FortiSIEM Change management related reports

Change management related

Network Device Config Changes

Server Changes

Network Device Config Changes

Change: Router Configuration Changes Detected From Log: This report provides details about router config changes reported in device logs.

Change: Router Run versus Startup Config Difference Via Login: This report captures detected differences between a router's running and startup config.

Change: Router Config Changes Detected Via Login: This report captures detected configuration changes via login

WLAN Config Change: This report tracks all software, hardware and device configuration changes at WLAN access points and base stations. The report includes the Original Reporting Controller IP, the Event Type and the MAC address of the AP or controller where the event happened. If the MAC address is empty, the event happened at the reporting controller.

Change: Firewall Run vs Startup Config Difference Via Login: This report captures detected differences between a firewall's running and startup config.

Change: Firewall Config Changes Detected Via Login: This report captures detected startup or running config changes. The changes are detected by logging into the device and reading its configuration, so they are accurate rather than inferred from logs.

Server Changes

Change: Database Server DDL Changes: Captures database DDL changes

Change: Top Windows Servers, Users by Account Modification Count: This report ranks the Windows servers and their administrative users by the number of user account modification events.

Change: Windows Server Account Modification Details: This report captures the details of Windows account modification events. Details include the administrative user, target user, the operation performed and the raw log.

Change: Windows File Access Details: This report captures the details of Windows server file access events. Details include the administrative user, file/directory, the operation performed and the raw log.

Change: Top Windows Servers, Users By Config/Policy Modification Count: This report ranks the Windows servers and their administrative users by the number of server configuration or policy modification events.

Change: Windows Server Config Modification Details: This report captures the details of Windows server configuration or policy modification events. Details include the administrative user, file/directory, the operation performed and the raw log.

Change: Local User Accounts Created: This report captures user accounts added on a server.

Change: Local User Accounts Deleted: This report captures user accounts removed from a server.

Change: User Accounts Modified: This report captures local user account modifications.

Change: Users Added To Local Groups: This report captures users added to local groups.

Change: Users Added To Global Groups: This report captures users added to global or universal groups.

Change: Users Deleted From Local Groups: This report captures users deleted from local groups.

Change: Users Deleted From Global Groups: This report captures users deleted from global or universal groups.

Change: Local Groups Deleted: This report captures local group deletions

Change: Local Groups Modified: This report captures local group modifications

Change: Global Groups Created: This report captures global group creations

Change: Global Groups Deleted: This report captures global group deletions

Change: Global Groups Modified: This report captures global group modifications

Change: Local Groups Created: This report captures local group creations

Change: Windows Server Password Changes: Tracks password changes

Change: Windows Server Account Lock/Unlock history: Captures account lockouts and unlocks on Windows servers. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

Change: Windows Audit Policy Changed: This report captures audit policy changes

Change: Windows File Access Failures: This report captures the details of Windows server file access failures. Details include the administrative user, file/directory, the operation performed and the raw log.

Change: Windows File Access Successes: This report captures the details of Windows server file access successes. Details include the administrative user, file/directory, the operation performed and the raw log.

Change: All Account/Group Change Events: This report lists all account/group change events

Change: Top Windows Domain Controllers, Users By Account Modification Count: Ranks Domain Controllers and their administrators by the number of account modifications performed

Change: Windows Domain Account Modification Details: Provides details of Windows domain account modifications.

Change: Top Windows Domain Controllers, Users By File Modification Count: Ranks the Domain Controllers and their administrators by the number of file modifications performed.

Change: Windows Domain Controller File Modification Details: Provides details about domain controller file modifications.

Change: Top Windows Domain Controllers, Users By Config Modification Count: Ranks Domain Controllers and their administrators by the number of config modifications performed.

Change: Windows Domain Controller Config Changes: Provides details of Windows domain controller config changes.

Change: Computers added to domain: Captures computers added to a domain

Change: Computers deleted from domain: Captures computers removed from a domain.

Change: Domain user accounts created: Captures user accounts added to a domain.

Change: Domain user accounts deleted: Captures user accounts removed from a domain.

Change: Domain user accounts modified: Captures domain user account modifications.

Change: Domain groups created: Captures domain group creations

Change: Domain groups deleted: Captures domain group deletions

Change: Domain groups modified: Captures domain group modifications

Change: Users Added To Domain Groups: Tracks users added to domain groups

Change: Users Deleted From Domain Groups: Tracks users deleted from domain groups. The information contains who did it (User, Computer, Domain, Source IP) along with the deleted account (Target User) and group (Target User Group).

Change: Domain User Password Changes: Tracks password changes

Change: Domain Account Lock/Unlock history: Captures account lockouts and unlocks on domain accounts. Account lockouts happen on repeated login failures and may be suspicious if they are repeated or happen at odd hours of operation.

Change: Domain Account Unlocks: Captures account unlocks on domain accounts. An unlock follows a lockout, which itself results from repeated login failures, so an unlock shortly after a burst of failures is worth correlating with the failure source.

Change: Windows Domain Controller Audit Policy Changed: This report captures audit policy changes

Change: Unix Users Added To Group: Tracks user additions to groups

Change: Unix User Password Changed: Tracks password changes

Change: Audited file changes: Tracks user modifications to files and directories. Both the content and attribute modifications are captured. For actions on directories, the affected files in the directories are also captured.

FortiSIEM Security Information Management

Security Information Management

User Password Monitoring Events

AccelOps generates the following events related to user password monitoring during LDAP discoveries.

LDAP Password Never Expire Events

LDAP Password Not Required Events

LDAP Password Expiry Event

LDAP Password Stale Events

LDAP Password Never Expire Events

Event Type: PH_DEV_DISCOV_ADS_PASSWORD_NEVER_EXPIRES

Source: Windows Active Directory Discovery via LDAP

Key Attributes:

Name | Id | Type | Description
Event Type | eventType | string | Event type set to PH_DEV_DISCOV_ADS_PASSWORD_NEVER_EXPIRES
Event Severity | eventSeverity | uint16 | Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High: severities 0-4 map to Low, 5-8 to Medium and 9-10 to High
Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event
Reporting IP | reptDevIpAddr | IP | AccelOps Super IP
Relaying IP | relayDevIpAddr | IP | AccelOps Super IP
Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma-separated "[Attribute]=value" format
Host name | hostName | string | Active Directory server host name
Host IP Address | hostIpAddr | IP | Active Directory server IP
User | user | string | User logon name
User Full Name | userFullName | string | User full display name
User Distinguished Name | userDN | string | User distinguished name
Password Age | passwordAge | uint64 | Password age in days
Password Last Set | passwordLastSet | Date | Time when the password was last set

LDAP Password Not Required Events

Event Type: PH_DISCOV_ADS_PASSWORD_NOT_REQD

Description: Event lists users whose accounts do not require a password

Source: Windows Active Directory Discovery via LDAP

Sample event:

Key Attributes:

Name | Id | Type | Description
Event Type | eventType | string | Event type set to PH_DISCOV_ADS_PASSWORD_NOT_REQD
Event Severity | eventSeverity | uint16 | Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High: severities 0-4 map to Low, 5-8 to Medium and 9-10 to High
Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event
Reporting IP | reptDevIpAddr | IP | AccelOps Super IP
Relaying IP | relayDevIpAddr | IP | AccelOps Super IP
Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma-separated "[Attribute]=value" format
Host name | hostName | string | Active Directory server host name
Host IP Address | hostIpAddr | IP | Active Directory server IP
User | user | string | User logon name
User Full Name | userFullName | string | User full display name
User Distinguished Name | userDN | string | User distinguished name

LDAP Password Expiry Event

Event Type: PH_DISCOV_ADS_PASSWORD_TO_EXPIRE

Description: Event lists users, the time each password was last set, and the number of days until it expires

Source: Windows Active Directory Discovery via LDAP

Sample event:

<174>Feb 12 12:09:29 PH-QA-AUTOTEST phDiscover[22677]: [PH_DISCOV_ADS_PASSWORD_TO_EXPIRE]:[eventSeverity]=PHL_INFO,[procName]=phDiscover,[fileName]=dirUser.cpp,[lineNumber]=1750,[hostIpAddr]=192.168.0.10,[user]=testuser,[userFullName]=Testuser,[userDN]=CN=Testuser,CN=Users,DC=acme,DC=net,[daysToPasswordExpiry]=0,[passwordLastSet]=1360606672,[phLogDetail]=

Key Attributes:

Name | Id | Type | Description
Event Type | eventType | string | Event type set to PH_DISCOV_ADS_PASSWORD_TO_EXPIRE
Event Severity | eventSeverity | uint16 | Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High: severities 0-4 map to Low, 5-8 to Medium and 9-10 to High
Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event
Reporting IP | reptDevIpAddr | IP | AccelOps Super IP
Relaying IP | relayDevIpAddr | IP | AccelOps Super IP
Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma-separated "[Attribute]=value" format
Host name | hostName | string | Active Directory server host name
Host IP Address | hostIpAddr | IP | Active Directory server IP
User | user | string | User logon name
User Full Name | userFullName | string | User full display name
User Distinguished Name | userDN | string | User distinguished name
Days to Password Expiry | daysToPasswordExpiry | uint64 | Number of days until the password expires
Password Last Set | passwordLastSet | Date | Time when the password was last set
LDAP Password Stale Events

Event Type: PH_DISCOV_ADS_PASSWORD_STALE

Source: Windows Active Directory Discovery via LDAP

Key Attributes:

Name | Id | Type | Description
Event Type | eventType | string | Event type set to PH_DISCOV_ADS_PASSWORD_STALE
Event Severity | eventSeverity | uint16 | Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High: severities 0-4 map to Low, 5-8 to Medium and 9-10 to High
Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event
Reporting IP | reptDevIpAddr | IP | AccelOps Super IP
Relaying IP | relayDevIpAddr | IP | AccelOps Super IP
Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma-separated "[Attribute]=value" format
Host name | hostName | string | Active Directory server host name
Host IP Address | hostIpAddr | IP | Active Directory server IP
User | user | string | User logon name
User Full Name | userFullName | string | User full display name
User Distinguished Name | userDN | string | User distinguished name
Password Age | passwordAge | uint64 | Age of the password in days
Password Last Set | passwordLastSet | Date | Time when the password was last set
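The sample event above shows the layout every AccelOps/FortiSIEM event on this page shares: a syslog header, the event type in square brackets, then comma-separated [attribute]=value pairs. The parser below is an added example, not FortiSIEM code. It splits that payload correctly even when a value itself contains commas (the userDN does), then turns the four LDAP password-monitoring event types into a list of accounts to review. Only the first sample line is the event shown on this page, with its PDF line breaks rejoined; the next two are constructed for this example in the same layout, and the last is the VM network event from later on this page, included to show a non-password event being parsed and skipped.

```python
"""Parse AccelOps/FortiSIEM "[attribute]=value" events and flag weak AD password states.

Added example, not FortiSIEM code. It assumes only the layout shown on this page:
"<PRI>Mon DD hh:mm:ss host process[pid]: [EVENT_TYPE]:[attr]=value,[attr]=value,..."
"""
import re
from datetime import datetime, timezone

# Syslog header, then the event type in brackets, then the attribute payload.
_HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?:\s*\[(?P<etype>[A-Z0-9_\-]+)\]:(?P<attrs>.*)$"
)
# One pair. The value runs until the ",[" (or ", [") that opens the next attribute,
# or to the end of the line, so a DN such as "CN=a,CN=Users,DC=x" stays whole.
_PAIR = re.compile(r"\[(?P<k>[A-Za-z0-9_]+)\]=(?P<v>.*?)(?=,\s*\[[A-Za-z0-9_]+\]=|$)")


def parse_event(line):
    """Return syslog header fields plus an attribute dict; ValueError if malformed."""
    m = _HEADER.match(line.strip())
    if m is None:
        raise ValueError("not an AccelOps event: %r" % line[:60])
    pri = int(m.group("pri"))
    return {
        "host": m.group("host"), "proc": m.group("proc"), "pid": m.group("pid"),
        "etype": m.group("etype"),
        "facility": pri >> 3, "severity": pri & 0x07,  # standard syslog PRI decoding
        "attrs": {p.group("k"): p.group("v") for p in _PAIR.finditer(m.group("attrs"))},
    }


def severity_category(severity):
    """Event severity 0-10 -> Low/Medium/High, as defined in the attribute tables."""
    if not 0 <= severity <= 10:
        raise ValueError("severity must be 0-10")
    if severity <= 4:
        return "Low"
    return "Medium" if severity <= 8 else "High"


# The four LDAP discovery event types on this page and what each one means.
PASSWORD_FINDINGS = {
    "PH_DEV_DISCOV_ADS_PASSWORD_NEVER_EXPIRES": "password never expires",
    "PH_DISCOV_ADS_PASSWORD_NOT_REQD": "password not required",
    "PH_DISCOV_ADS_PASSWORD_STALE": "password stale",
    "PH_DISCOV_ADS_PASSWORD_TO_EXPIRE": "password about to expire",
}


def password_findings(lines):
    """One review item per password-monitoring event; other event types are skipped."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        label = PASSWORD_FINDINGS.get(ev["etype"])
        if label is None:
            continue
        a = ev["attrs"]
        if ev["etype"] == "PH_DISCOV_ADS_PASSWORD_TO_EXPIRE":
            label += " (%s day(s) left)" % a.get("daysToPasswordExpiry", "?")
        last_set = None
        if a.get("passwordLastSet", "").isdigit():  # epoch seconds in the sample event
            last_set = datetime.fromtimestamp(int(a["passwordLastSet"]), tz=timezone.utc).date().isoformat()
        findings.append({"user": a.get("user"), "userDN": a.get("userDN"),
                         "domainController": a.get("hostIpAddr"),
                         "finding": label, "passwordLastSet": last_set})
    return findings


SAMPLE_EVENTS = [
    # Event shown on this page, with the PDF line breaks rejoined.
    "<174>Feb 12 12:09:29 PH-QA-AUTOTEST phDiscover[22677]: [PH_DISCOV_ADS_PASSWORD_TO_EXPIRE]:"
    "[eventSeverity]=PHL_INFO,[procName]=phDiscover,[fileName]=dirUser.cpp,[lineNumber]=1750,"
    "[hostIpAddr]=192.168.0.10,[user]=testuser,[userFullName]=Testuser,"
    "[userDN]=CN=Testuser,CN=Users,DC=acme,DC=net,[daysToPasswordExpiry]=0,"
    "[passwordLastSet]=1360606672,[phLogDetail]=",
    # Constructed for this example in the same layout (not from the page).
    "<174>Feb 12 12:09:30 PH-QA-AUTOTEST phDiscover[22677]: [PH_DEV_DISCOV_ADS_PASSWORD_NEVER_EXPIRES]:"
    "[eventSeverity]=PHL_INFO,[hostIpAddr]=192.168.0.10,[user]=svc_backup,[userFullName]=Backup Service,"
    "[userDN]=CN=Backup Service,OU=Service Accounts,DC=acme,DC=net,[passwordAge]=812,"
    "[passwordLastSet]=1290470400,[phLogDetail]=",
    "<174>Feb 12 12:09:30 PH-QA-AUTOTEST phDiscover[22677]: [PH_DISCOV_ADS_PASSWORD_NOT_REQD]:"
    "[eventSeverity]=PHL_INFO,[hostIpAddr]=192.168.0.10,[user]=kiosk,[userFullName]=Kiosk,"
    "[userDN]=CN=Kiosk,CN=Users,DC=acme,DC=net,[phLogDetail]=",
    # VM network event from this page: parsed, but not a password finding.
    "<134>Feb 08 18:22:16 10.1.2.11 java: [PH_DEV_MON_VM_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,"
    "[phyMachName]=HOST-10.1.2.51, [phyMachIpAddr]=10.1.2.51, [pollIntv]=180, [vmName]=CO159, "
    "[morId]=vm-194, [hostName]=CO159, [hostIpAddr]=10.1.2.159, [vSwitch]=vSwitch0, "
    "[intfName]=Network adapter 1, [sentPkts]=454, [recvPkts]=939, [sentBytes]=102400, [recvBytes]=307200",
]

if __name__ == "__main__":
    for f in password_findings(SAMPLE_EVENTS):
        print("%-12s %-36s %s" % (f["user"], f["finding"], f["userDN"]))
```

The pair regex is the point worth copying: splitting the payload on every comma would cut the userDN into four useless fragments, so each value is read up to the next "[name]=" opener instead. Note that the payload's eventSeverity is the symbolic PHL_INFO while the attribute tables describe a numeric 0-10 eventSeverity; the numeric value is what severity_category expects.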


FortiSIEM Network Flow Monitoring Events

Network Flow Monitoring Events

Network Flow Events

These events are generated from Cisco Netflow and SFlow.

Event Type: IOS-NETFLOW-BI (BI stands for bidirectional: two unidirectional NetFlow records are combined into one), SFLOW-BI

Description: Event containing NetFlow or sFlow data

Source: Cisco IOS (NetFlow), sFlow

Key Attributes:

Name | Id | Type | Description
Event Type | eventType | string | Event type set to IOS-NETFLOW-BI or SFLOW-BI
Event Severity | eventSeverity | uint16 | Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High: severities 0-4 map to Low, 5-8 to Medium and 9-10 to High
Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event (after receiving the flow)
Reporting IP | reptDevIpAddr | IP | IP address of the device reporting this event. In this case set to the device that exported the flow
Relaying IP | relayDevIpAddr | IP | IP address of the device relaying this event from the source to AccelOps. In general this could be a syslog-ng IP address, but in this case, since the exporter sends flows to AccelOps directly, Relaying IP is set to the AccelOps IP address
Source IP | srcIpAddr | IP | Source IP address of the flow
Dest IP | destIpAddr | IP | Destination IP address of the flow
IP Protocol | ipProto | uint16 | IP protocol, e.g. TCP/UDP/GRE/ICMP
Source TCP/UDP Port | srcIpPort | uint16 | Source TCP/UDP port
Dest TCP/UDP Port | destIpPort | uint16 | Destination TCP/UDP port
ICMP Type | icmpType | uint16 | ICMP type
ICMP Code | icmpCode | uint16 | ICMP code
IP Type of Service | tos | uchar | IP Type of Service
Sent TCP flags | srcDestTCPFlags | uchar | OR-ed TCP flags of packets from source to destination
Received TCP flags | destSrcTCPFlags | uchar | OR-ed TCP flags of packets from destination to source
Source Intf SNMP Index | srcSnmpIntfIndex | uint16 | Source SNMP interface index
Source Interface Name | srcIntfName | string | Source interface name
Dest Intf SNMP Index | destSnmpIntfIndex | uint16 | Destination SNMP interface index
Destination Interface Name | destIntfName | string | Destination interface name
Source Autonomous System Number | srcASNum | uint16 | Source autonomous system number
Dest Autonomous System Number | destASNum | uint16 | Destination autonomous system number
Sent Bytes | sentBytes | uint32 | Bytes sent from source to destination in this flow
Sent Packets | sentPkts | uint32 | Packets sent from source to destination in this flow
Received Bytes | recvBytes | uint32 | Bytes received from destination to source in this flow
Received Packets | recvPkts | uint32 | Packets received from destination to source in this flow
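Because srcDestTCPFlags and destSrcTCPFlags are OR-ed over every packet in the flow, a single bidirectional record already tells you whether a TCP handshake completed, was refused, or was never answered. The following is an added example, not FortiSIEM code: it decodes the two flag attributes, classifies each IOS-NETFLOW-BI record, and lists sources whose refused or unanswered SYNs reached many distinct destination ports. It assumes the flag bytes use the standard TCP header bit layout (FIN=0x01 through CWR=0x80), which the page does not state, and it works on already-parsed attribute dictionaries rather than raw events; the flow records are constructed for this example.

```python
"""Classify IOS-NETFLOW-BI / SFLOW-BI records by their OR-ed TCP flags.

Added example, not FortiSIEM code. Assumes srcDestTCPFlags and destSrcTCPFlags use
the standard TCP header flag bits (FIN=0x01 ... CWR=0x80); the page says only that
the flags are OR-ed over the flow's packets. Records are attribute dicts keyed by
the attribute Ids from the table above.
"""
from collections import defaultdict

TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
                 "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
IPPROTO_TCP = 6


def decode_tcp_flags(mask):
    """OR-ed flag byte -> set of flag names, e.g. 0x12 -> {"SYN", "ACK"}."""
    return {name for name, bit in TCP_FLAG_BITS.items() if mask & bit}


def classify_flow(rec):
    """Label one bidirectional flow record from its two flag attributes."""
    if rec["ipProto"] != IPPROTO_TCP:
        return "non-tcp"
    sent = decode_tcp_flags(rec["srcDestTCPFlags"])  # source -> destination
    recv = decode_tcp_flags(rec["destSrcTCPFlags"])  # destination -> source
    if {"SYN", "ACK"} <= sent and {"SYN", "ACK"} <= recv:
        return "established"  # both sides sent SYN and ACK: handshake completed
    if "SYN" in sent and "RST" in recv:
        return "refused"      # closed port: destination answered with RST
    if "SYN" in sent and not recv and rec["recvPkts"] == 0:
        return "unanswered"   # half-open probe or filtered port: no reply at all
    if "SYN" not in sent and "ACK" in sent:
        return "midstream"    # connection predates the collection window
    return "other"


def scan_suspects(records, min_targets=5):
    """Sources whose refused/unanswered SYNs hit at least min_targets distinct (dest IP, port) pairs."""
    probes = defaultdict(set)
    for rec in records:
        if classify_flow(rec) in ("refused", "unanswered"):
            probes[rec["srcIpAddr"]].add((rec["destIpAddr"], rec["destIpPort"]))
    return {src: len(t) for src, t in probes.items() if len(t) >= min_targets}


def _rec(src, dst, dport, proto=IPPROTO_TCP, sent=0, recv=0, sent_pkts=1, recv_pkts=0):
    """Build a constructed IOS-NETFLOW-BI record using the attribute Ids from the table."""
    return {"eventType": "IOS-NETFLOW-BI", "srcIpAddr": src, "destIpAddr": dst,
            "ipProto": proto, "srcIpPort": 40000, "destIpPort": dport,
            "srcDestTCPFlags": sent, "destSrcTCPFlags": recv,
            "sentPkts": sent_pkts, "recvPkts": recv_pkts}


# Constructed sample records (not from the page). Flag values: 0x1B = FIN|SYN|PSH|ACK,
# 0x18 = PSH|ACK, 0x02 = SYN, 0x14 = RST|ACK.
SAMPLE_RECORDS = [
    _rec("10.0.2.15", "198.51.100.20", 443, sent=0x1B, recv=0x1B, sent_pkts=12, recv_pkts=10),
    _rec("10.0.2.15", "10.0.0.53", 53, proto=17, recv_pkts=1),                              # UDP DNS
    _rec("10.0.2.16", "10.0.1.5", 443, sent=0x18, recv=0x18, sent_pkts=30, recv_pkts=28),  # no SYN seen
] + [
    _rec("10.0.0.99", "10.0.1.5", p, sent=0x02, recv=0x14, recv_pkts=1) for p in (22, 23, 80)   # SYN -> RST|ACK
] + [
    _rec("10.0.0.99", "10.0.1.5", p, sent=0x02) for p in (443, 3389, 8080)                       # SYN, no reply
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print("%s -> %s:%d %s" % (rec["srcIpAddr"], rec["destIpAddr"], rec["destIpPort"], classify_flow(rec)))
    print("scan suspects:", scan_suspects(SAMPLE_RECORDS))
```

Two caveats follow from the OR-ing. First, ordering is lost: a client that sent SYN and later RST shows the same sent mask as one that sent RST first, so the classification above relies on the destination's flags (and recvPkts) rather than trying to sequence one side. Second, sFlow is sampled, so sentPkts/recvPkts in SFLOW-BI records are estimates; the recvPkts == 0 test is reliable for NetFlow but should be treated as a hint for sFlow.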

FortiSIEM Application Monitoring Events

Application Monitoring Events


AccelOps generates the following events related to application monitoring.

Process Resource Utilization

Apache Performance Metrics

Microsoft ASP.NET Metrics

Exchange RPC Metrics

Exchange RPC Error Metrics

Exchange Mailbox Metrics

Exchange SMTP Metrics

Microsoft DNS Performance Metrics

Microsoft DHCP Performance Metrics

Microsoft Active Directory Performance Metrics

IP SLA VoIP Metrics

IP SLA HTTP metrics

IP SLA ICMP metrics

Generic IPSLA metrics

Tomcat Application Server Monitoring Metrics

Glassfish Application Server Monitoring Metrics

Weblogic Application Server Monitoring Metrics

Websphere Application Server Monitoring Metrics

JBOSS Application Server Monitoring Metrics

Process Resource Utilization

FortiSIEM VM Network IO Monitoring

VM Network IO Monitoring

Event Type: PH_DEV_MON_VM_NET_INTF_UTIL

Description: Event containing VM network interface utilization metrics

Source: All

Key Attributes:

Name | Id | Type | Description
Event Type | eventType | string | Event type set to PH_DEV_MON_VM_NET_INTF_UTIL
Event Severity | eventSeverity | uint16 | Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High: severities 0-4 map to Low, 5-8 to Medium and 9-10 to High
Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event
Reporting IP | reptDevIpAddr | IP | IP address of the device reporting this event. In this case set to the device reporting the utilization (same as the Host name attribute)
Relaying IP | relayDevIpAddr | IP | IP address of the device relaying this event from the source to AccelOps. In general this could be a syslog-ng IP address, but in this case, since AccelOps polls the device directly, Relaying IP is set to the AccelOps IP address
Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma-separated "[Attribute]=value" format
 | vmName | string | Name of the virtual machine whose interface is being reported
Host name | hostName | string | Host name (as in AccelOps CMDB) of the VM whose network interface utilization is being reported
Host IP Address | hostIpAddr | IP | Access IP (as in AccelOps CMDB) of the VM whose network interface utilization is being reported
 | phyMachName | string | Name of the physical host running the VM
 | phyMachIpAddr | IP | IP address of the physical host running the VM
 | vSwitch | string | Virtual switch the VM interface is attached to
 | intfName | string | VM network interface name
 | sentPkts | uint32 | Sent packets
 | recvPkts | uint32 | Received packets
 | sentBytes | uint32 | Sent bytes
 | recvBytes | uint32 | Received bytes
Poll Interval | pollIntv | uint32 | Polling interval in seconds

Sample event:

<134>Feb 08 18:22:16 10.1.2.11 java: [PH_DEV_MON_VM_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,[phyMachName]=HOST-10.1.2.51, [phyMachIpAddr]=10.1.2.51, [pollIntv]=180, [vmName]=CO159, [morId]=vm-194, [hostName]=CO159, [hostIpAddr]=10.1.2.159, [vSwitch]=vSwitch0, [intfName]=Network adapter 1, [sentPkts]=454, [recvPkts]=939, [sentBytes]=102400, [recvBytes]=307200

VM Cluster CPU Utilization

VM Cluster Memory Utilization

VM Cluster Datastore I/O Utilization

VM Resource pool CPU Utilization


VM Resource pool Memory Utilization

ESX State Monitoring

ESX Datastore Utilization Monitoring

ESX Disk I/O Monitoring

Sample event:

<134>Oct 02 12:00:42 192.168.1.3 java: [PH_DEV_MON_ESX_DISK_IO]:[eventSeverity]=PHL_INFO, [hostName]=ESX3i-QA-01.prospecthills.net, [hostIpAddr]=192.168.1.3, [pollIntv]=180, [morId]=ha-host, [diskName]=mpx.vmhba32:C0:T0:L0, [diskReadKBytesPerSec]=9.9, [diskWriteKBytesPerSec]=0.3, [diskReadReqPerSec]=1.215, [diskWriteReqPerSec]=0.045, [devDiskRdLatency]=0.1, [devDiskWrLatency]=0.4, [kernDiskRdLatency]=0.0, [totDiskRdLatency]=0.1, [totDiskWrLatency]=0.4, [kernDiskWrLatency]=0.0

ESX Datastore I/O Monitoring

FortiSIEM VM Datastore I/O Monitoring

VM Datastore I/O Monitoring

Event Type: PH_DEV_MON_VM_STATE

Description: Event containing VM datastore I/O metrics

Source: All

Key Attributes:

Name | Id | Type | Description
Event Type | eventType | string | Event type (see Event Type above)
Event Severity | eventSeverity | uint16 | Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High: severities 0-4 map to Low, 5-8 to Medium and 9-10 to High
Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event
Reporting IP | reptDevIpAddr | IP | IP address of the device reporting this event. In this case set to the device reporting the utilization (same as the Host name attribute)
Relaying IP | relayDevIpAddr | IP | IP address of the device relaying this event from the source to AccelOps. In general this could be a syslog-ng IP address, but in this case, since AccelOps polls the device directly, Relaying IP is set to the AccelOps IP address
Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma-separated "[Attribute]=value" format
 | vmName | string | Name of the virtual machine whose datastore I/O is being reported
Host name | hostName | string | Host name (as in AccelOps CMDB) of the VM whose datastore I/O is being reported
Host IP Address | hostIpAddr | IP | Access IP (as in AccelOps CMDB) of the VM whose datastore I/O is being reported
 | phyMachName | string | Name of the physical host running the VM
 | phyMachIpAddr | IP | IP address of the physical host running the VM
 | datastore | string | Datastore name
 | diskReadReqPerSec | double | Read requests per second
 | diskWriteReqPerSec | double | Write requests per second
 | diskReadKBytesPerSec | double | KBytes read per second
 | diskWriteKBytesPerSec | double | KBytes written per second
Poll Interval | pollIntv | uint32 | Polling interval in seconds

Sample event:

FortiSIEM VM Datastore Utilization Monitoring

VM Datastore Utilization Monitoring

Event Type: PH_DEV_MON_VM_DISK_UTIL

Description: Event containing VM datastore utilization metrics

Source: All

Key Attributes:

Name | Id | Type | Description
Event Type | eventType | string | Event type set to PH_DEV_MON_VM_DISK_UTIL
Event Severity | eventSeverity | uint16 | Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High: severities 0-4 map to Low, 5-8 to Medium and 9-10 to High
Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event
Reporting IP | reptDevIpAddr | IP | IP address of the device reporting this event. In this case set to the device reporting the utilization (same as the Host name attribute)
Relaying IP | relayDevIpAddr | IP | IP address of the device relaying this event from the source to AccelOps. In general this could be a syslog-ng IP address, but in this case, since AccelOps polls the device directly, Relaying IP is set to the AccelOps IP address
Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma-separated "[Attribute]=value" format
 | vmName | string | Name of the virtual machine whose datastore utilization is being reported
Host name | hostName | string | Host name (as in AccelOps CMDB) of the VM whose datastore utilization is being reported
Host IP Address | hostIpAddr | IP | Access IP (as in AccelOps CMDB) of the VM whose datastore utilization is being reported
 | phyMachName | string | Name of the physical host running the VM
 | phyMachIpAddr | IP | IP address of the physical host running the VM
 | datastore | string | Datastore name
 | datastoreType | | Datastore type
 | diskUtil | | Datastore utilization
 | totalDiskMB | | Total datastore space in MB
 | freeDiskMB | | Free datastore space in MB
 | usedDiskMB | | Used datastore space in MB
Poll Interval | pollIntv | uint32 | Polling interval in seconds

Sample event:

FortiSIEM VM Disk I/O Monitoring

VM Disk I/O Monitoring

Event Type: PH_DEV_MON_VM_DISK_IO

Description: Event containing VM disk I/O performance metrics

Source: All

Key Attributes:

Name | Id | Type | Description
Event Type | eventType | string | Event type set to PH_DEV_MON_VM_DISK_IO
Event Severity | eventSeverity | uint16 | Set to 1. In general, a number between 0 (lowest severity) and 10 (highest severity)
Event Severity Category | eventSeverityCat | string | Set to Low. In general, takes the values Low, Medium and High: severities 0-4 map to Low, 5-8 to Medium and 9-10 to High
Event Receive Time | phRecvTime | Date | Time at which AccelOps generated this event
Reporting IP | reptDevIpAddr | IP | IP address of the device reporting this event. In this case set to the device reporting the utilization (same as the Host name attribute)
Relaying IP | relayDevIpAddr | IP | IP address of the device relaying this event from the source to AccelOps. In general this could be a syslog-ng IP address, but in this case, since AccelOps polls the device directly, Relaying IP is set to the AccelOps IP address
Raw Event Log | rawEventMsg | string | Raw event containing all attributes in comma-separated "[Attribute]=value" format
 | vmName | string | Name of the virtual machine whose disk I/O is being reported
Host name | hostName | string | Host name (as in AccelOps CMDB) of the VM whose disk I/O is being reported
Host IP Address | hostIpAddr | IP | Access IP (as in AccelOps CMDB) of the VM whose disk I/O is being reported
 | phyMachName | string | Name of the physical host running the VM
 | phyMachIpAddr | IP | IP address of the physical host running the VM
 | diskName | string | Virtual disk name
 | datastore | string | Datastore holding the disk
 | diskReadKBytesPerSec | double | KBytes read per second
 | diskWriteKBytesPerSec | double | KBytes written per second
 | diskReadReqPerSec | double | Read requests per second
 | diskWriteReqPerSec | double | Write requests per second
Poll Interval | pollIntv | uint32 | Polling interval in seconds

Sample event: