Category Archives: FortiSIEM

FortiSIEM Device Risk Score Computation

Device Risk Score Computation

Risk computation algorithms are proprietary; this section presents only the knobs that users can tweak to change the score.

Risk score components

The following factors affect the risk score of a device:

  1. Device Importance (also called Asset Weight)
  2. Count and CVSS score of non-remediated vulnerabilities found on that device
  3. Severity and frequency of Security incidents triggering with that device as source or destination
  4. Severity and frequency of Other (performance, availability and change) incidents triggering on that device

Overall Score (0-100) is a weighted average of 3 components – Vulnerability Score, Security Incident Score and Other Incident Score, computed as follows.

User controllable constants

  1. Device Importance – this can be set in CMDB > Device > Summary. You can select multiple devices and set the Importance in one shot. Values are:
    1. Mission Critical – 10
    2. Critical – 7
    3. Important – 4
    4. Normal – 1
  2. Relative weights of Vulnerabilities, Security incidents and Other incidents in the risk score. The default values of the constants are defined in phoenix_config.txt (the three weights sum to 1):
    1. vul_weight = 0.6
    2. security_inci_weight = 0.3
    3. other_inci_weight = 0.1
  3. Maximum number of high-severity events that a mission-critical host can tolerate for each of the 3 score components. These default thresholds are defined in phoenix_config.txt:
    1. vul_threshold = 1
    2. security_inci_threshold = 3
    3. other_inci_threshold = 6

Time varying Risk score

Risk scores are computed for each day. The current risk score is an exponentially weighted average of today's risk and yesterday's risk.

The algorithm also reduces the contribution of earlier vulnerabilities that have since been patched. Such vulnerabilities have a weight of 0.7, while new vulnerabilities and old but still-present vulnerabilities have weight 1.
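The shape described above can be modelled to see how the knobs interact. The following is an added illustrative example, not Fortinet's proprietary algorithm and not code from this page: it uses the default weights and thresholds quoted from phoenix_config.txt and the 0.7 weight for patched vulnerabilities, but the saturating per-component score, the scaling of the thresholds by device importance and the smoothing factor ALPHA are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field

# Importance values as set in CMDB > Device > Summary.
IMPORTANCE = {"Mission Critical": 10, "Critical": 7, "Important": 4, "Normal": 1}

# Defaults quoted from phoenix_config.txt. A weighted average needs them to sum to 1.
WEIGHTS = {"vul": 0.6, "security": 0.3, "other": 0.1}
# High-severity items a Mission Critical host tolerates, per component.
THRESHOLDS = {"vul": 1, "security": 3, "other": 6}

PATCHED_WEIGHT = 0.7   # remediated vulnerabilities keep 70 % of their weight
ALPHA = 0.5            # assumption: blend factor for today's vs. yesterday's score


@dataclass
class Vulnerability:
    cvss: float           # CVSS base score, 0-10
    patched: bool = False


@dataclass
class Incident:
    severity: int         # 0-10, as in the incident XML
    count: int = 1        # times it triggered today


@dataclass
class Device:
    name: str
    importance: str       # key of IMPORTANCE
    vulns: list = field(default_factory=list)
    security: list = field(default_factory=list)   # security incidents
    other: list = field(default_factory=list)      # performance/availability/change


def check_weights(weights=WEIGHTS):
    """True if the configured weights still form a weighted average."""
    return abs(sum(weights.values()) - 1.0) < 1e-9


def component_score(load, threshold, importance):
    """Saturating 0-100 score for one component (assumed shape).

    threshold is what a Mission Critical host tolerates; a less important
    device tolerates proportionally more, so its effective threshold is larger.
    """
    effective = threshold * IMPORTANCE["Mission Critical"] / IMPORTANCE[importance]
    return min(100.0, 100.0 * load / effective)


def daily_score(dev):
    """Today's risk score for a device and its three component scores."""
    vul_load = sum(v.cvss / 10 * (PATCHED_WEIGHT if v.patched else 1.0) for v in dev.vulns)
    sec_load = sum(i.severity / 10 * i.count for i in dev.security)
    oth_load = sum(i.severity / 10 * i.count for i in dev.other)
    parts = {
        "vul": component_score(vul_load, THRESHOLDS["vul"], dev.importance),
        "security": component_score(sec_load, THRESHOLDS["security"], dev.importance),
        "other": component_score(oth_load, THRESHOLDS["other"], dev.importance),
    }
    return sum(WEIGHTS[k] * parts[k] for k in parts), parts


def current_score(today, yesterday):
    """Exponentially weighted blend of today's and yesterday's daily scores."""
    return ALPHA * today + (1 - ALPHA) * yesterday


if __name__ == "__main__":
    dc = Device("dc01", "Mission Critical",
                vulns=[Vulnerability(9.8), Vulnerability(7.5, patched=True)],
                security=[Incident(severity=9, count=2)])
    score, parts = daily_score(dc)
    print(dc.name, round(score, 1), parts)
    print("smoothed with yesterday's 40.0:", current_score(score, 40.0))
```

Running it scores a mission-critical host with one open CVSS 9.8 finding, one patched 7.5 and a severity-9 security incident that fired twice; the same findings on a Normal workstation score about 11 instead of 78, which is the effect of the importance knob. check_weights is the sanity check to run after editing phoenix_config.txt, since weights that do not sum to 1 no longer yield a 0-100 average.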

FortiSIEM Incidents – HTML5 version

Incidents – HTML5 version

Incident tab allows users to view and manage incidents.

Incident Attributes

This topic describes all the columns that can be used to create views in the Incident Dashboard. You can add or remove columns from the dashboard by clicking the Columns icon.

Column Name – Description

Severity – The severity of the incident: High, Medium, or Low
Last Occurred – The last time that the incident was triggered
First Occurred – The first time that the incident was triggered
Incident – The name of the rule that triggered the incident
Incident ID – The unique ID assigned to the incident
Source – The source IP or host name that triggered the incident
Target – The IP or host name where the incident occurred
Detail – Event attributes that triggered the incident
Status – The status of the incident: Active, Cleared, Cleared Manually, System Cleared
Cleared Reason – For manually cleared incidents, the reason the incident was cleared
Cleared Time – The time an incident was cleared
Cleared User – The person who cleared the incident
Comments – Any comments that users have entered for the incident
Ticket Status – Status of any tickets associated with the incident
Ticket ID – The ID number of any tickets generated by the incident
Ticket User – The person assigned to any tickets generated by the incident
External User – If the ticket was cleared in an external ticket-handling system, the name of the person the ticket was assigned to
External Cleared Time – If the ticket was cleared in an external ticket-handling system, the time it was cleared
External Resolved Time – If the ticket was resolved in an external ticket-handling system, the time it was resolved
External Ticket ID – The ID of the incident in an external ticket-handling system
External Ticket State – The state of the incident ticket in an external ticket-handling system
External Ticket Type – The type assigned to the incident ticket in an external ticket-handling system
Organization – The organization reporting the incident
Impacts – Organizations impacted by the incident
Business Service – Business services impacted by the incident
Incident Notification Status – Status of any notifications that were sent because of the incident
Notification Recipients – Who received notification of the incident
Incident Count – How many times the incident has occurred during the selected time interval


Viewing Incidents

Device Risk View of all incidents

List view of all incidents

Viewing incident details

Grouped View of all incidents

Device Risk View of all incidents

This is the default view when a user clicks the Incident tab. It shows a list of devices that triggered incidents. Devices are ranked by a risk score that is computed by combining asset criticality, triggered incidents and found security vulnerabilities (see Device Risk Score Computation above).

To see the incidents for a device, click that device. The incidents show up in a timeline view.

List view of all incidents

This view provides a list of all incidents over a time period. By default:

Active Incidents over the last 2 hours are displayed

The following incident attributes are shown

Severity – High, Medium, Low – shown by colored icons

Last Occurred – the last time the Incident happened

Reporting Device Name – names of devices that reported the events that led to the incident

Incident – rule name

Source – incident source

Target – incident target

Detail – incident parameters other than source and target

Count – number of times the same incident has triggered

To show incidents over a different time interval

Click Time Range Button

A search window appears

To choose a relative time window

Choose Time Range Operator as LAST.

Specify the number of Minutes/Hours/Days/Weeks.

Click Check button.

The Incident page will automatically refresh to show all the incidents over the time window.

To choose an absolute time window

Choose Time Range Operator as FROM.

Specify the starting and end times.

Click Check button.

The Incident page will automatically refresh to show all the incidents over the time window

An incident can be in any of the following states

Active

Cleared

Cleared Manually

System Cleared

By default only Active Incidents are shown. To show Incidents in other states

Click Incident Status Button. A search window appears.

To add a new value, click on the white space next to the selected value. A menu appears. Select the needed values one by one.

Click Check button

The Incident page will automatically refresh to show all the incidents in selected state(s)

To select a different set of Incident attributes

Click Choose columns icon

In the popup, select the columns you want to display by moving them to the right. You can re-order the position of the columns. Click OK.

To force a refresh of the incident view, click the Refresh icon.

Incidents may be displayed over multiple pages. To see incidents on a different page,

Select the Page Selector icon

Either enter the page number or click on the Next or Previous icon to go to the right page

To view incidents for a different organization (Service Provider version),

Click the User icon on top right

Choose the right organization

Click Change View

Viewing incident details

In the default view, an incident is shown in a single line. To see the details of the incident,

Click anywhere on the incident line

Basic incident attributes are shown immediately below the incident. More advanced incident attributes are shown in a bottom pane.

To revert to the single line incident view, click anywhere on the incident line. Detailed views will disappear.

To view the rule that triggered the incident,

Click anywhere on the incident line in the single line incident view.

In the bottom pane, click the Rule tab. Rule details are displayed.

To view the events that triggered the incident

Click anywhere on the incident line in the single line incident view

In the bottom pane, Click Events tab. Basic Event attributes are displayed in a single line. To see the raw events, click on the Basic Event line. Raw events are displayed.

Grouped View of all incidents

Sometimes a user may need a grouped view of incidents to get an overview of which incidents have triggered and which devices are involved. The following grouped views are provided:

Severity – Ranks Incident Severities By Count

Name – Ranks the Incidents By Count

Name, Target – Ranks Incident Name and Incident Target By Count

Name, Source – Ranks Incident Name and Incident Source By Count

Name, Source, Target – Ranks Incident Name, Incident Source and Incident Target By Count

Name, Source, Target, Business Service – Ranks Incident Name, Incident Source, Incident Target and Business Services By Count

Name, Source, Target, Business Service, Organizations – Ranks Incident Name, Incident Source, Incident Target, Business Services and Organizations By Count

Searching Incidents

Searchable Incident Attributes

Constructing Search Condition

Searchable Incident Attributes

Incident Attribute – Description

Time Range – In
ID – Incident ID
IP – Incident Source IP or Incident Target IP
Host – Host name associated with Incident Source IP or Incident Target IP
User – User field specified in Incident Target or Incident Details
Severity – Incident Severity category: High, Medium or Low
Function – Security, Availability, Performance or Change. This is a property of an Incident.
Incident Status – Possible values are Active, Cleared, Cleared Manually, System Cleared
Ticket Status – Possible values are New, Open, Closed, External, Reopened, None. External means opened in an external system.
Incident – Rule name
Biz Service – Business Service name
Organization – Organization name

Constructing Search Condition

To construct a Search condition from a displayed Incident,

Mouse over the cell containing the specific Incident attribute

Right click and choose Add to filter

The condition will be added to existing search string

Matching incidents will be displayed

To construct a Search condition from scratch

Click on the Add filter edit area. Three fields are displayed

Incident Attribute

Operator

Value

Select one of the Incident Attributes from the drop down

Select an Operator from =, !=, IN, NOT IN, CONTAINS, NOT CONTAINS

Select one or more Values from the displayed choices

Click the Check button.

Matching incidents will be displayed


Managing Incidents

Adding Comments

Clearing Incidents

Exporting Incidents to a PDF document

Adding Comments

Click on an Incident in the un-grouped view

From the Actions drop down, select Add Comments

Write the comment and click OK.

Clearing Incidents

Click on an Incident in the un-grouped view

If you have more incidents to clear, then press Shift and click on the second incident. This will select all incidents between the first one and this one. To get this approach to work effectively,

Create a filter to get all the incidents to be cleared in view

Select the first incident

Press Shift and click on the last incident – all incidents are now selected

From the Actions drop down, select Clear

Click OK

Exporting Incidents to a PDF document

Click on an Incident in the un-grouped view

If you have more incidents to export, then press Shift and click on the second incident. This will select all incidents between the first one and this one. To get this approach to work effectively,

Create a filter to get all the incidents to be exported in view

Select the first incident

Press Shift and click on the last incident – all incidents are now selected

From the Actions drop down, select Export

Click OK


FortiSIEM Creating Tickets in External Ticketing System

Creating Tickets in External Ticketing System

See External Helpdesk System Integration.

Using Incidents in Searches and Rules

Creating an Historical Search from an Incident

Creating a Real Time Search from an Incident

Editing Rules from Incidents

Creating an Historical Search from an Incident

When you are viewing an incident, you may want to know about other events related to the source or target of the incident. This topic describes how to create a historical search from an incident.

  1. In the Incident Dashboard, select the incident you want to use.
  2. Select the Incident Source or Incident Target you want to use, and then select Show Related Historical Events.

The Historical Search interface will load, with the IP address of the selected incident attribute loaded in the Filter By conditions, and the Display Fields set to the incident attributes.

  3. Click Run.
  4. You will see a list of events for the Incident Source or Target, which you can further analyze as described in Refining the Results from Historical Search.

Creating a Real Time Search from an Incident

When you are viewing an incident, you may want to know about other events related to the source or target of the incident. This topic describes how to create a real time search from an incident.

  1. In the Incident Dashboard, select the incident you want to use.
  2. Select the Incident Source or Incident Target you want to use, and then select Show Related Real Time Events.

The real time search interface will load, with the IP address of the selected incident attribute loaded in the Filter By conditions, and the Display Fields set to the incident attributes.

  3. Click Run.
  4. You will see a list of events for the Incident Source or Target, which you can further analyze as described in Viewing and Refining Real Time Search Results.

Editing Rules from Incidents

If you need to edit the rule associated with an incident, you can do so directly from the Incident Dashboard.

  1. In the Incident Dashboard, select an incident based on the rule you want to edit.
  2. Click in any column of the selected incident to open the Options menu, and then select Edit Rule.
  3. Edit the rule as necessary, and then click Save.

FortiSIEM Ticket Related Operations

Ticket Related Operations

Creating a ticket without an Incident

  1. Go to Incidents > Tickets.
  2. Click New.
  3. Enter a Summary and Description for the ticket. Both of these fields are required.
  4. For Assigned To, select a user from the menu.
  5. Set any Due Date for the ticket.
  6. Select a Priority for the ticket.
  7. Click Save.

Creating a ticket from an Incident

  1. In the Incident Dashboard, select the incident you want to create a ticket for.
  2. Click Ticket.

The Incident ID, Summary and Description for the ticket will be populated from the incident information.

  3. Select the person you want to assign the ticket to.
  4. Enter a Due Date for the ticket.
  5. Set a Priority for the ticket.
  6. Click Save.

Closing a ticket

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Edit
  4. For State drop down, select Closed
  5. Click Save

Changing the assignee in a ticket

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Edit
  4. For Assigned drop down, select the new Assignee
  5. Click Save

Changing the due date in a ticket

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Edit
  4. For Due Date edit box, select the date and then the time
  5. Click Save.

Adding notes to a ticket

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Edit
  4. Add to Description
  5. Click Save

Adding attachments to a ticket

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Edit
  4. Click PDF or PNG under Attach file
  5. Include the file and Click Upload.
  6. Click Save

Exporting a ticket

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Export

Viewing Ticket History

  1. Go to Incidents > Tickets.
  2. Select a ticket
  3. Click Edit
  4. See Action History on bottom right pane

Searching tickets

This can be done in two ways

Type in key words in Search box

Use the Attribute Value Search –

FortiSIEM Creating Tickets In FortiSIEM In-built Ticketing System

Creating Tickets In FortiSIEM In-built Ticketing System

AccelOps includes a feature that will let you create and assign tickets for IT infrastructure tasks, and create tickets directly from incidents. You can see all tickets that have been created by going to Incidents > Tickets, and then use the filter controls to view tickets by assignee, organization, priority, and other attributes. You can also configure AccelOps and your Remedy system so that Remedy will take tickets created by incident notification actions.

Configuring Remedy to Accept Tickets from AccelOps Incident Notifications

Ticket Related Operations

Configuring Remedy to Accept Tickets from AccelOps Incident Notifications

This topic describes how to configure Remedy to accept tickets as notification actions from AccelOps.

Prerequisites

Procedure

Incident Attributes for Defining Remedy Forms

Prerequisites

Make sure you have configured the Remedy server settings in AccelOps.

Procedure

  1. In Remedy, create a new form, AccelOps_Incident_Interface, with the incident attributes listed in the table at the end of this topic as the form fields.
  2. When you have defined the fields in the form, right-click on each field and select the Data Type that corresponds to the incident attribute.
  3. After setting the form field data type, click in the form field again to set the Label for the field.
  4. When you are done creating the form, go to Servers > localhost > Web Service in Remedy, and select New Web Service.
  5. For Base Form, enter AccelOps_Incident_Interface.
  6. Click the WSDL
  7. For the WSDL Handler URL, enter http://<midtier_server>/arsys/WSDL/public/<servername>/AccelOps_Incident_Interface.
  8. Click the Permissions tab and select
  9. Click

You can test the configuration by opening a browser window and entering the WSDL handler URL from step 7, substituting the Remedy Server IP address for <midtier_server> and localhost for <servername>. If you see an XML page, your configuration was successful.
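The browser check above can be scripted so it runs as part of a deployment check. This is an added example, not code from the page or from Remedy or FortiSIEM; it assumes the mid-tier publishes the WSDL over plain HTTP at the path given in step 7 without authentication, and the two sample responses at the bottom are constructed for offline testing.

```python
import urllib.request
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
FORM = "AccelOps_Incident_Interface"


def wsdl_url(midtier_server, servername="localhost", form=FORM):
    """WSDL handler URL in the form the procedure above uses."""
    return "http://%s/arsys/WSDL/public/%s/%s" % (midtier_server, servername, form)


def check_wsdl(body, form=FORM):
    """Return (ok, reason) for the bytes served at the WSDL URL.

    "An XML page" is not quite enough: error pages are XML/HTML too, so insist
    on a WSDL 1.1 <definitions> root element that references the form.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, "response is not well-formed XML: %s" % exc
    if root.tag != "{%s}definitions" % WSDL_NS:
        return False, "root element is %s, not a WSDL definitions element" % root.tag
    if form not in body.decode("utf-8", "replace"):
        return False, "WSDL does not reference form %s" % form
    return True, "WSDL for %s is published" % form


def fetch_and_check(midtier_server, servername="localhost", timeout=10):
    """Fetch the WSDL from the mid-tier and validate it (assumes HTTP, no auth)."""
    url = wsdl_url(midtier_server, servername)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return check_wsdl(resp.read())


# Constructed responses for offline checking; not real Remedy output.
GOOD = (b'<?xml version="1.0"?>'
        b'<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" '
        b'name="AccelOps_Incident_Interface" targetNamespace="urn:AccelOps_Incident_Interface">'
        b'<service name="AccelOps_Incident_InterfaceService"/></definitions>')
ERROR_PAGE = b"<html><body>Web service not found</body></html>"

if __name__ == "__main__":
    print(check_wsdl(GOOD))
    print(check_wsdl(ERROR_PAGE))
    # print(fetch_and_check("10.0.0.5"))   # against a real mid-tier
```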

Incident Attributes for Defining Remedy Forms

Incident Attribute (Data Type) – Description

biz_service (text) – Name of the business services affected by this incident
cleared_events (text)
cleared_reason (text) – The reason for clearing the incident, if it was cleared
cleared_time (bigint) – The time at which the incident was cleared
cleared_user (character varying(255)) – The user who cleared the incident
comments (text) – Comments
cust_org_id (bigint) – The organization id to which the incident belongs
first_seen_time (bigint) – Time when the incident occurred for the first time
last_seen_time (bigint) – Time when the incident occurred for the last time
incident_count (integer) – Number of times the incident triggered between the first and last seen times
incident_detail (text) – Incident Detail attributes that are not included in incident_src and incident_target
incident_et (text) – Incident Event type
incident_id (bigint) – Incident Id
incident_src (text) – Incident Source
incident_status (integer) – Incident Status
incident_target (text) – Incident Target
notif_recipients (text) – Incident Notification recipients
notification_action_status (text)
orig_device_ip (text)
ph_incident_category (character varying(255)) – AccelOps defined category to which the incident belongs: Network, Application, Server, Storage, Environmental, Virtualization, Internal, Other
rule_id (bigint) – Rule id
severity (integer) – Incident Severity 0 (lowest) to 10 (highest)
severity_cat (character varying(255)) – LOW (0-4), MEDIUM (5-8), HIGH (9-10)
ticket_id (character varying(2048)) – Id of the ticket created in AccelOps
ticket_status (integer) – Status of ticket created in AccelOps
ticket_user (character varying(1024)) – Name of the user to which the ticket is assigned in AccelOps
view_status (integer)
view_users (text)


FortiSIEM Incident XML File Format

Incident XML File Format

This topic includes an example of the XML file that is generated for incidents, and descriptions of its contents.

Example Incident XML File

XML Tag and Attribute Definitions

Example Incident XML File

<?xml version="1.0" encoding="UTF-8" ?>
<incident incidentId="5672" ruleType="PH_RULE_AUTO_SRVC_DOWN" severity="10" repeatCount="1" organization="Super" status="Cleared">
  <name>Auto Service Stopped</name>
  <description>Detects that an automatically running service stopped. Currently this works for windows servers and is detected via WMI.</description>
  <displayTime>Fri Jun 29 15:51:10 PDT 2012</displayTime>
  <incidentSource>
  </incidentSource>
  <incidentTarget>
    <entry attribute="hostIpAddr" name="Host IP">172.16.10.15</entry>
    <entry attribute="hostName" name="Host Name">QA-V-WIN03-ADS</entry>
  </incidentTarget>
  <incidentDetails>
    <entry attribute="serviceName" name="OS Service Name">Spooler</entry>
    <entry attribute="servicePath" name="OS Service Path">C:\WINDOWS\system32\spoolsv.exe</entry>
  </incidentDetails>
  <affectedBizSrvc>Auth Service</affectedBizSrvc>
  <identityLocation>
  </identityLocation>
  <rawEvents>
    [SrvcDown]
    [PH_DEV_MON_AUTO_SVC_START_TO_STOP]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=6005,[hostName]=QA-V-WIN03-ADS,[hostIpAddr]=172.16.10.15,[serviceName]=Spooler,[servicePath]=C:\WINDOWS\system32\spoolsv.exe,[serviceDesc]=Manages all local and network print queues and controls all printing jobs. If this service is stopped, printing on the local machine will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.,[phLogDetail]=
  </rawEvents>
</incident>

XML Tag and Attribute Definitions

XML Tag / Attribute – Description

<incident>
  incidentId – Unique id of the incident in AccelOps. You can search for the incident by using this ID.
  ruleType – Unique id of the rule in AccelOps
  severity – The severity of the incident on a 0 (lowest) to 10 (highest) scale; 0-4 is LOW, 5-8 MEDIUM and 9-10 HIGH
  repeatCount – How many times this incident has occurred
  organization – In multi-tenant deployments, the organization affected by the incident
  status – The status of the incident
<name> – The name of the rule that triggered the incident
<description> – The description of the rule that triggered the incident
<displayTime> – The time when the incident occurred
<incidentSource> – The source of the incident. It includes the event attributes associated with the source, presented as name:value pairs. Common attributes for source and target here are srcIpAddr, destIpAddr and hostIpAddr.
<incidentTarget> – Where the incident occurred, or the target of an IPS alert. It includes the event attributes associated with the target, presented as name:value pairs. Common attributes for source and target here are srcIpAddr, destIpAddr and hostIpAddr.
<incidentDetails> – The event attributes associated with the rule definition that triggered the incident
<affectedBizSrvc> – Any business services impacted by the event
<identityLocation> – Information associated with the Identity and Location Report
<rawEvents> – The contents of the raw event log for the incident.
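A notification-action script (see Setting Scripts as Notification Actions below) has to read exactly this document. The parser below is an added example, not code from the page or FortiSIEM's own; it uses only the standard library and, beyond what the restart script further down does, also breaks the rawEvents payload into its [key]=value attributes without splitting on the commas that occur inside values such as serviceDesc. The sample document is constructed from the example above; writing the target IP as "ip(hostname)" is taken from the trim step in that restart script.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the incident XML shown on this page, trimmed, with the
# target IP in the "ip(hostname)" form that notification scripts have to trim.
SAMPLE_XML = r"""<?xml version="1.0" encoding="UTF-8" ?>
<incident incidentId="5672" ruleType="PH_RULE_AUTO_SRVC_DOWN" severity="10" repeatCount="1" organization="Super" status="Cleared">
  <name>Auto Service Stopped</name>
  <description>Detects that an automatically running service stopped.</description>
  <displayTime>Fri Jun 29 15:51:10 PDT 2012</displayTime>
  <incidentSource></incidentSource>
  <incidentTarget>
    <entry attribute="hostIpAddr" name="Host IP">172.16.10.15(QA-V-WIN03-ADS)</entry>
    <entry attribute="hostName" name="Host Name">QA-V-WIN03-ADS</entry>
  </incidentTarget>
  <incidentDetails>
    <entry attribute="serviceName" name="OS Service Name">Spooler</entry>
    <entry attribute="servicePath" name="OS Service Path">C:\WINDOWS\system32\spoolsv.exe</entry>
  </incidentDetails>
  <affectedBizSrvc>Auth Service</affectedBizSrvc>
  <identityLocation></identityLocation>
  <rawEvents>
[SrvcDown]
[PH_DEV_MON_AUTO_SVC_START_TO_STOP]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cpp,[lineNumber]=6005,[hostName]=QA-V-WIN03-ADS,[hostIpAddr]=172.16.10.15,[serviceName]=Spooler,[servicePath]=C:\WINDOWS\system32\spoolsv.exe,[serviceDesc]=Manages all local and network print queues and controls all printing jobs. If this service is stopped, printing on the local machine will be unavailable.,[phLogDetail]=
  </rawEvents>
</incident>
"""

KEY = re.compile(r"\[(\w+)\]=")       # start of one [key]=value pair in a raw event
IP_SUFFIX = re.compile(r"\(.*\)$")    # "(hostname)" appended to an IP address


def entries(elem):
    """<entry attribute="k">v</entry> children of elem as a dict."""
    if elem is None:
        return {}
    return {e.get("attribute"): (e.text or "").strip() for e in elem.findall("entry")}


def parse_raw_event(line):
    """Split "[TYPE]:[k1]=v1,[k2]=v2,..." into (TYPE, {k: v}).

    Values may contain commas, so each value runs up to the next "[key]="
    marker (minus the separating comma) rather than up to the next comma.
    Lines without attributes, such as "[SrvcDown]", yield (None, {}).
    """
    head, sep, body = line.partition(":")
    m = re.fullmatch(r"\[(\w+)\]", head.strip())
    if not sep or m is None:
        return None, {}
    attrs = {}
    marks = list(KEY.finditer(body))
    for i, mk in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(body)
        attrs[mk.group(1)] = body[mk.end():end].rstrip(",").strip()
    return m.group(1), attrs


def parse_incident(xml_text):
    """The incident document as a plain dict; raises on a non-incident root."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "incident":
        raise ValueError("not an incident document: <%s>" % root.tag)
    raw_lines = [ln.strip() for ln in (root.findtext("rawEvents") or "").splitlines() if ln.strip()]
    parsed = [parse_raw_event(ln) for ln in raw_lines]
    return {
        "incidentId": root.get("incidentId"),
        "ruleType": root.get("ruleType"),
        "severity": int(root.get("severity", "0")),
        "repeatCount": int(root.get("repeatCount", "0")),
        "status": root.get("status"),
        "organization": root.get("organization"),
        "name": root.findtext("name"),
        "source": entries(root.find("incidentSource")),
        "target": entries(root.find("incidentTarget")),
        "details": entries(root.find("incidentDetails")),
        "bizService": root.findtext("affectedBizSrvc"),
        "rawLines": raw_lines,
        "events": [(t, a) for t, a in parsed if t is not None],
    }


def target_ip(incident):
    """Target host IP with any "(hostname)" suffix removed, or None."""
    ip = incident["target"].get("hostIpAddr")
    return IP_SUFFIX.sub("", ip).strip() if ip else None


if __name__ == "__main__":
    inc = parse_incident(SAMPLE_XML)
    print(inc["incidentId"], inc["name"], inc["status"], target_ip(inc))
    for etype, attrs in inc["events"]:
        print(etype, attrs.get("hostName"), attrs.get("serviceName"))
```

For a real notification action, read the file named in sys.argv[1] with ET.parse instead of the embedded sample; the rest of the logic is unchanged.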


FortiSIEM Setting Scripts as Notification Actions

Setting Scripts as Notification Actions

One of the actions you can specify for an incident notification is to execute a script. For example, suppose you are monitoring Windows services that are in Auto mode, and you have rules that will trigger an incident if one of those services is stopped. The notification action for that incident can include the running of a script by AccelOps that will re-start the service, as shown in the example scripts in this topic.

How Script Notification Actions are Processed

  1. When you specify the notification action as a script, you must provide the full path to the script in the notification policy settings, for example /tmp/Myscript.py.
  2. You must write the script so it expects the incident XML file to be located in the same directory as the script, for example /tmp if the script location is /tmp/Myscript.py.
  3. When a notification policy is triggered by an incident, the policy actions are handled in sequential order, so if there are multiple script actions, the first one will be processed before the second one.
  4. When the script action is processed, the AccelOps notification module will first generate an incident XML file and put it in the same directory as the script. AccelOps will then call the script with the XML file name as an argument.
  5. When the script returns, the incident XML file that was created by AccelOps is deleted, so there is no confusion with the next script action which involves a new incident XML file and is processed only after the previous script action is complete.

Setting a Script Notification Action

  1. Log in to your Supervisor node.
  2. Go to Analytics > Incident Notification Policy.
  3. Select the notification policy where you want to add the script action.
  4. Under Actions, next to the Methods table, click .
  5. Under Run Script, click Add.
  6. For Script Name, enter the name of the script and the absolute directory path to it.
  7. Click OK.


Example of a Windows Restart Script as a Notification Action

This topic provides an example of a script that could be used as a notification action, following the example of re-starting a Windows service that has stopped and triggered an incident as described in Setting Scripts as Notification Actions.

This example requires two scripts: one located on the Windows server that hosts the service, and a script on the AccelOps Supervisor host machine that will be triggered by the incident notification and will execute the Windows server script.

Windows Script

AccelOps Script

Windows Script

  1. Create a script named installWinexeSvc.bat for starting the remote winexe provider service.

AccelOps Script

This script, restartWinService.py, reads the incident XML file, parses out the target IP and stopped service, and issues a winexe command to restart the service.

#!/usr/bin/env python3
# restartWinService.py - notification-action script. AccelOps writes the
# incident XML next to this script and calls it with the file name as the only
# argument; the script picks the target host and the stopped service out of the
# XML and restarts the service over winexe.
import os
import re
import subprocess
import sys
import time
import xml.dom.minidom

# NOTE: use an account on your Windows server that has permission to run "sc".
# The credentials are read from the environment of the notification process
# rather than being hard-coded in the script.
WIN_USER = os.environ.get("WIN_USER", "Administrator")
WIN_PASSWORD = os.environ.get("WIN_PASSWORD", "")


def entry_value(doc, tag, attribute):
    """Text of <entry attribute="..."> under the first <tag> element, or ""."""
    nodes = doc.getElementsByTagName(tag)
    if nodes.length < 1:
        print("no %s found!" % tag)
        return ""
    for node in nodes[0].childNodes:
        if node.nodeType == node.ELEMENT_NODE and node.getAttribute("attribute") == attribute:
            return node.firstChild.data if node.firstChild else ""
    return ""


def winexe(target_ip, command):
    """Run one command on the target over winexe and return its exit code.

    winexe takes the remote command as a single argument. Passing an argument
    list instead of an os.system shell string means a service name taken from
    the XML cannot inject extra commands into the local shell.
    """
    return subprocess.call(["winexe", "--user", WIN_USER, "--password", WIN_PASSWORD,
                            "//" + target_ip, command])


def main():
    if len(sys.argv) != 2:
        print("Usage: restartWinService.py incident.xml")
        sys.exit(1)
    file_name = sys.argv[1]
    print("parsing incident xml file :", file_name)
    doc = xml.dom.minidom.parse(file_name)

    # /incident/incidentTarget/entry[@attribute='hostIpAddr']
    target_ip = entry_value(doc, "incidentTarget", "hostIpAddr")
    if target_ip == "":
        print("no incident target found!")
        sys.exit(1)
    # trim IP, e.g. 10.1.20.189(SH-Quidway-SW1)
    target_ip = re.sub(r"\(.+\)", "", target_ip)
    print("restart service for target IP:", target_ip)

    # /incident/incidentDetails/entry[@attribute='serviceName']
    target_service = entry_value(doc, "incidentDetails", "serviceName")
    if target_service == "":
        print("no service name found!")
        sys.exit(1)

    # stop the service, give it time to stop, then start it again
    ret = winexe(target_ip, "sc stop " + target_service)
    print("stop service with return code ,", ret)
    print("waiting service stop")
    time.sleep(10)
    ret = winexe(target_ip, "sc start " + target_service)
    print("start service with return code ,", ret)


if __name__ == "__main__":
    main()