cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Fortigate workbook not populating

joshzan
New Contributor

‎Jul 07 2020 05:51 PM

‎Jul 07 2020 05:51 PM

Fortigate workbook not populating

Hi, hoping someone can help me figure out why the Fortigate workbook isn't populating. I've had the Fortinet logs coming through for about 30 hours now, and the workbook doesn't seem to be populating. Any ideas?

2020-07-08_10-41-55.png2020-07-08_10-42-49.png

1,289 Views
0 Likes
11 Replies
Reply
11 Replies
rodtrent

‎Jul 08 2020 05:17 AM

‎Jul 08 2020 05:17 AM

Re: Fortigate workbook not populating

@joshzan It does look like the data is being ingested, but have you run any queries against the table containing the Fortinet data to verify that the table is populated?

 

In the Logs blade:

 

CommonSecurityLog
| where DeviceVendor == "Fortinet"
| where DeviceProduct startswith "Fortigate"

0 Likes
Reply
joshzan

‎Jul 08 2020 04:11 PM

‎Jul 08 2020 04:11 PM

Re: Fortigate workbook not populating

@rodtrent The table is being populated.

0 Likes
Reply
CliveWatson

‎Jul 11 2020 02:42 AM

‎Jul 11 2020 02:42 AM

Re: Fortigate workbook not populating

@joshzan 

 

So you now have data in the Table, is the Workbook working ok now? If not I would put it in Edit mode and check one of the queries to make sure its mapped to the right Subscription & Workspace?Annotation 2020-07-11 104128.jpg

0 Likes
Reply
MikeElliottUK

‎Dec 14 2020 03:16 AM

‎Dec 14 2020 03:16 AM

Re: Fortigate workbook not populating

@rodtrent I have the same problem here.  Data is being populated to the table, I can query against the table directly, but no results in the workbook.

0 Likes
Reply
CliveWatson

‎Dec 14 2020 04:37 AM

‎Dec 14 2020 04:37 AM

Re: Fortigate workbook not populating

@MikeElliottUK 

 

So when you run this, you get data back?  If so the workbook uses the same.

CommonSecurityLog
| where DeviceVendor =~ 'Fortinet'
| where DeviceProduct =~ 'Fortigate'



Do you get an error from the Workbook or "no data" ?  Have you confirmed that the workbook is opened in the same Workspace?


0 Likes
Reply
MikeElliottUK

‎Dec 14 2020 11:03 AM

‎Dec 14 2020 11:03 AM

Re: Fortigate workbook not populating

yes that's the weird thing Clive, a query works fine and returns data, but the workbook returns no results. I've confirmed that the workbook is opened to the same workspace.
0 Likes
Reply
MikeElliottUK

‎Dec 14 2020 11:28 AM - edited ‎Dec 14 2020 11:56 AM

‎Dec 14 2020 11:28 AM - edited ‎Dec 14 2020 11:56 AM

Re: Fortigate workbook not populating

I think I've figured out the problem here. The query doesn't actually work exactly as typed, my mistake. The DeviceProduct field contains data such as "FortiGate-80E" rather than simply "FortiGate". I've modified the Workbook queries to begin with...
let data = CommonSecurityLog
| where DeviceVendor =~ 'Fortinet'
| where DeviceProduct startswith 'Fortigate'
and it now populates. Perhaps this is a syntax problem with the workbook itself or maybe the Fortigate output format has changed since the workbook template was written.  One other possibility, the content being sent to Sentinel in my case comes from FortiAnalyzer rather than directly from a Fortigate firewall.

0 Likes
Reply
Surya92

‎Feb 08 2022 12:30 PM

‎Feb 08 2022 12:30 PM

Re: Fortigate workbook not populating

Hello @rodtrent, @CliveWatson, @MikeElliottUK

I am facing similar issue, where the FortiGate workbook is not populating any data.

Data is being populated to the table, I can query against the table directly, but no results in the workbook
CommonSecurityLog
| where DeviceVendor == "Fortinet"
| where DeviceProduct startswith "Fortigate"

Also as Mike suggested, checked by adding | where DeviceProduct startswith 'Fortigate' as well, but still doesn't work.

Can you help me with this issue.
0 Likes
Reply
rodtrent

‎Feb 08 2022 12:47 PM

‎Feb 08 2022 12:47 PM

Re: Fortigate workbook not populating

For kicks, try replacing the code with the code from the GitHub repo in the event the Workbook has been modified in some way. I tested the original and it's working fine.

https://cda.ms/3PF
0 Likes
Reply
Surya92

‎Feb 11 2022 10:10 AM

‎Feb 11 2022 10:10 AM

Re: Fortigate workbook not populating

Hello @rodtrent,

We have completely replaced our code with the code from GitHub repository, but still no luck.

Do we have any other work arounds for this.
0 Likes
Reply
Clive_Watson

‎Feb 13 2022 07:00 AM

‎Feb 13 2022 07:00 AM

Re: Fortigate workbook not populating

@Surya92 

 

Does this work better, new workbook version

1. How to install clivewatson/KQLpublic: My useful KQL and Azure Monitor workbooks (Public) (github.com)
- Just follow the above process but create a NEW Sentinel workbook, to paste the new code into

2. Link to a updated version of the Workbook: https://raw.githubusercontent.com/clivewatson/KQLpublic/master/KQL/Workbooks/Forti/FortiGate v1.1.wo... 

0 Likes
Reply