Help
FortiSIEM Discussions
HugoPinto
Contributor

Created on ‎07-29-2020 03:10 PM

Send Incident between Supervisors (creating a mini Super of Super(s))

Hi,

We share with you guys, another MSSP that want to centralize incidents between multiple supervisors, with drill down.

Supervisot A: Organization ID 2000
Supervisor B: Organization ID 3000

In this case we want to send incidents from Supervisor A -> Supervisor B

Step 1) Create incident notification policy,

Step 2 ) Call a Python Procces to collect XML tree from the incident.

Step 3) Collect RAW Event into a String.

Step 4) Add a string "phcustid=3000, "
             Note: phcustid is the ID of the Organization on Supervisor B.

Step 5) merge message from step3 and step 2 it will be like this
            Note: <1> phcustid=3000, <123> 12-10-12 Fortigate raw......

Step 6) Go to Admin -> Organization -> Incluide IP address of Super A

Note: current we are working on Parser for phCustID and Multipleclients in same supervisor.


Then you will see on Supervisor B, the incomming message from Supervisor A, and auto mapping to the wanted organization on Supervisor B, the message will be parsed as the original Syslog, and the analysts can drill down for user, and other events.

This is only happend because of the Parser PHToolBox, that collects phcustid and then pass to the other messages.

In this case when incidents is trigerred, will keep the parsing and MitreFramework, etc... 

Enjoi

Hugo Pinto
Claranet Portugal

433
0 Kudos
2 REPLIES 2
HugoPinto
Contributor

Created on ‎07-30-2020 02:56 AM

We share a Development script, not a final one.

Please fill all IP settings for this to work.

We are developing to send bizService to, for Multiple Geolocations in same tenant (like a sub-tenant but using biz service).

HP-------------------------------------------
Original Message:
Sent: Jul 29, 2020 03:09 PM
From: Hugo Pinto
Subject: Send Incident between Supervisors (creating a mini Super of Super(s))

Hi,

We share with you guys, another MSSP that want to centralize incidents between multiple supervisors, with drill down.

Supervisot A: Organization ID 2000
Supervisor B: Organization ID 3000

In this case we want to send incidents from Supervisor A -> Supervisor B

Step 1) Create incident notification policy,

Step 2 ) Call a Python Procces to collect XML tree from the incident.

Step 3) Collect RAW Event into a String.

Step 4) Add a string "phcustid=3000, "
             Note: phcustid is the ID of the Organization on Supervisor B.

Step 5) merge message from step3 and step 2 it will be like this
            Note: <1> phcustid=3000, <123> 12-10-12 Fortigate raw......

Then you will see on Supervisor B, the incomming message from Supervisor A, and auto mapping to the wanted organization on Supervisor B, the message will be parsed as the original Syslog, and the analysts can drill down for user, and other events.

This is only happend because of the Parser PHToolBox, that collects phcustid and then pass to the other messages.

In this case when incidents is trigerred, will keep the parsing and MitreFramework, etc... 

Enjoi

Hugo Pinto
Claranet Portugal

433
0 Kudos
HugoPinto
Contributor
In response to HugoPinto

Created on ‎07-30-2020 02:58 AM

change the extension of the file to Python. (py)-------------------------------------------
Original Message:
Sent: Jul 30, 2020 02:56 AM
From: Hugo Pinto
Subject: Send Incident between Supervisors (creating a mini Super of Super(s))

We share a Development script, not a final one.

Please fill all IP settings for this to work.

We are developing to send bizService to, for Multiple Geolocations in same tenant (like a sub-tenant but using biz service).

HP
Original Message:
Sent: Jul 29, 2020 03:09 PM
From: Hugo Pinto
Subject: Send Incident between Supervisors (creating a mini Super of Super(s))

Hi,

We share with you guys, another MSSP that want to centralize incidents between multiple supervisors, with drill down.

Supervisot A: Organization ID 2000
Supervisor B: Organization ID 3000

In this case we want to send incidents from Supervisor A -> Supervisor B

Step 1) Create incident notification policy,

Step 2 ) Call a Python Procces to collect XML tree from the incident.

Step 3) Collect RAW Event into a String.

Step 4) Add a string "phcustid=3000, "
             Note: phcustid is the ID of the Organization on Supervisor B.

Step 5) merge message from step3 and step 2 it will be like this
            Note: <1> phcustid=3000, <123> 12-10-12 Fortigate raw......

Then you will see on Supervisor B, the incomming message from Supervisor A, and auto mapping to the wanted organization on Supervisor B, the message will be parsed as the original Syslog, and the analysts can drill down for user, and other events.

This is only happend because of the Parser PHToolBox, that collects phcustid and then pass to the other messages.

In this case when incidents is trigerred, will keep the parsing and MitreFramework, etc... 

Enjoi

Hugo Pinto
Claranet Portugal

433
0 Kudos
Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.