Fortigate workbook not populating

New Contributor

Hi, hoping someone can help me figure out why the Fortigate workbook isn't populating. I've had the Fortinet logs coming through for about 30 hours now, and the workbook doesn't seem to be populating. Any ideas?

2020-07-08_10-41-55.png2020-07-08_10-42-49.png

7 Replies

@joshzan It does look like the data is being ingested, but have you run any queries against the table containing the Fortinet data to verify that the table is populated?

 

In the Logs blade:

 

CommonSecurityLog
| where DeviceVendor == "Fortinet"
| where DeviceProduct startswith "Fortigate"

@rodtrent The table is being populated.

@joshzan 

 

So you now have data in the Table, is the Workbook working ok now? If not I would put it in Edit mode and check one of the queries to make sure its mapped to the right Subscription & Workspace?Annotation 2020-07-11 104128.jpg

@rodtrent I have the same problem here.  Data is being populated to the table, I can query against the table directly, but no results in the workbook.

@MikeElliottUK 

 

So when you run this, you get data back?  If so the workbook uses the same.

CommonSecurityLog
| where DeviceVendor =~ 'Fortinet'
| where DeviceProduct =~ 'Fortigate'



Do you get an error from the Workbook or "no data" ?  Have you confirmed that the workbook is opened in the same Workspace?


yes that's the weird thing Clive, a query works fine and returns data, but the workbook returns no results. I've confirmed that the workbook is opened to the same workspace.

I think I've figured out the problem here. The query doesn't actually work exactly as typed, my mistake. The DeviceProduct field contains data such as "FortiGate-80E" rather than simply "FortiGate". I've modified the Workbook queries to begin with...
let data = CommonSecurityLog
| where DeviceVendor =~ 'Fortinet'
| where DeviceProduct startswith 'Fortigate'
and it now populates. Perhaps this is a syntax problem with the workbook itself or maybe the Fortigate output format has changed since the workbook template was written.  One other possibility, the content being sent to Sentinel in my case comes from FortiAnalyzer rather than directly from a Fortigate firewall.