elastic · efd6 · Oct 28, 2022 · Aug 26, 2022 · Oct 26, 2022 · P1llus
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -68,6 +68,7 @@
 /packages/fleet_server @elastic/elastic-agent-control-plane
 /packages/fortinet @elastic/security-external-integrations
 /packages/fortinet_forticlient @elastic/security-external-integrations
+/packages/fortinet_fortiedr @elastic/security-external-integrations
 /packages/fortinet_fortigate @elastic/security-external-integrations
 /packages/fortinet_fortimail @elastic/security-external-integrations
 /packages/fortinet_fortimanager @elastic/security-external-integrations

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@v8.3.0
@@ -0,0 +1,15 @@
+# Fortinet FortiEDR Integration
+
+This integration is for Fortinet FortiEDR logs sent in the syslog format.
+
+## Configuration
+
+The Fortinet FortiEDR integration requires that the **Send Syslog Notification** opion be turned on in the FortiEDR Playbook policy that includes the devices that are to be monitored by the integration.
+
+### Log
+
+The `log` dataset collects Fortinet FortiEDR logs.
+
+{{event "log"}}
+
+{{fields "log"}}
@@ -0,0 +1,18 @@
+version: '2.3'
+services:
+  fortinet-logfile:
+    image: alpine
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+      - ${SERVICE_LOGS_DIR}:/var/log
+    command: /bin/sh -c "cp /sample_logs/* /var/log/"
+  fortinet-edr-tcp:
+    image: docker.elastic.co/observability/stream:v0.7.0
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=tcp /sample_logs/fortinet-edr.log
+  fortinet-edr-udp:
+    image: docker.elastic.co/observability/stream:v0.7.0
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9515 -p=udp /sample_logs/fortinet-edr.log
@@ -0,0 +1 @@
+<133>1 2019-09-18T06:42:18.000Z 1.1.1.1 enSilo - - - Organization: Demo;Organization ID: 156646;Event ID: 458478; Raw Data ID: 1270886879;Device Name: WIN10-VICTIM;Operating System: Windows 10 Pro N; Process Name: svchost.exe;Process Path: \Device\HarddiskVolume4\Windows\System32\svchost.exe; Process Type: 64bit;Severity: Critical;Classification: Suspicious;Destination: File Creation; First Seen: 18-Sep-2019, 02:42:18;Last Seen: 18-Sep-2019, 02:42:18;Action: Blocked;Count: 1; Certificate: yes;Rules List: File Encryptor - Suspicious file modification;Users: WIN10-VICTIM\U; MAC Address: 00-0C-29-D4-75-EC;Script: N/A;Script Path: N/A;Autonomous System: N/A;Country: N/A
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "1.0.0"
+  changes:
+    - description: Initial version of Fortinet FortiEDR package
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/4070
@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_original_event
@@ -0,0 +1,2 @@
+<133>1 2019-09-18T06:42:18.000Z 1.1.1.1 enSilo - - - Organization: Demo;Organization ID: 156646;Event ID: 458478; Raw Data ID: 1270886879;Device Name: WIN10-VICTIM;Operating System: Windows 10 Pro N; Process Name: svchost.exe;Process Path: \Device\HarddiskVolume4\Windows\System32\svchost.exe; Process Type: 64bit;Severity: Critical;Classification: Suspicious;Destination: File Creation; First Seen: 18-Sep-2019, 02:42:18;Last Seen: 18-Sep-2019, 02:42:18;Action: Blocked;Count: 1; Certificate: yes;Rules List: File Encryptor - Suspicious file modification;Users: WIN10-VICTIM\U; MAC Address: 00-0C-29-D4-75-EC;Script: N/A;Script Path: N/A;Autonomous System: N/A;Country: N/A
+<133>1 2019-09-18T07:42:18.000Z 1.1.1.1 enSilo 8710 - - Organization: Demo;Organization ID: 156646;Event ID: 458478; Raw Data ID: 1270886879;Device Name: WIN10-VICTIM;Operating System: Windows 10 Pro N; Process Name: svchost.exe;Process Path: \Device\HarddiskVolume4\Windows\System32\svchost.exe; Process Type: 64bit;Severity: Critical;Classification: Suspicious;Destination: File Creation; First Seen: 18-Sep-2019, 02:42:18;Last Seen: 18-Sep-2019, 02:42:18;Action: Blocked;Count: 1; Certificate: yes;Rules List: File Encryptor - Suspicious file modification;Users: WIN10-VICTIM\U; MAC Address: 00-0C-29-D4-75-EC;Script: N/A;Script Path: N/A;Autonomous System: N/A;Country: N/A
@@ -0,0 +1,183 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2019-09-18T06:42:18.000Z",
+            "ecs": {
+                "version": "8.4.0"
+            },
+            "event": {
+                "action": "blocked",
+                "category": "malware",
+                "end": "2019-09-18T02:42:18.000Z",
+                "id": "458478",
+                "original": "\u003c133\u003e1 2019-09-18T06:42:18.000Z 1.1.1.1 enSilo - - - Organization: Demo;Organization ID: 156646;Event ID: 458478; Raw Data ID: 1270886879;Device Name: WIN10-VICTIM;Operating System: Windows 10 Pro N; Process Name: svchost.exe;Process Path: \\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe; Process Type: 64bit;Severity: Critical;Classification: Suspicious;Destination: File Creation; First Seen: 18-Sep-2019, 02:42:18;Last Seen: 18-Sep-2019, 02:42:18;Action: Blocked;Count: 1; Certificate: yes;Rules List: File Encryptor - Suspicious file modification;Users: WIN10-VICTIM\\U; MAC Address: 00-0C-29-D4-75-EC;Script: N/A;Script Path: N/A;Autonomous System: N/A;Country: N/A",
+                "start": "2019-09-18T02:42:18.000Z"
+            },
+            "fortinet": {
+                "edr": {
+                    "action": "Blocked",
+                    "autonomous_system": "N/A",
+                    "certificate": "yes",
+                    "classification": "Suspicious",
+                    "count": "1",
+                    "country": "N/A",
+                    "destination": "File Creation",
+                    "device_name": "WIN10-VICTIM",
+                    "event_id": "458478",
+                    "first_seen": "2019-09-18T02:42:18.000Z",
+                    "last_seen": "2019-09-18T02:42:18.000Z",
+                    "mac_address": "00-0C-29-D4-75-EC",
+                    "operating_system": "Windows 10 Pro N",
+                    "organization": "Demo",
+                    "organization_id": "156646",
+                    "process_name": "svchost.exe",
+                    "process_path": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
+                    "process_type": "64bit",
+                    "raw_data_id": "1270886879",
+                    "rules_list": "File Encryptor - Suspicious file modification",
+                    "script": "N/A",
+                    "script_path": "N/A",
+                    "severity": "Critical",
+                    "users": "WIN10-VICTIM\\U"
+                }
+            },
+            "host": {
+                "hostname": "WIN10-VICTIM",
+                "mac": [
+                    "00-0C-29-D4-75-EC"
+                ],
+                "os": {
+                    "full": "Windows 10 Pro N"
+                }
+            },
+            "log": {
+                "syslog": {
+                    "appname": "enSilo",
+                    "facility": {
+                        "code": 16
+                    },
+                    "hostname": "1.1.1.1",
+                    "priority": 133,
+                    "severity": {
+                        "code": 5
+                    },
+                    "version": "1"
+                }
+            },
+            "observer": {
+                "product": "FortiEDR",
+                "type": "edr",
+                "vendor": "Fortinet"
+            },
+            "process": {
+                "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
+                "name": "svchost.exe"
+            },
+            "related": {
+                "hosts": [
+                    "WIN10-VICTIM",
+                    "1.1.1.1"
+                ],
+                "user": [
+                    "WIN10-VICTIM\\U"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "id": "WIN10-VICTIM\\U"
+            }
+        },
+        {
+            "@timestamp": "2019-09-18T07:42:18.000Z",
+            "ecs": {
+                "version": "8.4.0"
+            },
+            "event": {
+                "action": "blocked",
+                "category": "malware",
+                "end": "2019-09-18T02:42:18.000Z",
+                "id": "458478",
+                "original": "\u003c133\u003e1 2019-09-18T07:42:18.000Z 1.1.1.1 enSilo 8710 - - Organization: Demo;Organization ID: 156646;Event ID: 458478; Raw Data ID: 1270886879;Device Name: WIN10-VICTIM;Operating System: Windows 10 Pro N; Process Name: svchost.exe;Process Path: \\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe; Process Type: 64bit;Severity: Critical;Classification: Suspicious;Destination: File Creation; First Seen: 18-Sep-2019, 02:42:18;Last Seen: 18-Sep-2019, 02:42:18;Action: Blocked;Count: 1; Certificate: yes;Rules List: File Encryptor - Suspicious file modification;Users: WIN10-VICTIM\\U; MAC Address: 00-0C-29-D4-75-EC;Script: N/A;Script Path: N/A;Autonomous System: N/A;Country: N/A",
+                "start": "2019-09-18T02:42:18.000Z"
+            },
+            "fortinet": {
+                "edr": {
+                    "action": "Blocked",
+                    "autonomous_system": "N/A",
+                    "certificate": "yes",
+                    "classification": "Suspicious",
+                    "count": "1",
+                    "country": "N/A",
+                    "destination": "File Creation",
+                    "device_name": "WIN10-VICTIM",
+                    "event_id": "458478",
+                    "first_seen": "2019-09-18T02:42:18.000Z",
+                    "last_seen": "2019-09-18T02:42:18.000Z",
+                    "mac_address": "00-0C-29-D4-75-EC",
+                    "operating_system": "Windows 10 Pro N",
+                    "organization": "Demo",
+                    "organization_id": "156646",
+                    "process_name": "svchost.exe",
+                    "process_path": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
+                    "process_type": "64bit",
+                    "raw_data_id": "1270886879",
+                    "rules_list": "File Encryptor - Suspicious file modification",
+                    "script": "N/A",
+                    "script_path": "N/A",
+                    "severity": "Critical",
+                    "users": "WIN10-VICTIM\\U"
+                }
+            },
+            "host": {
+                "hostname": "WIN10-VICTIM",
+                "mac": [
+                    "00-0C-29-D4-75-EC"
+                ],
+                "os": {
+                    "full": "Windows 10 Pro N"
+                }
+            },
+            "log": {
+                "syslog": {
+                    "appname": "enSilo",
+                    "facility": {
+                        "code": 16
+                    },
+                    "hostname": "1.1.1.1",
+                    "priority": 133,
+                    "procid": "8710",
+                    "severity": {
+                        "code": 5
+                    },
+                    "version": "1"
+                }
+            },
+            "observer": {
+                "product": "FortiEDR",
+                "type": "edr",
+                "vendor": "Fortinet"
+            },
+            "process": {
+                "executable": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
+                "name": "svchost.exe"
+            },
+            "related": {
+                "hosts": [
+                    "WIN10-VICTIM",
+                    "1.1.1.1"
+                ],
+                "user": [
+                    "WIN10-VICTIM\\U"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "id": "WIN10-VICTIM\\U"
+            }
+        }
+    ]
+}
@@ -0,0 +1,7 @@
+service: fortinet-logfile
+input: logfile
+data_stream:
+  vars:
+    paths:
+      - "{{SERVICE_LOGS_DIR}}/*edr*.log"
+    preserve_original_event: true
@@ -0,0 +1,8 @@
+service: fortinet-edr-tcp
+service_notify_signal: SIGHUP
+input: tcp
+data_stream:
+  vars:
+    tcp_host: 0.0.0.0
+    tcp_port: 9514
+    preserve_original_event: true
@@ -0,0 +1,8 @@
+service: fortinet-edr-udp
+service_notify_signal: SIGHUP
+input: udp
+data_stream:
+  vars:
+    udp_host: 0.0.0.0
+    udp_port: 9515
+    preserve_original_event: true
@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path|}}
+  - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
@@ -0,0 +1,17 @@
+tcp:
+host: "{{tcp_host}}:{{tcp_port}}"
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- add_locale: ~
@@ -0,0 +1,17 @@
+udp:
+host: "{{udp_host}}:{{udp_port}}"
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+- add_locale: ~