Fortigate SIEM Integration
The FortiGate webhook automation stitch action makes HTTP or HTTPS requests to the AIR server.
Step 1 - Creating a webhook for Fortigate SIEM
- Visit the Webhooks page in Binalyze AIR.
- Click the "+ New Webhook" button in the upper right corner.
- Provide a self-explanatory name.
- Select "Fortigate SIEM Webhook Parser" as the parser for this webhook.
- Select the Acquisition Profile to run when the trigger activates this webhook.
- Set the Ignore option or leave it at its default value (24 hours, during which repeated alerts for the same endpoint are ignored).
- Provide the remaining settings (Evidence Repository, CPU Limit, Compression & Encryption), or let AIR configure them automatically based on the matching policy.
- Click the "Save" button.
Step 2 - Creating the Integration Settings in Fortinet
In this integration, a specific log message (failed administrator login attempt) triggers the FortiGate to send the contents of the log to AIR Console.
To configure the webhook automation stitch in the GUI:
1. Go to Security Fabric > Automation and click Create New.
2. Enter the stitch name.
3. Configure the trigger:
   - Click Add Trigger.
   - Click Create and select FortiOS Event Log.
   - Enter the following:
     - Name: <a descriptive trigger name>
     - Event: <the event to match (in this integration, the failed administrator login)>
   - Click OK.
   - Select the trigger in the list and click Apply.
4. Configure the automation stitch action:
   - Click Add Action.
   - Click Create and select Webhook.
   - Enter the following:
     - Name: Trigger an Acquisition in AIR
     - Protocol: HTTP
     - URL: Paste the Webhook URL
     - Method: POST
     - HTTP body: %%log%% or %%results.source%%
   - Add HTTP Header:
     - Content-Type: application/json
   - Click OK.
   - Select the action in the list and click Apply.
5. Click OK.
Step 3 - Testing the automation stitch in Fortinet
1. Trigger the related event.
2. On the AIR server, check the log to confirm that the FortiGate sent the event contents.
3. The HTTP body placeholder (%%log%% or %%results.source%%) is replaced with the log from the trigger.
4. On the FortiGate, go to Log & Report > Events and select System Events to confirm that the stitch was activated.
5. Go to Security Fabric > Automation to see when the stitch was triggered.
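As an added example (not code from Binalyze or Fortinet), a small receiver-side check of what the stitch sends: it parses the FortiOS key=value log text that %%log%% expands to, also accepts a JSON body, enforces the Content-Type header configured above, and reports whether the log is the failed-administrator-login event this integration is built around. The sample log line, its field names and the handle_webhook/parse_fortios_log helpers are constructed for illustration, not AIR's parser.

```python
import json
import re

# Constructed sample in FortiOS key=value event-log style (not a real device log).
SAMPLE_LOG = (
    'date=2024-01-15 time=10:42:07 type="event" subtype="system" level="alert" '
    'vd="root" logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" '
    'method="https" srcip=203.0.113.7 action="login" status="failed" '
    'reason="passwd_invalid" msg="Administrator admin login failed from https(203.0.113.7)"'
)

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line: str) -> dict:
    """Parse one FortiOS log line into a dict of field -> unquoted value."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def parse_webhook_body(body: str) -> dict:
    """Accept a JSON object, or the raw log text that %%log%% expands to (assumption)."""
    stripped = body.strip()
    if stripped.startswith("{"):
        return json.loads(stripped)
    return parse_fortios_log(stripped)


def is_failed_admin_login(fields: dict) -> bool:
    """The trigger condition this integration targets: a failed login event."""
    return (fields.get("type") == "event"
            and fields.get("action") == "login"
            and fields.get("status") == "failed")


def handle_webhook(headers: dict, body: str) -> dict:
    """Simulated receiver: require the configured Content-Type, then classify the log."""
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if not ctype.startswith("application/json"):
        return {"accepted": False, "reason": "unexpected content-type"}
    fields = parse_webhook_body(body)
    return {"accepted": True,
            "trigger_acquisition": is_failed_admin_login(fields),
            "srcip": fields.get("srcip"),
            "user": fields.get("user")}
```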