Digital Defense Frontline Vulnerability Manager
What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For |
---|---|---|---|
Frontline REST API | Host name, Vulnerability name, Vulnerability CVE ID, Vulnerability score, Operating system | | Security Monitoring |
Event Types
In ADMIN > Device Support > Event Types, search for "Digital Defense" to see the event types associated with this device. In FortiSIEM 6.3.0, there are 3 event types defined.
Rules
There are no specific rules available for Digital Defense Frontline Vulnerability Manager, but the rule "Scanner found severe vulnerability" applies.
Reports
There are no specific reports available for Digital Defense Frontline Vulnerability Manager, but the report "Host vulnerabilities found by scanner" can be used.
Configuration
Setup in Digital Defense Frontline Vulnerability Manager
Complete these steps from the Frontline Vulnerability Manager Portal.
- Log into Frontline VM.
- In the site header, select your name and choose My profile.
- On the API Tokens tab, select Create new token.
- In the Add New Token dialog, enter a token name, and select OK. Your token should be created.
- Below your token name, select Click to show key to display your API Key.
- Copy this API Key; you will enter it as the Token during Setup in FortiSIEM below.
Setup in FortiSIEM
FortiSIEM processes events from the Vulnerability Manager via the Digital Defense API. Obtain your API Key from the Frontline Vulnerability Manager Portal before proceeding.
Complete these steps in the FortiSIEM UI:
- Go to the ADMIN > Setup > Credentials tab.
- In Step 1: Enter Credentials:
- Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
- Enter these settings in the Access Method Definition dialog box, and click Save when done.
Settings | Description
---|---
Name | Enter a name for the credential.
Device Type | Digital Defense Frontline Vulnerability Manager
Access Protocol | FRONTLINE_API
Pull Interval | 5 minutes
Token | Input the API Key from your Digital Defense Frontline Vulnerability Manager API.
Confirm Token | Input the same API Key as above for verification.
Description | Description about the device
- In Step 2: Enter IP Range to Credential Associations, click New.
- Select the name of your credential from the Credentials drop-down list. The IP/Host Name field should auto-populate with "vm.frontline.cloud".
- Click Save.
- Click the Test drop-down list and select Test Connectivity to test the connection to Digital Defense Frontline Vulnerability Manager.
- To see the jobs associated with Digital Defense Frontline Vulnerability Manager, select ADMIN > Setup > Pull Events.
- To see the received events, select ANALYTICS, then enter "Frontline" in the search box.
Sample Logs
Frontline-Scan-Finished
{"ServerHostName":"vm.frontline.cloud","ServerIp":"54.196.81.232","account":{"id":3516,"name":"Fortinet Integration Test"},"account_id":3516,"account_user":"Dan Hanman","account_user_id":15006,"build_reports":false,"businessgroups":{},"date_finished":"2021-04-05T23:27:05.004265Z","date_modified":"2021-04-05T23:27:05.146169Z","date_started":"2021-04-05T23:27:03.489965Z","deleting":false,"description":"","exclude_from_active_view":false,"force_target_detection":false,"has_results":false,"host_count":0,"id":"298183_20210405T232500Z","is_rna_scan":true,"name":"Scan Mar 25, 2021 1:25PM","next_event":null,"phCustId":1,"scan_locations":"internal","scan_policy":"Default","status":"completed","status_message":null,"status_name":"Completed","workflow":"va_workflow"}
Frontline-Vuln-Detected
{"ServerHostName":"vm.frontline.cloud","ServerIp":"54.196.81.232","acceptable_risk":null,"active_view_active_risk_details":null,"active_view_active_risk_score":null,"active_view_date_created":null,"active_view_date_first_created":null,"active_view_threat_rank":null,"analyst_threat_intel":null,"cve":"","cvss_base_score_v2":0.0,"cvss_base_score_v3":null,"cvss_score":"0.0","cvss_version":"2.0","data":"Wordpress 4.0.6 detected","date_finished":null,"date_started":null,"detect_type":"remote","exploitability":{"exploited_in_wild":null,"has_exploit_func":false,"has_exploit_kit":null,"has_exploit_poc":null,"is_crimewareable":null,"is_exploitable":null,"is_priority_exploitable":null},"false_positive":false,"has_notes":false,"hidden":false,"hide_from_now_on":false,"host_hidden":false,"host_id":85634681,"hostname":"172.23.177.67","id":3202200906,"id_ddi":102095,"ip_address":"172.23.177.67","labels":[],"manually_added":false,"manually_added_date_fix_confirmed":null,"manually_added_fix_status_name":null,"matched_status":"new","phCustId":1,"port":80,"protocol":"http","scan_block_id":"548616","scan_id":"277898","scan_version":1016281,"scan_version_active_risk_details":null,"scan_version_active_risk_score":null,"scan_version_date_created":"2020-12-02T17:46:12.640112Z","scan_version_host_id":85634681,"scan_version_threat_rank":null,"scan_version_vulnerability_id":3202200906,"scanner_version":"3.0.26.2","severities":{"ddi":"info","ddi_alt":"trivial","nvd":"low","nvd_alt":"low","pci":"pass","pci_alt":"pass"},"threat_activity":{"1m":0,"1w":0,"1y":0,"3m":0,"total":0},"title":"Wordpress Detected","transport":"tcp","tunnel":"none","vuln_class":"explicit"}
Frontline-Device-Vuln-Score
{"ServerHostName":"vm.frontline.cloud","ServerIp":"54.196.81.232","active_view_active_risk_details":{"ars_unweighted":92.024999999999991,"exposure_score":{"domain":"WIN-30QQRC10MGG","domain_host_count":4,"domain_threat_rank":95.0,"external_asset":false,"subnet":null,"subnet_host_count":0,"subnet_threat_rank":0,"unweighted":68.5,"weight":0.050000000000000003,"weighted":3.4250000000000003},"risk_weight":{"host_risk_weight":50.0},"severity_score":{"unweighted":84,"weight":0.14999999999999999,"weighted":12.6},"threat_score":{"unweighted":95.0,"weight":0.80000000000000004,"weighted":76.0}},"active_view_cvss_version":2.0,"active_view_date_created":"2020-12-02T17:46:12.640112Z","active_view_date_first_created":"2020-12-02T17:46:12.640112Z","agent_uuid":null,"assessed_cis_auth":false,"assessed_db_auth":false,"assessed_os_auth":false,"assessed_threatscan_auth":true,"assessed_unauth":true,"auth_status":{"details":{},"extended_details":{"cis":null,"db":{"mssql":null,"mysql":null,"oracle":null,"postgresql":null},"os":{"linux":null,"vmware":null,"windows":null},"threatscan":"Threat Scan completed successfully"},"overall":"N/A"},"aws_instance_id":null,"base_scan_id":"277898","date_finished":null,"date_started":null,"discovery_method":"nbname","dns_name":"","dns_smartname":"WIN-30QQRC10MGG","has_antivirus":true,"has_crimewareable":null,"has_disabled_antivirus":false,"has_exploitable":null,"has_malware":false,"has_notes":false,"has_outdated_antivirus":false,"hidden":false,"hide_from_now_on":false,"hostname":"WIN-30QQRC10MGG","id":85634671,"internal":true,"ip_address":"172.23.177.55","is_compromised":false,"is_retired":false,"labels":[{"color":"blue","deleted":false,"display_name":"WIN-30QQRC10MGG","id":214189,"labeled_by":0,"location":1}],"mac_address":"00:50:56:8d:16:52","matched_status":"new","named_asset_name":null,"netbios_name":"WIN-30QQRC10MGG","netbios_smartname":"WIN-30QQRC10MGG","network_profile_id":7286,"network_profile_name":"Internal Scanner Profile","notes_distribution":{"asset":false,"asset_only":false,"vuln_only":false},"os":"Windows Server 2012 R2 Standard","os_family":"windows","os_type":"server","partially_scanned":false,"pentest_status":null,"phCustId":1,"scan_block_id":"548616","scan_id":"277898","scan_version":1016281,"scan_version_active":true,"scan_version_active_risk_details":{"ars_unweighted":92.024999999999991,"exposure_score":{"domain":"WIN-30QQRC10MGG","domain_host_count":4,"domain_threat_rank":95.0,"external_asset":false,"subnet":null,"subnet_host_count":0,"subnet_threat_rank":0,"unweighted":68.5,"weight":0.050000000000000003,"weighted":3.4250000000000003},"risk_weight":{"host_risk_weight":50.0},"severity_score":{"unweighted":84,"weight":0.14999999999999999,"weighted":12.6},"threat_score":{"unweighted":95.0,"weight":0.80000000000000004,"weighted":76.0}},"scan_version_active_risk_score":92.025000000000006,"scan_version_cvss_score":10.0,"scan_version_cvss_version":2.0,"scan_version_date_created":"2020-12-02T17:46:12.640112Z","scan_version_host_id":85634671,"scan_version_host_rating_list":{"ddi":"D","ddi_alt":"F","nvd":"High","nvd_alt":"High","pci":"Fail","pci_alt":"Fail"},"scan_version_host_severity_list":{"ddi":"high","nvd":"high","pci":"fail"},"scan_version_risk_score":175.0,"scan_version_risk_weight":50.0,"scan_version_threat_rank":95.0,"scan_version_vulnerability_count":29,"scan_version_vulnerability_severity_counts":{"unweighted":{"ddi":{"counts":{"critical":0,"high":1,"info":21,"low":0,"medium":1,"none":0,"trivial":6},"overall_security_gpa":1.0},"ddi_alt":{"counts":{"critical":1,"high":1,"info":0,"low":1,"medium":0,"none":0,"trivial":26},"overall_security_gpa":0},"nvd":{"counts":{"high":2,"low":24,"medium":3},"overall_security_gpa":0},"nvd_alt":{"counts":{"high":1,"low":27,"medium":1},"overall_security_gpa":0},"pci":{"counts":{"fail":2,"pass":27},"overall_security_gpa":0},"pci_alt":{"counts":{"fail":2,"pass":27},"overall_security_gpa":0}},"weighted":{"ddi":{"counts":{"critical":0,"high":1,"info":21,"low":0,"medium":1,"none":0,"trivial":6},"overall_security_gpa":1.0},"ddi_alt":{"counts":{"critical":1,"high":1,"info":0,"low":1,"medium":0,"none":0,"trivial":26},"overall_security_gpa":0},"nvd":{"counts":{"high":2,"low":24,"medium":3},"overall_security_gpa":0},"nvd_alt":{"counts":{"high":1,"low":27,"medium":1},"overall_security_gpa":0},"pci":{"counts":{"fail":2,"pass":27},"overall_security_gpa":0},"pci_alt":{"counts":{"fail":2,"pass":27},"overall_security_gpa":0}}},"scanner_version":"3.0.26.2"}