Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

External Systems Configuration Guide

Fortinet FortiInsight

FortiInsight is a unique data security and threat detection solution that delivers advanced threat hunting to help you spot, respond to, and manage risky behaviors that put your business-critical data at risk. It combines powerful and flexible Machine Learning with detailed forensics around user actions to bring focus to the facts more rapidly than other solutions.

What is Discovered and Monitored

Protocol Information collected Used for
FortiInsight API Policy based alerts and AI based alerts Data security, threat protection

This feature allows FortiSIEM to get Policy-based alerts and AI-based alerts from FortiInsight.

Event Types

In RESOURCES > Event Types, enter "FortiInsight" in the main content panel Search... field to see the event types associated with this device.

Rules

No defined rules.

Reports

In RESOURCES > Reports, enter "FortiInsight" in the main content panel Search... field to see the rules associated with this device.

Configuration in FortiInsight

Get an API Key in FortiInsight

Complete these steps in the FortiInsight UI:

  1. Login to FortiInsight.
  2. Select Admin > Account from the left menu.
  3. Click New API Key to open the New API Key dialog box.
  4. Enter a descriptive Name.
  5. Click Save to generate the API key. This will download a file containing the API key information (Client ID, Client Secret, and Name). Make a note of these values; you will need them when you configure FortiSIEM.

Configuration in FortiSIEM

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New to create a new credential.
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      Settings Description
      Name Enter a name for the credential
      Device Type Fortinet FortiSIEM
      Access Protocol FortiInsight API
      Pull Interval The interval in which FortiSIEM will pull events from FortiInsight. Default is 3 minutes.
      Client IDAccess key for your FortiInsight instance.
      Client Secret Secret key for your FortiInsight instance
      Organization The organization the device belongs to.
      Description Description of the device.
  3. In Step 2: Enter IP Range to Credential Associations, click New to create a new mapping.
    1. Enter a host name, an IP, or an IP range in the IP/Host Name field.
    2. Select the name of your Fortinet FortiInsight credential from the Credentials drop-down list.
    3. Click Save.
  4. Click the Test drop-down list and select Test Connectivity to test the connection to FortiInsight.
  5. To see the jobs associated with FortiInsight, select ADMIN > Setup > Pull Events.
  6. To see the received events select ANALYTICS, then enter "FortiInsight" in the search box.

Sample Events

[FORTIINSIGHT_POLICY_ALERT] = {"description":"","events":[{"act":"file downloaded","app":"chrome.exe","childId":null,"d":"2019-03-18T13:22:24.344+00:00","id":null,"m":"uqP","mn":{"dh":"tcp://server-10-230-2-153.lhr5.r.cloudfront.net","dip":"10.1.1.76","dp":61024,"ext":".mkv","fp":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv","fs":2307792448,"loc":{"altCode":null,"city":"Augsburg","code":"DE","country":"Germany","latitude":"48.3718","longitude":"10.8925"},"p":"tcp-ip-4","sip":"78.47.38.226","sp":443,"ts":1460},"r":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv-> tcp://server-54-230-2-153.lhr5.r.cloudfront.net:443","u":"acmeltd__engineer2"}],"extendedEvents":[{"act":"file downloaded","app":"chrome.exe","childId":null,"d":"2019-03-18T13:22:24.344+00:00","id":null,"latestHostname":"mimas","latestIp":"10.10.0.1","m":"uqP","mn":{"dh":"tcp://server-54-230-2-153.lhr5.r.cloudfront.net","dip":"10.1.1.76","dp":61024,"ext":".mkv","fp":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv","fs":2307792448,"loc":{"altCode":null,"city":"Augsburg","code":"DE","country":"Germany","latitude":"48.3718","longitude":"10.8925"},"p":"tcp-ip-4","sip":"78.47.38.226","sp":443,"ts":1460},"r":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv-> tcp://server-10-230-2-153.lhr5.r.cloudfront.net:443","resolvedUsername":"","u":"acmeltd__engineer2"}],"id":"AWmQ98PYg7b_-i6_5Rvg","labels":[""],"policyId":"default_6COnUMjTCB8N","policyName":"Browser Download","regimes":["ZoneFox"],"serverIp":"52.209.49.52","serverName":"fortisiemtest.dev.fortiinsight.cloud","severity":10,"status":"New","time":"2019-03-18T13:22:29.473715+00:00"}

Fortinet FortiInsight

FortiInsight is a unique data security and threat detection solution that delivers advanced threat hunting to help you spot, respond to, and manage risky behaviors that put your business-critical data at risk. It combines powerful and flexible Machine Learning with detailed forensics around user actions to bring focus to the facts more rapidly than other solutions.

What is Discovered and Monitored

Protocol Information collected Used for
FortiInsight API Policy based alerts and AI based alerts Data security, threat protection

This feature allows FortiSIEM to get Policy-based alerts and AI-based alerts from FortiInsight.

Event Types

In RESOURCES > Event Types, enter "FortiInsight" in the main content panel Search... field to see the event types associated with this device.

Rules

No defined rules.

Reports

In RESOURCES > Reports, enter "FortiInsight" in the main content panel Search... field to see the rules associated with this device.

Configuration in FortiInsight

Get an API Key in FortiInsight

Complete these steps in the FortiInsight UI:

  1. Login to FortiInsight.
  2. Select Admin > Account from the left menu.
  3. Click New API Key to open the New API Key dialog box.
  4. Enter a descriptive Name.
  5. Click Save to generate the API key. This will download a file containing the API key information (Client ID, Client Secret, and Name). Make a note of these values; you will need them when you configure FortiSIEM.

Configuration in FortiSIEM

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New to create a new credential.
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      Settings Description
      Name Enter a name for the credential
      Device Type Fortinet FortiSIEM
      Access Protocol FortiInsight API
      Pull Interval The interval in which FortiSIEM will pull events from FortiInsight. Default is 3 minutes.
      Client IDAccess key for your FortiInsight instance.
      Client Secret Secret key for your FortiInsight instance
      Organization The organization the device belongs to.
      Description Description of the device.
  3. In Step 2: Enter IP Range to Credential Associations, click New to create a new mapping.
    1. Enter a host name, an IP, or an IP range in the IP/Host Name field.
    2. Select the name of your Fortinet FortiInsight credential from the Credentials drop-down list.
    3. Click Save.
  4. Click the Test drop-down list and select Test Connectivity to test the connection to FortiInsight.
  5. To see the jobs associated with FortiInsight, select ADMIN > Setup > Pull Events.
  6. To see the received events select ANALYTICS, then enter "FortiInsight" in the search box.

Sample Events

[FORTIINSIGHT_POLICY_ALERT] = {"description":"","events":[{"act":"file downloaded","app":"chrome.exe","childId":null,"d":"2019-03-18T13:22:24.344+00:00","id":null,"m":"uqP","mn":{"dh":"tcp://server-10-230-2-153.lhr5.r.cloudfront.net","dip":"10.1.1.76","dp":61024,"ext":".mkv","fp":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv","fs":2307792448,"loc":{"altCode":null,"city":"Augsburg","code":"DE","country":"Germany","latitude":"48.3718","longitude":"10.8925"},"p":"tcp-ip-4","sip":"78.47.38.226","sp":443,"ts":1460},"r":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv-> tcp://server-54-230-2-153.lhr5.r.cloudfront.net:443","u":"acmeltd__engineer2"}],"extendedEvents":[{"act":"file downloaded","app":"chrome.exe","childId":null,"d":"2019-03-18T13:22:24.344+00:00","id":null,"latestHostname":"mimas","latestIp":"10.10.0.1","m":"uqP","mn":{"dh":"tcp://server-54-230-2-153.lhr5.r.cloudfront.net","dip":"10.1.1.76","dp":61024,"ext":".mkv","fp":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv","fs":2307792448,"loc":{"altCode":null,"city":"Augsburg","code":"DE","country":"Germany","latitude":"48.3718","longitude":"10.8925"},"p":"tcp-ip-4","sip":"78.47.38.226","sp":443,"ts":1460},"r":"c:\\users\\Administrator\\documents\\secret\\prototypedemo1.mkv-> tcp://server-10-230-2-153.lhr5.r.cloudfront.net:443","resolvedUsername":"","u":"acmeltd__engineer2"}],"id":"AWmQ98PYg7b_-i6_5Rvg","labels":[""],"policyId":"default_6COnUMjTCB8N","policyName":"Browser Download","regimes":["ZoneFox"],"serverIp":"52.209.49.52","serverName":"fortisiemtest.dev.fortiinsight.cloud","severity":10,"status":"New","time":"2019-03-18T13:22:29.473715+00:00"}