Nov 09 2023 08:13 PM
We are collecting Fortinet firewall logs via the CEF connector via AMA. We have duplicated the CommonSecurityLog table into an analytical table and a basic table, and also created the DCR, but we are unsure what filter needs to be applied in the transform KQL to move the data to which table: which essential columns need to be moved to the analytical table, and which to the basic table?
Nov 10 2023 01:56 AM
Nov 14 2023 11:01 AM
@Clive_Watson Many Thanks for the response.
Question 1. I have followed the article to create a table using the script below; however, I am not able to see any logs under the basic table. We see UTM, event and traffic logs being received by Sentinel (screenshots provided for the same).
Question 2. Is there any best practice for choosing which columns need to be monitored and alerted on?
Question 3. Do we need to create a table for VPN logs as well, or is this only specific to firewall logs?
Please help us with how we can move forward.
Below is the script to move the logs into the analytical and basic tables.
"dataFlows": [
  {
    "streams": [
      "Microsoft-CommonSecurityLog"
    ],
    "destinations": [
      "DataCollectionEvent"
    ],
    "transformKql": "source | where DeviceVendor == 'Fortinet' and DeviceEventCategory has 'traffic'",
    "outputStream": "Microsoft-CommonSecurityLog"
  },
  {
    "streams": [
      "Microsoft-CommonSecurityLog"
    ],
    "destinations": [
      "DataCollectionEvent"
    ],
    "transformKql": "source | where DeviceVendor == 'Fortinet' and DeviceEventCategory !has 'traffic'",
    "outputStream": "Custom-BasicCommonSecLog_CL"
  }
]
Screenshot 1: We are able to see UTM, event and traffic logs in the CommonSecurityLog table.
Screenshot 2: No logs are found in the basic table.
Nov 17 2023 11:07 AM - edited Nov 17 2023 11:08 AM
@Clive Watson
Removed the DeviceVendor filter, and now we are able to get logs under the basic table; however, under CommonSecurityLog we can still see all categories of logs, like UTM, event and traffic.
"dataFlows": [
  {
    "streams": [
      "Microsoft-CommonSecurityLog"
    ],
    "destinations": [
      "DataCollectionEvent"
    ],
    "transformKql": "source | where DeviceEventCategory has 'traffic'",
    "outputStream": "Microsoft-CommonSecurityLog"
  },
  {
    "streams": [
      "Microsoft-CommonSecurityLog"
    ],
    "destinations": [
      "DataCollectionEvent"
    ],
    "transformKql": "source | where DeviceEventCategory !has 'traffic'",
    "outputStream": "Custom-BasicCommonSecLog_CL"
  }
]
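As an added example (not code from this thread, from Microsoft, or from Fortinet), the Python below models the two data flows in the DCR fragments above and applies their transformKql predicates to a handful of constructed CommonSecurityLog rows, so the split can be checked offline before the DCR is deployed: every row should land in exactly one of the two output streams, and none should be dropped. The operator models are simplified assumptions (`has` as a case-insensitive whole-term match, `==` as case-sensitive string equality, `=~` as the case-insensitive form), and the DeviceEventCategory and DeviceVendor values are made up for the demonstration, not captured from a FortiGate.

```python
"""Offline model of the DCR data flows posted in the thread (added example)."""
import re
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]
Flow = Tuple[str, Callable[[Record], bool]]

# Simplified model of KQL term breaking: a term is a run of letters, digits or
# underscores. This is an assumption of the example, but it is enough for values
# such as 'traffic:forward', where ':' separates the two terms.
_TERM_RE = re.compile(r"[A-Za-z0-9_]+")


def kql_has(value: str, term: str) -> bool:
    """Model of KQL `has`: case-insensitive match on a whole term, not a substring."""
    return term.lower() in {t.lower() for t in _TERM_RE.findall(value)}


def kql_eq(left: str, right: str) -> bool:
    """Model of KQL `==` on strings: case-sensitive."""
    return left == right


def kql_eq_ci(left: str, right: str) -> bool:
    """Model of KQL `=~`: case-insensitive string equality."""
    return left.lower() == right.lower()


# The poster's second DCR: traffic rows stay in the analytics CommonSecurityLog
# table, everything else goes to the basic custom table.
FLOWS: List[Flow] = [
    ("Microsoft-CommonSecurityLog",
     lambda r: kql_has(r["DeviceEventCategory"], "traffic")),
    ("Custom-BasicCommonSecLog_CL",
     lambda r: not kql_has(r["DeviceEventCategory"], "traffic")),
]


def vendor_flows(eq: Callable[[str, str], bool]) -> List[Flow]:
    """The poster's first DCR, parameterised by the string-equality operator used
    for the DeviceVendor test (kql_eq models '==', kql_eq_ci models '=~')."""
    def is_vendor(r: Record) -> bool:
        return eq(r["DeviceVendor"], "Fortinet")
    return [
        ("Microsoft-CommonSecurityLog",
         lambda r: is_vendor(r) and kql_has(r["DeviceEventCategory"], "traffic")),
        ("Custom-BasicCommonSecLog_CL",
         lambda r: is_vendor(r) and not kql_has(r["DeviceEventCategory"], "traffic")),
    ]


def route(records: List[Record], flows: List[Flow] = FLOWS) -> Dict[str, List[Record]]:
    """Apply every flow's predicate to every record, as each dataFlow in a DCR
    is evaluated independently, and return the rows each outputStream receives."""
    routed: Dict[str, List[Record]] = {stream: [] for stream, _ in flows}
    for rec in records:
        for stream, predicate in flows:
            if predicate(rec):
                routed[stream].append(rec)
    return routed


def is_partition(records: List[Record], routed: Dict[str, List[Record]]) -> bool:
    """True when each input row lands in exactly one destination: nothing is
    silently dropped by the filters and nothing is duplicated across tables."""
    hits = {id(rec): 0 for rec in records}
    for rows in routed.values():
        for rec in rows:
            hits[id(rec)] += 1
    return all(n == 1 for n in hits.values())


def counts(routed: Dict[str, List[Record]]) -> Dict[str, int]:
    """Rows per output stream."""
    return {stream: len(rows) for stream, rows in routed.items()}


# Constructed sample rows in CommonSecurityLog shape; values are illustrative only.
SAMPLE: List[Record] = [
    {"DeviceVendor": "Fortinet", "DeviceEventCategory": "traffic:forward", "DeviceAction": "accept"},
    {"DeviceVendor": "Fortinet", "DeviceEventCategory": "Traffic:local", "DeviceAction": "deny"},
    {"DeviceVendor": "Fortinet", "DeviceEventCategory": "utm:webfilter", "DeviceAction": "blocked"},
    {"DeviceVendor": "Fortinet", "DeviceEventCategory": "event:system", "DeviceAction": ""},
    {"DeviceVendor": "Fortinet", "DeviceEventCategory": "event:vpn", "DeviceAction": "tunnel-up"},
]

if __name__ == "__main__":
    routed = route(SAMPLE)
    for stream, rows in routed.items():
        print(stream, [r["DeviceEventCategory"] for r in rows])
    print("every row in exactly one table:", is_partition(SAMPLE, routed))
```

The point of `is_partition` is that a DCR does not report rows that match none of its transforms; they are simply not written anywhere. Running the intended predicate pair over representative rows (ideally values copied from the existing CommonSecurityLog table rather than the constructed ones here) shows before deployment whether a vendor or category filter is letting every category through to one of the two tables.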