FortiSIEM Compliance related Reports

Compliance related

PCI

COBIT

SOX

HIPAA

PCI

PCI 1.x: Top Reporting Firewalls By Event Count: Ranks the firewalls by the number of events sent

PCI 1.x: Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.

PCI 1.x: Router Config Changes Detected From Log: This report provides details about router config changes

PCI 1.x: Router Run vs Startup Config Difference Via Login: This report captures detected differences between a router's running and startup config

PCI 1.x: Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a firewall’s running and startup config

PCI 1.x: Router/Switch Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.

PCI 1.x: Router Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.

PCI 1.x: Firewall Admin Activity Details: Provides details about firewall admin activity – logons, command executions and logoff

PCI 1.x: Router Admin Activity Details: Provides details about router admin activity – logons, command executions and logoff

PCI 1.x: Firewall NAT Translations: This report captures the NAT translations over a time window

PCI 1.x: Top Firewalls and Outbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service

PCI 1.x: Top Firewalls and Inbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service

PCI 1.x: Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls – these services may pose security risk

PCI 1.x: Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web

PCI 1.x: Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – vulnerable services include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445), MS-SQL (1433,1434), FTP (23), TELNET (21)

PCI 1.x: Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall originated or destined connections – these connections would typically be for administrative and monitoring purposes

PCI 5.x: Top Reporting Security Management Servers:

PCI 1.x: Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy

PCI 5.x: Spyware found but not remediated by Host Antivirus:

PCI 5.x: Top hosts with Malware found by Host Antivirus:

PCI 5.x: Top IPs with Malware Found By IPS and Firewalls: Tracks IP addresses with Malware as found by IPS

PCI 5.x: Top IPs with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

PCI 5.x: Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.

PCI 8.x,10.x: Detailed Successful Login At PCI Device: Captures detailed successful logins at any device or application including servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications

PCI 8.x: Windows Server Account Lockouts: This report captures account lockouts on Windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation

PCI 8.x: Windows Domain Account Lockouts: This report details Windows domain account lockouts

PCI 8.x: Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on Windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

PCI 8.x: Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

PCI 8.x: Server Password Changes: Tracks password changes

PCI 8.x: Local Windows User Accounts Created: This report captures user accounts added on a server

PCI 8.x: Local Windows User Accounts Deleted: This report captures user accounts removed from a server

PCI 8.x: Local Windows User Accounts Modified: This report captures local user account modifications.

PCI 8.x: Users Added To Local Groups: This report captures users added to local groups.

PCI 8.x: Users Added To Global Groups: This report captures users added to global or universal groups.

PCI 8.x: Users Deleted From Local Groups: This report captures users deleted from local groups.

PCI 8.x: Users Deleted From Global Groups: This report captures users deleted from global or universal groups.

PCI 8.x: Local Windows Groups Deleted: This report captures local group deletions

PCI 8.x: Local Windows Groups Modified: This report captures local group modifications

PCI 8.x: Local Windows Groups Created: This report captures local group creations

PCI 8.x: Global Windows Groups Created: This report captures global group creations

PCI 8.x: Global Windows Groups Deleted: This report captures global group deletions

PCI 8.x: Global Windows Groups Modified: This report captures global group modifications

PCI 10.x: Detailed Failed Login At PCI System: Captures detailed failed logins at any device or application – servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications

PCI 10.x: Privileged Windows Server Logon Attempts using the Administrator Account: This report details privileged logon attempts to a Windows server using the Administrator account

PCI 10.x: Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections

PCI 10.x: Unix Server Privileged Logon: This report details UNIX server privileged logons (su) with all parsed parameters and raw logs

PCI 10.x: Unix Server Privileged Command Execution: This report details privileged command executions (sudo) at a Unix server

PCI 10.x: Successful Firewall Admin Logon Details: Details about successful firewall logons

PCI 10.x: Failed Firewall Admin Logon Details: Details about failed firewall logons

PCI 10.x: Successful Router Admin Logon Details: Details about successful router logons

PCI 10.x: Failed Router Admin Logon Details: Details about failed router logons

PCI 10.x: Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

PCI 10.x: Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

PCI 10.x: Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

PCI 10.x: Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller

PCI 10.x: Network Device Down/Restart: Tracks network device down and restart events

PCI 10.x: Server Down/Restart: Tracks server down and restart events

PCI 10.x: Application Down/Restart: Tracks application stop and start events

PCI 10.x: Network Device Link Module Down/Up: Tracks network device miscellaneous module (e.g. fan, power etc.) down/up events

PCI 10.x: Network Device Errors: Tracks errors reported by network device

COBIT

COBIT AI2.4: Successful Database Server Logon Details: Captures successful database server logons

COBIT AI2.4: Failed Database Server Logon Details: Captures failed database server logons

COBIT AI2.4: Top App Servers By Current Uptime: Ranks App servers by current uptime (i.e. time since last reboot)

COBIT AI2.5: Server Installed Software Changes: This report captures detected installed software changes

COBIT DS3.x: Top Devices By CPU Util: Ranks the devices by average cpu utilization over a window

COBIT DS3.x: Top Devices By Memory Util: Ranks the devices by average memory utilization over a window

COBIT DS3.x: Top Devices By Disk Util: Ranks the devices by average system disk utilization over a window

COBIT DS3.x: Top Firewalls By Connections: Ranks the firewalls by average connection count over a window. The ratio of the connection count to the max connection count since startup is also provided. If the ratio is close to 1 and the firewall has been up for a long time, the firewall is busy from a firewalled connection point of view.

COBIT DS3.x: Top Device Intf By Util, Error, Discards: Ranks the devices and their network interfaces by first average inbound and then by outbound interface utilization. The utilization is computed by accounting for the link bandwidth.

COBIT DS3.x: Top Server Apps By CPU, Mem Util: Ranks the server processes by first average cpu utilization and then by memory utilization over a window

COBIT DS3.x: Top Network Device Processes By CPU, Mem Util: Ranks the host processes by average cpu utilization over a window

COBIT DS3.x: Top App Servers By CPU Usage With Other Performance Metrics: Ranks App servers by CPU usage and also provides details on other performance aspects such as memory, threads and classes

COBIT DS3.x: All devices under performance monitoring: Captures all devices under performance monitoring

COBIT DS4.x: Device Ping Monitor Statistics: Tracks the PING response times and packet loss for the monitored devices

COBIT DS4.x: Network Device Down/Restart: Tracks network device down and restart events

COBIT DS4.x: Server Down/Restart: Tracks server down and restart events

COBIT AI2.4,DS4.x: Application Down/Restart: Tracks application stop and start events

COBIT DS4.x: Network Device Failover: Tracks network device failovers

COBIT DS4.x: Network Device Interface Down/Up: Tracks network device interface down and up events

COBIT AI2.4,DS4.x: Server Interface Down/Up: Tracks server network interface down and up events

COBIT DS4.x: Network Device License Expiry: Tracks network device license expiry events

COBIT DS4.x: Application License Expiry: Tracks application license expiry events

COBIT DS4.x: Network Device Link Module Down/Up: Tracks network device miscellaneous module (e.g. fan, power etc.) down/up events

COBIT DS4.x: Top Network Devices, Errors By Count: Ranks network devices by reported error count

COBIT DS4.x: Top Devices by Accumulated Downtime: Ranks the devices by total system downtime over the last week

COBIT AI2.4,DS4.x: Top Applications By Response Time: Ranks the services by average application level probe response times

COBIT DS5.4: Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on Windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

COBIT DS5.4: Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

COBIT DS5.4: Server Password Changes: Tracks password changes

COBIT DS5.4: Local Windows User Accounts Created: This report captures user accounts added on a server

COBIT DS5.4: Local Windows User Accounts Deleted: This report captures user accounts removed from a server

COBIT DS5.4: Local Windows User Accounts Modified: This report captures local user account modifications.

COBIT DS5.4: Users Added To Local Windows User Groups: This report captures users added to local groups.

COBIT DS5.4: Users Added To Global Windows User Groups: This report captures users added to global or universal groups.

COBIT DS5.4: Users Deleted From Local Windows User Groups: This report captures users deleted from local groups.

COBIT DS5.4: Users Deleted From Global Windows User Groups: This report captures users deleted from global or universal groups.

COBIT DS5.4: Local Windows Groups Deleted: This report captures local group deletions

COBIT DS5.4: Local Windows Groups Modified: This report captures local group modifications

COBIT DS5.4: Local Windows Groups Created: This report captures local group creations

COBIT DS5.4: Global Windows Groups Created: This report captures global group creations

COBIT DS5.4: Global Windows Groups Deleted: This report captures global group deletions

COBIT DS5.4: Global Windows Groups Modified: This report captures global group modifications

COBIT DS5.4: Unix Users Added To Group: Tracks user additions to groups

COBIT DS5.4: Unix User Password Changed: Tracks password changes

COBIT DS5.5: Privileged Windows Server Logon Attempts using the Administrator Account: This report details privileged logon attempts to a Windows server using the Administrator account

COBIT DS5.5: Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections

COBIT DS5.5: Unix Server Privileged Logon: This report details UNIX server privileged logons (su) with all parsed parameters and raw logs

COBIT DS5.5: Unix Server Privileged Command Execution: This report details privileged command executions (sudo) at a Unix server

COBIT DS5.5: Successful Firewall Admin Logon Details: Details about successful firewall logons

COBIT DS5.5: Failed Firewall Admin Logon Details: Details about failed firewall logons

COBIT DS5.5: Successful Router Admin Logon Details: Details about successful router logons

COBIT DS5.5: Failed Router Admin Logon Details: Details about failed router logons

COBIT DS5.5: Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

COBIT DS5.5: Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

COBIT DS5.5: Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

COBIT DS5.5: Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller

COBIT DS5.6: Top Incidents Ranked By Severity, Count: Ranks the incidents by first their severity and then by their count.

COBIT DS5.6: All Availability Incidents: Captures the availability incidents

COBIT DS5.6: Performance Incidents: Captures the performance related incidents

COBIT DS5.6: Security Incidents: Captures the security related incidents

COBIT DS5.9: Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy

COBIT DS5.9: Spyware found but not remediated by Host Antivirus:

COBIT DS5.9: Top Hosts with Malware found by Host Antivirus:

COBIT DS5.9: Top Hosts with Malware Found By Network IPS and Firewalls: Tracks IP addresses with Malware as found by IPS

COBIT DS5.9: Top Hosts with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

COBIT DS5.9: Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.

COBIT DS5.10: Top Firewalls and Permitted Outbound Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service

COBIT DS5.10: Top Firewalls and Permitted Inbound Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service

COBIT DS5.10: Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls – these services may pose security risk

COBIT DS5.10: Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web

COBIT DS5.10: Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – vulnerable services include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445), MS-SQL (1433,1434), FTP (23), TELNET (21)

COBIT DS5.10: Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall originated or destined connections – these connections would typically be for administrative and monitoring purposes

COBIT DS5.10: Top Blocked Internal Sources, Services, Destinations: Ranks blocked internal sources, services and destinations by connection count

COBIT DS5.10: Top Blocked Internal Destinations, Services Ranked By Connection Count: Ranks blocked internal destinations and services by connection count

COBIT DS5.10: Top Network IPS events By Severity, Count: Ranks the network IPS events by count

COBIT DS5.10: Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events

COBIT DS5.10: Top Blocked Network Attacks By Count: Ranks the network attacks blocked by network IPS

COBIT DS5.10: Top Web Users By Uncommon HTTP Method Connections: Ranks web users by uncommon HTTP methods used

COBIT DS5.10: Top Web Users By HTTP POST Exchanged Bytes: Ranks web clients by HTTP POST byte count – can catch malware sending confidential information out

COBIT DS5.10: Top Visited Web Sites And Categories By Connections: Ranks (successfully) visited web sites and categories by the number of connections

COBIT DS5.10: Top Denied Web Sites And Categories By Connections: Ranks web sites and categories that were denied by policy, by the number of connections

COBIT DS5.10: Top Web Users, Denied Sites And Categories By Connections: Ranks users, web sites and categories that were denied by policy, by the number of connections

COBIT DS5.10: Top Inbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason of denial is often the gateway being included in blacklists.

COBIT DS5.10: Top Inbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is often the gateway being included in mail blacklists.

COBIT DS5.10: Filtered Inbound Spam Count: Counts total inbound spam denied by spam filtering policy

COBIT DS5.10: Top Outbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason of denial is often the gateway being included in blacklists.

COBIT DS5.10: Top Outbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is often the gateway being included in mail blacklists.

COBIT DS5.10: Filtered Outbound Spam Count: Counts total outbound spam denied by policy

COBIT DS5.10: Total Denied Web Connections By Policy: Counts denied web site connections because of policy violations

COBIT DS5.10: Top Mail Security Gateway Actions By Count: Ranks the actions taken by the mail security gateway – actions include blocking an inbound/outbound mail gateway because of RBL or other SMTP violations, blocking a mail because of spam or other policy violations and delivering a mail

COBIT DS9.x: Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.

COBIT DS9.x: Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a router's running and startup config

COBIT DS9.x: Router/Switch Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.


SOX

SOX (AI2.4): Successful Database Server Logons: Captures successful database server logons

SOX (AI2.4): Failed Database Server Logons: Captures failed database server logons

SOX (AI2.4,DS4.x): Top Applications By Response Time: Ranks the services by average application level probe response times

SOX (AI2.4): Top App Servers By Current Uptime: Ranks App servers by current uptime (i.e. time since last reboot)

SOX (AI2.4,DS4.x): Application Down/Restart: Tracks application stop and start events

SOX (AI2.4,DS4.x): Server Interface Down/Up: Tracks server network interface down and up events

SOX (AI2.5): Server Installed Software Changes: This report captures detected installed software changes

SOX (DS3.x): Top Devices By CPU Util: Ranks the devices by average cpu utilization over a window

SOX (DS3.x): Top Devices By Memory Util: Ranks the devices by average memory utilization over a window

SOX (DS3.x): Top Devices By Disk Util: Ranks the devices by average system disk utilization over a window

SOX (DS3.x): Top Firewalls By Connections: Ranks the firewalls by average connection count over a window. The ratio of the connection count to the max connection count since startup is also provided. If the ratio is close to 1 and the firewall has been up for a long time, the firewall is busy from a firewalled connection point of view.

SOX (DS3.x): Top Device Intf By Util, Error, Discards: Ranks the devices and their network interfaces by first average inbound and then by outbound interface utilization. The utilization is computed by accounting for the link bandwidth.

SOX (DS3.x): Top Server Apps By CPU, Mem Util: Ranks the server processes by first average cpu utilization and then by memory utilization over a window

SOX (DS3.x): Top Network Device Processes By CPU, Mem Util: Ranks the host processes by average cpu utilization over a window

SOX (DS3.x): Top App Servers By CPU Usage With Other Performance Metrics: Ranks App servers by CPU usage and also provides details on other performance aspects such as memory, threads and classes

COBIT DS5.6: All Availability Incidents: Captures the availability incidents

SOX (DS5.6): Performance Incidents: Captures the performance related incidents

SOX (DS3.x): All devices under performance monitoring: Captures all devices under performance monitoring

SOX (DS5.4): Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on Windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

SOX (DS5.4,PCI1.x): Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

SOX (DS5.4,PCI1.x): Server Password Changes: Tracks password changes

SOX (DS5.4,PCI1.x): Local Windows User Accounts Created: This report captures user accounts added on a server

SOX (DS5.4,PCI1.x): Local Windows User Accounts Deleted: This report captures user accounts removed from a server

SOX (DS5.4,PCI1.x): Local Windows User Accounts Modified: This report captures local user account modifications.

SOX (DS5.4,PCI1.x): Users Added To Local Windows User Groups: This report captures users added to local groups.

SOX (DS5.4): Users Added To Global Windows User Groups: This report captures users added to global or universal groups.

SOX (DS5.4,PCI1.x): Users Deleted From Local Windows User Groups: This report captures users deleted from local groups.

SOX (DS5.4,PCI1.x): Users Deleted From Global Windows User Groups: This report captures users deleted from global or universal groups.

SOX (DS5.4,PCI1.x): Local Windows Groups Deleted: This report captures local group deletions

SOX (DS5.4,PCI1.x): Local Windows Groups Modified: This report captures local group modifications

SOX (DS5.4,PCI1.x): Local Windows Groups Created: This report captures local group creations

SOX (DS5.4,PCI1.x): Global Windows Groups Created: This report captures global group creations

SOX (DS5.4,PCI1.x): Global Windows Groups Deleted: This report captures global group deletions

SOX (DS5.4,PCI1.x): Global Windows Groups Modified: This report captures global group modifications

SOX (DS5.4,PCI1.x): Unix Users Added To Group: Tracks user additions to groups

SOX (DS5.4,PCI1.x): Unix User Password Changed: Tracks password changes

SOX (DS5.5,PCI1.x): Privileged Windows Server Logon Attempts using the Administrator Account: This report details privileged logon attempts to a Windows server using the Administrator account

SOX (DS5.5,PCI1.x): Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections

SOX (DS5.5,PCI1.x): Unix Server Privileged Logon: This report details UNIX server privileged logons (su) with all parsed parameters and raw logs

SOX (DS5.5,PCI1.x): Unix Server Privileged Command Execution: This report details privileged command executions (sudo) at a Unix server

COBIT DS5.5: Successful Firewall Admin Logon Details: Details about successful firewall logons

COBIT DS5.5: Failed Firewall Admin Logon Details: Details about failed firewall logons

SOX (DS5.5,PCI1.x): Successful Router Admin Logon Details: Details about successful router logons

SOX (DS5.5,PCI1.x): Failed Router Admin Logon Details: Details about failed router logons

SOX (DS5.5,PCI1.x): Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

SOX (DS5.5,PCI1.x): Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

SOX (DS5.5,PCI1.x): Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

SOX (DS5.5,PCI1.x): Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller

SOX (DS5.6): Security Incidents: Captures the security related incidents

SOX (DS5.9): Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy

SOX (DS5.9): Spyware found but not remediated by Host Antivirus:

SOX (DS5.9): Top Hosts with Malware found by Host Antivirus:

SOX (DS5.9): Top Hosts with Malware Found By Network IPS and Firewalls: Tracks IP addresses with Malware as found by IPS

SOX (DS5.9): Top Hosts with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

SOX (DS5.9): Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.

SOX (DS5.10): Top Firewalls and Permitted Outbound Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service

SOX (DS5.10): Top Firewalls and Permitted Inbound Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service

SOX (DS5.10): Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls – these services may pose security risk

SOX (DS5.10): Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web

SOX (DS5.10): Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – vulnerable services include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445), MS-SQL (1433,1434), FTP (23), TELNET (21)

SOX (DS5.10): Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall originated or destined connections – these connections would typically be for administrative and monitoring purposes

SOX (DS5.10): Top Blocked Internal Sources, Services, Destinations: Ranks blocked internal sources, services and destinations by connection count

SOX (DS5.10): Top Blocked Internal Destinations, Services Ranked By Connection Count: Ranks blocked internal destinations and services by connection count

SOX (DS5.10): Top Network IPS events By Severity, Count: Ranks the network IPS events by count

SOX (DS5.10): Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events

SOX (DS5.10): Top Blocked Network Attacks By Count: Ranks the network attacks blocked by network IPS

SOX (DS5.10): Top Web Users By Uncommon HTTP Method Connections: Ranks web users by uncommon HTTP methods used

SOX (DS5.10): Top Web Users By HTTP POST Exchanged Bytes: Ranks web clients by HTTP POST byte count – can catch malware sending confidential information out

SOX (DS5.10): Top Visited Web Sites And Categories By Connections: Ranks (successfully) visited web sites and categories by the number of connections

SOX (DS5.10): Top Denied Web Sites And Categories By Connections: Ranks web sites and categories that were denied by policy, by the number of connections

SOX (DS5.10): Top Web Users, Denied Sites And Categories By Connections: Ranks users, web sites and categories that were denied by policy, by the number of connections

SOX (DS5.10): Top Inbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason of denial is often the gateway being included in blacklists.

SOX (DS5.10): Top Inbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is often the gateway being included in mail blacklists.

SOX (DS5.10): Filtered Inbound Spam Count: Counts total inbound spam denied by spam filtering policy

SOX (DS5.10): Top Outbound Blacklisted Mail Gateways By Connections: Ranks denied mail gateways by the number of attempted SMTP connections. The most common reason of denial is often the gateway being included in blacklists.

SOX (DS5.10): Top Outbound Blacklisted Mail Gateways and SMTP Error Types By Connections: Ranks denied mail gateways and the SMTP errors by the number of attempted connections. The most common SMTP error is often the gateway being included in mail blacklists.

SOX (DS5.10): Filtered Outbound Spam Count: Counts total outbound spam denied by policy

SOX (DS5.10): Total Denied Web Connections By Policy: Counts denied web site connections because of policy violations

SOX (DS5.10): Top Mail Security Gateway Actions By Count: Ranks the actions taken by the mail security gateway – actions include blocking an inbound/outbound mail gateway because of RBL or other SMTP violations, blocking a mail because of spam or other policy violations and delivering a mail

SOX (DS9.x): Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence is accurate.

SOX (DS9.x): Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a firewall's running and startup config

SOX (DS9.x): Router/Switch Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.

HIPAA

HIPAA 164.308(a)(3): Server Password Changes: Tracks password changes

HIPAA 164.308(a)(3),164.312(a)(2): Local Windows User Accounts Created: This report captures user accounts added on a server

HIPAA 164.308(a)(3): Local Windows User Accounts Deleted: This report captures user accounts removed from a server

HIPAA 164.308(a)(3): Local Windows User Accounts Modified: This report captures local user account modifications.

HIPAA 164.308(a)(3): Users Added To Local Groups: This report captures users added to local groups.

HIPAA 164.308(a)(3): Users Added To Global Groups: This report captures users added to global or universal groups.

HIPAA 164.308(a)(3): Users Deleted From Local Groups: This report captures users deleted from local groups.

HIPAA 164.308(a)(3): Users Deleted From Global Groups: This report captures users deleted from global or universal groups.

HIPAA 164.308(a)(3): Local Windows Groups Deleted: This report captures local group deletions

HIPAA 164.308(a)(3): Local Windows Groups Modified: This report captures local group modifications

HIPAA 164.308(a)(3): Local Windows Groups Created: This report captures local group creations

HIPAA 164.308(a)(3): Global Windows Groups Created: This report captures global group creations

HIPAA 164.308(a)(3): Global Windows Groups Deleted: This report captures global group deletions

HIPAA 164.308(a)(3): Global Windows Groups Modified: This report captures global group modifications

HIPAA 164.308(a)(4): Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.

HIPAA 164.308(a)(4): Router Config Changes Detected Via Login: This report captures detected startup or running config changes – the changes are detected by logging into the device and hence are accurate.

HIPAA 164.308(a)(4): Router Run vs Startup Config Difference Via Login: This report captures detected differences between a router's running and startup config

HIPAA 164.308(a)(4): Top Firewalls and Outbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted outbound services by first the total number of connections and then by bytes for that service

HIPAA 164.308(a)(4): Top Firewalls and Inbound Permitted Services By Connections, Bytes: Ranks firewalls and permitted inbound services by first the total number of connections and then by bytes for that service

HIPAA 164.308(a)(4): Top Firewalls and Permitted High Port Services By Connections, Bytes: Tracks the high port services permitted by firewalls – these services may pose security risk

HIPAA 1.x: Top Firewalls and Permitted Uncommon Services By Connections, Bytes: Tracks uncommon services permitted by firewalls – common services include DNS, SMTP, Web

HIPAA 164.308(a)(4): Top Firewalls and Permitted Vulnerable Low Port Services By Connections, Bytes: Tracks vulnerable low port services permitted by firewalls – vulnerable services include Microsoft services such as MS-RPC (135), NETBIOS-SSN (139), MICROSOFT-DS (445), MS-SQL (1433,1434), FTP (23), TELNET (21)

HIPAA 164.308(a)(4): Top Firewall Originated Or Destined Permitted Connections By Count: Ranks the firewall originated or destined connections – these connections would typically be for administrative and monitoring purposes

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Detailed Successful Login At HIPAA Device: Captures detailed successful logins at any device or application including servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Detailed Failed Login At HIPAA System: Captures detailed failed logins at any device or application – servers, network devices, domain controllers, VPN gateways, WLAN controllers and applications

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Successful Firewall Admin Logon Details: Details about successful firewall logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed Firewall Admin Logon Details: Details about failed firewall logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Successful Router Admin Logon Details: Details about successful router logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed Router Admin Logon Details: Details about failed router logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Successful VPN Admin Logon: Provides event details for all successful VPN admin logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed VPN Admin Logon: Provides event details for all failed VPN admin logons

HIPAA 10.x: Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Privileged Windows Server Logon Attempts using the Administrator Account: This report details privileged logon attempts to a Windows server using the Administrator account

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Remote Desktop Connections to Windows Servers: This report details successful and failed remote desktop connections

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Successful Windows Server Logons: This report records successful Windows server logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Failed Windows Server Logons: This report records failed Windows server logons

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Successful Unix Server Logons: This report details successful Unix server logons with all parsed fields and raw logs

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c),164.312(a)(2): Failed Unix Server Logons: This report details failed Unix server logons with all parsed fields and raw logs

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Unix Server Privileged Logon: This report details Unix server privileged logon (su) events with all parsed parameters and raw logs

HIPAA 164.308(a)(4),164.308(a)(5)(ii)(c): Unix Server Privileged Command Execution: This report details privileged command executions (sudo) at a Unix server

HIPAA 164.308(a)(5)(ii)(c): Windows Server Account Lockouts: This report captures account lockouts on Windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation

HIPAA 164.308(a)(5)(ii)(c): Windows Server Account Unlocks: Captures account unlocks on Windows servers. Account unlocks happen after lockouts, which may result from repeated login failures

HIPAA 164.308(a)(5): Server Password Changes: Tracks password changes

HIPAA 164.308(a)(6): Virus found but not remediated by Host Antivirus: Captures events that indicate the viruses that Host Antivirus found but failed to remedy

HIPAA 164.308(a)(6): Spyware found but not remediated by Host Antivirus:

HIPAA 164.308(a)(6): Top hosts with Malware found by Host Antivirus:

HIPAA 164.308(a)(6): Top IPs with Malware Found By IPS and Firewalls: Tracks IP addresses with Malware as found by IPS

HIPAA 164.308(a)(6): Top IPs with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways

HIPAA 164.308(a)(6): Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.

HIPAA 164.308(a)(6): Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events

HIPAA 164.308(a)(6): Top Blocked Network Attacks By Count: Ranks the network attacks blocked by network IPS

HIPAA 164.308(a)(6): Top Network IPS events (affecting HIPAA devices) Ranked By Severity, Count: Ranks the network IPS events affecting HIPAA devices

HIPAA 164.308(a)(6): Top System detected Security Incidents (affecting HIPAA devices) Ranked By Severity, Count: Ranks the security related incidents by first their severity and then by their count – restricted to HIPAA devices

HIPAA 164.312(a)(2): Successful VPN Logons: Captures successful VPN logons

HIPAA 164.312(a)(2): Failed VPN Logons: Captures failed VPN logons

HIPAA 164.312(a)(2): Successful Wireless Logons: Captures successful wireless logons

HIPAA 164.312(a)(2): Failed Wireless Logons: Captures failed wireless logons

HIPAA 164.312(a)(2): Successful Windows Domain Authentications: Captures successful domain authentications

HIPAA 164.312(a)(2): Failed Windows Domain Authentications: Captures failed domain authentications

HIPAA 164.312(a)(2): Successful Database Server Logons: Captures successful database server logons

HIPAA 164.312(a)(2): Failed Database Server Logons: Captures failed database server logons

HIPAA 164.312(b): Windows Audit Policy Changed: This report captures audit policy changes

HIPAA 164.312(b): All System Admin User Logon Attempts: Details all System Admin User Logon Attempts

HIPAA 164.312(b): System Operational Warnings: Detects system operational errors, including license limits and a down collector

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
