Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiDeceptor 6.2.1 Administration Guide
    6.2.1
    6.2.1
    6.2.0
    6.1.1
    6.1.0
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.2
    5.2.0
    5.1.0
    5.0.0
    4.3.0
    4.2.0
    4.1.1
    4.1.0
    4.0.2
    4.0.1
    4.0.0
    3.3.3
    3.3.2
    3.3.1
    3.3.0
    3.2.2
    3.2.1
    3.2.0
    3.1.1
    3.1.0
    3.0.2
    3.0.1
    3.0.0
    2.1.0
    2.0.0
    1.1.0
    1.0.1

    Integration with Splunk Watch List

    Integration with Splunk Watch List

    This topic provides steps for integrating FortiDeceptor with Splunk, focusing on setting up data sources, creating lookups, searches, roles, users, and tokens.

    To integrate FortiDeceptor with Splunk Watch List:
    1. Set up the Data Source
    2. Create a new lookup
    3. Create a new search
    4. Create a new role
    5. Create a new user
    6. Create a new token
    7. Configure the integration in FortiDeceptor

      8. Artifacts list

    1. Set up the Data Source

    1. Go to Settings > Data > Data Inputs > Add New.

    2. In the File or Directory field, click Browse and select auth logs from /var/log/auth.log.

    3. Click Next.

    2. Create a new lookup

    For detailed information about creating a lookup in Splunk, see the product documentation.

    1. In Splunk, go to Apps > Splunk App for Lookup File Editing.

    2. In the Lookup Editor, click Lookups > Create New Lookup.

    3. Choose to create a CSV lookup.

    Below is an example of a FortiDeceptor CSV lookup in Splunk.

    The Key Name column is used to match field values from your events is the username column.

    3. Create a new search

    1. Go to Apps > Search & Reporting

    2. In the New Search field, enter search statements and select the search period from the dropdown list (e.g., Last 24 hours).

      Example:

      source="/var/log/auth.log" host="virtual-machine" sourcetype="LocalAuthLog" | lookup alert_username_lookup.csv username as username OUTPUT username | search username=* | table username, _time

    3. To save the alert, click Save As > Alert and give a name, such as Alert for username.

    4. Create a new role

    1. Go to Settings > USERS AND AUTHENTICATION > Roles.
    2. Click New Role.

    3. Define the role:
      1. In the Role Name field, enter a name for the role (for example, restapi_role)
      2. In the Inheritance tab, select user.

      3. You can use the defaults in the Capabilities, Indexes, Restrictions and Resources tabs.
      4. Click Save.

    5. Create a new user

    1. Go to Settings > USERS AND AUTHENTICATION > Users.

    2. Click New user.
    3. Define the new user (Full name, Email address, etc)
    4. In the Assign roles area, assign the role you created in the previous steps. In this example, restapi_role.

    6. Create a new token

    1. Go to Settings > USERS AND AUTHENTICATION > Tokens.
    2. Click New Token.

    3. Click Create to generate a new token.

    4. Copy and save the token. You will need this token later.

    7. Configure the integration in FortiDeceptor

    1. In FortiDeceptor go to Fabric > Quarantine Integration.
    2. Click Quarantine integration with new device. The Integrate With New Device pane opens.
    3. Configure the integration.

      Integrate MethodSelect Splunk-Watch-List.
      IP/URL Enter the IP address of the Splunk instance
      API Token Enter the token you created in 6. Create a new token.
      Triggered Alert NameEnter the alert name you created in 3. Create a new search.
      Key Name in Lookup CSVEnter the name of the CSV you created in 2. Create a new lookup.

    4. Configure the other settings as required and click Save.

    After the integration has been initialized, go to Incident > Analysis to view the events.

    Artifacts list

    Extracted from the file system
    • IE/Firefox/Chrome History
    • Named Pipes
    • Prefetch Startup
    • Directories
    Extracted from the registry
    • Installer Folders
    • Recent Docs
    • Services
    • UserAssists
    • Networks List
    Previous
    Next

    Integration with Splunk Watch List

    Integration with Splunk Watch List

    This topic provides steps for integrating FortiDeceptor with Splunk, focusing on setting up data sources, creating lookups, searches, roles, users, and tokens.

    To integrate FortiDeceptor with Splunk Watch List:
    1. Set up the Data Source
    2. Create a new lookup
    3. Create a new search
    4. Create a new role
    5. Create a new user
    6. Create a new token
    7. Configure the integration in FortiDeceptor

      8. Artifacts list

    1. Set up the Data Source

    1. Go to Settings > Data > Data Inputs > Add New.

    2. In the File or Directory field, click Browse and select auth logs from /var/log/auth.log.

    3. Click Next.

    2. Create a new lookup

    For detailed information about creating a lookup in Splunk, see the product documentation.

    1. In Splunk, go to Apps > Splunk App for Lookup File Editing.

    2. In the Lookup Editor, click Lookups > Create New Lookup.

    3. Choose to create a CSV lookup.

    Below is an example of a FortiDeceptor CSV lookup in Splunk.

    The Key Name column is used to match field values from your events is the username column.

    3. Create a new search

    1. Go to Apps > Search & Reporting

    2. In the New Search field, enter search statements and select the search period from the dropdown list (e.g., Last 24 hours).

      Example:

      source="/var/log/auth.log" host="virtual-machine" sourcetype="LocalAuthLog" | lookup alert_username_lookup.csv username as username OUTPUT username | search username=* | table username, _time

    3. To save the alert, click Save As > Alert and give a name, such as Alert for username.

    4. Create a new role

    1. Go to Settings > USERS AND AUTHENTICATION > Roles.
    2. Click New Role.

    3. Define the role:
      1. In the Role Name field, enter a name for the role (for example, restapi_role)
      2. In the Inheritance tab, select user.

      3. You can use the defaults in the Capabilities, Indexes, Restrictions and Resources tabs.
      4. Click Save.

    5. Create a new user

    1. Go to Settings > USERS AND AUTHENTICATION > Users.

    2. Click New user.
    3. Define the new user (Full name, Email address, etc)
    4. In the Assign roles area, assign the role you created in the previous steps. In this example, restapi_role.

    6. Create a new token

    1. Go to Settings > USERS AND AUTHENTICATION > Tokens.
    2. Click New Token.

    3. Click Create to generate a new token.

    4. Copy and save the token. You will need this token later.

    7. Configure the integration in FortiDeceptor

    1. In FortiDeceptor go to Fabric > Quarantine Integration.
    2. Click Quarantine integration with new device. The Integrate With New Device pane opens.
    3. Configure the integration.

      Integrate MethodSelect Splunk-Watch-List.
      IP/URL Enter the IP address of the Splunk instance
      API Token Enter the token you created in 6. Create a new token.
      Triggered Alert NameEnter the alert name you created in 3. Create a new search.
      Key Name in Lookup CSVEnter the name of the CSV you created in 2. Create a new lookup.

    4. Configure the other settings as required and click Save.

    After the integration has been initialized, go to Incident > Analysis to view the events.

    Artifacts list

    Extracted from the file system
    • IE/Firefox/Chrome History
    • Named Pipes
    • Prefetch Startup
    • Directories
    Extracted from the registry
    • Installer Folders
    • Recent Docs
    • Services
    • UserAssists
    • Networks List
    Previous
    Next