Sentinel integration with FortiNet firewall and queries


Hi Everyone, we have helped one customer to integrate FortiNet firewall logs via the syslog connector to Azure Sentinel. At that time, to avoid a huge amount of logs passing to the Sentinel side, we filtered only critical events to be passed. Though logs are passing to the FortiNet side, we found out that the workbook available for Fortinet is a very basic one. The customer wants some SIEM use cases against the firewall logs collected, but I'm unable to find much information in the Sentinel documentation. Not much on GitHub either.

Below are some queries, and I hope someone who has done this will share their experience, or a Microsoft engineer will shed some light.


  • Analysis of firewall traffic where more than 100 requests from the same source IP are dropped or blocked by the perimeter firewall in a day, with some pattern or cluster.
  • Traffic anomaly to a destination address, or from a public IP address, which is malicious or has a bad reputation.
  • One or multiple source addresses of the private network connecting to a public address which is malicious or has a bad reputation.
  • Single source address with multiple MAC addresses.
  • A single private source IP address communicating to distinct destination ports in a very short time.
  • Monitoring TOR ports – 9001, 9003, 9050, 9151, 9150 – for outbound logic
  • Monitoring crypto ports – 8333, 18333, 9333, 9999, 22556, 30303 – for outbound logic
  • Monitoring TOR exit node IPs based on threat intel records.
  • Communications to potentially suspicious ports.
  • Communication to a proxy server IP (Firewall/Proxy). Traffic to known suspicious proxy domains/IPs is indicative of a malicious payload or process which would cause an endpoint to communicate with known bad domains.
  • Unusual amount of time taken for a connection by source or firewall.
  • Possible network flood detection: an IP address using the same destination port communicating to distinct destination addresses in a very short time.
  • Hunt for unusual RDP/LDAP/FTP traffic from a rare system to a known critical server.
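One way to express the first use case in the list above as a Sentinel KQL query over the Fortinet CEF data in CommonSecurityLog. This is an added example, not code from the thread or from Microsoft's Fortinet content; it assumes Fortinet writes its verdict into DeviceAction as "deny"/"blocked", and the 100-per-day threshold and the sweep heuristics are assumptions to tune on your own data.

```kql
// Added example: sources with more than 100 denied/blocked connections in a
// day, summarised so the analyst can see whether the blocks form a pattern.
// Assumption: Fortinet CEF puts the verdict in DeviceAction ("deny"/"blocked");
// verify with `CommonSecurityLog | where DeviceVendor == "Fortinet" | distinct DeviceAction`.
let lookback = 1d;
let threshold = 100;            // assumed threshold from the use case
CommonSecurityLog
| where TimeGenerated >= ago(lookback)
| where DeviceVendor == "Fortinet"
| where DeviceAction in~ ("deny", "blocked", "block")
| where isnotempty(SourceIP)
| summarize
    DeniedCount          = count(),
    DistinctDestinations = dcount(DestinationIP),
    DistinctPorts        = dcount(DestinationPort),
    SamplePorts          = make_set(DestinationPort, 10),
    FirstSeen            = min(TimeGenerated),
    LastSeen             = max(TimeGenerated)
    by SourceIP, Day = bin(TimeGenerated, 1d)
| where DeniedCount > threshold
// Rough pattern label (assumed heuristics): many ports on few hosts looks like a
// port sweep, many hosts on few ports like a host sweep, otherwise repeated blocks.
| extend Pattern = case(
    DistinctPorts > 20 and DistinctDestinations <= 3,  "port sweep",
    DistinctDestinations > 20 and DistinctPorts <= 3,  "host sweep",
    "repeated blocks")
| project Day, SourceIP, DeniedCount, DistinctDestinations, DistinctPorts,
          SamplePorts, FirstSeen, LastSeen, Pattern
| order by DeniedCount desc
```

Because the OP only forwards high-severity events to syslog, the counts this query sees are a subset of what the firewall actually denied, so the threshold should be set against the filtered volume.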
3 Replies

@Susantha Silva 

Two things,
1. There are 16 use cases (rules that apply to the Forti data for you to enable)

[Screenshot attached: Screenshot 2021-11-04 101957.png]

2. Forti uses CEF (CommonSecurityLog), so you can check what other vendors do in their workbooks or queries and maybe adjust those; typically you only have to alter the DeviceVendor or DeviceProduct columns. However, all vendors have unique data, so more work may be needed.

CommonSecurityLog
| where DeviceVendor == "Fortinet"

Also the Azure Firewall Workbook is a good one to look at for examples. 

Hi Clive, thank you for the response. I first started with the existing FortiNet Workbook and tried to leverage the dashboards. I found that some of them are not showing the data visualization part properly. I only selected high severity level logging to be passed to syslog, to avoid unnecessary data transfer from Forti to syslog.
Regarding looking at other Workbooks, let me try that option.

Hi @Susantha Silva,

You would have to create these use cases yourself in Sentinel by using KQL queries. You can take a look here for inspiration: https://cryptsus.com/blog/fortinet-firewall-sentinel-siem-hunting.html

Feel free to contact the author of this article to ask for consultancy in order to create your exact use cases in KQL.