Fortinet FortiInsight
FortiInsight is a unique data security and threat detection solution that delivers advanced threat hunting to help you spot, respond to, and manage risky behaviors that put your business-critical data at risk. It combines powerful and flexible Machine Learning with detailed forensics around user actions to bring focus to the facts more rapidly than other solutions.
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration in FortiInsight
- Configuration in FortiSIEM
- Sample Events
What is Discovered and Monitored
Protocol | Information collected | Used for |
---|---|---|
FortiInsight API | Policy based alerts and AI based alerts | Data security, threat protection |
This feature allows FortiSIEM to get Policy-based alerts and AI-based alerts from FortiInsight.
Event Types
In RESOURCES > Event Types, enter "FortiInsight" in the Search column to see the event types associated with this device.
Rules
In RESOURCES > Rules, enter "FortiInsight" in the Search column to see the rules associated with this device.
Reports
No defined reports.
Configuration in FortiInsight
Get an API Key in FortiInsight
Complete these steps in the FortiInsight UI:
- Login to FortiInsight.
- Select Admin > Account from the left menu.
- Click New API Key to open the New API Key dialog box.
- Enter a descriptive Name.
- Click Save to generate the API key. FortiInsight downloads a file containing the API key information (Client ID, Client Secret, and Name). Make a note of the Client ID and Client Secret; you will need them when you configure FortiSIEM. The file contains the Client Secret, so treat it as you would a password: keep it where only the people configuring FortiSIEM can read it, and delete the download once the credential has been entered and tested.
Configuration in FortiSIEM
Complete these steps in the FortiSIEM UI:
- Go to the ADMIN > Setup > Credentials tab.
- In Step 1: Enter Credentials:
- Follow the instructions in “Setting Credentials” in the User's Guide to create a new credential.
- Enter these settings in the Access Method Definition dialog box:
Setting | Description |
---|---|
Name | Enter a name for the credential. |
Device Type | Fortinet FortiInsight |
Access Protocol | FortiInsight API |
Pull Interval | The interval at which FortiSIEM pulls events from FortiInsight. Default is 3 minutes. |
Client ID | The Client ID (access key) for your FortiInsight instance, from the API key file downloaded in the previous section. |
Client Secret | The Client Secret for your FortiInsight instance, from the same file. |
Organization | The organization the device belongs to. |
Description | Description of the device. |
- In Step 2, Enter IP Range to Credential Associations:
- Select the name of your Fortinet FortiInsight credential from the Credentials drop-down list.
- Enter a host name, an IP, or an IP range in the IP/Host Name field.
- Click Save.
- Click Test to test the connection to FortiInsight.
- To see the jobs associated with FortiInsight, select ADMIN > Setup > Pull Events.
- To see the received events select ANALYTICS, then enter FortiInsight in the search box.
Sample Events
[FORTIINSIGHT_POLICY_ALERT] = {"description":"","events":[{"act":"file downloaded","app":"chrome.exe","childId":null,"d":"2019-03-18T13:22:24.344+00:00","id":null,"m":"uqP","mn":{"dh":"tcp://server-10-230-2-153.lhr5.r.cloudfront.net","dip":"10.1.1.76","dp":61024,"ext":".mkv","fp":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv","fs":2307792448,"loc":{"altCode":null,"city":"Augsburg","code":"DE","country":"Germany","latitude":"48.3718","longitude":"10.8925"},"p":"tcp-ip-4","sip":"78.47.38.226","sp":443,"ts":1460},"r":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv-> tcp://server-54-230-2-153.lhr5.r.cloudfront.net:443","u":"acmeltd__engineer2"}],"extendedEvents":[{"act":"file downloaded","app":"chrome.exe","childId":null,"d":"2019-03-18T13:22:24.344+00:00","id":null,"latestHostname":"mimas","latestIp":"10.10.0.1","m":"uqP","mn":{"dh":"tcp://server-54-230-2-153.lhr5.r.cloudfront.net","dip":"10.1.1.76","dp":61024,"ext":".mkv","fp":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv","fs":2307792448,"loc":{"altCode":null,"city":"Augsburg","code":"DE","country":"Germany","latitude":"48.3718","longitude":"10.8925"},"p":"tcp-ip-4","sip":"78.47.38.226","sp":443,"ts":1460},"r":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv-> tcp://server-10-230-2-153.lhr5.r.cloudfront.net:443","resolvedUsername":"","u":"acmeltd__engineer2"}],"id":"AWmQ98PYg7b_-i6_5Rvg","labels":[""],"policyId":"default_6COnUMjTCB8N","policyName":"Browser Download","regimes":["ZoneFox"],"serverIp":"52.209.49.52","serverName":"fortisiemtest.dev.fortiinsight.cloud","severity":10,"status":"New","time":"2019-03-18T13:22:29.473715+00:00"}
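The sample above is in the form FortiSIEM displays under Sample Events: the event type in square brackets, then ` = `, then the raw JSON alert as received from the FortiInsight API. The following is an added example, not FortiSIEM or FortiInsight code, that splits that line into the event type and the JSON body and flattens the alert into one record per contained event. The SAMPLE string is a shortened, constructed copy of the page's sample (same keys and values, fewer of them). The output field names (user, file_path, remote_host, endpoint_host, ...) are this example's own choice, not FortiSIEM's attribute names, and the src_ip_is_global flag is an enrichment added here, not a FortiInsight field.

```python
"""Split a FortiSIEM '[EVENT_TYPE] = {json}' sample line and normalize a
FortiInsight policy alert. Added example for this page, not product code."""
import ipaddress
import json
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed, shortened copy of the page's FORTIINSIGHT_POLICY_ALERT sample.
# Raw strings keep the JSON escapes in the file path (c:\\users\\...) intact
# so that json.loads decodes them to single backslashes.
SAMPLE = (
    r'[FORTIINSIGHT_POLICY_ALERT] = {"description":"","events":[{"act":"file downloaded",'
    r'"app":"chrome.exe","d":"2019-03-18T13:22:24.344+00:00",'
    r'"mn":{"dh":"tcp://server-54-230-2-153.lhr5.r.cloudfront.net","dip":"10.1.1.76","dp":61024,'
    r'"ext":".mkv","fp":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv",'
    r'"fs":2307792448,"loc":{"city":"Augsburg","code":"DE","country":"Germany"},'
    r'"p":"tcp-ip-4","sip":"78.47.38.226","sp":443},"u":"acmeltd__engineer2"}],'
    r'"extendedEvents":[{"latestHostname":"mimas","latestIp":"10.10.0.1","u":"acmeltd__engineer2"}],'
    r'"id":"AWmQ98PYg7b_-i6_5Rvg","policyId":"default_6COnUMjTCB8N","policyName":"Browser Download",'
    r'"severity":10,"status":"New","time":"2019-03-18T13:22:29.473715+00:00"}'
)

# '[EVENT_TYPE] = {...}' with the JSON body taken greedily up to the final brace.
TAG_RE = re.compile(r"^\[(?P<type>[A-Z0-9_]+)\]\s*=\s*(?P<body>\{.*\})\s*$", re.DOTALL)


def split_event(raw: str) -> Tuple[str, dict]:
    """Return (FortiSIEM event type, decoded JSON alert) for one sample-event line."""
    m = TAG_RE.match(raw.strip())
    if not m:
        raise ValueError("expected '[EVENT_TYPE] = {...}'")
    return m.group("type"), json.loads(m.group("body"))


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """FortiInsight timestamps are ISO 8601 with a UTC offset; keep them timezone-aware."""
    return datetime.fromisoformat(value) if value else None


def ip_is_global(ip: Optional[str]) -> Optional[bool]:
    """True for a publicly routable address, False for private/reserved, None if absent or invalid."""
    try:
        return ipaddress.ip_address(ip).is_global if ip else None
    except ValueError:
        return None


def normalize(alert: dict) -> List[dict]:
    """Flatten one policy alert into one record per entry in 'events'.

    Alert-level fields (policy, severity, status, time) repeat on every record.
    'extendedEvents' is aligned with 'events' by position and supplies the
    endpoint's last-known hostname and IP. Output names are this example's own.
    """
    events = alert.get("events") or []
    extended = alert.get("extendedEvents") or []
    records = []
    for i, ev in enumerate(events):
        mn = ev.get("mn") or {}          # network/file details of the action
        loc = mn.get("loc") or {}        # GeoIP of the remote side
        ext = extended[i] if i < len(extended) else {}
        records.append({
            "alert_id": alert.get("id"),
            "policy": alert.get("policyName"),
            "policy_id": alert.get("policyId"),
            "severity": alert.get("severity"),
            "status": alert.get("status"),
            "alert_time": parse_ts(alert.get("time")),
            "event_time": parse_ts(ev.get("d")),
            "user": ev.get("u"),
            "action": ev.get("act"),
            "process": ev.get("app"),
            "file_path": mn.get("fp"),
            "file_ext": mn.get("ext"),
            "file_size": mn.get("fs"),
            "remote_host": mn.get("dh"),
            # In the sample the download flows from the web server (sip:sp) to the
            # endpoint (dip:dp); these names keep FortiInsight's direction as-is.
            "src_ip": mn.get("sip"),
            "src_port": mn.get("sp"),
            "dst_ip": mn.get("dip"),
            "dst_port": mn.get("dp"),
            "src_ip_is_global": ip_is_global(mn.get("sip")),  # enrichment added in this example
            "geo_country": loc.get("country"),
            "geo_city": loc.get("city"),
            "endpoint_host": ext.get("latestHostname"),
            "endpoint_ip": ext.get("latestIp"),
        })
    return records


if __name__ == "__main__":
    event_type, body = split_event(SAMPLE)
    for rec in normalize(body):
        print(event_type, rec["user"], rec["action"], rec["file_path"], "->", rec["remote_host"])
```

Running the module prints one line per event with the user, action, local file path and remote host. The `.get()` chains matter in practice: fields such as `mn`, `loc` and `extendedEvents` are present in the sample but are not guaranteed for every policy or AI alert, so a parser that indexes them directly will drop whole alerts on the first one that lacks them.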