FortiGate / FortiOS

FortiManager

FortiAnalyzer

User Guide

FortiSIEM User Guide
TABLE OF CONTENTS
Overview
FortiSIEM Releases
- What's New in 7.0.3
- What's New in 7.0.2
- What's New in 7.0.1
- What's New in 7.0.0
Windows Agent Releases
Content Pack Updates
Key Concepts
Getting Started
Advanced Operations
- CMDB
- Incidents and Cases
- Device Support
- Rules, Reports, and Dashboards
- Advanced Health System
- Managing FortiSIEM
Administration
- Setup
- Device Support
- Health
- License
- Content Update
- Settings
Managing CMDB
- Devices
- Applications
- Users
- Business Services
- CMDB Reports
Managing Resources
- Reports
  - Viewing System Reports
  - Working With Report Templates
  - Creating New Reports
  - Running System Reports
  - Scheduling Reports
  - Importing and Exporting Reports
  - Importing and Exporting Report Definitions
- Rules
  - Viewing Rules
  - Creating Rules
  - Activating and Deactivating a Rule
  - Testing a Rule
  - Exporting and Importing a Rule Definitions
- Networks
  - Adding a Network
  - Modifying a Network
  - Deleting a Network
- Watch Lists
  - System-defined Watch list
  - Creating a Watch List
  - Modifying a Watch List
  - Using a Watch List
  - Exporting and Importing Watch Lists
- Protocols
  - Adding a Protocol
  - Modifying a Protocol
  - Deleting a Protocol
- Event Types
  - Adding an Event Type
  - Modifying an Event Type
  - Deleting an Event Type
- Working with AlienVault OTX
- Working with Dragos IOCs
- Working with FortiGuard IOCs
- Working with Malware Patrol
- Working with ThreatConnect
- Malware Domains
  - Adding a Malware Domain
  - Modifying a Malware Domain
  - Deleting a Malware Domain
  - Importing Malware Domains
  - Viewing Malware Domains
    - Working with Custom Threat Feeds that use HTTPS Connectivity
- Malware IPs
  - Adding a Malware IP
  - Modifying a Malware IP
  - Deleting a Malware IP
  - Importing Malware IPs
  - Viewing Malware IPs
- Malware URLs
  - Adding a Malware URL
  - Modifying a Malware URL
  - Deleting a Malware URL
  - Importing Malware URLs
  - Viewing Malware URLs
- Malware Processes
  - Creating a Malware Process Group
  - Adding a Malware Process
  - Modifying a Malware Process
  - Deleting a Malware Process
  - Importing Malware Processes
  - Viewing Malware Processes
- Country Groups
  - Creating a Country Group
  - Adding a Country Group
  - Modifying a Country Group
  - Deleting a Country Group
  - Changing the Home Country
- Malware Hash
  - Adding a Malware Hash
  - Modifying a Malware Hash
  - Importing/Updating User-defined Malware Hash
  - Viewing Malware Hash
- Default Password
  - Adding a Default Password
  - Modifying a Default Password
  - Importing and Exporting a Default Password
- Anonymity Network
  - Adding Anonymity Networks
  - Modifying Anonymity Networks
  - Updating Anonymity Networks
- User Agents
  - Adding User Agents
  - Modifying User Agents
  - Importing and Exporting User Agents
- Remediations
  - Adding Remediations
  - Modifying Remediations
  - Deleting Remediations
- Lookup Tables
  - Adding a Lookup Table
  - Deleting a Lookup Table
  - Working with Lookup Table Data
- Playbooks
  - Viewing Playbooks
  - Updating Playbooks
- Connectors
  - Viewing Connectors
  - Updating Connectors
- Machine Learning Jobs
  - Viewing Machine Learning Jobs
  - Editing a Machine Learning Job
  - Deleting a Machine Learning Job
Working with Cases
- Creating a Ticket
- Editing a Ticket
- Managing Cases
Working with Incidents
- Overview View
- List View
- Risk View
- Explorer View
- MITRE ATT&CK View
- UEBA View
- Investigating Incidents
- Automated Incident Resolution Recommendation
- Lookups Via External Websites
- CVE-Based IPS False Positive Analysis
- Remediating an Incident using a Script
- Executing a Playbook on an Incident
- Running a Connector on an Incident
- Troubleshooting Incident Trigger
Working with Analytics Search
- Running a Built-in Search
- Understanding Search Components
- New Query Functions
- Viewing Historical Search Results
- Viewing Real-time Search Result
- Using Nested Queries
- Searches Using Pre-computed Results
- Saving Search Results
- Viewing Saved Search Results, Loading Reports and Shortcuts
- Exporting Search Results
- Emailing Search Results
- Creating a Rule from Search
- Copying Filter and Time Range Tab Information
- Executing a Playbook
- Running a Connector
Machine Learning
- Overview
- Anomaly Detection
- Classification
- Clustering
- Forecasting
- Regression
Working with Dashboards
- General Operations
- Widget Dashboard
- Summary Dashboard
- Business Service Dashboard
- Identity and Location Dashboard
- Interface Usage Dashboard
- PCI Logging Status Dashboard
Managing Tasks
FortiSIEM Manager
- FortiSIEM Manager Incidents
  - FortiSIEM Manager Incidents Overview View
  - FortiSIEM Manager Incidents - List View
- FortiSIEM Manager CMDB Users
  - FortiSIEM Manager CMDB Adding Users
  - FortiSIEM Manager - Editing User Information
- FortiSIEM Manager Resources
- FortiSIEM Manager Admin
Appendix
- Administrative Tools and Information
- ClickHouse Usage Notes
- Configuration Notes
- Elasticsearch Usage Notes
- FortiEMS Endpoint Tagging
- FortiSOAR Integration Notes
  - Configuring FortiSOAR for FortiSIEM Integration
  - Writing FortiSIEM Compatible FortiSOAR Playbooks
- Functions in Analytics
- GUI Notes
  - Flash to HTML5 GUI Mapping
  - FortiSIEM Charts and Maps
- Knowledge Base
- License Enforcement
- Python Threat Feed Framework
- UEBA Information

Home FortiSIEM 7.0.3 User Guide

7.0.3

Advanced Health System

Advanced Health System Advanced Operations

FortiSIEM enables you to perform the following advanced operations:

Monitoring System Health
Monitoring Collector Health
Monitoring Elasticsearch Health
System Errors
Monitoring User and Query Activity

Monitoring System Health

To see the system level health of every FortiSIEM Supervisor/Worker node, go to ADMIN > Health > Cloud Health. The top pane shows the overall health of various nodes – Supervisor and Workers. Click any one node and the bottom pane shows the health of the various processes in that node.

For details, see here.

Monitoring Collector Health

To see the system level health of every FortiSIEM Collector node, go to ADMIN > Health > Collector Health.

For details, see here.

Monitoring Elasticsearch Health

To see the Elasticsearch health information, go to ADMIN > Health > Elasticsearch Health.

For details, see here.

System Errors

To see the system errors, click the Jobs/Errors icon on the top-right corner of FortiSIEM GUI and select the Error tab. You can also run a report in ANALYTICS > click the Folders icon > Shortcuts > Top FortiSIEM Operational Errors.

Monitoring User and Query Activity

To see FortiSIEM User and Query Activity, click the User Activity icon () on the top-right corner of FortiSIEM GUI. The User Activity dialog box contains these tabs:

Logged in Users
Locked Users
Query Status
Query Workload

All of the tabs in the User Activity dialog box contain the time of the last refresh and the number of seconds until the next automatic refresh. By default, the automatic refresh interval is 60 seconds. To refresh the table on demand, click the Refresh button.

Logged in Users

This tab displays a table listing the users currently logged in to FortiSIEM. You can perform the following operations on this tab:

Log Out - Select one or more users in the table and click Log Out. The selected users will be logged out of FortiSIEM.
Log Out and Lock Out - Select one or more users in the table and click Log Out and Lock Out. The selected users will be logged out of FortiSIEM and prevented from logging back in.

The Logged in Users table contains the following information:

Column	Description
Organization	The Organization to which the user belongs.
User	The name of the user.
Full Name	The full name of the user.
Login IP	The IP address from which the user logged in.
Role	The name of the user's role.
Login Time	The date and time when the user logged in.
Session ID	The ID of the user's FortiSIEM session.

Locked Users

This tab displays a table listing the users currently locked out of FortiSIEM. Typically, user access to FortiSIEM can be locked due to multiple login failures. You can perform the following operations on this tab:

Unlock - Select one or more users in the table and click Unlock.

Note: Users can also be unlocked by going to CMDB > Users > Actions > Unlock.

The Locked Users table contains the following information:

Column	Description
Organization	The Organization to which the user belongs.
User	The name of the user.
Full Name	The full name of the user.
Login IP	The IP address from which the user logged in.
Role	The name of the user's role.
Locked Time	The date and time when the user was locked out of FortiSIEM.

Query Status

This tab displays a table listing the status of current and recent queries. You can perform the following operations on this tab:

Stop Query - Select a query from the table and click Stop Query. The selected query will be stopped remotely. If the query was sent from the ANALYTICS page, you should see a warning message saying this query was stopped manually. You should also be able to see the partial results you received before it was stopped.
Search - Click the Search button to search for queries by Query name (plain text search), User name (multiple options selected via a checkbox), and/or query Type (multiple options selected via a checkbox).
Sort - Click a column name. You can sort the column data in ascending or descending order.
Job Distribution for Query - Click a query in the Query Status table to see the Job Distribution for Query <query_name> table. This table identifies the Worker nodes employed in processing the query and their status. For more information, see Obtaining Job Distribution for Query.

The Query Status table contains the following information:

Column	Description
Query ID	The ID of the query.
Query Name	The name of the query.
Organization	The organization where the query was issued.
User	The name of the user who issued the query.
Type	The value of Type can be: Interactive - Queries executed directly from the ANALYTICS page. Scheduled - Queries scheduled from RESOURCES > Reports.
Submit Time	The time the query was submitted.
Start Time	The date and time when the query was issued.
Status	The value of Status can be: Running - The query is currently running. Waiting - The query is waiting in the queue because the maximum number of running queries has been reached.
Progress	The percent of progress the query has made towards completion.
Elapsed	The time, in seconds, that the query has run.
Supervisor	The Supervisor involved with the query.

Obtaining Job Distribution for Query

To see how the query job is distributed between Worker nodes, click a query in the Query Status table. The Job Distribution for Query <query_name> table appears beneath the Query Status table.

Sort - Click a column name. You can sort the column data in ascending or descending order.

The Job Distribution for Query <query_name> table contains the following information:

Column	Description
Node	The Worker IP address.
Role	The FortiSIEM role running the query.
Status	The value of Status can be: Unknown - The query process is in an unknown state. Starting - The query has started processing. Running - The query is currently processing. Pausing - The query is in the process of pausing processing. Resuming - The query has resumed processing. Stopping - the query is in the process of stopping processing. Paused - The query has temporarily paused processing. Stopped - The query has stopped processing. Completed - The query has completed processing.
Progress	The percent of progress the query has made towards completion.
Elapsed	The time (in seconds) elapsed since the Start Time. Note: This value is calculated from the last refresh time, not the Last Update minus the Start Time.
Range Start Time	The start time period for scheduled queries.
Range End Time	The end time period for scheduled queries.
Start Time	The date and time when the query began processing.
Last Update	The date and time when the Worker last reported a progress update.

Query Workload

This tab displays a table listing the available Worker nodes for a query job. You can perform the following operations on this tab:

Sort - Click a column name. You can sort the column data in ascending or descending order.
Status of Running Tasks - Click a Worker node row in the Query Workload table to display the Tasks Running On <Worker_IP_address> table. For more information, see Obtaining Running Tasks.

The Query Workload table contains the following information:

Column	Description
Node	The Worker IP address.
Role	The FortiSIEM role running the query.
Status	The value of Status can be: Online - The Worker node is currently online. Offline - The Worker node is currently offline.
Interactive Tasks	The number of interactive tasks (that is, sent from the ANALYTICS page) assigned to the Worker node.
Scheduled Tasks	The number of scheduled tasks assigned to the Worker node.
Task Workload	The total number of tasks assigned to the Worker node.

Obtaining Running Tasks

To see the status of running tasks, click a Worker node in the Query Workload table. The Tasks Running On <Worker_IP_address> table appears beneath the Query Workload table. You can perform the following operations on this tab:

Sort - Click a column name. You can sort the column data in ascending or descending order.

The Tasks Running On <Worker_IP_address> table contains the following information:

Column	Description
Query ID	The ID of the query.
Query Name	The name of the query.
Organization	The organization that the query originated from.
User	The name of the user who issued the query.
Type	The value of Type can be: Interactive - Queries executed directly from the ANALYTICS page. Scheduled - Queries scheduled from RESOURCES > Reports.
Start Time	The date and time when the query began processing.
Status	See Status in Obtaining Job Distribution for Query.
Progress	The percent of progress the query has made towards completion.
Range Start Time	The start time period for scheduled queries.
Range End Time	The end time period for scheduled queries.

Advanced Health System Advanced Operations

FortiSIEM enables you to perform the following advanced operations:

Monitoring System Health
Monitoring Collector Health
Monitoring Elasticsearch Health
System Errors
Monitoring User and Query Activity

Monitoring System Health

For details, see here.

Monitoring Collector Health

To see the system level health of every FortiSIEM Collector node, go to ADMIN > Health > Collector Health.

For details, see here.

Monitoring Elasticsearch Health

To see the Elasticsearch health information, go to ADMIN > Health > Elasticsearch Health.

For details, see here.

System Errors

Monitoring User and Query Activity

To see FortiSIEM User and Query Activity, click the User Activity icon () on the top-right corner of FortiSIEM GUI. The User Activity dialog box contains these tabs:

Logged in Users
Locked Users
Query Status
Query Workload

Logged in Users

This tab displays a table listing the users currently logged in to FortiSIEM. You can perform the following operations on this tab:

Log Out - Select one or more users in the table and click Log Out. The selected users will be logged out of FortiSIEM.
Log Out and Lock Out - Select one or more users in the table and click Log Out and Lock Out. The selected users will be logged out of FortiSIEM and prevented from logging back in.

The Logged in Users table contains the following information:

Column	Description
Organization	The Organization to which the user belongs.
User	The name of the user.
Full Name	The full name of the user.
Login IP	The IP address from which the user logged in.
Role	The name of the user's role.
Login Time	The date and time when the user logged in.
Session ID	The ID of the user's FortiSIEM session.

Locked Users

Unlock - Select one or more users in the table and click Unlock.

Note: Users can also be unlocked by going to CMDB > Users > Actions > Unlock.

The Locked Users table contains the following information:

Column	Description
Organization	The Organization to which the user belongs.
User	The name of the user.
Full Name	The full name of the user.
Login IP	The IP address from which the user logged in.
Role	The name of the user's role.
Locked Time	The date and time when the user was locked out of FortiSIEM.

Query Status

This tab displays a table listing the status of current and recent queries. You can perform the following operations on this tab:

Stop Query - Select a query from the table and click Stop Query. The selected query will be stopped remotely. If the query was sent from the ANALYTICS page, you should see a warning message saying this query was stopped manually. You should also be able to see the partial results you received before it was stopped.
Search - Click the Search button to search for queries by Query name (plain text search), User name (multiple options selected via a checkbox), and/or query Type (multiple options selected via a checkbox).
Sort - Click a column name. You can sort the column data in ascending or descending order.
Job Distribution for Query - Click a query in the Query Status table to see the Job Distribution for Query <query_name> table. This table identifies the Worker nodes employed in processing the query and their status. For more information, see Obtaining Job Distribution for Query.

The Query Status table contains the following information:

Column	Description
Query ID	The ID of the query.
Query Name	The name of the query.
Organization	The organization where the query was issued.
User	The name of the user who issued the query.
Type	The value of Type can be: Interactive - Queries executed directly from the ANALYTICS page. Scheduled - Queries scheduled from RESOURCES > Reports.
Submit Time	The time the query was submitted.
Start Time	The date and time when the query was issued.
Status	The value of Status can be: Running - The query is currently running. Waiting - The query is waiting in the queue because the maximum number of running queries has been reached.
Progress	The percent of progress the query has made towards completion.
Elapsed	The time, in seconds, that the query has run.
Supervisor	The Supervisor involved with the query.

Obtaining Job Distribution for Query

To see how the query job is distributed between Worker nodes, click a query in the Query Status table. The Job Distribution for Query <query_name> table appears beneath the Query Status table.

Sort - Click a column name. You can sort the column data in ascending or descending order.

The Job Distribution for Query <query_name> table contains the following information:

Column	Description
Node	The Worker IP address.
Role	The FortiSIEM role running the query.
Status	The value of Status can be: Unknown - The query process is in an unknown state. Starting - The query has started processing. Running - The query is currently processing. Pausing - The query is in the process of pausing processing. Resuming - The query has resumed processing. Stopping - the query is in the process of stopping processing. Paused - The query has temporarily paused processing. Stopped - The query has stopped processing. Completed - The query has completed processing.
Progress	The percent of progress the query has made towards completion.
Elapsed	The time (in seconds) elapsed since the Start Time. Note: This value is calculated from the last refresh time, not the Last Update minus the Start Time.
Range Start Time	The start time period for scheduled queries.
Range End Time	The end time period for scheduled queries.
Start Time	The date and time when the query began processing.
Last Update	The date and time when the Worker last reported a progress update.

Query Workload

This tab displays a table listing the available Worker nodes for a query job. You can perform the following operations on this tab:

Sort - Click a column name. You can sort the column data in ascending or descending order.
Status of Running Tasks - Click a Worker node row in the Query Workload table to display the Tasks Running On <Worker_IP_address> table. For more information, see Obtaining Running Tasks.

The Query Workload table contains the following information:

Column	Description
Node	The Worker IP address.
Role	The FortiSIEM role running the query.
Status	The value of Status can be: Online - The Worker node is currently online. Offline - The Worker node is currently offline.
Interactive Tasks	The number of interactive tasks (that is, sent from the ANALYTICS page) assigned to the Worker node.
Scheduled Tasks	The number of scheduled tasks assigned to the Worker node.
Task Workload	The total number of tasks assigned to the Worker node.

Obtaining Running Tasks

Sort - Click a column name. You can sort the column data in ascending or descending order.

The Tasks Running On <Worker_IP_address> table contains the following information:

Column	Description
Query ID	The ID of the query.
Query Name	The name of the query.
Organization	The organization that the query originated from.
User	The name of the user who issued the query.
Type	The value of Type can be: Interactive - Queries executed directly from the ANALYTICS page. Scheduled - Queries scheduled from RESOURCES > Reports.
Start Time	The date and time when the query began processing.
Status	See Status in Obtaining Job Distribution for Query.
Progress	The percent of progress the query has made towards completion.
Range Start Time	The start time period for scheduled queries.
Range End Time	The end time period for scheduled queries.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

User Guide

Advanced Health System

Advanced Health System Advanced Operations

Monitoring System Health

Monitoring Collector Health

Monitoring Elasticsearch Health

System Errors

Monitoring User and Query Activity

Logged in Users

Locked Users

Query Status

Obtaining Job Distribution for Query