ocsf / ocsf-schema

OCSF Schema
Apache License 2.0

adding state_id IDs #1132

Open SashaSelin opened 1 week ago

SashaSelin commented 1 week ago

Related Issue: Missing enable/disable state Ids

Description of changes: added state IDs to the Device Config State Change class.

Signed-off-by: Sasha Selin (Cyrebro) (sasha.selin@cyrebro.io)

Following closed PR #1076 (https://github.com/ocsf/ocsf-schema/pull/1076), I've created a new PR to create the disable/enable state for the "device_config_state_change" class.

The state "disable/enable" is very common when it comes to FortiGate logs, especially where subtype="system" and action="add". The "status" field on this type of log represents the "cfgattr" (Configuration value changed) status.

Raw log for example:

```
<118>date=2024-05-01 time=11:43:38 devname="Test for OCSF" devid="FG11256985563" eventtime=1714553018203018280 tz="+0300" logid="0100044547" type="event" subtype="system" level="information" vd="North" logdesc="Object attribute configured" user="SashaS" ui="GUI(192.168.190.54)" action="Add" cfgtid=10691505 cfgpath="firewall.policy" cfgobj="136" cfgattr="status[disable]srcintf[OCSF-Test]dstintf[OCSF-Test]srcaddr[Sasha-selin-ocsf-test]dstaddr[Sasha-selin]srcaddr6[]dstaddr6[]src-vendor-mac[]action[accept]schedule[always]service[RDP]groups[]users[]fsso-groups[]comments[ (Copy of 148)]custom-log-fields[]" msg="Add firewall.policy 136"
```
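As an added example (not code from this PR or from the OCSF project), the following Python shows how the FortiGate `cfgattr` field above is unpacked into its `name[value]` attributes and how the `status` value would feed a state mapping; the `STATE_LABELS` table and the `config_state` helper are assumptions, since the PR text does not reproduce the numeric state_id values it adds.

```python
import re

# FortiGate key=value syslog body: values are either double-quoted
# (may contain spaces and parentheses) or bare tokens up to whitespace.
_KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')
# cfgattr packs attributes as name[value] with no separators,
# e.g. status[disable]srcintf[OCSF-Test]; values may be empty.
_ATTR_RE = re.compile(r'([\w-]+)\[([^\]]*)\]')

# Assumed mapping of the FortiGate status value to an enable/disable
# state label; the PR adds the corresponding state_id values to the
# device_config_state_change class, which are not reproduced here.
STATE_LABELS = {"enable": "Enabled", "disable": "Disabled"}

# Sample input: the raw log quoted in the PR, minus the trailing attachment.
SAMPLE_LOG = (
    '<118>date=2024-05-01 time=11:43:38 devname="Test for OCSF" '
    'devid="FG11256985563" eventtime=1714553018203018280 tz="+0300" '
    'logid="0100044547" type="event" subtype="system" level="information" '
    'vd="North" logdesc="Object attribute configured" user="SashaS" '
    'ui="GUI(192.168.190.54)" action="Add" cfgtid=10691505 '
    'cfgpath="firewall.policy" cfgobj="136" '
    'cfgattr="status[disable]srcintf[OCSF-Test]dstintf[OCSF-Test]'
    'srcaddr[Sasha-selin-ocsf-test]dstaddr[Sasha-selin]srcaddr6[]dstaddr6[]'
    'src-vendor-mac[]action[accept]schedule[always]service[RDP]groups[]users[]'
    'fsso-groups[]comments[ (Copy of 148)]custom-log-fields[]" '
    'msg="Add firewall.policy 136"'
)

def parse_fortigate(line: str) -> dict:
    """Split a FortiGate raw log into a dict, dropping the syslog <PRI> prefix."""
    body = re.sub(r'^<\d+>', '', line.strip())
    fields = {}
    for key, value in _KV_RE.findall(body):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def parse_cfgattr(cfgattr: str) -> dict:
    """Unpack the bracketed name[value] pairs carried in cfgattr."""
    return dict(_ATTR_RE.findall(cfgattr))

def config_state(line: str):
    """Return (cfgpath/cfgobj, state label) for a system config change, else None."""
    f = parse_fortigate(line)
    if f.get("type") != "event" or f.get("subtype") != "system":
        return None
    status = parse_cfgattr(f.get("cfgattr", "")).get("status")
    if status not in STATE_LABELS:
        return None  # attribute change that does not touch enable/disable
    return (f"{f.get('cfgpath')}/{f.get('cfgobj')}", STATE_LABELS[status])
```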