https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/fortigate-correlation-rules-thread/m-p/1248787#M352 <P>Hi All,</P> <P>With Fortigate FW logs ingesting into XSIAM, even with the forti content pack installed, there is no real method for detection apart from the analytics engine that will use the '3rd party firewalls' analytic rules to natively detect issues/alerts on Fortigate FWs that i am aware off..</P> <P>&nbsp;</P> <P>As such one will be required to do additional correlation rules for extra detection.</P> <P>Has anyone done these and willing to share the XQL content of these rules you have created?</P> <P>I am in the process to design my own and have a number of use cases i want to build out like the following:</P> <P>Possible Data Exfiltration<BR />Exploit Public Facing<BR />Deserialization Vulnerability<BR />BotC2-Allow<BR />Malicious network traffic from LAN to WAN<BR />Compromised Host<BR />Unwanted or malicious applications detected<BR />Admin Failure<BR />SSL login failure followed by successful<BR /><BR /></P> <P>will share once they are tested.</P> <P>rgds</P> Mon, 23 Feb 2026 14:43:46 GMT PA_nts 2026-02-23T14:43:46Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/fortigate-correlation-rules-thread/m-p/1248787#M352 <P>Hi All,</P> <P>With Fortigate FW logs ingesting into XSIAM, even with the forti content pack installed, there is no real method for detection apart from the analytics engine that will use the '3rd party firewalls' analytic rules to natively detect issues/alerts on Fortigate FWs that i am aware off..</P> <P>&nbsp;</P> <P>As such one will be required to do additional correlation rules for extra detection.</P> <P>Has anyone done these and willing to share the XQL content of these rules you have created?</P> <P>I am in the process to design my own and have a number of use cases i want to build out like the following:</P> <P>Possible Data Exfiltration<BR />Exploit Public Facing<BR />Deserialization Vulnerability<BR />BotC2-Allow<BR />Malicious network traffic from LAN to WAN<BR />Compromised Host<BR />Unwanted or malicious applications detected<BR />Admin Failure<BR />SSL login failure followed by successful<BR /><BR /></P> <P>will share once they are tested.</P> <P>rgds</P> Mon, 23 Feb 2026 14:43:46 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/fortigate-correlation-rules-thread/m-p/1248787#M352 PA_nts 2026-02-23T14:43:46Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/fortigate-correlation-rules-thread/m-p/1248810#M354 <P>Are you ingesting data directly from the Fortigate FWs or are you ingesting the firewall data from the FortiAnalyzer?</P> Mon, 23 Feb 2026 20:50:46 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/fortigate-correlation-rules-thread/m-p/1248810#M354 amcdonal363 2026-02-23T20:50:46Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/fortigate-correlation-rules-thread/m-p/1248835#M355 <P>We have both direct from FW &gt; broker-VM&nbsp; and also via FW &gt; FortiAnalyzer &gt; Broker-VM</P> <P>&nbsp;</P> Tue, 24 Feb 2026 05:59:03 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/fortigate-correlation-rules-thread/m-p/1248835#M355 PA_nts 2026-02-24T05:59:03Z