Mirrors/marcredhat-siem-toolkit-patched
1
0
Fork 0
mirror of https://github.com/marcredhat/SIEM-toolkit-patched synced 2026-06-08 20:37:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
bfff0eeec0335d3081f5556ed7e99862242fb612
marcredhat-siem-toolkit-pat…/parsers/fortinet_fortigate_candidate_logs-latest
T
marc 7c1687efce Sync upstream features; preserve fork KV scanner, parsers, verifier 
Brought in 35 upstream commits (MITRE heatmap, health score, dependency map,
PowerQuery playground, onboarding tracker, product grouping, modern UI redesign).

Preserved fork additions:
  backend/routers/quality.py  KV scanner, pattern refs, JS keys, JSON mode,
                              /parsers + /sync-from-sdl endpoints
  parsers/                    96 OCSF + tenant parsers
  tools/stormshield-verify/   end-to-end ingest regression test
  .gitignore                  un-ignored parsers/*
  CHANGES.md, PATCHES.md
2026-05-22 18:19:52 +02:00

317 lines
8.9 KiB
Plaintext
Raw Blame History

{
/*
* A parser for Fortigate syslog.
*
* It will split every key/value pair to a field 'fortinet.fieldname'
* Uses rewrites to rewrite the field to OCSF field used by SentinelOne SDL
*
* Instructions:
*
* - Use the format "default" in FortiGate configuration:
* - ssh to fg device
* commands:
* config log syslogd settings
* set format default
* end
*
* - fill in site ID if you want the data to be surfaced in the context of a SITE, or remove the attribute below.
*
*
* Contributors: Mischa Deden <mischa.deden@sentinelone.com>, Jan Tietze <jant@sentinelone.com> (original parser)
*/
"patterns":
{
"dateTimePattern": "date=\\d+-\\d+-\\d+ time=\\d+:\\d+:\\d+"
},
"attributes":
{
"dataSource.category": "security",
"dataSource.name": "Fortigate",
"dataSource.vendor": "Fortinet"
},
"formats": [
{
"format": "^<$syslog.priority{parse=syslogPriority}$>$datetime=dateTimePattern$",
"rewrites": [
{
"input": "datetime",
"output": "timestamp",
"match": "date=(\\d+-\\d+-\\d+) time=(\\d+:\\d+:\\d+)",
"replace": "$1 $2"
}
]
}, {
"format": ".*$_=identifier$=$fortinet._=quoteOrSpace$",
"repeat": true,
"rewrites": [
{
"input": "fortinet.action",
"output": "event.network.connectionStatus",
"match": ".*",
"replace": "$0"
},
{
"input": "fortinet.subtype",
"output": "event.network.direction",
"match": ".*",
"replace": "$0"
},
{
"input": "fortinet.service",
"output": "event.network.protocolName",
"match": ".*",
"replace": "$0"
},
{
"input": "fortinet.srcip",
"match": ".*",
"output": "event.source",
"replace": "$0"
},
{
"input": "fortinet.srcip",
"match": ".*",
"output": "src_endpoint.ip",
"replace": "$0"
},
{
"input": "fortinet.srcport",
"match": ".*",
"output": "src_endpoint.port",
"replace": "$0"
},
{
"input": "fortinet.srcmac",
"match": ".*",
"output": "src_endpoint.mac",
"replace": "$0"
},
{
"input": "fortinet.dstip",
"match": ".*",
"output": "dst_endpoint.ip",
"replace": "$0"
},
{
"input": "fortinet.dstip",
"match": ".*",
"output": "dst.ipaddress",
"replace": "$0"
},
{
"input": "fortinet.dstip",
"match": ".*",
"output": "event.target",
"replace": "$0"
},
{
"input": "fortinet.dstport",
"match": ".*",
"output": "dst_endpoint.port",
"replace": "$0"
},
{
"input": "fortinet.dstport",
"match": ".*",
"output": "dst.port.number",
"replace": "$0"
},
{
"input": "fortinet.dstmac",
"match": ".*",
"output": "dst_endpoint.mac",
"replace": "$0"
},
{
"input": "fortinet.subtype",
"match": ".*",
"output": "activity_name",
"replace": "$0"
},
{
"input": "fortinet.subtype",
"match": ".*",
"output": "activity_id",
"replace": "$0"
},
{
"input": "fortinet.subtype",
"match": ".*",
"output": "event.type",
"replace": "$0"
},
{
"input": "fortinet.severity",
"match": ".*",
"output": "severity_id",
"replace": "99"
},
{
"input": "fortinet.severity",
"match": "^information$",
"output": "severity_id",
"replace": "1"
},
{
"input": "fortinet.severity",
"match": "^critical$",
"output": "severity_id",
"replace": "5"
},
{
"input": "fortinet.severity",
"match": "^Emergency$",
"output": "severity_id",
"replace": "6"
},
{
"input": "fortinet.severity",
"match": "^information$",
"output": "severity_id",
"replace": "1"
},
{
"input": "fortinet.severity",
"match": "^critical$",
"output": "severity_id",
"replace": "5"
},
{
"input": "fortinet.severity",
"match": "^Emergency$",
"output": "severity_id",
"replace": "6"
},
{
"input": "fortinet.action",
"match": ".*",
"output": "activity_name",
"replace": "$0"
},
{
"input": "fortinet.action",
"match": "^(accept|permit)$",
"output": "activity_name",
"replace": "Open"
},
{
"input": "fortinet.action",
"match": "^(dropped|close|shutdown)$",
"output": "activity_name",
"replace": "Close"
},
{
"input": "fortinet.action",
"match": "^clear_session",
"output": "activity_name",
"replace": "Reset"
},
{
"input": "fortinet.action",
"match": "^(block|blocked)$",
"output": "activity_name",
"replace": "Refuse"
},
{
"input": "activity_name",
"match": ".*",
"output": "activity_id",
"replace": "99"
},
{
"input": "activity_name",
"match": "^Open",
"output": "activity_id",
"replace": "1"
},
{
"input": "activity_name",
"match": "^Close",
"output": "activity_id",
"replace": "2"
},
{
"input": "activity_name",
"match": "^Reset",
"output": "activity_id",
"replace": "3"
},
{
"input": "activity_name",
"match": "^Refuse",
"output": "activity_id",
"replace": "5"
},
{
"input": "activity_name",
"match": ".*",
"output": "event.type",
"replace": "$0"
},
{
"input": "fortinet.severity",
"match": ".*",
"output": "severity_id",
"replace": "99"
},
{
"input": "fortinet.severity",
"match": "^(information|Information)$",
"output": "severity_id",
"replace": "1"
},
{
"input": "fortinet.severity",
"match": "^(critical|Critical)$",
"output": "severity_id",
"replace": "5"
},
{
"input": "fortinet.severity",
"match": "^(emergency|Emergency)$",
"output": "severity_id",
"replace": "6"
},
{
"input": "activity_id",
"match": "(.*)",
"output": "type_uid",
"replace": "40010$0"
},
{
"input": "activity_id",
"match": "99",
"output": "type_uid",
"replace": "400199"
},
{
"input": "activity_name",
"match": "(.*)",
"output": "type_name",
"replace": "Network Activity: $0"
},
{
"input": "fortinet.sentbyte",
"match": "(.*)",
"output": "traffic.bytes_in",
"replace": "$0"
},
{
"input": "fortinet.rcvdbyte",
"match": "(.*)",
"output": "traffic.bytes_out",
"replace": "$0"
},
{
"input": "message",
"match": ".*srcip\\=(\\S+)\\s.*dstip\\=(\\S+)\\s.*dstmac\\=\"(.*?)\"\\s.*",
"output": "observables",
"replace": "\\[\\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"fortinet.srcip\"\\, \"value\"\\: \"$1\"\\}\\, \\{\"type_id\"\\: \"2\"\\, \"type\"\\: \"IP Address\"\\, \"name\"\\: \"fortinet.dstip\"\\, \"value\"\\: \"$2\"\\}\\, \\{\"type_id\"\\: \"3\"\\, \"type\"\\: \"MAC Address\"\\, \"name\"\\: \"fortinet.dstmac\"\\, \"value\"\\: \"$3\"\\}\\]"
}
]
}
]
}
Reference in New Issue View Git Blame Copy Permalink