Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 26.2.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiCNAPP Administration Guide
    26.2.0
    26.2.0

    Splunk alert channel

    Splunk alert channel

    You can configure FortiCNAPP to forward alerts to Splunk using an HTTP Event Collector (HEC).

    FortiCNAPP forwards alerts to Splunk using a destination port of either 80 or 443. If Splunk is configured to use another port (for example, 8088) you must set up port forwarding.

    FortiCNAPP does not support the use of self-signed SSL/TLS certificates for the Splunk server URL.

    Creating a Splunk HTTP event collector

    To create a Splunk HTTP event collector:
    1. Navigate to Settings > Data Inputs.
    2. In the HTTP Event Collector row, select + Add new.
    3. On the Select Source page:
      1. Provide a name for your token.
      2. Optionally, override the default source name and provide a description. For example, lacework_alerts and HEC for Lacework Alerts.
      3. Optionally, specify an Output Group.
      4. At the top of the page, click Next.
    4. On the Input Settings page:
      1. Specify a Source type or leave as automatic. FortiCNAPP sends the data as json, so you can explicitly choose _json under Structured.
      2. Choose an App Context as applicable to your Splunk design and use.
      3. Choose Indexes as applicable to your Splunk design and use.
      4. At the top of the page, click Review.
    5. On the Review page, review your inputs, and click Submit at the top of the page.

    You should see the message Token has been created successfully. Copy the token, index, source and resolvable hostname or IP address of your Splunk instance.

    Creating a Splunk alert channel

    To create a Splunk alert channel:
    1. Log in to the console as a user with administrative privileges.
    2. Go to Settings > Notifications > Channels.
    3. Click + Add new.
    4. Select Splunk.
    5. Click Next.
    6. Verify that you have created your Splunk HTTP event collector as described in Create a Splunk HTTP Event Collector.
    7. Name the channel.
    8. Enter your Splunk HEC token.
    9. Optionally, enter a Splunk channel.
    10. Enter the resolvable hostname or IP address of your Splunk instance (such as http-inputs-<customer>.splunkcloud.com). Do not include the port number before http:// and exclude /services/collector at the end of the hostname or IP address.
    11. Enter the destination port for forwarding events [80 or 443].
    12. Check the SSL box if appropriate.
    13. Enter your Splunk index.
    14. Enter your Splunk source.
    15. Click Save.
    16. Click Alert Rules and configure your required alert routing details by leveraging the alert channel you created.

    To test your alert channel, click Test. You should see a confirmation of the test and a single alert sent to Splunk with the field-value pair of 'host :login.lacework.net'. You should start to receive FortiCNAPP alert notifications in Splunk.

    Creating a FortiCNAPP Splunk alert channel using Terraform

    For organizations using Terraform to manage their environments, FortiCNAPP maintains the Terraform provider, which enables configuration of alert channels using automation.

    For a complete list of custom Terraform resources to manage alert channels in FortiCNAPP, see Manage alert channels with Terraform.

    resource "lacework_alert_channel_splunk" "ops_critical" {
  name      = "OPS Critical Alerts"
  hec_token = "BA696D5E-CA2F-4347-97CB-3C89F834816F"
  host = "localhost"
  port = "80"
  event_data {
    index = "index"
    source = "source"
  }
}

    Additional information on the lacework_alert_channel_splunk resource can be found on the Terraform Registry.

    Previous
    Next

    Splunk alert channel

    Splunk alert channel

    You can configure FortiCNAPP to forward alerts to Splunk using an HTTP Event Collector (HEC).

    FortiCNAPP forwards alerts to Splunk using a destination port of either 80 or 443. If Splunk is configured to use another port (for example, 8088) you must set up port forwarding.

    FortiCNAPP does not support the use of self-signed SSL/TLS certificates for the Splunk server URL.

    Creating a Splunk HTTP event collector

    To create a Splunk HTTP event collector:
    1. Navigate to Settings > Data Inputs.
    2. In the HTTP Event Collector row, select + Add new.
    3. On the Select Source page:
      1. Provide a name for your token.
      2. Optionally, override the default source name and provide a description. For example, lacework_alerts and HEC for Lacework Alerts.
      3. Optionally, specify an Output Group.
      4. At the top of the page, click Next.
    4. On the Input Settings page:
      1. Specify a Source type or leave as automatic. FortiCNAPP sends the data as json, so you can explicitly choose _json under Structured.
      2. Choose an App Context as applicable to your Splunk design and use.
      3. Choose Indexes as applicable to your Splunk design and use.
      4. At the top of the page, click Review.
    5. On the Review page, review your inputs, and click Submit at the top of the page.

    You should see the message Token has been created successfully. Copy the token, index, source and resolvable hostname or IP address of your Splunk instance.

    Creating a Splunk alert channel

    To create a Splunk alert channel:
    1. Log in to the console as a user with administrative privileges.
    2. Go to Settings > Notifications > Channels.
    3. Click + Add new.
    4. Select Splunk.
    5. Click Next.
    6. Verify that you have created your Splunk HTTP event collector as described in Create a Splunk HTTP Event Collector.
    7. Name the channel.
    8. Enter your Splunk HEC token.
    9. Optionally, enter a Splunk channel.
    10. Enter the resolvable hostname or IP address of your Splunk instance (such as http-inputs-<customer>.splunkcloud.com). Do not include the port number before http:// and exclude /services/collector at the end of the hostname or IP address.
    11. Enter the destination port for forwarding events [80 or 443].
    12. Check the SSL box if appropriate.
    13. Enter your Splunk index.
    14. Enter your Splunk source.
    15. Click Save.
    16. Click Alert Rules and configure your required alert routing details by leveraging the alert channel you created.

    To test your alert channel, click Test. You should see a confirmation of the test and a single alert sent to Splunk with the field-value pair of 'host :login.lacework.net'. You should start to receive FortiCNAPP alert notifications in Splunk.

    Creating a FortiCNAPP Splunk alert channel using Terraform

    For organizations using Terraform to manage their environments, FortiCNAPP maintains the Terraform provider, which enables configuration of alert channels using automation.

    For a complete list of custom Terraform resources to manage alert channels in FortiCNAPP, see Manage alert channels with Terraform.

    resource "lacework_alert_channel_splunk" "ops_critical" {
  name      = "OPS Critical Alerts"
  hec_token = "BA696D5E-CA2F-4347-97CB-3C89F834816F"
  host = "localhost"
  port = "80"
  event_data {
    index = "index"
    source = "source"
  }
}

    Additional information on the lacework_alert_channel_splunk resource can be found on the Terraform Registry.

    Previous
    Next