Closed glonghi34 closed 3 months ago
This will be easy to add. I thought I had added every single reference to IP from the official Wazuh decoders, but I seem to have missed the rather unconventional naming "remip", "remport" etc.
Attached is a printout of Wazuh with the data.remip/remip field.
Basically this is a VPN connection log. It would be incredible to have this crossover. It is based on Wazuh rule 81622.
Should I wait for new updates from you, or can I make the adjustment here in my environment?
If you're comfortable editing the source and building the connector manually, you can add data.remip to this array. That will make the connector search in remip. Assuming you're using Docker, you'll have to replace "image:" with "build: context: ." and have the source in the same directory as your docker-compose.yml file. Or, of course, create the image and make it available in your environment somehow. Otherwise I suggest waiting until I've implemented it.
The enrichment module should also be made aware of the missing field names (not just remip), but I'll implement that.
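The comment above describes the mechanism (the connector searches a fixed list of alert field names for IP addresses, so the Fortigate field data.remip has to be added to that list). The following is an added example, not the connector's own code: the field list, the dotted-path lookup and the `find_ips` helper are assumptions written for illustration, as is the sample alert, which is constructed in the shape of a Wazuh Fortigate VPN event and is not a real log. It goes slightly beyond the thread by validating each value with `ipaddress` and skipping non-routable addresses, since a private or malformed value is not worth an OpenCTI lookup.

```python
"""Added example (not the wazuh-opencti connector's code): resolve a list of
dotted Wazuh alert field paths to IP addresses worth searching in OpenCTI."""
import ipaddress
import json

# Hypothetical field list modelled on the thread: the connector looks for IPs
# in a fixed set of alert fields. data.remip is the Fortigate VPN remote IP
# discussed in the thread (Wazuh rule 81622); the other paths are assumptions.
IP_FIELDS = [
    "data.srcip",
    "data.dstip",
    "data.remip",  # Fortigate VPN: unconventional "remip"/"remport" naming
]


def get_path(obj, path):
    """Walk a dotted path through nested dicts; return None if any step is missing."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def find_ips(alert, fields=IP_FIELDS, public_only=True):
    """Return (field, ip) pairs for every listed field that holds a valid IP.

    Non-IP values (hostnames, empty strings) are skipped. With public_only set,
    loopback, link-local, RFC 1918 and other non-global addresses are skipped
    too: they cannot meaningfully be matched against threat intelligence and
    would only generate noise in the enrichment step.
    """
    found = []
    for field in fields:
        value = get_path(alert, field)
        if not isinstance(value, str):
            continue
        try:
            ip = ipaddress.ip_address(value.strip())
        except ValueError:
            continue
        if public_only and not ip.is_global:
            continue
        found.append((field, str(ip)))
    return found


# Constructed sample alert (not a captured log) in the shape of a Wazuh
# Fortigate VPN event. 8.8.8.8 is a well-known public resolver used here only
# as a stand-in for a routable remote address; the RFC 1918 srcip shows the
# public_only filter at work.
SAMPLE_ALERT = json.loads("""{
  "rule": {"id": "81622", "description": "Fortigate: VPN user login"},
  "data": {"action": "tunnel-up", "remip": "8.8.8.8", "remport": "50123",
           "srcip": "192.168.10.5", "user": "jdoe"}
}""")

if __name__ == "__main__":
    print(find_ips(SAMPLE_ALERT))  # [('data.remip', '8.8.8.8')]
```

The docker-compose change the comment mentions (swapping `image:` for a `build:` with `context: .`) is separate from this and simply makes Compose build the modified source instead of pulling the published image.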
Thank you very much for your feedback.
I'm using your connector a lot. I will wait for your update. Amazing work.
Hello,
I would like to search by the field: data.remip
I use this field to verify Fortigate VPN logins. How do I add this verification field to the Wazuh-OpenCTI Connector?
Thank you very much.