Create an alert under Settings->Searches, Reports, and Alerts->New Alert
In Search field: fill out Search field based on the CIM datamodel if Enterprise Security and FortiGate Add-on has been installed and FortiGate has been reporting logs to the Splunk
| datamodel "Malware" "Malware_Attacks" search
sourcetype=fgt_utm subtype=virus action=blocked
if only FortiGate add-on has been installed;
Choose FortiGateActions and select the field to block if an event matches the search.
After logs matching the search has been detected, there will be a firewall policy
added in the FortiGate which trigged the event. The policy will include a
comment "fgt_ar" for users to easily identify.
Make sure the add-on has been set up with FortiGate's information including correct device id, admin password, IP address and the IP address enables https access.
If set up is correct, you can get more information about the issue by searching:
-fix session logout issue
Fix compatibility issue with FOS6
1. Initial release of Fortinet Active Response Add-on for FortiGate
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.