Hi there, We noticed that FortiGate logs are not being tagged correctly and therefore are not being included in the Network_Traffic data model. Our current architecture is as follows: Syslog → Universal Forwarder (UF) → Indexer (IDX) → Search Head (SH) Both the IDX and SH reside in Splunk Cloud. Both are apps Fortinet Fortigate Add-on for Splunk and Fortinet FortiGate App for Splunk are installed in Cloud. On the UF, no add-ons are installed. The configuration only contains a monitor stanza as shown below: [monitor:///data/islog/netsec/frt/*] sourcetype = frt_log index = my_frt_netsec The logs are successfully indexed and searchable; however, they are not appearing in the Network_Traffic data model. We verified this using the following search: | datamodel Network_Traffic summariesonly=true search | search sourcetype="frt_log" | timechart span=1d count Could you please advise what might be missing, I read the app Fortinet FortiGate Add-On for Splunk installation manual will by default automatically extract FortiGate log data from inputs with sourcetype 'fortigate_log'.  Does this mean that on the UF, we need to update the inputs.conf to change the sourcetype from frt_log to fortigate_log for the logs to be included in the Network_Traffic DM Thank you. ... View more

Hi, I’m building a search on the Network_Traffic datamodel to detect high outbound flows (>1 GB). I need to exclude a list of known backup / AWS ranges, and the exclusion should apply if either src_ip or dest_ip matches any of them. Right now my query looks like this (shortened for readability): | tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as bytes_out from datamodel=Network_Traffic where All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip _time span=1d | `drop_dm_object_name("All_Traffic")` | where bytes_out > 1073741824 | where NOT ( cidrmatch("<internal_backup_subnet>/24", src_ip) OR cidrmatch("<internal_backup_subnet>/24", dest_ip) OR cidrmatch("<external_backup_subnet>/24", src_ip) OR cidrmatch("<external_backup_subnet>/24", dest_ip) … etc … ) | table _time src_ip src_port dest_ip dest_port transport app vlan bytes_gb dvc rule action user dest_interface src_interface direction src_zone dest_zone   This works, but the WHERE NOT block is huge (I’ve got 40+ CIDRs). I tried to utilized inputlookup and lookup file but failed, the lookup file backup-subnet-test.csv structure are as follow subnet comment <subnet>/28 comment1 <subnet>/20 comment2 <subnet>/32 comment3   Question Is it possible to use a lookup file for this case? I want to use the lookup file (backup-subnet-test.csv) to exclude traffic if either src_ip or dest_ip matches a subnet in the lookup. Or is there a cleaner way to apply the CIDR lookup once against both fields? Thanks a lot in advance! ... View more