The goal of this article is to help the user create an extended report in FortiSIEM that audits, by user, any changes made to tracked devices.
The target audience is any user who wishes to run reports showing which user on the system made changes to an existing device within FortiSIEM.
Version affected: All Versions 4.x and above
This produces the original two Event Types: PH_AUDIT_DEVICE_ADDED & PH_AUDIT_DEVICE_DELETED
However, a key third Event Type is added, which reflects when a device is modified: PH_AUDIT_DEVICE_DISCOVERY_ITEM_CHANGED.
Modify the existing report to a new form, which includes the following definition:
Attribute | Operator | Value | Next Op |
System Event Category | = | 2 | AND |
Event Type | IN | PH_AUDIT_DEVICE_DELETED, PH_AUDIT_DEVICE_ADDED, PH_AUDIT_DEVICE_DISCOVERY_ITEM_CHANGED | |
In addition, include the Attribute “User” in the Display Columns, as it is part of the original Audit Report. For optimal user-based reporting, place it as the first column on the report and, at a minimum, order the report by this display column.
[Figure: example of said report configuration]
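The report's filter and ordering, applied offline to a constructed CSV export, as an added example (not Fortinet's code and not part of the original article). The CSV column layout, the sample rows, the placeholder event type EXAMPLE_UNRELATED_EVENT and the "(no user)" label are assumptions made for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Event types named in the report definition above.
DEVICE_AUDIT_EVENT_TYPES = {
    "PH_AUDIT_DEVICE_ADDED",
    "PH_AUDIT_DEVICE_DELETED",
    "PH_AUDIT_DEVICE_DISCOVERY_ITEM_CHANGED",
}

# Constructed sample export; the column layout is an assumption, not FortiSIEM's own format.
SAMPLE_CSV = """\
Event Receive Time,User,Event Type,System Event Category,Host Name
2024-03-01 09:12:44,bob,PH_AUDIT_DEVICE_DISCOVERY_ITEM_CHANGED,2,fw-edge-01
2024-03-01 09:15:02,alice,PH_AUDIT_DEVICE_ADDED,2,sw-core-02
2024-03-01 09:20:10,alice,EXAMPLE_UNRELATED_EVENT,2,supervisor
2024-03-01 10:01:37,alice,PH_AUDIT_DEVICE_DELETED,2,sw-lab-09
2024-03-01 10:05:00,carol,PH_AUDIT_DEVICE_ADDED,0,sw-lab-10
2024-03-01 11:45:19,,PH_AUDIT_DEVICE_DISCOVERY_ITEM_CHANGED,2,fw-edge-01
"""

def matches_report(row):
    """System Event Category = 2 AND Event Type IN (the three device audit types)."""
    return (row["System Event Category"].strip() == "2"
            and row["Event Type"].strip() in DEVICE_AUDIT_EVENT_TYPES)

def device_changes_by_user(csv_text):
    """Return matching rows ordered by User (the first display column), then by time."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text)) if matches_report(r)]
    for r in rows:
        r["User"] = r["User"].strip() or "(no user)"  # keep unattributed changes visible
    return sorted(rows, key=lambda r: (r["User"].lower(), r["Event Receive Time"]))

def summarize(rows):
    """Count each device audit event type per user."""
    summary = defaultdict(Counter)
    for r in rows:
        summary[r["User"]][r["Event Type"]] += 1
    return {user: dict(counts) for user, counts in summary.items()}

if __name__ == "__main__":
    rows = device_changes_by_user(SAMPLE_CSV)
    for r in rows:
        print(f'{r["User"]:<10} {r["Event Receive Time"]}  {r["Event Type"]:<40} {r["Host Name"]}')
    print(summarize(rows))
```

Rows with an empty User value are kept under "(no user)" rather than dropped, so a device change without an attributed user still appears in the per-user view.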
Copyright 2024 Fortinet, Inc. All Rights Reserved.