Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

External Systems Configuration Guide

CloudPassage Halo

Integration points

Protocol Information collected Used for
CloudPassage REST API Halo events – over 110 event types including User login and account activity, server compliance and vulnerability status, server FIM and firewall policy modification etc. Security and Compliance

CloudPassage REST API Integration

FortiSIEM can pull logs from CloudPassage Halo via CloudPassage REST API. Currently, over 110 CloudPassage event types are parsed.

To see the event types:

  1. Login to FortiSIEM.
  2. Go to ADMIN > Resources > Event Types.
  3. Search for 'CloudPassage-Halo'.

Use cases covered via API:

  • User login to Halo and user account creation/deletion/modification activity
  • Vulnerable software package found and Compromised host detection
  • Server FIM, Firewall policy modification
  • Server account creation
  • Server login via ghostport

Configuring CloudPassage Portal

Create an API Key to be used for FortiSIEM communication.

  1. Log in to your CloudPassage Halo portal.
  2. Create an API Key and API Secret for use in FortiSIEM.

Configuring FortiSIEM

Use the API Key and Secret in previous step to enable FortiSIEM access.

  1. Login to FortiSIEM.
  2. Go to ADMIN > Setup > Credential.
  3. Click New to create a CloudPassage Halo credential.
    1. Choose Device Type = CloudPassage Halo (Vendor = CloudPassage, Model = Halo).
    2. Choose Access Protocol = Halo REST API.
    3. Choose Pull Interval = 5 minutes.
    4. Password Configuration: for CyberArk and RAX_CustomerService, see Password Configuration. For Manual, see the following:
      1. Set API Key ID to API Key obtained from CloudPassage portal in Configuring CloudPassage Portal.
      2. Set API Key Secret to API Secret obtained from from CloudPassage portal in Configuring CloudPassage Portal.
    5. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
    6. Click Save.
  4. Enter an IP range to Credential Association.
    1. Set Hostname = api.cloudpassage.com
    2. Select the credential created in step 3.
    3. Click Save.
  5. Select the entry in step 4 and click Test Connectivity. Once successful, an entry will be created in ADMIN > Setup > Pull Events. FortiSIEM will start to pull events from CloudPassage portal using the API.

To test for received CloudPassage Halo events:

  1. Go to ADMIN > Setup > Pull Events.
  2. Select the CloudPassage entry and click Report.

The system will take you to the Analytics tab and run a query to display the events received from CloudPassage in the last 15 minutes. You can modify the time interval to get more events.

CloudPassage Halo

Integration points

Protocol Information collected Used for
CloudPassage REST API Halo events – over 110 event types including User login and account activity, server compliance and vulnerability status, server FIM and firewall policy modification etc. Security and Compliance

CloudPassage REST API Integration

FortiSIEM can pull logs from CloudPassage Halo via CloudPassage REST API. Currently, over 110 CloudPassage event types are parsed.

To see the event types:

  1. Login to FortiSIEM.
  2. Go to ADMIN > Resources > Event Types.
  3. Search for 'CloudPassage-Halo'.

Use cases covered via API:

  • User login to Halo and user account creation/deletion/modification activity
  • Vulnerable software package found and Compromised host detection
  • Server FIM, Firewall policy modification
  • Server account creation
  • Server login via ghostport

Configuring CloudPassage Portal

Create an API Key to be used for FortiSIEM communication.

  1. Log in to your CloudPassage Halo portal.
  2. Create an API Key and API Secret for use in FortiSIEM.

Configuring FortiSIEM

Use the API Key and Secret in previous step to enable FortiSIEM access.

  1. Login to FortiSIEM.
  2. Go to ADMIN > Setup > Credential.
  3. Click New to create a CloudPassage Halo credential.
    1. Choose Device Type = CloudPassage Halo (Vendor = CloudPassage, Model = Halo).
    2. Choose Access Protocol = Halo REST API.
    3. Choose Pull Interval = 5 minutes.
    4. Password Configuration: for CyberArk and RAX_CustomerService, see Password Configuration. For Manual, see the following:
      1. Set API Key ID to API Key obtained from CloudPassage portal in Configuring CloudPassage Portal.
      2. Set API Key Secret to API Secret obtained from from CloudPassage portal in Configuring CloudPassage Portal.
    5. Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
    6. Click Save.
  4. Enter an IP range to Credential Association.
    1. Set Hostname = api.cloudpassage.com
    2. Select the credential created in step 3.
    3. Click Save.
  5. Select the entry in step 4 and click Test Connectivity. Once successful, an entry will be created in ADMIN > Setup > Pull Events. FortiSIEM will start to pull events from CloudPassage portal using the API.

To test for received CloudPassage Halo events:

  1. Go to ADMIN > Setup > Pull Events.
  2. Select the CloudPassage entry and click Report.

The system will take you to the Analytics tab and run a query to display the events received from CloudPassage in the last 15 minutes. You can modify the time interval to get more events.