
External Systems Configuration Guide

Digital Defense Frontline Vulnerability Manager

Digital Defense Frontline Vulnerability Manager

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
Frontline REST API Host name, Vulnerability name, Vulnerability CVE ID, Vulnerability score, Operating system Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "Digital Defense" to see the event types associated with this device. In FortiSIEM 6.3.0, there are 3 event types defined.

Rules

There are no specific rules available for Digital Defense Frontline Vulnerability Manager, but the rule "Scanner found severe vulnerability" applies.

Reports

There are no specific reports available for Digital Defense Frontline Vulnerability Manager, but the report "Host vulnerabilities found by scanner" can be used.

Configuration

Setup in Digital Defense Frontline Vulnerability Manager

Complete these steps from the Frontline Vulnerability Manager Portal.

  1. Log in to Frontline VM.
  2. In the site header, select your name and choose My profile.
  3. On the API Tokens tab, select Create new token.
  4. In the Add New Token dialog, enter a token name, and select OK. Your token should be created.
  5. Below your token name, select Click to show key to display your API Key.
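  6. Copy the API Key; you will enter it as the Token in Setup in FortiSIEM. Treat the key as a credential: it gives API access to your vulnerability data, so keep it only where the FortiSIEM credential needs it.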
Setup in FortiSIEM

FortiSIEM processes events from the Vulnerability Manager via the Digital Defense API. Obtain your API Key from the Frontline Vulnerability Manager Portal before proceeding.

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box, and click Save when done.

      Settings | Description
      Name | Enter a name for the credential.
      Device Type | Digital Defense Frontline Vulnerability Manager
      Access Protocol | FRONTLINE_API
      Pull Interval | 5 minutes
      Token | Input the API Key from your Digital Defense Frontline Vulnerability Manager API.
      Confirm Token | Input the same API Key as above for verification.
      Description | Description about the device
  3. In Step 2: Enter IP Range to Credential Associations, click New.
    1. Select the name of your credential from the Credentials drop-down list. The IP/Host Name field should auto-populate with "vm.frontline.cloud".
    2. Click Save.
  4. Click the Test drop-down list and select Test Connectivity to test the connection to Digital Defense Frontline Vulnerability Manager.
  5. To see the jobs associated with Digital Defense Frontline Vulnerability Manager, select ADMIN > Setup > Pull Events.
  6. To see the received events, select ANALYTICS, then enter "Frontline" in the search box.

Sample Logs

Frontline-Scan-Finished
{"ServerHostName":"vm.frontline.cloud","ServerIp":"54.196.81.232","account":{"id":3516,"name":"Fortinet Integration Test"},"account_id":3516,"account_user":"Dan Hanman","account_user_id":15006,"build_reports":false,"businessgroups":{},"date_finished":"2021-04-05T23:27:05.004265Z","date_modified":"2021-04-05T23:27:05.146169Z","date_started":"2021-04-05T23:27:03.489965Z","deleting":false,"description":"","exclude_from_active_view":false,"force_target_detection":false,"has_results":false,"host_count":0,"id":"298183_20210405T232500Z","is_rna_scan":true,"name":"Scan Mar 25, 2021 1:25PM","next_event":null,"phCustId":1,"scan_locations":"internal","scan_policy":"Default","status":"completed","status_message":null,"status_name":"Completed","workflow":"va_workflow"}
Frontline-Vuln-Detected
{"ServerHostName":"vm.frontline.cloud","ServerIp":"54.196.81.232","acceptable_risk":null,"active_view_active_risk_details":null,"active_view_active_risk_score":null,"active_view_date_created":null,"active_view_date_first_created":null,"active_view_threat_rank":null,"analyst_threat_intel":null,"cve":"","cvss_base_score_v2":0.0,"cvss_base_score_v3":null,"cvss_score":"0.0","cvss_version":"2.0","data":"Wordpress 4.0.6 detected","date_finished":null,"date_started":null,"detect_type":"remote","exploitability":{"exploited_in_wild":null,"has_exploit_func":false,"has_exploit_kit":null,"has_exploit_poc":null,"is_crimewareable":null,"is_exploitable":null,"is_priority_exploitable":null},"false_positive":false,"has_notes":false,"hidden":false,"hide_from_now_on":false,"host_hidden":false,"host_id":85634681,"hostname":"172.23.177.67","id":3202200906,"id_ddi":102095,"ip_address":"172.23.177.67","labels":[],"manually_added":false,"manually_added_date_fix_confirmed":null,"manually_added_fix_status_name":null,"matched_status":"new","phCustId":1,"port":80,"protocol":"http","scan_block_id":"548616","scan_id":"277898","scan_version":1016281,"scan_version_active_risk_details":null,"scan_version_active_risk_score":null,"scan_version_date_created":"2020-12-02T17:46:12.640112Z","scan_version_host_id":85634681,"scan_version_threat_rank":null,"scan_version_vulnerability_id":3202200906,"scanner_version":"3.0.26.2","severities":{"ddi":"info","ddi_alt":"trivial","nvd":"low","nvd_alt":"low","pci":"pass","pci_alt":"pass"},"threat_activity":{"1m":0,"1w":0,"1y":0,"3m":0,"total":0},"title":"Wordpress Detected","transport":"tcp","tunnel":"none","vuln_class":"explicit"}
Frontline-Device-Vuln-Score
{"ServerHostName":"vm.frontline.cloud","ServerIp":"54.196.81.232","active_view_active_risk_details":{"ars_unweighted":92.024999999999991,"exposure_score":{"domain":"WIN-30QQRC10MGG","domain_host_count":4,"domain_threat_rank":95.0,"external_asset":false,"subnet":null,"subnet_host_count":0,"subnet_threat_rank":0,"unweighted":68.5,"weight":0.050000000000000003,"weighted":3.4250000000000003},"risk_weight":{"host_risk_weight":50.0},"severity_score":{"unweighted":84,"weight":0.14999999999999999,"weighted":12.6},"threat_score":{"unweighted":95.0,"weight":0.80000000000000004,"weighted":76.0}},"active_view_cvss_version":2.0,"active_view_date_created":"2020-12-02T17:46:12.640112Z","active_view_date_first_created":"2020-12-02T17:46:12.640112Z","agent_uuid":null,"assessed_cis_auth":false,"assessed_db_auth":false,"assessed_os_auth":false,"assessed_threatscan_auth":true,"assessed_unauth":true,"auth_status":{"details":{},"extended_details":{"cis":null,"db":{"mssql":null,"mysql":null,"oracle":null,"postgresql":null},"os":{"linux":null,"vmware":null,"windows":null},"threatscan":"Threat Scan completed successfully"},"overall":"N/A"},"aws_instance_id":null,"base_scan_id":"277898","date_finished":null,"date_started":null,"discovery_method":"nbname","dns_name":"","dns_smartname":"WIN-30QQRC10MGG","has_antivirus":true,"has_crimewareable":null,"has_disabled_antivirus":false,"has_exploitable":null,"has_malware":false,"has_notes":false,"has_outdated_antivirus":false,"hidden":false,"hide_from_now_on":false,"hostname":"WIN-30QQRC10MGG","id":85634671,"internal":true,"ip_address":"172.23.177.55","is_compromised":false,"is_retired":false,"labels":[{"color":"blue","deleted":false,"display_name":"WIN-30QQRC10MGG","id":214189,"labeled_by":0,"location":1}],"mac_address":"00:50:56:8d:16:52","matched_status":"new","named_asset_name":null,"netbios_name":"WIN-30QQRC10MGG","netbios_smartname":"WIN-30QQRC10MGG","network_profile_id":7286,"network_profile_name":"Internal Scanner 
Profile","notes_distribution":{"asset":false,"asset_only":false,"vuln_only":false},"os":"Windows Server 2012 R2 Standard","os_family":"windows","os_type":"server","partially_scanned":false,"pentest_status":null,"phCustId":1,"scan_block_id":"548616","scan_id":"277898","scan_version":1016281,"scan_version_active":true,"scan_version_active_risk_details":{"ars_unweighted":92.024999999999991,"exposure_score":{"domain":"WIN-30QQRC10MGG","domain_host_count":4,"domain_threat_rank":95.0,"external_asset":false,"subnet":null,"subnet_host_count":0,"subnet_threat_rank":0,"unweighted":68.5,"weight":0.050000000000000003,"weighted":3.4250000000000003},"risk_weight":{"host_risk_weight":50.0},"severity_score":{"unweighted":84,"weight":0.14999999999999999,"weighted":12.6},"threat_score":{"unweighted":95.0,"weight":0.80000000000000004,"weighted":76.0}},"scan_version_active_risk_score":92.025000000000006,"scan_version_cvss_score":10.0,"scan_version_cvss_version":2.0,"scan_version_date_created":"2020-12-02T17:46:12.640112Z","scan_version_host_id":85634671,"scan_version_host_rating_list":{"ddi":"D","ddi_alt":"F","nvd":"High","nvd_alt":"High","pci":"Fail","pci_alt":"Fail"},"scan_version_host_severity_list":{"ddi":"high","nvd":"high","pci":"fail"},"scan_version_risk_score":175.0,"scan_version_risk_weight":50.0,"scan_version_threat_rank":95.0,"scan_version_vulnerability_count":29,"scan_version_vulnerability_severity_counts":{"unweighted":{"ddi":{"counts":{"critical":0,"high":1,"info":21,"low":0,"medium":1,"none":0,"trivial":6},"overall_security_gpa":1.0},"ddi_alt":{"counts":{"critical":1,"high":1,"info":0,"low":1,"medium":0,"none":0,"trivial":26},"overall_security_gpa":0},"nvd":{"counts":{"high":2,"low":24,"medium":3},"overall_security_gpa":0},"nvd_alt":{"counts":{"high":1,"low":27,"medium":1},"overall_security_gpa":0},"pci":{"counts":{"fail":2,"pass":27},"overall_security_gpa":0},"pci_alt":{"counts":{"fail":2,"pass":27},"overall_security_gpa":0}},"weighted":{"ddi":{"counts":{"critical":0,"h
igh":1,"info":21,"low":0,"medium":1,"none":0,"trivial":6},"overall_security_gpa":1.0},"ddi_alt":{"counts":{"critical":1,"high":1,"info":0,"low":1,"medium":0,"none":0,"trivial":26},"overall_security_gpa":0},"nvd":{"counts":{"high":2,"low":24,"medium":3},"overall_security_gpa":0},"nvd_alt":{"counts":{"high":1,"low":27,"medium":1},"overall_security_gpa":0},"pci":{"counts":{"fail":2,"pass":27},"overall_security_gpa":0},"pci_alt":{"counts":{"fail":2,"pass":27},"overall_security_gpa":0}}},"scanner_version":"3.0.26.2"}

Digital Defense Frontline Vulnerability Manager

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
Frontline REST API Host name, Vulnerability name, Vulnerability CVE ID, Vulnerability score, Operating system Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "Digital Defense" to see the event types associated with this device. In FortiSIEM 6.3.0, there are 3 event types defined.

Rules

There are no specific rules available for Digital Defense Frontline Vulnerability Manager, but the rule "Scanner found severe vulnerability" applies.

Reports

There are no specific reports available for Digital Defense Frontline Vulnerability Manager, but the report "Host vulnerabilities found by scanner" can be used.

Configuration

Setup in Digital Defense Frontline Vulnerability Manager

Complete these steps from the Frontline Vulnerability Manager Portal.

  1. Log in to Frontline VM.
  2. In the site header, select your name and choose My profile.
  3. On the API Tokens tab, select Create new token.
  4. In the Add New Token dialog, enter a token name, and select OK. Your token should be created.
  5. Below your token name, select Click to show key to display your API Key.
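  6. Copy the API Key; you will enter it as the Token in Setup in FortiSIEM. Treat the key as a credential: it gives API access to your vulnerability data, so keep it only where the FortiSIEM credential needs it.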
Setup in FortiSIEM

FortiSIEM processes events from the Vulnerability Manager via the Digital Defense API. Obtain your API Key from the Frontline Vulnerability Manager Portal before proceeding.

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box, and click Save when done.

      Settings | Description
      Name | Enter a name for the credential.
      Device Type | Digital Defense Frontline Vulnerability Manager
      Access Protocol | FRONTLINE_API
      Pull Interval | 5 minutes
      Token | Input the API Key from your Digital Defense Frontline Vulnerability Manager API.
      Confirm Token | Input the same API Key as above for verification.
      Description | Description about the device
  3. In Step 2: Enter IP Range to Credential Associations, click New.
    1. Select the name of your credential from the Credentials drop-down list. The IP/Host Name field should auto-populate with "vm.frontline.cloud".
    2. Click Save.
  4. Click the Test drop-down list and select Test Connectivity to test the connection to Digital Defense Frontline Vulnerability Manager.
  5. To see the jobs associated with Digital Defense Frontline Vulnerability Manager, select ADMIN > Setup > Pull Events.
  6. To see the received events, select ANALYTICS, then enter "Frontline" in the search box.

Sample Logs

Frontline-Scan-Finished
{"ServerHostName":"vm.frontline.cloud","ServerIp":"54.196.81.232","account":{"id":3516,"name":"Fortinet Integration Test"},"account_id":3516,"account_user":"Dan Hanman","account_user_id":15006,"build_reports":false,"businessgroups":{},"date_finished":"2021-04-05T23:27:05.004265Z","date_modified":"2021-04-05T23:27:05.146169Z","date_started":"2021-04-05T23:27:03.489965Z","deleting":false,"description":"","exclude_from_active_view":false,"force_target_detection":false,"has_results":false,"host_count":0,"id":"298183_20210405T232500Z","is_rna_scan":true,"name":"Scan Mar 25, 2021 1:25PM","next_event":null,"phCustId":1,"scan_locations":"internal","scan_policy":"Default","status":"completed","status_message":null,"status_name":"Completed","workflow":"va_workflow"}
Frontline-Vuln-Detected
{"ServerHostName":"vm.frontline.cloud","ServerIp":"54.196.81.232","acceptable_risk":null,"active_view_active_risk_details":null,"active_view_active_risk_score":null,"active_view_date_created":null,"active_view_date_first_created":null,"active_view_threat_rank":null,"analyst_threat_intel":null,"cve":"","cvss_base_score_v2":0.0,"cvss_base_score_v3":null,"cvss_score":"0.0","cvss_version":"2.0","data":"Wordpress 4.0.6 detected","date_finished":null,"date_started":null,"detect_type":"remote","exploitability":{"exploited_in_wild":null,"has_exploit_func":false,"has_exploit_kit":null,"has_exploit_poc":null,"is_crimewareable":null,"is_exploitable":null,"is_priority_exploitable":null},"false_positive":false,"has_notes":false,"hidden":false,"hide_from_now_on":false,"host_hidden":false,"host_id":85634681,"hostname":"172.23.177.67","id":3202200906,"id_ddi":102095,"ip_address":"172.23.177.67","labels":[],"manually_added":false,"manually_added_date_fix_confirmed":null,"manually_added_fix_status_name":null,"matched_status":"new","phCustId":1,"port":80,"protocol":"http","scan_block_id":"548616","scan_id":"277898","scan_version":1016281,"scan_version_active_risk_details":null,"scan_version_active_risk_score":null,"scan_version_date_created":"2020-12-02T17:46:12.640112Z","scan_version_host_id":85634681,"scan_version_threat_rank":null,"scan_version_vulnerability_id":3202200906,"scanner_version":"3.0.26.2","severities":{"ddi":"info","ddi_alt":"trivial","nvd":"low","nvd_alt":"low","pci":"pass","pci_alt":"pass"},"threat_activity":{"1m":0,"1w":0,"1y":0,"3m":0,"total":0},"title":"Wordpress Detected","transport":"tcp","tunnel":"none","vuln_class":"explicit"}
Frontline-Device-Vuln-Score
{"ServerHostName":"vm.frontline.cloud","ServerIp":"54.196.81.232","active_view_active_risk_details":{"ars_unweighted":92.024999999999991,"exposure_score":{"domain":"WIN-30QQRC10MGG","domain_host_count":4,"domain_threat_rank":95.0,"external_asset":false,"subnet":null,"subnet_host_count":0,"subnet_threat_rank":0,"unweighted":68.5,"weight":0.050000000000000003,"weighted":3.4250000000000003},"risk_weight":{"host_risk_weight":50.0},"severity_score":{"unweighted":84,"weight":0.14999999999999999,"weighted":12.6},"threat_score":{"unweighted":95.0,"weight":0.80000000000000004,"weighted":76.0}},"active_view_cvss_version":2.0,"active_view_date_created":"2020-12-02T17:46:12.640112Z","active_view_date_first_created":"2020-12-02T17:46:12.640112Z","agent_uuid":null,"assessed_cis_auth":false,"assessed_db_auth":false,"assessed_os_auth":false,"assessed_threatscan_auth":true,"assessed_unauth":true,"auth_status":{"details":{},"extended_details":{"cis":null,"db":{"mssql":null,"mysql":null,"oracle":null,"postgresql":null},"os":{"linux":null,"vmware":null,"windows":null},"threatscan":"Threat Scan completed successfully"},"overall":"N/A"},"aws_instance_id":null,"base_scan_id":"277898","date_finished":null,"date_started":null,"discovery_method":"nbname","dns_name":"","dns_smartname":"WIN-30QQRC10MGG","has_antivirus":true,"has_crimewareable":null,"has_disabled_antivirus":false,"has_exploitable":null,"has_malware":false,"has_notes":false,"has_outdated_antivirus":false,"hidden":false,"hide_from_now_on":false,"hostname":"WIN-30QQRC10MGG","id":85634671,"internal":true,"ip_address":"172.23.177.55","is_compromised":false,"is_retired":false,"labels":[{"color":"blue","deleted":false,"display_name":"WIN-30QQRC10MGG","id":214189,"labeled_by":0,"location":1}],"mac_address":"00:50:56:8d:16:52","matched_status":"new","named_asset_name":null,"netbios_name":"WIN-30QQRC10MGG","netbios_smartname":"WIN-30QQRC10MGG","network_profile_id":7286,"network_profile_name":"Internal Scanner 
Profile","notes_distribution":{"asset":false,"asset_only":false,"vuln_only":false},"os":"Windows Server 2012 R2 Standard","os_family":"windows","os_type":"server","partially_scanned":false,"pentest_status":null,"phCustId":1,"scan_block_id":"548616","scan_id":"277898","scan_version":1016281,"scan_version_active":true,"scan_version_active_risk_details":{"ars_unweighted":92.024999999999991,"exposure_score":{"domain":"WIN-30QQRC10MGG","domain_host_count":4,"domain_threat_rank":95.0,"external_asset":false,"subnet":null,"subnet_host_count":0,"subnet_threat_rank":0,"unweighted":68.5,"weight":0.050000000000000003,"weighted":3.4250000000000003},"risk_weight":{"host_risk_weight":50.0},"severity_score":{"unweighted":84,"weight":0.14999999999999999,"weighted":12.6},"threat_score":{"unweighted":95.0,"weight":0.80000000000000004,"weighted":76.0}},"scan_version_active_risk_score":92.025000000000006,"scan_version_cvss_score":10.0,"scan_version_cvss_version":2.0,"scan_version_date_created":"2020-12-02T17:46:12.640112Z","scan_version_host_id":85634671,"scan_version_host_rating_list":{"ddi":"D","ddi_alt":"F","nvd":"High","nvd_alt":"High","pci":"Fail","pci_alt":"Fail"},"scan_version_host_severity_list":{"ddi":"high","nvd":"high","pci":"fail"},"scan_version_risk_score":175.0,"scan_version_risk_weight":50.0,"scan_version_threat_rank":95.0,"scan_version_vulnerability_count":29,"scan_version_vulnerability_severity_counts":{"unweighted":{"ddi":{"counts":{"critical":0,"high":1,"info":21,"low":0,"medium":1,"none":0,"trivial":6},"overall_security_gpa":1.0},"ddi_alt":{"counts":{"critical":1,"high":1,"info":0,"low":1,"medium":0,"none":0,"trivial":26},"overall_security_gpa":0},"nvd":{"counts":{"high":2,"low":24,"medium":3},"overall_security_gpa":0},"nvd_alt":{"counts":{"high":1,"low":27,"medium":1},"overall_security_gpa":0},"pci":{"counts":{"fail":2,"pass":27},"overall_security_gpa":0},"pci_alt":{"counts":{"fail":2,"pass":27},"overall_security_gpa":0}},"weighted":{"ddi":{"counts":{"critical":0,"h
igh":1,"info":21,"low":0,"medium":1,"none":0,"trivial":6},"overall_security_gpa":1.0},"ddi_alt":{"counts":{"critical":1,"high":1,"info":0,"low":1,"medium":0,"none":0,"trivial":26},"overall_security_gpa":0},"nvd":{"counts":{"high":2,"low":24,"medium":3},"overall_security_gpa":0},"nvd_alt":{"counts":{"high":1,"low":27,"medium":1},"overall_security_gpa":0},"pci":{"counts":{"fail":2,"pass":27},"overall_security_gpa":0},"pci_alt":{"counts":{"fail":2,"pass":27},"overall_security_gpa":0}}},"scanner_version":"3.0.26.2"}