Closed cborla closed 1 year ago
Field Mapping Fortinet Client Endpoint
ecs field | value | wazuh field | reason |
---|---|---|---|
destination.ip | "10.102.123.34" | destination.ip | |
destination.port | 3994 | destination.port | |
event.action | "deny" | event.action | |
event.code | "http" | event.code | |
event.dataset | "fortinet.clientendpoint" | event.dataset | |
event.module | "fortinet" | event.module | |
event.original | "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure" | event.original | |
event.outcome | "failure" | event.outcome | |
fileset.name | "clientendpoint" | fileset.name | Custom field, should use apache fields schema |
host.name | "boNemoe4402.www.invalid" | host.name | |
input.type | "log" | input.type | Custom field, should use apache fields schema |
log.offset | 0 | XXX | Not implemented |
network.direction | "external" | network.direction | |
network.protocol | "udp" | network.protocol | |
observer.product | "FortiClient" | observer.product | |
observer.type | "Anti-Virus" | observer.type | |
observer.vendor | "Fortinet" | observer.vendor | |
process.pid | 7880 | process.pid | |
related.hosts | "10.102.123.34", "10.150.92.220" | related.hosts | |
related.user | "sumdo" | related.user | |
rsa.counters.dclass_c1 | 5286 | rsa.counters.dclass_c1 | Custom field, should use apache fields schema |
rsa.counters.dclass_c1_str | "block_count" | rsa.counters.dclass_c1_str | Custom field, should use apache fields schema |
rsa.internal.messageid | "http" | rsa.internal.messageid | Custom field, should use apache fields schema |
rsa.investigations.ec_outcome | "http" | rsa.internal.messageid | Custom field, should use apache fields schema |
rsa.investigations.ec_subject | "NetworkComm" | rsa.investigations.ec_subject | Custom field, should use apache fields schema |
rsa.investigations.ec_theme | "ALM" | rsa.investigations.ec_theme | Custom field, should use apache fields schema |
rsa.misc.action | "deny" | rsa.misc.action | Custom field, should use apache fields schema |
rsa.misc.result | "failure" | rsa.misc.result | Custom field, should use apache fields schema |
rsa.network.alias_host | "boNemoe4402.www.invalid" | rsa.network.alias_host | Custom field, should use apache fields schema |
rsa.network.domain | "litesse6379.api.domain" | network.protocol | Custom field, should use apache fields schema |
rsa.network.network_service | "http" | rsa.network.network_service | Custom field, should use apache fields schema |
server.domain | "litesse6379.api.domain" | server.domain | |
server.registered_domain | "api.domain" | server.registered_domain | |
server.subdomain | "litesse6379" | server.subdomain | |
server.top_level_domain | "domain" | server.top_level_domain | |
service.type | "fortinet" | service.type | |
source.ip | "10.150.92.220" | source.ip | |
source.port | 7178 | source.port | |
tags | "fortinet.clientendpoint", "forwarded" | tags | |
user.name | "sumdo" | user.name | |
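As an added example (not code from the Wazuh issue, its ruleset, or the Elastic module the tables were taken from), the following Python decodes the Client Endpoint sample line above into the ECS fields the table lists: the syslog-style header gives `host.name`, the `key=value` pairs map directly or after a type conversion, `logon_user` is split into `user.name` and the `server.*` domain parts, and the `related.*` lists are derived from the already-decoded values. The regular expressions, the function names and the single-label public-suffix assumption in `split_domain` are mine; a production decoder would consult the public suffix list rather than assume the last label is the TLD.

```python
"""Decode a FortiClient endpoint line into the ECS fields from the mapping table.

Added illustration for the Wazuh Fortinet decoder issue; not project code.
"""
import re
from ipaddress import ip_address

# Constructed input: the event.original value from the Client Endpoint table.
SAMPLE = (
    "January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny "
    "src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi "
    "pid=7880 app_name=enderitq traff_direct=external block_count=5286 "
    "logon_user=sumdo@litesse6379.api.domain msg=failure"
)

# "<Month> <day> <hh:mm:ss> <host> <key=value ...>"  (assumed header shape)
HEADER_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]+) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)
# key=value or key="quoted value"; quoted form is tried first so spaces survive
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Plain string fields, taken from the table's ecs field column.
DIRECT = {
    "proto": "network.protocol",
    "service": "event.code",
    "status": "event.action",
    "src": "source.ip",
    "dst": "destination.ip",
    "traff_direct": "network.direction",
    "msg": "event.outcome",
}
# Fields the table stores as numbers.
NUMERIC = {
    "src_port": "source.port",
    "dst_port": "destination.port",
    "pid": "process.pid",
    "block_count": "rsa.counters.dclass_c1",
}


def parse_kv(text):
    """Return the key=value pairs of `text` as a dict (quotes stripped)."""
    out = {}
    for m in KV_RE.finditer(text):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return out


def split_domain(fqdn):
    """Split 'litesse6379.api.domain' into the server.* parts the table shows.

    Assumption: the public suffix is the last label only.
    """
    labels = fqdn.split(".")
    return {
        "server.domain": fqdn,
        "server.top_level_domain": labels[-1],
        "server.registered_domain": ".".join(labels[-2:]),
        "server.subdomain": ".".join(labels[:-2]),
    }


def is_client_endpoint_line(line):
    """Cheap pre-check a decoder would use to decide whether this decoder applies."""
    return HEADER_RE.match(line) is not None


def decode_client_endpoint(line):
    """Map one line to ECS-named fields; raises ValueError on a malformed line."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not a FortiClient endpoint line")
    kv = parse_kv(m.group("rest"))
    ecs = {
        "event.module": "fortinet",
        "event.dataset": "fortinet.clientendpoint",
        "observer.vendor": "Fortinet",
        "observer.product": "FortiClient",
        "event.original": line,
        "host.name": m.group("host"),
    }
    for key, field in DIRECT.items():
        if key in kv:
            ecs[field] = kv[key]
    for key, field in NUMERIC.items():
        if key in kv and kv[key].isdigit():
            ecs[field] = int(kv[key])
    # Reject a non-IP value here rather than indexing it as free text.
    for field in ("source.ip", "destination.ip"):
        if field in ecs:
            ip_address(ecs[field])
    if "logon_user" in kv:
        user, _, domain = kv["logon_user"].partition("@")
        ecs["user.name"] = user
        if domain:
            ecs.update(split_domain(domain))
    ecs["related.hosts"] = sorted(
        {v for v in (ecs.get("source.ip"), ecs.get("destination.ip")) if v}
    )
    ecs["related.user"] = [ecs["user.name"]] if "user.name" in ecs else []
    return ecs


if __name__ == "__main__":
    for field, value in sorted(decode_client_endpoint(SAMPLE).items()):
        print(f"{field} = {value!r}")
```

The FortiManager and FortiMail samples further down use the same `key=value` syntax after a `date=... time=... device_id=...` prefix, so `parse_kv` carries over; only the header pattern and the field dictionaries change per decoder.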
Field Mapping Fortinet Firewall
ecs field | value | wazuh field | reason |
---|---|---|---|
@timestamp | "2020-04-23T12:32:48.000-05:00" | @timestamp | |
event.action | "FSSO-logon" | event.action | |
event.category | "authentication" | event.category | |
event.reason | malformed input | event.reason | |
event.code | "0102043014" | event.code | |
event.dataset | "fortinet.firewall" | event.dataset | |
event.kind | "event" | event.kind | |
event.module | "fortinet" | event.module | |
event.outcome | "success" | event.outcome | |
event.start | "2020-04-18T12:32:48.439-05:00" | event.start | |
event.timezone | "-0500" | event.timezone | |
event.duration | 22 | event.duration | |
event.type | "user" | event.type | |
event.reference | http://www.fortinet.com/ids/VID16777316 | event.reference | |
fileset.name | "firewall" | fileset.name | Custom field, should use apache fields schema |
fortinet.firewall.action | "FSSO-logon" | fortinet.firewall.action | Custom field, should use apache fields schema |
fortinet.firewall.type | utm | fortinet.firewall.type | Custom field, should use apache fields schema |
fortinet.firewall.addrgrp | FCTEMS0000011111_AV-Running | fortinet.firewall.addrgrp | Custom field, should use apache fields schema |
fortinet.firewall.action | FSSO-logon | fortinet.firewall.action | Custom field, should use apache fields schema |
fortinet.firewall.fctemssn | FCTEMS0000011111 | fortinet.firewall.fctemssn | Custom field, should use apache fields schema |
fortinet.firewall.server | "elasticserver" | fortinet.firewall.server | Custom field, should use apache fields schema |
fortinet.firewall.craction | 1050 | fortinet.firewall.craction | Custom field, should use apache fields schema |
fortinet.firewall.subtype | "user" | fortinet.firewall.subtype | Custom field, should use apache fields schema |
fortinet.firewall.crlevel | high | fortinet.firewall.crlevel | Custom field, should use apache fields schema |
fortinet.firewall.vd | "root" | fortinet.firewall.vd | Custom field, should use apache fields schema |
fortinet.firewall.crscore | 5 | fortinet.firewall.crscore | Custom field, should use apache fields schema |
fortinet.firewall.dstcountry | Reserved | fortinet.firewall.dstcountry | Custom field, should use apache fields schema |
fortinet.firewall.srccountry | Reserved | fortinet.firewall.srccountry | Custom field, should use apache fields schema |
fortinet.firewall.dstintfrole | lan | fortinet.firewall.dstintfrole | Custom field, should use apache fields schema |
fortinet.firewall.sessionid | 155313 | fortinet.firewall.sessionid | Custom field, should use apache fields schema |
fortinet.firewall.srcintfrole | lan | fortinet.firewall.srcintfrole | Custom field, should use apache fields schema |
fortinet.firewall.trandisp | noop | fortinet.firewall.trandisp | Custom field, should use apache fields schema |
fortinet.firewall.method | domain | fortinet.firewall.method | Custom field, should use apache fields schema |
fortinet.firewall.profile | elasticruleset | fortinet.firewall.profile | Custom field, should use apache fields schema |
fortinet.firewall.sn | 1234 | fortinet.firewall.sn | Custom field, should use apache fields schema |
fortinet.firewall.connection_type | sslvpn | fortinet.firewall.connection_type | Custom field, should use apache fields schema |
fortinet.firewall.count | 2 | fortinet.firewall.count | Custom field, should use apache fields schema |
fortinet.firewall.fctuid | 645234fdd01F885824F764 | fortinet.firewall.fctuid | Custom field, should use apache fields schema |
fortinet.firewall.ip | 172.16.0.2 | fortinet.firewall.ip | Custom field, should use apache fields schema |
fortinet.firewall.license_limit | unlimited | fortinet.firewall.license_limit | Custom field, should use apache fields schema |
fortinet.firewall.name | somerouter | fortinet.firewall.name | Custom field, should use apache fields schema |
fortinet.firewall.cookies | 125cbf9ee8349965/0000000000000000 | fortinet.firewall.cookies | Custom field, should use apache fields schema |
fortinet.firewall.init | local | fortinet.firewall.init | Custom field, should use apache fields schema |
fortinet.firewall.mode | aggressive | fortinet.firewall.mode | Custom field, should use apache fields schema |
fortinet.firewall.outintf | port1 | fortinet.firewall.outintf | Custom field, should use apache fields schema |
fortinet.firewall.result | OK | fortinet.firewall.result | Custom field, should use apache fields schema |
fortinet.firewall.role | initiator | fortinet.firewall.role | Custom field, should use apache fields schema |
fortinet.firewall.stage | 1 | fortinet.firewall.stage | Custom field, should use apache fields schema |
fortinet.firewall.peer_notif | NOT-APPLICABLE | fortinet.firewall.peer_notif | Custom field, should use apache fields schema |
fortinet.firewall.bandwidth | 23/4 | fortinet.firewall.bandwidth | Custom field, should use apache fields schema |
fortinet.firewall.cpu | 0 | fortinet.firewall.cpu | Custom field, should use apache fields schema |
fortinet.firewall.disk | 0 | fortinet.firewall.disk | Custom field, should use apache fields schema |
fortinet.firewall.disklograte | 0 | fortinet.firewall.disklograte | Custom field, should use apache fields schema |
fortinet.firewall.fazlograte | 0 | fortinet.firewall.fazlograte | Custom field, should use apache fields schema |
fortinet.firewall.freediskstorage | 331 | fortinet.firewall.freediskstorage | Custom field, should use apache fields schema |
fortinet.firewall.mem | 10 | fortinet.firewall.mem | Custom field, should use apache fields schema |
fortinet.firewall.setuprate | 0 | fortinet.firewall.setuprate | Custom field, should use apache fields schema |
fortinet.firewall.sysuptime | 25170 | fortinet.firewall.sysuptime | Custom field, should use apache fields schema |
fortinet.firewall.totalsession | 23 | fortinet.firewall.totalsession | Custom field, should use apache fields schema |
fortinet.firewall.authproto | TELNET(10.1.100.11) | fortinet.firewall.authproto | Custom field, should use apache fields schema |
fortinet.firewall.interface | port10 | fortinet.firewall.interface | Custom field, should use apache fields schema |
fortinet.firewall.status | success | fortinet.firewall.status | Custom field, should use apache fields schema |
fortinet.firewall.tunnelid | 2 | fortinet.firewall.tunnelid | Custom field, should use apache fields schema |
fortinet.firewall.tunnelip | 10.10.10.10 | fortinet.firewall.tunnelip | Custom field, should use apache fields schema |
fortinet.firewall.tunneltype | ssl-tunnel | fortinet.firewall.tunneltype | Custom field, should use apache fields schema |
fortinet.firewall.ui | ssh(172.16.200.254) | fortinet.firewall.ui | Custom field, should use apache fields schema |
fortinet.firewall.vd | root | fortinet.firewall.vd | Custom field, should use apache fields schema |
fortinet.firewall.used_for_type | 4 | fortinet.firewall.used_for_type | Custom field, should use apache fields schema |
fortinet.firewall.vpntunnel | elasticvpn | fortinet.firewall.vpntunnel | Custom field, should use apache fields schema |
fortinet.firewall.authserver | FSSO_elastiauth | fortinet.firewall.authserver | Custom field, should use apache fields schema |
fortinet.firewall.version | 1.522479 | fortinet.firewall.version | Custom field, should use apache fields schema |
fortinet.firewall.applist | policylist | fortinet.firewall.applist | Custom field, should use apache fields schema |
fortinet.firewall.app | icmp6/25/0 | fortinet.firewall.app | Custom field, should use apache fields schema |
fortinet.firewall.rcvddelta | 728 | fortinet.firewall.rcvddelta | Custom field, should use apache fields schema |
fortinet.firewall.sentdelta | 576 | fortinet.firewall.sentdelta | Custom field, should use apache fields schema |
fortinet.firewall.vwlid | 0 | fortinet.firewall.vwlid | Custom field, should use apache fields schema |
fortinet.firewall.identifier | 0 | fortinet.firewall.identifier | Custom field, should use apache fields schema |
fortinet.firewall.appid | 43540 | fortinet.firewall.appid | Custom field, should use apache fields schema |
fortinet.firewall.apprisk | elevated | fortinet.firewall.apprisk | Custom field, should use apache fields schema |
fortinet.firewall.appact | detected | fortinet.firewall.appact | Custom field, should use apache fields schema |
fortinet.firewall.vwlquality | Seq_num(3), alive, selected | fortinet.firewall.vwlquality | Custom field, should use apache fields schema |
fortinet.firewall.wanin | 1130 | fortinet.firewall.wanin | Custom field, should use apache fields schema |
fortinet.firewall.wanout | 1130 | fortinet.firewall.wanout | Custom field, should use apache fields schema |
fortinet.firewall.lanin | 1130 | fortinet.firewall.lanin | Custom field, should use apache fields schema |
fortinet.firewall.lanout | 1130 | fortinet.firewall.lanout | Custom field, should use apache fields schema |
fortinet.firewall.mastersrcmac | a2:e9:00:ec:40:01 | fortinet.firewall.mastersrcmac | Custom field, should use apache fields schema |
fortinet.firewall.srcmac | a2:e9:00:ec:40:01 | fortinet.firewall.srcmac | Custom field, should use apache fields schema |
fortinet.firewall.srcserver | 0 | fortinet.firewall.srcserver | Custom field, should use apache fields schema |
fortinet.firewall.dstuuid | ae28f494-5735-51e9-f247-d1d2ce663f4b | fortinet.firewall.dstuuid | Custom field, should use apache fields schema |
fortinet.firewall.srcuuid | ae28f494-5735-51e9-f247-d1d2ce663f4b | fortinet.firewall.srcuuid | Custom field, should use apache fields schema |
fortinet.firewall.devcategory | None | fortinet.firewall.devcategory | Custom field, should use apache fields schema |
fortinet.firewall.devtype | Unknown | fortinet.firewall.devtype | Custom field, should use apache fields schema |
fortinet.firewall.countdlp | 1 | fortinet.firewall.countdlp | Custom field, should use apache fields schema |
fortinet.firewall.cat | 76 | fortinet.firewall.cat | Custom field, should use apache fields schema |
fortinet.firewall.eventtype | ftgd_blk | fortinet.firewall.eventtype | Custom field, should use apache fields schema |
fortinet.firewall.method | domain | fortinet.firewall.method | Custom field, should use apache fields schema |
fortinet.firewall.reqtype | direct | fortinet.firewall.reqtype | Custom field, should use apache fields schema |
fortinet.firewall.incidentserialno | 23465 | fortinet.firewall.incidentserialno | Custom field, should use apache fields schema |
fortinet.firewall.qtypeval | 1 | fortinet.firewall.qtypeval | Custom field, should use apache fields schema |
fortinet.firewall.analyticscksum | 275a021bbfb6489e54d471899f7db9d1663fc69... | fortinet.firewall.analyticscksum | Custom field, should use apache fields schema |
fortinet.firewall.analyticssubmit | false | fortinet.firewall.analyticssubmit | Custom field, should use apache fields schema |
fortinet.firewall.quarskip | File-was-not-quarantined. | fortinet.firewall.quarskip | Custom field, should use apache fields schema |
fortinet.firewall.virus | EICAR_TEST_FILE | fortinet.firewall.virus | Custom field, should use apache fields schema |
fortinet.firewall.virusid | 2172 | fortinet.firewall.virusid | Custom field, should use apache fields schema |
fortinet.firewall.attack | Adobe.Flash.newfunction.Handling.Code.Execution | fortinet.firewall.attack | Custom field, should use apache fields schema |
fortinet.firewall.attackid | 23305 | fortinet.firewall.attackid | Custom field, should use apache fields schema |
fortinet.firewall.severity | critical | fortinet.firewall.severity | Custom field, should use apache fields schema |
fortinet.firewall.icmpcode | 0x00 | fortinet.firewall.icmpcode | Custom field, should use apache fields schema |
fortinet.firewall.icmpid | 0x1474 | fortinet.firewall.icmpid | Custom field, should use apache fields schema |
fortinet.firewall.icmptype | 0x08 | fortinet.firewall.icmptype | Custom field, should use apache fields schema |
fortinet.firewall.policytype | DoS-policy | fortinet.firewall.policytype | Custom field, should use apache fields schema |
fortinet.firewall.dlpextra | dlp-file-size11 | fortinet.firewall.dlpextra | Custom field, should use apache fields schema |
fortinet.firewall.epoch | 1740880646 | fortinet.firewall.epoch | Custom field, should use apache fields schema |
fortinet.firewall.filtercat | file | fortinet.firewall.filtercat | Custom field, should use apache fields schema |
fortinet.firewall.filteridx | 1 | fortinet.firewall.filteridx | Custom field, should use apache fields schema |
fortinet.firewall.filtertype | file-type | fortinet.firewall.filtertype | Custom field, should use apache fields schema |
fortinet.firewall.channeltype | shell | fortinet.firewall.channeltype | Custom field, should use apache fields schema |
fortinet.firewall.login | root | fortinet.firewall.login | Custom field, should use apache fields schema |
fortinet.firewall.certhash | 1115ec1857ed7f937301ff5e02f6b0681cf2ec4e | fortinet.firewall.certhash | Custom field, should use apache fields schema |
fortinet.firewall.quarskip | File-was-not-quarantined | fortinet.firewall.quarskip | Custom field, should use apache fields schema |
url.domain | lhsp.s206.xrea.com | url.domain | |
url.original | http://lhsp.s206.xrea.com/download/eicar_test_virus.zip | url.original | |
url.path | /download/eicar_test_virus.zip | url.path | |
url.scheme | http | url.scheme | |
input.type | "log" | input.type | Custom field, should use apache fields schema |
log.level | "notice" | log.level | |
log.offset | 0 | log.offset | Not implemented |
message | FSSO-logon event from FSSO_elasticserver: user elasticouser logged on 10.10.10.10 | message | |
network.application | icmp6/25/0 | network.application | |
network.type | "ipv4" | network.type | |
network.iana_number | 6 | network.iana_number | |
network.protocol | HTTP | network.protocol | |
network.bytes | 3874 | network.bytes | |
network.direction | outbound | network.direction | |
observer.name | "testswitch3" | observer.name | |
observer.product | "Fortigate" | observer.product | |
observer.serial_number | "someotherrouteridagain" | observer.serial_number | |
observer.type | "firewall" | observer.type | |
observer.vendor | "Fortinet" | observer.vendor | |
observer.ingress.interface.name | port25 | observer.ingress.interface.name | |
observer.egress.interface.name | port3 | observer.egress.interface.name | |
related.ip | "10.10.10.10" | related.ip | |
related.user | "elasticouser" | related.user | |
related.hosts | elastic.example.com | related.hosts | |
rule.id | 1 | rule.id | |
rule.description | "FSSO logon authentication status" | rule.description | |
rule.name | elasticnewruleset | rule.name | |
rule.uuid | d8ce7a90-7763-51e9-e2be-741294c96f31 | rule.uuid | |
rule.category | Web-based Email | rule.category | |
rule.ruleset | DoS-policy | rule.ruleset | |
service.type | "fortinet" | service.type | |
source.ip | "10.150.92.220" | source.ip | |
source.port | 80 | source.port | |
source.nat.ip | 67.43.156.12 | source.nat.ip | |
source.nat.port | 80 | source.nat.port | |
source.packets | 4 | source.packets | |
source.user.name | "elasticouser" | source.user.name | |
source.user.group.name | elasticgroup2 | source.user.group.name | |
source.bytes | 84 | source.bytes | |
source.mac | a2:e9:00:ec:40:01 | source.mac | |
tags | "fortinet-firewall" "forwarded" | tags | |
destination.packets | 8 | destination.packets | |
destination.bytes | 10 | destination.bytes | |
destination.ip | 67.43.156.12 | destination.ip | |
destination.port | 80 | destination.port | |
dns.resolved_ip | 67.43.156.12 | dns.resolved_ip | |
dns.id | 2234 | dns.id | |
dns.question.class | IN | dns.question.class | |
dns.question.name | elastic.example.com | dns.question.name | |
dns.question.type | A | dns.question.type | |
tls.server.x509.subject.common_name | test.elastic.co | tls.server.x509.subject.common_name | |
tls.server.x509.issuer.common_name | DigiCert SHA2 High Assurance Server CA | tls.server.x509.issuer.common_name | |
tls.server.issuer | DigiCert SHA2 High Assurance Server CA | tls.server.issuer | |
user_agent.name | curl | user_agent.name | |
user_agent.original | curl/7.47.0 | user_agent.original | |
user_agent.version | 7.47.0 | user_agent.version | |
vulnerability.category | Virus | vulnerability.category | |
file.extension | | file.extension | |
file.name | FortiOS_6.2.0_Log_Reference.pdf | file.name | |
file.size | 12345 | file.size |
Field Mapping Fortinet Fortimanager
ecs field | value | wazuh field | reason |
---|---|---|---|
destination.bytes | 3879 | destination.bytes | |
destination.geo.country_name | ation | destination.geo.country_name | |
destination.ip | 10.171.204.166 | destination.ip | |
destination.nat.ip | 10.53.110.111 | destination.nat.ip | |
destination.nat.port | 2549 | destination.nat.port | |
destination.port | 6668 | destination.port | |
event.action | accept | event.action | |
event.code | atio | event.code | |
event.dataset | fortinet.fortimanager | event.dataset | Forced |
event.module | fortinet | event.module | Forced |
event.timezone | CEST | event.timezone | |
fileset.name | fortimanager | fileset.name | Custom Forced |
host.name | aer445.host | host.name | |
http.request.referrer | https://api.example.org/tamremap/tur.html?radipis=isetq#estqui | http.request.referrer | |
input.type | log | input.type | Custom Forced |
log.level | high | log.level | |
log.offset | 593 | log.offset | Custom |
network.bytes | 10257 | network.bytes | |
network.direction | external | network.direction | |
network.protocol | TCP | network.protocol | |
observer.egress.interface.name | enp0s2581 | observer.egress.interface.name | |
observer.ingress.interface.name | enp0s208 | observer.ingress.interface.name | |
observer.product | FortiManager | observer.product | Forced |
observer.serial_number | tur | observer.serial_number | |
observer.type | Configuration | observer.type | |
observer.vendor | Fortinet | observer.vendor | Forced |
observer.version | 1.41 | observer.version | |
related.hosts__001 | aer445.host | related.hosts__001 | Custom |
related.hosts__002 | mvolu | related.hosts__002 | Custom |
related.hosts__003 | pisciv | related.hosts__003 | Custom |
related.ip__001 | 10.171.204.166 | related.ip__001 | Custom |
related.ip__002 | 10.62.4.246 | related.ip__002 | Custom |
related.user__- | oluptas | related.user__- | Custom |
rsa.db.index | taevi | rsa.db.index | Custom |
rsa.internal.event_desc | com | rsa.internal.event_desc | Custom |
related.ip__003 | 10.53.110.111 | related.ip__003 | Custom |
rsa.internal.messageid | generic_fortinetmgr | rsa.internal.messageid | Forced |
rsa.investigations.event_vcat | eius | rsa.investigations.event_vcat | Custom |
rsa.misc.OS | anonnu | rsa.misc.OS | Custom |
rsa.misc.action__001 | accept | rsa.misc.action__001 | Custom |
rsa.misc.action__002 | mol | rsa.misc.action__002 | Custom |
rsa.misc.category | exe | rsa.misc.category | Custom |
rsa.misc.client | radip | rsa.misc.client | Custom |
rsa.misc.context | nibus | rsa.misc.context | Custom |
rsa.misc.event_source | pisciv | rsa.misc.event_source | Custom |
rsa.misc.event_type | umexe | rsa.misc.event_type | Custom |
rsa.misc.fcatnum | byC | rsa.misc.fcatnum | Custom |
rsa.misc.filter | tinculp | rsa.misc.filter | Custom |
rsa.misc.hardware_id | tur | rsa.misc.hardware_id | Custom |
rsa.misc.log_session_id | tNequ | rsa.misc.log_session_id | Custom |
rsa.misc.obj_name | uaturQ | rsa.misc.obj_name | Custom |
rsa.misc.policy_id | uidolor | rsa.misc.policy_id | Custom |
rsa.misc.policy_name | ionofde | rsa.misc.policy_name | Custom |
rsa.misc.reference_id | atio | rsa.misc.reference_id | Custom |
rsa.misc.rule_name | eumiu | rsa.misc.rule_name | Custom |
rsa.misc.severity | high | rsa.misc.severity | Custom |
rsa.network.domain | xplicabo4308.www.example | rsa.network.domain | Custom |
rsa.misc.sig_id | 6728 | rsa.misc.sig_id | Custom |
rsa.misc.version | 1.41 | rsa.misc.version | Custom |
rsa.misc.vsys | iatnu | rsa.misc.vsys | Custom |
rsa.network.alias_host__- | aer445.host | rsa.network.alias_host__- | Custom |
rsa.network.dinterface | enp0s2581 | rsa.network.dinterface | Custom |
rsa.network.network_service | emape | rsa.network.network_service | Custom |
rsa.network.sinterface | enp0s208 | rsa.network.sinterface | Custom |
rsa.threat.threat_desc | sum | rsa.threat.threat_desc | Custom |
rsa.time.duration_time | 72.226 | rsa.time.duration_time | Custom |
rsa.time.event_time | 2016-02-12T03:12:33.000Z | rsa.time.event_time | Custom |
server.domain | xplicabo4308.www.example | server.domain | |
server.registered_domain | www.example | server.registered_domain | |
server.subdomain | xplicabo4308 | server.subdomain | |
server.top_level_domain | example | server.top_level_domain | |
rsa.time.timezone | CEST | rsa.time.timezone | Custom |
rsa.time.event_time_str | onemul | rsa.time.event_time_str | Custom |
rsa.web.reputation_num | 145.047 | rsa.web.reputation_num | Custom |
rsa.web.web_ref_domain | mvolu | rsa.web.web_ref_domain | Custom |
rule.name | eumiu | rule.name | |
service.type | fortinet | service.type | Forced |
source.bytes | 6378 | source.bytes | |
source.geo.country_name | tconsec | source.geo.country_name | |
source.ip | 10.62.4.246 | source.ip | |
source.mac | 01:00:5e:84:66:6c | source.mac | |
source.port | 189 | source.port | |
tags__001 | fortinet.fortimanager | tags__001 | |
tags__002 | forwarded | tags__002 | |
url.domain | www.example.net | url.domain | |
url.extension | htm | url.extension | |
url.fragment | roinBCS | url.fragment | |
url.original | https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS | url.original | |
url.path | /orisn/cca.htm | url.path | |
url.query__001 | ofdeF=metcons | url.query__001 | |
url.query__002 | taspe | url.query__002 | |
url.scheme | https | url.scheme | |
user.name | oluptas | user.name |
Field Mapping Fortinet Fortimail
ecs field | value | wazuh field | reason |
---|---|---|---|
event.original | date=2018-12-7 time=16:17:40 device_id=econ log_id=aborio log_part=rve type=event subtype=smtp pri=medium user=nbyCiui=runtmollaction=blockstatus=velillumsession_id="ionev" msg="to=<, delay=rna, xdelay=cons, mailer=ipv6-icmp, pri=lupta, relay=olaboris3175.internal.home[10.250.94.95], dsn=tno, stat=imve" | event.original | |
event.action | block | event.action | |
event.code | aborio | event.code | |
event.dataset | fortinet.fortimail | event.dataset | Forced |
event.module | fortinet | event.module | Forced |
fileset.name | fortimail | fileset.name | Custom Forced |
host.hostname | olaboris3175.internal.home | host.name | |
input.type | log | input.type | Custom Forced |
log.level | medium | log.level | |
network.protocol | ipv6-icmp | network.protocol | |
observer.product | FortiMail | observer.product | Forced |
observer.serial_number | econ | observer.serial_number | |
observer.type | Firewall | observer.type | |
observer.vendor | Fortinet | observer.vendor | Forced |
related.hosts | olaboris3175.internal.home | related.hosts | Custom |
related.ip | 10.250.94.95 | related.ip | Custom |
related.user | nbyCi | related.user | Custom |
rsa.email.email_dst | vitaedi | rsa.misc.event_source | Custom |
rsa.email.subject | event | rsa.misc.event_source | Custom |
rsa.internal.messageid | smtp | rsa.misc.event_source | Custom |
rsa.misc.event_state | velillum | rsa.misc.event_source | Custom |
rsa.misc.event_type | block | rsa.misc.event_type | Custom |
rsa.misc.hardware_id | econ | rsa.misc.hardware_id | Custom |
rsa.misc.msgIdPart1 | block | rsa.misc.obj_name | Custom |
rsa.misc.msgIdPart2 | smtp | rsa.misc.obj_name | Custom |
rsa.misc.reference_id | aborio | rsa.misc.reference_id | Custom |
rsa.misc.reference_id1 | rve | rsa.misc.reference_id | Custom |
rsa.misc.severity | medium | rsa.misc.severity | Custom |
rsa.network.network_service | runtmoll | rsa.network.network_service | Custom |
rsa.time.event_time | 2016-02-12T03:12:33.000Z | rsa.time.event_time | Custom |
service.type | fortinet | service.type | Forced |
source.ip | 10.250.94.95 | source.ip | |
tags | forwarded, fortinet.fortimail | tags |
Description
It is necessary to extend the coverage of our ruleset, so a Fortinet decoder will be written for this purpose.
In addition, writing this decoder will serve to identify the functionalities that need to be expanded or improved so that decoders can be written more easily.
There are four kinds of events, one per mapping table above: Client Endpoint, Firewall, FortiManager and FortiMail.
Proposed filenames
wazuh/src/engine/ruleset/decoders/fortinet/fortinet.yml
wazuh/src/engine/ruleset/decoders/fortinet/client_endpoint.yml
wazuh/src/engine/ruleset/decoders/fortinet/firewall.yml
wazuh/src/engine/ruleset/decoders/fortinet/fortimail.yml
wazuh/src/engine/ruleset/decoders/fortinet/fortimanager.yml
Fortinet documentation
DoD