Splunk Enterprise Security

How to create an alert that works with Fortigate Active Response?

Having a hard time getting an alert that works with FortigateAR. We want to use FortigateAR to block SourceIP based on an IDS alert. I get data from Firewall and it's visible using the Fortinet FortiGate App for Splunk and Fortinet FortiGate Add-on for Splunk. Need an alert that is triggered from IDS that uses AR to block Source IP.

0 Karma

Contributor

the required fields devid, srcip, dstip, user are extracted or transformed from the fortigate log by the add-on, so if your fortigate FOS version is 5.0 and later, you will be able to get those fields from fortigate logs.
can you share the query string for the alert your created? and the matching result?
what problem do you have with the fortigate alert action? No firewall policy is created on fortigate?
if you could share $SPLUNK_HOME/var/logs/splunk/FortiGateActions_modalert.log, it would be most helpful.

0 Karma

Splunk Employee
Splunk Employee

It looks like the AR action that Fortinet wrote (https://splunkbase.splunk.com/app/3444/) requires the resulting events from your search contains a "devid" field. The devid field is used to retrieve the specific Fortigate device you want to send the commands to. From there if you set the action to block the "source ip" ensure that your events also contain the field name "srcip" as the AR action is looking for any of the following fields:
srcip
dstip
user

You may need to use eval to massage the field names.

0 Karma