
FortiDLP Administration Guide

SIEM tools

Integrating with a Security Information and Event Management (SIEM) tool lets you apply third-party analytics to FortiDLP events, track trends over time, and strengthen your security strategy further. Reveal provides an Event Streaming Service that supports rapid ingestion of events into SIEM tools.

Event streams

An event stream is a real-time flow of events from the FortiDLP Infrastructure, and a SIEM tool accesses an event stream via an API. If an event stream is not being actively ingested by a SIEM tool, events are queued so that they can be retrieved later. A single event stream is intended to be consumed by a single SIEM tool: each event in the stream is delivered only once, so two consumers sharing one stream would each receive only part of the events. Create a separate event stream for each SIEM tool.

Events from the event stream are encoded as JSON. For details on the fields that are available in event messages, see Event message fields.

Event ingestion modes

The Event Streaming Service supports two modes of event ingestion:

  • WebSocket mode: The SIEM tool opens a WebSocket connection to the API and keeps it open. Events are pushed to the SIEM tool continuously for as long as the connection is up.
  • Long polling mode: The SIEM tool requests a batch of events from the API over HTTP. The API holds the request open for up to 30 seconds, so the batch returned contains any events already queued in the stream plus any that are queued during that window; a request that sees no events returns after the window, and the SIEM tool simply sends the next request.
Note

You can stream detection, incident, and audit log events.

We recommend that you switch to this integration if you currently use Splunk webhooks to obtain event data.

For optimal delivery of events, we recommend you use the Event Streaming Service’s websocket mode where possible.

SIEM tool integration setup tasks

Task: Generating an event stream and access token
Description: First, in the FortiDLP Console, generate an event stream and an API access token. To connect to an event stream, a SIEM tool requires the URL of the event stream and the value of the access token. Treat the access token as a secret: anyone who holds it can read every event queued in that stream.

Task: Integrating using the FortiDLP Add-on for Splunk or Integrating using the Event Streaming Service API
Description: Lastly, integrate the SIEM tool with the Event Streaming Service. If your SIEM tool is Splunk, Fortinet provides a technology add-on that is already set up to request events from FortiDLP. For other SIEM tools, use the Event Streaming Service API directly.
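As an added example, and not the FortiDLP Add-on for Splunk or any code from this guide, the following Python consumer ties the two setup tasks together: it takes the stream URL and access token generated in the FortiDLP Console and long-polls the Event Streaming Service API, writing each batch to disk before it asks for the next one. The bearer-token header, the JSON-array or {"events": [...]} response shape, the environment variable names and the output file path are assumptions for illustration; the only behaviour taken from this page is the 30-second hold on a long-poll request and the single delivery of each event.

```python
"""Long-polling consumer for a FortiDLP event stream (illustrative, not Fortinet's code)."""
import json
import os
import time
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, List

LONG_POLL_WINDOW_S = 30                      # server-side hold described on the page
HTTP_TIMEOUT_S = LONG_POLL_WINDOW_S + 15     # client timeout must outlast the server hold


class AuthError(Exception):
    """The stream rejected the access token (HTTP 401/403); retrying cannot help."""


def build_request(stream_url: str, token: str) -> urllib.request.Request:
    # Assumption: the token is presented as an HTTP Bearer credential. Whoever holds
    # it can read every queued detection, incident and audit event, so it never
    # belongs in a URL, a shell history or a log line.
    return urllib.request.Request(
        stream_url,
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"},
        method="GET",
    )


def http_fetch(stream_url: str, token: str) -> bytes:
    """One long-poll round over the network (not exercised offline)."""
    try:
        with urllib.request.urlopen(build_request(stream_url, token),
                                    timeout=HTTP_TIMEOUT_S) as resp:
            return resp.read()
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            raise AuthError("stream rejected the access token: HTTP %d" % exc.code) from exc
        raise                                # other HTTP errors are treated as transient


def parse_batch(body: bytes) -> List[Dict[str, Any]]:
    """Decode one response. An empty body or empty list means the 30 s window
    passed with nothing queued, which is normal for long polling, not an error.
    Assumption: events arrive as a JSON array, optionally wrapped in an
    {"events": [...]} envelope (hypothetical key)."""
    if not body.strip():
        return []
    data = json.loads(body)
    if isinstance(data, dict):
        data = data.get("events", [])
    if not isinstance(data, list):
        raise ValueError("unexpected batch shape: %s" % type(data).__name__)
    return data


def jsonl_sink(path: str) -> Callable[[List[Dict[str, Any]]], None]:
    """Return a sink that appends each event as one JSON line and fsyncs before
    returning. The stream delivers each event once, so a batch that was fetched
    but not persisted before a crash is lost; the durable write must finish
    before the next request is sent."""
    def write(batch: List[Dict[str, Any]]) -> None:
        with open(path, "a", encoding="utf-8") as fh:
            for event in batch:
                fh.write(json.dumps(event, separators=(",", ":")) + "\n")
            fh.flush()
            os.fsync(fh.fileno())
    return write


def consume(fetch: Callable[[], bytes],
            sink: Callable[[List[Dict[str, Any]]], None],
            max_rounds: int,
            sleep: Callable[[float], None] = time.sleep) -> int:
    """Run up to max_rounds long-poll rounds; return the number of events stored.
    Transient failures (network errors, non-auth HTTP errors, malformed bodies)
    back off exponentially; an AuthError propagates at once so a revoked token
    is not retried forever."""
    stored = 0
    backoff = 1.0
    for _ in range(max_rounds):
        try:
            batch = parse_batch(fetch())
        except AuthError:
            raise
        except (OSError, ValueError):        # URLError, HTTPError and timeouts are OSErrors
            sleep(backoff)
            backoff = min(backoff * 2, 60.0)
            continue
        backoff = 1.0                        # a successful round resets the backoff
        if batch:
            sink(batch)                      # durable write before the next request
            stored += len(batch)
    return stored


if __name__ == "__main__":
    # Stand-alone use: URL and token come from the environment (assumed variable
    # names), not from argv, so the token does not show up in process listings.
    url, token = os.environ["FORTIDLP_STREAM_URL"], os.environ["FORTIDLP_STREAM_TOKEN"]
    consume(lambda: http_fetch(url, token), jsonl_sink("fortidlp-events.jsonl"),
            max_rounds=10 ** 9)
```

The fetch and sink are injected so the loop can be exercised against constructed batches without a network; in production the WebSocket mode recommended above avoids the per-request latency entirely, but the same rule applies to it: persist each message before acknowledging or reading the next one, because the stream will not replay it.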
