Categorization of Devices and Applications
FortiSIEM uses four methods to identify and categorize devices and applications in the CMDB.
From Discovery – Network Devices
When FortiSIEM discovers a device, it looks for keywords in the SNMP sysDescr attribute and also probes for the SNMP sysObjectID attribute. Internal tables are then used to map a discovered device to one or more CMDB device groups based on these attributes.
Keywords from the sysDescr attribute are matched against the system table Device Vendor and Model.
Keywords from the sysObjectID attribute are matched against the system table Device Vendor and Model.
Matches from the Device Vendor and Model table are then matched against the ApprovedDeviceVendor.csv table that is used to create the categories in the CMDB Devices/Applications.
From Discovery – Applications
FortiSIEM discovers applications by discovering the processes that are running on a server. The table AppMapping.csv maps process names to Applications, Application Groups, and application folders in the CMDB.
From Logs
FortiSIEM includes a large number of log parsers, each of which is associated with a Device Vendor/Model and Application Vendor/Model. When the log is parsed by FortiSIEM, the Device/Application/Vendor information is matched against the table ApprovedDeviceVendor.csv, which then assigns the application or device to the appropriate CMDB Device/Application folder.
Special Cases
There are some special cases that cannot be categorized using discovery or log information. An example is Microsoft Active Directory. It is an application, but there is no explicit process for it, as it is part of the kernel or a larger system service. In this case, specific logs are used: Windows Security logs 672, 673 to detect Microsoft Domain Controller 2000, 2003, and Windows Security logs 4768, 4769 to detect Microsoft Windows Domain Controller 2008, 2012.
Examples
Categorizing a Cisco IOS Router/Switch
This is an example of categorizing a device using discovery. In this case, the Cisco IOS substring in the SNMP sysDescr attribute is used to detect a Cisco IOS device.
Then this entry in ApprovedDeviceVendor.csv maps the Device Vendor/Model Cisco IOS to the Router/Switch category in the CMDB. PH_SYS_DEVICE_ROUTER_SWITCH is the internal ID of the category.
Categorizing Fortinet Firewalls
This is also an example of categorizing a device by discovery. In this case, the SNMPv2-SMI::enterprises.12356 substring in the SNMP sysObjectID attribute is used to detect a Fortinet Firewall device.
Then this entry in the ApprovedDeviceVendor.csv table maps the Device Vendor/Model Fortinet FortiOS to the Firewall and Network IPS categories in the CMDB, since Fortinet is a UTM device. PH_SYS_DEVICE_FIREWALL and PH_SYS_DEVICE_NETWORK_IPS are the internal IDs of the categories.
Categorizing Microsoft IIS
This is an example of categorizing an application based on a running process. In this case, SNMP discovers a process svchost.exe with the
This entry in the AppMapping.csv table is then used to map the process name svchost.exe with the path name -k iissvcs to a Microsoft IIS application.
Categorizing Cisco ASA
This is an example of categorizing a device based on logs. The Cisco ASA parser has a Device Vendor/Model associated with it, and when a log from the Cisco ASA device is parsed by FortiSIEM, this entry in ApprovedDeviceVendor.csv maps the Device Vendor/Model Cisco ASA to the Firewall and VPN Gateway categories in the CMDB. PH_SYS_DEVICE_FIREWALL and PH_SYS_DEVICE_VPN_GATEWAY are the internal IDs of these categories.
Categorizing Microsoft IIS
This is an example of categorizing an application based on logs. The Microsoft IIS (via Snare) parser has a Device Vendor/Model associated with it, and when a log from Microsoft IIS is processed by FortiSIEM, this entry in ApprovedDeviceVendor.csv maps the Device Vendor/Model Microsoft to the Windows Server and Web Server categories in the CMDB. PH_SYS_DEVICE_WINDOWS_SERVER and PH_SYS_APP_WEB_SERVER are the internal IDs of these categories.
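The lookups described in the four methods and walked through in the examples above (SNMP sysDescr/sysObjectID keyword to Device Vendor/Model, Device Vendor/Model to CMDB category IDs via ApprovedDeviceVendor.csv, process name plus arguments via AppMapping.csv, and the Windows Security event IDs used for the Active Directory special case), written out as an added Python example. This is not FortiSIEM's own code: the CSV column names and the sample SNMP values are constructed assumptions, because the page does not show the real file layouts.

```python
import csv
import io

# Constructed stand-in for the Device Vendor and Model system table:
# (SNMP attribute to inspect, keyword substring, resulting Device Vendor/Model).
DEVICE_VENDOR_MODEL = [
    ("sysDescr", "Cisco IOS", "Cisco IOS"),
    ("sysObjectID", "SNMPv2-SMI::enterprises.12356", "Fortinet FortiOS"),
]

# Constructed ApprovedDeviceVendor.csv; the column names are an assumption,
# the category IDs are the ones named on the page.
APPROVED_DEVICE_VENDOR_CSV = """vendor_model,category_ids
Cisco IOS,PH_SYS_DEVICE_ROUTER_SWITCH
Fortinet FortiOS,PH_SYS_DEVICE_FIREWALL;PH_SYS_DEVICE_NETWORK_IPS
Cisco ASA,PH_SYS_DEVICE_FIREWALL;PH_SYS_DEVICE_VPN_GATEWAY
Microsoft,PH_SYS_DEVICE_WINDOWS_SERVER;PH_SYS_APP_WEB_SERVER
"""

# Constructed AppMapping.csv (column names assumed).
APP_MAPPING_CSV = """process,path,application
svchost.exe,-k iissvcs,Microsoft IIS
"""

# Special case: Windows Security event IDs that reveal a domain controller.
DC_EVENT_IDS = {
    672: "Microsoft Domain Controller 2000, 2003",
    673: "Microsoft Domain Controller 2000, 2003",
    4768: "Microsoft Windows Domain Controller 2008, 2012",
    4769: "Microsoft Windows Domain Controller 2008, 2012",
}

def load_approved(text=APPROVED_DEVICE_VENDOR_CSV):
    """Parse ApprovedDeviceVendor.csv into {vendor_model: [category_id, ...]}."""
    return {r["vendor_model"]: r["category_ids"].split(";")
            for r in csv.DictReader(io.StringIO(text))}

def vendor_model_from_snmp(sys_descr, sys_object_id):
    """Discovery step 1: first keyword hit in sysDescr or sysObjectID wins."""
    for attr, keyword, vendor_model in DEVICE_VENDOR_MODEL:
        if keyword in (sys_descr if attr == "sysDescr" else sys_object_id):
            return vendor_model
    return None

def categorize_device(sys_descr, sys_object_id, approved=None):
    """Discovery step 2: Device Vendor/Model -> CMDB category IDs (empty if unknown)."""
    approved = approved or load_approved()
    return approved.get(vendor_model_from_snmp(sys_descr, sys_object_id), [])

def app_from_process(process_name, args, text=APP_MAPPING_CSV):
    """Application discovery: process name plus path/argument substring -> application."""
    for r in csv.DictReader(io.StringIO(text)):
        if r["process"].lower() == process_name.lower() and r["path"] in args:
            return r["application"]
    return None
```

A log-based categorization (Cisco ASA, Microsoft IIS via Snare) reuses `load_approved()` with the parser's Device Vendor/Model as the key, and the special case is a plain lookup in `DC_EVENT_IDS`.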