
DO NOT REPRINT

© FORTINET

Advanced Analytics
Lab Guide
for FortiSIEM 6.3
Fortinet Training
https://training.fortinet.com

Fortinet Document Library
https://docs.fortinet.com

Fortinet Knowledge Base
https://kb.fortinet.com

Fortinet Fuse User Community
https://fusecommunity.fortinet.com/home

Fortinet Forums
https://forum.fortinet.com

Fortinet Support
https://support.fortinet.com

FortiGuard Labs
https://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)
https://training.fortinet.com/local/staticpage/view.php?page=certifications

Fortinet | Pearson VUE
https://home.pearsonvue.com/fortinet

Feedback
Email: [email protected]

9/20/2021

TABLE OF CONTENTS

Network Topology 8
Lab 1: Customer Definition 9
Exercise 1: Adding Customers With Collectors 10
Define Customers With Collectors 10
Define Customers Without Collectors 12
Exercise 2: Discovering Devices Without a Collector 14
Verify the SNMP Service on Kali 14
Configure Device Credentials for an Organization Without a Collector 14
Discover a Device 17
Review Logs From an Organization Without a Collector 18
Exercise 3: Reviewing Multi-Tenancy on FortiSOAR 21
Review Tenants on FortiSOAR 21
Lab 2: Worker Configuration 23
Exercise 1: Adding a Worker 24
Add a Worker to the FortiSIEM Cluster 24
Exercise 2: Generating Incidents on FortiSIEM 26
Generate Incidents on FortiSIEM 26
Exercise 3: Configuring FortiSIEM Data Ingestion 28
Configure the FortiSIEM Connector 28
Lab 3: Administration and Management of Collectors 34
Exercise 1: Assigning Collectors to Organizations 35
Assign Collectors to Organizations 35
Verify Collector Health 38
Exercise 2: Registering Collectors 39
Register Collectors 39
Verify Collector Health 40
Exercise 3: Discovering FGT Banking through a Collector 42
Configure SNMP on FortiGate 42
Add Credentials for FortiGate 43
Discover Banking FortiGate 45
Approve FortiGate in CMDB 46
Exercise 4: Discovering FGT Aviation through a Collector 48
Configure Syslog on FGT Aviation 48
Configure SNMP on Aviation FortiGate 49
Add Credentials for Aviation FortiGate 50
Discover FortiGate 52
Approve FortiGate in CMDB 53
Lab 4: Administration and Management of Agents 54
Exercise 1: Adding a Windows Agent to an Organization 55
Configure Windows Agent Registration Credentials 55
Configure the Windows Agent Installation Settings File 56
Define an Audit Policy 57
Verify the Windows Agent Status 59
Exercise 2: Assigning Templates to Windows Agents 60
Create a Windows Agent Monitor Template 60
Associate a Host to a Template 61
Verify the Agent Status 62
Approve the Windows Agent 63
Exercise 3: Discovering LDAP Users 65
Discover LDAP Users and Groups 65
Review LDAP Users on FortiSIEM 67
Exercise 4: Adding a Linux Agent to an Organization 69
Configure Linux Agent Registration Credentials 69
Register the Linux Agent 70
Verify the Linux Agent Status 71
Exercise 5: Assigning Templates to Linux Agents 73
Create Linux Agent Monitor Templates 73
Associate a Host to a Template 74
Verify the Agent Status 75
Approve the Linux Agent 75
Lab 5: Discover Rules 76
Exercise 1: Analyzing Allowed Traffic 77
Log All Sessions on FortiGate 77
Analyze Traffic Events on FortiSIEM 77
Create a Rule From an Analytics Search 79
Exercise 2: Monitoring Firewall Sessions 83
Build an Analytics Search 83
Display the Average Firewall Session 84
Lab 6: Configuration of Single Pattern Security Rules 87
Exercise 1: Detecting Remote Desktop Access 88
Review the Remote Desktop From Internet Rule 88
RDP From the Internet 92
Review the RDP Incident 92
Exercise 2: Detecting Multiple VPN Logon Failures 95
Review the Multiple VPN Logon Failures Rule 95
Generate SSL VPN Login Failures 98
Verify VPN events on FortiGate 99
Review the Incident for Multiple VPN Logon Failures 100
Exercise 3: Detecting Locked Domain Accounts 102
Review the Domain Account Locked Rule 102
Review the Incident for Locked Domain Accounts 105
Exercise 4: Creating a New Security Rule 106
Create a Custom Rule 106
Log in to FortiGate From a Public IP Address 109
Lab 7: Configuration of Multipattern Security Rules 111
Exercise 1: Reviewing a VPN Login Event 112
Review the LDAP Users 112
Create a VPN Pool 113
Connect to the SSL VPN 114
Analyze the SSL VPN Event 115
Exercise 2: Reviewing an RDP Event 117
Run a Real-Time Analytics Search 117
Analyze an RDP Event 119
Exercise 3: Building a Multipattern Rule 120
Create a New Multipattern Rule 120
Establish an RDP Connection over SSL VPN 125
Review the Incident 126
Lab 8: Baseline Theory 128
Exercise 1: Reviewing Baseline Reports and Rules 129
Review Baseline Reports 129
Review Baseline Rules 130
Exercise 2: Determining What to Baseline 132
Determine Parameters to Baseline 132
Exercise 3: Creating a Baseline With the BaselineMate Script 136
Define an Event 136
Run the BaselineMate Script from Supervisor 137
Exercise 4: Verifying the Baseline Report 142
Verify the Baseline Report 142
Run the Script to Replay USB Events 143
Update the Daily and Profile Databases 143
Run the Baseline Report 145
Lab 9: Configuration of Baseline Rules 148
Exercise 1: Building a Baseline Rule 149
Build a Baseline Rule 149
Exercise 2: Preparing FortiSIEM for a Baseline Rule 155
Update the Profile Database 155
Exercise 3: Triggering a Baseline Rule 157
Trigger a Baseline Rule 157
Verify the Incident on FortiSIEM 158
Lab 10: UEBA 161
Exercise 1: Building a UEBA AI Model 162
Train the AI Engine 162
Exercise 2: Running the UEBA Demo 165
Run the UEBA Demo 165
Exercise 3: Reviewing UEBA Incidents 166
Review the UEBA Incidents 166
Review the UEBA Rules 169
Exercise 4: Reviewing the UEBA Dashboard 173
Review the UEBA Dashboards 173
Lab 11: MITRE ATT&CK Framework 181
Exercise 1: Creating Tags on FortiSIEM 182
Create Tags on FortiSIEM 182
Exercise 2: Generating Incidents on FortiSIEM 184
Generate Incidents on FortiSIEM 184
Exercise 3: Reviewing the MITRE ATT&CK Framework Support on FortiSIEM 185
Review the MITRE ATT&CK Incident Dashboard 185
Exercise 4: Reviewing the MITRE ATT&CK Framework Support on FortiSOAR 189
Review the MITRE ATT&CK Framework on FortiSOAR 189
Lab 12: Clear Conditions 192
Exercise 1: Reviewing Time-Based Clear Conditions 193
Review Rules With Clear Conditions 193
Review a Time-Based Clear Condition 194
Exercise 2: Configuring a Pattern-Based Clear Condition 195
Define a Pattern-Based Clear Condition 195
Modify the SNMP Ping Interval 196
Disable the SNMP Service 197
Run the Rule as a Query 198
Verify the Incident 199
Enable the SNMP Service 201
Run the Rule as a Query 201
Verify the Incident Status 201
Lab 13: Remediation 204
Exercise 1: Remediating an Incident 205
Execute the Remediation 205
Analyze the Remediation Result 207
Exercise 2: Configuring the REST API on FortiGate 209
Configure the REST API on FortiGate 209
Configure a New Web Filter Profile 210
Exercise 3: Configuring the FortiGate Connector 212
Configure the FortiGate Connector 212
Configure a Playbook to Use the FortiGate Connector 213
Exercise 4: Mitigating Malicious IOCs 215
Extract Indicators 215
Enrich Malicious Indicators 217
Block Malicious Indicators 220
Appendix A 223
Network Topology

See Appendix A on page 223 for an enlarged network topology diagram.

Advanced Analytics 6.3 Lab Guide 8


Fortinet Technologies Inc.
Lab 1: Customer Definition

In this lab, you will add three organizations to FortiSIEM. Two of the organizations will be deployed with collectors,
and the third one will be deployed without a collector. You will also discover a device for an organization without a
collector, and then review the logs.

Objectives
- Manage organizational scopes
- Add organizations with a collector
- Add organizations without a collector
- Add credentials for organizations without a collector
- Discover devices for organizations without a collector
- Review multi-tenancy on FortiSOAR

Time to Complete
Estimated: 25 minutes

Exercise 1: Adding Customers With Collectors

In this exercise, you will add customers that have collectors in their infrastructure to the FortiSIEM supervisor
node. You will also add customers that do not have collectors. Each new organization is automatically given an
organization ID, which is included in every new event collected or received from that organization.

Define Customers With Collectors

In a multi-tenant environment, you will add customers with different network infrastructures—some customers
might have collectors and some might not. Now, you will add organizations that have collectors in their
environment.

To add customers with collectors


1. On the supervisor FortiSIEM GUI, log in to the super organization with the following credentials:

Field          Value
User ID        admin
Password       Fortinet1!
Cust/Org Id    super
Domain         LOCAL

2. Click LOG IN.


3. Click ADMIN.
4. In the left navigation pane, click Setup, and then click Organizations.

You will notice that there are no organizations defined by default.

5. Click New to create a new organization.


6. Configure the following settings:

Field                     Value
Organization              Banking
Admin User                bankadmin
Admin Password            Password1!
Confirm Admin Password    Password1!
Admin Email               [email protected]

Your configuration should match the following example:

7. Click Save.
8. Click New to create another organization.
9. Configure the following settings:

Field                     Value
Organization              Aviation
Admin User                flightadmin
Admin Password            Password1!
Confirm Admin Password    Password1!
Admin Email               [email protected]

10. Click Save.


Your organization configuration should match the following example. Note that FortiSIEM dynamically
assigns the Organization ID.


When you register collectors in the upcoming labs, you require information, such as the
organization name and the admin username and password that you configured for the
organizations on the supervisor.

Define Customers Without Collectors

You will add an organization that does not have a collector in its environment. Instead of a collector, you specify
an IP address or IP address range that identifies the devices belonging to that organization.

To add customers without collectors


1. Continuing on the supervisor FortiSIEM GUI, click New to create a new organization.
2. Configure the following settings:

Field                     Value
Organization              University
Admin User                uniadmin
Admin Password            Password1!
Confirm Admin Password    Password1!
Admin Email               [email protected]
Include IP/IP Range       100.64.1.10

3. Click Save.
Your configuration should match the following example:


Organizations without collectors are defined by IP addresses that are unique to that organization: a single
IP address, multiple IP addresses separated by commas, or an IP address range written as start-end. CIDR
notation is not supported in this field.

4. Log out of the supervisor FortiSIEM GUI.
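The Include IP/IP Range field accepts only the forms listed in the note above, so a practitioner who keeps addressing plans in CIDR has to convert them, and two organizations whose scopes overlap leave any event whose reporting IP falls in both scopes ambiguous. The following Python helper is an added example, not part of the Fortinet lab guide or of FortiSIEM: it rewrites CIDR blocks into the start-end form, parses a scope string back into address ranges, and reports overlapping organizations. The University address is the one from this exercise; the Banking and Aviation scopes in the main block are constructed for illustration and are not the lab's values.

```python
"""Express customer scopes in the FortiSIEM Include IP/IP Range syntax and check them for overlap."""
import ipaddress
from typing import Dict, List, Tuple


def to_fsm_scope(*entries: str) -> str:
    """Accept single IPs, start-end ranges and CIDR blocks; return the comma-separated
    single-IP / start-end form the field expects (CIDR is rewritten, never passed through)."""
    parts = []
    for raw in entries:
        entry = raw.strip()
        if "-" in entry:
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if int(end) < int(start):
                raise ValueError(f"range end precedes start: {entry}")
            parts.append(f"{start}-{end}")
        elif "/" in entry:
            net = ipaddress.ip_network(entry, strict=False)
            parts.append(str(net[0]) if net.num_addresses == 1 else f"{net[0]}-{net[-1]}")
        else:
            parts.append(str(ipaddress.ip_address(entry)))
    return ",".join(parts)


def parse_scope(scope: str) -> List[Tuple[int, int]]:
    """Parse the FortiSIEM form back into inclusive (start, end) integer ranges."""
    ranges = []
    for part in scope.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            a, b = (ipaddress.ip_address(p.strip()) for p in part.split("-", 1))
        else:
            a = b = ipaddress.ip_address(part)
        if int(b) < int(a):
            raise ValueError(f"range end precedes start: {part}")
        ranges.append((int(a), int(b)))
    return ranges


def orgs_for_ip(ip: str, scopes: Dict[str, str]) -> List[str]:
    """Organizations whose scope contains ip; more than one result means the definitions are ambiguous."""
    n = int(ipaddress.ip_address(ip))
    return [org for org, scope in scopes.items()
            if any(a <= n <= b for a, b in parse_scope(scope))]


def overlapping_orgs(scopes: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of distinct organizations whose scopes intersect (sorted, deduplicated)."""
    items = [(org, r) for org, scope in scopes.items() for r in parse_scope(scope)]
    pairs = set()
    for i, (o1, (a1, b1)) in enumerate(items):
        for o2, (a2, b2) in items[i + 1:]:
            if o1 != o2 and a1 <= b2 and a2 <= b1:
                pairs.add(tuple(sorted((o1, o2))))
    return sorted(pairs)


if __name__ == "__main__":
    # University is the lab value; Banking and Aviation scopes are constructed, and deliberately overlap
    scopes = {"University": to_fsm_scope("100.64.1.10"),
              "Banking": to_fsm_scope("10.0.2.0/24"),
              "Aviation": to_fsm_scope("10.0.2.128-10.0.2.200")}
    print(scopes)
    print("100.64.1.10 belongs to:", orgs_for_ip("100.64.1.10", scopes))
    print("overlapping scopes:", overlapping_orgs(scopes))
```

Run overlapping_orgs against the full set of organizations before saving a new one; an empty list is the state you want, because the reporting IP is the only thing that attributes a collector-less organization's events.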

Exercise 2: Discovering Devices Without a Collector

In this exercise, you will define credentials for devices for the University organization that does not have a
collector, and then discover a device with those credentials.

Verify the SNMP Service on Kali

The SNMP service is preconfigured on Kali. You must restart the service, and then verify its status.

To verify the SNMP service on Kali


1. Go to the Kali VM.

The credentials for Kali are as follows:


- Username: root
- Password: toor

2. Open a terminal window.


3. Type the following command to restart the SNMP service:
service snmpd restart
4. Type the following command to check the SNMP service status:
service snmpd status
Verify that it is in a running state.

5. Press Q.
6. Close the terminal window.

Configure Device Credentials for an Organization Without a Collector

Before you can discover devices, you must define credentials for those devices. You must also associate the
credentials with the IP address of those devices.

To configure credentials for an organization without a collector
1. On the supervisor FortiSIEM GUI, log in to the super organization with the following credentials:

Field          Value
User ID        admin
Password       Fortinet1!
Cust/Org Id    super
Domain         LOCAL

2. Click LOG IN.


3. Click ADMIN.
4. In the left navigation pane, click Setup, and then click Credentials.

5. Click New.
6. Configure the following settings:

Field                      Value
Name                       Kali
Device Type                Generic
Access Protocol            SNMP
Port                       161
Password config            manual
Community String           public
Confirm Community String   public

Your configuration should match the following example:


7. Click Save.

To configure the IP range to credential association


1. Continuing on the Credentials tab, under the Step 2: Enter IP Range to Credential Associations section, click
New.

2. Configure the following settings:

Field          Value
IP/IP Range    100.64.1.10
Credentials    Kali

3. Click Save.

Discover a Device

You will discover a device, and the discovered device will be added automatically to the CMDB.

To discover a device
1. Continuing on the supervisor FortiSIEM GUI, click Discovery.

2. Click New.
3. Configure the following settings:

Field              Value
Name               Kali
Discovery Type     Range Scan
Include            100.64.1.10
Name Resolution    SNMP/WMI first

4. Click Save.
5. Click Discover.

After discovery is complete, the Status column displays succeeded.

If for any reason the discovery fails, the Status column displays fail, along with the reason associated with
that failure.

6. Click Close.
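Before clicking Discover, a practitioner usually confirms that the credential actually answers from the node that will do the polling, because a failed discovery only reports that the target did not respond, not why. The following is an added example and is not part of the Fortinet lab guide or of FortiSIEM: a standard-library Python SNMPv2c GetRequest for sysUpTime.0 (the object behind the System uptime event reviewed in the next section) with a decoder for the response. The target address, community string and port are the lab values from this exercise; everything else is this example's own construction. SNMPv2c exceptions such as noSuchObject are decoded explicitly so that they are not mistaken for an empty reply.

```python
"""Minimal SNMPv2c GetRequest/GetResponse codec, standard library only."""
import os
import socket

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30   # universal BER tags
IPADDRESS, COUNTER32, GAUGE32, TIMETICKS = 0x40, 0x41, 0x42, 0x43           # SNMP application tags
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2                                       # PDU tags
EXCEPTIONS = {0x80: "noSuchObject", 0x81: "noSuchInstance", 0x82: "endOfMibView"}
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"   # sysUpTime.0


def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload


def _int(v):                                # non-negative only; the extra byte keeps the sign bit clear
    return _tlv(INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def _oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                    # base-128, high bit set on every byte but the last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(OID, bytes(out))


def build_get_request(community, oid, request_id):
    varbind = _tlv(SEQUENCE, _oid(oid) + _tlv(NULL, b""))
    pdu = _int(request_id) + _int(0) + _int(0) + _tlv(SEQUENCE, varbind)
    return _tlv(SEQUENCE, _int(1) + _tlv(OCTET_STRING, community.encode()) + _tlv(GET_REQUEST, pdu))


def _read_tlv(buf, pos):                    # -> (tag, payload, position after this TLV)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(payload):
    arcs, acc = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _decode_value(tag, payload):
    if tag == INTEGER:
        return int.from_bytes(payload, "big", signed=True)
    if tag in (COUNTER32, GAUGE32, TIMETICKS):
        return int.from_bytes(payload, "big")
    if tag == OCTET_STRING:
        return payload.decode("utf-8", "replace")
    if tag == IPADDRESS:
        return ".".join(map(str, payload))
    if tag == OID:
        return _decode_oid(payload)
    if tag == NULL:
        return None
    return EXCEPTIONS.get(tag, payload.hex())   # v2c exceptions, or raw hex for unknown tags


def decode_message(buf):
    tag, body, _ = _read_tlv(buf, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, p = _read_tlv(body, 0)
    _, comm, p = _read_tlv(body, p)
    pdu_tag, pdu, _ = _read_tlv(body, p)
    _, rid, q = _read_tlv(pdu, 0)
    _, err, q = _read_tlv(pdu, q)
    _, idx, q = _read_tlv(pdu, q)
    _, vbl, _ = _read_tlv(pdu, q)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid_b, r = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, r)
        varbinds.append((_decode_oid(oid_b), _decode_value(vtag, val)))
    return {"version": int.from_bytes(ver, "big"), "community": comm.decode(), "pdu_tag": pdu_tag,
            "request_id": int.from_bytes(rid, "big"), "error_status": int.from_bytes(err, "big"),
            "error_index": int.from_bytes(idx, "big"), "varbinds": varbinds}


def snmp_get(host, community, oid=SYS_UPTIME, port=161, timeout=3.0):
    """One GetRequest over UDP; a socket.timeout means no agent, wrong community or a filter in the path."""
    rid = int.from_bytes(os.urandom(3), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid, rid), (host, port))
        data, _ = s.recvfrom(4096)
    msg = decode_message(data)
    if msg["pdu_tag"] != GET_RESPONSE or msg["request_id"] != rid:
        raise ValueError("response does not match the request")
    if msg["error_status"]:
        raise ValueError(f"agent returned error-status {msg['error_status']}")
    return msg["varbinds"][0][1]


if __name__ == "__main__":
    # Lab values: Kali at 100.64.1.10, community "public", UDP/161; sysUpTime is in hundredths of a second
    print("sysUpTime:", snmp_get("100.64.1.10", "public"))
```

Run it from the supervisor, since that is the node that polls devices for an organization without a collector. A timeout from there points at the community string, the address snmpd is bound to, or a filter between the nodes, none of which the discovery settings can fix.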

Review Logs From an Organization Without a Collector

After a device is discovered, FortiSIEM parses the events it receives or generates for that device and tags them
with the organization ID and organization name. You will analyze the events that FortiSIEM generates by polling
the Kali device over SNMP.

To review logs from an organization without a collector


1. Continuing on the supervisor FortiSIEM GUI, in the top navigation pane, click ANALYTICS.
2. Click Edit Filters and Time Range.
3. Select Event Attribute as the Filter type.
4. Configure the following settings:

Field        Value
Attribute    Reporting IP
Operator     =
Value        100.64.1.10
Time         Relative, Last 10 Minutes

5. Click Apply & Run.


6. Select the System uptime for a device event log.
7. In the Raw Event Log column, click the arrow icon.

8. Review the Event Details.


Notice that the Collector ID has a value of 1, which is the default collector ID if an organization does not have
any collectors.


9. Scroll down in the Event Details window, and then view the Organization ID and Organization Name.


The Organization ID may be different for you. You can filter logs using either the Organization ID or
Organization Name, which will display all logs that are associated with that organization.

10. Click Close.


11. Log out of the supervisor FortiSIEM GUI.

Exercise 3: Reviewing Multi-Tenancy on FortiSOAR

In this exercise, you will review multi-tenancy on FortiSOAR.

Review Tenants on FortiSOAR

The tenants on FortiSOAR are already preconfigured. You will review them and verify that the tenant names
match what is configured on FortiSIEM.

To review tenants on FortiSOAR


1. On the FortiSOAR management GUI, log in with the username csadmin and password Fortinet1!.
2. On the FortiSOAR GUI, in the top-right corner, click the Settings icon.

3. In the Multi Tenancy section, click Tenants.

The three tenants that are configured on FortiSIEM are already configured on FortiSOAR.

4. In the left navigation menu, click Tenants.

The same tenants can be viewed from this dedicated tenant menu.

The super organization is mapped to the Self tenant, which is the default tenant on FortiSOAR.

5. Continuing on the FortiSOAR GUI, click Incident Response.


6. Click Alerts.

There is a dedicated column to filter records by tenant name.

7. Log out of the FortiSOAR GUI.

Lab 2: Worker Configuration

In this lab, you will add a worker to the FortiSIEM cluster—the worker is already deployed and installed. Next, you
will configure the FortiSIEM connector on FortiSOAR to ingest data from FortiSIEM to FortiSOAR. Finally, you will
generate two incidents on FortiSIEM and ingest data to FortiSOAR to perform field mapping.

Objectives
- Add a worker to the FortiSIEM cluster
- Generate incidents on FortiSIEM
- Configure the FortiSIEM connector on FortiSOAR

Time to Complete
Estimated: 30 minutes

Exercise 1: Adding a Worker

In this exercise, you will add a worker to the FortiSIEM cluster. You cannot define collectors until you configure the
worker upload address. Collectors receive this information during registration, and this value tells the collector
which node it should upload the data to.

Add a Worker to the FortiSIEM Cluster

A worker enables the supervisor node to offload some of the log processing. You will add a worker to the
FortiSIEM cluster.

To add a worker to the FortiSIEM cluster


1. On the supervisor FortiSIEM GUI, log in to the super organization with the following credentials:

Field          Value
User ID        admin
Password       Fortinet1!
Cust/Org Id    super
Domain         LOCAL

2. Click LOG IN.


3. Click ADMIN.
4. In the left navigation pane, click License.
5. Click Nodes.
6. Click Add.
7. In the Worker IP Address field, type 10.0.1.140.
8. Click OK.
9. Continuing on the ADMIN tab, in the left navigation pane, click Settings.
10. Click Event Worker.

11. In the Worker Address field, type 10.0.1.140.


12. Click Save.


To view the health of the worker


1. Continuing on the ADMIN tab, in the left navigation pane, click Health.

You can see the CPU and memory usage values for the worker and supervisor nodes, as well as the
processes running on those nodes. The name of a node is the name that was assigned to the node during
installation.

You will also notice that the supervisor node runs more processes than the worker node.

2. Log out of the supervisor FortiSIEM GUI.

Exercise 2: Generating Incidents on FortiSIEM

In this exercise, you will generate several different types of incidents on FortiSIEM using an incident generator
script.

Generate Incidents on FortiSIEM

You will generate Windows security incidents using a script.

To generate incidents on FortiSIEM


1. On the Local-Host VM, open a terminal window (Ctrl+Alt+T).
2. Enter the following command to open an SSH connection to the FortiSIEM supervisor:
ssh [email protected]
3. Enter the password Fortinet1!.
4. Enter the following command to check your working directory—it should be /root:
pwd
5. Enter the following command, and then verify that the fsmIncidentSimulator2_4.sh script is listed:
ls -lrt

6. Enter the following command to run the incident generation script:


./fsmIncidentSimulator2_4.sh security_soar_incident
7. Close the SSH session tab.

To verify the incidents on FortiSIEM


1. On the supervisor FortiSIEM GUI, log in to the super organization with the following credentials:

Field          Value
User ID        admin
Password       Fortinet1!
Cust/Org Id    super
Domain         LOCAL

2. Click INCIDENTS.
3. Verify that you have two incidents with a HIGH severity.

4. Log out of the supervisor FortiSIEM GUI.

Exercise 3: Configuring FortiSIEM Data Ingestion

In this exercise, you will configure data ingestion from FortiSIEM.

Configure the FortiSIEM Connector

You will configure the FortiSIEM connector to automatically pull incidents from FortiSIEM to FortiSOAR on a
scheduled basis.

To configure the FortiSIEM connector


1. On the FortiSOAR management GUI, log in with the username csadmin and password Fortinet1!.
2. Click Automation > Connectors.
3. In the Installed section, search for the Fortinet FortiSIEM connector, and then open it.
4. Configure the following settings:

Field                            Value
Configuration Name               lab
Mark As Default Configuration    Enable
Server URL                       https://10.0.1.130
Username                         admin
Password                         Fortinet1!
Organization                     super
Verify SSL                       Disable

Verify SSL is disabled only because this is an isolated lab. In production, keep certificate verification enabled:
with it off, the connector accepts any certificate presented on the path to the supervisor, and the admin
credentials it sends can be captured by anything that intercepts that path.

5. Click Save.
6. Verify that the CONFIGURATION field is COMPLETED and the HEALTH CHECK field is AVAILABLE.


7. Close the connector configuration window.

To configure data ingestion for FortiSIEM


1. Continuing on the FortiSOAR GUI, click Automation > Connectors.
2. Click Data Ingestion.
3. In the lab row, click Configure Ingestion.

4. Click Let's start by fetching some data.


5. In the Fetch Data step, configure the following settings:

Field                                               Value
Fetch Mode                                          By Updates In Last X Minutes
Pull Incidents Creates/Updates In Last X Minutes    240
Maximum Events To Pull Per Incident                 1
Configure Multi-Tenant Mappings                     Select the checkbox.
Organization Mapping                                { "Super": "Self", "Banking": "Banking", "Aviation": "Aviation", "University": "University" }

Your configuration should match the following example:

6. Click FETCH DATA.


7. In the Field Mapping step, in the Module drop-down list, select Alerts.

8. In the Name field, delete eventType.
The Name field should match the following example:

9. In the search field, type MITRE.


10. Click inside the MITRE ATT&CK ID field.
11. In the Sample Data section, search for Technique.
12. Click attackTechniqueId.

The attackTechniqueId field in the Sample Data section is mapped to the MITRE ATT&CK ID field in the
Field Mapping section.

13. Click inside the MITRE Technique field of the Field Mapping section.
14. In the Sample Data section, search for Tactic.
15. Click attackTactic.


The attackTactic field in the Sample Data section is mapped to the MITRE Technique field in the Field
Mapping section.

16. Click Save Mapping & Continue.


17. In the Do you want to schedule the ingestion? drop-down list, select Yes.
18. Click Every X minutes.
19. In the minute field, type */1.
20. Type * for hour, day of month, month, and day of week if * is not already in those fields by default.

21. Click Save Settings & Continue.


The Quick Summary page is displayed.

22. Review the Quick Summary section.


23. Click Done.

To verify the data ingestion schedule


1. Continuing on the FortiSOAR GUI, click Automation > Schedules.
2. Verify that the data ingestion scheduler for Ingestion_fortinet-fortisiem ran at least one time.
The Total Run Count must be 1 or more than 1.

To verify data ingestion from FortiSIEM


1. Continuing on the FortiSOAR GUI, click Incident Response > Alerts.
Alerts are displayed with a Source value of Fortinet FortiSIEM.

If you do not see the alerts, wait for a minute because the schedule runs every minute.

2. Log out of the FortiSOAR GUI.

Lab 3: Administration and Management of Collectors

In this lab, you will assign a collector to each of two organizations. After you add the collectors on the supervisor
node, you will register the collectors to the supervisor node.

Objectives
- Assign collectors to organizations
- Register collectors to the supervisor
- Add credentials for organizations with collectors
- Discover devices from organizations with collectors

Time to Complete
Estimated: 40 minutes

Exercise 1: Assigning Collectors to Organizations

In this exercise, you will assign collectors to organizations, and configure the guaranteed events per second
(EPS) for each collector.

Assign Collectors to Organizations

Collectors must be defined for organizations that have collectors in their environment. Now, you will add collectors
by editing the organizations that you created earlier.

To assign collectors to organizations


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field          Value
User ID        admin
Password       Fortinet1!
Cust/Org Id    super
Domain         LOCAL

3. Click LOG IN.


4. Click the ADMIN tab.
5. In the left navigation pane, click Setup, and then click Organizations.

6. Select the Banking organization, and then click Edit.


7. Scroll down, and then click New to add a collector.

8. Enter the following values:

Field             Value
Name              collector1
Guaranteed EPS    100
Start Time        Unlimited
End Time          Unlimited

9. Click Save.
Note the collector name. You will use this information during the collector registration.

Your configuration should match the following example:


10. Click Save.


11. Select the Aviation organization, and then click Edit.


12. Scroll down, and then click New to add a collector.
13. Enter the following values:

Field             Value
Name              collector2
Guaranteed EPS    150
Start Time        Unlimited
End Time          Unlimited

14. Click Save.


Note the collector name. You will use this information during the collector registration.

15. Click Save.

Verify Collector Health

Now, you will verify the health of collectors.

To verify collector health


1. Continuing on the ADMIN tab, on the left navigation pane, click Health.
2. Click Collector Health.

If you do not see the collectors, click the refresh icon.

The Status of both collectors is No Connection. For the Status column to show a
status of up, you must deploy, install, and register the collectors to the supervisor. The
collectors have already been installed and IP addresses have been assigned. In the
next lab exercise, you will register the collectors and verify that their Status is up.

3. Log out of the Supervisor FortiSIEM management GUI.

Exercise 2: Registering Collectors

In this exercise, you will register the collectors to the supervisor, and then verify that their status is up.

Register Collectors

Now, you will register the collectors to the supervisor. During registration, the collector is provided with information
such as supervisor IP address, username, password, organization name, and collector name.

To register Collector1
1. From the Local-Host machine, open an SSH connection to Collector1 (10.0.2.130), and then log in with the
following credentials:

Field       Value
Username    root
Password    Fortinet1!

2. Type the following command to register Collector1 with the supervisor node:
phProvisionCollector --add bankadmin Password1! 10.0.1.130 Banking collector1
The arguments are, in order, the organization admin username and password that you configured in Lab 1, the
supervisor IP address, the organization name, and the collector name. Quote the password if it contains
characters that your shell interprets. The collector reboots to complete the registration process.

3. Close the SSH session.

To register Collector2
1. From the Local-Host machine, open an SSH connection to Collector2 (10.0.3.130), and then log in with the
following credentials:

Field       Value
Username    root
Password    Fortinet1!

2. Type the following command to register Collector2 with the supervisor node:
phProvisionCollector --add flightadmin Password1! 10.0.1.130 Aviation collector2
The collector reboots to complete the registration process.

3. Close the SSH session.

Verify Collector Health

Now, you will verify the health of the collectors.

To verify collector health


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click ADMIN.
5. In the left navigation pane, click Health, and then click Collector Health.
6. Click refresh ( ).

The Status of all three collectors is up, the Health is Normal, and the correct IP address is associated with
each collector.

7. Select any collector, and then click Show Processes to view the processes running on that collector and their
status.


If the status of any collector is not up, open an SSH connection to that collector,
and then reboot it with the following command:
shutdown -r now

8. Log out of the Supervisor FortiSIEM management GUI.

Exercise 3: Discovering FGT Banking through a Collector

In this exercise, you will discover a FortiGate device in the banking organization that has two collectors.

Configure SNMP on FortiGate

Now, you will configure SNMP on FortiGate at the Banking organization. You will enable SNMP events that are
critical for FortiSIEM to monitor.

Configure SNMP on FGT Banking


1. Go to the management GUI of the FGT Banking FortiGate.
2. Log in with the username admin and password password.
3. Click System > SNMP.
4. Enable SNMP Agent.
5. Enter the following values:

Field Value

Description FGT_Banking

Location Ottawa

6. In the SNMP v1/v2c section, click Create New.


7. Enter the following values:

Field Value

Community Name public

Enabled enable

IP Address 0.0.0.0/0

Host Type Accept queries and send traps

In this lab, the community accepts queries from any source address and uses the default community name.
Outside a lab, restrict the host entry to the addresses of the collectors that will poll the device and use a
non-default community name, or use SNMPv3 with authentication and privacy: an SNMP v1/v2c community
name travels in cleartext and is the only thing protecting the device's configuration and status data.

8. Scroll down to the SNMP Events section, and verify that the following traps are enabled:

Field Value

VPN tunnel is up enable

VPN tunnel is down enable

IPS detected an attack enable

IPS detected an anomaly enable

AV detected virus enable

AV detected oversized file enable

AV detected file matching pattern enable

AV detected fragmented file enable

9. Click OK.
10. Click Apply.

To enable the SNMP service on an interface


1. Continuing on the FGT Banking management GUI, click Network > Interfaces.
2. Select port2, and then click Edit.
3. In the Administrative Access section, enable SNMP.
4. Click OK.
5. Log out of the FGT Banking FortiGate management GUI.

Add Credentials for FortiGate

Now, you will add the FortiGate credentials on FortiSIEM. Using these credentials, FortiSIEM will be able to
discover the FortiGate device.

To add credentials for FGT Banking


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click the Change Organization View icon and, in the drop-down list, select Change Organization View.

5. Select Switch to Organization and in the drop-down list, select Banking.

6. Click Change View.


7. Click ADMIN.
8. In the left navigation pane, click Setup, and then click Credentials.
9. In the Step 1: Enter Credentials section, click New.
10. Enter the following values:

Field Value

Name Banking_FGT_SNMP

Device Type Generic

Access Protocol SNMP

Port 161

Password config Manual

Community String public

Confirm Community String public

11. Click Save.


12. In the Step 1: Enter Credentials section, click New again.
13. Enter the following values:

Field Value

Name Banking_FGT_SSH

Device Type Fortinet FortiOS

Access Protocol SSH

Port 22

Password config Manual

User Name admin

Password password

Confirm Password password

14. Click Save.


15. In the Step 2: Enter IP Range to Credential Associations section, click New.
16. Enter the following values:

Field Value

IP/IP Range 10.0.2.254

Credential Banking_FGT_SNMP

Click +, and then select Banking_FGT_SSH.

17. Click Save.


Your configuration should match the following example:

Discover Banking FortiGate

Now, you will discover the Banking FortiGate device.

To discover FGT Banking
1. Continuing on the Setup page on FortiSIEM, click Discovery.
2. Click New.
3. Enter the following values:

Field Value

Name Banking_FGT

Discovery Type Range Scan

Include 10.0.2.254

Name Resolution SNMP/WMI first

4. Click Save.
5. Click Discover.
Wait for the discovery to complete.

6. Click Close.

Approve FortiGate in CMDB

When FortiSIEM discovers devices, monitoring begins automatically, and incidents for those devices will be
triggered automatically based on the rules associated with those devices. However, you can configure the
discovery settings so incidents are triggered only for devices you approve.

Since this is a lab environment with few devices, you can use the default settings.

To approve FGT Banking in CMDB


1. Continuing on the FortiSIEM management GUI, click CMDB.
2. In the left navigation pane, click Devices > Network Device > Firewalls.
3. Select FGT_Banking.
4. Click Action, and in the drop-down list, select Change Status.


5. Verify that the Change Status to setting is set to Approved.

6. Click OK.
7. Log out of the Supervisor FortiSIEM management GUI.

Exercise 4: Discovering FGT Aviation through a Collector

In this exercise, you will discover a FortiGate device from the aviation organization that has a collector.

Configure Syslog on FGT Aviation

Syslog is another method of sending logs to FortiSIEM. Now, you will configure syslog on the FGT Aviation
FortiGate device and enable only the essential logs that you want to monitor on FortiSIEM.

To configure Syslog on FGT Aviation


1. Go to the management GUI of FGT Aviation FortiGate.
2. Log in with the username admin and password password.
3. Click Log & Report > Log Settings.
4. Enable Send logs to syslog.
5. In the IP Address/FQDN field, type 10.0.3.130 (the address of Collector2, the Aviation collector).
6. In the Event Logging section, click Customize.
7. Enable the following events:
l System activity event
l VPN activity event
l User activity event
l Router activity event
8. In the Local Traffic Log section, click Customize.
9. Verify that the following events are disabled:
l Log Allowed Traffic
l Log Local Out Traffic
l Log Denied Unicast Traffic
l Log Denied Broadcast Traffic
Your configuration should match the following example:


10. Click Apply.

Configure SNMP on Aviation FortiGate

Now, you will configure SNMP on FGT Aviation and enable the SNMP events that you would like to monitor on
FortiSIEM.

To configure SNMP on FGT Aviation


1. Continuing on the management GUI of FGT Aviation, click System > SNMP.
2. Enable SNMP Agent.
3. Enter the following values:

Field Value

Description FGT_Aviation

Location London

4. In the SNMP v1/v2c section, click Create New.


5. Enter the following values:

Field Value

Community Name public

Enabled enable

IP Address 0.0.0.0/0

Host Type Accept queries only

6. Scroll down to the SNMP Events section, and disable all SNMP events except the following:
l IPS detected an attack
l IPS detected an anomaly
7. Click OK.
8. Click Apply.

To enable SNMP on an interface


1. Continuing on the management GUI of FGT Aviation, click Network > Interfaces.
2. Select port2, and then click Edit.
3. In the Administrative Access section, enable SNMP.
4. Click OK.
5. Log out of the FGT Aviation FortiGate management GUI.

Add Credentials for Aviation FortiGate

Now, you will add the FortiGate credentials on FortiSIEM so that FortiGate can be discovered through SNMP.

To add credentials for FGT Aviation


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click the Change Organization View icon, and in the drop-down list, select Change Organization View.

5. Select Switch to Organization, and in the drop-down list, select Aviation.
6. Click Change View.

If you are already logged in as an admin user of the banking organization, you must
change the scope to Global, and then change the scope again to Aviation.

You can also log out and log back in as an admin user of the aviation organization.

7. Click ADMIN.
8. In the left navigation pane, click Setup, and then click Credentials.
9. In the Step 1: Enter Credentials section, click New.
10. Enter the following values:

Field Value

Name Aviation_FGT_SSH

Device Type Fortinet FortiOS

Access Protocol SSH

Port 22

Password config Manual

User Name admin

Password password

Confirm Password password

11. Click Save.


12. In the Step 1: Enter Credentials section, click New again.
13. Enter the following values:

Field Value

Name Aviation_FGT_SNMP

Device Type Generic

Access Protocol SNMP

Port 161

Password config Manual

Community String public

Confirm Community String public

14. Click Save.


15. In the Step 2: Enter IP Range to Credential Associations section, click New.

16. Enter the following values:

Field Value

IP/Host Name 10.0.3.254

Credential Aviation_FGT_SSH

Click +, and then select Aviation_FGT_SNMP.

17. Click Save.

Discover FortiGate

Now, you will discover the FortiGate device from Aviation organization on FortiSIEM.

To discover FGT Aviation


1. Continuing on the Setup page of FortiSIEM, click Discovery.
2. Click New.
3. Enter the following values:

Field Value

Name Aviation_FGT

Discovery Type Range Scan

Include 10.0.3.254

Name Resolution SNMP/WMI first

4. Click Save.
5. Click Discover.
Wait for the discovery to complete.


6. Click Close.

Approve FortiGate in CMDB

When FortiSIEM discovers devices, monitoring begins automatically, and incidents for those devices will be
triggered automatically based on the rules associated with those devices. However, you can configure the
discovery settings so incidents will be triggered only for devices you approve.

Since this is a lab environment with few devices, you can use the default settings.

To approve FGT Aviation in CMDB


1. Continuing in the aviation organization scope, click CMDB.
2. In the left navigation pane, click Devices > Network Device > Firewall.
3. Select FGT_Aviation.
4. Click Action, and in the drop-down list, select Change Status.
5. Verify that the Change Status to setting is set to Approved.
6. Click OK.
7. Log out of the Supervisor FortiSIEM management GUI.

Lab 4: Administration and Management of Agents

In this lab, you will add Windows and Linux agents to organizations.

Objectives
l Add agent credentials to organizations
l Register agents to a supervisor

Time to Complete
Estimated: 30 minutes

Exercise 1: Adding a Windows Agent to an Organization

In this exercise, you will add a Windows agent to the aviation organization. You will also configure audit policies on
Windows so that appropriate security events will be sent to FortiSIEM for analysis.

Configure Windows Agent Registration Credentials

Before registering a Windows agent, you must define the administrator credentials for the organization through
which the Windows agent will be managed.

To define Windows agent registration credentials


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click ADMIN.
5. In the left navigation pane, click Setup, and then click Organizations.

6. Select Aviation, and then click Edit.


7. Enter the following values:

Field Value

Agent User admin

Agent Password Password1!

Confirm Agent Password Password1!

8. Click Save.
Note the aviation organization ID. You will need this ID during the agent registration process.

Configure the Windows Agent Installation Settings File

Using a text editor, you will edit the InstallSettings.xml file, which is located in the same folder as the
Windows agent binaries. You will specify parameters such as organization name, organization ID, administrator
username, administrator password, and supervisor IP.

To configure the InstallSettings.xml file


1. Go to the Win-Agent VM.
2. Click Resource > FSM_WindowsAgent > InstallSettings.xml.
Open the file in Notepad++.

3. Enter the following values:

Field Value

ORG_ID Enter the aviation organization ID.

ORG_NAME Aviation

SUPER_IP 10.0.1.130

ORG_NAME/AGENT_USER Aviation/admin

AGENT_PASSWORD Password1!

Your configuration file should match the following example, except for the organization ID.

4. Save the file (Ctrl + S).


5. Close the file.

6. Return to the FSM_WindowsAgent folder, and double-click the MSI package FSMLogAgent-v4.1.2-build0108.
7. Click Install.
The installer will display an install progress window.

8. When installation is complete, click Restart to restart the Windows device.

Wait for the Windows server to come back up.

9. On the Win-Agent VM taskbar, click Services.

10. Verify that the FSMLogAgent is Running.

11. Close the Services window.

Define an Audit Policy

Since Windows generates a lot of security logs, you will specify the categories of events that you want to be
logged and available for monitoring by FortiSIEM.

To define an audit policy


1. On the Win-Agent VM taskbar, click Local Security Policy.


2. Click Local Policies > Audit Policy.


3. Double-click Audit account logon events.
4. Enable both Success and Failure.
5. Click OK.

6. Configure the following audit policies the same way:


l Audit logon events
l Audit object access
l Audit policy change
Your configuration should match the following example:

7. Close the Local Security Policy window.
8. Close the Win-Agent VM browser tab.

Verify the Windows Agent Status

Once an agent is installed, it appears in the CMDB. The Agent Status column may display various states initially,
depending on whether a matching template is predefined or not. Now, you will verify the status of the Windows
agent on FortiSIEM.

To verify the Windows agent status on CMDB


1. Return to the FortiSIEM management GUI, and click CMDB.
2. In the Orgs without collector drop-down list, select Aviation.

3. Click Windows.

The Win_Agent agent is displayed.

Notice that the Method used to discover the Win_Agent is listed as AGENT. The Agent Status is
Registered, which means the agent has successfully registered but has not received a monitoring template.
Therefore, at this point, a Windows agent license is not used and the Status of the device is Unmanaged.

4. Log out of the Supervisor FortiSIEM management GUI.

Exercise 2: Assigning Templates to Windows Agents

In this exercise, you will assign a template to the Windows agent.

Create a Windows Agent Monitor Template

Monitor templates define what type of logs the agent will monitor and upload, such as security event logs, system
event logs, DNS logs, DHCP logs, custom application logs, file integrity monitoring logs, and so on.

You will configure a security monitoring template for the Windows server.

To create a Windows agent monitor template


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click ADMIN.
5. In the left navigation pane, click Setup, then click Windows Agent.
6. In the Windows Agent Monitor Templates section, click New.

7. In the Name field, type Security_Template.


8. Click Event.
9. Click New.
10. In the Type drop-down list, select Security.
11. Click Save.
Your configuration should match the following example:


12. Click Save.

Associate a Host to a Template

After defining the monitoring templates, you must associate hosts to templates. You will be mapping organizations
and hosts to templates and collectors.

To associate a host to a template


1. Continuing on the Windows Agent tab, in the Host To Template Associations section, click New.

2. Configure the following settings:

Field Value

Name Template_Server_2016

Organization Aviation

Template Security_Template

Collector collector2

Your configuration should match the following example:

3. Click Save.

Verify the Agent Status

Now, you will verify the agent status after the template has been associated with it.

To verify the agent status


1. Continuing on the FortiSIEM management GUI, click CMDB.
2. In the Orgs without collector drop-down list, select Aviation.


3. Click Windows.

4. Click the refresh icon ( ).


It will take a few minutes for the Agent Status column to change to Running Active.

If for some reason the Agent Status changes to Disconnected, restart the Windows
agent service on the Win-Agent VM.

Approve the Windows Agent

Now, you will approve the Windows agent. Monitoring of the agent begins automatically, and incidents for those
devices will trigger automatically based on the rules associated with those devices.

To approve the Windows agent


1. Continuing on the CMDB tab, select Win_Agent, and in the Action drop-down list, select Change Status.


2. Verify that the Change Status to setting is set to Approved, and then click OK.
Your configuration should match the following example:

3. Log out of the Supervisor FortiSIEM management GUI.

Exercise 3: Discovering LDAP Users

In this exercise, you will discover LDAP users and groups from FortiSIEM, which are preconfigured on the
Windows Server.

Discover LDAP Users and Groups

To add users to the FortiSIEM deployment from an Active Directory server over LDAP, you must first add the login
credentials for your server and associate them to an IP range, and then run the discovery process on the Active
Directory server. When the server is discovered successfully, all users in that directory will be added to your
deployment.

To add credentials for LDAP


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click the Change Organization View icon, and in the drop-down list, select Change Organization View.

5. Select Switch to Organization, and in the drop-down list, select Aviation.


6. Click Change View.
7. Click ADMIN.
8. In the left navigation pane, click Setup, then click Credentials.
9. In the Step 1: Enter Credentials section, click New.
10. Enter the following values:

Field Value

Name LDAP Server

Device Type Microsoft Windows Server 2016

Access Protocol LDAP

Used For Microsoft Active Directory

Server Port 389

Base DN DC=Aviation,DC=lab

Password config Manual

User Name CN=Administrator,CN=Users,DC=Aviation,DC=lab

Password Fortinet1!

Confirm Password Fortinet1!

11. Click Save.


12. In the Step 2: Enter IP Range to Credential Associations section, click New.
13. Enter the following values:

Field Value

IP/Host Name 10.0.3.10

Credentials LDAP Server

14. Click Save.

To discover LDAP users


1. Continuing on the Setup page, click Discovery.
2. Click New.
3. Enter the following values:

Field Value

Name LDAP Server

Discovery Type Range Scan

Include 10.0.3.10

Name Resolution SNMP/WMI first

4. Click Save.
5. Select LDAP Server, and then click Discover.
Wait for the discovery to complete.


6. Click Close.

Review LDAP Users on FortiSIEM

Now, you will review the discovered LDAP users on FortiSIEM.

To review LDAP users


1. Continuing on the FortiSIEM management GUI, click CMDB.
2. Click Users > DC=Aviation,DC=lab > OU=VPN Users,DC=aviation,DC=lab.
The four users who are members of the VPN Users group are displayed.

3. Select Sarah, and then click the arrow icon to review the Summary.

You will notice that Sarah is a member of both the VPN Users and Domain Admins groups, unlike other
users who are members of the VPN Users group only.


4. Log out of the Supervisor FortiSIEM management GUI.
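Sarah's dual membership is the kind of condition worth checking across the whole directory rather than one user at a time. The following shell script is an added example and is not part of the lab guide or of FortiSIEM: it reads LDIF (the format ldapsearch prints) and lists every account that is a member of both a VPN access group and Domain Admins. The LDIF embedded in it is constructed, and the two group DNs are assumptions about how the lab directory is laid out; the guide only shows the OU.

```shell
#!/bin/sh
# Added example, not from the lab guide or FortiSIEM: find accounts that are
# members of both a VPN access group and Domain Admins, the condition the lab
# observes for Sarah. Input is LDIF as printed by ldapsearch.

# Assumed group DNs (the lab guide shows the OU, not the group objects themselves).
VPN_GROUP='CN=VPN Users,OU=VPN Users,DC=Aviation,DC=lab'
ADMIN_GROUP='CN=Domain Admins,CN=Users,DC=Aviation,DC=lab'

# Constructed sample LDIF. Ann's memberOf value is folded across two lines the
# way ldapsearch wraps long attributes, to show that folding is handled.
SAMPLE_LDIF='dn: CN=Sarah,OU=VPN Users,DC=Aviation,DC=lab
sAMAccountName: sarah
memberOf: CN=VPN Users,OU=VPN Users,DC=Aviation,DC=lab
memberOf: CN=Domain Admins,CN=Users,DC=Aviation,DC=lab

dn: CN=Tom,OU=VPN Users,DC=Aviation,DC=lab
sAMAccountName: tom
memberOf: CN=VPN Users,OU=VPN Users,DC=Aviation,DC=lab

dn: CN=Ann,OU=VPN Users,DC=Aviation,DC=lab
sAMAccountName: ann
memberOf: CN=VPN Users,OU=VPN Users,DC=Aviati
 on,DC=lab

dn: CN=Administrator,CN=Users,DC=Aviation,DC=lab
sAMAccountName: Administrator
memberOf: CN=Domain Admins,CN=Users,DC=Aviation,DC=lab
'

# Join LDIF continuation lines (a line starting with one space) onto the previous line.
ldif_unfold() {
    awk 'NR == 1 { buf = $0; next }
         /^ /    { buf = buf substr($0, 2); next }
                 { print buf; buf = $0 }
         END     { print buf }'
}

# dual_members GROUP1_DN GROUP2_DN < file.ldif
# Prints the sAMAccountName of every entry whose memberOf includes both DNs.
dual_members() {
    ldif_unfold | awk -v g1="$1" -v g2="$2" '
        BEGIN { RS = ""; FS = "\n" }            # blank-line separated entries
        {
            name = ""; in1 = 0; in2 = 0
            for (i = 1; i <= NF; i++) {
                attr = $i; val = $i
                sub(/:.*$/, "", attr)           # attribute name
                sub(/^[^:]*: */, "", val)       # attribute value
                if (tolower(attr) == "samaccountname") name = val
                else if (tolower(attr) == "memberof") {
                    if (val == g1) in1 = 1
                    if (val == g2) in2 = 1
                }
            }
            if (in1 && in2 && name != "") print name
        }'
}

# Stand-alone run over the constructed sample; prints: sarah
printf '%s' "$SAMPLE_LDIF" | dual_members "$VPN_GROUP" "$ADMIN_GROUP"
```

To run it against the lab directory instead of the sample, feed it the output of ldapsearch -x -H ldap://10.0.3.10 -D 'CN=Administrator,CN=Users,DC=Aviation,DC=lab' -W -b 'DC=Aviation,DC=lab' '(&(objectCategory=person)(objectClass=user))' sAMAccountName memberOf. The lab binds with the domain Administrator account over cleartext LDAP on port 389; outside a lab, give FortiSIEM a read-only service account and use LDAPS (port 636) so the bind password is not exposed on the wire.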

Exercise 4: Adding a Linux Agent to an Organization

In this exercise, you will add a Linux agent to the banking organization.

Configure Linux Agent Registration Credentials

Before you register a Linux agent, you must define the administrator credentials for the organization through
which the Linux agent will be managed.

To configure Linux agent registration credentials


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click ADMIN.
5. In the left navigation pane, click Setup, and then click Organizations.

6. Select Banking, and then click Edit.


7. Enter the following values:

Field Value

Agent User admin

Agent Password Password1!

Confirm Agent Password Password1!

8. Click Save.
Note the banking organization ID. You will need this ID during the agent registration process.

Register the Linux Agent

To install a Linux agent, you must download the shell script for the Linux agent installer from the Fortinet Support
site. For this lab, the installer is already downloaded.

The install script needs execute permissions and you must install it as a root user. You will specify parameters,
such as supervisor IP address, organization ID, organization name, agent username, and agent password, before
executing the script.

To register the Linux agent to a supervisor


1. Go to the Linux-Agent VM.
2. Open a terminal window (Ctrl + Alt + T).
3. Type the following command to change your working directory:
cd Desktop/Resource/FSM_LinuxAgent
4. Type ls, and verify that the linux_agent.sh file exists.
5. Type the following command to start the installer:
sudo ./linux_agent.sh
6. Type the password password.
The install options and install script syntax are displayed.

7. Type the following command to start the installation. Replace <Organization-Id> with the organization ID you
noted earlier:
sudo ./linux_agent.sh -s 10.0.1.130 -i <Organization-Id> -o Banking -u admin -p Password1!
An INSTALLATION SUCCESS message is displayed:


8. Type the following command to check the agent service status:


systemctl status fortisiem-linux-agent.service

9. Press Ctrl + C, and then type the following command to change your working directory:
cd /opt/fortinet/fortisiem/linux-agent/bin
10. Type ls, and verify that your directory listing matches the following example:

There are several files for different purposes, such as starting the agent, stopping the agent, uninstalling the
agent, checking the version number of the agent, and so on.

11. Close the terminal window.


12. Close the Linux-Agent VM browser tab.

Verify the Linux Agent Status

Now, you will verify the status of the Linux agent on FortiSIEM.

Once an agent is installed, it appears in the CMDB. The Agent Status column may display various states initially,
depending on whether a matching template is predefined or not.

To verify the Linux agent status on CMDB


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click CMDB.
5. In the Orgs without collector drop-down list, select Banking.

6. Click Unix.

The Linux_Agent agent is displayed.

Notice that the Method used to discover Linux_Agent is listed as AGENT. The Agent Status is Registered,
which means the agent has successfully registered but has not yet received a monitoring template. Therefore, at
this point, a Linux agent license is not consumed and the device Status is Unmanaged.

7. Log out of the Supervisor FortiSIEM management GUI.

Exercise 5: Assigning Templates to Linux Agents

In this exercise, you will assign a template to the Linux agent.

Create Linux Agent Monitor Templates

Linux templates define the type of logs the agent will monitor and upload, such as security event logs, system
event logs, DNS logs, DHCP logs, custom application logs, file integrity monitoring logs, and so on.

To create a Linux agent monitor template


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

You must be logged in to the FortiSIEM from the Local-Host VM.

3. Click LOG IN.


4. Click ADMIN.
5. In the left navigation pane, click Setup, and then click Linux Agent.
6. In the Linux Agent Monitor Templates section, click New.
7. In the Name field, type FIM_Template.
8. In the Description field, type File Integrity and Monitoring.
9. Click the FIM tab.
10. Click New.
11. In the Include File/Directory field, type /home/student/Desktop/Resources.
12. In the Actions section, select Modify and Delete.
13. For the Modify action, select Push Files and Compare Baseline.
14. For Compare Baseline, browse to the Resource folder on the Local-Host desktop.
15. Open the lab4 folder.
16. Select hello_world.
17. Click Open.


18. Click Save.


19. Click Save.
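The template you just saved asks the agent to detect modifications and deletions under a directory and to compare what it sees against a baseline file. As an added example that is not part of the lab guide or of the FortiSIEM Linux agent, the shell script below reduces that check to its essentials: record a SHA-256 digest for every file under a directory, then compare the directory against that record and report the files that were modified or deleted. It runs on a temporary directory it creates itself; the /home/student/Desktop/Resources path from the template is not touched, and the Push Files action (uploading the changed file to FortiSIEM) is not reproduced.

```shell
#!/bin/sh
# Added example, not from the lab guide or the FortiSIEM Linux agent: the core
# of a "Compare Baseline" file integrity check. A baseline of SHA-256 digests is
# taken for a directory, and a later pass reports files that were modified or
# deleted, the two actions selected in FIM_Template. It runs on a temporary
# directory it creates, not on the lab's /home/student/Desktop/Resources path.

# SHA-256 of one file, using GNU coreutils or the shasum that ships with macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# fim_baseline DIR  -- one "<sha256> <relative path>" line per regular file,
# in sorted order so two baselines of the same tree compare line for line.
fim_baseline() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
          printf '%s %s\n' "$(hash_file "$f")" "$f"
      done )
}

# fim_compare DIR BASELINE_FILE  -- reports MODIFIED / DELETED files listed in
# the baseline; returns 0 when nothing changed, 1 when drift was found.
fim_compare() {
    dir=$1; base=$2; drift=0
    while IFS=' ' read -r sum path; do
        if [ ! -f "$dir/$path" ]; then
            printf 'DELETED  %s\n' "$path"; drift=1
        elif [ "$(hash_file "$dir/$path")" != "$sum" ]; then
            printf 'MODIFIED %s\n' "$path"; drift=1
        fi
    done < "$base"
    return $drift
}

# Stand-alone demonstration: baseline two files, then tamper with one and
# remove the other. Expected report:
#   MODIFIED ./hello_world
#   DELETED  ./notes.txt
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/watched"
    printf 'hello world\n' > "$work/watched/hello_world"
    printf 'keep me\n'     > "$work/watched/notes.txt"
    fim_baseline "$work/watched" > "$work/baseline.txt"

    printf 'tampered\n' >> "$work/watched/hello_world"
    rm "$work/watched/notes.txt"

    fim_compare "$work/watched" "$work/baseline.txt" || echo "baseline drift detected"
    rm -rf "$work"
}
demo
```

The baseline must be stored somewhere the monitored host cannot rewrite it, or an attacker who can alter the file can also alter the record it is compared against; FortiSIEM keeps the baseline on the supervisor for the same reason, and the hello_world file you browsed to in step 14 is uploaded from the Local-Host VM rather than read from the agent.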

Associate a Host to a Template

After you define the monitoring templates, you must associate hosts to that template. You will map organizations
and hosts to templates and collectors.

To associate a host to a template


1. Continuing on the Linux Agent tab, in the Host To Template Associations section, click New.
2. Enter the following values:

Field Value

Name Template_Server_Linux

Organization Banking

Template FIM_Template

Collector collector1

3. Click Save.

Verify the Agent Status

Now, you will verify the agent status after the template has been associated with it.

To verify the agent status


1. Continuing on the FortiSIEM management GUI, click CMDB.
2. In the Orgs without collector drop-down list, select Banking.
3. Click Unix.
4. Click the refresh icon ( ) in the top left corner.
It will take a few minutes for the Agent Status column to change to Running Active.

Approve the Linux Agent

Now, you will approve the Linux agent. Monitoring of the agent begins automatically, and incidents for those
devices will trigger automatically based on the rules associated with those devices.

To approve the Linux agent


1. Continuing on the CMDB tab, select Linux_Agent, and then in the Action drop-down list, select Change Status.
2. Verify that the Change Status to setting is set to Approved, and click OK.
Your configuration should match the following example:

3. Log out of the Supervisor FortiSIEM management GUI.

Lab 5: Discover Rules

In this lab, you will learn the basics of FortiSIEM rules. You will analyze logs from FortiGate, and filter logs that you
want to analyze.

Objectives
l Filter events from FortiGate on FortiSIEM
l Group events with similar attributes
l Apply aggregate conditions to events

Time to Complete
Estimated: 30 minutes

Exercise 1: Analyzing Allowed Traffic

In this exercise, you will generate HTTPS traffic on FortiGate and analyze the events on FortiSIEM.

Log All Sessions on FortiGate

In this task, you will enable all session logging on FGT_Aviation. By enabling this setting, FortiGate will create a
log entry for every session that matches the policy. These logs are forwarded to the supervisor node by the
collector. You will also generate some HTTPS traffic to generate traffic logs on FGT_Aviation.

To log all sessions on FGT_Aviation


1. Go to the FGT_Aviation FortiGate management GUI.
2. Log in with the username admin and password password.
3. Click Policy & Objects > IPv4 Policy.
4. Expand the port2→port1 section.
5. Select the Lan to Wan policy, and then click Edit.
6. In the Log Allowed Traffic section, click All Sessions.
7. Click OK.
8. Close the FGT_Aviation FortiGate browser tab.

To generate HTTPS traffic


1. Go to the Win-Agent VM.
2. Open the Google Chrome browser, and then navigate to https://www.fortinet.com.
3. Close the Win-Agent VM browser tab.

Analyze Traffic Events on FortiSIEM

Now, you can view the traffic logs generated by FortiGate on FortiSIEM. You will run a historical search for events
related to FortiGate allowed traffic.

After that, you will analyze the events and understand the log enrichment performed by FortiSIEM.

To filter allowed traffic events


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click ANALYTICS.
5. Click the Edit Filters and Time Range field.
6. In the Filter section, select Event Attribute.
7. Enter the following values. Click the add icon ( ) to add new rows.

Attribute Operator Value Next

Reporting IP = 10.0.3.254 AND

Event Type = FortiGate-traffic-allowed AND

Destination TCP/UDP Port = 443 AND

8. In the Time section, select Relative, and set it to 2 Hours.


Your filter setup should match the following example:

9. Click Apply & Run.

To analyze the allowed traffic events


1. Continuing on the ANALYTICS page, select any of the displayed events, and then click the arrow icon ( ) in the
Raw Event Log column.

The Event Details pop-up opens.

2. Scroll down and select the Display settings for Organization ID and Organization Name.

This adds the Organization ID and Organization Name columns to the event results.

3. Click OK.
4. Click Run again.

5. Click Show Event Type.


This will add an additional Event Type column to the event results.

Create a Rule From an Analytics Search

You can create a rule from the ANALYTICS tab, based on the filtered search criteria. Now, you will create a new
rule without activating it. This is to save resources in the lab.

To create a rule from an analytics search
1. Continuing on the ANALYTICS page, in the Action drop-down list, select Create Rule.

2. In the Rule Name field, type Excess HTTPS traffic.


3. Click Step 2: Define Condition.
4. Change the time window to 120 seconds.
5. Click the pencil icon ( ) to edit the Filter_1 subpattern.
6. In the Aggregate section, change the Value setting to 100.
7. In the Group By section, configure the following values. Click the add icon ( ) to add the following new rows:
l Reporting IP
l Source IP
l Destination TCP/UDP Port
Your configuration should match the following example:

To configure aggregate functions, use the Expression Builder, which is available when you
click the Attribute field in the Aggregate section.
1. Select a Function from the drop-down list.
2. Add the Function to the expression.
3. Select the Event Attribute.
4. Add the Event Attribute to the expression.
5. Click Validate, and ensure that the expression is valid.
6. Click OK when the expression is ready.

8. Click Save.
9. Click Step 3: Define Action.
10. In the Severity drop-down list, select 5 - MEDIUM.
11. In the Category drop-down list, select Security.
12. In the Subcategory drop-down list, select Impact.
13. In the Action section, click the pencil icon ( ) to edit it.
14. In the Incident Attributes section, configure the following values:

Event Attribute Subpattern Filter Attribute

Source IP Filter_1 Source IP

15. Click Save.


16. Click OK.
17. Click RESOURCES.
18. In the left navigation pane, click Rules > Ungrouped.
The Excess HTTPS traffic rule is displayed.

You will not be triggering any incidents for this rule. This exercise is to demonstrate the ability to create rules
from the ANALYTICS search tab.

If you activate this rule, it will trigger incidents for hosts that have more than 100 sessions within a two-minute
window.

Do not activate this rule because it could consume excessive resources in the lab
environment. Because the lab environment contains many devices, each device has
been configured to run on minimum resources.

19. Log out of the Supervisor FortiSIEM management GUI.

Exercise 2: Monitoring Firewall Sessions

In this exercise, you will calculate the average firewall sessions from FGT2.

Build an Analytics Search

The FortiSIEM search functionality includes both real-time and historical search options of the information that is
collected. With real-time search, you can see events as they happen, while historical search is based on
information stored in the event database. Both types of searches include simple keyword searching, as well as
structured searches that let you search based on specific event attributes and values, and then group the results
by attributes.

To build an analytics search for firewall sessions


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click ANALYTICS.
5. Click the Edit Filters and Time Range field.
If the attributes from the previous exercise appear in the field, click Clear All.

6. In the Filter section, select Attribute.


7. Enter the following values. Click the add icon ( ) to add new rows.

Attribute Operator Value Next

Reporting IP = 10.0.2.254 AND

Event Type = Select from CMDB AND

Search for PH_DEV_MON_FW_CONN_UTIL.

Click the add item icon ( ) to select it.

8. In the Time section, select Relative, and set it to 20 Minutes.


Your filter setup should match the following example:

9. Click Apply & Run.


All events related to firewall sessions from FGT_Banking are displayed.

If you don't see any events, check the FortiSIEM alerts ( ) located in the
top-right corner of the page. If there is a clock drift issue with a collector,
open an SSH connection, and reboot the collector with the following
command:
reboot -h now

Display the Average Firewall Session

Now, you will display only the average value for the firewall sessions.

To display the average firewall session
1. Continuing on the FortiSIEM management GUI, click the Change Display Fields icon ( ).
2. Click the add icon ( ) to add a new row.

3. Click the empty Attribute field in the new row, and then select Expression Builder.

4. In the Expression field, type AVG(Firewall Session).


5. Click Validate.
A pop-up is displayed indicating that the expression is valid.

6. Close the pop-up message.


7. Click OK.
8. Click the remove icon ( ) to delete the following rows:
l Raw Event Log
l Event Receive Time
These are unique attributes and cannot be considered for grouping events with similar attributes, and
performing aggregate calculations.

9. Click Apply & Run.

The average firewall session count is displayed.

Note the display columns for Reporting IP, Event Name, and AVG(Firewall
Session). The average function calculates the average firewall session from all events
related to firewall connection for the past 20 minutes.

10. Log out of the Supervisor FortiSIEM management GUI.

Lab 6: Configuration of Single Pattern Security Rules

In this lab, you will learn about single subpattern security rules. You will review some of the out-of-the-box rules, and
create your own rules. You will also learn about the event filters, group by conditions, and aggregation conditions
that are required in a single subpattern rule.

Objectives
l Identify a single subpattern security rule
l Review a subpattern in a rule
l Understand out-of-the-box rules
l Define conditions in a rule
l Define actions for a rule
l Understand incident generation
l Review incident attributes
l Determine incident source and target

Time to Complete
Estimated: 30 minutes

Exercise 1: Detecting Remote Desktop Access

In this exercise, you will review the out-of-the-box rule which detects remote desktop access from the Internet,
which is defined as anything outside the internal network. Remote desktop is detected from a Windows log or from
a traffic flow to the RDP port.

Review the Remote Desktop From Internet Rule

You will review only the out-of-the-box rule, which detects remote desktop from the Internet. You will not be
making any changes to this rule.

To review the Remote Desktop from Internet rule


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click RESOURCES.
5. Click Rules.
6. In the search field, type Remote Desktop from Internet.
7. Select the rule, and then click Edit > Selected Rule.
The Step 1: General page has basic information such as the Rule Name, Description of the rule, Event
Type, and Remediation Note.

8. Click Step 2: Define Condition.


This page displays the rule condition. This rule will trigger if the pattern RDP occurs within a 10 minute
window.

9. Click the pencil icon ( ) to edit the RDP subpattern.


10. Review the Filters for the rule.
The first two conditions state that the Source IP must not be part of the Networks: Private Net group and the
Destination IP must be part of the Networks: Private Net group. For simplicity, and to understand it better,
you can refer to these two conditions as Group 1.

The next three filter conditions are grouped into one group, using parentheses. You can refer to these three
conditions as Group 2. The Destination IP must be in the Devices: Windows, Win Logon Type must be
equal to 10, and the Event Type must be part of Dev Logon Failure or Dev Logon Success.

The last two conditions are grouped into one group, using parentheses. You can refer to these two conditions
as Group 3. The Destination TCP/UDP Port must be equal to 3389, and the Event Type must be in the
Bidirectional Netflow or Permit Traffic group.

The Group 2 and Group 3 conditions are nested by other parentheses. There is an OR operator between
Group 2 and Group 3, which means that either Group 2 or Group 3 conditions can be true. For this rule to
trigger, Group 1 and either Group 2 or Group 3 must be true.

11. Review the Group By attributes.

The Group By attributes are set as Source IP and Destination IP. All the matching events that are defined in
the filter will be grouped into two columns—Source IP and Destination IP.

12. Review the Aggregate conditions.

After the events are grouped, and if the COUNT(Matched Events) is equal to or greater than one, the rule will
be triggered.

13. Click Cancel.


14. Click Step 3: Define Action.
Review the Severity, Category, Subcategory, Technique, and Tactic.

15. Click the pencil icon ( ) to edit the Action setting.


16. Review the Incident Attributes.

These will be more clear once the incident is triggered.

17. Click Cancel.
18. Click Cancel.
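The subpattern you just reviewed, Group 1 AND (Group 2 OR Group 3) followed by the Group By on Source IP and Destination IP and the COUNT(Matched Events) >= 1 aggregate, as an added Python example that is not part of this lab guide or of FortiSIEM itself. The CMDB groups (Networks: Private Net, Devices: Windows, the logon and traffic event type groups) are replaced with constructed stand-ins, and the attribute names winLogonType and destIpPort are assumed.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-ins for the CMDB groups the rule refers to (assumptions for this
# example). Private Net is taken to be the RFC 1918 ranges, so the lab's 100.64.x.x
# addresses count as public, as the text describes.
PRIVATE_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOWS_DEVICES = {"10.0.3.10"}                          # Devices: Windows (the Win-Agent host)
DEV_LOGON = {"Win-Security-4624", "Win-Security-4625"}   # Dev Logon Success / Dev Logon Failure
PERMIT_TRAFFIC = {"FortiGate-traffic-allowed"}           # Permit Traffic (Bidirectional Netflow omitted)
RDP_PORT = 3389


def in_private_net(ip):
    """Membership test standing in for 'IN Networks: Private Net'."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NET)


def group1(ev):
    # Source IP NOT IN Private Net AND Destination IP IN Private Net
    return not in_private_net(ev["srcIpAddr"]) and in_private_net(ev["destIpAddr"])


def group2(ev):
    # (Destination IP IN Devices: Windows AND Win Logon Type = 10
    #  AND Event Type IN Dev Logon Failure / Dev Logon Success)
    return (ev["destIpAddr"] in WINDOWS_DEVICES
            and ev.get("winLogonType") == 10
            and ev["eventType"] in DEV_LOGON)


def group3(ev):
    # (Destination TCP/UDP Port = 3389 AND Event Type IN Permit Traffic)
    return ev.get("destIpPort") == RDP_PORT and ev["eventType"] in PERMIT_TRAFFIC


def matches_rdp_subpattern(ev):
    """The nesting the lab describes: Group 1 AND (Group 2 OR Group 3)."""
    return group1(ev) and (group2(ev) or group3(ev))


def evaluate_rdp_rule(events):
    """Group By Source IP, Destination IP; trigger when COUNT(Matched Events) >= 1.
    Returns {(srcIpAddr, destIpAddr): matched event count} for every triggered group."""
    counts = defaultdict(int)
    for ev in events:
        if matches_rdp_subpattern(ev):
            counts[(ev["srcIpAddr"], ev["destIpAddr"])] += 1
    return {key: n for key, n in counts.items() if n >= 1}


# Constructed sample events. srcIpAddr/destIpAddr follow the attribute names used in
# FortiSIEM incident titles; winLogonType and destIpPort are assumed names.
SAMPLE_EVENTS = [
    # Windows logon, type 10 (RemoteInteractive), public source: matches via Group 2
    {"eventType": "Win-Security-4624", "srcIpAddr": "100.64.2.253",
     "destIpAddr": "10.0.3.10", "winLogonType": 10},
    # Firewall permit to port 3389, public source: matches via Group 3
    {"eventType": "FortiGate-traffic-allowed", "srcIpAddr": "100.64.2.253",
     "destIpAddr": "10.0.3.10", "destIpPort": 3389},
    # Same logon from an internal host: Group 1 fails, no match
    {"eventType": "Win-Security-4624", "srcIpAddr": "10.0.3.20",
     "destIpAddr": "10.0.3.10", "winLogonType": 10},
    # Public source but console logon (type 2): Group 2 fails, no port for Group 3
    {"eventType": "Win-Security-4624", "srcIpAddr": "100.64.2.253",
     "destIpAddr": "10.0.3.10", "winLogonType": 2},
    # Public source, permitted HTTPS to the firewall: not RDP, no match
    {"eventType": "FortiGate-traffic-allowed", "srcIpAddr": "100.64.9.9",
     "destIpAddr": "10.0.3.254", "destIpPort": 443},
]

if __name__ == "__main__":
    for (src, dst), n in evaluate_rdp_rule(SAMPLE_EVENTS).items():
        print(f"Remote Desktop from Internet: {src} -> {dst} ({n} matched events)")
```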

RDP From the Internet

Now, you will establish a remote desktop connection from the Local-Host VM. The RDP session will be translated
to a public IP address by the FortiGate firewall. The rule will trigger an incident since the RDP session was
sourced from a public IP address.

To establish an RDP connection to Win-Agent


1. Go to the Local-Host VM.
2. Open Remmina from the task bar.

3. Double-click Server_2016_Administrator.
This is a bookmark for an RDP session for 10.0.3.10.

4. If the bookmark prompts for credentials then enter the following credentials:

Field Value

User name Administrator

Password Fortinet1!

Domain Aviation

5. Click OK.
6. Accept any certificate warnings.
The RDP connection to the Win-Agent VM opens.

7. Close the RDP session.


8. Close the Win-Agent VM browser tab.

Review the RDP Incident

An incident will be generated, alerting the administrator that an RDP connection was established from the Internet.
Any RDP connection from a public IP address is considered suspicious. You will review the incident in detail and
the events that triggered this incident.

To review the RDP incident
1. Return to the Supervisor FortiSIEM management GUI, and click INCIDENTS.
2. Click INCIDENTS.
3. In the Top Impacted Hosts - By Severity / Risk Score section, find the Win_Agent widget, and click Remote
Desktop from Internet.

It can take up to 30 seconds for the incident to display.

4. Select the rule and, at the bottom of the page, click Details.
5. Review the incident details.

6. Click Events.
7. Enable Show Event Type.
8. Select the Win-Security-4624 event, and click the arrow icon ( ) in the Raw Event Log column.
The Event Details window opens.

9. Review the enriched data.

This event was reported by Win_Agent. The logon type code is 10, and the RDP session was initiated from a
public IP address to a private IP address. These conditions were enough to trigger the incident.

10. Click Close.


11. Click Rule, and review the rule that triggered this incident.
12. Analyze the Pattern Definitions.

These are the same definitions that were defined in the aggregate condition, event filter, and group by
attributes in step 2 of the rule.

13. Click the left icon ( ) to return to the Overview page.


14. Log out of the Supervisor FortiSIEM management GUI.

Exercise 2: Detecting Multiple VPN Logon Failures

In this exercise, you will review the out-of-the-box rule which detects five consecutive VPN logon failures in a 10
minute evaluation period.

Review the Multiple VPN Logon Failures Rule

Now, you will review the out-of-the-box rule which detects five consecutive VPN logon failures in a 10 minute
evaluation period.

To review the multiple VPN logon failures rule


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click RESOURCES.
5. Click Rules.
6. In the search field, type Multiple Logon Failures: VPN.
7. Select the Multiple Logon Failures: VPN rule, and then click Edit > Selected Rule.
The Step 1: General page displays the Rule Name, Description, Event Type, and Remediation Note.

8. Click Step 2: Define Condition.


This page displays the rule condition. This rule will trigger if the ExcessVPNLoginFailure subpattern occurs
within a 10 minute window.

9. Click the pencil icon ( ) to edit the ExcessVPNLoginFailure subpattern.


10. Review the Filters for the rule.

There is only one filter. The Event Type must be from the VPN Logon Failure group.

11. Review the Group By attributes.

The Group By attributes are Source IP, Reporting Device, Reporting IP, and User. All the matching
events that are defined in the filter will be grouped into four columns, as defined in the Group By section.

12. Review the Aggregate conditions.

After the events are grouped, and if the COUNT(Matched Events) is equal to or greater than 5, the rule will
be triggered.

13. Click Cancel.


14. Click Step 3: Define Action.
Review the Severity, Category, Subcategory, Technique, and Tactic.

15. Click the pencil icon ( ) to edit the Action setting.


16. Review the Incident Attributes.

This will be more clear after the incident is triggered.

17. Click Cancel.


18. Click Cancel.
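The same count-over-a-window evaluation underlies this rule (COUNT(Matched Events) >= 5 in a 10 minute window, grouped by Source IP, Reporting Device, Reporting IP, and User) and the Excess HTTPS traffic rule from Lab 5 (100 sessions in 120 seconds, grouped by Reporting IP, Source IP, and Destination TCP/UDP Port). The added Python example below is not part of this lab guide or of FortiSIEM; it runs both rules over constructed events with a simplified sliding window, and the event type name FortiGate-event-sslvpn-login-fail and the attribute names reptDevName, reptDevIpAddr, and destIpPort are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def evaluate_counting_rule(events, match, group_by, window_seconds, threshold):
    """Simplified single-subpattern evaluator: apply the filter, Group By the listed
    attributes, and fire once per group when COUNT(Matched Events) inside a sliding
    window of window_seconds reaches threshold. Returns {group key: trigger info}."""
    windows = defaultdict(deque)   # group key -> timestamps of matched events in window
    fired = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if not match(ev):
            continue
        key = tuple(ev[attr] for attr in group_by)
        q = windows[key]
        cutoff = ev["eventTime"] - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:          # drop events that fell out of the window
            q.popleft()
        q.append(ev["eventTime"])
        if len(q) >= threshold and key not in fired:
            fired[key] = {"count": len(q), "first": q[0], "last": q[-1]}
    return fired


T0 = datetime(2021, 9, 20, 10, 0, 0)          # constructed base time for the samples

# Constructed stand-in for the VPN Logon Failure event type group (assumed name).
VPN_LOGON_FAILURE = {"FortiGate-event-sslvpn-login-fail"}


def vpn_fail(user, offset_s, src="100.64.2.253"):
    """Constructed failed SSL VPN logon reported by FGT_Aviation."""
    return {"eventTime": T0 + timedelta(seconds=offset_s),
            "eventType": "FortiGate-event-sslvpn-login-fail",
            "srcIpAddr": src, "reptDevName": "FGT_Aviation",
            "reptDevIpAddr": "10.0.3.254", "user": user}


VPN_EVENTS = (
    [vpn_fail("Sarah", -1500)]                         # 25 min earlier: outside the window
    + [vpn_fail("Sarah", 30 * i) for i in range(5)]    # five failures 30 s apart, as in the lab
    + [vpn_fail("bob", 10), vpn_fail("bob", 70)]       # only two failures: below threshold
)


def vpn_rule_incidents():
    """Multiple Logon Failures: VPN -> COUNT >= 5 within 600 s."""
    return evaluate_counting_rule(
        VPN_EVENTS, lambda e: e["eventType"] in VPN_LOGON_FAILURE,
        ("srcIpAddr", "reptDevName", "reptDevIpAddr", "user"), 600, 5)


def https_event(offset_s, src="10.0.3.10"):
    """Constructed FortiGate-traffic-allowed session to port 443."""
    return {"eventTime": T0 + timedelta(seconds=offset_s),
            "eventType": "FortiGate-traffic-allowed",
            "reptDevIpAddr": "10.0.3.254", "srcIpAddr": src, "destIpPort": 443}


HTTPS_EVENTS = ([https_event(i) for i in range(150)]                   # one session per second
                + [https_event(3 * i, src="10.0.3.20") for i in range(40)])  # a quieter host


def excess_https_incidents():
    """Excess HTTPS traffic (Lab 5) -> COUNT >= 100 within 120 s."""
    return evaluate_counting_rule(
        HTTPS_EVENTS,
        lambda e: (e["reptDevIpAddr"] == "10.0.3.254"
                   and e["eventType"] == "FortiGate-traffic-allowed"
                   and e["destIpPort"] == 443),
        ("reptDevIpAddr", "srcIpAddr", "destIpPort"), 120, 100)


if __name__ == "__main__":
    for key, info in vpn_rule_incidents().items():
        print("Multiple Logon Failures: VPN", key, info["count"])
    for key, info in excess_https_incidents().items():
        print("Excess HTTPS traffic", key, info["count"])
```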

To review event types for VPN logon failure


1. Continuing on the FortiSIEM GUI, on the left navigation pane, click Event Types > Security > Logon Failure >
VPN Logon Failure.

There are 107 different types of VPN logon failures that can trigger this rule. These are the event types that
are built in to FortiSIEM. You cannot delete them, but you can create your own event types in the appropriate
category.

2. In the search field, type FortiGate.

You will trigger a tunnel-mode SSL VPN logon failure.

Generate SSL VPN Login Failures

Now, you will generate five or more SSL VPN login failures by entering an incorrect password. FortiGate will send
those failed logon events to FortiSIEM.

To initiate five consecutive SSL VPN login failures


1. Go to the Local-Host VM.
2. Open FortiClient from the task bar.

If the system prompts for a password to run FortiClient, enter password.

3. Connect to the Aviation organization through SSL VPN with the following credentials:

Field Value

VPN Name SSL_VPN_Aviation

User Sarah

Password 123456

This is an incorrect password for the VPN which will generate the failed logon events.

4. Click Connect.
5. Click Continue.
6. Click OK.
7. Continue attempting to log in four more times with different incorrect passwords.

Pause for 30 seconds after each login attempt. This ensures that FortiGate records the
events and forwards them to FortiSIEM.

8. Close FortiClient.
9. Close the Local-Host VM browser tab.

Verify VPN events on FortiGate

Now, on FortiGate, you will verify the failed SSL VPN events. You must ensure that there are at least five failed
logon events within a 10 minute period.

To verify the VPN events on FGT3


1. Go to the FGT_Aviation FortiGate management GUI.
2. Log in with the username admin and password password.
3. Click Log & Report > Events.
4. Click System Events.
5. From the drop-down list, select VPN Events.
6. Click Add Filter > Action > ssl-login-fail.
The failed SSL VPN login events are displayed.

There must be at least five failed SSL VPN login attempts within a 10 minute period.

7. Log out of the FGT_Aviation FortiGate management GUI.

Review the Incident for Multiple VPN Logon Failures

Now, you will review the incident that is generated because there were five or more SSL VPN logon failures. You
will review the incident source, target, and details.

To review the incident for multiple VPN logon failures


1. Return to the Supervisor FortiSIEM management GUI, and click INCIDENTS.
2. In the Top Impacted Host - By Severity / Risk Score section, find the FGT_Aviation widget, and then click
Multiple Logon Failures: VPN.

3. Select the incident, and at the bottom of the page, click Details.
4. Review the incident details.
5. Click the Events tab to view the events that triggered this incident.

Because FGT_Aviation FortiGate reported five or more VPN logon failures, FortiSIEM generated this
incident.

6. Review the Source, Target, and Detail for the incident.

This incident was generated because of failed VPN logon attempts from the IP address 100.64.2.253 and
the target was the FortiGate IP address 10.0.3.254. The user Sarah was also a target because someone
tried to use her username to log in to the VPN. The Detail section provides you with the number of events that
it took to trigger this incident.

7. Log out of the Supervisor FortiSIEM management GUI.

Exercise 3: Detecting Locked Domain Accounts

In this exercise, you will review the out-of-the-box rule which detects account lockout caused by excessive logon
failures in a 10 minute window.

Review the Domain Account Locked Rule

You will review the Account Locked: Domain out-of-the-box rule which detects account lockout caused by
excessive logon failures.

To review the domain account locked rule


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click RESOURCES.
5. Click Rules.
6. In the search field, type Account Locked: Domain.
7. Select the Account Locked: Domain rule, and then click Edit > Selected Rule.
The Step 1: General page shows the Rule Name, Description, Event Type, and Remediation Note.

8. Click Step 2: Define Condition.


This page displays the rule condition. This rule will trigger if the DomainAcctLockout subpattern occurs
within a 10 minute window.

9. Click the pencil icon ( ) to edit the DomainAcctLockout subpattern.


10. Review the Filters for this rule.

The Event Type attribute must be in the Domain Account Locked group, and the Reporting IP must be in
the Domain Controller group.

11. Review the Group By attributes.

The Group By attributes are Reporting Device, Reporting IP, and User. All the matching events that are
defined in the filter will be grouped into four columns, as defined in the Group By section.

12. Review the Aggregate conditions.

After the events are grouped, and if the COUNT(Matched Events) is equal to or greater than 1, the rule will
be triggered.

13. Click Cancel.


14. Click Step 3: Define Action.
Review the Severity, Category, Subcategory, Technique, and Tactics.

15. Click the pencil icon ( ) to edit the Action setting.


16. Review the Incident Attributes.

17. Click Cancel.


18. Click Cancel.

To review the domain account locked event types


1. Continuing on the RESOURCE page, on the left navigation pane, click Event Types > Security > Logon Failure
> Domain Account Locked.
There are three different types of domain account lockout events that are built in to FortiSIEM.

Review the Incident for Locked Domain Accounts

The incident for this rule was already triggered when you tried to log in to the SSL VPN and failed five times using
the username Sarah. The domain policy is configured to lock user accounts after five failed attempts.

To review the incident for locked domain accounts


1. Continuing on the FortiSIEM GUI, click INCIDENTS.
2. In the Top Impacted Host - By Severity / Risk Score section, find the Win-Agent.aviation.lab widget, and click
Account Locked: Domain.

3. Select the incident, and at the bottom of the page, click Events.

The Event Type is Win-Security-4740, and it is reported from an IP address that belongs to the domain
controller group.

4. Log out of the Supervisor FortiSIEM management GUI.

Exercise 4: Creating a New Security Rule

In this exercise, you will build a new security rule which monitors for successful login events reported by a network
device from a public IP address.

Create a Custom Rule

Creating a new rule involves defining the attributes of the incident that is triggered by the rule, as well as the
triggering conditions and any exceptions or clear conditions. You can also create a rule by cloning an existing rule.

In this task, you will create a new rule to detect successful admin logins to FortiGate from a public IP address.

To create a custom rule


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click the Change Organization View icon, and in the drop-down list, select Change Organization View.

5. Select Switch to Organization, and in the drop-down list, select Aviation.


6. Click Change View.
7. Click RESOURCES.
8. In the left navigation pane, click Rules > Security.
9. Click New.
10. In Step 1: General, enter the following:

Field Value

Rule Name Admin login to FortiGate from a public IP address

Description Detects successful admin login to FortiGate from public IP addresses

11. Click Step 2: Define Condition.
12. Click the pencil icon ( ) to edit the Subpattern.
13. In the Name field, type FgtLoginPublic.
14. Configure the following Filters:

Attribute Operator Value Next

Source IP NOT IN Select from CMDB. AND

Click Networks > Private Net.

Click the add item icon ( ) to select it.

Event Type = Select from CMDB. AND

Search for FortiGate-event-admin-login-success.

Click the add item icon ( ) to select it.

15. Configure the following Aggregate function:

Attribute Operator Value Next

COUNT(Matched Events) >= 1 AND

To configure aggregate functions, use the Expression Builder, which is available when you
click the Attribute field in the Aggregate section.
1. Select a Function from the drop-down list.
2. Add the Function to the expression.
3. Select the Event Attribute.
4. Add the Event Attribute to the expression.
5. Click Validate, and ensure that the expression is valid.
6. Click OK when the expression is ready.

16. Add the following Group By attributes:


l User
l Reporting Device

l Reporting IP
l Source IP
17. Click Save.
18. Click Step 3: Define Action.
19. Configure the following values:

Field Value

Severity 9-HIGH

Category Security

Subcategory Suspicious Activity

Technique [T1190] Exploit Public-Facing Application

20. Click the pencil icon ( ) to edit the Action setting.


21. Configure the following Incident Attributes:

Event Attribute Subpattern Filter Attribute

Destination IP FgtLoginPublic Reporting IP

Destination Host Name FgtLoginPublic Reporting Device

User FgtLoginPublic User

Source IP FgtLoginPublic Source IP

22. Set the Incident Title as follows:


$srcIpAddr attempted to log into FortiGate $destIpAddr from a public IP address

You can populate the Source IP and Destination IP using the Insert Attribute drop-down list.

23. Select the following Triggered Attributes:


l Event Receive Time
l Event Type
l Reporting IP
l Raw Event Log
l Source IP
24. Click Save.
25. Click Save again.
26. Click the checkbox to activate your custom rule.

27. Click Continue.

Log in to FortiGate From a Public IP Address

Now, you will trigger an incident by logging in to FGT_Aviation from a public IP address.

To log in to FortiGate from Kali


1. Go to the Kali VM.
2. Open a terminal session.
3. Type the following command to open an SSH connection to FGT_Aviation:
ssh [email protected]

Accept any security warnings.

4. Log in with the password password.


5. Close the terminal window.
6. Close the Kali VM browser tab.

To review the incident for the rule


1. Return to the Supervisor FortiSIEM management GUI, and click INCIDENTS.
2. In the Top Impacted Host - By Severity / Risk Score section, find the FGT_Aviation widget, and click Admin
login to FortiGate from a public IP address.

3. Select the incident, and at the bottom of the page, click Details.
4. Review the incident details.
5. Click the Events tab to view the events that triggered this incident.
6. Review the Source, Target, and Detail for the incident.

This incident was generated because the administrator of FGT_Aviation logged in from a public network. The
source IP address 100.64.1.10 is a public IP address and is not part of the private network group on
FortiSIEM.

7. Log out of the Supervisor FortiSIEM management GUI.

Lab 7: Configuration of Multipattern Security Rules

In this lab, you will build a multipattern rule to detect events where a user successfully authenticates to a VPN, and
then successfully performs RDP authentication, using LDAP accounts not in a specific service accounts group,
over a one hour time period.

Objectives
• Review a multisubpattern rule
• Build a multisubpattern rule from an analytics search
• Trigger an incident for the multisubpattern rule

Time to Complete
Estimated: 30 minutes

Exercise 1: Reviewing a VPN Login Event

In this exercise, you will review an LDAP user group, and create a VPN IP pool. Then, you will log in to the SSL
VPN, and study the attributes that you will use to create the subpattern.

Review the LDAP Users

You will review the LDAP users that were imported from the Active Directory server.

To review the LDAP users


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click the Change Organization View icon, and in the drop-down list, select Change Organization View.

5. Select Switch to Organization, and in the drop-down list, select Aviation.


6. Click Change View.
7. Click CMDB.
8. In the left navigation pane, expand Users > DC=Aviation,DC=lab.
You will see all the user groups from the LDAP server that you discovered in a previous lab.


9. In the left navigation pane, click OU=Service Accounts,DC=aviation,DC=lab.


The svcldap account is an LDAP service account.

10. In the left navigation pane, click OU=VPN Users,DC=aviation,DC=lab.


These are the users who belong to the VPN users group.

Create a VPN Pool

Now, you will create a VPN pool, where you will specify the IP range for the VPN network.

To create a VPN pool


1. Continuing on the FortiSIEM management GUI, click RESOURCES.
2. Click Networks > VPN Pool.
3. Click VPN Pool.
4. Click New.
5. Configure the following values:

Field Value

Name SSL_VPN_Pool

Low 10.212.134.1

High 10.212.134.254

Mask 24

6. Click Save.

To run a real-time search for the SSL tunnel


1. Continuing on the FortiSIEM management GUI, click ANALYTICS.
2. Click the Edit Filters and Time Range field.
3. In the Filter section, select Event Attribute, and configure the following values:

Attribute Operator Value Next

Reporting IP = 10.0.3.254 AND

Event Type = FortiGate-ssl-vpn-session-tunnel-up

4. In the Time section, select Real Time.


Your configuration should match the following example:

5. Click Apply & Run.

Connect to the SSL VPN

Now, you will establish an SSL VPN connection to FortiGate.

To connect to the SSL VPN


1. Go to the Local-Host VM.
2. Open FortiClient from the task bar.


If the system prompts for a password to run FortiClient, enter password.

3. Connect to the Aviation organization through SSL VPN with the following credentials:

Field Value

VPN Name SSL_VPN_Aviation

User Sarah

Password password

4. Click Connect.
5. Click Continue.

Analyze the SSL VPN Event

Now, you will analyze the SSL VPN event on FortiSIEM, and note the relevant attributes that will be used for
constructing a subpattern.

To analyze the SSL VPN event


1. Return to the FortiSIEM management GUI, and on the ANALYTICS page, click Stop.

2. Select the event, and then click the arrow icon ( ) in the Raw Event Log column.
The Event Details window opens.

Notice that the internal IP address assigned to the user is presented by the Post-NAT Source IP attribute.


Based on the observations that you made in this exercise, you will need the following
attributes to build a template for the first rule subpattern to track a successful SSL
VPN login:

Attribute Value

Event Type FortiGate-ssl-vpn-session-tunnel-up

User Any

Post-NAT Source IP Any

3. Close the Event Details dialog box.


4. Log out of the Supervisor FortiSIEM management GUI.

Do not disconnect the SSL VPN connection.

Exercise 2: Reviewing an RDP Event

In this exercise, you will review an RDP logon event.

Run a Real-Time Analytics Search

Now, you will run a real-time analytics search for Windows security events being reported by the Win-Agent
Windows server. After that, you will establish an RDP connection to the Windows server, and that will generate a
Windows logon security log, which will be forwarded to FortiSIEM by the Windows agent.

To run a real-time analytics search


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click the Change Organization View icon, and in the drop-down list, select Change Organization View.

5. Select Switch to Organization, and in the drop-down list, select Aviation.


6. Click Change View.
7. Click ANALYTICS.
8. Click the Edit Filters and Time Range field.
9. In the Filter section, select Attribute, and configure the following values:

Attribute Operator Value Next

Reporting IP = 10.0.3.10 AND

Event Type = Win-Security-4624 AND

Win Logon Type = 10

10. In the Time section, select Real Time.
Your configuration should match the following example:

11. Click Apply & Run.

To establish an RDP connection to Win-Agent


1. Go to the Local-Host VM.
2. Open Remmina from the task bar.

3. Double-click Server_2016_Sarah.
This is a bookmark for an RDP session for 10.0.3.10.

4. If the bookmark prompts for credentials, enter the following:

Field Value

User name SARAH

Password password

Domain Aviation

5. Accept any certificate warnings.


The RDP connection to the Win-Agent VM opens.

6. Close the RDP session.

Analyze an RDP Event

Now, you will analyze the RDP event on FortiSIEM and note the relevant attributes that will be used for
constructing a subpattern. After that, you will disconnect the VPN.

To analyze an RDP event


1. Return to the Supervisor FortiSIEM management GUI, and on the ANALYTICS page, click Stop.

2. Select and review the event that was received for a successful RDP logon.
3. Enable Show Event Type.
4. Select the Win-Security-4624 event, and click the arrow icon ( ) in the Raw Event Log column.
The Event Details window opens.

Notice this event contains the server IP address (Destination IP), the user who logged in (User), the source
IP address of the user (Source IP), and the logon type code (Win Logon Type) which indicates that it is an
RDP logon.

Based on the observations that you made in this exercise, you will need the following
attributes to build a template for the second rule subpattern to track the RDP logon:

Attribute Value

Event Type Win-Security-4624

Destination IP 10.0.3.10

Win Logon Type 10

The user account Sarah is a member of the VPN Users group and the source IP
address is from the SSL_VPN_Pool pool. These two conditions will be the factors that
will trigger the rule. The rule will track users who are not supposed to access the
server using RDP.

5. Close the Event Details window.


6. Log out of the Supervisor FortiSIEM management GUI.
7. Return to the Local-Host VM, and on the FortiClient SSLVPN client, click Stop.
8. Close FortiClient.
9. Close the Local-Host VM browser tab.

Exercise 3: Building a Multipattern Rule

In this exercise, you will build the rule using the two subpatterns that you analyzed in the previous two exercises.

Create a New Multipattern Rule

In the previous two exercises of this lab, you obtained relevant information for building a subpattern. Now, you will
use that information to create a multipattern rule.

FortiSIEM supports rules with multiple subpatterns. These cover conditions where two patterns might need to
occur within a specific time period, or one of a selection of patterns needs to occur to prove an incident condition
exists.

To build a new multipattern rule


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click the Change Organization View icon, and in the drop-down list, select Change Organization View.

5. Select Switch to Organization, and in the drop-down list, select Aviation.


6. Click Change View.
7. Click RESOURCES.
8. In the left navigation pane, expand Rules > Security.
9. Click New.
10. In Step 1: General, enter the following values:

Field Value

Rule Name Successful RDP Logon from VPN Pool for Disallowed User

Description Detects RDP Logon to AD Server from VPN Pool for Disallowed Users

11. Click Step 2: Define Condition.


12. In the time window field, type 3600.
13. Click the pencil icon ( ) to edit the Subpattern.
14. In the Name field, type SSL_VPN_Logon.
15. Configure the following Filter:

Attribute Operator Value Next

Event Type = FortiGate-ssl-vpn-session-tunnel-up AND

16. Configure the following Aggregate function:

Attribute Operator Value Next

COUNT(Matched Events) >= 1 AND

To configure Aggregate functions, use the Expression Builder, which is available
when you click the Attribute field in the Aggregate section.

1. Select Function from the drop-down list.
2. Add the Function to the expression.
3. Select the Event Attribute.
4. Add the Event Attribute to the expression.
5. Click Validate, and ensure the expression is valid.
6. Finally, click OK when the expression is ready.

17. Add the following Group By attributes:


• User
• Post-NAT Source IP
Your configuration should match the following example:


18. Click Save.


19. In the Next column, in the drop-down list, select FOLLOWED_BY.
20. Click the add icon ( ) to add a new subpattern.
21. In the Name field, type RDP_Logon.
22. Configure the following Filters:

Attribute Operator Value Next

Event Type = Win-Security-4624 AND

Win Logon Type = 10 AND

User NOT IN Select from CMDB AND

Expand Users > DC=Aviation,DC=lab.

Select OU=Service Accounts,DC=Aviation,DC=lab.

Click the add folder icon ( ), and then click OK.

Destination IP = 10.0.3.10 AND

Source IP IN Select from CMDB AND

Expand Networks, and then select VPN Pool.

Click the add folder icon ( ), and then click OK.

23. Enter the following Aggregate function:

Attribute Operator Value Next

COUNT(Matched Events) >= 1 AND

To configure Aggregate functions, use the Expression Builder, which is available when you
click the Attribute field in the Aggregate section.
1. Select Function from the drop-down list.
2. Add the Function to the expression.
3. Select the Event Attribute.
4. Add the Event Attribute to the expression.
5. Click Validate, and ensure the expression is valid.
6. Finally, click OK when the expression is ready.

24. Add the following Group By attributes:


• User
• Source IP
Your configuration should match the following example:

25. Click Save.


26. Configure the following subpattern relationships:

Subpattern Attribute Operator Subpattern Attribute

SSL_VPN_Logon User = RDP_Logon User

SSL_VPN_Logon Post-NAT Source IP = RDP_Logon Source IP

Your configuration should match the following example:

27. Click Step 3: Define Action.


28. Configure the following values:

Field Value

Severity 9-HIGH

Category Security

Subcategory Suspicious Activity

Technique [T1564.002] Hide Artifacts: Hidden Users

29. Click the pencil icon ( ) to edit the Action setting.


30. Configure the following Incident Attributes:

Event Attribute Subpattern Filter Attribute

Source IP SSL_VPN_Logon Post-NAT Source IP

User SSL_VPN_Logon User

In this case, using the attributes from either subpattern gives the same result, because the subpattern relationships equate them.

31. Add the following Triggered Attributes:

• User
• Source IP
32. Use the move icons (˄ or ˅) to rearrange the attributes to match the following example:

33. Click Save.


34. Click Save.
35. Click the checkbox to activate your custom rule.

36. Click Continue.
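As an added example (not FortiSIEM code and not part of the lab), the following Python script implements the same FOLLOWED_BY correlation that the rule built above expresses, run over a handful of constructed events. The attribute names (eventType, user, postNatSrcIpAddr, srcIpAddr, destIpAddr, winLogonType, recvTime) are assumed short forms of the FortiSIEM attributes used in the lab; the service-accounts set and the VPN pool are constructed stand-ins for the CMDB objects the rule selects.

```python
"""Added example (not FortiSIEM code): minimal FOLLOWED_BY correlation for the
multipattern rule built in the lab, run over constructed events."""
from ipaddress import ip_address, ip_network

WINDOW_SECONDS = 3600                        # time window entered in Step 12
AD_SERVER = "10.0.3.10"                      # Destination IP filter of RDP_Logon
SERVICE_ACCOUNTS = {"svcldap"}               # stand-in for OU=Service Accounts (constructed)
VPN_POOL = [ip_network("10.212.134.0/24")]   # stand-in for SSL_VPN_Pool (10.212.134.1-254, /24)

T0 = 1_700_000_000   # constructed base receive time (epoch seconds)

# Constructed events using assumed short attribute names.
EVENTS = [
    # Sarah: tunnel-up, then RDP to the AD server 38 s later -> incident
    {"recvTime": T0, "eventType": "FortiGate-ssl-vpn-session-tunnel-up",
     "user": "Sarah", "postNatSrcIpAddr": "10.212.134.1"},
    {"recvTime": T0 + 38, "eventType": "Win-Security-4624", "winLogonType": 10,
     "user": "SARAH", "srcIpAddr": "10.212.134.1", "destIpAddr": AD_SERVER},
    # svcldap: same sequence, but excluded by "User NOT IN Service Accounts"
    {"recvTime": T0 + 60, "eventType": "FortiGate-ssl-vpn-session-tunnel-up",
     "user": "svcldap", "postNatSrcIpAddr": "10.212.134.2"},
    {"recvTime": T0 + 70, "eventType": "Win-Security-4624", "winLogonType": 10,
     "user": "svcldap", "srcIpAddr": "10.212.134.2", "destIpAddr": AD_SERVER},
    # Bob: RDP from the LAN, not from the VPN pool
    {"recvTime": T0 + 90, "eventType": "Win-Security-4624", "winLogonType": 10,
     "user": "Bob", "srcIpAddr": "10.0.1.50", "destIpAddr": AD_SERVER},
    # Ann: RDP event arrives before her tunnel-up, so FOLLOWED_BY is not met
    {"recvTime": T0 + 100, "eventType": "Win-Security-4624", "winLogonType": 10,
     "user": "Ann", "srcIpAddr": "10.212.134.4", "destIpAddr": AD_SERVER},
    {"recvTime": T0 + 120, "eventType": "FortiGate-ssl-vpn-session-tunnel-up",
     "user": "Ann", "postNatSrcIpAddr": "10.212.134.4"},
    # Tom: RDP 3601 s after tunnel-up, outside the 3600 s window
    {"recvTime": T0 + 200, "eventType": "FortiGate-ssl-vpn-session-tunnel-up",
     "user": "Tom", "postNatSrcIpAddr": "10.212.134.3"},
    {"recvTime": T0 + 3801, "eventType": "Win-Security-4624", "winLogonType": 10,
     "user": "Tom", "srcIpAddr": "10.212.134.3", "destIpAddr": AD_SERVER},
]


def in_vpn_pool(ip: str) -> bool:
    """Source IP IN Networks > VPN Pool."""
    addr = ip_address(ip)
    return any(addr in net for net in VPN_POOL)


def is_ssl_vpn_logon(ev: dict) -> bool:
    """Subpattern SSL_VPN_Logon: a FortiGate SSL VPN tunnel came up."""
    return ev.get("eventType") == "FortiGate-ssl-vpn-session-tunnel-up"


def is_rdp_logon(ev: dict) -> bool:
    """Subpattern RDP_Logon: successful logon (4624) of RDP type (10) by a user
    outside the service-accounts OU, against the AD server, from the VPN pool."""
    return (
        ev.get("eventType") == "Win-Security-4624"
        and ev.get("winLogonType") == 10
        and ev.get("user", "").lower() not in SERVICE_ACCOUNTS
        and ev.get("destIpAddr") == AD_SERVER
        and in_vpn_pool(ev.get("srcIpAddr", "0.0.0.0"))
    )


def correlate(events: list) -> list:
    """Return one incident per (User, IP) key for which an SSL_VPN_Logon match is
    FOLLOWED_BY an RDP_Logon match within WINDOW_SECONDS, joined on
    SSL_VPN_Logon.User = RDP_Logon.User and
    SSL_VPN_Logon.Post-NAT Source IP = RDP_Logon.Source IP.
    Users are compared case-insensitively because the VPN log says "Sarah" and
    the Windows logon says "SARAH" (this example's choice, not a FortiSIEM rule)."""
    open_vpn = {}      # (user, tunnel IP) -> (receive time, user) of the first tunnel-up
    incidents = []
    for ev in sorted(events, key=lambda e: e["recvTime"]):
        if is_ssl_vpn_logon(ev):
            key = (ev["user"].lower(), ev["postNatSrcIpAddr"])
            open_vpn.setdefault(key, (ev["recvTime"], ev["user"]))
        elif is_rdp_logon(ev):
            key = (ev["user"].lower(), ev["srcIpAddr"])
            started, vpn_user = open_vpn.get(key, (None, None))
            # FOLLOWED_BY: the VPN event must precede the RDP event, within the window
            if started is not None and 0 <= ev["recvTime"] - started <= WINDOW_SECONDS:
                incidents.append({
                    "rule": "Successful RDP Logon from VPN Pool for Disallowed User",
                    "user": vpn_user, "srcIpAddr": key[1],       # Incident Attributes, Step 30
                    "vpnRecvTime": started, "rdpRecvTime": ev["recvTime"],
                })
                del open_vpn[key]                                  # one incident per tunnel
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc)
```

Running correlate(EVENTS) returns a single incident for Sarah: her tunnel-up precedes her RDP logon by 38 seconds, while the service account, the logon from outside the pool, the RDP logon that arrives before its VPN event, and the logon outside the 3600 second window all stay silent. FortiSIEM evaluates the COUNT(Matched Events) >= 1 aggregate per Group By key; in this example the first qualifying event per key satisfies it.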

Establish an RDP Connection over SSL VPN

Now, you will establish an SSL VPN connection, and then connect over RDP to the Windows server, over the VPN
tunnel.

To connect to SSL VPN


1. Go to the Local-Host VM.
2. Open FortiClient from the task bar.
3. Connect to the Aviation organization through SSL VPN with the following credentials:

Field Value

VPN Name SSL_VPN_Aviation

User Sarah

Password password

4. Click Connect.
5. Click Continue.

To establish an RDP connection to Win-Agent


1. Continuing on the Local-Host VM, open Remmina from the task bar.

2. Double-click Server_2016_Sarah.
This is a bookmark for an RDP session for 10.0.3.10.

3. If the bookmark prompts for credentials then enter the following credentials:

Field Value

User name SARAH

Password password

Domain Aviation

4. Accept any certificate warnings.


The RDP connection to the Win-Agent VM opens.

5. Close the RDP session, and then close Remmina.


6. Disconnect the VPN, and then close FortiClient.
7. Close the Local-Host VM browser tab.

Review the Incident

Now, you will review the incident that was generated by the rule you created to track successful RDP logons from
the VPN pool for disallowed users.

To review the incident


1. Return to the Supervisor FortiSIEM management GUI, and click Incidents.
2. Find the Security widget, and then click High.
It may take a few minutes for the incident to show up.

3. Select the Successful RDP Logon from VPN Pool for Disallowed Users incident, and then click Details.
4. Click Events.
5. In the Subpattern drop-down list, select SSL_VPN_Logon.
Note the Event Receive Time.

6. In the Subpattern drop-down list, select RDP_Logon.


Note the Event Receive Time.

In the examples shown here, the event receive time for the SSL VPN tunnel occurred
38 seconds before the RDP logon event. This satisfies the FOLLOWED_BY condition in the
rule, which states that the VPN logon event must occur before the RDP logon event.

7. Log out of the Supervisor FortiSIEM management GUI.

Lab 8: Baseline Theory

In this lab, you will explore the baselining features on FortiSIEM, and create your own baseline profile.

Objectives
• Review baseline reports
• Review baseline rules
• Determine what you need to baseline
• Create a baseline with the BaselineMate script
• Verify that the baseline report has been applied
• View data in the daily DB and profile DB

Time to Complete
Estimated: 50 minutes

Exercise 1: Reviewing Baseline Reports and Rules

In this exercise, you will review the baseline reports and rules.

Review Baseline Reports

You will review the out-of-the-box baseline reports, and understand the anomaly detection baseline feature on
those reports.

To review baseline reports


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click RESOURCES.
5. In the left navigation pane, click Reports > Baseline.
6. Review the following anomaly detection baseline reports. Select each report, and then click Edit.
• Privileged Logon Profile
• STM Response Time Profile
• Failed User Logon Profile
• Successful Device Logon Profile
• Reported Error Log Profile
• DNS Request Profile
For each report, review the Event Type that it's referencing. Click Cancel after you're done.

7. In the left navigation pane, click Event Status.


8. Select All FortiSIEM Non-reporting Modules, and then click Edit.

Notice that the Anomaly Detection Baseline setting has been deselected for this
report. This is a special flag to indicate to the system where the data will be queried
from. This is the major difference between a baseline report and an ordinary report.

9. Click Cancel.

Review Baseline Rules

There are several out-of-the-box rules that refer to baseline data to compute aggregate conditions and generate
incidents. The rule names start with the term Sudden. You will review one of these baseline rules.

To review baseline rules


1. Continuing on the RESOURCES tab, in the left navigation pane, expand Rules.
2. In the left pane, select and expand Rules.
3. Click the search icon ( ), and in the drop-down list, deselect Description.

4. In the search field, type sudden.


Review the list of baseline rules that appear in the filtered list.

5. Select Sudden Increase In Firewall Connections, and then click Edit.


6. Click Step 2: Define Condition.
7. Click the pencil icon ( ) to edit the Subpattern.
Review the rule construction.

8. Click one of the Aggregate condition fields, and in the drop-down list, select Expression Builder.

The Expression Builder opens.

9. Review the full expression, and try to determine what it means.

The rule detects a sudden increase in permitted firewall connections when, over a 30-minute
window, the number of current firewall connections is more than three standard deviations
away from the mean.

For the statistical average and standard deviation rule functions, the format is the
name, followed by the aggregation, attribute, and profile ID arguments.

The statistical average is the moving average value of AVG(Firewall Session) from
profile 112 in the profile database.
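To make the expression concrete, here is an added Python example (not FortiSIEM code) of the comparison the rule performs. The per-hour history it baselines from is constructed; in FortiSIEM the statistical average and standard deviation for profile 112 are read from the profile DB. The min_sdev floor is this example's own addition, not a FortiSIEM rule option.

```python
"""Added example (not FortiSIEM code): the arithmetic behind a "Sudden Increase"
baseline rule, using a constructed per-hour history in place of the profile DB."""
from statistics import mean, pstdev

PROFILE_ID = 112          # profile referenced by the lab rule
SIGMA_THRESHOLD = 3.0     # "more than three standard deviations away from the mean"

# Constructed history: {hour of day: [AVG(Firewall Session) observed on past days]}
HISTORY = {
    9: [120, 130, 125, 128, 122, 127, 124],
    14: [300, 310, 305, 295, 300, 310, 305],
    3: [50, 50, 50],              # flat history: standard deviation 0
}


def build_profile(history: dict) -> dict:
    """Per-hour moving average and standard deviation, as the profile DB would hold
    them for PROFILE_ID (here computed from the constructed history)."""
    return {h: {"stat_avg": mean(v), "stat_sdev": pstdev(v)} for h, v in history.items()}


def window_average(session_counts: list) -> float:
    """AVG(Firewall Session) over the samples in the current 30-minute window."""
    return mean(session_counts)


def sudden_increase(current: float, hour: int, profile: dict,
                    k: float = SIGMA_THRESHOLD, min_sdev: float = 0.0) -> bool:
    """True when the current window's value is more than k standard deviations above
    that hour's baseline mean. min_sdev is a floor added in this example: a profile
    built from a single day (or a flat history) has sdev 0, so without a floor any
    value above the mean would fire."""
    base = profile[hour]
    sdev = max(base["stat_sdev"], min_sdev)
    return current > base["stat_avg"] + k * sdev


if __name__ == "__main__":
    prof = build_profile(HISTORY)
    print(f"09:00 baseline: {prof[9]}, 150 sessions -> {sudden_increase(150, 9, prof)}")
    print(f"03:00 baseline: {prof[3]}, 51 sessions -> {sudden_increase(51, 3, prof)}")
```

With the constructed history, the 09:00 baseline is roughly 125 with a standard deviation near 3.2, so a window averaging 150 sessions fires and one averaging 130 does not. The flat 03:00 history shows the single-data-point problem the lab meets later: with sdev 0, 51 sessions already exceed the threshold until a floor is applied.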

10. Click Cancel.


11. Click Cancel.
12. Log out of the Supervisor FortiSIEM management GUI.

Exercise 2: Determining What to Baseline

In this exercise, you will determine the parameters required to baseline a profile.

Determine Parameters to Baseline

You will determine the parameters that require a baseline, and run a script to generate USB write events.

To disable the Windows Server USB File Write rule


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click RESOURCES.
5. In the left pane, expand Rules.
6. In the search field, type Windows Server USB File Write.
7. Deselect the Active checkbox.
The Set Activation Scope window opens.

8. Deselect All Orgs.


9. Deselect Active.


10. Click Save.

To run a script to replay USB events


1. Go to the Local-Host VM.
2. Open a terminal window (Ctrl + Alt + T).
3. Type the following command to change the working directory:
cd Desktop/Resource/Lab/lab8/8_2
4. Type the following command to start the script:
sudo ./runLab8_2.sh

5. Type the password password.


6. Type 1, and then press Enter.
Wait for the All Done! message.

7. Type 2, and then press Enter to exit the script.


8. Close the terminal window.
9. Close the Local-Host VM browser tab.

To identify parameters for baseline


1. Return to the Supervisor FortiSIEM management GUI, and click ANALYTICS.
2. Click the Edit Filters And Time Range field.

3. In the Filter section, click Event Attribute.
4. Configure the following attributes:

Attribute Operator Value Next

Reporting IP IN 10.0.1.1,10.0.1.5,10.0.1.9 AND

Event Type = AO-WUA-RemovableMedia-AddFile

5. Set the time to 40 minutes.


6. Click Apply.
7. Click the Change Display Fields icon ( ).
8. Configure the following Group By and Display Fields. Leave all Order and Display As fields empty:
• Reporting IP
• Reporting Device
• Disk Name
• Disk Model
• User
• COUNT(Matched Events)
• COUNT DISTINCT(File Name)
9. Configure the following Display Conditions:
• COUNT(Matched Events) >= 1
• COUNT DISTINCT(File Name) >= 1
Your configuration should match the following example:

10. Click Apply & Run.

Notice there are three servers that reported USB write events, with a total of 10 events. You should see that
the results are ordered by the COUNT DISTINCT(File Name) values.

11. Log out of the Supervisor FortiSIEM management GUI.

Exercise 3: Creating a Baseline With the BaselineMate
Script

In this exercise, you will create a baseline with the BaselineMate script.

Define an Event

When you create a new baseline for device logs, you must add a new event type to FortiSIEM so that the log
events can be identified.

To define an event
1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click ADMIN.
5. Click Device Support > Event Types.
6. Click New.
7. Configure the following values:

Field Value

Event Type PH_PROF_ET_175_USB

Device Type Fortinet FortiSIEM

Event Type Group Info

Severity 1 - LOW

Your configuration should match the following example:


8. Click Save.
9. Select the event, and then click Apply.
10. Click Yes, to save the changes.

Run the BaselineMate Script from Supervisor

Now, you will create a baseline profile report using a script. The script will also warn you about the missing event
attributes that you will add using the GUI.

To run the BaselineMate script from Supervisor


1. Go to the Local-Host VM.
2. Open a terminal window (Ctrl + Alt + T).
3. Type the following command to open an SSH connection to the FortiSIEM supervisor:
ssh [email protected]
4. Type the password Fortinet1!.
5. Type the following command to change the working directory:
cd Lab/lab8/8_3
6. Type the following command to start the script:
./baselineMate.sh


7. Type 1, and then press Enter.


8. Type 2, and then press Enter.
9. Type 175 for the Profile ID, and then press Enter.
10. Type PH_PROF_ET_175_USB for the Profile EventType, and then press Enter.
11. Type yes, and then press Enter.
12. Type 1000 for the number of rows, and then press Enter.
The Profile Report definition is displayed.

Review the definition and verify that SelectClause, OrderByClause, SingleEvtConstr, and GroupByAttr
are listed.

13. Type y, and then press Enter.


The script displays a three-step menu.

14. Type 1, and then press Enter to deploy the New Profile Report.
The phReportWorker and phReportMaster processes are restarted.


15. Type 2 to initiate a check for required attributes.


A warning is displayed.

Do not close the terminal window. Leave it running in the background, and you will
come back to it later.

16. Return to the Supervisor FortiSIEM management GUI, and click Event Attribute.
17. Click New.
18. Configure the following attributes:

Name Display Name Value Type

minDistinctFileName Min Distinct File Name UINT64

maxDistinctFileName Max Distinct File Name UINT64

avgDistinctFileName Avg Distinct File Name DOUBLE

sdevDistinctFileName Std Dev Distinct File Name DOUBLE

Your configuration should match the following example:


19. Click Apply.

20. Click Yes.


21. Return to the Local-Host VM, and in the terminal window, type y and press Enter.
22. Type 3 to create a baseline report.
23. For the profile name, type USB Write Profile, and then press Enter.
The baseline report is displayed.

24. Type yes, and then press Enter.


Wait for the upload to finish.

25. Close the terminal window.


26. Close the Local-Host VM browser tab.

To view the baseline report
1. Return to the FortiSIEM GUI, and click RESOURCES.
2. In the left navigation pane, expand Reports, and then click Baseline.
3. In the Global drop-down list, select Super/Local.

The baseline report was created for the super organization. You can see this in the customer ID, which is set
to 1. This means that this report is for those assets that belong to the super organization.

4. In the search field, type USB Write Profile.


5. Select USB Write Profile, and then click Run.
No report results found is displayed.

This is expected behavior since this baseline report reads from the profile DB, which only updates at midnight
and currently contains no data.

6. Log out of the Supervisor FortiSIEM management GUI.

Exercise 4: Verifying the Baseline Report

In this exercise, you will verify the baseline report.

Verify the Baseline Report

Now, you will verify the baseline report that you created in the previous exercise. You will also view the profile
table that was created in the daily DB.

To verify the baseline report


1. Go to the Local-Host VM.
2. Open a terminal window (Ctrl + Alt + T).
3. Type the following command to open an SSH connection to the FortiSIEM supervisor:
ssh [email protected]
4. Type the password Fortinet1!.
5. Type the following command:
cat /opt/phoenix/data-definition/profile/ProfileReports.xml
The new profile report is displayed.

6. Type the following commands to see the profile table that was created in the daily DB:
sqlite3 /opt/phoenix/cache/daily.db
.tables
You should see a profile table for profile_175.


7. Type the following command to quit the SQLite prompt:
.quit
Leave the SSH session running in the background. You will return to it later.

Run the Script to Replay USB Events

Now, you will run the script to replay USB events.

To run the script to replay USB events


1. On the Local-Host VM, open another terminal window (Ctrl + Alt + T).
2. Type the following command to change the working directory:
cd Desktop/Resource/Lab/lab8/8_4
3. Type the following command to run the script:
sudo ./runLab8_4.sh

4. Type the password password.


Wait for the All Done! message.

Update the Daily and Profile Databases

The daily database values are merged into the profile database at midnight, and the daily database is then
purged to prepare for the next day's values. Because the daily database is written hourly and merged only at
midnight, you would otherwise have to wait for that cycle, so you will simulate the process by running a script
that injects data into the daily and profile databases.
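As an added example (not FortiSIEM code, and not the lab's updateDailydb.sh or updateProfiledb.sh scripts), the following Python script shows one way the midnight step can fold hourly daily-DB rows into a running per-hour profile, using an in-memory SQLite database so it runs offline. The two table layouts are constructed for this example and are not FortiSIEM's actual profile_175 schema; the statistic columns reuse the event attribute names defined in the previous exercise (minDistinctFileName, maxDistinctFileName, avgDistinctFileName, sdevDistinctFileName). The sample rows for 10.0.1.1 and Jimmy.Jones are constructed.

```python
"""Added example (not FortiSIEM code): fold hourly daily-DB rows into a running
per-hour profile, the way a midnight merge would, with a constructed schema."""
import math
import sqlite3

# Hourly aggregates written during the day (the role of daily.db in the lab).
DAILY_SCHEMA = """
CREATE TABLE IF NOT EXISTS daily_profile_175 (
    reporting_ip TEXT NOT NULL, user TEXT NOT NULL, hour INTEGER NOT NULL,
    matched_events INTEGER NOT NULL, distinct_file_names INTEGER NOT NULL
)"""

# Running statistics across days (the role of the profile DB). The sum and
# sum of squares let the average and deviation be updated without re-reading
# past days.
PROFILE_SCHEMA = """
CREATE TABLE IF NOT EXISTS profile_175 (
    reporting_ip TEXT NOT NULL, user TEXT NOT NULL, hour INTEGER NOT NULL,
    days INTEGER NOT NULL, sum_distinct REAL NOT NULL, sumsq_distinct REAL NOT NULL,
    minDistinctFileName INTEGER NOT NULL, maxDistinctFileName INTEGER NOT NULL,
    avgDistinctFileName REAL NOT NULL, sdevDistinctFileName REAL NOT NULL,
    PRIMARY KEY (reporting_ip, user, hour)
)"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(DAILY_SCHEMA)
    conn.execute(PROFILE_SCHEMA)
    return conn


def record_hourly(conn, reporting_ip, user, hour, matched_events, distinct_files):
    """Store one hour's COUNT(Matched Events) and COUNT DISTINCT(File Name)."""
    conn.execute("INSERT INTO daily_profile_175 VALUES (?, ?, ?, ?, ?)",
                 (reporting_ip, user, hour, matched_events, distinct_files))


def merge_daily_into_profile(conn) -> int:
    """Fold every daily row into the profile (the midnight step), then purge the
    daily table. Returns the number of daily rows merged. Statistics are kept for
    distinct file names only; matched events would be handled the same way."""
    rows = conn.execute(
        "SELECT reporting_ip, user, hour, distinct_file_names FROM daily_profile_175"
    ).fetchall()
    for ip, user, hour, x in rows:
        cur = conn.execute(
            "SELECT days, sum_distinct, sumsq_distinct, minDistinctFileName, "
            "maxDistinctFileName FROM profile_175 "
            "WHERE reporting_ip = ? AND user = ? AND hour = ?", (ip, user, hour)
        ).fetchone()
        if cur is None:
            days, total, total_sq, lo, hi = 0, 0.0, 0.0, x, x
        else:
            days, total, total_sq, lo, hi = cur
            lo, hi = min(lo, x), max(hi, x)
        days += 1
        total += x
        total_sq += x * x
        avg = total / days
        # population standard deviation from running sums; clamp rounding noise
        sdev = math.sqrt(max(total_sq / days - avg * avg, 0.0))
        conn.execute(
            "INSERT OR REPLACE INTO profile_175 VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
            (ip, user, hour, days, total, total_sq, lo, hi, avg, sdev))
    conn.execute("DELETE FROM daily_profile_175")   # purge for the next day
    conn.commit()
    return len(rows)


def get_profile(conn, reporting_ip, user, hour):
    """Return the stored statistics for one (device, user, hour) key, or None."""
    row = conn.execute(
        "SELECT days, minDistinctFileName, maxDistinctFileName, avgDistinctFileName, "
        "sdevDistinctFileName FROM profile_175 "
        "WHERE reporting_ip = ? AND user = ? AND hour = ?", (reporting_ip, user, hour)
    ).fetchone()
    return None if row is None else dict(zip(("days", "min", "max", "avg", "sdev"), row))


def demo():
    """Two simulated days for reporting IP 10.0.1.1 and Jimmy.Jones at 10:00 (constructed)."""
    conn = open_db()
    record_hourly(conn, "10.0.1.1", "Jimmy.Jones", 10, 4, 4)
    merge_daily_into_profile(conn)            # after day 1: one data point, sdev 0
    record_hourly(conn, "10.0.1.1", "Jimmy.Jones", 10, 9, 8)
    merge_daily_into_profile(conn)            # after day 2: avg 6, sdev 2
    return get_profile(conn, "10.0.1.1", "Jimmy.Jones", 10)


if __name__ == "__main__":
    print(demo())
```

After the first merge the profile holds a single day, so the standard deviation is 0, which is the same effect the lab points out when it plots the baseline chart from one data point; the second day gives min 4, max 8, avg 6 and sdev 2. Each merge also empties the daily table, mirroring the purge described above.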

To update the daily database from Supervisor
1. Return to the terminal window connected to the FortiSIEM supervisor, and type the following command to change
the working directory:
cd Lab/lab8/8_4
2. Type the following command to run the script:
./updateDailydb.sh

Wait for the All Done! message.

3. Type the following commands to query the daily DB for stored data:
sqlite3 /opt/phoenix/cache/daily.db
.headers on
select * from profile_175;
The table data is displayed.

4. Review the data.


5. Type the following command to exit SQLite:
.quit

To update the profile database from Supervisor


1. Continuing on the terminal window connected to the FortiSIEM supervisor, type the following command:
./updateProfiledb.sh

This script simulates the daily DB data being merged at midnight with the profile DB. Wait for the All Done!
message.

2. Type exit to quit the SSH session.


3. Close the terminal windows.
4. Close the Local-Host VM browser tab.

Run the Baseline Report

Now that the data is available in the profile database, you can run a baseline report to view the baseline data
values that are calculated and stored in the profile database.

To run the baseline report


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click RESOURCES.
4. In the Global drop-down list, select Super/Local.

5. In the left navigation pane, expand Reports, and then click Baseline.
6. Select the USB Write Profile report, and then click Run.
Your output should match the following example:

7. Select one of the ServerA rows.


8. Click the down arrow icon ( ) in the Reporting Device column, and in the drop-down list, select Add To Filter.

9. Select =.

10. Find the user Jimmy.Jones, click the down arrow icon ( ) in the User column, and in the drop-down list, select
Add To Filter.
11. Select =.

12. Click Run.


The filtered results are displayed.

13. Select any of the Reporting IP addresses, click the down arrow icon ( ), and then select Visualize.


The baseline chart is displayed.

Since there is only one data point so far, the standard deviation values are 0, so not all values are plotted. You
can see only the Average Distinct File Names and Average Matched Events for each hour of the day for
ServerA and the user Jimmy.Jones.

14. Click Close.


15. Log out of the Supervisor FortiSIEM management GUI.

Lab 9: Configuration of Baseline Rules

In this lab, you will create a baseline rule.

Objectives
• Prepare FortiSIEM for a baseline rule
• Build a baseline rule
• Trigger the new baseline rule

Time to Complete
Estimated: 30 minutes

Exercise 1: Building a Baseline Rule

In this exercise, you will build a new baseline rule to detect if there is an anomaly in the number of distinct
filenames being written to USB by the same user.

Build a Baseline Rule

Now, you will create a new baseline rule to detect if there is an anomaly in the number of distinct filenames being
written to USB by the same user. You will create aggregation conditions to analyze if a distinct filename is more
than three standard deviations away from the mean for the current hour.

To build a baseline rule


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOGIN.
4. Click RESOURCES.
5. In the Global drop-down list, select Super/Local.

6. In the left navigation pane, click Rules.


7. Click the plus icon ( ) to add a new rules group.


8. In the Group field, type Lab Rule.


9. Click Save.
10. In the left navigation pane, expand Rules, and then click Lab Rule.
11. Click New.

12. In the Rule Name field, type Sudden Increase in File Transfers to USB.
13. In the Description field, type Detects an anomaly in the number of distinct filenames being
written to USB by the same user if more than 3 standard deviations away from the
mean for the current hour.
14. Click Step 2: Define Condition.
15. Click the pencil icon ( ) to edit the Subpattern.
16. Configure the following Filters:

Attribute Operator Value Next

Event Type = AO-WUA-RemovableMedia-AddFile AND

Reporting IP IN 10.0.1.1,10.0.1.5,10.0.1.9

17. Configure the following Group By attributes:
• Reporting IP
• Reporting Device
• Disk Name
• Disk Model
• User
Leave the rule editor open.

18. Go to the Local-Host VM.


19. Open a terminal window (Ctrl + Alt + T).
20. Type the following command to open an SSH connection to the FortiSIEM supervisor:
ssh [email protected]
21. Type the password Fortinet1!.
22. Type the following command to change the working directory:
cd /root/Lab/lab9/9_1
23. Type the following command to run the helper script:
./baselineRuleHelper.sh

24. For the profile ID, type 175, and then press Enter.

The script will examine the defined profile report and return options for each aggregated field that can be
entered in the rule definition.

The Option 6 section for the COUNT(DISTINCT fileName) rule functions provides the aggregation function
for the rule you are building.

25. Select and copy the first COUNT(DISTINCT fileName) Option 6 aggregate function.
(COUNT(DISTINCT File Name)-STAT_AVG(COUNT(DISTINCT File Name):175))/STAT_STDDEV(COUNT(DISTINCT File Name):175)

26. Return to the Supervisor FortiSIEM management GUI, and in the Aggregate section, in the Attribute drop-down
list, select Expression Builder.

27. In the Expression field, paste the copied function.


28. Click Validate.
An Expression is valid message is displayed.

29. Close the pop-up window.


30. Click OK.
31. In the Operator drop-down list, select >=.
32. In the Value field, type 3.
33. Click the Add New Row ( ) to add a second Aggregate condition.
34. Return to the terminal window, and copy the second COUNT(DISTINCT fileName) Option 6 aggregate function.
STAT_STDDEV(COUNT(DISTINCT File Name):175)
35. Return to the Supervisor FortiSIEM management GUI, and in the Aggregate section, in the Attribute drop-down
list, in the second row, select Expression Builder.
36. In the Expression field, paste the copied function.
37. Click Validate.
An Expression is valid message is displayed.

38. Close the pop-up window.


39. Click OK.
40. In the Operator drop-down list, in the second row, select >.
41. In the Value field of the second row, type 0.

Your configuration should match the following example:

42. Click Save.


43. Click Step 3: Define Action.
44. Configure the following values:

Event attribute Filter attribute

Category Security

Subcategory Behavioral Anomaly

45. Click the pencil icon ( ) to edit the Action setting.


46. Configure the following Incident Attributes:

Event attribute Subpattern Filter attribute

Host IP filter_0 Reporting IP

Host Name filter_0 Reporting Device

Avg Distinct File Name filter_0 STAT_AVG(COUNT(DISTINCT File Name):175)

Std Dev Distinct File Name filter_0 STAT_STDDEV(COUNT(DISTINCT File Name):175)

Count filter_0 COUNT(DISTINCT File Name)

47. Add the following Triggered Attributes:
• Reporting Device
• Disk Name
• Disk Model
• User
48. Remove the following Triggered Attributes:
• Reporting IP
• Raw Event Log
49. Use the move icons (˄ and ˅) to rearrange the attributes to match the following order:
• Event Receive Time
• Event Type
• Reporting Device
• Disk Name
• Disk Model
• User
50. Click Save.
51. Click Save.
52. Click the checkbox to activate your baseline rule.

53. Click Continue.


54. Log out of the Supervisor FortiSIEM management GUI.
55. Return to the Local-Host VM, and close the terminal window.
56. Close the Local-Host VM browser tab.

Exercise 2: Preparing FortiSIEM for a Baseline Rule

In this exercise, you will update the numpoints data in the profile database.

Update the Profile Database

The numPoints value in the profile database plays an important role when rules evaluate any attribute. Its purpose
is to prevent a rule from triggering prematurely, before a baseline has been established and has become active.
The rules engine therefore fetches only those values from the profile database that have a numPoints value of 2
or more.

You will run a script to manipulate the numPoints value so that the baseline rule can use the profile data.

To update numPoints in the profile database


1. Go to the Local-Host VM.
2. Open a terminal window (Ctrl + Alt + T).
3. Type the following command to open an SSH connection to the FortiSIEM supervisor:
ssh [email protected]
4. Type the password Fortinet1!.
5. Type the following command to change your working directory:
cd /root/Lab/lab9/9_2
6. Type the following command to run the script:
./updateProfiledbRules.sh

The script updates the profile DB with some up-to-date values, including updating the numPoints value to be
greater than 2, so the data will be available for the rules engine.

7. Review the output on the screen.

From the profile DB output, you will see that for the current Hour of Day, for the user Jimmy.Jones, the
numPoints value has been increased to 3.

Do not close the SSH session to the supervisor. Continue to the next exercise.
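
The following added Python example (not the lab's or FortiSIEM's code) ties this exercise to the rule built in Exercise 1: it evaluates a batch of USB AddFile events against constructed profile 175 rows for the current hour, applying the subpattern filter, the Group By, both aggregate conditions (z-score >= 3 and STAT_STDDEV > 0) and the numPoints >= 2 gate described above. Event attribute names (eventType, reptDevIpAddr, reptDevName, diskName, diskModel, user, fileName), the profile record layout and all sample values are assumptions.

```python
"""Offline evaluation of the 'Sudden Increase in File Transfers to USB' baseline rule.

Added example, not FortiSIEM code. Attribute names and the profile record
shape (numPoints, avg, stddev) are assumptions mirroring the rule definition.
"""
from collections import defaultdict

EVENT_TYPE = "AO-WUA-RemovableMedia-AddFile"
REPORTING_IPS = {"10.0.1.1", "10.0.1.5", "10.0.1.9"}
Z_THRESHOLD = 3.0     # first aggregate condition: z-score >= 3
MIN_NUM_POINTS = 2    # the rules engine only uses profile rows with numPoints >= 2

# Constructed profile 175 rows keyed by (hourOfDay, user):
# (numPoints, STAT_AVG(COUNT(DISTINCT File Name)), STAT_STDDEV(COUNT(DISTINCT File Name))).
PROFILE_175 = {
    (14, "Jimmy.Jones"): (3, 5.0, 1.5),  # mature baseline
    (14, "Ann.Smith"):   (1, 2.0, 0.0),  # a single data point: not yet usable
    (14, "Bob.Lee"):     (3, 4.0, 0.0),  # identical history every day -> stddev 0
}


def make_usb_events(user, rept_ip, n_files, device="ServerA"):
    """Build n constructed AddFile events, each with a distinct file name."""
    return [
        {"eventType": EVENT_TYPE, "reptDevIpAddr": rept_ip, "reptDevName": device,
         "diskName": "E:", "diskModel": "SanDisk Ultra", "user": user,
         "fileName": f"doc_{i}.docx"}
        for i in range(n_files)
    ]


def evaluate_baseline_rule(events, hour_of_day, profile=PROFILE_175):
    """Return one incident dict per group that satisfies both aggregate conditions."""
    # Subpattern filter, then Group By (Reporting IP, Reporting Device, Disk Name,
    # Disk Model, User) collecting the distinct file names per group.
    distinct_files = defaultdict(set)
    for ev in events:
        if ev["eventType"] != EVENT_TYPE or ev["reptDevIpAddr"] not in REPORTING_IPS:
            continue
        key = (ev["reptDevIpAddr"], ev["reptDevName"], ev["diskName"],
               ev["diskModel"], ev["user"])
        distinct_files[key].add(ev["fileName"])

    incidents = []
    for key, files in distinct_files.items():
        rept_ip, rept_dev, disk_name, disk_model, user = key
        num_points, avg, stddev = profile.get((hour_of_day, user), (0, 0.0, 0.0))
        if num_points < MIN_NUM_POINTS:
            continue  # immature baseline: the engine does not fetch these rows
        count = len(files)  # COUNT(DISTINCT File Name) for this group
        # The second aggregate condition (stddev > 0) also guards the division.
        if stddev > 0 and (count - avg) / stddev >= Z_THRESHOLD:
            incidents.append({
                "hostIpAddr": rept_ip, "hostName": rept_dev,
                "diskName": disk_name, "diskModel": disk_model, "user": user,
                "avgDistinctFileName": avg, "stdDevDistinctFileName": stddev,
                "count": count, "zScore": (count - avg) / stddev,
            })
    return incidents


if __name__ == "__main__":
    batch = (make_usb_events("Jimmy.Jones", "10.0.1.5", 10)
             + make_usb_events("Ann.Smith", "10.0.1.1", 20)
             + make_usb_events("Bob.Lee", "10.0.1.9", 20))
    for inc in evaluate_baseline_rule(batch, hour_of_day=14):
        print(inc)
```

Only Jimmy.Jones produces an incident: ten distinct files against an average of 5 with deviation 1.5 is a z-score of about 3.33. Ann.Smith writes far more files but her row has numPoints 1, so the engine never sees it, and Bob.Lee's row has a deviation of 0, which the second condition rejects rather than dividing by zero.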

Exercise 3: Triggering a Baseline Rule

In this exercise, you will trigger the new baseline rule that you created in the previous exercise.

Trigger a Baseline Rule

Now, you will set up the conditions to trigger the baseline rule that you created in the previous exercise. You will
send 32 USB events to the supervisor node.

To restart the process on FortiSIEM


1. Go to the Local-Host VM.
2. Open a terminal window (Ctrl + Alt + T).
3. Type the following command to open an SSH connection to the FortiSIEM supervisor:
ssh [email protected]
4. Type the password Fortinet1!.
5. Type phstatus.
The FortiSIEM processes are displayed. Keep the terminal window open.

6. Open another terminal window (Ctrl + Alt + T), and then type the following command to open another SSH
connection to the FortiSIEM supervisor:
ssh [email protected]
7. Type the password Fortinet1!.
8. Type the following command to change your working directory:
cd /root/Lab/lab9/9_3
9. Type the following command to run the script that will restart all supervisor processes:
./processrestart.sh

Wait for the All Done! message. You can monitor the process status in the previous terminal window.

Wait until all processes are started. Do not proceed to the next section before that.

To run the script to replay USB events


1. Continuing on the Local-Host VM, open another terminal window (Ctrl + Alt + T).
2. Type the following command to change your working directory:
cd Desktop/Resource/Lab/lab9/9_3
3. Type the following command to start the script:
sudo ./runLab9_3.sh


4. Type the password password.


Wait for the All Done! message.

Verify the Incident on FortiSIEM

Now, you will verify the incident that was generated by the baseline rule. You will verify the incident on the GUI and
CLI, using a script. The aggregation calculation is not shown in the incident details on the GUI—only the individual
component scores are shown. The script displays the aggregation calculation in the CLI.

To verify the incident on the FortiSIEM GUI


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOG IN.


4. Click INCIDENT.
5. In the Top Incidents section, click the Sudden Increase in File Transfers to USB widget.
6. Select the incident, and then click Details.
7. Review the incident details and triggering events, and then note the Incident ID.
In the following example, the Incident ID is 9702. Your Incident ID may be different.


To verify the incident on the FortiSIEM CLI


1. Return to the terminal window connected to the FortiSIEM supervisor, and type the following command to change
your working directory:
cd /root/Lab/lab9/9_3
2. Type the following command to verify the incident:
./verifyRuleData.sh

Enter your incident ID when prompted.

The script queries the incident details and returns exactly why the rule was triggered.


3. Close all terminal windows.


4. Close Firefox.

Lab 10: UEBA

In this lab, you will build an AI model on FortiSIEM and generate anomaly events to trigger UEBA rules. You will
then analyze the UEBA incidents.

Objectives
• Build a UEBA AI model
• Generate a UEBA anomaly event
• Analyze a UEBA incident
• Analyze UEBA dashboards and widgets

Time to Complete
Estimated: 30 minutes

Exercise 1: Building a UEBA AI Model

In this exercise, you will build an AI model on FortiSIEM using a script.

Train the AI Engine

You will train the AI engine with simulated logs.

Do not run this script on a production machine or in a customer POC.

To replace the ai.properties file


1. On the Local-Host VM, open a terminal window (Ctrl+Alt+T).
2. Enter the following command to open an SSH connection to the FortiSIEM supervisor:
ssh [email protected]
3. Enter the password Fortinet1!.
4. Enter the following command to verify your working directory—it should be /root:
pwd
5. Enter the following command, and then verify that the highlighted file is available:
ls -lrt

6. Enter the following command to navigate to the fsmUebaDemo directory:


cd fsmUebaDemo
7. Enter the following command to replace the default ai.properties file with the included example:
cp ai.properties /opt/fortiinsight-ai/bin/config/ai.properties

8. Type Y to confirm the overwrite.


9. Enter the following command to change the owner of the new ai.properties file:
chown admin:admin /opt/fortiinsight-ai/bin/config/ai.properties
10. Enter the following command to identify the phFortiInsightAI process ID (PID):

ps -edf | grep Insight
In the following example, the PID is 1096. The PID will be different in your environment.

11. Enter the following command to kill the process. Make sure you use the PID you retrieved in the previous step.
kill <PID>
The process restarts after a few minutes.

12. After a few minutes, type the following command, and then verify that the phFortiInsightAI service has started
again:
phstatus

13. Type Ctrl+C to return to the command line.

To train the AI model


1. Continuing on the SSH session, enter the following command to view the script run options:
./fsmUebaDemo.php


2. Type the following command to train the model:


./fsmUebaDemo.php -t

The process will take 10–20 minutes.

3. Type 1 to change the AI engine to Active Detection mode.

4. Close the SSH session browser tab.

Exercise 2: Running the UEBA Demo

In this exercise, you will trigger anomalies based on previous pattern behavior by sending events that the AI
engine has not seen before.

Run the UEBA Demo

You will send 50 regular logs to FortiSIEM. A few of the logs in that set of 50 will trigger anomalies.

To run the demo


1. On the Local-Host VM, open a terminal window (Ctrl+Alt+T).
2. Enter the following command to open an SSH connection to the FortiSIEM supervisor:
ssh [email protected]
3. Enter the password Fortinet1!.
4. Enter the following command to navigate to the fsmUebaDemo directory:
cd fsmUebaDemo
5. Enter the following command to send the logs:
./fsmUebaDemo.php -s

6. Close the SSH session browser tab.

Exercise 3: Reviewing UEBA Incidents

In this exercise, you will review the UEBA incidents generated by the UEBA rules.

Review the UEBA Incidents

You will review the incidents generated by the AI engine.

To review the UEBA incidents


1. On the supervisor FortiSIEM GUI, log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

2. Click LOG IN.


3. Click INCIDENTS.
4. Select List by Time.
5. In the left navigation pane, click Actions > Search.
6. Search for all incidents for the last 2 hours, and then click Apply Time Range.

7. Filter the results by Incident Name, using the string UEBA AI detects unusual file upload.


Do not close the Action menu. You will search through different UEBA AI incidents in
this exercise.

8. Review the UEBA AI detects unusual file upload incident.

Seven different incidents were triggered for the same rule. Different types of unusual files were uploaded by
different users.

9. In the filter section, clear the UEBA AI detects unusual file upload checkbox.
10. In the filter section, select the UEBA AI detects unusual process created checkbox.
11. Review the UEBA AI detects unusual process created incident.

Seven different incidents were triggered for the same rule. Different types of unusual processes were created
by different users.

12. In the filter section, clear the UEBA AI detects unusual process created checkbox.
13. In the filter section, select the UEBA Policy detects hacking tool usage and UEBA AI detects unusual host
logon checkboxes.

One incident was generated because UEBA AI detected an unusual host logon activity. Another incident was
generated because UEBA detected a user using a hacking tool.

14. Close the Action menu.

Review the UEBA Rules

There are several out-of-the-box UEBA rules that refer to AI data to compute an anomaly and generate incidents.
The rule names start with the term UEBA. You will review the four UEBA rules that were triggered in this lab.

To review the UEBA AI detects unusual file upload rule


1. Continuing on the FortiSIEM GUI, click RESOURCE.
2. In the left pane, select and expand Rules.
3. Select and expand Security.
4. Click UEBA.
There are 50 built-in UEBA rules. By default, a few rules are not active. If you need those rules in your
environment, you must activate them manually.

5. Search for the UEBA AI detects unusual file upload rule that triggered several incidents in this lab.
6. Select this rule, and then click Edit.
7. Click Selected Rule.
8. Click Step 2: Define Condition.
9. Edit the UEBA subpattern.

This rule is tracking the Event Type that has the value FortiInsight-AiAlert-fileuploaded. A single such
event triggers an incident. This occurs only if there is an anomaly event that deviates from the AI model.

10. Click Cancel.


11. Click Cancel again.

To review the UEBA Policy detects hacking tool usage rule
1. Continuing on the UEBA rules page, search for the UEBA Policy detects hacking tool usage rule.
2. Select the rule, and then click Edit.
3. Click Selected Rule.
4. Click Step 2: Define Condition.
5. Edit the UEBA subpattern.

This rule is tracking the Event Type that has the value FINS-Windows-new-process-created. This rule is
also tracking the following processes:
• metasploit
• metasploit.exe
• mimikatz.exe
• nc
• nc.exe
• ncat
• nmap
• nmap.exe
• oclhashcat
• psexec.exe
• psexecsvc.exe
• runas.exe
• tor browser
• tor browser.exe
• tor
• tor.exe
• tor.real
• wireshark
• wireshark.exe
• zenmap
• zenmap.exe
If an anomaly event matches the event type defined and that event contains one or more of the processes
defined, it triggers an incident.

6. Click Cancel.
7. Click Cancel again.

To review the UEBA AI detects unusual process created rule


1. Continuing on the UEBA rules page, search for the UEBA AI detects unusual process created rule.
2. Select the rule, and then click Edit.
3. Click Selected Rule.
4. Click Step 2: Define Condition.
5. Edit the UEBA subpattern.

This rule is tracking the Event Type that has the value FortiInsight-AiAlert-newprocesscreated. A single
such event triggers an incident. This occurs only if there is an anomaly event that deviates from the AI model.
The event must also have an average confidence value greater than 0.

6. Click Cancel.
7. Click Cancel again.

To review the UEBA AI detects unusual host logon rule


1. Continuing on the UEBA rules page, search for the UEBA AI detects unusual host logon rule.
2. Select the rule, and then click Edit.
3. Click Selected Rule.
4. Click Step 2: Define Condition.
5. Edit the UEBA subpattern.

This rule is tracking the Event Type that has the value FortiInsight-AiAlert-userloggedon. A single such
event triggers an incident. This occurs only if there is an anomaly event that deviates from the AI model.

6. Click Cancel.
7. Click Cancel again.
8. Log out of the supervisor FortiSIEM GUI.
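
To show how the four rule conditions reviewed in this section differ, here is an added Python example (not the lab's or FortiSIEM's code) that evaluates them over a handful of constructed FortiInsight events. The event types and the process list are taken from the rule definitions above; the attribute names (eventType, procName, avgConfidence), the sample events, and matching the process by its lower-cased file name are assumptions.

```python
"""Evaluate the four UEBA rules reviewed in this exercise against constructed events.

Added example, not FortiSIEM code. Event types and the process list come from
the rule definitions on this page; attribute names and basename matching are
assumptions.
"""
import re

# Process names tracked by 'UEBA Policy detects hacking tool usage' (from the rule).
HACKING_TOOL_PROCESSES = {
    "metasploit", "metasploit.exe", "mimikatz.exe", "nc", "nc.exe", "ncat",
    "nmap", "nmap.exe", "oclhashcat", "psexec.exe", "psexecsvc.exe", "runas.exe",
    "tor browser", "tor browser.exe", "tor", "tor.exe", "tor.real",
    "wireshark", "wireshark.exe", "zenmap", "zenmap.exe",
}


def process_basename(path):
    """Strip directories from a Windows or POSIX path and normalise case (assumption)."""
    return re.split(r"[\\/]", path)[-1].strip().lower()


def evaluate_ueba_rules(event):
    """Return the names of the UEBA rules whose conditions this single event meets."""
    matched = []
    et = event.get("eventType")
    if et == "FortiInsight-AiAlert-fileuploaded":
        matched.append("UEBA AI detects unusual file upload")
    elif et == "FortiInsight-AiAlert-newprocesscreated":
        # This rule additionally requires an average confidence greater than 0.
        if float(event.get("avgConfidence", 0)) > 0:
            matched.append("UEBA AI detects unusual process created")
    elif et == "FortiInsight-AiAlert-userloggedon":
        matched.append("UEBA AI detects unusual host logon")
    elif et == "FINS-Windows-new-process-created":
        # Policy rule: a raw process-creation event naming one of the listed tools.
        if process_basename(event.get("procName", "")) in HACKING_TOOL_PROCESSES:
            matched.append("UEBA Policy detects hacking tool usage")
    return matched


def summarize(events):
    """Count how many incidents each rule would raise over a batch of events."""
    counts = {}
    for ev in events:
        for rule in evaluate_ueba_rules(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = [
    {"eventType": "FortiInsight-AiAlert-fileuploaded", "user": "alice",
     "fileName": "payroll.xlsx"},
    {"eventType": "FortiInsight-AiAlert-newprocesscreated", "user": "bob",
     "procName": "curl.exe", "avgConfidence": 0.82},
    {"eventType": "FortiInsight-AiAlert-newprocesscreated", "user": "bob",
     "procName": "notepad.exe", "avgConfidence": 0.0},   # confidence 0: no incident
    {"eventType": "FortiInsight-AiAlert-userloggedon", "user": "carol",
     "hostName": "WS-17"},
    {"eventType": "FINS-Windows-new-process-created", "user": "dave",
     "procName": "C:\\Tools\\mimikatz.exe"},
    {"eventType": "FINS-Windows-new-process-created", "user": "dave",
     "procName": "C:\\Windows\\explorer.exe"},           # not a listed tool
]

if __name__ == "__main__":
    for rule, n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{n}  {rule}")
```

The three AI rules fire on the alert events the AI engine emits once it is in Active Detection mode, so they never need a process list; the policy rule works the other way round, matching the raw Windows process-creation event directly, which is why it still fires for a known tool even when the AI model has seen that user start processes before.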

Exercise 4: Reviewing the UEBA Dashboard

In this exercise, you will review the UEBA alerts and events dashboard.

Review the UEBA Dashboards

You will review the UEBA dashboards.

To review the UEBA alerts dashboard


1. On the supervisor FortiSIEM GUI, log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

2. Click LOG IN.


3. Click DASHBOARD.
4. Click UEBA Alerts.
5. Review the Incidents By Severity widget.

You can drill down to Analytics to see more details about the incidents.


6. Review the Top Incidents widget.

You can drill down to Analytics to see more details about the top incidents.

7. Review the Top Tags widget.


You can drill down to Analytics to see more details about the top tags.

8. Review the Top Hosts widget.

You can drill down to Analytics to see more details about the top hosts.


9. Review the Top Applications widget.

You can drill down to Analytics to see more details about the top applications.

10. Review the Top Users widget.

You can drill down to Analytics to see more details about the top users.

11. Review the All Incidents widget.

To review the UEBA events dashboard


1. Continuing on the DASHBOARD page, click UEBA Events.
2. Review the Top Events widget.


You can drill down to Analytics to see more details.

3. Review the Top Hosts widget.

You can drill down to Analytics to see more details.


4. Review the Top Users widget.

You can drill down to Analytics to see more details.

5. Review the Top Applications widget.


You can drill down to Analytics to see more details.

6. Log out of the supervisor FortiSIEM GUI.

Lab 11: MITRE ATT&CK Framework

In this lab, you will generate several security incidents and analyze them through the MITRE ATT&CK framework
on FortiSIEM and FortiSOAR.

Objectives
• Analyze incidents on FortiSIEM with the MITRE ATT&CK framework
• Map FortiSIEM incident MITRE techniques to FortiSOAR
• Analyze alerts on FortiSOAR with the MITRE ATT&CK framework

Time to Complete
Estimated: 30 minutes

Exercise 1: Creating Tags on FortiSIEM

In this exercise, you will create a few tags on FortiSIEM and associate one of the tags with a rule. This makes it
easier for you to search for incidents that the rule detects using the tag name. You can also map the tags on
FortiSOAR.

Create Tags on FortiSIEM

You will create a few tags on FortiSIEM and associate one of the tags with a specific rule.

To create tags on FortiSIEM


1. On the supervisor FortiSIEM GUI, log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

2. Click ADMIN.
3. Click Settings.
4. Click Tags.
5. Click New.
6. Configure the following tags:

Tag Color

phishing red

ransomware red

code execution red

powershell yellow

To add tags to incidents


1. Continuing on the FortiSIEM GUI, click RESOURCES.
2. In the left navigation pane, expand Rules.
3. Search for the Windows: WannaCry Ransomware rule name.
4. Select the rule, and then click Edit.
5. Click Selected Rule.

6. Click Step 3: Define Action.
7. Click Tag, and then select ransomware in the drop-down list.

8. Click Save.
9. Log out of the supervisor FortiSIEM GUI.

Exercise 2: Generating Incidents on FortiSIEM

In this exercise, you will generate several different types of incidents on FortiSIEM using an incident generator
script.

Generate Incidents on FortiSIEM

You will generate Windows security incidents through the incident generator script.

To generate incidents
1. On the Local-Host VM, open a terminal window (Ctrl+Alt+T).
2. Enter the following command to open an SSH connection to the FortiSIEM supervisor:
ssh [email protected]
3. Enter the password Fortinet1!.
4. Enter the following command to verify your working directory—it should be /root:
pwd
5. Enter the following command, and then verify that the highlighted files are available:
ls -lrt

6. Enter the following command to run the script to generate security incidents:
./fsmIncidentSimulator2_4.sh security_incident
7. Once the script is complete, type the following command to generate user security incidents:
./fsmIncidentSimulator2_4.sh security_user_incident
8. Once the scripts are complete, type the following command to generate sysmon incidents:
./fsmIncidentSimulator2_4.sh security_sysmon_incident
9. Close the SSH session browser tab.

Exercise 3: Reviewing the MITRE ATT&CK Framework
Support on FortiSIEM

In this exercise, you will review the baseline reports and rules.

Review the MITRE ATT&CK Incident Dashboard

You will review the MITRE ATT&CK incident dashboard.

To review the MITRE rule coverage


1. On the supervisor FortiSIEM GUI, log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

2. Click LOG IN.


3. Click INCIDENTS.
4. In the MITRE ATT&CK drop-down list, select Rule Coverage.
The FortiSIEM rule coverage of the MITRE framework is displayed.

To review the MITRE incident coverage


1. Continuing on the FortiSIEM GUI, in the MITRE ATT&CK drop-down list, select Incident Coverage.


In this view, incidents generated on FortiSIEM are mapped to the MITRE framework.

2. In the Execution tactic column, select Command and Scripting Interpreter.


3. Click Show Incidents.

All incidents related to the Command and Scripting Interpreter technique are displayed.

To review the MITRE incident explorer


1. Continuing on the FortiSIEM GUI, in the MITRE ATT&CK drop-down list, select Incident Explorer.


In this view, incidents generated on FortiSIEM based on target device are mapped to the MITRE framework.

2. Continuing on the MITRE ATT&CK Incident Explorer page, click Tactics:All.


3. Select Defense Evasion.

4. Select the device_172_16_8_98 device.


5. Click the Windows: WannaCry Ransomware incident.
Review the incidents details, such as Tactics and Technique.


The incident was tagged with the ransomware tag that you created and applied to the rule in a previous
exercise.

6. Log out of the supervisor FortiSIEM GUI.

Exercise 4: Reviewing the MITRE ATT&CK Framework
Support on FortiSOAR

In this exercise, you will review the MITRE ATT&CK framework on FortiSOAR.

Review the MITRE ATT&CK Framework on FortiSOAR

You will review the incidents that were generated on FortiSIEM on FortiSOAR. FortiSOAR is preconfigured to
ingest incidents from FortiSIEM.

To review the MITRE ATT&CK framework on FortiSOAR


1. On the FortiSOAR GUI, log in with the following credentials:

Field Value

Username csadmin

Password Fortinet1!

2. Click Incident Response > MITRE ATT&CK Techniques.

The module contains details about all of the 525 MITRE ATT&CK techniques. You can manually link alerts
and incidents to various techniques or you can use a playbook to automate the process.

3. Continuing on the Incident Response module, click Alerts.
4. Open an alert in the list that is marked with the Credential Access MITRE technique.

5. Scroll down, and then click Correlations.


6. Click ATT&CK Techniques.

The technique is listed as Password Guessing and the Technique ID is T1110.001.

7. Click T1110.001.
Review the technique details.


8. Scroll down to the bottom, and in the Related Records section, click Alerts.

There are seven other alerts that are associated with the same technique on FortiSOAR. Analysts can quickly
navigate to other alerts and remediate those alerts based on the mitigation action defined for the technique.

9. Log out of the FortiSOAR GUI.

Lab 12: Clear Conditions

In this lab, you will explore how clear conditions are applied to rules and how they are triggered.

Objectives
l Review time-based clear conditions
l Add a pattern-based clear condition to a rule

Time to Complete
Estimated: 30 minutes

Exercise 1: Reviewing Time-Based Clear Conditions

In this exercise, you will review time-based clear conditions.

Review Rules With Clear Conditions

Clear conditions specify when an active incident is automatically changed to a cleared status. You set the time
period that must elapse before the clear condition is evaluated, and then base the condition either on the original
rule not triggering again during that period, or on a separate subpattern built from the incident attributes.

A few out-of-the-box rules have clear conditions predefined. You will review those.

To run a CMDB report for rules with clear conditions


1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOGIN.
4. Click CMDB.
5. In the left navigation pane, click CMDB Reports.
6. In the search field, type clear.
7. Select Rules with Clear Conditions, and then click Run.

8. Verify that All Organizations is selected, and then click Run.


Notice that for each rule with a clear condition, the report shows whether the condition is time-based or
pattern-based.

Review a Time-Based Clear Condition

Now, you will review a rule with a time-based clear condition. With a time-based clear condition, FortiSIEM clears
the incident automatically if the original rule does not trigger again within the specified period, which can be set
in seconds, minutes, or hours.

To review a time-based clear condition


1. Continuing on the FortiSIEM GUI, click RESOURCES.
2. In the left navigation pane, click Rules.
3. In the search field, type High Process Memory.
4. Select the High Process Memory: Network Device rule, and then click Edit > Selected Rule.
5. Click Step 3: Define Action.
6. Click the pencil icon ( ) to edit the Clear settings.

This is a time-based clear condition: FortiSIEM clears the incident automatically after 20 minutes if the original
rule does not trigger again within that period.

7. Click Cancel.
8. Click Cancel.
9. Log out of the Supervisor FortiSIEM management GUI.

Exercise 2: Configuring a Pattern-Based Clear Condition

In this exercise, you will configure a pattern-based clear condition.

Define a Pattern-Based Clear Condition

With a pattern-based clear condition, you define a clear subpattern, which can be a single pattern or multiple
patterns. Usually, it is almost an exact mirror of the subpattern that triggers the rule, but with a different
aggregation condition (typically the opposite threshold).

You will clone an existing rule and define a pattern-based clear condition for that rule.
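The following Python model, added here as an example and not part of the lab guide or of FortiSIEM, shows how the two kinds of clear condition behave over a stream of SNMP Ping Stat samples. It replays the lab rule that you build in this exercise (trigger on AVG(Packet Loss Pct) >= 5, clear on AVG(Packet Loss Pct) < 10) and the time-based rule from the previous exercise (clear after 20 minutes without a new match). The one-minute windows, the per-host grouping, the evaluation order, and the sample values are assumptions made for the example; FortiSIEM's rule engine is not this code.

```python
"""Simplified model of FortiSIEM clear conditions (added example, not Fortinet code).

Models the two rules from this lab:
  - pattern-based: SnmpDown  AVG(Packet Loss Pct) >= 5  opens the incident,
                   SnmpDown_CLEAR  AVG(Packet Loss Pct) < 10  auto-clears it
  - time-based:    the incident auto-clears 20 minutes after the rule last matched
Window size, per-host grouping and evaluation order are assumptions.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import Callable, Optional

TriggerFn = Callable[[float], bool]


@dataclass
class PingStat:
    ts: int                 # epoch seconds of the SNMP Ping Stat sample
    host: str
    packet_loss_pct: float


@dataclass
class Incident:
    host: str
    first_seen: int
    last_seen: int
    count: int = 1
    status: str = "Active"
    action_history: list = field(default_factory=list)


class ClearConditionRule:
    def __init__(self, trigger: TriggerFn, clear_pattern: Optional[TriggerFn] = None,
                 clear_after_s: Optional[int] = None):
        if (clear_pattern is None) == (clear_after_s is None):
            raise ValueError("choose exactly one of clear_pattern or clear_after_s")
        self.trigger = trigger
        self.clear_pattern = clear_pattern
        self.clear_after_s = clear_after_s
        self.incidents: dict[str, Incident] = {}

    def evaluate(self, window: list[PingStat], window_end: int) -> None:
        """Evaluate one aggregation window, grouped by host like the rule's group-by attribute."""
        by_host: dict[str, list[float]] = {}
        for s in window:
            by_host.setdefault(s.host, []).append(s.packet_loss_pct)
        for host, losses in by_host.items():
            avg = mean(losses)
            inc = self.incidents.get(host)
            if inc is None or inc.status != "Active":
                if self.trigger(avg):            # new incident
                    inc = Incident(host, window_end, window_end)
                    inc.action_history.append((window_end, f"triggered, AVG={avg:g}"))
                    self.incidents[host] = inc
                continue
            if self.trigger(avg):                # matched again: same incident, count goes up
                inc.count += 1
                inc.last_seen = window_end
            if self.clear_pattern is not None and self.clear_pattern(avg):
                inc.status = "Auto Cleared"
                inc.action_history.append((window_end, f"cleared by pattern, AVG={avg:g}"))
        if self.clear_after_s is not None:       # time-based: no new match for N seconds
            for inc in self.incidents.values():
                if inc.status == "Active" and window_end - inc.last_seen >= self.clear_after_s:
                    inc.status = "Auto Cleared"
                    inc.action_history.append((window_end, f"cleared by time ({self.clear_after_s}s)"))


def ambiguous_range(trigger: TriggerFn, clear_pattern: TriggerFn) -> list[int]:
    """Packet-loss values (0-100) that match both subpatterns: a sign the thresholds overlap."""
    return [v for v in range(101) if trigger(v) and clear_pattern(v)]


def replay(rule: ClearConditionRule, samples: list[PingStat], window_s: int = 60) -> Incident:
    """Feed samples through the rule one window at a time and return the kali incident."""
    start, end = samples[0].ts, samples[-1].ts
    for w_start in range(start, end + 1, window_s):
        window = [s for s in samples if w_start <= s.ts < w_start + window_s]
        rule.evaluate(window, w_start + window_s)
    return rule.incidents["kali"]


# Constructed SNMP Ping Stat samples (one per minute) for the Kali host: snmpd is stopped
# after two minutes and restarted a few minutes later.
LAB_SAMPLES = [PingStat(60 * i, "kali", loss) for i, loss in
               enumerate([0, 0, 20, 100, 100, 60, 8, 0])]


def run_pattern_based() -> Incident:
    rule = ClearConditionRule(trigger=lambda avg: avg >= 5, clear_pattern=lambda avg: avg < 10)
    return replay(rule, LAB_SAMPLES)


def run_time_based() -> Incident:
    # Constructed: one window of 100% loss, then clean samples for 25 minutes.
    samples = [PingStat(60 * i, "kali", 100 if i == 0 else 0) for i in range(26)]
    rule = ClearConditionRule(trigger=lambda avg: avg >= 5, clear_after_s=20 * 60)
    return replay(rule, samples)


if __name__ == "__main__":
    inc = run_pattern_based()
    print(inc.status, inc.count, inc.action_history)
    print("values matching trigger and clear:", ambiguous_range(lambda a: a >= 5, lambda a: a < 10))
    print(run_time_based().status, run_time_based().action_history)
```

Running the pattern-based replay shows the incident opening at 20% loss, counting four more matches while snmpd is down, and clearing on the first window below 10%. `ambiguous_range` reports 5% to 9% as matching both subpatterns with the lab thresholds, which is why the shipped rule keeps the trigger at 100: when you write your own pattern-based clear conditions, keep the clear threshold strictly below the trigger threshold.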

To clone a rule
1. Go to the Supervisor FortiSIEM management GUI.
2. Log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

3. Click LOGIN.
4. Click RESOURCES.
5. In the left navigation pane, click Rules.
6. In the search field, type SNMP Service Unavailable.
7. Clear the checkbox in the Active column for the SNMP Service Unavailable rule.
8. Deselect Active.
9. Deselect All Orgs.
10. Click Save.
11. Select the rule again, and then click Clone.
12. In the Save As field, type SNMP Service Unavailable Kali.
13. Click Save.
14. Select the SNMP Service Unavailable Kali rule, and select the checkbox to activate it.
15. Click Active.
16. Click University.
17. Click Save.

To define a pattern-based clear condition
1. Continuing on the FortiSIEM GUI, select the SNMP Service Unavailable Kali rule, and then click Edit.
2. Click Step 2: Define Condition.
3. Click the pencil icon ( ) to edit the SnmpDown subpattern.
4. In the Value field, for the AVG(Packet Loss Pct) attribute, type 5.
By reducing the packet loss percentage threshold, you can trigger the rule quickly in the lab. In a production
environment, keep the value at 100 so that the rule fires only when the device stops answering SNMP entirely.

5. In the Operator drop-down list, for the AVG(Packet Loss Pct) attribute, select >=.
6. Click Save.
7. Click Step 3: Define Action.
8. Click the pencil icon ( ) to edit the Clear settings.
9. Verify that the following conditions are met is selected.
10. Click the pencil icon ( ) to edit the SnmpDown_CLEAR subpattern.
Review the Value field for the AVG(Packet Loss Pct) attribute.

If the average packet loss percentage drops below 10%, the incident is cleared. Note that with the lab threshold
of 5%, an average between 5% and 10% matches both the trigger subpattern and the clear subpattern; when you
write your own rules, keep the clear threshold below the trigger threshold.

11. Click Cancel.


12. Click Cancel.
13. Click Save.
14. Click OK.

Modify the SNMP Ping Interval

The default SNMP Ping Stat interval is two minutes. For this lab, you will reduce that interval to one minute so that
the rule triggers sooner.

To reduce the SNMP Ping Stat interval


1. Continuing on the FortiSIEM GUI, click ADMIN.
2. Click Monitor Performance.
3. Click kali, and then in the More drop-down list, select Edit Intervals.

4. Select SNMP Ping Stat(SNMP), and then click >>>.


5. Set the interval to 01.

6. Click Save.

Disable the SNMP Service

To trigger the rule and generate an incident, you will now disable the SNMP service on Kali.

To disable the SNMP service on Kali


1. Go to the Kali VM.
2. Open a terminal window.
3. Type the following command to stop the SNMP service:
service snmpd stop
4. Type the following command to verify that the SNMP service has stopped:
service snmpd status

5. Press Q.

Run the Rule as a Query

You will run the SNMP Service Unavailable rule as a query, and monitor the packet loss percentages. An
incident is triggered only if the average packet loss percentage is 5% or more.

To run the rule as a query


1. Return to the FortiSIEM GUI, click RESOURCES.
2. In the left navigation pane, click Rules.
3. Select the SNMP Service Unavailable Kali rule, and then click Edit.
4. Click Step 2: Define Condition.
5. Click the pencil icon ( ) to edit the SnmpDown subpattern.
6. Click Run as Query.

7. Deselect all organizations except University.


8. Set the Time Range to 4 minutes.

Advanced Analytics 6.3 Lab Guide 198


Fortinet Technologies Inc.
DO Verify
NOT REPRINT
the Incident Exercise 2: Configuring a Pattern-Based Clear Condition

© FORTINET

9. Click Run.
The query results are displayed on a new browser tab.

Review the AVG(Packet Loss Pct) column. The average packet loss percentage must be 5% or more for the rule
to trigger an incident. Run the query again after a few minutes if the average packet loss percentage is still
below 5%.

Verify the Incident

Now, you will verify the incident that was created because the SNMP service was down. You will notice that the
incident status is Active.

To verify the incident

1. Continuing on the FortiSIEM GUI, click the INCIDENTS icon ( ).


2. Click List, and then in the drop-down list, select List by Time.

3. In the Action drop-down list, select Search.

4. In the left pane, click Incident Status, and deselect Active.


This sets the Incident Status setting to All.

5. Find and select the SNMP Service Unavailable Kali incident.


6. Click Details.
Review the incident and the current status.

Enable the SNMP Service

Now, you will enable the SNMP service so that you can observe the incident status change to Auto Cleared.

To enable the SNMP service on Kali


1. Return to the Kali VM, and in the terminal window, type the following command to start the SNMP service:
service snmpd start
2. Type the following command to verify that the SNMP service has started:
service snmpd status

3. Close the terminal window.


4. Close the Kali VM browser tab.

Run the Rule as a Query

You will run the SNMP Service Unavailable rule as a query again, and monitor the packet loss percentage. The
incident clears automatically when the average packet loss percentage falls below 10%.

To run the rule as a query


1. Return to the Supervisor FortiSIEM management GUI.
2. On the Edit SubPattern page, click Run as Query.
3. Deselect all organizations except University.
4. Set the Time Range to 4 minutes.
5. Click Run.
Notice that the packet loss percentage decreases as SNMP polling recovers. The system automatically clears
the incident when the value falls below 10%.

Depending on network latency, the SNMP Ping Stat round trip value could be slower than usual.

Verify the Incident Status

Now, you will verify the incident and observe that its status has changed to Auto Cleared.

To verify the automatically cleared status for the SNMP service incident
1. Return to the INCIDENTS page of the FortiSIEM GUI.
2. In the left pane, click Incident Status.

3. Select Auto Cleared.

If you don't see the Auto Cleared option on your GUI, it means the incident has not automatically cleared yet.
Wait a few more minutes.

4. Find and select the SNMP Service Unavailable Kali incident.


5. Click Details.
Review the incident and the current status.

The Action History section displays the reason the incident was cleared. In this case, it was cleared by the
system since it met the clear conditions that were defined in the rule.

6. Click Events.

Review the packet loss percentage. In this example, the packet loss was 20%, which is why the incident was
triggered. In the rule, you set 5% as the threshold, so any average packet loss of 5% or more triggers an
incident.

From the incident, you will not be able to view the event that caused the incident to clear. You can see only the
events related to the subpattern that triggered the incident. In this case, the subpattern was SnmpDown.

7. Log out of the Supervisor FortiSIEM management GUI.

Lab 13: Remediation

In this lab, you will remediate incidents manually from FortiSIEM. You will also configure the REST API on
FortiGate so that you can connect FortiSOAR to FortiGate. Then, you will perform mitigation of malicious
indicators of compromise (IOCs) from FortiSOAR and block them on FortiGate.

You will perform other FortiSOAR actions, such as extracting and enriching indicators.

Objectives
l Run a remediation script on an incident to block an IP address on FortiGate
l Configure the REST API on FortiGate
l Configure the FortiGate connector on FortiSOAR
l Extract, enrich, and mitigate IOCs

Time to Complete
Estimated: 30 minutes

Exercise 1: Remediating an Incident

FortiSIEM can perform remediation after an incident is detected. The remediation can be performed either
automatically, using notification policies, or manually. In this exercise, you will learn how to remediate an incident
on FortiGate manually from FortiSIEM.

Execute the Remediation

On FortiSIEM, you will find several existing remediation scripts, including scripts for FortiGate devices. You will
remediate an incident that was generated by FGT_Aviation. You will block the offending IP address on FortiGate
by running a remediation action from FortiSIEM.

When an incident that affects a FortiGate device occurs, you can execute the remediation automatically using a
notification policy. However, in this task, you will execute the remediation manually from FortiSIEM.

To execute the remediation script


1. On the supervisor FortiSIEM GUI, log in to the super organization with the following credentials:

Field Value

User ID admin

Password Fortinet1!

Cust/Org Id super

Domain LOCAL

2. Click INCIDENTS.
3. Click List.
4. In the Action drop-down list, select Search.
5. Click Last 2 Hours, and then set it to 3 days.
6. Click Apply Time Range.
7. Verify that Incident Status is set to Active.
8. In the search results, find an incident that has a Target of fgt_aviation.

9. Identify and select the Admin login to FortiGate from a public IP address incident that has a Source of
100.64.1.10.
If you don't see any incidents on the first page, go to the next incident page.

10. Select the incident, and then in the Action drop-down list, select Remediate Incident.
11. In the Type field, select Remediation.
12. In the Remediation field, select Fortinet FortiOS - Block IP FortiOS 5.4.
13. In the Run On field, select collector 2.
14. Click Run.
Wait for the script to execute. The Task Result field displays Success.

15. Close the Run Remediation window.


16. Click the Details tab to open details about the incident.
Review the Action History for the incident.

Analyze the Remediation Result

After the remediation is completed, the offending IP address is blocked on FGT_Aviation. Now, you will verify the
blocked IP address on FGT_Aviation.

207 Advanced Analytics 6.3 Lab Guide


Fortinet Technologies Inc.
DO Exercise
NOT1: Remediating
REPRINT an Incident Analyze the Remediation Result

© FORTINET
To analyze the remediation result
1. On the FGT_Aviation FortiGate GUI, log in with the username admin and password password.
2. Expand Dashboard.
3. Select Quarantine.
4. Review the Banned IP entry.
The IP address 100.64.1.10 was blocked by FortiSIEM because it is the public source IP address that
logged in to the FGT_Aviation firewall.

5. Log out of the FortiGate GUI.

Exercise 2: Configuring the REST API on FortiGate

In this exercise, you will configure the REST API on FGT_Aviation.

Configure the REST API on FortiGate

You will create a new administrator profile and a REST API administrator account, and then generate an API key
on FortiGate.

To configure a REST API administrator profile


1. On the FGT_Aviation FortiGate GUI, log in with the username admin and password password.
2. Click System > Admin Profiles.
3. Click Create New.
4. In the Name field, type FortiSOAR_API.
5. In the Permissions drop-down list, select Read/Write.

6. Click OK.

To configure an API administrator account
1. Continuing on the FGT_Aviation GUI, click System > Administrators.
2. In the Create New drop-down list, select REST API Admin.
3. In the Username field, type FortiSOAR_API.
4. In the Administrator profile drop-down list, select FortiSOAR_API.
5. Disable PKI Group.
6. Disable Trusted Hosts.

Disabling Trusted Hosts is acceptable only in this lab. In production, leave Trusted Hosts enabled and restrict
the REST API administrator to the FortiSOAR source address, so that a leaked API key cannot be used from
anywhere else.

7. Click OK.
The API key is displayed. FortiSOAR uses this key to authenticate to FortiGate.

It is important to save this API key because you will need it later when you configure
the FortiGate connector on FortiSOAR. If you close the New API key window, you
cannot access this same key again. If you lose the key or forget to save it, you can
generate a new key by clicking Regenerate on the Administrator configuration page.

8. Click Close.
9. Click OK.

Configure a New Web Filter Profile

You will configure a new web filter profile that FortiSOAR modifies to block URLs.

To configure a new web filter profile
1. Continuing on the FortiGate GUI, click Security Profiles > Web Filter.
2. Click Create New.
3. In the Name field, type FortiSOAR_URL_Block.
4. Disable FortiGuard category based filter.
5. Enable URL Filter.
6. Click Create New.
7. Configure the following settings:

Field Value

URL fortinet.com

Type Simple

Action Exempt

Status Enable

8. Click OK.
Your configuration should match the following example:

9. Click OK.
10. Log out of the FortiGate GUI.

Exercise 3: Configuring the FortiGate Connector

In this exercise, you will configure the FortiGate connector on FortiSOAR.

Configure the FortiGate Connector

The FortiGate connector allows FortiSOAR to query and make changes to a FortiGate configuration. Some
sample actions include blocking URLs, domains, applications, and IP addresses. For this task, you need the
REST API key you generated and saved in the previous exercise.

To configure the FortiGate connector


1. On the FortiSOAR GUI, log in with the username csadmin and password Fortinet1!.
2. Click Automation > Connectors.
3. Click Installed.
4. Click Fortinet FortiGate.
5. In the Configuration Name field, type FGT_Aviation.
6. Enable Mark As Default Configuration.
7. In the Hostname field, type https://10.0.3.254.
8. In the API Key field, paste the REST API key that you generated in the previous exercise.
9. Leave the Port number at the default value, which is 443.
10. In the Web Filter Profile Name field, type FortiSOAR_URL_Block.
This is the name of the web filter profile that you created on FortiGate in the previous exercise, which
FortiSOAR accesses using the REST API to apply URL and domain blocks.

11. Disable Verify SSL.

The FortiGate in this lab environment presents a self-signed certificate that FortiSOAR cannot validate against a
trusted CA. In production, install a certificate that FortiSOAR trusts and leave Verify SSL enabled; with verification
disabled, anyone who can impersonate the FortiGate on the network can capture the API key.

12. Click Save.


The value of the CONFIGURATION field is COMPLETED, and the value of the HEALTH CHECK field is
AVAILABLE.

13. Close the connector configuration page.
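The following Python client, added here as an example and not code from FortiSIEM, FortiSOAR or the FortiGate connector, shows what the two FortiGate actions in this lab look like over the FortiOS REST API: quarantining a source IP address, as the remediation script did in Exercise 1, and adding a block entry to the URL filter table behind the FortiSOAR_URL_Block web filter profile, as the FortiSOAR connector does. The host 10.0.3.254, the profile name and the IP and URL values are the lab's; the endpoint paths and the `web.urlfilter-table` field name are my reading of the FortiOS 6.x CMDB and monitor API and should be checked against your firmware. The transport is injectable, so the demo at the end runs against an in-memory fake FortiGate constructed for the example and never touches the network.

```python
"""Minimal FortiOS REST API client for the two actions this lab automates.

Added example, not Fortinet code. Endpoints used (FortiOS 6.x, verify against your version):
  POST /api/v2/monitor/user/banned/add_users          quarantine a source IP (Dashboard > Quarantine)
  GET  /api/v2/cmdb/webfilter/profile/<name>           find the profile's URL filter table id
  GET  /api/v2/cmdb/webfilter/urlfilter/<id>           list existing entries
  POST /api/v2/cmdb/webfilter/urlfilter/<id>/entries   add a block entry
"""
import json
import ssl
from typing import Callable, Optional
from urllib import request

Transport = Callable[[str, str, dict, Optional[dict]], dict]   # (method, url, headers, body) -> JSON


def urllib_transport(verify_ssl: bool = True) -> Transport:
    """Real HTTPS transport. verify_ssl=False mirrors the lab's 'Disable Verify SSL'; keep it True in production."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, url, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = request.Request(url, data=data, method=method, headers=headers)
        with request.urlopen(req, context=ctx, timeout=10) as resp:
            return json.load(resp)
    return send


class FortiOSClient:
    def __init__(self, host: str, api_key: str, transport: Transport, port: int = 443):
        self.base = f"https://{host}:{port}/api/v2"
        # The REST API admin key is sent as a bearer token on every call.
        self.headers = {"Authorization": f"Bearer {api_key}",
                        "Content-Type": "application/json", "Accept": "application/json"}
        self.send = transport

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        return self.send(method, self.base + path, self.headers, body)

    def ban_ip(self, ip: str, expiry_s: int = 0) -> dict:
        """Quarantine a source IP; expiry 0 means the ban does not expire."""
        return self._call("POST", "/monitor/user/banned/add_users",
                          {"ip_addresses": [ip], "expiry": expiry_s})

    def block_url(self, profile: str, url: str) -> dict:
        """Add a 'simple' block entry to the URL filter table referenced by the web filter profile."""
        prof = self._call("GET", f"/cmdb/webfilter/profile/{profile}")["results"][0]
        table_id = prof["web"]["urlfilter-table"]           # assumed field name, FortiOS 6.x
        if table_id == 0:
            raise RuntimeError(f"profile {profile} has no URL filter table (enable URL Filter first)")
        entries = self._call("GET", f"/cmdb/webfilter/urlfilter/{table_id}")["results"][0]["entries"]
        for e in entries:                                    # idempotent: never add a duplicate
            if e["url"] == url and e["action"] == "block":
                return {"status": "exists", "id": e["id"]}
        return self._call("POST", f"/cmdb/webfilter/urlfilter/{table_id}/entries",
                          {"url": url, "type": "simple", "action": "block", "status": "enable"})


class FakeFortiGate:
    """In-memory stand-in for FGT_Aviation, constructed for this example (not a real device)."""
    def __init__(self):
        self.banned: list = []
        self.tables = {1: {"name": "FortiSOAR_URL_Block", "entries": [
            {"id": 1, "url": "fortinet.com", "type": "simple", "action": "exempt", "status": "enable"}]}}
        self.profiles = {"FortiSOAR_URL_Block": {"web": {"urlfilter-table": 1}}}

    def __call__(self, method, url, headers, body):
        assert headers["Authorization"].startswith("Bearer "), "missing API key"
        path = url.split("/api/v2", 1)[1]
        if (method, path) == ("POST", "/monitor/user/banned/add_users"):
            self.banned.extend(body["ip_addresses"])
            return {"status": "success"}
        if method == "GET" and path.startswith("/cmdb/webfilter/profile/"):
            return {"results": [self.profiles[path.rsplit("/", 1)[1]]]}
        if method == "GET" and path.startswith("/cmdb/webfilter/urlfilter/"):
            return {"results": [self.tables[int(path.rsplit("/", 1)[1])]]}
        if method == "POST" and path.endswith("/entries"):
            tbl = self.tables[int(path.split("/")[4])]
            entry = dict(body, id=len(tbl["entries"]) + 1)
            tbl["entries"].append(entry)
            return {"status": "success", "mkey": entry["id"]}
        raise ValueError(f"unhandled {method} {path}")


def demo():
    fgt = FakeFortiGate()
    api = FortiOSClient("10.0.3.254", "REPLACE_WITH_API_KEY", transport=fgt)
    api.ban_ip("100.64.1.10")                                          # Exercise 1 remediation
    first = api.block_url("FortiSOAR_URL_Block", "upload.gumblar.cn")   # what the playbook does
    second = api.block_url("FortiSOAR_URL_Block", "upload.gumblar.cn")  # second run adds nothing
    return fgt, first, second


if __name__ == "__main__":
    fake, r1, r2 = demo()
    print(fake.banned, r1, r2, fake.tables[1]["entries"])
```

To run it against the real FGT_Aviation, pass `transport=urllib_transport(verify_ssl=False)` for the lab and the key you saved in Exercise 2; the idempotency check in `block_url` is the kind of guard a playbook should have so that re-running it on the same indicator does not pile up duplicate entries.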

Configure a Playbook to Use the FortiGate Connector

You will review the Mitigate Malicious URL playbook that uses the FortiGate connector.

To configure a playbook to use the FortiGate connector


1. Continuing on the FortiSOAR GUI, click Automation > Playbooks.
2. Click 00-LAB 13.
3. Open the Mitigate Malicious URL custom playbook.
4. Double-click the Block URL step.
Review the playbook step and verify that the Configuration field is set to FGT_Aviation. If it is not, select
FGT_Aviation in the drop-down list.

5. Click Save.
6. Click Save Playbook.
7. Log out of the FortiSOAR GUI.

Exercise 4: Mitigating Malicious IOCs

In this exercise, you will execute three different playbooks. The first playbook extracts indicators from an alert
that was ingested from FortiSIEM. The second playbook enriches the indicators that were extracted from the alert.
The third playbook blocks a malicious URL on the FGT_Aviation FortiGate.
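The following Python snippet, added here as an example and not FortiSOAR playbook code, shows the logic behind the first two playbooks: pulling URL, domain and IP indicators out of a FortiSIEM incident, dropping private addresses and duplicates, and enriching each indicator with a reputation, a description and a TLP marking. The incident detail string and the reputation feed are constructed for the example, and the `attr:value` layout of the detail text is an assumption; FortiSOAR's real playbooks use its connectors and the Indicators module.

```python
"""Extract and enrich indicators from a FortiSIEM incident (added example, not FortiSOAR code)."""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed FortiSIEM incident detail in "attr:value" form (assumed layout, not the real format).
INCIDENT_DETAIL = ("eventType:FortiSandbox-Malicious-URL, srcIpAddr:10.0.3.10, destIpAddr:203.0.113.45, "
                   "destUrl:https://upload.gumblar.cn/loader.php?id=7, httpHost:upload.gumblar.cn, "
                   "reportingIp:10.0.3.254")

# Constructed threat feed standing in for the enrichment connector.
REPUTATION_FEED = {
    "upload.gumblar.cn": {"reputation": "Malicious", "description": "Gumblar drive-by download host"},
    "203.0.113.45": {"reputation": "Suspicious", "description": "Recently seen serving redirects"},
}

URL_RE = re.compile(r"https?://[^\s,]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """Internal addresses are context, not indicators worth blocking."""
    return any(ip_address(ip) in net for net in RFC1918)


def extract_indicators(detail: str) -> list:
    """Return deduplicated indicators typed as URL / Domain / IP Address, in order of discovery."""
    found = {}
    for url in URL_RE.findall(detail):
        found[url] = {"type": "URL", "value": url}
        host = urlparse(url).hostname
        if host:
            found[host] = {"type": "Domain", "value": host}
    for ip in IPV4_RE.findall(detail):
        if not is_internal(ip):
            found[ip] = {"type": "IP Address", "value": ip}
    rest = URL_RE.sub(" ", detail)            # avoid re-matching paths such as loader.php as domains
    for dom in DOMAIN_RE.findall(rest):
        if dom not in found:
            found[dom] = {"type": "Domain", "value": dom}
    return list(found.values())


def enrich(indicator: dict, feed=REPUTATION_FEED) -> dict:
    """Set Reputation, Description and TLP, as the Enrich Indicators playbook does in the lab."""
    key = urlparse(indicator["value"]).hostname if indicator["type"] == "URL" else indicator["value"]
    info = feed.get(key, {"reputation": "Unknown", "description": ""})
    tlp = {"Malicious": "Red", "Suspicious": "Amber"}.get(info["reputation"], "White")
    return dict(indicator, **info, tlp=tlp)


if __name__ == "__main__":
    for ind in extract_indicators(INCIDENT_DETAIL):
        print(enrich(ind))
```

The private-address filter matters in practice: the source address 10.0.3.10 and the reporting FortiGate 10.0.3.254 appear in almost every incident, and an automated mitigation playbook that blindly blocks every extracted IP would cut off your own hosts.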

Extract Indicators

On FortiSOAR, there are a few built-in playbooks that you can use to extract indicators from phishing emails and
other sources. You will use a custom playbook designed to extract indicators from a FortiSIEM incident that was
ingested into FortiSOAR.

To extract indicators
1. On the FortiSOAR GUI, log in with the username csadmin and password Fortinet1!.
2. Click Incident Response > Alerts.
3. Search for the Web Traffic to FortiSandbox Malicious URLs alert.

4. Select and open this alert.


5. Scroll down to the Indicators tab.
The indicator list is empty because no indicators were extracted.

6. Scroll to the bottom of the record, and in the Execute drop-down list, select Extract Indicators from FortiSIEM
Incident custom.

The playbook executes and the following indicators are populated.

7. Close the record.

Enrich Malicious Indicators

On FortiSOAR, there are a few built-in playbooks that you can use to enrich indicators from phishing emails and
so on. You will use a custom playbook designed to enrich an indicator that was extracted from a FortiSIEM
incident.

To enrich indicators
1. Continuing on the FortiSOAR GUI, click Threat Intelligence > Indicators.
2. Search for the https://upload.gumblar.cn indicator.

3. Select and open the indicator.


4. Review the indicator.

The Reputation for the indicator is unknown, and there is no description. The indicator is linked to the Web
Traffic to FortiSandbox Malicious URLs alert.

5. Scroll to the bottom of the record, and then in the Execute drop-down list, select Enrich Indicators custom.

The playbook executes. The Reputation and Description of the indicator are updated, and the TLP is set to
Red.

6. Close the record.

Block Malicious Indicators

You will block the malicious indicator on the FGT_Aviation firewall.

To block indicators on the firewall


1. Continuing on the FortiSOAR GUI, click Threat Intelligence > Indicators.
2. Search for the https://upload.gumblar.cn indicator.
3. Select and open the indicator.
4. Scroll to the bottom of the record, and then in the Execute drop-down list, select Mitigate Malicious URL
custom.

Wait a minute for the playbook to finish executing.

5. Close the record.


6. Log out of the FortiSOAR GUI.

To verify the URL block on FortiGate


1. On the FGT_Aviation GUI, log in with the username admin and password password.
2. Click Security Profiles > Web Filter.
3. Double-click FortiSOAR_URL_Block.
Verify that the URL is added to the URL filter with a Block action.

4. Log out of the FGT_Aviation GUI.

Appendix A


No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
