
External Systems Configuration Guide

Bit9 Security Platform

What is Discovered and Monitored

Protocol   Information Discovered   Metrics Collected   Used For
Syslog                              Logs                Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "Bit9" to see the event types associated with this device. 

Rules

  • Bit9 Agent Uninstalled or File Tracking Disabled
  • Bit9 Fatal Errors
  • Blocked File Execution
  • Unapproved File Execution

Reports

  • Bit9 Account Group Changes
  • Bit9 Fatal and Warnings Issues
  • Bit9 Functionality Stopped
  • Bit9 Security Configuration Downgrades

Bit9 Configuration

Syslog

FortiSIEM processes events from this device via syslog. Configure the device to send syslog to FortiSIEM on port 514.

Sample Syslog

<14>1 2015-04-06T16:24:02Z server1.foo.com - - - - Bit9 event:  text="Server discovered new file 'c:\usersacct\appdata\local\temp\3cziegdd.dll' [361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f]." type="Discovery" subtype="New file on network" hostname="SVR123" username="SVR123\acct" date="4/6/2015 4:22:52 PM" ip_address="10.168.1.1" process="c:\abc\infrastructure\bin\scannerreset.exe" file_path="c:\users\acct\appdata\local\temp\3cziegdd.dll" file_name="3cziegdd.dll" file_hash="361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f" installer_name="csc.exe" policy="High Enforce" process_key="00000000-0000-1258-01d0-7085edb50080" server_version="7.2.0.1395" file_trust="-2" file_threat="-2" process_trust="-1" process_threat="-1"
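To show how an event in this format is taken apart, the following is an added Python example (not FortiSIEM's or Bit9's own parser): it splits the RFC 5424 header from the Bit9 key="value" body, using the sample line above as constructed input. The output field names facility, severity, timestamp and relay_host are this example's own choice, and it assumes the structured-data element is the literal "-" as in the sample.

```python
import re
from typing import Dict

# Constructed sample: the event from the "Sample Syslog" section above,
# split across raw string literals because of the Windows backslashes.
SAMPLE = (
    r'<14>1 2015-04-06T16:24:02Z server1.foo.com - - - - Bit9 event:  '
    r'text="Server discovered new file '
    r"'c:\usersacct\appdata\local\temp\3cziegdd.dll' "
    r'[361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f]." '
    r'type="Discovery" subtype="New file on network" hostname="SVR123" '
    r'username="SVR123\acct" date="4/6/2015 4:22:52 PM" ip_address="10.168.1.1" '
    r'process="c:\abc\infrastructure\bin\scannerreset.exe" '
    r'file_path="c:\users\acct\appdata\local\temp\3cziegdd.dll" '
    r'file_name="3cziegdd.dll" '
    r'file_hash="361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f" '
    r'installer_name="csc.exe" policy="High Enforce" '
    r'process_key="00000000-0000-1258-01d0-7085edb50080" server_version="7.2.0.1395" '
    r'file_trust="-2" file_threat="-2" process_trust="-1" process_threat="-1"'
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# (assumes SD is the single token "-", as in the Bit9 sample; a real SD element
# containing spaces would need a dedicated parser).
HEADER_RE = re.compile(r'^<(\d{1,3})>(\d) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$')
# Bit9 body: "Bit9 event:" followed by key="value" pairs (values hold no double quotes).
KV_RE = re.compile(r'(\w+)="([^"]*)"')
SHA256_RE = re.compile(r'^[0-9a-f]{64}$')


def parse_bit9_syslog(line: str) -> Dict[str, str]:
    """Return header fields plus every key="value" pair from a Bit9 syslog event."""
    m = HEADER_RE.match(line.rstrip('\r\n'))
    if not m:
        raise ValueError('not an RFC 5424 syslog line')
    pri = int(m.group(1))
    event = {
        'facility': str(pri // 8),   # <14>: 14 // 8 = 1 (user-level)
        'severity': str(pri % 8),    # <14>: 14 % 8 = 6 (informational)
        'timestamp': m.group(3),
        'relay_host': m.group(4),    # the syslog sender (Bit9 server), not the endpoint
    }
    msg = m.group(9)
    if not msg.startswith('Bit9 event:'):
        raise ValueError('not a Bit9 event')
    event.update(KV_RE.findall(msg))   # endpoint fields: hostname, username, file_hash, ...
    # Match on the structured file_hash field, not the hash echoed inside text=.
    if 'file_hash' in event and not SHA256_RE.match(event['file_hash'].lower()):
        raise ValueError('file_hash is not a SHA-256 hex digest')
    return event
```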
