Fortinet FortiAnalyzer integration

You can integrate Fortinet FortiAnalyzer with Sophos Central so that it sends reports to Sophos for analysis.

This page gives you an overview of the integration.

Note

This integration lets the FortiAnalyzer Appliance and VM Subscription products forward data to Sophos. However, FortiAnalyzer Cloud can't forward logs, including security events, so it isn't compatible with this integration. See Limitations of FortiAnalyzer Cloud.

Fortinet FortiAnalyzer product overview

Fortinet's FortiAnalyzer platform centralizes the collection and interpretation of network events. Sophos can ingest Fortigate firewall alerts via FortiAnalyzer.

Fortigate is a next-generation firewall that delivers advanced threat protection and performance optimization. Its integrated platform consolidates various security and networking functions, offering users protection against sophisticated threats.

Sophos documents

Integrate Fortinet FortiAnalyzer (API)

What we ingest

Sample alerts seen by Sophos:

  • Risky App usage
  • Web traffic to C2 domain
  • Malware provided from address
  • Traffic to botnet domain
  • Intrusion logs
  • Configuration changes

Alerts ingested in full

We ingest events returned from the FortiAnalyzer /eventmgmt/adom endpoint.

Filtering

We query the eventmgmt/adom endpoint.

We filter the results to remove data provided in a non-compliant format.

Then we drop alerts matching any of the following patterns as uninteresting:

  • ",\\\\W+subject\\\\W+vpntunnel:*",
  • ",\\\\W+subject\\\\W+Web request to Unrated blocked",
  • ",\\\\W+subject\\\\W+IP scanning on Port: .* detected",
  • ",\\\\W+subject\\\\W+SSL connection is exempted based on allowlist.",
  • ",\\\\W+subject\\\\W+SSL connection is exempted based on address.",
  • "Link monitor: Interface .* was turned down",
  • "Link monitor: Interface .* was turned up",
  • "logdesc:Memory log full over final warning level",
  • "logdesc:Memory log full over second warning level",
  • "desc\\\\:Disk quota alert",
  • "desc\\\\:Disk quota warning",
  • ",\\\\W+subject\\\\W+Insecure SSL Connection blocked",

Sample threat mappings

The alert type is defined as follows:

If the message field isn't empty, we search it for a specified regex pattern. Otherwise we check whether the FTNTFGTattack, ad.subtype, and cat fields exist and assign their values accordingly. If no matches are found, we trim the message field.

Sample Alerts:

{"alertType": "Fortigate had experienced an unexpected power off!"}
{"threatId": "T1562.001", "threatName": "Disable or Modify Tools"}
{"alertType": "Add dnsfilter.domain-filter N", "threatId": "TA0005", "threatName": "Defense Evasion"}
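The following is an added example, not Sophos code, showing the filtering order described above (discard non-compliant entries, then drop alerts matching the listed patterns) and the alertType precedence from the threat-mapping section, run over constructed sample alerts. The msg= extraction pattern, the JSON-serialised matching, and the "id" keys are assumptions; the page doesn't specify the regex it uses on the message field.

```python
import json
import re

# Drop patterns copied from the page's list. Assumption: the doubled backslashes
# are JSON escaping, so "\\\\W" is the regex class \W, matching ,"subject":"...
DROP_PATTERNS = [re.compile(p) for p in (
    r",\W+subject\W+vpntunnel:*",
    r",\W+subject\W+Web request to Unrated blocked",
    r",\W+subject\W+IP scanning on Port: .* detected",
    r",\W+subject\W+SSL connection is exempted based on allowlist.",
    r",\W+subject\W+SSL connection is exempted based on address.",
    r"Link monitor: Interface .* was turned down",
    r"Link monitor: Interface .* was turned up",
    r"logdesc:Memory log full over final warning level",
    r"logdesc:Memory log full over second warning level",
    r"desc\:Disk quota alert",
    r"desc\:Disk quota warning",
    r",\W+subject\W+Insecure SSL Connection blocked",
)]

# Hypothetical stand-in for the page's unnamed "specified regex pattern":
# it lifts the quoted msg= value out of a raw FortiGate log line.
MESSAGE_PATTERN = re.compile(r'msg="([^"]*)"')

def is_uninteresting(alert):
    text = json.dumps(alert, separators=(",", ":"))  # match the serialised alert
    return any(p.search(text) for p in DROP_PATTERNS)

def keep_alerts(alerts):  # page order: non-compliant entries first, then drops
    return [a for a in alerts if isinstance(a, dict) and not is_uninteresting(a)]

def alert_type(alert):
    # Precedence: regex on a non-empty message, else the listed fields, else trim.
    msg = alert.get("message", "")
    if msg:
        found = MESSAGE_PATTERN.search(msg)
        return found.group(1) if found else msg.strip()
    for field in ("FTNTFGTattack", "ad.subtype", "cat"):
        if field in alert:
            return str(alert[field])
    return msg.strip()

# Constructed sample alerts, not captured from a real FortiAnalyzer.
SAMPLE_ALERTS = [
    {"id": 1, "subject": "vpntunnel: up"},
    {"id": 2, "message": 'msg="Fortigate had experienced an unexpected power off!"'},
    {"id": 3, "FTNTFGTattack": "Disable or Modify Tools"},
    "not-an-object",
    {"id": 4, "message": "  Add dnsfilter.domain-filter N  "},
]
```

Running keep_alerts over SAMPLE_ALERTS keeps alerts 2, 3 and 4; alert 1 matches the vpntunnel drop pattern and the string entry is discarded as non-compliant.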

Vendor documentation

Creating administrators