wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Create Fortinet decoder #15850

Closed cborla closed 1 year ago

cborla commented 1 year ago
| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 5.0.0 | Engine | Manager | Packages/Sources | OS version |

Description

It is necessary to extend the coverage of our ruleset, so a Fortinet decoder will be written for this purpose.

In addition, the creation of this decoder will be used to identify those functionalities that need to be expanded or improved for a better writing of the decoders.

There are four kinds of events.

  1. Client endpoint
  2. Firewall
  3. Fortimail
  4. Fortimanager

Proposed filenames

  1. wazuh/src/engine/ruleset/decoders/fortinet/fortinet.yml
  2. wazuh/src/engine/ruleset/decoders/fortinet/client_endpoint.yml
  3. wazuh/src/engine/ruleset/decoders/fortinet/firewall.yml
  4. wazuh/src/engine/ruleset/decoders/fortinet/fortimail.yml
  5. wazuh/src/engine/ruleset/decoders/fortinet/fortimanager.yml

Fortinet documentation

DoD

soynof commented 1 year ago

Field Mapping Fortinet Client Endpoint

| ecs field | value | wazuh field | reason |
|---|---|---|---|
| destination.ip | "10.102.123.34" | destination.ip | |
| destination.port | 3994 | destination.port | |
| event.action | "deny" | event.action | |
| event.code | "http" | event.code | |
| event.dataset | "fortinet.clientendpoint" | event.dataset | |
| event.module | "fortinet" | event.module | |
| event.original | "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure" | event.original | |
| event.outcome | "failure" | event.outcome | |
| fileset.name | "clientendpoint" | fileset.name | Custom field, should use apache fields schema |
| host.name | "boNemoe4402.www.invalid" | host.name | |
| input.type | "log" | input.type | Custom field, should use apache fields schema |
| log.offset | 0 | XXX | Not implemented |
| network.direction | "external" | network.direction | |
| network.protocol | "udp" | network.protocol | |
| observer.product | "FortiClient" | observer.product | |
| observer.type | "Anti-Virus" | observer.type | |
| observer.vendor | "Fortinet" | observer.vendor | |
| process.pid | 7880 | process.pid | |
| related.hosts | "10.102.123.34", "10.150.92.220" | related.hosts | |
| related.user | "sumdo" | related.user | |
| rsa.counters.dclass_c1 | 5286 | rsa.counters.dclass_c1 | Custom field, should use apache fields schema |
| rsa.counters.dclass_c1_str | "block_count" | rsa.counters.dclass_c1_str | Custom field, should use apache fields schema |
| rsa.internal.messageid | "http" | rsa.internal.messageid | Custom field, should use apache fields schema |
| rsa.investigations.ec_outcome | "http" | rsa.internal.messageid | Custom field, should use apache fields schema |
| rsa.investigations.ec_subject | "NetworkComm" | rsa.investigations.ec_subject | Custom field, should use apache fields schema |
| rsa.investigations.ec_theme | "ALM" | rsa.investigations.ec_theme | Custom field, should use apache fields schema |
| rsa.misc.action | "deny" | rsa.misc.action | Custom field, should use apache fields schema |
| rsa.misc.result | "failure" | rsa.misc.result | Custom field, should use apache fields schema |
| rsa.network.alias_host | "boNemoe4402.www.invalid" | rsa.network.alias_host | Custom field, should use apache fields schema |
| rsa.network.domain | "litesse6379.api.domain" | network.protocol | Custom field, should use apache fields schema |
| rsa.network.network_service | "http" | rsa.network.network_service | Custom field, should use apache fields schema |
| server.domain | "litesse6379.api.domain" | server.domain | |
| server.registered_domain | "api.domain" | server.registered_domain | |
| server.subdomain | "litesse6379" | server.subdomain | |
| server.top_level_domain | "domain" | server.top_level_domain | |
| service.type | "fortinet" | service.type | |
| source.ip | "10.150.92.220" | source.ip | |
| source.port | 7178 | source.port | |
| tags | "fortinet.clientendpoint", "forwarded" | tags | |
| user.name | "sumdo" | user.name | |

soynof commented 1 year ago


Field Mapping Fortinet Firewall

| ecs field | value | wazuh field | reason |
|---|---|---|---|
| @timestamp | "2020-04-23T12:32:48.000-05:00" | @timestamp | |
| event.action | "FSSO-logon" | event.action | |
| event.category | "authentication" | event.category | |
| event.reason | malformed input | event.reason | |
| event.code | "0102043014" | event.code | |
| event.dataset | "fortinet.firewall" | event.dataset | |
| event.kind | "event" | event.kind | |
| event.module | "fortinet" | event.module | |
| event.outcome | "success" | event.outcome | |
| event.start | "2020-04-18T12:32:48.439-05:00" | event.start | |
| event.timezone | "-0500" | event.timezone | |
| event.duration | 22 | event.duration | |
| event.type | "user" | event.type | |
| event.reference | http://www.fortinet.com/ids/VID16777316 | event.reference | |
| fileset.name | "firewall" | fileset.name | Custom field, should use apache fields schema |
| fortinet.firewall.action | "FSSO-logon" | fortinet.firewall.action | Custom field, should use apache fields schema |
| fortinet.firewall.type | utm | fortinet.firewall.type | Custom field, should use apache fields schema |
| fortinet.firewall.addrgrp | FCTEMS0000011111_AV-Running | fortinet.firewall.addrgrp | Custom field, should use apache fields schema |
| fortinet.firewall.action | FSSO-logon | fortinet.firewall.action | Custom field, should use apache fields schema |
| fortinet.firewall.fctemssn | FCTEMS0000011111 | fortinet.firewall.fctemssn | Custom field, should use apache fields schema |
| fortinet.firewall.server | "elasticserver" | fortinet.firewall.server | Custom field, should use apache fields schema |
| fortinet.firewall.craction | 1050 | fortinet.firewall.craction | Custom field, should use apache fields schema |
| fortinet.firewall.subtype | "user" | fortinet.firewall.subtype | Custom field, should use apache fields schema |
| fortinet.firewall.crlevel | high | fortinet.firewall.crlevel | Custom field, should use apache fields schema |
| fortinet.firewall.vd | "root" | fortinet.firewall.vd | Custom field, should use apache fields schema |
| fortinet.firewall.crscore | 5 | fortinet.firewall.crscore | Custom field, should use apache fields schema |
| fortinet.firewall.dstcountry | Reserved | fortinet.firewall.dstcountry | Custom field, should use apache fields schema |
| fortinet.firewall.srccountry | Reserved | fortinet.firewall.srccountry | Custom field, should use apache fields schema |
| fortinet.firewall.dstintfrole | lan | fortinet.firewall.dstintfrole | Custom field, should use apache fields schema |
| fortinet.firewall.sessionid | 155313 | fortinet.firewall.sessionid | Custom field, should use apache fields schema |
| fortinet.firewall.srcintfrole | lan | fortinet.firewall.srcintfrole | Custom field, should use apache fields schema |
| fortinet.firewall.trandisp | noop | fortinet.firewall.trandisp | Custom field, should use apache fields schema |
| fortinet.firewall.method | domain | fortinet.firewall.method | Custom field, should use apache fields schema |
| fortinet.firewall.profile | elasticruleset | fortinet.firewall.profile | Custom field, should use apache fields schema |
| fortinet.firewall.sn | 1234 | fortinet.firewall.sn | Custom field, should use apache fields schema |
| fortinet.firewall.connection_type | sslvpn | fortinet.firewall.connection_type | Custom field, should use apache fields schema |
| fortinet.firewall.count | 2 | fortinet.firewall.count | Custom field, should use apache fields schema |
| fortinet.firewall.fctuid | 645234fdd01F885824F764 | fortinet.firewall.fctuid | Custom field, should use apache fields schema |
| fortinet.firewall.ip | 172.16.0.2 | fortinet.firewall.ip | Custom field, should use apache fields schema |
| fortinet.firewall.license_limit | unlimited | fortinet.firewall.license_limit | Custom field, should use apache fields schema |
| fortinet.firewall.name | somerouter | fortinet.firewall.name | Custom field, should use apache fields schema |
| fortinet.firewall.cookies | 125cbf9ee8349965/0000000000000000 | fortinet.firewall.cookies | Custom field, should use apache fields schema |
| fortinet.firewall.init | local | fortinet.firewall.init | Custom field, should use apache fields schema |
| fortinet.firewall.mode | aggressive | fortinet.firewall.mode | Custom field, should use apache fields schema |
| fortinet.firewall.outintf | port1 | fortinet.firewall.outintf | Custom field, should use apache fields schema |
| fortinet.firewall.result | OK | fortinet.firewall.result | Custom field, should use apache fields schema |
| fortinet.firewall.role | initiator | fortinet.firewall.role | Custom field, should use apache fields schema |
| fortinet.firewall.stage | 1 | fortinet.firewall.stage | Custom field, should use apache fields schema |
| fortinet.firewall.peer_notif | NOT-APPLICABLE | fortinet.firewall.peer_notif | Custom field, should use apache fields schema |
| fortinet.firewall.bandwidth | 23/4 | fortinet.firewall.bandwidth | Custom field, should use apache fields schema |
| fortinet.firewall.cpu | 0 | fortinet.firewall.cpu | Custom field, should use apache fields schema |
| fortinet.firewall.disk | 0 | fortinet.firewall.disk | Custom field, should use apache fields schema |
| fortinet.firewall.disklograte | 0 | fortinet.firewall.disklograte | Custom field, should use apache fields schema |
| fortinet.firewall.fazlograte | 0 | fortinet.firewall.fazlograte | Custom field, should use apache fields schema |
| fortinet.firewall.freediskstorage | 331 | fortinet.firewall.freediskstorage | Custom field, should use apache fields schema |
| fortinet.firewall.mem | 10 | fortinet.firewall.mem | Custom field, should use apache fields schema |
| fortinet.firewall.setuprate | 0 | fortinet.firewall.setuprate | Custom field, should use apache fields schema |
| fortinet.firewall.sysuptime | 25170 | fortinet.firewall.sysuptime | Custom field, should use apache fields schema |
| fortinet.firewall.totalsession | 23 | fortinet.firewall.totalsession | Custom field, should use apache fields schema |
| fortinet.firewall.authproto | TELNET(10.1.100.11) | fortinet.firewall.authproto | Custom field, should use apache fields schema |
| fortinet.firewall.interface | port10 | fortinet.firewall.interface | Custom field, should use apache fields schema |
| fortinet.firewall.status | success | fortinet.firewall.status | Custom field, should use apache fields schema |
| fortinet.firewall.tunnelid | 2 | fortinet.firewall.tunnelid | Custom field, should use apache fields schema |
| fortinet.firewall.tunnelip | 10.10.10.10 | fortinet.firewall.tunnelip | Custom field, should use apache fields schema |
| fortinet.firewall.tunneltype | ssl-tunnel | fortinet.firewall.tunneltype | Custom field, should use apache fields schema |
| fortinet.firewall.ui | ssh(172.16.200.254) | fortinet.firewall.ui | Custom field, should use apache fields schema |
| fortinet.firewall.vd | root | fortinet.firewall.vd | Custom field, should use apache fields schema |
| fortinet.firewall.used_for_type | 4 | fortinet.firewall.used_for_type | Custom field, should use apache fields schema |
| fortinet.firewall.vpntunnel | elasticvpn | fortinet.firewall.vpntunnel | Custom field, should use apache fields schema |
| fortinet.firewall.authserver | FSSO_elastiauth | fortinet.firewall.authserver | Custom field, should use apache fields schema |
| fortinet.firewall.version | 1.522479 | fortinet.firewall.version | Custom field, should use apache fields schema |
| fortinet.firewall.applist | policylist | fortinet.firewall.applist | Custom field, should use apache fields schema |
| fortinet.firewall.app | icmp6/25/0 | fortinet.firewall.app | Custom field, should use apache fields schema |
| fortinet.firewall.rcvddelta | 728 | fortinet.firewall.rcvddelta | Custom field, should use apache fields schema |
| fortinet.firewall.sentdelta | 576 | fortinet.firewall.sentdelta | Custom field, should use apache fields schema |
| fortinet.firewall.vwlid | 0 | fortinet.firewall.vwlid | Custom field, should use apache fields schema |
| fortinet.firewall.identifier | 0 | fortinet.firewall.identifier | Custom field, should use apache fields schema |
| fortinet.firewall.appid | 43540 | fortinet.firewall.appid | Custom field, should use apache fields schema |
| fortinet.firewall.apprisk | elevated | fortinet.firewall.apprisk | Custom field, should use apache fields schema |
| fortinet.firewall.appact | detected | fortinet.firewall.appact | Custom field, should use apache fields schema |
| fortinet.firewall.vwlquality | Seq_num(3), alive, selected | fortinet.firewall.vwlquality | Custom field, should use apache fields schema |
| fortinet.firewall.wanin | 1130 | fortinet.firewall.wanin | Custom field, should use apache fields schema |
| fortinet.firewall.wanout | 1130 | fortinet.firewall.wanout | Custom field, should use apache fields schema |
| fortinet.firewall.lanin | 1130 | fortinet.firewall.lanin | Custom field, should use apache fields schema |
| fortinet.firewall.lanout | 1130 | fortinet.firewall.lanout | Custom field, should use apache fields schema |
| fortinet.firewall.mastersrcmac | a2:e9:00:ec:40:01 | fortinet.firewall.mastersrcmac | Custom field, should use apache fields schema |
| fortinet.firewall.srcmac | a2:e9:00:ec:40:01 | fortinet.firewall.srcmac | Custom field, should use apache fields schema |
| fortinet.firewall.srcserver | 0 | fortinet.firewall.srcserver | Custom field, should use apache fields schema |
| fortinet.firewall.dstuuid | ae28f494-5735-51e9-f247-d1d2ce663f4b | fortinet.firewall.dstuuid | Custom field, should use apache fields schema |
| fortinet.firewall.srcuuid | ae28f494-5735-51e9-f247-d1d2ce663f4b | fortinet.firewall.srcuuid | Custom field, should use apache fields schema |
| fortinet.firewall.devcategory | None | fortinet.firewall.devcategory | Custom field, should use apache fields schema |
| fortinet.firewall.devtype | Unknown | fortinet.firewall.devtype | Custom field, should use apache fields schema |
| fortinet.firewall.countdlp | 1 | fortinet.firewall.countdlp | Custom field, should use apache fields schema |
| fortinet.firewall.cat | 76 | fortinet.firewall.cat | Custom field, should use apache fields schema |
| fortinet.firewall.eventtype | ftgd_blk | fortinet.firewall.eventtype | Custom field, should use apache fields schema |
| fortinet.firewall.method | domain | fortinet.firewall.method | Custom field, should use apache fields schema |
| fortinet.firewall.reqtype | direct | fortinet.firewall.reqtype | Custom field, should use apache fields schema |
| fortinet.firewall.incidentserialno | 23465 | fortinet.firewall.incidentserialno | Custom field, should use apache fields schema |
| fortinet.firewall.qtypeval | 1 | fortinet.firewall.qtypeval | Custom field, should use apache fields schema |
| fortinet.firewall.analyticscksum | 275a021bbfb6489e54d471899f7db9d1663fc69... | fortinet.firewall.analyticscksum | Custom field, should use apache fields schema |
| fortinet.firewall.analyticssubmit | false | fortinet.firewall.analyticssubmit | Custom field, should use apache fields schema |
| fortinet.firewall.quarskip | File-was-not-quarantined. | fortinet.firewall.quarskip | Custom field, should use apache fields schema |
| fortinet.firewall.virus | EICAR_TEST_FILE | fortinet.firewall.virus | Custom field, should use apache fields schema |
| fortinet.firewall.virusid | 2172 | fortinet.firewall.virusid | Custom field, should use apache fields schema |
| fortinet.firewall.attack | Adobe.Flash.newfunction.Handling.Code.Execution | fortinet.firewall.attack | Custom field, should use apache fields schema |
| fortinet.firewall.attackid | 23305 | fortinet.firewall.attackid | Custom field, should use apache fields schema |
| fortinet.firewall.severity | critical | fortinet.firewall.severity | Custom field, should use apache fields schema |
| fortinet.firewall.icmpcode | 0x00 | fortinet.firewall.icmpcode | Custom field, should use apache fields schema |
| fortinet.firewall.icmpid | 0x1474 | fortinet.firewall.icmpid | Custom field, should use apache fields schema |
| fortinet.firewall.icmptype | 0x08 | fortinet.firewall.icmptype | Custom field, should use apache fields schema |
| fortinet.firewall.policytype | DoS-policy | fortinet.firewall.policytype | Custom field, should use apache fields schema |
| fortinet.firewall.dlpextra | dlp-file-size11 | fortinet.firewall.dlpextra | Custom field, should use apache fields schema |
| fortinet.firewall.epoch | 1740880646 | fortinet.firewall.epoch | Custom field, should use apache fields schema |
| fortinet.firewall.filtercat | file | fortinet.firewall.filtercat | Custom field, should use apache fields schema |
| fortinet.firewall.filteridx | 1 | fortinet.firewall.filteridx | Custom field, should use apache fields schema |
| fortinet.firewall.filtertype | file-type | fortinet.firewall.filtertype | Custom field, should use apache fields schema |
| fortinet.firewall.channeltype | shell | fortinet.firewall.channeltype | Custom field, should use apache fields schema |
| fortinet.firewall.login | root | fortinet.firewall.login | Custom field, should use apache fields schema |
| fortinet.firewall.certhash | 1115ec1857ed7f937301ff5e02f6b0681cf2ec4e | fortinet.firewall.certhash | Custom field, should use apache fields schema |
| fortinet.firewall.quarskip | File-was-not-quarantined | fortinet.firewall.quarskip | Custom field, should use apache fields schema |
| url.domain | lhsp.s206.xrea.com | url.domain | |
| url.original | http://lhsp.s206.xrea.com/download/eicar_test_virus.zip | url.original | |
| url.path | /download/eicar_test_virus.zip | url.path | |
| url.scheme | http | url.scheme | |
| input.type | "log" | input.type | Custom field, should use apache fields schema |
| log.level | "notice" | log.level | |
| log.offset | 0 | log.offset | Not implemented |
| message | FSSO-logon event from FSSO_elasticserver: user elasticouser logged on 10.10.10.10 | message | |
| network.application | icmp6/25/0 | network.application | |
| network.type | "ipv4" | network.type | |
| network.iana_number | 6 | network.iana_number | |
| network.protocol | HTTP | network.protocol | |
| network.bytes | 3874 | network.bytes | |
| network.direction | outbound | network.direction | |
| observer.name | "testswitch3" | observer.name | |
| observer.product | "Fortigate" | observer.product | |
| observer.serial_number | "someotherrouteridagain" | observer.serial_number | |
| observer.type | "firewall" | observer.type | |
| observer.vendor | "Fortinet" | observer.vendor | |
| observer.ingress.interface.name | port25 | observer.ingress.interface.name | |
| observer.egress.interface.name | port3 | observer.egress.interface.name | |
| related.ip | "10.10.10.10" | related.ip | |
| related.user | "elasticouser" | related.user | |
| related.hosts | elastic.example.com | related.hosts | |
| rule.id | 1 | rule.id | |
| rule.description | "FSSO logon authentication status" | rule.description | |
| rule.name | elasticnewruleset | rule.name | |
| rule.uuid | d8ce7a90-7763-51e9-e2be-741294c96f31 | rule.uuid | |
| rule.category | Web-based Email | rule.category | |
| rule.ruleset | DoS-policy | rule.ruleset | |
| service.type | "fortinet" | service.type | |
| source.ip | "10.150.92.220" | source.ip | |
| source.port | 80 | source.port | |
| source.nat.ip | 67.43.156.12 | source.nat.ip | |
| source.nat.port | 80 | source.nat.port | |
| source.packets | 4 | source.packets | |
| source.user.name | "elasticouser" | source.user.name | |
| source.user.group.name | elasticgroup2 | source.user.group.name | |
| source.bytes | 84 | source.bytes | |
| source.mac | a2:e9:00:ec:40:01 | source.mac | |
| tags | "fortinet-firewall", "forwarded" | tags | |
| destination.packets | 8 | destination.packets | |
| destination.bytes | 10 | destination.bytes | |
| destination.ip | 67.43.156.12 | destination.ip | |
| destination.port | 80 | destination.port | |
| dns.resolved_ip | 67.43.156.12 | dns.resolved_ip | |
| dns.id | 2234 | dns.id | |
| dns.question.class | IN | dns.question.class | |
| dns.question.name | elastic.example.com | dns.question.name | |
| dns.question.type | A | dns.question.type | |
| tls.server.x509.subject.common_name | test.elastic.co | tls.server.x509.subject.common_name | |
| tls.server.x509.issuer.common_name | DigiCert SHA2 High Assurance Server CA | tls.server.x509.issuer.common_name | |
| tls.server.issuer | DigiCert SHA2 High Assurance Server CA | tls.server.issuer | |
| user_agent.name | curl | user_agent.name | |
| user_agent.original | curl/7.47.0 | user_agent.original | |
| user_agent.version | 7.47.0 | user_agent.version | |
| vulnerability.category | Virus | vulnerability.category | |
| file.extension | pdf | file.extension | |
| file.name | FortiOS_6.2.0_Log_Reference.pdf | file.name | |
| file.size | 12345 | file.size | |


soynof commented 1 year ago

Field Mapping Fortinet Fortimanager

| ecs field | value | wazuh field | reason |
|---|---|---|---|
| destination.bytes | 3879 | destination.bytes | |
| destination.geo.country_name | ation | destination.geo.country_name | |
| destination.ip | 10.171.204.166 | destination.ip | |
| destination.nat.ip | 10.53.110.111 | destination.nat.ip | |
| destination.nat.port | 2549 | destination.nat.port | |
| destination.port | 6668 | destination.port | |
| event.action | accept | event.action | |
| event.code | atio | event.code | |
| event.dataset | fortinet.fortimanager | event.dataset | Forced |
| event.module | fortinet | event.module | Forced |
| event.timezone | CEST | event.timezone | |
| fileset.name | fortimanager | fileset.name | Custom Forced |
| host.name | aer445.host | host.name | |
| http.request.referrer | https://api.example.org/tamremap/tur.html?radipis=isetq#estqui | http.request.referrer | |
| input.type | log | input.type | Custom Forced |
| log.level | high | log.level | |
| log.offset | 593 | log.offset | Custom |
| network.bytes | 10257 | network.bytes | |
| network.direction | external | network.direction | |
| network.protocol | TCP | network.protocol | |
| observer.egress.interface.name | enp0s2581 | observer.egress.interface.name | |
| observer.ingress.interface.name | enp0s208 | observer.ingress.interface.name | |
| observer.product | FortiManager | observer.product | Forced |
| observer.serial_number | tur | observer.serial_number | |
| observer.type | Configuration | observer.type | |
| observer.vendor | Fortinet | observer.vendor | Forced |
| observer.version | 1.41 | observer.version | |
| related.hosts__001 | aer445.host | related.hosts__001 | Custom |
| related.hosts__002 | mvolu | related.hosts__002 | Custom |
| related.hosts__003 | pisciv | related.hosts__003 | Custom |
| related.ip__001 | 10.171.204.166 | related.ip__001 | Custom |
| related.ip__002 | 10.62.4.246 | related.ip__002 | Custom |
| related.user__- | oluptas | related.user__- | Custom |
| rsa.db.index | taevi | rsa.db.index | Custom |
| rsa.internal.event_desc | com | rsa.internal.event_desc | Custom |
| related.ip__003 | 10.53.110.111 | related.ip__003 | Custom |
| rsa.internal.messageid | generic_fortinetmgr | rsa.internal.messageid | Forced |
| rsa.investigations.event_vcat | eius | rsa.investigations.event_vcat | Custom |
| rsa.misc.OS | anonnu | rsa.misc.OS | Custom |
| rsa.misc.action__001 | accept | rsa.misc.action__001 | Custom |
| rsa.misc.action__002 | mol | rsa.misc.action__002 | Custom |
| rsa.misc.category | exe | rsa.misc.category | Custom |
| rsa.misc.client | radip | rsa.misc.client | Custom |
| rsa.misc.context | nibus | rsa.misc.context | Custom |
| rsa.misc.event_source | pisciv | rsa.misc.event_source | Custom |
| rsa.misc.event_type | umexe | rsa.misc.event_type | Custom |
| rsa.misc.fcatnum | byC | rsa.misc.fcatnum | Custom |
| rsa.misc.filter | tinculp | rsa.misc.filter | Custom |
| rsa.misc.hardware_id | tur | rsa.misc.hardware_id | Custom |
| rsa.misc.log_session_id | tNequ | rsa.misc.log_session_id | Custom |
| rsa.misc.obj_name | uaturQ | rsa.misc.obj_name | Custom |
| rsa.misc.policy_id | uidolor | rsa.misc.policy_id | Custom |
| rsa.misc.policy_name | ionofde | rsa.misc.policy_name | Custom |
| rsa.misc.reference_id | atio | rsa.misc.reference_id | Custom |
| rsa.misc.rule_name | eumiu | rsa.misc.rule_name | Custom |
| rsa.misc.severity | high | rsa.misc.severity | Custom |
| rsa.network.domain | xplicabo4308.www.example | rsa.network.domain | Custom |
| rsa.misc.sig_id | 6728 | rsa.misc.sig_id | Custom |
| rsa.misc.version | 1.41 | rsa.misc.version | Custom |
| rsa.misc.vsys | iatnu | rsa.misc.vsys | Custom |
| rsa.network.alias_host__- | aer445.host | rsa.network.alias_host__- | Custom |
| rsa.network.dinterface | enp0s2581 | rsa.network.dinterface | Custom |
| rsa.network.network_service | emape | rsa.network.network_service | Custom |
| rsa.network.sinterface | enp0s208 | rsa.network.sinterface | Custom |
| rsa.threat.threat_desc | sum | rsa.threat.threat_desc | Custom |
| rsa.time.duration_time | 72.226 | rsa.time.duration_time | Custom |
| rsa.time.event_time | 2016-02-12T03:12:33.000Z | rsa.time.event_time | Custom |
| server.domain | xplicabo4308.www.example | server.domain | |
| server.registered_domain | www.example | server.registered_domain | |
| server.subdomain | xplicabo4308 | server.subdomain | |
| server.top_level_domain | example | server.top_level_domain | |
| rsa.time.timezone | CEST | rsa.time.timezone | Custom |
| rsa.time.event_time_str | onemul | rsa.time.event_time_str | Custom |
| rsa.web.reputation_num | 145.047 | rsa.web.reputation_num | Custom |
| rsa.web.web_ref_domain | mvolu | rsa.web.web_ref_domain | Custom |
| rule.name | eumiu | rule.name | |
| service.type | fortinet | service.type | Forced |
| source.bytes | 6378 | source.bytes | |
| source.geo.country_name | tconsec | source.geo.country_name | |
| source.ip | 10.62.4.246 | source.ip | |
| source.mac | 01:00:5e:84:66:6c | source.mac | |
| source.port | 189 | source.port | |
| tags__001 | fortinet.fortimanager | tags__001 | |
| tags__002 | forwarded | tags__002 | |
| url.domain | www.example.net | url.domain | |
| url.extension | htm | url.extension | |
| url.fragment | roinBCS | url.fragment | |
| url.original | https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS | url.original | |
| url.path | /orisn/cca.htm | url.path | |
| url.query__001 | ofdeF=metcons | url.query__001 | |
| url.query__002 | taspe | url.query__002 | |
| url.scheme | https | url.scheme | |
| user.name | oluptas | user.name | |

NahuFigueroa97 commented 1 year ago

Field Mapping Fortinet Fortimail

| ecs field | value | wazuh field | reason |
|---|---|---|---|
| event.original | date=2018-12-7 time=16:17:40 device_id=econ log_id=aborio log_part=rve type=event subtype=smtp pri=medium user=nbyCiui=runtmollaction=blockstatus=velillumsession_id="ionev" msg="to=<, delay=rna, xdelay=cons, mailer=ipv6-icmp, pri=lupta, relay=olaboris3175.internal.home[10.250.94.95], dsn=tno, stat=imve" | event.original | |
| event.action | block | event.action | |
| event.code | aborio | event.code | |
| event.dataset | fortinet.fortimail | event.dataset | Forced |
| event.module | fortinet | event.module | Forced |
| fileset.name | fortimail | fileset.name | Custom Forced |
| host.hostname | olaboris3175.internal.home | host.name | |
| input.type | log | input.type | Custom Forced |
| log.level | medium | log.level | |
| network.protocol | ipv6-icmp | network.protocol | |
| observer.product | FortiMail | observer.product | Forced |
| observer.serial_number | econ | observer.serial_number | |
| observer.type | Firewall | observer.type | |
| observer.vendor | Fortinet | observer.vendor | Forced |
| related.hosts | olaboris3175.internal.home | related.hosts | Custom |
| related.ip | 10.250.94.95 | related.ip | Custom |
| related.user | nbyCi | related.user | Custom |
| rsa.email.email_dst | vitaedi | rsa.misc.event_source | Custom |
| rsa.email.subject | event | rsa.misc.event_source | Custom |
| rsa.internal.messageid | smtp | rsa.misc.event_source | Custom |
| rsa.misc.event_state | velillum | rsa.misc.event_source | Custom |
| rsa.misc.event_type | block | rsa.misc.event_type | Custom |
| rsa.misc.hardware_id | econ | rsa.misc.hardware_id | Custom |
| rsa.misc.msgIdPart1 | block | rsa.misc.obj_name | Custom |
| rsa.misc.msgIdPart2 | smtp | rsa.misc.obj_name | Custom |
| rsa.misc.reference_id | aborio | rsa.misc.reference_id | Custom |
| rsa.misc.reference_id1 | rve | rsa.misc.reference_id | Custom |
| rsa.misc.severity | medium | rsa.misc.severity | Custom |
| rsa.network.network_service | runtmoll | rsa.network.network_service | Custom |
| rsa.time.event_time | 2016-02-12T03:12:33.000Z | rsa.time.event_time | Custom |
| service.type | fortinet | service.type | Forced |
| source.ip | 10.250.94.95 | source.ip | |
| tags | forwarded, fortinet.fortimail | tags | |
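Added example covering the client-endpoint and FortiMail tables above. It is not code from the Wazuh engine (whose decoders are the YAML files proposed in the issue description) and not from any commenter; it is a stand-alone Python sketch of the parsing the tables imply: a key=value tokenizer for the Fortinet body (a quoted value, like the FortiMail msg field, may contain spaces, commas and '='), the naive label split that yields server.subdomain, server.registered_domain and server.top_level_domain from the logon_user domain, and the related.* aggregation. The FortiClient input is the event.original quoted in the first table; the FortiMail-style line, the choice of which raw key feeds event.action, event.code and event.outcome, and every function name are this example's own assumptions.

```python
import re
from typing import Any, Dict, Optional

# Constructed input: the FortiClient line quoted as event.original in the client-endpoint table.
CLIENT_SAMPLE = (
    "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny "
    "src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi "
    "pid=7880 app_name=enderitq traff_direct=external block_count=5286 "
    "logon_user=sumdo@litesse6379.api.domain msg=failure"
)

# Constructed input in the FortiMail style: msg is quoted and carries a second,
# comma-separated key=value list. Recipient, relay host and address are made up.
MAIL_SAMPLE = (
    "date=2018-12-7 time=16:17:40 device_id=econ type=event subtype=smtp pri=medium "
    'msg="to=<user@example.invalid>, relay=olaboris3175.internal.home[10.250.94.95], stat=sent"'
)

# "<Month> <day> <hh:mm:ss> <host> " syslog header in front of the key=value body.
HEADER_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]+) (?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)
# One key=value pair; a double-quoted value may contain spaces, commas and '='.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_kv(body: str) -> Dict[str, str]:
    """Tokenize a Fortinet key=value body, dropping the quotes around quoted values."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(body):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_nested_msg(msg: str) -> Dict[str, str]:
    """Split the ', '-separated key=value list FortiMail packs into msg."""
    inner: Dict[str, str] = {}
    for part in msg.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            inner[key.strip()] = value
    return inner


def split_domain(fqdn: str) -> Dict[str, Optional[str]]:
    """Label split matching the tables: last label = TLD, last two = registered domain,
    the rest = subdomain. Assumption: no public-suffix-list lookup, which a real ECS
    mapping needs for multi-label suffixes such as co.uk."""
    labels = fqdn.split(".")
    if len(labels) < 2:
        return {"domain": fqdn, "subdomain": None,
                "registered_domain": fqdn, "top_level_domain": None}
    return {
        "domain": fqdn,
        "subdomain": ".".join(labels[:-2]) or None,
        "registered_domain": ".".join(labels[-2:]),
        "top_level_domain": labels[-1],
    }


def client_endpoint_to_ecs(line: str) -> Dict[str, Any]:
    """Map one FortiClient line to the flat ECS keys the client-endpoint table lists."""
    header = HEADER_RE.match(line)
    if header is None:
        raise ValueError("missing '<Month> <day> <time> <host>' syslog header")
    kv = parse_kv(line[header.end():])
    user, _, domain = kv.get("logon_user", "").partition("@")

    ecs: Dict[str, Any] = {
        "event.original": line,
        "event.module": "fortinet",
        "event.dataset": "fortinet.clientendpoint",
        "event.action": kv.get("status"),      # status=deny  -> "deny"   (assumed source key)
        "event.code": kv.get("service"),       # service=http -> "http"   (assumed source key)
        "event.outcome": kv.get("msg"),        # msg=failure  -> "failure" (assumed source key)
        "host.name": header.group("host"),
        "observer.vendor": "Fortinet",
        "observer.product": "FortiClient",
        "observer.type": "Anti-Virus",
        "network.protocol": kv.get("proto"),
        "network.direction": kv.get("traff_direct"),
        "source.ip": kv.get("src"),
        "destination.ip": kv.get("dst"),
        "user.name": user or None,
        "service.type": "fortinet",
        "tags": ["fortinet.clientendpoint", "forwarded"],
    }
    # Numeric ECS fields are set only when the raw value really is an integer, so a
    # malformed value is dropped rather than stored as a string in a numeric field.
    for raw_key, ecs_key in (("src_port", "source.port"), ("dst_port", "destination.port"),
                             ("pid", "process.pid")):
        if kv.get(raw_key, "").isdigit():
            ecs[ecs_key] = int(kv[raw_key])
    if domain:
        for part, value in split_domain(domain).items():
            ecs["server." + part] = value
    # related.* gathers every address and user in the event so one search pivots on them.
    ecs["related.hosts"] = [ip for ip in (kv.get("dst"), kv.get("src")) if ip]
    ecs["related.user"] = [user] if user else []
    return {k: v for k, v in ecs.items() if v is not None}


if __name__ == "__main__":
    print(client_endpoint_to_ecs(CLIENT_SAMPLE))
```

`client_endpoint_to_ecs(CLIENT_SAMPLE)` returns a flat dict keyed by the ECS names in the first table (ports and pid as integers, related.hosts as a list); `parse_kv(MAIL_SAMPLE)["msg"]` keeps the quoted FortiMail message whole, and `parse_nested_msg` then splits it into its relay, recipient and status parts. A line without the syslog header raises ValueError instead of producing a half-filled event, which is the behaviour a decoder should have so the line falls through to the next decoder rather than being indexed as a partial FortiClient event.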