From 9235a595914725494bcc75308d0787143989bbf1 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Thu, 2 Jan 2025 10:58:28 +0100
Subject: [PATCH] fix(Fortigate): enhancement the extraction of the user group
---
 Fortinet/fortigate/ingest/parser.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Fortinet/fortigate/ingest/parser.yml b/Fortinet/fortigate/ingest/parser.yml
index 221ae274c..9cb6f3f7d 100644
--- a/Fortinet/fortigate/ingest/parser.yml
+++ b/Fortinet/fortigate/ingest/parser.yml
@@ -241,7 +241,7 @@ stages:
 fortinet.fortigate.policyid: "{{parsed_event.message.policyid}}"
 fortinet.fortigate.poluuid: "{{parsed_event.message.poluuid}}"
 network.forwarded_ip: "{{parsed_event.message.forwardedfor}}"
- group.name: "{{parsed_event.message.group}}"
+ group.name: "{{parsed_event.message.group or parsed_event.message.FTNTFGTgroup}}"
 - set:
 fortinet.fortigate.poluuid: "{{parsed_event.message.uuid}}"
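Review bot: The fallback in `group.name` relies on Jinja truthiness, so `FTNTFGTgroup` is only consulted when `parsed_event.message.group` is missing or empty; if a log format ever fills `group` with a non-empty placeholder (not visible in this hunk, so worth checking against sample events), the placeholder wins and lands in `group.name`, a field that detection rules and identity-based triage are likely to key on. The neighbouring mappings in this `set` stage each read a single key, so a short comment above the line would document why this one has two sources, e.g. `# key/value logs use "group"; CEF-formatted logs use "FTNTFGTgroup"` (assuming that is the reason for the second key). A test event that carries only `FTNTFGTgroup` would pin the new behaviour. The `set` stage starts above the hunk, so any other fields with an `FTNTFGT`-prefixed twin cannot be checked from here.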