
Fortigate workbook not populating


Hi, hoping someone can help me figure out why the Fortigate workbook isn't populating. I've had the Fortinet logs coming through for about 30 hours now, and the workbook doesn't seem to be populating. Any ideas?



@joshzan It does look like the data is being ingested, but have you run any queries against the table containing the Fortinet data to verify that the table is populated?

In the Logs blade:

CommonSecurityLog
| where DeviceVendor == "Fortinet"
| where DeviceProduct startswith "Fortigate"

@Rod_Trent The table is being populated.

@joshzan

So you now have data in the table; is the workbook working OK now? If not, I would put it in Edit mode and check one of the queries to make sure it's mapped to the right Subscription & Workspace.

@Rod_Trent I have the same problem here.  Data is being populated to the table, I can query against the table directly, but no results in the workbook.

@MikeElliottUK

So when you run this, you get data back? If so, the workbook uses the same.

CommonSecurityLog
| where DeviceVendor =~ 'Fortinet'
| where DeviceProduct =~ 'Fortigate'

Do you get an error from the Workbook or "no data"? Have you confirmed that the workbook is opened in the same Workspace?

Yes, that's the weird thing, Clive: a query works fine and returns data, but the workbook returns no results. I've confirmed that the workbook is opened to the same workspace.

I think I've figured out the problem here. The query doesn't actually work exactly as typed, my mistake. The DeviceProduct field contains data such as "FortiGate-80E" rather than simply "FortiGate". I've modified the Workbook queries to begin with...
let data = CommonSecurityLog
| where DeviceVendor =~ 'Fortinet'
| where DeviceProduct startswith 'Fortigate'
and it now populates. Perhaps this is a syntax problem with the workbook itself, or maybe the FortiGate output format has changed since the workbook template was written. One other possibility: the content being sent to Sentinel in my case comes from FortiAnalyzer rather than directly from a FortiGate firewall.
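The matching behaviour Mike describes above, shown on constructed sample rows as an added example (this is not a query from the thread or from the workbook template); the SampleLog table and its product names are made up to stand in for CommonSecurityLog, and the point is that `=~` is already case-insensitive, so case was never the problem, only the model suffix was:

```kql
// Constructed sample rows standing in for CommonSecurityLog (not real data)
let SampleLog = datatable(DeviceVendor:string, DeviceProduct:string, TimeGenerated:datetime)
[
    "Fortinet", "FortiGate-80E",  datetime(2020-07-11 10:00:00),
    "Fortinet", "FortiGate-100F", datetime(2020-07-11 10:01:00),
    "Fortinet", "Fortigate",      datetime(2020-07-11 10:02:00),
    "Fortinet", "FortiAnalyzer",  datetime(2020-07-11 10:03:00),
    "Cisco",    "ASA",            datetime(2020-07-11 10:04:00)
];
SampleLog
| where DeviceVendor =~ 'Fortinet'
| extend
    EqualsExact      = DeviceProduct == 'Fortigate',         // case-sensitive equality
    EqualsIgnoreCase = DeviceProduct =~ 'Fortigate',         // what the template workbook used
    StartsWithPrefix = DeviceProduct startswith 'Fortigate'  // case-insensitive prefix match (the fix)
| summarize
    MatchedByEquals     = countif(EqualsExact),
    MatchedByEqualsCI   = countif(EqualsIgnoreCase),
    MatchedByStartsWith = countif(StartsWithPrefix),
    TotalFortinetRows   = count()
```

Rows whose DeviceProduct carries a model suffix such as FortiGate-80E are counted only by the startswith column, which is exactly why the workbook's equality filter returned nothing while the table itself had data.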

Hello @Rod_Trent, @CliveWatson, @MikeElliottUK

I am facing a similar issue, where the FortiGate workbook is not populating any data.

Data is being populated to the table, and I can query against the table directly, but there are no results in the workbook:
CommonSecurityLog
| where DeviceVendor == "Fortinet"
| where DeviceProduct startswith "Fortigate"

Also, as Mike suggested, I checked by adding | where DeviceProduct startswith 'Fortigate' as well, but it still doesn't work.

Can you help me with this issue?

For kicks, try replacing the code with the code from the GitHub repo in the event the Workbook has been modified in some way. I tested the original and it's working fine.

https://cda.ms/3PF

Hello @Rod_Trent,

We have completely replaced our code with the code from the GitHub repository, but still no luck.

Do we have any other workarounds for this?

@Surya92

Does this work better? New workbook version:

1. How to install clivewatson/KQLpublic: My useful KQL and Azure Monitor workbooks (Public) (github.com)
- Just follow the above process, but create a NEW Sentinel workbook to paste the new code into.

2. Link to an updated version of the Workbook: https://raw.githubusercontent.com/clivewatson/KQLpublic/master/KQL/Workbooks/Forti/FortiGate v1.1.wo...