Dynamic Population of Location, User, and and Geolocation Information for Events
In most cases, network logs only contain IP address information, but to investigate incidents involving that IP, you need additional context for that IP address such as host name, user, and geolocation information. Because FortiSIEM collects detailed IT infrastructure information in the CMDB, it is able to correlate that information to the IP address to create a context for the event, and insert that context information into events in real time as parsed attributes. This topic describes the way in which this context information is populated into events.
Correlating Event Information
Assigning Attributes to Events
Host Name Attribute
User Name Attribute
Geolocation Attribute
Dynamic Updating of Attribute Information
Attributes Added to Events
Correlating Event Information
Event information is derived from several different sources.
- During the discovery process, FortiSIEM discovers the host name and network interface address information during discovery and stores them in the CMDB. If any IP address other than the Access IP changes, then running a rediscovery will update the CMDB with the right information.
- FortiSIEM collates information from various authentication logs and forms a time-based Identity and Location Report containing the IP address, MAC address, Host Name, Domain, User, Network Access Point, and Network Access Point Port for the event.
- The geolocation database maps IP addresses to Country, State, City, Organization, Longitude, and Latitude information.
Assigning Attributes to Events
When FortiSIEM parses an event, attributes are assigned to it following this process:
Host Name Attribute
For each IP address (Host IP, Source IP, Destination IP, Reporting IP):
- FortiSIEM checks the CMDB for an associated host name, and if one is found, then the host name is added to the event.
- If the host name is not found in then CMDB, then FortiSIEM checks the Identity and Location Report for the host name, and if one is found, then it is added to the event.
- If the host name is not found in either the CMDB or Identity and Location Report, then FortiSIEM runs DNS lookup for the host name, and if one is found, then it is added to the event. For performance reasons the DNS result is cached, and because excessive DNS lookups can cause event processing delays, FortiSIEM has an algorithm to dynamically bypass DNS lookup if it begins falling behind in event processing.
User Name Attribute
For Source IP, FortiSIEM checks for user information in the Identity and Location Report, and if anything is found, it is added to the event.
Geolocation Attribute
For each IP address (Host IP, Source IP, Destination IP, Reporting IP), FortiSIEM checks the geolocation database. If geolocation information is found for that IP, then Country, State, City, Organization, Longitude, and Latitude information is added to it.
Dynamic Updating of Attribute Information
For any of these attributes, when there is a change in the infrastructure (for example, a network device has a new IP or a new user logs on to the system), the change is populated into the CMDB and/or Identity and Location Report, and the event parsing module learns of the change and starts populating events with the new metadata.
Because the FortiSIEM approach to populating event attributes is dynamic and change driven, it is always able to map the right IP address to host names and users in the face of dynamic changes in the IT infrastructure.
Attributes Added to Events
IP Type | Attributes |
Source IP | 1. Source Host Name
2. User (corresponding to Source IP) 3. Source Country 4. Source State 5. Source City 6. Source Organization 7. Source Longitude 8. Source Latitude |
Destination IP | 1. Destination Host Name
2. Destination Country 3. Destination State 4. Destination City 5. Destination Organization 6. Destination Longitude 7. Destination Latitude |
Host IP | 1. Host Name
2. Host Country 3. Host State 4. Host City 5. Host Organization 6. Host Longitude 7. Host Latitude |
Reporting IP | 1. Reporting Host Name
2. Reporting Country 3. Reporting State 4. Reporting City 5. Reporting Organization 6. Reporting Longitude 7. Reporting Latitude |
PostNAT (Network Address Translation) IP | 1. PostNAT Country
2. PostNAT State 3. PostNAT City 4. PostNAT Organization 5. PostNAT Longitude 6. PostNAT Latitude |