
FortiDLP Administration Guide

Integrating using the FortiDLP Add-on for Splunk

Our technology add-on for Splunk makes integrating with our Event Streaming Service quick and simple. The add-on is already set up to request events for you, minimizing configuration time. By default, the add-on will stream events in websocket mode.

Prerequisites
  1. Complete Generating an event stream and access token.
  2. Install the Next DLP Reveal Technology Add-on in Splunk.

How to integrate an event stream with the Splunk add-on

  1. In Splunk, go to Apps.
  2. On the row of the FortiDLP add-on, select Launch app.
  3. On the top-right corner of the Inputs page, click Create New Input.

  4. In the Add Event Stream dialog box, do the following:
    1. In the Name field, enter a name without special characters.
    2. In the Interval field, enter a number of seconds. In case of a disconnection with the event stream, the add-on will wait for this amount of time before attempting to reconnect.
    3. In the Connector URL field, paste the URL of the event stream you generated in Generating an event stream and access token.
    4. In the Access token field, paste the API access token you generated in Generating an event stream and access token.
    5. Optionally, to disable extended metadata for policy detection events, select the Discard Extended Metadata checkbox.
      Note

      This option is only available with version 2.1.0+ of the add-on.

    6. Click Add.

How to view events in the Splunk add-on

Once you have set up the integration, you can start analyzing the events that are pulled into Splunk. To view the events, follow these steps.

  1. In Splunk, go to Apps.
  2. On the row of the FortiDLP add-on, select Launch app.
  3. Select the Search tab at the top of the page.
  4. Do one of the following to view events:
    • To view all events, enter
      index="*" sourcetype="Reveal:EventStream:*:JSON" into the search bar.
    • To view detection events, enter
      index="*" sourcetype="Reveal:EventStream:Detections:JSON" into the search bar.
    • To view incident events, enter
      index="*" sourcetype="Reveal:EventStream:Incidents:JSON" into the search bar.
    • To view audit log events, enter
      index="*" sourcetype="Reveal:EventStream:AuditLogs:JSON" into the search bar.
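
Once events are arriving, a practitioner usually wants to confirm that every stream (detections, incidents, audit logs) is still being delivered, for example after changing the Interval or switching to long polling mode. The following search is an added example and is not part of the add-on or this guide; the 15-minute staleness threshold is an assumption and should be tuned to your Interval setting.

```spl
index="*" sourcetype="Reveal:EventStream:*:JSON" earliest=-24h
| rex field=sourcetype "^Reveal:EventStream:(?<stream>[^:]+):JSON$"
| stats count AS events latest(_time) AS last_seen BY stream
| eval minutes_since_last=round((now()-last_seen)/60, 0)
| eval status=if(minutes_since_last > 15, "stale", "ok")
| fieldformat last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table stream events last_seen minutes_since_last status
```

A stream that shows as stale while others are current points at the event stream connection rather than at Splunk indexing, which is where the troubleshooting steps below apply.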

How to troubleshoot the Splunk add-on

If you encounter an issue when integrating the Splunk add-on with an event stream, try these troubleshooting options. If you still experience the issue, contact Fortinet Support.

  • If you experience an issue with websocket mode, do the following to try long polling mode:
    1. In Splunk, go to Apps.
    2. On the row of the FortiDLP add-on, select Launch app.
    3. Select the Configuration tab.
    4. Select Add-on Settings.
    5. Deselect the Websocket Streaming Mode checkbox.
      Note

      The time set in the Interval field of the Input will then be used as the interval between each batch request. We recommend you set the Interval field to 10 seconds when long polling mode is enabled.

  • If you see errors for certificate verification, you can do the following to disable TLS verification:
    1. In Splunk, go to Apps.
    2. On the row of the FortiDLP add-on, select Launch app.
    3. Select the Configuration tab.
    4. Select Add-on Settings.
    5. Select the Disable TLS certificate verification checkbox.