FortiSIEM Discussions
SadekAbdelnasser
New Contributor

join events from two log sources together in search

We have FortiGate and ClearPass for authentication of our wireless network, so we can get the username and his assigned IP from the ClearPass logs, and we can see that IP's traffic and activities in the firewall logs. How can I combine data from these two log sources in one table? I want to search for authentication activity for some users from ClearPass, then pass their IPs to another search to get their activity from the firewall logs and view that in one table (show username, IP, destination he went to through the firewall). Is that possible?
3 REPLIES
DanielHanman
Staff

Hi Sadek,

In version 6.4.0, a lookup table feature has been added that allows you to 1) populate a table and 2) use it for analytic filters and lookups.

https://docs.fortinet.com/document/fortisiem/6.4.0/release-notes/456886/whats-new-in-6-4-0#Lookup

Here is an example of its use:

1) Create a lookup table with SourceIP and User as the values. Make the SourceIP field the key.
2) Populate the table using a scheduled report: report on the ClearPass logs with user and IP mapped to the lookup table values. It should look like this:


3) Add a filter as needed in Analytics. In this example we are saying, "Only show logs where the Source IP is in the Lookup Table AND the User in the Lookup Table is not 'N/A'".

4) Then we use the Display Fields to look up the Source IP and display the User.


Let us know how you get on.

Thanks



------------------------------
Daniel
FortiSIEM Product Manager
------------------------------
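The lookup-table join Daniel describes, written out as an added example that is not part of this thread or of FortiSIEM itself: a small Python script over constructed ClearPass and FortiGate sample lines (the field names are assumptions) that builds the IP-keyed table from successful authentications, keeps only firewall events whose source IP is in the table with a user other than 'N/A', and emits the username / IP / destination rows the original question asked for.

```python
import re

# Constructed sample ClearPass authentication events (hypothetical key=value format).
CLEARPASS_LOGS = [
    "2022-02-08T14:01:02 ClearPass auth user=alice result=ACCEPT framed_ip=10.1.1.10",
    "2022-02-08T14:01:05 ClearPass auth user=bob result=ACCEPT framed_ip=10.1.1.11",
    "2022-02-08T14:01:09 ClearPass auth user=mallory result=REJECT framed_ip=N/A",
]

# Constructed sample FortiGate traffic events (key=value style, fields assumed).
FORTIGATE_LOGS = [
    "date=2022-02-08 time=14:02:10 srcip=10.1.1.10 dstip=93.184.216.34 dstport=443 action=accept",
    "date=2022-02-08 time=14:02:12 srcip=10.1.1.11 dstip=198.51.100.7 dstport=22 action=deny",
    "date=2022-02-08 time=14:02:15 srcip=10.1.1.99 dstip=203.0.113.5 dstport=80 action=accept",
    "date=2022-02-08 time=14:02:20 srcip=10.1.1.10 dstip=203.0.113.9 dstport=53 action=accept",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Turn 'key=value key=value ...' into a dict; tokens without '=' are ignored."""
    return dict(KV_RE.findall(line))


def build_lookup_table(clearpass_lines):
    """Steps 1-2: lookup table keyed by SourceIP -> User, from successful auths only.
    A later authentication for the same IP overwrites the earlier one, which mirrors
    a scheduled report refreshing the table; DHCP reassignment between runs is the
    main source of wrong attributions with an IP-keyed table."""
    table = {}
    for line in clearpass_lines:
        f = parse_kv(line)
        if f.get("result") == "ACCEPT" and f.get("framed_ip", "N/A") != "N/A":
            table[f["framed_ip"]] = f["user"]
    return table


def join_firewall_events(fortigate_lines, lookup):
    """Steps 3-4: filter to srcip in the table with User != 'N/A', then add the User column."""
    rows = []
    for line in fortigate_lines:
        f = parse_kv(line)
        user = lookup.get(f.get("srcip"), "N/A")   # unknown IP -> 'N/A' -> dropped by the filter
        if user == "N/A":
            continue
        rows.append({"user": user, "ip": f["srcip"],
                     "destination": f"{f['dstip']}:{f['dstport']}", "action": f["action"]})
    return rows
```

Calling `join_firewall_events(FORTIGATE_LOGS, build_lookup_table(CLEARPASS_LOGS))` yields three rows (two for alice, one for bob) and drops the 10.1.1.99 event that has no ClearPass session behind it.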
ParthaBhattacharya

Use the concept of lookup table in 6.4.0.


Store the ClearPass authentication data in a lookup table with IP as the key.







DanielHanman
Staff

Hi Sadek,

We have posted a more in-depth blog post on this topic:

https://community.fortinet.com/t5/FortiSIEM-Discussions/join-events-from-two-log-sources-together-in...

Thanks

Dan

------------------------------
Daniel
FortiSIEM Product Manager
------------------------------