FortiSIEM Visual Analytics

Visual Analytics

Visual Analytics is an add-on for AccelOps that lets you create custom visualizations of AccelOps report data, as well as dashboards containing multiple visualization charts. AccelOps Visual Analytics has three components:

  1. The AccelOps Report Server, which syncs with and replicates AccelOps reports in near-real time.
  2. Tableau Server from Tableau Software, which enables the publication and distribution of your visualizations.
  3. Tableau Desktop, also from Tableau Software, which is your primary tool for creating visualizations.

See Installation and Configuration of AccelOps Visual Analytics for information about setting up AccelOps Report Server. For more detailed information about Tableau Server and Desktop, including installation, configuration, and examples of creating sheets and workbooks, you should consult the Product Support section of the Tableau Software website.


AccelOps Visual Analytics Architecture

Overview and Report Server Architecture

Using AccelOps Report Server with Tableau Software

Overview and Report Server Architecture

With AccelOps Visual Analytics, you can now create visual representations of the data that is stored in AccelOps. This includes:

  1. Structured data stored in the AccelOps CMDB relational PostgreSQL database, such as:
    1. Discovered information about devices, systems, applications and users
    2. Identity and location information
    3. Incidents and notifications
  2. Unstructured data such as logs, events, performance metrics, etc. that are monitored by AccelOps and stored in the EventDB NoSQL database, which is accessible by Supervisors and Workers over NFS.

In order to provide near-real-time visual analytics without compromising the performance of your AccelOps deployment, both structured and unstructured data are exported to a separate virtual machine, the AccelOps Report Server, running PostgreSQL. The Report Server contains two databases that are queried by AccelOps Visual Analytics:

  1. phoenixdb: This database contains the entire AccelOps CMDB and is populated via asynchronous PostgreSQL replication (slony) in near-real time.
  2. reportdb: This database contains the results of event queries.

You can find more information about AccelOps Report Server in the topic Report Server Architecture: phoenixdb and reportdb and its related topics.

Using AccelOps Report Server with Tableau Software

AccelOps Report Server integrates with Tableau Software to provide the interface for creating and publishing your data visualizations. Workbooks containing visualizations based on AccelOps data are created using Tableau Desktop, and then published to Tableau Server, where they can be accessed on any Windows or OS X device by users who have been granted permission to view or edit them. AccelOps provides some workbooks for visualizations, but you can construct others for custom analytics. You can find more information about workbooks in the section Creating and Managing Workbooks.


FortiSIEM Audit

Audit

Audit Reports can be used to determine whether a device is running the recommended OS and installed software versions, whether its performance metrics are within bounds, and whether harmful events have not been triggered.

Creating Audit Report

Running an Audit

Exporting Audit Results

Scheduling an Audit


Creating Audit Report

To create an Audit Report

  1. Go to the Analytics tab.
  2. Expand the Audit node on the left tree and go to the folder to which the new report will belong. You can also create a new folder first by clicking the + on top of the left tree.
  3. Click New.
  4. Enter the following information for the Audit Report:
    1. Name: Name of the Audit Report
    2. Description: Description of the Audit Report
    3. Vendor: Select a specific device vendor from the drop-down list. The Audit Report will be specific to the chosen device vendor and model.
    4. Model: Select a vendor-specific model from the drop-down list. The Audit Report will be specific to the chosen device vendor and model.
    5. Specify the Failed Criteria for the Audit Report. A device will fail the audit if any of the specified criteria is matched.
      i. OS Version Condition:
        1. Choose an operator: possible choices are IN, NOT IN, CONTAINS, NOT CONTAINS
        2. Specify the value to be matched: this can be a comma-separated list
      ii. Install Software Condition:
        1. Specify the Condition name. This is just for reference purposes.
        2. Specify the Install software name. The name has to be exactly identical to the discovered installed software in CMDB > Devices > Installed Software > Name.
        3. Choose an operator: possible choices are IN, NOT IN, CONTAINS, NOT CONTAINS
        4. Specify the value to be matched: this can be a comma-separated list
      iii. Rules Condition:
        1. Click, and the Rule selector dialog appears.
        2. Select the appropriate Rule folder from the leftmost tree. If you do not know the specific folder, then choose the top-level Rules folder. The rules in the selected folder will appear in the middle section.
        3. Select the rules from the middle section. You can also type a search string. You can expand the window and shrink the leftmost section to see more of the rule descriptions.
        4. Click Items >> to place the selected rules in the rightmost section.
        5. Click OK.
      iv. Report Condition:
        1. Click, and the Report selector dialog appears.
        2. Select the appropriate Report folder from the leftmost tree. If you do not know the specific folder, then choose the top-level Reports folder. The reports in the selected folder will appear in the middle section.
        3. Select the reports from the middle section. You can also type a search string. You can expand the window and shrink the leftmost section to see more of the report descriptions.
        4. Click Items >> to place the selected reports in the rightmost section.
        5. Click OK.


Audit Policy Criteria Matching Notes

  1. For each criterion, only devices in the CMDB with the vendor and model specified in the Audit Report are considered.
  2. If any of the criteria matches, then the device fails the audit.
  3. IN and NOT IN are exact matches, while CONTAINS and NOT CONTAINS are case-insensitive substring matches.
  4. For the OS Version match, the entered value is compared with the Version column in CMDB > Device.
  5. For the Installed Software Version match, the entered value is compared with the Version column in CMDB > Device > Installed Software.
  6. For a Rule match, the specified rule must trigger during the time interval specified in the Audit Report. The organization ID and access IP of the device are compared to the Organization ID and Host IP in an incident.
  7. For a Report match, the specified reports, run for the time duration specified in the Audit Report, must have data.
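The matching rules in these notes, as an added Python illustration (not FortiSIEM/AccelOps code): it evaluates one constructed Audit Report against a few constructed CMDB device records. The field names, and the treatment of software that is not installed on a device (it cannot match a software condition), are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field


def _values(spec: str) -> list[str]:
    """Split the comma-separated value list entered in the Audit Report."""
    return [v.strip() for v in spec.split(",") if v.strip()]


def criterion_matches(operator: str, spec: str, actual: str) -> bool:
    """IN / NOT IN are exact matches; CONTAINS / NOT CONTAINS are case-insensitive substring matches."""
    wanted = _values(spec)
    if operator == "IN":
        return actual in wanted
    if operator == "NOT IN":
        return actual not in wanted
    hit = any(v.lower() in actual.lower() for v in wanted)
    if operator == "CONTAINS":
        return hit
    if operator == "NOT CONTAINS":
        return not hit
    raise ValueError(f"unknown operator {operator!r}")


@dataclass
class Device:                  # the CMDB fields the audit looks at (field names are assumptions)
    name: str
    vendor: str
    model: str
    os_version: str
    installed: dict[str, str]  # software name -> version, as in CMDB > Devices > Installed Software
    triggered_rules: set[str] = field(default_factory=set)    # rules that fired in the audit window
    reports_with_data: set[str] = field(default_factory=set)  # reports that returned data in the window


@dataclass
class AuditReport:
    vendor: str
    model: str
    os_version: tuple[str, str] | None = None  # (operator, comma-separated values)
    software: list[tuple[str, str, str, str]] = field(default_factory=list)  # (condition name, software, operator, values)
    rules: set[str] = field(default_factory=set)
    reports: set[str] = field(default_factory=set)


def audit_device(policy: AuditReport, dev: Device) -> list[str] | None:
    """None if the device is out of scope (vendor/model differ); otherwise the failed criteria ([] means Pass)."""
    if (dev.vendor, dev.model) != (policy.vendor, policy.model):
        return None
    failed: list[str] = []
    if policy.os_version and criterion_matches(*policy.os_version, dev.os_version):
        failed.append(f"OS Version {policy.os_version[0]} {policy.os_version[1]}")
    for cond_name, sw_name, op, spec in policy.software:
        ver = dev.installed.get(sw_name)  # the name must equal the discovered name exactly
        if ver is not None and criterion_matches(op, spec, ver):  # assumption: absent software cannot match
            failed.append(cond_name)
    failed += sorted(policy.rules & dev.triggered_rules)
    failed += sorted(policy.reports & dev.reports_with_data)
    return failed


# Constructed sample policy and devices; vendor, model, rule and report names are placeholders.
POLICY = AuditReport(
    vendor="ExampleVendor", model="ExampleModel",
    os_version=("NOT IN", "12.4(3), 12.4(5)"),             # fail unless running an approved release
    software=[("Old SSH", "OpenSSH", "CONTAINS", "7.4")],  # fail if the discovered OpenSSH version contains 7.4
    rules={"Example Brute Force Rule"},
    reports={"Example Interface Errors Report"},
)
DEVICES = [
    Device("rtr-1", "ExampleVendor", "ExampleModel", "12.4(5)", {"OpenSSH": "8.2p1"}),
    Device("rtr-2", "ExampleVendor", "ExampleModel", "12.3(1)", {"OpenSSH": "OpenSSH_7.4p1"},
           triggered_rules={"Example Brute Force Rule"}),
    Device("sw-1", "OtherVendor", "ExampleModel", "12.4(5)", {}),
]


def run_sample() -> dict[str, list[str] | None]:
    return {d.name: audit_device(POLICY, d) for d in DEVICES}
```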

Running an Audit

To run an Audit,

  1. Select an Audit Policy
  2. Click Run Now
  3. In the follow up dialog,
    1. Select the organizations for which to run the audit (meaningful for Service Provider version)
    2. Choose a time window – absolute or relative
    3. Click OK

The Audit Policy check results are displayed in the bottom right pane.

  1. The Summary tab shows a high-level overview of the Audit Policy check.
    1. The Audit Result Distribution chart shows the device pass/fail distribution for every selected organization.
    2. The Failed Criteria Distribution chart shows the contribution of each audit criterion to the devices that failed the audit.
  2. The Detail tab shows the Audit Policy check for each device matching the vendor and model specified in the policy.
    1. Organization specifies the entity to which the device belongs.
    2. Device Name is the host name of the device in the CMDB.
    3. Audit Status is the Pass/Fail flag.
    4. Details specifies the reasons for the Audit Policy check failure.

Exporting Audit Results

To export an Audit Report,

  1. Select an Audit Policy.
  2. Run the Audit Policy Check. The results will be shown in the bottom right pane.
  3. Click Export.
    1. Add User Notes.
    2. Choose the Output Format: PDF or CSV.
    3. Click Generate Report. The PDF file will be stored on the local disk.

Scheduling an Audit

To schedule a report to run at a later time

  1. Choose one of two options:
    1. Run this report for – If the ‘Run this report for’ button is selected, a report will be scheduled for the super user, containing data from the organizations selected. The super user will be the owner of the report. The recipients of the report may be defined in the ‘Send Notifications’ section below or in Admin -> General Settings -> Analytics.
    2. Schedule this report for – If the ‘Schedule this report for’ button is selected, multiple reports will be scheduled, one for each selected organization, each containing only that organization’s data. The reports will be owned by the respective organizations. The recipients of the report are taken from Admin -> General Settings -> Analytics. When multiple reports are run in this way, the notification recipients cannot be indicated in the ‘Send Notifications’ section below.
  2. Select all the Organizations for which to run the Audit Report.
  3. Select the Report time range.
  4. Specify the Schedule settings: when to run this report.
  5. Choose the Output Format: PDF or CSV.
  6. Select the notification: report recipients and method.
    1. If you choose Send default notification, then the settings in Admin > General Settings > Analytics > Alerts to be sent when scheduler runs any REPORT are used.
    2. If you choose Specify custom notifications, then you can specify email addresses.
    3. If you choose Copy to a remote directory, then the settings in Admin > General Settings > Analytics > Reports to be copied to this remote location when scheduler runs any REPORT are used.

FortiSIEM Viewing Available Reports

Viewing Available Reports

  1. Log in to your Supervisor node.
  2. Go to Analytics > Reports.
  3. For multi-tenant deployments, select the Organization for which you want to view the available reports.
  4. Expand the Reports list, and select the subcategory of report you want to view.
  5. Select the report you want to view information about. Each report has four information tabs:

Summary: Includes the Filter and Group By conditions for the report, and the report’s Display attributes.

Schedule: Information about when the report is scheduled to run. See Scheduling Reports for more information. You can click the + icon to set a schedule for the report to run.

Results: The results from any scheduled runs of the report, or results you have saved from running the report.

Definition: The XML definition of the report.

 

FortiSIEM Scheduling Reports

Scheduling Reports

You can schedule reports to run once or on a recurring schedule in the future. When the report runs, the results will be saved to the Results tab for the report, and in Analytics > Generated Reports.

Prerequisites

When you schedule a report, you can specify notifications that should be sent for that report. In addition, you should make sure that the default settings for notifications for all scheduled reports have been set up.

Procedure

  1. Log in to your Supervisor node.
  2. Go to Analytics > Reports.
  3. Select the report you want to schedule.
  4. Select Schedule this report for:
  5. For multi-tenant deployments, select the Organization for which this report should apply.
  6. Select the Report Time Range.
  7. Select the Schedule Settings.
  8. Select the Output Format, whether you want to include the Chart in the output, and the Maximum Rows to Display.
  9. Specify the Notifications that should be sent when the report runs.

Click Specify custom notifications if you want to send notifications to specific email addresses.

To copy the report to a remote directory, first define the remote location in Admin > General Settings > Analytics > Report to be copied to this remote location when scheduler runs any report, and then select the Copy to a remote directory option.

  10. Specify the amount of time the report should be retained after it has run.
  11. Click OK.

The report will run at the time you scheduled.

Related Links

Setting Up Email Alert Routing for Scheduled Reports

FortiSIEM Running System and User-Defined Reports and Baseline Reports

Running System and User-Defined Reports and Baseline Reports

AccelOps includes a number of baseline reports for common data center analytics, as well as over 300 reports relating to IT infrastructure. You can also create your own reports. This topic describes how to run a system-generated or user-defined baseline report.

  1. Log in to your Supervisor node.
  2. Go to Analytics > Reports and select the subcategory containing the report you want to run.

For baseline reports, select Baseline.

  3. Select the report to run.
  4. Click Run Now to run the report immediately, or Run Later to schedule the report.
  5. If you chose Run Now and have a multi-tenant deployment, select the Organization for which you want to run the baseline report, and then click OK.

The report will run and the results will be displayed.

For baseline results, the values in the Profile Date Type column indicate whether the baseline date type is a Weekend (Saturday and Sunday), value 0, or a Workday, value 1. The values in the Hour of Day column, 1 to 24, indicate the hour on which the baseline is based.

You can further refine the results of reports and baseline reports as described in Using Search Results to Refine Historical Searches.

For baseline reports, you can create scatter plots of the report results, use the Quick Info menu to get more information about items in the report results, and also view geolocation information about the results. For other types of reports you can use all the charts and other methods of refining results that are related to historical search.

Related Links

Scheduling Reports

Using Search Results to Refine Historical Searches

System-Defined Baseline Reports

Overview of Historical Search Results and Charts

Using the Analysis Menu

Using Geolocation Attributes in Rules

Refining the Results from Historical Search

FortiSIEM Report Bundles

Report Bundles

Report bundles are groups of reports for common IT infrastructure analytics, such as Windows Server Health. By defining a bundle and placing reports into it, you can run all the reports at the same time, and apply the same filter conditions to all reports. You can view system- and user-defined report bundles under Analytics > Report Bundles.

Creating a Report Bundle

Running a Report Bundle

Creating a Report Bundle

Creating a report bundle involves naming and describing the bundle, adding reports to the bundle, and then setting what you want to include in the report results.

  1. Log in to your Supervisor node.
  2. Go to Analytics > Reports > Report Bundles.
  3. Click the + icon at the top of the Analytics navigation pane.
  4. For Group, enter the name of the bundle, and then enter a Description.
  5. Under Select Group Members, select the report category that contains the report you want to add to the bundle.

When you select a category, all the reports in that category will be added to the selection window.

  6. Select a report and use the >> button to add it to the bundle.
  7. Select Show Table if you want all reports to include tables by default.

You can set individual reports to show tables by selecting the report under Show Reports, clicking Edit, and then selecting Show Table.

  8. Enter the number of Rows per Table.
  9. Click OK.

Running a Report Bundle

  1. Log in to your Supervisor node.
  2. Go to Analytics > Reports > Report Bundles.
  3. Select a report bundle to run.
  4. At the top of the Analytics navigation pane, click the blue Arrow.
  5. For multi-tenant deployments, select the Organization for which the reports should apply.
  6. Select the Time Range for the results.
  7. Set any Data Conditions to use in filtering the results.

The most common use cases for setting data conditions involve imposing additional restrictions on the reporting devices, for example reporting devices IN a particular device group. These conditions are AND-ed to the filter conditions in every report of the bundle.

  8. Click Export.

The reports will run in the background, and when ready, you will see a dialog to save or download the PDF files.

FortiSIEM Identity and Location Report

Identity and Location Report

Overview

The Identity and Location Report Display Fields

Report Information and Event Types

Creating New Identity Events

Overview

The Identity and Location report is constructed by associating a network identity like an IP address, or MAC address, to a user identity like a user name, computer name, or domain, and tying that to a location, like a wired switch port, a wireless LAN controller, or VPN gateway. When any element of these associations changes, a new entry is created in the report.

The associations between IP addresses, users, and locations are obtained by combining Windows Active Directory events, DHCP events, and WLAN and VPN logon events, with discovery results to produce a report combining all of this information into a comprehensive listing of users and machines by their identity and location.

The Identity and Location Report Display Fields

The Identity and Location Report contains these display fields:

IP Address: IP address of a host whose identity and location is recorded in this result. You can view IP addresses with country flags in a map by clicking Locations.

MAC Address: MAC address of the host.

User: User associated with this IP address. Obtained from one of these event types: Windows Domain Logon, WLAN Login, VPN Logon, AAA Authentication. See the section Report Information and Event Types in this topic for more information.

Host Name: Obtained from the Windows Domain Logon and WLAN Authentication event types.

Domain: Information displayed here depends on the logon event type it was obtained from:
  Windows Domain Logon: the Domain name
  VPN Logon: the reporting IP address of the VPN gateway
  WLAN Logon: the reporting IP address of the WLAN controller
  AAA Logon: the reporting IP of the AAA server

VLAN ID: For hosts directly attached to a switch, this is the VLAN ID of the switch port.

Location: For hosts attached to a switch port, this is the switch name, reporting IP address, and interface name.

First Seen: The time at which this entry was first created in the AccelOps Identity and Location table.

Last Seen: The time at which some attribute of this entry was last updated. If there is a conflict, for example a host acquiring a new IP address because of DHCP, then the original entry is closed and a new entry is created. A closed entry will never be updated.
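How the First Seen and Last Seen rules play out over a sequence of events, as an added Python model (not AccelOps code). It keys a host by MAC address, falls back to IP for events that carry no MAC, treats any differing attribute value as a conflict, and carries the non-conflicting attributes into the new entry; all of those are assumptions, and the event sequence is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

FIELDS = ("ip", "mac", "user", "host_name", "domain", "vlan_id", "location")


@dataclass
class Entry:
    attrs: dict[str, str]
    first_seen: int               # when this row was created
    last_seen: int                # when an attribute of this row was last updated
    closed_at: int | None = None  # set once superseded; a closed row is never updated again


class IdentityLocationTable:
    def __init__(self) -> None:
        self.rows: list[Entry] = []

    def _open_row(self, attrs: dict[str, str]) -> Entry | None:
        """Find the open row for this host: by MAC when the event carries one, else by IP (assumption)."""
        for row in self.rows:
            if row.closed_at is not None:
                continue
            if "mac" in attrs:
                if row.attrs.get("mac") == attrs["mac"]:
                    return row
            elif "ip" in attrs and row.attrs.get("ip") == attrs["ip"]:
                return row
        return None

    def observe(self, ts: int, **attrs: str) -> Entry:
        """Apply one identity event (DHCP ack, domain logon, L2 discovery, ...) to the table."""
        unknown = set(attrs) - set(FIELDS)
        if unknown:
            raise ValueError(f"unknown attributes: {sorted(unknown)}")
        row = self._open_row(attrs)
        if row is None:
            row = Entry(dict(attrs), ts, ts)
            self.rows.append(row)
            return row
        if any(k in row.attrs and row.attrs[k] != v for k, v in attrs.items()):
            # Conflict (e.g. a new DHCP lease changed the IP): close the old row and start
            # a new one. Carrying the non-conflicting attributes over is an assumption.
            row.closed_at = ts
            row = Entry({**row.attrs, **attrs}, ts, ts)
            self.rows.append(row)
            return row
        row.attrs.update(attrs)  # fill in newly learned attributes
        row.last_seen = ts
        return row


def sample_history() -> IdentityLocationTable:
    """Constructed event sequence for one host (addresses and names are placeholders)."""
    t = IdentityLocationTable()
    t.observe(100, mac="aa:bb:cc:dd:ee:01", ip="10.0.0.5")         # DHCP assign
    t.observe(200, ip="10.0.0.5", user="alice", domain="EXAMPLE")  # AD logon (carries no MAC)
    t.observe(300, mac="aa:bb:cc:dd:ee:01", ip="10.0.0.5",
              vlan_id="20", location="sw1 / Gi1/0/3")              # L2 discovery
    t.observe(400, mac="aa:bb:cc:dd:ee:01", ip="10.0.0.9")         # DHCP renew with a new IP
    return t
```

The renew at time 400 is why the report shows two rows for one host: the first row is closed with everything it learned up to time 300, and the second starts its own First Seen.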

Report Information and Event Types

This table lists the events and event types that contribute to information in the Identity and Location Report, as well as what information is collected for each type of event. The fields are IP, MAC, Host Name, User, Domain, VLAN and Location.

DHCP Renew Events
  Fields populated: IP, MAC
  Contributing event types: WIN-DHCP-IP-LEASE-RENEW, WIN-DHCP-IP-ASSIGN, Linux_DHCPACK, Generic_DHCPACK

AD Successful Login Events
  Fields populated: IP, Host Name (resolvable by DNS or in AccelOps CMDB), User (if in Event), Domain
  Contributing event types: Win-Security-540, Win-Security-4624

AAA Successful Login Events
  Fields populated: IP, User, Domain
  Contributing event types: Win-IAS-PassedAuth, CisACS_01_PassedAuth

VPN Successful Login Events
  Fields populated: IP, User, Domain
  Contributing event types: Cisco-VPN3K-IKE/25, ASA-722022, ASA-713228, ASA-713049-Client-VPN-Logon-success

WLAN Successful Login Events
  Fields populated: IP (if in Event), MAC, User (if in Event), Location
  Contributing event types: Cisco-WLC-53-bsnDot11StationAssociate

WLAN Discovery Events
  Fields populated: IP (if in Event), MAC, User (if in Event), Location
  Contributing event types: PH_DISCOV_CISCO_WLAN_HOST_LOCATION, PH_DISCOV_ARUBA_WLAN_HOST_LOCATION

VoIP Call Manager Discovery Events
  Fields populated: IP, MAC, Host Name, Location
  Contributing event types: PH_DISCOV_VOIP_PHONE_ID

AccelOps L2 Discovery Events
  Fields populated: IP, MAC, Host Name (if resolvable by DNS or in AccelOps CMDB), VLAN, Location
  Contributing event types: PH_DISCOV_HOST_LOCATION

Creating New Identity Events

There may be a situation in which a new event type is added to AccelOps, and you want to use the parsed attributes of that event in the Identity and Location report. Once you have made sure that the event will parse correctly, you will need to edit the identityDef.xml file on your Supervisor and any Worker nodes in your deployment.

  1. Log in to your Supervisor host machine as admin.
  2. Change the directory to /opt/phoenix/config/xml.
  3. Log on to AccelOps Super as admin.
  4. Edit the XML file:
    1. Create a new <identityEvent>.
    2. For <eventType>, enter the ID of the event containing the identity attribute.
    3. For <eventAttributes>, enter the name of the event attribute and its corresponding identity attribute. For reqd, enter yes if the event must have this event attribute for use in the Identity and Location report. Possible location attributes include: ipAddr, macAddr, computerName, domain, domainUser, aaaUser, vpnUser, geoCountry, geoState, geoCity, geoLatitude, vlanId, netEntryPt, netEntryPort.
  5. Restart identityMaster and identityWorker.
  6. Repeat for any Worker nodes.

This code sample is an example of a new <identityEvent> entry in the identityDef.xml file
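An added sanity check, not AccelOps code, that parses a candidate <identityEvent> entry and flags identity attribute names outside the list in the procedure above before you restart identityMaster and identityWorker. The element layout inside <eventAttributes> (one <attribute> child per mapping with name, identity and reqd attributes), the event type ID and the event attribute names are assumptions.

```python
import xml.etree.ElementTree as ET

# Identity attributes listed in the procedure above.
IDENTITY_ATTRIBUTES = {
    "ipAddr", "macAddr", "computerName", "domain", "domainUser", "aaaUser", "vpnUser",
    "geoCountry", "geoState", "geoCity", "geoLatitude", "vlanId", "netEntryPt", "netEntryPort",
}

# Constructed entry. The <attribute> children and their name/identity/reqd attributes are an
# assumed layout; the event type ID is a placeholder. "netEntryPoint" is a deliberate typo.
SAMPLE_ENTRY = """<identityEvent>
  <eventType>EXAMPLE-Logon-Success</eventType>
  <eventAttributes>
    <attribute name="srcIpAddr" identity="ipAddr" reqd="yes"/>
    <attribute name="user" identity="domainUser" reqd="yes"/>
    <attribute name="hostName" identity="computerName" reqd="no"/>
    <attribute name="reptDevIpAddr" identity="netEntryPoint" reqd="no"/>
  </eventAttributes>
</identityEvent>"""


def check_identity_event(xml_text: str) -> dict:
    """Parse one <identityEvent> and return its mappings plus any problems found."""
    root = ET.fromstring(xml_text)
    problems: list[str] = []
    event_type = (root.findtext("eventType") or "").strip()
    if not event_type:
        problems.append("missing <eventType>")
    mappings: list[tuple[str, str, bool]] = []
    for a in root.iter("attribute"):
        name, ident = a.get("name", "?"), a.get("identity", "")
        reqd = (a.get("reqd") or "no").lower()
        if ident not in IDENTITY_ATTRIBUTES:
            problems.append(f"{name}: unknown identity attribute {ident!r}")
        if reqd not in ("yes", "no"):
            problems.append(f"{name}: reqd must be yes or no, got {reqd!r}")
        mappings.append((name, ident, reqd == "yes"))
    return {"eventType": event_type, "mappings": mappings, "problems": problems}
```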


FortiSIEM Creating a Report or Baseline Report

Creating a Report or Baseline Report

Creating a report or baseline report is like creating a structured historical search, because you set the Conditions and Group By attributes that will be used to process the report data, and specify Display Fields to use in the report summary.

  1. Log in to your Supervisor node.
  2. Go to Analytics > Reports, and select the category for your new report.

Select Baseline for baseline reports.

  3. Click New.
  4. Enter a report Name and Description.
  5. For baseline reports, select Anomaly Detection Baseline.
  6. Enter the Conditions to use in your report.

See Selecting Attributes for Structured Searches, Display Fields, and Rules and Using Expressions in Structured Searches and Rules for more information on setting conditions. For creating baseline reports, see Baseline Reports for information on how to use the STAT_AVG and STAT_STDDEV functions in creating expressions for baseline reports.

  7. Select the Group By attribute to use in processing the search results.

The topic Example of How a Structured Historical Search is Processed explains how the Group By attribute is used in search results.

  8. Set the Display Fields to use in your search results.

See Selecting Attributes for Structured Searches, Display Fields, and Rules for more information on using event attributes in display fields.

  9. Click Save.

Your report will be saved into the selected category, and you can now run it or schedule it to run later.

Related Links

Creating a Structured Historical Search

Selecting Attributes for Structured Searches, Display Fields, and Rules

Example of How a Structured Historical Search is Processed

Using Expressions in Structured Searches and Rules

Baseline Reports