Nov 03 2021 09:38 AM
Hi Everyone, we have helped one customer to integrate FortiNet firewall logs via the syslog connector to Azure Sentinel. At that time, to avoid a huge amount of logs passing to the Sentinel side, we filtered only critical events to be passed. Though logs are passing to the FortiNet side, we found out the workbook available for Fortinet is a very basic one. The customer wants some SIEM use cases against the firewall logs collected, but I'm unable to find much information in the Sentinel documentation. Not much in the GitHub either.
Below are some queries, and I hope someone who has done this will share their experience or a Microsoft engineer will shed some light.
Nov 04 2021 03:26 AM
Two things,
1. There are 16 use cases (rules that apply to the Forti data for you to enable)
2. Forti uses CEF (CommonSecurityLog), so you can check what other vendors do in their workbooks or queries and maybe adjust those; typically you only have to alter the DeviceVendor or product columns. However, all vendors have unique data, so more work may be needed.
CommonSecurityLog
| where DeviceVendor == "Fortinet"
Also the Azure Firewall Workbook is a good one to look at for examples.
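As an added example (not from this thread or from Microsoft's Fortinet content), here is one KQL use case built on the CommonSecurityLog filter above: it flags a source address whose connections a FortiGate denied to many distinct destination ports in a short window, which is a common first detection to write against firewall data. It assumes the FortiGate CEF feed populates DeviceAction with "deny" for blocked traffic and that deny events are actually forwarded; if only critical-severity events are sent to Sentinel, as the original post describes, the query will return nothing and the forwarding filter needs widening first.

```kql
// Added example: possible port sweep seen through FortiGate deny events.
// Assumption: blocked traffic arrives with DeviceAction "deny". Verify with
//   CommonSecurityLog | where DeviceVendor == "Fortinet" | summarize count() by DeviceAction
// and adjust the value below if your logs differ.
let lookback = 24h;          // how far back to hunt
let window = 10m;            // aggregation window per source
let port_threshold = 50;     // distinct destination ports in one window to alert on
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor == "Fortinet"
| where DeviceAction =~ "deny"
| where isnotempty(SourceIP) and isnotempty(DestinationPort)
| summarize DeniedEvents  = count(),
            DistinctPorts = dcount(DestinationPort),
            DistinctHosts = dcount(DestinationIP),
            FirstSeen     = min(TimeGenerated),
            LastSeen      = max(TimeGenerated),
            SamplePorts   = make_set(DestinationPort, 10)
    by SourceIP, WindowStart = bin(TimeGenerated, window)
| where DistinctPorts >= port_threshold
| order by DistinctPorts desc, DeniedEvents desc
```

The same shape works for other CEF vendors by changing DeviceVendor and the DeviceAction value, which is the adjustment described in point 2 above.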
Nov 04 2021 07:25 PM
Oct 24 2022 07:10 AM
Hi @Susantha Silva,
You would have to create these use cases yourself in Sentinel by using KQL queries. You can take a look here for inspiration: https://cryptsus.com/blog/fortinet-firewall-sentinel-siem-hunting.html
Feel free to contact the author of this article to ask for consultancy in order to create your exact use cases in KQL.