FortiSIEM Watch List
Deception Tokens are part of the FortiDeceptor platform and are included in the product license at no additional cost.
FortiDeceptor Tokens:
- Are an agentless technology.
- Deceive threat actors by adding breadcrumbs to real endpoints and servers so the actor engages with network decoys instead of real assets.
- Are normally distributed within real endpoints and server assets to expand the attack surface.
FortiDeceptor generates a deception token package based on the decoy service configuration. The FortiDeceptor and FortiSIEM integration for the Watch List detects when a threat actor attempts to use the fake credentials from the token package to access a real asset (as opposed to a decoy). FortiDeceptor cannot detect this type of access because the asset is not a decoy. When integrated, both the FortiDeceptor and FortiSIEM GUI will display an alert for this type of access.
To integrate FortiDeceptor with FortiSIEM:
- Configure FortiSIEM.
- Configure the Watch List in FortiDeceptor.
- Test the integration.
- Check the incidents on FortiSIEM.
- View the incidents on FortiDeceptor.
1. Configure FortiSIEM
- In FortiSIEM go to Watch Lists and click New to create a new watch list or edit an existing Watch List. For more information, see Managing Resources > Watch List > Creating a Watch List in the FortiSIEM User Guide.
- Go to Resources and define the Watch List rules. For information, see Managing Resources > Watch List > Using a Watch List > Adding a Watch List to a Rule in the FortiSIEM User Guide.
In the image below, the usernames (fake credential tokens) are generated automatically by FortiDeceptor during the integration.
2. Configure the Watch List in FortiDeceptor
- In FortiDeceptor, go to Fabric > Quarantine Integration and click Quarantine Integration With New Device.
- From the Integrate Method dropdown, select FSM Watch-List.
- Configure the integration settings.
IP: Enter the IP for the FortiSIEM device.
Port: Enter the port number for the FortiSIEM device.
Username: Enter the username for the FortiSIEM device.
Password: Enter the password for the FortiSIEM device.
Watch-List Name: Enter the name of the Watch List you created in Step 1 Configure FortiSIEM.
Lure Users-Manual Mode: This option allows you to add more usernames manually to the FortiSIEM Watch List in addition to the ones that FortiDeceptor generates automatically from the deception token package. Enter the Lure Users you created, separating multiple users with a comma.
- Click Save.
3. Test the integration
To test the integration, use one of the fake credentials to access a real asset. Verify that FortiSIEM can detect fake credentials when used to access an asset that is not a decoy.
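The matching that the Watch List rule performs can be illustrated in a few lines: the watch list is the union of the usernames FortiDeceptor pushes automatically and the comma-separated Lure Users entered manually, and any authentication event on a non-decoy host with one of those usernames is an incident. This is an added example, not FortiSIEM or FortiDeceptor code; the usernames, host names and log format are constructed for the illustration.

```python
"""Watch-list matching as a stand-alone illustration (added example,
not FortiSIEM or FortiDeceptor code)."""
import re
from dataclasses import dataclass

# Constructed lure usernames: the set FortiDeceptor pushes automatically
# from the token package, plus the manual "Lure Users" field, which the
# integration settings describe as a comma-separated string.
AUTO_LURE_USERS = {"svc_backup", "db_admin_ro"}
MANUAL_LURE_USERS = "helpdesk.tmp, finance_share ,svc_backup"

# Constructed authentication events in a simple key=value syslog style
# (not FortiSIEM's real event format).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z host=fileserver01 user=alice action=login result=success src=10.0.5.14
2024-05-01T10:00:07Z host=fileserver01 user=svc_backup action=login result=failure src=10.0.9.77
2024-05-01T10:00:09Z host=hrdb user=finance_share action=login result=success src=10.0.9.77
2024-05-01T10:01:00Z host=decoy-fs01 user=db_admin_ro action=login result=success src=10.0.9.77
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=\S+ result=(?P<result>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Incident:
    ts: str
    host: str
    user: str
    result: str
    src: str


def build_watch_list(auto_users, manual_users):
    """Union of the auto-generated lure users and the manual list.
    Manual entries are split on commas and whitespace-trimmed; empty
    entries and duplicates of auto-generated names collapse away."""
    manual = {u.strip() for u in manual_users.split(",") if u.strip()}
    return set(auto_users) | manual


def find_incidents(log_text, watch_list, decoy_hosts=frozenset()):
    """Return an Incident for every auth event on a non-decoy host whose
    username is on the watch list.  Failed logins count too: a lure
    credential should never be presented to a real asset at all.
    Decoy hosts are skipped because FortiDeceptor reports those itself."""
    incidents = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["host"] in decoy_hosts or m["user"] not in watch_list:
            continue
        incidents.append(Incident(m["ts"], m["host"], m["user"], m["result"], m["src"]))
    return incidents
```

Running `find_incidents(SAMPLE_LOGS, build_watch_list(AUTO_LURE_USERS, MANUAL_LURE_USERS), decoy_hosts={"decoy-fs01"})` flags the two events against real hosts (fileserver01 and hrdb) and ignores the one against the decoy.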
4. Check the incidents on FortiSIEM
In FortiSIEM, go to Incidents to verify the incidents you triggered are reported. For information, see FortiSIEM Manager > FortiSIEM Manager Incidents > FortiSIEM Manager Incidents - List View in the FortiSIEM User Guide.
5. View the incidents on FortiDeceptor
In FortiDeceptor, go to Incident > Analysis to view the incidents you triggered.
Incidents captured by FortiSIEM are recorded as UNKNOWN in the Protocol column.
Click the arrow to expand the alert. You will see the incident was captured by FortiSIEM.