FortiDLP Administration Guide

Generating an event stream and access token

To integrate a SIEM tool with an event stream, in the FortiDLP Console, you must first create the event stream and then generate an API access token. The event stream’s URL is required to identify the event stream when a request is made for events, and the API access token authorizes communication between the SIEM tool and FortiDLP.

FortiDLP gives you fine-grained control over the type of events you stream to a SIEM tool. You can filter by specific tags and risk scores to refine your event stream to just include events of interest.

Example

For example, to be alerted to FortiDLP Agent component tampering attempts, you could filter for detections that have the systemsecurity tag, which is pre-assigned to our Anti-tamper OOB policies.

Note

By default, you can create up to 5 event streams. If you require more event streams, contact Fortinet Support.

By default, Event Streaming Service API access tokens are valid for 10 years.

How to create an event stream
  1. In FortiDLP, on the left-hand side bar, click .
  2. Under Integrations, select Event streaming.
  3. On the top-right corner of the page, click Create new stream.
  4. In the Create new stream dialog box, do the following:
    1. In the Name field, enter a name for the event stream.
    2. Do at least one of the following:
      • To stream detection events, do the following:
        1. Turn the Enable detections toggle on.
        2. Optionally, do the following:
          • In the Tags field, enter one or more tags that you want to filter detections by, and do one of the following:
            • To stream detections that have all of the entered tags, select the All tags radio button.
            • To stream detections that have at least one of the entered tags, select the Any tags radio button.
          • In the Labels list, select one or more labels that you want to filter detections by, and do one of the following:
            • To stream detections that have all of the selected labels, select the All labels radio button.
            • To stream detections that have at least one of the selected labels, select the Any labels radio button.
          • In the Minimum score field, enter a number to only stream events that have a score equivalent to the number or higher.

      • To stream incident events, do the following:
        1. Turn the Enable incidents toggle on.
        2. In the Receive event messages when list, select at least one of the following:
          • To receive an event message when an incident is created, select An incident is created.
          • To receive an event message when an incident is resolved, select An incident is resolved.
          • To receive an event message when a new user is added to an incident, select A new user is added to an incident.
          • To receive an event message when a new node is added to an incident, select A new node is added to an incident.
        3. Optionally, in the Minimum score field, enter a number to only stream events that have a score equivalent to the number or higher.
      • To stream audit log events, do the following:
        1. Turn the Enable audit logs toggle on.
        2. In the event type list, select one or more audit log types that you want to filter the event stream by.

    3. Click Save.
  5. Make a note of the event stream’s URL.
  6. On the row of the event stream, click > Generate access token.
  7. Click Copy token.
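
The tag, label and minimum-score options above combine into a single filter for each stream. The following Python model is added here as an illustration and is not FortiDLP's own code; it shows how those conditions evaluate against constructed sample detections: All tags requires every entered tag to be present on the detection, Any tags requires at least one, the label modes work the same way, and Minimum score keeps only detections scoring at or above the threshold. The event shape (id, tags, labels, score), the sample values and the function names are assumptions made for the example.

```python
"""Model of how a FortiDLP event stream's detection filter selects events.

Added illustration, not FortiDLP code. The match rules follow the console
options: All tags / Any tags, All labels / Any labels, and Minimum score.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DetectionFilter:
    """Filter settings as entered in the Create new stream dialog (assumed shape)."""
    tags: Set[str] = field(default_factory=set)
    tag_mode: str = "any"          # "all" -> All tags radio, "any" -> Any tags radio
    labels: Set[str] = field(default_factory=set)
    label_mode: str = "any"        # "all" -> All labels radio, "any" -> Any labels radio
    min_score: Optional[int] = None  # Minimum score field; None means not set


def _matches(required: Set[str], present: Set[str], mode: str) -> bool:
    """Apply the All/Any rule. An empty required set means the field was left blank."""
    if not required:
        return True
    if mode == "all":
        return required <= present          # every entered value must be present
    if mode == "any":
        return bool(required & present)     # at least one entered value is present
    raise ValueError(f"unknown match mode: {mode!r}")


def stream_allows(flt: DetectionFilter, event: Dict) -> bool:
    """True if the detection passes the tag, label and minimum-score conditions."""
    tags_ok = _matches(flt.tags, set(event["tags"]), flt.tag_mode)
    labels_ok = _matches(flt.labels, set(event["labels"]), flt.label_mode)
    score_ok = flt.min_score is None or event["score"] >= flt.min_score
    return tags_ok and labels_ok and score_ok


def select_events(flt: DetectionFilter, events: List[Dict]) -> List[str]:
    """Return the ids of the detections that the stream would emit."""
    return [e["id"] for e in events if stream_allows(flt, e)]


# Constructed sample detections (not real FortiDLP output).
SAMPLE_DETECTIONS = [
    {"id": "d1", "tags": ["systemsecurity"], "labels": [], "score": 80},
    {"id": "d2", "tags": ["systemsecurity", "usb"], "labels": ["hr"], "score": 40},
    {"id": "d3", "tags": ["exfil"], "labels": ["hr"], "score": 95},
    {"id": "d4", "tags": ["usb"], "labels": ["finance"], "score": 20},
]


def anti_tamper_stream() -> List[str]:
    """The example from the guide: stream detections carrying the systemsecurity tag."""
    return select_events(DetectionFilter(tags={"systemsecurity"}, tag_mode="any"),
                         SAMPLE_DETECTIONS)


def high_risk_hr_stream() -> List[str]:
    """Label filter combined with a Minimum score of 90."""
    return select_events(DetectionFilter(labels={"hr"}, label_mode="any", min_score=90),
                         SAMPLE_DETECTIONS)


if __name__ == "__main__":
    print("anti-tamper stream:", anti_tamper_stream())
    print("high-risk HR stream:", high_risk_hr_stream())
```

Changing tag_mode from "any" to "all" for a two-tag filter shows the practical difference: with tags {"systemsecurity", "usb"}, Any tags emits d1, d2 and d4, while All tags emits only d2.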

Event stream statuses

Once you have created an event stream, it will display with one of the following statuses in the FortiDLP Console, reflecting how effectively your SIEM tool is consuming the events.

Status: Description
Healthy: The SIEM tool has ingested all the events that the event stream has generated so far.
Warning: The SIEM tool has not ingested all the events from the event stream, and there is now a backlog of events pending ingestion.
Unhealthy: There is a significant delay with the ingestion of the event stream, where events pending ingestion are over 12 hours old.