Fortinet fortigate enhancement (demisto#29655)

* Updated the readme for proofpoint fortigate. * Modified the modeling rule. * Modified the modeling rule and the schema file. * Updated the release note. * Update Packs/FortiGate/README.md Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com> * Updated the modeling rule. * Added tags to the readme. * removed ftntfgtmastersrcmac and ftntfgtmasterdstmac from the mapping. * updated the modeling rule and the schema file. * updated the modeling rule * updated the modeling rule --------- Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
xsoar-contrib · Oct 5, 2023 · fbdb097 · fbdb097
1 parent 0c314c9
commit fbdb097
Show file tree

Hide file tree

Showing 5 changed files with 126 additions and 21 deletions.
diff --git a/Packs/FortiGate/ModelingRules/FortiGate_1_3/FortiGate_1_3.xif b/Packs/FortiGate/ModelingRules/FortiGate_1_3/FortiGate_1_3.xif
@@ -1,27 +1,29 @@
 [MODEL: dataset="fortinet_fortigate_raw"]
 alter
-    xdm.network.application_protocol = app,
+    xdm.network.application_protocol = if(app != "" and app != null, app, ftntfgtmethod != "" and ftntfgtmethod != null, ftntfgtmethod),
 	xdm.network.application_protocol_category = FTNTFGTcat,
 	xdm.target.host.fqdn = dhost,
-	xdm.target.ipv4 = dst,
-	xdm.target.port = to_integer(dpt),
-	xdm.target.user.username = duser,
+	xdm.target.ipv4 = if(dst ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", dst, null),
+	xdm.target.ipv6 = if(dst ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", dst, null),
+	xdm.target.port = if(to_string(dpt) != "" and to_string(dpt) != null, to_integer(dpt), to_string(ftntfgtpdstport) != "" and to_string(ftntfgtpdstport) != null, to_integer(ftntfgtpdstport)),
+	xdm.target.user.username = if(duser != "" and duser != null, duser, ftntfgtdstunauthuser != "" and ftntfgtdstunauthuser != null, ftntfgtdstunauthuser),
 	xdm.network.http.url = request,
 	xdm.network.ip_protocol = if(proto="0",XDM_CONST.IP_PROTOCOL_HOPOPT, proto="1",XDM_CONST.IP_PROTOCOL_ICMP, proto="2",XDM_CONST.IP_PROTOCOL_IGMP, proto="3",XDM_CONST.IP_PROTOCOL_GGP, proto="4",XDM_CONST.IP_PROTOCOL_IP, proto="5",XDM_CONST.IP_PROTOCOL_ST, proto="6",XDM_CONST.IP_PROTOCOL_TCP, proto="7",XDM_CONST.IP_PROTOCOL_CBT, proto="8",XDM_CONST.IP_PROTOCOL_EGP, proto="9",XDM_CONST.IP_PROTOCOL_IGP, proto="10",XDM_CONST.IP_PROTOCOL_BBN_RCC_MON, proto="11",XDM_CONST.IP_PROTOCOL_NVP_II, proto="12",XDM_CONST.IP_PROTOCOL_PUP, proto="13",XDM_CONST.IP_PROTOCOL_ARGUS, proto="14",XDM_CONST.IP_PROTOCOL_EMCON, proto="15",XDM_CONST.IP_PROTOCOL_XNET, proto="16",XDM_CONST.IP_PROTOCOL_CHAOS, proto="17",XDM_CONST.IP_PROTOCOL_UDP, proto="18",XDM_CONST.IP_PROTOCOL_MUX, proto="19",XDM_CONST.IP_PROTOCOL_DCN_MEAS, proto="20",XDM_CONST.IP_PROTOCOL_HMP, proto="21",XDM_CONST.IP_PROTOCOL_PRM, proto="22",XDM_CONST.IP_PROTOCOL_XNS_IDP, proto="23",XDM_CONST.IP_PROTOCOL_TRUNK_1, proto="24",XDM_CONST.IP_PROTOCOL_TRUNK_2, proto="25",XDM_CONST.IP_PROTOCOL_LEAF_1, proto="26",XDM_CONST.IP_PROTOCOL_LEAF_2, proto="27",XDM_CONST.IP_PROTOCOL_RDP, proto="28",XDM_CONST.IP_PROTOCOL_IRTP, proto="29",XDM_CONST.IP_PROTOCOL_ISO_TP4, proto="30",XDM_CONST.IP_PROTOCOL_NETBLT, proto="31",XDM_CONST.IP_PROTOCOL_MFE_NSP, proto="32",XDM_CONST.IP_PROTOCOL_MERIT_INP, proto="33",XDM_CONST.IP_PROTOCOL_DCCP, proto="34",XDM_CONST.IP_PROTOCOL_3PC, proto="35",XDM_CONST.IP_PROTOCOL_IDPR, proto="36",XDM_CONST.IP_PROTOCOL_XTP, proto="37",XDM_CONST.IP_PROTOCOL_DDP, proto="38",XDM_CONST.IP_PROTOCOL_IDPR_CMTP, proto="39",XDM_CONST.IP_PROTOCOL_TP, proto="40",XDM_CONST.IP_PROTOCOL_IL, proto="41",XDM_CONST.IP_PROTOCOL_IPV6, proto="42",XDM_CONST.IP_PROTOCOL_SDRP, proto="43",XDM_CONST.IP_PROTOCOL_IPV6_ROUTE, proto="44",XDM_CONST.IP_PROTOCOL_IPV6_FRAG, proto="45",XDM_CONST.IP_PROTOCOL_IDRP, proto="46",XDM_CONST.IP_PROTOCOL_RSVP, proto="47",XDM_CONST.IP_PROTOCOL_GRE, proto="48",XDM_CONST.IP_PROTOCOL_DSR, proto="49",XDM_CONST.IP_PROTOCOL_BNA, proto="50",XDM_CONST.IP_PROTOCOL_ESP, proto="51",XDM_CONST.IP_PROTOCOL_AH, proto="52",XDM_CONST.IP_PROTOCOL_I_NLSP, proto="53",XDM_CONST.IP_PROTOCOL_SWIPE, proto="54",XDM_CONST.IP_PROTOCOL_NARP, proto="55",XDM_CONST.IP_PROTOCOL_MOBILE, proto="56",XDM_CONST.IP_PROTOCOL_TLSP, proto="57",XDM_CONST.IP_PROTOCOL_SKIP, proto="58",XDM_CONST.IP_PROTOCOL_IPV6_ICMP, proto="59",XDM_CONST.IP_PROTOCOL_IPV6_NONXT, proto="60",XDM_CONST.IP_PROTOCOL_IPV6_OPTS, proto="62",XDM_CONST.IP_PROTOCOL_CFTP, proto="64",XDM_CONST.IP_PROTOCOL_SAT_EXPAK, proto="65",XDM_CONST.IP_PROTOCOL_KRYPTOLAN, proto="66",XDM_CONST.IP_PROTOCOL_RVD, proto="67",XDM_CONST.IP_PROTOCOL_IPPC, proto="69",XDM_CONST.IP_PROTOCOL_SAT_MON, proto="70",XDM_CONST.IP_PROTOCOL_VISA, proto="71",XDM_CONST.IP_PROTOCOL_IPCV, proto="72",XDM_CONST.IP_PROTOCOL_CPNX, proto="73",XDM_CONST.IP_PROTOCOL_CPHB, proto="74",XDM_CONST.IP_PROTOCOL_WSN, proto="75",XDM_CONST.IP_PROTOCOL_PVP, proto="76",XDM_CONST.IP_PROTOCOL_BR_SAT_MON, proto="77",XDM_CONST.IP_PROTOCOL_SUN_ND, proto="78",XDM_CONST.IP_PROTOCOL_WB_MON, proto="79",XDM_CONST.IP_PROTOCOL_WB_EXPAK, proto="80",XDM_CONST.IP_PROTOCOL_ISO_IP, proto="81",XDM_CONST.IP_PROTOCOL_VMTP, proto="82",XDM_CONST.IP_PROTOCOL_SECURE_VMTP, proto="83",XDM_CONST.IP_PROTOCOL_VINES, proto="84",XDM_CONST.IP_PROTOCOL_TTP, proto="85",XDM_CONST.IP_PROTOCOL_NSFNET_IGP, proto="86",XDM_CONST.IP_PROTOCOL_DGP, proto="87",XDM_CONST.IP_PROTOCOL_TCF, proto="88",XDM_CONST.IP_PROTOCOL_EIGRP, proto="89",XDM_CONST.IP_PROTOCOL_OSPFIGP, proto="90",XDM_CONST.IP_PROTOCOL_SPRITE_RPC, proto="91",XDM_CONST.IP_PROTOCOL_LARP, proto="92",XDM_CONST.IP_PROTOCOL_MTP, proto="93",XDM_CONST.IP_PROTOCOL_AX25, proto="94",XDM_CONST.IP_PROTOCOL_IPIP, proto="95",XDM_CONST.IP_PROTOCOL_MICP, proto="96",XDM_CONST.IP_PROTOCOL_SCC_SP, proto="97",XDM_CONST.IP_PROTOCOL_ETHERIP, proto="98",XDM_CONST.IP_PROTOCOL_ENCAP, proto="100",XDM_CONST.IP_PROTOCOL_GMTP, proto="101",XDM_CONST.IP_PROTOCOL_IFMP, proto="102",XDM_CONST.IP_PROTOCOL_PNNI, proto="103",XDM_CONST.IP_PROTOCOL_PIM, proto="104",XDM_CONST.IP_PROTOCOL_ARIS, proto="105",XDM_CONST.IP_PROTOCOL_SCPS, proto="106",XDM_CONST.IP_PROTOCOL_QNX, proto="107",XDM_CONST.IP_PROTOCOL_AN, proto="108",XDM_CONST.IP_PROTOCOL_IPCOMP, proto="110",XDM_CONST.IP_PROTOCOL_COMPAQ_PEER, proto="111",XDM_CONST.IP_PROTOCOL_IPX_IN_IP, proto="112",XDM_CONST.IP_PROTOCOL_VRRP, proto="113",XDM_CONST.IP_PROTOCOL_PGM, proto="115",XDM_CONST.IP_PROTOCOL_L2TP, proto="116",XDM_CONST.IP_PROTOCOL_DDX, proto="117",XDM_CONST.IP_PROTOCOL_IATP, proto="118",XDM_CONST.IP_PROTOCOL_STP, proto="119",XDM_CONST.IP_PROTOCOL_SRP, proto="120",XDM_CONST.IP_PROTOCOL_UTI, proto="121",XDM_CONST.IP_PROTOCOL_SMP, proto="122",XDM_CONST.IP_PROTOCOL_SM, proto="123",XDM_CONST.IP_PROTOCOL_PTP, proto="124",XDM_CONST.IP_PROTOCOL_ISIS, proto="125",XDM_CONST.IP_PROTOCOL_FIRE, proto="126",XDM_CONST.IP_PROTOCOL_CRTP, proto="127",XDM_CONST.IP_PROTOCOL_CRUDP, proto="128",XDM_CONST.IP_PROTOCOL_SSCOPMCE, proto="129",XDM_CONST.IP_PROTOCOL_IPLT, proto="130",XDM_CONST.IP_PROTOCOL_SPS, proto="131",XDM_CONST.IP_PROTOCOL_PIPE, proto="132",XDM_CONST.IP_PROTOCOL_SCTP, proto="133",XDM_CONST.IP_PROTOCOL_FC, proto="134",XDM_CONST.IP_PROTOCOL_RSVP_E2E_IGNORE, proto="135",XDM_CONST.IP_PROTOCOL_MOBILITY, proto="136",XDM_CONST.IP_PROTOCOL_UDPLITE, proto="137",XDM_CONST.IP_PROTOCOL_MPLS_IN_IP,to_string(proto)),
 	xdm.observer.action = act,
 	xdm.observer.type = cat,
 	xdm.event.description = msg,
 	xdm.event.outcome_reason = reason,
 	xdm.source.host.fqdn = shost,
-	xdm.source.ipv4 = src,
-	xdm.source.port = to_integer(spt),
+	xdm.source.ipv4 = if(src ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", src, null),
+    xdm.source.ipv6 = if(src ~= "[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}", src, null),
+	xdm.source.port = if(to_string(spt) != "" and to_string(spt) != null, to_integer(spt), to_string(ftntfgtpsrcport) != "" and to_string(ftntfgtpsrcport) != null, to_integer(ftntfgtpsrcport)),
 	xdm.target.sent_bytes = to_integer(`in`),
 	xdm.source.process.executable.filename = fname,
 	xdm.source.process.name = sproc,
-	xdm.source.user.username = suser,
+	xdm.source.user.username = if(suser != "" and suser != null, suser, ftntfgtunauthuser != "" and ftntfgtunauthuser != null, ftntfgtunauthuser),
 	xdm.alert.description = FTNTFGTref,
-    xdm.event.outcome = if(outcome="update", XDM_CONST.OUTCOME_SUCCESS, outcome="failure", XDM_CONST.OUTCOME_FAILED, outcome="success", XDM_CONST.OUTCOME_SUCCESS, outcome="database-check", XDM_CONST.OUTCOME_PARTIAL, outcome="failed", XDM_CONST.OUTCOME_FAILED, outcome="unregistered", XDM_CONST.OUTCOME_UNKNOWN, outcome="new", XDM_CONST.OUTCOME_UNKNOWN, to_string(outcome)),
-	xdm.session_context_id = externalId, 								
+    xdm.event.outcome = if(outcome="update", XDM_CONST.OUTCOME_SUCCESS, outcome="failure", XDM_CONST.OUTCOME_FAILED, outcome="success", XDM_CONST.OUTCOME_SUCCESS, outcome="succeeded", XDM_CONST.OUTCOME_SUCCESS, outcome="database-check", XDM_CONST.OUTCOME_PARTIAL, outcome="authentication-required", XDM_CONST.OUTCOME_PARTIAL, outcome="failed", XDM_CONST.OUTCOME_FAILED, outcome="negotiate_error", XDM_CONST.OUTCOME_FAILED, outcome="unregistered", XDM_CONST.OUTCOME_UNKNOWN, outcome="new", XDM_CONST.OUTCOME_UNKNOWN, lowercase(ftntfgtresult) = "ok", XDM_CONST.OUTCOME_SUCCESS, lowercase(ftntfgtresult) = "done", XDM_CONST.OUTCOME_SUCCESS, lowercase(ftntfgtresult) = "n/a", XDM_CONST.OUTCOME_UNKNOWN, lowercase(ftntfgtresult) = "error", XDM_CONST.OUTCOME_FAILED, outcome != null and outcome != "", to_string(outcome), ftntfgtresult != null and ftntfgtresult != "", to_string(ftntfgtresult)),
+	xdm.session_context_id = externalId,
     xdm.source.sent_bytes = to_integer(out),
     xdm.target.sent_packets = to_integer(FTNTFGTrcvdpkt),
     xdm.source.sent_packets = to_integer(FTNTFGTsentpkt),
@@ -33,4 +35,15 @@ alter
     xdm.event.operation_sub_type = FTNTFGTsubtype,
     xdm.alert.severity = coalesce(FTNTFGTlevel, cefSeverity),
     xdm.source.user.domain = FTNTFGTvd,
-    xdm.alert.subcategory = FTNTFGTlogdesc;
+    xdm.alert.subcategory = FTNTFGTlogdesc,
+    xdm.source.application.name = ftntfgtapp,
+    xdm.event.id = to_string(ftntfgtlogid),
+    xdm.target.host.mac_addresses = arraycreate(if(ftntfgtdstmac != "" and  ftntfgtdstmac != null, ftntfgtdstmac)),
+    xdm.source.host.mac_addresses = arraycreate(if(ftntfgtsrcmac != "" and  ftntfgtsrcmac != null, ftntfgtsrcmac)),
+    xdm.source.host.os = ftntfgtosname,
+    xdm.source.host.os_family = if(ftntfgtosname contains "windows", XDM_CONST.OS_FAMILY_WINDOWS, ftntfgtosname contains "mac", XDM_CONST.OS_FAMILY_MACOS, ftntfgtosname contains "linux", XDM_CONST.OS_FAMILY_LINUX, ftntfgtosname contains "android", XDM_CONST.OS_FAMILY_ANDROID, ftntfgtosname contains "ios", XDM_CONST.OS_FAMILY_IOS, ftntfgtosname contains "ubuntu", XDM_CONST.OS_FAMILY_UBUNTU, ftntfgtosname contains "debian", XDM_CONST.OS_FAMILY_DEBIAN, ftntfgtosname contains "fedora", XDM_CONST.OS_FAMILY_FEDORA, ftntfgtosname contains "centos", XDM_CONST.OS_FAMILY_CENTOS, ftntfgtosname contains "chrome", XDM_CONST.OS_FAMILY_CHROMEOS, ftntfgtosname contains "solaris", XDM_CONST.OS_FAMILY_SOLARIS, ftntfgtosname contains "scada", XDM_CONST.OS_FAMILY_SCADA),
+    xdm.network.rule = ftntfgtpolicyname,
+    xdm.network.tls.server_name = ftntfgtscertcname,
+    xdm.network.tls.server_certificate.issuer = ftntfgtscertissuer,
+    xdm.source.host.device_category = ftntfgtsrcfamily,
+    xdm.event.type = ftntfgtsubtype;
diff --git a/Packs/FortiGate/ModelingRules/FortiGate_1_3/FortiGate_1_3_schema.json b/Packs/FortiGate/ModelingRules/FortiGate_1_3/FortiGate_1_3_schema.json
@@ -147,6 +147,74 @@
       "FTNTFGTvd": {
         "type": "string",
         "is_array": false
-      }                                                     
+      },
+      "ftntfgtapp": {
+        "type": "string",
+        "is_array": false
+      },
+      "ftntfgtdstunauthuser": {
+        "type": "string",
+        "is_array": false
+      },
+      "ftntfgtdstunauthusersource": {
+        "type": "string",
+        "is_array": false
+      },
+      "ftntfgtunauthuser": {
+        "type": "string",
+        "is_array": false
+      },
+      "ftntfgtunauthusersource": {
+        "type": "string",
+        "is_array": false
+      },
+      "ftntfgtlogid": {
+        "type": "string",
+        "is_array": false
+      },
+      "ftntfgtdstmac": {
+        "type": "string",
+        "is_array": false
+      },
+      "ftntfgtsrcmac": {
+        "type": "string",
+        "is_array": false
+      },
+      "ftntfgtmethod": {
+        "type": "string",
+        "is_array": false
+      },
+      "ftntfgtosname": {
+        "type": "string",
+        "is_array": false
+      },
+      "ftntfgtpdstport": {
+        "type": "int",
+        "is_array": false
+      },
+      "ftntfgtpsrcport": {
+        "type": "int",
+        "is_array": false
+      },
+      "ftntfgtpolicyname": {
+        "type": "string",
+        "is_array": false
+      },
+      "ftntfgtresult": {
+        "type": "string",
+        "is_array": false
+      },
+      "ftntfgtscertcname": {
+        "type": "string",
+        "is_array": false
+      },
+      "ftntfgtscertissuer": {
+        "type": "string",
+        "is_array": false
+      },
+      "ftntfgtsrcfamily": {
+        "type": "string",
+        "is_array": false
+      }
     }
   }
diff --git a/Packs/FortiGate/README.md b/Packs/FortiGate/README.md
@@ -1,9 +1,27 @@
-## Collect Events from Vendor
+<~XSIAM>
+# Fortigate
+This pack includes Cortex XSIAM content.
+
+Fortigate versions: 7.x
+
+## Configuration on Server Side
+You need to configure Fortigate to forward Syslog messages.
 
-In order to use the collector, you can use one of the following options to collect events from the vendor:
- - [Broker VM](#broker-vm)
+1. Log in to the FortiGate web interface using your admin credentials.
+2. Open a CLI console by clicking the **_>** icon in the top right corner
+4. Run the following command:
+```bash 
+   config log syslogd setting
+    set status enable
+    set server <syslog_IP>
+    set format cef
+    set mode udp
+    set port <port_number>
+```
 
-In either option, you will need to configure the vendor and product for this specific collector.
+More information can be found [here](https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/250999/log-settings-and-targets)
+## Collect Events from Vendor
+In order to use the collector, use the [Broker VM](#broker-vm) option.
 
 * Support for timestamp parsing is available only for the **FTNTFGTeventtime** field in UTC +0000 time zone.
 
@@ -13,8 +31,9 @@ You can configure the specific vendor and product for this instance.
 1. Navigate to **Settings** -> **Configuration** -> **Data Broker** -> **Broker VMs**. 
 2. Right-click, and select **Syslog Collector** -> **Configure**.
 3. When configuring the Syslog Collector, set:
-   - vendor as vendor<- Fortinet
-   - product as product<- FortiGate
-
-
+   - vendor as Fortinet
+   - product as FortiGate
+</~XSIAM>
 
+
+
diff --git a/Packs/FortiGate/ReleaseNotes/1_0_24.md b/Packs/FortiGate/ReleaseNotes/1_0_24.md
@@ -0,0 +1,3 @@
+#### Modeling Rules
+##### Fortinet FortiGate Modeling Rule
+Updated the modeling rule with additional fields.
diff --git a/Packs/FortiGate/pack_metadata.json b/Packs/FortiGate/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "FortiGate",
     "description": "Manage FortiGate Firewall",
     "support": "xsoar",
-    "currentVersion": "1.0.23",
+    "currentVersion": "1.0.24",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
@@ -12,7 +12,9 @@
     ],
     "tags": [],
     "useCases": [],
-    "keywords": [],
+    "keywords": [
+        "Fortinet"
+    ],
     "marketplaces": [
         "xsoar",
         "marketplacev2"