Description

This article describes how to configure Microsoft Sentinel to receive CEF logs from FortiAnalyzer in CEF format, assuming that user has successfully deployed and integrated FortiAnalyzer to Microsoft Sentinel via Azure Monitoring Agent.

Scope

FortiAnalyzer.

Solution

Refer to this FortiAnalyzer Integration with Microsoft Sentinel for deployment and setup between FortiAnalyzer and Microsoft Sentinel via Azure Monitoring Agent (AMA).

1. After successfully configuring the Linux VM, navigate to FortiAnalyzer and configure the log forward settings in the CLI:

This command is used on FortiGate to forward logs received from another FortiGate to an upstream log server, most commonly FortiAnalyzer.

2. On the Azure homepage, look for Azure services, select' Microsoft Sentinel'. Click on the configured Microsoft Sentinel.
3. In Content management -> Content Hub, find 'CEF' in the search bar and install the 'Common Event Format (CEF) via AMA':

4. Select the 'Open connector page':

5. Select 'Create data collection rule':

6. Configure the name, subscription, and resource group in the 'Basic' tab. In the 'Resources' tab, choose the configured Linux VM as mentioned in step 1.
7. As for the 'Collect' tab, since 'set fwd-facility local7' was configured in step 1, the LOG_LOCAL7 facility needs to be set as 'LOG_DEBUG' in the Data Collection Rule (DCR) to receive the CEF logs. 

8. On the 'Review + create' tab, select 'Create'. Now, the DCR has been successfully created.
9. Navigate to General -> Logs, type 'CommonSecurityLog' in the query field, and select 'Run': 

10. The logs shown here are the logs received in CEF format from FortiAnalyzer, which originates from the FortiGate. 

11.  If no logs are appearing, a test log can be sent from the FortiGate end by using the 'diagnose log test' command to troubleshoot further.

Related article:

Technical Tip: How to configure and troubleshoot Log Forwarding on FortiAnalyzer