Azure ATP integration with Fortinet


Quick question: I am trying to set up our VPN appliance to see if it can forward the logs to Azure ATP agents. I read some articles on the integration with RADIUS servers, but I'm looking to see if anyone has been able to get a Fortinet appliance to connect and send info to the agents. If anyone can share some insight it would be greatly appreciated. We do not have any standalone agents, by the way.

Thanks,

2 Replies

@Jose Escamilla

@Andrew Harris (AZURE SEC): Is this something you can speak to?

We only need the RADIUS Accounting logs. Once enabled in AATP, you can forward these events into AATP.

Here: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/install-atp-step6-vpn

However, if that isn't possible for whatever reason (i.e. the appliance doesn't support RADIUS Accounting), I'd recommend sending this data to Azure Sentinel. We would do similar threat intelligence fusion against that data source as we do for Azure ATP, as long as you properly integrate it into Azure Sentinel so it knows which field is your Users, Computers, Timestamp, etc. Here is an Azure Sentinel reference to get you started if that caught your interest: https://docs.microsoft.com/en-us/azure/sentinel/quickstart-onboard

Again, however, if the appliance supports RADIUS Accounting, just point those events to AATP and it will do the rest.
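The reply above hinges on the appliance emitting RADIUS Accounting events that the receiving sensor will accept. The following is an added example, not code from this thread or from Microsoft, showing the RFC 2866 Accounting-Request format a VPN appliance sends and the shared-secret check a receiver applies to it; the user name, IP address and secret are constructed placeholders, not values from the thread.

```python
import hashlib
import struct

# RFC 2866 constants. Secret and addresses below are constructed for this example;
# the real ones come from your appliance and sensor configuration.
ACCT_REQUEST = 4                                   # packet code
USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE = 1, 8, 40
ACCT_STATUS_START = 1

def _attr(atype, value):
    # Attribute = Type(1) Length(1) Value; Length includes the 2-byte header.
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_accounting_request(ident, user, framed_ip, secret):
    """Build an Accounting-Request (Start) the way a VPN appliance would."""
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(FRAMED_IP_ADDRESS, bytes(int(o) for o in framed_ip.split(".")))
             + _attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code+ID+Length + 16 zero bytes + attributes + secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def parse_attributes(body):
    """Walk the TLV attribute list and return {type: value}; reject bad lengths."""
    attrs, i = {}, 0
    while i + 2 <= len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs

def verify_accounting_request(packet, secret):
    """Check code, length and Request Authenticator; return decoded fields or None.
    A packet rejected here would also be dropped by a sensor holding a different secret."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        return None                                # wrong secret or tampered packet
    a = parse_attributes(packet[20:])
    return {"user": a[USER_NAME].decode(),
            "ip": ".".join(str(b) for b in a[FRAMED_IP_ADDRESS]),
            "status": struct.unpack("!I", a[ACCT_STATUS_TYPE])[0]}
```

Running a captured accounting packet from the appliance through verify_accounting_request with the secret configured on the sensor tells you whether the two sides agree before you point production traffic at Azure ATP.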