat (http://rules.emergingthreats.net)

Zeus (https://zeustracker.abuse.ch)

Threat Stream Malware IP (https://api.threatstream.com)

Hail-A-TAXII Malware IP  (http://hailataxii.com/)

For Threat Stream Malware IP, the following Malware types are imported

Bot IP

Actor IP

APT Email

APT IP

Bruteforce IP

Compromised IP

Malware IP

DDoS IP

Phishing email IP

Phish URL IP

Scan IP

Spam IP

To import data from these websites, follow these steps

  1. In the CMDB > Malware IPs, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters – when to start and how often to import. FortiSIEM recommends no more frequent than hourly.
  7. Select the type of template you want to create.

Custom threat feed websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma separated value format. The required format is

  1. Select CMDB > Malware IPs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware IP Group
  3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse; enter the file name and click Upload.
  7. The imported data will show on the right pane.

Custom threat feed websites – CSV data – programmatic import

  1. Select CMDB > Malware IPs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware IP Group
  3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the default class AccelOps.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the IP is in third position, then choose 3 in the Position
    7. Click Save
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – non-CSV data – programmatic import

This is the most general case, where the website data format does not satisfy the previous conditions. In this case, the user has to write a Java plugin class by modifying the default system provided one. Follow the instructions in the FortiSIEM ServiceAPI, available on the FortiSIEM support portal under the FortiSIEM ServiceAPI section.

After the class has been written and fully tested for correctness, follow these steps.

  1. Select CMDB>Malware IPs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware IP Group
  3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, choose the custom Java class for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example if the Low IP is in first position, then choose 1 in the Position
    7. Click Save
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – STIX formatted data and TAXII import

In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.

  1. Select CMDB>Malware IPs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware IP Group
  3. Enter Group and add Description. Click OK to create the folder under Malware IPs.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, choose STIX-TAXII and Full
    4. Click Save
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

FortiSIEM CMDB Malware URLs

Malware URLs

The CMDB Malware URLs page lists URLs that are known to host malware.

The Threat Stream Malware URL group is included in your FortiSIEM deployment.

Updating System-Defined Malware URL Group

The current system-defined groups are each updated by their own service:

Threat Stream Malware URL

FortiSandbox Malware URL

Hail-A-Taxi Malware URL

You only need to set these to update automatically on a schedule.

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. Select a system defined group
  4. Click Update.
  5. Set Schedule
    1. Select Update Automatically to open the update scheduler and verify the URI of the update service.
    2. Set the schedule for how often you want the list to update from the service.
    3. Click OK.
    4. Click Save
  6. Set user name and password
    1. Select the link
    2. Click Edit
    3. Enter User Name and Password
    4. Set Data Format to Custom and Incremental
    5. Click Save

Manually Creating Malware URLs

  1. Create a group under Blocked URLs as described in Creating CMDB Groups and Adding Objects to Them.
  2. Select the group you created and click New.
  3. Enter information for the Blocked URL you want to add, and then click Save.

Custom Malware URL Threat Feed

This topic describes how to import Malware URL information into FortiSIEM from external threat feed websites.

Prerequisites

Threat feed websites with built in support

Custom threat feed websites – CSV data – one-time manual import

Custom threat feed websites – CSV data – GUI import

Custom threat feed websites – non-CSV data – programmatic import

Custom threat feed websites – STIX formatted data and TAXII import

Prerequisites

Before proceeding, gather the following information about a threat feed web site.

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL.

If the data is in comma separated value (CSV) format, then a simple integration is possible. Note that the separator need not be a comma but could be any separator.

If the data is any other format, e.g. XML, then some code needs to be written for integration using the FortiSIEM provided framework

Threat feed websites with built in support

The following websites are supported

Threat Stream Malware URL (https://api.threatstream.com)

FortiSandbox Malware URL

Hail-A-TAXII Malware IP  (http://hailataxii.com/)

To import data from these websites, follow these steps

  1. In the CMDB > Malware URLs, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters – when to start and how often to import. FortiSIEM recommends no more frequent than hourly.

Custom threat feed websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma separated value format. The required format is

  1. Select CMDB > Malware URL
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware URL Group
  3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse; enter the file name and click Upload.
  7. The imported data will show on the right pane.

Custom threat feed websites – CSV data – GUI import

This requires that the web site data has the following structure.

The file is in comma separated value format (the separator can be any special character such as space, tab, hash, dollar etc.)

One line has only one entry

Follow these steps.

  1. Select CMDB > Malware URLs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware URL Group
  3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the default class AccelOps.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Set Data Format to CSV
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the URL is in the third position, choose 3 for Position.
    7. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – non-CSV data – programmatic import

This is the most general case, where the website data format is not CSV. In this case, the user has to write a Java plugin class by modifying the default system-provided one. Follow the instructions in the FortiSIEM ServiceAPI, available at the FortiSIEM support portal under the FortiSIEM ServiceAPI section.

After the class has been written and fully tested for correctness, follow these steps.

  1. Select CMDB>Malware URLs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware URL Group
  3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the custom Java class for this case
    4. Select Custom as the Data Format.
    5. Click Save
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – STIX formatted data and TAXII import

In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.

  1. Select CMDB>Malware URLs.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware URL Group
  3. Enter Group and add Description. Click OK to create the folder under Malware URLs.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, choose STIX-TAXII and Full
    4. Click Save
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Malware Hashes

The CMDB Malware Hash page can be used to define a list of malware files and their hashes. When FortiSIEM monitors a directory, it generates these directory events:

  Directory Event                          Generated by
  PH_DEV_MON_CUST_FILE_CREATE              New file creation
  PH_DEV_MON_CUST_FILE_SCAN                Directory is scanned
  PH_DEV_MON_CUST_FILE_CHANGE_CONTENT      Changes in file content

When FortiSIEM scans a file and collects its hash, it uses the system rule Malware Hash Check to check the list of malware hashes, and triggers an alert if a match is found.
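The scan-and-check loop described above, as an added example in Python (not FortiSIEM code): every file under a directory is hashed, each digest is compared with a malware hash set, and one PH_DEV_MON_CUST_FILE_SCAN-style record per file is produced with a match flag. The sample directory, its two files and the hash list are constructed inside demo(); the record field names other than the event type, the choice of MD5/SHA-1/SHA-256, and case-insensitive comparison are assumptions, not documented FortiSIEM behaviour.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Set


def hash_file(path: str) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 of a file in a single pass over 4 KiB chunks."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(4096), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_directory(root: str, malware_hashes: Set[str]) -> List[Dict[str, object]]:
    """Emit one scan record per file; flag it when any digest is on the malware list.

    Field names other than eventType are assumed for this example.
    """
    wanted = {h.lower() for h in malware_hashes}  # assumed: compare case-insensitively
    events: List[Dict[str, object]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            digests = hash_file(path)
            hit = next((h for h in digests.values() if h in wanted), None)
            events.append({
                "eventType": "PH_DEV_MON_CUST_FILE_SCAN",
                "fileName": os.path.relpath(path, root),
                "hash": digests["sha256"],
                "malwareHashMatch": hit is not None,
            })
    return events


def demo() -> List[str]:
    """Build a constructed directory and return the names of files that match the list."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "clean.txt"), "wb") as fh:
            fh.write(b"nothing to see here\n")
        with open(os.path.join(root, "dropper.bin"), "wb") as fh:
            fh.write(b"constructed sample payload\n")  # constructed, not real malware
        # Malware Hash list containing the SHA-256 of the constructed sample.
        bad = hashlib.sha256(b"constructed sample payload\n").hexdigest()
        events = scan_directory(root, {bad})
        return [str(e["fileName"]) for e in events if e["malwareHashMatch"]]


if __name__ == "__main__":
    print(demo())
```

Hashing in one pass avoids reading large files three times; sorting file names keeps the scan order, and therefore the event order, stable between runs.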

Adding a New Malware Hash

  1. Log in to your Supervisor node.
  2. Go to CMDB > Malware Hash.
  3. Select a group where you want to add the malware hash, or create a new one.
  4. Click New.
  5. Enter information for the malware hash.

Updating System Defined Malware Hash Group

The current system-defined groups are each updated by their own service:

Threat Stream Malware Hash

FortiSandbox Malware Hash

You only need to set these to update automatically on a schedule.

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. Select a system-defined group.
  4. Click Update.
  5. Select Update Automatically to open the update scheduler and verify the URI of the update service.
  6. Set the schedule for how often you want the list to update from the service.
  7. Click Save.
  8. If you want to remove an IP address or set of IP addresses from the group, clear the Enable selection next to the IP address, and then click Continue to confirm.

The IP address will still be listed in the group, but it will no longer be blocked. Select Enable to resume blocking it.

  9. If you want to add a malware IP address to the group, make sure the group is selected, click New, and enter information about the blocked IP address.

Manually Creating a Malware Hash

  1. Create a group under Malware Hash as described in Creating CMDB Groups and Adding Objects to Them.
  2. Select the group you created and click New.
  3. Enter information for the Malware Hash you want to add, and then click Save.

Custom Malware Hash Threat Feed

This topic describes how to import Malware Hash information into FortiSIEM from external threat feed websites.

Prerequisites

Threat feed websites with built in support

Custom threat feed websites – CSV data – one-time manual import

Custom threat feed websites – CSV data – programmatic import

Custom threat feed websites – non-CSV data – programmatic import

Custom threat feed websites – STIX formatted data and TAXII import

Prerequisites

Before proceeding gather the following information about a threat feed web site.

The website URL

Credentials required to access the website (optional)

If the website is not supported by FortiSIEM, you may need to understand the format of the data returned by the URL. If the data is in comma separated value format (the separator need not be a comma but could be any separator), then a simple integration is possible.

If the data is in any other format, e.g. XML, then some code needs to be written for the integration using the framework FortiSIEM provides.

Threat feed websites with built in support

The following websites are supported

ThreatStream Malware Hash (https://api.threatstream.com)

FortiSandbox Malware Hash

Hail-A-TAXII Malware IP  (http://hailataxii.com/)

To import data from these websites, follow these steps

  1. In the CMDB > Malware Hash, find the website you need to import data from.
  2. Select the folder.
  3. Click Update.
  4. Select Update via API. The link should show in the edit box.
  5. Enter a schedule by clicking on the “+” icon.
  6. Enter the schedule parameters – when to start and how often to import. FortiSIEM recommends no more frequent than hourly.
  7. Select the type of template you want to create.

Custom threat feed websites – CSV data – one-time manual import

This requires that the data to be imported is already in a file in comma separated value format. The required format is

  1. Select CMDB > Malware Hash
  2. Click on the “+” button on the left navigation tree to bring up the “Create New Malware Hash Group” dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
  4. Select the folder just created.
  5. Select Import from a file.
  6. Click Browse; enter the file name and click Upload.
  7. The imported data will show on the right pane.

Custom threat feed websites – CSV data – programmatic import

  1. Select CMDB > Malware Hash.
  2. Click on the “+” button on the left navigation tree to bring up the “Create New Malware Hash Group” dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the default class AccelOps.service.threatfeed.impl.ThreatFeedWithMappingPolicyService is shown. Do not modify this for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the Hash is in the third position, choose 3 for Position.
    7. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.
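The CSV Data Mapping settings described for the Malware URL GUI import and for the Malware Hash programmatic import above (a single-character field separator, one indicator per line, and a 1-based position for each mapped field) are illustrated by this added Python example. It is not FortiSIEM's plugin class; the two feeds, their separators and all indicator values are constructed for the example, and the optional hash validator (32, 40 or 64 hex characters) is an assumption about what a sane feed entry looks like.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample feeds for this example (not real indicators).
# URL feed: '|' separator, URL in position 2, description in position 3.
URL_FEED = """\
# date|url|description
2024-01-01|http://malware.example.invalid/a.exe|dropper
2024-01-02|http://phish.example.invalid/login|phishing kit
short line
"""

# Hash feed: ',' separator, hash in position 1 (the "Low Hash" field), name in position 2.
HASH_FEED = """\
0123456789abcdef0123456789abcdef,sample-md5.bin,md5 form
not-a-hash,junk.bin,malformed entry
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,sample-sha256.bin,sha256 form
"""

# Accept MD5, SHA-1 or SHA-256 hex digests only (assumed sanity check).
HEX_HASH = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


@dataclass
class DataMapping:
    """Mirror of the dialog's settings: separator, field -> 1-based position, optional validators."""
    separator: str = ","
    positions: Dict[str, int] = field(default_factory=dict)
    validators: Dict[str, Callable[[str], bool]] = field(default_factory=dict)


def parse_feed(text: str, mapping: DataMapping) -> List[Dict[str, str]]:
    """Return one record per valid line; comments, blank lines and malformed lines are skipped."""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cols = [c.strip() for c in line.split(mapping.separator)]
        record: Dict[str, str] = {}
        for name, pos in mapping.positions.items():
            # Position out of range or empty column: drop the whole line.
            if not 1 <= pos <= len(cols) or not cols[pos - 1]:
                record = {}
                break
            value = cols[pos - 1]
            check = mapping.validators.get(name)
            if check is not None and not check(value):
                record = {}
                break
            record[name] = value
        if record:
            records.append(record)
    return records


def parse_url_feed() -> List[Dict[str, str]]:
    return parse_feed(URL_FEED, DataMapping("|", {"url": 2, "description": 3}))


def parse_hash_feed() -> List[Dict[str, str]]:
    return parse_feed(
        HASH_FEED,
        DataMapping(",", {"hash": 1, "name": 2}, {"hash": lambda v: bool(HEX_HASH.match(v))}),
    )


if __name__ == "__main__":
    for rec in parse_url_feed() + parse_hash_feed():
        print(rec)
```

Dropping a malformed line rather than importing a partial record is the conservative choice for a blocklist: a truncated URL or a non-hex hash would never match anything and would only add noise to the group.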

Custom threat feed websites – non-CSV data – programmatic import

This is the most general case, where the website data format does not satisfy the previous conditions. In this case, the user has to write a Java plugin class by modifying the default system-provided one. Follow the instructions in the FortiSIEM ServiceAPI, available at the FortiSIEM support portal under the FortiSIEM ServiceAPI section. After the class has been written and fully tested for correctness, follow these steps.

  1. Select CMDB>Malware Hash.
  2. Click on the “+” button on the left navigation tree to bring up the “Create New Malware Hash Group” dialog.
  3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, the custom Java class for this case.
    4. Enter the correct Field separator (by default it is a comma)
    5. Select CSV as the Data Format
    6. Enter the Data Mapping by choosing the mapped field and the corresponding position in the website data. For example, if the Low Hash is in the first position, choose 1 for Position.
    7. Click Save.
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

Custom threat feed websites – STIX formatted data and TAXII import

In this case, the threat feed data is available formatted as STIX and follows the TAXII protocol.

  1. Select CMDB>Malware Hash.
  2. Click on the “+” button on the left navigation tree to bring up the Create New Malware Hash Group
  3. Enter Group and add Description. Click OK to create the folder under Malware Hash.
  4. Select the folder just created.
  5. Select Update via API
  6. For Website, Click Add.
  7. In the Data Mapping dialog:
    1. Enter the URL of the website
    2. Enter User Name and Password (optional)
    3. For Plugin class, choose STIX-TAXII and Full
    4. Click Save
  8. Select an import schedule by clicking + on the Schedule Summary. Select when to start the import and how often to import to get new data from the website.
  9. The imported data will show on the right pane after some time.

FortiSIEM CMDB Country Groups

Country Groups

The Country Groups page contains a list of all the country names in the FortiSIEM geolocation database. You can also create folders that represent different organizations of countries for use in Analytics.

Adding a New Country or Country Group

  1. Log in to your Supervisor node.
  2. Go to CMDB > Country Groups.
  3. Select an existing country group, or create a new one.
  4. Click New.
  5. Enter a name and description for the new country.
  6. Click Save.

FortiSIEM CMDB Creating CMDB Groups and Adding Objects to Them

Creating CMDB Groups and Adding Objects to Them

In the CMDB browser pane you will see several categories, or groups, for each type of CMDB object. For example, under Applications, you will see the groups Infrastructure App, User App, and Ungrouped, with additional subcategorization within each of those groups. You can create your own groupings and add CMDB objects to them.

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. In the CMDB browser pane, select the type of CMDB object you want to create a group for, and then click +.
  4. Enter a Group name and Description.
  5. Under Select Group Members, select any existing groups from which you would like to add objects to your new group.

The group containing all the CMDB objects of this type is selected by default.

  6. Select the objects you want to add to the group, and then click >> to add them to the group.
  7. Click OK.

Your new group, and the objects it contains, will be listed under that CMDB object type in the CMDB browser pane. You can add objects directly to the group by selecting it in the CMDB browser pane, and then following the process for adding a new object.

FortiSIEM CMDB Default Passwords

Default Passwords

The CMDB Default Password page contains a list of default vendor credentials. These well-known credentials should never be used in production. During device discovery FortiSIEM checks whether the device credentials are still set to the default, and the system rule Default Password Detected by System triggers an incident if they are.

A sample raw event log for a default password incident:

<174>Oct 20 22:50:03 [PH_AUDIT_DEFAULT_PWD_MATCH]:[phEventCategory]=2,[appTransportProto]=SNMP,[reptModel]=

Adding a New Default Password

  1. Log in to your Supervisor node.
  2. Go to CMDB > Default Passwords.
  3. Select a group where you want to add the default password, or create a new one.
  4. Click New.
  5. Select the Vendor and Model of the device for which you want to enter a default password.
  6. Select the Access Protocol that is used to connect to the device.
  7. Enter the default User Name and Password for the device.

FortiSIEM CMDB Devices

Devices

You would typically add devices to the CMDB through the Discovering Infrastructure process. However, there may be situations in which you want to add devices to the CMDB manually. For example, you may not have access credentials for a device but still want to be able to include network information about it so that logs received by FortiSIEM can be parsed properly. These topics describe those situations and provide instructions for how to successfully add a device to the CMDB:

Adding Devices to the CMDB Outside of Discovery

Adding a Synthetic Monitoring Test to a Business Service

FortiSIEM CMDB Event Types

Event Types

The CMDB Event Types page lists the types of events that are collected for supported devices.

Adding a New Event Type

  1. Log in to your Supervisor node.
  2. Go to CMDB > Event Types.
  3. Select a group to add the new event to, or create a new one.
  4. Click New.
  5. Enter a Name, Display Name, and Description for the event type.
  6. Select the Device to associate with this event type.
  7. Select the level of Severity associated with this event type.
  8. For CVE IDs, enter links to any vulnerabilities associated with this event type as cataloged by the National Vulnerability Database.
  9. Click Save.

FortiSIEM CMDB Networks

Networks

The CMDB Networks page lists the defined networks in your IT infrastructure

Adding a New Network

  1. Log in to your Supervisor node.
  2. Go to CMDB > Networks.
  3. Create a new network group or select an existing one.
  4. Click New.
  5. Enter a Network Name and the Low IP address of the network IP range.
  6. Enter any other information about the network.
  7. Click Save.

FortiSIEM CMDB Protocols

Protocols

The CMDB Protocols page lists the protocols used by applications and devices to communicate with the FortiSIEM virtual appliance.

Adding a Protocol

  1. Log in to your Supervisor node.
  2. Go to CMDB > Protocols.
  3. Create a new protocol group or select an existing one.
  4. Click New.
  5. Enter a Name and Description for the protocol.
  6. Click + to select a protocol and associate it with a port.
  7. Select or create an Apps Group to associate with the protocol.
  8. Click Save.

FortiSIEM CMDB User Agents

User Agents

The CMDB User Agent page lists common and uncommon user agents in HTTP communications. The traditional use case for a user agent is to detect browser types so the server can return an optimized page. However, user agents are often misused by malware, and are used to communicate the identity of the client to the BotNet controller over HTTP(S). FortiSIEM monitors HTTP(S) logs and the system rule Blacklist User Agent Match uses regular expression matching to detect blacklisted user agents.

Adding User Agents

  1. Log in to your Supervisor node.
  2. Go to CMDB > User Agents.
  3. Select the User Agent group where you want to add the new user agent.
  4. Click New.
  5. Enter the User Agent using regular expression notation.
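The regular-expression check that Blacklist User Agent Match performs on HTTP(S) logs, as an added Python example that is not FortiSIEM code: a small blacklist in regex notation is run over the User-Agent field of combined-format web server log lines. The four patterns, the log lines and the client addresses are constructed for the example, and the assumption that a pattern counts as matched wherever it occurs in the string (search, not full-string match) is the author's, not documented FortiSIEM behaviour.

```python
import re
from typing import Dict, List, Optional

# Constructed blacklist in the regular-expression notation a CMDB User Agent entry uses.
# Illustrative only; not FortiSIEM's shipped list.
BLACKLIST_PATTERNS = [
    r"^$",                                                        # empty User-Agent header
    r"^Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)$",  # fixed legacy string with no browser detail
    r"(?i)^(?:curl|wget|python-requests)/",                       # scripted clients where only browsers are expected
    r"^[A-Za-z0-9+/=]{24,}$",                                     # base64-looking blob instead of a product token
]
COMPILED = [re.compile(p) for p in BLACKLIST_PATTERNS]

# Apache/NGINX combined log format; the quoted User-Agent is the last field.
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (addresses, paths and agents are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "POST /update HTTP/1.1" 200 18 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.12 - - [10/Oct/2023:13:55:41 +0000] "GET /ping HTTP/1.1" 200 5 "-" "aGVsbG8gd29ybGQgaGVsbG8gd29ybGQ="
10.0.0.13 - - [10/Oct/2023:13:55:42 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" ""
this line is not in combined format and is skipped
"""


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def match_user_agent(ua: str) -> Optional[str]:
    """Return the first blacklist pattern that matches the User-Agent, else None."""
    for pat in COMPILED:
        if pat.search(ua):  # assumed: match anywhere in the string
            return pat.pattern
    return None


def find_blacklisted(log_text: str) -> List[Dict[str, str]]:
    """Run the blacklist over every parsable line and collect the hits."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        pat = match_user_agent(rec["ua"])
        if pat is not None:
            hits.append({"src": rec["src"], "ua": rec["ua"], "pattern": pat})
    return hits


if __name__ == "__main__":
    for hit in find_blacklisted(SAMPLE_LOG):
        print(hit)
```

Anchoring patterns with ^ and $ where the blacklisted string is a fixed value keeps a pattern such as the legacy MSIE string from also firing on genuine browsers whose User-Agent merely contains that substring.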