User Profile
susanthasilva
Brass Contributor
Joined 9 years ago
Recent Discussions
Sentinel integration with FortiNet firewall and queries
Hi Everyone, we have helped one customer to integrate FortiNet firewall logs via the syslog connector to Azure Sentinel. At that time, to avoid a huge amount of logs passing to the Sentinel side, we filtered only critical events to be passed. Though logs are passing to the FortiNet side, we found out the workbook available for Fortinet is a very basic one. The customer wants some SIEM use cases against the firewall logs collected, but I'm unable to find much information in the Sentinel documentation. Not much in the Github either. Below are some queries, and I hope someone who has done this will share their experience or a Microsoft engineer will shed some light.

- Analysis over firewall traffic where more than 100 requests are getting dropped or blocked by the perimeter firewall from the same source IP in a day, with some pattern or cluster.
- Traffic anomaly to a destination address or from a public IP address which is malicious or has a bad reputation.
- If one or multiple source addresses of the private network are connecting to a public address which is malicious or has a bad reputation.
- Single source address with multiple MAC addresses.
- From a single source address: which private IP address is communicating to distinct destination ports in a very short time.
- Monitoring TOR ports – 9001, 9003, 9050, 9151, 9150 – for outbound logic.
- Monitoring crypto ports – 8333, 18333, 9333, 9999, 22556, 30303 – for outbound logic.
- Monitoring TOR exit node IPs based on threat intel records.
- Communications to potentially suspicious ports.
- Communication to proxy server IP (firewall/proxy). Traffic to known suspicious proxy domains/IPs is indicative of a malicious payload or process which would cause an endpoint to communicate with known bad domains.
- Unusual amount of time taken for connection by source or firewall.
- Possible network flood detection: IP address using the same destination port communicating to distinct destination addresses in a very short time.
- Hunt for unusual RDP/LDAP/FTP traffic from a rare system to a known critical server.

(12K views, 0 likes, 3 comments)

Unfamiliar sign-in properties does not show more information in Sentinel
We have already set up CA policies with strict policies when it comes to sign-in. Recently we came across an incident in Sentinel which says "Unfamiliar sign-in properties" but does not show much information in the incident. Need to check with forum members if this is an expected scenario for others as well. Kindly refer to the attached picture for more information.

(2K views, 0 likes, 2 comments)

Closing alerts in Azure Sentinel does not automatically close in Cloud App Security console

We have both Cloud App Security and Azure Sentinel deployed on the environment. When we get alerts from Cloud App Security to Azure Sentinel, we look over the incidents and close them accordingly. When we do this, the same alert generated on the Cloud App Security side is not being closed. This leads to duplication of jobs, where an engineer needs to close the alert in both Cloud App Security and Azure Sentinel. Is there a way, when we resolve an incident on the Sentinel side, for its related alerts to be closed on the Cloud App Security side?

(3.3K views, 0 likes, 2 comments)