
FortiSIEM - External Systems Configuration Guide

Version 6.1.2
FORTINET DOCUMENT LIBRARY: https://docs.fortinet.com
FORTINET VIDEO GUIDE: https://video.fortinet.com
FORTINET BLOG: https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT: https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM: https://www.fortinet.com/support-and-training/training.html
NSE INSTITUTE: https://training.fortinet.com
FORTIGUARD CENTER: https://www.fortiguard.com
END USER LICENSE AGREEMENT: https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK: Email: [email protected]

05/21/2021
FortiSIEM 6.1.2 External Systems Configuration Guide
Change Log

Date Change Description

2018-05-23 Initial version of the guide.

2018-07-24 Revision 2 with a new section under Windows Server Configuration - Configuring Log
Monitoring for Non-Administrative User.

2018-08-07 Revision 3 with updated section: Fortinet FortiGate Firewall

2018-09-12 Revision 4 with updated section: Microsoft Azure Audit

2018-09-26 Revision 5 with updated section: WatchGuard Firebox Firewall

2018-11-28 Revision 6 with updated section: Fortinet FortiGate Firewall > Configuring SSH on FortiSIEM
to communicate with FortiGate

2019-01-29 Revision 7: updated section: Cisco FireSIGHT

2019-03-15 Revision 8: new section: Threat Intelligence

2019-03-28 Revision 9: updates the guide to reflect the new menu hierarchy in the FortiSIEM tool.

2019-04-24 Revision 10: added Carbon Black Security Platform under End Point Security Software.

2019-07-24 Revision 11: updated integration instructions for Microsoft Office 365 Audit.

2019-10-22 Revision 12: added Clavister Firewall and FortiADC devices. Added Active Directory User
Discovery section to Microsoft Active Directory device. Corrections to SQL Server DDL Event
Creation Script and SQL Server Database Level Event Creation Script.

2019-11-22 Revision 13: added Zeek (Bro) installation instructions for Security Onion, Cyberoam
FortiADC, Epic SecuritySIEM, FortiEDR, FortiNAC, FortiDeceptor, Microsoft Network Policy
Server, TrendMicro Deep Discovery. Changed the name of Cisco FireAMP to Cisco AMP
Cloud V0. Changed the name of Cisco AMP to Cisco AMP Cloud V1.

2020-01-03 Revision 14: added CradlePoint.

2020-04-15 Revision 15: added Alert Logic Iris API, AWS Kinesis, AWS Security Hub, Cisco Amp, GitLab
Cli, Azure Event Hub, Azure Compute, McAfee ePolicy Orchestrator, LastLine, Imperva
Securesphere Web App Firewall, Imperva Securesphere DB Security Gateway, Imperva
Securesphere DB Monitoring Gateway, Green League WVSS, FortiInsight, Damballa
Failsafe, AWS EC2, Cisco Fireamp, Novell Netware, Green League RSAS, Checkpoint
SmartCenter, FortiTester, Cisco Viptela, MobileIron, Duo, Indegy Industrial Cybersecurity
Suite, Netwrix, Darktrace DCIP, Hirschmann SCADA Firewalls and Switches.

2020-07-22 Revision 16: Edits to Cisco AMP Cloud V0 and Cisco AMP Cloud V1.

2020-10-09 Revision 17: Added Alcide io KAudit, Stormshield Network Security and Tigera Calico

2020-12-18 Revision 18: Added note to AWS CloudTrail API Configuration

FortiSIEM 6.1.2 External Systems Configuration Guide 3


Fortinet Technologies Inc.

2021-01-05 Revision 19: Added Mapping Active Directory User Attributes to FortiSIEM User Attributes.

2021-02-03 Revision 20: Updated Malwarebytes to Malwarebytes Endpoint Protection.

2021-03-03 Revision 21: Added NetApp Data ONTAP Supported Version.

2021-03-18 Revision 22: Added Claroty Continuous Threat Detection, Corero Smartwall Threat Defense,
Dragos Platform, Malwarebytes Breach Remediation, Oracle Cloud Access Security Broker
(CASB), Proofpoint.

2021-04-05 Revision 23: Updated Linux server section.

2021-04-07 Revision 24: Updated AWS Kinesis for 6.2.0.

2021-04-16 Revision 25: Updated Microsoft Office 365 Audit "Create the Office 365 API Credential"
steps.

2021-04-23 Revision 26: Added Salesforce Configuration for 6.2.0, 6.1.x, 5.4.0, 5.3.x, 5.2.x releases.

2021-05-18 Revision 27: Updated Apache Web Server, AWS EC2 CloudWatch API, and Fortigate
Firewall for 6.1.x releases.
Added FortiAnalyzer for 6.1.x releases.

2021-05-21 Revision 28: Updated Windows Agent links for Microsoft sections.

TABLE OF CONTENTS

Change Log 3
Overview 12
FortiSIEM External Ports 13
Supervisor Communication 13
Worker Communication 15
Collector Communication 17
Supported Devices and Applications by Vendor 19
Applications 51
Application Server 52
Apache Tomcat 53
IBM WebSphere 57
Microsoft ASP.NET 64
Oracle GlassFish Server 65
Oracle WebLogic 69
Redhat JBOSS 73
Authentication Server 77
Cisco Access Control Server (ACS) 78
Cisco Identity Solution Engine (ISE) 84
Cisco Duo 85
CyberArk Password Vault 89
Fortinet FortiAuthenticator 91
Juniper Networks Steel-Belted RADIUS 92
Microsoft Internet Authentication Server (IAS) 94
Microsoft Network Policy Server (RAS VPN) 95
OneIdentity Safeguard (previously Balabit Privileged Session Management) 96
Vasco DigiPass 97
Database Server 99
IBM DB2 Server 100
Microsoft SQL Server 105
Microsoft SQL Server Scripts 114
MySQL Server 117
Oracle Database Server 122
DHCP and DNS Server 129
Infoblox DNS/DHCP 130
ISC BIND DNS 132
Linux DHCP 134
Microsoft DHCP 136
Microsoft DNS 138
Directory Server 140
Microsoft Active Directory 141
Document Management Server 146
Microsoft SharePoint 147
Healthcare IT 148
Epic EMR/EHR System 149

Mail Server 151
Microsoft Exchange 152
Management Server/Appliance 155
Cisco Application Centric Infrastructure (ACI) 156
What is Discovered and Monitored 156
Fortinet FortiInsight 160
Fortinet FortiManager 163
Remote Desktop 164
Citrix Receiver (ICA) 165
Source Code Control 170
GitHub 171
GitLab API 173
GitLab CLI 177
Unified Communication Server Configuration 180
Avaya Call Manager 181
Cisco Call Manager 183
Cisco Contact Center 189
Cisco Presence Server 190
Cisco Tandeberg Telepresence Video Communication Server (VCS) 191
Cisco Telepresence Multipoint Control Unit (MCU) 193
Cisco Telepresence Video Communication Server 194
Cisco Unity Connection 195
Web Server 196
Apache Web Server 197
Microsoft IIS for Windows 2000 and 2003 201
Microsoft IIS for Windows 2008 203
Nginx Web Server 205
Blade Servers 207
Cisco UCS Server 208
HP BladeSystem 211
Cloud Applications 212
Alcide.io KAudit 213
AWS Access Key IAM Permissions and IAM Policies 214
AWS CloudTrail 216
Amazon AWS EC2 220
AWS EC2 CloudWatch API 222
AWS Kinesis 224
AWS RDS 227
AWS Security Hub 229
Box.com 236
Google Workspace Audit 238
Microsoft Azure Audit 243
Microsoft Office 365 Audit 245
Microsoft Cloud App Security 255
Microsoft Azure Advanced Threat Protection (ATP) 258
Microsoft Azure Compute 259
Microsoft Azure Event Hub 265
Microsoft Windows Defender Advanced Threat Protection (ATP) 271

Okta 273
Salesforce CRM Audit 278
Console Access Devices 282
Lantronix SLC Console Manager 283
End Point Security Software 284
Bit9 Security Platform 285
Carbon Black Security Platform 287
Cisco AMP Cloud V0 289
Cisco AMP Cloud V1 295
Cisco Security Agent (CSA) 302
CloudPassage Halo 305
CrowdStrike Endpoint Security 307
Digital Guardian CodeGreen DLP 310
ESET NOD32 Anti-Virus 311
FortiClient 312
Fortinet FortiEDR 315
Malwarebytes Endpoint Protection 317
McAfee ePolicy Orchestrator (ePO) 318
MobileIron Sentry and Connector 322
Netwrix Auditor (via Correlog Windows Agent) 323
Palo Alto Traps Endpoint Security Manager 324
SentinelOne 325
Sophos Central 327
Sophos Endpoint Security and Control 329
Symantec Endpoint Protection 330
Symantec SEPM 332
Tanium Connect 333
Trend Micro Interscan Web Filter 334
Trend Micro Intrusion Defense Firewall (IDF) 336
Trend Micro OfficeScan 337
Environmental Sensors 338
APC Netbotz Environmental Monitor 339
APC UPS 342
Generic UPS 344
Liebert FPC 345
Liebert HVAC 347
Liebert UPS 349
Firewalls 351
Check Point FireWall-1 352
Check Point Provider-1 Firewall 355
Configuring CMA for Check Point Provider-1 Firewalls 357
Configuring CLM for Check Point Provider-1 Firewalls 360
Configuring MDS for Check Point Provider-1 Firewalls 362
Configuring MLM for Check Point Provider-1 Firewalls 365
Check Point VSX Firewall 367
Cisco Adaptive Security Appliance (ASA) 370
Clavister Firewall 376
Cyberoam Firewall 378

Dell SonicWALL Firewall 380
Fortinet FortiGate Firewall 382
Imperva Securesphere Web App Firewall 388
Juniper Networks SSG Firewall 390
McAfee Firewall Enterprise (Sidewinder) 394
Palo Alto Firewall 396
Sophos UTM 400
Stormshield Network Security 402
Tigera Calico 403
WatchGuard Firebox Firewall 405
Load Balancers and Application Firewalls 407
Brocade ServerIron ADX 408
Citrix Netscaler Application Delivery Controller (ADC) 411
F5 Networks Application Security Manager 413
F5 Networks Local Traffic Manager 415
Settings for Access Credentials 417
F5 Networks Web Accelerator 418
Fortinet FortiADC 419
Qualys Web Application Firewall 420
Log Aggregators 423
Fortinet FortiAnalyzer 424
Network Compliance Management Applications 427
Cisco Network Compliance Manager 428
PacketFence Network Access Control (NAC) 430
Network Intrusion Protection Systems (IPS) 431
3Com TippingPoint UnityOne IPS 432
AirTight Networks SpectraGuard 435
Alert Logic IRIS API 437
Cisco FireSIGHT and FirePower Threat Defence 440
Cisco Intrusion Protection System 445
Cisco Stealthwatch 447
Cylance Protect Endpoint Protection 448
Cyphort Cortex Endpoint Protection 450
Damballa Failsafe 452
Darktrace CyberIntelligence Platform 453
FireEye Malware Protection System (MPS) 455
FortiDDoS 457
Fortinet FortiDeceptor 459
Fortinet FortiNAC 461
Fortinet FortiSandbox 463
Fortinet FortiTester 465
IBM Internet Security Series Proventia 466
Indegy Security Platform 469
Juniper DDoS Secure 470
Juniper Networks IDP Series 472
McAfee IntruShield 474
McAfee Stonesoft IPS 477
Motorola AirDefense 479

Nozomi 481
Radware DefensePro 483
Snort Intrusion Protection System 485
Sourcefire 3D and Defense Center 490
Trend Micro Deep Discovery 492
Zeek (Bro) Installed on Security Onion 494
Routers and Switches 496
Alcatel TiMOS and AOS Switch 497
Arista Router and Switch 499
Brocade NetIron CER Routers 502
Cisco 300 Series Routers 504
Cisco IOS Router and Switch 506
How CPU and Memory Utilization is Collected for Cisco IOS 515
Cisco Meraki Cloud Controller and Network Devices 517
Cisco NX-OS Router and Switch 519
Cisco ONS 524
Cisco Viptela SDWAN Router 526
Dell Force10 Router and Switch 527
Dell NSeries Switch 530
Dell PowerConnect Switch and Router 533
Foundry Networks IronWare Router and Switch 535
HP/3Com ComWare Switch 539
HP ProCurve Switch 541
HP Value Series (19xx) and HP 3Com (29xx) Switch 543
Hirschmann SCADA Firewalls and Switches 546
Juniper Networks JunOS Switch 547
MikroTik Router 550
Nortel ERS and Passport Switch 552
Security Gateways 554
Barracuda Networks Spam Firewall 555
Blue Coat Web Proxy 557
Cisco IronPort Mail Gateway 561
Cisco IronPort Web Gateway 563
Fortinet FortiMail 565
Fortinet FortiWeb 568
Imperva Securesphere DB Monitoring Gateway 570
Imperva Securesphere DB Security Gateway 571
McAfee Vormetric Data Security Manager 573
McAfee Web Gateway 574
Microsoft ISA Server 576
Squid Web Proxy 582
SSH Comm Security CryptoAuditor 585
Websense Web Filter 586
Servers 588
HP UX Server 589
IBM AIX Server 592
IBM OS400 Server 595
Linux Server 597

Microsoft Windows Server 602
QNAP Turbo NAS 618
Sun Solaris Server 619
Storage 622
Brocade SAN Switch 623
Configuration 623
Dell Compellent Storage 625
Dell EqualLogic Storage 627
EMC Clariion Storage 629
EMC Isilon Storage 634
EMC VNX Storage Configuration 636
NetApp DataONTAP 640
NetApp Filer Storage 642
Nimble Storage 645
Reports 645
Nutanix Storage 647
Threat Intelligence 651
Fortinet FortiInsight 652
Lastline 655
ThreatConnect 657
Virtualization 659
Hyper-V 660
HyTrust CloudControl 663
VMware ESX 664
VPN Gateways 666
Cisco VPN 3000 Gateway 667
Cyxtera AppGate Software Defined Perimeter (SDP) 669
Juniper Networks SSL VPN Gateway 670
Microsoft PPTP VPN Gateway 672
Pulse Secure 673
Vulnerability Scanners 675
AlertLogic Intrusion Detection and Prevention Systems (IPS) 676
Green League WVSS 678
McAfee Foundstone Vulnerability Scanner 679
Qualys QualysGuard Scanner 681
Qualys Vulnerability Scanner 682
Rapid7 NeXpose Vulnerability Scanner 684
Rapid7 InsightVM Integration 686
Tenable.io 688
Tenable Nessus Vulnerability Scanner 690
Tenable Security Center 692
YXLink Vuln Scanner 694
WAN Accelerators 695
Cisco Wide Area Application Server 696
Riverbed SteelHead WAN Accelerator 699
Wireless LANs 701
Aruba Networks Wireless LAN 702

Reports 702
Cisco Wireless LAN 704
CradlePoint 707
FortiAP 709
FortiWLC 711
Motorola WiNG WLAN AP 713
Ruckus Wireless LAN 715
Using Virtual IPs to Access Devices in Clustered Environments 717
Syslog over TLS 718
Appendix 719
CyberArk to FortiSIEM Log Converter XSL 719
Access Credentials 724

Overview

This document describes how to configure third party devices for monitoring by FortiSIEM.

- Ports Used by FortiSIEM for Discovery and Monitoring
- Supported Devices and Applications by Vendor
- Windows Agent Installation Guide
- Applications
- Blade Servers
- Cloud Applications
- Console Access Devices
- End Point Security Software
- Environmental Sensors
- Firewalls
- Load Balancers and Application Firewalls
- Log Aggregators
- Network Compliance Management Applications
- Network Intrusion Protection Systems (IPS)
- Routers and Switches
- Security Gateways
- Servers
- Storage
- Virtualization
- VPN Gateways
- Vulnerability Scanners
- WAN Accelerators
- Wireless LANs
- Using Virtual IPs to Access Devices in Clustered Environments
- Syslog over TLS

FortiSIEM External Ports

This chapter describes the external communication ports needed for the various FortiSIEM nodes to work. The ports are broken down by node:

- Supervisor Communication
- Worker Communication
- Collector Communication

In release 6.1, some clear-text communication between nodes was replaced by SSL (TLS) communication. If an entry in the tables below is marked 5.3, that entry is valid for releases 5.3 and below. If an entry is marked 6.1, that entry is valid for releases 6.1 and above.

Supervisor Communication

From | To | Inbound or Outbound | Ports | Services
FortiSIEM Management User | Supervisor | Inbound | TCP/22 | Admin access via SSH
FortiSIEM Management User | Supervisor | Inbound | ICMP | Monitoring via ICMP
FortiSIEM Management User | Supervisor | Inbound | TCP/443 | GUI access via HTTPS
Collector, Worker, Windows Agent, Linux Agent | Supervisor | Inbound | TCP/443 | REST API access via HTTPS
Supervisor | Report Server | Outbound | TCP/5432 | PostGreSQL (report loading)
Worker | Supervisor | Inbound | SSL/7914 | phParser on Worker to phParser on Supervisor for EPS enforcement
Worker | Supervisor | Inbound | SSL/7900 | phMonitorWorker to phMonitorSuper communication
Supervisor | Worker | Outbound | SSL/7900 | phMonitorSuper to phMonitorWorker communication
Worker | Supervisor | Inbound | SSL/7918 | phQueryWorker to phQueryMaster communication
Supervisor | Worker | Outbound | SSL/7916 | phQueryMaster to phQueryWorker communication
Worker | Supervisor | Inbound | SSL/7922 | phRuleWorker to phRuleMaster communication
Worker (6.1) | Supervisor | Outbound | SSL/7920 | phQueryMaster to phDataManager for trigger event query
Worker | Supervisor | Inbound | SSL/7934 | phReportWorker to phReportMaster communication
Worker | Supervisor | Inbound | SSL/7938 | phIdentityWorker to phIpIdentityMaster
Supervisor | Worker | Outbound | TCP/6666 | Redis communication
Worker | Supervisor | Inbound | TCP/5555 | phFortiInsightAI module data collection
Supervisor | External Device | Outbound | UDP/161 | SNMP based monitoring
External Device | Supervisor | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via ftp)
External Device | Supervisor | Inbound | UDP/162 | SNMP Trap
External Device | Supervisor | Inbound | UDP/514 | UDP syslog
External Device | Supervisor | Inbound | TCP/514 | TCP syslog
External Device | Supervisor | Inbound | SSL/6514 | Syslog over TLS
External Device | Supervisor | Inbound | UDP/2055 | NetFlow
Supervisor | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection
Supervisor | External Devices | Outbound | TCP/389 | LDAP discovery
Supervisor | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection
Supervisor | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection
Supervisor | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection
Supervisor | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection
Supervisor | External Device | Outbound | TCP/443 | HTTPS based log collection
Supervisor | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM)
Supervisor | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM)
Supervisor | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM)
Supervisor | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM)
Supervisor | Mail Gateway | Outbound | TCP/SMTP | Sending email notification
Supervisor | NFS Server | Outbound | UDP/111, TCP/111 | NFS Portmapper for writing events in NFS based deployments
Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/9200 (configurable) | Storing events for Elasticsearch based deployments
Supervisor | Elasticsearch Coordinating Node | Outbound | HTTPS/9300 or HTTPS/443 (configurable) | Querying events for Elasticsearch based deployments
Supervisor | Spark Master Node | Outbound | HTTPS/7077 (configurable) | Querying events for HDFS based deployments
Supervisor | HDFS Name Node | Outbound | HTTPS/9000 (configurable) | Archiving events for HDFS based deployments

Worker Communication

From | To | Inbound or Outbound | Ports | Services
FortiSIEM Management User | Worker | Inbound | TCP/22 | Admin access via SSH
FortiSIEM Management User | Worker | Inbound | ICMP | ICMP
Collector | Worker | Inbound | TCP/443 | REST API access via HTTPS
Worker | Supervisor | Outbound | SSL/7914 | phParser on Worker to phParser on Supervisor for EPS enforcement
Worker | Supervisor | Outbound | SSL/7900 | phMonitorWorker to phMonitorSuper communication
Supervisor | Worker | Inbound | SSL/7900 | phMonitorSuper to phMonitorWorker communication
Worker | Supervisor | Outbound | SSL/7918 | phQueryWorker to phQueryMaster communication
Supervisor | Worker | Inbound | SSL/7916 | phQueryMaster to phQueryWorker communication
Worker | Supervisor | Outbound | SSL/7922 | phRuleWorker to phRuleMaster communication
Worker (6.1) | Supervisor | Outbound | SSL/7920 | phQueryMaster to phDataManager for trigger event query
Worker | Supervisor | Outbound | SSL/7934 | phReportWorker to phReportMaster communication
Worker | Supervisor | Outbound | SSL/7938 | phIdentityWorker to phIpIdentityMaster
Supervisor | Worker | Inbound | TCP/6666 | Redis communication
Worker | Supervisor | Outbound | TCP/5555 | phFortiInsightAI module data collection
Worker | External Device | Outbound | UDP/161 | SNMP based monitoring
External Device | Worker | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via ftp)
External Device | Worker | Inbound | UDP/162 | SNMP Trap
External Device | Worker | Inbound | UDP/514 | UDP syslog
External Device | Worker | Inbound | TCP/514 | TCP syslog
External Device | Worker | Inbound | SSL/6514 | Syslog over TLS
External Device | Worker | Inbound | UDP/2055 | NetFlow
Worker | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection
Worker | External Devices | Outbound | TCP/389 | LDAP discovery
Worker | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection
Worker | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection
Worker | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection
Worker | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection
Worker | External Device | Outbound | TCP/443 | HTTPS based log collection
Worker | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM)
Worker | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM)
Worker | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM)
Worker | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM)
Worker | NFS Server | Outbound | UDP/111, TCP/111 | NFS Portmapper for writing events in NFS based deployments
Worker | Elasticsearch Coordinating Node | Outbound | HTTPS/9200 (configurable) | Storing events for Elasticsearch based deployments
Worker | HDFS Name Node | Outbound | HTTPS/9000 (configurable) | Archiving events for HDFS based deployments

Collector Communication

From | To | Inbound or Outbound | Ports | Services
FortiSIEM Management User | Worker | Inbound | TCP/22 | Admin access via SSH
FortiSIEM Management User | Worker | Inbound | ICMP | ICMP
Collector | Worker | Outbound | TCP/443 | REST API access via HTTPS
Collector | Supervisor | Outbound | TCP/443 | REST API access via HTTPS
Worker | External Device | Outbound | UDP/161 | SNMP based monitoring
External Device | Worker | Inbound | TCP/21 | FTP (for receiving Bluecoat logs via ftp)
External Device | Worker | Inbound | UDP/162 | SNMP Trap
External Device | Worker | Inbound | UDP/514 | UDP syslog
External Device | Worker | Inbound | TCP/514 | TCP syslog
External Device | Worker | Inbound | SSL/6514 | Syslog over TLS
External Device | Worker | Inbound | UDP/2055 | NetFlow
Collector | External Windows Devices | Outbound | TCP/135 | WMI based monitoring and log collection
Collector | External Devices | Outbound | TCP/389 | LDAP discovery
Collector | External Devices | Outbound | TCP/1433 | JDBC based monitoring and data collection
Collector | External Devices | Outbound | UDP/8686 | JMX based monitoring and data collection
Collector | Checkpoint | Outbound | TCP/18184 | Checkpoint LEA based log collection
Collector | Checkpoint | Outbound | TCP/18190 | Checkpoint CPMI based data collection
Collector | External Device | Outbound | TCP/443 | HTTPS based log collection
Collector | External Device | Outbound | TCP/110 | POP3 for email monitoring (STM)
Collector | External Device | Outbound | TCP/143 | IMAP for email monitoring (STM)
Collector | External Device | Outbound | TCP/993 | IMAP/SSL for email monitoring (STM)
Collector | External Device | Outbound | TCP/995 | POP/SSL for email monitoring (STM)

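The port tables above are what a network or host firewall around a FortiSIEM deployment has to allow, and nothing more. The following added example (not Fortinet's code and not part of this guide) encodes a constructed subset of the Supervisor Communication table as data and derives an iptables INPUT allow-list for the Supervisor from it, with each peer role restricted to the address range it may connect from. It also shows how the same matrix can classify an observed connection as expected or unexpected, and how to list the listeners that still accept syslog without TLS. The role names, CIDRs, rule format and helper names are this example's own assumptions; the SSL/<port> entries are treated as TLS over TCP.

```python
"""Derive host firewall rules from the FortiSIEM port matrix.

Added example; this is not Fortinet's code. The rows below are a constructed
subset of the Supervisor Communication table in this chapter, and the role
names, the iptables rule format and the helper names are this example's own
assumptions.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst direction proto port service")

# Constructed subset of the Supervisor Communication table. ICMP rows are left
# out because they carry no port. "SSL/<port>" in the table means TLS over TCP.
SUPERVISOR_MATRIX = [
    Flow("FortiSIEM Management User", "Supervisor", "Inbound", "TCP", 22, "Admin access via SSH"),
    Flow("FortiSIEM Management User", "Supervisor", "Inbound", "TCP", 443, "GUI access via HTTPS"),
    Flow("Collector", "Supervisor", "Inbound", "TCP", 443, "REST API access via HTTPS"),
    Flow("Worker", "Supervisor", "Inbound", "SSL", 7914, "phParser EPS enforcement"),
    Flow("Worker", "Supervisor", "Inbound", "SSL", 7900, "phMonitorWorker to phMonitorSuper"),
    Flow("Supervisor", "Worker", "Outbound", "SSL", 7900, "phMonitorSuper to phMonitorWorker"),
    Flow("Supervisor", "Worker", "Outbound", "TCP", 6666, "Redis communication"),
    Flow("External Device", "Supervisor", "Inbound", "UDP", 514, "UDP syslog"),
    Flow("External Device", "Supervisor", "Inbound", "TCP", 514, "TCP syslog"),
    Flow("External Device", "Supervisor", "Inbound", "SSL", 6514, "Syslog over TLS"),
    Flow("Supervisor", "External Device", "Outbound", "UDP", 161, "SNMP based monitoring"),
]


def l4_protocol(proto):
    """Map the table's transport label to the L4 protocol a firewall filters on."""
    return {"TCP": "tcp", "SSL": "tcp", "UDP": "udp"}[proto]


def inbound_rules(node, matrix, source_cidrs):
    """Build iptables INPUT rules for `node`: one ACCEPT per inbound row,
    restricted to the CIDR the peer role is allowed from (least privilege)."""
    rules = []
    for f in matrix:
        if f.dst != node or f.direction != "Inbound":
            continue
        rules.append(
            f"-A INPUT -s {source_cidrs[f.src]} -p {l4_protocol(f.proto)} "
            f"--dport {f.port} -j ACCEPT  # {f.service}"
        )
    return rules


def classify_flow(matrix, src_role, dst_role, proto, port):
    """Return the matrix row an observed connection corresponds to, or None.
    A None result for a connection between FortiSIEM nodes deserves a look."""
    for f in matrix:
        if (f.src, f.dst, l4_protocol(f.proto), f.port) == (src_role, dst_role, proto, port):
            return f
    return None


def cleartext_syslog_listeners(matrix, node):
    """(proto, port) pairs on which `node` accepts syslog without TLS."""
    return sorted(
        (l4_protocol(f.proto), f.port)
        for f in matrix
        if f.dst == node and f.direction == "Inbound"
        and "syslog" in f.service.lower() and f.proto != "SSL"
    )


if __name__ == "__main__":
    # Constructed address plan for the example.
    cidrs = {"FortiSIEM Management User": "10.0.0.0/24", "Collector": "10.0.1.0/24",
             "Worker": "10.0.2.0/24", "External Device": "0.0.0.0/0"}
    for rule in inbound_rules("Supervisor", SUPERVISOR_MATRIX, cidrs):
        print(rule)
    print(cleartext_syslog_listeners(SUPERVISOR_MATRIX, "Supervisor"))
```

The generated list is a starting point for a default-deny INPUT chain on the Supervisor; the External Device rows are the ones to tighten further in practice, since syslog and trap sources are usually known subnets rather than the catch-all used here.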
Supported Devices and Applications by Vendor

Vendor | Model | Discovery Overview | Performance Monitoring Overview | Log Analysis Overview | Config Change Monitoring | Details
AirTight Networks | SpectraGuard | Discovered via LOG only | Not natively supported - Custom monitoring needed | CEF format: Over 125 event types parsed covering various Wireless suspicious activities | Currently not natively supported | AirTight Networks SpectraGuard
Alcatel | TiMOS Routers and Switches | SNMP: OS, Hardware | SNMP: CPU, memory, interface utilization, hardware status | Not natively supported - Custom parsing needed | Currently not natively supported | Alcatel TiMOS and AOS Switch Configuration
Alcatel | AOS Routers and Switches | SNMP: OS, Hardware | SNMP: CPU, memory, interface utilization, hardware status | Not natively supported - Custom parsing needed | Currently not natively supported | Alcatel TiMOS and AOS Switch Configuration
Alert Logic | Intrusion Detection and Prevention Systems (IPS) | Host name and Device type | Not supported | | Not supported | Alert Logic IPS
Alert Logic | Iris API | Host name and Device type | Not supported | | Not supported | Alert Logic IRIS API
Alcide.io | KAudit | Not natively supported | Not natively supported | Kubernetes Audit logs | Not natively supported | Alcide io KAudit
Amazon | AWS Servers | AWS API: Server Name, Access IP, Instance ID, Image Type, Availability Zone | CloudWatch API: System Metrics: CPU, Disk I/O, Network | CloudTrail API: Over 325 event types parsed covering various AWS activities | CloudTrail API: various administrative changes on AWS systems and users | AWS CloudWatch, AWS CloudTrail
Amazon | AWS Elastic Block Storage (EBS) | CloudWatch API: Volume ID, Status, Attach Time | CloudWatch API: Read/Write Bytes, Ops, Disk Queue | | | AWS EBS and RDS
Amazon | AWS EC2 | | | | | AWS EC2
Amazon | AWS Relational Database Storage (RDS) | | CloudWatch API: CPU, Connections, Memory, Swap, Read/Write Latency and Ops | | | AWS EBS and RDS
Amazon | Security Hub | | | | | AWS Security Hub
Apache | Tomcat Application Server | JMX: Version | JMX: CPU, memory, servlet, session, database, threadpool, request processor metrics | Currently not natively supported - Custom parsing needed | Currently not natively supported | Apache Tomcat
Apache | Apache Web server | SNMP: Process name | SNMP: process level cpu, memory; HTTPS via the mod-status module: Apache level metrics | Syslog: W3C formatted access logs - per HTTP(S) connection: Sent Bytes, Received Bytes, Connection Duration | Currently not natively supported | Apache Web Server
APC | NetBotz Environmental Monitor | SNMP: Host name, Hardware model, Network interfaces | SNMP: Temperature, Relative Humidity, Airflow, Dew point, Current, Door switch sensor etc. | SNMP Trap: Over 125 SNMP Trap event types parsed covering various environmental exception conditions | Currently not natively supported | APC Netbotz
APC | UPS | SNMP: Host name, Hardware model, Network interfaces | SNMP: UPS metrics | SNMP Trap: Over 49 SNMP Trap event types parsed covering various environmental exception conditions | Currently not natively supported | APC UPS
Arista Networks | Routers and Switches | SNMP: OS, Hardware; SSH: configuration, running processes | SNMP: CPU, Memory, Interface utilization, Hardware Status | Syslog and NetFlow | SSH: Running config, Startup config | Arista Router and Switch
Aruba Networks | Aruba Wireless LAN | SNMP: Controller OS, hardware, Access Points | SNMP: Controller CPU, Memory, Interface utilization, Hardware Status; SNMP: Access Point Wireless Channel utilization, noise metrics, user count | SNMP Trap: Over 165 event types covering Authentication, Association, Rogue detection, Wireless IPS events | Currently not natively supported | Aruba WLAN
Avaya | Call Manager | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Hardware Status | CDR: Call Records | Currently not natively supported | Avaya Call Manager
Avaya | Session Manager | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Hardware Status | | Currently not natively supported |
Barracuda Networks | Spam Firewall | Application type discovery via LOG | Currently not natively supported | Syslog: Over 20 event types covering mail scanning and filtering activity | Currently not natively supported | Barracuda Spam
Bit9 | Security platform | Application type discovery via LOG | Currently not natively supported | Syslog: Over 259 event types covering various file monitoring activities | Currently not natively supported | Carbon Black Security Platform
Blue Coat | Security Gateway Versions v4.x and later | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Proxy performance metrics | Syslog: Admin access to Security Gateway; SFTP: Proxy traffic analysis | Currently not natively supported | Blue Coat Web Proxy
Box.com | Cloud Storage | Currently not natively supported | Currently not natively supported | Box.com API: File creation, deletion, modify, file sharing | Currently not natively supported | Box.com
Brocade | SAN Switch | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization | Currently not natively supported | Currently not natively supported | Brocade SAN Switch
Brocade | ServerIron ADX switch | SNMP: Host name, serial number, hardware | SNMP: Uptime, CPU, Memory, Interface Utilization, Hardware status, Real Server Statistics | | | Brocade ADX
Carbon Black | Security platform | Application type discovery via LOG | Currently not natively supported | Syslog: Over 259 event types covering various file monitoring activities | Currently not natively supported | Carbon Black Security Platform
CentOS / Other Linux distributions | Linux | SNMP: OS, Hardware, Software, Processes, Open Ports; SSH: Hardware details, Linux distribution | SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start, Port up/down; SSH: Disk I/O, Paging | Syslog: Situations covering Authentication Success/Failure, Privileged logons, User/Group Modification; SSH: File integrity monitoring, Command output monitoring, Target file monitoring; FortiSIEM LinuxFileMon Agent: File integrity monitoring | SSH: File integrity monitoring, Target file monitoring; Agent: File integrity monitoring | Linux Server
CentOS / Other Linux distributions | DHCP Server | Currently not natively supported | Currently not natively supported | Syslog: DHCP activity (Discover, Offer, Request, Release etc) - Used in Identity and Location | Not Applicable | Linux DHCP
Checkpoint | FireWall-1 versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77, NGX, and R75 | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization | LEA from SmartCenter or Log Server: Firewall Log, Audit trail, over 940 IPS Signatures | LEA: Firewall Audit trail | Check Point Provider-1 Firewall
Checkpoint | GAIA | Host name and Device type | | Over 9 event types | |
Checkpoint | Provider-1 versions NG, FP1, FP2, FP3, AI R54, AI R55, R65, R70, R77, NGX, and R75 | Currently not natively supported | Currently not natively supported | LEA: Firewall Log, Audit trail | LEA: Firewall Audit trail | Check Point Provider-1
Checkpoint | VSX | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization | LEA from SmartCenter or Log Server: Firewall Log, Audit trail | LEA: Firewall Audit trail | Check Point Provider-1
Citrix | NetScaler Application Delivery Controller | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Hardware Status, Application Firewall metrics | Syslog: Over 465 event types covering admin activity, application firewall events, health events | Currently not natively supported | Citrix Netscaler
Citrix | ICA | SNMP: Process Utilization | SNMP: Process Utilization; WMI: ICA Session metrics | Currently not natively supported | Currently not natively supported | Citrix ICA
Cisco | ASA Firewall (single and multi-context) version 7.x and later | SNMP: OS, Hardware; SSH: interface security level needed for parsing traffic logs, Configuration | SNMP: CPU, Memory, Interface utilization, Firewall Connections, Hardware Status | Syslog: Over 1600 event types parsed for situations covering admin access, configuration change, traffic log, IPS activity; NetFlow V9: Traffic log | SSH: Running config, Startup config | Cisco ASA
Cisco | AMP | | | | | Cisco AMP
Cisco | FireAMP | | | | | Cisco FireAMP Cloud
Cisco | ASA firepower SFR Module | SNMP: OS, Hardware; SSH: interface security level needed for parsing traffic logs, Configuration | SNMP: CPU, Memory, Interface utilization, Firewall Connections, Hardware Status | Syslog: Over 1600 event types parsed for situations covering admin access, configuration change, traffic log, IPS activity; NetFlow V9: Traffic log | SSH: Running config, Startup config | Cisco ASA
Cisco | CatOS based Switches | SNMP: OS, Hardware (Serial Number, Image file, Interfaces, Components); SSH: configuration, running process | SNMP: CPU, Memory, Interface utilization, Hardware Status | Syslog: Over 700 event types parsed for situations covering admin access, configuration change, interface up/down, BGP up/down, traffic log, IPS activity; NetFlow V5, V9: Traffic logs | SSH: Running config, Startup config | Cisco IOS
Cisco | Duo | | Not natively supported - Custom Monitoring needed | Via API | Not natively supported - Custom Configuration collection needed | Cisco Duo
Cisco | PIX Firewall | SNMP: OS, Hardware; SSH: interface security level needed for parsing traffic logs, Configuration | SNMP: CPU, Memory, Interface utilization, Connections, Hardware Status | Syslog: Over 1600 event types parsed for situations covering admin access, configuration change, traffic log, IPS activity | SSH: Running config, Startup config | Cisco ASA
Cisco | FWSM | SNMP: OS, Hardware; SSH: | SNMP: CPU, Memory, Interface utilization, Connections, Hardware Status | Syslog: Over 1600 event types parsed for situations covering admin | SSH: Running config, | Cisco ASA
interface access, configuration Startup
security level change, traffic log, IPS config
needed for activity
parsing traffic
logs,
Configuration

FortiSIEM 6.1.2 External Systems Configuration Guide 23


Fortinet Technologies Inc.
Supported Devices and Applications by Vendor

Vendor Model Discovery Performance Monitoring Log Analysis Overview Config Details
Overview Overview Change
Monitoring

Vendor | Model | Discovery Overview | Performance Monitoring Overview | Log Analysis Overview | Config Change Monitoring | Details
---|---|---|---|---|---|---
Cisco | Identity Services Engine (ISE) | Host name and Device type | | | | Cisco ISE
Cisco | IOS based Routers and Switches | SNMP: OS, Hardware; SSH: configuration, running process, Layer 2 connectivity | SNMP: CPU, Memory, Interface utilization, Hardware Status; SNMP: IP SLA metrics; SNMP: BGP metrics, OSPF metrics; SNMP: Class based QoS metrics; SNMP: NBAR metrics | Syslog: Over 200 event types parsed for situations covering admin access, configuration change, interface up/down, BGP interface up/down, traffic log, IPS activity; NetFlow V5, V9: Traffic logs | SSH: Running config, Startup config | Cisco IOS
Cisco | Nexus OS based Routers and Switches | SNMP: OS, Hardware; SSH: configuration, running process, Layer 2 connectivity | SNMP: CPU, Memory, Interface utilization, Hardware Status; SNMP: IP SLA metrics, BGP metrics, OSPF metrics, NBAR metrics; SNMP: Class based QoS metrics | Syslog: Over 3500 event types parsed for situations covering admin access, configuration change, interface up/down, BGP interface up/down, traffic log, hardware status, software and hardware errors; NetFlow V5, V9: Traffic logs | SSH: Running config, Startup config | Cisco NX-OS
Cisco | ONS | SNMP: OS, Hardware | SNMP Trap: Availability and Performance Alerts | | | Cisco NX-OS
Cisco | ACE Application Firewall | SNMP: OS, Hardware | | | |
Cisco | UCS Server | UCS API: Hardware components - processors, chassis, blades, board, cpu, memory, storage, power supply unit, fan unit | UCS API: Chassis Status, Memory Status, Processor Status, Power Supply status, Fan status | Syslog: Over 500 event types parsed for situations covering hardware errors, internal software errors etc | Currently not natively supported | Cisco UCS
Cisco | WLAN Controller and Access Points | SNMP: OS, Hardware, Access Points | SNMP: Controller CPU, Memory, Interface utilization, Hardware Status; SNMP: Access Point Wireless Channel utilization, noise metrics, user count | SNMP Trap: Over 88 event types parsed for situations covering Authentication, Association, Rogue detection, Wireless IPS events | Currently not natively supported | Cisco Wireless LAN
Cisco | Call Manager | SNMP: OS, Hardware, VoIP Phones | SNMP: Call manager CPU, Memory, Disk, Interface utilization, Hardware Status, Process level resource usage; SNMP: VoIP phone count, Gateway count, Media Device count, Voice mail server count and SIP Trunks count; SNMP: SIP Trunk Info, Gateway Status Info, H323 Device Info, Voice Mail Device Info, Media Device Info, Computer Telephony Integration (CTI) Device Info | Syslog: Over 950 messages from Cisco Call Manager as well as Cisco Unified Real Time Monitoring Tool (RTMT); CDR Records, CMR Records: Call Source and Destination, Time, Call Quality metrics (MOS Score, Jitter, latency) | Currently not natively supported | Cisco Call Manager
Cisco | Contact Center | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status, Process level resource usage, Install software change | Currently not natively supported - Custom parsing needed | Currently not natively supported | Cisco Contact Center
Cisco | Presence Server | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status, Process level resource usage, Install software change | Currently not natively supported - Custom parsing needed | Currently not natively supported | Cisco Presence Server
Cisco | Tandeberg Telepresence Video Communication Server (VCS) | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status, Process level resource usage, Install software change | Currently not natively supported - Custom parsing needed | Currently not natively supported | Cisco Tandeberg Telepresence VCS
Cisco | Tandeberg Telepresence Multiple Control Unit (MCU) | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status, Process level resource usage, Install software change | Currently not natively supported - Custom parsing needed | Currently not natively supported | Cisco Telepresence MCU
Cisco | Unity Connection | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status, Process level resource usage, Install software change | Currently not natively supported - Custom parsing needed | Currently not natively supported | Cisco Unity
Cisco | IronPort Mail Gateway | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status, Process level resource usage, Install software change | Syslog: Over 45 event types covering mail scanning and forwarding status | Currently not natively supported | Cisco IronPort Mail
Cisco | IronPort Web Gateway | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status, Process level resource usage, Install software change | W3C Access log (Syslog): Over 9 event types covering web request handling status | Currently not natively supported | Cisco IronPort Web

Vendor | Model | Discovery Overview | Performance Monitoring Overview | Log Analysis Overview | Config Change Monitoring | Details
---|---|---|---|---|---|---
Cisco | Cisco Network IPS Appliances | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status | SDEE: Over 8000 IPS signatures | Currently not natively supported | Cisco NIPS
Cisco | Sourcefire 3D and Defense Center | SNMP: OS, Hardware | | | | Sourcefire 3D and Defense Center
Cisco | FireSIGHT Console | | | eStreamer SDK: Intrusion events, Malware events, File events, Discovery events, User activity events, Impact flag events | | Cisco FireSIGHT
Cisco | Cisco Security Agent | SNMP or WMI: OS, Hardware | SNMP or WMI: Process CPU and memory utilization | SNMP Trap: Over 25 event types covering Host IPS behavioral signatures | Currently not natively supported | Cisco CSA
Cisco | Cisco Access Control Server (ACS) | SNMP or WMI: OS, Hardware | SNMP or WMI: Process CPU and memory utilization | Syslog: Passed and Failed authentications, Admin accesses | Currently not natively supported | Cisco ACS
Cisco | VPN 3000 | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization | Syslog: Successful and Failed Admin Authentication, VPN Authentication, IPSec Phase 1 and Phase 2 association, VPN statistics | Currently not natively supported | Cisco VPN 3000
Cisco | Meraki Cloud Controllers | SNMP: OS, Hardware, Meraki devices reporting to the Cloud Controller | SNMP: Uptime, Network Interface Utilization; SNMP Trap: Various availability scenarios | Currently not natively supported - Custom parsing needed | Currently not natively supported | Cisco Meraki Cloud Controller and Network Devices
Cisco | Meraki Firewalls | SNMP: OS, Hardware | SNMP: Uptime, Network Interface Utilization | Syslog: Firewall log analysis | Currently not natively supported | Cisco Meraki Cloud Controller and Network Devices
Cisco | Meraki Routers/Switches | SNMP: OS, Hardware | SNMP: Uptime, Network Interface Utilization | | Currently not natively supported | Cisco Meraki Cloud Controller and Network Devices
Cisco | Meraki WLAN Access Points | SNMP: OS, Hardware | SNMP: Uptime, Network Interface Utilization | | Currently not natively supported | Cisco Meraki Cloud Controller and Network Devices
Cisco | MDS Storage Switch | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Hardware Status | Currently not natively supported - Custom parsing needed | Currently not natively supported |
Cisco | Network Control Manager (NCM) | | | Syslog: Network device software update, configuration analysis for compliance, admin login | | Cisco Network Compliance Manager
Cisco | Stealthwatch | Host name and Device type | Not supported | | Not supported | Cisco Stealthwatch
Cisco | Viptela | Discovered via LOG only | Not natively supported - Custom monitoring needed | Over 289 Event Types parsed | Not natively supported - Custom configuration collection needed | Cisco Viptela SDWAN Router
Cisco | Wide Area Application Services (WAAS) | SNMP: Host name, Version, Hardware model, Network interfaces | SNMP: CPU, Memory, Interface utilization, Disk utilization, Process cpu/memory utilization | | | Cisco WAAS
CloudPassage | Halo | Host name and Device type | Not supported | | Not supported | CloudPassage Halo
CradlePoint | CradlePoint | Discovered via LOG only | Not natively supported. Custom monitoring needed | 29 Event types covering Security Violations, Config Changes, Authentications and informational events | Not currently supported. | CradlePoint
CrowdStrike | Falcon | Host name and Device type | Not supported | | Not supported | CrowdStrike Falcon
Cyberoam | Cyberoam | Discovered via LOG only | Not natively supported. Custom monitoring needed. | Event, Security, and Traffic logs - Connection permit and deny, system events, malware events | | Cyberoam Firewall

Vendor | Model | Discovery Overview | Performance Monitoring Overview | Log Analysis Overview | Config Change Monitoring | Details
---|---|---|---|---|---|---
Cylance | Cylance Protect Endpoint Protection | | | Syslog: Endpoint protection alerts | | Cylance Protect
Cyphort | Cyphort Cortex Endpoint Protection | | | Syslog: Endpoint protection alerts | | Cyphort Cortex
Cyxtera | AppGate SDP | Host name and Device type | Not supported | | Not supported | Cyxtera AppGate SDP
Damballa | Failsafe | | | | | Damballa Failsafe
Darktrace | CyberIntelligence Platform | Discovered via LOG only | Not natively supported - Custom monitoring needed | Over 40 Event Types parsed | Not natively supported - Custom configuration collection needed | Darktrace CyberIntelligence Platform
Dell | SonicWall Firewall | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Firewall session count | Syslog: Firewall log analysis (over 1000 event types) | Currently not natively supported | Dell SonicWALL
Dell | Force10 Router and Switch | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Interface Status, Hardware Status | | SSH: Running config, Startup config | Dell Force10
Dell | NSeries Router and Switch | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Hardware Status | | SSH: Startup config | Dell NSeries
Dell | PowerConnect Router and Switch | SNMP: OS, Hardware | SNMP: CPU, Memory, Interface utilization, Hardware Status | | SSH: Startup config | Dell PowerConnect
Dell | Dell Hardware on Intel-based Servers | SNMP: Hardware | SNMP: Hardware Status: Battery, Disk, Memory, Power supply, Temperature, Fan, Amperage, Voltage | | Currently not natively supported. |
Dell | Compellent Storage | SNMP: OS, Hardware | SNMP: Network Interface utilization, Volume utilization, Hardware Status (Power, Temperature, Fan) | | Currently not natively supported. | Dell Compellent
Dell | EqualLogic Storage | SNMP: OS, Hardware (Network interfaces, Physical Disks, Components) | SNMP: Uptime, Network Interface utilization; SNMP: Hardware status: Disk, Power supply, Temperature, Fan, RAID health; SNMP: Overall Disk health metrics: Total disk count, Active disk count, Failed disk count, Spare disk count; SNMP: Connection metrics: IOPS, Throughput; SNMP: Disk performance metrics: IOPS, Throughput; SNMP: Group level performance metrics: Storage, Snapshot | | Currently not natively supported. | Dell EqualLogic
Digital Guardian | Code Green DLP | LOG Discovery | Currently not natively supported | 1 broad event Type | Currently not natively supported | Digital Guardian Code Green DLP
EMC | Clariion Storage | Naviseccli: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Installed Software, Storage Controller Ports; Naviseccli: Hardware components, RAID Groups and assigned disks, LUNs and LUN -> RAID Group mappings, Storage Groups and memberships | Naviseccli: Storage Processor utilization, Storage Port I/O, RAID Group I/O, LUN I/O, Host HBA Connectivity, Host HBA Unregistered Host, Hardware component health, Overall Disk health, Storage Pool Utilization | | Currently not natively supported. | EMC Clariion

Vendor | Model | Discovery Overview | Performance Monitoring Overview | Log Analysis Overview | Config Change Monitoring | Details
---|---|---|---|---|---|---
EMC | VNX Storage | Naviseccli: Host name, Operating system version, Hardware model, Serial number, Network interfaces, Installed Software, Storage Controller Ports; Naviseccli: Hardware components, RAID Groups and assigned disks, LUNs and LUN -> RAID Group mappings, Storage Groups and memberships | Naviseccli: Storage Processor utilization, Storage Port I/O, RAID Group I/O, LUN I/O, Host HBA Connectivity, Host HBA Unregistered Host, Hardware component health, Overall Disk health, Storage Pool Utilization | | | EMC VNX
EMC | Isilon Storage | SNMP: Host name, Operating system, Hardware (Model, Serial number, Network interfaces, Physical Disks, Components) | SNMP: Uptime, Network Interface metrics; SNMP: Hardware component health: Disk, Power supply, Temperature, Fan, Voltage; SNMP: Cluster membership change, Node health and performance (CPU, I/O), Cluster health and performance, Cluster Snapshot, Storage Quota metrics, Disk performance, Protocol performance | 5 event types | | EMC Isilon
Epic | SecuritySIEM | Discovered via LOG only | Not natively supported. Custom monitoring needed. | Authentication Query, Client login Query | Currently not natively supported | Epic EMR/EHR System
ESET | Nod32 Anti-virus | Application type discovery via LOG | | Syslog (CEF format): Virus found/cleaned type of events | | ESET NOD32
FireEye | Malware Protection System (MPS) | Application type discovery via LOG | | Syslog (CEF format): Malware found/cleaned type of events | | FireEye MPS
FireEye | HX Appliances for Endpoint protection | Application type discovery via LOG | | Syslog (CEF format): Malware Acquisition, Containment type of events | |
F5 Networks | Application Security Manager | Discovery via LOG | | Syslog (CEF Format); Various application level attack scenarios - invalid directory access, SQL injections, cross site exploits | | F5 Application Security Manager
F5 Networks | Local Traffic Manager | SNMP: Host name, Operating system, Hardware (Model, Serial number, Network interfaces, Physical Disks), Installed Software, Running Software | SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start | SNMP Trap: Exception situations including hardware failures, certain security attacks, Policy violations etc; Syslog: Permitted and Denied Traffic | | F5 Networks Local Traffic Manager
F5 Networks | Web Accelerator | Discovery via LOG | | Syslog: Permitted Traffic | | F5 Networks Web Accelerator
Fortinet | FortiAnalyzer | | | | | Fortinet FortiAnalyzer
Fortinet | FortiAP | Access point – Name, OS, Interfaces, Controller (FortiGate) | FortiAP CPU, Memory, Clients, Sent/Received traffic | Wireless events via FortiGate | | FortiAP

Vendor | Model | Discovery Overview | Performance Monitoring Overview | Log Analysis Overview | Config Change Monitoring | Details
---|---|---|---|---|---|---
Fortinet | FortiAuthenticator | Vendor, OS, Model | Interface Stat, Authentication Stat | Over 150 event types | Currently not natively supported. | Fortinet FortiAuthenticator
Fortinet | FortiClient | Discovered via LOG only | | Syslog: Traffic logs, Event logs | Not supported | FortiClient
Fortinet | FortiDeceptor | Discovered via LOG only | Not natively supported. Custom monitoring needed. | Authentication logs, Decoy activity | Currently not natively supported. | Fortinet FortiDeceptor
Fortinet | FortiEDR | Discovered via LOG only | Not natively supported. Custom monitoring needed. | System and security events (e.g. file blocked) | Currently not natively supported | Fortinet FortiEDR
Fortinet | FortiGate firewalls | SNMP: OS, Host name, Hardware (Serial Number, Interfaces, Components) | SNMP: Uptime, CPU and Memory utilization, Network Interface metrics | Syslog: Over 11000 Traffic and system logs; Netflow: traffic flow, Application flow | SSH: Running config, Startup config | Fortinet FortiGate
Fortinet | FortiInsight | | | | | FortiInsight
Fortinet | FortiManager | SNMP: Host name, Hardware model, Network interfaces, Operating system version | SNMP: Uptime, CPU and Memory utilization, Network Interface metrics | | | FortiManager
Fortinet | FortiNAC | Discovered via LOG only | Not natively supported. Custom monitoring needed | Administrative and User Admission Control events | Currently not natively supported | Fortinet FortiNAC
Fortinet | FortiWLC | SNMP - Controller – Name, OS, Serial Number, Interfaces, Associated Access Points – name, OS, Interfaces | Controller – CPU, Memory, Disk, Throughput, QoS statistics, Station count | Hardware/Software errors, failures, logons, license expiry, Access Point Association / Disassociation | Not supported | FortiWLC
Fortinet | FortiTester | Discovered via LOG only | Not natively supported - Custom monitoring needed | CEF format: Over 14 Event types parsed | Not natively supported - Custom configuration collection needed | Fortinet FortiTester
Foundry Networks | IronWare Router and Switch | SNMP: OS, Hardware; SSH: configuration, running process | SNMP: Uptime, CPU, Memory, Interface utilization, Hardware Status | Syslog: Over 6000 event types parsed for situations covering admin access, configuration change, interface up/down | SSH: Running config, Startup config | Foundry Networks IronWare
FreeBSD | | | | | |
GitHub.com | GitHub | Host name and Device type | Not supported | | Not supported | GitHub
GitLab API | GitLab | Host name and Device type | Not supported | | Not supported | GitLab API
GitLab CLI | GitLab | Host name and Device type | Not supported | | Not supported | GitLab CLI
Green League | WVSS | | | | | Green League WVSS
Huawei | VRP Router and Switch | SNMP: OS, Hardware; SSH: configuration, running process, Layer 2 connectivity | SNMP: Uptime, CPU, Memory, Interface utilization, Hardware Status | Syslog: Over 30 event types parsed for situations covering admin access, configuration change, interface up/down | SSH: Running config, Startup config |
HP | BladeSystem | SNMP: Host name, Access IP, Hardware components | SNMP: hardware status | | | HP BladeSystem
HP | HP-UX servers | SNMP: OS, Hardware | SNMP: Uptime, CPU, Memory, Network Interface, Disk space utilization, Network Interface Errors, Running Process Count, Running process CPU/memory utilization, Running process start/stop; SNMP: Installed Software change; SSH: Memory paging rate, Disk I/O utilization | | | HP UX Server

Vendor | Model | Discovery Overview | Performance Monitoring Overview | Log Analysis Overview | Config Change Monitoring | Details
---|---|---|---|---|---|---
HP | HP Hardware on Intel-based Servers | SNMP: hardware model, hardware serial, hardware components (fan, power supply, battery, raid, disk, memory) | SNMP: hardware status | SNMP Trap: Over 100 traps covering hardware issues | |
HP | TippingPoint UnityOne IPS | SNMP: OS, Hardware | SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors | Syslog: Over 4900 IPS alerts directly or via NMS | | TippingPoint IPS
HP | ProCurve Switches and Routers | SNMP: OS, hardware model, hardware serial, hardware components; SSH: configuration | SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors; SNMP: hardware status | | SSH: Running config, Startup config | HP ProCurve
HP | Value Series (19xx) Switches and Routers | SNMP: OS, hardware model, hardware serial, hardware components; SSH: configuration | SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors | | SSH: Startup config | HP Value Series (19xx) and HP 3Com (29xx) Switch
HP | 3Com (29xx) Switches and Routers | SNMP: OS, hardware model, hardware serial, hardware components; SSH: configuration | SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors | | SSH: Startup config | HP Value Series (19xx) and HP 3Com (29xx) Switch
HP | HP/3Com Comware Switches and Routers | SNMP: OS, hardware model, hardware serial, hardware components; SSH: configuration | SNMP: Uptime, CPU, Memory, Network Interface, Network Interface Errors; SNMP: hardware status | Syslog: Over 6000 event types parsed for situations covering admin access, configuration change, interface up/down and other hardware issues and internal errors | SSH: Startup config | HP/3Com ComWare
Hirschmann | Switches | Host Name, OS | SNMP – Uptime, CPU, Memory, Interface utilization, hardware Status, OSPF metrics | Not natively supported - Custom parsing needed | Not natively supported - Custom configuration collection needed | Hirschmann SCADA Firewalls and Switches
HyTrust | CloudControl | LOG Discovery | Currently not natively supported | Over 70 event types | Currently not natively supported | HyTrust CloudControl
IBM | Websphere Application Server | SNMP or WMI: Running processes | HTTP(S): Generic Information, Availability metrics, CPU / Memory metrics, Servlet metrics, Database pool metrics, Thread pool metrics, Application level metrics, EJB metrics | | | IBM WebSphere
IBM | DB2 Database Server | SNMP or WMI: Running processes | | JDBC: Database Audit trail: Log on, Database level and Table level CREATE/DELETE/MODIFY operations | | IBM DB2
IBM | ISS Proventia IPS Appliances | | | SNMP Trap: IPS Alerts: Over 3500 event types | | IBM ISS Proventia
IBM | AIX Servers | SNMP: OS, Hardware, Installed Software, Running Processes, Open Ports; SSH: Hardware details | SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start, Port up/down; SSH: Disk I/O, Paging | Syslog: General logs including Authentication Success/Failure, Privileged logons, User/Group Modification | | IBM AIX

Vendor | Model | Discovery Overview | Performance Monitoring Overview | Log Analysis Overview | Config Change Monitoring | Details
---|---|---|---|---|---|---
IBM | OS 400 | | | Syslog via PowerTech Agent: Over 560 event types | | IBM OS400
Imperva | Securesphere DB Monitoring Gateway | | | | | Imperva Securesphere DB Monitoring Gateway
Imperva | Securesphere DB Security Gateway | | | Syslog in CEF format | | Imperva Securesphere DB Security Gateway
Imperva | Securesphere Web App Firewall | | | | | Imperva Securesphere DB Security Gateway
Indegy | Security Platform | Discovered via LOG only | Not natively supported - Custom monitoring needed | Over 14 Event Types parsed | Not natively supported - Custom configuration collection needed | Indegy Security Platform
Intel/McAfee | McAfee Sidewinder Firewall | SNMP: OS, Hardware, Installed Software, Running Processes | SNMP: CPU, Memory, Disk, Interface utilization, Process monitoring, Process stop/start | Syslog: Firewall logs | | McAfee Firewall Enterprise (Sidewinder)
Intel/McAfee | McAfee ePO | SNMP: Related process name and parameters | SNMP: Process resource utilization | SNMP Trap: Over 170 event types | | McAfee ePolicy Orchestrator (ePO)
Intel/McAfee | Intrushield IPS | SNMP: OS, Hardware | SNMP: Hardware status | Syslog: IPS Alerts | | McAfee IntruShield
Intel/McAfee | Stonesoft IPS | | | Syslog: IPS Alerts | | McAfee Stonesoft
Intel/McAfee | Web Gateway | | | Syslog: Web server log | | McAfee Web Gateway
Intel/McAfee | Foundstone Vulnerability Scanner | | | JDBC: Vulnerability data | | McAfee Foundstone Vulnerability Scanner
Infoblox | DNS/DHCP Appliance | SNMP: OS, Hardware, Installed Software, Running Processes | SNMP: Zone transfer metrics, DNS Cluster Replication metrics, DNS Performance metrics, DHCP Performance metrics, DDNS Update metrics, DHCP subnet usage metrics; SNMP: Hardware Status; SNMP Trap: Hardware/Software Errors | Syslog: DNS logs - name resolution activity - success and failures | | Infoblox DNS/DHCP
ISC | Bind DNS | | | Syslog: DNS logs - name resolution activity - success and failures | | ISC BIND DNS
Juniper | JunOS Router/Switch | SNMP: OS, Hardware; SSH: Configuration | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status | Syslog: Over 1420 event types parsed for situations covering admin access, configuration change, interface up/down and other hardware issues and internal errors | SSH: Startup configuration | Juniper Networks JunOS
Juniper | SRX Firewalls | SNMP: OS, Hardware; SSH: Configuration | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status | Syslog: Over 700 event types parsed for situations covering traffic log, admin access, configuration change, interface up/down and other hardware issues and internal errors | SSH: Startup configuration | Juniper Networks JunOS
Juniper | SSG Firewall | SNMP: OS, Hardware; SSH: Configuration | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status | Syslog: Over 40 event types parsed for situations covering traffic log, admin access, configuration change, interface up/down and other hardware issues and internal errors | SSH: Startup configuration | Juniper Networks SSG Firewall
Juniper | ISG Firewall | SNMP: OS, Hardware; SSH: Configuration | SNMP: CPU, Memory, Disk, Interface utilization, Hardware Status | Syslog: Over 40 event types parsed for situations covering traffic log, admin access, configuration change, interface up/down and other hardware issues and internal errors | SSH: Startup configuration | Juniper Networks SSG Firewall

Vendor | Model | Discovery Overview | Performance Monitoring Overview | Log Analysis Overview | Config Change Monitoring | Details
---|---|---|---|---|---|---
Juniper | Steelbelted RADIUS | Discovered via LOG | | Syslog - 4 event types covering admin access and AAA authentication | | Juniper Networks Steel-Belted RADIUS
Juniper | Secure Access Gateway | SNMP: OS, Hardware | SNMP: CPU, Memory, Disk, Interface utilization | Syslog - Over 30 event types parsed for situations covering VPN login, Admin access, Configuration Change | | Juniper Networks SSL VPN Gateway
Juniper | Netscreen IDP | | | Syslog - directly from Firewall or via NSM - Over 5500 IPS Alert types parsed | | Juniper Networks IDP Series
Juniper | DDoS Secure | | | Syslog - DDoS Alerts | | Juniper DDoS
Lantronix | SLC Console Manager | | | Syslog - Admin access, Updates, Commands run | | Lantronix SLC Console Manager
LastLine | | | | Syslog in CEF format | | LastLine
Liebert | HVAC | SNMP: Host Name, Hardware model | SNMP: HVAC metrics: Temperature: current value, upper threshold, lower threshold, Relative Humidity: current value, upper threshold, lower threshold, System state etc | | | Liebert HVAC
Liebert | FPC | SNMP: Host Name, Hardware model | SNMP: Output voltage (X-N, Y-N, Z-N), Output current (X, Y, Z), Neutral Current, Ground current, Output power, Power Factor etc | | | Liebert FPC
Liebert | UPS | SNMP: Host Name, Hardware model | SNMP: UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated Seconds Remaining, Output voltage etc | | | Liebert UPS
Malwarebytes | Malwarebytes Endpoint Protection | | | | | Malwarebytes Endpoint Protection
McAfee | Vormetric Data Security Manager | LOG Discovery | Currently not natively supported | 1 broad event Type | Currently not natively supported | McAfee Vormetric Data Security Manager
Microsoft | ASP.NET | SNMP: Running Processes | SNMP or WMI: Process level resource usage; WMI: Request Execution Time, Request Wait Time, Current Requests, Disconnected Requests etc | | | Microsoft ASP.NET
Microsoft | Azure Advanced Threat Protection (ATP) | Host name and Device type | Not supported | | Not supported | Microsoft Azure ATP
Microsoft | Azure Compute | | | | | Microsoft Azure Compute
Microsoft | Azure Event Hub | | | | | Microsoft Azure Event Hub
Microsoft | Cloud App Security | Host name and Device type | Not supported | | Not supported | Microsoft Cloud App Security
Microsoft | DHCP Server - 2003, 2008 | SNMP: Running Processes | WMI: DHCP metrics: request rate, release rate, decline rate, Duplicate Drop rate etc | FortiSIEM Windows Agent (HTTPS): DHCP logs - release, renew etc; Snare Agent (syslog): DHCP logs - release, renew etc; Correlog Agent (syslog): DHCP logs - release, renew etc | | Microsoft DHCP (2003, 2008)
Microsoft | DNS Server - 2003, 2008 | SNMP: Running Processes | WMI: DNS metrics: Requests received, Responses sent, WINS requests received, WINS responses sent, Recursive DNS queries received etc | FortiSIEM Windows Agent (HTTPS): DNS logs - name resolution activity; Snare Agent (syslog): DNS logs - name resolution activity; Correlog Agent (syslog): DNS logs - name resolution activity | | Microsoft DNS (2003, 2008)
Microsoft | Domain Controller / Active Directory - 2003, 2008, 2012 | SNMP: Running Processes; LDAP: Users | WMI: Active Directory metrics: Directory Search Rate, Read Rate, Write Rate, Browse Rate, LDAP search rate, LDAP Bind Rate etc; WMI: "dcdiag -e" command output - detect successful and failed domain controller diagnostic tests; WMI: "repadmin /replsummary" command output - Replication statistics; LDAP: Users with stale passwords, insecure password settings | | | Microsoft Active Directory
Microsoft | Exchange Server | SNMP: Running Processes | SNMP or WMI: Process level resource usage; WMI: Exchange performance metrics, Exchange error metrics, Exchange mailbox metrics, Exchange SMTP metrics, Exchange ESE Database, Exchange Database Instances, Exchange Mail Submission Metrics, Exchange Store Interface Metrics etc | Exchange Tracker Logs via FSM Advanced Windows Agent | | Microsoft Exchange
Microsoft | Hyper-V Hypervisor | | Powershell over winexe: Guest/Host CPU usage, Memory usage, Page fault, Disk Latency, Network usage | | | Hyper-V
Microsoft | IIS versions | SNMP: Running Processes | SNMP or WMI: Process level resource usage; WMI: IIS metrics: Current Connections, Max Connections, Sent Files, Received Files etc | FortiSIEM Windows Agent (HTTPS): W3C Access logs - Per instance Per Connection - Sent Bytes, Received Bytes, Duration; Snare Agent (syslog): W3C Access logs; Correlog Agent (syslog): W3C Access logs | | Microsoft IIS for Windows 2000 and 2003; Microsoft IIS for Windows 2008

Microsoft Internet SNMP: SNMP or WMI: Process level FortiSIEM Windows Microsoft
Authentication Running resource usage Agent (HTTPS): AAA logs Internet
Server (IAS) Processes - successful and failed Authentication
authentication ; Snare Server (IAS)
Agent (syslog): AAA logs
- successful and failed
authentication ; Correlog
Agent (syslog): AAA logs
- successful and failed
authentication

Microsoft Network Policy Discovered Not natively supported. Custom AAA-based login events Currently not Microsoft
Server via LOG only. monitoring needed. natively Network Policy
supported Server

Microsoft PPTP VPN FortiSIEM Windows Microsoft PPTP


Gateway Agent (HTTPS): VPN

FortiSIEM 6.1.2 External Systems Configuration Guide 40


Fortinet Technologies Inc.
Supported Devices and Applications by Vendor

Vendor Model Discovery Performance Monitoring Log Analysis Overview Config Details
Overview Overview Change
Monitoring

Access - successful and


failed Snare Agent
(syslog): VPN Access -
successful and failed ;
Correlog Agent (syslog):
VPN Access - successful
and failed

Microsoft Sharepoint SNMP: SNMP or WMI: Process level LOGBinder Agent: Microsoft
Server Running resource usage SharePoint logs - Audit SharePoint
Processes trail integrity, Access
control changes,
Document updates, List
updates, Container object
updates, Object changes,
Object Import/Exports,
Document views,
Information Management
Policy changes etc

Microsoft SQL Server - SNMP: SNMP or WMI: Process resource JDBC: database error Microsoft SQL
2005, 2008, Running usage; JDBC: General database log; JDBC: Database Server
2008R2, 2012, Processes info, Configuration Info, Backup audit trail
2014 Info,; JDBC: Per-instance like Buffer
cache hit ratio, Log cache hit ratio
etc; JDBC: per-instance, per-
database Performance metrics Data
file size, Log file used, Log growths
etc; JDBC: Locking info, Blocking
info

Microsoft Windows Host name Not supported Not Windows


Defender and Device supported Defender ATP
Advanced Threat type
Protection (ATP)

Microsoft Windows 2000, SNMP: OS, SNMP: CPU, Memory, Disk, WMI pulling: Security, SNMP: Microsoft
Windows 2003, Hardware (for Interface utilization, Process System and Application Installed Windows
Windows 2008, Dell and HP), utilization ; WMI: SNMP: CPU, logs; FortiSIEM Windows Software Servers
Windows 2008 Installed Memory, Disk, Interface utilization, Agent (HTTPS): Security, Change;
R2, Windows Software, Detailed CPU/Memory usage, System and Application FortiSIEM
2012, Windows Running Detailed Process utilization logs, File Content Windows
2012 R2 Processes; change; Snare Agent Agent:
WMI: OS, (syslog): Security, Installed
Hardware (for System and Application Software
Dell and HP), logs; Correlog Agent Change,
BIOS, (syslog): Security, Registry

FortiSIEM 6.1.2 External Systems Configuration Guide 41


Fortinet Technologies Inc.
Supported Devices and Applications by Vendor

Vendor Model Discovery Performance Monitoring Log Analysis Overview Config Details
Overview Overview Change
Monitoring

Installed System and Application Change;


Software, logs FortiSIEM
Running Windows
Processes, Agent: File
Services, Integrity
Installed Monitoring
Patches

MobileIron Sentry Discovered Not natively supported - Custom Over 18 Events Types Not natively MobileIron
Sentry and Via LOG only monitoring needed parsed supported - Sentry
Connector Custom
configuration
collection
needed

Motorola AirDefense Syslog: Wireless IDS Motorola


Wireless IDS logs AirDefense

Motorola WiNG WLAN Syslog: All system logs: Motorola WLAN


Access Point User authentication,
Admin authentication,
WLAN attacks, Wireless
link health

Mikrotek Mikrotech Host name, SNMP: Uptime CPU utilization, Mikrotek Router
Switches and OS, Network Interface metrics
Routers Hardware
model, Serial
number,
Components

NetApp DataONTAP NetApp


DataONTAP

NetApp DataONTAP SNMP: Host SNMP: CPU utilization, Network SNMP Trap: Over 150 NetApp Filer
based Filers name, OS, Interface metrics, Logical Disk alerts - hardware and
Hardware Volume utilization; SNMP: Hardware software alerts
model, Serial component health, Disk health
number, ONTAP API: Detailed NFS V3/V4,
Network ISCSI, FCP storage IO metrics,
interfaces, Detailed LUN metrics, Aggregate
Logical metrics, Volume metrics, Disk
volumes, performance metrics
Physical
Disks

Nessus Vulnerability Nessus API: Vulnerability Nessus


Scanner Scan results - Scan Vulnerability
name, Host, Host OS, Scanner

FortiSIEM 6.1.2 External Systems Configuration Guide 42


Fortinet Technologies Inc.
Supported Devices and Applications by Vendor

Vendor Model Discovery Performance Monitoring Log Analysis Overview Config Details
Overview Overview Change
Monitoring

Vulnerability category,
Vulnerability name,
Vulnerability severity,
Vulnerability CVE Id and
Bugtraq Id, Vulnerability
CVSS Score,
Vulnerability
Consequence, etc

Netwrix Auditor Not natively Not natively supported 2 Event Types parsed Not natively Netwrix Auditor
supported (via Windows Correlog supported
Agent)

Nginx Web Server SNMP: SNMP: Application Resource Usage Syslog: W3C access Nginx Web
Application logs: per HTTP(S) Server
name connection: Sent Bytes,
Received Bytes,
Connection Duration

Nimble NimbleOS Host name, SNMP: Uptime, Network Interface Nimble Storage
Storage Operating metrics, Storage Disk Utilization
system SNMP: Storage Performance
version, metrics: Read rate (IOPS),
Hardware Sequential Read Rate (IOPS), Write
model, Serial rate (IOPS), Sequential Write Rate
number, (IOPS), Read latency, etc
Network
interfaces,
Physical
Disks,
Components

Nortel ERS Switches SNMP: Host SNMP: Uptime CPU/memory Nortel ERS and
and Routers name, OS, utilization, Network Interface Passport Switch
Hardware metrics/errors, Hardware Status
model, Serial
number,
Components

Nortel Passport SNMP: Host SNMP: Uptime CPU/memory Nortel ERS and
Switches and name, OS, utilization, Network Interface Passport Switch
Routers Hardware metrics/errors, Hardware Status
model, Serial
number,
Components

Nozomi Guardian No No Yes No Nozomi

FortiSIEM 6.1.2 External Systems Configuration Guide 43


Fortinet Technologies Inc.
Supported Devices and Applications by Vendor

Vendor Model Discovery Performance Monitoring Log Analysis Overview Config Details
Overview Overview Change
Monitoring

Nutanix Controller VM SNMP: Host SNMP: Uptime CPU/memory Nutanix


name, OS, utilization, Network Interface
Hardware metrics/errors, Disk Status, Cluster
model, Serial Status, Service Status, Storage Pool
number, Info, Container Info
Network
interfaces,
Physical
Disks,
Components

Okta.com SSO Okta API: Okta API: Over 90 event Okta


Users types covering user Configuration
activity in Okta website

OneIdentity Safeguard Not supported OneIdentity


Safeguard

OpenLDAP OpenLDAP LDAP: Users

Oracle Enterprise SNMP or JDBC: Database performance Syslog: Listener log, Alert Oracle Database
Database Server WMI: Proces metrics: Buffer cache hit ratio, Row log, Audit Log
- 10g, 11g, 12c s resource cache hit ratio, Library cache hit
usage ; ratio, Shared pool free ratio, Wait
time ratio, Memory Sorts ratio etc ;
JDBC: Database Table space
information: able space name, table
space type, table space usage,
table space free space, table space
next extent etc; JDBC: Database
audit trail: Database logon,
Database operations including
CREATE/ALTER/DROP/TRUNCAT
E operations on tables, table spaces,
databases, clusters, users, roles,
views, table indices, triggers etc.

Oracle MySQL Server SNMP or JDBC: User Connections, Table MySQL Server
WMI: Updates, table Selects, Table
Process Inserts, Table Deletes, Temp Table
resource Creates, Slow Queries etc; JDBC:
usage Table space performance metrics:
Table space name, table space type,
Character set and Collation, table
space usage, table space free
space etc; JDBC: Database audit
trail: Database log on,
Database/Table

FortiSIEM 6.1.2 External Systems Configuration Guide 44


Fortinet Technologies Inc.
Supported Devices and Applications by Vendor

Vendor Model Discovery Performance Monitoring Log Analysis Overview Config Details
Overview Overview Change
Monitoring

CREATE/DELETE/MODIFY
operations

Oracle WebLogic SNMP or JMX: Availability metrics, Memory Oracle WebLogic


Application WMI: Proces metrics, Servlet metrics, Database
Server s resource metrics, Thread pool metrics, EJB
usage metrics, Application level metrics

Oracle Glassfish SNMP or JMX: Availability metrics, Memory Oracle GlassFish


Application WMI: Proces metrics, Servlet metrics, Session Server
Server s resource metrics, Database metrics, Request
usage processor metrics, Thread pool
metrics, EJB metrics, Application
level metrics, Connection metrics

Oracle Sun SunOS and SNMP: OS, SNMP: CPU, Memory, Disk, Syslog: Situations Sun Solaris
Solaris Hardware, Interface utilization, Process covering Authentication Server
Software, monitoring, Process stop/start, Port Success/Failure,
Processes, up/down ; SSH: Disk I/O, Paging Privileged logons,
Open Ports ; User/Group Modification
SSH:
Hardware
details

PacketFence Network Access Host name Not supported Not PacketFence


Control and Device supported Network Access
type Control

Palo Alto Palo Alto Traps LOG Currently not natively supported Over 80 event types Currently not Palo Alto Traps
Networks Endpoint Discovery natively Endpoint
Security supported Security
Manager Manager

Palo Alto PAN-OS based SNMP: Host SNMP: Uptime, CPU utilization, Syslog: Traffic log, SSH: Palo Alto Firewall
Networks Firewall name, OS, Network Interface metrics, Firewall Threat log (URL, Virus, Configuration
Hardware, connection count Spyware, Vulnerability, Change
Network File, Scan, Flood and
interfaces; data subtypes), config
SSH: and system logs
Configuration

PulseSecure PulseSecure Syslog: VPN events, PulseSecure


VPN Traffic events, Admin
events

QNAP Turbo NAS QNAP Turbo


NAS

Qualys QualysGuard Qualys


Scanner QualysGuard

FortiSIEM 6.1.2 External Systems Configuration Guide 45


Fortinet Technologies Inc.
Supported Devices and Applications by Vendor

Vendor Model Discovery Performance Monitoring Log Analysis Overview Config Details
Overview Overview Change
Monitoring

Scanner

Qualys Vulnerability Qualys API: Vulnerability Qualys


Scanner Scan results - Scan Vulnerability
name, Host, Host OS, Scanner
Vulnerability category,
Vulnerability name,
Vulnerability severity,
Vulnerability CVE Id and
Bugtraq Id, Vulnerability
CVSS Score,
Vulnerability
Consequence etc

Qualys Web Application syslog (JSON formatted): Qualys Web


Firewall web log analysis Application
Firewall

Radware DefensePro LOG Currently not natively supported Over 120 event types Currently not Radware
Discovery natively DefensePro
supported

Rapid7 InsightVM Host name Not supported Rapid7


and Device InsightVM
type

Rapid7 NeXpose Rapid7 NeXpose API: Rapid7 NeXpose


Vulnerability Vulnerability Scan results Vulnerability
Scanner - Scan name, Host, Host Scanner
OS, Vulnerability
category, Vulnerability
name, Vulnerability
severity, Vulnerability
CVE Id and Bugtraq Id,
Vulnerability CVSS
Score, Vulnerability
Consequence etc

Riverbed Steelhead WAN SNMP: Host SNMP: Uptime, CPU / Memory / SNMP Trap: About 115 Riverbed
Accelerators name, Network Interface / Disk space event types covering SteelHead WAN
Software metrics, Process cpu/memory software errors, hardware Accelerator
version, utilization; SNMP: Hardware Status errors, admin login,
Hardware SNMP: Bandwidth metrics: performance issues -
model, (Inbound/Outbound Optimized cpu, memory, peer
Network Bytes - LAN side, WAN side; latency issues ; Netflow:
interfaces Connection metrics: Connection statistics
Optimized/Pass through / Half-open
optimized connections etc); SNMP:

FortiSIEM 6.1.2 External Systems Configuration Guide 46


Fortinet Technologies Inc.
Supported Devices and Applications by Vendor

Vendor Model Discovery Performance Monitoring Log Analysis Overview Config Details
Overview Overview Change
Monitoring

Top Usage metrics: Top source, Top


destination, Top Application, Top
Talker; SNMP: Peer status: For
every peer: State, Connection
failures, Request timeouts, Max
latency

Redhat Linux SNMP: OS, SNMP: CPU, Memory, Disk, Syslog: Situations SSH: File Linux Server
Hardware, Interface utilization, Process covering Authentication integrity
Software, monitoring, Process stop/start, Port Success/Failure, monitoring,
Processes, up/down ; SSH: Disk I/O, Paging Privileged logons, Target file
Open Ports ; User/Group Modification monitoring
SSH: SSH: File integrity Agent: File
Hardware monitoring, Command integrity
details, Linux output monitoring, Target monitoring
distribution file monitoring Agent: File
integrity monitoring

Redhat JBOSS SNMP: JMX: CPU metrics, Memory ; Redhat JBOSS


Application Process level metrics, Servlet metrics, Database
Server CPU/Memor pool metrics, Thread pool metrics,
y usage Application level metrics, EJB
metrics

Redhat DHCP Server SNMP: Syslog: DHCP address Linux DHCP


Process level release/renew events
CPU/Memor
y usage

Ruckus Wireless LAN SNMP: SNMP: Controller Uptime, Controller Ruckus WLAN
Controller Network Interface metrics,
host name, Controller WLAN Statistics, Access
Controller Point Statistics, SSID performance
hardware Stats
model,
Controller
network
interfaces,
Associated
WLAN
Access
Points

Security Zeek (Bro) Discovered Not natively supported - Custom Syslog JSON format: 6 Currently not Zeek (Bro)
Onion via LOG only monitoring needed event types parsed natively Installed on
supported Security Onion

SentinelOne SentinelOne Discovered Not natively supported. Custom System and security Currently not SentinelOne

FortiSIEM 6.1.2 External Systems Configuration Guide 47


Fortinet Technologies Inc.
Supported Devices and Applications by Vendor

Vendor Model Discovery Performance Monitoring Log Analysis Overview Config Details
Overview Overview Change
Monitoring

via LOG only monitoring needed. events (e.g. file blocked) natively
supported

Snort IPS SNMP: Syslog: Over 40K IPS Snort IPS


Process level Alerts DBC: Over 40K
CPU/Memor IPS Alerts - additional
y usage details including
TCP/UDP/ICMP header
and payload in the attack
packet

Sophos Central Host name Not supported Not Sophos Central


and Device supported
type

Sophos Sophos Endpoint SNMP Trap: Endpoint Sophos Endpoint


Security and events including Malware Security and
Control found/deleted, DLP Control
events

Squid Web Proxy SNMP: Syslog: W3C formatted Squid Web Proxy
Process level access logs - per HTTP
CPU/Memor (S) connection: Sent
y usage Bytes, Received Bytes,
Connection Duration

SSH Com CryptoAuditor LOG Currently not natively supported Many event types Currently not SSH Com
Security Discovery natively Security
supported CryptoAuditor

Stormshield Network Security Not natively Not natively supported Firewall logs Not natively Stormshield
supported supported Network Security

Symantec Symantec Syslog: Over 5000 event Symantec


Endpoint types covering end point Endpoint
Protection protection events - Protection
malware/spyware/adwar
e, malicious events

Tanium Connect Host name Not supported Not Tanium Connect


and Device supported
type

Tenable Tenable.io Host name Not supported Not Tenable.io


and Device supported
type

Tigera Calico Not natively Not natively supported Flow, Audit and DNS logs Not natively Tigera Calico
supported supported

TrendMicro Deep Discovery Discovered Not natively supportedCustom Malicious file detection Currently not TrendMicro Deep

FortiSIEM 6.1.2 External Systems Configuration Guide 48


Fortinet Technologies Inc.
Supported Devices and Applications by Vendor

Vendor Model Discovery Performance Monitoring Log Analysis Overview Config Details
Overview Overview Change
Monitoring

via LOG only monitoring needed. natively Discovery


supported

TrendMicro Deep Security Syslog: Over 10 event Not


Manager types covering end point supported
protection events

TrendMicro Interscan Web LOG Currently not natively supported 15 event Types Currently not TrendMicro
Filter Discovery natively Interscan Web
supported Filter

TrendMicro Intrusion Syslog: Over 10 event Trend Micro IDF


Defense Firewall types covering end point
(IDF) firewall events

TrendMicro Office scan SNMP Trap: Over 30 Trend Micro


event types covering end OfficeScan
point protection events -
malware/spyware/adwar
e, malicious events

Vasco DigiPass Syslog - Successful and Vasco DigiPass


Failed Authentications,
Successful and Failed
administrative logons

VMware VMware ESX and VMWare VMWare SDK: VM level: CPU, VMWare SDK: Over 800
VCenter SDK: Entire Memory, Disk, Network, VMware VCenter events covering
VMware tool status VMWare SDK: ESX level: account creation, VM
hierarchy and CPU, Memory, Disk, Network, Data creation, DRS events,
dependencie store VMWare SDK: ESX level: hardware/software errors
s - Data Hardware Status VMWare SDK:
Center, Cluster level: CPU, Memory, Data
Resource store, Cluster Status VMWare SDK:
Pool, Cluster, Resource pool level: CPU, Memory
ESX and VMs

VMware vShield Syslog: Over 10 events


covering permitted and
denied connections,
detected attacks

VMware VCloud Network Syslog: Over 10 events


and Security covering various
(vCNS) Manager activities

WatchGuard Firebox Firewall Syslog: Over 20 firewall WatchGuard


event types Firebox Firewall

Websense Web Filter Syslog: Over 50 web Websense Web

FortiSIEM 6.1.2 External Systems Configuration Guide 49


Fortinet Technologies Inc.
Supported Devices and Applications by Vendor

Vendor Model Discovery Performance Monitoring Log Analysis Overview Config Details
Overview Overview Change
Monitoring

filtering events and web Filter


traffic logs

YXLink Vulnerability YXLink


Scanner Vulnerability
Scanner

Applications

This section describes how to configure applications for discovery and for providing information to FortiSIEM.
l Application Server
l Authentication Server
l Database Server
l DHCP and DNS Server
l Directory Server
l Document Management Server
l Healthcare IT
l Mail Server
l Management Server/Appliance
l Remote Desktop
l Source Code Control
l Unified Communication Server
l Web Server

Application Server

FortiSIEM supports the discovery and monitoring of these application servers.

l Apache Tomcat
l IBM WebSphere
l Microsoft ASP.NET
l Oracle GlassFish Server
l Oracle WebLogic
l Redhat JBOSS

Apache Tomcat

l What is Discovered and Monitored
l Configuration
l Settings for Access Credentials
l Sample Event for Tomcat Metrics

What is Discovered and Monitored

Protocol: JMX
Information discovered: Generic information: Application version, Application port
Metrics collected:
  Availability metrics: Uptime, Application Server State
  CPU metrics: CPU utilization
  Memory metrics: Total memory, Free memory, Memory utilization, Virtual committed memory, Total Swap Memory, Free Swap Memory, Swap memory utilization, Heap Utilization, Heap Used Memory, Heap max memory, Heap commit memory, Non-heap Utilization, Non-heap used memory, Non-heap max memory, Non-heap commit memory
  Servlet metrics: Web application name, Servlet Name, Count allocated, Total requests, Request errors, Load time, Avg Request Processing time
  Session metrics: Web context path, Peak active sessions, Current active sessions, Duplicate sessions, Expired sessions, Rejected sessions, Average session lifetime, Peak session lifetime, Session processing time, Session create rate, Session expire rate, Process expire frequency, Max session limited, Max inactive Interval
Used for: Performance Monitoring

Protocol: JMX
Metrics collected:
  Database metrics: Web context path, Data source, Database driver, Peak active sessions, Current active sessions, Peak idle sessions, Current idle sessions
  Thread pool metrics: Thread pool name, Application port, Total threads, Busy threads, Keep alive threads, Max threads, Thread priority, Thread pool daemon flag
  Request processor metrics: Request processor name, Received Bytes, Sent Bytes, Average Request Process time, Max Request Processing time, Request Rate, Request Errors
Used for: Performance Monitoring

Event Types

In ADMIN > Device Support > Event, search for "tomcat" in the Device Type and Description column to see the
event types associated with this device.


Reports

In RESOURCE > Reports, search for "tomcat" in the Name column to see the reports associated with this
application or device.

Configuration

JMX

Add the necessary parameters to the Tomcat startup script.

Windows

Modify the file ${CATALINA_BASE}\bin\catalina.bat by adding these JVM arguments before the comment:
rem ----Execute The Requested Command ------

JMX Configuration for Windows (replace YOUR_JMX_PORT with the TCP port FortiSIEM will connect to; in a batch file a trailing ^ continues the line)

set JAVA_OPTS=-Dcom.sun.management.jmxremote ^
 -Dcom.sun.management.jmxremote.port=YOUR_JMX_PORT ^
 -Dcom.sun.management.jmxremote.authenticate=true ^
 -Dcom.sun.management.jmxremote.ssl=false ^
 -Dcom.sun.management.jmxremote.access.file=jmxremote.access ^
 -Dcom.sun.management.jmxremote.password.file=jmxremote.password

Linux

Modify the file ${CATALINA_BASE}/bin/catalina.sh by adding these JVM arguments before the comment:
# ----Execute The Requested Command ------

JMX Configuration for Linux (replace YOUR_JMX_PORT with the TCP port FortiSIEM will connect to; the closing quote ends the assignment, so no backslash follows it)

JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote \
 -Dcom.sun.management.jmxremote.port=YOUR_JMX_PORT \
 -Dcom.sun.management.jmxremote.authenticate=true \
 -Dcom.sun.management.jmxremote.ssl=false \
 -Dcom.sun.management.jmxremote.access.file=jmxremote.access \
 -Dcom.sun.management.jmxremote.password.file=jmxremote.password"

Note that jmxremote.ssl=false means the JMX credentials and data are sent without transport encryption; the access.file and password.file paths are resolved relative to the working directory the JVM starts in.

1. Edit the access authorization file jmxremote.access:

monitorRole readonly
controlRole readwrite

2. Edit the password file jmxremote.password. The first column is the user name and the second column is the password. FortiSIEM only needs monitor access:

monitorRole <password for the FortiSIEM user>
controlRole <password for the control user>

3. In Linux, set permissions for the jmxremote.access and jmxremote.password files so that they are read-only and
accessible only by the Tomcat operating system user:

chmod 600 jmxremote.access
chmod 600 jmxremote.password

You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more
information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
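An added consistency check for the two files created in steps 1 to 3 (example code written for this page, not FortiSIEM or Tomcat code): it parses jmxremote.access and jmxremote.password, confirms every role has both an access level and a password, that monitorRole is readonly as FortiSIEM requires, and that neither file is readable by group or others. File contents and paths are assumptions.

```python
"""Added example for this page, not FortiSIEM or Tomcat code: audit the
jmxremote.access / jmxremote.password pair produced by the JMX steps above."""
import os
import stat

VALID_ACCESS_LEVELS = ("readonly", "readwrite")


def parse_role_file(text):
    """Parse the 'name value' lines of jmxremote.access or jmxremote.password.
    Blank lines and '#' comments are skipped; returns {name: value}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<name> <value>', got {raw!r}")
        entries[parts[0]] = parts[1].strip()
    return entries


def audit_jmx_auth(access_text, password_text, access_mode, password_mode,
                   monitor_user="monitorRole"):
    """Return a list of findings; an empty list means the pair is consistent.
    access_mode / password_mode are the POSIX permission bits (st_mode & 0o777)."""
    findings = []
    access = parse_role_file(access_text)
    passwords = parse_role_file(password_text)
    for name, level in access.items():
        if level not in VALID_ACCESS_LEVELS:
            findings.append(f"{name}: access level {level!r} is not readonly/readwrite")
        if name not in passwords:
            findings.append(f"{name}: listed in jmxremote.access but has no password")
    for name, password in passwords.items():
        if name not in access:
            findings.append(f"{name}: has a password but no jmxremote.access entry")
        if not password:
            findings.append(f"{name}: empty password")
    if monitor_user not in access:
        findings.append(f"{monitor_user}: missing, so FortiSIEM has no account to use")
    elif access[monitor_user] != "readonly":
        findings.append(f"{monitor_user}: FortiSIEM only needs readonly, "
                        f"found {access[monitor_user]!r}")
    # Step 3 above is chmod 600: any group/other bit means the file is not private to
    # the Tomcat user (the JDK itself refuses to start when the password file is
    # readable by other users).
    for label, mode in (("jmxremote.access", access_mode),
                        ("jmxremote.password", password_mode)):
        if mode & 0o077:
            findings.append(f"{label}: mode {mode:04o} is readable by group/others, "
                            f"expected 0600")
    return findings


def audit_jmx_auth_files(access_path, password_path, monitor_user="monitorRole"):
    """Disk-backed wrapper: reads both files and their POSIX permission bits."""
    with open(access_path, encoding="utf-8") as f:
        access_text = f.read()
    with open(password_path, encoding="utf-8") as f:
        password_text = f.read()
    return audit_jmx_auth(
        access_text, password_text,
        stat.S_IMODE(os.stat(access_path).st_mode),
        stat.S_IMODE(os.stat(password_path).st_mode),
        monitor_user,
    )


if __name__ == "__main__":
    # Constructed sample contents matching steps 1 and 2, with placeholder passwords.
    access = "monitorRole readonly\ncontrolRole readwrite\n"
    passwords = ("monitorRole FORTISIEM_PASSWORD_PLACEHOLDER\n"
                 "controlRole CONTROL_PASSWORD_PLACEHOLDER\n")
    print("good pair:", audit_jmx_auth(access, passwords, 0o600, 0o600))
    print("bad pair: ", audit_jmx_auth(access, "monitorRole ONLY_ONE\n", 0o644, 0o600))
```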

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your Apache Tomcat application server
over JMX:

Setting Value

Name Enter a name for the credential.

Device Type Apache Apache Tomcat

Access Protocol JMX

Pull Interval 5
(minutes)

Port 0

User Name The user you created in step 2

Password The password you created in step 2

Sample Event for Tomcat Metrics

<134>Jan 22 01:57:32 10.1.2.16 java: [PH_DEV_MON_TOMCAT_CPU]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,
[appVersion]=Apache Tomcat/7.0.27,[appServerState]=STARTED,[sysUpTime]=2458304,[cpuUtil]=0

<134>Jan 22 01:57:32 10.1.2.16 java: [PH_DEV_MON_TOMCAT_MEMORY]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,
[appVersion]=Apache Tomcat/7.0.27,[appServerState]=STARTED,[freeMemKB]=116504,
[freeSwapMemKB]=2974020,[memTotalMB]=4095,[swapMemTotalMB]=8189,[virtMemCommitKB]=169900,
[memUtil]=98,[swapMemUtil]=65,[heapUsedKB]=18099,[heapMaxKB]=932096,[heapCommitKB]=48896,
[heapUtil]=37,[nonHeapUsedKB]=22320,[nonHeapMaxKB]=133120,[nonHeapCommitKB]=24512,
[nonHeapUtil]=91

<134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_SERVLET]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,
[appVersion]=Apache Tomcat/7.0.27,[webAppName]=//localhost/host-manager,
[servletName]=HTMLHostManager,[countAllocated]=0,[totalRequests]=0,[reqErrors]=0,[loadTime]=0,
[reqProcessTimeAvg]=0,[maxInstances]=20,[servletState]=STARTED

<134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_SESSION]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,
[appVersion]=Apache Tomcat/7.0.27,[webContextPath]=/host-manager,[activeSessionsPeak]=0,
[activeSessions]=0,[duplicateSession]=0,[expiredSession]=0,[rejectedSession]=0,
[sessionLifetimeAvg]=0,[sessionLifetimePeak]=0,[sessionProcessTimeMs]=0,[sessionCreateRate]=0,
[sessionExpireRate]=0,[webAppState]=STARTED,[processExpiresFrequency]=6,[maxSessionLimited]=-1,
[maxInactiveInterval]=1800

<134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_DB]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,
[appVersion]=Apache Tomcat/7.0.27,[webContextPath]=/host-manager,
[dataSource]="jdbc/postgres1",[dbDriver]=org.postgresql.Driver,[activeSessionsPeak]=20,
[activeSessions]=0,[idleSessionsPeak]=10,[idleSessions]=0

<134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_THREAD_POOL]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,
[appVersion]=Apache Tomcat/7.0.27,[threadPoolName]=ajp-apr-18009,[appPort]=18009,
[totalThreads]=0,[busyThreads]=0,[keepAliveThreads]=0,[maxThreads]=200,[threadPriority]=5,
[threadPoolIsDaemon]=true

<134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_REQUEST_PROCESSOR]:
[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-
JMX,[destDevPort]=9218,[appVersion]=Apache Tomcat/7.0.27,[reqProcessorName]="http-apr-18080",
[recvBytes]=0,[sentBytes]=62748914,[totalRequests]=4481,[reqProcessTimeAvg]=44107,
[reqProcessTimeMax]=516,[reqRate]=0,[reqErrors]=7
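An added parser for the event layout shown above (example code written for this page, not FortiSIEM code; the IBM WebSphere events in the next section use the same layout): it separates the syslog PRI and header from the [key]=value body, converts numeric and quoted values, and lists utilization attributes at or above a threshold. The sample lines are the guide's own events reassembled on one line; the 90 percent threshold is an assumption.

```python
"""Added example for this page, not FortiSIEM code: parse the [PH_DEV_MON_*]
key-value events shown above and flag high utilization values."""
import re

# Samples copied from the guide's Tomcat events above, reassembled on one line each.
SAMPLE_MEMORY = (
    "<134>Jan 22 01:57:32 10.1.2.16 java: [PH_DEV_MON_TOMCAT_MEMORY]:[eventSeverity]=PHL_INFO,"
    "[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,"
    "[appVersion]=Apache Tomcat/7.0.27,[appServerState]=STARTED,[freeMemKB]=116504,"
    "[freeSwapMemKB]=2974020,[memTotalMB]=4095,[swapMemTotalMB]=8189,[virtMemCommitKB]=169900,"
    "[memUtil]=98,[swapMemUtil]=65,[heapUsedKB]=18099,[heapMaxKB]=932096,[heapCommitKB]=48896,"
    "[heapUtil]=37,[nonHeapUsedKB]=22320,[nonHeapMaxKB]=133120,[nonHeapCommitKB]=24512,"
    "[nonHeapUtil]=91"
)
SAMPLE_DB = (
    "<134>Jan 22 01:57:33 10.1.2.16 java: [PH_DEV_MON_TOMCAT_DB]:[eventSeverity]=PHL_INFO,"
    "[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=9218,"
    "[appVersion]=Apache Tomcat/7.0.27,[webContextPath]=/host-manager,"
    '[dataSource]="jdbc/postgres1",[dbDriver]=org.postgresql.Driver,[activeSessionsPeak]=20,'
    "[activeSessions]=0,[idleSessionsPeak]=10,[idleSessions]=0"
)

# <PRI>Mon DD HH:MM:SS <reporter> <program>: [EVENT_TYPE]:<attributes>
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<reporter>\S+) (?P<program>[^:]+): \[(?P<etype>[A-Za-z0-9_]+)\]:(?P<body>.*)$"
)
# [name]=value pairs: a value is either double-quoted or runs up to the next comma.
ATTR_RE = re.compile(r'\[(?P<name>[^\]]+)\]=(?P<value>"[^"]*"|[^,]*)')


def _coerce(raw):
    """Strip quotes; turn the text into int, float or bool where it clearly is one."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    for conv in (int, float):
        try:
            return conv(raw)
        except ValueError:
            pass
    return raw


def parse_fortisiem_event(line):
    """Parse one PH_DEV_MON_* line into a dict; raises ValueError on a bad header."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a FortiSIEM monitoring event: {line[:60]!r}")
    pri = int(m.group("pri"))
    attrs = {a.group("name"): _coerce(a.group("value"))
             for a in ATTR_RE.finditer(m.group("body"))}
    return {
        "eventType": m.group("etype"),
        "facility": pri // 8,  # syslog PRI = facility * 8 + severity (134 -> local0, info)
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "reporter": m.group("reporter"),
        "program": m.group("program"),
        "attrs": attrs,
    }


def high_utilization(event, threshold=90):
    """Names of the percentage (*Util) attributes at or above threshold, in event order.
    The 90 percent default is an assumption for this example, not a FortiSIEM value."""
    return [name for name, value in event["attrs"].items()
            if name.endswith("Util") and isinstance(value, int)
            and not isinstance(value, bool) and value >= threshold]


if __name__ == "__main__":
    for sample in (SAMPLE_MEMORY, SAMPLE_DB):
        ev = parse_fortisiem_event(sample)
        print(ev["eventType"], "from", ev["reporter"], "high:", high_utilization(ev))
```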


IBM WebSphere

l What is Discovered and Monitored
l Configuration
l Settings for Access Credentials

What is Discovered and Monitored

HTTPS Preferred for Monitoring over JMX: IBM WebSphere performance metrics can be obtained via HTTP(S) or
JMX. The HTTP(S) based method is highly recommended since it consumes significantly fewer resources on FortiSIEM.

Protocol: HTTP / HTTP(S)
Information discovered: Generic information: Application version, Application port
Metrics collected:
  Availability metrics: Uptime, Application Server State
  CPU metrics: Application server instance, CPU utilization
  Memory metrics: Heap utilization, Heap used memory, Heap free memory, Heap max memory, Heap commit memory
  Servlet metrics: Application name, Web application name, Servlet Name, Invocation count
  Database pool metrics: Application server instance, JDBC provider, Data source, Pool size, Closed connections, Active Connections, Requests wait for connections, Connection use time, Connection factory type, Peak connections
  Thread pool metrics: Application server instance, Thread pool name, Execute threads, Peak execute threads
  Transaction metrics: Application server instance, Active Transaction, Committed Transaction, Rolled back Transaction
  Authentication metrics: Application name, Application server instance, Authentication Method, Count
Used for: Performance Monitoring

Protocol: JMX
Information discovered: Generic information: Application version, Application port
Metrics collected:
  Availability metrics: Uptime, Application Server State
  CPU metrics: Application server instance, CPU utilization
  Memory metrics: Heap utilization, Heap used memory, Heap free memory, Heap max memory, Heap commit memory, Max System dumps on disk, Max heap dumps on disk
  Servlet metrics: Application name, Web application name, Servlet Name, Invocation count, Request errors
  Database pool metrics: Application server instance, JDBC provider, Data source, Pool size, Closed connections, Active Connections, Requests wait for connections, Connection use time, Connection factory type, Peak connections
  Thread pool metrics: Application server instance, Thread pool name, Execute threads, Peak execute threads
  Application level metrics: Application name, Web application name, Application server instance, Web application context root, Active sessions, Peak active sessions
  EJB metrics: Application name, Application server instance, EJB component name
Used for: Performance Monitoring

Protocol: Syslog
Used for: Log analysis

Event Types

In ADMIN > Device Support > Event, search for "websphere" in the Description column to see the event types
associated with this device.
l PH_DEV_MON_WEBSPHERE_CPU (from HTTPS)
<134>Dec 08 16:11:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_CPU]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-10.1.2.16,[destDevPort]=9443,
[appVersion]=8.5.5.3,[appServerInstance]=server1,[cpuUtil]=0,[sysUpTime]=2340206,
[appServerState]=RUNNING
l PH_DEV_MON_WEBSPHERE_CPU (from JMX)
<134>Jan 22 02:15:23 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_CPU]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=8880,
[appVersion]=IBM WebSphere Application Server 7.0.0.11,[appServerInstance]=server1,
[cpuUtil]=0,[sysUpTime]=42206,[appServerState]=STARTED
l PH_DEV_MON_WEBSPHERE_MEMORY (from HTTPS)
<134>Dec 08 16:11:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_MEMORY]:[eventSeverity]=PHL_
INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-10.1.2.16,
[destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1,
[appServerState]=running,[heapFreeKB]=93208,[heapUsedKB]=168936,[heapCommitKB]=232576,
[heapMaxKB]=262144,[heapUtil]=72
• PH_DEV_MON_WEBSPHERE_MEMORY (from JMX)
<134>Jan 22 02:15:25 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_MEMORY]:[eventSeverity]=PHL_
INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,
[destDevPort]=8880,[appVersion]=IBM WebSphere Application Server 7.0.0.11,
[appServerInstance]=server1,[appServerState]=STARTED,[maxSystemDumpsOnDisk]=10,
[maxHeapDumpsOnDisk]=10,[heapFreeKB]=48140,[heapUsedKB]=172018,[heapCommitKB]=217815,
[heapMaxKB]=262144,[heapUtil]=78
• PH_DEV_MON_WEBSPHERE_APP (from HTTPS)
<134>Dec 08 16:11:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_APP]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-10.1.2.16,[destDevPort]=9443,
[appVersion]=8.5.5.3,[appServerInstance]=server1,[appName]=isclite,
[webAppName]=ISCAdminPortlet.war,[activeSessions]=0,[activeSessionsPeak]=1
• PH_DEV_MON_WEBSPHERE_APP (from JMX)
<134>Jan 22 02:18:24 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_APP]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=8880,
[appVersion]=IBM WebSphere Application Server 7.0.0.11,[appServerInstance]=server1,
[appName]=isclite,[webAppName]=isclite.war,[webContextRoot]=admin_host/ibm/console,
[activeSessions]=0,[activeSessionsPeak]=1
• PH_DEV_MON_WEBSPHERE_SERVLET (from HTTPS)
<134>Dec 08 16:11:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_SERVLET]:[eventSeverity]=PHL_
INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-10.1.2.16,
[destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1,[appName]=isclite,
[webAppName]=isclite.war,
[servletName]=/com.ibm.ws.console.servermanagement/collectionTableLayout.jsp,
[invocationCount]=2
• PH_DEV_MON_WEBSPHERE_SERVLET (from JMX)
<134>Jan 22 02:15:24 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_SERVLET]:[eventSeverity]=PHL_
INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,
[destDevPort]=8880,[appVersion]=IBM WebSphere Application Server 7.0.0.11,
[appServerInstance]=server1,[appName]=isclite,[webAppName]=isclite.war,
[servletName]=action,[reqErrors]=0,[invocationCount]=14
• PH_DEV_MON_WEBSPHERE_DB_POOL (from HTTPS)
<134>Dec 08 16:14:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_DB_POOL]:[eventSeverity]=PHL_
INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-10.1.2.16,
[destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1,[jdbcProvider]=Derby
JDBC Provider (XA),[dataSource]=jdbc/DefaultEJBTimerDataSource,[poolSize]=0,
[closedConns]=0,[activeConns]=0,[waitForConnReqs]=0,[connUseTime]=0
• PH_DEV_MON_WEBSPHERE_DB_POOL (from JMX)
<134>Jan 22 02:15:23 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_DB_POOL]:[eventSeverity]=PHL_
INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,
[destDevPort]=8880,[appVersion]=IBM WebSphere Application Server 7.0.0.11,
[appServerInstance]=server1,[jdbcProvider]=Derby JDBC Provider (XA),
[dataSource]=DefaultEJBTimerDataSource,[poolSize]=0,[closedConns]=0,[activeConns]=0,
[waitForConnReqs]=0,[connUseTime]=0,[connFactoryType]=,[peakConns]=0
• PH_DEV_MON_WEBSPHERE_THREAD_POOL (from HTTPS)
<134>Dec 08 16:14:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_THREAD_POOL]:
[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-
10.1.2.16,[destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1,
[threadPoolName]=WebContainer,[executeThreads]=2,[executeThreadPeak]=6
• PH_DEV_MON_WEBSPHERE_THREAD_POOL (from JMX)
<134>Jan 22 02:18:25 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_THREAD_POOL]:
[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-
WIN08R2-JMX,[destDevPort]=8880,[appVersion]=IBM WebSphere Application Server 7.0.0.11,
[appServerInstance]=server1,[threadPoolName]=ORB.thread.pool,[executeThreads]=0,
[executeThreadPeak]=0
• PH_DEV_MON_WEBSPHERE_TRANSACTION (from HTTPS)
<134>Dec 08 16:14:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_TRANSACTION]:
[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-
10.1.2.16,[destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1,
[activeTxCount]=0,[committedTxCount]=3406,[rolledBackTxCount]=0
• PH_DEV_MON_WEBSPHERE_AUTHENTICATION (from HTTPS)
<134>Dec 08 16:14:55 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_AUTHENTICATION]:
[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=Host-
10.1.2.16,[destDevPort]=9443,[appVersion]=8.5.5.3,[appServerInstance]=server1,
[authenMethod]=TokenAuthentication,[count]=0
• PH_DEV_MON_WEBSPHERE_EJB (from JMX)
<134>Jan 22 02:15:24 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_EJB]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=8880,
[appVersion]=IBM WebSphere Application Server 7.0.0.11,[appServerInstance]=server1,
[appName]=SchedulerCalendars,[ejbComponentName]=Calendars.jar

Reports

In RESOURCE > Reports, search for "websphere" in the Name column to see the reports associated with this
device.

Configuration

HTTP(S)

Install the perfServletApp Application

1. Log in to your WebSphere administration console.
2. Go to Applications > Application Types > WebSphere enterprise application.
3. Click Install.
4. Select Remote file system and browse to {WebSphere_Home}/AppServer/installableApps/PerfServletApp.ear.
5. Click Next.
The Context Root for the application will be set to /wasPerfTool, but you can edit this during installation.

Configure Security for the Application

1. Go to Security > Global Security.
2. Select Enable application security.
3. Go to Applications > Application Types > WebSphere Enterprise Applications.
4. Select perfServletApp.
5. Click Security role to user/group mapping.
6. Click Map Users/Groups.
7. Use the Search feature to find and select the FortiSIEM user you want to provide with access to the application.
8. Click Map Special Subjects.
9. Select All Authenticated in Application's Realm.
10. Click OK.

Start the Application

1. Go to Applications > Application Types > WebSphere enterprise application.
2. Select perfServletApp.
3. Click Start.
4. In a web browser, launch the application by going to http://<ip>:<port>/wasPerfTool/servlet/perfservlet.

Default HTTP Port

The default port for HTTP is 9080, HTTPS is 9443. You can change these by going to Servers > Server Types > WebSphere
application servers > {serverInstance} > Configuration > Ports.
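The three procedures above only pay off if application security is really enforced on perfServletApp: a servlet that answers anonymously leaks server internals to anyone who can reach the port, and a mapping mistake leaves FortiSIEM polling a 401. The following Python check is an added example, not FortiSIEM or IBM code. It requests the perfservlet once without credentials and once as the mapped user, verifying the server certificate against a CA bundle you supply, and reports whether the deployment behaves as the guide intends. It assumes WebSphere challenges with HTTP Basic (a form-login redirect is reported as WARN rather than guessed at); the host name, user, password and CA path in the usage block are placeholders.

```python
"""Check that the perfServletApp deployed above requires authentication and
answers the mapped FortiSIEM user. Added example, not FortiSIEM or IBM code."""
import base64
import ssl
import urllib.error
import urllib.request
from typing import Optional


def perfservlet_url(host: str, port: int = 9443, context_root: str = "/wasPerfTool",
                    scheme: str = "https") -> str:
    """Build the servlet URL; context_root is whatever was chosen at install time."""
    root = "/" + context_root.strip("/")
    return f"{scheme}://{host}:{port}{root}/servlet/perfservlet"


def http_status(url: str, user: Optional[str] = None, password: str = "",
                cafile: Optional[str] = None, timeout: float = 10.0) -> int:
    """GET url and return the HTTP status. Credentials, when given, are sent as
    HTTP Basic. The server certificate is verified against cafile (or the system
    trust store when cafile is None); an unverifiable certificate raises."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verdict(anonymous_status: int, authenticated_status: int) -> str:
    """Interpret the two probes. Application security is doing its job only when
    the anonymous request is refused and the mapped user is let through."""
    if authenticated_status != 200:
        return (f"FAIL: authenticated request returned {authenticated_status}; "
                "check the Security role to user/group mapping")
    if anonymous_status == 200:
        return ("FAIL: perfservlet is readable without credentials; enable application "
                "security and map the role")
    if anonymous_status in (401, 403):
        return "OK: perfservlet rejects anonymous access and accepts the FortiSIEM user"
    return (f"WARN: anonymous request returned {anonymous_status} "
            "(form login redirect?); inspect manually")


def check_perfservlet(host: str, user: str, password: str, port: int = 9443,
                      cafile: Optional[str] = None) -> str:
    """Run both probes against one server and return the verdict string."""
    url = perfservlet_url(host, port)
    return verdict(http_status(url, cafile=cafile),
                   http_status(url, user, password, cafile=cafile))


if __name__ == "__main__":
    # Placeholder values: replace with your server, the mapped user and the CA bundle.
    print(check_perfservlet("was.example.invalid", "fortisiem-svc", "REPLACE_ME",
                            cafile="/path/to/was-ca.pem"))
```

Run it once after mapping the user and again after every WebSphere upgrade; an "OK" verdict is also the moment to confirm the same port and context root are what you enter in the FortiSIEM HTTPS credential.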

JMX

Configuring the Default JMX Port

By default, your WebSphere application server uses port 8880 for JMX. You can change this by logging in to your
application server console and going to Application servers > {Server Name} > Ports > SOAP_CONNECTOR_ADDRESS.
The username and password for JMX are the same as the credentials for logging into the console. To configure JMX
communications between your WebSphere application server and FortiSIEM, you must copy several files from your
application server to the WebSphere configuration directory for each FortiSIEM virtual appliance that will be used for
discovery and performance monitoring jobs. FortiSIEM does not include these files because of licensing restrictions.

1. Copy these files to the directory /opt/phoenix/config/websphere/ for each Supervisor, Worker, and
Collector in your FortiSIEM deployment.

File Type    Location

Client Jars  ${WebSphere_Home}/AppServer/runtimes/com.ibm.ws.admin.client.jar
             ${WebSphere_Home}/AppServer/plugins/com.ibm.ws.security.crypto.jar

SSL files    ${WebSphere_Home}/AppServer/profiles/${Profile_Name}/etc/DummyClientKeyFile.jks
             ${WebSphere_Home}/AppServer/profiles/${Profile_Name}/etc/DummyClientTrustFile.jks

2. Install IBM JDK 1.6 or higher in the location /opt/phoenix/config/websphere/java for each Supervisor,
Worker, and Collector in your FortiSIEM deployment.

You can now configure FortiSIEM to communicate with your device by following the instructions in the User Guide >
Section: Setting Credentials, and then initiate discovery of the device as described in the topics under Discovery
Settings.

Settings for Access Credentials

Use these Access Method Definition options to let FortiSIEM access your IBM WebSphere device over HTTPS and
SNMP. When you set the Device Credential Mapping Definition, make sure to map both the HTTPS and SNMP
credentials to the same IP address for your WebSphere device.

HTTPS

Setting Value

Name websphere_https

Device Type IBM Websphere App Server

Access Protocol HTTPS

Port 9443

URL /wasPerfTool/servlet/perfservlet

User Name Use the user name that you provided with access to the application

Password The password associated with the user that has access to the application

Settings for IBM Websphere SNMP Access Credentials

Use these Access Method Definition settings to let FortiSIEM access your IBM Websphere device over SNMP. When
you set the Device Credential Mapping Definition, make sure to map both the HTTPS and SNMP credentials to the
same IP address for your Websphere device.

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set
the Name and Community String.

Setting Value

Name <set name>

Device Type Generic

Access Protocol SNMP

Community String <your own>

Settings for IBM Websphere JMX Access Credentials

Use these Access Method Definition settings to let FortiSIEM access your IBM Websphere device over JMX.

Setting Value

Name websphere

Device Type IBM Websphere App Server

Access Protocol JMX

Pull Interval (minutes) 5

Port 8880

User Name The administrative user for the application server

Password The password associated with the administrative user

Microsoft ASP.NET

• What is Discovered and Monitored
• Configuration
• Sample Event for ASP.NET Metrics

What is Discovered and Monitored

Protocol: WMI
Metrics collected: Request Execution Time, Request Wait Time, Current Requests, Disconnected Requests,
Queued requests, Disconnected Requests
Used for: Performance Monitoring

Event Types

In ADMIN > Device Support > Event, search for "asp.net" in the Description column to see the event types
associated with this device.

Reports

In RESOURCE > Reports, search for "asp.net" in the Name column to see the reports associated with this
application or device.

Configuration

WMI

See WMI Configurations in the Microsoft Windows Server Configuration section.

Sample Event for ASP.NET Metrics

[PH_DEV_MON_APP_ASPNET_MET]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,
[lineNumber]=4868,[hostName]=QA-EXCHG,[hostIpAddr]=172.16.10.28,
[appGroupName]=Microsoft ASPNET,[aspReqExecTimeMs]=0,[aspReqCurrent]=0,[aspReqDisconnected]=0,
[aspReqQueued]=0,[aspReqRejected]=0,[aspReqWaitTimeMs]=0

Oracle GlassFish Server

• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials
• Sample Event for Glassfish Metrics

What is Discovered and Monitored

Protocol: JMX
Information discovered and metrics collected:
Generic information: Application version, Application port
Availability metrics: Uptime, Application Server State
CPU metrics: CPU utilization
Memory metrics: Total memory, Free memory, Memory utilization, Virtual committed memory, Total Swap Memory,
Free Swap Memory, Swap memory utilization, Heap Utilization, Heap Used Memory, Heap max memory, Heap commit
memory, Non-heap Utilization, Non-heap used memory, Non-heap max memory, Non-heap commit memory
Servlet metrics: Web application name, Servlet Name, Count allocated, Total requests, Request errors, Avg Request
Processing time
Session metrics: Web context path, Peak active sessions, Current active sessions, Duplicate sessions, Expired
sessions, Rejected sessions, Average session lifetime, Peak session lifetime, Session processing time, Session create
rate, Session expire rate, Process expire frequency, Max session limited, Max inactive Interval
Database metrics: Data source
Thread pool metrics: Current live threads, Max live threads
Request processor metrics: Request processor name, Received Bytes, Sent Bytes, Total requests, Average Request
Process time, Max Request Processing time, Request Rate, Request Errors, Max open connections, Current open
connections, Last Request URI, Last Request method, Last Request completion time
Application level metrics: Cache TTL, Max cache size, Average request processing time, App server start time,
Cookies allowed flag, Caching allowed flag, Linking allowed flag, Cross Context Allowed flag
EJB metrics: EJB component name, EJB state, EJB start time
Connection metrics: Request processor name, HTTP status code, HTTP total accesses
Used for: Performance Monitoring

Event Types

In ADMIN > Device Support > Event, search for "glassfish" in the Description column to see the event types
associated with this device.

Reports

In RESOURCE > Reports, search for "glassfish" in the Name column to see the reports associated with this
application or device.

Configuration

JMX

1. The default JMX port used by Oracle GlassFish is 8686. If you want to change it, modify the node jmx-connector
of the file ${GlassFish_Home}\domains\${Domain_Name}\config\domain.xml.
2. The username and password for JMX are the same as the web console.
You can now configure FortiSIEM to communicate with your device by following the instructions in "Discovery Settings"
and "Setting Credentials" in the User Guide.

Settings for Oracle GlassFish JMX Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your Oracle GlassFish device over JMX.

Setting Value

Name glassfish

Device Type SUN Glassfish App Server

Access Protocol JMX

Pull Interval (minutes) 5

Port 8686

User Name The administrative user for the application server

Password The password associated with the administrative user

Sample Event for Glassfish Metrics

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_APP]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,
[appVersion]=Sun Java System Application Server 9.1_02,[webContextRoot]=,
[webAppState]=RUNNING,[cacheMaxSize]=10240,[cacheTTL]=5000,[reqProcessTimeAvg]=0,
[startTime]=1358755971,[cookiesAllowed]=true,[cachingAllowed]=false,[linkingAllowed]=false,
[crossContextAllowed]=true

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_CPU]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,
[appVersion]=Sun Java System Application Server 9.1_02,[sysUpTime]=35266,[cpuUtil]=60

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_MEMORY]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,
[appVersion]=Sun Java System Application Server 9.1_02,[freeMemKB]=479928,
[freeSwapMemKB]=6289280,[memTotalMB]=16051,[memUtil]=98,[swapMemUtil]=1,[swapMemTotalMB]=6142,
[virtMemCommitKB]=4025864,[heapUsedKB]=1182575,[heapMaxKB]=3106432,[heapCommitKB]=3106432,
[heapUtil]=38,[nonHeapUsedKB]=193676,[nonHeapMaxKB]=311296,[nonHeapCommitKB]=277120,
[nonHeapUtil]=69

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_SESSION]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,
[appVersion]=Sun Java System Application Server 9.1_02,[webContextPath]=/__JWSappclients,
[activeSessionsPeak]=0,[duplicateSession]=0,[activeSessions]=0,[expiredSession]=0,
[rejectedSession]=0,[sessionProcessTimeMs]=85,[sessionLifetimeAvg]=0,[sessionLifetimePeak]=0,
[maxSessionLimited]=-1,[maxInactiveInterval]=1800

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_SERVLET]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,
[appVersion]=Sun Java System Application Server 9.1_02,[webAppName]=phoenix,
[webAppState]=RUNNING,[servletName]=DtExportServlet,[totalRequests]=0,[reqErrors]=0,
[reqProcessTimeAvg]=0

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_CONN_STAT]:[eventSeverity]=PHL_
INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,
[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,
[reqProcessorName]=http8181,[httpStatusCode]=304,[httpTotalAccesses]=0

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_EJB]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,
[appVersion]=Sun Java System Application Server 9.1_02,[ejbComponentName]=phoenix-domain-
1.0.jar,[ejbState]=RUNNING,[startTime]=1358755963,

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_JMS]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,
[appVersion]=Sun Java System Application Server 9.1_02,[jmsSource]=jms/RequestQueue

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_REQUEST_PROCESSOR]:
[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-
10.1.2.201,[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,
[reqProcessorName]=http4848,[recvBytes]=0,[sentBytes]=0,[totalRequests]=0,[reqRate]=0,
[reqProcessTimeAvg]=0,[reqProcessTimeMax]=0,[maxOpenConnections]=0,[lastRequestURI]=null,
[lastRequestMethod]=null,[lastRequestCompletionTime]=0,[openConnectionsCount]=0,[reqErrors]=0

<134>Jan 22 02:00:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_THREAD_POOL]:[eventSeverity]=PHL_
INFO,[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,
[destDevPort]=8686,[appVersion]=Sun Java System Application Server 9.1_02,[liveThreads]=106,
[liveThreadsMax]=138

<134>Jan 22 02:06:29 10.1.2.201 java: [PH_DEV_MON_GLASSFISH_DB_POOL]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.201,[hostIpAddr]=10.1.2.201,[hostName]=Host-10.1.2.201,[destDevPort]=8686,
[appVersion]=Sun Java System Application Server 9.1_02,[dataSource]=jdbc/phoenixDS

Oracle WebLogic

• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials
• Sample Event for WebLogic Metrics

What is Discovered and Monitored

Protocol: JMX
Information discovered and metrics collected:
Generic information: Application version, Application port, SSL listen port, Listen port enabled flag, SSL listen
port enabled
Availability metrics: Uptime, Application Server State
Memory metrics: Total memory, Free memory, Used memory, Memory utilization, Heap utilization, Heap used memory,
Heap max memory, Heap commit memory, Total nursery memory
Servlet metrics: Application name, App server instance, Web application name, Web context name, Servlet name,
Invocation count, Servlet execution time
Database pool metrics: Application name, App server instance, Data source, Active connection count, Connection
limit, Leaked connections, Reserve requests, Requests wait for connections
Thread pool metrics: App server instance, Completed requests, Execute threads, Pending requests, Standby threads,
Total threads
EJB metrics: EJB component name, EJB state, EJB idle beans, EJB used beans, EJB pooled beans, EJB Waiter threads,
EJB committed Transactions, EJB timedout transactions, EJB rolledback transactions, EJB activations, EJB
Passivations, EJB cache hits, EJB cache misses, EJB cache accesses, EJB cache hit ratio
Application level metrics: Application name, App server instance, Web application name, Web context root, Peak
active sessions, Current active sessions, Total active sessions, Servlet count, Single threaded servlet pool count
Used for: Performance Monitoring

Event Types

In ADMIN > Device Support > Event, search for "WebLogic" in the Description column to see the event types
associated with this device.

Reports

In RESOURCE > Reports, search for "WebLogic" in the Name column to see the reports associated with this
application or device.

Configuration

JMX

Enable and Configure Internet Inter-ORB Protocol (IIOP)

1. Log into the administration console of your WebLogic application server.
2. In the Change Center of the administration console, click Lock & Edit.
3. In the left-hand navigation, expand Environment and select Servers.
4. Click the Protocols tab, then select IIOP.
5. Select Enable IIOP.
6. Expand the Advanced options.
7. For Default IIOP Username and Default IIOP Password, enter the username and password that you will use
as the access credentials when configuring FortiSIEM to communicate with your application server.

Enable IIOP Configuration Changes

1. Go to the Change Center of the administration console.
2. Click Activate Changes.

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery
Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your Oracle WebLogic application server
over JMX.
The port for JMX is the same as the web console, and the default value is 7001.

Setting Value

Name weblogic

Device Type Oracle WebLogic App Server

Access Protocol JMX

Pull Interval (minutes) 5

Port 7001

User Name The administrative user you created in step 7.

Password The password you created in step 7.

Sample Event for WebLogic Metrics

<134>Jan 22 02:12:20 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_GEN]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,
[appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 ,
[appServerInstance]=examplesServer,[appServerState]=RUNNING,[sysUpTime]=1358476145,
[appPort]=7001,[sslListenPort]=7002,[listenPortEnabled]=true,[sslListenPortEnabled]=true

<134>Jan 22 02:12:20 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_MEMORY]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,
[appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 ,
[appServerInstance]=examplesServer,[appServerState]=RUNNING,[heapUsedKB]=153128,
[heapCommitKB]=262144,[heapFreeKB]=109015,[heapUtil]=59,[heapMaxKB]=524288,
[usedMemKB]=4086224,[freeMemKB]=107624,[memTotalMB]=4095,[memUtil]=97,[nurserySizeKB]=88324

<134>Jan 22 02:12:22 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_SERVLET]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,
[appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 ,
[appServerInstance]=examplesServer,[appName]=consoleapp,[webAppName]=examplesServer_/console,
[servletName]=/framework/skeletons/wlsconsole/placeholder.jsp,[webContextRoot]=/console,
[invocationCount]=1094,[servletExecutionTimeMs]=63

<134>Jan 22 02:15:24 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_DB_POOL]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,
[appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 ,
[appServerInstance]=examplesServer,[appName]=examples-demoXA-2,[dataSource]=examples-demoXA-2,
[activeConns]=0,[connLimit]=1,[leakedConns]=0,[reserveRequests]=0,[waitForConnReqs]=0

<134>Jan 22 02:12:20 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_THREAD_POOL]:[eventSeverity]=PHL_
INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,
[destDevPort]=7001,[appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 ,
[appServerInstance]=examplesServer,[completedRequests]=14066312,[executeThreads]=7,
[pendingRequests]=0,[standbyThreads]=5,[totalThreads]=43

<134>Jan 22 02:12:20 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_EJB]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,
[appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 ,
[appServerInstance]=examplesServer,[ejbComponentName]=ejb30,[ejbIdleBeans]=0,[ejbUsedBeans]=0,
[ejbPooledBeans]=0,[ejbWaiter]=0,[ejbCommitTransactions]=0,[ejbTimedOutTransactions]=0,
[ejbRolledBackTransactions]=0,[ejbActivations]=0,[ejbPassivations]=0,[ejbCacheHits]=0,
[ejbCacheMisses]=0,[ejbCacheAccesses]=0,[ejbCacheHitRatio]=0

<134>Jan 22 02:12:23 10.1.2.16 java: [PH_DEV_MON_WEBLOGIC_APP]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=7001,
[appVersion]=WebLogic Server 10.3 Fri Jul 25 16:30:05 EDT 2008 1137967 ,
[appServerInstance]=examplesServer,[appName]=webservicesJwsSimpleEar,
[webAppName]=examplesServer_/jws_basic_simple,[webContextRoot]=/jws_basic_simple,
[activeSessions]=0,[activeSessionsPeak]=0,[activeSessionTotal]=0,[numServlet]=4,
[singleThreadedServletPool]=5
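The sample events shown above for WebSphere, ASP.NET, GlassFish and WebLogic, and the JBoss samples further down, all share one layout: an optional syslog header, the PH_DEV_MON_* event type in brackets, then comma-separated [attribute]=value pairs. Values are not quoted, so "Derby JDBC Provider (XA)", "6.1.0.Final "Neo"" and the empty [connFactoryType]= all have to survive parsing, which a naive split on "," or "=" will not do. The following Python parser and rule set is an added example, not FortiSIEM code; it turns such lines into dictionaries and applies a few health rules a SOC would reasonably alert on (server not RUNNING/STARTED, heap or non-heap utilisation over a threshold, requests waiting on a database pool, leaked connections). The sample lines are constructed from the guide's own samples, joined onto one line each; the thresholds and the waitForConnReqs=3 value are constructed for the example.

```python
"""Parse FortiSIEM PH_DEV_MON_* application-server events (the samples shown
for WebSphere, ASP.NET, GlassFish, WebLogic and JBoss) and flag resource
conditions worth alerting on. Added example, not FortiSIEM code."""
import re
from typing import Dict, List, Optional

# Optional syslog prefix "<PRI>Mon DD HH:MM:SS relay tag: ", then the event
# type in brackets and the comma-separated attribute body.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<relay>\S+) (?P<tag>[^:\s]+): )?"
    r"\[(?P<etype>PH_[A-Z0-9_]+)\]:(?P<body>.*)$",
    re.S,
)
# One [key]=value pair. The value is matched lazily up to the next ",[key]="
# or the end of the line, so values containing spaces, parentheses, quotes or
# commas ([jdbcProvider]=Derby JDBC Provider (XA)) stay intact and an empty
# value such as [connFactoryType]= is kept as "".
KV_RE = re.compile(r"\[(?P<k>[^\]]+)\]=(?P<v>.*?)(?=,\[[^\]]+\]=|,?\s*$)", re.S)

# Constructed thresholds for the example; tune them per environment.
HEAP_UTIL_WARN = 90
NON_HEAP_UTIL_WARN = 95
HEALTHY_STATES = {"RUNNING", "STARTED"}


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the event's attributes keyed by name, or None if the line is not
    a FortiSIEM PH_* event. Header fields are stored under "_pri", "_ts" and
    "_relay" so they cannot collide with event attribute names."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    attrs = {"eventType": m.group("etype")}
    for name in ("pri", "ts", "relay"):
        if m.group(name):
            attrs["_" + name] = m.group(name)
    for kv in KV_RE.finditer(m.group("body")):
        attrs[kv.group("k")] = kv.group("v").strip()
    return attrs


def _num(attrs: Dict[str, str], key: str) -> Optional[float]:
    """Numeric view of an attribute, or None if absent or non-numeric."""
    try:
        return float(attrs[key])
    except (KeyError, ValueError):
        return None


def check_event(attrs: Dict[str, str]) -> List[str]:
    """Apply simple health rules to one parsed event and return the findings."""
    findings: List[str] = []
    host = attrs.get("hostName", "?")
    etype = attrs["eventType"]
    state = attrs.get("appServerState")
    if state is not None and state.upper() not in HEALTHY_STATES:
        findings.append(f"{host}: {etype} reports appServerState={state}")
    heap = _num(attrs, "heapUtil")
    if heap is not None and heap >= HEAP_UTIL_WARN:
        findings.append(f"{host}: heap utilisation {heap:.0f}% >= {HEAP_UTIL_WARN}%")
    non_heap = _num(attrs, "nonHeapUtil")
    if non_heap is not None and non_heap >= NON_HEAP_UTIL_WARN:
        findings.append(f"{host}: non-heap utilisation {non_heap:.0f}% >= {NON_HEAP_UTIL_WARN}%")
    waits = _num(attrs, "waitForConnReqs")
    if waits:
        findings.append(f"{host}: {attrs.get('dataSource', '?')} has {waits:.0f} request(s) "
                        "waiting for a connection")
    leaked = _num(attrs, "leakedConns")
    if leaked:
        findings.append(f"{host}: {attrs.get('dataSource', '?')} has {leaked:.0f} leaked connection(s)")
    return findings


def scan(lines) -> List[str]:
    """Parse and check every line; unparseable lines are reported, not dropped."""
    findings: List[str] = []
    for line in lines:
        attrs = parse_event(line)
        if attrs is None:
            findings.append("unparsed line: " + line[:60])
            continue
        findings.extend(check_event(attrs))
    return findings


# Constructed sample lines, condensed from the guide's samples and joined onto
# one line each; waitForConnReqs=3 replaces the guide's 0 to exercise the rule.
SAMPLE_EVENTS = [
    "<134>Jan 22 02:15:23 10.1.2.16 java: [PH_DEV_MON_WEBSPHERE_DB_POOL]:[eventSeverity]=PHL_INFO,"
    "[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=8880,"
    "[appVersion]=IBM WebSphere Application Server 7.0.0.11,[appServerInstance]=server1,"
    "[jdbcProvider]=Derby JDBC Provider (XA),[dataSource]=DefaultEJBTimerDataSource,[poolSize]=0,"
    "[closedConns]=0,[activeConns]=0,[waitForConnReqs]=3,[connUseTime]=0,[connFactoryType]=,[peakConns]=0",
    "<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_MEMORY]:[eventSeverity]=PHL_INFO,"
    "[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,"
    '[appVersion]=6.1.0.Final "Neo",[appServerState]=STARTED,[heapUsedKB]=188629,[heapMaxKB]=466048,'
    "[heapUtil]=66,[nonHeapUsedKB]=106751,[nonHeapMaxKB]=311296,[nonHeapUtil]=99",
    # ASP.NET events carry no syslog header at all.
    "[PH_DEV_MON_APP_ASPNET_MET]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,"
    "[lineNumber]=4868,[hostName]=QA-EXCHG,[hostIpAddr]=172.16.10.28,"
    "[appGroupName]=Microsoft ASPNET,[aspReqExecTimeMs]=0,[aspReqQueued]=0",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The lazy-value regex is the whole trick: it commits to a value only when the next ",[name]=" token or the end of the line is in sight, which is why the GlassFish appVersion with its spaces and the WebLogic appVersion with its trailing space both come through unchanged.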

Redhat JBOSS

• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials
• Sample Event for JBOSS Metrics

What is Discovered and Monitored

Protocol: JMX
Information discovered and metrics collected:
Generic information: Application version, Application port
Availability metrics: Uptime, Application Server State
CPU metrics: Application server instance, CPU utilization
Memory metrics: Heap utilization, Heap used memory, Heap free memory, Heap max memory, Heap commit memory, Max
System dumps on disk, Max heap dumps on disk
Servlet metrics: Application name, Web application name, Servlet Name, Invocation count, Request errors
Database pool metrics: Application server instance, JDBC provider, Data source, Pool size, Closed connections,
Active Connections, Requests wait for connections, Connection use time, Connection factory type, Peak connections
Thread pool metrics: Application server instance, Thread pool name, Execute threads, Peak execute threads
Application level metrics: Application name, Web application name, Application server instance, Web application
context root, Active sessions, Peak active sessions
EJB metrics: Application name, Application server instance, EJB component name
Used for: Performance Monitoring

Event Types

In ADMIN > Device Support > Event, search for "jboss" in the Description column to see the event types associated
with this device.

Reports

In RESOURCE > Reports, search for "jboss" in the Name column to see the reports associated with this application
or device.

Configuration

Configuring JMX on the JBOSS Application Server

Changing the Default JMX Port


The default port for JMX is 1090. If you want to change it, modify the file
${JBoss_Home}\server\default\conf\bindingservice.beans\META-INF\bindings-jboss-beans.xml.
<bean class="org.jboss.services.binding.ServiceBindingMetadata">
  <property name="serviceName">jboss.remoting:service=JMXConnectorServer,protocol=rmi</property>
  <property name="port">1090</property>
  <property name="description">RMI/JRMP socket for connecting to the JMX MBeanServer</property>
</bean>

1. Enable the authentication security check. Open the file ${JBoss_Home}\server\default\deploy\jmx-jboss-beans.xml,
find the JMXConnector bean, and uncomment the securityDomain property.
<bean name="JMXConnector" class="org.jboss.system.server.jmx.JMXConnector">
  <!-- configuration properties -->
  <!-- To enable authentication security checks, uncomment the following -->
  <!-- UNCOMMENT THIS --><property name="securityDomain">jmx-console</property>

2. Modify the file ${JBoss_Home}\server\default\conf\props\jmx-console-roles.properties to configure the JMX
administrator role.
admin=JBossAdmin,HttpInvoker

3. Modify the file ${JBoss_Home}\server\default\conf\props\jmx-console-users.properties to configure the
username and password for JMX.
admin=yourpassword

4. Configure DNS resolution for the JBOSS application server in your FortiSIEM Supervisor, Workers, and Collectors
by adding the IP address and DNS name of the JBOSS application server to their /etc/hosts files. If DNS is
already configured to resolve the JBOSS application server name, you can skip this step.
5. Start JBoss.
${JBoss_Home}/bin/run.sh -b 0.0.0.0
or
${JBoss_Home}/bin/run.sh -b ${Binding IP}
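Steps 1 to 3 above are exactly the settings that decide whether the JMX connector on port 1090 is an authenticated management interface or an open one, and the guide's "admin=yourpassword" is a placeholder that has a habit of surviving into production. The following Python audit is an added example, not FortiSIEM or JBoss code. It reads the RMI connector port from bindings-jboss-beans.xml, reports whether the securityDomain property on the JMXConnector bean is live (a property still inside an XML comment is invisible to the parser, which is precisely the "not yet uncommented" state), and checks that every user in jmx-console-users.properties has a real password and is mapped to JBossAdmin in jmx-console-roles.properties. The sample documents are constructed copies trimmed to the elements the checks read; the real files carry the urn:jboss:bean-deployer namespace, which the helper strips so the same functions work on them. The placeholder-password list and the fsiem user are constructed for the example.

```python
"""Audit the JMX settings the JBoss procedure above changes: the RMI connector
port in bindings-jboss-beans.xml, the securityDomain on the JMXConnector bean
in jmx-jboss-beans.xml, and the jmx-console users/roles property files.
Added example; not FortiSIEM or JBoss code."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

DEFAULT_JMX_PORT = 1090
# Values that mean the password was never set to anything real (constructed
# list; "yourpassword" is the placeholder the guide itself uses).
PLACEHOLDER_PASSWORDS = {"", "admin", "password", "yourpassword", "changeme"}


def _local(tag: str) -> str:
    """Strip a namespace prefix: real files use xmlns="urn:jboss:bean-deployer:2.0"."""
    return tag.rsplit("}", 1)[-1]


def _properties(bean: ET.Element) -> Dict[str, str]:
    """name -> text of the <property> children of a <bean>."""
    return {c.get("name", ""): (c.text or "").strip() for c in bean if _local(c.tag) == "property"}


def jmx_port(bindings_xml: str) -> Optional[int]:
    """Port of the jboss.remoting JMXConnectorServer binding, or None if absent."""
    for el in ET.fromstring(bindings_xml).iter():
        if _local(el.tag) != "bean":
            continue
        props = _properties(el)
        if props.get("serviceName", "").startswith("jboss.remoting:service=JMXConnectorServer"):
            return int(props["port"])
    return None


def jmx_auth_enabled(jmx_beans_xml: str) -> bool:
    """True only when the JMXConnector bean has a live securityDomain property."""
    for el in ET.fromstring(jmx_beans_xml).iter():
        if _local(el.tag) == "bean" and el.get("name") == "JMXConnector":
            return bool(_properties(el).get("securityDomain"))
    return False


def load_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader (key=value lines, # comments)."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out


def audit(bindings_xml: str, jmx_beans_xml: str, users_props: str, roles_props: str) -> List[str]:
    """Return a list of findings; an empty list means all three checks passed."""
    findings: List[str] = []
    port = jmx_port(bindings_xml)
    if port is None:
        findings.append("no JMXConnectorServer binding found in bindings-jboss-beans.xml")
    elif port != DEFAULT_JMX_PORT:
        findings.append(f"JMX RMI port is {port}, not the default {DEFAULT_JMX_PORT}; "
                        "the FortiSIEM credential must use the same port")
    if not jmx_auth_enabled(jmx_beans_xml):
        findings.append("securityDomain on JMXConnector is commented out: "
                        "JMX accepts unauthenticated clients")
    users = load_properties(users_props)
    roles = load_properties(roles_props)
    if not users:
        findings.append("jmx-console-users.properties defines no users")
    for user, password in users.items():
        if password.lower() in PLACEHOLDER_PASSWORDS:
            findings.append(f"user {user!r} still has a placeholder or empty password")
        user_roles = {r.strip() for r in roles.get(user, "").split(",") if r.strip()}
        if "JBossAdmin" not in user_roles:
            findings.append(f"user {user!r} is not mapped to the JBossAdmin role "
                            "in jmx-console-roles.properties")
    return findings


# Constructed sample documents, trimmed to the elements the checks read.
BINDINGS_XML = """<deployment>
  <bean class="org.jboss.services.binding.ServiceBindingMetadata">
    <property name="serviceName">jboss.remoting:service=JMXConnectorServer,protocol=rmi</property>
    <property name="port">1090</property>
  </bean>
</deployment>"""
JMX_BEANS_SECURED = """<deployment>
  <bean name="JMXConnector" class="org.jboss.system.server.jmx.JMXConnector">
    <property name="securityDomain">jmx-console</property>
  </bean>
</deployment>"""
JMX_BEANS_OPEN = """<deployment>
  <bean name="JMXConnector" class="org.jboss.system.server.jmx.JMXConnector">
    <!-- To enable authentication security checks, uncomment the following
    <property name="securityDomain">jmx-console</property>
    -->
  </bean>
</deployment>"""
USERS_PLACEHOLDER = "admin=yourpassword\n"
ROLES = "admin=JBossAdmin,HttpInvoker\n"

if __name__ == "__main__":
    for finding in audit(BINDINGS_XML, JMX_BEANS_OPEN, USERS_PLACEHOLDER, ROLES):
        print(finding)
```

Feed it the real files with open(...).read() from ${JBoss_Home}/server/default; a non-default port finding is informational and exists so the value you enter as Port in the FortiSIEM credential below matches what the server actually binds.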

Configuring FortiSIEM to Use the JMX Protocol with JBOSS Application Server

To configure JMX communications between your JBOSS application server and FortiSIEM, you must copy several files
from your application server to the JBOSS configuration directory for each FortiSIEM virtual appliance that will be used
for discovery and performance monitoring jobs. FortiSIEM does not include these files because of licensing restrictions.

JBOSS Version   Files to Copy

4.x, 5.x, 6.x   Copy ${JBoss_Home}/lib/jboss-bootstrap-api.jar to /opt/phoenix/config/JBoss/

7.0             No copying is necessary

7.1             Copy ${JBoss_Home}/bin/client/jboss-client.jar to /opt/phoenix/config/JBoss/

You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more
information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your Redhat JBOSS device over JMX:

Setting Value

Name jboss

Device Type Redhat JBOSS App Server

Access Protocol JMX

Pull Interval (minutes) 5

Port 8880

User Name The user you created in step 2

Password The password you created for the user in step 3

Sample Event for JBOSS Metrics

<134>Feb 06 11:38:35 10.1.2.16 java: [PH_DEV_MON_JBOSS_CPU]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,
[appVersion]=6.1.0.Final "Neo",[appServerState]=STARTED,[sysUpTime]=6202359,[cpuUtil]=2

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_MEMORY]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,
[appVersion]=6.1.0.Final "Neo",[appServerState]=STARTED,[freeMemKB]=264776,
[freeSwapMemKB]=1427864,[memTotalMB]=4095,[memUtil]=94,[swapMemUtil]=83,[swapMemTotalMB]=8189,
[virtMemCommitKB]=1167176,[heapUsedKB]=188629,[heapMaxKB]=466048,[heapCommitKB]=283840,
[heapUtil]=66,[nonHeapUsedKB]=106751,[nonHeapMaxKB]=311296,[nonHeapCommitKB]=107264,
[nonHeapUtil]=99

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_APP]:[eventSeverity]=PHL_INFO,
[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,
[appVersion]=6.1.0.Final "Neo",[webContextRoot]=//localhost/,[webAppState]=RUNNING,
[cacheMaxSize]=10240,[cacheTTL]=5000,[reqProcessTimeAvg]=10472,[startTime]=1353919592,
[cookiesAllowed]=true,[cachingAllowed]=true,[linkingAllowed]=false,[crossContextAllowed]=true


<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_SERVLET]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appVersion]=6.1.0.Final "Neo",[webAppName]=//localhost/admin-console,[servletName]=Faces Servlet,[totalRequests]=6,[reqErrors]=0,[loadTime]=0,[reqProcessTimeAvg]=10610

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_DB_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appVersion]=6.1.0.Final "Neo",[dataSource]=DefaultDS,[dataSourceState]=Started

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_REQUEST_PROCESSOR]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appVersion]=6.1.0.Final "Neo",[reqProcessorName]=ajp-0.0.0.0-8009,[recvBytes]=0,[sentBytes]=0,[reqProcessTimeAvg]=0,[reqProcessTimeMax]=0,[totalRequests]=0,[reqRate]=0,[reqErrors]=0

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_EJB]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appVersion]=6.1.0.Final "Neo",[ejbComponentName]=ejbjar.jar,[ejbBeanName]=HelloWorldBeanRemote,[ejbAvailCount]=0,[ejbCreateCount]=0,[ejbCurrCount]=0,[ejbMaxCount]=0,[ejbRemovedCount]=0,[ejbInstanceCacheCount]=null,[ejbPassivations]=null,[ejbTotalInstanceCount]=null

<134>Feb 06 11:38:36 10.1.2.16 java: [PH_DEV_MON_JBOSS_THREAD_POOL]:[eventSeverity]=PHL_INFO,[destIpAddr]=10.1.2.16,[hostIpAddr]=10.1.2.16,[hostName]=SH-WIN08R2-JMX,[destDevPort]=1090,[appVersion]=6.1.0.Final "Neo",[threadPoolName]=ajp-0.0.0.0-8009,[appPort]=8009,[totalThreads]=0,[busyThreads]=0,[maxThreads]=2048,[threadPriority]=5,[pollerSize]=32768,[threadPoolIsDaemon]=true


Authentication Server

FortiSIEM supports these authentication servers for discovery and monitoring.


l Cisco Access Control Server (ACS)
l Cisco Duo
l Cisco Identity Solution Engine (ISE)
l CyberArk Password Vault
l Fortinet FortiAuthenticator
l Juniper Networks Steel-Belted RADIUS
l Microsoft Internet Authentication Server (IAS)
l Microsoft Network Policy Server (RAS VPN)
l OneIdentity Safeguard
l Vasco DigiPass


Cisco Access Control Server (ACS)

l What is Discovered and Monitored
l Configuration
l Settings for Access Credentials

What is Discovered and Monitored

Protocol  Information discovered              Metrics collected                                                                                                  Used for
SNMP      Application type                    Process level CPU utilization, Memory utilization                                                                  Performance Monitoring
WMI       Application type, service mappings  Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O                             Performance Monitoring
Syslog    Application type                    Successful and Failed Authentications, Successful and Failed administrative logons, RADIUS accounting logs         Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event, search for "cisco secure acs" in the Device Type and Description column to
see the event types associated with this device.

Configuration

SNMP

1. Log into the device you want to enable SNMP for as an administrator.
2. Go to Control Panel > Programs and Features.
3. Click Turn Windows features on or off.
4. If you are installing on a Windows 7 device, select Simple Network Management Protocol (SNMP).
   If you are installing on a Windows 2008 device, in the Server Manager window, go to Features > Add features > SNMP Services.
5. If necessary, select SNMP to enable the service.
6. Go to Programs > Administrative Tools > Services.
7. Select SNMP Service, right-click it, and select Properties. The Properties dialog is where you set the SNMP community string and include FortiSIEM in the list of hosts that can access this server via SNMP.
8. On the Security tab, add a community string with READ ONLY rights. Choose your own value and enter the same value in the FortiSIEM SNMP credential (see Settings for Access Credentials below); avoid the well-known default public, which is the first value anyone scanning UDP 161 will try.
9. Still on the Security tab, select Accept SNMP packets from these hosts and enter the FortiSIEM IP address, so that only FortiSIEM can query the agent.
10. Restart the SNMP service.


WMI

Configuring WMI on your device so FortiSIEM can discover and monitor it requires you to create a user who has access
to WMI objects on the device. There are two ways to do this:
l Creating a Generic User Who Does Not Belong to the Local Administrator Group
l Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users
Group and the Performance Monitor Users Group

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and
Groups.
2. Right-click Users and select Add User.
3. Create a user.
4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
5. In the Distributed COM Users Properties dialog, click Add.
6. Find the user you created, and then click OK.
This is the account you must use to set up the Performance Monitor Users group permissions.
7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local
Access and Remote Access set to Allowed.
5. Click OK.
6. Under Access Permissions, click EditDefault.
7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local
Access and Remote Access set to Allowed.
8. Click OK.
9. Under Launch and Activation Permissions, click Edit Limits.
10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the
permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. Click OK.
12. Under Launch and Activation Permissions, click Edit Defaults.
13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the
permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.


See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the
Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account. A member of Domain Admins can do far more than read WMI counters, so prefer the non-administrative account described above and use this option only where that account cannot be made to work.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select New > User.
3. Create a user in your domain. The examples in this guide use the @accelops.com domain, for example [email protected].
4. Go to Groups, right-click Domain Admins, and then click Properties.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. For Enter the object names to select, enter the user you created in step 3.
7. Click OK to close the Domain Admins Properties dialog.
8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the Com Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both
Local Access and Remote Access.
5. Click OK.
6. In the Com Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for
both Local Access and Remote Access.
8. Click OK.
9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local
Launch, Remote Launch, Local Activation, and Remote Activation.
11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local
Launch, Remote Launch, Local Activation, and Remote Activation.


Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored
device.
1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and
Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security tab.
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the
permission Allow for Enable Account and Remote Enable.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

1. In the Start menu, select Run.
2. Run gpedit.msc.
3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
5. Enable Windows Firewall: Allow remote administration exception.
6. Run cmd.exe and enter these two commands. The first opens the RPC endpoint mapper port that every DCOM connection starts on; the second allows the WMI callback helper through the firewall:
   netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
   netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP
   Port 135 only brokers the connection; the WMI/DCOM session itself is then carried on a dynamically assigned port, which is why the remote administration exception in step 5 is also required.
7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

1. Go to Control Panel > Windows Firewall.


2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and then click OK.


Syslog

1. Log in to your Cisco Access Control Server as an administrator.


2. Go to Start > All Programs > CiscoSecure ACS v4.1 > ACS Admin.
3. In the left-hand navigation, click System Configuration, then click Logging.
4. Select Syslog for Failed Attempts, Passed Authentication, and RADIUS Accounting to send these reports
to FortiSIEM.
5. For each of these reports, click Configure under CSV, and select the following attributes to include in the CSV
output.

Report: Failed Attempts
CSV Attributes:
l Message-Type
l User-Name
l NAS-IP-Address
l Authen-Failure-Code
l Author-Failure-Code
l Caller-ID
l NAS-Port
l Author-Date
l Group-Name
l Filter Information
l Access Device
l AAA Server

Report: Passed Authentication
CSV Attributes:
l Message-Type
l User-Name
l NAS-IP-Address
l Authen-Failure-Code
l Author-Failure-Code
l Caller-ID
l NAS-Port
l Author-Date
l Group-Name
l Filter Information
l Access Device
l AAA Server
l Proxy-IP-Address
l Source-NAS
l PEAP/EAP-FAST-Clear-Name
l Real Name

Report: RADIUS Accounting
CSV Attributes:
l User-Name
l NAS-IP-Address
l NAS-Port
l Group-Name
l Service-Type
l Framed-Protocol
l Framed-IP-Address
l Calling-Station-Id
l Acct-Status-Type
l Acct-Input-Octets
l Acct-Output-Octets
l Acct-Session-Id
l Acct-Session-Time
l Acct-Input-Packets
l Acct-Output-Packets

6. For each of these reports, click Configure under Syslog. For Syslog Server, enter the IP address of the FortiSIEM virtual appliance that will receive the syslogs, enter 514 for Port, and set Max message length to 1024.
7. To make sure your changes take effect, go to System Configuration > Service Control, and click Restart ACS.

These reports carry user names, NAS addresses and accounting data in plaintext syslog, so keep the path between ACS and the FortiSIEM collector on a trusted network segment.

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set
the Name and Community String.

Setting           Value
Name              <set name>
Device Type       Generic
Access Protocol   SNMP
Community String  <your own>


Cisco Identity Solution Engine (ISE)

l Integration points
l Configuring Cisco ISE
l Configuring FortiSIEM
l Access Credentials
l Parsing and Events

Integration points

Protocol  Information Discovered    Used For
Syslog    AAA log - authentication  Security and Compliance

Configuring Cisco ISE

Follow Cisco ISE documentation to send syslog to FortiSIEM.

Configuring FortiSIEM

FortiSIEM automatically recognizes Cisco ISE syslog as long as it follows the format shown in this sample. The three numbers after the CISE_ category (0000066354 3 0) are the message sequence number, the number of syslog segments the message was split into, and this segment's index; long ISE messages arrive as several such segments that share one sequence number.

<181>Sep 21 06:50:51 fcmb-hq-psn01 CISE_Passed_Authentications 0000066354 3 0 2016-09-21 06:50:51.516 +01:00 2915312533 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=287, Device IP Address=1.1.1.1, DestinationIPAddress=1.1.1.2, DestinationPort=1812, UserName=00-15-65-20-33-E5, Protocol=Radius, RequestLatency=33, NetworkDeviceName=ACME, User-Name=johndoe, NAS-IP-Address=1.1.1.2, NAS-Port=50009, Service-Type=Call Check, Framed-IP-Address=1.1.1.2, Framed-MTU=1500, Called-Station-ID=38-1C-1A-87-87-09, Calling-Station-ID=00-15-65-20-33-E5, NAS-Port-Type=Ethernet, NAS-Port-Id=FastEthernet0/9, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=AC1B35F8000001240FC38F8A, OriginalUserName=0015652033e5, AcsSessionID=fcmb-hq-psn01/251903157/22970712, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=IP_Phones,
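The following is an added example, not code from the guide or from Fortinet, showing what a parser for this format has to do before any rule can run: reassemble the segments of one ISE message by (host, sequence number), split the key=value list without breaking values such as cisco-av-pair=service-type=Call Check, keep repeated keys as a list, and then count Failed_Attempts per user as a brute-force rule would. The input is constructed from the sample line above and split into three segments; the CISE_Failed_Attempts line, its code 5400 and its FailureReason text are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the ISE line shown above: one Passed_Authentications
# message that ISE split into three syslog segments (sequence 0000066354, 3 segments,
# indices 0..2), followed by a single-segment Failed_Attempts message (assumed content).
SAMPLE_LINES = [
    "<181>Sep 21 06:50:51 fcmb-hq-psn01 CISE_Passed_Authentications 0000066354 3 0 "
    "2016-09-21 06:50:51.516 +01:00 2915312533 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, ConfigVersionId=287, Device IP Address=1.1.1.1, "
    "DestinationIPAddress=1.1.1.2, DestinationPort=1812, UserName=00-15-65-20-33-E5, "
    "Protocol=Radius, User-Name=johndoe, NAS-IP-Address=1.1.1.2, NAS-Port=50009, ",
    "<181>Sep 21 06:50:51 fcmb-hq-psn01 CISE_Passed_Authentications 0000066354 3 1 "
    "Service-Type=Call Check, Calling-Station-ID=00-15-65-20-33-E5, EAP-Key-Name=, "
    "cisco-av-pair=service-type=Call Check, "
    "cisco-av-pair=audit-session-id=AC1B35F8000001240FC38F8A, ",
    "<181>Sep 21 06:50:51 fcmb-hq-psn01 CISE_Passed_Authentications 0000066354 3 2 "
    "AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, "
    "SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=IP_Phones,",
    "<181>Sep 21 06:51:02 fcmb-hq-psn01 CISE_Failed_Attempts 0000066355 1 0 "
    "2016-09-21 06:51:02.004 +01:00 2915312534 5400 NOTICE Failed-Attempt: "
    "Authentication failed, ConfigVersionId=287, Device IP Address=1.1.1.1, "
    "User-Name=johndoe, NAS-IP-Address=1.1.1.2, "
    "FailureReason=22040 Wrong password or invalid shared secret,",
]

# Syslog header plus the ISE segment header: category, sequence, segment count, segment index.
SEGMENT_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<category>CISE_\w+) (?P<seq>\d+) (?P<nseg>\d+) (?P<seg>\d+) (?P<body>.*)$"
)
# Body of a reassembled message: timestamp, session id, message code, severity, title, text.
BODY_RE = re.compile(
    r"^(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d\d:\d\d) (?P<session>\d+) "
    r"(?P<code>\d+) (?P<severity>[A-Z]+) (?P<title>[^:]+): (?P<text>.*)$"
)
# Split the attribute list on ", " only where the next token looks like a key; values
# such as "service-type=Call Check" may themselves contain "=" and spaces.
ATTR_SPLIT_RE = re.compile(r", (?=[A-Za-z][\w .\-]*=)")


def parse_body(host, category, seq, body):
    """Turn one complete ISE message body into a dict; repeated keys become lists."""
    m = BODY_RE.match(body)
    if not m:
        raise ValueError("unrecognised ISE message body: %r" % body[:60])
    event = {"host": host, "category": category, "sequence": seq, "when": m["when"],
             "code": m["code"], "severity": m["severity"], "title": m["title"],
             "description": "", "attributes": {}}
    for item in ATTR_SPLIT_RE.split(m["text"].rstrip(", ")):
        if "=" not in item:                 # leading free text, e.g. "Authentication succeeded"
            event["description"] = item
            continue
        key, value = item.split("=", 1)
        attrs = event["attributes"]
        if key in attrs:                    # e.g. several cisco-av-pair attributes
            if not isinstance(attrs[key], list):
                attrs[key] = [attrs[key]]
            attrs[key].append(value)
        else:
            attrs[key] = value
    return event


class IseReassembler:
    """Buffer segments keyed on (host, sequence) and parse once all have arrived."""

    def __init__(self):
        self._pending = defaultdict(dict)

    def feed(self, line):
        m = SEGMENT_RE.match(line)
        if not m:
            return None
        key = (m["host"], m["seq"])
        parts = self._pending[key]
        parts[int(m["seg"])] = m["body"]
        if len(parts) < int(m["nseg"]):
            return None                     # still waiting for the remaining segments
        del self._pending[key]
        # Segments are concatenated without a separator: ISE may split mid-token.
        body = "".join(parts[i] for i in sorted(parts))
        return parse_body(m["host"], m["category"], m["seq"], body)


def parse_ise_lines(lines):
    reassembler = IseReassembler()
    return [ev for ev in map(reassembler.feed, lines) if ev]


def failed_logins_by_user(events):
    """Per-user count of Failed_Attempts: the input a brute-force threshold rule would use."""
    counts = defaultdict(int)
    for ev in events:
        if ev["category"] == "CISE_Failed_Attempts":
            counts[ev["attributes"].get("User-Name", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    events = parse_ise_lines(SAMPLE_LINES)
    for ev in events:
        print(ev["category"], ev["code"], ev["attributes"].get("User-Name"), ev["description"])
    print(failed_logins_by_user(events))
```

A segment that never gets its siblings stays in the reassembler's buffer; a production collector would expire such entries after a few seconds rather than hold them forever.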

Access Credentials

For Device Type Cisco Identity Solutions Engine, see Access Credentials.

Parsing and Events

Over 20 events are parsed – see event Types in Resources > Event Types and search for 'Cisco-ISE'.


Cisco Duo

l What is Discovered and Monitored
l Event Types
l Rules
l Reports
l Configuring Cisco Duo
l Configuring FortiSIEM
l Sample Events

What is Discovered and Monitored

Protocol  Information Discovered               Metrics/LOGs Collected  Used For
API       Host name and Device Type from LOG   4 log types             Security and Compliance

Event Types

Go to Admin > Device Type > Event Types and search for “Cisco-Duo”.

Rules

None

Reports

None

Configuring Cisco Duo

Follow these steps to configure Cisco Duo to send logs to FortiSIEM.

1. Contact Cisco Duo support to enable the Admin API.
2. Create a credential for FortiSIEM: open the Cisco Duo Admin Panel and go to Applications > Admin API.
3. Record the Integration key, Secret key, and API hostname; you will enter them in FortiSIEM. Give this Admin API application only the permission it needs to read logs, and treat the secret key as a password: anyone holding it can read your organization's authentication history.


Configuring FortiSIEM

Follow these steps to configure FortiSIEM to receive Cisco Duo logs.


1. In the FortiSIEM UI, go to ADMIN > Setup > Credentials.
2. Click New to create a Cisco Duo credential.

Use these Access Method Definition settings to allow FortiSIEM to access Cisco Duo logs.

Setting                  Value
Name                     Enter a name for the credential.
Device Type              Cisco Duo Security
Access Protocol          Cisco Duo Admin REST API
Pull Interval (minutes)  2
Integration Key          Enter the integration key you obtained from Cisco Duo.
Secret Key               Enter the secret key you obtained from Cisco Duo.
Description              Enter an optional description for the credential.

3. Under Step 2: Enter IP Range to Credential Associations, click Add to associate the credential with the API hostname you recorded from Cisco Duo.
4. Select Test Connectivity without Ping. A pop-up shows the connectivity results.
5. Go to the ANALYTICS page and check for Cisco Duo logs.

Sample Events

These events are collected via API:


[FSM-CiscoDuo-Auth] [1] {"access_device":{"browser":"Chrome","browser_version":"67.0.3396.99","flash_version":"uninstalled","hostname":"null","ip":"169.232.89.219","java_version":"uninstalled","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"os":"Mac OS X","os_version":"10.14.1"},"application":{"key":"DIY231J8BR23QK4UKBY8","name":"Microsoft Azure Active Directory"},"auth_device":{"ip":"192.168.225.254","location":{"city":"Ann Arbor","country":"United States","state":"Michigan"},"name":"My iPhone X (734-555-2342)"},"event_type":"authentication","factor":"duo_push","reason":"user_approved","result":"success","timestamp":1532951962,"trusted_endpoint_status":"not trusted","txid":"340a23e3-23f3-23c1-87dc-1491a23dfdbb","user":{"key":"DU3KC77WJ06Y5HIV7XKQ","name":"[email protected]"}}


CyberArk Password Vault

What is Discovered and Monitored

Protocol                            Information discovered  Logs parsed                   Used for
Syslog (CEF formatted and others)                           CyberArk Safe Activity        Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event, search for "CyberArk-Vault" in the Device Type column to see the event types
associated with this device.

Rules

In RESOURCE > Rules, search for "CyberArk":


l CyberArk Vault Blocked Failure
l CyberArk Vault CPM Password Disables
l CyberArk Vault Excessive Failed PSM Connections
l CyberArk Vault Excessive Impersonations
l CyberArk Vault Excessive PSM Keystroke Logging Failure
l CyberArk Vault Excessive PSM Session Monitoring Failure
l CyberArk Vault Excessive Password Release Failure
l CyberArk Vault File Operation Failure
l CyberArk Vault Object Content Validation Failure
l CyberArk Vault Unauthorized User Stations
l CyberArk Vault User History Clear

Reports

In RESOURCE > Reports, search for "CyberArk":


l CyberArk Blocked Operations
l CyberArk CPM Password Disables
l CyberArk CPM Password Retrieval
l CyberArk File Operation Failures
l CyberArk Impersonations
l CyberArk Object Content Validation Failures
l CyberArk PSM Monitoring Failures
l CyberArk Password Resets
l CyberArk Privileged Command Operations

l CyberArk Provider Password Retrieval
l CyberArk Trusted Network Area Updates
l CyberArk Unauthorized Stations
l CyberArk User History Clears
l CyberArk User/Group Modification Activity
l CyberArk Vault CPM Password Reconcilations
l CyberArk Vault CPM Password Verifications
l CyberArk Vault Configuration Changes
l CyberArk Vault Failed PSM connections
l CyberArk Vault Modification Activity
l CyberArk Vault PSM Keystore Logging Failures
l CyberArk Vault Password Changes from CPM
l CyberArk Vault Password Release Failures
l CyberArk Vault Successful PSM Connections
l Top CyberArk Event Types
l Top CyberArk Safes, Folders By Activity
l Top CyberArk Users By Activity

CyberArk Configuration for sending syslog in a specific format

1. Open the \PrivateArk\Server\DBParm.ini file and edit the SYSLOG section:
   a. SyslogServerIP – Specify the FortiSIEM supervisor, workers and collectors, separated by commas.
   b. SyslogServerProtocol – Set to the default value of UDP.
   c. SyslogServerPort – Set to the default value of 514.
   d. SyslogMessageCodeFilter – Set to the default range 0-999.
   e. SyslogTranslatorFile – Set to Syslog\FortiSIEM.xsl.
   f. UseLegacySyslogFormat – Set to the default value of No.
2. Copy the FortiSIEM.xsl translator file to the Syslog subfolder specified by the SyslogTranslatorFile parameter in DBParm.ini.
3. Stop and Start the Vault (Central Server Administration) for the changes to take effect.

With the default UDP transport these records, which name the issuer, the safe and the password object, travel in cleartext; keep the Vault-to-collector path on a trusted segment. Make sure the syslog format is as follows.

<5>1 2016-02-02T17:24:42Z SJCDVVWCARK01 CYBERARK: Product="Vault";Version="9.20.0000";MessageID="295";Message="Retrieve password";Issuer="Administrator";Station="10.10.110.11";File="Root\snmpCommunity";Safe="TestPasswords";Reason="Test";Severity="Info"
<30>Mar 22 20:13:42 VA461_1022 CyberArk AIM[2453]: APPAP097I Connection to the Vault has been restored
<27>Mar 22 20:10:50 VA461_1022 CyberArk AIM[2453]: APPAP289E Connection to the Vault has failed. Further attempts to connect to the Vault will be avoided for [1] minutes.
<27>Mar 24 23:41:58 VA461_1022 CyberArk AIM[2453]: APPAU002E Provider [Prov_VA461_1022] has failed to fetch password with query [Safe=TestPutta;Object=Telnet91] for application [FortiSIEM]. Fetch reason: [APPAP004E Password object matching query
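The following is an added example, not code from the guide or from CyberArk, that parses both line shapes shown above (the Vault record with ;-separated key="value" pairs, and the AIM line whose message code ends in I, W or E for the level) and runs one detection over them: an Issuer retrieving more than a handful of distinct password objects in a short window, which is the pattern behind credential harvesting from a vault. The rule, its threshold and window are this example's own choices, not one of the FortiSIEM rules listed above; MessageID 295 is taken from the sample record. The extra retrieval records are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Vault audit record in the FortiSIEM.xsl layout shown above (RFC 5424 style header,
# then ;-separated key="value" pairs) and the AIM/Credential Provider line format.
VAULT_RE = re.compile(r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) CYBERARK: (?P<fields>.*)$')
FIELD_RE = re.compile(r'(?P<key>\w+)="(?P<value>[^"]*)"')
AIM_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'CyberArk AIM\[(?P<pid>\d+)\]: (?P<code>APP[A-Z]{2}\d{3}[IWE]) (?P<message>.*)$'
)
AIM_LEVELS = {"I": "Info", "W": "Warning", "E": "Error"}


def parse_cyberark(line):
    """Return a dict for a Vault or AIM syslog line, or None if the line is neither."""
    m = VAULT_RE.match(line)
    if m:
        event = dict(FIELD_RE.findall(m["fields"]))
        event["source"] = "vault"
        event["host"] = m["host"]
        event["time"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return event
    m = AIM_RE.match(line)
    if m:
        # The last letter of the AIM message code carries the level (I/W/E).
        return {"source": "aim", "host": m["host"], "code": m["code"],
                "level": AIM_LEVELS[m["code"][-1]], "Message": m["message"]}
    return None


class RetrievalBurstRule:
    """Example rule (not one of FortiSIEM's): alert when one Issuer retrieves more than
    `threshold` distinct password objects (Safe/File) within `window` seconds.
    MessageID 295 is the "Retrieve password" record shown in the sample above."""

    def __init__(self, threshold=5, window=300):
        self.threshold, self.window = threshold, window
        self._recent = defaultdict(deque)   # issuer -> deque of (time, "Safe/File")

    def feed(self, event):
        if event.get("source") != "vault" or event.get("MessageID") != "295":
            return None
        history = self._recent[event["Issuer"]]
        history.append((event["time"], event["Safe"] + "/" + event["File"]))
        while (event["time"] - history[0][0]).total_seconds() > self.window:
            history.popleft()               # drop retrievals that fell out of the window
        objects = {obj for _, obj in history}
        if len(objects) > self.threshold:
            return {"issuer": event["Issuer"], "station": event.get("Station"),
                    "objects": sorted(objects)}
        return None


def run_rule(lines, threshold=5, window=300):
    rule = RetrievalBurstRule(threshold, window)
    alerts = []
    for line in lines:
        event = parse_cyberark(line)
        alert = rule.feed(event) if event else None
        if alert:
            alerts.append(alert)
    return alerts


def _vault_line(ts, file):
    # Builds constructed records in the same layout as the page's sample record.
    return ('<5>1 %s SJCDVVWCARK01 CYBERARK: Product="Vault";Version="9.20.0000";MessageID="295";'
            'Message="Retrieve password";Issuer="Administrator";Station="10.10.110.11";'
            'File="%s";Safe="TestPasswords";Reason="Test";Severity="Info"' % (ts, file))


# Constructed input: three of the complete sample lines from the page, plus five further
# retrievals of different objects by the same Issuer within five minutes.
SAMPLE_LINES = [
    r'<5>1 2016-02-02T17:24:42Z SJCDVVWCARK01 CYBERARK: Product="Vault";Version="9.20.0000";MessageID="295";Message="Retrieve password";Issuer="Administrator";Station="10.10.110.11";File="Root\snmpCommunity";Safe="TestPasswords";Reason="Test";Severity="Info"',
    "<30>Mar 22 20:13:42 VA461_1022 CyberArk AIM[2453]: APPAP097I Connection to the Vault has been restored",
    "<27>Mar 22 20:10:50 VA461_1022 CyberArk AIM[2453]: APPAP289E Connection to the Vault has failed. Further attempts to connect to the Vault will be avoided for [1] minutes.",
] + [_vault_line("2016-02-02T17:%02d:00Z" % minute, r"Root\db%d" % minute) for minute in range(25, 30)]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_LINES):
        print(alert)
```

The sliding window is kept per Issuer only; a real deployment would also key on Station, since the same administrator account used from two workstations at once is itself worth a look.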


Fortinet FortiAuthenticator

l What is Discovered and Monitored
l Event Types
l Configuration

What is Discovered and Monitored

Protocol  Information Discovered                        Data Collected                                  Used for
SNMP      Vendor, OS, Model, Network Interfaces         Interface Stat, Authentication Stat             Performance Monitoring
Syslog    LOG Discovery                                 Over 150 event types                            Security and Compliance

Event Types

In RESOURCE > Event Types, search for "Fortinet-FortiAuthenticator".

Sample Event Type:
<14>Aug 14 22:32:52 db[16987]: category="Event" subcategory="Authentication" typeid=20995 level="information" user="admin" nas="" action="Logout" status="" Administrator 'admin' logged out

Configuration

Configure FortiAuthenticator to send syslog on port 514 to FortiSIEM.

FortiSIEM Access Credentials

For Device Type Fortinet FortiAuthenticator, see Access Credentials.


Juniper Networks Steel-Belted RADIUS

What is Discovered and Monitored

Protocol  Information discovered              Metrics collected                                                                                                  Used for
SNMP      Application type                    Process level CPU utilization, Memory utilization                                                                  Performance Monitoring
WMI       Application type, service mappings  Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O                             Performance Monitoring
Syslog    Application type                    Successful and Failed Authentications, Successful and Failed administrative logons, RADIUS accounting logs         Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event, search for "Juniper Steel-Belted RADIUS" in the Device Type column to see
the event types associated with this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Syslog

1. Log in as administrator.
2. Install and configure the Epilog application (InterSect Alliance) to convert the log files written by the Steel-Belted RADIUS server into syslog messages and send them to FortiSIEM:
   a. Download Epilog from the InterSect Alliance download site and install it on your Windows Server.
   b. Launch Epilog from Start > All Programs > InterSect Alliance > Epilog for windows.
   c. Configure the Epilog application as follows:
      i. Select Log Configuration in the left-hand panel and click Add to add the log files whose content must be sent to FortiSIEM. Make sure the paths are the ones the Steel-Belted RADIUS server actually writes to, and that the Log Type is SteelbeltedLog.
      ii. Select Network Configuration in the left-hand panel. On the right, set the destination address to that of the FortiSIEM server and the port to 514, and make sure that the syslog header is enabled. Then click Change Configuration.
      iii. Click the "Apply the latest audit configuration" link on the left-hand side to apply the changes to Epilog. The Steel-Belted RADIUS logs will now be sent to FortiSIEM in real time.


Microsoft Internet Authentication Server (IAS)

l What is Discovered and Monitored
l Configuration

What is Discovered and Monitored

Protocol       Information Discovered  Metrics Collected  Used For
WMI
Syslog
Windows Agent                                             IAS logs

Event Types

In ADMIN > Device Support > Event, search for "microsoft ias" in the Description column to see the event types associated with this device.

Configuration

WMI

See WMI Configurations in the Microsoft Windows Server Configuration section.

Syslog

You must configure your Microsoft Internet Authentication Server to save logs, and then you can use the Windows
Agent Manager to configure the type of log information you want sent to FortiSIEM.
1. Log in to your server as an administrator.
2. Go to Start > Administrative Tools > Internet Authentication Service.
3. In the left-hand navigation, select Remote Access Logging, then select Local File.
4. Right-click on Local File to open the Properties menu, and then select Log File.
5. For Directory, enter C:\WINDOWS\system32\LogFiles\IAS.
6. Click OK.
You can now use the Windows Agent Installation Guide to configure what information will be sent to FortiSIEM.


Microsoft Network Policy Server (RAS VPN)

l Integration Points
l Configuration
l Setting for Access Credentials
l Sample Events

Integration Points

Method  Information discovered   Metrics collected  LOGs collected           Used for
Syslog  Host name, Reporting IP  None               AAA based login events   Security monitoring

Event Types

In ADMIN > Device Support > Event, search for "MS-NPS" to see the event types associated with this device.

Rules

No specific rules are written for Microsoft Network Policy Server, but the regular AAA Server rules apply.

Reports

No specific reports are written for Microsoft Network Policy Server, but the regular AAA Server reports apply.

Configuration

Configure Microsoft Network Policy Server system to send logs to FortiSIEM in the supported format (see Sample
Events). See https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-accounting-
configure.

Settings for Access Credentials

None required.

Sample Events

"HOSTXXVPN","RAS",03/10/2019,03:47:04,4,"domain\user",,"10.1.1.130","192.168.22.2",,"172.17.220.130","HOSTXXVPN","10.5.5.212",387,,"10.5.5.212","HOSTXXVPN",1552214822,,5,,1,2,,,0,"311 1 fe80::a1bf:5c1c:7ebc:6ab7 02/07/2019 04:24:00 4805",,,,,2,,268050551,253119217,"4806",3,69101,833955,726102,1,"1251",1,,79617,1,"192.168.22.2","10.1.1.130",,,,,,,"MSRASV5.20",311,,"0x00504F4C42",0,,"Microsoft Routing and Remote Access Service Policy",,,,"MSRAS-0-HOST123413","MSRASV5.20"
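The sample above is an NPS accounting record in the IAS log format, a positional CSV whose leading columns are the record metadata (computer, service, date, time, packet type, user) followed by RADIUS attributes in a fixed order. The following is an added example, not code from the guide or from Microsoft, that labels those leading columns, names the packet type (4 is Accounting-Request), and then derives two things a SIEM wants from such records: the tunnel address to user mapping from accounting records, and Access-Reject counts per calling station. The column names are the standard IAS-format positions as understood here; the Access-Request and Access-Reject lines are constructed, and the Reason-Code 16 on the reject is an assumption for the example.

```python
import csv
import io

# Leading columns of the NPS "IAS format" log. The names are the standard positional
# attributes of that format; positions beyond Class are kept but left unlabelled.
IAS_COLUMNS = [
    "ComputerName", "ServiceName", "Record-Date", "Record-Time", "Packet-Type",
    "User-Name", "Fully-Qualified-Distinguished-Name", "Called-Station-ID",
    "Calling-Station-ID", "Callback-Number", "Framed-IP-Address", "NAS-Identifier",
    "NAS-IP-Address", "NAS-Port", "Client-Vendor", "Client-IP-Address",
    "Client-Friendly-Name", "Event-Timestamp", "Port-Limit", "NAS-Port-Type",
    "Connect-Info", "Framed-Protocol", "Service-Type", "Authentication-Type",
    "Policy-Name", "Reason-Code", "Class",
]
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}

SAMPLE_LOG = [
    # The accounting record shown above, re-joined onto one line.
    '"HOSTXXVPN","RAS",03/10/2019,03:47:04,4,"domain\\user",,"10.1.1.130","192.168.22.2",,'
    '"172.17.220.130","HOSTXXVPN","10.5.5.212",387,,"10.5.5.212","HOSTXXVPN",1552214822,,5,,1,2,,,0,'
    '"311 1 fe80::a1bf:5c1c:7ebc:6ab7 02/07/2019 04:24:00 4805",,,,,2,,268050551,253119217,"4806",'
    '3,69101,833955,726102,1,"1251",1,,79617,1,"192.168.22.2","10.1.1.130",,,,,,,"MSRASV5.20",311,,'
    '"0x00504F4C42",0,,"Microsoft Routing and Remote Access Service Policy",,,,"MSRAS-0-HOST123413","MSRASV5.20"',
    # Constructed: an Access-Request and the Access-Reject NPS returned for it (Reason-Code assumed).
    '"HOSTXXVPN","RAS",03/10/2019,03:48:10,1,"domain\\mallory",,"10.1.1.130","198.51.100.7",,,'
    '"HOSTXXVPN","10.5.5.212",388,,"10.5.5.212","HOSTXXVPN",1552214890,,5,,1,2,,,,',
    '"HOSTXXVPN","RAS",03/10/2019,03:48:10,3,"domain\\mallory",,"10.1.1.130","198.51.100.7",,,'
    '"HOSTXXVPN","10.5.5.212",388,,"10.5.5.212","HOSTXXVPN",1552214890,,5,,1,2,,,16,',
]


def parse_ias_line(line):
    """Parse one IAS-format line into a dict of the non-empty labelled columns."""
    fields = next(csv.reader(io.StringIO(line)))
    record = {name: value for name, value in zip(IAS_COLUMNS, fields) if value != ""}
    record["Packet-Type-Name"] = PACKET_TYPES.get(record.get("Packet-Type"), "Unknown")
    record["_unlabelled"] = fields[len(IAS_COLUMNS):]
    return record


def parse_ias_log(lines):
    return [parse_ias_line(line) for line in lines if line.strip()]


def vpn_address_map(records):
    """Tunnel address -> user, from Accounting-Request records: the join key that lets
    later traffic from the VPN pool be attributed to a person."""
    return {r["Framed-IP-Address"]: r["User-Name"] for r in records
            if r.get("Packet-Type") == "4" and "Framed-IP-Address" in r}


def rejects_by_caller(records):
    """Access-Reject count per Calling-Station-ID (the VPN client's source address)."""
    counts = {}
    for r in records:
        if r.get("Packet-Type") == "3":
            caller = r.get("Calling-Station-ID", "?")
            counts[caller] = counts.get(caller, 0) + 1
    return counts


if __name__ == "__main__":
    records = parse_ias_log(SAMPLE_LOG)
    for r in records:
        print(r["Packet-Type-Name"], r.get("User-Name"), r.get("Framed-IP-Address"), r.get("Reason-Code"))
    print(vpn_address_map(records), rejects_by_caller(records))
```

Note that the Event-Timestamp column is epoch seconds as the NAS reported them, while Record-Date and Record-Time are the NPS server's local clock; use one consistently when correlating with other sources.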


OneIdentity Safeguard (previously Balabit Privileged Session Management)

l Integration points
l Configuring OneIdentity Safeguard
l Parsing and Events

Integration points

Protocol  Information Discovered                  Used For
Syslog    Privileged session management events    Security and Compliance

Configuring OneIdentity Safeguard

Follow OneIdentity Safeguard documentation to send syslog to FortiSIEM.

Configuring FortiSIEM

FortiSIEM automatically recognizes OneIdentity Safeguard syslog as long as it follows the format shown in this sample syslog:
<123>2018-10-08T22:59:49+08:00 scbdemo.balabit zorp/scb_rdp[31769]: core.debug(4): (svc/i9CTbTzV2wrRur3quVRzF4/GET_gateway_rdp:498:2): After NAT mapping; nat_type='0', src_addr='AF_INET(10.19.9.245:0)', dst_addr='AF_INET(10.46.26.196:3389)', new_addr='AF_INET(10.11.101.30:0)'

Parsing and Events

Over 50 events are parsed – see event Types in Resources > Event Types and search for 'OneIdentity-Safeguard-'.


Vasco DigiPass

What is Discovered and Monitored

Protocol  Information discovered  Metrics collected                                                                   Used for
Syslog                            Successful and Failed Authentications, Successful and Failed administrative logons  Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event, search for "Vasco DigiPass" in the Device Type column to see the event types
associated with this device. Some important ones are:
l Vasco-DigiPass-KeyServer-AdminLogon-Success
l Vasco-DigiPass-KeyServer-UserAuth-Success
l Vasco-DigiPass-KeyServer-UserAuth-Failed
l Vasco-DigiPass-KeyServer-AccountLocked
l Vasco-DigiPass-KeyServer-AccountUnlocked

Configuration

Configure the Vasco DigiPass Management Console to send syslog to FortiSIEM. FortiSIEM parses the logs automatically. Make sure the syslog format is as follows. Note that administration records such as the first sample carry the full output of the command, including the user's static password history hash and key identifiers, so restrict who can search these events in FortiSIEM.

May 16 18:21:50 vascoservername ikeyserver[3575]: {Success}, {Administration}, {S-001003}, {A command of type [User] [Unlock] was successful.}, {0xA46B6230BA60B240CE48011B0C30D393}, {Source Location:10.1.2.3}, {Client Location:10.1.2.3}, {User ID:flast}, {Domain:company.com}, {Input Details: {User ID : flast} {Domain Name : company.com}}, {Output Details: {User ID : flast} {Password : ********} {Created Time : 2013/05/13 19:06:52} {Modified Time : 2013/05/16 18:21:49} {Has Digipass : Unassigned} {Status : 0} {Domain Name : company.com} {Local Authentication : Default} {Back-end Authentication : Default} {Disabled : no} {Lock Count : 0} {Locked : no} {Last Password Set Time : 2013/05/13 19:06:52} {Static Password History : d0NdVMhSdvdNEQJkkKTWmiq8iB4K1dWreMf5FQlZM7U=} {Key ID : SSMINSTALLSENSITIVEKEY}}, {Object:User}, {Command:Unlock}, {Client Type:Administration Program}

May 15 20:27:35 vascoservername ikeyserver[3575]: {Success}, {Administration}, {S-004001}, {An administrative logon was successful.}, {0x25AB20F3222F554A96CFFD2886AE4C71}, {Source Location:10.1.2.3}, {Client Location:10.1.2.3}, {User ID:admin}, {Domain:company.com}, {Client Type:Administration Program}

May 17 18:43:22 vascoservername ikeyserver[3582]: {Info}, {Initialization}, {I-002010}, {The SOAP protocol handler has been initialized successfully.}, {0x0E736D24D54E717E6F5DA6C09E89F8EE}, {Version:3.4.7.115}, {Configuration Details:IP-Address: 10.1.2.3, IP-Port: 8888, Supported-Cipher-Suite: HIGH, Server-Certificate: /var/identikey/conf/certs/soap-custom.pem, Private-Key-Password: ********, CA-Certificate-Store: /var/identikey/conf/certs/soap-ca-certificate-store.pem, Client-Authentication-Method: none, Reverify-Client-On-Reconnect: False, DPX-Upload-Location: /var/dpx/}


Database Server

FortiSIEM supports these database servers for discovery and monitoring.

- IBM DB2 Server
- Microsoft SQL Server
- Microsoft SQL Server Scripts
- MySQL Server
- Oracle Database Server


IBM DB2 Server

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
- Sample Events

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Application type
  Metrics collected: Process level CPU and memory utilization
  Used for: Performance Monitoring

Protocol: WMI
  Information discovered: Application type, service mappings
  Metrics collected: Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec
  Used for: Performance Monitoring

Protocol: JDBC
  Information discovered: None
  Metrics collected: Database audit trail: Successful and failed database log on, Database CREATE/DELETE/MODIFY operations, Table CREATE/DELETE/MODIFY/INSERT operations
  Used for: Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "db2" in the Device Type and Description column to see the
event types associated with this device.

Configuration

Configuring IBM DB2 Audit on Linux - DB2 side

1. Log in to IBM Installation Manager.
2. Click the Databases tab, and click the + icon to create a new Database Connection.
3. Enter these settings.

Database Connection Name: Enter a name for the connection, such as FortiSIEM
Data Server Type: DB2 for Linux, Unix, and Windows
Database Name: Name of the database
Host name: db2.org
Port number: 50000
JDBC Security: Clear text password
User ID: The username you want to use to access this Server from FortiSIEM
JDBC URL: jdbc:db2://db2.org:50000/<databasename>:retrieveMessagesFromServerOnGetMessage=true;securi

4. In the Job Manager tab, click Add Job.
5. For Name, enter audit.
6. For Type, select DB2 CLP Script.
7. Click OK.
8. Add the script.
9. Add schedule details to the audit task.
10. Add the database to the audit task.

You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more
information, refer to sections 'Discovering Infrastructure' and 'Setting Access Credentials' for Device Discovery under
Chapter: Configuring FortiSIEM.

Configuring IBM DB2 Audit on Windows - DB2 side

1. Create a non-admin user on Windows, for example "AOAuditUser", and set its password.
2. Log in to the DB2 Task Center, add the user to DB Users, and connect it to the database.
3. Grant permissions (as Administrator) using the commands below.
a. Grant audit permission to db2admin
db2 connect to sample user administrator using 'ProspectHills!'
DB2 GRANT EXECUTE ON PROCEDURE SYSPROC.AUDIT_ARCHIVE TO DB2ADMIN
DB2 GRANT EXECUTE ON PROCEDURE SYSPROC.AUDIT_DELIM_EXTRACT TO DB2ADMIN
db2 grant load on database to db2admin
db2 grant secadm on database to db2admin
db2 connect reset

b. Grant query permission to the non-admin user
db2 connect to sample user db2admin using 'ProspectHills!'
db2 grant select on AUDIT to AOAuditUser
db2 grant select on CHECKING to AOAuditUser
db2 grant select on OBJMAINT to AOAuditUser
db2 grant select on SECMAINT to AOAuditUser
db2 grant select on SYSADMIN to AOAuditUser
db2 grant select on VALIDATE to AOAuditUser
db2 grant select on CONTEXT to AOAuditUser
db2 grant select on EXECUTE to AOAuditUser
db2 connect reset

c. Check permissions for the non-admin user
db2 connect to sample user AOAuditUser using 'ProspectHills!'
db2 select count (*) from DB2ADMIN.AUDIT
db2 select count (*) from DB2ADMIN.CHECKING
db2 select count (*) from DB2ADMIN.OBJMAINT
db2 select count (*) from DB2ADMIN.SECMAINT
db2 select count (*) from DB2ADMIN.SYSADMIN
db2 select count (*) from DB2ADMIN.VALIDATE
db2 select count (*) from DB2ADMIN.CONTEXT
db2 select count (*) from DB2ADMIN.EXECUTE
db2 connect reset

4. Create the catalog with db2admin.
5. Create a task as the DB2 user Administrator:
a. Open the DB2 Task Center and create a task as shown below.
b. Add a schedule.
c. Add the task.

Settings for Access Credentials

Settings for IBM DB2 JDBC Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device:

Values for Used For = Audit:

Name: db2_linux
Device Type: IBM DB2
Access Protocol: JDBC
Used For: audit
Pull Interval (minutes): 5
Port: 50000
Database Name: <database_name>
Audit Table: AUDIT
Checking Table: CHECKING
ObjMaint Table: OBJMAINT
SecMaint Table: SECMAINT
SysAdmin Table: SYSADMIN
Validate Table: VALIDATE
Context Table: CONTEXT
Execute Table: EXECUTE
Account Name: The administrative user for your IBM DB2 server
Password: The password associated with the administrative user for your IBM DB2 server

Values for Used For = Synthetic Transaction Monitoring:

Name: db2_linux
Device Type: IBM DB2
Access Protocol: JDBC
Used For: Synthetic Transaction Monitoring
Pull Interval (minutes): 5
Port: 50000
Database Name: <database_name>
Account Name: The administrative user for your IBM DB2 server
Password: The password associated with the administrative user for your IBM DB2 server

Sample Events

IBMDB2_CHECKING_OBJECT
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_CHECKING_OBJECT]:[eventSeverity]=PHL_INFO,
[objName]=TABLES,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2
v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.41.085567,[user]=db2inst1,
[eventCategory]=CHECKING,[dbRetCode]=0
IBMDB2_CHECKING_FUNCTION
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_CHECKING_FUNCTION]:[eventSeverity]=PHL_INFO,
[objName]=CHECKING,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2
v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.40.739649,[user]=db2inst1,
[eventCategory]=CHECKING,[dbRetCode]=0
IBMDB2_STATEMENT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_STATEMENT]:[eventSeverity]=PHL_INFO,
[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,
[instanceName]=db2inst1,[eventTime]=2014-05-14-13.48.59.433204,[user]=db2inst1,
[eventCategory]=EXECUTE,[dbRetCode]=0
IBMDB2_COMMIT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_COMMIT]:[eventSeverity]=PHL_INFO,
[srcIpAddr]=10.1.2.81,[srcApp]=db2jcc_application,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,
[instanceName]=db2inst1,[eventTime]=2014-05-14-13.51.30.447924,[srcName]=SP81,[user]=db2inst1,
[eventCategory]=EXECUTE,[dbRetCode]=0
IBMDB2_ROLLBACK
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_ROLLBACK]:[eventSeverity]=PHL_INFO,
[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,
[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.43.827986,[user]=db2inst1,
[eventCategory]=EXECUTE,[dbRetCode]=0
IBMDB2_CONNECT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CONNECT]:[eventSeverity]=PHL_INFO,
[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,
[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.39.991288,[user]=db2inst1,
[eventCategory]=EXECUTE,[dbRetCode]=0
IBMDB2_CONNECT_RESET
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CONNECT_RESET]:[eventSeverity]=PHL_INFO,
[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,
[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.43.829149,[user]=db2inst1,
[eventCategory]=EXECUTE,[dbRetCode]=0
IBMDB2_CREATE_OBJECT
<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CREATE_OBJECT]:[eventSeverity]=PHL_INFO,
[objName]=CAN_MONITOR=CAN_MONITOR_FUNC,[srcIpAddr]=10.1.2.68,[srcApp]=DS_ConnMgt_,
[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-
13.30.14.827242,[srcName]=10.1.2.68,[user]=db2inst1,[eventCategory]=OBJMAINT,[dbRetCode]=0
IBMDB2_JDBC_PULL_STAT
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_JDBC_PULL_STAT]:[eventSeverity]=PHL_INFO,
[reptModel]=DB2,[dbName]=SAMPLE,[instanceName]=db2inst1,[reptVendor]=IBM,[rptIp]=10.1.2.68,
[auditEventCount]=30,[relayIp]=10.1.2.68,[dbEventCategory]=db2inst1.AUDIT,[appGroupName]=IBM
DB2 Server
IBMDB2_ARCHIVE
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_ARCHIVE]:[eventSeverity]=PHL_INFO,
[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,
[instanceName]=db2inst1,[eventTime]=2014-05-14-13.43.44.002046,[user]=db2inst1,
[eventCategory]=AUDIT,[dbRetCode]=0
IBMDB2_EXTRACT
<134>May 14 13:57:39 10.1.2.68 java: [IBMDB2_EXTRACT]:[eventSeverity]=PHL_INFO,
[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,
[instanceName]=db2inst1,[eventTime]=2014-05-14-13.38.45.865016,[user]=db2inst1,
[eventCategory]=AUDIT,[dbRetCode]=0
IBMDB2_LIST_LOGS
<134>May 14 14:03:39 10.1.2.68 java: [IBMDB2_LIST_LOGS]:[eventSeverity]=PHL_INFO,
[srcIpAddr]=127.0.0.1,[srcApp]=db2bp,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,
[instanceName]=db2inst1,[eventTime]=2014-05-14-13.58.43.204054,[user]=db2inst1,
[eventCategory]=AUDIT,[dbRetCode]=0


Microsoft SQL Server

- Supported Versions
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
- Sample Events

Supported Versions

- SQL Server 2005
- SQL Server 2008
- SQL Server 2008 R2
- SQL Server 2012
- SQL Server 2014

What is Discovered and Monitored

The following protocols are used to discover and monitor various aspects of Microsoft SQL Server.

Protocol: SNMP
  Information discovered: Application type
  Metrics collected: Process level CPU and memory utilization
  Used for: Performance Monitoring

Protocol: WMI
  Information discovered: Application type, service mappings
  Metrics collected: Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec
  Used for: Performance Monitoring

Protocol: WMI
  Metrics collected: Windows application event logs - successful and failed login
  Used for: Security Monitoring

Protocol: JDBC
  Information discovered: General database info: database name, database version, database size, database owner, database created date, database status, database compatibility level. Database configuration info: Configure name, Configure value, Configure max and min value, Configure running value. Database backup info: Database name, Last backup date, Days since last backup
  Used for: Availability Monitoring

Protocol: JDBC
  Metrics collected: Database performance metrics (per-instance): Buffer cache hit ratio, Log cache hit ratio, Transactions/sec, Page reads/sec, Page writes/sec, Page splits/sec, Full scans/sec, Deadlocks/sec, Log flush waits/sec, Latch waits/sec, Data file(s) size, Log file(s) used, Log growths, Log shrinks, User connections, Target server memory, Total Server Memory, Active database users, Logged-in database users, Available buffer pool pages, Free buffer pool pages, Average wait time. Database performance metrics (per-instance, per-database): Database name, Data file size, Log file used, Log growths, Log shrinks, Log flush waits/sec, Transactions/sec, Log cache hit ratio
  Used for: Performance Monitoring

Protocol: JDBC
  Metrics collected: Locking info: Database id, Database object id, Lock type, Locked resource, Lock mode, Lock status. Blocking info: Blocked Sp Id, Blocked Login User, Blocked Database, Blocked Command, Blocked Process Name, Blocking Sp Id, Blocking Login User, Blocking Database, Blocking Command, Blocking Process Name, Blocked duration
  Used for: Performance Monitoring

Protocol: JDBC
  Metrics collected: Database error log. Database audit trail: Failed database logon is also collected through performance monitoring, as logon failures cannot be collected via database triggers.
  Used for: Availability / Performance Monitoring

Protocol: JDBC
  Information discovered: None
  Metrics collected: Database audit trail: Successful and failed database logon, Various database operation audit trail including CREATE/ALTER/DROP/TRUNCATE operations on tables, table spaces, databases, clusters, users, roles, views, table indices, triggers etc.
  Used for: Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event, search for "sql server" in the Device Name and Description column to see
the event types associated with this device.

Rules

In RESOURCE > Rules, search for "sql server" in the Name column to see the rules associated with this application
or device.

Reports

In RESOURCE > Reports , search for "sql server" in the Name column to see the reports associated with this
application or device.

Configuration

SNMP

See SNMP Configurations in the Microsoft Windows Server Configuration section.

WMI

See WMI Configurations in the Microsoft Windows Server Configuration section.

JDBC for Performance Monitoring

Creating a User for SQL Server Monitoring

A regular Windows account cannot be used for SQL Server monitoring. FortiSIEM runs on Linux, and certain Windows
libraries needed to do so are not available on Linux. You have to create a separate user with read-only privileges.

Create a Read-Only User to Access System Tables

1. Log in to your SQL Server with an sa account, and then create a read-only user to access system tables.
EXEC SP_ADDLOGIN 'AOPerfLogin', 'ProspectHills!', 'master';
EXEC SP_ADDROLE 'AOPerfRole';
EXEC SP_ADDUSER 'AOPerfLogin', 'AOPerfUser', 'AOPerfRole';
GRANT VIEW SERVER STATE TO AOPerfLogin;
GRANT SELECT ON dbo.sysperfinfo TO AOPerfRole;
GRANT EXEC ON xp_readerrorlog TO AOPerfRole;


2. Log in with your newly created read-only account and run these commands.
Check to see if you get the same results with your read-only account as you do with your sa account.
SP_WHO2 'active';
SELECT * FROM sys.databases;
SELECT * FROM dbo.sysperfinfo;
SELECT COUNT(*) as count FROM sysprocesses GROUP BY loginame;

3. The following additional configuration steps should be performed for the collection of Logon Failures.
- For Server 2012 - https://technet.microsoft.com/en-us/library/ms175850(v=sql.110).aspx
- For Server 2014 - https://technet.microsoft.com/sr-latn-rs/library/ms175850(v=sql.120)
- For Server 2016 - https://msdn.microsoft.com/en-us/library/ms175850.aspx

JDBC for Database Audit Trail Collection

Creating a User for SQL Server Monitoring

A regular Windows account cannot be used for SQL Server monitoring. FortiSIEM runs on Linux, and certain Windows
libraries needed to do so are not available on Linux. You have to create a separate user with read-only privileges.

Create a Read-Only User to Access System Tables

1. Log in to your SQL Server with an sa account, and then create a read-only user to access system tables.
EXEC SP_ADDLOGIN 'AOPerfLogin', 'ProspectHills!', 'master';
EXEC SP_ADDROLE 'AOPerfRole';
EXEC SP_ADDUSER 'AOPerfLogin', 'AOPerfUser', 'AOPerfRole';
GRANT VIEW SERVER STATE TO AOPerfLogin;
GRANT SELECT ON dbo.sysperfinfo TO AOPerfRole;
GRANT EXEC ON xp_readerrorlog TO AOPerfRole;

2. Save the four SQL Server Scripts as separate files to My Documents > SQL Server Management Studio > Projects:
- SQL Server database-level event creation script (PH_Database_Level_Events.sql)
- SQL Server trigger creation script (PH_LogonEventsTrigger.sql)
- SQL Server DDL event creation script (PH_DDL_Server_Level_Events.sql)
- SQL Server table creation script (PH_EventDB_Tables_Create.sql)

3. Log in to SQL Server Management Studio with an sa account.
4. Browse to and execute the Database and Table Creation script to create the database and tables.
5. Browse to and execute the Logon Trigger Creation script to create triggers.
SQL Server introduced the Logon Trigger in SQL Server 2005 SP2, so the database version must be greater than 2005
SP2 for logon trigger creation to succeed.
6. Browse to and execute the DDL Server Level Trigger Creation script to create database events.

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery
Settings" and "Setting Credentials" in the User Guide.


Settings for Access Credentials

SNMP Access Credentials for All Devices

See Setting Access Credentials in the Microsoft Windows Server Configuration section.

Settings for SQL Server JDBC Access Credentials for Performance Monitoring

Use these Access Method Definition settings to allow FortiSIEM to communicate with your SQL Server over JDBC
for performance monitoring:

Create a Separate Credential for Each Database Instance

If multiple database instances are running on the same server, then each instance must run on a separate port, and you
must create a separate access credential for each instance. You must also remember to associate each instance with
the server's IP number for the Device Credential Mapping Definition.

Name: The name of the database instance you're creating the credential for
Device Type: Microsoft SQL Server
Access Protocol: JDBC
Used For: Performance Monitoring
Pull Interval (minutes): 5
Port: 1433
Database Name: <leave this field blank>
User Name: The user you created in step 1 of the JDBC configuration
Password: The password associated with the user you created in step 1

Settings for SQL Server JDBC Access Credentials for Database Audit Trail Collection

Use these Access Method Definition settings to allow FortiSIEM to communicate with your SQL Server database
instance over JDBC for database audit trail collection:


Create a Separate Credential for Each Database Instance

If multiple database instances are running on the same server, then each instance must run on a separate port, and you
must create a separate access credential for each instance. You must also remember to associate each instance with
the server's IP number for the Device Credential Mapping Definition.

Name: The name of the database instance you are creating the credential for
Device Type: Microsoft SQL Server
Access Protocol: JDBC
Used For: Audit
Pull Interval (minutes): 5
Port: 1433
Database Name: <leave this field blank>
Logon Event Table: PH_Events.dbo.LogOnEvents
DDL Event Table: PH_Events.dbo.DDLEvents
User Name: The user you created in step 1 of the JDBC configuration
Password: The password associated with the user you created in step 1

Creating a Database Truncate Script

Since audit tables grow over time, it is a good idea to create a database truncate script that runs as a
maintenance task and keeps the table size under control. Create the truncate procedure as follows.
1. Log into Microsoft SQL Management Studio and connect to the DB instance.
2. Under Management, go to Maintenance Plans, and create a new plan with the name RemoveOldLogs.
3. For Subplan, enter TRUNCATE, and for Description, enter TRUNCATE TABLE.
4. Click the Calendar icon to create a recurring, daily task starting at 12:00AM and running every 30 minutes until
11:59:59PM.
5. Go to View > Tool Box > Execute T-SQL Statement.
A T-SQL box will be added to the subplan.
6. In the T-SQL box, enter this command:
use PH_Events;
EXEC sp_MSForEachTable 'TRUNCATE TABLE ?';
7. Click OK.
8. You will be able to see the history of this script's actions by right-clicking on the maintenance task, and then
selecting View History.

Settings for Microsoft SQL Server JDBC Access Credentials for Synthetic Transaction Monitoring, Snort Audit,
McAfee VulnMgr

Use these Access Method Definition settings to allow FortiSIEM to communicate with your Microsoft SQL Server
over JDBC for Synthetic Transaction Monitoring, Snort Audit, or McAfee VulnMgr:

Name: <name>
Device Type: Microsoft SQL Server
Access Protocol: JDBC
Used For: Synthetic Transaction Monitoring, Snort Audit, or McAfee VulnMgr
Pull Interval (minutes): 5
Port: 1433
Database Name: <database name>
User Name: The administrative user for the database server
Password: The password associated with the administrative user

Sample Events

Per Instance Performance Metrics


<134>Apr 16 10:17:56 172.16.22.100 java: [PH_DEV_MON_PERF_MSSQL_SYS|PH_DEV_MON_PERF_MSSQL_
SYS]:[eventSeverity]=PHL_INFO,[hostIpAddr]=172.16.22.100,[hostName]=wwwin.accelops.net,
[appGroupName]=Microsoft SQL Server,[dbDataFileSizeKB]=13149056,[dbLogFileUsedKB]=26326,
[dbLogGrowthCount]=4,[dbLogShrinkCount]=0,[dbLogFlushPerSec]=1.69,[dbTransPerSec]=4.44,
[dbDeadLocksPerSec]=0,[dbLogCacheHitRatio]=60.01,[dbUserConn]=16,
[dbTargetServerMemoryKB]=1543232,[dbTotalServerMemoryKB]=1464760,[dbPageSplitsPerSec]=0.45,
[dbPageWritesPerSec]=0.01,[dbLatchWaitsPerSec]=0.77,[dbPageReadsPerSec]=0.01,
[dbFullScansPerSec]=1.83,[dbBufferCacheHitRatio]=100,[dbCount]=8,[dbUserCount]=25,
[dbLoggedinUserCount]=2,[dbPagesInBufferPool]=116850,[dbPagesFreeInBufferPool]=2336,
[dbAverageWaitTimeMs]=239376,
[appVersion]=Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64),[serverName]=WIN-08-
VCENTER,[instanceName]=MSSQLSERVER,[appPort]=1433

Per Instance, per Database Performance Metrics


[PH_DEV_MON_PERF_MSSQL_PERDB]:[eventSeverity]=PHL_INFO,[hostIpAddr]=172.16.22.100,
[hostName]=wwwin.accelops.net,[dbName]=tempdb,[appGroupName]=Microsoft SQL Server,
[dbDataFileSizeKB]=109504,[dbLogFileUsedKB]=434,[dbLogGrowthCount]=4,[dbLogShrinkCount]=0,
[dbTransPerSec]=0.96,[dbLogFlushPerSec]=0.01,[dbLogCacheHitRatio]=44.44,
[appVersion]=Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64),[serverName]=WIN-08-
VCENTER,[instanceName]=MSSQLSERVER,[appPort]=1433

Generic Info
[PH_DEV_MON_PERF_MSSQL_GEN_INFO]:[eventSeverity]=PHL_INFO,[dbName]= tempdb,[dbSize]= 3.0,
[dbowner]= sa,[dbId]= 2,[dbcreated]= 1321545600,
[dbstatus]= Status=ONLINE; Updateability=READ_WRITE; UserAccess=MULTI_USER; Recovery=SIMPLE;
Version=655; Collation=SQL_Latin1_General_CP1_CI_AS; SQLSortOrder=52; IsAutoCreateStatistics;
IsAutoUpdateStatistics,
[dbcompatibilityLevel]= 100,[spaceAvailable]= 0.9,[appVersion]= Microsoft SQL Server 2008
(RTM) - 10.0.1600.22 (Intel X86),[serverName]= WIN03MSSQL\SQLEXPRESS

Config Info
[PH_DEV_MON_PERF_MSSQL_CONFIG_INFO]:[eventSeverity]=PHL_INFO,[configureName]= user instances
enabled,[configMinimum]= 0,[configMaximum]= 1,[dbConfigValue]= 1,
[configRunValue]= 1,[appVersion]= Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86),
[serverName]= WIN03MSSQL\SQLEXPRESS

Locking Info
[PH_DEV_MON_PERF_MSSQL_LOCK_INFO]:[eventSeverity]=PHL_INFO,[dbId]= 4,[objId]= 1792725439,
[lockType]= PAG,[lockedResource]= 1:1256,[lockMode]= IX,
[lockStatus]= GRANT,[appVersion]= Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86),
[serverName]= WIN03MSSQL\SQLEXPRESS

Blocking Info
[PH_DEV_MON_PERF_MSSQL_BLOCKBY_INFO]:[eventSeverity]=PHL_INFO,[blockedSpId]= 51,
[blockedLoginUser]= WIN03MSSQL\Administrator,[blockedDbName]= msdb,
[blockedCommand]= UPDATE,[blockedProcessName]= Microsoft SQL Server Management Studio - Query,
[blockingSpId]= 54,[blockingLoginUser]= WIN03MSSQL\Administrator,
[blockingDbName]= msdb,[blockingCommand]= AWAITING COMMAND,[blockingProcessName]= Microsoft
SQL Server Management Studio - Query,[blockedDuration]= 5180936,
[appVersion]= Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86),[serverName]=
WIN03MSSQL\SQLEXPRESS

Error Log
[PH_DEV_MON_PERF_MSSQL_ERROR_LOG_INFO]:[eventSeverity]=PHL_INFO,[logDate]= 1321585903,
[processInfo]= spid52,[logText]= Starting up database 'ReportServer$SQLEXPRESSTempDB'.,
[appVersion]= Microsoft SQL Server 2008 (RTM) - 10.0.1600.22 (Intel X86),[serverName]=
WIN03MSSQL\SQLEXPRESS

Logon Events
<134>Feb 08 02:55:34 10.1.2.54 java: [MSSQL_Logon_Success]:[eventSeverity]=PHL_INFO,
[eventTime]=2014-02-08 02:54:00.977, [rptIp]=10.1.2.54, [relayIp]=10.1.2.54, [srcName]=<local
machine>, [user]=NT SERVICE\ReportServer$MSSQLSERVEJIANFA, [srcApp]=Report Server,
[instanceName]=MSSQLSERVEJIANFA, [procId]=52, [loginType]=Windows (NT) Login,
[securityId]=AQYAAAAAAAVQAAAALJAZf5XMbcLh8PUDY31LioZ3Uwo=, [isPooled]=1, [destName]=WIN-
S2EDLFIUPQK, [destPort]=1437,

DDL Events - Create Database


<134>Sep 29 15:34:48 10.1.2.54 java: [MSSQL_Create_database]:[eventSeverity]=PHL_INFO,
[eventTime]=2013-09-29 15:34:05.687, [rptIp]=10.1.2.54, [relayIp]=10.1.2.54, [user]=WIN-
S2EDLFIUPQK\Administrator, [dbName]=JIANFA, [instanceName]=MSSQLSERVER, [objName]=,
[procId]=59, [command]=CREATE DATABASE JIANFA, [destName]=WIN-S2EDLFIUPQK, [destPort]=1433,

DDL Events - Create index


<134>Sep 29 15:34:48 10.1.2.54 java: [MSSQL_Create_index]:[eventSeverity]=PHL_INFO,
[eventTime]=2013-09-29 15:30:40.557, [rptIp]=10.1.2.54, [relayIp]=10.1.2.54, [user]=WIN-
S2EDLFIUPQK\Administrator, [dbName]=master, [instanceName]=MSSQLSERVER, [objName]=IndexTest,
[procId]=58, [command]=create index IndexTest on dbo.MSreplication_options(optname);,
[schemaName]=dbo, [objType]=INDEX, [destName]=WIN-S2EDLFIUPQK, [destPort]=1433
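The IBM DB2 and Microsoft SQL Server sample events above share FortiSIEM's "[key]=value" attribute format. The following Python is an added example, not FortiSIEM code: it parses that format (syslog prefix, event type, attribute list) and counts schema-change events per user, using sample lines constructed from the samples in this section; the "[command]" verb check assumes every DDL-trigger event carries the captured T-SQL as the two DDL samples do.

```python
"""Parse FortiSIEM "[key]=value" events and flag schema-change events.

Added example, not FortiSIEM code. The sample lines below are constructed
from the IBM DB2 and Microsoft SQL Server samples in this section, joined
onto one line each (the guide shows them wrapped).
"""
import re
from collections import Counter
from typing import Dict, Optional

# Optional syslog prefix ("<134>May 14 13:57:39 10.1.2.68 java: ") followed by
# the bracketed event type and the attribute list. Group names are ours.
_HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<reporter>\S+) (?P<proc>[^:\s]+): )?"
    r"\[(?P<etype>[^\]]+)\]:(?P<attrs>.*)$"
)

# One "[key]=value" pair. Values may contain spaces, '=', ';', '<', '>' or a
# trailing base64 '=', so the value runs lazily up to the next ",[key]=" or
# the end of the line (a trailing comma, as in the DDL samples, is tolerated).
_ATTR_RE = re.compile(
    r"\[(?P<key>[A-Za-z0-9_]+)\]=\s*(?P<val>.*?)\s*"
    r"(?=,\s*\[[A-Za-z0-9_]+\]=|,?\s*$)"
)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return {"eventType": ..., <attr>: ...}, or None if not in this format."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    # "[A|B]:" carries two names for the same event type; keep the first.
    event = {"eventType": m.group("etype").split("|", 1)[0]}
    if m.group("reporter"):
        event["reporter"] = m.group("reporter")
    for attr in _ATTR_RE.finditer(m.group("attrs")):
        event[attr.group("key")] = attr.group("val")
    return event


def is_schema_change(event: Dict[str, str]) -> bool:
    """True for audit events that record an object or privilege change."""
    etype = event["eventType"]
    if etype.startswith("IBMDB2_"):
        # DB2 audit categories OBJMAINT (object maintenance) and SECMAINT
        # (security maintenance), two of the audit tables FortiSIEM pulls.
        return event.get("eventCategory") in {"OBJMAINT", "SECMAINT"}
    if etype.startswith("MSSQL_"):
        # Assumption: the PH_Events DDL triggers always put the captured
        # T-SQL in [command]; logon events carry no such attribute.
        verb = event.get("command", "").strip().split(" ", 1)[0].upper()
        return verb in {"CREATE", "ALTER", "DROP", "TRUNCATE"}
    return False


def schema_changes_by_user(lines) -> Counter:
    """Count schema-change events per (eventType, user, dbName)."""
    counts: Counter = Counter()
    for line in lines:
        event = parse_event(line)
        if event and is_schema_change(event):
            key = (event["eventType"], event.get("user", "?"), event.get("dbName", "?"))
            counts[key] += 1
    return counts


# Constructed from this section's sample events (one event per line).
SAMPLE_LINES = [
    r"<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CREATE_OBJECT]:[eventSeverity]=PHL_INFO,[objName]=CAN_MONITOR=CAN_MONITOR_FUNC,[srcIpAddr]=10.1.2.68,[srcApp]=DS_ConnMgt_,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.30.14.827242,[srcName]=10.1.2.68,[user]=db2inst1,[eventCategory]=OBJMAINT,[dbRetCode]=0",
    r"<134>May 14 13:57:40 10.1.2.68 java: [IBMDB2_CONNECT]:[eventSeverity]=PHL_INFO,[srcIpAddr]=127.0.0.1,[srcApp]=DB2HMON,[dbName]=SAMPLE,[appVersion]=DB2 v10.1.0.0,[instanceName]=db2inst1,[eventTime]=2014-05-14-13.44.39.991288,[user]=db2inst1,[eventCategory]=EXECUTE,[dbRetCode]=0",
    r"<134>Sep 29 15:34:48 10.1.2.54 java: [MSSQL_Create_database]:[eventSeverity]=PHL_INFO,[eventTime]=2013-09-29 15:34:05.687, [rptIp]=10.1.2.54, [relayIp]=10.1.2.54, [user]=WIN-S2EDLFIUPQK\Administrator, [dbName]=JIANFA, [instanceName]=MSSQLSERVER, [objName]=, [procId]=59, [command]=CREATE DATABASE JIANFA, [destName]=WIN-S2EDLFIUPQK, [destPort]=1433,",
    r"<134>Feb 08 02:55:34 10.1.2.54 java: [MSSQL_Logon_Success]:[eventSeverity]=PHL_INFO,[eventTime]=2014-02-08 02:54:00.977, [rptIp]=10.1.2.54, [relayIp]=10.1.2.54, [srcName]=<local machine>, [user]=NT SERVICE\ReportServer$MSSQLSERVEJIANFA, [srcApp]=Report Server, [instanceName]=MSSQLSERVEJIANFA, [procId]=52, [loginType]=Windows (NT) Login, [securityId]=AQYAAAAAAAVQAAAALJAZf5XMbcLh8PUDY31LioZ3Uwo=, [isPooled]=1, [destName]=WIN-S2EDLFIUPQK, [destPort]=1437,",
    r"[PH_DEV_MON_PERF_MSSQL_GEN_INFO]:[eventSeverity]=PHL_INFO,[dbName]= tempdb,[dbSize]= 3.0,[dbowner]= sa,[dbId]= 2,[dbcreated]= 1321545600,[dbstatus]= Status=ONLINE; Updateability=READ_WRITE; UserAccess=MULTI_USER; Recovery=SIMPLE,[dbcompatibilityLevel]= 100",
    r"<134>Apr 16 10:17:56 172.16.22.100 java: [PH_DEV_MON_PERF_MSSQL_SYS|PH_DEV_MON_PERF_MSSQL_SYS]:[eventSeverity]=PHL_INFO,[hostIpAddr]=172.16.22.100,[dbUserConn]=16,[appVersion]=Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64),[serverName]=WIN-08-VCENTER,[instanceName]=MSSQLSERVER,[appPort]=1433",
    r"<134>Sep 29 15:34:48 10.1.2.54 java: [MSSQL_Create_index]:[eventSeverity]=PHL_INFO,[eventTime]=2013-09-29 15:30:40.557, [rptIp]=10.1.2.54, [relayIp]=10.1.2.54, [user]=WIN-S2EDLFIUPQK\Administrator, [dbName]=master, [instanceName]=MSSQLSERVER, [objName]=IndexTest, [procId]=58, [command]=create index IndexTest on dbo.MSreplication_options(optname);, [schemaName]=dbo, [objType]=INDEX, [destName]=WIN-S2EDLFIUPQK, [destPort]=1433",
]

if __name__ == "__main__":
    for (etype, user, db), n in sorted(schema_changes_by_user(SAMPLE_LINES).items()):
        print(f"{n}x {etype} by {user} on {db}")
```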


Microsoft SQL Server Scripts

- SQL Server Trigger Creation Script
- SQL Server Table Creation Script
- SQL Server DDL Event Creation Script
- SQL Server Database Level Event Creation Script

SQL Server Trigger Creation Script (PH_LogonEventsTrigger.sql)

This script creates a server-level trigger called PH_LoginEvents. It records a logon event whenever a user
establishes a session to the database server. The trigger is located under the database server > Server Objects >
Triggers.
CREATE TRIGGER PH_LoginEvents
ON ALL SERVER WITH EXECUTE AS self
FOR LOGON
AS
BEGIN
-- EVENTDATA() returns the logon event as XML; each field is extracted from it with XQuery below
DECLARE @event XML
SET @event = EVENTDATA()
INSERT INTO PH_Events.dbo.LogonEvents
(EventTime,EventType,SPID,ServerName,LoginName,LoginType,SID,HostName,IsPooled,AppName,XMLEvent)
VALUES(CAST(CAST(@event.query('/EVENT_INSTANCE/PostTime/text()') AS VARCHAR(64)) AS DATETIME),
CAST(@event.query('/EVENT_INSTANCE/EventType/text()') AS VARCHAR(128)),
CAST(@event.query('/EVENT_INSTANCE/SPID/text()') AS VARCHAR(128)),
CAST(@event.query('/EVENT_INSTANCE/ServerName/text()') AS VARCHAR(128)),
CAST(@event.query('/EVENT_INSTANCE/LoginName/text()') AS VARCHAR(128)),
CAST(@event.query('/EVENT_INSTANCE/LoginType/text()') AS VARCHAR(128)),
CAST(@event.query('/EVENT_INSTANCE/SID/text()') AS VARCHAR(128)),
CAST(@event.query('/EVENT_INSTANCE/ClientHost/text()') AS VARCHAR(128)),
CAST(@event.query('/EVENT_INSTANCE/IsPooled/text()') AS VARCHAR(128)),
APP_NAME(), -- name of the client application that opened the session
@event)     -- the complete event XML is stored as well
END;

SQL Server Table Creation Script (PH_EventDB_Tables_Create.sql)

CREATE DATABASE PH_Events
GO
CREATE TABLE PH_Events.dbo.DDLEvents
(
XMLEvent XML,
DatabaseName VARCHAR(64),
EventTime DATETIME DEFAULT (GETDATE()),
EventType VARCHAR(128),
SPID VARCHAR(128),
ServerName VARCHAR(128),
LoginName VARCHAR(128),
ObjectName VARCHAR(128),
ObjectType VARCHAR(128),
SchemaName VARCHAR(128),
-- the DDL triggers insert the full T-SQL command text as NVARCHAR(MAX);
-- a 128-character column would make the insert (and the DDL statement) fail for longer commands
CommandText NVARCHAR(MAX)
)
GO
CREATE TABLE PH_Events.dbo.LogonEvents
(
XMLEvent XML,
EventTime DATETIME,
EventType VARCHAR(128),
SPID VARCHAR(128),
ServerName VARCHAR(128),
LoginName VARCHAR(128),
LoginType VARCHAR(128),
SID VARCHAR(128),
HostName VARCHAR(128),
IsPooled VARCHAR(128),
AppName VARCHAR(255)
)

SQL Server DDL Event Creation Script (PH_DDL_Server_Level_Events.sql)

CREATE TRIGGER PH_DDL_Server_Level_Events
ON ALL SERVER
FOR DDL_ENDPOINT_EVENTS, DDL_LOGIN_EVENTS, DDL_GDR_SERVER_EVENTS, DDL_AUTHORIZATION_SERVER_EVENTS,
CREATE_DATABASE, ALTER_DATABASE, DROP_DATABASE
/**FOR DDL_SERVER_LEVEL_EVENTS**/
AS
DECLARE @eventData AS XML;
SET @eventData = EVENTDATA();
/**declare @eventData as XML;
set @eventData = EVENTDATA();**/
insert into PH_Events.dbo.DDLEvents(EventTime, EventType, SPID, ServerName, LoginName,
ObjectName, ObjectType, SchemaName, DatabaseName, CommandText, XMLEvent)
values(cast(@eventData.query('data(//PostTime)') as varchar(64)),
cast(@eventData.query('data(//EventType)') as varchar(128)),
cast(@eventData.query('data(//SPID)') as varchar(128)),
cast(@eventData.query('data(//ServerName)') as varchar(128)),
cast(@eventData.query('data(//LoginName)') as varchar(128)),
cast(@eventData.query('data(//ObjectName)') as varchar(128)),
cast(@eventData.query('data(//ObjectType)') as varchar(128)),
cast(@eventData.query('data(//SchemaName)') as varchar(128)),
cast(@eventData.query('data(//DatabaseName)') as varchar(64)),
cast(@eventData.query('data(//TSQLCommand/CommandText)') AS NVARCHAR(MAX)),
/** DB_NAME(),**/
@eventData);

SQL Server Database Level Event Creation Script (PH_Database_Level_Events.sql)

USE master;
GO
CREATE TRIGGER PH_Database_Level_Events on DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS
AS
DECLARE @eventData AS XML;
SET @eventData = EVENTDATA();
INSERT INTO PH_Events.dbo.DDLEvents(EventTime, EventType, SPID, ServerName, LoginName,
ObjectName, ObjectType, SchemaName, DatabaseName, CommandText, XMLEvent)
VALUES(cast(@eventData.query('data(//PostTime)') as varchar(64)),
cast(@eventData.query('data(//EventType)') as varchar(128)),
cast(@eventData.query('data(//SPID)') as varchar(128)),
cast(@eventData.query('data(//ServerName)') as varchar(128)),
cast(@eventData.query('data(//LoginName)') as varchar(128)),
cast(@eventData.query('data(//ObjectName)') as varchar(128)),
cast(@eventData.query('data(//ObjectType)') as varchar(128)),
cast(@eventData.query('data(//SchemaName)') as varchar(128)),
cast(@eventData.query('data(//DatabaseName)') as varchar(64)),
cast(@eventData.query('data(//TSQLCommand/CommandText)') AS NVARCHAR(MAX)),
@eventData
);


MySQL Server

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
- Sample events

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Application type
  Metrics collected: Process level CPU and memory utilization
  Used for: Performance Monitoring

Protocol: WMI
  Information discovered: Application type, service mappings
  Metrics collected: Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec
  Used for: Performance Monitoring

Protocol: JDBC
  Information discovered: Generic database information: Version, Character Setting

Protocol: JDBC
  Metrics collected: Database performance metrics: User Connections, Table Updates, Table Selects, Table Inserts, Table Deletes, Temp Table Creates, Slow Queries, Query cache Hits, Queries registered in cache, Database Questions, Users, Live Threads. Table space performance metrics: Table space name, table space type, Character set and Collation, table space usage, table space free space, Database engine, Table version, Table Row Format, Table Row Count, Average Row Length, Index File length, Table Create time, Table Update Time
  Used for: Performance Monitoring

Protocol: JDBC
  Information discovered: None
  Metrics collected: Database audit trail: Successful and failed database log on, Database CREATE/DELETE/MODIFY operations, Table CREATE/DELETE/MODIFY/INSERT operations
  Used for: Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "mysql" in the Device Type and Description columns to see the
event types associated with this device.

Rules

In RESOURCE > Rules, search for "mysql" in the Name column to see the rules associated with this application or
device.


Reports

In RESOURCE > Reports, search for "mysql" in the Name and Description columns to see the reports associated
with this application or device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device. For more
information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

JDBC for Database Auditing - MySQL Server

You must configure your MySQL Server to write audit logs to a database table. This topic in the MySQL documentation
explains more about how to set the destination tables for log outputs.
1. Start MySQL server with TABLE output enabled.
bin/mysqld_safe --user=mysql --log-output=TABLE &

2. Log in to mysql and run the following SQL commands to enable general_log in MyISAM.
SET @old_log_state = @@global.general_log;
SET GLOBAL general_log = 'OFF';
ALTER TABLE mysql.general_log ENGINE = MyISAM;
SET GLOBAL general_log = @old_log_state;
SET GLOBAL general_log = 'ON';

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery
Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set
the Name and Community String.

Setting            Value
Name               <set name>
Device Type        Generic
Access Protocol    SNMP
Community String   <your own>

Settings for MySQL Server JDBC Access Credentials for Performance Monitoring

Use these Access Method Definition settings to allow FortiSIEM to communicate with your MySQL Server over JDBC
for performance monitoring:

Setting                  Value
Name                     MySQL-Performance-Monitoring
Device Type              Oracle MySQL
Access Protocol          JDBC
Used For                 Performance Monitoring
Pull Interval (minutes)  5
Port                     3306
User Name                The administrative user for the database server
Password                 The password associated with the administrative user

Settings for MySQL Server JDBC Access Credentials for Database Auditing

Use these Access Method Definition settings to allow FortiSIEM to communicate with your MySQL Server over JDBC
for database auditing:

Setting                  Value
Name                     MySQL-Audit
Device Type              Oracle MySQL
Access Protocol          JDBC
Used For                 Audit
Pull Interval (minutes)  5
Port                     1433
Database Name            <database name> (mysql)
Audit Table              dba_audit_trail
User Name                The administrative user for the database server
Password                 The password associated with the administrative user

Settings for MySQL Server JDBC Access Credentials for Synthetic Transaction Monitoring, Snort Audit,
McAfee VulnMgr

Use these Access Method Definition settings to allow FortiSIEM to communicate with your MySQL Server over JDBC
for Synthetic Transaction Monitoring, Snort Audit, or McAfee VulnMgr:

Setting                  Value
Name                     <name>
Device Type              Oracle MySQL
Access Protocol          JDBC
Used For                 Synthetic Transaction Monitoring, Snort Audit, or McAfee VulnMgr
Pull Interval (minutes)  5
Port                     1433
Database Name            <database name>
User Name                The administrative user for the database server
Password                 The password associated with the administrative user

Sample events

System Level Performance Metrics


<134>Apr 21 19:06:07 10.1.2.8 java: [PH_DEV_MON_PERF_MYSQLDB]: [eventSeverity]=PHL_INFO,
[hostIpAddr]=172.16.22.227, [hostName]=MYSQL, [appGroupName]=MySQL Database
Server, [appVersion]=MySQL 5.6.11, [charSetting]=utf8, [dbConnections]=24, [dbComUpdate]=0,
[dbComSelect]=1, [dbComInsert]=0,
[dbComDelete]=0, [dbCreatedTmpTables]=0, [dbSlowQueries]=0, [dbQcacheHits]=0,
[dbQcacheQueriesinCache]=0,
[dbQuestions]=7, [dbThreadsConnected]=1, [dbThreadsRunning]=1

Table Space Performance Metrics


<134>Apr 29 10:06:07 172.16.22.227 java: [PH_DEV_MON_PERF_MYSQLDB_TABLESPACE]:
[eventSeverity]=PHL_INFO, [appGroupName]=MySQL Database Server,
[instanceName]=mysql, [tablespaceName]=general_log, [tablespaceType]=PERMANENT,
[tablespaceUsage]=0.01, [tablespaceFreeSpace]=4193886,
[dbEngine]=MyISAM, [tableVersion]=10, [tableRowFormat]=dynamic, [tableRows]=124,
[tableAvgRowLength]=80, [tableIndexLength]=1024,
[tableCreateTime]=2013-04-29 15:12:30, [tableUpdateTime]=2013-04-29 12:35:46,
[tableCollation]=utf8_general_ci


Logon/Logoff Events

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_ Logon_Success]: [eventSeverity]=PHL_INFO,
[eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227,
[srcIp]=172.16.22.227, [user]=admin, [logonTime]=2013-04-29 15:14:54, [logoffTime]=,
[actionName]=Connect, [msg][email protected] on

<134>Apr 10 14:29:22 abc-desktop java: [MYSQL_Logoff]:[eventSeverity]=PHL_INFO,
[eventTime]=2013-04-10 14:29:22, [rptIp]=172.16.22.227,
[srcIp]=172.16.22.227, [user]=admin, [logonTime]=, [logoffTime]=2014-04-10 14:29:22,
[actionName]=quit, [msg]=

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_ Logon_Fail]: [eventSeverity]=PHL_WARN,
[eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227,
[srcIp]=172.16.22.227, [user]=admin, [logonTime]=2013-04-29 15:14:54, [logoffTime]=,
[actionName]=Connect,
[msg]=Access denied for user 'admin'@'172.16.22.227' (using password: YES)

Database CREATE/DELETE/MODIFY Events

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Create_database]: [eventSeverity]=PHL_INFO,
[eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227,
[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=create database sliutest

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Drop_database]: [eventSeverity]=PHL_INFO,
[eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227,
[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=drop database sliutest

Table CREATE/DELETE/MODIFY Events

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Create_table]: [eventSeverity]=PHL_INFO,
[eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227,
[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=CREATE TABLE tutorials_tbl(
tutorial_id INT NOT NULL AUTO_INCREMENT,
tutorial_title VARCHAR(100) NOT NULL, tutorial_author VARCHAR(40) NOT NULL,
submission_date DATE, PRIMARY KEY ( tutorial_id ) )

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Delete_table]: [eventSeverity]=PHL_INFO,
[eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227,
[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=DELETE FROM tutorials_tbl WHERE
tutorial_id=2NOT NULL,
tutorial_author VARCHAR(40) NOT NULL, submission_date DATE, PRIMARY KEY ( tutorial_id
)

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Insert_table]: [eventSeverity]=PHL_INFO,
[eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227,
[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=INSERT INTO tutorials_tbl
(tutorial_title, tutorial_author, submission_date)
VALUES ("Learn Java", "John Smith", NOW())

<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_Drop_table]: [eventSeverity]=PHL_INFO,
[eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227,
[srcIp]=172.16.22.227, [user]=admin, [actionName]=Query, [msg]=DROP table sliutable


Oracle Database Server

- Supported Versions
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
- Sample Events

Supported Versions

- Oracle Database 10g
- Oracle Database 11g
- Oracle Database 12c

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Application type
  Metrics collected: Process level CPU and memory utilization
  Used for: Performance Monitoring

Protocol: WMI
  Information discovered: Application type, service mappings
  Metrics collected: Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec
  Used for: Performance Monitoring

Protocol: JDBC
  Information discovered: Generic database information: version, Character Setting, Archive Enabled, Listener Status, Instance Status, Last backup date

Protocol: JDBC
  Metrics collected: Database performance metrics: Buffer cache hit ratio, Row cache hit ratio, Library cache hit ratio, Shared pool free ratio, Wait time ratio, Memory Sorts ratio, Host CPU Util ratio, CPU Time ratio, Disk Read/Write rates (operations and MBps), Network I/O Rate, Enqueue Deadlock rate, Database Request rate, User Transaction rate, User count, Logged on user count, Session Count, System table space usage, User table space usage, Temp table space usage, Last backup date, Days since last backup. Table space performance metrics: Table space name, table space type, table space usage, table space free space, table space next extent
  Used for: Performance Monitoring

Protocol: Syslog
  Metrics collected: Listener log, Alert log, Audit Log

Protocol: JDBC
  Information discovered: None
  Metrics collected: Database audit trail: Successful and failed database logon, Various database operation audit trail including CREATE/ALTER/DROP/TRUNCATE operations on tables, table spaces, databases, clusters, users, roles, views, table indices, triggers etc.
  Used for: Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "oracle database" in the Description column to see the event types
associated with this device.

Rules

In RESOURCE > Rules, search for "oracle database" in the Description column to see the rules associated with this
application or device.

Reports

In RESOURCE > Reports, search for "oracle database" in the Name column to see the reports associated with this
application or device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

JDBC for Database Performance Monitoring - Oracle Database Server

To configure your Oracle Database Server for performance monitoring by FortiSIEM, you must create a read-only user
who has select permissions for the database. This is the user you will use to create the access credentials for FortiSIEM
to communicate with your database server.
1. Open the SQLPlus application.
2. Log in with a system-level account.
3. Connect to your instance as sysdba.
SQL> conn / as sysdba;
Connected.

4. Create a non-admin user account. (Note: If you already created the phoenix_agent user, you can skip this
step.)
SQL> create user phoenix_agent identified by
"accelops";
User created.


5. Assign permissions to the user.


grant select on dba_objects to phoenix_agent;
grant select on dba_tablespace_usage_metrics to phoenix_agent;
grant select on dba_tablespaces to phoenix_agent;
grant select on nls_database_parameters to phoenix_agent;
grant select on v_$backup_set to phoenix_agent;
grant select on v_$instance to phoenix_agent;
grant select on v_$parameter to phoenix_agent;
grant select on v_$session to phoenix_agent;
grant select on v_$sql to phoenix_agent;
grant select on v_$sysmetric to phoenix_agent;
grant select on v_$version to phoenix_agent;
grant select on gv_$session to phoenix_agent;
grant select on gv_$service_stats to phoenix_agent;
6. Verify that the permissions were successfully assigned to the user.
select count(*) from dba_objects;
select count(*) from dba_tablespace_usage_metrics;
select count(*) from dba_tablespaces;
select count(*) from gv$service_stats;
select count(*) from nls_database_parameters;
select count(*) from v$backup_set order by start_time desc;
select count(*) from v$instance;
select count(*) from v$parameter;
select count(*) from v$session;
select count(*) from v$sql;
select count(*) from v$sysmetric;
select count(*) from v$version;

JDBC for Database Auditing - Oracle Database Server

Required Environment Variables

Make sure that these environment variables are set:
- ORACLE_HOME= C:\app\Administrator\product\11.2.0\dbhome_1
- ORACLE_BASE= C:\app\Administrator

1. Create audit trail views by executing cataudit.sql as the sysdba user.
Linux:
su - oracle
sqlplus /nolog
conn / as sysdba;
@$ORACLE_HOME/rdbms/admin/cataudit.sql;
quit

Windows:
sqlplus /nolog
conn / as sysdba;
@%ORACLE_HOME%/rdbms/admin/cataudit.sql;
quit

2. Enable auditing by modifying the Oracle instance initialization file init<SID>.ora.
This file is typically located in $ORACLE_BASE/admin/<SID>/pfile, where <SID> is the Oracle instance identifier.
AUDIT_TRAIL = DB
or
AUDIT_TRAIL = true

3. Restart the database.
su - oracle
sqlplus /nolog
conn / as sysdba;
shutdown immediate;
startup;
quit

4. Create a user account and grant select privileges to that user. (Note: If you already created the phoenix_agent
user in the performance monitoring steps above, skip the Create user statement and run only the Grant statements,
and use the password set there ("accelops") in step 6.)
su - oracle
sqlplus /nolog
conn / as sysdba;
Create user phoenix_agent identified by "phoenix_agent_pwd";
Grant connect to phoenix_agent;
Grant select on dba_audit_trail to phoenix_agent;
Grant select on v_$session to phoenix_agent;

5. Turn on auditing.
su - oracle
sqlplus /nolog
conn / as sysdba;
audit session;
quit;

6. Fetch the audit data to make sure the configuration was successful.
su - oracle
sqlplus phoenix_agent/phoenix_agent_pwd
select count(*) from dba_audit_trail;

You should see the count changing after logging on a few times.

Configuring listener log and error log via SNARE - Oracle side

1. Install and configure the Epilog application to send syslog to FortiSIEM.
a. Download Epilog from the Epilog download site and install it on your Windows Server.
b. Launch Epilog from Start→All Programs→InterSect Alliance→Epilog for windows.
c. Configure the Epilog application as follows:
i. Select Log Configuration in the left-hand panel and click the Add button to add the Oracle Listener log file to be
sent to FortiSIEM. Make sure the Log Type is OracleListenerLog.
ii. Click the Add button to add the Oracle Alert log file to be sent to FortiSIEM. Make sure the Log Type is
OracleAlertLog.
iii. After adding both files, the SNARE Log Configuration shows both files included.
iv. Select Network Configuration in the left-hand panel. On the right, set the destination address to that of the
FortiSIEM server, set the port to 514, and make sure that the syslog header is enabled. Then click the Change
Configuration button.
v. Click the "Apply the latest audit configuration" link on the left-hand side to apply the changes to the Epilog
application. The logs will now be sent to FortiSIEM in real time.
You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery
Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set
the Name and Community String.

Setting            Value
Name               <set name>
Device Type        Generic
Access Protocol    SNMP
Community String   <your own>

Settings for Oracle Database Server JDBC Access Credentials for Performance Monitoring

Use these Access Method Definition settings to allow FortiSIEM to communicate with your Oracle database server
over JDBC:

Setting                  Value
Name                     phoenix_agent_accelops
Device Type              Oracle Database Server
Access Protocol          JDBC
Used For                 Performance Monitoring
Pull Interval (minutes)  5
Port                     1521
Instance Name            orcl2
User Name                The user you created for performance monitoring
Password                 The password associated with the user


Sample Events

System Level Database Performance Metrics


[PH_DEV_MON_PERF_ORADB]:[eventSeverity]=PHL_INFO, [hostIpAddr]=10.1.2.8, [hostName]=Host-
10.1.2.8, [appGroupName]=Oracle Database Server,
[appVersion]=Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production,
[instanceName]=orcl, [instanceStatus]=OPEN, [charSetting]=ZHS16GBK, [archiveEnabled]=FALSE,
[lastBackupDate]=1325566287, [listenerStatus]=OPEN,[dbBufferCacheHitRatio]=100,
[dbMemorySortsRatio]=100,[dbUserTransactionPerSec]=0.13,[dbPhysicalReadsPerSec]=0,
[dbPhysicalWritesPerSec]=0.48,[dbHostCpuUtilRatio]=0,[dbNetworkKBytesPerSec]=0.58,
[dbEnqueueDeadlocksPerSec]=0,[dbCurrentLogonsCount]=32,[dbWaitTimeRatio]=7.13,
[dbCpuTimeRatio]=92.87,
[dbRowCacheHitRatio]=100,[dbLibraryCacheHitRatio]=99.91,[dbSharedPoolFreeRatio]=18.55,
[dbSessionCount]=40,[dbIOKBytesPerSec]=33.26,[dbRequestsPerSec]=3.24,
[dbSystemTablespaceUsage]= 2.88,[dbTempTablespaceUsage]= 0,[dbUsersTablespaceUsage]= 0.01,
[dbUserCount]= 2,[dbInvalidObjectCount]= 4

Table Space Performance Metrics


[PH_DEV_MON_PERF_ORADB_TABLESPACE]:[eventSeverity]=PHL_INFO, [appGroupName]=Oracle Database
Server, [instanceName]=orcl, [tablespaceName]=UNDOTBS1, [tablespaceType]=UNDO,
[tablespaceUsage]=0.01, [tablespaceFreeSpace]=4193886, [tablespaceNextExtent]=0

[PH_DEV_MON_PERF_ORADB_TABLESPACE]:[eventSeverity]=PHL_INFO, [appGroupName]=Oracle Database
Server, [instanceName]=orcl, [tablespaceName]=USERS, [tablespaceType]=PERMANENT,
[tablespaceUsage]=0.01, [tablespaceFreeSpace]=4193774, [tablespaceNextExtent]=0

Oracle Audit Trail (FortiSIEM Generated Events)


<134>Apr 10 12:51:42 abc-desktop java: [ORADB_PH_Logoff]:[eventSeverity]=PHL_INFO,
[retCode]=0, [eventTime]=2009-04-10 14:29:22:111420, [rptIp]=172.16.10.40, [srcIp]=QA-V-CtOS-
ora.abc.net, [user]=DBSNMP, [logonTime]=2009-04-10 14:29:22:111420, [logoffTime]=2009-04-10
14:29:22, [privUsed]=CREATE_SESSION,

Oracle Audit Log


<172>Oracle Audit[25487]: LENGTH : '153' ACTION :[004] 'bjn' DATABASE USER:[9] 'user'
PRIVILEGE :[4] 'NONE' CLIENT USER:[9] 'user' CLIENT TERMINAL:[14] 'terminal' STATUS:[1] '0']

<172>Oracle Audit[6561]: LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[8] 'user'
PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'user' CLIENT TERMINAL:[0] '' STATUS:[1] '0' DBID:[9]
'200958341'

<172>Oracle Audit[28061]: LENGTH: 265 SESSIONID:[9] 118110747 ENTRYID:[5] 14188 STATEMENT:[5]
28375 USERID:[8] user ACTION:[3] 100 RETURNCODE:[1] 0 COMMENT$TEXT:[99] Authenticated by:
DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.90.217.247)(PORT=4566)) PRIV$USED:
[1] 5

Oracle Listener Log

<46>Dec 13 06:07:08 WIN03R2E-110929 OracleListenerLog 0 12-OCT-2011 16:17:52 *
(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=Administrator))(COMMAND=status)(ARGUMENTS=64)
(SERVICE=LISTENER)(VERSION=185599744)) * status * 0

Oracle Alert Log

<46>Dec 13 06:07:08 WIN03R2E-110929 OracleAlertLog 0 ORA-00312: online log 3 thread 1:
'C:\APP\ADMINISTRATOR\ORADATA\ORCL\REDO03.LOG'
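The MySQL and Oracle sample events above share FortiSIEM's "[EventType]: [attribute]=value, ..." layout. As an added example that is not part of this guide, the following Python parses that layout (delimiting values by the next "[name]=" marker, so a [msg] holding a CREATE TABLE statement with commas survives intact) and counts repeated MYSQL_Logon_Fail events per user and source IP, the way a brute-force rule would. The sample lines are constructed here, modelled on the ones shown above.

```python
import re
from collections import Counter


def _failed_logon(ts):
    """Build one constructed MYSQL_Logon_Fail event with timestamp `ts`."""
    return (f"<134>Apr 29 {ts} abc-desktop java: [MYSQL_ Logon_Fail]: [eventSeverity]=PHL_WARN, "
            f"[eventTime]=2013-04-29 {ts}, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, "
            f"[user]=admin, [logonTime]=2013-04-29 {ts}, [logoffTime]=, [actionName]=Connect, "
            "[msg]=Access denied for user 'admin'@'172.16.22.227' (using password: YES)")


# Constructed sample events modelled on the MySQL and Oracle samples in the guide
# (the [msg] texts and timestamps are invented, not taken from a live system).
SAMPLE_EVENTS = [
    "<134>Apr 29 15:14:54 abc-desktop java: [MYSQL_ Logon_Success]: [eventSeverity]=PHL_INFO, "
    "[eventTime]=2013-04-29 15:14:54, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, "
    "[user]=admin, [logonTime]=2013-04-29 15:14:54, [logoffTime]=, [actionName]=Connect, "
    "[msg]=admin@localhost on",
    _failed_logon("15:15:01"),
    _failed_logon("15:15:07"),
    _failed_logon("15:15:12"),
    "<134>Apr 29 15:20:01 abc-desktop java: [MYSQL_Create_table]: [eventSeverity]=PHL_INFO, "
    "[eventTime]=2013-04-29 15:20:01, [rptIp]=172.16.22.227, [srcIp]=172.16.22.227, "
    "[user]=admin, [actionName]=Query, [msg]=CREATE TABLE tutorials_tbl( tutorial_id INT NOT NULL "
    "AUTO_INCREMENT, tutorial_title VARCHAR(100) NOT NULL, PRIMARY KEY ( tutorial_id ) )",
    # FortiSIEM-generated Oracle audit event: no syslog header, trailing comma.
    "[ORADB_PH_Logoff]:[eventSeverity]=PHL_INFO, [retCode]=0, [eventTime]=2009-04-10 14:29:22:111420, "
    "[rptIp]=172.16.10.40, [srcIp]=QA-V-CtOS-ora.abc.net, [user]=DBSNMP, "
    "[logoffTime]=2009-04-10 14:29:22, [privUsed]=CREATE_SESSION,",
]

# Optional syslog PRI and "<timestamp> <host> java: " prefix (never crossing the first
# "["), then [EventType]: and the attribute body.
HEADER_RE = re.compile(r"^(?:<\d+>)?(?:[^\[]*java:\s*)?\[(?P<etype>[^\]]+)\]:\s*(?P<body>.*)$")
# Every attribute starts with [name]=; its value runs up to the next such marker.
KEY_RE = re.compile(r"\[(\w+)\]=")


def parse_event(line):
    """Return (event_type, {attribute: value}) for one FortiSIEM event line."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a FortiSIEM key/value event: {line[:40]!r}")
    # Some samples in the guide show a stray space inside the type ("MYSQL_ Logon_Fail").
    etype = m.group("etype").replace(" ", "")
    body = m.group("body")
    markers = list(KEY_RE.finditer(body))
    attrs = {}
    for i, k in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(body)
        value = body[k.end():end].strip()
        # Drop only the "," separator that precedes the next attribute; commas
        # inside the value itself (e.g. a CREATE TABLE column list) are kept.
        if value.endswith(","):
            value = value[:-1].rstrip()
        attrs[k.group(1)] = value
    return etype, attrs


def failed_logons(lines, threshold=3):
    """Count *_Logon_Fail events per (user, srcIp); return pairs at or above `threshold`."""
    counts = Counter()
    for line in lines:
        etype, attrs = parse_event(line)
        if etype.endswith("Logon_Fail"):
            counts[(attrs.get("user", ""), attrs.get("srcIp", ""))] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        etype, attrs = parse_event(line)
        print(etype, attrs.get("user"), attrs.get("msg", "")[:40])
    print("repeated failures:", failed_logons(SAMPLE_EVENTS))
```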


DHCP and DNS Server

FortiSIEM supports these DHCP and DNS servers for discovery and monitoring.
- Infoblox DNS/DHCP
- ISC BIND DNS
- Linux DHCP
- Microsoft DHCP (2003, 2008)
- Microsoft DNS (2003, 2008)


Infoblox DNS/DHCP

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Host Name, Hardware model, Serial number, Network Interfaces, Running processes, Installed software
  Metrics collected: System CPU utilization, Memory utilization, Disk usage, Disk I/O
  Used for: Performance Monitoring

Protocol: SNMP
  Metrics collected: Process level CPU utilization, Memory utilization

Protocol: SNMP
  Metrics collected: Zone Transfer metrics: For each zone: DNS Responses Sent, Failed DNS Queries, DNS Referrals, Non-existent DNS Record Queries, DNS Non-existent Domain Queries, Recursive DNS Query Received. DNS Cluster Replication metrics: DNS Replication Queue Status, Sent Queue From Master, Last Sent Time From Master, Sent Queue To Master, Last Sent Time To Master. DNS Performance metrics: NonAuth DNS Query Count, NonAuth Avg DNS Latency, Auth DNS Query Count, Auth Avg DNS Latency, Invalid DNS Port Response, Invalid DNS TXID Response. DHCP Performance metrics: Discovers/sec, Requests/Sec, Releases/Sec, Offers/sec, Acks/sec, Nacks/sec, Declines/sec, Informs/sec. DDNS Update metrics: DDNS Update Success, DDNS Update Fail, DDNS Update Reject, DDNS Prereq Update Reject, DDNS Update Latency, DDNS Update Timeout. DHCP subnet usage metrics: For each DHCP Subnet (addr, mask) - percent used
  Used for: Security Monitoring and compliance

Protocol: SNMP
  Metrics collected: Hardware status
  Used for: Availability monitoring

Protocol: SNMP Trap
  Metrics collected: Hardware failures, Software failures
  Used for: Availability monitoring


Event Types

In ADMIN > Device Support > Event, search for "infoblox" in the Device Type and Description columns to see the
event types associated with this device.

Reports

In RESOURCE > Reports, search for "infoblox" in the Name and Description columns to see the reports associated
with this application or device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

SNMP Trap

FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send
SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set
the Name and Community String.

Setting            Value
Name               <set name>
Device Type        Generic
Access Protocol    SNMP
Community String   <your own>


ISC BIND DNS

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Application type
  Metrics collected: Process level CPU utilization, Memory utilization
  Used for: Performance Monitoring

Protocol: Syslog
  Information discovered: Application type
  Metrics collected: DNS name resolution activity: DNS Query Success and Failure by type
  Used for: Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event, search for "isc bind" in the Device Type and Description column to see the
event types associated with this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Syslog

Configure the ISC BIND DNS Server to Send Syslogs

1. Edit named.conf and add a new line: include /var/named/conf/logging.conf;.


2. Edit the /var/named/conf/logging.conf file, and in the channel queries_file { } section add
syslog local3;
3. Restart BIND by issuing /etc/init.d/named restart.

Configure Syslog to Send to FortiSIEM

1. Edit syslog.conf and add a new line: Local7.* @<IP address of the FortiSIEM server>.
2. Restart the syslog daemon by issuing /etc/init.d/syslog restart.

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set
the Name and Community String.

Setting            Value
Name               <set name>
Device Type        Generic
Access Protocol    SNMP
Community String   <your own>

Sample BIND DNS Logs

<158>Jan 28 20:41:46 100.1.1.1 named[3135]: 28-Jan-2010 20:40:28.809 client
192.168.29.18#34065: query: www.google.com IN A +


Linux DHCP

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Application type
  Metrics collected: Process level CPU utilization, Memory utilization
  Used for: Performance Monitoring

Protocol: Syslog
  Information discovered: Application type
  Metrics collected: DHCP address release/renew events that are used by FortiSIEM for Identity and location: attributes include IP Address, MAC address, Host Name (associate machines to IP addresses)
  Used for: Security and compliance

Event Types

In ADMIN > Device Support > Event, search for "linux dhcp" in the Device Type column to see the event types
associated with this device.

Configuration

SNMP

1. Make sure that snmp libraries are installed.


FortiSIEM has been tested to work with net-snmp libraries.
2. Log in to your device with administrator credentials.
3. Modify the /etc/snmp/snmpd.conf file:
a. Define the community string for FortiSIEM usage and permit snmp access from FortiSIEM IP.
b. Allow FortiSIEM to (read-only) view the mib-2 tree.
c. Open up the entire tree for read-only view.
4. Restart the snmpd daemon by issuing /etc/init.d/snmpd restart.
5. Add the snmpd daemon to start from boot by issuing chkconfig snmpd on.
6. Make sure that snmpd is running.
You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery
Settings" and "Setting Credentials" in the User Guide.
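An added illustration of step 3 for a net-snmp /etc/snmp/snmpd.conf; it is not taken from this guide. The community string and collector address are placeholders to replace with your own values, and the first (commented-out) line shows the permissive setting that the restricted lines replace.

```conf
# Weak setting: any source can read the whole tree with a well-known community string.
# rocommunity public

# Step 3a: a community string reserved for FortiSIEM, accepted only from the collector address.
# Step 3b: read-only view limited to the mib-2 tree (.1.3.6.1.2.1).
view         mib2                included  .1.3.6.1.2.1
rocommunity  <community string>  <FortiSIEM IP>  -V mib2

# Step 3c: alternatively, open the entire tree for read-only view to the same source.
# view         all                 included  .1
# rocommunity  <community string>  <FortiSIEM IP>  -V all
```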


Syslog

Configure Linux DHCP to Forward Logs to Syslog Daemon

1. Edit dhcpd.conf and insert the line log-facility local7;.
2. Restart dhcpd by issuing /etc/init.d/dhcpd restart.

Configure Syslog to Forward to FortiSIEM

1. Edit syslog.conf and add a new line: Local7.* @<IP address of FortiSIEM server>.
2. Restart syslog daemon by issuing /etc/init.d/syslog restart.

Sample Syslog
<13>Aug 26 19:28:11 DNS-Pri dhcpd: DHCPREQUEST for 172.16.10.200 (172.16.10.8) from
00:50:56:88:4e:17 (26L2233B1-02)
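The ISC BIND and Linux DHCP sections above describe two feeds FortiSIEM joins for Identity and location: dhcpd lease events supply the IP-to-MAC/hostname mapping, and BIND query lines are then attributed to the host that held the source IP at that moment. As an added example that is not part of this guide, the following Python performs that join over constructed syslog lines modelled on the samples above (the DHCPACK and DHCPRELEASE line formats are ISC dhcpd's; addresses, MACs and hostnames are invented, and the same IP is deliberately re-leased to a second host so that the later query is attributed differently).

```python
import re

# Constructed log, modelled on the Linux DHCP and ISC BIND samples in the guide.
# The DHCPREQUEST line is informational only: a lease counts once the server ACKs it.
SAMPLE_LOG = """\
<13>Aug 26 19:28:11 DNS-Pri dhcpd: DHCPREQUEST for 172.16.10.200 (172.16.10.8) from 00:50:56:88:4e:17 (26L2233B1-02)
<13>Aug 26 19:28:11 DNS-Pri dhcpd: DHCPACK on 172.16.10.200 to 00:50:56:88:4e:17 (26L2233B1-02) via eth0
<158>Aug 26 19:30:02 100.1.1.1 named[3135]: 26-Aug-2010 19:30:02.100 client 172.16.10.200#34065: query: www.google.com IN A +
<13>Aug 26 19:40:00 DNS-Pri dhcpd: DHCPRELEASE of 172.16.10.200 from 00:50:56:88:4e:17 (26L2233B1-02) via eth0
<13>Aug 26 19:41:00 DNS-Pri dhcpd: DHCPACK on 172.16.10.200 to 00:0c:29:aa:bb:cc via eth0
<158>Aug 26 19:42:10 100.1.1.1 named[3135]: 26-Aug-2010 19:42:10.500 client 172.16.10.200#51000: query: update.example.net IN A +
<158>Aug 26 19:43:00 100.1.1.1 named[3135]: 26-Aug-2010 19:43:00.000 client 172.16.10.250#40000: query: intranet.corp IN A +
"""

MAC = r"([0-9a-fA-F:]{17})"
# dhcpd lease confirmation; the "(hostname)" part is absent when the client sent no name.
DHCP_ACK = re.compile(r"dhcpd: DHCPACK on (\S+) to " + MAC + r"(?: \(([^)]*)\))?")
DHCP_RELEASE = re.compile(r"dhcpd: DHCPRELEASE of (\S+) from " + MAC)
# BIND query log line as in the sample: "client <ip>#<port>: query: <name> IN <type> ..."
DNS_QUERY = re.compile(r"named\[\d+\]: .*?client (\S+)#\d+: query: (\S+) IN (\S+)")


def attribute_queries(log_text):
    """Walk the log in order, tracking which MAC/hostname currently holds each IP
    (DHCPACK assigns, DHCPRELEASE clears), and tag each DNS query with that identity.

    Returns one dict per query: srcIp, query, type, mac, host (mac/host are None
    when no lease is known for the address, e.g. a static or unmanaged host).
    """
    leases = {}  # ip -> (mac, hostname)
    results = []
    for line in log_text.splitlines():
        m = DHCP_ACK.search(line)
        if m:
            ip, mac, host = m.groups()
            leases[ip] = (mac, host or "")
            continue
        m = DHCP_RELEASE.search(line)
        if m:
            leases.pop(m.group(1), None)
            continue
        m = DNS_QUERY.search(line)
        if m:
            ip, qname, qtype = m.groups()
            mac, host = leases.get(ip, (None, None))
            results.append({"srcIp": ip, "query": qname, "type": qtype,
                            "mac": mac, "host": host})
    return results


if __name__ == "__main__":
    for row in attribute_queries(SAMPLE_LOG):
        print(f"{row['srcIp']:<15} {row['query']:<20} {row['type']:<4} "
              f"mac={row['mac']} host={row['host']}")
```

Without the release/re-lease bookkeeping the second query would be attributed to 26L2233B1-02, which is the misattribution the DHCP feed exists to prevent.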

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set
the Name and Community String.

Setting            Value
Name               <set name>
Device Type        Generic
Access Protocol    SNMP
Community String   <your own>


Microsoft DHCP

- Supported OS
- What is Discovered and Monitored
- Configuration
- Settings for Access Controls

Supported OS

- Windows 2003
- Windows 2008 and 2008 R2
- Windows 2012 and 2012 R2
- Windows 2016
- Windows 2019

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Process details
  Metrics collected: Process level CPU utilization, Memory utilization
  Used for: Performance Monitoring

Protocol: WMI
  Information discovered: Process details, process to service mappings
  Metrics collected: Process level metrics (Win32_Process, Win32_PerfRawData_PerfProc_Process): uptime, CPU utilization, Memory utilization, Read I/O, Write I/O. DHCP metrics (Win32_PerfFormattedData_DHCPServer_DHCPServer): DHCP request rate, release rate, decline rate, Duplicate Drop rate, Packet Rate, Active Queue length, DHCP response time, Conflict queue length
  Used for: Performance Monitoring

Protocol: Windows Agent
  Information discovered: Application type
  Metrics collected: DHCP address release/renew events that are used by FortiSIEM for Identity and location: attributes include IP Address, MAC address, Host Name (associate machines to IP addresses)
  Used for: Security and compliance

Event Types

In ADMIN > Device Support > Event, search for "microsoft dhcp" in the Description column to see the event types
associated with this device.


Configuration

SNMP

See SNMP Configurations in the Microsoft Windows Server Configuration section.

WMI

See WMI Configurations in the Microsoft Windows Server Configuration section.

FortiSIEM Windows Agent

For information on configuring DHCP for FortiSIEM Windows Agent, see Configuring Windows DHCP in the Windows
Agent Installation Guide.

Settings for Access Controls

See Setting Access Credentials in the Microsoft Windows Server Configuration section.


Microsoft DNS

- Supported OS
- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

Supported OS

- Windows 2003
- Windows 2008 and 2008 R2
- Windows 2012 and 2012 R2
- Windows 2016
- Windows 2019

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Application type
  Metrics collected: Process level CPU utilization, Memory utilization
  Used for: Performance Monitoring

Protocol: WMI
  Information discovered: Application type, service mappings
  Metrics collected: Process level metrics (Win32_Process, Win32_PerfRawData_PerfProc_Process): uptime, CPU utilization, Memory utilization, Read I/O, Write I/O. DNS metrics (Win32_PerfFormattedData_DNS_DNS): DNS requests received, DNS responses sent, WINS requests received, WINS responses sent, Recursive DNS queries received, Recursive DNS queries failed, Recursive DNS queries timeout, Dynamic DNS updates received, Dynamic DNS updates failed, Dynamic DNS updates timeout, Secure DNS update received, Secure DNS update failed, Full DNS Zone Transfer requests sent, Full DNS Zone Transfer requests received, Incremental DNS Zone Transfer requests sent, Incremental DNS Zone Transfer requests received
  Used for: Performance Monitoring

Protocol: Windows Agent
  Information discovered: Application type
  Metrics collected: DNS name resolution activity: DNS Query Success and Failure by type
  Used for: Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "microsoft dns" in the Description column to see the event types
associated with this device.


Configuration

SNMP

See SNMP Configurations in the Microsoft Windows Server Configuration section.

WMI

See WMI Configurations in the Microsoft Windows Server Configuration section.

FortiSIEM Windows Agent

For information on configuring DNS for FortiSIEM Windows Agent, see Configuring Windows DNS in the Windows
Agent 3.2.0 Installation Guide.

Settings for Access Credentials

See Setting Access Credentials in the Microsoft Windows Server Configuration section.


Directory Server

FortiSIEM supports this directory server for discovery and monitoring.

- Microsoft Active Directory


Microsoft Active Directory

- What is Discovered and Monitored
- Configuration
- Active Directory User Discovery
- Mapping Active Directory User Attributes to FortiSIEM User Attributes

What is Discovered and Monitored

Protocol: LDAP
  Information discovered: User details, Password age
  Used for: Security Monitoring, User meta data for log

Protocol: WMI
  Metrics collected: Win32_PerfRawData_NTDS_NTDS class: Directory Search Rate, Read Rate, Write Rate, Browse Rate, LDAP search rate, LDAP Bind Rate, New LDAP Connection Rate, Successful LDAP Bind Rate, LDAP Active Threads, LDAP Bind Time, LDAP Client Sessions
  Used for: Performance Monitoring

Protocol: WMI
  Metrics collected: "dcdiag -e" command output - detect successful and failed domain controller diagnostic tests
  Used for: Domain Controller Replication status

Protocol: WMI
  Metrics collected: "repadmin /replsummary" command output - detect replication statistics
  Used for: Domain Controller Replication status

Event Types

• PH_DISCOV_ADS_ACCOUNT_TO_EXPIRE (Active Directory account to expire in 2 weeks)
• PH_DISCOV_ADS_ACCT_DISABLED (Accounts Disabled)
• PH_DISCOV_ADS_DORMANT_ACCT (Dormant User Accounts - no logon in last 30 days)
• PH_DISCOV_ADS_PASSWORD_NEVER_EXPIRES (Active Directory user password never expires)
• PH_DISCOV_ADS_PASSWORD_NOT_REQD (Active Directory user password not required)
• PH_DISCOV_ADS_PASSWORD_STALE (Active Directory user password stale - more than 90 days)
• PH_DISCOV_ADS_PASSWORD_TO_EXPIRE (Active Directory user password to expire in 2 weeks)
• PH_DEV_MON_DCDIAG (output of "dcdiag -e" command)
[PH_DEV_MON_DCDIAG]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,[errReason]="",
[testResult]="passed",[testSubject]="WIN-IGO8O8M5JVT",[testName]="NCSecDesc"

• PH_DEV_MON_SRC_AD_REPL_STAT (output of "repadmin /replsummary" command)
[PH_DEV_MON_SRC_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,
[largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00,
[srcName]="WIN-IGO8O8M5JVT",[errReason]=""
• PH_DEV_MON_DST_AD_REPL_STAT (output of "repadmin /replsummary" command)
[PH_DEV_MON_DST_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,
[largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00,
[destName]="WIN-IGO8O8M5JVT",[errReason]=""
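The discovery checks behind the PH_DISCOV_ADS_* event types can be reproduced from the raw directory attributes. The following Python is an added example, not FortiSIEM's own code: it evaluates user records (FILETIME timestamps and userAccountControl bits, as LDAP returns them) against the thresholds the event descriptions name. The user records are constructed, and the 90-day maximum password age used for the "password to expire in 2 weeks" check is an assumption standing in for the domain's real password policy.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# accountExpires uses 0 or 0x7FFFFFFFFFFFFFFF for "never";
# lastLogonTimestamp and pwdLastSet use 0 for "never".
NEVER = (0, 0x7FFFFFFFFFFFFFFF)

# userAccountControl bit flags (Microsoft-documented values).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Thresholds named by the event descriptions above; STALE_DAYS doubles as the
# assumed domain maximum password age (not read from the real policy).
DORMANT_DAYS = 30
STALE_DAYS = 90
WARN_DAYS = 14


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime; None for 'never'."""
    if ft in NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (exact integer arithmetic, no float)."""
    td = dt - FILETIME_EPOCH
    return td.days * 86_400 * 10**7 + td.seconds * 10**7 + td.microseconds * 10


def evaluate_account(user, now):
    """Return the PH_DISCOV_ADS_* conditions that apply to one user record."""
    findings = []
    uac = user["userAccountControl"]
    if uac & ACCOUNTDISABLE:
        findings.append("PH_DISCOV_ADS_ACCT_DISABLED")
    if uac & PASSWD_NOTREQD:
        findings.append("PH_DISCOV_ADS_PASSWORD_NOT_REQD")
    if uac & DONT_EXPIRE_PASSWORD:
        findings.append("PH_DISCOV_ADS_PASSWORD_NEVER_EXPIRES")

    expires = filetime_to_datetime(user["accountExpires"])
    if expires is not None and now <= expires <= now + timedelta(days=WARN_DAYS):
        findings.append("PH_DISCOV_ADS_ACCOUNT_TO_EXPIRE")

    # An account that has never logged on counts as dormant too.
    last_logon = filetime_to_datetime(user["lastLogonTimestamp"])
    if last_logon is None or now - last_logon > timedelta(days=DORMANT_DAYS):
        findings.append("PH_DISCOV_ADS_DORMANT_ACCT")

    # pwdLastSet == 0 means "must change at next logon": nothing to age.
    pwd_set = filetime_to_datetime(user["pwdLastSet"])
    if pwd_set is not None and not uac & DONT_EXPIRE_PASSWORD:
        age = now - pwd_set
        if age > timedelta(days=STALE_DAYS):
            findings.append("PH_DISCOV_ADS_PASSWORD_STALE")
        elif age > timedelta(days=STALE_DAYS - WARN_DAYS):
            findings.append("PH_DISCOV_ADS_PASSWORD_TO_EXPIRE")
    return findings


NOW = datetime(2021, 5, 21, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def _ft(days_ago):
    return datetime_to_filetime(NOW - timedelta(days=days_ago))


# Constructed records, not real directory data.
SAMPLE_USERS = {
    "alice": {"userAccountControl": NORMAL_ACCOUNT, "accountExpires": 0x7FFFFFFFFFFFFFFF,
              "lastLogonTimestamp": _ft(2), "pwdLastSet": _ft(10)},
    "bob": {"userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE, "accountExpires": 0,
            "lastLogonTimestamp": _ft(45), "pwdLastSet": _ft(100)},
    "svc-backup": {"userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | PASSWD_NOTREQD,
                   "accountExpires": 0, "lastLogonTimestamp": 0, "pwdLastSet": _ft(400)},
    "contractor": {"userAccountControl": NORMAL_ACCOUNT, "accountExpires": _ft(-5),
                   "lastLogonTimestamp": _ft(1), "pwdLastSet": _ft(80)},
}


def run_sample():
    """Evaluate every constructed record; returns {user: [event types]}."""
    return {name: evaluate_account(rec, NOW) for name, rec in SAMPLE_USERS.items()}


if __name__ == "__main__":
    for name, findings in run_sample().items():
        print(f"{name:<12} {', '.join(findings) or 'clean'}")
```

The checks are applied per record, so the same function can run over a full LDAP export; a service account with DONT_EXPIRE_PASSWORD set is deliberately excluded from the stale-password check, matching the separate PASSWORD_NEVER_EXPIRES event.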

Rules

• Failed Windows DC Diagnostic Test

Reports

• Successful Windows Domain Controller Diagnostic Tests
• Failed Windows Domain Controller Diagnostic Tests
• Source Domain Controller Replication Status
• Destination Domain Controller Replication Status
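As an added example (not FortiSIEM's own parser or rule engine), the following Python reads event lines in the [key]=value form of the samples above and applies the two checks behind the rule Failed Windows DC Diagnostic Test and the replication-status reports: a dcdiag test whose result is not "passed", and a repadmin summary with a non-zero failure count. The three passing lines are the page's samples; the two failing lines are constructed for illustration.

```python
import re

# "[EVENT_TYPE]:" followed by "[key]=value" pairs separated by commas; a value is
# either a double-quoted string or a bare token, as in the PH_DEV_MON_* samples.
EVENT_TYPE_RE = re.compile(r'^\[(\w+)\]:')
ATTR_RE = re.compile(r'\[(\w+)\]=("(?:[^"\\]|\\.)*"|[^,]*)')

REPL_EVENTS = {'PH_DEV_MON_SRC_AD_REPL_STAT', 'PH_DEV_MON_DST_AD_REPL_STAT'}


def parse_event(line):
    """Return (event_type, {attribute: value}) for one event line."""
    m = EVENT_TYPE_RE.match(line)
    if not m:
        raise ValueError(f'not an event line: {line[:40]!r}')
    attrs = {}
    for key, raw in ATTR_RE.findall(line[m.end():]):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]          # strip quotes; the sample values contain no escapes
        attrs[key] = raw
    return m.group(1), attrs


def evaluate_dc_events(lines):
    """Return (host, reason) alerts: failed dcdiag tests and replication failures."""
    alerts = []
    for line in lines:
        etype, a = parse_event(line)
        if etype == 'PH_DEV_MON_DCDIAG' and a.get('testResult') != 'passed':
            alerts.append((a['hostName'],
                           f"dcdiag test {a['testName']} {a['testResult']}: {a['errReason']}"))
        elif etype in REPL_EVENTS and float(a.get('failureCount', '0')) > 0:
            peer = a.get('srcName') or a.get('destName')   # SRC vs DST event variants
            alerts.append((a['hostName'],
                           f"replication with {peer}: {a['failureCount']} of {a['count']} failed "
                           f"({a['failurePct']}%), largest delta {a['largestReplDelta']}: "
                           f"{a['errReason']}"))
    return alerts


SAMPLE_EVENTS = [
    # The three samples from the page (all healthy).
    '[PH_DEV_MON_DCDIAG]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,[errReason]="",'
    '[testResult]="passed",[testSubject]="WIN-IGO8O8M5JVT",[testName]="NCSecDesc"',
    '[PH_DEV_MON_SRC_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,'
    '[largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00,'
    '[srcName]="WIN-IGO8O8M5JVT",[errReason]=""',
    '[PH_DEV_MON_DST_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,'
    '[largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00,'
    '[destName]="WIN-IGO8O8M5JVT",[errReason]=""',
    # Constructed failing lines in the same format (values are made up).
    '[PH_DEV_MON_DCDIAG]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,'
    '[errReason]="replication latency above threshold",[testResult]="failed",'
    '[testSubject]="WIN-IGO8O8M5JVT",[testName]="Replications"',
    '[PH_DEV_MON_DST_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,'
    '[largestReplDelta]="02h:15m:03s",[failureCount]=2.00,[count]=5.00,[failurePct]=40.00,'
    '[destName]="DC-SITE2",[errReason]="RPC server unavailable"',
]

if __name__ == '__main__':
    for host, reason in evaluate_dc_events(SAMPLE_EVENTS):
        print(f'{host}: {reason}')
```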

Configuration

WMI

See WMI Configurations in the Microsoft Windows Server Configuration section.

Active Directory User Discovery

If you want to add Active Directory users to FortiSIEM, follow these steps in the FortiSIEM UI.
1. Add the login credentials for the Active Directory server and associate them with an IP range.
2. Discover the Active Directory server.
If the Active Directory server is discovered successfully, all of the users and their properties are added to
FortiSIEM.
After the users have been added to FortiSIEM, you can re-run discovery to pick up new changes from Active Directory. Do
not edit the users in FortiSIEM, because that would inevitably put FortiSIEM out of sync with Active Directory.
Since Active Directory can contain many users, you can choose a sub-tree by specifying a base DN (see below).

Adding Active Directory login credentials to FortiSIEM

1. Log in to your Supervisor UI.
2. Go to ADMIN > Setup > Credentials.
3. Click New to create an LDAP discovery credential by entering the following in the Access Method Definition dialog
box:

a. Name: a name for the credential.
b. Device Type: select Microsoft Windows.
c. Access Protocol:
i. By default, LDAP servers listen on TCP port 389.
ii. LDAPS (LDAP with SSL) defaults to port 636.
iii. LDAP Start TLS defaults to port 389.
d. Used For: select Microsoft Active Directory.
e. Enter the root of the LDAP user tree that you want to discover. For example, dc=companyABC,dc=com or
ou=Org1,dc=companyABC,dc=com
f. NetBIOS/Domain: enter the NetBIOS/Domain value.
g. User Name: enter the user name for your LDAP directory.
The user should be a member of the Domain Users group in Active Directory. See Validating LDAP
Credentials and Permissions for information on how to validate this membership.
h. Enter and confirm the Password for your User.
i. Click Save. Your LDAP credentials will be added to the list of credentials.
4. Under Enter IP Range to Credential Associations, click Add.
5. Select your LDAP credentials from the list of Credentials. Click + to add more.
6. Enter the IP/IP Range or host name for your Active Directory server.
7. Click Save. Your LDAP credentials will appear in the list of credential/IP address associations.
8. Click Test > Test Connectivity to make sure you can connect to the Active Directory server.

Discovering users in FortiSIEM

1. Go to ADMIN > Discovery and click Add.
2. For Name, enter Active Directory.
3. For Include Range, enter the IP address or host name for your Active Directory server.
4. Click OK. Active Directory will be added to the list of discoverable devices.
5. Select the Active Directory device and click Discover.
6. After discovery completes, go to CMDB > Users to view the discovered users. You may need to click Refresh to
load the user tree hierarchy.
To get user updates from Active Directory, simply re-run discovery.

Validating LDAP Credentials and Permissions

1. Log in to your Active Directory server.
2. Open the Active Directory console from the command prompt by executing the dsa.msc command.
3. From the Active Directory console, select the user that was added in the FortiSIEM Supervisor.
4. Right-click the selected user and check Properties.
5. The user should be a member of Domain Users.
6. In FortiSIEM, the Base DN should match, for example: DC=accelops,DC=net.

Mapping Active Directory User Attributes to FortiSIEM User Attributes

The following table shows how user attributes in Microsoft Active Directory are shown in the FortiSIEM UI. To find Active
Directory user attributes, take the following steps:
1. Log in to Active Directory.
2. Go to Active Directory Users and Computers.
3. Click View > Enable Advanced Features.
4. Find a user, and take the following steps:
a. Double click user.
b. Click Attribute Editor.
You will see a set of attributes and the values they are set to.

In FortiSIEM, user details can be found in CMDB > Users. First, click the tree node on the left that you have
discovered, then locate the user in the right pane. Attributes are displayed on the main page and under Summary,
Contact, and Member Of.

Microsoft Active Directory User Attribute    FortiSIEM User Attribute

sAMAccountName    User Name
name    Full Name
userPrincipalName    <Not shown>
mail    Email
telephoneNumber    Work Phone
mobile    Mobile Phone
title    Job Title
company    Company
department    <Not shown>
employeeID    Employee ID
manager    Manager
l    <Not shown>
postalCode    ZIP
streetAddress    Address
homePostalAddress    <Not shown>
c    City
st    State
co    Country
memberOf    Member Of

Document Management Server

FortiSIEM supports this document management server for discovery and monitoring.

• Microsoft SharePoint

Microsoft SharePoint

• What is Discovered and Monitored
• Configuration

What is Discovered and Monitored

Protocol: LOGbinder Agent
Metrics/Logs collected: SharePoint logs - Audit trail integrity, Access control changes, Document updates, List updates, Container object updates, Object changes, Object Import/Exports, Document views, Information Management Policy changes
Used for: Log analysis and compliance

Event Types

In ADMIN > Device Support > Event, search for "sharepoint" in the Description column to see the event types
associated with this device.

Reports

In RESOURCE > Reports , search for "sharepoint" in the Name column to see the reports associated with this
application or device.

Configuration

Microsoft SharePoint logs are supported via the LOGbinder SP agent from Monterey Technology Group. The agent must be
installed on the SharePoint server. Configure the agent to write logs to the Windows Security log. FortiSIEM simply
reads the logs from the Windows Security log via WMI, categorizes the SharePoint-specific events, and parses the
SharePoint-specific attributes.

Installing and Configuring LOGbinder SP Agent

• LOGbinder Install web link
• LOGbinder Configuration web link - remember to configure the LOGbinder SP agent to write to the Windows Security log
• LOGbinder SP getting started document - remember to configure the LOGbinder SP agent to write to the Windows
Security log

Healthcare IT

FortiSIEM supports the discovery and monitoring of these healthcare applications.

• Epic EMR/EHR System

Epic EMR/EHR System

• Integration Points
• Configuration
• Settings for Access Credentials
• Sample Events

Integration Points

Method: Syslog
Information discovered: Host name, Reporting IP
Metrics collected: None
LOGs collected: Authentication Query, Client login Query
Used for: Security monitoring

Event Types

In ADMIN > Device Support > Event, search for "Epic-SecuritySIEM" to see the event types associated with this
device. There are two events that are parsed:
• Epic-SecuritySIEM-AUTHENTICATION-Query
• Epic-SecuritySIEM-LOGIN-Query

Rules

No specific rules are written for Epic-SecuritySIEM.

Reports

No specific reports are written for Epic-SecuritySIEM.

Configuration

Configure the Epic-SecuritySIEM system to send logs to FortiSIEM in the supported format (see Sample Events).

Settings for Access Credentials

None required.

Sample Events

Oct 19 05:32:16 10.25.8.111 CEF:0|Epic|Security-SIEM|8.3.0|LOGIN|LOGIN|4|cnt=1 suser=3227^DOE, JOHN L^JOHN-DOE shost=PRD workstationID=WS7946 act=Query end=Oct 19 00:30:00 flag=^^Workflow Logging CLIENTNAME=dom1/WS7946 DEP=100000010^RMC ICU MAIN IP=10.25.6.59/10.170.10.66 LOGINLDAPID=JOHN-DOE LOGINREASON= OSUSR=WS7946 ROLE=MODEL IP NURSE SOURCE=1-Hyperspace USERJOB=304401^RMC INPATIENT NURSE TEMPLATE#011

Oct 19 05:32:16 10.25.8.111 CEF:0|Epic|Security-SIEM|8.3.0|AUTHENTICATION|AUTHENTICATION|4|cnt=1 suser=3055^DOE, JOHN^JOHN-DOE shost=PRD workstationID=WS7610 act=Query end=Oct 19 00:30:00 flag=Access History^^Workflow Logging LOGINCONTEXT=0-Login LOGINDEVICE=10001-ImprivataAuthMultiApp LOGINLDAPID=JOHN-DOE LOGINREVAL= 011
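The two sample events are CEF messages. The following Python is an added example, not part of the Epic integration or of FortiSIEM: it splits the CEF header on unescaped pipes, parses the extension into key/value pairs (values may contain spaces, so a value runs until the next token of the form key=), and composes the event type name. The rule that the event type is vendor, product without its hyphen, signature ID and act joined by hyphens is an assumption inferred from the two names listed under Event Types above; the sample lines are the page's own.

```python
import re

# Split the CEF header on pipes that are not escaped as "\|".
HEADER_SPLIT = re.compile(r'(?<!\\)\|')
# Extension "key=value" pairs; a value runs until the next " key=" token or end of line.
EXT_PAIR = re.compile(r'(\S+?)=(.*?)(?=\s+\S+?=|$)')


def _unescape(s):
    """Undo the CEF escapes for pipe, equals sign and backslash."""
    return s.replace(r'\|', '|').replace(r'\=', '=').replace(r'\\', '\\')


def parse_cef(line):
    """Parse a syslog line carrying a CEF:0 message into a dict."""
    start = line.find('CEF:')
    if start < 0:
        raise ValueError('not a CEF message')
    prefix = line[:start].strip()                    # syslog timestamp and reporting host
    parts = HEADER_SPLIT.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError('CEF header needs 7 pipe-separated fields before the extension')
    version, vendor, product, dev_version, sig_id, name, severity, extension = parts
    ext = {k: _unescape(v.strip()) for k, v in EXT_PAIR.findall(extension)}
    return {
        'syslog_prefix': prefix,
        'cef_version': version.split(':', 1)[1],
        'vendor': _unescape(vendor),
        'product': _unescape(product),
        'device_version': dev_version,
        'signature_id': sig_id,
        'name': _unescape(name),
        'severity': int(severity),
        'extension': ext,
    }


def fortisiem_event_type(parsed):
    """Assumed naming: vendor, product (hyphen removed), signature ID and act, hyphen-joined."""
    return '-'.join([parsed['vendor'], parsed['product'].replace('-', ''),
                     parsed['signature_id'], parsed['extension'].get('act', '')])


# The page's two sample events, joined onto single lines.
SAMPLE_LOGIN = ('Oct 19 05:32:16 10.25.8.111 CEF:0|Epic|Security-SIEM|8.3.0|LOGIN|LOGIN|4|cnt=1 '
                'suser=3227^DOE, JOHN L^JOHN-DOE shost=PRD workstationID=WS7946 act=Query '
                'end=Oct 19 00:30:00 flag=^^Workflow Logging CLIENTNAME=dom1/WS7946 '
                'DEP=100000010^RMC ICU MAIN IP=10.25.6.59/10.170.10.66 LOGINLDAPID=JOHN-DOE '
                'LOGINREASON= OSUSR=WS7946 ROLE=MODEL IP NURSE SOURCE=1-Hyperspace '
                'USERJOB=304401^RMC INPATIENT NURSE TEMPLATE#011')
SAMPLE_AUTH = ('Oct 19 05:32:16 10.25.8.111 CEF:0|Epic|Security-SIEM|8.3.0|AUTHENTICATION|'
               'AUTHENTICATION|4|cnt=1 suser=3055^DOE, JOHN^JOHN-DOE shost=PRD '
               'workstationID=WS7610 act=Query end=Oct 19 00:30:00 '
               'flag=Access History^^Workflow Logging LOGINCONTEXT=0-Login '
               'LOGINDEVICE=10001-ImprivataAuthMultiApp LOGINLDAPID=JOHN-DOE LOGINREVAL= 011')

if __name__ == '__main__':
    for line in (SAMPLE_LOGIN, SAMPLE_AUTH):
        p = parse_cef(line)
        print(fortisiem_event_type(p), p['severity'], p['extension']['suser'])
```

The lookahead in EXT_PAIR is what keeps "MODEL IP NURSE" together as one ROLE value while still closing the empty LOGINREASON= value at the following key; the same approach handles any CEF extension whose values are not themselves of the form word=.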

Mail Server

FortiSIEM supports this mail server for discovery and monitoring.

• Microsoft Exchange

Microsoft Exchange

• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials
• Sample Logs

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Application type
Metrics collected: Process level CPU and memory utilization for the various Exchange server processes
Used for: Performance Monitoring

Protocol: WMI
Information discovered: Application type, service mappings
Metrics collected:
• Process level metrics: uptime, CPU utilization, Memory utilization, Read I/O KBytes/sec, Write I/O KBytes/sec for the various Exchange server processes
• Exchange performance metrics: VM Largest Block Size, VM Large Free Block Size, VM Total Free Blocks, RPC Requests, RPC Request Peak, RPC Average Latency, RPC Operations/sec, User Count, Active User Count, Peak User Count, Active Connection Count, Max Connection Count
• Exchange error metrics (obtained from Win32_PerfRawData_MSExchangeIS_MSExchangeIS WMI class): RPC Success, RPC Failed, RPC Denied, RPC Failed - Server Busy, RPC Failed - Server Unavailable, Foreground RPC Failed, Background RPC Failed
• Exchange mailbox metrics (obtained from Win32_PerfRawData_MSExchangeIS_MSExchangeISMailbox and Win32_PerfRawData_MSExchangeIS_MSExchangeISPublic WMI classes): Per Mailbox: Send Queue, Receive Queue, Sent Message, Submitted Message, Delivered Message, Active User, Peak User
• Exchange SMTP metrics (obtained from Win32_PerfRawData_SMTPSVC_SMTPServer WMI class): Categorization Queue, Local Queue, Remote Queue, Inbound Connections, Outbound Connections, Sent Bytes/sec, Received Bytes/sec, Retry Count, Local Retry Queue, Remote Retry Queue
• Exchange ESE Database (Win32_PerfFormattedData_ESE_MSExchangeDatabase)
• Exchange Database Instances (Win32_PerfFormattedData_ESE_MSExchangeDatabaseInstances)
• Exchange Mail Submission Metrics (Win32_PerfFormattedData_MSExchangeMailSubmission_MSExchangeMailSubmission)
• Exchange Replication Metrics (Win32_PerfFormattedData_MSExchangeReplication_MSExchangeReplication)
• Exchange Store Interface Metrics (Win32_PerfFormattedData_MSExchangeStoreInterface_MSExchangeStoreInterface)
• Exchange Transport Queue Metrics (Win32_PerfFormattedData_MSExchangeTransportQueues_MSExchangeTransportQueues)
Used for: Performance Monitoring

Protocol: Windows Agent
Metrics collected: Application Logs
Used for: Security Monitoring and Compliance

Event Types

In ADMIN > Device Support > Event, search for "microsoft exchange" in the Description column to see the event
types associated with this device.

Reports

In RESOURCE > Reports , search for "microsoft exchange" in the Name column to see the reports associated with
this application or device.

Configuration

SNMP

See SNMP Configurations in the Microsoft Windows Server Configuration section.

WMI

See WMI Configurations in the Microsoft Windows Server Configuration section.

Settings for Access Credentials

See Setting Access Credentials in the Microsoft Windows Server Configuration section.

Sample Logs

2017-10-05T12:06:00Z SRV-EXCH02.uskudar.bld 10.9.1.105 AccelOps-WUA-UserFile-ExchangeTrackLog
[monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="d78e4bd5-bc3f-4950-bcdf-
926947ee1db7" [timeZone]="+0300" [fileName]="C:\\Program Files\\Microsoft\\Exchange
Server\\V15\\TransportRoles\\Logs\\MessageTracking\\MSGTRKMS2017100512-1.LOG" [msg]="2017-10-
05T12:05:56.564Z,fe80::ac4c:6f22:1c25:97d8%13,SRV-EXCH02,,SRV-
EXCH01.uskudar.bld,\"MDB:d72c63cf-290e-456e-86e5-85dedb1f56de, Mailbox:d7c8c416-c1a7-4225-
a17f-552d5274703d, Event:4419662,
MessageClass:IPM.Note.ProbeMessage.MBTSubmissionServiceHeartbeatProbe, CreationTime:2017-10-
05T12:05:56.267Z, ClientType:Monitoring,
SubmissionAssistant:MailboxTransportSubmissionEmailAssistant\",,STOREDRIVER,SUBMIT,,<e545b6122
[email protected]>,0a21180c-5932-4c7e-3888-
08d50be96f34,[email protected],,,1,,,00000052-0000-
0000-0000-0000ea5a2141-
MBTSubmissionServiceHeartbeatProbe,[email protected]
r,,2017-10-05T12:05:56.267Z;LSRV=SRV-EXCH02.uskudar.bld:TOTAL-SUB=0.296|SA=0.078|MTSS=0.209
(MTSSD=0.209(MTSSDA=0.005|MTSSDC=0.005|SDSSO=0.161(SMSC=0.020|SMS=0.140)|X-MTSSDPL=0.004|X-
MTSSDSS=0.008|MTSSDSDS=0.001)),Originating,,,,S:ItemEntryId=00-00-00-00-ED-99-60-31-E3-76-3C-
4B-BE-FE-5B-27-F0-88-3D-0A-07-00-25-D5-0C-8E-46-5A-51-46-A4-18-7D-65-F7-DF-52-1C-00-00-00-00-
01-0B-00-00-25-D5-0C-8E-46-5A-51-46-A4-18-7D-65-F7-DF-52-1C-00-00-30-88-0D-FF-00-
00,Email,92e0d0ab-4670-41e9-d453-08d50be96f50,15.01.0845.034"

Management Server/Appliance

FortiSIEM supports these management servers and appliances for discovery and monitoring.

• Cisco Application Centric Infrastructure (ACI)
• Fortinet FortiInsight
• Fortinet FortiManager

Cisco Application Centric Infrastructure (ACI)

What is Discovered and Monitored

Protocol: Cisco APIC API (REST)
Metrics Collected: Overall Health, Tenant Health, Node Health, Cluster Health, Application Health, EPG health, Fault Record, Event record, Log Record, Configuration Change
Used For: Availability and Performance Monitoring

Event Types

Go to ADMIN > Device Support > Event and search for "Cisco_ACI".

Rules

Go to RESOURCE > Rules and search for "Cisco ACI".

Reports

Go to RESOURCE > Reports and search for "Cisco ACI".

Configuration

Cisco ACI Configuration

Configure the Cisco ACI appliance so that FortiSIEM can access it via the APIC API.

FortiSIEM Configuration

1. Go to ADMIN > Setup > Credentials.
2. In Step 1: Enter Credentials, click New and create a credential.

Settings Description

Name Enter a name for the credential.

Device Type CISCO CISCO ACI

Access Protocol Cisco APIC API

Pull Interval 5 minutes

Port 443

Settings Description

Password config See Password Configuration

User Name User name for device access

Password Password for the various REST APIs

Description Password for the various REST APIs

3. In Step 2: Enter IP Range to Credential Associations, click New and create the association.
a. IP - specify the IP address of the ACI Controller.
b. Credential - specify the Name entered in step 2.
4. Test Connectivity - run Test Connectivity with or without ping and make sure the test succeeds.
5. Check the Pull Events tab to make sure that an event pulling entry is created.

Sample Events

Overall Health Event

[Cisco_ACI_Overall_Health]: {"attributes":{"childAction":"","cnt":"29","dn":"topology/HDfabricOverallHealth5min0","healthAvg":"82","healthMax":"89","healthMin":"0","healthSpct":"0","healthThr":"","healthTr":"1","index":"0","lastCollOffset":"290","repIntvEnd":"2016-09-05T08:13:53.232+00:00","repIntvStart":"2016-09-05T08:09:03.128+00:00","status":""}}

Tenant Health Event

[Cisco_ACI_Tenant_Health]: {"attributes":{"childAction":"","descr":"","dn":"uni/tn-CliQr","lcOwn":"local","modTs":"2016-09-05T07:56:27.164+00:00","monPolDn":"uni/tn-common/monepg-default","name":"CliQr","ownerKey":"","ownerTag":"","status":"","uid":"15374"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"100","updTs":"2016-09-05T08:27:03.584+00:00"}}}]

Nodes Health Event

[Cisco_ACI_Node_Health]: {"attributes":{"address":"10.0.208.95","childAction":"","configIssues":"","currentTime":"2016-09-05T08:15:51.794+00:00","dn":"topology/pod-1/node-101/sys","fabricId":"1","fabricMAC":"00:22:BD:F8:19:FF","id":"101","inbMgmtAddr":"0.0.0.0","inbMgmtAddr6":"0.0.0.0","lcOwn":"local","modTs":"2016-09-05T07:57:29.435+00:00","mode":"unspecified","monPolDn":"uni/fabric/monfab-default","name":"Leaf1","oobMgmtAddr":"0.0.0.0","oobMgmtAddr6":"0.0.0.0","podId":"1","role":"leaf","serial":"TEP-1-101","state":"in-service","status":"","systemUpTime":"00:00:27:05.000"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"-10","cur":"90","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"90","updTs":"2016-09-05T07:50:08.415+00:00"}}}]

Cluster Health Event

[Cisco_ACI_Cluster_Health]: {"attributes":{"addr":"10.0.0.1","adminSt":"in-service","chassis":"10220833-ea00-3bb3-93b2-ef1e7e645889","childAction":"","cntrlSbstState":"approved","dn":"topology/pod-1/node-1/av/node-1","health":"fully-fit","id":"1","lcOwn":"local","mbSn":"TEP-1-1","modTs":"2016-09-05T08:00:46.797+00:00","monPolDn":"","mutnTs":"2016-09-05T07:50:19.570+00:00","name":"","nodeName":"apic1","operSt":"available","status":"","uid":"0"}

Application Health Event

[Cisco_ACI_Application_Health]: {"attributes":{"childAction":"","descr":"","dn":"uni/tn-infra/ap-access","lcOwn":"local","modTs":"2016-09-07T08:17:20.503+00:00","monPolDn":"uni/tn-common/monepg-default","name":"access","ownerKey":"","ownerTag":"","prio":"unspecified","status":"","uid":"0"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"100","updTs":"2016-09-07T08:39:35.531+00:00"}}}]}

EPG Health Event

[Cisco_ACI_EPG_Health]: {"attributes":{"childAction":"","configIssues":"","configSt":"applied","descr":"","dn":"uni/tn-infra/ap-access/epg-default","isAttrBasedEPg":"no","lcOwn":"local","matchT":"AtleastOne","modTs":"2016-09-07T08:17:20.503+00:00","monPolDn":"uni/tn-common/monepg-default","name":"default","pcEnfPref":"unenforced","pcTag":"16386","prio":"unspecified","scope":"16777199","status":"","triggerSt":"triggerable","txId":"5764607523034234882","uid":"0"},"children":[{"healthInst":{"attributes":{"childAction":"","chng":"0","cur":"100","maxSev":"cleared","prev":"100","rn":"health","status":"","twScore":"100","updTs":"2016-09-07T08:39:35.549+00:00"}}}]

Fault Record Event

[Cisco_ACI_Fault_Record]: ,"created":"2016-09-05T08:00:41.313+00:00","delegated":"no","delegatedFrom":"","descr":"Controller3isunhealthybecause:DataLayerPartiallyDegradedLeadership","dn":"subj-[topology/pod-1/node-1/av/node-3]/fr-4294967583","domain":"infra","highestSeverity":"critical","id":"4294967583","ind":"modification","lc":"soaking","modTs":"never","occur":"1","origSeverity":"critical","prevSeverity":"critical","rule":"infra-wi-node-health","severity":"critical","status":"","subject":"controller","type":"operational"}

Event Record Event

[Cisco_ACI_Event_Record]: {"attributes":{"affected":"topology/pod-1/node-2/lon/svc-ifc_dhcpd","cause":"state-change","changeSet":"id:ifc_dhcpd,leCnnct:undefined,leNonOptCnt:undefined,leNotCnnct:undefined,name:ifc_dhcpd","childAction":"","code":"E4204979","created":"2016-09-05T07:57:37.024+00:00","descr":"Allshardsofserviceifc_dhcpdhaveconnectivitytotheleaderreplicaintheCluster.","dn":"subj-[topology/pod-1/node-2/lon/svc-ifc_dhcpd]/rec-8589934722","id":"8589934722","ind":"state-transition","modTs":"never","severity":"info","status":"","trig":"oper","txId":"18374686479671623682","user":"internal"}

Log Record Event

[Cisco_ACI_Log_Record]: {"attributes":{"affected":"uni/userext/user-admin","cause":"unknown","changeSet":"","childAction":"","clientTag":"","code":"generic","created":"2016-09-05T07:56:25.825+00:00","descr":"From-198.18.134.150-client-type-REST-Success","dn":"subj-[uni/userext/user-admin]/sess-4294967297","id":"4294967297","ind":"special","modTs":"never","severity":"info","status":"","systemId":"1","trig":"login,session","txId":"0","user":"admin"}

Configuration Change Event

[Cisco_ACI_Configuration_Chang]: {"attributes":{"affected":"uni/tn-CliQr/out-CliQr-Prod-L3Out/instP-CliQr-Prod-L3Out-EPG/rscustQosPol","cause":"transition","changeSet":"","childAction":"","clientTag":"","code":"E4206266","created":"2016-09-05T07:56:27.099+00:00","descr":"RsCustQosPolcreated","dn":"subj-[uni/tn-CliQr/out-CliQr-Prod-L3Out/instP-CliQr-Prod-L3Out-EPG/rscustQosPol]/mod-4294967308","id":"4294967308","ind":"creation","modTs":"never","severity":"info","status":"","trig":"config","txId":"7493989779944505526","user":"admin"}}
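The health records above carry their score in different places: healthAvg for the fabric as a whole, health and operSt for an APIC cluster member, and children[0].healthInst.attributes.cur (with prev and chng) for tenants, nodes, applications and EPGs. As an added example (not FortiSIEM's own rules or parser), the following Python reads lines in the [Cisco_ACI_*]: {json} form, tolerates trailing text after the JSON value (the Configuration Change sample ends with an extra brace), and flags degraded health, critical or major faults, and configuration changes. The 90 health threshold and the set of fault severities that alert are assumptions; the sample records are constructed from the page's samples, trimmed to the fields the code uses.

```python
import json
import re

# Event lines look like "[Cisco_ACI_Node_Health]: {...json...}".
LINE_RE = re.compile(r'^\[(Cisco_ACI_\w+)\]:\s*(.*)$', re.S)
_DECODER = json.JSONDecoder()

HEALTH_WARN = 90                                # assumed threshold on the 0..100 APIC health score
FAULT_ALERT_SEVERITIES = {'critical', 'major'}  # assumed: fault severities worth an alert


def parse_aci_line(line):
    """Return (event_type, body). raw_decode stops at the end of the first JSON value,
    so trailing characters such as a stray brace are ignored rather than raising."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError('not a Cisco_ACI event line')
    body, _end = _DECODER.raw_decode(m.group(2))
    return m.group(1), body


def _alert(event, dn, reason):
    return {'event': event, 'dn': dn, 'reason': reason}


def evaluate_aci(line):
    """Return an alert dict for records worth acting on, or None."""
    etype, body = parse_aci_line(line)
    attrs = body.get('attributes', {})
    dn = attrs.get('dn') or attrs.get('affected', '')
    if etype == 'Cisco_ACI_Overall_Health':
        score = int(attrs['healthAvg'])
        if score < HEALTH_WARN:
            return _alert(etype, dn, f'fabric health average {score} below {HEALTH_WARN}')
    elif etype == 'Cisco_ACI_Cluster_Health':
        if attrs.get('health') != 'fully-fit' or attrs.get('operSt') != 'available':
            return _alert(etype, dn, f"APIC {attrs.get('nodeName')} is "
                                     f"{attrs.get('health')}/{attrs.get('operSt')}")
    elif etype.endswith('_Health'):          # tenant, node, application, EPG
        h = body['children'][0]['healthInst']['attributes']
        cur, prev = int(h['cur']), int(h['prev'])
        if cur < HEALTH_WARN or cur < prev:  # alert on a drop even if still above threshold
            return _alert(etype, dn, f"health score {prev} -> {cur} (chng {h.get('chng')})")
    elif etype == 'Cisco_ACI_Fault_Record':
        if attrs.get('severity') in FAULT_ALERT_SEVERITIES:
            return _alert(etype, dn, f"{attrs['severity']} fault {attrs.get('rule')}: "
                                     f"{attrs.get('descr')}")
    elif etype == 'Cisco_ACI_Configuration_Chang':
        return _alert(etype, dn, f"configuration {attrs.get('ind')} by {attrs.get('user')}: "
                                 f"{attrs.get('descr')}")
    return None


# Constructed from the page's samples, trimmed to the fields used above.
SAMPLES = [
    '[Cisco_ACI_Overall_Health]: {"attributes":{"dn":"topology/HDfabricOverallHealth5min0",'
    '"healthAvg":"82","healthMax":"89","healthMin":"0"}}',
    '[Cisco_ACI_Node_Health]: {"attributes":{"dn":"topology/pod-1/node-101/sys","name":"Leaf1",'
    '"role":"leaf","state":"in-service"},"children":[{"healthInst":{"attributes":'
    '{"chng":"-10","cur":"90","maxSev":"cleared","prev":"100"}}}]}',
    '[Cisco_ACI_Application_Health]: {"attributes":{"dn":"uni/tn-infra/ap-access","name":"access"},'
    '"children":[{"healthInst":{"attributes":{"chng":"0","cur":"100","maxSev":"cleared","prev":"100"}}}]}',
    '[Cisco_ACI_Cluster_Health]: {"attributes":{"addr":"10.0.0.1","dn":"topology/pod-1/node-1/av/node-1",'
    '"health":"fully-fit","nodeName":"apic1","operSt":"available"}}',
    '[Cisco_ACI_Fault_Record]: {"attributes":{"created":"2016-09-05T08:00:41.313+00:00",'
    '"descr":"Controller3isunhealthybecause:DataLayerPartiallyDegradedLeadership",'
    '"dn":"subj-[topology/pod-1/node-1/av/node-3]/fr-4294967583","rule":"infra-wi-node-health",'
    '"severity":"critical","subject":"controller"}}',
    '[Cisco_ACI_Log_Record]: {"attributes":{"affected":"uni/userext/user-admin",'
    '"descr":"From-198.18.134.150-client-type-REST-Success","severity":"info",'
    '"trig":"login,session","user":"admin"}}',
    # Trailing extra brace kept on purpose, as in the page's Configuration Change sample.
    '[Cisco_ACI_Configuration_Chang]: {"attributes":{"affected":"uni/tn-CliQr/out-CliQr-Prod-L3Out/'
    'instP-CliQr-Prod-L3Out-EPG/rscustQosPol","descr":"RsCustQosPolcreated","ind":"creation",'
    '"trig":"config","user":"admin"}}}',
]


def run_samples():
    """Evaluate every sample line and return only the alerts, in input order."""
    return [a for a in map(evaluate_aci, SAMPLES) if a]


if __name__ == '__main__':
    for a in run_samples():
        print(f"{a['event']:<32} {a['dn']}: {a['reason']}")
```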

Fortinet FortiInsight

FortiInsight is a unique data security and threat detection solution that delivers advanced threat hunting to help you
spot, respond to, and manage risky behaviors that put your business-critical data at risk. It combines powerful and
flexible machine learning with detailed forensics around user actions to bring focus to the facts more rapidly than other
solutions.

• What is Discovered and Monitored
• Event Types
• Rules
• Reports
• Configuration in FortiInsight
• Configuration in FortiSIEM
• Sample Events

What is Discovered and Monitored

Protocol: FortiInsight API
Information collected: Policy based alerts and AI based alerts
Used for: Data security, threat protection

This feature allows FortiSIEM to get Policy-based alerts and AI-based alerts from FortiInsight.

Event Types

In RESOURCES > Event Types, enter "FortiInsight" in the Search column to see the event types associated with this
device.

Rules

In RESOURCES > Rules, enter "FortiInsight" in the Search column to see the rules associated with this device.

Reports

No defined reports.

Configuration in FortiInsight

Get an API Key in FortiInsight

Complete these steps in the FortiInsight UI:

1. Log in to FortiInsight.
2. Select Admin > Account from the left menu.
3. Click New API Key to open the New API Key dialog box.
4. Enter a descriptive Name.
5. Click Save to generate the API key. This will download a file containing the API key information (Client ID, Client
Secret, and Name). Make a note of these values; you will need them when you configure FortiSIEM.

Configuration in FortiSIEM

Complete these steps in the FortiSIEM UI:

1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
b. Enter these settings in the Access Method Definition dialog box:

Settings Description

Name Enter a name for the credential

Device Type Fortinet FortiSIEM

Access Protocol FortiInsight API

Pull Interval The interval in which FortiSIEM will pull events from FortiInsight. Default is 3 minutes.

Client ID Access key for your FortiInsight instance.

Client Secret Secret key for your FortiInsight instance

Organization The organization the device belongs to.

Description Description of the device.

3. In Step 2, Enter IP Range to Credential Associations:
a. Select the name of your Fortinet FortiInsight credential from the Credentials drop-down list.
b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
c. Click Save.
4. Click Test to test the connection to FortiInsight.
5. To see the jobs associated with FortiInsight, select ADMIN > Setup > Pull Events.
6. To see the received events, select ANALYTICS, then enter FortiInsight in the search box.

Sample Events

[FORTIINSIGHT_POLICY_ALERT] = {"description":"","events":[{"act":"file downloaded","app":"chrome.exe","childId":null,"d":"2019-03-18T13:22:24.344+00:00","id":null,"m":"uqP","mn":{"dh":"tcp://server-10-230-2-153.lhr5.r.cloudfront.net","dip":"10.1.1.76","dp":61024,"ext":".mkv","fp":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv","fs":2307792448,"loc":{"altCode":null,"city":"Augsburg","code":"DE","country":"Germany","latitude":"48.3718","longitude":"10.8925"},"p":"tcp-ip-4","sip":"78.47.38.226","sp":443,"ts":1460},"r":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv-> tcp://server-54-230-2-153.lhr5.r.cloudfront.net:443","u":"acmeltd__engineer2"}],"extendedEvents":[{"act":"file downloaded","app":"chrome.exe","childId":null,"d":"2019-03-18T13:22:24.344+00:00","id":null,"latestHostname":"mimas","latestIp":"10.10.0.1","m":"uqP","mn":{"dh":"tcp://server-54-230-2-153.lhr5.r.cloudfront.net","dip":"10.1.1.76","dp":61024,"ext":".mkv","fp":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv","fs":2307792448,"loc":{"altCode":null,"city":"Augsburg","code":"DE","country":"Germany","latitude":"48.3718","longitude":"10.8925"},"p":"tcp-ip-4","sip":"78.47.38.226","sp":443,"ts":1460},"r":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv-> tcp://server-10-230-2-153.lhr5.r.cloudfront.net:443","resolvedUsername":"","u":"acmeltd__engineer2"}],"id":"AWmQ98PYg7b_-i6_5Rvg","labels":[""],"policyId":"default_6COnUMjTCB8N","policyName":"Browser Download","regimes":["ZoneFox"],"serverIp":"52.209.49.52","serverName":"fortisiemtest.dev.fortiinsight.cloud","severity":10,"status":"New","time":"2019-03-18T13:22:29.473715+00:00"}

Fortinet FortiManager

• What is Discovered and Monitored
• Configuration

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Hardware model, Network interfaces, Operating system version
Metrics Collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used For: Availability and Performance Monitoring

Event Types

Regular monitoring events

• PH_DEV_MON_SYS_CPU_UTIL
• PH_DEV_MON_SYS_MEM_UTIL
• PH_DEV_MON_SYS_DISK_UTIL
• PH_DEV_MON_NET_INTF_UTIL

Rules

Regular monitoring rules

Reports

Regular monitoring reports

Configuration

You can now configure FortiSIEM to communicate with FortiManager. For more information, refer to sections
"Discovery Settings" and "Setting Credentials" in the User Guide. For Device Type Fortinet FortiManager, see
Access Credentials.

Remote Desktop

FortiSIEM supports this remote desktop application for discovery and monitoring.

• Citrix Receiver (ICA)

Citrix Receiver (ICA)

• What is Discovered and Monitored
• Event Types
• Reports
• Configuration

What is Discovered and Monitored

Protocol: WMI
Metrics Collected: From PH_DEV_MON_APP_ICA_SESS_MET:
• ICA Latency Last Recorded
• ICA Latency Session Average
• ICA Latency Session Deviation
• ICA Input Session Bandwidth
• ICA Input Session Line Speed
• ICA Input Session Compression
• ICA Input Drive Bandwidth
• ICA Input Text Echo Bandwidth
• ICA Input SpeedScreen Data Bandwidth
• Input Audio Bandwidth
• ICA Input VideoFrame Bandwidth
• ICA Output Session Bandwidth
• ICA Output Session Line Speed
• ICA Output Session Compression
• ICA Output Drive Bandwidth
• ICA Output Text Echo Bandwidth
• ICA Output SpeedScreen Data Bandwidth
• ICA Output Audio Bandwidth
• ICA Output VideoFrame Bandwidth

Event Types

In ADMIN > Device Support > Event, search for "citrix ICA" in the Description column to see the event types
associated with this device.

Reports

In RESOURCE > Reports , search for "citrix ICA" in the Name column to see the reports associated with this
application or device.

Configuration

WMI

Required WMI Class

Make sure the WMI class Win32_PerfRawData_CitrixICA_ICASession is available on the host machine for
Citrix ICA.
Configuring WMI on your device so FortiSIEM can discover and monitor it requires you to create a user who has access
to WMI objects on the device. There are two ways to do this:
• Creating a Generic User Who Does Not Belong to the Local Administrator Group
• Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users
Group and the Performance Monitor Users Group

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and
Groups.
2. Right-click Users and select Add User.
3. Create a user.
4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
5. In the Distributed COM Users Properties dialog, click Add.
6. Find the user you created, and then click OK.
This is the account you must use to set up the Performance Monitor Users group permissions.
7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local
Access and Remote Access set to Allowed.
5. Click OK.
6. Under Access Permissions, click Edit Default.
7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local
Access and Remote Access set to Allowed.
8. Click OK.
9. Under Launch and Activation Permissions, click Edit Limits.


10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the
permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. Click OK.
12. Under Launch and Activation Permissions, click Edit Defaults.
13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the
permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the
Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators
Group

1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select Add User.
3. Create a user in your domain. The guide's example uses the @accelops.com domain, for example [email protected].
4. Go to Groups, right-click Domain Admins, and then click Add to Group.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. For Enter the object names to select, enter the user you created in step 3.
7. Click OK to close the Domain Admins Properties dialog.
8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both
Local Access and Remote Access.
5. Click OK.
6. In the COM Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for
both Local Access and Remote Access.
8. Click OK.
9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local
Launch, Remote Launch, Local Activation, and Remote Activation.


11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local
Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored
device.
1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and
Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security tab.
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the
permission Allow for Enable Account and Remote Enable.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

1. In the Start menu, select Run.
2. Run gpedit.msc.
3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network >
Network Connections > Windows Firewall.
4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the
domain or not.
5. Enable the Windows Firewall: Allow remote administration exception policy.
6. Run cmd.exe and enter these two commands. The first opens the DCOM endpoint mapper port, the second allows
the WMI callback helper unsecapp.exe through the firewall:
netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP
7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and then click OK.


You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery
Settings" and "Setting Credentials" in the User Guide.


Source Code Control

FortiSIEM supports the GitHub and GitLab Source Code Control tools for log collection, through their APIs and, for
GitLab, through the Git command line:
- GitHub
- GitLab API
- GitLab CLI


GitHub

- Integration points
- Event Types
- Rules
- Reports
- GitHub API Integration
- Configuring GitHub Server
- Configuring FortiSIEM

Integration points

Protocol: GitHub API
Information collected: Logs from the GitHub Service
Used for: Security and Compliance

Event Types

In ADMIN > Device Support > Event, search for "GitHub" to see the event types associated with this device.

Rules

In RESOURCE > Rules, search for "GitHub" to see the rules associated with this device.

Reports

In RESOURCE > Reports, search for "GitHub" to see the reports associated with this device.

Configuring GitHub Server

Create a dedicated account to be used for FortiSIEM communication, with read access only to the organizations and
repositories whose logs you need. Note that GitHub.com stopped accepting account passwords for REST API basic
authentication in November 2020; a personal access token is accepted in place of the password.

Configuring FortiSIEM

Use the account in previous step to enable FortiSIEM access.


1. Login to FortiSIEM.
2. Go to ADMIN > Setup > Credential.
3. Click New to create a GitHub credential.
4. In Step 1: Enter Credentials, enter these settings in the Access Method Definition dialog box:


Name: Enter a name for the credential.
Device Type: GitHub.com GitHub
Access Protocol: GitHub API
Pull Interval: The interval at which FortiSIEM pulls events. Default is 5 minutes.
Password Config: See Password Configuration.
User Name and Password: Enter the user name and password for the account created while Configuring GitHub Server.
Organization: Choose the Organization if it is an MSP deployment and the same credential has to be used for multiple
customers.
Description: Description of the device.

5. Enter an IP Range to Credential Association.


a. Set IP to the IP address of the GitHub Server.
b. Select the Credential created in steps 3 and 4.
c. Click Save.
6. Select the entry in step 4 above and click Test Connectivity.
7. After Test Connectivity succeeds, an entry will be created in ADMIN > Setup > Pull Events corresponding to
this event pulling job. FortiSIEM will start to pull events from GitHub server using the API.
To test for received GitHub events:
1. Go to ADMIN > Setup > Pull Events.
2. Select the GitHub entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from GitHub in the last 15
minutes. You can modify the time interval to get more events.


GitLab API

- Integration Points
- Event Types
- Rules
- Reports
- Syslog Integration
- API Integration
- Configuring GitLab Server
- Configuring FortiSIEM for GitLab API
- Sample Event

Integration Points

Protocol: syslog
Information collected: 15 log files including production.log and application.log; over 130 event types prefixed
with 'GitLab-'
Used for: Security and Compliance

Protocol: API
Information collected: Code commits; changes to Projects, Branches, Tags, DiscussionNotes, Issues, Snippets,
Repositories; users created, deleted, modified
Used for: Security and Compliance

Event Types

In RESOURCES > Event Types, enter "GitLab" in the Search field to see the events associated with this device.

Rules

No defined rules.

Reports

In RESOURCES > Reports, enter "GitLab" in the Search column to see the reports associated with this device.

Syslog Integration

Configure GitLab to send syslog to FortiSIEM via UDP on port 514; see the GitLab documentation for the log shipping
settings of your GitLab edition. UDP syslog is neither authenticated nor encrypted, so keep this traffic on a
management network that untrusted hosts cannot reach or spoof.
FortiSIEM will automatically detect GitLab log patterns and parse the logs. Currently, the following log files are
parsed: api_json.log, application.log, gitaly, gitlab-monitor, gitlab-shell.log, gitlab-workhorse.log,
gitlab_access.log, production.log, production_json.log, Prometheus, Redis, remote-syslog, sidekiq,
sidekiq_exporter.log, unicorn_stderr.log.
Currently, over 134 GitLab event types are parsed. To see the event types:


1. Login to FortiSIEM.
2. Go to RESOURCES > Event Types.
3. Search for 'GitLab'.
Use cases covered via syslog:
- Failed and Successful Login
- Git command execution
- Git API requests
To test for GitLab events received via syslog:
1. Login to FortiSIEM.
2. Go to ANALYTICS.
3. Click Edit Filters and Time Range:
a. Choose Attributes option.
b. Create Search condition 'Event Type CONTAIN GitLab'.
c. Select Time Range: Last 1 hour
d. Click Apply & Run.
4. See the GitLab events on the GUI.

API Integration

FortiSIEM can also pull logs from GitLab using the GitLab API.
Currently, over 134 GitLab event types are parsed. To see the event types:
1. Login to FortiSIEM.
2. Go to RESOURCES > Event Types.
3. Search for 'GitLab'.
Use cases covered via API:
- Code commit. Note that the current API reports the commit range of a push (commit_from, commit_to and
commit_count) but not the files it touched; use the GitLab CLI integration when you need per-file detail.
- Changes to Projects, Branches, Tags, DiscussionNotes, Issues, Snippets, Repositories, etc.
- User created, deleted, modified

Configuring GitLab Server

Create a personal access token to be used for FortiSIEM communication.

1. Login to your GitLab account.
2. Go to your Profile settings.
3. Go to Access tokens.
4. Choose a name and optionally an expiry date for the token.
5. Choose the desired scopes: api is required.
6. Click Create Personal Access Token. Save the personal access token in your local system. Note that once you
leave or refresh the page, you won't be able to access it again.
The api scope grants full read and write access to everything the account can reach, so create the token on a
dedicated account that is a member only of the projects FortiSIEM must read, set an expiry date, and store the
token nowhere but in the FortiSIEM credential.


Configuring FortiSIEM for GitLab API

Use the Personal Access Token in Configuring GitLab Server to enable FortiSIEM access.
1. Login to FortiSIEM.
2. Go to ADMIN > Setup > Credentials.
3. Click New to create a GitLab credential.
4. In Step 1: Enter Credentials, enter these settings in the Access Method Definition dialog box:

Name: Enter a name for the credential.
Device Type: GitLab GitLab (Vendor = GitLab, Model = Gitlab)
Access Protocol: GitLab API
Pull Interval: The interval at which FortiSIEM pulls events from GitLab. Default is 5 minutes.
Password Config: Manual
Account Name: Enter an account name.
Personal Access Token: Enter the token you obtained in Configuring GitLab Server.
Description: Description of the device.

5. Enter an IP range to Credential Association:


a. Enter the IP of GitLab Server.
b. Select the credential created in step 4 above.
c. Click Save.
6. Select the entry in step 4 above and click Test Connectivity. Once successful, an entry will be created in ADMIN
> Setup > Pull Events. FortiSIEM will start to pull events from GitLab using the API.
To test for received GitLab events:
1. Go to ADMIN > Setup > Pull Events.
2. Select the GitLab entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from GitLab in the last 15
minutes. You can modify the time interval to get more events.

Sample Event

[GITLAB_EVENT_DATA] = {"action_name":"pushed to","author":{"avatar_url":"https://abc.cda.com/avatar/62e30f8b2d3cbc60ed22c217c5fa4e57?s=80&d=identicon","id":185,"name":"user1","state":"active","username":"user1","web_url":"https://dac.com/gitmirror"},"author_id":185,"author_username":"user1","created_at":"2018-11-13T22:30:30.340Z","project_id":553,"push_data":{"action":"pushed","commit_count":2,"commit_from":"da5a4fd97fd1f6b7c5a8611c12592eb5e9ff9e2b","commit_title":"Merge \"Fix bizservice popup display issue and switching org in bizs...","commit_to":"30d863ece3957aacc95ec45c7663c426c73f38f2","ref":"releases/FCS5_2_1","ref_type":"branch"},"serverIp":"172.30.35.11","serverName":"abc.com","target_id":null,"target_iid":null,"target_title":null,"target_type":null}
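The event above is one record from GitLab's events API. As an added example (this is not FortiSIEM's collector code and not GitLab code), the Python below flattens events of this shape into the attribute names the GitLab CLI sample later in this section uses, and applies the de-duplication a periodic pull needs: the endpoint's after/before filters are whole calendar dates, so a poller running every few minutes sees the same day's events again and must drop what it already stored. The first sample record is taken from the page; the branch-removal and issue records, and all event ids, are constructed.

```python
"""Flatten GitLab /api/v4/events records and de-duplicate a periodic pull.
Added example for this guide; not FortiSIEM's collector and not GitLab code."""

# Constructed sample in the shape of the [GITLAB_EVENT_DATA] record above (not
# captured from a live server). Event ids are assumed; real ids are opaque
# integers that only increase.
SAMPLE_EVENTS = [
    {
        "id": 9001, "action_name": "pushed to", "author_id": 185,
        "author_username": "user1", "created_at": "2018-11-13T22:30:30.340Z",
        "project_id": 553,
        "push_data": {
            "action": "pushed", "commit_count": 2,
            "commit_from": "da5a4fd97fd1f6b7c5a8611c12592eb5e9ff9e2b",
            "commit_to": "30d863ece3957aacc95ec45c7663c426c73f38f2",
            "commit_title": "Merge fix for bizservice popup display issue",
            "ref": "releases/FCS5_2_1", "ref_type": "branch",
        },
        "target_id": None, "target_iid": None, "target_title": None,
        "target_type": None,
    },
    {   # Branch removal: push_data.action is "removed" and commit_to is null.
        "id": 9002, "action_name": "deleted", "author_id": 7,
        "author_username": "user2", "created_at": "2018-11-13T22:31:00.000Z",
        "project_id": 553,
        "push_data": {
            "action": "removed", "commit_count": 0,
            "commit_from": "30d863ece3957aacc95ec45c7663c426c73f38f2",
            "commit_to": None, "commit_title": None,
            "ref": "releases/FCS5_2_1", "ref_type": "branch",
        },
        "target_id": None, "target_iid": None, "target_title": None,
        "target_type": None,
    },
    {   # Non-push event: an issue opened; push_data is absent.
        "id": 9003, "action_name": "opened", "author_id": 7,
        "author_username": "user2", "created_at": "2018-11-13T22:32:00.000Z",
        "project_id": 553,
        "target_id": 42, "target_iid": 3, "target_title": "Rotate deploy token",
        "target_type": "Issue",
    },
]


def normalize_event(ev):
    """Flatten one event into the attribute names the CLI sample uses."""
    out = {
        "eventId": ev["id"],
        "user": ev.get("author_username"),
        "action": ev["action_name"],
        "projectId": ev["project_id"],
        "createdAt": ev["created_at"],
        "targetType": ev.get("target_type"),
        "targetTitle": ev.get("target_title"),
    }
    push = ev.get("push_data")
    if push:
        out.update({
            "ref": push.get("ref"),
            "refType": push.get("ref_type"),
            "preHashCode": push.get("commit_from"),
            "hashCode": push.get("commit_to"),
            "commitCount": push.get("commit_count") or 0,
            # No commit_from: the ref was created. No commit_to: it was removed.
            # Both change what a release branch points at and deserve a rule.
            "refCreated": push.get("commit_from") is None,
            "refDeleted": push.get("commit_to") is None,
        })
    return out


def poll_new_events(events, last_seen_id):
    """Return (normalized events newer than the watermark, new watermark).

    after/before on the events endpoint are whole dates, so a 5-minute poller
    receives the same day's events repeatedly; the event id is the stable key
    for dropping what was already stored."""
    fresh = sorted((e for e in events if e["id"] > last_seen_id),
                   key=lambda e: e["id"])
    new_mark = fresh[-1]["id"] if fresh else last_seen_id
    return [normalize_event(e) for e in fresh], new_mark


if __name__ == "__main__":
    records, mark = poll_new_events(SAMPLE_EVENTS, 9000)
    for rec in records:
        print(rec)
    print("next watermark:", mark)
```

Persist the watermark between runs; a collector that restarts with no watermark re-ingests everything the date filter returns, which is harmless for storage but will re-fire any rule keyed on branch deletions.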


GitLab CLI

Events obtained with the GitLab REST API are not always up to date and do not carry per-file change detail. To avoid
this limitation, FortiSIEM uses the GitLab CLI (Git over SSH) to read commit history from the GitLab server directly
on every pull interval.
- Integration Points
- Event Types
- Rules
- Reports
- Generate an SSH Key in FortiSIEM
- Configure an SSH Key in GitLab
- Configuration in FortiSIEM
- Sample Events

Integration points

Protocol Information collected Used for

GIT CLI Git commit history Security and Compliance

Event Types

In RESOURCES > Event Types, enter "GitLab" in the Search field to see the events associated with this device.

Rules

No defined rules.

Reports

In RESOURCES > Reports, enter "GitLab" in the Search column to see the reports associated with this device.

Generate an SSH Key in FortiSIEM

Generate an SSH key pair for FortiSIEM. The key allows FortiSIEM to reach GitLab with Git commands over SSH. Use the
following command to generate the public key file and the private key file in the /opt/phoenix/bin/.ssh/
directory. ssh-keygen writes to the current user's ~/.ssh by default, so add -f /opt/phoenix/bin/.ssh/id_rsa if you
are not running as the user whose home directory that is:
ssh-keygen -t rsa -b 4096 -C "root@localhost"
The collector uses the key unattended, so if you leave the passphrase empty, compensate by keeping the private key
readable only by the FortiSIEM process owner and by registering it on a dedicated GitLab account that has no more
access than the pull needs.

Configure an SSH Key in GitLab

Complete these steps to install the SSH key in the GitLab server:


1. Login to your GitLab account.


2. Select Settings from your account drop-down list.
3. Select the SSH Keys tab.
4. Add the public part of the key, for example the contents of:
/opt/phoenix/bin/.ssh/id_rsa.pub
5. Click Add Key.
6. Install Git on the FortiSIEM node if it is not already present, for example:
yum install git

Configuration in FortiSIEM

Complete these steps in the FortiSIEM UI:


1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
a. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
b. Enter these settings in the Access Method Definition dialog box:

Name: Enter a name for the credential.
Device Type: GitLab GitLab
Access Protocol: GIT CLI
Pull Interval: The interval at which FortiSIEM pulls events from GitLab. Default is 5 minutes.
Local Path to Clone: The path on the FortiSIEM system where the repository will be cloned. For very large
repositories this lets you choose a location on an external device. The clone is a complete copy of the source, so
restrict the directory to the FortiSIEM process owner.
Repositories: The Git address of the repository, in the SSH form that matches the key you registered. You can enter
multiple repositories, separated by spaces.
Description: Description of the device.

3. In Step 2, Enter IP Range to Credential Associations:


a. Select the name of your GitLab credential from the Credentials drop-down list.
b. Enter an IP or an IP range in the IP/IP Range field.
c. Click Save.
4. Click Test to test the connection to GitLab CLI.
5. To see the jobs associated with GitLab, select ADMIN > Setup > Pull Events.
6. To see the received events, select ANALYTICS, then enter GitLab in the search box.


Sample Events

[PH_DEV_MON_GIT_COMMIT]: [deviceTime]=1547013028,[user]="abc",[exchMboxName]="[email protected]",[hashCode]="fa408380aa4296d13aeb24418164994eea2c2737",[preHashCode]="d9cd6e31346611a4f75dc7fe768f6202a46dd7e6",[title]="Add new file",[details]="",[updateCount]="1",[deleteCount]="0",[filePath]="testfile2",[fileType]="testfile2",[repoURL]="[email protected]:abc/testproject_mei_willremove.git"
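The record above is what a per-file commit event looks like once the clone has been read. As an added example (not FortiSIEM's collector code), the Python below shows how such records are derived from a clone: it runs git log with a NUL-separated header format plus --numstat, turns each changed file into one record carrying its commit's hash, first parent, author and time, and renders it in the attribute form shown. The log text used to run it offline is constructed; the git_log helper, the record field names and the event rendering are this example's own choices.

```python
"""Turn `git log --numstat` output into per-file commit records shaped like the
PH_DEV_MON_GIT_COMMIT sample above. Added example; not FortiSIEM's collector."""
import subprocess

# One NUL-separated header line per commit, followed by its --numstat lines.
# %H commit, %P parents, %ae author email, %at author epoch, %s subject.
LOG_FORMAT = "--format=%x00%H%x00%P%x00%ae%x00%at%x00%s"


def git_log(repo_path, since=None):
    """Run git in an existing clone and return the raw log text (needs a repo).
    `since` is the last hash already collected; "<since>..HEAD" limits the
    pull to commits that arrived since the previous interval."""
    rev_range = [f"{since}..HEAD"] if since else []
    cmd = ["git", "-C", repo_path, "log", LOG_FORMAT, "--numstat", *rev_range]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_git_log(text):
    """Return one record per changed file, each carrying its commit header."""
    records, header = [], None
    for line in text.splitlines():
        if line.startswith("\x00"):
            _, sha, parents, email, epoch, subject = line.split("\x00", 5)
            header = {
                "deviceTime": int(epoch), "user": email, "hashCode": sha,
                # First parent only, matching the sample's single preHashCode;
                # a root commit has no parent and gets "".
                "preHashCode": parents.split(" ")[0] if parents else "",
                "title": subject,
            }
        elif line.strip() and header is not None:
            added, deleted, path = line.split("\t", 2)
            rec = dict(header)
            rec.update({
                # --numstat prints "-" for binary files; count those as 0 lines.
                "updateCount": 0 if added == "-" else int(added),
                "deleteCount": 0 if deleted == "-" else int(deleted),
                "filePath": path, "binary": added == "-",
            })
            records.append(rec)
    return records


def format_event(rec):
    """Render a record in the attribute=value form FortiSIEM shows in ANALYTICS."""
    quoted = ["user", "hashCode", "preHashCode", "title", "updateCount",
              "deleteCount", "filePath"]
    parts = [f"[deviceTime]={rec['deviceTime']}"]
    parts += [f'[{k}]="{rec[k]}"' for k in quoted]
    return "[PH_DEV_MON_GIT_COMMIT]: " + ",".join(parts)


# Constructed log text (two commits, three file changes) so this runs offline;
# the hashes and timestamp of the first commit are taken from the sample above.
SAMPLE_LOG = (
    "\x00fa408380aa4296d13aeb24418164994eea2c2737"
    "\x00d9cd6e31346611a4f75dc7fe768f6202a46dd7e6"
    "\x00abc@example.com\x001547013028\x00Add new file\n\n"
    "1\t0\ttestfile2\n\n"
    "\x00d9cd6e31346611a4f75dc7fe768f6202a46dd7e6\x00"
    "\x00abc@example.com\x001547000000\x00Initial import\n\n"
    "3\t0\tREADME.md\n"
    "-\t-\tlogo.png\n"
)

if __name__ == "__main__":
    for rec in parse_git_log(SAMPLE_LOG):
        print(format_event(rec))
```

Two operational points follow from reading the clone rather than the API: the GitLab host key must already be in the collector's known_hosts, or git will stop at the host-key prompt on the first pull, and the since hash must be stored per repository so that a re-pointed branch does not make the poller re-emit old commits.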


Unified Communication Server Configuration

FortiSIEM supports these VoIP servers for discovery and monitoring.

- Avaya Call Manager
- Cisco Call Manager
- Cisco Contact Center
- Cisco Presence Server
- Cisco TANDBERG Telepresence Video Communication Server (VCS)
- Cisco Telepresence Multipoint Control Unit (MCU)
- Cisco Telepresence Video Communication Server
- Cisco Unity Connection


Avaya Call Manager

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Application type
Metrics collected: System metrics: Uptime, Interface utilization
Used for: Performance Monitoring

Protocol: SFTP
Metrics collected: Call Detail Records (CDR): Calling Phone IP, Called Phone IP, Call Duration
Used for: Performance and Availability Monitoring

Event Types

Avaya-CM-CDR: Avaya CDR Records

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

SFTP

SFTP is used to send Call Detail Records (CDRs) to FortiSIEM.

Configure FortiSIEM to Receive CDR Records from Avaya Call Manager

1. Log in to your FortiSIEM virtual appliance as root over SSH.
2. Change the directory.
cd /opt/phoenix/bin
3. Create the SFTP account ftpuser with the home directory /opt/phoenix/cache/avayaCM/<call-manager-ip>. If this
is the first time you have created a Call Manager definition, you will be prompted for the ftpuser password. When
you create subsequent Call Manager definitions, the same password is reused, and you will see a Success message
when the definition is created. Give ftpuser a long random password; the account only needs to write into that
directory.


4. The CDR records carry only values, not field definitions, and the field definitions are needed to interpret the
values. Make sure that the CDR field layout configured on the Call Manager matches the default definitions supplied
by FortiSIEM in /opt/phoenix/config/AvayaCDRConfig.csv. A mismatch shifts every field after the first difference,
so check the parsed events rather than assuming the defaults fit.
FortiSIEM interprets the CDR record fields according to the field definitions in
/opt/phoenix/config/AvayaCDRConfig.csv and generates events like the following:
Wed Feb 4 14:37:41 2015 1.2.3.4 FortiSIEM-FileLog-AvayaCM [Time of day-hours]="11" [Time of day-minutes]="36" [Duration-hours]="0" [Duration-minutes]="00" [Duration-tenths of minutes]="5" [Condition code]="9" [Dialed number]="5908" [Calling number]="2565522011" [FRL]="5" [Incoming circuit ID]="001" [Feature flag]="0" [Attendant console]="8" [Incoming TAC]="01 1" [INS]="0" [IXC]="00" [Packet count]="12" [TSC flag]="1"
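Step 4 is easy to get wrong silently, because a positional record with the wrong definitions still "parses". As an added example (not FortiSIEM's CDR parser), the Python below applies a field-definition table to a fixed-width record the way step 4 describes, rejects a record whose width disagrees with the definitions, and renders the result in the event form shown. The layout of the definition file is assumed (one name,width row per field), since the real format of /opt/phoenix/config/AvayaCDRConfig.csv is not shown here; the record is constructed from the values in the sample event, and its field widths were chosen to fit it rather than taken from Avaya documentation.

```python
"""Parse fixed-width Avaya CDR records against a field-definition table.
Added example of the step 4 check above; not FortiSIEM's CDR parser. The
definition-file layout is assumed, since the real AvayaCDRConfig.csv format
is not shown on this page."""
import csv
import io

# Assumed layout: one "name,width" row per field, in record order. Widths were
# chosen to fit the constructed record below, not taken from Avaya documentation.
FIELD_DEFS_CSV = """name,width
Time of day-hours,2
Time of day-minutes,2
Duration-hours,1
Duration-minutes,2
Duration-tenths of minutes,1
Condition code,1
Dialed number,4
Calling number,10
FRL,1
Incoming circuit ID,3
Feature flag,1
Attendant console,1
Incoming TAC,4
INS,1
IXC,2
Packet count,2
TSC flag,1
"""

# Constructed 39-character record carrying the values of the sample event above.
SAMPLE_RECORD = "1136000595908256552201150010801 1000121"


def load_field_defs(csv_text):
    """Read the definition table into an ordered list of (name, width)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["name"], int(row["width"])) for row in reader]


def is_consistent(record, defs):
    """The check step 4 asks for: the record must be exactly as wide as the
    definitions say, or every field after the first mismatch is misread."""
    return len(record.rstrip("\r\n")) == sum(w for _, w in defs)


def parse_cdr(record, defs):
    """Slice the record into named fields; refuse to guess on a width mismatch."""
    if not is_consistent(record, defs):
        raise ValueError(
            f"record is {len(record.rstrip())} chars, definitions total "
            f"{sum(w for _, w in defs)}: the Call Manager CDR format and "
            "AvayaCDRConfig.csv disagree")
    fields, pos = {}, 0
    for name, width in defs:
        fields[name] = record[pos:pos + width].strip()
        pos += width
    return fields


def call_duration_seconds(fields):
    """Avaya stores duration as hours, minutes and tenths of a minute."""
    return (int(fields["Duration-hours"]) * 3600
            + int(fields["Duration-minutes"]) * 60
            + int(fields["Duration-tenths of minutes"]) * 6)


def to_event(fields, reporter_ip="1.2.3.4"):
    """Render the record the way the FortiSIEM-FileLog-AvayaCM sample shows."""
    body = " ".join(f'[{k}]="{v}"' for k, v in fields.items())
    return f"{reporter_ip} FortiSIEM-FileLog-AvayaCM {body}"


if __name__ == "__main__":
    defs = load_field_defs(FIELD_DEFS_CSV)
    parsed = parse_cdr(SAMPLE_RECORD, defs)
    print(to_event(parsed))
    print("duration (s):", call_duration_seconds(parsed))
```

Run the same check against a handful of real records landing in /opt/phoenix/cache/avayaCM/<call-manager-ip> after the first transfer; a width mismatch there means the Call Manager's CDR format and the definition file were changed independently.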

Configure Avaya Call Manager to Send CDR Records to FortiSIEM

1. Log in to Avaya Call Manager.
2. Send CDR records to FortiSIEM by using this information:

Host Name/IP Address: <FortiSIEM IP Address>
User Name: ftpuser
Password: <The password you created for ftpuser>
Protocol: SFTP
Directory Path: /opt/phoenix/cache/avayaCM/<call-manager-ip>

Settings for Access Credentials in FortiSIEM

See Access Credentials to set access and protocol for SNMP, SSH, and Telnet.


Cisco Call Manager

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Application type
Metrics collected: System metrics: Uptime, CPU utilization, Memory utilization, Disk utilization, Interface
utilization, Process count; Per process: CPU utilization, Memory utilization
Used for: Performance Monitoring

Protocol: SNMP
Information discovered: VoIP phones and registration status
Metrics collected: Call Manager metrics:
- Global Info: VoIP phone count, Gateway count, Media Device count, Voice mail server count and SIP Trunk count,
broken down by Registered/Unregistered/Rejected status (FortiSIEM Event Type: PH_DEV_MON_CCM_GLOBAL_INFO)
- SIP Trunk Info: Trunk end point, description, status (FortiSIEM Event Type: PH_DEV_MON_CCM_SIP_TRUNK_STAT)
- SIP Trunk Addition, Deletion: FortiSIEM Event Types: PH_DEV_MON_CCM_NEW_SIP_TRUNK, PH_DEV_MON_CCM_DEL_SIP_TRUNK
- Gateway Status Info: Gateway name, Gateway IP, description, status (FortiSIEM Event Type: PH_DEV_MON_CCM_GW_STAT)
- Gateway Status Change, Addition, Deletion: FortiSIEM Event Types: PH_DEV_MON_CCM_GW_STAT_CHANGE,
PH_DEV_MON_CCM_NEW_GW, PH_DEV_MON_CCM_DEL_GW
- H323 Device Info: H323 Device name, H323 Device IP, description, status (FortiSIEM Event Type:
PH_DEV_MON_CCM_H323_STAT)
- H323 Device Status Change, Addition, Deletion: FortiSIEM Event Types: PH_DEV_MON_CCM_H323_STAT_CHANGE,
PH_DEV_MON_CCM_NEW_H323, PH_DEV_MON_CCM_DEL_H323
- Voice Mail Device Info: Voice Mail Device name, Voice Mail Device IP, description, status (FortiSIEM Event Type:
PH_DEV_MON_CCM_VM_STAT)
- Voice Mail Device Status Change, Addition, Deletion: FortiSIEM Event Types: PH_DEV_MON_CCM_VM_STAT_CHANGE,
PH_DEV_MON_CCM_NEW_VM, PH_DEV_MON_CCM_DEL_VM
- Media Device Info: Media Device name, Media Device IP, description, status (FortiSIEM Event Type:
PH_DEV_MON_CCM_MEDIA_STAT)
- Media Device Status Change, Addition, Deletion: FortiSIEM Event Types: PH_DEV_MON_CCM_MEDIA_STAT_CHANGE,
PH_DEV_MON_CCM_NEW_MEDIA, PH_DEV_MON_CCM_DEL_MEDIA
- Computer Telephony Integration (CTI) Device Info: CTI Device name, CTI Device IP, description, status (FortiSIEM
Event Type: PH_DEV_MON_CCM_CTI_STAT)
- CTI Device Status Change, Addition, Deletion: FortiSIEM Event Types: PH_DEV_MON_CCM_CTI_STAT_CHANGE,
PH_DEV_MON_CCM_NEW_CTI, PH_DEV_MON_CCM_DEL_CTI
Used for: Availability Monitoring

Protocol: WMI (for Windows based Call Managers)
Information discovered: Application type, service mappings
Metrics collected: Process level metrics: Per process: Uptime, CPU utilization, Memory utilization, Read I/O
KBytes/sec, Write I/O KBytes/sec
Used for: Performance Monitoring

Protocol: SFTP
Metrics collected: Call Detail Records (CDR): Calling Phone IP, Called Phone IP, Calling Party Number, Original
Called Party Number, Final Called Party Number, Call Connect Time, Call Disconnect Time, Call Duration. Call
Management Records (CMR): Latency, Jitter, MOS Score (current, average, min, max) for each call in the CDR
Used for: Performance and Availability Monitoring

Protocol: Syslog
Metrics collected: Syslog messages from Cisco Call Manager as well as Cisco Unified Real Time Monitoring Tool (RTMT)

Event Types

In ADMIN > Device Support > Event, search for "cisco_uc" and "cisco_uc_rtmt" in the Display Name column to see
the event types associated with this device.

Rules

In RESOURCE > Rules, search for "cisco call manager" in the Name column to see the rules associated with this
device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.


WMI (for Call Manager installed under Windows)

Configuring WMI on your device so FortiSIEM can discover and monitor it requires you to create a user who has access
to WMI objects on the device. The procedure is identical to the one given for Citrix ICA earlier in this chapter
(Citrix ICA > Configuration > WMI) and is not repeated here. Perform those steps on the Windows host running Call
Manager:
- Creating a Generic User Who Does Not Belong to the Local Administrator Group: membership in the Distributed COM
Users and Performance Monitor Users groups, plus DCOM access, launch and activation permissions for those groups
- Creating a User Who Belongs to the Domain Administrator Group: DCOM access, launch and activation permissions for
the account
- Enable Account Privileges in WMI: Enable Account and Remote Enable on the Root\CIMV2 namespace, applied to this
namespace and subnamespaces, followed by a restart of the Windows Management Instrumentation service
- Allow WMI to Connect Through the Windows Firewall: the remote administration exception, TCP port 135 and
unsecapp.exe on Windows 2003; the Windows Management Instrumentation feature on Windows Server 2008 and 2012
As in the Citrix ICA section, prefer the non-administrative monitoring account; it is all the metrics above require.

SFTP

SFTP is used to send Call Description Records (CDRs) to FortiSIEM.


- Configure FortiSIEM to Receive CDR Records from Cisco Call Manager
- Configure Cisco Call Manager to Send CDR Records to FortiSIEM

Configure FortiSIEM to Receive CDR Records from Cisco Call Manager

1. Log in to your FortiSIEM virtual appliance as root over SSH.
2. Change the directory:
cd /opt/phoenix/bin
3. Run ./phCreateCdrDestDir <call-manager-ip>.
This creates an FTP account for user ftpuser with the home directory /opt/phoenix/cache/ccm/<call-manager-ip>.
If this is the first time you have created a Call Manager definition, you will be prompted for the ftpuser
password. When you create subsequent Call Manager definitions, the same password will be used, and you will
see a Success message when the definition is created.
4. Switch user to admin by issuing "su - admin".
5. Modify the phoenix_config.txt entry:
ccm_ftp_directory = /opt/phoenix/cache/ccm
6. Restart phParser by issuing "killall -9 phParser".

Configure Cisco Call Manager to Send CDR Records to FortiSIEM

1. Log in to Cisco Call Manager.
2. Go to Tools > CDR Management Configuration.
The CDR Management Configuration window will open.
3. Click Add New.
4. Enter this information:

Field | Value
Host Name/IP Address | <FortiSIEM IP Address>
User Name | ftpuser
Password | <The password you created for ftpuser>
Protocol | SFTP
Directory Path | /opt/phoenix/cache/ccm/<call-manager-ip>

5. Click Save.

Settings for Access Credentials

See Access Credentials to set access and protocol for SMTP, SSH, and Telnet.


Cisco Contact Center

- What is Discovered and Monitored
- Configuration
- Setting Access Credentials

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization, Install software change | Performance Monitoring
SSH | | Disk I/O monitoring |

Event Types

There are no event types defined specifically for this device.

Rules

In RESOURCES > Rules, search for "cisco contact center" in the Name column to see the rules associated with this
device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Setting Access Credentials

See Access Credentials to set access and protocol for SMTP, SSH, and Telnet.


Cisco Presence Server

- What is Discovered and Monitored
- Configuration
- Setting Access Credentials

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization, Install software change | Performance Monitoring
SSH | | Disk I/O monitoring |

Event Types

There are no event types defined specifically for this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Setting Access Credentials

See Access Credentials to set access and protocol for SMTP, SSH, and Telnet.


Cisco Tandberg Telepresence Video Communication Server (VCS)

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization, Install software change | Performance Monitoring
SSH | | Disk I/O monitoring |

Event Types

There are no event types defined specifically for this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set
the Name and Community String.

Setting Value

Name <set name>

Device Type Generic

Access Protocol SNMP

Community String <your own>


SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting Value

Name ssh-generic

Device Type Generic

Access Protocol SSH

Port 22

User Name A user who has access credentials for your device over SSH

Password The password for the user


Cisco Telepresence Multipoint Control Unit (MCU)

- What is Discovered and Monitored
- Configuration
- Setting Access Credentials

What is Discovered and Monitored

The following protocols are used to discover and monitor various aspects of Cisco Tandberg VCS.

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: Uptime, Interface utilization | Performance Monitoring

Event Types

In ADMIN > Device Support > Event, search for "cisco telepresence" in the Description column to see the event
types associated with this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Setting Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set
the Name and Community String.

Setting Value

Name <set name>

Device Type Generic

Access Protocol SNMP

Community String <your own>


Cisco Telepresence Video Communication Server

What is Discovered and Monitored

Protocol | Logs parsed | Used for
Syslog | Call attempts, Call rejects, Media stats, Request, response, Search | Log Analysis

Event Types

In ADMIN > Device Support > Event, search for "Cisco-TVCS" in the Description column to see the event types
associated with this device.


Cisco Unity Connection

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | System metrics: CPU utilization, Memory utilization, Disk utilization, Interface utilization, Hardware Status, Process count, Process level CPU and memory utilization | Performance Monitoring

Event Types

In ADMIN > Device Support > Event, search for "cisco unity" in the Description column to see the event types
associated with this device.

Rules

In RESOURCES > Rules, search for "cisco unity" in the Name column to see the rules associated with this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Settings for Access Credentials

See Access Credentials to set access and protocol for SMTP, SSH, and Telnet.


Web Server

FortiSIEM supports these web servers for discovery and monitoring.

- Apache Web Server
- Microsoft IIS for Windows 2000 and 2003
- Microsoft IIS for Windows 2008
- Nginx Web Server


Apache Web Server

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | Process level metrics: CPU utilization, Memory utilization | Performance Monitoring
HTTP(S) via the mod_status module | | Apache metrics: Uptime, CPU load, Total Accesses, Total Bytes, Connections, Requests/sec, Bytes/sec, Bytes/req, Busy Workers, Idle Workers | Performance Monitoring
Syslog | Application type | W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration | Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event, search for "apache" in the Device Type and Description column to see the
event types associated with this device.

Reports

In RESOURCES > Reports , search for "apache" in the Name column to see the reports associated with this device.

Configuration

The Apache Web Server configuration instructions use the default Apache installation directory as a reference
point. Depending on your own setup, Apache may be installed in one of the following locations:
- /etc
- /etc/httpd
- /usr/local
Adjust the paths in the steps below to match your installed Apache directory.


SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

HTTPS

To communicate with FortiSIEM over HTTPS, you must configure the mod_status module in your Apache web server.
1. Log in to your web server as an administrator.
2. Open the configuration file /etc/Httpd.conf.
3. Modify the file as shown in these code blocks, depending on whether you are connecting over HTTP without
authentication, or over HTTPS with authentication.
Without Authentication
LoadModule status_module modules/mod_status.so
...
ExtendedStatus on
...
#Configuration without authentication
<Location /server-status>
SetHandler server-status
Order Deny,Allow
Deny from all
Allow from .foo.com
</Location>

With Authentication
LoadModule status_module modules/mod_status.so
...
ExtendedStatus on
...
#Configuration with authentication
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from all
AuthType Basic
AuthUserFile /etc/httpd/account/users
AuthGroupFile /etc/httpd/account/groups
AuthName "Admin"
Require group admin
Satisfy all
</Location>

4. If you are using authentication, you will have to add user authentication credentials.
a. Go to /etc/httpd, and if necessary, create an account directory.
b. In the account directory, create two files, users and groups.
c. In the groups file, enter admin:admin.
d. Create a password for the admin user (the -c option creates the users file):
htpasswd -c users admin


5. Reload Apache.
/etc/init.d/httpd reload

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery
Settings" and "Setting Credentials" in the User Guide.

Syslog

Install and configure the Epilog application to send syslog to FortiSIEM:

1. Download Epilog from the Epilog download site and install it on your server.
2. For Windows, launch Epilog from Start > All Programs > InterSect Alliance > Epilog for Windows.
3. For Linux, enter http://<yourApacheServerIp>:6162 in a browser.
4. Configure the Epilog application as follows:
a. Go to Log Configuration. Click the Add button and add the following log files to be sent to FortiSIEM:
- /etc/httpd/logs/access_log
- /etc/httpd/logs/ssl_access_log
b. Go to Network Configuration:
i. Set the AO System IP (all-in-1 or collector) in Destination Server address (10.1.2.20 here);
ii. Set 514 in the Destination Port text area;
iii. Click Change Configuration to save the configuration.
c. Apply the Latest Audit Configuration. Apache logs will now be sent to FortiSIEM in real time.

Define the Apache Log Format

You must define the format of the logs that Apache will send to FortiSIEM.
1. Open the file /etc/httpd/conf.d/ssl.conf for editing.
2. Add this line to the file.
CustomLog logs/ssl_request_log combined

3. Uncomment this line in the file.
#CustomLog logs/access_log common

4. Add this line to the file.
CustomLog logs/access_log combined

5. Reload Apache.
/etc/init.d/httpd reload

Apache Syslog Log Format

<142>Sep 17 13:27:37 SJ-Dev-S-RH-VMW-01.prospecthills.net ApacheLog 192.168.20.35 - - [17/Sep/2009:13:27:37 -0700] "GET /icons/apache_pb2.gif HTTP/1.1" 200 2414 "http://192.168.0.30/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"

<134>Mar 4 17:08:04 137.146.28.68 httpd: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"

<142>Sep 17 13:27:37 135.134.33.23 HTTP: [ID 702911 local0.info] 192.168.20.38 - - [04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set
the Name and Community String.

Setting Value

Name <set name>

Device Type Generic

Access Protocol SNMP

Community String <your own>

Settings for Apache Web Server HTTPS Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to communicate with your Apache web server over
https.

Setting Value

Name Apache-https

Device Type generic

Access Protocol HTTP or HTTPS

Port 80 (HTTP) or 443 (HTTPS)

URL server-status?auto

User Name The admin account you created when configuring HTTPS

Password The password associated with the admin account


Microsoft IIS for Windows 2000 and 2003

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | Process level metrics: CPU utilization, memory utilization | Performance Monitoring
WMI | Application type, service mappings | Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O. IIS metrics: Current Connections, Max Connections, Sent Files, Received Files, Sent Bytes, Received Bytes, ISAPI Requests, Not Found Errors | Performance Monitoring
Windows Agent | Application type | W3C access logs: attributes include IIS Service Instance, Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration | Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event, search for "microsoft iis" in the Description column to see the event types
associated with this device.

Configuration

SNMP

See SNMP Configurations in the Microsoft Windows Server Configuration section.

WMI

See WMI Configurations in the Microsoft Windows Server Configuration section.

FortiSIEM Windows Agent

For information on configuring IIS for FortiSIEM Windows Agent, see Configuring Windows IIS in the Windows Agent
Installation Guide.


Settings for Access Credentials

See Setting Access Credentials in the Microsoft Windows Server Configuration section.


Microsoft IIS for Windows 2008

- What is Discovered and Monitored
- Configuration
- Setting Access Credentials
- Sample IIS Syslog

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | Process level metrics: CPU utilization, memory utilization | Performance Monitoring
WMI | Application type, service mappings | Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O. IIS metrics: Current Connections, Max Connections, Sent Files, Received Files, Sent Bytes, Received Bytes, ISAPI Requests, Not Found Errors | Performance Monitoring
Windows Agent | Application type | W3C access logs: attributes include IIS Service Instance, Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration | Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event, search for "microsoft iis" in the Description column to see the event types
associated with this device.

Configuration

SNMP

See SNMP Configurations in the Microsoft Windows Server Configuration section.

WMI

See WMI Configurations in the Microsoft Windows Server Configuration section.

FortiSIEM Windows Agent

For information on configuring IIS for FortiSIEM Windows Agent, see Configuring Windows IIS in the Windows Agent
Installation Guide.


Setting Access Credentials

See Setting Access Credentials in the Microsoft Windows Server Configuration section.

Sample IIS Syslog

<13>Oct 9 12:19:05 ADS-Pri.ACME.net IISWebLog 0 2008-10-09 19:18:43 W3SVC1 ADS-PRI 192.168.0.10 GET /iisstart.htm - 80 - 192.168.20.80 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.0.3)+Gecko/2008092417+Firefox/3.0.3 - - 192.168.0.10 200 0 0 2158 368 156

<46>Mar 29 12:21:03 192.168.0.40 FTPSvcLog 0 2010-03-29 19:20:32 127.0.0.1 - MSFTPSVC1 FILER 127.0.0.1 21 [1]PASS IEUser@ - 530 1326 0 0 0 FTP - - - -


Nginx Web Server

- What is Discovered and Monitored
- Configuration

The following protocols are used to discover and monitor various aspects of the Nginx web server.

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | Process level metrics: CPU utilization, Memory utilization | Performance Monitoring
Syslog | | W3C access logs: attributes include Client IP, URL, User Agent, Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration | Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event, search for "nginx" in the Device Type and Description column to see the
event types associated with this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslogs to
FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your FortiSIEM virtual
appliance.
- For Port, enter 514.
- Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that
shown in the example.

Example nginx Syslog

<29>Jun 15 07:59:03 ny-n1-p2 nginx: "200.158.115.204","-","Mozilla/5.0 (Windows NT 5.1 WOW64; rv:9.0.1) Gecko/20100178 Firefox/9.0.1","/images/design/header-2-logo.jpg","GET","http://wm-center.com/images/design/header-2-logo.jpg","200","0","/ypf-cookie_auth/index.html","0.000","877","-","10.4.200.203","80","wm-center.com","no-cache, no-store, must-revalidate","-","1.64","_","-","-"
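The Apache Web Server and Nginx Web Server sections above each show the syslog line FortiSIEM receives but not how it is taken apart. As an added example (not part of this guide and not Fortinet's parser), the following Python script splits the BSD syslog header off both formats, parses the Apache combined-format body with a regular expression and the nginx quoted-CSV body with the csv module, and summarizes failed requests per client IP. The nginx column names are an assumption, since the guide prints the sample but not the nginx log_format directive; the first three input lines are the guide's own samples re-joined, and the 404 line is constructed.

```python
import csv
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input. The first three lines are the Apache and nginx samples from this
# guide, re-joined where the page wrapped them; the last line is made up to give one client
# a failed request so the per-client summary has something to report.
SAMPLE_LINES: List[str] = [
    '<142>Sep 17 13:27:37 SJ-Dev-S-RH-VMW-01.prospecthills.net ApacheLog 192.168.20.35 - - '
    '[17/Sep/2009:13:27:37 -0700] "GET /icons/apache_pb2.gif HTTP/1.1" 200 2414 '
    '"http://192.168.0.30/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"',
    '<134>Mar 4 17:08:04 137.146.28.68 httpd: [ID 702911 local0.info] 192.168.20.38 - - '
    '[04/Mar/2010:16:35:21 -0800] "GET /bugzilla-3.0.4/ HTTP/1.1" 200 10791 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 GTB6"',
    '<29>Jun 15 07:59:03 ny-n1-p2 nginx: "200.158.115.204","-","Mozilla/5.0 (Windows NT 5.1 WOW64; '
    'rv:9.0.1) Gecko/20100178 Firefox/9.0.1","/images/design/header-2-logo.jpg","GET",'
    '"http://wm-center.com/images/design/header-2-logo.jpg","200","0","/ypf-cookie_auth/index.html",'
    '"0.000","877","-","10.4.200.203","80","wm-center.com","no-cache, no-store, must-revalidate",'
    '"-","1.64","_","-","-"',
    '<142>Sep 17 13:27:40 SJ-Dev-S-RH-VMW-01.prospecthills.net ApacheLog 192.168.20.35 - - '
    '[17/Sep/2009:13:27:40 -0700] "GET /icons/missing.gif HTTP/1.1" 404 209 "-" "curl/7.68.0"',
]

# BSD syslog header: <PRI>, timestamp, reporting host, then a program tag ("ApacheLog",
# "httpd:", "nginx:") followed by the message body.
SYSLOG_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<tag>[^:\s]+):? ?(?P<rest>.*)$'
)

# Apache "combined" LogFormat, with the optional "[ID nnnnnn local0.info]" prefix that the
# second and third samples in the guide carry.
APACHE_COMBINED = re.compile(
    r'^(?:\[ID \d+ \S+\] )?'
    r'(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Assumed positions for the nginx quoted-CSV format: the guide shows the sample line but not
# the log_format directive, so only the leading columns are named; the rest stay positional.
NGINX_COLUMNS = ("client", "user", "agent", "url", "method", "request_url", "status")


def parse_apache_body(body: str) -> Optional[Dict[str, object]]:
    m = APACHE_COMBINED.match(body)
    if not m:
        return None
    d = m.groupdict()
    return {
        "client": d["client"], "method": d["method"], "url": d["url"],
        "status": int(d["status"]),
        "bytes": 0 if d["bytes"] == "-" else int(d["bytes"]),
        "referrer": d["referrer"], "agent": d["agent"],
    }


def parse_nginx_body(body: str) -> Optional[Dict[str, object]]:
    # csv handles the quoted commas in fields such as "no-cache, no-store, must-revalidate".
    fields = next(csv.reader([body]))
    if len(fields) < len(NGINX_COLUMNS) or not fields[6].isdigit():
        return None
    event: Dict[str, object] = dict(zip(NGINX_COLUMNS, fields))
    event["status"] = int(fields[6])
    event["fields"] = fields  # raw columns, for the positions not named above
    return event


def parse_access_event(line: str) -> Optional[Dict[str, object]]:
    """Split the syslog header, then parse the body according to the program tag."""
    hdr = SYSLOG_HEADER.match(line)
    if not hdr:
        return None
    tag = hdr["tag"].lower()
    body = parse_nginx_body(hdr["rest"]) if tag == "nginx" else parse_apache_body(hdr["rest"])
    if body is None:
        return None
    pri = int(hdr["pri"])
    body.update(source=tag, reporter=hdr["host"], facility=pri >> 3, severity=pri & 7)
    return body


def error_rate_by_client(lines: List[str]) -> Dict[str, Tuple[int, int]]:
    """Per client IP: (requests seen, requests that ended in a 4xx/5xx status)."""
    stats: Dict[str, Tuple[int, int]] = {}
    for line in lines:
        ev = parse_access_event(line)
        if ev is None:
            continue
        client = str(ev["client"])
        total, errors = stats.get(client, (0, 0))
        stats[client] = (total + 1, errors + (1 if int(ev["status"]) >= 400 else 0))
    return stats


if __name__ == "__main__":
    for client, (total, errors) in error_rate_by_client(SAMPLE_LINES).items():
        print(f"{client}: {errors}/{total} failed requests")
```

The syslog PRI value is decoded into facility and severity (142 is local1.info, 29 is daemon.notice), which is worth checking when a collector filters by facility. Lines that match neither body format are skipped rather than raising, so one malformed event does not stop a batch.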

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to communicate with your device over SNMP. Set
the Name and Community String.

Setting Value

Name <set name>

Device Type Generic

Access Protocol SNMP

Community String <your own>

Blade Servers

FortiSIEM supports these blade servers for discovery and monitoring.

- Cisco UCS Server
- HP BladeSystem

Cisco UCS Server

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
- Sample Cisco UCS Events

What is Discovered and Monitored

Protocol: Cisco UCS API
Information Discovered: Host name, Access IP, Hardware components - processors, chassis, blades, board, cpu, memory, storage, power supply unit, fan unit
Metrics collected:
- Chassis status: Input Power, Input Avg Power, Input Max Power, Input Min Power, Output Power, Output Avg Power, Output Max Power, Output Min Power
- Memory status: Temp (C), Avg Temp (C), Max Temp (C), Min Temp (C)
- Processor status: Input Current, Input Avg Current, Input Max Current, Input Min Current, Temp (C), Avg Temp (C), Max Temp (C), Min Temp (C)
- Power supply status: Temp (C), Max Temp (C), Avg Temp (C), Min Temp (C), Input 210Volt, Avg Input 210Volt, Max Input 210Volt, Min Input 210Volt, Output 12Volt, Avg Output 12Volt, Max Output 12Volt, Min Output 12Volt, Output 3V3Volt, Avg Output 3V3Volt, Max Output 3V3Volt, Min Output 3V3Volt, Output Current, Avg Output Current, Max Output Current, Min Output Current, Output Power, Avg Output Power, Max Output Power, Min Output Power
- Fan status: Fan Speed, Average Fan Speed, Max Fan Speed, Min Fan Speed
Used for: Availability and Performance Monitoring

Event Types

In ADMIN > Device Support > Event, search for "cisco ucs" in the Description column to see the event types
associated with this device.

Reports

In RESOURCES > Reports, search for "cisco ucs" in the Name column to see the reports associated with this
application or device.


Configuration

UCS XML API

FortiSIEM uses the Cisco UCS XML API to discover Cisco UCS and to collect hardware statistics. See the Cisco
UCS documentation for information on how to configure your device to connect to FortiSIEM over the API.
You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more
information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name ucs

Device Type Cisco UCS

Access Protocol UCS API

Pull Interval (minutes) 5

Port 5988

User Name The user name you set up in your UCS server to
communicate with FortiSIEM

Password The password associated with user name

Sample Cisco UCS Events

Power Supply Status Event

[PH_DEV_MON_UCS_HW_PSU_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine,[hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1/psu-2,[envTempdDegC]=47.764706,[envTempAvgDegC]=36.176472,[envTempMaxDegC]=47.764706,[envTempMinDegC]=25.529411,[input210Volt]=214.294113,[input210AvgVolt]=210.784317,[input210MaxVolt]=214.294113,[input210MinVolt]=207.823532,[ouput12Volt]=12.188235,[ouput12AvgVolt]=12.109803,[ouput12MaxVolt]=12.376471,[ouput12MinVolt]=11.905882,[ouput3V3Volt]=3.141176,[ouput3V3AvgVolt]=3.374510,[ouput3V3MaxVolt]=3.458823,[ouput3V3MinVolt]=3.141176,[outputCurrentAmp]=15.686275,[outputCurrentAvgAmp]=20.261436,[outputCurrentMaxAmp]=24.509804,[outputCurrentMinAmp]=15.686275,[outputPowerWatt]=191.188004,[outputPowerAvgWatt]=245.736252,[outputPowerMaxWatt]=303.344879,[outputPowerMinWatt]=191.188004


Processor Status Event

[PH_DEV_MON_UCS_HW_PROCESSOR_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine,[hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1/blade-3/board/cpu-2,[inputCurrentAmp]=101.101959,[inputCurrentAvgAmp]=63.420914,[inputCurrentMaxAmp]=101.101959,[inputCurrentMinAmp]=44.580391,[envTempdDegC]=5.788235,[envTempAvgDegC]=6.216993,[envTempMaxDegC]=6.431373,[envTempMinDegC]=5.788235,

Chassis Status Event

[PH_DEV_MON_UCS_HW_CHASSIS_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine,[hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1,[inputPowerWatt]=7.843137,[inputPowerAvgWatt]=7.843137,[inputPowerMaxWatt]=7.843137,[inputPowerMinWatt]=7.843137,[outputPowerWatt]=0.000000,[outputPowerAvgWatt]=0.000000,[outputPowerMaxWatt]=0.000000,[outputPowerMinWatt]=0.000000

Memory Status Event

[PH_DEV_MON_UCS_HW_MEMORY_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine,[hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1/blade-1/board/memarray-1/mem-9,[envTempdDegC]=51.000000,[envTempAvgDegC]=50.128208,[envTempMaxDegC]=51.000000,[envTempMinDegC]=48.000000

Fan Status Event

[PH_DEV_MON_UCS_HW_FAN_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine,[hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1/fan-module-1-5/fan-2,[fanSpeed]=7800.000000,[fanSpeedAvg]=7049.000000,[fanSpeedMax]=8550.000000,[fanSpeedMin]=2550.00000
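The UCS sample events above all share one shape: an event type in brackets, a colon, then comma-separated [attribute]=value pairs. As an added example (not from this guide and not FortiSIEM's parser or rule set), the following Python script parses that shape into typed fields and runs a simple threshold check over the readings, which is the kind of logic a monitoring rule on these events would carry. The input is the guide's PSU, memory, fan and chassis samples re-joined onto single lines, with attribute names kept exactly as printed (including "ouput12Volt"); the temperature, voltage and fan-speed limits are assumptions chosen for illustration, not FortiSIEM defaults.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample input: the PSU, memory, fan and chassis events from this guide, each
# re-joined onto one line. Attribute names (including "ouput12Volt") are kept exactly as
# the guide prints them, since that is what a parser will see.
UCS_SAMPLES: List[str] = [
    "[PH_DEV_MON_UCS_HW_PSU_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine,"
    "[hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1/psu-2,"
    "[envTempdDegC]=47.764706,[envTempAvgDegC]=36.176472,[envTempMaxDegC]=47.764706,"
    "[envTempMinDegC]=25.529411,[input210Volt]=214.294113,"
    "[input210AvgVolt]=210.784317,[input210MaxVolt]=214.294113,[input210MinVolt]=207.823532,"
    "[ouput12Volt]=12.188235,[ouput12AvgVolt]=12.109803,"
    "[ouput12MaxVolt]=12.376471,[ouput12MinVolt]=11.905882,[ouput3V3Volt]=3.141176,"
    "[ouput3V3AvgVolt]=3.374510,[ouput3V3MaxVolt]=3.458823,"
    "[ouput3V3MinVolt]=3.141176,[outputCurrentAmp]=15.686275,[outputCurrentAvgAmp]=20.261436,"
    "[outputCurrentMaxAmp]=24.509804,[outputCurrentMinAmp]=15.686275,"
    "[outputPowerWatt]=191.188004,[outputPowerAvgWatt]=245.736252,"
    "[outputPowerMaxWatt]=303.344879,[outputPowerMinWatt]=191.188004",
    "[PH_DEV_MON_UCS_HW_MEMORY_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine,"
    "[hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1/blade-1/board/memarray-1/mem-9,"
    "[envTempdDegC]=51.000000,[envTempAvgDegC]=50.128208,"
    "[envTempMaxDegC]=51.000000,[envTempMinDegC]=48.000000",
    "[PH_DEV_MON_UCS_HW_FAN_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine,"
    "[hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1/fan-module-1-5/fan-2,"
    "[fanSpeed]=7800.000000,[fanSpeedAvg]=7049.000000,"
    "[fanSpeedMax]=8550.000000,[fanSpeedMin]=2550.00000",
    "[PH_DEV_MON_UCS_HW_CHASSIS_STAT]:[eventSeverity]=PHL_INFO,[hostName]=machine,"
    "[hostIpAddr]=10.1.2.36,[hwComponentName]=sys/chassis-1,"
    "[inputPowerWatt]=7.843137,[inputPowerAvgWatt]=7.843137,[inputPowerMaxWatt]=7.843137,"
    "[inputPowerMinWatt]=7.843137,[outputPowerWatt]=0.000000,[outputPowerAvgWatt]=0.000000,"
    "[outputPowerMaxWatt]=0.000000,[outputPowerMinWatt]=0.000000",
]

EVENT_HEADER = re.compile(r"^\[(?P<etype>PH_DEV_MON_UCS_HW_[A-Z_]+)\]:(?P<attrs>.*)$")
ATTRIBUTE = re.compile(r"\[(?P<key>\w+)\]=(?P<val>[^,]*)")

Value = Union[str, float]


def parse_ucs_event(line: str) -> Optional[Dict[str, Value]]:
    """Turn one [key]=value event into a dict; numeric values become floats."""
    m = EVENT_HEADER.match(line)
    if not m:
        return None
    event: Dict[str, Value] = {"eventType": m["etype"]}
    for key, raw in ATTRIBUTE.findall(m["attrs"]):
        raw = raw.strip()
        try:
            event[key] = float(raw)
        except ValueError:
            event[key] = raw  # hostName, hostIpAddr, hwComponentName, severity label
    return event


def hardware_alerts(
    event: Dict[str, Value],
    max_temp_c: float = 45.0,                       # assumed limits, not FortiSIEM defaults
    min_fan_rpm: float = 3000.0,
    volt_band: Tuple[float, float] = (198.0, 242.0),
) -> List[Tuple[str, str]]:
    """Return (component, message) pairs for readings outside the assumed operating bands."""
    alerts: List[Tuple[str, str]] = []
    comp = str(event.get("hwComponentName", "?"))
    temp = event.get("envTempdDegC")
    if isinstance(temp, float) and temp > max_temp_c:
        alerts.append((comp, f"temperature {temp:.1f} C above {max_temp_c:.1f} C"))
    for key in ("input210Volt", "input210MinVolt", "input210MaxVolt"):
        volts = event.get(key)
        if isinstance(volts, float) and not volt_band[0] <= volts <= volt_band[1]:
            alerts.append((comp, f"{key} {volts:.1f} V outside {volt_band[0]:.0f}-{volt_band[1]:.0f} V"))
    fan_min = event.get("fanSpeedMin")  # the interval minimum, not the current reading
    if isinstance(fan_min, float) and fan_min < min_fan_rpm:
        alerts.append((comp, f"fan speed dipped to {fan_min:.0f} rpm (floor {min_fan_rpm:.0f} rpm)"))
    return alerts


def scan_events(lines: List[str]) -> List[Tuple[str, str]]:
    """Parse every line and collect the alerts; unparseable lines are skipped."""
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        event = parse_ucs_event(line)
        if event is not None:
            alerts.extend(hardware_alerts(event))
    return alerts


if __name__ == "__main__":
    for comp, msg in scan_events(UCS_SAMPLES):
        print(f"{comp}: {msg}")
```

Checking the interval minimum (fanSpeedMin) as well as the current value is deliberate: a fan that recovered before the poll would otherwise hide a dip, and the same applies to the Min/Max voltage attributes.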


HP BladeSystem

- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Access IP, Hardware components - processors, chassis, blades, board, cpu, memory, storage, power supply unit, fan unit
Metrics collected: Hardware status: Fan status, Power supply status, power enclosure status, Overall status
Used for: Availability and Performance Monitoring

Configuration

SNMP

FortiSIEM uses SNMP to discover the HP BladeSystem and collect hardware statistics. See the instructions on
configuring SNMP in your Bladesystem documentation to enable communications with FortiSIEM.
After you have configured SNMP on your BladeSystem blade server, you can configure FortiSIEM to communicate with
your device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials in FortiSIEM

See Access Credentials to set access and protocol for SSH, and Telnet.

Cloud Applications

FortiSIEM supports these cloud applications for monitoring.

- AWS Access Key IAM Permissions and IAM Policies
- AWS CloudTrail API
- AWS EC2
- AWS EC2 CloudWatch API
- AWS Kinesis
- AWS RDS
- AWS Security Hub
- Box.com
- Google Workspace Audit
- Microsoft Azure Audit
- Microsoft Office365 Audit
- Microsoft Cloud App Security
- Microsoft Azure ATP
- Microsoft Azure Compute
- Microsoft Azure Event Hub
- Microsoft Windows Defender ATP
- Okta
- Salesforce CRM Audit

Alcide.io KAudit

- Integration Points
- Configuring Alcide.io to Send Logs
- Configuring FortiSIEM to Receive Logs
- Alcide.io Event Types
- Alcide.io Sample Log

Integration Points

Protocol | Information Collected | Used For
Syslog | Audit logs | Security and Compliance Monitoring

Configuring Alcide.io to Send Logs

Follow the steps listed here to send syslog to FortiSIEM.

1. In the target section of the ConfigMap, set the following:
a. Target-type = syslog
b. Syslog host = <fortisiem.host.com>
c. Syslog port = 514
d. Syslog-tcp = false

Configuring FortiSIEM to Receive Logs

No configuration is needed. FortiSIEM can automatically detect and parse Alcide.io logs based on the built in parser.

Alcide.io Event Types

Go to Resources > Event Type and search "AlcideKAudit."

Alcide.io Sample Log

<109>Feb 28 07:09:18 AlcideKAudit: {"category":"anomaly","cluster":"devel","etype":"cluster","reasons":[{"values":{"high":[1]},"doc":"change in count of unique unusual URIs in read access attempts","period":180000,"direction":"read"}],"time":1582873380000,"short-doc":"change in targets of access attempts","project":"alcide-rnd","context":{"unusual-uri":["LHUt"]},"period":180000,"eid":"cluster","confidence":"high","doc":"unusual change in count of unique unusual URIs in access attempts","direction":"read"}

AWS Access Key IAM Permissions and IAM Policies

To monitor AWS resources in FortiSIEM, an access key and a corresponding secret access key are needed. Before
AWS IAM users were available, the recommendation was to create an access key at the level of the root AWS
account. This practice has been deprecated since the availability of AWS IAM users, as described in the AWS
Security Credentials best practice guide. If you were monitoring AWS using such access keys, the first step is to
delete those keys and create keys based on a standalone IAM user dedicated to monitoring purposes in FortiSIEM.
This document explains how to create such a user, and what permissions and policies to add to allow FortiSIEM to
monitor your AWS environment.

Create IAM user for FortiSIEM monitoring

1. Log in to the IAM Console - Users tab.
2. Click Create Users.
3. Type in a user name, e.g. aomonitoring, under Enter User Names.
4. Leave the checkbox Generate an access key for each user selected, or select it if it is not selected.
5. Click Download Credentials and then click the Close button.
6. The downloaded CSV file contains the Access Key ID and Secret Access Key that you can use in FortiSIEM to
monitor various AWS services. You must add permissions before you can actually add them in FortiSIEM.

Change permissions for IAM user

1. Select the user you are monitoring.
2. Switch to the Permissions tab.
3. Click Attach Policy.
4. Select AmazonEC2ReadOnlyAccess, AWSCloudTrailReadOnlyAccess, AmazonRDSReadOnlyAccess,
CloudWatchReadOnlyAccess, AmazonSQSFullAccess and click Attach Policy. You can skip attaching a policy if
you do not use, or do not plan to monitor, the corresponding service. For instance, if you do not use RDS, you do
not need to attach AmazonRDSReadOnlyAccess.
5. You can choose to provide blanket read-only access to all S3 buckets by attaching the policy
AmazonS3ReadOnlyAccess. Alternatively, you can specify a more restricted policy as described in the next step.
6. Identify the set of S3 bucket(s) that you have configured to store CloudTrail logs for each region. You can create
an inline policy, choose custom policy, then paste the sample policy below. Make sure you replace the S3 bucket
names below, aocloudtrail1 and aocloudtrail2, with the ones you have configured.

S3 bucket read-only policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::aocloudtrail1",
                "arn:aws:s3:::aocloudtrail2"
            ]
        }
    ]
}
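As an added example (not part of the guide), the following Python builds the restricted bucket policy above from a list of CloudTrail bucket names and checks any policy document for the least-privilege properties the guide aims at: only s3:Get*/s3:List* actions, and no wildcard resource of the kind the blanket AmazonS3ReadOnlyAccess alternative grants. The optional object ARN (arn:aws:s3:::bucket/*) is this example's addition, because IAM evaluates s3:GetObject against object ARNs rather than the bucket ARN; the bucket names are the guide's placeholders.

```python
import fnmatch
import json

# The two read-only action patterns granted by the guide's sample policy.
READ_ONLY_ACTIONS = ("s3:Get*", "s3:List*")


def build_cloudtrail_bucket_policy(bucket_names, include_objects=True):
    """Build the guide's read-only policy for the named CloudTrail buckets.

    With include_objects=False the output matches the guide's sample exactly
    (bucket ARNs only). With include_objects=True (this example's addition)
    the object ARN bucket/* is listed as well, because IAM evaluates
    s3:GetObject against object ARNs, not against the bucket ARN.
    """
    resources = []
    for name in bucket_names:
        resources.append(f"arn:aws:s3:::{name}")
        if include_objects:
            resources.append(f"arn:aws:s3:::{name}/*")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(READ_ONLY_ACTIONS),
            "Resource": resources,
        }],
    }


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def policy_problems(policy):
    """List least-privilege violations in an IAM policy document.

    Flags any Allow statement whose actions fall outside s3:Get*/s3:List*
    (for example s3:* or s3:PutObject) and any resource that is a wildcard
    or not an S3 ARN. An empty list means the policy is scoped to explicitly
    named buckets and read-only actions, as the guide's sample policy is.
    """
    problems = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not any(fnmatch.fnmatch(action, pat) for pat in READ_ONLY_ACTIONS):
                problems.append(f"statement {idx}: action {action!r} is not read-only")
        for res in _as_list(stmt.get("Resource", [])):
            if res in ("*", "arn:aws:s3:::*"):
                problems.append(f"statement {idx}: resource {res!r} covers every bucket")
            elif not res.startswith("arn:aws:s3:::"):
                problems.append(f"statement {idx}: resource {res!r} is not an S3 ARN")
    return problems


if __name__ == "__main__":
    # Bucket names are the guide's placeholders; replace them with your own.
    policy = build_cloudtrail_bucket_policy(["aocloudtrail1", "aocloudtrail2"])
    print(json.dumps(policy, indent=2))
    print("problems:", policy_problems(policy))
```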


AWS CloudTrail

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
- Sample Events for AWS CloudTrail
- Performance Tuning for High EPS CloudTrail Events

What is Discovered and Monitored

Protocol         Information Discovered   Metrics Collected   Used For
CloudTrail API   None                     None                Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "Cloudtrail" in the Device Type column to see the event types
associated with this device. See the Amazon API reference for more information about the event types available for
CloudTrail monitoring.

Reports

In RESOURCE > Reports, search for "cloudtrail" in the Name column to see the reports associated with this device.

Configuration

If you have not already configured Access Keys and permissions in AWS, please follow the steps outlined in AWS
Access Key IAM Permissions and IAM Policies.
FortiSIEM receives information about AWS events through the CloudTrail API. After creating an S3 bucket for the
storage of log files on AWS, you then configure the Simple Notification Service (SNS) and Simple Queue Service (SQS)
to create a notification for the log file and have it delivered by SQS. In your FortiSIEM virtual appliance you then enter
access credentials so FortiSIEM can communicate with CloudTrail as it would any other device.
Note: Do not add any extra SNS notifications in the SQS queue. The queue should only have one SNS subscription,
otherwise pulling logs will not function.

Create a new CloudTrail

1. Log in to https://console.aws.amazon.com/cloudtrail.
2. Switch to the region for which you want to generate CloudTrail logs.
3. Click Trails.
4. Click Add New Trail.
5. Enter a Trail name such as aocloudtrail.
6. Select Yes for Apply Trail to all regions.
FortiSIEM can pull trails from all regions via a single credential.
7. Select Yes for Create a new S3 bucket.
8. For S3 bucket, enter a name like s3aocloudtrail.
9. Click Advanced.
10. Select Yes for Create a new SNS topic.
11. For SNS topic, enter a name like snsaocloudtrail.
12. Leave the rest of the advanced settings at their default values.
13. Click Create.
A dialog will confirm that logging is turned on.

Configure Simple Queue Service (SQS) Delivery

1. Log in to https://console.aws.amazon.com/sqs.
2. Switch to the region in which you created the new CloudTrail above.
3. Click Create New Queue.
4. Enter a Queue Name such as sqsaocloudtrail and set the following:

Setting                      Value
Default Visibility Timeout   0 seconds
Message Retention Period     10 minutes. This must be set to between 5 and 50 minutes. A lower value is recommended for high event rates to avoid event loss.
Maximum Message Size         256 KB
Delivery Delay               0 seconds
Receive Message Wait Time    5 seconds

5. Click Create Queue.
6. When the queue is created, click the Details tab and make note of the ARN (Amazon Resource Name), as you will
need this when configuring the Simple Notification Service below and when configuring the access credentials for
FortiSIEM.

Set Up Simple Notification Service (SNS)

1. Log in to https://console.aws.amazon.com/sns.
2. Switch to the region where you created the trail and SQS queue.
3. Select Topics.
4. Select the SNS topic snsaocloudtrail that you specified when creating the CloudTrail.
5. Click Actions > Subscribe to topic from the menu to launch the Create Subscription popup.
6. For Protocol, select Amazon SQS.
7. For Endpoint, enter the ARN of the queue that you created when setting up SQS.
8. Click Create Subscription.

Give Permission for Amazon SNS to Send Messages to SQS

1. Log in to https://console.aws.amazon.com/sqs.
2. Select the queue you created, sqsaocloudtrail.
3. In the Queue Actions menu, select Subscribe Queue to SNS Topic.
4. From the Choose a Topic dropdown, select the SNS topic snsaocloudtrail that you created earlier.
5. The Topic ARN will be automatically filled.
6. Click Subscribe.

Note: Ensure that SQS, SNS, S3 bucket and CloudTrail are in the same region.
You do not need to initiate discovery of AWS Cloud Trail, but should check that FortiSIEM is pulling events for AWS by
checking for an amazon.com entry in ADMIN > Setup > Event Pulling.
You can configure FortiSIEM to communicate with your device by following the instructions in "Discovery Settings" and
"Setting Credentials" in the User Guide.

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to communicate with the CloudTrail API.

Setting           Value
Name              aocloudtrail
Device Type       Amazon AWS CloudTrail
Access Protocol   Amazon AWS CloudTrail
Region            Region where you created the trail.
Bucket            The name of the S3 bucket you created (s3aocloudtrail).
SQS Queue URL     Enter the ARN of your queue without the http:// prefix.
Password Config   See Password Configuration.
Access Key ID     The access key for your AWS instance.
Secret Key        The secret key for your AWS instance.
Organization      Select an organization from the drop-down list.

Sample Events for AWS CloudTrail

Fri Oct 10 14:44:23 2014 FortiSIEM-CloudTrail
[additionalEventData/LoginTo]=https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true
[additionalEventData/MFAUsed]=No [additionalEventData/MobileVersion]=No [awsRegion]=us-east-1
[eventID]=fdf8f837-7e75-46a0-ac95-b6d15993ebf7 [eventName]=ConsoleLogin [eventSource]=SIGNIN
[eventTime]=2014-10-10T06:38:11Z [eventVersion]=1.01 [requestParameters]=null
[responseElements/ConsoleLogin]=Success [sourceIPAddress]=211.144.207.10
[userAgent]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/37.0.2062.120 Safari/537.36 [userIdentity/accountId]=623885071509
[userIdentity/arn]=arn:aws:iam::623885071509:user/John.Adams
[userIdentity/principalId]=AIDAIUSNMEIUYBS7AN4UW [userIdentity/type]=IAMUser
[userIdentity/userName]=John.Adams

Fri Oct 10 14:19:45 2014 FortiSIEM-CloudTrail [awsRegion]=us-east-1
[eventID]=351bda80-39d4-41ed-9e4d-86d6470c2436 [eventName]=DescribeInstances [eventSource]=EC2
[eventTime]=2014-10-10T06:12:24Z [eventVersion]=1.01 [requestID]=2d835ae2-176d-4ea2-8523-b1a09585e803
[requestParameters/filterSet/items/0/name]=private-ip-address
[requestParameters/filterSet/items/0/valueSet/items/0/value]=10.0.0.233
[responseElements]=null [sourceIPAddress]=211.144.207.10 [userAgent]=aws-sdk-php2/2.4.7
Guzzle/3.7.1 curl/7.19.7 PHP/5.3.3 [userIdentity/accessKeyId]=AKIAI2MUUCROHFSLLT3A
[userIdentity/accountId]=623885071509 [userIdentity/arn]=arn:aws:iam::623885071509:root
[userIdentity/principalId]=623885071509 [userIdentity/type]=Root
[userIdentity/userName]=accelops
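The guide shows FortiSIEM's [attribute]=value rendering of CloudTrail events; as an added example (not FortiSIEM code), this Python parses that rendering and applies two defensive checks drawn from the text: console logins where MFAUsed is No, and API calls made with root credentials, which the IAM section above says to replace with a dedicated monitoring user. The sample lines are constructed from the two events above, with the account ID, principal ID and access key ID replaced by placeholders.

```python
import re

# One attribute is "[name]=value"; a value runs until the next "[name]=" or the end.
_ATTR_RE = re.compile(r"\[([^\]]+)\]=(.*?)(?=\s+\[[^\]]+\]=|\Z)", re.DOTALL)

# Constructed samples modelled on the guide's two events (IDs are placeholders).
SAMPLE_CONSOLE_LOGIN = (
    "Fri Oct 10 14:44:23 2014 FortiSIEM-CloudTrail "
    "[additionalEventData/LoginTo]=https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true "
    "[additionalEventData/MFAUsed]=No [additionalEventData/MobileVersion]=No [awsRegion]=us-east-1 "
    "[eventID]=fdf8f837-7e75-46a0-ac95-b6d15993ebf7 [eventName]=ConsoleLogin [eventSource]=SIGNIN "
    "[eventTime]=2014-10-10T06:38:11Z [eventVersion]=1.01 [requestParameters]=null "
    "[responseElements/ConsoleLogin]=Success [sourceIPAddress]=203.0.113.10 "
    "[userAgent]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/37.0.2062.120 Safari/537.36 [userIdentity/accountId]=111111111111 "
    "[userIdentity/arn]=arn:aws:iam::111111111111:user/John.Adams "
    "[userIdentity/principalId]=AIDAEXAMPLEPRINCIPAL [userIdentity/type]=IAMUser "
    "[userIdentity/userName]=John.Adams"
)
SAMPLE_ROOT_API = (
    "Fri Oct 10 14:19:45 2014 FortiSIEM-CloudTrail [awsRegion]=us-east-1 "
    "[eventID]=351bda80-39d4-41ed-9e4d-86d6470c2436 [eventName]=DescribeInstances [eventSource]=EC2 "
    "[eventTime]=2014-10-10T06:12:24Z [eventVersion]=1.01 "
    "[requestParameters/filterSet/items/0/name]=private-ip-address "
    "[requestParameters/filterSet/items/0/valueSet/items/0/value]=10.0.0.233 "
    "[responseElements]=null [sourceIPAddress]=203.0.113.10 [userAgent]=aws-sdk-php2/2.4.7 "
    "Guzzle/3.7.1 curl/7.19.7 PHP/5.3.3 [userIdentity/accessKeyId]=AKIAEXAMPLEKEYID "
    "[userIdentity/accountId]=111111111111 [userIdentity/arn]=arn:aws:iam::111111111111:root "
    "[userIdentity/principalId]=111111111111 [userIdentity/type]=Root [userIdentity/userName]=accelops"
)


def parse_fortisiem_event(line):
    """Split a FortiSIEM-CloudTrail line into its timestamp and an attribute dict."""
    collapsed = " ".join(line.split())  # undo line wrapping from a PDF or terminal
    stamp, sep, body = collapsed.partition(" FortiSIEM-CloudTrail ")
    if not sep:
        raise ValueError("not a FortiSIEM-CloudTrail event line")
    attrs = {name: value.strip() for name, value in _ATTR_RE.findall(body)}
    attrs["_timestamp"] = stamp
    return attrs


def review_cloudtrail_event(attrs):
    """Return the review findings for one parsed event (defensive checks only)."""
    findings = []
    if attrs.get("userIdentity/type") == "Root":
        # The guide deprecates root access keys in favour of a dedicated IAM user.
        if "userIdentity/accessKeyId" in attrs:
            findings.append("root-access-key-used")
        else:
            findings.append("root-identity-used")
    if (attrs.get("eventName") == "ConsoleLogin"
            and attrs.get("additionalEventData/MFAUsed") == "No"):
        findings.append("console-login-without-mfa")
    return findings


def review_events(lines):
    """Parse many lines; return [(eventID, findings)] for events that have findings."""
    results = []
    for line in lines:
        attrs = parse_fortisiem_event(line)
        findings = review_cloudtrail_event(attrs)
        if findings:
            results.append((attrs.get("eventID"), findings))
    return results


if __name__ == "__main__":
    for event_id, findings in review_events([SAMPLE_CONSOLE_LOGIN, SAMPLE_ROOT_API]):
        print(event_id, findings)
```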

Performance Tuning for High EPS CloudTrail Events

AWS CloudTrail can generate a lot of events. Follow these recommendations to enable FortiSIEM to keep up with high
EPS CloudTrail events.
1. In the AWS configuration, change the Message retention period of SQS to 1 day.
2. Adjust the CloudTrail event pulling parameters as follows. Go to the Collector that pulls AWS CloudTrail
events. You will find these three relevant parameters in the /opt/phoenix/config/phoenix_config.txt
file:
   - cloudtrail_msg_pull_interval (default 30 seconds, minimum recommended 10 seconds) - how
     often CloudTrail events are pulled.
   - cloudtrail_msg_pull_thread_num (default 1, maximum recommended 60) - how many threads are
     used to pull CloudTrail events.
   - cloudtrail_file_parse_thread_num (default 3, maximum recommended 60) - how many threads
     are used to parse CloudTrail events.
Since each API call returns a maximum of 10 files, set the parameters to satisfy the following two constraints. If the
thread count is high, then you must increase the number of vCPUs in the Collector.
   - Set (SQSInputEventRate times cloudtrail_msg_pull_interval) to be smaller than
     (cloudtrail_msg_pull_thread_num times 10).
   - Set cloudtrail_msg_pull_thread_num to be equal to cloudtrail_file_parse_thread_num.
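As an added example (not from the guide), this Python expresses the two constraints above and, for a given SQSInputEventRate, picks the smallest thread count that satisfies them, shortening the pull interval only when the thread count would exceed the recommended maximum. It assumes the rate is in SQS messages per second; the defaults and bounds are the ones stated in the list above.

```python
import math

# Bounds the guide states for the three phoenix_config.txt parameters.
PULL_INTERVAL_DEFAULT = 30   # cloudtrail_msg_pull_interval (seconds)
PULL_INTERVAL_MIN = 10       # minimum recommended interval
PULL_THREADS_DEFAULT = 1     # cloudtrail_msg_pull_thread_num
PARSE_THREADS_DEFAULT = 3    # cloudtrail_file_parse_thread_num
THREADS_MAX = 60             # maximum recommended for either thread count
FILES_PER_CALL = 10          # each API call returns at most 10 files


def satisfies_constraints(sqs_input_event_rate, pull_interval, pull_threads, parse_threads):
    """Return True when both tuning constraints from the guide hold.

    Constraint 1: SQSInputEventRate * cloudtrail_msg_pull_interval
                  < cloudtrail_msg_pull_thread_num * 10
    Constraint 2: cloudtrail_msg_pull_thread_num == cloudtrail_file_parse_thread_num
    The recommended bounds on the interval and thread counts are checked too.
    """
    in_bounds = (pull_interval >= PULL_INTERVAL_MIN
                 and 1 <= pull_threads <= THREADS_MAX
                 and 1 <= parse_threads <= THREADS_MAX)
    keeps_up = sqs_input_event_rate * pull_interval < pull_threads * FILES_PER_CALL
    return in_bounds and keeps_up and pull_threads == parse_threads


def recommend_tuning(sqs_input_event_rate, pull_interval=PULL_INTERVAL_DEFAULT):
    """Choose parameter values for a given SQS input rate (messages per second).

    Keeps the requested pull interval when possible and otherwise shortens it,
    down to the recommended minimum, until the thread count needed fits under
    the maximum. The thread count is the smallest integer that satisfies
    constraint 1 strictly; parse threads are set equal to pull threads.
    When no interval works, 'feasible' is False and the tightest setting tried
    is returned: the Collector then needs more capacity than these parameters
    alone can provide.
    """
    for interval in range(int(pull_interval), PULL_INTERVAL_MIN - 1, -1):
        needed = math.floor(sqs_input_event_rate * interval / FILES_PER_CALL) + 1
        if needed <= THREADS_MAX:
            return {
                "cloudtrail_msg_pull_interval": interval,
                "cloudtrail_msg_pull_thread_num": needed,
                "cloudtrail_file_parse_thread_num": needed,
                "feasible": True,
            }
    return {
        "cloudtrail_msg_pull_interval": PULL_INTERVAL_MIN,
        "cloudtrail_msg_pull_thread_num": THREADS_MAX,
        "cloudtrail_file_parse_thread_num": THREADS_MAX,
        "feasible": False,
    }


def max_sustainable_rate(pull_interval, pull_threads):
    """Largest SQS input rate (exclusive bound) a setting can keep up with."""
    return pull_threads * FILES_PER_CALL / pull_interval


if __name__ == "__main__":
    # The shipped defaults only keep up with very low rates, and the default
    # thread counts (1 pull, 3 parse) violate constraint 2.
    print(max_sustainable_rate(PULL_INTERVAL_DEFAULT, PULL_THREADS_DEFAULT))
    print(satisfies_constraints(0.3, PULL_INTERVAL_DEFAULT,
                                PULL_THREADS_DEFAULT, PARSE_THREADS_DEFAULT))
    for rate in (10, 20, 100):
        print(rate, recommend_tuning(rate))
```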


Amazon AWS EC2

What is Discovered and Monitored

Event Types

Reports

Configuration

Setup in FortiSIEM

Complete these steps in the FortiSIEM UI:

1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box:

Settings          Description
Name              <set name>
Device Type       Amazon AWS EC2
Access Protocol   AWS SDK
Region            [Required] Region in which your AWS instance is located
Access Key ID     [Required] Access key for your AWS instance
Secret Key        [Required] Secret key for your AWS instance
Description       Description about the device

3. In Step 2: Enter IP Range to Credential Associations:
   a. Select the name of your credential from the Credentials drop-down list.
   b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
   c. Click Save.
4. Click Test to test the connection to Amazon AWS EC2.
5. To see the jobs associated with AWS, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter AWS in the search box.


AWS EC2 CloudWatch API

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
- Sample events

What is Discovered and Monitored

Protocol         Information Discovered   Metrics Collected                    Used For
CloudWatch API   - Machine name           - CPU Utilization                    Performance Monitoring
                 - Internal Access IP     - Received Bits/sec
                 - Instance ID            - Sent Bits/sec
                 - Image ID               - Disk reads (Instance Store)
                 - Availability Zone      - Disk writes (Instance Store)
                 - Instance Type          - Disk reads/sec (Instance Store)
                 - Volume ID              - Disk writes/sec (Instance Store)
                 - Status                 - Packet loss
                 - Attach Time            - Read Bytes (EBS)
                                          - Write Bytes (EBS)
                                          - Read Ops (EBS)
                                          - Write Ops (EBS)
                                          - Disk Queue (EBS)

Event Types

- PH_DEV_MON_EBS_METRIC captures EBS metrics

Configuration

If you have not already configured Access Keys and permissions in AWS, please follow the steps outlined in AWS
Access Key IAM Permissions and IAM Policies.
You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more
information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide. You should also be
sure to read the topic Discovering Amazon Web Services (AWS) Infrastructure.
VPC Flow logs are supported. For more information, see HOW TO - Integrate Amazon VPC Flows.


Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access AWS CloudWatch.

Setting           Value
Name              ec2
Device Type       Amazon AWS CloudWatch
Access Protocol   AWS CloudWatch
Region            The region in which your AWS instance is located
AWS Account       The name of your AWS account.
Log Group Name    Name of the log group.
Log Stream Name   Name of the log stream.
Password Config   See Password Configuration.
Access Key ID     The access key for your EC2 instance
Secret Key        The secret key for your EC2 instance

Sample events

[PH_DEV_MON_EC2_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,
[lineNumber]=6571,[hostName]=ec2-54-81-216-218.compute-1.amazonaws.com,
[hostIpAddr]=10.144.18.131,[cpuUtil]=0.334000,[diskReadKBytesPerSec]=0.000000,
[diskWriteKBytesPerSec]=0.000000,[diskReadReqPerSec]=0.000000,[diskWriteReqPerSec]=0.000000,
[sentBytes]=131,[recvBytes]=165,[sentBitsPerSec]=17.493333,[recvBitsPerSec]=22.026667,
[phLogDetail]=
[PH_DEV_MON_EBS_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=deviceAws.cpp,
[lineNumber]=133,[hostName]=ec2-52-69-215-178.ap-northeast-1.compute.amazonaws.com,
[hostIpAddr]=172.30.0.50,[diskName]=/dev/sda1,[volumeId]=vol-63287d9f,
[diskReadKBytesPerSec]=7.395556,[diskWriteKBytesPerSec]=7.395556,[ioReadsPerSec]=0.000000,
[ioWritesPerSec]=0.010000,[diskQLen]=0,[phLogDetail]=


AWS Kinesis

Amazon Kinesis is an Amazon Web Service (AWS) for processing big data in real time. Kinesis is capable of processing
hundreds of terabytes per hour from high volumes of streaming data from sources such as operating logs, financial
transactions and social media feeds.
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuring AWS Kinesis
- Configuring FortiSIEM
- Sample Events

What is Discovered and Monitored

Protocol                    Information collected   Used for
Amazon AWS Client Library   Streaming data          Collect, process, and analyze real-time streaming data.

Event Types

In RESOURCES > Event Types, enter "Kinesis" in the Search column to see the event types associated with this
device.

Rules

No defined rules.

Reports

No defined reports.

Configuring AWS Kinesis

1. Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.
2. In the navigation bar on the upper right, choose your user name, and then choose My Security Credentials.
3. On the AWS IAM Credentials tab, in the Access keys for CLI, SDK, and API access section, do any of the
following:
   - To create an access key, choose Create access key. Then choose Download .csv file to save the access
     key ID and secret access key to a .csv file on your computer. Store the file in a secure location. You will not
     have access to the secret access key again after this dialog box closes. After you have downloaded the .csv
     file, choose Close. When you create an access key, the key pair is active by default, and you can use the pair
     right away.
   - To disable an active access key, choose Make inactive.
   - To reenable an inactive access key, choose Make active.
   - To delete an access key, choose its X button at the far right of the row. Then choose Delete to confirm. When
     you delete an access key, it's gone forever and cannot be retrieved. However, you can always create new keys.

Configuring FortiSIEM

1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box and click Save:

Settings          Description
Name              Enter a name for the credential.
Device Type       Amazon AWS Kinesis
Access Protocol   AWS Kinesis Client Library
Region            You can enter one or more regions separated by a space, for example, "us-east-1 us-west-2". See Supported Regions in AWS for a list of valid regions.
Password Config   Choose Manual, CyberArk, or RAX_Janus from the drop-down list. For CyberArk, see CyberArk Password Configuration. For RAX_Janus, see RAX_Janus Password Configuration.
Access Key        Access key for your AWS Kinesis instance. See Configuring AWS Kinesis.
Secret Key        Secret key for your AWS Kinesis instance.
Organization      The organization the device belongs to.
Description       Description of the device.

3. In Step 2: Enter IP Range to Credential Associations:
   a. Select the name of your AWS Kinesis credential from the Credentials drop-down list.
   b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
   c. Click Save.
4. Click Test to test the connection to AWS Kinesis.
5. To see the jobs associated with AWS Kinesis, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter AWS Kinesis in the search box.


Sample Events

AWS Kinesis can collect data from different devices or services. The data format is the same as the source data.


AWS RDS

- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Type                                Protocol         Information Discovered   Metrics Collected    Used For
Relational Database Storage (RDS)   CloudWatch API                            - CPU Utilization    Performance Monitoring
                                                                              - User Connections
                                                                              - Free Memory
                                                                              - Free Storage
                                                                              - Used Swap
                                                                              - Read Latency
                                                                              - Write Latency
                                                                              - Read Ops
                                                                              - Write Ops

Event Types

- PH_DEV_MON_RDS_METRIC captures RDS metrics

Configuration

If you have not already configured Access Keys and permissions in AWS, please follow the steps outlined in AWS
Access Key IAM Permissions and IAM Policies.

Discovering AWS RDS

1. Create an AWS credential:
   a. Go to Admin > Credentials > Step 1: Enter Credentials.
   b. Click Add.
      i. Set Device Type to Amazon AWS RDS.
      ii. Set Access Protocol to AWS SDK.
      iii. Set Region to the region in which your AWS instance is located.
      iv. Set Password. See Password Configuration.
      v. Set Access Key ID to the access key for your EC2 instance.
      vi. Set Secret Key to the secret key for your EC2 instance.
      vii. Select an Organization from the drop-down list.
   c. Click Save.
2. In Step 2: Enter IP Range to Credential Associations:
   a. Set IP/IP Range to amazon.com.
   b. Set Credentials to the one created in Step 1b.
3. Click Test > Test Connectivity to make sure the credential is working correctly.
4. Go to Admin > Discovery:
   a. Set Discovery Type to AWS Scan.
   b. Click OK to save.
   c. Select the entry and click Discover.
5. After Discovery finishes, check CMDB > Devices > Amazon Web Services > AWS Database.

Sample Events

[PH_DEV_MON_RDS_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=deviceAwsRDS.cpp,[lineNumber]=104,
[hostName]=mysql1.cmdzvvce07ar.ap-northeast-1.rds.amazonaws.com,[hostIpAddr]=54.64.131.93,
[dbCpuTimeRatio]=1.207500,[dbUserConn]=0,[dbEnqueueDeadlocksPerSec]=0.000587,[freeMemKB]=489,
[freeDiskMB]=4555,[swapMemUtil]=0.000000,[ioReadsPerSec]=0.219985,[ioWritesPerSec]=0.213329,
[devDiskRdLatency]=0.08,[devDiskWrLatency]=0.4029,[phLogDetail]=


AWS Security Hub

Security Hub collects security data from across AWS accounts, services, and supported third-party partner products.
FortiSIEM pulls the data collected by Security Hub and analyzes it to identify the highest priority security issues.

What is Discovered and Monitored

Protocol               Information collected   Used for
AWS Security Hub SDK   Security data           Security and compliance

Event Types

In RESOURCES > Event Types, enter "AWS Sechub" in the Search column to see the event types associated with
this device.

Rules

In RESOURCES > Rules, enter "AWS Sechub" in the Search column to see the rules associated with this device.

Reports

In RESOURCES > Reports, enter "AWS Security Hub" in the Search column to see the reports associated with this
device.

Requirements

FortiSIEM uses the PHP V3 SDK to integrate data from Security Hub and perform comprehensive security analytics.

Configuring AWS Security Hub

Supported Regions in AWS

Security Hub only collects events from the regions where you have enabled Security Hub. If you don't enable Security
Hub for other regions, then you won't get events from those regions. FortiSIEM allows you to specify multiple regions
when you create a new credential; Security Hub must be enabled in each region that you specify. These regions should
use the following AWS region codes:

Region Name                  Region Code
US East (Ohio)               us-east-2
US East (N. Virginia)        us-east-1
US West (N. California)      us-west-1
US West (Oregon)             us-west-2
Asia Pacific (Hong Kong)     ap-east-1
Asia Pacific (Mumbai)        ap-south-1
Asia Pacific (Seoul)         ap-northeast-2
Asia Pacific (Singapore)     ap-southeast-1
Asia Pacific (Sydney)        ap-southeast-2
Asia Pacific (Tokyo)         ap-northeast-1
Canada (Central)             ca-central-1
EU (Frankfurt)               eu-central-1
EU (Ireland)                 eu-west-1
EU (London)                  eu-west-2
EU (Paris)                   eu-west-3
EU (Stockholm)               eu-north-1
South America (São Paulo)    sa-east-1

Step 1: Enable Security Hub

Permissions required to enable Security Hub


1. The IAM identity (user, role, or group) that you use to enable Security Hub must have the required permissions. To
grant the permissions required to enable Security Hub, attach the following policy to an IAM user, group, or role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "securityhub:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "securityhub.amazonaws.com"
                }
            }
        }
    ]
}

2. Use the credentials of the IAM identity from step 1 to sign in to the Security Hub console. When you open the
Security Hub console for the first time, choose Get Started and then choose Enable Security Hub.

Step 2: Get an Access Key

This feature supports long-term access keys. Access keys consist of two parts: an access key ID and a secret access
key.

Permissions Required

To create access keys for your own IAM user, you must have the permissions from the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:GetUser",
                "iam:ListAccessKeys"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        }
    ]
}


To create, modify, or delete your own IAM user access keys (console):

1. Use your AWS account ID or account alias, your IAM user name, and your password to sign in to the IAM console.
2. In the navigation bar on the upper right, choose your user name, and then choose My Security Credentials.
3. On the AWS IAM Credentials tab, in the Access keys for CLI, SDK, and API access section, do any of the following:
   - To create an access key, choose Create access key. Then choose Download .csv file to save the access key ID
     and secret access key to a .csv file on your computer. Store the file in a secure location. You will not have
     access to the secret access key again after this dialog box closes. After you have downloaded the .csv file,
     choose Close. When you create an access key, the key pair is active by default, and you can use the pair right
     away.
   - To disable an active access key, choose Make inactive.
   - To reenable an inactive access key, choose Make active.
   - To delete an access key, choose its X button at the far right of the row. Then choose Delete to confirm. When
     you delete an access key, it's gone forever and cannot be retrieved. However, you can always create new keys.

Configuring FortiSIEM for AWS Security Hub Access

Complete these steps in the FortiSIEM UI:

1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box and click Save:

Settings          Description
Name              Enter a name for the credential.
Device Type       Amazon AWS Security Hub
Access Protocol   AWS Security Hub SDK
Region            You can enter one or more regions separated by a space, for example, "us-east-1 us-west-2". See Supported Regions in AWS for a list of valid regions.
Password Config   Choose Manual, CyberArk, or RAX_Janus from the drop-down list. For CyberArk, see CyberArk Password Configuration. For RAX_Janus, see RAX_Janus Password Configuration.
Access Key        Access key for your AWS Security Hub instance. See Step 2: Get an Access Key.
Secret Key        Secret key for your AWS Security Hub instance.
Session Token     The session token is used by credentials from Rax Scan. If you obtained an access key as described in Step 2: Get an Access Key, leave this field empty.
Organization      The organization the device belongs to.
Description       Description of the device.

3. In Step 2: Enter IP Range to Credential Associations:
   a. Select the name of your AWS Security Hub credential from the Credentials drop-down list.
   b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
   c. Click Save.
4. Click Test to test the connection to AWS Security Hub.
5. To see the jobs associated with AWS Security Hub, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter AWS Security Hub in the search box.

Sample Events

[AWS_SECURITY_HUB_EVENT_DATA] ={
    "AwsAccountId": "111111111111",
    "CreatedAt": "2019-08-06T04:56:44.894Z",
    "Description": "10.10.10.72 is performing SSH brute force attacks against i-0100ee1e110c011c1. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.",
    "FirstObservedAt": "2019-08-06T04:51:14Z",
    "GeneratorId": "arn:aws:guardduty:us-west-2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa",
    "Id": "arn:aws:guardduty:us-west-2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa/finding/8cb632a4b32f7c3b854d9f5347bf07a4",
    "LastObservedAt": "2019-08-06T05:22:54Z",
    "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty",
    "ProductFields": {
        "action/actionType": "NETWORK_CONNECTION",
        "action/networkConnectionAction/blocked": "false",
        "action/networkConnectionAction/connectionDirection": "INBOUND",
        "action/networkConnectionAction/localPortDetails/port": "22",
        "action/networkConnectionAction/localPortDetails/portName": "SSH",
        "action/networkConnectionAction/protocol": "TCP",
        "action/networkConnectionAction/remoteIpDetails/country/countryName": "China",
        "action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "34.7725",
        "action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "113.7266",
        "action/networkConnectionAction/remoteIpDetails/ipAddressV4": "10.10.10.72",
        "action/networkConnectionAction/remoteIpDetails/organization/asn": "56047",
        "action/networkConnectionAction/remoteIpDetails/organization/asnOrg": "China Mobile communications corporation",
        "action/networkConnectionAction/remoteIpDetails/organization/isp": "China Mobile Guangdong",
        "action/networkConnectionAction/remoteIpDetails/organization/org": "China Mobile",
        "action/networkConnectionAction/remotePortDetails/port": "33242",
        "action/networkConnectionAction/remotePortDetails/portName": "Unknown",
        "archived": "false",
        "aws/securityhub/CompanyName": "Amazon",
        "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-2::product/aws/guardduty/arn:aws:guardduty:us-west-2:111111111111:detector/50b2ea07131dbe1530c23facb594b1fa/finding/8cb632a4b32f7c3b854d9f5347bf07a4",
        "aws/securityhub/ProductName": "GuardDuty",
        "aws/securityhub/SeverityLabel": "MEDIUM",
        "count": "7",
        "detectorId": "50b2ea07131dbe1530c23facb594b1fa",
        "resourceRole": "TARGET"
    },
    "RecordState": "ACTIVE",
    "Resources": [
        {
            "Details": {
                "AwsEc2Instance": {
                    "ImageId": "ami-f2c2408a",
                    "IpV4Addresses": [
                        "10.10.10.20",
                        "10.0.0.137"
                    ],
                    "LaunchedAt": "2019-08-05T17:10:47.000Z",
                    "SubnetId": "subnet-931605f1",
                    "Type": "m5.4xlarge",
                    "VpcId": "vpc-c66576a4"
                }
            },
            "Id": "arn:aws:ec2:us-west-2:111111111111:instance/i-0799ee6e490c078c5",
            "Partition": "aws",
            "Region": "us-west-2",
            "Tags": {
                "Name": "elasticsearch-node-coordinator"
            },
            "Type": "AwsEc2Instance"
        }
    ],
    "SchemaVersion": "2018-10-08",
    "Severity": {
        "Normalized": 40,
        "Product": 2
    },
    "Title": "310.10.10.72 is performing SSH brute force attacks against i-0799ee6e490c078c5. ",
    "Types": [
        "TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce"
    ],
    "UpdatedAt": "2019-08-06T05:28:24.425Z",
    "WorkflowState": "NEW",
    "phCustId": 1,
    "serverIp": "10.10.10.22",
    "serverName": "amzon.com"
}


Box.com

- Integration points
- Box API Integration
- Configuring Box.com Service
- Configuring FortiSIEM

Integration points

Protocol      Information Discovered   Used For
Box.com API                            Security and Compliance

Box API Integration

FortiSIEM can pull audit events from Box.com Cloud Service via Box API.

Configuring Box.com Service

Create an account to be used for FortiSIEM communication.
- A general account can pull user events.
- An Admin account can pull enterprise events.

Configuring FortiSIEM

Use the account in previous step to enable FortiSIEM access.


1. Log on to FortiSIEM.
2. Go to ADMIN > Setup > Credentials.
3. Click New to create a Box.com credential.
   a. Choose Device Type = Box.com Box (Vendor = Box.com, Model = Box).
   b. Choose Access Protocol = Box API.
   c. Choose Account as the email address for the account created while Configuring Box.com Service.
   d. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple
      customers.
   e. Click Save.
   f. You will be redirected to the Box.com website.
   g. Enter credentials for Box.com and click Authorize.
   h. Click Grant Access to Box. You should see that the authorization for FortiSIEM to access your Box.com
      account was successful.
4. Enter an IP Range to Credential Association:
   a. Set Hostname to box.com.
   b. Select the Credential created in step 3.
   c. Click Save.
5. Select the entry in step 4 and click Test Connectivity and make sure it succeeds, implying that the credential is
correct.
6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will
start to pull events from Box.com Cloud Service using the Box.com API.
To test for received Box.com events:
1. Go to ADMIN > Setup > Pull Events.
2. Select the Box.com entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from Box.com in the last 15
minutes. You can modify the time interval to get more events.


Google Workspace Audit

- What is Discovered and Monitored
- Configuration
- Sample Events for Google Workspace Audit

What is Discovered and Monitored

Protocol               Logs Collected                                                                  Used For
Google Apps Admin SDK  Configuration Change, Account Create/Delete/Modify, Account Group               Security Monitoring
                       Create/Delete/Modify, Document Create/Delete/Modify/Download,
                       Document Permission Change, Logon Success, Logon Failure, Device compromise

Event Types

In ADMIN > Device Support > Event, search for "Google_Apps" in the Search column to see the event types
associated with this device.

Reports

There are many reports defined in Resource > Reports > Device > Application > Document Mgmt. Search for
"Google Apps".

Configuration

l Create a Google Workspace Credential in Google API Console
l Define Google Workspace Credential in FortiSIEM
l Test Connectivity

Create a Google Workspace Credential in Google API Console

1. Log on to the Google API Console (https://console.developers.google.com).
2. Open the Select a project window and click NEW PROJECT.
3. Under the New Project window:
a. Project Name - enter a name.
b. Click Create.
4. Open the Select a project window and select the new project that you created in Step 2.
5. Under Dashboard, click Enable API And Services to find the Admin SDK.
6. Select Admin SDK and click Enable to activate the Admin SDK for this project.
7. Create a Service Account for this project:
a. Under Credentials, click Create Credentials > Service Account.
b. Enter the service account name.
c. Click Create.
d. Choose Role as Project > Viewer.
e. Click Continue > Done.
8. Create a key for the Service Account:
a. Go to Navigation Menu > IAM & Admin > Service Accounts.
b. In the Service Account table, choose the service account you created in Step 7.
c. Click Actions > Create Key.
d. Choose Key type as JSON.
e. Click Create.
f. A JSON file containing the Service Account credentials is downloaded to your computer. FortiSIEM uploads this file in Define Google Workspace Credential in FortiSIEM.

9. Enable Google Workspace Domain-wide delegation:
a. Go to Navigation Menu > IAM & Admin > Service Accounts.
b. In the Service Account table, choose the service account you created in Step 7.
c. Click Actions > Edit > SHOW DOMAIN-WIDE DELEGATION.
d. Check Enable G Suite Domain-wide Delegation.
e. Enter FortiSIEM in the Product name for the consent screen.
f. Click Save.
10. View the Client ID:
a. Go to Navigation Menu > IAM & Admin > Service Accounts.
b. In the Service Account table, choose the service account you created in Step 7.
c. Click Actions > Edit > SHOW DOMAIN-WIDE DELEGATION.
d. The Client ID is shown here; note it for Step 11.
11. Delegate domain-wide authority to the service account created in Step 7:
a. Go to your Google Workspace domain's Admin console (https://admin.google.com).
b. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
c. Select Advanced settings from the list of options.
d. Click Manage domain wide delegation in the Domain wide delegation section.
e. Click Add new.
f. In the Client ID field, enter the service account's Client ID you obtained in Step 10d.
g. In the OAuth scopes (comma-delimited) field, enter the following scope, which grants FortiSIEM read-only access to the Reports API audit data:
https://www.googleapis.com/auth/admin.reports.audit.readonly
h. Click Authorize.

Define Google Workspace Credential in FortiSIEM

1. Log in to the FortiSIEM Supervisor node.
2. Go to Admin > Setup > Credentials.
3. In Step 1, click Add to create a new credential.
4. For Device Type, select Google Google Apps.
5. For Access Protocol, select Google Apps Admin SDK.
6. Enter the User Name (this is the account name to log in to the Admin console).
7. For Service Account Key, upload the JSON credential file (see Step 8f in Create a Google Workspace
Credential in Google API Console).
8. Click Save.

Test Connectivity

1. Log in to the FortiSIEM Supervisor node.
2. Go to Admin > Setup > Credentials.
3. In Step 2, click Add to create a new association.
4. For Name/IP/IP Range, enter google.com.
5. For Credentials, enter the name of the credential created in Define Google Workspace Credential in FortiSIEM.

6. Click Save.
7. Select the entry just created and click Test Connectivity without Ping. A pop-up appears and shows the Test Connectivity results.
8. Go to Admin > Setup > Pull Events and make sure an entry is created for Google Audit Log Collection.

Sample Events for Google Workspace Audit

Logon Success

<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_success]:[eventSeverity]=PHL_INFO,[actor.profileId]=117858279951236905887,[id.time]=2016-09-09T06:53:58.000Z,[id.applicationName]=login,[kind]=admin#reports#activity,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=8830301951515521023,[event.parameters.login_type]=google_password,[event.type]=login,[ipAddress]=45.79.100.103,[actor.email][email protected],[event.name]=login_success,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/Nfrg2SFjlC2gR6pJtpP2scVidmc""",Google_Apps_login_login_success,login_success,1,45.79.100.103,

Logon Failure
<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_failure]:[eventSeverity]=PHL_INFO,[actor.profileId]=117858279951236905887,[id.applicationName]=login,[kind]=admin#reports#activity,[event.parameters.login_type]=google_password,[ipAddress]=45.79.100.103,[event.name]=login_failure,[id.time]=2016-09-19T09:27:51.000Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=4795688196368428241,[event.type]=login,[actor.email][email protected],[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/v5zsUPNoEdXLLK79zQpBcuxNbQU"",[event.parameters.login_failure_type]=login_failure_invalid_password",Google_Apps_login_login_failure,login_failure,1,45.79.100.103,

Create User
<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_CREATE_USER]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=CREATE_USER,[id.time]=2016-09-19T09:22:44.646Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-8133102622954793216,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL][email protected],[actor.email][email protected],[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/R5GJyWG9YHSiGRvo3-8ZBM0ZlL0""",Google_Apps_USER_SETTINGS_CREATE_USER,CREATE_USER,1,45.79.100.103,

Delete user

<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_DELETE_USER]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=DELETE_USER,[id.time]=2016-09-19T09:22:28.582Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-4630441819990099585,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL][email protected],[actor.email][email protected],[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/08MaodxPU6Zv7s6vJtuUQW9ugx0""",Google_Apps_USER_SETTINGS_DELETE_USER,DELETE_USER,1,45.79.100.103,

Move user settings

<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_MOVE_USER_TO_ORG_UNIT]:[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[event.parameters.ORG_UNIT_NAME]=/test,[id.applicationName]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[event.name]=MOVE_USER_TO_ORG_UNIT,[id.time]=2016-09-19T09:24:25.285Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=-6704816947489240452,[event.type]=USER_SETTINGS,[event.parameters.USER_EMAIL]=test-[email protected],[actor.email][email protected],[event.parameters.NEW_VALUE]=/,[etag]=""6KGrH_UY2JDZNpgjPKUOF8yJF1A/r1v9DiPZbL06fXFFjJlrWf2s3qI""",Google_Apps_USER_SETTINGS_MOVE_USER_TO_ORG_UNIT,MOVE_USER_TO_ORG_UNIT,1,45.79.100.103,,
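The Python script below is an added example; it is not part of this guide and not FortiSIEM's own code. It parses event lines in the "[attribute]=value" format of the samples above, counts events per FortiSIEM event type, and flags an account/source-address pair that produces repeated login_failure events inside a short window, which is the kind of check an analyst would build on top of the Logon Failure events collected here. The sample lines, account names, addresses and etag values it embeds are constructed; the threshold and window are illustrative defaults.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# FortiSIEM renders each Google Workspace audit record as a syslog-style header,
# "[<event type>]:", then a comma-separated run of "[attribute]=value" pairs, and a
# trailing CSV summary. The regexes below pick out the event type and the pairs.
_EVENT_TYPE_RE = re.compile(r"\[(Google_Apps_[A-Za-z0-9_]+)\]:")
_PAIR_RE = re.compile(r"\[([A-Za-z0-9_.]+)\]=([^,]*)")


def make_sample_line(event_type, attrs):
    """Build a constructed sample line in the format shown above (test data, not real records)."""
    body = ",".join(f"[{k}]={v}" for k, v in attrs.items())
    return f"<134>Jan 21 19:29:21 google.com java: [{event_type}]:[eventSeverity]=PHL_INFO,{body}"


# Constructed login events: three failures and one success for one account from one
# address, plus a single failure for another account. Addresses are RFC 5737 test ranges.
_CONSTRUCTED_LOGINS = [
    ("login_failure", "alice@example.com", "203.0.113.10", "2016-09-19T09:27:51.000Z"),
    ("login_failure", "alice@example.com", "203.0.113.10", "2016-09-19T09:28:10.000Z"),
    ("login_failure", "alice@example.com", "203.0.113.10", "2016-09-19T09:29:05.000Z"),
    ("login_success", "alice@example.com", "203.0.113.10", "2016-09-19T09:30:00.000Z"),
    ("login_failure", "bob@example.com", "198.51.100.7", "2016-09-19T09:27:55.000Z"),
]
SAMPLE_EVENTS = [
    make_sample_line(f"Google_Apps_login_{name}", {
        "actor.profileId": "100000000000000000001", "id.applicationName": "login",
        "kind": "admin#reports#activity", "event.parameters.login_type": "google_password",
        "ipAddress": ip, "event.name": name, "id.time": when, "id.customerId": "C0example",
        "event.type": "login", "actor.email": email, "etag": '""constructed/etag""',
    })
    for name, email, ip, when in _CONSTRUCTED_LOGINS
]
# One admin event written out in full, including the trailing CSV summary FortiSIEM appends.
SAMPLE_EVENTS.append(
    "<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_CREATE_USER]:"
    "[eventSeverity]=PHL_INFO,[actor.callerType]=USER,[id.applicationName]=admin,"
    "[kind]=admin#reports#activity,[ipAddress]=198.51.100.7,[event.name]=CREATE_USER,"
    "[id.time]=2016-09-19T09:22:44.646Z,[id.customerId]=C0example,[event.type]=USER_SETTINGS,"
    "[event.parameters.USER_EMAIL]=carol@example.com,[actor.email]=admin@example.com\","
    "Google_Apps_USER_SETTINGS_CREATE_USER,CREATE_USER,1,198.51.100.7,"
)


def parse_event(line):
    """Return the attributes of one FortiSIEM Google Workspace event as a dict.

    The FortiSIEM event type is stored under "eventType"; attribute values keep their
    Reports API names (actor.email, ipAddress, id.time, event.name, ...).
    """
    match = _EVENT_TYPE_RE.search(line)
    if match is None:
        raise ValueError(f"not a Google Workspace event line: {line[:60]!r}")
    fields = {key: value.strip('"') for key, value in _PAIR_RE.findall(line)}
    fields["eventType"] = match.group(1)
    return fields


def _parse_time(stamp):
    """id.time is RFC 3339 with millisecond precision and a literal Z suffix."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def count_event_types(parsed_events):
    """How many events of each FortiSIEM event type were received."""
    return Counter(event["eventType"] for event in parsed_events)


def detect_repeated_login_failures(parsed_events, threshold=3, window=timedelta(minutes=10)):
    """Flag (actor.email, ipAddress) pairs with >= threshold login_failure events in one window.

    Returns {(email, ip): peak_count} for pairs that crossed the threshold. A sliding
    window over the sorted timestamps gives the largest number of failures inside any
    span of `window` length, so failures spread over a whole day are not flagged.
    """
    failures = defaultdict(list)
    for event in parsed_events:
        if event.get("event.name") == "login_failure":
            key = (event.get("actor.email"), event.get("ipAddress"))
            failures[key].append(_parse_time(event["id.time"]))
    flagged = {}
    for key, stamps in failures.items():
        stamps.sort()
        peak, start = 0, 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:  # drop failures that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    parsed = [parse_event(line) for line in SAMPLE_EVENTS]
    print(count_event_types(parsed))
    print(detect_repeated_login_failures(parsed))
```

The same parser applies to the USER_SETTINGS events above (CREATE_USER, DELETE_USER, MOVE_USER_TO_ORG_UNIT); only the event.name and parameter attributes differ.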

Microsoft Azure Audit

l What is Discovered and Monitored
l Configuration
l Sample Events for Microsoft Azure Audit

What is Discovered and Monitored

Protocol: Azure CLI
Information Discovered: None
Information Collected: Audit Logs
Used For: Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "Microsoft Azure Audit" in the Search column to see the event types
associated with this device.

Configuration

You must define a user account in Azure for use by FortiSIEM to pull Audit logs. Use any of the following roles:
l Owner
l Reader
l Monitoring Reader
l Monitoring Contributor
l Contributor
FortiSIEM recommends using the 'Monitoring Reader' role, which is the least-privileged role that can do the job.

Create Microsoft Azure Audit Credential in FortiSIEM

1. Log in to the FortiSIEM Supervisor node.
2. Go to ADMIN > Setup > Credentials.
3. In Step 1, click Add to create a new credential.
4. For Device Type, select Microsoft Azure Audit.
5. For Access Protocol, select Azure CLI.
6. For Password Configuration, select Manual or CyberArk.
a. For Manual credential method, enter the username and credentials for an Azure account.
FortiSIEM recommends using 'Monitoring Reader' role for this account.
b. For CyberArk, see Password Configuration.
7. Click Save.

Test Connectivity in FortiSIEM

1. Log in to the FortiSIEM Supervisor node.
2. Go to ADMIN > Setup > Credentials.
3. In Step 2, click Add to create a new association.
4. For Name/IP/IP Range, enter any IP Address.
5. For Credentials, enter the name of the credential created in the "Microsoft Azure Audit Credential" step.
6. Click Save.
7. Select the entry just created and click Test Connectivity without Ping.
A pop-up appears with the Test Connectivity results.
8. Go to ADMIN > Setup > Pull Events and make sure an entry is created for Microsoft Audit Log Collection.

Sample Events for Microsoft Azure Audit

2016-02-26 15:19:10 FortiSIEM-Azure,[action]=Microsoft.ClassicCompute/virtualmachines/shutdown/action,[caller][email protected],[level]=Error,[resourceId]=/subscriptions/3ed4ee1c-1a83-4e02-a928-7ff5e0008e8a/resourcegroups/china/providers/Microsoft.ClassicCompute/virtualmachines/china,[resourceGroupName]=china,[eventTimestamp]=2016-02-14T06:12:18.5539709Z,[status]=Failed,[subStatus]=Conflict,[resourceType]=Microsoft.ClassicCompute/virtualmachines,[category]=Administrative

Microsoft Office 365 Audit

l What is Discovered and Monitored
l Event Types
l Reports
l Configuration in Office 365 Audit
l Configuration in FortiSIEM
l Sample Events for Audit

What is Discovered and Monitored

Office 365 Activity Type: Operations

File and folder activities: FileAccessed, FileCheckedIn, FileCheckedOut, FileCopied, FileDeleted, FileCheckOutDiscarded, FileDownloaded, FileModified, FileMoved, FileRenamed, FileRestored, FileUploaded

Sharing and access request activities: AccessRequestAccepted, SharingInvitationAccepted, CompanyLinkCreated, AccessRequestCreated, AnonymousLinkCreated, SharingInvitationCreated, AccessRequestDenied, CompanyLinkRemoved, AnonymousLinkRemoved, SharingSet, AnonymousLinkUpdated, AnonymousLinkUsed, SharingRevoked, CompanyLinkUsed, SharingInvitationRevoked

Synchronization activities: ManagedSyncClientAllowed, UnmanagedSyncClientBlocked, FileSyncDownloadedFull, FileSyncDownloadedPartial, FileSyncUploadedFull, FileSyncUploadedPartial

Site administration activities: ExemptUserAgentSet, SiteCollectionAdminAdded, AddedToGroup, AllowGroupCreationSet, CustomizeExemptUsers, SharingPolicyChanged, GroupAdded, SendToConnectionAdded, SiteCollectionCreated, GroupRemoved, SendToConnectionRemoved, PreviewModeEnabledSet, LegacyWorkflowEnabledSet, OfficeOnDemandSet, NewsFeedEnabledSet, PeopleResultsScopeSet, SitePermissionsModified, RemovedFromGroup, SiteRenamed, SiteAdminChangeRequest, HostSiteSet, GroupUpdated

Exchange mailbox activities: Copy, Create, SoftDelete, Move, MoveToDeletedItems, HardDelete, SendAs, SendOnBehalf, Update, MailboxLogin

Sway activities: SwayChangeShareLevel, SwayCreate, SwayDelete, SwayDisableDuplication, SwayDuplicate, SwayEdit, EnableDuplication, SwayRevokeShare, SwayShare, SwayExternalSharingOff, SwayExternalSharingOn, SwayServiceOff, SwayServiceOn, SwayView

User administration activities: Add user, Change user license, Change user password, Delete user, Reset user password, Set force change user password, Set license properties, Update user

Group administration activities: Add group, Add member to group, Delete group, Remove member from group, Update group

Application administration activities: Add delegation entry, Add service principal, Add service principal credentials, Remove delegation entry, Remove service principal, Remove service principal credentials, Set delegation entry

Role administration activities: Add role member to role, Remove role member from role, Set company contact information

Directory administration activities: Add domain to company, Add partner to company, Remove domain from company, Remove partner from company, Set company information, Set domain authentication, Set federation settings on domain, Set password policy, Set DirSyncEnabled flag on company, Update domain, Verify domain, Verify email verified domain

Event Types

In ADMIN > Device Support > Event Types, search for "MS_Office365" in the Search field to see the event types
associated with Office 365.

Reports

There are many reports defined in RESOURCES > Reports > Device > Application > Document Mgmt. Search
for "Office365" in the main content panel Search... field.

Configuration in Office 365 Audit

l Enable Office 365 Audit Log Search
l Create the Office 365 API Credential

Enable Office 365 Audit Log Search

To be able to search audit logs, you must first enable Office 365 audit log search. For instructions on how to enable
audit log search, see https://docs.microsoft.com/en-us/office365/securitycompliance/turn-audit-log-search-on-or-off.
To use the Office 365 Management Activity API to access auditing data for your organization, you must enable audit log
search in the Security & Compliance Center.
If you do not enable audit log search, you cannot access auditing data for your organization.
Before you can enable or disable audit log search for your Microsoft 365 organization, you must be assigned the Audit
Logs role in the Exchange admin center.
Follow these steps to assign the Audit Logs role and enable audit log search for your organization.

1. Log in to Microsoft Office Online: https://login.microsoftonline.com.
2. Click Admin > Security & compliance.
3. Click Exchange admin center.
If you receive an alert here, you must enable Office 365 Exchange Online before proceeding. In this case, go to Step 4. Otherwise, go to Step 6.

4. Click Admin > Purchase services.

5. Select one of Microsoft 365 services. In this example, Microsoft 365 Business Premium Trial is selected.

6. Click Admin > Security & compliance > Exchange admin center.

7. Click Exchange admin center > permissions > admin roles > New to create a new role.

8. Select Audit Logs Roles and add the members you want to add to the group. Click Save.

9. The Audit Log role will display in the Exchange admin center > permissions > admin roles table.

10. Go back to the Microsoft 365 Admin center.
11. Click Security & compliance > Report dashboard.
When you first go into this page, it will ask you to enable Audit log. After you enable it, the page will display the
Search button.

Create the Office 365 API Credential

Follow these steps to create the Office 365 API credential.
1. Log in to https://portal.azure.com.
2. Click All Services.
3. Click Azure Active Directory.
4. Click App Registrations (on the right panel).
5. Click New registration and enter the following information:
Name: FSM
Supported Account Types: Select Accounts in any organizational directory (Any Azure AD directory – Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox).
Redirect URI: https://your.internal.fsm.ip
6. Click Register.
Copy the Application (client) ID to a text editor; you will need it when entering Office 365 Credentials in FortiSIEM.
Copy the Directory (tenant) ID to a text editor; you will need it when entering Office 365 Credentials in FortiSIEM.
7. Click Certificates & secrets (on the right panel).
8. New client secret:
Description: FSM
Expires in: 2 years
Copy the value (for example: AC83J.6_nobD:G1Q=DJe/hFiB3BP4+a) to a text editor. You will need this value
when entering Office 365 Credentials in FortiSIEM.
9. Go to API permissions (left panel).
10. Click Add a permission.
11. Select Office 365 Management APIs.
12. Click Application permissions and expand all.
13. Select all permissions with "Read" access (we don't want to write). Click Add permissions.
You will see a warning: "Permissions have changed." Users and/or admins will have to consent even if they have
already done so previously.

We'll need to approve all these permission grants.
14. Click Grant admin consent and select Yes when you see the Do you want to grant consent for the requested permissions for all accounts in your_organization? alert. This updates any existing admin consent records this application already has to match what is listed below.

Sample API Permission

Configuration in FortiSIEM

Configuration is done in two parts. Follow the steps in these two sections to configure your FortiSIEM.
l Define Office 365 Management Credential in FortiSIEM
l Create IP Range to Credential Association and Test Connectivity

Define Office 365 Management Credential in FortiSIEM

Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
a. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
b. Enter these settings in the Access Method Definition dialog box and click Save:

Setting: Description

Name: Enter a name for the credential.
Device Type: Microsoft Office365
Access Protocol: Office 365 Mgmt Activity API
Tenant ID: Use the ID from the Azure login URL. See Step 5 in Create the Office 365 API Credential.
Password config: If you select Manual, take the following steps:
1. For Client ID, use the value obtained in Step 5 in Create the Office 365 API Credential.
2. For Client Secret, use the value obtained in Step 7 in Create the Office 365 API Credential.
For the CyberArk credential method, see CyberArk Password Configuration.
Organization: The organization the device belongs to.
Description: Description of the device.

Create IP Range to Credential Association and Test Connectivity

From the FortiSIEM Supervisor node, take the following steps.
1. In Step 2: Enter IP Range to Credential Associations, click New to create a new association.
a. Enter "manage.office.com" in the IP/Host Name field.
b. Select the name of the credential created in the Define Office 365 Management Credential from the
Credentials drop-down list.
c. Click Save.
2. Select the entry just created, click the Test drop-down list, and select Test Connectivity without Ping. A pop-up appears and shows the Test Connectivity results.
3. Go to ADMIN > Setup > Pull Events and make sure an entry is created for Office 365 Log Collection.

Sample Events for Audit

[OFFICE365_EVENT_DATA] = {"Actor":[{"ID":"[email protected]","Type":5},{"ID":"10030000873CEE9F","Type":3},{"ID":"18ed3507-a475-4ccb-b669-d66bc9f2a36e","Type":2},{"ID":"User_68d76168-813d-4b9f-88cd-37b66a5b3841","Type":2},{"ID":"68d76168-813d-4b9f-88cd-37b66a5b3841","Type":2},{"ID":"User","Type":2}],
"ActorContextId":"653e32e8-fb2d-41aa-8841-90f05b340318","ActorIpAddress":"<null>","AzureActiveDirectoryEventType":1,"ClientIP":"<null>","CreationTime":"2019-07-23T13:16:05UTC",
"ExtendedProperties":[{"Name":"actorContextId","Value":"653e32e8-fb2d-41aa-8841-90f05b340318"},{"Name":"actorObjectId","Value":"68d76168-813d-4b9f-88cd-37b66a5b3841"},{"Name":"actorObjectClass","Value":"User"},{"Name":"actorUPN","Value":"[email protected]"},{"Name":"actorAppID","Value":"18ed3507-a475-4ccb-b669-d66bc9f2a36e"},{"Name":"actorPUID","Value":"10030000873CEE9F"},{"Name":"teamName","Value":"MSODS."},{"Name":"targetContextId","Value":"653e32e8-fb2d-41aa-8841-90f05b340318"},{"Name":"targetObjectId","Value":"02232019-4557-45d6-9630-f78694bc8341"},{"Name":"extendedAuditEventCategory","Value":"Application"},{"Name":"targetName","Value":"FSM"},{"Name":"targetIncludedUpdatedProperties","Value":"[\"AppAddress\",\"AppId\",\"AvailableToOtherTenants\",\"DisplayName\",\"RequiredResourceAccess\"]"},{"Name":"correlationId","Value":"a854ecc6-31d6-4fea-8d56-aeed05aa1174"},{"Name":"version","Value":"2"},{"Name":"additionalDetails","Value":"{}"},{"Name":"resultType","Value":"Success"},{"Name":"auditEventCategory","Value":"ApplicationManagement"},{"Name":"nCloud","Value":"<null>"},{"Name":"env_ver","Value":"2.1"},{"Name":"env_name","Value":"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"},{"Name":"env_time","Value":"2019-07-23T13:16:05.0208099Z"},{"Name":"env_epoch","Value":"64BOV"},{"Name":"env_seqNum","Value":"25454285"},{"Name":"env_popSample","Value":"0"},{"Name":"env_iKey","Value":"ikey"},{"Name":"env_flags","Value":"257"},{"Name":"env_cv","Value":"##17a913a8-943a-42f3-b8ad-2ea3bc4bf927_00000000-0000-0000-0000-000000000000_17a913a8-943a-42f3-b8ad-2ea3bc4bf927"},{"Name":"env_os","Value":"<null>"},{"Name":"env_osVer","Value":"<null>"},{"Name":"env_appId","Value":"restdirectoryservice"},{"Name":"env_appVer","Value":"1.0.11219.0"},{"Name":"env_cloud_ver","Value":"1.0"},{"Name":"env_cloud_name","Value":"MSO-AM5R"},{"Name":"env_cloud_role","Value":"restdirectoryservice"},{"Name":"env_cloud_roleVer","Value":"1.0.11219.0"},{"Name":"env_cloud_roleInstance","Value":"AM5RRDSR582"},{"Name":"env_cloud_environment","Value":"PROD"},{"Name":"env_cloud_deploymentUnit","Value":"R5"}],
"Id":"fc12de96-0cbc-4618-9c8f-cc8ab7891e3b",
"ModifiedProperties":[{"Name":"AppAddress","NewValue":"[\r\n {\r\n \"AddressType\": 0,\r\n \"Address\": \"https://10.222.248.17\",\r\n \"ReplyAddressClientType\": 1\r\n }\r\n]","OldValue":"[]"},{"Name":"AppId","NewValue":"[\r\n \"0388f2da-dbcc-4506-ba57-a85c578297c0\"\r\n]","OldValue":"[]"},{"Name":"AvailableToOtherTenants","NewValue":"[\r\n false\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n \"FSM\"\r\n]","OldValue":"[]"},{"Name":"RequiredResourceAccess","NewValue":"[\r\n {\r\n \"ResourceAppId\": \"00000003-0000-0000-c000-000000000000\",\r\n \"RequiredAppPermissions\": [\r\n {\r\n \"EntitlementId\": \"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\r\n \"DirectAccessGrant\": false,\r\n \"ImpersonationAccessGrants\": [\r\n 20\r\n ]\r\n }\r\n ],\r\n \"EncodingVersion\": 1\r\n }\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AppAddress, AppId, AvailableToOtherTenants, DisplayName, RequiredResourceAccess","OldValue":""}],
"ObjectId":"Not Available","Operation":"Add application.","OrganizationId":"653e32e8-fb2d-41aa-8841-90f05b340318","RecordType":8,"ResultStatus":"Success","SupportTicketId":"",
"Target":[{"ID":"Application_02232019-4557-45d6-9630-f78694bc8341","Type":2},{"ID":"02232019-4557-45d6-9630-f78694bc8341","Type":2},{"ID":"Application","Type":2},{"ID":"FSM","Type":1}],
"TargetContextId":"653e32e8-fb2d-41aa-8841-90f05b340318","TenantId":"653e32e8-fb2d-41aa-8841-90f05b340318","UserId":"[email protected]","UserKey":"10030000873CEE[email protected]","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","phCustId":1}
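The Python script below is an added example, not part of this guide and not FortiSIEM's own code. It shows how to take an Office 365 Management Activity API record in the shape of the sample above (FortiSIEM's "[OFFICE365_EVENT_DATA] = " prefix followed by the JSON record), decode the JSON-in-a-string values that ModifiedProperties carry, and reduce the record to the fields an analyst reviews first: who did what to which target, and which properties changed. The record it embeds is constructed; every GUID, tenant, address and account name is made up, and the list of operations it treats as application administration comes from the activity table above plus the "Add application" operation in the sample.

```python
import json

# A constructed Office 365 Management Activity API record in the shape of the sample
# above (an "Add application." record from the AzureActiveDirectory workload). Every
# GUID, tenant, address and name here is made up; the nested NewValue strings are
# JSON-in-a-string, as the API delivers them.
_TENANT = "11111111-2222-3333-4444-555555555555"
_APP_OBJECT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
_RECORD = {
    "Actor": [{"ID": "admin@example.onmicrosoft.com", "Type": 5},
              {"ID": "1003000000000000", "Type": 3},
              {"ID": "User", "Type": 2}],
    "ActorContextId": _TENANT, "ActorIpAddress": "<null>", "ClientIP": "<null>",
    "CreationTime": "2019-07-23T13:16:05UTC",
    "ExtendedProperties": [{"Name": "targetName", "Value": "FSM"},
                           {"Name": "resultType", "Value": "Success"},
                           {"Name": "auditEventCategory", "Value": "ApplicationManagement"}],
    "Id": "ffffffff-0000-1111-2222-333333333333",
    "ModifiedProperties": [
        {"Name": "AppAddress", "OldValue": "[]",
         "NewValue": json.dumps([{"AddressType": 0, "Address": "https://fsm.example.internal",
                                  "ReplyAddressClientType": 1}], indent=1)},
        {"Name": "DisplayName", "OldValue": "[]", "NewValue": json.dumps(["FSM"], indent=1)},
        {"Name": "RequiredResourceAccess", "OldValue": "[]",
         "NewValue": json.dumps([{"ResourceAppId": "00000003-0000-0000-c000-000000000000",
                                  "RequiredAppPermissions": [{"EntitlementId": "placeholder-entitlement-id",
                                                              "DirectAccessGrant": False}]}], indent=1)},
        {"Name": "Included Updated Properties", "OldValue": "",
         "NewValue": "AppAddress, DisplayName, RequiredResourceAccess"},
    ],
    "ObjectId": "Not Available", "Operation": "Add application.", "OrganizationId": _TENANT,
    "RecordType": 8, "ResultStatus": "Success",
    "Target": [{"ID": "Application_" + _APP_OBJECT, "Type": 2}, {"ID": "FSM", "Type": 1}],
    "TenantId": _TENANT, "UserId": "admin@example.onmicrosoft.com", "UserType": 0,
    "Version": 1, "Workload": "AzureActiveDirectory",
}
# FortiSIEM prefixes the raw record as shown in the sample above.
SAMPLE_LINE = "[OFFICE365_EVENT_DATA] = " + json.dumps(_RECORD)

# Operations listed under "Application administration activities" in the table above,
# plus the "Add application" operation carried by the sample record.
APP_ADMIN_OPERATIONS = {
    "Add application", "Add delegation entry", "Add service principal",
    "Add service principal credentials", "Remove delegation entry",
    "Remove service principal", "Remove service principal credentials", "Set delegation entry",
}


def parse_office365_line(line):
    """Drop the '[OFFICE365_EVENT_DATA] = ' prefix and decode the JSON record that follows."""
    start = line.find("{")
    if start < 0:
        raise ValueError("no JSON object in line")
    return json.loads(line[start:])


def _decode_nested(value):
    """ModifiedProperties values are usually JSON text inside a string; decode when they are."""
    try:
        return json.loads(value)
    except (ValueError, TypeError):
        return value  # plain text such as "AppAddress, DisplayName, ..." or an empty string


def summarize(record):
    """Reduce a record to the fields an analyst reviews first."""
    actor_upn = next((a["ID"] for a in record.get("Actor", []) if a.get("Type") == 5), None)
    extended = {p["Name"]: p["Value"] for p in record.get("ExtendedProperties", [])}
    changes = {
        p["Name"]: (_decode_nested(p.get("OldValue", "")), _decode_nested(p.get("NewValue", "")))
        for p in record.get("ModifiedProperties", [])
    }
    return {
        "time": record.get("CreationTime"),
        "operation": record.get("Operation"),
        "workload": record.get("Workload"),
        "record_type": record.get("RecordType"),
        "result": record.get("ResultStatus"),
        "actor": actor_upn or record.get("UserId"),
        "target": extended.get("targetName"),
        "changes": changes,
    }


def is_app_admin_change(summary):
    """True for AzureActiveDirectory records whose operation is an application administration activity."""
    operation = (summary.get("operation") or "").rstrip(".")
    return summary.get("workload") == "AzureActiveDirectory" and operation in APP_ADMIN_OPERATIONS


def redirect_uris(summary):
    """Redirect URIs added to an application, read from the decoded AppAddress change."""
    _old, new = summary["changes"].get("AppAddress", ("", ""))
    return [entry["Address"] for entry in new] if isinstance(new, list) else []


if __name__ == "__main__":
    summary = summarize(parse_office365_line(SAMPLE_LINE))
    print(summary["operation"], summary["actor"], summary["target"], redirect_uris(summary))
```

Because the Operation strings in records carry a trailing period ("Add application.") while the activity table lists them without one, the comparison strips the period before matching.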

Microsoft Cloud App Security

l Integration points
l Configuring a SIEM Agent
l Connecting Office 365 to Cloud App Security
l Event Types
l Sample Events

Integration points

Protocol: SIEM Agent
Information Discovered: Logon, User creation/deletion and other Audit activity for Azure Applications including Office 365, SharePoint, OneDrive, Teams, PowerBI, Exchange
Used For: Security and Compliance

Configuring a SIEM Agent

FortiSIEM integrates with Microsoft Cloud App Security to collect alerts and activities from the apps connected to Microsoft Cloud App Security. As new activities and events are supported by connected apps, they become available to FortiSIEM via the Microsoft Cloud App Security integration.
The integration is done via the Microsoft Cloud App Security SIEM agent. It can run on any server (including a FortiSIEM node). It pulls alerts and activities from Microsoft Cloud App Security and then streams them to FortiSIEM.
For details, see here.
FortiSIEM integration is accomplished in four steps:
1. Set up a SIEM Agent in the Microsoft Cloud App Security portal.
2. Download the SIEM agent (JAR file) and run it on a server. The agent connects to the portal, collects logs and forwards them to FortiSIEM. The server can be a FortiSIEM node such as a Collector.
3. Validate that the SIEM agent is working correctly.
4. Configure an application to connect to the Microsoft Cloud App Security portal, and see those events in FortiSIEM.

Step 1: Set up a SIEM agent in the Microsoft Cloud App Security portal

1. In the Cloud App Security portal, under the Settings cog, click Security extensions and then click on the SIEM
agents tab.
2. Click the plus icon to start the Add SIEM agent wizard.
3. In the wizard:
a. Click Start Wizard.
b. Fill in a name.
c. Select your SIEM format as 'Generic CEF'.

d. In Advanced settings:
i. Set Time Format to 'RFC 5424'.
ii. Check Include PRI.
iii. Check Include system name.
e. Click Next.
f. Type in the IP address or hostname of the FortiSIEM node receiving the events and port 514. Select TCP or UDP as the SIEM protocol. In most common situations, you would choose a FortiSIEM Collector. Click Next.
g. Select which data types, Alerts and Activities you want to export to your FortiSIEM. We recommend
choosing All Alerts and All Activities. You can use the Apply to drop-down to set filters to send only
specific alerts and activities. You can click Edit and preview results to check that the filter works as
expected. Click Next.
h. The wizard will say that SIEM agent configuration is finished. Copy the token and save it for later.
i. After you click Finish and leave the Wizard, back in the SIEM page, you can see the SIEM agent you added in
the table. It will show that it's Created until it’s connected later.

Step 2: Download the SIEM agent (JAR file) and run it on a server

1. In the Microsoft Download Center, after accepting the software license terms, download the .zip file and unzip it.
2. Run the following command:
java -jar mcas-siemagent-0.87.20-signed.jar --logsDirectory <DIRNAME> --token <TOKEN> &
where:
l DIRNAME (optional) is the path to the directory where the agent writes its debug log.
l TOKEN is the SIEM agent token you copied in Step 1, sub-step 3.h.

Step 3: Validate that the SIEM agent is working correctly

Make sure the status of the SIEM agent in the Cloud App Security portal is 'Connected'.
If the connection is down for more than two hours, then the status may show 'Connection error'. The status will be
'Disconnected' if down for more than 12 hours.

Step 4: Configure an application to connect to the Microsoft Cloud App Security portal

Cloud App Security currently supports the following Office 365 apps:
l Office 365
l Dynamics 365 CRM
l Exchange (only appears after activities from Exchange are detected in the portal and requires you to turn on
auditing)
l OneDrive
l PowerBI (only appears after activities from PowerBI are detected in the portal, and requires you to turn on auditing)
l SharePoint
l Teams (only appears after activities from Teams are detected in the portal)
See the Microsoft documentation to set up these applications.

Connecting Office 365 to Cloud App Security

Use the app connector API to connect Microsoft Cloud App Security to your existing Microsoft Office 365 account. The
Microsoft Cloud App Security connection gives you visibility into and control over Office 365 use.
For information on how Cloud App Security helps protect your Office 365 environment, see here.
For information on the prerequisites and steps to connect Microsoft Cloud App Security to your existing Microsoft Office
365 account, see How to connect Office 365 to Cloud App Security.

Event Types

Search for 'MS-Azure-CloudAppSec' in Admin > Device Support > Event Types.

Sample Events

<109>2018-05-22T04:17:28.340Z SP204 CEF:0|MCAS|SIEM_Agent|0.123.162|EVENT_CATEGORY_LOGIN|Log on|0|externalId=70e988af3b82e19b872d12a91860d300d968f47e0bb245a0e765d9dbfbdb02ce rt=1526962648340 start=1526962648340 end=1526962648340 msg=Log on [email protected] destinationServiceName=Microsoft Azure dvc=43.254.220.13 requestClientApplication=;Windows 10;Edge 17.17134; cs1Label=portalURL cs1=https://shashiaccelops.us2.portal.cloudappsecurity.com/#/audits?activity.id\=eq(70e988af3b82e19b872d12a91860d300d968f47e0bb245a0e765d9dbfbdb02ce,) cs2Label=uniqueServiceAppIds cs2=APPID_AZURE cs3Label=targetObjects cs3=Azure Portal,yanlong,yanlong cs4Label=policyIDs cs4= c6a1Label="Device IPv6 Address" c6a1=

Microsoft Azure Advanced Threat Protection (ATP)

l Integration points
l Configuration
l Event Types

Integration Points

Protocol: Syslog (CEF)
Information Discovered: Suspicious alerts occurring on Windows machines in Azure
Used For: Security and Compliance

Configuration

FortiSIEM receives alerts via CEF formatted syslog. See here for details.

Event Types

Search for 'MS-AzureATP' in Admin > Device Support > Event Types.

Sample Event

02-21-2018 16:20:21 Auth.Warning 192.168.0.220 1 2018-02-21T14:20:06.156238+00:00 CENTER CEF 6076 LdapBruteForceSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|LdapBruteForceSecurityAlert|Brute force attack using LDAP simple bind|5|start=2018-02-21T14:19:41.7422810Z app=Ldap suser=Wofford Thurston shost=CLIENT1 msg=A brute force attack using the Ldap protocol was attempted on Wofford Thurston (Software Engineer) from CLIENT1 (100 guess attempts). cnt=100 externalId=2004 cs1Label=url cs1=https://contoso-corp.atp.azure.com/securityAlert/57b8ac96-7907-4971-9b27-ec77ad8c029a
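Both the Cloud App Security SIEM agent (Sample Events above) and Azure ATP deliver CEF over syslog, and the two samples show the two header shapes a receiver meets: "CEF:0|..." after an RFC 5424 prefix, and a bare "0|..." where the relay placed "CEF" in the syslog APP-NAME field. The Python script below is an added example, not part of this guide and not FortiSIEM's parser: it splits the seven pipe-delimited header fields (honouring the "\|" escape), then walks the extension, where values may contain spaces and "\=" escapes, so each value runs up to the next key= token. The two records it embeds are constructed to match the samples; hosts, users, identifiers and URLs are made up.

```python
import re

# Constructed CEF records modelled on the two samples above: a Cloud App Security SIEM
# agent "Log on" activity (RFC 5424 header, PRI included, as the wizard settings produce)
# and an Azure ATP alert. Hosts, users, IDs and URLs are made up.
SAMPLE_MCAS = (
    "<109>2018-05-22T04:17:28.340Z SP204 CEF:0|MCAS|SIEM_Agent|0.123.162|EVENT_CATEGORY_LOGIN|"
    "Log on|0|externalId=0123456789abcdef rt=1526962648340 start=1526962648340 "
    "end=1526962648340 msg=Log on alice@example.com destinationServiceName=Microsoft Azure "
    "dvc=198.51.100.20 requestClientApplication=;Windows 10;Edge 17.17134; cs1Label=portalURL "
    "cs1=https://tenant.portal.cloudappsecurity.com/#/audits?activity.id\\=eq(0000,) "
    "cs2Label=uniqueServiceAppIds cs2=APPID_AZURE cs3Label=targetObjects "
    "cs3=Azure Portal,alice,alice cs4Label=policyIDs cs4= c6a1Label=\"Device IPv6 Address\" c6a1="
)
SAMPLE_ATP = (
    "02-21-2018 16:20:21 Auth.Warning 192.0.2.20 1 2018-02-21T14:20:06.156238+00:00 CENTER CEF 6076 "
    "LdapBruteForceSecurityAlert 0|Microsoft|Azure ATP|2.22.4228.22540|LdapBruteForceSecurityAlert|"
    "Brute force attack using LDAP simple bind|5|start=2018-02-21T14:19:41.7422810Z app=Ldap "
    "suser=Jane Analyst shost=CLIENT1 msg=A brute force attack using the Ldap protocol was attempted "
    "on Jane Analyst (Software Engineer) from CLIENT1 (100 guess attempts). cnt=100 externalId=2004 "
    "cs1Label=url cs1=https://tenant.atp.azure.com/securityAlert/00000000-0000-0000-0000-000000000000"
)

_HEADER_NAMES = ("vendor", "product", "product_version", "signature_id", "name", "severity")
# An extension key starts the string or follows whitespace and ends at an unescaped "=".
_EXT_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def _find_cef_start(line):
    """Return (version, text after the version's pipe). Accepts both 'CEF:0|' and a bare
    '0|' as in the Azure ATP sample, where the relay put CEF in the syslog APP-NAME field."""
    match = re.search(r"CEF:(\d+)\|", line) or re.search(r"(?:^|\s)(\d+)\|", line)
    if match is None:
        raise ValueError("no CEF header found")
    return int(match.group(1)), line[match.end():]


def _split_header(rest):
    """Split the six remaining pipe-delimited header fields, honouring backslash escapes."""
    fields, current, i = [], [], 0
    while i < len(rest) and len(fields) < 6:
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):
            current.append(rest[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) < 6:
        raise ValueError("CEF header is missing fields")
    return fields, rest[i:]


def _unescape(value):
    r"""Extension escapes: '\=' -> '=', '\\' -> '\', '\n' and '\r' -> the control characters."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """Values may contain spaces, so each value runs up to the next 'key=' token."""
    keys = list(_EXT_KEY_RE.finditer(ext))
    out = {}
    for idx, match in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[match.group(1)] = _unescape(ext[match.end():end].strip())
    return out


def parse_cef(line):
    """Parse one CEF record (with any syslog prefix) into header fields plus an extension dict."""
    version, rest = _find_cef_start(line)
    fields, ext = _split_header(rest)
    parsed = dict(zip(_HEADER_NAMES, fields))
    parsed["version"] = version
    parsed["severity"] = int(parsed["severity"]) if parsed["severity"].isdigit() else parsed["severity"]
    parsed["extension"] = _parse_extension(ext)
    return parsed


if __name__ == "__main__":
    for line in (SAMPLE_MCAS, SAMPLE_ATP):
        record = parse_cef(line)
        print(record["vendor"], record["product"], record["name"], record["severity"], record["extension"])
```

The empty cs4 and c6a1 values in the Cloud App Security record come through as empty strings rather than swallowing the following key, and the "activity.id\=eq(...)" fragment inside the portal URL is restored to a literal "=" only after the key boundaries have been found.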

Microsoft Azure Compute

The purpose of this integration is to discover Virtual Machines running in Azure. It does not collect events or
performance statistics.

Configuration

l Setup in Azure
l Setup in FortiSIEM

Setup in Azure

1. Log in to the Azure Portal.
2. Create an Azure Active Directory application:
l Sign in to your Azure Account through the Azure portal.
l Select Azure Active Directory.
l Select App registrations.
l Select New registration.
3. Assign the application to a role:
   • Select Subscriptions on the Home page.
   • Select the subscription to assign your application to. This example uses Pay-As-You-Go; click it to open it.
   • Copy the Subscription ID; it is needed when defining the credential in FortiSIEM.
   • Select Access control (IAM).
   • Select Add role assignment.

   • Select Owner as the role to assign, select the app that you created, and then click Save.

4. Get the values for the FortiSIEM credential:
   • Select Azure Active Directory.
   • From App registrations in Azure AD, select your application.
   • Copy the Application (client) ID and Directory (tenant) ID; they are needed when defining the credential in FortiSIEM.

   • Select Certificates & secrets to generate a secret key.

5. Test
   • Command:

     /opt/phoenix/bin/getAzureResourceVM.py {subscriptionId} {tenantId} {clientId} {client secret}

   • Example:

     /opt/phoenix/bin/getAzureResourceVM.py 7327432-1a83-4e02-a928-9032489032898a 05c94b87-da0c-4e11-be1d-789234789432 068863e4-c2fa-48df-8f33-79823478932 jh23hjkb324ugih32hujdsdsvqeP]]'

Setup in FortiSIEM

Follow these steps in the FortiSIEM UI:

1. Create a new credential. Make sure to select Azure Resource SDK as the Access Protocol.

2. Define a credential.

3. Create a Discovery Definition.

4. The CMDB should then be populated.

Microsoft Azure Event Hub

FortiSIEM uses the Azure Python SDK to pull logs from an Azure Event Hub for security analysis.
Azure Log Integration simplifies the task of integrating Azure logs with an on-premises SIEM. The
recommended method for integrating Azure logs is to stream them into event hubs via Azure Monitor; FortiSIEM
provides a connector that reads the logs from the event hub into the SIEM.

Azure produces extensive logging for each Azure service. The logs fall into these types:
• Control/management logs: Provide visibility into the Azure Resource Manager CREATE, UPDATE, and DELETE
  operations. An Azure activity log is an example of this type of log.
• Data plane logs: Provide visibility into events that are raised when you use an Azure resource. An example of this
  type of log is the Windows Event Viewer's System, Security, and Application channels in a Windows virtual
  machine. Another example is Azure Diagnostics logging, which you configure through Azure Monitor.
• Processed events: Provide analyzed event and alert information that is processed for you. An example of this
  type of event is Azure Security Center alerts. Azure Security Center processes and analyzes your subscription to
  provide alerts that are relevant to your current security posture.

For more information on how to stream any type of log to an event hub, see:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/stream-monitoring-data-event-hubs

• What is Discovered and Monitored
• Event Types
• Reports
• Rules
• Configuration in Azure
• Configuration in FortiSIEM
• Sample Events

What is Discovered and Monitored

Protocol | Information Discovered | Information Collected | Used For
Azure Python SDK | None | Audit Logs | Security Monitoring

Event Types

No defined event types.

Reports

No defined reports.

Rules

No defined rules.

Configuration in Azure

Create an Event Hub Namespace and Event Hub

Complete these steps in the Azure Portal:

Step 1: Create a Resource Group in Azure

A resource group is a logical collection of Azure resources. All resources are deployed and managed in a resource group.
To create a resource group:
1. Log in to the Azure portal: https://portal.azure.com/ .
2. Click Resource groups in the left navigation pane.
3. Click Add.
4. For Subscription, select the name of the Azure subscription in which you want to create the resource group.
5. Enter a unique name for the resource group. The system immediately checks whether the name is available in the
   currently selected Azure subscription.
6. Select a Region for the resource group.
7. Click Review + Create.
8. Click Create on the Review + Create page.
Note: In the example used in Step 2, a Resource Group called fsm1 was created.

Step 2: Create an Event Hub Namespace

An Event Hub namespace provides a unique scoping container, referenced by its fully-qualified domain name, in which
you create one or more event hubs. To create a namespace in your resource group using the portal, complete the
following steps:
1. In the Azure portal, click Create a resource at the top left of the screen.

2. In the “Search the Marketplace” text box, enter Event Hubs, or select All services in the left menu and select the
   star (*) next to Event Hubs; then click the Create button in the ANALYTICS category.

3. On the Create namespace page, complete the following steps:
   a. Enter a name for the namespace. The system immediately checks to see if the name is available.
   b. Choose the pricing tier (Basic or Standard).
   c. Select the subscription in which you want to create the namespace.
   d. Select a location for the namespace.
   e. Click Create. You may have to wait a few minutes for the system to fully provision the resources.

4. Refresh the Event Hubs page to see the event hub namespace. You can check the status of the event hub
   creation in the alerts.
5. Select the namespace. You see the home page for your Event Hubs Namespace in the portal.

Step 3: Create an Event Hub

To create an event hub within the namespace, follow these steps:

1. In the Event Hubs Namespace page, click Event Hubs in the left menu.

2. At the top of the window, click + Event Hub.
3. Enter a name for your event hub, then click Create.

4. You can check the status of the event hub creation in alerts. After the event hub is created, you see it in the list of
event hubs.

Step 4: Configure an Event Hub Namespace

1. Select an event hub namespace, go to Shared access policies, and then click +Add. Enter the Policy
   name, check the Manage box, and then click Create.

2. Select one of the Shared Access policies just created.

3. The Azure Python SDK needs the SAS Policy name (defined in step 4.1) and the Primary key when creating the
   credential in FortiSIEM. Copy the primary key and policy name to a text editor for later use.

Note: When the event hub namespace is created, Azure also creates a default Shared Access Policy named
RootManageSharedAccessKey.

4. Select an event hub namespace and go to Event Hubs.
5. Select an event hub and go to Consumer group. You can click +Consumer group or use the default group name
   $default.
Note: If you selected the Basic tier (1 Consumer Group), there is no option to add another Consumer group.

Configuration in FortiSIEM

Complete these steps in the FortiSIEM UI:

1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box:

Setting | Description
Name | Enter a name for the credential.
Device Type | Microsoft Azure Event Hub
Access Protocol | AZURE PYTHON SDK
Pull Interval | The interval at which FortiSIEM pulls events from the Azure Event Hub. The default is 5 minutes.
Event Hub Namespace | The name of the Azure event hub namespace.
Event Hub Name | The name of the Azure event hub.
SAS Policy Name | The Shared Access (SAS) policy name copied in Step 4 of the Azure configuration.
Primary Key | The primary key of that SAS policy.
Consumer Group | The name of the consumer group.
Description | Description of the device.

Based on the example screenshots, this is the configuration in FortiSIEM:

3. In Step 2, Enter IP Range to Credential Associations:
   a. Select the name of your Azure event hub credential from the Credentials drop-down list.
   b. Enter a host name, an IP, or an IP range in the IP/Host Name field. For this integration, enter azure.com.

   c. Click Save.

4. Click Test to test the connection to the Azure event hub.
5. To see the jobs associated with Azure, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter Azure in the search box.
Note: Azure services must be configured to write to the Event Hub before there are any events to collect.

Sample Events

{"records": [
  {"count": 0, "total": 0, "minimum": 0, "maximum": 0, "average": 0,
   "resourceId": "/SUBSCRIPTIONS/3ED4EE1C-1A83-4E02-A928-7FF5E0008E8A/RESOURCEGROUPS/ANDY_TEST/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/FORTISIEMEVENTHUB",
   "time": "2019-02-21T05:21:00.0000000Z", "metricName": "EHAMBS", "timeGrain": "PT1M"},
  {"count": 0, "total": 0, "minimum": 0, "maximum": 0, "average": 0,
   "resourceId": "/SUBSCRIPTIONS/3ED4EE1C-1A83-4E02-A928-7FF5E0008E8A/RESOURCEGROUPS/ANDY_TEST/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/FORTISIEMEVENTHUB",
   "time": "2019-02-21T05:22:00.0000000Z", "metricName": "EHAMBS", "timeGrain": "PT1M"},
  {"count": 0, "total": 0, "minimum": 0, "maximum": 0, "average": 0,
   "resourceId": "/SUBSCRIPTIONS/3ED4EE1C-1A83-4E02-A928-7FF5E0008E8A/RESOURCEGROUPS/ANDY_TEST/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/FORTISIEMEVENTHUB",
   "time": "2019-02-21T05:23:00.0000000Z", "metricName": "EHAMBS", "timeGrain": "PT1M"},
  {"count": 0, "total": 0, "minimum": 0, "maximum": 0, "average": 0,
   "resourceId": "/SUBSCRIPTIONS/3ED4EE1C-1A83-4E02-A928-7FF5E0008E8A/RESOURCEGROUPS/ANDY_TEST/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/FORTISIEMEVENTHUB",
   "time": "2019-02-21T05:24:00.0000000Z", "metricName": "EHAMBS", "timeGrain": "PT1M"}
]}
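The SAS Policy Name and Primary Key entered in the FortiSIEM credential are the two inputs of an Azure Shared Access Signature: the client signs the resource URI and an expiry time with the policy's key, and the service recomputes the signature with its copy of that key. The following Python is an added example, not FortiSIEM or Azure SDK code; it builds and verifies such a token for an event hub so that the credential fields above can be understood and tested in isolation. The namespace, hub name, policy name and key are constructed placeholders.

```python
"""Build and verify an Azure Event Hubs Shared Access Signature (SAS) token.

Added example, not FortiSIEM or Azure SDK code: it shows what the SAS Policy Name
and Primary Key entered in the FortiSIEM credential are used for. The namespace,
hub name, policy name and key below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import urllib.parse

# Constructed placeholders (a real primary key is a 44-character base64 string)
NAMESPACE = "fortisiemeventhub"
EVENT_HUB = "fsm-hub"
POLICY_NAME = "fortisiem-listen"
PRIMARY_KEY = "placeholder-primary-key-not-a-real-secret"


def resource_uri(namespace, event_hub):
    """The resource the token is scoped to: a single hub within the namespace."""
    return f"https://{namespace}.servicebus.windows.net/{event_hub}"


def make_sas_token(uri, policy_name, key, expiry_epoch):
    """HMAC-SHA256 over '<url-encoded uri>' + newline + '<expiry>' with the policy key."""
    encoded_uri = urllib.parse.quote_plus(uri)
    string_to_sign = f"{encoded_uri}\n{expiry_epoch}".encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    sig = urllib.parse.quote_plus(base64.b64encode(digest).decode("ascii"))
    return (f"SharedAccessSignature sr={encoded_uri}&sig={sig}"
            f"&se={expiry_epoch}&skn={policy_name}")


def parse_sas_token(token):
    """Split the token into its sr / sig / se / skn fields (percent-decoded)."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SAS token")
    return dict(urllib.parse.parse_qsl(token[len(prefix):]))


def verify_sas_token(token, policy_keys, now_epoch):
    """Recompute the signature under the named policy's key and check the expiry.

    policy_keys maps policy name -> primary key, as the service side holds it.
    """
    fields = parse_sas_token(token)
    key = policy_keys.get(fields.get("skn", ""))
    if key is None or not fields.get("se", "").isdigit():
        return False
    expiry = int(fields["se"])
    if expiry <= now_epoch:
        return False
    expected = parse_sas_token(make_sas_token(fields["sr"], fields["skn"], key, expiry))
    # Constant-time comparison of the two base64 signatures
    return hmac.compare_digest(expected["sig"], fields.get("sig", ""))


if __name__ == "__main__":
    token = make_sas_token(resource_uri(NAMESPACE, EVENT_HUB), POLICY_NAME,
                           PRIMARY_KEY, 2_000_000_000)
    print(token)
    print(verify_sas_token(token, {POLICY_NAME: PRIMARY_KEY}, 1_900_000_000))
```

Two things follow from the construction. Whoever holds a policy's primary key can mint tokens for any resource under that policy with any expiry, so the key copied into the FortiSIEM credential deserves the same handling as a password and should be rotated from the namespace's Shared access policies page if it is exposed. Event Hubs policies carry Manage, Send and Listen rights separately, and a consumer such as the FortiSIEM pull job only needs Listen; the Manage box checked in Step 4 above works, but a dedicated Listen-only policy for the SIEM keeps the blast radius of a leaked key to reading that hub.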

Microsoft Windows Defender Advanced Threat Protection (ATP)

• Integration points
• Configuring Windows Defender for FortiSIEM REST API Access
• Configuring FortiSIEM for Windows Defender ATP REST API Access

Integration points

Protocol | Information Discovered | Used For
Windows Defender API | REST API | Security and Compliance

Configuring Windows Defender for FortiSIEM REST API Access

Microsoft provides ample documentation here.

Follow the steps specified in 'Enabling SIEM integration', repeated here:
1. Log in to Windows Defender Center.
2. Go to Settings > SIEM.
3. Select Enable SIEM integration.
4. Choose Generic API.
5. Click Save Details to File.
6. Click Generate Tokens.

Configuring FortiSIEM for Windows Defender ATP REST API Access

Use the account from the previous step to enable FortiSIEM access.

1. Log in to FortiSIEM.
2. Go to ADMIN > Setup > Credential.
3. Click New to create a Windows Defender REST API credential:
   a. Choose Device Type = Microsoft Windows Defender ATP (Vendor = Microsoft, Model = Windows Defender ATP).
   b. Choose Access Protocol = Windows Defender ATP Alert REST API.
   c. Enter the Tenant ID for the credential created in Section 10.2.
   d. Password Config: for Manual, enter the Client ID and Client Secret for the credential created here. For
      CyberArk, see CyberArk Password Configuration.
   e. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple
      customers.
   f. Click Save.
4. Enter an IP Range to Credential Association:
   a. Set Hostname to wdatp-alertexporter-us.windows.com.
   b. Select the Credential created in step 3 above.

   c. Click Save.
5. Select the entry created in step 4 and click Test Connectivity. If it succeeds, the credential is correct.
6. An entry is created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM
   starts pulling events from Windows Defender Center using the REST API.

To test for events received via the Windows Defender ATP REST API:
1. Go to ADMIN > Setup > Pull Events.
2. Select the Windows Defender ATP entry and click Report.
The system takes you to the Analytics tab and runs a query to display the events received from Windows Defender
Center in the last 15 minutes. You can modify the time interval to get more events.

Okta

FortiSIEM can integrate with Okta as a single sign-on service for FortiSIEM users, discover Okta users and import them
into the CMDB, and collect audit logs from Okta. See Setting Up External Authentication for information on configuring
Okta as a single sign-on service, and Adding Users from Okta for discovering users and associating them with
the Okta authentication profile. Once you have discovered Okta users, FortiSIEM begins to monitor Okta events.
• What is Discovered and Monitored
• Configuration
• Access Credentials in FortiSIEM
• Sample Okta Event
• Adding Users from Okta
• Configuring Okta Authentication
• Logging In to Okta
• Setting Up External Authentication

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Okta API | | |

Event Types

In ADMIN > Device Support > Event, search for "okta" in the Device Type column to see the event types associated
with this device.

Configuration

• In Okta Administration > Security > API, create a Token. Note that tokens generated by this mechanism have
  the permissions of the user who generated them.
• Tokens are valid for 30 days and automatically refresh with each API call. Tokens that are not used for 30 days
  expire. The token lifetime is currently fixed and cannot be changed.

Access Credentials in FortiSIEM

Setting | Value
Name | <name>
Device Type | OKTA.com OKTA
Access Protocol | OKTA API
Pull Interval | 5
Domain | The name of your OKTA domain
Security Token | The token that has been created in Okta
Organization | Select an organization from the drop-down list.

Sample Okta Event

Mon Jul 21 15:50:26 2014 FortiSIEM-Okta [action/message]=Sign-in successful
[action/objectType]=core.user_auth.login_success [action/requestUri]=/login/do-login
[actors/0/displayName]=CHROME [actors/0/id]=Mozilla/5.0 (Windows NT 6.1; WOW64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
[actors/0/ipAddress]=211.144.207.10 [actors/0/login][email protected]
[actors/0/objectType]=Client [eventId]=tev-UlpTnWJRI2vXNRKTJHE4A1405928963000
[eventName]=USER-AUTH-LOGIN-SUCCESS [published]=2014-07-21T07:49:23.000Z
[requestId]=U8zGA0zxVNXabfCeka9oGAAAA [sessionId]=s024bi4GPUkRaegPXuA1IFEDQ
[targets/0/displayName]=a_name [targets/0/id]=00uvdkhrxcPNGYWISAGK
[targets/0/login]=a_[email protected] [targets/0/objectType]=User
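The FortiSIEM-Okta event above is a flat list of [path/key]=value pairs in which the path (for example actors/0/ipAddress) encodes the nesting of Okta's original JSON. The following Python is an added example, not FortiSIEM or Okta code: it parses that format back into nested dictionaries and then counts USER-AUTH-LOGIN-FAILED events per actor IP address, the basic check behind a failed-login report. The sample lines, addresses and account names are constructed in the shape of the event above.

```python
"""Parse FortiSIEM-Okta [path/key]=value events and count failed sign-ins per IP.

Added example, not FortiSIEM or Okta code. SAMPLE_LINES are constructed in the
shape of the Okta event in this guide; addresses and logins are placeholders.
"""
import re
from collections import Counter

# A field is "[path]=value"; the value runs until the next " [path]=" or end of line
FIELD_RE = re.compile(r"\[([^\]]+)\]=(.*?)(?=\s\[[^\]]+\]=|$)", re.S)


def _okta_line(outcome, ip, login, published):
    """Build one constructed FortiSIEM-Okta line (helper for the samples below)."""
    status = "success" if outcome == "SUCCESS" else "failed"
    return (f"Mon Jul 21 15:50:26 2014 FortiSIEM-Okta [action/message]=Sign-in {status} "
            f"[action/objectType]=core.user_auth.login_{status} "
            f"[actors/0/displayName]=CHROME [actors/0/ipAddress]={ip} "
            f"[actors/0/login]={login} [actors/0/objectType]=Client "
            f"[eventName]=USER-AUTH-LOGIN-{outcome} [published]={published} "
            f"[targets/0/login]={login} [targets/0/objectType]=User")


# Constructed samples: three failures from one address, one success from another
SAMPLE_LINES = [
    _okta_line("FAILED", "203.0.113.10", "alice@example.com", "2014-07-21T07:49:23.000Z"),
    _okta_line("FAILED", "203.0.113.10", "alice@example.com", "2014-07-21T07:49:31.000Z"),
    _okta_line("FAILED", "203.0.113.10", "bob@example.com", "2014-07-21T07:49:40.000Z"),
    _okta_line("SUCCESS", "198.51.100.7", "carol@example.com", "2014-07-21T07:50:02.000Z"),
]


def parse_okta_event(line):
    """Return a nested dict: 'actors/0/ipAddress' becomes ['actors']['0']['ipAddress']."""
    nested = {}
    for path, value in FIELD_RE.findall(line):
        node = nested
        parts = path.split("/")
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return nested


def failed_logins_by_ip(lines, threshold):
    """Count USER-AUTH-LOGIN-FAILED events per actor IP; return IPs at or above threshold."""
    counts = Counter()
    for line in lines:
        event = parse_okta_event(line)
        if event.get("eventName") != "USER-AUTH-LOGIN-FAILED":
            continue
        ip = event.get("actors", {}).get("0", {}).get("ipAddress")
        if ip:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(parse_okta_event(SAMPLE_LINES[0]))
    print(failed_logins_by_ip(SAMPLE_LINES, threshold=3))
```

The lookahead in FIELD_RE is what makes values containing spaces (the user-agent string in actors/0/id, the sign-in message) survive; splitting on whitespace would break them. Because the Okta API only exposes events to a token with the generating user's permissions, the count above reflects whatever that user could see, which is one reason to generate the token from a dedicated read-only administrator rather than a personal super-admin account.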

Adding Users from Okta

• Create an Okta API Token
• Create Login Credentials and Associate Them with an IP Address
• Discover Okta Users

Create an Okta API Token

1. Log in to Okta using your Okta credentials.
2. Go to Administration > Security > API Tokens.
3. Click Create Token.
You will use this token when you set up the Okta login credentials in the next section. Note that this token has
the same permissions as the person who generated it.

Create Login Credentials and Associate Them with an IP Address

1. Log in to your Supervisor node.
2. Go to ADMIN > Setup > Credentials.
3. Enter a Name.
4. For Device Type, select Okta.com.
5. For Access Protocol, select Okta API.
6. Enter the NetBIOS/Domain associated with your Okta account.
   For example, FortiSIEM.okta.com.
7. For Pull Interval, enter how often, in minutes, you want FortiSIEM to pull information from Okta.
8. Enter and reconfirm the Security Token you created.
9. Click Save.
   The credentials are added to the list of Credentials.
10. Under Enter IP Range to Credential Associations, click Add.
11. Select your Okta credentials from the list of Credentials.
12. Enter the IP range or host name for your Okta account.
13. Click OK.
    Your Okta credentials appear in the list of credential/IP address associations.
14. Click Test Connectivity to make sure you can connect to the Okta server.

Discover Okta Users

If the number of users is fewer than 200, Test Connectivity discovers all the users.
The Okta API does not allow FortiSIEM to pull more than 200 users. If you have more, follow these steps:
1. Log in to Okta.
2. Download the user list CSV file (OktaPasswordHealth.csv) from Admin > Reports > Okta Password Health.
3. Rename the CSV file to all_user_list_%s.csv, where %s is the token obtained in Create an Okta API Token,
   Step 3 (for example, all_user_list_00UbCrgrU9b1Uab0cHCuup-5h-6Hi9ItokVDH8nRRT.csv).
4. Log in to the FortiSIEM Supervisor node:
   a. Upload the CSV file all_user_list_%s.csv to the directory /opt/phoenix/config/okta/.
   b. Make sure the owner and group are admin (run "chown -R admin:admin /opt/phoenix/config/okta/").
   c. Go to ADMIN > Setup > Enter IP Range to Credential Associations. Select the Okta entry and run Test
      Connectivity to import all users.

Configuring Okta Authentication

To use Okta authentication for your FortiSIEM deployment, you must set up a SAML 2.0 Application in Okta, and then
use the certificate associated with that application when you configure external authentication.
1. Log in to Okta.
2. In the Applications tab, create a new application using Template SAML 2.0 App.
3. Under Settings, configure the settings similar to the table below:

Post Back URL | Post Back URL
Application label | FortiSIEM Demo
Force Authentication | Enable
Post Back URL | https://<FortiSIEMIP>/phoenix/okta
Name ID Format | EmailAddress
Recipient | FortiSIEM
Audience Restriction | Super
authnContextClassRef | PasswordProtectedTransport
Response | Signed
Assertion | Signed
Request | Uncompressed
Destination | https://<FortiSIEMIP>/phoenix/okta

4. Click Save.
5. In the Sign On tab, click View Setup Instructions.
6. Click Download Certificate.
7. Enter the downloaded certificate for Okta authentication.

Logging In to Okta

Follow these steps to log in to Okta from the Okta domain https://fortinetfsm.okta.com. You cannot log into
Okta from the FortiSIEM UI.
1. Create a new Okta account from https://www.okta.com/ or log in to an existing account, using the domain
fortinetfsm.okta.com.
2. Configure users for the account, for example, [email protected], [email protected], and so
on. See Adding Users From Okta and Create Login Credentials and Associate Them with an IP Address.
3. Discover the Okta users to ensure that you have users to test. See Discover Okta Users.
4. Create a SAML authentication configuration from Okta based on the OKTA SAML 2.0 template. See Configuring
Okta Authentication.
5. Associate the users (for example, [email protected] and [email protected]) to the external
profile in CMDB > Users.
6. Log in to the Okta domain https://fortinetfsm.okta.com as one of the users you defined in Step 2.
7. Click the SAML configuration application in Okta (see Configuring Okta Authentication). You can now log in to
Okta.

Setting Up External Authentication

You have three options for setting up external authentication for your FortiSIEM deployment: LDAP, RADIUS, and Okta.

Multiple Authentication Profiles

If more than one authentication profile is associated with a user, then the servers will be contacted one-by-one until a
connection to one of them is successful. Once a server has been contacted, if the authentication fails, the process ends,
and the user is notified that the authentication failed.
1. Log in to your Supervisor node.
2. Go to Admin > General Settings > External Authentication.
3. Click Add.
4. If you are setting up authentication for an organization within a multi-tenant deployment, select the Organization.
5. Select the Protocol.

6. Complete the protocol settings.

Protocol | User-Defined Settings
LDAP | Access IP. Select Set DN Pattern to open a text field in which you can enter the DN pattern if you want to override the discovered pattern, or you want to add a specific LDAP user.
RADIUS | Access IP, Shared Secret. Select CHAP if you are using encrypted authentication to your RADIUS server. See also Juniper Networks Steel-Belted RADIUS.
Okta | Certificate. See Configuring Okta Authentication for more information.

7. Click Test, and then enter credentials associated with the protocol you selected to make sure users can
   authenticate to your deployment.

Salesforce CRM Audit

• What is Discovered and Monitored
• Event Types
• Reports
• Configuration
• Sample Events for Salesforce Audit

What is Discovered and Monitored

Protocol | Logs Collected | Used For
Salesforce API | Successful/Failed Login, API Query Activity, Dashboard Activity, Opportunity Activity, Report Export Activity, Report Activity, Document Download Activity | Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "Salesforce Audit" in the Search field to see the event types
associated with this device.

Reports

Many reports are defined in RESOURCES > Reports > Device > Application > CRM:
• Salesforce Failed Logon Activity
• Salesforce Successful Logon Activity
• Top Browsers By Failed Login Count
• Top Browsers By Successful Login Count
• Top Salesforce Users By Failed Login Count
• Top Salesforce Users By Successful Login Count
• Top Successful Salesforce REST API Queries By Count, Run Time
• Top Failed Salesforce REST API Queries By Count, Run Time
• Top Salesforce API Queries By Count, Run Time
• Top Salesforce Apex Executions By Count, Run Time
• Top Salesforce Dashboards Views By Count
• Top Salesforce Document Downloads By Count
• Top Salesforce Opportunity Reports By Count
• Top Salesforce Report Exports By Count
• Top Salesforce Reports By Count, Run Time
• Top Salesforce Events

Configuration

• Salesforce Configuration
• Define Salesforce Audit Credential in FortiSIEM
• Create IP Range to Credential Association and Test Connectivity

Salesforce Configuration

Salesforce stores events in a SQL database; FortiSIEM pulls events from the EventLogFile, LoginHistory, User,
Dashboard, Opportunity, and Report tables through SQL commands.
If you get an error about missing columns, make sure your administrator has enabled Set History Tracking for
the missing columns in the tables.
For more information on how to enable Set History Tracking, refer to
https://help.salesforce.com/articleView?id=sf.updating_picklists.htm&type=5
The required columns are listed in this table.

Event | Required Columns
EventLogFile | Id, EventType, LogFile, LogDate, LogFileLength, LastModifiedDate
LoginHistory | Id, UserId, LoginTime, Browser, Platform, Status, SourceIp
Dashboard | Id, Description, DeveloperName, FolderName, Title, LastModifiedDate
Opportunity | Id, Amount, CloseDate, Name, OwnerId, Type, LastModifiedDate
Report | Id, Name
User | Id, Username

For example, if Type in Opportunity is not enabled in Set History Tracking, FortiSIEM fails to get events from
Opportunity.

Define Salesforce Audit Credential in FortiSIEM

Complete these steps in the FortiSIEM UI after logging in to the FortiSIEM Supervisor node.
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box and click Save:

Setting | Description
Name | Enter a name for the credential
Device Type | Salesforce Salesforce Audit
Access Protocol | Salesforce API
Pull Interval | 5 minutes
Timeout | 30 seconds
Password config | See Password Configuration
User Name | User name for device access
Password | Password for device access
Security Token | Security token
Description | Description of the device.

Create IP Range to Credential Association and Test Connectivity

From the FortiSIEM Supervisor node, take the following steps (From ADMIN > Setup > Credentials).

1. In Step 2: Enter IP Range to Credential Associations, click New.
   a. Enter "login.salesforce.com" in the IP/Host Name field.
   b. Select the name of the credential created in "Define Salesforce Audit Credential in FortiSIEM" from the
      Credentials drop-down list.
   c. Click Save.
2. Select the entry just created, click the Test drop-down list, and select Test Connectivity without Ping. A pop-up
   appears and shows the Test Connectivity results.
3. Go to ADMIN > Setup > Pull Events and make sure an entry is created for Salesforce Audit Log Collection.

Sample Events for Salesforce Audit

[Salesforce_Activity_Perf]:[activityType]=API,[activityName]=get_user_info,
[srcIpAddr]=23.23.13.166,[user][email protected],[deviceTime]=1458112097,
[isSuccess]=false,[runTime]=31,[cpuTime]=9,[dbTime]=19434051,[infoURL]=Api

Console Access Devices

FortiSIEM supports this console access device for discovery and monitoring.
• Lantronix SLC Console Manager

Lantronix SLC Console Manager

What is Discovered and Monitored

Protocol | Information discovered | Metrics/Logs collected | Used for
Syslog | | Admin access, Updates, Commands run | Log analysis and compliance

Event Types

Around 10 event types are generated by parsing Lantronix SLC logs. The complete list can be found in ADMIN >
Device Support > Event by searching for Lantronix-SLC. Some important ones are:
• Lantronix-SLC-RunCmd
• Lantronix-SLC-Update
• Lantronix-SLC-User-Logon-Success

Configuration

FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM as directed in
the device's product documentation, and FortiSIEM will parse the contents.

Example Syslog

<174>xmsd: gen/info-Syslog server changed to 10.4.3.37
<38>xwsd[32415]: auth/info-Web Authentication Success for user andbr003

End Point Security Software

The following anti-virus and host security (HIPS) applications are supported for discovery and monitoring by FortiSIEM.
• Bit9 Security Platform
• Carbon Black Security Platform
• Cisco AMP Cloud V0
• Cisco AMP Cloud V1
• Cisco Security Agent (CSA)
• CloudPassage Halo
• CrowdStrike
• Digital Guardian CodeGreen DLP
• ESET NOD32 Anti-Virus
• FortiClient
• Fortinet FortiEDR
• Malwarebytes Endpoint Protection
• McAfee ePolicy Orchestrator (ePO)
• MobileIron Sentry and Connector
• Netwrix Auditor
• Palo Alto Traps Endpoint Security Manager
• SentinelOne
• Sophos Central
• Sophos Endpoint Security and Control
• Symantec Endpoint Protection
• Symantec SEPM
• Tanium Connect
• Trend Micro Interscan Web Filter
• Trend Micro Intrusion Defense Firewall (IDF)
• Trend Micro OfficeScan

Bit9 Security Platform

• What is Discovered and Monitored
• Bit9 Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | Logs | Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "Bit9" in the Device Type column to see the event types
associated with this device.

Rules

• Bit9 Agent Uninstalled or File Tracking Disabled
• Bit9 Fatal Errors
• Blocked File Execution
• Unapproved File Execution

Reports

• Bit9 Account Group Changes
• Bit9 Fatal and Warnings Issues
• Bit9 Functionality Stopped
• Bit9 Security Configuration Downgrades

Bit9 Configuration

Syslog

FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM on port 514.

Sample Syslog

<14>1 2015-04-06T16:24:02Z server1.foo.com - - - - Bit9 event: text="Server discovered new
file 'c:\usersacct\appdata\local\temp\3cziegdd.dll'
[361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f]." type="Discovery"
subtype="New file on network" hostname="SVR123" username="SVR123\acct" date="4/6/2015 4:22:52
PM" ip_address="10.168.1.1" process="c:\abc\infrastructure\bin\scannerreset.exe"
file_path="c:\users\acct\appdata\local\temp\3cziegdd.dll" file_name="3cziegdd.dll"
file_hash="361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f"
installer_name="csc.exe" policy="High Enforce" process_key="00000000-0000-1258-01d0-7085edb50080"
server_version="7.2.0.1395" file_trust="-2" file_threat="-2" process_trust="-1" process_threat="-1"

Carbon Black Security Platform

• What is Discovered and Monitored
• Carbon Black Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | Logs | Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "Carbon Black" in the Device Type column to see the event types
associated with this device.

Rules

• Carbon Black Agent Uninstalled or File Tracking Disabled
• Carbon Black Fatal Errors
• Blocked File Execution
• Unapproved File Execution

Reports

• Carbon Black Account Group Changes
• Carbon Black Fatal and Warnings Issues
• Carbon Black Functionality Stopped
• Carbon Black Security Configuration Downgrades

Carbon Black Configuration

Syslog

FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM on port 514.
CEF formatted logs are also supported.

Sample Syslog

Standard Syslog:

(One event, wrapped at attribute boundaries; the device sends it as a single line.)

<14>1 2015-04-06T16:24:02Z server1.foo.com - - - - Carbon Black event:
text="Server discovered new file 'c:\users\acct\appdata\local\temp\3cziegdd.dll'
[361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f]." type="Discovery"
subtype="New file on network" hostname="SVR123" username="SVR123\acct" date="4/6/2015 4:22:52 PM"
ip_address="10.168.1.1" process="c:\abc\infrastructure\bin\scannerreset.exe"
file_path="c:\users\acct\appdata\local\temp\3cziegdd.dll" file_name="3cziegdd.dll"
file_hash="361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f" installer_name="csc.exe"
policy="High Enforce" process_key="00000000-0000-1258-01d0-7085edb50080" server_version="7.2.0.1395"
file_trust="-2" file_threat="-2" process_trust="-1" process_threat="-1"

CEF Formatted Syslog:


(One event, wrapped at extension-key boundaries; the device sends it as a single line.)

<14>May 06 13:28:09 host1 CEF:0|Carbon Black|Protection|8.0.0.2562|809|Report write (custom rule)|4|
externalId=649219 cat=Policy Enforcement start=May 06 13:27:41 UTC rt=May 06 13:28:02 UTC
filePath=c:\\windows\\system32\\perfdisk.dll fname=perfdisk.dll
fileHash=60b8a55c0f3228b18d918a3fd6684c401442f6447f2cec5dad9860a8c1d6462c fileId=39126
deviceProcessName="C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.14.17639.18041-0\\MsMDEV.exe"
dst=172.30.31.13 dhost=EXAMPLE\\DC01 duser=NT AUTHORITY\\SYSTEM dvchost=cbprotection
msg='c:\\windows\\system32\\perfdisk.dll' was created by 'NT AUTHORITY\\SYSTEM'.
sproc=00000000-0000-15b8-01d3-dd191e70c6d3
cs1Label=rootHash cs1=e1c32fca51d86aad28c2dd13ec427eccd03f9d6900f8f1fe90b99f85550a8a98
cs2Label=installerFilename cs2=msi669d.tmp cs3Label=Policy cs3=Domain Controllers
cs5Label=ruleName cs5=[File Integrity Monitoring] Changes to system files
cfp1Label=fileTrust cfp1=10 flexString1Label=fileThreat flexString1=0 - Clean
cfp2Label=processTrust cfp2=10 flexString2Label=processThreat flexString2=0 - Clean
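The two samples above carry the same facts in different encodings, and the CEF form has two details a hand-written parser tends to get wrong: backslashes arrive doubled (CEF escaping), and the custom fields only mean something once each csN/cfpN/flexStringN value is paired with its csNLabel. The Python below is an added example, not FortiSIEM or Carbon Black code. It parses both formats into one set of fields and then applies an illustrative trust check of the kind behind the "Blocked File Execution" and "Unapproved File Execution" rules; the trust floor and the treatment of negative trust values are assumptions for the example, not the product's rule logic. The sample strings are constructed copies of the two events above with their wrapped lines joined.

```python
import re

# Constructed copies of the two sample events above, wrapped lines joined back together
STANDARD_SAMPLE = (
    '<14>1 2015-04-06T16:24:02Z server1.foo.com - - - - Carbon Black event: '
    'text="Server discovered new file \'c:\\users\\acct\\appdata\\local\\temp\\3cziegdd.dll\' '
    '[361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f]." type="Discovery" '
    'subtype="New file on network" hostname="SVR123" username="SVR123\\acct" '
    'date="4/6/2015 4:22:52 PM" ip_address="10.168.1.1" '
    'process="c:\\abc\\infrastructure\\bin\\scannerreset.exe" '
    'file_path="c:\\users\\acct\\appdata\\local\\temp\\3cziegdd.dll" file_name="3cziegdd.dll" '
    'file_hash="361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f" '
    'installer_name="csc.exe" policy="High Enforce" '
    'process_key="00000000-0000-1258-01d0-7085edb50080" server_version="7.2.0.1395" '
    'file_trust="-2" file_threat="-2" process_trust="-1" process_threat="-1"'
)
CEF_SAMPLE = (
    '<14>May 06 13:28:09 host1 CEF:0|Carbon Black|Protection|8.0.0.2562|809|'
    'Report write (custom rule)|4|externalId=649219 cat=Policy Enforcement '
    'start=May 06 13:27:41 UTC rt=May 06 13:28:02 UTC '
    'filePath=c:\\\\windows\\\\system32\\\\perfdisk.dll fname=perfdisk.dll '
    'fileHash=60b8a55c0f3228b18d918a3fd6684c401442f6447f2cec5dad9860a8c1d6462c fileId=39126 '
    'deviceProcessName="C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\'
    '4.14.17639.18041-0\\\\MsMDEV.exe" dst=172.30.31.13 dhost=EXAMPLE\\\\DC01 '
    "duser=NT AUTHORITY\\\\SYSTEM dvchost=cbprotection msg='c:\\\\windows\\\\system32\\\\"
    "perfdisk.dll' was created by 'NT AUTHORITY\\\\SYSTEM'. "
    'sproc=00000000-0000-15b8-01d3-dd191e70c6d3 cs1Label=rootHash '
    'cs1=e1c32fca51d86aad28c2dd13ec427eccd03f9d6900f8f1fe90b99f85550a8a98 '
    'cs2Label=installerFilename cs2=msi669d.tmp cs3Label=Policy cs3=Domain Controllers '
    'cs5Label=ruleName cs5=[File Integrity Monitoring] Changes to system files '
    'cfp1Label=fileTrust cfp1=10 flexString1Label=fileThreat flexString1=0 - Clean '
    'cfp2Label=processTrust cfp2=10 flexString2Label=processThreat flexString2=0 - Clean'
)

KV_RE = re.compile(r'(\w+)="([^"]*)"')              # standard format: backslash is literal
CEF_EXT_RE = re.compile(r'(\w+)=(.*?)(?=\s\w+=|$)')  # a value runs until the next " key="
CEF_HEADER = ('version', 'vendor', 'product', 'product_version', 'signature_id', 'name', 'severity')


def cef_unescape(text):
    # CEF escapes backslash, pipe and equals sign with a leading backslash
    return re.sub(r'\\([\\|=])', r'\1', text)


def parse_standard(line):
    """key="value" pairs after the 'Carbon Black event:' marker."""
    body = line.split('Carbon Black event:', 1)[1]
    return dict(KV_RE.findall(body))


def parse_cef(line):
    """Header fields plus extension dict; csNLabel/csN pairs are re-keyed by their label."""
    cef = line[line.index('CEF:'):]
    parts = re.split(r'(?<!\\)\|', cef, maxsplit=7)          # 7 header fields + extension
    header = dict(zip(CEF_HEADER, (cef_unescape(p) for p in parts[:7])))
    ext = {k: cef_unescape(v) for k, v in CEF_EXT_RE.findall(parts[7])}
    for key in [k for k in ext if k.endswith('Label') and k[:-5] in ext]:
        ext[ext.pop(key)] = ext.pop(key[:-5])               # cs1Label=rootHash cs1=X -> rootHash=X
    return header, ext


def _int_prefix(text):
    """'10' -> 10, '0 - Clean' -> 0, '-2' -> -2, missing -> None."""
    m = re.match(r'-?\d+', text or '')
    return int(m.group()) if m else None


def normalize(line):
    """Map either format onto the fields an execution-control rule keys on."""
    if 'CEF:' in line:
        hdr, ext = parse_cef(line)
        fields = {'event': hdr['name'], 'host': ext.get('dhost'), 'policy': ext.get('Policy'),
                  'rule_name': ext.get('ruleName'), 'file_path': ext.get('filePath'),
                  'file_name': ext.get('fname'), 'file_hash': ext.get('fileHash'),
                  'process': (ext.get('deviceProcessName') or '').strip('"')}
        trust = {'file_trust': ext.get('fileTrust'), 'file_threat': ext.get('fileThreat'),
                 'process_trust': ext.get('processTrust'), 'process_threat': ext.get('processThreat')}
    else:
        kv = parse_standard(line)
        fields = {'event': kv.get('subtype'), 'host': kv.get('hostname'), 'policy': kv.get('policy'),
                  'rule_name': None, 'file_path': kv.get('file_path'), 'file_name': kv.get('file_name'),
                  'file_hash': kv.get('file_hash'), 'process': kv.get('process')}
        trust = {k: kv.get(k) for k in ('file_trust', 'file_threat', 'process_trust', 'process_threat')}
    fields.update({k: _int_prefix(v) for k, v in trust.items()})
    return fields


TRUST_FLOOR = 5   # assumption for illustration: the CEF sample rates a clean file 10


def needs_review(ev):
    """Illustrative check, not FortiSIEM's rule logic: escalate when the event itself is a
    block/unapproved execution, or when file trust is unrated (negative) or below the floor."""
    name = (ev['event'] or '').lower()
    if 'block' in name or 'unapproved' in name:
        return True
    return ev['file_trust'] is None or ev['file_trust'] < TRUST_FLOOR


if __name__ == '__main__':
    for sample in (STANDARD_SAMPLE, CEF_SAMPLE):
        ev = normalize(sample)
        print(ev['host'], ev['file_name'], ev['file_trust'], 'review' if needs_review(ev) else 'ok')
```

Run stand-alone it prints one line per sample; the standard sample (file_trust -2) is flagged and the CEF sample (fileTrust 10, fileThreat "0 - Clean") is not. The label re-keying is the part worth keeping: without it a rule would have to know that Policy lives in cs3 on one server and possibly elsewhere on another.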


Cisco AMP Cloud V0

l What is Discovered and Monitored
l Configuration
l Sample Events

What is Discovered and Monitored

Protocol Logs Collected Used For

CloudAMP API End point malware activity Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "Cisco FireAMP Cloud" in the Search column to see the event types
associated with this device.

Configuration

l Configure Cisco AMP Cloud V0
l Create Credentials in FortiSIEM

Configure Cisco AMP Cloud V0

1. Log in to https://auth.amp.cisco.com/.
2. Click Accounts > API Credentials.


3. Click New API Credential.

4. Input Application name and click Create.


5. Record the API Client ID and API key. You will need them in a later step.

Create Credentials in FortiSIEM

1. Log in to the FortiSIEM Supervisor node.
2. Go to ADMIN > Setup > Credentials.
3. Click Add to create a new credential.
4. Set Device Type to Cisco FireAMP Cloud.
5. Set Password config to Manual.
6. Set Client ID to the API Client ID recorded in Configure Cisco AMP Cloud V0.
7. Set Client Secret to the API key recorded in Configure Cisco AMP Cloud V0.


8. Click Save.


Test Connectivity and Event Pulling

1. Log in to the FortiSIEM Supervisor node.
2. Go to ADMIN > Setup > IP to Credential Mapping.
3. Click Add to create a new mapping.
4. For Name/IP/IP Range, enter api.amp.cisco.com.
5. For Credentials, use the credential you created in Create Credentials in FortiSIEM.
6. Click Save.
7. Go to ADMIN > Setup > Credentials, select the credential, and run Test Connectivity.
The test should report success.


8. Go to ADMIN > Setup > Pull Events. An entry appears in the Event Pulling table, which means events are being
pulled.


9. Go to the Analytics page to see the events.

Sample Events

[FireAMP_Cloud_Threat_Detected]:[eventSeverity]=PHL_CRITICAL, [connectorGUID]=12345,
[date]=2015-11-25T19:17:39+00:00, [detection]=W32.DFC.MalParent,
[detectionId]=6159251516445163587, [eventId]=6159251516445163587,
[eventType]=Threat Detected, [eventTypeId]=1090519054, [fileDispostion]=Malicious,
[fileName]=rjtsbks.exe,
[fileSHA256]=3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370,

Cisco AMP Cloud V1

Cisco Advanced Malware Protection (AMP) for Endpoints is a lightweight connector that can use the public cloud or be
deployed as a private cloud.
l What is Discovered and Monitored
l Event Types
l Rules
l Reports
l Configure Cisco AMP Cloud V1
l Configure FortiSIEM
l Sample Events


What is Discovered and Monitored

Protocol: AMQP
Information collected: Global threat intelligence, advanced sandboxing, and real-time malware blocking
Used for: Intrusion protection system

Event Types

In RESOURCES > Event Types, enter "Cisco AMP" in the Search column to see the event types associated with this
device.

Rules

No defined rules.

Reports

No defined reports.

Configure Cisco AMP Cloud V1

1. Log in to the Cisco AMP for Endpoints Portal as an administrator.


2. Click Accounts > API Credentials.

3. In the API Credentials pane, click New API Credential.


4. In the Application name field, enter a name, and then select Read & Write.
Note: you must have Read & Write access to manage event streams on your Cisco AMP for Endpoints platform.

5. Click Create.
6. In the API Key Details section, make note of the values for the 3rd Party API Client ID and the API Key. You
will need these values to manage queues.
7. Click Management > Group
8. In the Groups pane, click Create Group.


9. Enter the group name and click Save.

10. Enter the following curl command to get the group_guid of the group that was created in the previous step:
curl -X GET -H 'accept: application/json' \
-H 'content-type: application/json' --compressed \
-H 'Accept-Encoding: gzip, deflate' \
-u <CLIENTID:APIKEY> \
'https://api.amp.cisco.com/v1/groups'
where:
l <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6.
l If you are in the Asia Pacific Japan and China (APJC) region, change https://api.amp.cisco.com/v1/groups to
https://api.apjc.amp.cisco.com/v1/groups.
l If you are in the European region, change https://api.amp.cisco.com/v1/groups to
https://api.eu.amp.cisco.com/v1/groups.
The guid of your group in the response is the group_guid used in Step 11.
11. Enter the following curl command to create a Cisco AMP event stream:
curl -X POST -H 'accept: application/json' \
-H 'content-type: application/json' --compressed \
-H 'Accept-Encoding: gzip, deflate' \
-d '{"name":"<STREAM_NAME>", "group_guid":["<GUID>"]}' \
-u <CLIENTID:APIKEY> \
'https://api.amp.cisco.com/v1/event_streams'
where:
l <STREAM_NAME> is a name of your choice for the event stream.
l <GUID> is the group GUID obtained in Step 10; the event stream is linked to that group.
l <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6.
l If you are in the Asia Pacific Japan and China (APJC) region, change
https://api.amp.cisco.com/v1/event_streams to
https://api.apjc.amp.cisco.com/v1/event_streams.
l If you are in the European region, change https://api.amp.cisco.com/v1/event_streams to
https://api.eu.amp.cisco.com/v1/event_streams.
12. The following is an example of the Step 11 command together with its response. The amqp_credentials block in
the response holds the values needed for the Cisco AMP credential in FortiSIEM in the next section (queue_name,
user_name, password, and host):
curl -X POST -H 'accept: application/json' \
-H 'content-type: application/json' --compressed \
-H 'Accept-Encoding: gzip, deflate' \
-d '{"name":"meistream","group_guid":["34e483f4-85a8-412f-9997-07dd3f0c29ea"]}' \
-u a54c0f4c589d72e0c73e:14713974-eb93-420b-ad76-6e13943f87d4 \
'https://api.amp.cisco.com/v1/event_streams'
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.amp.cisco.com/v1/event_streams"
}
},
"data": {
"id": 8849,
"name": "meistream",
"group_guids": [
"34e483f4-85a8-412f-9997-07dd3f0c29ea"
],
"amqp_credentials": {
"user_name": "8849-a54c0f4c589d72e0c73e",
"queue_name": "event_stream_8849",
"password": "e3298163b3c57e5e4e11ea1b571e85cc2ac45b55",
"host": "export-streaming.amp.cisco.com",
"port": "443",
"proto": "https"
}
}
}
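The three curl commands above (list groups, create the event stream, read the amqp_credentials block) and the FortiSIEM credential fields that follow are tied together in the Python below. It is an added example, not Cisco or Fortinet code. It uses only the standard library, selects the regional API host, sends the same HTTP Basic credential that curl -u sends, and maps the create-stream response onto the four values FortiSIEM asks for. The group_guid_by_name helper assumes the /v1/groups response lists groups with name and guid keys; the stream and group responses embedded in the block are constructed copies (and, for the groups list, constructed sample data) so the mapping can be checked offline.

```python
import base64
import json
import urllib.request

# Regional API hosts named in the steps above; use the one matching your console
API_HOSTS = {'us': 'https://api.amp.cisco.com',
             'eu': 'https://api.eu.amp.cisco.com',
             'apjc': 'https://api.apjc.amp.cisco.com'}


def api_url(region, path):
    return f"{API_HOSTS[region]}/v1/{path.lstrip('/')}"


def auth_headers(client_id, api_key):
    # Exactly what curl -u CLIENTID:APIKEY sends: HTTP Basic over TLS
    token = base64.b64encode(f'{client_id}:{api_key}'.encode()).decode()
    return {'Authorization': 'Basic ' + token,
            'Accept': 'application/json', 'Content-Type': 'application/json'}


def call(region, path, client_id, api_key, body=None):
    """GET (no body) or POST (JSON body) against the AMP v1 API; returns the parsed JSON."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(api_url(region, path), data=data,
                                 headers=auth_headers(client_id, api_key),
                                 method='GET' if body is None else 'POST')
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def group_guid_by_name(groups_response, name):
    """Step 10: the GUID of the group created in the console, looked up by name
    (assumes each entry in the /v1/groups data list carries 'name' and 'guid')."""
    for group in groups_response.get('data', []):
        if group.get('name') == name:
            return group['guid']
    raise LookupError(f'no group named {name!r}')


def fortisiem_fields(stream_response):
    """Step 12 -> Configure FortiSIEM: the four values the Cisco AMP (AMQP) credential
    and its IP-to-credential mapping need."""
    amqp = stream_response['data']['amqp_credentials']
    return {'queue_name': amqp['queue_name'],   # Queue Name
            'user_name': amqp['user_name'],     # User Name
            'password': amqp['password'],       # Password
            'host': amqp['host']}               # IP/Host Name of the credential mapping


def create_event_stream(region, client_id, api_key, stream_name, group_name):
    """Steps 10 to 12 end to end: find the group, create the stream, return the FortiSIEM values."""
    groups = call(region, 'groups', client_id, api_key)
    guid = group_guid_by_name(groups, group_name)
    stream = call(region, 'event_streams', client_id, api_key,
                  {'name': stream_name, 'group_guid': [guid]})
    return fortisiem_fields(stream)


# Constructed copy of the sample response above, so the mapping can be exercised offline
SAMPLE_STREAM_RESPONSE = {
    'version': 'v1.2.0',
    'metadata': {'links': {'self': 'https://api.amp.cisco.com/v1/event_streams'}},
    'data': {'id': 8849, 'name': 'meistream',
             'group_guids': ['34e483f4-85a8-412f-9997-07dd3f0c29ea'],
             'amqp_credentials': {'user_name': '8849-a54c0f4c589d72e0c73e',
                                  'queue_name': 'event_stream_8849',
                                  'password': 'e3298163b3c57e5e4e11ea1b571e85cc2ac45b55',
                                  'host': 'export-streaming.amp.cisco.com',
                                  'port': '443', 'proto': 'https'}}}
# Constructed sample of a /v1/groups listing (names and GUIDs are made up)
SAMPLE_GROUPS_RESPONSE = {'data': [
    {'name': 'Protect', 'guid': '11111111-1111-1111-1111-111111111111'},
    {'name': 'FortiSIEM', 'guid': '34e483f4-85a8-412f-9997-07dd3f0c29ea'}]}

if __name__ == '__main__':
    print(fortisiem_fields(SAMPLE_STREAM_RESPONSE))
```

Note that the AMQP password comes back only in the API response; when you run the curl form instead, both the API key (in -u) and that password (in the output) end up in shell history and terminal scrollback, so treat them as you would any other credential and enter them in FortiSIEM's credential store rather than keeping them in a notes file.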


Configure FortiSIEM

1. Go to ADMIN > Setup > Credentials to create a Cisco AMP credential.
2. Click New and enter the following information:
a. Set Device Type to Cisco AMP.
b. Set Access Protocol to AMQP.
c. Set Queue Name to the queue_name value from Step 12 in the previous section.
d. Set User Name to the user_name value from Step 12 in the previous section.
e. Set Password to the password value from Step 12 in the previous section.

3. Click Save.


4. Go to ADMIN > Setup > IP to Credential Mapping and create an association as follows.
Click New and enter the following information:
a. Set IP/Host Name to the host value from Step 12 in the previous section.
b. Set Credential to the one created in Steps 1 to 3 above.
c. Click Save.
5. Go to ADMIN > Setup > Credentials, select the credential, and run Test Connectivity.
6. If connectivity is successful, go to ADMIN > Setup > Pull Events. An entry appears in the Event Pulling table,
which means events are being pulled.

Sample Events

Events are in JSON format.


[CiscoAMP-Update-Policy-Failure]
{
  "id": 6723137944535695384,
  "timestamp": 1565352535,
  "timestamp_nanoseconds": 82000000,
  "date": "2019-08-09T12:08:55+00:00",
  "event_type": "Policy Update Failure",
  "event_type_id": 2164260866,
  "connector_guid": "98be064e-2ba5-4482-8405-4a9268ae9f2e",
  "group_guids": ["3c025f05-a2c4-4613-9186-343365f53853"],
  "error": {"error_code": 3242196993, "description": "Unknown Error"},
  "computer": {
    "connector_guid": "98be064e-2ba5-4482-8405-4a9268ae9f2e",
    "hostname": "host1",
    "external_ip": "1.2.3.4",
    "active": true,
    "network_addresses": [{"ip": "1.2.3.5", "mac": "00:21:97:1e:1c:05"}],
    "links": {
      "computer": "https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-8405-4a9268ae9f2e",
      "trajectory": "https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-8405-4a9268ae9f2e/trajectory",
      "group": "https://api.amp.cisco.com/v1/groups/3c025f05-a2c4-4613-9186-343365f53853"
    }
  }
}


Cisco Security Agent (CSA)

l What is Discovered and Monitored
l Configuration
l SNMP Trap

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For

SNMP Trap

Rules

FortiSIEM uses these rules to monitor events for this device:

Rule                             Description
Agent service control            Attempts to modify agent configuration
Agent UI control                 Attempts to modify agent UI default settings, security settings, configuration, contact information
Application control              Attempts to invoke processes in certain application classes
Buffer overflow attacks          -
Clipboard access control         Attempts to access clipboard data written by sensitive data applications
COM component access control     Unusual attempts to access certain COM sets including Email objects
Connection rate limit            Excessive connections to web servers or from email clients
Data access control              Unusual attempts to access restricted data sets such as configuration files, passwords etc. by suspect applications
File access control              Unusual attempts to read or write restricted file sets such as system executables, boot files etc. by suspect applications
Kernel protection                Unusual attempts to modify kernel functionality by suspect applications
Network access control           Attempts to connect to local network services
Network interface control        Attempts by local applications to open a stream connection to the NIC driver
Network shield                   Attacks based on bad IP/TCP/UDP/ICMP headers, port and host scans etc.
Windows event log                -
Registry access control          Attempts to write certain registry entries
Resource access control          Symbolic link protection
Rootkit/kernel protection        Unusual attempts to load files after boot
Service restart                  Service restarts
Sniffer and protocol detection   Attempts by packet/protocol sniffer to receive packets
Syslog control                   Syslog events
System API control               Attempts to access the Windows Security Account Manager (SAM)

Reports

There are no predefined reports for Cisco Security Agent.

Configuration

SNMP Trap

FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send
SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Example SNMP Trap


(One trap, shown with one varbind per line for readability.)

2008-05-13 11:00:36 192.168.1.39 [192.168.1.39]:
SNMPv2-MIB::sysUpTime.0 = Timeticks: (52695748) 6 days, 2:22:37.48
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.8590.3.1
SNMPv2-SMI::enterprises.8590.2.1 = INTEGER: 619
SNMPv2-SMI::enterprises.8590.2.2 = INTEGER: 261
SNMPv2-SMI::enterprises.8590.2.3 = STRING: "sjdevVwindb06.ProspectHills.net"
SNMPv2-SMI::enterprises.8590.2.4 = STRING: "2008-05-13 19:03:21.157"
SNMPv2-SMI::enterprises.8590.2.5 = INTEGER: 5
SNMPv2-SMI::enterprises.8590.2.6 = INTEGER: 452
SNMPv2-SMI::enterprises.8590.2.7 = STRING: "C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"
SNMPv2-SMI::enterprises.8590.2.8 = NULL
SNMPv2-SMI::enterprises.8590.2.9 = STRING: "192.168.20.38"
SNMPv2-SMI::enterprises.8590.2.10 = STRING: "192.168.1.39"
SNMPv2-SMI::enterprises.8590.2.11 = STRING: "The process 'C:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe' (as user NT AUTHORITY\\SYSTEM) attempted to accept a connection as a server on TCP port 5900 from 192.168.20.38 using interface Wired\\VMware Accelerated AMD PCNet Adapter. The operation was denied."
SNMPv2-SMI::enterprises.8590.2.12 = INTEGER: 109
SNMPv2-SMI::enterprises.8590.2.13 = STRING: "192.168.1.39"
SNMPv2-SMI::enterprises.8590.2.14 = STRING: "W"
SNMPv2-SMI::enterprises.8590.2.15 = INTEGER: 3959
SNMPv2-SMI::enterprises.8590.2.16 = INTEGER: 5900
SNMPv2-SMI::enterprises.8590.2.17 = STRING: "Network access control"
SNMPv2-SMI::enterprises.8590.2.18 = STRING: "Non CSA applications, server for TCP or UDP services"
SNMPv2-SMI::enterprises.8590.2.19 = INTEGER: 33
SNMPv2-SMI::enterprises.8590.2.20 = STRING: "CSA MC Security Module"
SNMPv2-SMI::enterprises.8590.2.21 = NULL
SNMPv2-SMI::enterprises.8590.2.22 = STRING: "NT AUTHORITY\\SYSTEM"
SNMPv2-SMI::enterprises.8590.2.23 = INTEGER: 2


CloudPassage Halo

l Integration points
l CloudPassage REST API Integration

Integration points

Protocol: CloudPassage Halo REST API
Information collected: Events (over 110 event types, including user login and account activity, server compliance and vulnerability status, server FIM and firewall policy modification, etc.)
Used for: Security and Compliance

CloudPassage REST API Integration

FortiSIEM can pull logs from CloudPassage Halo via CloudPassage REST API. Currently, over 110 CloudPassage event
types are parsed.
To see the event types:
1. Login to FortiSIEM.
2. Go to ADMIN > Resources > Event Types.
3. Search for 'CloudPassage-Halo'.
Use cases covered via API:
l User login to Halo and user account creation/deletion/modification activity
l Vulnerable software package found and Compromised host detection
l Server FIM, Firewall policy modification
l Server account creation
l Server login via ghostport

Configuring CloudPassage Portal

Create an API Key to be used for FortiSIEM communication.


1. Log in to your CloudPassage Halo portal.
2. Create an API Key and API Secret for use in FortiSIEM.

Configuring FortiSIEM

Use the API Key and Secret in previous step to enable FortiSIEM access.
1. Login to FortiSIEM.
2. Go to ADMIN > Setup > Credential.


3. Click New to create a CloudPassage Halo credential.


a. Choose Device Type = CloudPassage Halo (Vendor = CloudPassage, Model = Halo).
b. Choose Access Protocol = Halo REST API.
c. Choose Pull Interval = 5 minutes.
d. Password Configuration: for CyberArk and RAX_CustomerService, see Password Configuration. For
Manual, see the following:
i. Set API Key ID to the API Key obtained from the CloudPassage portal in Configuring CloudPassage Portal.
ii. Set API Key Secret to the API Secret obtained from the CloudPassage portal in Configuring
CloudPassage Portal.
e. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple
customers.
f. Click Save.
4. Enter an IP range to Credential Association.
a. Set Hostname = api.cloudpassage.com
b. Select the credential created in step 3.
c. Click Save.
5. Select the entry in step 4 and click Test Connectivity. Once successful, an entry will be created in ADMIN >
Setup > Pull Events. FortiSIEM will start to pull events from CloudPassage portal using the API.
To test for received CloudPassage Halo events:
1. Go to ADMIN > Setup > Pull Events.
2. Select the CloudPassage entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from CloudPassage in the
last 15 minutes. You can modify the time interval to get more events.


CrowdStrike Endpoint Security

l Integration Points
l Falcon Streaming API Integration
l Falcon Data Replicator Integration

Integration Points

Protocol: Falcon Streaming API
Information Discovered: Detection Summary, Authentication Log, Detection Status Update, Indicators of Compromise, Containment Audit Events, IP White-listing events, Sensor Grouping Events
Used For: Security and Compliance

Protocol: Falcon Data Replicator
Information Discovered: Detection Summary, User Activity, Authentication Activity
Used For: Security and Compliance

Falcon Streaming API Integration

FortiSIEM can collect the following types of events from the CrowdStrike Cloud Service via the Falcon Streaming API:
l Detection Summary
l Authentication Log
l Detection Status Update
l Customer Indicators of Compromise
l Containment Audit Events
l IP White-listing Events
l Sensor Grouping Events
Details of the Falcon Streaming API are in CrowdStrike's own documentation.
To receive CrowdStrike security events via the Falcon Streaming API, follow these two steps:
1. Configure CrowdStrike Service for Falcon Streaming API.
2. Configure FortiSIEM for Falcon Streaming API Based Access.

Configure CrowdStrike Service for Falcon Streaming API

Create an account to be used for FortiSIEM communication:


1. Login to CrowdStrike as Falcon Customer Admin.
2. Go to Support App > Key page.
3. Click Reset API Key. Copy the API key and UUID for safe keeping. Note that your API key and UUID are assigned
one pair per customer account, not one pair per user. Thus, if you generate a new API key, you may be affecting
existing applications in your environment.


Configure FortiSIEM for Falcon Streaming API Based Access

Use the account in previous step to enable FortiSIEM access.


1. Login to FortiSIEM.
2. Go to ADMIN > Setup > Credential.
3. Click New to create CrowdStrike Falcon credential.
a. Choose Device Type = CrowdStrike Falcon (Vendor = CrowdStrike, Model = Falcon).
b. Choose Access Protocol = Falcon Streaming API.
c. Enter the UUID and the API Key obtained in Configure CrowdStrike Service for Falcon Streaming API.
d. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple
customers.
e. Click Save.
4. Enter an IP Range to Credential Association.
a. Set Hostname to firehose.crowdstrike.com.
b. Select the Credential created in step 3.
c. Click Save.
5. Select the entry in step 4 and click Test Connectivity and make sure Test Connectivity succeeds, implying that
the credential is correct.
6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will
start to pull events from CrowdStrike Cloud Service using the Falcon Streaming API.
To test for events received via CrowdStrike Streaming API:
1. Go to ADMIN > Setup > Pull Events.
2. Select the CrowdStrike Streaming API entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from CrowdStrike Cloud
Service in the last 15 minutes. You can modify the time interval to get more events.

Falcon Data Replicator Integration

FortiSIEM can collect the following types of events from the CrowdStrike Cloud Service via the Falcon Data Replicator method:
l Detection Summary Events
l User Activity Audit Events
l Auth Activity Audit Events
Details of the Falcon Data Replicator method are in CrowdStrike's own documentation.
To receive CrowdStrike security events via the Falcon Data Replicator integration, follow these two steps:
1. Obtain AWS Credentials from CrowdStrike.
2. Configure FortiSIEM for Falcon Data Replicator.

Obtain AWS Credentials from CrowdStrike

Contact CrowdStrike to obtain AWS credentials for pulling CrowdStrike logs from AWS.


1. Generate a GPG key pair in ASCII format.


2. Send the public part of the GPG key to [email protected].
3. CrowdStrike will encrypt the API key with your public key and send you the encrypted API key. You can decrypt
using your private GPG key.
4. CrowdStrike Support will also provide you an SQS Queue URL.
Credentials obtained in steps 3 and 4 above will be used in the next step.

Configure FortiSIEM for Falcon Data Replicator

Use the credentials in previous step to enable FortiSIEM access.


1. Login to FortiSIEM.
2. Go to ADMIN > Setup > Credentials.
3. In Step 1: Enter Credentials, click New to create CrowdStrike Falcon Data Replicator credential.
a. Choose Device Type = CrowdStrike Falcon (Vendor = CrowdStrike, Model = Falcon).
b. Choose Access Protocol = CrowdStrike Falcon Data Replicator.
c. Enter the Region where the instance is located.
d. Enter the SQS Queue URL provided by CrowdStrike Support in the previous section.
e. Password Config: see Password Configuration.
f. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple
customers.
g. Click Save.
4. In Step 2: Enter IP Range to Credential Associations, click New.
a. Get the Hostname from the SQS Queue URL. For example, for the Queue URL
https://us-west-1.queue.amazonaws.com/754656674199/cs-prod-cannon-queue-d5836cd3792ece8f
set the host name to us-west-1.queue.amazonaws.com.
b. Select the Credential created in step 3 above.
c. Click Save.
5. Select the entry in step 4, click the Test drop-down list, and select Test Connectivity. If the test succeeds, then
the credential is correct.
6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will
start to pull events from the CrowdStrike Cloud Service using the Falcon Data Replicator.
To test for events received via CrowdStrike Falcon Data Replicator:
1. Go to ADMIN > Setup > Pull Events.
2. Select the CrowdStrike Falcon Data Replicator entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from CrowdStrike Cloud
Service in the last 15 minutes. You can modify the time interval to get more events.


Digital Guardian CodeGreen DLP

l What is Discovered and Monitored
l Event Types
l Rules
l Reports
l Configuration
l Sample Event

What is Discovered and Monitored

Protocol Information Discovered Data Collected Used for

Syslog (CEF format) - 1 event type Security and Compliance

Event Types

In RESOURCE > Event Types, Search for “CodeGreen-”.

Rules

There are no specific rules, but generic rules for Data Leak Protection apply.

Reports

There are no specific reports, but generic reports for Data Leak Protection and Generic Servers apply.

Configuration

Configure Digital Guardian Code Green DLP to send syslog on port 514 to FortiSIEM.

Sample Event

(One event, wrapped at attribute boundaries.)

<10>1 2017-05-11T12:08:06.380Z ABC-Manager DLP - INCADD incident_id="1.12815.1" managed_device_id="1"
number_of_incidents="1" incident_status="New,Audit Only"
matched_policies_by_severity="High:C_PHI_MRN / C_MRN_>25;" action_taken="NET_NS_H" matches="55" protocol="SMTP"
http_url="" inspected_document="Milla_9.16-4.17__UPDATED.XLSX" source="[email protected]" source_ip="1.1.1.1"
source_port="21752" destination="[email protected]" destination_ip="2.2.2.2" destination_port="25"
email_subject="RE: Open Encounters" email_sender="[email protected]" email_recipients="[email protected];"
timestamp="2017-05-11 12:06:09 PDT" incidents_url=https://aaa.lpch.net/LoadIncidentManagement.do?m=1&id=1,27372


ESET NOD32 Anti-Virus

l What is Discovered and Monitored
l ESET NOD32 Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For

Syslog

ESET NOD32 Configuration

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslogs to
FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
l For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your FortiSIEM
Supervisor.
l For Port, enter 514.
l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that
shown in the example.

Example Syslog

<35313912>Jul 26 18:06:12 LMHCAPEAV01 ERA Server: [2011-07-26 13:06:12.784] V5 [4e2f02148110] [00000e9c]
<SESSION_INFO> Kernel connection from 10.0.52.25:48071 accepted

<35313864>Jul 26 18:06:13 LMHCAPEAV01 ERA Server: [2011-07-26 13:06:13.221] V5 [4e2f02148110] [00000e9c]
<SESSION_INFO> Kernel connection from 10.0.52.25:48071 closed (code 0,took 438ms, name 'Lmhathnsmt01',
mac '00-1E-4F-E8-49-03', product 'ESET NOD32 Antivirus BUSINESS EDITION', product version '04.00002.00071',
virus signature db version '63(20110726)')


FortiClient

l What is Discovered and Monitored
l Configuration
l Access Credentials for FortiSIEM
l Sample Events

What is Discovered and Monitored

Protocol: Syslog via FortiAnalyzer (FortiClient > FortiAnalyzer > FortiSIEM)
Information Discovered: -
Metrics Collected: Traffic logs (IPSec, VPN, File Cleaning/Blocking); Event logs (Antivirus, Web Filter, Vulnerability Scan, Application Firewall, VPN, WAN Optimization, Update logs)
Used For: Security Monitoring and Log analysis

Note: FortiSIEM collects logs from FortiAnalyzer (FAZ).

Event Types

Search for 'FortiClient' to see the event types associated with this device under RESOURCES > Event Types.

Rules

There are generic rules that trigger for this device as event types are mapped to specific event type groups.

Reports

Generic reports are written for this device as event types are mapped to specific event type groups.

Configuration

1. Configure FortiClient to send events to FAZ.


2. Configure FAZ to send events to FortiSIEM:
a. Login to FAZ.
b. Go to System Settings > Advanced > Syslog Server.
c. Click Create New.
d. Enter the Name. It is recommended to use the name of the FortiSIEM Supervisor node.
e. Set the IP address (or FQDN) field to the IP or a fully qualified name of the FortiSIEM node that would parse
the log (most likely Collector or Worker/Supervisor).
f. Retain the Syslog Server Port default value '514'.


g. Click OK to save your entries.


h. Go to System Settings > Dashboard > CLI Console.
i. Type the following in the CLI Console for:
l FAZ 5.1 and older:
config system aggregation-client
edit 1 (or the number for your FSM syslog entry)
set fwd-log-source-ip original_ip
end

l FAZ 5.6 and newer:


config system log-forward
edit 1 (or the number for your FSM syslog entry)
set fwd-log-source-ip original_ip
end

j. Go to System Settings > Log Forwarding.


k. Click Create New.
l. Enter the Name.
m. Select 'Syslog' as Remote Server Type.
n. Enter the Server IP with the IP of the FortiSIEM Server/Collector.
o. Retain the Server Port default value '514'.
p. Set Reliable Connection to the default value 'Off'.
Note: Setting this to 'On' will make every log sent from FAZ appear with FAZ’s IP and NOT that of the firewall
(s). In addition, your network must allow UDP connection between FAZ and FortiSIEM Collector. Otherwise,
the logs will not reach the Collector.
q. Optional – Use Log Forwarding Filters to select specific devices you want to forward log for.
3. Follow the steps below to validate that logs are properly flowing from FAZ to FortiSIEM:
a. Login to FortiSIEM.
b. Click ANALYTICS tab and use the filter to perform a real-time search:
i. Click on the Attribute field to select 'Reporting IP' from the list or enter the same in the field to search.
ii. Select '=' Operator.
iii. In the Value field, enter the IP address of the Fortinet device from which logs are expected.
Note: This is NOT the IP address of the FAZ but of an original source device, such as a FortiGate firewall. To
ensure that everything is being sent and received correctly, you can check several device IPs.
You will now see events from one, to numerous, source device(s), even though they are all forwarded from a single
FAZ device. You can also check CMDB > Devices to see whether the devices are appearing within CMDB.
Note: The Relaying IP value in FortiSIEM will not show the IP address of the FAZ but that of the original device
which sent the logs to FAZ.
All the device logs appear within FortiSIEM without configuring numerous devices individually.

Access Credentials for FortiSIEM

Setting          Value
Name             <name>
Device Type      Fortinet FortiClient
Access Protocol  WMI
Pull Interval    1 minute
NetBIOS/Domain   The NetBIOS name of servers or domain name
Password config  See Password Configuration

Sample Events

Traffic Log

(One record, wrapped at attribute boundaries; the FortiClient log is carried inside the log="..." value.)

<116> device=FCTEMS0000000001 severity=medium from=FAZVM64(FAZ-VM0000000001) trigger=EVT2SIEM
log="itime=1489562233 date=2017-03-15 time=00:17:13 logver=2 type=traffic sessionid=N/A hostname=hostname.local
uid=1000000000 devid=FCT8000000000008 fgtserial=FCTEMS0000000005 level=warning regip=10.1.1.1 srcname="Opera"
srcproduct=N/A srcip=10.1.1.3 srcport=18398 direction=outbound dstip=10.0.0.4 remotename="aa.com" dstport=20480
user="bb.lee" service=http proto=6 rcvdbyte=N/A sentbyte=N/A utmaction=blocked utmevent=webfilter
threat="Gambling" vd=root fctver=1.2.1.1 os="Mac OS X 1.1.1" usingpolicy=N/A url=/ userinitiated=0
browsetime=N/A"

(Parsed event type: FortiClient-traffic-blocked)

Event Log

<116> device=FCTEMS0036759495 severity=medium from=FAZVM64(FAZ-VM0000000001)


trigger=EVT2SIEM1 log="itime=1490237155 date=2017-03-22 time=19:45:55 logver=2
level=info uid=C4C4E56CE7B04762B053E8F88B8ECF47 vd=root fctver=5.4.2.0862
os="Microsoft Windows Server 2012 R2 Standard Edition, 64-bit (build 9600)"
usingpolicy=AOFCT fgtserial=N/A emsserial=FCTEMS0036759495 devid=FCT8003883203338
hostname=sjcitvwfct01 pcdomain=accelops.net clientfeature=endpoint
deviceip=devicemac=N/A type=event user=N/A id=96953 msg="Endpoint Control Status
changed - Offline""
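The two FortiClient samples above are key=value text with the original FortiClient log nested inside a quoted log="..." field, and the event-log sample contains an unescaped inner quote and a run-together deviceip=devicemac=N/A token. The parser below is an added example, not FortiSIEM's parser or Fortinet code; it assumes the two sample lines above re-wrapped onto single lines (the ET---> label is FortiSIEM's event-type name, not log content, so it is left off), splits the forwarding envelope from the inner log, and maps the traffic sample to the event-type label the page shows.

```python
import re

# Constructed from the FortiClient EMS samples on this page, re-wrapped onto one line each.
TRAFFIC_SAMPLE = (
    '<116> device=FCTEMS0000000001 severity=medium from=FAZVM64(FAZ-VM0000000001) '
    'trigger=EVT2SIEM log="itime=1489562233 date=2017-03-15 time=00:17:13 logver=2 '
    'type=traffic sessionid=N/A hostname=hostname.local uid=1000000000 '
    'devid=FCT8000000000008 fgtserial=FCTEMS0000000005 level=warning regip=10.1.1.1 '
    'srcname="Opera" srcproduct=N/A srcip=10.1.1.3 srcport=18398 direction=outbound '
    'dstip=10.0.0.4 remotename="aa.com" dstport=20480 user="bb.lee" service=http proto=6 '
    'rcvdbyte=N/A sentbyte=N/A utmaction=blocked utmevent=webfilter threat="Gambling" '
    'vd=root fctver=1.2.1.1 os="Mac OS X 1.1.1" usingpolicy=N/A url=/ userinitiated=0 '
    'browsetime=N/A"'
)
EVENT_SAMPLE = (
    '<116> device=FCTEMS0036759495 severity=medium from=FAZVM64(FAZ-VM0000000001) '
    'trigger=EVT2SIEM1 log="itime=1490237155 date=2017-03-22 time=19:45:55 logver=2 '
    'level=info uid=C4C4E56CE7B04762B053E8F88B8ECF47 vd=root fctver=5.4.2.0862 '
    'os="Microsoft Windows Server 2012 R2 Standard Edition, 64-bit (build 9600)" '
    'usingpolicy=AOFCT fgtserial=N/A emsserial=FCTEMS0036759495 devid=FCT8003883203338 '
    'hostname=sjcitvwfct01 pcdomain=accelops.net clientfeature=endpoint '
    'deviceip=devicemac=N/A type=event user=N/A id=96953 msg="Endpoint Control Status '
    'changed - Offline""'
)

# key=value where the value is a double-quoted string (may contain spaces)
# or a run of non-space characters.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def _kv_pairs(text):
    """Parse key=value pairs, expanding the malformed 'a=b=c' token form."""
    out = {}
    for m in _KV.finditer(text):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            out[key] = quoted
            continue
        # FortiClient may emit an empty value with no separating space, e.g.
        # "deviceip=devicemac=N/A" in the page's event-log sample. Read that as
        # deviceip="" followed by devicemac="N/A".
        while re.fullmatch(r'\w+=.*', bare):
            out[key] = ''
            key, bare = bare.split('=', 1)
        out[key] = bare
    return out


def parse_forticlient(line):
    """Split a FAZ-forwarded FortiClient line into (pri, envelope, log_fields).

    The inner log is everything between log=" and the LAST double quote on
    the line, so an unescaped quote inside it (the msg="..."" ending of the
    page's event-log sample) does not break parsing.
    """
    pri_match = re.match(r'<(\d+)>\s*', line)
    pri = int(pri_match.group(1)) if pri_match else None
    rest = line[pri_match.end():] if pri_match else line
    start = rest.find('log="')
    if start < 0:
        raise ValueError('no log="..." field present')
    envelope = _kv_pairs(rest[:start])
    inner = rest[start + len('log="'):rest.rindex('"')]
    return pri, envelope, _kv_pairs(inner)


def event_type(log_fields):
    """Return the event-type label the page shows for the traffic sample;
    the page gives no label for the event-log sample, so that yields None."""
    if log_fields.get('type') == 'traffic' and log_fields.get('utmaction') == 'blocked':
        return 'FortiClient-traffic-blocked'
    return None


if __name__ == '__main__':
    for sample in (TRAFFIC_SAMPLE, EVENT_SAMPLE):
        pri, env, log = parse_forticlient(sample)
        print(pri, env['device'], log.get('type'), event_type(log))
```

The envelope (device, severity, from, trigger) identifies the EMS and the FAZ that relayed the line, which is why the Relaying IP note above matters: the fields that name the real endpoint (hostname, devid, regip) are inside the quoted log, not in the envelope.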


Fortinet FortiEDR

l Integration Points
l Configuration
l Settings for Access Credentials
l Sample Events

Integration Points

Method: Syslog
Information discovered: Host name, Reporting IP
Metrics collected: None
Logs collected: System and Security Events (e.g., file blocked)
Used for: Security monitoring

Event Types

In ADMIN > Device Support > Event, search for "FortiEDR" to see the event types associated with this device.

Rules

No specific rules are written for FortiEDR but generic end point rules apply

Reports

No specific reports are written for FortiEDR but generic end point rules apply

Configuration

Configure the FortiEDR system to send logs to FortiSIEM in the supported format (see Sample Events below).

Settings for Access Credentials

None required

Sample Events

<133>1 2019-09-18T06:42:18.000Z 1.1.1.1 enSilo - - - Organization: Demo;Organization ID: 156646;Event ID: 458478;Raw Data ID: 1270886879;Device Name: WIN10-VICTIM;Operating System: Windows 10 Pro N;Process Name: svchost.exe;Process Path: \Device\HarddiskVolume4\Windows\System32\svchost.exe;Process Type: 64bit;Severity: Critical;Classification: Suspicious;Destination: File Creation;First Seen: 18-Sep-2019, 02:42:18;Last Seen: 18-Sep-2019, 02:42:18;Action: Blocked;Count: 1;Certificate: yes;Rules List: File Encryptor - Suspicious file modification;Users: WIN10-VICTIM\U;MAC Address: 00-0C-29-D4-75-EC;Script: N/A;Script Path: N/A;Autonomous System: N/A;Country: N/A


Malwarebytes Endpoint Protection

l What is Discovered and Monitored
l Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For

Syslog Malware detection log Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "malwarebytes" to see the event types associated with this device.

Rules

Malware found but not remediated.

Reports

In RESOURCE > Reports, search for "malware found" to see the reports associated with this device.

Configuration

Syslog

FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM on port 514.

Sample Syslog:
<45>1 2016-09-23T14:40:35.82-06:00 reportDeviceName Malwarebytes-Endpoint-Security 1552 - - {"security_log":{"client_id":"ef5f8fc8-ad0e-46f8-b6d7-1a85d5f73e64","host_name":"Abc-cbd","domain":"abc.com","mac_address":"FF-FF-FF-FF-FF","ip_address":"10.1.1.1","time":"2016-09-23T14:40:14","threat_level":"Moderate","object_type":"FileSystem","object":"HKLM\\SOFTWARE\\POLICIES\\GOOGLE\\UPDATE","threat_name":"PUM.Optional.DisableChromeUpdates","action":"Quarantine","operation":"QUARANTINE","resolved":true,"logon_user":"dsamuels","data":"data","description":"No description","source":"MBAM","payload":null,"payload_url":null,"payload_process":null,"application_path":null,"application":null}}
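The Malwarebytes message above is an RFC 5424 syslog line whose MSG part is a JSON document, and the Rules section names a single condition, "Malware found but not remediated". The code below is an added example, not FortiSIEM's parser or rule logic (the actual rule condition is not on the page); it assumes the sample above re-wrapped onto one line, parses the header and the JSON body, and evaluates a plain reading of that rule name: a threat is named and the record does not say it was resolved. A second input with resolved=false is constructed from the sample to show the alerting path.

```python
import json
import re

# Constructed from the Malwarebytes sample on this page, re-wrapped onto one line.
PAGE_SAMPLE = (
    '<45>1 2016-09-23T14:40:35.82-06:00 reportDeviceName Malwarebytes-Endpoint-Security 1552 - - '
    '{"security_log":{"client_id":"ef5f8fc8-ad0e-46f8-b6d7-1a85d5f73e64","host_name":"Abc-cbd",'
    '"domain":"abc.com","mac_address":"FF-FF-FF-FF-FF","ip_address":"10.1.1.1",'
    '"time":"2016-09-23T14:40:14","threat_level":"Moderate","object_type":"FileSystem",'
    '"object":"HKLM\\\\SOFTWARE\\\\POLICIES\\\\GOOGLE\\\\UPDATE",'
    '"threat_name":"PUM.Optional.DisableChromeUpdates","action":"Quarantine",'
    '"operation":"QUARANTINE","resolved":true,"logon_user":"dsamuels","data":"data",'
    '"description":"No description","source":"MBAM","payload":null,"payload_url":null,'
    '"payload_process":null,"application_path":null,"application":null}}'
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
# Only the nil structured-data form ("-") that Malwarebytes sends is handled;
# a "[...]" SD block containing spaces would need a real SD parser.
_RFC5424 = re.compile(
    r'^<(?P<pri>\d+)>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-) (?P<msg>.*)$', re.S)


def parse_malwarebytes(line):
    """Return header fields plus the decoded security_log object."""
    m = _RFC5424.match(line)
    if not m:
        raise ValueError('not an RFC 5424 line with nil structured data')
    pri = int(m.group('pri'))
    rec = {
        'facility': pri // 8,   # PRI = facility * 8 + severity
        'severity': pri % 8,
        'timestamp': m.group('ts'),
        'host': m.group('host'),
        'app': m.group('app'),
        'procid': m.group('procid'),
    }
    body = json.loads(m.group('msg'))  # raises on truncated or invalid JSON
    rec['security_log'] = body['security_log']
    return rec


def malware_not_remediated(rec):
    """Plain reading of the page's 'Malware found but not remediated' rule name
    (FortiSIEM's own condition is not shown): a threat is named and the
    agent did not mark the record resolved."""
    log = rec['security_log']
    return bool(log.get('threat_name')) and log.get('resolved') is not True


def unresolved_variant():
    """Constructed negative-path input: the page sample with resolved=false."""
    header, _, body = PAGE_SAMPLE.partition('{')
    payload = json.loads('{' + body)
    payload['security_log']['resolved'] = False
    return header + json.dumps(payload, separators=(',', ':'))


if __name__ == '__main__':
    for line in (PAGE_SAMPLE, unresolved_variant()):
        rec = parse_malwarebytes(line)
        print(rec['host'], rec['security_log']['threat_name'],
              'ALERT' if malware_not_remediated(rec) else 'ok')
```

Note that the PRI value 45 decodes to facility 5 (syslog) and severity 5 (notice); the threat_level inside the JSON, not the syslog severity, carries the vendor's own assessment.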


McAfee ePolicy Orchestrator (ePO)

l What is Discovered and Monitored
l Event Types
l Configuration
l Sample Access Protection Violation detected SNMP Trap

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For

SNMP Traps

Event Types

In ADMIN > Device Support > Event Types, search for "mcafee epolicy" to see the event types associated with this
application or device.

Configuration

FortiSIEM processes events via SNMP traps sent by the device. Follow the procedures below to configure McAfee ePO to send threat-based SNMP traps to FortiSIEM.

Step 1: Configuring SNMP Server to send Traps from McAfee ePO

1. Log in to the McAfee ePO web console.
2. Go to Main Menu > Configuration > Registered Servers, and click New Server.
The Registered Server Builder opens.


3. For Server type, select SNMP Server.
4. For Name, enter the IP address of your SNMP server.
5. Enter any Notes, and click Next to go to the Details page.
6. For Address, select IP4 from the drop-down and enter the IP/DNS name of the FortiSIEM virtual appliance that will receive the SNMP trap.
7. For SNMP Version, select SNMPv1.
8. For Community, enter public.
Note: The community string entered here is not used by FortiSIEM, because FortiSIEM accepts traps from McAfee ePO without any configuration.
9. Click Send Test Trap, and then click Save.
10. Log in to your Supervisor node and use Real Time Search to check whether FortiSIEM received the trap. Without any configuration on FortiSIEM, the traps are received under Real Time/Historical Analytics. (Search using 'Reporting IP' as McAfee ePO's IP.)


Step 2: Configuring “Automatic Response”

By default, McAfee ePO does not send SNMP trap alerts for the events that occur. This must be configured.
1. Go to Main Menu > Automation > Automatic Response.
2. By default, a few Automatic Responses are already configured, but they are in a disabled state.
3. Click the New Response button.
4. Enter a Name for the Response.
5. Set Status to 'Enabled' and click Next.
6. Click the Ellipsis icon, select the top level under Select System Tree Group, and click OK.
7. On the left side of the same screen, select Threat Handled.

Sample Access Protection Violation detected SNMP Trap

2017-05-30 16:24:27 192.168.100.205 TRAP, SNMP v1, community fortisiem SNMPv2-SMI::enterprises.3401.12.2.1.1 Enterprise Specific Trap (101) Uptime: 3:56:08.15
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.7 = STRING: "Threat_Trigger_Rule"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.30 = STRING: "58F5DD64-43C5-11E7-0584-000C29219964"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.360 = STRING: "My Organization"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.20 = STRING: "05/30/17 13:20:24 UTC"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.50 = STRING: "ENDP_AM_1050"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.510 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.510 = STRING: "Access Protection"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.520 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.70 = STRING: "WIN2012-SKULLC"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.90 = STRING: "192.168.100.205"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.80 = STRING: "192.168.100.205"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.500 = STRING: "000c29219964"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.50 = STRING: "McAfee Endpoint Security"
SNMPv2-SMI::enterprises.3401.12.2.1.1.6.0.00 = STRING: "10.5.0"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.370 = STRING: "Access Protection rule violation detected and NOT blocked"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.6 = STRING: "Threat"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.1 = INTEGER: 1
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.390 = STRING: "Server"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.380 = STRING: "Windows Server 2012 R2"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.50 = STRING: "05/30/17 13:24:05 UTC"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.530 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.550 = STRING: "192.168.100.205"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.540 = STRING: "192.168.100.205"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.560 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.580 = STRING: "FIREFOX.EXE"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.590 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.570 = STRING: "WIN2012-SKULLC\Administrator"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.500 = STRING: "GlobalRoot\Directory\My Group"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.280 = STRING: "C:\USERS\ADMINISTRATOR\DOWNLOADS\V3_2994DAT.EXE"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.200 = STRING: "WIN2012-SkullC"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.220 = STRING: "192.168.100.205"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.210 = STRING: "192.168.100.205"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.230 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.250 = STRING: "0"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.270 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.260 = ""
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.240 = STRING: "SYSTEM"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.340 = STRING: "IDS_ACTION_WOULD_BLOCK"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.290 = STRING: "'File' class or access"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.300 = STRING: "1095"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.350 = STRING: "True"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.320 = STRING: "Browsers launching files from the Downloaded Program Files folder"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.310 = STRING: "Critical"
SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.330 = STRING: "Access Protection"


MobileIron Sentry and Connector

l What is Discovered and Monitored
l Event Types
l Rules
l Reports
l Configuration
l Sample Events

What is Discovered and Monitored

Protocol Information Discovered Metrics/LOG collected Used for

Syslog Host name and Device Type from LOG Over 14 types of security logs Security and Compliance

Event Types

Go to Admin > Device Type > Event Types and search for “MobileIron-”.

Rules

None

Reports

None

Configuration

Configure MobileIron to send syslog in the supported format to FortiSIEM. No configuration is required in FortiSIEM.

Sample Events

Apr 3 04:16:51 mobile-apptunnel.xxxxx.com mi: PRODUCT=Sentry_9.4.0_4,2019 Apr 3 04:16:48 WARN (Device=bc7b8d61-b003-49e6-9ef5-76ee5bebd6d9, DeviceIPPort=10.1.1.1:60995, User=Username2, Command=POST, Server=25678:domain3.local, Service=Traveler) (AlertOrigin=Sentry, AlertId=HTTP503) Got exception during device-to-server processing, Sentry reporting error to client:java.net.SocketTimeoutException: Read timed out


Netwrix Auditor (via Correlog Windows Agent)

l What is Discovered and Monitored
l Event Types
l Rules
l Reports
l Configuration
l Sample Events

What is Discovered and Monitored

Protocol: Via Correlog Windows Agent
Information Discovered: Host name and Device Type from LOG
Metrics/LOG collected: 2 Security logs
Used for: Security and Compliance monitoring

Event Types

Go to Admin > Device Type > Event Types and search for “Netwrix_Auditor_”.

Rules

None

Reports

None

Configuration

Configure Netwrix Auditor to send logs to Correlog Windows Agent. FortiSIEM will automatically parse the logs as long
as they appear in the format below.

Sample Events

<158>2018 Jul 27 07:20:36 CorreLog_Win_Agent ACME-NETWRIX Netwrix_Auditor_Integration 0: Netwrix_Auditor_Integration_API: DataSource : Windows Server Action : Removed Message: Removed DNS A Where : ACME-DC02 ObjectType : DNS A Who : system What : DNS Server\SAC-DC02\acmegroup.local\ACME-TRADE08 IN A 10.150.90.180 1200 When : 2018-07-27T14:15:43Z Details : IP Address: 10.150.90.180, TTL: 1200, Container name: acmegroup.local, Owner name: acmegroup.local -


Palo Alto Traps Endpoint Security Manager

l What is Discovered and Monitored
l Event Types
l Configuration

What is Discovered and Monitored

Protocol Information Discovered Data Collected Used for

Syslog (CEF format) - Over 150 event types Security and Compliance

Event Types

In RESOURCE > Event Types, Search for “PAN-TrapsESM”.

Sample Event Type:

Sep 28 2016 17:38:48 172.16.183.173 CEF:0|Palo Alto Networks|Traps Agent|3.4.1.16709|Traps Service Status Change|Agent|6|rt=Sep 28 2016 17:38:48 dhost=traps-win7x86 duser=Traps msg=Agent Service Status Changed: Stopped-> Running

Sep 28 2016 17:42:04 ESM CEF:0|Palo Alto Networks|Traps ESM|3.4.1.16709|Role Edited|Config|3|rt=Sep 28 2016 17:42:04 shost=ESM suser=administrator msg=Role TechWriter was added\changed

Configuration

Configure Palo Alto Traps Endpoint Security Manager to send syslog on port 514 to FortiSIEM.


SentinelOne

l Integration Points
l Event Types
l Rules
l Reports
l Configuration
l Settings for Access Credentials
l Sample Events

Integration Points

Method: Syslog
Information Discovered: Host name, Reporting IP
Metrics Collected: None
Logs Collected: System and Security Events (e.g., file blocked)
Used for: Security monitoring

Event Types

In ADMIN > Device Support > Event, Search for "SentinelOne" to see the event types associated with this device.

Rules

No specific rules are written for SentinelOne but generic end point rules apply.

Reports

No specific reports are written for SentinelOne but generic end point rules apply.

Configuration

Configure SentinelOne system to send logs to FortiSIEM in the supported format (see Sample Events).

Settings for Access Credentials

None required.

Sample Events

<14>CEF:0|SentinelOne|Mgmt|Windows 7|21|Threat marked as resolved|1|rt=Jun 05 2017 09:29:17 uuid=586e7cc578207a3f75361073 fileHash=4b9c5fe8ead300a0be2dbdbcdbd193591451c8b4 filePath=\Device\HarddiskVolume2\Windows\AutoKMS\AutoKMS.exe

<14>CEF:0|SentinelOne|Mgmt|1.1.1.1|65|user initiated a fetch full report command to the agent DT-Virus7|1|rt=#arcsightDate(Jun 06 2017 09:29:17) suser=xyz duid=c29ca0cee8a0a989321495b78b1d256ab7189144 cat=SystemEvent
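Both the Palo Alto Traps samples (in the previous section) and the SentinelOne samples above are CEF: a seven-field pipe-separated header after CEF:, then a space-separated key=value extension in which values such as msg= and rt= contain spaces and are delimited only by the next key. The parser below is an added example, not FortiSIEM's or either vendor's code; it assumes the first Traps sample and the first SentinelOne sample re-wrapped onto single lines, honours the CEF escapes (\| and \\ in the header, \=, \\, \n and \r in the extension), and leaves non-compliant bare backslashes such as the SentinelOne filePath untouched.

```python
import re

# Constructed from the Palo Alto Traps and SentinelOne samples on this page,
# each re-wrapped onto one line (backslashes doubled for the Python literal).
TRAPS_SAMPLE = (
    'Sep 28 2016 17:38:48 172.16.183.173 CEF:0|Palo Alto Networks|Traps Agent|3.4.1.16709|'
    'Traps Service Status Change|Agent|6|rt=Sep 28 2016 17:38:48 dhost=traps-win7x86 '
    'duser=Traps msg=Agent Service Status Changed: Stopped-> Running'
)
SENTINELONE_SAMPLE = (
    '<14>CEF:0|SentinelOne|Mgmt|Windows 7|21|Threat marked as resolved|1|'
    'rt=Jun 05 2017 09:29:17 uuid=586e7cc578207a3f75361073 '
    'fileHash=4b9c5fe8ead300a0be2dbdbcdbd193591451c8b4 '
    'filePath=\\Device\\HarddiskVolume2\\Windows\\AutoKMS\\AutoKMS.exe'
)

HEADER_FIELDS = ('version', 'vendor', 'product', 'device_version',
                 'signature_id', 'name', 'severity')

# Header fields escape | and \ ; extension values escape =, \ and newlines.
_HEADER_UNESCAPE = re.compile(r'\\([\\|])')
_EXT_UNESCAPE = re.compile(r'\\([\\=nr])')
# An extension value runs until the next " key=" token or end of line, so
# values with spaces (msg=..., rt=...) survive without quoting.
_EXT_KV = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)', re.S)


def _unescape_ext(m):
    return {'n': '\n', 'r': '\r'}.get(m.group(1), m.group(1))


def parse_cef(line):
    """Return (syslog_prefix, header_dict, extension_dict) for one CEF line."""
    idx = line.find('CEF:')
    if idx < 0:
        raise ValueError('not a CEF message')
    prefix = line[:idx].strip()  # PRI / timestamp / host before CEF:, if any
    # split on pipes that are not escaped; 7 splits leave the extension whole
    parts = re.split(r'(?<!\\)\|', line[idx + len('CEF:'):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError('CEF header needs 7 pipe-separated fields')
    header = {k: _HEADER_UNESCAPE.sub(r'\1', v)
              for k, v in zip(HEADER_FIELDS, parts[:7])}
    sev = header['severity']
    header['severity'] = int(sev) if sev.isdigit() else sev
    ext = {m.group(1): _EXT_UNESCAPE.sub(_unescape_ext, m.group(2))
           for m in _EXT_KV.finditer(parts[7])}
    return prefix, header, ext


if __name__ == '__main__':
    for sample in (TRAPS_SAMPLE, SENTINELONE_SAMPLE):
        prefix, header, ext = parse_cef(sample)
        print(prefix, header['vendor'], header['name'], header['severity'], sorted(ext))
```

The second SentinelOne sample's rt=#arcsightDate(...) value is parsed the same way, as an opaque string up to the next key; converting it to a timestamp is a separate step.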


Sophos Central

l Integration points
l Configuring Sophos Central for API Access
l Configuring FortiSIEM for Sophos Central for API Access
l Parsing and Events

Integration points

Protocol Information Discovered Used For

Sophos Central API Endpoint suspicious activity detected by Sophos agent Security and Compliance

Configuring Sophos Central for API Access

Sophos provides ample documentation here.
1. Login to Sophos Central Website.
2. Go to Global Settings > API Token Management. Click Add Token.
The Token will display.
3. Note the following information for later use:
a. Get Host Name from API Access URL (part after https://).
b. Get Authorization from API Access URL + Headers (part after Authorization:Basic).
c. Get API Key from Headers (part between x-api-key: and Authorization Basic).

Configuring FortiSIEM for Sophos Central for API Access

Use the token created in the previous section to enable FortiSIEM access.
1. Login to FortiSIEM.
2. Go to ADMIN > Setup > Credential.
3. Click New to create Sophos Central credential:
a. Choose Device Type = Sophos Central.
b. Choose Access Protocol = Sophos Central API.
c. Enter Authorization created in the previous section - step 3b above.
d. Keep User Name empty.
e. Leave the URI field empty. FortiSIEM will use gateway/siem/v1/events.
f. Enter API Key created in the previous section - step 3c.
g. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple
customers.
h. Click Save.


4. Create an IP Range to Credential Association:
a. Enter the Host Name noted in step 3a of the previous section.
b. Select the Credential created in step 3.
c. Click Save.
5. Select the entry in step 4 and click Test > Test Connectivity. If it succeeds, then the credential is correct.
6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Sophos Central using the Sophos Central API.
To test for events received via the Sophos Central API:
1. Go to ADMIN > Setup > Pull Events.
2. Select the Sophos Central entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from Sophos Central in the last 15 minutes. You can modify the time interval to get more events.

Parsing and Events

Over 20 events are parsed – see event types in Resources > Event Types and search for 'Sophos-Central'.


Sophos Endpoint Security and Control

l What is Discovered and Monitored
l Sophos Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For

SNMP Trap

Event Types

In ADMIN > Device Support > Event, search for "sophos endpoint" in the Device Type column to see the event
types associated with this application or device.

Sophos Configuration

SNMP Trap

FortiSIEM processes Sophos Endpoint control events via SNMP traps sent from the management console. Configure
the management console to send SNMP traps to FortiSIEM, and the system will automatically recognize the messages.
SNMP Traps are configured within the Sophos policies.
1. In the Policies pane, double-click the policy you want to change.
2. In the policy dialog, in the Configure panel, click Messaging.
3. In the Messaging dialog, go to the SNMP messaging tab and select Enable SNMP messaging.
4. In the Messages to send panel, select the types of event for which you want Sophos Endpoint Security and
Control to send SNMP messages.
5. In the SNMP trap destination field, enter the IP address of the recipient.
6. In the SNMP community name field, enter the SNMP community name.

Sample SNMP Trap

2011-05-03 18:22:32 172.15.30.8(via UDP: [172.15.30.8]:1216) TRAP, SNMP v1, community public
SNMPv2-SMI::enterprises.2604.2.1.1.1 Enterprise Specific Trap (1) Uptime: 5:59:55.31
SNMPv2-SMI::enterprises.2604.2.1.1.2.1.1 = STRING: "File \"C:\WINDOWS\system32\LDPackage.dll\"
belongs to virus/spyware 'Mal/Generic-S'."SNMPv2-SMI::enterprises.2604.2.1.1.2.2.2 = STRING:
"9.5.5"


Symantec Endpoint Protection

l What is Discovered and Monitored
l Symantec Endpoint Protection Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For

Syslog Logs Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "symantec endpoint" in the Device Type
and Description columns to see the event types associated with this device.

Symantec Endpoint Protection Configuration

Syslog

FortiSIEM processes events from this device via syslogs sent by the device.

Configuring Log Transmission to FortiSIEM

1. Log in to Symantec Endpoint Protection Manager.
2. Go to Admin > Configure External Logging > Servers > General.
3. Select Enable Transmission of Logs to a Syslog Server.
4. For Syslog Server, enter the IP address of the FortiSIEM virtual appliance.
5. For UDP Destination Port, enter 514.

Configuring the Types of Logs to Send to FortiSIEM

1. Go to Admin > Configure External Logging > Servers > Log Filter.
2. Select the types of logs and events you want to send to FortiSIEM.

Sample Syslog

<13>Feb 23 12:36:37 QA-V-Win03-App1.ProspectHills.net SymAntiVirus 0 2701170C2410,3,2,1,QA-V-WIN03-APP1,Administrator,,,,,,,16777216,"Scan started on selected drives and folders and all extensions.",1235421384,,0,,,,,0,,,,,,,,,,,{C11B44CF-35C9-4342-AB3D-E0E9E3756510},,(IP)-0.0.0.0,,ACME,00:50:56:A3:30:2F,11.0.1000.1112,,,,,,,,,,,,,,,,0,,,,,

<54>Jun 11 12:24:38 SymantecServer sjdevswinapp05: Site: Site sjdevswinapp05,Server: sjdevswinapp05,Domain: Default,Admin: admin,Administrator log on failed

<54>Jun 11 12:24:51 SymantecServer sjdevswinapp05: Site: Site sjdevswinapp05,Server: sjdevswinapp05,Domain: Default,Admin: admin,Administrator log on succeeded

<54>Feb 23 13:08:29 SymantecServer sjdevswinapp05: Virus found,Computer name: Filer,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:/Documents and Settings/Administrator.PROSPECTHILLS/Local Settings/Temp/vpqz3cxj.com,"",Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2009-02-23 21:06:51,Inserted: 2009-02-23 21:08:29,End: 2009-02-23 21:06:51,Domain: Default,Group: Global\Prospecthills,Server: sjdevswinapp05,User: Administrator,Source computer: ,Source IP: 0.0.0.0

Mar 16 15:11:06 SymantecServer aschq97: NF77088-PCA,Local: 192.168.128.255,Local: 138,Local: FFFFFFFFFFFF,Remote: 192.168.128.86,Remote: ,Remote: 138,Remote: 0015C53B9216,UDP,Inbound,Begin: 2009-03-16 15:05:02,End: 2009-03-16 15:05:02,Occurrences: 1,Application: C:/WINDOWS/system32/ntoskrnl.exe,Rule: Allow local file sharing,Location: Default,User: ,Domain: ASC

<54>Feb 24 11:51:19 SymantecServer sjdevswinapp05: QA-V-Win03-App2,[SID: 20352] HTTP Whisker/Libwhisker Scan (1) detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe,Local: 0.0.0.0,Local: 000000000000,Remote: ,Remote: 192.168.1.4,Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2009-02-24 11:50:01,End: 2009-02-24 11:50:01,Occurrences: 1,Application: C:/WINDOWS/system32/ntoskrnl.exe,Location: Default,User: Administrator,Domain: PROSPECTHILLS

<54>Jul 28 08:08:52 SymantecServer corpepp01: 6910p-X751008R,Category: 2,Symantec AntiVirus,New virus definition file loaded. Version: 130727ag.
<54>Jul 28 08:09:32 SymantecServer corpepp01: CORPMIO-H4VYWB1,Category: 2,Symantec AntiVirus,Symantec Endpoint Protection services shutdown was successful.
<52>Jul 28 08:10:13 SymantecServer corpepp01: TEMPEXP02,Category: 0,Smc,Failed to disable Windows firewall
<54>Jul 28 08:08:52 SymantecServer corpepp01: 8440p-X0491JYR,Category: 0,Smc,Connected to Symantec Endpoint Protection Manager (10.0.11.17)
<54>Jul 28 08:08:52 SymantecServer corpepp01: 8440p-X0491JYR,Category: 0,Smc,Disconnected from Symantec Endpoint Protection Manager (10.0.11.17)
<54>Jul 28 08:09:52 SymantecServer corpepp01: CORPES-3042,Category: 0,Smc,Connected to Symantec Endpoint Protection Manager (corphqepp01)
<54>Jul 28 08:09:52 SymantecServer corpepp01: CORPES-3042,Category: 0,Smc,Disconnected from Symantec Endpoint Protection Manager (corpepp01)
<54>Jul 28 08:09:32 SymantecServer corpepp01: CORPMIO-H4VYWB1,Category: 0,Smc,Network Threat Protection - - Engine version: 11.0.480 Windows Version info: Operating System: Windows XP (5.1.2600 Service Pack 3) Network info: No.0 "Local Area Connection 3" 00-15-c5-46-58-1e "Broadcom NetXtreme 57xx Gigabit Controller" 10.0.208.66
<54>Jul 28 07:55:32 SymantecServer corpepp01: tol-afisk,Blocked,Unauthorized NT call rejected by protection driver.,System,Begin: 2011-07-27 15:29:57,End: 2011-07-27 15:29:57,Rule: Built-in rule,6092,AcroRd32.exe,0,None,"FuncID=74H, RetAddr=18005CH",User: afisk,Domain: HST
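The SymantecServer lines above are comma-separated records in which some fields carry a "Label: value" prefix, the same label repeats (Local:, Remote:), quoted fields contain commas ("FuncID=74H, RetAddr=18005CH"), and a bare Windows path (C:/Documents and ...) must not be mistaken for a label. The parser below is an added example, not FortiSIEM's or Symantec's code; it assumes three of the sample lines above re-wrapped onto single lines, splits them with the csv module so that quoting is honoured, and separates labelled fields (kept as lists) from positional ones.

```python
import csv
import re

# Constructed from three SymantecServer samples on this page, one line each.
VIRUS_FOUND = (
    '<54>Feb 23 13:08:29 SymantecServer sjdevswinapp05: Virus found,Computer name: Filer,'
    'Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:/Documents and '
    'Settings/Administrator.PROSPECTHILLS/Local Settings/Temp/vpqz3cxj.com,"",Actual action: '
    'Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,'
    'Event time: 2009-02-23 21:06:51,Inserted: 2009-02-23 21:08:29,End: 2009-02-23 21:06:51,'
    'Domain: Default,Group: Global\\Prospecthills,Server: sjdevswinapp05,User: Administrator,'
    'Source computer: ,Source IP: 0.0.0.0'
)
FIREWALL = (
    'Mar 16 15:11:06 SymantecServer aschq97: NF77088-PCA,Local: 192.168.128.255,Local: 138,'
    'Local: FFFFFFFFFFFF,Remote: 192.168.128.86,Remote: ,Remote: 138,Remote: 0015C53B9216,'
    'UDP,Inbound,Begin: 2009-03-16 15:05:02,End: 2009-03-16 15:05:02,Occurrences: 1,'
    'Application: C:/WINDOWS/system32/ntoskrnl.exe,Rule: Allow local file sharing,'
    'Location: Default,User: ,Domain: ASC'
)
TAMPER = (
    '<54>Jul 28 07:55:32 SymantecServer corpepp01: tol-afisk,Blocked,Unauthorized NT call '
    'rejected by protection driver.,System,Begin: 2011-07-27 15:29:57,End: 2011-07-27 15:29:57,'
    'Rule: Built-in rule,6092,AcroRd32.exe,0,None,"FuncID=74H, RetAddr=18005CH",'
    'User: afisk,Domain: HST'
)

# Optional <PRI>, BSD-style timestamp, app name, SEPM server name, then the body.
_HEADER = re.compile(
    r'^(?:<(?P<pri>\d+)>)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<app>\S+) (?P<server>[^\s:]+): (?P<body>.*)$', re.S)
# "Label: value" field. The space after the colon is required so that a bare
# Windows path such as C:/Documents... is not taken for a label.
_LABEL = re.compile(r'^([A-Za-z][A-Za-z ]*):(?: (.*))?$', re.S)


def parse_sep(line):
    """Split one SymantecServer syslog line into header, labelled and positional fields."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError('unrecognised SEPM syslog header')
    # csv honours the quoting: "FuncID=74H, RetAddr=18005CH" stays one field
    # and the empty "" field in the virus sample becomes ''.
    fields = next(csv.reader([m.group('body')]))
    labelled, positional = {}, []
    for field in fields:
        lm = _LABEL.match(field)
        if lm:
            # the same label repeats (Local:, Remote:), so keep a list per label
            labelled.setdefault(lm.group(1), []).append(lm.group(2) or '')
        else:
            positional.append(field)
    return {
        'pri': int(m.group('pri')) if m.group('pri') else None,
        'timestamp': m.group('ts'),
        'app': m.group('app'),
        'server': m.group('server'),
        'labelled': labelled,
        'positional': positional,
    }


if __name__ == '__main__':
    for line in (VIRUS_FOUND, FIREWALL, TAMPER):
        rec = parse_sep(line)
        print(rec['server'], rec['positional'][0], sorted(rec['labelled']))
```

The first positional field is the record kind (Virus found) or the client computer name, depending on the log type; which it is follows from the log filter selected in the SEPM console, so a consumer should branch on the label set rather than assume one layout.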


Symantec SEPM

l Configuring Symantec SEPM
l Receiving Events in FortiSIEM

Configuring Symantec SEPM

Follow these steps to configure Symantec SEPM to send logs to FortiSIEM. For more information about Symantec SEPM, see the SEPM Installation and Administration Guide:
https://support.symantec.com/us/en/article.DOC10654.html
1. In the Symantec SEPM console, go to Admin > Servers.
2. Click the local site or remote site that you want to export log data from.
3. Click Configure External Logging.
4. On the General tab, in the Update Frequency list box, select how often to send the log.
5. In the Master Logging Server list box, select the management server to send the logs to. If you use SQL Server and connect multiple management servers to the database, then specify only one server as the Master Logging Server.
6. Check Enable Transmission of Logs to a Syslog Server (FortiSIEM).
7. Provide the following information. Be sure that the syslog server IP and port can be reached from SEPM.
a. Syslog Server—Enter the IP address or domain name of the Syslog server that will receive the log data (in this case, the IP of FortiSIEM).
b. Destination Port—Select the protocol to use, and enter the destination port that the Syslog server uses to listen for Syslog messages (for example, UDP 514 for FortiSIEM).
c. Log Facility—Enter the number of the log facility that you want the Syslog configuration file to use, or use the default value. Valid values range from 0 to 23.
8. On the Log Filter tab, check which logs to export.

Receiving Events in FortiSIEM

1. Check for events in FortiSIEM. Go to the ANALYTICS page and search on "Symantec".
2. Check for the device added by log. Go to CMDB > Devices.


Tanium Connect

l Integration points
l Configuring Tanium Connect
l Configuring FortiSIEM
l Parsing and Events

Integration points

Protocol Information Discovered Used For

Syslog Endpoint security logs Security and Compliance

Configuring Tanium Connect

Follow Tanium Connect documentation to send syslog to FortiSIEM.

Configuring FortiSIEM

FortiSIEM automatically recognizes Tanium Connect syslog as long as it follows the format shown in the sample syslog:
<134>1 2018-09-06T02:50:02.762000+00:00 tanium-server-1 Tanium 7020 - [Comply-Deployment-Status---Deployment-5@017472 Installed=true Version=3.0.45 Type=full Installed1=true Version1=8u131-e1 Comply---Has-Latest-Tools=true Count=2

Parsing and Events

Currently, 4 events are parsed – see event types in Resources > Event Types and search for "TaniumConnect-". Users can extend the parser to add other events.


Trend Micro Interscan Web Filter

l What is Discovered and Monitored
l Event Types
l Rules
l Reports
l Configuration

What is Discovered and Monitored

Protocol Information Discovered Data Collected Used for

Syslog (CEF format) - 15 event types Security and Compliance

Event Types

In RESOURCE > Event Types, Search for “TrendMicro-InterscanWeb-”.

Sample Event Type:

<130>abc.com: <Mon, 18 Sep 2017 10:00:48,IST> [EVT_URL_BLOCKING|LOG_CRIT] Blocked URL log tk_username=1.1.1.1,tk_date_field=2017-09-18 10:00:48+0530,tk_protocol=https,tk_url=https://google.com:443/,tk_malicious_entity=,tk_file_name=,tk_entity_name=,tk_action=,tk_scan_type=user defined,tk_blocked_by=rule,tk_rule_name=google.com,tk_opp_id=0,tk_group_name=None,tk_category=URL Blocking,tk_uid=0099253425-0ecd0076872a9d0ace16,tk_filter_action=0

<134>abc.com: <Mon, 18 Sep 2017 10:00:48,IST> [EVT_URL_ACCESS_TRACKING|LOG_INFO] Access tracking log tk_username=1.1.1.1,tk_url=http://aaa.com/pc/SHAREitSubscription.xml,tk_size=0,tk_date_field=2017-09-18 10:00:48+0530,tk_protocol=http,tk_mime_content=unknown/unknown,tk_server=abc.com,tk_client_ip=1.1.1.1,tk_server_ip=2.2.2.2,tk_domain=aaa.com,tk_path=pc/SHAREitSubscription.xml,tk_file_name=SHAREitSubscription.xml,tk_operation=GET,tk_uid=0099253421-bdd7d4ce063b924a2342,tk_category=56,tk_category_type=0

<134>abc.com: <Mon, 18 Sep 2017 10:00:59,IST> [EVT_PERFORMANCE|LOG_INFO] Performance log tk_server=abc.com,tk_date_field=2017-09-18 10:00:59+0530,tk_metric_id=Number of FTP Processes,tk_metric_value=6,

Rules

There are no specific rules, but generic rules for Web Filters and Generic Servers apply.

Reports

There are no specific reports, but generic rules for Web Filters and Generic Servers apply.


Configuration

Configure TrendMicro Interscan Web Filter to send syslog on port 514 to FortiSIEM.


Trend Micro Intrusion Defense Firewall (IDF)

l What is Discovered and Monitored
l Trend Micro Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For

Syslog

Trend Micro Configuration

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslogs to
FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
l For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your FortiSIEM virtual
appliance.
l For Port, enter 514.
l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that
shown in the example.

Example Syslog

<134>May 31 15:24:34 DSK-FT11XL1 dsa_mpld: REASON=PLD:Disallow_Web_Proxy_Autodiscovery_Protocol REV IN= OUT=Local_Area_Connection MAC=00:26:B9:80:74:71:2C:6B:F5:35:4E:00:08:00 SRC=192.168.20.2 DST=192.168.13.39 LEN=133 PROTO=UDP SPT=53 DPT=58187 CNT=1 act=Reset POS=0 SPOS=0 NOTE=CVE-2007-5355 FLAGS=0


Trend Micro OfficeScan

l What is Discovered and Monitored
l Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For

SNMP Trap

Configuration

SNMP Trap

FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Example SNMP Trap

2011-04-14 02:17:54 192.168.20.214(via UDP: [192.168.20.214]:45440) TRAP, SNMP v1, community public SNMPv2-SMI::enterprises.6101 Enterprise Specific Trap (5) Uptime: 0:00:00.30
SNMPv2-SMI::enterprises.6101.141 = STRING: "Virus/Malware: Eicar_test_file Computer: SJDEVVWINDB05 Domain: ABC File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yc8eayj0.com Date/Time: 4/10/2008 14:23:26 Result: Virus successfully detected, cannot perform the Clean action (Quarantine) "
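The three SNMPv1 trap samples in this chapter (McAfee ePO's Access Protection trap, the Sophos Endpoint trap, and the OfficeScan trap above) are all in the same snmptrapd text layout: an agent line with the enterprise OID and specific-trap number, followed by OID = TYPE: value varbinds. The McAfee sample repeats some OIDs (…5.2.50 three times, …5.2.510 twice) with different values, the Sophos string contains escaped quotes (\"), and the OfficeScan trap packs several labelled fields into one string. The code below is an added example, not FortiSIEM's trap parser or any vendor's code; it assumes the three samples re-wrapped onto single lines (the McAfee one cut down to a subset of its varbinds, keeping the repeated OIDs), keeps repeated OIDs as lists instead of silently overwriting them, and splits the OfficeScan string on the label set the page shows.

```python
import re

# Constructed from three trap samples on this page, each re-wrapped onto one line.
MCAFEE_TRAP = (
    '2017-05-30 16:24:27 192.168.100.205 TRAP, SNMP v1, community fortisiem '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1 Enterprise Specific Trap (101) Uptime: 3:56:08.15 '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.7 = STRING: "Threat_Trigger_Rule" '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.50 = STRING: "ENDP_AM_1050" '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.510 = "" '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.510 = STRING: "Access Protection" '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.50 = STRING: "McAfee Endpoint Security" '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.370 = STRING: '
    '"Access Protection rule violation detected and NOT blocked" '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.1 = INTEGER: 1 '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.50 = STRING: "05/30/17 13:24:05 UTC" '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.570 = STRING: "WIN2012-SKULLC\\Administrator" '
    'SNMPv2-SMI::enterprises.3401.12.2.1.1.5.2.340 = STRING: "IDS_ACTION_WOULD_BLOCK"'
)
SOPHOS_TRAP = (
    '2011-05-03 18:22:32 172.15.30.8(via UDP: [172.15.30.8]:1216) TRAP, SNMP v1, community public '
    'SNMPv2-SMI::enterprises.2604.2.1.1.1 Enterprise Specific Trap (1) Uptime: 5:59:55.31 '
    'SNMPv2-SMI::enterprises.2604.2.1.1.2.1.1 = STRING: "File \\"C:\\WINDOWS\\system32\\LDPackage.dll\\" '
    'belongs to virus/spyware \'Mal/Generic-S\'." '
    'SNMPv2-SMI::enterprises.2604.2.1.1.2.2.2 = STRING: "9.5.5"'
)
OFFICESCAN_TRAP = (
    '2011-04-14 02:17:54 192.168.20.214(via UDP: [192.168.20.214]:45440) TRAP, SNMP v1, '
    'community public SNMPv2-SMI::enterprises.6101 Enterprise Specific Trap (5) Uptime: 0:00:00.30 '
    'SNMPv2-SMI::enterprises.6101.141 = STRING: "Virus/Malware: Eicar_test_file Computer: '
    'SJDEVVWINDB05 Domain: ABC File: C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\yc8eayj0.com '
    'Date/Time: 4/10/2008 14:23:26 Result: Virus successfully detected, cannot perform the '
    'Clean action (Quarantine) "'
)

_HEADER = re.compile(
    r'^(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<agent>\S+?)(?:\(via [^)]*\))?\s*TRAP, '
    r'SNMP v1, community (?P<community>\S+) (?P<enterprise>\S+) '
    r'Enterprise Specific Trap \((?P<specific>\d+)\) Uptime: (?P<uptime>\S+)')
# OID = [TYPE: ]value; a quoted value may contain \" escapes and bare backslashes.
_VARBIND = re.compile(
    r'(?P<oid>SNMPv2-SMI::enterprises\.[\d.]+) = (?:(?P<type>STRING|INTEGER): )?'
    r'(?P<value>"(?:[^"\\]|\\.)*"|\S+)')


def parse_trap(text):
    """Return agent/enterprise fields, the ordered varbinds, and an OID->list index."""
    m = _HEADER.match(text)
    if not m:
        raise ValueError('not an snmptrapd-style SNMPv1 trap line')
    trap = m.groupdict()
    trap['specific'] = int(trap['specific'])
    varbinds = []
    for vb in _VARBIND.finditer(text, m.end()):
        raw = vb.group('value')
        if vb.group('type') == 'INTEGER':
            value = int(raw)
        elif raw.startswith('"'):
            value = raw[1:-1].replace('\\"', '"')  # '= ""' becomes ''
        else:
            value = raw
        varbinds.append((vb.group('oid'), value))
    trap['varbinds'] = varbinds
    by_oid = {}
    for oid, value in varbinds:        # repeated OIDs are kept, in order
        by_oid.setdefault(oid, []).append(value)
    trap['by_oid'] = by_oid
    return trap


# Label set restricted to what the page's OfficeScan sample shows, because a
# generic "Word: " split would also cut the File value at "C:".
_OFFICESCAN_LABELS = ('Virus/Malware', 'Computer', 'Domain', 'File', 'Date/Time', 'Result')


def split_officescan_message(msg):
    pattern = r'\s*(' + '|'.join(re.escape(l) for l in _OFFICESCAN_LABELS) + r'): '
    parts = re.split(pattern, msg)  # [lead, label1, value1, label2, value2, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}


if __name__ == '__main__':
    for sample in (MCAFEE_TRAP, SOPHOS_TRAP, OFFICESCAN_TRAP):
        t = parse_trap(sample)
        print(t['agent'], t['enterprise'], t['specific'], len(t['varbinds']))
    print(split_officescan_message(parse_trap(OFFICESCAN_TRAP)['varbinds'][0][1]))
```

Because no vendor MIB is on the page, the example indexes varbinds by raw OID only; mapping an OID such as …5.2.370 to a field name is where a MIB (or the FortiSIEM event-type definitions in ADMIN > Device Support) comes in.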

Environmental Sensors

FortiSIEM supports these devices for monitoring.
l APC Netbotz Environmental Monitor
l APC UPS
l Generic UPS
l Liebert FPC
l Liebert HVAC
l Liebert UPS

APC Netbotz Environmental Monitor

l What is monitored and collected
l Configuration
l Setting Access Credentials

What is Monitored and Collected

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Hardware model, Network interfaces
Metrics collected:
l Temperature: Sensor Id, Sensor label, Enclosure Id, Temperature
l Relative Humidity: Sensor Id, Sensor label, Enclosure Id, Relative Humidity
l Air Flow: Sensor Id, Sensor label, Enclosure Id, Air Flow
l Dew Point Temperature: Sensor Id, Sensor label, Enclosure Id, Dew Point Temperature
l Current: Sensor Id, Sensor label, Enclosure Id, Current
l Audio Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Audio Sensor Reading
l Dry Contact Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Dry Contact Sensor Reading
l Door Switch Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Door Switch Sensor Reading (Open/Close)
l Camera Motion Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Camera Motion Sensor Reading (Motion/No Motion)
l Hardware Status (for NBRK0200): Contact Status, Output Relay Status, Outlet Status, Alarm Device Status, Memory Sensor Status, Memory Output Status, Memory Outlet Status, Memory Beacon Status
l EMS Status (for NBRK0200): EMS Hardware Status, Connection State
l Hardware Probe (for NBRK0200): Sensor Id, Temperature, Relative Humidity, Connection State Code
l Module Sensor (for NBRK0200): Sensor Name, Sensor location, Temperature, Relative Humidity, Connection State Code
Used for: Availability and Performance Monitoring

Protocol: SNMP Trap (V1, V2c)
Information Discovered: SNMP Trap
Metrics collected: See Event Types for more information about viewing the SNMP traps collected by FortiSIEM for this device.
Used for: Availability and Performance Monitoring


Event Types

In ADMIN > Device Support > Event, search for "NetBotz" in the Name column to see the event types associated
with this application or device.
Event types for NetBotz NBRK0200

- PH_DEV_MON_HW_STATUS
[PH_DEV_MON_HW_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=deviceNetBotz.cpp,
[lineNumber]=1642,[hostName]=Unknown,[hostIpAddr]=10.62.97.61,[hwStatusCode]=2,
[hwProbeStatus]=2,[hwInputContactStatus]=2,[hwOutputRelayStatus]=0,[hwOutletStatus]=2,
[hwAlarmDeviceStatus]=0,[hwMemSensorStatus]=0,[hwMemOutputStatus]=2,[hwMemOutletStatus]=2,
[hwMemBeaconStatus]=2,[phLogDetail]=

- PH_DEV_MON_HW_EMS_STATUS
[PH_DEV_MON_HW_EMS_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=deviceNetBotz.cpp,
[lineNumber]=1871,[hostName]=Unknown,[hostIpAddr]=10.62.97.61,[reptDevName]=Unknown,
[emsHwStatus]=0,[phyMachConnectionStateCode]=2,[hwLogStatus]=1,[phLogDetail]=

- PH_DEV_MON_HW_PROBE
[PH_DEV_MON_HW_PROBE]:[eventSeverity]=PHL_INFO,[fileName]=deviceNetBotz.cpp,
[lineNumber]=2100,[hostName]=Unknown,[hostIpAddr]=10.62.97.61,[envSensorLabel]=Sensor MM:4,
[envTempDegF]=74,[envTempHighThreshDegF]=138,[envHumidityRel]=51,
[envHumidityRelHighThresh]=90,[envHumidityRelLowThresh]=10,[serialNumber]=L3,
[phyMachConnectionStateCode]=3,[maxTempThresh]=140,[minTempThresh]=32,
[maxHumidityThresh]=99,[minHumidityThresh]=0,[phLogDetail]=

- PH_DEV_MON_HW_MODULE_SENSOR
[PH_DEV_MON_HW_MODULE_SENSOR]:[eventSeverity]=PHL_INFO,[fileName]=deviceNetBotz.cpp,
[lineNumber]=2567,[hostName]=Unknown,[hostIpAddr]=10.62.97.61,[moduleNumber]=0,
[envSensorId]=1,[envSensorLabel]=Sensor MM:1,[envSensorLoc]=Orland Park Server,
[envTempDegF]=74,[envHumidityRel]=50,[phyMachConnectionStateCode]=1,[hwAlarmDevicetatus]=1,
[phLogDetail]=
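Every event above has the same shape: an event type in brackets followed by a comma-separated run of [attribute]=value pairs, and the PH_DEV_MON_HW_PROBE event carries both the reading and the thresholds it should be judged against. The following added example (not FortiSIEM's own parser or rule logic) parses that format and flags a probe whose temperature or humidity falls outside the thresholds reported in the same event; the split-before-next-bracket rule is an assumption so that values with embedded commas survive, and the two out-of-range events are constructed from the guide's sample.

```python
import re
from typing import Dict, List, Optional

# Constructed samples: the PH_DEV_MON_HW_PROBE event from the guide joined onto one
# line, plus two copies edited to push a reading outside its own threshold.
PROBE_OK = (
    "[PH_DEV_MON_HW_PROBE]:[eventSeverity]=PHL_INFO,[fileName]=deviceNetBotz.cpp,"
    "[lineNumber]=2100,[hostName]=Unknown,[hostIpAddr]=10.62.97.61,[envSensorLabel]=Sensor MM:4,"
    "[envTempDegF]=74,[envTempHighThreshDegF]=138,[envHumidityRel]=51,"
    "[envHumidityRelHighThresh]=90,[envHumidityRelLowThresh]=10,[serialNumber]=L3,"
    "[phyMachConnectionStateCode]=3,[maxTempThresh]=140,[minTempThresh]=32,"
    "[maxHumidityThresh]=99,[minHumidityThresh]=0,[phLogDetail]="
)
PROBE_HOT = PROBE_OK.replace("[envTempDegF]=74,", "[envTempDegF]=145,")
PROBE_DRY = PROBE_OK.replace("[envHumidityRel]=51,", "[envHumidityRel]=5,")

_HEADER_RE = re.compile(r"^\[(?P<type>[A-Za-z0-9_]+)\]:(?P<body>.*)$", re.S)
# Split only at a comma that is immediately followed by the next "[key]=", so a value
# containing a comma (a sensor location, for instance) is not cut in half (assumption).
_ATTR_SPLIT_RE = re.compile(r",(?=\[[^\]]+\]=)")
_ATTR_RE = re.compile(r"^\[(?P<key>[^\]]+)\]=(?P<value>.*)$", re.S)


def parse_fortisiem_event(line: str) -> Dict[str, str]:
    """Parse '[EVENT_TYPE]:[k]=v,[k]=v,...' into a dict; 'eventType' holds the type."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a FortiSIEM [EVENT_TYPE]:[key]=value line")
    attrs = {"eventType": m.group("type")}
    for chunk in _ATTR_SPLIT_RE.split(m.group("body")):
        am = _ATTR_RE.match(chunk)
        if am:
            attrs[am.group("key")] = am.group("value")
    return attrs


def _num(attrs: Dict[str, str], key: str) -> Optional[float]:
    """Numeric view of an attribute, or None when it is absent or not numeric."""
    try:
        return float(attrs[key])
    except (KeyError, ValueError):
        return None


def probe_alerts(attrs: Dict[str, str]) -> List[str]:
    """Compare a hardware-probe reading with the thresholds carried in the same event."""
    alerts: List[str] = []
    if attrs.get("eventType") != "PH_DEV_MON_HW_PROBE":
        return alerts
    where = f'{attrs.get("hostIpAddr", "?")} {attrs.get("envSensorLabel", "?")}'
    temp, t_high = _num(attrs, "envTempDegF"), _num(attrs, "envTempHighThreshDegF")
    if temp is not None and t_high is not None and temp > t_high:
        alerts.append(f"{where}: temperature {temp:g}F above high threshold {t_high:g}F")
    hum = _num(attrs, "envHumidityRel")
    h_high = _num(attrs, "envHumidityRelHighThresh")
    h_low = _num(attrs, "envHumidityRelLowThresh")
    if hum is not None and h_high is not None and hum > h_high:
        alerts.append(f"{where}: humidity {hum:g}% above high threshold {h_high:g}%")
    if hum is not None and h_low is not None and hum < h_low:
        alerts.append(f"{where}: humidity {hum:g}% below low threshold {h_low:g}%")
    return alerts


if __name__ == "__main__":
    for sample in (PROBE_OK, PROBE_HOT, PROBE_DRY):
        print(probe_alerts(parse_fortisiem_event(sample)) or ["within thresholds"])
```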

Rules

In RESOURCE > Rules, search for "NetBotz" in the Name column to see the rules associated with this application or
device.

Reports

In RESOURCE > Reports, search for "Netbotz" in the Name column to see the reports associated with this
application or device.


Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

SNMP Trap

FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP
traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Setting Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type APC NetBotz

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


APC UPS

- What is Discovered and Monitored
- Configuration
- Setting Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Hardware model, Network interfaces
Metrics collected: UPS metrics: Remaining battery charge, Battery status, Replace battery indicator, Time on battery, Output status, Output load, Output voltage, Output frequency
Used for: Availability and Performance Monitoring

Protocol: SNMP Trap
Used for: Availability and Performance Monitoring

Event Types

In ADMIN > Device Support > Event, search for "apc" in the Device Type column to see the event types
associated with this device.

Rules

In RESOURCE > Rules, search for "apc" in the Name column to see the rules associated with this device.

Reports

In RESOURCE > Reports, search for "apc" in the Name column to see the reports associated with this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.


SNMP Trap

FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send
SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Setting Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type APC UPS

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


Generic UPS

- What is Discovered and Monitored
- Configuration
- Setting Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Hardware model, Network interfaces
Metrics collected: UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated Seconds Remaining, Output voltage, Output current, Temperature
Used for: Availability and Performance Monitoring

Configuration

SNMP

Note: UPS-MIB Required

Your device must have a UPS-MIB database to communicate with FortiSIEM over SNMP.

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation, then follow the instructions in "Discovery Settings" and "Setting Credentials" in the User
Guide to establish the connection between the device and FortiSIEM and to initiate the device discovery process.

Setting Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name
and Community String.

Setting Value

Name <set name>

Device Type Generic

Access Protocol SNMP

Community String <your own>


Liebert FPC

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Hardware model, Network interfaces
Metrics collected: Output voltage (X-N, Y-N, Z-N), Output current (X, Y, Z), Neutral Current, Ground current, Output power, Power Factor, Output Frequency, Output Voltage THD (Vx, Vy, Vz), Output Current THD (Lx, Ly, Lz), Output KWh, Output Crest factor (Lx, Ly, Lz), Output K-factor (Lx, Ly, Lz), Output Lx Capacity, Output Ly capacity
Used for: Availability and Performance Monitoring

Event Types

In ADMIN > Device Support > Event, search for "Liebert FPC" in the Description column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

In RESOURCE > Reports, search for "Liebert FPC" in the Name column to see the reports associated with this
device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your device.


Setting Value

Name <set name>

Device Type Liebert FPC

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


Liebert HVAC

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Hardware model, Network interfaces
Metrics collected: HVAC metrics: Temperature: current value, upper threshold, lower threshold; Relative Humidity: current value, upper threshold, lower threshold; System state, Cooling state, Heating state, Humidifying state, Dehumidifying state, Economic cycle, Fan state, Heating capacity, Cooling capacity
Used for: Availability and Performance Monitoring

FortiSIEM uses SNMP to discover and collect metrics from Generic UPS devices. This requires the presence of UPS-MIB
on the UPS device.
See the Liebert HVAC documentation to enable FortiSIEM to poll the device via SNMP.

Event Types

In ADMIN > Device Support > Event, search for "Liebert HVAC" in the Description column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

In RESOURCE > Reports, search for "Liebert HVAC" in the Name column to see the reports associated with this
device.

Configuration

SNMP

Note: UPS-MIB Required

Your device must have a UPS-MIB database to communicate with FortiSIEM.


FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your device.

Setting Value

Name <set name>

Device Type Liebert HVAC

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Access Credentials


Liebert UPS

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Hardware model, Network interfaces
Metrics collected: UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated Seconds Remaining, Output voltage, Output current, Temperature
Used for: Availability and Performance Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

Note: UPS-MIB Required

Your device must include a UPS-MIB database to communicate with FortiSIEM.

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your device.


Setting Value

Name <set name>

Device Type Liebert UPS

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


Firewalls

FortiSIEM supports these firewalls for discovery and monitoring.

- Check Point FireWall-1
- Check Point Provider-1
- CLM for Check Point Provider-1
- CMA for Check Point Provider-1
- MDS for Check Point Provider-1
- MLM for Check Point Provider-1
- Check Point VSX
- Cisco Adaptive Security Appliance (ASA)
- Clavister Firewall
- Cyberoam Firewall
- Dell SonicWALL
- Fortinet FortiGate Firewall
- Imperva Securesphere Web App Firewall
- Juniper Networks SSG
- McAfee Firewall Enterprise (Sidewinder)
- Palo Alto
- Sophos UTM
- WatchGuard Firebox


Check Point FireWall-1

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Firewall model and version, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
Used for: Availability and Performance Monitoring

Protocol: LEA
Metrics collected: All traffic and system logs
Used for: Security and Compliance

Event Types

In ADMIN > Device Support > Event, search for "firewall-1" in the Device Type column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.


LEA

Add FortiSIEM as a Managed Node

1. Log in to your Check Point SmartDomain Manager.
2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch
Global SmartDashboard.
3. Select the Firewall tab.
4. Click the Network Objects icon.
5. Select Nodes, and then right-click to select Node > Host... .
6. Select General Properties.
7. Enter a Name for your FortiSIEM host, like FortiSIEMVA.
8. Enter the IP Address of your FortiSIEM virtual appliance.
9. Click OK.

Create an OPSEC Application for FortiSIEM

1. In the Firewall tab, click the Servers and OPSEC icon.
2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
3. Click the General tab.
4. Enter a Name for your OPSEC application, like OPSEC_FortiSIEMVA.
5. For Host, select the FortiSIEM host.
6. Under Client Entities, select LEA and CPMI.
For Check Point FireWall-1, also select SNMP.
7. Click Communication.
8. Enter a one-time password.
This is the password you will use in setting up access credentials for your firewall in FortiSIEM.
9. Click Initialize.
10. Close and re-open the application.
11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_FortiSIEMVA,0=MDS..i6g4zq.
This is the FortiSIEM Client SIC DN that you will need when you copy the secure internal communication
certificates and set the access credentials for your firewall in FortiSIEM.

Create a Firewall Policy for FortiSIEM

1. In Servers and Opsec > OPSEC Applications, select your FortiSIEM application.
2. In the Rules menu, select Top.
3. Right-click SOURCE, then click Add and select your FortiSIEM virtual appliance.
4. Right-click DESTINATION, then click Add and select your Check Point firewall.
5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI.
Also select snmp if you are configuring a Check Point FireWall-1 firewall.
6. Right-click ACTION and select Accept.


7. Right-click TRACK and select Log.
8. Go to Policy > Install.
9. Click OK.
10. Go to OPSEC Applications and select your FortiSIEM application.
11. In the General tab of the Properties window, make sure that the communications have been enabled between
your firewall and FortiSIEM.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Checkpoint Firewall-1

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


Check Point Provider-1 Firewall

- What is Discovered and Monitored
- Configuration Overview

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host name, Firewall model and version, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
Used for: Availability and Performance Monitoring

Protocol: LEA
Metrics collected: All traffic and system logs
Used for: Security and Compliance

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration Overview

The configuration of Check Point Provider-1 depends on the type of log that you want sent to FortiSIEM. There are two
options:
- Domain level audit logs, which contain information such as domain creation, editing, etc.
- Firewall logs, which include both audit logs for firewall policy creation, editing, etc., and traffic logs
These logs are generated and stored among four different components:
- Multi-Domain Server (MDS), where domains are configured and certificates have to be generated.
- Multi-Domain Log Module (MLM), where domain logs are stored.
- Customer Management Add-on (CMA), the customer management module.
- Customer Log Module (CLM), which consolidates logs for an individual customer/domain.


Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA.
Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you
attempt to discover them on separate Collectors, discovery will fail.

Component Configuration for Domain-Level Audit Logs

1. Configure MDS.
2. Use the Client SIC obtained while configuring MDS to configure MLM.
3. Pull logs from MLM.

Component Configuration for Firewall Logs

1. Configure CMA.
2. Use the Client SIC obtained while configuring CMA to configure CLM.
3. Pull logs from CLM.
If you want to pull firewall logs from a domain, you have to configure CLM for that domain.
See these topics for instructions on how to configure each component for Check Point Provider-1 firewalls.
- Configuring MDS for Check Point Provider-1 Firewalls
- Configuring MLM for Check Point Provider-1 Firewalls
- Configuring CMA for Check Point Provider-1 Firewalls
- Configuring CLM for Check Point Provider-1 Firewalls


Configuring CMA for Check Point Provider-1 Firewalls

The Check Point Provider-1 Customer Management Add-On (CMA) creates logs that are then consolidated by the
Customer Log Module (CLM). If you want the CLM to send logs to FortiSIEM, you must first configure the CMA and
obtain the AO Client SIC to configure access credentials for communication between the CLM and FortiSIEM.
- Configuration
- Settings for Access Credentials

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA.
Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you
attempt to discover them on separate Collectors, discovery will fail.

Configuration

Get CMA Server SIC for Setting Up FortiSIEM Access Credentials

1. Log in to your Check Point SmartDomain Manager.
2. Click the General tab.
3. Select Domain Contents.
4. Select the Domain Management Server and right-click to select Launch Application > Smart Dashboard.
5. Select the Desktop tab.
6. Select the Network Objects icon.
7. Double-click on the Domain Management Server to view the General Properties dialog.
8. Click Test SIC Status... .
Note the value for DN. You will use this for the CMA Server SIC setting when creating the access credentials for
FortiSIEM to access your CMA server.

Add FortiSIEM as a Managed Node

1. Log in to your Check Point SmartDomain Manager.
2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch
Global SmartDashboard.
3. Select the Firewall tab.
4. Click the Network Objects icon.
5. Select Nodes, and then right-click to select Node > Host... .
6. Select General Properties.
7. Enter a Name for your FortiSIEM host, like FortiSIEMVA.
8. Enter the IP Address of your FortiSIEM virtual appliance.
9. Click OK.


Create an OPSEC Application for FortiSIEM

1. In the Firewall tab, click the Servers and OPSEC icon.
2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
3. Click the General tab.
4. Enter a Name for your OPSEC application, like OPSEC_FortiSIEMVA.
5. For Host, select the FortiSIEM host.
6. Under Client Entities, select LEA and CPMI.
For Check Point FireWall-1, also select SNMP.
7. Click Communication.
8. Enter a one-time password.
This is the password you will use in setting up access credentials for your firewall in FortiSIEM.
9. Click Initialize.
10. Close and re-open the application.
11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_FortiSIEMVA,0=MDS..i6g4zq.
This is the FortiSIEM Client SIC DN that you will need when you copy the secure internal communication
certificates and set the access credentials for your firewall in FortiSIEM.

Create a Firewall Policy for FortiSIEM

1. In Servers and Opsec > OPSEC Applications, select your FortiSIEM application.
2. In the Rules menu, select Top.
3. Right-click SOURCE, then click Add and select your FortiSIEM virtual appliance.
4. Right-click DESTINATION, then click Add and select your Check Point firewall.
5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI.
Also select snmp if you are configuring a Check Point FireWall-1 firewall.
6. Right-click ACTION and select Accept.
7. Right-click TRACK and select Log.
8. Go to Policy > Install.
9. Click OK.
10. Go to OPSEC Applications and select your FortiSIEM application.
11. In the General tab of the Properties window, make sure that the communications have been enabled between
your firewall and FortiSIEM.
You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery
Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Settings for Check Point Provider-1 Firewall CMA SSLCA Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your Check Point Provider-1 Firewall
CMA. When you complete the access credentials, click Generate Certificate to establish access between your firewall
and FortiSIEM.


Setting Value

Name CMA

Device Type Checkpoint Provider-1 CMA

Access Protocol CheckPoint SSLCA

CMA IP The IP address of your server

Checkpoint LEA Port The port used by LEA on your server

AO Client SIC The DN number of your FortiSIEM OPSEC application

CMA Server SIC The DN number of your server

CPMI Port The port used by CPMI on your server

Activation Key The password you used in creating your OPSEC application


Configuring CLM for Check Point Provider-1 Firewalls

- Prerequisites
- Configuration
- Settings for Access Credentials

Prerequisites

- You must first configure and discover the Check Point CMA and obtain the AO Client SIC before you can configure
the Customer Log Module (CLM). The AO Client SIC is generated when you create the FortiSIEM OPSEC
application.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA.
Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you
attempt to discover them on separate Collectors, discovery will fail.

Configuration

Get CLM Server SIC for Creating FortiSIEM Access Credentials

1. Log in to your Check Point SmartDomain Manager.
2. Click the General tab.
3. Select Domain Contents.
4. Select the Domain Management Server and right-click to select Launch Application > Smart Dashboard.
5. Select the Desktop tab.
6. Click the Network Objects icon.
7. Under Check Point, select the CLM host and double-click to open the General Properties dialog.
8. Under Secure Internal Communication, click Test SIC Status... .
9. In the SIC Status dialog, note the value for DN.
This is the CLM Server SIC that you will use in setting up access credentials for the CLM in FortiSIEM.
10. Click Close.
11. Click OK.

Install the Database

1. In the Actions menu, select Policy > Install Database... .
2. Select the MDS Server and the CLM, and then click OK.
The database will install in both locations.
You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery
Settings" and "Setting Credentials" in the User Guide.


Settings for Access Credentials

Settings for Check Point Provider-1 Firewall CLM SSLCA Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your Check Point Provider-1 Firewall
CLM. When you complete the access credentials, click Generate Certificate to establish access between your firewall
and FortiSIEM.

Setting Value

Name CLM

Device Type Checkpoint Provider-1 CLM

Access Protocol CheckPoint SSLCA

CLM IP The IP address of the host where your CLM is located

Checkpoint LEA Port The port used by LEA on your server

AO Client SIC The DN number of your FortiSIEM OPSEC application

CLM Server SIC The DN number of your server

CPMI Port The port used by CPMI on your server

CMA IP The IP address of the host where your CMA is located


Configuring MDS for Check Point Provider-1 Firewalls

- Configuration
- Settings for Access Credentials

The Check Point Provider-1 firewall Multi-Domain Server (MDS) is where domains are configured and certificates are
generated for communicating with FortiSIEM. If you want to have domain logs from the Multi-Domain Log Module
(MLM) sent from your firewall to FortiSIEM, you must first configure and discover MDS, then use the AO Client SIC
created for your FortiSIEM OPSEC application to configure the access credentials for MLM.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA.
Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you
attempt to discover them on separate Collectors, discovery will fail.

Configuration

Get the MDS Server SIC for FortiSIEM Access Credentials

You will use the MDS Server SIC to create access credentials in FortiSIEM for communicating with your server.
1. Log in to your Check Point SmartDomain Manager.
2. Select Multi-Domain Server Contents.
3. Select MDS, and then right-click to select Configure Multi-Domain Server... .
4. In the General tab, under Secure Internal Communication, note the value for DN.

Add FortiSIEM as a Managed Node

1. Log in to your Check Point SmartDomain Manager.
2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch
Global SmartDashboard.
3. Select the Firewall tab.
4. Click the Network Objects icon.
5. Select Nodes, and then right-click to select Node > Host... .
6. Select General Properties.
7. Enter a Name for your FortiSIEM host, like FortiSIEMVA.
8. Enter the IP Address of your FortiSIEM virtual appliance.
9. Click OK.

Create an OPSEC Application for FortiSIEM

1. In the Firewall tab, click the Servers and OPSEC icon.
2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
3. Click the General tab.
4. Enter a Name for your OPSEC application, like OPSEC_FortiSIEMVA.
5. For Host, select the FortiSIEM host.


6. Under Client Entities, select LEA and CPMI.
For Check Point FireWall-1, also select SNMP.
7. Click Communication.
8. Enter a one-time password.
This is the password you will use in setting up access credentials for your firewall in FortiSIEM.
9. Click Initialize.
10. Close and re-open the application.
11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_FortiSIEMVA,0=MDS..i6g4zq.
This is the FortiSIEM Client SIC DN that you will need when you copy the secure internal communication
certificates and set the access credentials for your firewall in FortiSIEM.

Create a Firewall Policy for FortiSIEM

1. In Servers and Opsec > OPSEC Applications, select your FortiSIEM application.
2. In the Rules menu, select Top.
3. Right-click SOURCE, then click Add and select your FortiSIEM virtual appliance.
4. Right-click DESTINATION, then click Add and select your Check Point firewall.
5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI.
Also select snmp if you are configuring a Check Point FireWall-1 firewall.
6. Right-click ACTION and select Accept.
7. Right-click TRACK and select Log.
8. Go to Policy > Install.
9. Click OK.
10. Go to OPSEC Applications and select your FortiSIEM application.
11. In the General tab of the Properties window, make sure that the communications have been enabled between
your firewall and FortiSIEM.

Copy Secure Internal Communication (SIC) certificates

Copy Client SIC

1. Go to Manage > Server and OPSEC Applications.
2. Select OPSEC Application and then right-click to select accelops.
3. Click Edit.
4. Enter the SIC DN of your application.

Copy Server SIC

1. In the Firewall tab, go to Manage.
2. Click the Network Object icon, and then right-click to select Check Point Gateway.
3. Click Edit.
4. Enter the SIC DN.
5. If there isn't a field to enter the SIC DN, click Test SIC Status and a dialog will display the SIC DN.


You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery
Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Settings for Check Point Provider-1 Firewall SSLCA Access Credentials


Use these Access Method Definition settings to allow FortiSIEM to access your Check Point Provider-1 Firewall
MDS. When you complete the access credentials, click Generate Certificate to establish access between your firewall
and FortiSIEM.

Setting               Value
Name                  MDS
Device Type           Checkpoint Provider-1 MDS
Access Protocol       CheckPoint SSLCA
MDS IP                The IP address of your server
Checkpoint LEA Port   The port used by LEA on your server
AO Client SIC         The DN of your FortiSIEM OPSEC application
MDS Server SIC        The DN of your server
Password              The password associated with the administrative user
CPMI Port             The port used by CPMI on your server
Activation Key        The password you used in creating your OPSEC application

1. Generate a certificate for MDS communication in FortiSIEM.
   a. Configure the Checkpoint Provider-1 MDS credential as described in the table above.
      - Activation Key is the one-time password you entered in Create an OPSEC Application for FortiSIEM.
      - AO Client SIC was generated in Create an OPSEC Application for FortiSIEM.
      - MDS Server SIC was generated in Get the MDS Server SIC for FortiSIEM Access Credentials.
   b. Click Generate Certificate. It should be successful. Note that the button will be labeled Regenerate Certificate if you have already generated the certificate once.

Configuring MLM for Check Point Provider-1 Firewalls

- Prerequisites
- Configuration
- Settings for Access Credentials

Prerequisites

- You must configure and discover your Check Point Provider-1 MDS before you configure the Multi-Domain Log Module (MLM). You will need the AO Client SIC that was generated when you created your FortiSIEM OPSEC application in the MDS to set up the access credentials for your MLM in FortiSIEM.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Configuration

Get MLM Server SIC for Setting Up FortiSIEM Access Credentials

1. Log in to your Check Point SmartDomain Manager.
2. In the General tab, click Multi-Domain Server Contents.
3. Right-click MLM and select Configure Multi-Domain Server....
4. Next to Communication, note the value for DN.

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery
Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Settings for Check Point Provider-1 MLM SSLCA Access Credentials


Use these Access Method Definition settings to allow FortiSIEM to access your Check Point MLM over SSLCA.

Setting               Value
Name                  MLM
Device Type           Checkpoint Provider-1 MLM
Access Protocol       CheckPoint SSLCA
MLM IP                The IP address of your module
Checkpoint LEA Port   The port used by LEA on your server
AO Client SIC         The DN of your FortiSIEM OPSEC application
MLM Server SIC        The DN of your MLM
CPMI Port             The port used by CPMI on your server
MDS IP                The IP address of your MDS server

Check Point VSX Firewall

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

FortiSIEM uses SNMP and LEA to discover the device and to collect logs, configurations and performance metrics.

Protocol: SNMP
  Information discovered: Host name, Firewall model and version, Network interfaces
  Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
  Used for: Availability and Performance Monitoring

Protocol: LEA
  Metrics collected: All traffic and system logs
  Used for: Security and Compliance

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

LEA

Add FortiSIEM as a Managed Node

1. Log in to your Check Point SmartDomain Manager.
2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
3. Select the Firewall tab.
4. Click the Network Objects icon.
5. Select Nodes, and then right-click to select Node > Host... .
6. Select General Properties.
7. Enter a Name for your FortiSIEM host, like FortiSIEMVA.
8. Enter the IP Address of your FortiSIEM virtual appliance.
9. Click OK.

Create an OPSEC Application for FortiSIEM

1. In the Firewall tab, click the Servers and OPSEC icon.
2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
3. Click the General tab.
4. Enter a Name for your OPSEC application, like OPSEC_FortiSIEMVA.
5. For Host, select the FortiSIEM host.
6. Under Client Entities, select LEA and CPMI.
For Check Point FireWall-1, also select SNMP.
7. Click Communication.
8. Enter a one-time password.
This is the password you will use in setting up access credentials for your firewall in FortiSIEM.
9. Click Initialize.
10. Close and re-open the application.
11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_FortiSIEMVA,0=MDS..i6g4zq.
This is the FortiSIEM Client SIC DN that you will need when you copy the secure internal communication
certificates and set the access credentials for your firewall in FortiSIEM.

Create a Firewall Policy for FortiSIEM

1. In Servers and Opsec > OPSEC Applications, select your FortiSIEM application.
2. In the Rules menu, select Top.
3. Right-click SOURCE, then click Add and select your FortiSIEM virtual appliance.
4. Right-click DESTINATION, then click Add and select your Check Point firewall.
5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI.
Also select snmp if you are configuring a Check Point FireWall-1 firewall.
6. Right-click ACTION and select Accept.

7. Right-click TRACK and select Log.
8. Go to Policy > Install.
9. Click OK.
10. Go to OPSEC Applications and select your FortiSIEM application.
11. In the General tab of the Properties window, make sure that the communications have been enabled between
your firewall and FortiSIEM.

Copy Client SIC

1. Go to Manage > Server and OPSEC Applications.
2. Select OPSEC Application and then right-click to select accelops.
3. Click Edit.
4. Enter the SIC DN of your application.

Copy Server SIC

1. In the Firewall tab, go to Manage.
2. Click the Network Object icon, and then right-click to select Check Point Gateway.
3. Click Edit.
4. Enter the SIC DN.
5. If there isn't a field to enter the SIC DN, click Test SIC Status and a dialog will display the SIC DN.

You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting           Value
Name              <set name>
Device Type       Checkpoint VSX
Access Protocol   See Access Credentials
Port              See Access Credentials
Password config   See Password Configuration

Cisco Adaptive Security Appliance (ASA)

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c, V3)
  Information discovered: Host name, Hardware model, Network interfaces, Hardware component details (serial number, model, manufacturer, software and firmware versions of components such as fan, power supply, network cards etc.), Operating system version, SSM modules such as IPS
  Metrics collected: Uptime, CPU and Memory utilization, Free processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
  Used for: Availability and Performance Monitoring

Protocol: SNMP (V1, V2c, V3)
  Metrics collected: Hardware health: temperature, fan and power supply status

Protocol: SNMP (V1, V2c, V3)
  Information discovered: OSPF neighbors, state, OSPF Area
  Metrics collected: OSPF connectivity, OSPF state change
  Used for: Routing Topology, Availability Monitoring

Protocol: SNMP (V1, V2c, V3)
  Metrics collected: IPSec VPN Phase 1 tunnel metrics: local and remote VPN IP addresses, Tunnel status, Tunnel Uptime, Received/Sent BitsPerSec, Received/Sent Packets, Received/Sent BitsPerSec, Received/Sent Dropped Packets, Received/Sent Rejected Exchanges, Received/Sent Invalid Exchanges, Invalid Received Pkt Dropped, Received Exchanges Rejected, Received Exchanges Invalid. IPSec VPN Phase 2 tunnel metrics: local and remote VPN IP addresses, Tunnel status, Tunnel Uptime, Received/Sent BitsPerSec, Received/Sent Packets, Received/Sent BitsPerSec, Received/Sent Dropped Packets, Received/Sent Auth Failed, Sent Encrypted Failed, Received Decrypt Failed, Received Replay Failed
  Used for: Performance Monitoring

Protocol: Telnet/SSH
  Information discovered: Running and startup configuration, Interface security levels, Routing tables, Image file name, Flash memory size
  Metrics collected: Startup configuration change, delta between running and startup configuration
  Used for: Performance Monitoring, Security and Compliance

Protocol: Telnet/SSH
  Information discovered: Virtual context for multi-context firewalls, ASA interface security levels (needed for setting source and destination IP address in syslog based on interface security level comparisons), ASA name mappings from IP addresses to locally unique names (needed for converting names in syslog to IP addresses)

Protocol: Netflow (V9)
  Information discovered: Open server ports
  Metrics collected: Traffic logs (for ASA 8.x and above)
  Used for: Security and Compliance

Protocol: Syslog
  Information discovered: Device type
  Metrics collected: All traffic and system logs
  Used for: Security and Compliance

Event Types

In ADMIN > Device Support > Event, search for "asa" in the Device Type column to see the event types associated
with this device.

Rules

In RESOURCE > Rules, search for "asa" in the Description column to see the rules associated with this device.

Reports

In RESOURCE > Reports, search for "asa" in the Description column to see the reports associated with this device.

Configuration

Don't Configure SNMP Trap

Don't configure ASA to send logs via SNMP trap, as FortiSIEM doesn't parse them.

Check Security Levels

Make sure interface security levels are appropriately set in FortiSIEM. In your FortiSIEM Supervisor, go to CMDB > Devices > Network Device > Firewall and select your firewall. Click the Interface tab, and make sure that the inside security level is 100, outside is 0 and other interfaces are in between. This information can either be discovered via SSH or entered manually after SNMP discovery. Without correct security level information, ASA traffic built and teardown logs cannot be parsed correctly (they may not have correct source and destination addresses and ports).

SNMP

1. Log in to your ASA with administrative privileges.
2. Configure SNMP with this command.
   snmp-server host <ASA Interface name> <FortiSIEM IP> poll community <community string>

Syslog

1. Log in to your ASA with administrative privileges.
2. Enter configuration mode (config terminal).
3. Enter the following commands:
   no names
   logging enable
   logging timestamp
   logging monitor errors
   logging buffered errors
   logging trap debugging
   logging debug-trace
   logging history errors
   logging asdm errors
   logging mail emergencies
   logging facility 16
   logging host <ASA interface name> <FortiSIEM IP>

Sample Cisco ASA Syslog

<134>Nov 28 2007 17:20:48: %ASA-6-302013: Built outbound TCP connection 76118 for
outside:207.68.178.45/80 (207.68.178.45/80)
to inside:192.168.20.31/3530 (99.129.50.157/5967)
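The Check Security Levels rule above applied to this sample, as an added example (not FortiSIEM's own parser): the function extracts both endpoints of a %ASA-6-302013 or 302015 Built message, looks up each interface's security level in a constructed table (inside 100, dmz 50, outside 0, matching the levels the guide says to set in the CMDB), and assigns source and destination from the inbound/outbound keyword together with that comparison, refusing to guess when a level is missing or the two levels tie. The dmz interface and the second, inbound message are constructed; the rule that an outbound connection originates on the higher-security interface and an inbound one on the lower-security interface is ASA's own meaning of those two words.

```python
import re
from typing import Dict, Optional

# Interface security levels as the guide says they must appear in the FortiSIEM
# CMDB: inside 100, outside 0, anything else in between. Constructed sample; a
# deployment takes them from SSH discovery or the values entered after SNMP discovery.
SECURITY_LEVELS: Dict[str, int] = {"inside": 100, "dmz": 50, "outside": 0}

# %ASA-6-302013 (TCP) and %ASA-6-302015 (UDP) Built messages:
#   Built {inbound|outbound} {TCP|UDP} connection <id> for
#   <ifc>:<real_ip>/<real_port> (<mapped_ip>/<mapped_port>) [(<idfw_user>)] to
#   <ifc>:<real_ip>/<real_port> (<mapped_ip>/<mapped_port>)
_ENDPOINT = (r"(?P<ifc{n}>[^\s:]+):(?P<ip{n}>[\d.]+)/(?P<port{n}>\d+) "
             r"\((?P<mip{n}>[\d.]+)/(?P<mport{n}>\d+)\)")
BUILT_RE = re.compile(
    r"%ASA-\d-3020(?:13|15): Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection (?P<conn_id>\d+) for " + _ENDPOINT.format(n=1)
    + r"(?: \([^)]*\))? to " + _ENDPOINT.format(n=2)
)


def _endpoint(m: "re.Match[str]", n: int) -> Dict[str, object]:
    """Pull the n-th (1 or 2) interface:ip/port (mapped) group out of a match."""
    return {
        "interface": m.group(f"ifc{n}"),
        "ip": m.group(f"ip{n}"),
        "port": int(m.group(f"port{n}")),
        "mapped_ip": m.group(f"mip{n}"),
        "mapped_port": int(m.group(f"mport{n}")),
    }


def parse_built(line: str, levels: Dict[str, int] = SECURITY_LEVELS) -> Optional[Dict[str, object]]:
    """Parse a Built-connection message and decide which endpoint is the source.

    Returns None for lines that are not Built messages. Raises ValueError when an
    interface has no known security level or both have the same level: the message
    alone does not say which listed endpoint initiated the flow, which is exactly
    the mis-parse the guide warns about.
    """
    m = BUILT_RE.search(line)
    if m is None:
        return None
    a, b = _endpoint(m, 1), _endpoint(m, 2)
    for ep in (a, b):
        if ep["interface"] not in levels:
            raise ValueError(f"no security level known for interface {ep['interface']!r}")
    if levels[a["interface"]] == levels[b["interface"]]:
        raise ValueError("both interfaces have the same security level; flow direction is ambiguous")
    higher, lower = (a, b) if levels[a["interface"]] > levels[b["interface"]] else (b, a)
    # ASA's own terms: "outbound" is a flow initiated on the higher-security
    # interface toward the lower one, "inbound" the reverse.
    src, dst = (higher, lower) if m.group("direction") == "outbound" else (lower, higher)
    return {
        "conn_id": int(m.group("conn_id")),
        "proto": m.group("proto"),
        "direction": m.group("direction"),
        "src_ip": src["ip"], "src_port": src["port"], "src_interface": src["interface"],
        "dst_ip": dst["ip"], "dst_port": dst["port"], "dst_interface": dst["interface"],
        # The parenthesised pair is the NAT-translated address of that endpoint.
        "src_mapped": (src["mapped_ip"], src["mapped_port"]),
        "dst_mapped": (dst["mapped_ip"], dst["mapped_port"]),
    }


# The guide's sample, reassembled onto one line.
SAMPLE = ("<134>Nov 28 2007 17:20:48: %ASA-6-302013: Built outbound TCP connection 76118 for "
          "outside:207.68.178.45/80 (207.68.178.45/80) to inside:192.168.20.31/3530 (99.129.50.157/5967)")
# Constructed inbound counterpart using documentation (RFC 5737) addresses.
INBOUND = ("<134>Nov 28 2007 17:21:02: %ASA-6-302013: Built inbound TCP connection 76119 for "
           "outside:198.51.100.7/51234 (198.51.100.7/51234) to dmz:10.10.0.5/443 (203.0.113.5/443)")

if __name__ == "__main__":
    for line in (SAMPLE, INBOUND):
        ev = parse_built(line)
        print(f"{ev['proto']} {ev['direction']}: {ev['src_interface']}:{ev['src_ip']}:{ev['src_port']}"
              f" -> {ev['dst_interface']}:{ev['dst_ip']}:{ev['dst_port']}")
```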

SSH

1. Log in to your ASA with administrative privileges.
2. Configure SSH with this command.
   ssh <FortiSIEM IP> <FortiSIEM IP netmask> <ASA interface name>

Telnet

1. Log in to your ASA with administrative privileges.
2. Configure telnet with this command.
   telnet <FortiSIEM IP> <FortiSIEM IP netmask> <ASA interface name>

Commands Used During Telnet/SSH Communication

The following commands are used for discovery and performance monitoring via SSH. Make sure that the accounts associated with the ASA access credentials you set up in FortiSIEM have permission to execute these commands.

Critical Commands

It is critical to have the no names and logging timestamp commands in the configuration, or logs will not be parsed correctly.

1. show startup-config
2. show running-config
3. show version
4. show flash
5. show context
6. show ip route
7. enable
8. terminal pager 0
9. terminal length 0

NetFlow

NetFlow is an optimized protocol for collecting high volume traffic logs. You should configure NetFlow with ASDM, the ASA device manager.

Set Up FortiSIEM as a NetFlow Receiver

1. Log in to ASDM.
2. Go to Configuration > Device Management > Logging > Netflow.
3. Under Collectors, click Add.
4. For Interface, select the ASA interface over which NetFlow will be sent to FortiSIEM.
5. For IP Address or Host Name, enter the IP address or host name for your FortiSIEM virtual appliance that will
receive the NetFlow logs.
6. For UDP Port, enter 2055.
7. Click OK.
8. Select Disable redundant syslog messages.
This prevents the NetFlow-equivalent events from also being sent via syslog.
9. Click Apply.

Create a NetFlow Service Policy

1. Go to Configuration > Firewall > Service Policy Rules.
2. Click Add.
The Service Policy Wizard will launch.
3. Select Global - apply to all interfaces, and then click Next.
4. For Traffic Match Criteria, select Source and Destination IP Address, and then click Next.
5. For Source and Destination, select Any, and then click Next.

6. For Flow Event Type, select All.
7. For Collectors, select the FortiSIEM virtual appliance IP address.
8. Click OK.

Configure the Template Refresh Rate

This is an optional step. The template refresh rate is the number of minutes between sending a template record to
FortiSIEM. The default is 30 minutes, and in most cases this is sufficient. Since flow templates are dynamic, FortiSIEM
cannot process a flow until it knows the details of the corresponding template. This command may not always be
needed, but if flows are not showing up in FortiSIEM, even if tcpdump indicates that they are, this is worth trying.

flow-export template timeout-rate 1

You can find out more about configuring NetFlow in the Cisco support forum.

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name
and Community String.

Setting            Value
Name               <set name>
Device Type        Generic
Access Protocol    SNMP
Community String   <your own>

Telnet Access Credentials for All Devices

These are the generic settings for providing Telnet access to your device from FortiSIEM.

Setting           Value
Name              Telnet-generic
Device Type       generic
Access Protocol   Telnet
Port              23
User Name         A user who has permission to access the device over Telnet
Password          The password associated with the user

SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting           Value
Name              ssh-generic
Device Type       Generic
Access Protocol   SSH
Port              22
User Name         A user who has access credentials for your device over SSH
Password          The password for the user

Clavister Firewall

Integration Points

Method: syslog
  Information discovered: Host name, Reporting IP
  Metrics collected: None
  Logs collected: Connection – permit and deny, system events
  Used for: Security monitoring

Event Types

In ADMIN > Device Support > Event, Search for "Clavister" to see the event types associated with this device.

Rules

No specific rules are written for Clavister firewall but generic firewall rules will apply.

Reports

No specific reports are written for Clavister firewall but generic firewall reports will apply.

Configuration

Configure Clavister firewall to send logs to FortiSIEM in the supported format (see Sample Events below).

Settings for Access Credentials

None required

Sample Events

<134>[2016-04-26 16:10:07] EFW: CONN: prio=1 id=00600005 rev=1 event=conn_close_natsat
action=close rule=if3_net_nat_out conn=close connipproto=TCP connrecvif=If3
connsrcip=192.168.99.13 connsrcport=43347 conndestif=If1 conndestip=1.1.1.1 conndestport=443
connnewsrcip=1.1.1.2 connnewsrcport=65035 connnewdestip=1.1.1.1 connnewdestport=443
origsent=1395 termsent=5763 conntime=83

<134>[2016-04-26 16:10:11] EFW: ALG: prio=1 id=00200001 rev=1 event=alg_session_open
algmod=ftp algsesid=95238 connipproto=TCP connrecvif=If1 connsrcip=1.1.1.3 connsrcport=59576
conndestif=core conndestip=1.1.1.4 conndestport=21 origsent=100 termsent=44

<134>[2016-04-26 16:10:05] EFW: IPSEC: prio=1 id=01800211 rev=2 event=reconfig_IPsec
action=ipsec_reconfigured

Cyberoam Firewall

- Integration Points
- Configuration
- Settings for Access Credentials
- Sample Events

Integration Points

Method: Syslog
  Information discovered: Host name, Reporting IP
  Metrics collected: None
  Logs collected: Connection – permit and deny, system events, malware events
  Used for: Security monitoring

Event Types

In ADMIN > Device Support > Event, search for "Cyberoam-" to see the event types associated with this device.

Rules

No specific rules are written for Cyberoam firewall but generic firewall rules will apply.

Reports

No specific reports are written for Cyberoam firewall but generic firewall reports will apply.

Configuration

Configure Cyberoam firewall to send logs to FortiSIEM in the supported format (see Sample Events below).

Settings for Access Credentials

None required.

Sample Events

<30>date=2019-07-10 time=11:06:48 timezone="GMT" device_name="CR50iNG" device_id=C162213098933-QQ6REI
log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed"
status="Allow" priority=Information duration=0 fw_rule_id=12 user_name="" user_gp="" iap=1
ips_policy_id=0 appfilter_policy_id=1 application="" application_risk=0 application_technology=""
application_category="" in_interface="PortA" out_interface="" src_mac=00: 0:00: 0:10: 0
src_ip=10.0.70.17 src_country_code=AP dst_ip=1.1.1.1 dst_country_code=IRL protocol="TCP"
src_port=61244 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=
tran_src_port=0 tran_dst_ip=10.0.0.13 tran_dst_port=8080 srczonetype="LAN" srczone="ZONE1"
dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="3340934816" vconnid=""

Dell SonicWALL Firewall

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Host name, Hardware model, Network interfaces, Operating system version
  Metrics collected: CPU Utilization, Memory utilization and Firewall Session Count
  Used for: Availability and Performance Monitoring

Protocol: Syslog
  Information discovered: Device type
  Metrics collected: All traffic and system logs
  Used for: Availability, Security and Compliance

Event Types

In ADMIN > Device Support > Event, search for "sonicwall" in the Device Type column to see the event types
associated with Dell SonicWALL firewalls.

Rules

There are no predefined rules for Dell SonicWALL firewalls.

Reports

There are no predefined reports for Dell SonicWALL firewalls.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

- Dell SonicWALL Firewall Administrator's Guide (PDF)

Syslog

1. Log in to your SonicWALL appliance.
2. Go to Log > Syslog.
Keep the default settings.
3. Under Syslog Servers, click Add.
The Syslog Settings wizard will open.
4. Enter the IP Address of your FortiSIEM Supervisor or Collector.
Keep the default Port setting of 514.
5. Click OK.
6. Go to Firewall > Access Rules.
7. Select the rule that you want to use for logging, and then click Edit.
8. In the General tab, select Enable Logging, and then click OK.
Repeat for each rule that you want to enable for sending syslogs to FortiSIEM.
Your Dell SonicWALL firewall should now send syslogs to FortiSIEM.

Example Syslog

Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.1.1.1 pri=6 c=262144 m=98
msg="Connection Opened" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String.

Setting            Value
Name               <set name>
Device Type        Generic
Access Protocol    SNMP
Community String   <your own>

Fortinet FortiGate Firewall

- What is Discovered and Monitored
- Configuring SNMP on FortiGate
- Configuring SSH on FortiSIEM to communicate with FortiGate
- Configuring FortiSIEM for SNMP and SSH to FortiGate
- Configuring FortiAnalyzer to send logs to FortiSIEM
- Configuring FortiGate to send Netflow via CLI
- Configuring FortiGate to send Application names in Netflow via GUI
- Example of FortiGate Syslog parsed by FortiSIEM

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Host name, Hardware model, Network interfaces, Operating system version
  Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths). For 5xxx series firewalls, per CPU utilization (event PH_DEV_MON_FORTINET_PROCESSOR_USGE)
  Used for: Availability and Performance Monitoring

Protocol: Telnet/SSH
  Information discovered: Running configuration
  Metrics collected: Configuration Change
  Used for: Performance Monitoring, Security and Compliance

Protocol: Syslog
  Information discovered: Device type
  Metrics collected: All traffic and system logs
  Used for: Availability, Security and Compliance

Protocol: Netflow
  Metrics collected: Firewall traffic, application detection and application link usage metrics
  Used for: Security monitoring and compliance, Firewall Link Usage and Application monitoring

Event Types

In ADMIN > Device Support > Event, search for "fortigate" in the Name and Description columns to see the event
types associated with this device.

Rules

In Resource > Rules, search for "fortigate" in the Name column to see the rules associated with this device.

Reports

Search for Reports under Network device, Firewall and Security groups.

Configuring SNMP on FortiGate

Follow these steps to configure SNMP on FortiGate. For more information on configuring the FortiGate to allow
detailed interface monitoring using SNMP, see Data Source in the FortiSIEM User’s Guide.
1. Log in to your firewall as an administrator.
2. Go to System > Network.
3. Select the FortiGate interface IP that FortiSIEM will use to communicate with your device, and then click Edit.
4. For Administrative Access, make sure that SSH and SNMP are selected.
5. Click OK.
6. Go to System > Config > SNMP v1/v2c.
7. Click Create New to enable the public community.

Configuring SSH on FortiSIEM to communicate with FortiGate

The FortiSIEM Collector's SSH client, when communicating with FortiGate via SSH, may try the public key authentication method first. This may fail and create alerts in FortiGate. To prevent this, modify the per-user config file as follows:
1. Log in as admin to the FortiSIEM node that communicates with FortiGate via SSH.
2. Open /opt/phoenix/bin/.ssh/config, creating the file if it does not exist.
3. Add these two lines and save:
   PreferredAuthentications password
   PubkeyAuthentication no
4. Ensure that the owner is admin:
   chown admin.admin /opt/phoenix/bin/.ssh/config
   chmod 600 /opt/phoenix/bin/.ssh/config
5. Verify using the commands:
   su admin
   ssh -v <fgt host>

Verification is successful if the following files are found:

Alternatively, modify the global ssh_config file as below. Since this is a global configuration, all programs will use this setting.
1. Log in as root to a FortiSIEM node that communicates with FortiGate via SSH.
2. Open /etc/ssh/ssh_config.
3. Add these two lines:
   PreferredAuthentications password
   PubkeyAuthentication no

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access
credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device.
show firewall address
show full-configuration

Sending Logs Over VPN

If you are sending these logs across a VPN, FortiGate will try to use the WAN interface as the source of all system traffic. You can change this by setting the source-ip option to the IP used on the FortiGate's Internal/LAN interface.

With the Web GUI

1. Log in to your firewall as an administrator.
2. Go to Log & Report > Log Config > syslog.
3. Enter the IP Address, Port Number, and Minimum Log Level and Facility for your FortiSIEM virtual appliance.
4. Make sure that CSV format is not selected.

With the CLI

1. Connect to the FortiGate firewall over SSH and log in.
2. To configure your firewall to send syslog over UDP, enter these commands, replacing the IP address 192.168.53.2 with the IP address of your FortiSIEM virtual appliance.
   config log syslogd setting
     set status enable
     set server "192.168.53.2"
     set facility user
     set port 514
   end
3. Verify the settings.
   frontend # show log syslogd setting
   config log syslogd setting
     set status enable
     set server "192.168.53.2"
     set facility user
   end

Configuring FortiSIEM for SNMP and SSH access to FortiGate

You can now configure FortiSIEM to communicate with your device by following the instructions in the User Guide >
Section: Configuring FortiSIEM > Discovering Infrastructure > Setting Access Credentials for Device Discovery,
and then initiate discovery of the device as described in the topics under Discovering Infrastructure.

Configuring FortiAnalyzer to send logs to FortiSIEM

If you are already sending FortiGate logs to FortiAnalyzer, then you can forward those logs to FortiSIEM by configuring
FortiAnalyzer as follows:
1. Log in to FortiAnalyzer.
2. Go to System Settings > Advanced > Syslog Server.
   a. Click the Create New button.
   b. Enter the Name. (It is recommended to use the name of the FortiSIEM server.)
   c. Fill in the IP address (or FQDN) with the IP or a fully qualified name of the FortiSIEM server.
   d. Leave the Syslog Server Port at the default value '514'.
   e. Click OK to save your entries.
3. Go to System Settings > Dashboard > CLI Console.
4. Click in the CLI Console and enter the following commands:
   - For FortiAnalyzer versions 6.0 and later:
     Note: Replace <id> with the actual name of the log forward created earlier.
     config system log-forward
       edit <id>
         set mode forwarding
         set fwd-max-delay realtime
         set server-name "<FSM_Collector>"
         set server-ip "a.b.c.d"
         set fwd-log-source-ip original_ip
         set fwd-server-type syslog
       next
     end
   - For FortiAnalyzer versions 5.6 to 5.9:
     Note: Replace <id> with the actual name of the log forward created earlier.
     config system log-forward
       edit <id>
         set mode forwarding
         set fwd-max-delay realtime
         set server-ip "a.b.c.d"
         set fwd-log-source-ip original_ip
         set fwd-server-type syslog
       next
     end
   - For FortiAnalyzer versions earlier than 5.6:
     Note: Replace <id> with the number for your FortiSIEM syslog entry.
     config system aggregation-client
       edit <id>
         set fwd-log-source-ip original_ip
     end

Configuring FortiGate to send Netflow via CLI

1. Connect to the FortiGate firewall over SSH and log in.
2. To configure your firewall to send Netflow over UDP, enter the following commands:
config system netflow
set collector-ip <FortiSIEM IP>
set collector-port 2055
end
3. Enable Netflow on the appropriate interfaces, replacing port1 with your interface name:
config system interface
edit port1
set netflow-sampler both
end
4. Optional - Using Netflow with VDOMs
For VDOM environments, excluding the management VDOM, Netflow must be configured using the following CLI
commands:
con global
con sys netflow
set collector-ip <FortiSIEM IP>
set collector-port 2055
set source-ip <source-ip>
end
end

con vdom
edit root ( root is an example, change to the required VDOM name.)
con sys interface
edit wan1 (change the interface to the one to use.)
set netflow-sampler both
end
end

Configuring FortiGate to send Application names in Netflow via GUI

1. Log in to FortiGate.
2. Go to Policy & Objects > IPv4 Policy.
3. Click on the Policy IDs you wish to receive application information from.
4. Add SSL inspection and App Control on the policy by clicking the + button in the Security Profiles column.

Example of FortiGate Syslog parsed by FortiSIEM

<185>date=2010-04-11 time=20:31:25 devname=APS3012404200944 device_id=APS3012404200944 log_id=0104032002 type=event subtype=admin
pri=alert vd=root user="root" ui=ssh(10.1.20.21) action=login status=failed reason="name_invalid"msg="Administrator root login failed from ssh(10.1.20.21) because of invalid user name"
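One key=value tokenizer with a per-vendor endpoint mapping that handles this FortiGate sample as well as the Clavister, Cyberoam and Dell SonicWALL samples earlier in this chapter, added here as an example and not FortiSIEM's own parsing logic. It assumes only the field names visible in those samples (plus FortiGate's srcip/dstip/srcport/dstport traffic-log keys) and deals with the quirks they show: a value with no separator before the next key (reason="name_invalid"msg=...), empty values (tran_src_ip=), a damaged token without '=' (src_mac), and SonicWALL's ip:port:zone endpoints.

```python
import re
from typing import Dict, Optional, Tuple

# One key=value pair. The quoted branch is tried first, so time="2007-01-03 14:48:06"
# keeps its space and its closing quote is consumed, which lets the FortiGate sample's
# reason="name_invalid"msg="..." (no separator) yield both keys. The bare branch may
# match nothing, as in Cyberoam's tran_src_ip= .
KV_RE = re.compile(r'(?P<key>[A-Za-z_][\w.-]*)=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s"]*))')
PAREN_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # FortiGate ui=ssh(10.1.20.21)


def parse_kv(line: str) -> Tuple[str, Dict[str, str]]:
    """Return (free-text prefix, fields): the prefix is everything before the first
    pair (PRI, timestamp, Clavister's "EFW: CONN:" tag, SonicWALL's relay address);
    body tokens without '=' (the damaged src_mac in the Cyberoam sample) are skipped."""
    fields: Dict[str, str] = {}
    first: Optional[int] = None
    for m in KV_RE.finditer(line):
        if first is None:
            first = m.start()
        quoted = m.group("quoted")
        fields[m.group("key")] = quoted if quoted is not None else m.group("bare")
    prefix = line[:first] if first is not None else line
    return prefix.strip(), fields


def _sonicwall_endpoint(value: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """SonicWALL packs endpoints as ip:port:zone; return (ip, port)."""
    if not value:
        return None, None
    parts = value.split(":")
    return parts[0], (parts[1] if len(parts) > 1 else None)


def _join(*parts: Optional[str]) -> Optional[str]:
    return "/".join(p for p in parts if p) or None


def normalize(line: str) -> Dict[str, object]:
    """Map one vendor line onto a common shape: vendor, event, 4-tuple, raw fields.
    Detection keys on tokens only that format emits; endpoint key names differ per
    vendor, which is why a per-device mapping is needed at all."""
    prefix, f = parse_kv(line)
    ev: Dict[str, object] = {"vendor": None, "event": None, "src_ip": None,
                             "src_port": None, "dst_ip": None, "dst_port": None,
                             "fields": f}
    if "EFW:" in prefix:  # Clavister
        ev.update(vendor="clavister", event=f.get("event"),
                  src_ip=f.get("connsrcip"), src_port=f.get("connsrcport"),
                  dst_ip=f.get("conndestip"), dst_port=f.get("conndestport"))
    elif "devname" in f:  # FortiGate
        src = f.get("srcip")  # traffic logs carry srcip/dstip/srcport/dstport
        if src is None and "ui" in f:  # admin events carry ui=ssh(<ip>) instead
            hit = PAREN_IP_RE.search(f["ui"])
            src = hit.group(1) if hit else None
        ev.update(vendor="fortigate",
                  event=_join(f.get("type"), f.get("subtype"), f.get("action"), f.get("status")),
                  src_ip=src, src_port=f.get("srcport"),
                  dst_ip=f.get("dstip"), dst_port=f.get("dstport"))
    elif "device_name" in f and "log_type" in f:  # Cyberoam
        ev.update(vendor="cyberoam",
                  event=_join(f.get("log_type"), f.get("log_subtype"), f.get("status")),
                  src_ip=f.get("src_ip"), src_port=f.get("src_port"),
                  dst_ip=f.get("dst_ip"), dst_port=f.get("dst_port"))
    elif "sn" in f and "fw" in f:  # SonicWALL
        src_ip, src_port = _sonicwall_endpoint(f.get("src"))
        dst_ip, dst_port = _sonicwall_endpoint(f.get("dst"))
        ev.update(vendor="sonicwall", event=f.get("msg"), src_ip=src_ip,
                  src_port=src_port, dst_ip=dst_ip, dst_port=dst_port)
    return ev


# The guide's sample events, reassembled onto single lines (some keys dropped).
CLAVISTER = ("<134>[2016-04-26 16:10:07] EFW: CONN: prio=1 id=00600005 rev=1 "
             "event=conn_close_natsat action=close connipproto=TCP connrecvif=If3 "
             "connsrcip=192.168.99.13 connsrcport=43347 conndestif=If1 conndestip=1.1.1.1 "
             "conndestport=443 origsent=1395 termsent=5763 conntime=83")
CYBEROAM = ('<30>date=2019-07-10 time=11:06:48 timezone="GMT" device_name="CR50iNG" '
            'device_id=C162213098933-QQ6REI log_id=010101600001 log_type="Firewall" '
            'log_component="Firewall Rule" log_subtype="Allowed" status="Allow" user_name="" '
            'in_interface="PortA" out_interface="" src_mac=00: 0:00: 0:10: 0 src_ip=10.0.70.17 '
            'dst_ip=1.1.1.1 protocol="TCP" src_port=61244 dst_port=443 tran_src_ip= '
            'tran_src_port=0 tran_dst_ip=10.0.0.13 tran_dst_port=8080 connevent="Start"')
SONICWALL = ('Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" '
             'fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 '
             'src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000')
FORTIGATE = ('<185>date=2010-04-11 time=20:31:25 devname=APS3012404200944 '
             'device_id=APS3012404200944 log_id=0104032002 type=event subtype=admin '
             'pri=alert vd=root user="root" ui=ssh(10.1.20.21) action=login status=failed '
             'reason="name_invalid"msg="Administrator root login failed from ssh(10.1.20.21) '
             'because of invalid user name"')

if __name__ == "__main__":
    for sample in (CLAVISTER, CYBEROAM, SONICWALL, FORTIGATE):
        ev = normalize(sample)
        print(f"{str(ev['vendor']):<10} {str(ev['event']):<28} "
              f"{ev['src_ip']}:{ev['src_port']} -> {ev['dst_ip']}:{ev['dst_port']}")
```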

Imperva Securesphere Web App Firewall

What is Discovered and Monitored

Event Types

Reports

Configuration

Setup in FortiSIEM

Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
   a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
   b. Enter these settings in the Access Method Definition dialog box:

Setting Value

Name <set name>

Device Type Imperva Securesphere Web App Firewall

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration

User Name A user who has access credentials for the device

Password The password for the user

Super Password Password for Super

3. In Step 2, Enter IP Range to Credential Associations:


a. Select the name of your credential from the Credentials drop-down list.
b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
c. Click Save.
4. Click Test to test the connection to Imperva Securesphere Web App Firewall.

5. To see the jobs associated with Imperva, select ADMIN > Pull Events.
6. To see the received events select ANALYTICS, then enter Imperva in the search box.

Juniper Networks SSG Firewall

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Host name, Hardware model, Network interfaces, Operating system version
  Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
  Used for: Availability and Performance Monitoring

Protocol: Telnet/SSH
  Information discovered: Running configuration
  Metrics collected: Configuration Change
  Used for: Performance Monitoring, Security and Compliance

Protocol: Syslog
  Information discovered: Device type
  Metrics collected: Traffic log, Admin login activity logs, Interface up/down logs
  Used for: Availability, Security and Compliance

Event Types

In ADMIN > Device Support > Event, search for "SSG" in the Device Type column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP and SSH

Enable SNMP, SSH, and Ping

1. Log in to your firewall's device manager as an administrator.


2. Go to Network > Interfaces > List.
3. Select the interface and click Edit.
4. Under Service Options, for Management Services, select SNMP and SSH.
5. For Other Services, select Ping.

Create SNMP Community String and Management Station IP

1. Go to Configuration > Report Settings > SNMP.


2. If no SNMP community exists yet, create one with read-only access. The guide uses the public community as its example; a non-default, read-only community string is preferable, because SNMP v1/v2c sends it in clear text.
3. Enter the Host IP address and Netmask of your FortiSIEM virtual appliance.
4. Select the Source Interface that your firewall will use to communicate with FortiSIEM.
5. Click OK.
You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more
information, see "Discovery Settings" and "Setting Credentials" in the User Guide.

Syslog

Modify Policies so Traffic Matching a Policy is Sent via Syslog to FortiSIEM

1. Go to Policies.
2. Select a policy and click Options.
3. Select Logging.
4. Click OK.

Set FortiSIEM as a Destination Syslog Server

1. Go to Configuration > Report Settings > Syslog.


2. Select Enable syslog messages.
3. Select the Source Interface that your firewall will use to communicate with FortiSIEM.
4. Under Syslog servers, enter the IP/Hostname of your FortiSIEM virtual appliance.
5. For Port, enter 514.
6. For Security Facility, select LOCAL0.
7. For Facility, select LOCAL0.
8. Select Event Log and Traffic Log.
9. Select Enable.
10. Click Apply.

Set the Severity of Syslogs to Send to FortiSIEM

1. Go to Configuration > Report Setting > Log Settings.


2. Click Syslog.
3. Select the Severity Levels of the syslogs you want sent to FortiSIEM.
4. Click Apply.

Sample Parsed Juniper SSG Syslog

<129>Aug 26 11:09:45 213.181.33.233 20090826, 6219282, 2009/08/26 09:09:40, 2009/08/26 08:09:49, global.CoX, 1363, CoX-eveTd-fw1, 213.181.41.226, traffic, traffic log, untrust, (NULL), 81.243.104.82, 64618, 81.243.104.82, 64618, dmz, (NULL), 213.181.36.162, 443, 213.181.36.162, 443, tcp, global.CoX, 1363, Workaniser_cleanup, fw/vpn, 34, accepted, info, no, (NULL), (NULL), (NULL), (NULL), 3, 858, 1323, 2181, 0, 0, 14, 1, no, 0, Not

<129>Aug 26 11:09:45 213.181.33.233 20090826, 6219282, 2009/08/26 09:09:40, 2009/08/26 08:09:49, global.CoX, 1363, CoX-eveTd-fw1, Category, Sub-Category, untrust, (NULL), 81.243.104.82, 64618, 81.243.104.82, 64618, dmz, (NULL), 213.181.36.162, 443, 213.181.36.162, 443, tcp, global.Randstad, 1363, Workaniser_cleanup, fw/vpn, 34, accepted, info, no, (NULL), (NULL), (NULL), (NULL), 3, 858, 1323, 2181, 0, 0, 14, 1, no, 0, Not

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String.

Setting Value

Name <set name>

Device Type Generic

Access Protocol SNMP

Community String <your own>

Telnet Access Credentials for All Devices

These are the generic settings for providing Telnet access to your device from FortiSIEM.

Setting Value

Name Telnet-generic

Device Type generic

Access Protocol Telnet

Port 23

User Name A user who has permission to access the device over Telnet

Password The password associated with the user

SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting Value

Name ssh-generic

Device Type Generic

Access Protocol SSH

Port 22

User Name A user who has access credentials for your device over SSH

Password The password for the user

McAfee Firewall Enterprise (Sidewinder)

- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For

Syslog

Event Types

In ADMIN > Device Support > Event, search for "sidewinder" in the Device Type column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslogs to
FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
l For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your FortiSIEM virtual
appliance.
l For Port, enter 514.
l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that
shown in the example.

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your device.

Setting Value

Name <set name>

Device Type McAfee Sidewinder Firewall

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration

Sample Parsed Sidewinder Syslog

Jun 18 10:34:08 192.168.2.10 wcrfw1 auditd: date="2011-06-18 14:34:08 +0000",fac=f_http_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=2093,logid=0,cmd=httpp,hostname=wcrfw1.community.int,event="session end",app_risk=low,app_categories=infrastructure,netsessid=1adc04dfcb760,src_geo=US,srcip=74.70.205.191,srcport=3393,srczone=external,protocol=6,dstip=10.1.1.27,dstport=80,dstzone=dmz1,bytes_written_to_client=572,bytes_written_to_server=408,rule_name=BTC-inbound,cache_hit=1,start_time="2011-06-18 14:34:08 +0000",application=HTTP

Palo Alto Firewall

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Host name, Hardware model, Network interfaces, Operating system version
  Metrics collected: Uptime, CPU utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
  Used for: Availability and Performance Monitoring

Protocol: Telnet/SSH
  Information discovered: Running configuration
  Metrics collected: Configuration Change
  Used for: Performance Monitoring, Security and Compliance

Protocol: Syslog
  Information discovered: Device type
  Metrics collected: Traffic log, Threat log (URL, Virus, Spyware, Vulnerability, File, Scan, Flood and data subtypes), config and system logs
  Used for: Availability, Security and Compliance

Event Types

In ADMIN > Device Support > Event, search for "palo alto" in the Description column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

In RESOURCE > Reports , search for "palo alto" in the Description column to see the reports associated with this
device.

Configuration

SNMP, SSH, and Ping

1. Log in to the management console for your firewall with administrator privileges.
2. In the Device tab, click Setup.
3. Click Edit.
4. Under MGMT Interface Services, make sure SSH, Ping, and SNMP are selected.
5. For SNMP Community String, enter the read-only community string that FortiSIEM will use. The guide uses public as its example; choose a non-default string, since SNMP v1/v2c sends it in clear text.
6. If there are entries in the Permitted IP list, add the IP address of your FortiSIEM virtual appliance.
7. Click OK.
8. Go to Setup > Management and check that SNMP is enabled on the management interface.

Syslog

Set FortiSIEM as a Syslog Destination

1. Log in to the management console for your firewall with administrator privileges.
2. In the Device tab, go to Log Destinations > Syslog.
3. Click New.
4. Enter a Name for your FortiSIEM virtual appliance.
5. For Server, enter the IP address of your virtual appliance.
6. For Port, enter 514.
7. For Facility, select LOG_USER.
8. Click OK.

Set the Severity of Logs to Send to FortiSIEM

1. In the Device tab, go to Log Settings > System.


2. Click Edit... .
3. For each type of log you want sent to FortiSIEM, select the FortiSIEM virtual appliance in the Syslog menu.
4. Click OK.

Create a Log Forwarding Profile

1. In the Objects tab, go to Log Forwarding > System.


2. Create a new log forwarding profile by entering a Name for the profile, and then setting Syslog to the IP address
of your FortiSIEM virtual appliance for each type of log you want send to FortiSIEM.
3. Click OK.

Use the Log Forwarding Profile in Firewall Policies

1. In the Policies tab, go to Security > System.


2. For each security rule that you want to send logs to FortiSIEM, click Options.
3. For Log Forwarding Profile, select the profile you created for FortiSIEM.

4. Click OK.
5. Commit changes.

Logging Permitted Web Traffic

By default, Palo Alto firewalls only log web traffic that is blocked by URL filtering policies. If you must log permitted web
traffic, follow these steps.
1. In the Objects tab, go to Security Profiles > URL Filtering.
2. Edit an existing profile by clicking on its name, or click Add to create a new one.
3. For website categories that you want to log, select Alert.
Traffic matching these website category definitions will be logged.
4. Click OK.
5. For each security rule that you want to send logs to FortiSIEM, edit the rule and add the new url filter.

Sample Parsed Palo Alto Syslog Message

<14>May 6 15:51:04 1,2010/05/06 15:51:04,0006C101167,TRAFFIC,start,1,2010/05/06 15:50:58,192.168.28.21,172.16.255.78,::172.16.255.78,172.16.255.78,rule3,,,icmp,vsys1,untrust,untrust,ethernet1/1,ethernet1/1,syslog-172.16.20.152,2010/05/06 15:51:04,600,2,0,0,0,0,0x40,icmp,allow,196,196,196,2,2010/05/06 15:50:58,0,any,0

<14>May 6 15:51:15 1,2010/05/06 15:51:15,0006C101167,SYSTEM,general,0,2010/05/06 15:51:15,,unknown,,0,0,general,informational,User admin logged in via CLI from 192.168.28.21

<14>May 9 17:55:21 1,2010/05/09 17:55:21,0006C101167,THREAT,url,6,2010/05/09 17:55:20,172.16.2.2,216.163.137.68,::172.16.255.78,216.163.137.68,DynamicDefault,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,syslog-172.16.20.152,2010/05/09 17:55:21,976,1,1126,80,38931,80,0x40,tcp,block-url,"www.playboy.com/favicon.ico",(9999),adult-and-pornography,informational,0
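
PAN-OS syslog is positional: a comma-separated record with no key names, and the column layout depends on the log type in the fourth column. The following is an added example, not FortiSIEM or Palo Alto Networks code, of a parser for the three samples above. The column maps are read off those samples (the TRAFFIC, THREAT and SYSTEM layouts of that PAN-OS generation) and are an assumption for any other release; newer releases append columns, which the parser keeps visible under an "extra" key rather than silently dropping. On top of the parser it runs two checks a practitioner would want: listing URL-filtering events with their verdict (permitted traffic only appears when the category action is Alert, as the "Logging Permitted Web Traffic" steps above describe) and extracting administrator logins from SYSTEM events. The fourth sample line is constructed to show a permitted (alerted) URL event.

```python
"""Positional parser for PAN-OS syslog (added example; column maps are assumptions)."""
import csv
import re
from typing import Dict, Iterable, List, Tuple

SYSLOG_HDR = re.compile(r"^<\d{1,3}>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d\s+")

COMMON = ["future_use", "receive_time", "serial", "type", "subtype", "future_use2", "generated_time"]
SESSION = ["src", "dst", "nat_src", "nat_dst", "rule", "src_user", "dst_user", "app", "vsys",
           "from_zone", "to_zone", "in_if", "out_if", "log_action", "time_logged", "session_id",
           "repeat", "sport", "dport", "nat_sport", "nat_dport", "flags", "proto", "action"]
LAYOUTS = {
    "TRAFFIC": COMMON + SESSION + ["bytes", "bytes_sent", "bytes_received", "packets",
                                   "start_time", "elapsed", "category", "future_use3"],
    "THREAT": COMMON + SESSION + ["misc", "threat_id", "category", "severity", "direction"],
    "SYSTEM": COMMON + ["vsys", "event_id", "object", "future_use3", "future_use4",
                        "module", "severity", "description"],
}
LOGIN_RE = re.compile(r"User (\S+) logged in via (\S+) from (\S+)")


def parse_pan(line: str) -> Dict[str, str]:
    payload = SYSLOG_HDR.sub("", line, count=1)
    values = next(csv.reader([payload]))        # csv handles the quoted URL in THREAT/url rows
    if len(values) < 4:
        raise ValueError("too few columns for a PAN-OS log")
    layout = LAYOUTS.get(values[3])
    if layout is None:
        raise ValueError(f"unknown log type {values[3]!r}")
    event = dict(zip(layout, values))
    if len(values) > len(layout):               # newer PAN-OS releases append columns
        event["extra"] = values[len(layout):]
    return event


def url_events(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """(src, url, category, verdict) for every THREAT/url row."""
    out = []
    for line in lines:
        ev = parse_pan(line)
        if ev.get("type") == "THREAT" and ev.get("subtype") == "url":
            verdict = "blocked" if ev["action"].startswith("block") else "permitted"
            out.append((ev["src"], ev["misc"], ev["category"], verdict))
    return out


def admin_logins(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """(user, method, source) for administrator logins reported in SYSTEM logs."""
    out = []
    for line in lines:
        ev = parse_pan(line)
        if ev.get("type") == "SYSTEM":
            m = LOGIN_RE.search(ev.get("description", ""))
            if m:
                out.append(m.groups())
    return out


# The three samples from this guide, plus one constructed THREAT/url row with action=alert.
TRAFFIC = ("<14>May 6 15:51:04 1,2010/05/06 15:51:04,0006C101167,TRAFFIC,start,1,2010/05/06 15:50:58,"
           "192.168.28.21,172.16.255.78,::172.16.255.78,172.16.255.78,rule3,,,icmp,vsys1,untrust,untrust,"
           "ethernet1/1,ethernet1/1,syslog-172.16.20.152,2010/05/06 15:51:04,600,2,0,0,0,0,0x40,icmp,allow,"
           "196,196,196,2,2010/05/06 15:50:58,0,any,0")
SYSTEM = ("<14>May 6 15:51:15 1,2010/05/06 15:51:15,0006C101167,SYSTEM,general,0,2010/05/06 15:51:15,,"
          "unknown,,0,0,general,informational,User admin logged in via CLI from 192.168.28.21")
THREAT = ("<14>May 9 17:55:21 1,2010/05/09 17:55:21,0006C101167,THREAT,url,6,2010/05/09 17:55:20,"
          "172.16.2.2,216.163.137.68,::172.16.255.78,216.163.137.68,DynamicDefault,,,web-browsing,vsys1,"
          "trust,untrust,ethernet1/2,ethernet1/1,syslog-172.16.20.152,2010/05/09 17:55:21,976,1,1126,80,"
          '38931,80,0x40,tcp,block-url,"www.playboy.com/favicon.ico",(9999),adult-and-pornography,'
          "informational,0")
ALERT = ("<14>May 9 17:56:00 1,2010/05/09 17:56:00,0006C101167,THREAT,url,6,2010/05/09 17:55:59,"
         "172.16.2.3,203.0.113.10,::172.16.255.78,203.0.113.10,DynamicDefault,,,web-browsing,vsys1,"
         "trust,untrust,ethernet1/2,ethernet1/1,syslog-172.16.20.152,2010/05/09 17:56:00,977,1,1127,80,"
         '38932,80,0x40,tcp,alert,"www.example.com/",(9999),business-and-economy,informational,0')

if __name__ == "__main__":
    for line in (TRAFFIC, SYSTEM, THREAT, ALERT):
        print(parse_pan(line))
    print(url_events([TRAFFIC, SYSTEM, THREAT, ALERT]))
    print(admin_logins([TRAFFIC, SYSTEM, THREAT, ALERT]))
```

The csv module, rather than str.split, is what makes the THREAT/url row safe: the URL column is quoted precisely because URLs can contain commas.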

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name
and Community String.

Setting Value

Name <set name>

Device Type Generic

Access Protocol SNMP

Community String <your own>

Telnet Access Credentials for All Devices

These are the generic settings for providing Telnet access to your device from FortiSIEM.

Setting Value

Name Telnet-generic

Device Type generic

Access Protocol Telnet

Port 23

User Name A user who has permission to access the device over Telnet

Password The password associated with the user

SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting Value

Name ssh-generic

Device Type Generic

Access Protocol SSH

Port 22

User Name A user who has access credentials for your device over SSH

Password The password for the user

Sophos UTM

- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: Syslog
  Metrics collected: Configuration change, command execution
  Used for: Log Management, Compliance and SIEM

Event Types

In ADMIN > Device Support > Event, search for "sophos-utm" to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslog to
FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
l For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your FortiSIEM virtual
appliance.
l For Port, enter 514.

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your device.

Setting Value

Name <set name>

Device Type Sophos UTM

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration

Sample Syslog Message

<30>2016:07:05-16:57:39 c-server-1 httpproxy[15760]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.10.10.10" dstip="1.1.1.1" user="" group="" ad_domain="" statuscode="302" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffCustoConteFilte (Custom_Default content filter action)" size="0" request="0xdc871600" url="http://a.com" referer="http://foo.com/bar/" error="" authtime="0" dnstime="1" cattime="24080" avscantime="0" fullreqtime="52627" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions="" category="154" reputation="unverified" categoryname="Web Ads"

Stormshield Network Security

- Integration Points
- Configuring Stormshield to Send Logs
- Configuring FortiSIEM to Receive Logs
- Stormshield Event Types
- Stormshield Sample Logs

Integration Points

Protocol Information Collected Used For

Syslog Firewall logs Security and Compliance Monitoring

Configuring Stormshield to Send Logs

Follow the steps in the Stormshield documentation under the "Choose where to save logs" section to send the firewall logs to a syslog server, giving the address of your FortiSIEM node as the destination.

Configuring FortiSIEM to Receive Logs

No configuration is needed. FortiSIEM can automatically detect and parse Stormshield logs based on the built in parser.

Stormshield Event Types

Go to Resources > Event Type and search "Stormshield-"

Stormshield Sample Logs

id=firewall time="2019-02-24 16:38:01" fw="SN310A17B0323A7" tz=+0100 startime="2019-02-24 16:38:00" pri=5 confid=00 slotlevel=2 ruleid=4 rulename="1690fb96019_7" srcif="Ethernet0" srcifname="out" ipproto=udp proto=ssdp src=10.11.11.11 srcport=49907 srcportname=ephemeral_fw_udp srcname=skywalker srcmac=11:11:11:11:11:11 dst=10.10.10.10 dstport=1900 dstportname=sdp ipv=4 sent=0 rcvd=0 duration=0.00 action=pass logtype="filter"
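
Four of the samples in this guide share one syslog dialect: the FortiGate admin-login event, the McAfee Sidewinder audit record, the Sophos UTM web-filter line and the Stormshield filter line above are all key=value pairs, separated by spaces or commas, with values optionally double-quoted (so they can hold spaces, commas and parentheses), sometimes behind an RFC 3164 <PRI> prefix. The following is an added example, not FortiSIEM's parser (whose internals the guide does not describe), that tokenizes that dialect, decodes the PRI into facility and severity, maps the vendor-specific source and destination keys onto one schema for correlation, and runs one detection over the lines: counting failed administrator logins per source address from the FortiGate event. The sample lines are the guide's own, reflowed onto single lines, with the Sophos and Stormshield lines abridged; nothing beyond those samples is assumed about the devices.

```python
"""Parser for the key=value syslog dialect shared by the FortiGate, Sidewinder,
Sophos UTM and Stormshield samples (added example, not FortiSIEM code)."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# key=value where value is a double-quoted string (backslash escapes allowed) or
# a bare run of characters up to the next space, comma or quote.
KV_RE = re.compile(r'([A-Za-z0-9_.-]+)=("(?:[^"\\]|\\.)*"|[^\s,"]*)')
PRI_RE = re.compile(r"^<(\d{1,3})>")
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "security", "console", "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def split_pri(line: str):
    """Decode the RFC 3164 <PRI> prefix into (facility, severity, rest). Lines without
    a PRI (the Sidewinder and Stormshield samples) yield None for both."""
    m = PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    facility = FACILITIES[pri // 8] if pri // 8 < len(FACILITIES) else str(pri // 8)
    return facility, SEVERITIES[pri % 8], line[m.end():]


def parse_kv(line: str) -> Dict:
    facility, severity, rest = split_pri(line)
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(rest):       # text before the first key (timestamp, host, tag) is skipped
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return {"facility": facility, "severity": severity, "fields": fields}


# Vendors name the same attribute differently; fold them onto one schema for correlation.
SRC_KEYS = ("srcip", "src")
DST_KEYS = ("dstip", "dst")
DEVICE_KEYS = ("devname", "fw", "hostname")


def normalize(fields: Dict[str, str]) -> Dict[str, Optional[str]]:
    def first(keys):
        return next((fields[k] for k in keys if k in fields), None)
    return {"src": first(SRC_KEYS), "dst": first(DST_KEYS),
            "action": fields.get("action"), "device": first(DEVICE_KEYS)}


UI_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")   # FortiGate ui=ssh(10.1.20.21)


def failed_admin_logins(lines: Iterable[str]) -> Counter:
    """Count FortiGate failed administrator logins per source address."""
    hits: Counter = Counter()
    for line in lines:
        f = parse_kv(line)["fields"]
        if (f.get("type"), f.get("subtype"), f.get("action"), f.get("status")) == ("event", "admin", "login", "failed"):
            m = UI_IP_RE.search(f.get("ui", ""))
            hits[m.group(1) if m else "unknown"] += 1
    return hits


FORTIGATE = ('<185>date=2010-04-11 time=20:31:25 devname=APS3012404200944 device_id=APS3012404200944 '
             'log_id=0104032002 type=event subtype=admin pri=alert vd=root user="root" ui=ssh(10.1.20.21) '
             'action=login status=failed reason="name_invalid" msg="Administrator root login failed from '
             'ssh(10.1.20.21) because of invalid user name"')
SIDEWINDER = ('Jun 18 10:34:08 192.168.2.10 wcrfw1 auditd: date="2011-06-18 14:34:08 +0000",fac=f_http_proxy,'
              'area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=2093,logid=0,cmd=httpp,'
              'hostname=wcrfw1.community.int,event="session end",app_risk=low,app_categories=infrastructure,'
              'netsessid=1adc04dfcb760,src_geo=US,srcip=74.70.205.191,srcport=3393,srczone=external,protocol=6,'
              'dstip=10.1.1.27,dstport=80,dstzone=dmz1,bytes_written_to_client=572,bytes_written_to_server=408,'
              'rule_name=BTC-inbound,cache_hit=1,start_time="2011-06-18 14:34:08 +0000",application=HTTP')
SOPHOS = ('<30>2016:07:05-16:57:39 c-server-1 httpproxy[15760]: id="0001" severity="info" sys="SecureWeb" '
          'sub="http" name="http access" action="pass" method="GET" srcip="10.10.10.10" dstip="1.1.1.1" '
          'user="" group="" statuscode="302" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
          'url="http://a.com" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" '
          'category="154" categoryname="Web Ads"')
STORMSHIELD = ('id=firewall time="2019-02-24 16:38:01" fw="SN310A17B0323A7" tz=+0100 '
               'startime="2019-02-24 16:38:00" pri=5 ruleid=4 rulename="1690fb96019_7" ipproto=udp proto=ssdp '
               'src=10.11.11.11 srcport=49907 srcmac=11:11:11:11:11:11 dst=10.10.10.10 dstport=1900 '
               'action=pass logtype="filter"')

if __name__ == "__main__":
    for line in (FORTIGATE, SIDEWINDER, SOPHOS, STORMSHIELD):
        ev = parse_kv(line)
        print(ev["facility"], ev["severity"], normalize(ev["fields"]))
    print(failed_admin_logins([FORTIGATE, SIDEWINDER, SOPHOS, STORMSHIELD]))
```

The one place this dialect bites is quoting: a split on spaces or commas breaks the Sidewinder date, the Sophos profile name and the FortiGate msg field, which is why the tokenizer consumes a quoted value as a whole before looking for the next key.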

Tigera Calico

- Integration Points
- Configuring Tigera Calico to Send Logs
- Configuring FortiSIEM to Receive Logs
- Tigera Calico Event Types
- Tigera Calico Sample Logs

Integration Points

Protocol Information Collected Used For

Syslog Flow, Audit and DNS logs Security and Compliance Monitoring

Configuring Tigera Calico to Send Logs

Follow the steps in the Tigera Calico Enterprise documentation for forwarding logs to a syslog server, giving the address of your FortiSIEM node as the destination.

Configuring FortiSIEM to Receive Logs

No configuration is needed. FortiSIEM can automatically detect and parse Tigera Calico logs based on the built in
parser.

Tigera Calico Event Types

Go to Resources > Event Type and search "Calico_Enterprise_"

Tigera Calico Sample Logs

<14>May 8 15:49:58 ip-10-0-0-193.ec2.internal tigera_secure: {"start_time":1588952982,"end_time":1588952992,"source_ip":"10.48.98.2","source_name":"elastic-operator-0","source_name_aggr":"elastic-operator-*","source_namespace":"tigera-eck-operator","source_port":null,"source_type":"wep","source_labels":{"labels":["k8s-app=elastic-operator","statefulset.kubernetes.io/pod-name=elastic-operator-0","control-plane=elastic-operator","controller-revision-hash=elastic-operator-6fc7545df5"]},"dest_ip":"10.48.241.198","dest_name":"tigera-secure-es-es-0","dest_name_aggr":"tigera-secure-es-es-*","dest_namespace":"tigera-elasticsearch","dest_port":9200,"dest_type":"wep","dest_labels":{"labels":["statefulset.kubernetes.io/pod-name=tigera-secure-es-es-0","elasticsearch.k8s.elastic.co/version=7.3.2","controller-revision-hash=tigera-secure-es-es-757895bb98","elasticsearch.k8s.elastic.co/http-scheme=https","elasticsearch.k8s.elastic.co/statefulset-name=tigera-secure-es-es","elasticsearch.k8s.elastic.co/node-data=true","elasticsearch.k8s.elastic.co/config-hash=1585026949","elasticsearch.k8s.elastic.co/node-ml=true","common.k8s.elastic.co/type=elasticsearch","elasticsearch.k8s.elastic.co/node-ingest=true","elasticsearch.k8s.elastic.co/node-master=true","elasticsearch.k8s.elastic.co/cluster-name=tigera-secure"]},"proto":"tcp","action":"allow","reporter":"dst","policies":{"all_policies":["0|allow-tigera|tigera-elasticsearch/allow-tigera.elasticsearch-access|allow"]},"bytes_in":2593,"bytes_out":4617,"num_flows":3,"num_flows_started":1,"num_flows_completed":1,"packets_in":17,"packets_out":10,"http_requests_allowed_in":0,"http_requests_denied_in":0,"original_source_ips":null,"num_original_source_ips":0,"host":"fluentd-node-xzscj"}
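
Unlike the firewall formats earlier in this chapter, the Calico flow log is a JSON document after the tigera_secure: syslog tag, and each record already aggregates several flows between a source and destination endpoint (the num_flows counters) with the list of policies that were evaluated. The following is an added example, not FortiSIEM or Tigera code, that strips the syslog prefix, parses the JSON, splits each "<index>|<tier>|<policy>|<action>" policy string (a layout read from the sample above and assumed for other releases), and answers the two questions an analyst usually asks of these logs: which flows were denied and by which policy, and how much traffic moved between each pair of namespaces. The first sample line is the guide's own with its label lists shortened; the second is constructed to show a denied flow.

```python
"""Tigera Calico Enterprise flow-log parser (added example; second sample constructed)."""
import json
from typing import Dict, Iterable, List, NamedTuple, Tuple

TAG = "tigera_secure: "


class PolicyHit(NamedTuple):
    index: int
    tier: str
    policy: str
    action: str


def parse_policy(s: str) -> PolicyHit:
    """Split "0|allow-tigera|tigera-elasticsearch/allow-tigera.elasticsearch-access|allow"."""
    idx, tier, policy, action = s.split("|", 3)
    return PolicyHit(int(idx), tier, policy, action)


def parse_flow(line: str) -> Dict:
    pos = line.find(TAG)
    if pos < 0:
        raise ValueError("not a tigera_secure syslog line")
    flow = json.loads(line[pos + len(TAG):])
    flow["policy_hits"] = [parse_policy(p) for p in flow.get("policies", {}).get("all_policies", [])]
    return flow


def endpoint(flow: Dict, side: str) -> str:
    """namespace/aggregated-name for side 'source' or 'dest'; '-' for hosts outside the cluster."""
    ns = flow.get(side + "_namespace") or "-"
    name = flow.get(side + "_name_aggr") or flow.get(side + "_name") or "-"
    return f"{ns}/{name}"


def denied_flows(lines: Iterable[str]) -> List[Dict]:
    """Flows denied by policy (or with HTTP requests denied), with the deciding policy."""
    out = []
    for line in lines:
        f = parse_flow(line)
        if f.get("action") == "deny" or f.get("http_requests_denied_in", 0) > 0:
            deciding = next((h for h in f["policy_hits"] if h.action == "deny"), None)
            out.append({"src": endpoint(f, "source"), "dst": endpoint(f, "dest"),
                        "port": f.get("dest_port"), "proto": f.get("proto"),
                        "policy": deciding.policy if deciding else None, "reporter": f.get("reporter")})
    return out


def bytes_by_pair(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Total bytes per (source namespace, destination namespace)."""
    totals: Dict[Tuple[str, str], int] = {}
    for line in lines:
        f = parse_flow(line)
        key = (f["source_namespace"], f["dest_namespace"])
        totals[key] = totals.get(key, 0) + f.get("bytes_in", 0) + f.get("bytes_out", 0)
    return totals


SAMPLE_LINES = [
    # The guide's sample, label lists shortened.
    '<14>May 8 15:49:58 ip-10-0-0-193.ec2.internal tigera_secure: {"start_time":1588952982,'
    '"end_time":1588952992,"source_ip":"10.48.98.2","source_name":"elastic-operator-0",'
    '"source_name_aggr":"elastic-operator-*","source_namespace":"tigera-eck-operator","source_port":null,'
    '"source_type":"wep","source_labels":{"labels":["k8s-app=elastic-operator"]},"dest_ip":"10.48.241.198",'
    '"dest_name":"tigera-secure-es-es-0","dest_name_aggr":"tigera-secure-es-es-*",'
    '"dest_namespace":"tigera-elasticsearch","dest_port":9200,"dest_type":"wep",'
    '"dest_labels":{"labels":["elasticsearch.k8s.elastic.co/cluster-name=tigera-secure"]},"proto":"tcp",'
    '"action":"allow","reporter":"dst","policies":{"all_policies":'
    '["0|allow-tigera|tigera-elasticsearch/allow-tigera.elasticsearch-access|allow"]},"bytes_in":2593,'
    '"bytes_out":4617,"num_flows":3,"num_flows_started":1,"num_flows_completed":1,"packets_in":17,'
    '"packets_out":10,"http_requests_allowed_in":0,"http_requests_denied_in":0,"original_source_ips":null,'
    '"num_original_source_ips":0,"host":"fluentd-node-xzscj"}',
    # Constructed: a pod in the default namespace denied access to the same Elasticsearch service.
    '<14>May 8 15:50:08 ip-10-0-0-193.ec2.internal tigera_secure: {"start_time":1588952992,'
    '"end_time":1588953002,"source_ip":"10.48.0.17","source_name":"curl-7d9f","source_name_aggr":"curl-*",'
    '"source_namespace":"default","source_port":null,"source_type":"wep",'
    '"source_labels":{"labels":["app=curl"]},"dest_ip":"10.48.241.198","dest_name":"tigera-secure-es-es-0",'
    '"dest_name_aggr":"tigera-secure-es-es-*","dest_namespace":"tigera-elasticsearch","dest_port":9200,'
    '"dest_type":"wep","dest_labels":{"labels":[]},"proto":"tcp","action":"deny","reporter":"dst",'
    '"policies":{"all_policies":["0|allow-tigera|tigera-elasticsearch/allow-tigera.elasticsearch-access|pass",'
    '"1|default|tigera-elasticsearch/default.deny-external|deny"]},"bytes_in":0,"bytes_out":0,"num_flows":1,'
    '"num_flows_started":1,"num_flows_completed":0,"packets_in":3,"packets_out":0,'
    '"http_requests_allowed_in":0,"http_requests_denied_in":0,"original_source_ips":null,'
    '"num_original_source_ips":0,"host":"fluentd-node-xzscj"}',
]

if __name__ == "__main__":
    print(denied_flows(SAMPLE_LINES))
    print(bytes_by_pair(SAMPLE_LINES))
```

Because each record is already an aggregate, counting records is not counting connections; use num_flows, num_flows_started and num_flows_completed for that, and bytes_in/bytes_out for volume.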

WatchGuard Firebox Firewall

- Integration points
- Configuring WatchGuard Firebox for SNMP Access
- Configuring FortiSIEM

Integration points

Protocol: SNMP
  Information discovered: Performance metrics: CPU, Memory, Uptime, Interface usage statistics, Connection rate and Policy statistics
  Used for: Performance and Availability Monitoring

Configuring Watchguard Firebox for SNMP Access

1. Log on to the WatchGuard Firebox management console.
2. Follow the WatchGuard Firebox documentation to allow inbound SNMP access (default UDP port 161) from the FortiSIEM node that will poll the Firebox.
3. Note the SNMP credentials. FortiSIEM supports SNMP versions 1, 2 and 3.

Configuring FortiSIEM

Use the SNMP credentials noted in the previous step to configure FortiSIEM access:

1. Log in to FortiSIEM.
2. Go to ADMIN > Setup > Credentials.
3. Click New to create a generic SNMP credential:
a. Device Type = Generic
b. Access Protocol = SNMP or SNMP V3
c. Port: keep the default SNMP port (161) unless it was changed on the Firebox.
d. Password config: Manual or CyberArk. See Password Configuration.
e. If Access Protocol is SNMP, enter the Community String.
f. If Access Protocol is SNMP V3, enter the SNMP V3 security configuration and credentials (user, authentication and privacy protocols and their passwords). SNMP V3 with authentication and privacy is preferable to v1/v2c, whose community string travels in clear text.
g. Click Save.
4. Enter an IP Range to Credential Association:
a. Enter the IP or IP range containing the Firebox firewall. Allowed formats are comma-separated IPs, a range written as IP1-IP2, or a range in CIDR notation.
b. Select the credential created in step 3 above.
c. Click Save.
5. Select the entry from step 4 and click Test Connectivity. If it succeeds, the credential is correct.
6. Go to ADMIN > Setup > Discover.
6. Go to ADMIN > Setup > Discover.

7. Create a discovery entry containing the IP Address of the Firebox firewall and discover the device. Make sure
Discovery succeeds.
8. An entry will be created in ADMIN > Setup > Change/Monitor corresponding to this firewall. FortiSIEM will start
to pull SNMP metrics from this firewall.

Load Balancers and Application Firewalls

FortiSIEM supports these load balancers and application firewalls for discovery and monitoring.
- Brocade ServerIron ADX
- Citrix NetScaler Application Delivery Controller (ADC)
- F5 Networks Application Security Manager
- F5 Networks Local Traffic Manager
- F5 Networks Web Accelerator
- Fortinet FortiADC
- Qualys Web Application Firewall

Brocade ServerIron ADX

- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Host name, serial number, hardware (CPU, memory, network interface etc.)
  Metrics/Logs collected: Uptime, CPU, Memory, Interface Utilization, Hardware status, Real Server Statistics
  Used for: Performance/Availability Monitoring

Event Types

- PH_DEV_MON_SYS_CPU_UTIL
[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceBrocadeServerIron.cpp,
[lineNumber]=434,[cpuName]=CPU,[hostName]=lb1-1008-qts,[hostIpAddr]=10.120.3.15,
[cpuUtil]=55.000000,[pollIntv]=176,[phLogDetail]=

- PH_DEV_MON_SYS_MEM_UTIL
[PH_DEV_MON_SYS_MEM_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceBrocadeServerIron.cpp,
[lineNumber]=456,[memName]=Physical Memory,[hostName]=lb1-1008-qts,[hostIpAddr]=10.120.3.15,
[memUtil]=10.000000,[pollIntv]=176,[phLogDetail]=

- PH_DEV_MON_NET_INTF_UTIL
[PH_DEV_MON_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phIntfFilter.cpp,
[lineNumber]=323,[intfName]=GigabitEthernet8,[intfAlias]=,[hostName]=lb1-1008-qts,
[hostIpAddr]=10.120.3.15,[pollIntv]=56,[recvBytes64]=1000000,
[recvBitsPerSec]=142857.142857,[inIntfUtil]=0.014286,[sentBytes64]=2000000,
[sentBitsPerSec]=285714.285714,[outIntfUtil]=0.028571,[recvPkts64]=0,[sentPkts64]=0,
[inIntfPktErr]=0,[inIntfPktErrPct]=0.000000,[outIntfPktErr]=0,[outIntfPktErrPct]=0.000000,
[inIntfPktDiscarded]=0,[inIntfPktDiscardedPct]=0.000000,[outIntfPktDiscarded]=0,
[outIntfPktDiscardedPct]=0.000000,[outQLen64]=0,[intfInSpeed64]=1000000000,
[intfOutSpeed64]=1000000000,[intfAdminStatus]=up,[intfOperStatus]=up,[daysSinceLastUse]=0,
[totIntfPktErr]=0,[totBitsPerSec]=428571.428571,[phLogDetail]=

- PH_DEV_MON_SERVERIRON_REAL_SERVER_STAT
[PH_DEV_MON_SERVERIRON_REAL_SERVER_STAT]:[eventSeverity]=PHL_INFO,
[fileName]=deviceBrocadeServerIron.cpp,[lineNumber]=507,[hostName]=lb1-1008-qts,
[hostIpAddr]=10.120.3.15,[realServerIpAddr]=10.120.10.131,[realServerState]=7,
[failedPortExists]=2,[openConnectionsCount]=2,[peakConns]=114,[activeSessions]=4,
[phLogDetail]=

- PH_DEV_MON_HW_STATUS
[PH_DEV_MON_HW_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=deviceBrocadeServerIron.cpp,
[lineNumber]=359,[hostName]=lb1-1008-qts,[hostIpAddr]=10.120.3.15,[hwStatusCode]=2,
[hwPowerSupplyStatus]=0,[hwTempSensorStatus]=2,[hwFanStatus]=0,[phLogDetail]=

[PH_DEV_MON_HW_STATUS_TEMP_CRIT]:[eventSeverity]=PHL_CRITICAL,[fileName]=device.cpp,
[lineNumber]=13812,[hostName]=lb1-1008-qts,[hostIpAddr]=10.120.3.15,[hwStatusCode]=2,
[hwComponentName]=1-Temperature sensor,[hwComponentStatus]=Critical,[phLogDetail]=

- PH_DEV_MON_HW_TEMP
[PH_DEV_MON_HW_TEMP]:[eventSeverity]=PHL_INFO,[fileName]=deviceBrocadeServerIron.cpp,
[lineNumber]=401,[hostName]=lb1-1008-qts,[hostIpAddr]=10.120.3.15,[hwComponentName]=Temp1,
[envTempDegF]=90,[phLogDetail]=

Rules

There are no predefined rules for this device other than covered by generic network devices.

Reports

There are no predefined reports for this device other than covered by generic network devices.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your device.

Setting Value

Name <set name>

Device Type Brocade ServerIron ADX

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration

Citrix Netscaler Application Delivery Controller (ADC)

- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: Syslog
  Metrics/Logs collected: Permitted and Denied traffic
  Used for: Log analysis and compliance

Event Types

In ADMIN > Device Support > Event, search for "netscaler" in the Device Type column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

In RESOURCE > Reports, search for "netscaler" in the Name column to see the reports associated with this device.

Configuration

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslogs to
FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
l For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your FortiSIEM virtual
appliance.
l For Port, enter 514.
l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that
shown in the example.

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your device.

Setting Value

Name <set name>

Device Type Citrix NetScaler

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration

Example Syslog

<182> 07/25/2012:19:56:41 PPE-0 : UI CMD_EXECUTED 473128 : User nsroot - Remote_ip 10.13.8.75 - Command "show ns hostName" - Status "Success"

<181> 07/25/2012:19:56:05 NS2-MAIL PPE-0 : EVENT DEVICEUP 33376 : Device "server_vip_NSSVC_SSL_172.17.102.108:443(accellion:443)" - State UP

<181> 07/25/2012:19:55:35 NS2-MAIL PPE-0 : EVENT DEVICEDOWN 33374 : Device "server_vip_NSSVC_SSL_172.17.102.108:443(accellion:443)" - State DOWN

<182> 07/24/2012:15:37:08 PPE-0 : EVENT MONITORDOWN 472795 : Monitor Monitor_http_of_Domapps:80(10.50.15.14:80) - State DOWN

F5 Networks Application Security Manager

- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: Syslog
  Metrics/Logs collected: Various application level attack scenarios - invalid directory access, SQL injections, cross site exploits
  Used for: Log analysis and compliance

Event Types

In ADMIN > Device Support > Event, search for "f5-asm" in the Name column to see the event types associated
with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslogs to
FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
l For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your FortiSIEM virtual
appliance.
l For Port, enter 514.
l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that
shown in the example.

Example Syslog

<134>Jun 26 14:18:56 f5virtual.tdic.ae ASM:CEF:0|F5|ASM|10.2.1|Successful Request|Successful Request|2|dvchost=f5virtual.adic.com dvc=192.168.1.151 cs1=master-key_default cs1Label=policy_name cs2=master-key cs2Label=web_application_name deviceCustomDate1=Jul 13 2011 16:24:25 deviceCustomDate1Label=policy_apply_date externalId=3601068286554428885 act=passed cn1=404 cn1Label=response_code src=10.10.77.54 spt=49399 dst=10.10.175.82 dpt=443 requestMethod=POST app=HTTPS request=/ipp/port1 cs5=N/A cs5Label=x_forwarded_for_header_value rt=Jun 26 2012 14:18:55 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A cs6Label=geo_location cs3Label=full_request cs3=POST /ipp/port1 HTTP/1.1\r\nHost: 127.0.0.1:631\r\nCache-Control: no-cache\r\nContent-Type: application/ipp\r\nAccept: application/ipp\r\nUser-Agent: Hewlett-Packard IPP\r\nContent-Length: 9\r\n\r\n
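
The F5 ASM sample above is Common Event Format: a seven-field pipe-delimited header (CEF version, vendor, product, version, signature id, name, severity) followed by a space-separated extension of key=value pairs, where values may themselves contain spaces and the custom fields cs1..cs6 and cn1..cn3 only get a meaningful name through their csNLabel/cnNLabel companions (cs4Label=attack_type, cs3Label=full_request). The following is an added example, not FortiSIEM or F5 code, of a CEF parser that honours the format's two escaping rules (backslash-pipe and backslash-backslash in the header; backslash-equals, backslash-backslash, \n and \r in extension values), folds the custom fields onto their labels, and classifies an event as an attack when ASM reports an attack_type other than N/A. The first sample is the guide's own; the second is constructed to show a blocked request with an attack type, an escaped pipe in the name field and escaped equals signs in the full request.

```python
"""CEF parser for F5 ASM syslog (added example; second sample constructed)."""
import re
from typing import Dict

HEADER_KEYS = ["cef_version", "vendor", "product", "version", "signature_id", "name", "severity"]
PIPE = re.compile(r"(?<!\\)\|")                    # a pipe that is not escaped
EXT_KEY = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")    # whitespace that precedes the next key=


def _unescape_ext(value: str) -> str:
    """Undo CEF extension escapes; unknown escapes are kept verbatim."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r", "=": "=", "\\": "\\"}.get(value[i + 1], value[i:i + 2]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Rename cs1 -> value of cs1Label (and so on) and drop the *Label keys."""
    labels = {k[:-len("Label")]: v for k, v in ext.items() if k.endswith("Label")}
    return {labels.get(k, k): v for k, v in ext.items() if not k.endswith("Label")}


def parse_cef(line: str) -> Dict:
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    parts = PIPE.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs seven pipe-delimited fields plus an extension")
    event = {k: v.replace("\\|", "|").replace("\\\\", "\\") for k, v in zip(HEADER_KEYS, parts[:7])}
    event["cef_version"] = event["cef_version"].split(":", 1)[1]
    raw_ext: Dict[str, str] = {}
    for token in EXT_KEY.split(parts[7].strip()):
        if "=" in token:
            key, value = token.split("=", 1)
            raw_ext[key] = _unescape_ext(value)
    event["syslog_prefix"] = line[:start]
    event["ext"] = resolve_labels(raw_ext)
    return event


def is_attack(event: Dict) -> bool:
    """ASM reports attack_type=N/A for clean requests; anything else is a detected attack."""
    return event["ext"].get("attack_type", "N/A") not in ("N/A", "")


# The guide's sample (CR/LF in the request are the literal two-character escapes on the wire).
F5_SAMPLE = (r"<134>Jun 26 14:18:56 f5virtual.tdic.ae ASM:CEF:0|F5|ASM|10.2.1|Successful Request|Successful "
             r"Request|2|dvchost=f5virtual.adic.com dvc=192.168.1.151 cs1=master-key_default cs1Label=policy_name "
             r"cs2=master-key cs2Label=web_application_name deviceCustomDate1=Jul 13 2011 16:24:25 "
             r"deviceCustomDate1Label=policy_apply_date externalId=3601068286554428885 act=passed cn1=404 "
             r"cn1Label=response_code src=10.10.77.54 spt=49399 dst=10.10.175.82 dpt=443 requestMethod=POST "
             r"app=HTTPS request=/ipp/port1 cs5=N/A cs5Label=x_forwarded_for_header_value rt=Jun 26 2012 14:18:55 "
             r"deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A cs6Label=geo_location cs3Label=full_request "
             r"cs3=POST /ipp/port1 HTTP/1.1\r\nHost: 127.0.0.1:631\r\nCache-Control: no-cache\r\nContent-Type: "
             r"application/ipp\r\nAccept: application/ipp\r\nUser-Agent: Hewlett-Packard IPP\r\nContent-Length: 9\r\n\r\n")
# Constructed: a blocked request with an attack type, an escaped pipe and escaped '=' signs.
ATTACK_SAMPLE = (r"<134>Jun 26 14:19:02 f5virtual.tdic.ae ASM:CEF:0|F5|ASM|10.2.1|Illegal Request|Illegal Request "
                 r"\| Blocked|5|dvchost=f5virtual.adic.com dvc=192.168.1.151 act=blocked src=198.51.100.23 "
                 r"spt=51000 dst=10.10.175.82 dpt=443 requestMethod=GET cs4=SQL-Injection cs4Label=attack_type "
                 r"cs3Label=full_request cs3=GET /login?user\=admin' OR 1\=1-- HTTP/1.1\r\n")

if __name__ == "__main__":
    for sample in (F5_SAMPLE, ATTACK_SAMPLE):
        ev = parse_cef(sample)
        print(ev["name"], ev["severity"], is_attack(ev), ev["ext"].get("attack_type"))
```

Splitting the extension on every space is the classic mistake with CEF; the deviceCustomDate1 and rt values and the whole full_request contain spaces, so the tokenizer only breaks on whitespace that is immediately followed by another key= token.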

F5 Networks Local Traffic Manager

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
  Information discovered: Host name, serial number, hardware (CPU, memory, network interface, disk etc.) and software information (running and installed software)
  Metrics/Logs collected: Uptime, CPU, Memory, Disk utilization, Interface Utilization, Hardware status, process level CPU and memory utilization
  Used for: Performance/Availability Monitoring

Protocol: SNMP Trap
  Metrics/Logs collected: Exception situations including hardware failures, certain security attacks, Policy violations etc.
  Used for: Performance/Availability Monitoring

Protocol: Syslog
  Metrics/Logs collected: Permitted and Denied traffic
  Used for: Log analysis and compliance

Event Types

In ADMIN > Device Support > Event, search for "f5-LTM" in the Name column to see the event types associated
with this device.
Search for "f5-BigIP" in ADMIN > Device Support > Event to see event types associated with SNMP traps for this
device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.


Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

SNMP Trap

FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send
SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Example SNMP Trap

2012-01-18 14:13:43 0.0.0.0(via UDP: [192.168.20.243]:161) TRAP2, SNMP v2c, community public
. Cold Start Trap (0) Uptime: 0:00:00.00
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (33131) 0:05:31.31
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.3375.2.5.0.1

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslogs to
FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
l For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your FortiSIEM virtual
appliance.
l For Port, enter 514.
l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that
shown in the example.

Example Syslog

<133>Oct 20 13:52:46 local/tmm notice tmm[5293]: 01200004:5: Packet rejected remote IP
172.16.128.26 port 137 local IP 172.16.128.255 port 137 proto UDP: Port closed.

<134>Jul 30 15:28:33 tmm1 info tmm1[7562]: 01070417: 134: ICSA: non-session UDP packet
accepted, source: 112.120.125.48 port: 10144, destination: 116.58.240.252 port: 53

<134>Jul 30 15:28:33 tmm1 info tmm1[7562]: 01070417: 134: ICSA: non-session TCP packet
accepted, source: 108.83.156.153 port: 59773, destination: 116.58.240.225 port: 80

<134>Jul 30 15:28:33 tmm2 info tmm2[7563]: 01070417: 134: ICSA: non-session ICMP packet
accepted, source: 10.11.218.10, destination: 10.255.111.2, type code: Echo Reply


Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name
and Community String.

Setting Value

Name <set name>

Device Type Generic

Access Protocol SNMP

Community String <your own>


F5 Networks Web Accelerator

l What is Discovered and Monitored
l Configuration

What is Discovered and Monitored

Protocol Information discovered Metrics/Logs collected Used for

Syslog Permitted traffic Log analysis and compliance

Event Types

In ADMIN > Device Support > Event, search for "f5-web" in the Name column to see the event types associated with
this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslogs to
FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
l For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your FortiSIEM virtual
appliance.
l For Port, enter 514.
l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that
shown in the example.

Example Syslog

<182>Oct 20 13:52:56 local/BadReligion1 info logger: [ssl_acc] 1.1.1.2 - admin [20/Oct/2011:
13:52:56 -0400] "POST /iControl/iControlPortal.cgi HTTP/1.1" 200 654


Fortinet FortiADC

Integration Points

Method | Information discovered | Metrics collected | LOGs collected | Used for
syslog | Host name, Reporting IP | None | Event, Security and Traffic logs | Security monitoring

Event Types

In ADMIN > Device Support > Event, Search for "FortiADC" to see the event types associated with this device.

Rules

No specific rules are written for FortiADC Web application firewall but generic firewall rules will apply.

Reports

No specific reports are written for FortiADC Web application firewall but generic firewall rules will apply.

Configuration

Configure the FortiADC Web application firewall to send logs to FortiSIEM in the supported format (see Sample
Events below).

Settings for Access Credentials

None required

Sample Events

<6>date=2019-06-12 time=13:05:52 device_id=FAD2KD3114000026 log_id=0000000100 type=event
subtype=config pri=information vd=root msg_id=71118385 user=user1 ui=GUI(1.2.3.4) action=add
cfgpath=log setting remote cfgobj=<No.> cfgattr=1 logdesc=Change the configuration msg="added
a new entry '1' for "log setting remote" on domain "root""

<1>date=2019-06-12 time=13:06:52 device_id=FAD2KD3114000026 log_id=0003000235 type=event
subtype=system pri=alert vd=root msg_id=71118386 submod=update user=system ui=system
action=update status=none logdesc=License could not be validated msg="Unable to connect to FDS
server"
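The two sample events above show the awkward parts of the FortiADC key=value format: an unquoted value that contains spaces (cfgpath=log setting remote), a quoted msg value that itself contains double quotes, and a syslog PRI prefix. The Python below is an added example and not FortiSIEM's or Fortinet's parser; it splits fields only at a whitespace-then-key= boundary, so spaces inside values survive, and it decodes the PRI into facility and severity. The sample strings are constructed from the two events shown above.

```python
import re
from typing import Dict

# Constructed samples modelled on the two FortiADC event logs shown above.
SAMPLE_CONFIG_CHANGE = (
    '<6>date=2019-06-12 time=13:05:52 device_id=FAD2KD3114000026 log_id=0000000100 type=event '
    'subtype=config pri=information vd=root msg_id=71118385 user=user1 ui=GUI(1.2.3.4) '
    'action=add cfgpath=log setting remote cfgobj=<No.> cfgattr=1 logdesc=Change the '
    'configuration msg="added a new entry \'1\' for "log setting remote" on domain "root""'
)
SAMPLE_LICENSE_ALERT = (
    '<1>date=2019-06-12 time=13:06:52 device_id=FAD2KD3114000026 log_id=0003000235 type=event '
    'subtype=system pri=alert vd=root msg_id=71118386 submod=update user=system ui=system '
    'action=update status=none logdesc=License could not be validated msg="Unable to connect '
    'to FDS server"'
)

_PRI = re.compile(r"^<(\d{1,3})>")
_KEY = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=")
# A new field starts only where whitespace is followed by a bare key and '='.
# This boundary is what lets unquoted values keep their internal spaces; a value
# that itself contains " word=" would be split (the format is ambiguous there).
_BOUNDARY = re.compile(r"\s+(?=[A-Za-z_][A-Za-z0-9_]*=)")


def parse_fortiadc(line: str) -> Dict[str, str]:
    """Parse one FortiADC syslog line into a flat key -> value mapping."""
    fields: Dict[str, str] = {}
    pos = 0
    pri = _PRI.match(line)
    if pri:
        # Syslog PRI = facility * 8 + severity (RFC 3164 / RFC 5424)
        fields["syslog_facility"] = str(int(pri.group(1)) // 8)
        fields["syslog_severity"] = str(int(pri.group(1)) % 8)
        pos = pri.end()
    while pos < len(line):
        key_match = _KEY.match(line, pos)
        if not key_match:
            break
        key, pos = key_match.group(1), key_match.end()
        boundary = _BOUNDARY.search(line, pos)
        end = boundary.start() if boundary else len(line)
        value = line[pos:end]
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # strip one enclosing pair, keep quotes inside msg
        fields[key] = value
        pos = boundary.end() if boundary else len(line)
    return fields


def is_config_change(fields: Dict[str, str]) -> bool:
    """Configuration changes are the event logs an auditor wants to review."""
    return fields.get("type") == "event" and fields.get("subtype") == "config"


if __name__ == "__main__":
    for sample in (SAMPLE_CONFIG_CHANGE, SAMPLE_LICENSE_ALERT):
        parsed = parse_fortiadc(sample)
        print(parsed["logdesc"], "| config change:", is_config_change(parsed))
```

The lookahead boundary is the whole trick: splitting on every space, or on every '=', mis-parses the cfgpath and msg fields shown above.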


Qualys Web Application Firewall

l What is Discovered and Monitored
l Configuration

What is Discovered and Monitored

Protocol Information discovered Metrics/Logs collected Used for

Syslog Permitted and Denied Web traffic Log analysis and compliance

Event Types

The following event types are generated by parsing Qualys Web Application Firewall traffic logs and analyzing the
HTTP error code.
l Qualys-WAF-Web-Request-Success
l Qualys-WAF-Web-Bad-Request
l Qualys-WAF-Web-Client-Access-Denied
l Qualys-WAF-Web-Client-Error
l Qualys-WAF-Web-Forbidden-Access-Denied
l Qualys-WAF-Web-Length-Reqd-Access-Denied
l Qualys-WAF-Web-Request
l Qualys-WAF-Web-Request-Redirect
l Qualys-WAF-Web-Server-Error

Rules

There are no predefined rules for this device.

Reports

Relevant reports are defined in RESOURCE > Reports > Device > Network > Web Gateway.

Configuration

FortiSIEM processes events from this device via syslog sent in JSON format. Configure the device to send syslog to
FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.


Setting Value

Name <set name>

Device Type Qualys Web Application Firewall

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration

Example Syslog

Note that each JSON formatted syslog contains many logs. The JSON body is sent on a single line; it is shown
expanded here for readability.

<1350>1 2015-05-15T12:57:30.945000+00:00 localhost qualys_waf - QUALYS_WAF -
{
  "timestamp": "2015-05-15T12:57:30.945-00:00",
  "duration": 6011,
  "id": "487c116c-4908-4ce3-b05c-eda5d5bb7045",
  "clientIp": "172.27.80.170",
  "clientPort": 9073,
  "sensorId": "d3acc41f-d1fc-43be-af71-e7e10e9e66e2",
  "siteId": "41db0970-8413-4648-b7e2-c50ed53cf355",
  "connection": {
    "id": "bc1379fe-317e-4bae-ae30-2a382e310170",
    "clientIp": "172.27.80.170",
    "clientPort": 9073,
    "serverIp": "192.168.60.203",
    "serverPort": 443
  },
  "request": {
    "method": "POST",
    "uri": "/",
    "protocol": "HTTP/1.1",
    "host": "esers-test.foo.org",
    "bandwidth": 0,
    "headers": [
      {"name": "Content-Length", "value": "645"},
      {"name": "Accept", "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"},
      {"name": "User-Agent", "value": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36"},
      {"name": "Content-Type", "value": "application/x-www-form-urlencoded"},
      {"name": "Referer", "value": "https://esers-test.ohsers.org/"},
      {"name": "Accept-Encoding", "value": "gzip, deflate"},
      {"name": "Accept-Language", "value": "en-US,en;q=0.8"}
    ],
    "headerOrder": "HILCAUTRELO"
  },
  "response": {
    "protocol": "HTTP/1.1",
    "status": "200",
    "message": "OK",
    "bandwidth": 0,
    "headers": [
      {"name": "Content-Type", "value": "text/html; charset=utf-8"},
      {"name": "Server", "value": "Microsoft-IIS/8.5"},
      {"name": "Content-Length", "value": "10735"}
    ],
    "headerOrder": "CTXSDL"
  },
  "security": {
    "auditLogRef": "b02f96e9-2649-4a83-9459-6a02da1a5f05",
    "threatLevel": 60,
    "events": [
      {
        "tags": ["qid/226015", "cat/XPATHi", "cat/SQLi", "qid/150003", "loc/req/body/txtUserId", "cfg/pol/applicationSecurity"],
        "type": "Alert",
        "rule": "main/qrs/sqli/xpathi/condition_escaping/boolean/confidence_high/3",
        "message": "Condition escaping detected (SQL or XPATH injection) - txtUserId.",
        "confidence": 80,
        "severity": 60,
        "id": "262845566"
      },
      {
        "tags": ["cat/correlation", "qid/226016"],
        "type": "Observation",
        "rule": "main/correlation/1",
        "message": "Info: Threat level exceeded blocking threshold (60).",
        "confidence": 0,
        "severity": 0,
        "id": "262846018"
      },
      {
        "tags": ["cat/correlation", "qid/226016"],
        "type": "Observation",
        "rule": "main/correlation/1",
        "message": "Info: Blocking refused as blocking mode is disabled.",
        "confidence": 0,
        "severity": 0,
        "id": "262846167"
      },
      {
        "tags": ["cat/correlation", "cat/XPATHi", "qid/226015"],
        "type": "Alert",
        "rule": "main/correlation/1",
        "message": "Detected: XPATHi.",
        "confidence": 80,
        "severity": 60,
        "id": "268789851"
      }
    ]
  }
}
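The sample above carries two things worth pulling apart: the RFC 5424 syslog header and the JSON body, and within the body the HTTP outcome (which drives the Qualys-WAF-Web-* event type listed earlier) and the WAF's own verdict (the security.events list, where the "Blocking refused" observation shows the request was allowed through because blocking mode was off). The Python below is an added example, not FortiSIEM's parser; the status-code-to-event-type ranges are an assumption, since the guide says the type is derived from the status code but does not publish the mapping. The sample line is constructed from the one above with the header lists trimmed.

```python
import json
import re
from typing import Dict, Tuple

# Constructed sample in the shape of the Qualys WAF syslog shown above: an RFC 5424
# header (PRI, version, timestamp, host, app, procid, msgid, structured data "-")
# followed by one JSON document. Request and response headers are trimmed.
SAMPLE_QUALYS = (
    '<1350>1 2015-05-15T12:57:30.945000+00:00 localhost qualys_waf - QUALYS_WAF - '
    '{"timestamp":"2015-05-15T12:57:30.945-00:00","duration":6011,'
    '"id":"487c116c-4908-4ce3-b05c-eda5d5bb7045","clientIp":"172.27.80.170","clientPort":9073,'
    '"connection":{"clientIp":"172.27.80.170","serverIp":"192.168.60.203","serverPort":443},'
    '"request":{"method":"POST","uri":"/","protocol":"HTTP/1.1","host":"esers-test.foo.org",'
    '"headers":[{"name":"Content-Type","value":"application/x-www-form-urlencoded"}]},'
    '"response":{"protocol":"HTTP/1.1","status":"200","message":"OK"},'
    '"security":{"auditLogRef":"b02f96e9-2649-4a83-9459-6a02da1a5f05","threatLevel":60,'
    '"events":[{"tags":["qid/226015","cat/XPATHi","cat/SQLi","loc/req/body/txtUserId"],'
    '"type":"Alert","rule":"main/qrs/sqli/xpathi/condition_escaping/boolean/confidence_high/3",'
    '"message":"Condition escaping detected (SQL or XPATH injection) - txtUserId.",'
    '"confidence":80,"severity":60,"id":"262845566"},'
    '{"tags":["cat/correlation","qid/226016"],"type":"Observation","rule":"main/correlation/1",'
    '"message":"Info: Blocking refused as blocking mode is disabled.",'
    '"confidence":0,"severity":0,"id":"262846167"},'
    '{"tags":["cat/correlation","cat/XPATHi","qid/226015"],"type":"Alert",'
    '"rule":"main/correlation/1","message":"Detected: XPATHi.",'
    '"confidence":80,"severity":60,"id":"268789851"}]}}'
)

# PRI may exceed the RFC range (1350 above), so allow up to four digits.
_HEADER = re.compile(r"^<(\d{1,4})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (?:-|\[.*?\]) (?=\{)")


def split_qualys_syslog(line: str) -> Tuple[dict, dict]:
    """Separate the syslog header from the JSON body and decode the body."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not a Qualys WAF JSON syslog line")
    header = dict(zip(("pri", "timestamp", "host", "app", "procid", "msgid"), m.groups()))
    header["pri"] = int(header["pri"])
    return header, json.loads(line[m.end():])


def event_type_for_status(status) -> str:
    """Assumed mapping from HTTP status to the event type names listed above."""
    code = int(status)
    if 200 <= code < 300:
        return "Qualys-WAF-Web-Request-Success"
    if 300 <= code < 400:
        return "Qualys-WAF-Web-Request-Redirect"
    if code == 400:
        return "Qualys-WAF-Web-Bad-Request"
    if code == 401:
        return "Qualys-WAF-Web-Client-Access-Denied"
    if code == 403:
        return "Qualys-WAF-Web-Forbidden-Access-Denied"
    if code == 411:
        return "Qualys-WAF-Web-Length-Reqd-Access-Denied"
    if 400 <= code < 500:
        return "Qualys-WAF-Web-Client-Error"
    if 500 <= code < 600:
        return "Qualys-WAF-Web-Server-Error"
    return "Qualys-WAF-Web-Request"


def summarize_request(body: dict) -> Dict[str, object]:
    """Pull the fields an analyst triages on: who, what, outcome, and WAF verdict."""
    events = body.get("security", {}).get("events", [])
    alerts = [e for e in events if e.get("type") == "Alert"]
    observations = [e.get("message", "") for e in events if e.get("type") == "Observation"]
    return {
        "event_type": event_type_for_status(body["response"]["status"]),
        "client_ip": body["clientIp"],
        "server_ip": body["connection"]["serverIp"],
        "method": body["request"]["method"],
        "uri": body["request"]["uri"],
        "host": body["request"]["host"],
        "status": int(body["response"]["status"]),
        "threat_level": body.get("security", {}).get("threatLevel", 0),
        "alerts": [
            {"rule": a["rule"], "severity": a["severity"], "confidence": a["confidence"],
             "categories": [t[len("cat/"):] for t in a.get("tags", []) if t.startswith("cat/")]}
            for a in alerts
        ],
        # Heuristic taken from the sample's own observation text: the threat level
        # crossed the threshold but blocking mode was off, so the request went through.
        "blocking_disabled": any("Blocking refused" in m for m in observations),
    }


if __name__ == "__main__":
    hdr, body = split_qualys_syslog(SAMPLE_QUALYS)
    print(hdr["host"], summarize_request(body))
```

A 200 with threat_level 60 and blocking_disabled set is the combination to alert on: the WAF classified the request as injection but did not stop it, so the event type alone (Request-Success) understates what happened.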


Log Aggregators

FortiSIEM supports these log aggregators.
l Fortinet FortiAnalyzer


Fortinet FortiAnalyzer

l Overview
l Configuring FortiAnalyzer
l Configuring FortiSIEM Collectors to Receive Logs from FortiAnalyzer

Overview

Customers of both FortiAnalyzer and FortiSIEM may want to take already aggregated event data received on
FortiAnalyzer and forward those events to FortiSIEM.

Configuring FortiAnalyzer

l Setting Up the Syslog Server
l Pre-Configuration for Log Forwarding
l Configuring Log Forwarding

Setting Up the Syslog Server

1. Login to FortiAnalyzer.
2. Go to System Settings > Advanced > Syslog Server.
a. Click the Create New button.
b. Enter the Name. (It is recommended to use the name of the FortiSIEM server.)
c. Fill in the IP address (or FQDN) with the IP or a fully qualified name of the FortiSIEM server.
d. Leave the Syslog Server Port to the default value '514'.
e. Click OK to save your entries.

Pre-Configuration for Log Forwarding

To configure FortiAnalyzer event forwarding to FortiSIEM, you must first set up the following.
1. Install a FortiSIEM collector in the same subnet as the FortiAnalyzer that will be forwarding the events.
Note: The same-subnet requirement exists because FortiAnalyzer will later be configured to spoof packets to the
collector. RPF (reverse path forwarding) checks on network equipment would have to be disabled if FortiAnalyzer
and the collector were on different subnets.
2. It is recommended that for every 5,000 EPS (events per second) ingested, you add 1 collector with 8 vCPU and
8 GB RAM. If you have more than 5,000 EPS forwarding from FortiAnalyzer, set up a load balancer with
multiple collectors behind it, allowing UDP 514 inbound.

Configuring Log Forwarding

Take the following steps to configure log forwarding on FortiAnalyzer.


1. Go to System Settings > Log Forwarding.
2. Click the Create New button in the toolbar. The Create New Log Forwarding pane opens.
3. Fill in the information as per the table below, then click OK to create the new log forwarding. The FortiAnalyzer
device will start forwarding logs to the server.

Field Input

Name FortiSIEM-Forwarding

Status On

Remote Server Type Syslog

Compression OFF

Sending Frequency Real-time

Log Forwarding Filters Select all desired Administrative Domains (ADOMs) / device logs you’d like to
forward

4. Go to the CLI Console and configure the CLI-only log forward option by running the following CLI commands.
Notes:
l Logs received by FortiAnalyzer, and then forwarded to FortiSIEM, have the source IP of the log packet
overwritten with the IP address of the FortiAnalyzer appliance. This hides the "true" source of the log packet
from FortiSIEM. To override this behavior, FortiAnalyzer can spoof the original log sender's IP address when
forwarding to FortiSIEM. This allows FortiSIEM collectors to receive all the original information as if they had
received the logs directly from the originating device.
l For FortiAnalyzer versions 6.0 and later, use the following CLI:
Note: Replace <id> with the actual name of the log forward created earlier.
config system log-forward
    edit <id>
        set mode forwarding
        set fwd-max-delay realtime
        set server-name "<FSM_Collector>"
        set server-ip "a.b.c.d"
        set fwd-log-source-ip original_ip
        set fwd-server-type syslog
    next
end
l For FortiAnalyzer versions 5.6 to 5.9, use the following CLI:
Note: Replace <id> with the actual name of the log forward created earlier.
config system log-forward
    edit <id>
        set mode forwarding
        set fwd-max-delay realtime
        set server-ip "a.b.c.d"
        set fwd-log-source-ip original_ip
        set fwd-server-type syslog
    next
end
l For FortiAnalyzer versions earlier than 5.6, use the following CLI:
Note: For <id>, you can choose the number for your FortiSIEM syslog entry.
config system aggregation-client
    edit <id>
        set fwd-log-source-ip original_ip
end

Configuring FortiSIEM Collector to Receive Logs from FortiAnalyzer

To configure the FortiSIEM collector to receive logs from FortiAnalyzer, you will need to disable the RPF check that
would normally cause the collector virtual machine to drop the log packet because its source IP is spoofed.
sysctl -w net.ipv4.conf.all.rp_filter=0
To make this change persistent across reboots, add the following line to the /etc/sysctl.conf file.
net.ipv4.conf.all.rp_filter=0
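One caveat on the sysctl above: Linux validates a packet's source against the larger of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<interface>.rp_filter, so a collector whose hardening baseline set the receiving interface to 1 keeps dropping the spoofed forwards even after all is set to 0. The Python below is an added example, not part of the guide or of the FortiSIEM collector; it parses a constructed /etc/sysctl.conf fragment, takes constructed runtime values of the kind read from /proc/sys/net/ipv4/conf/<name>/rp_filter, and reports per interface whether spoofed-source packets are accepted now and whether they will still be after a reboot. read_runtime_values is the only part that touches the live host and is not exercised by the offline sample.

```python
import glob
import os
from typing import Dict

# Constructed /etc/sysctl.conf fragment: the line the guide tells you to add, plus
# per-interface entries of the kind a hardening baseline often sets.
SYSCTL_CONF = """
# FortiAnalyzer forwards logs with the original sender's (spoofed) source IP
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1   # still enforced: the kernel takes max(all, iface)
"""

# Constructed runtime values, as they would be read from
# /proc/sys/net/ipv4/conf/<name>/rp_filter on the collector after `sysctl -w`.
RUNTIME = {"all": 0, "default": 1, "eth0": 1, "eth1": 0}

PREFIX, SUFFIX = "net.ipv4.conf.", ".rp_filter"


def parse_sysctl_conf(text: str) -> Dict[str, int]:
    """Return {conf-name: rp_filter} for every rp_filter line in sysctl.conf text."""
    values: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(PREFIX) and key.endswith(SUFFIX):
            values[key[len(PREFIX):-len(SUFFIX)]] = int(value)
    return values


def effective_rp_filter(values: Dict[str, int], iface: str) -> int:
    """Linux validates the source against max(conf/all, conf/<iface>); "default"
    only seeds interfaces created later, so it stands in for an interface that has
    no entry of its own (an approximation for the persisted view)."""
    per_iface = values.get(iface, values.get("default", 0))
    return max(values.get("all", 0), per_iface)


def audit_rp_filter(runtime: Dict[str, int], persisted: Dict[str, int]) -> Dict[str, dict]:
    """For each real interface, report the value in force now, the value after a
    reboot, and whether spoofed-source forwards from FortiAnalyzer survive both."""
    report = {}
    for iface in sorted(k for k in runtime if k not in ("all", "default")):
        now = effective_rp_filter(runtime, iface)
        later = effective_rp_filter(persisted, iface)
        report[iface] = {"runtime": now, "persisted": later,
                         "accepts_spoofed": now == 0 and later == 0}
    return report


def read_runtime_values(base: str = "/proc/sys/net/ipv4/conf") -> Dict[str, int]:
    """Read the live rp_filter values on a collector (not used by the offline sample)."""
    values = {}
    for path in glob.glob(os.path.join(base, "*", "rp_filter")):
        with open(path) as fh:
            values[os.path.basename(os.path.dirname(path))] = int(fh.read().strip())
    return values


if __name__ == "__main__":
    for iface, row in audit_rp_filter(RUNTIME, parse_sysctl_conf(SYSCTL_CONF)).items():
        print(f"{iface}: runtime={row['runtime']} persisted={row['persisted']} "
              f"accepts_spoofed={row['accepts_spoofed']}")
```

Loose mode (rp_filter=2) accepts a packet whenever a route back to its source exists over any interface, which is usually true for forwards whose spoofed sources are real network devices, and is less blunt than 0. Whichever value you choose, it has to hold for both the all entry and the collector's receiving interface, at runtime and in the persisted configuration.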

Network Compliance Management Applications

FortiSIEM supports these Network Compliance Management applications and monitoring.
l Cisco Network Compliance Manager
l PacketFence

Cisco Network Compliance Manager

What is Discovered and Monitored

Protocol | Information discovered | Metrics/Logs collected | Used for
Syslog | | Network device software update, configuration analysis for compliance, admin login | Log analysis and compliance

Event Types

Over 40 event types are generated by parsing Cisco Network Configuration Manager logs. The complete list can be
found in ADMIN > Device Support > Event by searching for Cisco-NCM. Some important ones are:
l Cisco-NCM-Device-Software-Change
l Cisco-NCM-Software-Update-Succeeded
l Cisco-NCM-Software-Update-Failed
l Cisco-NCM-Policy-Non-Compliance
l Cisco-NCM-Device-Configuration-Deployment
l Cisco-NCM-Device-Configuration-Deployment-Failure

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM as directed in
the device's product documentation, and FortiSIEM will parse the contents.

Example Syslog

Note that each JSON formatted syslog contains many logs.


490998571 Mon Mar 03 03:09:31 EST 2014 Savvy Device Command Script Completed Successfully
server01.foo.com 10.4.161.32 Script 'Re-enable EasyTech port for Cisco IOS configuration'
completed. Connect - Succeeded Connected via ssh to 10.170.30.9 [in realm Default Realm]
Login / Authentication - Succeeded Successfully used: Last successful password (Password rule
Retail TACACS NCM Login) Optional:Script - Succeeded Successfully executed: prepare
configuration for deployment Script - Succeeded Successfully executed: deploy to running
configuration via TFTP through CLI Bypassed: deploy to running configuration via SCP through
CLI. (Requires SCP, CLI to be enabled.) Tried: deploy to running configuration via FTP
through CLI (Warning: SSH server username or password not specified in NA admin settings.)
Optional:Script - Succeeded Successfully executed: determine result of deployment operation
Script run: ------------------------------------------------------------ ! interface fast0/16
no shut

491354611 Tue Mar 04 03:38:22 EST 2014 FooA Software Update Succeeded server01.foo.com
1.1.1.32 44571 10.173.30.9 $OrignatorEmail$ FooA Update Device Software 2014-03-04 03:30:00.0
usmist_1699295009 (1.13.3.9) Succeeded


PacketFence Network Access Control (NAC)

l Integration points
l Configuring PacketFence Network Access Control
l Parsing and Events

Integration points

Protocol Information Discovered Used For

Syslog User network admission control events Security and Compliance

Configuring PacketFence NAC

Follow PacketFence NAC documentation to send syslog to FortiSIEM.

Configuring FortiSIEM

FortiSIEM automatically recognizes PacketFence NAC syslog as long as it follows the format shown in the sample
syslog:
Oct 9 11:29:34 10.2.204.81 1 2018-10-09T11:29:34.04189+01:00 example.com packetfence.log - - -
Oct 11 15:42:00 httpd.aaa(4765) WARN: [mac:40:83:1d:12:2a:cb] Calling match with empty/invalid
rule class. Defaulting to 'authentication' (pf::authentication::match)

Parsing and Events

Over 20 events are parsed. See Event Types in RESOURCES > Event Types and search for "PacketFence-NAC-".

Network Intrusion Protection Systems (IPS)

FortiSIEM supports these intrusion protection systems for discovery and monitoring.
l 3COM TippingPoint UnityOne IPS
l AirTight Networks SpectraGuard
l Alert Logic IRIS API
l Cisco FireSIGHT and FirePower Threat Defence
l Cisco Intrusion Protection System
l Cisco Stealthwatch
l Cylance Protect Endpoint Protection
l Cyphort Cortex Endpoint Protection
l Damballa Failsafe
l Darktrace CyberIntelligence Platform
l FireEye Malware Protection System (MPS)
l FortiDDoS
l Fortinet FortiDeceptor
l Fortinet FortiNAC
l Fortinet FortiSandbox Configuration
l Fortinet FortiTester
l IBM Internet Security Series Proventia
l Indegy Security Platform
l Juniper DDoS Secure
l Juniper Networks IDP Series
l McAfee IntruShield
l McAfee Stonesoft IPS
l Motorola AirDefense
l Nozomi
l Radware DefensePro
l Snort Intrusion Protection System
l Sourcefire 3D and Defense Center
l Trend Micro Deep Discovery
l Zeek (Bro) Installed on Security Onion

3Com TippingPoint UnityOne IPS

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
SNMP | | CPU, memory, Interface utilization | Performance and Availability Monitoring
Syslog | | IPS Alerts | Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "tippingpoint" in the Device Type and Description columns to see
the event types associated with this device.

Configuration

SNMP

1. Log in to the TippingPoint appliance or the SMS Console.
2. Go to System > Configuration > SMS/NMS.
3. For SMS Authorized IP Address/CIDR, make sure any is entered.
4. Select Enabled for SNMP V2.
5. For NMS Community String, enter public.
6. Click Apply.

Syslog

1. Log in to the TippingPoint appliance or the SMS Console.
2. Go to System > Configuration > Syslog Servers.
3. Under System Log, enter the IP Address of the FortiSIEM virtual appliance.
4. Select Enable syslog offload for System Log.
5. Under Audit Log, enter the IP Address of the FortiSIEM virtual appliance.
6. Select Enable syslog offload for Audit Log.
7. Click Apply.

Configure the Syslog Forwarding Policy (Filter Notification Forwarding)

The filter log can be configured to generate events related to specific traffic on network segments that must pass
through the device. This log includes three categories of events.


Event Category | Description
Alert | Alert events indicate that the IPS has detected suspicious activity in the packet, but still permits the packet to pass through (specific settings are controlled by administrator profile)
Block | Block events are malicious packets not permitted to pass
P2P | Refers to peer-to-peer traffic events

In addition, filter events contain a UUID, which is a unique numerical identifier that correlates with the exact security
threat defined by Tipping Point Digital Vaccine Files. The FortiSIEM Virtual Appliance will correlate these with
authoritative databases of security threats.
1. Go to IPS > Action Sets.
2. Click Permit + Notify.
3. Under Contacts, click Remote Syslog.
4. Under Remote Syslog Information, enter the IP Address of the FortiSIEM virtual appliance.
5. Make sure the Port is set to 514.
6. Make sure Delimiter is set to tab, comma, or semicolon.
7. Click Add to Table Below.
You should now see the IP address of the FortiSIEM virtual appliance appear as an entry in the Remote Syslogs
table.

Sample parsed syslog messages

Directly from TippingPoint IPS device

<36>Oct 28 13:10:45 9.0.0.1 ALT,v4,20091028T131045+0480,"PH-QA-TIP1"/20.30.44.44,835197,1,Permit,Minor,00000002-0002-0002-0002-000000000089, "0089: IP: Short Time To Live (1)","0089: IP: Short Time To Live (1)",ip,"
",172.16.10.1:0,224.0.0.5:0,20091028T130945+0480,6," ",0,1A-1B

<37>Nov 5 20:16:19 20.30.44.44 BLK,v4,20091105T201619+0480,"PH-QA-TIP1"/20.30.44.44,70,2,Block,Low,00000002-0002-0002-0002-000000004316, "4316: OSPF: OSPF Packet With Time-To-Live of 1","4316: OSPF: OSPF Packet With Time-To-Live of 1",ip,"
",172.16.10.1:0,224.0.0.5:0,20091105T201619+0480,1," ",0,1A-1B

<37>Jul 12 15:04:01 SOCIPS01 ALT,v5,20110712T150401-0500,SOCIPS01/192.168.10.122,3225227,1,Permit,Low,00000002-0002-0002-0002-000000010960, "10960: IM: Google GMail Chat SSL Connection Attempt","10960: IM: Google GMail Chat SSL Connection Attempt",tcp," ",156.63.133.8,10948,72.14.204.189,443, 20110712T150239-0500,3," ",0,6A-6B

From Tipping Point NMS device

<36> 7 2 00000002-0002-0002-0002-000000001919 00000001-0001-0001-0001-000000001919 1919: Backdoor: Psychward 1919 tcp 10.1.1.100 13013 10.1.1.101 1240 3 3 2 207-2400-Jack 33761793 1109876221622
<36> 7 2 00000002-0002-0002-0002-000000001919 00000001-0001-0001-0001-000000001919 1919: Backdoor: Psychward 1919 tcp 10.1.1.100 13013 10.1.1.101 1240 3 3 2 207-2400-Jack 33761793 1109876221622
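The IPS-originated messages above are delimited records (the forwarding policy lets you pick tab, comma or semicolon) with quoted fields, one of which spans a line break in the v4 records, and each carries the Digital Vaccine filter UUID that FortiSIEM correlates on. The Python below is an added example and not FortiSIEM's parser: it strips the syslog header, detects which of the three delimiters is in use, lets the csv module handle the quoting, extracts category, action, severity and UUID, and counts events per UUID. The field positions are inferred from the v4 and v5 samples on this page and are an assumption; the sample messages in the block are constructed from those samples.

```python
import csv
import io
import re
from collections import Counter
from typing import Dict, Iterable

# Constructed samples modelled on the "Directly from TippingPoint IPS device" messages
# above, one message each; the v4 records carry a quoted field spanning a line break.
SAMPLE_V4 = (
    '<36>Oct 28 13:10:45 9.0.0.1 ALT,v4,20091028T131045+0480,"PH-QA-TIP1"/20.30.44.44,835197,1,'
    'Permit,Minor,00000002-0002-0002-0002-000000000089, "0089: IP: Short Time To Live (1)",'
    '"0089: IP: Short Time To Live (1)",ip,"\n",172.16.10.1:0,224.0.0.5:0,20091028T130945+0480,'
    '6," ",0,1A-1B'
)
SAMPLE_BLK = (
    '<37>Nov 5 20:16:19 20.30.44.44 BLK,v4,20091105T201619+0480,"PH-QA-TIP1"/20.30.44.44,70,2,'
    'Block,Low,00000002-0002-0002-0002-000000004316, "4316: OSPF: OSPF Packet With Time-To-Live '
    'of 1","4316: OSPF: OSPF Packet With Time-To-Live of 1",ip,"\n",172.16.10.1:0,224.0.0.5:0,'
    '20091105T201619+0480,1," ",0,1A-1B'
)
SAMPLE_V5 = (
    '<37>Jul 12 15:04:01 SOCIPS01 ALT,v5,20110712T150401-0500,SOCIPS01/192.168.10.122,3225227,1,'
    'Permit,Low,00000002-0002-0002-0002-000000010960, "10960: IM: Google GMail Chat SSL '
    'Connection Attempt","10960: IM: Google GMail Chat SSL Connection Attempt",tcp," ",'
    '156.63.133.8,10948,72.14.204.189,443, 20110712T150239-0500,3," ",0,6A-6B'
)
# The same v5 record as it would arrive with the policy's delimiter set to tab.
SAMPLE_V5_TAB = SAMPLE_V5.replace(",", "\t")

_SYSLOG = re.compile(
    r"^<(\d{1,3})>\s*(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(.*)$", re.DOTALL
)
_UUID = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
CATEGORIES = {"ALT": "Alert", "BLK": "Block", "P2P": "P2P"}
DELIMITERS = ("\t", ",", ";")  # the three delimiters the forwarding policy allows


def detect_delimiter(record: str) -> str:
    """Pick the delimiter that actually separates the leading <category>,v<N> fields."""
    for d in DELIMITERS:
        if re.match(r"^(?:ALT|BLK|P2P)" + re.escape(d) + r"v\d" + re.escape(d), record):
            return d
    raise ValueError("record does not start with <category><delim>v<N><delim>")


def parse_tippingpoint(message: str) -> Dict[str, str]:
    """Parse one IPS filter-notification syslog message into named fields."""
    m = _SYSLOG.match(message)
    if not m:
        raise ValueError("not a syslog message")
    _pri, stamp, host, record = m.groups()
    delim = detect_delimiter(record)
    # csv handles the quoted fields, including the one that contains a newline.
    row = next(csv.reader(io.StringIO(record), delimiter=delim, skipinitialspace=True))
    # Positions are inferred from the v4 and v5 samples on this page (both agree on the
    # first twelve fields); the fields after the protocol differ between versions.
    uuid = _UUID.search(row[8])
    return {
        "syslog_host": host,
        "syslog_time": stamp,
        "category": CATEGORIES.get(row[0], row[0]),
        "format_version": row[1],
        "event_time": row[2],
        "device": row[3],
        "sequence": row[4],
        "action": row[6],
        "severity": row[7],
        "uuid": uuid.group(0) if uuid else "",
        "filter_name": row[9],
        "protocol": row[11],
    }


def uuid_counts(messages: Iterable[str]) -> Dict[str, int]:
    """Count events per Digital Vaccine filter UUID, the key FortiSIEM correlates on."""
    return dict(Counter(parse_tippingpoint(msg)["uuid"] for msg in messages))


if __name__ == "__main__":
    for msg in (SAMPLE_V4, SAMPLE_BLK, SAMPLE_V5):
        e = parse_tippingpoint(msg)
        print(e["category"], e["action"], e["severity"], e["uuid"], e["filter_name"])
```

Checking the delimiter from the record itself, rather than trusting the configured one, catches the common misconfiguration where the IPS policy and the parser disagree; a record that fails detect_delimiter is worth surfacing rather than silently dropping.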


Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type 3Com TippingPoint UnityOne IPS

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


AirTight Networks SpectraGuard

l What is Discovered and Monitored
l Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For

Syslog

Event Types

In ADMIN > Device Support > Event, search for "airtight" in the Device Type column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslogs to
FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
l For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your FortiSIEM virtual
appliance.
l For Port, enter 514.
l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that
shown in the example.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.


Setting Value

Name <set name>

Device Type Airtight SpectraGuard

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration

Example Syslog

<30><2013.09.09 19:45:16>CEF:0|AirTight|SpectraGuard Enterprise|6.7|5.51.515|
Authorized AP operating on non-allowed channel|3|msg=Stop:
Authorized AP [AP2.12.c11d] is operating on non-allowed channel.
rt=Sep 09 2013 19:45:16 UTC dvc=10.255.1.36 externalId=726574
dmac=58:BF:EA:FA:26:EF cs1Label=TargetDeviceName
cs1=AP2.12.c11d cs2Label=SSID cs2=WiFiHiSpeed cs3Label=SecuritySetting
cs3=802.11i cn1Label=RSSI_dBm cn1=-50 cn2Label=Channel cn2=149
cs4Label=Location cs4=//FB/FBFL2
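CEF is the framing used by this AirTight sample and by the F5 ASM "Successful Request" sample at the start of the F5 section, so one parser serves both. The Python below is an added example, not code from FortiSIEM or from either vendor: it splits the pipe-delimited header while honouring the \| escape, walks the key=value extension while honouring \= and the literal \r\n sequences F5 writes into cs3, and resolves the csNLabel/cnNLabel pairs into named fields (so cs1Label=TargetDeviceName and cs1=AP2.12.c11d become TargetDeviceName). The two sample messages are constructed from the ones on this page, joined onto one line and, for F5, shortened.

```python
import re
from typing import Dict

# Constructed samples modelled on the CEF messages on this page: the AirTight
# SpectraGuard event above (joined onto one line) and an abbreviated form of the
# F5 ASM "Successful Request" event from the F5 ASM section.
AIRTIGHT_CEF = (
    "<30><2013.09.09 19:45:16>CEF:0|AirTight|SpectraGuard Enterprise|6.7|5.51.515|"
    "Authorized AP operating on non-allowed channel|3|msg=Stop: Authorized AP [AP2.12.c11d] "
    "is operating on non-allowed channel. rt=Sep 09 2013 19:45:16 UTC dvc=10.255.1.36 "
    "externalId=726574 dmac=58:BF:EA:FA:26:EF cs1Label=TargetDeviceName cs1=AP2.12.c11d "
    "cs2Label=SSID cs2=WiFiHiSpeed cs3Label=SecuritySetting cs3=802.11i cn1Label=RSSI_dBm "
    "cn1=-50 cn2Label=Channel cn2=149 cs4Label=Location cs4=//FB/FBFL2"
)
F5_ASM_CEF = (
    r"<134>Jun 26 14:18:56 f5virtual.tdic.ae ASM:CEF:0|F5|ASM|10.2.1|Successful Request|"
    r"Successful Request|2|dvchost=f5virtual.adic.com dvc=192.168.1.151 "
    r"cs1=master-key_default cs1Label=policy_name act=passed cn1=404 cn1Label=response_code "
    r"src=10.10.77.54 spt=49399 dst=10.10.175.82 dpt=443 requestMethod=POST "
    r"request=/ipp/port1 cs3Label=full_request cs3=POST /ipp/port1 HTTP/1.1\r\n"
    r"Host: 127.0.0.1:631\r\nContent-Length: 9\r\n\r\n"
)

# CEF escapes: \| and \\ in the header, \= and \\ in the extension; \r and \n are
# how line breaks are carried inside extension values (F5 ASM uses them in cs3).
_ESCAPES = {"n": "\n", "r": "\r", "=": "=", "|": "|", "\\": "\\"}
_HEADER_PIPE = re.compile(r"(?<!\\)\|")            # a pipe not preceded by a backslash
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # key= at start or after whitespace
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")


def _unescape(text: str) -> str:
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), text)


def parse_cef(line: str) -> Dict[str, str]:
    """Parse a CEF message (with any syslog prefix) into header, extension and label-resolved fields."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header")
    parts = _HEADER_PIPE.split(line[start + len("CEF:"):], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    event = {"syslog_prefix": line[:start]}
    for field, raw in zip(HEADER_FIELDS, parts[:7]):
        event[field] = _unescape(raw)
    extension = parts[7]
    matches = list(_EXT_KEY.finditer(extension))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(extension)
        event[m.group(1)] = _unescape(extension[m.end():end])
    # Resolve custom-field labels: cs1Label=policy_name + cs1=x becomes policy_name=x
    for key in list(event):
        if key.endswith("Label") and key[:-len("Label")] in event:
            event[event[key]] = event[key[:-len("Label")]]
    return event


if __name__ == "__main__":
    for sample in (AIRTIGHT_CEF, F5_ASM_CEF):
        e = parse_cef(sample)
        print(e["device_vendor"], e["name"], "severity", e["severity"])
```

Resolving the labels is what makes vendor-specific CEF usable downstream: searching on response_code or TargetDeviceName is meaningful, searching on cn1 or cs1 is not, and the same slot means different things on the two devices shown here.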


Alert Logic IRIS API

Support for Alert Logic IRIS API allows FortiSIEM to respond to incidents and events in real-time with up-to-date
situational awareness and comprehensive security analytics.
l Integration Points
l Event Types
l Reports
l Rules
l Configuring AlertLogic IRIS for FortiSIEM API Access
l Configuring FortiSIEM for AlertLogic IRIS API Access
l Sample Events

Integration points

Protocol Information Discovered Used For

AlertLogic Iris API Security Alerts created by AlertLogic Security and Compliance

Event Types

In RESOURCES > Event Types, enter "AlertLogic" in the Search field to see the event types associated with this
device.

Rules

In RESOURCE > Rules, enter "AlertLogic" in the Search field to see the rules associated with this device.

Reports

No defined reports.

Configuring Alert Logic for FortiSIEM API Access

Get API Key from Alert Logic

1. Login to the Alert Logic user interface.
2. On the left menu, select Admin > Account.
3. Click New API Key.
4. Enter a descriptive name in the Generate New API key dialog box.
5. Click Save to generate the API key.
A file containing your API key information (ID, ClientSecret, and Name) will be downloaded. The ID and
ClientSecret will be used by FortiSIEM.

Configuring FortiSIEM for Alert Logic API Access

Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
b. Enter these settings in the Access Method Definition dialog box and click Save:

Settings Description

Name Enter a name for the credential

Device Type Alert Logic IPS

Access Protocol Alert Logic IPS

Pull Interval The interval in which FortiSIEM will pull events from Alert Logic. Default is 5 minutes.

Access Key ID Access key for your Alert Logic instance.

Secret Key Secret key for your Alert Logic instance

Organization The organization the device belongs to.

Description Description of the device.

3. In Step 2, Enter IP Range to Credential Associations:
a. Select the name of your Alert Logic credential from the Credentials drop-down list.
b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
c. Click Save.
4. Click Test to test the connection to Alert Logic.
5. To see the jobs associated with Alert Logic, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter Alert Logic in the search box.

Sample Events

Raw events of an incident start with [AlertLogic_Incident]:

[AlertLogic_Incident]:[reptDevIpAddr]=10.10.10.10,
[reptDevName]=api.cloudinsight.alertlogic.com,[accountId]=11111111.0,[phCustId]=1,
[inIncidentAcknowledgeStatus]=closed,[inIncidentEventFirstSeen]=1558710055.0,
[inIncidentClearedTime]=1558710055.0,[inIncidentCreateTime]=1558710161.9708278,
[inIncidentCreatedUserId]=,[inIncidentLastModifiedTime]=0,
[inIncidentLastModifiedUser]=,[inCustomerName]=1074822-INT4 - RMS FAWS Test,
[msg]=This is a correlation incident,[inIncidentId]=e911347e8c1ca0fa,
[inIncidentStatus]=closed,[attackType]=suspicious-activity,[type]=,[count]=0.0,
[comment]=Test,[eventSeverity]=5,[eventType]=AlertLogic-Incident-Mei_Test,
[srcIpAddr]=255.255.255.255,[destIpAddr]=255.255.255.255

Raw events of an associated event start with [AlertLogic_Incident_Associated_Event]:

[AlertLogic_Incident_Associated_Event]:[reptDevIpAddr]=10.10.10.10,[phCustId]=,
[reptDevIpAddr]=34.192.118.124,[reptDevName]=api.cloudinsight.alertlogic.com,
[accountId]=100000,[inIncidentId]=e9113683d6815742,[httpContentType]=application/x-
alpacket-megmsgs,[description]=meta,[resourceType]=associated log,
[resourceName]=Log,
[uuid]=UVUxSk5BQ2tNS3NBQUFBQVhQQnNkRnp3YkhRQUFiRE1BQUVBSG1Gd2NHeHBZMkYwYVc5dUwzZ3R
ZV3h3WVdOclpYUXRiV1ZuYlhObmN3QUdURTlIVFZOSDphcHBsaWNhdGlvbi94LWFscGFja2V0LW1lZ21zZ
3M6ZTkxMTM2ODNkNjgxNTc0MjoxMDc2MDM2Mw==,[hostName]=meta,[msg]=dddddddd,
[eventSeverity]=5,[procId]=0,[procName]=meta,[collectorTime]=1559260276,
[reptDevName]=user,[eventType]=AlertLogic_e9113683d6815742_Associated_Event


Cisco FireSIGHT and FirePower Threat Defence

This section describes how FortiSIEM collects logs from the Cisco FireSIGHT console and FirePower Threat Defence via
the eStreamer API integration. FortiSIEM provides two integration options: the FortiSIEM built-in eStreamer
integration, or the Cisco FirePower eStreamer eNcore client.
The Cisco eNcore client collects system intrusion, discovery, and connection data from Firepower Management Center
or a managed device (also referred to as the eStreamer server) and delivers it to external client applications, in this
case via syslog to FortiSIEM.
l What is Discovered and Monitored
l Using FortiSIEM Client
l Using Cisco eStreamer Client

What is Discovered and Monitored

Protocol | Information Discovered | Logs Collected | Used For
eStreamer API | | Intrusion Events, Malware Events, File Events, Discovery Events, User Activity Events, Impact Flag Events | Security Monitoring

Rules

There are no predefined rules for this device.

Reports

The following reports are provided:
l Top Cisco FireAMP Malware Events
l Top Cisco FireAMP File Analysis Events
l Top Cisco FireAMP Vulnerable Intrusion Events
l Top Cisco FireAMP Discovered Login Events
l Top Cisco FireAMP Discovered Network Protocol
l Top Cisco FireAMP Discovered Client App
l Top Cisco FireAMP Discovered OS

Using FortiSIEM Client

FortiSIEM obtains events from Cisco FireSIGHT via eStreamer protocol.


Event Types

l Intrusion events: PH_DEV_MON_FIREAMP_INTRUSION


[PH_DEV_MON_FIREAMP_INTRUSION]:[eventSeverity]=PHL_CRITICAL,[fileName]=phFireAMPAgent.cpp,
[lineNumber]=381,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[snortEventId]=393258,
[deviceTime]=1430501705,[eventType]=Snort-1,[compEventType]=PH_DEV_MON_FIREAMP_INTRUSION,
[ipsGeneratorId]=137,[ipsSignatureId]=2,[ipsClassificationId]=32,[srcIpAddr]=10.131.10.1,
[destIpAddr]=10.131.10.120,[srcIpPort]=34730,[destIpPort]=443,[ipProto]=6,[iocNum]=0,
[fireAmpImpactFlag]=7,[fireAmpImpact]=2,[eventAction]=1,[mplsLabel]=0,[hostVLAN]=0,
[userId]=3013,[webAppId]=0,[clientAppId]=1296,[appProtoId]=1122,[fwRule]=133,
[ipsPolicyId]=63098,[srcIntfName]=b16c69fc-cd95-11e4-a8b0-b61685955f02,
[destIntfName]=b1a1f900-cd95-11e4-a8b0-b61685955f02,[srcFwZone]=9e34052a-9b4f-11e4-9b83-
efa88d47586f,[destFwZone]=a7bd89cc-9b4f-11e4-8260-63a98d47586f,[connEventTime]=1430501705,
[connCounter]=371,[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[phLogDetail]=

l Malware events: PH_DEV_MON_FIREAMP_MALWARE


[PH_DEV_MON_FIREAMP_MALWARE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,
[lineNumber]=487,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430502934,
[srcIpAddr]=10.110.10.73,[destIpAddr]=10.0.112.132,[srcIpPort]=21496,[destIpPort]=80,
[ipProto]=6,[fileName]=CplLnk.exe ,[filePath]=,[fileSize64]=716325,[fileType]=1,
[fileTimestamp]=0,[hashAlgo]=SHA,
[hashCode]=f1bfab10090541a2c3e58b4b93c504be8b65cdc823209c7f4def24acc38d7fd1 ,
[fileDirection]=1,[fireAmpFileAction]=3,[parentFileName]=,[parentFileHashCode]=,
[infoURL]=http://wrl/wrl/CplLnk.exe ,[threatScore]=0,[fireAmpDisposition]=3,
[fireAmpRetrospectiveDisposition]=3,[iocNum]=1,[accessCtlPolicyId]=125870424,
[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638,
[applicationId]=676,[connEventTime]=1430502933,[connCounter]=409,[cloudSecIntelId]=0,
[phLogDetail]=

l File events: PH_DEV_MON_FIREAMP_FILE


[PH_DEV_MON_FIREAMP_FILE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,
[lineNumber]=541,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430497343,
[srcIpAddr]=10.131.15.139,[destIpAddr]=10.0.112.137,[srcIpPort]=1587,[destIpPort]=80,
[ipProto]=6,[fileName]=Locksky.exe ,[hashAlgo]=SHA,
[hashCode]=aa999f5d948aa1a731f6717484e1db32abf92fdb5f1e7ed73ad6f5a21b0737c1,
[fileSize64]=60905,[fileDirection]=1,[fireAmpDisposition]=3,[fireAmpSperoDisposition]=4,
[fireAmpFileStorageStatus]=11,[fireAmpFileAnalysisStatus]=0,[threatScore]=0,
[fireAmpFileAction]=3,[fileType]=17,[applicationId]=676,[destUserId]=2991,
[infoURL]=http://wrl/wrl/Locksky.exe ,[signatureName]=,[accessCtlPolicyId]=125869976,
[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638,
[connCounter]=103,[connEventTime]=1430497343,[phLogDetail]=

l Discovery events:
l PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL

[PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL]:[eventSeverity]=PHL_INFO,
[fileName]=phFireAMPAgent.cpp,[lineNumber]=815,[reptDevIpAddr]=10.1.23.177,
[destIpPort]=2054,[ipProto]=54,[phLogDetail]=

l PH_DEV_MON_FIREAMP_DISCOVERY_OS_FINGERPRINT
[PH_DEV_MON_FIREAMP_DISCOVERY_OS_FINGERPRINT]:[eventSeverity]=PHL_INFO,
[fileName]=phFireAMPAgent.cpp,[lineNumber]=737,[reptDevIpAddr]=10.1.23.177,
[fingerprintId]=01f772b2-fceb-4777-8a50-1e1f27426ad0,[osType]=Windows 7,
[hostVendor]=Microsoft,[osVersion]=NULL,[phLogDetail]=


l PH_DEV_MON_FIREAMP_DISCOVERY_CLIENT_APP
[PH_DEV_MON_FIREAMP_DISCOVERY_CLIENT_APP]:[eventSeverity]=PHL_INFO,
[fileName]=phFireAMPAgent.cpp,[lineNumber]=775,[reptDevIpAddr]=10.1.23.177,
[clientAppId]=638,[appName]=Firefox,[phLogDetail]=

l PH_DEV_MON_FIREAMP_DISCOVERY_SERVER
[PH_DEV_MON_FIREAMP_DISCOVERY_SERVER]:[eventSeverity]=PHL_INFO,
[fileName]=phFireAMPAgent.cpp,[lineNumber]=853,[reptDevIpAddr]=10.1.23.177,
[applicationId]=676,[appTransportProto]=HTTP,[phLogDetail]=

l User activity events: PH_DEV_MON_FIREAMP_USER_LOGIN


[PH_DEV_MON_FIREAMP_USER_LOGIN]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,
[lineNumber]=672,[reptDevIpAddr]=10.1.23.177,[deviceTime]=1430490441,[user]=ABerglund ,
[userId]=0,[ipProto]=710,[emailId]=,[loginType]=0,[destIpAddr]=198.18.133.1 ,[phLogDetail]=

l Impact Flag events: PH_DEV_MON_FIREAMP_IMPACT_FLAG


[PH_DEV_MON_FIREAMP_IMPACT_FLAG]:[eventSeverity]=PHL_CRITICAL,
[fileName]=phFireAMPAgent.cpp,[lineNumber]=591,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,
[snortEventId]=34,[deviceTime]=1430491431,[eventType]=Snort-648,[compEventType]=PH_DEV_MON_
FIREAMP_IMPACT_FLAG,[ipsGeneratorId]=1,[ipsSignatureId]=14,[ipsClassificationId]=29,
[srcIpAddr]=10.131.12.240,[destIpAddr]=10.131.11.46,[srcIpPort]=80,[destIpPort]=8964,
[ipProto]=6,[fireAmpImpactFlag]=7,[phLogDetail]=
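The event samples above use FortiSIEM's own attribute syntax: an event type in brackets followed by comma-separated [key]=value pairs. Two details matter when these events are post-processed outside FortiSIEM: a key can repeat (the malware sample carries fileName twice, first the collector's own source file phFireAMPAgent.cpp and then the file seen on the wire), and several values end in a stray space. The parser below is an added example, not code from FortiSIEM or from this guide. Its sample lines are abridged copies of the page's malware and file events, and the digest-width inference (hashAlgo=SHA with a 64-character hex digest is treated as SHA-256) is the author's assumption, not something eStreamer states.

```python
import re
from collections import defaultdict
from typing import Any, Dict, List, Set, Tuple

# Two of the eStreamer samples printed above, abridged and reflowed onto one line each
# (constructed copies). "[fileName]" occurs twice in the malware event and several
# values carry a trailing space, exactly as on the page.
MALWARE_EVENT = (
    "[PH_DEV_MON_FIREAMP_MALWARE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,"
    "[lineNumber]=487,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430502934,"
    "[srcIpAddr]=10.110.10.73,[destIpAddr]=10.0.112.132,[srcIpPort]=21496,[destIpPort]=80,"
    "[ipProto]=6,[fileName]=CplLnk.exe ,[filePath]=,[fileSize64]=716325,[fileType]=1,"
    "[hashAlgo]=SHA,[hashCode]=f1bfab10090541a2c3e58b4b93c504be8b65cdc823209c7f4def24acc38d7fd1 ,"
    "[fireAmpDisposition]=3,[infoURL]=http://wrl/wrl/CplLnk.exe ,[phLogDetail]="
)
FILE_EVENT = (
    "[PH_DEV_MON_FIREAMP_FILE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,"
    "[lineNumber]=541,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430497343,"
    "[srcIpAddr]=10.131.15.139,[destIpAddr]=10.0.112.137,[srcIpPort]=1587,[destIpPort]=80,"
    "[ipProto]=6,[fileName]=Locksky.exe ,[hashAlgo]=SHA,"
    "[hashCode]=aa999f5d948aa1a731f6717484e1db32abf92fdb5f1e7ed73ad6f5a21b0737c1,"
    "[fileSize64]=60905,[fireAmpDisposition]=3,[destUserId]=2991,[phLogDetail]="
)
SAMPLE_EVENTS = [MALWARE_EVENT, FILE_EVENT]

_HEADER = re.compile(r"^\[(?P<etype>[^\]]+)\]:(?P<body>.*)$", re.S)
# A value runs from "]=" up to the next ",[key]=" or the end of the line, so commas and
# spaces inside a value survive; only the literal sequence ",[key]=" terminates it.
_ATTR = re.compile(r"\[(?P<key>[^\]]+)\]=(?P<val>.*?)(?=,\[[^\]]+\]=|$)", re.S)


def parse_event(line: str) -> Dict[str, Any]:
    """Parse "[eventType]:[k]=v,[k]=v,..." into {"type": ..., "attrs": {k: [v, ...]}}.

    Values are lists on purpose: a key may repeat, and in the malware sample the first
    fileName is the collector's own source file (phFireAMPAgent.cpp) while the second is
    the file seen on the wire (CplLnk.exe). A plain dict would keep only one of them.
    Values are stripped because the samples carry trailing spaces after names and hashes.
    """
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a FortiSIEM attribute line: %r" % line[:40])
    attrs: Dict[str, List[str]] = defaultdict(list)
    for a in _ATTR.finditer(m.group("body")):
        attrs[a.group("key")].append(a.group("val").strip())
    return {"type": m.group("etype"), "attrs": dict(attrs)}


def digest_algo(hexdigest: str) -> str:
    """eStreamer reports hashAlgo=SHA without a width; infer the width from the hex length
    (assumption: 32 -> MD5, 40 -> SHA-1, 64 -> SHA-256)."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(hexdigest), "unknown")


def file_hashes(events: List[Dict[str, Any]]) -> Set[Tuple[str, str]]:
    """Collect (algorithm, lowercase hex digest) pairs from malware and file events,
    ready to be loaded as file-hash indicators. Non-hex values are ignored."""
    iocs: Set[Tuple[str, str]] = set()
    for ev in events:
        if ev["type"] not in ("PH_DEV_MON_FIREAMP_MALWARE", "PH_DEV_MON_FIREAMP_FILE"):
            continue
        for h in ev["attrs"].get("hashCode", []):
            if re.fullmatch(r"[0-9a-fA-F]+", h):
                iocs.add((digest_algo(h), h.lower()))
    return iocs


if __name__ == "__main__":
    parsed = [parse_event(line) for line in SAMPLE_EVENTS]
    for ev in parsed:
        print(ev["type"], "fileName =", ev["attrs"]["fileName"])
    for algo, digest in sorted(file_hashes(parsed)):
        print(algo, digest)
```

Keeping every value as a list costs nothing and makes the duplicate-key case visible instead of silently losing the sensor's file name; when only one value is expected, take the last element, which is the value the sensor supplied.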

Configuration

Cisco FireSIGHT Configuration

1. Log in to the Cisco FireSIGHT console.
2. Go to System > Local > Registration > eStreamer.
3. Click Create Client.
a. Enter the IP address of the FortiSIEM node that will connect to the console, and a Password.
b. Click Save.
4. Select the types of events that should be forwarded to FortiSIEM.
5. Click Download Certificate and save the certificate to a local file. The file contains the client's private key, so
protect it like any other secret and delete local copies once it has been uploaded to FortiSIEM.

FortiSIEM Configuration

1. Go to ADMIN > Setup > Credentials.
2. Create a credential:
a. Set Device Type to Cisco FireAMP.
b. Set Access Method to eStreamer.
c. Enter the Password from Step 3a above.
d. Click Certificate File > Upload and select the certificate downloaded in Step 5.
e. Click Save.
3. Create an IP range to credential association:
a. Enter the IP address of the FireSIGHT console.
b. Select the credential created in Step 2 above.
4. Click Test Connectivity. FortiSIEM then starts collecting events from the FireSIGHT console.


Using Cisco eStreamer Client

Cisco has published a free eStreamer client (eNcore) that pulls events from the eStreamer server (the Firepower
Management Center). This client is more up to date than FortiSIEM's own eStreamer client.
If you decide to use Cisco's eStreamer client instead of FortiSIEM's, follow these steps.

Step 1: Install a separate Python build under a new user 'estreamer'

This is required because the Python interpreter that ships with FortiSIEM is compiled with PyUnicodeUCS2, while the
eStreamer client requires a standard Python build compiled with PyUnicodeUCS4. Python 2.7 reached end of life in
January 2020, so keep this interpreter private to the estreamer user rather than placing it on the system PATH.
1. Log in, as root, to the FortiSIEM Collector or the node where the eStreamer client is going to be installed.
2. Create the estreamer user:
a. useradd estreamer
3. Switch to the new user and download the Python source:
a. su - estreamer
b. mkdir ~/python
c. cd ~/python
d. wget https://www.python.org/ftp/python/2.7.11/Python-2.7.11.tgz
4. Build and install Python under $HOME/python:
a. tar zxvf Python-2.7.11.tgz
b. find ~/python -type d | xargs chmod 0755
c. cd Python-2.7.11
d. ./configure --prefix=$HOME/python --enable-unicode=ucs4
e. make && make install
f. Add the following line to ~/.bashrc so that the new interpreter in $HOME/python/bin is found first (the installed
interpreter locates its own standard library under $HOME/python/lib/python2.7, so PYTHONPATH does not need to be set):
export PATH=$HOME/python/bin:$PATH
g. source ~/.bashrc
h. Verify that the UCS4 build is the one being picked up:
python -c 'import sys; print(sys.version, sys.maxunicode)'
The second value must be 1114111 for a UCS4 build; 65535 means the UCS2 interpreter is still first on the PATH.

Step 2: Download and configure the eStreamer client

1. SSH to the FortiSIEM Collector, or the node where the eStreamer client is going to be installed, as the estreamer user.
2. Clone the eNcore repository over HTTPS (the unauthenticated git:// transport provides no integrity protection and is
no longer served by GitHub):
git clone https://github.com/CiscoSecurity/fp-05-firepower-cef-connector-arcsight.git
3. Change into the repository directory:
cd fp-05-firepower-cef-connector-arcsight
4. Log in to the eStreamer server (Firepower Management Center) and:
a. Go to System > Integration > eStreamer.
b. Create a new client and enter the IP address of the Supervisor/Collector as the host.
c. Download the pkcs12 file and save it in the fp-05-firepower-cef-connector-arcsight directory.
5. Go back to the fp-05-firepower-cef-connector-arcsight directory.
6. Run sh encore.sh and, when prompted, type 2 to select CEF output. An estreamer.conf file is generated.


7. Edit estreamer.conf (JSON) and set the following values:
l handler.outputters.stream.uri : "udp://VA_IP:514", where VA_IP is the FortiSIEM Supervisor or Collector that
should receive the syslog
l servers.host : eStreamer_Server_IP
l servers.pkcs12Filepath : /path/to/pkcs12
Syslog over UDP is neither authenticated nor encrypted, so keep the path between the eNcore host and FortiSIEM within a
trusted network segment.
8. Extract the private key and the client certificate from the PKCS#12 file:
l openssl pkcs12 -in "client.pkcs12" -nocerts -nodes -out "/path/to/fp-05-firepower-cef-connector-arcsight/client_pkcs.key"
l openssl pkcs12 -in "client.pkcs12" -clcerts -nokeys -out "/path/to/fp-05-firepower-cef-connector-arcsight/client_pkcs.cert"
If a password was set when the eStreamer client was created on the Firepower Management Center, openssl prompts for
it. Because -nodes writes the private key unencrypted, restrict the key file to the estreamer user:
chmod 600 client_pkcs.key

Step 3: Start the eStreamer client

SSH to the FortiSIEM Collector, or the node where the eStreamer client is installed, as the estreamer user. Start the
eStreamer client by entering:
sh encore.sh start
The eStreamer client is now ready for use. FortiSIEM 5.2.5 and later include an updated parser for the events generated
by the Cisco eStreamer client. Trigger a few events on the eStreamer server and query for them in FortiSIEM to verify
that everything is working.


Cisco Intrusion Protection System

What is Discovered and Monitored

Protocol: SNMP
Used For: Performance and Availability Monitoring

Protocol: SDEE
Metrics Collected: Alerts
Used For: Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "cisco ips" in the Device Type and Description columns to see the
event types associated with this device.

Rules

In RESOURCE > Rules, search for "cisco ips" in the Name column to see the rules associated with this device.

Reports

In RESOURCE > Reports , search for "cisco ips" in the Name column to see the reports associated with this device.

Configuration

SNMP

1. Log in to the device manager for your Cisco IPS.
2. Go to Configuration > Allowed Hosts/Networks.
3. Click Add.
4. Enter the IP address of your FortiSIEM virtual appliance to add it to the access control list, and then click OK.
5. Go to Configuration > Sensor Management > SNMP > General Configuration.
6. For Read-Only Community String, enter a community string of your own choosing. It must match the Community String
of the SNMP credential you create in FortiSIEM (see SNMP Access Credentials for All Devices below); do not use the
well-known default public on a production sensor.
7. For Sensor Contact and Sensor Location, enter Unknown.
8. For Sensor Agent Port, enter 161.
9. For Sensor Agent Protocol, select udp.
If you must create a dedicated SDEE account for FortiSIEM, go to Configuration > Users and add a new user for that
purpose. Give it the least-privileged role that your sensor software accepts for SDEE event retrieval rather than a
shared administrator login, so that a leaked FortiSIEM credential cannot be used to reconfigure the sensor.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.


Setting Value

Name <set name>

Device Type Cisco IPS

Access Protocol Cisco SDEE

Pull Interval 5 minutes

Port 443

Password config See Password Configuration

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the
Name and Community String.

Setting Value

Name <set name>

Device Type Generic

Access Protocol SNMP

Community String <your own>

Sample XML-Formatted Alert

<!-- CISCO IPS -->
<evAlert eventId="1203541079317487802" severity="low">
  <originator>
    <hostId>MainFW-IPS</hostId>
    <appName>sensorApp</appName>
    <appInstanceId>376</appInstanceId>
  </originator>
  <time offset="0" timeZone="UTC">1204938398491122000</time>
  <signature sigName="ICMP Network Sweep w/Echo" sigId="2100" subSigId="0" version="S2"></signature>
  <interfaceGroup>vs1</interfaceGroup>
  <vlan>0</vlan>
  <participants>
    <attack>
      <attacker>
        <addr locality="OUT">2.2.2.1</addr>
      </attacker>
      <victim>
        <addr locality="OUT">171.64.10.225</addr>
        <os idSource="unknown" type="unknown" relevance="relevant"></os>
      </victim>
      <victim>
        <addr locality="OUT">171.66.255.87</addr>
        <os idSource="unknown" type="unknown" relevance="relevant"></os>
      </victim>
      <victim>
        <addr locality="OUT">171.66.255.86</addr>
        <os idSource="unknown" type="unknown" relevance="relevant"></os>
      </victim>
      <victim>
        <addr locality="OUT">171.66.255.84</addr>
        <os idSource="unknown" type="unknown" relevance="relevant"></os>
      </victim>
      <victim>
        <addr locality="OUT">171.66.255.85</addr>
        <os idSource="unknown" type="unknown" relevance="relevant"></os>
      </victim>
      <victim>
        <addr locality="OUT">171.66.255.82</addr>
        <os idSource="unknown" type="unknown" relevance="relevant"></os>
      </victim>
    </attack>
  </participants>
  <alertDetails>InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" </alertDetails>
</evAlert>
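To show what an analyst actually needs out of an SDEE alert, here is an added example (not Cisco's or Fortinet's code) that flattens the evAlert above using Python's standard library. The XML is a constructed copy of the sample; a live SDEE subscription may wrap alerts in namespaced envelopes, in which case the tag lookups need the namespace added. The nanosecond time value is interpreted as UTC because the sample's offset attribute is 0 (an assumption for other offsets). The point the sample makes is that one sweep alert names one attacker and six victims, so per-host counting has to fan the alert out rather than count it once. For XML arriving from a network device, use defusedxml's drop-in replacement for ElementTree in production.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Any, Dict, List, Tuple

# Constructed copy of the evAlert printed above (one attacker, six victims of an ICMP sweep).
SAMPLE_ALERT = """\
<evAlert eventId="1203541079317487802" severity="low">
  <originator>
    <hostId>MainFW-IPS</hostId><appName>sensorApp</appName><appInstanceId>376</appInstanceId>
  </originator>
  <time offset="0" timeZone="UTC">1204938398491122000</time>
  <signature sigName="ICMP Network Sweep w/Echo" sigId="2100" subSigId="0" version="S2"></signature>
  <interfaceGroup>vs1</interfaceGroup><vlan>0</vlan>
  <participants><attack>
    <attacker><addr locality="OUT">2.2.2.1</addr></attacker>
    <victim><addr locality="OUT">171.64.10.225</addr><os idSource="unknown" type="unknown" relevance="relevant"/></victim>
    <victim><addr locality="OUT">171.66.255.87</addr><os idSource="unknown" type="unknown" relevance="relevant"/></victim>
    <victim><addr locality="OUT">171.66.255.86</addr><os idSource="unknown" type="unknown" relevance="relevant"/></victim>
    <victim><addr locality="OUT">171.66.255.84</addr><os idSource="unknown" type="unknown" relevance="relevant"/></victim>
    <victim><addr locality="OUT">171.66.255.85</addr><os idSource="unknown" type="unknown" relevance="relevant"/></victim>
    <victim><addr locality="OUT">171.66.255.82</addr><os idSource="unknown" type="unknown" relevance="relevant"/></victim>
  </attack></participants>
  <alertDetails>InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" </alertDetails>
</evAlert>
"""


def parse_ev_alert(xml_text: str) -> Dict[str, Any]:
    """Flatten one SDEE evAlert into the fields an analyst pivots on."""
    root = ET.fromstring(xml_text)
    sig = root.find("signature")
    t = root.find("time")
    attack = root.find("participants/attack")
    if root.tag != "evAlert" or sig is None or t is None or attack is None:
        raise ValueError("not a complete evAlert element")
    # SDEE time is nanoseconds since the Unix epoch. The sample's offset is 0 and its
    # timeZone is UTC, so the value is taken as UTC here (assumption for other offsets).
    ts = datetime.fromtimestamp(int(t.text or "0") // 10**9, tz=timezone.utc)
    return {
        "event_id": root.get("eventId"),
        "severity": root.get("severity"),
        "sensor": root.findtext("originator/hostId"),
        "sig_id": sig.get("sigId"),
        "sub_sig_id": sig.get("subSigId"),
        "sig_name": sig.get("sigName"),
        "time_utc": ts.isoformat(),
        "attackers": [a.text for a in attack.findall("attacker/addr")],
        "victims": [v.text for v in attack.findall("victim/addr")],
    }


def fan_out(alert: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """One alert can name many victims (a sweep). Return one (attacker, victim, sigId)
    row per pair so that per-host statistics do not under-report the scan."""
    return [(a, v, alert["sig_id"]) for a in alert["attackers"] for v in alert["victims"]]


if __name__ == "__main__":
    alert = parse_ev_alert(SAMPLE_ALERT)
    print(alert["time_utc"], alert["sensor"], alert["sig_id"], alert["sig_name"])
    for row in fan_out(alert):
        print(row)
```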


Cisco Stealthwatch

l Integration points
l Configuring FortiSIEM
l Parsing and Events

Integration points

Protocol: Syslog
Information Discovered: Network Anomaly Detection Alerts
Used For: Security and Compliance

Configuring FortiSIEM

FortiSIEM automatically recognizes Cisco Stealthwatch syslog as long as it follows the format shown in this sample:
<129>Jun 18 14:56:00 ED2ALENTSVRSMC-1 StealthWatch[2699]:
Lancope|StealthWatch|PRIORITY A|time=2018-06-18T14:55:30Z|target_hostname=|alarm_severity_id=5|alarm_type_id=60|
alarm_type_description=Host may be infected with an SMB

Parsing and Events

Currently over 150 events are parsed. To see them, go to RESOURCE > Event Types and search for 'Cisco-StealthWatch-'.
Users can extend the parser to add other events.


Cylance Protect Endpoint Protection

l What is Discovered and Monitored


l Configuration

What is Discovered and Monitored

Protocol: Syslog
Metrics Collected: Endpoint malware alerts
Used For: Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "cylance" in the Device Type column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

FortiSIEM processes events from this device via CEF formatted syslog sent by the device. Configure the device to
send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Cylance Protect

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


Example Syslog

CylancePROTECT: Event Type: AppControl, Event Name: pechange, Device Name: WIN-7entSh64, IP
Address: (192.168.119.128), Action: PEFileChange, Action Type: Deny, File Path:
C:\Users\admin\AppData\Local\Temp\MyInstaller.exe, SHA256:
04D4DC02D96673ECA9050FE7201044FDB380E3CFE0D727E93DB35A709B45EDAA


Cyphort Cortex Endpoint Protection

l What is Discovered and Monitored


l Configuration

What is Discovered and Monitored

Protocol: Syslog
Metrics Collected: Endpoint malware alerts
Used For: Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "cyphort" in the Device Type column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

FortiSIEM processes events from this device via CEF formatted syslog sent by the device. Configure the device to
send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Cyphort Cortex

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


Example Syslog

<134>Feb 23 21:58:05 tap54.eng.cyphort.com cyphort: CEF:0|Cyphort|Cortex|3.2.1.16|http|TROJAN_GIPPERS.DC|8|
externalId=374 eventId=13348 lastActivityTime=2015-02-24 05:58:05.151123+00 src=172.16.0.1 dst=10.1.1.26
fileHash=acf69d292d2928c5ddfe5e6af562cd482e6812dc fileName=79ea1163c0844a2d2b6884a31fc32cc4.bin
fileType=PE32 executable (GUI) Intel 80386, for MS Windows startTime=2015-02-24 05:58:05.151123+00


Damballa Failsafe

Configuration in FortiSIEM

Complete these steps in the FortiSIEM UI:


1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
a. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
b. Enter these settings in the Access Method Definition dialog box:

Setting Value

Name A name for the device.

Device Type Damballa Failsafe

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration

3. In Step 2, Enter IP Range to Credential Associations:


a. Select the name of your credential from the Credentials drop-down list.
b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
c. Click Save.
4. Click Test to test the connection to Damballa Failsafe.
5. To see the jobs associated with Damballa, select ADMIN > Pull Events.
6. To see the received events select ANALYTICS, then enter Damballa in the search box.


Darktrace CyberIntelligence Platform

l What is Discovered and Monitored


l Event Types
l Rules
l Reports
l Configuration
l Sample Events

What is Discovered and Monitored

Protocol: Syslog (CEF formatted)
Metrics/Logs Collected: Over 40 security logs
Used For: Security and Compliance monitoring

Event Types

In ADMIN > Device Support > Event, search for "Darktrace-DCIP" to see the event types associated with this device.

Rules

None

Reports

None

Configuration

Configure Darktrace to send CEF formatted logs to FortiSIEM. FortiSIEM will automatically parse the logs. No
configuration is required in FortiSIEM.

Sample Events

CEF:0|Darktrace|DCIP|3.0.8|537|Antigena/Network/Compliance/Antigena RDP Block|Low| eventId=2
externalId=1462565 art=1536856095244 deviceSeverity=1 rt=1536856054000
shost=personalpcd698.abccompany.local src=10.10.1.85 sourceZoneURI=/All Zones/ArcSight
System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 smac=1:1:1:1:1:1
dst=1.1.1.1 destinationZoneURI=/All Zones/ArcSight System/Public Address Space
Zones/APNIC/1.0.0.0-1.1.1.255 (APNIC) dpt=9999 ahost=personalpc123.abccompany.local
agt=10.10.28.38 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918:
10.0.0.0-10.255.255.255 av=2.2.2.2.0 atz=CountryA aid=3mAvC02UBABCAa72iNm4jZA\=\= at=syslog
dvc=10.10.10.10 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918:
10.0.0.0-10.255.255.255 dtz=CountryA _cefVer=0.1
ad.darktraceUrl=https://10.10.10.10/#modelbreach/1462565


FireEye Malware Protection System (MPS)

l What is Discovered and Monitored


l Configuration

What is Discovered and Monitored

Protocol: Syslog

Event Types

In ADMIN > Device Support > Event, search for "fireeye mps" in the Device Type column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslogs to
FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
l For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your FortiSIEM virtual
appliance.
l For Port, enter 514.
l Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that
shown in the example.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.


Setting Value

Name <set name>

Device Type FireEye MPS

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration

Example Syslog

<164>fenotify-45640.alert: CEF:0|FireEye|MPS|6.0.0.62528|MC|malware-callback|9|rt=Apr 16 2012
15:54:41 src=192.168.26.142 spt=0 smac=00:14:f1:90:c8:01 dst=2.2.2.2 dpt=80
dmac=00:10:db:ff:50:00 cn1Label=vlan cn1=202 cn2Label=sid cn2=33335390 cs1Label=sname
cs1=Trojan.Gen.MFC cs4Label=link cs4=https://10.10.10.10/event_stream/events_for_bot?ev_id\=45640
cs5Label=ccName cs5=3.3.3.3 cn3Label=ccPort cn3=80 proto=tcp cs6Label=ccChannel cs6=
shost=abc.org dvchost=ALAXFEYE01 dvc=10.10.10.10 externalId=45640


FortiDDoS

l What is Discovered and Monitored


l Configuration

What is Discovered and Monitored

Protocol: Syslog
Information Discovered: Host Name, Access IP, Vendor/Model
Metrics Collected: Over 150 event types, including Protocol Anomaly, Traffic Volume Anomaly, DoS Attacks
Used For: Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "FortiDDoS" to see the event types associated with this device.

Rules

There are many IPS correlation rules for this device under Rules > Security > Exploits.

Reports

There are many reports for this device under Reports > Function > Security.

Configuration

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Fortinet FortiDDoS

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


Syslog

FortiSIEM processes FortiDDoS events via syslog. Configure FortiDDoS to send syslog to FortiSIEM as directed in the
device's product documentation.

Example Syslog

Jan 10 16:01:50 172.30.84.114 devid=FI400B3913000032 date=2015-01-23 time=17:42:00 type=attack
SPP=1 evecode=1 evesubcode=8 dir=0 protocol=1 sIP=0.0.0.0 dIP=0.0.0.0 dropCount=312

devid=FI800B3913000055 date=2017-01-27 time=18:24:00 tz=PST type=attack spp=0 evecode=2
evesubcode=61 description="Excessive Concurrent Connections Per Source flood" dir=1
sip=24.0.0.2 dip=24.255.0.253 subnet_name=default dropcount=40249 facility=Local0 level=Notice


Fortinet FortiDeceptor

l Integration Points
l Configuration
l Settings for Access Credentials
l Sample Events

Integration Points

Method: Syslog
Information Discovered: Host name, Reporting IP
Metrics Collected: None
Logs Collected: Authentication logs, Decoy activity
Used For: Security monitoring

Event Types

In ADMIN > Device Support > Event, search for "FortiDeceptor" to see the event types associated with this device.

Rules

No specific rules are written for FortiDeceptor.

Reports

No specific reports are written for FortiDeceptor.

Configuration

Configure FortiDeceptor to send logs to FortiSIEM in the supported format (see Sample Events).

Settings for Access Credentials

None required.

Sample Events

<27>2019-07-29T10:12:44 devhost=FDC-VM0000000262 devid=FDC-VM0000000262 logver=25 tzone=14400
tz=GST date=2019-07-29 time=10:12:44 logid=0106000001 type=event subtype=system level=error
user=system ui=GUI action=update status=failure msg="The authentication to FDN server failed"

<14>2019-07-29T10:40:34 devhost=FDC-VM0000000262 devid=FDC-VM0000000262 logver=25 tzone=14400
tz=GST date=2019-07-29 time=10:40:34 logid=0106000001 type=event subtype=system level=information
user=admin ui=GUI action=Login status=success msg="Administrator admin logged into website
successfully from 10.0.0.254"


Fortinet FortiNAC

l Integration Points
l Configuration
l Settings for Access Credentials
l Sample Events

Integration Points

Method: Syslog
Information Discovered: Host name, Reporting IP
Metrics Collected: None
Logs Collected: Administrative and User Admission Control events
Used For: Security monitoring

Event Types

In ADMIN > Device Support > Event, search for "FortiNAC" to see the event types associated with this device.

Rules

No specific rules are written for FortiNAC, but the generic rules for network admission control apply.

Reports

No specific reports are written for FortiNAC, but the generic reports for network admission control apply.

Configuration

Configure FortiNAC to send logs to FortiSIEM in the supported format (see Sample Events).

Settings for Access Credentials

None required.

Sample Events

<37>Jan 08 19:03:45 : CEF:0|Bradford Networks|FortiNAC-VM-Control and Application Server|8.3.0.79|426|
Adapter Destroyed|1|rt=Jan 08 19:03:45 269 UTC cat=EndStation msg=Adapter 18:5E:0F:AA:56:31 Destroyed.

<37>Dec 06 10:34:42 : CEF:0|Bradford Networks|FortiNAC-VM-Control and Application Server|8.3.1.30|447702|
Admin User Login Success|1|rt=Dec 06 10:34:42 736 CET cat= suid=guiadmin msg=Admin user guiadmin logged in.

<37>Apr 16 11:06:19 : CEF:0|Bradford Networks|FortiNAC-VM-Control and Application Server|8.3.6.104|605250|
Security Risk Host|1|rt=Apr 16 11:06:19 447 CEST cat=EndStation src=192.168.242.20
smac=00:26:9E:D9:87:12 shost=X100e-1 cs1Label=Physical<space>network<space>location cs1=BA-HPswitch
GigabitEthernet1/0/10 { GigabitEthernet1/0/10 Interface } msg=Host failed Windows-PA-Notepad Tests: Failed ::
Custom :: Notepad MAC Address: 00:26:9E:D9:87:12 Last Known Adapter IP: 192.168.242.20 Host Location: BA-HPswitch
GigabitEthernet1/0/10 { GigabitEthernet1/0/10 Interface }


Fortinet FortiSandbox

l What is Discovered and Monitored


l Configuration

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host Name, OS, version, Hardware
Metrics Collected: CPU, Memory, Disk, Interface utilization
Used For: Performance Monitoring

Protocol: HTTP(S)
Information Discovered: Host Name, OS, version, Hardware
Used For: Log Management, Security Compliance, SIEM

Protocol: Syslog
Information Discovered: Threat feed - Malware URL, Malware Hash
Metrics Collected: Malware found/cleaned, Botnet, Malware URL, System Events
Used For: Log Management, Security Compliance, SIEM

Event Types

In ADMIN > Device Support > Event, search for "fortisandbox-" to see the event types associated with this device.

Rules

In RESOURCE > Rules, search for "fortisandbox-" to see the rules associated with this device.
In addition, the basic availability rules in RESOURCE > Rules > Availability > Network and the performance rules in
RESOURCE > Rules > Performance > Network trigger for this device.

Reports

In RESOURCE > Reports, search for "fortisandbox-" to see the reports associated with this device.

Configuration

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslogs to
FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.


For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your FortiSIEM virtual
appliance.
For Port, enter 514.
Make sure that the syslog format is the same as that shown in the example.

Example Syslog:

Oct 12 14:35:12 172.16.69.142 devname=turnoff-2016-10-11-18-46-05-172.16.69.142 device_id=FSA3KE3A13000011
logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success
reason=none letype=9 msg="Malware package: urlrel version 2.88897 successfully released, total 1000"

<14>2016-08-19T06:48:51 devhost=turnoff-2016-08-15-19-24-55-172.16.69.55 devid=FSA35D0000000006
tzone=-25200 tz=PDT date=2016-08-19 time=06:48:51 logid=0106000001 type=event subtype=system
level=information user=admin ui=GUI action=update status=success reason=none letype=9
msg="Remote log server was successfully added"
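FortiDDoS, FortiDeceptor and FortiSandbox all emit the Fortinet key=value syslog format shown in the samples above: an optional <PRI> and timestamp header, then space-separated key=value pairs in which a quoted value may contain spaces and a value may be empty (action= in the FortiSandbox sample). The parser below is an added example, not Fortinet code, run over abridged, constructed copies of this page's samples. It decodes the syslog PRI into the RFC 5424 facility and severity names and derives the event time from the device's own date, time and tzone fields rather than from the syslog header, which only records arrival time. Reading tzone as seconds east of UTC matches GST (14400) and PDT (-25200) in the samples, but it is an inference from those samples, not a statement this guide makes.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Optional

# Constructed copies of the FortiDDoS, FortiDeceptor and FortiSandbox samples on this page,
# abridged and reflowed onto one line each.
SAMPLES = [
    "Jan 10 16:01:50 172.30.84.114 devid=FI400B3913000032 date=2015-01-23 time=17:42:00 "
    "type=attack SPP=1 evecode=1 evesubcode=8 dir=0 protocol=1 sIP=0.0.0.0 dIP=0.0.0.0 dropCount=312",
    "devid=FI800B3913000055 date=2017-01-27 time=18:24:00 tz=PST type=attack spp=0 evecode=2 "
    'evesubcode=61 description="Excessive Concurrent Connections Per Source flood" dir=1 '
    "sip=24.0.0.2 dip=24.255.0.253 subnet_name=default dropcount=40249 facility=Local0 level=Notice",
    "<27>2019-07-29T10:12:44 devhost=FDC-VM0000000262 devid=FDC-VM0000000262 logver=25 tzone=14400 "
    "tz=GST date=2019-07-29 time=10:12:44 logid=0106000001 type=event subtype=system level=error "
    'user=system ui=GUI action=update status=failure msg="The authentication to FDN server failed"',
    "Oct 12 14:35:12 172.16.69.142 devname=turnoff-2016-10-11-18-46-05-172.16.69.142 "
    "device_id=FSA3KE3A13000011 logid=0106000001 type=event subtype=system pri=debug user=system "
    'ui=system action= status=success reason=none letype=9 msg="Malware package: urlrel version '
    '2.88897 successfully released, total 1000"',
    "<14>2016-08-19T06:48:51 devhost=turnoff-2016-08-15-19-24-55-172.16.69.55 devid=FSA35D0000000006 "
    "tzone=-25200 tz=PDT date=2016-08-19 time=06:48:51 logid=0106000001 type=event subtype=system "
    'level=information user=admin ui=GUI action=update status=success msg="Remote log server was '
    'successfully added"',
]

# RFC 5424 facility and severity names; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI = re.compile(r"^<(\d{1,3})>")
# key=value where the value is either "quoted, may contain spaces and \" escapes" or a bare
# run of non-blank characters, possibly empty (as in 'action= status=success').
_KV = re.compile(r'(?P<k>[A-Za-z_][A-Za-z0-9_]*)=(?:"(?P<q>(?:[^"\\]|\\.)*)"|(?P<u>\S*))')


def parse_fortinet_kv(line: str) -> Dict[str, Any]:
    """Split a Fortinet syslog line into its transport header, decoded PRI and key=value body."""
    matches = list(_KV.finditer(line))
    if not matches:
        raise ValueError("no key=value pairs: %r" % line[:40])
    header = line[: matches[0].start()].strip()   # everything before the first key=value
    pri: Optional[int] = None
    m = _PRI.match(header)
    if m:
        pri = int(m.group(1))
        header = header[m.end():].strip()
    kv: Dict[str, str] = {}
    for m in matches:
        raw = m.group("q") if m.group("q") is not None else m.group("u")
        kv[m.group("k")] = re.sub(r"\\(.)", r"\1", raw)   # \" -> " and \\ -> \ inside quotes
    facility = FACILITIES[pri >> 3] if pri is not None and (pri >> 3) < len(FACILITIES) else None
    severity = SEVERITIES[pri & 7] if pri is not None else None
    return {"header": header, "pri": pri, "facility": facility, "severity": severity, "kv": kv}


def event_time_utc(kv: Dict[str, str]) -> Optional[str]:
    """Event time in UTC from the device's date/time/tzone fields. tzone is read as seconds
    east of UTC (assumption consistent with GST=14400 and PDT=-25200 in the samples). When
    tzone is absent the tz abbreviation alone is ambiguous, so None is returned rather than
    a guess."""
    if not all(k in kv for k in ("date", "time", "tzone")):
        return None
    local = datetime.strptime(kv["date"] + " " + kv["time"], "%Y-%m-%d %H:%M:%S")
    local = local.replace(tzinfo=timezone(timedelta(seconds=int(kv["tzone"]))))
    return local.astimezone(timezone.utc).isoformat()


if __name__ == "__main__":
    for line in SAMPLES:
        rec = parse_fortinet_kv(line)
        print(rec["facility"], rec["severity"], event_time_utc(rec["kv"]), rec["kv"].get("msg"))
```

The samples show why the device fields are the right source of truth: the first FortiDDoS line was received at 16:01 on Jan 10 but describes an attack the device logged at 17:42 on Jan 23, and only the lines that carry tzone can be placed on a UTC timeline without guessing.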

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Fortinet FortiSandbox

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


Fortinet FortiTester

l What is Discovered and Monitored


l Event Types
l Rules
l Reports
l Configuration
l Sample Events

What is Discovered and Monitored

Protocol: Syslog (CEF formatted)
Information Discovered: Host name and Device Type from the log
Metrics/Logs Collected: Over 14 log types
Used For: Security and Compliance

Event Types

In ADMIN > Device Support > Event, search for "FortiTester" to see the event types associated with this device.

Rules

None

Reports

None

Configuration

Configure FortiTester to send CEF formatted syslog to FortiSIEM. No configuration is required on FortiSIEM.

Sample Events

CEF:0|Fortinet|FortiTester|3.8|Event|information|category=System
deviceExternalId=FTS2KET618000005 msg=The system is started deviceCustomDate1=2019-11-05-
15:12:30 cs1= cs1Label=Description
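Cyphort Cortex, Darktrace, FireEye MPS, FortiNAC and FortiTester all deliver CEF, and the samples in those sections show the two places where hand-rolled CEF parsing usually goes wrong: header fields must be split on '|' while honouring the '\|' escape, and extension values may contain spaces (fileType=PE32 executable (GUI) ... in the Cyphort line, sourceZoneURI=/All Zones/... in the Darktrace line) or the '\=' escape (the FireEye link and the Darktrace aid value). The parser below is an added example, not FortiSIEM's parser, run over abridged, constructed copies of those samples. The FortiTester line as printed on this page has only six header fields, so a strict parser rejects it instead of silently treating the extension as the severity.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed, abridged copies of the CEF samples printed in the FireEye, Cyphort, Darktrace
# and FortiTester sections, reflowed onto one line each. Raw strings keep the \= escapes.
FIREEYE = (
    r"<164>fenotify-45640.alert: CEF:0|FireEye|MPS|6.0.0.62528|MC|malware-callback|9|"
    r"rt=Apr 16 2012 15:54:41 src=192.168.26.142 spt=0 smac=00:14:f1:90:c8:01 dst=2.2.2.2 dpt=80 "
    r"cn2Label=sid cn2=33335390 cs1Label=sname cs1=Trojan.Gen.MFC cs4Label=link "
    r"cs4=https://10.10.10.10/event_stream/events_for_bot?ev_id\=45640 cs5Label=ccName cs5=3.3.3.3 "
    r"proto=tcp cs6Label=ccChannel cs6= shost=abc.org dvchost=ALAXFEYE01 dvc=10.10.10.10 externalId=45640"
)
CYPHORT = (
    r"<134>Feb 23 21:58:05 tap54.eng.cyphort.com cyphort: CEF:0|Cyphort|Cortex|3.2.1.16|http|"
    r"TROJAN_GIPPERS.DC|8|externalId=374 eventId=13348 lastActivityTime=2015-02-24 05:58:05.151123+00 "
    r"src=172.16.0.1 dst=10.1.1.26 fileHash=acf69d292d2928c5ddfe5e6af562cd482e6812dc "
    r"fileName=79ea1163c0844a2d2b6884a31fc32cc4.bin fileType=PE32 executable (GUI) Intel 80386, for "
    r"MS Windows startTime=2015-02-24 05:58:05.151123+00"
)
DARKTRACE = (
    r"CEF:0|Darktrace|DCIP|3.0.8|537|Antigena/Network/Compliance/Antigena RDP Block|Low| eventId=2 "
    r"externalId=1462565 rt=1536856054000 shost=personalpcd698.abccompany.local src=10.10.1.85 "
    r"sourceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 "
    r"smac=1:1:1:1:1:1 dst=1.1.1.1 dpt=9999 aid=3mAvC02UBABCAa72iNm4jZA\=\= at=syslog dvc=10.10.10.10 "
    r"_cefVer=0.1 ad.darktraceUrl=https://10.10.10.10/#modelbreach/1462565"
)
# As printed on the page, this line has six header fields instead of the seven CEF requires.
FORTITESTER = (
    "CEF:0|Fortinet|FortiTester|3.8|Event|information|category=System "
    "deviceExternalId=FTS2KET618000005 msg=The system is started cs1= cs1Label=Description"
)

HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# A new extension key starts after whitespace and is followed by an unescaped '='. Values may
# contain spaces, colons and commas, so this lookahead is what keeps multi-word values intact.
_KEY_START = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")
_ESC = re.compile(r"\\(.)", re.S)


def _unescape(s: str) -> str:
    # CEF escapes: \= \| \\ plus \n and \r for line breaks inside values.
    return _ESC.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def _split_header(s: str) -> Tuple[List[str], str]:
    """Consume exactly seven pipe-delimited header fields, honouring backslash escapes,
    and return them together with the untouched extension string."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            if len(fields) == 7:
                return fields, s[i:]
            continue
        cur.append(c)
        i += 1
    raise ValueError("CEF header has %d of 7 fields: %r" % (len(fields), s[:60]))


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one syslog line carrying CEF; anything before 'CEF:' is kept as the prefix."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF header in line")
    fields, ext = _split_header(line[idx:])
    rec: Dict[str, Any] = dict(zip(HEADER_FIELDS, fields))
    rec["version"] = rec["version"][len("CEF:"):]
    rec["prefix"] = line[:idx].rstrip()          # syslog PRI, timestamp, host and tag, if any
    rec["ext"] = {}
    for tok in _KEY_START.split(ext.strip()):
        if tok:
            key, _, raw = tok.partition("=")
            rec["ext"][key] = _unescape(raw)
    return rec


def is_well_formed(line: str) -> bool:
    try:
        parse_cef(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in (FIREEYE, CYPHORT, DARKTRACE, FORTITESTER):
        if is_well_formed(sample):
            rec = parse_cef(sample)
            print(rec["vendor"], rec["product"], rec["name"], rec["severity"], sorted(rec["ext"]))
        else:
            print("rejected:", sample[:60])
```

Rejecting the short header is deliberate: a parser that pads missing fields would file the FortiTester extension under severity and lose every key in it, which is exactly the kind of silent mis-parse that leaves a feed looking healthy while its rules never fire.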


IBM Internet Security Series Proventia

l What is Discovered and Monitored


l Configuration

What is Discovered and Monitored

Protocol: SNMP Traps

Event Types

In ADMIN > Device Support > Event, search for "proventia" in the Device Type and Description column to see the
event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP Trap

FortiSIEM receives SNMP traps from IBM/ISS Proventia IPS appliances that are sent by IBM/ISS SiteProtector
Management Console. You must first configure IBM/ISS Proventia to send alerts to IBM/ISS SiteProtector, then
configure IBM/ISS SiteProtector to send those alerts as SNMP traps to FortiSIEM.
Configure IBM/ISS Proventia Appliances to Send SNMP Notifications to the IBM/ISS SiteProtector
Management Console
1. Log in to the IBM Proventia IPS web interface.
2. Click Manage System Settings > SiteProtector Management.
3. Select Register with SiteProtector.
4. Select Local Settings Override SiteProtector Group Settings.


5. Specify the Group, Heartbeat Interval, and Logging Level.


6. Configure these settings:

Setting               | Description
Authentication Level  | Use the default first-time trust.
Agent Manager Name    | Enter the Agent Manager name exactly as it appears in SiteProtector. This setting is case-sensitive.
Agent Manager Address | Enter the Agent Manager's IP address.
Agent Manager Port    | Use the default value 3995.
User Name             | If the appliance has to log into an account to access the Agent Manager, enter the user name for that account here.
User Password         | Click Set Password, enter and confirm the password, and then click OK.
Use Proxy Settings    | If the appliance has to go through a proxy to access the Agent Manager, select the Use Proxy Settings option, and then enter the Proxy Server Address and Proxy Server Port.

Define FortiSIEM as a Response Object for SNMP Traps

1. Log in to IBM SiteProtector console.


2. Go to Grouping > Site Management > Central Responses > Edit settings.
3. Select Response Objects > SNMP.
4. Click Add.
5. Enter a Name for your FortiSIEM virtual appliance.
6. For Manager, enter the IP address of your virtual appliance.
7. For Community, enter public. Note that SNMPv1 traps are unauthenticated and sent in clear text, so the community string is not an access control; restrict which hosts may send traps to FortiSIEM at the network level.
8. Click OK.

Define a Response Rule to Forward SNMP Traps to FortiSIEM

1. Go to Response Rules.
2. Click Add.
3. Select Enabled.
4. Enter a Name and Comment for the response rule.
5. In the Responses tab, select SNMP.


6. Select Enabled for the response object that represents your FortiSIEM virtual appliance.
7. Click OK.

Refining Rules for Specific IP Addresses

By default, a rule matches on any source or destination IP addresses.


1. To refine the rule to match on a specific source IP address, select the rule, click Edit, and then select the Source
tab.
2. Select Use specific source addresses to restrict the rule based on IP address of the source.
If you set this option, set the Mode to specify that the rule should either be From or Not From the IP address.
3. Click Add to define one or more IP addresses.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting         | Value
Name            | <set name>
Device Type     | IBM ISS Proventia
Access Protocol | See Access Credentials
Port            | See Access Credentials
Password config | See Password Configuration

Sample SNMP trap

2013-02-07 16:52:18 100.0.0.218(via UDP: [192.168.64.218]:55545) TRAP, SNMP v1, community public
SNMPv2-SMI::enterprises.2499 Enterprise Specific Trap (4) Uptime: 0:00:00.15
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.1 = STRING: "SiteProtector_Central_Response (Response1)"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.2 = STRING: "16:52:18 2013-02-07"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.3 = STRING: "6"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.4 = STRING: "100.0.0.216"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.5 = STRING: "100.0.0.218"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.6 = ""
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.7 = ""
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.8 = STRING: "48879"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.9 = STRING: "80"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.10 = STRING: "DISPLAY=WithoutRaw:0,BLOCK=Default:0"
SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.11 = STRING: " SensorName: IBM-IPS ObjectName: 80 DestinationAddress: 100.0.0.218 AlertName: HTTP_OracleAdmin_Web_Interface AlertTarget: 100.0.0.218 AlertCount: 1 VulnStatus: Simulated block (blocking not enabled) AlertDateTime: 16:52:17 2013-02-07 ObjectType: Target Port SourceAddress: 100.0.0.216 SensorAddress: 192.168.64.15"


Indegy Security Platform

- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Sample Events

What is Discovered and Monitored

Protocol               | Information Discovered             | Metrics collected              | Used for
Syslog (CEF formatted) | Host name and Device Type from LOG | Over 14 types of security logs | Security and Compliance

Event Types

In ADMIN > Device Support > Event Types, search for "Indegy-" to see the event types associated with this device.

Rules

None

Reports

None

Configuration

Configure Indegy Security Platform to send syslog in the supported format to FortiSIEM. No configuration is required in
FortiSIEM.

Sample Events

<12>Nov 17 09:04:06 10.100.20.40 CEF:0|Indegy|Indegy Security Platform|3.0.33|109|Unauthorized Conversation|7|dvchost=indegy rt=Nov 17 2019 09:04:06 duser=AS_01,Comm. Adapter #2 suser=Eng. Station #9 proto=UDP externalId=125 dst=10.100.102.150 src=10.100.20.34 dpt=47808 cs6Label=policy_name cs6=Use of Unauthorized Protocols in Siemens Controllers cat=NetworkEvents


Juniper DDoS Secure

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog   |                        | DDoS Alerts       | Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "juniper ddos" in the Device Type and Description columns to see
the event types associated with this device.
- Juniper-DDoS-Secure-WorstOffender
- Juniper-DDoS-Secure-Blacklisted
- Juniper-DDoS-Secure-Generic

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting         | Value
Name            | <set name>
Device Type     | Juniper DDoS Secure
Access Protocol | See Access Credentials
Port            | See Access Credentials
Password config | See Password Configuration

Configuration

Configure the device to send syslog to FortiSIEM. Make sure that the event matches the format specified below.


<134>Juniper: End : 117.217.141.32 : IND: Worst Offender: Last Defended 66.145.37.254: TCP Attack - Port Scan (Peak 55/s, Occurred 554)
<134>Juniper: End : 78.143.172.52 : IRL: IP Address Temp Black-Listed (Valid IP) Exceeds SYN + RST + F2D Count (Peak 114/s, Dropped 83.5K pkts)


Juniper Networks IDP Series

- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog   |                        |                   |

Event Types

In ADMIN > Device Support > Event, search for "juniper_idp" in the Device Type column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting         | Value
Name            | <set name>
Device Type     | Juniper Netscreen IDP
Access Protocol | See Access Credentials
Port            | See Access Credentials
Password config | See Password Configuration


Configuration

Syslog

FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to
FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
- For Port, enter 514.
- Make sure that the syslog format matches the NSM format shown in the example below.

Example Syslog from NSM

<25>Oct 11 14:29:27 10.146.68.68 20101011, 58420089, 2010/10/11 18:29:25, 2010/10/11 18:33:12, global.IDP, 1631, par-real-idp200, 10.146.68.73, traffic, udp port scan in progress, (NULL), (NULL), 161.178.223.221, 0, 0.0.0.0, 0, (NULL), (NULL), 10.248.8.110, 0, 0.0.0.0, 0, udp, global.IDP, 1631, Metro IDP IP / Port Scan Policy, traffic anomalies, 2, accepted, info, yes, 'interface=eth3', (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 0, no, 25, Not


McAfee IntruShield

- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog   |                        |                   |

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting         | Value
Name            | <set name>
Device Type     | McAfee Intrushield
Access Protocol | See Access Credentials
Port            | See Access Credentials
Password config | See Password Configuration

Configuration

Syslog

FortiSIEM handles custom syslog messages from McAfee Intrushield.


1. Log in to McAfee Intrushield Manager.
2. Create a custom syslog format with these fields:
- AttackName
- AttackTime
- AttackSeverity
- SourceIp
- SourcePort
- DestinationIp
- DestinationPort
- AlertId
- AlertType
- AttackId
- AttackSignature
- AttackConfidence
- AdminDomain
- SensorName
- Interface
- Category
- SubCategory
- Direction
- ResultStatus
- DetectionMechanism
- ApplicationProtocol
- NetworkProtocol
- Relevance

3. Set the message format as a comma-separated sequence of Attribute:Value pairs, as in this example. Use the attribute names exactly as shown, including the spelling DistinationPort, which is what the sample parsed message below carries:

AttackName:$IV_ATTACK_NAME$,AttackTime:$IV_ATTACK_TIME$,AttackSeverity:$IV_ATTACK_SEVERITY$,SourceIp:$IV_SOURCE_IP$,SourcePort:$IV_SOURCE_PORT$,DestinationIp:$IV_DESTINATION_IP$,DistinationPort:$IV_DESTINATION_PORT$,AlertId:$IV_ALERT_ID$,AlertType:$IV_ALERT_TYPE$,AttackId:$IV_ATTACK_ID$,AttackSignature:$IV_ATTACK_SIGNATURE$,AttackConfidence:$IV_ATTACK_CONFIDENCE$,AdminDomain:$IV_ADMIN_DOMAIN$,SensorName:$IV_SENSOR_NAME$,Interface:$IV_INTERFACE$,Category:$IV_CATEGORY$,SubCategory:$IV_SUB_CATEGORY$,Direction:$IV_DIRECTION$,ResultStatus:$IV_RESULT_STATUS$,DetectionMechanism:$IV_DETECTION_MECHANISM$,ApplicationProtocol:$IV_APPLICATION_PROTOCOL$,NetworkProtocol:$IV_NETWORK_PROTOCOL$,Relevance:$IV_RELEVANCE$

4. Set FortiSIEM as the syslog recipient.

Sample Parsed Syslog Message

Mar 24 16:23:18 SyslogAlertForwarder: AttackName:Invalid Packets detected,AttackTime:2009-03-24 16:23:17 EDT,AttackSeverity:Low,SourceIp:127.255.106.236,SourcePort:N/A,DestinationIp:127.255.106.252,DistinationPort:N/A,AlertId:5260607647261334188,AlertType:Signature,AttackId:0x00009300,AttackSignature:N/A,AttackConfidence:N/A,AdminDomain:ASC,SensorName:ASCDCIPS01,Interface:1A-1B,Category:Exploit,SubCategory:protocol-violation,Direction:Outbound,ResultStatus:May be successful,DetectionMechanism:signature,ApplicationProtocol:N/A,NetworkProtocol:N/A,Relevance:N/A,HostIsolationEndTime:N/A
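The custom format above has no quoting or escaping, so a parser cannot split on every comma: values such as AttackTime and ResultStatus contain spaces and colons, and nothing stops a value from containing a comma. The following Python is an added example, not FortiSIEM's parser. It splits only where a comma is followed by one of the field names from the template above (plus HostIsolationEndTime, which the sample parsed message carries at the end), tolerates the doubled colon that a template written as AttackSeverity:: would emit, and normalises N/A, ports and the hexadecimal AttackId. The sample message is the one quoted above, reflowed onto one line.

```python
import re

# Field names from the custom syslog template above, in template order, plus
# HostIsolationEndTime, which the sample parsed message carries at the end.
FIELDS = [
    "AttackName", "AttackTime", "AttackSeverity", "SourceIp", "SourcePort",
    "DestinationIp", "DistinationPort", "AlertId", "AlertType", "AttackId",
    "AttackSignature", "AttackConfidence", "AdminDomain", "SensorName",
    "Interface", "Category", "SubCategory", "Direction", "ResultStatus",
    "DetectionMechanism", "ApplicationProtocol", "NetworkProtocol",
    "Relevance", "HostIsolationEndTime",
]

# A pair ends only where a comma is followed by a *known* field name (or at the
# end of the message), so spaces, colons and stray commas inside values survive.
_ALT = "|".join(FIELDS)
PAIR_RE = re.compile(rf"(?P<key>{_ALT}):(?P<value>.*?)(?=,(?:{_ALT}):|$)", re.S)

# Constructed copy of the sample parsed syslog message quoted above, on one line.
SAMPLE = (
    "Mar 24 16:23:18 SyslogAlertForwarder: AttackName:Invalid Packets detected,"
    "AttackTime:2009-03-24 16:23:17 EDT,AttackSeverity:Low,SourceIp:127.255.106.236,"
    "SourcePort:N/A,DestinationIp:127.255.106.252,DistinationPort:N/A,"
    "AlertId:5260607647261334188,AlertType:Signature,AttackId:0x00009300,"
    "AttackSignature:N/A,AttackConfidence:N/A,AdminDomain:ASC,SensorName:ASCDCIPS01,"
    "Interface:1A-1B,Category:Exploit,SubCategory:protocol-violation,Direction:Outbound,"
    "ResultStatus:May be successful,DetectionMechanism:signature,ApplicationProtocol:N/A,"
    "NetworkProtocol:N/A,Relevance:N/A,HostIsolationEndTime:N/A"
)


def parse_intrushield(line):
    """Return the raw Attribute:Value pairs of one IntruShield custom-format message."""
    start = line.find("AttackName:")
    if start < 0:
        raise ValueError("not an IntruShield custom-format message")
    pairs = {}
    for m in PAIR_RE.finditer(line, start):
        value = m.group("value")
        # A template written as 'AttackSeverity::$IV_ATTACK_SEVERITY$' emits a
        # doubled colon; tolerate it instead of storing ':Low'.
        if value.startswith(":"):
            value = value[1:]
        pairs[m.group("key")] = value
    return pairs


def _na(v):
    return None if v in ("", "N/A") else v


def _port(v):
    v = _na(v)
    return int(v) if v is not None and v.isdigit() else None


def normalize(pairs):
    """Map the raw pairs onto typed fields and list which template fields are absent."""
    attack_id = _na(pairs.get("AttackId", "N/A"))
    return {
        "attack_name": pairs.get("AttackName"),
        "severity": pairs.get("AttackSeverity"),
        "src_ip": _na(pairs.get("SourceIp", "N/A")),
        "src_port": _port(pairs.get("SourcePort", "N/A")),
        "dst_ip": _na(pairs.get("DestinationIp", "N/A")),
        "dst_port": _port(pairs.get("DistinationPort", "N/A")),  # template spelling
        "attack_id": int(attack_id, 16) if attack_id else None,
        "sensor": pairs.get("SensorName"),
        "result": pairs.get("ResultStatus"),
        "missing_fields": [f for f in FIELDS if f not in pairs],
    }


if __name__ == "__main__":
    print(normalize(parse_intrushield(SAMPLE)))
```

Because the split is keyed on the field list, a message from a sensor whose template omits or renames a field shows up in missing_fields rather than silently shifting every later value; that is the check to run when a newly onboarded IntruShield Manager starts producing events that parse into the wrong attributes.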


McAfee Stonesoft IPS

- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected  | Used For
Syslog   |                        | Network IPS alerts | Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "stonesoft" in the Device Type column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting         | Value
Name            | <set name>
Device Type     | McAfee Stonesoft IPS
Access Protocol | See Access Credentials
Port            | See Access Credentials
Password config | See Password Configuration


Configuration

Syslog

FortiSIEM processes events from this device via CEF formatted syslog sent by the device. Configure the device to
send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Example Syslog

<6>CEF:0|McAfee|IPS|5.4.3|70018|Connection_Allowed|0|spt=123 deviceExternalId=STP-NY-FOO01 node 1 dmac=84:B2:61:DC:E1:31 dst=169.132.200.3 cat=System Situations app=NTP (UDP) rt=Apr 08 2016 00:26:13 deviceFacility=Inspection act=Allow deviceOutboundInterface=Interface #5 deviceInboundInterface=Interface #4 proto=17 dpt=123 src=10.64.9.3 dvc=12.17.2.17 dvchost=12.17.2.17 smac=78:DA:6E:0D:FF:C0 cs1Label=RuleId cs1=2097152.6


Motorola AirDefense

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog   |                        | Wireless IDS logs | Security Monitoring

Event Types

About 37 event types covering various Wireless attack scenarios - search for them by entering "Motorola-AirDefense" in
ADMIN > Device Support > Event.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting         | Value
Name            | <set name>
Device Type     | Motorola AirDefense
Access Protocol | See Access Credentials
Port            | See Access Credentials
Password config | See Password Configuration

Configuration

Configure the device to send logs to FortiSIEM. Make sure that the format is as follows.

Nov 8 18:48:00 Time=2014-10-29T05:39:00,Category=Rogue Activity,CriticalityLevel=Severe,Desc=Rogue AP on Wired Network,device=00:22:cf:5d:ee:60(00:22:cf:5d:ee:60),sensor=fc:0a:81:12:7b:4b(COMP-SENS302EA[a,b,g,n])
Nov 12 13:33:00 Time=2015-11-12T08:47:00,Category=Exploits,CriticalityLevel=Critical,Desc=NAV Attack - CTS,device=5c:0e:8b:cb:d5:40(5c:0e:8b:cb:d5:40),sensor=fc:0a:81:12:77:3f(COMP-SENS201EA[a,b,g,n])


Nozomi

- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuring Syslog on Nozomi

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected                                     | Used for
Syslog   | Device type            | Node detection, protocol information, network changes | Security and Compliance

Event Types

In ADMIN > Device Support > Event, search for "Nozomi" in the Name and Description columns to see the event
types associated with this device.

Rules

There are no specific rules for Nozomi, however rules that match the Event Type Groups associated with Nozomi
Events may trigger.

Reports

There are no specific Reports for Nozomi, however reports that match the Event Type Groups associated with
Nozomi Events may return results.

Configuring Syslog on Nozomi

1. Log in to the Guardian console.
2. Navigate to Administration > Data Integration.
3. Click +Add on the right side of the screen.
4. Select Common Event Format (CEF) from the drop-down list.
5. The data entry screen appears.
6. Enter the FortiSIEM endpoint, for example udp://<FortiSIEM IP>:514.
7. Select Enable sending Alerts and/or Enable sending Audit Logs and/or Enable sending Health Logs.
8. Click New Endpoint.


Radware DefensePro

- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Data Collected       | Used for
Syslog   |                        | Over 120 event types | Security and Compliance

Event Types

In RESOURCE > Event Types, Search for “Radware-DefensePro”.

Sample Events:

<132>DefensePro: 13-09-2017 15:03:21 WARNING 12572 Intrusions "SIP-Scanner-SIPVicious" UDP 1.1.1.1 29992 1.1.1.2 5060 15 Regular "GSN_Web" occur 1 3 N/A 0 N/A high drop FFFFFFFF-FFFF-FFFF-9C94-000F57F7595F
<132>DefensePro: 13-09-2017 15:18:45 WARNING 150 HttpFlood "HTTP Page Flood Attack" TCP 1.1.1.3 0 1.1.1.4 80 0 Regular "President-1.1.1.4" ongoing 100 0 N/A 0 N/A medium forward FFFFFFFF-FFFF-FFFF-9CCF-000F57F7595F
<132>DefensePro: 13-09-2017 14:37:53 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 1.1.1.5 80 0 Regular "GSN_Web" ongoing 1 0 N/A 0 N/A medium challenge FFFFFFFF-FFFF-FFFF-9C46-000F57F7595F
<134>DefensePro: 13-09-2017 13:56:34 INFO Configuration Auditing manage syslog destinations create 172.16.10.207 -f "Local Use 0", ACTION: Create by user public via SNMP source IP 1.1.1.6

Rules

There are no specific rules, but generic rules for Network IPS and Generic Servers apply.

Reports

There are no specific reports, but generic reports for Network IPS and Generic Servers apply.


Configuration

Configure Radware DefensePro Security Manager to send syslog on port 514 to FortiSIEM.


Snort Intrusion Protection System

- What is Discovered and Monitored
- Event Types
- Configuration
- JDBC
- SNMP Access to the Database Server
- Debugging Snort Database Connectivity
- Examples of Snort IPS Events Pulled over JDBC
- Viewing Snort Packet Payloads in Reports
- Exporting Snort IPS Packets as a PCAP File
- Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog   |                        |                   |
JDBC     |                        | Generic information: signature ID, signature name, sensor ID, event occur time, signature priority. |
         |                        | TCP: packet header (source IP address, destination IP address, source port, destination port, TCP sequence number, TCP ack number, TCP offset, TCP reserved, TCP flags, TCP window size, TCP checksum, TCP urgent pointer) and packet payload. |
         |                        | UDP: packet header (source IP address, destination IP address, source port, destination port, UDP length, checksum) and packet payload. |
         |                        | ICMP: packet header (source IP address, destination IP address, ICMP type, ICMP code, checksum, ICMP ID, sequence number) and packet payload. |
SNMP (for access to the database server hosting the Snort database) | | |


Event Types

In ADMIN > Device Support > Event Types, search for "snort-org" to see the event types associated with this
device.

Configuration

Syslog

Collecting event information from Snort via syslog has two drawbacks:
1. It is not reliable, because it is sent over UDP.
2. Information content is limited, because of the UDP packet size limit.
For these reasons, you should consider using JDBC to collect event information from Snort.
These instructions illustrate how to configure Snort on Linux to send syslog to FortiSIEM. For further information, consult the Snort product documentation.
1. Log in to the Linux server where Snort is installed.
2. Open the file /etc/snort/snort.conf.
3. Modify alert_syslog to use a local log facility, for example:
output alert_syslog: LOG_LOCAL4 LOG_ALERT

4. Open the file /etc/syslog.conf (or the rules file of whichever syslog daemon the server runs).
5. Add a redirector that forwards the local4 facility to FortiSIEM. The commented lines show the alternatives of writing to a local file or to another host by address; the last line is the active one, with <FortiSIEM IP> standing for the address of your FortiSIEM virtual appliance or collector:
# Snort log to local4
#local4.*        /var/log/snort.log
#local4.*        @192.168.20.41
local4.*         @<FortiSIEM IP>

6. Restart the syslog daemon so that the new rule takes effect, and then restart the Snort daemon.

Example Parsed Snort Syslog

<161>snort[2242]: [1:206:9] BACKDOOR DeepThroat 3.1 CD ROM Open Client Request [Classification: Misc activity] [Priority: 3]: {UDP} 192.168.19.1:6555 -> 172.16.2.5:514
<161>snort[5774]: [1:1560:6] WEB-MISC /doc/ access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.53:41218 -> 192.168.0.26:80
<161>snort[5774]: [1:466:4] ICMP L3retriever Ping [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.20.49 -> 192.168.0.10
<161>snort[5774]: [1:1417:9] SNMP request udp [Classification: Attempted Information Leak] [Priority: 2]: {UDP} 192.168.20.40:1061 -> 192.168.20.2:161


JDBC

Supported Databases and Snort Database Schemas

When using JDBC to collect IPS information from Snort, FortiSIEM can capture a full packet that is detailed enough to recreate the packet via a PCAP file.
FortiSIEM supports collecting Snort event information over JDBC from these database types:
- Oracle
- MS SQL
- MySQL
- PostgreSQL
FortiSIEM supports Snort database schema 107 or higher.

SNMP Access to the Database Server

You must set up an SNMP access credential for the server that hosts the Snort database. See the topics
under Database Server Configuration for information on setting up SNMP for communication with FortiSIEM for
several common types of database servers.
Once you have set up SNMP on your database server, you can now configure FortiSIEM to communicate with your
device. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Debugging Snort Database Connectivity

Snort IPS alerts are pulled over JDBC by a Java agent, which has to join multiple database tables to create the events.
An internal log entry is created for each pull:

2012-08-07T10:02:27.576777+08:00 AO-foo java:[PH_JAVA_AGENT_INFO]:[eventSeverity]=PHL_INFO,[procName]=phAgentManager,[fileName]=AgentSnort,[phLogDetail]=10.1.20.51:ICMP:Max record id:17848444 Total records in one round of pulling:20

At most 1000 database records (IPS alerts) are pulled at a time. If FortiSIEM finds more than 1000 new records, then it begins to fall behind and this log entry is created:

2012-08-07T10:02:27.576777+08:00 AO-foo java:[PH_JAVA_AGENT_INFO]:[eventSeverity]=PHL_INFO,[procName]=phAgentManager,[fileName]=AgentSnort,[phLogDetail]=Event count of snort exceeds the threshold in one round of pulling, which means there may be more events need to be pulled.
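The join and batching described above, as an added example that is not FortiSIEM's own query or agent code: a SQLite stand-in for the Snort database using the schema-107 table and column names this example assumes (event, signature, iphdr, tcphdr, udphdr, data; only the columns needed here are created), an incremental pull keyed on the last record id seen, and the 1000-record threshold that produces the "exceeds the threshold" message above. The seeded alerts are constructed, modelled on the UDP and TCP events shown in the next section.

```python
import ipaddress
import sqlite3

# Minimal stand-in for the Snort database, modelled on the schema-107 tables the
# JDBC agent has to join. Column names follow that schema, but this subset is an
# assumption of this example, and SQLite is used only so that it runs offline.
SCHEMA = """
CREATE TABLE sensor    (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER,
                        sig_sid INTEGER, sig_gid INTEGER, sig_rev INTEGER);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                        PRIMARY KEY (sid, cid));
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                        ip_proto INTEGER, ip_ttl INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr    (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER,
                        tcp_flags INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE udphdr    (sid INTEGER, cid INTEGER, udp_sport INTEGER, udp_dport INTEGER,
                        udp_len INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE data      (sid INTEGER, cid INTEGER, data_payload TEXT, PRIMARY KEY (sid, cid));
"""

# One round of pulling: everything newer than the last record id, joined into a
# flat row, oldest first, capped at the batch size plus one row so the caller can
# tell whether it has fallen behind without a second COUNT query.
PULL_SQL = """
SELECT e.cid, e.timestamp, s.sig_sid, s.sig_name, s.sig_priority,
       ip.ip_src, ip.ip_dst, ip.ip_proto,
       COALESCE(t.tcp_sport, u.udp_sport) AS sport,
       COALESCE(t.tcp_dport, u.udp_dport) AS dport,
       d.data_payload
FROM event e
JOIN signature s   ON s.sig_id = e.signature
LEFT JOIN iphdr ip ON ip.sid = e.sid AND ip.cid = e.cid
LEFT JOIN tcphdr t ON t.sid  = e.sid AND t.cid  = e.cid
LEFT JOIN udphdr u ON u.sid  = e.sid AND u.cid  = e.cid
LEFT JOIN data d   ON d.sid  = e.sid AND d.cid  = e.cid
WHERE e.sid = ? AND e.cid > ?
ORDER BY e.cid
LIMIT ?
"""


def pull_batch(conn, sensor_id, last_cid, limit=1000):
    """Return (events, new_last_cid, behind). behind=True corresponds to the
    'Event count of snort exceeds the threshold' log: more rows were waiting."""
    rows = conn.execute(PULL_SQL, (sensor_id, last_cid, limit + 1)).fetchall()
    behind = len(rows) > limit
    rows = rows[:limit]
    events = []
    for cid, ts, sig_sid, name, prio, src, dst, proto, sport, dport, payload in rows:
        events.append({
            "snortEventId": cid,
            "eventTime": ts,
            "signatureId": sig_sid,
            "eventName": name,
            "eventSeverity": prio,
            # iphdr stores addresses as unsigned 32-bit integers
            "srcIpAddr": str(ipaddress.IPv4Address(src)),
            "destIpAddr": str(ipaddress.IPv4Address(dst)),
            "ipProto": proto,
            "srcIpPort": sport,
            "destIpPort": dport,
            "dataPayload": payload,
        })
    new_last = rows[-1][0] if rows else last_cid
    return events, new_last, behind


def drain(conn, sensor_id, start_cid=0, limit=1000):
    """Pull repeatedly until the agent has caught up; return the batch sizes."""
    sizes, last = [], start_cid
    while True:
        events, last, behind = pull_batch(conn, sensor_id, last, limit)
        if not events:
            break
        sizes.append(len(events))
        if not behind:
            break
    return sizes


def build_demo_db(n_events):
    """Constructed data: n_events alerts on sensor 1, alternating UDP and TCP."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor VALUES (1, '10.1.2.36', 'eth0')")
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?,?,?)", [
        (5, "SNMP request udp", 2, 1417, 1, 9),
        (6, "Snort Alert [1:1000001:0]", None, 1000001, 1, 0),
    ])
    src = int(ipaddress.IPv4Address("10.1.2.245"))
    dst = int(ipaddress.IPv4Address("10.1.2.36"))
    for cid in range(1, n_events + 1):
        udp = cid % 2 == 1
        conn.execute("INSERT INTO event VALUES (1,?,?,?)",
                     (cid, 5 if udp else 6, "2012-11-07 17:56:51"))
        conn.execute("INSERT INTO iphdr VALUES (1,?,?,?,?,64)",
                     (cid, src, dst, 17 if udp else 6))
        if udp:
            conn.execute("INSERT INTO udphdr VALUES (1,?,35876,161,55)", (cid,))
            conn.execute("INSERT INTO data VALUES (1,?,'302D02010104067075626C6963A520')", (cid,))
        else:
            conn.execute("INSERT INTO tcphdr VALUES (1,?,52314,80,24)", (cid,))
            conn.execute("INSERT INTO data VALUES (1,?,'474554202F66617669636F6E2E69636F')", (cid,))
    conn.commit()
    return conn
```

Keying the pull on the highest cid already processed, rather than on a timestamp, is what makes the agent idempotent across restarts and what lets it catch up after an outage: with 1205 new alerts the first round returns 1000 and reports that it is behind, and the next round returns the remaining 205. Because the query only reads, the database account it runs under needs nothing beyond SELECT on these tables.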

Examples of Snort IPS Events Pulled over JDBC

l UDP Event
l TCP Event


UDP Event

<134>Feb 25 14:27:56 10.1.2.36 java: [Snort-1417]:[eventSeverity]=PHL_INFO,[relayDevIpAddr]=10.1.2.36,[ipsSensorId]=1,[snortEventId]=10343430,[sensorHostname]=10.1.2.36,[signatureId]=1417,[eventName]=SNMP request udp,[eventSeverity]=2,[eventTime]=2012-11-07 17:56:51.0,[srcIpAddr]=10.1.2.245,[destIpAddr]=10.1.2.36,[ipVersion]=4,[ipHeaderLength]=5,[tos]=0,[ipTotalLength]=75,[ipId]=0,[ipFlags]=0,[ipFragOffset]=0,[ipTtl]=64,[ipProto]=17,[ipChecksum]=8584,[srcIpPort]=35876,[destIpPort]=161,[udpLen]=55,[checksum]=39621,[dataPayload]=302D02010104067075626C6963A520...

TCP Event

<134>Aug 08 09:30:59 10.1.20.51 java: [Snort-1000001]:[eventSeverity]=PHL_INFO,[hostIpAddr]=10.1.20.51,[sensorId]=1,[eventId]=17897184,[signatureId]=1000001,[signatureName]=Snort Alert [1:1000001:0],[signaturePri]=null,[eventTime]=2012-08-08 09:26:24.0,[srcIpAddr]=10.1.2.99,[destIpAddr]=10.1.20.51,[srcIpPort]=52314,[destIpPort]=80,[seqNum]=967675661,[tcpAckNum]=3996354107,[tcpOffset]=5,[tcpReserved]=0,[tcpFlags]=24,[tcpWin]=16695,[checksum]=57367,[tcpUrgentPointer]=0,[dataPayload]=474554202F66617669636F6E2E69636F204...

Viewing Snort Packet Payloads in Reports

FortiSIEM creates an event for each IPS alert in the Snort database. You can view the full packet payload associated with a Snort event when you run a report.
1. Set up a structured historical search.
2. Set these conditions, where Reporting IP is an IP belonging to the Snort application group.

Attribute    | Operator | Value
Reporting IP | IN       | Applications: Network IPS App

3. For Display Fields, include Data Payload. When you run the query, Data Payload will be one of the display columns.
4. When the query runs, select an event, and the data payload will display at the bottom of the search results as a byte-by-byte hex dump in the Wireshark style.

Exporting Snort IPS Packets as a PCAP File

After running a report, click the Export button and choose the PCAP option.
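What the PCAP export has to do with a pulled event, as an added example that is not FortiSIEM's exporter: parse the [key]=value line, rebuild the IPv4 and UDP headers from the fields the event carries, check that the lengths agree, and write a pcap record. It uses the UDP event quoted above; the truncated dataPayload is replaced by a constructed 47-byte payload with the same prefix so that ipTotalLength=75 and udpLen=55 are satisfied. Two assumptions are labelled in the code: eventTime is taken as UTC, and the pcap link type is raw IP (101) because no Ethernet header is stored in the Snort database.

```python
import calendar
import re
import socket
import struct
from datetime import datetime

# The UDP event quoted above, with the '...' of its truncated dataPayload replaced
# by a constructed 47-byte payload that keeps the same prefix and is consistent
# with ipTotalLength=75 and udpLen=55 (20 IP + 8 UDP + 47 data).
PAYLOAD_HEX = ("302D020101" "04067075626C6963" "A520" "020401020304" "020100" "02010A"
               "3012" "3010" "060C" "2B0601040193430101020101" "0500")
SAMPLE_EVENT = (
    "<134>Feb 25 14:27:56 10.1.2.36 java: [Snort-1417]:[eventSeverity]=PHL_INFO,"
    "[relayDevIpAddr]=10.1.2.36,[ipsSensorId]=1,[snortEventId]=10343430,"
    "[sensorHostname]=10.1.2.36,[signatureId]=1417,[eventName]=SNMP request udp,"
    "[eventSeverity]=2,[eventTime]=2012-11-07 17:56:51.0,[srcIpAddr]=10.1.2.245,"
    "[destIpAddr]=10.1.2.36,[ipVersion]=4,[ipHeaderLength]=5,[tos]=0,[ipTotalLength]=75,"
    "[ipId]=0,[ipFlags]=0,[ipFragOffset]=0,[ipTtl]=64,[ipProto]=17,[ipChecksum]=8584,"
    "[srcIpPort]=35876,[destIpPort]=161,[udpLen]=55,[checksum]=39621,"
    "[dataPayload]=" + PAYLOAD_HEX
)

LINKTYPE_RAW = 101  # pcap link type for packets that start at the IP header (assumption: no L2 stored)


def parse_event(line):
    """Collect the [key]=value pairs of one FortiSIEM Snort event line. Values hold
    no commas in this format; a repeated key keeps its last value, so eventSeverity
    ends up as the signature priority rather than PHL_INFO."""
    return dict(re.findall(r"\[(\w+)\]=([^,]*)", line))


def inet_checksum(data):
    """RFC 1071 one's-complement checksum (odd lengths are zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ip_udp_packet(ev):
    """Rebuild the IPv4+UDP packet from the header fields the JDBC pull carries,
    keeping the checksums the sensor recorded instead of recomputing them."""
    def f(key):
        return int(ev[key])
    flags_frag = (f("ipFlags") << 13) | f("ipFragOffset")
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (f("ipVersion") << 4) | f("ipHeaderLength"), f("tos"),
                         f("ipTotalLength"), f("ipId"), flags_frag, f("ipTtl"),
                         f("ipProto"), f("ipChecksum"),
                         socket.inet_aton(ev["srcIpAddr"]), socket.inet_aton(ev["destIpAddr"]))
    udp_hdr = struct.pack("!HHHH", f("srcIpPort"), f("destIpPort"), f("udpLen"), f("checksum"))
    pkt = ip_hdr + udp_hdr + bytes.fromhex(ev["dataPayload"])
    if len(pkt) != f("ipTotalLength"):
        raise ValueError("payload length does not match ipTotalLength (truncated export?)")
    return pkt


def recomputed_ip_checksum(pkt):
    """Checksum of the rebuilt IPv4 header, for comparison with the stored one."""
    ihl = (pkt[0] & 0x0F) * 4
    return inet_checksum(pkt[:10] + b"\x00\x00" + pkt[12:ihl])


def event_epoch(ev):
    """eventTime is assumed to be UTC; the sensor's time zone is not in the event."""
    dt = datetime.strptime(ev["eventTime"], "%Y-%m-%d %H:%M:%S.%f")
    return calendar.timegm(dt.timetuple()) + dt.microsecond / 1e6


def write_pcap(packets, linktype=LINKTYPE_RAW):
    """Serialise (epoch_seconds, packet_bytes) pairs as a little-endian pcap file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts, pkt in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out.append(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    pkt = build_ip_udp_packet(ev)
    with open("snort-%s.pcap" % ev["snortEventId"], "wb") as fh:
        fh.write(write_pcap([(event_epoch(ev), pkt)]))
```

The stored ipChecksum of 8584 and the value recomputed over the rebuilt header, 24968, differ by exactly 0x4000, which is the position of the DF bit; the ipFlags=0 field in the event does not carry it. Write the sensor's stored checksum into the reconstruction and treat a mismatch as a sign that a header field was not preserved, not as something to correct silently. The TCP event quoted above has no IP header fields at all, so the same reconstruction for TCP needs the iphdr columns pulled as well.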

Settings for Access Credentials

- Access Credentials for JDBC
- Access Credentials for SNMP, Telnet, SSH


Access Credentials for JDBC

Set these Access Method Definition values to allow FortiSIEM to communicate with your Snort IPS over JDBC.

Setting                 | Value
Name                    | <database type>-snort-BT
Device Type             | Select the type of database that you are connecting to for Snort alerts
Access Protocol         | JDBC
Used For                | Snort Audit
Pull Interval (minutes) | 1
Port                    | 3306 (the MySQL default; use the listening port of your database type)
Database Name           | The name of the Snort database
User Name               | The database user FortiSIEM reads the Snort database with. The pull only reads, so a least-privilege account with SELECT on the Snort tables is preferable to the database administrator.
Password                | The password associated with that user

Access Credentials for SNMP, Telnet, SSH

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP, Telnet, or SSH.

Setting         | Value
Name            | <set name>
Device Type     | Snort-org Snort IPS
Access Protocol | See Access Credentials
Port            | See Access Credentials
Password config | See Password Configuration


Sourcefire 3D and Defense Center

- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog   |                        |                   |

Event Types

In ADMIN > Device Support > Event, search for "sourcefire" in the Description column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting         | Value
Name            | <set name>
Device Type     | Sourcefire Sourcefire3D IPS
Access Protocol | See Access Credentials
Port            | See Access Credentials
Password config | See Password Configuration


Configuration

Syslog

FortiSIEM handles Sourcefire alerts via syslog, either from the IPS appliances themselves or from Defense Center. Events are classified as Snort event types.
Configure the Sourcefire appliances or Defense Center to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
- For Port, enter 514.
- Make sure that the syslog format matches the Snort-style alert format shown in the examples below.

Sample Syslogs from Sourcefire3D IPS

<188>Jul 4 15:07:01 Sourcefire3D Snort: [119:15:1] http_inspect: OVERSIZE REQUEST-URI DIRECTORY [Impact: Unknown] From DetectionEngine_IPS_DMZ2/SourcefireIPS at Thu Jul 4 15:07:01 2013 UTC [Classification: Potentially Bad Traffic] [Priority: 2] {tcp} 10.20.1.12:57689->1.1.1.1:80

Sample Syslogs from Sourcefire Defense Center

<46>Jul 17 16:01:54 DefenseCenter SFAppliance: [1:7070:14] "POLICY-OTHER script tag in URI - likely cross-site scripting attempt" [Impact: Potentially Vulnerable] From "10.134.96.172" at Wed Jul 17 16:01:52 2013 UTC [Classification: Web Application Attack] [Priority: 1] {tcp} 1.2.3.4:60537->2.3.4.5:80
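A parser for the alert format shared by the Snort syslog output (Example Parsed Snort Syslog in the Snort section above) and the Sourcefire3D and Defense Center samples, as an added example rather than FortiSIEM's parser. The Sourcefire lines add the [Impact: ...] and From ... at ... UTC segments and sometimes quote the message, the ICMP lines carry no ports, and the "->" may or may not be surrounded by spaces; the regex handles all of these. It also decodes the syslog PRI so that the <161> of the Snort lines can be checked against the LOG_LOCAL4 LOG_ALERT setting in snort.conf (PRI = facility * 8 + severity). The sample lines are constructed copies of the ones quoted on this page, and the Snort-<sid> event-type name follows the JDBC examples in the Snort section.

```python
import re

# Constructed copies of the alert lines quoted in the Snort and Sourcefire sections.
SAMPLES = [
    "<161>snort[2242]: [1:206:9] BACKDOOR DeepThroat 3.1 CD ROM Open Client Request "
    "[Classification: Misc activity] [Priority: 3]: {UDP} 192.168.19.1:6555 -> 172.16.2.5:514",
    "<161>snort[5774]: [1:466:4] ICMP L3retriever Ping [Classification: Attempted Information Leak] "
    "[Priority: 2]: {ICMP} 192.168.20.49 -> 192.168.0.10",
    "<188>Jul 4 15:07:01 Sourcefire3D Snort: [119:15:1] http_inspect: OVERSIZE REQUEST-URI DIRECTORY "
    "[Impact: Unknown] From DetectionEngine_IPS_DMZ2/SourcefireIPS at Thu Jul 4 15:07:01 2013 UTC "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {tcp} 10.20.1.12:57689->1.1.1.1:80",
    '<46>Jul 17 16:01:54 DefenseCenter SFAppliance: [1:7070:14] "POLICY-OTHER script tag in URI - '
    'likely cross-site scripting attempt" [Impact: Potentially Vulnerable] From "10.134.96.172" at '
    "Wed Jul 17 16:01:52 2013 UTC [Classification: Web Application Attack] [Priority: 1] {tcp} "
    "1.2.3.4:60537->2.3.4.5:80",
]

PRI_RE = re.compile(r"^<(\d+)>")
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r'"?(?P<msg>.*?)"?\s*'
    r"(?:\[Impact:\s*(?P<impact>[^\]]*)\]\s*)?"                          # Sourcefire only
    r'(?:From\s+(?P<sensor>"[^"]*"|\S+)\s+at\s+(?P<when>.*?\bUTC)\s+)?'  # Sourcefire only
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]:?\s*"
    r"\{(?P<proto>\w+)\}\s*"
    r"(?P<src>[\d.]+)(?::(?P<spt>\d+))?\s*->\s*(?P<dst>[\d.]+)(?::(?P<dpt>\d+))?"
)


def parse_alert(line):
    """Parse one Snort / Sourcefire3D / Defense Center alert line; None if it is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    pri = PRI_RE.match(line)
    pri = int(pri.group(1)) if pri else None
    sensor = m.group("sensor")
    return {
        # syslog PRI = facility*8 + severity; 161 is local4.alert, which is what the
        # 'output alert_syslog: LOG_LOCAL4 LOG_ALERT' line in snort.conf produces
        "facility": pri >> 3 if pri is not None else None,
        "severity": pri & 7 if pri is not None else None,
        "gid": int(m.group("gid")),
        "sid": int(m.group("sid")),
        "rev": int(m.group("rev")),
        "event_type": "Snort-" + m.group("sid"),   # naming used in the JDBC examples
        "msg": m.group("msg"),
        "impact": m.group("impact"),
        "sensor": sensor.strip('"') if sensor else None,
        "when": m.group("when"),
        "classification": m.group("cls"),
        "priority": int(m.group("prio")),
        "proto": m.group("proto").upper(),
        "src": m.group("src"),
        "spt": int(m.group("spt")) if m.group("spt") else None,   # ICMP carries no ports
        "dst": m.group("dst"),
        "dpt": int(m.group("dpt")) if m.group("dpt") else None,
    }


def parse_many(lines):
    """Parse a batch of lines, dropping anything that is not an alert."""
    return [e for e in (parse_alert(l) for l in lines) if e]


if __name__ == "__main__":
    for e in parse_many(SAMPLES):
        print(e["event_type"], e["proto"], e["src"], "->", e["dst"], e["msg"])
```

A line whose PRI decodes to a facility other than local4 (20) after the snort.conf change above is the quickest sign that the syslog rule is forwarding the wrong facility, or that a different producer is emitting Snort-shaped messages.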


Trend Micro Deep Discovery

- Integration Points
- Configuration
- Settings for Access Credentials
- Sample Events

Integration Points

Method | Information discovered  | Metrics collected | LOGs collected           | Used for
Syslog | Host name, Reporting IP | None              | Malicious file detection | Security monitoring

Event Types

In ADMIN > Device Support > Event, search for "Trend-DeepDiscoveryAnalyzer" and "Trend-DeepDiscoveryInspector" to see the event types associated with this device.

Rules

No specific rules are written for Trend-DeepDiscoveryAnalyzer and Trend-DeepDiscoveryInspector, but regular endpoint rules apply.

Reports

No specific reports are written for Trend-DeepDiscoveryAnalyzer and Trend-DeepDiscoveryInspector, but regular endpoint reports apply.

Configuration

Configure Trend Deep Discovery system to send logs to FortiSIEM in the supported format (see Sample Events).

Settings for Access Credentials

None required.

Sample Events

<123>CEF:0|Trend Micro|Deep Discovery Inspector|3.8.1175|20|Malware URL requested - Type 1|6|dvc=10.0.1.50 dvcmac=00:0C:29:A6:53:0C dvchost=ddi38-143 deviceExternalId=6B593E17AFB7-40FBBB28-A4CE-0462-A536 rt=Mar 09 2015 11:58:25 GMT+08:00 app=HTTP deviceDirection=1 dhost=www.example.com dst=10.10.11.99 dpt=80 dmac=00:1b:21:35:8b:98 shost=10.1.1.97 src=10.1.1.197 spt=12121 smac=fe:ed:be:ef:5a:c6 cs3Label=HostName_Ext cs3=www.example.com fname=setting.doc fileType=0 fsize=0 act=not blocked cn3Label=Threat Type cn3=1 destinationTranslatedAddress=10.1.1.2 sourceTranslatedAddress=10.1.1.197 cnt=1 cs5Label=CCCA_DetectionSource cs5=GLOBAL_INTELLIGENCE cn1Label=CCCA_Detection cn1=1 cat=Callback cs6Label=pAttackPhase cs6=Command and Control Communication


Zeek (Bro) Installed on Security Onion

Bro/Zeek is an open-source network analysis product that is also installed as part of Security Onion.
- What is Discovered and Monitored
- Configuration
- Sample Events

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
Syslog   |                        |                   | Event Collection

Event Types

- Bro-dhcp (/Regular Traffic/Permit - Traffic): a DHCP conversation
- Bro-dns (/Regular Traffic/Permit - Traffic): DNS activity log
- Bro-conn (/Regular Traffic/Permit - Traffic): TCP/UDP/ICMP connections
- Bro-app_stats (/Info): statistics about applications
- Bro-radius (/Info): RADIUS analysis activity
- Bro-known_devices (/Info): Bro known devices

Rules

Generic Rules matching categories.

Reports

Generic Reports matching categories.

Configuration

Complete the following task on Security Onion, as this is crucial to get the headers working in the parser:
Add the following code to the /etc/syslog-ng/syslog-ng.conf file, replacing <IP> with the IP address of the FortiSIEM Supervisor, Worker, or Collector that will receive the syslog:
destination d_fortisiem { tcp("<IP>" port(514));};
log {
source(s_bro_dns);
source(s_bro_dhcp);
log { filter(f_bro_headers); };
log { destination(d_fortisiem);};
};


Sample Events

<13>Mar 25 11:02:24 sec-sensor-ps bro_dns: {"ts":"2019-03-25T11:02:22.485187Z","uid":"CEBf4c2FoLEBtbPLn6",
"id.orig_h":"10.8.20.21","id.orig_p":50837,"id.resp_h":"10.8.1.203","id.resp_p":53,"proto":"udp",
"trans_id":25959,"rtt":0.000357,"query":"tsomething.my.somewhere.com","qclass":1,"qclass_name":"C_INTERNET",
"qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,
"answers":["um1.my.somewhere.com","um1-lo3.my.somewhere.com","um1-lo3.lo3.r.my.somewhere.com",
"55.66.8.24","55.66.8.152","55.66.9.24"],"TTLs":[136.0,5.0,146.0,5.0,5.0,5.0],"rejected":false}
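A parser for lines of this form, as an added example that is not part of the FortiSIEM guide or of Security Onion: it splits the syslog-ng header from the JSON record, decodes the PRI into facility and severity, and reduces the bro_dns record to the fields a detection rule would key on. The sample line is the bro_dns event above re-joined onto one line; the function names and the field selection in dns_summary are this example's own choices.

```python
from __future__ import annotations

import ipaddress
import json
import re
from typing import Any, Optional

# Sample line taken from the bro_dns event shown above (re-joined onto one line).
SAMPLE_LINE = (
    '<13>Mar 25 11:02:24 sec-sensor-ps bro_dns: '
    '{"ts":"2019-03-25T11:02:22.485187Z","uid":"CEBf4c2FoLEBtbPLn6",'
    '"id.orig_h":"10.8.20.21","id.orig_p":50837,"id.resp_h":"10.8.1.203","id.resp_p":53,'
    '"proto":"udp","trans_id":25959,"rtt":0.000357,"query":"tsomething.my.somewhere.com",'
    '"qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,'
    '"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,'
    '"answers":["um1.my.somewhere.com","um1-lo3.my.somewhere.com",'
    '"um1-lo3.lo3.r.my.somewhere.com","55.66.8.24","55.66.8.152","55.66.9.24"],'
    '"TTLs":[136.0,5.0,146.0,5.0,5.0,5.0],"rejected":false}'
)

# BSD-style header as written by syslog-ng: <PRI>Mon DD HH:MM:SS host program: payload
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[\w.-]+): (?P<payload>\{.*\})\s*$"
)


def parse_zeek_syslog(line: str) -> Optional[dict[str, Any]]:
    """Split a syslog-ng forwarded Zeek line into header fields and the JSON record.

    Returns None for lines without a JSON payload, so a caller can count how many
    lines would be dropped instead of silently ignoring them.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    try:
        record = json.loads(m.group("payload"))
    except json.JSONDecodeError:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,        # <13> -> facility 1 (user)
        "severity": pri % 8,         # <13> -> severity 5 (notice)
        "sensor": m.group("host"),
        "log": m.group("program"),   # bro_dns, bro_conn, bro_dhcp, ...
        "record": record,
    }


def dns_summary(event: dict[str, Any]) -> dict[str, Any]:
    """Reduce a bro_dns record to the fields a SIEM rule typically keys on."""
    r = event["record"]
    ips, names = [], []
    for answer in r.get("answers", []):
        try:
            ipaddress.ip_address(answer)
            ips.append(answer)
        except ValueError:
            names.append(answer)     # members of the CNAME chain
    return {
        "src": f'{r["id.orig_h"]}:{r["id.orig_p"]}',
        "resolver": f'{r["id.resp_h"]}:{r["id.resp_p"]}',
        "query": r["query"],
        "qtype": r["qtype_name"],
        "rcode": r["rcode_name"],
        "answer_ips": ips,
        "answer_names": names,
        "rtt_ms": round(r["rtt"] * 1000, 3),
        "rejected": r.get("rejected", False),
    }


if __name__ == "__main__":
    print(dns_summary(parse_zeek_syslog(SAMPLE_LINE)))
```

Separating answer IPs from CNAME names matters for enrichment: the IPs are what a threat-list lookup needs, while the names show which intermediate records a resolver returned.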

Routers and Switches

FortiSIEM supports these routers and switches for discovery and monitoring.
l Alcatel TiMOS and AOS Switch
l Arista Router and Switch
l Brocade NetIron CER Routers
l Cisco 300 Series Routers
l Cisco IOS Router and Switch
l How CPU and Memory Utilization is Collected for Cisco IOS
l Cisco Meraki Cloud Controller and Network Devices
l Cisco NX-OS Router and Switch
l Cisco ONS
l Cisco Viptela SDWAN Router
l Dell Force10 Router and Switch
l Dell NSeries Switch
l Dell PowerConnect Switch and Router
l Foundry Networks IronWare Router and Switch
l HP/3Com ComWare Switch
l HP ProCurve Switch
l HP Value Series (19xx) and HP 3Com (29xx) Switch
l Hirschmann SCADA Firewalls and Switches
l Juniper Networks JunOS Switch
l MikroTik Router
l Nortel ERS and Passport Switch

Alcatel TiMOS and AOS Switch

l What is Discovered and Monitored
l Configuration
l Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, Software version, Hardware model, Network interfaces | Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring
SNMP (V1, V2c) | | Hardware status: Power Supply, Fan, Temperature | Availability
SNMP (V1, V2c, V3) | Layer 2 port mapping: associating switch ports to directly connected host IP/MAC addresses | | Identity and location table; Topology

Event Types

In ADMIN > Device Support > Event, search for "alcatel" in the Device Type and Description columns to see the
event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Settings for Access Credentials

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the
Name and Community String.

Setting Value

Name <set name>

Device Type Generic

Access Protocol SNMP

Community String <your own>


Arista Router and Switch

l What is Discovered and Monitored
l Configuration
l Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, Serial number, Software version, Hardware model, Network interfaces, Hardware Components | Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), CPU utilization, Memory utilization, Flash utilization, Hardware Status | Availability and Performance Monitoring
Telnet/SSH | Running and Startup configurations | Startup Configuration Change, Difference between Running and Startup configurations | Change monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Telnet/SSH

FortiSIEM uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to
enable Telnet/SSH.
These commands are used for discovery and performance monitoring via SSH. Please make sure that the access
credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device.
l show startup-config
l show running-config
l show version
l show ip route
l enable
l terminal pager 0

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation.
You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more
information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the
Name and Community String.

Setting Value

Name <set name>

Device Type Generic

Access Protocol SNMP

Community String <your own>

Telnet Access Credentials for All Devices

These are the generic settings for providing Telnet access to your device from FortiSIEM.

Setting Value

Name Telnet-generic

Device Type generic

Access Protocol Telnet

Port 23

User Name A user who has permission to access the device over Telnet

Password The password associated with the user

SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.


Setting Value

Name ssh-generic

Device Type Generic

Access Protocol SSH

Port 22

User Name A user who has access credentials for your device over SSH

Password The password for the user


Brocade NetIron CER Routers

l What is Discovered and Monitored
l Configuration
l Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, software version, Hardware model, Network interfaces | CPU, Memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware Status, Real Server Status | Availability and Performance Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules specifically for this device.

Reports

There are no predefined reports specifically for this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.


Setting Value

Name <set name>

Device Type Brocade NetIron CER

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


Cisco 300 Series Routers

l What is Discovered and Monitored
l Configuration
l Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) | Host name, software version, Hardware model, Network interfaces | Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards, and queue lengths) | Availability and Performance Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules specifically for this device.

Reports

There are no predefined reports specifically for this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Settings for Access Credentials

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the
Name and Community String.

Setting Value

Name <set name>

Device Type Generic

Access Protocol SNMP

Community String <your own>


Cisco IOS Router and Switch

l What is Discovered and Monitored
l Event Types
l Configuration
l Settings for Access Credentials

Issue with Generic Serial Numbers in Older Versions of Cisco IOS Routers

FortiSIEM uses serial numbers to uniquely identify a device. For older routers, the serial number is obtained from the
OID 1.3.6.1.4.1.9.3.6.3.0. However, this value is often left at a generic default such as MSFC 2A. If multiple
routers share the same default value, they are merged into a single entry in the FortiSIEM CMDB.
You can check the current value of the serial number on a Cisco router by doing an SNMP walk of the OID.
snmpwalk -v2c -c <cred> <ip> 1.3.6.1.4.1.9.3.6.3.0

If the value is a generic one, set it to the actual serial number.
Router(config)#snmp-server chassis-id <serial number>
Router(config)#exit
Router#write memory

Run the snmpwalk again to verify that the serial number has been updated, then perform discovery of your Cisco router.

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c, V3) | Host name, IOS version, Hardware model, Memory size, Network interface details - name, address, mask and description | Uptime, CPU and Memory utilization, Free processor and I/O memory, Free contiguous processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring
SNMP (V1, V2c, V3) | Hardware component details: serial number, model, manufacturer, software and firmware versions of hardware components such as chassis, CPU, fan, power supply, network cards etc. | Hardware health: temperature, fan and power supply | Availability
SNMP (V1, V2c, V3) | Trunk port connectivity between switches and VLANs carried over a trunk port; End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association | | Topology and end-host location
SNMP (V1, V2c, V3) | BGP connectivity, neighbors, state, AS number | BGP state change | Routing Topology, Availability Monitoring
SNMP (V1, V2c, V3) | OSPF connectivity, neighbors, state, OSPF Area | OSPF state change | Routing Topology, Availability Monitoring
SNMP (V1, V2c, V3) | | IP SLA and VoIP performance metrics: Max/Min/Avg Delay and Jitter - both overall and Source->Destination and Destination->Source, Packets Lost - both overall and Source->Destination and Destination->Source, Packets Missing in Action, Packets Late, Packets out of sequence, VoIP Mean Opinion Score (MOS), VoIP Calculated Planning Impairment Factor (ICPIF) score | VoIP Performance Monitoring
SNMP (V1, V2c, V3) | | Class based QoS metrics (from CISCO-CLASS-BASED-QOS-MIB): For each (router interface, policy, class map) tuple: class map metrics including pre-policy rate, post-policy rate, drop rate and drop pct; police action metrics including conform rate, exceeded rate and violated rate; queue metrics including current queue length, max queue length and discarded packets | QoS performance monitoring
SNMP (V1, V2c, V3) | | NBAR metrics (from CISCO-NBAR-PROTOCOL-DISCOVERY-MIB): For each interface and application, sent/received flows, sent/received bytes, sent/received bits/sec | Performance Monitoring
Telnet/SSH | Running and startup configuration, Image file name, Flash memory size, Running processes | Startup configuration change, delta between running and startup configuration, Running process CPU and memory utilization | Performance Monitoring, Security and Compliance
Syslog | Device type | System logs and traffic logs matching acl statements | Availability, Security and Compliance

Event Types

Syslog events

In ADMIN > Device Support > Event, search for "cisco_os" in the Description column to see the event types
associated with this device.

Rules

Reports

Configuration

Telnet/SSH

FortiSIEM uses SSH and Telnet to communicate with your device. Follow the instructions in the product documentation
for your device to enable SSH and Telnet.
These commands are used for discovery and performance monitoring via SSH. Please make sure that the access
credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device.
l show startup-config
l show running-config
l show version
l show flash
l show ip route
l show mac-address-table or show mac address-table
l show vlan brief
l show process cpu
l show process mem
l show disk0
l enable
l terminal pager 0


SNMP

SNMP V1/V2c

1. Log in to the Cisco IOS console or telnet to the device.
2. Enter configuration mode.
3. Create an access list for FortiSIEM.
access-list 10 permit <FortiSIEM IP>

4. Set up community strings and access lists.
snmp-server community <community string> ro 10

5. Exit configuration mode.

SNMP V3

1. Log in to the Cisco IOS console or telnet to the device.
2. Enter configuration mode.
3. Create an access list for FortiSIEM.
access-list 10 permit <FortiSIEM IP>

4. Set up SNMP credentials for Authentication only.
snmp-server group <grpName> v3 auth
! repeat the next line for every VLAN so that FortiSIEM can discover per-VLAN information
! such as the Spanning Tree and VTP MIBs
snmp-server group <grpName> v3 auth context vlan-<vlanId>
snmp-server user <userName> <grpName> v3 auth md5 <password> access 10

5. Set up SNMP credentials for Authentication and Encryption.
snmp-server group <grpName> v3 priv
! repeat the next two lines for every VLAN so that FortiSIEM can discover per-VLAN information
! such as the Spanning Tree and VTP MIBs
snmp-server group <grpName> v3 auth context vlan-<vlanId>
snmp-server group <grpName> v3 priv context vlan-<vlanId>
snmp-server user <userName> <grpName> v3 auth md5 <password> priv des56 <password> access 10

IOS also accepts sha for authentication and aes 128 for privacy, which are stronger than the md5 and des56 shown here.

6. Exit configuration mode.

Syslog

1. Log in to the Cisco IOS console or telnet to the device.
2. Enter configuration mode.
3. Enable logging with these commands.
logging on
logging trap informational
logging <FortiSIEM IP>

4. Make sure that the timestamp in syslog messages sent to FortiSIEM does not contain milliseconds.
no service timestamps log datetime msec
service timestamps log datetime

5. To log traffic matching acl statements in stateless firewall scenarios, add the log keyword to the acl statements.
access-list 102 deny udp any gt 0 any gt 0 log

6. To turn on logging from the IOS Firewall module, use this command.
ip inspect audit-trail

7. Exit configuration mode.

Sample Cisco IOS Syslog Messages

<190>109219: Jan 9 18:03:35.281: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (192.168.20.33:1876) -- responder (192.168.0.10:445)

<190>263951: 2w6d: %SEC-6-IPACCESSLOGP: list permit-any permitted udp 192.168.20.35(0) -> 192.168.23.255(0), 1 packet

<188>84354: Dec 6 08:15:20: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] [Source: 192.168.135.125] [localport: 80] [Reason: Login Authentication Failed - BadPassword] at 08:15:20 PST Mon Dec 6 2010

<189>217: May 12 13:57:23.720: %SYS-5-CONFIG_I: Configured from console by vty1 (192.168.29.8)

<189>Oct 27 20:18:43.254 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP request from host 192.168.2.98

NetFlow

Enable NetFlow on the Router

1. Enter configuration mode.
2. For every interface, run these commands.
interface <interface> <interface_number>
ip route-cache flow
exit

Set Up NetFlow Export

1. Enter configuration mode.
2. Run these commands.
ip flow-export version 5|9
ip flow-export destination <FortiSIEM IP> 2055
ip flow-export source <interface> <interface_number>
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
snmp-server ifindex persist

On MLS switches, such as the 6500 or 7200 models, also run these commands.
mls netflow
mls nde sender
mls aging long 64
mls flow ip full

3. Exit configuration mode.

You can verify that you have set up NetFlow correctly by running these commands.
! shows the current NetFlow configuration
show ip flow export
! summarizes the active flows and gives an indication of how much NetFlow data the device is exporting
show ip cache flow or show ip cache verbose flow

Sample Flexible Netflow Configuration in IOS

flow exporter e1
 ! destination is the collector address; the default port needs to be changed to 2055
 destination <FortiSIEM IP> transport udp 2055
!
flow record r1
 ! record specifies the packet fields to collect
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
!
flow monitor m1
 ! monitor refers to the record configuration and the exporter configuration
 record r1
 exporter e1
 cache timeout active 60
 cache timeout inactive 30
 cache entries 1000
!
interface GigabitEthernet 2/48
 ip flow monitor m1 input

IP SLA

IP SLA is a technology where a pair of routers can run synthetic tests between themselves and report detailed traffic
statistics. This enables network administrators to get performance reports between sites without depending on end-host
instrumentation.
Cisco provides detailed documents for configuring IP SLA for both general traffic and VoIP.
A variety of IP SLA tests can be run, for example UDP/ICMP Jitter, UDP Jitter for VoIP, UDP/ICMP Echo, TCP Connect,
HTTP, etc. You can see the traffic statistics for these tests by running the appropriate show commands on the router.
However, only these IP SLA tests are exported via the RTTMON SNMP MIB.
l UDP Jitter (reported by FortiSIEM event type PH_DEV_MON_IPSLA_MET)
l UDP Jitter for VoIP (reported by FortiSIEM event type PH_DEV_MON_IPSLA_VOIP_MET)
l HTTP performance (reported by FortiSIEM event type PH_DEV_MON_IPSLA_HTTP_MET)
l ICMP Echo (reported by FortiSIEM event type PH_DEV_MON_IPSLA_ICMP_MET)
l UDP Echo (reported by FortiSIEM event type PH_DEV_MON_IPSLA_UDP_MET)
These are the only IP SLA tests monitored by FortiSIEM.
Configuring IP SLA involves choosing and configuring a router to initiate the test and a router to respond. The test
statistics are automatically reported by the initiating router via SNMP, so no additional configuration is required.
Bi-directional traffic statistics are also reported by the initiating router, so you don't need to set up a reverse test
between the original initiating and responding routers. FortiSIEM automatically detects the presence of the IP SLA SNMP
MIB (CISCO-RTTMON-MIB) and starts collecting the statistics.

Configuring IP SLA Initiator for UDP Jitter

ipsla-init>enable
ipsla-init#config terminal
ipsla-init(config)#ip sla monitor <operation num>
ipsla-init(config-sla-monitor)#type jitter dest-ipaddr <responder ip> dest-port <dest port>
ipsla-init(config-sla-monitor-jitter)#frequency default
ipsla-init(config-sla-monitor-jitter)#exit
ipsla-init(config)#ip sla monitor schedule <operation num> start-time now life forever

Configuring IP SLA Initiator for UDP Jitter for VoIP

ipsla-init>enable
ipsla-init#config terminal
ipsla-init(config)#ip sla monitor <operation num>
ipsla-init(config-sla-monitor)#type jitter dest-ipaddr <responder ip> dest-port <dest port> codec <codec type> advantage-factor 0
ipsla-init(config-sla-monitor-jitter)#frequency default
ipsla-init(config-sla-monitor-jitter)#exit
ipsla-init(config)#ip sla monitor schedule <operation num> start-time now life forever

Configuring IP SLA Initiator for ICMP Echo Operation

Router> enable
Router# configure terminal
Router(config)# ip sla monitor 15
Router(config-sla-monitor)# type echo protocol ipIcmpEcho <destination-ip-address>
Router(config-sla-monitor-echo)# frequency 30
Router(config-sla-monitor-echo)# exit
Router(config)# ip sla monitor schedule 15 start-time now life forever
Router(config)# exit

Configuring the IP SLA Responder for All Cases

ipsla-resp>enable
ipsla-resp#config terminal
ipsla-resp(config)#ip sla monitor responder

Class-Based QoS

CBQoS enables routers to enforce traffic-dependent Quality of Service policies on router interfaces, to make sure that
important traffic such as VoIP and mission-critical applications gets its allocated network resources.
Cisco provides detailed documents for configuring CBQoS.
The CBQoS statistics are automatically reported by the router via SNMP, so no additional configuration is needed.
FortiSIEM detects the presence of valid CBQoS MIBs and starts monitoring them.

NBAR

Cisco provides a configuration guide for protocol discovery via NBAR.
Make sure that the CISCO-NBAR-PROTOCOL-DISCOVERY-MIB is enabled.
Sample event generated by FortiSIEM:
[PH_DEV_MON_CISCO_NBAR_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceCisco.cpp,
[lineNumber]=1644,[hostName]=R1.r1.accelops.com,[hostIpAddr]=10.1.20.59,
[intfName]=Ethernet0/0,[appTransportProto]=snmp,[totFlows]=4752,[recvFlows]=3168,
[sentFlows]=1584,[totBytes64]=510127,[recvBytes64]=277614,[sentBytes64]=232513,
[totBitsPerSec]=22528.000000,[recvBitsPerSec]=12288.000000,[sentBitsPerSec]=10240.000000,
[phLogDetail]=

Settings for Access Credentials

SNMP Access Credentials for All Devices

These are the generic settings for providing SNMP access to your device from FortiSIEM.

Setting Value

Name <set name>

Device Type Generic

Access Protocol SNMP

Community String <your own>

Telnet Access Credentials for All Devices

These are the generic settings for providing Telnet access to your device from FortiSIEM.


Setting Value

Name Telnet-generic

Device Type generic

Access Protocol Telnet

Port 23

User Name A user who has access credentials for your device over Telnet

Password The password associated with the user

SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting Value

Name ssh-generic

Device Type Generic

Access Protocol SSH

Port 22

User Name A user who has access credentials for your device over SSH

Password The password associated with the user


How CPU and Memory Utilization is Collected for Cisco IOS

FortiSIEM follows the process for collecting information about CPU utilization that is recommended by Cisco.
l Monitoring CPU
l Monitoring Memory using PROCESS-MIB

Monitoring CPU

The OID is 1.3.6.1.4.1.9.9.109.1.1.1.1.8. The difficulty is that a device has multiple CPUs, and not all of them should
count towards the system figure. A sample SNMP walk for this OID looks like this:
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.1 = Gauge32: 46
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.2 = Gauge32: 22
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.3 = Gauge32: 5
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.4 = Gauge32: 4

Note that there are 4 CPUs, indexed 1-4. We must identify the control plane CPU and the data plane CPU.
The CPU Id -> entity Id mapping comes from the following SNMP walk:
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.1 = INTEGER: 3014
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.2 = INTEGER: 3001
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.3 = INTEGER: 1001
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.4 = INTEGER: 7001

This provides the following CPU Id -> entity Id mapping:
1 -> 3014
2 -> 3001
3 -> 1001
4 -> 7001

The following SNMP walk provides the name for each entity Id:
SNMPv2-SMI::mib-2.47.1.1.1.1.7.1001 = STRING: "Chassis 1 CPU of Module 2"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.3001 = STRING: "Chassis 1 CPU of Switching Processor 5"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.3014 = STRING: "Chassis 1 CPU of Routing Processor 5"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.7001 = STRING: "Chassis 2 CPU of Module 2"

Combining all this information, we obtain the CPU utilization for each object:
Chassis 1 CPU of Routing Processor 5 -> 46%
Chassis 1 CPU of Switching Processor 5 -> 22%
Chassis 1 CPU of Module 2 -> 5%
Chassis 2 CPU of Module 2 -> 4%

FortiSIEM reports utilization per CPU:
[PH_DEV_MON_SYS_PER_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=9596,
[cpuName]=Chassis 1 CPU of Routing Processor 5,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,
[cpuUtil]=46.000000,[pollIntv]=176,[phLogDetail]=

[PH_DEV_MON_SYS_PER_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=9596,
[cpuName]=Chassis 1 CPU of Switching Processor 5,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,
[cpuUtil]=22.000000,[pollIntv]=176,[phLogDetail]=

[PH_DEV_MON_SYS_PER_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=9596,
[cpuName]=Chassis 1 CPU of Module 2,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,
[cpuUtil]=5.000000,[pollIntv]=176,[phLogDetail]=

[PH_DEV_MON_SYS_PER_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=9596,
[cpuName]=Chassis 2 CPU of Module 2,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,
[cpuUtil]=4.000000,[pollIntv]=176,[phLogDetail]=

To get the overall system CPU utilization, FortiSIEM averages over the Switching and Routing CPUs only, so
CPU Util = (46+22)/2 = 34%
[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=9611,
[cpuName]=RoutingCpu,[hostName]=UB-CORE-SW,[hostIpAddr]=10.11.1.2,[cpuUtil]=34.0000,
[pollIntv]=176,[phLogDetail]=

Monitoring Memory using PROCESS-MIB

The relevant OIDs are
Used memory OID = 1.3.6.1.4.1.9.9.48.1.1.1.6
Free memory OID = 1.3.6.1.4.1.9.9.48.1.1.1.5

Memory Util = (Used memory) / (Used memory + Free memory)

SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.1 = Gauge32: 87360992 <- Processor Memory Used
SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.2 = Gauge32: 10715440 <- IO Memory Used
SNMPv2-SMI::enterprises.9.9.48.1.1.1.6.1 = Gauge32: 2904976 <- Processor Memory Free
SNMPv2-SMI::enterprises.9.9.48.1.1.1.6.2 = Gauge32: 1342944 <- IO Memory Free

Therefore
Used Memory = 98,076,432
Total Memory = 102,324,352
Memory Util = 96%
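The computation described in the two sections above, Monitoring CPU and Monitoring Memory, as an added example that is not FortiSIEM's own code: it parses the sample walk output, joins cpmCPUTotal5minRev (column .8) to entPhysicalName through cpmCPUTotalPhysicalIndex (column .2), averages the CPUs whose names contain "Routing Processor" or "Switching Processor" (the selection the text describes; matching on the entity name is this example's assumption about how that selection is made), and computes memory utilization from ciscoMemoryPoolUsed (column .5) and ciscoMemoryPoolFree (column .6) as the walk annotations above label them. The function names are this example's own.

```python
from __future__ import annotations

import re
from statistics import mean
from typing import Optional

# Sample walk output taken from the CPU and memory sections above.
WALK = """
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.1 = Gauge32: 46
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.2 = Gauge32: 22
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.3 = Gauge32: 5
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.8.4 = Gauge32: 4
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.1 = INTEGER: 3014
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.2 = INTEGER: 3001
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.3 = INTEGER: 1001
SNMPv2-SMI::enterprises.9.9.109.1.1.1.1.2.4 = INTEGER: 7001
SNMPv2-SMI::mib-2.47.1.1.1.1.7.1001 = STRING: "Chassis 1 CPU of Module 2"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.3001 = STRING: "Chassis 1 CPU of Switching Processor 5"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.3014 = STRING: "Chassis 1 CPU of Routing Processor 5"
SNMPv2-SMI::mib-2.47.1.1.1.1.7.7001 = STRING: "Chassis 2 CPU of Module 2"
SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.1 = Gauge32: 87360992
SNMPv2-SMI::enterprises.9.9.48.1.1.1.5.2 = Gauge32: 10715440
SNMPv2-SMI::enterprises.9.9.48.1.1.1.6.1 = Gauge32: 2904976
SNMPv2-SMI::enterprises.9.9.48.1.1.1.6.2 = Gauge32: 1342944
"""

LINE_RE = re.compile(r"^SNMPv2-SMI::(?P<oid>[\w.\-]+) = (?P<type>\w+): (?P<val>.*)$")

# Column OIDs in net-snmp's short notation; the row index follows the trailing dot.
CPU_UTIL = "enterprises.9.9.109.1.1.1.1.8."    # cpmCPUTotal5minRev (CISCO-PROCESS-MIB)
CPU_ENTITY = "enterprises.9.9.109.1.1.1.1.2."  # cpmCPUTotalPhysicalIndex -> ENTITY-MIB index
ENT_NAME = "mib-2.47.1.1.1.1.7."               # entPhysicalName (ENTITY-MIB)
MEM_USED = "enterprises.9.9.48.1.1.1.5."       # ciscoMemoryPoolUsed (CISCO-MEMORY-POOL-MIB)
MEM_FREE = "enterprises.9.9.48.1.1.1.6."       # ciscoMemoryPoolFree
# Assumption of this example: the routing/switching CPUs are picked by entity name.
SYSTEM_CPU_NAMES = ("Routing Processor", "Switching Processor")


def parse_walk(text: str) -> dict[str, str]:
    """Map each walked OID to its printed value (STRING values lose their quotes)."""
    walk = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            walk[m["oid"]] = m["val"].strip('"')
    return walk


def column(walk: dict[str, str], prefix: str) -> dict[str, str]:
    """Rows of one table column, keyed by the index that follows the column OID."""
    return {oid[len(prefix):]: val for oid, val in walk.items() if oid.startswith(prefix)}


def per_cpu_util(walk: dict[str, str]) -> dict[str, int]:
    """Join utilization -> physical entity -> entity name, as the text describes."""
    entity = column(walk, CPU_ENTITY)
    names = column(walk, ENT_NAME)
    result = {}
    for idx, util in column(walk, CPU_UTIL).items():
        name = names.get(entity.get(idx, ""), f"cpu-{idx}")  # fall back to the raw index
        result[name] = int(util)
    return result


def system_cpu_util(per_cpu: dict[str, int]) -> Optional[float]:
    """Average only the routing and switching CPUs; None if the device has neither."""
    selected = [u for n, u in per_cpu.items() if any(k in n for k in SYSTEM_CPU_NAMES)]
    return mean(selected) if selected else None


def memory_util(walk: dict[str, str]) -> dict[str, int]:
    """Sum every memory pool (processor, I/O, ...) and report used / (used + free)."""
    used = sum(int(v) for v in column(walk, MEM_USED).values())
    free = sum(int(v) for v in column(walk, MEM_FREE).values())
    return {"used": used, "total": used + free, "util_pct": round(100 * used / (used + free))}


if __name__ == "__main__":
    w = parse_walk(WALK)
    cpus = per_cpu_util(w)
    for name, util in cpus.items():
        print(f"{name} -> {util}%")
    print("system CPU util:", system_cpu_util(cpus))
    print("memory:", memory_util(w))
```

Returning None when no routing or switching CPU is present, instead of averaging whatever is there, keeps a line card's idle CPU from masking a busy control plane on devices whose entity names do not match the pattern.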


Cisco Meraki Cloud Controller and Network Devices

l What is Discovered and Monitored
l Configuration
l Settings for Access Credentials

What is Discovered and Monitored

Cisco Meraki devices are discoverable in either of the following ways:
l SNMP to the Cloud Controller
l SNMP to each Network Device
SNMP Traps can be sent from the Cloud Controller. Cisco Meraki Network Devices can also send logs directly to
FortiSIEM.

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c) to Cloud Controller or Devices | Host name, Software version, Hardware model, Network interfaces | Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring
Syslog from Meraki Firewalls | | Firewall logs | Security Monitoring
SNMP Traps from Cloud Controller | | Health | Availability Monitoring

Event Types

l Interface Utilization: PH_DEV_MON_NET_INTF_UTIL

Rules

Availability (from SNMP Trap)

l Meraki Device Cellular Connection Disconnected
l Meraki Device Down
l Meraki Device IP Conflict
l Meraki Device Interface Down
l Meraki Device Port Cable Error
l Meraki Device VPN Connectivity Down
l Meraki Foreign AP Detected
l Meraki New DHCP Server
l Meraki New Splash User
l Meraki No DHCP lease
l Meraki Rogue DHCP Server
l Meraki Unreachable Device
l Meraki Unreachable RADIUS Server
l Meraki VPN Failover

Performance (Fixed threshold)

l Network Intf Error Warning
l Network Intf Error Critical
l Network Intf Util Warning
l Network Intf Util Critical

Performance (Dynamic threshold based on baselines)

l Sudden Increase in Network Interface Traffic
l Sudden Increase in Network Interface Errors

Reports

None

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Cisco Meraki Cloud Controller

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


Cisco NX-OS Router and Switch

l What is Discovered and Monitored
l Configuration
l Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (V1, V2c, V3) | Host name, IOS version, Hardware model, Memory size, Network interface details - name, address, mask and description | Uptime, CPU and Memory utilization, Free processor and I/O memory, Free contiguous processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring
SNMP (V1, V2c, V3) | Hardware component details: serial number, model, manufacturer, software and firmware versions of hardware components such as chassis, CPU, fan, power supply, network cards etc. | Hardware health: temperature, fan and power supply | Availability
SNMP (V1, V2c, V3) | Trunk port connectivity between switches and VLANs carried over a trunk port (via CDP MIB), ARP table | | Topology and end-host location
SNMP (V1, V2c, V3) | BGP connectivity, neighbors, state, AS number | BGP state change | Routing Topology, Availability Monitoring
SNMP (V1, V2c, V3) | OSPF connectivity, neighbors, state, OSPF Area | OSPF state change | Routing Topology, Availability Monitoring
SNMP (V1, V2c, V3) | | Class based QoS metrics: For each (router interface, policy, class map) tuple: class map metrics including pre-policy rate, post-policy rate, drop rate and drop pct; police action metrics including conform rate, exceeded rate and violated rate; queue metrics including current queue length, max queue length and discarded packets | QoS performance monitoring
Telnet/SSH | Running and startup configuration, Image file name, Flash memory size, Running processes | Startup configuration change, delta between running and startup configuration, Running process CPU and memory utilization | Performance Monitoring, Security and Compliance
Telnet/SSH | End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association | |
Syslog | Device type | System logs and traffic logs matching acl statements | Availability, Security and Compliance

Event Types

In ADMIN > Device Support > Event, search for "nx-os" in the Device Type column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.


Telnet/SSH

FortiSIEM uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to
enable Telnet/SSH.
These commands are used for discovery and performance monitoring via SSH. Please make sure that the access
credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device.
• show startup-config
• show running-config
• show version
• show flash
• show context
• show ip route
• show cam dynamic
• show mac-address-table
• show mac address-table (for Nexus 1000v)
• show vlan brief
• show process cpu
• show process mem
• show disk0
• enable
• terminal length 0

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslogs to
FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
• For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your FortiSIEM virtual appliance.
• For Port, enter 514.
• Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

NetFlow

Enable NetFlow on the Router

1. Enter configuration mode.
2. Run this command.
feature netflow

Create a Flow Template and Define the Fields to Export

You can also try using the pre-defined NetFlow template.

# show flow record netflow-original

Flow record netflow-original:
Description: Traditional IPv4 input NetFlow with origin ASs
No. of users: 1
Template ID: 261
Fields:
match ipv4 source address
match ipv4 destination address
match ip protocol
match ip tos
match transport source-port
match transport destination-port
match interface input
match interface output
match flow direction
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect transport tcp flags
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last

Set up NetFlow Exporter

Run these commands. The destination is the IP address of your FortiSIEM collector; the export format must be version 9.

flow exporter FortiSIEMFlowAnalyzer
description export netflow to FortiSIEM
destination <FortiSIEMIp>
version 9
transport udp 2055
source Vlan613

Associate the Record to the Exporter Using a Flow Monitor

In this example the flow monitor is called FortiSIEMMonitoring.

Run these commands.

flow monitor FortiSIEMMonitoring
exporter FortiSIEMFlowAnalyzer
record netflow-original

Apply the Flow Monitor to Every Interface

Run these commands on each interface. The monitor name must be the one defined in the previous step (FortiSIEMMonitoring in this example); an interface that references an undefined monitor exports nothing.

interface Vlan612
ip flow monitor FortiSIEMMonitoring input
exit

interface Vlan613
ip flow monitor FortiSIEMMonitoring input
exit

You can now check the configuration using the show commands.
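The exporter, monitor and interface stanzas above only work together when every reference resolves: the interface names a defined monitor, the monitor names a defined exporter and a record, and the exporter carries a destination, version 9 and a UDP transport. The following Python script is an added example, not part of this guide or of NX-OS; it groups a saved running-config excerpt into those stanzas and reports dangling references and missing exporter settings. The embedded configuration is constructed from this section, with 10.0.0.50 standing in for <FortiSIEMIp> and one interface deliberately pointing at an undefined monitor so that the check has something to report.

```python
import re

# Constructed sample of the stanzas from this section. The collector address
# 10.0.0.50 stands in for <FortiSIEMIp>, and the monitor name on Vlan612 is
# deliberately wrong so that the check below has a finding to report.
SAMPLE_CONFIG = """\
feature netflow
flow exporter FortiSIEMFlowAnalyzer
  description export netflow to FortiSIEM
  destination 10.0.0.50
  version 9
  transport udp 2055
  source Vlan613
flow monitor FortiSIEMMonitoring
  exporter FortiSIEMFlowAnalyzer
  record netflow-original
interface Vlan612
  ip flow monitor Monitortac7000 input
interface Vlan613
  ip flow monitor FortiSIEMMonitoring input
"""

STANZA_RE = re.compile(r"^(flow exporter|flow monitor|interface)\s+(\S+)$")
APPLY_RE = re.compile(r"^(?:ip|ipv6) flow monitor (\S+) (input|output)$")


def parse_netflow_config(text):
    """Group an NX-OS config excerpt into exporter, monitor and interface
    stanzas. Indented lines belong to the most recently opened stanza."""
    cfg = {"feature_netflow": False, "exporters": {}, "monitors": {}, "interfaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "feature netflow":
            cfg["feature_netflow"] = True
            current = None
            continue
        m = STANZA_RE.match(line)
        if m:
            kind, name = m.groups()
            if kind == "flow exporter":
                current = cfg["exporters"].setdefault(name, {})
            elif kind == "flow monitor":
                current = cfg["monitors"].setdefault(name, {})
            else:
                current = cfg["interfaces"].setdefault(name, [])
            continue
        if isinstance(current, list):            # inside an interface stanza
            m = APPLY_RE.match(line)
            if m:
                current.append(m.group(1))
        elif isinstance(current, dict):          # inside an exporter or monitor stanza
            key, _, value = line.partition(" ")
            current[key] = value
    return cfg


def check_netflow_config(text):
    """Return a list of human-readable findings; an empty list means the
    exporter, monitor and interface references are all consistent."""
    cfg = parse_netflow_config(text)
    findings = []
    if not cfg["feature_netflow"]:
        findings.append("feature netflow is not enabled")
    for name, exp in cfg["exporters"].items():
        if "destination" not in exp:
            findings.append(f"exporter {name}: no destination (collector address) set")
        if exp.get("version") != "9":
            findings.append(f"exporter {name}: version must be 9, found {exp.get('version', 'unset')}")
        if not re.fullmatch(r"udp \d+", exp.get("transport", "")):
            findings.append(f"exporter {name}: transport must be 'udp <port>'")
    applied = set()
    for intf, monitors in cfg["interfaces"].items():
        for mon in monitors:
            applied.add(mon)
            if mon not in cfg["monitors"]:
                findings.append(f"interface {intf}: flow monitor {mon} is not defined")
    for name, mon in cfg["monitors"].items():
        if mon.get("exporter") not in cfg["exporters"]:
            findings.append(f"monitor {name}: exporter {mon.get('exporter', 'unset')} is not defined")
        if "record" not in mon:
            findings.append(f"monitor {name}: no flow record attached")
        if name not in applied:
            findings.append(f"monitor {name}: not applied to any interface")
    return findings


if __name__ == "__main__":
    for finding in check_netflow_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Paste the NetFlow-related stanzas of the device's saved running configuration in place of SAMPLE_CONFIG to run the same check against a real switch; a finding of the form "interface X: flow monitor Y is not defined" is the mismatch that leaves FortiSIEM without flows while every individual command still looks valid.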

Settings for Access Credentials

For SNMP, Telnet, and SSH access credentials, see Access Credentials.


Cisco ONS

• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Serial Number, software version, Hardware model, Network interfaces, Hardware Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP Trap
Metrics collected: Alerts
Used for: Availability and Performance Monitoring

Event Types

Over 1800 event types defined - search for "Cisco-ONS" in ADMIN > Device Support > Event.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.


Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Cisco ONS
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Cisco Viptela SDWAN Router

• What is Discovered and Monitored
• Event Types
• Rules
• Reports
• Configuration
• Sample Events

What is Discovered and Monitored

Protocol: Syslog
Information Discovered: Host name and Device Type from LOG
Metrics/LOG collected: Over 290 log types
Used for: Security and Compliance

Event Types

Go to Admin > Device Type > Event Types and search for “VIPTELA”.

Rules

None

Reports

None

Configuration

Configure Cisco Viptela to send syslog in the supported format to FortiSIEM. No configuration is required in FortiSIEM.

Sample Events

<190>430: *Dec 9 05:41:47.025: %Cisco-SDWAN-Router-OMPD-6-INFO-400005: R0/0: OMPD: Number of vSmarts connected : 2

<187>154: *Aug 23 19:57:51.681: %Cisco-SDWAN-RP_0-OMPD-3-ERRO-400002: R0/0: OMPD: vSmart peer 1.1.1.5 state changed to Init


Dell Force10 Router and Switch

• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Serial number, Software version, Hardware model, Network interfaces, Hardware Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), CPU utilization, Hardware Status
Used for: Availability and Performance Monitoring

Protocol: Telnet/SSH
Information Discovered: Running and Startup configurations
Metrics collected: Startup Configuration Change, Difference between Running and Startup configurations
Used for: Change monitoring

Event Types

In ADMIN > Device Support > Event, search for "force10" in the Description column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Telnet/SSH

FortiSIEM uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device. To initiate discovery and monitoring of your device over this protocol, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
• show startup-config
• show running-config
• show version
• show ip route
• enable
• terminal pager 0

Settings for Access Credentials

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>

Telnet Access Credentials for All Devices

These are the generic settings for providing Telnet access to your device from FortiSIEM.

Name: Telnet-generic
Device Type: generic
Access Protocol: Telnet
Port: 23
User Name: A user who has permission to access the device over Telnet
Password: The password associated with the user

SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Name: ssh-generic
Device Type: Generic
Access Protocol: SSH
Port: 22
User Name: A user who has access credentials for your device over SSH
Password: The password for the user


Dell NSeries Switch

• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, software version, Hardware model, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP (V1, V2c)
Metrics collected: Hardware Status (Power Supply, Fan)
Used for: Availability Monitoring

Protocol: SSH
Information Discovered: Configuration
Used for: Change management

Event Types

• CPU Monitoring: PH_DEV_MON_SYS_CPU_UTIL
• Memory Monitoring: PH_DEV_MON_SYS_MEM_UTIL
• Interface Utilization: PH_DEV_MON_NET_INTF_UTIL
• Hardware Status: PH_DEV_MON_HW_STATUS
• Configuration Change: PH_DEV_MON_CHANGE_STARTUP_CONFIG

Rules

Availability

• Network Device Degraded - Lossy Ping Response
• Network Device Down - no ping response
• Network Device Interface Flapping
• Critical Network Device Interface Staying Down
• Non-critical Network Device Interface Staying Down
• Network Device Hardware Warning
• Network Device Hardware Critical


Performance (Fixed threshold)

• Network CPU Warning
• Network CPU Critical
• Network Memory Warning
• Network Memory Critical
• Network Intf Error Warning
• Network Intf Error Critical
• Network Intf Util Warning
• Network Intf Util Critical

Performance (Dynamic threshold based on baselines)

• Sudden Increase In System CPU Usage
• Sudden Increase in System Memory Usage
• Sudden Increase in Network Interface Traffic
• Sudden Increase in Network Interface Errors

Change

• Startup Config Change

Reports

Availability

• Availability: Router/Switch Ping Monitor Statistics

Performance

• Performance: Top Routers Ranked By CPU Utilization
• Performance: Top Routers By Memory Utilization
• Performance: Top Router Network Intf By Util, Error, Discards
• Top Routers/Switches by Business Hours Network Ping Uptime Pct (Achieved Network Ping SLA)
• Top Routers/Switches by Business Hours System Uptime Pct (Achieved System SLA)
• Top Routers/Switches by Network Ping Uptime Pct (Achieved Network Ping SLA)
• Top Routers/Switches by System Uptime Pct (Achieved System SLA)
• Top Router Interfaces by Days-since-last-use

Change

• Change: Router Config Changes Detected Via Login


Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Dell NSeries
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Dell PowerConnect Switch and Router

• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Serial number, Software version, Hardware model, Network interfaces, Hardware Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), CPU utilization, Hardware Status
Used for: Availability and Performance Monitoring

Protocol: Telnet/SSH
Information Discovered: Running and Startup configurations
Metrics collected: Startup Configuration Change, Difference between Running and Startup configurations
Used for: Change monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Telnet/SSH

FortiSIEM uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to
enable Telnet/SSH.
These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in FortiSIEM have the permissions necessary to execute these commands on the device. To initiate discovery and monitoring of your device over this protocol, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
• show startup-config
• show running-config
• show version
• show ip route
• enable
• terminal pager 0

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Dell PowerConnect
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Foundry Networks IronWare Router and Switch

• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, Ironware version, Hardware model, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: Telnet/SSH
Information Discovered: Running and startup configuration
Metrics collected: Startup configuration change, delta between running and startup configuration
Used for: Performance Monitoring, Security and Compliance

Protocol: SNMP (V1, V2c)
Information Discovered: Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association
Used for: Topology and end-host location

Protocol: Syslog
Information Discovered: Device type
Metrics collected: System logs and traffic logs matching acl statements
Used for: Availability, Security and Compliance

Event Types

In ADMIN > Device Support > Event, search for "foundry_ironware" in the Description column to see the event
types associated with this device.

Rules

There are no predefined rules for this device.


Reports

There are no predefined reports for this device.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Foundry Ironware
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Configuration

SNMP

1. Log in to the device manager for your switch or router with administrative privileges.
2. Enter configuration mode.
3. Run these commands to set the community string and enable the SNMP service.
snmp-server community <community> RO
snmp-server enable vlan <vlan id>
4. Exit config mode.
5. Save the configuration.

Telnet/SSH

FortiSIEM uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to
enable Telnet/SSH.

Syslog

1. Log in to the device manager for your switch or router with administrative privileges.
2. Enter configuration mode.
3. Run this command to set your FortiSIEM virtual appliance as the recipient of syslogs from your router or switch.
logging host <FortiSIEM Ip>
4. Exit config mode.
5. Save the configuration.


Sample Parsed PowerConnect Syslog Message

<14>SJ-Dev-A-Fdy-FastIron, running-config was changed from console

<14>SJ-Dev-A11-Fdy-FastIron, startup-config was changed from telnet client 192.168.20.18

<14>SJ-Dev-A-Fdy-FastIron, phoenix_agent login to USER EXEC mode

<14>SJ-Dev-A-Fdy-FastIron, Interface ethernet3, state up

<14>SJ-Dev-A-Fdy-FastIron, Interface ethernet 20/3, state up

<12>SJ-QA-A-Fdy-BigIron, list 100 permitted udp 173.9.142.98(ntp)(Ethernet 2/1 0004.23ce.ba11) -> 172.16.20.121(ntp), 1 event(s)

<14>SJ-Dev-A-Fdy-FastIron, Bridge root changed, vlan 3, new root ID 80000004806137c6, root interface 3

<14>SJ-QA-A-Fdy-BigIron, VLAN 4 Port 2/7 STP State -> DISABLED (PortDown)

Jun 4 15:51:18 172.16.20.99 Security: telnet logout by admin from src IP 137.146.28.75, src MAC 000c.dbff.6d00

Jun 4 15:51:12 172.16.20.100 System: Interface ethernet 4/9, state down

Jun 4 03:12:53 172.16.20.100 ACL: ACL: List GWI-in permitted tcp 61.158.162.230(6000)(Ethernet 1/4 0023.3368.f500) -> 137.146.0.0(8082), 1 event(s)

Jun 4 02:54:31 172.16.20.100 ACL: ACL: List XCORE denied udp 137.146.28.75(55603)(Ethernet 1/1 000c.dbde.6000) -> 137.146.3.35(snmp), 1 event(s)

Jun 4 01:49:09 172.16.20.100 STP: VLAN 3104 Port 4/22 STP State -> LEARNING (FwdDlyExpiry)
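The messages above arrive in two layouts: lines sent directly by the switch, where an optional PRI and the host name precede a comma, and lines relayed with a timestamp and source address in front of a category such as ACL: or Security:. The Python below is an added example, not code from this guide or from FortiSIEM; it normalizes both layouts, classifies each message as a configuration change, interface state change, ACL decision or management session, and extracts the fields a change or blocked-traffic report is built from. The sample lines are the ones quoted above, each joined back onto a single line.

```python
import re

# Constructed from the sample messages quoted in this section.
SAMPLE_LOGS = [
    "<14>SJ-Dev-A-Fdy-FastIron, running-config was changed from console",
    "<14>SJ-Dev-A11-Fdy-FastIron, startup-config was changed from telnet client 192.168.20.18",
    "<14>SJ-Dev-A-Fdy-FastIron, phoenix_agent login to USER EXEC mode",
    "<14>SJ-Dev-A-Fdy-FastIron, Interface ethernet 20/3, state up",
    "<12>SJ-QA-A-Fdy-BigIron, list 100 permitted udp 173.9.142.98(ntp)(Ethernet 2/1 0004.23ce.ba11) -> 172.16.20.121(ntp), 1 event(s)",
    "Jun 4 15:51:18 172.16.20.99 Security: telnet logout by admin from src IP 137.146.28.75, src MAC 000c.dbff.6d00",
    "Jun 4 15:51:12 172.16.20.100 System: Interface ethernet 4/9, state down",
    "Jun 4 03:12:53 172.16.20.100 ACL: ACL: List GWI-in permitted tcp 61.158.162.230(6000)(Ethernet 1/4 0023.3368.f500) -> 137.146.0.0(8082), 1 event(s)",
    "Jun 4 02:54:31 172.16.20.100 ACL: ACL: List XCORE denied udp 137.146.28.75(55603)(Ethernet 1/1 000c.dbde.6000) -> 137.146.3.35(snmp), 1 event(s)",
]

# "<PRI>host, message"  (sent directly by the switch)
DIRECT_RE = re.compile(r"^(?:<\d+>)?(?P<host>[^,\s]+), (?P<msg>.*)$")
# "Mon DD HH:MM:SS host message"  (relayed with a timestamp and source address)
RELAY_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<msg>.*)$")

ACL_RE = re.compile(
    r"[Ll]ist (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>[^)]+)\)\(Ethernet (?P<intf>\S+) (?P<mac>[0-9a-f.]+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>[^)]+)\), (?P<count>\d+) event")
CONFIG_RE = re.compile(r"(?P<config>running-config|startup-config) was changed from (?P<source>.+)$")
INTF_RE = re.compile(r"Interface (?P<interface>ethernet ?\S+), state (?P<state>up|down)")
REMOTE_SESSION_RE = re.compile(r"(?P<proto>\w+) (?P<action>login|logout) by (?P<user>\S+) from src IP (?P<ip>[\d.]+)")
LOCAL_LOGIN_RE = re.compile(r"^(?P<user>\S+) login to (?P<mode>.+)$")
IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_ironware(line):
    """Return a dict with host, kind and kind-specific fields, or None when
    the line is in neither layout."""
    m = DIRECT_RE.match(line) or RELAY_RE.match(line)
    if m is None:
        return None
    msg = m.group("msg")
    event = {"host": m.group("host"), "kind": "other", "message": msg}
    if (a := ACL_RE.search(msg)):
        event.update(kind="acl", **a.groupdict())
    elif (c := CONFIG_RE.search(msg)):
        ip = IPV4_RE.search(c.group("source"))
        event.update(kind="config_change", config=c.group("config"),
                     source=c.group("source"), source_ip=ip.group(0) if ip else None)
    elif (i := INTF_RE.search(msg)):
        event.update(kind="interface_state", **i.groupdict())
    elif (s := REMOTE_SESSION_RE.search(msg)):
        event.update(kind="session", **s.groupdict())
    elif (s := LOCAL_LOGIN_RE.match(msg)):
        event.update(kind="session", action="login", user=s.group("user"),
                     mode=s.group("mode"), proto=None, ip=None)
    return event


def acl_denies(lines):
    """(source, destination, destination port) of every flow an ACL denied."""
    return [(e["src"], e["dst"], e["dport"]) for e in map(parse_ironware, lines)
            if e is not None and e["kind"] == "acl" and e["action"] == "denied"]


def config_changes(lines):
    """(host, config, origin) of every configuration change; origin is the
    client address when the message carries one, otherwise the source text."""
    return [(e["host"], e["config"], e["source_ip"] or e["source"]) for e in map(parse_ironware, lines)
            if e is not None and e["kind"] == "config_change"]


if __name__ == "__main__":
    for event in map(parse_ironware, SAMPLE_LOGS):
        print(event["host"], event["kind"])
```

Messages the classifier does not recognize (the STP and bridge-root lines, for instance) keep kind "other" with the raw text, so nothing is silently dropped; the ACL match also captures the ingress interface and source MAC, which is what ties a denied flow back to a physical port.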

Settings for Access Credentials

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the
Name and Community String.

Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>


Telnet Access Credentials for All Devices

These are the generic settings for providing Telnet access to your device from FortiSIEM.

Name: Telnet-generic
Device Type: generic
Access Protocol: Telnet
Port: 23
User Name: A user who has permission to access the device over Telnet
Password: The password associated with the user

SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Name: ssh-generic
Device Type: Generic
Access Protocol: SSH
Port: 22
User Name: A user who has access credentials for your device over SSH
Password: The password for the user


HP/3Com ComWare Switch

• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, software version, Hardware model, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware status: Power Supply, Fan, Temperature
Used for: Availability and Performance Monitoring

Protocol: SNMP (V1, V2c, V3)
Metrics collected: Hardware status: Temperature
Used for: Availability

Protocol: Syslog
Metrics collected: System logs
Used for: Availability, Security and Compliance

Event Types

In ADMIN > Device Support > Event, search for "comware" in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslogs to
FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
• For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your FortiSIEM virtual appliance.
• For Port, enter 514.
• Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog for ComWare Switch Messages

%Apr 2 11:38:11:113 2010 H3C DEVD/3/BOARD REBOOT:Chasis 0 slot 2 need be rebooted automatically!
%Sep 22 20:38:32:947 2009 H3C DEVD/4/BRD MISPLUG: The board or subcard in slot 1 is not supported.
%Sep 22 20:38:32:947 2009 H3C DEVD/4/BRD MISPLUG: The board type of MR in 1 is different from the Mate MR's, so the MR can't work properly.
%Sep 22 20:38:32:947 2009 H3C DEVD/2/BRD TOO HOT:Temperature of the board is too high!
%Sep 22 20:38:32:947 2009 H3C DEVD/2/ FAN CHANGE: Chassis 1: Fan communication state changed: Fan 1 changed to fault.
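Both the Cisco-style messages in the Cisco Viptela SDWAN Router section (%Cisco-SDWAN-Router-OMPD-6-INFO-400005:) and the Comware messages above (H3C DEVD/3/BOARD REBOOT:) carry the 0 to 7 syslog severity inside the message body rather than only in the PRI, so a parser has to pull the severity, module and mnemonic out of the text before it can triage. The Python below is an added example, not code from this guide or from FortiSIEM; it normalizes both formats into one record and lists the events at error level or worse. The sample lines are the ones quoted in those two sections, trimmed to one line each.

```python
import re

# Syslog severity scale; Cisco IOS-style and Comware messages both use it.
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# %FACILITY-SEVERITY-MNEMONIC[-CODE]: text   (Cisco IOS / SD-WAN style)
CISCO_RE = re.compile(
    r"%(?P<facility>[A-Za-z0-9_-]+?)-(?P<severity>[0-7])-(?P<mnemonic>[A-Za-z0-9_]+)"
    r"(?:-(?P<code>\d+))?:\s*(?P<text>.*)$")

# %Mon DD HH:MM:SS:mmm YYYY HOST MODULE/SEVERITY/MNEMONIC: text   (H3C Comware style)
H3C_RE = re.compile(
    r"%\w{3}\s+\d{1,2} \d\d:\d\d:\d\d:\d{3} \d{4} (?P<host>\S+) "
    r"(?P<facility>[A-Z]+)/(?P<severity>[0-7])/\s*(?P<mnemonic>[A-Z ]+?)\s*:\s*(?P<text>.*)$")

# Constructed from the sample events in the Viptela and ComWare sections.
SAMPLE_LINES = [
    "<190>430: *Dec 9 05:41:47.025: %Cisco-SDWAN-Router-OMPD-6-INFO-400005: R0/0: OMPD: Number of vSmarts connected : 2",
    "<187>154: *Aug 23 19:57:51.681: %Cisco-SDWAN-RP_0-OMPD-3-ERRO-400002: R0/0: OMPD: vSmart peer 1.1.1.5 state changed to Init",
    "%Apr 2 11:38:11:113 2010 H3C DEVD/3/BOARD REBOOT:Chasis 0 slot 2 need be rebooted automatically!",
    "%Sep 22 20:38:32:947 2009 H3C DEVD/4/BRD MISPLUG: The board or subcard in slot 1 is not supported.",
    "%Sep 22 20:38:32:947 2009 H3C DEVD/2/ FAN CHANGE: Chassis 1: Fan communication state changed: Fan 1 changed to fault.",
]


def parse_event(line):
    """Normalize one Cisco-style or Comware-style line into a common record,
    or return None when neither message format is present."""
    m = H3C_RE.search(line)
    vendor = "comware"
    if m is None:
        m = CISCO_RE.search(line)
        vendor = "cisco"
    if m is None:
        return None
    severity = int(m.group("severity"))
    return {
        "vendor": vendor,
        "facility": m.group("facility"),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "mnemonic": m.group("mnemonic"),
        "code": m.groupdict().get("code"),   # only Cisco messages carry a numeric code
        "text": m.group("text").strip(),
    }


def events_at_or_above(lines, max_severity=3):
    """Keep the events whose severity is max_severity or more urgent
    (a lower number is more urgent; 3 is 'error')."""
    events = (parse_event(line) for line in lines)
    return [e for e in events if e is not None and e["severity"] <= max_severity]


if __name__ == "__main__":
    for e in events_at_or_above(SAMPLE_LINES):
        print(f"{e['vendor']:8} {e['severity_name']:13} {e['facility']}/{e['mnemonic']}: {e['text']}")
```

The Comware pattern is tried first because its timestamp prefix cannot be mistaken for a Cisco facility, whereas the Cisco pattern, being searched anywhere in the line, would accept almost any %WORD-digit-WORD: fragment; ordering the more specific pattern first keeps a Comware line from being mislabelled.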

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: H3C Comware
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


HP ProCurve Switch

• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, version, Hardware model, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware status: Power Supply, Fan, Temperature
Used for: Availability and Performance Monitoring

Protocol: Telnet/SSH
Information Discovered: Running and startup configuration
Metrics collected: Startup configuration change, delta between running and startup configuration
Used for: Performance Monitoring, Security and Compliance

Protocol: SNMP (V1, V2c)
Information Discovered: Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association
Used for: Topology and end-host location

Event Types

In ADMIN > Device Support > Event, search for "procurve" in the Device Type and Description columns to see the
event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.


Configuration

SNMP

1. Go to Configuration > SNMP Community > V1/V2 Community.
2. Enter a Community Name.
3. For MIB-View, select Operator.
4. For Write-Access, leave the selection cleared.
5. Click Add.

SSH/Telnet

1. Log into the device manager for your ProCurve switch.
2. Go to Security > Device Passwords.
3. Create a user and password for Read-Write Access. Although FortiSIEM does not modify any configurations for your switch, Read-Write Access is needed to read the device configuration.
4. Go to Security > Authorized Addresses and add the FortiSIEM IP to Telnet/SSH. This is an optional step.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: HP ProCurve
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


HP Value Series (19xx) and HP 3Com (29xx) Switch

• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, software version, Hardware model, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SSH
Information Discovered: Configuration
Used for: Change management

Event Types

• CPU Monitoring: PH_DEV_MON_SYS_CPU_UTIL
• Memory Monitoring: PH_DEV_MON_SYS_MEM_UTIL
• Interface Utilization: PH_DEV_MON_NET_INTF_UTIL
• Configuration Change: PH_DEV_MON_CHANGE_STARTUP_CONFIG

Rules

Availability

• Network Device Degraded - Lossy Ping Response
• Network Device Down - no ping response
• Network Device Interface Flapping
• Critical Network Device Interface Staying Down
• Non-critical Network Device Interface Staying Down

Performance (Fixed threshold)

• Network CPU Warning
• Network CPU Critical
• Network Memory Warning
• Network Memory Critical
• Network Intf Error Warning
• Network Intf Error Critical
• Network Intf Util Warning
• Network Intf Util Critical

Performance (Dynamic threshold based on baselines)

• Sudden Increase In System CPU Usage
• Sudden Increase in System Memory Usage
• Sudden Increase in Network Interface Traffic
• Sudden Increase in Network Interface Errors

Change

• Startup Config Change

Reports

Availability

• Availability: Router/Switch Ping Monitor Statistics

Performance

• Performance: Top Routers Ranked By CPU Utilization
• Performance: Top Routers By Memory Utilization
• Performance: Top Router Network Intf By Util, Error, Discards
• Top Routers/Switches by Business Hours Network Ping Uptime Pct (Achieved Network Ping SLA)
• Top Routers/Switches by Business Hours System Uptime Pct (Achieved System SLA)
• Top Routers/Switches by Network Ping Uptime Pct (Achieved Network Ping SLA)
• Top Routers/Switches by System Uptime Pct (Achieved System SLA)
• Top Router Interfaces by Days-since-last-use

Change

• Change: Router Config Changes Detected Via Login

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.


Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: HP VSeries
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Hirschmann SCADA Firewalls and Switches

• What is Discovered and Monitored
• Event Types
• Rules
• Reports
• Configuration
• Sample Events

What is Discovered and Monitored

Protocol: SNMP
Information Discovered: Host Name
Metrics/LOG collected: SNMP – Uptime, CPU, Memory, Interface utilization, hardware Status, OSPF metrics
Used for: Performance Monitoring

Event Types

The following event types are used for performance monitoring:

• PH_DEV_MON_SYS_UPTIME - Uptime monitoring
• PH_DEV_MON_SYS_CPU_UTIL - CPU utilization
• PH_DEV_MON_SYS_MEM_UTIL - Memory utilization
• PH_DEV_MON_NET_INTF_UTIL - Interface utilization
• PH_DEV_MON_HW_STATUS - Hardware status

Rules

All performance monitoring rules apply.

Reports

All performance monitoring reports apply.

Configuration

Configure Hirschmann Firewalls and Switches for SNMP V1/V2c/V3 discovery and performance monitoring. Define the
basic SNMP credentials on FortiSIEM and discover these devices. See SNMP Access Credentials.

Sample Events

The events are standard for all devices.


Juniper Networks JunOS Switch

• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c)
Information Discovered: Host name, JunOS version, Hardware model, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware status: Power Supply, Fan, Temperature
Used for: Availability and Performance Monitoring

Protocol: Telnet/SSH
Information Discovered: Running and startup configuration
Metrics collected: Startup configuration change, delta between running and startup configuration
Used for: Performance Monitoring, Security and Compliance

Protocol: SNMP (V1, V2c, V3)
Information Discovered: Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association
Used for: Topology and end-host location

Protocol: Syslog
Metrics collected: System logs and traffic logs matching acl statements
Used for: Availability, Security and Compliance

Protocol: sFlow
Metrics collected: Traffic flow
Used for: Availability, Security and Compliance

Event Types

In ADMIN > Device Support > Event, search for "junos" in the Device Type column to see the event types
associated with this device.


Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

1. Log in to the device manager for your JunOS switch with administrator privileges.
2. Go to Configure > Services > SNMP.
3. Under Communities, click Add.
4. Enter a Community Name.
5. Set Authorization to read-only.
6. Click OK.

Syslog

1. Log in to the device manager for your JunOS switch with administrator privileges.
2. Go to Dashboard > CLI Tools > CLI Editor.
Edit the syslog section to send syslogs to FortiSIEM.
3. JunOS Syslog Configuration

system {
    ....
    syslog {
        user * {
            any emergency;
        }
        host <FortiSIEM Ip> {
            any any;
            explicit-priority;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
        time-format year millisecond;
    }
    ....

4. Click Commit.

Sample JunOS Syslog Messages

<190>May 11 13:54:10 20.20.20.20 mgd[5518]: UI_LOGIN_EVENT: User 'phoenix_agent' login, class 'j-super-user' [5518], ssh-connection '192.168.28.21 39109 172.16.5.64 22', client-mode 'cli'

<38>Nov 18 17:50:46 login: %AUTH-6-LOGIN_INFORMATION: User phoenix_agent logged in from host 192.168.20.116 on device ttyp0
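The two sample messages above carry a syslog PRI in angle brackets and, in the second case, the facility/severity tag that the `explicit-priority` statement in the configuration inserts into the message body. The following is an added example (not FortiSIEM's own parser, and not Juniper code) that decodes the PRI into facility and severity and extracts who logged in and from which host; the `SAMPLE_LINES` are constructed copies of the two messages, with the missing `<` restored on the first:

```python
"""Decode the syslog PRI of the JunOS sample messages and extract login details.
Added example; this is not FortiSIEM's parser."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copies of the two sample messages shown in the guide.
SAMPLE_LINES = [
    "<190>May 11 13:54:10 20.20.20.20 mgd[5518]: UI_LOGIN_EVENT: User 'phoenix_agent' "
    "login, class 'j-super-user' [5518], ssh-connection '192.168.28.21 39109 172.16.5.64 22', "
    "client-mode 'cli'",
    "<38>Nov 18 17:50:46 login: %AUTH-6-LOGIN_INFORMATION: User phoenix_agent logged in "
    "from host 192.168.20.116 on device ttyp0",
]

# Facility codes 0..23 and severity codes 0..7 as defined in RFC 3164 / RFC 5424.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock", "local0",
              "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
# mgd UI_LOGIN_EVENT: user, login class, optional pid, and the ssh 4-tuple
# (client address/port, switch address/port).
LOGIN_RE = re.compile(
    r"UI_LOGIN_EVENT: User '(?P<user>[^']+)' login, class '(?P<cls>[^']+)'(?: \[\d+\])?, "
    r"ssh-connection '(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)'")
# login(1) message; the %AUTH-6- prefix is the explicit-priority tag.
AUTH_RE = re.compile(
    r"LOGIN_INFORMATION: User (?P<user>\S+) logged in from host (?P<src>\S+) on device (?P<tty>\S+)")


@dataclass
class JunosLogin:
    facility: str
    severity: str
    user: str
    src_ip: str
    detail: str


def decode_pri(pri: int) -> tuple[str, str]:
    """Syslog PRI is facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_junos_login(line: str) -> Optional[JunosLogin]:
    """Return the login details for a JunOS login message, or None for anything else."""
    m = PRI_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    rest = m["rest"]
    lm = LOGIN_RE.search(rest)
    if lm:
        return JunosLogin(facility, severity, lm["user"], lm["src"],
                          f"class={lm['cls']} via ssh to {lm['dst']}:{lm['dport']}")
    am = AUTH_RE.search(rest)
    if am:
        return JunosLogin(facility, severity, am["user"], am["src"], f"tty={am['tty']}")
    return None


def logins_by_user(lines):
    """Group login source addresses by user name, e.g. to spot a monitoring
    account such as phoenix_agent being used from an unexpected host."""
    out = {}
    for line in lines:
        ev = parse_junos_login(line)
        if ev:
            out.setdefault(ev.user, []).append(ev.src_ip)
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_junos_login(line))
```

`<190>` decodes to facility local7, severity info, and `<38>` to facility auth, severity info; because the configuration sends `any any` to the FortiSIEM host, the PRI in the header is the only facility/severity information on messages that do not carry the explicit-priority tag.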

sFlow

Routing the sFlow Datagram in EX Series Switches


According to Juniper documentation, the sFlow datagram cannot be routed over the management Ethernet interface (me0) or virtual management interface (vme0) in an EX Series switch implementation. It can only be exported over the network Gigabit Ethernet or 10-Gigabit Ethernet ports using valid route information in the routing table.

1. Log in to the device manager for your JunOS switch with administrator privileges.
2. Go to Configure > CLI Tools > Point and Click CLI.
3. Expand Protocols and select sflow.
4. Next to Collector, click Add new entry.
5. Enter the IP address for your FortiSIEM virtual appliance.
6. For UDP Port, enter 6343.
7. Click Commit.
8. Next to Interfaces, click Add new entry.
9. Enter the Interface Name for all interfaces that will send traffic over sFlow.
10. Click Commit.
11. To disable the management port, go to Configure > Management Access, and remove the address of the
management port.
You can also disconnect the cable.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Juniper JunOS

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


MikroTik Router

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

| Protocol | Information Discovered | Metrics collected | Used for |
|---|---|---|---|
| SNMP (V1, V2c) | Host name, software version, Hardware model, Network interfaces | Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring |

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.


Setting Value

Name <set name>

Device Type MikroTik RouterOS

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


Nortel ERS and Passport Switch

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

| Protocol | Information Discovered | Metrics collected | Used for |
|---|---|---|---|
| SNMP (V1, V2c) | Host name, software version, Hardware model, Network interfaces | Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring |
| SNMP (V1, V2c) | | Hardware status: Temperature | |
| SNMP (V1, V2c, V3) | | Layer 2 port mapping: associating switch ports to directly connected host IP/MAC addresses | Identity and location table; Topology |

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.


Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Nortel ERS / Nortel Passport

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration

Security Gateways

FortiSIEM supports these security gateways for discovery and monitoring.


- Barracuda Networks Spam Firewall
- Blue Coat Web Proxy
- Cisco IronPort Mail Gateway
- Cisco IronPort Web Gateway
- Fortinet FortiMail
- Fortinet FortiWeb
- Imperva Securesphere DB Monitoring Gateway
- Imperva Securesphere DB Security Gateway
- McAfee Vormetric Data Security Manager
- McAfee Web Gateway
- Microsoft ISA Server
- Squid Web Proxy
- SSH Comm Security CryptoAuditor
- Websense Web Filter

Barracuda Networks Spam Firewall

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

| Protocol | Information discovered | Metrics collected | Used for |
|---|---|---|---|
| SNMP | Host name, Interfaces, Serial number | CPU utilization, Memory utilization, Interface Utilization | Performance Monitoring |
| Syslog | | Various syslogs - scenarios include - mail scanned and allowed/denied/quarantined etc; mail sent and reject/delivered/defer/expired; mail received and allow/abort/block/quarantined etc. | Security Monitoring and compliance |

Event Types

In ADMIN > Device Support > Event, search for "barracuda" in the Device Type column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.


Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslogs to
FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your FortiSIEM virtual appliance.
- For Port, enter 514.
- Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Sample Parsed Barracuda Spam Firewall Syslog Message

<23>inbound/pass1[923]: 127.0.0.1 1300386119-473aa6a90001-sB89EM 0 0 RECV - 1 4D760309475 250 2.6.0 <E6BB7C56C6761D42AEAFBF7FC6E17E920156A38D@USNSSEXC174.us.kworld.kpmg.com> Queued mail for delivery

<23>scan[9390]: mail.netcontentinc.net[207.65.119.227] 1300386126-4739a8be0001-R6OEVB 1300386126 1300386128 SCAN - [email protected] [email protected] - 7 61 - SZ:34602 SUBJ:How FMLA Leave, ADA and Workers' Compensation Work Together April 28, 2011

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Barracuda Spam Firewall

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


Blue Coat Web Proxy

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

| Protocol | Information discovered | Metrics collected | Used for |
|---|---|---|---|
| SNMP | Host name, Interfaces, Serial number | CPU utilization, Memory utilization | Performance Monitoring |
| SNMP | | Proxy performance: Proxy cache object count, Proxy-to-server metrics: HTTP errors, HTTP requests, HTTP traffic (KBps); Server-to-proxy metrics: HTTP traffic (KBps), Client-to-proxy metrics: HTTP requests, HTTP Cache hit, HTTP errors, HTTP traffic (KBps); Proxy-to-client metrics: HTTP traffic (KBytes) | Performance Monitoring |
| SFTP | | Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration | Security Monitoring and compliance |
| Syslog | | Admin authentication success and failure | Security Monitoring and compliance |

Event Types

In ADMIN > Device Support > Event, search for "blue coat" in the Device Type and Description column to see the
event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.


Configuration

SNMP

The following procedures enable FortiSIEM to discover Bluecoat web proxy.


1. Log in to your Blue Coat management console.
2. Go to Maintenance > SNMP.
3. Under SNMP General, select Enable SNMP.
4. Under Community Strings, click Change Read Community, and then enter a community string that FortiSIEM can
use to access your device.
5. Click OK.

Syslog

Syslog is used by Blue Coat to send audit logs to FortiSIEM.


1. Log in to your Blue Coat management console.
2. Go to Maintenance > Event Logging.
3. Under Level, select Severe Errors, Configuration Events, Policy Messages, and Informational.
4. Under Syslog, enter the IP address of your FortiSIEM virtual appliance for Loghost.
5. Select Enable syslog.
6. Click Apply.

Sample Parsed Blue Coat Audit Syslog

<2> Sep 14 19:24:39 ao BluecoatAuthWebLog 0 2010-09-14 14:31:13 36 34.159.60.56 hz13321 - - OBSERVED "Audio/Video Clips" - 200 TCP_NC_MISS POST application/x-fcs http 213.200.94.86 80 /idle/WdPmdz02xSLO2sHS/25136 - - "Shockwave Flash" 34.160.179.201 1087 217 -

SFTP

SFTP is used to send access logs to FortiSIEM. Access logs include the traffic that Blue Coat proxies between the client and the server. The access logs are sent via FTP, where Blue Coat is the client and FortiSIEM is the server. You must configure SFTP in FortiSIEM first, and then on your Blue Coat web proxy server.

Configure FTP in FortiSIEM

1. Log in to your Supervisor node as root.


2. Change directory to /opt/phoenix/bin.
3. Run the ./phCreateBluecoatDestDir command to create an FTP user account.
The files sent from Blue Coat will be temporarily stored in this account. The script will create a user called ftpuser. If this user already exists, you do not need to create a new one. The script will ask for the IP address of Blue Coat and the password for the user ftpuser, and will then create the directory /opt/phoenix/cache/bluecoat/<Bluecoat IP>.
4. Run vi /etc/passwd to change the home directory for ftpuser to /opt/phoenix/cache/bluecoat.
Change only the home directory, do not change any other value.


Configure an Epilog client in FortiSIEM

The Epilog client converts each line of the log files in the /opt/phoenix/cache/bluecoat/<Bluecoat IP>
directory in real time into a syslog, and sends it to the FortiSIEM parser for processing.
1. Log in to your Supervisor or the Collector node as root.
2. Update the Epilog configuration in /etc/snare/epilog/epilog.conf as shown in this code block, and then
restart the epilog daemon with the /etc/init.d/epilogd restart command.

Output
network=localhost:514
syslog=2
Input
log=BluecoatWebLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_main.log
log=BluecoatImLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_im.log
log=BluecoatImLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_ssl.log
log=BluecoatP2pLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_p2p.log

Configure FTP in Blue Coat

1. Log in to your Blue Coat management console.


2. Go to Management Console > Configuration > Access Logging > General.
3. Select Enable Access Logging.
4. In the left-hand navigation, select Logs.
5. Under Upload Client, configure these settings.

| Setting | Value |
|---|---|
| Log | main |
| Client Type | FTP Client |
| Encryption Certificate | No Encryption |
| Keyring Signing | No Signing |
| Save the log file as | text file |
| Send partial buffer after | 1 seconds |
| Bandwidth Class | <none> |

6. Next to Client Type, click Settings.


7. Configure these settings.

| Setting | Value |
|---|---|
| Settings for Primary FTP Server | |
| Host | IP address of your FortiSIEM virtual appliance |
| Port | 514 |
| Path | /<Blue Coat IP Address> |
| Username | ftpuser |
| Change Primary Password | Use the password you created for ftpuser in FortiSIEM |
| Filename | SG_FortiSIEM_bluecoat_main.log |

8. Clear the selections Use Secure Connections (SSL) and Use Local Time.
9. Select Use Pasv.
10. Click OK.
11. Follow this same process to configure the settings for im, ssl and p2p.
For each of these, you will refer to a different Filename.
- For im the file name is SG_FortiSIEM_bluecoat_im.log
- For ssl the file name is SG_FortiSIEM_bluecoat_ssl.log
- For p2p the file name is SG_FortiSIEM_bluecoat_p2p.log

Sample Parsed Blue Coat Access Syslog

<2> Jun 25 11:15:33 SJ-QA-W-FDR-Test-01.prospect-hills.net BluecoatWebLog 0 2010-06-25 18:13:34 2021 192.168.22.21 200 TCP_TUNNELED 820 1075 CONNECT tcp accelops.webex.com 443 / - - - NONE 172.16.0.141 - - "WebEx Outlook Integration Http Agent" PROXIED "none" - 25.24.23.22

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Blue Coat CacheOS

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


Cisco IronPort Mail Gateway

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

| Protocol | Information discovered | Metrics collected | Used for |
|---|---|---|---|
| SNMP | | Ping Status, SNMP Ping Stat, Uptime, CPU Util, Mem Util, Net Intf Stat, Hardware Status | |
| Syslog | | Mail attributes: attributes include MID, ICID, DCID, Sender address, Receiver Address, Mail Subject, Sent Bytes, Attachment, Spam indicator, Virus indicator, Quarantine indicator, SMTP delivery failures and failure codes, mail action - pass, block, clean. | Security Monitoring and compliance |

Event Types

In ADMIN > Device Support > Event, search for "ironport-mail" in the Display Name column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

In RESOURCE > Reports, search for "ironport mail" in the Name and Description columns to see the reports for this
device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.


Syslog

1. Log in to your Ironport Mail Gateway device manager with administrator privileges.
2. Edit the Log Subscription settings.
3. For Log Name, enter IronPort-Mail.
This identifies the log to FortiSIEM as originating from an Ironport mail gateway device.
4. For Retrieval Method, select Syslog Push.
5. For Hostname, enter the IP address of your FortiSIEM virtual appliance.
6. For Protocol, select UDP.

Sample Parsed Ironport Mail Gateway Syslog

Tue Sep 24 11:39:49 2012 IronPort-Mail: Info: MID 200257071 ready 24663 bytes from <[email protected]>
Sep 24 11:39:49 18.0.19.8 IronPort-Mail: Info: MID 1347076 ICID 346818 From: <[email protected]>
Tue Sep 24 11:39:49 2012 IronPort-Mail: Info: Message aborted MID 200257071 Dropped by antivirus
Tue Sep 24 11:39:49 2012 IronPort-Mail: Info: Delayed: DCID 5 MID 200257071 to RID 0 - 4.1.0 - Unknown address error ('466', ['Mailbox temporarily full.'])[]
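The IronPort mail log spreads one message's history over several lines that share a MID (message ID), with ICID, DCID and RID identifying the injection connection, delivery connection and recipient. The following added example (not FortiSIEM's parser, not Cisco code) groups the sample lines above by MID so that a message's lifecycle, such as "received, then dropped by antivirus", can be read end to end; `SAMPLE` is a constructed copy of the four messages with placeholder addresses:

```python
"""Track a message through the IronPort mail log by its MID.
Added example; not FortiSIEM's parser.  Addresses are constructed placeholders."""
import re
from collections import defaultdict

# Constructed copy of the sample messages above.
SAMPLE = [
    "Tue Sep 24 11:39:49 2012 IronPort-Mail: Info: MID 200257071 ready 24663 bytes from <sender@example.com>",
    "Sep 24 11:39:49 18.0.19.8 IronPort-Mail: Info: MID 1347076 ICID 346818 From: <sender@example.com>",
    "Tue Sep 24 11:39:49 2012 IronPort-Mail: Info: Message aborted MID 200257071 Dropped by antivirus",
    "Tue Sep 24 11:39:49 2012 IronPort-Mail: Info: Delayed: DCID 5 MID 200257071 to RID 0 - 4.1.0 - "
    "Unknown address error ('466', ['Mailbox temporarily full.'])[]",
]

MID_RE = re.compile(r"\bMID (?P<mid>\d+)")
ID_RES = {name: re.compile(rf"\b{name} (\d+)") for name in ("ICID", "DCID", "RID")}
READY_RE = re.compile(r"\bready (?P<bytes>\d+) bytes from <(?P<sender>[^>]*)>")
ABORT_RE = re.compile(r"Message aborted MID \d+ (?P<reason>.+)$")
# "Delayed: ... - <enhanced status code> - <reason>"
DELAY_RE = re.compile(r"Delayed: .*? - (?P<code>\d\.\d\.\d) - (?P<reason>.+)$")
FROM_RE = re.compile(r"From: <(?P<sender>[^>]*)>")


def parse_line(line: str):
    """Classify one log line; returns None for lines that carry no MID."""
    m = MID_RE.search(line)
    if not m:
        return None
    ev = {"mid": m["mid"], "raw": line}
    for name, rx in ID_RES.items():
        mm = rx.search(line)
        if mm:
            ev[name.lower()] = mm.group(1)
    if (r := READY_RE.search(line)):
        ev.update(stage="ready", bytes=int(r["bytes"]), sender=r["sender"])
    elif (a := ABORT_RE.search(line)):
        ev.update(stage="aborted", reason=a["reason"])
    elif (d := DELAY_RE.search(line)):
        ev.update(stage="delayed", code=d["code"], reason=d["reason"])
    elif (f := FROM_RE.search(line)):
        ev.update(stage="envelope-from", sender=f["sender"])
    else:
        ev["stage"] = "other"
    return ev


def build_timelines(lines):
    """Group events by MID, preserving log order, so one message's
    lifecycle can be read end to end."""
    timelines = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            timelines[ev["mid"]].append(ev)
    return dict(timelines)


def dropped_by_antivirus(timelines):
    """MIDs the gateway aborted because the antivirus engine flagged them."""
    return sorted(mid for mid, evs in timelines.items()
                  if any(e["stage"] == "aborted" and "antivirus" in e["reason"].lower()
                         for e in evs))


if __name__ == "__main__":
    tl = build_timelines(SAMPLE)
    for mid, evs in tl.items():
        print(mid, [e["stage"] for e in evs])
    print("dropped by antivirus:", dropped_by_antivirus(tl))
```

The sample shows why correlation by MID matters: the "ready" line names the sender and size, the "aborted" line names the reason, and the "Delayed" line carries the SMTP enhanced status code, but none of them repeats the others' fields.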

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Cisco IronPort AsyncOS Mail

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


Cisco IronPort Web Gateway

- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

| Protocol | Information discovered | Metrics collected | Used for |
|---|---|---|---|
| Syslog | | Squid style web logs: attributes include Source IP Address, Destination Host name, Sent Bytes, Received Bytes, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, URL, HTTP Content type, Web Category, HTTP Proxy Action | Security Monitoring and compliance |

Event Types

In ADMIN > Device Support > Event, search for "ironport-web" in the Display Name column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

1. Log in to your Ironport gateway device manager with administrator privileges.


2. Edit the settings for Log Subscription.

| Setting | Value |
|---|---|
| Log Type | Access Logs |
| Log Name | IronPort-Web. This identifies the log to FortiSIEM as originating from an IronPort web gateway device. |
| Log Style | Squid |
| Custom Fields | %L %B %u |
| Enable Log Compression | Clear the selection |
| Retrieval Method | Syslog Push |
| Hostname | The IP address of your FortiSIEM virtual appliance |
| Protocol | UDP |

Sample Parsed Ironport Web Gateway Syslog

<134>Oct 09 09:19:25 IronPort-Web: Info: 1349795965.314 92 10.163.154.153 TCP_CLIENT_REFRESH_MISS/200 70798 GET http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Kaspersky/Package/1210090007/bases/base1b1d.kdc.cab - DIRECT/forefrontdl.microsoft.com application/octet-stream ALLOW_CUSTOMCAT_11-UnAuthenticated_Applications-APU_No_Auth-NONE-NONE-NONE-DefaultGroup <J_Doe,6.9,-,""-"",-,-,-,-,""-"",-,-,-,""-"",-,-,""-"",""-"",-,-,IW_swup,-,""-"",""-"",""Unknown"",""Unknown"",""-"",""-"",6156.35,0,-,""-"",""-""> - ""09/Oct/2012:09:19:25 -0600"" 71052 ""V3S;{6ADC64A3-11F9-4B04-8257-BEB541BE2975};""

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Cisco IronPort AsyncOS Web

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


Fortinet FortiMail

- What is Discovered and Monitored
- Configuration
- Rules
- Reports
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| Syslog | | System events (e.g. configuration changes), System up/down/restart events, Performance issues, Admin logon events, malware attachments | Security Monitoring and compliance |

Event Types

In ADMIN > Device Support > Event, search for "fortimail" to see the event types associated with this device.

Rules

In RESOURCE > Rules, search for "fortimail" to see the rules associated with this device.
For generic availability rules, see RESOURCE > Rules > Availability > Network.
For generic performance rules, see RESOURCE > Rules > Performance > Network.

Reports

In RESOURCE > Reports, search for "fortimail" to see the reports associated with this device.

Configuration

Syslog

Configure the FortiMail appliance to send logs to FortiSIEM. Make sure the format matches.
In the FortiMail GUI, go to Log & Report > Log Settings > Remote (tab) > New.
Suggested logging configuration:


| Name | Description |
|---|---|
| Name | Define a name for the configuration. |
| Server name/IP | Enter the resolvable DNS name or IP of the FortiSIEM appliance where logs will be sent. |
| Server port | 514 |
| Mode | UDP |
| Level | Information |
| Facility | kern |
| CSV format | leave disabled |
| Matched session only | leave disabled |


Sample Parsed FortiMail Syslog:

date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=event subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success reason=none msg="User admin login successfully from GUI(172.20.120.26)"

date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0200001075 type=statistics pri=information session_id="q6GJMuPu003642-q6GJMuPv003642" client_name="[172.20.140.94]" dst_ip="172.20.140.92" endpoint="" from="[email protected]" to="[email protected]" subject="" mailer="mta" resolved="OK" direction="in" virus="" disposition="Reject" classifier="Recipient Verification" message_length="188"

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Fortinet FortiMail

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


Fortinet FortiWeb

- What is Discovered and Monitored
- Configuration
- Rules
- Reports
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| SNMP | Host Name, Vendor, Model, Version, Hardware Model, hardware | CPU, memory, Disk, Interface, Uptime | Performance monitoring |
| Syslog | | System events (e.g. configuration changes), System up/down/restart events, Performance issues, Admin logon events, Security exploits | Security Monitoring and compliance |

Supported Syslog format

Currently, FortiSIEM supports the FortiWeb native logging format, not the CEF format.

Event Types

In ADMIN > Device Support > Event, search for "fortiweb" to see the event types associated with this device.

Rules

In RESOURCE > Rules, search for "fortiweb" to see the rules associated with this device.
For generic availability rules, see RESOURCE > Rules > Availability > Network.
For generic performance rules, see RESOURCE > Rules > Performance > Network.

Reports

In RESOURCE > Reports, search for "fortiweb" to see the reports associated with this device.


Configuration

Syslog

Configure the FortiWeb appliance to send logs to FortiSIEM. Make sure the format matches.

Sample FortiWeb Syslog:

date=2016-02-18 time=10:00:05 log_id=00001002 msg_id=000067508821 device_id=FV400D3A15000010 vd="root" timezone="(GMT+3:00)Baghdad" type=event subtype="admin" pri=information trigger_policy="" user=admin ui=GUI action=edit status=success msg="User admin changed global from GUI(172.22.6.66)
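FortiMail and FortiWeb both log in the Fortinet key=value format shown in the two sample sections above: bare values up to the next space, double-quoted values that may contain spaces and parentheses, and (in the FortiMail statistics sample) a closing quote followed immediately by the next key with no space. The FortiWeb sample's `msg` value is also cut off without its closing quote, which is how a truncated record looks on the wire. The following added example (not FortiSIEM's parser, not Fortinet code) handles all of these and normalises the admin-audit fields the two products share; the sample strings are constructed copies with placeholder e-mail addresses:

```python
"""Parse Fortinet key=value syslog records (FortiMail / FortiWeb) and normalise
admin audit events.  Added example; not FortiSIEM's parser.
E-mail addresses in the samples are constructed placeholders."""
import re
import string

KEY_CHARS = frozenset(string.ascii_letters + string.digits + "_")

# Constructed copies of the samples in the guide.
FORTIMAIL_ADMIN = (
    "date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=event "
    "subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success "
    'reason=none msg="User admin login successfully from GUI(172.20.120.26)"'
)
FORTIMAIL_STATS = (
    "date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0200001075 type=statistics "
    'pri=information session_id="q6GJMuPu003642-q6GJMuPv003642" client_name="[172.20.140.94]" '
    'dst_ip="172.20.140.92" endpoint="" from="sender@example.com" to="rcpt@example.com" '
    'subject=""mailer="mta" resolved="OK" direction="in" virus="" disposition="Reject" '
    'classifier="Recipient Verification" message_length="188"'
)
# FortiWeb sample: the msg value is cut off with no closing quote.
FORTIWEB_ADMIN = (
    "date=2016-02-18 time=10:00:05 log_id=00001002 msg_id=000067508821 device_id=FV400D3A15000010 "
    'vd="root" timezone="(GMT+3:00)Baghdad" type=event subtype="admin" pri=information '
    'trigger_policy="" user=admin ui=GUI action=edit status=success msg="User admin changed '
    "global from GUI(172.22.6.66)"
)


def parse_fortinet_kv(line: str):
    """Return (fields, complete).  complete is False when a quoted value was never
    closed (a truncated record); the partial value is still returned."""
    fields = {}
    i, n = 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
            continue
        j = i
        while j < n and line[j] in KEY_CHARS:
            j += 1
        if j == i or j >= n or line[j] != "=":
            # Not a key=value token (stray text): skip to the next whitespace.
            while i < n and not line[i].isspace():
                i += 1
            continue
        key = line[i:j]
        i = j + 1
        if i < n and line[i] == '"':
            end = line.find('"', i + 1)
            if end == -1:
                fields[key] = line[i + 1:]
                return fields, False
            fields[key] = line[i + 1:end]
            i = end + 1          # the next key may follow the quote with no space
        else:
            j = i
            while j < n and not line[j].isspace():
                j += 1
            fields[key] = line[i:j]
            i = j
    return fields, True


SRC_IN_PARENS = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def admin_activity(fields):
    """Normalise an admin event from either product; None for non-admin records."""
    if fields.get("type") != "event" or fields.get("subtype") != "admin":
        return None
    # FortiMail carries the client IP in ui=GUI(a.b.c.d); the FortiWeb sample has it only in msg.
    m = SRC_IN_PARENS.search(fields.get("ui", "")) or SRC_IN_PARENS.search(fields.get("msg", ""))
    return {
        "device": fields.get("device_id"),
        "when": f"{fields.get('date')} {fields.get('time')}",
        "user": fields.get("user"),
        "action": fields.get("action"),
        "status": fields.get("status"),
        "src_ip": m.group(1) if m else None,
    }


if __name__ == "__main__":
    for sample in (FORTIMAIL_ADMIN, FORTIMAIL_STATS, FORTIWEB_ADMIN):
        fields, complete = parse_fortinet_kv(sample)
        print(complete, admin_activity(fields))
```

A hand-written scanner is used instead of a single regular expression because the grammar has two value forms and the FortiMail sample shows that a space between pairs cannot be relied on; the `complete` flag lets a pipeline count truncated records rather than silently accepting a cut-off `msg`.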

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Fortinet FortiWeb

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


Imperva Securesphere DB Monitoring Gateway

Configuration in FortiSIEM

Complete these steps in the FortiSIEM UI:


1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
b. Enter these settings in the Access Method Definition dialog box:

| Setting | Value |
|---|---|
| Name | <set name> |
| Device Type | Imperva Securesphere DB Monitoring Gateway |
| Access Protocol | See Access Credentials |
| Port | See Access Credentials |
| Password config | See Password Configuration |
| User Name | A user who has access credentials for the device |
| Password | The password for the user |
| Super Password | Password for Super |

3. In Step 2, Enter IP Range to Credential Associations:


a. Select the name of your credential from the Credentials drop-down list.
b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
c. Click Save.
4. Click Test to test the connection to Imperva Securesphere DB Monitoring Gateway.
5. To see the jobs associated with Imperva, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter Imperva in the search box.


Imperva Securesphere DB Security Gateway

What is Discovered and Monitored

The ImpervaParser parser collects syslog log events in CEF format.

Configuration

Setup in FortiSIEM

Complete these steps in the FortiSIEM UI:


1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
b. Enter these settings in the Access Method Definition dialog box:

| Setting | Value |
|---|---|
| Name | <set name> |
| Device Type | Imperva Securesphere DB Security Gateway |
| Access Protocol | See Access Credentials |
| Port | See Access Credentials |
| Password config | See Password Configuration |
| User Name | A user who has access credentials for the device |
| Password | The password for the user |
| Super Password | Password for Super |

3. In Step 2, Enter IP Range to Credential Associations:


a. Select the name of your credential from the Credentials drop-down list.
b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
c. Click Save.
4. Click Test to test the connection to Imperva Securesphere DB Security Gateway.
5. To see the jobs associated with Imperva, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter Imperva in the search box.


Sample Events

<14>CEF:0|Imperva Inc.|SecureSphere|11.5.0.20_0|Audit|Audit|Informative|dst=10.2.6.194 dpt=3306 duser=wf_settlement src=10.2.6.48 spt=59876 proto=TCP rt=11 April 2016 14:07:09 cat=Audit Default Rule - All cs2Label=ServerGroup cs3=ProcessMakerDBFX cs3Label=ServiceName cs4=Default MySql Application cs4Label=ApplicationName cs5=642697783064 cs5Label=EventId cs6=Query cs6Label=EventType cs7=Default MySql group cs7Label=UserGroup cs8=True cs8Label=UserAuthenticated cs9= cs9Label=ApplicationUser cs10= cs10Label=SourceApplication cs11= cs11Label=OSUser cs12= cs12Label=HostName cs13=wf_settlement cs13Label=Database cs14= cs14Label=Schema cs15=SELECT COUNT(APP_CACHE_VIEW.APP_UID) FROM APP_CACHE_VIEW LEFT JOIN USERS CU ON (APP_CACHE_VIEW.USR_UID=CU.USR_UID) LEFT JOIN USERS PU ON (APP_CACHE_VIEW.PREVIOUS_USR_UID=PU.USR_UID) LEFT JOIN APP_CACHE_VIEW APPCVCR ON (APP_CACHE_VIEW.APP_UID=APPCVCR.APP_UID AND APPCVCR.DEL_LAST_INDEX=1) LEFT JOIN USERS USRCR ON (APPCVCR.USR_UID=USRCR.USR_UID) WHERE APP_CACHE_VIEW.APP_STATUS='TO_DO' AND APP_CACHE_VIEW.USR_UID='2800810224bbdfe1cc8bb02024369548' AND APP_CACHE_VIEW.DEL_FINISH_DATE IS NULL AND APP_CACHE_VIEW.APP_THREAD_STATUS='OPEN' AND APP_CACHE_VIEW.DEL_THREAD_STATUS='OPEN' cs15Label=RawQuery cs16=select count(app_cache_view.app_uid) from app_cache_view left join users cu on (app_cache_view.usr_uid=cu.usr_uid) left join users pu on (app_cache_view.previous_usr_uid=pu.usr_uid) left join app_cache_view appcvcr on (app_cache_view.app_uid=appcvcr.app_uid and appcvcr.del_last_index=?) left join users usrcr on (appcvcr.usr_uid=usrcr.usr_uid) where app_cache_view.app_status=? and app_cache_view.usr_uid=? and app_cache_view.del_finish_date is ? and app_cache_view.app_thread_status=? and app_cache_view.del_thread_status=? cs16Label=ParsedQuery cs17= cs17Label=BindVariables cs18= cs18Label=SQLError cs19=1 cs19Label=ResponseSize cs20=0 cs20Label=ResponseTime cs21=0 cs21Label=AffectedRows


McAfee Vormetric Data Security Manager

- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration

What is Discovered and Monitored

| Protocol | Information Discovered | Data Collected | Used for |
|---|---|---|---|
| Syslog (CEF format) | | 1 event type | Security and Compliance |

Event Types

In RESOURCE > Event Types, Search for “Vormetric-”.

Sample Event Type:

<14> 2013-06-29T18:44:42.420Z 10.10.10.1 CEF:0|Vormetric, Inc.|dsm|5.2.0.1|DAO0048I|update host|3|cs4Label=logger cs4=DAO spid=4322 rt=1388986263954 dvchost=example.com suser=USER_1 shost=test_cpu

Rules

There are no specific rules, but the generic rules for Security Manager and Generic Servers apply.

Reports

There are no specific reports, but the generic reports for Security Manager and Generic Servers apply.

Configuration

Configure Vormetric Data Security Manager to send syslog in CEF format on port 514 to FortiSIEM.
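Both the Imperva SecureSphere sample (under Imperva Securesphere DB Security Gateway above) and the Vormetric sample above are CEF: seven `|`-separated header fields after `CEF:`, then an extension of key=value pairs whose values may contain spaces, and custom fields `csN` whose meaning is given by a companion `csNLabel`. The Imperva record is the harder case, because its `RawQuery` value contains `=` signs inside the SQL. The following added example (not FortiSIEM's ImpervaParser, not vendor code) parses both; `IMPERVA_SAMPLE` is an abridged constructed copy of the Imperva record (shorter SQL, but keeping the `=` inside the query) and `VORMETRIC_SAMPLE` a constructed copy of the Vormetric one:

```python
"""Parse CEF syslog records and resolve csN/csNLabel pairs.
Added example; not FortiSIEM's ImpervaParser.  Samples are constructed copies
of the guide's records (the Imperva SQL is abridged)."""
import re
from dataclasses import dataclass, field

IMPERVA_SAMPLE = (
    "<14>CEF:0|Imperva Inc.|SecureSphere|11.5.0.20_0|Audit|Audit|Informative|dst=10.2.6.194 "
    "dpt=3306 duser=wf_settlement src=10.2.6.48 spt=59876 proto=TCP rt=11 April 2016 14:07:09 "
    "cat=Audit Default Rule - All cs2Label=ServerGroup cs3=ProcessMakerDBFX cs3Label=ServiceName "
    "cs4=Default MySql Application cs4Label=ApplicationName cs5=642697783064 cs5Label=EventId "
    "cs6=Query cs6Label=EventType cs7=Default MySql group cs7Label=UserGroup cs8=True "
    "cs8Label=UserAuthenticated cs9= cs9Label=ApplicationUser cs10= cs10Label=SourceApplication "
    "cs11= cs11Label=OSUser cs12= cs12Label=HostName cs13=wf_settlement cs13Label=Database cs14= "
    "cs14Label=Schema cs15=SELECT COUNT(APP_CACHE_VIEW.APP_UID) FROM APP_CACHE_VIEW LEFT JOIN USERS "
    "CU ON (APP_CACHE_VIEW.USR_UID=CU.USR_UID) WHERE APP_CACHE_VIEW.APP_STATUS='TO_DO' "
    "cs15Label=RawQuery cs16=select count(app_cache_view.app_uid) from app_cache_view left join "
    "users cu on (app_cache_view.usr_uid=cu.usr_uid) where app_cache_view.app_status=? "
    "cs16Label=ParsedQuery cs17= cs17Label=BindVariables cs18= cs18Label=SQLError "
    "cs19=1 cs19Label=ResponseSize cs20=0 cs20Label=ResponseTime cs21=0 cs21Label=AffectedRows"
)
VORMETRIC_SAMPLE = (
    "<14> 2013-06-29T18:44:42.420Z 10.10.10.1 CEF:0|Vormetric, Inc.|dsm|5.2.0.1|DAO0048I|update "
    "host|3|cs4Label=logger cs4=DAO spid=4322 rt=1388986263954 dvchost=example.com suser=USER_1 "
    "shost=test_cpu"
)

HEADER_SPLIT = re.compile(r"(?<!\\)\|")          # '|' unless escaped as '\|'
# An extension key starts the extension or follows whitespace.  An '=' inside a
# value (e.g. 'A.USR_UID=B.USR_UID' in SQL) is preceded by '.' or a letter, not
# whitespace, so it is not taken as a key.
KEY_RE = re.compile(r"(?:^|(?<=\s))(?P<key>[A-Za-z0-9_]+)=")


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: dict = field(default_factory=dict)


def _unescape_header(s: str) -> str:
    return s.replace("\\|", "|").replace("\\\\", "\\")


def _unescape_ext(s: str) -> str:
    return s.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\")


def parse_cef(line: str) -> CefEvent:
    """Parse a line carrying a CEF record; any syslog PRI/timestamp/host prefix
    before 'CEF:' is ignored."""
    start = line.find("CEF:")
    if start == -1:
        raise ValueError("no CEF header in line")
    parts = HEADER_SPLIT.split(line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 '|'-separated fields")
    ext_text = parts[7]
    ext = {}
    keys = list(KEY_RE.finditer(ext_text))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext_text)
        ext[m["key"]] = _unescape_ext(ext_text[m.end():end].strip())
    return CefEvent(*[_unescape_header(p) for p in parts[:7]], extension=ext)


def labeled_extension(ev: CefEvent) -> dict:
    """Rename custom fields by their *Label companions (cs13 + cs13Label=Database -> Database)."""
    out = {}
    for key, value in ev.extension.items():
        if key.endswith("Label"):
            continue
        out[ev.extension.get(key + "Label", key)] = value
    return out


def db_audit_summary(ev: CefEvent) -> dict:
    """The fields a DB-activity reviewer looks at first in an Imperva Audit record."""
    lab = labeled_extension(ev)
    return {
        "client": f"{ev.extension.get('src')}:{ev.extension.get('spt')}",
        "server": f"{ev.extension.get('dst')}:{ev.extension.get('dpt')}",
        "db_user": ev.extension.get("duser"),
        "database": lab.get("Database"),
        "event_type": lab.get("EventType"),
        "sql_error": lab.get("SQLError") or None,
        "affected_rows": int(lab.get("AffectedRows") or 0),
    }


if __name__ == "__main__":
    print(db_audit_summary(parse_cef(IMPERVA_SAMPLE)))
    print(labeled_extension(parse_cef(VORMETRIC_SAMPLE)))
```

Splitting the extension on whitespace-preceded keys rather than on every `=` is what keeps the SQL in `RawQuery` intact; the same rule handles `rt=11 April 2016 14:07:09` and `cat=Audit Default Rule - All`, whose values contain spaces, and the empty `cs9=`.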


McAfee Web Gateway

- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

| Protocol | Information discovered | Metrics collected | Used for |
|---|---|---|---|
| Syslog | | Parsed event attributes: include Source IP, Destination URL, HTTP Method, HTTP User agent, HTTP Status Code, HTTP Content Type, Blocked Reason, Risk | Security Monitoring and compliance |

Event Types

In ADMIN > Device Support > Event, search for "mcafee_web" in the Device Type column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslogs to
FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
- For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your FortiSIEM virtual
  appliance.
- For Port, enter 514.
- Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that
  shown in the example.

Sample Parsed McAfee Web Gateway Syslog Messages

[21/Feb/2012:11:44:19 -0500] "" 10.200.11.170 200 "GET http://abc.com/ HTTP/1.1" "General News" "Minimal Risk" "text/html" 101527 "" "" "0"

[30/May/2012:10:39:44 -0400] "" 10.19.2.63 200 "GET http://abc.com/html.ng/site=cnn&cnn_pagetype=main&cnn_position=126x31_spon2&cnn_rollup=homepage&page.allowcompete=no&params.styles=fs&Params.User.UserID=4fc6251c068c9f0aa51475025d0040b8&transactionID=7179860628805012&tile=4893878838331&domId=135492 HTTP/1.1" "Web Ads, Forum/Bulletin Boards" "MinimalRisk" "text/html" 1 "" "" "0"

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting | Value
Name | <set name>
Device Type | McAfee WebGateway
Access Protocol | See Access Credentials
Port | See Access Credentials
Password config | See Password Configuration


Microsoft ISA Server

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Application type | Process level metrics: CPU utilization, memory utilization | Performance Monitoring
WMI | Application type, service mappings | Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O | Performance Monitoring
Syslog (via SNARE) | Application type | W3C proxy logs: attributes include Service Instance, Source IP, User, Destination IP, Destination Port, Sent Bytes, Received Bytes, Connection Duration, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, URL, Source interface, Destination interface, Proxy action | Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event, search for "isa server" in the Device Type and Description columns to see the
event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you must still add FortiSIEM to the hosts from which
the server accepts SNMP packets. First make sure that the SNMP Management tool has been installed on your device.
1. In the Start menu, go to Administrative Tools > Services.
2. Go to Control Panel > Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. Select Management and Monitoring Tools and click Details.
Make sure that Simple Network Management Tool is selected.
If it isn't selected, select it, and then click Next to install.
5. Go to Start > Administrative Tools > Services.
6. Select and open SNMP Service.
7. Click the Security tab.
8. Select Send authentication trap.
9. Under Accepted community names, make sure there is a READ ONLY entry for the community string you will configure in
FortiSIEM. The guide uses the default public; choose a non-default value instead, because SNMP v1 and v2c send the
community string in cleartext with every request and it is the only authentication those versions have.
10. Select Accept SNMP packets from these hosts.
11. Click Add.
12. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
13. Click Add.
14. Click Apply.
15. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you must still add FortiSIEM to the hosts from which
the server accepts SNMP packets. First check that SNMP Services has been enabled for your server.
1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
2. In the Start menu, select Control Panel.
3. Under Programs, click Turn Windows features on/off.
4. Under Features, see if SNMP Services is installed.
If not, click Add Feature, then select SNMP Service and click Next to install the service.
5. In the Server Manager window, go to Services > SNMP Services.
6. Select and open SNMP Service.
7. Click the Security tab.
8. Select Send authentication trap.
9. Under Accepted community names, make sure there is a READ ONLY entry for the community string you will configure in
FortiSIEM. As on Windows Server 2003, replace the default public with a non-default value, since v1/v2c send it in
cleartext.
10. Select Accept SNMP packets from these hosts.
11. Click Add.
12. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
13. Click Add.
14. Click Apply.
15. Under SNMP Service, click Restart service.


WMI

Configuring WMI on your device so FortiSIEM can discover and monitor it requires a user account that has access to the
WMI objects on the device. There are two ways to do this:
- Creating a Generic User Who Does Not Belong to the Local Administrator Group
- Creating a User Who Belongs to the Domain Administrator Group
Prefer the first option wherever it works. The monitoring credential is stored on the FortiSIEM appliance and presented
to every monitored host, so a Domain Admin monitoring account turns a compromise of that credential into full control
of the domain, whereas the restricted account only holds the DCOM, Performance Monitor Users and WMI namespace rights
set out below.

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and
the Performance Monitor Users Group

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and
Groups.
2. Right-click Users and select Add User.
3. Create a user.
4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
5. In the Distributed COM Users Properties dialog, click Add.
6. Find the user you created, and then click OK.
This is the account you must use to set up the Performance Monitor Users group permissions.
7. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
8. Repeat steps 4 through 7 for the Performance Monitor Users group.

Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local
Access and Remote Access set to Allowed.
5. Click OK.
6. Under Access Permissions, click Edit Defaults.
7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local
Access and Remote Access set to Allowed.
8. Click OK.
9. Under Launch and Activation Permissions, click Edit Limits.
10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the
permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. Click OK.
12. Under Launch and Activation Permissions, click Edit Defaults.
13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the
permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.


See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the
Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Domain Administrators Group

1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select Add User.
3. Create a user in your domain (the guide's example domain is accelops.com).
For example, [email protected].
4. Go to Groups, right-click Domain Admins, and then click Add to Group.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. For Enter the object names to select, enter the user you created in step 3.
7. Click OK to close the Domain Admins Properties dialog.
8. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both
Local Access and Remote Access.
5. Click OK.
6. In the COM Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for
both Local Access and Remote Access.
8. Click OK.
9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local
Launch, Remote Launch, Local Activation, and Remote Activation.
11. In the COM Security tab, under Launch and Activation Permissions, click Edit Defaults.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local
Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored
device.


1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and
Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security tab.
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the
permission Allow for Enable Account and Remote Enable.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

1. In the Start menu, select Run.
2. Run gpedit.msc.
3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network >
Network Connections > Windows Firewall.
4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the
domain or not.
5. Select Windows Firewall: Allow remote administration exception.
6. Run cmd.exe and enter these two commands. The first opens TCP 135, the RPC endpoint mapper that DCOM connections
start on; the second allows the WMI unsecured-apartment callback process through the firewall:
netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP

7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and then click OK.
You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery
Settings" and "Setting Credentials" in the User Guide.

Syslog

Use the Windows Agent Installation Guide to configure sending syslogs from your device to FortiSIEM.


Sample Microsoft ISA Server Syslog

<13>Mar 6 20:56:03 ISA.test.local ISAWebLog 0 192.168.69.9 anonymous Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 Y 2011-03-05 21:33:55 w3proxy ISA - 212.58.246.82 212.58.246.82 80 156 636 634 http TCP GET http://212.58.246.82/rss/newsonline_uk_edition/front_page/rss.xml text/html; charset=iso-8859-1 Inet 301 0x41200100 Local Machine Req ID: 07c10445; Compression: client=No, server=No, compress rate=0% decompress rate=0% Local Host External 0x400 Allowed 2011-03-05 21:33:55 -

Settings for Access Credentials

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the
Name and Community String.

Setting | Value
Name | <set name>
Device Type | Generic
Access Protocol | SNMP
Community String | <your own>


Squid Web Proxy

- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Host name, Interfaces, Serial number | CPU utilization, Memory utilization | Performance Monitoring
Syslog | - | Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration | Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event, search for "squid" in the Description and Device Type columns to see the
event types associated with this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Syslog

1. Add this line to the logformat section in /etc/squid/squid.conf.

logformat PHCombined %>a %>p %<A %la %lp %tr %ul %ui %un %us %ue [%tl] %rm "%ru" HTTP/%rv %Hs %<st %>st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

2. Add this line to the access_log section in /etc/squid/squid.conf.

access_log syslog:LOG_LOCAL4 PHCombined

3. Restart Squid.


Configure syslogd (or rsyslogd) to Forward the Logs to FortiSIEM

1. Add this line to /etc/syslog.conf (/etc/rsyslog.conf if running rsyslog) so that everything Squid writes to the
local4 facility is forwarded:

local4.* @<FortiSIEMIp>

A single @ forwards over UDP port 514. rsyslog also accepts @@<FortiSIEMIp> to forward over TCP, which avoids the
silent loss of UDP datagrams under load if the FortiSIEM collector is configured to listen on TCP.

2. Restart syslogd (or rsyslogd).

Sample Parsed Squid Syslog Messages

The <166> priority at the start of each sample decodes to facility local4 (20 x 8 = 160) plus severity info (6),
which confirms that the LOG_LOCAL4 setting above survived the forwarding chain unchanged.

Squid on Linux with syslog locally to forward to FortiSIEM

<166>squid[28988]: 192.168.25.15 51734 65.54.87.157 172.16.10.40 3128 5989 - - - - - [22/Apr/2011:17:17:46 -0700] GET "http://col.stj.s-msn.com/br/sc/js/jquery/jquery-1.4.2.min.js" HTTP/1.1 200 26141 407 "http://www.msn.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16" TCP_MISS:DIRECT

Squid on Linux with syslog-ng locally to forward to FortiSIEM

<166>Oct 20 09:21:54 QA-V-CentOS-Syslog-ng squid[7082]: 192.168.20.42 1107 74.125.19.100 172.16.10.34 3128 291 - - - - - [20/Oct/2009:09:21:54 -0700] GET "http://clients1.google.com/generate_204" HTTP/1.1 204 387 603 "http://www.google.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT

Squid on Linux with syslog locally and forward to syslog-ng remotely to forward to FortiSIEM

<166>Oct 20 10:21:42 172.16.10.40 squid[26033]: 192.168.20.42 1121 66.235.132.121 172.16.10.40 3128 117 - - - - - [20/Oct/2009:12:05:49 -0700] GET "http://metrics.sun.com/b/ss/sunglobal,suncom,sunstruppdev/1/H.14/s21779365053734?" HTTP/1.1 200 746 1177 "http://www.sun.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT

Squid on Linux with syslog-ng locally and forward to syslog-ng remotely to forward to FortiSIEM

<166>Oct 20 12:44:12 172.16.10.40 squid[26033]: 192.168.20.42 1125 64.213.38.80 172.16.10.40 3128 117 - - - - - [20/Oct/2009:12:44:12 -0700] GET "http://www-cdn.sun.com/images/hp5/hp5b_enterprise_10-19-09.jpg" HTTP/1.1 200 12271 520 "http://www.sun.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT

Squid on Solaris with syslog locally to forward to FortiSIEM

<166>May 6 17:55:48 squid[1773]: [ID 702911 local4.info] 192.168.20.39 1715 72.14.223.18 172.16.10.6 3128 674 - - - - - [06/May/2008:17:55:48 -0700] GET "http://mail.google.com/mail/?" HTTP/1.1 302 1061 568 "http://www.google.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14" TCP_MISS:DIRECT

Squid on Solaris with syslog locally and forward to syslog-ng remotely to forward to FortiSIEM

<166>Oct 20 13:02:19 172.16.10.6 squid[687]: [ID 702911 local4.info] 192.168.20.42 1112 208.92.236.184 172.16.10.6 3128 201 - - - - - [20/Oct/2009:13:02:19 -0700] GET "http://m.webtrends.com/dcs4f6vsz99k7mayiw2jzupyr_1s2e/dcs.gif?" HTTP/1.1 200 685 1604 "http://www.microsoft.com/en/us/default.aspx" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" TCP_MISS:DIRECT
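A parser for the PHCombined format defined in the squid.conf step above, as an added example; it is not code from Squid, FortiSIEM or this guide. It strips the syslog envelope in the variants the samples show (bare, relayed through syslog-ng with a hostname, and Solaris with its [ID ...] tag), decodes the priority into facility and severity, converts the numeric fields and maps Squid's "-" placeholders to None. The two sample lines are copied from the samples above, and bytes_by_client is the per-client roll-up of the Sent Bytes and Received Bytes attributes listed in the table for this device.

```python
import re
from datetime import datetime

# Added example: parser for the PHCombined logformat configured above,
#   %>a %>p %<A %la %lp %tr %ul %ui %un %us %ue [%tl] %rm "%ru" HTTP/%rv
#   %Hs %<st %>st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
# Not Squid's or FortiSIEM's code.
_PHCOMBINED = re.compile(
    r'^(?P<client_ip>\S+) (?P<client_port>\d+) (?P<server>\S+) '      # %>a %>p %<A
    r'(?P<local_ip>\S+) (?P<local_port>\d+) (?P<duration_ms>\d+) '    # %la %lp %tr
    r'(?P<login_user>\S+) (?P<ident_user>\S+) (?P<user>\S+) '          # %ul %ui %un
    r'(?P<ssl_user>\S+) (?P<external_acl_user>\S+) '                   # %us %ue
    r'\[(?P<time>[^\]]+)\] (?P<method>\S+) "(?P<url>[^"]*)" '          # [%tl] %rm "%ru"
    r'HTTP/(?P<http_version>\S+) (?P<status>\d+) '                     # HTTP/%rv %Hs
    r'(?P<reply_bytes>\d+) (?P<request_bytes>\d+) '                    # %<st %>st
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" '                   # Referer, User-Agent
    r'(?P<squid_status>[^:\s]+):(?P<hierarchy>\S+)$'                   # %Ss:%Sh
)

# Syslog envelope seen in the samples: "<PRI>", an optional timestamp and host added by
# a syslog-ng relay, "squid[pid]:", and on Solaris an extra "[ID nnnnnn local4.info]" tag.
_ENVELOPE = re.compile(
    r'^<(?P<pri>\d+)>.*?squid\[(?P<pid>\d+)\]:\s*(?:\[ID \d+ \S+\]\s*)?(?P<body>.*)$'
)
_INT_FIELDS = ("client_port", "local_port", "duration_ms", "status", "reply_bytes", "request_bytes")
_USER_FIELDS = ("login_user", "ident_user", "user", "ssl_user", "external_acl_user")


def parse_squid_syslog(line):
    """Return a dict for one forwarded PHCombined line; raise ValueError if it does not match."""
    env = _ENVELOPE.match(line.strip())
    if env is None:
        raise ValueError("not a squid syslog line")
    m = _PHCOMBINED.match(env.group("body"))
    if m is None:
        raise ValueError("body is not in PHCombined format")
    rec = m.groupdict()
    pri = int(env.group("pri"))
    rec["facility"], rec["severity"] = pri // 8, pri % 8      # <166> -> local4 (20), info (6)
    rec["pid"] = int(env.group("pid"))
    for f in _INT_FIELDS:
        rec[f] = int(rec[f])
    for f in _USER_FIELDS:                                    # Squid writes "-" for an absent value
        if rec[f] == "-":
            rec[f] = None
    rec["referer"] = rec["referer"] or None
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def bytes_by_client(lines):
    """Total reply + request bytes per client IP; lines that do not parse are skipped, not fatal."""
    totals = {}
    for line in lines:
        try:
            rec = parse_squid_syslog(line)
        except ValueError:
            continue
        totals[rec["client_ip"]] = totals.get(rec["client_ip"], 0) + rec["reply_bytes"] + rec["request_bytes"]
    return totals


# Sample inputs copied from the guide's Linux (plain syslog) and Solaris samples above.
LINUX_SAMPLE = (
    '<166>squid[28988]: 192.168.25.15 51734 65.54.87.157 172.16.10.40 3128 5989 - - - - - '
    '[22/Apr/2011:17:17:46 -0700] GET "http://col.stj.s-msn.com/br/sc/js/jquery/jquery-1.4.2.min.js" '
    'HTTP/1.1 200 26141 407 "http://www.msn.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; '
    'rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16" TCP_MISS:DIRECT'
)
SOLARIS_SAMPLE = (
    '<166>May 6 17:55:48 squid[1773]: [ID 702911 local4.info] 192.168.20.39 1715 72.14.223.18 '
    '172.16.10.6 3128 674 - - - - - [06/May/2008:17:55:48 -0700] GET "http://mail.google.com/mail/?" '
    'HTTP/1.1 302 1061 568 "http://www.google.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; '
    'rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14" TCP_MISS:DIRECT'
)

if __name__ == "__main__":
    for rec in (parse_squid_syslog(LINUX_SAMPLE), parse_squid_syslog(SOLARIS_SAMPLE)):
        print(rec["client_ip"], rec["method"], rec["status"], rec["url"], rec["squid_status"])
    print(bytes_by_client([LINUX_SAMPLE, SOLARIS_SAMPLE]))
```

The envelope is matched separately from the body so that a relay which prepends its own timestamp and hostname, or Solaris' [ID ...] tag, does not break the field positions; a line whose body does not match is reported rather than silently mis-parsed, which is what you want when checking that a change to logformat has not shifted the columns.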


SSH Comm Security CryptoAuditor

- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration

What is Discovered and Monitored

Protocol | Information Discovered | Data Collected | Used for
Syslog (CEF format) | - | 15 event types | Security and Compliance

Event Types

In RESOURCE > Event Types, search for "CryptoAuditor-".

Sample Event Type:

<189>Jun 24 15:43:01 auditor ssh-auditor[4067]: CEF:0|SSH|CryptoAuditor|1.6.0|4201|Connection_received|1|rt=Jun 26 2015 07:48:24 SshAuditorSrc=10.1.78.8 spt=34453 SshAuditorDst=10.1.78.8 dpt=10022 SshAuditorSessionId=21 SshAuditorUsername=testuser SshAuditorRemoteusername=testuser SshAuditorProtocolsessionId=C089C55D9ADE0A4F901917D69B46B01223A02B70 SshAuditorVirtualLAN=0 cs1=source connection cs1Label=Text

<189>Jun 24 15:43:01 auditor ssh-auditor[4067]: CEF:0|SSH|CryptoAuditor|1.6.0|4201|Connection_received|rt=Jun 26 2015 07:48:24 SshAuditorSrc=10.1.78.8 spt=34453 SshAuditorDst=10.1.78.8 dpt=10022 SshAuditorSessionId=21 SshAuditorUsername=testuser SshAuditorRemoteusername=testuser SshAuditorProtocolsessionId=C089C55D9ADE0A4F901917D69B46B01223A02B70 SshAuditorVirtualLAN=0 cs1=source connection cs1Label=Text

Rules

There are no specific rules but generic rules for Generic Servers apply.

Reports

There are no specific reports but generic reports for Generic Servers apply.

Configuration

Configure SSH Comm Security CryptoAuditor to send syslog on port 514 to FortiSIEM.


Websense Web Filter

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
Syslog | - | Parsed event attributes include Source IP, Destination Name, Destination URL, HTTP Method, HTTP User agent, HTTP Status Code, HTTP Content Type, Blocked Reason, Website category, HTTP Disposition, Sent Bytes, Recv Bytes, Duration, File Type etc. | Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event, search for "websense" in the Display Name column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

FortiSIEM integrates with Websense Web Filter via syslogs sent in the SIEM integration format described in the
Websense SIEM guide. See that guide's instructions on installing the Websense Multiplexer, which integrates with the
Websense Policy Server and creates syslog for consumption by SIEM products such as FortiSIEM.

Sample Parsed Websense Web Filter Syslog Message

<159>Feb 28 14:25:32 10.203.28.21 vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=153 user=- src_host=10.64.134.74 src_port=62189 dst_host=mail.google.com dst_ip=74.125.224.53 dst_port=443 bytes_out=197 bytes_in=76 http_response=200 http_method=CONNECT http_content_type= - http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_enUS;_rv:1.9.2.23)_Gecko/20110920_Firefox/3.6.23 http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 url=https://mail.google.com

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting | Value
Name | <set name>
Device Type | Websense Web Security
Access Protocol | JDBC
Log Server IP | IP of the log server
Pull Interval | 5 minutes
Port | 1433
Log Database | wslogdb70_1
URL Database | wslogdb70
URL Category Database | wslogdb70
Disposition Database | wslogdb70
User Name | Name used to access the database

Servers

FortiSIEM supports these servers for discovery and monitoring.


- HP UX Server
- IBM AIX Server
- IBM OS400 Server
- Linux Server
- Microsoft Windows Server
- QNAP Turbo NAS
- Sun Solaris Server

HP UX Server

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports) | Uptime, CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down | Performance Monitoring
SSH | Hardware (cpu details, memory) | Memory paging rate, Disk I/O utilization | Performance Monitoring
Syslog | Vendor, Model | General logs including Authentication Success/Failure, Privileged logons, User/Group Modification | Security Monitoring and Compliance

Event Types

In ADMIN > Device Support > Event, search for "hp_ux" in the Description column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

In RESOURCE > Reports , search for "hp_ux" in the Name column to see the reports associated with this device.


Configuration

SNMP v1 and v2c

1. Make sure that the snmp libraries are installed. FortiSIEM has been tested to work with the default HP UX package
that comes with snmpd preinstalled.
2. Start the snmpd daemon with the default configuration by issuing /etc/init.d/snmpd restart.
3. Make sure that snmpd is running.

SSH

1. Make sure that the vmstat and iostat commands are available. If not, install the packages that provide them.
2. Create a user account that can issue the vmstat and iostat commands. FortiSIEM will use that user account to
log in to the server. A dedicated unprivileged account is sufficient for these commands, so do not reuse an
administrative login.

Settings for Access Credentials

SNMP, Telnet, and SSH Access Credentials for All Devices


See Access Credentials.

LDAP, LDAPS, LDAP Start TLS / OpenLDAP Access Credentials for All Devices

Use LDAPS or LDAP Start TLS where the directory supports it: a simple bind over plain LDAP on port 389 sends the User
Name and Password below in cleartext.

Settings | Value
Name | <set name>
Device Type | HP HPUX
Access Protocol | LDAP / LDAPS / LDAP Start TLS
Used For | OpenLDAP
Server Port | 389 for LDAP, LDAP Start TLS; 636 for LDAPS
Base DN | The Distinguished Name (DN) of the starting point for directory server searches
Password Config | See Password Configuration
User Name | Name of the user able to access this system
Password | Password of the user able to access this system

LDAP, LDAPS, LDAP Start TLS / Microsoft Active Directory Access Credentials for All Devices

Settings | Value
Name | <set name>
Device Type | HP HPUX
Access Protocol | LDAP / LDAPS / LDAP Start TLS
Used For | Microsoft Active Directory
Server Port | 389 for LDAP, LDAP Start TLS; 636 for LDAPS
Base DN | The Distinguished Name (DN) of the starting point for directory server searches
NetBIOS/Domain | The domain name or NetBIOS name attribute
Password Config | See Password Configuration
User Name | Name of the user able to access this system
Password | Password of the user able to access this system


IBM AIX Server

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports) | Uptime, CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down | Performance Monitoring
SSH | Hardware (cpu details, memory) | Memory paging rate, Disk I/O utilization | Performance Monitoring
Syslog | Vendor, Model | General logs including Authentication Success/Failure, Privileged logons, User/Group Modification | Security Monitoring and Compliance

Event Types

In ADMIN > Device Support > Event, search for "ibm_aix" in the Device Type and Description column to see the
event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.


Configuration

SNMP v1 and v2c

1. Make sure that the snmp libraries are installed. FortiSIEM has been tested to work with the default AIX package
that comes with snmpd preinstalled.
2. Start the snmpd daemon with the default configuration by issuing /etc/init.d/snmpd restart.
3. Make sure that snmpd is running.

SSH

1. Make sure that the vmstat and iostat commands are available. If not, install the packages that provide them.
2. Create a user account that can issue the vmstat and iostat commands. FortiSIEM will use that user account to log
in to the server; a dedicated unprivileged account is sufficient.

Syslog

1. Make sure that /etc/syslog.conf contains a *.* entry that forwards all facilities and priorities to the FortiSIEM
collector (the guide's placeholder for its address is <SENSORIPADDRESS>):

*.* @<SENSORIPADDRESS>

2. Refresh syslogd.

# refresh -s syslogd

Settings for Access Credentials

SNMP, Telnet, and SSH Access Credentials for All Devices


See Access Credentials.

LDAP, LDAPS, LDAP Start TLS / OpenLDAP Access Credentials for All Devices

Use LDAPS or LDAP Start TLS where the directory supports it: a simple bind over plain LDAP on port 389 sends the User
Name and Password below in cleartext.

Settings | Value
Name | <set name>
Device Type | IBM AIX
Access Protocol | LDAP / LDAPS / LDAP Start TLS
Used For | OpenLDAP
Server Port | 389 for LDAP, LDAP Start TLS; 636 for LDAPS
Base DN | The Distinguished Name (DN) of the starting point for directory server searches
Password Config | See Password Configuration
User Name | Name of the user able to access this system
Password | Password of the user able to access this system

LDAP, LDAPS, LDAP Start TLS / Microsoft Active Directory Access Credentials for All Devices

Settings | Value
Name | <set name>
Device Type | IBM AIX
Access Protocol | LDAP / LDAPS / LDAP Start TLS
Used For | Microsoft Active Directory
Server Port | 389 for LDAP, LDAP Start TLS; 636 for LDAPS
Base DN | The Distinguished Name (DN) of the starting point for directory server searches
NetBIOS/Domain | The domain name or NetBIOS name attribute
Password Config | See Password Configuration
User Name | Name of the user able to access this system
Password | Password of the user able to access this system


IBM OS400 Server

- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
Syslog | - | General logs including Authentication Success/Failure, Privileged logons, User/Group Modification | Security Monitoring and Compliance

Event Types

In ADMIN > Device Support > Event, search for "os400" in the Device Type column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

FortiSIEM parses IBM OS400 logs received via the PowerTech agent, as described here. The PowerTech agent sends the
logs to FortiSIEM as syslog in CEF format, as the samples below show.

Sample Parsed IBM OS400 Syslog Messages

Mar 18 17:49:36 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0603|A File Server transaction was allowed for user BRENDAN.|2| src =10.0.1.60 dst =10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QPWFSERVSO JUSER :BRENDAN JNBR :025355 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL: OB BRENDAN *FILESRV CRTSTRMFIL QPWFSERVSO LNS0811 000112 00023 /home/BRENDAN/subfolder

Mar 18 17:48:36 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0604|A File Server transaction was allowed for user BRENDAN.|2| src =10.0.1.60 dst =10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QPWFSERVSO JUSER :BRENDAN JNBR :025355 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL: OB BRENDAN *FILESRV DLTSTRMFIL QPWFSERVSO LNS0811 000112 00025 /home/BRENDAN/BoardReport

Mar 18 17:53:00 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0703|A System i FTP Client transaction was allowed for user BRENDAN.|3| src =10.0.1.180 dst =10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QTFTP00149 JUSER :BRENDAN JNBR :029256 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL: ST BRENDAN *FTPCLIENT DELETEFILE QTFTP00149 LNS0811 000112 00033 /QSYS.LIB/PAYROLL.LIB/NEVADA.FILE
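A parser for the CEF syslog samples this guide shows for McAfee Vormetric DSM, SSH CryptoAuditor and the PowerTech agent above, as an added example; it is not FortiSIEM's parser or any of those vendors' code. The three sample lines are copied from the guide as printed (including the "CEF :0" spelling and the "src =" spacing in the PowerTech lines, which the parser tolerates); the fourth, ESCAPED, is constructed to exercise the \| and \= escapes. It also handles the CryptoAuditor sample whose header has no severity field, and resolves csNLabel names so that cs4Label=logger cs4=DAO comes out as logger=DAO.

```python
import re

# Added example: tolerant CEF parser for the samples in this guide. Not vendor or FortiSIEM code.
# Header is found anywhere in the line so a syslog PRI/timestamp/host prefix is fine, and
# "CEF :0|" (PowerTech sample) is accepted alongside the standard "CEF:0|".
_CEF_START = re.compile(r"CEF\s*:\s*(\d+)\|")
# An extension key starts the string or follows whitespace; one optional space before "="
# covers the PowerTech "src =10.0.1.60" spacing.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z][A-Za-z0-9_.\-]*)\s?=")
_LABEL_KEY = re.compile(r"^(cs|cn|flexString|flexNumber|flexDate)(\d+)Label$")
HEADER_FIELDS = ("vendor", "product", "version", "signature_id", "name", "severity")


def _split_pipes(text):
    """Split on '|' that is not escaped as '\\|'; escapes are kept for _unescape."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value):
    """CEF escapes: \\| \\= \\\\ become the literal character, \\n and \\r become newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """key=value pairs; a value runs up to the next key. csNLabel/cnNLabel rename their field."""
    keys = list(_EXT_KEY.finditer(ext))
    raw = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw[m.group(1)] = _unescape(ext[m.end():end].strip())
    labels = {}
    for k, v in raw.items():
        lm = _LABEL_KEY.match(k)
        if lm:
            labels[lm.group(1) + lm.group(2)] = v       # cs4Label=logger -> cs4 is reported as logger
    return {labels.get(k, k): v for k, v in raw.items() if not _LABEL_KEY.match(k)}


def parse_cef(line):
    """Return prefix, cef_version, the six header fields and the extension dict for one line."""
    m = _CEF_START.search(line)
    if m is None:
        raise ValueError("no CEF header")
    rec = {"prefix": line[:m.start()].strip(), "cef_version": int(m.group(1))}
    parts = _split_pipes(line[m.end():])
    if len(parts) >= 7:
        head, ext = parts[:6], "|".join(parts[6:])       # unescaped '|' inside the extension is legal
    elif len(parts) == 6 and "=" in parts[5]:
        head, ext = parts[:5] + [None], parts[5]         # header without severity (CryptoAuditor sample)
    else:
        raise ValueError("malformed CEF header (%d fields)" % len(parts))
    for field, value in zip(HEADER_FIELDS, head):
        rec[field] = _unescape(value) if value is not None else None
    rec["extension"] = _parse_extension(ext.strip())
    return rec


# Sample inputs: the first three are copied from this guide, ESCAPED is constructed.
VORMETRIC = ('<14> 2013-06-29T18:44:42.420Z 10.10.10.1 CEF:0|Vormetric, Inc.|dsm|5.2.0.1|DAO0048I|update host|3|'
             'cs4Label=logger cs4=DAO spid=4322 rt=1388986263954 dvchost=example.com suser=USER_1 shost=test_cpu')
CRYPTOAUDITOR = ('<189>Jun 24 15:43:01 auditor ssh-auditor[4067]: CEF:0|SSH|CryptoAuditor|1.6.0|4201|'
                 'Connection_received|rt=Jun 26 2015 07:48:24 SshAuditorSrc=10.1.78.8 spt=34453 '
                 'SshAuditorDst=10.1.78.8 dpt=10022 SshAuditorSessionId=21 SshAuditorUsername=testuser '
                 'SshAuditorRemoteusername=testuser SshAuditorProtocolsessionId=C089C55D9ADE0A4F901917D69B46B01223A02B70 '
                 'SshAuditorVirtualLAN=0 cs1=source connection cs1Label=Text')
POWERTECH = ('Mar 18 17:53:00 ROBINSON CEF :0|PowerTech|Interact|2.0|UNA0703|A System i FTP Client transaction '
             'was allowed for user BRENDAN.|3| src =10.0.1.180 dst =10.0.1.180 msg=TYPE:JRN CLS :AUD JJOB :QTFTP00149 '
             'JUSER :BRENDAN JNBR :029256 PGM :PLKR108JEL OBJECT : LIBRARY : MEMBER: DETAIL: ST BRENDAN *FTPCLIENT '
             'DELETEFILE QTFTP00149 LNS0811 000112 00033 /QSYS.LIB/PAYROLL.LIB/NEVADA.FILE')
ESCAPED = 'CEF:0|Acme\\|Corp|app|1.0|100|pipe\\|in name|5|msg=a\\=b dst=1.2.3.4'

if __name__ == "__main__":
    for sample in (VORMETRIC, CRYPTOAUDITOR, POWERTECH, ESCAPED):
        r = parse_cef(sample)
        print(r["vendor"], r["product"], r["signature_id"], r["severity"], r["extension"])
```

Treating a missing severity as None rather than shifting the remaining fields is deliberate: a parser that assumed seven header fields would read "rt=Jun 26 ..." as the severity of the second CryptoAuditor sample and lose the whole extension.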


Linux Server

- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports) | Uptime, CPU/Memory/Network Interface/Disk space utilization, Swap space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down | Performance Monitoring
SSH | OS type, Hardware (cpu details, memory) | Memory paging rate, Disk I/O utilization | Performance Monitoring
Syslog | Vendor, Model | General logs including Authentication Success/Failure, Privileged logons, User/Group Modification | Security Monitoring and Compliance
Syslog (via FortiSIEM Linux Agent) | - | File or directory change: User, Type of change, directory or file name | Security Monitoring and Compliance

Event Types

In ADMIN > Device Support > Event Types, search for "linux" to see the event types associated with this device.

Rules

In RESOURCES > Rules, search for "linux" in the main content panel Search... field to see the rules associated with
this device.

Reports

In RESOURCES > Reports, search for "linux" in the main content panel Search... field to see the reports associated
with this device.

Configuration

• SNMP v1 and v2c
• SNMP v3
• SSH
• Syslog Logging
• Basic Linux File Monitoring over Syslog

SNMP v1 and v2c

1. Make sure that the SNMP libraries are installed. FortiSIEM has been tested to work with the net-snmp libraries.
2. Log in to your server with administrative access.
3. Make these modifications to the /etc/snmp/snmpd.conf file:
   a. Define the community string for FortiSIEM usage and permit SNMP access from the FortiSIEM IP.
   b. Allow FortiSIEM read-only access to the mib-2 tree.
   c. Allow Accelops read-only access to the enterprise MIB: UCD-SNMP-MIB.
   d. Open up the entire tree for read-only view.
4. Reduce the logging level to avoid per-connection logging, which may cause resource issues (see here for more
   details):
   a. Edit /etc/sysconfig/snmpd (on RedHat/CentOS) or /etc/defaults/snmpd (on Debian/Ubuntu).
   b. Look for the line that passes the command line options to snmpd. On RedHat Enterprise 6 this looks like:
      # snmpd command line options
      OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid"
   c. Change the range from 0-6 to 0-5:
      # snmpd command line options
      OPTIONS="-LS0-5d -Lf /dev/null -p /var/run/snmpd.pid"
5. Restart the snmpd daemon by issuing /etc/init.d/snmpd restart.
6. Add the snmpd daemon to start from boot by issuing chkconfig snmpd on.
7. Make sure that snmpd is running.

SNMP v3

Configuring rwcommunity/rocommunity or com2sec

1. Log in to your Linux server.


2. Stop SNMP.
service snmpd stop

3. Use vi to edit the /etc/snmp/snmpd.conf file.
   Before you edit this file, make sure you have created a backup, as it is very important to have a valid version of this
   file so the SNMP daemon has correct credentials.
   vi /etc/snmp/snmpd.conf

4. At the end of the file, add this line, substituting your username for snmpv3user and removing the <>
   tags: rouser <snmpv3user>.
5. Save the file.
6. Use vi to edit the /var/lib/snmp/snmpd.conf file.
Before you edit this file, make sure you have created a backup, as it is very important to have a valid version of this
file for the SNMP daemon to function correctly.
vi /var/lib/snmp/snmpd.conf

7. At the end of the file, add this line, entering the username you entered in step 4, and then passwords for that user
for MD5 and DES.
If you want to use SHA or AES, then add those credentials as well.
createUser <snmpv3user> MD5 <snmpv3md5password> DES <snmpv3despassword>

8. Save the file.


9. Reduce the logging level to avoid per connection logging which may cause resource issues (see here for more
details)
a. Edit /etc/sysconfig/snmpd (on RedHat/CentOS) or /etc/defaults/snmpd (on Debian/Ubuntu)
b. Look for the line that passes the command line options to snmpd. On RedHat Enterprise 6 this looks like:
# snmpd command line options
OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid"

c. Change the range from 0-6 to 0-5:


# snmpd command line options
OPTIONS="-LS0-5d -Lf /dev/null -p /var/run/snmpd.pid"

10. Restart SNMP.
    service snmpd start
    chkconfig snmpd on

11. View the contents of the /var/lib/snmp/snmpd.conf file.
    If this works, restarting snmpd will have produced no errors, and the createUser entry that you added to
    /var/lib/snmp/snmpd.conf will have been removed (snmpd stores the user as a usmUser entry instead):
    cat /var/lib/snmp/snmpd.conf

12. Run snmpwalk -v 3 -u <snmpv3user> -l authpriv <IP> -a MD5 -A <snmpv3md5password> -x DES -X <snmpv3despassword>
    You will see your snmpwalk output if this works. If there are any errors, see the net-snmp documentation for further instructions.

Configuring net-snmp-devel

If you have net-snmp-devel on your Linux server/client, follow these steps to configure SNMP v3.
1. Stop SNMP.
service snmpd stop

2. Run net-snmp-config --create-snmpv3-user -ro -A <MD5passwordhere> -X <DESpasswordhere> -x DES -a MD5 <SNMPUSERNAME>.
3. Restart SNMP.
service snmpd start

4. Test by following step 10 from above.
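The SNMP v1/v2c steps (3a-3d and 4) and the SNMP v3 steps (4, 7 and 11) above, carried out with a few POSIX shell helpers. This is an added example, not code from the FortiSIEM guide or from the net-snmp project; the collector address 10.0.0.5, the community string fsiemro, the user name fsiem, the passphrases and the com2sec/group/view names (fortisiem, fortisiem_ro, fortisiem_view) are placeholders chosen here.

```shell
#!/bin/sh
# Added example (not from the FortiSIEM guide or net-snmp): shell helpers for
# the Linux SNMP steps above. Collector IP, community string, user name,
# passphrases and the group/view names are placeholders supplied by the caller.

# SNMP v1/v2c, steps 3a-3d: one com2sec line ties the community string to the
# FortiSIEM collector's address only, and the access line grants that group a
# read-only view (write view and notify view are "none").
render_v2c_conf() {
    collector_ip="$1"
    community="$2"
    cat <<EOF
# 3a: community string, accepted only from the FortiSIEM collector
com2sec fortisiem ${collector_ip} ${community}
group fortisiem_ro v1  fortisiem
group fortisiem_ro v2c fortisiem
# 3b: mib-2 tree
view fortisiem_view included .1.3.6.1.2.1
# 3c: UCD-SNMP-MIB enterprise tree
view fortisiem_view included .1.3.6.1.4.1.2021
# 3d: entire tree, read-only
view fortisiem_view included .1
access fortisiem_ro "" any noauth exact fortisiem_view none none
EOF
}

# SNMP v3, step 4: the rouser line for /etc/snmp/snmpd.conf. "priv" requires
# both authentication and encryption, matching the -l authpriv used in step 12.
render_v3_rouser() {
    printf 'rouser %s priv\n' "$1"
}

# SNMP v3, step 7: the one-shot createUser line for /var/lib/snmp/snmpd.conf.
# Pass SHA and AES instead of MD5 and DES where the collector supports them.
render_v3_createuser() {
    user="$1"; auth_proto="$2"; auth_pass="$3"; priv_proto="$4"; priv_pass="$5"
    printf 'createUser %s %s "%s" %s "%s"\n' \
        "$user" "$auth_proto" "$auth_pass" "$priv_proto" "$priv_pass"
}

# Step 4c / 9c: change -LS0-6d to -LS0-5d in the snmpd options file, keeping a
# .bak copy. POSIX sed has no -i, so the rewrite goes through the backup.
lower_snmpd_log_level() {
    file="$1"
    cp "$file" "${file}.bak" &&
    sed 's/-LS0-6d/-LS0-5d/' "${file}.bak" > "$file"
}

# Step 11 check: a successful restart makes snmpd replace the createUser line
# with a hashed usmUser entry. A surviving createUser line means the bootstrap
# failed and the cleartext passphrases are still on disk.
v3_user_persisted() {
    file="$1"
    if grep -q '^createUser' "$file"; then
        return 1
    fi
    grep -q '^usmUser' "$file"
}

# Usage when run directly: snmp_helpers.sh <collector-ip> <community>
# prints the v1/v2c fragment to append to /etc/snmp/snmpd.conf.
if [ "$#" -eq 2 ]; then
    render_v2c_conf "$1" "$2"
fi
```

The rendered v1/v2c fragment is appended to /etc/snmp/snmpd.conf, the rouser line goes in the same file, and the createUser line goes in /var/lib/snmp/snmpd.conf before the restart in step 10; v3_user_persisted then performs the step 11 check without a manual cat.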

SSH

1. Make sure that the vmstat and iostat commands are available. If not, install these libraries.
2. Create a user account that can issue vmstat and iostat commands. FortiSIEM will use that user account to log
in to the server.

Syslog Logging

Syslog forwarding can be configured on Linux servers to send the logs to FortiSIEM. There are different options
regarding syslog configuration, including Syslog over TLS.
There are typically two commonly used syslog daemons:
• Syslog-ng
• rsyslog

Basic Syslog-ng Configuration

Follow these steps to enable basic Syslog-ng forwarding:

1. Add the following destination and log statements to your Syslog-ng configuration, replacing "Collector IP" with the
   address of the FortiSIEM Collector and s_src with the name of the source already defined in your configuration:
   destination d_fortisiem { udp("Collector IP" port(514)); };
   log { source(s_src); destination(d_fortisiem); };
2. Restart the syslog-ng service or reload the configuration.

Basic rsyslog Configuration

Follow these steps to enable rsyslog forwarding:

1. Add the following lines to your rsyslog configuration, replacing "Collector IP" with the address of the FortiSIEM
   Collector:
   # Send logs to the FortiSIEM Collector
   *.* @Collector IP:514
2. Restart the rsyslog service or reload the configuration.
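An added example, not from the FortiSIEM guide or the rsyslog project, that goes beyond the single UDP line above: it renders a forwarding rule in rsyslog's action() syntax using TCP with a disk-assisted queue, and lists every forwarding destination found in an existing rsyslog configuration so an administrator can confirm that logs leave the server only for the collector. The collector address 10.0.0.5, port 514 and the queue file name are assumed values.

```shell
#!/bin/sh
# Added example (not from the FortiSIEM guide or the rsyslog project): render a
# TCP forwarding rule for FortiSIEM and list the forwarding destinations already
# present in an rsyslog configuration. Collector address, port and the queue file
# name are placeholders.

# Render an /etc/rsyslog.d/fortisiem.conf fragment. Unlike the plain "@host:514"
# UDP line, omfwd over TCP with a disk-assisted queue keeps events while the
# collector is unreachable and retries indefinitely instead of dropping them.
# queue.filename needs a writable global workDirectory (distro defaults set one).
render_rsyslog_forward() {
    target="$1"
    port="$2"
    cat <<EOF
# Forward all facilities to the FortiSIEM collector over TCP
*.* action(type="omfwd" target="${target}" port="${port}" protocol="tcp"
           queue.type="LinkedList" queue.filename="fortisiem_fwd"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
}

# Print every forwarding destination in an rsyslog config, one per line:
# legacy "@host:port" / "@@host:port" selectors (comment lines skipped) and
# RainerScript omfwd actions (target only). Any destination other than the
# collector deserves a look, since it receives a copy of the server's logs.
list_forward_targets() {
    file="$1"
    sed -n 's/^[^#]*[[:space:]]@@\{0,1\}\([^[:space:];@]*\).*/\1/p' "$file"
    sed -n 's/.*target="\([^"]*\)".*/\1/p' "$file"
}

# Usage when run directly: rsyslog_forward.sh <collector-ip> [port]
if [ "$#" -ge 1 ]; then
    render_rsyslog_forward "$1" "${2:-514}"
fi
```

Write the rendered fragment to /etc/rsyslog.d/ and restart rsyslog as in step 2; run list_forward_targets against /etc/rsyslog.conf and the files under /etc/rsyslog.d/ to review existing forwards.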

Linux File Monitoring

FortiSIEM has licensed Linux agents that provide additional capabilities, such as custom log forwarding and central
management. See the “Linux Agent Installation Guide” for details on this agent.

Settings for Access Credentials

• SNMP Access Credentials for All Devices
• SSH Access Credentials for All Devices

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the
Name and Community String.

Setting            Value
Name               <set name>
Device Type        Generic
Access Protocol    SNMP
Community String   <your own>

SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting            Value
Name               ssh-generic
Device Type        Generic
Access Protocol    SSH
Port               22
User Name          A user who has access credentials for your device over SSH
Password           The password for the user

Microsoft Windows Server

• Supported OS
• What is Discovered and Monitored
• Configuration
• Setting Access Credentials

Supported OS

• Windows 2003
• Windows 2008 and 2008 R2
• Windows 2012 and 2012 R2
• Windows 2016
• Windows 2019

What is Discovered and Monitored

Metrics in bold are unique to Microsoft Windows Server monitoring.


Installed Software Monitored via SNMP
Although information about installed software is available via both SNMP and WMI, FortiSIEM uses SNMP to obtain
installed software information to avoid an issue in Microsoft's WMI implementation for the Win32_Product WMI class -
see Microsoft KB 974524 article for more information. Because of this bug, WMI calls to the Win32_Product class
create many unnecessary Windows event log messages indicating that the Windows Installer has reconfigured all
installed applications.
Winexe execution and its effect
FortiSIEM uses the winexe command during discovery and monitoring of Windows servers for the following purposes:
1. Windows domain controller diagnostics (dcdiag) and replication monitoring (repadmin /replsummary)
2. HyperV Performance Monitoring
3. Windows Custom performance monitoring, to run a command (e.g. powershell) remotely on Windows systems
Note: Running the winexe command remotely will automatically install winexesvc on the Windows server.

Protocol: SNMP
  Information discovered: Host name, generic hardware (cpu, memory, network interface, disk), software (operating system version, installed software, running processes, open TCP/UDP ports)
  Metrics collected: Uptime, Overall CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop, TCP/UDP port up/down
  Used for: Performance Monitoring

Protocol: SNMP
  Information discovered: Vendor specific server hardware (hardware model, hardware serial number, fans, power supply, disk, raid battery). Currently supported vendors include HP and Dell
  Metrics collected: Hardware module status - fan, power supply, thermal status, battery, disk, memory. Currently supported vendors include HP and Dell

Protocol: WMI
  Information discovered: Win32_ComputerSystem: Host name, OS; Win32_WindowsProductActivation: OS Serial Number; Win32_OperatingSystem: Memory, Uptime; Win32_BIOS: Bios; Win32_Processor: CPU; Win32_LogicalDisk: Disk info; Win32_NetworkAdapterConfiguration: network interface; Win32_Service: Services; Win32_Process: Running processes; Win32_QuickFixEngineering: Installed Patches
  Metrics collected: Win32_OperatingSystem: Uptime; Win32_PerfRawData_PerfOS_Processor: Detailed CPU utilization; Win32_PerfRawData_PerfOS_Memory: Memory utilization, paging/swapping metrics; Win32_LogicalDisk: Disk space utilization; Win32_PerfRawData_PerfOS_PagingFile: Paging file utilization; Win32_PerfRawData_PerfDisk_LogicalDisk: Disk I/O metrics; Win32_PerfRawData_Tcpip_NetworkInterface: Network Interface utilization; Win32_Service: Running process uptime, start/stop status; Win32_Process, Win32_PerfRawData_PerfProc_Process: Process CPU/memory/I/O utilization
  Used for: Performance Monitoring

Protocol: WMI
  Metrics collected: Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent)
  Used for: Security and Compliance

Protocol: Snare agent
  Metrics collected: Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent)
  Used for: Security and Compliance

Protocol: Correlog agent
  Metrics collected: Security, Application and System Event Logs including logon, file/folder edits, network traffic (Win32_NTLogEvent)
  Used for: Security and Compliance

Protocol: FortiSIEM Agent
  Metrics collected: Security, Application and System Event Logs, DNS, DHCP, IIS, DFS logs, Custom log files, File Integrity Monitoring, Registry Change Monitoring, Installed Software Change Monitoring, WMI and Powershell output monitoring
  Used for: Security and Compliance

Event Types

In ADMIN > Device Support > Event, search for "windows server" in the Description column to see the event types
associated with this application or device.

Rules

In RESOURCE > Rules, search for "windows server" in the Name column to see the rules associated with this
application or device.

Reports

In RESOURCE > Reports, search for "windows server" in the Name column to see the reports associated with this
application or device.

Configuration

• WinRM Configurations
• SNMP Configurations
• WMI Configurations
• Windows Agent Configurations
• Syslog Configurations

WinRM Configurations

WinRM is used for some FortiSIEM Remediation actions. If Windows Remediation actions are not used in FortiSIEM,
this configuration step is not required.

Enable WinRM and set authentication

Use the commands below to enable WinRM and set authentication on the target Windows Servers:
1. To configure Windows Server:
   winrm quickconfig
   winrm set winrm/config/service/auth '@{Basic="true"}'
   winrm set winrm/config/service '@{AllowUnencrypted="true"}'
   Single quotes are needed for Windows 2016 and later.
2. To configure the FortiSIEM client (Super or Collector):
   pip install pywinrm

SNMP Configurations

• Enabling SNMP on Windows Server 2012R2, Server 2016, Server 2019
• Enabling SNMP on Windows 7 or Windows Server 2008 R2
• Enabling SNMP on Windows Server 2003

Enabling SNMP on Windows Server 2012R2, Server 2016, Server 2019

SNMP is typically enabled by default on Windows Server 2012R2, Server 2016, and Server 2019. But you must still add
FortiSIEM to the hosts that are authorized to accept SNMP packets. First, you should check that SNMP Services have
been enabled for your server.

1. Log in to the Windows 2016 Server where you want to enable SNMP as an administrator.
2. In the Start menu, select Control Panel.
3. Under Programs, click Turn Windows features on/off.
4. The Add Roles and Features Wizard will open automatically.
5. Select Role-based or feature-based installation. Click Next until the Features option appears.
6. Under Features, see if SNMP Services is installed.
If not, check the checkbox before the SNMP Service and click Next to install the service.
7. From the Start menu, select Services. Go to Services > SNMP Services.
8. Select and open SNMP Service.
9. Click the Security tab.
10. Select Send authentication trap.
11. Under Accepted communities, make sure there is an entry for public that is set to read-only.
12. Select Accept SNMP packets from these hosts.
13. Click Add.
14. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
15. Click Add.
16. Click Apply.
17. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you must still add FortiSIEM to the hosts that are
authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.
1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
2. In the Start menu, select Control Panel.
3. Under Programs, click Turn Windows features on/off.
4. Under Features, see if SNMP Services is installed.
If not, click Add Feature, then select SNMP Service and click Next to install the service.
5. In the Server Manager window, go to Services > SNMP Services.
6. Select and open SNMP Service.
7. Click the Security tab.
8. Select Send authentication trap.
9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
10. Select Accept SNMP packets from these hosts.
11. Click Add.
12. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
13. Click Add.
14. Click Apply.
15. Under SNMP Service, click Restart service.

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you must still add FortiSIEM to the hosts that are
authorized to accept SNMP packets. First you must make sure that the SNMP Management tool has been enabled for
your device.
1. In the Start menu, go to Administrative Tools > Services.
2. Go to Control Panel > Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. Select Management and Monitoring Tools and click Details.
Make sure that Simple Network Management Tool is selected.
If it isn't selected, select it, and then click Next to install.
5. Go to Start > Administrative Tools > Services.
6. Select and open SNMP Service.
7. Click the Security tab.
8. Select Send authentication trap.
9. Under Accepted communities, make sure there is an entry for public that is set to read-only.
10. Select Accept SNMP packets from these hosts.
11. Click Add.
12. Enter the IP address for your FortiSIEM virtual appliance that will access your device over SNMP.
13. Click Add.
14. Click Apply.
15. Under SNMP Service, click Restart service.

WMI Configurations

• WMI Configuration for Windows 2012, 2012R2, 2016, 2019
• WMI Configurations for Windows 2008 and 2008R2

WMI Configuration for Windows 2012, 2012R2, 2016, 2019

To configure WMI on your device so that FortiSIEM can discover and monitor it, you must create a user who has access
to WMI objects on the device. There are two ways to do this:
• Creating a Generic User Who Does Not Belong to the Local Administrator Group
• Creating a User Who Belongs to the Domain Administrator Group
• Differences Between Administrator and Non-Administrator Account

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Step 1. Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users
Group and the Performance Monitor Users Group

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and
Groups.
2. Right-click Users and select New User.
3. Create a user.
4. Select this user and right-click to select Properties > Member of tab.
5. Click Add > Advanced > Find Now.

6. Select and add the following groups:
   Note: To select multiple groups, hold down the CTRL key and click the desired groups.
   • Distributed COM Users group.
   • Performance Monitor Users group.
   • Remote Desktop Users group.
7. Click OK to save.

Step 2. Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services > Computers > My
Computer.
2. Right-click My Computer, and then Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local
Access and Remote Access set to Allowed.
5. Click OK.
6. Under Access Permissions, click Edit Default.
7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local
Access and Remote Access set to Allowed. If the Distributed COM Users group and Performance Monitor
Users group are not present, then click Add to add these two groups as described in Step 1.
8. Click OK.
9. Under Launch and Activation Permissions, click Edit Limits.
10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the
permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. Click OK.
12. Under Launch and Activation Permissions, click Edit Defaults.
13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the
permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation. If the
Distributed COM Users group and Performance Monitor Users group are not present, then click Add to add
these two groups as described in Step 1.
14. Click OK.

Step 3. See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows
Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Step 4. Configuring Log Monitoring for Non-Administrative User

To configure the non-administrative user to monitor windows event logs, follow the steps below:
1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers (Computer
Management > Local Users and Groups for servers that are not a domain controller).
2. Right-click the non-admin user and select Properties.
3. Select the Member of tab.
4. Select the group Event Log Reader and click Add.
5. Click Apply.
6. Click OK to complete the configuration.

7. The following groups should be applied to the user:
   • Distributed COM Users
   • Domain Users
   • Event Log Reader

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Step 1. Enable remote WMI requests by adding a Monitoring Account to the Domain Administrators Group

1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select New > User.
3. Create a user for the @accelops.com domain.
   For example, [email protected].
4. Right-click Domain Admins in Users and select Properties.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. Click Advanced > Find Now, then add the Administrator and the user which you created in Step 3.
7. Click OK to close the User select dialog.
8. Click OK to close the Domain Admins Properties dialog.

Step 2. Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both
Local Access and Remote Access.
5. Click OK.
6. In the COM Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that the user has the permission Allow for
both Local Access and Remote Access. If the Distributed COM Users group and Performance Monitor
Users group are not present, then click Add to add these two groups as described in Step 1.
8. Click OK.
9. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local
Launch, Remote Launch, Local Activation, and Remote Activation. If the Distributed COM Users group and
Performance Monitor Users group are not present, then click Add to add these two groups as described in Step
1.
11. In the COM Security tab, under Launch and Activation Permissions, click Edit Limits.
12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local
Launch, Remote Launch, Local Activation, and Remote Activation. If the Distributed COM Users group
and Performance Monitor Users group are not present, then click Add to add these two groups as described in
Step 1.
13. Click OK.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored
device.
1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and
Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security tab.
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable
Account and Remote Enable. If the user is not present, then click Add to add the user you created.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Applies onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI through Windows Firewall (Windows Server 2012, 2016 and 2019)

1. Go to Control Panel > Windows Firewall.


2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and then click OK.
You can now configure FortiSIEM to communicate with your device. For more information, refer to the sections
"Discovery Settings" and "Setting Credentials" in the User Guide.

Differences Between Administrator and Non-Administrator Account

Windows allows certain WMI classes to be pulled only via Administrator account. The following table shows this clearly.

WMI Class Administrator Non-Administrator

Win32_BIOS Yes No

Win32_ComputerSystem Yes Yes

Win32_LogicalDisk Yes No

Win32_NetworkAdapter Yes Yes

Win32_NetworkAdapterConfiguration Yes Yes

Win32_NTLogEvent Yes Yes

Win32_OperatingSystem Yes Yes

Win32_Process Yes Yes

Win32_Processor Yes Yes

Win32_Product Yes Yes

Win32_QuickFixEngineering Yes No

Win32_Service Yes No

Win32_UserAccount Yes No

win32_Volume Yes Yes

Win32_PerfFormattedData_DHCPServer_DHCPServer Yes Yes

Win32_PerfFormattedData_DNS_DNS Yes Yes

Win32_PerfFormattedData_W3SVC_WebService Yes Yes

Win32_PerfRawData_DirectoryServices_DirectoryServices Yes Yes

Win32_PerfRawData_NTDS_NTDS Yes Yes

Win32_PerfRawData_PerfDisk_LogicalDisk Yes Yes

Win32_PerfRawData_PerfDisk_PhysicalDisk Yes Yes

Win32_PerfRawData_PerfOS_Memory Yes Yes

Win32_PerfRawData_PerfOS_PagingFile Yes Yes

Win32_PerfRawData_PerfOS_Processor Yes Yes

Win32_PerfRawData_PerfProc_Process Yes Yes

Win32_PerfRawData_Tcpip_NetworkInterface Yes Yes

WMI Configurations for Windows 2008 and 2008R2

To configure WMI on your device so that FortiSIEM can discover and monitor it, you must create a user who has access
to WMI objects on the device. There are two ways to do this:
• Creating a Generic User Who Does Not Belong to the Local Administrator Group
• Creating a User Who Belongs to the Domain Administrator Group
• Differences Between Administrator and Non-Administrator Account

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Step 1. Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users
Group and the Performance Monitor Users Group

1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and
Groups.
2. Right-click Users and select New User.
3. Create a user.
4. Select this user and right-click to select Properties > Member of tab.
5. Select Distributed COM Users and click Add.
6. Click OK to save.
This is the account you must use to set up the Performance Monitor Users group permissions.
7. Repeat steps 4 through 6 for the Performance Monitor Users group.

Step 2. Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then Properties.
3. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
4. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local
Access and Remote Access set to Allowed.
5. Click OK.
6. Under Access Permissions, click Edit Default.
7. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local
Access and Remote Access set to Allowed.
8. Click OK.
9. Under Launch and Activation Permissions, click Edit Limits.
10. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the
permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
11. Click OK.
12. Under Launch and Activation Permissions, click Edit Defaults.
13. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the
permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the
Domain Admin User set up instructions for the remaining steps to configure WMI.

Configuring Log Monitoring for Non-Administrative User

To configure the non-administrative user to monitor windows event logs, follow the steps below:
1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers (Computer
Management > Local Users and Groups for servers that are not a domain controller).
2. Right-click the non-admin user and select Properties.
3. Select the Member of tab.
4. Select the group Event Log Reader and click Add.
5. Click Apply.

6. Click OK to complete the configuration.

The following groups should be applied to the user:
• Distributed COM Users
• Domain Users
• Event Log Reader

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Step 1. Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators
Group

1. Go to Start > Control Panel > Administrative Tools > Active Directory Users and Computers > Users.
2. Right-click Users and select Add User.
3. Create a user for the @accelops.com domain.
For example, [email protected].
4. Go to Groups, right-click Administrators, and then click Add to Group.
5. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
6. For Enter the object names to select, enter the user you created in step 3.
7. Click OK to close the Domain Admins Properties dialog.
8. Click OK.

Step 2. Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account.

Enable DCOM Permissions for the Monitoring Account

1. Go to Start > Control Panel > Administrative Tools > Component Services.
2. Right-click My Computer, and then select Properties.
3. Select the Com Security tab, and then under Access Permissions, click Edit Limits.
4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both
Local Access and Remote Access.
5. Click OK.
6. In the Com Security tab, under Access Permissions, click Edit Defaults.
7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for
both Local Access and Remote Access.
8. Click OK.
9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local
Launch, Remote Launch, Local Activation, and Remote Activation.
11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.

12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local
Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored
device.
1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and
Applications.
2. Select WMI Control, and then right-click and select Properties.
3. Select the Security tab.
4. Expand the Root directory and select CIMV2.
5. Click Security.
6. Find the user you created for the monitoring account, and make sure that user has the
permission Allow for Enable Account and Remote Enable.
7. Click Advanced.
8. Select the user you created for the monitoring account, and then click Edit.
9. In the Apply onto menu, select This namespace and subnamespaces.
10. Click OK to close the Permission Entry for CIMV2 dialog.
11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
12. In the left-hand navigation, under Services and Applications, select Services.
13. Select Windows Management Instrumentation, and then click Restart.

Allow WMI to Connect Through the Windows Firewall (Windows 2003)

1. In the Start menu, select Run.
2. Run gpedit.msc.
3. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network >
Network Connections > Windows Firewall.
4. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the
domain or not.
5. Select Windows Firewall: Allow remote administration exception.
6. Run cmd.exe and enter these commands:
netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=UNSECAPP

7. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

1. Go to Control Panel > Windows Firewall.
2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
3. Select Windows Management Instrumentation, and then click OK.

You can now configure FortiSIEM to communicate with your device. For more information, refer to sections "Discovery
Settings" and "Setting Credentials" in the User Guide.

Differences Between Administrator and Non-Administrator Account

Windows allows certain WMI classes to be queried only by an Administrator account. The following table shows which classes a Non-Administrator monitoring account can and cannot pull.

WMI Class                                              Administrator  Non-Administrator
Win32_BIOS                                             Yes            No
Win32_ComputerSystem                                   Yes            Yes
Win32_LogicalDisk                                      Yes            No
Win32_NetworkAdapter                                   Yes            Yes
Win32_NetworkAdapterConfiguration                      Yes            Yes
Win32_NTLogEvent                                       Yes            Yes
Win32_OperatingSystem                                  Yes            Yes
Win32_Process                                          Yes            Yes
Win32_Processor                                        Yes            Yes
Win32_Product                                          Yes            Yes
Win32_QuickFixEngineering                              Yes            No
Win32_Service                                          Yes            No
Win32_UserAccount                                      Yes            No
Win32_Volume                                           Yes            Yes
Win32_PerfFormattedData_DHCPServer_DHCPServer          Yes            Yes
Win32_PerfFormattedData_DNS_DNS                        Yes            Yes
Win32_PerfFormattedData_W3SVC_WebService               Yes            Yes
Win32_PerfRawData_DirectoryServices_DirectoryServices  Yes            Yes
Win32_PerfRawData_NTDS_NTDS                            Yes            Yes
Win32_PerfRawData_PerfDisk_LogicalDisk                 Yes            Yes
Win32_PerfRawData_PerfDisk_PhysicalDisk                Yes            Yes
Win32_PerfRawData_PerfOS_Memory                        Yes            Yes
Win32_PerfRawData_PerfOS_PagingFile                    Yes            Yes
Win32_PerfRawData_PerfOS_Processor                     Yes            Yes
Win32_PerfRawData_PerfProc_Process                     Yes            Yes
Win32_PerfRawData_Tcpip_NetworkInterface               Yes            Yes
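As an added verification script (not part of the guide), the following PowerShell queries each class from the table above as the monitoring account over DCOM, the same path the DCOM, WMI namespace and firewall steps above open, and reports which classes that account can read. The host name and account name are placeholders; Win32_Product is left out because enumerating it triggers an MSI consistency check on the target.

```powershell
# Added example (not from the FortiSIEM guide): check what the non-administrator
# monitoring account can read via WMI after the DCOM/namespace/firewall steps.
# Run from another domain member, not on the monitored server itself.
param(
    [string]$ComputerName = 'WIN-TARGET',          # placeholder: monitored server
    [string]$UserName     = 'CORP\fortisiem-mon'   # placeholder: monitoring account
)

$cred = Get-Credential -UserName $UserName -Message 'Monitoring account password'

# Classes from the table with the guide's "Non-Administrator" column:
# $true = the guide says a non-administrator can pull it, $false = Administrator only.
# Win32_Product is omitted: enumerating it runs an MSI consistency check on the target.
$classes = [ordered]@{
    'Win32_BIOS'                         = $false
    'Win32_ComputerSystem'               = $true
    'Win32_LogicalDisk'                  = $false
    'Win32_NetworkAdapter'               = $true
    'Win32_NetworkAdapterConfiguration'  = $true
    'Win32_NTLogEvent'                   = $true
    'Win32_OperatingSystem'              = $true
    'Win32_Process'                      = $true
    'Win32_Processor'                    = $true
    'Win32_QuickFixEngineering'          = $false
    'Win32_Service'                      = $false
    'Win32_UserAccount'                  = $false
    'Win32_Volume'                       = $true
    'Win32_PerfRawData_PerfOS_Processor' = $true
    'Win32_PerfRawData_PerfOS_Memory'    = $true
}

$results = foreach ($entry in $classes.GetEnumerator()) {
    $class = $entry.Key
    try {
        # Get-WmiObject talks DCOM (TCP 135 plus a dynamic port), which is what
        # FortiSIEM's WMI pull uses. Take one instance only so large classes such
        # as Win32_NTLogEvent do not make the check slow.
        $null = Get-WmiObject -Class $class -Namespace 'root\cimv2' `
                    -ComputerName $ComputerName -Credential $cred -ErrorAction Stop |
                Select-Object -First 1
        $status = 'readable'
    } catch {
        $status = "denied ($($_.Exception.Message.Trim()))"
    }

    [pscustomobject]@{
        Class            = $class
        NonAdminExpected = $entry.Value
        Status           = $status
        # A class the guide marks as readable by a non-administrator that still
        # fails means the DCOM or WMI namespace permission steps are incomplete.
        NeedsAttention   = ($entry.Value -and $status -ne 'readable')
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object NeedsAttention) {
    Write-Warning 'Classes the guide lists as readable by a non-administrator failed; recheck the DCOM and WMI namespace permissions.'
}
```

Classes marked Administrator only in the table are expected to fail for the monitoring account; those rows are informational, while a failure in a row marked readable points at an incomplete permission step.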

Windows Agent Configurations

For information on configuring Windows Agent, see Windows Agent Installation Guide.

Syslog Configurations

See the Windows Agent Installation Guide for information on configuring the sending of syslogs from your device to
FortiSIEM.

Sample Windows Server Syslog

<108>2014 Dec 17 15:05:47 CorreLog_Win_Agent 1NDCITVWCVLT05.tsi.lan Login Monitor: Local Console User Login: User Name: weighalll-admin

Configuring the Security Audit Logging Policy

Because Windows generates a lot of security logs, you should specify the categories of events that you want logged and
available for monitoring by FortiSIEM.
1. Log in to the machine where you want to configure the policy as an administrator.
2. Go to Programs > Administrative Tools > Local Security Policy.
3. Expand Local Policies and select Audit Policy.
You will see the current security audit settings.
4. Select a policy and edit the Local Security Settings for the events you want audited. Recommended settings are:

Policy: Audit account logon events and Audit logon events
Description: For auditing logon activity
Settings: Select Success and Failure

Policy: Audit object access events
Description: For auditing access to files and folders. There is an additional configuration requirement for specifying
which files and folders, users and user actions will be audited. See the next section, Configuring the File Auditing
Policy.
Settings: Select Success and Failure

Policy: Audit system events
Description: Includes system up/down messages

Configuring the File Auditing Policy

When you enable the policy to audit object access events, you also must specify which files, folders, and user actions
will be logged. You should be very specific with these settings, and set their scope to be as narrow as possible to avoid
excessive logging. For this reason you should also specify system-level folders for auditing.
1. Log in to the machine where you want to set the policy with administrator privileges.
On a domain computer, a Domain administrator account is needed.
2. Open Windows Explorer, select the file you want to set the auditing policy for, right-click on it, and select
Properties.
3. In the Security tab, click Advanced.
4. Select the Auditing tab, and then click Add.
This button is labeled Edit in Windows 2008.

5. In the Select User or Group dialog, click Advanced, and then find and select the users whose access to this file
you want to monitor.
6. Click OK when you are done adding users.
7. In the Permissions tab, set the permissions for each user you added.
The configuration is now complete. Windows will generate audit events when the users you specified take the actions
specified on the files or folders for which you set the audit policies.
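As an added example (not from the guide), this PowerShell applies the recommended audit policy settings from the previous section with auditpol and adds a narrowly scoped audit entry (SACL) for one folder and one group, then shows what was applied. The folder path and group name are placeholders, and enabling Success and Failure for system events is an assumption, since the table gives no setting for that policy.

```powershell
# Added example (not from the FortiSIEM guide): scriptable equivalent of the
# Local Security Policy and folder-auditing steps above. Run as Administrator.
# On a domain-joined machine, audit settings pushed by Group Policy override
# what is set locally here.
param(
    [string]$AuditPath = 'D:\Shares\Finance',   # placeholder: folder to audit
    [string]$Identity  = 'CORP\finance-users'   # placeholder: group whose access is audited
)

# 1. Audit policy. "Account Logon" and "Logon/Logoff" are the auditpol categories
#    behind "Audit account logon events" and "Audit logon events"; "Object Access"
#    backs "Audit object access events"; "System" backs "Audit system events"
#    (Success and Failure for System is assumed; the guide gives no setting).
$categories = 'Account Logon', 'Logon/Logoff', 'Object Access', 'System'
foreach ($category in $categories) {
    auditpol.exe /set "/category:$category" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for category '$category'" }
}

# 2. Folder SACL. Audit only write/delete-type rights, on this folder, its
#    subfolders and files, so the scope stays as narrow as the guide advises
#    and the server does not flood FortiSIEM with read events.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule($Identity, $rights, $inherit, $prop, $flags)

# -Audit reads the SACL as well as the DACL; this needs SeSecurityPrivilege,
# which is why the guide requires an administrator account.
$acl = Get-Acl -Path $AuditPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $AuditPath -AclObject $acl

# 3. Show the effective audit policy and the folder's audit entries.
foreach ($category in $categories) {
    auditpol.exe /get "/category:$category"
}
(Get-Acl -Path $AuditPath -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```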

Setting Access Credentials

SNMP, Telnet, and SSH Access Credentials for All Devices

See Access Credentials.

LDAP, LDAPS, LDAP Start TLS / OpenLDAP Access Credentials for All Devices

Settings         Value
Name             <set name>
Device Type      Microsoft Windows Server *
Access Protocol  LDAP / LDAPS / LDAP Start TLS
Used For         OpenLDAP
Server Port      389 for LDAP, LDAP Start TLS; 636 for LDAPS
Base DN          Specify the root of the LDAP tree as the Base DN. For example: dc=companyABC,dc=com
Password Config  See Password Configuration
User Name        For user discoveries from an OpenLDAP directory, specify the full DN as the user name.
                 For example: uid=jdoe,ou=hr,ou=unit,dc=companyABC,dc=com
Password         Password of the user able to access this system

LDAP, LDAPS, LDAP Start TLS / Microsoft Active Directory Access Credentials for All Devices

Settings         Value
Name             <set name>
Device Type      Microsoft Windows Server *
Access Protocol  LDAP / LDAPS / LDAP Start TLS
Used For         Microsoft Active Directory
Server Port      389 for LDAP, LDAP Start TLS; 636 for LDAPS
Base DN          Specify the root of the LDAP tree as the Base DN. For example: dc=companyABC,dc=com
NetBIOS/Domain   The domain name or NetBIOS name attribute
Password Config  See Password Configuration
User Name        For Microsoft Active Directory, the user name can be just the login name.
Password         Password of the user able to access this system

WMI Access Credentials for All Devices

Settings         Value
Name             <set name>
Device Type      Microsoft Windows Server *
Access Protocol  WMI
Pull Interval    1 minute
NetBIOS/Domain   The domain name or NetBIOS name attribute
Password Config  See Password Configuration
User Name        Name of the user able to access this system
Password         Password of the user able to access this system

QNAP Turbo NAS

Configuration

Setup in FortiSIEM

Complete these steps in the FortiSIEM UI:
1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
b. Enter these settings in the Access Method Definition dialog box:

Setting          Value
Name             <set name>
Device Type      QNAP Turbo NAS
Access Protocol  See Access Credentials
Port             See Access Credentials
Password config  See Password Configuration

3. In Step 2: Enter IP Range to Credential Associations:
a. Select the name of your credential from the Credentials drop-down list.
b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
c. Click Save.
4. Click Test to test the connection to QNAP Turbo NAS.
5. To see the jobs associated with QNAP, select ADMIN > Pull Events.
6. To see the received events, select ANALYTICS, then enter QNAP in the search box.

Sun Solaris Server

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, generic hardware (cpu, memory, network interface, disk), software (operating system
version, installed software, running processes, open TCP/UDP ports)
Metrics collected: Uptime, CPU/Memory/Network Interface/Disk space utilization, Network Interface Errors, Running
Process Count, Installed Software change, Running process CPU/memory utilization, Running process start/stop,
TCP/UDP port up/down
Used for: Performance Monitoring

Protocol: SSH
Information discovered: Hardware (cpu details, memory)
Metrics collected: Memory paging rate, Disk I/O utilization
Used for: Performance Monitoring

Protocol: Syslog
Information discovered: Vendor, Model
Metrics collected: General logs including Authentication Success/Failure, Privileged logons, User/Group Modification
Used for: Security Monitoring and Compliance

Event Types

In ADMIN > Device Support > Event, search for "solaris" in the Device Type and Description column to see the
event types associated with this device.

Configuration

SNMP v1 and v2c

1. Check whether the netsnmp package is installed. Solaris has built-in SNMP packages. If netsnmp is not installed,
use the pkgadd command to install it.
2. Start the SNMP agent with the default configuration.

SSH

1. Make sure that the vmstat and iostat commands are available. If not, install the packages that provide them.
2. Create a user account that can issue the vmstat and iostat commands. FortiSIEM will use that user account to log
in to the server.

Settings for Access Credentials

SNMP, Telnet, and SSH Access Credentials for All Devices

See Access Credentials.

LDAP, LDAPS, LDAP Start TLS / OpenLDAP Access Credentials for All Devices

Settings         Value
Name             <set name>
Device Type      Sun Solaris
Access Protocol  LDAP / LDAPS / LDAP Start TLS
Used For         OpenLDAP
Server Port      389 for LDAP, LDAP Start TLS; 636 for LDAPS
Base DN          The Distinguished Name (DN) of the starting point for directory server searches
Password Config  See Password Configuration
User Name        Name of the user able to access this system
Password         Password of the user able to access this system

LDAP, LDAPS, LDAP Start TLS / Microsoft Active Directory Access Credentials for All Devices

Settings         Value
Name             <set name>
Device Type      Sun Solaris
Access Protocol  LDAP / LDAPS / LDAP Start TLS
Used For         Microsoft Active Directory
Server Port      389 for LDAP, LDAP Start TLS; 636 for LDAPS
Base DN          The Distinguished Name (DN) of the starting point for directory server searches
NetBIOS/Domain   The domain name or NetBIOS name attribute
Password Config  See Password Configuration
User Name        Name of the user able to access this system
Password         Password of the user able to access this system

Storage

FortiSIEM supports these storage devices for discovery and monitoring.

- Brocade SAN Switch
- Dell Compellent Storage
- Dell EqualLogic Storage
- EMC Clariion Storage
- EMC Isilon Storage
- EMC VNX Storage
- NetApp Data ONTAP
- NetApp Filer Storage
- Nimble Storage
- Nutanix Storage

Brocade SAN Switch

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces,
Physical Disks, Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received,
errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected: Hardware Status: Fan, Power Supply, Temperature (FortiSIEM Event Type: PH_DEV_MON_HW_STATUS)
Used for: Availability Monitoring

Event Types

In ADMIN > Device Support > Event, search for "brocade" in the Description column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting          Value
Name             <set name>
Device Type      Brocade San Switch
Access Protocol  See Access Credentials
Port             See Access Credentials
Password config  See Password Configuration

Dell Compellent Storage

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces,
Physical Disks, Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received,
errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected: Hardware component health: Power, Temperature, Fan
Used for: Availability Monitoring

Protocol: SNMP
Metrics collected: Volume Utilization
Used for: Performance Monitoring

Event Types

- Ping Monitoring: PH_DEV_MON_PING_STAT
- Interface Utilization: PH_DEV_MON_NET_INTF_UTIL
- Hardware Status: PH_DEV_MON_HW_STATUS
- Disk Utilization: PH_DEV_MON_DISK_UTIL

Rules

Availability

- Storage Hardware Warning
- Storage Hardware Critical

Performance (Fixed threshold)

- NFS Disk Space Warning
- NFS Disk Space Critical

Reports

- Dell Compellent Hardware Status
- Top Dell Compellent Devices By Disk Space Util
- Top Dell Compellent Devices By Disk Space Util (Detailed)
- Top Dell Compellent modules by fan speed
- Top Dell Compellent modules by temperature
- Top Dell Compellent modules by voltage

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting          Value
Name             <set name>
Device Type      Dell Compellent Storage
Access Protocol  See Access Credentials
Port             See Access Credentials
Password config  See Password Configuration

Dell EqualLogic Storage

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces,
Physical Disks, Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received,
errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected: Hardware component health: Component name (Disk, Power supply, Temperature, Fan, RAID health),
Component status, Host spare ready disk count; Overall Disk health metrics: Total disk count, Active disk count,
Failed disk count, Spare disk count
Used for: Availability Monitoring

Protocol: SNMP
Metrics collected: Connection metrics: Connection Count, Read request rate (IOPS), Write request rate (IOPS), Read
latency, Write latency, Read volume (KBps), Write volume (KBps); Disk performance metrics: Disk Name, Disk I/O
Utilization, Disk I/O Queue, Read volume (KBps), Write volume (KBps); Group level performance metrics: Total storage,
Used storage, Reserved storage, Reserved used storage, Total volumes, Used volumes, Online volumes, Total snapshot,
Used snapshot, Online snapshot
Used for: Performance Monitoring

Event Types

In ADMIN > Device Support > Event, search for "equallogic" in the Description column to see the event types
associated with this device.

Rules

In RESOURCE > Rules, search for "equallogic" in the Name column to see the rules associated with this device.

Reports

In RESOURCE > Reports, search for "equallogic" in the Name column to see the reports associated with this
device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting          Value
Name             <set name>
Device Type      Dell EqualLogic
Access Protocol  See Access Credentials
Port             See Access Credentials
Password config  See Password Configuration

EMC Clariion Storage

- What is Discovered and Monitored
- Configuration

What is Discovered and Monitored

Protocol: NaviSecCLI
Information discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces*,
Installed Software, Storage Controller Ports, Hardware components: Enclosures, Fan, Power Supply, Link Control Card,
CPU, Disk; RAID Groups and the assigned disks; LUNs and LUN -> RAID Group mappings; Storage Groups and memberships
(Host, Port, LUN).
Metrics collected:
  Processor utilization: SP Name, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write
  volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  Port I/O: Port name, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write volume (KBps),
  Read/Write request rate (IOPS), Read/Write volume (KBps)
  RAID Group I/O: RAID Group id, RAID type, Total disk, Read request rate (IOPS), Write request rate (IOPS), Read
  volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  LUN I/O: LUN name, LUN id, Total disk, Used disk, Free disk, Disk util, Read request rate (IOPS), Write request rate
  (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  Host HBA Connectivity: Source IP, Source Name, Source WWN, Dest IP, Destination Name, SP Port Name, Storage Group,
  LUN Names, Login Status, Registration Status
  Host HBA Unregistered Host: Source IP, Source Name, Source WWN, Dest IP, Destination Name, SP Port Name
  Hardware component health: Component name (Disk, Power supply, LCC, Fan, Link, Port), Component status, Host spare
  ready disk count
  Overall Disk health: Total disk count, Total disk size (MB), Active disk count, Failed disk count, Spare disk count
Used for: Availability and Performance Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "clariion" to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Installing the NaviSecCLI Library in FortiSIEM

Changing NaviSecCLI Credentials

If you change the NaviSecCLI credentials on your EMC Clariion device, the certificates may also be changed and
naviseccli may prompt you to accept new certificates. This should happen only the first time after a certificate change;
until the new certificate is accepted, however, FortiSIEM discovery and performance monitoring will fail. You must run
NaviSecCLI manually on each Supervisor and Worker in your deployment and accept the certificate, and then rediscover
your EMC Clariion device for performance monitoring to resume.

Configuration of your EMC Clariion storage device involves installing EMC's NaviSecCLI library in your FortiSIEM virtual
appliance, and then setting the access credentials that the appliance will use to communicate with your device.
1. Log in to your FortiSIEM virtual appliance as root.
2. Copy the file NaviCLI-Linux-64-x86-versionxyz.rpm to the FortiSIEM directory.
3. Run rpm -Uvh NaviCLI-Linux-64-x86-versionxyz.rpm to install the rpm package.
[root@Rob-SP-94 tmp]# rpm -Uvh NaviCLI-Linux-64-x86-en_US-7.30.15.0.44-1.x86_64.rpm
Preparing... ########################################### [100%]
1:NaviCLI-Linux-64-x86-en########################################### [100%]
Please enter the verifying level(low|medium|l|m) to set?
m
Setting medium verifying level
[root@Rob-SP-94 opt]# ls -la
total 40
drwxr-xr-x 8 root root 4096 Aug 22 16:06 .
drwxr-xr-x 29 root root 4096 Aug 16 16:46 ..
drwxr-xr-x 11 admin admin 4096 Jul 23 18:56 glassfish
lrwxrwxrwx 1 root root 16 Aug 16 16:46 Java -> /opt/jdk1.6.0_32
drwxr-xr-x 8 root root 4096 Jun 2 16:35 jdk1.6.0_32
drwxr-xr-x 5 root root 4096 Aug 22 16:06 Navisphere <----Note this directory was created***
drwxrwxr-x 14 admin admin 4096 Jul 24 11:22 phoenix
drwxrwxr-x 3 root root 4096 Jun 2 16:36 rpm
drwxr-xr-x 8 root root 4096 Jun 18 2010 vmware
[root@Rob-SP-94 opt]#

4. Switch to the admin user (su - admin) and make sure that this user can run the command
naviseccli -h <IPAddress> -User <user> -Password <pwd> -Scope global getall -sp from the directory
/opt/phoenix/bin.
[root@Rob-SP-94 Navisphere]# cd bin
[root@Rob-SP-94 bin]# su - admin
[admin@Rob-SP-94 ~]$ naviseccli
Not enough arguments
Usage:
[-User <username>] [-Password <password>]
[-Scope <0 - global; 1 - local; 2 - LDAP>]
[-Address <IPAddress | NetworkName> | -h <IPAddress | NetworkName>]
[-Port <portnumber>] [-Timeout <timeout> | -t <timeout>]
[-AddUserSecurity | -RemoveUserSecurity | -DeleteSecurityEntry]
[-Parse | -p] [-NoPoll | -np] [-cmdtime]
[-Xml] [-f <filename>] [-Help] CMD <Optional Arguments>[security -certificate]
[admin@Rob-SP-94 ~]$ pwd
/opt/phoenix/bin

5. Make sure that the Navisphere Analyzer module is on.
If the module is off, performance metrics will not be available and discovery will fail. This log shows an example of
the module being turned off.
[admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 getall -sp
Server IP Address: 192.168.1.100
Agent Rev: 7.32.26 (0.95)
SP Information
--------------
Storage Processor: SP A
Storage Processor Network Name: A-IMAGE
Storage Processor IP Address: 192.168.1.100
Storage Processor Subnet Mask: 255.255.255.0
Storage Processor Gateway Address: 192.168.1.254
Storage Processor IPv6 Mode: Not Supported
Management Port Settings:
Link Status: Link-Up
Current Speed: 1000Mbps/full duplex
Requested Speed: Auto
Auto-Negotiate: YES
Capable Speeds: 1000Mbps half/full duplex
10Mbps half/full duplex
100Mbps half/full duplex
Auto
System Fault LED: OFF
Statistics Logging: OFF <----- Note: performance statistics are not being collected,
                               so AccelOps cannot pull stats and discovery will fail.
                               See how to turn ON Statistics Logging below.
SP Read Cache State Enabled
SP Write Cache State Enabled
....

6. If the Navisphere Analyzer module is off, turn it on with the setstats -on command.
[admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 setstats -on
[admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 getall -sp
Server IP Address: 192.168.1.100
Agent Rev: 7.32.26 (0.95)

SP Information
--------------
Storage Processor: SP A
Storage Processor Network Name: A-IMAGE
Storage Processor IP Address: 192.168.1.100
Storage Processor Subnet Mask: 255.255.255.0
Storage Processor Gateway Address: 192.168.1.254
Storage Processor IPv6 Mode: Not Supported
Management Port Settings:
Link Status: Link-Up
Current Speed: 1000Mbps/full duplex
Requested Speed: Auto
Auto-Negotiate: YES
Capable Speeds: 1000Mbps half/full duplex
10Mbps half/full duplex
100Mbps half/full duplex
Auto
System Fault LED: OFF
Statistics Logging: ON <---NOTE that statistics Logging is now ON.
SP Read Cache State Enabled
SP Write Cache State Enabled
Max Requests: N/A
Average Requests: N/A
Hard errors: N/A
Total Reads: 1012
Total Writes: 8871
Prct Busy: 6.98
Prct Idle: 93.0
System Date: 10/04/2013
Day of the week: Friday
System Time: 11:23:48
Read_requests: 1012
Write_requests: 8871
Blocks_read: 26259
Blocks_written: 235896
Sum_queue_lengths_by_arrivals: 27398
Arrivals_to_non_zero_queue: 3649
....

7. Once this command runs successfully, you are ready to set the access credentials for your device in FortiSIEM
and initiate the discovery process.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your EMC Clariion storage
device over NaviSecCLI.

Setting          Value
Name             <set name>
Device Type      EMC Clariion
Access Protocol  Navisec CLI
Use LDAP         Select to use LDAP to access directory services
User Name        The user you configured to access NaviSecCLI
Password         The password associated with the user

EMC Isilon Storage

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces,
Physical Disks, Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received,
errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected: Hardware component health: Component name (Disk, Power supply, Temperature, Fan), Component status
(AO event type: PH_DEV_MON_HW_STATUS); Environmental: Temperature (AO event type: PH_DEV_MON_HW_TEMP), Voltage
readings (AO event type: PH_DEV_MON_HW_VOLTAGE); Cluster membership change (AO event type:
PH_DEV_MON_ISILON_CLUSTER_MEMBERSHIP_CHANGE)
Used for: Availability Monitoring

Event Types

In ADMIN > Device Support > Event, search for "isilon" in the Description column to see the event types
associated with this device.

Rules

In RESOURCE > Rules, search for "isilon" in the Name column to see the rules associated with this device.

Reports

In RESOURCE > Reports, search for "isilon" in the Name column to see the reports associated with this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Settings for Access Credentials

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the
Name and Community String.

Setting           Value
Name              <set name>
Device Type       Generic
Access Protocol   SNMP
Community String  <your own>

EMC VNX Storage Configuration

Configuring EMC VNX

Like EMC Clariion, FortiSIEM uses Navisec CLI to discover the device and to collect performance metrics. The only
difference is that a slightly different command is used and the output is XML formatted.

Protocol: Navisec CLI
Information discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces*,
Installed Software, Storage Controller Ports, Hardware components: Enclosures, Fan, Power Supply, Link Control Card,
CPU, Disk; Storage Pools, RAID Groups and the assigned disks; LUNs and LUN -> Storage Pool and RAID Group mappings;
Storage Groups and memberships (Host, Port, LUN)
Metrics collected:
  Processor utilization: SP Name, Read request rate (IOPS), Write request rate (IOPS), Read volume (KBps), Write
  volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  Storage Pool I/O: RAID Group id, RAID type, Total disk, Read request rate (IOPS), Write request rate (IOPS), Read
  volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  LUN I/O: LUN name, LUN id, Total disk, Used disk, Free disk, Disk util, Read request rate (IOPS), Write request rate
  (IOPS), Read volume (KBps), Write volume (KBps), Read/Write request rate (IOPS), Read/Write volume (KBps)
  Host HBA Connectivity: Source IP, Source Name, Source WWN, Dest IP, Destination Name, SP Port Name, Storage Group,
  LUN Names, Login Status, Registration Status
  Host HBA Unregistered Host: Source IP, Source Name, Source WWN, Dest IP, Destination Name, SP Port Name
  Hardware component health: Component name (Disk, Power supply, LCC, Fan, Link, Port), Component status, Host spare
  ready disk count
  Overall Disk health: Total disk count, Total disk size (MB), Active disk count, Failed disk count, Spare disk count
Used for: Availability and Performance Monitoring

Configuration

Installing the NaviSecCLI Library in FortiSIEM

Changing NaviSecCLI Credentials

If you change the NaviSecCLI credentials on your EMC Clariion device, the certificates may also be changed and
naviseccli may prompt you to accept new certificates. This should happen only the first time after a certificate change;
until the new certificate is accepted, however, FortiSIEM discovery and performance monitoring will fail. You must run
NaviSecCLI manually on each Supervisor and Worker in your deployment and accept the certificate, and then rediscover
your EMC Clariion device for performance monitoring to resume.

Configuration of your EMC Clariion storage device involves installing EMC's NaviSecCLI library in your FortiSIEM virtual
appliance, and then setting the access credentials that the appliance will use to communicate with your device.
1. Log in to your FortiSIEM virtual appliance as root.
2. Copy the file NaviCLI-Linux-64-x86-versionxyz.rpm to the FortiSIEM directory.
3. Run rpm -Uvh NaviCLI-Linux-64-x86-versionxyz.rpm to install the rpm package.
[root@Rob-SP-94 tmp]# rpm -Uvh NaviCLI-Linux-64-x86-en_US-7.30.15.0.44-1.x86_64.rpm
Preparing... ########################################### [100%]
1:NaviCLI-Linux-64-x86-en########################################### [100%]
Please enter the verifying level(low|medium|l|m) to set?
m
Setting medium verifying level
[root@Rob-SP-94 opt]# ls -la
total 40
drwxr-xr-x 8 root root 4096 Aug 22 16:06 .
drwxr-xr-x 29 root root 4096 Aug 16 16:46 ..
drwxr-xr-x 11 admin admin 4096 Jul 23 18:56 glassfish
lrwxrwxrwx 1 root root 16 Aug 16 16:46 Java -> /opt/jdk1.6.0_32
drwxr-xr-x 8 root root 4096 Jun 2 16:35 jdk1.6.0_32
drwxr-xr-x 5 root root 4096 Aug 22 16:06 Navisphere <----Note this directory was created***
drwxrwxr-x 14 admin admin 4096 Jul 24 11:22 phoenix
drwxrwxr-x 3 root root 4096 Jun 2 16:36 rpm
drwxr-xr-x 8 root root 4096 Jun 18 2010 vmware
[root@Rob-SP-94 opt]#

4. Switch to the admin user (su - admin) and make sure that this user can run the command
naviseccli -h <IPAddress> -User <user> -Password <pwd> -Scope global getall -sp from the directory
/opt/phoenix/bin.
[root@Rob-SP-94 Navisphere]# cd bin
[root@Rob-SP-94 bin]# su - admin
[admin@Rob-SP-94 ~]$ naviseccli
Not enough arguments
Usage:
[-User <username>] [-Password <password>]
[-Scope <0 - global; 1 - local; 2 - LDAP>]
[-Address <IPAddress | NetworkName> | -h <IPAddress | NetworkName>]
[-Port <portnumber>] [-Timeout <timeout> | -t <timeout>]
[-AddUserSecurity | -RemoveUserSecurity | -DeleteSecurityEntry]
[-Parse | -p] [-NoPoll | -np] [-cmdtime]
[-Xml] [-f <filename>] [-Help] CMD <Optional Arguments>[security -certificate]

FortiSIEM 6.1.2 External Systems Configuration Guide 637


Fortinet Technologies Inc.
Storage

[admin@Rob-SP-94 ~]$ pwd
/opt/phoenix/bin

5. Make sure that the Navisphere Analyzer module is on and that Statistics Logging is enabled on the storage processor.
If it is off, performance metrics will not be available and discovery will fail. The following getall -sp output shows
Statistics Logging in the OFF state.
[admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 getall -sp
Server IP Address: 192.168.1.100
Agent Rev: 7.32.26 (0.95)
SP Information
--------------
Storage Processor: SP A
Storage Processor Network Name: A-IMAGE
Storage Processor IP Address: 192.168.1.100
Storage Processor Subnet Mask: 255.255.255.0
Storage Processor Gateway Address: 192.168.1.254
Storage Processor IPv6 Mode: Not Supported
Management Port Settings:
Link Status: Link-Up
Current Speed: 1000Mbps/full duplex
Requested Speed: Auto
Auto-Negotiate: YES
Capable Speeds: 1000Mbps half/full duplex
10Mbps half/full duplex
100Mbps half/full duplex
Auto
System Fault LED: OFF
Statistics Logging: OFF <----- Statistics Logging is OFF: performance statistics are not being collected,
so FortiSIEM cannot pull them and discovery will fail. Step 6 shows how to turn it on.
SP Read Cache State Enabled
SP Write Cache State Enabled
....

6. If Statistics Logging is off, turn it on with the setstats -on command, then run getall -sp again to confirm.
[admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 setstats -on
[admin@accelops ~]$ naviseccli -user admin -password admin*1 -scope 0 -h 192.168.1.100 getall -sp
Server IP Address: 192.168.1.100
Agent Rev: 7.32.26 (0.95)
SP Information
--------------
Storage Processor: SP A
Storage Processor Network Name: A-IMAGE
Storage Processor IP Address: 192.168.1.100
Storage Processor Subnet Mask: 255.255.255.0
Storage Processor Gateway Address: 192.168.1.254
Storage Processor IPv6 Mode: Not Supported
Management Port Settings:
Link Status: Link-Up
Current Speed: 1000Mbps/full duplex
Requested Speed: Auto
Auto-Negotiate: YES
Capable Speeds: 1000Mbps half/full duplex
10Mbps half/full duplex
100Mbps half/full duplex
Auto
System Fault LED: OFF
Statistics Logging: ON <----- Statistics Logging is now ON.
SP Read Cache State Enabled
SP Write Cache State Enabled
Max Requests: N/A
Average Requests: N/A
Hard errors: N/A
Total Reads: 1012
Total Writes: 8871
Prct Busy: 6.98
Prct Idle: 93.0
System Date: 10/04/2013
Day of the week: Friday
System Time: 11:23:48
Read_requests: 1012
Write_requests: 8871
Blocks_read: 26259
Blocks_written: 235896
Sum_queue_lengths_by_arrivals: 27398
Arrivals_to_non_zero_queue: 3649
....

7. Once this command runs successfully, you are ready to set the access credentials for your device in FortiSIEM
and initiate the discovery process.
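
Steps 4 to 6 as a script, added here as an example; it is not part of this guide or of FortiSIEM. It reads the
Statistics Logging line from getall -sp, issues setstats -on when it is OFF, and reads again to confirm. naviseccli is
run with stdin closed and a timeout, so a node that is still waiting for a certificate to be accepted (the failure
described at the top of this section) fails fast with a message instead of hanging the job. The sample output and the
FakeSP stand-in are constructed so the script runs offline; the argv layout follows the usage text naviseccli prints,
and, exactly as with the manual commands, the password is visible in the process list while a command runs.

```python
import re
import subprocess
from typing import Callable, List, Optional

# Constructed excerpt of "getall -sp" output, in the shape of the transcript above (offline test data).
SAMPLE_GETALL_OFF = """Server IP Address: 192.168.1.100
Agent Rev: 7.32.26 (0.95)
SP Information
--------------
Storage Processor: SP A
System Fault LED: OFF
Statistics Logging: OFF
SP Read Cache State Enabled
SP Write Cache State Enabled
"""

_STATS_LINE = re.compile(r"^\s*Statistics Logging:\s*(ON|OFF)\b", re.MULTILINE | re.IGNORECASE)


def statistics_logging_state(getall_output: str) -> Optional[str]:
    """Return "ON" or "OFF" from getall -sp output, or None if the line is missing."""
    match = _STATS_LINE.search(getall_output)
    return match.group(1).upper() if match else None


def naviseccli_argv(sp_ip: str, user: str, password: str, *command: str) -> List[str]:
    """Build the argv used in steps 4 to 6. -Scope 0 is "global" per the usage text above.
    As with the manual commands, the password is visible in the process list while this runs."""
    return ["naviseccli", "-h", sp_ip, "-User", user, "-Password", password, "-Scope", "0", *command]


def run_naviseccli(argv: List[str], timeout: int = 120) -> str:
    """Run naviseccli non-interactively and return its stdout.
    stdin is closed so a pending certificate prompt cannot hang the caller; the call times out
    instead and the operator is told to accept the certificate by hand."""
    try:
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL, capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        raise RuntimeError("naviseccli did not finish; if it is waiting for a new SP certificate "
                           "to be accepted, run it interactively as admin on this node, then retry") from None
    if proc.returncode != 0:
        raise RuntimeError(f"naviseccli exited {proc.returncode}: "
                           f"{proc.stderr.strip() or proc.stdout.strip()}")
    return proc.stdout


def ensure_statistics_logging(sp_ip: str, user: str, password: str,
                              run: Callable[[List[str]], str] = run_naviseccli) -> str:
    """Steps 5 and 6 in one go: read the state, enable logging if OFF, and verify the change."""
    state = statistics_logging_state(run(naviseccli_argv(sp_ip, user, password, "getall", "-sp")))
    if state is None:
        raise RuntimeError("no 'Statistics Logging' line in getall -sp output; check credentials")
    if state == "ON":
        return state
    run(naviseccli_argv(sp_ip, user, password, "setstats", "-on"))
    state = statistics_logging_state(run(naviseccli_argv(sp_ip, user, password, "getall", "-sp")))
    if state != "ON":
        raise RuntimeError(f"setstats -on did not take effect, Statistics Logging is {state}")
    return state


class FakeSP:
    """Offline stand-in for a storage processor (constructed for this example): answers
    getall -sp from the sample above and flips Statistics Logging when setstats -on is issued."""

    def __init__(self, enabled: bool = False) -> None:
        self.enabled = enabled
        self.calls: List[List[str]] = []

    def __call__(self, argv: List[str]) -> str:
        self.calls.append(argv)
        command = argv[argv.index("-Scope") + 2:]
        if command == ["setstats", "-on"]:
            self.enabled = True
            return ""
        if command == ["getall", "-sp"]:
            out = SAMPLE_GETALL_OFF
            return out.replace("Statistics Logging: OFF", "Statistics Logging: ON") if self.enabled else out
        raise ValueError(f"unexpected naviseccli command {command}")


if __name__ == "__main__":
    # Against a real SP: ensure_statistics_logging("192.168.1.100", "admin", "<pwd>")
    sp = FakeSP()
    print(ensure_statistics_logging("192.168.1.100", "admin", "secret", run=sp))
```

Run it as the admin user on every Supervisor and Worker, since that is the account FortiSIEM uses and the one whose
accepted-certificate state matters.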

Setting the IP Address for Credential Mapping

Enter the Storage Processor IP address when you associate your device's access credentials to an IP address during
the credential set up process. Do not enter any other IP address, such as the Control Station IP.

Settings for Access Credentials

Use these Access Method Definition settings to allow FortiSIEM to access your EMC VNX storage device over
NaviSecCLI.

Name: <set name>
Device Type: EMC VNX
Access Protocol: Navisec CLI
Use LDAP: Select to use LDAP to access directory services
User Name: The user you configured to access NaviSecCLI
Password: The password associated with the user


NetApp DataONTAP

- Supported Version
- Configuration

Supported Version

FortiSIEM supports the latest NetApp ONTAP API version listed here:
- NetApp ONTAP API 8.2

Configuration

Setup in FortiSIEM

Complete these steps in the FortiSIEM UI:

1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
b. Enter these settings in the Access Method Definition dialog box:

Name: Enter a name for the credential.
Device Type: NetApp DataONTAP
Access Protocol: NetApp ONTAPI
Transport: HTTP or HTTPS. Use HTTPS; with HTTP the user name and password below cross the network in the clear.
Pull Interval: 5 minutes
User Name: User name for device access
Password: Password for device access
Description: Description about the device

3. In Step 2: Enter IP Range to Credential Associations, click New.
a. Enter a host name, an IP, or an IP range in the IP/Host Name field.
b. Select the name of your credential from the Credentials drop-down list.
c. Click Save.
4. Click the Test drop-down list and select Test Connectivity to test the connection to NetApp DataONTAP.
5. To see the jobs associated with DataONTAP, select ADMIN > Setup > Pull Events.
6. To see the received events, select ANALYTICS, then enter "DataONTAP" in the search box.


NetApp Filer Storage

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces,
Logical volumes, Physical Disks
Metrics collected: Uptime, CPU utilization, Network Interface metrics (utilization, bytes sent and received, packets
sent and received, errors, discards and queue lengths), Logical Disk Volume utilization
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected: Hardware component health: Component name (Battery, Disk, Power supply, Temperature, Fan),
Component status, Failed power supply count, Failed Fan Count. Overall Disk health metrics: Total disk count, Active
disk count, Failed disk count, Spare disk count, Reconstructing disk count, Scrubbing disk count, Add spare disk count
Used for: Availability Monitoring

Protocol: SNMP
Metrics collected: NFS metrics: Cache age, CIFS request rate (IOPS), NFS request rate (IOPS), Disk read rate (IOPS),
Disk write rate (IOPS), Network Sent rate (Kbps), Network received rate (Kbps), RPC Bad calls, NFS Bad calls, CIFS Bad
calls. Detailed NFS V3 metrics: Read request rate (IOPS), Write request rate (IOPS), Read latency, Write latency, Read
volume (KBps), Write volume (KBps). Detailed NFS V4 metrics: Read request rate (IOPS), Write request rate (IOPS),
Read latency, Write latency, Read volume (KBps), Write volume (KBps). Detailed CIFS metrics: Total Read/Write rate
(IOPS), Latency. Detailed ISCSI metrics: Read request rate (IOPS), Write request rate (IOPS), Read latency, Write
latency, Read volume (KBps), Write volume (KBps). Detailed FCP metrics: Read request rate (IOPS), Write request rate
(IOPS), Read latency, Write latency, Read volume (KBps), Write volume (KBps). Detailed LUN metrics: LUN Name, Read
request rate (IOPS), Write request rate (IOPS), Read/Write latency, Read volume (KBps), Write volume (KBps), Disk
queue full
Used for: Performance Monitoring

Protocol: ONTAP API
Metrics collected: Detailed Aggregate metrics: Aggregate name, Read request rate (IOPS), Write request rate (IOPS),
Transfer rate, CP Read rate. Detailed Volume metrics: Volume Name, Disk Read request rate (IOPS), Disk Write request
rate (IOPS), Disk read latency, Disk write latency, NFS Read request rate (IOPS), NFS Write request rate (IOPS), NFS
Read latency, NFS Write latency, CIFS Read request rate (IOPS), CIFS Write request rate (IOPS), CIFS Read latency,
CIFS Write latency, SAN Read request rate (IOPS), SAN Write request rate (IOPS), SAN Read latency, SAN Write latency.
Detailed Disk performance metrics: Disk Name, Disk Utilization, Read request rate (IOPS), Write request rate (IOPS),
Read latency, Write latency, Transfer operations rate
Used for: Performance Monitoring

Event Types

In ADMIN > Device Support > Event, search for "netapp" in the Device Type column to see the event types
associated with this device.

Rules

In RESOURCE > Rules, search for "netapp" in the Name column to see the rules associated with this device.

Reports

In RESOURCE > Reports , search for "netapp" in the Name column to see the reports associated with this device.

Configuration

SNMP

1. Log in to your NetApp device with administrative privileges.
2. Go to SNMP > Configure.
3. For SNMP Enabled, select Yes.
4. Under Communities, create a community with Read-Only permissions. Use your own community string rather than the
well-known default "public" (the community string is the only authentication SNMP v1/v2c offers), and where the device
lets you restrict SNMP access by source address, allow only your FortiSIEM collectors.
5. Click Apply.


Settings for Access Credentials

SNMP Access Credentials for All Devices


Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the
Name and Community String.

Name: <set name>
Device Type: Generic
Access Protocol: SNMP
Community String: <your own>


Nimble Storage

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces,
Physical Disks, Components
Metrics collected: Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received,
errors, discards and queue lengths)
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected: Storage Disk Utilization: Disk name, Total Disk, Used Disk, Free Disk, Disk Utilization
Used for: Availability Monitoring

Protocol: SNMP
Metrics collected: Storage Performance metrics: Read rate (IOPS), Sequential Read Rate (IOPS), Write rate (IOPS),
Sequential Write Rate (IOPS), Read latency, Write latency, Read volume (KBps), Sequential Read volume (KBps),
Sequential Write volume (KBps), Used Volume (MB), Used Snapshot (MB), Non-Sequential Cache Hit Ratio (FortiSIEM
Event Type: PH_DEV_MON_NIMBLE_GLOBAL_STAT)
Used for: Performance Monitoring

Event Types

In ADMIN > Device Support > Event, search for "nimble" in the Description column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.


Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Nimble Storage NimbleOS
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration


Nutanix Storage

- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, Operating system version, Hardware model, Serial number, Network interfaces,
Physical Disks, Components
Metrics collected: Uptime, Process count, CPU utilization, Real and virtual memory utilization, Disk utilization,
Process CPU/Memory utilization, Network Interface metrics
Used for: Availability and Performance Monitoring

Protocol: SNMP
Metrics collected: Disk Status: Cluster, Controller VM, Disk id, Disk serial, Disk utilization, Total Disk, Used Disk,
Free Disk. Disk Temp: Disk Id, disk serial, Controller VM, temperature. Cluster Status: Cluster, Cluster version,
storage utilization, total storage, used storage, IOPS, latency. Service Status: Cluster, Controller VM, Cluster VM
Status, Zeus Status, Stargate Status
Used for: Availability Monitoring

Protocol: SNMP
Metrics collected: Storage Pool Info: Cluster, storage pool name, storage utilization, total storage, used storage,
IOPS, latency. Container Info: Cluster, Container name, storage utilization, total storage, used storage, IOPS, latency
Used for: Performance Monitoring

Event Types

- PH_DEV_MON_SYS_CPU_UTIL
[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,
[lineNumber]=1468,[cpuName]=Generic CPU,[hostName]=NTNX-14SM15290052-A-CVM,
[hostIpAddr]=10.0.252.20,[cpuUtil]=100.000000,[sysCpuUtil]=0.000000,[userCpuUtil]=0.000000,
[waitCpuUtil]=0.000000,[kernCpuUtil]=0.000000,[contextSwitchPersec]=0.000000,
[cpuInterruptPersec]=0.000000,[pollIntv]=177,[cpuCore]=8,[loadAvg1min]=2.500000,
[loadAvg5min]=2.500000,[loadAvg15min]=2.390000,[phLogDetail]=

- PH_DEV_MON_SYS_MEM_UTIL
[PH_DEV_MON_SYS_MEM_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,
[lineNumber]=9587,[memName]=Physical Memory,[hostName]=NTNX-14SM15290052-A-CVM,
[hostIpAddr]=10.0.252.20,[memUtil]=93.210754,[pollIntv]=177,[phLogDetail]=

- PH_DEV_MON_SYS_VIRT_MEM_UTIL
[PH_DEV_MON_SYS_VIRT_MEM_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,
[lineNumber]=9590,[memName]=Virtual memory,[hostName]=NTNX-14SM15290052-A-CVM,
[hostIpAddr]=10.0.252.20,[virtMemUsedKB]=30773124,[virtMemUtil]=93.210754,[pollIntv]=177,
[phLogDetail]=

- PH_DEV_MON_SYS_UPTIME
[PH_DEV_MON_SYS_UPTIME]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,
[lineNumber]=1065,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.252.20,
[sysUpTime]=1815730,[sysUpTimePct]=100.000000,[sysDownTime]=0,[pollIntv]=56,[phLogDetail]=

- PH_DEV_MON_SYS_DISK_UTIL
[PH_DEV_MON_SYS_DISK_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,
[lineNumber]=9664,[diskName]=/home/nutanix/data/stargate-storage/disks/9XG6R3HG,
[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.252.20,[appTransportProto]=SNMP
(hrStorage),[diskUtil]=9.229729,[totalDiskMB]=938899,[usedDiskMB]=86658,
[freeDiskMB]=852241,[pollIntv]=176,[phLogDetail]=

- PH_DEV_MON_NET_INTF_UTIL
[PH_DEV_MON_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phIntfFilter.cpp,
[lineNumber]=319,[intfName]=eth0,[intfAlias]=,[hostName]=NTNX-14SM15290052-A-CVM,
[hostIpAddr]=10.0.252.20,[pollIntv]=56,[recvBytes64]=0,[recvBitsPerSec]=0.000000,
[inIntfUtil]=0.000000,[sentBytes64]=0,[sentBitsPerSec]=0.000000,[outIntfUtil]=0.000000,
[recvPkts64]=0,[sentPkts64]=0,[inIntfPktErr]=0,[inIntfPktErrPct]=0.000000,
[outIntfPktErr]=0,[outIntfPktErrPct]=0.000000,[inIntfPktDiscarded]=0,
[inIntfPktDiscardedPct]=0.000000,[outIntfPktDiscarded]=0,[outIntfPktDiscardedPct]=0.000000,
[outQLen64]=0,[intfInSpeed64]=10000000000,[intfOutSpeed64]=10000000000,
[intfAdminStatus]=up,[intfOperStatus]=up,[daysSinceLastUse]=0,[totIntfPktErr]=0,
[totBitsPerSec]=0.000000,[phLogDetail]=

- PH_DEV_MON_PROC_RESOURCE_UTIL
[PH_DEV_MON_PROC_RESOURCE_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,
[lineNumber]=4378,[swProcName]=python,[hostName]=NTNX-14SM15290052-A-CVM,
[hostIpAddr]=10.0.23.20,[procOwner]=,[memUtil]=0.379639,[cpuUtil]=0.000000,
[appName]=python,[appGroupName]=,[pollIntv]=116,[swParam]=/home/nutanix/ncc/bin/health_
server.py --log_plugin_output=true --logtostderr=true,[phLogDetail]=

- PH_DEV_MON_SYS_PROC_COUNT
[PH_DEV_MON_SYS_PROC_COUNT]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,
[lineNumber]=11378,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.252.20,
[procCount]=327,[pollIntv]=176,[phLogDetail]=

- PH_DEV_MON_NUTANIX_DISK_STATUS
[PH_DEV_MON_NUTANIX_DISK_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=devNutanix.cpp,
[lineNumber]=216,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.23.20,
[cluster]=AmanoxLab01,[diskId]=24,[ntxControllerVMId]=7,[hwDiskSerial]=9XG6V4DS,
[diskUtil]=35.704633,[totalDiskMB]=916,[freeDiskMBNonRoot]=589,[inodeUsedPct]=0.234492,
[inodeMax]=61054976,[inodeFreeNonRoot]=60911807,[phLogDetail]=

- PH_DEV_MON_NUTANIX_CLUSTER_STATUS
[PH_DEV_MON_NUTANIX_CLUSTER_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=devNutanix.cpp,
[lineNumber]=272,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.23.20,
[cluster]=Lab01,[clusterVersion]=el6-release-danube-4.1.2-stable-
99e1e2dda7a78989136f39132e1f198989ef03a4,[clusterStatus]=started,[diskUtil]=32.000000,
[totalDiskMB]=14482532,[usedDiskMB]=4740567,[diskRWReqPerSec]=3109.000000,
[devDiskRWLatency]=0.631000,[phLogDetail]=

- PH_DEV_MON_NUTANIX_SERVICE_STATUS
[PH_DEV_MON_NUTANIX_SERVICE_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=devNutanix.cpp,
[lineNumber]=287,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.23.20,
[cluster]=Lab01,[ntxControllerVMId]=5,[ntxClusterVMStatus]=Up,[ntxZeusStatus]=3287, 3310,
3311, 3312, 3389, 3403,[ntxStargateStatus]=5331, 5365, 5366, 5421, 19543,[phLogDetail]=

- PH_DEV_MON_NUTANIX_STORAGE_POOL_INFO
[PH_DEV_MON_NUTANIX_STORAGE_POOL_INFO]:[eventSeverity]=PHL_INFO,[fileName]=devNutanix.cpp,
[lineNumber]=239,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.23.20,
[cluster]=Lab01,[spoolId]=1474,[spoolName]=amanoxlab_sp,[diskUtil]=32.733000,
[totalDiskMB]=14482532,[usedDiskMB]=4740567,[diskRWReqPerSec]=155.000000,
[devDiskRWLatency]=0.631000,[phLogDetail]=

- PH_DEV_MON_NUTANIX_CONTAINER_INFO
[PH_DEV_MON_NUTANIX_CONTAINER_INFO]:[eventSeverity]=PHL_INFO,[fileName]=devNutanix.cpp,
[lineNumber]=257,[hostName]=NTNX-14SM15290052-A-CVM,[hostIpAddr]=10.0.23.20,
[cluster]=Lab01,[ntxContainerId]=1488,[ntxContainerName]=perflab_ndfs,[diskUtil]=8.357116,
[totalDiskMB]=14482532,[usedDiskMB]=1210322,[diskRWReqPerSec]=0.000000,
[devDiskRWLatency]=0.000000,[phLogDetail]=

Rules

Currently there are no system rules defined.

Reports

- Nutanix Cluster Disk Usage
- Nutanix Cluster Performance
- Nutanix Cluster Service Status
- Nutanix Cluster Storage Usage
- Nutanix Container Performance
- Nutanix Container Storage Usage
- Nutanix Storage Pool Performance
- Nutanix Storage Pool Usage

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.


Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Name: <set name>
Device Type: Nutanix Controller VM
Access Protocol: See Access Credentials
Port: See Access Credentials
Password config: See Password Configuration

Threat Intelligence

FortiSIEM supports these threat detection devices:

- FortiInsight
- LastLine
- ThreatConnect

External threat intelligence sources provide Indicators of Compromise (IOCs) describing malware infrastructure and
actors. FortiSIEM can be configured to download this information periodically, as incremental or as full updates,
according to a schedule you define. IOCs can include malware IP addresses, domains, URLs, and file hashes. You can
write rules to look for matches in real time, or reports to look for matches in historical data.
The following external threat intelligence sources are supported out of the box:
- Emerging Threat
- FortiGuard
- FortiSandbox
- Malware Domain
- SANS
- ThreatStream
- ThreatConnect
- TruSTAR
- Zeus
In general, any threat source that provides a CSV file or that supports the STIX/TAXII standards (versions 1.0, 1.1,
and 2.0) can be supported by FortiSIEM directly. FortiSIEM also provides a Java-based API which can be used to add
support for a new source.
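
What a rule or report match against a downloaded IOC list amounts to, as an added example that is not FortiSIEM's own
matching code: a loader for a small CSV feed and a matcher run over constructed events. The two-column type,value CSV
layout, the event field names, and all indicator values are assumptions made for the example (reserved documentation
addresses and .example names, a made-up hash). Whether FortiSIEM's rule engine matches parent domains is not stated on
this page; the example treats that as a design choice and shows the label-boundary check that keeps bad.example from
matching bad.example.org.

```python
import csv
import io
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed IOC feed. The "type,value" layout is this example's own, not FortiSIEM's import format.
IOC_CSV = """type,value
domain,bad.example
domain,Evil.EXAMPLE.
ip,203.0.113.7
ip,198.51.100.0/24
url,http://bad.example/dl/payload.bin
hash,0123456789abcdef0123456789abcdef
"""

# Constructed events; the field names are this example's own, not FortiSIEM attribute names.
EVENTS = [
    {"host": "ws01", "dst_domain": "cdn.bad.example", "dst_ip": "203.0.113.7"},
    {"host": "ws02", "dst_domain": "good.example", "dst_ip": "198.51.100.42"},
    {"host": "ws03", "url": "HTTP://bad.example/dl/payload.bin",
     "file_hash": "0123456789ABCDEF0123456789abcdef"},
    {"host": "ws04", "dst_domain": "bad.example.org", "dst_ip": "192.0.2.9"},
]


def normalize_domain(name: str) -> str:
    """Lower-case and drop the trailing dot so feed and log spellings compare equal."""
    return name.strip().rstrip(".").lower()


def load_ioc_csv(text: str) -> Dict[str, set]:
    """Parse the feed into one normalized set per IOC type."""
    iocs: Dict[str, set] = {"domain": set(), "ip": set(), "url": set(), "hash": set()}
    for row in csv.DictReader(io.StringIO(text)):
        kind, value = row["type"].strip().lower(), row["value"].strip()
        if kind == "domain":
            iocs["domain"].add(normalize_domain(value))
        elif kind == "ip":
            # A bare address becomes a /32 (or /128); CIDR entries stay ranges.
            iocs["ip"].add(ipaddress.ip_network(value, strict=False))
        elif kind in ("url", "hash"):
            iocs[kind].add(value.lower())
        else:
            raise ValueError(f"unknown IOC type {kind!r} in feed")
    return iocs


def domain_hit(name: str, domains: Set[str]):
    """Match the name itself or any parent domain on a label boundary:
    cdn.bad.example hits bad.example, but bad.example.org does not."""
    labels = normalize_domain(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def ip_hit(address: str, networks: set):
    """Return the matching indicator network (as text) or None."""
    ip = ipaddress.ip_address(address)
    for net in networks:
        if ip.version == net.version and ip in net:
            return str(net)
    return None


def match_event(event: Dict[str, str], iocs: Dict[str, set]) -> List[Tuple[str, str, str]]:
    """Return (ioc_type, event_field, matched_indicator) for every indicator the event touches."""
    hits: List[Tuple[str, str, str]] = []
    for field in ("dst_domain", "src_domain"):
        if field in event and (d := domain_hit(event[field], iocs["domain"])):
            hits.append(("domain", field, d))
    for field in ("dst_ip", "src_ip"):
        if field in event and (n := ip_hit(event[field], iocs["ip"])):
            hits.append(("ip", field, n))
    if "url" in event and event["url"].lower() in iocs["url"]:
        hits.append(("url", "url", event["url"].lower()))
    if "file_hash" in event and event["file_hash"].lower() in iocs["hash"]:
        hits.append(("hash", "file_hash", event["file_hash"].lower()))
    return hits


def scan(events: List[Dict[str, str]], iocs: Dict[str, set]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Hosts with at least one IOC hit, keyed by host name (the shape a report row would take)."""
    return {e["host"]: h for e in events if (h := match_event(e, iocs))}


if __name__ == "__main__":
    for host, hits in scan(EVENTS, load_ioc_csv(IOC_CSV)).items():
        print(host, hits)
```

The same scan run over a stream of live events instead of a list is what a real-time rule does; run over stored
events it is a report.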

Fortinet FortiInsight

FortiInsight is a unique data security and threat detection solution that delivers advanced threat hunting to help you
spot, respond to, and manage risky behaviors that put your business-critical data at risk. It combines powerful and
flexible Machine Learning with detailed forensics around user actions to bring focus to the facts more rapidly than other
solutions.

- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration in FortiInsight
- Configuration in FortiSIEM
- Sample Events

What is Discovered and Monitored

Protocol: FortiInsight API
Information collected: Policy based alerts and AI based alerts
Used for: Data security, threat protection

This feature allows FortiSIEM to get Policy-based alerts and AI-based alerts from FortiInsight.

Event Types

In RESOURCES > Event Types, enter "FortiInsight" in the Search column to see the event types associated with this
device.

Rules

In RESOURCES > Rules, enter "FortiInsight" in the Search column to see the rules associated with this device.

Reports

No defined reports.

Configuration in FortiInsight

Get an API Key in FortiInsight

Complete these steps in the FortiInsight UI:


1. Login to FortiInsight.
2. Select Admin > Account from the left menu.


3. Click New API Key to open the New API Key dialog box.
4. Enter a descriptive Name.
5. Click Save to generate the API key. This downloads a file containing the API key information (Client ID, Client
Secret, and Name). Make a note of these values; you will need them when you configure FortiSIEM. The Client Secret is
the credential that grants access to your FortiInsight data, so store the file as you would any other secret rather than
leaving it in a shared download location.

Configuration in FortiSIEM

Complete these steps in the FortiSIEM UI:


1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
a. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
b. Enter these settings in the Access Method Definition dialog box:

Name: Enter a name for the credential.
Device Type: Fortinet FortiInsight
Access Protocol: FortiInsight API
Pull Interval: The interval at which FortiSIEM pulls events from FortiInsight. Default is 3 minutes.
Client ID: Access key for your FortiInsight instance.
Client Secret: Secret key for your FortiInsight instance.
Organization: The organization the device belongs to.
Description: Description of the device.

3. In Step 2, Enter IP Range to Credential Associations:


a. Select the name of your Fortinet FortiInsight credential from the Credentials drop-down list.
b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
c. Click Save.
4. Click Test to test the connection to FortiInsight.
5. To see the jobs associated with FortiInsight, select ADMIN > Setup > Pull Events.
6. To see the received events select ANALYTICS, then enter FortiInsight in the search box.

Sample Events

[FORTIINSIGHT_POLICY_ALERT] = {
  "description": "",
  "events": [
    {
      "act": "file downloaded",
      "app": "chrome.exe",
      "childId": null,
      "d": "2019-03-18T13:22:24.344+00:00",
      "id": null,
      "m": "uqP",
      "mn": {
        "dh": "tcp://server-10-230-2-153.lhr5.r.cloudfront.net",
        "dip": "10.1.1.76",
        "dp": 61024,
        "ext": ".mkv",
        "fp": "c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv",
        "fs": 2307792448,
        "loc": {"altCode": null, "city": "Augsburg", "code": "DE", "country": "Germany", "latitude": "48.3718", "longitude": "10.8925"},
        "p": "tcp-ip-4",
        "sip": "78.47.38.226",
        "sp": 443,
        "ts": 1460
      },
      "r": "c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv-> tcp://server-54-230-2-153.lhr5.r.cloudfront.net:443",
      "u": "acmeltd__engineer2"
    }
  ],
  "extendedEvents": [
    {
      "act": "file downloaded",
      "app": "chrome.exe",
      "childId": null,
      "d": "2019-03-18T13:22:24.344+00:00",
      "id": null,
      "latestHostname": "mimas",
      "latestIp": "10.10.0.1",
      "m": "uqP",
      "mn": {
        "dh": "tcp://server-54-230-2-153.lhr5.r.cloudfront.net",
        "dip": "10.1.1.76",
        "dp": 61024,
        "ext": ".mkv",
        "fp": "c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv",
        "fs": 2307792448,
        "loc": {"altCode": null, "city": "Augsburg", "code": "DE", "country": "Germany", "latitude": "48.3718", "longitude": "10.8925"},
        "p": "tcp-ip-4",
        "sip": "78.47.38.226",
        "sp": 443,
        "ts": 1460
      },
      "r": "c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv-> tcp://server-10-230-2-153.lhr5.r.cloudfront.net:443",
      "resolvedUsername": "",
      "u": "acmeltd__engineer2"
    }
  ],
  "id": "AWmQ98PYg7b_-i6_5Rvg",
  "labels": [""],
  "policyId": "default_6COnUMjTCB8N",
  "policyName": "Browser Download",
  "regimes": ["ZoneFox"],
  "serverIp": "52.209.49.52",
  "serverName": "fortisiemtest.dev.fortiinsight.cloud",
  "severity": 10,
  "status": "New",
  "time": "2019-03-18T13:22:29.473715+00:00"
}


Lastline

The Lastline parser collects syslog log events in CEF format.


- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Syslog
- Sample Events

What is Discovered and Monitored

Protocol: Syslog
Information discovered: Device Type
Metrics collected: Endpoint activity such as file download, email attachments, network connections
Used for: Security and Compliance

Event Types

In ADMIN > Device Support > Event, search for "Lastline" in the Name and Description columns to see the event
types associated with this device.

Rules

There are no specific rules for Lastline, however rules that match the Event Type Groups associated with Lastline
Events may trigger.

Reports

There are no specific Reports for Lastline, however reports that match the Event Type Groups associated with Lastline
Events may return results.

Syslog

FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM on port 514
using CEF formatting.


Sample Events

Aug 13 14:48:37 fortisiem CEF:0|Lastline|Enterprise|7.10|appliance-status|Appliance Status|1|cat=Online cs1=SENSOR
cs1Label=deviceType cs2=https://example/portal#/appliances/config/status/76b80c7ac11a4d37bc6b29e66726b01d
cs2Label=deviceStatusLink deviceExternalId=76b80c7ac11a4d37bc6b29e66726b01d dvc=10.31.61.152 dvchost=example.com
end=Aug 13 2018 16:48:37 CEST rt=Aug 13 2018 16:48:37 CEST start=Aug 13 2018 16:48:37 CEST
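
The sample line above, parsed with a small CEF parser written here as an added example; it is not the FortiSIEM Lastline
parser. It splits the pipe-delimited header while honouring the \| and \\ escapes, splits the extension into key/value
pairs whose values may contain spaces (end=Aug 13 2018 16:48:37 CEST), unescapes \= \\ \n \r in values, and resolves
the custom-field labels, so cs1Label=deviceType yields deviceType=SENSOR. SAMPLE is the page's line joined back onto
one line; the second line in the test is constructed to exercise the escapes.

```python
import re
from typing import Any, Dict, List, Tuple

# The sample line from this page, joined back onto one line.
SAMPLE = ("Aug 13 14:48:37 fortisiem CEF:0|Lastline|Enterprise|7.10|appliance-status|Appliance Status|1|"
          "cat=Online cs1=SENSOR cs1Label=deviceType "
          "cs2=https://example/portal#/appliances/config/status/76b80c7ac11a4d37bc6b29e66726b01d "
          "cs2Label=deviceStatusLink deviceExternalId=76b80c7ac11a4d37bc6b29e66726b01d dvc=10.31.61.152 "
          "dvchost=example.com end=Aug 13 2018 16:48:37 CEST rt=Aug 13 2018 16:48:37 CEST "
          "start=Aug 13 2018 16:48:37 CEST")

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# key=value pairs: a value runs until the next " key=" and may contain spaces and escaped characters.
_EXT_PAIR = re.compile(r"([A-Za-z0-9_.\-]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.\-]+=|\s*$)")


def _split_header(text: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields, honouring the \\| and \\\\ escapes;
    returns the fields and the remaining extension text."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escaped character: keep the next char literally
            buf.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, text[i:]


def _unescape(value: str) -> str:
    """Undo the extension escapes: \\= \\\\ and the \\n \\r newline escapes."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse a syslog line carrying a CEF record into header fields, extension pairs, and the
    custom fields resolved through their csNLabel/cnNLabel names."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    fields, ext_text = _split_header(line[start:])
    record: Dict[str, Any] = {"syslog_prefix": line[:start].rstrip()}
    record.update(zip(HEADER_FIELDS, fields))
    record["cef_version"] = record["cef_version"][len("CEF:"):]
    if record["severity"].isdigit():          # CEF allows 0-10 or Low/Medium/High/Very-High
        record["severity"] = int(record["severity"])
    ext = {k: _unescape(v) for k, v in _EXT_PAIR.findall(ext_text.strip())}
    custom = {ext[k]: ext[k[:-len("Label")]]
              for k in ext if k.endswith("Label") and k[:-len("Label")] in ext}
    record["extension"], record["custom"] = ext, custom
    return record


if __name__ == "__main__":
    rec = parse_cef(SAMPLE)
    print(rec["device_vendor"], rec["signature_id"], rec["severity"], rec["custom"])
```

Values that contain an unescaped "=" (which CEF forbids) would be split at the wrong place by the extension regex;
a sender that violates the escaping rules needs a parser tolerant of that, which is a deliberate non-goal here.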


ThreatConnect

Protocol: ThreatConnect API
Information collected: Malware Domain, IP, URL and Hash
Used for: Detect threats for Security and Compliance

Configuring ThreatConnect

Create an API key to be used for FortiSIEM communication. The details are here:
https://kb.threatconnect.com/customer/en/portal/articles/2188549-creating-user-accounts
1. Log in to your ThreatConnect portal as an administrative user.
2. Go to My Profile > ORG Settings.
3. Click Create API User. These credentials will be created:
- Access ID
- Secret Key
4. Note the Organization Name. You will need it in a later step.
5. ThreatConnect contains many threat feeds. If you want to get specific threat feeds, you must know which feeds are
available for your account. You can see them by navigating to Browse > Indicators > My ThreatConnect > Intelligent
Sources.

Configuring FortiSIEM to Download IOCs from ThreatConnect

Use the Access ID and Secret Key that were created in the previous section to enable FortiSIEM access.
FortiSIEM can provide the following IOCs from ThreatConnect:
- Malware Domain
- Malware IP
- Malware URL
- Malware Hash
Follow these steps to set up Malware Domain downloads from ThreatConnect.
1. Log in to FortiSIEM.
2. Go to RESOURCE > Malware Domain > ThreatConnect Malware Domain.
3. Click More > Update. Select Update via API.
4. Enter the following fields:
a. Set User Name to the Access ID (step 3 of Configuring ThreatConnect above).
b. Set Password to the Secret Key (step 3 above).
c. Set Data Format to STIX-TAXII.
d. For Collection:, you have two choices:


- To get all threat feeds, enter All:<Organization Name> (the name noted in step 4 above), or
- To get specific threat feeds, enter comma-separated threat feed names (obtained in step 5 above).
e. Set Data Update = Incremental
5. Click Save.
6. Click Schedule to specify how often the threat feed will be updated.
a. Choose Start time.
b. Choose Recurrence pattern.
c. Click Save.
7. Wait until the first scheduled download occurs. Then, navigate to RESOURCE > Malware Domain >
ThreatConnect Malware Domain. Downloaded Malware domains will be displayed in the right-hand table. You
can use this object in rules and reports to detect hits.

Downloading Other IOCs

The steps for configuring FortiSIEM to download other IOCs are identical, except for the following details:
- Malware IP: navigate to RESOURCE > Malware Domain > ThreatConnect Malware IP
- Malware URL: navigate to RESOURCE > Malware Domain > ThreatConnect Malware URL
- Malware Hash: navigate to RESOURCE > Malware Domain > ThreatConnect Malware Hash

Virtualization

FortiSIEM supports these virtualization servers for discovery and monitoring.


- HyperV
- HyTrust CloudControl
- VMware ESX

Hyper-V

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol: Powershell over WMI
Metrics collected: CPU, Memory, Network and Storage metrics, both at Guest and Host level
Used for: Performance Monitoring

Event Types

- PH_DEV_MON_HYPERV_OVERALL_HEALTH: HyperV Machine Health Summary
[PH_DEV_MON_HYPERV_OVERALL_HEALTH]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,
[vmHealthCritCount]=0,[vmHealthOkCount]=10

- PH_DEV_MON_HYPERV_OVERALL_SYSINFO: HyperV System Information
[PH_DEV_MON_HYPERV_OVERALL_SYSINFO]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,
[notificationCount]=10,[virtualProcessors]=52,[totalPages]=67290,[partitionCount]=6,
[logicalProcessors]=16

- PH_DEV_MON_HYPERV_CPU_LOGICAL_PROC: HyperV Logical Processor Usage
[PH_DEV_MON_HYPERV_CPU_LOGICAL_PROC]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,
[idleTimePct]=47.30,[guestRunTimePct]=50.88,[hypervisorRunTimePct]=1.97,
[totalRunTimePct]=52.84,[cpuInterruptPerSec]=53390.62,[contextSwitchPerSec]=85516.44

- PH_DEV_MON_HYPERV_CPU_ROOT_VIRTUAL_PROC: HyperV Root Virtual Processor Usage
[PH_DEV_MON_HYPERV_CPU_ROOT_VIRTUAL_PROC]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-
HH2MFBPMHMR,[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-HH2MFBPMHMR,
[guestRunTimePct]=0.19,[hypervisorRunTimePct]=0.04,[totalRunTimePct]=0.23,
[cpuInterruptPersec]=4588.63,[interceptCost]=1458

- PH_DEV_MON_HYPERV_CPU_GUEST_VIRTUAL_PROC: HyperV Guest Virtual Processor Usage
[PH_DEV_MON_HYPERV_CPU_GUEST_VIRTUAL_PROC]:[hostIpAddr]=172.16.20.185,[hostName]=accelops-
reporter-hyperv-4.3.1.1158,[vmName]=accelops-reporter-hyperv-4.3.1.1158,
[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-HH2MFBPMHMR,[guestRunTimePct]=1.06,
[hypervisorRunTimePct]=0.70,[totalRunTimePct]=1.77,[cpuInterruptPersec]=6474.56,
[interceptCost]=1086

- PH_DEV_MON_HYPERV_MEM_PARTITION: HyperV Memory Partition usage
[PH_DEV_MON_HYPERV_MEM_PARTITION]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,
[1gGpaPages]=0,[2mGpaPages]=16385,[4kGpaPages]=9949,[depositedGpaPages]=20946

l PH_DEV_MON_HYPERV_MEM_PARTITION_PER_VM: HyperV per-VM Memory Partition usage


[PH_DEV_MON_HYPERV_MEM_PARTITION_PER_VM]:[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-
HH2MFBPMHMR,[hostIpAddr]=172.16.20.182,[hostName]=accelops-va-hyperv-4.3.1.1158,
[vmName]=accelops-va-hyperv-4.3.1.1158,[1gGpaPages]=0,[2mGpaPages]=4096,[4kGpaPages]=2089,
[depositedGpaPages]=5044

l PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION: HyperV Root Partition Total Memory Usage


[PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-
HH2MFBPMHMR,[1gGpa]=0,[2mGpa]=32613,[4kGpa]=9760,[depositedGpa]=46344

l PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION_ROOT: HyperV Root Partition Root Memory Usage


[PH_DEV_MON_HYPERV_MEM_ROOT_PARTITION_ROOT]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-
HH2MFBPMHMR,[1gGpa]=0,[2mGpa]=32613,[4kGpa]=9760,[depositedGpa]=46344

l PH_DEV_MON_HYPERV_MEM_VID_PARTITION: HyperV VID Partition Memory Usage


[PH_DEV_MON_HYPERV_MEM_VID_PARTITION]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-
HH2MFBPMHMR,[physicalPages]=8398888,[remotePages]=0

l PH_DEV_MON_HYPERV_MEM_VID_PARTITION_PER_VM: HyperV per-VM VID Partition Memory Usage


[PH_DEV_MON_HYPERV_MEM_VID_PARTITION_PER_VM]:[phyMachIpAddr]=172.16.20.180,
[phyMachName]=WIN-HH2MFBPMHMR,[hostIpAddr]=172.16.20.185,[hostName]=accelops-reporter-
hyperv-4.3.1.1158,[vmName]=accelops-reporter-hyperv-4.3.1.1158,[physicalPages]=1050632,
[remotePages]=0

l PH_DEV_MON_HYPERV_MEM_OVERALL: HyperV Root Memory Usage


[PH_DEV_MON_HYPERV_MEM_OVERALL]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,
[freeMemKB]=27519348,[pageFaultsPersec]=0

l PH_DEV_MON_HYPERV_NET_VIRTUAL_SWITCH: HyperV Virtual Switch Network Usage


[PH_DEV_MON_HYPERV_NET_VIRTUAL_SWITCH]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-
HH2MFBPMHMR,[vSwitch]=broadcom bcm5709c netxtreme ii gige [ndis vbd client] _34 - virtual
switch,[recvBitsPerSec]=719403.45,[recvPktsPerSec]=323.03,[sentBitsPerSec]=3382443.50,
[sentPktsPerSec]=283.90,[totalPktsPerSec]=323.03

l PH_DEV_MON_HYPERV_NET_VIRTUAL_ADAPTER: HyperV Virtual Switch Per Adapter Network Usage


[PH_DEV_MON_HYPERV_NET_VIRTUAL_ADAPTER]:[phyMachIpAddr]=172.16.20.180,[phyMachName]=WIN-
HH2MFBPMHMR,[hostIpAddr]=172.16.20.182,[hostName]=accelops-va-hyperv-4.3.1.1158,
[vmName]=accelops-va-hyperv-4.3.1.1158,[intfName]=adapter_e1eb0a1f-1b36-48fe-be79-
fde20d335364--31575d2f-5085-45d3-905f-2f3e17342a81,[recvBitsPerSec]=64970.24,
[recvPktsPerSec]=20.86,[sentBitsPerSec]=124741.68,[sentPktsPerSec]=42.61,
[totalPktsPerSec]=20.86

l PH_DEV_MON_HYPERV_STORAGE_VIRTUAL_STORAGE: HyperV Virtual Storage Usage


[PH_DEV_MON_HYPERV_STORAGE_VIRTUAL_STORAGE]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-
HH2MFBPMHMR,[diskName]=e:-hyperinstance-report431-virtual hard disks-accelops-reporter-
4.3.1.1158-disk2.vhdx,[diskErrors]=2,[diskFlushes]=1267221,[diskReadKBytesPerSec]=0.00,
[diskReadReqPerSec]=0.00,[diskWriteKBytesPerSec]=0.00,[diskWriteReqPerSec]=0.00

l PH_DEV_MON_HYPERV_STORAGE_LOGICAL_DISK: HyperV Logical Disk Usage


[PH_DEV_MON_HYPERV_STORAGE_LOGICAL_DISK]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-
HH2MFBPMHMR,[diskName]=e:,[ioReadLatency]=0,[ioWriteLatency]=14


Rules

l HyperV Disk I/O Warning
l HyperV Disk I/O Critical
l HyperV Guest Critical
l HyperV Guest Hypervisor Run Time Percent Warning
l HyperV Logical Processor Total Run Time Percent Critical
l HyperV Logical Processor Total Run Time Percent Warning
l HyperV Page fault Critical
l HyperV Page fault Warning
l HyperV Remaining Guest Memory Warning
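The key/value event format shown in the samples above and the threshold rules listed here, as an added example (not FortiSIEM code): a parser for PH_DEV_MON_HYPERV events and an evaluator for warning/critical thresholds. The thresholds in RULES and the HOT_CPU_SAMPLE line are assumptions, not the values shipped with FortiSIEM's rules.

```python
"""Parse FortiSIEM HyperV performance events and evaluate threshold rules.

Added example, not FortiSIEM code. Event format as in the samples above:
[EVENT_TYPE]:[attr]=value,[attr]=value,...
The thresholds in RULES are assumed values for illustration only.
"""
import re
from typing import Any

HEADER_RE = re.compile(r"^\[(?P<etype>[A-Z0-9_]+)\]:(?P<body>.*)$")
# A value runs until the next ",[attr]=" separator or end of line, so brackets
# inside a value (e.g. the vSwitch name) do not break the split.
ATTR_RE = re.compile(r"\[(?P<key>[^\]]+)\]=(?P<val>.*?)(?=,\[[^\]]+\]=|$)")


def _coerce(raw: str) -> Any:
    """Numeric strings become int/float; IPs, names and paths stay str."""
    for cast in (int, float):
        try:
            return cast(raw)
        except ValueError:
            pass
    return raw


def parse_event(line: str) -> dict:
    """Return the attributes as a dict, with the event type under 'eventType'."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a FortiSIEM key/value event: {line[:40]!r}")
    attrs = {a.group("key"): _coerce(a.group("val"))
             for a in ATTR_RE.finditer(m.group("body"))}
    attrs["eventType"] = m.group("etype")
    return attrs


# (event type, attribute, warning, critical, rule name stem, higher_is_worse)
# Assumed thresholds; critical is None for warning-only rules.
RULES = [
    ("PH_DEV_MON_HYPERV_CPU_LOGICAL_PROC", "totalRunTimePct", 80.0, 90.0,
     "HyperV Logical Processor Total Run Time Percent", True),
    ("PH_DEV_MON_HYPERV_MEM_OVERALL", "pageFaultsPersec", 1000.0, 5000.0,
     "HyperV Page fault", True),
    ("PH_DEV_MON_HYPERV_MEM_OVERALL", "freeMemKB", 1048576.0, None,
     "HyperV Remaining Guest Memory", False),
    ("PH_DEV_MON_HYPERV_STORAGE_LOGICAL_DISK", "ioWriteLatency", 20.0, 50.0,
     "HyperV Disk I/O", True),
]


def evaluate(event: dict) -> list:
    """Return the names of rules whose assumed thresholds this event crosses."""
    fired = []
    for etype, attr, warn, crit, stem, higher_is_worse in RULES:
        if event.get("eventType") != etype or not isinstance(event.get(attr), (int, float)):
            continue
        value = event[attr]
        breached = (lambda t: value >= t) if higher_is_worse else (lambda t: value <= t)
        if crit is not None and breached(crit):
            fired.append(f"{stem} Critical")
        elif breached(warn):
            fired.append(f"{stem} Warning")
    return fired


# Samples from the page, re-joined onto one line each.
LOGICAL_PROC_SAMPLE = (
    "[PH_DEV_MON_HYPERV_CPU_LOGICAL_PROC]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,"
    "[idleTimePct]=47.30,[guestRunTimePct]=50.88,[hypervisorRunTimePct]=1.97,"
    "[totalRunTimePct]=52.84,[cpuInterruptPerSec]=53390.62,[contextSwitchPerSec]=85516.44")
VSWITCH_SAMPLE = (
    "[PH_DEV_MON_HYPERV_NET_VIRTUAL_SWITCH]:[hostIpAddr]=172.16.20.180,[hostName]=WIN-HH2MFBPMHMR,"
    "[vSwitch]=broadcom bcm5709c netxtreme ii gige [ndis vbd client] _34 - virtual switch,"
    "[recvBitsPerSec]=719403.45,[recvPktsPerSec]=323.03,[sentBitsPerSec]=3382443.50,"
    "[sentPktsPerSec]=283.90,[totalPktsPerSec]=323.03")
DISK_SAMPLE = ("[PH_DEV_MON_HYPERV_STORAGE_LOGICAL_DISK]:[hostIpAddr]=172.16.20.180,"
               "[hostName]=WIN-HH2MFBPMHMR,[diskName]=e:,[ioReadLatency]=0,[ioWriteLatency]=14")
# Constructed (not from the page): a saturated host that should trip the critical rule.
HOT_CPU_SAMPLE = ("[PH_DEV_MON_HYPERV_CPU_LOGICAL_PROC]:[hostIpAddr]=172.16.20.180,"
                  "[hostName]=WIN-HH2MFBPMHMR,[idleTimePct]=6.50,[totalRunTimePct]=93.50")


def run_samples() -> list:
    """Return (eventType, hostName, fired rules) for each sample above."""
    out = []
    for s in (LOGICAL_PROC_SAMPLE, VSWITCH_SAMPLE, DISK_SAMPLE, HOT_CPU_SAMPLE):
        ev = parse_event(s)
        out.append((ev["eventType"], ev["hostName"], evaluate(ev)))
    return out


if __name__ == "__main__":
    for etype, host, fired in run_samples():
        print(f"{etype} on {host}: {fired or 'no rule fired'}")
```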

Reports

Look in RESOURCES > Reports > Device > Server > HyperV
l HyperV Configuration and Health
l Top HyperV Guests By Virtual Processor Run Time Pct
l Top HyperV Guests by Large Page Size Usage
l Top HyperV Guests by Remote Physical Page Usage
l Top HyperV Root Partitions By Virtual Processor Run Time Pct
l Top HyperV Root Partitions by Large Page Size Usage
l Top HyperV Servers By Logical Processor Run Time Pct
l Top HyperV Servers by Disk Activity
l Top HyperV Servers by Disk Latency
l Top HyperV Servers by Large Page Size Usage
l Top HyperV Servers by Memory Remaining for Guests
l Top HyperV Servers by Remote Physical Page Usage

Configuration

FortiSIEM needs WMI credentials to get the HyperV performance metrics. Configure this following the guidelines
described in Microsoft Windows Server Configuration.

Settings for Access Credentials

Configure WMI on FortiSIEM.


HyTrust CloudControl

l What is Discovered and Monitored
l Event Types
l Rules
l Reports
l Configuration

What is Discovered and Monitored

Protocol: Syslog (CEF format)
Information Discovered: -
Data Collected: Over 70 event types
Used for: Security and Compliance

Event Types

In RESOURCE > Event Types, search for "HyTrust-".


Sample Event Type:
<172>Mar 22 03:32:36 htcc136.test.hytrust.com local5: CEF:0|HyTrust|HyTrust
CloudControl|5.0.0.50821|ARC0031|TEMPLATE_OPERATION_ERRORED_ERR|6| rt=Mar 22 2017 03:32:36.196
UTC act=HostOperation dst=192.168.213.154 src=192.168.213.10 suser=ARC deviceExternalId=6u1b-
esxi2.test.hytrust.com deviceFacility=HostSystem msg=Template operation VHG6.0 esxi-check-
patch-version error on host 6u1b-esxi2.test.hytrust.com (192.168.213.154). privilege={}
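A parser for the CEF sample above, added here as an example (not HyTrust or FortiSIEM code): it decodes the syslog PRI, the pipe-delimited CEF header (with escaped pipes) and the extension key=value pairs whose values contain spaces. The escaped-pipe line used in the test is constructed.

```python
"""Parse a HyTrust CloudControl CEF-over-syslog event into its fields.

Added example, not FortiSIEM or HyTrust code. Handles the CEF header
(pipe-separated, "\|" is an escaped pipe) and the extension (key=value pairs
whose values may contain spaces and "\=" escapes).
"""
import re

SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<header>.*?)CEF:(?P<cef>.*)$", re.DOTALL)
# A value ends where the next " key=" starts. An unescaped "=" inside a value is
# a sender bug that CEF forbids, so such a value would be split early here.
EXT_RE = re.compile(
    r"(?P<key>[A-Za-z0-9_.]+)=(?P<val>(?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)", re.DOTALL)


def _unescape_header(field: str) -> str:
    return field.replace("\\|", "|").replace("\\\\", "\\")


def _unescape_ext(value: str) -> str:
    return value.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\")


def parse_hytrust_cef(line: str) -> dict:
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("no CEF payload found")
    pri = int(m.group("pri"))
    # Split on pipes that are not escaped; 7 splits leave the extension whole.
    parts = re.split(r"(?<!\\)\|", m.group("cef"), maxsplit=7)
    if len(parts) != 8 or not parts[0].isdigit():
        raise ValueError("malformed CEF header")
    cef_version, vendor, product, version, sig_id, name, severity = (
        _unescape_header(p) for p in parts[:7])
    ext = {e.group("key"): _unescape_ext(e.group("val"))
           for e in EXT_RE.finditer(parts[7].strip())}
    return {
        "syslog_facility": pri >> 3,       # 172 -> 21 (local5)
        "syslog_severity": pri & 7,        # 172 -> 4 (warning)
        "syslog_header": m.group("header").strip(),
        "cef_version": int(cef_version),
        "vendor": vendor, "product": product, "version": version,
        "signature_id": sig_id, "name": name,
        "severity": int(severity) if severity.isdigit() else severity,
        "extensions": ext,
    }


def summarize(event: dict) -> str:
    """One-line triage summary of the fields a SOC analyst looks at first."""
    x = event["extensions"]
    return (f"sev={event['severity']} {event['signature_id']} {event['name']} "
            f"host={x.get('dst', '?')} user={x.get('suser', '?')} act={x.get('act', '?')}")


# Sample from the page, re-joined onto one line.
SAMPLE = ("<172>Mar 22 03:32:36 htcc136.test.hytrust.com local5: CEF:0|HyTrust|HyTrust CloudControl|"
          "5.0.0.50821|ARC0031|TEMPLATE_OPERATION_ERRORED_ERR|6| rt=Mar 22 2017 03:32:36.196 UTC "
          "act=HostOperation dst=192.168.213.154 src=192.168.213.10 suser=ARC "
          "deviceExternalId=6u1b-esxi2.test.hytrust.com deviceFacility=HostSystem "
          "msg=Template operation VHG6.0 esxi-check-patch-version error on host "
          "6u1b-esxi2.test.hytrust.com (192.168.213.154). privilege={}")

if __name__ == "__main__":
    print(summarize(parse_hytrust_cef(SAMPLE)))
```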

Rules

There are no specific rules but generic rules for Security Manager and Generic Servers apply.

Reports

There are no specific reports but generic rules for Security Manager and Generic Servers apply.

Configuration

Configure HyTrust CloudControl to send syslog on port 514 to FortiSIEM.


VMware ESX

l What is Discovered and Monitored
l Configuration
l Settings for Access Credentials

What is Discovered and Monitored

Protocol: VMware SDK
Information discovered: ESX Server and the Guest hosts running on that server. ESX host clusters. Hardware (CPU,
Memory, Disk, network Interface) for all guests, OS vendor and version for all guests. Virtual switch for connecting
guest hosts to network interfaces.
Metrics collected: Both ESX level and guest host level performance metrics. Guest host level metrics include
CPU/memory/disk utilization, CPU Run/Ready/Limited percent, memory swap in/out rate, free memory state, disk
read/write rate/latency, network interface utilization, errors, bytes in/out. ESX level metrics include physical CPU
utilization, ESX kernel disk read/write latency etc.
Used for: Performance Monitoring

Protocol: VMware SDK
Information discovered: ESX logs, including scenarios like ESX level login success/failure, configuration change,
Guest host movement, account creation and modification.
Used for: Availability, Change and Security Monitoring

Configuration

FortiSIEM discovers and monitors VMware ESX servers and guests over the VMware SDK. Make sure that VMware Tools is
installed on all the guests in your ESX deployment so that FortiSIEM can obtain their IP addresses.

Settings for Access Credentials

User with System View Credentials

Make sure to provide a user with System View permissions who can access the entire vCenter hierarchy when setting
up the access credentials for your VMware ESX device. See the VMware documentation on how to set up a user with
System View permissions.

Settings for VMware ESX VMSDK Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.


Setting Value

Name <set name>

Device Type VMware ESX Server

Access Protocol VM SDK

User Name A user with System View permissions

Password The password associated with the user

VPN Gateways

FortiSIEM supports these VPN gateways for discovery and monitoring.


l Cisco VPN 3000 Gateway
l Cyxtera AppGuard
l Juniper Networks SSL VPN Gateway
l Microsoft PPTP VPN Gateway
l Pulse Secure

Cisco VPN 3000 Gateway

l What is Discovered and Monitored
l Configuration
l Settings for Access Credentials

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For

SNMP

Syslog

Event Types

In ADMIN > Device Support > Event, search for "cisco_vpn" in the Name and Device Type column to see the event
types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

1. Log in to your device with administrative credentials.
2. Go to Configuration > System > Management Protocols > SNMP Communities.
3. Click Add.
4. For Community String, enter public.

Syslog

1. Go to Configuration > System > Events > Syslog Servers.
2. Click Add.
3. Enter the IP address of your FortiSIEM virtual appliance for Syslog Server.
4. Add a syslog server with the FortiSIEM IP Address.


Sample Parsed Cisco VPN 3000 Syslog Messages

<189>18174 01/07/1999 20:25:27.210 SEV=5 AUTH/31 RPT=14 User [ admin ] Protocol [ Telnet ]
attempted ADMIN logon. Status: <REFUSED> authentication failure

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Cisco VPN 3K

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration


Cyxtera AppGate Software Defined Perimeter (SDP)

l Integration points
l Configuring Cyxtera AppGate Software
l Parsing and Events

Integration points

Protocol: Syslog
Information Discovered: Access Control log
Used For: Security and Compliance

Configuring Cyxtera AppGate Software

Follow Cyxtera AppGate SDP documentation to send syslog to FortiSIEM.

Configuring FortiSIEM

FortiSIEM automatically recognizes Cyxtera AppGate syslog, so long as it follows the format shown in this sample
syslog:
"id":"a51e7e7d-ab5f-444c-b7f8-ca72e4bb940b","timestamp":"2018-10-09T10:23:43.992Z","event_type":"ip_access",
"version":8,"distinguished_name":"CN=0f1a40d612f741228d7cb73a4308bea8,CN=abc,OU=ACME",
"entitlement_token_id":"78174080-a34","action":"allow","direction":"down","client_ip":"1.1.1.1",
"client_port":1392,"packet_size":40,"protocol":"TCP","source_ip":"10.1.1.1","destination_ip":"10.1.1.1",
"source_port":56100,"destination_port":59721,"connection_type":"established","rule_name":"rule1"

Parsing and Events

Over 70 events are parsed. See the event types in RESOURCES > Event Types and search for 'Cyxtera-AppGate-SDP'.


Juniper Networks SSL VPN Gateway

l What is Discovered and Monitored
l Configuration
l Settings for Access Credentials

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For

SNMP

Syslog

Event Types

In ADMIN > Device Support > Event, search for "junos_dynamic_vpn" in the Name column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

1. Log into your device with administrative credentials.
2. Go to System > Log/Monitoring > SNMP.
3. Under Agent Properties, enter public for Community.

Syslog

VPN Access Syslogs

1. Go to System > Log/Monitoring > User Access > Settings.
2. Under Select Events to Log, select Login/logout, User Settings, and Network Connect.
3. Under Syslog Servers, enter the IP address of your FortiSIEM virtual appliance, and set the Facility to LOCAL0.
4. Click Save Changes.


Admin Access Syslogs

1. Go to System > Log/Monitoring > Admin Access > Settings.
2. Under Select Events to Log, select Administrator changes, License Changes, and Administrator logins.
3. Under Syslog Servers, enter the IP address of your FortiSIEM virtual appliance, and set the Facility to LOCAL0.
4. Click Save Changes.

Sample Parsed Juniper Networks SSL VPN Syslog Messages

<134>Juniper: 2008-10-28 04:34:53 - ive - [192.168.20.82] admin(Users)[] - Login failed using
auth server SteelBelted (Radius Server). Reason: Failed

<134>Juniper: 2008-10-28 03:12:03 - ive - [192.168.20.82] wenyong(Users)[Users] - Login
succeeded for wenyong/Users from 192.168.20.82.

<134>Juniper: 2008-10-28 03:55:20 - ive - [192.168.20.82] wenyong(Users)[Users] - Network
Connect: Session ended for user with IP 172.16.3.240

<134>Juniper: 2008-10-28 03:05:25 - ive - [172.16.3.150] admin(Admin Users)[] - Primary
authentication successful for admin/Administrators from 172.16.3.150

<134>Juniper: 2008-10-28 05:33:02 - ive - [172.16.3.150] admin(Admin Users)[] - Primary
authentication failed for admin/Administrators from 172.16.3.150

Settings for Access Credentials

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the
Name and Community String.

Setting Value

Name <set name>

Device Type Generic

Access Protocol SNMP

Community String <your own>


Microsoft PPTP VPN Gateway

Configuring Microsoft PPTP

Windows 2003 Server

1. Log on with administrative rights.
2. Configure PPTP VPN
a. Go to Start | All Programs | Administrative Tools | Configure Your Server Wizard, select the Remote
Access/VPN Server role, then click Next, which runs the Routing and Remote Access Wizard.
b. On the Routing and Remote Access wizard, follow these steps:
i. Select "Virtual Private Network (VPN) and NAT" and click Next.
ii. Select the network interface for use by VPN connection and click Next.
iii. Specify the network that VPN clients should connect to in order to access resources and click Next.
iv. Select VPN IP Address assignment methodology (DHCP/VPN pool) and click Next.
v. Specify VPN pool if VPN pool was chosen in step iv and click Next.
vi. Identify the network that has shared access to the Internet and click Next.
vii. Select if an external RADIUS server is to be used for central authentication and click Next.

c. Give users VPN access rights. Open the properties page for a user, select that user's Dial-In properties page
and select "Allow access" under Remote Access Permissions.

3. Configure Server Logging - Enable authentication and accounting logging from the Settings tab on the properties
of the Local File object in the Remote Access Logging folder in the Routing and Remote Access snap-in. The
authentication and accounting information is stored in a configurable log file or files stored in
the SystemRoot\System32\LogFiles folder. The log files are saved in Internet Authentication Service (IAS) or
database-compatible format, meaning that any database program can read the log file directly for analysis.
4. Configure Snare agent to send logs to FortiSIEM.

Sample syslog messages

<13>Apr 1 09:28:03 dev-v-win03-vc MSPPTPLog 0

192.168.24.11,administrator,04/01/2009,09:28:00,RAS,DEV-V-WIN03-VC,44,29,4,192.168.24.11,6,2,7,1,5,129,61,5,64,1,
65,1,31,192.168.20.38,66,192.168.20.38,4108,192.168.24.11,4147,311,4148,MSRASV5.20,4155,1,4154,Use Windows
authentication for all users,4129,DEV-V-WIN03-VC\administrator,4130,DEV-V-WIN03-VC\administrator,4127,4,25,311 1
192.168.24.11 04/01/2009 16:12:12 3,4149,Connections to Microsoft Routing and Remote Access server,4136,1,4142,0
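A decoder for the Snare-forwarded IAS-format line above, added as an example (not Microsoft, Snare or FortiSIEM code). It splits the six fixed fields from the attribute-ID,value pairs and names the well-known IDs so an analyst can pick out rejected logons. The tab separator between the Snare header and the record, the attribute-name table and the REJECT_SAMPLE line are assumptions.

```python
"""Decode a Snare-forwarded Microsoft RRAS log line in IAS format.

Added example, not FortiSIEM, Microsoft or Snare code. The IAS format has six
fixed fields (NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name,
Computer-Name) followed by attribute-ID,value pairs. Assumptions: Snare separates
its header from the record with a tab; ATTR_NAMES is a subset of the documented
IAS attribute IDs (unlisted IDs are kept by number); REJECT_SAMPLE is constructed.
"""
import csv
import re

SNARE_RE = re.compile(r"^<(?P<pri>\d+)>(?P<time>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                      r"(?P<source>\S+) (?P<counter>\d+)\t(?P<record>.*)$")
FIXED = ("nas_ip", "user", "date", "time", "service", "computer")
ATTR_NAMES = {
    "4": "NAS-IP-Address", "5": "NAS-Port", "6": "Service-Type", "7": "Framed-Protocol",
    "25": "Class", "31": "Calling-Station-Id", "61": "NAS-Port-Type", "64": "Tunnel-Type",
    "65": "Tunnel-Medium-Type", "66": "Tunnel-Client-Endpt", "4108": "Client-IP-Address",
    "4127": "Authentication-Type", "4129": "SAM-Account-Name",
    "4130": "Fully-Qualified-Distinguished-Name", "4136": "Packet-Type",
    "4142": "Reason-Code", "4149": "NP-Policy-Name", "4154": "Proxy-Policy-Name",
}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
                "4": "Accounting-Request"}


def parse_ias_record(record: str) -> dict:
    """Split one IAS-format record into fixed fields plus named attributes."""
    fields = next(csv.reader([record]))   # csv handles quoted values with commas
    if len(fields) < len(FIXED) or (len(fields) - len(FIXED)) % 2:
        raise ValueError("IAS record needs 6 fixed fields and whole ID,value pairs")
    rec = dict(zip(FIXED, fields))
    pairs = fields[len(FIXED):]
    attrs = {ATTR_NAMES.get(attr_id, attr_id): value
             for attr_id, value in zip(pairs[::2], pairs[1::2])}
    rec["attrs"] = attrs
    rec["packet_type"] = PACKET_TYPES.get(attrs.get("Packet-Type", ""), "unknown")
    return rec


def parse_snare_line(line: str) -> dict:
    """Strip the Snare header and decode the IAS record it carries."""
    m = SNARE_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a Snare-style line")
    rec = parse_ias_record(m.group("record"))
    rec.update(snare_host=m.group("host"), snare_source=m.group("source"))
    return rec


def rejected_logons(lines) -> list:
    """Return (user, calling station, reason code) for each Access-Reject record."""
    out = []
    for line in lines:
        try:
            rec = parse_snare_line(line)
        except ValueError:
            continue   # skip lines that are not Snare/IAS records
        if rec["packet_type"] == "Access-Reject":
            out.append((rec["user"], rec["attrs"].get("Calling-Station-Id", ""),
                        rec["attrs"].get("Reason-Code", "")))
    return out


# Sample from the page, re-joined; the tab after the Snare header is assumed.
SAMPLE = ("<13>Apr 1 09:28:03 dev-v-win03-vc MSPPTPLog 0\t"
          r"192.168.24.11,administrator,04/01/2009,09:28:00,RAS,DEV-V-WIN03-VC,44,29,4,192.168.24.11,"
          r"6,2,7,1,5,129,61,5,64,1,65,1,31,192.168.20.38,66,192.168.20.38,4108,192.168.24.11,4147,311,"
          r"4148,MSRASV5.20,4155,1,4154,Use Windows authentication for all users,"
          r"4129,DEV-V-WIN03-VC\administrator,4130,DEV-V-WIN03-VC\administrator,4127,4,"
          r"25,311 1 192.168.24.11 04/01/2009 16:12:12 3,"
          r"4149,Connections to Microsoft Routing and Remote Access server,4136,1,4142,0")
# Constructed (not from the page): same shape, but Packet-Type 3 with a non-zero reason code.
REJECT_SAMPLE = ("<13>Apr 1 09:30:11 dev-v-win03-vc MSPPTPLog 1\t"
                 r"192.168.24.11,guest,04/01/2009,09:30:10,RAS,DEV-V-WIN03-VC,4,192.168.24.11,"
                 r"31,192.168.20.77,4129,DEV-V-WIN03-VC\guest,4136,3,4142,16")

if __name__ == "__main__":
    print(parse_snare_line(SAMPLE)["packet_type"])
    print(rejected_logons([SAMPLE, REJECT_SAMPLE]))
```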


Pulse Secure

l What is Discovered and Monitored
l Configuration
l Settings for Access Credentials

What is Discovered and Monitored

Protocol: Syslog
Metrics Collected: Security and Performance alerts
Used For: Security and performance monitoring

Event Types

In ADMIN > Device Support > Event, search for "PulseSecure" to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

Sample PulseSecure Syslog Messages

<134> 2015-12-18T06:30:29-08:00 PulseSecure: 2015-12-18 06:30:29 - XXX-A1234-VPNSSL01 -
[1.1.1.1] admin(company1 Realm)[some title] - Host Checker policy 'VMS_Host_Checker_Policy'
passed on host '1.1.1.1' address '' for user 'admin'.
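One parser for both the Juniper SSL VPN sample messages in the previous section and the Pulse Secure sample above, added as an example (not vendor or FortiSIEM code), with a failed-login burst check of the kind a SOC runs before a dedicated rule exists. The burst threshold, the time window and the BURST_SAMPLES lines are assumptions.

```python
"""Parse Juniper SSL VPN (IVE) and Pulse Secure syslog and flag failed-login bursts.

Added example, not FortiSIEM, Juniper or Pulse Secure code. Both products share the
"<PRI>Product: date time - device - [src] user(realm)[roles] - message" layout;
Pulse Secure prefixes an ISO timestamp before the product name. The threshold,
window and BURST_SAMPLES are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>\s*(?:\S+\s+)?(?P<product>Juniper|PulseSecure):\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<device>\S+) - "
    r"\[(?P<src>[^\]]*)\] (?P<user>[^(]*)\((?P<realm>[^)]*)\)\[(?P<roles>[^\]]*)\] - (?P<msg>.*)$")
FAILURE_MARKERS = ("Login failed", "authentication failed")
SUCCESS_MARKERS = ("Login succeeded", "authentication successful")


def parse_ive_line(line: str) -> dict:
    """Return the parsed fields plus 'time' (datetime) and 'outcome'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised IVE/Pulse line: {line[:60]!r}")
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev.pop("ts"), "%Y-%m-%d %H:%M:%S")
    msg = ev["msg"]
    if any(k in msg for k in FAILURE_MARKERS):
        ev["outcome"] = "failure"
    elif any(k in msg for k in SUCCESS_MARKERS):
        ev["outcome"] = "success"
    else:
        ev["outcome"] = "other"
    return ev


def detect_failed_login_bursts(lines, threshold=3, window_seconds=300) -> list:
    """Return (src, user, total failures) for each (src, user) pair that produced
    `threshold` failures within any `window_seconds` span. Malformed lines are skipped."""
    failures = defaultdict(list)
    for line in lines:
        try:
            ev = parse_ive_line(line)
        except ValueError:
            continue
        if ev["outcome"] == "failure":
            failures[(ev["src"], ev["user"])].append(ev["time"])
    alerts = []
    for (src, user), times in sorted(failures.items()):
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                alerts.append((src, user, len(times)))
                break
    return alerts


JUNIPER_SAMPLES = [  # from the page, re-joined onto one line each
    "<134>Juniper: 2008-10-28 04:34:53 - ive - [192.168.20.82] admin(Users)[] - Login failed using "
    "auth server SteelBelted (Radius Server). Reason: Failed",
    "<134>Juniper: 2008-10-28 03:12:03 - ive - [192.168.20.82] wenyong(Users)[Users] - Login "
    "succeeded for wenyong/Users from 192.168.20.82.",
    "<134>Juniper: 2008-10-28 03:55:20 - ive - [192.168.20.82] wenyong(Users)[Users] - Network "
    "Connect: Session ended for user with IP 172.16.3.240",
    "<134>Juniper: 2008-10-28 03:05:25 - ive - [172.16.3.150] admin(Admin Users)[] - Primary "
    "authentication successful for admin/Administrators from 172.16.3.150",
    "<134>Juniper: 2008-10-28 05:33:02 - ive - [172.16.3.150] admin(Admin Users)[] - Primary "
    "authentication failed for admin/Administrators from 172.16.3.150",
]
PULSE_SAMPLE = ("<134> 2015-12-18T06:30:29-08:00 PulseSecure: 2015-12-18 06:30:29 - XXX-A1234-VPNSSL01 - "
                "[1.1.1.1] admin(company1 Realm)[some title] - Host Checker policy "
                "'VMS_Host_Checker_Policy' passed on host '1.1.1.1' address '' for user 'admin'.")
# Constructed burst (not from the page): three failures from one source within 39 seconds.
BURST_SAMPLES = [
    f"<134>Juniper: 2008-10-28 06:00:{s:02d} - ive - [10.9.8.7] bob(Users)[] - Login failed using "
    "auth server SteelBelted (Radius Server). Reason: Failed"
    for s in (1, 9, 40)
]

if __name__ == "__main__":
    for line in JUNIPER_SAMPLES + [PULSE_SAMPLE]:
        ev = parse_ive_line(line)
        print(ev["product"], ev["src"], ev["user"], ev["outcome"])
    print(detect_failed_login_bursts(JUNIPER_SAMPLES + BURST_SAMPLES))
```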

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Pulse Secure Pulse Connect

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration

Vulnerability Scanners

FortiSIEM supports these vulnerability scanners for discovery and monitoring.


l AlertLogic
l Green League WVSS
l McAfee Foundstone Vulnerability Scanner
l Qualys QualysGuard Scanner
l Qualys Vulnerability Scanner
l Rapid7 NeXpose Vulnerability Scanner
l Rapid7 InsightVM
l Tenable.io
l Tenable Nessus Vulnerability Scanner
l Tenable Security Center
l XYLink Vulnerability Scanner

AlertLogic Intrusion Detection and Prevention Systems (IPS)

l Integration points
l Configuring AlertLogic for FortiSIEM API Access
l Configuring FortiSIEM for AlertLogic API Access

Integration points

Protocol: AlertLogic V3 API
Information Discovered: Security Alerts created by AlertLogic
Used For: Security and Compliance

Configuring AlertLogic for FortiSIEM API Access

Contact AlertLogic for an API access key. This key must be entered in FortiSIEM in the next step.

Configuring FortiSIEM for AlertLogic API Access

1. Log on to FortiSIEM.
2. Go to ADMIN > Setup > Credential.
3. Click New to create an AlertLogic API credential:

For Access Protocol = AlertLogic API V3

Setting Value

Name <set name>

Device Type Alert Logic IPS

Access Protocol AlertLogic API V3

Pull Interval 5 minutes

Password config See Password Configuration

API Key The API Key for device access is provided by AlertLogic

Organization Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple
customers

For Access Protocol = AlertLogic IPS


Settings Description

Name Enter a name for the credential

Device Type Alert Logic IPS

Access Protocol Alert Logic IPS

Pull Interval The interval in which FortiSIEM will pull events from Alert Logic. Default is 5 minutes.

Access Key ID Access key for your Alert Logic instance.

Secret Key Secret key for your Alert Logic instance

Organization The organization the device belongs to.

Description Description of the device.

4. Enter an IP Range to Credential Association.
a. Set Hostname to alertlogic.com
b. Select the Credential created in step 3 above.
c. Click Save.
5. Select the entry in step 4 and click Test > Test Connectivity. If it succeeds, then the credential is correct.
6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will
start to pull events from AlertLogic Cloud service using the AlertLogic V3 API.
To test for events received from AlertLogic:
1. Go to ADMIN > Setup > Pull Events.
2. Select the Windows Defender ATP entry and click Report.
The system will take you to the ANALYTICS tab and run a query to display the events received from AlertLogic in the
last 15 minutes. You can modify the time interval to get more events.


Green League WVSS

Configuration in FortiSIEM

Complete these steps in the FortiSIEM UI:


1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
a. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
b. Enter these settings in the Access Method Definition dialog box:

Settings Description

Name Enter a name for the credential.

Device Type Green League WVSS

Access Protocol WVSS API

Pull Interval 60 minutes

Domain Domain name

User Name User name for device access

Password Password for device access

Description Description of the device

3. In Step 2: Enter IP Range to Credential Associations:
a. Select the name of your credential from the Credentials drop-down list.
b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
c. Click Save.
4. Click Test to test the connection to Green League WVSS.
5. To see the jobs associated with Green League, select ADMIN > Pull Events.
6. To see the received events select ANALYTICS, then enter Green League in the search box.


McAfee Foundstone Vulnerability Scanner

l What is Discovered and Monitored


l Configuration
l Settings for Access Credentials

What is Discovered and Monitored

Protocol: JDBC (SQL Server)
Metrics collected: Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability
severity, Vulnerability CVE Id, Vulnerability Score, Vulnerability Consequence
Used for: Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "foundstone" in the Description column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

JDBC

FortiSIEM connects to the faultline database in the McAfee vulnerability scanner to collect metrics. This is a SQL
Server database, so a database user that can reach it over JDBC must exist before you set up access credentials in
FortiSIEM and initiate discovery.

Settings for Access Credentials

Settings for McAfee Foundstone Vulnerability Scanner JDBC Access Credentials


Set these Access Method Definition values to allow FortiSIEM to communicate with your device.


Setting Value

Name mcafee_jdbc

Device Type Microsoft SQL Server

Access Protocol JDBC

Used for McAfee VulnMgr

Pull Interval 5 (minutes)

Port 1433

Database name faultline

User Name A user with access to the faultline database over JDBC

Password The password associated with the user


Qualys QualysGuard Scanner

Configuration in FortiSIEM

Complete these steps in the FortiSIEM UI:


1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
a. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
b. Enter these settings in the Access Method Definition dialog box:

Settings Description

Name Enter a name for the credential.

Device Type Qualys QualysGuard Scanner

Access Protocol Qualys API

Pull Interval 60 minutes

Port 443

User Name A user who has access to the vulnerability scanner over the API.

Password Password associated with the user

Description Description about the device

3. In Step 2, Enter IP Range to Credential Associations:
a. Select the name of your credential from the Credentials drop-down list.
b. Enter a host name, an IP, or an IP range in the IP/Host Name field.
c. Click Save.
4. Click Test to test the connection to Qualys QualysGuard Scanner.
5. To see the jobs associated with Qualys, select ADMIN > Pull Events.
6. To see the received events select ANALYTICS, then enter Qualys in the search box.


Qualys Vulnerability Scanner

l What is Discovered and Monitored
l Configuration
l Settings for Access Credentials

What is Discovered and Monitored

Protocol: Qualys API
Metrics collected: Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability
severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability Consequence
Used for: Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "qualys" in the Device Type column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

In RESOURCE > Reports , search for "qualys" in the Description column to see the reports associated with this
device.

Configuration

Qualys API

Create a user name and password that FortiSIEM can use as access credentials for the API.
You can configure FortiSIEM to communicate with your device, and then initiate discovery of the device. For more
information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.

Settings for Access Credentials

Use Host Name for IP Range in Access Credentials

Enter the host name for your Qualys service rather than an IP address when associating your access credentials to an IP
range.

Settings for Qualys Vulnerability Scanner API Access Credentials


Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name qualys

Device Type Qualys QualysGuard Scanner

Access Protocol Qualys API

Pull Interval 5 (minutes)

Port 443

User Name A user who has access to the vulnerability scanner over the API

Password The password associated with the user


Rapid7 NeXpose Vulnerability Scanner

l What is Discovered and Monitored
l Configuration
l Settings for Access Credentials

What is Discovered and Monitored

Protocol: Rapid7 Nexpose API
Metrics collected: Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability
severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence
Used for: Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "rapid7" in the Description and Device Type columns to see the
event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Rapid7 NeXpose API

1. Log into the device manager for your vulnerability scanner with administrative credentials.
2. Go to Administration > General > User Configuration, and create a user that FortiSIEM can use to access the
device.
3. Go to Reports > General > Report Configuration.
4. Create a report with the Report Format set to Simple XML Report Version 1.0 or NeXpose XML Report
Version 2.0.
FortiSIEM can pull reports only in these formats.

Settings for Access Credentials

Settings for Rapid7 Nexpose API Access Credentials


Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Rapid7 NeXpose Security Scanner

Access Protocol Rapid7 NeXpose API

Pull Interval 60 (minutes)

Port 3780

User Name A user who can access the device over the API

Password The password associated with the user


Rapid7 InsightVM Integration

l Integration points
l Rapid7 InsightVM API Integration

Integration points

Protocol Information Collected Used For

Protocol: InsightVM API
Information Collected: Vulnerability scan data
Used For: Security and Compliance

Rapid7 InsightVM API Integration

FortiSIEM can pull vulnerability scan data from Rapid7 InsightVM Server via InsightVM API.
InsightVM scan data contains vulnerabilities found on a host. Each host vulnerability is converted into a separate
FortiSIEM event with event type Rapid7-InsightVM-Vuln-Detected.

Configuring Rapid7 InsightVM Server

Create an account to be used for FortiSIEM communication.

Configuring FortiSIEM

Use the account in previous step to enable FortiSIEM access:


1. Log in to FortiSIEM.
2. Go to Admin > Setup > Credential.
3. Click New to create a Rapid7 InsightVM credential.
a. Choose Device Type = Rapid7 InsightVM (Vendor = Rapid7, Model = InsightVM).
b. Choose Access Protocol = InsightVM API.
c. Choose Pull Interval = 5 minutes.
d. Choose HTTPS Port (default 3780).
e. Choose User name and Password for the account created while Configuring Rapid7 InsightVM Server.
f. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple
customers.
g. Click Save.
4. Enter an IP Range to Credential Association:
a. Set IP to the IP address of the Rapid7 InsightVM Server.
b. Select the Credential created in step 3.


c. Click Save.
5. Perform Test Connectivity to make sure that the credential works correctly.
6. Discover the Rapid7 InsightVM Server using the IP address used in Step 4. Make sure Discover succeeds.
7. An entry will be created in Admin > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will
start to pull events from Rapid7 InsightVM Server using the InsightVM REST API.
To test for received InsightVM Vulnerability events:
1. Go to Admin > Setup > Pull Events
2. Select the InsightVM entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from InsightVM Server in
the last 15 minutes. You can modify the time interval to get more events.


Tenable.io

l Integration points
l Tenable.io API Integration

Integration points

Protocol Information collected Used for

Tenable.io API Vulnerability scan data Security and Compliance

Tenable.io API Integration

FortiSIEM can pull vulnerability scan data from Tenable.io Cloud Service via Tenable.io API.
Tenable.io scan data contains vulnerabilities found on a host. Each host vulnerability is converted into a separate
FortiSIEM event with event type TenableIO-Vuln-Detected.

Configuring Tenable.io Cloud Service

Create an API Key to be used for FortiSIEM communication.


1. Log in to your Tenable.io portal using your account.
2. Create an API Key for use in FortiSIEM:
a. For an administrative user:
b. Click Settings > User.
c. In the User table, click the name of the User you want to edit.
d. Click the API Keys tab and click Generate.
e. Click Save.
3. For a regular user:
a. Click My Account.
b. Click the API Keys tab and click Generate.
c. Click Save.

Configuring FortiSIEM

Use the API Key and Secret in previous step to enable FortiSIEM access.
1. Log in to FortiSIEM.
2. Go to ADMIN > Setup > Credential.
3. Click New to create a Tenable.io credential:
a. Choose Device Type = Tenable.io Tenable (Vendor = Tenable, Model = Tenable.io).
b. Choose Access Protocol = TenableIO API.
c. Choose Pull Interval = 5 minutes.

d. Choose Account, Access Key and Secret Key obtained from the Tenable.io portal (see Configuring Tenable.io Cloud Service).
e. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
f. Click Save.
4. Enter an IP range to Credential Association:
a. Set Hostname = cloud.tenable.com
b. Select the credential created in step 3.
c. Click Save.
5. Select the entry in step 4 and click Test Connectivity.
6. After Test Connectivity succeeds, an entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from the Tenable.io portal using the API.

To test for received Tenable.io events:
1. Go to ADMIN > Setup > Pull Events.
2. Select the Tenable.io entry and click Report.

The system will take you to the Analytics tab and run a query to display the events received from Tenable.io in the last 15 minutes. You can modify the time interval to get more events.

Tenable Nessus Vulnerability Scanner

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol | Metrics collected | Used for
Nessus API | Scan name, Scanned Host Name, Host OS, Vulnerability category, Vulnerability name, Vulnerability severity, Vulnerability CVE Id and Bugtraq Id, Vulnerability CVSS Score, Vulnerability Consequence | Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "nessus" in the Description and Device Type column to see the
event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In RESOURCE > Reports, search for "nessus" in the Description column to see the reports associated with this device.

Configuration

Nessus API

Create a user name and password that FortiSIEM can use as access credentials for the API. Make sure the user has permission to view the scan report files on the Nessus device. You can check whether your user has the right permissions by running a scan report as that user.
You can now configure FortiSIEM to communicate with your device. For more information, refer to the sections "Setting Credentials", "Testing Credentials", and "API Event Collection" in the User Guide.

Settings for Access Credentials

Settings for Nessus Vulnerability Scanner API Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your Nessus Vulnerability Scanner over the API.

Setting | Value
Name | <set name>
Device Type | Tenable Nessus Security Scanner, Tenable Nessus6 Security Scanner, Tenable Nessus7 Security Scanner, or Tenable Nessus8 Security Scanner
Access Protocol | Nessus API, Nessus6 API, Nessus7 API, or Nessus8 API
Pull Interval (minutes) | 5
Port | 8834
User Name (for Nessus and Nessus6) | A user who has permission to access the device over the API
Password (for Nessus and Nessus6) | The password associated with the user
Access Key (for Nessus7 and Nessus8) | Obtain the Access Key from Nessus
Secret Key (for Nessus7 and Nessus8) | Obtain the Secret Key from Nessus

Tenable Security Center

- Integration points
- Tenable.sc (Security Center) API Integration
- Sample Events

Integration points

Protocol | Information collected | Used for
Tenable.sc API | Vulnerability scan data | Security and Compliance

Tenable.sc (Security Center) API Integration

FortiSIEM can pull vulnerability scan data via the Tenable.sc API. Tenable.sc scan data contains the vulnerabilities found on a host. Each host vulnerability is converted into a separate FortiSIEM event with event type TenableSC-Vuln-Detected.
- Configuring Tenable.sc for FortiSIEM
- Configuring FortiSIEM

Configuring Tenable.sc for FortiSIEM

Except for setting your Tenable account user name and password, no special configuration is needed for Tenable.sc.

Configuring FortiSIEM

Use the Tenable account user name and password from the previous step to enable FortiSIEM access.
1. Login to FortiSIEM.
2. Go to ADMIN > Setup > Credential.
3. Click New to create a Tenable.sc credential:
a. Enter a Name for the credential.
b. Choose Device Type = Tenable Tenable Security Center (Vendor = Tenable, Model = Security Center).
c. Choose Access Protocol = Tenable.sc API.
d. Choose Pull Interval = 60 minutes.
e. Enter the User Name for the account.
f. Enter the Password for the account.
g. Click Save.
4. Enter an IP range to Credential Association:
a. Enter the host's IP or Hostname.
b. Select the credential created in Step 3 from the drop-down list.
c. Click Save.

5. Select the entry in step 4 and click Test Connectivity.
6. After Test Connectivity succeeds, an entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Tenable Security Center using the API.

To test for received Tenable.sc events:
1. Go to ADMIN > Setup > Pull Events.
2. Select the Tenable.sc entry and click Report.

The system will take you to the Analytics tab and run a query to display the events received from Tenable.sc in the last 15 minutes. You can modify the time interval to get more events.

Sample Events

[TenableSc-Vuln-Detected]:[serverIp]=10.10.10.79,[serverName]=sc.tenalab.online,[scanName]=tensc_job1__ordr_1580449845796,[endTime]=1580538767,[policyName]=6e8a5582-076f-5798-b0c3-5384b8854cad-501013/Advanced Scan (Vulnerability),[osName]=linux,[hostMACAddr]=00:16:3E:5D:7A:71,[osVersion]=Linux Kernel 2.6,[hostName]=target-cent7.lxd,[hostIpAddr]=10.238.64.9,[startTime]=1580538643,[appPort]=22,[appTransportProto]=tcp,[eventSeverity]=1,[nessusPluginId]=70658,[nessusPluginName]=SSH Server CBC Mode Ciphers Enabled,[categoryType]=Misc.,[vulnCVEId]=CVE-2008-5161,[vulnCvssBaseScore]=2.6,[vulnCvssBaseTemporal]=1.9,[cweId]=200,[vulnDesc]=The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.,[fileName]=ssh_cbc_supported_ciphers.nasl,[vulnType]=remote,[threatLevel]=Low,[vulnSolution]=Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.,[vulnCVESummary]=The SSH server is configured to use Cipher Block Chaining.,[nessusPluginOutput]= The following client-to-server Cipher Block Chaining (CBC) algorithms are supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc The following server-to-client Cipher Block Chaining (CBC) algorithms are supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc

[TenableSc-Vuln-Detected]:[serverIp]=52.170.35.79,[serverName]=sc.tenalab.online,[scanName]=tensc_job1__ordr_1580449845796,[endTime]=1580538767,[policyName]=6e8a5582-076f-5798-b0c3-5384b8854cad-501013/Advanced Scan (Vulnerability),[osName]=linux,[hostMACAddr]=00:16:3E:5D:7A:71,[osVersion]=Linux Kernel 2.6,[hostName]=target-cent7.lxd,[hostIpAddr]=10.238.64.9,[startTime]=1580538643,[appPort]=0,[appTransportProto]=tcp,[eventSeverity]=0,[nessusPluginId]=35081,[nessusPluginName]=Xen Guest Detection,[categoryType]=Misc.,[vulnDesc]=According to the MAC address of its network adapter, the remote host is a Xen virtual machine.,[fileName]=xen_detect.nasl,[vulnType]=combined,[threatLevel]=None,[vulnSolution]=Ensure that the host's configuration is in agreement with your organization's security policy.,[vulnCVESummary]=The remote host is a Xen virtual machine.
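The sample events above use FortiSIEM's bracketed attribute format, where a value runs until the next ,[key]= and may itself contain commas. The Python below is an added example, not FortiSIEM code: it parses that format and picks out the findings that carry a CVE, using shortened copies of the two samples and an assumed CVSS threshold and de-duplication key.

```python
"""Parse FortiSIEM attribute-formatted events ([key]=value,...) such as
TenableSC-Vuln-Detected and pick out the findings worth looking at first.
Added example, not FortiSIEM code; the sample events are shortened copies of
the two Tenable.sc samples in this guide, and the triage threshold and
de-duplication key are assumptions."""
import re
from typing import Dict, List

# Constructed from the guide's two sample events, trimmed to the fields used here.
SAMPLE_EVENTS = [
    "[TenableSc-Vuln-Detected]:[serverIp]=10.10.10.79,[serverName]=sc.tenalab.online,"
    "[hostName]=target-cent7.lxd,[hostIpAddr]=10.238.64.9,[appPort]=22,"
    "[appTransportProto]=tcp,[eventSeverity]=1,[nessusPluginId]=70658,"
    "[nessusPluginName]=SSH Server CBC Mode Ciphers Enabled,[vulnCVEId]=CVE-2008-5161,"
    "[vulnCvssBaseScore]=2.6,[threatLevel]=Low,[vulnSolution]=Contact the vendor or "
    "consult product documentation to disable CBC mode cipher encryption, and enable "
    "CTR or GCM cipher mode encryption.",
    "[TenableSc-Vuln-Detected]:[serverIp]=52.170.35.79,[serverName]=sc.tenalab.online,"
    "[hostName]=target-cent7.lxd,[hostIpAddr]=10.238.64.9,[appPort]=0,"
    "[appTransportProto]=tcp,[eventSeverity]=0,[nessusPluginId]=35081,"
    "[nessusPluginName]=Xen Guest Detection,[threatLevel]=None,[vulnDesc]=According "
    "to the MAC address of its network adapter, the remote host is a Xen virtual machine.",
]

HEADER_RE = re.compile(r"^\[([^\]]+)\]:(.*)$", re.S)
# A value runs until the next ",[key]=" or the end of the line, so commas inside
# free-text fields such as vulnSolution do not split the value.
ATTR_RE = re.compile(r"\[(\w+)\]=(.*?)(?=,\[\w+\]=|$)", re.S)


def parse_event(line: str) -> Dict[str, str]:
    """Return {"eventType": ..., attr: value, ...} for one event line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a FortiSIEM attribute-formatted event")
    event = {"eventType": m.group(1)}
    for key, value in ATTR_RE.findall(m.group(2)):
        event[key] = value.strip()
    return event


def finding_key(event: Dict[str, str]) -> tuple:
    """Identity of a finding: same host, plugin and port (assumed key, so a
    finding that shows up in several pulls is reported once)."""
    return (event.get("hostIpAddr"), event.get("nessusPluginId"), event.get("appPort"))


def triage(events: List[Dict[str, str]], min_cvss: float = 0.0) -> List[Dict[str, object]]:
    """Keep TenableSC-Vuln-Detected events that name a CVE with a CVSS base score
    of at least min_cvss, once per finding, most severe first."""
    seen = set()
    hits = []
    for e in events:
        if e["eventType"].lower() != "tenablesc-vuln-detected":
            continue
        cve = e.get("vulnCVEId")
        if not cve:
            continue  # informational plugins (OS / VM detection) carry no CVE
        try:
            score = float(e.get("vulnCvssBaseScore") or 0.0)
        except ValueError:
            score = 0.0
        key = finding_key(e)
        if score < min_cvss or key in seen:
            continue
        seen.add(key)
        hits.append({"host": e.get("hostName"), "ip": e.get("hostIpAddr"),
                     "port": e.get("appPort"), "plugin": e.get("nessusPluginId"),
                     "cve": cve, "cvss": score, "threat": e.get("threatLevel")})
    hits.sort(key=lambda h: h["cvss"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in triage([parse_event(line) for line in SAMPLE_EVENTS]):
        print(hit)
```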

YXLink Vuln Scanner

Configuration in FortiSIEM

Complete these steps in the FortiSIEM UI:

1. Go to the ADMIN > Setup > Credentials tab.
2. In Step 1: Enter Credentials:
a. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
b. Enter these settings in the Access Method Definition dialog box:

Settings | Description
Name | Enter a name for the credential.
Device Type | YXLink Vuln Scanner
Access Protocol | YX API
Pull Interval | 60 minutes
Port | 0
Domain | Domain name
Description | Description about the device

3. In Step 2: Enter IP Range to Credential Associations, click New.
a. Enter a host name, an IP, or an IP range in the IP/Host Name field.
b. Select the name of your credential from the Credentials drop-down list.
c. Click Save.
4. Click the Test drop-down list and select Test Connectivity to test the connection to YXLink Vulnerability Scanner.
5. To see the jobs associated with YXLink, select ADMIN > Setup > Pull Events.
6. To see the received events, select ANALYTICS, then enter "YXLink" in the search box.

WAN Accelerators

FortiSIEM supports these wide area network accelerators for discovery and monitoring.
- Cisco Wide Area Application Server
- Riverbed SteelHead WAN Accelerator

Cisco Wide Area Application Server

- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP | Host name, Software version, Hardware model, Network interfaces | Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Disk space utilization, Process cpu/memory utilization | Availability and Performance Monitoring

Event Types

Regular monitoring events

- PH_DEV_MON_SYS_UPTIME
[PH_DEV_MON_SYS_UPTIME]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=1053,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5,[sysUpTime]=13256948,[sysUpTimePct]=100.000000,[sysDownTime]=0,[pollIntv]=56,[phLogDetail]=

- PH_DEV_MON_SYS_CPU_UTIL
[PH_DEV_MON_SYS_UPTIME]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=1053,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5,[sysUpTime]=13256948,[sysUpTimePct]=100.000000,[sysDownTime]=0,[pollIntv]=56,[phLogDetail]=

- PH_DEV_MON_SYS_MEM_UTIL
[PH_DEV_MON_SYS_MEM_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=9822,[memName]=Physical Memory,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5,[memUtil]=93.438328,[pollIntv]=176,[phLogDetail]=

- PH_DEV_MON_SYS_DISK_UTIL
[PH_DEV_MON_SYS_DISK_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=9902,[diskName]=/swstore,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5,[appTransportProto]=SNMP (hrStorage),[diskUtil]=56.931633,[totalDiskMB]=992,[usedDiskMB]=565,[freeDiskMB]=427,[pollIntv]=176,[phLogDetail]=

- PH_DEV_MON_SYS_PROC_COUNT
[PH_DEV_MON_SYS_PROC_COUNT]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=11710,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5,[procCount]=429,[pollIntv]=176,[phLogDetail]=

- PH_DEV_MON_NET_INTF_UTIL
[PH_DEV_MON_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phIntfFilter.cpp,[lineNumber]=323,[intfName]=GigabitEthernet 1/0,[intfAlias]=,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5,[pollIntv]=56,[recvBytes64]=0,[recvBitsPerSec]=0.000000,[inIntfUtil]=0.000000,[sentBytes64]=0,[sentBitsPerSec]=0.000000,[outIntfUtil]=0.000000,[recvPkts64]=0,[sentPkts64]=0,[inIntfPktErr]=0,[inIntfPktErrPct]=0.000000,[outIntfPktErr]=0,[outIntfPktErrPct]=0.000000,[inIntfPktDiscarded]=0,[inIntfPktDiscardedPct]=0.000000,[outIntfPktDiscarded]=0,[outIntfPktDiscardedPct]=0.000000,[outQLen64]=0,[intfInSpeed64]=100000000,[intfOutSpeed64]=100000000,[intfAdminStatus]=,[intfOperStatus]=,[daysSinceLastUse]=0,[totIntfPktErr]=0,[totBitsPerSec]=0.000000,[phLogDetail]=

- PH_DEV_MON_PROC_RESOURCE_UTIL
[PH_DEV_MON_PROC_RESOURCE_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=4320,[swProcName]=syslogd,[hostName]=edge.bank.com,[hostIpAddr]=10.19.1.5,[procOwner]=,[memUtil]=0.038191,[cpuUtil]=0.000000,[appName]=Syslog Server,[appGroupName]=Unix Syslog Server,[pollIntv]=116,[swParam]=-s -f /etc/syslog.conf-diamond,[phLogDetail]=

Rules

Regular monitoring rules

Reports

Regular monitoring reports

Configuration

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting | Value
Name | <set name>
Device Type | Cisco WAAS
Access Protocol | See Access Credentials
Port | See Access Credentials
Password config | See Password Configuration

Riverbed SteelHead WAN Accelerator

- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP | Host name, Software version, Hardware model, Network interfaces | Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Disk space utilization, Process cpu/memory utilization | Availability and Performance Monitoring
SNMP | | Hardware status | Availability and Performance Monitoring
SNMP | | Bandwidth metrics: Inbound Optimized Bytes - LAN side, WAN side, Outbound optimized bytes - LAN side and WAN side. Connection metrics: Optimized connections, Passthrough connections, Half-open optimized connections, Half-closed Optimized connections, Established optimized connections, Active optimized connections. Top Usage metrics: Top source (Source IP, Total Bytes), Top destination (Destination IP, Total Bytes), Top Application (TCP/UDP port, Total Bytes), Top Talker (Source IP, Source Port, Destination IP, Destination Port, Total Bytes). Peer status: For every peer: State, Connection failures, Request timeouts, Max latency | Availability and Performance Monitoring
SNMP Trap | | All traps: software errors, hardware errors, admin login, performance issues - cpu, memory, peer latency issues. About 115 traps defined in ADMIN > Device Support > Event. The mapped event types start with "Riverbed-". | Availability, Security and Compliance

Event Types

In ADMIN > Device Support > Event, search for "steelhead" in the Description and Device Type columns to see
the event types associated with this device.

Rules

In RESOURCE > Rules, search for "steelhead" in the Name column to see the rules associated with this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its
product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the
User Guide.

SNMP Trap

FortiSIEM processes events from this device via SNMP traps sent by the device. Configure the device to send SNMP traps to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting | Value
Name | <set name>
Device Type | Riverbed Steelhead
Access Protocol | See Access Credentials
Port | See Access Credentials
Password config | See Password Configuration

Wireless LANs

FortiSIEM supports these wireless local area network devices for discovery and monitoring.
- Aruba Networks Wireless LAN
- Cisco Wireless LAN
- CradlePoint
- FortiAP
- FortiWLC
- Motorola WiNG WLAN AP
- Ruckus Wireless LAN

Aruba Networks Wireless LAN

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

FortiSIEM uses SNMP and NMAP to discover the device and to collect logs and performance metrics. FortiSIEM
communicates to the WLAN Controller only and discovers all information from the Controller. FortiSIEM does not
communicate to the WLAN Access points directly.

Protocol | Information Discovered | Metrics collected | Used for
SNMP | Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points | Controller Uptime, Controller Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Radio interface performance metrics | Availability and Performance Monitoring
SNMP Trap | Controller device type | All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health | Availability, Security and Compliance

Event Types

In ADMIN > Device Support > Event, search for "aruba" in the Description and Device Type columns to see the
event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In RESOURCE > Reports, search for "aruba" in the Name column to see the reports associated with this device.

Configuration

SNMP V1/V2c

1. Log in to your Aruba wireless controller with administrative privileges.
2. Go to Configuration > Management > SNMP.
3. For Read Community String, enter public.
4. Select Enable Trap Generation.
5. Next to Read Community String, click Add.
6. Under Trap Receivers, click Add and enter the IP address of your FortiSIEM virtual appliance.

Sample Aruba Networks Wireless LAN Controller SNMP Trap Messages

2008-06-11 11:38:34 192.168.20.7 [192.168.20.7]:SNMPv2-MIB::sysUpTime.0 = Timeticks: (1355400) 3:45:54.00 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.14823.2.2.1.1.100.1003 SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.60 = Hex-STRING: 07 D8 06 0B 13 2E 39 00 2D 07 00 SNMPv2-SMI::enterprises.14823.2.2.1.1.2.1.1.2.192.168.180.1 = Hex-STRING: 00 1E 52 72 AF 4B

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting | Value
Name | <set name>
Device Type | Aruba ArubaOS WLAN AP
Access Protocol | See Access Credentials
Port | See Access Credentials
Password config | See Password Configuration

Cisco Wireless LAN

- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP | Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points | Controller Uptime, Controller CPU and Memory utilization, Controller Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) | Availability and Performance Monitoring
SNMP Trap | Controller device type | All system logs: User authentication, Admin authentication, WLAN attacks, Wireless link health | Availability, Security and Compliance

Event Types

In ADMIN > Device Support > Event, search for "cisco wireless" in the Description column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP V1/V2c and SNMP Traps

1. Log in to your Cisco wireless LAN controller with administrative privileges.
2. Go to MANAGEMENT > SNMP > General.
3. Set both SNMP v1 Mode and SNMP v2c Mode to Enable.
4. Go to SNMP > Communities.
5. Click New and create a public community string with Read-Only privileges.
6. Click Apply.
7. Go to SNMP > Trap Controls.
8. Select the event traps you want to send to FortiSIEM.
9. Click Apply.
10. Go to SNMP > Trap Receivers.
11. Click New and enter the IP address of your FortiSIEM virtual appliance as a trap receiver.
12. Click Apply.

Sample SNMP Trap

2008-06-09 08:59:50 192.168.20.9 [192.168.20.9]:SNMPv2-MIB::sysUpTime.0 = Timeticks: (86919800) 10 days, 1:26:38.00 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.14179.2.6.3.2 SNMPv2-SMI::enterprises.14179.2.6.2.35.0 = Hex-STRING: 00 21 55 4D 66 B0 SNMPv2-SMI::enterprises.14179.2.6.2.36.0 = INTEGER: 0 SNMPv2-SMI::enterprises.14179.2.6.2.37.0 = INTEGER: 1 SNMPv2-SMI::enterprises.14179.2.6.2.34.0 = Hex-STRING: 00 12 F0 0A 3F 15

2010-11-01 12:59:57 0.0.0.0(via UDP: [172.22.2.25]:32769) TRAP2, SNMP v2c, community 1n3t3ng . Cold Start Trap (0) Uptime: 0:00:00.00 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (9165100) 1 day, 1:27:31.00 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.599.0.4 SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.1.0 = Hex-STRING: 00 24 D7 36 A0 00 SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: "AP-2" SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.8.0 = Hex-STRING: 00 25 45 B7 66 70 SNMPv2-SMI::enterprises.9.9.513.1.2.1.1.1.0 = INTEGER: 0 SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.10.0 = IpAddress: 172.22.4.54 SNMPv2-SMI::enterprises.9.9.599.1.2.1.0 = STRING: "IE\brouse" SNMPv2-SMI::enterprises.9.9.599.1.2.2.0 = STRING: "IE"

2011-04-05 10:37:42 0.0.0.0(via UDP: [10.10.81.240]:32768) TRAP2, SNMP v2c, community FortiSIEM . Cold Start Trap (0) Uptime: 0:00:00.00 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1672429600) 193 days, 13:38:16.00 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.615.0.1 SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.1.0 = Hex-STRING: 00 25 BC 80 E8 77 SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.8.0 = Hex-STRING: 6C 50 4D 7D AC 50 SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.9.0 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: "AP03-3.rdu2" SNMPv2-SMI::enterprises.9.9.615.1.2.1.0 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.615.1.2.2.0 = INTEGER: 5000 SNMPv2-SMI::enterprises.9.9.615.1.2.3.0 = INTEGER: 1 SNMPv2-SMI::enterprises.9.9.615.1.2.4.0 = INTEGER: 31 SNMPv2-SMI::enterprises.9.9.615.1.2.5.0 = INTEGER: -60 SNMPv2-SMI::enterprises.9.9.615.1.2.6.0 = INTEGER: -90 SNMPv2-SMI::enterprises.9.9.615.1.2.7.0 = STRING: "0,0,0,0,1,20,24,28,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0" SNMPv2-SMI::enterprises.9.9.615.1.2.8.0 = INTEGER: 2 SNMPv2-SMI::enterprises.9.9.615.1.2.9.0 = STRING: "6c:50:4d:7d:ac:50,e8:04:62:0b:b5:f0" SNMPv2-SMI::enterprises.9.9.615.1.2.10.0 = STRING: "-83,-85" SNMPv2-SMI::enterprises.9.9.615.1.2.11.0 = STRING: "1,1" SNMPv2-SMI::enterprises.9.9.512.1.1.1.1.11.5 = INTEGER: 1
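The Aruba trap shown earlier in this chapter and the Cisco traps above share the net-snmp varbind layout (MODULE::object = TYPE: value, one after another). The Python below is an added example, not FortiSIEM's trap parser: it splits the varbinds, decodes MAC and DateAndTime Hex-STRINGs, and identifies the sending vendor from the enterprise number in snmpTrapOID; the vendor table is an assumption built from the enterprise OIDs in those samples.

```python
"""Parse snmptrapd-style trap text such as the Aruba and Cisco WLAN controller
samples in this guide, decode the varbinds, and name the sending vendor from
the enterprise number carried in snmpTrapOID.

Added example, not FortiSIEM's trap parser. The two sample traps are copied from
this guide (joined onto one line); the vendor table is an assumption built from
the enterprise OIDs those samples contain."""
import re
from typing import Any, Dict

ARUBA_TRAP = (
    "2008-06-11 11:38:34 192.168.20.7 [192.168.20.7]:SNMPv2-MIB::sysUpTime.0 = "
    "Timeticks: (1355400) 3:45:54.00 SNMPv2-MIB::snmpTrapOID.0 = OID: "
    "SNMPv2-SMI::enterprises.14823.2.2.1.1.100.1003 "
    "SNMPv2-SMI::enterprises.14823.2.3.1.11.1.1.60 = Hex-STRING: "
    "07 D8 06 0B 13 2E 39 00 2D 07 00 "
    "SNMPv2-SMI::enterprises.14823.2.2.1.1.2.1.1.2.192.168.180.1 = Hex-STRING: "
    "00 1E 52 72 AF 4B"
)
CISCO_TRAP = (
    "2008-06-09 08:59:50 192.168.20.9 [192.168.20.9]:SNMPv2-MIB::sysUpTime.0 = "
    "Timeticks: (86919800) 10 days, 1:26:38.00 SNMPv2-MIB::snmpTrapOID.0 = OID: "
    "SNMPv2-SMI::enterprises.14179.2.6.3.2 "
    "SNMPv2-SMI::enterprises.14179.2.6.2.35.0 = Hex-STRING: 00 21 55 4D 66 B0 "
    "SNMPv2-SMI::enterprises.14179.2.6.2.36.0 = INTEGER: 0 "
    "SNMPv2-SMI::enterprises.14179.2.6.2.37.0 = INTEGER: 1 "
    "SNMPv2-SMI::enterprises.14179.2.6.2.34.0 = Hex-STRING: 00 12 F0 0A 3F 15"
)

# Assumed mapping of the IANA private enterprise numbers seen in the guide's samples.
ENTERPRISE_VENDORS = {14823: "Aruba Networks", 14179: "Cisco (Airespace WLC)", 9: "Cisco"}

# "MODULE::object = TYPE: " marks the start of each varbind in net-snmp output.
VARBIND_RE = re.compile(r"([A-Za-z0-9-]+::[A-Za-z0-9.-]+) = ([A-Za-z-]+): ")
AGENT_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ENTERPRISE_RE = re.compile(r"enterprises\.(\d+)")


def decode_value(vtype: str, raw: str) -> Any:
    """Turn a net-snmp rendered value into something a rule can compare on."""
    if vtype == "INTEGER":
        return int(raw)
    if vtype == "STRING":
        return raw.strip('"')
    if vtype == "Timeticks":            # "(1355400) 3:45:54.00" -> ticks (1/100 s)
        return int(raw[1:raw.index(")")])
    if vtype == "Hex-STRING":
        octets = bytes.fromhex(raw.replace(" ", ""))
        if len(octets) == 6:            # MAC address (AP, client or rogue BSSID)
            return ":".join(f"{b:02x}" for b in octets)
        if len(octets) in (8, 11):      # SNMPv2-TC DateAndTime
            year = int.from_bytes(octets[0:2], "big")
            stamp = (f"{year:04d}-{octets[2]:02d}-{octets[3]:02d} "
                     f"{octets[4]:02d}:{octets[5]:02d}:{octets[6]:02d}")
            if len(octets) == 11:       # optional UTC offset: '+'/'-', hours, minutes
                stamp += f"{chr(octets[8])}{octets[9]:02d}:{octets[10]:02d}"
            return stamp
        return octets.hex()
    return raw                          # OID, IpAddress and anything else stay text


def parse_trap(line: str) -> Dict[str, Any]:
    """Split one trap line into agent address, trap OID, vendor and decoded varbinds."""
    starts = list(VARBIND_RE.finditer(line))
    varbinds: Dict[str, Any] = {}
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(line)
        varbinds[m.group(1)] = decode_value(m.group(2), line[m.end():end].strip())
    agent = AGENT_RE.search(line)
    trap_oid = varbinds.get("SNMPv2-MIB::snmpTrapOID.0")
    ent = ENTERPRISE_RE.search(trap_oid or "")
    enterprise = int(ent.group(1)) if ent else None
    return {
        "agent": agent.group(1) if agent else None,
        "trap_oid": trap_oid,
        "enterprise": enterprise,
        "vendor": ENTERPRISE_VENDORS.get(enterprise, "unknown"),
        "varbinds": varbinds,
    }


if __name__ == "__main__":
    for trap in (ARUBA_TRAP, CISCO_TRAP):
        parsed = parse_trap(trap)
        print(parsed["agent"], parsed["vendor"], parsed["trap_oid"])
        for name, value in parsed["varbinds"].items():
            print("   ", name, "=", value)
```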

Settings for Access Credentials

SNMP Access Credentials for All Devices

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP. Set the Name and Community String.

Setting | Value
Name | <set name>
Device Type | Generic
Access Protocol | SNMP
Community String | <your own>

CradlePoint

- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Settings for Access Credentials
- Sample Events

What is Discovered and Monitored

Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | |

Event Types

In ADMIN > Device Support > Event, search for "CradlePoint" in the Description column to see the event types
associated with this application or device.

Rules

No specific rules are written for CradlePoint but generic rules for Firewall, VPN Gateway, WLAN AP, Router Switch
apply where there are matching event types.

Reports

No specific reports are written for CradlePoint but generic reports for Firewall, VPN Gateway, WLAN AP, Router Switch
apply where there are matching event types.

Configuration

Configure syslog forwarding of event information from CradlePoint.

Settings for Access Credentials

None required.

Sample Events

<14>(host) dhcp: Updated DHCP client: hostname 10.4.42.222 58:94:6b:8d:2b:94

FortiAP

- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Sample events
- Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP (to FortiGate) | Access point – Name, OS, Interfaces, Controller (FortiGate) | FortiAP CPU, Memory, Clients, Sent/Received traffic | Performance and Availability Monitoring
Syslog (from FortiGate) | | Wireless events | Security and Log Analysis

FortiAPs are discovered from FortiGate firewalls via SNMP. FortiAP logs are received via FortiGate firewalls.

Event Types

In ADMIN > Device Support > Event, search for "FortiGate-Wireless" and "FortiGate-event" in the Description column to see the event types associated with this device.

Rules

There are generic rules that trigger for this device as event types are mapped to specific event type groups.

Reports

Generic reports are written for this device as event types are mapped to specific event type groups.

Configuration

Configure FortiGate to:
1. Send Syslog to FortiSIEM.
2. Enable SNMP read from FortiSIEM.

Sample Events

FortiSIEM generated performance monitoring events:

[PH_DEV_MON_FORTIAP_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortinet.cpp,[lineNumber]=688,[hostName]=FAP320C-default,[hostIpAddr]=,[sysUpTime]=7588440,[wtpDaemonUpTime]=7588440,[wtpSessionUpTime]=63039960,[numWlanClient]=0,[ftntWtpSessionStatus]=55038712,[sentBitsPerSec]=0.000000,[recvBitsPerSec]=0.000000,[pollIntv]=180,[phLogDetail]=

[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortinet.cpp,[lineNumber]=698,[cpuName]=FAP320C-default_WTP_CPU,[hostName]=FAP320C-default,[hostIpAddr]=,[cpuUtil]=0.000000,[pollIntv]=0,[phLogDetail]=

[PH_DEV_MON_SYS_MEM_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortinet.cpp,[lineNumber]=707,[memName]=FAP320C-default_WTP_MEM,[hostName]=FAP320C-default,[hostIpAddr]=,[memUtil]=34,[totalMemKB]= 254256 ,[freeMemKB]=254256,[usedMemKB]=0,[phLogDetail]=

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting | Value
Name | <set name>
Device Type | Fortinet FortiAP
Access Protocol | See Access Credentials
Port | See Access Credentials
Password config | See Password Configuration

FortiWLC

- What is Discovered and Monitored
- Configuration
- Settings for Access Credentials
- Sample events

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP | Controller – Name, OS, Serial Number, Interfaces, Associated Access Points – name, OS, Interfaces | Controller – CPU, Memory, Disk, Throughput, QoS statistics, Station count | Performance and Availability Monitoring
Syslog | | Hardware/Software errors, failures, logons, license expiry, Access Point Association / Disassociation | Security Monitoring and log analysis

Event Types

In ADMIN > Device Support > Event, search for "FortiWLC" in the Description column to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure FortiWLC to:
1. Send Syslog to FortiSIEM.
2. Enable SNMP read from FortiSIEM.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting | Value
Name | <set name>
Device Type | Fortinet FortiWLC
Access Protocol | See Access Credentials
Port | See Access Credentials
Password config | See Password Configuration

Sample events

FortiSIEM generated performance monitoring events:

[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortiWLCWLAN.cpp,[lineNumber]=281,[cpuName]=CPU,[hostName]=FWLCDemo,[hostIpAddr]=172.30.72.40,[cpuUtil]=2.000000,[sysCpuUtil]=0.000000,[userCpuUtil]=2.000000,[waitCpuUtil]=98.000000,[pollIntv]=176,[phLogDetail]=

[PH_DEV_MON_SYS_DISK_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortiWLCWLAN.cpp,[lineNumber]=286,[diskName]=Disk,[hostName]=FWLCDemo,[hostIpAddr]=172.30.72.40,[diskUtil]=65.000000,[totalDiskMB]=1084,[availDiskMB]=367,[pollIntv]=176,[phLogDetail]=

[PH_DEV_MON_SYS_MEM_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortiWLCWLAN.cpp,[lineNumber]=284,[memName]=PhysicalMemory,[hostName]=FWLCDemo,[hostIpAddr]=172.30.72.40,[memUtil]=9.000000,[totalMemKB]=3922244,[freeMemKB]=3538244,[usedMemKB]=384000,[phLogDetail]=

[PH_DEV_MON_FORTIWLC_SYS_THRUPUT]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortiWLCWLAN.cpp,[lineNumber]=343,[hostIpAddr]=172.30.72.40,[pollIntv]=180,[recvBytes]=3940593459,[sentBytes]=4002693999,[recvBitsPerSec]=0.000000,[sentBitsPerSec]=0.000000,[wlanRecvBytes]=10851874907433110752,[wlanSentBytes]=9983789733519268498,[wlanRecvBitsPerSec]=0.000000,[wlanSentBitsPerSec]=0.000000,[phLogDetail]=

[PH_DEV_MON_FORTIWLC_QOS_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortiWLCWLAN.cpp,[lineNumber]=426,[hostIpAddr]=172.30.72.40,[pollIntv]=176,[qosSessionCount]=1,[qosH323SessionCount]=2,[qosSipSessionCount]=3,[qosSccpSessionCount]=4,[qosRejectedSessionCount]=5,[qosRejectedH323SessionCount]=6,[qosRejectedSipSessionCount]=7,[qosRejectedSccpSessionCount]=8,[qosPendingSessionCount]=9,[qosH323PendingSessionCount]=10,[qosSipPendingSessionCount]=11,[qosSccpPendingSessionCount]=12,[qosActiveFlowCount]=13,[qosPendingFlowCount]=14,[phLogDetail]=

[PH_DEV_MON_FORTIWLC_STATIONS]:[eventSeverity]=PHL_INFO,[fileName]=deviceFortiWLCWLAN.cpp,[lineNumber]=511,[hostIpAddr]=172.30.72.40,[pollIntv]=176,[station11a]=1,[station11an1]=2,[station11an2]=3,[station11an3]=4,[station11b]=5,[station11bg]=6,[station11gn1]=7,[station11gn2]=8,[station11gn3]=9,[stationData]=10,[stationPhone]=11,[stationWired]=12,[station11ac1]=13,[station11ac2]=14,[station11ac3]=15,[stationUnknown]=16,[phLogDetail]=

FortiWLC Syslog

Apr 09 15:07:54 172.18.37.203 ALARM: 1270826655l | system | info | ALR | RADIUS SERVER SWITCHOVER FAILED MAJOR Primary RADIUS Server <172.18.1.3> failed. No valid Secondary RADIUS Server present. Switchover FAILED for Profile <4089wpa2>

FortiSIEM 6.1.2 External Systems Configuration Guide 712


Fortinet Technologies Inc.
Wireless LANs

Motorola WiNG WLAN AP

• What is Discovered and Monitored
• Event Types
• Rules
• Reports
• Configuration
• Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
Syslog | | All system logs: User authentication, Admin authentication, Availability, WLAN attacks, Wireless link health | Security and Compliance

Event Types

Over 127 event types - In ADMIN > Device Support > Event, search for "Motorola-WiNG" to see the event types
associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure your devices to send syslog to FortiSIEM, and make sure that your firmware version produces logs in the
format shown below:

2015-11-11T13:00:16.720960-06:00 co-ap01 %DOT11-5-EAP_FAILED: Client 'FC-C2-DE-B1-43-81' failed 802.1x/EAP authentication on wlan 'OFFICE-WAREHOUSE-RADIUS-WLAN' radio 'co-ap01:R1'

2015-11-11T12:52:20.437659-06:00 us600001 %SMRT-5-COV_HOLE_RECOVERY_DONE: Radio us-ap10:R2 power changed from 19 to 14

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Motorola WiNG WLAN AP

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration

Ruckus Wireless LAN

• What is Discovered and Monitored
• Configuration
• Settings for Access Credentials

What is Discovered and Monitored

Protocol | Information Discovered | Metrics collected | Used for
SNMP | Controller host name, Controller hardware model, Controller network interfaces, Associated WLAN Access Points | Controller Uptime, Controller Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Controller WLAN Statistics, Access Point Statistics, SSID performance Stats | Availability and Performance Monitoring

Event Types

• PH_DEV_MON_RUCKUS_CONTROLLER_STAT
[PH_DEV_MON_RUCKUS_CONTROLLER_STAT]:[eventSeverity]=PHL_INFO,
[fileName]=deviceRuckusWLAN.cpp,[lineNumber]=555,[hostName]=guest-zd-01,
[hostIpAddr]=172.17.0.250,[numAp]=41,[numWlanClient]=121,[newRogueAP]=0,[knownRogueAP]=0,
[wlanSentBytes]=0,[wlanRecvBytes]=0,[wlanSentBitsPerSec]=0.000000,
[wlanRecvBitsPerSec]=0.000000,[lanSentBytes]=166848,[lanRecvBytes]=154704,
[lanSentBitsPerSec]=7584.000000,[lanSentBitsPerSec]=7032.000000,[phLogDetail]=

• PH_DEV_MON_RUCKUS_ACCESS_POINT_STAT
[PH_DEV_MON_RUCKUS_ACCESS_POINT_STAT]:[eventSeverity]=PHL_INFO,
[fileName]=deviceRuckusWLAN.cpp,[lineNumber]=470,[hostName]=AP-10.20.30.3,
[hostIpAddr]=10.20.30.3,[description]=,[numRadio]=0,[numWlanClient]=0,[knownRogueAP]=0,
[connMode]=layer3,[firstJoinTime]=140467251729776,[lastBootTime]=140467251729776,
[lastUpgradeTime]=140467251729776,[sentBytes]=0,[recvBytes]=0,[sentBitsPerSec]=0.000000,
[recvBitsPerSec]=0.000000,[phLogDetail]=

• PH_DEV_MON_RUCKUS_SSID_PERF
[PH_DEV_MON_RUCKUS_SSID_PERF]:[eventSeverity]=PHL_INFO,[fileName]=deviceRuckusWLAN.cpp,
[lineNumber]=807,[hostName]=c1cs-guestpoint-zd-01,[hostIpAddr]=172.17.0.250,
[wlanSsid]=GuestPoint,[description]=Welcome SSID for not yet authorized APs.,
[wlanName]=Welcome SSID,[authenMethod]=open,[encryptAlgo]=none,[isGuest]=1,[srcVLAN]=598,
[sentBytes]=0,[recvBytes]=0,[sentBitsPerSec]=0.000000,[recvBitsPerSec]=0.000000,
[authSuccess]=0,[authFailure]=0,[assocSuccess]=0,[assocFailure]=0,[assocDeny]=0,
[disassocAbnormal]=0,[disassocLeave]=0,[disassocMisc]=0,[phLogDetail]=

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure the controller so that FortiSIEM can connect to it via SNMP.

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value

Name <set name>

Device Type Ruckus SmartOS WLAN AP

Access Protocol See Access Credentials

Port See Access Credentials

Password config See Password Configuration

Using Virtual IPs to Access Devices in Clustered
Environments

FortiSIEM communicates with devices and applications using multiple protocols. In many instances, access credentials
for discovery protocols such as SNMP and WMI must be associated with the real IP address (assigned to a network
interface) of the device, while application performance or synthetic transaction monitoring protocols (such as JDBC)
need the Virtual IP (VIP) assigned to the cluster. Since FortiSIEM uses a single access IP to communicate with a device,
you must create an address translation for the Virtual IPs.

1. Log into your FortiSIEM virtual appliance as root.
2. Update the mapping in your IP table so that the IP address used in setting up your access credentials is translated
to the virtual IP:

iptables -t nat -A OUTPUT -p tcp --destination <access-ip> --dport <destPort> -j DNAT --to-destination <virtual-ip>:<destPort>

As an example, suppose an Oracle database server is running on a server with a network address of 10.1.1.1, which
is in a cluster with a VIP of 192.168.1.1. The port used to communicate with Oracle over JDBC is 1521. In this case,
the update command would be:

iptables -t nat -A OUTPUT -p tcp --destination 10.1.1.1 --dport 1521 -j DNAT --to-destination 192.168.1.1:1521
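
The following shell helpers are an added example and are not part of this guide: they wrap the DNAT command above so that the access IP, port and VIP are validated, the rule is added only when it is not already present (re-running the step otherwise stacks duplicate rules), and the nat OUTPUT chain can be listed to confirm the mapping. The addresses are the guide's own example values.

```shell
#!/bin/sh
# Added example, not part of the FortiSIEM guide: wraps the guide's DNAT command in helpers
# that validate the inputs, add the rule only when it is not already present (so re-running
# the step does not stack duplicate rules), and list the chain so the mapping can be checked.
# Rules added with -A live only in the running kernel; re-apply them after a reboot or
# persist them with your distribution's tooling.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0..255.
# Runs in a subshell so the IFS/set changes do not leak into the caller.
valid_ipv4() (
    case $1 in ''|.*|*.) exit 1 ;; esac   # empty, leading dot or trailing dot
    set -f                                 # no glob expansion of the split octets
    IFS=.
    set -- $1                              # split on dots: "10.1.1.1" -> 4 positional args
    [ $# -eq 4 ] || exit 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) exit 1 ;; esac
        [ "$_o" -le 255 ] || exit 1
    done
    exit 0
)

# Return 0 if $1 is a TCP port in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rule specification from the guide: TCP packets that FortiSIEM sends to the
# access IP ($1) on port $2 are rewritten to the cluster VIP ($3) on the same port.
vip_dnat_spec() {
    valid_ipv4 "$1" || { echo "invalid access IP: $1" >&2; return 1; }
    valid_port "$2" || { echo "invalid port: $2" >&2; return 1; }
    valid_ipv4 "$3" || { echo "invalid VIP: $3" >&2; return 1; }
    printf '%s' "-p tcp --destination $1 --dport $2 -j DNAT --to-destination $3:$2"
}

# Add the rule to the nat OUTPUT chain unless an identical rule already exists (-C).
# Needs root on the FortiSIEM appliance, as in the guide's procedure.
add_vip_dnat() {
    _spec=$(vip_dnat_spec "$1" "$2" "$3") || return 1
    # $_spec is left unquoted on purpose so it is split into separate iptables arguments.
    if iptables -t nat -C OUTPUT $_spec 2>/dev/null; then
        echo "already present: $_spec"
    else
        iptables -t nat -A OUTPUT $_spec && echo "added: $_spec"
    fi
}

# List the nat OUTPUT chain so the translation can be confirmed after a change.
show_vip_dnat() {
    iptables -t nat -S OUTPUT
}

# Guide's example: Oracle on 10.1.1.1 behind VIP 192.168.1.1, JDBC port 1521.
# add_vip_dnat 10.1.1.1 1521 192.168.1.1 && show_vip_dnat
```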

Syslog over TLS

To receive syslog over TLS, a listening port must be enabled and certificates must be defined. The following settings are
already present in phoenix_config.txt on Super/Worker and Collector nodes:

listen_tls_port_list=6514
tls_certificate_file=/etc/pki/tls/certs/tls_self_signed.crt
tls_key_file=/etc/pki/tls/private/tls_self_signed.key

Note: the syslog over TLS client must be configured to communicate properly with FortiSIEM.

Appendix

CyberArk to FortiSIEM Log Converter XSL

<?xml version="1.0" ?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:import href='./Syslog/RFC5424Changes.xsl'/>
<xsl:output method="text" version="1.0" encoding="UTF-8" />
<xsl:template match="/">
<xsl:apply-imports />
<xsl:for-each select="syslog/audit_record">
<xsl:text>CYBERARK: Product="</xsl:text>
<xsl:value-of select="Product" />
<xsl:text>"</xsl:text>
<xsl:text>;Version="</xsl:text>
<xsl:value-of select="Version" />
<xsl:text>"</xsl:text>
<xsl:text>;Hostname="</xsl:text>
<xsl:value-of select="Hostname" />
<xsl:text>"</xsl:text>
<xsl:text>;MessageID="</xsl:text>
<xsl:value-of select="MessageID" />
<xsl:text>"</xsl:text>
<xsl:text>;Message="</xsl:text>
<xsl:value-of select="Message" />
<xsl:text>"</xsl:text>
<xsl:choose>
<xsl:when test="Desc!=''">
<xsl:text>;Desc="</xsl:text>
<xsl:value-of select="Desc" />
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="Action!=''">
<xsl:text>;Action="</xsl:text>
<xsl:value-of select="Action" />
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="Location!=''">
<xsl:text>;Location="</xsl:text>
<xsl:value-of select="Location" />
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:text>;Issuer="</xsl:text>
<xsl:value-of select="Issuer" />
<xsl:text>"</xsl:text>
<xsl:choose>
<xsl:when test="Station!=''">
<xsl:text>;Station="</xsl:text>
<xsl:value-of select="Station" />
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="File!=''">
<xsl:text>;File="</xsl:text>
<xsl:value-of select="File" />
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="Safe!=''">
<xsl:text>;Safe="</xsl:text>
<xsl:value-of select="Safe" />
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="Category!=''">
<xsl:text>;Category="</xsl:text>
<xsl:value-of select="Category" />
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="RequestId!=''">
<xsl:text>;RequestId="</xsl:text>
<xsl:value-of select="RequestId" />
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="Reason!=''">
<xsl:text>;Reason="</xsl:text>
<xsl:value-of select="Reason" />
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="SeverityCategory!=''">
<xsl:text>;Severity="</xsl:text>
<xsl:value-of select="Severity" />
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="GatewayStation!=''">
<xsl:text>;GatewayStation="</xsl:text>
<xsl:value-of select="GatewayStation" />
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="SourceUser!=''">
<xsl:text>;SourceUser="</xsl:text>
<xsl:value-of select="SourceUser" />
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="TargetUser!=''">
<xsl:text>;TargetUser="</xsl:text>
<xsl:value-of select="TargetUser" />
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="TicketID!=''">
<xsl:text>;TicketID="</xsl:text>
<xsl:value-of select="TicketID" />
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="LogonDomain!=''">
<xsl:text>;LogonDomain="</xsl:text>
<xsl:for-each select="CAProperties/CAProperty">
<xsl:if test="@Name='LogonDomain'">
<xsl:value-of select="@Value" />
</xsl:if>
</xsl:for-each>
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="Address!=''">
<xsl:text>;Address="</xsl:text>
<xsl:for-each select="CAProperties/CAProperty">
<xsl:if test="@Name='Address'">
<xsl:value-of select="@Value" />
</xsl:if>
</xsl:for-each>
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="CPMStatus!=''">
<xsl:text>;CPMStatus="</xsl:text>
<xsl:for-each select="CAProperties/CAProperty">
<xsl:if test="@Name='CPMStatus'">
<xsl:value-of select="@Value" />
</xsl:if>
</xsl:for-each>
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="Database!=''">
<xsl:text>;Database="</xsl:text>
<xsl:for-each select="CAProperties/CAProperty">
<xsl:if test="@Name='Database'">
<xsl:value-of select="@Value" />
</xsl:if>
</xsl:for-each>
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="DeviceType!=''">
<xsl:text>;DeviceType="</xsl:text>
<xsl:for-each select="CAProperties/CAProperty">
<xsl:if test="@Name='DeviceType'">
<xsl:value-of select="@Value" />
</xsl:if>
</xsl:for-each>
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="ExtraDetails!=''">
<xsl:text>;ExtraDetails="</xsl:text>
<xsl:value-of select="ExtraDetails" />
<xsl:text>"</xsl:text>
</xsl:when>
</xsl:choose>
</xsl:for-each>
<xsl:text>&#13;&#10;</xsl:text>
</xsl:template>
</xsl:stylesheet>

Access Credentials

• SNMP Access Credentials
• SSH Access Credentials
• Telnet Access Credentials
• HTTPS Access Credentials
• Password Configuration
• Manual Password Configuration
• CyberArk Password Configuration
• RAX_CustomerService Password Configuration
• RAX_Janus Password Configuration

SNMP Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device over SNMP.

Setting Value

Name <set name>

Device Type <device>

Access Protocol SNMP

Community String <your own>

SSH Access Credentials

These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting Value

Name <set name>

Device Type <device>

Access Protocol SSH

Port 22

Password Config See Password Configuration

User Name A user who has permission to access the device over SSH

Password The password associated with the user

Super Password Enter the super password for the system, if required

Organization Select an organization from the drop-down list

Telnet Access Credentials

These are the generic settings for providing Telnet access to your device from FortiSIEM.

Setting Value

Name <set name>

Device Type <device>

Access Protocol Telnet

Port 23

Password Config See Password Configuration

User Name A user who has permission to access the device over Telnet

Password The password associated with the user

Super Password Enter the super password for the system, if required

Organization Select an organization from the drop-down list

HTTPS Access Credentials

Setting Value

Name <set name>

Device Type <device>

Access Protocol HTTPS

Port 443

URI URI address

Password Config See Password Configuration

User Name A user who has permission to access the device over HTTPS

Password The password associated with the user

Organization Select an organization from the drop-down list

Password Configuration

Manual Password Configuration

Settings Description

User Name The user name for this account

Password The password for this account

Super Password The super password for this account

Organization Select an organization from the drop-down list

CyberArk Password Configuration

Settings Description

App ID Application ID (AccelOps)

Safe Safe value

Folder Folder location (Root)

Object Object name

User Name User name

Platform (Policy ID) Policy ID

Database Database name

Include Address for Query

Organization Select an organization from the drop-down list

Description Description or comments about the credentials

RAX_CustomerService Password Configuration

Settings Description

AWS Account Number Enter the account number.

Azure Subscription ID Enter the subscription ID.

RAX_Janus Password Configuration

Select RAX_Janus as the Password Config. Supply a Session ID if required.

Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.
