External Systems Configuration Guide

Fortinet FortiCASB

Integration Points

| Method | Information discovered | Metrics collected | LOGs collected | Used for |
| --- | --- | --- | --- | --- |
| API | | | | Security monitoring |

Event Types

Go to ADMIN > Device Support > Event Types and search for "FortiCASB" to see the event types associated with this device.

Rules

No specific rules are written for FortiCASB but generic end point rules apply.

Reports

No specific reports are written for FortiCASB but generic end point rules apply.

Configuration

Configure FortiCASB to send logs to FortiSIEM in the supported format (see Sample Events below).

Setup in FortiCASB

Take the following steps in FortiCASB.

  1. Log in to FortiCASB with your account.

  2. At the top right corner, click on the Switch Company icon.

  3. Click Manage Company to access the company setting.

  4. Select the API Setting tab.

  5. Click Generate New to generate a new API credential.

  6. In the Credential field, enter a credential name and click Generate Credential.

  7. Copy the credential information to be used later to call the FortiCASB API.
    Note: The credential will only be shown once, so keep it in a private and secured place.

    The generated credential can be used repeatedly as long as it is not revoked on FortiCASB.

Setup in FortiSIEM

FortiSIEM processes events from this device via the Fortinet FortiCASB API. Make sure to complete Setup in FortiCASB before proceeding here.

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      | Settings | Description |
      | --- | --- |
      | Name | Enter a name for the credential. |
      | Device Type | Fortinet FortiCASB |
      | Access Protocol | FortiCASB_API |
      | Pull Interval | 5 minutes |
      | Token | Provide the authorization token from your account. |
      | Confirm Token | Provide the authorization token from your account to confirm. |
      | Description | Description about the device |
  3. In Step 2: Enter IP Range to Credential Associations, click New.
    1. Select the name of your credential from the Credentials drop-down list. The IP/Host Name field will auto populate with "www.forticasb.com".
    2. Click Save.
  4. Click the Test drop-down list and select Test Connectivity to test the connection to FortiCASB.
  5. To see the jobs associated with FortiCASB, select ADMIN > Setup > Pull Events.
  6. To see the received events, select ANALYTICS, then enter "FortiCASB" in the search box.

Sample Events

[FortiCASB-EVENT] = {
   "alertType":"Data Analysis",
   "applicationId":"Y2lzY29zcGFyazovL3VzL09SR0FOSVpBVElPTi84NGI0NDZlMi0xYTU5LTQyZjQtOGVkMy05YmY4MjdiN2ZlMjg",
   "buId":84,
   "companyId":"62598",
   "contextName":"DLP Birthdate Policy",
   "createTime":1621250006181,
   "defineType":"Predefined",
   "displayOperation":"Upload File",
   "eventId":"62598-Webex-58cb1d3b6f30326cfca5e64d2f96fa5d",
   "eventIdList":[
      "62598-Webex-58cb1d3b6f30326cfca5e64d2f96fa5d"
   ],
   "fileId":"Y2lzY29zcGFyazovL3VybjpURUFNOnVzLXdlc3QtMl9yL0NPTlRFTlQvOWI2YjUzNzAtYjZmZi0xMWViLWE0NjAtMDE0ZTAzYTk3NmI3LzA",
   "id":"d6e52513ee1069437704271f1144d981",
   "matches":1,
   "object":"01-ssn-usercollaborator.doc",
   "objectId":"Y2lzY29zcGFyazovL3VybjpURUFNOnVzLXdlc3QtMl9yL0NPTlRFTlQvOWI2YjUzNzAtYjZmZi0xMWViLWE0NjAtMDE0ZTAzYTk3NmI3LzA",
   "objectType":"DOCUMENT",
   "phCustId":1,
   "policyCode":"FC-ACT-018",
   "policyId":"13285945",
   "policyName":"DLP Birthdate Policy",
   "resultDesc":"File \"  01-ssn-usercollaborator.doc  \"Matches the DLP Birthdate 1 times(s), the matched content are: \n(1) *****1972 \n\n\n null\n ",
   "serverHostName":"www.forticasb.com",
   "serverIp":"34.212.75.194",
   "service":"Webex",
   "severity":"Alert",
   "timestampUUID":"d6e52513ee1069437704271f1144d981",
   "updateTime":1621250006000,
   "user":"testadmin1@forticasb.com",
   "userId":"Y2lzY29zcGFyazovL3VzL1BFT1BMRS8zZGVmNDBhNC1kYTI1LTQ0ODctODFlOS0zNWJjYzk5MTA2YTA",
   "userName":"Test admin",
   "violationActivity":"WEBEX_CREATED_MESSAGES"
}
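
For anyone consuming these events outside FortiSIEM's built-in parser, the following added example (not Fortinet code) parses the sample format above and normalizes it for triage. It assumes createTime is epoch milliseconds and that resultDesc lists matched content as "(n) value"; parse_event and normalize are hypothetical helper names.

```python
import json
import re
from datetime import datetime, timezone

PREFIX = "[FortiCASB-EVENT] = "
REQUIRED = ("eventId", "createTime", "severity", "service", "user", "policyName")

# Constructed input: the page's sample event with the long opaque ID fields left out.
SAMPLE = r'''[FortiCASB-EVENT] = {
  "alertType":"Data Analysis", "createTime":1621250006181,
  "displayOperation":"Upload File",
  "eventId":"62598-Webex-58cb1d3b6f30326cfca5e64d2f96fa5d",
  "matches":1, "object":"01-ssn-usercollaborator.doc",
  "policyCode":"FC-ACT-018", "policyName":"DLP Birthdate Policy",
  "resultDesc":"File \"  01-ssn-usercollaborator.doc  \"Matches the DLP Birthdate 1 times(s), the matched content are: \n(1) *****1972 \n\n\n null\n ",
  "service":"Webex", "severity":"Alert", "user":"testadmin1@forticasb.com"
}'''

def parse_event(raw):
    """Strip the '[FortiCASB-EVENT] = ' prefix and decode the JSON body."""
    raw = raw.strip()
    if not raw.startswith(PREFIX):
        raise ValueError("missing FortiCASB event prefix")
    event = json.loads(raw[len(PREFIX):])
    if not isinstance(event, dict):
        raise ValueError("event body is not a JSON object")
    missing = [k for k in REQUIRED if k not in event]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return event

def normalize(event):
    """Reduce an event to the fields an analyst needs for triage."""
    # Assumption: createTime is epoch milliseconds (the sample decodes to May 2021).
    secs, ms = divmod(int(event["createTime"]), 1000)
    when = datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=ms * 1000)
    # resultDesc carries the matched content as "(n) value"; it is masked in the
    # sample, but the field should still be handled as sensitive data downstream.
    snippets = re.findall(r"\(\d+\)\s+(\S+)", event.get("resultDesc", ""))
    return {
        "time": when.isoformat(timespec="milliseconds"),
        "dedup_key": event["eventId"],  # unique per event in the sample
        "severity": event["severity"],
        "service": event["service"],
        "user": event["user"],
        "policy": event["policyName"],
        "masked_matches": snippets,
        # Flag events whose listed matches disagree with the "matches" counter.
        "count_consistent": len(snippets) == event.get("matches"),
    }
```
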
