Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

HugoPinto
Contributor

Send Incident between Supervisors (creating a mini Super of Super(s))

Hi,

We share with you guys another MSSP that wants to centralize incidents between multiple Supervisors, with drill-down.

Supervisor A: Organization ID 2000
Supervisor B: Organization ID 3000

In this case we want to send incidents from Supervisor A -> Supervisor B

Step 1) Create an incident notification policy.

Step 2) Call a Python process to collect the XML tree from the incident.

Step 3) Collect the RAW event into a string.

Step 4) Add the string "phcustid=3000, "
             Note: phcustid is the ID of the Organization on Supervisor B.

Step 5) Merge the messages from Step 3 and Step 2; it will look like this:
            Note: <1> phcustid=3000, <123> 12-10-12 Fortigate raw......

Step 6) Go to Admin -> Organization -> Include the IP address of Super A.

Note: currently we are working on a parser for phCustID and multiple clients in the same Supervisor.


Then you will see on Supervisor B the incoming message from Supervisor A, auto-mapped to the wanted organization on Supervisor B. The message will be parsed as the original syslog, and the analysts can drill down for user and other events.

This only happens because of the PHToolBox parser, which collects phcustid and then passes it to the other messages.

In this case, when incidents are triggered, it will keep the parsing and the MITRE framework, etc.

Enjoy

Hugo Pinto
Claranet Portugal
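
The six steps above, carried through as an added example (this is not the script from the post or any FortiSIEM code): parse the incident XML, pull the raw event into a string, prefix it with `phcustid=<Organization ID>`, and emit the merged line to Supervisor B over UDP syslog. The XML element names (`incident`, `rawEvent`), the `SUPERVISOR_B_HOST` placeholder and the sample event are assumptions constructed for this example; the real incident XML tree from FortiSIEM will have its own schema, so adapt `extract_raw_event` to it.

```python
"""Forward a FortiSIEM incident's raw event to a second Supervisor, tagged with phcustid."""
import socket
import xml.etree.ElementTree as ET

# Constructed sample of an incident notification payload. The element names
# (<incident>, <rawEvent>) are assumptions for this example, not FortiSIEM's schema.
SAMPLE_INCIDENT_XML = """<incident>
  <incidentId>42</incidentId>
  <rawEvent>&lt;123&gt; 12-10-12 Fortigate raw event text</rawEvent>
</incident>"""

SUPERVISOR_B_ORG_ID = 3000                           # Organization ID on Supervisor B
SUPERVISOR_B_HOST = "SUPERVISOR_B_IP_PLACEHOLDER"    # fill in from Step 6's IP settings
SYSLOG_PORT = 514


def extract_raw_event(incident_xml: str) -> str:
    """Steps 2-3: walk the incident XML tree and return the raw event as a string."""
    root = ET.fromstring(incident_xml)
    node = root.find("rawEvent")  # assumed element name; adapt to the real schema
    if node is None or not (node.text or "").strip():
        raise ValueError("incident XML carries no raw event")
    return node.text.strip()


def build_forward_message(raw_event: str, org_id: int) -> str:
    """Steps 4-5: prefix the raw event with phcustid so Supervisor B maps it to the org."""
    if not isinstance(org_id, int) or org_id <= 0:
        raise ValueError("phcustid must be a positive integer")
    # Keep the message on one line: an embedded newline would be split at the receiver.
    raw_event = raw_event.replace("\r", " ").replace("\n", " ")
    return f"<1> phcustid={org_id}, {raw_event}"


def build_from_incident(incident_xml: str, org_id: int = SUPERVISOR_B_ORG_ID) -> str:
    """Full pipeline: incident XML -> raw event -> phcustid-tagged syslog line."""
    return build_forward_message(extract_raw_event(incident_xml), org_id)


def send_syslog_udp(message: str, host: str, port: int = SYSLOG_PORT) -> int:
    """Emit the merged line to Supervisor B as UDP syslog; returns the bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (host, port))


if __name__ == "__main__":
    line = build_from_incident(SAMPLE_INCIDENT_XML)
    print(line)  # <1> phcustid=3000, <123> 12-10-12 Fortigate raw event text
    # send_syslog_udp(line, SUPERVISOR_B_HOST)  # enable once the IP placeholder is filled in
```

Supervisor B only accepts the line once Step 6 has allow-listed Supervisor A's IP on the target Organization, so the send is left commented out until that IP and `SUPERVISOR_B_HOST` are filled in; the builder refuses an empty raw event or a non-numeric phcustid rather than emitting a line that would be parsed as garbage.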

HugoPinto
Contributor

We are sharing a development script, not a final one.

Please fill all IP settings for this to work.

We are also developing the sending of bizService, for multiple geolocations in the same tenant (like a sub-tenant, but using biz service).

HP
HugoPinto

Change the extension of the file to Python (.py).