Powerful Security Information and Event Management

Lab Guide
FFT-FortiSIEM r3-1715695242
Table of contents
1. Introduction .................................................................................................................................. 3
1.1. FastTrack Program ............................................................................................................ 4
1.2. Agenda ................................................................................................................................ 5
1.3. Topology .............................................................................................................................. 6
2. CMDB Overview ............................................................................................................................ 7
2.1. Navigate CMDB Devices and Applications ..................................................................... 8
2.2. Generate CMDB Server Inventory Report .................................................................... 10
3. Incident Investigation ............................................................................................................... 11
3.1. Investigate an Incident ................................................................................................... 12
4. Analytics ...................................................................................................................................... 14
4.1. Add Malicious IP to IOC Threat Feed ............................................................................ 15
4.2. Perform a Basic Analytic Search ................................................................................... 17
4.3. Aggregate Search Results (Data Aggregation) .......................................................... 19
5. Remediation ................................................................................................................................ 21
5.1. Add Source Device ........................................................................................................... 22
5.2. Associate Device Credentials to IP address and Run Discovery .............................. 24
5.3. Review Discovered Device parameters ........................................................................ 26
5.4. Trigger SQL Injection Attack against FGT-Upstream ................................................. 28
5.5. Remediate Incident ......................................................................................................... 29
6. Conclusion ................................................................................................................................... 31
6.1. Continued Education ....................................................................................................... 32

Powerful Security Information and Event Management


Lab Guide
Page 2 of 32 Fortinet Training Institute
1. Introduction

Fast Track Workshop: Powerful Security Information and Event Management

Cyberattacks are a 365/24/7 reality. The complexity and growth of enterprise infrastructure, applications, VMs, cloud,
endpoints, and IoT mean the attack surface grows exponentially. Coupled with a skills shortage and resource constraints,
security becomes everybody's problem, while visibility, event correlation, and remediation are treated as other people's
responsibility. Effective security requires real-time visibility of all devices and infrastructure, together with the context
of which devices represent a threat and what their capability is, so that you manage the threat the business faces, not the
noise that multiple security tools create.

FortiSIEM is Fortinet's multivendor security incident and event management solution that brings it all together by
integrating NOC and SOC solutions to automate IT processes and security responses: visibility, correlation, automated
response, and remediation in a single, scalable solution. Using FortiSIEM reduces the complexity of managing network and
security operations, freeing resources and improving breach detection. Worldwide, 80% of breaches go undetected because of
skills shortages and event information noise. FortiSIEM provides cross-correlation and applies machine learning and UEBA to
improve response and stop breaches before they occur.

Attend this technical training to familiarize yourself with the powerful security information and event management
capabilities of FortiSIEM.

Tasks

The blue button at the top of this page is the primary action button. When there is an action that can be completed on the
page, this button will change accordingly.

When ready, click the blue Continue button in the menu at the top of the page to get started.

1.1. FastTrack Program

Fast Tracks are free instructor-led hands-on workshops that introduce Fortinet solutions for securing your digital
infrastructure. These workshops are only an introduction to what Fortinet security solutions can do for your organization.

For more in-depth training, we encourage you to investigate our full portfolio of NSE training courses at
https://training.fortinet.com.

1.2. Agenda

Agenda

Section  Topic                   Time        Prerequisite  Mandatory
1        Introduction            1 Minute    -             Yes
2        CMDB Overview           15 Minutes  -             Yes
3        Incident Investigation  15 Minutes  2             Yes
4        Analytics               15 Minutes  3             Yes
5        Remediation             15 Minutes  -             Yes
6        Conclusion              1 Minute    -             Yes

Time to Complete: 60 minutes

Tasks

Click Continue to move to the next page.

1.3. Topology

Tasks

Click Continue to move to the next page.

This is the last time we specifically state to click the Continue button; from now on it is assumed that you understand
how to move forward.

2. CMDB Overview
Introduction

The CMDB is a core component of FortiSIEM. The FortiSIEM CMDB is a patented technology that provides real-time asset
discovery and classification of network devices, applications, servers, users, and rogue devices. It further simplifies the
configuration of rules, business services, and reports with automatic grouping based on device profile.

In this lab exercise, you do a quick CMDB overview, review discovered device parameters, and generate a server inventory
report.

Time to Complete: 15 minutes

2.1. Navigate CMDB Devices and Applications

Background

In this objective, you will navigate CMDB, Devices, and Applications.

Tasks

1. From the Lab Activity: FortiSIEM tab sidebar menu, access FortiSIEM using the HTTPS option.

Note: Unless otherwise indicated all usernames/passwords for the various web consoles are:

Username: admin Password: Fortinet1!

2. Click CMDB.

3. Expand Devices > Network Device to see the discovered network devices.

4. Expand Devices > Server > Windows to see the discovered Windows servers.

5. Expand Applications > Expand Infrastructure App > DNS.

6. Notice the Microsoft DNS entry shows the process dns.exe.

Note: When discovering a device, FortiSIEM checks which processes are running and, if they match a particular group,
automatically adds the device to that application group.

Question

Which of the following methods aid FortiSIEM's discovery of different devices?

Select the correct answer(s)

Syslog

SNMP

WMI

Netflow

Windows/Linux Agents

All of the above

2.2. Generate CMDB Server Inventory Report

Background

In this objective, you will export a CMDB report which allows you to filter and report on:

• Devices - information such as serial numbers, OS versions, and so on.

• Rules - such as what rules have exceptions

• Users - such as when a password was last reset and the DN.

• Incident information - such as cleared times

• Identity and Locations - such as user IP between two times and switch port and other information.

Goal

The CISO of your company has asked you to send a PDF report on all the Servers along with their types, IPs, and names in
their network for an urgent meeting discussion. The goal of this lab objective is to export a ‘Server Inventory’ report.

Success

To complete this objective:

1. Click CMDB > CMDB Reports.

Based on the available options, run and export a 'Server Inventory' report. Once exported, review it.

NOTE: If you need help with this exercise, click Show hints at the top of this page.

Question

Based on your analysis from the exported ‘Server Inventory’ report, which of the following statements are TRUE? (Select all
that apply)

Select the correct answer(s)

HOST-172.16.10.6 is a Solaris Sun server

ibmaix server’s IP address is 192.168.1.100

QA-EXCHG servers count is three

THREATSOCDC is a Windows server

3. Incident Investigation
Introduction

Incidents contain detailed information about rules that have been triggered by FortiSIEM. There are more than 600 built-in
rules. When FortiSIEM triggers a rule, it collects information such as the time of the incident, the source, the target, and
other information about the incident. The incident is then categorized as related to performance, availability, security,
or change. Incidents also contain the triggering events, which are the details of why an alert is being reported in the
network.

The Incident interface has 3 sections:

1. Overview - It will provide a Red Amber Green (RAG) view of incidents by Type, Devices with incidents, and Hosts by
Risk/Impact. It can also act as a dashboard.

2. List View - This is where you can view all incidents and perform investigations. This is where most of this section of the lab
will be performed.

3. Risk - It creates a timeline view of devices and users by risk.

FortiSIEM can also turn on numerous threat feeds from a myriad of sources. Some of these sources are freely available sites
on the Internet, and others are subscription-based. One such subscription-based source is the FortiGuard IOC threat feed,
which contains an updated list of indicators such as bad domains, IP addresses, and URLs.

In this lab exercise, you investigate an ongoing incident and manually add the attacker’s IP address to the IOC threat feed.

Time to Complete: 15 minutes

3.1. Investigate an Incident

Background

Leveraging machine learning and statistical methodologies to baseline normal behavior and incorporate real-time actionable
insights, FortiSIEM UEBA monitors for anomalous user behavior that may be indicative of a threat.
A user account in your organization has been compromised. The hacker is trying to get access to corporate assets by using
the compromised user's credentials to log in via VPN.

Goal

The goal of this lab objective is to investigate which user account is being used and from which locations the hacker was
trying to VPN into the corporate network.

Note: Don’t forget to click on the Show hints button if you need help achieving the task.

Success

Initiate Event Data

1. From the Lab Activity: FortiSIEM tab, log in to the Jumpbox Server using the RDP option.

2. Open the web browser from the Desktop.

3. Click the Demo bookmark.

4. Under the section Base Demo Setup, click option 3) Start All Performances and Device Data.

5. Click option 4) Populate the SVN with configurations.

6. Click option 5) Apply final update to cron.

7. Wait for one minute and repeat steps 4, 5 and 6 to populate more incidents.

Investigate Incident

1. Continuing in the FortiSIEM GUI, go to the Incident tab.

2. Click List > select by Time.

3. Click Actions > Search > Incident Name.

4. Click Show all to find the relevant incident mentioned in the background above.

Question

Based on your investigation, which of the following statements are TRUE? (Select all that apply)

Select the correct answer(s)

The affected user account is jimmy.carter

High severity incident with Concurr VPN Authentications To Same Account From Different Cities was triggered.

The affected user account is joe.biden

Concurrent VPN authentication from same user from US or France or UK

Concurrent VPN authentication from same account from US and China.

4. Analytics
Introduction

After you set up FortiSIEM to receive and collect SIEM and PAM information from your environment, how do you view the
data? FortiSIEM analytics allows you to look at the data generated by all your applications, servers, and devices, whether
they are physical, virtual, in the cloud, or on premises, on the same interface. It uses operators to build search conditions
that filter data in a structured way. You can use query filters for either a real-time or a historical search. You can also
run a search without any condition, for both real-time and historical searches.

In this lab exercise, you will do some basic analytic searches, perform advanced data aggregation to aggregate the search
results and generate a useful report.

Time to Complete: 15 minutes

4.1. Add Malicious IP to IOC Threat Feed

Background

In this objective, you will investigate a High Risk incident and add a malicious IP to the IOC threat feed.

During an investigation by the SOC team at Acme Corp, they found that an attacker is searching local file systems and
remote file shares for files containing insecurely stored credentials on an AcmeCorp server. They confirmed that the
attacker's IP address is 113.173.2.158.

Tasks

Now, you will add the attacker's malicious IP (113.173.2.158) to FortiSIEM's IOC threat feed.

1. Click Resource.

2. Click Malware IPs.

3. Click + icon at the top of the navigation pane.

4. In the Create New Malware IP Group, enter the following details:

Group: FortiGuard Manual Import

Value: IP

5. Click Save.

6. Expand Malware IPs group and navigate to the FortiGuard Manual Import group you just created.

7. Click New to create a new entry.

8. Enter the following information:

Name: Attacker IP
IP: 113.173.2.158

9. Click Save.

4.2. Perform a Basic Analytic Search

Background

FortiSIEM analytics also provides granular search capabilities that enable you to troubleshoot problems; investigate
security, performance, and network incidents; and identify the top talkers, sources, destinations, protocols, and so on
reported by all of your devices.

An attacker is searching local file systems and remote file shares for files containing insecurely stored credentials on an
AcmeCorp server.

Goal

The goal of this lab objective is to create an analytic search for traffic events coming from the attacker's IP address
113.173.2.158.

Success

To successfully complete this objective:

1. Continuing in the FortiSIEM GUI, click Analytics.

2. Click Edit Filters and Time Range search box on top.

3. Select Filter > Event Attribute.

4. Choose the following:

Attribute: Source IP (type 'Source' in the box to narrow the list of attributes)
Operator: IN
Value: Select from CMDB

5. From the CMDB tree, expand Malware IPs > FortiGuard Manual Import > Attacker IP.

6. Click >> button to add the FortiGuard Manual Import group to Selections.

7. Click OK to save the selected group.

8. For Time Range, choose Relative Last 1 Day.

9. Click on Apply and Run.

Question

Based on the output of your analytic search above, identify the IP address of the device that reported the incident
carried out by the attacker.

Select the correct answer(s)

192.168.22.16

10.1.1.5

192.168.3.1

194.106.166.123

4.3. Aggregate Search Results (Data Aggregation)

Background

When a search returns many results, you may want to group and order individual results, either by event or by attributes.
Data aggregation is any process in which information is gathered and expressed in a summary form, for purposes such as
statistical analysis. FortiSIEM provides the capabilities to perform mathematical operations such as COUNT, SUM, AVG, MIN,
MAX, LAST, FIRST, and so on.

Goal

The goal of this lab objective is to aggregate all the permitted traffic events to attacker’s malicious IP address
(113.173.2.158) in order to see the total number/count of matching events that have occurred in the last 1 day. As per your
CISO’s request, once the data is successfully aggregated, generate a PDF report that shows the aggregated results plus the
following IP address information used in the attack:

Source IP
Destination IP

Success

To successfully complete this objective:

Note: Do not delete/remove the attribute filters configured in the last objective.

1. Click on the Change Display Fields Icon beside Search box.

2. Add a new row at the bottom by clicking + sign in the Row column.

3. Select Attribute > Expression Builder.

4. In the Expression Builder window, choose:

Function: COUNT - click the + icon to the right of the box


Event Attribute: Matched Events - click the + icon to the right of the box

5. Click OK to save.

6. Remove the following rows by clicking the – (minus) icon in the Row column:

Event Receive Time

Raw Event Log

7. Click Apply & Run.

What do you see in the results? The search has aggregated all the permitted traffic events to malicious IP address
113.173.2.158, thus, providing a total number/count of matching events that have occurred in the last 1 day.

Now, generate a PDF report that shows the aggregated results plus the source and destination IP address information used
in the attack.

Note: Use the existing display filter along with a combination of new display filters.
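The search built in objectives 4.2 and 4.3 is a filter (Source IP IN a malware IP group, within a relative time range) followed by a COUNT over display fields. The following script, an added example that is not part of this lab guide and not Fortinet code, performs the same two steps over a handful of constructed events so you can see what the aggregation actually computes. The key=value layout and the `ts`/`eventType`/`reptDevIpAddr`/`srcIpAddr`/`destIpAddr` names are a simplification for this example and are not FortiSIEM's stored event format; only the attacker IP 113.173.2.158 and the group name come from the guide. The `event_type_prefix` parameter is an addition that lets you restrict the count to permitted traffic, which the lab text describes but the GUI filter does not set explicitly.

```python
"""Analytic search plus COUNT aggregation over constructed events (added example)."""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta, timezone

# Malware IP group as created in objective 4.1 (the IP is the one given in the guide).
MALWARE_IP_GROUPS = {
    "FortiGuard Manual Import": {"113.173.2.158"},
}

# Constructed sample events. One is older than a day, one is from a different
# source, and one is a denied flow; the other three are permitted flows from the
# attacker that should be counted.
SAMPLE_EVENTS = """\
ts=2024-05-15T09:00:00Z eventType=FW-Traffic-Permit reptDevIpAddr=192.0.2.1 srcIpAddr=113.173.2.158 destIpAddr=198.51.100.25 destIpPort=445
ts=2024-05-15T10:30:00Z eventType=FW-Traffic-Permit reptDevIpAddr=192.0.2.1 srcIpAddr=113.173.2.158 destIpAddr=198.51.100.25 destIpPort=139
ts=2024-05-15T11:00:00Z eventType=FW-Traffic-Permit reptDevIpAddr=192.0.2.1 srcIpAddr=113.173.2.158 destIpAddr=198.51.100.40 destIpPort=445
ts=2024-05-13T10:00:00Z eventType=FW-Traffic-Permit reptDevIpAddr=192.0.2.1 srcIpAddr=113.173.2.158 destIpAddr=198.51.100.25 destIpPort=445
ts=2024-05-15T11:30:00Z eventType=FW-Traffic-Permit reptDevIpAddr=192.0.2.1 srcIpAddr=203.0.113.9 destIpAddr=198.51.100.25 destIpPort=443
ts=2024-05-15T11:45:00Z eventType=FW-Traffic-Deny reptDevIpAddr=192.0.2.1 srcIpAddr=113.173.2.158 destIpAddr=198.51.100.60 destIpPort=22
"""

# Fixed "now" so the relative time range is reproducible.
NOW = datetime(2024, 5, 15, 12, 0, tzinfo=timezone.utc)


def parse_event(line):
    """Split one key=value line into a dict; convert the timestamp and source IP."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields["srcIpAddr"] = ipaddress.ip_address(fields["srcIpAddr"])
    return fields


def load_events(text=SAMPLE_EVENTS):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def search(events, group_name, last=timedelta(days=1), now=NOW, event_type_prefix=None):
    """Lab filter: Source IP IN <malware IP group>, Time Range = Relative Last <last>.

    event_type_prefix is an extra, optional narrowing (e.g. "FW-Traffic-Permit").
    """
    group = {ipaddress.ip_address(ip) for ip in MALWARE_IP_GROUPS[group_name]}
    start = now - last
    hits = []
    for ev in events:
        if ev["srcIpAddr"] not in group:
            continue
        if not (start <= ev["ts"] <= now):
            continue
        if event_type_prefix and not ev["eventType"].startswith(event_type_prefix):
            continue
        hits.append(ev)
    return hits


def aggregate(events):
    """COUNT(Matched Events) grouped by the display fields Source IP and Destination IP."""
    counts = Counter((str(ev["srcIpAddr"]), ev["destIpAddr"]) for ev in events)
    return {"total": sum(counts.values()), "by_src_dst": dict(counts)}


def report(group_name="FortiGuard Manual Import"):
    """Permitted traffic from the IOC group in the last day, aggregated per src/dst pair."""
    hits = search(load_events(), group_name, event_type_prefix="FW-Traffic-Permit")
    return aggregate(hits)


if __name__ == "__main__":
    result = report()
    print(f"Matched events in last 1 day: {result['total']}")
    for (src, dst), n in sorted(result["by_src_dst"].items()):
        print(f"  {src} -> {dst}: {n}")
```

With the constructed input, `report()` counts 3 matched events: the denied flow is excluded by the event-type prefix, the two-day-old flow by the time range, and the 203.0.113.9 flow by the IOC group. Dropping `event_type_prefix` reproduces the lab's broader filter and counts 4.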

Question

Based on the output of your task report, identify the IP address (Destination IP) of the host being targeted.

Select the correct answer(s)

192.168.10.2

192.168.22.16

10.10.100.1

42.83.201.2

5. Remediation
Introduction

A key part of incident response is acting quickly to contain a threat. FortiSIEM incident remediation functionality provides
automatic or manual remediation against an incident. Remediation can be done either on an ad-hoc basis or using a
Notification Policy, where the system takes the remediation action when the incident happens. Remediation actions are
script based. A number of Python remediation scripts are included out of the box, supporting a range of vendors, actions,
and device types. Custom remediation scripts are also supported.

In this lab exercise, you perform a real-time FortiGate device discovery, trigger a SQL injection attack through the
FortiGate, and take remediation action by blocking the attacker's IP address.

Time to Complete: 15 minutes

5.1. Add Source Device

Background

Add Device (FortiGate)

In this lab we are going to discover and monitor a real device in our network (FGT-Upstream).

Note: Until now, we worked on demo devices that were already discovered by FortiSIEM.

We need to define the following three credentials in FortiSIEM to discover the FortiGate:

SNMP - for discovery and performance monitoring

SSH - for configuration

HTTPS - for APIs

Tasks

1. Continuing in the FortiSIEM GUI, click Admin > Setup > Credentials.

2. Under Step 1: Enter Credentials, click New and enter the following credentials:

Name: SNMP-Fortigate
Device Type: Generic
Access Protocol: SNMP
Port: 161
Password config: Manual
Community String: fortisiem
Confirm Community String: fortisiem
Click Save

3. Click New and enter the following credentials:

Name: SSH-Fortigate
Device Type: Fortinet FortiOS
Access Protocol: SSH
Port: 22

Password config: Manual
User Name: admin
Password: Fortinet1!
Confirm Password: Fortinet1!
Click Save

4. Click New and enter the following credentials:

Name: HTTPS-Fortigate
Device Type: Fortinet FortiOS
Access Protocol: HTTPS
Port: 443
Password config: Manual
User Name: admin
Password: Fortinet1!
Confirm Password: Fortinet1!
Click Save

5.2. Associate Device Credentials to IP address and Run Discovery

Associate Device Credentials and Run Discovery

Now that we have defined the credentials for the source device (FGT-Upstream), we will associate those credentials with the
IP address of the FortiGate and create a discovery to discover it.

Prepare System for Live Discovery

1. From the Lab Activity: FortiSIEM tab, log in to the Jumpbox Server using the RDP option.

2. Open the web browser from the Desktop.

3. Click the Demo bookmark.

4. Scroll to Additional Options and click 1) Prepare System for Live Discovery.

Associate FortiGate Credentials with IP Address

1. Click Admin > Setup > Credentials.

2. Below Step 2: Enter IP Range to Credential Associations, click New.

3. Enter the following information in the Device Credential Mapping Definition:

IP/IP Range: 10.10.30.6
Credentials: SNMP-Fortigate (click the + sign to add the credentials below)
             SSH-Fortigate
             HTTPS-Fortigate
Click Save

Discover FortiGate via FortiSIEM Supervisor

1. Click Admin > Setup > Discovery.

2. Click New.

3. In the Discovery Definition profile, enter the following details:

Name: FGT-Upstream
Discovery Type: Range Scan
Include: 10.10.30.6

4. Click Save.

5. Select the Discovery profile FGT-Upstream.

6. Click Discover.

7. Wait for the discovery to complete. Once 100% completed, click Close.

8. Click CMDB > Devices > FGT-Upstream and review what was discovered. Discovery provides device information such as
serial numbers, interface information, and configuration details, as well as performance monitoring of the device, such as
CPU and memory.

5.3. Review Discovered Device parameters

Background

Review Discovered Device Parameters

Goal

The goal of this lab objective is to review FGT-Upstream parameters in order to identify what has been discovered and other
related information from that device in the CMDB.

Success

To successfully complete this objective:

1. Click CMDB.

2. Expand Devices > Network Devices.

3. Click FGT-Upstream.

4. Click the up-arrow icon in the bottom right corner of the details pane twice to see more detailed information about
the device.

5. Click and review each of the following sections in the Details Pane:

Summary
Software > Installed Software
Hardware > Interfaces

Question

Based on the available sections in the details pane, can you identify the admin server certificate?

Select the correct answer(s)

Fortinet_CA certificate

Fortinet_ssl_proxy certificate

AcmeCorpDevice

5.4. Trigger SQL Injection Attack against FGT-Upstream

Background

You will now perform a simple SQL injection. FortiGate-Upstream will allow it to happen; however, it will generate an
event on FortiSIEM.

Tasks

1. From the Lab Activity: FortiSIEM tab sidebar menu, access Kali using the RDP option.

2. Log in with the username root and password Fortinet1!

3. From the Desktop, open Mozilla Firefox.

4. Click the DVWA bookmark in the web browser.

5. Log in to the DVWA web app via the following credentials:

Username: admin
Password: password

6. Click SQL Injection.

Note: Do not select the SQL Injection (Blind) option.

7. In the User ID text box, enter:

%' or 0=0 union select null, version() #

Note: You can copy/paste this command.

8. Click Submit.

5.5. Remediate Incident

Background

You will now locate the SQL injection attack incident on FortiSIEM and run a remediation script to block the attacker's IP
on FortiGate-Upstream via its API.

Tasks

1. From the Lab Activity: FortiSIEM tab sidebar menu, access FortiSIEM using the HTTPS option.

2. Login with username admin and password Fortinet1!

3. Click Incidents > List > by Time.

4. Under the Actions drop-down, click on Search.

5. Click on the Reporting Device tab.

6. Click on the check box beside FGT-Upstream.

Note: You may need to click Show All and scroll down the list. Wait for a few minutes and refresh the Incidents page in
case you don’t see the FGT-Upstream incident yet.

7. Click on the SQL injection attack reported by FortiGate-Upstream to highlight it.

8. Click Action > Remediate Incident.

9. In the Run Remediation window, choose the following:

Select Type: Remediation
Enforce On: Device: FGT-Upstream
Remediation: Fortinet FortiOS – Block IP FortiOS API
Run On: Super

10. Click Run.

11. You should see Task Result: Success. Click Cancel to close the window.

12. From the sidebar menu, access FGT-Upstream using the HTTPS option.

13. Login with username admin and password Fortinet1!

14. Click Dashboard > Users & Devices > Quarantine Monitor.

15. Expand the Quarantine Monitor widget to full screen by hovering the mouse over the widget and clicking the Expand to
full-screen button.

16. Verify the banned IP address. FortiSIEM has successfully blocked the attacker’s IP address on the FGT-Upstream via
FortiOS API.

Note: The IP address may differ from the one shown in the picture.
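Objectives 5.4 and 5.5 together show the detection-to-remediation chain: the FortiGate reports the injection as an IPS event, FortiSIEM raises an incident, and the remediation script blocks the source IP on the reporting device. The script below is an added example, written for this guide and not part of FortiSIEM's bundled remediation scripts, that walks that chain over constructed log lines. The lines use the FortiGate key=value style but are made up for the example and are not real FGT-Upstream output; `PROTECTED_NETS` is an assumed allowlist so that an internal address is never blocked automatically, and the actual FortiOS API call is deliberately left to the remediation script, since this example only produces the decision.

```python
"""Find SQL injection incidents in constructed FortiGate-style IPS events and plan the block (added example)."""
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (FortiGate key=value style, invented for this example).
# Line 1: the lab's injection, reported by FGT-Upstream and allowed ("detected").
# Line 2: an unrelated low-severity IPS hit. Line 3: plain traffic.
# Line 4: an injection from an internal address, which must not be auto-blocked.
SAMPLE_LOGS = """\
date=2024-05-15 time=11:02:13 devname="FGT-Upstream" type="utm" subtype="ips" severity="high" srcip=203.0.113.50 dstip=198.51.100.80 dstport=80 action="detected" attack="SQL.Injection" url="/vulnerabilities/sqli/?id=%25%27+or+0%3D0+union+select+null%2C+version%28%29+%23&Submit=Submit"
date=2024-05-15 time=11:05:40 devname="FGT-Upstream" type="utm" subtype="ips" severity="low" srcip=203.0.113.51 dstip=198.51.100.80 dstport=80 action="detected" attack="HTTP.Suspicious.User-Agent" url="/index.php"
date=2024-05-15 time=11:06:01 devname="FGT-Upstream" type="traffic" subtype="forward" srcip=192.0.2.7 dstip=198.51.100.80 dstport=80 action="accept"
date=2024-05-15 time=11:07:22 devname="FGT-Upstream" type="utm" subtype="ips" severity="high" srcip=10.0.0.5 dstip=198.51.100.80 dstport=80 action="detected" attack="SQL.Injection" url="/vulnerabilities/sqli/?id=1%27+union+select+1%2C2+%23"
"""

# Assumed: ranges that a Block IP action must never touch (your own infrastructure).
PROTECTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Conservative signature for the UNION-based shape used in the lab's request.
SQLI_RE = re.compile(r"(?i)\bunion\s+(all\s+)?select\b")


def parse_log_line(line):
    """Turn one key=value line into a dict (quoted and unquoted values)."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def is_sql_injection(event):
    """The IPS signature name is authoritative; the decoded-URL check is a fallback
    for events that carry the request but no attack name."""
    if "SQL.Injection" in event.get("attack", ""):
        return True
    return bool(SQLI_RE.search(unquote_plus(event.get("url", ""))))


def find_incidents(text=SAMPLE_LOGS, reporting_device="FGT-Upstream"):
    """Mirror of the lab's incident search: Reporting Device = FGT-Upstream, rule = SQL injection."""
    events = [parse_log_line(line) for line in text.splitlines() if line.strip()]
    return [
        ev for ev in events
        if ev.get("devname") == reporting_device and ev.get("subtype") == "ips" and is_sql_injection(ev)
    ]


def plan_remediation(incidents):
    """Decide per attacker IP whether a Block IP action on the reporting device is safe.

    Returns (actions, skipped). Sending the block to FortiOS is left to the
    remediation script; this function only produces the decision.
    """
    actions, skipped, seen = [], [], set()
    for inc in incidents:
        ip = ipaddress.ip_address(inc["srcip"])
        if ip in seen:  # one action per attacker, however many events it produced
            continue
        seen.add(ip)
        entry = {"enforce_on": inc["devname"], "ip": str(ip), "rule": inc.get("attack", "SQLi-url-pattern")}
        if any(ip in net for net in PROTECTED_NETS):
            entry["reason"] = "source is in a protected network; review manually"
            skipped.append(entry)
        else:
            entry["action"] = "Block IP"
            actions.append(entry)
    return actions, skipped


if __name__ == "__main__":
    acts, skips = plan_remediation(find_incidents())
    for act in acts:
        print(f"{act['action']} {act['ip']} on {act['enforce_on']} ({act['rule']})")
    for skip in skips:
        print(f"SKIP {skip['ip']}: {skip['reason']}")
```

Run as-is, the script finds two SQL injection incidents reported by FGT-Upstream, plans one Block IP action for 203.0.113.50, and sets the internal 10.0.0.5 hit aside for manual review. The allowlist check is the detail most worth keeping in a real notification policy: an automated block that fires on a spoofed or internal source can turn a detection into a self-inflicted outage.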

6. Conclusion

This concludes the Fast Track workshop lab activity. We hope you found the information provided useful and the user
experience compelling.

In this workshop you have learned how to:

Understand FortiSIEM architecture
Use FortiSIEM features
Run analytic searches
Investigate UEBA events
Use rapid detection and remediation of security events
Use security and performance management

6.1. Continued Education

Congratulations! You have completed the Security Information and Event Management workshop.

For continued learning about this solution, please consider looking at the following Fortinet NSE training course:

https://training.fortinet.com/local/staticpage/view.php?page=library_fortisiem

