|Protocol|Information collected|Used For|
|---|---|---|
|CloudPassage REST API|Halo: over 110 event types, including user login and account activity, server compliance and vulnerability status, server FIM and firewall policy modification, etc.|Security and Compliance|
FortiSIEM can pull events from CloudPassage Halo via the CloudPassage REST API. Currently, over 110 CloudPassage event types are parsed.
Use cases covered via the API:
- User login to Halo, and Halo user account creation, deletion and modification activity
- Vulnerable software package found, and compromised host detection
- Server FIM and firewall policy modification
- Server account creation
- Server login via GhostPorts
In RESOURCES > Event Types, search for "CloudPassage-Halo" in the main content panel Search... field to see the various event types for CloudPassage Halo.
Take the following steps to configure CloudPassage Halo for FortiSIEM.
Configuring CloudPassage Portal
Create an API Key to be used for FortiSIEM communication.
- Log in to your CloudPassage Halo portal.
- Create an API Key and API Secret for use in FortiSIEM.
Define CloudPassage Halo Credential in FortiSIEM
Use the API Key and Secret from the previous step to enable FortiSIEM access. Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.
- Go to the ADMIN > Setup > Credentials tab.
- In Step 1: Enter Credentials:
- Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
- Enter these settings in the Access Method Definition dialog box and click Save:
|Settings|Description|
|---|---|
|Name|Enter a name for the credential|
|Device Type|CloudPassage Halo|
|Access Protocol|Halo REST API|
|Pull Interval|5 minutes|
|Password config|For CyberArk and RAX_CustomerService, see Password Configuration. For Manual: set API Key ID to the API Key, and API Key Secret to the API Secret, obtained from the CloudPassage portal in Configuring CloudPassage Portal.|
|Organization|Choose the organization if it is an MSP deployment and the same credential is to be used for multiple customers.|
|Description|Description of the device.|
Create IP Range to Credential Association, Test Connectivity, and Event Checking
From the FortiSIEM Supervisor node, take the following steps (In ADMIN > Setup > Credentials).
- In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
- Enter "api.cloudpassage.com" in the IP/Host Name field.
- Select the name of the credential created in Define CloudPassage Halo Credential in FortiSIEM from the Credentials drop-down list.
- Click Save.
- Select the entry just created, click the Test drop-down list and select Test Connectivity without Ping. A pop-up will appear and show the Test Connectivity results. The Supervisor needs outbound HTTPS (TCP 443) to api.cloudpassage.com for this test and for the pull itself; a failure here is usually a rejected API Key/Secret or a blocked egress path.
- Go to ADMIN > Setup > Pull Events. FortiSIEM will start to pull events from the CloudPassage portal using the API at the configured Pull Interval.
- Test for received CloudPassage Halo events by navigating to ADMIN > Setup > Pull Events, selecting a CloudPassage Halo event and clicking Report. The system will take you to the ANALYTICS tab and run a query to display the events received from CloudPassage in the last 15 minutes. You can modify the time interval to see more events.
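What the 5-minute pull configured above actually does on the wire, sketched as an added example; this is not FortiSIEM's collector or CloudPassage's own code. The OAuth2 client-credentials exchange (HTTP Basic with API Key ID:Secret), the `/v1/events` path and its `since`/`page` parameters, and the event field and type names are assumptions not stated on this page. The in-memory `FakeHalo` stands in for api.cloudpassage.com so the script runs offline, and `credential_check` is the offline analogue of Test Connectivity without Ping.

```python
"""Sketch of a Halo REST API event pull. Added example, not FortiSIEM or
CloudPassage code. Assumed, not stated on the page: OAuth2 client-credentials
at POST /oauth/access_token?grant_type=client_credentials with HTTP Basic
key_id:secret, paginated GET /v1/events?since=...&page=..., and event JSON
with "type", "created_at", "server_hostname" and "message" fields."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timezone

API_BASE = "https://api.cloudpassage.com"  # the host entered in IP/Host Name

# Event-type prefixes for the page's use cases; the prefix strings are
# constructed placeholders, not CloudPassage's real event type names.
USE_CASES = {
    "halo_login": "User login to Halo",
    "halo_user": "Halo user account activity",
    "sv_vuln": "Vulnerable software package",
    "fim": "File integrity (FIM)",
    "fw_policy": "Firewall policy modification",
    "sv_account": "Server account creation",
    "ghostport": "Server login via GhostPorts",
}

def default_http(method, url, headers, body=None):
    """Real transport: perform the HTTPS request and return the JSON body."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())

def get_token(key_id, secret, http=default_http):
    """Exchange the API Key ID and Secret for a short-lived bearer token."""
    basic = base64.b64encode(f"{key_id}:{secret}".encode()).decode()
    url = f"{API_BASE}/oauth/access_token?grant_type=client_credentials"
    return http("POST", url, {"Authorization": f"Basic {basic}"}, b"")["access_token"]

def credential_check(key_id, secret, http=default_http):
    """Offline analogue of Test Connectivity: True only if the key pair yields a token."""
    try:
        return bool(get_token(key_id, secret, http))
    except (PermissionError, urllib.error.HTTPError):
        return False

def pull_events(token, since, http=default_http):
    """Fetch every event created at or after `since`, following pagination."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    events, page = [], 1
    while True:
        url = f"{API_BASE}/v1/events?since={stamp}&per_page=100&page={page}"
        data = http("GET", url, {"Authorization": f"Bearer {token}"})
        events.extend(data.get("events", []))
        if not data.get("pagination", {}).get("next"):
            return events
        page += 1

def classify(event):
    """Map an event to one of the page's use cases, or None if unmatched."""
    etype = event.get("type", "")
    return next((lbl for pfx, lbl in USE_CASES.items() if etype.startswith(pfx)), None)

def poll_once(key_id, secret, last_pull, http=default_http):
    """One pull cycle: authenticate, fetch since the last pull, count per use case."""
    events = pull_events(get_token(key_id, secret, http), last_pull, http)
    summary = {}
    for ev in events:
        label = classify(ev) or "other"
        summary[label] = summary.get(label, 0) + 1
    return events, summary

# Constructed sample events (values invented for this example); the first one
# predates the pull window and must be skipped.
SAMPLE_EVENTS = [
    {"type": "halo_user_created", "created_at": "2024-03-01T11:50:00Z", "server_hostname": None, "message": "user carol created"},
    {"type": "halo_login_success", "created_at": "2024-03-01T12:01:00Z", "server_hostname": None, "message": "alice logged in"},
    {"type": "sv_vuln_package_found", "created_at": "2024-03-01T12:02:00Z", "server_hostname": "web-01", "message": "openssl vulnerable"},
    {"type": "fim_target_integrity_changed", "created_at": "2024-03-01T12:03:00Z", "server_hostname": "web-01", "message": "/etc/passwd changed"},
    {"type": "ghostport_login_success", "created_at": "2024-03-01T12:04:00Z", "server_hostname": "db-01", "message": "bob opened SSH"},
]

class FakeHalo:
    """In-memory stand-in for api.cloudpassage.com so the example runs offline."""
    def __init__(self, key_id, secret, events, per_page=2):
        self.basic = base64.b64encode(f"{key_id}:{secret}".encode()).decode()
        self.events, self.per_page = events, per_page

    def __call__(self, method, url, headers, body=None):
        if "grant_type=client_credentials" in url:  # token endpoint
            if headers.get("Authorization") != f"Basic {self.basic}":
                raise PermissionError("401: API Key ID or Secret rejected")
            return {"access_token": "tok-123", "expires_in": 900}
        if headers.get("Authorization") != "Bearer tok-123":  # events endpoint
            raise PermissionError("401: bearer token missing or expired")
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        page, since = int(qs["page"][0]), qs["since"][0]
        fresh = [e for e in self.events if e["created_at"] >= since]
        chunk = fresh[(page - 1) * self.per_page:page * self.per_page]
        more = page * self.per_page < len(fresh)
        return {"events": chunk, "pagination": {"next": "more" if more else None}}

def demo():
    """One pull cycle against the fake API, as FortiSIEM would run it per interval."""
    fake = FakeHalo("key-id", "secret", SAMPLE_EVENTS)
    last_pull = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    return poll_once("key-id", "secret", last_pull, http=fake)

if __name__ == "__main__":
    print(demo()[1])
```

Running it prints the per-use-case counts for the four events inside the window; the fake pages two events at a time so the pagination loop is exercised. To hit the live API, pass real credentials and leave `http` at `default_http`, which goes out over HTTPS to api.cloudpassage.com exactly as the Supervisor must be allowed to.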