Fortinet FortiGate Modeling Rules (#20292)

* Added Modeling Rules for FortiGate * Changed the time field to match the original CEF * Added Release notes * Added ReleaseNotes * Added FortinetFortiGateModelingRules_schema.json * Changed the value in first field in the json file * Delete create_certs.sh * Added README file * Bigger font for header * Changed styling * Revert "Delete create_certs.sh" This reverts commit 0d994bb. * Changed file names * Changed the README file * Revert "Added FortinetFortiGateModelingRules_schema.json" This reverts commit 0c86f6d. * Added Fortinet * Added Fortigate to known words * Changed the ReleaseNotes * Changed the Yaml file Co-authored-by: evisochek <72695126+evisochek@users.noreply.github.com>
demisto · Aug 2, 2022 · 83ee37f · 83ee37f
1 parent 14fe397
commit 83ee37f
Show file tree

Hide file tree

Showing 7 changed files with 188 additions and 2 deletions.
diff --git a/Packs/FortiGate/ModelingRules/FortiGate/FortiGate.xif b/Packs/FortiGate/ModelingRules/FortiGate/FortiGate.xif
@@ -0,0 +1,35 @@
+[MODEL:model="Network", dataset="fortinet_fortigate_raw"]
+// create timestamp field
+alter time_p1 = arrayindex( regextract(_time,"(\w+\s\d+)") ,0)
+| alter time_p2 = arrayindex( regextract(_time ,"(\d{4}\s\d+:\d+:\d+)") ,0)
+| alter timestamp = parse_timestamp("%b %d %Y %H:%M:%S", concat(time_p1, " ", time_p2 ) )
+// end timestamp field
+|alter XDM.Network.application_protocol	=	app,
+XDM.Network.application_protocol_category	=	FTNTFGTcat,
+XDM.Network.Destination.host.fqdn	=	dhost,
+XDM.Network.Destination.ipv4	=	dst,
+XDM.Network.Destination.port	=	to_number(dpt),
+XDM.Network.Destination.user.username	=	duser,
+XDM.Network.event_timestamp	=	timestamp ,
+XDM.Network.http.url	=	request,
+XDM.Network.ip_protocol	=	proto,
+XDM.Network.Observer.action	=	act,
+XDM.Network.Observer.product	=	_product,
+XDM.Network.Observer.type	=	cat,
+XDM.Network.Observer.vendor	=	_vendor,
+XDM.Network.original_event_description	=	msg,
+XDM.Network.original_event_id	=	_id,
+XDM.Network.outcome	=	outcome,
+XDM.Network.reason	=	reason,
+XDM.Network.session_id	=	externalId,
+XDM.Network.Source.bytes	=	to_number(out),
+XDM.Network.Source.host.fqdn	=	shost,
+XDM.Network.Source.ipv4	=	src,
+XDM.Network.Source.port	=	to_number(spt),
+XDM.Network.Destination.bytes = to_number("in"),
+XDM.Network.Source.process.executable.filename	=	fname,
+XDM.Network.Source.process.name	=	sproc,
+XDM.Network.Source.user.username	=	suser,
+XDM.Network.threat.category	=	FTNTFGTdtype,
+XDM.Network.threat.description	=	FTNTFGTref,
+XDM.Network.threat.severity	=	cefSeverity ;
diff --git a/Packs/FortiGate/ModelingRules/FortiGate/FortiGate.yml b/Packs/FortiGate/ModelingRules/FortiGate/FortiGate.yml
@@ -0,0 +1,6 @@
+name: Fortinet FortiGate Modeling Rule
+id: Fortinet_FortiGate_modeling_rule
+fromversion: 6.8.0
+tags: FortinetFortiGate
+rules: ""
+schema: ""
diff --git a/Packs/FortiGate/ModelingRules/FortiGate/FortiGate_schema.json b/Packs/FortiGate/ModelingRules/FortiGate/FortiGate_schema.json
@@ -0,0 +1,120 @@
+{
+  "fortinet_fortigate_raw": {
+    "_raw_log": {
+      "type": "string",
+      "is_array": false
+    },
+    "app": {
+      "type": "string",
+      "is_array": false
+    },
+    "FTNTFGTcat": {
+      "type": "string",
+      "is_array": false
+    },
+    "dhost": {
+      "type": "number",
+      "is_array": false
+    },
+    "dst": {
+      "type": "string",
+      "is_array": false
+    },
+    "dpt": {
+      "type": "string",
+      "is_array": false
+    },
+    "duser": {
+      "type": "string",
+      "is_array": false
+    },
+    "request": {
+      "type": "string",
+      "is_array": false
+    },
+    "proto": {
+      "type": "string",
+      "is_array": false
+    },
+    "act": {
+      "type": "string",
+      "is_array": false
+    },
+    "_product": {
+      "type": "string",
+      "is_array": false
+    },
+    "cat": {
+      "type": "string",
+      "is_array": false
+    },
+    "_vendor": {
+      "type": "string",
+      "is_array": false
+    },
+    "msg": {
+      "type": "string",
+      "is_array": false
+    },
+    "_id": {
+      "type": "string",
+      "is_array": false
+    },
+    "outcome": {
+      "type": "string",
+      "is_array": false
+    },
+    "reason": {
+      "type": "string",
+      "is_array": false
+    },
+    "externalId": {
+      "type": "string",
+      "is_array": false
+    },
+    "out": {
+      "type": "string",
+      "is_array": false
+    },
+    "shost": {
+      "type": "string",
+      "is_array": false
+    },
+     "src": {
+      "type": "string",
+      "is_array": false
+    },
+     "spt": {
+      "type": "string",
+      "is_array": false
+    },
+     "in": {
+      "type": "string",
+      "is_array": false
+    },
+     "fname": {
+      "type": "string",
+      "is_array": false
+    },
+     "sproc": {
+      "type": "string",
+      "is_array": false
+    },
+     "suser": {
+      "type": "string",
+      "is_array": false
+    },
+     "FTNTFGTdtype": {
+      "type": "string",
+      "is_array": false
+    },
+     "FTNTFGTref": {
+      "type": "string",
+      "is_array": false
+    },
+     "cefSeverity": {
+      "type": "string",
+      "is_array": false
+    }     
+  }
+}
diff --git a/Packs/FortiGate/README.md b/Packs/FortiGate/README.md
@@ -0,0 +1,17 @@
+## Collect Events from Vendor
+
+In order to use the collector, you can use one of the following options to collect events from the vendor:
+ - [Broker VM](#broker-vm)
+
+In either option, you will need to configure the vendor and product for this specific collector.
+### Broker VM
+You will need to use the information described [here](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/broker-vm/set-up-broker-vm/configure-your-broker-vm).\
+You can configure the specific vendor and product for this instance.
+1. Navigate to **Settings** -> **Configuration** -> **Data Broker** -> **Broker VMs**. 
+2. Right-click, and select **Syslog Collector** -> **Configure**.
+3. When configuring the Syslog Collector, set:
+   - vendor as vendor<- Fortinet
+   - product as product<- FortiGate
+
+
+
diff --git a/Packs/FortiGate/ReleaseNotes/1_0_8.md b/Packs/FortiGate/ReleaseNotes/1_0_8.md
@@ -0,0 +1,4 @@
+
+#### Modeling Rules
+##### New: Fortinet FortiGate Modeling Rule
+- Added the XSIAM Modeling Rules for FortiGate.
diff --git a/Packs/FortiGate/pack_metadata.json b/Packs/FortiGate/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "FortiGate",
     "description": "Manage FortiGate Firewall",
     "support": "xsoar",
-    "currentVersion": "1.0.7",
+    "currentVersion": "1.0.8",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Tests/known_words.txt b/Tests/known_words.txt
@@ -194,4 +194,8 @@ lookback
 subclass
 pagination
 XDM
-ADFS
+<<<<<<< HEAD
+Fortinet
+=======
+ADFS
+>>>>>>> master