Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 6.5.3 External Systems Configuration Guide
    6.5.3
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    Microsoft Active Directory

    Microsoft Active Directory

    What is Discovered and Monitored

    Protocol

    Information discovered

    Metrics collected

    Used for
    LDAP User details, Password age Security Monitoring, User meta data for log
    WMI

    		Win32_PerfRawData_NTDS_NTDS class: Directory Search Rate, Read Rate, Write Rate, Browse Rate, LDAP search rate, LDAP Bind Rate, New LDAP Connection Rate, Successful LDAP Bind Rate, LDAP Active Threads, LDAP Bind Time, LDAP Client Sessions Performance Monitoring
    WMI "dcdiag -e" command output - detect successful and failed domain controller diagnostic tests Domain Controller Replication status
    WMI "repadmin /replsummary" command output - detect replication statistics Domain Controller Replication status

    Event Types

    • PH_DISCOV_ADS_ACCOUNT_TO_EXPIRE (Active Directory account to expire in 2 weeks)
    • PH_DISCOV_ADS_ACCT_DISABLED (Accounts Disabled)
    • PH_DISCOV_ADS_DORMANT_ACCT (Dormant User Accounts - not log on in last 30 days)
    • PH_DISCOV_ADS_PASSWORD_NEVER_EXPIRES (Active Directory user password never expires)
    • PH_DISCOV_ADS_PASSWORD_NOT_REQD (Active Directory user password not required)
    • PH_DISCOV_ADS_PASSWORD_STALE (Active Directory user password stale - more than 90 days)
    • PH_DISCOV_ADS_PASSWORD_TO_EXPIRE (Active Directory user password to expire in 2 weeks)
    • PH_DEV_MON_DCDIAG (output of "dcdiag -e" command) 
      [PH_DEV_MON_DCDIAG]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,[errReason]="",[testResult]="passed",[testSubject]="WIN-IGO8O8M5JVT",[testName]="NCSecDesc"
    • PH_DEV_MON_SRC_AD_REPL_STAT (output of "repadmin /replsummary" command)
      [PH_DEV_MON_SRC_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT, [largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00,[srcName]="WIN-IGO8O8M5JVT",[errReason]=""
    • PH_DEV_MON_DST_AD_REPL_STAT (output of "repadmin /replsummary" command)
       [PH_DEV_MON_DST_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT, [largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00,[destName]="WIN-IGO8O8M5JVT",[errReason]=""

    Rules

    • Failed Windows DC Diagnostic Test

    Reports

    • Successful Windows Domain Controller Diagnostic Tests
    • Failed Windows Domain Controller Diagnostic Tests
    • Source Domain Controller Replication Status
    • Destination Domain Controller Replication Status

    Configuration

    WMI

    See WMI Configurations in the Microsoft Windows Server Configuration section.

    Active Directory User Discovery

    If you want to add Active Directory users to FortiSIEM, follow these steps in the FortiSIEM UI.

    1. Add the login credentials for Active Directory server and associate them to an IP range.
    2. Discover the Active Directory server.

    If the Active Directory server is discovered successfully, then all of the users and their properties will be added to FortiSIEM.

    After the users have been added to FortiSIEM, you can re-run discovery to get new changes from Active Directory. You cannot make changes in FortiSIEM as this will inevitably make FortiSIEM out of synch with Active Directory.

    Since Active Directory can contain many users, it is possible to choose a sub-tree by specifying a base DN (see below).

    Adding Active Directory Login Credentials to FortiSIEM
    1. Log in to your Supervisor UI.
    2. Go to ADMIN > Setup > Credentials.
    3. Click New to create an LDAP discovery credential by entering the following in the Access Method Definition dialog box:
      1. Name: a name for the credential.
      2. Device Type: select Microsoft Windows.
      3. Access Protocol:
        1. By default, LDAP servers listen on TCP port 389.
        2. LDAPS (LDAP with SSL) defaults to port 636.
        3. LDAP Start TLS defaults to port 389.
      4. Used For: select Microsoft Active Directory.
      5. Enter the root of the LDAP user tree that you want to discover. For example, dc=companyABC,dc=com or ou=Org1,dc=companyABC,dc=com
      6. NetBIOS/Domain: enter the NetBIOS/Domain value.
      7. User Name: enter the user name for your LDAP directory.

        The user should be a member of the Domain Users group in Active Directory. See the Validating LDAP Credentials and Permissions for information on how to validate this membership.

      8. Enter and confirm the Password for your User.
      9. Click Save. Your LDAP credentials will be added to the list of credentials.
    4. Under Enter IP Range to Credential Associations, click Add.
    5. Select your LDAP credentials from the list of Credentials. Click + to add more.
    6. Enter the IP/IP Range or host name for your Active Directory server.
    7. Click Save. Your LDAP credentials will appear in the list of credential/IP address associations.
    8. Click Test > Test Connectivity to make sure you can connect to the Active Directory server.
    Discovering Users in FortiSIEM
    1. Go to ADMIN > Setup > Discovery and click New.
    2. For Name, enter Active Directory.
    3. For Include, enter the IP address or host name for your Active Directory server.
    4. Click Save. Active Directory will be added to the list of discoverable devices.
    5. Select the Active Directory device and click Discover.
    6. After discovery completes, go to CMDB > Users to view the discovered users. You may need to click the Refresh icon to load the user tree hierarchy.

    To get user updates in Active Directory, simply re-run discovery.

    Validating LDAP Credentials and Permissions

    1. Log in to your Active Directory server.
    2. Open the Active Directory console from the command prompt and execute the dsa.msc command.
    3. From the Active Directory console, select the User that added in FortiSIEM Supervisor.

    4. Right click the selected User and check Properties.
    5. The User should be a member of Domain Users.
    6. On FortiSIEM Base DN should match, example: DC=accelops,DC=net.

    Mapping Active Directory User Attributes to FortiSIEM User Attributes

    The following table shows how user attributes in Microsoft Active Directory are shown in the FortiSIEM UI. To find Active Directory user attributes, take the following steps:

    1. Log in to Active Directory.
    2. Go to Active Directory Users and Computers.
    3. Click View > Enable Advanced Features.
    4. Find a user, and take the following steps:
      1. Double click user.
      2. Click Attribute Editor.
        You will see a set of attributes and the values they are set to.

    In FortiSIEM, user details can be found in CMDB > Users. First, click the tree node on the left that you have discovered, then locate the user in the right pane. Attributes are displayed on the main page and under Summary, Contact, and Member Of.

    Microsoft Active Directory User Attribute FortiSIEM User Attribute
    sAMAccoutName User Name
    name Full Name
    userPrincipalName <Not shown>
    mail Email

    telephoneNumber

    Work Phone

    mobile

    Mobile Phone

    title

    Job Title

    company

    Company

    department

    <Not shown>

    employeeID

    Employee ID

    manager

    Manager

    I

    <Not shown>

    postalCode

    ZIP

    streetAddress

    Address

    homePostalAddress

    <Not shown>

    c

    City

    st

    State

    co

    Country

    memberOf

    Member Of

    Previous
    Next

    Microsoft Active Directory

    Microsoft Active Directory

    What is Discovered and Monitored

    Protocol

    Information discovered

    Metrics collected

    Used for
    LDAP User details, Password age Security Monitoring, User meta data for log
    WMI

    		Win32_PerfRawData_NTDS_NTDS class: Directory Search Rate, Read Rate, Write Rate, Browse Rate, LDAP search rate, LDAP Bind Rate, New LDAP Connection Rate, Successful LDAP Bind Rate, LDAP Active Threads, LDAP Bind Time, LDAP Client Sessions Performance Monitoring
    WMI "dcdiag -e" command output - detect successful and failed domain controller diagnostic tests Domain Controller Replication status
    WMI "repadmin /replsummary" command output - detect replication statistics Domain Controller Replication status

    Event Types

    • PH_DISCOV_ADS_ACCOUNT_TO_EXPIRE (Active Directory account to expire in 2 weeks)
    • PH_DISCOV_ADS_ACCT_DISABLED (Accounts Disabled)
    • PH_DISCOV_ADS_DORMANT_ACCT (Dormant User Accounts - not log on in last 30 days)
    • PH_DISCOV_ADS_PASSWORD_NEVER_EXPIRES (Active Directory user password never expires)
    • PH_DISCOV_ADS_PASSWORD_NOT_REQD (Active Directory user password not required)
    • PH_DISCOV_ADS_PASSWORD_STALE (Active Directory user password stale - more than 90 days)
    • PH_DISCOV_ADS_PASSWORD_TO_EXPIRE (Active Directory user password to expire in 2 weeks)
    • PH_DEV_MON_DCDIAG (output of "dcdiag -e" command) 
      [PH_DEV_MON_DCDIAG]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT,[errReason]="",[testResult]="passed",[testSubject]="WIN-IGO8O8M5JVT",[testName]="NCSecDesc"
    • PH_DEV_MON_SRC_AD_REPL_STAT (output of "repadmin /replsummary" command)
      [PH_DEV_MON_SRC_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT, [largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00,[srcName]="WIN-IGO8O8M5JVT",[errReason]=""
    • PH_DEV_MON_DST_AD_REPL_STAT (output of "repadmin /replsummary" command)
       [PH_DEV_MON_DST_AD_REPL_STAT]:[hostIpAddr]=10.1.20.59,[hostName]=WIN-IGO8O8M5JVT, [largestReplDelta]=">60 days",[failureCount]=0.00,[count]=5.00,[failurePct]=0.00,[destName]="WIN-IGO8O8M5JVT",[errReason]=""

    Rules

    • Failed Windows DC Diagnostic Test

    Reports

    • Successful Windows Domain Controller Diagnostic Tests
    • Failed Windows Domain Controller Diagnostic Tests
    • Source Domain Controller Replication Status
    • Destination Domain Controller Replication Status

    Configuration

    WMI

    See WMI Configurations in the Microsoft Windows Server Configuration section.

    Active Directory User Discovery

    If you want to add Active Directory users to FortiSIEM, follow these steps in the FortiSIEM UI.

    1. Add the login credentials for Active Directory server and associate them to an IP range.
    2. Discover the Active Directory server.

    If the Active Directory server is discovered successfully, then all of the users and their properties will be added to FortiSIEM.

    After the users have been added to FortiSIEM, you can re-run discovery to get new changes from Active Directory. You cannot make changes in FortiSIEM as this will inevitably make FortiSIEM out of synch with Active Directory.

    Since Active Directory can contain many users, it is possible to choose a sub-tree by specifying a base DN (see below).

    Adding Active Directory Login Credentials to FortiSIEM
    1. Log in to your Supervisor UI.
    2. Go to ADMIN > Setup > Credentials.
    3. Click New to create an LDAP discovery credential by entering the following in the Access Method Definition dialog box:
      1. Name: a name for the credential.
      2. Device Type: select Microsoft Windows.
      3. Access Protocol:
        1. By default, LDAP servers listen on TCP port 389.
        2. LDAPS (LDAP with SSL) defaults to port 636.
        3. LDAP Start TLS defaults to port 389.
      4. Used For: select Microsoft Active Directory.
      5. Enter the root of the LDAP user tree that you want to discover. For example, dc=companyABC,dc=com or ou=Org1,dc=companyABC,dc=com
      6. NetBIOS/Domain: enter the NetBIOS/Domain value.
      7. User Name: enter the user name for your LDAP directory.

        The user should be a member of the Domain Users group in Active Directory. See the Validating LDAP Credentials and Permissions for information on how to validate this membership.

      8. Enter and confirm the Password for your User.
      9. Click Save. Your LDAP credentials will be added to the list of credentials.
    4. Under Enter IP Range to Credential Associations, click Add.
    5. Select your LDAP credentials from the list of Credentials. Click + to add more.
    6. Enter the IP/IP Range or host name for your Active Directory server.
    7. Click Save. Your LDAP credentials will appear in the list of credential/IP address associations.
    8. Click Test > Test Connectivity to make sure you can connect to the Active Directory server.
    Discovering Users in FortiSIEM
    1. Go to ADMIN > Setup > Discovery and click New.
    2. For Name, enter Active Directory.
    3. For Include, enter the IP address or host name for your Active Directory server.
    4. Click Save. Active Directory will be added to the list of discoverable devices.
    5. Select the Active Directory device and click Discover.
    6. After discovery completes, go to CMDB > Users to view the discovered users. You may need to click the Refresh icon to load the user tree hierarchy.

    To get user updates in Active Directory, simply re-run discovery.

    Validating LDAP Credentials and Permissions

    1. Log in to your Active Directory server.
    2. Open the Active Directory console from the command prompt and execute the dsa.msc command.
    3. From the Active Directory console, select the User that added in FortiSIEM Supervisor.

    4. Right click the selected User and check Properties.
    5. The User should be a member of Domain Users.
    6. On FortiSIEM Base DN should match, example: DC=accelops,DC=net.

    Mapping Active Directory User Attributes to FortiSIEM User Attributes

    The following table shows how user attributes in Microsoft Active Directory are shown in the FortiSIEM UI. To find Active Directory user attributes, take the following steps:

    1. Log in to Active Directory.
    2. Go to Active Directory Users and Computers.
    3. Click View > Enable Advanced Features.
    4. Find a user, and take the following steps:
      1. Double click user.
      2. Click Attribute Editor.
        You will see a set of attributes and the values they are set to.

    In FortiSIEM, user details can be found in CMDB > Users. First, click the tree node on the left that you have discovered, then locate the user in the right pane. Attributes are displayed on the main page and under Summary, Contact, and Member Of.

    Microsoft Active Directory User Attribute FortiSIEM User Attribute
    sAMAccoutName User Name
    name Full Name
    userPrincipalName <Not shown>
    mail Email

    telephoneNumber

    Work Phone

    mobile

    Mobile Phone

    title

    Job Title

    company

    Company

    department

    <Not shown>

    employeeID

    Employee ID

    manager

    Manager

    I

    <Not shown>

    postalCode

    ZIP

    streetAddress

    Address

    homePostalAddress

    <Not shown>

    c

    City

    st

    State

    co

    Country

    memberOf

    Member Of

    Previous
    Next