Fortinet FortiAnalyzer integration
You can integrate Fortinet FortiAnalyzer with Sophos Central so that it sends reports to Sophos for analysis.
This page gives you an overview of the integration.
Note
This integration lets the FortiAnalyzer Appliance and VM Subscription products forward data to Sophos. However, FortiAnalyzer Cloud can't forward logs, including security events, so isn't compatible with this integration. See Limitations of FortiAnalyzer Cloud.
Fortinet FortiAnalyzer product overview
Fortinet's FortiAnalyzer platform centralizes the collection and interpretation of network events. Sophos can ingest FortiGate firewall alerts via FortiAnalyzer.
FortiGate is a next-generation firewall that delivers advanced threat protection and performance optimization. Its integrated platform consolidates various security and networking functions, offering users protection against sophisticated threats.
Sophos documents
Integrate Fortinet FortiAnalyzer (API)
What we ingest
Sample alerts seen by Sophos:
- Risky App usage
- Web traffic to C2 domain
- Malware provided from address
- Traffic to botnet domain
- Intrusion logs
- Configuration changes
Alerts ingested in full
We ingest events returned from the FortiAnalyzer /eventmgmt/adom endpoint.
Filtering
We query the eventmgmt/adom endpoint.
We filter the results to remove data provided in a non-compliant format.
Then we DROP alerts matching the following types as uninteresting:
",\\\\W+subject\\\\W+vpntunnel:*",
",\\\\W+subject\\\\W+Web request to Unrated blocked",
",\\\\W+subject\\\\W+IP scanning on Port: .* detected",
",\\\\W+subject\\\\W+SSL connection is exempted based on allowlist.",
",\\\\W+subject\\\\W+SSL connection is exempted based on address.",
"Link monitor: Interface .* was turned down",
"Link monitor: Interface .* was turned up",
"logdesc:Memory log full over final warning level",
"logdesc:Memory log full over second warning level",
"desc\\\\:Disk quota alert",
"desc\\\\:Disk quota warning",
",\\\\W+subject\\\\W+Insecure SSL Connection blocked"
Sample threat mappings
The alert type is defined as follows:
If the message field isn't empty, we search it for a specified regex pattern. Otherwise we check for the existence of the FTNTFGTattack, ad.subtype, and cat fields and assign their values accordingly. If no matches are found, we use the trimmed message field.
Sample Alerts:
{"alertType": "Fortigate had experienced an unexpected power off!"}
{"threatId": "T1562.001", "threatName": "Disable or Modify Tools"}
{"alertType": "Add dnsfilter.domain-filter N", "threatId": "TA0005", "threatName": "Defense Evasion"}
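The following is an added example, not Sophos code, showing how the drop filter from the Filtering section and the alert-type derivation described under Sample threat mappings can be reproduced locally to check which of your own FortiAnalyzer events would be kept and how they would be labelled. It assumes the page's doubled escaping (`\\\\W`) denotes the regex class `\W`, that the drop patterns are matched against the serialized event text, and that the message regex (here a hypothetical `CONFIG_CHANGE_PATTERN`) is supplied by the caller, since the page does not disclose the pattern Sophos uses.

```python
import re
from typing import Optional

# Drop patterns copied from the page, with the doubled JSON escaping collapsed
# to plain regex (assumption: "\\\\W" on the page denotes the regex class \W).
DROP_PATTERNS = [
    r",\W+subject\W+vpntunnel:*",
    r",\W+subject\W+Web request to Unrated blocked",
    r",\W+subject\W+IP scanning on Port: .* detected",
    r",\W+subject\W+SSL connection is exempted based on allowlist.",
    r",\W+subject\W+SSL connection is exempted based on address.",
    r"Link monitor: Interface .* was turned down",
    r"Link monitor: Interface .* was turned up",
    r"logdesc:Memory log full over final warning level",
    r"logdesc:Memory log full over second warning level",
    r"desc\:Disk quota alert",
    r"desc\:Disk quota warning",
    r",\W+subject\W+Insecure SSL Connection blocked",
]
_DROP_RE = [re.compile(p) for p in DROP_PATTERNS]

# Hypothetical message regex for configuration-change events; the page does
# not disclose the pattern Sophos actually applies to the message field.
CONFIG_CHANGE_PATTERN = re.compile(r"^(Add|Edit|Delete) \S+ \S+")

# Constructed raw event lines (not captured from a real appliance).
SAMPLE_DROPPED = 'devid=FG100, subject="Link monitor: Interface wan1 was turned down"'
SAMPLE_KEPT = 'devid=FG100, subject="Traffic to botnet domain", cat=botnet'


def is_dropped(raw_event: str) -> bool:
    """True when the raw event text matches one of the uninteresting patterns."""
    return any(rx.search(raw_event) for rx in _DROP_RE)


def alert_type(event: dict, message_pattern: re.Pattern) -> Optional[str]:
    """Derive alertType in the order the page describes: regex on a non-empty
    message, then the FTNTFGTattack / ad.subtype / cat fields, then the trimmed
    message. Returns None when nothing usable is present."""
    message = event.get("message", "")
    if message:
        match = message_pattern.search(message)
        if match:
            return match.group(0)
    for field in ("FTNTFGTattack", "ad.subtype", "cat"):
        if event.get(field):
            return str(event[field])
    return message.strip() or None
```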