Lab Guide
FFT-FortiSIEM r3-1715695242
Table of contents
1. Introduction
1.1. FastTrack Program
1.2. Agenda
1.3. Topology
2. CMDB Overview
2.1. Navigate CMDB Devices and Applications
2.2. Generate CMDB Server Inventory Report
3. Incident Investigation
3.1. Investigate an Incident
4. Analytics
4.1. Add Malicious IP to IOC Threat Feed
4.2. Perform a Basic Analytic Search
4.3. Aggregate Search Results (Data Aggregation)
5. Remediation
5.1. Add Source Device
5.2. Associate Device Credentials to IP address and Run Discovery
5.3. Review Discovered Device parameters
5.4. Trigger SQL Injection Attack against FGT-Upstream
5.5. Remediate Incident
6. Conclusion
6.1. Continued Education
Cyberattacks are a 365/24/7 reality. The complexity and growth of enterprise infrastructure, applications, VMs, cloud,
endpoints, and IoT means the attack surface grows exponentially. Coupled with a skills shortage and resource constraints,
security becomes everybody's problem, while visibility, event correlation, and remediation are other people's responsibility.
Effective security requires real-time visibility of all devices and infrastructure, together with the context of which
devices represent a threat and what their capability is, so that you manage the threat the business faces, not the noise
that multiple security tools create.
FortiSIEM is Fortinet's multivendor security incident and event management solution that brings it all together by
integrating NOC-SOC solutions to automate IT processes and security responses: visibility, correlation, automated response,
and remediation in a single, scalable solution. Using FortiSIEM reduces the complexity of managing network and security
operations, freeing resources and improving breach detection. Worldwide, 80% of breaches go undetected because of skills
shortages and event information noise. FortiSIEM provides cross-correlation and applies machine learning and UEBA to
improve response and stop breaches before they occur.
Attend this technical training to familiarize yourself with the powerful security information and event management
capabilities of FortiSIEM.
Tasks
The blue button at the top of this page is the primary action button. When there is an action that can be completed on the
page, this button will change accordingly.
When ready, click the blue Continue button in the menu at the top of the page to get started.
Fast Tracks are free instructor-led hands-on workshops that introduce Fortinet solutions for securing your digital
infrastructure. These workshops are only an introduction to what Fortinet security solutions can do for your organization.
For more in-depth training, we encourage you to investigate our full portfolio of NSE training courses at
https://training.fortinet.com.
Agenda
Tasks
This will be the last time we specifically state to click on the Continue button; from now on, it is assumed that the user
understands how to move forward.
The CMDB is a core component of FortiSIEM. FortiSIEM CMDB is a patented technology that provides real-time asset
discovery and classification of network devices, applications, servers, users, and rogue devices. It further simplifies the
configuration of rules, business services, and reports with automatic grouping based on device profile.
In this lab exercise, you do a quick CMDB overview, review discovered device parameters, and generate a server inventory
report.
Background
Tasks
1. From the Lab Activity: FortiSIEM tab sidebar menu, access FortiSIEM using the HTTPS option.
Note: Unless otherwise indicated all usernames/passwords for the various web consoles are:
2. Click CMDB.
3. Expand Devices > Network Device to see the discovered network devices.
4. Expand Devices > Server > Windows to see the discovered Windows servers.
Note: When discovering a device, FortiSIEM checks what processes are running and if matching a particular group, it
automatically adds it to that application group.
Question
Which of the following methods aid FortiSIEM's discovery of different devices?
SNMP
WMI
Netflow
Windows/Linux Agents
Background
In this objective, you will export a CMDB report which allows you to filter and report on:
• Users - such as when a password was last reset and the DN.
• Identity and Locations - such as user IP between two times and switch port and other information.
Goal
The CISO of your company has asked you to send a PDF report on all the Servers along with their types, IPs, and names in
their network for an urgent meeting discussion. The goal of this lab objective is to export a ‘Server Inventory’ report.
Success
Based on the available options, run and export a 'Server Inventory' report. Once exported, review it.
NOTE: If you need help with this exercise, click Show hints at the top of this page.
Question
Based on your analysis from the exported ‘Server Inventory’ report, which of the following statements are TRUE? (Select all
that apply)
Incidents contain detailed information about rules that have been triggered by FortiSIEM. There are more than 600 built-in
rules. When FortiSIEM triggers a rule, it collects information such as the time of the incident, the source, the target, and
other information about the incident. The incident is then categorized as an incident related to performance, availability,
security, or change. Incidents also contain the triggering events, which are the details about why an alert is being reported
in the network.
1. Overview - It will provide a Red Amber Green (RAG) view of incidents by Type, Devices with incidents, and Hosts by
Risk/Impact. It can also act as a dashboard.
2. List View - This is where you can view all incidents and perform investigations. This is where most of this section of the lab
will be performed.
FortiSIEM can also turn on numerous threat feeds from a myriad of sources. Some of these sources are freely available sites
on the Internet, and others are subscription-based. One such subscription-based source is the FortiGuard IOC threat feed,
which contains an updated list of indicators such as bad domains, IP addresses, and URLs.
In this lab exercise, you investigate an ongoing incident and manually add the attacker’s IP address to the IOC threat feed.
Background
Leveraging machine learning and statistical methodologies to baseline normal behavior and incorporate real-time actionable
insights, FortiSIEM UEBA monitors for anomalous user behavior that may be indicative of a threat.
A user account in your organization has been compromised. The hacker is trying to get access to corporate assets using the
compromised user's credentials to log in via VPN.
Goal
The goal of this lab objective is to investigate which user account is being used, and from which locations the hacker was
trying to VPN into the corporate network.
Note: Don’t forget to click on the Show hints button if you need help achieving the task.
Success
1. From the Lab Activity: FortiSIEM tab, login into Jumpbox Server using the RDP option.
4. Under the section: Base Demo Setup, click option 3) Start All Performances and Device Data.
7. Wait for one minute and repeat steps 4,5 and 6 again as above to populate more incidents.
Investigate Incident
4. Click Show all to find the relevant incident mentioned in the background above.
Question
Based on your investigation, which of the following statements are TRUE? (Select all that apply)
High severity incident with Concurr VPN Authentications To Same Account From Different Cities was triggered.
After you set up FortiSIEM to receive and collect SIEM and PAM information from your environment, how do you view the
data? FortiSIEM analytics allows you to look at the data generated by all your applications, servers, and devices, whether
they are physical, virtual, in the cloud, or on premises, on the same interface. It uses operators to build search conditions to
filter data in a structured way. You can use query filters for either a real-time or historical search. You can also run the
search without any condition for both real-time and historical searches.
In this lab exercise, you will do some basic analytic searches, perform advanced data aggregation to aggregate the search
results and generate a useful report.
Background
In this objective, you will investigate a High Risk incident and add a malicious IP to the IOC Threat Feed.
During an investigation by the SOC team at Acme Corp, they found out that an attacker is searching local file systems and
remote file shares for files containing insecurely stored credentials on an AcmeCorp server. They confirmed that the attacker's
IP address is 113.173.2.158.
Tasks
Now, you will add this malicious IP (113.173.2.158) of the attacker to FortiSIEM’s IOC threat feed.
1. Click Resource.
Value: IP
5. Click Save.
6. Expand Malware IPs group and navigate to the FortiGuard Manual Import group you just created.
9. Click Save.
Background
FortiSIEM analytics also provides granular search capabilities that enable you to troubleshoot problems, investigate security,
performance, and network incidents, and identify the top talkers, sources, destinations, protocols, and so on reported by all
of your devices.
An attacker is searching local file systems and remote file shares for files containing insecurely stored credentials on an
AcmeCorp server.
Goal
The goal of this lab objective is to create an analytic search for traffic events coming from the attacker's IP address
113.173.2.158.
Success
Attribute: Source IP (Type 'Source' in the box to narrow the list)
Operator: IN
Value: Select from CMDB
5. From the CMDB tree, expand Malware IPs > FortiGuard Manual Import > Attacker IP.
6. Click >> button to add the FortiGuard Manual Import group to Selections.
Question
Based on the output of the analytic search above, which IP address belongs to the device that reported the incident carried
out by the attacker?
192.168.22.16
10.1.1.5
192.168.3.1
194.106.166.123
Background
When a search returns many results, you may want to group and order individual results, either by event or by attributes.
Data aggregation is any process in which information is gathered and expressed in a summary form, for purposes such as
statistical analysis. FortiSIEM provides the capabilities to perform mathematical operations such as COUNT, SUM, AVG, MIN,
MAX, LAST, FIRST, and so on.
Goal
The goal of this lab objective is to aggregate all the permitted traffic events to the attacker's malicious IP address
(113.173.2.158) in order to see the total number/count of matching events that have occurred in the last 1 day. As per your
CISO's request, once the data is successfully aggregated, generate a PDF report that shows the aggregated results plus the
following IP address information used in the attack:
Source IP
Destination IP
Success
Note: Do not delete/remove the attribute filters configured in the last objective.
2. Add a new row at the bottom by clicking + sign in the Row column.
6. Remove the following rows by clicking the – (minus) icon in the Row column.
What do you see in the results? The search has aggregated all the permitted traffic events to malicious IP address
113.173.2.158, thus, providing a total number/count of matching events that have occurred in the last 1 day.
Now, generate a PDF report that shows the aggregated results plus the source and destination IP address information used
in the attack.
Note: Use the existing display filter along with a combination of new display filters.
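The search in objective 4.2 (Source IP IN the CMDB group holding the attacker IP) and the aggregation in this objective (COUNT of permitted events per Source IP / Destination IP pair over the last 1 day) can be expressed outside the GUI. The following is an added example written for this guide; it is not FortiSIEM code or its query language. The event records, the reference time NOW and every address other than 113.173.2.158 are constructed. It goes slightly beyond the lab by also computing FIRST and LAST per group, two of the operators the page lists.

```python
"""Added example (not FortiSIEM code): Source IP IN <IOC group> over the last
day, then COUNT / FIRST / LAST per (Source IP, Destination IP) for permitted
traffic, run over constructed sample events."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the CMDB group
# Malware IPs > FortiGuard Manual Import > Attacker IP created in objective 4.1.
ATTACKER_IPS = frozenset({"113.173.2.158"})

# Constructed reference time; a real search would use the current time.
NOW = datetime(2024, 5, 14, 12, 0, tzinfo=timezone.utc)


def _event(hours_ago, src, dst, action):
    return {"time": NOW - timedelta(hours=hours_ago), "src": src,
            "dst": dst, "action": action}


# Constructed traffic events; all addresses except the attacker IP are invented.
EVENTS = [
    _event(1, "113.173.2.158", "10.0.5.20", "permit"),
    _event(3, "113.173.2.158", "10.0.5.20", "permit"),
    _event(2, "113.173.2.158", "10.0.5.21", "deny"),
    _event(30, "113.173.2.158", "10.0.5.20", "permit"),  # outside the last 1 day
    _event(1, "10.0.7.9", "10.0.5.20", "permit"),         # source not in the IOC group
    _event(5, "113.173.2.158", "10.0.5.22", "permit"),
]


def analytic_search(events, ioc_group, now=NOW, window=timedelta(days=1)):
    """Attribute: Source IP, Operator: IN, Value: <CMDB group>; time range: last 1 day."""
    start = now - window
    return [e for e in events if e["src"] in ioc_group and start <= e["time"] <= now]


def aggregate(events, group_by=("src", "dst"), only_action="permit"):
    """Group events and compute COUNT, FIRST and LAST per group; only_action=None
    keeps every action instead of just permitted traffic."""
    groups = defaultdict(list)
    for e in events:
        if only_action is None or e["action"] == only_action:
            groups[tuple(e[k] for k in group_by)].append(e["time"])
    rows = []
    for key, times in groups.items():
        row = dict(zip(group_by, key))
        row.update({"COUNT": len(times), "FIRST": min(times), "LAST": max(times)})
        rows.append(row)
    # Highest count first, like sorting the COUNT column in the results table.
    return sorted(rows, key=lambda r: (-r["COUNT"], r["dst"]))


def total_count(rows):
    """Total number of matching events across all groups."""
    return sum(r["COUNT"] for r in rows)


def run_report(events=EVENTS, ioc_group=ATTACKER_IPS):
    """Search, then aggregate: the two steps the lab performs in the GUI."""
    return aggregate(analytic_search(events, ioc_group))


if __name__ == "__main__":
    rows = run_report()
    print(f"{'Source IP':<16}{'Destination IP':<16}{'COUNT':>6}  FIRST / LAST (UTC)")
    for r in rows:
        print(f"{r['src']:<16}{r['dst']:<16}{r['COUNT']:>6}  "
              f"{r['FIRST']:%H:%M} / {r['LAST']:%H:%M}")
    print("Total matching events:", total_count(rows))
```

Note that the deny event and the event older than one day are dropped at different stages: the time window is applied by the search, while the action filter is applied during aggregation, which is why the lab asks you to keep the attribute filters from objective 4.2 and only add display rows here.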
Question
Based on the output of your report, which IP address (Destination IP) belongs to the host being targeted?
192.168.10.2
192.168.22.16
10.10.100.1
42.83.201.2
A key part of incident response is acting quickly to contain a threat. FortiSIEM incident remediation functionality provides
automatic or manual remediation against an incident. Remediation can be done either on an ad-hoc basis or using a
Notification Policy, where the system takes the remediation action when an incident occurs. Remediation actions are script
based. A number of Python remediation scripts are included out of the box, supporting a range of vendors, actions, and
device types. Custom remediation scripts are also supported.
In this lab exercise, you perform a real-time FortiGate device discovery, trigger a SQL injection attack through the FortiGate,
and take remediation action by blocking the attacker's IP address.
Background
In this lab we are going to discover and monitor a real device in our network (FGT-Upstream).
Note: Until now, we worked on demo devices that were already discovered by FortiSIEM.
We need to define the following three credentials in FortiSIEM to discover the FortiGate:
Tasks
1. Continuing on the FortiSIEM GUI, click Admin > Setup > Credentials.
2. Under Step 1: Enter Credentials, click New and enter the following credentials:
Name: SNMP-Fortigate
Device Type: Generic
Access Protocol: SNMP
Port: 161
Password config: Manual
Community String: fortisiem
Confirm Community String: fortisiem
Click Save
Name: SSH-Fortigate
Device Type: Fortinet FortiOS
Access Protocol: SSH
Port: 22
Name: HTTPS-Fortigate
Device Type: Fortinet FortiOS
Access Protocol: HTTPS
Port: 443
Password config: Manual
User Name: admin
Password: Fortinet1!
Confirm Password: Fortinet1!
Click Save
Once we have defined the source device (FGT-Upstream) credentials, we will now associate those credentials with the IP
address of FortiGate and create a discovery to successfully discover it.
1. From the Lab Activity: FortiSIEM tab, login to Jumpbox Server using the RDP option.
4. Scroll to Additional Options and click 1) Prepare System for Live Discovery.
Click Save
2. Click New.
Name: FGT-Upstream
Discovery Type: Range Scan
Include: 10.10.30.6
4. Click Save
6. Click Discover
7. Wait for the discovery to complete. Once 100% completed, click Close.
8. Click CMDB > Devices > FGT-Upstream and review what was discovered. Device discovery provides device information
such as serial numbers, interface information, configuration details, and performance monitoring of the device, such as CPU
and memory.
Background
Goal
The goal of this lab objective is to review FGT-Upstream parameters in order to identify what has been discovered and other
related information from that device in the CMDB.
Success
1. Click CMDB.
3. Click FGT-Upstream.
4. Click up arrow key icon twice located at the bottom right corner of the details pane to see more detailed information about
the device.
5. Click and review each of the following sections in the Details Pane:
Summary
Software > Installed Software
Hardware > Interfaces
Question
Based on the available sections in the details pane, could you identify the admin server certificate?
Fortinet_CA certificate
Fortinet_ssl_proxy certificate
Background
You will now perform a simple SQL injection. FortiGate-Upstream will allow it to happen; however, it will generate an
event on FortiSIEM.
Tasks
1. From the Lab Activity: FortiSIEM tab sidebar menu, access Kali using the RDP option.
Username: admin
Password: password
8. Click Submit.
Background
You will now locate the SQL injection attack incident on FortiSIEM and run a remediation script to block the attacker's IP
on FortiGate-Upstream via APIs.
Tasks
1. From the Lab Activity: FortiSIEM tab sidebar menu, access FortiSIEM using the HTTPS option.
Note: You may need to click Show All and scroll down the list. Wait for a few minutes and refresh the Incidents page in
case you don’t see the FGT-Upstream incident yet.
11. You should see Task Result: Success. Click Cancel to close the window.
15. Expand the Quarantine Monitor widget to full screen by hovering the mouse over the widget and clicking the Expand to
full-screen button.
16. Verify the banned IP address. FortiSIEM has successfully blocked the attacker’s IP address on the FGT-Upstream via
FortiOS API.
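The remediation the lab runs from the incident (section 5 intro: script-based, Python, FortiOS API) can be illustrated with a small custom script. This is an added example written for this guide, not one of FortiSIEM's bundled remediation scripts. It assumes the FortiOS monitor API endpoints user/banned/add_users (POST, body {"ip_addresses": [...], "expiry": seconds}) and user/banned/select (GET), and REST API administrator token authentication via an Authorization header; confirm both against the FortiOS REST API reference for your firmware version. How FortiSIEM passes incident attributes to a remediation script is not covered on this page, so the script takes the FortiGate host, token and attacker IP as command-line arguments. The host name fgt.example.test and token values used in comments are placeholders.

```python
"""Added example (not a FortiSIEM bundled script): ban an attacker IP on a
FortiGate through the FortiOS REST API, then read the banned list back to verify
it. Endpoint paths and field names are assumptions; see the lead-in."""
import ipaddress
import json
import sys
import urllib.request


class RemediationError(ValueError):
    """Raised when the requested action should not be sent to the firewall."""


def validate_target(ip, allow_private=False):
    """Accept a single IPv4/IPv6 address; refuse loopback, multicast and
    unspecified addresses, and refuse private ranges unless allow_private is
    set, so a mis-parsed incident attribute cannot ban internal hosts.
    (In this lab the attacker host sits on a private range, so main() allows it.)"""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError as exc:
        raise RemediationError(f"not an IP address: {ip!r}") from exc
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        raise RemediationError(f"refusing to ban {addr}")
    if addr.is_private and not allow_private:
        raise RemediationError(f"{addr} is private; pass allow_private=True to ban it")
    return str(addr)


def build_ban_request(fgt_host, api_token, ip, expiry=0, allow_private=False):
    """Build the POST that quarantines ip. expiry=0 means until cleared.
    Assumed endpoint: /api/v2/monitor/user/banned/add_users."""
    target = validate_target(ip, allow_private)
    url = f"https://{fgt_host}/api/v2/monitor/user/banned/add_users"
    headers = {"Authorization": f"Bearer {api_token}",
               "Content-Type": "application/json"}
    body = {"ip_addresses": [target], "expiry": int(expiry)}
    return url, headers, body


def build_verify_request(fgt_host, api_token):
    """GET the current banned list, the data the Quarantine Monitor widget shows.
    Assumed endpoint: /api/v2/monitor/user/banned/select."""
    url = f"https://{fgt_host}/api/v2/monitor/user/banned/select"
    return url, {"Authorization": f"Bearer {api_token}"}


def call(url, headers, body=None, timeout=10):
    """Send the request. TLS certificate verification stays on (default context),
    so the FortiGate's admin certificate must be trusted by this host."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers,
                                 method="POST" if body is not None else "GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def is_banned(select_response, ip):
    """True if ip appears in a banned/select result (assumed shape: results[].ip_address)."""
    return any(entry.get("ip_address") == ip
               for entry in select_response.get("results", []))


def main(argv):
    if len(argv) != 4:
        print("usage: ban_ip.py <fortigate-host> <api-token> <attacker-ip>")
        return 2
    host, token, ip = argv[1:]
    url, headers, body = build_ban_request(host, token, ip, allow_private=True)
    print("Task result:", call(url, headers, body).get("status", "unknown"))
    verify_url, verify_headers = build_verify_request(host, token)
    print("Banned on FortiGate:", is_banned(call(verify_url, verify_headers), ip))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The request builders are separated from the network call so the script can be checked without a FortiGate, and the verification step mirrors what step 16 asks you to do in the Quarantine Monitor widget. A production remediation script would also log the incident ID and the API response so the action is auditable from the SIEM side.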
This concludes the Fast Track workshop lab activity. We hope you found the information provided useful and the user
experience compelling.
Congratulations! You have completed the Security Information and Event Management workshop.
For continued learning about this solution, please consider looking at the following Fortinet NSE training course:
https://training.fortinet.com/local/staticpage/view.php?page=library_fortisiem