FortiSIEM Discovery Settings

Discovery Settings

Before you initiate discovery, you should configure the Discovery Settings in your Supervisor.

  • Log in to your Supervisor node.
  1. Go to Admin > General Settings > Discovery.
  2. Configure the settings as required for your deployment.

See Setting Device Location Information for information on how to manually enter locations for devices, or to upload a CSV file of device locations.

Setting Description
Virtual IPs Often a common virtual IP address will exist in multiple machines for load balancing and failover purposes. When you discover devices, you need to have these virtual IP addresses defined within your discovery settings for two reasons:

Listing the virtual IP addresses ensures that two or more devices with the same virtual IP will not be merged into one device during device discovery, so each of the load-balanced devices will maintain their separate identity in the

CMDB

The virtual IP will not be used as an access IP during discovery, since the identity of the device when accessed via the virtual IP is unpredictable

Click the Edit icon to enter a Virtual IP address, and then click + to add more.

Excluded

Shared

Device IPs

An enterprise often has servers that share credentials, for example mail servers, web proxies, and source code control servers, and a large number of users will authenticate to these servers to access their services. Providing a list of of the IP addresses for these servers allows FortiSIEM to exclude these servers from user identity and location calculations in the Analytics > Identity and Location report.

For example, suppose user U logs on to server M to retrieve his mail, and server M authenticates user U via Active Directory. If server M is not excluded, the Analytics > Identity and Location Report will contain two entries for user U: one for the workstation that U logs into, and also one for server M. You can eliminate this behavior by adding server M to the list of Server IPs with shared credentials.

Allow

Incident

Firing On

With this setting you can control incident firings based on approved device status. If you select Approved Devices Only, then FortiSIEM will use this logic to determine if an incident is triggered:

If an incident reporting device is not approved, the incident does not trigger

If an incident reporting device is approved, then there are two possible cases: (a) at least one Source, Destination or Host IP is approved and the incident triggers, or (b) none of the Source, Destination or Host IPs are approved and the incident does not trigger

If you select Approved Devices Only, then when the discovery process completes, you will need to approve devices, as described in Approving Newly Discovered Devices, before incidents are triggered.

CMDB

Device

Filter

This setting allows you to limit the set of devices that the system automatically discovers from logs and netflows. After receiving a log from a device, the system automatically discovers that device, and then adds it to CMDB. For example, when a Netflow analysis detects a TCP/UDP service is running on a server, the server, along with the open ports, are added to CMDB. Sometimes you may not want to add all of these devices to CMDB, so you can create filters to exclude a specific set of devices from being added to CMDB.

Each filter consists of a required Excluded IP Range field and an optional Except field. A device will not be added to

CMDB if it falls in the range defined in the Excluded IP Range field. For example, if you wanted to exclude the 172.16.

20.0/24 network from CMDB, you would to add a filter with 172.16.20.0-172.16.20.255 in its Excluded IP Range field.

The Except field allows you to specify some exceptions in the excluded range. For example, if you wanted to exclude the 172.16.20.0/24 network without excluding the 172.16.20.0/26 network, you would add a filter with 172.16.2

0.0-172.16.20.255 in the Excluded IP Range field, and 172.16.20.192-172.16.20.255 in the Except field.

Click Add to add a new CMDB Device Filter, then click Apply.

Application

Filtering

This setting allows you to limit the set of applications/processes that the system automatically learns from discovery.

You may be more interested in discovering and monitoring server processes/daemons, rather than client processes, that run on a server. To exclude client processes from being discovered and listed in the CMDB, enter these applications here. An application/process will not be added to CMDB if it matches one of the entries defined in this table.

 

Click Add, then enter the Process Name and any Parameters for that process that you want to filter.

 

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.