02-23-2026 06:43 AM
Hi All,
With Fortigate FW logs ingesting into XSIAM, even with the forti content pack installed, there is no real method for detection apart from the analytics engine that will use the '3rd party firewalls' analytic rules to natively detect issues/alerts on Fortigate FWs that i am aware off..
As such one will be required to do additional correlation rules for extra detection.
Has anyone done these and willing to share the XQL content of these rules you have created?
I am in the process to design my own and have a number of use cases i want to build out like the following:
Possible Data Exfiltration
Exploit Public Facing
Deserialization Vulnerability
BotC2-Allow
Malicious network traffic from LAN to WAN
Compromised Host
Unwanted or malicious applications detected
Admin Failure
SSL login failure followed by successful
will share once they are tested.
rgds
02-23-2026 12:50 PM
Are you ingesting data directly from the Fortigate FWs or are you ingesting the firewall data from the FortiAnalyzer?
02-23-2026 09:59 PM
We have both direct from FW > broker-VM and also via FW > FortiAnalyzer > Broker-VM
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
