FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
koolishami
Staff
Article Id 419947
Description

This article describes how FortiSIEM extracts the username field for certain logs and provides a solution to issues that may arise from this process. It explains the Identity and Location feature in FortiSIEM and how it enriches events with user information.
Scope

FortiSIEM v7.x+.

Solution

To understand how FortiSIEM extracts the username field for any raw event logs, it is essential to know about the Identity and Location feature. This feature establishes an association between Network Identity, User Identity, and Location based on received events, such as VPN logon events. FortiSIEM then uses this information to enrich other events while parsing.


In cases where the raw event log does not contain user information, FortiSIEM may still populate a username from its Identity and Location enrichment. This can produce inaccurate results when several users are mapped to the same IP address, which is common when a device such as Zscaler performs source NAT (SNAT): the username recorded for the shared IP is attached to events that actually belong to a different user.


To address issues related to incorrect user mapping, two workarounds are available:

  1. Modify the phoenix_config.txt file on every Collector, or at least on the Collectors that produce the wrong enrichment values. Change the iplocation_update_interval from 15 minutes to 1 minute so that the user-to-IP mapping is refreshed more frequently.
  2. Disable the Identity and Location feature by removing related event types from /opt/phoenix/config/identityDef.xml. This will prevent FortiSIEM from enriching events with user information, relying solely on raw logs for incident triggers.
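The two workarounds above are file edits on the Collector, and on a production system it is worth making them in a way that keeps a backup and refuses to proceed if the file does not look as expected. The following is an added example, not Fortinet's code: only the key name iplocation_update_interval and the file name identityDef.xml come from the article. The path /opt/phoenix/config/phoenix_config.txt, the key=value layout, the assumption that the interval is stored in seconds (900 for 15 minutes, 60 for 1 minute), and the EventType element and eventType attribute used for identityDef.xml are all assumptions; check the real files on your Collector and adjust the key, tag and attribute names before running it against them.

```python
"""Added example (not Fortinet's code): apply the two Identity and Location
workarounds from the article to config files with a backup and a sanity check.
Assumptions: phoenix_config.txt uses key=value lines, the interval is in
seconds, identityDef.xml lists <EventType eventType="..."/> elements."""
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Callable

# Assumed location of the Collector config file (not stated in the article).
PHOENIX_CONFIG = Path("/opt/phoenix/config/phoenix_config.txt")
IDENTITY_DEF = Path("/opt/phoenix/config/identityDef.xml")


def set_config_value(text: str, key: str, new_value: str) -> str:
    """Return `text` with the single `key=value` line rewritten.

    Raises if the key is missing or appears more than once, so a typo in the
    key never silently leaves the old value in place or adds a duplicate."""
    pattern = re.compile(rf"^(\s*{re.escape(key)}\s*=\s*)(\S+)(.*)$", re.MULTILINE)
    matches = pattern.findall(text)
    if len(matches) != 1:
        raise ValueError(f"expected exactly one {key!r} line, found {len(matches)}")
    return pattern.sub(lambda m: f"{m.group(1)}{new_value}{m.group(3)}", text)


def drop_event_types(xml_text: str, event_types: set[str]) -> tuple[str, list[str]]:
    """Remove every element whose eventType attribute is in `event_types`.

    The element/attribute names are an assumed layout, not the real schema."""
    root = ET.fromstring(xml_text)
    removed: list[str] = []
    # Snapshot the tree first so removals do not disturb the iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            name = child.get("eventType")
            if name in event_types:
                parent.remove(child)
                removed.append(name)
    return ET.tostring(root, encoding="unicode"), removed


def edit_file(path: Path, transform: Callable[[str], str]) -> Path:
    """Back up `path` to `path.bak`, then write transform(original). Returns the backup path."""
    backup = path.with_suffix(path.suffix + ".bak")
    shutil.copy2(path, backup)
    path.write_text(transform(path.read_text()))
    return backup


# Constructed samples standing in for the real files.
SAMPLE_PHOENIX_CONFIG = """[BEGIN phParser]
iplocation_update_interval=900
[END]
"""

SAMPLE_IDENTITY_DEF = """<identityDef>
  <eventTypes>
    <EventType eventType="Example-VPN-Logon" identity="user" location="srcIp"/>
    <EventType eventType="Example-Proxy-Allow" identity="user" location="srcIp"/>
  </eventTypes>
</identityDef>
"""

if __name__ == "__main__":
    # Workaround 1: 15 minutes (900 s, assumed unit) -> 1 minute (60 s).
    print(set_config_value(SAMPLE_PHOENIX_CONFIG, "iplocation_update_interval", "60"))
    # Workaround 2: stop the SNAT'd proxy event type from feeding Identity and Location.
    new_xml, gone = drop_event_types(SAMPLE_IDENTITY_DEF, {"Example-Proxy-Allow"})
    print("removed:", gone)
    print(new_xml)
    # Against real files, wrap the transforms with edit_file(), e.g.:
    # edit_file(PHOENIX_CONFIG, lambda t: set_config_value(t, "iplocation_update_interval", "60"))
```

Run it on the samples first; the `edit_file` wrapper is what you would use on the Collector itself, and the `.bak` copy it leaves behind is the rollback if the change does not help. Restart the affected Collector processes afterwards as required by your FortiSIEM version.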


It is also important to note that truncating or resetting the Identity and Location table applies globally across all organizations in the system and cannot be done for a single tenant. Newer versions of FortiSIEM (v7.4.0 and above) have improved enrichment performance and bug fixes related to Identity and Location updates, but do not inherently bypass SNAT user-mapping limitations unless more identifiable user data is available in the logs.


For more information on the Identity and Location Dashboard, refer to the Identity and Location Dashboard document.