This article describes how to integrate Fortigate, with Microsoft Sentinel.
- Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution.
Microsoft Sentinel delivers intelligent security analytics and threats intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
-To be able to ingest Syslog and CEF logs into Microsoft Sentinel from FortiGate, it will be necessary to configure a Linux machine that will collect the logs from the FortiGate and forward them to the Microsoft sentinel workspace.
This designated machine can be either a physical or Virtual machine in the on-prem, and Azure VM or in different cloud.
-Let’s assume to have already Linux machine that Microsoft Sentinel will use as proxy between the Fortigate and Microsoft Sentinel to collect the logs.
-On the Microsoft Sentinel Page, select the 'Data Connectors' under Configuration and choose the 'Fortinet' as described below:
- On the same page, select open connector page to see the instructions needed:
- It is possible now to log in to the Linux machine that is acting as log forwarder using SSH and follow the instructions shown in Fortinet Data connector, see the screen below:
- After successfully performed all steps mentioned in the Fortinet Data connector above, it will possible to receive FortiGate generated CEF message in Microsoft Sentinel.
- To check if the syslog daemon is receiving data on port 514, it is possible to use tcpdump command on the Linux machine:The port 514 must be allowed.
>sudo tcpdump -A -ni any port 514 -vv
- To check if, the agent is receiving data on port 25226, use below command:
>sudo tcpdump -A -ni any port 25226 –vv
- To configure FortiGate to send Syslog messages in CEF format to the proxy machine(Linux), can use the below command:
# config log syslogd settin
set port 514
- At this point, the Fortinet Connector should be visible on the Microsoft Sentinel console turning as 'green', this means the syslog collector is performing correctly, by storing the syslog logs with the right format into the Log Analytics workspace:
-The Microsoft Sentinel|Overview Page, is showing the events are received:
- The syslog messages sent by FortiGate is categorized as 'CommonSecurityLog'.
Here is an example of KQL query: