FortiAnalyzer Installed EMS features report returning blank fields for several endpoints
FortiClient EMS Cloud (7.0.6) -> FortiAnalyzer VM hosted (7.0.4)
I am trying to extract a report showing a breakdown of all our EMS endpoints, along with their installed and enabled features (av, fw, vuln, etc).
This is proving to be really difficult, but using the log viewer as a starting point, I get this query:
select `uid`,
       string_agg(distinct `user`, ' ') as user__agg_,
       string_agg(distinct `hostname`, ' ') as hostname__agg_,
       string_agg(distinct `epenfeatures`, ' ') as epenfeatures__agg_,
       string_agg(distinct `epfeatures`, ' ') as epfeatures__agg_
from ###(select `uid`, `user`, `hostname`, `epenfeatures`, `epfeatures`
         from $log where $filter
         group by `uid`, `user`, `hostname`, `epenfeatures`, `epfeatures`
         order by `uid` desc)### t
group by `uid` order by `uid` desc
The problem I'm currently having is that many of these fields (especially 'epenfeatures') are returning empty for most endpoints, when I can clearly see that data in FortiClient EMS Cloud.
I have already tried using tags as shown in that document, and using zero trust tags, but there are no rules for getting the installed features, and custom tags would mean manually tagging every endpoint.
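As an added illustration (not from the original post or from Fortinet), the script below rebuilds the same per-uid aggregation over a constructed set of EMS-style log rows in SQLite, with group_concat standing in for string_agg and an itime window standing in for $filter (both assumptions), and adds a check that separates a uid whose rows never carried epenfeatures inside the window from one that logged an empty string.

```python
import sqlite3

# Constructed sample rows using the field names from the query above.
# Values are made up; only some rows carry the feature fields, which is
# an assumption about how the EMS logs are populated, not a Fortinet fact.
SAMPLE_ROWS = [
    # uid, user, hostname, epfeatures, epenfeatures, itime
    ("ep-001", "alice", "LAPTOP-A", "av fw vuln", "av fw", 100),
    ("ep-001", "alice", "LAPTOP-A", None, None, 200),  # row without feature fields
    ("ep-002", "bob", "LAPTOP-B", None, None, 150),    # never reports features
    ("ep-002", "bob", "LAPTOP-B", None, None, 250),
    ("ep-003", "carol", "LAPTOP-C", "av", "", 180),    # empty string, not NULL
]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table log (uid, user, hostname, epfeatures, epenfeatures, itime integer)")
    conn.executemany("insert into log values (?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def feature_report(conn, since=0):
    """Port of the forum query. group_concat(distinct ...) skips NULLs exactly as
    string_agg does, so a uid whose in-window rows all lack the field comes back NULL."""
    sql = """
    select uid,
           group_concat(distinct user) as user__agg_,
           group_concat(distinct hostname) as hostname__agg_,
           group_concat(distinct epenfeatures) as epenfeatures__agg_,
           group_concat(distinct epfeatures) as epfeatures__agg_
    from (select uid, user, hostname, epenfeatures, epfeatures
          from log where itime >= ?
          group by uid, user, hostname, epenfeatures, epfeatures) t
    group by uid order by uid desc"""
    return {row[0]: row[1:] for row in conn.execute(sql, (since,))}

def diagnose_blank(conn, since=0):
    """Classify each uid: field populated, empty string logged, or absent from
    every row in the window (the case the aggregate silently turns into a blank)."""
    sql = """
    select uid,
           sum(epenfeatures is not null and epenfeatures <> '') as populated,
           sum(epenfeatures = '') as empty_string,
           count(*) as rows_in_window
    from log where itime >= ? group by uid"""
    out = {}
    for uid, populated, empty, total in conn.execute(sql, (since,)):
        if populated:
            out[uid] = "populated"
        elif empty:
            out[uid] = "empty string logged"
        else:
            out[uid] = "field absent from all %d rows in window" % total
    return out
```

Narrowing the window to since=150 turns ep-001 blank as well, because its only row carrying the fields falls outside the filter.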