FortiSIEM CMDB User Agents

User Agents

The CMDB User Agent page lists common and uncommon user agents seen in HTTP communications. The traditional use of a user agent is to let the server detect the browser type and return a page optimized for it. However, user agents are often misused by malware, which uses the header to communicate the identity of the infected client to its botnet controller over HTTP(S). FortiSIEM monitors HTTP(S) logs, and the system rule Blacklist User Agent Match uses regular expression matching to detect blacklisted user agents.

Adding User Agents

  1. Log in to your Supervisor node.
  2. Go to CMDB > User Agents.
  3. Select the User Agent group where you want to add the new user agent.
  4. Click New.
  5. Enter the User Agent using regular expression notation.
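
As an added illustration (not FortiSIEM's own code and not its shipped user agent list), the following Python shows what the regular expression matching behind a rule like Blacklist User Agent Match amounts to, and the check worth running on any pattern before entering it in the CMDB: each blocklist entry is a plain regular expression, it is tested against the User-Agent field extracted from HTTP access log lines, and an unanchored entry such as a bare Mozilla would fire on every browser. The patterns, the benign agents and the access log lines are constructed samples; the combined log format parser is an assumption of the example, since FortiSIEM parses HTTP logs with its own parsers.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed, illustrative blocklist entries; NOT FortiSIEM's shipped User Agent list.
# Each entry is a regular expression, the notation the CMDB page asks for.
BLOCKLISTED_USER_AGENTS: List[str] = [
    r"^$",                                  # empty User-Agent header
    r"^python-requests/",                   # scripted client, not a browser
    r"^Mozilla/4\.0 \(compatible;\s*\)$",   # "compatible" token with no browser behind it
    r"(?i)^badbot-",                        # hypothetical tool name, case-insensitive
]

# Benign agents used to catch over-broad patterns (constructed sample corpus).
KNOWN_GOOD_USER_AGENTS: List[str] = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15",
]

# Combined Log Format: host ident authuser [ts] "request" status bytes "referer" "user-agent"
_CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
    r' "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)


def validate_patterns(patterns: List[str]) -> List[Tuple[str, str]]:
    """Return (pattern, problem) pairs for entries that do not compile or that also
    match a known-good browser agent (a bare 'Mozilla' would alert on every browser)."""
    problems = []
    for pat in patterns:
        try:
            rx = re.compile(pat)
        except re.error as exc:
            problems.append((pat, f"invalid regex: {exc}"))
            continue
        for ua in KNOWN_GOOD_USER_AGENTS:
            if rx.search(ua):
                problems.append((pat, f"matches benign agent: {ua[:40]}..."))
                break
    return problems


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format access log line; None if it does not fit the format."""
    m = _CLF.match(line)
    return m.groupdict() if m else None


def match_blocklist(user_agent: str, patterns: List[str] = BLOCKLISTED_USER_AGENTS) -> Optional[str]:
    """Return the first blocklist pattern that matches the User-Agent, else None."""
    for pat in patterns:
        if re.search(pat, user_agent):   # re caches compiled patterns internally
            return pat
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source_ip, user_agent, matched_pattern) for every line whose UA is blocklisted."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue  # unparsable line; a production pipeline should count these
        pat = match_blocklist(rec["ua"])
        if pat is not None:
            hits.append((rec["src"], rec["ua"], pat))
    return hits


# Constructed sample access log lines (not real traffic).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [20/Oct/2023:22:50:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0 Safari/537.36"',
    '10.0.0.7 - - [20/Oct/2023:22:50:04 +0000] "GET /index.php HTTP/1.1" 200 88 "-" "python-requests/2.31.0"',
    '10.0.0.9 - - [20/Oct/2023:22:50:05 +0000] "POST /update HTTP/1.1" 200 12 "-" ""',
    '10.0.0.11 - - [20/Oct/2023:22:50:06 +0000] "GET /x HTTP/1.1" 404 0 "-" "BadBot-1.0"',
    'not an access log line',
]

if __name__ == "__main__":
    for pat, why in validate_patterns(BLOCKLISTED_USER_AGENTS):
        print(f"pattern {pat!r}: {why}")
    for src, ua, pat in scan(SAMPLE_ACCESS_LOG):
        print(f"{src}  UA={ua!r}  matched {pat!r}")
```

Two details matter when writing entries in regular expression notation: anchor with ^ and $ and escape dots and parentheses (as in the third entry), otherwise Mozilla/4.0 also matches Mozilla/4x0; and the empty-header entry ^$ only works because the parser returns an empty string for a present-but-empty User-Agent rather than dropping the line.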

FortiSIEM CMDB Protocols

Protocols

The CMDB Protocols page lists the protocols used by applications and devices to communicate with the FortiSIEM virtual appliance.

Adding a Protocol

  1. Log in to your Supervisor node.
  2. Go to CMDB > Protocols.
  3. Create a new protocol group or select an existing one.
  4. Click New.
  5. Enter a Name and Description for the protocol.
  6. Click + to select a protocol and associate it with a port.
  7. Select or create an Apps Group to associate with the protocol.
  8. Click Save.

FortiSIEM CMDB Networks

Networks

The CMDB Networks page lists the networks defined in your IT infrastructure.

Adding a New Network

  1. Log in to your Supervisor node.
  2. Go to CMDB > Networks.
  3. Create a new network group or select an existing one.
  4. Click New.
  5. Enter a Network Name and the Low IP address of the network IP range.
  6. Enter any other information about the network.
  7. Click Save.

FortiSIEM CMDB Event Types

Event Types

The CMDB Event Types page lists the types of events that are collected for supported devices.

Adding a New Event Type

  1. Log in to your Supervisor node.
  2. Go to CMDB > Event Types.
  3. Select a group to add the new event to, or create a new one.
  4. Click New.
  5. Enter a Name, Display Name, and Description for the event type.
  6. Select the Device to associate with this event type.
  7. Select the level of Severity associated with this event type.
  8. For CVE IDs, enter links to any vulnerabilities associated with this event type as cataloged by the National Vulnerability Database.
  9. Click Save.

FortiSIEM CMDB Devices

Devices

You would typically add devices to the CMDB through the Discovering Infrastructure process. However, there may be situations in which you want to add devices to the CMDB manually. For example, you may not have access credentials for a device but still want to be able to include network information about it so that logs received by FortiSIEM can be parsed properly. These topics describe those situations and provide instructions for how to successfully add a device to the CMDB:

Adding Devices to the CMDB Outside of Discovery

Adding a Synthetic Monitoring Test to a Business Service

FortiSIEM CMDB Default Passwords

Default Passwords

The CMDB Default Password page contains a list of default vendor credentials. These well-known credentials should never be used in production. During device discovery FortiSIEM checks whether the device credentials are still set to the vendor default, and the system rule Default Password Detected by System triggers an incident if they are.

A sample raw event log for a default password incident:

<174>Oct 20 22:50:03 [PH_AUDIT_DEFAULT_PWD_MATCH]:[phEventCategory]=2,[appTransportProto]=SNMP,[reptModel]=
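
As an added example (not FortiSIEM code), the following Python parses a raw event line of the shape shown above into its syslog priority, timestamp, event type and [key]=value attributes, and flags the event type that the Default Password Detected by System rule reports on. It assumes the layout of the sample line on this page (no hostname token between the timestamp and the event type), and it keeps the empty reptModel value exactly as the sample shows it; the second sample line and its EXAMPLE_OTHER_EVENT type are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict

# Syslog facility numbers 16-23 are local0-local7 (RFC 3164/5424 numbering).
_FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}

# Header as it appears in the sample on this page: <PRI>Mon DD HH:MM:SS [EVENT_TYPE]:attrs
# Assumption: no hostname token between the timestamp and the event type, as in that sample.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<etype>[^\]]+)\]:(?P<attrs>.*)$"
)
# Attributes are [key]=value pairs separated by commas; a value may be empty.
_ATTR = re.compile(r"\[(?P<k>[^\]]+)\]=(?P<v>.*?)(?=,\[|$)")

DEFAULT_PASSWORD_EVENT_TYPE = "PH_AUDIT_DEFAULT_PWD_MATCH"


@dataclass
class FortiSiemEvent:
    pri: int
    facility: int
    severity: int
    timestamp: str
    event_type: str
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def facility_name(self) -> str:
        return _FACILITY_NAMES.get(self.facility, f"facility{self.facility}")


def parse_event(line: str) -> FortiSiemEvent:
    """Parse one FortiSIEM raw event line into its PRI, timestamp, event type and attributes.
    Raises ValueError for lines that do not follow the <PRI>timestamp [EVENT]:attrs shape."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not a FortiSIEM raw event line: {line[:60]!r}")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"syslog PRI out of range: {pri}")
    attrs = {a.group("k"): a.group("v") for a in _ATTR.finditer(m.group("attrs"))}
    return FortiSiemEvent(
        pri=pri,
        facility=pri // 8,   # PRI = facility * 8 + severity
        severity=pri % 8,
        timestamp=m.group("ts"),
        event_type=m.group("etype"),
        attrs=attrs,
    )


def is_default_password_event(ev: FortiSiemEvent) -> bool:
    """True when the event is the audit event the Default Password Detected by System rule keys on."""
    return ev.event_type == DEFAULT_PASSWORD_EVENT_TYPE


# The sample line from this page (reptModel is empty, as shown there) plus one constructed
# non-matching event with a placeholder event type.
PAGE_SAMPLE = "<174>Oct 20 22:50:03 [PH_AUDIT_DEFAULT_PWD_MATCH]:[phEventCategory]=2,[appTransportProto]=SNMP,[reptModel]="
OTHER_SAMPLE = "<174>Oct 20 22:51:10 [EXAMPLE_OTHER_EVENT]:[phEventCategory]=2,[appTransportProto]=SSH"

if __name__ == "__main__":
    for raw in (PAGE_SAMPLE, OTHER_SAMPLE):
        ev = parse_event(raw)
        flag = "DEFAULT PASSWORD" if is_default_password_event(ev) else "other"
        print(f"{ev.timestamp} {ev.facility_name}.{ev.severity} {ev.event_type} "
              f"proto={ev.attrs.get('appTransportProto')} -> {flag}")
```

The attribute regex stops a value only at a comma that is immediately followed by an opening bracket, so a trailing empty value such as [reptModel]= is kept as an empty string rather than dropped, which matters if a downstream check treats a missing key and an empty key differently. PRI 174 decodes to facility 21 (local5), severity 6.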
Adding a New Default Password

  1. Log in to your Supervisor node.
  2. Go to CMDB > Default Passwords.
  3. Select a group where you want to add the default password, or create a new one.
  4. Click New.
  5. Select the Vendor and Model of the device for which you want to enter a default password.
  6. Select the Access Protocol that is used to connect to the device.
  7. Enter the default User Name and Password for the device.

FortiSIEM CMDB Creating CMDB Groups and Adding Objects to Them

Creating CMDB Groups and Adding Objects to Them

In the CMDB browser pane you will see several categories, or groups, for each type of CMDB object. For example, under Applications, you will see the groups Infrastructure App, User App, and Ungrouped, with additional subcategorization within each of those groups. You can create your own groupings and add CMDB objects to them.

  1. Log in to your Supervisor node.
  2. Click CMDB.
  3. In the CMDB browser pane, select the type of CMDB object you want to create a group for, and then click +.
  4. Enter a Group name and Description.
  5. Under Select Group Members, select any existing groups from which you would like to add objects to your new group.

The group containing all the CMDB objects of this type is selected by default.

  6. Select the objects you want to add to the group, and then click >> to add them to the group.
  7. Click OK.

Your new group, and the objects it contains, will be listed under that CMDB object type in the CMDB browser pane. You can add objects directly to the group by selecting it in the CMDB browser pane, and then following the process for adding a new object.

FortiSIEM CMDB Country Groups

Country Groups

The Country Groups page contains a list of all the country names in the FortiSIEM geolocation database. You can also create folders that represent different organizations of countries for use in Analytics.

Adding a New Country or Country Group

  1. Log in to your Supervisor node.
  2. Go to CMDB > Country Groups.
  3. Select an existing country group, or create a new one.
  4. Click New.
  5. Enter a name and description for the new country.
  6. Click Save.