FortiSIEM 5.1 Lab Guide-Online
© FORTINET
Fortinet Document Library
http://docs.fortinet.com
Fortinet Knowledge Base
http://kb.fortinet.com
Fortinet Forums
https://forum.fortinet.com
Fortinet Support
https://support.fortinet.com
FortiGuard Labs
http://www.fortiguard.com
Feedback
Email: courseware@fortinet.com
11/20/2018
Virtual Lab Basics
In this course, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab
and its virtual machines. It also shows the topology of the virtual machines in the lab.
If your trainer asks you to use a different lab, such as devices physically located in your
classroom, then ignore this section. This section applies only to the virtual lab
accessed through the Internet. If you do not know which lab to use, please ask your
trainer.
Network Topology
Lab Environment
Fortinet's virtual lab for hands-on exercises is hosted in remote data centers that give each student their own training lab environment, or point of delivery (PoD).
Remote Access Test
Before starting any course, check that your computer can connect to the remote data center successfully. The remote access test verifies whether your network connection and your web browser can support a reliable connection to the virtual lab.
You do not have to be logged in to the lab portal in order to run the remote access test.
If your computer connects successfully to the virtual lab, you will see the message All tests passed!:
Logging In
After you run the remote access test to confirm that your system can run the labs successfully, you can proceed to
log in.
You will receive an email from your trainer with an invitation to auto-enroll in the class. The email will contain a
link and a passphrase.
Your system dashboard appears, listing the virtual machines (VMs) in your lab topology.
• From the box of the VM you want to open, click View VM.
When you open a VM, your browser uses HTML5 to connect to it. Depending on the VM you select, the web
browser provides access to either the GUI of a Windows or Linux VM, or the CLI-based console access of a
Fortinet VM.
For most lab exercises, you will connect to a jumpbox VM, which can be either a Windows or a Linux VM. From the jumpbox VM, you will connect over HTTPS and SSH to all other Fortinet VMs in the lab environment.
If your computer’s connection to the VM times out or closes, to regain access, return to the window or tab that
contains the list of VMs for your session, and reopen the VM.
Screen Resolution
To configure screen resolution in the HTML5 client, use the Resolution drop-down list on the left. You can also
change the color depth:
You can use the Virtual Keyboard panel to either send the Ctrl-Alt-Del combination, or the Windows key:
From the Virtual Keyboard panel, you can also copy text to the guest VM's clipboard:
Student Tools
There are three icons on the left for messaging the instructor, chatting with the class, and requesting assistance:
Troubleshooting Tips
• Do not connect to the virtual lab environment through Wi-Fi, 3G, VPN tunnels, or other low-bandwidth or high-latency connections.
• Prepare your computer's settings by disabling screen savers and changing the power saving scheme so that your computer is always on, and does not go to sleep or hibernate.
• For best performance, use a stable broadband connection, such as a LAN.
• You can run a remote access test from within your lab dashboard. It will measure your bandwidth, latency and general performance:
• If the connection to any VM or the virtual lab portal closes unexpectedly, try to reconnect. If you can't reconnect, notify the instructor.
• If you can't connect to a VM, on the dashboard, open the VM action menu, and select Reset:
• If that does not solve the access problem, you can try to revert the VM back to its initial state. Open the VM action menu, and select Revert:
Reverting to the VM's initial state will undo all of your work. Try other solutions first.
• During the labs, if the VM is waiting for a response from the authentication server, a license message similar to the following example appears:
Objectives
• Create a role
• Create new users
• Apply roles to users
• Change local passwords
Time to Complete
Estimated: 15 minutes
Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.
2. Open the Firefox browser and enter the following URL to access the FortiSIEM GUI:
https://10.0.1.130/phoenix/login-html.jsf
There is a link for the FortiSIEM GUI on the browser's Favorites bar.
Field      Value
User ID    admin
Password   admin*1
Domain     LOCAL
Because FortiSIEM does not allow you to overwrite the out-of-box system roles, the
system will prompt you to save the role with a different name. (By default, it will add a
date stamp.)
7. Remove the date stamp and add FSM_LAB to the role name as in the following example, then click OK:
2. Review the information in the Data Conditions and CMDB Report Conditions sections for this role.
What do you understand about these fields? See "Appendix: Answer Sheet" on page 208 for the answer.
3. Review the UI Access section and the conditions that apply to this role.
4. Expand the CMDB option and expand Devices.
Notice how all network devices are hidden while giving access to server devices.
5. After you review the list, in the lower-left corner of the pane, click Cancel to exit the Server Admin_FSM_LAB
details.
Field      Value
Attribute  Reporting IP
Operator   IN
Field Value
Click the item and select the down arrow to change its status.
• FortiSIEM Dashboard
• Network Dashboard
• Security Dashboard
• Server Dashboard
Hide the rest of the Dashboards.
• Others
In this exercise, you will create two new users: a manager account and your own user account.
Field         Value
System Admin  Click in the empty box to open a dialog box, and configure the following settings:
Mode          Local
Password      admin*2
4. Click Back.
5. Click Save.
6. Log out of the FortiSIEM GUI by clicking the power icon on the top toolbar.
Field      Value
User ID    manager
Field      Value
Password   admin*2
Domain     LOCAL
4. Click CMDB and notice it shows only Devices you have selected previously for the role.
5. Log out of the FortiSIEM GUI as the manager and log in again as the admin user:
• User ID: admin
• Password: admin*1
• Domain: LOCAL
6. Click the CMDB tab and, in the pane on the left side of the screen, click Users.
7. Click New to create your own user account, but this time specify the Full Admin role and use the password
admin*3. For example:
Field         Value
System Admin  Click in the empty box to open a dialog box, and configure the following settings:
Mode          Local
Password      admin*3
8. Click Back.
9. Click Save to save your new user account.
10. Log out of the FortiSIEM GUI.
Field      Value
Password   admin*3
Domain     LOCAL
Notice your user name and current role are listed at the bottom of the screen.
2. On the upper-right corner of the window, click the single user icon.
3. In the Password and Confirm Password fields, enter a new password, and then click Save.
The password must contain at least one number and one special character (such as:
!@#$%^*(),.?).
In this lab, you will explore how FortiSIEM processes each log into an event type.
Objectives
• View raw event logs
• View structured data
• Inspect event classification
• Inspect event enrichment
• Review performance events
Time to Complete
Estimated: 45 minutes
Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.
In this exercise, you will review the raw events that have been received by syslog.
There is a link for the FortiSIEM GUI on the browser's Favorites bar.
If you are logged out of FortiSIEM due to inactivity, log back in using the HTML edition option.
Field      Value
User ID    admin
Password   admin*1
Domain     LOCAL
Field      Value
Attribute  Reporting IP
Operator   =
Value      192.168.3.2
To generate logs
1. Open a new tab in your browser, and go to the NSE Institute website:
https://10.0.1.130/NSE_Institute/index.php
2. On the web site, click LABS SET 1 and, under Lab 2 – SIEM Concepts, click Exercise 2.1 – Raw Events.
The output should resemble the following example:
4. In the table, in the Raw Event Log, review the log details for each event received by syslog.
Which users had failed logins? See "Appendix: Answer Sheet" on page 208 for the answer.
5. Leave the window that displays the events open and continue to the next exercise.
In this exercise, you will review the normalization of raw events into structured data.
Which attribute relates to the device IP address that sent the data? See "Appendix: Answer Sheet" on page 209 for the answer.
Notice how each raw event log maps to a specific Event Type.
Which event type relates to a login failure? See "Appendix: Answer Sheet" on page 209 for the answer.
2. In the Raw Event Log field, select a login event that was successful.
Once selected, a white down arrow icon appears.
3. Click the white down arrow icon to display the Show Detail button, which enables you to view the details
associated with that event.
4. Click Show Detail.
The Event Details dialog box opens. The window includes both the raw log details as well as a more
structured view of the log details.
5. In the structured Event Details view, review the attributes into which FortiSIEM has normalized the raw event log.
Which attribute provides the local time when FortiGate actually logged the event? See "Appendix: Answer
Sheet" on page 209 for the answer.
What are the Reporting Model and Reporting Vendor attributes of the event? See "Appendix: Answer Sheet" on page 209 for the answer.
6. Review the raw event log view and look at which protocol was used for the authentication (HTTPS or SSH).
What attribute did FortiSIEM map this to in the structured view? See "Appendix: Answer Sheet" on page 209
for the answer.
Who made a successful authentication? And what attribute was this field mapped to in the structured view?
See "Appendix: Answer Sheet" on page 209 for the answer.
7. Close only the Event Details window, and continue to the next exercise.
In this exercise, you will review how the events are grouped into event types.
Using the same analytics results from the previous exercise, you will inspect the event classification of Event
Type, FortiGate-event-login-success in the FortiSIEM database (CMDB).
4. Select FortiGate-event-login-success.
A Summary pane will open at the bottom of the screen.
7. Remove the search term FortiGate and review all the other vendor event types that have been classified as a Dev
Logon Success event.
8. On the left pane, still under Security, click Logon Failure > Dev Account Locked, and review the different
event types.
9. Find the event Win-Security-4740 in the list.
What do you notice about this particular event? See "Appendix: Answer Sheet" on page 210 for the answer.
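As an added illustration of what the normalization and classification exercises above show in the GUI, the following Python example (written for this guide, not FortiSIEM's own parser) turns constructed FortiGate-style admin login messages into structured attributes and assigns each an event type and classification group. Reporting IP, Reporting Vendor, Reporting Model, Event Type and the group names come from the lab; the other attribute names, the failure event type name and the sample messages are this example's assumptions.

```python
import re

# Constructed FortiGate-style admin login messages, not captured from the lab.
# Each tuple is (address the syslog was received from, message body).
SAMPLE_SYSLOG = [
    ("192.168.3.2",
     'date=2018-11-20 time=09:15:02 devname=FG240D3913800441 logid=0100032001 type=event '
     'subtype=system level=information logdesc="Admin login successful" user="admin" '
     'ui="https(10.0.1.5)" method=https srcip=10.0.1.5 action=login status=success '
     'reason="none" msg="Administrator admin logged in successfully from https(10.0.1.5)"'),
    ("192.168.3.2",
     'date=2018-11-20 time=09:16:40 devname=FG240D3913800441 logid=0100032002 type=event '
     'subtype=system level=alert logdesc="Admin login failed" user="bob" '
     'ui="ssh(10.0.1.7)" method=ssh srcip=10.0.1.7 action=login status=failed '
     'reason="passwd_invalid" msg="Administrator bob login failed from ssh(10.0.1.7)"'),
    ("192.168.3.2",
     'date=2018-11-20 time=09:17:05 devname=FG240D3913800441 logid=0100032002 type=event '
     'subtype=system level=alert logdesc="Admin login failed" user="alice" '
     'ui="https(10.0.1.9)" method=https srcip=10.0.1.9 action=login status=failed '
     'reason="passwd_invalid" msg="Administrator alice login failed from https(10.0.1.9)"'),
]

# key=value pairs; a quoted value may contain spaces, an unquoted one may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(raw):
    """Split a FortiGate key=value message body into a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(raw)}


def classify(fields):
    """Return (event type, classification group). FortiGate-event-login-success and the
    group names appear in the lab; the failure type name is this example's assumption."""
    if fields.get("action") == "login":
        if fields.get("status") == "success":
            return "FortiGate-event-login-success", "Dev Logon Success"
        return "FortiGate-event-login-failure", "Logon Failure"
    return f"FortiGate-{fields.get('type', 'unknown')}-{fields.get('subtype', 'other')}", None


def normalize(sender, raw):
    """Map raw fields onto structured attributes. Reporting IP / Vendor / Model and
    Event Type are names used in the lab; the other attribute names are assumed."""
    fields = parse_kv(raw)
    ui = fields.get("ui", "")
    event_type, _group = classify(fields)
    return {
        "Reporting IP": sender,                          # the device that sent the syslog
        "Reporting Vendor": "Fortinet",                  # fixed for this parser's log family
        "Reporting Model": "FortiOS",
        "Device Time": f"{fields.get('date')} {fields.get('time')}",  # stamped by the FortiGate
        "Host Name": fields.get("devname"),
        "User": fields.get("user"),
        "Source IP": fields.get("srcip"),
        "Access Protocol": ui.split("(", 1)[0].upper() or None,      # https(10.0.1.5) -> HTTPS
        "Event Type": event_type,
        "Raw Event Log": raw,
    }


def group_by_classification(messages):
    """Group the normalized events the way the CMDB event type tree does."""
    groups = {}
    for sender, raw in messages:
        _event_type, group = classify(parse_kv(raw))
        groups.setdefault(group, []).append(normalize(sender, raw))
    return groups


def failed_login_users(messages):
    """Users with at least one failed login in the constructed messages."""
    failures = group_by_classification(messages).get("Logon Failure", [])
    return sorted({event["User"] for event in failures})
```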
In this exercise, you will review how FortiSIEM adds enrichment attributes to events.
Make sure the search field is empty (it may contain text from another exercise).
2. In the Filters editor, configure the following settings to create a new query:
Field      Value
Attribute  Reporting IP
Operator   =
Value      172.16.1.3
Next Op    OR
3. In the Row column associated with your existing condition, click the + icon to add another row:
4. In the Next column associated with your existing condition, select OR.
5. Complete the following query:
Field      Value
Attribute  Reporting IP
Operator   =
Value      192.168.20.2
To generate logs
1. Return to the browser tab displaying the NSE Institute website (or, if closed, open a new browser tab and go to
the NSE Institute website).
2. Under LABS SET 1 and Lab 2 – SIEM and PAM Concepts, select Exercise 2.2 – Event Enrichment (Part A).
The output should resemble the following example:
What is the value in the Member of field? See "Appendix: Answer Sheet" on page 210 for the answer.
8. Click the white down arrow icon to display the Show Detail option, which will enable you to view the details
associated with that event.
9. Click Show Detail.
The Event Details window opens.
11. Review the attributes in the structured view and note the Source Country, Source Organization, and Source
State.
Where did this information come from? See "Appendix: Answer Sheet" on page 210 for the answer.
You might see an error message because FortiSIEM is not configured with a real Google API key.
6. In the Edit Device Location pop-up window, configure the following settings (or configure your own), and then
click OK:
Field      Value
City       London
7. Click Save.
8. Click the ANALYTICS tab and click the search field.
Your previous query should still be listed.
To generate logs for manually updated geographical location
1. Return to your browser tab displaying the NSE Institute website (or, if closed, open a new browser tab and go to
the NSE Institute website).
2. Under LABS SET 1 and Lab 2 – SIEM and PAM Concepts, select Exercise 2.2 – Event Enrichment (Part B).
Is there now a Reporting City, Destination City, Destination Country, and Destination State
populated? If so, why? See "Appendix: Answer Sheet" on page 211 for the answer.
In this exercise, you will examine some of the performance events collected by FortiSIEM.
Attribute  Reporting IP
Operator   =
Value      192.168.20.2
3. Click the Event Type column to sort the data alphabetically (once clicked, you should notice an up or down arrow
to the left of the field).
4. Select Raw Event Log for Event Type PH_DEV_MON_SYS_UPTIME and view Event Details.
Performance events are also enriched with geo-location data (Host/Reporting Country, and so on) if the CMDB has a location set for an internal device, and all performance events have a host IP populated.
What attribute relates to how often the event is collected? See "Appendix: Answer Sheet" on page 211 for the
answer.
6. Click the white down arrow icon in the Raw Event Log to open the Event Details dialog box, and select Event Type PH_DEV_MON_SYS_MEM_UTIL.
7. Review the raw event log and structured data.
Which attribute relates to the memory utilization of the device? See "Appendix: Answer Sheet" on page 212
for the answer.
How often is the memory utilization event collected? See "Appendix: Answer Sheet" on page 212 for the
answer.
8. Open the Event Details dialog box associated with the event type PH_DEV_MON_NET_INTF_UTIL.
9. Review the raw event log and structured data.
Which attributes relate to the interface name and interface utilization? See "Appendix: Answer Sheet" on
page 212 for the answer.
Why are there four interface utilization events? See "Appendix: Answer Sheet" on page 212 for the answer.
Objectives
• View auto log discovery
• Add credentials and IP ranges for a single device
• Discover a single device
• Pull configuration data using privileged credentials
• Perform a discovery on many devices
• Pull performance data from devices
Time to Complete
Estimated: 75 minutes
Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.
In this exercise, you will inspect the type of data that is extracted from the syslogs.
There is a link for the FortiSIEM GUI on the browser's Favorites bar.
2. Click the ANALYTICS tab and click the search field to edit the condition.
3. In the Filters editor, configure the following settings to create a new query:
Field      Value
Operator   CONTAIN
Value      ASA
4. In the Next column associated with your existing condition, select OR.
5. In the Row column associated with your existing condition, click the + icon to add another row.
6. Configure the following settings:
Field      Value
Operator   CONTAIN
Value      devname
Make sure the search field is empty (it may contain text from another exercise).
2. Click the CMDB tab and, in the pane on the left side of the screen, click Devices > Network Device > Firewall.
3. To add a Version column to the display, on the upper-right corner of the CMDB tab, click the columns icon to
select display columns.
4. Select Version from Available Columns, click the right arrow icon to move Version to Selected Columns, and then click OK.
5. Click the CMDB tab and, on the pane on the left side of the screen, click Devices > Network Device >
Firewall.
You should see a Cisco ASA device with the name HOST-192.168.19.65 and a Fortinet FortiOS device with
the name FG240D3913800441.
Make sure the search field is empty (it may contain text from another exercise).
Why are the names different? If you are unsure, review some of the raw events on the ANALYTICS tab.
See "Appendix: Answer Sheet" on page 212 for the answer.
What is displayed under the Version and Last Discovered Method fields for each device? See "Appendix:
Answer Sheet" on page 213 for the answer.
6. Continuing on CMDB tab, on the lower pane containing the details, select the Cisco ASA device, then click the
Summary tab and review the details.
Notice this device has been automatically categorized under three groups.
7. Select the Fortinet FortiOS device and, on the lower pane containing the details, click the Summary tab and review the details.
Notice this device has been automatically categorized under four groups.
8. On the same lower pane, review the Interfaces and Configuration tabs for both devices.
What do you see and what can you identify about the population of the CMDB from the log discovery alone?
See "Appendix: Answer Sheet" on page 213 for the answer.
In this exercise, you will add SNMP credentials used in the discovery process.
Field Value
6. Click Save.
Prediscovery Preparation
Because you are working with a system that has fake data, you need to prepare the system before you can
perform the discovery.
3. Once completed, select Exercise 3.2 – (B) Copy FortiGate Discovery File.
The output should resemble the following example:
In this exercise, you will use the credentials from the previous exercise to discover a device and collect data from
it.
Field      Value
Include    192.168.3.1
6. Keep the default settings for all other fields, and click Save.
7. On the table, select the FortiGate Firewall entry, and click Discover.
8. Once the discovery is complete, review the fields to view what access method was used for the discovery and what
system monitors and application monitors were applied to the device.
9. Click Close.
Because this is a fake device, you will trick the system into believing the performance jobs are being collected.
On the upper-right corner of the CMDB tab, click the columns icon to select display columns.
4. Select the Fortinet FortiOS device and, on the lower pane containing the details, click the Summary tab and
review the details.
How many groups is this device now a member of? See "Appendix: Answer Sheet" on page 213 for the
answer.
6. Continuing on the lower pane, click the Hardware tab, and then the Components sub-tab.
Notice how the serial number and software version are recorded.
7. Click the main Admin tab and, on the pane on the left side of the screen, click Setup.
8. On the main window, select the Monitor Performance tab.
Notice how the Fortinet FortiOS device lists the system monitors and application monitors.
9. View the Monitor column and make a note of how often CPU Util, Mem Util and Net Intf Stat jobs are being
collected using SNMP. See "Appendix: Answer Sheet" on page 213 for the answer.
Clicking Report takes you to the ANALYTICS tab to view the results.
If Telnet or SSH credentials are also associated with a supported device, then the device startup and running
configuration can also be stored in the CMDB, along with installed software versions, for some devices. In this
exercise, you will explore this functionality.
Notice how the access protocol defaults to HTTPS and the port to 443.
Field      Value
Password   topsecret
6. Click Save.
7. Under Step 2: Enter IP Range to Credential Associations, select the 192.168.3.1 entry, and click Edit.
The Device Credential Mapping Definition dialog opens.
8. Click the + icon near the bottom of the dialog box, and select FortiGate SSH (which you just created), then click
OK.
In a real-world environment, you could rediscover the FortiGate firewall. The new SSH credential would also
be attempted against the device to apply a configuration pulling system monitor job. Because this device is
fake, you need to simulate this.
To simulate FortiGate SSH Config and Installed Software
1. Return to the browser tab on the NSE Institute website.
2. Navigate to LABS SET 1 and, under Lab 3 – Discovery, select Exercise 3.4 – (A) Simulate FortiGate SSH
Config and Installed Software.
The output takes approximately one minute to return and should resemble the following example:
5. Continuing on the lower pane, select the Software tab and look at the details on the Installed Software sub-tab.
You should now see all the versions of the AV engine, attack definitions, and so on.
To review simulated FortiGate SSH Config Change
1. Return to your browser tab displaying the FortiSIEM GUI.
2. Continuing on the Firewall page, select the Fortinet FortiOS device (FG240D3913800441), and click the refresh icon.
3. On the lower pane containing the details, click the Configuration tab again.
You should notice a second revision of the startup-config. (If not, wait one minute and refresh again.)
4. Depending on your computer, use Shift or Ctrl to select both revisions, and then click the Diff button.
In this exercise, you will create discoveries for all other devices in the simulated lab. You will continue to use only
SNMP. (You are assuming the same SNMP credential across all devices.)
Type Make IP Address Method
Field Value
6. Click Save.
7. Click New again, and configure the credentials to add a range of devices:
Field Value
8. Click Save.
9. Click New again, and configure the following credentials to add the Wireless Controller IP:
Field Value
10. Click New again, and configure the following credentials to add a list of server devices (to demonstrate a mixture
of IP ranges):
Field Value
To prepare the fake devices for discovery, you need to prepare the lab system.
If you don’t see three 100% successful SCP transfers, advise your instructor.
Name Discovery Type Include Name Resolution
4. Once you have defined the discovery ranges, select each entry (but not the FortiGate Firewall that was already
present), and then click Discover. (Do these one at a time.)
5. Once completed, on the Monitor Performance tab, review the system monitors applied to each device.
6. Click the CMDB tab and review the devices and device categorizations. (You may need to click Refresh.)
7. On the pane on the left side of the screen, click Devices > Server.
8. On the main window, select device WIN2008-ADS and, in the lower pane that contains the details, click the
Software tab.
9. Click the Running Applications sub-tab and, in the search field, type iis.
Notice the list of running applications populated from discovery for IIS.
10. Make a note of the entries in the Process Name and Process Param columns. See "Appendix: Answer Sheet"
on page 214 for the answer.
11. Type DNS in the search field and again make note of the entries in the Process Name and Process Param
columns. See "Appendix: Answer Sheet" on page 214 for the answer.
12. On the pane on the left side of the screen, click Applications > Infrastructure App > DNS, and select
Microsoft DNS on the main window.
Notice how the CMDB knows which devices in the environment are running the DNS process.
13. On the pane on the left side of the screen, click Applications > User App > Web Server, and select Microsoft
IIS on the main window.
Again, notice how FortiSIEM understands which devices are running IIS by tracking the process names
running during discovery.
Now that the devices are populated in the CMDB, you will start to bring in fake performance and security data.
Field      Value
Operator   CONTAIN
Value      *
6. Next to Time, select Real Time.
7. Click Save & Run.
Make sure the search field is empty (it may contain text from another exercise).
Wait for a few seconds and then you will see various events arriving.
8. Remove the asterisk from the filter box, type PH_DEV_MON, and click Search again.
After waiting a minute or so, you should start to see performance metric events.
3. On the FortiSIEM dashboard, select the + icon next to the Incidents tab to add a new dashboard.
The Create New Dashboard pop-up window opens.
Field Value
Not all devices collect the same system resource metrics, so some columns will be
blank. If your system does not resemble the following example, inform your instructor.
Objectives
• Understand the real-time search
• Perform a search for raw log messages
• Perform a historical keyword search
• Employ multiple search conditions
• Explore some of the well-used search operators
Time to Complete
Estimated: 30 minutes
Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.
In this exercise, you will perform a real-time search for raw logs.
There is a link for the FortiSIEM GUI on the browser's Favorites bar.
7. The Filter editor opens.
8. Create the following query:
Field      Value
Operator   CONTAIN
Value      *
The Raw Event Log attribute is used for viewing raw log messages from various
devices.
11. In the Raw Event Log field, select a raw log message.
A white down arrow icon appears.
12. Click the down arrow icon to display the Show Detail button, and view the event details associated with that
event.
The top portion of the dialog box includes the raw log received by FortiSIEM.
The bottom portion of the dialog box includes the structured view—all the attributes that FortiSIEM parsed
out of the message.
You can use these attributes in structured searches, rules, reports, and on dashboards.
Notice that as soon as you click Clear All, all existing settings are cleared.
16. Click Cancel. Don't save the changes made when you clicked Clear All.
5. Modify the search condition again in the Filters editor for condition devname AND HTTP, and complete the
following query:
Field      Value
Operator   CONTAIN
Value      devname
6. In the Row column associated with your existing condition, click the + icon to add another row.
7. In the Next column associated with your existing condition, select AND.
8. Complete the following query:
Field      Value
Operator   CONTAIN
Value      HTTP
The logical AND operator is used to achieve the results for the query devname AND HTTP.
What was the impact of this search? See "Appendix: Answer Sheet" on page 214 for the answer.
What can you identify about the case sensitivity of keywords? See "Appendix: Answer Sheet" on page 214 for
the answer.
Field      Value
Operator   CONTAIN
Value      deny
3. Next to Time, select Relative, then in the Last field, type 10, and select Minutes.
4. Click Save & Run.
Notice that the graph shows a COUNT over time (10 minutes in this case) of all the events.
5. Hover your mouse over the graph to view the absolute time range for the events in that time period.
This allows granular control and the ability to drill into event peaks of interest.
Field      Value
Operator   CONTAIN
Value      *
3. Next to Time, select Relative, then, in the Last field, type 3, and select Minutes.
4. Click Save & Run.
Notice all the events received over the specified time period.
This could be many pages of data, too many lines to fit on one page.
You can jump to any page required by entering the page number.
Field      Value
Attribute  Reporting IP
Operator   =
Value      192.168.3.1
7. In the Last field, type 5, and select Minutes, then click Save & Run.
Notice how all the results include the reporting IP you specified.
In this exercise, you will explore the use of multiple search conditions.
Field      Value
Attribute  Destination IP
Operator   =
Value      8.8.8.8
5. Modify the Time drop-down list to run the search over the last 10 minutes.
In this exercise, you will explore the use of the CONTAINS operator.
Field      Value
Operator   CONTAIN
Value      win-security
3. Leave the search time set to the last 10 minutes, and click Save & Run.
You should notice that all events returned are Windows security related.
Field      Value
Attribute  User
Operator   !=
Value      svc_monitor
8. Leave the search time set to the last 10 minutes, and click Save & Run.
9. Review the Event Details of the raw event log for one of the returned events.
• Once you select the RAW Event log, a white down arrow icon will appear.
• Click the icon to display the Show Detail option, which will enable you to view the Event Details associated with that event.
10. Scroll to the bottom of the structured view and, in the row that contains the User attribute, select Display.
This adds an extra display column to the display.
11. Click OK to close the Event Details dialog box, then run your search again.
None of the users should be svc_monitor.
If you do not get any results for any search, run the search over a longer time period.
In this exercise, you will explore the use of the IN and NOT IN operators.
Field      Value
Operator   NOT IN
This query is now configured to look for events that are Windows security events but are not from the
administrator or svc_monitor user.
Use the NOT IN operator when specifying the user (that is, the User is NOT IN this list).
3. Next to Time, select Relative then, in the Last field, type 30, and select Minutes.
In your results you may see many users returned with a $. These are computer accounts.
4. Modify your search to exclude these computer accounts by adding an extra condition using the NOT CONTAIN
operator:
a. In the Next column associated with the User condition, select AND.
b. In the Row column associated with the User condition, click the + icon to add another row.
c. Configure the following settings for your new condition:
Field      Value
Attribute  User
Value      $
5. Leave the search time set to the last 10 minutes, and click Save & Run.
6. Review the results.
You will get a result similar to the following example:
In this exercise, you will explore the use of the IS and IS NOT operators.
Field      Value
Operator   CONTAIN
Value      ph_dev_mon
5. Leave Time set to Relative then, in the Last field, type 1, and select Hour.
6. Click Save & Run.
7. Open the Event Details dialog box for one of the events, and select check boxes to add the following display
columns:
• Disk Capacity Util
• Disk Name
• Free Disk MB
• Once the RAW Event log is selected, a white down arrow icon will appear.
• Click the icon to display the Show Detail option, which will enable you to view the Event Details associated with that event.
Review the results. Three new fields were added to the display column for all events.
In this exercise, you will explore the use of the greater than operator.
Field      Value
Operator   >
Value      80
3. Leave the search time set to the last 1 hour and click Save & Run.
4. Review the results.
5. Open the Event Details dialog box for one of the events and remove the following display columns, which you
added in the previous exercise:
• Disk Capacity Util
• Disk Name
• Free Disk MB
• Once the RAW Event log is selected, a white down arrow icon will appear.
• Click the icon to display the Show Detail option, which will enable you to view the Event Details associated with that event.
In this lab, you will explore how the CMDB can be referenced in searches within FortiSIEM.
Objectives
l Reference CMDB elements in your search criteria
l Add and remove display columns
l Use multiple tabs to compare similar search results
l Expert challenge (unguided search scenarios)
Time to Complete
Estimated: 45 minutes
Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.
In this exercise, you will learn how to reference devices from the CMDB in your search criteria.
There is a link for the FortiSIEM GUI on the browser's Favorites bar.
Field Value
Attribute Reporting IP
Operator IN
8. In CMDB dialog box, in the Folders pane, click Devices > Network Device > Firewall.
The firewall devices appear in the middle column.
12. Next to Time, select Relative then, in the Last field, type 20, and select Minutes.
13. Click Save & Run.
If you do not get any results for any search, run the search over a longer time period.
Field Value
Field Value
Operator IN
f. Click OK.
2. Leave Time set to Relative then, in the Last field, type 20, and select Minutes.
3. Click Save & Run.
This will narrow your search to only denied traffic events.
If you do not get any results for any search, run the search over a longer time period.
Field Value
Attribute Destination IP
Operator NOT IN
c. Click the Value field and select ...Select from CMDB .
d. Click Networks > Private Net.
Notice that this lists three network entries, which are the three RFC 1918 private address blocks (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16).
Field Value
Attribute Source IP
Operator IN
e. Click >> to add the folder to Selections.
f. Click OK.
2. Leave Time set to Relative then, in the Last field, type 20, and select Minutes.
3. Click Save & Run.
Your final queries should look like the following example:
4. Once the search is complete, click the Display Fields drop-down list and add a new row to display a column for
Destination TCP/UDP Port.
5. Run the search again and see if you can identify the most commonly blocked port.
The search result should look like the following example:
6. Once you have finished reviewing the event logs, click the Display Fields drop-down list again.
7. Remove the Destination TCP/UDP Port display column by clicking the - icon in its Row column, then click
Save.
You can build similar queries for other device groups in the CMDB, such as Windows servers.
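The query this exercise builds (reporting device in the Firewall folder, denied traffic, source in Private Net, destination not in Private Net) and the count of blocked destination ports can be written out in plain code, which makes the semantics of IN and NOT IN against a CMDB network folder explicit. The following Python is an added example written for this guide, not FortiSIEM code. The events, the firewall address, the Private Net folder and the ALLOWED_OUTBOUND_PORTS list are constructed stand-ins; the last of these goes slightly beyond the exercise by also checking permitted traffic against an assumed outbound port policy.

```python
import ipaddress
from collections import Counter

# Constructed sample events (not lab data). Field names mirror the FortiSIEM
# attributes used in the exercise: Reporting IP, Event Type, Source IP,
# Destination IP and Destination TCP/UDP Port. The event type strings are
# placeholders; only the "deny"/"permit" substring matters here.
EVENTS = [
    {"reporting_ip": "192.168.3.1", "event_type": "traffic-deny",   "src": "192.168.22.15", "dst": "203.0.113.7",  "dport": 23},
    {"reporting_ip": "192.168.3.1", "event_type": "traffic-deny",   "src": "192.168.22.16", "dst": "198.51.100.9", "dport": 23},
    {"reporting_ip": "192.168.3.1", "event_type": "traffic-deny",   "src": "10.1.1.33",     "dst": "203.0.113.7",  "dport": 445},
    {"reporting_ip": "192.168.3.1", "event_type": "traffic-permit", "src": "10.1.1.33",     "dst": "203.0.113.7",  "dport": 443},
    {"reporting_ip": "192.168.3.1", "event_type": "traffic-permit", "src": "10.1.1.34",     "dst": "203.0.113.8",  "dport": 8080},
    # inbound denial: the source is public, so it is not internal-to-external traffic
    {"reporting_ip": "192.168.3.1", "event_type": "traffic-deny",   "src": "203.0.113.50",  "dst": "192.168.3.1",  "dport": 22},
    # internal-only denial: the destination is private, so NOT IN Private Net excludes it
    {"reporting_ip": "192.168.3.1", "event_type": "traffic-deny",   "src": "192.168.22.15", "dst": "172.16.5.5",   "dport": 445},
    # same traffic reported by a Windows server, which is not in the Firewall folder
    {"reporting_ip": "192.168.0.40", "event_type": "traffic-deny",  "src": "192.168.22.15", "dst": "203.0.113.7",  "dport": 23},
]

# Stand-ins for the two CMDB folders the search references. The firewall
# address is the one the lab uses; Private Net is the three RFC 1918 blocks.
CMDB_FIREWALLS = {"192.168.3.1"}
CMDB_PRIVATE_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed outbound policy (HTTP, HTTPS, DNS, NTP), used only by the last check.
ALLOWED_OUTBOUND_PORTS = {80, 443, 53, 123}


def in_cmdb_network(ip, networks):
    """Equivalent of 'IP IN <CMDB network folder>': membership in any listed block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def outbound_from_firewall(events, verdict):
    """Reporting IP IN Firewall AND Event Type CONTAIN <verdict>
    AND Source IP IN Private Net AND Destination IP NOT IN Private Net."""
    return [
        e for e in events
        if e["reporting_ip"] in CMDB_FIREWALLS
        and verdict in e["event_type"]
        and in_cmdb_network(e["src"], CMDB_PRIVATE_NET)
        and not in_cmdb_network(e["dst"], CMDB_PRIVATE_NET)
    ]


def blocked_ports(events):
    """Denied outbound events counted per Destination TCP/UDP Port, most common first."""
    return Counter(e["dport"] for e in outbound_from_firewall(events, "deny")).most_common()


def permitted_outside_policy(events):
    """Permitted outbound events on ports the assumed policy does not allow."""
    return [e for e in outbound_from_firewall(events, "permit")
            if e["dport"] not in ALLOWED_OUTBOUND_PORTS]


if __name__ == "__main__":
    print("blocked ports:", blocked_ports(EVENTS))
    for e in permitted_outside_policy(EVENTS):
        print("permitted outside policy:", e)
```

Only three of the eight constructed events survive all four conditions, and the most commonly blocked port in them is 23; the 8080 permit is the kind of result that answers the policy question in the expert challenge.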
In this exercise, you will learn how to select event categories from the CMDB in your search criteria.
Field Value
Operator IN
2. In the Event Type field associated with your selected event type, click the white down arrow that appears, then
select Add to Filter.
To build a query for investigating an event without losing the existing query
1. Examine the Event Details of the raw event log for one of the returned events.
Once the RAW Event log is selected, a white down arrow icon appears. Click the icon to display the Show Detail
option, which opens the Event Details for that event.
2. In the Event Details dialog box, in the Display column, select the Target User, Target User Group, User and
Destination IP check boxes, to add those items as display fields.
3. Close the Event Details dialog box.
4. Run the search again over the last 4 hours.
5. Investigate any events with the administrator user in more detail, without losing the existing query:
a. Select an event with the User set to administrator.
b. In the User column, click the white down arrow.
c. Select Add to Tab.
d. In the Add To Tab dialog box, select Add to New Tab.
The second tab becomes the active tab in the GUI. You should now have two query tabs.
7. Click the first tab and select the event with the destination IP of 10.1.1.33.
8. In the Reporting IP column of that event, click the white down arrow, then click Add to Tab.
9. This time, select an existing tab by clicking [1] Raw Messages then, in the drop-down list that appears, select the
second tab [2] Raw Messages.
10. Click OK.
11. Click the search field again to validate that the additional row for the reporting IP filter has been added to the
query.
12. Next to Time, select Relative then, in the Last field, type 10, and select Hours.
13. Click Save & Run and review the results.
In this exercise, you will be presented with various scenarios, for which you must identify the search criteria that
will produce the desired outcome.
Do you see any suspicious port usage in your results? See "Appendix: Answer Sheet" on page 215 for the
answer.
Produce the report and determine whether they were successful or not over the last three hours, and
display the destination TCP/UDP port as a display column.
The firewall should only allow common outbound traffic (ports 80 and 443 for HTTP/HTTPS, 53 for DNS, and 123 for NTP). Do your results
indicate that the firewall rules are correctly implemented?
Use the CMDB to determine permitted traffic classifications for events and network
lists for internal and external traffic.
d. Malware alert
There has been plenty of news in the media about malware attacks originating in Asia. The CISO wants to
know if any internal traffic was permitted to any country in Asia in the last 2 hours that was not on
TCP/UDP ports 25, 53, 80, 123, or 443.
Add Sent Bytes, Total Bytes, and Destination TCP/UDP Port as display columns to the results.
Produce a list of any events where the Sent Interface Util is greater than 20%, and identify which
interfaces on the switch have this issue. Create the search over the last 8 hours.
Select the correct device from the CMDB, and use the PH_DEV_MON_NET_INTF_UTIL event.
In this lab, you will explore the data aggregation features of FortiSIEM.
Objectives
l Group by a single and multiple attributes
l Aggregate data
l Expert challenge
Time to Complete
Estimated: 60 minutes
Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.
In this exercise, you will learn how to group similar events based on a single and multiple attributes.
There is a link for the FortiSIEM GUI on the browser's Favorites bar.
2. In the FortiSIEM GUI, click the ANALYTICS tab and click the search field to edit the condition.
3. Click Clear All to clear any existing conditions.
4. In the Filters editor complete the following to create a new query:
Field Value
Attribute Reporting IP
Operator IN
To apply Group By feature
1. Click Display Fields.
A drop-down list will appear.
2. Beside the Event Receive Time, Event Type, and Raw Event Log attributes, under the Row column, click the
minus icon to remove them.
3. Click plus icon + under the Row column to add a new row.
4. Click in the Attribute field and select Expression Builder.
5. In the Function field, choose COUNT and click the plus icon.
6. In the Event Attribute field, choose the only available option, Matched Events, and click the plus icon.
7. Once the expression is added, in the Expression field, click Validate.
A pop-up message should display, reading “Expression is valid."
8. Close the pop-up and click OK to close the Expression Builder dialog box.
Your final Display Fields settings should look as follows:
9. In the Display Fields dialog box, click Save & Run to view Group By results.
In the results, you will see a top-down list of the reporting IP addresses that reported the most events in that
1 hour time period. Notice that only the Reporting IP column and the COUNT(Matched Events) column are
returned.
10. Browse the different chart options at the top right of the graph. Choose the following:
l Bar chart
l Donut chart
You should see a top down list of the most reported combination of reporting IP, source IP, destination IP,
destination TCP/UDP port over the time period.
5. Change the time to 2 hours and rerun the search query to view the results over the increased time period.
In order to change the time period, you need to open Filters editor by clicking the
search field under the ANALYTICS tab.
You will notice that, even after executing the query for 2 hours, the display fields for group by remain the
same.
You can use Clear All to reset both Filters and Display Fields to default settings.
In this exercise, you will learn how to add an aggregation condition to your search criteria.
Field Value
Attribute Reporting IP
Operator =
Field Value
Operator CONTAIN
12. In Time select Relative, in the Last field, type 1, select Hour from the drop-down list.
13. Click Save & Run.
2. From the Event Type column associated with the event, click the down arrow and select Add to Filter.
4. Open the Event Details dialog box for one of the events and add the following columns to the display:
l Disk Name
l Disk Capacity Util
l Free Disk (MB)
l Total Disk (MB)
Once the RAW Event log is selected, a down arrow icon appears. Click the icon to display the Show Detail
option, which opens the Event Details for that event.
5. Click OK to close Event Details dialog box.
6. Click the Display Fields drop-down list arrow icon.
You will notice that the display attributes you have added from Event Details are present.
7. Remove the following rows from the Display Fields by clicking minus icon - in the Row column:
l Event Receive Time
l Event Type
l Raw Event Log
8. Run the search again.
Now you can see disk related attributes with reporting IP.
To aggregate events
1. Click the Display Fields drop-down list and edit the fields using one of the following methods:
l Edit the existing Disk Capacity Util row: clear its text, then click Expression Builder.
l Remove the Disk Capacity Util row, add a new row at the bottom, and click Expression Builder.
2. In the Function drop-down list, select AVG and click plus icon +.
3. Under the Event Attribute drop-down list, type Disk Capacity Util and click plus icon +.
4. Click OK to close the Expression Builder dialog box.
5. Under the Display Fields edit the fields using one of the following methods:
l Edit the Free Disk MB attribute by removing the existing text entry and add the expression LAST(Free Disk
MB).
l Remove the row for the Free Disk MB attribute, add a new row, and add an expression LAST(Free Disk MB)
using Expression Builder.
6. Click OK.
7. Run the search over the last 10 hours.
Results will be aggregated in one line for 10 hours (values shown below may vary).
Field Value
Attribute Reporting IP
Operator IN
3. In the Value field, click Select from CMDB and click Devices > Servers.
4. Click >> to add the folder to Selections and then click OK.
5. Select Time as Relative, in the Last field, type 24, and select Hours from the drop-down list.
6. Click Save.
7. Click the Display Fields icon and add a row for Reporting Device by clicking the plus icon in the Row column of the
Reporting IP row.
8. Click up arrow icon in the Move column of the Reporting Device row to move it to the top.
9. Click Save & Run.
You will get the aggregated average disk utilization of all servers in a 24-hour time period.
Do you notice any pattern in the way results are displayed? See "Appendix: Answer Sheet" on page 216, for
the answer.
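The Group By exercise and the aggregation exercise above use the same mechanism: every attribute left in Display Fields becomes a grouping key, and every Expression Builder entry (COUNT, AVG, LAST, and so on) is computed per group. The following Python is an added example written for this guide, not FortiSIEM code, that implements that mechanism over constructed disk-utilization samples so the effect of each function on a group can be checked by hand. The event records and the "t" receive-time field are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed PH_DEV_MON_SYS_DISK_UTIL-style samples (not lab data). "t" is
# the event receive time in seconds; LAST() depends on this ordering.
DISK_EVENTS = [
    {"t": 10, "reporting_ip": "192.168.0.40", "disk_name": "C:", "disk_util": 90.0, "free_mb": 900},
    {"t": 20, "reporting_ip": "192.168.0.41", "disk_name": "/",  "disk_util": 50.0, "free_mb": 20000},
    {"t": 30, "reporting_ip": "192.168.0.40", "disk_name": "D:", "disk_util": 40.0, "free_mb": 60000},
    {"t": 40, "reporting_ip": "192.168.0.40", "disk_name": "C:", "disk_util": 96.0, "free_mb": 80},
    {"t": 50, "reporting_ip": "192.168.0.41", "disk_name": "/",  "disk_util": 70.0, "free_mb": 12000},
]

MATCHED_EVENTS = "Matched Events"   # the only attribute COUNT offers in the Expression Builder

# Aggregate functions a display-field expression can use.
AGGREGATES = {
    "COUNT": len,
    "AVG": mean,
    "MIN": min,
    "MAX": max,
    "LAST": lambda values: values[-1],   # values arrive in time order
}


def group_by(events, keys, expressions):
    """Collapse events onto one row per distinct combination of `keys`.

    `expressions` is a list of (function, attribute) pairs such as
    ("AVG", "disk_util") or ("COUNT", MATCHED_EVENTS). Plain attributes can
    only appear as keys, exactly as in the Display Fields editor.
    """
    buckets = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        buckets[tuple(e[k] for k in keys)].append(e)
    rows = []
    for key, bucket in buckets.items():
        row = dict(zip(keys, key))
        for fn, attr in expressions:
            values = bucket if attr == MATCHED_EVENTS else [e[attr] for e in bucket]
            row[f"{fn}({attr})"] = AGGREGATES[fn](values)
        rows.append(row)
    return rows


def top_reporters(events):
    """Reporting IP with COUNT(Matched Events), most events first (the Group By exercise)."""
    rows = group_by(events, ["reporting_ip"], [("COUNT", MATCHED_EVENTS)])
    return sorted(rows, key=lambda r: r[f"COUNT({MATCHED_EVENTS})"], reverse=True)


def disk_summary(events):
    """One line per (Reporting IP, Disk Name) with AVG(Disk Capacity Util) and LAST(Free Disk MB)
    (the aggregation exercise)."""
    return group_by(events, ["reporting_ip", "disk_name"],
                    [("AVG", "disk_util"), ("LAST", "free_mb"), ("COUNT", MATCHED_EVENTS)])


if __name__ == "__main__":
    for row in top_reporters(DISK_EVENTS):
        print(row)
    for row in disk_summary(DISK_EVENTS):
        print(row)
```

Adding a key such as disk_name splits one row per reporting IP into one row per disk, which is why the lab's 24-hour server search returns one line per server and disk rather than one line per server; widening the time range changes the values in each row but never the set of columns, which matches what you saw after rerunning the Group By query over 2 hours.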
In this exercise, you will be presented with various scenarios, for which you must determine the proper search
criteria that will produce the desired outcome.
b. Firewall Reporting 2
The customer wants to know which is the most common destination country of any firewall events that are
not on destination TCP/UDP Port of 21, 80, 443 or 53 over the last 1 hour.
c. Firewall Reporting 3
The customer wants to know what is the most common source country for any denied traffic events
reported by a firewall device in the last 30 minutes.
Produce a report showing the Reporting IP, Application Name, Software Name, CPU Util, and
Memory Util and hide all other display columns.
What events does this report produce? See "Appendix: Answer Sheet" on page 217 for the answer.
Objectives
l Explore a simple rule
l Explore a performance and availability rule
l Create a simple rule to alert on a specific event
l Add watch lists
l Import rules
Time to Complete
Estimated: 75 minutes
Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.
To view a rule
1. From the Student Workstation VM, open the Firefox browser and enter the following URL to access the
FortiSIEM GUI : https://10.0.1.130/phoenix/login-html.jsf
There is a link for the FortiSIEM GUI on the browser's Favorites bar.
Make note of the severity of the rule and also the function. See "Appendix: Answer Sheet" on page 217 for
the answer.
What time period is the rule evaluating the pattern over? See "Appendix: Answer Sheet" on page 217 for the
answer.
5. In the Condition section, under the Subpattern column, beside DomainAcctLockout, click the pencil icon.
Make a note of the attributes in the Group By section. See "Appendix: Answer Sheet" on page 217 for the
answer.
9. Review the parameters provided in the Generate Incident for: Account Locked:Domain dialog box.
The parameters determine how the incident source and incident target are determined, along with what
information is populated as the incident details.
In the Triggered Attributes section, make a note of the attributes in the Selected Attributes column. See
"Appendix: Answer Sheet" on page 217 for the answer.
10. Click Cancel to close the Generate Incident for: Account Locked:Domain dialog box and then click Cancel
to exit the rule definition.
Field Value
Operator IN
Field Value
Attribute Reporting IP
Operator IN
To generate events
1. Navigate to LABS SET 2 on the NSE Institute website and under Lab 7 – Rules select Exercise 7.1 –
Account Lockout Events.
The output should resemble the following:
To review received events
1. Go back to the tab with the FortiSIEM GUI.
2. Click Pause after the event is received.
3. Examine the Event Details of the raw event log for the returned event.
Once the RAW Event log is selected, a white down arrow icon appears. Click the icon to display the Show Detail
option, which opens the Event Details for that event.
4. Review the reporting IP of the event along with the user that locked out their account.
5. Close the Event Details dialog box.
8. In the Incident Name:ALL field, click Search, and type keyword locked.
9. Select the Account Locked:Domain incident and Close from the bottom left pane.
10. Hover your cursor over the Target column for this incident.
Notice it reports an IP address and user that matches what you saw in the real-time search.
11. Select the incident and in the lower pane, review the incident details.
If you select an incident and the lower pane does not appear, click the up arrow icon to expand the lower pane
manually.
You can select the auto expand option in the lower pane, so you don't have to keep manually expanding the
lower pane for incidents.
Before proceeding to the next exercise, under the INCIDENTS tab, click Actions >
Search, and clear all of the selections.
Field Value
Attribute Reporting IP
Operator =
Value 192.168.0.40
Next AND
5. Under the Row column, click the + icon to add a second condition:
Field Value
Operator CONTAIN
Value SYS_DISK_UTIL
6. In the Time section, select Relative, and in the Last field, type 5, and select Minutes from the drop-down menu.
7. Click Save & Run.
Due to the demo system, the results are not strictly correct. In a production system,
this event would be collected every 3 minutes, for each disk. You will probably have
more events which are related to the fake data replay mechanism used.
8. Examine the Event Details of the raw event log for one of the returned events.
Once the RAW Event log is selected, a down arrow icon appears. Click the icon to display the Show Detail
option, which opens the Event Details for that event.
Don’t change any of the values if you want the lab to work!
6. Make a note of value in the Default field and the disk name listed:
See "Appendix: Answer Sheet" on page 218 for the answer.
Field Value
Disk Name
7. Click Cancel, and now find the threshold for Free Disk (MB) Critical Threshold.
See "Appendix: Answer Sheet" on page 218 for the answer.
Field Value
Disk Name
The Server Disk space Warning - Edit Details dialog box opens.
Field Value
Severity
Category
8. Click Cancel to close Generate Incident for: Server Disk Space Warning dialog box
9. In the Conditions section, under the Subpattern column, beside ServDiskWarn, click the pencil icon.
In the Filters section, the subpattern is looking for any events that match the exact event type
PH_DEV_MON_SYS_DISK_UTIL, and only from devices classified as a Server in the CMDB, while excluding any
events where the disk name is /boot.
In the Aggregate Condition section, the subpattern is looking for at least two events (two samples) where,
during the rule evaluation time window, the following is true:
l AVG(Disk Capacity Util) > DeviceToCMDBAttr(Host IP,Disk Name,Disk Space Util Critical Threshold)
AND
l AVG(Free Disk (MB)) < DeviceToCMDBAttr(Host IP,Disk Name,Free Disk (MB) Critical Threshold)
You can view the default critical thresholds by clicking Admin > Device Support >
Custom Property. Please see the next two images.
Notice that the attributes in the Group By section of the Edit SubPattern dialog box are Host IP, Host Name,
and Disk Name.
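Put together, the subpattern is a filter, a group-by, a minimum sample count and two threshold comparisons whose limits come from the CMDB per host and disk. The following Python is an added example written for this guide, not FortiSIEM code, that evaluates that logic once over constructed events so each part of the condition can be seen to exclude something. The 95 % and 100 MB defaults are the values the exercise refers to; the per-disk override for D:, the hosts other than WIN2K8, the events and the 600-second window are assumptions (the lab does not state the rule's window).

```python
from collections import defaultdict
from statistics import mean

# Constructed CMDB stand-ins (not lab data). 192.168.0.40/WIN2K8 is the server
# the exercise examines; the other hosts are assumed.
CMDB_SERVERS = {"192.168.0.40", "192.168.0.41"}

# System defaults for the two custom properties the rule reads through
# DeviceToCMDBAttr (the 95 % and 100 MB values the exercise points at).
DEFAULT_PROPERTIES = {
    "Disk Space Util Critical Threshold": 95.0,
    "Free Disk (MB) Critical Threshold": 100,
}
# Assumed per-disk override, to show that the lookup is keyed by host and disk.
DEVICE_PROPERTIES = {
    ("192.168.0.40", "D:"): {"Disk Space Util Critical Threshold": 80.0},
}


def device_to_cmdb_attr(host_ip, disk_name, prop):
    """DeviceToCMDBAttr(Host IP, Disk Name, <property>): device value, else the system default."""
    return DEVICE_PROPERTIES.get((host_ip, disk_name), {}).get(prop, DEFAULT_PROPERTIES[prop])


# Constructed events. "t" is seconds; util is Disk Capacity Util (%), free_mb is Free Disk (MB).
EVENTS = [
    {"t": 400, "event_type": "PH_DEV_MON_SYS_DISK_UTIL", "host_ip": "192.168.0.40",  "host_name": "WIN2K8",  "disk_name": "C:",    "util": 96.0, "free_mb": 80},
    {"t": 580, "event_type": "PH_DEV_MON_SYS_DISK_UTIL", "host_ip": "192.168.0.40",  "host_name": "WIN2K8",  "disk_name": "C:",    "util": 97.0, "free_mb": 90},
    {"t": 400, "event_type": "PH_DEV_MON_SYS_DISK_UTIL", "host_ip": "192.168.0.40",  "host_name": "WIN2K8",  "disk_name": "D:",    "util": 85.0, "free_mb": 50},
    {"t": 580, "event_type": "PH_DEV_MON_SYS_DISK_UTIL", "host_ip": "192.168.0.40",  "host_name": "WIN2K8",  "disk_name": "D:",    "util": 86.0, "free_mb": 60},
    {"t": 400, "event_type": "PH_DEV_MON_SYS_DISK_UTIL", "host_ip": "192.168.0.41",  "host_name": "SRV-LNX", "disk_name": "/boot", "util": 99.0, "free_mb": 10},   # excluded: /boot
    {"t": 400, "event_type": "PH_DEV_MON_SYS_DISK_UTIL", "host_ip": "192.168.0.41",  "host_name": "SRV-LNX", "disk_name": "/",     "util": 98.0, "free_mb": 50},   # one sample at now=900
    {"t": 50,  "event_type": "PH_DEV_MON_SYS_DISK_UTIL", "host_ip": "192.168.0.41",  "host_name": "SRV-LNX", "disk_name": "/",     "util": 98.0, "free_mb": 50},   # outside a 600 s window at now=900
    {"t": 400, "event_type": "PH_DEV_MON_SYS_DISK_UTIL", "host_ip": "192.168.22.15", "host_name": "WKS01",   "disk_name": "C:",    "util": 99.0, "free_mb": 10},   # excluded: not a Server
    {"t": 400, "event_type": "PH_DEV_MON_SYS_CPU_UTIL",  "host_ip": "192.168.0.40",  "host_name": "WIN2K8",  "disk_name": "",      "util": 99.0, "free_mb": 0},    # excluded: other event type
]


def evaluate_server_disk_warning(events, now, window_seconds=600, min_samples=2):
    """One evaluation of the ServDiskWarn subpattern over (now - window_seconds, now].

    Returns one incident per (Host IP, Host Name, Disk Name) group, in key order.
    """
    in_window = [e for e in events if now - window_seconds < e["t"] <= now]
    # Filters: exact event type, device classified as Server, disk name is not /boot.
    matched = [e for e in in_window
               if e["event_type"] == "PH_DEV_MON_SYS_DISK_UTIL"
               and e["host_ip"] in CMDB_SERVERS
               and e["disk_name"] != "/boot"]
    # Group By: Host IP, Host Name, Disk Name.
    groups = defaultdict(list)
    for e in matched:
        groups[(e["host_ip"], e["host_name"], e["disk_name"])].append(e)
    incidents = []
    for (host_ip, host_name, disk_name), samples in sorted(groups.items()):
        if len(samples) < min_samples:      # at least two samples per group
            continue
        avg_util = mean([s["util"] for s in samples])
        avg_free = mean([s["free_mb"] for s in samples])
        util_limit = device_to_cmdb_attr(host_ip, disk_name, "Disk Space Util Critical Threshold")
        free_limit = device_to_cmdb_attr(host_ip, disk_name, "Free Disk (MB) Critical Threshold")
        if avg_util > util_limit and avg_free < free_limit:
            # The triggered attributes the incident carries.
            incidents.append({"host_ip": host_ip, "host_name": host_name, "disk_name": disk_name,
                              "avg_util": avg_util, "avg_free_mb": avg_free,
                              "samples": len(samples)})
    return incidents


if __name__ == "__main__":
    for inc in evaluate_server_disk_warning(EVENTS, now=900):
        print(inc)
```

At now=900 only the two WIN2K8 disks fire: D: fires only because of the per-disk override, and the SRV-LNX root disk has a single sample inside the window. Evaluating at now=500 instead pulls the t=50 sample into the window, so SRV-LNX fires and WIN2K8 does not, which is the point of the two-sample requirement: a single bad poll, such as the replayed demo data, is not enough on its own.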
11. In Time Range tab, select Relative, and in the Last field, type 10, select Minute from the drop-down list, and
then click Run.
A new browser tab will open, the ANALYTICS tab will be selected, and result for the query will be displayed.
Are there any results where the AVG(Disk Capacity Util) is greater than 95% and the AVG (Free Disk (MB)) is
less than 100? See "Appendix: Answer Sheet" on page 219 for the answer.
Field Value
Attribute Host IP
Operator =
Value 192.168.0.40
4. In the Time section, select Relative, in the Last field, type 10, and select Minutes from the drop-down list.
5. Click Save & Run.
You should get a single result, just for the WIN2K8 machine, that looks similar to the result below:
Keep the new tab opened to complete the rest of the exercise.
You should now see more events where AVG(Disk Capacity Util) is greater than 95% and AVG(Free Disk (MB)) is
less than 100 MB, which should trigger an incident.
4. Click Last 2 Hours option to change the time range.
5. Select Relative, and in the Last field, type 30, select Minutes.
6. Click Apply Time Range.
10. Review the details, such as the incident target, incident details, and triggered events.
Before proceeding to the next exercise, Under INCIDENTS tab click Actions >
Search and clear all of the selections.
A company has strict policies specifying that the administration of a selected FortiGate Firewall can be performed
from approved workstations only. They would like to detect if administrators are connecting to the FortiGate
device from non-approved workstations.
Field Value
Attribute Reporting IP
Operator =
Value 192.168.3.1
Field Value
Operator CONTAIN
Value login-success
To generate events
1. Navigate to LABS SET 2 on the NSE Institute website and under Lab 7 – Rules select Exercise 7.3 –
FortiGate Admin Login Events – (Part A).
Wait approximately 1 to 2 minutes for the output. The output should resemble the following:
2. Examine the Event Details of the raw event log for one of the returned events.
Once the RAW Event log is selected, a down arrow icon appears. Click the icon to display the Show Detail
option, which opens the Event Details for that event.
Notice these FortiGate admin login events contain the Application Protocol (SSH or HTTP), Source IP
and User who successfully authenticated.
3. Once you have reviewed the details, close the Event Details dialog box.
4. Select the COUNT in Function field and then click the plus icon.
5. Click in the Event Attribute field, select Matched Events, and then click the plus icon.
6. Click Validate.
A message stating “Expression is valid” opens.
7. Close the message.
8. Click OK.
9. Click Save to close the dialog box.
Notice all the results so far are for IP addresses that were in the allowed Administrator Workstation IPs group.
13. Edit the search filters and add an extra row for the condition:
Field Value
Attribute Source IP
Operator NOT IN
14. Click Save & Run. This time you will get no results and the message "No report results found".
To create a rule
1. Click the Actions button and then select Create Rule from drop-down list.
2. In the Rule Name field, enter FortiGate Admin Logon from Non Admin Machine and enter an
optional Description.
3. Leave the time window set at 300 seconds.
4. For Category, select Security.
5. Next to the SubPattern field, click the pencil icon.
6. In the Edit SubPattern dialog box, notice the addition of an Aggregate section, which has defaulted to COUNT
(Matched Events) >= 1.
7. Click Cancel when done.
8. Next to Action: Defined, click the pencil icon.
Notice how the rule creator has added the Group By fields as Incident Attributes.
9. Make sure the User field is added to the Triggered Attributes selected section, and then click Save.
Review the incident source, incident target, and details, and then review the events that triggered the rule.
Before proceeding to the next exercise, under INCIDENTS tab click Actions >
Search and clear all of the selections.
4. With Watch Lists selected, click the white + icon at the top of the left pane to create a new list.
5. Configure the Create New Watch List Group with the following details, and then click Save:
Field Value
Description Admin Users who are ignoring compliance rules on FortiGate Administration
Type String
Expired in 1 week
Your new watch list will appear at the bottom of the list.
To generate events for the watch list
1. Navigate to LABS SET 2 on the NSE Institute website and under Lab 7 – Rules select Exercise 7.4 –
FortiGate Admin Login Events – Watch List.
The output should resemble the following:
You can filter the display of incidents just for FortiGate Admin Logon from Non
Admin Machine, like you did in exercises 1 and 2 of Rules LAB 7.
Notice that admin101 and admin103, which were the admin users referenced in the latest incident, are
listed.
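The rule created in Exercise 7.3 and the watch list from Exercise 7.4 are a small allow-list detection: successful FortiGate admin logins whose source is not in the Administrator Workstation IPs group raise an incident as soon as one such event is seen in the 300-second window, and the User attribute of each incident is added to a watch list that expires entries after a week. The following Python is an added example written for this guide, not FortiSIEM code, that implements that rule and watch list over constructed events. The contents of the workstation group, the event records and the event type strings are assumptions; the `exceptions` parameter is an extra that models a rule exception on Source IP, which the Incidents lab covers later.

```python
from collections import defaultdict

FORTIGATE_REPORTING_IP = "192.168.3.1"
# Assumed contents of the "Administrator Workstation IPs" CMDB group.
ADMIN_WORKSTATION_IPS = {"192.168.22.10", "192.168.22.11"}

# Constructed FortiGate admin login events (not lab data). The event type
# string is a placeholder that satisfies 'Event Type CONTAIN login-success'.
EVENTS = [
    {"t": 100, "reporting_ip": "192.168.3.1", "event_type": "FortiGate-event-login-success", "src_ip": "192.168.22.10", "user": "admin",    "app_proto": "HTTPS"},
    {"t": 130, "reporting_ip": "192.168.3.1", "event_type": "FortiGate-event-login-success", "src_ip": "192.168.22.50", "user": "admin101", "app_proto": "SSH"},
    {"t": 160, "reporting_ip": "192.168.3.1", "event_type": "FortiGate-event-login-success", "src_ip": "192.168.22.51", "user": "admin103", "app_proto": "HTTPS"},
    {"t": 170, "reporting_ip": "192.168.3.1", "event_type": "FortiGate-event-login-failed",  "src_ip": "192.168.22.52", "user": "admin102", "app_proto": "SSH"},   # not a success
    {"t": 180, "reporting_ip": "192.168.3.2", "event_type": "FortiGate-event-login-success", "src_ip": "192.168.22.53", "user": "admin104", "app_proto": "SSH"},   # another device
    {"t": 200, "reporting_ip": "192.168.3.1", "event_type": "FortiGate-event-login-success", "src_ip": "192.168.22.50", "user": "admin101", "app_proto": "SSH"},
]

WEEK_SECONDS = 7 * 24 * 3600


def evaluate_admin_logon_rule(events, now, window_seconds=300, exceptions=frozenset()):
    """FortiGate Admin Logon from Non Admin Machine.

    Filter:    Reporting IP = 192.168.3.1 AND Event Type CONTAIN login-success
               AND Source IP NOT IN Administrator Workstation IPs
    Aggregate: COUNT(Matched Events) >= 1 per (Source IP, User) within the window
    `exceptions` suppresses incidents for listed source IPs (a rule exception).
    """
    groups = defaultdict(list)
    for e in events:
        if not (now - window_seconds < e["t"] <= now):
            continue
        if e["reporting_ip"] != FORTIGATE_REPORTING_IP or "login-success" not in e["event_type"]:
            continue
        if e["src_ip"] in ADMIN_WORKSTATION_IPS or e["src_ip"] in exceptions:
            continue
        groups[(e["src_ip"], e["user"])].append(e)
    return [{"source_ip": src, "user": user, "count": len(evs),
             "protocols": sorted({e["app_proto"] for e in evs})}
            for (src, user), evs in sorted(groups.items()) if len(evs) >= 1]


class WatchList:
    """String watch list whose entries expire, like the 'Expired in 1 week' setting."""

    def __init__(self, ttl_seconds=WEEK_SECONDS):
        self.ttl = ttl_seconds
        self.entries = {}        # value -> time it was (last) added

    def add(self, value, now):
        self.entries[value] = now    # re-adding refreshes the expiry

    def active(self, now):
        return sorted(v for v, added in self.entries.items() if now - added < self.ttl)

    def contains(self, value, now):
        return value in self.active(now)


def run_cycle(events, now, watch_list, exceptions=frozenset()):
    """One rule evaluation plus the rule action that adds each incident's User to the watch list."""
    incidents = evaluate_admin_logon_rule(events, now, exceptions=exceptions)
    for inc in incidents:
        watch_list.add(inc["user"], now)
    return incidents


if __name__ == "__main__":
    wl = WatchList()
    for inc in run_cycle(EVENTS, now=300, watch_list=wl):
        print("incident:", inc)
    print("watch list:", wl.active(now=300))
```

With the constructed events, admin101 and admin103 end up on the watch list, as they do in the exercise; the login from the approved workstation, the failed login and the login reported by a different device never reach the aggregate stage. Because the rule fires on a single event, tuning it is a matter of the allow-list and the exception, not the count.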
To import a rule
1. Click the RESOURCES tab.
2. On the left pane, click Rules.
3. From the left pane, click the white + icon to create a new rule group.
The left pane now shows a rule group under Rules called Custom_LAB7.
If you experience difficulty in getting the file newrule.xml, ask your instructor for help.
The imported and activated rule will appear in the Rules > Custom_LAB7 group list.
Objectives
l Review the incidents page
l Group and tune incidents
l Use the inbuilt ticketing system
l Create custom email templates
l Create notification policies
Time to Complete
Estimated: 90 minutes
Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.
In this exercise, you will familiarize yourself with the incident table.
There is a link for the FortiSIEM GUI on the browser's Favorites bar.
By default, Active is selected as the incident status. If you are unable to view any
incidents, clear Active and the incident status changes to ALL.
7. Click Apply Time Range.
8. Click the refresh icon and select Refresh Now from the drop-down list.
The page will auto refresh as based on your Search selection. There is also an option
for manual page refresh.
10. On the Search pane, change the following settings from Search:
Field Value
Category Performance
13. From the Display list, select First Occurred and Status.
The incident dashboard view now contains the column you added, in the position that you placed it in.
There are four different incident statuses available. However, a status type is listed only when incidents with
that status exist in the selected time range.
l Active
l Cleared
l External Cleared
l System Cleared
By default, the Active incident status is selected. If you cannot find any incident, clear the Active status; the
status filter then changes to ALL.
5. Select the Events tab to view the events for this incident.
If you select an incident and the lower pane does not appear, click the up arrow icon
to expand lower pane manually.
You can select the auto expand option in the lower pane, so you don't have to keep manually expanding the
lower pane for incidents.
6. Continuing with the incident Server Disk Space Critical selected, click Actions and select Edit Rule in the
drop-down list.
7. Next to Clear: Defined, click the pencil icon to edit the clear condition.
What do you think this option is actually doing for this rule? See "Appendix: Answer Sheet" on page 219, for
the answer.
8. Click Cancel to close the Edit Rule Clear Conditions dialog box.
9. Click Cancel on the Edit Rule dialog box.
3. In the Reason text box, type Temp files removed from server by admin to free up space,
and click OK.
Note that the Server Disk Space Critical for WIN2K8 incident will disappear from list because the incident
status is set to show incidents with an Active status.
4. Click Actions and then click Search from the drop-down list.
5. Click the incident Status and from the drop-down list, select Cleared Manually and click Close.
Notice the Server Disk Space Critical for WIN2K8 appears again in the main pane with Manually
Cleared status.
6. Select the Server Disk Space Critical incident for WIN2K8 with status set to Manually Cleared.
The bottom pane will appear with incident Details. Review Cleared Reason.
7. Click Actions, click Search, and in the incident Status drop-down list, select Active.
Before proceeding to the next exercise, under INCIDENTS tab click Actions >
Search and clear all of the selections.
In this exercise, you will learn how to group common incidents and how to tune FortiSIEM to reduce the number
of incidents produced.
This will show a group of incidents with keyword DNS.
10. Select the Excessive End User DNS Queries incident and click Close.
This will show only incidents for the group Excessive End User DNS Queries.
11. Select one of the incidents, and in the Actions drop-down, click Edit Rule.
12. In the Edit Rule dialog box, in the Conditions section, beside the subpattern ExcessiveDNSFromFlow, click
the pencil icon and review the subpattern.
Explain what the rule pattern is looking for. See "Appendix: Answer Sheet" on page 219, for the answer.
13. Click Cancel to close the dialog box and click Cancel to exit the Rule Editor dialog box.
Tune Incidents
To demonstrate the tuning capabilities for the same incident, we will assume incident source 192.168.22.11
is actually an application server that produces a huge amount of DNS queries by design.
To tune incidents
1. Select the incident with IP 192.168.22.11 in the Source column.
2. Click Actions and select Edit Rule Exception in the drop-down list.
3. In condition section, click the Attribute drop-down list.
Notice the only attribute that can be used for an exception for this particular incident is the Source IP.
Field Value
Attribute Source IP
Operator =
Value 192.168.22.11
5. Click Save.
FortiSIEM will now suppress the incident, and not generate one, whenever this rule triggers with an incident source
of 192.168.22.11.
Before proceeding to the next exercise, click Actions > Search and clear all of the
selections.
In this exercise, you will learn how to implement the built-in ticketing system.
8. Click Close.
9. In the Incident column, select User added to Administrator Group.
10. Click the down arrow and select Add to Filter.
Notice now it only shows incidents with name User added to Administrator Group.
11. Under the Target column, select Target User: mike.long. This is a suspicious entry.
The New Ticket dialog box opens. Notice that the Incident ID(s), Summary, and Description fields are
pre-populated.
7. Click Actions and select Display from drop down list.
8. Select Ticket Status and click Close.
You should be able to see theTicket Status column as well as the other default columns.
12. Edit the ticket again and add the following text in the Description field:
New admin in IT. Closing case.
Notice how the ticket state change is reflected in the table. Also, if you return to the INCIDENTS tab the
Ticket Status column for that incident is set to Closed.
Field Value
5. Click Save.
To view the test email, open a Mozilla Thunderbird email client from the desktop on
the Student Workstation.
4. At the end of the inserted content, click the Email Subject text field before inserting more options.
5. Click Insert Content again, and select Rule Name.
6. In the Email Body field, type a combination of text and then use the Insert Content button to reference Rule
Name, Rule Description, First Seen Time, Last Seen Time, Incident Source, Incident Target, and
Incident Detail.
Note that you can enable HTML Tags to create HTML-based email templates.
7. Click Save.
Import a Rule
We have modified a system rule for this lab to work, follow the steps below to import the modified rule.
To import a rule
1. Click the RESOURCES tab.
2. On the left pane, select Rules .
3. From the top right side, click Import.
9. In the Actions section, beside Send Email/SMS to the target users click the pencil icon to specify a
notification action.
The Notification Policy > Define Notification Actions dialog box opens.
The Notification Policy > Define Notification Actions > Email Address dialog box opens.
The System Default template is used for this exercise. You can also select the custom email template
FSM_LAB, which you created in the previous exercise; if you do, your results may differ from the images
below.
15. In the Notification Policy > Define Notification Actions dialog box, click Save.
Once you complete the lab, deactivate the High Severity IPS Exploit Notification
LAB rule because it generates many notification emails.
To deactivate the High Severity IPS Exploit Notification LAB rule, click
RESOURCES > Rules > Ungrouped > High Severity IPS Exploit Notification
LAB. Clear the check box in the Active column.
Objectives
l Open reports from the Analytics and the Reports trees
l Schedule reports
l Create custom dashboards
l Explore the various options for dashboards and widgets
l Export and import dashboards
l Create custom CMDB reports
Time to Complete
Estimated: 60 minutes
Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.
In this exercise, you will open and save reports from the Analytics page.
To load a report
1. On the Student Workstation VM, open the Firefox browser and enter the following URL to access the
FortiSIEM GUI : https://10.0.1.130/phoenix/login-html.jsf
There is a link for the FortiSIEM GUI on the browser's Favorites bar.
3. From left side of the window, click the folder icon and in the drop-down on list, select the Reports folder.
4. Click Reports > Function > Availability.
5. On the right pane, select Device Uptime History and click right arrow icon .
When you click right arrow icon, the report will execute.
7. In the Time section, select Relative, in the Last field, type 90, and from the drop-down list, select Minutes.
8. Click Save & Run.
9. When the results open, in the Actions drop-down list, select Save Result.
10. In the Report Name field, replace the text that is there by typing Device Uptime History-only-
Results.
11. Leave Save Definition cleared, and in the Save Results for field, type 1, select Hours, and click OK.
An Alert message confirming Save Report result successful appears briefly and then disappears.
3. In the new [1]:Raw Messages tab, click the folder icon on the left and select Save Results.
In the right pane, note that the Device Uptime History-only-Results report is listed with a date and time
stamp.
4. Select the Device Uptime History-only-Results report, click the down arrow, and then click View Result.
5. Review the results (and the speed in which the results came back), and notice the Time selection.
Field Value
Attribute Reporting IP
Operator IN
The Save Report window appears.
2. Remove the date and time stamp and only-Results from the report name, and type Device Uptime
History - with-Definition to replace the report name.
3. Select the Save Definition check box.
4. In the Save To section, select Frequently Used.
Notice how it defaults to the existing report that was loaded with a date and time stamp on the end.
5. In the Save Results for field, type 1, select Hour, and click OK.
6. Click the folder icon and select Save Results.
Notice that there are now two reports where the results will be stored for 1 hour. One report will contain the
results only, and the other report will contain both the results and definition saved as a report.
The results are valid for 1 hour because they are cached; the saved definition can be run as a report at any time.
You now have a new LAB9-Reports folder under Reports, at the bottom of the left pane.
In this exercise, you will explore the opening and running of reports from the report tree.
5. On the Report Time Range tab, ensure that Relative is selected, 1 is entered in the Last field, and Hour is
selected in the drop-down.
6. Click OK.
The report runs automatically and populates the results in a new tab in ANALYTICS.
To schedule a report
1. Click the RESOURCES tab.
2. In the left pane, click Reports > Incidents.
3. On the main window, select All Incidents and click More.
5. Complete the following (you may have to scroll down the fields to view the settings):
Field Value
Schedule Time Range (Start Time:) Set to 10 minutes ahead of the current time and make sure Local is selected.
Notification Custom Notification (a Recipients table will appear).
Recipients Click the pencil icon (the Add Notification dialog box will appear).
Email Address Click Add (the Add Email dialog box will appear).
The Scheduled column for the All Incidents report indicates that a report is scheduled.
2. Click the + icon.
Notice that the same Schedule dialog box shown above will open.
3. Click Cancel.
4. Click Scheduled for.
Both the pencil and bin icons become active. Use the pencil icon to modify the report's schedule and the bin icon
to delete the schedule for the report.
5. After ten minutes, verify delivery of the scheduled report to the student mailbox by opening the Mozilla
Thunderbird email client on the student workstation.
You should receive the All Incidents report in PDF format after approximately 10 minutes.
The LAB-9-Dashboard group opens and is also added to the dashboard type drop-down list.
1. On the LAB-9-Dashboard window, click the plus icon to the right of the dashboard drop-down.
The Create New Dashboard dialog box will open.
The Lab9-Summary dashboard will open. You have a blank canvas in the format of the All Device summary
dashboards.
6. Use the right arrow key to move the devices to the Selected Devices list.
7. Click OK.
8. Change the severity selection from Critical + Warning to All.
Your new summary dashboard is filtered for only the devices you added.
9. In the Perf status column for WIN2K8, hover your mouse cursor over and to the right.
A trend icon will appear indicating Disk Capacity Util->Critical, Free Disk MB->Critical.
To add a widget dashboard
1. On LAB-9-Dashboard tab, click the plus icon to the right of the dashboard drop-down.
The Create New Dashboard dialog box opens.
The Lab9-Widget will be created. In the main window, you will have a blank canvas.
The right arrow icon will appear once you select a report.
10. Click the arrow icon to add a widget for the Not Approved Devices report.
b. Drag the AVG(CPU Util) slider on the right to around 60%.
5. Click Save.
The results are colored to reflect the seriousness of the value.
You can influence the colors on these widgets and change the thresholds for what values should be reported:
red, yellow, and green.
Will these new adjusted values for AVG CPU determine what thresholds rules will trigger for these devices?
See "Appendix: Answer Sheet" on page 220 for the answer.
6. On the Top Devices By Failed Login widget, click the settings icon and change the display to Aggregation
View (Donut).
7. Change the Firewall Permit: Top Outbound Ports By Bytes widget to an Aggregation View (Bar).
You can restrict user access to this dashboard group using role management.
In this exercise, you will explore the drill-down capabilities of the dashboards.
Only follow steps 2, 3, and 4 if you are not already on the DASHBOARD > LAB-9-Dashboard >
Lab9-Widget page. If you are already on this page, clicking these options again
prompts you to rename the dashboards.
What has the time criteria been prepopulated to run over, and where did this value come from? See
"Appendix: Answer Sheet" on page 220 for the answer.
What was the result of this action? See "Appendix: Answer Sheet" on page 220 for the answer.
How does this differ from the analytic query produced in step 7 of the previous task? See "Appendix:
Answer Sheet" on page 221 for the answer.
In this exercise, you will learn how to export and import dashboards.
To export a dashboard
1. Click the DASHBOARD tab.
2. Click the dashboard type drop-down on the left.
3. Click LAB-9-Dashboard.
4. Click Lab9-Widget.
5. On the top right of the main window, click the export icon.
To import a dashboard
1. Click the DASHBOARD tab.
2. Click the dashboard type drop-down on the left.
3. Click New.
The Create Dashboard Folder dialog box will appear.
5. In LAB-9-Dashboard, click the plus icon to the right of the dashboard drop-down.
6. In the Name field, type Lab9-Shared-Widget.
7. In the Type drop-down list, select Widget Dashboard.
8. Click Save.
10. Click Browse to choose the Dashboard.xml file in your Downloads folder, and click Import.
11. When the message displays confirming that the import succeeded, click OK.
You should now see that the custom dashboard has been imported.
You can give access to this dashboard group to all users through role management.
This gives a report of all the different vendors, models, versions, and counts in the CMDB.
3. Click Back.
4. Find the report Router/Switch Inventory and then click Run.
5. Review the results, and when done, click Back.
6. Find the report Active Rules and click Run.
Note that other kinds of data such as rules, users, and device monitoring jobs can also be reported on
through this feature.
Field Value
Operator CONTAIN
Value deactivate
10. In the Display Columns section, click Row to add an additional attribute, and then add the following attributes:
l Rule Name
l Rule Description
l Rule Remediation
You can easily find custom CMDB reports by sorting on the Scope column. All out-of-the-box
reports are listed as System and your own reports as User.
Objectives
l Create a business service
l Monitor a business service
l Report on a business service
Time to Complete
Estimated: 45 minutes
Follow the directions in the Lab Guide and do not make changes to any other device or
devices, unless notified by the course instructor.
9. On the left pane, click Applications > User App > Mail Server.
10. On the Apps pane, find and select MS Exchange Information store in the list.
11. On the Select running on instance pane, select the device with access IP 172.16.10.28.
12. Click the > button to move the selected device to the Selected Devices/Apps pane.
13. On the Select adjacent network devices pane, select JunOS-3200-1.
14. Click the > button to move the selected device to the Selected Devices/Apps pane.
15. On the left pane, click Devices > Network Device > Firewall.
16. On the Select Devices pane, select FG240D3913800441.
17. Click the > button to move the selected device to the Selected Devices/Apps pane.
5. In the Filters section, add a row above the existing Event Severity entry, and add the following condition:
Field Value
Operator CONTAINS
Value Nessus
6. Under the Paren column to the left of the Reporting Vendor attribute, click the plus (+) icon.
7. Under the Paren column to the right of the Reporting Model attribute, click the plus (+) icon.
8. Change the Event Severity attribute Value to 6.
9. Under the Next column, make the following selection:
Field Value
Reporting Vendor OR
14. Under Incident Attributes, add an extra row (at the bottom) and add the following values:
Field Value
Subpattern ScannerHighSev
15. Click Save and then click Save again.
Because FortiSIEM does not allow you to overwrite the out-of-the-box system rules, the
system prompts you to save the rule under a different name. (By default, it appends a
date stamp.)
16. Remove the date stamp, add LAB10, and click OK.
17. Under the Active column, clear the check box next to Scanner found severe vulnerability, and click
Continue.
The original system rule will be disabled.
18. Under the Active column, select the check box beside the modified rule, and click Continue when prompted.
4. Under the Active column, clear the check box beside Original Excessively Slow SQL Server DB Query
Rule, and click Continue when prompted.
5. Select the cloned rule and click Edit.
6. In the Conditions field, beside the LongQuery subpattern, click the pencil icon.
7. In the Group By section, add an extra row under Host Name.
8. In the Attribute field, type Host IP.
Field Value
Subpattern LongQuery
12. Click Save and then click Save again to close the rule editor.
13. Click OK again if you get a warning that the rule has been changed.
14. In the Active column, select the check box beside the cloned version of the rule, and click Continue when
prompted.
3. In the main window, in the Actions drop-down list, click Search.
The Search pane opens.
4. In the Search pane, click BizService, select Patient Services from the drop-down list, and click Close.
The selection should look like this:
By default, Incident Status is set to Active incidents. If you cannot see
any incidents, clear the Active status so that the selection changes to ALL.
5. Click the refresh icon and select Refresh Now in the drop-down list.
You should notice several incidents related to devices in this business service.
Which devices had severe vulnerability detected? See "Appendix: Answer Sheet" on page 221 for the answer.
In this exercise, you will learn how to create and view business services through dashboards and searches.
5. Click the select business service icon in the top right-hand corner of the window.
The Select Business Service window opens.
6. On the Available Services pane, select Patient Services and click > to move Patient Services to the
Selected Services pane.
7. Click Save.
The summary dashboard for Patient Services will look like this:
2. In the Impacted Devices section, click WIN2K8, and then click the Incidents column.
The Incidents for WIN2K8 window opens.
Can you identify the SQL query that was running slowly? See "Appendix: Answer Sheet" on page 221 for the
answer.
Make sure the search field is empty (it may contain text from another exercise).
2. In the Filters editor, enter the following values to create a new query:
Field Value
Attribute Reporting IP
Operator IN
3. Click inside the Value field and select Select from CMDB.
4. Click Business Services > Ungrouped and select Patient Services.
5. Click > to move Patient Services to the Selections section, and click OK.
6. Add another row and add the following values:
Field Value
Operator CONTAIN
Value FileMon
7. In the Time section, select Relative, in the Last field, type 1, and in the drop-down list, select Hour.
8. Click Save & Run.
If you get no results to any search, simply run the search over a longer time period.
Can you identify the files that were added on the QA-EXCHG or WIN2K8 machines? See "Appendix: Answer
Sheet" on page 221 for the answer.
Question:
Review the information in the Data Conditions and CMDB Report Conditions sections for this role. What do
you understand about these fields?
Answer:
Data Conditions - Restrict what data a role can see in the GUI, for example limiting auditors to events reported
by Server devices such as Windows devices, or restricting access to certain dashboards such as the Network
Dashboard.
CMDB Report Conditions - Restrict what data is available in CMDB Reports, for example allowing a device inventory
report that covers only Server devices.
Question:
Answer:
Question:
Answer:
Event Receive Time, Reporting IP, Event Type, Raw Event Log.
Question:
Answer:
Reporting IP
Question:
Answer:
FortiGate-event-login-failure
Question:
Which attribute provides the local time when FortiGate actually logged the event?
Answer:
Device Time
Question:
What are the Reporting Model and Reporting Vendor attributes of the event?
Answer:
Question:
Answer:
Application Protocol
Question:
Who made a successful authentication? And what attribute was this field mapped to in the structured view?
Answer:
Question:
Answer:
Question:
Answer:
Question:
Answer:
Question:
Answer:
Question:
Answer:
Yes
Question:
Answer:
Question:
Is there a Source Country or Destination Country populated for this event? If not, why?
Answer:
Question:
Is there now a Reporting City, Destination City, Destination Country, and Destination State populated? If
so why?
Answer:
Yes: country-related event enrichment can also occur for internal RFC 1918 addresses if these values are set
on the corresponding asset in the CMDB.
Question:
Answer:
Question:
Answer:
Polling Interval
Question:
Answer:
Memory Util
Question:
Answer:
Question:
Answer:
Question:
Answer:
Lab 3 – Discovery
Question:
Answer:
The FortiGate logs contain the name of the device reporting the data (devname=x), so the parser reads
this value and maps it to an attribute named Reporting Device Name.
The Cisco ASA logs do not contain the device name, so the default behavior is to name the device HOST-<reporting ip>.
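The naming behavior described in the two answers above, as an added Python example that is not part of the lab guide and not FortiSIEM's own parser code: a FortiGate key=value line is parsed and its devname becomes the device name, while an ASA line that carries no name falls back to HOST-<reporting ip>. The two sample lines, the sender IPs and the devname value are constructed for illustration; the rule "treat a line as FortiGate-style only if it contains a devname= token" is an assumption of the example.

```python
import re
from ipaddress import ip_address

# Constructed sample events (not captured from the lab PoD): each entry is the
# syslog sender's IP (the Reporting IP) and the raw message as received.
SAMPLE_EVENTS = [
    ("10.0.1.1",
     'date=2018-11-20 time=10:15:02 devname=FG240D-LAB logid=0100032002 type=event '
     'subtype=system level=notice user="admin" action=login status=failed '
     'msg="Administrator admin login failed from https(10.0.1.20)"'),
    ("192.168.3.1",
     '<166>Nov 20 2018 10:15:03: %ASA-6-302013: Built outbound TCP connection 12345 '
     'for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.168.3.25/51234 (192.168.3.25/51234)'),
]

# key=value or key="value with spaces"; the quoted alternative is tried first.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fortigate_kv(raw):
    """Return the key=value pairs of a FortiGate log line as a dict, with quotes stripped."""
    fields = {}
    for m in KV_RE.finditer(raw):
        key, token, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else token
    return fields


def reporting_device_name(reporting_ip, raw):
    """Name the reporting device the way the answers above describe:
    use devname when the log carries it, otherwise HOST-<reporting ip>.
    Assumption: only lines containing a devname= token are parsed as FortiGate logs."""
    ip_address(reporting_ip)  # raises ValueError if the reporting IP is malformed
    if "devname=" in raw:
        devname = parse_fortigate_kv(raw).get("devname")
        if devname:
            return devname
    return f"HOST-{reporting_ip}"


def name_all(events):
    """Apply the naming rule to a list of (reporting_ip, raw_message) tuples."""
    return [(ip, reporting_device_name(ip, raw)) for ip, raw in events]


if __name__ == "__main__":
    for ip, name in name_all(SAMPLE_EVENTS):
        print(f"{ip:15} -> {name}")
```

Running the block prints one line per sample event; the FortiGate sender is named by its devname and the ASA sender gets the HOST-<ip> fallback, which is exactly why the CMDB entries for log-only discovered ASA devices look anonymous until SNMP discovery fills in their real names.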
Question:
What is displayed under the Version and Last Discovered Method fields for each device?
Answer:
l Version: ANY. Logs alone do not tell FortiSIEM the version of the device or application.
l Last Discovered Method: LOG, that is, automatic log discovery.
Question:
What do you see and what can you determine about the population of the CMDB from log only discovery alone?
Answer:
They are blank. This type of information is not sent as part of the event message.
Question:
Answer:
Version: 5.4.1(1064)
Question:
Answer:
19 groups. It has also been categorized under various networks by the IP Addresses/Network Masks on the
interfaces.
Question:
Make a note of how often CPU Util, Mem Util, and Net Intf Stat jobs are being collected via SNMP.
Answer:
Exercise 5: Performing Discovery of other Lab Devices
Question:
Make a note of the entries in the Process Name and Process Param columns.
Answer:
Question:
Now type DNS in the search field and again make note of the entries in the Process Name and Process Param
columns.
Answer:
Question:
Answer:
Only raw logs containing both the devname and HTTP keywords are returned.
Question:
Answer:
Lab 5 – CMDB Lookups and Filters
Question A:
Answer:
Question B:
Answer:
Destination IP = 192.168.0.10
Question C:
Answer:
Many connections are permitted to external destinations on non-standard ports such as 135, 199, and 445.
The firewall rule is misconfigured.
Question D:
Was any internal traffic permitted to any country in ASIA in the last 2 hours that was not on TCP/UDP ports
25,53,80,123, or 443?
Answer:
Yes, permitted traffic has been reported to countries in ASIA not on the defined TCP/UDP port list. Time to
tighten up those firewall rules!
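The two checks behind Questions C and D above, as an added Python example that is not part of the lab guide and does not use FortiSIEM's query engine: over a constructed set of firewall events it selects permitted connections from RFC 1918 sources to external destinations on ports outside an expected list, and then narrows those to destination countries in an assumed ASIA group within the last 2 hours. The events, the Reporting IP, the timestamps and the ASIA membership set are constructed; FortiSIEM ships its own country and region groups, which the example does not reproduce.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed firewall events (not from the lab PoD). Keys mirror the FortiSIEM
# attributes used in the lab: Reporting IP, Source IP, Destination IP, IP Protocol,
# Destination TCP/UDP Port, Destination Country and Event Receive Time.
NOW = datetime(2018, 11, 20, 12, 0, 0)
EVENTS = [
    {"reporting_ip": "192.168.3.1", "src": "192.168.3.25", "dst": "203.0.113.10", "proto": "TCP",
     "dport": 443, "action": "permit", "dst_country": "United States", "time": NOW - timedelta(minutes=10)},
    {"reporting_ip": "192.168.3.1", "src": "192.168.3.25", "dst": "198.51.100.7", "proto": "TCP",
     "dport": 445, "action": "permit", "dst_country": "United States", "time": NOW - timedelta(minutes=15)},
    {"reporting_ip": "192.168.3.1", "src": "10.0.1.20", "dst": "198.51.100.9", "proto": "TCP",
     "dport": 135, "action": "permit", "dst_country": "China", "time": NOW - timedelta(minutes=40)},
    {"reporting_ip": "192.168.3.1", "src": "10.0.1.20", "dst": "198.51.100.11", "proto": "UDP",
     "dport": 53, "action": "permit", "dst_country": "Japan", "time": NOW - timedelta(minutes=50)},
    # outside the 2-hour window
    {"reporting_ip": "192.168.3.1", "src": "10.0.1.21", "dst": "198.51.100.12", "proto": "TCP",
     "dport": 8080, "action": "permit", "dst_country": "India", "time": NOW - timedelta(hours=3)},
    # denied, so not a permitted connection
    {"reporting_ip": "192.168.3.1", "src": "10.0.1.22", "dst": "198.51.100.13", "proto": "TCP",
     "dport": 199, "action": "deny", "dst_country": "Korea", "time": NOW - timedelta(minutes=5)},
    # internal to internal, no country (compare the NULL answer in Question C of Lab 6)
    {"reporting_ip": "192.168.3.1", "src": "192.168.3.40", "dst": "192.168.3.10", "proto": "TCP",
     "dport": 445, "action": "permit", "dst_country": None, "time": NOW - timedelta(minutes=5)},
]

# RFC 1918 ranges, checked explicitly: ipaddress.is_private would also match the
# documentation prefixes (198.51.100.0/24, 203.0.113.0/24) used for the external hosts above.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
# Assumed region membership for the lab's ASIA question.
ASIA = {"China", "Japan", "India", "Korea", "Singapore"}
# Ports Question D treats as expected outbound services.
EXPECTED_PORTS = {25, 53, 80, 123, 443}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def in_window(ev, now, hours):
    return now - timedelta(hours=hours) <= ev["time"] <= now


def permitted_outbound_nonstandard(events, now, hours, allowed_ports):
    """Question C: permitted internal-to-external TCP/UDP connections on ports outside allowed_ports."""
    return [ev for ev in events
            if ev["action"] == "permit" and in_window(ev, now, hours)
            and is_internal(ev["src"]) and not is_internal(ev["dst"])
            and ev["proto"] in ("TCP", "UDP") and ev["dport"] not in allowed_ports]


def permitted_to_region(events, now, hours, region, allowed_ports):
    """Question D: the subset of the above whose Destination Country is in region."""
    return [ev for ev in permitted_outbound_nonstandard(events, now, hours, allowed_ports)
            if ev["dst_country"] in region]


if __name__ == "__main__":
    for ev in permitted_to_region(EVENTS, NOW, 2, ASIA, EXPECTED_PORTS):
        print(f'{ev["src"]} -> {ev["dst"]}:{ev["dport"]}/{ev["proto"]} ({ev["dst_country"]})')
```

The deny event and the out-of-window event are filtered out before the country check, which is the same order FortiSIEM applies in the Analytics filter: time range first, then the attribute conditions. Swapping is_internal for a naive "is_private" check would silently classify the external documentation addresses as internal and hide the hits.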
Question E:
Answer:
Interface: GigabitEthernet4/48
Question:
Answer:
A list of the disk capacity utilization of all the servers, with the highest utilization at the top of the list.
Question A:
Which firewall device reported the most events over the last 30 minute time period?
Answer:
192.168.3.1
Question B:
Which is the most common destination country of any firewall events that are not on Destination TCP/UDP Port
of 21,80,443 or 53 over the last 1 hour?
Answer:
United States
Question C:
What is the most common source country for any deny events reported by a firewall device in the last 30 minutes?
Answer:
Top result is NULL (for internal IPs that don’t have a country).
Question D
Answer:
It produces hundreds of events that repeat for the same Application/Software Name. (Since the data is collected
every 3 minutes.)
Lab 7 – Rules
Question:
Make a note of the severity of the rule and also the function.
Answer:
Question:
Answer:
Question:
Answer:
l Reporting Device
l Reporting IP
l User
Question:
Answer:
Question:
Do the details match what was recorded in step 6 of To view a rule section of this exercise?
Answer:
Yes
Question:
Make a note of value in the Default field and the disk name listed:
Answer:
Name C:\
Question:
Answer:
Name C:\
Question:
Answer:
Severity 5 - MEDIUM
Category Performance
Question:
Are there any results where the AVG(Disk Capacity Util) is greater than 95% and the AVG (Free Disk (MB)) is less
than 100?
Answer:
Yes
Question:
What do you think this option is actually doing for this rule?
Answer:
If the original rule does not trigger again for 20 minutes, then the incident will automatically be cleared.
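The disk rule from this lab (AVG(Disk Capacity Util) > 95 and AVG(Free Disk (MB)) < 100, grouped by host and disk) together with the 20-minute auto-clear explained in the answer above, as an added Python example that is not part of the lab guide and not FortiSIEM's rule engine. The performance samples are constructed, the 10-minute evaluation window is an assumption (the lab does not state the rule's window), and the thresholds and the 20-minute clear interval are the values given on this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Thresholds from the lab's disk rule.
DISK_UTIL_THRESHOLD = 95.0   # AVG(Disk Capacity Util) must exceed this
FREE_MB_THRESHOLD = 100.0    # AVG(Free Disk (MB)) must be below this
WINDOW = timedelta(minutes=10)      # assumed rule evaluation window
AUTO_CLEAR = timedelta(minutes=20)  # from the answer above: clear if no re-trigger for 20 minutes

T0 = datetime(2018, 11, 20, 9, 0)


def minute(n):
    return T0 + timedelta(minutes=n)


# Constructed samples (not from the lab PoD): (host, disk, time, disk_capacity_util_pct, free_disk_mb).
# WIN2K8 C:\ is nearly full for the first 10 minutes and then recovers; QA-EXCHG never breaches.
SAMPLES = [
    ("WIN2K8", "C:\\", minute(0), 96.5, 80),
    ("WIN2K8", "C:\\", minute(5), 97.0, 60),
    ("WIN2K8", "C:\\", minute(10), 98.0, 40),
    ("WIN2K8", "C:\\", minute(15), 70.0, 6000),
    ("WIN2K8", "C:\\", minute(20), 70.0, 6000),
    ("WIN2K8", "C:\\", minute(25), 70.0, 6000),
    ("WIN2K8", "C:\\", minute(30), 70.0, 6000),
    ("WIN2K8", "C:\\", minute(35), 70.0, 6000),
    ("WIN2K8", "C:\\", minute(40), 70.0, 6000),
    ("QA-EXCHG", "C:\\", minute(0), 60.0, 8000),
    ("QA-EXCHG", "C:\\", minute(10), 61.0, 7900),
    ("QA-EXCHG", "C:\\", minute(20), 62.0, 7800),
    ("QA-EXCHG", "C:\\", minute(30), 63.0, 7700),
]


def evaluate_rule(samples, window_end, window=WINDOW):
    """Return the set of (host, disk) keys whose window averages breach both thresholds."""
    buckets = defaultdict(list)
    for host, disk, t, util, free_mb in samples:
        if window_end - window < t <= window_end:
            buckets[(host, disk)].append((util, free_mb))
    hits = set()
    for key, vals in buckets.items():
        avg_util = mean([v[0] for v in vals])
        avg_free = mean([v[1] for v in vals])
        if avg_util > DISK_UTIL_THRESHOLD and avg_free < FREE_MB_THRESHOLD:
            hits.add(key)
    return hits


class IncidentTracker:
    """One incident per (host, disk); an active incident is cleared once the rule
    has not re-triggered for AUTO_CLEAR, as the answer above describes."""

    def __init__(self, auto_clear=AUTO_CLEAR):
        self.auto_clear = auto_clear
        self.last_trigger = {}  # key -> time the rule last fired
        self.status = {}        # key -> "active" or "cleared"

    def step(self, samples, now):
        for key in evaluate_rule(samples, now):
            self.last_trigger[key] = now
            self.status[key] = "active"
        for key, last in self.last_trigger.items():
            if self.status[key] == "active" and now - last >= self.auto_clear:
                self.status[key] = "cleared"
        return dict(self.status)


def run_timeline(samples, start, end, step=timedelta(minutes=5)):
    """Evaluate the rule every `step` from start to end; return [(time, status snapshot), ...]."""
    tracker = IncidentTracker()
    history = []
    t = start
    while t <= end:
        history.append((t, tracker.step(samples, t)))
        t += step
    return history


if __name__ == "__main__":
    for t, status in run_timeline(SAMPLES, T0, minute(45)):
        print(t.strftime("%H:%M"), status)
```

In the printed timeline the WIN2K8 C:\ incident is active from 09:00, the rule last fires at 09:10, and the incident flips to cleared at 09:30, twenty minutes after the last trigger; QA-EXCHG never appears because its averages never cross both thresholds together.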
Question:
Answer:
It is looking for DNS traffic that is not coming from other DNS servers or internal applications. The traffic is
originating from the internal private network and is being reported by the firewalls, routers, and/or switches.
Lab 9 – Reporting
Question:
Will these new adjusted values for AVG CPU determine what thresholds rules will trigger for these devices?
Answer:
No
Question:
Answer:
Question:
What has the time criteria been pre-populated to run over and where did this value come from?
Answer:
The time criteria are set to the absolute last hour. These values came from the widget.
Question:
Answer:
Question:
How does this differ from the analytic query produced from step 7 of drill down on dashboard content?
Answer:
Question:
Answer:
Question:
Answer:
Question:
Can you identify the SQL query that was running slow?
Answer:
Question:
Can you identify the files that were added on the QA-EXCHG or WIN2K8 machines?
Answer:
C:\Documents\Contracts\7ogger.exe
C:\Windows\System32\svchostss.exe
C:\Documents\Contracts\mcafeeav.pif
No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.