External Systems Configuration Guide

Bit9 Security Platform

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
Syslog Logs Security Monitoring

Event Types

In ADMIN > Device Support > Event, search for "Bit9" in the Device Type column to see the event types associated with this device.

Rules

  • Bit9 Agent Uninstalled or File Tracking Disabled
  • Bit9 Fatal Errors
  • Blocked File Execution
  • Unapproved File Execution

Reports

  • Bit9 Account Group Changes
  • Bit9 Fatal and Warnings Issues
  • Bit9 Functionality Stopped
  • Bit9 Security Configuration Downgrades

Bit9 Configuration

Syslog

FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM on port 514.

Sample Syslog

<14>1 2015-04-06T16:24:02Z server1.foo.com - - - - Bit9 event:  text="Server discovered new file 'c:\usersacct\appdata\local\temp\3cziegdd.dll' [361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f]." type="Discovery" subtype="New file on network" hostname="SVR123" username="SVR123\acct" date="4/6/2015 4:22:52 PM" ip_address="10.168.1.1" process="c:\abc\infrastructure\bin\scannerreset.exe" file_path="c:\users\acct\appdata\local\temp\3cziegdd.dll" file_name="3cziegdd.dll" file_hash="361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f" installer_name="csc.exe" policy="High Enforce" process_key="00000000-0000-1258-01d0-7085edb50080" server_version="7.2.0.1395" file_trust="-2" file_threat="-2" process_trust="-1" process_threat="-1"
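The following Python is an added example, not part of this guide and not a parser shipped by FortiSIEM or Bit9. It parses the Sample Syslog line above: it separates the RFC 5424-style header (PRI, version, timestamp, sender host and the four "-" placeholders) from the Bit9 key="value" body, converts the trust/threat scores to integers, parses the event's own date field, and checks that the SHA-256 in file_hash is well formed and matches the hash quoted inside text. The field names come from the sample line; the assumption that the Bit9 date field carries no timezone, and the function names, are this example's own.

```python
import re
from datetime import datetime

# Constructed input: the Sample Syslog line from this page, kept in a raw
# string so the backslashes in the Windows paths survive unchanged.
SAMPLE_EVENT = r'''<14>1 2015-04-06T16:24:02Z server1.foo.com - - - - Bit9 event:  text="Server discovered new file 'c:\usersacct\appdata\local\temp\3cziegdd.dll' [361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f]." type="Discovery" subtype="New file on network" hostname="SVR123" username="SVR123\acct" date="4/6/2015 4:22:52 PM" ip_address="10.168.1.1" process="c:\abc\infrastructure\bin\scannerreset.exe" file_path="c:\users\acct\appdata\local\temp\3cziegdd.dll" file_name="3cziegdd.dll" file_hash="361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f" installer_name="csc.exe" policy="High Enforce" process_key="00000000-0000-1258-01d0-7085edb50080" server_version="7.2.0.1395" file_trust="-2" file_threat="-2" process_trust="-1" process_threat="-1"'''

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD,
# then the Bit9 message, which always starts with "Bit9 event:".
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<sender>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) '
    r'Bit9 event:\s+(?P<msg>.*)$'
)
# Bit9 body fields are key="value"; values never contain a double quote.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
SHA256_RE = re.compile(r'^[0-9a-f]{64}$')
# Score fields that arrive as quoted strings but are numeric.
INT_FIELDS = ("file_trust", "file_threat", "process_trust", "process_threat")


def parse_bit9_syslog(line: str) -> dict:
    """Split one Bit9 syslog line into header data and a dict of body fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Bit9 syslog event line")
    pri = int(m.group("pri"))
    fields = dict(KV_RE.findall(m.group("msg")))
    for key in INT_FIELDS:
        if key in fields:
            fields[key] = int(fields[key])
    return {
        "facility": pri // 8,          # <14> -> facility 1 (user)
        "severity": pri % 8,           # <14> -> severity 6 (info)
        # Time the syslog relay stamped the message (UTC, trailing Z).
        "received": datetime.strptime(m.group("timestamp"), "%Y-%m-%dT%H:%M:%SZ"),
        # Sender in the header is the Bit9 server; the endpoint the event is
        # about is fields["hostname"]. Confusing the two misattributes alerts.
        "sender": m.group("sender"),
        "fields": fields,
    }


def event_time(fields: dict) -> datetime:
    """Parse Bit9's own date field (US format, 12-hour clock).

    Assumption of this example: the field carries no timezone, so the value
    is returned naive and should not be compared directly with 'received'.
    """
    return datetime.strptime(fields["date"], "%m/%d/%Y %I:%M:%S %p")


def hash_is_consistent(fields: dict) -> bool:
    """True when file_hash is a lowercase SHA-256 and text quotes the same hash."""
    h = fields.get("file_hash", "")
    if not SHA256_RE.match(h):
        return False
    return f"[{h}]" in fields.get("text", "")


if __name__ == "__main__":
    ev = parse_bit9_syslog(SAMPLE_EVENT)
    print(ev["sender"], ev["fields"]["hostname"], ev["fields"]["type"],
          ev["fields"]["subtype"], ev["fields"]["policy"])
    print("event time:", event_time(ev["fields"]), "hash ok:", hash_is_consistent(ev["fields"]))
```

Two details are worth keeping in mind when writing detection logic over these events: the header hostname (server1.foo.com in the sample) identifies the Bit9 server that emitted the syslog, while the hostname field identifies the endpoint, so rules should key on the body field; and the text value repeats the file path and hash in free text, so the structured file_path and file_hash fields are the ones to match on, with the text field used only as a cross-check.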
