Fortinet white logo
Fortinet white logo

Administration Guide

FortiSIEM Watch List

FortiSIEM Watch List

Deception Tokens are part of the FortiDeceptor platform and are included in the product license at no additional cost.

FortiDeceptorTokens:

  • Are an agentless technology.
  • Deceive threat actors by adding breadcrumbs to real endpoints and servers so the actor engages with network decoys instead of real assets.
  • Are normally distributed within real endpoints and server assets to expand the attack surface.

FortiDeceptor generates a deception token package based on the decoy service configuration. The FortiDeceptor and FortiSIEM integration for the Watch List detects when a threat actor attempts to use the fake credentials from the token package to access a real asset (as opposed to a decoy). FortiDeceptor cannot detect this type of access because the asset is not a decoy. When integrated, both the FortiDeceptor and FortiSIEM GUI will display an alert for this type of access.

To integrate FortiDeceptor with FortiSIEM:
  1. Configure FortiSIEM.
  2. Configure the Watch List in FortiDeceptor.
  3. Test the integration.
  4. Check the incidents on FortiSIEM.
  5. View the incidents on FortiDeceptor.

1. Configure FortiSIEM

  1. In FortiSIEM go to Watch Lists and click New to create a new watch list or edit an existing Watch List. For more information, see Managing Resources > Watch List > Creating a Watch List in the FortiSIEM User Guide.

  2. Go to Resources and define the Watch List rules. For information, see Managing Resources > Watch List > Using a Watch List > Adding a Watch List to a Rule in the FortiSIEM User Guide.

    In the image below, the usernames (face credential tokens) are generated automatically by FortiDeceptor during the integration.

2. Configure the Watch List in FortiDeceptor

  1. In FortiDeceptor, go to Fabric > Quarantine Integration and click Quarantine Integration With New Device.
  2. From the Integrate Method dropdown, select FSM Watch-List.
  3. Configure the integration settings.
    IPEnter the IP for the FortiSIEM device.
    PortEnter the Port number for the FortiSIEM device.
    UsernameEnter the username for the FortiSIEM device.

    Password

    Enter the password for the FortiSIEM device.

    Watch-List Name

    Enter the name of the Watch List you created in Step 1 Configure FortiSIEM.

    Lure Users-Manual Mode

    This option allow you to add more usernames manually to the FortiSIEM watch list in addition to the one that FortiDeceptor generates automatically based on the deception token package. Please enter the Lure Users you created and separate multiple users with a comma.

  4. Click Save.

3. Test the integration

To test the integration, use one of the fake credentials to access a real asset. Verify that FortiSIEM can detect fake credentials when used to access an asset that is not a decoy.

4. Check the incidents on FortiSIEM

In FortiSIEM, go to Incidents to verify the incidents you triggered are reported. For information, see FortiSIEM Manager > FortiSIEM Manager Incidents > FortiSIEM Manager Incidents - List View in the FortiSIEM User Guide.

5. View the incidents on FortiDeceptor

In FortiDeceptor, go to Incident > Analysis to view the incidents you triggered.

Tooltip

Incidents captured by FortiSIEM are recorded as UNKNOWN in the Protocol column.

Click the arrow to expand the alert. You will see the incident was captured by FortiSIEM.

FortiSIEM Watch List

FortiSIEM Watch List

Deception Tokens are part of the FortiDeceptor platform and are included in the product license at no additional cost.

FortiDeceptorTokens:

  • Are an agentless technology.
  • Deceive threat actors by adding breadcrumbs to real endpoints and servers so the actor engages with network decoys instead of real assets.
  • Are normally distributed within real endpoints and server assets to expand the attack surface.

FortiDeceptor generates a deception token package based on the decoy service configuration. The FortiDeceptor and FortiSIEM integration for the Watch List detects when a threat actor attempts to use the fake credentials from the token package to access a real asset (as opposed to a decoy). FortiDeceptor cannot detect this type of access because the asset is not a decoy. When integrated, both the FortiDeceptor and FortiSIEM GUI will display an alert for this type of access.

To integrate FortiDeceptor with FortiSIEM:
  1. Configure FortiSIEM.
  2. Configure the Watch List in FortiDeceptor.
  3. Test the integration.
  4. Check the incidents on FortiSIEM.
  5. View the incidents on FortiDeceptor.

1. Configure FortiSIEM

  1. In FortiSIEM go to Watch Lists and click New to create a new watch list or edit an existing Watch List. For more information, see Managing Resources > Watch List > Creating a Watch List in the FortiSIEM User Guide.

  2. Go to Resources and define the Watch List rules. For information, see Managing Resources > Watch List > Using a Watch List > Adding a Watch List to a Rule in the FortiSIEM User Guide.

    In the image below, the usernames (face credential tokens) are generated automatically by FortiDeceptor during the integration.

2. Configure the Watch List in FortiDeceptor

  1. In FortiDeceptor, go to Fabric > Quarantine Integration and click Quarantine Integration With New Device.
  2. From the Integrate Method dropdown, select FSM Watch-List.
  3. Configure the integration settings.
    IPEnter the IP for the FortiSIEM device.
    PortEnter the Port number for the FortiSIEM device.
    UsernameEnter the username for the FortiSIEM device.

    Password

    Enter the password for the FortiSIEM device.

    Watch-List Name

    Enter the name of the Watch List you created in Step 1 Configure FortiSIEM.

    Lure Users-Manual Mode

    This option allow you to add more usernames manually to the FortiSIEM watch list in addition to the one that FortiDeceptor generates automatically based on the deception token package. Please enter the Lure Users you created and separate multiple users with a comma.

  4. Click Save.

3. Test the integration

To test the integration, use one of the fake credentials to access a real asset. Verify that FortiSIEM can detect fake credentials when used to access an asset that is not a decoy.

4. Check the incidents on FortiSIEM

In FortiSIEM, go to Incidents to verify the incidents you triggered are reported. For information, see FortiSIEM Manager > FortiSIEM Manager Incidents > FortiSIEM Manager Incidents - List View in the FortiSIEM User Guide.

5. View the incidents on FortiDeceptor

In FortiDeceptor, go to Incident > Analysis to view the incidents you triggered.

Tooltip

Incidents captured by FortiSIEM are recorded as UNKNOWN in the Protocol column.

Click the arrow to expand the alert. You will see the incident was captured by FortiSIEM.