I still have an incident (backdoor found) appearing on the FortiSIEM console; the source of this incident is the IPS of the FortiGate firewall, which detects traffic coming from internal clients towards malicious links.
My need is as follows: I want to create a rule (or a custom event) which will search the SQL database of the antivirus solution server, in order to confirm whether this client has an antivirus agent or not. How can the SIEM query and retrieve data from this database?
FortiSIEM acts on events it receives from various devices. For example, in your case, the anti-virus solution could send a log to FortiSIEM stating that a client does not have an AV agent, or maybe that the agent is deactivated.
You can then create a rule to trigger based on the event being received.
FortiSIEM has out-of-the-box support for the following DB servers:
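The event-driven approach the answer above describes, as an added example that is not part of this thread or of any Fortinet product: a small script takes the source IP from the IPS incident, looks it up in the antivirus server's database with a parameterised query (the IP is untrusted input taken from a firewall event, so it must never be concatenated into SQL text), and, when the host has no agent or a disabled one, emits a CEF-style syslog event that the SIEM can receive and match with a rule. The AV schema, the sample inventory, the vendor/product strings in the event and the collector address are all constructed for this example; a real AV product's schema will differ, and the event format would need a matching parser on the SIEM side.

```python
"""
Added example (not from the thread): correlate the source IP of an IPS
'backdoor' incident with an antivirus server's database and emit a syslog
event when the host has no AV agent or a disabled one, so the SIEM can
fire a rule on the received event instead of querying the database itself.
The AV schema, host list, event format and collector address are all
constructed/hypothetical.
"""
import re
import socket
import sqlite3
from datetime import datetime, timezone

# Hypothetical AV server schema (constructed; real products differ).
AV_SCHEMA = """
CREATE TABLE endpoints (
    hostname        TEXT NOT NULL,
    ip_address      TEXT NOT NULL UNIQUE,
    agent_installed INTEGER NOT NULL,  -- 1 = agent present on the host
    agent_enabled   INTEGER NOT NULL   -- 1 = real-time protection on
);
"""

# Constructed sample inventory, one row per endpoint.
SAMPLE_ENDPOINTS = [
    ("ws-01", "10.1.1.10", 1, 1),  # healthy
    ("ws-02", "10.1.1.11", 1, 0),  # agent installed but disabled
    ("ws-03", "10.1.1.12", 0, 0),  # no agent at all
]


def open_sample_db():
    """In-memory SQLite stand-in for the AV server's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(AV_SCHEMA)
    conn.executemany("INSERT INTO endpoints VALUES (?, ?, ?, ?)", SAMPLE_ENDPOINTS)
    conn.commit()
    return conn


def av_status(conn, ip):
    """Return (status, hostname); status is 'protected', 'agent_disabled',
    'no_agent' or 'unknown'. The IP comes from an IPS event (untrusted),
    so it is bound as a parameter, never formatted into the SQL string."""
    row = conn.execute(
        "SELECT hostname, agent_installed, agent_enabled "
        "FROM endpoints WHERE ip_address = ?",
        (ip,),
    ).fetchone()
    if row is None:
        return "unknown", None
    hostname, installed, enabled = row
    if not installed:
        return "no_agent", hostname
    if not enabled:
        return "agent_disabled", hostname
    return "protected", hostname


# CEF severities (0-10) for the conditions worth alerting on.
SEVERITY = {"no_agent": 8, "agent_disabled": 6, "unknown": 5}


def build_event(ip, status, hostname):
    """CEF-style syslog payload (hypothetical vendor/product strings).
    Returns None for a protected host: nothing to tell the SIEM."""
    if status == "protected":
        return None
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f"CEF:0|ExampleAV|AgentCheck|1.0|{status}|AV agent check|{SEVERITY[status]}|"
        f"rt={ts} src={ip} shost={hostname or 'unknown'} "
        f"cs1Label=avStatus cs1={status}"
    )


def send_syslog(line, collector_ip, port=514):
    """Ship one event to the SIEM collector over UDP syslog (PRI 13 = user.notice)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(f"<13>{line}".encode(), (collector_ip, port))


def rule_condition(event_line):
    """The condition a SIEM rule would apply to the received event: fire when
    the avStatus field says the host is unprotected or not in the inventory."""
    m = re.search(r"\bcs1=(\S+)", event_line)
    return bool(m) and m.group(1) in ("no_agent", "agent_disabled", "unknown")


def check_incident_source(conn, ip):
    """Full path for one IPS incident: look the source IP up, build the event
    (None if the host is protected) and report whether the rule would fire."""
    status, hostname = av_status(conn, ip)
    event = build_event(ip, status, hostname)
    return event, (rule_condition(event) if event else False)


if __name__ == "__main__":
    db = open_sample_db()
    for src in ("10.1.1.10", "10.1.1.11", "10.1.1.12", "10.9.9.9"):
        event, fires = check_incident_source(db, src)
        print(src, "->", event or "protected, no event", "| rule fires:", fires)
        # send_syslog(event, "192.0.2.10")  # hypothetical collector address
```

Run on a schedule or on each IPS incident, the script only ever sends the SIEM a single fact per host (agent present, disabled, or missing), which is exactly the event the answer says a rule should be built on; the SIEM never opens a database connection, and the database never sees an unparameterised string derived from firewall traffic.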