Cybersecurity Forum


SadekAbdelnasser
New Contributor

join events from two log sources together in search

We have FortiGate and ClearPass for authentication of our wireless network, so we could get the username and his assigned IP from ClearPass logs, and we can see that IP's traffic and activities from firewall logs. How can I combine data from these two log sources in one table? For example, I want to search for authentication activity for some users from ClearPass, then pass their IPs to another search to get their activity from firewall logs and view that in one table (show username, IP, destination he went to through the firewall). Is that possible?
FSM_FTNT
Staff

Hi Sadek,

In version 6.4.0, a lookup table feature was added that allows you to 1) populate a table and 2) use it for analytics filters and lookups.

https://docs.fortinet.com/document/fortisiem/6.4.0/release-notes/456886/whats-new-in-6-4-0#Lookup

Here is an example of its use:

1) Create a lookup table with SourceIP and User as the values. Make the SourceIP field the key.
2) Populate the table using a scheduled report - report on the ClearPass logs with user and IP mapped to the lookup table values. It should look like this:

[screenshot: scheduled report mapping user and IP to the lookup table]

3) Add a filter as needed in Analytics. In this example we are saying, "Only show logs where the Source IP is in the Lookup Table AND the User in the Lookup Table is not 'N/A'".

[screenshots: Analytics filter on the lookup table]

4) Then we use the Display Fields to look up the Source IP and display the User.

[screenshot: Display Fields lookup of Source IP to User]

Let us know how you get on.

Thanks



------------------------------
Daniel
FortiSIEM Product Manager
------------------------------
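The join described in steps 1-4 above, written out as an added example (not FortiSIEM's own code or the original reply's): a lookup table keyed on IP is built from ClearPass-style authentication events, then firewall events are kept only when their source IP is in the table and the looked-up user is not 'N/A'. The log lines are constructed, simplified key=value records, not the real ClearPass or FortiGate formats.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample logs (not real ClearPass/FortiGate output): simplified key=value lines.
CLEARPASS_LOGS = [
    'ts=1 user=alice ip=10.0.0.5 result=ACCEPT',
    'ts=2 user=N/A ip=10.0.0.9 result=REJECT',    # failed auth: no user to attribute
    'ts=3 user=bob ip=10.0.0.7 result=ACCEPT',
    'ts=4 user=carol ip=10.0.0.5 result=ACCEPT',  # 10.0.0.5 re-assigned: newest row wins
]
FIREWALL_LOGS = [
    'ts=5 srcip=10.0.0.5 dstip=93.184.216.34 dstport=443',
    'ts=6 srcip=10.0.0.7 dstip=198.51.100.20 dstport=80',
    'ts=7 srcip=10.0.0.9 dstip=203.0.113.8 dstport=22',   # user is N/A -> filtered out
    'ts=8 srcip=10.0.0.42 dstip=192.0.2.1 dstport=53',    # not in lookup table -> filtered out
]

KV = re.compile(r'(\w+)=(\S+)')


def parse(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict."""
    return dict(KV.findall(line))


def build_lookup(clearpass_lines: List[str]) -> Dict[str, str]:
    """Steps 1-2: lookup table keyed on IP -> user. Because the IP is the key,
    the table holds one row per IP and a later authentication overwrites an earlier one."""
    table: Dict[str, str] = {}
    for ev in map(parse, clearpass_lines):
        table[ev['ip']] = ev['user']
    return table


def join_traffic(firewall_lines: List[str], table: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Steps 3-4: keep firewall events whose srcip is in the table and whose
    looked-up user is not 'N/A'; emit (user, ip, destination) rows for display."""
    rows = []
    for ev in map(parse, firewall_lines):
        user = table.get(ev['srcip'])
        if user is None or user == 'N/A':
            continue
        rows.append((user, ev['srcip'], f"{ev['dstip']}:{ev['dstport']}"))
    return rows


if __name__ == '__main__':
    lookup = build_lookup(CLEARPASS_LOGS)
    for row in join_traffic(FIREWALL_LOGS, lookup):
        print('%-8s %-12s %s' % row)
```

Because the key is unique per IP, the table only ever reflects the most recent authentication for that address, which is what the scheduled-report population in step 2 produces as well.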
PartBhat
Staff

Use the concept of lookup table in 6.4.0.

 

Store the ClearPass authentication data in a lookup table with IP as the key.



FSM_FTNT
Staff

Hi Sadek,

We have posted a more in-depth blog post on this topic:

https://fusecommunity.fortinet.com/blogs/dusan/2022/02/14/fortisiem-lookup-tables-64

Thanks

Dan

------------------------------
Daniel
FortiSIEM Product Manager
------------------------------