{ /* * A parser for Fortigate syslog. * * It will split every key/value pair to a field 'fortinet.fieldname' * Uses rewrites to rewrite the field to OCSF field used by SentinelOne SDL * * Instructions: * * - Use the format "default" in FortiGate configuration: * - ssh to fg device * commands: * config log syslogd settings * set format default * end * * - fill in site ID if you want the data to be surfaced in the context of a SITE, or remove the attribute below. * * * Contributors: Mischa Deden , Jan Tietze (original parser) */ "patterns": { "dateTimePattern": "date=\\d+-\\d+-\\d+ time=\\d+:\\d+:\\d+" }, "attributes": { "dataSource.category": "security", "dataSource.name": "Fortigate", "dataSource.vendor": "Fortinet" }, "formats": [ { "format": "^<$syslog.priority{parse=syslogPriority}$>$datetime=dateTimePattern$", "rewrites": [ { "input": "datetime", "output": "timestamp", "match": "date=(\\d+-\\d+-\\d+) time=(\\d+:\\d+:\\d+)", "replace": "$1 $2" } ] }, { "format": ".*$_=identifier$=$fortinet._=quoteOrSpace$", "repeat": true, "rewrites": [ { "input": "fortinet.action", "output": "event.network.connectionStatus", "match": ".*", "replace": "$0" }, { "input": "fortinet.subtype", "output": "event.network.direction", "match": ".*", "replace": "$0" }, { "input": "fortinet.service", "output": "event.network.protocolName", "match": ".*", "replace": "$0" }, { "input": "fortinet.srcip", "match": ".*", "output": "event.source", "replace": "$0" }, { "input": "fortinet.srcip", "match": ".*", "output": "src_endpoint.ip", "replace": "$0" }, { "input": "fortinet.srcport", "match": ".*", "output": "src_endpoint.port", "replace": "$0" }, { "input": "fortinet.srcmac", "match": ".*", "output": "src_endpoint.mac", "replace": "$0" }, { "input": "fortinet.dstip", "match": ".*", "output": "dst_endpoint.ip", "replace": "$0" }, { "input": "fortinet.dstip", "match": ".*", "output": "dst.ipaddress", "replace": "$0" }, { "input": "fortinet.dstip", "match": ".*", "output": "event.target", "replace": "$0" }, { "input": "fortinet.dstport", "match": ".*", "output": "dst_endpoint.port", "replace": "$0" }, { "input": "fortinet.dstport", "match": ".*", "output": "dst.port.number", "replace": "$0" }, { "input": "fortinet.dstmac", "match": ".*", "output": "dst_endpoint.mac", "replace": "$0" }, { "input": "fortinet.subtype", "match": ".*", "output": "activity_name", "replace": "$0" }, { "input": "fortinet.subtype", "match": ".*", "output": "activity_id", "replace": "$0" }, { "input": "fortinet.subtype", "match": ".*", "output": "event.type", "replace": "$0" }, { "input": "fortinet.severity", "match": ".*", "output": "severity_id", "replace": "99" }, { "input": "fortinet.severity", "match": "^information$", "output": "severity_id", "replace": "1" }, { "input": "fortinet.severity", "match": "^critical$", "output": "severity_id", "replace": "5" }, { "input": "fortinet.severity", "match": "^Emergency$", "output": "severity_id", "replace": "6" }, { "input": "fortinet.severity", "match": "^information$", "output": "severity_id", "replace": "1" }, { "input": "fortinet.severity", "match": "^critical$", "output": "severity_id", "replace": "5" }, { "input": "fortinet.severity", "match": "^Emergency$", "output": "severity_id", "replace": "6" }, { "input": "fortinet.action", "match": ".*", "output": "activity_name", "replace": "$0" }, { "input": "fortinet.action", "match": "^(accept|permit)$", "output": "activity_name", "replace": "Open" }, { "input": "fortinet.action", "match": "^(dropped|close|shutdown)$", "output": "activity_name", "replace": "Close" }, { "input": "fortinet.action", "match": "^clear_session", "output": "activity_name", "replace": "Reset" }, { "input": "fortinet.action", "match": "^(block|blocked)$", "output": "activity_name", "replace": "Refuse" }, { "input": "activity_name", "match": ".*", "output": "activity_id", "replace": "99" }, { "input": "activity_name", "match": "^Open", "output": "activity_id", "replace": "1" }, { "input": "activity_name", "match": "^Close", "output": "activity_id", "replace": "2" }, { "input": "activity_name", "match": "^Reset", "output": "activity_id", "replace": "3" }, { "input": "activity_name", "match": "^Refuse", "output": "activity_id", "replace": "5" }, { "input": "activity_name", "match": ".*", "output": "event.type", "replace": "$0" }, { "input": "fortinet.severity", "match": ".*", "output": "severity_id", "replace": "99" }, { "input": "fortinet.severity", "match": "^(information|Information)$", "output": "severity_id", "replace": "1" }, { "input": "fortinet.severity", "match": "^(critical|Critical)$", "output": "severity_id", "replace": "5" }, { "input": "fortinet.severity", "match": "^(emergency|Emergency)$", "output": "severity_id", "replace": "6" }, { "input": "activity_id", "match": "(.*)", "output": "type_uid", "replace": "40010$0" }, { "input": "activity_id", "match": "99", "output": "type_uid", "replace": "400199" }, { "input": "activity_name", "match": "(.*)", "output": "type_name", "replace": "Network Activity: $0" }, { "input": "fortinet.sentbyte", "match": "(.*)", "output": "traffic.bytes_in", "replace": "$0" }, { "input": "fortinet.rcvdbyte", "match": "(.*)", "output": "traffic.bytes_out", "replace": "$0" }, { "input": "message", "match": ".*srcip\\=(\\S+)\\s.*dstip\\=(\\S+)\\s.*dstmac\\=\"(.*?)\"\\s.*", "output": "observables", "replace": "\\[\\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"fortinet.srcip\"\\, \"value\"\\: \"$1\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"fortinet.dstip\"\\, \"value\"\\: \"$2\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"fortinet.dstmac\"\\, \"value\"\\: \"$3\"\\}\\]" } ] } ] }