FortiSIEM System-Defined Baseline Reports

System-Defined Baseline Reports

The following system-provided baseline reports run continuously in the system.

Network Traffic Analysis

Performance / Availability Monitoring

Logon Activity

Each entry below gives the report name, its description, its ID and its fields (the key the baseline is computed per, and the values that are profiled).

Report: DNS Request Profile (ID 113)
Description: This report baselines DNS requests on a per-client basis: the number of requests and the number of distinct destinations the client attempted to resolve.
Key: Source IP
Values: Number of Requests, Distinct Destination Count – mean and standard deviation for each

Report: DNS Traffic Profile (ID 113)
Description: This report baselines DNS traffic characteristics on a per-client basis: sent and received bytes and packets.
Key: Source IP
Values: Sent Bytes, Received Bytes, Total Bytes – mean and standard deviation for each

Report: Destination Traffic Profile (ID 126)
Description: This report baselines traffic destined to a server. The data is reported by network flow (NetFlow, sFlow) and firewall logs. For each destination IP, the number of distinct peers, the number of distinct ports opened on the server and the total number of flows are tracked.
Key: Destination IP
Values: Distinct Source IP, Distinct Destination Ports, Total Flows – mean and standard deviation for each

Report: Source Traffic Profile (ID 125)
Description: This report baselines traffic generated by a source. The data is reported by network flow (NetFlow, sFlow) and firewall logs. For each source IP, the number of distinct peers, the number of distinct ports opened by the source, the total number of flows and the total bytes exchanged are tracked.
Key: Source IP
Values: Distinct Destination IP, Distinct Destination Ports, Total Flows, Total Bytes – mean and standard deviation for each

Report: Firewall Connection Count Profile (ID 112)
Description: This report baselines the permitted firewall connection count, typically gathered by SNMP.
Key: Firewall Name, Firewall IP
Values: Firewall Connection Count – mean and standard deviation for each

Report: Firewall Denied Aggregate Traffic Profile (ID 108)
Description: This profile baselines denied firewall traffic from firewall logs – the volume of denied traffic, the distinct attacker count, and the distinct target IPs and ports.
Key: Firewall Name, Firewall IP
Values: Denied Flows, Distinct Denied Source IP, Distinct Denied Destination IP, Distinct Denied Destination Port – mean and standard deviation for each

Report: ICMP Traffic Profile (ID 114)
Description: This report baselines the ICMP traffic generated by each source: the number of ICMP packets and the number of distinct destinations.
Key: Source IP
Values: Distinct Destinations, Total Flows, Total Bytes – mean and standard deviation for each

Report: Inbound Firewall Denied TCP/UDP Port Profile (ID 106)
Description: This report baselines denied inbound TCP/UDP port usage as reported by firewall logs. For every port, the number of denied attempts and the number of distinct sources are profiled.
Key: Destination Protocol, Port
Values: Distinct Source IP, Total Flows – mean and standard deviation for each

Report: Inbound Firewall Permitted TCP/UDP Port Usage Profile (ID 104)
Description: This report baselines permitted inbound TCP/UDP port usage. The data is reported by firewall logs. For every inbound destination port and protocol combination, the number of unique sources and destinations and the total bytes and flows are profiled.
Key: Destination Protocol, Port
Values: Distinct Source IP, Distinct Destination IP, Total Flows, Total Bytes – mean and standard deviation for each

Report: Outbound Firewall Denied TCP/UDP Port Profile (ID 107)
Description: This report baselines denied outbound TCP/UDP port usage as reported by firewall logs. For every port, the number of denied attempts and the number of distinct destinations are profiled.
Key: Destination Protocol, Port
Values: Distinct Destination IP, Total Flows – mean and standard deviation for each

Report: Outbound Firewall Permitted TCP/UDP Port Usage Profile (ID 105)
Description: This report baselines permitted outbound TCP/UDP port usage. The data is reported by firewall logs. For every outbound destination port and protocol combination, the number of unique sources and destinations and the total bytes and flows are profiled.
Key: Destination Protocol, Port
Values: Distinct Source IP, Distinct Destination IP, Total Flows, Total Bytes – mean and standard deviation for each

Performance / Availability Monitoring

Report: Device CPU, Memory Usage Profile (ID 109)
Description: This report baselines CPU and memory usage – the data is collected by SNMP or WMI. For every host, CPU, real memory and virtual memory utilization are profiled.
Key: Host Name
Values: CPU Utilization, Memory Utilization, Virtual Memory Utilization – mean and standard deviation for each

Report: Device Disk I/O Profile (ID 121)
Description: This report baselines disk I/O usage for servers, VMs and ESX hosts – the data is collected by SNMP, WMI or the vCenter API. For every host and disk combination, read and write volumes are profiled.
Key: Host Name, Datastore Name, Disk Name
Values: Disk Read KBps, Disk Write KBps – mean and standard deviation for each

Report: Network Interface Traffic Profile (ID 110)
Description: This report baselines network interface traffic. The data is collected by SNMP. For each network interface, the total sent and received bytes are profiled.
Key: Host Name, Interface Name
Values: Sent Bytes, Received Bytes – mean and standard deviation for each

Report: Network Interface Error Profile (ID 111)
Description: This report baselines network interface errors and discards. The data is collected by SNMP. For each network interface, the total errors and discards are profiled.
Key: Host Name, Interface Name
Values: Errors, Discards – inbound and outbound – mean for each

Report: Server Process Count Profile (ID 123)
Description: This report baselines the number of processes running on a server. The data is collected by SNMP.
Key: Host Name
Values: Process Count – mean and standard deviation

Report: Reporting EPS Profile (ID 116)
Description: This report baselines the rate at which devices send events to AccelOps.
Key: Host Name, Host IP
Values: Events/sec – mean and standard deviation

Report: Reported Event Type Profile (ID 119)
Description: This report baselines the number of distinct event types reported by a device.
Key: Host Name, Host IP
Values: Distinct Event Type – mean and standard deviation

Report: Reported Error Log Profile (ID 120)
Description: This report baselines the number of system errors reported in logs on a per-device basis.
Key: Host Name, Host IP
Values: Number of events classified as system errors – mean

Report: STM Response Time Profile (ID 123)
Description: This report baselines Synthetic Transaction Monitoring (STM) response times.
Key: Host Name, Monitor Name
Values: Response Time – mean and standard deviation

Logon Activity

Report: Successful Logon Profile (ID 115)
Description: This report baselines successful logon activity at a host. The data is collected from logs.
Key: Host Name, Host IP
Values: Successful Logons, Distinct Source IP, Distinct Users – mean and standard deviation

Report: Failed Logon Profile
Description: This report baselines failed logon activity at a host. The data is collected from logs.
Key: Host Name, Host IP
Values: Failed Logons, Distinct Source IP, Distinct Users – mean and standard deviation

Report: Privileged Logon Profile (ID 118)
Description: This report baselines successful logon activity at a host. The data is collected from logs.
Key: Host Name, Host IP
Values: Privileged Logons – mean and standard deviation

This entry was posted in Administration Guides, FortiSIEM.
