Fabric View – FortiAnalyzer – FortiOS 6.2.3

Fabric View

Fabric Connectors

You can use FortiAnalyzer to create the following types of fabric connectors:

ITSM

You can use the Fabric Connectors tab to create the following types of ITSM connectors:

l ServiceNow l Webhook, a generic connector

Creating or editing ITSM connectors

You can create ITSM connectors for ServiceNow and Webhook.

To create or edit ITSM connectors:

  1. Go to Fabric View > Fabric Connectors.
  2. To create an ITSM connector, click Create New. In the Create New Fabric Connector wizard, select ServiceNow or Webhook, and click Next.

To edit an ITSM connector, click the ITSM connector. The connector options are displayed.

  1. Configure the following options, and then click OK:
Property   Description
Name   Type a name for the fabric connector.
Description   (Optional) Type a description for the fabric connector.
Protocol   Select HTTPS.
Property Description
Port Specify the port FortiAnalyzer uses to communicate with the external platform.
Method Select POST.
Title Type a title for the fabric connector.
URL Type the URL of the external platform.

Using ServiceNow as an example, copy and paste the URL from ServiceNow API URL in the Connection to ServiceNow API section in ServiceNow > FortiAnalyzerSystem Properties.

Enable HTTP Authentication Set HTTP authentication to ON or OFF.

Using ServiceNow as an example, enter the username and password from the Connection to ServiceNow API section in ServiceNow > FortiAnalyzer System Properties.

Status Toggle ON to enable the fabric connector. Toggle OFF to disable the fabric connector.

Storage

You can use the Fabric Connectors tab to create the following types of storage connectors: l Amazon S3

l Microsoft Azure l Google Cloud

Creating or editing storage connectors

You can create storage connectors for Amazon S3, Microsoft Azure, and Google Cloud. Once you have created a storage connector, you can upload FortiAnalyzer logs to cloud storage. See Upload logs to cloud storage on page 219

To create a storage connector:

  1. Go to Fabric View > Fabric Connectors.
  2. Select Create New. In the Create New Fabric Connector wizard, choose Amazon S3, Azure Blob, or Google and select Next.
  3. Configure the following options and select OK.
Property   Description
Name   Type a name for the fabric connector.
Comments   (Optional) Add comments about the connector.
Title   Type a title for the fabric connector.
Status   Toggle On to enable the fabric connector. Toggle Off to disable the fabric connector.
Amazon S3

Azure Blob

Google

Provider Type AWS.
Region Select a region.
Access Key ID Paste the access key from the IAM user account.
Secret Access Key Paste the secret access key from the IAM user account. Click the eye icon to Show or Hide the key.
Storage Account

Name

Paste the storage account name from the Microsoft Azure account.
Account Key Paste the account key from the Microsoft Azure account.
Cloud

Project Number

Paste the project number from the Google account.
Service Account Credentials Paste the entire Google account JSON key into the field. Click the eye icon to Show or Hide the key.
Cloud Location Select a Google Cloud location. For information about Google locations, visit the product help.
  1. Advanced options will differ between the various types of storage connectors.

To edit a storage connector:

  1. Go to Fabric View > Fabric Connectors.
  2. Select an existing storage connector to edit.
  3. In the dropdown menu that appears below the connector name, modify the connector settings.
  4. Select OK.

Identity Center

The Fabric View > Identity Center pane displays a list of users and endpoints in the network from relevant logs, and correlates them with FortiAnalyzer modules.

The Identity Center is useful for user and endpoint mapping. Some users might use multiple endpoints in the network, endpoints might use multiple different interfaces to connect, network interfaces might have multiple IP addresses, and so on. A map of users and their endpoints gives you better visibility when you analyze logs, events, and incidents. This also helps with your reporting.

To view relevant identity logs directly from the SOC, Log View, and Incidents & Events panes, click the user or endpoint log, then click the Topography link in the pop-up that appears.

This Identity pane lists all endpoints and users from relevant logs and correlates them with FortiAnalyzer modules.

Column Description
User Name The name of the user.
User Group The group of user identities. An identity can be a: l Local user account (username/password stored on the FortiGate unit) l Remote user account (password stored on a RADIUS, LDAP, or TACACS+ server) l PKI user account with digital client authentication certificate stored on the FortiGate unit l RADIUS, LDAP, or TACACS+ server, optionally specifying particular user groups on that server l User group defined on an FSSO server.
Endpoints Endpoint host name, IP address, or MAC address. A user may be connected to multiple endpoints.

Click the endpoint to display the corresponding user information in the Assets pane.

Social The user’s Name, Picture, Email, Phone Number, and Social if it is available.
Source The name of device that created the log.
Last Update The date and time the log was updated.

Use the toolbar to select a Security Fabric, time period, and columns.

End user information is limited if there is no FortiClient in your installation.

  • Endpoints are detected based on MAC address and displayed by IP address instead of host name.
  • User related information might not be available.
  • Detailed information such as OS version, avatar, and social ID information are not available.

To provide a unified experience, you can customize how identity information is displayed, including which fields are displayed, the order, and the priority.

To configure the display settings in the Social column:

  1. Go to Log View >Tools > UserDisplay Preferences.
  2. Select the order preference tab you want to configure.

Tabs include Name, Picture, Email, Phone Number, and Social.

  1. Rearrange the order preference as per your needs by drag-and-dropping an entry. For names, pictures, emails, and phone numbers, only the top entry will appear in the identity pop-up window.
  2. User information can be disabled by moving the Show toggle to the Off position in the respective tabs.

Assets

The Fabric View > Assets pane is the central location for security analysts to view endpoint and user information to make sure they are compliant. Endpoints are important assets in a network as they are the main entry points in a cybersecurity breach.

The Assets pane is useful for the following:

  • Incident response. Check assets that are infected or vulnerable as part of your SOC analysis and incident response process. l Identify unknown and non-compliant users and endpoints.

To view relevant asset logs directly from the SOC, Log View, and Incidents & Events panes, click the user or endpoint log, then click the Topography link in the pop-up that appears.

The Assets pane lists all endpoints and users from relevant logs and correlates them with FortiAnalyzer modules. Sort by the Vulnerabilities column to see which endpoints and users have the highest vulnerabilities.

Column Description
Endpoint Endpoint host name or IP address.
User The name of the user. Click the name to view the corresponding user information in the Identity Center pane.
MAC Address Endpoint MAC address.
IP Address IP address the endpoint is connected to. A user might be connected to multiple endpoints.
FortiClient UUID Unique ID of the FortiClient.
Hardware / OS OS name and version.
Vulnerabilities The number of vulnerabilities for critical, high, medium, and low vulnerabilities. Click the vulnerability to view the name and category.
Network Location The location of the FortiAnalyzer device.
Last Update The date and time the log was updated.

Use the toolbar to select a Security Fabric, time period, and columns.

If there is no FortiClient in your installation, then endpoint and end user information is limited.

  • Endpoints are detected based on MAC address and displayed by IP address instead of host name.
  • User related information might not be available.
  • Detailed information such as OS version, avatar, and social ID information are not available.

 

This entry was posted in Administration Guides, FortiAnalyzer, FortiOS, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.