Support Forum
chouaib
New Contributor

FortiSiem Recover data from SQL DB

Hi everyone;

I still have an incident (backdoor found) appearing on the FortiSIEM console; the source of this incident is the IPS of the FortiGate firewall, which detects traffic coming from internal clients towards malicious links.

My need is as follows:
I want to create a rule (or a custom event) which will search the SQL database of the antivirus solution server, in order to confirm whether this client has an antivirus agent or not.
How can the SIEM query and retrieve data from this database?

Richie_C
Staff

Hey Chouaib

FortiSIEM acts on events it receives from various devices. For example, in your case, the anti-virus solution could send a log to FortiSIEM stating that a client does not have an AV agent or maybe the agent is deactivated.

You can then create a rule to trigger based on the event being received.

FortiSIEM has out-of-the-box support for the following DB servers:

https://docs.fortinet.com/document/fortisiem/7.0.2/external-systems-configuration-guide/429432/datab...

There is also out-of-the-box support for the following end-point security software:

https://docs.fortinet.com/document/fortisiem/7.0.2/external-systems-configuration-guide/956241/end-p...

Outside of this, a custom integration would be required. Some options would be as follows:

  • Send events from the application or server to FortiSIEM using SYSLOG
  • Use windows/Linux agent to retrieve a log file from the server
  • Use the HTTP advanced poller to collect logs via an API of the target device

In each of the above cases, you would need to write a custom parser to interpret the events. You could then create the required rule.

I hope that helps.

Take a backup before making any changes
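As an added example (not part of this thread and not Fortinet's own code), the following Python bridge shows the first of the custom-integration options above: look up the client IP the IPS flagged in the AV server's database and emit an RFC 5424 syslog line that a FortiSIEM collector can receive and a custom parser can interpret. The table and column names (av_agents, hostname, ip, agent_active, last_seen) and the sample rows are constructed stand-ins for the real vendor schema, the structured-data enterprise number 32473 is the IANA documentation-reserved value, and the collector address is a placeholder.

```python
import sqlite3
import socket
from datetime import datetime, timezone

# Constructed sample data standing in for the AV server's inventory table.
# Table and column names are assumptions; substitute the vendor's real schema.
SAMPLE_ROWS = [
    ("host-a", "10.0.1.10", 1, "2024-05-01T10:00:00Z"),
    ("host-b", "10.0.1.11", 0, "2024-03-12T08:30:00Z"),
    ("host-c", "10.0.1.12", 1, "2024-05-01T09:45:00Z"),
]

FACILITY_LOCAL0 = 16          # syslog facility used for the bridge's events
SEV_WARNING, SEV_INFO = 4, 6  # RFC 5424 severity codes


def build_sample_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE av_agents (hostname TEXT, ip TEXT, agent_active INTEGER, last_seen TEXT)"
    )
    conn.executemany("INSERT INTO av_agents VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_av_status(conn, ip):
    """Parameterised lookup of one client IP (the IP is bound, never concatenated
    into SQL). Returns a dict, or None if the host has no agent record at all."""
    row = conn.execute(
        "SELECT hostname, agent_active, last_seen FROM av_agents WHERE ip = ?",
        (ip,),
    ).fetchone()
    if row is None:
        return None
    return {"hostname": row[0], "agent_active": bool(row[1]), "last_seen": row[2]}


def sd_escape(value):
    """Escape a structured-data parameter value as RFC 5424 section 6.3.3 requires."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def format_syslog(ip, status, sender="av-bridge", now=None):
    """Build one RFC 5424 syslog line describing the AV status of a client.
    Missing or inactive agents are logged at WARNING, active agents at INFO."""
    now = now or datetime.now(timezone.utc)
    ts = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    if status is None:
        severity, msgid = SEV_WARNING, "AV_AGENT_MISSING"
        fields = {"src_ip": ip, "agent_active": "0", "hostname": "unknown", "last_seen": "never"}
    else:
        active = status["agent_active"]
        severity = SEV_INFO if active else SEV_WARNING
        msgid = "AV_AGENT_OK" if active else "AV_AGENT_INACTIVE"
        fields = {
            "src_ip": ip,
            "agent_active": "1" if active else "0",
            "hostname": status["hostname"],
            "last_seen": status["last_seen"],
        }
    pri = FACILITY_LOCAL0 * 8 + severity
    # SD-ID "avstatus@32473": 32473 is the enterprise number reserved for documentation.
    sd = "[avstatus@32473 " + " ".join(f'{k}="{sd_escape(v)}"' for k, v in fields.items()) + "]"
    return f"<{pri}>1 {ts} {sender} av-bridge - {msgid} {sd} AV agent check for {ip}"


def send_udp(line, collector_host, collector_port=514):
    """Ship one line to the FortiSIEM collector over UDP syslog (not called below)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (collector_host, collector_port))


def check_clients(conn, ips, now=None):
    """Look up each client IP flagged by the IPS and return the syslog lines."""
    return [format_syslog(ip, lookup_av_status(conn, ip), now=now) for ip in ips]


if __name__ == "__main__":
    db = build_sample_db()
    # Constructed IPs: one active agent, one inactive, one unknown to the AV server.
    for line in check_clients(db, ["10.0.1.10", "10.0.1.11", "10.0.1.99"]):
        print(line)  # in production: send_udp(line, "<collector-ip placeholder>")
```

The custom parser on the FortiSIEM side would then map the `src_ip` and `agent_active` parameters from the structured-data block to event attributes, and the rule can match `agent_active="0"` for the same client IP the FortiGate IPS reported.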