Splunk Enterprise Security

How to create an alert that works with Fortigate Active Response?


Having a hard time getting an alert that works with FortigateAR. We want to use FortigateAR to block SourceIP based on an IDS alert. I get data from Firewall and it's visible using the Fortinet FortiGate App for Splunk and Fortinet FortiGate Add-on for Splunk. Need an alert that is triggered from IDS that uses AR to block Source IP.

0 Karma


the required fields devid, srcip, dstip, user are extracted or transformed from the fortigate log by the add-on, so if your fortigate FOS version is 5.0 and later, you will be able to get those fields from fortigate logs.
can you share the query string for the alert your created? and the matching result?
what problem do you have with the fortigate alert action? No firewall policy is created on fortigate?
if you could share $SPLUNK_HOME/var/logs/splunk/FortiGateActions_modalert.log, it would be most helpful.

0 Karma

Splunk Employee
Splunk Employee

It looks like the AR action that Fortinet wrote (https://splunkbase.splunk.com/app/3444/) requires the resulting events from your search contains a "devid" field. The devid field is used to retrieve the specific Fortigate device you want to send the commands to. From there if you set the action to block the "source ip" ensure that your events also contain the field name "srcip" as the AR action is looking for any of the following fields:

You may need to use eval to massage the field names.

0 Karma
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...