Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiNDR Cloud for Microsoft Sentinel

    Home FortiNDR Cloud 2024.10.0 FortiNDR Cloud for Microsoft Sentinel
    2024.10.0
    2024.10.0

    FAQ

    FAQ

    Why is the Data Connector status Disconnected after the connector is created and data is flowing?

    This is caused by a delay from the Sentinel Portal.

    To view the status of the installed Data Connector, search for the Data Connector name in the Azure Function App page. There, you can see the connection status and real time running logs for the Data Connector.

    Why does Data Types display "Suricata is not connected" when I query FncEventsSuricata_CL?

    Suricata may not have been added as an event type to retrieve.

    To verify Suricata events were added to the event types:

    1. Go to the Azure Function App page.
    2. In the connector's Environment Variables, ensure Suricata was added to FncEvents.
    How often does the Data Connector fetch and post data into Sentinel?

    The default fetch interval is every five minutes. However, you can configure this time with Environment Variables: FncIntervalMinutes. See, Configuring Fortinet FortiNDR Cloud Solution.

    If the value for Last Log Received is from several hours or days from the time you are viewing the data, it is likely because there was no new data to retrieve during the configured interval or due to a delay from the Sentinel Portal.

    What should I do if I need to update or correct the Environment Variables once data is flowing?

    If you need to reconfigure or update an Environment Variable, we strongly recommend setting up a new Sentinel environment and installing a new Data Connector.

    Please do not make any changes to the Environment Variables once the Data Connector has started fetching and posting event data. Changing the settings while data is flowing may cause data gaps or data duplications in Sentinel.

    Why is some historical data missing?

    The Data Connector uses a logic that will fetch and post historical data piece-by-piece periodically. If some historical data is not showing up, it is highly possible that the Data Connector has not started working on that piece.

    If you are seeing a data gap in the historical data for events or detections, check the Azure Function App for the Data Connector. By checking the Invocations of the correlated functions, you can see what time and data type the Data Connector is currently working on.

    If any errors occur, please contact us immediately for further investigations.

    Previous
    Next

    FAQ

    FAQ

    Why is the Data Connector status Disconnected after the connector is created and data is flowing?

    This is caused by a delay from the Sentinel Portal.

    To view the status of the installed Data Connector, search for the Data Connector name in the Azure Function App page. There, you can see the connection status and real time running logs for the Data Connector.

    Why does Data Types display "Suricata is not connected" when I query FncEventsSuricata_CL?

    Suricata may not have been added as an event type to retrieve.

    To verify Suricata events were added to the event types:

    1. Go to the Azure Function App page.
    2. In the connector's Environment Variables, ensure Suricata was added to FncEvents.
    How often does the Data Connector fetch and post data into Sentinel?

    The default fetch interval is every five minutes. However, you can configure this time with Environment Variables: FncIntervalMinutes. See, Configuring Fortinet FortiNDR Cloud Solution.

    If the value for Last Log Received is from several hours or days from the time you are viewing the data, it is likely because there was no new data to retrieve during the configured interval or due to a delay from the Sentinel Portal.

    What should I do if I need to update or correct the Environment Variables once data is flowing?

    If you need to reconfigure or update an Environment Variable, we strongly recommend setting up a new Sentinel environment and installing a new Data Connector.

    Please do not make any changes to the Environment Variables once the Data Connector has started fetching and posting event data. Changing the settings while data is flowing may cause data gaps or data duplications in Sentinel.

    Why is some historical data missing?

    The Data Connector uses a logic that will fetch and post historical data piece-by-piece periodically. If some historical data is not showing up, it is highly possible that the Data Connector has not started working on that piece.

    If you are seeing a data gap in the historical data for events or detections, check the Azure Function App for the Data Connector. By checking the Invocations of the correlated functions, you can see what time and data type the Data Connector is currently working on.

    If any errors occur, please contact us immediately for further investigations.

    Previous
    Next