FortiSIEM 6.4.0 introduces the ability of enriching Analytics with information from Lookup Tables to provide insight into the data being retrieved from logs. It also introduces the ability to create Correlation Rules based on contents and conditions in one or more Lookup Tables.
New out of the box LookupTables have been included in this release, which rely on reports to create a baseline of processes and user logins:
These are accompanied by new Correlation Rules which will trigger in real-time when FortiSIEM receives an event that doesn’t match the existing baseline.
List of New Rules associated to Lookup Tables:
Lookup Tables are data dictionaries that contain mappings of unique keys to values. They allow you to reference any key or value to enrich or filter the data in your Analytics and Rules Conditions. A single lookup table can contain up to five keys and as many values as you’d like.
Lookup Tables can be populated manually, by running an on demand or scheduled report, by uploading a CSV file or by using the new Lookup Table API.
Lookup Tables are typically used for baselining and for enrichment purposes.
By using them for baselining, we can alert when an unknown occurrence shows up in the logs.
When used for enrichment, they give analysts contextual information about the attribute that they want to lookup (i.e additional user or ip information which is not present in the logs but is contained in the lookup table)
We can also use Lookup Tables to limit the events that are retrieved from the event database by returning only results that match a key in a lookup table.
FortiSIEM adds two new functions: LookupTableGet (used for enrichment and filtering purposes) and LookupTableHas (used for filtering purposes).
LookupTableHas can be either True or False. If set to True then it will filter event retrieval and only return data that is present in the Lookup Table. If set to False then it will retrieve all data when the attributes are not present in the LookupTable.
LookupTableGet retrieves a value from a lookup table and can be used as a filter or within Display fields.
FortiSIEM provides a REST API for Lookup Table management, as well as manual creation via GUI and automatic population through running reports or uploading CSVs.
Let’s go through an example of creating a Malware IP Lookup Table manually in the GUI with IP, category, country and confidence information and importing a CSV file with a list of such IPs.
Notice how you can define multiple keys for the lookup table and the type of attribute (LONG, STRING or DOUBLE).
Once table is created, you may import a CSV with this information and do the data mappings in the GUI:
Once we import the data, our lookup table will be populated.
We can now analyze permitted traffic events from our firewall and see how we can leverage our new lookup table in a few use cases.
We must specify in the query filter that we only want to return results if either the Source IP or Destination IP are in the MalwareIPList Lookup Table. We use the new function LookupTableHas(MalwareIPList : Source IP) = True OR LookupTableHas(MalwareIPList : Destination IP) to achieve this condition:
When we run the query, it will only return events where either the source or destination IP are in the lookup table:
First, we specify in the query filter that we only want to return results if either the Source IP or Destination IP are in the MalwareIPList. We use the new function LookupTableHas(MalwareIPList : Source IP) = True OR LookupTableHas(MalwareIPList : Destination IP) for this:
We must also add the relevant functions to the Display Fields:
LookupTableGet( MalwareIPList : Source IP : Category)
LookupTableGet( MalwareIPList : Source IP : Confidence)
LookupTableGet( MalwareIPList : Destination IP : Category)
When we run the query we should see the Source IP and Destination IPs enriched with information from the lookup table:
To achieve this use case we must leverage the LookupTableGet function by specifying LookupTableGet ( MalwareIPList : Source IP : Confidence ) >= 87
The exact same principle can be applied to rules.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2023 Fortinet, Inc. All Rights Reserved.