Forum Discussion

JMSHW0420
Iron Contributor
Jan 23, 2023

KQL Queries: Fortinet

I am looking to extract from Fortinet log(s) any DNS events which are deemed high risk. I have written this query BUT could do with some advice on how to improve it or identify other related que...
  • Clive_Watson
    Jan 23, 2023

    JMSHW0420
    Maybe look at ASIM:

    1. Look at the ASIM parser for Fortigate to get some of the columns you may need in a normalized way (you may want to adopt the column naming to get your finished query aligned to ASIM now; that way, if Forti releases a parser, you are probably virtually ready to use it).

    2. Look at the other DNS ASIM parsers; whilst there isn't one for Forti (yet), you may get some ideas.


    3. Also look at the DNS queries that use ASIM: Azure-Sentinel/Detections/ASimDNS at master · Azure/Azure-Sentinel (github.com)
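The following KQL is an added illustration of the column-alignment advice above; it is not part of either poster's message and not an official ASIM parser. It assumes FortiGate events arrive in Sentinel's CommonSecurityLog table through the CEF connector with DeviceVendor "Fortinet", that DNS-filter attributes (qname, qtype, catdesc) are carried as key=value pairs in AdditionalExtensions, and that the DNS tagging test, the category list and the "high risk" threshold are placeholders you adjust to your own tenant. The output column names follow the ASIM DNS schema (DnsQuery, SrcIpAddr, ThreatCategory, EventResult, and so on) so the detection logic at the end can later be pointed at a real parser with minimal change.

```kql
// Added example (not from the thread): shape FortiGate DNS events from
// CommonSecurityLog into ASIM DNS column names, then hunt on the result.
// ASSUMPTIONS: Fortinet CEF ingestion; DNS fields live in
// AdditionalExtensions as key=value pairs; the "dns" tag test, the
// high-risk category list and the alert threshold are placeholders.
let lookback = 1d;
let highRiskCategories = dynamic(["Malicious Websites", "Phishing"]); // placeholder list
let minHits = 5;                                                      // placeholder threshold
let FortiDns_ASIMish =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor =~ "Fortinet"
    // Assumption: DNS-filter events are recognisable by a "dns" token in these fields.
    | where DeviceEventClassID has "dns" or Activity has "dns"
    // Pull the raw FortiGate attributes out of the CEF extension blob.
    | extend DnsQuery         = extract(@"qname=([^;]+)", 1, AdditionalExtensions),
             DnsQueryTypeName = extract(@"qtype=([^;]+)", 1, AdditionalExtensions),
             ThreatCategory   = extract(@"catdesc=([^;]+)", 1, AdditionalExtensions)
    | where isnotempty(DnsQuery)
    // Rename the CEF columns to their ASIM DNS equivalents.
    | project-rename SrcIpAddr = SourceIP,
                     DstIpAddr = DestinationIP,
                     DvcAction = DeviceAction,
                     Dvc       = DeviceName
    // Add the ASIM envelope fields every normalised query expects.
    | extend EventVendor  = "Fortinet",
             EventProduct = DeviceProduct,
             EventSchema  = "Dns",
             EventType    = "Query",
             EventResult  = iff(DvcAction in~ ("block", "blocked", "deny", "redirect"), "Failure", "Success")
    | project TimeGenerated, EventVendor, EventProduct, EventSchema, EventType, EventResult,
              Dvc, DvcAction, SrcIpAddr, DstIpAddr, DnsQuery, DnsQueryTypeName, ThreatCategory;
// Detection over the normalised shape: high-risk categories, or blocked lookups
// repeated from one source, summarised per source host and queried name.
FortiDns_ASIMish
| where ThreatCategory in~ (highRiskCategories) or EventResult == "Failure"
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Categories = make_set(ThreatCategory, 10)
          by SrcIpAddr, DnsQuery
| where Hits >= minHits
| order by Hits desc
```

Because the hunting logic only touches ASIM names, swapping the first half for `_Im_Dns` (or a future Fortinet parser) when one becomes available means deleting the `let` block rather than rewriting the detection; until then, verify the field names by inspecting a few raw AdditionalExtensions values from your own workspace before trusting the extracts.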
