The following snippet summarizes the steps necessary to configure FortiSIEM to provide the FortiGate with IP addresses that have been associated with suspicious or malicious activity. The deployment expects that the customer has deployed FortiSIEM (either on premise or FortiSIEM Cloud) and a FortiGate that will consume the FortiSIEM watchlist for network enforcement. To view the complete guide, go to Agentless ZTNA with FortiSIEM UEBA and FortiGate.
FortiSIEM UEBA Telemetry
For the most complete visibility of user activity, the deployment of FortiSIEM Agents with UEBA enabled is recommended. This allows for detailed user activity to be collected without the need to enable any specific Microsoft Windows auditing.
Native Windows as UEBA Telemetry
Where an agent cannot be deployed, events can still be collected from the Windows device using an agentless method such as OMI. However, roughly 50% of the data the UEBA ML model needs will be missing.
Other Infrastructure Logs
Understanding user behavior does not rely solely on UEBA and ML models. More traditional SIEM correlation rules, as well as specific statistical rules, can improve detection and identify user anomalies and potentially malicious behavior.
Sharing Information with FortiGate
FortiGate uses a Security Fabric Threat Feed integration to connect to FortiSIEM through the watchlist API and pull back the list of IP addresses.
The IP addresses can then be used in a number of scenarios that include:
The high-level deployment plan is as follows:
FortiSIEM - Install FortiSIEM Agents and enable UEBA where licensed. Specific steps to deploy and enable can be found in the Windows Agent Installation Guide.
FortiSIEM - Define the IP watchlist.
FortiSIEM - Import the custom rules.
FortiSIEM - Customize the rules to reference the watchlists.
FortiGate - Configure the FortiGate to collect the IPs from the Fabric watchlists.
FortiGate - Configure the use case for FortiGate consumption of the IP address Threat Feed.
For detailed instructions on the deployment steps, see Agentless ZTNA with FortiSIEM UEBA and FortiGate > Deployment Procedures.
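As an added example (not Fortinet's code), the following Python check validates a FortiSIEM watchlist export before the FortiGate enforces it. It assumes the feed is plain text with one IPv4/IPv6 address or CIDR per line (the format a FortiGate IP-address Threat Feed reads), uses a constructed sample feed, and a hypothetical CRITICAL_HOSTS allowlist of infrastructure that a UEBA false positive must never block.

```python
"""Sanity-check a FortiSIEM watchlist export before FortiGate consumes it.

Added example, not Fortinet code. Assumes the feed is plain text with one
IPv4/IPv6 address or CIDR per line and '#' comments; CRITICAL_HOSTS is a
hypothetical, site-specific allowlist.
"""
import ipaddress

# Hypothetical infrastructure that a UEBA-derived feed must never block
# (e.g. domain controllers, DNS resolvers, the FortiSIEM supervisor itself).
CRITICAL_HOSTS = {"10.0.0.10", "10.0.0.11", "10.0.5.20"}

# Constructed sample of a watchlist export: a comment, a duplicate, a subnet,
# a critical host, a typo (letter O instead of zero) and an IPv6 address.
SAMPLE_FEED = """\
# FortiSIEM watchlist export (constructed sample)
10.20.31.44
10.20.31.44
10.20.40.0/24
10.0.0.10
10.20.31.4O
2001:db8::1
"""


def parse_feed(text):
    """Return (accepted, rejected): accepted is a sorted, de-duplicated list of
    CIDR strings; rejected maps each unusable line to the reason it was dropped."""
    accepted, rejected = set(), {}
    critical = {ipaddress.ip_address(h) for h in CRITICAL_HOSTS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)  # host -> /32 or /128
        except ValueError:
            rejected[line] = "not an IP address or CIDR"
            continue
        hit = sorted(str(h) for h in critical if h in net)
        if hit:  # an entry that would cut off infrastructure is held back for review
            rejected[line] = "covers critical host " + ",".join(hit)
            continue
        accepted.add(net)
    ordered = sorted(accepted, key=lambda n: (n.version, n))
    return [str(n) for n in ordered], rejected


def render_feed(accepted):
    """Emit the cleaned list in the one-entry-per-line form the FortiGate pulls."""
    return "\n".join(accepted) + "\n"
```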
Copyright 2024 Fortinet, Inc. All Rights Reserved.