SIEM & UEBA

Expand all | Collapse all

Analytics using two different log sources

  • 1.  Analytics using two different log sources

    Posted 19 days ago
    Hello,

    I am trying to create a report which would require data from two different log sources or events.

    One event is the initial login of the VPN user, which has their username, login success/failure and their Source IP (which is their actual public IP allocated by the ISP).
    The other logs contain their general traffic logs, and the important info in these logs is the tunnel IP they have been allocated once they have connected to the corporate VPN.

    I can do the reports and dashboards for both these events individually.

    Is there anyone to combine these two logs or events and extract the important info from both and present it as one output/report. 

    Regards,
    Ali.


  • 2.  RE: Analytics using two different log sources

    Posted 15 days ago
    Ali,

    It's not perfect, but you can take your two existing report criteria and put them into one query using OR.  (1st Report Parameters) OR (2nd Report Parameters).  Then use the displayed columns to display the fields you would like.


  • 3.  RE: Analytics using two different log sources

    GROUP ADMIN
    Posted 15 days ago
    Hi Ali,

    To build on Karn suggestion, you can also use a Nested search. Check here https://help.fortinet.com/fsiem/6-1-0/Online-Help/HTML5_Help/Nested_queries.htm

    If you are able to share the events from both your searches, I can have a go at building the nested search for you.

    Cheers

    Dan

    ------------------------------
    Daniel
    FortiSIEM Product Manager
    ------------------------------