Monitoring Endpoints (Laptops, Desktops)
Endpoint visibility can be gained by
-
Gathering logs from core network devices (Firewall/ UTM, Active Directory, AV management server etc) that provide indirect visibility of endpoint activity from a central location
-
Installing the FortiSIEM UEBA endpoint agent on the endpoint device
-
Using a dedicated endpoint security system (e.g. FortiEDR) and pulling the logs from that into FortiSIEM
The FortiSIEM External Systems Configuration Guide available at https://docs.fortinet.com/document/fortisiem/7.1.4/external-systems-configuration-guide/780675/fortisiem-external-systems-configuration-guide-online lists supported Fortinet and 3rd party endpoint monitoring solutions.
When designing a solution to provide endpoint visibility, consider how the solution will gather and upload logs from all of the locations where visibility is required. If endpoint visibility is only required when connected to the corporate network then this is relatively straightforward. If however visibility of endpoint activity is required when the endpoint is off-net, such as when in a customer site, hotel, or at home, then consider the following:
-
How will the solution gather logs at this location
and
-
How will the logs be uploaded to the SIEM
Often an agent-based solution, such as the FortiSIEM UEBA agent or FortiEDR, can be used to gather logs directly on the endpoint even when off-net. The agent can typically cache logs for upload when the agent re-connects, or an Internet-accessible collector architecture can be used to allow remote log upload.