FortiSIEM Discussions
HugoPinto
Contributor

Send Incident between Supervisors (creating a mini Super of Super(s))

Hi,

We share with you guys another MSSP that wants to centralize incidents between multiple supervisors, with drill down.

Supervisor A: Organization ID 2000
Supervisor B: Organization ID 3000

In this case we want to send incidents from Supervisor A -> Supervisor B.

Step 1) Create an incident notification policy.

Step 2) Call a Python process to collect the XML tree from the incident.

Step 3) Collect the RAW event into a string.

Step 4) Add the string "phcustid=3000, "
             Note: phcustid is the ID of the organization on Supervisor B.

Step 5) Merge the messages from step 3 and step 2; it will look like this:
            Note: <1> phcustid=3000, <123> 12-10-12 Fortigate raw......

Step 6) Go to Admin -> Organization -> Include the IP address of Super A.

Note: currently we are working on a parser for phCustID and multiple clients in the same supervisor.


Then you will see on Supervisor B the incoming message from Supervisor A, auto-mapped to the wanted organization on Supervisor B; the message will be parsed as the original syslog, and the analysts can drill down for user and other events.

This only happens because of the PHToolBox parser, which collects phcustid and then passes it to the other messages.

In this case, when an incident is triggered, it will keep the parsing, MITRE framework, etc.

Enjoy

Hugo Pinto
Claranet Portugal
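Added example, not the author's attached script and not part of the original post: a minimal Python sketch of steps 2 to 5, walking the incident XML, prefixing each raw event with the phcustid tag and sending the result to Supervisor B over UDP syslog. The incident XML element names, the sample log line and the Supervisor B address are constructed placeholders for this example only; the real FortiSIEM notification XML layout differs.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample incident XML. Element names are an assumption for this
# example; the real FortiSIEM notification XML uses its own layout.
SAMPLE_INCIDENT_XML = """<incident>
  <incidentId>4711</incidentId>
  <ruleName>Example rule</ruleName>
  <triggeringEvents>
    <event>
      <rawMessage>&lt;123&gt; 12-10-12 Fortigate raw log line</rawMessage>
    </event>
  </triggeringEvents>
</incident>"""

TARGET_ORG_ID = 3000                # Organization ID on Supervisor B (step 4)
SUPERVISOR_B = ("192.0.2.10", 514)  # placeholder, fill in Supervisor B's syslog address


def collect_raw_events(incident_xml):
    """Steps 2 and 3: walk the incident XML tree and return the raw event strings."""
    root = ET.fromstring(incident_xml)
    return [e.text.strip() for e in root.iter("rawMessage") if e.text and e.text.strip()]


def build_forward_message(raw_event, org_id, pri=1):
    """Steps 4 and 5: prefix the raw event with 'phcustid=<org>, ' so the
    PHToolBox parser on Supervisor B maps it to that organization. The raw
    event keeps its own syslog header, as in the thread's sample message."""
    if not raw_event:
        raise ValueError("empty raw event; nothing to forward")
    return "<%d> phcustid=%d, %s" % (pri, org_id, raw_event)


def forward_incident(incident_xml, org_id=TARGET_ORG_ID, dest=SUPERVISOR_B):
    """Send one UDP syslog datagram per raw event to Supervisor B; returns the messages sent."""
    messages = [build_forward_message(raw, org_id) for raw in collect_raw_events(incident_xml)]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for msg in messages:
            sock.sendto(msg.encode("utf-8"), dest)
    finally:
        sock.close()
    return messages


if __name__ == "__main__":
    for m in forward_incident(SAMPLE_INCIDENT_XML):
        print(m)
```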

2 Replies
HugoPinto
Contributor

We share a development script, not a final one.

Please fill in all IP settings for this to work.

We are developing to send bizService too, for multiple geolocations in the same tenant (like a sub-tenant but using biz service).

HP

HugoPinto

Change the extension of the file to Python (.py).