
DO NOT REPRINT

© FORTINET

FortiSIEM Lab Guide
for FortiSIEM 5.1
Fortinet Training
http://www.fortinet.com/training

Fortinet Document Library
http://docs.fortinet.com

Fortinet Knowledge Base
http://kb.fortinet.com

Fortinet Forums
https://forum.fortinet.com

Fortinet Support
https://support.fortinet.com 

FortiGuard Labs
http://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)
https://www.fortinet.com/support-and-training/training/network-security-expert-program.html

Feedback
Email: courseware@fortinet.com

11/20/2018

TABLE OF CONTENTS

Virtual Lab Basics 6
Network Topology 6
Lab Environment 6
Remote Access Test 7
Logging In 8
Disconnections and Timeouts 10
Screen Resolution 10
Sending Special Keys 11
Student Tools 12
Troubleshooting Tips 12
Lab 1: Introduction to FortiSIEM 15
Exercise 1: Creating Roles 16
Exercise 2: Creating New Users 22
Exercise 3: Changing Local User Passwords 25
Lab 2: SIEM Concepts and PAM Concepts 27
Exercise 1: Reviewing Incoming Data 28
Exercise 2: Structured Data 31
Exercise 3: Event Classification 34
Inspect Event Classification 34
Exercise 4: Event Enrichment 36
Exercise 5: Reviewing Performance Events 41
Lab 3: Discovery 44
Exercise 1: Auto Log Discovery 45
Exercise 2: Adding Credentials and IP Ranges for a Single Device 49
Prediscovery Preparation 50
Exercise 3: Discovery of a Single Device 52
Faking Performance Data 53
Exercise 4: Adding a Privileged Credential for Configuration Pulling 56
Exercise 5: Performing Discovery of Other Lab Devices 60
Prepare the Fake Devices for Discovery 62
Exercise 6: Bringing in Fake Data 66
Lab 4: FortiSIEM Analytics 70
Exercise 1: Getting to Know the Real-Time Search 71
Exercise 2: Search Operators 75
Exercise 3: Historical Keyword Search 77
Exercise 4: Single Search Condition 79
Exercise 5: Multiple Search Conditions 81
Exercise 6: Using the Contain Operator 82
Exercise 7: Using the IN/NOT IN Operators 84
Exercise 8: Using the IS Operator 86
Exercise 9: Using the Greater Than Operator 89
Lab 5: CMDB Lookups and Filters 90
Exercise 1: Selecting Devices from CMDB 91
Exercise 2: Searching for Particular Categories of Events 97
Exercise 3: Expert Challenge 101
Lab 6: Group By and Aggregation 104
Exercise 1: Grouping By Single and Multiple Attributes 105
Exercise 2: Adding Aggregating Data 110
Exercise 3: Expert Challenge 115
Lab 7: Rules 117
Exercise 1: Exploring a Simple Rule Example 118
Exercise 2: Exploring a Performance Rule Example 123
Exercise 3: Creating a Rule 131
Exercise 4: Enhancing the Rule with a Watch List 137
Exercise 5: Importing a Rule 140
Lab 8: Incidents and Notification Policies 142
Exercise 1: Reviewing the Incident Table 143
Exercise 2: Grouping and Tuning Incidents 150
Exercise 3: Using the Built-In Ticketing System 153
Exercise 4: Creating a Custom Email Template 158
Exercise 5: Creating a Notification Policy 160
Lab 9: Reporting 165
Exercise 1: Opening a Report from the Analytics Page 166
Exercise 2: Opening a Report from the Report Tree 171
Exercise 3: Scheduling a Report 173
Exercise 4: Creating Custom Dashboards 177
Exercise 5: Exploring Dashboard Drill Down Capabilities 184
Exercise 6: Importing and Exporting Dashboards 187
Exercise 7: Running CMDB Reports 189
Exercise 8: Building a Custom CMDB Report 190
Lab 10: Business Services 192
Exercise 1: Creating a Business Service 193
Exercise 2: Monitoring Business Service Incidents 195
Exercise 3: Using the Business Service Dashboard 203
Appendix: Answer Sheet 208
Lab 1 - Introduction to FortiSIEM 208
Lab 2 - SIEM & PAM Concepts 208
Lab 3 – Discovery 212
Lab 4 – Introduction to Analytics 214
Lab 5 – CMDB Lookups and Filters 215
Lab 6 – Group By and Aggregation 216
Lab 7 – Rules 217
Lab 8 – Incidents and Notification Policies 219
Lab 9 – Reporting 220
Lab 10 – Business Services 221
Virtual Lab Basics

In this course, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab
and its virtual machines. It also shows the topology of the virtual machines in the lab.

If your trainer asks you to use a different lab, such as devices physically located in your
classroom, then ignore this section. This section applies only to the virtual lab
accessed through the Internet. If you do not know which lab to use, please ask your
trainer.

Network Topology

Lab Environment

Fortinet's virtual lab for hands-on exercises is hosted in remote data centers that give each student their own
training lab environment, or point of delivery (PoD).

FortiSIEM 5.1 Lab Guide 6


Fortinet Technologies Inc.
Remote Access Test

Before starting any course, check that your computer can connect to the remote data center successfully. The
remote access test verifies whether your network connection and your web browser can support a reliable
connection to the virtual lab.

You do not have to be logged in to the lab portal in order to run the remote access test.

To run the remote access test


1. From a browser, access the following URL:
https://use.cloudshare.com/test.mvc

If your computer connects successfully to the virtual lab, you will see the message All tests passed!:

2. Inside the Speed Test box, click Run.


The speed test begins. Once complete, you will get an estimate of your bandwidth and latency. If those
estimates are not within the recommended values, you will get an error message:


Logging In

After you run the remote access test to confirm that your system can run the labs successfully, you can proceed to
log in.

You will receive an email from your trainer with an invitation to auto-enroll in the class. The email will contain a
link and a passphrase.

To log in to the remote lab


1. Click the login link provided by your instructor over email.
2. Enter your email address and the class passphrase provided by your trainer over email, and then click Login.

3. Enter your first and last name.


4. Click Register and Login.

Your system dashboard appears, listing the virtual machines (VMs) in your lab topology.

5. To open a VM from the dashboard, do one of the following:


• From the top navigation bar, click a VM's tab.
• From the box of the VM you want to open, click View VM.

Follow the same procedure to access any of your VMs.

When you open a VM, your browser uses HTML5 to connect to it. Depending on the VM you select, the web
browser provides access to either the GUI of a Windows or Linux VM, or the CLI-based console access of a
Fortinet VM.


For most lab exercises, you will connect to a jumpbox VM, which can be either a Windows or a Linux VM.
From the jumpbox VM, you will connect over HTTPS and SSH to all other Fortinet VMs in the lab
environment.

Disconnections and Timeouts

If your computer’s connection to the VM times out or closes, to regain access, return to the window or tab that
contains the list of VMs for your session, and reopen the VM.

If that fails, see Troubleshooting Tips on page 12.

Screen Resolution

The GUIs of some Fortinet devices require a minimum screen size.

To configure screen resolution in the HTML5 client, use the Resolution drop-down list on the left. You can also
change the color depth:


Sending Special Keys

You can use the Virtual Keyboard panel to either send the Ctrl-Alt-Del combination, or the Windows key:

From the Virtual Keyboard panel, you can also copy text to the guest VM's clipboard:


Student Tools

There are three icons on the left for messaging the instructor, chatting with the class, and requesting assistance:

Troubleshooting Tips

• Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or high-
latency connections.
• Prepare your computer's settings by disabling screen savers and changing the power saving scheme so that your
computer is always on, and does not go to sleep or hibernate.
• For best performance, use a stable broadband connection, such as a LAN.

• You can run a remote access test from within your lab dashboard. It will measure your bandwidth, latency and
general performance:

• If the connection to any VM or the virtual lab portal closes unexpectedly, try to reconnect. If you can't reconnect,
notify the instructor.
• If you can't connect to a VM, on the dashboard, open the VM action menu, and select Reset:

• If that does not solve the access problem, you can try to revert the VM back to its initial state. Open the VM action
menu, and select Revert:

Reverting to the VM's initial state will undo all of your work. Try other solutions first.


• During the labs, if the VM is waiting for a response from the authentication server, a license message similar to the
following example appears:

To expedite the response, enter the following command in the CLI:

execute update-now

Lab 1: Introduction to FortiSIEM

In this lab, you will examine role-based access control (RBAC).

Objectives
• Create a role
• Create new users
• Apply roles to users
• Change local passwords

Time to Complete
Estimated: 15 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.

Exercise 1: Creating Roles

In this exercise, you will create a manager role.

To clone a system-defined role

1. Log in to the Student Workstation VM by clicking View VM.

2. Open the Firefox browser and enter the following URL to access the FortiSIEM GUI:
https://10.0.1.130/phoenix/login-html.jsf

There is a link for the FortiSIEM GUI on the browser's Favorites bar.

3. Log in as the following default user and click Login:

Field       Value
User ID     admin
Password    admin*1
Domain      LOCAL

4. Click the Admin tab.


5. In the pane on the left side of the screen, select General Settings, then click Role.

Notice the default system roles that are available.

6. Click the Server Admin role, then select Clone.


Because FortiSIEM does not allow you to overwrite the out-of-box system roles, the
system will prompt you to save the role with a different name. (By default, it will add a
date stamp.)

7. Remove the date stamp and add FSM_LAB to the role name as in the following example, then click OK:

To review the settings for the cloned role

1. Select the cloned role Server Admin_FSM_LAB, then click Edit.

2. Review the information in the Data Conditions and CMDB Report Conditions sections for this role.
What do you understand about these fields? See "Appendix: Answer Sheet" on page 208 for the answer.


3. Review the UI Access section and the conditions that apply to this role.
4. Expand the CMDB option and expand Devices.
Notice how all network devices are hidden while access to server devices is granted.

5. After you review the list, in the lower-left corner of the pane, click Cancel to exit the Server Admin_FSM_LAB
details.

To create a new role


1. Click New to create a role.
2. In the Role Name field, enter: Lab1 – Manager View.
3. In the Data Conditions section, configure the following settings:

Field       Value
Attribute   Reporting IP
Operator    IN
Value       1. Click in the Value search bar, then select Select from CMDB.
            2. In the left pane, expand Devices, then expand Network Device.
            3. Select Firewall, then click >> to move it to the Selections pane.
            4. Click OK.

4. Leave the CMDB Report Conditions section blank.


5. In the UI Access section, complete the following:

Click the item and select the down arrow to change its status.

In the HTML Dashboard > Dashboards section, allow only the following:

• FortiSIEM Dashboard
• Network Dashboard
• Security Dashboard
• Server Dashboard
Hide the rest of the Dashboards.


• Leave Analytics settings as default.
• Leave Incidents settings as default.
• CMDB (hide all except Devices)

• Others

8. At the bottom, click Save.

Exercise 2: Creating New Users

In this exercise, you will create two new users: a manager account and your own user account.

To create new users


1. Click the CMDB tab, and, on the pane on the left side of the screen, select Users.

2. Click New to create a new user.


3. Configure the following settings:

Field          Value
User Name      manager
System Admin   Click in the empty box to open a dialog box, then configure the following settings:
               Mode               Local
               Password           admin*2
               Confirm Password   admin*2
               Default Role       Lab1 - Manager View


4. Click Back.
5. Click Save.
6. Log out of the FortiSIEM GUI by clicking the power icon on the top toolbar.

To verify the settings for the newly created account


1. Log in again using the manager account you just created:

Field       Value
User ID     manager
Password    admin*2
Domain      LOCAL

Stop and think!


Notice how various parts of the GUI are no longer visible.

2. Click the Dashboard tab.


Notice how you can see only the few dashboards you specified previously.

3. Click the Analytics tab.


Notice how it contains the Real-time Search and Reports options. Because of the restrictions on the role, if
you were to perform a real-time search, the events returned would come only from devices that the role is
allowed to view.

4. Click CMDB and notice that it shows only the Devices you selected previously for the role.
5. Log out of the FortiSIEM GUI as the manager and log in again as the admin user:
• User ID: admin
• Password: admin*1
• Domain: LOCAL
6. Click the CMDB tab and, in the pane on the left side of the screen, click Users.
7. Click New to create your own user account, but this time specify the Full Admin role and use the password
admin*3. For example:

Field          Value
User Name      <select a name>
System Admin   Click in the empty box to open a dialog box, then configure the following settings:
               Mode               Local
               Password           admin*3
               Confirm Password   admin*3
               Default Role       Full Admin

8. Click Back.
9. Click Save to save your new user account.
10. Log out of the FortiSIEM GUI.
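The scoping that Exercises 1 and 2 demonstrate from the GUI, shown as an added Python illustration (this is not FortiSIEM code or material from the lab guide): a role's Data Condition expands a CMDB group into the set of Reporting IPs whose events a search may return, and its UI Access list decides which dashboards are offered. The group membership, the fifth dashboard name, the attribute names and the sample events are constructed for the example.

```python
"""Role scoping as a small model: a Data Condition limits which events a
search returns, and UI Access limits which dashboards are offered.
Hypothetical code for this lab section, not FortiSIEM's implementation."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Constructed CMDB: device group -> reporting IPs of its members.
CMDB_GROUPS: Dict[str, List[str]] = {
    "Firewall": ["192.168.3.2", "172.16.1.3"],
    "Router": ["192.168.20.2"],
    "Server": ["10.0.1.50"],
}

# The four dashboards allowed in Lab 1 plus one constructed extra that gets hidden.
ALL_DASHBOARDS = ["FortiSIEM Dashboard", "Network Dashboard", "Security Dashboard",
                  "Server Dashboard", "Executive Dashboard"]


@dataclass
class Role:
    name: str
    # Data Condition "Reporting IP IN <CMDB groups>"; empty means no data restriction.
    data_groups: List[str] = field(default_factory=list)
    # UI Access: dashboards the role may open; None means every dashboard.
    dashboards: Optional[List[str]] = None


def allowed_reporting_ips(role: Role) -> Set[str]:
    """Expand the role's CMDB group condition into the reporting IPs it may see."""
    ips: Set[str] = set()
    for group in role.data_groups:
        ips.update(CMDB_GROUPS.get(group, []))
    return ips


def visible_events(role: Role, events: Iterable[dict]) -> List[dict]:
    """Apply the Data Condition as a scoped real-time search would: keep only
    events whose Reporting IP belongs to one of the role's allowed groups."""
    if not role.data_groups:
        return list(events)
    ips = allowed_reporting_ips(role)
    return [e for e in events if e["reporting_ip"] in ips]


def visible_dashboards(role: Role) -> List[str]:
    """Apply the UI Access setting: the subset of dashboards offered to the role."""
    if role.dashboards is None:
        return list(ALL_DASHBOARDS)
    return [d for d in ALL_DASHBOARDS if d in role.dashboards]


# The role built in Exercise 1 and the built-in unrestricted role used in Exercise 2.
MANAGER_VIEW = Role("Lab1 - Manager View", data_groups=["Firewall"],
                    dashboards=["FortiSIEM Dashboard", "Network Dashboard",
                                "Security Dashboard", "Server Dashboard"])
FULL_ADMIN = Role("Full Admin")

# Constructed events carrying only the attributes the check needs.
SAMPLE_EVENTS = [
    {"reporting_ip": "192.168.3.2", "event_type": "FortiGate-event-login-success"},
    {"reporting_ip": "192.168.20.2", "event_type": "IOS-SEC_LOGIN-LOGIN_FAILED"},
    {"reporting_ip": "10.0.1.50", "event_type": "PH_DEV_MON_SYS_UPTIME"},
]

if __name__ == "__main__":
    for role in (MANAGER_VIEW, FULL_ADMIN):
        print(role.name, "->", len(visible_events(role, SAMPLE_EVENTS)), "events,",
              len(visible_dashboards(role)), "dashboards")
```

The two settings are different controls: hiding a dashboard only changes what the GUI offers, while the Data Condition is what limits the rows a query can return, which is why the manager's real-time search in Exercise 2 returns only firewall events even though the Analytics tab itself is still visible.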

Exercise 3: Changing Local User Passwords

In this exercise, you will change your user password.

To change local user passwords


1. Log in to the FortiSIEM GUI with your own user account (the one you created for yourself in the previous
exercise):

Field       Value
User ID     <the name you selected>
Password    admin*3
Domain      LOCAL

Notice your user name and current role are listed at the bottom of the screen.

2. In the upper-right corner of the window, click the single user icon.

3. In the Password and Confirm Password fields, enter a new password, and then click Save.

The password must contain at least one number and one special character (such as:
!@#$%^*(),.?).


4. Log out of the FortiSIEM GUI.


5. Log in again using the new password.

You have completed Lab 1.

Lab 2: SIEM Concepts and PAM Concepts

In this lab, you will explore how FortiSIEM processes each log into an event type.

Objectives
• View raw event logs
• View structured data
• Inspect event classification
• Inspect event enrichment
• Review performance events

Time to Complete
Estimated: 45 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.

Exercise 1: Reviewing Incoming Data

In this exercise, you will review the raw events that have been received by syslog.

To set search filter criteria


1. On the Student Workstation VM, open the Firefox browser and enter the following URL to access the
FortiSIEM GUI: https://10.0.1.130/phoenix/login-html.jsf

There is a link for the FortiSIEM GUI on the browser's Favorites bar.

If you are logged out of FortiSIEM due to inactivity, log back in using the HTML edition
option.

2. Log in as the following default user and click Login:

Field       Value
User ID     admin
Password    admin*1
Domain      LOCAL

3. Click the ANALYTICS tab.

4. Click the search field to edit the condition.


The Filter editor opens.

5. Create the following query:

Field       Value
Attribute   Reporting IP
Operator    =
Value       192.168.3.2

6. Next to Time, select Real Time.


7. Click Save & Run.

To generate logs
1. Open a new tab in your browser, and go to the NSE Institute website:
https://10.0.1.130/NSE_Institute/index.php

There is a link on the browser's Favorites bar.

2. On the web site, click LABS SET 1 and, under Lab 2 – SIEM Concepts, click Exercise 2.1 – Raw Events.
The output should resemble the following example:


To view raw event logs


1. Return to the browser tab where you are logged in to the FortiSIEM GUI and, after five events are received in the
table, click Pause.
2. To view the type, select Show Event Type.
3. To view the full raw log message, select Wrap Raw Event.

4. In the table, in the Raw Event Log column, review the log details for each event received by syslog.

Stop and think!


Can you identify what device they came from?

Which users had failed logins? See "Appendix: Answer Sheet" on page 208 for the answer.

5. Leave the window that displays the events open and continue to the next exercise.

Exercise 2: Structured Data

In this exercise, you will review the normalization of raw events into structured data.

To view structured data


1. Using the same analytics results from the previous exercise, make a note of each field header in the table (that is,
Event Receive Time, and so on).
See "Appendix: Answer Sheet" on page 208 for the answer.
FortiSIEM refers to these as Attributes.

Which attribute relates to the device IP address that sent the data? See "Appendix: Answer Sheet" on page
209 for the answer.

Notice how each raw event log maps to a specific Event Type.

Which event type relates to a login failure? See "Appendix: Answer Sheet" on page 209 for the answer.

2. In the Raw Event Log field, select a login event that was successful.
Once it is selected, a white down arrow icon appears.

3. Click the white down arrow icon to display the Show Detail button, which enables you to view the details
associated with that event.
4. Click Show Detail.
The Event Details dialog box opens. The window includes both the raw log details as well as a more
structured view of the log details.

5. In the structured Event Details view, review the attributes into which FortiSIEM has normalized the raw event log.
Which attribute provides the local time when FortiGate actually logged the event? See "Appendix: Answer
Sheet" on page 209 for the answer.

What are the Reporting Model and Reporting Vendor attributes of the event? See "Appendix: Answer
Sheet" on page 209 for the answer.


6. Review the raw event log view and look at which protocol was used for the authentication (HTTPS or SSH).
What attribute did FortiSIEM map this to in the structured view? See "Appendix: Answer Sheet" on page 209
for the answer.

Who made a successful authentication? And what attribute was this field mapped to in the structured view?
See "Appendix: Answer Sheet" on page 209 for the answer.

7. Close only the Event Details window, and continue to the next exercise.

Exercise 3: Event Classification

In this exercise, you will review how the events are grouped into event types.

Inspect Event Classification

Using the same analytics results from the previous exercise, you will inspect the event classification of Event
Type, FortiGate-event-login-success in the FortiSIEM database (CMDB).

To inspect event classification


1. Click the RESOURCES tab and, in the pane on the left side of the screen, expand Event Types.
2. Click Security > Logon Success > Dev Logon Success.
3. In the main window, type FortiGate in the Search field to look for all events related to FortiGate.

Stop and think!


Is the event FortiGate-event-login-success listed?

4. Select FortiGate-event-login-success.
A Summary pane will open at the bottom of the screen.

5. Make a note of the Member of field.


See "Appendix: Answer Sheet" on page 210 for the answer.


6. Make a note of the Description, and close the window.


See "Appendix: Answer Sheet" on page 210 for the answer.

7. Remove the search term FortiGate and review all the other vendor event types that have been classified as a Dev
Logon Success event.
8. On the left pane, still under Security, click Logon Failure > Dev Account Locked, and review the different
event types.
9. Find the event Win-Security-4740 in the list.

Use the search field to filter the results.

What do you notice about this particular event? See "Appendix: Answer Sheet" on page 210 for the answer.

Exercise 4: Event Enrichment

In this exercise, you will review how FortiSIEM adds enrichment attributes to events.

To set search filter criteria


1. Click the ANALYTICS tab, and click the search field to edit the condition.

Make sure the search field is empty (it may contain text from another exercise).

The condition editor opens.

2. In the Filters editor, configure the following settings to create a new query:

Field       Value
Attribute   Reporting IP
Operator    =
Value       172.16.1.3
Next Op     OR

3. In the Row column associated with your existing condition, click the + icon to add another row:
4. In the Next column associated with your existing condition, select OR.
5. Complete the following query:

Field       Value
Attribute   Reporting IP
Operator    =
Value       192.168.20.2


6. Next to Time, select Real Time.


7. Click Save & Run.

To generate logs
1. Return to the browser tab displaying the NSE Institute website (or, if closed, open a new browser tab and go to
the NSE Institute website).
2. Under LABS SET 1 and Lab 2 – SIEM and PAM Concepts, select Exercise 2.2 – Event Enrichment (Part A).
The output should resemble the following example:

To inspect event enrichment of PAN-OS event log


1. Return to the browser tab displaying the FortiSIEM GUI, and after two events are received, click Pause.
2. Click the RESOURCES tab and, in the pane on the left side of the screen, expand Event Types.
3. Click Security > Logon Failure > Dev Logon Failure.
4. In the main window, type PAN in the Search field to look for all events related to PAN-OS.
5. Select PAN-OS-SYSTEM-login-failed.
A Summary pane opens at the bottom of the screen.

What is the value in the Member of field? See "Appendix: Answer Sheet" on page 210 for the answer.


6. Return to the ANALYTICS tab.


7. Select the Raw Event Log field to look at the details for the PAN-OS-SYSTEM-login-failed event.
Once it is selected, a white down arrow icon appears.

8. Click the white down arrow icon to display the Show Detail option, which will enable you to view the details
associated with that event.
9. Click Show Detail.
The Event Details window opens.

10. Review the raw event log for that event.


Does it contain any country-related information? See "Appendix: Answer Sheet" on page 210 for the answer.

11. Review the attributes in the structured view and note the Source Country, Source Organization, and Source
State.
Where did this information come from? See "Appendix: Answer Sheet" on page 210 for the answer.

12. Close the Event Details window.

To inspect event enrichment in the IOS-SEC event log


1. Review the Event Details raw event log for the IOS-SEC_LOGIN-LOGIN_FAILED event.
Is there a Source Country or Destination Country populated for this event? If not, why? See "Appendix:
Answer Sheet" on page 211 for the answer.


2. Close the Event Details window.

To update the geographical location for a device manually


1. Click the CMDB tab.
2. In the pane on the left side of the screen, select Devices.
3. In the search field, type the IP address 192.168.20.2.

4. In the search results, select the device Name HOST-192.168.20.2.


5. Click the down arrow associated with Actions and select Edit Location.
The Edit Device Location pop-up window opens.

You might see an error message because FortiSIEM is not configured with a real Google API
key.

6. In the Edit Device Location pop-up window, configure the following settings (or configure your own), and then
click OK:

Field           Value
Location Name   UK Data Center
Country         United Kingdom
State           London, City of
City            London

7. Click Save.
8. Click the ANALYTICS tab and click the search field.
Your previous query should still be listed.

9. Next to Time, select Real Time.


10. Click Save & Run.

To generate logs for manually updated geographical location
1. Return to your browser tab displaying the NSE Institute website (or, if closed, open a new browser tab and go to
the NSE Institute website).
2. Under LABS SET 1 and Lab 2 – SIEM and PAM Concepts, select Exercise 2.2 – Event Enrichment (Part B).

To inspect event enrichment for a manually updated geographical location


1. Return to the browser tab displaying the FortiSIEM GUI and, after two events are received, click Pause.
2. Review the Event Details for raw event log IOS-SEC_LOGIN-LOGIN_FAILED again.

• Make sure Wrap Raw Event is selected.
• Make sure Show Event Type is selected.
• Once the Raw Event Log is selected, a white down arrow icon appears.
• Click the icon to display the Show Detail option, which enables you to view the
details associated with that event.

Is there now a Reporting City, Destination City, Destination Country, and Destination State
populated? If so, why? See "Appendix: Answer Sheet" on page 211 for the answer.

3. Close the Event Details window.


4. Click the CMDB tab, select the device with the IP address 192.168.20.2, and click Delete. (If a prompt
appears instructing you to delete the selected device from the CMDB, or remove it from the group, click Yes.)
5. Close the pop-up window informing you that the device was successfully deleted.
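To make the three stages inspected in Exercises 2 to 4 concrete (raw log to attributes, attributes to event type and group, then enrichment), here is an added Python illustration. It is not FortiSIEM's parser and not material from the lab guide: the FortiGate-style log lines, the CMDB location table, the GeoIP table and attribute names such as protocol are constructed for the example, and the login-failed event type name is a placeholder. It mirrors the two enrichment sources the exercises expose: a public source IP is looked up in a GeoIP table, while an RFC 1918 reporting address gets its location only from the CMDB entry set with Edit Location.

```python
"""Raw log to attributes (structured data), attributes to event type
(classification), and geo/location attributes (enrichment), as a small
model of the three stages inspected in Exercises 2 to 4. Hypothetical code
for this guide, not FortiSIEM's parser; all sample data is constructed."""
import ipaddress
import re
from typing import Dict, Optional, Tuple

# FortiGate logs are key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed FortiGate-style lines (not captured from the lab devices).
SAMPLE_LOGS = [
    'date=2018-11-20 time=10:15:02 devname=FGT-LAB devid=FGVM000000000001 '
    'logid=0100032001 type=event subtype=system level=information vd=root '
    'logdesc="Admin login successful" user="admin" ui="https(10.0.1.20)" '
    'method=https srcip=10.0.1.20 action=login status=success '
    'msg="Administrator admin logged in successfully from https(10.0.1.20)"',
    'date=2018-11-20 time=10:15:09 devname=FGT-LAB devid=FGVM000000000001 '
    'logid=0100032002 type=event subtype=system level=alert vd=root '
    'logdesc="Admin login failed" user="bob" ui="ssh(203.0.113.7)" '
    'method=ssh srcip=203.0.113.7 action=login status=failed reason="name_invalid" '
    'msg="Administrator bob login failed from ssh(203.0.113.7)"',
]

# Constructed CMDB locations, as set manually with Edit Location (reporting IP -> location).
CMDB_LOCATIONS: Dict[str, Dict[str, str]] = {
    "192.168.3.2": {"country": "United Kingdom", "state": "London, City of", "city": "London"},
}

# Constructed stand-in for a GeoIP database; 203.0.113.0/24 is a documentation range.
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"):
        {"country": "Example Country", "state": "Example State", "org": "Example ISP"},
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_kv(raw: str) -> Dict[str, str]:
    """Structured data: split the raw log into attribute/value pairs."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(raw)}


def classify(fields: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Classification: map parsed fields to an event type and its event group.
    FortiGate-event-login-success and Dev Logon Success / Dev Logon Failure are the
    names shown in the lab; the login-failed type name is a placeholder."""
    if fields.get("action") == "login":
        if fields.get("status") == "success":
            return "FortiGate-event-login-success", "Dev Logon Success"
        if fields.get("status") == "failed":
            return "FortiGate-event-login-failed", "Dev Logon Failure"
    return "Unknown", None


def geo_lookup(ip_str: str) -> Optional[Dict[str, str]]:
    """GeoIP applies to public addresses only; RFC 1918 addresses return None."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in RFC1918):
        return None
    for net, info in GEOIP.items():
        if ip in net:
            return info
    return None


def enrich(event: dict) -> None:
    """Enrichment: source geo from GeoIP, reporting location from the CMDB entry."""
    geo = geo_lookup(event["source_ip"]) if event.get("source_ip") else None
    if geo:
        event["source_country"], event["source_state"] = geo["country"], geo["state"]
        event["source_organization"] = geo["org"]
    loc = CMDB_LOCATIONS.get(event["reporting_ip"])
    if loc:
        event["reporting_country"], event["reporting_state"] = loc["country"], loc["state"]
        event["reporting_city"] = loc["city"]


def normalize(raw: str, reporting_ip: str) -> dict:
    """Run all three stages for one syslog line received from reporting_ip."""
    fields = parse_kv(raw)
    event = {
        "reporting_ip": reporting_ip,
        "raw_event_log": raw,
        "device_time": f"{fields.get('date')} {fields.get('time')}",
        "user": fields.get("user"),
        "source_ip": fields.get("srcip"),
        "protocol": fields.get("method"),  # attribute name assumed for this illustration
        "event_type": "Unknown", "event_group": None,
    }
    if "devname" in fields:  # devname= is the FortiGate signature Lab 3 searches for
        event["reporting_vendor"], event["reporting_model"] = "Fortinet", "FortiGate"
        event["event_type"], event["event_group"] = classify(fields)
    enrich(event)
    return event


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = normalize(line, "192.168.3.2")
        print(ev["event_type"], ev.get("source_country", "-"), ev.get("reporting_city", "-"))
```

The first sample line has a private source address, so no Source Country is produced, which is the situation the IOS-SEC event in Exercise 4 shows; only the CMDB location of the reporting device fills in the Reporting City, State and Country, and removing that CMDB entry removes those attributes again.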

Exercise 5: Reviewing Performance Events

In this exercise, you will examine some of the performance events collected by FortiSIEM.

To set search filter criteria


1. Click the ANALYTICS tab.
2. Click the search field to edit the condition.
The Filter editor appears.

3. Click Clear All to clear the existing queries.

4. Once cleared, create the following query:

Field       Value
Attribute   Reporting IP
Operator    =
Value       192.168.20.2

5. Next to Time, select Real Time.


6. Click Save & Run.

To generate performance event logs


1. Open a new tab in your browser, and go to the NSE Institute website.
2. Navigate to LABS SET 1 and, under Lab 2 – SIEM and PAM Concepts, select Exercise 2.3 – Performance
Events.
The output should resemble the following example:

To view performance events


1. Return to the browser tab displaying the FortiSIEM GUI.
2. After 10 events are received, click Pause.
Notice there are a number of events labeled PH_DEV_MON, which stands for device monitor.

3. Click the Event Type column to sort the data alphabetically (once clicked, you should notice an up or down arrow
to the left of the field).

4. Select Raw Event Log for Event Type PH_DEV_MON_SYS_UPTIME and view Event Details.

• Make sure Wrap Raw Event is selected.
• Make sure Show Event Type is selected.
• Once the Raw Event Log is selected, a white down arrow icon appears.
• Click the icon to display the Show Detail option, which enables you to view the
details associated with that event.

5. Review the raw event log and structured data.


Which attributes relate to the up-time and downtime of the device? See "Appendix: Answer Sheet" on page
211 for the answer.

Performance events are also enriched with geo-location data (Host/Reporting Country,
and so on) if the CMDB has a location set for an internal device. All performance
events have a host IP populated.

What attribute relates to how often the event is collected? See "Appendix: Answer Sheet" on page 211 for the
answer.

6. Click the white down arrow icon in the Raw Event Log to open the Event Details dialog box, and select Event
Type PH_DEV_MON_SYS_MEM_UTIL.
7. Review the raw event log and structured data.
Which attribute relates to the memory utilization of the device? See "Appendix: Answer Sheet" on page 212
for the answer.

How often is the memory utilization event collected? See "Appendix: Answer Sheet" on page 212 for the
answer.

8. Open the Event Details dialog box associated with the event type PH_DEV_MON_NET_INTF_UTIL.
9. Review the raw event log and structured data.
Which attributes relate to the interface name and interface utilization? See "Appendix: Answer Sheet" on
page 212 for the answer.

Why are there four interface utilization events? See "Appendix: Answer Sheet" on page 212 for the answer.

You have completed Lab 2.

Lab 3: Discovery

In this lab, you will examine the FortiSIEM discovery processes.

Objectives
l View auto log discovery
l Add credentials and IP ranges for a single device
l Discover a single device
l Pull configuration data using privileged credentials
l Perform a discovery on many devices
l Pull performance data from devices

Time to Complete
Estimated: 75 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.

Exercise 1: Auto Log Discovery

In this exercise, you will inspect the type of data that is extracted from the syslogs.

To set search criteria for logs


1. On the Student Workstation VM, open the Firefox browser and enter the following URL to access the
FortiSIEM GUI: https://10.0.1.130/phoenix/login-html.jsf

There is a link for the FortiSIEM GUI on the browser's Favorites bar.

2. Click the ANALYTICS tab and click the search field to edit the condition.
3. In the Filters editor, configure the following settings to create a new query:

Field Value

Attribute Raw Event Log

Operator CONTAIN

Value ASA

4. In the Next column associated with your existing condition, select OR.
5. In the Row column associated with your existing condition, click the + icon to add another row.
6. Configure the following settings:

Field Value

Attribute Raw Event Log

Operator CONTAIN

Value devname

7. Next to Time, select Real Time.


8. Click Save & Run.


Make sure the search field is empty (it may contain text from another exercise).

To generate test logs


1. Open a new tab in your browser, and go to the NSE Institute website.
2. Navigate to LABS SET 1 and, under Lab 3 – Discovery, select Exercise 3.1 – Auto Log Discovery.
The output should resemble the following example:

To inspect the syslogs


1. On the browser tab displaying the FortiSIEM GUI, on the Analytics tab, wait until at least 25 events are
received, then click Pause.


2. Click the CMDB tab and, in the pane on the left side of the screen, click Devices > Network Device > Firewall.

3. To add a Version column to the display, on the upper-right corner of the CMDB tab, click the columns icon to
select display columns.

4. Select Version from Available Columns, click the right arrow icon to move Version to Selected Columns, and
then click OK.
5. Click the CMDB tab and, on the pane on the left side of the screen, click Devices > Network Device >
Firewall.
You should see a Cisco ASA device with the name HOST-192.168.19.65 and a Fortinet FortiOS device with
the name FG240D3913800441.

Make sure the search field is empty (it may contain text from another exercise).

Why are the names different? If you are unsure, review some of the raw events on the ANALYTICS tab.
See "Appendix: Answer Sheet" on page 212 for the answer.


What is displayed under the Version and Last Discovered Method fields for each device? See "Appendix:
Answer Sheet" on page 213 for the answer.

6. Continuing on the CMDB tab, on the lower pane containing the details, select the Cisco ASA device, then click the
Summary tab and review the details.
Notice this device has been automatically categorized under three groups.

7. Select the Fortinet FortiOS device and, on the lower pane containing the details, click the Summary tab and
review the details.
Notice this device has been automatically categorized under four groups.

8. On the same lower pane, review the Interfaces and Configuration tabs for both devices.
What do you see and what can you identify about the population of the CMDB from the log discovery alone?
See "Appendix: Answer Sheet" on page 213 for the answer.
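The naming difference this exercise asks about comes down to what each log carries. The following added example (not FortiSIEM code) parses two constructed syslog samples, a FortiGate key=value log and a Cisco ASA log, and applies an assumed naming rule: use the devname field when the log has one, otherwise fall back to HOST-<reporting IP>. The vendor heuristic and the naming rule are illustrative assumptions, not FortiSIEM's implementation.

```python
"""Illustrative log-only discovery, added as an example (not FortiSIEM code).

Constructed syslog samples mimic the two device types in this exercise: a
FortiGate log whose body is key=value pairs (including devname) and a Cisco
ASA log, which carries no device-name field. The naming rule (use a name
field when the log supplies one, otherwise HOST-<reporting IP>) and the
vendor heuristic are assumptions made for illustration only.
"""
import re

# Constructed sample events: (reporting IP, raw syslog text)
SAMPLE_EVENTS = [
    ("192.168.3.1",
     '<189>date=2018-11-20 time=10:15:01 devname="FG240D3913800441" '
     'devid="FG240D3913800441" logid="0000000013" type="traffic" '
     'subtype="forward" level="notice" srcip=10.0.1.55 dstip=8.8.8.8 '
     'action="accept"'),
    ("192.168.19.65",
     '<166>Nov 20 2018 10:15:02: %ASA-6-302013: Built outbound TCP '
     'connection 4711 for outside:8.8.8.8/53 (8.8.8.8/53) to '
     'inside:10.0.1.55/40231 (10.0.1.55/40231)'),
]

# key=value with either a quoted or a bare value
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Cisco ASA message header: %ASA-<severity>-<message id>:
ASA_RE = re.compile(r'%ASA-(\d)-(\d{6}):')


def parse_kv(raw: str) -> dict:
    """Extract key=value pairs (quoted or bare) from a raw log line."""
    pairs = {}
    for key, value in KV_RE.findall(raw):
        pairs[key] = value.strip('"')
    return pairs


def classify(raw: str) -> str:
    """Guess the vendor family from the log shape (constructed heuristic)."""
    if ASA_RE.search(raw):
        return "Cisco ASA"
    kv = parse_kv(raw)
    if "devid" in kv or "devname" in kv:
        return "Fortinet FortiOS"
    return "Unknown"


def cmdb_name(reporting_ip: str, raw: str) -> str:
    """Assumed rule: devname if the log supplies it, else HOST-<reporting IP>."""
    name = parse_kv(raw).get("devname")
    return name if name else f"HOST-{reporting_ip}"


def log_discover(events):
    """Build a minimal CMDB view {name: {...}} from raw events alone."""
    cmdb = {}
    for ip, raw in events:
        name = cmdb_name(ip, raw)
        entry = cmdb.setdefault(name, {"reporting_ip": ip,
                                       "vendor": classify(raw),
                                       "method": "LOG",
                                       "events": 0})
        entry["events"] += 1
    return cmdb


if __name__ == "__main__":
    for name, entry in log_discover(SAMPLE_EVENTS).items():
        print(f"{name:22} {entry['vendor']:18} via {entry['method']}")
```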

Exercise 2: Adding Credentials and IP Ranges for a Single
Device

In this exercise, you will add SNMP credentials used in the discovery process.

To add an SNMP credential


1. On the FortiSIEM GUI, click the Admin tab.
2. On the pane on the left side of the screen, click Setup.
3. On the main window, select the Credentials tab.
4. Click Step 1: Enter Credentials, then click New.

5. Configure the following settings:

Field Value

Name Global SNMP

Device Type Generic

Access Protocol SNMP

Community String public

Confirm Comm String public

Description FortiSIEM Training SNMP Credentials

6. Click Save.

To assign credentials to address ranges


1. Under Step 2: Enter IP Range to Credential Associations, click New.
2. In the IP/IP Range field, type 192.168.3.1.
3. Select the Global SNMP credential from the list (it should be listed as default, because there is only one
credential defined), and click Save.

Prediscovery Preparation

Because you are working with a system that has fake data, you need to prepare the system before you can
perform the discovery.

To create fake discovery data


1. Return to the browser tab displaying the NSE Institute website.
2. Navigate to LABS SET 1 and, under Lab 3 – Discovery, select Exercise 3.2 – (A) Prepare System for
Local File Discovery.
The output takes approximately one minute to return and should resemble the following example:

3. Once completed, select Exercise 3.2 – (B) Copy FortiGate Discovery File.
The output should resemble the following example:

Exercise 3: Discovery of a Single Device

In this exercise, you will use the credentials from the previous exercise to discover a device and collect data from
it.

To add a device to be discovered


1. Return to the browser tab displaying the FortiSIEM GUI, and click the Admin tab.
2. On the pane on the left side of the screen, click Setup.
3. On the main window, click the Discovery tab.
4. Click New.
5. Configure the following settings:

Field Value

Name FortiGate Firewall

Discovery Type Range Scan

Include 192.168.3.1

Name resolution SNMP/WMI first

6. Keep the default settings for all other fields, and click Save.
7. On the table, select the FortiGate Firewall entry, and click Discover.
8. Once the discovery is complete, review the fields to view what access method was used for the discovery and what
system monitors and application monitors were applied to the device.


9. Click Close.

Faking Performance Data

Because this is a fake device, you will trick the system into believing the performance jobs are being collected.

To fake the performance data


1. Return to the browser tab on the NSE Institute website.
2. Navigate to LABS SET 1 and, under Lab 3 – Discovery, select Exercise 3.3 – Start FortiGate Performance
Data.
The output should resemble the following example:

To review the performance data


1. Return to the browser tab displaying the FortiSIEM GUI.
2. Click the CMDB tab and, on the pane on the left side of the screen, click Devices > Network Device > Firewall.
3. Look at the Fortinet FortiOS device again (FG240D3913800441).
What does the Version field show now? See "Appendix: Answer Sheet" on page 213 for the answer.


We added the Version column to the display in Exercise 1.

On the upper-right corner of the CMDB tab, click the columns icon to select
display columns.

4. Select the Fortinet FortiOS device and, on the lower pane containing the details, click the Summary tab and
review the details.
How many groups is this device now a member of? See "Appendix: Answer Sheet" on page 213 for the
answer.

5. Continuing on the lower pane, click the Interfaces tab.


Notice how it is now populated with a lot of detail.

6. Continuing on the lower pane, click the Hardware tab, and then the Components sub-tab.
Notice how the serial number and software version are recorded.

7. Click the main Admin tab and, on the pane on the left side of the screen, click Setup.
8. On the main window, select the Monitor Performance tab.
Notice how the Fortinet FortiOS device lists the system monitors and application monitors.

9. View the Monitor column and make a note of how often the CPU Util, Mem Util, and Net Intf Stat jobs are being
collected using SNMP. See "Appendix: Answer Sheet" on page 213 for the answer.

10. Select an entry and click More.

11. Select Report from the drop-down list to verify whether performance data is being collected.


This creates a query.

Clicking Report takes you to the ANALYTICS tab to view the results.

Exercise 4: Adding a Privileged Credential for
Configuration Pulling 

If Telnet or SSH credentials are also associated with a supported device, then the device startup and running
configuration can also be stored in the CMDB, along with installed software versions, for some devices. In this
exercise, you will explore this functionality.

To pull data using privileged credentials


1. On the FortiSIEM GUI, click the Admin tab.
2. On the pane on the left side of the screen, select Setup.
3. On the main window, select the Credentials tab.
4. Under Step 1: Enter Credentials, click New.
5. Configure the following settings:

Field Value

Name FortiGate SSH

Device Type Fortinet FortiOS

Notice how the access protocol defaults to HTTPS and the port 443.

Access protocol SSH (Port will change to 22)

Password config Manual

User Name admin

Password topsecret

Confirm Password topsecret

6. Click Save.


7. Under Step 2: Enter IP Range to Credential Associations, select the 192.168.3.1 entry, and click Edit.
The Device Credential Mapping Definition dialog opens.

8. Click the + icon near the bottom of the dialog box, and select FortiGate SSH (which you just created), then click
OK.

Don’t try to discover the device. It will FAIL in the lab!

In a real-world environment, you could rediscover the FortiGate firewall. The new SSH credential would also
be attempted against the device to apply a configuration pulling system monitor job. Because this device is
fake, you need to simulate this.

To simulate FortiGate SSH Config and Installed Software
1. Return to the browser tab on the NSE Institute website.
2. Navigate to LABS SET 1 and, under Lab 3 – Discovery, select Exercise 3.4 – (A) Simulate FortiGate SSH
Config and Installed Software.
The output takes approximately one minute to return and should resemble the following example:

To review simulated FortiGate SSH Config and Installed Software


1. Return to your browser tab displaying the FortiSIEM GUI.
2. Click the CMDB tab and, on the pane on the left side of the screen, click Devices > Network Device >
Firewall.
3. On the main window, click the refresh icon.
4. Select the Fortinet FortiOS device Name (FG240D3913800441) and, on the lower pane, click the
Configuration tab.
You should see the startup configuration of the device.

5. Continuing on the lower pane, select the Software tab and look at the details on the Installed Software sub-tab.
You should now see all the versions of the AV engine, attack definitions, and so on.

To simulate FortiGate SSH Config Change


1. Return to the browser tab displaying the NSE Institute website.
2. Navigate to LABS SET 1 and, under Lab 3 – Discovery, select Exercise 3.4 – (B) Simulate FortiGate SSH
Config Change.
The output takes approximately one minute to return and should resemble the following example:

To review simulated FortiGate SSH Config Change
1. Return to your browser tab displaying the FortiSIEM GUI.
2. Continuing on the Firewall page, select the Fortinet FortiOS device (FG240D3913800441), and click the refresh
icon.
3. On the lower pane containing the details, click the Configuration tab again.
You should notice a second revision of the startup-config. (If not, wait one minute and refresh again.)

4. Depending on your computer, use Shift or Ctrl to select both revisions, and then click the Diff button.

5. Review the configuration changes, then close the dialog box.

Exercise 5: Performing Discovery of Other Lab Devices 

In this exercise, you will create discoveries for all other devices in the simulated lab. You will continue to use only
SNMP. (You are assuming the same SNMP credential across all devices.)

Other Device List

Type                 Make         IP Address      Method
Firewall             Fortigate    172.16.255.82   SNMP
Firewall             Fortigate    10.1.1.1        SNMP
Firewall             Palo Alto    172.16.1.2      SNMP
Firewall             Cisco ASA    192.168.19.65   Lab Special
Firewall             Juniper      172.16.3.10     Log Only
Firewall             Juniper      172.16.255.70   SNMP
Firewall             Checkpoint   172.16.0.1      SNMP
Router/Switch        Cisco IOS    10.1.1.5        Log Only
Router/Switch        Cisco IOS    192.168.20.1    SNMP
Router/Switch        Cisco IOS    172.16.3.2      SNMP
Router/Switch        Cisco IOS    192.168.19.1    SNMP
Router/Switch        Foundry      172.16.0.4      SNMP
Router/Switch        Foundry      172.16.10.1     Log Only
Router/Switch        HP Procurve  172.16.22.2     SNMP
Router/Switch        Jun OS       172.16.5.64     SNMP
Wireless Controller  Aruba        192.168.26.7    SNMP
Server               Windows      172.16.10.28    SNMP
Server               Windows      192.168.0.10    SNMP
Server               Windows      192.168.0.40    SNMP
Server               Windows      172.16.10.9     SNMP
Server               Windows      10.10.100.27    Log Only
Server               Windows      10.1.1.33       SNMP
Server               Windows      10.1.1.41       SNMP
Server               Linux        192.168.0.16    SNMP
Server               AIX          172.16.20.160   SNMP
Server               Solaris      172.16.10.6     SNMP

To add IP ranges for the Other Device List to Credentials


1. On the FortiSIEM GUI, click the Admin tab.
2. On the pane on the left side of the screen, select Setup.
3. On the main window, click the Credentials tab.
4. Under Step 2: Enter IP Range to Credential Associations, click New.
This time, to demonstrate a range, you will enter a list of firewall devices.

5. Configure the following credentials:

Field Value

IP/Host Name 172.16.255.82, 10.1.1.1, 172.16.1.2, 172.16.255.70, 172.16.0.1

Credentials Global SNMP

6. Click Save.
7. Click New again, and configure the credentials to add a range of devices:

Field Value

IP/Host Name 192.168.20.1, 172.16.3.2, 192.168.19.1, 172.16.0.4, 172.16.22.2, 172.16.5.64

Credentials Global SNMP

8. Click Save.
9. Click New again, and configure the following credentials to add the Wireless Controller IP:

Field Value

IP/Host Name 192.168.26.7

Credentials Global SNMP

10. Click New again, and configure the following credentials to add a list of server devices (to demonstrate a mixture
of IP ranges):

Field Value

IP/Host Name 172.16.10.6-172.16.10.28, 192.168.0.10-192.168.0.40, 10.1.1.33, 10.1.1.41, 172.16.20.160

Credentials Global SNMP

11. Click Save.
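Before running discovery it is worth confirming that every device you expect to poll over SNMP actually falls inside one of the IP-range-to-credential associations you just entered. The following added example (not FortiSIEM code) expands the comma-separated single-IP and a-b range syntax used in steps 5 to 10 and checks it against the Other Device List; how FortiSIEM itself parses the IP/Host Name field is not shown, so the expansion rules are an assumption for illustration.

```python
"""Coverage check for IP-range-to-credential associations. Added example,
not FortiSIEM code: it expands the IP/Host Name syntax used in this
exercise (comma-separated single IPs and a-b ranges) and reports which
devices in the Other Device List will have the Global SNMP credential
tried during discovery. The expansion rules are an assumption made for
illustration; FortiSIEM's own parsing of the field is not shown here.
"""
import ipaddress

# The associations entered in steps 5 to 10 of this exercise (plus the
# single 192.168.3.1 entry from Exercise 2).
ASSOCIATIONS = {
    "Global SNMP": [
        "192.168.3.1",
        "172.16.255.82, 10.1.1.1, 172.16.1.2, 172.16.255.70, 172.16.0.1",
        "192.168.20.1, 172.16.3.2, 192.168.19.1, 172.16.0.4, 172.16.22.2, 172.16.5.64",
        "192.168.26.7",
        "172.16.10.6-172.16.10.28, 192.168.0.10-192.168.0.40, 10.1.1.33, 10.1.1.41, 172.16.20.160",
    ],
}

# Other Device List from this exercise: (make, IP, method).
OTHER_DEVICES = [
    ("Fortigate", "172.16.255.82", "SNMP"), ("Fortigate", "10.1.1.1", "SNMP"),
    ("Palo Alto", "172.16.1.2", "SNMP"), ("Cisco ASA", "192.168.19.65", "Lab Special"),
    ("Juniper", "172.16.3.10", "Log Only"), ("Juniper", "172.16.255.70", "SNMP"),
    ("Checkpoint", "172.16.0.1", "SNMP"), ("Cisco IOS", "10.1.1.5", "Log Only"),
    ("Cisco IOS", "192.168.20.1", "SNMP"), ("Cisco IOS", "172.16.3.2", "SNMP"),
    ("Cisco IOS", "192.168.19.1", "SNMP"), ("Foundry", "172.16.0.4", "SNMP"),
    ("Foundry", "172.16.10.1", "Log Only"), ("HP Procurve", "172.16.22.2", "SNMP"),
    ("Jun OS", "172.16.5.64", "SNMP"), ("Aruba", "192.168.26.7", "SNMP"),
    ("Windows", "172.16.10.28", "SNMP"), ("Windows", "192.168.0.10", "SNMP"),
    ("Windows", "192.168.0.40", "SNMP"), ("Windows", "172.16.10.9", "SNMP"),
    ("Windows", "10.10.100.27", "Log Only"), ("Windows", "10.1.1.33", "SNMP"),
    ("Windows", "10.1.1.41", "SNMP"), ("Linux", "192.168.0.16", "SNMP"),
    ("AIX", "172.16.20.160", "SNMP"), ("Solaris", "172.16.10.6", "SNMP"),
]


def expand_spec(spec: str):
    """Expand 'a, b-c, d' into a set of IPv4Address objects (assumed syntax)."""
    addrs = set()
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        if "-" in item:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in item.split("-", 1))
            if hi < lo:
                raise ValueError(f"reversed range: {item}")
            addrs.update(ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1))
        else:
            addrs.add(ipaddress.IPv4Address(item))
    return addrs


def credential_coverage(associations, devices):
    """Return (covered, uncovered): device rows with and without a credential.
    Each row is (make, ip, method, [credential names whose ranges include ip])."""
    by_cred = {name: set().union(*(expand_spec(s) for s in specs))
               for name, specs in associations.items()}
    covered, uncovered = [], []
    for make, ip, method in devices:
        addr = ipaddress.IPv4Address(ip)
        creds = [c for c, addrs in by_cred.items() if addr in addrs]
        (covered if creds else uncovered).append((make, ip, method, creds))
    return covered, uncovered


if __name__ == "__main__":
    covered, uncovered = credential_coverage(ASSOCIATIONS, OTHER_DEVICES)
    print(f"{len(covered)} devices have a credential to try")
    for make, ip, method, _ in uncovered:
        print(f"no credential for {make:12} {ip:15} ({method})")
```

With the associations from this exercise, the only devices left without a credential are exactly the Lab Special and Log Only entries, which is what you want: they are populated from logs, not from SNMP discovery.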

Prepare the Fake Devices for Discovery

Before the fake devices can be discovered, the lab system itself must be prepared.

To prepare the fake devices for discovery


1. Return to your browser tab displaying the NSE Institute website.
2. Navigate to LABS SET 1 and, under Lab 3 – Discovery, select Exercise 3.5 – Copy All Other Discovery
Files.
The output takes approximately one minute to return and should resemble the following example:

If you don’t see three 100% successful SCP transfers, advise your instructor.

To add the discovery task for devices


1. Return to the browser tab displaying the FortiSIEM GUI.
2. Continuing on the Setup page, click the Discovery tab.
3. Click New to add the following discovery ranges (click New for each new entry and Save):

Name                  Discovery Type  Include                                   Name Resolution
Other FTNT Firewalls  Range Scan      172.16.255.82, 10.1.1.1                   SNMP/WMI First
Palo Alto             Range Scan      172.16.1.2                                SNMP/WMI First
Juniper FW            Range Scan      172.16.255.70                             SNMP/WMI First
Checkpoint            Range Scan      172.16.0.1                                SNMP/WMI First
Cisco IOS             Range Scan      192.168.20.1, 172.16.3.2, 192.168.19.1    SNMP/WMI First
Foundry               Range Scan      172.16.0.4                                SNMP/WMI First
HP Procurve           Range Scan      172.16.22.2                               SNMP/WMI First
Jun OS                Range Scan      172.16.5.64                               SNMP/WMI First
Aruba                 Range Scan      192.168.26.7                              SNMP/WMI First
Windows               Range Scan      172.16.10.28, 192.168.0.10-192.168.0.40,  SNMP/WMI First
                                      172.16.10.9, 10.1.1.33, 10.1.1.41
Linux                 Range Scan      192.168.0.16                              SNMP/WMI First
AIX                   Range Scan      172.16.20.160                             SNMP/WMI First
Solaris               Range Scan      172.16.10.6                               SNMP/WMI First

4. Once you have defined the discovery ranges, select each entry (but not the FortiGate Firewall that was already
present), and then click Discover. (Do these one at a time.)


5. Once completed, on the Monitor Performance tab, review the system monitors applied to each device.

6. Click the CMDB tab and review the devices and device categorizations. (You may need to click Refresh.)
7. On the pane on the left side of the screen, click Devices > Server.
8. On the main window, select device WIN2008-ADS and, in the lower pane that contains the details, click the
Software tab.
9. Click the Running Applications sub-tab and, in the search field, type iis.
Notice the list of running applications populated from discovery for IIS.

10. Make a note of the entries in the Process Name and Process Param columns. See "Appendix: Answer Sheet"
on page 214 for the answer.

11. Type DNS in the search field and again make note of the entries in the Process Name and Process Param
columns. See "Appendix: Answer Sheet" on page 214 for the answer.

12. On the pane on the left side of the screen, click Applications > Infrastructure App > DNS, and select
Microsoft DNS on the main window.
Notice how the CMDB knows which devices in the environment are running the DNS process.

13. On the pane on the left side of the screen, click Applications > User App > Web Server, and select Microsoft
IIS on the main window.
Again, notice how FortiSIEM understands which devices are running IIS by tracking the process names
running during discovery.

Exercise 6: Bringing in Fake Data 

Now that the devices are populated in the CMDB, you will start to bring in fake performance and security data.

To observe the pulling of performance data from devices


1. Return to your browser tab displaying the NSE Institute website.
2. Navigate to LABS SET 1 and, under Lab 3 – Discovery, select Exercise 3.6 – Start All Performance and
Device Data.
The output takes approximately two minutes to return and should resemble the following example:

3. Return to your browser tab displaying the FortiSIEM GUI.


4. Click the ANALYTICS tab, then click the search field to edit the condition.
5. In the Filters section, configure the following settings to create a new query:

Field Value

Attribute Raw Event Log

Operator CONTAIN

Value *

© FORTINET
6. Next to Time, select Real Time.
7. Click Save & Run.

Make sure the search field is empty (it may contain text from another exercise).

After a few seconds, you will see various events arriving.

8. Remove the asterisk from the filter box, type PH_DEV_MON, and click Search again.
After waiting a minute or so, you should start to see performance metric events.

To view all devices on the Summary Dashboard


1. Click the Dashboard tab, then click the down arrow on the Amazon Web Services Dashboard.
2. On the drop-down list, select FortiSIEM Dashboard.

3. On the FortiSIEM dashboard, select the + icon next to the Incidents tab to add a new dashboard.

The Create New Dashboard pop-up window opens.

4. Configure the following settings to create a dashboard:

Field Value

Name All Devices

Type Summary Dashboard

5. Next to Incidents, select the All Devices tab.


6. Add all devices by clicking the select devices icon next to the search bar.

The Select devices for display pop-up window opens.

7. Select all devices in the Available Devices column.


8. Use the right-arrow icon to add all selected devices to the Selected Devices column.
9. Click OK.
10. When the All Devices dashboard opens, select All in the filter.


Your dashboard should look similar to the following example:

Not all devices collect the same system resource metrics, so some columns will be
blank. If your system does not resemble the following example, inform your instructor.

You have completed Lab 3.

Lab 4: FortiSIEM Analytics

In this lab, you will explore the keyword search feature.

Objectives
l Understand the real-time search
l Perform a search for raw log messages
l Perform a historical keyword search
l Employ multiple search conditions
l Explore some of the well-used search operators

Time to Complete
Estimated: 30 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.

Exercise 1: Getting to Know the Real-Time Search

In this exercise, you will perform a real-time search for raw logs.

To view all raw logs in real-time search


1. On the Student Workstation VM, open the Firefox browser and enter the following URL to access the
FortiSIEM GUI: https://10.0.1.130/phoenix/login-html.jsf

There is a link for the FortiSIEM GUI on the browser's Favorites bar.

2. Click the ANALYTICS tab.


3. Click the Display Fields drop-down icon.

4. Click Clear All and Save.

5. In the pop-up, select Use Default.

6. Click the search field to Edit Filters and Time Range.

7. The Filter editor opens.
8. Create the following query:

Field Value

Attribute Raw Event Log

Operator CONTAIN

Value *

The Raw Event Log attribute is used for viewing raw log messages from various
devices.

Raw log messages are unstructured data.

9. Next to Time, select Real Time.


10. Click Save & Run, let the search run for about 20 seconds, and then click Pause.
Notice all the different events being received in real-time and the default columns (Event Receive Time,
Reporting IP, Event Type, and Raw Event Log).

l Make sure Wrap Raw Event is selected.
l Make sure Show Event Type is selected.

11. In the Raw Event Log field, select a raw log message.
A white down arrow icon appears.

12. Click the down arrow icon to display the Show Detail button, and view the event details associated with that
event.


13. Click Show Detail.


An Event Details dialog box opens.

The top portion of the dialog box includes the raw log received by FortiSIEM.

The bottom portion of the dialog box includes the structured view—all the attributes that FortiSIEM parsed
out of the message.

You can use these attributes in structured searches, rules, reports, and on dashboards.

14. Close the Event Details dialog box.


15. In the Filters section, click Clear All to see the functionality of this button.

Notice that as soon as you click Clear All, all existing settings are cleared.

16. Click Cancel. Don't save the changes made when you clicked Clear All.

Exercise 2: Search Operators

In this exercise, you will explore the use of search operators.

To use search operators


1. Click the ANALYTICS tab, then click the search field to edit the condition.
2. In the Filters section, change the query to remove the asterisk (*) from the Value field of the search, then type
devname.
3. Next to Time, select Real Time.
4. Click Save & Run.

Review the results.

5. Modify the search condition again in the Filters editor for condition devname AND HTTP, and complete the
following query:

Field Value

Attribute Raw Event Log

Operator CONTAIN

Value devname

6. In the Row column associated with your existing condition, click the + icon to add another row.
7. In the Next column associated with your existing condition, select AND.
8. Complete the following query:

Field Value

Attribute Raw Event Log

Operator CONTAIN

Value HTTP

9. Next to Time, select Real Time.


10. Click Save & Run.

The logical AND operator is used to achieve the results for the query devname AND
HTTP.


11. After you receive approximately 50 logs, click Pause.

What was the impact of this search? See "Appendix: Answer Sheet" on page 214 for the answer.

What can you identify about the case sensitivity of keywords? See "Appendix: Answer Sheet" on page 214 for
the answer.

Exercise 3: Historical Keyword Search

In this exercise, you will perform a keyword search.

To perform a keyword search


1. On the FortiSIEM GUI, click the ANALYTICS tab, then click the search field to edit the condition.
2. In the Filters editor, configure the following settings to create a new query:

Field Value

Attribute Raw Event Log

Operator CONTAIN

Value deny

3. Next to Time, select Relative, then in the Last field, type 10, and select Minutes.
4. Click Save & Run.

Events that contain the word "deny" will appear.

Notice that the graph shows a COUNT over time (10 minutes in this case) of all the matching events.

5. Hover your mouse over the graph to view the absolute time range of the events in that time period.


6. Double-click any point on the graph.


The system opens a new tab and runs the same query with the time selector set to the specific time interval
you selected.

This allows granular control and the ability to drill into event peaks of interest.

7. Close the tab.

Exercise 4: Single Search Condition

In this exercise, you will explore the use of search conditions.

To add a search condition


1. On the FortiSIEM GUI, click the ANALYTICS tab, then click the search field to edit the condition.
2. On the Filters editor, configure the following settings to create a new query:

Field Value

Attribute Raw Event Log

Operator CONTAIN

Value *

3. Next to Time, select Relative, then, in the Last field, type 3, and select Minutes.
4. Click Save & Run.
Notice all the events received over the specified time period.

This can be many lines and many pages of data, too many to fit on one page.

You can jump to any page by entering the page number.

5. Click the search criteria box again.


6. Configure the following settings to change the query:

Field Value

Attribute Reporting IP

Operator =

Value 192.168.3.1


7. In the Last field, type 5, and select Minutes, then click Save & Run.
Notice how all the results include the reporting IP you specified.

Exercise 5: Multiple Search Conditions

In this exercise, you will explore the use of multiple search conditions.

To add multiple search conditions


1. Continuing the search from the last exercise, click the search field to edit the conditions.
2. In the Next column associated with your existing condition, select AND.
3. In the Row column associated with your existing condition, click the + icon to add another row.
4. Configure the following settings for your second condition:

Field Value

Attribute Destination IP

Operator =

Value 8.8.8.8

5. Modify the Time drop-down list to run the search over the last 10 minutes.

6. Click Save & Run.


Notice that all the events are now reported by the reporting IP you specified and go to the destination IP 8.8.8.8.

Exercise 6: Using the Contain Operator

In this exercise, you will explore the use of the CONTAIN operator.

To use the CONTAIN operator


1. Continuing the search from the last exercise, click the search field and click Clear All to clear the query.

2. Configure the following settings to create a new query:

Field Value

Attribute Event Type

Operator CONTAIN

Value win-security

3. Leave the search time set to the last 10 minutes, and click Save & Run.
You should notice that all events returned are Windows security related.

4. Click the search field to edit the condition.


5. In the Next column associated with your existing condition, select AND.
6. In the Row column associated with your existing condition, click the + icon to add another row.
7. Configure the following query to look only for Windows security events whose user name is not svc_monitor
(User != svc_monitor):

Field Value

Attribute User

Operator !=

Value svc_monitor

8. Leave the search time set to the last 10 minutes, and click Save & Run.
9. Review the Event Details of the raw event log for one of the returned events.

• Once you select the RAW Event log, a white down arrow icon will appear.
• Click the icon to display the Show Detail option, which will enable you to view the Event Details associated with that event.

10. Scroll to the bottom of the structured view and, in the row that contains the User attribute, select Display.
This adds an extra column to the display.

11. Click OK to close the Event Details dialog box, then run your search again.
None of the users should be svc_monitor.

If you do not get any results for any search, run the search over a longer time period.

Exercise 7: Using the IN/NOT IN Operators

In this exercise, you will explore the use of the IN and NOT IN operators.

To use the IN and NOT IN operators


1. Continuing the search from the last exercise, click the search field to modify your query.
2. Modify the existing User condition as follows:

Field      Value
Operator   NOT IN
Value      svc_monitor, administrator

This query is now configured to look for events that are Windows security events but are not from the
administrator or svc_monitor user.

Use the NOT IN operator when specifying the user (that is, the User is NOT IN this list).

3. Next to Time, select Relative then, in the Last field, type 30, and select Minutes.

In your results you may see many users returned with a $. These are computer accounts.

4. Modify your search to exclude these computer accounts by adding an extra condition using the NOT CONTAIN
operator:
a. In the Next column associated with the User condition, select AND.
b. In the Row column associated with the User condition, click the + icon to add another row.
c. Configure the following settings for your new condition:

Field      Value
Attribute  User
Operator   NOT CONTAIN
Value      $

5. Leave the search time set to the last 10 minutes, and click Save & Run.
6. Review the results.
You will get a result similar to the following example:

Exercise 8: Using the IS Operator

In this exercise, you will explore the use of the IS and IS NOT operators.

To use the IS NOT operator


1. Continuing the search from the last exercise, click the search field, then click Clear All to clear your query.
2. Build a search to look for all performance events over a one-hour time period.

All performance events contain the word PH_DEV_MON.

Field      Value
Attribute  Event Type
Operator   CONTAIN
Value      ph_dev_mon

3. Click Save & Run, and view the results.


4. Add a second condition to your query using the IS NOT operator to search only for events that contain the specific
attribute you are interested in.
For example:

Attribute     Operator  Value
Free Disk MB  IS NOT    NULL


5. Leave Time set to Relative then, in the Last field, type 1, and select Hour.
6. Click Save & Run.
7. Open the Event Details dialog box for one of the events, and select check boxes to add the following display
columns:
• Disk Capacity Util
• Disk Name
• Free Disk MB

• Once the RAW Event log is selected, a white down arrow icon will appear.
• Click the icon to display the Show Detail option, which will enable you to view the Event Details associated with that event.


8. Click OK to close the Event Details dialog box.


9. Leave the search time set to the last 1 hour, and click Run.

Review the results. Three new columns were added to the display for all events.

Exercise 9: Using the Greater Than Operator

In this exercise, you will explore the use of the greater than operator.

To use the greater than operator


1. Continuing the search from the last exercise, click the search field to modify the query.
2. Add an additional condition to look only for events where the Disk Capacity Util is greater than 80%:

Field      Value
Attribute  Disk Capacity Util
Operator   >
Value      80

3. Leave the search time set to the last 1 hour and click Save & Run.
4. Review the results.
5. Open the Event Details dialog box for one of the events and remove the following display columns, which you
added in the previous exercise:
• Disk Capacity Util
• Disk Name
• Free Disk MB

• Once the RAW Event log is selected, a white down arrow icon will appear.
• Click the icon to display the Show Detail option, which will enable you to view the Event Details associated with that event.
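The operators used in Exercises 5 to 9 (=, !=, CONTAIN, NOT CONTAIN, NOT IN, IS NOT NULL and >) can be checked offline with the following Python model. It is an added example, not FortiSIEM code and not from the lab; the attribute names follow the lab guide, the sample events are constructed, and the treatment of absent attributes (they satisfy no value comparison except IS NULL) is an assumption of the model.

```python
"""Search-operator semantics from Lab 4 Exercises 5-9, as an added Python
example (not FortiSIEM code). Attribute and operator names follow the lab
guide; the events below are constructed, not captured from FortiSIEM."""
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]
Condition = Tuple[str, str, Any]  # (attribute, operator, value)

# Constructed sample events. A missing key models an attribute the parser
# did not populate, which is what IS NULL / IS NOT NULL test for.
EVENTS: List[Event] = [
    {"Reporting IP": "10.0.1.1", "Destination IP": "8.8.8.8", "Event Type": "FortiGate-traffic"},
    {"Reporting IP": "10.0.1.1", "Destination IP": "1.1.1.1", "Event Type": "FortiGate-traffic"},
    {"Reporting IP": "10.0.1.50", "Event Type": "Win-Security-4624", "User": "svc_monitor"},
    {"Reporting IP": "10.0.1.50", "Event Type": "Win-Security-4624", "User": "administrator"},
    {"Reporting IP": "10.0.1.50", "Event Type": "Win-Security-4634", "User": "WIN2K8$"},
    {"Reporting IP": "10.0.1.50", "Event Type": "Win-Security-4728", "User": "jsmith"},
    {"Reporting IP": "10.0.1.50", "Event Type": "PH_DEV_MON_SYS_DISK_UTIL",
     "Disk Capacity Util": 91.5, "Free Disk MB": 4096},
    {"Reporting IP": "10.0.1.50", "Event Type": "PH_DEV_MON_SYS_CPU_UTIL", "CPU Util": 12.0},
    {"Reporting IP": "10.0.1.60", "Event Type": "PH_DEV_MON_SYS_DISK_UTIL",
     "Disk Capacity Util": 40.0, "Free Disk MB": 81920},
]


def _contains(actual: Any, needle: Any) -> bool:
    # Case-insensitive substring match: the lab searches "ph_dev_mon" and
    # matches PH_DEV_MON_* event types.
    return str(needle).lower() in str(actual).lower()


OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "=": lambda a, v: a == v,
    "!=": lambda a, v: a != v,
    "CONTAIN": _contains,
    "NOT CONTAIN": lambda a, v: not _contains(a, v),
    "IN": lambda a, v: a in v,
    "NOT IN": lambda a, v: a not in v,
    ">": lambda a, v: a > v,
    # IS / IS NOT with the value None are the IS NULL / IS NOT NULL tests.
    "IS": lambda a, v: a is None if v is None else a == v,
    "IS NOT": lambda a, v: a is not None if v is None else a != v,
}


def matches(event: Event, conditions: List[Condition]) -> bool:
    """All conditions are ANDed, as when AND is selected in the Next column."""
    for attribute, operator, value in conditions:
        actual = event.get(attribute)
        if actual is None and operator not in ("IS", "IS NOT"):
            return False  # assumption: an absent attribute satisfies no value comparison
        if not OPERATORS[operator](actual, value):
            return False
    return True


def search(events: List[Event], conditions: List[Condition]) -> List[Event]:
    return [e for e in events if matches(e, conditions)]


# The queries built in Exercises 5 to 9, one per exercise.
LAB_QUERIES: Dict[str, List[Condition]] = {
    "ex5_device_to_8_8_8_8": [("Reporting IP", "=", "10.0.1.1"), ("Destination IP", "=", "8.8.8.8")],
    "ex6_win_security_not_svc_monitor": [("Event Type", "CONTAIN", "win-security"), ("User", "!=", "svc_monitor")],
    "ex7_no_admin_no_computer_accounts": [
        ("Event Type", "CONTAIN", "win-security"),
        ("User", "NOT IN", {"svc_monitor", "administrator"}),
        ("User", "NOT CONTAIN", "$"),
    ],
    "ex8_disk_events_only": [("Event Type", "CONTAIN", "ph_dev_mon"), ("Free Disk MB", "IS NOT", None)],
    "ex9_disk_over_80_percent": [
        ("Event Type", "CONTAIN", "ph_dev_mon"),
        ("Free Disk MB", "IS NOT", None),
        ("Disk Capacity Util", ">", 80),
    ],
}


def run_lab_queries(events: List[Event] = EVENTS) -> Dict[str, List[Event]]:
    return {name: search(events, conds) for name, conds in LAB_QUERIES.items()}


if __name__ == "__main__":
    for name, hits in run_lab_queries().items():
        print(f"{name}: {len(hits)} event(s)")
```

The IS NOT NULL condition is what makes Exercise 8 work: a CPU event has no Free Disk MB attribute at all, so it is dropped even though its event type contains ph_dev_mon, and the > 80 condition of Exercise 9 then only has disk events to compare.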

You have completed Lab 4.

Lab 5: CMDB Lookups and Filters

In this lab, you will explore how the CMDB can be referenced in searches within FortiSIEM.

Objectives
• Reference CMDB elements in your search criteria
• Add and remove display columns
• Use multiple tabs to compare similar search results
• Expert challenge (unguided search scenarios)

Time to Complete
Estimated: 45 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.

Exercise 1: Selecting Devices from CMDB

In this exercise, you will learn how to reference devices from the CMDB in your search criteria.

To select devices from the CMDB


1. On the Student Workstation VM, open the Firefox browser and enter the following URL to access the
FortiSIEM GUI: https://10.0.1.130/phoenix/login-html.jsf

There is a link for the FortiSIEM GUI on the browser's Favorites bar.

2. Click the ANALYTICS tab.


3. Click the search field to edit the condition.
4. The Filter editor opens.
5. Click Clear All to clear the previous query.

6. Configure the following settings:

Field      Value
Attribute  Reporting IP
Operator   IN

7. Click the Value field and select ...Select from CMDB.

This is known as the CMDB Device Selector.

The CMDB Select Value dialog box opens.


8. In the CMDB dialog box, in the Folders pane, click Devices > Network Device > Firewall.
The firewall devices appear in the middle column.

9. In the Items pane, select a firewall.


10. Click >> to add the folder to the Selections pane.
11. Click OK to close the CMDB dialog box.

12. Next to Time, select Relative then, in the Last field, type 20, and select Minutes.
13. Click Save & Run.

If you do not get any results for any search, run the search over a longer time period.

To add a second query


1. Click the search field again to add a second condition to your query:
a. In the Next column associated with your existing condition, select AND.
b. In the Row column associated with your existing condition, click the + button.
c. Complete the following for your second condition:

Field      Value
Attribute  Event Type
Operator   IN

d. Click the Value field and select ...Select from CMDB.


e. Click Event Types > Regular Traffic > Denied Traffic, then click >> to add the folder to Selections.

f. Click OK.
2. Leave Time set to Relative then, in the Last field, type 20, and select Minutes.
3. Click Save & Run.
This will narrow your search to only denied traffic events.

If you do not get any results for any search, run the search over a longer time period.

To add a third query


1. Click the search field again to add a third condition to your query:
a. In the Next field of the second condition, select AND then, in the Row field, click + to add a third condition.
b. Add the following third condition to view events where the Destination IP is NOT IN a Private RFC 1918
address:

Field      Value
Attribute  Destination IP
Operator   NOT IN
c. Click the Value field and select ...Select from CMDB.
d. Click Networks > Private Net.
Notice this lists three network entries that relate to the Private IP space of RFC 1918.

e. Click >> to add the folder to Selections.


f. Click OK.
2. Leave Time set to Relative then, in the Last field, type 20, and select Minutes.
3. Click Save & Run.
In the results, you should notice that all the destination IP addresses are external to the network, but you may
also have some events where the source is also a public IP.

• Make sure Wrap Raw Event is selected.
• Make sure Show Event Type is selected.

To add a fourth query


1. Create a fourth filter condition for your query:
a. In the Next field of the third condition, select AND then, in the Row field, click + to add a fourth condition.
b. Add the following fourth condition to view events where any source IP is in the Private Network group:

Field      Value
Attribute  Source IP
Operator   IN

c. Click the Value field and select ...Select from CMDB.


d. Click Networks > Private Net.

e. Click >> to add the folder to Selections.
f. Click OK.
2. Leave Time set to Relative then, in the Last field, type 20, and select Minutes.
3. Click Save & Run.
Your final queries should look like the following example:

4. Once the search is complete, click the Display Fields drop-down list and add a new row to display a column for
Destination TCP/UDP Port.

5. Run the search again and see if you can identify the most commonly blocked port.
The search result should look like the following example:


6. Once you have finished reviewing the event logs, click the Display Fields drop-down list again.
7. Remove the Destination TCP/UDP Port display column by selecting the - icon in the Row column, then click
Save.

You can build queries similar to the one in this exercise for other device types, such as Windows servers.
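The four-condition query of this exercise (firewall reporting IPs, denied traffic, destination NOT IN Private Net, source IN Private Net) and the port count of step 5 can be reproduced offline with the following Python example. It is added here and is not FortiSIEM code: the CMDB folders are modelled as Python collections, the RFC 1918 ranges are the three entries the exercise points out under Networks > Private Net, and the firewall IPs, event type names and events are constructed for illustration.

```python
"""CMDB network-group lookups from Lab 5 Exercise 1, as an added Python
example (not FortiSIEM code). The CMDB folders used in the exercise are
modelled as Python collections; member lists and events are constructed."""
import ipaddress
from collections import Counter
from typing import Any, Dict, Iterable, List, Optional

# Networks > Private Net: the three RFC 1918 ranges the exercise points out.
PRIVATE_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Devices > Network Device > Firewall: reporting IPs of firewalls (constructed).
FIREWALLS = {"10.0.1.1", "10.0.1.2"}
# Event Types > Regular Traffic > Denied Traffic: member event types (constructed names).
DENIED_TRAFFIC = {"FortiGate-traffic-deny", "ASA-106023-deny"}

# Constructed firewall events. The event with a public source IP and the one
# with a private destination are the cases the exercise says you may see.
EVENTS: List[Dict[str, Any]] = [
    {"Reporting IP": "10.0.1.1", "Event Type": "FortiGate-traffic-deny",
     "Source IP": "192.168.0.10", "Destination IP": "203.0.113.5", "Destination TCP/UDP Port": 445},
    {"Reporting IP": "10.0.1.1", "Event Type": "FortiGate-traffic-deny",
     "Source IP": "192.168.0.11", "Destination IP": "203.0.113.9", "Destination TCP/UDP Port": 445},
    {"Reporting IP": "10.0.1.2", "Event Type": "ASA-106023-deny",
     "Source IP": "10.20.0.4", "Destination IP": "198.51.100.7", "Destination TCP/UDP Port": 23},
    # public source: excluded by Source IP IN Private Net
    {"Reporting IP": "10.0.1.1", "Event Type": "FortiGate-traffic-deny",
     "Source IP": "198.51.100.20", "Destination IP": "203.0.113.5", "Destination TCP/UDP Port": 445},
    # private destination: excluded by Destination IP NOT IN Private Net
    {"Reporting IP": "10.0.1.1", "Event Type": "FortiGate-traffic-deny",
     "Source IP": "192.168.0.10", "Destination IP": "172.16.10.6", "Destination TCP/UDP Port": 22},
    # permitted traffic: excluded by Event Type IN Denied Traffic
    {"Reporting IP": "10.0.1.1", "Event Type": "FortiGate-traffic-permit",
     "Source IP": "192.168.0.10", "Destination IP": "203.0.113.5", "Destination TCP/UDP Port": 443},
    # reported by a server, not a firewall: excluded by Reporting IP IN Firewall
    {"Reporting IP": "10.0.1.50", "Event Type": "ASA-106023-deny",
     "Source IP": "192.168.0.12", "Destination IP": "203.0.113.77", "Destination TCP/UDP Port": 445},
]


def in_network_group(ip: str, group: Iterable[ipaddress.IPv4Network]) -> bool:
    """Equivalent of <IP attribute> IN <CMDB network folder>: true when any
    range in the folder contains the address."""
    address = ipaddress.ip_address(ip)
    return any(address in network for network in group)


def denied_outbound_from_private(events: List[Dict[str, Any]],
                                 firewalls=FIREWALLS, denied=DENIED_TRAFFIC,
                                 private=PRIVATE_NET) -> List[Dict[str, Any]]:
    """The four ANDed conditions of Exercise 1: Reporting IP IN Firewall,
    Event Type IN Denied Traffic, Destination IP NOT IN Private Net,
    Source IP IN Private Net."""
    return [
        e for e in events
        if e["Reporting IP"] in firewalls
        and e["Event Type"] in denied
        and not in_network_group(e["Destination IP"], private)
        and in_network_group(e["Source IP"], private)
    ]


def port_counts(events: List[Dict[str, Any]]) -> Counter:
    """Destination TCP/UDP Port as a display column, counted per port."""
    return Counter(e["Destination TCP/UDP Port"] for e in denied_outbound_from_private(events))


def most_blocked_port(events: List[Dict[str, Any]]) -> Optional[int]:
    """Step 5: the most commonly blocked port, or None if nothing matched."""
    counts = port_counts(events)
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    for event in denied_outbound_from_private(EVENTS):
        print(event["Source IP"], "->", event["Destination IP"], event["Destination TCP/UDP Port"])
    print("most commonly blocked port:", most_blocked_port(EVENTS))
```

Modelling the CMDB folder as a list of networks rather than a list of addresses is what makes the NOT IN test correct for any address in the RFC 1918 space, not just those seen before; the same lookup serves the internal and external network lists used in the expert challenge of Exercise 3.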

Exercise 2: Searching for Particular Categories of Events

In this exercise, you will learn how to select event categories from the CMDB in your search criteria.

To use an event category from CMDB


1. Click the ANALYTICS tab, then click the search field to edit the condition.
The Filter editor opens.

2. Click the Clear All button to clear any existing conditions.


3. Add the following condition:

Field      Value
Attribute  Event Type
Operator   IN

4. Click the Value field and select ...Select from CMDB.


5. Click Event Types > Change > Account Change.
6. Click >> to add the folder to Selections.

7. Click OK to close the CMDB dialog box.


8. Run the search over the last 2 hours.

To add a condition to an existing filter from event logs


1. In the received results, select the Event Type with the name Win-Security-4728.

Win-Security-4728 may not be on the first page of the search results.

• Make sure Wrap Raw Event is selected.
• Make sure Show Event Type is selected.

2. In the Event Type field associated with your selected event type, click the white down arrow that appears, then
select Add to Filter.

3. Click the search criteria field.


You should see that the Win-Security-4728 event type has been added as a filter to your query.

4. Close the Conditions dialog box.


5. Run the search again over the last 4 hours.

To build a query for investigation of an event without losing the existing query
1. Examine the Event Details of the raw event log for one of the returned events.

• Once the RAW Event log is selected, a white down arrow icon will appear.
• Click the icon to display the Show Detail option, which will enable you to view the Event Details associated with that event.

2. In the Event Details dialog box, in the Display column, select the Target User, Target User Group, User and
Destination IP check boxes, to add those items as display fields.
3. Close the Event Details dialog box.
4. Run the search again over the last 4 hours.
5. Investigate any events with the administrator user in more detail, without losing the existing query:

a. Select an event with the User set to administrator.
b. In the User column, click the white down arrow.
c. Select Add to Tab.
d. In the Add To Tab dialog box, select Add to New Tab.

The second tab becomes the active tab in the GUI. You should now have two query tabs. 

6. Click the search field on the newly opened second tab.


Your extra filter condition has been added. Your existing query is also still open on the first tab.

7. Click the first tab and select the event with the destination IP of 10.1.1.33.
8. In the Reporting IP column of that event, click the white down arrow, then click Add to Tab.

9. This time, select an existing tab by clicking [1] Raw Messages then, in the drop-down list that appears, select the
second tab [2] Raw Messages.
10. Click OK.

The second tab becomes the active tab in the GUI.

11. Click the search field again to validate that the additional row for the reporting IP filter has been added to the
query.

12. Next to Time, select Relative then, in the Last field, type 10, and select Hours.
13. Click Save & Run and review the results.

Exercise 3: Expert Challenge

In this exercise, you will be presented with various scenarios, for which you must identify the search criteria that
will produce the desired outcome.

To conduct scenario-based historical searches


1. Click the ANALYTICS tab, then click the search field to edit the condition.
2. For a historic event search, use Relative or Absolute options for Time.
3. Close any search tabs that are open, then attempt the searches below:
a. The server admin is reporting unusual activity
There has been some unusual behavior reported by the Solaris administrator. The administrator wants to
see a report of all events reported by the Solaris device with IP Address 172.16.10.6 over the last 2
hours and identify the following:

Which user had failed an SSH login?

From what IP Address?

See "Appendix: Answer Sheet" on page 215 for the answer.

b. The firewall team is reporting some strange activity occurring from an IP


The firewall team has asked you to produce a search of all events between source IP 68.94.156.1 and
destination IP 192.168.0.10 over the last 2 hours, and display the destination TCP/UDP port.

They suspect this machine could have been compromised.

Do you see any suspicious port usage in your results? See "Appendix: Answer Sheet" on page 215 for the
answer.

c. Security team firewall rule validation


The firewall team implemented a new firewall, but they are unsure if they configured it correctly. They
would like a report of all logs from a source IP in the internal network to an external destination IP that are
permitted connections, but not on the common TCP/UDP ports of 80, 443, 53, or 123.

Produce the report and determine whether they were successful or not over the last three hours, and
display the destination TCP/UDP port as a display column.

The firewall should only allow common web traffic (ports 80, 443, 53, 123) outbound. Do your results
indicate the firewall rules are correctly implemented?

Use the CMDB to determine permitted traffic classifications for events and network
lists for internal and external traffic.

See "Appendix: Answer Sheet" on page 215 for the answer.

d. Malware alert
There has been plenty of news in the media about malware attacks originating in Asia. The CISO wants to
know if any internal traffic was permitted to any country in Asia in the last 2 hours that was not on
TCP/UDP ports 25, 53, 80, 123, or 443.

Add Sent Bytes, Total Bytes, and Destination TCP/UDP Port as display columns to the results.

See "Appendix: Answer Sheet" on page 215 for the answer.

e. Slow network performance to a remote site


The NOC manager is getting complaints about slow performance to remote sites. These remote sites all
connect through the core switch SJ-Main-Cat6500.

Produce a list of any events where the Sent Interface Util is greater than 20%, and identify which
interfaces on the switch have this issue. Create the search over the last 8 hours.

Select the correct device from the CMDB, and use the PH_DEV_MON_NET_INTF_UTIL event.

See "Appendix: Answer Sheet" on page 215 for the answer.

You have completed Lab 5.

Lab 6: Group By and Aggregation

In this lab, you will explore the data aggregation features of FortiSIEM.

Objectives
• Group by a single and multiple attributes
• Aggregate data
• Expert challenge

Time to Complete
Estimated: 60 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.

Exercise 1: Grouping By Single and Multiple Attributes

In this exercise, you will learn how to group similar events based on a single and multiple attributes.

To set search filter criteria


1. From the Student Workstation VM, open the Firefox browser and enter the following URL to access the
FortiSIEM GUI: https://10.0.1.130/phoenix/login-html.jsf

There is a link for the FortiSIEM GUI on the browser's Favorites bar.

2. In the FortiSIEM GUI, click the ANALYTICS tab and click the search field to edit the condition.
3. Click Clear All to clear any existing conditions.
4. In the Filters editor, complete the following to create a new query:

Field      Value
Attribute  Reporting IP
Operator   IN

5. In the Value field, click Select from CMDB .


6. Click Devices > Network Device > Firewall.
7. Click >> to add the folder to Selections and then click OK.
8. For Time select Relative, in the Last field, type 1, and select Hour from the drop-down list.
9. Click Save & Run.

To apply Group By feature
1. Click Display Fields.
A drop-down list will appear.
2. Beside the Event Receive Time, Event Type, and Raw Event Log attributes, under the Row column, click the
minus icon to remove them.

Leave the Reporting IP.

3. Click the plus icon + under the Row column to add a new row.
4. Click in the Attribute field and select Expression Builder.

A dialog box will appear to build an expression.

5. In the Function field, choose COUNT and click the plus icon.
6. In the Event Attribute field, choose the only available option, Matched Events, and click the plus icon.
7. Once the expression is added, in the Expression field, click Validate.
A pop-up message should display, reading “Expression is valid."

FortiSIEM 5.1 Lab Guide 106


Fortinet Technologies Inc.
DO NOT REPRINT Exercise 1: Grouping By Single and Multiple Attributes

© FORTINET
8. Close the pop-up and click OK to close the Expression Builder dialog box.
Your final Display Fields settings should look as follows:

9. In the Display Fields dialog box, click Save & Run to view Group By results.
In the results, you will see a top-down list of the reporting IP addresses that reported the most events in that
1 hour time period. Notice that the Reporting IP column is returned along with a COUNT (Matched Events)
column.

10. Browse the different chart options at the top right of the graph. Choose the following:
• Bar chart
• Donut chart

To add multiple Group By attributes


1. Click the Display Fields icon again; a drop-down list will appear.
2. In the Row column of the Reporting IP row, click the plus icon + to add a new row above the COUNT expression row.
3. Add the following attributes, one by one. Each time you add an attribute, click the plus icon + in the Row
column to add a new row for the next attribute.
• Source IP
• Destination IP
• Destination TCP/UDP Port

4. Click Save & Run.

You should see a top-down list of the most reported combinations of reporting IP, source IP, destination IP, and
destination TCP/UDP port over the time period.

5. Change the time to 2 hours and rerun the search query to view the results over the increased time period.

In order to change the time period, you need to open Filters editor by clicking the
search field under the ANALYTICS tab.

You will notice that, even after executing the query for 2 hours, the display fields for group by remain the
same.

You can use Clear All to reset both Filters and Display Fields to default settings.

Exercise 2: Adding Aggregating Data

In this exercise, you will learn how to add an aggregation condition to your search criteria.

To set search filter criteria


1. In the FortiSIEM GUI, click the ANALYTICS tab and click the plus icon + to add a new tab for a search.

2. Click the search field to edit the condition.


3. In the Filters editor, complete the following to create a new query:

Field      Value
Attribute  Reporting IP
Operator   =

4. In the Value field, click Select from CMDB .


5. Click Devices > Server > Windows.
6. In Items, select device WIN2K8.
7. Click > to add the device to Selections.
8. Click OK.
9. In the Next column beside the existing condition, select AND.
10. In the Row column beside the existing condition, click the + icon to add another row.
11. Complete the following for your second condition:

Field      Value
Attribute  Event Type
Operator   CONTAIN
Value      PH_DEV_MON_SYS (typed in)

12. For Time, select Relative, in the Last field, type 1, and select Hour from the drop-down list.
13. Click Save & Run.

To set display fields for aggregation


1. Once you get results, select the event PH_DEV_MON_SYS_DISK_UTIL.

• Make sure Wrap Raw Event is selected.
• Make sure Show Event Type is selected.

2. From the Event Type column associated with the event, click the down arrow and select Add to Filter.

3. Run the search again for the last 1 hour.


You should now have your search results filtered to just disk utilization events.

4. Open the Event Details dialog box for one of the events and add the following columns to the display:
• Disk Name
• Disk Capacity Util
• Free Disk (MB)
• Total Disk (MB)

• Once the RAW Event log is selected, a down arrow icon will appear.
• Clicking the icon will provide a Show Detail option to view the event details associated with that event.

5. Click OK to close the Event Details dialog box.
6. Click the Display Fields drop-down list arrow icon.
You will notice that the display attributes you have added from Event Details are present.

7. Remove the following rows from the Display Fields by clicking the minus icon - in the Row column:
• Event Receive Time
• Event Type
• Raw Event Log
8. Run the search again.
Now you can see disk related attributes with reporting IP.

To aggregate events
1. Click the Display Fields drop-down list and edit the fields using one of the following methods:
• Edit the Disk Capacity Util attribute by removing the text in its existing row, then click Expression Builder.
• Remove the Disk Capacity Util row, add a new row at the bottom, and click Expression Builder.
2. In the Function drop-down list, select AVG and click the plus icon +.
3. Under the Event Attribute drop-down list, type Disk Capacity Util and click the plus icon +.

4. Click OK to close the Expression Builder dialog box.
5. Under the Display Fields edit the fields using one of the following methods:
• Edit the Free Disk MB attribute by removing the existing text entry and adding the expression LAST(Free Disk MB).
• Remove the row for the Free Disk MB attribute, add a new row, and add the expression LAST(Free Disk MB) using Expression Builder.
6. Click OK.
7. Run the search over the last 10 hours.
Results will be aggregated in one line for 10 hours (values shown below may vary).

To aggregate disk utilization for all servers


1. Edit the search condition again and remove the entry for Reporting IP = Device: WIN2K8.
2. Add the following condition:

Field      Value
Attribute  Reporting IP
Operator   IN

3. In the Value field, click Select from CMDB and click Devices > Servers.
4. Click >> to add the folder to Selections and then click OK.
5. Select Time as Relative, in the Last field, type 24, and select Hours from the drop-down list.
6. Click Save.
7. Click the Display Fields icon, then add a row for Reporting Device by clicking the plus icon in the Row column of the
Reporting IP row.
8. Click the up arrow icon in the Move column of the Reporting Device row to move it to the top.
9. Click Save & Run.
You will get the aggregated average disk utilization of all servers in a 24-hour time period.

Do you notice any pattern in the way results are displayed? See "Appendix: Answer Sheet" on page 216, for
the answer.
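The Group By and aggregation expressions used in Exercise 1 (COUNT(Matched Events) by Reporting IP) and Exercise 2 (AVG(Disk Capacity Util) and LAST(Free Disk MB) by Reporting Device and Disk Name) work the same way as the following Python example, which is added here and is not FortiSIEM code. The disk utilization events are constructed, with an Event Receive Time so that LAST has a newest value to pick; the descending sort on the first expression mirrors the top-down list the ANALYTICS tab shows.

```python
"""Group By and aggregation expressions from Lab 6, as an added Python
example (not FortiSIEM code): COUNT(Matched Events) grouped by Reporting IP
(Exercise 1) and AVG(Disk Capacity Util) with LAST(Free Disk MB) grouped by
Reporting Device and Disk Name (Exercise 2). The events are constructed."""
from collections import defaultdict
from statistics import mean
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]

# Constructed PH_DEV_MON_SYS_DISK_UTIL samples; Event Receive Time is epoch seconds.
DISK_EVENTS: List[Event] = [
    {"Event Receive Time": 1000, "Reporting IP": "10.0.1.50", "Reporting Device": "WIN2K8",
     "Disk Name": "C:", "Disk Capacity Util": 82.0, "Free Disk MB": 9000},
    {"Event Receive Time": 1300, "Reporting IP": "10.0.1.50", "Reporting Device": "WIN2K8",
     "Disk Name": "C:", "Disk Capacity Util": 84.0, "Free Disk MB": 8000},
    {"Event Receive Time": 1600, "Reporting IP": "10.0.1.50", "Reporting Device": "WIN2K8",
     "Disk Name": "C:", "Disk Capacity Util": 86.0, "Free Disk MB": 7000},
    {"Event Receive Time": 1300, "Reporting IP": "10.0.1.50", "Reporting Device": "WIN2K8",
     "Disk Name": "D:", "Disk Capacity Util": 20.0, "Free Disk MB": 400000},
    {"Event Receive Time": 1200, "Reporting IP": "10.0.1.60", "Reporting Device": "SOLARIS01",
     "Disk Name": "/", "Disk Capacity Util": 55.0, "Free Disk MB": 22000},
    {"Event Receive Time": 1500, "Reporting IP": "10.0.1.60", "Reporting Device": "SOLARIS01",
     "Disk Name": "/", "Disk Capacity Util": 57.0, "Free Disk MB": 21000},
]

# Aggregation functions of the kind the Expression Builder offers, applied to
# the events of one group. COUNT ignores its attribute (Matched Events).
AGGREGATES: Dict[str, Callable[[List[Event], str], Any]] = {
    "COUNT": lambda rows, attr: len(rows),
    "AVG": lambda rows, attr: mean(r[attr] for r in rows),
    "MAX": lambda rows, attr: max(r[attr] for r in rows),
    "MIN": lambda rows, attr: min(r[attr] for r in rows),
    # LAST: the value carried by the most recently received event of the group.
    "LAST": lambda rows, attr: max(rows, key=lambda r: r["Event Receive Time"])[attr],
}


def group_by(events: List[Event], keys: Tuple[str, ...],
             expressions: List[Tuple[str, str]]) -> List[tuple]:
    """Return one row per distinct key tuple: the key values followed by one
    value per (function, attribute) expression. Rows are sorted by the first
    expression, descending, like the top-down list in the ANALYTICS tab."""
    buckets: Dict[tuple, List[Event]] = defaultdict(list)
    for event in events:
        buckets[tuple(event[k] for k in keys)].append(event)
    rows = []
    for key, members in buckets.items():
        values = tuple(AGGREGATES[fn](members, attr) for fn, attr in expressions)
        rows.append(key + values)
    rows.sort(key=lambda row: row[len(keys)], reverse=True)
    return rows


def count_by_reporting_ip(events: List[Event] = DISK_EVENTS) -> List[tuple]:
    """Exercise 1 display fields: Reporting IP, COUNT(Matched Events)."""
    return group_by(events, ("Reporting IP",), [("COUNT", "Matched Events")])


def disk_summary(events: List[Event] = DISK_EVENTS) -> List[tuple]:
    """Exercise 2 display fields: Reporting Device, Disk Name,
    AVG(Disk Capacity Util), LAST(Free Disk MB)."""
    return group_by(events, ("Reporting Device", "Disk Name"),
                    [("AVG", "Disk Capacity Util"), ("LAST", "Free Disk MB")])


if __name__ == "__main__":
    for row in count_by_reporting_ip():
        print(row)
    for row in disk_summary():
        print(row)
```

Adding Disk Name to the Group By keys is what keeps the C: and D: volumes of WIN2K8 in separate rows; grouping by Reporting Device alone would average two unrelated disks together, which is the kind of pattern the question above asks you to look for in the 24-hour results.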

Exercise 3: Expert Challenge

In this exercise, you will be presented with various scenarios, for which you must determine the proper search
criteria that will produce the desired outcome.

To conduct scenario-based historical searches


1. Click the ANALYTICS tab and click the search field to edit the condition.
2. For a historic event search, use Relative or Absolute options for Time.
3. Select appropriate Display Fields and apply Group By and Aggregation expressions to achieve desired results for
scenarios in this challenge.
4. Close any search tabs that are open and attempt the searches below:
a. Firewall Reporting 1
The customer wants to know which firewall device reported the most events over the last 30-minute time
period.

See "Appendix: Answer Sheet" on page 216 for the answer.

b. Firewall Reporting 2
The customer wants to know which is the most common destination country of any firewall events that are
not on destination TCP/UDP Port of 21, 80, 443 or 53 over the last 1 hour.

Also remove the NULL entry in your results.

See "Appendix: Answer Sheet" on page 216 for the answer.

c. Firewall Reporting 3
The customer wants to know what is the most common source country for any denied traffic events
reported by a firewall device in the last 30 minutes.

See "Appendix: Answer Sheet" on page 216 for the answer.

d. Resource Utilization Reporting (Part 1)


The customer wants to see a list of all the CPU and memory usage for each process on device
192.168.0.16 over the last 30 minutes.

Produce a report showing the Reporting IP, Application Name, Software Name, CPU Util, and
Memory Util and hide all other display columns.

Use Event Type: PH_DEV_MON_PROC_RESOURCE_UTIL

What events does this report produce? See "Appendix: Answer Sheet" on page 217 for the answer.

e. Resource Utilization Reporting (Part 2)


After the last report, the customer said the report contains the same process over and over again in the
results. He would simply like to see a report for each application name and software name and an average
CPU Util value and maximum Memory Util value.

Use the display column expression builder.

Run the report over the last 6 hours.

You have completed Lab 6.

Lab 7: Rules

In this lab, you will configure rules to generate incidents.

Objectives
• Explore a simple rule
• Explore a performance and availability rule
• Create a simple rule to alert on a specific event
• Add watch lists
• Import rules

Time to Complete
Estimated: 75 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.

Exercise 1: Exploring a Simple Rule Example

In this exercise, you will explore the structure of a simple rule.

To view a rule
1. From the Student Workstation VM, open the Firefox browser and enter the following URL to access the
FortiSIEM GUI: https://10.0.1.130/phoenix/login-html.jsf

There is a link for the FortiSIEM GUI on the browser's Favorites bar.

2. Click the RESOURCES tab.


3. In the left pane, click Rules.
4. In the main window, select Account Locked: Domain and click Edit.

Make note of the severity of the rule and also the function. See "Appendix: Answer Sheet" on page 217 for
the answer.

What time period is the rule evaluating the pattern over? See "Appendix: Answer Sheet" on page 217 for the
answer.

5. In the Condition section, under the Subpattern column, beside DomainAcctLockout, click the pencil icon.

6. Review the rule sub-pattern.


The sub-pattern is looking for a match of one or more events under the Domain Account Locked event
type in the CMDB, and only those reported by devices that are categorized as a domain controller.

Make a note of the attributes in the Group By section. See "Appendix: Answer Sheet" on page 217 for the
answer.

7. Click Cancel to exit the rule pattern.


8. In the Actions section, click the pencil icon to edit.

9. Review the parameters provided in the Generate Incident for: Account Locked:Domain dialog box.
The parameters determine how the incident source and incident target are determined, along with what
information is populated as the incident details.

In the Triggered Attributes section, make a note of the attributes in the Selected Attributes column. See
"Appendix: Answer Sheet" on page 217 for the answer.

10. Click Cancel to close the Generate Incident for: Account Locked:Domain dialog box and then click Cancel
to exit the rule definition.
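The parts of the rule you just reviewed (a sub-pattern that matches an event type group and a reporting device group, a Group By, an evaluation time window, a count function, and an action that maps the match to an incident source and target) fit together as in the following Python evaluator. It is an added example, not FortiSIEM code and not the rule's own definition: the Group By attributes (User, Reporting IP), the 5-minute window and the threshold of one event are assumptions for illustration rather than the values on the answer sheet, the event type Win-Security-4740 is an assumed member of the Domain Account Locked group, and the domain controller IP and events are constructed.

```python
"""A rule evaluator with a sub-pattern, Group By, time window and count
threshold, as an added Python example (not FortiSIEM code). It mirrors the
structure reviewed for Account Locked: Domain. The Group By attributes
(User, Reporting IP), the 5-minute window and the threshold of one event
are assumptions for illustration, not the values from the answer sheet, and
the CMDB group members and events are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Any, Deque, Dict, List, Set, Tuple

Event = Dict[str, Any]

# Event Types > Security > Login Failure > Domain Account Locked (assumed member).
DOMAIN_ACCOUNT_LOCKED: Set[str] = {"Win-Security-4740"}
# Applications > Infrastructure App > Domain Controller (constructed reporting IP).
DOMAIN_CONTROLLERS: Set[str] = {"10.0.1.50"}


@dataclass
class Rule:
    name: str
    event_types: Set[str]      # sub-pattern: Event Type IN this CMDB group
    reporting_ips: Set[str]    # sub-pattern: Reporting IP IN this CMDB group
    group_by: Tuple[str, ...]  # one sliding window per distinct tuple of these attributes
    window_seconds: int
    count_threshold: int       # COUNT(Matched Events) >= threshold triggers


ACCOUNT_LOCKED_DOMAIN = Rule("Account Locked: Domain", DOMAIN_ACCOUNT_LOCKED,
                             DOMAIN_CONTROLLERS, ("User", "Reporting IP"), 300, 1)

# Constructed events; 10.0.1.99 is not a domain controller and 4624 is not a lockout.
SAMPLE_EVENTS: List[Event] = [
    {"Event Receive Time": 100, "Event Type": "Win-Security-4740", "Reporting IP": "10.0.1.50", "User": "jsmith"},
    {"Event Receive Time": 110, "Event Type": "Win-Security-4740", "Reporting IP": "10.0.1.99", "User": "jsmith"},
    {"Event Receive Time": 120, "Event Type": "Win-Security-4624", "Reporting IP": "10.0.1.50", "User": "jsmith"},
    {"Event Receive Time": 200, "Event Type": "Win-Security-4740", "Reporting IP": "10.0.1.50", "User": "jsmith"},
    {"Event Receive Time": 250, "Event Type": "Win-Security-4740", "Reporting IP": "10.0.1.50", "User": "jsmith"},
    {"Event Receive Time": 260, "Event Type": "Win-Security-4740", "Reporting IP": "10.0.1.50", "User": "svc_monitor"},
    {"Event Receive Time": 900, "Event Type": "Win-Security-4740", "Reporting IP": "10.0.1.50", "User": "jsmith"},
    {"Event Receive Time": 1300, "Event Type": "Win-Security-4740", "Reporting IP": "10.0.1.50", "User": "jsmith"},
]


def evaluate(rule: Rule, events: List[Event]) -> List[Dict[str, Any]]:
    """Replay events in receive order and return the incidents the rule would
    generate. Incident Source is the reporting device and Incident Target the
    locked user, the kind of mapping set in the rule's Actions section."""
    windows: Dict[tuple, Deque[Event]] = defaultdict(deque)
    incidents: List[Dict[str, Any]] = []
    for event in sorted(events, key=lambda e: e["Event Receive Time"]):
        if event["Event Type"] not in rule.event_types or event["Reporting IP"] not in rule.reporting_ips:
            continue  # sub-pattern not matched
        now = event["Event Receive Time"]
        window = windows[tuple(event[a] for a in rule.group_by)]
        window.append(event)
        while now - window[0]["Event Receive Time"] > rule.window_seconds:
            window.popleft()  # drop events older than the evaluation window
        if len(window) >= rule.count_threshold:
            incidents.append({
                "Rule": rule.name,
                "Incident Source": event["Reporting IP"],
                "Incident Target": event["User"],
                "Count": len(window),
                "Last Seen": now,
            })
            window.clear()  # assumption: one incident per window, then start counting again
    return incidents


if __name__ == "__main__":
    for incident in evaluate(ACCOUNT_LOCKED_DOMAIN, SAMPLE_EVENTS):
        print(incident)
```

With a threshold of one, every lockout reported by a domain controller becomes its own incident; raising the threshold on the same structure (for example three lockouts of one user within the window) is what turns the rule from a notification into a repeated-lockout detection, and the Group By decides whether that count is per user, per reporting device, or both.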

To set search filter criteria


1. Click the ANALYTICS tab.
2. Click the search field to edit the condition.
The Filter editor appears.

3. Add the following condition:

Field Value

Attribute Event Type

Operator IN

4. Click the Value field and select ...Select from CMDB.


5. Navigate to Event Types > Security > Login Failure > Domain Account Locked.
6. Click the add folder icon (>>), and then click OK.
7. In the Next field for that attribute, select AND.
8. Add a row and create a second condition:

Field Value

Attribute Reporting IP

Operator IN

9. Click in the Value field and select ...Select from CMDB.


10. Navigate to Applications > Infrastructure App > Domain Controller.
11. Click the add folder icon (>>), and then click OK.
12. Select Time as Real Time.
13. Click Save & Run.

To generate events
1. Navigate to LABS SET 2 on the NSE Institute website and under Lab 7 – Rules select Exercise 7.1 –
Account Lockout Events.
The output should resemble the following:

To review received events
1. Go back to the tab with the FortiSIEM GUI.
2. Click Pause after the event is received.

l Make sure Wrap Raw Event is ticked.


l Make sure Show Event Type is ticked.

3. Examine the Event Details of the raw event log for the returned event.

l Once the RAW Event log is selected, a white down arrow icon appears.
l Clicking the icon reveals the Show Detail option, which you can use to view the Event Details
associated with that event.

4. Review the reporting IP of the event along with the user that locked out their account.
5. Close the Event Details dialog box.

To view Incident for the rule Account Locked Domain


1. Click the INCIDENTS tab.
2. Click List to view the incident table.
3. Click Actions and select Search from the drop-down list.

4. Click the Last 2 Hours option to change the time range.


5. Select Relative, and in the Last field, type 30, and select Minutes.
6. Click Apply Time Range.

7. Click the Incident Name:ALL drop-down list.


Different incidents will appear.

8. In the Incident Name:ALL field, click Search, and type keyword locked.

9. Select the Account Locked:Domain incident, and then click Close at the bottom of the left pane.

10. Hover your cursor over the Target column for this incident.
Notice it reports an IP address and user that matches what you saw in the real-time search.

11. Select the incident and in the lower pane, review the incident details.

If you select an incident and the lower pane does not appear, click the up arrow icon
to expand the lower pane manually.

You can select the auto expand option in the lower pane, so you don't have to keep
manually expanding the lower pane for incidents.

12. Click the Events tab.


Do the details match what you recorded in step 6 of the To view a rule section of this exercise? See
"Appendix: Answer Sheet" on page 218 for the answer.

Before proceeding to the next exercise, under the INCIDENTS tab, click Actions >
Search, and clear all of the selections.

Exercise 2: Exploring a Performance Rule Example

In this exercise, you will explore an existing performance monitoring rule.

To view a performance monitoring rule


1. Click the ANALYTICS tab.
2. Click the search field to edit the condition.
The Filters editor opens.

3. Click Clear All to clear the previous query.

4. Add the following condition:

Field Value

Attribute Reporting IP

Operator =

Value 192.168.0.40

Next AND

5. Under the Row column, click the + icon to add a second condition:

Field Value

Attribute Event Type

Operator CONTAIN

Value SYS_DISK_UTIL

6. In the Time section, select Relative, and in the Last field, type 5, and select Minutes from the drop-down menu.
7. Click Save & Run.

Because this is a demo system, the results are not strictly representative. In a production system,
this event would be collected every 3 minutes, for each disk. You will probably see more
events, which are related to the fake data replay mechanism used.

8. Examine the Event Details of the raw event log for one of the returned events.

l When you select the RAW Event log, a down arrow icon appears.
l Clicking the down arrow icon reveals the Show Detail option, which you can use to
view the Event Details associated with that event.

9. The relevant attributes in this event are the following:


l Disk Capacity Util
l Disk Name
l Free Disk MB
l Host IP
l Host Name
l Total Disk MB
l Used Disk MB
10. Close the Event Details dialog box.

To view performance threshold values for a device in CMDB


1. Click the CMDB tab.
2. In the left pane, click Devices > Server > Windows.
3. From the main window, click WIN2K8 (192.168.0.40), and then click Edit.
The Edit Device dialog box opens.

4. Click the Properties tab.


5. On the Disk Space Util Critical Threshold, click Edit.

Don’t change any of the values if you want the lab to work!

The Disk Space Util Critical Threshold dialog box opens.

6. Make a note of the value in the Default field and the disk name listed.
See "Appendix: Answer Sheet" on page 218 for the answer.

Field Value

Disk Space Util Critical Threshold

Disk Name

7. Click Cancel, and then find the value of the Free Disk (MB) Critical Threshold.
See "Appendix: Answer Sheet" on page 218 for the answer.

Field Value

Free Disk(MB) Critical Threshold

Disk Name

8. Click Cancel, and then click Cancel again.

To view a performance monitoring rule


1. Click the RESOURCES tab.
2. On the left pane, click Rules > Performance.
3. Search for rules with the name Server Disk Space (use the search field to filter).
4. Select the Server Disk space Warning rule and then click Edit.

The Server Disk space Warning - Edit Details dialog box opens.

5. Make a note of the values associated with the following items:


See "Appendix: Answer Sheet" on page 218 for the answer.

Field Value

Severity

Category

If this Pattern occurs within any


(Evaluation Time Window)

6. In the Actions section, click the pencil icon to edit.


7. Review the Incident Attributes section and Triggered Attributes section.

8. Click Cancel to close the Generate Incident for: Server Disk Space Warning dialog box.
9. In the Conditions section, under the Subpattern column, beside ServDiskWarn, click the pencil icon.

In the Filters section, the subpattern is looking for any events that match the exact event type
PH_DEV_MON_SYS_DISK_UTIL, and only from devices classified as a Server in the CMDB, while excluding any
events where the disk name is /boot.

In the Aggregate Condition section, the subpattern is looking for at least two events (two samples) where,
during the rule evaluation time window, the following is true:

l AVG(Disk Capacity Util) > DeviceToCMDBAttr(Host IP,Disk Name,Disk Space Util Critical Threshold)
AND

l AVG(Free Disk (MB)) < DeviceToCMDBAttr(Host IP,Disk Name,Free Disk (MB) Critical Threshold)

You can view the default critical thresholds by clicking Admin > Device Support >
Custom Property. Please see the next two images.

Notice that the attributes in the Group By section of the Edit SubPattern dialog box are Host IP, Host Name,
and Disk Name.

10. At the bottom of the dialog box, click Run as Query.

The Edit SubPattern > Run As Query dialog box opens.

11. In the Time Range tab, select Relative, and in the Last field, type 10, select Minute from the drop-down list, and
then click Run.

A new browser tab opens, the ANALYTICS tab is selected, and the results of the query are displayed.

Are there any results where the AVG(Disk Capacity Util) is greater than 95% and the AVG (Free Disk (MB)) is
less than 100? See "Appendix: Answer Sheet" on page 219 for the answer.
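As an added example (not FortiSIEM's own code), the following Python re-implements the ServDiskWarn sub-pattern explained above over constructed PH_DEV_MON_SYS_DISK_UTIL samples: the Server/not-/boot filter, the Group By on Host IP, Host Name and Disk Name, the two-sample minimum, and the DeviceToCMDBAttr lookup with a per-device override falling back to the default. The 95% and 100 MB defaults, the attribute names used as dictionary keys, and the CMDB contents are assumptions.

```python
from collections import defaultdict
from statistics import mean

RULE_NAME = "Server Disk Space Warning"
EVENT_TYPE = "PH_DEV_MON_SYS_DISK_UTIL"

# Assumed default critical thresholds (the values the lab's own query checks for).
DEFAULT_THRESHOLDS = {
    "Disk Space Util Critical Threshold": 95.0,
    "Free Disk (MB) Critical Threshold": 100.0,
}

# Constructed CMDB: device class, plus optional per-disk overrides of the
# critical-threshold properties, keyed by (disk name, property name).
CMDB = {
    "192.168.0.40": {"class": "Server", "name": "WIN2K8", "props": {}},
    "192.168.0.41": {"class": "Server", "name": "LNX01",
                     "props": {("/data", "Disk Space Util Critical Threshold"): 80.0}},
    "192.168.0.50": {"class": "Workstation", "name": "PC01", "props": {}},
}


def device_to_cmdb_attr(host_ip, disk_name, prop):
    """Stand-in for DeviceToCMDBAttr(Host IP, Disk Name, <property>): the
    per-device, per-disk value if one is set, otherwise the Default value."""
    props = CMDB.get(host_ip, {}).get("props", {})
    return props.get((disk_name, prop), DEFAULT_THRESHOLDS[prop])


def matches_filter(ev):
    """Filters section: exact event type, reported by a device classified as a
    Server in the CMDB, and not the /boot disk."""
    reporter = CMDB.get(ev["Reporting IP"], {})
    return (ev["Event Type"] == EVENT_TYPE
            and reporter.get("class") == "Server"
            and ev["Disk Name"] != "/boot")


def evaluate(events, window_start, window_end, min_samples=2):
    """Apply the sub-pattern over one evaluation window: group matching events
    by Host IP, Host Name and Disk Name, require at least min_samples samples,
    then compare the averages with the per-device critical thresholds."""
    groups = defaultdict(list)
    for ev in events:
        if window_start <= ev["Event Time"] <= window_end and matches_filter(ev):
            groups[(ev["Host IP"], ev["Host Name"], ev["Disk Name"])].append(ev)

    incidents = []
    for (host_ip, host_name, disk), samples in sorted(groups.items()):
        if len(samples) < min_samples:
            continue  # fewer than two samples in the window: no incident
        avg_util = mean(s["Disk Capacity Util"] for s in samples)
        avg_free = mean(s["Free Disk (MB)"] for s in samples)
        util_thr = device_to_cmdb_attr(host_ip, disk, "Disk Space Util Critical Threshold")
        free_thr = device_to_cmdb_attr(host_ip, disk, "Free Disk (MB) Critical Threshold")
        if avg_util > util_thr and avg_free < free_thr:
            incidents.append({
                "Rule": RULE_NAME,
                "Host IP": host_ip, "Host Name": host_name, "Disk Name": disk,
                "AVG(Disk Capacity Util)": avg_util,
                "AVG(Free Disk (MB))": avg_free,
                "Matched Events": len(samples),
            })
    return incidents


def sample(t, rept_ip, host_ip, host, disk, util, free_mb):
    """Build one constructed PH_DEV_MON_SYS_DISK_UTIL event (times in seconds)."""
    return {"Event Time": t, "Event Type": EVENT_TYPE, "Reporting IP": rept_ip,
            "Host IP": host_ip, "Host Name": host, "Disk Name": disk,
            "Disk Capacity Util": util, "Free Disk (MB)": free_mb}


# Constructed samples, one every 180 s as a production collector would send them.
SAMPLE_EVENTS = [
    sample(0,   "192.168.0.40", "192.168.0.40", "WIN2K8", "C:", 96.0, 80),
    sample(180, "192.168.0.40", "192.168.0.40", "WIN2K8", "C:", 97.0, 60),
    sample(180, "192.168.0.40", "192.168.0.40", "WIN2K8", "D:", 99.0, 10),    # only one sample
    sample(0,   "192.168.0.41", "192.168.0.41", "LNX01", "/boot", 99.0, 20),  # excluded disk
    sample(180, "192.168.0.41", "192.168.0.41", "LNX01", "/boot", 99.0, 20),
    sample(0,   "192.168.0.41", "192.168.0.41", "LNX01", "/data", 85.0, 90),  # override: 80%
    sample(180, "192.168.0.41", "192.168.0.41", "LNX01", "/data", 87.0, 95),
    sample(0,   "192.168.0.50", "192.168.0.50", "PC01", "C:", 99.0, 10),      # not a Server
    sample(180, "192.168.0.50", "192.168.0.50", "PC01", "C:", 99.0, 10),
]

if __name__ == "__main__":
    for inc in evaluate(SAMPLE_EVENTS, 0, 600):
        print(inc)
```

Running it produces one incident for WIN2K8 C: and one for LNX01 /data (the latter only because of the 80% override); the single D: sample, the /boot disk and the workstation never qualify.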

To modify the performance search query for one device


1. In the newly opened browser tab for FortiSIEM, under ANALYTICS, click the search filter.
2. In the Next drop-down field of the last attribute in the list, select AND.
3. Add an extra row for the following condition:

Field Value

Attribute Host IP

Operator =

Value 192.168.0.40

4. In the Time section, select Relative, in the Last field, type 10, and select Minutes from the drop-down list.
5. Click Save & Run.
You should get a single result, just for the WIN2K8 machine, which looks similar to the result below:

Close the old FortiSIEM browser tab.

Keep the new tab open to complete the rest of the exercise.

To generate performance events


1. Navigate to LABS SET 2 on the NSE Institute website and under Lab 7 – Rules select Exercise 7.2 – Trigger
Server Critical Disk Rule.
The output should resemble the following (this will take around 3-5 minutes):

To review performance events


1. After 5 minutes, return to your browser tab with the FortiSIEM GUI, and in the ANALYTICS tab, click Run to search
again for the last 10 minutes.

You should now see more events where AVG(Disk Capacity Util) > 95% and AVG(Free Disk (MB)) is less than 100
MB, which should trigger an incident.

To view Incidents for performance rule


1. Click the INCIDENTS tab.
2. Click List to view the incident table.
3. Click Actions and select Search from the drop-down list.

4. Click the Last 2 Hours option to change the time range.
5. Select Relative, and in the Last field, type 30, and select Minutes.
6. Click Apply Time Range.

7. Click the Incident Name:ALL drop-down list.


Different incidents will appear.
8. In the Incident Name:ALL field, click Search, and type the keyword disk.
9. Select the Server Disk Space Critical incident, and then click Close at the bottom of the left pane.

10. Review the details, such as the incident target, incident details, and triggered events.

Before proceeding to the next exercise, under the INCIDENTS tab, click Actions >
Search, and clear all of the selections.

Exercise 3: Creating a Rule

In this exercise, you will create a simple rule.

A company has strict policies specifying that the administration of a selected FortiGate Firewall can be performed
from approved workstations only. They would like to detect if administrators are connecting to the FortiGate
device from non-approved workstations.

The approved workstations have the following IP addresses:


l 10.1.50.1
l 10.1.50.2
l 10.1.50.3
l 10.1.50.4
l 10.1.50.5

To set search criteria for analytics


1. Click the ANALYTICS tab.
2. Click the search field to edit the condition.
The Filter editor opens.

3. Add the following condition:

Field Value

Attribute Reporting IP

Operator =

Value 192.168.3.1

4. In the Row column, click + to add a second condition:

Field Value

Attribute Event Type

Operator CONTAIN

Value login-success

5. Select Time as Real Time.


6. Click Save & Run.

To generate events
1. Navigate to LABS SET 2 on the NSE Institute website and under Lab 7 – Rules select Exercise 7.3 –
FortiGate Admin Login Events – (Part A).
Wait approximately 1 to 2 minutes for the output. The output should resemble the following: 

Wait for the message Completed! before continuing.

To review generated events


1. Return to your browser tab with the FortiSIEM GUI and, after all the events are sent, click Pause.
You should only see FortiGate-event-login-success.

l Make sure Wrap Raw Event is selected


l Make sure Show Event Type is selected

2. Examine the Event Details of the raw event log for one of the returned events.

l Once you select the RAW Event log, a down arrow icon appears.
l Clicking the arrow icon will provide the Show Detail option to view the Event
Details associated with that event.

Notice these FortiGate admin login events contain the Application Protocol (SSH or HTTP), Source IP
and User who successfully authenticated.

3. Once you have reviewed the details, close the Event Details dialog box.

To set display fields for analytics

1. Click the Display Fields icon.


2. Click Clear All and then add two new rows for Source IP and User.
3. Add a third row and select Expression Builder.

4. Select COUNT in the Function field, and then click the plus icon.
5. Click in the Event Attribute field, select Matched Events, and then click the plus icon.
6. Click Validate.
A message stating “Expression is valid” opens.
7. Close the message.
8. Click OK.
9. Click Save to close the dialog box.

10. Click in the search field.


11. In Filters, change the search to be Relative over a 20-minute time period.
12. Click Save & Run.

Notice all the results so far are for IP addresses that were in the allowed Administrator Workstation IPs group.

13. Edit the search filters and add an extra row for the condition:

Field Value

Attribute Source IP

Operator NOT IN

Value 10.1.50.1, 10.1.50.2, 10.1.50.3, 10.1.50.4, 10.1.50.5

Your search filter should now look like the following:

14. Click Save & Run. This time you get no results and the message “No report results found”.

To create a rule
1. Click the Actions button and then select Create Rule from the drop-down list.
2. In the Rule Name field, enter FortiGate Admin Logon from Non Admin Machine and enter an
optional Description.

3. Leave the time window set at 300 seconds.
4. For Category, select Security.
5. Next to the SubPattern field, click the pencil icon.
6. In the Edit SubPattern dialog box, notice the addition of an Aggregate section, which has defaulted to COUNT
(Matched Events) >= 1.
7. Click Cancel when done.
8. Next to Action: Defined, click the pencil icon.
Notice how the rule creator has added the Group By fields as Incident Attributes.
9. Make sure the User field is added to the Triggered Attributes selected section, and then click Save.

10. Click OK on the Rule dialog box when done.


11. Click the RESOURCES tab, and then choose Rules, and then Ungrouped from the left-hand pane.
12. Select the rule FortiGate Admin Logon from Non Admin Machine.
13. Select the check box under the Active column, and then click Continue on the pop-up warning.

To generate events for a rule


1. Navigate to LABS SET 2 on the NSE Institute website and under Lab 7 – Rules select Exercise 7.3 –
FortiGate Admin Login Events – (Part B).
The output should resemble the following:

To review incident triggered by rule


1. Return to your browser tab with the FortiSIEM GUI.
2. Click the INCIDENTS tab.
3. Click List to view incident table.
4. The new rule has triggered an incident named FortiGate Admin Logon from Non Admin Machine.

Review the incident source, incident target, and details, and then review the events that triggered the rule.

Before proceeding to the next exercise, under the INCIDENTS tab, click Actions >
Search, and clear all of the selections.

Exercise 4: Enhancing the Rule with a Watch List

In this exercise, you will add a watch list to your rule.

To create a watch list


1. Click the RESOURCES tab.
2. In the left pane, click Watch Lists.
3. Review the various watch lists that are provided out of the box.
For demonstration purposes, we will create a new one.

4. With Watch Lists selected, click the white + icon at the top of the left pane to create a new list.

5. Configure the Create New Watch List Group with the following details, and then click Save:

Field Value

Group Suspect Admins

Description Admin Users who are ignoring compliance rules on FortiGate Administration

Type String

Expired in 1 week

Your new watch list will appear at the bottom of the list.

To add a rule in the watch list


1. Click Rules > Ungrouped.
2. Find and select FortiGate Admin Logon from Non Admin Machine and click Edit.
3. Beside the Watch Lists option, click the pencil icon to edit.

The Define Watch List dialog box appears.

4. In the Incident Attribute drop-down list, select User.


5. Beside Watch List, in the Available list, select Suspect Admins, and click the right arrow button to move the
selection to the Selected list.
6. Click Save.

7. Click Save again to save the rule.

To generate events for the watch list
1. Navigate to LABS SET 2 on the NSE Institute website and under Lab 7 – Rules select Exercise 7.4 –
FortiGate Admin Login Events – Watch List.
The output should resemble the following:

To review events for the watch list


1. Return to your browser tab with the FortiSIEM GUI, and click the INCIDENTS tab.
2. Click List to view the incident table.
3. Find new incidents for the rule FortiGate Admin Logon from Non Admin Machine.

4. Review the incident source, incident target, and details.


5. Review the events that triggered the rule.
6. Make a note of the Target column, which identifies the users.

You can filter the display of incidents to show only FortiGate Admin Logon from Non
Admin Machine, as you did in exercises 1 and 2 of this lab (Lab 7: Rules).

7. Click the RESOURCES tab.


8. From the left pane, click Watch Lists > Suspect Admins.

Notice that admin101 and admin103, which were the admin users referenced in the latest incident, are
listed.
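As an added example (not FortiSIEM's own code), the following Python re-implements the rule created in Exercise 3 and the watch list action from Exercise 4 over constructed FortiGate login events: the Reporting IP / login-success / Source IP NOT IN filter, the Group By on Source IP and User with COUNT(Matched Events) >= 1 over the 300-second window, and a String-typed watch list whose entries expire after one week. The event attribute names used as dictionary keys, the login-failed event type and the non-approved addresses are assumptions.

```python
from collections import defaultdict

RULE_NAME = "FortiGate Admin Logon from Non Admin Machine"
FORTIGATE_REPORTING_IP = "192.168.3.1"
APPROVED_ADMIN_WORKSTATIONS = {"10.1.50.1", "10.1.50.2", "10.1.50.3", "10.1.50.4", "10.1.50.5"}
TIME_WINDOW_SECONDS = 300          # rule time window left at its default
ONE_WEEK_SECONDS = 7 * 24 * 3600   # watch list "Expired in: 1 week"


def matches_filter(ev):
    """Sub-pattern filter: Reporting IP = 192.168.3.1 AND Event Type CONTAIN
    login-success AND Source IP NOT IN the approved workstation list."""
    return (ev["Reporting IP"] == FORTIGATE_REPORTING_IP
            and "login-success" in ev["Event Type"]
            and ev["Source IP"] not in APPROVED_ADMIN_WORKSTATIONS)


def evaluate(events, window_end):
    """Group matching events by Source IP and User over the 300 s window ending
    at window_end; COUNT(Matched Events) >= 1 raises one incident per group."""
    window_start = window_end - TIME_WINDOW_SECONDS
    groups = defaultdict(list)
    for ev in events:
        if window_start < ev["Event Time"] <= window_end and matches_filter(ev):
            groups[(ev["Source IP"], ev["User"])].append(ev)
    incidents = []
    for (src_ip, user), matched in sorted(groups.items()):
        if len(matched) >= 1:
            incidents.append({
                "Rule": RULE_NAME,
                "Incident Source": src_ip,   # Group By field used as an Incident Attribute
                "Incident Target": user,     # User is a selected Triggered Attribute
                "Application Protocol": sorted({e["Application Protocol"] for e in matched}),
                "Matched Events": len(matched),
            })
    return incidents


class WatchList:
    """A String-typed watch list whose entries expire, like Suspect Admins."""

    def __init__(self, name, ttl_seconds):
        self.name = name
        self.ttl = ttl_seconds
        self._expires = {}   # value -> absolute expiry time

    def add(self, value, now):
        """Adding a value that is already listed renews its expiry."""
        self._expires[value] = now + self.ttl

    def members(self, now):
        """Only entries that have not yet expired are listed."""
        return sorted(v for v, exp in self._expires.items() if exp > now)


def apply_watch_list(incidents, watch_list, now):
    """Rule action: put the User incident attribute of every incident on the list."""
    for inc in incidents:
        watch_list.add(inc["Incident Target"], now)
    return watch_list.members(now)


def event(t, rept_ip, etype, src_ip, user, proto):
    """Constructed FortiGate admin login event (times in seconds)."""
    return {"Event Time": t, "Reporting IP": rept_ip, "Event Type": etype,
            "Source IP": src_ip, "User": user, "Application Protocol": proto}


# Constructed events; only admin101 and admin103 should trigger the rule.
SAMPLE_EVENTS = [
    event(-900, "192.168.3.1", "FortiGate-event-login-success", "10.1.60.5", "admin104", "SSH"),  # outside window
    event(100, "192.168.3.1", "FortiGate-event-login-success", "10.1.50.1", "admin100", "SSH"),   # approved IP
    event(120, "192.168.3.1", "FortiGate-event-login-success", "10.1.60.7", "admin101", "HTTP"),
    event(150, "192.168.3.1", "FortiGate-event-login-failed", "10.1.60.8", "admin102", "SSH"),    # not a success
    event(200, "192.168.3.2", "FortiGate-event-login-success", "10.1.60.8", "admin102", "SSH"),   # other reporter
    event(240, "192.168.3.1", "FortiGate-event-login-success", "10.1.60.9", "admin103", "SSH"),
    event(260, "192.168.3.1", "FortiGate-event-login-success", "10.1.60.9", "admin103", "HTTP"),
]

if __name__ == "__main__":
    incidents = evaluate(SAMPLE_EVENTS, window_end=300)
    suspect_admins = WatchList("Suspect Admins", ONE_WEEK_SECONDS)
    print(apply_watch_list(incidents, suspect_admins, now=300))
```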

Exercise 5: Importing a Rule

In this exercise, you will import a rule into FortiSIEM.

To import a rule
1. Click the RESOURCES tab.
2. On the left pane, click Rules.
3. From the left pane, click the white + icon to create a new rule group.

The Create New Rule Group dialog box will open.

4. In the Group field, type Custom_LAB7 and click Save.

The left pane now shows a rule group under Rules called Custom_LAB7.

5. From the left pane, click Custom_LAB7.


6. In the right pane, click Import.

The Import Rule dialog box opens.

7. In the Import Rule dialog box, click Choose file.


8. On the desktop, from the Resources folder, open the LAB-7 folder, select the newrule.xml file, and click
Import.

If you experience difficulty in getting the file newrule.xml, ask your instructor for
help.

The imported and activated rule will appear in the Rules > Custom_LAB7 group list.

We will use this rule in a later lab.

You have completed Lab 7.

Lab 8: Incidents and Notification Policies

In this lab, you will configure rules to alert incidents.

Objectives
l Review the incidents page
l Group and tune incidents
l Use the inbuilt ticketing system
l Create custom email templates
l Create notification policies

Time to Complete
Estimated: 90 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.

Exercise 1: Reviewing the Incident Table

In this exercise, you will familiarize yourself with the incident table.

To view the Incidents tab


1. From the Student Workstation VM, open the Firefox browser and enter the following URL to access the
FortiSIEM GUI: https://10.0.1.130/phoenix/login-html.jsf

There is a link for the FortiSIEM GUI on the browser's Favorites bar.

2. Click the INCIDENTS tab.


3. Click List to view the incident table.

4. Click Actions and select Search from the drop-down list.

By default, Active is selected as the incident status. If you are unable to view any
incidents, clear Active and the incident status changes to ALL.

5. Click the Last 2 Hours option to change the time range.


6. Select Relative, in the Last field, type 90, and select Minutes from the drop-down list.

7. Click Apply Time Range.

8. Click the refresh icon and select Refresh Now from the drop-down list.

There should be pages of incidents.

The page auto-refreshes based on your Search selection. There is also an option
for manual page refresh.

9. On the Search pane, click Severity, and select High.

The results show a filtered subset of high-severity incidents.

10. In the Search pane, change the following settings:

Field Value

Severity All (clear High)

Category Performance

11. In the left Search pane, click Close.


12. Click Actions and select Display from the drop-down list.

13. From the Display list, select First Occurred and Status.

14. Click Close.


15. On First Occurred column, click and drag the cursor to the Last Occurred column.

The incident dashboard view now contains the column you added, in the position where you placed it.

To review incident clear condition


1. Click Actions and select Search from the drop-down list.
2. Click Status.
Note that only Active status incidents are shown.

3. Click Close.

There are four different incident statuses available. However, a status type will be
listed only when incidents with that status exist in the selected time range.

The available statuses are as follows:

l Active
l Cleared
l External Cleared
l System Cleared

4. For WIN2K8, select the Server Disk Space Critical incident.


Incident details will appear.

By default, the Active incident status is selected. If you are unable to find the
incident, clear Active; the incident status then changes to ALL.

5. Select the Events tab to view the events for this incident.

If you select an incident and the lower pane does not appear, click the up arrow icon
to expand the lower pane manually.

You can select the auto expand option in the lower pane, so you don't have to keep
manually expanding the lower pane for incidents.

6. Continuing with the incident Server Disk Space Critical selected, click Actions and select Edit Rule in the
drop-down list.

The Edit Rule dialog box will open.

7. Next to Clear: Defined, click the pencil icon to edit the clear condition.

What do you think this option is actually doing for this rule? See "Appendix: Answer Sheet" on page 219, for
the answer.

8. Click Cancel to close the Edit Rule Clear Conditions dialog box.
9. Click Cancel on the Edit Rule dialog box.

To manually clear an incident


1. In the incident Search section, ensure that Active is selected in the Status drop-down list.
2. Select the Server Disk Space Critical incident, click Actions, and then select Clear Incident from the drop-down list.

The Clear Selected Incidents dialog box will appear.

3. In the Reason text box, type Temp files removed from server by admin to free up space,
and click OK.

Note that the Server Disk Space Critical incident for WIN2K8 disappears from the list because the status
filter is set to show only incidents with an Active status.

4. Click Actions and then click Search from the drop-down list.
5. Click the incident Status, select Cleared Manually from the drop-down list, and then click Close.

Notice the Server Disk Space Critical for WIN2K8 appears again in the main pane with Manually
Cleared status.
6. Select the Server Disk Space Critical incident for WIN2K8 with status set to Manually Cleared.
The bottom pane will appear with incident Details. Review Cleared Reason.

7. Click Actions, click Search, and in the incident Status drop-down list, select Active.

Before proceeding to the next exercise, under the INCIDENTS tab, click Actions >
Search, and clear all of the selections.

Exercise 2: Grouping and Tuning Incidents

In this exercise, you will learn how to group common incidents and how to tune FortiSIEM to reduce the number
of incidents produced.

To review grouping of incidents


1. Click the INCIDENTS tab.
2. Click List to view incident table.
3. Click Actions and select Search from the drop-down list.
4. Click the Last 2 Hours option to change the time range.
5. Select Relative, in the Last field, type 5, and select Hours from the drop-down list.
6. Click Apply Time Range.
7. Beside Status: Active, click the cross icon to change it to All.

8. Click the Incident Name.


A drop-down list of different incidents will appear. The incidents are grouped with a count indicating the number of
incidents for the group.

9. In the Incident Name section, click Search and type DNS.

This will show a group of incidents with keyword DNS.

10. Select the Excessive End User DNS Queries incident and click Close.

This will show only incidents for the group Excessive End User DNS Queries.

11. Select one of the incidents, and in the Actions drop-down, click Edit Rule.
12. In the Edit Rule dialog box, in the Conditions section, beside the subpattern ExcessiveDNSFromFlow, click
the pencil icon and review the subpattern.
Explain what the rule pattern is looking for. See "Appendix: Answer Sheet" on page 219, for the answer.

13. Click Cancel to close the dialog box and click Cancel to exit the Rule Editor dialog box.

Tune Incidents
To demonstrate the tuning capabilities for the same incident, we will assume incident source 192.168.22.11
is actually an application server that produces a huge amount of DNS queries by design.

To tune incidents
1. Select the incident with IP 192.168.22.11 in the Source column.
2. Click Actions and select Edit Rule Exception in the drop-down list.

The Edit Rule Exception dialog box will open.

3. In the Condition section, click the Attribute drop-down list.
Notice the only attribute that can be used for an exception for this particular incident is the Source IP.

4. Add the following condition:

Field Value

Attribute Source IP

Operator =

Value 192.168.22.11

5. Click Save.
This suppresses incident generation when this rule triggers for the incident source
192.168.22.11.

6. Clear this incident (192.168.22.11) and enter a reason when prompted.

Before proceeding to the next exercise, click Actions > Search and clear all of the
selections.

Exercise 3: Using the Built-In Ticketing System

In this exercise, you will learn how to implement the built-in ticketing system.

To review incidents for suspicious activity


1. Click the INCIDENTS tab.
2. Click Actions and select Search from the drop-down list.
3. To clear all selections, on all available options, click the cross icon and set them to ALL.

4. Click the Last 2 Hours option to change the time range.


5. Select Relative, and in the Last field, type 5, and select Hours from the drop-down list.
6. Click Apply Time Range.
7. From the Category drop-down list, click Show all and select Change.

8. Click Close.
9. In the Incident column, select User added to Administrator Group.
10. Click the down arrow and select Add to Filter.

Notice that only incidents named User added to Administrator Group are now shown.

11. Under the Target column, select Target User: mike.long. This is a suspicious entry.

To create a case using the built-in ticketing system


1. Click Actions and select Create Ticket from the drop-down list.

The New Ticket dialog box opens. Notice that the Incident ID(s), Summary, and Description fields are
pre-populated.

2. In the Assignee section, click the pencil icon to select a user.


3. Click the Users folder, select admin from the right pane, and click Save.

4. In the Priority section, select High.


5. In the Due Date field, specify a time in the future.
6. Click Save.

7. Click Actions and select Display from the drop-down list.
8. Select Ticket Status and click Close.

You should be able to see the Ticket Status column as well as the other default columns.

9. In the main FortiSIEM menu, click the CASES tab.

You can see the tickets that are currently open.

10. Select the ticket and click Edit.


11. In the lower pane, add the following text in the Description field and click Save:
Who is this user? Needs to be verified.

12. Edit the ticket again and add the following text in the Description field:
New admin in IT. Closing case.

13. From the State drop-down list, select Closed.


14. From the Close Code drop-down list, select Solved (Permanent).
15. Click Save.
16. Click Yes on the warning pop-up.

Notice how the ticket state change is reflected in the table. Also, if you return to the INCIDENTS tab the
Ticket Status column for that incident is set to Closed.

Exercise 4: Creating a Custom Email Template

In this exercise, you will create a custom email template.

To configure email settings


1. Click the ADMIN tab.
2. On the left pane, click General Settings.
3. On the main window, click the System tab and then click the Email tab.
4. In Email Settings section, complete the following:

Field Value

Email Gateway Server 10.0.1.10

Default Email Sender admin@fsm.local

5. Click Save.

You can test email by sending an email from admin@fsm.local to student@fsm.local.

To view the test email, open a Mozilla Thunderbird email client from the desktop on
the Student Workstation.

To create an email template


1. Still under the Email tab, in the Incident Email Template section, click New.
Email Template dialog box will appear.
2. In the Name field, type FSM_LAB.
3. In the Email Subject field, click the text field, click Insert Content, and then select Status from the drop-down
list.

4. At the end of the inserted content, click in the Email Subject text field before inserting more options.
5. Click Insert Content again, and select Rule Name.

6. In the Email Body field, type a combination of text and then use the Insert Content button to reference Rule
Name, Rule Description, First Seen Time, Last Seen Time, Incident Source, Incident Target, and
Incident Detail.

Note that you can enable HTML Tags to create HTML-based email templates.

7. Click Save.

Exercise 5: Creating a Notification Policy

In this exercise, you will learn how to create a notification policy.

Import a Rule
A system rule has been modified so that this lab works; follow the steps below to import the modified rule.

To import a rule
1. Click the RESOURCES tab.
2. On the left pane, select Rules .
3. From the top right side, click Import.

The Import Rule dialog box opens.

4. Click Choose file.


5. In the Resources > LAB-8 folder on the desktop, select the file Notification_test_rule.xml.

6. In the Rules tree, open the Ungrouped folder.

Notice that the imported rule, named High Severity IPS Exploit Notification LAB, is in an active state.

To create a Notification Policy


1. Click the ADMIN tab.
2. In the left pane, click General Settings.
3. In the main window, click the Notification tab, and then click New.
4. In the Rules field, click the down arrow.

The Notification Policy > Define Rule Conditions window opens.

5. Click Rules > Ungrouped.


6. In the Items section, select High Severity IPS Exploit Notification LAB.
7. Click > to move the item to the Selections pane.
8. Click Save.


9. In the Actions section, beside Send Email/SMS to the target users, click the pencil icon to specify a
notification action.

The Notification Policy > Define Notification Actions dialog box opens.

10. Click the Add Addr tab.

The Notification Policy > Define Notification Actions > Email Address dialog box opens.

11. In the Method drop-down list, select Email.


12. In the To field, type student@fsm.local.
13. In the Email Template drop-down list, select System Default.

The System Default template is used for this exercise. You can also select the custom email
template FSM_LAB, which you created in the previous exercise.

Be aware that if you use the custom template, the results may differ from the images below.

14. Click Save.


15. In the Notification Policy > Define Notification Actions dialog box, click Save.

16. In the Notification Policy dialog box, click Save.


17. In the Enabled column, select the notification policy to enable it.

Generate Incidents to Trigger Notification Policy


For this task, you are using data from lab 3.

To generate incidents to trigger notification policy


1. Return to the browser tab for the NSE Institute website.
2. Navigate to LABS SET 1 and under Lab 3 – Discovery select Exercise 3.6 – Start All Performance and
Device Data.
Wait approximately 2 minutes for the output. The output should resemble the following sample:


To view notification email


1. On the Student Workstation desktop, open a Mozilla Thunderbird email client.

Mozilla Thunderbird is preconfigured for email account student@fsm.local.

You will start receiving notification emails from FortiSIEM.

2. Click one of the notification emails.


Notifications will appear in the bottom pane as shown in the example below:

Once you complete the lab, deactivate the High Severity IPS Exploit Notification
LAB rule because it generates many notification emails.
To deactivate the High Severity IPS Exploit Notification LAB rule, click
RESOURCES > Rules > Ungrouped > High Severity IPS Exploit Notification
LAB. Clear the check box in the Active column.

You have completed Lab 8.

Lab 9: Reporting

In this lab, you will run and schedule reports.

Objectives
l Open reports from the Analytics and the Reports trees
l Schedule reports
l Create custom dashboards
l Explore the various options for dashboards and widgets
l Export and import dashboards
l Create custom CMDB reports

Time to Complete
Estimated: 60 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.

Exercise 1: Opening a Report from the Analytics Page

In this exercise, you will open and save reports from the Analytics page.

To load a report
1. On the Student Workstation VM, open the Firefox browser and enter the following URL to access the
FortiSIEM GUI: https://10.0.1.130/phoenix/login-html.jsf

There is a link for the FortiSIEM GUI on the browser's Favorites bar.

2. Click the ANALYTICS tab.

3. On the left side of the window, click the folder icon and, in the drop-down list, select the Reports folder.
4. Click Reports > Function > Availability.

5. In the right pane, select Device Uptime History and click the right arrow icon.

When you click the right arrow icon, the report runs.

6. Click the search field.


The Filters editor appears. Notice how the query syntax is prepopulated.

7. In the Time section, select Relative, in the Last field, type 90, and from the drop-down list, select Minutes.
8. Click Save & Run.
9. When the results open, in the Actions drop-down list, select Save Result.

The Save Report window opens.

10. In the Report Name field, replace the text that is there by typing Device Uptime History-only-
Results.
11. Leave Save Definition cleared, and in the Save Results for field, type 1, select Hours, and click OK.

An alert message confirming that the report result was saved appears briefly and then disappears.

To load saved results for report


1. Click the plus (+) icon to open a new search.
2. Close the [1]:Device Uptime History search tab.

3. In the new [1]:Raw Messages tab, click the folder icon on the left and select Save Results.

In the right pane, note that the Device Uptime History-only-Results report is listed with a date and time
stamp.

4. Select the Device Uptime History-only-Results report, click the down arrow, and then click View Result.

5. Review the results (and the speed with which they came back), and notice the Time selection.

To modify the search query


1. Click the search field.
2. In the existing condition, under the Next column, select AND.
3. In the Row column, click the + icon.
4. Add a second condition using the following values:

Field Value

Attribute Reporting IP

Operator IN

5. Click in the Value field and select Select from CMDB.


6. Click Devices > Network Device > Firewall.
7. In Folders, click >> to add the Firewall folder to Selections.
8. Click OK to close the CMDB window.
9. In the Time section, select Relative; in the Last field, type 1; and from the drop-down, select Hour.
10. Click Save & Run.

To save report with definition


1. When the results appear, click Actions and select Save Result.

The Save Report window appears.

2. Remove the date and time stamp and only-Results from the report name, and type Device Uptime
History-with-Definition as the new report name.
3. Select the Save Definition check box.
4. In the Save To section, select Frequently Used.
Notice how the name defaults to the existing report that was loaded, with a date and time stamp on the end.

5. In the Save Results for field, type 1, select Hour, and click OK.
6. Click the folder icon and select Save Results.

Notice that there are now two reports whose results will be stored for 1 hour. One contains only the
results; the other contains both the results and the definition, saved as a report.

The results are valid for only 1 hour because they are cached, but the saved definition can be run as a report at any time.

7. In the left pane, click Reports > Frequently Used.


8. In the right pane, in the search bar, type definition.
You should see the report you just saved.


To create a custom report folder


1. Click the RESOURCES tab.
2. In the left pane, click Reports and click the + icon at the top of the pane to create a new report group.
3. In the Group field, type LAB9-Reports.
4. Click Reports > Frequently Used.
5. Under the Items column, in the search bar, type definition.
6. Select Device Uptime History-with-Definition, and click > to move the report to the Selections section.
7. Click Save.

You now have a new LAB9-Reports folder under Reports at the bottom of the left pane.

Exercise 2: Opening a Report from the Report Tree

In this exercise, you will open and run reports from the report tree.

To run a report from the report tree


1. Click the RESOURCES tab.
2. On the left pane, click Reports > Function > Change.
3. In the search field, type user account mod.
4. Select the report and click Run.

The Run window will open.

5. On the Report Time Range tab, ensure that Relative is selected, 1 is entered in the Last field, and Hour is
selected in the drop-down.
6. Click OK.

The report runs automatically and populates the results in a new tab on the ANALYTICS page.


7. Review the results.

Exercise 3: Scheduling a Report

In this exercise, you will learn how to schedule a report.

To schedule a report
1. Click the RESOURCES tab.
2. In the left pane, click Reports > Incidents.
3. On the main window, select All Incidents and click More.

4. From the More drop-down list, select Schedule.

5. Complete the following (you may have to scroll down to view all the settings):

Field Value

Report time range Relative, last 1 hour

Schedule Time Range (Start Time) Set to 10 minutes ahead of the current time and make sure Local is selected.

Output Format PDF

Notification Custom Notification (a Recipients table appears).

Recipients Click the pencil icon (the Add Notification dialog box appears).

Email Address Click Add (the Add Email dialog box appears), type student@fsm.local, and click Continue.

6. In the Add Notification dialog box, click OK.

7. In the Schedule dialog box, click OK.


The Scheduled column for the All Incidents report indicates that a report is scheduled.

To explore other options to schedule a report


1. To illustrate an alternative method to schedule a report, select the All Incidents report, and in the bottom pane,
click the Schedule tab.

Notice the existing report schedule is already present.

2. Click the + icon.
Notice that the same Schedule dialog box shown above opens.
3. Click Cancel.
4. Click Scheduled for.
Both the pencil and the bin icon become active. Use the pencil icon to modify the report schedule and the bin
icon to delete it.

Do not delete the schedule for the report.

5. After ten minutes, you can verify the delivery of scheduled report to the student email box by opening the Mozilla
Thunderbird email client from the student workstation.

You should receive the All Incidents report in PDF format after approximately 10 minutes.

Exercise 4: Creating Custom Dashboards

In this exercise, you will create a custom dashboard.

To create a custom dashboard folder


1. Click the DASHBOARD tab.
2. Click the drop-down menu on the left.
3. Click New.

The Create Dashboard Folder dialog box will open.

4. In the Name field, type LAB-9-Dashboard and click Save.

The LAB-9-Dashboard group opens and is also added to the dashboard type drop-down list.

To add a summary dashboard

1. In the LAB-9-Dashboard window, click the plus icon to the right of the dashboard drop-down list.

The Create New Dashboard dialog box will open.

2. In the Name field, type Lab9-Summary.


3. In the Type drop-down list, select Summary Dashboard and click Save.

The Lab9-Summary dashboard will open. You have a blank canvas in the format of the All Device summary
dashboards.

4. In the Lab9-Summary tab, click the select devices icon.

The Select devices for display dialog box will open.

5. In the Available Devices list, search for the following devices:


l WIN2K8(192.168.0.40)
l WIN2008-ADS(192.168.0.10)
l QA-EXCHG(172.16.10.28)
l THREATCTR(10.1.1.41)


6. Use the right arrow icon to move the devices to the Selected Devices list.
7. Click OK.
8. Change the severity selection from Critical + Warning to All.
Your new summary dashboard is filtered to show only the devices you added.

9. In the Perf status column for WIN2K8, hover your mouse cursor over the cell and to its right.
A trend icon appears indicating Disk Capacity Util->Critical, Free Disk MB->Critical.

To add a widget dashboard

1. On LAB-9-Dashboard tab, click the plus icon to the right of the dashboard drop-down.
The Create New Dashboard dialog box opens.

2. In the Name field, type Lab9-Widget.


3. In the Type drop-down list, select Widget Dashboard.
4. Click Save.

The Lab9-Widget dashboard is created. The main window shows a blank canvas.

5. In the Lab9-Widget tab, click the plus icon.

The report selector pop-up slides in from the left.

6. In the left pane, click the Reports folder.


7. Use the search field to find each of the following reports and add it by clicking the right arrow icon (you must add
the reports one at a time):
l Top Network Devices By CPU, Memory Util
l Top Devices By Failed Login
l Firewall Permit: Top Outbound Ports By Bytes


The right arrow icon will appear once you select a report.

8. In the Lab9-Widget tab, click the plus icon .


9. Select the CMDB Reports folder.

10. Click the arrow icon to add a widget for the Not Approved Devices report.

To explore widget dashboard options


1. At the top right, click the Layout columns drop-down list and change the layout to a 2-column display.
2. Hover your mouse cursor over the title bar of the Top Network Devices By CPU, Memory Util widget and, on
the right side, click the middle icon (Edit settings).

The Settings dialog box will open.

3. In the Display drop-down list, select Table View.


4. In Display Settings section:
a. Drag the AVG(CPU Util) slider on the left to around 25%. 

b. Drag the AVG(CPU Util) slider on the right to around 60%.

5. Click Save.
The results are colored to reflect the seriousness of the value.

You can influence the colors on these widgets and change the thresholds for what values should be reported:
red, yellow, and green.

Will these new adjusted values for AVG CPU determine what thresholds rules will trigger for these devices?
See "Appendix: Answer Sheet" on page 220, for the answer.

6. On the Top Devices By Failed Login widget, click the settings icon and change the display to Aggregation
View (Donut).
7. Change the Firewall Permit: Top Outbound Ports By Bytes widget to an Aggregation View (Bar).

You can restrict user access to this dashboard group using role management.

Exercise 5: Exploring Dashboard Drill Down Capabilities

In this exercise, you will explore the drill down capabilities of the dashboards.

To drill down on dashboard content


1. Click the DASHBOARD tab.

Follow steps 2, 3, and 4 only if you are not already on the DASHBOARD > LAB-9-Dashboard >
Lab9-Widget page. If you are already on this page, clicking these options again prompts you
to rename the dashboards.

If you are on the Lab9-Widget page, proceed to step 5.

2. Click the dashboard type drop-down on the left.


3. Click LAB-9-Dashboard from the bottom of the list.
4. Click Lab9-Widget.
5. On the Top Network Devices By CPU, Memory Util widget, select the device FortiGate90D.
6. Click the blue down arrow and select Drill down to Analytics.

This takes you to the ANALYTICS tab.

7. Click the search field.


What is the query looking at? See "Appendix: Answer Sheet" on page 220 for the answer.

8. Look at the Time selection.

What has the time criteria been prepopulated to run over and where did this value come from? See
"Appendix: Answer Sheet" on page 220 for the answer.

9. Click Save & Run to run the search.


10. View the results.

To explore another dashboard drill down example


1. Click the DASHBOARD tab.
2. Click the dashboard type drop-down on the left.
3. Click LAB-9-Dashboard from the bottom of the list.
4. Click Lab9-Widget.
5. On the Firewall Permit: Top Outbound Ports By Bytes widget, click the magnifying glass icon.

What was the result of this action? See "Appendix: Answer Sheet" on page 220 for the answer.

How does this differ from the analytic query produced from step 7 of the previous task? See "Appendix:
Answer Sheet" on page 221 for the answer.

Exercise 6: Importing and Exporting Dashboards

In this exercise, you will learn how to export and import dashboards.

To export a dashboard
1. Click the DASHBOARD tab.
2. Click the dashboard type drop-down on the left.
3. Click LAB-9-Dashboard.
4. Click Lab9-Widget.
5. At the top right of the main window, click the export icon.

6. When prompted, click Save File and then OK.


Dashboard.xml is exported to your Downloads folder.

To import a dashboard
1. Click the DASHBOARD tab.
2. Click the dashboard type drop-down on the left.
3. Click New.
The Create Dashboard Folder dialog box will appear.

4. In the Name field, type Lab9-Shared Dashboard and click Save.

5. In the Lab9-Shared Dashboard folder, click the plus icon to the right of the dashboard drop-down list.
6. In the Name field, type Lab9-Shared-Widget.
7. In the Type drop-down list, select Widget Dashboard.

8. Click Save.

9. In Lab9-Shared-Widget, click the import icon.

The Import Dashboard dialog box will open.

10. Click Browse to choose the Dashboard.xml file in your Downloads folder, and click Import.

11. When the message displays confirming that the import succeeded, click OK.

You should now see that the custom dashboard has been imported.

You can give access to this dashboard group to all users through role management.

Exercise 7: Running CMDB Reports

In this exercise, you will run existing CMDB reports.

To run a CMDB report


1. Click the CMDB tab and in the left pane, click CMDB Reports.
2. Find the report CMDB Device Types in the list and click Run.

This gives a report of all the different vendors, models, versions, and counts in the CMDB.

3. Click Back.
4. Find the report Router/Switch Inventory and then click Run.
5. Review the results, and when done, click Back.
6. Find the report Active Rules and click Run.
Note that other kinds of data such as rules, users, and device monitoring jobs can also be reported on
through this feature.

Exercise 8: Building a Custom CMDB Report

In this exercise, you will create a custom CMDB report.

To create a CMDB report


1. Click the RESOURCES tab.
2. On the left pane, click Rules > Ungrouped.
3. Find the rule named High Severity IPS Exploit Notification LAB and click Edit.
Note that there are some remediation steps for an operator to follow if this rule is triggered.

4. Once you have reviewed the rule, click Cancel.


5. Click the CMDB tab and return to CMDB Reports.
6. Click New.
7. In the Report Name field, type Rules with Remediation Instructions.
8. From the Target drop-down list, select RULE.
9. In the Conditions section, define the following:

Field Value

Attribute Rule Remediation

Operator CONTAIN

Value deactivate

10. In the Display Columns section, click Row to add additional rows, and then add the following attributes:
l Rule Name
l Rule Description
l Rule Remediation


11. Click Save.


12. In the CMDB Reports folder, find the Rules with Remediation Instructions, and click Run.
You should see that only the rule you imported in Lab 8 currently has remediation instructions.

You can easily find custom CMDB reports by sorting on the Scope column. All out-of-the-box
reports are listed as System and your own reports as User.

You have completed Lab 9.

Lab 10: Business Services

In this lab, you will create a business service.

Objectives
l Create a business service
l Monitor a business service
l Report on a business service

Time to Complete
Estimated: 45 minutes

Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.

Exercise 1: Creating a Business Service

In this exercise, you will create a new business service.

To create a business service


1. Log in to FortiSIEM, click the CMDB tab, and in the left pane, select Business Services.
2. On the main window, click New.
3. In the Name field, type Patient Services.
4. On the New Business Service window, on the left pane, click Applications > User App > Database.
5. On the Apps pane, select Microsoft SQL Server.
6. On the Select running on instance pane, select Microsoft SQL Server (WIN2K8) 192.168.0.40.
7. On the Select adjacent network devices pane, select SJ-Main-Cat6500.
8. Click the > button to move the selections to the Selected Devices/Apps pane.

9. On the left pane, click Applications > User App > Mail Server.
10. On the Apps pane, find and select MS Exchange Information store in the list.
11. On the Select running on instance pane, select the device with access IP 172.16.10.28.
12. Click the > button to move the selected device to the Selected Devices/Apps pane.
13. On the Select adjacent network devices pane, select JunOS-3200-1.
14. Click the > button to move the selected device to the Selected Devices/Apps pane.
15. On the left pane, click Devices > Network Device > Firewall.
16. On the Select Devices pane, select FG240D3913800441.
17. Click the > button to move the selected device to the Selected Devices/Apps pane.


18. Click Save.


19. To review the added devices, click Business Services > Ungrouped > Patient Services.

Exercise 2: Monitoring Business Service Incidents

In this exercise, you will learn methods of monitoring business services.

To monitor a business service


1. Click the INCIDENTS tab.
2. Click List to view the incident table.
3. In the main window, in the Actions drop-down list, click Display.
You should see an additional field, BizService, in the display column selection pane.

4. Select BizService and click Close.

To modify system rule for business services


1. Click the RESOURCES tab and on the left pane, click Rules.
For this lab to work, you need to edit two rules.

2. In the search field, type vulnerability.

195 FortiSIEM 5.1 Lab Guide


Fortinet Technologies Inc.
DO Exercise
NOT2: Monitoring
REPRINT Business Service Incidents

© FORTINET

3. Select Scanner found severe vulnerability and click Edit.


4. In the Conditions section, click the pencil icon next to ScannerHighSev.

5. In Filters section, add a row above the existing Event Severity entry, and add the following condition:

Field Value

Attribute Reporting Model

Operator CONTAINS

Value Nessus

6. Under the Paren column to the left of the Reporting Vendor attribute, click the plus (+) icon.
7. Under Paren column to the right of the Reporting Model attribute, click the plus (+) icon.

8. Change the Event Severity attribute Value to 6.
9. In the Next column, make the following selections:

Field Value

Reporting Vendor OR

Reporting Model AND

10. In the Group By section, add a row under Host Name.


11. In the new attribute field, type Host IP.

12. Click Save to close the EditSubPattern window.


13. In the Actions section, click the pencil icon to edit.

14. Under Incident Attributes, add an extra row (at the bottom) and add the following values:

Field Value

Event Attribute Host IP

Subpattern ScannerHighSev

Filter Attribute Host IP

15. Click Save and then click Save again.

Since FortiSIEM does not allow you to overwrite the out-the-box system rules, the
system will prompt you to save the rule with a different name. (By default, it will add a
date stamp.)

16. Remove the date stamp, add LAB10, and click OK.

17. Under the Active column, clear the check box next to Scanner found severe vulnerability, and click
Continue.
The original system rule will be disabled.

18. Under the Active column, select the check box beside the modified rule, and click Continue when prompted.

To modify second system rule for business services


1. In the search field, type sql server db, and select the rule Excessively Slow SQL Server DB Query.
2. Click Clone.
3. Delete the date stamp, add LAB10 and click Save.


4. Under the Active column, clear the check box beside the original Excessively Slow SQL Server DB Query
rule, and click Continue when prompted.
5. Select the cloned rule and click Edit.
6. In the Conditions field, beside the LongQuery subpattern, click the pencil icon.
7. In the Group By section, add an extra row under Host Name.
8. In the Attribute field, type Host IP.

9. Click Save to close the EditSubPattern window.


10. In the Actions section, click the pencil icon to edit.
11. Add an extra row below Host Name and add the following values in the Incident Attributes section:

Field Value

Event Attribute Host IP

Subpattern LongQuery

Filter Attribute Host IP

12. Click Save and then click Save again to close the rule editor.
13. Click OK again if you get a warning that the rule has been changed.

14. In the Active column, select the check box beside the cloned version of the rule, and click Continue when
prompted.
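Both rule edits above add Host IP to the subpattern's Group By and to the incident attributes, and the first edit also wraps the two reporting conditions in parentheses. The following Python example, added here and not part of the lab guide or of FortiSIEM itself, shows why both changes matter: the parentheses keep the severity test applied to every scanner vendor, and the Host IP incident attribute is what lets an incident be matched to the Patient Services membership. The attribute names (reptVendor, reptModel, eventSeverity, hostName, hostIpAddr), the original Reporting Vendor value (Qualys), the >= comparison on Event Severity and the sample events are all assumptions made for the example.

```python
"""Added example, not FortiSIEM code: the LAB10 ScannerHighSev filter, the
Group By on (Host Name, Host IP), and BizService tagging of the resulting
incidents. Attribute names, the assumed vendor value 'Qualys', the '>='
severity comparison and the sample events are constructed for illustration."""

from collections import defaultdict

# Constructed scanner events in the spirit of the lab's Exercise 10.1 feed.
SAMPLE_EVENTS = [
    {"reptVendor": "Tenable", "reptModel": "Nessus", "eventSeverity": 7,
     "hostName": "WIN2K8", "hostIpAddr": "192.168.0.40"},
    {"reptVendor": "Tenable", "reptModel": "Nessus", "eventSeverity": 3,
     "hostName": "WIN2K8", "hostIpAddr": "192.168.0.40"},
    {"reptVendor": "Qualys", "reptModel": "QualysGuard", "eventSeverity": 9,
     "hostName": "QA-EXCHG", "hostIpAddr": "172.16.10.28"},
    {"reptVendor": "Qualys", "reptModel": "QualysGuard", "eventSeverity": 2,
     "hostName": "THREATCTR", "hostIpAddr": "10.1.1.41"},
    {"reptVendor": "Rapid7", "reptModel": "Nexpose", "eventSeverity": 9,
     "hostName": "THREATCTR", "hostIpAddr": "10.1.1.41"},
]

# Patient Services membership from Exercise 1, keyed by access IP (Host IP).
BUSINESS_SERVICES = {"Patient Services": {"192.168.0.40", "172.16.10.28"}}


def scanner_high_sev(ev, vendor="Qualys", min_sev=6):
    """Subpattern ScannerHighSev as edited in the lab:
    ( Reporting Vendor = vendor OR Reporting Model CONTAINS 'Nessus' )
    AND Event Severity >= min_sev.
    The parentheses added in steps 6-7 apply the severity test to both."""
    vendor_or_model = ev["reptVendor"] == vendor or "Nessus" in ev["reptModel"]
    return vendor_or_model and ev["eventSeverity"] >= min_sev


def scanner_high_sev_no_paren(ev, vendor="Qualys", min_sev=6):
    """The same three conditions without the parentheses. AND binds tighter
    than OR, so every event from `vendor` fires regardless of severity."""
    return ev["reptVendor"] == vendor or (
        "Nessus" in ev["reptModel"] and ev["eventSeverity"] >= min_sev)


def build_incidents(events, rule=scanner_high_sev):
    """Group matching events by (Host Name, Host IP), as the edited Group By
    does, and copy Host IP into the incident (the Incident Attributes row)."""
    groups = defaultdict(int)
    for ev in events:
        if rule(ev):
            groups[(ev["hostName"], ev["hostIpAddr"])] += 1
    return [{"hostName": host, "hostIpAddr": ip, "count": count}
            for (host, ip), count in sorted(groups.items())]


def tag_biz_service(incidents, services=BUSINESS_SERVICES):
    """Fill the BizService column by matching the incident's Host IP against
    each service's member IPs. Without the Host IP attribute on the incident
    there is nothing to match on, which is why the lab adds it."""
    for inc in incidents:
        inc["bizService"] = sorted(
            name for name, ips in services.items() if inc["hostIpAddr"] in ips)
    return incidents


if __name__ == "__main__":
    print("with parentheses:")
    for inc in tag_biz_service(build_incidents(SAMPLE_EVENTS)):
        print(" ", inc)
    print("without parentheses:")
    for inc in tag_biz_service(build_incidents(SAMPLE_EVENTS,
                                               scanner_high_sev_no_paren)):
        print(" ", inc)
```

Run as written, the parenthesised filter produces two incidents, both tagged Patient Services; the unparenthesised variant adds a third incident for THREATCTR from a severity-2 event, which is exactly the kind of noise the Paren column exists to prevent.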

To trigger business service-related incidents


1. Open a new browser tab, and navigate to the NSE Institute website.
2. Under LABS SET 2 and Lab 10 – Business Services select Exercise 10.1 – Trigger Business Service
Related Incidents.
Wait for approximately 2 minutes. The output should resemble the following:

To review business service incidents


1. Return to the FortiSIEM GUI.
2. Click the INCIDENTS tab.
Under the BizService column, you should see some incidents that have the Patient Services name.

3. In the main window, in the Actions drop-down list, click Search.
The Search pane opens.

4. In the Search pane, click BizService, select Patient Services from the drop-down list, and click Close.
The selection should look like this:

By default, Incident Status is set to Active. If you cannot see any incidents, clear the
Active status to change the selection to All.

5. Click the refresh icon and select Refresh Now in the drop-down list.

You should notice several incidents related to devices in this business service.

6. Review a few of the incidents.


What service was stopped? See "Appendix: Answer Sheet" on page 221 for the answer.


Which devices had severe vulnerability detected? See "Appendix: Answer Sheet" on page 221 for the answer.

Exercise 3: Using the Business Service Dashboard

In this exercise, you will learn how to create and view business services through dashboards and searches.

To create a business services dashboard group


1. Click the DASHBOARD tab.
2. On the left side of the window, click the drop-down list and select New.

3. In the Name field, type BizService Dashboard.

To create a business services dashboard


1. To the right of the dashboard drop-down list, click the plus icon.
2. In the Name field, type Patient Services.
3. In the Type drop-down list, select Business Service Dashboard.
4. Click Save.


5. Click the select business service icon in the top right-hand corner of the window.
The Select Business service window opens.
6. On the Available Services pane, select Patient Services and click > to move Patient Services to the
Selected Services pane.

7. Click Save.
The summary dashboard for Patient Services is displayed.

To view business services dashboard details


1. On the summary dashboard, select Patient Services.
The Impacted Devices pane will open at the bottom of the window to display the list of impacted devices for
Patient Services.


2. In the Impacted Devices section, click WIN2K8, and then click the Incidents column.
The Incidents for WIN2K8 window opens.

Can you identify the SQL query that was running slow? See "Appendix: Answer Sheet" on page 221 for the
answer.

To reference business services in an analytics search


1. Click the ANALYTICS tab and click the search field to edit the condition.

Make sure the search field is empty (it may contain text from another exercise).

2. In the Filters editor, enter the following values to create a new query:

   Attribute: Reporting IP
   Operator:  IN

3. Click inside the Value field and select Select from CMDB.
4. Click Business Services > Ungrouped and select Patient Services.

5. Click > to move Patient Services to the Selections section, and click OK.
6. Add another row and add the following values:

   Attribute: Event Type
   Operator:  CONTAIN
   Value:     FileMon

7. In the Time section, select Relative, in the Last field, type 1, and in the drop-down list, select Hour.
8. Click Save & Run.


This drills down into Windows Agent events being collected.

If a search returns no results, run it again over a longer time period.

Can you identify the files that were added on the QA-EXCHG or WIN2K8 machines? See "Appendix: Answer
Sheet" on page 221 for the answer.

• Make sure Wrap Raw Event is selected.
• Make sure Show Event Type is selected.

You have completed Lab 10.

Appendix: Answer Sheet

Lab 1 - Introduction to FortiSIEM

Exercise 1: Creating Roles

Question:

Review the information in the Data Conditions and CMDB Report Conditions sections for this role. What do
you understand about these fields?

Answer:

Data Conditions - Restrict what data a role can see in the GUI, such as restricting auditors to just events reported
by Server devices such as Windows devices, or to restrict access to some dashboards for example Network
Dashboard.

CMDB Report Conditions - Restrict what data is available in CMDB Reports, such as allowing a device inventory
report of only Server devices.

Lab 2 - SIEM & PAM Concepts

Exercise 1: Reviewing Incoming Data

Question:

Which users had failed logins?

Answer:

admin and fred

Exercise 2: Structured Data

Question:

Make a note of each field header in the table.

Answer:

Event Receive Time, Reporting IP, Event Type, Raw Event Log.

Question:

Which attribute relates to the device IP that sent the data?

Answer:

Reporting IP

Question:

Which event type relates to a login failure?

Answer:

FortiGate-event-login-failure

Question:

Which attribute provides the local time when FortiGate actually logged the event?

Answer:

Device Time

Question:

What are the Reporting Model and Reporting Vendor attributes of the event?

Answer:

Reporting Model: FortiOS

Reporting Vendor: Fortinet

Question:

What attribute did FortiSIEM map this to in the structured view?

Answer:

Application Protocol

Question:

Who made a successful authentication? And what attribute was this field mapped to in the structured view?

Answer:

admin was mapped to the User attribute.

Exercise 3: Event Classification

Question:

Make a note of the Member of field.

Answer:

/Security/Logon Success/Dev Logon Success

Question:

Make a note of the Description

Answer:

Successful admin logon

Question:

What do you notice about this particular event?

Answer:

It's a member of two groups:

/Security/Logon Failure/Dev Account Locked

/Security/Logon Failure/Domain Account Locked

Therefore, events can belong to more than one group/category.

Exercise 4: Event Enrichment

Question:

What is the value in the Member of field?

Answer:

/Security/Logon Failure/Dev Logon Failure

Question:

Does it contain any country related information?

Answer:

Yes

Question:

Where did this information come from?

Answer:

The internal geolocation database

Question:

Is there a Source Country or Destination Country populated for this event? If not, why?

Answer:

No, these are internal RFC 1918 addresses.

Question:

Is there now a Reporting City, Destination City, Destination Country, and Destination State populated? If
so why?

Answer:

Yes. Country-related enrichment also occurs for internal RFC 1918 addresses when these values are set on the
asset in the CMDB.
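The following is an added example, not part of this lab guide and not FortiSIEM's own code, that shows the enrichment behaviour the two answers above describe: public addresses are resolved through a geolocation database, RFC 1918 addresses are never geolocated, and an internal address only receives Country/State/City values when the asset in the CMDB carries them. The geolocation rows, the CMDB location entries (a CMDB_LOCATION table keyed by IP) and the attribute names are constructed for the example.

```python
import ipaddress

# All data below is constructed for this example; it is not the lab's geo database or CMDB.
# Stand-in for the internal geolocation database: public network -> location attributes.
GEO_DB = {
    ipaddress.ip_network("69.94.156.0/24"): {"Country": "United States", "State": "Illinois", "City": "Chicago"},
    ipaddress.ip_network("203.0.113.0/24"): {"Country": "Australia", "State": "Victoria", "City": "Melbourne"},
}

# Stand-in for location fields set on an asset in the CMDB (assumed field names).
CMDB_LOCATION = {
    "192.168.0.40": {"Country": "United States", "State": "Texas", "City": "Dallas"},
}

# RFC 1918 private ranges; geolocation is never attempted for these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in RFC1918)


def geo_lookup(ip_str):
    """Return location attributes for a public IP from the geo database, or None."""
    ip = ipaddress.ip_address(ip_str)
    for net, attrs in GEO_DB.items():
        if ip in net:
            return dict(attrs)
    return None


def enrich(event):
    """Return a copy of the event with <Role> Country/State/City filled in.

    Public IPs are resolved through the geo database. RFC 1918 IPs are only
    enriched when the asset in the CMDB carries a location; otherwise the
    country fields stay unset, which is what the lab observes for internal addresses.
    """
    out = dict(event)
    for role in ("Source", "Destination"):
        ip_str = event.get(f"{role} IP")
        if not ip_str:
            continue
        attrs = CMDB_LOCATION.get(ip_str) if is_rfc1918(ip_str) else geo_lookup(ip_str)
        for name, value in (attrs or {}).items():
            out[f"{role} {name}"] = value
    return out


# Constructed events that mirror the lab's two cases.
SAMPLE_EVENTS = [
    # External address to an internal host that has no CMDB location set.
    {"Event Type": "FortiGate-event-login-failure", "Source IP": "69.94.156.1", "Destination IP": "192.168.0.10"},
    # Internal-to-internal traffic where the destination asset has a CMDB location.
    {"Event Type": "FortiGate-event-login-failure", "Source IP": "192.168.0.30", "Destination IP": "192.168.0.40"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        enriched = enrich(ev)
        geo = {k: v for k, v in enriched.items() if k.endswith(("Country", "State", "City"))}
        print(ev["Source IP"], "->", ev["Destination IP"], geo)
```

The first sample event ends up with only Source Country/State/City set; the second gets only the Destination fields, supplied by the CMDB entry rather than the geo database.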

Exercise 5: Reviewing Performance Events

Question:

Which attributes relate to the up-time and downtime of the device?

Answer:

• RAW: sysUpTime, sysDownTime
• Attribute: System Uptime, System Downtime

Question:

What attribute relates to how often the event is collected?

Answer:

Polling Interval

Question:

Which attribute relates to the memory utilization of the device?

Answer:

Memory Util

Question:

How often is the memory utilization event collected?

Answer:

Every 180 seconds (or 3 minutes)

Question:

Which attributes relate to the interface name and interface utilization?

Answer:

• Host Interface Name
• Recv Interface Util
• Sent Interface Util

Question:

Why are there four interface utilization events?

Answer:

The device has 4 network interfaces (one event per interface).

Lab 3 – Discovery

Exercise 1: Auto Log Discovery

Question:

Why are the names different do you think?

Answer:

The FortiGate logs contain the name of the device reporting the data (devname=x), and hence the parser reads
this and maps to an attribute named Reporting Device Name.

The Cisco ASA logs do not contain the device name, so the default behavior is to name the device HOST-<reporting IP>.
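An added example, not from this lab guide and not FortiSIEM's parser code, of the naming behaviour described above: a FortiOS key=value line carries devname, so the parser maps it to Reporting Device Name; a Cisco ASA line carries no name, so the device falls back to HOST-<reporting IP>. Both syslog lines are constructed, the field values in them (devid, logid, user, and so on) are made up, and the Cisco vendor/model tuple is an assumption; the Fortinet/FortiOS mapping is the one the Lab 2 answers show.

```python
import re

# Constructed sample syslog lines (not captured from the lab). Each is paired with the
# IP the collector received it from, which is what FortiSIEM records as Reporting IP.
SAMPLES = [
    ("192.168.3.1",
     'date=2018-11-20 time=10:15:02 devname="FortiGate90D" devid="FGT90D0000000001" '
     'logid="0100032002" type="event" subtype="system" level="alert" '
     'logdesc="Admin login failed" user="fred" ui="ssh(192.168.0.30)" '
     'action="login" status="failed" reason="passwd_invalid"'),
    ("192.168.0.1",
     "%ASA-6-302013: Built inbound TCP connection 12345 for outside:69.94.156.1/51000 "
     "(69.94.156.1/51000) to inside:192.168.0.10/445 (192.168.0.10/445)"),
]

# key=value pairs; values are either quoted ("...") or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(raw):
    """Split a FortiOS-style key=value log line into a dict of raw fields."""
    fields = {}
    for m in KV_RE.finditer(raw):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def reporting_device_name(reporting_ip, raw):
    """Name the reporting device the way auto log discovery does in the lab:
    devname from the log when present, otherwise HOST-<reporting ip>."""
    name = parse_kv(raw).get("devname")
    return name if name else f"HOST-{reporting_ip}"


def reporting_vendor_model(raw):
    """Vendor/model as the lab shows for FortiGate (Fortinet/FortiOS). The Cisco ASA
    tuple is an assumption based on the %ASA- message prefix, not taken from the lab."""
    if "devname=" in raw and "devid=" in raw:
        return ("Fortinet", "FortiOS")
    if raw.startswith("%ASA-"):
        return ("Cisco", "ASA")
    return ("Unknown", "Unknown")


if __name__ == "__main__":
    for reporting_ip, raw in SAMPLES:
        print(reporting_ip, reporting_device_name(reporting_ip, raw), reporting_vendor_model(raw))
```

Neither line carries a firmware version, which is why the Version column stays at ANY until an SNMP or credential-based discovery fills it in.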

Question:

What is displayed under the Version and Last Discovered Method fields for each device?

Answer:

• Version: ANY. Logs alone do not tell FortiSIEM the version of the device or application.
• Last Discovered Method: LOG (auto log discovery).

Question:

What do you see, and what can you determine about how log-only discovery populates the CMDB?

Answer:

They are blank. This type of information is not sent as part of the event message.

Exercise 3: Discovery of a Single Device

Question:

What does the Version field show now?

Answer:

Version: 5.4.1(1064)

Question:

How many groups is this device now a member of?

Answer:

19 groups. It has also been categorized under various networks by the IP Addresses/Network Masks on the
interfaces.

Question:

Make a note of how often CPU Util, Mem Util, and Net Intf Stat jobs are being collected via SNMP.

Answer:

• CPU Util - 3 minutes
• Mem Util - 3 minutes
• Net Intf Stat - 1 minute

Exercise 5: Performing Discovery of other Lab Devices

Question:

Make a note of the entries in the Process Name and Process Param columns.

Answer:

• Process Name: svchost.exe
• Process Parameter: -k iissvcs

Question:

Now type DNS in the search field and again make note of the entries in the Process Name and Process Param
columns.

Answer:

• Process Name: dns.exe
• Process Param: none

Lab 4 – Introduction to Analytics

Exercise 2: Search Operators

Question:

What was the impact of this search?

Answer:

Only raw logs with both devname and HTTP keywords are returned

Question:

What can you determine about the case sensitivity of keywords?

Answer:

The keywords are not case sensitive.

Lab 5 – CMDB Lookups and Filters

Exercise 3: Expert Challenge

Question A:

• Which user had failed an SSH login?
• From what IP address?

Answer:

Hacker from source IP 192.168.0.30.

Question B:

Do you see any suspicious port usage in your results?

Answer:

Build the search with the filter Source IP = 69.94.156.1 AND Destination IP = 192.168.0.10, and add the
Destination TCP/UDP Port column to see which ports were used.

Question C:

Do your results indicate the firewall rules are correctly implemented?

Answer:

There are many connections permitted to external destinations on non-standard ports such as 135, 199, and 445
(135 is Microsoft RPC and 445 is SMB; neither should be allowed outbound). The firewall rule is incorrectly
configured.

Question D:

Was any internal traffic permitted to any country in ASIA in the last 2 hours that was not on TCP/UDP ports
25,53,80,123, or 443?

Answer:

Yes, permitted traffic has been reported to countries in ASIA not on the defined TCP/UDP port list. Time to
tighten up those firewall rules!

Question E:

Which interfaces on the switch has this issue?

Answer:

Interface: GigabitEthernet4/48

Lab 6 – Group By and Aggregation

Exercise 2: Aggregating Data

Question:

What do your results show?

Answer:

A list of the disk capacity utilization of all the servers, with the highest utilization at the top of the list.

Exercise 3: Expert Challenge

Question A:

Which firewall device reported the most events over the last 30 minute time period?

Answer:

192.168.3.1

Question B:

Which is the most common destination country of any firewall events that are not on Destination TCP/UDP Port
of 21,80,443 or 53 over the last 1 hour?

Answer:

United States

Question C:

What is the most common source country for any deny events reported by a firewall device in the last 30 minutes?

Answer:

Top result is NULL (for internal IPs that don’t have a country).

Most common country is the United States.

Question D:

What events does this report produce?

Answer:

It produces hundreds of events that repeat for the same Application/Software Name. (Since the data is collected
every 3 minutes.)

Lab 7 – Rules

Exercise 1: Simple Rule Example

Question:

Make a note of the severity of the rule and also the function.

Answer:

Severity: 10-High Function: Security

Question:

What time period is the rule evaluating the pattern over?

Answer:

600 seconds (or 10 minutes)

Question:

Make a note of the attributes in the Group By section.

Answer:

l Reporting Device
l Reporting IP
l User

Question:

Make a note of the attributes in the Selected Attributes column.

Answer:

• Event Receive Time
• Event Type
• Reporting IP
• Source IP
• User
• Computer
• Win Logon Type
• Raw Event Log

Question:

Do the details match what you recorded in step 6 of the "To view a rule" procedure in this exercise?

Answer:

Yes

Exercise 2: Performance Rule Example

Question:

Make a note of value in the Default field and the disk name listed:

Answer:

Disk Space Util Critical Threshold 95

Name C:\

Question:

Find the threshold for Free Disk (MB) Critical Threshold.

Answer:

Free Disk (MB) Critical Threshold 100

Name C:\

Question:

Make a note of the values associated with the following items.

Answer:

Severity 5 - MEDIUM

Category Performance

Evaluation Time Window 600 seconds

Question:

Are there any results where the AVG(Disk Capacity Util) is greater than 95% and the AVG (Free Disk (MB)) is less
than 100?

Answer:

Yes

Lab 8 – Incidents and Notification Policies

Exercise 1: Reviewing the Incident Table

Question:

What do you think this option is actually doing for this rule?

Answer:

If the original rule does not trigger again for 20 minutes, then the incident will automatically be cleared.
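An added example (not the lab's rule and not FortiSIEM's engine) that puts the Lab 7 Exercise 1 rule settings (600-second evaluation window, grouped by Reporting Device, Reporting IP and User) together with the 20-minute incident auto-clear described in this answer. The count threshold of five, the Win-Security-4625 event type and the sample logon-failure events are assumptions constructed for the example; the window and auto-clear values are the lab's.

```python
from collections import defaultdict, deque

# Values taken from the lab's rule and incident settings.
WINDOW_SECONDS = 600        # rule evaluation window (10 minutes)
AUTO_CLEAR_SECONDS = 1200   # incident auto-clears after 20 minutes without a re-trigger
GROUP_BY = ("Reporting Device", "Reporting IP", "User")

# Assumed: the lab does not state the rule's count threshold.
COUNT_THRESHOLD = 5


class RuleEngine:
    """Minimal sliding-window rule with FortiSIEM-style incident auto-clear.

    Simplifications: events are counted per group-by key inside the window and the
    rule fires once each time the threshold is reached (the window is reset after
    firing); a re-fire on an Active incident bumps its count and last-trigger time.
    """

    def __init__(self):
        self.windows = defaultdict(deque)   # group key -> event timestamps in window
        self.incidents = {}                 # group key -> incident record

    def process(self, event):
        """Feed one event; return the incident record if the rule fires, else None."""
        key = tuple(event[attr] for attr in GROUP_BY)
        ts = event["Event Receive Time"]
        window = self.windows[key]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) < COUNT_THRESHOLD:
            return None
        window.clear()
        incident = self.incidents.get(key)
        if incident is None or incident["status"] == "Cleared":
            incident = {"status": "Active", "count": 1, "first_seen": ts, "last_trigger": ts}
            self.incidents[key] = incident
        else:
            incident["count"] += 1
            incident["last_trigger"] = ts
        return incident

    def auto_clear(self, now):
        """Clear Active incidents whose rule has not re-triggered for AUTO_CLEAR_SECONDS."""
        cleared = []
        for key, incident in self.incidents.items():
            if incident["status"] == "Active" and now - incident["last_trigger"] >= AUTO_CLEAR_SECONDS:
                incident["status"] = "Cleared"
                cleared.append(key)
        return cleared


BASE = 1_542_700_000  # constructed epoch base; offsets below are seconds


def make_failure(offset, user, src_ip):
    # Constructed Windows logon-failure event; the event type is assumed, not from the lab.
    return {"Event Receive Time": BASE + offset, "Event Type": "Win-Security-4625",
            "Reporting Device": "WIN2K8", "Reporting IP": "192.168.0.40",
            "Source IP": src_ip, "User": user}


# Five failures for "hacker" inside two minutes, interleaved with two for "fred".
SAMPLE_EVENTS = [
    make_failure(0, "hacker", "192.168.0.30"),
    make_failure(15, "fred", "192.168.0.50"),
    make_failure(30, "hacker", "192.168.0.30"),
    make_failure(60, "hacker", "192.168.0.30"),
    make_failure(75, "fred", "192.168.0.50"),
    make_failure(90, "hacker", "192.168.0.30"),
    make_failure(120, "hacker", "192.168.0.30"),
    make_failure(150, "hacker", "192.168.0.30"),
]


def run_sample():
    """Replay the sample, then evaluate auto-clear 20 minutes after the last trigger."""
    engine = RuleEngine()
    fired = [inc for inc in (engine.process(ev) for ev in SAMPLE_EVENTS) if inc]
    last = max(inc["last_trigger"] for inc in fired)
    cleared = engine.auto_clear(last + AUTO_CLEAR_SECONDS)
    return engine, fired, cleared


if __name__ == "__main__":
    engine, fired, cleared = run_sample()
    print("fired:", len(fired), "cleared:", cleared, "incidents:", engine.incidents)
```

Only the hacker group crosses the threshold, so one incident opens; fred's two failures never fire. Calling auto_clear at any time less than 20 minutes after the last trigger leaves the incident Active, which is the behaviour the answer above describes.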

Exercise 2: Grouping and Tuning Incidents

Question:

Explain what the rule pattern is looking for.

Answer:

It is looking for DNS traffic that is not coming from other DNS servers or internal applications. The traffic is
originating from the internal private network and is being reported by the firewalls, routers, and/or switches.

Lab 9 – Reporting

Exercise 4: Creating your Own Dashboards

Question:

Will these new adjusted values for AVG CPU determine what thresholds rules will trigger for these devices?

Answer:

No

Exercise 5: Dashboard Drill Down

Question:

What is the query looking at?

Answer:

Attribute    Operator  Value                                              Next Op
Host Name    =         FortiGate90D                                       AND
Event Type   IN        PH_DEV_MON_SYS_CPU_UTIL, PH_DEV_MON_SYS_MEM_UTIL   AND
Host IP      IN        Devices: Network Device

Question:

What has the time criteria been pre-populated to run over and where did this value come from?

Answer:

The time criteria are set to an absolute range covering the last hour. These values came from the widget.

Question:

What was the result of this action?

Answer:

It takes you to ANALYTICS tab with search field pre-populated.

Question:

How does this differ from the analytic query produced from step 7 of drill down on dashboard content?

Answer:

In step 3, it was on a specific device.

Lab 10 – Business Services

Exercise 2: Business Service Incidents

Question:

What service was stopped?

Answer:

McAfee Access Scanner

Question:

Which devices had a severe vulnerability detected?

Answer:

WIN2K8 (192.168.0.40) and QA-EXCHG (172.16.10.28)

Exercise 3: Business Service Summary Dashboard

Question:

Can you identify the SQL query that was running slow?

Answer:

select * from patient_records

Question:

Can you identify the files that were added on the QA-EXCHG or WIN2K8 machines?

Answer:

C:\Documents\Contracts\7ogger.exe

C:\Windows\System32\svchostss.exe

C:\Documents\Contracts\mcafeeav.pif


No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
