(Last updated Apr 20th, 2021)
Please note that as the built-in list of connectors in Azure Sentinel is growing, this list is not actively maintained anymore. Refer to the Azure Sentinel connect...
*NOTE* We already have a support case open with the vendor (Fortinet), but so far all we've got is "we cannot help you now, we have only tested this out on virtual appliances". *NOTE*
Is there any way to change the "default query" of a connector?
We have a bunch of physical FortiGate appliances, from which log shipping in CEF format to Sentinel works fine (we can see the entries in CommonSecurityLog), but they're not logged as "Fortinet" per se.
However, the Fortinet connector says "not connected".
Our guess is that Sentinel is looking for something like this (as in one of the example queries):
... where DeviceProduct == "Fortigate" ... We assume the culprit is that it's looking for "Fortigate", not a wildcard "Fortigate*", while the Fortinet physical appliances report their model as Fortigate-$MODEL.
So... can we somehow change the "default query" for the connector to either search for "Fortigate*" or simply remove the 'where DeviceProduct == "Fortigate"' clause completely?
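As an added illustration (not code from the original post, nor from Microsoft or Fortinet), the Python below parses a few constructed CEF records the way the CommonSecurityLog DeviceVendor/DeviceProduct columns are derived from the CEF header, then compares the exact product match the post suspects the connector uses against the prefix match it proposes. The sample lines and model names (Fortigate-100F, Fortigate-VM64) are assumptions for demonstration only.

```python
import re

# Constructed sample CEF records (assumed values, not taken from any real appliance).
# CEF header order: CEF:Version|Device Vendor|Device Product|Device Version|
#                   Device Event Class ID|Name|Severity|[Extension]
SAMPLE_CEF_LINES = [
    "CEF:0|Fortinet|Fortigate-100F|v6.4.5|traffic:forward|forward|3|src=10.0.0.5 dst=10.0.0.9 proto=6",
    "CEF:0|Fortinet|Fortigate-VM64|v6.4.5|traffic:forward|forward|3|src=10.0.0.7 dst=10.0.0.9 proto=17",
    "CEF:0|Fortinet|Fortigate|v6.4.5|event:system|login|5|suser=admin",
    "CEF:0|Palo Alto Networks|PAN-OS|10.1|TRAFFIC|end|3|src=10.0.1.1",
]

HEADER_KEYS = ("Version", "DeviceVendor", "DeviceProduct", "DeviceVersion",
               "DeviceEventClassID", "Activity", "LogSeverity", "Extension")


def parse_cef_header(line):
    """Split one CEF record into its header fields plus the extension string.

    The CEF spec escapes a literal pipe inside header fields as '\\|', so only
    unescaped pipes act as delimiters. Returns None for malformed records.
    """
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        return None
    return {k: v.replace("\\|", "|") for k, v in zip(HEADER_KEYS, parts)}


def matching_products(lines, product_predicate):
    """Return DeviceProduct for each Fortinet record whose product passes the predicate."""
    matched = []
    for line in lines:
        rec = parse_cef_header(line)
        if rec is None or rec["DeviceVendor"] != "Fortinet":
            continue
        if product_predicate(rec["DeviceProduct"]):
            matched.append(rec["DeviceProduct"])
    return matched


# The comparison the post assumes the connector's health query uses.
def exact_fortigate(product):
    return product == "Fortigate"


# The prefix comparison the post proposes (equivalent of "Fortigate*" / startswith).
def prefix_fortigate(product):
    return product.startswith("Fortigate")


if __name__ == "__main__":
    print("exact match :", matching_products(SAMPLE_CEF_LINES, exact_fortigate))
    print("prefix match:", matching_products(SAMPLE_CEF_LINES, prefix_fortigate))
```

With the constructed input, only the bare "Fortigate" record satisfies the exact comparison, while all three Fortinet records satisfy the prefix comparison, which is the gap the post describes between physical appliances and the connector's detection logic.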