Configuring QRadar to categorize App Ctrl events for Fortinet FortiGate Security Gateway

To categorize App Ctrl events based on the Action field in IBM® QRadar®, use the DSM Editor to enable the Categorize App Ctrl Logs Based on Action Field parameter.

By default, Fortinet FortiGate Security Gateway App Ctrl events are categorized as notice/informational.

Procedure

  1. On the Admin tab, in the Data Sources section, click DSM Editor.
  2. From the Select Log Source Type window, select Fortinet FortiGate Security Gateway from the list, and click Select.
  3. On the Configuration tab, set Display DSM Parameters Configuration to On.
  4. From the Event Collector list, select the event collector for the log source, and click Select.
  5. Set Categorize App Ctrl Logs Based on Action Field to On.
  6. Click Save and close the DSM Editor.