Sentinel integration with FortiNet firewall and queries

Brass Contributor

Hi Everyone, we have help one customer to integrate FortiNet firewall logs via syslog connector to Azure Sentinel. At that time to avoid huge amount of logs passing to Sentinel side we filtered only critical evets to be passed. Though logs are passing to FortiNet side we found out workbook available for Fortinet is very basic one. Customer want some SIEM user cases against the firewall logs collected but I'm unable to find much information in the Sentinel documentation. Not much in the Github either. 

Below are some queries and I hope someone who done this will share their experience or Microsoft engineer will shed some light. 


  • Analysis over firewall traffic for more than 100 requests are getting dropped or blocked by perimeter firewall from the same source IP in a day and with some pattern or cluster.
  • Traffic anomaly to a destination address or from a public IP address which is malicious or with a bad reputation.
  • If one or multiple source address of private network is connecting to public address which is malicious or with bad reputation.
  • Single source address with Multiple MAC addresses.
  • From single source address which private IP address communicating to distinct destination port in a very short time.
  • Monitoring TOR Ports – 9001,9003,9050,9151,9150 – for outbound logic
  • Monitoring Crypto ports – 8333,18333 ,9333,9999, 22556, 30303 – for outbound logic
  • Monitoring TOR Exit Node IP’s based on threat intel records.
  • Communications to potential suspicious ports.
  • Communication to Proxy Server IP (Firewall/Proxy). Traffic to known suspicious proxy domains/IP is indicative of a malicious payload or process which would cause an endpoint to communicate with known bad domains.
  • Unusual amount of Time-Taken for Connection by source or firewall.
  • Possible Network Flood Detection: – IP Address using Same Destination Port Communicating to Distinct Destination Address in a very short time.
  • Hunt for unusual RDP/LDAP/FTP traffic from rare system to a known critical server.
3 Replies

@Susantha Silva 

Two things,
1. There are 16 use cases (rules that apply to the Forti data for you to enable)

Screenshot 2021-11-04 101957.png

2. Forti uses CEF (CommonSecurityLog), so you can check what other vendors do in their workbooks or queries and maybe adjust those, typically you only have to alter the DeviceVendor or product columns.  However all vendor have unique data so more work maybe needed. 

| where DeviceVendor == "Fortinet"

Also the Azure Firewall Workbook is a good one to look at for examples. 

Hi Clive, thank you for the response. I've first started with existing FortiNet Workbook and tried to leverage the dashboards. Found out some of them are not showing the data visualization part properly. I only selected high severity level logging to be passed to syslog to avoid unnecessary data transfer from Forti to syslog.
Regarding observe other Workbooks let me try that options.

Hi @Susantha Silva,

You would have to create these use cases yourself in Sentinel by using KQL queries. You can take a look here for inspiration:

Feel free to contact the author of this article to ask for consultancy in order to create your exact use cases in KQL.