Do Not Reprint © Fortinet: Fortisiem Lab Guide

November 9, 2022 | Author: Anonymous | Category: N/A

DO NOT REPRINT  © FORTINET

FortiSIEM Lab Guide for FortiSIEM 5.1

 

Fortinet Training http://www.fortinet.com/training

Fortinet Document Library http://docs.fortinet.com

Fortinet Knowledge Base http://kb.fortinet.com

Fortinet Forums https://forum.fortinet.com

Fortinet Support https://support.fortinet.com

FortiGuard Labs http://www.fortiguard.com

Fortinet Network Security Expert Program (NSE) https://www.fortinet.com/support-and-training/training/network-security-expert-program.html

Feedback Email: courseware@fortinet.com

11/20/2018

 

TABLE OF CONTENTS

Virtual Lab Basics ........................................................ 6
  Network Topology ........................................................ 6
  Lab Environment ......................................................... 6
  Remote Access Test ...................................................... 7
  Logging In .............................................................. 8
  Disconnections and Timeouts ............................................ 10
  Screen Resolution ...................................................... 10
  Sending Special Keys ................................................... 11
  Student Tools .......................................................... 12
  Troubleshooting Tips ................................................... 12

Lab 1: Introduction to FortiSIEM ......................................... 15
  Exercise 1: Creating Roles ............................................. 16
  Exercise 2: Creating New Users ......................................... 22
  Exercise 3: Changing Local User Passwords .............................. 25

Lab 2: SIEM Concepts and PAM Concepts .................................... 27
  Exercise 1: Reviewing Incoming Data .................................... 28
  Exercise 2: Structured Data ............................................ 31
  Exercise 3: Event Classification ....................................... 34
    Inspect Event Classification ......................................... 34
  Exercise 4: Event Enrichment ........................................... 36
  Exercise 5: Reviewing Performance Events ............................... 41

Lab 3: Discovery ......................................................... 44
  Exercise 1: Auto Log Discovery ......................................... 45
  Exercise 2: Adding Credentials and IP Ranges for a Single Device ....... 49
    Prediscovery Preparation ............................................. 50
  Exercise 3: Discovery of a Single Device ............................... 52
    Faking Performance Data .............................................. 53
  Exercise 4: Adding a Privileged Credential for Configuration Pulling ... 56
  Exercise 5: Performing Discovery of Other Lab Devices .................. 60
    Prepare the Fake Devices for Discovery ............................... 62
  Exercise 6: Bringing in Fake Data ...................................... 66

Lab 4: FortiSIEM Analytics ............................................... 70
  Exercise 1: Getting to Know the Real-Time Search ....................... 71
  Exercise 2: Search Operators ........................................... 75
  Exercise 3: Historical Keyword Search .................................. 77
  Exercise 4: Single Search Condition .................................... 79
  Exercise 5: Multiple Search Conditions ................................. 81
  Exercise 6: Using the Contain Operator ................................. 82
  Exercise 7: Using the IN/NOT IN Operators .............................. 84
  Exercise 8: Using the IS Operator ...................................... 86
  Exercise 9: Using the Greater Than Operator ............................ 89

Lab 5: CMDB Lookups and Filters .......................................... 90
  Exercise 1: Selecting Devices from CMDB ................................ 91
  Exercise 2: Searching for Particular Categories of Events .............. 97
  Exercise 3: Expert Challenge .......................................... 101

Lab 6: Group By and Aggregation ......................................... 104
  Exercise 1: Grouping By Single and Multiple Attributes ................ 105
  Exercise 2: Adding Aggregating Data ................................... 110
  Exercise 3: Expert Challenge .......................................... 115

Lab 7: Rules ............................................................ 117
  Exercise 1: Exploring a Simple Rule Example ........................... 118
  Exercise 2: Exploring a Performance Rule Example ...................... 123
  Exercise 3: Creating a Rule ........................................... 131
  Exercise 4: Enhancing the Rule with a Watch List ...................... 137
  Exercise 5: Importing a Rule .......................................... 140

Lab 8: Incidents and Notification Policies .............................. 142
  Exercise 1: Reviewing the Incident Table .............................. 143
  Exercise 2: Grouping and Tuning Incidents ............................. 150
  Exercise 3: Using the Built-In Ticketing System ....................... 153
  Exercise 4: Creating a Custom Email Template .......................... 158
  Exercise 5: Creating a Notification Policy ............................ 160

Lab 9: Reporting ........................................................ 165
  Exercise 1: Opening a Report from the Analytics Page .................. 166
  Exercise 2: Opening a Report from the Report Tree ..................... 171
  Exercise 3: Scheduling a Report ....................................... 173
  Exercise 4: Creating Custom Dashboards ................................ 177
  Exercise 5: Exploring Dashboard Drill Down Capabilities ............... 184
  Exercise 6: Importing and Exporting Dashboards ........................ 187
  Exercise 7: Running CMDB Reports ...................................... 189
  Exercise 8: Building a Custom CMDB Report ............................. 190

Lab 10: Business Services ............................................... 192
  Exercise 1: Creating a Business Service ............................... 193
  Exercise 2: Monitoring Business Service Incidents ..................... 195
  Exercise 3: Using the Business Service Dashboard ...................... 203

Appendix: Answer Sheet .................................................. 208
  Lab 1 - Introduction to FortiSIEM ..................................... 208
  Lab 2 - SIEM & PAM Concepts ........................................... 208
  Lab 3 - Discovery ..................................................... 212
  Lab 4 - Introduction to Analytics ..................................... 214
  Lab 5 - CMDB Lookups and Filters ...................................... 215
  Lab 6 - Group By and Aggregation ...................................... 216
  Lab 7 - Rules ......................................................... 217
  Lab 8 - Incidents and Notification Policies ........................... 219
  Lab 9 - Reporting ..................................................... 220
  Lab 10 - Business Services ............................................ 221

Virtual Lab Basics

In this course, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab and its virtual machines. It also shows the topology of the virtual machines in the lab. If your trainer asks you to use a different lab, such as devices physically located in your classroom, then ignore this section. This section applies only to the virtual lab accessed through the Internet. If you do not know which lab to use, please ask your trainer.

Network Topology

Lab Environment

Fortinet's virtual lab for hands-on exercises is hosted on remote data centers that allow each student to have their own training lab environment or point of deliveries (PoD).

FortiSIEM 5.1 Lab Guide, Fortinet Technologies Inc.

Remote Access Test

Before starting any course, check if your computer can connect to the remote data center successfully. The remote access test fully verifies if your network connection and your web browser can support a reliable connection to the virtual lab. You do not have to be logged in to the lab portal in order to run the remote access test.

To run the remote access test

1. From a browser, access the following URL: https://use.cloudshare.com/test.mvc

   If your computer connects successfully to the virtual lab, you will see the message All tests passed!

2. Inside the Speed Test box, click Run.

   The speed test begins. Once complete, you will get an estimate for your bandwidth and latency. If those estimations are not within the recommended values, you will get an error message.

Logging In

After you run the remote access test to confirm that your system can run the labs successfully, you can proceed to log in. You will receive an email from your trainer with an invitation to auto-enroll in the class. The email will contain a link and a passphrase.

To log in to the remote lab

1. Click the login link provided by your instructor over email.
2. Enter your email address and the class passphrase provided by your trainer over email, and then click Login.
3. Enter your first and last name.
4. Click Register and Login.

   Your system dashboard appears, listing the virtual machines (VMs) in your lab topology.

5. To open a VM from the dashboard, do one of the following:
   - From the top navigation bar, click a VM's tab.
   - From the box of the VM you want to open, click View VM.

Follow the same procedure to access any of your VMs.

When you open a VM, your browser uses HTML5 to connect to it. Depending on the VM you select, the web browser provides access to either the GUI of a Windows or Linux VM, or the CLI-based console access of a Fortinet VM.

For most lab exercises, you will connect to a jumpbox VM, which could be either a Windows or a Linux VM. From the jumpbox VM, you will connect over HTTPS and SSH to all other Fortinet VMs in the lab environment.

Disconnections and Timeouts

If your computer's connection to the VM times out or closes, to regain access, return to the window or tab that contains the list of VMs for your session, and reopen the VM. If that fails, see Troubleshooting Tips on page 12.

Screen Resolution

The GUIs of some Fortinet devices require a minimum screen size. To configure screen resolution in the HTML5 client, use the Resolution drop-down list on the left. You can also change the color depth.

Sending Special Keys

You can use the Virtual Keyboard panel to either send the Ctrl-Alt-Del combination, or the Windows key.

From the Virtual Keyboard panel, you can also copy text to the guest VM's clipboard.

Student Tools

There are three icons on the left for messaging the instructor, chatting with the class, and requesting assistance.

Troubleshooting Tips

- Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or high-latency connections.
- Prepare your computer's settings by disabling screen savers and changing the power saving scheme so that your computer is always on, and does not go to sleep or hibernate.
- For best performance, use a stable broadband connection, such as a LAN.
- You can run a remote access test from within your lab dashboard. It will measure your bandwidth, latency and general performance.
- If the connection to any VM or the virtual lab portal closes unexpectedly, try to reconnect. If you can't reconnect, notify the instructor.
- If you can't connect to a VM, on the dashboard, open the VM action menu, and select Reset.
- If that does not solve the access problem, you can try to revert the VM back to its initial state. Open the VM action menu, and select Revert.

  Reverting to the VM's initial state will undo all of your work. Try other solutions first.

- During the labs, if the VM is waiting for a response from the authentication server, a license message similar to the following example appears. To expedite the response, enter the following command in the CLI:

  execute update-now

Lab 1: Introduction to FortiSIEM

In this lab, you will examine role-based application controls (RBAC).

Objectives
- Create a role
- Create new users
- Apply roles to users
- Change local passwords

Time to Complete
Estimated: 15 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or devices, unless notified by the course instructor.

Exercise 1: Creating Roles

In this exercise, you will create a manager role.

To clone a system-defined role

1. Log in to the Student Workstation VM by clicking View VM.
2. Open the Firefox browser and enter the following URL to access the FortiSIEM GUI:

   https://10.0.1.130/phoenix/login-html.jsf

   There is a link for the FortiSIEM GUI on the browser's Favorites bar.

3. Log in as the following default user and click Login:

   Field      Value
   User ID    admin
   Password   admin*1
   Domain     LOCAL

4. Click the Admin tab.
5. In the pane on the left side of the screen, select General Settings, then click Role.

   Notice the default system roles that are available.

6. Click the Server Admin role, then select Clone.

   Because FortiSIEM does not allow you to overwrite the out-of-box system roles, the system will prompt you to save the role with a different name. (By default, it will add a date stamp.)

7. Remove the date stamp and add FSM_LAB to the role name as in the following example, then click OK:

   Server Admin_FSM_LAB

To review the settings for the cloned role

1. Select the cloned role Server Admin_FSM_LAB, then click Edit.
2. Review the information in the Data Conditions and CMDB Report Conditions sections for this role.

   What do you understand about these fields? See "Appendix: Answer Sheet" on page 208 for the answer.

3. Review the UI Access section and the conditions that apply to this role.
4. Expand the CMDB option and expand Devices.

   Notice how all network devices are hidden while giving access to server devices.

5. After you review the list, in the lower-left corner of the pane, click Cancel to exit the Server Admin_FSM_LAB details.

To create a new role

1. Click New to create a role.
2. In the Role Name field, enter: Lab1 – Manager View.
3. In the Data Conditions section, configure the following settings:

   Field       Value
   Attribute   Reporting IP
   Operator    IN
   Value       Select from the CMDB, as follows:
               a. Click in the Value search bar and select ...Select from CMDB.
               b. On the left pane, expand Devices, then expand Network Device.
               c. Select Firewall, then click >> to move it to the Selections pane.
               d. Click OK.

4. Leave the CMDB Report Conditions section blank.
5. In the UI Access section, complete the following. Click the item and select the down arrow to change its status.

   In the HTML Dashboard > Dashboards section, only allow:
   - FortiSIEM Dashboard
   - Network Dashboard
   - Security Dashboard
   - Server Dashboard

   Hide the rest of the Dashboards.

   - Leave Analytics settings as default.
   - Leave Incidents settings as default.
   - CMDB (hide all except Devices)
   - Others

8. At the bottom, click Save.

Exercise 2: Creating New Users

In this exercise, you will create two new users: a manager account and your own user account.

To create new users

1. Click the CMDB tab, and, on the pane on the left side of the screen, select Users.
2. Click New to create a new user.
3. Configure the following settings:

   Field          Value
   User Name      manager
   System Admin   Click in the empty box to prompt a dialog box to open. Configure the following settings:
                  Mode               Local
                  Password           admin*2
                  Confirm Password   admin*2
                  Default Role       Lab1 - Manager View

4. Click Back.
5. Click Save.
6. Log out of the FortiSIEM GUI by clicking the power icon on the top toolbar.

To verify the settings for the newly created account

1. Log in again using the manager account you just created:

   Field      Value
   User ID    manager
   Password   admin*2
   Domain     LOCAL

   Stop and think! Notice how various parts of the GUI are no longer visible.

2. Click the Dashboard tab.

   Notice how you can see only the few dashboards you specified previously.

3. Click the Analytics tab.

   Notice how it contains the Real-time Search and Reports options. Because of the restrictions on the role, if you were to perform a real-time search, the events returned would only come from devices that the role is allowed to view.

4. Click CMDB and notice it shows only the Devices you selected previously for the role.
5. Log out of the FortiSIEM GUI as the manager and log in again as the admin user:
   - User ID: admin
   - Password: admin*1
   - Domain: LOCAL
6. Click the CMDB tab and, in the pane on the left side of the screen, click Users.
7. Click New to create your own user account, but this time specify the Full Admin role and use the password admin*3. For example:

   Field          Value
   User Name      (your own user name)
   System Admin   Click in the empty box to prompt a dialog box to open. Configure the following settings:
                  Mode               Local
                  Password           admin*3
                  Confirm Password   admin*3
                  Default Role       Full Admin

8. Click Back.
9. Click Save to save your new user account.
10. Log out of the FortiSIEM GUI.
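The Lab1 - Manager View role created in Exercise 1 carries a single Data Condition, Reporting IP IN the CMDB Firewall group, and Exercise 2 has you observe its effect: the manager's searches return events only from devices the role may see, and CMDB > Devices shows only those devices. The following Python is an added example that models that scoping; it is not FortiSIEM code and is not taken from the lab guide. The CMDB entries, event list, folder paths and the AND semantics across conditions are assumptions (192.168.3.2, 172.16.1.3 and 192.168.20.2 are only reused from the lab's own search filters).

```python
"""Added example: how a role's Data Condition scopes events and CMDB devices.
Model only; the real FortiSIEM evaluation logic is not on the page."""
from dataclasses import dataclass, field

# Constructed CMDB: reporting IP -> (device name, CMDB folder path).
CMDB = {
    "192.168.3.2":  ("FGT-LAB",   "Devices/Network Device/Firewall"),
    "172.16.1.3":   ("PAN-LAB",   "Devices/Network Device/Firewall"),
    "192.168.20.2": ("SW-LAB",    "Devices/Network Device/Switch"),
    "10.0.1.130":   ("FSM-SUPER", "Devices/Server/Linux"),
}

# Constructed events; event type names are illustrative.
EVENTS = [
    {"Reporting IP": "192.168.3.2",  "Event Type": "FortiGate-event-login-success"},
    {"Reporting IP": "172.16.1.3",   "Event Type": "PAN-OS-SYSTEM-login-failed"},
    {"Reporting IP": "192.168.20.2", "Event Type": "Switch-Port-Up"},       # assumed name
    {"Reporting IP": "10.0.1.50",    "Event Type": "Win-Security-4740"},    # host not in CMDB
]


@dataclass
class DataCondition:
    attribute: str     # the event attribute tested, e.g. "Reporting IP"
    operator: str      # "IN" or "NOT IN"
    cmdb_folder: str   # CMDB folder whose devices form the value set


@dataclass
class Role:
    name: str
    # No conditions means no data restriction (as for Full Admin).
    data_conditions: list = field(default_factory=list)


def devices_in_folder(folder):
    """Reporting IPs of every CMDB device in the folder or any sub-folder."""
    return {ip for ip, (_, path) in CMDB.items()
            if path == folder or path.startswith(folder + "/")}


def condition_matches(cond, event):
    member = event.get(cond.attribute) in devices_in_folder(cond.cmdb_folder)
    if cond.operator == "IN":
        return member
    if cond.operator == "NOT IN":
        return not member
    raise ValueError(f"unsupported operator: {cond.operator}")


def visible_events(role, events):
    """Events the role may see; all conditions must hold (AND is an assumption)."""
    return [e for e in events
            if all(condition_matches(c, e) for c in role.data_conditions)]


def visible_devices(role):
    """CMDB > Devices entries the role may see, derived from the same conditions."""
    return sorted(ip for ip in CMDB
                  if all(condition_matches(c, {"Reporting IP": ip})
                         for c in role.data_conditions))


# The two roles used in Lab 1.
MANAGER_VIEW = Role("Lab1 - Manager View",
                    [DataCondition("Reporting IP", "IN", "Devices/Network Device/Firewall")])
FULL_ADMIN = Role("Full Admin")

if __name__ == "__main__":
    for role in (MANAGER_VIEW, FULL_ADMIN):
        print(role.name, "devices:", visible_devices(role))
        for ev in visible_events(role, EVENTS):
            print("   ", ev["Reporting IP"], ev["Event Type"])
```

Note that this covers only the Data Conditions layer. The UI Access settings you configured (which dashboards and CMDB nodes are shown) are a separate layer that this model does not represent, and an event from a host that is not in the CMDB at all (the Win-Security-4740 sample) is invisible to an IN role but visible to a NOT IN role, which is worth remembering when a scoped role is expected to see everything "except" some group.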

 

Exercise 3: Changing Local User Passwords

In this exercise, you will change your user password.

To change local user passwords

1. Log in to the FortiSIEM GUI with your own user account (the one you created for yourself in the previous exercise):

   Field      Value
   User ID    (your own user name)
   Password   admin*3
   Domain     LOCAL

   Notice your user name and current role are listed at the bottom of the screen.

2. On the upper-right corner of the window, click the single user icon.
3. In the Password and Confirm Password fields, enter a new password, and then click Save.

   The password must contain at least one number and one special character (such as: !@#$%^*(),.?).

4. Log out of the FortiSIEM GUI.
5. Log in again using the new password.

You have completed Lab 1.

Lab 2: SIEM Concepts and PAM Concepts

In this lab, you will explore how FortiSIEM processes each log into an event type.

Objectives
- View raw event logs
- View structured data
- Inspect event classification
- Inspect event enrichment
- Review performance events

Time to Complete
Estimated: 45 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or devices, unless notified by the course instructor.

Exercise 1: Reviewing Incoming Data

In this exercise, you will review the raw events that have been received by syslog.

To set search filter criteria

1. On the Student Workstation VM, open the Firefox browser and enter the following URL to access the FortiSIEM GUI: https://10.0.1.130/phoenix/login-html.jsf

   There is a link for the FortiSIEM GUI on the browser's Favorites bar.

   If logged out from FortiSIEM due to inactivity, then log back in using the HTML edition option.

2. Log in as the following default user and click Login:

   Field      Value
   User ID    admin
   Password   admin*1
   Domain     LOCAL

3. Click the ANALYTICS tab.
4. Click the search field to edit the condition.

   The Filter editor opens.

5. Create the following query:

   Field       Value
   Attribute   Reporting IP
   Operator    =
   Value       192.168.3.2

6. Next to Time, select Real Time.
7. Click Save & Run.

To generate logs

1. Open a new tab in your browser, and go to the NSE Institute website: https://10.0.1.130/NSE_Institute/index.php

   There is a link on the browser's Favorites bar.

2. On the web site, click LABS SET 1 and, under Lab 2 – SIEM Concepts, click Exercise 2.1 – Raw Events.

   The output should resemble the following example:

To view raw event logs

1. Return to the browser tab where you are logged in to the FortiSIEM GUI and, after five events are received in the table, click Pause.
2. To view the type, select Show Event Type.
3. To view the full raw log message, select Wrap Raw Event.
4. In the table, in the Raw Event Log, review the log details for each event received by syslog.

   Stop and think! Can you identify what device they came from? Which users had failed logins? See "Appendix: Answer Sheet" on page 208 for the answer.

5. Leave the window that displays the events open and continue to the next exercise.

Exercise 2: Structured Data

In this exercise, you will review the normalization of raw events into structured data.

To view structured data

1. Using the same analytics results from the previous exercise, make a note of each field header in the table (that is, Event Receive Time, and so on). See "Appendix: Answer Sheet" on page 208 for the answer.

   FortiSIEM refers to these as Attributes.

   Which attribute relates to the device IP address that sent the data? See "Appendix: Answer Sheet" on page 209 for the answer.

   Notice how each raw event log maps to a specific Event Type. Which event type relates to a login failure? See "Appendix: Answer Sheet" on page 209 for the answer.

2. In the Raw Event Log field, select a login event that was successful.

   Once selected, a white down arrow icon will appear.

3. Click the white down arrow icon to display the Show Detail button, which enables you to view the details associated with that event.
4. Click Show Detail.

   The Event Details dialog box opens. The window includes both the raw log details as well as a more structured view of the log details.

5. In the structured Event Details view, review the attributes that FortiSIEM has normalized the raw event log into.

   Which attribute provides the local time when FortiGate actually logged the event? See "Appendix: Answer Sheet" on page 209 for the answer.

   What are the Reporting Model and Reporting Vendor attributes of the event? See "Appendix: Answer Sheet" on page 209 for the answer.

6. Review the raw event log view and look at which protocol was used for the authentication (HTTPS or SSH). What attribute did FortiSIEM map this to in the structured view? See "Appendix: Answer Sheet" on page 209 for the answer.

   Who made a successful authentication? And what attribute was this field mapped to in the structured view? See "Appendix: Answer Sheet" on page 209 for the answer.

7. Close only the Event Details window, and continue to the next exercise.

Exercise 3: Event Classification

In this exercise, you will review how the events are grouped into event types.

Inspect Event Classification

Using the same analytics results from the previous exercise, you will inspect the event classification of Event Type FortiGate-event-login-success in the FortiSIEM database (CMDB).

To inspect event classification

1. Click the RESOURCES tab and, in the pane on the left side of the screen, expand Event Types.
2. Click Security > Logon Success > Dev Logon Success.
3. In the main window, type FortiGate in the Search field to look for all events related to FortiGate.

   Stop and think! Is the event FortiGate-event-login-success listed?

4. Select FortiGate-event-login-success.

   A Summary pane will open at the bottom of the screen.

5. Make a note of the Member of field. See "Appendix: Answer Sheet" on page 210 for the answer.
6. Make a note of the Description, and close the window. See "Appendix: Answer Sheet" on page 210 for the answer.
7. Remove the search term FortiGate and review all the other vendor event types that have been classified as a Dev Logon Success event.
8. On the left pane, still under Security, click Logon Failure > Dev Account Locked, and review the different event types.
9. Find the event Win-Security-4740 in the list.

   Use the search field to filter the results.

   What do you notice about this particular event? See "Appendix: Answer Sheet" on page 210 for the answer.
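Exercises 2 and 3 have you watch two stages in the GUI: a raw syslog line is normalized into attributes (Reporting IP, Event Type, Reporting Vendor, Reporting Model, the device's own timestamp, the user and the protocol), and the resulting Event Type is a member of an event type group such as Dev Logon Success. The following Python is an added example of those two stages on constructed input; it is not FortiSIEM's parser and is not from the lab guide. The sample lines imitate FortiGate's key=value log style but are invented, the event type derivation rules and the names FortiGate-event-login-failed, FortiGate-event-generic, Device Time, User, Source IP and Access Protocol are assumptions, and only FortiGate-event-login-success, Dev Logon Success and Dev Logon Failure come from the page.

```python
"""Added example: normalize key=value syslog into attributes, then classify the
Event Type into its group. Model only; FortiSIEM's real parser is not on the page."""
import re
from dataclasses import dataclass

# key=value tokens; values are either double-quoted or run to the next space.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed samples: (syslog sender IP, raw message). The sender IP is the
# value the lab filters on as Reporting IP (192.168.3.2 in Exercise 1).
SAMPLES = [
    ("192.168.3.2",
     'date=2018-11-20 time=09:12:41 devname="FGT-LAB" type="event" subtype="system" '
     'level="information" logdesc="Admin login successful" user="admin" '
     'ui="https(10.0.1.10)" method="https" srcip=10.0.1.10 action="login" status="success"'),
    ("192.168.3.2",
     'date=2018-11-20 time=09:13:05 devname="FGT-LAB" type="event" subtype="system" '
     'level="alert" logdesc="Admin login failed" user="bob" ui="ssh(10.0.1.55)" '
     'method="ssh" srcip=10.0.1.55 action="login" status="failed" reason="passwd_invalid"'),
    ("192.168.3.2",
     'date=2018-11-20 time=09:14:00 devname="FGT-LAB" type="event" subtype="system" '
     'level="notice" logdesc="Interface status changed" msg="Interface port1 link is up"'),
]

# Event Type -> event type group (the "Member of" field in RESOURCES > Event Types).
# Only the first entry is named on the page; the failure name is assumed.
EVENT_TYPE_GROUPS = {
    "FortiGate-event-login-success": "Dev Logon Success",
    "FortiGate-event-login-failed": "Dev Logon Failure",   # assumed type name
}


@dataclass
class Event:
    attributes: dict     # structured view, keyed by attribute display name
    event_type: str
    group: str           # "Unclassified" when the type belongs to no group here


def parse_kv(raw):
    """Raw key=value log -> dict, with surrounding quotes removed."""
    return {k: v.strip('"') for k, v in _KV.findall(raw)}


def derive_event_type(fields):
    """Assumed rule set: an admin login event becomes a success or failure type."""
    if fields.get("type") == "event" and fields.get("action") == "login":
        if fields.get("status") == "success":
            return "FortiGate-event-login-success"
        return "FortiGate-event-login-failed"
    return "FortiGate-event-generic"    # assumed catch-all for everything else


def normalize(reporting_ip, raw):
    """Stage 1 (Exercise 2): raw event -> attributes; stage 2 (Exercise 3): group."""
    fields = parse_kv(raw)
    event_type = derive_event_type(fields)
    attrs = {
        "Reporting IP": reporting_ip,          # who sent the syslog, not who is in it
        "Reporting Vendor": "Fortinet",
        "Reporting Model": "FortiGate",
        # the device's own clock, distinct from the Event Receive Time FortiSIEM stamps
        "Device Time": f'{fields.get("date", "")} {fields.get("time", "")}'.strip(),
        "Event Type": event_type,
    }
    if "user" in fields:
        attrs["User"] = fields["user"]
    if "srcip" in fields:
        attrs["Source IP"] = fields["srcip"]
    if "method" in fields:
        attrs["Access Protocol"] = fields["method"].upper()    # HTTPS or SSH
    return Event(attrs, event_type, EVENT_TYPE_GROUPS.get(event_type, "Unclassified"))


def normalize_all(samples=SAMPLES):
    return [normalize(ip, raw) for ip, raw in samples]


if __name__ == "__main__":
    for ev in normalize_all():
        print(f"{ev.event_type:32} member of {ev.group:18} {ev.attributes}")
```

The point the exercises make, and the model keeps, is that the group (Dev Logon Success, Dev Logon Failure) is attached to the Event Type, not to the raw text: a PAN-OS or Windows login failure parsed to a different Event Type lands in the same group, which is what lets a single rule or report cover every vendor at once.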

 

DO NOT REPRINT  © FORTINET

Exercise 4: Event Enrichment

In this exercise, you will review how FortiSIEM adds enrichment attributes to events.

To set search filter criteria

1. Click the ANALYTICS tab, and click the search field to edit the condition.

Make sure the search field is empty (it may contain text from another exercise).

The condition editor opens.

2. In the Filters editor, configure the following settings to create a new query:

Field        Value
Attribute    Reporting IP
Operator     =
Value        172.16.1.3
Next Op      OR

3. In the Row column associated with your existing condition, click the + icon to add another row.

4. In the Next column associated with your existing condition, select OR.

5. Complete the following query:

Field        Value
Attribute    Reporting IP
Operator     =
Value        192.168.20.2


6. Next to Time, select Real Time.

7. Click Save & Run.

To generate logs

1. Return to the browser tab displaying the NSE Institute website (or, if closed, open a new browser tab and go to the NSE Institute website).

2. Under LABS SET 1 and Lab 2 – SIEM and PAM Concepts, select Exercise 2.2 – Event Enrichment (Part A). The output should resemble the following example:

To inspect event enrichment of the PAN-OS event log

1. Return to the browser tab displaying the FortiSIEM GUI, and after two events are received, click Pause.

2. Click the RESOURCES tab and, in the pane on the left side of the screen, expand Event Types.

3. Click Security > Logon Failure > Dev Logon Failure.

4. In the main window, type PAN in the Search field to look for all events related to FortiGate.

5. Select PAN-OS-SYSTEM-login-failed.

A Summary pane opens at the bottom of the screen. What is the value in the Member of field? See "Appendix: Answer Sheet" on page 210 for the answer.


6. Return to the ANALYTICS tab.

7. Select the Raw Event Log field to look at the details for the PAN-OS-SYSTEM-login-failed event.

Once selected, a white down arrow icon will appear.

8. Click the white down arrow icon to display the Show Detail option, which will enable you to view the details associated with that event.

9. Click Show Detail.

The Event Details window opens.

10. Review the raw event log for that event.

Does it contain any country-related information? See "Appendix: Answer Sheet" on page 210 for the answer.

11. Review the attributes in the structured view and note the Source Country, Source Organization, and Source State.

Where did this information come from? See "Appendix: Answer Sheet" on page 210 for the answer.

12. Close the Event Details window.

To inspect event enrichment in the IOS-SEC event log

1. Review the Event Details raw event log for the IOS-SEC_LOGIN-LOGIN_FAILED event.

Is there a Source Country or Destination Country populated for this event? If not, why? See "Appendix: Answer Sheet" on page 211 for the answer.


2. Close the Event Details window.

To update the geographical location for a device manually

1. Click the CMDB tab.

2. In the pane on the left side of the screen, select Devices.

3. In the search field, type the IP address 192.168.20.2.

4. In the search results, select the device Name HOST-192.168.20.2.

5. Click the down arrow associated with Actions and select Edit Location.

The Edit Device Location pop-up window opens.

You might see an error message, as FortiSIEM is not configured with a real Google API key.

6. In the Edit Device Location pop-up window, configure the following settings (or configure your own), and then click OK:

Field            Value
Location Name    UK Data Center
Country          United Kingdom
State            London, City of
City             London

7. Click Save.

8. Click the ANALYTICS tab and click the search field.

Your previous query should still be listed.

9. Next to Time, select Real Time.

10. Click Save & Run.


To generate logs for a manually updated geographical location

1. Return to your browser tab displaying the NSE Institute website (or, if closed, open a new browser tab and go to the NSE Institute website).

2. Under LABS SET 1 and Lab 2 – SIEM and PAM Concepts, select Exercise 2.2 – Event Enrichment (Part B).

To inspect event enrichment for a manually updated geographical location

1. Return to the browser tab displaying the FortiSIEM GUI and, after two events are received, click Pause.

2. Review the Event Details for the raw event log IOS-SEC_LOGIN-LOGIN_FAILED again.

• Make sure Wrap Raw Event is selected.
• Make sure Show Event Type is selected.
• Once the Raw Event Log is selected, a white down arrow icon will appear.
• Click the icon to display the Show Detail option, which will enable you to view the details associated with that event.

Is there now a Reporting City, Destination City, Destination Country, and Destination State populated? If so, why? See "Appendix: Answer Sheet" on page 211 for the answer.

3. Close the Event Details window.

4. Click the CMDB tab, select the device with the IP address 192.168.20.2, and click Delete. (If a prompt appears instructing you to delete the selected device from the CMDB, or remove it from the group, click Yes.)

5. Close the pop-up window informing you that the device was successfully deleted.


Exercise 5: Reviewing Performance Events

In this exercise, you will examine some of the performance events collected by FortiSIEM.

To set search filter criteria

1. Click the ANALYTICS tab.

2. Click the search field to edit the condition.

The Filter editor appears.

3. Click Clear All to clear the existing queries.

4. Once cleared, create the following query:

Field        Value
Attribute    Reporting IP
Operator     =
Value        192.168.20.2

5. Next to Time, select Real Time.

6. Click Save & Run.

To generate performance event logs

1. Open a new tab in your browser, and go to the NSE Institute website.

2. Navigate to LABS SET 1 and, under Lab 2 – SIEM and PAM Concepts, select Exercise 2.3 – Performance Events.

The output should resemble the following example:

To view performance events

1. Return to the browser tab displaying the FortiSIEM GUI.

2. After 10 events are received, click Pause.

Notice there are a number of events labeled PH_DEV_MON, which stands for device monitor.

3. Click the Event Type column to sort the data alphabetically (once clicked, you should notice an up or down arrow to the left of the field).


4. Select Raw Event Log for Event Type PH_DEV_MON_SYS_UPTIME and view Event Details.

• Make sure Wrap Raw Event is selected.
• Make sure Show Event Type is selected.
• Once the Raw Event Log is selected, a white down arrow icon will appear.
• Click the icon to display the Show Detail option, which will enable you to view the details associated with that event.

5. Review the raw event log and structured data.

Which attributes relate to the up-time and downtime of the device? See "Appendix: Answer Sheet" on page 211 for the answer.

Performance events are also enriched with geo-location data (Host/Reporting Country, and so on) if the CMDB has a location set for an internal device. All performance events will also have a host IP populated.

What attribute relates to how often the event is collected? See "Appendix: Answer Sheet" on page 211 for the answer.

6. Click the white down arrow icon in the Raw Event Log to open the Event Details dialog box, and select Event Type PH_DEV_MON_SYS_MEM_UTIL.

7. Review the raw event log and structured data.

Which attribute relates to the memory utilization of the device? See "Appendix: Answer Sheet" on page 212 for the answer.


How often is the memory utilization event collected? See "Appendix: Answer Sheet" on page 212 for the answer.

8. Open the Event Details dialog box associated with the event type PH_DEV_MON_NET_INTF_UTIL.

9. Review the raw event log and structured data.

Which attributes relate to the interface name and interface utilization? See "Appendix: Answer Sheet" on page 212 for the answer.

Why are there four interface utilization events? See "Appendix: Answer Sheet" on page 212 for the answer.

You have completed Lab 2.
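The enrichment behaviour inspected in Exercise 4 (a public source address gains Source Country, Source State and Source Organization; an internal device gains Reporting and Destination location attributes only after Edit Location, and loses them when the device is deleted) and the geo-location note in Exercise 5 can be reproduced with a small lookup. The following is an added example, not FortiSIEM's code: the geo-IP table, the CMDB entries and the two events are constructed, and the attribute names srcIpAddr, destIpAddr and reptDevIpAddr follow FortiSIEM's naming.

```python
"""Added example (not FortiSIEM code): deriving the enrichment attributes
seen in Exercises 4 and 5 (Source Country, Reporting City, ...).

Public addresses are resolved against a geo-IP table.  Internal (RFC 1918)
addresses have no geo-IP entry, so they gain a location only when the CMDB
holds one set manually with Edit Location, which is why the IOS-SEC event
shows Reporting/Destination location attributes only after Part B.
All tables and events here are constructed.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed geo-IP table: prefix -> location.  The RFC 5737 documentation
# ranges stand in for real public address space.
GEOIP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): {
        "Country": "Netherlands", "State": "North Holland",
        "City": "Amsterdam", "Organization": "Example Hosting BV"},
    ipaddress.ip_network("198.51.100.0/24"): {
        "Country": "United States", "State": "California",
        "City": "San Jose", "Organization": "Example ISP"},
}

# Constructed CMDB: device IP -> location entered with Edit Location.
CMDB_LOCATIONS: Dict[str, Dict[str, str]] = {}

# RFC 1918 space: these devices are "internal" and are never geo-IP resolved.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Event IP attributes (FortiSIEM names) -> prefix of the enrichment attributes.
ROLES = {"srcIpAddr": "Source", "destIpAddr": "Destination",
         "reptDevIpAddr": "Reporting"}


def set_device_location(ip: str, country: str, state: str, city: str) -> None:
    """CMDB > Devices > Actions > Edit Location."""
    CMDB_LOCATIONS[ip] = {"Country": country, "State": state, "City": city}


def delete_device(ip: str) -> None:
    """CMDB > Devices > Delete: the manual location goes with the device."""
    CMDB_LOCATIONS.pop(ip, None)


def lookup_location(ip: str) -> Optional[Dict[str, str]]:
    """Geo-IP for public addresses, CMDB location for internal ones, else None."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        loc = CMDB_LOCATIONS.get(ip)
        return dict(loc) if loc else None
    for net, loc in GEOIP_TABLE.items():
        if addr in net:
            return dict(loc)
    return None


def enrich(event: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of event with '<Role> Country/State/City/...' attributes added."""
    enriched = dict(event)
    for attr, prefix in ROLES.items():
        ip = event.get(attr)
        if not ip:
            continue
        loc = lookup_location(ip)
        if loc is None:
            continue  # no country-related information for this IP (Exercise 4, step 10)
        for key, value in loc.items():
            enriched[f"{prefix} {key}"] = value
    return enriched


# Constructed events modelled on the two log types inspected in Exercise 4.
PAN_EVENT = {"eventType": "PAN-OS-SYSTEM-login-failed",
             "reptDevIpAddr": "172.16.1.3",
             "srcIpAddr": "203.0.113.25", "destIpAddr": "172.16.1.3"}
IOS_EVENT = {"eventType": "IOS-SEC_LOGIN-LOGIN_FAILED",
             "reptDevIpAddr": "192.168.20.2",
             "srcIpAddr": "192.168.20.50", "destIpAddr": "192.168.20.2"}


def location_attributes(event: Dict[str, str]) -> List[str]:
    """Sorted names of the location attributes that enrichment adds to event."""
    return sorted(k for k in enrich(event) if k not in event)


if __name__ == "__main__":
    print(location_attributes(PAN_EVENT))   # Source City/Country/Organization/State
    print(location_attributes(IOS_EVENT))   # nothing before Edit Location
    set_device_location("192.168.20.2", "United Kingdom", "London, City of", "London")
    print(location_attributes(IOS_EVENT))   # Destination and Reporting City/Country/State
    delete_device("192.168.20.2")
    print(location_attributes(IOS_EVENT))   # nothing again once the device is deleted
```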


Lab 3: Discovery

In this lab, you will examine the FortiSIEM discovery processes.

Objectives

• View auto log discovery
• Add credentials and IP ranges for a single device
• Discover a single device
• Pull configuration data using privileged credentials
• Perform a discovery on many devices
• Pull performance data from devices

Time to Complete

Estimated: 75 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or devices, unless notified by the course instructor.


Exercise 1: Auto Log Discovery

In this exercise, you will inspect the type of data that is extracted from the syslogs.

To set search criteria for logs

1. On the Student Workstation VM, open the Firefox browser and enter the following URL to access the FortiSIEM GUI: https://10.0.1.130/phoenix/login-html.jsf

There is a link for the FortiSIEM GUI on the browser's Favorites bar.

2. Click the ANALYTICS tab and click the search field to edit the condition.

3. In the Filters editor, configure the following settings to create a new query:

Field        Value
Attribute    Raw Event Log
Operator     CONTAIN
Value        ASA

4. In the Next column associated with your existing condition, select OR.

5. In the Row column associated with your existing condition, click the + icon to add another row.

6. Configure the following settings:

Field        Value
Attribute    Raw Event Log
Operator     CONTAIN
Value        devname

7. Next to Time, select Real Time.

8. Click Save & Run.


Make sure the search field is empty (it may contain text from another exercise).

To generate test logs

1. Open a new tab in your browser, and go to the NSE Institute website.

2. Navigate to LABS SET 1 and, under Lab 3 – Discovery, select Exercise 3.1 – Auto Log Discovery.

The output should resemble the following example:

To inspect the syslogs

1. On the browser tab displaying the FortiSIEM GUI, on the Analytics tab, wait until at least 25 events are received, then click Pause.


2. Click the CMDB tab and, in the pane on the left side of the screen, click Devices > Network Device > Firewall.

3. To add a Version column to the display, on the upper-right corner of the CMDB tab, click the columns icon to select display columns.

4. Select Version from Available Columns, click the right arrow icon to move Version to Selected Columns, and then click OK.

5. Click the CMDB tab and, on the pane on the left side of the screen, click Devices > Network Device > Firewall.

You should see a Cisco ASA device with the name HOST-192.168.19.65 and a Fortinet FortiOS device with the name FG240D3913800441.

Make sure the search field is empty (it may contain text from another exercise).

Why are the names different? If you are unsure, review some of the raw events on the ANALYTICS tab. See "Appendix: Answer Sheet" on page 212 for the answer.


What is displayed under the Version and Last Discovered Method fields for each device? See "Appendix: Answer Sheet" on page 213 for the answer.

6. Continuing on the CMDB tab, on the lower pane containing the details, select the Cisco ASA device, then click the Summary tab and review the details.

Notice this device has been automatically categorized under three groups.

7. Select the Fortinet FortiOS device and, on the lower pane containing the details, click the Summary tab and review the details.

Notice this device has been automatically categorized under four groups.

8. On the same lower pane, review the Interfaces and Configuration tabs for both devices.

What do you see and what can you identify about the population of the CMDB from the log discovery alone? See "Appendix: Answer Sheet" on page 213 for the answer.


Exercise 2: Adding Credentials and IP Ranges for a Single Device

In this exercise, you will add SNMP credentials used in the discovery process.

To add an SNMP credential

1. On the FortiSIEM GUI, click the Admin tab.

2. On the pane on the left side of the screen, click Setup.

3. On the main window, select the Credentials tab.

4. Click Step 1: Enter Credentials, then click New.

5. Configure the following settings:

Field                Value
Name                 Global SNMP
Device Type          Generic
Access Protocol      SNMP
Community String     public
Confirm Comm String  public
Description          FortiSIEM Training SNMP Credentials


6. Click Save.

To assign credentials to address ranges

1. Under Step 2: Enter IP Range to Credential Associations, click New.

2. In the IP/IP Range field, type 192.168.3.1.

3. Select the Global SNMP credential from the list (it should be listed as default, because there is only one credential defined), and click Save.

Prediscovery Preparation

Because you are working with a system that has fake data, you need to prepare the system before you can perform the discovery.

To create fake discovery data

1. Return to the browser tab displaying the NSE Institute website.

2. Navigate to LABS SET 1 and, under Lab 3 – Discovery, select Exercise 3.2 – (A) Prepare System for Local File Discovery.

The output takes approximately one minute to return and should resemble the following example:

3. Once completed, select Exercise 3.2 – (B) Copy FortiGate Discovery File. The output should resemble the following example:


Exercise 3: Discovery of a Single Device

In this exercise, you will use the credentials from the previous exercise to discover a device and collect data from it.

To add a device to be discovered

1. Return to the browser tab displaying the FortiSIEM GUI, and click the Admin tab.

2. On the pane on the left side of the screen, click Setup.

3. On the main window, click the Discovery tab.

4. Click New.

5. Configure the following settings:

Field             Value
Name              FortiGate Firewall
Discovery Type    Range Scan
Include           192.168.3.1
Name resolution   SNMP/WMI first

6. Keep the default settings for all other fields, and click Save.

7. On the table, select the FortiGate Firewall entry, and click Discover.

8. Once the discovery is complete, review the fields to view what access method was used for the discovery and what system monitors and application monitors were applied to the device.


9. Click Close.

Faking Performance Data

Because this is a fake device, you will trick the system into believing the performance jobs are being collected.

To fake the performance data

1. Return to the browser tab on the NSE Institute website.

2. Navigate to LABS SET 1 and, under Lab 3 – Discovery, select Exercise 3.3 – Start FortiGate Performance Data.

The output should resemble the following example:

To review the performance data

1. Return to the browser tab displaying the FortiSIEM GUI.

2. Click the CMDB tab and, on the pane on the left side of the screen, click Devices > Network Device > Firewall.

3. Look at the Fortinet FortiOS device again (FG240D3913800441).

What does the Version field show now? See "Appendix: Answer Sheet" on page 213 for the answer.


We added the Version column to the display in Exercise 1. On the upper-right corner of the CMDB tab, click the columns icon to select display columns.

4. Select the Fortinet FortiOS device and, on the lower pane containing the details, click the Summary tab and review the details.

How many groups is this device now a member of? See "Appendix: Answer Sheet" on page 213 for the answer.

5. Continuing on the lower pane, click the Interfaces tab.

Notice how it is now populated with a lot of detail.

6. Continuing on the lower pane, click the Hardware tab, and then the Components sub-tab.

Notice how the serial number and software version are recorded.

7. Click the main Admin tab and, on the pane on the left side of the screen, click Setup.

8. On the main window, select the Monitor Performance tab.

Notice how the Fortinet FortiOS device lists the system monitors and application monitors.

9. View the Monitor column and make a note of how often the CPU Util, Mem Util and Net Intf Stat jobs are being collected using SNMP. See "Appendix: Answer Sheet" on page 213 for the answer.

10. Select an entry and click More.

11. Select Report from the drop-down list to verify whether performance data is being collected.


This creates a query. Clicking Report takes you to the ANALYTICS tab to view the results.


Exercise 4: Adding a Privileged Credential for Configuration Pulling

If Telnet or SSH credentials are also associated with a supported device, then the device startup and running configuration can also be stored in the CMDB, along with installed software versions, for some devices. In this exercise, you will explore this functionality.

To pull data using privileged credentials

1. On the FortiSIEM GUI, click the Admin tab.

2. On the pane on the left side of the screen, select Setup.

3. On the main window, select the Credentials tab.

4. Under Step 1: Enter Credentials, click New.

5. Configure the following settings:

Field              Value
Name               FortiGate SSH
Device Type        Fortinet FortiOS
                   (Notice how the access protocol defaults to HTTPS and the port to 443.)
Access protocol    SSH (Port will change to 22)
Password config    Manual
User Name          admin
Password           topsecret
Confirm Password   topsecret

6. Click Save.


7. Under Step 2: Enter IP Range to Credential Associations, select the 192.168.3.1 entry, and click Edit.

The Device Credential Mapping Definition dialog opens.

8. Click the + icon near the bottom of the dialog box, and select FortiGate SSH (which you just created), then click OK.

Don't try to discover the device. It will FAIL in the lab!

In a real-world environment, you could rediscover the FortiGate firewall. The new SSH credential would also be attempted against the device to apply a configuration pulling system monitor job. Because this device is fake, you need to simulate this.


To simulate FortiGate SSH Config and Installed Software

1. Return to the browser tab on the NSE Institute website.

2. Navigate to LABS SET 1 and, under Lab 3 – Discovery, select Exercise 3.4 – (A) Simulate FortiGate SSH Config and Installed Software.

The output takes approximately one minute to return and should resemble the following example:

To review simulated FortiGate SSH Config and Installed Software

1. Return to your browser tab displaying the FortiSIEM GUI.

2. Click the CMDB tab and, on the pane on the left side of the screen, click Devices > Network Device > Firewall.

3. On the main window, click the refresh icon.

4. Select the Fortinet FortiOS device Name (FG240D3913800441) and, on the lower pane, click the Configuration tab.

You should see the startup configuration of the device.

5. Continuing on the lower pane, select the Software tab and look at the details on the Installed Software sub-tab.

You should now see all the versions of the AV engine, attack definitions, and so on.

To simulate FortiGate SSH Config Change

1. Return to the browser tab displaying the NSE Institute website.

2. Navigate to LABS SET 1 and, under Lab 3 – Discovery, select Exercise 3.4 – (B) Simulate FortiGate SSH Config Change.

The output takes approximately one minute to return and should resemble the following example:


To review simulated FortiGate SSH Config Change

1. Return to your browser tab displaying the FortiSIEM GUI.

2. Continuing on the Firewall page, select the Fortinet FortiOS device (FG240D3913800441), and click the refresh icon.

3. On the lower pane containing the details, click the Configuration tab again.

You should notice a second revision of the startup-config. (If not, wait one minute and refresh again.)

4. Depending on your computer, use Shift or Ctrl to select both revisions, and then click the Diff button.

5. Review the configuration changes, then close the dialog box.


Exercise 5: Performing Discovery of Other Lab Devices

In this exercise, you will create discoveries for all other devices in the simulated lab. You will continue to use only SNMP. (You are assuming the same SNMP credential across all devices.)

Other Device List

Type                 Make          IP Address       Method
Firewall             Fortigate     172.16.255.82    SNMP
Firewall             Fortigate     10.1.1.1         SNMP
Firewall             Palo Alto     172.16.1.2       SNMP
Firewall             Cisco ASA     192.168.19.65    Lab Special
Firewall             Juniper       172.16.3.10      Log Only
Firewall             Juniper       172.16.255.70    SNMP
Firewall             Checkpoint    172.16.0.1       SNMP
Router/Switch        Cisco IOS     10.1.1.5         Log Only
Router/Switch        Cisco IOS     192.168.20.1     SNMP
Router/Switch        Cisco IOS     172.16.3.2       SNMP
Router/Switch        Cisco IOS     192.168.19.1     SNMP
Router/Switch        Foundry       172.16.0.4       SNMP
Router/Switch        Foundry       172.16.10.1      Log Only
Router/Switch        HP Procurve   172.16.22.2      SNMP
Router/Switch        JunOS         172.16.5.64      SNMP
Wireless Controller  Aruba         192.168.26.7     SNMP
Server               Windows       172.16.10.28     SNMP
Server               Windows       192.168.0.10     SNMP
Server               Windows       192.168.0.40     SNMP
Server               Windows       172.16.10.9      SNMP
Server               Windows       10.10.100.27     Log Only
Server               Windows       10.1.1.33        SNMP
Server               Windows       10.1.1.41        SNMP
Server               Linux         192.168.0.16     SNMP
Server               AIX           172.16.20.160    SNMP
Server               Solaris       172.16.10.6      SNMP

To add IP ranges for the Other Device List to Credentials

1. On the FortiSIEM GUI, click the Admin tab.

2. On the pane on the left side of the screen, select Setup.

3. On the main window, click the Credentials tab.

4. Under Step 2: Enter IP Range to Credential Associations, click New.

This time, to demonstrate a range, you will enter a list of firewall devices.

5. Configure the following credentials:

Field          Value
IP/Host Name   172.16.255.82, 10.1.1.1, 172.16.1.2, 172.16.255.70, 172.16.0.1
Credentials    Global SNMP

6. Click Save.

7. Click New again, and configure the credentials to add a range of devices:

Field          Value
IP/Host Name   192.168.20.1, 172.16.3.2, 192.168.19.1, 172.16.0.4, 172.16.22.2, 172.16.5.64
Credentials    Global SNMP

8. Click Save.

9. Click New again, and configure the following credentials to add the Wireless Controller IP:

Field          Value
IP/Host Name   192.168.26.7
Credentials    Global SNMP


10. Click New again, and configure the following credentials to add a list of server devices (to demonstrate a mixture of IP ranges):

Field          Value
IP/Host Name   172.16.10.6-172.16.10.28, 192.168.0.10-192.168.0.40, 10.1.1.33, 10.1.1.41, 172.16.20.160
Credentials    Global SNMP

11. Click Save.

Prepare the Fake Devices for Discovery

To prepare the fake devices for discovery, you need to prepare the lab system.

To prepare the fake devices for discovery

1. Return to your browser tab displaying the NSE Institute website.
2. Navigate to LABS SET 1 and, under Lab 3 – Discovery, select Exercise 3.5 – Copy All Other Discovery Files.

The output takes approximately one minute to return.

If you don't see three 100% successful SCP transfers, advise your instructor.

To add the discovery task for devices

1. Return to the browser tab displaying the FortiSIEM GUI.
2. Continuing on the Setup page, click the Discovery tab.
3. Click New to add the following discovery ranges (click New for each new entry and then Save):


Name                   Discovery Type   Include                                                                      Name Resolution
Other FTNT Firewalls   Range Scan       172.16.255.82, 10.1.1.1                                                      SNMP/WMI First
Palo Alto              Range Scan       172.16.1.2                                                                   SNMP/WMI First
Juniper FW             Range Scan       172.16.255.70                                                                SNMP/WMI First
Checkpoint             Range Scan       172.16.0.1                                                                   SNMP/WMI First
Cisco IOS              Range Scan       192.168.20.1, 172.16.3.2, 192.168.19.1                                       SNMP/WMI First
Foundry                Range Scan       172.16.0.4                                                                   SNMP/WMI First
HP Procurve            Range Scan       172.16.22.2                                                                  SNMP/WMI First
JunOS                  Range Scan       172.16.5.64                                                                  SNMP/WMI First
Aruba                  Range Scan       192.168.26.7                                                                 SNMP/WMI First
Windows                Range Scan       172.16.10.28, 192.168.0.10-192.168.0.40, 172.16.10.9, 10.1.1.33, 10.1.1.41   SNMP/WMI First
Linux                  Range Scan       192.168.0.16                                                                 SNMP/WMI First
AIX                    Range Scan       172.16.20.160                                                                SNMP/WMI First
Solaris                Range Scan       172.16.10.6                                                                  SNMP/WMI First

4. Once you have defined the discovery ranges, select each entry (but not the FortiGate Firewall that was already present), and then click Discover. Do these one at a time.
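A discovery task only succeeds for an address that also falls inside some credential association, so it is worth checking the two lists against each other before clicking Discover. The following Python is an added example (not part of the lab guide and not FortiSIEM code) that reads the IP/Host Name and Include fields entered above the way the GUI presents them, as comma-separated lists of single hosts and inclusive start-end ranges, and reports every discovery target that no credential range covers. The addresses and credential name are copied from the tables above; the parsing rules and the coverage check are this example's own assumptions, not documented FortiSIEM behaviour.

```python
import ipaddress

# Constructed from the credential associations entered above (Step 2 entries 1-4);
# each list item is one IP/Host Name field, all mapped to the Global SNMP credential.
CREDENTIAL_RANGES = {
    "Global SNMP": [
        "172.16.255.82, 10.1.1.1, 172.16.1.2, 172.16.255.70, 172.16.0.1",
        "192.168.20.1, 172.16.3.2, 192.168.19.1, 172.16.0.4, 172.16.22.2, 172.16.5.64",
        "192.168.26.7",
        "172.16.10.6-172.16.10.28, 192.168.0.10-192.168.0.40, 10.1.1.33, 10.1.1.41, 172.16.20.160",
    ],
}

# Constructed from the Include column of the discovery entries above.
DISCOVERY_INCLUDES = {
    "Other FTNT Firewalls": "172.16.255.82, 10.1.1.1",
    "Palo Alto": "172.16.1.2",
    "Juniper FW": "172.16.255.70",
    "Checkpoint": "172.16.0.1",
    "Cisco IOS": "192.168.20.1, 172.16.3.2, 192.168.19.1",
    "Foundry": "172.16.0.4",
    "HP Procurve": "172.16.22.2",
    "JunOS": "172.16.5.64",
    "Aruba": "192.168.26.7",
    "Windows": "172.16.10.28, 192.168.0.10-192.168.0.40, 172.16.10.9, 10.1.1.33, 10.1.1.41",
    "Linux": "192.168.0.16",
    "AIX": "172.16.20.160",
    "Solaris": "172.16.10.6",
}


def expand_spec(spec):
    """Expand an 'a, b-c, d' field into a list of IPv4Address objects.

    A hyphenated item is an inclusive start-end range, a bare item is a single
    host (assumed GUI semantics). A reversed range (end before start) or a
    non-IPv4 token raises ValueError so a typo in the field is caught instead
    of silently discovering nothing.
    """
    hosts = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            start_s, end_s = item.split("-", 1)
            start = ipaddress.IPv4Address(start_s.strip())
            end = ipaddress.IPv4Address(end_s.strip())
            if end < start:
                raise ValueError(f"reversed range: {item}")
            hosts.extend(ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1))
        else:
            hosts.append(ipaddress.IPv4Address(item))
    return hosts


def is_valid_spec(spec):
    """True if every item in the field parses as a host or a well-ordered range."""
    try:
        expand_spec(spec)
    except ValueError:
        return False
    return True


def credential_for(ip, credential_ranges):
    """Return the name of the credential whose ranges contain ip, or None."""
    if isinstance(ip, str):
        ip = ipaddress.IPv4Address(ip)
    for name, specs in credential_ranges.items():
        if any(ip in expand_spec(spec) for spec in specs):
            return name
    return None


def uncovered_targets(discovery_includes, credential_ranges):
    """Map each discovery entry to the targets that no credential range covers.

    An empty result means every address a discovery task will touch has a
    credential to try; anything listed here would be scanned with no SNMP
    community to use.
    """
    missing = {}
    for name, spec in discovery_includes.items():
        gaps = [str(ip) for ip in expand_spec(spec)
                if credential_for(ip, credential_ranges) is None]
        if gaps:
            missing[name] = gaps
    return missing


if __name__ == "__main__":
    print("uncovered:", uncovered_targets(DISCOVERY_INCLUDES, CREDENTIAL_RANGES))
```

Run it as a script to print the uncovered targets; with the lab's values the result is an empty dict, because 172.16.10.9, 172.16.10.28 and 192.168.0.16 all fall inside the server ranges entered in step 10. A reversed range such as 172.16.10.66-172.16.10.28, an easy slip when typing the field, is rejected rather than silently expanded to nothing.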


5. Once completed, on the Monitor Performance tab, review the system monitors applied to each device.
6. Click the CMDB tab and review the devices and device categorizations. (You may need to click Refresh.)
7. On the pane on the left side of the screen, click Devices > Server.
8. On the main window, select device WIN2008-ADS and, in the lower pane that contains the details, click the Software tab.
9. Click the Running Applications sub-tab and, in the search field, type iis.

Notice the list of running applications populated from discovery for IIS.

10. Make a note of the entries in the Process Name and Process Param columns. See "Appendix: Answer Sheet" on page 214 for the answer.


11. Type DNS in the search field and again make note of the entries in the Process Name and Process Param columns. See "Appendix: Answer Sheet" on page 214 for the answer.
12. On the pane on the left side of the screen, click Applications > Infrastructure App > DNS, and select Microsoft DNS on the main window.

Notice how the CMDB knows which devices in the environment are running the DNS process.

13. On the pane on the left side of the screen, click Applications > User App > Web Server, and select Microsoft IIS on the main window.

Again, notice how FortiSIEM understands which devices are running IIS by tracking the process names running during discovery.


Exercise 6: Bringing in Fake Data

Now that the devices are populated in the CMDB, you will start to bring in fake performance and security data.

To observe the pulling of performance data from devices

1. Return to your browser tab displaying the NSE Institute website.
2. Navigate to LABS SET 1 and, under Lab 3 – Discovery, select Exercise 3.6 – Start All Performance and Device Data.

The output takes approximately two minutes to return.

3. Return to your browser tab displaying the FortiSIEM GUI.
4. Click the ANALYTICS tab, then click the search field to edit the condition.
5. In the Filters section, configure the following settings to create a new query:

Field       Value
Attribute   Raw Event Log
Operator    CONTAIN
Value       *


6. Next to Time, select Real Time.
7. Click Save & Run.

Make sure the search field is empty (it may contain text from another exercise).

Wait a few seconds and you will see various events arriving.

8. Remove the asterisk from the filter box, type PH_DEV_MON, and click Search again.

After waiting a minute or so, you should start to see performance metric events.

To view all devices on the Summary Dashboard

1. Click the Dashboard tab, then click the down arrow on the Amazon Web Services Dashboard.
2. On the drop-down list, select FortiSIEM Dashboard.
3. On the FortiSIEM dashboard, select the + icon next to the Incidents tab to add a new dashboard.


The Create New Dashboard pop-up window opens.

4. Configure the following settings to create a dashboard:

Field   Value
Name    All Devices
Type    Summary Dashboard

5. Next to Incidents, select the All Devices tab.
6. Add all devices by clicking the select devices icon next to the search bar.

The Select devices for display pop-up window opens.

7. Select all devices in the Available Devices column.
8. Use the right-arrow icon to add all selected devices to the Selected Devices column.
9. Click OK.
10. When the All Devices dashboard opens, select All in the filter.


Your dashboard should look similar to the following example:

Not all devices collect the same system resource metrics, so some columns will be blank. If your system does not resemble the example, inform your instructor.

You have completed Lab 3.


Lab 4: FortiSIEM Analytics

In this lab, you will explore the keyword search feature.

Objectives

- Understand the real-time search
- Perform a search for raw log messages
- Perform a historical keyword search
- Employ multiple search conditions
- Explore some of the well-used search operators

Time to Complete
Estimated: 30 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or devices, unless notified by the course instructor.


Exercise 1: Getting to Know the Real-Time Search

In this exercise, you will perform a real-time search for raw logs.

To view all raw logs in real-time search

1. On the Student Workstation VM, open the Firefox browser and enter the following URL to access the FortiSIEM GUI: https://10.0.1.130/phoenix/login-html.jsf

There is a link for the FortiSIEM GUI on the browser's Favorites bar.

2. Click the ANALYTICS tab.
3. Click the Display Fields drop-down icon.
4. Click Clear All and Save.
5. Select Use Default from the pop-up.
6. Click the search field to Edit Filters and Time Range.


7. The Filter editor opens.
8. Create the following query:

Field       Value
Attribute   Raw Event Log
Operator    CONTAIN
Value       *

The Raw Event Log attribute is used for viewing raw log messages from various devices. Raw log messages are unstructured data.

9. Next to Time, select Real Time.
10. Click Save & Run, let the search run for about 20 seconds, and then click Pause.

Notice all the different events being received in real time and the default columns (Event Receive Time, Reporting IP, Event Type, and Raw Event Log).

- Make sure Wrap Raw Event is selected.
- Make sure Show Event Type is selected.

11. In the Raw Event Log field, select a raw log message.

A white down arrow icon appears.

12. Click the down arrow icon to display the Show Detail button, and view the event details associated with that event.


13. Click Show Detail.

An Event Details dialog box opens.

The top portion of the dialog box includes the raw log received by FortiSIEM. The bottom portion of the dialog box includes the structured view: all the attributes that FortiSIEM parsed out of the message. You can use these attributes in structured searches, rules, reports, and on dashboards.

14. Close the Event Details dialog box.
15. In the Filters section, click Clear All to see the functionality of this button.

Notice that as soon as you click Clear All, all existing settings are cleared.


16. Click Cancel. Don't save the changes made when you clicked Clear All.


Exercise 2: Search Operators

In this exercise, you will explore the use of search operators.

To use search operators

1. Click the ANALYTICS tab, then click the search field to edit the condition.
2. In the Filters section, change the query to remove the asterisk (*) from the Value field of the search, then type devname.
3. Next to Time, select Real Time.
4. Click Save & Run.

Review the results.

5. Modify the search condition again in the Filters editor for the condition devname AND HTTP, and complete the following query:

Field       Value
Attribute   Raw Event Log
Operator    CONTAIN
Value       devname

6. In the Row column associated with your existing condition, click the + icon to add another row.
7. In the Next column associated with your existing condition, select AND.
8. Complete the following query:

Field       Value
Attribute   Raw Event Log
Operator    CONTAIN
Value       HTTP

9. Next to Time, select Real Time.
10. Click Save & Run.

The logical AND operator is used to achieve the results for the query devname AND HTTP.


11. After you receive approximately 50 logs, click Pause.

What was the impact of this search? See "Appendix: Answer Sheet" on page 214 for the answer.

What can you identify about the case sensitivity of keywords? See "Appendix: Answer Sheet" on page 214 for the answer.


Exercise 3: Historical Keyword Search

In this exercise, you will perform a keyword search.

To perform a keyword search

1. On the FortiSIEM GUI, click the ANALYTICS tab, then click the search field to edit the condition.
2. In the Filters editor, configure the following settings to create a new query:

Field       Value
Attribute   Raw Event Log
Operator    CONTAIN
Value       deny

3. Next to Time, select Relative, then in the Last field, type 10, and select Minutes.
4. Click Save & Run.

Events that contain the word "deny" will appear. Notice that the graph shows a COUNT over time (10 minutes in this case) of all the events.

5. Hover your mouse over the graph to view the absolute time range for the events during that time period.


6. Double-click any point on the graph.

The system opens a new tab and runs the same query with the time selector set to the specific time interval you selected. This allows granular control and the ability to drill into event peaks of interest.

7. Close the tab.


Exercise 4: Single Search Condition

In this exercise, you will explore the use of search conditions.

To add a search condition

1. On the FortiSIEM GUI, click the ANALYTICS tab, then click the search field to edit the condition.
2. On the Filters editor, configure the following settings to create a new query:

Field       Value
Attribute   Raw Event Log
Operator    CONTAIN
Value       *

3. Next to Time, select Relative, then, in the Last field, type 3, and select Minutes.
4. Click Save & Run.

Notice all the events received over the specified time period. This could be many lines and pages of data, too many to fit on one page. You can jump to any page required by entering the page number.

5. Click the search criteria box again.
6. Configure the following settings to change the query:

Field       Value
Attribute   Reporting IP
Operator    =
Value       192.168.3.1


7. In the Last field, type 5, and select Minutes, then click Save & Run.

Notice how all the results include the reporting IP you specified.


Exercise 5: Multiple Search Conditions

In this exercise, you will explore the use of multiple search conditions.

To add multiple search conditions

1. Continuing the search from the last exercise, click the search field to edit the conditions.
2. In the Next column associated with your existing condition, select AND.
3. In the Row column associated with your existing condition, click the + icon to add another row.
4. Configure the following settings for your second condition:

Field       Value
Attribute   Destination IP
Operator    =
Value       8.8.8.8

5. Modify the Time drop-down list to run the search over the last 10 minutes.
6. Click Save & Run.

Notice how all the events are now reported by a specific device IP going to the destination IP 8.8.8.8.


Exercise 6: Using the Contain Operator

In this exercise, you will explore the use of the CONTAIN operator.

To use the CONTAIN operator

1. Continuing the search from the last exercise, click the search field and click Clear All to clear the query.
2. Configure the following settings to create a new query:

Field       Value
Attribute   Event Type
Operator    CONTAIN
Value       win-security

3. Leave the search time set to the last 10 minutes, and click Save & Run.

You should notice that all events returned are Windows security related.

4. Click the search field to edit the condition.
5. In the Next column associated with your existing condition, select AND.
6. In the Row column associated with your existing condition, click the + icon to add another row.
7. Configure the following query to look only for Windows security events whose User is not svc_monitor:

Field       Value
Attribute   User
Operator    !=
Value       svc_monitor


8. Leave the search time set to the last 10 minutes, and click Save & Run.
9. Review the Event Details of the raw event log for one of the returned events.

- Once you select the Raw Event Log, a white down arrow icon will appear.
- Click the icon to display the Show Detail option, which will enable you to view the Event Details associated with that event.

10. Scroll to the bottom of the structured view and, in the row that contains the User attribute, select Display.

This adds an extra display column to the display.

11. Click OK to close the Event Details dialog box, then run your search again.

None of the users should be svc_monitor.

If you do not get any results for any search, run the search over a longer time period.


Exercise 7: Using the IN/NOT IN Operators

In this exercise, you will explore the use of the IN and NOT IN operators.

To use the IN and NOT IN operators

1. Continuing the search from the last exercise, click the search field to modify your query.
2. Modify the existing User condition as follows:

Field       Value
Operator    NOT IN
Value       svc_monitor, administrator

This query is now configured to look for events that are Windows security events but are not from the administrator or svc_monitor user.

Use the NOT IN operator when specifying the user (that is, the User is NOT IN this list).

3. Next to Time, select Relative then, in the Last field, type 30, and select Minutes.

In your results you may see many users returned with a $. These are computer accounts.


4. Modify your search to exclude these computer accounts by adding an extra condition using the NOT CONTAIN operator:
   a. In the Next column associated with the User condition, select AND.
   b. In the Row column associated with the User condition, click the + icon to add another row.
   c. Configure the following settings for your new condition:

Field       Value
Attribute   User
Operator    NOT CONTAIN
Value       $

5. Leave the search time set to the last 30 minutes, and click Save & Run.
6. Review the results.

You will get a result similar to the following example:


Exercise 8: Using the IS Operator

In this exercise, you will explore the use of the IS and IS NOT operators.

To use the IS NOT operator

1. Continuing the search from the last exercise, click the search field, then click Clear All to clear your query.
2. Build a search to look for all performance events over a one-hour time period.

All performance events contain the word PH_DEV_MON.

Field       Value
Attribute   Event Type
Operator    CONTAIN
Value       ph_dev_mon

3. Click Save & Run, and view the results.
4. Add a second condition to your query using the IS NOT operator to search only for events that contain the specific attribute you are interested in.

For example:

Attribute      Operator   Value
Free Disk MB   IS NOT     NULL


5. Leave Time set to Relative then, in the Last field, type 1, and select Hour.
6. Click Save & Run.
7. Open the Event Details dialog box for one of the events, and select check boxes to add the following display columns:

- Disk Capacity Util
- Disk Name
- Free Disk MB

- Once the Raw Event Log is selected, a white down arrow icon will appear.
- Click the icon to display the Show Detail option, which will enable you to view the Event Details associated with that event.


8. Click OK to close the Event Details dialog box.
9. Leave the search time set to the last 1 hour, and click Run.

Review the results. Three new fields were added to the display columns for all events.


Exercise 9: Using the Greater Than Operator

In this exercise, you will explore the use of the greater than operator.

To use the greater than operator

1. Continuing the search from the last exercise, click the search field to modify the query.
2. Add an additional condition to look only for events where the Disk Capacity Util is greater than 80%:

Field       Value
Attribute   Disk Capacity Util
Operator    >
Value       80

3. Leave the search time set to the last 1 hour and click Save & Run.
4. Review the results.
5. Open the Event Details dialog box for one of the events and remove the following display columns, which you added in the previous exercise:

- Disk Capacity Util
- Disk Name
- Free Disk MB

- Once the Raw Event Log is selected, a white down arrow icon will appear.
- Click the icon to display the Show Detail option, which will enable you to view the Event Details associated with that event.

You have completed Lab 4.
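The operators used in Exercises 2 and 6 through 9 behave like a small expression language evaluated row by row over the attributes FortiSIEM parsed out of each event. The Python below is an added example, not code from the lab guide or from FortiSIEM, that evaluates the lab's own filter rows over a handful of constructed events so you can see which records each operator keeps: CONTAIN and NOT CONTAIN on a string attribute, != and NOT IN on the User column, IS NOT NULL to skip events that do not carry an attribute at all, and > on a numeric one. The events, their attribute values, and the semantics listed in the matches() docstring (case-insensitive string matching, how a missing attribute compares) are this example's assumptions, not the product's documented behaviour.

```python
# Constructed sample events. Attribute names are the display names the lab's
# filter rows use; every value is invented for this example.
EVENTS = [
    {"Event Type": "Win-Security-4624", "User": "jsmith", "Reporting IP": "172.16.10.28",
     "Raw Event Log": "An account was successfully logged on. Account Name: jsmith"},
    {"Event Type": "Win-Security-4624", "User": "svc_monitor", "Reporting IP": "172.16.10.28",
     "Raw Event Log": "An account was successfully logged on. Account Name: svc_monitor"},
    {"Event Type": "Win-Security-4672", "User": "Administrator", "Reporting IP": "172.16.10.28",
     "Raw Event Log": "Special privileges assigned to new logon. Account Name: Administrator"},
    {"Event Type": "Win-Security-4624", "User": "WIN2008-ADS$", "Reporting IP": "172.16.10.28",
     "Raw Event Log": "An account was successfully logged on. Account Name: WIN2008-ADS$"},
    {"Event Type": "PH_DEV_MON_SYS_DISK_UTIL", "Reporting IP": "172.16.10.28", "Disk Name": "C:",
     "Free Disk MB": 1200, "Disk Capacity Util": 91.5,
     "Raw Event Log": "[PH_DEV_MON_SYS_DISK_UTIL] diskName=C: freeDiskMB=1200 diskUtil=91.5"},
    {"Event Type": "PH_DEV_MON_SYS_DISK_UTIL", "Reporting IP": "192.168.0.16", "Disk Name": "/var",
     "Free Disk MB": 48000, "Disk Capacity Util": 37.0,
     "Raw Event Log": "[PH_DEV_MON_SYS_DISK_UTIL] diskName=/var freeDiskMB=48000 diskUtil=37.0"},
    {"Event Type": "PH_DEV_MON_SYS_CPU_UTIL", "Reporting IP": "192.168.0.16", "CPU Util": 12.0,
     "Raw Event Log": "[PH_DEV_MON_SYS_CPU_UTIL] cpuUtil=12.0"},
    {"Event Type": "Firewall-Traffic-Deny", "Reporting IP": "192.168.3.1", "Destination IP": "8.8.8.8",
     "Raw Event Log": "devname=FGT-LAB action=deny service=HTTP srcip=192.168.10.20 dstip=8.8.8.8"},
]


def _as_list(value):
    """Split a 'svc_monitor, administrator' style value into lowercased items."""
    return [v.strip().lower() for v in str(value).split(",") if v.strip()]


def _number(x):
    try:
        return float(x)
    except (TypeError, ValueError):
        return None


def matches(event, cond):
    """Evaluate one (Attribute, Operator, Value) row against one event.

    Assumptions made here, not stated by the lab: string operators are
    case-insensitive (the lab matches PH_DEV_MON events with 'ph_dev_mon'),
    'CONTAIN *' matches every event, IS / IS NOT only test for NULL, and a
    comparison against an attribute the event does not carry never matches.
    """
    attr, op, value = cond
    actual = event.get(attr)
    if op == "IS":
        return actual is None
    if op == "IS NOT":
        return actual is not None
    if op == "CONTAIN" and value == "*":
        return True
    if actual is None:
        return False
    text, needle = str(actual).lower(), str(value).lower()
    if op == "CONTAIN":
        return needle in text
    if op == "NOT CONTAIN":
        return needle not in text
    if op == "=":
        return text == needle
    if op == "!=":
        return text != needle
    if op == "IN":
        return text in _as_list(value)
    if op == "NOT IN":
        return text not in _as_list(value)
    if op in (">", "<", ">=", "<="):
        lhs, rhs = _number(actual), _number(value)
        if lhs is None or rhs is None:
            return False
        return {">": lhs > rhs, "<": lhs < rhs, ">=": lhs >= rhs, "<=": lhs <= rhs}[op]
    raise ValueError(f"unsupported operator: {op!r}")


def run_query(events, conditions):
    """Return the events matching every row; rows are joined with AND, as in the lab."""
    return [e for e in events if all(matches(e, c) for c in conditions)]


# The lab's queries, one tuple per (Attribute, Operator, Value) table.
ALL_RAW = [("Raw Event Log", "CONTAIN", "*")]
DEVNAME_AND_HTTP = [("Raw Event Log", "CONTAIN", "devname"), ("Raw Event Log", "CONTAIN", "HTTP")]
WIN_SEC_NOT_SVC = [("Event Type", "CONTAIN", "win-security"), ("User", "!=", "svc_monitor")]
WIN_SEC_HUMANS = [("Event Type", "CONTAIN", "win-security"),
                  ("User", "NOT IN", "svc_monitor, administrator"),
                  ("User", "NOT CONTAIN", "$")]
DISK_OVER_80 = [("Event Type", "CONTAIN", "ph_dev_mon"),
                ("Free Disk MB", "IS NOT", "NULL"),
                ("Disk Capacity Util", ">", "80")]


def users_for(query, events=EVENTS):
    """The User display column for a query's result set."""
    return [e.get("User") for e in run_query(events, query)]


if __name__ == "__main__":
    print("Exercise 6:", users_for(WIN_SEC_NOT_SVC))
    print("Exercise 7:", users_for(WIN_SEC_HUMANS))
    print("Exercise 9:", [e["Disk Name"] for e in run_query(EVENTS, DISK_OVER_80)])
```

The NOT CONTAIN $ row works because Windows computer accounts end in a dollar sign; with these events the three-row Exercise 7 query leaves only jsmith, and the Exercise 9 query returns just the C: disk because the CPU event carries no Free Disk MB attribute and the /var disk is under 80%.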


Lab 5: CMDB Lookups and Filters

In this lab, you will explore how the CMDB can be referenced in searches within FortiSIEM.

Objectives

- Reference CMDB elements in your search criteria
- Add and remove display columns
- Use multiple tabs to compare similar search results
- Expert challenge (unguided search scenarios)

Time to Complete
Estimated: 45 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or devices, unless notified by the course instructor.


Exercise 1: Selecting Devices from CMDB

In this exercise, you will learn how to reference devices from the CMDB in your search criteria.

To select devices from the CMDB

1. On the Student Workstation VM, open the Firefox browser and enter the following URL to access the FortiSIEM GUI: https://10.0.1.130/phoenix/login-html.jsf

There is a link for the FortiSIEM GUI on the browser's Favorites bar.

2. Click the ANALYTICS tab.
3. Click the search field to edit the condition.
4. The Filter editor opens.
5. Click Clear All to clear the previous query.
6. Configure the following settings:

Field       Value
Attribute   Reporting IP
Operator    IN

7. Click the Value field and select ...Select from CMDB.

This is known as the CMDB Device Selector. The CMDB Select Value dialog box opens.


8. In the CMDB dialog box, in the Folders pane, click Devices > Network Device > Firewall.

The firewall devices appear in the middle column.

9. In the Items pane, select a firewall.
10. Click >> to add the selected firewall to the Selections pane.
11. Click OK to close the CMDB dialog box.
12. Next to Time, select Relative then, in the Last field, type 20, and select Minutes.
13. Click Save & Run.

If you do not get any results for any search, run the search over a longer time period.

To add a second query

1. Click the search field again to add a second condition to your query:
   a. In the Next column associated with your existing condition, select AND.
   b. In the Row column associated with your existing condition, click the + button.
   c. Complete the following for your second condition:

Field       Value
Attribute   Event Type


Operator    IN

   d. Click the Value field and select ...Select from CMDB.
   e. Click Event Types > Regular Traffic > Denied Traffic, then click >> to add the folder to Selections.
   f. Click OK.
2. Leave Time set to Relative then, in the Last field, type 20, and select Minutes.
3. Click Save & Run.

This will narrow your search to only denied traffic events.

If you do not get any results for any search, run the search over a longer time period.

To add a third query

1. Click the search field again to add a third condition to your query:
   a. In the Next field of the second condition, select AND then, in the Row field, click + to add a third condition.
   b. Add the following third condition to view events where the Destination IP is NOT IN a private RFC 1918 address:

Field       Value
Attribute   Destination IP
Operator    NOT IN


DO Exer NOT REPRINT Exercise cise 1: Selecting Selec ting Devices from CMDB  © FORTINET c.   Click Click the Value field and select  ...Select from CMDB. d.   Click Networks > Private Net.

Notice Notic e this lists three networ network k entries that relate to the Priv Private ate IP spac space e of RFC 1918.

e.   Click >>  to add the folde folderr to Selections. f.   Click OK. 2.   Leave Time set to Relative then, in the Last field, type 20 , and select  Minutes. 3.   Click Save & Run.

In the results, results, you should should notice that all the des destination tination IP address addresses es are external external to the network, network, but you may also have have so some me events wher where e the source source is also a pub public lic IP.

•   Make sure Wrap Raw Event is selected.
•   Make sure Show Event Type is selected.

To add a fourth query
1.   Create a fourth filter condition for your query:
a.   In the Next field of the third condition, select AND then, in the Row field, click + to add a fourth condition.
b.   Add the following fourth condition to view events where any source IP is in the Private Network group:

Field       Value
Attribute   Source IP
Operator    IN

c.   Click the Value field and select ...Select from CMDB.
d.   Click Networks > Private Net.

e.   Click >> to add the folder to Selections.
f.   Click OK.
2.   Leave Time set to Relative then, in the Last field, type 20, and select Minutes.
3.   Click Save & Run.

Your final queries should look like the following example:

4.   Once the search is complete, click the Display Fields drop-down list and add a new row to display a column for Destination TCP/UDP Port.

5.   Run the search again and see if you can identify the most commonly blocked port. The search result should look like the following example:

6.   Once you have finished reviewing the event logs, click the Display Fields drop-down list again.
7.   Remove the Destination TCP/UDP Port display column by selecting the - icon in the Row column, then click Save.

You can build queries similar to this exercise for other devices like Windows servers, and so on.
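The four-row query built above, reproduced as an added Python example (not part of the lab guide) over constructed firewall events, so you can see exactly which rows drop which events and how the Destination TCP/UDP Port column reveals the most commonly blocked port. The event type names standing in for the CMDB Denied Traffic folder are assumptions; the three Private Net ranges are the RFC 1918 networks the guide refers to.

```python
"""Added example: the Lab 5 Exercise 1 query as a filter over constructed events.

FortiSIEM query being reproduced:
  Event Type      IN      Denied Traffic   (CMDB event-type folder)
  Destination IP  NOT IN  Private Net      (RFC 1918 ranges)
  Source IP       IN      Private Net
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# The three Private Net entries the guide mentions (RFC 1918).
PRIVATE_NET = [ip_network("10.0.0.0/8"),
               ip_network("172.16.0.0/12"),
               ip_network("192.168.0.0/16")]

# Assumed stand-in for the CMDB "Denied Traffic" folder; real folder contents
# are not on the page.
DENIED_TRAFFIC = {"FortiGate-traffic-deny", "ASA-fw-deny-tcp"}


def in_private_net(ip: str) -> bool:
    """IN Private Net: address falls inside one of the RFC 1918 ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NET)


def matches_query(ev: dict) -> bool:
    """AND of the filter rows: denied event type, external destination, internal source."""
    return (ev["event_type"] in DENIED_TRAFFIC
            and not in_private_net(ev["dst_ip"])    # Destination IP NOT IN Private Net
            and in_private_net(ev["src_ip"]))       # Source IP IN Private Net


def most_blocked_port(events):
    """Group the surviving events by Destination TCP/UDP Port; return (port, count) or None."""
    counts = Counter(ev["dst_port"] for ev in events if matches_query(ev))
    return counts.most_common(1)[0] if counts else None


# Constructed sample events (not real lab data); comments say which row drops each.
SAMPLE_EVENTS = [
    {"event_type": "FortiGate-traffic-deny",   "src_ip": "10.0.1.25",    "dst_ip": "8.8.8.8",       "dst_port": 445},
    {"event_type": "FortiGate-traffic-deny",   "src_ip": "192.168.0.10", "dst_ip": "1.1.1.1",       "dst_port": 445},
    {"event_type": "FortiGate-traffic-deny",   "src_ip": "10.0.1.25",    "dst_ip": "93.184.216.34", "dst_port": 23},
    {"event_type": "FortiGate-traffic-permit", "src_ip": "10.0.1.25",    "dst_ip": "8.8.8.8",       "dst_port": 445},  # permitted: dropped by Event Type row
    {"event_type": "ASA-fw-deny-tcp",          "src_ip": "10.0.1.30",    "dst_ip": "172.16.10.6",   "dst_port": 22},   # internal destination: dropped by NOT IN row
    {"event_type": "ASA-fw-deny-tcp",          "src_ip": "68.94.156.1",  "dst_ip": "8.8.8.8",       "dst_port": 445},  # public source: dropped by Source IP row
]

if __name__ == "__main__":
    port, n = most_blocked_port(SAMPLE_EVENTS)
    print(f"most commonly blocked destination port: {port} ({n} events)")
```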


Exercise 2: Searching for Particular Categories of Events

In this exercise, you will learn how to select event categories from the CMDB in your search criteria.

To use an event category from CMDB
1.   Click the ANALYTICS tab, then click the search field to edit the condition.

The Filter editor opens.

2.   Click the Clear All button to clear any existing conditions.
3.   Add the following condition:

Field       Value
Attribute   Event Type
Operator    IN

4.   Click the Value field and select ...Select from CMDB.
5.   Click Event Types > Change > Account Change.
6.   Click >> to add the folder to Selections.
7.   Click OK to close the CMDB dialog box.
8.   Run the search over the last 2 hours.

To add a condition to the existing filter from event logs
1.   In the received results, select the Event Type with the name Win-Security-4728.

Win-Security-4728 may not be on the first page of the search results.


•   Make sure Wrap Raw Event is selected.
•   Make sure Show Event Type is selected.

2.   In the Event Type field associated with your selected event type, click the white down arrow that appears, then select Add to Filter.

3.   Click the search criteria field. You should see that the Win-Security-4728 event type has been added as a filter to your query.

4.   Close the Conditions dialog box.
5.   Run the search again over the last 4 hours.

To build a query for investigation of an event without losing the existing query
1.   Examine the Event Details of the raw event log for one of the returned events.

•   Once the RAW Event log is selected, a white down arrow icon will appear.
•   Click the icon to display the Show Detail option, which will enable you to view the Event Details associated with that event.

2.   In the Event Details dialog box, in the Display column, select the Target User, Target User Group, User, and Destination IP check boxes to add those items as display fields.
3.   Close the Event Details dialog box.
4.   Run the search again over the last 4 hours.
5.   Investigate any events with the administrator user in more detail, without losing the existing query:

a.   Select an event with the User set to administrator.
b.   In the User column, click the white down arrow.
c.   Select Add to Tab.
d.   In the Add To Tab dialog box, select Add to New Tab.

The second tab becomes the active tab in the GUI. You should now have two query tabs.

6.   Click the search field on the newly opened second tab.

Your extra filter condition has been added. Your existing query is also still open on the first tab.

7.   Click the first tab and select the event with the destination IP of 10.1.1.33.
8.   In the Reporting IP column of that event, click the white down arrow, then click Add to Tab.

9.   This time, select an existing tab by clicking [1] Raw Messages then, in the drop-down list that appears, select the second tab [2] Raw Messages.
10.   Click OK.

The second tab becomes the active tab in the GUI.

11.   Click the search field again to validate that the additional row for the reporting IP filter has been added to the query.

12.   Next to Time, select Relative then, in the Last field, type 10, and select Hours.
13.   Click Save & Run and review the results.


Exercise 3: Expert Challenge

In this exercise, you will be presented with various scenarios, for which you must identify the search criteria that will produce the desired outcome.

To conduct scenario-based historical searches
1.   Click the ANALYTICS tab, then click the search field to edit the condition.
2.   For a historic event search, use the Relative or Absolute options for Time.
3.   Close any search tabs that are open, then attempt the searches below:
a.   The server admin is reporting unusual activity

There has been some unusual behavior reported by the Solaris administrator. The administrator wants to see a report of all events reported by the Solaris device with IP Address 172.16.10.6 over the last 2 hours and identify the following: Which user had a failed SSH login? From what IP Address? See "Appendix: Answer Sheet" on page 215 for the answer.

b.   The firewall team is reporting some strange activity occurring from an IP

The firewall team has asked you to produce a search of all events between source IP 68.94.156.1 and destination IP 192.168.0.10 over the last 2 hours, and display the destination TCP/UDP port. They suspect this machine could have been compromised. Do you see any suspicious port usage in your results? See "Appendix: Answer Sheet" on page 215 for the answer.

c.   Security team firewall rule validation

The firewall team implemented a new firewall, but they are unsure if they configured it correctly. They would like a report of all logs from a source IP in the internal network to an external destination IP that are permitted connections, but not on the common TCP/UDP ports of 80, 443, 53, or 123.

Produce the report and determine whether they were successful or not over the last three hours, and display the destination TCP/UDP port as a display column. The firewall should only allow common web traffic (ports 80, 443, 53, 123) outbound. Do your results indicate the firewall rules are correctly implemented?

Use the CMDB to determine permitted traffic classifications for events and network lists for internal and external traffic.

See "Appendix: Answer Sheet" on page 215 for the answer.

d.   Malware alert

There has been plenty of news in the media about malware attacks originating in Asia. The CISO wants to know if any internal traffic was permitted to any country in Asia in the last 2 hours that was not on TCP/UDP ports 25, 53, 80, 123, or 443.

Add Sent Bytes, Total Bytes, and Destination TCP/UDP Port as display columns to the results. See "Appendix: Answer Sheet" on page 215 for the answer.

e.   Slow network performance to a remote site

The NOC manager is getting complaints about slow performance to remote sites. These remote sites all connect through the core switch SJ-Main-Cat6500. Produce a list of any events where the Sent Interface Util is greater than 20%, and identify which interfaces on the switch have this issue. Create the search over the last 8 hours.

Select the correct device from the CMDB, and use the PH_DEV_MON_NET_INTF_UTIL event.

See "Appendix: Answer Sheet" on page 215 for the answer.


You have completed Lab 5.


Lab 6: Group By and Aggregation

In this lab, you will explore the data aggregation features of FortiSIEM.

Objectives
•   Group by a single and multiple attributes
•   Aggregate data
•   Expert challenge

Time to Complete
Estimated: 60 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or devices, unless notified by the course instructor.


Exercise 1: Grouping By Single and Multiple Attributes

In this exercise, you will learn how to group similar events based on a single and multiple attributes.

To set search filter criteria
1.   From the Student Workstation VM, open the Firefox browser and enter the following URL to access the FortiSIEM GUI: https://10.0.1.130/phoenix/login-html.jsf

There is a link for the FortiSIEM GUI on the browser's Favorites bar.

2.   In the FortiSIEM GUI, click the ANALYTICS tab and click the search field to edit the condition.
3.   Click Clear All to clear any existing conditions.
4.   In the Filters editor, complete the following to create a new query:

Field       Value
Attribute   Reporting IP
Operator    IN

5.   In the Value field, click Select from CMDB.
6.   Click Devices > Network Device > Firewall.
7.   Click >> to add the folder to Selections and then click OK.
8.   For Time select Relative, in the Last field, type 1, and select Hour from the drop-down list.
9.   Click Save & Run.

To apply the Group By feature
1.   Click Display Fields. A drop-down list will appear.
2.   Beside the Event Receive Time, Event Type, and Raw Event Log attributes, under the Row column, click the minus icon to remove them.

Leave the Reporting IP.

3.   Click the plus icon + under the Row column to add a new row.
4.   Click in the Attribute field and select Expression Builder.

A dialog box will appear to build an expression.

5.   In the Function field, choose COUNT and click the plus icon.
6.   In the Event Attribute field, choose the only available option, Matched Events, and click the plus icon.
7.   Once the expression is added, in the Expression field, click Validate. A pop-up message should display, reading "Expression is valid."

8.   Close the pop-up and click OK to close the Expression Builder dialog box.

Your final Display Fields settings should look as follows:

9.   In the Display Fields dialog box, click Save & Run to view Group By results.

In the results, you will see a top-down list of the reporting IP addresses that reported the most events in that 1 hour time period. Notice that the Reporting IP attribute column along with the COUNT (Matched Events) column is returned.

10.   Browse the different chart options at the top right of the graph. Choose the following:
•   Bar chart
•   Donut chart

To add multiple Group By attributes
1.   Click the Display Fields icon again; a drop-down list will appear.
2.   Click the plus icon + in the Row column of the Reporting IP row to add a new row above the COUNT expression row.
3.   Add the following attributes, one by one. Each time you add an attribute, you have to click the plus icon + in the Row column to add a new row for the new attribute.

•   Source IP
•   Destination IP
•   Destination TCP/UDP Port

4.   Click Save & Run.

You should see a top-down list of the most reported combination of reporting IP, source IP, destination IP, and destination TCP/UDP port over the time period.

5.   Change the time to 2 hours and rerun the search query to view the results over the increased time period.

In order to change the time period, you need to open the Filters editor by clicking the search field under the ANALYTICS tab.

You will notice that, even after executing the query for 2 hours, the display fields for group by remain the same. You can use Clear All to reset both Filters and Display Fields to default settings.


Exercise 2: Adding Aggregating Data

In this exercise, you will learn how to add an aggregation condition to your search criteria.

To set search filter criteria
1.   In the FortiSIEM GUI, click the ANALYTICS tab and click the plus icon + to add a new tab for a search.

2.   Click the search field to edit the condition.
3.   In the Filters editor, complete the following to create a new query:

Field       Value
Attribute   Reporting IP
Operator    =

4.   In the Value field, click Select from CMDB.
5.   Click Devices > Server > Windows.
6.   In Items, select device WIN2K8.
7.   Click > to add the device to Selections.
8.   Click OK.
9.   In the Next column beside the existing condition, select AND.
10.   In the Row column beside the existing condition, click the + icon to add another row.
11.   Complete the following for your second condition:

Field       Value
Attribute   Event Type
Operator    CONTAIN
Value       PH_DEV_MON_SYS

12.   In Time select Relative, in the Last field, type 1, and select Hour from the drop-down list.
13.   Click Save & Run.

To set display fields for aggregation
1.   Once you get results, select the event PH_DEV_MON_SYS_DISK_UTIL.

•   Make sure Wrap Raw Event is selected.
•   Make sure Show Event Type is selected.

2.   From the Event Type column associated with the event, click the down arrow and select Add to Filter.

3.   Run the search again for the last 1 hour.

You should now have your search results filtered to just disk utilization events.

4.   Open the Event Details dialog box for one of the events and add the following columns to the display:
•   Disk Name
•   Disk Capacity Util
•   Free Disk (MB)
•   Total Disk (MB)

•   Once the RAW Event log is selected, a down arrow icon will appear.
•   Clicking the icon will provide a Show Detail option to view the event details associated with that event.

5.   Click OK to close the Event Details dialog box.
6.   Click the Display Fields drop-down list arrow icon. You will notice that the display attributes you have added from Event Details are present.

7.   Remove the following rows from the Display Fields by clicking the minus icon - in the Row column:
•   Event Receive Time
•   Event Type
•   Raw Event Log

8.   Run the search again.

Now you can see disk-related attributes with the reporting IP.

To aggregate events
1.   Click the Display Fields drop-down list and edit the fields using one of the following methods:
•   Edit the Disk Capacity Util attribute by removing the text in the existing row and click Expression Builder.
•   Remove the Disk Capacity Util row, add a new row at the bottom, and click Expression Builder.

2.   In the Function drop-down list, select AVG and click the plus icon +.
3.   Under the Event Attribute drop-down list, type Disk Capacity Util and click the plus icon +.

4.   Click OK to close the Expression Builder dialog box.
5.   Under the Display Fields, edit the fields using one of the following methods:
•   Edit the Free Disk MB attribute by removing the existing text entry and add the expression LAST(Free Disk MB).
•   Remove the row for the Free Disk MB attribute, add a new row, and add an expression LAST(Free Disk MB) using Expression Builder.

6.   Click OK.
7.   Run the search over the last 10 hours.

Results will be aggregated in one line for 10 hours (values shown below may vary).

To aggregate disk utilization for all servers
1.   Edit the search condition again and remove the entry for Reporting IP = Device: WIN2K8.
2.   Add the following condition:

Field       Value
Attribute   Reporting IP
Operator    IN

3.   In the Value field, click Select from CMDB and click Devices > Servers.
4.   Click >> to add the folder to Selections and then click OK.
5.   Select Time as Relative, in the Last field, type 24, and select Hours from the drop-down list.
6.   Click Save.
7.   Click the display fields icon and add a row for Reporting Device by clicking the plus icon in the Row column of the Reporting IP.
8.   Click the up arrow icon in the Move column of the Reporting Device row to move it to the top.
9.   Click Save & Run.

You will get the aggregated average disk utilization of all servers in a 24-hour time period.

Do you notice any pattern in the way results are displayed? See "Appendix: Answer Sheet" on page 216 for the answer.
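What the Display Fields do behind the GUI in Exercise 1 (Group By Reporting IP with COUNT(Matched Events)) and Exercise 2 (AVG(Disk Capacity Util) and LAST(Free Disk MB) per reporting IP and disk), shown as an added Python example that is not part of the lab guide. The disk events are constructed; the field names, the assumption that LAST means the value carried by the most recently received event, and the sort order by COUNT are mine, not FortiSIEM's.

```python
"""Added example: Group By plus COUNT / AVG / LAST aggregation over constructed
PH_DEV_MON_SYS_DISK_UTIL-style events, mirroring the Lab 6 Display Fields."""
from collections import defaultdict
from statistics import mean


def group_and_aggregate(events, group_by, expressions):
    """Group events by the attribute names in `group_by`, then evaluate each
    (function, attribute) expression per group.  Functions mirror the
    Expression Builder entries used in the lab: COUNT, AVG, LAST.
    Assumption: LAST returns the attribute of the most recently received event."""
    groups = defaultdict(list)
    for ev in events:
        groups[tuple(ev[k] for k in group_by)].append(ev)

    rows = []
    for key, evs in groups.items():
        row = dict(zip(group_by, key))
        for func, attr in expressions:
            if func == "COUNT":            # COUNT(Matched Events): size of the group
                row[f"COUNT({attr})"] = len(evs)
            elif func == "AVG":
                row[f"AVG({attr})"] = round(mean(e[attr] for e in evs), 2)
            elif func == "LAST":
                newest = max(evs, key=lambda e: e["receive_time"])
                row[f"LAST({attr})"] = newest[attr]
            else:
                raise ValueError(f"unsupported function {func}")
        rows.append(row)

    # Busiest groups first, like the top-down list the guide describes (assumed).
    rows.sort(key=lambda r: -r.get("COUNT(Matched Events)", 0))
    return rows


# Constructed sample events (not real lab data); receive_time is in minutes.
DISK_EVENTS = [
    {"receive_time": 1, "reporting_ip": "192.168.0.16", "disk_name": "C:", "disk_util": 70.0, "free_mb": 3000},
    {"receive_time": 2, "reporting_ip": "192.168.0.16", "disk_name": "C:", "disk_util": 80.0, "free_mb": 2000},
    {"receive_time": 3, "reporting_ip": "192.168.0.16", "disk_name": "D:", "disk_util": 10.0, "free_mb": 90000},
    {"receive_time": 4, "reporting_ip": "10.1.1.33",    "disk_name": "C:", "disk_util": 50.0, "free_mb": 5000},
]


def exercise1_view(events):
    """Exercise 1: Group By Reporting IP with COUNT(Matched Events)."""
    return group_and_aggregate(events, ["reporting_ip"],
                               [("COUNT", "Matched Events")])


def exercise2_view(events):
    """Exercise 2: Group By Reporting IP and Disk Name with
    AVG(Disk Capacity Util) and LAST(Free Disk MB)."""
    return group_and_aggregate(events, ["reporting_ip", "disk_name"],
                               [("COUNT", "Matched Events"),
                                ("AVG", "disk_util"),
                                ("LAST", "free_mb")])


if __name__ == "__main__":
    for row in exercise1_view(DISK_EVENTS):
        print(row)
    for row in exercise2_view(DISK_EVENTS):
        print(row)
```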


Exercise 3: Expert Challenge

In this exercise, you will be presented with various scenarios, for which you must determine the proper search criteria that will produce the desired outcome.

To conduct scenario-based historical searches
1.   Click the ANALYTICS tab and click the search field to edit the condition.
2.   For a historic event search, use the Relative or Absolute options for Time.
3.   Select appropriate Display Fields and apply Group By and Aggregation expressions to achieve the desired results for the scenarios in this challenge.
4.   Close any search tabs that are open and attempt the searches below:
a.   Firewall Reporting 1

The customer wants to know which firewall device reported the most events over the last 30 minute time period. See "Appendix: Answer Sheet" on page 216 for the answer.

b.   Firewall Reporting 2

The customer wants to know which is the most common destination country of any firewall events that are not on destination TCP/UDP Port 21, 80, 443, or 53 over the last 1 hour. Also remove the NULL entry in your results. See "Appendix: Answer Sheet" on page 216 for the answer.

c.   Firewall Reporting 3

The customer wants to know what is the most common source country for any denied traffic events reported by a firewall device in the last 30 minutes. See "Appendix: Answer Sheet" on page 216 for the answer.

d.   Resource Utilization Reporting (Part 1)

The customer wants to see a list of all the CPU and memory usage for each process on device 192.168.0.16 over the last 30 minutes. Produce a report showing the Reporting IP, Application Name, Software Name, CPU Util, and Memory Util and hide all other display columns.

Use Event Type: PH_DEV_MON_PROC_RESOURCE_UTIL

What events does this report produce? See "Appendix: Answer Sheet" on page 217 for the answer.

e.   Resource Utilization Reporting (Part 2)

After the last report, the customer said the report contains the same process over and over again in the results. He would simply like to see a report for each application name and software name and an average CPU Util value and maximum Memory Util value.

Use the display column expression builder.

Run the report over the last 6 hours.

You have completed Lab 6.


Lab 7: Rules

In this lab, you will configure rules to generate incidents.

Objectives
•   Explore a simple rule
•   Explore a performance and availability rule
•   Create a simple rule to alert on a specific event
•   Add watch lists
•   Import rules

Time to Complete
Estimated: 75 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or devices, unless notified by the course instructor.


Exercise 1: Exploring a Simple Rule Example

In this exercise, you will explore the structure of a simple rule.

To view a rule
1.   From the Student Workstation VM, open the Firefox browser and enter the following URL to access the FortiSIEM GUI: https://10.0.1.130/phoenix/login-html.jsf

There is a link for the FortiSIEM GUI on the browser's Favorites bar.

2.   Click the RESOURCES tab.
3.   In the left pane, click Rules.
4.   On the main window, select Account Locked: Domain and click Edit.

Make note of the severity of the rule and also the function. See "Appendix: Answer Sheet" on page 217 for the answer.

What time period is the rule evaluating the pattern over? See "Appendix: Answer Sheet" on page 217 for the answer.

5.   In the Condition section, under the Subpattern column, beside DomainAcctLockout, click the pencil icon.

6.   Review the rule sub-pattern.

The sub-pattern is looking for a match of one or more events under the Domain Account Locked event type in the CMDB, and only those reported by devices that are categorized as a domain controller. Make a note of the attributes in the Group By section. See "Appendix: Answer Sheet" on page 217 for the answer.

7.   Click Cancel to exit the rule pattern.
8.   In the Actions section, click the pencil icon to edit.

9.   Review the parameters provided in the Generate Incident for: Account Locked:Domain dialog box.

The parameters determine how the incident source and incident target are determined, along with what information is populated as the incident details. In the Triggered Attributes section, make a note of the attributes in the Selected Attributes column. See "Appendix: Answer Sheet" on page 217 for the answer.

10.   Click Cancel to close the Generate Incident for: Account Locked:Domain dialog box and then click Cancel to exit the rule definition.

To set search filter criteria
1.   Click the ANALYTICS tab.
2.   Click the search field to edit the condition.

The Filter editor appears.

3.   Add the following condition:

Field       Value
Attribute   Event Type
Operator    IN

4.   Click the Value field and select ...Select from CMDB.
5.   Navigate to Event Types > Security > Login Failure > Domain Account Locked.
6.   Click the add folder icon >> and then click OK.
7.   In the Next field for that attribute, select AND.
8.   Add a row and create a second condition:

Field       Value
Attribute   Reporting IP
Operator    IN

9.   Click in the Value field and select ...Select from CMDB.
10.   Navigate to Applications > Infrastructure App > Domain Controller.
11.   Click the add folder icon >> and then click OK.
12.   Select Time as Real Time.
13.   Click Save & Run.

To generate events
1.   Navigate to LABS SET 2 on the NSE Institute website and under Lab 7 – Rules select Exercise 7.1 – Account Lockout Events.

The output should resemble the following:

To review received events
1. Go back to the tab with the FortiSIEM GUI.
2. Click Pause after the event is received.

• Make sure Wrap Raw Event is ticked.
• Make sure Show Event Type is ticked.

3. Examine the Event Details of the raw event log for the returned event.

• Once the raw event log is selected, a white down-arrow icon appears.
• Clicking the icon provides the Show Detail option to view the Event Details associated with that event.

4. Review the reporting IP of the event, along with the user whose account was locked out.
5. Close the Event Details dialog box.

To view the incident for the rule Account Locked:Domain
1. Click the INCIDENTS tab.
2. Click List to view the incident table.
3. Click Actions and select Search from the drop-down list.
4. Click the Last 2 Hours option to change the time range.
5. Select Relative, and in the Last field, type 30 and select Minutes.
6. Click Apply Time Range.
7. Click the Incident Name:ALL drop-down list. Different incidents will appear.

8. In the Incident Name:ALL field, click Search, and type the keyword locked.
9. Select the Account Locked:Domain incident and click Close in the bottom left pane.
10. Hover your cursor over the Target column for this incident.

Notice that it reports an IP address and user that match what you saw in the real-time search.

11. Select the incident and, in the lower pane, review the incident details.

If you select an incident and the lower pane does not appear, click the up-arrow icon to expand the lower pane manually. You can select the auto-expand option in the lower pane so you don't have to keep manually expanding it for each incident.

12. Click the Events tab.

Do the details match what was recorded in step 6 of the "To view a rule" section of this exercise? See "Appendix: Answer Sheet" on page 218 for the answer.

Before proceeding to the next exercise, under the INCIDENTS tab, click Actions > Search, and clear all of the selections.

Exercise 2: Exploring a Performance Rule Example

In this exercise, you will explore an existing performance monitoring rule.

To view a performance monitoring rule
1. Click the ANALYTICS tab.
2. Click the search field to edit the condition.

The Filters editor opens.

3. Click Clear All to clear the previous query.
4. Add the following condition:

Field       Value
Attribute   Reporting IP
Operator    =
Value       192.168.0.40
Next        AND

5. Under the Row column, click the + icon to add a second condition:

Field       Value
Attribute   Event Type
Operator    CONTAIN
Value       SYS_DISK_UTIL

6. In the Time section, select Relative, and in the Last field, type 5 and select Minutes from the drop-down menu.
7. Click Save & Run.

Because this is a demo system, the results are not strictly correct. In a production system, this event would be collected every 3 minutes for each disk. You will probably see more events than that, which is due to the fake-data replay mechanism used.

8. Examine the Event Details of the raw event log for one of the returned events.

• When you select the raw event log, a down-arrow icon appears.
• Clicking the down-arrow icon reveals the Show Detail option, which you can use to view the Event Details associated with that event.

9. The relevant attributes in this event are the following:

• Disk Capacity Util
• Disk Name
• Free Disk MB
• Host IP
• Host Name
• Total Disk MB
• Used Disk MB

10. Close the Event Details dialog box.

To view performance threshold values for a device in the CMDB
1. Click the CMDB tab.
2. In the left pane, click Devices > Server > Windows.
3. In the main window, click WIN2K8 (192.168.0.40), and then click Edit.

The Edit Device dialog box opens.

4. Click the Properties tab.
5. On the Disk Space Util Critical Threshold row, click Edit.

Don't change any of the values if you want the lab to work!

The Disk Space Util Critical Threshold dialog box opens.

6. Make a note of the value in the Default field and the disk name listed. See "Appendix: Answer Sheet" on page 218 for the answer.

Field                                Value
Disk Space Util Critical Threshold
Disk Name

7. Click Cancel, and now find the threshold for Free Disk (MB) Critical Threshold. See "Appendix: Answer Sheet" on page 218 for the answer.

Field                                Value
Free Disk (MB) Critical Threshold
Disk Name

8. Click Cancel, and then click Cancel again.

To view a performance monitoring rule
1. Click the RESOURCES tab.
2. In the left pane, click Rules > Performance.
3. Search for rules with the name Server Disk Space (use the search field to filter).
4. Select the Server Disk Space Warning rule and then click Edit.

The Server Disk Space Warning - Edit Details dialog box opens.

5. Make a note of the values associated with the following items. See "Appendix: Answer Sheet" on page 218 for the answer.

Field                                                        Value
Severity
Category
If this Pattern occurs within any (Evaluation Time Window)

6. In the Actions section, click the pencil icon to edit.
7. Review the Incident Attributes section and the Triggered Attributes section.

8. Click Cancel to close the Generate Incident for: Server Disk Space Warning dialog box.
9. In the Conditions section, under the Subpattern column, beside ServDiskWarn, click the pencil icon.

In the Filters section, the subpattern is looking for any events that match the exact event type PH_DEV_MON_SYS_DISK_UTIL, only from devices classified as a Server in the CMDB, while excluding any events where the disk name is /boot. In the Aggregate Condition section, the subpattern is looking for at least two events (two samples) where, during the rule evaluation time window, the following is true:

• AVG(Disk Capacity Util) > DeviceToCMDBAttr(Host IP, Disk Name, Disk Space Util Critical Threshold) AND
• AVG(Free Disk (MB)) < DeviceToCMDBAttr(Host IP, Disk Name, Free Disk (MB) Critical Threshold)

You can view the default critical thresholds by clicking Admin > Device Support > Custom Property. See the two screenshots that follow in the printed guide.

Notice that the attributes in the Group By section of the Edit SubPattern dialog box are Host IP, Host Name, and Disk Name.

10. At the bottom of the dialog box, click Run as Query.

The Edit SubPattern > Run As Query dialog box opens.

11. On the Time Range tab, select Relative, in the Last field, type 10 and select Minute from the drop-down list, and then click Run.

A new browser tab opens, the ANALYTICS tab is selected, and the results of the query are displayed.

Are there any results where the AVG(Disk Capacity Util) is greater than 95% and the AVG(Free Disk (MB)) is less than 100? See "Appendix: Answer Sheet" on page 219 for the answer.

To modify the performance search query for one device
1. In the newly opened browser tab for FortiSIEM, under ANALYTICS, click the search filter.
2. In the Next drop-down field of the last attribute in the list, select AND.
3. Add an extra row for the following condition:

Field       Value
Attribute   Host IP
Operator    =
Value       192.168.0.40

4. In the Time section, select Relative, in the Last field, type 10, and select Minutes from the drop-down list.
5. Click Save & Run.

You should get a single result, just for the WIN2K8 machine, similar to the screenshot in the printed guide.

Close the old FortiSIEM browser tab. Keep the new tab open to complete the rest of the exercise.

To generate performance events
1. Navigate to LABS SET 2 on the NSE Institute website and, under Lab 7 – Rules, select Exercise 7.2 – Trigger Server Critical Disk Rule.

The output should resemble the screenshot in the printed guide. (This will take around 3-5 minutes.)

To review performance events
1. After 5 minutes, return to your browser tab with the FortiSIEM GUI on the ANALYTICS tab and click Run to search again for the last 10 minutes.

You should now see some more events where AVG(Disk Capacity Util) > 95% and AVG(Free Disk (MB)) is less than 100 MB, which should trigger an incident.

To view incidents for the performance rule
1. Click the INCIDENTS tab.
2. Click List to view the incident table.
3. Click Actions and select Search from the drop-down list.
4. Click the Last 2 Hours option to change the time range.
5. Select Relative, and in the Last field, type 30 and select Minutes.
6. Click Apply Time Range.
7. Click the Incident Name:ALL drop-down list. Different incidents will appear.
8. In Incident Name:ALL, click Search and type the keyword disk.
9. Select the Server Disk Space Critical incident and click Close in the bottom left pane.
10. Review the details, such as the incident target, incident details, and triggered events.

Before proceeding to the next exercise, under the INCIDENTS tab, click Actions > Search and clear all of the selections.
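The subpattern you reviewed in this exercise, written out as an added example that is not FortiSIEM's own code or part of the original lab guide: a Python evaluation of the same logic (exact event type PH_DEV_MON_SYS_DISK_UTIL, Server devices only, /boot excluded, grouping by Host IP, Host Name and Disk Name, at least two samples, and both averages compared with per-device CMDB thresholds) run over constructed disk-utilization samples. The CMDB rows, the threshold values (95% and 100 MB, the same values the query above checks for), the DEFAULT_THRESHOLDS fallback and the attribute key names are assumptions for illustration.

```python
"""Added example (not FortiSIEM code): evaluate a Server Disk Space rule
the way the ServDiskWarn subpattern is described, over constructed samples."""
from collections import defaultdict
from statistics import mean

# Constructed CMDB: device type plus per-disk critical thresholds, keyed by
# Host IP and Disk Name. The two threshold names mirror the custom
# properties viewed in the exercise; the numbers are assumptions.
CMDB = {
    "192.168.0.40": {
        "type": "Server",
        "thresholds": {
            "C:": {"Disk Space Util Critical Threshold": 95.0,
                   "Free Disk (MB) Critical Threshold": 100.0},
        },
    },
    "192.168.0.41": {"type": "Server", "thresholds": {}},
    "192.168.0.50": {"type": "Workstation", "thresholds": {}},
}

# Assumed global defaults, used when a device has no per-disk override
# (this models the Admin > Device Support > Custom Property defaults).
DEFAULT_THRESHOLDS = {
    "Disk Space Util Critical Threshold": 95.0,
    "Free Disk (MB) Critical Threshold": 100.0,
}


def device_to_cmdb_attr(host_ip, disk_name, attr):
    """Per-device lookup with a default fallback, modelled on the
    DeviceToCMDBAttr(Host IP, Disk Name, <attribute>) call in the rule."""
    per_disk = CMDB.get(host_ip, {}).get("thresholds", {}).get(disk_name, {})
    return per_disk.get(attr, DEFAULT_THRESHOLDS[attr])


def subpattern_filter(ev):
    """Filters section: exact event type, Server devices only, /boot excluded."""
    return (ev["eventType"] == "PH_DEV_MON_SYS_DISK_UTIL"
            and CMDB.get(ev["hostIpAddr"], {}).get("type") == "Server"
            and ev["diskName"] != "/boot")


def evaluate_disk_rule(events, min_samples=2):
    """Group matching events by (Host IP, Host Name, Disk Name), require at
    least min_samples in the window, then apply both AVG comparisons.
    Returns one incident dict per group that fires."""
    groups = defaultdict(list)
    for ev in events:
        if subpattern_filter(ev):
            groups[(ev["hostIpAddr"], ev["hostName"], ev["diskName"])].append(ev)
    incidents = []
    for (ip, host, disk), samples in groups.items():
        if len(samples) < min_samples:
            continue
        avg_util = mean(e["diskCapacityUtil"] for e in samples)
        avg_free = mean(e["freeDiskMB"] for e in samples)
        util_thr = device_to_cmdb_attr(ip, disk, "Disk Space Util Critical Threshold")
        free_thr = device_to_cmdb_attr(ip, disk, "Free Disk (MB) Critical Threshold")
        if avg_util > util_thr and avg_free < free_thr:
            incidents.append({"hostIpAddr": ip, "hostName": host, "diskName": disk,
                              "avgDiskCapacityUtil": round(avg_util, 2),
                              "avgFreeDiskMB": round(avg_free, 2),
                              "sampleCount": len(samples)})
    return incidents


def ev(ip, host, disk, util, free_mb, etype="PH_DEV_MON_SYS_DISK_UTIL"):
    """Build one constructed performance event with the attributes the
    exercise lists (the key names are assumed)."""
    return {"eventType": etype, "hostIpAddr": ip, "hostName": host,
            "diskName": disk, "diskCapacityUtil": util, "freeDiskMB": free_mb}


# Constructed samples: WIN2K8 C: breaches both thresholds over two samples;
# D: is healthy; /boot on LINUX1 is full but excluded by the filter; "/" on
# LINUX1 has only one sample; WS1 is not a Server in the CMDB.
SAMPLE_EVENTS = [
    ev("192.168.0.40", "WIN2K8", "C:", 96.5, 80.0),
    ev("192.168.0.40", "WIN2K8", "C:", 97.2, 60.0),
    ev("192.168.0.40", "WIN2K8", "D:", 40.0, 50000.0),
    ev("192.168.0.40", "WIN2K8", "D:", 41.0, 49000.0),
    ev("192.168.0.41", "LINUX1", "/boot", 99.0, 10.0),
    ev("192.168.0.41", "LINUX1", "/boot", 99.0, 10.0),
    ev("192.168.0.41", "LINUX1", "/", 98.0, 50.0),
    ev("192.168.0.50", "WS1", "C:", 99.0, 20.0),
    ev("192.168.0.50", "WS1", "C:", 99.0, 20.0),
]

if __name__ == "__main__":
    for incident in evaluate_disk_rule(SAMPLE_EVENTS):
        print(incident)
```

Run as written, only the WIN2K8 C: group produces an incident; the other groups show why the three filter clauses and the two-sample minimum matter when you tune a performance rule.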

Exercise 3: Creating a Rule

In this exercise, you will create a simple rule.

A company has strict policies specifying that the administration of a selected FortiGate firewall can be performed from approved workstations only. They would like to detect if administrators are connecting to the FortiGate device from non-approved workstations. The approved workstations have the following IPs:

• 10.1.50.1
• 10.1.50.2
• 10.1.50.3
• 10.1.50.4
• 10.1.50.5

To set search criteria for analytics
1. Click the ANALYTICS tab.
2. Click the search field to edit the condition.

The Filter editor opens.

3. Add the following condition:

Field       Value
Attribute   Reporting IP
Operator    =
Value       192.168.3.1

4. In the Row field, click + to add a second condition:

Field       Value
Attribute   Event Type
Operator    CONTAIN
Value       login-success

5. Select Time as Real Time.
6. Click Save & Run.

To generate events
1. Navigate to LABS SET 2 on the NSE Institute website and, under Lab 7 – Rules, select Exercise 7.3 – FortiGate Admin Login Events – (Part A).

Wait approximately 1 to 2 minutes for the output. The output should resemble the screenshot in the printed guide.

Wait for the message Completed! before continuing.

To review generated events
1. Return to your browser tab with the FortiSIEM GUI and, after all the events are sent, click Pause.

You should only see FortiGate-event-login-success events.

• Make sure Wrap Raw Event is selected.
• Make sure Show Event Type is selected.

2. Examine the Event Details of the raw event log for one of the returned events.

• Once you select the raw event log, a down-arrow icon appears.
• Clicking the arrow icon provides the Show Detail option to view the Event Details associated with that event.

Notice that these FortiGate admin login events contain the Application Protocol (SSH or HTTP), the Source IP, and the User who successfully authenticated.

3. Once you have reviewed the details, close the Event Details dialog box.

To set display fields for analytics
1. Click the Display Fields icon.
2. Click Clear All and then add two new rows for Source IP and User.
3. Add a third row and select Expression Builder.
4. Select COUNT in the Function field and then click the plus icon.
5. Click in the Event Attribute field, select Matched Events, and then click the plus icon.
6. Click Validate. A message stating "Expression is valid" opens.
7. Close the message.
8. Click OK.
9. Click Save to close the dialog box.
10. Click in the search field.
11. In Filters, change the search to be Relative over a 20 minute time period.
12. Click Save & Run.

Notice that all the results so far are for IP addresses that are in the allowed Administrator Workstation IPs group.

13. Edit the search filters and add an extra row for the condition:

Field       Value
Attribute   Source IP
Operator    NOT IN
Value       10.1.50.1, 10.1.50.2, 10.1.50.3, 10.1.50.4, 10.1.50.5

Your search filter should now look like the screenshot in the printed guide.

14. Click Save & Run. This time you will get no results and the message "No report results found".

To create a rule
1. Click the Actions button and then select Create Rule from the drop-down list.
2. In the Rule Name field, enter FortiGate Admin Logon from Non Admin Machine and enter an optional Description.
3. Leave the time window set at 300 seconds.
4. For Category, select Security.
5. Next to the SubPattern field, click the pencil icon.
6. In the Edit SubPattern dialog box, notice the addition of an Aggregate section, which has defaulted to COUNT(Matched Events) >= 1.
7. Click Cancel when done.
8. Next to Action: Defined, click the pencil icon. Notice how the rule creator has added the Group By fields as Incident Attributes.
9. Make sure the User field is added to the Triggered Attributes selected section, and then click Save.
10. Click OK on the Rule dialog box when done.
11. Click the RESOURCES tab, then choose Rules, and then Ungrouped from the left-hand pane.
12. Select the rule FortiGate Admin Logon from Non Admin Machine.
13. Select the check box under the Active column, and then click Continue on the pop-up warning.

To generate events for a rule
1. Navigate to LABS SET 2 on the NSE Institute website and, under Lab 7 – Rules, select Exercise 7.3 – FortiGate Admin Login Events – (Part B).

The output should resemble the screenshot in the printed guide.

To review the incident triggered by the rule
1. Return to your browser tab with the FortiSIEM GUI.
2. Click the INCIDENTS tab.
3. Click List to view the incident table.
4. The new rule has triggered an incident, FortiGate Admin Logon from Non Admin Machine.

Review the incident source, incident target, and details, and then review the events that triggered the rule.

Before proceeding to the next exercise, under the INCIDENTS tab, click Actions > Search and clear all of the selections.

Exercise 4: Enhancing the Rule with a Watch List

In this exercise, you will add a watch list to your rule.

To create a watch list
1. Click the RESOURCES tab.
2. In the left pane, click Watch Lists.
3. Review the various watch lists that are provided out of the box.

For demonstration purposes, we will create a new one.

4. With Watch Lists selected, click the white + icon at the top of the left pane to create a new list.
5. Configure the Create New Watch List Group with the following details, and then click Save:

Field         Value
Group         Suspect Admins
Description   Admin Users who are ignoring compliance rules on FortiGate Administration
Type          String
Expired in    1 week

Your new watch list will appear at the bottom of the list.

To add a rule to the watch list
1. Click Rules > Ungrouped.
2. Find and select FortiGate Admin Logon from Non Admin Machine and click Edit.
3. Beside the Watch Lists option, click the pencil icon to edit.

The Define Watch List dialog box appears.

4. In the Incident Attribute drop-down list, select User.
5. Beside Watch List, in the Available list, select Suspect Admins, and click the right-arrow button to move the selection to the Selected list.
6. Click Save.
7. Click Save again for the rule.

To generate events for the watch list
1. Navigate to LABS SET 2 on the NSE Institute website and, under Lab 7 – Rules, select Exercise 7.4 – FortiGate Admin Login Events – Watch List.

The output should resemble the screenshot in the printed guide.

To review events for the watch list
1. Return to your browser tab with the FortiSIEM GUI, and click the INCIDENTS tab.
2. Click List to view the incident table.
3. Find the new incidents for the rule FortiGate Admin Logon from Non Admin Machine.
4. Review the incident source, incident target, and details.
5. Review the events that triggered the rule.
6. Make a note of the Target column, because it indicates the users.

You can filter the display of incidents to show just FortiGate Admin Logon from Non Admin Machine, as you did in exercises 1 and 2 of Lab 7 – Rules.

7. Click the RESOURCES tab.
8. From the left pane, click Watch Lists > Suspect Admins.

Notice that admin101 and admin103, the admin users referenced in the latest incident, are listed.
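The rule built in Exercise 3 and the watch list added in Exercise 4, as an added example that is neither FortiSIEM's nor Fortinet's code and is not part of the original lab guide: a Python evaluation over constructed FortiGate-style admin login log lines that applies the three filter conditions (Reporting IP = 192.168.3.1, Event Type CONTAIN login-success, Source IP NOT IN the five approved workstations), groups by Source IP and User, fires on COUNT(Matched Events) >= 1 inside the 300-second window, and adds each incident's User to a Suspect Admins list that expires after one week. It goes one step beyond the two exercises by also modelling the rule exception used for tuning in Lab 8 as a list of (attribute, value) pairs. The key=value log layout, log IDs, field names, event-type naming for non-success cases and the timestamps are assumptions.

```python
"""Added example (not FortiSIEM or Fortinet code): evaluate the FortiGate
Admin Logon from Non Admin Machine rule and its watch list over
constructed FortiGate-style log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FORTIGATE_IP = "192.168.3.1"                 # Reporting IP used in the exercise
APPROVED_ADMIN_WORKSTATIONS = {"10.1.50.1", "10.1.50.2", "10.1.50.3",
                               "10.1.50.4", "10.1.50.5"}
WINDOW = timedelta(seconds=300)              # rule time window left at 300 seconds
COUNT_THRESHOLD = 1                          # COUNT(Matched Events) >= 1
WATCH_LIST_TTL = timedelta(weeks=1)          # Suspect Admins "Expired in: 1 week"

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare


def parse_fortigate_line(reporting_ip, line):
    """Flatten a key=value FortiGate log line into an event dict. The event
    type is derived from action/status; the lab shows the success case as
    FortiGate-event-login-success, the same pattern is assumed for others."""
    f = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
         for m in KV_RE.finditer(line)}
    return {
        "reportingIp": reporting_ip,         # syslog sender, not a field in the line
        "eventTime": datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S"),
        "eventType": f"FortiGate-event-{f.get('action')}-{f.get('status')}",
        "srcIpAddr": f.get("srcip"),
        "user": f.get("user"),
        "appProtocol": f.get("method", "").upper(),   # Application Protocol
    }


def rule_filter(ev, exceptions=()):
    """Filters: Reporting IP = FortiGate, Event Type CONTAIN login-success,
    Source IP NOT IN the approved workstations. `exceptions` models the
    Edit Rule Exception tuning: (attribute, value) pairs that suppress the
    rule for events matching any pair."""
    if ev["reportingIp"] != FORTIGATE_IP or "login-success" not in ev["eventType"]:
        return False
    if ev["srcIpAddr"] in APPROVED_ADMIN_WORKSTATIONS:
        return False
    return not any(ev.get(attr) == value for attr, value in exceptions)


def evaluate_rule(events, exceptions=()):
    """Group matched events by Source IP and User and fire one incident per
    group when COUNT_THRESHOLD events fall inside a single WINDOW."""
    groups = defaultdict(list)
    for ev in events:
        if rule_filter(ev, exceptions):
            groups[(ev["srcIpAddr"], ev["user"])].append(ev)
    incidents = []
    for (src, user), evs in groups.items():
        evs.sort(key=lambda e: e["eventTime"])
        for i in range(len(evs)):            # sliding window over sorted times
            j = i
            while j + 1 < len(evs) and evs[j + 1]["eventTime"] - evs[i]["eventTime"] <= WINDOW:
                j += 1
            if j - i + 1 >= COUNT_THRESHOLD:
                incidents.append({"srcIpAddr": src, "user": user, "count": j - i + 1,
                                  "firstSeen": evs[i]["eventTime"],
                                  "appProtocols": sorted({e["appProtocol"] for e in evs[i:j + 1]})})
                break                        # one incident per group per evaluation
    return incidents


def update_watch_list(watch_list, incidents, now):
    """Add each incident's User attribute with an expiry (refreshing it if
    the user is already listed) and drop entries that have expired."""
    for inc in incidents:
        watch_list[inc["user"]] = now + WATCH_LIST_TTL
    return {u: exp for u, exp in watch_list.items() if exp > now}


# Constructed (reporting IP, raw line) pairs: two logins from non-approved
# machines, one from an approved workstation, one failed login, and one
# reported by a different device.
SAMPLE_LOGS = [
    (FORTIGATE_IP, 'date=2018-11-20 time=09:00:01 logid="0100032001" type="event" subtype="system" '
                   'logdesc="Admin login successful" user="admin101" method="ssh" srcip=10.1.60.7 '
                   'dstip=192.168.3.1 action="login" status="success"'),
    (FORTIGATE_IP, 'date=2018-11-20 time=09:01:10 logid="0100032001" type="event" subtype="system" '
                   'logdesc="Admin login successful" user="admin102" method="https" srcip=10.1.50.2 '
                   'dstip=192.168.3.1 action="login" status="success"'),
    (FORTIGATE_IP, 'date=2018-11-20 time=09:02:30 logid="0100032001" type="event" subtype="system" '
                   'logdesc="Admin login successful" user="admin103" method="https" srcip=10.1.60.9 '
                   'dstip=192.168.3.1 action="login" status="success"'),
    (FORTIGATE_IP, 'date=2018-11-20 time=09:03:00 logid="0100032002" type="event" subtype="system" '
                   'logdesc="Admin login failed" user="admin104" method="ssh" srcip=10.1.60.7 '
                   'dstip=192.168.3.1 action="login" status="failed"'),
    ("192.168.3.2", 'date=2018-11-20 time=09:04:00 logid="0100032001" type="event" subtype="system" '
                    'logdesc="Admin login successful" user="admin105" method="ssh" srcip=10.1.60.11 '
                    'dstip=192.168.3.2 action="login" status="success"'),
]

if __name__ == "__main__":
    events = [parse_fortigate_line(ip, line) for ip, line in SAMPLE_LOGS]
    incidents = evaluate_rule(events)
    for inc in incidents:
        print(inc)
    print(update_watch_list({}, incidents, events[-1]["eventTime"]))
```

With the constructed lines, admin101 (from 10.1.60.7) and admin103 (from 10.1.60.9) trigger incidents and land on the watch list; admin102 is on an approved workstation, admin104's login failed, and admin105's event was reported by a different device. Passing exceptions=[("srcIpAddr", "10.1.60.7")] suppresses the first incident in the same way the Edit Rule Exception in Lab 8 suppresses a known-noisy source.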

Exercise 5: Importing a Rule

In this exercise, you will import a rule into FortiSIEM.

To import a rule
1. Click the RESOURCES tab.
2. In the left pane, click Rules.
3. In the left pane, click the white + icon to create a new rule group.

The Create New Rule Group dialog box opens.

4. In the Group field, type Custom_LAB7 and click Save.

The left pane now shows a rule group under Rules called Custom_LAB7.

5. In the left pane, click Custom_LAB7.
6. In the right pane, click Import.

The Import Rule dialog box opens.

7. In the Import Rule dialog box, click Choose file.
8. On the desktop, from the Resources folder, open the LAB-7 folder, select the newrule.xml file, and click Import.

If you experience difficulty in getting the file newrule.xml, ask your instructor for help.

The imported and activated rule will appear in the Rules > Custom_LAB7 group list.

We will use this rule in a later lab.

You have completed Lab 7.

Lab 8: Incidents and Notification Policies

In this lab, you will configure rules to alert on incidents.

Objectives
• Review the incidents page
• Group and tune incidents
• Use the inbuilt ticketing system
• Create custom email templates
• Create notification policies

Time to Complete
Estimated: 90 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or devices, unless notified by the course instructor.

Exercise 1: Reviewing the Incident Table

In this exercise, you will familiarize yourself with the incident table.

To view the Incidents tab
1. From the Student Workstation VM, open the Firefox browser and enter the following URL to access the FortiSIEM GUI: https://10.0.1.130/phoenix/login-html.jsf

There is a link for the FortiSIEM GUI on the browser's Favorites bar.

2. Click the INCIDENTS tab.
3. Click List to view the incident table.
4. Click Actions and select Search from the drop-down list.

By default, Active is selected as the incident status. If you are unable to view any incidents, clear Active; the incident status changes to ALL.

5. Click the Last 2 Hours option to change the time range.
6. Select Relative, in the Last field, type 90, and select Minutes from the drop-down list.

7. Click Apply Time Range.
8. Click the refresh icon and select Refresh Now from the drop-down list.

There should be pages of incidents.

The page auto-refreshes based on your Search selection. There is also an option for manual page refresh.

9. On the Search pane, click Severity, and select High.

The results show a filtered subset of high-severity incidents.

10. On the Search pane, change the following settings:

Field      Value
Severity   All (clear HIGH)
Category   Performance

11. In the left Search pane, click Close.
12. Click Actions and select Display from the drop-down list.
13. From the Display list, select First Occurred and Status.
14. Click Close.
15. On the First Occurred column, click and drag the cursor to the Last Occurred column.

The incident dashboard view now contains the column you added, in the position that you placed it in.

To review the incident clear condition
1. Click Actions and select Search from the drop-down list.
2. Click Status.

Note that only Active status incidents are shown.

3. Click Close.

There are four different incident statuses available. However, a status type is listed only when incidents with that status exist in the selected time range. The available statuses are as follows:

• Active
• Cleared
• External Cleared
• System Cleared

4. For WIN2K8, select the Server Disk Space Critical incident. The incident details will appear.

By default, the Active incident status is selected. If you are unable to find the incident, clear Active; the incident status changes to ALL.

5. Select the Events tab to view the events for this incident.

If you select an incident and the lower pane does not appear, click the up-arrow icon to expand the lower pane manually. You can select the auto-expand option in the lower pane so you don't have to keep manually expanding it for each incident.

6. With the incident Server Disk Space Critical still selected, click Actions and select Edit Rule from the drop-down list.

The Edit Rule dialog box opens.

7. Next to Clear: Defined, click the pencil icon to edit the clear condition.

What do you think this option is actually doing for this rule? See "Appendix: Answer Sheet" on page 219 for the answer.

8. Click Cancel to close the Edit Rule Clear Conditions dialog box.
9. Click Cancel on the Edit Rule dialog box.

To manually clear an incident
1. In the incident Search section, ensure that Active is selected in the Status drop-down list.
2. Select the Server Disk Space Critical incident, click Actions, and click Clear Incident from the drop-down list.

The Clear Selected Incidents dialog box appears.

3. In the Reason text box, type Temp files removed from server by admin to free up space, and click OK.

Note that the Server Disk Space Critical incident for WIN2K8 disappears from the list, because the incident status filter is set to show incidents with an Active status.

4. Click Actions and then click Search from the drop-down list.
5. Click the incident Status and, from the drop-down list, select Cleared Manually and click Close.

Notice that Server Disk Space Critical for WIN2K8 appears again in the main pane with Manually Cleared status.

6. Select the Server Disk Space Critical incident for WIN2K8 with status set to Manually Cleared.

The bottom pane appears with the incident Details. Review Cleared Reason.

7. Click Actions, click Search, and in the incident Status drop-down list, select Active.

Before proceeding to the next exercise, under the INCIDENTS tab, click Actions > Search and clear all of the selections.

Exercise 2: Grouping and Tuning Incidents

In this exercise, you will learn how to group common incidents and how to tune FortiSIEM to reduce the number of incidents produced.

To review grouping of incidents
1. Click the INCIDENTS tab.
2. Click List to view the incident table.
3. Click Actions and select Search from the drop-down list.
4. Click the Last 2 Hours option to change the time range.
5. Select Relative, in the Last field, type 5, and select Hours from the drop-down list.
6. Click Apply Time Range.
7. Beside Status: Active, click the cross icon to change it to All.
8. Click the Incident Name. A drop-down list of different incidents appears. The incidents are grouped, with a count indicating the number of incidents in each group.
9. In the Incident Name section, click Search and type DNS.


This will show a group of incidents with the keyword DNS.
10. Select the Excessive End User DNS Queries incident and click Close.

This will show only incidents for the group Excessive End User DNS Queries.
11. Select one of the incidents, and in the Actions drop-down, click Edit Rule.
12. In the Edit Rule dialog box, in the Conditions section, beside the subpattern ExcessiveDNSFromFlow, click the pencil icon and review the subpattern.

Explain what the rule pattern is looking for. See "Appendix: Answer Sheet" on page 219 for the answer.

13. Click Cancel to close the dialog box and click Cancel to exit the Rule Editor dialog box.

Tune Incidents

To demonstrate the tuning capabilities for the same incident, we will assume incident source 192.168.22.11 is actually an application server that produces a huge amount of DNS queries by design.

To tune incidents
1. Select the incident with IP 192.168.22.11 in the Source column.
2. Click Actions and select Edit Rule Exception in the drop-down list.

The Edit Rule Exception dialog box will open.


3. In the condition section, click the Attribute drop-down list.

Notice the only attribute that can be used for an exception for this particular incident is the Source IP.
4. Add the following condition:

Field       Value
Attribute   Source IP
Operator    =
Value       192.168.22.11

5. Click Save.

This will then suppress and not generate any incidents if this rule triggers for the incident source of 192.168.22.11.
6. Clear this incident (192.168.22.11) and enter a reason when prompted.

Before proceeding to the next exercise, click Actions > Search and clear all of the selections.
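As an added illustration (not from the lab guide or FortiSIEM itself), the following Python sketch models what the exception you just configured does: a per-source threshold subpattern raises incidents, the incident list groups them by name with a count (as in step 8 above), and an exception on Source IP = 192.168.22.11 suppresses the application server's incidents at generation time rather than hiding them afterwards. The threshold, window, event field names and function names are assumptions made for this example.

```python
"""Toy model of rule evaluation, incident grouping and a rule exception.
Added example; the real ExcessiveDNSFromFlow threshold and window are
whatever the lab's Rule Editor shows, the values below are assumed."""
from collections import Counter, defaultdict
from dataclasses import dataclass

DNS_QUERY_THRESHOLD = 100   # assumed: DNS flows per source per window
WINDOW_SECONDS = 300        # assumed: 5-minute evaluation window


@dataclass(frozen=True)
class Incident:
    name: str
    source_ip: str
    count: int
    window_start: int


def evaluate_rule(events, rule_name="Excessive End User DNS Queries",
                  threshold=DNS_QUERY_THRESHOLD, window=WINDOW_SECONDS,
                  exceptions=()):
    """Count DNS flow events per (window, source IP).

    Every bucket that reaches the threshold yields an incident unless an
    exception matches its Source IP. `exceptions` is a sequence of
    (attribute, operator, value) tuples mirroring the Edit Rule Exception
    dialog; only ("Source IP", "=", <ip>) is understood here.
    """
    buckets = defaultdict(int)
    for ev in events:
        if ev.get("eventType") != "DNS-Flow":   # constructed event type name
            continue
        bucket = (ev["ts"] // window * window, ev["srcIp"])
        buckets[bucket] += 1

    incidents = []
    for (start, src), n in sorted(buckets.items()):
        if n < threshold:
            continue
        suppressed = any(attr == "Source IP" and op == "=" and val == src
                         for attr, op, val in exceptions)
        if suppressed:
            continue   # the rule fired, but no incident is generated
        incidents.append(Incident(rule_name, src, n, start))
    return incidents


def group_incidents(incidents):
    """Mirror the INCIDENTS > List grouping: incident name -> count."""
    return Counter(i.name for i in incidents)


def make_events():
    """Constructed sample data, all inside one evaluation window:
    a busy application server, a workstation over the threshold, a quiet
    workstation, and one non-DNS event that the subpattern must ignore."""
    events = []
    for i in range(250):   # application server, noisy by design
        events.append({"ts": 900 + i, "eventType": "DNS-Flow", "srcIp": "192.168.22.11"})
    for i in range(120):   # workstation exceeding the threshold
        events.append({"ts": 900 + i, "eventType": "DNS-Flow", "srcIp": "192.168.22.50"})
    for i in range(10):    # quiet workstation
        events.append({"ts": 900 + i, "eventType": "DNS-Flow", "srcIp": "192.168.22.77"})
    events.append({"ts": 901, "eventType": "Win-Logon-Failure", "srcIp": "192.168.22.11"})
    return events


def tuned_incidents(events=None):
    """Return (incidents before tuning, incidents after the Source IP exception)."""
    events = events if events is not None else make_events()
    before = evaluate_rule(events)
    after = evaluate_rule(events, exceptions=[("Source IP", "=", "192.168.22.11")])
    return before, after


if __name__ == "__main__":
    before, after = tuned_incidents()
    print("before:", dict(group_incidents(before)), [i.source_ip for i in before])
    print("after: ", dict(group_incidents(after)), [i.source_ip for i in after])
```

Run as a script to see the group count drop from 2 to 1 while the workstation's incident survives, which is the behaviour the exception is meant to produce.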


Exercise 3: Using the Built-In Ticketing System

In this exercise, you will learn how to implement the built-in ticketing system.

To review incidents for suspicious activity
1. Click the INCIDENTS tab.
2. Click Actions and select Search from the drop-down list.
3. To clear all selections, on all available options, click the cross icon and set them to ALL.
4. Click the Last 2 Hours option to change the time range.
5. Select Relative, and in the Last field, type 5, and select Hours from the drop-down list.
6. Click Apply Time Range.
7. From the Category drop-down list, click Show all and select Change.
8. Click Close.
9. In the Incident column, select User added to Administrator Group.
10. Click the down arrow and select Add to Filter.


Notice now it only shows incidents with the name User added to Administrator Group.
11. Under the Target column, select Target User: mike.long. This is a suspicious entry.

To create a case using the built-in ticketing system
1. Click Actions and select Create Ticket from the drop-down list.

The New Ticket dialog box opens. Notice that the Incident ID(s), Summary, and Description fields are pre-populated.


2. In the Assignee section, click the pencil icon to select a user.
3. Click the Users folder, select admin from the right pane, and click Save.
4. In the Priority section, select High.
5. In the Due Date field, specify a time in the future.
6. Click Save.


7. Click Actions and select Display from the drop-down list.
8. Select Ticket Status and click Close.

You should be able to see the Ticket Status column as well as the other default columns.
9. In the main FortiSIEM menu, click the CASES tab.

You can see the tickets that are currently open.
10. Select the ticket and click Edit.
11. In the lower pane, add the following text in the Description field and click Save: Who is this user? Needs to be verified.

12. Edit the ticket again and add the following text in the Description field: New admin in IT. Closing case.

13. From the State drop-down list, select Closed.
14. From the Close Code drop-down list, select Solved (Permanent).
15. Click Save.
16. Click Yes on the warning popup.


Notice how the ticket state change is reflected in the table. Also, if you return to the INCIDENTS tab, the Ticket Status column for that incident is set to Closed.


Exercise 4: Creating a Custom Email Template

In this exercise, you will create a custom email template.

To configure email settings
1. Click the ADMIN tab.
2. On the left pane, click General Settings.
3. On the main window, click the System tab and then click the Email tab.
4. In the Email Settings section, complete the following:

Field                  Value
Email Gateway Server   10.0.1.10
Default Email Sender   admin@fsm.local

5. Click Save.

You can test email by sending an email from [email protected] to [email protected]. To view the test email, open the Mozilla Thunderbird email client from the desktop on the Student Workstation.

To create an email template
1. Still under the Email tab, in the Incident Email Template section, click New.

The Email Template dialog box will appear.
2. In the Name field, type FSM_LAB.
3. In the Email Subject field, click the text field, click Insert Content, and then select Status from the drop-down list.


4. At the end of the inserted content, click the text field in Email Subject before inserting more options.
5. Click Insert Content again, and select Rule Name.

6. In the Email Body field, type a combination of text and then use the Insert Content button to reference Rule Name, Rule Description, First Seen Time, Last Seen Time, Incident Source, Incident Target, and Incident Detail.

Note that you can enable HTML Tags to create HTML-based email templates.
7. Click Save.


Exercise 5: Creating a Notification Policy

In this exercise, you will learn how to create a notification policy.

Import a Rule

We have modified a system rule for this lab to work; follow the steps below to import the modified rule.

To import a rule
1. Click the RESOURCES tab.
2. On the left pane, select Rules.
3. From the top right side, click Import.

A dialog box will open for Import Rule.
4. Click Choose file.
5. Click Resources > LAB-8, and select the file Notification_test_rule.xml from the folder on the desktop.

6. Open the Rules folder and select the Ungrouped folder.

Notice the imported rule will be named High Severity IPS Exploit Notification LAB in an active state.

To create a Notification Policy
1. Click the ADMIN tab.
2. In the left pane, click General Settings.
3. In the main window, click the Notification tab, and then click New.
4. In the Rules field, click the down arrow.

The Notification Policy > Define Rule Conditions window opens.
5. Click Rules > Ungrouped.
6. In the Items section, select High Severity IPS Exploit Notification LAB.

7. Click > to move the item to the Selections pane.
8. Click Save.


9. In the Actions section, beside Send Email/SMS to the target users, click the pencil icon to specify a notification action.

The Notification Policy > Define Notification Actions dialog box opens.
10. Click the Add Addr tab.

The Notification Policy > Define Notification Actions > Email Address dialog box opens.
11. In the Method drop-down list, select Email.
12. In the To field, type [email protected].
13. In the Email Template drop-down list, select System Default.

The System Default template is used for this exercise. You can also select the custom email template FSM_LAB, which you created in the previous exercise. Be aware that if you use the custom email template, the results may vary from the images below.
14. Click Save.


15. In the Notification Policy > Define Notification Actions dialog box, click Save.

16. In the Notification Policy dialog box, click Save.
17. In the Enabled column, select the notification policy to enable it.

Generate Incidents to Trigger Notification Policy

For this task, you are using data from lab 3.

To generate incidents to trigger notification policy
1. Return to the browser tab for the NSE Institute website.
2. Navigate to LABS SET 1 and under Lab 3 – Discovery select Exercise 3.6 – Start All Performance and Device Data. Wait approximately 2 minutes for the output. The output should resemble the following sample:


To view notification email
1. On the Student Workstation desktop, open the Mozilla Thunderbird email client.

Mozilla Thunderbird is preconfigured for the email account [email protected]. You will start receiving notification emails from FortiSIEM.

2. Click one of the notification emails. Notifications will appear in the bottom pane as shown in the example below:


Once you complete the lab, deactivate the High Severity IPS Exploit Notification LAB rule because it generates many notification emails. To deactivate the High Severity IPS Exploit Notification LAB rule, click RESOURCES > Rules > Ungrouped > High Severity IPS Exploit Notification LAB. Clear the check box in the Active column.

You have completed Lab 8.


Lab 9: Reporting

In this lab, you will run and schedule reports.

Objectives
• Open reports from the Analytics and the Reports trees
• Schedule reports
• Create custom dashboards
• Explore the various options for dashboards and widgets
• Export and import dashboards
• Create custom CMDB reports

Time to Complete
Estimated: 60 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or devices, unless notified by the course instructor.


Exercise 1: Opening a Report from the Analytics Page

In this exercise, you will open and save reports from the Analytics page.

To load a report
1. On the Student Workstation VM, open the Firefox browser and enter the following URL to access the FortiSIEM GUI: https://10.0.1.130/phoenix/login-html.jsf

There is a link for the FortiSIEM GUI on the browser's Favorites bar.

2. Click the ANALYTICS tab.
3. From the left side of the window, click the folder icon and in the drop-down list, select the Reports folder.

4. Click Reports > Function > Availability.
5. On the right pane, select Device Uptime History and click the right arrow icon.

When you click the right arrow icon, the report will execute.

6. Click the search field.

The Filters editor appears. Notice how the query syntax is prepopulated.


7. In the Time section, select Relative, in the Last field, type 90, and from the drop-down list, select Minutes.
8. Click Save & Run.
9. When the results open, in the Actions drop-down list, select Save Result.

The Save Report window opens.
10. In the Report Name field, replace the text that is there by typing Device Uptime History-only-Results.
11. Leave Save Definition cleared, and in the Save Results for field, type 1, select Hours, and click OK.

An Alert message will appear confirming Save Report result successful and disappear quickly.

To load saved results for a report
1. Click the plus (+) icon to open a new search.
2. Close the [1]:Device Uptime History search tab.

3. In the new [1]:Raw Messages tab, click the folder icon from the left and select Save Results.


In the right pane, note that the Device Uptime History-only-Results report is listed with a date and time stamp.

4. Select the Device Uptime History-only-Results report, click the down arrow, and then click View Result.

5. Review the results (and the speed with which the results came back), and notice the Time selection.

To modify the search query
1. Click the search field.
2. In the existing condition, under the Next column, select AND.
3. In the Row column, click the + icon.
4. Add a second condition using the following values:

Field       Value
Attribute   Reporting IP
Operator    IN

5. In the Value field, click and select Select from CMDB.
6. Click Devices > Network Device > Firewall.
7. In Folders, click >> to add the Firewall folder to Selections.
8. Click OK to close the CMDB window.
9. In the Time section, select Relative; in the Last field, type 1; and from the drop-down, select Hour.
10. Click Save & Run.

To save a report with definition
1. When the results appear, click Actions and select Save Result.


The Save Report window appears.
2. Remove the date and time stamp and only-Results from the report name, and type Device Uptime History - with-Definition to replace the report name.
3. Select the Save Definition check box.
4. In the Save To section, select Frequently Used.

Notice how it defaults to the existing report that was loaded with a date and time stamp on the end.

5. In the Save Results for drop-down, type 1, select Hour, and click OK.
6. Click the folder icon and select Save Results.

Notice that there are now two reports where the results will be stored for 1 hour. One report will contain the results only, and the other report will contain both the results and the definition saved as a report. Results are valid for 1 hour because they are cached, but the definition can be used as a report at any time.
7. In the left pane, click Reports > Frequently Used.
8. In the right pane, in the search bar, type definition.

You should see the report you just saved.


To create a custom report folder
1. Click the RESOURCES tab.
2. In the left pane, click Reports and click the + icon at the top of the pane to create a new report group.
3. In the Group field, type LAB9-Reports.
4. Click Reports > Frequently Used.
5. Under the Items column, in the search bar, type definition.
6. Select Device Uptime History - with-Definition, and click > to move the report to the Selections section.
7. Click Save.

You now have a new LAB9-Reports folder under Reports in the left pane at the bottom.


Exercise 2: Opening a Report from the Report Tree

In this exercise, you will explore the opening and running of reports from the report tree.

To run a report from the report tree
1. Click the RESOURCES tab.
2. On the left pane, click Reports > Function > Change.
3. In the search field, type user account mod.
4. Select the report and click Run.

The Run window will open.
5. On the Report Time Range tab, ensure that Relative is selected, 1 is entered in the Last field, and Hour is selected in the drop-down.
6. Click OK.

The report automatically runs and populates the results in a new tab in ANALYTICS.


7. Review the results.


Exercise 3: Scheduling a Report

In this exercise, you will learn how to schedule a report.

To schedule a report
1. Click the RESOURCES tab.
2. In the left pane, click Reports > Incidents.
3. On the main window, select All Incidents and click More.

4. From the More drop-down list, select Schedule.

5. Complete the following (you may have to scroll down the fields to view the settings):

Field                               Value
Report time range                   Relative, last 1 hour
Schedule Time Range (Start Time:)   Set to 10 minutes ahead of the current time and make sure Local is selected.
Output Format                       PDF
Notification                        Custom Notification (Note that a table for Recipients will appear.)
Recipients                          Click the pencil icon (the Add Notification dialog box will appear.)


Field           Value
Email Address   Click Add (the Add Email dialog box will appear). Enter the email address [email protected] and click Continue.

The Add Email dialog box opens.
6. In the Add Notification dialog box, click OK.

7. In the Schedule dialog box, click OK.


The Scheduled column for the All Incidents report indicates that a report is scheduled.

To explore other options to schedule a report
1. To illustrate an alternative method to schedule a report, select the All Incidents report, and in the bottom pane, click the Schedule tab.

Notice the existing report schedule is already present.


2. Click the + icon. Notice that the same Schedule dialog box shown above will open.
3. Click Cancel.
4. Click Scheduled for. Both the pencil and bin icons will become active. You can use the pencil icon to modify the schedule of the report.

You can use the bin icon to delete the schedule for the report.

Do not delete the schedule for the report.

5. After ten minutes, you can verify the delivery of the scheduled report to the student email box by opening the Mozilla Thunderbird email client from the student workstation.

You should receive the All Incidents report in PDF format after approximately 10 minutes.


Exercise 4: Creating Custom Dashboards

In this exercise, you will create a custom dashboard.

To create a custom dashboard folder
1. Click the DASHBOARD tab.
2. Click the drop-down menu on the left.
3. Click New.

The Create Dashboard Folder dialog box will open.
4. In the Name field, type LAB-9-Dashboard and click Save.

The LAB-9-Dashboard group will open and also be added to the dashboard type drop-down list.

To add a summary dashboard
1. On the LAB-9-Dashboard window, click the plus icon to the right of the dashboard drop-down.


The Create New Dashboard dialog box will open.
2. In the Name field, type Lab9-Summary.
3. In the Type drop-down list, select Summary Dashboard and click Save.

The Lab9-Summary dashboard will open. You have a blank canvas in the format of the All Device summary dashboards.
4. In the Lab9-Summary tab, click the select devices icon.

The Select devices for display dialog box will open.
5. In the Available Devices list, search for the following devices:
• WIN2K8 (192.168.0.40)
• WIN2008-ADS (192.168.0.10)
• QA-EXCHG (172.16.10.28)
• THREATCTR (10.1.1.41)


6. Use the right arrow key to move the devices to the Selected Devices list.
7. Click OK.
8. Change the severity selection from Critical + Warning to All.

Your new summary dashboard is filtered for only the devices you added.

9. In the Perf status column for WIN2K8, hover your mouse cursor over and to the right. A trend icon will appear indicating Disk Capacity Util->Critical, Free Disk MB->Critical.


To add a widget dashboard
1. On the LAB-9-Dashboard tab, click the plus icon to the right of the dashboard drop-down.

The Create New Dashboard dialog box opens.
2. In the Name field, type Lab9-Widget.
3. In the Type drop-down list, select Widget Dashboard.
4. Click Save.

The Lab9-Widget dashboard will be created. In the main window, you will have a blank canvas.
5. In the Lab9-Widget tab, click the plus icon.

The Report selector pop-up will appear from the left.
6. In the left pane, click the Reports folder.
7. Use the search field to find the following reports and then add them by clicking the right arrow icon. (You must add the reports one report at a time):
• Top Network Devices By CPU, Memory Util
• Top Devices By Failed Login
• Firewall Permit: Top Outbound Ports By Bytes


The right arrow icon will appear once you select a report.

8. In the Lab9-Widget tab, click the plus icon.

9. Select the CMDB Reports folder.
10. Click the arrow icon to add a widget for the Not Approved Devices report.

To explore widget dashboard options
1. On the top right, click the Layout columns drop-down list, and change the layout to a 2 (column display).
2. Hover your mouse cursor over the title bar of the Top Network Devices By CPU, Memory Util widget and, on the right side, click the middle icon (Edit settings).

The Settings dialog box will open.

3. In the Display drop-down list, select Table View.
4. In the Display Settings section:
a. Drag the AVG(CPU Util) slider on the left to around 25%.


b. Drag the AVG(CPU Util) slider on the right to around 60%.

5. Click Save. The results are colored to reflect the seriousness of the value.

You can influence the colors on these widgets and change the thresholds for what values should be reported: red, yellow, and green. Will these new adjusted values for AVG CPU determine what threshold rules will trigger for these devices? See "Appendix: Answer Sheet" on page 220 for the answer.


6. On the Top Devices By Failed Login widget, click the settings icon and change the display to Aggregation View (Donut).
7. Change the Firewall Permit: Top Outbound Ports By Bytes widget to an Aggregation View (Bar).

You can restrict user access to this dashboard group using role management.


Exercise 5: Exploring Dashboard Drill Down Capabilities

In this exercise, you will explore the drill down capabilities of the dashboards.

To drill down on dashboard content
1. Click the DASHBOARD tab.

Only follow steps 2, 3, and 4 if you are not on the DASHBOARD > LAB-9-Dashboard > Lab9-Widget page. If you are already on this page, then clicking these options again will prompt you to change the name of the dashboards. If you are on the Lab9-Widget page, then proceed to step 5.
2. Click the dashboard type drop-down on the left.
3. Click LAB-9-Dashboard from the bottom of the list.
4. Click Lab9-Widget.
5. On the Top Network Devices By CPU, Memory Util widget, select device FortiGate90D.
6. Click the blue down arrow and select Drill down to Analytics.

This takes you to the ANALYTICS tab.
7. Click the search field.

What is the query looking at? See "Appendix: Answer Sheet" on page 220 for the answer.

8. Look at the Time selection.


What has the time criteria been prepopulated to run over and where did this value come from? See "Appendix: Answer Sheet" on page 220 for the answer.

9. Click Save & Run to run the search.
10. View the results.

To explore another dashboard drill down example
1. Click the DASHBOARD tab.
2. Click the dashboard type drop-down on the left.
3. Click LAB-9-Dashboard from the bottom of the list.
4. Click Lab9-Widget.
5. On the Firewall Permit: Top Outbound Ports By Bytes widget, click the magnifying glass icon.

What was the result of this action? See "Appendix: Answer Sheet" on page 220 for the answer.

How does this differ from the analytic query produced from step 7 of the previous task? See "Appendix: Answer Sheet" on page 221 for the answer.


Exercise 6: Importing and Exporting Dashboards

In this exercise, you will learn how to export and import dashboards.

To export a dashboard

1. Click the DASHBOARD tab.
2. Click the dashboard type drop-down on the left.
3. Click LAB-9-Dashboard.
4. Click Lab9-Widget.
5. On the top right of the main window, click the export icon.

6. When prompted, click Save File and then OK. Dashboard.xml is exported to your Downloads folder.

To import a dashboard

1. Click the DASHBOARD tab.
2. Click the dashboard type drop-down on the left.
3. Click New.

The Create Dashboard Folder dialog box will appear.

4. In the Name field, type Lab9-Shared Dashboard and click Save.

5. In LAB-9-Dashboard, click the plus icon to the right of the dashboard drop-down.
6. In the Name field, type Lab9-Shared-Widget.
7. In the Type drop-down list, select Widget Dashboard.


8. Click Save.
9. In Lab9-Shared-Widget, click the import icon.

The Import Dashboard dialog box will open.

10. Click Browse to choose the Dashboard.xml file in your Downloads folder, and click Import.

11. When the message displays confirming that the import succeeded, click OK.

You should now see that the custom dashboard has been imported.

You can give access to this dashboard group to all users through role management.


Exercise 7: Running CMDB Reports

In this exercise, you will run existing CMDB reports.

To run a CMDB report

1. Click the CMDB tab and in the left pane, click CMDB Reports.
2. Find the report CMDB Device Types in the list and click Run.

This gives a report of all the different vendors, models, versions, and counts in the CMDB.

3. Click Back.
4. Find the report Router/Switch Inventory and then click Run.
5. Review the results, and when done, click Back.
6. Find the report Active Rules and click Run.

Note that other kinds of data, such as rules, users, and device monitoring jobs, can also be reported on through this feature.


Exercise 8: Building a Custom CMDB Report

In this exercise, you will create a custom CMDB report.

To create a CMDB report

1. Click the RESOURCES tab.
2. On the left pane, click Rules > Ungrouped.
3. Find the rule named High Severity IPS Exploit Notification LAB and click Edit.

Note that there are some remediation steps for an operator to follow if this rule is triggered.

4. Once you have reviewed the rule, click Cancel.
5. Click the CMDB tab and return to CMDB Reports.
6. Click New.
7. In the Report Name field, type Rules with Remediation Instructions.
8. From the Target drop-down list, select RULE.
9. In the Conditions section, define the following:

Field        Value
Attribute    Rule Remediation
Operator     CONTAIN
Value        deactivate

10. In the Display Columns section, click Row to add an additional attribute, and then add the following attributes:

• Rule Name
• Rule Description
• Rule Remediation


11. Click Save.
12. In the CMDB Reports folder, find Rules with Remediation Instructions, and click Run.

You should see that only the rule you created currently has remediation instructions.

You can easily find custom CMDB reports by ordering the Scope field. All out-of-the-box reports are itemized as System and your reports as User.

You have completed Lab 9.


Lab 10: Business Services

In this lab, you will create a business service.

Objectives

• Create a business service
• Monitor a business service
• Report on a business service

Time to Complete

Estimated: 45 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or devices, unless notified by the course instructor.


Exercise 1: Creating a Business Service

In this exercise, you will create a new business service.

To create a business service

1. Log in to FortiSIEM, click the CMDB tab, and in the left pane, select Business Services.
2. On the main window, click New.
3. In the Name field, type Patient Services.
4. On the New Business Service window, on the left pane, click Applications > User App > Database.
5. On the Apps pane, select Microsoft SQL Server.
6. On the Select running on instance pane, select Microsoft SQL Server (WIN2K8) 192.168.0.40.
7. On the Select adjacent network devices pane, select SJ-Main-Cat6500.
8. Click the > button to move the selections to the Selected Devices/Apps pane.

9. On the left pane, click Applications > User App > Mail Server.
10. On the Apps pane, find and select MS Exchange Information store in the list.
11. On the Select running on instance pane, select the device with access IP 172.16.10.28.
12. Click the > button to move the selected device to the Selected Devices/Apps pane.
13. On the Select adjacent network devices pane, select JunOS-3200-1.
14. Click the > button to move the selected device to the Selected Devices/Apps pane.


15. On the left pane, click Devices > Network Device > Firewall.
16. On the Select Devices pane, select FG240D3913800441.
17. Click the > button to move the selected device to the Selected Devices/Apps pane.


18. Click Save.
19. To review the added devices, click Business Services > Ungrouped > Patient Services.


Exercise 2: Monitoring Business Service Incidents

In this exercise, you will learn methods of monitoring business services.

To monitor a business service

1. Click the INCIDENTS tab.
2. Click List to view the incident table.
3. On the main window, in the Actions drop-down list, click Display.

You should be able to see an extra field, BizService, added to the display column selection pane.

4. Select BizService and click Close.

To modify a system rule for business services

1. Click the RESOURCES tab and on the left pane, click Rules.

For the labs to work, you need to edit two rules.

2. In the search field, type vulnerability.


3. Select Scanner found severe vulnerability and click Edit.
4. In the Conditions section, click the pencil icon next to ScannerHighSev.

5. In the Filters section, add a row above the existing Event Severity entry, and add the following condition:

Field        Value
Attribute    Reporting Model
Operator     CONTAINS
Value        Nessus

6. Under the Paren column to the left of the Reporting Vendor attribute, click the plus (+) icon.
7. Under the Paren column to the right of the Reporting Model attribute, click the plus (+) icon.


8. Change the Event Severity attribute Value to 6.
9. Under the Next column, make the following selections:

Field               Value
Reporting Vendor    OR
Reporting Model     AND

10. In the Group By section, add a row under Host Name.
11. In the new attribute field, type Host IP.

12. Click Save to close the EditSubPattern window.
13. In the Actions section, click the pencil icon to edit.

14. Under Incident Attributes, add an extra row (at the bottom) and add the following values:

Field               Value
Event Attribute     Host IP
Subpattern          ScannerHighSev
Filter Attribute    Host IP


15. Click Save and then click Save again.

Since FortiSIEM does not allow you to overwrite the out-of-the-box system rules, the system will prompt you to save the rule with a different name. (By default, it will add a date stamp.)

16. Remove the date stamp, add LAB10, and click OK.

17. Under the Active column, clear the check box next to Scanner found severe vulnerability, and click Continue. The original system rule will be disabled.

18. Under the Active column, select the check box beside the modified rule, and click Continue when prompted.
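The sub-pattern filter built in steps 5 to 11, written out as an added Python example (this is not FortiSIEM code) so that the effect of the Paren and Next columns is visible. The sample events are constructed; the lab does not state the value of the existing Reporting Vendor condition or the operator on Event Severity, so "Tenable" and ">=" below are assumptions.

```python
"""Added example: the edited ScannerHighSev sub-pattern expressed as plain Python.
Not FortiSIEM code; all event records below are constructed for illustration."""
from collections import defaultdict

VENDOR_MATCH = "Tenable"   # assumed value of the existing Reporting Vendor condition
MODEL_MATCH = "Nessus"     # condition added in step 5
MIN_SEVERITY = 6           # step 8 sets the value; ">=" is an assumption

# Constructed sample events. Host names and IPs mirror the lab's devices.
EVENTS = [
    {"Reporting Vendor": "Tenable", "Reporting Model": "Nessus",
     "Event Severity": 9, "Host Name": "WIN2K8", "Host IP": "192.168.0.40"},
    {"Reporting Vendor": "Tenable", "Reporting Model": "Nessus",
     "Event Severity": 7, "Host Name": "WIN2K8", "Host IP": "192.168.0.40"},
    {"Reporting Vendor": "Unknown", "Reporting Model": "Nessus",
     "Event Severity": 8, "Host Name": "QA-EXCHG", "Host IP": "172.16.10.28"},
    {"Reporting Vendor": "Tenable", "Reporting Model": "Nessus",
     "Event Severity": 3, "Host Name": "QA-EXCHG", "Host IP": "172.16.10.28"},
    {"Reporting Vendor": "Unknown", "Reporting Model": "Other",
     "Event Severity": 9, "Host Name": "SJ-Main-Cat6500", "Host IP": "10.1.1.1"},
]


def matches_scanner_high_sev(event):
    """Filter after the edit:
         ( Reporting Vendor CONTAINS VENDOR_MATCH OR Reporting Model CONTAINS "Nessus" )
         AND Event Severity >= 6
    The Paren column (steps 6 and 7) places the parentheses; the Next column
    (step 9) supplies OR after the first row and AND after the second."""
    vendor_ok = VENDOR_MATCH in event.get("Reporting Vendor", "")
    model_ok = MODEL_MATCH in event.get("Reporting Model", "")
    return (vendor_ok or model_ok) and event.get("Event Severity", 0) >= MIN_SEVERITY


def matches_without_parens(event):
    """The same three rows with no parentheses, under the usual precedence where
    AND binds tighter than OR: a vendor match alone fires regardless of severity.
    Included only to show why steps 6 and 7 matter."""
    vendor_ok = VENDOR_MATCH in event.get("Reporting Vendor", "")
    model_ok = MODEL_MATCH in event.get("Reporting Model", "")
    return vendor_ok or (model_ok and event.get("Event Severity", 0) >= MIN_SEVERITY)


def group_incidents(events, predicate):
    """Group By Host Name, Host IP (steps 10 and 11): one incident key per host,
    carrying the count of matching events and the highest severity seen."""
    groups = defaultdict(lambda: {"count": 0, "max_severity": 0})
    for ev in events:
        if predicate(ev):
            key = (ev["Host Name"], ev["Host IP"])
            groups[key]["count"] += 1
            groups[key]["max_severity"] = max(groups[key]["max_severity"],
                                              ev["Event Severity"])
    return dict(groups)


if __name__ == "__main__":
    for key, info in group_incidents(EVENTS, matches_scanner_high_sev).items():
        print(key, info)
```

With the parentheses in place, the low-severity Tenable event for QA-EXCHG is dropped and each host produces a single grouped incident; without them, that event would match on the vendor alone.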

To modify a second system rule for business services

1. In the search field, type sql server db, and select the rule Excessively Slow SQL Server DB Query.
2. Click Clone.
3. Delete the date stamp, add LAB10, and click Save.


4. Under the Active column, clear the check box beside the original Excessively Slow SQL Server DB Query rule, and click Continue when prompted.
5. Select the cloned rule and click Edit.
6. In the Conditions field, beside the LongQuery subpattern, click the pencil icon.
7. In the Group By section, add an extra row under Host Name.
8. In the Attribute field, type Host IP.

9. Click Save to close the EditSubPattern window.
10. In the Actions section, click the pencil icon to edit.
11. Add an extra row below Host Name and add the following values in the Incident Attributes section:

Field               Value
Event Attribute     Host IP
Subpattern          LongQuery
Filter Attribute    Host IP


12. Click Save and then click Save again to close the rule editor.
13. Click OK again if you get a warning that the rule has been changed.

14. In the Active column, select the check box beside the cloned version of the rule, and click Continue when prompted.

To trigger business service-related incidents

1. Open a new browser tab, and navigate to the NSE Institute website.
2. Under LABS SET 2 and Lab 10 – Business Services, select Exercise 10.1 – Trigger Business Service Related Incidents.

Wait for approximately 2 minutes. The output should resemble the following:

To review business service incidents

1. Return to the FortiSIEM GUI.
2. Click the INCIDENTS tab.

Under the BizService column, you should see some incidents that have the Patient Services name.


3. In the main window, in the Actions drop-down list, click Search.

The Search pane opens.

4. From the Search pane, click BizService, select Patient Services from the drop-down list, and click Close.

The selection should be as below:

By default, Incident Status is set to Active incidents. If you are unable to view any incident, clear the Active status to change the selection to ALL.

5. Click the refresh icon and select Refresh Now in the drop-down list.

You should notice several incidents related to devices in this business service.

6. Review a few of the incidents.

What service was stopped? See "Appendix: Answer Sheet" on page 221 for the answer.


Which devices had a severe vulnerability detected? See "Appendix: Answer Sheet" on page 221 for the answer.


Exercise 3: Using the Business Service Dashboard

In this exercise, you will learn how to create and view business services through dashboards and searches.

To create a business services dashboard group

1. Click the DASHBOARD tab.
2. On the left side of the window, click the drop-down list and select NEW.

3. In the Name field, type BizService Dashboard.

To create a business services dashboard

1. To the right of the dashboard drop-down list, click the plus icon.

2. In the Name field, type Patient Services.
3. In the Type drop-down list, select Business Service Dashboard.
4. Click Save.


5. Click the select business service icon in the top right-hand corner of the window. The Select Business Service window opens.
6. On the Available Services pane, select Patient Services and click > to move Patient Services to the Selected Services pane.

7.   Click Save.

The summary dashboard for Patient Services will look like this:

To view business services dashboard details

1. On the summary dashboard, select Patient Services. The Impacted Devices pane will open at the bottom of the window to display the list of impacted devices for Patient Services.


2. In the Impacted Devices section, click WIN2K8, and then click the Incidents column.

The Incidents for WIN2K8 window opens.

Can you identify the SQL query that was running slow? See "Appendix: Answer Sheet" on page 221 for the answer.

To reference business services in an analytics search

1. Click the ANALYTICS tab and click the search field to edit the condition.


Make sure the search field is empty (it may contain text from another exercise).

2. In the Filters editor, enter the following values to create a new query:

Field        Value
Attribute    Reporting IP
Operator     IN

3. Click inside the Value field and select Select from CMDB.
4. Click Business Services > Ungrouped and select Patient Services.

5. Click > to move Patient Services to the Selections section, and click OK.
6. Add another row and add the following values:

Field        Value
Attribute    Event Type
Operator     CONTAIN
Value        FileMon

7. In the Time section, select Relative, in the Last field, type 1, and in the drop-down list, select Hour.

8.   Click Save & Run.


This drills down into the Windows Agent events being collected.

If you get no results to any search, simply run the search over a longer time period.

Can you identify the files that were added on the QA-EXCHG or WIN2K8 machines? See "Appendix: Answer Sheet" on page 221 for the answer.

• Make sure Wrap Raw Event is selected.
• Make sure Show Event Type is selected.

You have completed Lab 10.


Appendix: Answer Sheet

Lab 1 - Introduction to FortiSIEM

Exercise 1: Creating Roles

Question: Review the information in the Data Conditions and CMDB Report Conditions sections for this role. What do you understand about these fields?

Answer:
Data Conditions - Restrict what data a role can see in the GUI, such as restricting auditors to just events reported by Server devices (such as Windows devices), or restricting access to some dashboards, for example the Network Dashboard.
CMDB Report Conditions - Restrict what data is available in CMDB Reports, such as allowing a device inventory report of only Server devices.

Lab 2 - SIEM & PAM Concepts

Exercise 1: Reviewing Incoming Data

Question: Which users had failed logins?

Answer: admin and fred

Exercise 2: Structured Data

Question: Make a note of each field header in the table.


Answer: Event Receive Time, Reporting IP, Event Type, Raw Event Log.

Question: Which attribute relates to the device IP that sent the data?

Answer: Reporting IP

Question: Which event type relates to a login failure?

Answer: FortiGate-event-login-failure

Question: Which attribute provides the local time when FortiGate actually logged the event?

Answer: Device Time

Question: What are the Reporting Model and Reporting Vendor attributes of the event?

Answer: Reporting Model: FortiOS; Reporting Vendor: Fortinet

Question: What attribute did FortiSIEM map this to in the structured view?

Answer: Application Protocol

Question: Who made a successful authentication? And what attribute was this field mapped to in the structured view?


Answer: admin was mapped to the User attribute.

Exercise 3: Event Classification

Question: Make a note of the Member of field.

Answer: /Security/Logon Success/Dev Logon Success

Question: Make a note of the Description.

Answer: Successful admin logon

Question: What do you notice about this particular event?

Answer: It's a member of two groups: /Security/Logon Failure/Dev Account Locked and /Security/Logon Failure/Domain Account Locked. Therefore, events can belong to more than one group/category.

Exercise 4: Event Enrichment

Question: What is the value in the Member of field?

Answer: /Security/Logon Failure/Dev Logon Failure


Question: Does it contain any country related information?


Answer: Yes

Question: Where did this information come from?

Answer: The internal geolocation database

Question: Is there a Source Country or Destination Country populated for this event? If not, why?

Answer: No, these are internal RFC 1918 addresses.

Question: Is there now a Reporting City, Destination City, Destination Country, and Destination State populated? If so, why?

Answer: Yes, since country related event enrichment can also occur for internal RFC 1918 addresses if these values are set on an asset in the CMDB.
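The enrichment behaviour described in the last two answers (no geolocation for internal addresses unless the CMDB asset carries a location), as an added Python example. This is not FortiSIEM code; the geolocation table, the CMDB entries and their location values are constructed for illustration, and the attribute names follow the lab's Source/Destination/Reporting naming.

```python
"""Added example: location enrichment with an RFC 1918 check and a CMDB fallback.
Not FortiSIEM code; both lookup tables below are constructed."""
import ipaddress

LOCATION_FIELDS = ("Country", "State", "City")

# The three RFC 1918 private ranges.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for the internal geolocation database, using documentation ranges.
GEO_DB = {
    ipaddress.ip_network("203.0.113.0/24"): {"Country": "Australia", "State": "NSW", "City": "Sydney"},
    ipaddress.ip_network("198.51.100.0/24"): {"Country": "Canada", "State": "ON", "City": "Ottawa"},
}

# Constructed CMDB assets keyed by access IP. Host names and IPs come from the lab;
# the location values are made up, and only WIN2K8 has them set.
CMDB_ASSETS = {
    "192.168.0.40": {"Host Name": "WIN2K8", "Country": "United States", "State": "CA", "City": "Sunnyvale"},
    "172.16.10.28": {"Host Name": "QA-EXCHG"},
}


def is_rfc1918(ip):
    """True only for the three RFC 1918 ranges (narrower than ip_address().is_private,
    which also covers loopback, link-local and other reserved space)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


def locate(ip):
    """Return the location fields known for ip, or an empty dict.
    Internal addresses never consult the geolocation database: whatever the CMDB
    asset carries is all there is."""
    if is_rfc1918(ip):
        asset = CMDB_ASSETS.get(ip, {})
        return {f: asset[f] for f in LOCATION_FIELDS if f in asset}
    addr = ipaddress.ip_address(ip)
    for net, loc in GEO_DB.items():
        if addr in net:
            return dict(loc)
    return {}


def enrich(event):
    """Populate <Role> Country/State/City for every <Role> IP present in the event."""
    out = dict(event)
    for role in ("Source", "Destination", "Reporting"):
        ip = event.get(f"{role} IP")
        if ip:
            for field, value in locate(ip).items():
                out[f"{role} {field}"] = value
    return out


if __name__ == "__main__":
    print(enrich({"Source IP": "203.0.113.7", "Destination IP": "172.16.10.28"}))
    print(enrich({"Source IP": "10.1.1.1", "Destination IP": "192.168.0.40"}))
```

The first sample event gets a Source Country from the geolocation table but no Destination Country, because QA-EXCHG has no location set in the CMDB; the second gets Destination fields only because the WIN2K8 asset carries them.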

Exercise 5: Reviewing Performance Events

Question: Which attributes relate to the up-time and downtime of the device?

Answer:
• RAW: sysUpTime, sysDownTime
• Attribute: System Uptime, System Downtime

Question: What attribute relates to how often the event is collected?

Answer: Polling Interval


Question: Which attribute relates to the memory utilization of the device?

Answer: Memory Util

Question: How often is the memory utilization event collected?

Answer: Every 180 seconds (or 3 minutes)

Question: Which attributes relate to the interface name and interface utilization?

Answer:
• Host Interface Name
• Recv Interface Util
• Sent Interface Util

Question: Why are there four interface utilization events?

Answer: The device has 4 network interfaces (one event per interface).

Lab 3 – Discovery

Exercise 1: Auto Log Discovery

Question: Why are the names different, do you think?

Answer: The FortiGate logs contain the name of the device reporting the data (devname=x), and hence the parser reads this and maps it to an attribute named Reporting Device Name.


The Cisco ASA logs do not contain the name, so the default behavior is to name the device HOST-