Is anyone else experiencing strange behavior with their Fortinet FortiGate events that are being shipped to Azure Sentinel? Around 6/11 - 6/12 we started seeing what appears to be an issue with the internal FortiGate parser. Previous to 6/11 we were seeing only 2 unique device externalIDs structured as such: FG5H0E##########. On 6/11 we began to see more than 40 unique externalIDs. This data is present on the CommonSecurityLog table and is not being parsed on our end before it is interpreted. These IDs included the original 2, plus what appear to be misparsed IDs:
FG5H0E#######
FG5H0E#####
FG5H
FG5H0E##########FTNTFGTeven
FG5H0E##########FTNTFGTeventtim
This is being piped to Azure Sentinel via the log forwarder outlined in the knowledge base articles, and I have also confirmed no changes have been made to this function.
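One way to triage the symptom described above, as an added example that is not part of the original post: classify each distinct DeviceExternalID exported from CommonSecurityLog against the known-good serials, separating values cut short from values that ran past the end of the serial. The serials, sample list and the names `KNOWN_IDS`, `MIN_PREFIX`, `classify` and `triage` are constructed for illustration.

```python
from collections import Counter

# Constructed serials: the post masks the real ones as FG5H0E##########.
KNOWN_IDS = {"FG5H0E1111111111", "FG5H0E2222222222"}
MIN_PREFIX = 4  # shortest fragment still attributed to a known serial


def classify(ext_id, known=KNOWN_IDS):
    """Return (label, matched_serial, trailing_text) for one observed ID."""
    if ext_id in known:
        return ("known", ext_id, "")
    for serial in sorted(known):
        # Known serial plus extra characters: the field boundary was missed
        # and text that follows the serial in the record leaked into the value.
        if ext_id.startswith(serial):
            return ("overrun", serial, ext_id[len(serial):])
    # Proper prefix of a known serial: the value was cut short.
    matches = sorted(s for s in known if s.startswith(ext_id))
    if len(ext_id) >= MIN_PREFIX and matches:
        # A fragment shared by several serials cannot be attributed to one.
        return ("truncated", matches[0] if len(matches) == 1 else None, "")
    return ("unknown", None, "")


def triage(observed, known=KNOWN_IDS):
    """Count labels and collect the values that are not in the baseline."""
    counts, suspects = Counter(), []
    for ext_id in observed:
        label, serial, trailing = classify(ext_id, known)
        counts[label] += 1
        if label != "known":
            suspects.append((ext_id, label, serial, trailing))
    return counts, suspects


# Constructed sample shaped like the values listed in the post.
OBSERVED = [
    "FG5H0E1111111111", "FG5H0E2222222222",
    "FG5H0E1111111", "FG5H0E22222", "FG5H",
    "FG5H0E1111111111FTNTFGTeven", "FG5H0E2222222222FTNTFGTeventtim",
    "FGVM000000000000",  # matches no baseline serial: review separately
]

if __name__ == "__main__":
    counts, suspects = triage(OBSERVED)
    print(dict(counts))
    for row in suspects:
        print(row)
```

Values labelled `unknown` are the ones to review as possible new devices; `truncated` and `overrun` values point at a field-boundary problem in the pipeline rather than at new hardware.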