Event Organization Mapping
FortiSIEM can handle multi-tenant reporting devices that already have Organization names in the events they send, for example, VDOM attribute in FortiGate. This section shows how to map Organization names in external events to those in FortiSIEM. FortiSIEM will create a separate reporting device in each Organization and associate the events to the reporting device in the corresponding FortiSIEM Organization.
This feature requires that:
- One or more (multi-tenant) Collectors are created under Super-Local Organization.
- Multi-tenant devices send logs to the multi-tenant Collectors under Super-Local Organization.
Follow the steps below:
- Go to ADMIN > Settings > Event Handling > Event Org Mapping tab.
- Click New.
- Select or search the Device Type of the sender from the drop-down. This must be a device type that FortiSIEM understands and can parse events from.
- Select or search the Event Attribute that contains the external organization name from the drop-down. FortiSIEM will map the value in this field to the FortiSIEM Organization.
- Select or search the multi-tenant Collectors under Super-Local Organization that will receive the events from the drop-down. To include all Collectors, select All Collectors.
- Specify the IP/IP Range of the multi-tenant devices that are sending events. Only a single IP or an IP Range is allowed, for example, 10.1.1.1 or 10.1.1.1-10.1.1.2. Comma-separated values, such as 10.1.1.1,10.1.1.2, are not allowed.
- Click the edit icon next to Org Mapping to map an organization to an event.
- Click on any Event Organization cell in the Event Organization Mapping dialog box to edit. Click Save.
- Click Save.
Note: Do not define overlapping rules - make sure there are no overlaps in (Collector, Reporting IP/Range, Event Attribute) between multiple rules.
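The following is an added illustration, not FortiSIEM code: a small Python model of what an Event Org Mapping rule set does, so that the "no overlapping rules" requirement can be checked before rules are entered in the UI. It models each rule as the (Device Type, Event Attribute, Collectors, IP/IP Range, Org Mapping) fields described above, validates the IP/IP Range field the way the text specifies (single IP or range, no comma-separated lists), flags any two rules that overlap on the (Collector, Reporting IP/Range, Event Attribute) triple, and resolves a parsed event to a FortiSIEM Organization. The collector names, IP addresses, VDOM names and organization names are constructed sample values, and the event dictionary layout is an assumption for the example, not FortiSIEM's parsed-event format.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


def parse_ip_spec(spec: str) -> Tuple[int, int]:
    """Parse the IP/IP Range field: one IPv4 address or 'first-last'.

    Comma-separated lists are rejected, matching the documented rule.
    Returns the range as an inclusive pair of integers.
    """
    if "," in spec:
        raise ValueError(f"comma-separated values are not allowed: {spec!r}")
    parts = [p.strip() for p in spec.split("-")]
    if len(parts) > 2:
        raise ValueError(f"malformed IP range: {spec!r}")
    first = int(ipaddress.IPv4Address(parts[0]))
    last = int(ipaddress.IPv4Address(parts[-1]))
    if first > last:
        raise ValueError(f"range start is after range end: {spec!r}")
    return first, last


@dataclass
class OrgMappingRule:
    """One Event Org Mapping rule (hypothetical model of the dialog fields)."""
    device_type: str
    event_attribute: str            # e.g. "vdom" for the FortiGate VDOM attribute
    collectors: FrozenSet[str]      # empty set models "All Collectors"
    ip_range: Tuple[int, int]       # inclusive reporting-IP range
    org_map: Dict[str, str]         # external org value -> FortiSIEM Organization

    def accepts_collector(self, collector: str) -> bool:
        return not self.collectors or collector in self.collectors

    def covers_ip(self, reporting_ip: str) -> bool:
        ip = int(ipaddress.IPv4Address(reporting_ip))
        return self.ip_range[0] <= ip <= self.ip_range[1]


def rules_overlap(a: OrgMappingRule, b: OrgMappingRule) -> bool:
    """True when two rules could both match one event on the
    (Collector, Reporting IP/Range, Event Attribute) triple."""
    if a.event_attribute != b.event_attribute:
        return False
    # "All Collectors" (empty set) overlaps with every other collector set.
    if a.collectors and b.collectors and a.collectors.isdisjoint(b.collectors):
        return False
    return a.ip_range[0] <= b.ip_range[1] and b.ip_range[0] <= a.ip_range[1]


def find_overlaps(rules: List[OrgMappingRule]) -> List[Tuple[int, int]]:
    """Return index pairs of overlapping rules; an empty list means the
    rule set satisfies the 'no overlapping rules' requirement."""
    return [(i, j) for i in range(len(rules)) for j in range(i + 1, len(rules))
            if rules_overlap(rules[i], rules[j])]


def resolve_org(rules: List[OrgMappingRule], event: Dict) -> Optional[str]:
    """Map one parsed event to a FortiSIEM Organization, or None when no rule
    matches or the attribute value has no mapping in the matching rule."""
    for rule in rules:
        if (event["device_type"] == rule.device_type
                and rule.accepts_collector(event["collector"])
                and rule.covers_ip(event["reporting_ip"])):
            external_org = event["attrs"].get(rule.event_attribute)
            return rule.org_map.get(external_org)
    return None


# Constructed sample rules: collector names, IPs and VDOM names are made up.
RULES = [
    OrgMappingRule("FortiGate", "vdom", frozenset({"coll-1"}),
                   parse_ip_spec("10.1.1.1-10.1.1.2"),
                   {"vd-finance": "Finance", "vd-hr": "HR"}),
    OrgMappingRule("FortiGate", "vdom", frozenset({"coll-2"}),
                   parse_ip_spec("10.1.1.1-10.1.1.2"),
                   {"vd-ops": "Operations"}),
]

# Constructed sample event after parsing (assumed layout, not FortiSIEM's own).
SAMPLE_EVENT = {
    "collector": "coll-1",
    "reporting_ip": "10.1.1.1",
    "device_type": "FortiGate",
    "attrs": {"vdom": "vd-finance"},
}

if __name__ == "__main__":
    print("overlaps:", find_overlaps(RULES))           # []
    print("org:", resolve_org(RULES, SAMPLE_EVENT))    # Finance
```

The two sample rules share the same IP range and attribute but are bound to different Collectors, so they do not overlap; adding a third rule for the same attribute with All Collectors selected would overlap with both, which is exactly the configuration the note above tells you to avoid.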