User Guide

Editing Event Pulling

After discovery is complete, FortiSIEM starts pulling events from devices with correct credentials. Examples include Windows Servers via WMI, VMWare VCenter via VMWare SDK, AWS CloudTrail via AWS SDK, etc.

The following section describes the procedures to see the status of these event pulling jobs and turn them on/off.

Viewing Event Pulling Jobs

Complete these steps to view event pulling jobs:

  1. Go to ADMIN > Setup > Pull Events tab.
  2. See the listed jobs:
    • Enabled – the job is enabled at a device level.
    • Device name – name of the device in CMDB.
    • Access IP – IP address with which FortiSIEM accesses this device.
    • Device Type – the device type in CMDB.
    • Organization – the organization to which this device belongs (for a multi-tenant FortiSIEM install).
    • Method – the event pulling method, shown as method – format – credential name (Access Protocol). An icon appears next to the method, showing the collection status. Hover your cursor over the icon/method to get more details. The status icons (the icon images themselves are not reproduced here) have the following meanings:

      Collection Status
      • Data for the specific monitor is being collected normally.
      • Method validated for the specific monitor, but data collection has not yet started.
      • Metric collection for the specific monitor is not scheduled because a test failed at the beginning of the monitoring cycle, even though discovery was successful. In most situations, this is caused by missing or invalid device credentials in FortiSIEM. The recommendation is to check the access protocol credentials and restart discovery.
      • The event pulling method for the specific monitor has failed.
    • Maintenance – indicates if this device is in maintenance or not.
  3. Check the Enabled option to view only enabled devices.
  4. Select Errors to view the list of errors, if any.

Modifying Event Pulling Jobs

Complete these steps to enable/disable event pulling at the device level (all jobs for the device will be enabled/disabled):

  1. Go to ADMIN > Setup > Pull Events tab.
  2. Select the device from the list.
  3. Select All check-box to enable all jobs or deselect to disable.
  4. Click Apply.

Complete these steps to enable/disable a specific event pulling job for a device:

  1. Go to ADMIN > Setup > Pull Events tab.
  2. Select the device from the list.
  3. Click Edit.
  4. Check the specific job to enable/disable.
  5. Click Apply.

Checking Status of Event Pulling Jobs

Complete these steps to check the status of event pulling jobs:

  1. Go to ADMIN > Setup > Pull Events tab.
  2. Select the device from the list.
  3. Hover over the method column – the tool tip shows the Execution Status.
  4. To see the events generated from the event pulling job, click Report.
    A report is run for all the events generated by this event pulling job in the last 10 minutes.

Exporting Event Pulling Jobs into a Report

Complete these steps to export an event pulling job report:

  1. Go to ADMIN > Setup > Pull Events tab.
  2. Click Export.
  3. Optionally, enter User Notes.
  4. Select the output format (PDF or CSV) and click Generate.
  5. Click View to download and view the report.
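The exported job list is the natural input for a periodic collection-health check: an enabled job whose status is "failed" or "not scheduled due to test failure" is a device whose events are silently missing from the SIEM. The script below is an added example, not FortiSIEM's own code; it assumes a CSV export with one column per field listed under Viewing Event Pulling Jobs (the column names and the status wording are constructed for this example, as is the sample data) and separates problem jobs that need attention from problem jobs on devices that are in maintenance.

```python
import csv
import io

# Constructed sample export. The column layout and status strings are
# assumptions made for this example, not FortiSIEM's actual CSV format.
SAMPLE_CSV = """Enabled,Device Name,Access IP,Device Type,Organization,Method,Collection Status,Maintenance
Yes,win-dc01,10.0.0.5,Microsoft Windows Server,Super,WMI - Security Log - dc-admin,Collecting normally,No
Yes,vcenter01,10.0.0.20,VMware vCenter,Super,VMware SDK - Events - vc-readonly,Validated; collection not started,No
Yes,aws-trail,0.0.0.0,AWS CloudTrail,OrgA,AWS SDK - CloudTrail - aws-key,Not scheduled: test failure,No
Yes,fw-edge01,10.0.0.1,Fortinet FortiGate,OrgA,SNMP - Logs - snmp-ro,Failed,Yes
No,db-old01,10.0.0.9,Oracle Database,OrgA,JDBC - Audit - dba,Collecting normally,No
"""

# Status values (assumed wording) that mean no events are arriving from the device.
PROBLEM_STATUSES = {"Not scheduled: test failure", "Failed"}


def parse_jobs(text):
    """Parse the exported CSV text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def triage_jobs(jobs):
    """Split problem jobs into those needing attention and those on devices in maintenance.

    Disabled jobs are skipped: they are an expected, deliberate gap.
    Returns (needs_attention, in_maintenance), where needs_attention holds
    (device, organization, status) tuples and in_maintenance holds device names.
    """
    needs_attention = []
    in_maintenance = []
    for job in jobs:
        if job["Enabled"] != "Yes":
            continue
        if job["Collection Status"] not in PROBLEM_STATUSES:
            continue
        if job["Maintenance"] == "Yes":
            in_maintenance.append(job["Device Name"])
        else:
            needs_attention.append(
                (job["Device Name"], job["Organization"], job["Collection Status"])
            )
    return needs_attention, in_maintenance


if __name__ == "__main__":
    attention, maint = triage_jobs(parse_jobs(SAMPLE_CSV))
    for device, org, status in attention:
        # Credential problems are the usual cause; the page recommends
        # checking the access protocol credentials and re-running discovery.
        print(f"CHECK CREDENTIALS: {device} ({org}) - {status}")
    for device in maint:
        print(f"in maintenance, revisit later: {device}")
```

Run against a real export, the list of devices in `needs_attention` is the set to check under ADMIN > Setup > Pull Events before assuming the SIEM has full coverage; keeping the maintenance devices separate avoids alert fatigue while still recording that their events are absent.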

Viewing Event Pulling Reports

  1. Go to ADMIN > Setup > Pull Events tab.
  2. Select Super/Local or Org with collector or use the Search field to view any related jobs.
