Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 5.3.3 External Systems Configuration Guide
    5.3.3
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    AWS CloudTrail API

    AWS CloudTrail

    What is Discovered and Monitored

    Protocol Information Discovered Metrics Collected Used For
    CloudTrail API None None Security Monitoring

    Event Types

    In ADMIN > Device Support > Event, search for "Cloudtrail" in the Device Type column to see the event types associated with this device. See the Amazon API reference for more information about the event types available for CloudTrail monitoring.

    Reports

    In RESOURCE > Reports, search for "cloudtrail" in the Name column to see the rules associated with this device.

    Configuration

    If you have not already configured Access Keys and permissions in AWS, please follow the steps outlined in AWS Access Key IAM Permissions and IAM Policies.

    FortiSIEM receives information about AWS events through the CloudTrail API. After creating an S3 bucket for the storage of log files on AWS, you then configure the Simple Notification Service (SNS) and Simple Queue Service (SQS) to create a notification for the log file and have it delivered by SQS. In your FortiSIEM virtual appliance you then enter access credentials so FortiSIEM can communicate with CloudTrail as it would any other device.

    Create a new CloudTrail
    1. Log in to https://console.aws.amazon.com/cloudtrail.
    2. Switch to the region for which you want to generate cloud trail logs.
    3. Click Trails.
    4. Click on Add New Trail
    5. Enter a Trail name such as aocloudtrail.
    6. Select Yes for Apply Trail to all regions.
      FortiSIEM can pull trails from all regions via a single credential.
    7. Select Yes for Create a new S3 bucket.
    8. For S3 bucket, enter a name like s3aocloudtrail.
    9. Click Advanced.
    10. Select Yes for Create a new SNS topic.
    11. For SNS topic, enter a name like snsaocloudtrail.
    12. Leave the rest of advanced settings to the default values.
    13. Click Create.
      A dialog will confirm that logging is turned on.

    Configure Simple Queue Service (SQS) Delivery

    1. Log in to https://console.aws.amazon.com/sqs.
    2. Switch to the region in which you created a new cloudtrail above
    3. Click Create New Queue.
    4. Enter a Queue Name such as sqsaocloudtrail
      SettingValue
      Default Visibility Timeout0 seconds
      Message Retention Period

      This must be set for between 5 and 50 minutes. A lower value is recommended for high event rates to avoid event loss.       		10 minutes
      Maximum Message Size256 KB
      Delivery Delay0 seconds
      Receive Message Wait Time5 seconds
    5. Click Create Queue.
    6. When the queue is created, click the Details tab and make note of the ARN (Amazon Resource Name), as you will need this when configuring the Simple Notification Service below and when configuring the access credentials for FortiSIEM.

    Set Up Simple Notification Service (SNS)

    1. Log in to https://console.aws.amazon.com/sns.
    2. Switch to the region where you created the trail and SQS.
    3. Select Topics.
    4. Select the SNS topic snsaocloudtrail that you specified when creating a cloudtrail.
    5. Click Actions > Subscribe to topic from the menu to launch the popup Create Subscription.
    6. For Protocol, select Amazon SQS.
    7. For Endpoint, enter the ARN of the queue that you created when setting up SQS.
    8. Click Create Subscription.

    Give Permission for Amazon SNS to Send Messages to SQS

    1. Log in to https://console.aws.amazon.com/sqs.
    2. Select the queue you created, sqsaocloudtrail.
    3. In the Queue Actions menu, select Subscribe Queue to SNS Topic.
    4. From the Choose a Topic dropdown, select the SNS topic snsaocloudtrail that you created earlier.
    5. The Topic ARN will be automatically filled.
    6. Click Subscribe.

    Note: Ensure that SQS, SNS, S3 bucket and CloudTrail are in the same region.

    You do not need to initiate discovery of AWS Cloud Trail, but should check that FortiSIEM is pulling events for AWS by checking for an amazon.com entry in ADMIN > Setup > Event Pulling.

    You can configure FortiSIEM to communicate with your device by following the instructions in "Discovery Settings" and "Setting Credentials" in the User Guide.

    Settings for Access Credentials

    Use these Access Method Definition settings to allow FortiSIEM to communicate with the CloudTrail API.

    SettingValue
    Nameaocloudtrail
    Device TypeAmazon AWS CloudTrail
    Access ProtocolAmazon AWS CloudTrail
    RegionRegion where you created the trail.
    BucketThe name of the S3 bucket you created (s3aocloudtrail)
    SQS Queue URLEnter the ARN of your queue without the http:// prefix.
    Password ConfigSee Password Configuration.
    Access Key IDThe access key for your AWS instance.
    Secret KeyThe secret key for your AWS instance.
    OrganizationSelect an organization from the drop-down list.

    Sample Events for AWS CloudTrail 

    Fri Oct 10 14:44:23 2014 FortiSIEM-CloudTrail [additionalEventData/LoginTo]=https://console.aws.amazon.com/console/home?state= hashArgs%23&isauthcode=true
    [additionalEventData/MFAUsed]=No [additionalEventData/MobileVersion]=No [awsRegion]=us-east-1 [eventID]=fdf8f837-7e75-46a0-ac95-b6d15993ebf7 [eventName]=ConsoleLogin [eventSource]=SIGNIN [eventTime]=2014-10-10T06:38:11Z [eventVersion]=1.01 [requestParameters]=null [responseElements/ConsoleLogin]=Success [sourceIPAddress]=211.144.207.10 [userAgent]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 [userIdentity/accountId]=623885071509 [userIdentity/arn]=arn:aws:iam::623885071509:user/John.Adams [userIdentity/principalId]=AIDAIUSNMEIUYBS7AN4UW [userIdentity/type]=IAMUser [userIdentity/userName]=John.Adams

Fri Oct 10 14:19:45 2014 FortiSIEM-CloudTrail [awsRegion]=us-east-1 [eventID]=351bda80-39d4-41ed-9e4d-86d6470c2436 [eventName]=DescribeInstances [eventSource]=EC2 [eventTime]=2014-10-10T06:12:24Z [eventVersion]=1.01 [requestID]=2d835ae2-176d-4ea2-8523-b1a09585e803 [requestParameters/filterSet/items/0/name]=private-ip-address [requestParameters/filterSet/items/0/valueSet/items/0/value]=10.0.0.233 [responseElements]=null [sourceIPAddress]=211.144.207.10 [userAgent]=aws-sdk-php2/2.4.7 Guzzle/3.7.1 curl/7.19.7 PHP/5.3.3 [userIdentity/accessKeyId]=AKIAI2MUUCROHFSLLT3A [userIdentity/accountId]=623885071509 [userIdentity/arn]=arn:aws:iam::623885071509:root [userIdentity/principalId]=623885071509 [userIdentity/type]=Root [userIdentity/userName]=accelops

    Performance Tuning for High EPS CloudTrail Events

    AWS CloudTrail can generate a lot of events. Follow these recommendations to enable FortiSIEM to keep up with high EPS CloudTrail events.

    1. In the AWS configuration, change the Message retention period of SQS to 1 day.
    2. Adjust the CloudTrail event pulling parameters as follows. Go to the Collector that pulls AWS CloudTrail events. You will find these three relevant parameters in the /opt/phoenix/config/phoenix_config.txt file:
      • cloudtrail_msg_pull_interval (default 30 seconds, minimum recommended 10 seconds) - how often CloudTrail events are pulled.
      • cloudtrail_msg_pull_thread_num (default 1, maximum recommended 60) - how many threads are used to pull CloudTrail events.
      • cloudtrail_file_parse_thread_num (default 3, maximum recommended 60) - how many threads are used to parse CloudTrail events.

    Since each API call returns maximum 10 files, set the parameters to satisfy the following two constraints. If the thread count is high, then you must increase the number of vCPUs in the Collector.

    • Set (SQSInputEventRate times cloudtrail_msg_pull_interval) to be smaller than (cloudtrail_msg_pull_thread_num times 10)
    • Set cloudtrail_msg_pull_thread_num to be equal to cloudtrail_file_parse_thread_num
    Previous
    Next

    AWS CloudTrail API

    AWS CloudTrail

    What is Discovered and Monitored

    Protocol Information Discovered Metrics Collected Used For
    CloudTrail API None None Security Monitoring

    Event Types

    In ADMIN > Device Support > Event, search for "Cloudtrail" in the Device Type column to see the event types associated with this device. See the Amazon API reference for more information about the event types available for CloudTrail monitoring.

    Reports

    In RESOURCE > Reports, search for "cloudtrail" in the Name column to see the rules associated with this device.

    Configuration

    If you have not already configured Access Keys and permissions in AWS, please follow the steps outlined in AWS Access Key IAM Permissions and IAM Policies.

    FortiSIEM receives information about AWS events through the CloudTrail API. After creating an S3 bucket for the storage of log files on AWS, you then configure the Simple Notification Service (SNS) and Simple Queue Service (SQS) to create a notification for the log file and have it delivered by SQS. In your FortiSIEM virtual appliance you then enter access credentials so FortiSIEM can communicate with CloudTrail as it would any other device.

    Create a new CloudTrail
    1. Log in to https://console.aws.amazon.com/cloudtrail.
    2. Switch to the region for which you want to generate cloud trail logs.
    3. Click Trails.
    4. Click on Add New Trail
    5. Enter a Trail name such as aocloudtrail.
    6. Select Yes for Apply Trail to all regions.
      FortiSIEM can pull trails from all regions via a single credential.
    7. Select Yes for Create a new S3 bucket.
    8. For S3 bucket, enter a name like s3aocloudtrail.
    9. Click Advanced.
    10. Select Yes for Create a new SNS topic.
    11. For SNS topic, enter a name like snsaocloudtrail.
    12. Leave the rest of advanced settings to the default values.
    13. Click Create.
      A dialog will confirm that logging is turned on.

    Configure Simple Queue Service (SQS) Delivery

    1. Log in to https://console.aws.amazon.com/sqs.
    2. Switch to the region in which you created a new cloudtrail above
    3. Click Create New Queue.
    4. Enter a Queue Name such as sqsaocloudtrail
      SettingValue
      Default Visibility Timeout0 seconds
      Message Retention Period

      This must be set for between 5 and 50 minutes. A lower value is recommended for high event rates to avoid event loss.       		10 minutes
      Maximum Message Size256 KB
      Delivery Delay0 seconds
      Receive Message Wait Time5 seconds
    5. Click Create Queue.
    6. When the queue is created, click the Details tab and make note of the ARN (Amazon Resource Name), as you will need this when configuring the Simple Notification Service below and when configuring the access credentials for FortiSIEM.

    Set Up Simple Notification Service (SNS)

    1. Log in to https://console.aws.amazon.com/sns.
    2. Switch to the region where you created the trail and SQS.
    3. Select Topics.
    4. Select the SNS topic snsaocloudtrail that you specified when creating a cloudtrail.
    5. Click Actions > Subscribe to topic from the menu to launch the popup Create Subscription.
    6. For Protocol, select Amazon SQS.
    7. For Endpoint, enter the ARN of the queue that you created when setting up SQS.
    8. Click Create Subscription.

    Give Permission for Amazon SNS to Send Messages to SQS

    1. Log in to https://console.aws.amazon.com/sqs.
    2. Select the queue you created, sqsaocloudtrail.
    3. In the Queue Actions menu, select Subscribe Queue to SNS Topic.
    4. From the Choose a Topic dropdown, select the SNS topic snsaocloudtrail that you created earlier.
    5. The Topic ARN will be automatically filled.
    6. Click Subscribe.

    Note: Ensure that SQS, SNS, S3 bucket and CloudTrail are in the same region.

    You do not need to initiate discovery of AWS Cloud Trail, but should check that FortiSIEM is pulling events for AWS by checking for an amazon.com entry in ADMIN > Setup > Event Pulling.

    You can configure FortiSIEM to communicate with your device by following the instructions in "Discovery Settings" and "Setting Credentials" in the User Guide.

    Settings for Access Credentials

    Use these Access Method Definition settings to allow FortiSIEM to communicate with the CloudTrail API.

    SettingValue
    Nameaocloudtrail
    Device TypeAmazon AWS CloudTrail
    Access ProtocolAmazon AWS CloudTrail
    RegionRegion where you created the trail.
    BucketThe name of the S3 bucket you created (s3aocloudtrail)
    SQS Queue URLEnter the ARN of your queue without the http:// prefix.
    Password ConfigSee Password Configuration.
    Access Key IDThe access key for your AWS instance.
    Secret KeyThe secret key for your AWS instance.
    OrganizationSelect an organization from the drop-down list.

    Sample Events for AWS CloudTrail 

    Fri Oct 10 14:44:23 2014 FortiSIEM-CloudTrail [additionalEventData/LoginTo]=https://console.aws.amazon.com/console/home?state= hashArgs%23&isauthcode=true
    [additionalEventData/MFAUsed]=No [additionalEventData/MobileVersion]=No [awsRegion]=us-east-1 [eventID]=fdf8f837-7e75-46a0-ac95-b6d15993ebf7 [eventName]=ConsoleLogin [eventSource]=SIGNIN [eventTime]=2014-10-10T06:38:11Z [eventVersion]=1.01 [requestParameters]=null [responseElements/ConsoleLogin]=Success [sourceIPAddress]=211.144.207.10 [userAgent]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 [userIdentity/accountId]=623885071509 [userIdentity/arn]=arn:aws:iam::623885071509:user/John.Adams [userIdentity/principalId]=AIDAIUSNMEIUYBS7AN4UW [userIdentity/type]=IAMUser [userIdentity/userName]=John.Adams

Fri Oct 10 14:19:45 2014 FortiSIEM-CloudTrail [awsRegion]=us-east-1 [eventID]=351bda80-39d4-41ed-9e4d-86d6470c2436 [eventName]=DescribeInstances [eventSource]=EC2 [eventTime]=2014-10-10T06:12:24Z [eventVersion]=1.01 [requestID]=2d835ae2-176d-4ea2-8523-b1a09585e803 [requestParameters/filterSet/items/0/name]=private-ip-address [requestParameters/filterSet/items/0/valueSet/items/0/value]=10.0.0.233 [responseElements]=null [sourceIPAddress]=211.144.207.10 [userAgent]=aws-sdk-php2/2.4.7 Guzzle/3.7.1 curl/7.19.7 PHP/5.3.3 [userIdentity/accessKeyId]=AKIAI2MUUCROHFSLLT3A [userIdentity/accountId]=623885071509 [userIdentity/arn]=arn:aws:iam::623885071509:root [userIdentity/principalId]=623885071509 [userIdentity/type]=Root [userIdentity/userName]=accelops

    Performance Tuning for High EPS CloudTrail Events

    AWS CloudTrail can generate a lot of events. Follow these recommendations to enable FortiSIEM to keep up with high EPS CloudTrail events.

    1. In the AWS configuration, change the Message retention period of SQS to 1 day.
    2. Adjust the CloudTrail event pulling parameters as follows. Go to the Collector that pulls AWS CloudTrail events. You will find these three relevant parameters in the /opt/phoenix/config/phoenix_config.txt file:
      • cloudtrail_msg_pull_interval (default 30 seconds, minimum recommended 10 seconds) - how often CloudTrail events are pulled.
      • cloudtrail_msg_pull_thread_num (default 1, maximum recommended 60) - how many threads are used to pull CloudTrail events.
      • cloudtrail_file_parse_thread_num (default 3, maximum recommended 60) - how many threads are used to parse CloudTrail events.

    Since each API call returns maximum 10 files, set the parameters to satisfy the following two constraints. If the thread count is high, then you must increase the number of vCPUs in the Collector.

    • Set (SQSInputEventRate times cloudtrail_msg_pull_interval) to be smaller than (cloudtrail_msg_pull_thread_num times 10)
    • Set cloudtrail_msg_pull_thread_num to be equal to cloudtrail_file_parse_thread_num
    Previous
    Next