Splunk Enterprise Security

Fortigate Firewall logs are not populating in Intrusion Centre dashboard in Splunk Enterprise Security

bsuresh1
Path Finder

Hi All,

Environment: Splunk Cloud

We have installed "Fortinet Fortigate Add-On for Splunk" on our Onprem Heavy Forwarder. Log ingestion is happening with sourcetypes like fgt_traffic, fgt_utm, etc.

But the fortigate data is not being populated in "Intrusion Centre" dashboard in Enterprise Security.

Should I install "Fortinet Fortigate APP" also in HF and SH to get these dashboards populated with data?

0 Karma
1 Solution

jerryzhao
Contributor

Fortinet Fortigate App is not needed for enterprise security.
To see results in intrusion center, do you have any logs like this? with attack in the field?

Aug 15 15:20:18 10.160.55.31 date=2019-08-15 time=15:20:38 devname="FGT1500D0-232" devid="FG1K5D3I13800014" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1565907638 severity="critical" srcip=x.x.x.x srccountry="United States" dstip=x.x.x.x srcintf="port32" srcintfrole="undefined" dstintf="demo-gateway" dstintfrole="lan" sessionid=39547555 action="dropped" proto=6 service="HTTPS" policyid=13 attack="OpenSSL.Heartbleed.Attack" srcport=58940 dstport=443 hostname="*.fortinet.com" direction="outgoing" attackid=38315 profile="default" ref="http://www.fortinet.com/ids/VID38315" incidentserialno=949409074 msg="applications: OpenSSL.Heartbleed.Attack, OpenSSL Heartbleed" crscore=50 crlevel="critical"

View solution in original post

0 Karma

diogofgm
SplunkTrust
SplunkTrust

what that's are being applied to your events? intrusion events should be tagged with ids and attack tags so they can be seen by the "Intrusion Detection" data model and thus ES. Which version of ES, splunk and CIM app are you using?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

bsuresh1
Path Finder

Hi diogofgm,

Yes, the events were tagged with ids and attack but I missed to add the index=firewall in CIM setup (in Intrusion Detection datamodel). After updating the CIM setup, data showed up in Intrusion Center in other dashboards. Thanks.

0 Karma

jerryzhao
Contributor

Fortinet Fortigate App is not needed for enterprise security.
To see results in intrusion center, do you have any logs like this? with attack in the field?

Aug 15 15:20:18 10.160.55.31 date=2019-08-15 time=15:20:38 devname="FGT1500D0-232" devid="FG1K5D3I13800014" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" eventtime=1565907638 severity="critical" srcip=x.x.x.x srccountry="United States" dstip=x.x.x.x srcintf="port32" srcintfrole="undefined" dstintf="demo-gateway" dstintfrole="lan" sessionid=39547555 action="dropped" proto=6 service="HTTPS" policyid=13 attack="OpenSSL.Heartbleed.Attack" srcport=58940 dstport=443 hostname="*.fortinet.com" direction="outgoing" attackid=38315 profile="default" ref="http://www.fortinet.com/ids/VID38315" incidentserialno=949409074 msg="applications: OpenSSL.Heartbleed.Attack, OpenSSL Heartbleed" crscore=50 crlevel="critical"

0 Karma

bsuresh1
Path Finder

Thank you JerryZhao.

I could see very few events with "attack" field. But still the data didn't show up in Intrusion Center. Later, I have found that I should update index="firewall" in CIM setup (in Intrusion Detection datamodel). Now, I could see the data showing up in Intrusion Center.

Thanks again.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...