Splunk Enterprise Security

How to create an alert that works with Fortigate Active Response?

lukedunzweiler
Engager

Having a hard time getting an alert that works with FortigateAR. We want to use FortigateAR to block SourceIP based on an IDS alert. I get data from Firewall and it's visible using the Fortinet FortiGate App for Splunk and Fortinet FortiGate Add-on for Splunk. Need an alert that is triggered from IDS that uses AR to block Source IP.

0 Karma

jerryzhao
Contributor

The required fields devid, srcip, dstip, and user are extracted or transformed from the FortiGate log by the add-on, so if your FortiGate FOS version is 5.0 or later, you will be able to get those fields from FortiGate logs.
Can you share the query string for the alert you created, and the matching result?
What problem do you have with the FortiGate alert action? Is no firewall policy being created on the FortiGate?
If you could share $SPLUNK_HOME/var/logs/splunk/FortiGateActions_modalert.log, it would be most helpful.

0 Karma

kchamplin_splun
Splunk Employee

It looks like the AR action that Fortinet wrote (https://splunkbase.splunk.com/app/3444/) requires that the resulting events from your search contain a "devid" field. The devid field is used to retrieve the specific FortiGate device you want to send the commands to. From there, if you set the action to block the "source ip", ensure that your events also contain the field name "srcip", as the AR action is looking for any of the following fields:
- srcip
- dstip
- user

You may need to use eval to massage the field names.

0 Karma
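An added example of the field massaging described in the answer above (not from the thread or the Fortinet add-on): an IDS alert search that renames the source/destination fields to what the AR action expects, excludes internal source ranges so a false positive cannot block your own hosts, and adds the devid of the target FortiGate. The index, sourcetype, severity threshold, original field names (src_ip, dest_ip) and the devid value are assumptions; replace the placeholder with the devid the add-on extracts from that firewall's own logs.

```spl
index=ids sourcetype=suricata event_type=alert severity<=2
| rename src_ip AS srcip, dest_ip AS dstip
| fillnull value="unknown" user
| where isnotnull(srcip)
    AND NOT cidrmatch("10.0.0.0/8", srcip)
    AND NOT cidrmatch("172.16.0.0/12", srcip)
    AND NOT cidrmatch("192.168.0.0/16", srcip)
| eval devid="FGT_DEVID_PLACEHOLDER"
| stats count min(_time) AS first_seen max(_time) AS last_seen values(signature) AS signature
    BY devid srcip dstip user
| where count>=3
| table first_seen last_seen devid srcip dstip user signature count
```

Run the search first and confirm each result row carries devid and srcip before attaching the FortiGate block action; the count threshold keeps a single noisy signature from producing a firewall policy.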