{
    /*
     * A parser for Fortigate syslog.
     *
   * It will split every key/value pair to a field 'fortinet.fieldname'
   * Uses rewrites to rewrite the field to OCSF field used by SentinelOne SDL
     *
   * Instructions:
     *
     * - Use the format "default" in FortiGate configuration:
   * - ssh to fg device
   * commands:
   * config log syslogd settings
   * set format default
   * end
   *
     * - fill in site ID if you want the data to be surfaced in the context of a SITE, or remove the attribute below.
     *
     *
     * Contributors: Mischa Deden <mischa.deden@sentinelone.com>, Jan Tietze <jant@sentinelone.com> (original parser)
     */
    "patterns": 
    {
      "dateTimePattern": "date=\\d+-\\d+-\\d+ time=\\d+:\\d+:\\d+"
    },
    
    "attributes": 
    {
      "dataSource.category": "security",
      "dataSource.name": "Fortigate",
      "dataSource.vendor": "Fortinet"
    },
    
    "formats": [
      {
        "format": "^<$syslog.priority{parse=syslogPriority}$>$datetime=dateTimePattern$",
        "rewrites": [
          {
            "input": "datetime",
            "output": "timestamp",
            "match": "date=(\\d+-\\d+-\\d+) time=(\\d+:\\d+:\\d+)",
            "replace": "$1 $2"
          }
        ]
      }, {
        "format": ".*$_=identifier$=$fortinet._=quoteOrSpace$",
        "repeat": true,
        "rewrites": [
          { 
            "input": "fortinet.action",
            "output": "event.network.connectionStatus",
            "match": ".*",
            "replace": "$0"
          },
          { 
            "input": "fortinet.subtype",
            "output": "event.network.direction",
            "match": ".*",
            "replace": "$0"
          },
          { 
            "input": "fortinet.service",
            "output": "event.network.protocolName",
            "match": ".*",
            "replace": "$0"
          },
          {
            "input": "fortinet.srcip",
            "match": ".*",
            "output": "event.source",
            "replace": "$0"
          },
          {
            "input": "fortinet.srcip",
            "match": ".*",
            "output": "src_endpoint.ip",
            "replace": "$0"
          }, 
          {
            "input": "fortinet.srcport",
            "match": ".*",
            "output": "src_endpoint.port",
            "replace": "$0"
          }, 
          {
            "input": "fortinet.srcmac",
            "match": ".*",
            "output": "src_endpoint.mac",
            "replace": "$0"
          }, 
          {
            "input": "fortinet.dstip",
            "match": ".*",
            "output": "dst_endpoint.ip",
            "replace": "$0"
          },
          {
            "input": "fortinet.dstip",
            "match": ".*",
            "output": "dst.ipaddress",
            "replace": "$0"
          },
          {
            "input": "fortinet.dstip",
            "match": ".*",
            "output": "event.target",
            "replace": "$0"
          }, 
          {
            "input": "fortinet.dstport",
            "match": ".*",
            "output": "dst_endpoint.port",
            "replace": "$0"
          },
          {
            "input": "fortinet.dstport",
            "match": ".*",
            "output": "dst.port.number",
            "replace": "$0"
          }, 
          {
            "input": "fortinet.dstmac",
            "match": ".*",
            "output": "dst_endpoint.mac",
            "replace": "$0"
          }, 
          {
            "input": "fortinet.subtype",
            "match": ".*",
            "output": "activity_name",
            "replace": "$0"
          },
          {
            "input": "fortinet.subtype",
            "match": ".*",
            "output": "activity_id",
            "replace": "$0"
          }, 
          {
            "input": "fortinet.subtype",
            "match": ".*",
            "output": "event.type",
            "replace": "$0"
          }, 
          {
            "input": "fortinet.severity",
            "match": ".*",
            "output": "severity_id",
            "replace": "99"
          }, 
          {
            "input": "fortinet.severity",
            "match": "^information$",
            "output": "severity_id",
            "replace": "1"
          }, 
          {
            "input": "fortinet.severity",
            "match": "^critical$",
            "output": "severity_id",
            "replace": "5"
          }, 
          {
            "input": "fortinet.severity",
            "match": "^Emergency$",
            "output": "severity_id",
            "replace": "6"
          },
          {
            "input": "fortinet.severity",
            "match": "^information$",
            "output": "severity_id",
            "replace": "1"
          },
          {
            "input": "fortinet.severity",
            "match": "^critical$",
            "output": "severity_id",
            "replace": "5"
          },
          {
            "input": "fortinet.severity",
            "match": "^Emergency$",
            "output": "severity_id",
            "replace": "6"
          },
          {
            "input": "fortinet.action",
            "match": ".*",
            "output": "activity_name",
            "replace": "$0"
          },
          {
            "input": "fortinet.action",
            "match": "^(accept|permit)$",
            "output": "activity_name",
            "replace": "Open"
          },
          {
            "input": "fortinet.action",
            "match": "^(dropped|close|shutdown)$",
            "output": "activity_name",
            "replace": "Close"
          },
          {
            "input": "fortinet.action",
            "match": "^clear_session",
            "output": "activity_name",
            "replace": "Reset"
          },
          { 
            "input": "fortinet.action",
            "match": "^(block|blocked)$",
            "output": "activity_name",
            "replace": "Refuse"
          },
          {
            "input": "activity_name",
            "match": ".*",
            "output": "activity_id",
            "replace": "99"
          },
          {
            "input": "activity_name",
            "match": "^Open",
            "output": "activity_id",
            "replace": "1"
          },
          {
            "input": "activity_name",
            "match": "^Close",
            "output": "activity_id",
            "replace": "2"
          },
          {
            "input": "activity_name",
            "match": "^Reset",
            "output": "activity_id",
            "replace": "3"
          },
          {
            "input": "activity_name",
            "match": "^Refuse",
            "output": "activity_id",
            "replace": "5"
          },
          {
            "input": "activity_name",
            "match": ".*",
            "output": "event.type",
            "replace": "$0"
          },
          {
            "input": "fortinet.severity",
            "match": ".*",
            "output": "severity_id",
            "replace": "99"
          },
          {
            "input": "fortinet.severity",
            "match": "^(information|Information)$",
            "output": "severity_id",
            "replace": "1"
          },
          {
            "input": "fortinet.severity",
            "match": "^(critical|Critical)$",
            "output": "severity_id",
            "replace": "5"
          },
          {
            "input": "fortinet.severity",
            "match": "^(emergency|Emergency)$",
            "output": "severity_id",
            "replace": "6"
          },
          {
            "input": "activity_id",
            "match": "(.*)",
            "output": "type_uid",
            "replace": "40010$0"
          },
          {
            "input": "activity_id",
            "match": "99",
            "output": "type_uid",
            "replace": "400199"
          },
          {
            "input": "activity_name",
            "match": "(.*)",
            "output": "type_name",
            "replace": "Network Activity: $0"
          },
          {
            "input": "fortinet.sentbyte",
            "match": "(.*)",
            "output": "traffic.bytes_in",
            "replace": "$0"
          },
          {
            "input": "fortinet.rcvdbyte",
            "match": "(.*)",
            "output": "traffic.bytes_out",
            "replace": "$0"
          },
          {
            "input": "message",
            "match": ".*srcip\\=(\\S+)\\s.*dstip\\=(\\S+)\\s.*dstmac\\=\"(.*?)\"\\s.*",
            "output": "observables",
            "replace": "\\[\\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"fortinet.srcip\"\\, \"value\"\\: \"$1\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"fortinet.dstip\"\\, \"value\"\\: \"$2\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"fortinet.dstmac\"\\, \"value\"\\: \"$3\"\\}\\]"
          }
        ]
      }
    ]
  }
