BenFerguson-8184 asked BenFerguson-8184 commented

Azure Sentinel Fortinet Parser

Is anyone else experiencing strange behavior with their Fortinet FortiGate events that are being shipped to Azure Sentinel? Around 6/11 - 6/12 we started seeing what appears to be an issue with the internal FortiGate parser. Prior to 6/11 we were seeing only 2 unique device externalIDs, structured as such: FG5H0E##########. On 6/11 we began to see more than 40+ unique externalIDs. This data is present in the CommonSecurityLog table and is not being parsed on our end before it is interpreted. These IDs included the original 2, plus what appear to be misparsed IDs:

FG5H0E#######
FG5H0E#####
FG5H
FG5H0E##########FTNTFGTeven
FG5H0E##########FTNTFGTeventtim

This is being piped to Azure Sentinel via the log forwarder outlined in the knowledge base articles, and I have also confirmed no changes have been made to this function as well.

microsoft-sentinel
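An added KQL query, not taken from the question or the answer, that sizes up the problem in the workspace before escalating to Fortinet: it buckets every Fortinet DeviceExternalID in CommonSecurityLog by shape and counts events per value. The healthy serial shape (FG5H0E plus 10 characters, 16 in total) is assumed from the question's example, and the "FTNTFGT" suffix is assumed to be the next CEF extension key (FTNTFGTeventtime) bleeding into the field when the delimiter is lost.

```kql
// Assumed healthy serial shape, derived from the question's "FG5H0E##########".
let healthyPattern = @"^FG5H0E[A-Z0-9]{10}$";
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor == "Fortinet"
| extend IsWellFormed = DeviceExternalID matches regex healthyPattern
// Truncated values are a prefix of a known serial; overlong values carry
// spill-over such as "FTNTFGTeven", which the question lists verbatim.
| extend Shape = case(
    IsWellFormed, "well-formed",
    DeviceExternalID startswith "FG5H0E" and strlen(DeviceExternalID) < 16, "truncated",
    DeviceExternalID contains "FTNTFGT", "spill-over",
    "other")
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by DeviceExternalID, Shape
| order by Shape asc, Events desc
```

FirstSeen per malformed value lets you confirm whether the onset lines up with 6/11 and whether only certain devices or log types are affected.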

1 Answer

MarileeTurscak-MSFT answered BenFerguson-8184 commented

It looks like those IDs are related to the Fortinet modules: https://www.forticloud.com/help/supportedmodels.html

Like you said, this seems to be an issue with the Fortinet parser. Fortinet is supported on its own forum (as Microsoft Q&A only supports Microsoft products). I would recommend reaching out there for help with this: https://forum.fortinet.com/


Does Fortinet own the development of the internal Azure Sentinel FortiGate parser? I am unsure if "parser" is the correct term to utilize, as it is the interpreter that receives the logs from the forwarder and writes to the CommonSecurityLog table.
