Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 7.0.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    User Guide

    Home FortiSIEM 7.0.0 User Guide
    7.0.0
    7.5.0
    7.4.2
    7.4.1
    7.4.0
    7.3.5
    7.3.4
    7.3.3
    7.3.2
    7.3.1
    7.3.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.9
    7.1.8
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    4.10.0
    4.9.0
    4.8.1
    4.7.2

    Custom WMI Monitor for Windows Domain and Physical Registry

    Custom WMI Monitor for Windows Domain and Physical Registry

    Planning

    Mapping Windows WMI Classes to FortiSIEM Event Attribute Types

    If you run the command wmic -U <domain>/<user>%<pwd> //<ip> "select * from Win32_ComputerSystem against a Windows server, you will see an output similar to this:

    CLASS: Win32_ComputerSystem
AdminPasswordStatus::SEP::AutomaticManagedPagefile::SEP::AutomaticResetBootOption::SEP::AutomaticResetCapability::SEP::BootOptionOnLimit::SEP::BootOptionOnWatchDog::SEP::BootROMSupported::SEP::BootupState::SEP::Caption::SEP::ChassisBootupState::SEP::CreationClassName::SEP::CurrentTimeZone::SEP::DaylightInEffect::SEP::Description::SEP::DNSHostName::SEP::Domain::SEP::DomainRole::SEP::EnableDaylightSavingsTime::SEP::FrontPanelResetStatus::SEP::InfraredSupported::SEP::InitialLoadInfo::SEP::InstallDate::SEP::KeyboardPasswordStatus::SEP::LastLoadInfo::SEP::Manufacturer::SEP::Model::SEP::Name::SEP::NameFormat::SEP::NetworkServerModeEnabled::SEP::NumberOfLogicalProcessors::SEP::NumberOfProcessors::SEP::OEMLogoBitmap::SEP::OEMStringArray::SEP::PartOfDomain::SEP::PauseAfterReset::SEP::PCSystemType::SEP::PowerManagementCapabilities::SEP::PowerManagementSupported::SEP::PowerOnPasswordStatus::SEP::PowerState::SEP::PowerSupplyState::SEP::PrimaryOwnerContact::SEP::PrimaryOwnerName::SEP::ResetCapability::SEP::ResetCount::SEP::ResetLimit::SEP::Roles::SEP::Status::SEP::SupportContactDescription::SEP::SystemStartupDelay::SEP::SystemStartupOptions::SEP::SystemStartupSetting::SEP::SystemType::SEP::ThermalState::SEP::TotalPhysicalMemory::SEP::UserName::SEP::WakeUpType::SEP::Workgroup

1::SEP::True::SEP::True::SEP::True::SEP::3::SEP::3::SEP::True::SEP::Normal boot::SEP::WIN2008-ADS::SEP::3::SEP::Win32_ComputerSystem::SEP::-420::SEP::True::SEP::AT/AT COMPATIBLE::SEP::WIN2008-ADS::SEP::FortiSIEM.net::SEP::5::SEP::True::SEP::3::SEP::False::SEP::NULL::SEP::(null)::SEP::3::SEP::(null)::SEP::VMware, Inc.::SEP::VMware Virtual Platform::SEP::WIN2008-ADS::SEP::(null)::SEP::True::SEP::1::SEP::1::SEP::NULL::SEP::([MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7],Welcome to the Virtual Machine)::SEP::True::SEP::3932100000::SEP::0::SEP::NULL::SEP::False::SEP::0::SEP::0::SEP::3::SEP::(null)::SEP::Windows User::SEP::1::SEP::-1::SEP::-1::SEP::(LM_Workstation,LM_Server,Primary_Domain_Controller,Timesource,NT,DFS)::SEP::OK::SEP::NULL::SEP::0::SEP::NULL::SEP::0::SEP::X86-based PC::SEP::3::SEP::4293496832::SEP::FortiSIEM\Administrator::SEP::6::SEP::(null)

    From this output you can see that the Win32_ComputerSystem WMI class has two attributes:

    • Domain
    • TotalPhysicalMemory

    From these outputs you can see that if you want to create a performance monitor for Windows Domain and Physical Registry, you must:

    1. Create an event type, PH_DEV_MON_CUST_WIN_MEM, that will contain the event attribute types Domain and memTotalMB, both of which are already contained in the FortiSIEM event attribute types library.
    2. Create the mapping between the WMI class attributes and the FortiSIEM event attribute types:
      • WMI class attribute Domain and Domain.
      • WMI class attribute TotalPhysicalMemory (Bytes) and memTotalMB (type INT64). Because TotalPhysicalMemory returns in bytes, and memTotalMB is in INT64, a transform will be required to convert the metrics.

    Creating New Device Types, Event Attributes, and Event Types

    To create these items, go to ADMIN > Device Support, and select the appropriate tab(s) to start.

    • Device Type

      Since Microsoft Windows is supported by FortiSIEM, you don't need to create a new device type.

    • Event Attribute Types and Event Types

      Both Domain and memTotalMB are included in the FortiSIEM event attribute type library, so you only need to create a new event type, PH_DEV_MON_CUST_WIN_MEM, that will contain them.

    • Naming Custom Event Types

      All custom event types must begin with the prefix PH_DEV_MON_CUST_ .

    Name

    Device Type

    		 Severity Description
    PH_DEV_MON_CUST_WIN_MEM Microsoft Windows 0 - Low Windows Domain and Memory

    Adding the Microsoft Windows WMI Performance Object

    In this case, you will create one performance object that will map the WMI Class attributes to the FortiSIEM event attribute types Domain and memTotalMB, and then associate them with the PH_DEV_MON_CUST_WIN_MEM event type. When you create the memTotalMB mapping you will also add a transform to convert bytes to INT64 as shown in the second table.

    Performance Object Configuration for Event Type PH_DEV_MON_CUST_DLINK_UPTIME

    Field Setting
    Name WinMem
    Type System
    Method WMI
    Parent Class Win32_ComputerSystem
    Parent Class is Table <left cleared>
    List of Attributes

    AttributeFormatTypeEvent Attribute
    DomainStringRawValuedomain
    TotalPhysicalMemoryIntegerRawValuememTotalMB
    Event Type PH_DEV_MON_CUST_WIN_MEM
    Polling Frequency 20 seconds

    Transform Formula for TotalPhysicalMemory Event Attribute Type

    Type Formula
    custom TotalPhysicalMemory/1024/1024

    Associating Device Types to Performance Objects

    In this example, you must associate Microsoft Windows device types to the performance object.

    Edit Device to Performance Object

    Field Settings
    Name WinMisc
    Device Types
    • Microsoft Windows
    • Microsoft Windows NT
    • Microsoft Windows Server 2000
    • Microsoft Windows Server 2003
    • Microsoft Windows Server 2008
    • Microsoft Windows Vista
    • Microsoft Windows XP
    Perf Objects
    • WinMem(WMI) - DefaultInterval:0.33mins

    Testing the Performance Monitor

    Before testing the monitor, make sure you have defined the access credentials for the server, created the IP address to credentials mapping, and tested connectivity.

    1. Go to ADMIN > Device Support > Monitoring.
    2. Select one of the performance monitors you created, and then click Test.
    3. For IP, enter the address of the Microsoft Windows server, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
    4. Click Test.
      You should see succeed under Result, and the parsed event attributes in the test result pane.
    5. When the test succeeds, click Close, and then click Apply to register the new monitor with the back-end module.

    Enabling the Performance Monitor

    1. Discover or re-discover the device you want to monitor.
    2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

    Writing Queries for the Performance Metrics

    You can now use a simple query to make sure that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.

    Create a structured historical search with these settings:

    Filter Criteria Display Columns Time For Organizations
    Host IP = <IP> AND Event Type = " PH_DEV_MON_CUST_WIN_MEM";Group by:[None] Event Receive Time,Reporting IP,Domain,Total Memory (MB) Last 10 Minutes All
    Previous
    Next

    Custom WMI Monitor for Windows Domain and Physical Registry

    Custom WMI Monitor for Windows Domain and Physical Registry

    Planning

    Mapping Windows WMI Classes to FortiSIEM Event Attribute Types

    If you run the command wmic -U <domain>/<user>%<pwd> //<ip> "select * from Win32_ComputerSystem against a Windows server, you will see an output similar to this:

    CLASS: Win32_ComputerSystem
AdminPasswordStatus::SEP::AutomaticManagedPagefile::SEP::AutomaticResetBootOption::SEP::AutomaticResetCapability::SEP::BootOptionOnLimit::SEP::BootOptionOnWatchDog::SEP::BootROMSupported::SEP::BootupState::SEP::Caption::SEP::ChassisBootupState::SEP::CreationClassName::SEP::CurrentTimeZone::SEP::DaylightInEffect::SEP::Description::SEP::DNSHostName::SEP::Domain::SEP::DomainRole::SEP::EnableDaylightSavingsTime::SEP::FrontPanelResetStatus::SEP::InfraredSupported::SEP::InitialLoadInfo::SEP::InstallDate::SEP::KeyboardPasswordStatus::SEP::LastLoadInfo::SEP::Manufacturer::SEP::Model::SEP::Name::SEP::NameFormat::SEP::NetworkServerModeEnabled::SEP::NumberOfLogicalProcessors::SEP::NumberOfProcessors::SEP::OEMLogoBitmap::SEP::OEMStringArray::SEP::PartOfDomain::SEP::PauseAfterReset::SEP::PCSystemType::SEP::PowerManagementCapabilities::SEP::PowerManagementSupported::SEP::PowerOnPasswordStatus::SEP::PowerState::SEP::PowerSupplyState::SEP::PrimaryOwnerContact::SEP::PrimaryOwnerName::SEP::ResetCapability::SEP::ResetCount::SEP::ResetLimit::SEP::Roles::SEP::Status::SEP::SupportContactDescription::SEP::SystemStartupDelay::SEP::SystemStartupOptions::SEP::SystemStartupSetting::SEP::SystemType::SEP::ThermalState::SEP::TotalPhysicalMemory::SEP::UserName::SEP::WakeUpType::SEP::Workgroup

1::SEP::True::SEP::True::SEP::True::SEP::3::SEP::3::SEP::True::SEP::Normal boot::SEP::WIN2008-ADS::SEP::3::SEP::Win32_ComputerSystem::SEP::-420::SEP::True::SEP::AT/AT COMPATIBLE::SEP::WIN2008-ADS::SEP::FortiSIEM.net::SEP::5::SEP::True::SEP::3::SEP::False::SEP::NULL::SEP::(null)::SEP::3::SEP::(null)::SEP::VMware, Inc.::SEP::VMware Virtual Platform::SEP::WIN2008-ADS::SEP::(null)::SEP::True::SEP::1::SEP::1::SEP::NULL::SEP::([MS_VM_CERT/SHA1/27d66596a61c48dd3dc7216fd715126e33f59ae7],Welcome to the Virtual Machine)::SEP::True::SEP::3932100000::SEP::0::SEP::NULL::SEP::False::SEP::0::SEP::0::SEP::3::SEP::(null)::SEP::Windows User::SEP::1::SEP::-1::SEP::-1::SEP::(LM_Workstation,LM_Server,Primary_Domain_Controller,Timesource,NT,DFS)::SEP::OK::SEP::NULL::SEP::0::SEP::NULL::SEP::0::SEP::X86-based PC::SEP::3::SEP::4293496832::SEP::FortiSIEM\Administrator::SEP::6::SEP::(null)

    From this output you can see that the Win32_ComputerSystem WMI class has two attributes:

    • Domain
    • TotalPhysicalMemory

    From these outputs you can see that if you want to create a performance monitor for Windows Domain and Physical Registry, you must:

    1. Create an event type, PH_DEV_MON_CUST_WIN_MEM, that will contain the event attribute types Domain and memTotalMB, both of which are already contained in the FortiSIEM event attribute types library.
    2. Create the mapping between the WMI class attributes and the FortiSIEM event attribute types:
      • WMI class attribute Domain and Domain.
      • WMI class attribute TotalPhysicalMemory (Bytes) and memTotalMB (type INT64). Because TotalPhysicalMemory returns in bytes, and memTotalMB is in INT64, a transform will be required to convert the metrics.

    Creating New Device Types, Event Attributes, and Event Types

    To create these items, go to ADMIN > Device Support, and select the appropriate tab(s) to start.

    • Device Type

      Since Microsoft Windows is supported by FortiSIEM, you don't need to create a new device type.

    • Event Attribute Types and Event Types

      Both Domain and memTotalMB are included in the FortiSIEM event attribute type library, so you only need to create a new event type, PH_DEV_MON_CUST_WIN_MEM, that will contain them.

    • Naming Custom Event Types

      All custom event types must begin with the prefix PH_DEV_MON_CUST_ .

    Name

    Device Type

    		 Severity Description
    PH_DEV_MON_CUST_WIN_MEM Microsoft Windows 0 - Low Windows Domain and Memory

    Adding the Microsoft Windows WMI Performance Object

    In this case, you will create one performance object that will map the WMI Class attributes to the FortiSIEM event attribute types Domain and memTotalMB, and then associate them with the PH_DEV_MON_CUST_WIN_MEM event type. When you create the memTotalMB mapping you will also add a transform to convert bytes to INT64 as shown in the second table.

    Performance Object Configuration for Event Type PH_DEV_MON_CUST_DLINK_UPTIME

    Field Setting
    Name WinMem
    Type System
    Method WMI
    Parent Class Win32_ComputerSystem
    Parent Class is Table <left cleared>
    List of Attributes

    AttributeFormatTypeEvent Attribute
    DomainStringRawValuedomain
    TotalPhysicalMemoryIntegerRawValuememTotalMB
    Event Type PH_DEV_MON_CUST_WIN_MEM
    Polling Frequency 20 seconds

    Transform Formula for TotalPhysicalMemory Event Attribute Type

    Type Formula
    custom TotalPhysicalMemory/1024/1024

    Associating Device Types to Performance Objects

    In this example, you must associate Microsoft Windows device types to the performance object.

    Edit Device to Performance Object

    Field Settings
    Name WinMisc
    Device Types
    • Microsoft Windows
    • Microsoft Windows NT
    • Microsoft Windows Server 2000
    • Microsoft Windows Server 2003
    • Microsoft Windows Server 2008
    • Microsoft Windows Vista
    • Microsoft Windows XP
    Perf Objects
    • WinMem(WMI) - DefaultInterval:0.33mins

    Testing the Performance Monitor

    Before testing the monitor, make sure you have defined the access credentials for the server, created the IP address to credentials mapping, and tested connectivity.

    1. Go to ADMIN > Device Support > Monitoring.
    2. Select one of the performance monitors you created, and then click Test.
    3. For IP, enter the address of the Microsoft Windows server, and select either the Supervisor or Collector node that will retrieve the information for this monitor.
    4. Click Test.
      You should see succeed under Result, and the parsed event attributes in the test result pane.
    5. When the test succeeds, click Close, and then click Apply to register the new monitor with the back-end module.

    Enabling the Performance Monitor

    1. Discover or re-discover the device you want to monitor.
    2. Once the device is successfully discovered, make sure that the monitor is enabled and pulling metrics.

    Writing Queries for the Performance Metrics

    You can now use a simple query to make sure that the metrics are pulled correctly. The search results should display the metrics for the event attributes you defined.

    Create a structured historical search with these settings:

    Filter Criteria Display Columns Time For Organizations
    Host IP = <IP> AND Event Type = " PH_DEV_MON_CUST_WIN_MEM";Group by:[None] Event Receive Time,Reporting IP,Domain,Total Memory (MB) Last 10 Minutes All
    Previous
    Next