Forum Discussion
Nov 03, 2021
Sentinel integration with FortiNet firewall and queries
Hi everyone, we have helped one customer to integrate FortiNet firewall logs via the syslog connector to Azure Sentinel. At that time, to avoid a huge amount of logs passing to the Sentinel side, we filtered only ...
CliveWatson
Nov 04, 2021 (Silver Contributor)
Two things:
1. There are 16 use cases (rules that apply to the Forti data for you to enable).
2. Forti uses CEF (CommonSecurityLog), so you can check what other vendors do in their workbooks or queries and maybe adjust those; typically you only have to alter the DeviceVendor or product columns. However, all vendors have unique data, so more work may be needed.
CommonSecurityLog
| where DeviceVendor == "Fortinet"
Also the Azure Firewall Workbook is a good one to look at for examples.
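As an added example (not from the original reply or the Microsoft-supplied workbook), the query below is the first check I would run on CommonSecurityLog before adjusting another vendor's workbook panels for Fortinet: it shows which products, severities and event class IDs actually arrived and how many rows carry the fields a typical panel groups on. It assumes the Fortinet connector populates DeviceVendor with "Fortinet"; the other columns are standard CommonSecurityLog fields.

```kql
// Added example, not part of the original post.
// Inventory what Fortinet CEF data actually reached the workspace in the last day,
// so a blank workbook panel can be traced to data that was never forwarded
// (for example, only high-severity events) rather than to a broken query.
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Fortinet"          // assumption: vendor string as written by the connector
| summarize Events      = count(),
            WithSrcIP   = countif(isnotempty(SourceIP)),
            WithDstIP   = countif(isnotempty(DestinationIP)),
            WithAction  = countif(isnotempty(DeviceAction)),
            WithDstPort = countif(isnotnull(DestinationPort)),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated)
  by DeviceProduct, LogSeverity, DeviceEventClassID
| order by Events desc
```

If a severity or DeviceEventClassID that a borrowed panel filters on is missing from this output, the panel will stay empty no matter how the DeviceVendor and DeviceProduct filters are rewritten; in that case the fix is on the forwarding side (the syslog filter on the FortiGate), not in the query.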
- Nov 05, 2021 Hi Clive, thank you for the response. I first started with the existing FortiNet workbook and tried to leverage the dashboards. I found that some of them are not showing the data visualization part properly. I only selected high severity level logging to be passed to syslog to avoid unnecessary data transfer from Forti to syslog.
Regarding looking at other workbooks, let me try that option.