
Administration Guide

Integration with FortiSIEM


Integration with FortiSIEM

To integrate FortiDeceptor with FortiSIEM:
  1. Configure FortiSIEM as a remote log server in FortiDeceptor
  2. Change the discovered FortiDeceptor status from Pending to Approved
  3. Check the logs and generate reports in FortiSIEM

1. Configure FortiSIEM as a remote log server in FortiDeceptor

  1. In FortiDeceptor, go to Log > Log Servers.
  2. Click Create new. The New Remote Log Server window opens.
  3. Configure the Log Server Address for FortiSIEM and click OK. For more information, see Log Servers.

2. Change the discovered FortiDeceptor status from Pending to Approved

  1. In FortiSIEM go to Devices and select the FortiDeceptor device from the list.
  2. Click the Actions dropdown and change the status from Pending to Approved.

3. Check the logs and generate reports in FortiSIEM

  1. In FortiSIEM, click the DASHBOARD tab, then the Fortinet Security Fabric dashboard, and then the FortiDeceptor dashboard. The information received from FortiDeceptor is displayed. You can click any widget to drill down into the information.

  2. In the Top Services widget click SSH.

    The events and the raw logs are displayed in the ANALYTICS tab.

  3. Use a Group By and the Display Fields template to view the Source IP and Destination IP.

    The Source and Destination IPs are displayed.

  4. Click the Incidents tab. Select an incident in the list, then click the Details, Events, and Rule tabs to view more information about the incident.

  5. Click the Actions menu and select Remediable Incident to block the IP address.
