diff --git a/dev/import-beats-resources/fortinet/docs/README.md b/dev/import-beats-resources/fortinet/docs/README.md
new file mode 100644
index 000000000000..2b02d4479c48
--- /dev/null
+++ b/dev/import-beats-resources/fortinet/docs/README.md
@@ -0,0 +1,17 @@
+# Fortinet Integration
+
+This integration is for Fortinet FortiOS logs sent in the syslog format. It includes the following datasets for receiving logs:
+
+- `firewall` dataset: consists of Fortinet FortiGate logs.
+
+## Compatibility
+
+This integration has been tested against FortiOS version 6.0.x and 6.2.x. Versions above this are expected to work but have not been tested.
+
+## Logs
+
+### Firewall
+
+Contains log entries from Fortinet FortiGate applicances.
+
+{{fields "firewall"}}
diff --git a/packages/fortinet/dataset/firewall/agent/stream/log.yml.hbs b/packages/fortinet/dataset/firewall/agent/stream/log.yml.hbs
new file mode 100644
index 000000000000..c723fe833507
--- /dev/null
+++ b/packages/fortinet/dataset/firewall/agent/stream/log.yml.hbs
@@ -0,0 +1,17 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains tags "forwarded"}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/packages/fortinet/dataset/firewall/agent/stream/tcp.yml.hbs b/packages/fortinet/dataset/firewall/agent/stream/tcp.yml.hbs
new file mode 100644
index 000000000000..754dfc9486b6
--- /dev/null
+++ b/packages/fortinet/dataset/firewall/agent/stream/tcp.yml.hbs
@@ -0,0 +1,13 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains tags "forwarded"}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
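Review bot: tcp.yml.hbs configures the listener with nothing beyond `host: "{{syslog_host}}:{{syslog_port}}"` — no `ssl` block is exposed, so the TCP stream receives FortiOS syslog in cleartext, and the index line shows udp.yml.hbs is the same template byte for byte (both 754dfc9486b6). If transport protection is intended for the TCP stream, surface the input's `ssl` settings as template variables; if not, record the limitation in the README, e.g. `Logs are received over plain syslog (UDP/TCP) without transport encryption; restrict the listener to the firewall's management network.` The defaults for `syslog_host` and `syslog_port` are defined outside this diff, so whether the listener binds to all interfaces cannot be judged here.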
diff --git a/packages/fortinet/dataset/firewall/agent/stream/udp.yml.hbs b/packages/fortinet/dataset/firewall/agent/stream/udp.yml.hbs
new file mode 100644
index 000000000000..754dfc9486b6
--- /dev/null
+++ b/packages/fortinet/dataset/firewall/agent/stream/udp.yml.hbs
@@ -0,0 +1,13 @@
+host: "{{syslog_host}}:{{syslog_port}}"
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains tags "forwarded"}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/packages/fortinet/dataset/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet/dataset/firewall/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 000000000000..aa468506f6d7
--- /dev/null
+++ b/packages/fortinet/dataset/firewall/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,185 @@
+---
+description: Pipeline for parsing fortinet firewall logs
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- grok:
+ field: message
+ patterns:
+ - '%{SYSLOG5424PRI}%{GREEDYDATA:syslog5424_sd}$'
+- kv:
+ field: syslog5424_sd
+ field_split: " (?=[a-z\\_\\-]+=)"
+ value_split: "="
+ prefix: "fortinet.firewall."
+ ignore_missing: true
+ ignore_failure: false
+ trim_value: "\""
+- set:
+ field: observer.vendor
+ value: Fortinet
+- set:
+ field: observer.product
+ value: Fortigate
+- set:
+ field: observer.type
+ value: firewall
+- set:
+ field: event.module
+ value: fortinet
+- set:
+ field: event.dataset
+ value: fortinet.firewall
+- set:
+ field: event.timezone
+ value: "{{fortinet.firewall.tz}}"
+ ignore_empty_value: true
+- set:
+ field: _temp.time
+ value: "{{fortinet.firewall.date}} {{fortinet.firewall.time}} {{fortinet.firewall.tz}}"
+ if: "ctx.fortinet?.firewall?.tz != null"
+- set:
+ field: _temp.time
+ value: "{{fortinet.firewall.date}} {{fortinet.firewall.time}}"
+ if: "ctx.fortinet?.firewall?.tz == null"
+- date:
+ field: _temp.time
+ target_field: "@timestamp"
+ formats:
+ - yyyy-MM-dd HH:mm:ss
+ - yyyy-MM-dd HH:mm:ss Z
+ - yyyy-MM-dd HH:mm:ss z
+ - ISO8601
+ timezone: "{{fortinet.firewall.tz}}"
+ if: "ctx.fortinet?.firewall?.tz != null"
+- date:
+ field: _temp.time
+ target_field: "@timestamp"
+ formats:
+ - yyyy-MM-dd HH:mm:ss
+ - yyyy-MM-dd HH:mm:ss Z
+ - yyyy-MM-dd HH:mm:ss z
+ - ISO8601
+ if: "ctx.fortinet?.firewall?.tz == null"
+- gsub:
+ field: fortinet.firewall.eventtime
+ pattern: "\\d{6}$"
+ replacement: ""
+ if: "(ctx.fortinet?.firewall?.eventtime).length() > 18"
+- date:
+ field: fortinet.firewall.eventtime
+ target_field: event.start
+ formats:
+ - UNIX_MS
+ timezone: "{{fortinet.firewall.tz}}"
+ if: "ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() > 11"
+- date:
+ field: fortinet.firewall.eventtime
+ target_field: event.start
+ formats:
+ - UNIX
+ timezone: "{{fortinet.firewall.tz}}"
+ if: "ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11"
+- date:
+ field: fortinet.firewall.eventtime
+ target_field: event.start
+ formats:
+ - UNIX_MS
+ if: "ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() > 11"
+- date:
+ field: fortinet.firewall.eventtime
+ target_field: event.start
+ formats:
+ - UNIX
+ if: "ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() <= 11"
+- rename:
+ field: fortinet.firewall.devname
+ target_field: observer.name
+ ignore_missing: true
+- script:
+ lang: painless
+ source: "ctx.event.duration = Long.parseLong(ctx.fortinet.firewall.duration) * 1000000000"
+ if: "ctx.fortinet?.firewall?.duration != null"
+- rename:
+ field: fortinet.firewall.devid
+ target_field: observer.serial_number
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.dstintf
+ target_field: observer.egress.interface.name
+ ignore_missing: true
+ if: "ctx.observer?.egress?.interface?.name == null"
+- rename:
+ field: fortinet.firewall.srcintf
+ target_field: observer.ingress.interface.name
+ ignore_missing: true
+ if: "ctx.observer?.ingress?.interface?.name == null"
+- rename:
+ field: fortinet.firewall.dst_int
+ target_field: observer.egress.interface.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.src_int
+ target_field: observer.ingress.interface.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.level
+ target_field: log.level
+ ignore_missing: true
+- remove:
+ field: fortinet.firewall.assignip
+ if: "ctx.fortinet?.firewall?.assignip == 'N/A'"
+- remove:
+ field: fortinet.firewall.dstip
+ if: "ctx.fortinet?.firewall?.dstip == 'N/A'"
+- remove:
+ field: fortinet.firewall.srcip
+ if: "ctx.fortinet?.firewall?.srcip == 'N/A'"
+- remove:
+ field: fortinet.firewall.remip
+ if: "ctx.fortinet?.firewall?.remip == 'N/A'"
+- remove:
+ field: fortinet.firewall.locip
+ if: "ctx.fortinet?.firewall?.locip == 'N/A'"
+- remove:
+ field: fortinet.firewall.group
+ if: "ctx.fortinet?.firewall?.group == 'N/A'"
+- remove:
+ field: fortinet.firewall.user
+ if: "ctx.fortinet?.firewall?.user == 'N/A'"
+- remove:
+ field: fortinet.firewall.tranip
+ if: "ctx.fortinet?.firewall?.tranip == 'N/A'"
+- remove:
+ field: fortinet.firewall.transip
+ if: "ctx.fortinet?.firewall?.transip == 'N/A'"
+- remove:
+ field: fortinet.firewall.tunnelip
+ if: "ctx.fortinet?.firewall?.tunnelip == 'N/A'"
+- remove:
+ field:
+ - _temp
+ - message
+ - syslog5424_sd
+ - syslog5424_pri
+ - fortinet.firewall.tz
+ - fortinet.firewall.date
+ - fortinet.firewall.eventtime
+ - fortinet.firewall.time
+ - fortinet.firewall.duration
+ - host
+ ignore_missing: true
+- pipeline:
+ name: '{{ IngestPipeline "event" }}'
+ if: "ctx.fortinet?.firewall?.type == 'event'"
+- pipeline:
+ name: '{{ IngestPipeline "traffic" }}'
+ if: "ctx.fortinet?.firewall?.type == 'traffic'"
+- pipeline:
+ name: '{{ IngestPipeline "utm" }}'
+ if: "ctx.fortinet?.firewall?.type == 'utm' || ctx.fortinet?.firewall?.type == 'dns'"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/fortinet/dataset/firewall/elasticsearch/ingest_pipeline/event.yml b/packages/fortinet/dataset/firewall/elasticsearch/ingest_pipeline/event.yml
new file mode 100644
index 000000000000..2985ddc4a141
--- /dev/null
+++ b/packages/fortinet/dataset/firewall/elasticsearch/ingest_pipeline/event.yml
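Review bot: The `gsub` on `fortinet.firewall.eventtime` and the four `date` processors after it use `(ctx.fortinet?.firewall?.eventtime).length()` in their `if`; the safe navigation only protects the lookup, so when `eventtime` is absent `.length()` is invoked on null and the condition itself throws. Since `on_failure` only sets `error.message`, every later processor is skipped for that document — the `remove` of `message`/`syslog5424_sd`/`host` and the dispatch to the `event`/`traffic`/`utm` pipelines never run — so any FortiOS line without `eventtime` is indexed raw and un-normalized. Guard the field explicitly, e.g. `if: "ctx.fortinet?.firewall?.eventtime != null && ctx.fortinet.firewall.eventtime.length() > 18"`, and the same for the `> 11` / `<= 11` conditions. Separately, the `kv` `field_split` lookahead ` (?=[a-z\\_\\-]+=)` does not respect the quoting that `trim_value: "\""` assumes, so a quoted value containing ` word=` (free text in `msg`, for instance) is split into an extra `fortinet.firewall.*` key; with dynamic mapping that lets log content choose field names, which is worth either anchoring the split to quote boundaries or documenting.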
@@ -0,0 +1,323 @@
+---
+description: Pipeline for parsing fortinet firewall logs (event pipeline)
+processors:
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.outcome
+ value: failure
+ if: "ctx.fortinet?.firewall?.result == 'ERROR' || ctx.fortinet?.firewall?.status == 'negotiate_error'"
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.fortinet?.firewall?.result == 'OK' || ['FSSO-logon', 'auth-logon', 'FSSO-logoff', 'auth-logout'].contains(ctx.fortinet?.firewall?.action)"
+- append:
+ field: event.type
+ value:
+ - user
+ - start
+ if: "['FSSO-logon', 'auth-logon'].contains(ctx.fortinet?.firewall?.action)"
+- append:
+ field: event.type
+ value:
+ - user
+ - end
+ if: "['FSSO-logoff', 'auth-logout'].contains(ctx.fortinet?.firewall?.action)"
+- append:
+ field: event.type
+ value: connection
+ if: "ctx.fortinet?.firewall?.subtype == 'vpn'"
+- append:
+ field: event.category
+ value: network
+ if: "ctx.fortinet?.firewall?.subtype == 'vpn'"
+- append:
+ field: event.type
+ value: info
+ if: "ctx.fortinet?.firewall?.action == 'perf-stats'"
+- append:
+ field: event.category
+ value: host
+ if: "ctx.fortinet?.firewall?.action == 'perf-stats'"
+- append:
+ field: event.type
+ value: info
+ if: "ctx.fortinet?.firewall?.subtype == 'update'"
+- append:
+ field: event.category
+ value:
+ - host
+ - malware
+ if: "ctx.fortinet?.firewall?.subtype == 'update'"
+- append:
+ field: event.category
+ value: authentication
+ if: "ctx.fortinet?.firewall?.subtype == 'user'"
+- rename:
+ field: fortinet.firewall.dstip
+ target_field: destination.ip
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.remip
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.destination?.ip == null"
+- convert:
+ field: fortinet.firewall.dstport
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.remport
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.destination?.port == null"
+- convert:
+ field: fortinet.firewall.rcvdbyte
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.daddr
+ target_field: destination.address
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.dst_host
+ target_field: destination.address
+ ignore_missing: true
+ if: "ctx.destination?.address == null"
+- rename:
+ field: fortinet.firewall.dst_host
+ target_field: destination.domain
+ ignore_missing: true
+ if: "ctx.destination?.address == null"
+- rename:
+ field: fortinet.firewall.group
+ target_field: source.user.group.name
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.sentbyte
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.srcip
+ target_field: source.ip
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.locip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.source?.ip == null"
+- rename:
+ field: fortinet.firewall.srcmac
+ target_field: source.mac
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.source_mac
+ target_field: source.mac
+ ignore_missing: true
+ if: "ctx.source?.mac == null"
+- convert:
+ field: fortinet.firewall.srcport
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.locport
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.source?.port == null"
+- rename:
+ field: fortinet.firewall.user
+ target_field: source.user.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.saddr
+ target_field: source.address
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.agent
+ target_field: user_agent.original
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.file
+ target_field: file.name
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.filesize
+ target_field: file.size
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.level
+ target_field: log.level
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.logid
+ target_field: event.code
+ ignore_missing: true
+ if: "ctx.event?.code == null"
+- rename:
+ field: fortinet.firewall.msg
+ target_field: message
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.policyid
+ target_field: rule.id
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.proto
+ target_field: network.iana_number
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.dir
+ target_field: network.direction
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.direction
+ target_field: network.direction
+ ignore_missing: true
+ if: "ctx.network?.direction == null"
+- rename:
+ field: fortinet.firewall.service
+ target_field: network.protocol
+ ignore_missing: true
+- lowercase:
+ field: network.protocol
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.error_num
+ target_field: error.code
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.hostname
+ target_field: url.domain
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.logdesc
+ target_field: rule.description
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.url
+ target_field: url.path
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.sess_duration
+ type: long
+ target_field: event.duration
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.event?.duration == null"
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- script:
+ lang: painless
+ source: ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes
+ if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null"
+ ignore_failure: true
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx.destination?.ip != null"
+- append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: "ctx.source?.user?.name != null"
+- remove:
+ field:
+ - fortinet.firewall.dstport
+ - fortinet.firewall.remport
+ - fortinet.firewall.rcvdbyte
+ - fortinet.firewall.sentbyte
+ - fortinet.firewall.srcport
+ - fortinet.firewall.locport
+ - fortinet.firewall.filesize
+ - fortinet.firewall.sess_duration
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/fortinet/dataset/firewall/elasticsearch/ingest_pipeline/traffic.yml b/packages/fortinet/dataset/firewall/elasticsearch/ingest_pipeline/traffic.yml
new file mode 100644
index 000000000000..590e662ff3e4
--- /dev/null
+++ b/packages/fortinet/dataset/firewall/elasticsearch/ingest_pipeline/traffic.yml
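Review bot: The second `rename` of `fortinet.firewall.dst_host` (target `destination.domain`) can never fire: it is conditioned on `ctx.destination?.address == null`, but the `rename` directly before it moves `dst_host` into `destination.address` under that same condition, and when `daddr` already filled `destination.address` the condition is false too, so `destination.domain` is never populated and `ignore_missing: true` hides the dead processor. If a copy in `destination.domain` is wanted, set it before the field is consumed, e.g. `- set:` / `field: destination.domain` / `value: "{{fortinet.firewall.dst_host}}"` with `if: "ctx.fortinet?.firewall?.dst_host != null"`, and delete the dead rename otherwise. The `network.bytes` `script` also runs while `ctx.network` may still be null — only the `proto`, `dir`/`direction` and `service` renames create `network.*`, and each is optional — and its `ignore_failure: true` then swallows the resulting NullPointerException instead of producing `network.bytes`; guarding with `ctx.network != null` in the `if`, or initialising the map in the script, would make the processor honest.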
@@ -0,0 +1,314 @@
+---
+description: Pipeline for parsing fortinet firewall logs (traffic pipeline)
+processors:
+- set:
+ field: event.kind
+ value: event
+- set:
+ field: event.action
+ value: "{{fortinet.firewall.action}}"
+ ignore_empty_value: true
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.fortinet?.firewall?.action != null"
+- append:
+ field: event.category
+ value: network
+- append:
+ field: event.type
+ value: connection
+- append:
+ field: event.type
+ value: start
+ if: "ctx.fortinet?.firewall?.action == 'start'"
+- append:
+ field: event.type
+ value: end
+ if: "ctx.fortinet?.firewall?.action != null && ctx.fortinet?.firewall?.action !='start'"
+- append:
+ field: event.type
+ value: protocol
+ if: "ctx.fortinet?.firewall?.app != null && ctx.fortinet?.firewall?.action != 'deny'"
+- append:
+ field: event.type
+ value: allowed
+ if: "ctx.fortinet?.firewall?.utmaction == null && ctx.fortinet?.firewall?.action != 'deny'"
+- append:
+ field: event.type
+ value: denied
+ if: "ctx.fortinet?.firewall?.utmaction == 'block'"
+- rename:
+ field: fortinet.firewall.dstip
+ target_field: destination.ip
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.tranip
+ target_field: destination.nat.ip
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.dstport
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.tranport
+ target_field: destination.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.rcvdbyte
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.rcvdpkt
+ target_field: destination.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.dstcollectedemail
+ target_field: destination.user.email
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.dstname
+ target_field: destination.address
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.dstunauthuser
+ target_field: destination.user.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.group
+ target_field: source.user.group.name
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.sentbyte
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.srcdomain
+ target_field: source.domain
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.srcip
+ target_field: source.ip
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.srcmac
+ target_field: source.mac
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.srcport
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.unauthuser
+ target_field: source.user.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.user
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.source?.user?.name == null"
+- rename:
+ field: fortinet.firewall.collectedemail
+ target_field: source.user.email
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.sentpkt
+ target_field: source.packets
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.transip
+ target_field: source.nat.ip
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.transport
+ target_field: source.nat.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.app
+ target_field: network.application
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.filename
+ target_field: file.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.logid
+ target_field: event.code
+ ignore_missing: true
+ if: "ctx.event?.code == null"
+- rename:
+ field: fortinet.firewall.msg
+ target_field: message
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.comment
+ target_field: rule.description
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.policyid
+ target_field: rule.id
+ ignore_missing: true
+ if: "ctx.rule?.id == null"
+- rename:
+ field: fortinet.firewall.poluuid
+ target_field: rule.uuid
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.policytype
+ target_field: rule.ruleset
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.policyname
+ target_field: rule.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.appcat
+ target_field: rule.category
+ ignore_missing: true
+- gsub:
+ field: rule.category
+ pattern: "\\."
+ replacement: "-"
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.proto
+ target_field: network.iana_number
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.service
+ target_field: network.protocol
+ ignore_missing: true
+- lowercase:
+ field: network.protocol
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.url
+ target_field: url.path
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- script:
+ lang: painless
+ source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"
+ if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null"
+ ignore_failure: true
+- script:
+ lang: painless
+ source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets"
+ if: "ctx?.source?.packets != null && ctx?.destination?.packets != null"
+ ignore_failure: true
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx.destination?.ip != null"
+- append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: "ctx.source?.user?.name != null"
+- append:
+ field: related.user
+ value: "{{destination.user.name}}"
+ if: "ctx.destination?.user?.name != null"
+- remove:
+ field:
+ - fortinet.firewall.dstport
+ - fortinet.firewall.tranport
+ - fortinet.firewall.rcvdbyte
+ - fortinet.firewall.rcvdpkt
+ - fortinet.firewall.sentbyte
+ - fortinet.firewall.srcport
+ - fortinet.firewall.sentpkt
+ - fortinet.firewall.transport
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
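Review bot: A session denied by firewall policy (`action == 'deny'`) never receives `event.type: denied`: `denied` is appended only when `utmaction == 'block'`, and the `allowed` processor merely refrains from tagging denies, so such records end up as `event.type: [connection, end]` with `event.outcome: success` and nothing that marks them as blocked — any detection or dashboard keyed on `event.type: denied` silently misses policy denies. Widen the condition, e.g. `if: "ctx.fortinet?.firewall?.utmaction == 'block' || ctx.fortinet?.firewall?.action == 'deny'"`. The `end` processor's `action != null && action !='start'` also labels denies as the end of a session that never existed; consider excluding `'deny'` there as well, and `!='start'` would read better as `!= 'start'` to match the other conditions.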
diff --git a/packages/fortinet/dataset/firewall/elasticsearch/ingest_pipeline/utm.yml b/packages/fortinet/dataset/firewall/elasticsearch/ingest_pipeline/utm.yml
new file mode 100644
index 000000000000..b13be60af6f0
--- /dev/null
+++ b/packages/fortinet/dataset/firewall/elasticsearch/ingest_pipeline/utm.yml
@@ -0,0 +1,431 @@
+---
+description: Pipeline for parsing fortinet firewall logs (utm pipeline)
+processors:
+- set:
+ field: event.kind
+ value: event
+- append:
+ field: event.type
+ value: denied
+ if: "['block', 'blocked'].contains(ctx.fortinet?.firewall?.action)"
+- append:
+ field: event.type
+ value: info
+ if: "ctx.fortinet?.firewall?.subtype == 'dns'"
+- append:
+ field: event.type
+ value: allowed
+ if: "['pass', 'passthrough'].contains(ctx.fortinet?.firewall?.action)"
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx.fortinet?.firewall?.action != null"
+- append:
+ field: event.category
+ value: network
+- rename:
+ field: fortinet.firewall.dstip
+ target_field: destination.ip
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.remip
+ target_field: destination.ip
+ ignore_missing: true
+ if: "ctx.destination?.ip == null"
+- convert:
+ field: fortinet.firewall.dst_port
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.remport
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.destination?.port == null"
+- convert:
+ field: fortinet.firewall.dstport
+ target_field: destination.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.destination?.port == null"
+- convert:
+ field: fortinet.firewall.rcvdbyte
+ target_field: destination.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.recipient
+ target_field: destination.user.email
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.group
+ target_field: source.user.group.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.locip
+ target_field: source.ip
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.locport
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.src_port
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.source?.port == null"
+- convert:
+ field: fortinet.firewall.srcport
+ target_field: source.port
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+ if: "ctx.source?.port == null"
+- convert:
+ field: fortinet.firewall.sentbyte
+ target_field: source.bytes
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.srcdomain
+ target_field: source.domain
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.srcip
+ target_field: source.ip
+ ignore_missing: true
+ if: "ctx.source?.ip == null"
+- rename:
+ field: fortinet.firewall.srcmac
+ target_field: source.mac
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.unauthuser
+ target_field: source.user.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.user
+ target_field: source.user.name
+ ignore_missing: true
+ if: "ctx.source?.user?.name == null"
+- rename:
+ field: fortinet.firewall.sender
+ target_field: source.user.email
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.from
+ target_field: source.user.email
+ ignore_missing: true
+ if: "ctx.source?.user?.email == null"
+- rename:
+ field: fortinet.firewall.agent
+ target_field: user_agent.original
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.app
+ target_field: network.application
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.appcat
+ target_field: rule.category
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.applist
+ target_field: rule.ruleset
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.catdesc
+ target_field: rule.category
+ ignore_missing: true
+ if: "ctx.rule?.category == null"
+- gsub:
+ field: rule.category
+ pattern: "\\."
+ replacement: "-"
+ ignore_missing: true
+ if: "ctx.rule?.category != null"
+- rename:
+ field: fortinet.firewall.dir
+ target_field: network.direction
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.direction
+ target_field: network.direction
+ ignore_missing: true
+ if: "ctx.network?.direction == null"
+- rename:
+ field: fortinet.firewall.error
+ target_field: event.message
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.errorcode
+ target_field: event.code
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.event_id
+ target_field: event.id
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.eventid
+ target_field: event.id
+ ignore_missing: true
+ if: "ctx.event?.id == null"
+- rename:
+ field: fortinet.firewall.eventtype
+ target_field: event.action
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.filename
+ target_field: file.name
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.filesize
+ target_field: file.size
+ type: long
+ ignore_failure: true
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.filetype
+ target_field: file.extension
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.infectedfilename
+ target_field: file.name
+ ignore_missing: true
+ if: "ctx.file?.name == null"
+- rename:
+ field: fortinet.firewall.infectedfilesize
+ target_field: file.size
+ ignore_missing: true
+ if: "ctx.file?.size == null"
+- rename:
+ field: fortinet.firewall.infectedfiletype
+ target_field: file.extension
+ ignore_missing: true
+ if: "ctx.file?.extension == null"
+- rename:
+ field: fortinet.firewall.matchedfilename
+ target_field: file.name
+ ignore_missing: true
+ if: "ctx.file?.name == null"
+- rename:
+ field: fortinet.firewall.matchedfiletype
+ target_field: file.extension
+ ignore_missing: true
+ if: "ctx.file?.extension == null"
+- rename:
+ field: fortinet.firewall.hostname
+ target_field: url.domain
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.ipaddr
+ target_field: dns.resolved_ip
+ ignore_missing: true
+- split:
+ field: dns.resolved_ip
+ separator: ', '
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.level
+ target_field: log.level
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.logid
+ target_field: event.code
+ ignore_missing: true
+ if: "ctx.event?.code == null"
+- rename:
+ field: fortinet.firewall.msg
+ target_field: message
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.policy_id
+ target_field: rule.id
+ ignore_missing: true
+ if: "ctx.rule?.id == null"
+- rename:
+ field: fortinet.firewall.policyid
+ target_field: rule.id
+ ignore_missing: true
+ if: "ctx.rule?.id == null"
+- rename:
+ field: fortinet.firewall.profile
+ target_field: rule.ruleset
+ ignore_missing: true
+ if: "ctx.rule?.ruleset == null"
+- rename:
+ field: fortinet.firewall.proto
+ target_field: network.iana_number
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.qclass
+ target_field: dns.question.class
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.qname
+ target_field: dns.question.name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.qtype
+ target_field: dns.question.type
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.service
+ target_field: network.protocol
+ ignore_missing: true
+- lowercase:
+ field: network.protocol
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.url
+ target_field: url.path
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.xid
+ target_field: dns.id
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.scertcname
+ target_field: tls.client.server_name
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.scertissuer
+ target_field: tls.server.issuer
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.ccertissuer
+ target_field: tls.client.issuer
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.sender
+ target_field: tls.server.issuer
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.dtype
+ target_field: vulnerability.category
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.ref
+ target_field: event.reference
+ ignore_missing: true
+- rename:
+ field: fortinet.firewall.filehash
+ target_field: fortinet.file.hash.crc32
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ field: source.nat.ip
+ target_field: source.geo
+ ignore_missing: true
+ if: "ctx.source?.geo == null"
+- geoip:
+ field: destination.nat.ip
+ target_field: destination.geo
+ ignore_missing: true
+ if: "ctx.destination?.geo == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.nat.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.source?.as == null"
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.nat.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ if: "ctx.destination?.as == null"
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- script:
+ lang: painless
+ source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes"
+ if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null"
+ ignore_failure: true
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx.destination?.ip != null"
+- append:
+ field: related.user
+ value: "{{source.user.name}}"
+ if: "ctx.source?.user?.name != null"
+- append:
+ field: related.hash
+ value: "{{fortinet.file.hash.crc32}}"
+ if: "ctx.fortinet?.file?.hash?.crc32 != null"
+- remove:
+ field:
+ - fortinet.firewall.dst_port
+ - fortinet.firewall.remport
+ - fortinet.firewall.dstport
+ - fortinet.firewall.rcvdbyte
+ - fortinet.firewall.locport
+ - fortinet.firewall.src_port
+ - fortinet.firewall.srcport
+ - fortinet.firewall.sentbyte
+ - fortinet.firewall.filesize
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/fortinet/dataset/firewall/fields/base-fields.yml b/packages/fortinet/dataset/firewall/fields/base-fields.yml
new file mode 100644
index 000000000000..34cd555af41e
--- /dev/null
+++ b/packages/fortinet/dataset/firewall/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/fortinet/dataset/firewall/fields/beats.yml b/packages/fortinet/dataset/firewall/fields/beats.yml
new file mode 100644
index 000000000000..f7240ec1d378
--- /dev/null
+++ b/packages/fortinet/dataset/firewall/fields/beats.yml
@@ -0,0 +1,17 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
+
+# this isn't actually ECS
+- name: event.message
+ type: text
+ description: Log message optimized for viewing in a log viewer.
diff --git a/packages/fortinet/dataset/firewall/fields/ecs.yml b/packages/fortinet/dataset/firewall/fields/ecs.yml
new file mode 100644
index 000000000000..b52c5d9c258d
--- /dev/null
+++ b/packages/fortinet/dataset/firewall/fields/ecs.yml
@@ -0,0 +1,288 @@
+- description: Unique container id.
+ name: container.id
+ type: keyword
+- description: Destination network address.
+ name: destination.address
+ type: keyword
+- description: Unique number allocated to the autonomous system.
+ name: destination.as.number
+ type: long
+- description: Organization name.
+ name: destination.as.organization.name
+ type: keyword
+- description: Bytes sent from the destination to the source.
+ name: destination.bytes
+ type: long
+- description: Destination domain.
+ name: destination.domain
+ type: keyword
+- description: City name.
+ name: destination.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: destination.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: destination.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: destination.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ name: destination.geo.location
+ type: geo_point
+- description: User-defined description of a location.
+ name: destination.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: destination.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: destination.geo.region_name
+ type: keyword
+- description: IP address of the destination.
+ name: destination.ip
+ type: ip
+- description: Destination NAT ip
+ name: destination.nat.ip
+ type: ip
+- description: Destination NAT Port
+ name: destination.nat.port
+ type: long
+- description: Packets sent from the destination to the source.
+ name: destination.packets
+ type: long
+- description: Port of the destination.
+ name: destination.port
+ type: long
+- description: User email address.
+ name: destination.user.email
+ type: keyword
+- description: Short name or login of the user.
+ name: destination.user.name
+ type: keyword
+- description: DNS packet identifier.
+ name: dns.id
+ type: keyword
+- description: The class of records being queried.
+ name: dns.question.class
+ type: keyword
+- description: The name being queried.
+ name: dns.question.name
+ type: keyword
+- description: The type of record being queried.
+ name: dns.question.type
+ type: keyword
+- description: Array containing all IPs seen in answers.data
+ name: dns.resolved_ip
+ type: ip
+- description: Error code describing the error.
+ name: error.code
+ type: keyword
+- description: Error message.
+ name: error.message
+ type: text
+- description: Event category. The second categorization field in the hierarchy.
+ name: event.category
+ type: keyword
+- description: Identification code for this event.
+ name: event.code
+ type: keyword
+- description: Name of the dataset.
+ name: event.dataset
+ type: keyword
+- description: Duration of the event in nanoseconds.
+ name: event.duration
+ type: long
+- description: Timestamp when an event arrived in the central data store.
+ name: event.ingested
+ type: date
+- description: The kind of the event. The highest categorization field in the hierarchy.
+ name: event.kind
+ type: keyword
+- description: Name of the module this data is coming from.
+ name: event.module
+ type: keyword
+- description: The outcome of the event.
+ name: event.outcome
+ type: keyword
+- description: Event reference URL
+ name: event.reference
+ type: keyword
+- description: Contains the date when the event started.
+ name: event.start
+ type: date
+- description: Event time zone.
+ name: event.timezone
+ type: keyword
+- description: Event type. The third categorization field in the hierarchy.
+ name: event.type
+ type: keyword
+- description: File extension.
+ name: file.extension
+ type: keyword
+- description: Name of the file including the extension, without the directory.
+ name: file.name
+ type: keyword
+- description: File size in bytes.
+ name: file.size
+ type: long
+- description: Log level of the log event.
+ name: log.level
+ type: keyword
+- description: Log message optimized for viewing in a log viewer.
+ name: message
+ type: text
+- description: Application level protocol name.
+ name: network.application
+ type: keyword
+- description: Total bytes transferred in both directions.
+ name: network.bytes
+ type: long
+- description: Direction of the network traffic.
+ name: network.direction
+ type: keyword
+- description: IANA Protocol Number.
+ name: network.iana_number
+ type: keyword
+- description: Total packets transferred in both directions.
+ name: network.packets
+ type: long
+- description: L7 Network protocol name.
+ name: network.protocol
+ type: keyword
+- description: Interface name
+ name: observer.egress.interface.name
+ type: keyword
+- description: Interface name
+ name: observer.ingress.interface.name
+ type: keyword
+- description: Custom name of the observer.
+ name: observer.name
+ type: keyword
+- description: The product name of the observer.
+ name: observer.product
+ type: keyword
+- description: Observer serial number.
+ name: observer.serial_number
+ type: keyword
+- description: The type of the observer the data is coming from.
+ name: observer.type
+ type: keyword
+- description: Vendor name of the observer.
+ name: observer.vendor
+ type: keyword
+- description: All the hashes seen on your event.
+ name: related.hash
+ type: keyword
+- description: All of the IPs seen on your event.
+ name: related.ip
+ type: ip
+- description: All the user names seen on your event.
+ name: related.user
+ type: keyword
+- description: Rule category
+ name: rule.category
+ type: keyword
+- description: Rule description
+ name: rule.description
+ type: keyword
+- description: Rule ID
+ name: rule.id
+ type: keyword
+- description: Rule name
+ name: rule.name
+ type: keyword
+- description: Rule ruleset
+ name: rule.ruleset
+ type: keyword
+- description: Rule UUID
+ name: rule.uuid
+ type: keyword
+- description: Source network address.
+ name: source.address
+ type: keyword
+- description: Unique number allocated to the autonomous system.
+ name: source.as.number
+ type: long
+- description: Organization name.
+ name: source.as.organization.name
+ type: keyword
+- description: Bytes sent from the source to the destination.
+ name: source.bytes
+ type: long
+- description: City name.
+ name: source.geo.city_name
+ type: keyword
+- description: Name of the continent.
+ name: source.geo.continent_name
+ type: keyword
+- description: Country ISO code.
+ name: source.geo.country_iso_code
+ type: keyword
+- description: Country name.
+ name: source.geo.country_name
+ type: keyword
+- description: Longitude and latitude.
+ name: source.geo.location
+ type: geo_point
+- description: User-defined description of a location.
+ name: source.geo.name
+ type: keyword
+- description: Region ISO code.
+ name: source.geo.region_iso_code
+ type: keyword
+- description: Region name.
+ name: source.geo.region_name
+ type: keyword
+- description: IP address of the source.
+ name: source.ip
+ type: ip
+- description: MAC address of the source.
+ name: source.mac
+ type: keyword
+- description: Source NAT ip
+ name: source.nat.ip
+ type: ip
+- description: Source NAT port
+ name: source.nat.port
+ type: long
+- description: Packets sent from the source to the destination.
+ name: source.packets
+ type: long
+- description: Port of the source.
+ name: source.port
+ type: long
+- description: User email address.
+ name: source.user.email
+ type: keyword
+- description: Name of the group.
+ name: source.user.group.name
+ type: keyword
+- description: Short name or login of the user.
+ name: source.user.name
+ type: keyword
+- description: List of keywords used to tag each event.
+ name: tags
+ type: keyword
+- description: Distinguished name of subject of the issuer.
+ name: tls.client.issuer
+ type: keyword
+- description: Hostname the client is trying to connect to. Also called the SNI.
+ name: tls.client.server_name
+ type: keyword
+- description: Subject of the issuer of the x.509 certificate presented by the server.
+ name: tls.server.issuer
+ type: keyword
+- description: Domain of the url.
+ name: url.domain
+ type: keyword
+- description: Path of the request, such as "/search".
+ name: url.path
+ type: keyword
+- description: Unparsed user_agent string.
+ name: user_agent.original
+ type: keyword
+- description: Category of a vulnerability.
+ name: vulnerability.category
+ type: keyword
diff --git a/packages/fortinet/dataset/firewall/fields/fields.yml b/packages/fortinet/dataset/firewall/fields/fields.yml
new file mode 100644
index 000000000000..6e38c063ce0f
--- /dev/null
+++ b/packages/fortinet/dataset/firewall/fields/fields.yml
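Review bot: The `tls.client.issuer` description in this hunk is truncated — "Distinguished name of subject of the issuer." stops short of saying which certificate it refers to, while its `tls.server.issuer` counterpart a few lines later spells out "…of the x.509 certificate presented by the server." Since the pipeline populates this field from the client certificate (`ccertissuer` → `tls.client.issuer`), the client entry should be just as explicit: `- description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client.` The NAT and rule descriptions are also the only ones without terminal punctuation and mix case ("Destination NAT ip" vs "Destination NAT Port", "Rule ID", "Rule ruleset"); normalising them to the "Sentence case, trailing period." form used everywhere else in the file would keep the generated field reference consistent.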
@@ -0,0 +1,1727 @@
+- name: fortinet
+ type: group
+ fields:
+ - name: file.hash.crc32
+ type: keyword
+ description: |
+ CRC32 Hash of file
+ - name: firewall
+ type: group
+ release: beta
+ fields:
+ - name: acct_stat
+ type: keyword
+ description: |
+ Accounting state (RADIUS)
+ - name: acktime
+ type: keyword
+ description: |
+ Alarm Acknowledge Time
+ - name: act
+ type: keyword
+ description: |
+ Action
+ - name: action
+ type: keyword
+ description: |
+ Status of the session
+ - name: activity
+ type: keyword
+ description: |
+ HA activity message
+ - name: addr
+ type: ip
+ description: |
+ IP Address
+ - name: addr_type
+ type: keyword
+ description: |
+ Address Type
+ - name: addrgrp
+ type: keyword
+ description: |
+ Address Group
+ - name: adgroup
+ type: keyword
+ description: |
+ AD Group Name
+ - name: admin
+ type: keyword
+ description: |
+ Admin User
+ - name: age
+ type: integer
+ description: |
+ Time in seconds - time passed since last seen
+ - name: agent
+ type: keyword
+ description: |
+ User agent - eg. agent="Mozilla/5.0"
+ - name: alarmid
+ type: integer
+ description: |
+ Alarm ID
+ - name: alert
+ type: keyword
+ description: |
+ Alert
+ - name: analyticscksum
+ type: keyword
+ description: |
+ The checksum of the file submitted for analytics
+ - name: analyticssubmit
+ type: keyword
+ description: |
+ The flag for analytics submission
+ - name: ap
+ type: keyword
+ description: |
+ Access Point
+ - name: app-type
+ type: keyword
+ description: |
+ Address Type
+ - name: appact
+ type: keyword
+ description: |
+ The security action from app control
+ - name: appid
+ type: integer
+ description: |
+ Application ID
+ - name: applist
+ type: keyword
+ description: |
+ Application Control profile
+ - name: apprisk
+ type: keyword
+ description: |
+ Application Risk Level
+ - name: apscan
+ type: keyword
+ description: |
+ The name of the AP, which scanned and detected the rogue AP
+ - name: apsn
+ type: keyword
+ description: |
+ Access Point
+ - name: apstatus
+ type: keyword
+ description: |
+ Access Point status
+ - name: aptype
+ type: keyword
+ description: |
+ Access Point type
+ - name: assigned
+ type: ip
+ description: |
+ Assigned IP Address
+ - name: assignip
+ type: ip
+ description: |
+ Assigned IP Address
+ - name: attachment
+ type: keyword
+ description: |
+ The flag for email attachement
+ - name: attack
+ type: keyword
+ description: |
+ Attack Name
+ - name: attackcontext
+ type: keyword
+ description: |
+ The trigger patterns and the packetdata with base64 encoding
+ - name: attackcontextid
+ type: keyword
+ description: |
+ Attack context id / total
+ - name: attackid
+ type: integer
+ description: |
+ Attack ID
+ - name: auditid
+ type: long
+ description: |
+ Audit ID
+ - name: auditscore
+ type: keyword
+ description: |
+ The Audit Score
+ - name: audittime
+ type: long
+ description: |
+ The time of the audit
+ - name: authgrp
+ type: keyword
+ description: |
+ Authorization Group
+ - name: authid
+ type: keyword
+ description: |
+ Authentication ID
+ - name: authproto
+ type: keyword
+ description: |
+ The protocol that initiated the authentication
+ - name: authserver
+ type: keyword
+ description: |
+ Authentication server
+ - name: bandwidth
+ type: keyword
+ description: |
+ Bandwidth
+ - name: banned_rule
+ type: keyword
+ description: |
+ NAC quarantine Banned Rule Name
+ - name: banned_src
+ type: keyword
+ description: |
+ NAC quarantine Banned Source IP
+ - name: banword
+ type: keyword
+ description: |
+ Banned word
+ - name: botnetdomain
+ type: keyword
+ description: |
+ Botnet Domain Name
+ - name: botnetip
+ type: ip
+ description: |
+ Botnet IP Address
+ - name: bssid
+ type: keyword
+ description: |
+ Service Set ID
+ - name: call_id
+ type: keyword
+ description: |
+ Caller ID
+ - name: carrier_ep
+ type: keyword
+ description: |
+ The FortiOS Carrier end-point identification
+ - name: cat
+ type: integer
+ description: |
+ DNS category ID
+ - name: category
+ type: keyword
+ description: |
+ Authentication category
+ - name: cc
+ type: keyword
+ description: |
+ CC Email Address
+ - name: cdrcontent
+ type: keyword
+ description: |
+ Cdrcontent
+ - name: centralnatid
+ type: integer
+ description: |
+ Central NAT ID
+ - name: cert
+ type: keyword
+ description: |
+ Certificate
+ - name: cert-type
+ type: keyword
+ description: |
+ Certificate type
+ - name: certhash
+ type: keyword
+ description: |
+ Certificate hash
+ - name: cfgattr
+ type: keyword
+ description: |
+ Configuration attribute
+ - name: cfgobj
+ type: keyword
+ description: |
+ Configuration object
+ - name: cfgpath
+ type: keyword
+ description: |
+ Configuration path
+ - name: cfgtid
+ type: keyword
+ description: |
+ Configuration transaction ID
+ - name: cfgtxpower
+ type: integer
+ description: |
+ Configuration TX power
+ - name: channel
+ type: integer
+ description: |
+ Wireless Channel
+ - name: channeltype
+ type: keyword
+ description: |
+ SSH channel type
+ - name: chassisid
+ type: integer
+ description: |
+ Chassis ID
+ - name: checksum
+ type: keyword
+ description: |
+ The checksum of the scanned file
+ - name: chgheaders
+ type: keyword
+ description: |
+ HTTP Headers
+ - name: cldobjid
+ type: keyword
+ description: |
+ Connector object ID
+ - name: client_addr
+ type: keyword
+ description: |
+ Wifi client address
+ - name: cloudaction
+ type: keyword
+ description: |
+ Cloud Action
+ - name: clouduser
+ type: keyword
+ description: |
+ Cloud User
+ - name: column
+ type: integer
+ description: |
+ VOIP Column
+ - name: command
+ type: keyword
+ description: |
+ CLI Command
+ - name: community
+ type: keyword
+ description: |
+ SNMP Community
+ - name: configcountry
+ type: keyword
+ description: |
+ Configuration country
+ - name: connection_type
+ type: keyword
+ description: |
+ FortiClient Connection Type
+ - name: conserve
+ type: keyword
+ description: |
+ Flag for conserve mode
+ - name: constraint
+ type: keyword
+ description: |
+ WAF http protocol restrictions
+ - name: contentdisarmed
+ type: keyword
+ description: |
+ Email scanned content
+ - name: contenttype
+ type: keyword
+ description: |
+ Content Type from HTTP header
+ - name: cookies
+ type: keyword
+ description: |
+ VPN Cookie
+ - name: count
+ type: integer
+ description: |
+ Counts of action type
+ - name: countapp
+ type: integer
+ description: |
+ Number of App Ctrl logs associated with the session
+ - name: countav
+ type: integer
+ description: |
+ Number of AV logs associated with the session
+ - name: countcifs
+ type: integer
+ description: |
+ Number of CIFS logs associated with the session
+ - name: countdlp
+ type: integer
+ description: |
+ Number of DLP logs associated with the session
+ - name: countdns
+ type: integer
+ description: |
+ Number of DNS logs associated with the session
+ - name: countemail
+ type: integer
+ description: |
+ Number of email logs associated with the session
+ - name: countff
+ type: integer
+ description: |
+ Number of ff logs associated with the session
+ - name: countips
+ type: integer
+ description: |
+ Number of IPS logs associated with the session
+ - name: countssh
+ type: integer
+ description: |
+ Number of SSH logs associated with the session
+ - name: countssl
+ type: integer
+ description: |
+ Number of SSL logs associated with the session
+ - name: countwaf
+ type: integer
+ description: |
+ Number of WAF logs associated with the session
+ - name: countweb
+ type: integer
+ description: |
+ Number of Web filter logs associated with the session
+ - name: cpu
+ type: integer
+ description: |
+ CPU Usage
+ - name: craction
+ type: integer
+ description: |
+ Client Reputation Action
+ - name: criticalcount
+ type: integer
+ description: |
+ Number of critical ratings
+ - name: crl
+ type: keyword
+ description: |
+ Client Reputation Level
+ - name: crlevel
+ type: keyword
+ description: |
+ Client Reputation Level
+ - name: crscore
+ type: integer
+ description: |
+ Some description
+ - name: cveid
+ type: keyword
+ description: |
+ CVE ID
+ - name: daemon
+ type: keyword
+ description: |
+ Daemon name
+ - name: datarange
+ type: keyword
+ description: |
+ Data range for reports
+ - name: date
+ type: keyword
+ description: |
+ Date
+ - name: ddnsserver
+ type: ip
+ description: |
+ DDNS server
+ - name: desc
+ type: keyword
+ description: |
+ Description
+ - name: detectionmethod
+ type: keyword
+ description: |
+ Detection method
+ - name: devcategory
+ type: keyword
+ description: |
+ Device category
+ - name: devintfname
+ type: keyword
+ description: |
+ HA device Interface Name
+ - name: devtype
+ type: keyword
+ description: |
+ Device type
+ - name: dhcp_msg
+ type: keyword
+ description: |
+ DHCP Message
+ - name: dintf
+ type: keyword
+ description: |
+ Destination interface
+ - name: disk
+ type: keyword
+ description: |
+ Assosciated disk
+ - name: disklograte
+ type: long
+ description: |
+ Disk logging rate
+ - name: dlpextra
+ type: keyword
+ description: |
+ DLP extra information
+ - name: docsource
+ type: keyword
+ description: |
+ DLP fingerprint document source
+ - name: domainctrlauthstate
+ type: integer
+ description: |
+ CIFS domain auth state
+ - name: domainctrlauthtype
+ type: integer
+ description: |
+ CIFS domain auth type
+ - name: domainctrldomain
+ type: keyword
+ description: |
+ CIFS domain auth domain
+ - name: domainctrlip
+ type: ip
+ description: |
+ CIFS Domain IP
+ - name: domainctrlname
+ type: keyword
+ description: |
+ CIFS Domain name
+ - name: domainctrlprotocoltype
+ type: integer
+ description: |
+ CIFS Domain connection protocol
+ - name: domainctrlusername
+ type: keyword
+ description: |
+ CIFS Domain username
+ - name: domainfilteridx
+ type: integer
+ description: |
+ Domain filter ID
+ - name: domainfilterlist
+ type: keyword
+ description: |
+ Domain filter name
+ - name: ds
+ type: keyword
+ description: |
+ Direction with distribution system
+ - name: dst_int
+ type: keyword
+ description: |
+ Destination interface
+ - name: dstintfrole
+ type: keyword
+ description: |
+ Destination interface role
+ - name: dstcountry
+ type: keyword
+ description: |
+ Destination country
+ - name: dstdevcategory
+ type: keyword
+ description: |
+ Destination device category
+ - name: dstdevtype
+ type: keyword
+ description: |
+ Destination device type
+ - name: dstfamily
+ type: keyword
+ description: |
+ Destination OS family
+ - name: dsthwvendor
+ type: keyword
+ description: |
+ Destination HW vendor
+ - name: dsthwversion
+ type: keyword
+ description: |
+ Destination HW version
+ - name: dstinetsvc
+ type: keyword
+ description: |
+ Destination interface service
+ - name: dstosname
+ type: keyword
+ description: |
+ Destination OS name
+ - name: dstosversion
+ type: keyword
+ description: |
+ Destination OS version
+ - name: dstserver
+ type: integer
+ description: |
+ Destination server
+ - name: dstssid
+ type: keyword
+ description: |
+ Destination SSID
+ - name: dstswversion
+ type: keyword
+ description: |
+ Destination software version
+ - name: dstunauthusersource
+ type: keyword
+ description: |
+ Destination unauthenticated source
+ - name: dstuuid
+ type: keyword
+ description: |
+ UUID of the Destination IP address
+ - name: duid
+ type: keyword
+ description: |
+ DHCP UID
+ - name: eapolcnt
+ type: integer
+ description: |
+ EAPOL packet count
+ - name: eapoltype
+ type: keyword
+ description: |
+ EAPOL packet type
+ - name: encrypt
+ type: integer
+ description: |
+ Whether the packet is encrypted or not
+ - name: encryption
+ type: keyword
+ description: |
+ Encryption method
+ - name: epoch
+ type: integer
+ description: |
+ Epoch used for locating file
+ - name: espauth
+ type: keyword
+ description: |
+ ESP Authentication
+ - name: esptransform
+ type: keyword
+ description: |
+ ESP Transform
+ - name: exch
+ type: keyword
+ description: |
+ Mail Exchanges from DNS response answer section
+ - name: exchange
+ type: keyword
+ description: |
+ Mail Exchanges from DNS response answer section
+ - name: expectedsignature
+ type: keyword
+ description: |
+ Expected SSL signature
+ - name: expiry
+ type: keyword
+ description: |
+ FortiGuard override expiry timestamp
+ - name: fams_pause
+ type: integer
+ description: |
+ Fortinet Analysis and Management Service Pause
+ - name: fazlograte
+ type: long
+ description: |
+ FortiAnalyzer Logging Rate
+ - name: fctemssn
+ type: keyword
+ description: |
+ FortiClient Endpoint SSN
+ - name: fctuid
+ type: keyword
+ description: |
+ FortiClient UID
+ - name: field
+ type: keyword
+ description: |
+ NTP status field
+ - name: filefilter
+ type: keyword
+ description: |
+ The filter used to identify the affected file
+ - name: filehashsrc
+ type: keyword
+ description: |
+ Filehash source
+ - name: filtercat
+ type: keyword
+ description: |
+ DLP filter category
+ - name: filteridx
+ type: integer
+ description: |
+ DLP filter ID
+ - name: filtername
+ type: keyword
+ description: |
+ DLP rule name
+ - name: filtertype
+ type: keyword
+ description: |
+ DLP filter type
+ - name: fortiguardresp
+ type: keyword
+ description: |
+ Antispam ESP value
+ - name: forwardedfor
+ type: keyword
+ description: |
+ Email address forwarded
+ - name: fqdn
+ type: keyword
+ description: |
+ FQDN
+ - name: frametype
+ type: keyword
+ description: |
+ Wireless frametype
+ - name: freediskstorage
+ type: integer
+ description: |
+ Free disk integer
+ - name: from
+ type: keyword
+ description: |
+ From email address
+ - name: from_vcluster
+ type: integer
+ description: |
+ Source virtual cluster number
+ - name: fsaverdict
+ type: keyword
+ description: |
+ FSA verdict
+ - name: fwserver_name
+ type: keyword
+ description: |
+ Web proxy server name
+ - name: gateway
+ type: ip
+ description: |
+ Gateway ip address for PPPoE status report
+ - name: green
+ type: keyword
+ description: |
+ Memory status
+ - name: groupid
+ type: integer
+ description: |
+ User Group ID
+ - name: ha-prio
+ type: integer
+ description: |
+ HA Priority
+ - name: ha_group
+ type: keyword
+ description: |
+ HA Group
+ - name: ha_role
+ type: keyword
+ description: |
+ HA Role
+ - name: handshake
+ type: keyword
+ description: |
+ SSL Handshake
+ - name: hash
+ type: keyword
+ description: |
+ Hash value of downloaded file
+ - name: hbdn_reason
+ type: keyword
+ description: |
+ Heartbeat down reason
+ - name: highcount
+ type: integer
+ description: |
+ Highcount fabric summary
+ - name: host
+ type: keyword
+ description: |
+ Hostname
+ - name: iaid
+ type: keyword
+ description: |
+ DHCPv6 id
+ - name: icmpcode
+ type: keyword
+ description: |
+ Destination Port of the ICMP message
+ - name: icmpid
+ type: keyword
+ description: |
+ Source port of the ICMP message
+ - name: icmptype
+ type: keyword
+ description: |
+ The type of ICMP message
+ - name: identifier
+ type: integer
+ description: |
+ Network traffic identifier
+ - name: in_spi
+ type: keyword
+ description: |
+ IPSEC inbound SPI
+ - name: incidentserialno
+ type: integer
+ description: |
+ Incident serial number
+ - name: infected
+ type: integer
+ description: |
+ Infected MMS
+ - name: infectedfilelevel
+ type: integer
+ description: |
+ DLP infected file level
+ - name: informationsource
+ type: keyword
+ description: |
+ Information source
+ - name: init
+ type: keyword
+ description: |
+ IPSEC init stage
+ - name: initiator
+ type: keyword
+ description: |
+ Original login user name for Fortiguard override
+ - name: interface
+ type: keyword
+ description: |
+ Related interface
+ - name: intf
+ type: keyword
+ description: |
+ Related interface
+ - name: invalidmac
+ type: keyword
+ description: |
+ The MAC address with invalid OUI
+ - name: ip
+ type: ip
+ description: |
+ Related IP
+ - name: iptype
+ type: keyword
+ description: |
+ Related IP type
+ - name: keyword
+ type: keyword
+ description: |
+ Keyword used for search
+ - name: kind
+ type: keyword
+ description: |
+ VOIP kind
+ - name: lanin
+ type: long
+ description: |
+ LAN incoming traffic in bytes
+ - name: lanout
+ type: long
+ description: |
+ LAN outbound traffic in bytes
+ - name: lease
+ type: integer
+ description: |
+ DHCP lease
+ - name: license_limit
+ type: keyword
+ description: |
+ Maximum Number of FortiClients for the License
+ - name: limit
+ type: integer
+ description: |
+ Virtual Domain Resource Limit
+ - name: line
+ type: keyword
+ description: |
+ VOIP line
+ - name: live
+ type: integer
+ description: |
+ Time in seconds
+ - name: local
+ type: ip
+ description: |
+ Local IP for a PPPD Connection
+ - name: log
+ type: keyword
+ description: |
+ Log message
+ - name: login
+ type: keyword
+ description: |
+ SSH login
+ - name: lowcount
+ type: integer
+ description: |
+ Fabric lowcount
+ - name: mac
+ type: keyword
+ description: |
+ DHCP mac address
+ - name: malform_data
+ type: integer
+ description: |
+ VOIP malformed data
+ - name: malform_desc
+ type: keyword
+ description: |
+ VOIP malformed data description
+ - name: manuf
+ type: keyword
+ description: |
+ Manufacturer name
+ - name: masterdstmac
+ type: keyword
+ description: |
+ Master mac address for a host with multiple network interfaces
+ - name: mastersrcmac
+ type: keyword
+ description: |
+ The master MAC address for a host that has multiple network interfaces
+ - name: mediumcount
+ type: integer
+ description: |
+ Fabric medium count
+ - name: mem
+ type: keyword
+ description: |
+ Memory usage system statistics
+ - name: meshmode
+ type: keyword
+ description: |
+ Wireless mesh mode
+ - name: message_type
+ type: keyword
+ description: |
+ VOIP message type
+ - name: method
+ type: keyword
+ description: |
+ HTTP method
+ - name: mgmtcnt
+ type: integer
+ description: |
+ The number of unauthorized client flooding managemet frames
+ - name: mode
+ type: keyword
+ description: |
+ IPSEC mode
+ - name: module
+ type: keyword
+ description: |
+ PCI-DSS module
+ - name: monitor-name
+ type: keyword
+ description: |
+ Health Monitor Name
+ - name: monitor-type
+ type: keyword
+ description: |
+ Health Monitor Type
+ - name: mpsk
+ type: keyword
+ description: |
+ Wireless MPSK
+ - name: msgproto
+ type: keyword
+ description: |
+ Message Protocol Number
+ - name: mtu
+ type: integer
+ description: |
+ Max Transmission Unit Value
+ - name: name
+ type: keyword
+ description: |
+ Name
+ - name: nat
+ type: keyword
+ description: |
+ NAT IP Address
+ - name: netid
+ type: keyword
+ description: |
+ Connector NetID
+ - name: new_status
+ type: keyword
+ description: |
+ New status on user change
+ - name: new_value
+ type: keyword
+ description: |
+ New Virtual Domain Name
+ - name: newchannel
+ type: integer
+ description: |
+ New Channel Number
+ - name: newchassisid
+ type: integer
+ description: |
+ New Chassis ID
+ - name: newslot
+ type: integer
+ description: |
+ New Slot Number
+ - name: nextstat
+ type: integer
+ description: |
+ Time interval in seconds for the next statistics.
+ - name: nf_type
+ type: keyword
+ description: |
+ Notification Type
+ - name: noise
+ type: integer
+ description: |
+ Wifi Noise
+ - name: old_status
+ type: keyword
+ description: |
+ Original Status
+ - name: old_value
+ type: keyword
+ description: |
+ Original Virtual Domain name
+ - name: oldchannel
+ type: integer
+ description: |
+ Original channel
+ - name: oldchassisid
+ type: integer
+ description: |
+ Original Chassis Number
+ - name: oldslot
+ type: integer
+ description: |
+ Original Slot Number
+ - name: oldsn
+ type: keyword
+ description: |
+ Old Serial number
+ - name: oldwprof
+ type: keyword
+ description: |
+ Old Web Filter Profile
+ - name: onwire
+ type: keyword
+ description: |
+ A flag to indicate if the AP is onwire or not
+ - name: opercountry
+ type: keyword
+ description: |
+ Operating Country
+ - name: opertxpower
+ type: integer
+ description: |
+ Operating TX power
+ - name: osname
+ type: keyword
+ description: |
+ Operating System name
+ - name: osversion
+ type: keyword
+ description: |
+ Operating System version
+ - name: out_spi
+ type: keyword
+ description: |
+ Out SPI
+ - name: outintf
+ type: keyword
+ description: |
+ Out interface
+ - name: passedcount
+ type: integer
+ description: |
+ Fabric passed count
+ - name: passwd
+ type: keyword
+ description: |
+ Changed user password information
+ - name: path
+ type: keyword
+ description: |
+ Path of looped configuration for security fabric
+ - name: peer
+ type: keyword
+ description: |
+ WAN optimization peer
+ - name: peer_notif
+ type: keyword
+ description: |
+ VPN peer notification
+ - name: phase2_name
+ type: keyword
+ description: |
+ VPN phase2 name
+ - name: phone
+ type: keyword
+ description: |
+ VOIP Phone
+ - name: pid
+ type: integer
+ description: |
+ Process ID
+ - name: policytype
+ type: keyword
+ description: |
+ Policy Type
+ - name: poolname
+ type: keyword
+ description: |
+ IP Pool name
+ - name: port
+ type: integer
+ description: |
+ Log upload error port
+ - name: portbegin
+ type: integer
+ description: |
+ IP Pool port number to begin
+ - name: portend
+ type: integer
+ description: |
+ IP Pool port number to end
+ - name: probeproto
+ type: keyword
+ description: |
+ Link Monitor Probe Protocol
+ - name: process
+ type: keyword
+ description: |
+ URL Filter process
+ - name: processtime
+ type: integer
+ description: |
+ Process time for reports
+ - name: profile
+ type: keyword
+ description: |
+ Profile Name
+ - name: profile_vd
+ type: keyword
+ description: |
+ Virtual Domain Name
+ - name: profilegroup
+ type: keyword
+ description: |
+ Profile Group Name
+ - name: profiletype
+ type: keyword
+ description: |
+ Profile Type
+ - name: qtypeval
+ type: integer
+ description: |
+ DNS question type value
+ - name: quarskip
+ type: keyword
+ description: |
+ Quarantine skip explanation
+ - name: quotaexceeded
+ type: keyword
+ description: |
+ If quota has been exceeded
+ - name: quotamax
+ type: long
+ description: |
+ Maximum quota allowed - in seconds if time-based - in bytes if traffic-based
+ - name: quotatype
+ type: keyword
+ description: |
+ Quota type
+ - name: quotaused
+ type: long
+ description: |
+ Quota used - in seconds if time-based - in bytes if trafficbased)
+ - name: radioband
+ type: keyword
+ description: |
+ Radio band
+ - name: radioid
+ type: integer
+ description: |
+ Radio ID
+ - name: radioidclosest
+ type: integer
+ description: |
+ Radio ID on the AP closest the rogue AP
+ - name: radioiddetected
+ type: integer
+ description: |
+ Radio ID on the AP which detected the rogue AP
+ - name: rate
+ type: keyword
+ description: |
+ Wireless rogue rate value
+ - name: rawdata
+ type: keyword
+ description: |
+ Raw data value
+ - name: rawdataid
+ type: keyword
+ description: |
+ Raw data ID
+ - name: rcvddelta
+ type: keyword
+ description: |
+ Received bytes delta
+ - name: reason
+ type: keyword
+ description: |
+ Alert reason
+ - name: received
+ type: integer
+ description: |
+ Server key exchange received + - name: receivedsignature + type: keyword + description: | + Server key exchange received signature + - name: red + type: keyword + description: | + Memory information in red + - name: referralurl + type: keyword + description: | + Web filter referralurl + - name: remote + type: ip + description: | + Remote PPP IP address + - name: remotewtptime + type: keyword + description: | + Remote Wifi Radius authentication time + - name: reporttype + type: keyword + description: | + Report type + - name: reqtype + type: keyword + description: | + Request type + - name: request_name + type: keyword + description: | + VOIP request name + - name: result + type: keyword + description: | + VPN phase result + - name: role + type: keyword + description: | + VPN Phase 2 role + - name: rssi + type: integer + description: | + Received signal strength indicator + - name: rsso_key + type: keyword + description: | + RADIUS SSO attribute value + - name: ruledata + type: keyword + description: | + Rule data + - name: ruletype + type: keyword + description: | + Rule type + - name: scanned + type: integer + description: | + Number of Scanned MMSs + - name: scantime + type: long + description: | + Scanned time + - name: scope + type: keyword + description: | + FortiGuard Override Scope + - name: security + type: keyword + description: | + Wireless rogue security + - name: sensitivity + type: keyword + description: | + Sensitivity for document fingerprint + - name: sensor + type: keyword + description: | + NAC Sensor Name + - name: sentdelta + type: keyword + description: | + Sent bytes delta + - name: seq + type: keyword + description: | + Sequence number + - name: serial + type: keyword + description: | + WAN optimisation serial + - name: serialno + type: keyword + description: | + Serial number + - name: server + type: keyword + description: | + AD server FQDN or IP + - name: session_id + type: keyword + description: | + Session ID + - name: sessionid + 
type: integer + description: | + WAD Session ID + - name: setuprate + type: long + description: | + Session Setup Rate + - name: severity + type: keyword + description: | + Severity + - name: shaperdroprcvdbyte + type: integer + description: | + Received bytes dropped by shaper + - name: shaperdropsentbyte + type: integer + description: | + Sent bytes dropped by shaper + - name: shaperperipdropbyte + type: integer + description: | + Dropped bytes per IP by shaper + - name: shaperperipname + type: keyword + description: | + Traffic shaper name (per IP) + - name: shaperrcvdname + type: keyword + description: | + Traffic shaper name for received traffic + - name: shapersentname + type: keyword + description: | + Traffic shaper name for sent traffic + - name: shapingpolicyid + type: integer + description: | + Traffic shaper policy ID + - name: signal + type: integer + description: | + Wireless rogue API signal + - name: size + type: long + description: | + Email size in bytes + - name: slot + type: integer + description: | + Slot number + - name: sn + type: keyword + description: | + Security fabric serial number + - name: snclosest + type: keyword + description: | + SN of the AP closest to the rogue AP + - name: sndetected + type: keyword + description: | + SN of the AP which detected the rogue AP + - name: snmeshparent + type: keyword + description: | + SN of the mesh parent + - name: spi + type: keyword + description: | + IPSEC SPI + - name: src_int + type: keyword + description: | + Source interface + - name: srcintfrole + type: keyword + description: | + Source interface role + - name: srccountry + type: keyword + description: | + Source country + - name: srcfamily + type: keyword + description: | + Source family + - name: srchwvendor + type: keyword + description: | + Source hardware vendor + - name: srchwversion + type: keyword + description: | + Source hardware version + - name: srcinetsvc + type: keyword + description: | + Source interface service + - name: 
srcname + type: keyword + description: | + Source name + - name: srcserver + type: integer + description: | + Source server + - name: srcssid + type: keyword + description: | + Source SSID + - name: srcswversion + type: keyword + description: | + Source software version + - name: srcuuid + type: keyword + description: | + Source UUID + - name: sscname + type: keyword + description: | + SSC name + - name: ssid + type: keyword + description: | + Base Service Set ID + - name: sslaction + type: keyword + description: | + SSL Action + - name: ssllocal + type: keyword + description: | + WAD SSL local + - name: sslremote + type: keyword + description: | + WAD SSL remote + - name: stacount + type: integer + description: | + Number of stations/clients + - name: stage + type: keyword + description: | + IPSEC stage + - name: stamac + type: keyword + description: | + 802.1x station mac + - name: state + type: keyword + description: | + Admin login state + - name: status + type: keyword + description: | + Status + - name: stitch + type: keyword + description: | + Automation stitch triggered + - name: subject + type: keyword + description: | + Email subject + - name: submodule + type: keyword + description: | + Configuration Sub-Module Name + - name: subservice + type: keyword + description: | + AV subservice + - name: subtype + type: keyword + description: | + Log subtype + - name: suspicious + type: integer + description: | + Number of Suspicious MMSs + - name: switchproto + type: keyword + description: | + Protocol change information + - name: sync_status + type: keyword + description: | + The sync status with the master + - name: sync_type + type: keyword + description: | + The sync type with the master + - name: sysuptime + type: keyword + description: | + System uptime + - name: tamac + type: keyword + description: | + the MAC address of Transmitter, if none, then Receiver + - name: threattype + type: keyword + description: | + WIDS threat type + - name: time + type: 
keyword + description: | + Time of the event + - name: to + type: keyword + description: | + Email to field + - name: to_vcluster + type: integer + description: | + destination virtual cluster number + - name: total + type: integer + description: | + Total memory + - name: totalsession + type: integer + description: | + Total Number of Sessions + - name: trace_id + type: keyword + description: | + Session clash trace ID + - name: trandisp + type: keyword + description: | + NAT translation type + - name: transid + type: integer + description: | + HTTP transaction ID + - name: translationid + type: keyword + description: | + DNS filter transaltion ID + - name: trigger + type: keyword + description: | + Automation stitch trigger + - name: trueclntip + type: ip + description: | + File filter true client IP + - name: tunnelid + type: integer + description: | + IPSEC tunnel ID + - name: tunnelip + type: ip + description: | + IPSEC tunnel IP + - name: tunneltype + type: keyword + description: | + IPSEC tunnel type + - name: type + type: keyword + description: | + Module type + - name: ui + type: keyword + description: | + Admin authentication UI type + - name: unauthusersource + type: keyword + description: | + Unauthenticated user source + - name: unit + type: integer + description: | + Power supply unit + - name: urlfilteridx + type: integer + description: | + URL filter ID + - name: urlfilterlist + type: keyword + description: | + URL filter list + - name: urlsource + type: keyword + description: | + URL filter source + - name: urltype + type: keyword + description: | + URL filter type + - name: used + type: integer + description: | + Number of Used IPs + - name: used_for_type + type: integer + description: | + Connection for the type + - name: utmaction + type: keyword + description: | + Security action performed by UTM + - name: vap + type: keyword + description: | + Virtual AP + - name: vapmode + type: keyword + description: | + Virtual AP mode + - name: vcluster + 
type: integer + description: | + virtual cluster id + - name: vcluster_member + type: integer + description: | + Virtual cluster member + - name: vcluster_state + type: keyword + description: | + Virtual cluster state + - name: vd + type: keyword + description: | + Virtual Domain Name + - name: vdname + type: keyword + description: | + Virtual Domain Name + - name: vendorurl + type: keyword + description: | + Vulnerability scan vendor name + - name: version + type: keyword + description: | + Version + - name: vip + type: keyword + description: | + Virtual IP + - name: virus + type: keyword + description: | + Virus name + - name: virusid + type: integer + description: | + Virus ID (unique virus identifier) + - name: voip_proto + type: keyword + description: | + VOIP protocol + - name: vpn + type: keyword + description: | + VPN description + - name: vpntunnel + type: keyword + description: | + IPsec Vpn Tunnel Name + - name: vpntype + type: keyword + description: | + The type of the VPN tunnel + - name: vrf + type: integer + description: | + VRF number + - name: vulncat + type: keyword + description: | + Vulnerability Category + - name: vulnid + type: integer + description: | + Vulnerability ID + - name: vulnname + type: keyword + description: | + Vulnerability name + - name: vwlid + type: integer + description: | + VWL ID + - name: vwlquality + type: keyword + description: | + VWL quality + - name: vwlservice + type: keyword + description: | + VWL service + - name: vwpvlanid + type: integer + description: | + VWP VLAN ID + - name: wanin + type: long + description: | + WAN incoming traffic in bytes + - name: wanoptapptype + type: keyword + description: | + WAN Optimization Application type + - name: wanout + type: long + description: | + WAN outgoing traffic in bytes + - name: weakwepiv + type: keyword + description: | + Weak Wep Initiation Vector + - name: xauthgroup + type: keyword + description: | + XAuth Group Name + - name: xauthuser + type: keyword + 
description: |
+ XAuth User Name
+ - name: xid
+ type: integer
+ description: |
+ Wireless X ID
diff --git a/packages/fortinet/dataset/firewall/manifest.yml b/packages/fortinet/dataset/firewall/manifest.yml
new file mode 100644
index 000000000000..37211b1f0e97
--- /dev/null
+++ b/packages/fortinet/dataset/firewall/manifest.yml
@@ -0,0 +1,46 @@
+type: logs
+title: Fortinet firewall logs
+release: experimental
+streams:
+ - input: tcp
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - fortinet-firewall
+ - forwarded
+ template_path: tcp.yml.hbs
+ title: Fortinet firewall logs (tcp)
+ description: Collect Fortinet firewall logs using tcp input
+ - input: udp
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - fortinet-firewall
+ - forwarded
+ template_path: udp.yml.hbs
+ title: Fortinet firewall logs (udp)
+ description: Collect Fortinet firewall logs using udp input
+ - input: logfile
+ vars:
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - fortinet-firewall
+ - forwarded
+ template_path: log.yml.hbs
+ title: Fortinet firewall logs (log)
+ description: Collect Fortinet firewall logs using log input
diff --git a/packages/fortinet/docs/README.md b/packages/fortinet/docs/README.md
new file mode 100644
index 000000000000..003902026bd3
--- /dev/null
+++ b/packages/fortinet/docs/README.md
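Review bot: The tcp and udp streams in the manifest.yml hunk declare only the `tags` var, while the tcp.yml.hbs and udp.yml.hbs templates added in this commit render `host: "{{syslog_host}}:{{syslog_port}}"` and log.yml.hbs iterates over `paths`, none of which this manifest declares. If those vars are not supplied by the package-level manifest (not in this diff), the rendered tcp/udp inputs get an empty host and port and the logfile input gets no paths, so the stream silently collects nothing. Declaring them per stream makes the stream contract explicit and lets the listen address default to loopback, so an unauthenticated syslog listener is not exposed on every interface unless an operator opts in; the udp stream needs the same two vars and the logfile stream a `paths` var. Defaults below are placeholders to be aligned with whatever the package-level manifest already uses.
```yaml
  - input: tcp
    vars:
      - name: syslog_host
        type: text
        title: Syslog host
        required: true
        show_user: true
        default: localhost  # constructed default: loopback unless devices must reach the agent remotely
      - name: syslog_port
        type: integer
        title: Syslog port
        required: true
        show_user: true
        default: <PORT_PLACEHOLDER>  # align with the package-level default port
      # … unchanged: tags var …
    template_path: tcp.yml.hbs
    # … unchanged: title, description; the udp stream gets the same two vars …
```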
@@ -0,0 +1,556 @@ +# Fortinet Integration + +This integration is for Fortinet FortiOS logs sent in the syslog format. It includes the following datasets for receiving logs: + +- `firewall` dataset: consists of Fortinet FortiGate logs. + +## Compatibility + +This integration has been tested against FortiOS version 6.0.x and 6.2.x. Versions above this are expected to work but have not been tested. + +## Logs + +### Firewall + +Contains log entries from Fortinet FortiGate applicances. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| container.id | Unique container id. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.address | Destination network address. | keyword | +| destination.as.number | Unique number allocated to the autonomous system. | long | +| destination.as.organization.name | Organization name. | keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.domain | Destination domain. | keyword | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.name | User-defined description of a location. | keyword | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination. | ip | +| destination.nat.ip | Destination NAT ip | ip | +| destination.nat.port | Destination NAT Port | long | +| destination.packets | Packets sent from the destination to the source. 
| long | +| destination.port | Port of the destination. | long | +| destination.user.email | User email address. | keyword | +| destination.user.name | Short name or login of the user. | keyword | +| dns.id | DNS packet identifier. | keyword | +| dns.question.class | The class of records being queried. | keyword | +| dns.question.name | The name being queried. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.resolved_ip | Array containing all IPs seen in answers.data | ip | +| error.code | Error code describing the error. | keyword | +| error.message | Error message. | text | +| event.category | Event category. The second categorization field in the hierarchy. | keyword | +| event.code | Identification code for this event. | keyword | +| event.dataset | Name of the dataset. | keyword | +| event.duration | Duration of the event in nanoseconds. | long | +| event.ingested | Timestamp when an event arrived in the central data store. | date | +| event.kind | The kind of the event. The highest categorization field in the hierarchy. | keyword | +| event.message | Log message optimized for viewing in a log viewer. | text | +| event.module | Name of the module this data is coming from. | keyword | +| event.outcome | The outcome of the event. | keyword | +| event.reference | Event reference URL | keyword | +| event.start | Contains the date when the event started. | date | +| event.timezone | Event time zone. | keyword | +| event.type | Event type. The third categorization field in the hierarchy. | keyword | +| file.extension | File extension. | keyword | +| file.name | Name of the file including the extension, without the directory. | keyword | +| file.size | File size in bytes. 
| long | +| fortinet.file.hash.crc32 | CRC32 Hash of file | keyword | +| fortinet.firewall.acct_stat | Accounting state (RADIUS) | keyword | +| fortinet.firewall.acktime | Alarm Acknowledge Time | keyword | +| fortinet.firewall.act | Action | keyword | +| fortinet.firewall.action | Status of the session | keyword | +| fortinet.firewall.activity | HA activity message | keyword | +| fortinet.firewall.addr | IP Address | ip | +| fortinet.firewall.addr_type | Address Type | keyword | +| fortinet.firewall.addrgrp | Address Group | keyword | +| fortinet.firewall.adgroup | AD Group Name | keyword | +| fortinet.firewall.admin | Admin User | keyword | +| fortinet.firewall.age | Time in seconds - time passed since last seen | integer | +| fortinet.firewall.agent | User agent - eg. agent="Mozilla/5.0" | keyword | +| fortinet.firewall.alarmid | Alarm ID | integer | +| fortinet.firewall.alert | Alert | keyword | +| fortinet.firewall.analyticscksum | The checksum of the file submitted for analytics | keyword | +| fortinet.firewall.analyticssubmit | The flag for analytics submission | keyword | +| fortinet.firewall.ap | Access Point | keyword | +| fortinet.firewall.app-type | Address Type | keyword | +| fortinet.firewall.appact | The security action from app control | keyword | +| fortinet.firewall.appid | Application ID | integer | +| fortinet.firewall.applist | Application Control profile | keyword | +| fortinet.firewall.apprisk | Application Risk Level | keyword | +| fortinet.firewall.apscan | The name of the AP, which scanned and detected the rogue AP | keyword | +| fortinet.firewall.apsn | Access Point | keyword | +| fortinet.firewall.apstatus | Access Point status | keyword | +| fortinet.firewall.aptype | Access Point type | keyword | +| fortinet.firewall.assigned | Assigned IP Address | ip | +| fortinet.firewall.assignip | Assigned IP Address | ip | +| fortinet.firewall.attachment | The flag for email attachement | keyword | +| fortinet.firewall.attack | Attack Name | 
keyword | +| fortinet.firewall.attackcontext | The trigger patterns and the packetdata with base64 encoding | keyword | +| fortinet.firewall.attackcontextid | Attack context id / total | keyword | +| fortinet.firewall.attackid | Attack ID | integer | +| fortinet.firewall.auditid | Audit ID | long | +| fortinet.firewall.auditscore | The Audit Score | keyword | +| fortinet.firewall.audittime | The time of the audit | long | +| fortinet.firewall.authgrp | Authorization Group | keyword | +| fortinet.firewall.authid | Authentication ID | keyword | +| fortinet.firewall.authproto | The protocol that initiated the authentication | keyword | +| fortinet.firewall.authserver | Authentication server | keyword | +| fortinet.firewall.bandwidth | Bandwidth | keyword | +| fortinet.firewall.banned_rule | NAC quarantine Banned Rule Name | keyword | +| fortinet.firewall.banned_src | NAC quarantine Banned Source IP | keyword | +| fortinet.firewall.banword | Banned word | keyword | +| fortinet.firewall.botnetdomain | Botnet Domain Name | keyword | +| fortinet.firewall.botnetip | Botnet IP Address | ip | +| fortinet.firewall.bssid | Service Set ID | keyword | +| fortinet.firewall.call_id | Caller ID | keyword | +| fortinet.firewall.carrier_ep | The FortiOS Carrier end-point identification | keyword | +| fortinet.firewall.cat | DNS category ID | integer | +| fortinet.firewall.category | Authentication category | keyword | +| fortinet.firewall.cc | CC Email Address | keyword | +| fortinet.firewall.cdrcontent | Cdrcontent | keyword | +| fortinet.firewall.centralnatid | Central NAT ID | integer | +| fortinet.firewall.cert | Certificate | keyword | +| fortinet.firewall.cert-type | Certificate type | keyword | +| fortinet.firewall.certhash | Certificate hash | keyword | +| fortinet.firewall.cfgattr | Configuration attribute | keyword | +| fortinet.firewall.cfgobj | Configuration object | keyword | +| fortinet.firewall.cfgpath | Configuration path | keyword | +| fortinet.firewall.cfgtid | 
Configuration transaction ID | keyword | +| fortinet.firewall.cfgtxpower | Configuration TX power | integer | +| fortinet.firewall.channel | Wireless Channel | integer | +| fortinet.firewall.channeltype | SSH channel type | keyword | +| fortinet.firewall.chassisid | Chassis ID | integer | +| fortinet.firewall.checksum | The checksum of the scanned file | keyword | +| fortinet.firewall.chgheaders | HTTP Headers | keyword | +| fortinet.firewall.cldobjid | Connector object ID | keyword | +| fortinet.firewall.client_addr | Wifi client address | keyword | +| fortinet.firewall.cloudaction | Cloud Action | keyword | +| fortinet.firewall.clouduser | Cloud User | keyword | +| fortinet.firewall.column | VOIP Column | integer | +| fortinet.firewall.command | CLI Command | keyword | +| fortinet.firewall.community | SNMP Community | keyword | +| fortinet.firewall.configcountry | Configuration country | keyword | +| fortinet.firewall.connection_type | FortiClient Connection Type | keyword | +| fortinet.firewall.conserve | Flag for conserve mode | keyword | +| fortinet.firewall.constraint | WAF http protocol restrictions | keyword | +| fortinet.firewall.contentdisarmed | Email scanned content | keyword | +| fortinet.firewall.contenttype | Content Type from HTTP header | keyword | +| fortinet.firewall.cookies | VPN Cookie | keyword | +| fortinet.firewall.count | Counts of action type | integer | +| fortinet.firewall.countapp | Number of App Ctrl logs associated with the session | integer | +| fortinet.firewall.countav | Number of AV logs associated with the session | integer | +| fortinet.firewall.countcifs | Number of CIFS logs associated with the session | integer | +| fortinet.firewall.countdlp | Number of DLP logs associated with the session | integer | +| fortinet.firewall.countdns | Number of DNS logs associated with the session | integer | +| fortinet.firewall.countemail | Number of email logs associated with the session | integer | +| fortinet.firewall.countff | Number of 
ff logs associated with the session | integer | +| fortinet.firewall.countips | Number of IPS logs associated with the session | integer | +| fortinet.firewall.countssh | Number of SSH logs associated with the session | integer | +| fortinet.firewall.countssl | Number of SSL logs associated with the session | integer | +| fortinet.firewall.countwaf | Number of WAF logs associated with the session | integer | +| fortinet.firewall.countweb | Number of Web filter logs associated with the session | integer | +| fortinet.firewall.cpu | CPU Usage | integer | +| fortinet.firewall.craction | Client Reputation Action | integer | +| fortinet.firewall.criticalcount | Number of critical ratings | integer | +| fortinet.firewall.crl | Client Reputation Level | keyword | +| fortinet.firewall.crlevel | Client Reputation Level | keyword | +| fortinet.firewall.crscore | Some description | integer | +| fortinet.firewall.cveid | CVE ID | keyword | +| fortinet.firewall.daemon | Daemon name | keyword | +| fortinet.firewall.datarange | Data range for reports | keyword | +| fortinet.firewall.date | Date | keyword | +| fortinet.firewall.ddnsserver | DDNS server | ip | +| fortinet.firewall.desc | Description | keyword | +| fortinet.firewall.detectionmethod | Detection method | keyword | +| fortinet.firewall.devcategory | Device category | keyword | +| fortinet.firewall.devintfname | HA device Interface Name | keyword | +| fortinet.firewall.devtype | Device type | keyword | +| fortinet.firewall.dhcp_msg | DHCP Message | keyword | +| fortinet.firewall.dintf | Destination interface | keyword | +| fortinet.firewall.disk | Assosciated disk | keyword | +| fortinet.firewall.disklograte | Disk logging rate | long | +| fortinet.firewall.dlpextra | DLP extra information | keyword | +| fortinet.firewall.docsource | DLP fingerprint document source | keyword | +| fortinet.firewall.domainctrlauthstate | CIFS domain auth state | integer | +| fortinet.firewall.domainctrlauthtype | CIFS domain auth type | 
integer | +| fortinet.firewall.domainctrldomain | CIFS domain auth domain | keyword | +| fortinet.firewall.domainctrlip | CIFS Domain IP | ip | +| fortinet.firewall.domainctrlname | CIFS Domain name | keyword | +| fortinet.firewall.domainctrlprotocoltype | CIFS Domain connection protocol | integer | +| fortinet.firewall.domainctrlusername | CIFS Domain username | keyword | +| fortinet.firewall.domainfilteridx | Domain filter ID | integer | +| fortinet.firewall.domainfilterlist | Domain filter name | keyword | +| fortinet.firewall.ds | Direction with distribution system | keyword | +| fortinet.firewall.dst_int | Destination interface | keyword | +| fortinet.firewall.dstcountry | Destination country | keyword | +| fortinet.firewall.dstdevcategory | Destination device category | keyword | +| fortinet.firewall.dstdevtype | Destination device type | keyword | +| fortinet.firewall.dstfamily | Destination OS family | keyword | +| fortinet.firewall.dsthwvendor | Destination HW vendor | keyword | +| fortinet.firewall.dsthwversion | Destination HW version | keyword | +| fortinet.firewall.dstinetsvc | Destination interface service | keyword | +| fortinet.firewall.dstintfrole | Destination interface role | keyword | +| fortinet.firewall.dstosname | Destination OS name | keyword | +| fortinet.firewall.dstosversion | Destination OS version | keyword | +| fortinet.firewall.dstserver | Destination server | integer | +| fortinet.firewall.dstssid | Destination SSID | keyword | +| fortinet.firewall.dstswversion | Destination software version | keyword | +| fortinet.firewall.dstunauthusersource | Destination unauthenticated source | keyword | +| fortinet.firewall.dstuuid | UUID of the Destination IP address | keyword | +| fortinet.firewall.duid | DHCP UID | keyword | +| fortinet.firewall.eapolcnt | EAPOL packet count | integer | +| fortinet.firewall.eapoltype | EAPOL packet type | keyword | +| fortinet.firewall.encrypt | Whether the packet is encrypted or not | integer | +| 
fortinet.firewall.encryption | Encryption method | keyword |
+| fortinet.firewall.epoch | Epoch used for locating file | integer |
+| fortinet.firewall.espauth | ESP Authentication | keyword |
+| fortinet.firewall.esptransform | ESP Transform | keyword |
+| fortinet.firewall.exch | Mail Exchanges from DNS response answer section | keyword |
+| fortinet.firewall.exchange | Mail Exchanges from DNS response answer section | keyword |
+| fortinet.firewall.expectedsignature | Expected SSL signature | keyword |
+| fortinet.firewall.expiry | FortiGuard override expiry timestamp | keyword |
+| fortinet.firewall.fams_pause | Fortinet Analysis and Management Service Pause | integer |
+| fortinet.firewall.fazlograte | FortiAnalyzer Logging Rate | long |
+| fortinet.firewall.fctemssn | FortiClient Endpoint SSN | keyword |
+| fortinet.firewall.fctuid | FortiClient UID | keyword |
+| fortinet.firewall.field | NTP status field | keyword |
+| fortinet.firewall.filefilter | The filter used to identify the affected file | keyword |
+| fortinet.firewall.filehashsrc | Filehash source | keyword |
+| fortinet.firewall.filtercat | DLP filter category | keyword |
+| fortinet.firewall.filteridx | DLP filter ID | integer |
+| fortinet.firewall.filtername | DLP rule name | keyword |
+| fortinet.firewall.filtertype | DLP filter type | keyword |
+| fortinet.firewall.fortiguardresp | Antispam ESP value | keyword |
+| fortinet.firewall.forwardedfor | Email address forwarded | keyword |
+| fortinet.firewall.fqdn | FQDN | keyword |
+| fortinet.firewall.frametype | Wireless frametype | keyword |
+| fortinet.firewall.freediskstorage | Free disk integer | integer |
+| fortinet.firewall.from | From email address | keyword |
+| fortinet.firewall.from_vcluster | Source virtual cluster number | integer |
+| fortinet.firewall.fsaverdict | FSA verdict | keyword |
+| fortinet.firewall.fwserver_name | Web proxy server name | keyword |
+| fortinet.firewall.gateway | Gateway ip address for PPPoE status report | ip |
+| fortinet.firewall.green | Memory status | keyword |
+| fortinet.firewall.groupid | User Group ID | integer |
+| fortinet.firewall.ha-prio | HA Priority | integer |
+| fortinet.firewall.ha_group | HA Group | keyword |
+| fortinet.firewall.ha_role | HA Role | keyword |
+| fortinet.firewall.handshake | SSL Handshake | keyword |
+| fortinet.firewall.hash | Hash value of downloaded file | keyword |
+| fortinet.firewall.hbdn_reason | Heartbeat down reason | keyword |
+| fortinet.firewall.highcount | Highcount fabric summary | integer |
+| fortinet.firewall.host | Hostname | keyword |
+| fortinet.firewall.iaid | DHCPv6 id | keyword |
+| fortinet.firewall.icmpcode | Destination Port of the ICMP message | keyword |
+| fortinet.firewall.icmpid | Source port of the ICMP message | keyword |
+| fortinet.firewall.icmptype | The type of ICMP message | keyword |
+| fortinet.firewall.identifier | Network traffic identifier | integer |
+| fortinet.firewall.in_spi | IPSEC inbound SPI | keyword |
+| fortinet.firewall.incidentserialno | Incident serial number | integer |
+| fortinet.firewall.infected | Infected MMS | integer |
+| fortinet.firewall.infectedfilelevel | DLP infected file level | integer |
+| fortinet.firewall.informationsource | Information source | keyword |
+| fortinet.firewall.init | IPSEC init stage | keyword |
+| fortinet.firewall.initiator | Original login user name for Fortiguard override | keyword |
+| fortinet.firewall.interface | Related interface | keyword |
+| fortinet.firewall.intf | Related interface | keyword |
+| fortinet.firewall.invalidmac | The MAC address with invalid OUI | keyword |
+| fortinet.firewall.ip | Related IP | ip |
+| fortinet.firewall.iptype | Related IP type | keyword |
+| fortinet.firewall.keyword | Keyword used for search | keyword |
+| fortinet.firewall.kind | VOIP kind | keyword |
+| fortinet.firewall.lanin | LAN incoming traffic in bytes | long |
+| fortinet.firewall.lanout | LAN outbound traffic in bytes | long |
+| fortinet.firewall.lease | DHCP lease | integer |
+| fortinet.firewall.license_limit | Maximum Number of FortiClients for the License | keyword |
+| fortinet.firewall.limit | Virtual Domain Resource Limit | integer |
+| fortinet.firewall.line | VOIP line | keyword |
+| fortinet.firewall.live | Time in seconds | integer |
+| fortinet.firewall.local | Local IP for a PPPD Connection | ip |
+| fortinet.firewall.log | Log message | keyword |
+| fortinet.firewall.login | SSH login | keyword |
+| fortinet.firewall.lowcount | Fabric lowcount | integer |
+| fortinet.firewall.mac | DHCP mac address | keyword |
+| fortinet.firewall.malform_data | VOIP malformed data | integer |
+| fortinet.firewall.malform_desc | VOIP malformed data description | keyword |
+| fortinet.firewall.manuf | Manufacturer name | keyword |
+| fortinet.firewall.masterdstmac | Master mac address for a host with multiple network interfaces | keyword |
+| fortinet.firewall.mastersrcmac | The master MAC address for a host that has multiple network interfaces | keyword |
+| fortinet.firewall.mediumcount | Fabric medium count | integer |
+| fortinet.firewall.mem | Memory usage system statistics | keyword |
+| fortinet.firewall.meshmode | Wireless mesh mode | keyword |
+| fortinet.firewall.message_type | VOIP message type | keyword |
+| fortinet.firewall.method | HTTP method | keyword |
+| fortinet.firewall.mgmtcnt | The number of unauthorized client flooding managemet frames | integer |
+| fortinet.firewall.mode | IPSEC mode | keyword |
+| fortinet.firewall.module | PCI-DSS module | keyword |
+| fortinet.firewall.monitor-name | Health Monitor Name | keyword |
+| fortinet.firewall.monitor-type | Health Monitor Type | keyword |
+| fortinet.firewall.mpsk | Wireless MPSK | keyword |
+| fortinet.firewall.msgproto | Message Protocol Number | keyword |
+| fortinet.firewall.mtu | Max Transmission Unit Value | integer |
+| fortinet.firewall.name | Name | keyword |
+| fortinet.firewall.nat | NAT IP Address | keyword |
+| fortinet.firewall.netid | Connector NetID | keyword |
+| fortinet.firewall.new_status | New status on user change | keyword |
+| fortinet.firewall.new_value | New Virtual Domain Name | keyword |
+| fortinet.firewall.newchannel | New Channel Number | integer |
+| fortinet.firewall.newchassisid | New Chassis ID | integer |
+| fortinet.firewall.newslot | New Slot Number | integer |
+| fortinet.firewall.nextstat | Time interval in seconds for the next statistics. | integer |
+| fortinet.firewall.nf_type | Notification Type | keyword |
+| fortinet.firewall.noise | Wifi Noise | integer |
+| fortinet.firewall.old_status | Original Status | keyword |
+| fortinet.firewall.old_value | Original Virtual Domain name | keyword |
+| fortinet.firewall.oldchannel | Original channel | integer |
+| fortinet.firewall.oldchassisid | Original Chassis Number | integer |
+| fortinet.firewall.oldslot | Original Slot Number | integer |
+| fortinet.firewall.oldsn | Old Serial number | keyword |
+| fortinet.firewall.oldwprof | Old Web Filter Profile | keyword |
+| fortinet.firewall.onwire | A flag to indicate if the AP is onwire or not | keyword |
+| fortinet.firewall.opercountry | Operating Country | keyword |
+| fortinet.firewall.opertxpower | Operating TX power | integer |
+| fortinet.firewall.osname | Operating System name | keyword |
+| fortinet.firewall.osversion | Operating System version | keyword |
+| fortinet.firewall.out_spi | Out SPI | keyword |
+| fortinet.firewall.outintf | Out interface | keyword |
+| fortinet.firewall.passedcount | Fabric passed count | integer |
+| fortinet.firewall.passwd | Changed user password information | keyword |
+| fortinet.firewall.path | Path of looped configuration for security fabric | keyword |
+| fortinet.firewall.peer | WAN optimization peer | keyword |
+| fortinet.firewall.peer_notif | VPN peer notification | keyword |
+| fortinet.firewall.phase2_name | VPN phase2 name | keyword |
+| fortinet.firewall.phone | VOIP Phone | keyword |
+| fortinet.firewall.pid | Process ID | integer |
+| fortinet.firewall.policytype | Policy Type | keyword |
+| fortinet.firewall.poolname | IP Pool name | keyword |
+| fortinet.firewall.port | Log upload error port | integer |
+| fortinet.firewall.portbegin | IP Pool port number to begin | integer |
+| fortinet.firewall.portend | IP Pool port number to end | integer |
+| fortinet.firewall.probeproto | Link Monitor Probe Protocol | keyword |
+| fortinet.firewall.process | URL Filter process | keyword |
+| fortinet.firewall.processtime | Process time for reports | integer |
+| fortinet.firewall.profile | Profile Name | keyword |
+| fortinet.firewall.profile_vd | Virtual Domain Name | keyword |
+| fortinet.firewall.profilegroup | Profile Group Name | keyword |
+| fortinet.firewall.profiletype | Profile Type | keyword |
+| fortinet.firewall.qtypeval | DNS question type value | integer |
+| fortinet.firewall.quarskip | Quarantine skip explanation | keyword |
+| fortinet.firewall.quotaexceeded | If quota has been exceeded | keyword |
+| fortinet.firewall.quotamax | Maximum quota allowed - in seconds if time-based - in bytes if traffic-based | long |
+| fortinet.firewall.quotatype | Quota type | keyword |
+| fortinet.firewall.quotaused | Quota used - in seconds if time-based - in bytes if trafficbased) | long |
+| fortinet.firewall.radioband | Radio band | keyword |
+| fortinet.firewall.radioid | Radio ID | integer |
+| fortinet.firewall.radioidclosest | Radio ID on the AP closest the rogue AP | integer |
+| fortinet.firewall.radioiddetected | Radio ID on the AP which detected the rogue AP | integer |
+| fortinet.firewall.rate | Wireless rogue rate value | keyword |
+| fortinet.firewall.rawdata | Raw data value | keyword |
+| fortinet.firewall.rawdataid | Raw data ID | keyword |
+| fortinet.firewall.rcvddelta | Received bytes delta | keyword |
+| fortinet.firewall.reason | Alert reason | keyword |
+| fortinet.firewall.received | Server key exchange received | integer |
+| fortinet.firewall.receivedsignature | Server key exchange received signature | keyword |
+| fortinet.firewall.red | Memory information in red | keyword |
+| fortinet.firewall.referralurl | Web filter referralurl | keyword |
+| fortinet.firewall.remote | Remote PPP IP address | ip |
+| fortinet.firewall.remotewtptime | Remote Wifi Radius authentication time | keyword |
+| fortinet.firewall.reporttype | Report type | keyword |
+| fortinet.firewall.reqtype | Request type | keyword |
+| fortinet.firewall.request_name | VOIP request name | keyword |
+| fortinet.firewall.result | VPN phase result | keyword |
+| fortinet.firewall.role | VPN Phase 2 role | keyword |
+| fortinet.firewall.rssi | Received signal strength indicator | integer |
+| fortinet.firewall.rsso_key | RADIUS SSO attribute value | keyword |
+| fortinet.firewall.ruledata | Rule data | keyword |
+| fortinet.firewall.ruletype | Rule type | keyword |
+| fortinet.firewall.scanned | Number of Scanned MMSs | integer |
+| fortinet.firewall.scantime | Scanned time | long |
+| fortinet.firewall.scope | FortiGuard Override Scope | keyword |
+| fortinet.firewall.security | Wireless rogue security | keyword |
+| fortinet.firewall.sensitivity | Sensitivity for document fingerprint | keyword |
+| fortinet.firewall.sensor | NAC Sensor Name | keyword |
+| fortinet.firewall.sentdelta | Sent bytes delta | keyword |
+| fortinet.firewall.seq | Sequence number | keyword |
+| fortinet.firewall.serial | WAN optimisation serial | keyword |
+| fortinet.firewall.serialno | Serial number | keyword |
+| fortinet.firewall.server | AD server FQDN or IP | keyword |
+| fortinet.firewall.session_id | Session ID | keyword |
+| fortinet.firewall.sessionid | WAD Session ID | integer |
+| fortinet.firewall.setuprate | Session Setup Rate | long |
+| fortinet.firewall.severity | Severity | keyword |
+| fortinet.firewall.shaperdroprcvdbyte | Received bytes dropped by shaper | integer |
+| fortinet.firewall.shaperdropsentbyte | Sent bytes dropped by shaper | integer |
+| fortinet.firewall.shaperperipdropbyte | Dropped bytes per IP by shaper | integer |
+| fortinet.firewall.shaperperipname | Traffic shaper name (per IP) | keyword |
+| fortinet.firewall.shaperrcvdname | Traffic shaper name for received traffic | keyword |
+| fortinet.firewall.shapersentname | Traffic shaper name for sent traffic | keyword |
+| fortinet.firewall.shapingpolicyid | Traffic shaper policy ID | integer |
+| fortinet.firewall.signal | Wireless rogue API signal | integer |
+| fortinet.firewall.size | Email size in bytes | long |
+| fortinet.firewall.slot | Slot number | integer |
+| fortinet.firewall.sn | Security fabric serial number | keyword |
+| fortinet.firewall.snclosest | SN of the AP closest to the rogue AP | keyword |
+| fortinet.firewall.sndetected | SN of the AP which detected the rogue AP | keyword |
+| fortinet.firewall.snmeshparent | SN of the mesh parent | keyword |
+| fortinet.firewall.spi | IPSEC SPI | keyword |
+| fortinet.firewall.src_int | Source interface | keyword |
+| fortinet.firewall.srccountry | Source country | keyword |
+| fortinet.firewall.srcfamily | Source family | keyword |
+| fortinet.firewall.srchwvendor | Source hardware vendor | keyword |
+| fortinet.firewall.srchwversion | Source hardware version | keyword |
+| fortinet.firewall.srcinetsvc | Source interface service | keyword |
+| fortinet.firewall.srcintfrole | Source interface role | keyword |
+| fortinet.firewall.srcname | Source name | keyword |
+| fortinet.firewall.srcserver | Source server | integer |
+| fortinet.firewall.srcssid | Source SSID | keyword |
+| fortinet.firewall.srcswversion | Source software version | keyword |
+| fortinet.firewall.srcuuid | Source UUID | keyword |
+| fortinet.firewall.sscname | SSC name | keyword |
+| fortinet.firewall.ssid | Base Service Set ID | keyword |
+| fortinet.firewall.sslaction | SSL Action | keyword |
+| fortinet.firewall.ssllocal | WAD SSL local | keyword |
+| fortinet.firewall.sslremote | WAD SSL remote | keyword |
+| fortinet.firewall.stacount | Number of stations/clients | integer |
+| fortinet.firewall.stage | IPSEC stage | keyword |
+| fortinet.firewall.stamac | 802.1x station mac | keyword |
+| fortinet.firewall.state | Admin login state | keyword |
+| fortinet.firewall.status | Status | keyword |
+| fortinet.firewall.stitch | Automation stitch triggered | keyword |
+| fortinet.firewall.subject | Email subject | keyword |
+| fortinet.firewall.submodule | Configuration Sub-Module Name | keyword |
+| fortinet.firewall.subservice | AV subservice | keyword |
+| fortinet.firewall.subtype | Log subtype | keyword |
+| fortinet.firewall.suspicious | Number of Suspicious MMSs | integer |
+| fortinet.firewall.switchproto | Protocol change information | keyword |
+| fortinet.firewall.sync_status | The sync status with the master | keyword |
+| fortinet.firewall.sync_type | The sync type with the master | keyword |
+| fortinet.firewall.sysuptime | System uptime | keyword |
+| fortinet.firewall.tamac | the MAC address of Transmitter, if none, then Receiver | keyword |
+| fortinet.firewall.threattype | WIDS threat type | keyword |
+| fortinet.firewall.time | Time of the event | keyword |
+| fortinet.firewall.to | Email to field | keyword |
+| fortinet.firewall.to_vcluster | destination virtual cluster number | integer |
+| fortinet.firewall.total | Total memory | integer |
+| fortinet.firewall.totalsession | Total Number of Sessions | integer |
+| fortinet.firewall.trace_id | Session clash trace ID | keyword |
+| fortinet.firewall.trandisp | NAT translation type | keyword |
+| fortinet.firewall.transid | HTTP transaction ID | integer |
+| fortinet.firewall.translationid | DNS filter transaltion ID | keyword |
+| fortinet.firewall.trigger | Automation stitch trigger | keyword |
+| fortinet.firewall.trueclntip | File filter true client IP | ip |
+| fortinet.firewall.tunnelid | IPSEC tunnel ID | integer |
+| fortinet.firewall.tunnelip | IPSEC tunnel IP | ip |
+| fortinet.firewall.tunneltype | IPSEC tunnel type | keyword |
+| fortinet.firewall.type | Module type | keyword |
+| fortinet.firewall.ui | Admin authentication UI type | keyword |
+| fortinet.firewall.unauthusersource | Unauthenticated user source | keyword |
+| fortinet.firewall.unit | Power supply unit | integer |
+| fortinet.firewall.urlfilteridx | URL filter ID | integer |
+| fortinet.firewall.urlfilterlist | URL filter list | keyword |
+| fortinet.firewall.urlsource | URL filter source | keyword |
+| fortinet.firewall.urltype | URL filter type | keyword |
+| fortinet.firewall.used | Number of Used IPs | integer |
+| fortinet.firewall.used_for_type | Connection for the type | integer |
+| fortinet.firewall.utmaction | Security action performed by UTM | keyword |
+| fortinet.firewall.vap | Virtual AP | keyword |
+| fortinet.firewall.vapmode | Virtual AP mode | keyword |
+| fortinet.firewall.vcluster | virtual cluster id | integer |
+| fortinet.firewall.vcluster_member | Virtual cluster member | integer |
+| fortinet.firewall.vcluster_state | Virtual cluster state | keyword |
+| fortinet.firewall.vd | Virtual Domain Name | keyword |
+| fortinet.firewall.vdname | Virtual Domain Name | keyword |
+| fortinet.firewall.vendorurl | Vulnerability scan vendor name | keyword |
+| fortinet.firewall.version | Version | keyword |
+| fortinet.firewall.vip | Virtual IP | keyword |
+| fortinet.firewall.virus | Virus name | keyword |
+| fortinet.firewall.virusid | Virus ID (unique virus identifier) | integer |
+| fortinet.firewall.voip_proto | VOIP protocol | keyword |
+| fortinet.firewall.vpn | VPN description | keyword |
+| fortinet.firewall.vpntunnel | IPsec Vpn Tunnel Name | keyword |
+| fortinet.firewall.vpntype | The type of the VPN tunnel | keyword |
+| fortinet.firewall.vrf | VRF number | integer |
+| fortinet.firewall.vulncat | Vulnerability Category | keyword |
+| fortinet.firewall.vulnid | Vulnerability ID | integer |
+| fortinet.firewall.vulnname | Vulnerability name | keyword |
+| fortinet.firewall.vwlid | VWL ID | integer |
+| fortinet.firewall.vwlquality | VWL quality | keyword |
+| fortinet.firewall.vwlservice | VWL service | keyword |
+| fortinet.firewall.vwpvlanid | VWP VLAN ID | integer |
+| fortinet.firewall.wanin | WAN incoming traffic in bytes | long |
+| fortinet.firewall.wanoptapptype | WAN Optimization Application type | keyword |
+| fortinet.firewall.wanout | WAN outgoing traffic in bytes | long |
+| fortinet.firewall.weakwepiv | Weak Wep Initiation Vector | keyword |
+| fortinet.firewall.xauthgroup | XAuth Group Name | keyword |
+| fortinet.firewall.xauthuser | XAuth User Name | keyword |
+| fortinet.firewall.xid | Wireless X ID | integer |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Path to the log file. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.level | Log level of the log event. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| message | Log message optimized for viewing in a log viewer. | text |
+| network.application | Application level protocol name. | keyword |
+| network.bytes | Total bytes transferred in both directions. | long |
+| network.direction | Direction of the network traffic. | keyword |
+| network.iana_number | IANA Protocol Number. | keyword |
+| network.packets | Total packets transferred in both directions. | long |
+| network.protocol | L7 Network protocol name. | keyword |
+| observer.egress.interface.name | Interface name | keyword |
+| observer.ingress.interface.name | Interface name | keyword |
+| observer.name | Custom name of the observer. | keyword |
+| observer.product | The product name of the observer. | keyword |
+| observer.serial_number | Observer serial number. | keyword |
+| observer.type | The type of the observer the data is coming from. | keyword |
+| observer.vendor | Vendor name of the observer. | keyword |
+| related.hash | All the hashes seen on your event. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names seen on your event. | keyword |
+| rule.category | Rule category | keyword |
+| rule.description | Rule description | keyword |
+| rule.id | Rule ID | keyword |
+| rule.name | Rule name | keyword |
+| rule.ruleset | Rule ruleset | keyword |
+| rule.uuid | Rule UUID | keyword |
+| source.address | Source network address. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source. | ip |
+| source.mac | MAC address of the source. | keyword |
+| source.nat.ip | Source NAT ip | ip |
+| source.nat.port | Source NAT port | long |
+| source.packets | Packets sent from the source to the destination. | long |
+| source.port | Port of the source. | long |
+| source.user.email | User email address. | keyword |
+| source.user.group.name | Name of the group. | keyword |
+| source.user.name | Short name or login of the user. | keyword |
+| tags | List of keywords used to tag each event. | keyword |
+| tls.client.issuer | Distinguished name of subject of the issuer. | keyword |
+| tls.client.server_name | Hostname the client is trying to connect to. Also called the SNI. | keyword |
+| tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword |
+| url.domain | Domain of the url. | keyword |
+| url.path | Path of the request, such as "/search". | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| vulnerability.category | Category of a vulnerability. | keyword |
+
diff --git a/packages/fortinet/img/fortinet-logo.svg b/packages/fortinet/img/fortinet-logo.svg
new file mode 100644
index 000000000000..d6a8448f320b
--- /dev/null
+++ b/packages/fortinet/img/fortinet-logo.svg
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
diff --git a/packages/fortinet/manifest.yml b/packages/fortinet/manifest.yml
new file mode 100644
index 000000000000..5bd0e35980de
--- /dev/null
+++ b/packages/fortinet/manifest.yml
@@ -0,0 +1,69 @@
+name: fortinet
+title: Fortinet
+version: 0.1.0
+release: experimental
+description: Fortinet Integration
+type: integration
+format_version: 1.0.0
+license: basic
+categories: [security]
+conditions:
+  kibana.version: ">=7.10.0"
+icons:
+  - src: /img/fortinet-logo.svg
+    title: Fortinet
+    size: 216x216
+    type: image/svg+xml
+config_templates:
+  - name: fortinet
+    title: Fortinet logs
+    description: Collect logs from Fortinet instances
+    inputs:
+      - type: logfile
+        title: "Collect Fortinet logs (input: logfile)"
+        description: "Collecting logs from Fortinet instances (input: logfile)"
+        vars:
+          - name: paths
+            type: text
+            title: Paths
+            multi: true
+            required: false
+            show_user: true
+      - type: tcp
+        title: "Collect Fortinet logs (input: tcp)"
+        description: "Collecting logs from Fortinet instances (input: tcp)"
+        vars:
+          - name: syslog_host
+            type: text
+            title: Syslog Host
+            multi: false
+            required: true
+            show_user: true
+            default: localhost
+          - name: syslog_port
+            type: integer
+            title: Syslog Port
+            multi: false
+            required: true
+            show_user: true
+            default: 9004
+      - type: udp
+        title: "Collect Fortinet logs (input: udp)"
+        description: "Collecting logs from Fortinet instances (input: udp)"
+        vars:
+          - name: syslog_host
+            type: text
+            title: Syslog Host
+            multi: false
+            required: true
+            show_user: true
+            default: localhost
+          - name: syslog_port
+            type: integer
+            title: Syslog Port
+            multi: false
+            required: true
+            show_user: true
+            default: 9004
+owner:
+  github: elastic/security-ingest
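Review bot: The `tcp` and `udp` inputs surface only `syslog_host` and `syslog_port`, so the listener that receives FortiOS syslog has no transport-security or sender-restriction option exposed in the manifest, and UDP syslog in particular carries no sender authentication; `default: localhost` on `syslog_host` is the right conservative default, but nothing in the manifest tells the user why, so the two input descriptions should say it, e.g. `description: "Collecting logs from Fortinet instances (input: udp). The listener is unauthenticated; bind it only to an interface reachable from the FortiGate."`. If the underlying tcp input offers TLS settings, exposing them as vars here would let users avoid plaintext log transport, though that cannot be confirmed from this hunk. Separately, the `paths` var of the `logfile` input is `required: false` with no `default`, so a policy that leaves it blank presumably renders a logfile stream with an empty `paths` list; either give it a sensible `default` or make it `required: true`.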