Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiAnalyzer 7.4.6 Administration Guide
    7.4.6
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.9
    5.2.7
    5.2.6
    5.2.5
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.13
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.0
    4.2.0
    4.1.0
    4.0.0

    Using the template - Endpoint security vulnerability report

    Using the template - Endpoint security vulnerability report

    This topic describes a template report that uses logs from the SIEM database (siemdb).

    The Endpoint Security Vulnerability Report provides a comprehensive security rating overview and historical trends specifically for all managed endpoints based on the vulnerabilities. This report utilizes retrieved data from FortiClient EMS and FortiGuard, including the outbreak alert and endpoint vulnerability information.

    FortiClient EMS connector(s) must be created and enabled to generate this report with data. The EMS connector can insert the data into FortiAnalyzer Fabric SIEM logs. For more information about configuration, see below.

    To collect data through the EMS connectors and insert it to Fabric (SIEM) logs:

    1. In Fabric View > Fabric Connectors, create an EMS connector. See Creating or editing Security Fabric connectors.

      Once the first EMS connector is configured, the Update Asset, Identity and Vulnerability in Sequence playbook is automatically created in Fabric View > Automation > Playbook . This default playbook gets the endpoints and their vulnerabilities from EMS. It is scheduled to run once per day, but it can be edited according your needs. See Playbooks.

    2. In Fabric View > Asset Identity Center > Asset Identity List > Asset List, click More > Data Sources.

      The Data Source Selection dialog displays.

    3. Click Create New.

    4. Configure the following, and then click OK.

      1. From the Data Source dropdown, select EMS Connector.

      2. Enable the Status.

      3. For the Connectors field, select the EMS connector that you have created.

    5. In Device Manager, authorize the EMS device.

      The EMS device will receive the related endpoint vulnerabilities logs.

      When the playbook is run, it will call the EMS API to get all endpoints and vulnerabilities data, and it will be inserted as FortiAnalyzer Fabric (SIEM) logs. Note that the predefined EMS-Connector Log Parser to parse the logs; you can find this parser in Incidents & Events > Log Parser > Log Parsers.

      Multiple EMS connectors are supported. If needed, repeat the steps to create another EMS connector.

    The report can be created from the template in Reports > Report Definitions > Templates.

    See below for an example of page 1 from the Endpoint Security Vulnerability Report.

    The data query for the Endpoint Security Vulnerability Report is based on the SIEM database (siemdb), and it uses SIEM normalized logs and the fct_mdata.

    The following fields have been added in FortiAnalyzer 7.4.4 for this report:

    • event_subtype=endpoint-vuln is added in the siemdb

    • release_data and detection_product are added to fct_mdata

    The related charts, macros, and datasets for this report use the "SIEM-" prefix in their name.

    Previous
    Next

    Using the template - Endpoint security vulnerability report

    Using the template - Endpoint security vulnerability report

    This topic describes a template report that uses logs from the SIEM database (siemdb).

    The Endpoint Security Vulnerability Report provides a comprehensive security rating overview and historical trends specifically for all managed endpoints based on the vulnerabilities. This report utilizes retrieved data from FortiClient EMS and FortiGuard, including the outbreak alert and endpoint vulnerability information.

    FortiClient EMS connector(s) must be created and enabled to generate this report with data. The EMS connector can insert the data into FortiAnalyzer Fabric SIEM logs. For more information about configuration, see below.

    To collect data through the EMS connectors and insert it to Fabric (SIEM) logs:

    1. In Fabric View > Fabric Connectors, create an EMS connector. See Creating or editing Security Fabric connectors.

      Once the first EMS connector is configured, the Update Asset, Identity and Vulnerability in Sequence playbook is automatically created in Fabric View > Automation > Playbook . This default playbook gets the endpoints and their vulnerabilities from EMS. It is scheduled to run once per day, but it can be edited according your needs. See Playbooks.

    2. In Fabric View > Asset Identity Center > Asset Identity List > Asset List, click More > Data Sources.

      The Data Source Selection dialog displays.

    3. Click Create New.

    4. Configure the following, and then click OK.

      1. From the Data Source dropdown, select EMS Connector.

      2. Enable the Status.

      3. For the Connectors field, select the EMS connector that you have created.

    5. In Device Manager, authorize the EMS device.

      The EMS device will receive the related endpoint vulnerabilities logs.

      When the playbook is run, it will call the EMS API to get all endpoints and vulnerabilities data, and it will be inserted as FortiAnalyzer Fabric (SIEM) logs. Note that the predefined EMS-Connector Log Parser to parse the logs; you can find this parser in Incidents & Events > Log Parser > Log Parsers.

      Multiple EMS connectors are supported. If needed, repeat the steps to create another EMS connector.

    The report can be created from the template in Reports > Report Definitions > Templates.

    See below for an example of page 1 from the Endpoint Security Vulnerability Report.

    The data query for the Endpoint Security Vulnerability Report is based on the SIEM database (siemdb), and it uses SIEM normalized logs and the fct_mdata.

    The following fields have been added in FortiAnalyzer 7.4.4 for this report:

    • event_subtype=endpoint-vuln is added in the siemdb

    • release_data and detection_product are added to fct_mdata

    The related charts, macros, and datasets for this report use the "SIEM-" prefix in their name.

    Previous
    Next