Analytics
FortiSIEM Analytics has three components:
Search
FortiSIEM search functionality includes real time and and historical search of information that has been collected from your IT infrastructure. With real time search, you can see events as they happen, while historical search is based on information stored in the event database. Both types of search include simple keyword searching, and structured searches that let you search based on specific event attributes and values, and then group the results by attributes.
Rules
Because FortiSIEM is continuously monitoring your IT infrastructure, you can also set rules so that when specific conditions are met, it triggers an incident, and, in some cases, sends a notification.
Reports
Reports are pre-defined search queries. FortiSIEM includes a large catalog of reports for common devices and IT analysis tasks that you can use and customize, and you can also save searches that you’ve run as reports to use again later.
Adding a Watch List to a Rule
Cloning a Rule
Running Historical Searches to Test Rule Sub Patterns
Setting Rules for Event Dropping
Setting Rules for Event Forwarding
Setting Global and Per-Device Threshold Properties
Using Geolocation Attributes in Rules
Using Watch Lists as Conditions in Rules and Reports Viewing Rules
Reports
Baseline Reports
System-Defined Baseline Reports
Creating a Report or Baseline Report
Identity and Location Report
Report Bundles
Creating a Report Bundle
Running a Report Bundle
Running System and User-Defined Reports and Baseline Reports
Scheduling Reports
Viewing Available Reports
Audit
Creating Audit Report
Running an Audit
Exporting Audit Results
Scheduling an Audit
Visual Analytics
AccelOps Visual Analytics Architecture
Installation and Configuration of AccelOps Visual Analytics
Requirements for Visual Analytics Report Server
Setting Up Visual Analytics
Hypervisor Installations for Report Server
Installing and Registering AccelOps Report Server in Amazon Web Services
Installing and Registering AccelOps Report Server in KVM
Installing and Registering AccelOps Report Server in Microsoft Hyper-V
Installing and Registering AccelOps Report Server in VMware ESX Syncing with the Report Server
Working with the Report Server
Report Server Architecture: phoenixdb and reportdb
Working with CMDB Data in AccelOps Report Server
Viewing phoenixdb Organization
Querying Incident Data in AccelOps Report Server
Reference: Attribute Columns in the ph_incident_view Table Sample Incident Queries
Querying Other CMDB Tables in AccelOps Report Server
Querying Device Vendor and Model Distribution for Discovered Devices Querying Discovered Devices
Working with Event Data in AccelOps Report Server
Viewing reportdb Organization
Syncing an AccelOps Report with Report Server
Deleting a Report from AccelOps Report Server
Modifying an Existing Report in AccelOps Report Server
Installing and Configuring Tableau Server
Creating and Managing Workbooks
Viewing Workbooks
Creating and Publishing Workbooks
Creating a Single Sheet Workbook
Creating a Multiple Sheet Workbook
Using AccelOps Workbooks with Tableau Visual Analytics Desktop and Server Adding Users to Workbooks
Real Time Performance Probe
Search
Historical and Real Time search is the core functionality of FortiSIEM analytics, enabling you to analyze, report on, and further improve your IT infrastructure.
Historical Search
Overview of the Historical Search User Interface
Example of How a Structured Historical Search is Processed
Sample Historical Searches
Creating a Simple Historical Search
Creating a Structured Historical Search
Using System-Defined Reports for Historical Search
Overview of Historical Search Results and Charts
Refining the Results from Historical Search
Charting a Specific Row from Historical Search Results
Charting Multiple Aggregation Attributes on the Same Historical Search Results Chart
Drilling Down on Search Results by Time Interval
Using Search Results to Refine Historical Searches
Using Tabs to View Multiple Search Results
Converting an Historical Search to a Real Time Search
Converting an Historical Search to a Rule
Real Time Search
Overview of the Real Time Search User Interface
Creating a Simple Real Time Search
Creating a Structured Real Time Search
Viewing and Refining Real Time Search Results
Structured Search Operators
Selecting Attributes for Structured Searches, Display Fields, and Rules
Using Expressions in Structured Searches and Rules
Keywords and Operators for Simple Searches
Using Geolocation Attributes in Searches and Search Results Creating Filter Criteria and Display Column Sets
Historical Search
With the Historical Search feature, you can go back in time and retrieve events from the event database. By using either a simple keyword-based search or a more detailed structured search, you can get quick and valuable insights into events that have occurred over any selected time period.
Overview of the Historical Search User Interface
Example of How a Structured Historical Search is Processed
Sample Historical Searches
Creating a Simple Historical Search
Creating a Structured Historical Search
Using System-Defined Reports for Historical Search
Overview of Historical Search Results and Charts
Refining the Results from Historical Search
Charting a Specific Row from Historical Search Results
Charting Multiple Aggregation Attributes on the Same Historical Search Results Chart
Drilling Down on Search Results by Time Interval
Using Search Results to Refine Historical Searches
Using Tabs to View Multiple Search Results
Converting an Historical Search to a Real Time Search Converting an Historical Search to a Rule
Overview of the Historical Search User Interface
You can run two types of historical searches on FortiSIEM data: simple searches, in which you use a keyword search, and structured searches, in which you can specify search conditions and how the results should be grouped.
Simple Historical Search
Simple Historical Search User Interface Controls Structured Historical Search
Simple Historical Search
When you use simple historical search, you enter a keyword to search for in the logs collected by FortiSIEM, specify any filter criteria, and then run the search, which will produce a chart and a list of results matching your search criteria. You can then use additional user interface controls to change the chart display, filter or find more information about events in the result list, and export or share results.
This screenshot shows the results of simple search using the keyword TCP.
Simple Historical Search User Interface Controls
UI Control | Description |
Search
Criteria |
For simple historical search, use the search box to find keywords in raw event logs. You can also load an existing historical search report to use for your search criteria, or create a rule from your search results. |
List Display
Columns |
Select which columns will be displayed in the search results |
Filters | Set the time interval over which you want to search, and, for multi-tenant deployments, which organization’s logs you want to search |
Report
Management |
Save
Saves the report to Generated Reports where it will be retained for the time period you specify. You can also select whether you want the search criteria to be saved as a report that you can use in the future. Export Export the report, with the option of including the chart, as a PDF or CSV file Email Email the report as a CSV or PDF file, with the option of including the chart Copy to a new tab Load the search into a new tab within FortiSIEM
|
Chart Displa y | You can set both the data you want to display, and how it should be displayed. See Overview of Historical Search Results and Charts for more about the different chart types. |
Event Filter | Select an event from the results, and add its attributes to structured search conditions. |
Event
Information |
Select an event, and view Quick Info about it, or view Location information about it such as source or destination IPs. |
Structured Historical Search
With historical structured search, you can enter conditions for your search based on event attributes, and set which attributes will be used to group the search results in a way that is similar to the use of the of the Group By command in SQL
This screenshot shows a structured historical search for All Non-Reporting Modules selected from the system Reports > Event Status. The screenshot below it shows a close-up of the the Conditions and Group By options dialog. See Creating a Structured Historical Search and Struc tured Search Operators for more information about these options.
Example of How a Structured Historical Search is Processed
When you run a structured historical search, all events within the specified time window are examined and added to the result set following these steps:
- The system fetches the next event within the search time window and applies the filtering criteria. If the event does not pass the filtering criteria, the system fetches the next event.
- If the event passes the filtering criteria, the system then compares the attributes of this event against the other entries in the result set. If the current event contains an attribute that is included in the Group By attribute set, then the results for that attribute are updated. Otherwise, a new entry is created in the result set.
- After all the events in the search time window are processed, the system sorts the results to produce the final result set.
As an example, consider these events in the event database, and running a search for Top Firewall Recorded Conversations Ranked By Total Connections (Descending) and Total Bytes (descending) over them.
Event id | Time | Reporting Device | Source IP | Destination IP | Protocol | Source Port | Destination Port | Total Bytes | ||
1 | 1/1/2010 | 10.1.1.1 | 192.168.1.1 | 192.168.10.4 | TCP | 2033 | 80 | 1024 | ||
2 | 1/2/2010 | 10.1.1.1 | 192.168.1.2 | 192.168.10.4 | TCP | 3000 | 443 | 4096 | ||
3 | 1/3/2010 | 10.1.1.1 | 192.168.1.1 | 192.168.10.4 | TCP | 2034 | 80 | 1024 | ||
4 | 1/4/2010 | 10.1.1.1 | 192.168.1.2 | 192.168.10.5 | TCP | 3001 | 443 | 2048 | ||
5 | 1/4/2010 | 10.1.1.1 | 192.168.1.1 | 192.168.10.4 | TCP | 2035 | 80 | 1024 | ||
6 | 1/5/2010 | 10.1.1.1 | 192.168.1.2 | 192.168.10.6 | TCP | 3002 | 443 | 2048 | ||
7 | 1/5/2010 | 10.1.1.2 | 192.168.1.1 | 192.168.10.4 | TCP | 9000 | 80 | 1024 | ||
Search | Search Criteria | |||||||||
Top Firewall Recorded Conversations Ranked By Total
Connections (Descending) and Total Bytes (descending) |
Filtering criteria: Reporting Device IP IN Firewall AND Event Type IN Permit Traffic
Group-By attributes: Source IP, Destination IP, IP Protocol, Destination Port Display attributes: Source IP, Destination IP, IP Protocol, Destination Port, SUM(Matched Events) DESC, SUM(Total Bytes) DESC Query window: Between 1/2/10 and 1/5/10 |
|||||||||
Result
Source IP | Destination IP | Protocol | Destination Port | COUNT (Matched Events) | SUM(Total Bytes) |
192.1.1.1 | 202.1.1.4 | TCP | 80 | 3 | 3072 |
192.1.1.2 | 202.1.1.4 | TCP | 80 | 1 | 4096 |
192.1.1.2 | 202.1.1.5 | TCP | 443 | 1 | 2048 |
192.1.1.2 | 202.1.1.6 | TCP | 443 | 1 | 2048 |
You could then run another search over these results:
Search | Search Criteria |
Top Destination IPs Ranked By Total Connections (Descending) and
Total Bytes (descending) |
Filtering criteria: Reporting Device IP IN Firewall AND Event Type
IN Permit Traffic Group-By attributes: Destination IP Display attributes: Destination IP, SUM(Matched Events) DESC, SUM(Total Bytes) DESC Query window: Between 1/2/10 and 1/5/10 |
Result
Destination IP | COUNT (Matched Events) | SUM(Total Bytes) |
202.1.1.4 | 4 | 7 KB |
202.1.1.5 | 1 | 2 KB |
202.1.1.6 | 1 | 2KB |
Sample Historical Searches
Sample Filter Criteria
Sample Structured Searches
Sample Filter Criteria
Filter criteria | Type | Meaning |
Raw Event Log CONTAINS “login AND failed” | Simple (keyword) search | Only events that contain both the keywords “logon” and “failed” are part of report |
Raw Event Log CONTAINS “denied” | Simple (keyword) search | Only events that contain the keyword “denied” are part of report |
Reporting Device IP = 10.1.1.1 | Structured search | Only events from the device that is reporting with IP address
10.1.1.1 are part of the report |
Reporting Device IP IN Firewall | Structured search | Only events from firewall devices in CMDB are part of the report |
Reporting Device IP IN Firewall AND
Event Type IN Deny Traffic |
Structured search | Only firewall deny events from firewall devices in CMDB are part of the report |
Reporting Device IP IN Firewall AND
Event Type IN Deny Traffic AND (Source IP = 192.1.1.1 OR Dest IP = 192.1.1.1) |
Structured search | Denied traffic from 192.1.1.1 or to 192.1.1.1 reported by firewall devices in CMDB are part of the report |
Reporting Device IP IN Domain Controller AND
Event Type IN User/Group Change AND user NOT IN Domain Admins |
Structured search | Domain Controller User/Group Changes not performed by users in the Domain Admin group |
Raw Event Log REGEXP “faddr\s+\d+.\d+\d+\d+” | Structured search | Only events that contains strings like “faddr 10.1.1.1”, “faddr 192.168.29.1” are included in the report. |
Sample Structured Searches
The following examples illustrate how to write a search using the AccelOps GUI.
Search | Specification in AccelOps GUI |
Top Reporting Firewalls ranked by event count in the last hour | Filter Criteria: Reporting Device IP IN Firewall
Group By attributes: Reporting Device IP Display attributes: Reporting IP, COUNT(Matched Events) DESC Query window: 1 hour |
Top Reporting Firewalls and Event Types ranked by event count in the last hour | Filte Criteria: Reporting Device IP IN Firewall
Group By attributes: Reporting Device IP, Event Type Display attributes: Reporting IP, Event Type, Severity, COUNT(Matched Events) DESC Query window: 1 hour |
Top Firewall Denied Source IPs ranked by the total number of attempts in the last hour | Filter Criteria: Reporting Device IP IN Firewall AND Event Type IN Deny Traffic
Group By attributes: Source IP Display attributes: Source IP, COUNT(Matched Events) DESC Query window: 1 hour |
Top Firewall Recorded Conversations Ranked By Sent Bytes
(descending), Received Bytes (descending) |
Filter Criteria: Reporting Device IP IN Firewall AND Event Type IN Permit Traffic
Group By attributes: Source IP, Destination IP, IP Protocol, Destination Port Display attributes: Source IP, Destination IP, IP Protocol, Destination Port, SUM(Sent Bytes) DESC, SUM(Received Bytes) DESC Query window: 1 hour |
All unauthorized domain user/group changes in the last week | Filter Criteria: Reporting Device IP IN Domain Controller AND
Event Type IN User/Group Change AND user NOT IN Domain Admins Group By attributes: none Display attributes: Time, event type, user, computer, domain, target user, target domain Query window: 1 week |