Atlassian Beacon
Support Added: FortiSIEM 7.2.0
Vendor: Atlassian
Vendor Version Tested: Not Provided
Product Information: https://www.atlassian.com/software/beacon
Intelligent threat detection, built for Atlassian cloud products.
Configuration
Prerequisite
Most applications using webhook push notifications do server TLS certificate validation, which means the target collector must be configured with a public CA signed TLS certificate.
See How to Set Up a FortiSIEM Collector with a Public SSL/TLS Certificate for configuration information.
FortiSIEM Setup
To configure webhook integration, you will need to take the following general steps.
Create Credential
Take the following steps to configure a credential for FortiSIEM.
- Login to FortiSIEM as an administrator.
- Navigate to Admin > Setup > Credentials.
- Under Step 1: Enter Credentials, click New.
- In the Access Method Definition window, input the following:
  - In the Name field, enter the name of the credential. This serves as the basis of the target endpoint created.
  - From the Device Type drop-down list, select Atlassian Beacon.
  - In the Separator field, leave the default as "\n" to separate the payload. The "\n" is the newline linefeed and means that each line in the response is treated as a new log.
  - In the Receiver FQDN field, enter the FQDN of the FortiSIEM node. This field expects the FQDN or IP address of the FortiSIEM collector that will be receiving the webhook traffic. It is used to dynamically generate an endpoint configuration for you, so it should ideally be the FQDN of the collector from the sending application's perspective.
  - In the Reporting Host Name field, enter "beacon.atlassian.com". This field expects the source hostname of the sending application. It is used to uniquely identify the logs, as it will be in the header of every log.
  - Endpoint is the dynamically generated webhook endpoint based on the Receiver FQDN. This makes it easier to paste this URL as the target of your webhooks in the client application.
  - From the Auth Type drop-down list, select Basic Auth. Basic authorization compares base64(name:password) with the value of the Authorization header (Authorization: Basic xxxx) in an HTTP request.
    There is an optional UI feature if you'd like to get the exact string the client application should send in the Authorization header (if for some reason it does not compute the Basic auth value itself). You can get the expected Authorization header value by clicking Get from Header Value after you have entered the username and associated password in the User Name and Password/Confirm Password fields respectively. This should rarely be needed, as most client applications sending webhooks with Basic auth only require the username/password and compute the header for you.
  - In the User Name field, enter the username.
  - In the Password and Confirm Password fields, enter the password associated with the username.
  - (Optional) You can get the expected Authorization header value by clicking Get Header Value. You will need to enter the username and associated password in the User Name field and Password/Confirm Password fields respectively first.
    Note: This is only useful if you need to see the preformatted header value (in this case "Basic base64(username:password)"). In most cases this is not needed; it is purely a convenience function for testing. The client application sending the webhooks using Basic authentication, in this case Atlassian, will generally take the username/password and generate the Authorization header for you using the base64 value.
- Click Save and Deploy.
Atlassian Beacon Setup
Reference Documentation: https://intercom.help/atlassian-beacon/en/articles/6558090-send-alerts-to-a-siem-slack-teams-splunk-or-other-tools#h_198d466bb5.
Ensure the Prerequisite is completed before proceeding.
Atlassian Beacon verifies the collector's TLS certificate when it posts webhooks, so the collector's httpd server configuration must already present a public CA signed certificate as described in the Prerequisite.
- In Beacon, navigate to Integrations > SIEM forwarding.
- Click Add webhook.
- In the Webhook URL field, enter the Webhook URL. The structure should be:
  https://<FortiSIEM_Node_IP>/webhook/<FortiSIEM_Credential_NAME>
  You can get the Webhook URL by opening a completed FortiSIEM Create Credential configuration in the FortiSIEM GUI and copying the value in Endpoint.
- Click Save.
- Click Authorization. Input the Authentication Header. The format is "Basic <string of base64 username:password>". To get this content, from a completed FortiSIEM Create Credential configuration, click Get in Header Value, click the copy icon, then paste the information here.
  Example: For User Name: tester1, Password: tester:Tester123!, the Authentication Header would be
  Basic dGVzdGVyMToqKioqKioqKg==
- Click Test.
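Worked example, added here and not FortiSIEM or Atlassian code, of the Basic Authorization contract from Create Credential and the example above: computing the header the sender must present, checking it on the receiving side, and splitting a body on the "\n" Separator into one JSON log per line. The sample alert lines are constructed; note that the header shown in the example above encodes a masked password (tester1:********), which the decoder below makes visible.

```python
import base64
import hmac
import json

# Added example (not FortiSIEM or Atlassian code): the two pieces of the webhook
# contract described above, the Basic Authorization header and the "\n" Separator.

def basic_auth_header(username: str, password: str) -> str:
    """Build the value the sending application computes: Basic base64(name:password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def decode_basic(header_value: str) -> tuple[str, str]:
    """Reverse a header back to (username, password) to sanity-check a pasted value.
    Only the first ':' separates the two, so passwords containing ':' survive."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, pwd = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pwd

def header_matches(presented: str, username: str, password: str) -> bool:
    """Receiver-side check: compare the presented header with the expected one in constant time."""
    expected = basic_auth_header(username, password)
    return hmac.compare_digest(presented.strip().encode("utf-8"), expected.encode("utf-8"))

def split_logs(body: str, separator: str = "\n") -> list[dict]:
    """Split a webhook body on the credential's Separator; each non-empty line is one JSON log."""
    return [json.loads(line) for line in body.split(separator) if line.strip()]

# Constructed sample: two Beacon-style alerts delivered in a single request body.
SAMPLE_BODY = (
    '{"alertTitle":"Sensitive data detected: Atlassian API token","type":"beacon:create:test"}\n'
    '{"alertTitle":"Unusual login location","type":"beacon:create:test"}\n'
)

if __name__ == "__main__":
    hdr = basic_auth_header("tester1", "tester:Tester123!")
    print(hdr, decode_basic(hdr), header_matches(hdr, "tester1", "tester:Tester123!"))
    for event in split_logs(SAMPLE_BODY):
        print(event["type"], "-", event["alertTitle"])
```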
Checking for Events
Events can be queried from the Analytics page, using atlassian-beacon as part of a Raw Event Log search. Make sure Atlassian Beacon Setup is completed before proceeding with your check for events.
From the FortiSIEM GUI, take the following steps.
- Navigate to Analytics > Search.
- Click Edit Filters and Time Range.
- In Filter By, select the Event Attribute tab.
- Enter/select the following:
  Attribute = Raw Event Log, Operator = CONTAIN, Value = atlassian-beacon
- Click Apply & Run.
Event Type
[PH_DEV_MON_CUSTOM_JSON]:[reptVendor]=Atlassian,[reptModel]=Beacon,[reptDevName]=test.com,[reptDevIpAddr]=11.11.11.11,[json]={"alertDetailURL":"https://beacon.atlassian.com/w/11111111-1111-1111-1111-111111111111/alerts/c111e111a11bfd11d1111c1d?atlOrigin=eyJpIjoiODUwMmU1NmFkMTMzNDYxZGJjODk1NmY1MGVmNDkzN1IiLCJwIjoiYmVhY11uIn1","alertId":"c111e111a11bfd11d1111c1d","alertTitle":"Sensitive data detected: Atlassian API token","detectionTime":1711493273898,"activity":{"action":"READ","subject":{"ari":"ari:cloud:confluence::site/a1111a1d-11f1-1c11-a111-11111c111111","containerAri":"ari:cloud:platform::org/j1111j1b-11d1-1a11-j111-11111a111111","ati":"ati:cloud:confluence:space"},"time":{"start":"2023-11-11T11:11:11.111Z","end":"2023-11-11T11:11:11.111Z"}},"actor":{"accountId":"111111:db1a1a1e-1c11-111a-11dd-1e1c11111111","name":"Mei Liu","sessions":[{"ipAddress":"11.11.11.11","userAgent":"Mozilla/1.1 (Macintosh; Intel Mac OS X 11_11_1) AppleWebKit/111.1.11 (KHTML, like Gecko) Version/11.1.1 Safari/111.1.11","loginTime":"2023-11-11T11:11:11.111Z","lastActiveTime":"2023-11-11T11:11:11.111Z"}],"url":"https://beacon.atlassian.com/w/11111111-1111-1111-1111-111111111111/users/111111:db1a1a1e-1c11-111a-11dd-1e1c11111111?atlOrigin=eyJpIjoiODUwMmU1NmFkMTMzNDYxZGJjODk1NmY1MGVmNDkzN1IiLCJwIjoiYmVhY11uIn1"},"alert":{"created":"2023-11-11T11:11:11.111Z","id":"c111e111a11bfd11d1111c1d","product":"CONFLUENCE","site":"https://fortisiem.atlassian.net?atlOrigin=eyJpIjoiODUwMmU1NmFkMTMzNDYxZGJjODk1NmY1MGVmNDkzN1IiLCJwIjoiYmVhY11uIn1","title":"Sensitive data detected: Atlassian API token","url":"https://beacon.atlassian.com/w/11111111-1111-1111-1111-111111111111/alerts/c111e111a11bfd11d1111c1d?atlOrigin=eyJpIjoiODUwMmU1NmFkMTMzNDYxZGJjODk1NmY1MGVmNDkzN1IiLCJwIjoiYmVhY11uIn1"},"id":"c111e111a11bfd11d1111c1d","timestamp":1711493273898,"type":"beacon:create:test","workspace":{"cloudId":"a1111a1d-11f1-1c11-a111-11111c111111","id":"11111111-1111-1111-1111-111111111111","orgId":"j1111j1b-11d1-1a11-j111-11111a111111"}}