10-09-2023 06:41 AM
Hello,
I started to ingest my Fortinet logs and alerts into Cortex XDR to get better visibility and Analytics Alerts in the XDR.
However, I observed that the visibility and readability of the Fortinet alerts in the Cortex XDR console look weird, as if values were not in the right columns.
For example:
Here, the alert name is evasive, as we only know that it has been triggered by an IPS signature, without a description.
When I look at the Debug Alert of this incident (Alt + Right Click -> Debug Alert), I can see in the details that I have some fields that correspond more to the Alert Name or the Description:
I would say that the FTNTFTGattack field is a better match for the Alert Name field, and the Description field could be filled with the FTNTGFref field.
As it seems that they are well retrieved in the Fortinet logs, why is Palo Alto not using these fields, which are more explicit, rather than the "IPS:signature" that is not explicit when reading the alert columns?
Are there other Cortex XDR users with Fortinet firewall logs who have this problem, or any advice on how to get these fields into the Alert Name field?
Regards,
Benjamin
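To make the mapping the post is asking about concrete, here is an added Python example (not code from the post, from Palo Alto Networks or from Fortinet) that parses a Fortinet IPS event delivered as a CEF line over syslog and builds the alert summary the poster would like to see: the FTNTFTGattack value becomes the alert name and FTNTGFref the description, with the generic CEF header name ("IPS:signature") kept only as a fallback when the attack field is missing. Cortex XDR does its own field mapping at ingestion, so this does not reproduce that product's configuration; the field names FTNTFTGattack and FTNTGFref are taken from the post, while the sample lines, the CEF header values, the reference URL and the other keys are constructed for illustration and do not come from a real FortiGate.

```python
import re
from typing import Dict, Tuple

# Constructed sample lines (not real captures). The keys FTNTFTGattack and
# FTNTGFref are the ones named in the post; every other value is invented.
SAMPLE_WITH_ATTACK = (
    "CEF:0|Fortinet|Fortigate|v7.0.0|16384|IPS:signature|7|"
    "FTNTFTGattack=Example.Signature.Name "
    "FTNTGFref=https://example.invalid/ids/VID-PLACEHOLDER "
    "src=10.0.0.5 dst=10.0.0.9 act=detected cs1=a\\=b cs1Label=note"
)
SAMPLE_WITHOUT_ATTACK = (
    "CEF:0|Fortinet|Fortigate|v7.0.0|16384|IPS:signature|7|src=10.0.0.5 dst=10.0.0.9"
)

# The seven fixed CEF header positions, in order.
CEF_HEADER_KEYS = (
    "version", "vendor", "product", "device_version", "signature_id", "name", "severity",
)

# One key=value pair from the extension part. The value is matched lazily up to
# the next " key=" token (or end of string), so values may contain spaces, and
# "\\." lets CEF-escaped characters (\= \| \\) stay inside the value.
CEF_KV = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a CEF line into its header fields and its extension key/value pairs."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(CEF_HEADER_KEYS, [parts[0][4:]] + parts[1:7]))
    extension: Dict[str, str] = {}
    for key, value in CEF_KV.findall(parts[7]):
        # Undo the two escapes that matter for free-text values.
        extension[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return header, extension


def normalize_alert(line: str) -> Dict[str, str]:
    """Build the summary a console should display for a Fortinet IPS event.

    Prefers the signature name carried in FTNTFTGattack over the generic CEF
    header name, and uses FTNTGFref (the vendor reference link) as description.
    """
    header, ext = parse_cef(line)
    attack = ext.get("FTNTFTGattack", "").strip()
    ref = ext.get("FTNTGFref", "").strip()
    return {
        "alert_name": attack or header["name"],   # fall back to "IPS:signature"
        "description": ref,                       # empty when the log lacks the link
        "source_name": header["name"],
        "severity": header["severity"],
        "src": ext.get("src", ""),
        "dst": ext.get("dst", ""),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_ATTACK, SAMPLE_WITHOUT_ATTACK):
        print(normalize_alert(sample))
```

Running the block prints one normalized record per sample: the first carries the signature name and reference link, the second falls back to the header name, which is exactly the "IPS:signature" situation the post describes. Whether a given FortiGate ships IPS events as CEF or as its native key=value syslog is an assumption here; the same preference order (attack field first, generic name second) applies in either format once the pairs are parsed.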