Azure Sentinel Fortinet Parser

Anonymous
2021-06-15T14:38:38.803+00:00

Is anyone else experiencing strange behavior with their Fortinet Fortigate events that are being shipped to Azure Sentinel? Around 6/11 - 6/12 we started seeing what appears to be an issue with the internal Fortigate parser. Prior to 6/11 we were seeing only 2 unique device externalIDs, structured as such: FG5H0E##########. On 6/11 we began to see more than 40+ unique externalIDs. This data is present in the CommonSecurityLog table and is not being parsed on our end before it is interpreted. These IDs included the original 2, plus what appear to be mis-parsed IDs:

FG5H0E#######
FG5H0E#####
FG5H
FG5H0E##########FTNTFGTeven
FG5H0E##########FTNTFGTeventtim

This is being piped to Azure Sentinel via the log forwarder outlined in the knowledge base articles, and I have also confirmed that no changes have been made to this function.
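A defender-side check for the symptom described above, added here as an example and not part of the original post: it classifies CommonSecurityLog DeviceExternalID values as well-formed, truncated, or overrun (a following CEF key such as "FTNTFGTeventtime" glued onto the serial), so a parser regression shows up as a class count rather than as phantom new devices. The column names are the standard CommonSecurityLog ones; the alphanumeric character class for the masked part of the serial and the sample rows are assumptions.

```python
import re
from collections import Counter

# Expected FortiGate DeviceExternalID shape from the question: "FG5H0E" followed
# by ten characters (the post masks them with '#'; alphanumerics are an assumption).
EXPECTED_ID = re.compile(r"^FG5H0E[0-9A-Z]{10}$")
# A well-formed ID with CEF key text glued on, e.g. "...FTNTFGTeventtim" in the post:
# the extension boundary was lost and the next key leaked into the value.
OVERRUN_ID = re.compile(r"^(FG5H0E[0-9A-Z]{10})(FTNTFGT\w*)$")
BASELINE_LEN = 16

def classify_external_id(value):
    """Return 'ok', 'overrun', 'truncated' or 'unknown' for one DeviceExternalID."""
    if EXPECTED_ID.match(value):
        return "ok"
    if OVERRUN_ID.match(value):
        return "overrun"
    if value and len(value) < BASELINE_LEN and "FG5H0E".startswith(value[:6]):
        return "truncated"
    return "unknown"

def recover_id(value):
    """Strip leaked key text from an overrun ID; return None if nothing to recover."""
    m = OVERRUN_ID.match(value)
    return m.group(1) if m else None

def audit_records(records, known_ids):
    """Summarise DeviceExternalID health for Fortinet rows of a CommonSecurityLog pull."""
    by_class = Counter()
    distinct, new_ids = set(), set()
    for row in records:
        if row.get("DeviceVendor") != "Fortinet":
            continue
        ext = row.get("DeviceExternalID", "")
        distinct.add(ext)
        cls = classify_external_id(ext)
        by_class[cls] += 1
        if cls == "ok" and ext not in known_ids:
            new_ids.add(ext)  # a genuinely new device, not a parser artefact
    return {"distinct": len(distinct), "by_class": dict(by_class),
            "new_devices": sorted(new_ids)}

# Constructed sample rows (not real log data): the two baseline IDs plus the
# malformed shapes listed in the question, with digits standing in for '#'.
KNOWN = {"FG5H0E1234567890", "FG5H0E0987654321"}
SAMPLE = [{"DeviceVendor": "Fortinet", "DeviceExternalID": v} for v in (
    "FG5H0E1234567890", "FG5H0E0987654321", "FG5H0E1234567",
    "FG5H0E12345", "FG5H", "FG5H0E1234567890FTNTFGTeven",
    "FG5H0E0987654321FTNTFGTeventtim", "FG5H0E1111111111")]

if __name__ == "__main__":
    print(audit_records(SAMPLE, KNOWN))
```

The same first-pass filter in Sentinel itself (assumed, not from the post) would be `CommonSecurityLog | where DeviceVendor == "Fortinet" | where not(DeviceExternalID matches regex @"^FG5H0E[0-9A-Z]{10}$") | summarize count() by DeviceExternalID`.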


1 answer

  1. Marilee Turscak-MSFT, Microsoft Employee
    2021-06-15T19:20:51.76+00:00

    It looks like those IDs are related to the Fortinet modules: https://www.forticloud.com/help/supportedmodels.html

    Like you said, this seems to be an issue with the Fortinet parser. Fortinet is supported on its own forum (as Microsoft Q&A only supports Microsoft products). I would recommend reaching out there for help with this: https://forum.fortinet.com/

