FortiSIEM 6.4.0 introduces the ability to enrich Analytics with information from Lookup Tables to provide insight into the data being retrieved from logs. It also introduces the ability to create Correlation Rules based on contents and conditions in one or more Lookup Tables.
New out-of-the-box Lookup Tables have been included in this release, which rely on reports to create a baseline of processes and user logins:
AWSLoginCountry – Source countries for successful AWS login
AzurePortalLoginCountry – Source countries for successful Azure Portal login
GSuiteLoginCountry – Source countries for successful GCP login
CommonLinuxProcess – Common Linux Process Created
CommonWindowsProcess – Common Windows Process Created
O365MailLoginCountry – Source countries for successful O365 Mail login
ServerLogin – Servers that users login to
VPNLoginCountry – Source countries for Successful VPN Login
These are accompanied by new Correlation Rules, which trigger in real time when FortiSIEM receives an event that doesn’t match the existing baseline.
List of new Rules associated with Lookup Tables:
Uncommon AWS Console Login
Uncommon Azure Portal Login
Uncommon GSuite Login
Uncommon Linux process Created
Uncommon Office365 Mail Login
Uncommon Server Login
Uncommon VPN Login
Uncommon Windows process Creat
What are Lookup Tables?
Lookup Tables are data dictionaries that contain mappings of unique keys to values. They allow you to reference any key or value to enrich or filter the data in your Analytics and Rules Conditions. A single lookup table can contain up to five keys and as many values as you’d like.
Lookup Tables can be populated manually, by running an on-demand or scheduled report, by uploading a CSV file, or by using the new Lookup Table API.
Why Should I Use Them?
Lookup Tables are typically used for baselining and for enrichment purposes.
By using them for baselining, we can alert when an unknown occurrence shows up in the logs.
When used for enrichment, they give analysts contextual information about the attribute that they want to look up (i.e. additional user or IP information which is not present in the logs but is contained in the lookup table).
We can also use Lookup Tables to limit the events that are retrieved from the event database by returning only results that match a key in a lookup table.
How does FortiSIEM Implement Lookup Tables?
FortiSIEM adds two new functions: LookupTableGet (used for enrichment and filtering purposes) and LookupTableHas (used for filtering purposes).
LookupTableHas can be either True or False. If set to True, it filters event retrieval and returns only data that is present in the Lookup Table. If set to False, it retrieves all data whose attributes are not present in the Lookup Table.
LookupTableGet retrieves a value from a lookup table and can be used as a filter or within Display fields.
FortiSIEM provides a REST API for Lookup Table management, as well as manual creation via GUI and automatic population through running reports or uploading CSVs.
Let’s go through an example of creating a Malware IP Lookup Table manually in the GUI with IP, category, country and confidence information and importing a CSV file with a list of such IPs.
Notice how you can define multiple keys for the lookup table and the type of attribute (LONG, STRING or DOUBLE).
Once the table is created, you may import a CSV with this information and do the data mappings in the GUI:
Once we import the data, our lookup table will be populated.
We can now analyze permitted traffic events from our firewall and see how we can leverage our new lookup table in a few use cases.
Use Case #1 – Show only Permitted Traffic where either the source or destination IP belongs to our MalwareIPList
We must specify in the query filter that we only want to return results if either the Source IP or the Destination IP is in the MalwareIPList Lookup Table. We use the new function LookupTableHas(MalwareIPList : Source IP) = True OR LookupTableHas(MalwareIPList : Destination IP) = True to achieve this condition:
When we run the query, it will only return events where either the source or the destination IP is in the lookup table:
Use Case #2 – Enrich the results of Permitted Traffic IPs that exist in the MalwareIPList by adding Confidence level and Category
First, we specify in the query filter that we only want to return results if either the Source IP or the Destination IP is in the MalwareIPList. We use the new function LookupTableHas(MalwareIPList : Source IP) = True OR LookupTableHas(MalwareIPList : Destination IP) = True for this:
We must also add the relevant functions to the Display Fields:
LookupTableGet( MalwareIPList : Source IP : Category)
LookupTableGet( MalwareIPList : Source IP : Confidence)
LookupTableGet( MalwareIPList : Destination IP : Category)
When we run the query, we should see the Source IPs and Destination IPs enriched with information from the lookup table:
Use Case #3 – Show only Permitted Traffic where the confidence level of the Source IP is greater than or equal to 87
To achieve this use case, we must leverage the LookupTableGet function by specifying LookupTableGet ( MalwareIPList : Source IP : Confidence ) >= 87.
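The three use cases above, modelled in Python as an added example (this is not Fortinet code and not how FortiSIEM implements these functions). The CSV rows, the events, the column names and the rule that a key missing from the table yields None are all assumptions made for this sketch.

```python
import csv
import io

# Constructed sample data: columns mirror the article's MalwareIPList
# (IP is the key; category, country and confidence are values).
MALWARE_CSV = """ip,category,country,confidence
203.0.113.10,botnet,Exampleland,95
198.51.100.7,phishing,Exampleland,60
"""
# Column types as chosen when the table is defined (STRING or LONG here).
COLUMN_TYPES = {"ip": str, "category": str, "country": str, "confidence": int}

def load_table(text, key="ip"):
    """Build {key: {column: typed value}} from CSV text, like a table import."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        typed = {col: COLUMN_TYPES[col](val) for col, val in row.items()}
        table[typed[key]] = typed
    return table

def lookup_table_has(table, key):
    return key in table

def lookup_table_get(table, key, column):
    # Assumption of this model: a key missing from the table yields None.
    row = table.get(key)
    return None if row is None else row[column]

# Constructed permitted-traffic events (documentation and private addresses).
EVENTS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10"},
    {"src": "198.51.100.7", "dst": "10.0.0.8"},
    {"src": "10.0.0.5", "dst": "192.0.2.44"},
    {"src": "203.0.113.10", "dst": "10.0.0.9"},
]

def use_case_1(table, events):  # Has(src) = True OR Has(dst) = True
    return [e for e in events
            if lookup_table_has(table, e["src"]) or lookup_table_has(table, e["dst"])]

def use_case_2(table, events):  # same filter, plus the three display fields
    return [dict(e,
                 src_category=lookup_table_get(table, e["src"], "category"),
                 src_confidence=lookup_table_get(table, e["src"], "confidence"),
                 dst_category=lookup_table_get(table, e["dst"], "category"))
            for e in use_case_1(table, events)]

def use_case_3(table, events, threshold=87):  # Get(src : Confidence) >= 87
    confs = ((e, lookup_table_get(table, e["src"], "confidence")) for e in events)
    return [e for e, c in confs if c is not None and c >= threshold]
```

In this model an event whose Source IP is not in the table never satisfies the Use Case #3 comparison, and in Use Case #2 the enrichment column for the side that is not listed stays empty.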