Fortigate SIEM Integration

The Fortigate's webhook automation stitch action makes HTTP and HTTPS requests to AIR server.

Step 1 - Creating A webhook for Fortigate SIEM

  • Visit the Webhooks page in Binalyze AIR,

  • Click the "+ New Webhook" button in the upper right corner,

  • Provide a self-explanatory name,

  • Select "Fortigate SIEM Webhook Parser" as the parser for this webhook,

  • Select an Acquisition Profile when the trigger activates this webhook,

  • Select the Ignore option or leave with its default value (defaults to 24 hours for recurrent alerts for a single endpoint),

  • Provide other settings such as Evidence Repository, CPU Limit, Compression & Encryption to use or let AIR configure them automatically based on the matching policy

  • Click the "Save" button.

Step 2 - Creating the Integration Settings in Fortinet,

In this integration, a specific log message (failed administrator login attempt) triggers the FortiGate to send the contents of the log to AIR Console.

To configure the webhook automation stitch in the GUI:

  1. Go to Security Fabric > Automation and click Create New.

  2. Enter the stitch name.

  3. Configure the trigger:

    • Click Add Trigger.

    • Click Create and select FortiOS Event Log.

    • Enter the following:

      • Name: <Give name>

      • Event: <Description>

    • Click OK.

    • Select the trigger in the list and click Apply.

  4. Configure the automation stitch action:

    • Click Add Action.

    • Click Create and select Webhook.

    • Enter the following:

      • Name: Trigger an Acquisition in AIR

      • Protocol: HTTP

      • URL: Paste the Webhook URL

      • Method: POST

      • HTTP body: %%log%% or %%results.source%%

      • Add HTTP Header Content-Type: application/json

      • Click OK.

      • Select the action in the list and click Apply.

  5. Click OK.

Step 3 - To test the automation stitch in Fortinet

  1. Trigger the related event,

  2. On the server, check the log to see that FortiGate sent its contents.

  3. The body content is replaced with the log from the trigger.

  4. On the FortiGate, go to Log & Report > Events and select System Events to confirm that the stitch was activated.

  5. Go to Security Fabric > Automation to see when the stitch was triggered.

Last updated