External Systems Configuration Guide

FortiSIEM External Systems Configuration Guide Online
Change Log
Overview
FortiSIEM External Ports
Supported Devices and Applications by Vendor
Applications
- Application Server
- Authentication Server
- Database Server
- DHCP and DNS Server
- Directory Server
  - Microsoft Active Directory
- Document Management Server
  - Microsoft SharePoint
- Healthcare IT
  - Epic EMR/EHR System
- Mail Server
  - Microsoft Exchange
- Management Server/Appliance
  - Cisco Application Centric Infrastructure (ACI)
  - Fortinet FortiManager
- Remote Desktop
  - Citrix Receiver (ICA)
- Source Code Control
- Unified Communication Server
- Web Server
Blade Servers
- Cisco UCS Server
- HP BladeSystem
Cloud Applications
- Alicide.io KAudit
- AWS Access Key IAM Permissions and IAM Policies
- AWS CloudTrail API
- AWS EC2
- AWS EC2 CloudWatch API
- AWS Kinesis
- AWS RDS
- AWS Security Hub
- Box.com
- Google Apps Audit
- Microsoft Azure Audit
- Microsoft Office365 Audit
- Microsoft Cloud App Security
- Micorosft Azure ATP
- Microsoft Azure Compute
- Microsoft Azure Event Hub
- Microsoft Windows Defender ATP
- Okta
- Salesforce CRM Audit
Console Access Devices
- Lantronix SLC Console Manager
End Point Security Software
- Bit9 Security Platform
- Carbon Black Security Platform
- Cisco AMP Cloud V0
- Cisco AMP Cloud V1
- Cisco Security Agent (CSA)
- CloudPassage Halo
- Crowdstrike
- Digital Guardian CodeGreen DLP
- ESET NOD32 Anti-Virus
- FortiClient
- FortinetFortiEDR
- MalwareBytes
- McAfee ePolicy Orchestrator (ePO)
- MobileIron Sentry and Connector
- Netwrix Auditor
- Palo Alto Traps Endpoint Security Manager
- SentinelOne
- Sophos Central
- Sophos Endpoint Security and Control
- Symantec Endpoint Protection
- Symantec SEPM
- Tanium Connect
- Trend Micro Interscan Web Filter
- Trend Micro Intrusion Defense Firewall (IDF)
- Trend Micro OfficeScan
Environmental Sensors
- APC Netbotz Environmental Monitor
- APC UPS
- Generic UPS
- Liebert FPC
- Liebert HVAC
- Liebert UPS
Firewalls
- Check Point FireWall-1
- Check Point Provider-1
- Check Point VSX
- Cisco Adaptive Security Appliance (ASA)
- Clavister Firewall
- Cyberoam Firewall
- Dell SonicWALL
- Fortinet FortiGate Firewall
- Imperva Securesphere Web App Firewall
- Juniper Networks SSG
- McAfee Firewall Enterprise (Sidewinder)
- Palo Alto
- Sophos UTM
- Stormshield Network Security
- Tigera Calico
- WatchGuard Firebox
Load Balancers and Application Firewalls
- Brocade ServerIron ADX
- Citrix Netscaler Application Delivery Controller (ADC)
- F5 Networks Application Security Manager
- F5 Networks Local Traffic Manager
- F5 Networks Web Accelerator
- Fortinet FortiADC
- Qualys Web Application Firewall
Network Compliance Management Applications
- Cisco Network Compliance Manager
- PacketFence
Network Intrusion Prevention System
- 3COM TippingPoint UnityOne IPS
- AirTight Networks SpectraGuard
- Alert Logic IRIS API
- Cisco FireSIGHT and FirePower Threat Defence
- Cisco Intrusion Prevention System
- Cisco Stealthwatch
- Cylance Protect Endpoint Protection
- Cyphort Cortex Endpoint Protection
- Damballa Failsafe
- Darktrace CyberIntelligence Platform
- FireEye Malware Protection System (MPS)
- FortiDDoS
- Fortinet FortiDeceptor
- Fortinet FortiNAC
- Fortinet FortiSandbox Configuration
- Fortinet FortiTester
- IBM Internet Security Series Proventia
- Indegy Security Platform
- Juniper DDoS Secure
- Juniper Networks IDP Series
- McAfee IntruShield
- McAfee Stonesoft IPS
- Motorola AirDefense
- Nozomi
- Radware DefensePro
- Snort Intrusion Prevention System
- Sourcefire 3D and Defense Center
- Trend Micro Deep Discovery
- Zeek (Bro) Installed on Security Onion
Routers and Switches
- Alcatel TiMOS and AOS Switch
- Arista Router and Switch
- Brocade NetIron CER Routers
- Cisco 300 Series Routers
- Cisco IOS Router and Switch
  - How CPU and Memory Utilization is Collected for Cisco IOS
- Cisco Meraki Cloud Controller and Network Devices
- Cisco NX-OS Router and Switch
- Cisco ONS
- Cisco Viptela SDWAN Router
- Dell Force10 Router and Switch
- Dell NSeries Switch
- Dell PowerConnect Switch and Router
- Foundry Networks IronWare Router and Switch
- HP/3Com ComWare Switch
- HP ProCurve Switch
- HP Value Series (19xx) and HP 3Com (29xx) Switch
- Hirschman SCADA Firewalls and Switches
- Juniper Networks JunOS Switch
- MikroTik Router
- Nortel ERS and Passport Switch
Security Gateways
- Barracuda Networks Spam Firewall
- Blue Coat Web Proxy
- Cisco IronPort Mail Gateway
- Cisco IronPort Web Gateway
- Fortinet FortiMail
- Fortinet FortiWeb
- Imperva Securesphere DB Monitoring Gateway
- Imperva Securesphere DB Security Gateway
- McAfee Vormetric Data Security Manager
- McAfee Web Gateway
- Microsoft ISA Server
- Squid Web Proxy
- SSH Comm Security CryptoAuditor
- Websense Web Filter
Servers
- HP UX Server
- IBM AIX Server
- IBM OS400 Server
- Linux Server
- Microsoft Windows Server
- QNAP Turbo NAS
- Sun Solaris Server
Storage
- Brocade SAN Switch
- Dell Compellant Storage
- Dell EqualLogic Storage
- EMC Clarion Storage
- EMC Isilon Storage
- EMC VNX Storage
- NetApp Data ONTAP
- NetApp Filer Storage
- Nimble Storage
- Nutanix Storage
Threat Intelligence
- FortiInsight
- LastLine
- ThreatConnect
Virtualization
- HyperV
- HyTrust CloudControl
- VMware ESX
VPN Gateways
- Cisco VPN 3000 Gateway
- Cyxtera AppGuard
- Juniper Networks SSL VPN Gateway
- Microsoft PPTP VPN Gateway
- Pulse Secure
Vulnerability Scanners
- AlertLogic
- Green League WVSS
- McAfee Foundstone Vulnerability Scanner
- Nessus Vulnerability Scanner
- Qualys QualysGuard Scanner
- Qualys Vulnerability Scanner
- Rapid7 NeXpose Vulnerability Scanner
- Rapid7 InsightVM
- Tenable.io
- Tenable Nessus Vulnerability Scanner
- Tenable Security Center
- XYLink Vulnerability Scanner
WAN Accelerators
- Cisco Wide Area Application Server
- Riverbed SteelHead WAN Accelerator
Wireless LANs
- Aruba Networks Wireless LAN
- Cisco Wireless LAN
- CradlePoint
- FortiAP
- FortiWLC
- Motorola WiNG WLAN AP
- Ruckus Wireless LAN
Using Virtual IPs to Access Devices in Clustered Environments
Syslog over TLS
SNMP V3 Traps
Flow Support
Appendix
- Access Credentials

Home FortiSIEM 5.4.0 External Systems Configuration Guide

5.4.0

Cisco AMP Cloud V1

Cisco Advanced Malware Protection (AMP) for Endpoints is a lightweight connector that can use the public cloud or be deployed as a private cloud.

What is Discovered and Monitored
Event Types
Rules
Reports
Configure Cisco AMP Cloud V1
Configure FortiSIEM
Sample Events

What is Discovered and Monitored

Protocol	Information collected	Used for
AMQP	Global threat intelligence, advanced sand boxing, and real-time malware blocking.	Intrusion protection system

Event Types

In RESOURCES > Event Types, enter "Cisco AMP" in the Search column to see the event types associated with this device.

Rules

No defined rules.

Reports

No defined reports.

Configure Cisco AMP Cloud V1

Log in to the Cisco AMP for Endpoints Portal as an administrator.
Click Accounts > API Credentials.
In the API Credentials pane, click New API Credential.
In the Application name field, enter a name, and then select Read & Write.
Note: you must have Read & Write access to manage event streams on your Cisco AMP for Endpoints platform.
Click Create.
In the API Key Details section, make note of the values for the 3rd Party API Client ID and the API Key. You will need these values to manage queues.
Click Management > Group
In the Groups pane, click Create Group.
Enter the group name and click Save.
Enter the following curl command to get the group_guid of the group that is created in the previous step.
curl -X GET -H 'accept: application/json' \
-H 'content-type: application/json' --compressed \
-H 'Accept-Encoding: gzip, deflate' \
-u <CLIENTID:APIKEY>\
'https://api.amp.cisco.com/v1/groups'
where:
- <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6.
- If you are in the Asia Pacific Japan and China (APJC) region, change https://api.amp.cisco.com/v1/event_streams to https://api.apjc.amp.cisco.com/v1/event_streams.
- If you are in the European region, change https://api.amp.cisco.com/v1/event_streams to https://api.eu.amp.cisco.com/v1/event_streams.
Enter the following curl command to create a Cisco AMP event stream:
curl -X POST -H 'accept: application/json' \
-H 'content-type: application/json' --compressed \
-H 'Accept-Encoding: gzip, deflate' \
-d '{"name":"<STREAM_NAME>", "group_guid":["<GUID>"]}' \
-u <CLIENTID:APIKEY> \
'https://api.amp.cisco.com/v1/event_streams'
where:
- < STREAM_NAME > is the name of your choice for the event stream.
- < GUID > is the group GUID that you want to use to link to the event stream in Step 10.
- <CLIENTID:APIKEY> is the Client ID and the API key that you created in Step 6.
- If you are in the Asia Pacific Japan and China (APJC) region, change https://api.amp.cisco.com/v1/event_streams to https://api.apjc.amp.cisco.com/v1/event_streams.
- If you are in the European region, change https://api.amp.cisco.com/v1/event_streams to https://api.eu.amp.cisco.com/v1/event_streams.
Enter the following curl command to get a summary of the information you need to get a CloudAMP V1 credential in FortiSIEM:
curl -X POST -H 'accept: application/json' \
-H 'content-type: application/json' --compressed \
-H 'Accept-Encoding: gzip, deflate' \
-d '{"name":"meistream","group_guid":["34e483f4-85a8-412f-9997-07dd3f0c29ea"]}' \
-u a54c0f4c589d72e0c73e:14713974-eb93-420b-ad76-6e13943f87d4 \
'https://api.amp.cisco.com/v1/event_streams'
{
"version": "v1.2.0",
"metadata": {
"links": {
"self": "https://api.amp.cisco.com/v1/event_streams"
}
},
"data": {
"id": 8849,
"name": "meistream",
"group_guids": [
"34e483f4-85a8-412f-9997-07dd3f0c29ea"
],
"amqp_credentials": {
"user_name": "8849-a54c0f4c589d72e0c73e",
"queue_name": "event_stream_8849",
"password": "e3298163b3c57e5e4e11ea1b571e85cc2ac45b55",
"host": "export-streaming.amp.cisco.com",
"port": "443",
"proto": "https"
}
}
}

Configure ForitSIEM

In Admin > Setup > Credentials, create a Cisco CloudAMP Credential.
Click New and enter the following information:
1. Set Device Type to Cisco AMP.
2. Set Access Protocol to AMQP.
3. Set Queue Name from queue-name in Step 12 in the previous section.
4. Set User Name from user_name in Step 12 in the previous section.
5. Set Password from password in Step 12 in the previous section.
Click Save.
Go to Admin > Setup > IP to Credential Mapping and create an association as follows.
Click New and enter the following information:
1. Set IP/Host Name to host in Step 12 in previous section.
2. Choose Credential to the one created in Steps 1 to Step 3 in the previous section.
3. Click Save.
Go to Admin > Credentials, select the credential, and run Test Connectivity.
If connectivity is successful, go to Admin > Pull Events. An entry will appear in the Event Pulling table. That means events are being pulled.

Sample Events

Events are in JSON format.

[CiscoAMP-Update-Policy-Failure]{"id":6723137944535695384,"timestamp":1565352535,"timestamp_nanoseconds":82000000,"date":"2019-08-09T12:08:55+00:00","event_type":"Policy Update Failure","event_type_id":2164260866,"connector_guid":"98be064e-2ba5-4482-8405-4a9268ae9f2e","group_guids":["3c025f05-a2c4-4613-9186-343365f53853"],"error":{"error_code":3242196993,"description":"Unknown Error"},"computer":{"connector_guid":"98be064e-2ba5-4482-8405-4a9268ae9f2e","hostname":"host1","external_ip":"1.2.3.4","active":true,"network_addresses":[{"ip":"1.2.3.5","mac":"00:21:97:1e:1c:05"}],"links":{"computer":"https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-8405-4a9268ae9f2e","trajectory":"https://api.amp.cisco.com/v1/computers/98be064e-2ba5-4482-8405-4a9268ae9f2e/trajectory","group":"https://api.amp.cisco.com/v1/groups/3c025f05-a2c4-4613-9186-343365f53853"}}}