External Systems Configuration Guide

Cybereason

Support Added: FortiSIEM 6.5.0

Vendor Version Tested: Not Provided

Vendor: Cybereason

Product: Cybereason

Product Information: https://www.cybereason.com/

What is Discovered and Monitored

Protocol               | Information Discovered | Metrics/Logs Collected | Used For
-----------------------|------------------------|------------------------|-----------------------------------
Syslog (CEF formatted) |                        | Security logs          | Security and Compliance monitoring

Configuration

Configure the Cybereason platform to send CEF-formatted logs to FortiSIEM over syslog. FortiSIEM parses these events automatically; no configuration is required on the FortiSIEM side.

Sample Events

Feb 10 13:06:43 xxxx syslogLogger CEF:0|Cybereason|Cybereason||Malop|Malop Created|10|cs1Label=malopId cs1=11.-1587922454714582908 cs2Label=malopDetectionType cs2=CNC cs3Label=malopActivityType cs3=MALICIOUS_INFECTION cs4Label=malopSuspect cs4=powershell.exe cs5Label=malopKeySuspicion cs5=Malicious use of PowerShell / .NET deviceCustomDate1Label=malopCreationTime deviceCustomDate1=Feb 10 2021, 13:06:43 UTC deviceCustomDate2Label=malopUpdateTime deviceCustomDate2=Feb 10 2021, 13:06:43 UTC cn1Label=affectedMachinesCount cn1=1 cn2Label=affectedUsers cn2=1 cs6Label=linkToMalop cs6=https://cripya.cybereason.net:443/#/malop/11.-1587922454714582908

Feb 9 08:55:48 XXXX syslogLogger CEF:0|Cybereason|Cybereason||Malop|Malop Machine Information|10|cs1Label=malopId cs1=11.7905079038751140000 cs2Label=affectedMachine cs2=MACHINE1 deviceCustomDate1Label=malopUpdateTime deviceCustomDate1=Feb 09 2021, 08:55:48 UTC cn1Label=affectedMachinesCount cn1=6

Feb 10 13:46:29 XXX auditSyslogLogger CEF:0|Cybereason|Cybereason||UserAction|Investigation/Query|0|cs1Label=username cs1=/user@company.com cn1Label=actionSuccess cn1=1 deviceCustomDate1Label=userActionTime deviceCustomDate1=Feb 10 2021, 13:46:29 UTC cs2Label=QueryDetails cs2=User > Process > Connection
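The sample events above follow the CEF layout: a syslog prefix (timestamp, host, logger tag), then a pipe-delimited header (version, vendor, product, device version, signature ID, name, severity; an empty fourth field here because Cybereason sends no device version), then a space-separated extension of key=value pairs in which values may themselves contain spaces (cs5, deviceCustomDate1) and each custom field is named by a sibling *Label key (cs1Label=malopId gives cs1 its meaning). The following parser is an added example, written for this page; it is neither FortiSIEM's parser nor Cybereason code. It takes the three sample events shown above as input, resolves the Label pairs into named fields, and ends with a small triage helper (malops_at_or_above, with an assumed severity threshold of 7) that illustrates the kind of rule a SIEM would build on the resolved fields.

```python
"""Minimal CEF parser exercised on the Cybereason sample events from this page.

Added example: not FortiSIEM's parser and not Cybereason code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The three sample events quoted on this page, used here as test input.
SAMPLE_EVENTS = [
    "Feb 10 13:06:43 xxxx syslogLogger CEF:0|Cybereason|Cybereason||Malop|Malop Created|10|cs1Label=malopId cs1=11.-1587922454714582908 cs2Label=malopDetectionType cs2=CNC cs3Label=malopActivityType cs3=MALICIOUS_INFECTION cs4Label=malopSuspect cs4=powershell.exe cs5Label=malopKeySuspicion cs5=Malicious use of PowerShell / .NET deviceCustomDate1Label=malopCreationTime deviceCustomDate1=Feb 10 2021, 13:06:43 UTC deviceCustomDate2Label=malopUpdateTime deviceCustomDate2=Feb 10 2021, 13:06:43 UTC cn1Label=affectedMachinesCount cn1=1 cn2Label=affectedUsers cn2=1 cs6Label=linkToMalop cs6=https://cripya.cybereason.net:443/#/malop/11.-1587922454714582908",
    "Feb 9 08:55:48 XXXX syslogLogger CEF:0|Cybereason|Cybereason||Malop|Malop Machine Information|10|cs1Label=malopId cs1=11.7905079038751140000 cs2Label=affectedMachine cs2=MACHINE1 deviceCustomDate1Label=malopUpdateTime deviceCustomDate1=Feb 09 2021, 08:55:48 UTC cn1Label=affectedMachinesCount cn1=6",
    "Feb 10 13:46:29 XXX auditSyslogLogger CEF:0|Cybereason|Cybereason||UserAction|Investigation/Query|0|cs1Label=username cs1=/user@company.com cn1Label=actionSuccess cn1=1 deviceCustomDate1Label=userActionTime deviceCustomDate1=Feb 10 2021, 13:46:29 UTC cs2Label=QueryDetails cs2=User > Process > Connection",
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")                 # '|' not preceded by '\'
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-\[\]]+)=")  # 'key=' at start or after whitespace


@dataclass
class CefEvent:
    host: Optional[str]
    app: Optional[str]
    header: Dict[str, str]
    extension: Dict[str, str]                              # raw keys: cs1, cs1Label, cn1, ...
    fields: Dict[str, str] = field(default_factory=dict)   # label-resolved: malopId, malopSuspect, ...

    @property
    def severity(self) -> Optional[int]:
        sev = self.header.get("severity", "")
        return int(sev) if sev.isdigit() else None


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k=v k2=v v v' into a dict. A value runs until the next 'key=' token,
    so spaces inside values (cs5, deviceCustomDate1) are preserved."""
    keys = list(_EXT_KEY.finditer(ext))
    out: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(r"\\([\\=])", r"\1", raw)   # unescape '\=' and '\\'
    return out


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Map every '<base>Label=<name>' / '<base>=<value>' pair to {name: value}."""
    named: Dict[str, str] = {}
    for key, label in ext.items():
        if key.endswith("Label") and key[:-5] in ext:
            named[label] = ext[key[:-5]]
    return named


def parse_cef_line(line: str) -> CefEvent:
    """Parse one syslog line carrying a CEF record (syslog prefix is optional)."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    prefix = line[:idx].split()            # e.g. ['Feb', '10', '13:06:43', 'xxxx', 'syslogLogger']
    body = line[idx + len("CEF:"):]
    parts = _UNESCAPED_PIPE.split(body, maxsplit=len(HEADER_FIELDS))
    if len(parts) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    header = {name: re.sub(r"\\([\\|])", r"\1", val)       # unescape '\|' and '\\' in header fields
              for name, val in zip(HEADER_FIELDS, parts)}
    extension = parse_extension(parts[len(HEADER_FIELDS)]) if len(parts) > len(HEADER_FIELDS) else {}
    return CefEvent(
        host=prefix[-2] if len(prefix) >= 2 else None,
        app=prefix[-1] if prefix else None,
        header=header,
        extension=extension,
        fields=resolve_labels(extension),
    )


def malops_at_or_above(lines: List[str], threshold: int = 7) -> List[Dict[str, str]]:
    """Triage view (assumed rule): one record per 'Malop Created' event with CEF severity >= threshold."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_cef_line(line)
        if (ev.header["signature_id"], ev.header["name"]) != ("Malop", "Malop Created"):
            continue
        if ev.severity is None or ev.severity < threshold:
            continue
        hits.append({
            "malopId": ev.fields.get("malopId", ""),
            "suspect": ev.fields.get("malopSuspect", ""),
            "suspicion": ev.fields.get("malopKeySuspicion", ""),
            "severity": str(ev.severity),
            "link": ev.fields.get("linkToMalop", ""),
        })
    return hits


if __name__ == "__main__":
    for ev in map(parse_cef_line, SAMPLE_EVENTS):
        print(ev.app, ev.header["signature_id"], ev.header["name"], ev.severity, ev.fields)
```

Two details matter when writing a parser like this for real ingestion: the header must be split only on unescaped pipes (CEF writes a literal pipe inside a header field as `\|`), and extension values must not be split on spaces, which is why the parser locates the next `key=` token instead of tokenising on whitespace. Keeping both the raw extension and the label-resolved view lets a detection rule refer to `malopSuspect` rather than remembering that this vendor happens to put it in cs4.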
