Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

External Systems Configuration Guide

CloudPassage Halo

Integration Points

Protocol Information collected Used For
CloudPassage REST API Halo– over 110 event types including User login and account activity, server compliance and vulnerability status, server FIM and firewall policy modification etc. Security and Compliance

CloudPassage REST API Integration

FortiSIEM can pull logs from CloudPassage Halo via the CloudPassage REST API. Currently, over 110 CloudPassage event types are parsed.

Use cases covered via API:

  • User login to Halo and user account creation/deletion/modification activity
  • Vulnerable software package found and Compromised host detection
  • Server FIM, Firewall policy modification
  • Server account creation
  • Server login via ghostport

Event Types

In RESOURCES > Event Types, search for "CloudPassage-Halo" in the main content panel Search... field to see the various event types for CloudPassage Halo.

 

Configuration

Take the following steps to configure CloudPassage Halo for FortiSIEM.

Configuring CloudPassage Portal

Create an API Key to be used for FortiSIEM communication.

  1. Log in to your CloudPassage Halo portal.
  2. Create an API Key and API Secret for use in FortiSIEM.

 

Define CloudPassage Halo Credential in FortiSIEM

Use the API Key and Secret in the previous step to enable FortiSIEM access. Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:
    1. Settings Description
      Name Enter a name for the credential
      Device Type CloudPassage Halo
      Access Protocol Halo REST API
      Pull Interval 5 minutes
      Password config

      For CyberArk and RAX_CustomerService, see Password Configuration.

      For Manual, see the following:

      1. Set API Key ID to API Key obtained from the CloudPassage portal in Configuring CloudPassage Portal.
      2. Set API Key Secret to API Secret obtained from the CloudPassage portal in Configuring CloudPassage Portal.
      Organization Choose the organization if it is an MSP deployment and the same credential is to be used for multiple customers.
      Description Description of the device.
  • Create IP Range to Credential Association, Test Connectivity, and Event Checking

    From the FortiSIEM Supervisor node, take the following steps (In ADMIN > Setup > Credentials).

    1. In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
      1. Enter "api.cloudpassage.com" in the IP/Host Name field.
      2. Select the name of the credential created in Define CloudPassage Halo Credential in FortiSIEM from the Credentials drop-down list.
      3. Click Save.
    2. Select the entry just created and click the Test drop-down list and select Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
    3. Go to ADMIN > Setup > Pull Events. FortiSIEM will start to pull events from CloudPassage portal using the API.
    4. Test for received CloudPassage Halo events by navigating to ADMIN > Setup > Pull Events, selecting a CloudPassage Halo event and clicking Report. The system will take you to the ANALYTICS tab and run a query to display the events received from CloudPassage in the last 15 minutes. You can modify the time interval to get more events.

     

    CloudPassage Halo

    Integration Points

    Protocol Information collected Used For
    CloudPassage REST API Halo– over 110 event types including User login and account activity, server compliance and vulnerability status, server FIM and firewall policy modification etc. Security and Compliance

    CloudPassage REST API Integration

    FortiSIEM can pull logs from CloudPassage Halo via the CloudPassage REST API. Currently, over 110 CloudPassage event types are parsed.

    Use cases covered via API:

    • User login to Halo and user account creation/deletion/modification activity
    • Vulnerable software package found and Compromised host detection
    • Server FIM, Firewall policy modification
    • Server account creation
    • Server login via ghostport

    Event Types

    In RESOURCES > Event Types, search for "CloudPassage-Halo" in the main content panel Search... field to see the various event types for CloudPassage Halo.

     

    Configuration

    Take the following steps to configure CloudPassage Halo for FortiSIEM.

    Configuring CloudPassage Portal

    Create an API Key to be used for FortiSIEM communication.

    1. Log in to your CloudPassage Halo portal.
    2. Create an API Key and API Secret for use in FortiSIEM.

     

    Define CloudPassage Halo Credential in FortiSIEM

    Use the API Key and Secret in the previous step to enable FortiSIEM access. Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

    1. Go to the ADMIN > Setup > Credentials tab.
    2. In Step 1: Enter Credentials:
      1. Follow the instructions in “Setting Credentials“ in the User's Guide to create a new credential.
      2. Enter these settings in the Access Method Definition dialog box and click Save:
    1. Settings Description
      Name Enter a name for the credential
      Device Type CloudPassage Halo
      Access Protocol Halo REST API
      Pull Interval 5 minutes
      Password config

      For CyberArk and RAX_CustomerService, see Password Configuration.

      For Manual, see the following:

      1. Set API Key ID to API Key obtained from the CloudPassage portal in Configuring CloudPassage Portal.
      2. Set API Key Secret to API Secret obtained from the CloudPassage portal in Configuring CloudPassage Portal.
      Organization Choose the organization if it is an MSP deployment and the same credential is to be used for multiple customers.
      Description Description of the device.
  • Create IP Range to Credential Association, Test Connectivity, and Event Checking

    From the FortiSIEM Supervisor node, take the following steps (In ADMIN > Setup > Credentials).

    1. In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
      1. Enter "api.cloudpassage.com" in the IP/Host Name field.
      2. Select the name of the credential created in Define CloudPassage Halo Credential in FortiSIEM from the Credentials drop-down list.
      3. Click Save.
    2. Select the entry just created and click the Test drop-down list and select Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
    3. Go to ADMIN > Setup > Pull Events. FortiSIEM will start to pull events from CloudPassage portal using the API.
    4. Test for received CloudPassage Halo events by navigating to ADMIN > Setup > Pull Events, selecting a CloudPassage Halo event and clicking Report. The system will take you to the ANALYTICS tab and run a query to display the events received from CloudPassage in the last 15 minutes. You can modify the time interval to get more events.