This article helps you to connect your Fortinet FortiGate NGFW via SIEM to the Expel Workbench. The procedure is to port in logs by creating a new Syslog source, configuring that source in Workbench, then your Fortinet device in Workbench.
Note
Some steps in this procedure vary greatly depending upon the SIEM-based technology you use.
Step 1: Logging to a Desired SIEM
Refer to your SIEM documentation or work with your SIEM representative to port in Fortinet logs. You can also refer to the following web references for creating a new Syslog source:
Step 2: Configure the SIEM in Workbench
This link opens the Expel Help Center section for connecting SIEM-based technology to Workbench. Follow the applicable article to configure your SIEM-based tech and confirm that Fortinet logs are flowing through and available.
Step 3: Configure Fortinet in Workbench
-
In a new browser tab, go to https://workbench.expel.io/settings/security-devices?setupIntegration=fortinet_via_siem.
-
Complete the device fields as follows:
-
SIEM - select the SIEM that was onboarded in Step 2.
-
Name - enter the host name of the Fortinet device.
-
Location - enter the geographic location of the device.
-
-
Fill in the Connection Settings fields based on the SIEM you selected:
-
Source category - enter the Sumo Logic source category for this device.
-
Source type - enter the Splunk source type for this device.
-
Resource group name - enter the Secureonix resource group name for this device.
-
Vendor - enter either the Exabeam Fusion SIEM vendor or the Microsoft Sentinel device vendor for this device.
-
Sumologic query indices - if you are subject to Sumo Logic’s Flex pricing, you will need to provide a comma-separated list of indexes you wish Expel to query in this field. If you are on the traditional Sumo Logic pricing model, do not use this field.
If you are not sure if this applies to you or you need more information, see Considerations for Sumo Logic Flex Pricing Customers.
-
- Select Save.