Fortinet FortiGate Modeling Rules (#20292)
* Added Modeling Rules for FortiGate * Changed the time field to match the original CEF * Added Release notes * Added ReleaseNotes * Added FortinetFortiGateModelingRules_schema.json * Changed the value in first field in the json file * Delete create_certs.sh * Added README file * Bigger font for header * Changed styling * Revert "Delete create_certs.sh" This reverts commit 0d994bb. * Changed file names * Changed the README file * Revert "Added FortinetFortiGateModelingRules_schema.json" This reverts commit 0c86f6d. * Added Fortinet * Added Fortigate to known words * Changed the ReleaseNotes * Changed the Yaml file Co-authored-by: evisochek <72695126+evisochek@users.noreply.github.com>
Showing
7 changed files
with
188 additions
and
2 deletions.
@@ -0,0 +1,35 @@ | ||
[MODEL:model="Network", dataset="fortinet_fortigate_raw"] | ||
// create timestamp field | ||
alter time_p1 = arrayindex( regextract(_time,"(\w+\s\d+)") ,0) | ||
| alter time_p2 = arrayindex( regextract(_time ,"(\d{4}\s\d+:\d+:\d+)") ,0) | ||
| alter timestamp = parse_timestamp("%b %d %Y %H:%M:%S", concat(time_p1, " ", time_p2 ) ) | ||
// end timestamp field | ||
|alter XDM.Network.application_protocol = app, | ||
XDM.Network.application_protocol_category = FTNTFGTcat, | ||
XDM.Network.Destination.host.fqdn = dhost, | ||
XDM.Network.Destination.ipv4 = dst, | ||
XDM.Network.Destination.port = to_number(dpt), | ||
XDM.Network.Destination.user.username = duser, | ||
XDM.Network.event_timestamp = timestamp , | ||
XDM.Network.http.url = request, | ||
XDM.Network.ip_protocol = proto, | ||
XDM.Network.Observer.action = act, | ||
XDM.Network.Observer.product = _product, | ||
XDM.Network.Observer.type = cat, | ||
XDM.Network.Observer.vendor = _vendor, | ||
XDM.Network.original_event_description = msg, | ||
XDM.Network.original_event_id = _id, | ||
XDM.Network.outcome = outcome, | ||
XDM.Network.reason = reason, | ||
XDM.Network.session_id = externalId, | ||
XDM.Network.Source.bytes = to_number(out), | ||
XDM.Network.Source.host.fqdn = shost, | ||
XDM.Network.Source.ipv4 = src, | ||
XDM.Network.Source.port = to_number(spt), | ||
XDM.Network.Destination.bytes = to_number("in"), | ||
XDM.Network.Source.process.executable.filename = fname, | ||
XDM.Network.Source.process.name = sproc, | ||
XDM.Network.Source.user.username = suser, | ||
XDM.Network.threat.category = FTNTFGTdtype, | ||
XDM.Network.threat.description = FTNTFGTref, | ||
XDM.Network.threat.severity = cefSeverity ; |
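Review bot: `XDM.Network.Destination.bytes = to_number("in")` passes the string literal "in" rather than the `in` field; every other assignment in this block references its source field bare (`to_number(out)`, `to_number(dpt)`), so the destination byte count will presumably never be populated. If `in` is quoted because it collides with a reserved word in XQL, it needs the engine's field-reference form, not a string literal. Separately, the format string in `parse_timestamp("%b %d %Y %H:%M:%S", concat(time_p1, " ", time_p2))` carries no timezone, so `event_timestamp` depends on the sending device's clock setting and may not line up with other sources during correlation; a comment on that line such as `// no tz in the CEF header — assumes the FortiGate clock is UTC` would make the assumption visible.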
@@ -0,0 +1,6 @@ | ||
name: Fortinet FortiGate Modeling Rule | ||
id: Fortinet_FortiGate_modeling_rule | ||
fromversion: 6.8.0 | ||
tags: FortinetFortiGate | ||
rules: "" | ||
schema: "" |
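--- a/Packs/FortiGate/ModelingRules/FortiGate/FortiGate_schema.json
+++ b/Packs/FortiGate/ModelingRules/FortiGate/FortiGate_schema.json
@@ -0,0 +1,120 @@
+{
+"fortinet_fortigate_raw": {
+"_raw_log": {
+"type": "string",
+"is_array": false
+},
+"app": {
+"type": "string",
+"is_array": false
+},
+"FTNTFGTcat": {
+"type": "string",
+"is_array": false
+},
+"dhost": {
+"type": "number",
+"is_array": false
+},
+"dst": {
+"type": "string",
+"is_array": false
+},
+"dpt": {
+"type": "string",
+"is_array": false
+},
+"duser": {
+"type": "string",
+"is_array": false
+},
+"request": {
+"type": "string",
+"is_array": false
+},
+"proto": {
+"type": "string",
+"is_array": false
+},
+"act": {
+"type": "string",
+"is_array": false
+},
+"_product": {
+"type": "string",
+"is_array": false
+},
+"cat": {
+"type": "string",
+"is_array": false
+},
+"_vendor": {
+"type": "string",
+"is_array": false
+},
+"msg": {
+"type": "string",
+"is_array": false
+},
+"_id": {
+"type": "string",
+"is_array": false
+},
+"outcome": {
+"type": "string",
+"is_array": false
+},
+"reason": {
+"type": "string",
+"is_array": false
+},
+"externalId": {
+"type": "string",
+"is_array": false
+},
+"out": {
+"type": "string",
+"is_array": false
+},
+"shost": {
+"type": "string",
+"is_array": false
+},
+"src": {
+"type": "string",
+"is_array": false
+},
+"spt": {
+"type": "string",
+"is_array": false
+},
+"in": {
+"type": "string",
+"is_array": false
+},
+"fname": {
+"type": "string",
+"is_array": false
+},
+"sproc": {
+"type": "string",
+"is_array": false
+},
+"suser": {
+"type": "string",
+"is_array": false
+},
+"FTNTFGTdtype": {
+"type": "string",
+"is_array": false
+},
+"FTNTFGTref": {
+"type": "string",
+"is_array": false
+},
+"cefSeverity": {
+"type": "string",
+"is_array": false
+}
+}
+}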
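Review bot: `dhost` is declared with `"type": "number"` while the accompanying modeling rule maps it to `XDM.Network.Destination.host.fqdn`, a hostname; every other host, user and IP field in this schema is `"string"`, so this looks like a typo that would make hostname values fail the declared type. Change the `dhost` entry to `"type": "string"`. The numeric-looking fields (`dpt`, `spt`, `in`, `out`) are consistently declared as strings and converted with `to_number` in the rule, so only `dhost` is out of step.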
@@ -0,0 +1,17 @@ | ||
## Collect Events from Vendor | ||
|
||
In order to use the collector, you can use one of the following options to collect events from the vendor: | ||
- [Broker VM](#broker-vm) | ||
|
||
In either option, you will need to configure the vendor and product for this specific collector. | ||
### Broker VM | ||
You will need to use the information described [here](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/broker-vm/set-up-broker-vm/configure-your-broker-vm).\ | ||
You can configure the specific vendor and product for this instance. | ||
1. Navigate to **Settings** -> **Configuration** -> **Data Broker** -> **Broker VMs**. | ||
2. Right-click, and select **Syslog Collector** -> **Configure**. | ||
3. When configuring the Syslog Collector, set: | ||
- vendor as vendor<- Fortinet | ||
- product as product<- FortiGate | ||
|
||
|
||
|
@@ -0,0 +1,4 @@ | ||
|
||
#### Modeling Rules | ||
##### New: Fortinet FortiGate Modeling Rule | ||
- Added the XSIAM Modeling Rules for FortiGate. |
|
@@ -194,4 +194,8 @@ lookback | |
subclass | ||
pagination | ||
XDM | ||
ADFS | ||
<<<<<<< HEAD | ||
Fortinet | ||
======= | ||
ADFS | ||
>>>>>>> master |
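Review bot: Unresolved merge-conflict markers — `<<<<<<< HEAD`, `=======` and `>>>>>>> master` — are committed into the known-words list in this hunk, so the consumer of this file will either read them as three bogus words or choke on them, and the conflict between adding `Fortinet` and `ADFS` was never actually resolved. The new side should contain only the two words, e.g. `ADFS` followed by `Fortinet`, with the three marker lines deleted. The file continues past the hunk, so it is worth confirming no further markers were left below.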