From c4a6f1ff4aa0d3735dd2529397814cbde77f95d1 Mon Sep 17 00:00:00 2001
From: TOUFIKI Zakarya
Date: Tue, 31 Dec 2024 17:51:11 +0100
Subject: [PATCH 1/4] Add group field with a smart desc
---
 .../fortigate/_meta/smart-descriptions.json | 25 +++++++++++++++++++
 Fortinet/fortigate/ingest/parser.yml | 1 +
 .../fortigate/tests/test_group_field.json | 14 +++++++++++
 .../fortigate/tests/test_group_field_1.json | 14 +++++++++++
 4 files changed, 54 insertions(+)
 create mode 100644 Fortinet/fortigate/tests/test_group_field.json
 create mode 100644 Fortinet/fortigate/tests/test_group_field_1.json
diff --git a/Fortinet/fortigate/_meta/smart-descriptions.json b/Fortinet/fortigate/_meta/smart-descriptions.json
index 3017002ce..d1f06e563 100644
--- a/Fortinet/fortigate/_meta/smart-descriptions.json
+++ b/Fortinet/fortigate/_meta/smart-descriptions.json
@@ -24,6 +24,31 @@
 }
 ]
 },
+ {
+ "value": "{source.ip} connected to {destination.ip}:{destination.port}",
+ "conditions": [
+ {
+ "field": "action.outcome",
+ "value": "success"
+ },
+ {
+ "field": "source.ip"
+ },
+ {
+ "field": "destination.ip"
+ },
+ {
+ "field": "destination.port"
+ }
+ ],
+ "relationships": [
+ {
+ "source": "source.ip",
+ "target": "destination.ip",
+ "type": "connected to"
+ }
+ ]
+ },
 {
 "value": "{source.ip} was denied a connection to {destination.ip}:{destination.port}",
 "conditions": [
diff --git a/Fortinet/fortigate/ingest/parser.yml b/Fortinet/fortigate/ingest/parser.yml
index 000b90405..221ae274c 100644
--- a/Fortinet/fortigate/ingest/parser.yml
+++ b/Fortinet/fortigate/ingest/parser.yml
@@ -241,6 +241,7 @@ stages:
 fortinet.fortigate.policyid: "{{parsed_event.message.policyid}}"
 fortinet.fortigate.poluuid: "{{parsed_event.message.poluuid}}"
 network.forwarded_ip: "{{parsed_event.message.forwardedfor}}"
+ group.name: "{{parsed_event.message.group}}"
 - set:
 fortinet.fortigate.poluuid: "{{parsed_event.message.uuid}}"
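Review bot: The new description is gated only on `action.outcome` = `success` plus the presence of `source.ip`, `destination.ip` and `destination.port`, with no condition on `event.category`, so it will be rendered for any successful event that carries an address pair, not just forwarded traffic; note that the `client-rst` sample in test_group_field.json also ends up with outcome `success` in its expected output and will read as "connected to". If the wording is meant for allowed traffic sessions, add `{ "field": "event.category", "value": "traffic" }` alongside the outcome condition. Whether the list is evaluated first-match is not visible here; if it is, placing this entry before the "was denied" one only matters if that entry's conditions (cut off at the end of the hunk) can match the same event.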
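Review bot: `group.name` takes the raw `group=` value, which in the only fixture that carries it (`user=\"xxxxx.xxxxx@test.fr\" group=\"TEST-SAML\" authserver=\"azure-saml\"`) is the group of the authenticated user, while the same event's user lands in `user.name` and `source.user.name` in patch 3's expected output. If the intake's field list includes ECS `user.group.name`, that is the more precise home for a user's group membership and the field detection rules keyed on privileged groups usually look at; top-level `group.name` describes a group entity on its own. The mapping also applies to every event that reaches this set stage (patch 3 adds `group.name` to the SSL VPN statistics fixture in tunnel.json), which is probably fine but deserves a comment above the line, e.g. `# group of the authenticated user as reported by FortiGate (group=)`. The set stage begins before the hunk.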
diff --git a/Fortinet/fortigate/tests/test_group_field.json b/Fortinet/fortigate/tests/test_group_field.json
new file mode 100644
index 000000000..d25b4b096
--- /dev/null
+++ b/Fortinet/fortigate/tests/test_group_field.json
@@ -0,0 +1,14 @@
+{
+ "input": {
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Fortinet FortiGate",
+ "dialect_uuid": "5702ae4e-7d8a-455f-a47b-ef64dd87c981"
+ }
+ },
+ "message": "time=09:35:30 devname=\"eee-111-111-ff-11\" devid=\"FG00000000000000\" eventtime=1735202130361752831 tz=\"+0100\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"EFF\" srcip=1.2.3.4 srcport=10000 srcintf=\"EFF-WAN-0000\" srcintfrole=\"lan\" dstip=5.6.7.8 dstport=443 dstintf=\"EFF-DMZ-0000\" dstintfrole=\"lan\" srccountry=\"France\" dstcountry=\"France\" sessionid=400190000 proto=6 action=\"client-rst\" policyid=1018 policytype=\"policy\" poluuid=\"38fa6456-a819-51ef-3c99-000000000000000000\" service=\"HTTPS\" trandisp=\"dnat\" tranip=1.2.3.4 tranport=443 duration=6 sentbyte=100 rcvdbyte=52 sentpkt=2 rcvdpkt=1 appcat=\"unscanned\""
+ },
+ "expected": {
+ "message": "time=09:35:30 devname=\"eee-111-111-ff-11\" devid=\"FG00000000000000\" eventtime=1735202130361752831 tz=\"+0100\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"EFF\" srcip=1.2.3.4 srcport=10000 srcintf=\"EFF-WAN-0000\" srcintfrole=\"lan\" dstip=5.6.7.8 dstport=443 dstintf=\"EFF-DMZ-0000\" dstintfrole=\"lan\" srccountry=\"France\" dstcountry=\"France\" sessionid=400190000 proto=6 action=\"client-rst\" policyid=1018 policytype=\"policy\" poluuid=\"38fa6456-a819-51ef-3c99-000000000000000000\" service=\"HTTPS\" trandisp=\"dnat\" tranip=1.2.3.4 tranport=443 duration=6 sentbyte=100 rcvdbyte=52 sentpkt=2 rcvdpkt=1 appcat=\"unscanned\""
+ }
+}
\ No newline at end of file
diff --git a/Fortinet/fortigate/tests/test_group_field_1.json b/Fortinet/fortigate/tests/test_group_field_1.json
new file mode 100644
index 000000000..3305e4cba
--- /dev/null
+++ b/Fortinet/fortigate/tests/test_group_field_1.json
@@ -0,0 +1,14 @@
+{
+ "input": {
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Fortinet FortiGate",
+ "dialect_uuid": "5702ae4e-7d8a-455f-a47b-ef64dd87c981"
+ }
+ },
+ "message": "time=14:53:11 devname=\"FFF00D_TEST02\" devid=\"FGT3HD300000000\" eventtime=1735000001620000000 tz=\"+0100\" logid=\"0000000010\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=1.2.3.4 srcport=50000 srcintf=\"ssl.root\" srcintfrole=\"undefined\" dstip=5.6.5.7 dstport=80 dstintf=\"VPNM-TEST\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=100100046 proto=6 action=\"close\" policyid=274 policytype=\"policy\" poluuid=\"ac8ed64c-54e7-51eb-3525-d610000000000\" user=\"xxxxx.xxxxx@test.fr\" group=\"TEST-SAML\" authserver=\"azure-saml\" service=\"HTTP\" trandisp=\"snat\" transip=1.0.5.8 transport=50066 duration=7 sentbyte=18800 rcvdbyte=7900 sentpkt=30 rcvdpkt=29 vpn=\"VPNM-TEST\" vpntype=\"ipsec-static\" appcat=\"unscanned\""
+ },
+ "expected": {
+ "message": "time=14:53:11 devname=\"FFF00D_TEST02\" devid=\"FGT3HD300000000\" eventtime=1735000001620000000 tz=\"+0100\" logid=\"0000000010\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=1.2.3.4 srcport=50000 srcintf=\"ssl.root\" srcintfrole=\"undefined\" dstip=5.6.5.7 dstport=80 dstintf=\"VPNM-TEST\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=100100046 proto=6 action=\"close\" policyid=274 policytype=\"policy\" poluuid=\"ac8ed64c-54e7-51eb-3525-d610000000000\" user=\"xxxxx.xxxxx@test.fr\" group=\"TEST-SAML\" authserver=\"azure-saml\" service=\"HTTP\" trandisp=\"snat\" transip=1.0.5.8 transport=50066 duration=7 sentbyte=18800 rcvdbyte=7900 sentpkt=30 rcvdpkt=29 vpn=\"VPNM-TEST\" vpntype=\"ipsec-static\" appcat=\"unscanned\""
+ }
+}
\ No newline at end of file
From e5d8b936cea6d35213aa53dad7e3b655202f988c Mon Sep 17 00:00:00 2001
From: TOUFIKI Zakarya
Date: Tue, 31 Dec 2024 17:53:52 +0100
Subject: [PATCH 2/4] Apply linter
---
 Fortinet/fortigate/tests/test_group_field.json | 4 ++--
 Fortinet/fortigate/tests/test_group_field_1.json | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Fortinet/fortigate/tests/test_group_field.json b/Fortinet/fortigate/tests/test_group_field.json
index d25b4b096..e854cc2eb 100644
--- a/Fortinet/fortigate/tests/test_group_field.json
+++ b/Fortinet/fortigate/tests/test_group_field.json
@@ -1,12 +1,12 @@
 {
 "input": {
+ "message": "time=09:35:30 devname=\"eee-111-111-ff-11\" devid=\"FG00000000000000\" eventtime=1735202130361752831 tz=\"+0100\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"EFF\" srcip=1.2.3.4 srcport=10000 srcintf=\"EFF-WAN-0000\" srcintfrole=\"lan\" dstip=5.6.7.8 dstport=443 dstintf=\"EFF-DMZ-0000\" dstintfrole=\"lan\" srccountry=\"France\" dstcountry=\"France\" sessionid=400190000 proto=6 action=\"client-rst\" policyid=1018 policytype=\"policy\" poluuid=\"38fa6456-a819-51ef-3c99-000000000000000000\" service=\"HTTPS\" trandisp=\"dnat\" tranip=1.2.3.4 tranport=443 duration=6 sentbyte=100 rcvdbyte=52 sentpkt=2 rcvdpkt=1 appcat=\"unscanned\"",
 "sekoiaio": {
 "intake": {
 "dialect": "Fortinet FortiGate",
 "dialect_uuid": "5702ae4e-7d8a-455f-a47b-ef64dd87c981"
 }
- },
- "message": "time=09:35:30 devname=\"eee-111-111-ff-11\" devid=\"FG00000000000000\" eventtime=1735202130361752831 tz=\"+0100\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"EFF\" srcip=1.2.3.4 srcport=10000 srcintf=\"EFF-WAN-0000\" srcintfrole=\"lan\" dstip=5.6.7.8 dstport=443 dstintf=\"EFF-DMZ-0000\" dstintfrole=\"lan\" srccountry=\"France\" dstcountry=\"France\" sessionid=400190000 proto=6 action=\"client-rst\" policyid=1018 policytype=\"policy\" poluuid=\"38fa6456-a819-51ef-3c99-000000000000000000\" service=\"HTTPS\" trandisp=\"dnat\" tranip=1.2.3.4 tranport=443 duration=6 sentbyte=100 rcvdbyte=52 sentpkt=2 rcvdpkt=1 appcat=\"unscanned\""
+ }
 },
 "expected": {
 "message": "time=09:35:30 devname=\"eee-111-111-ff-11\" devid=\"FG00000000000000\" eventtime=1735202130361752831 tz=\"+0100\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"EFF\" srcip=1.2.3.4 srcport=10000 srcintf=\"EFF-WAN-0000\" srcintfrole=\"lan\" dstip=5.6.7.8 dstport=443 dstintf=\"EFF-DMZ-0000\" dstintfrole=\"lan\" srccountry=\"France\" dstcountry=\"France\" sessionid=400190000 proto=6 action=\"client-rst\" policyid=1018 policytype=\"policy\" poluuid=\"38fa6456-a819-51ef-3c99-000000000000000000\" service=\"HTTPS\" trandisp=\"dnat\" tranip=1.2.3.4 tranport=443 duration=6 sentbyte=100 rcvdbyte=52 sentpkt=2 rcvdpkt=1 appcat=\"unscanned\""
diff --git a/Fortinet/fortigate/tests/test_group_field_1.json b/Fortinet/fortigate/tests/test_group_field_1.json
index 3305e4cba..0bedae40f 100644
--- a/Fortinet/fortigate/tests/test_group_field_1.json
+++ b/Fortinet/fortigate/tests/test_group_field_1.json
@@ -1,12 +1,12 @@
 {
 "input": {
+ "message": "time=14:53:11 devname=\"FFF00D_TEST02\" devid=\"FGT3HD300000000\" eventtime=1735000001620000000 tz=\"+0100\" logid=\"0000000010\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=1.2.3.4 srcport=50000 srcintf=\"ssl.root\" srcintfrole=\"undefined\" dstip=5.6.5.7 dstport=80 dstintf=\"VPNM-TEST\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=100100046 proto=6 action=\"close\" policyid=274 policytype=\"policy\" poluuid=\"ac8ed64c-54e7-51eb-3525-d610000000000\" user=\"xxxxx.xxxxx@test.fr\" group=\"TEST-SAML\" authserver=\"azure-saml\" service=\"HTTP\" trandisp=\"snat\" transip=1.0.5.8 transport=50066 duration=7 sentbyte=18800 rcvdbyte=7900 sentpkt=30 rcvdpkt=29 vpn=\"VPNM-TEST\" vpntype=\"ipsec-static\" appcat=\"unscanned\"",
 "sekoiaio": {
 "intake": {
 "dialect": "Fortinet FortiGate",
 "dialect_uuid": "5702ae4e-7d8a-455f-a47b-ef64dd87c981"
 }
- },
- "message": "time=14:53:11 devname=\"FFF00D_TEST02\" devid=\"FGT3HD300000000\" eventtime=1735000001620000000 tz=\"+0100\" logid=\"0000000010\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=1.2.3.4 srcport=50000 srcintf=\"ssl.root\" srcintfrole=\"undefined\" dstip=5.6.5.7 dstport=80 dstintf=\"VPNM-TEST\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=100100046 proto=6 action=\"close\" policyid=274 policytype=\"policy\" poluuid=\"ac8ed64c-54e7-51eb-3525-d610000000000\" user=\"xxxxx.xxxxx@test.fr\" group=\"TEST-SAML\" authserver=\"azure-saml\" service=\"HTTP\" trandisp=\"snat\" transip=1.0.5.8 transport=50066 duration=7 sentbyte=18800 rcvdbyte=7900 sentpkt=30 rcvdpkt=29 vpn=\"VPNM-TEST\" vpntype=\"ipsec-static\" appcat=\"unscanned\""
+ }
 },
 "expected": {
 "message": "time=14:53:11 devname=\"FFF00D_TEST02\" devid=\"FGT3HD300000000\" eventtime=1735000001620000000 tz=\"+0100\" logid=\"0000000010\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=1.2.3.4 srcport=50000 srcintf=\"ssl.root\" srcintfrole=\"undefined\" dstip=5.6.5.7 dstport=80 dstintf=\"VPNM-TEST\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=100100046 proto=6 action=\"close\" policyid=274 policytype=\"policy\" poluuid=\"ac8ed64c-54e7-51eb-3525-d610000000000\" user=\"xxxxx.xxxxx@test.fr\" group=\"TEST-SAML\" authserver=\"azure-saml\" service=\"HTTP\" trandisp=\"snat\" transip=1.0.5.8 transport=50066 duration=7 sentbyte=18800 rcvdbyte=7900 sentpkt=30 rcvdpkt=29 vpn=\"VPNM-TEST\" vpntype=\"ipsec-static\" appcat=\"unscanned\""
From 36ceb703e29a3339248d71b534daf20ec67f91bf Mon Sep 17 00:00:00 2001
From: TOUFIKI Zakarya
Date: Tue, 31 Dec 2024 17:56:45 +0100
Subject: [PATCH 3/4] Fix tests
---
 .../fortigate/tests/test_group_field.json | 80 +++++++++++++++-
 .../fortigate/tests/test_group_field_1.json | 93 ++++++++++++++++++-
 Fortinet/fortigate/tests/tunnel.json | 3 +
 3 files changed, 174 insertions(+), 2 deletions(-)
diff --git a/Fortinet/fortigate/tests/test_group_field.json b/Fortinet/fortigate/tests/test_group_field.json
index e854cc2eb..5e683a864 100644
--- a/Fortinet/fortigate/tests/test_group_field.json
+++ b/Fortinet/fortigate/tests/test_group_field.json
@@ -9,6 +9,84 @@
 }
 },
 "expected": {
- "message": "time=09:35:30 devname=\"eee-111-111-ff-11\" devid=\"FG00000000000000\" eventtime=1735202130361752831 tz=\"+0100\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"EFF\" srcip=1.2.3.4 srcport=10000 srcintf=\"EFF-WAN-0000\" srcintfrole=\"lan\" dstip=5.6.7.8 dstport=443 dstintf=\"EFF-DMZ-0000\" dstintfrole=\"lan\" srccountry=\"France\" dstcountry=\"France\" sessionid=400190000 proto=6 action=\"client-rst\" policyid=1018 policytype=\"policy\" poluuid=\"38fa6456-a819-51ef-3c99-000000000000000000\" service=\"HTTPS\" trandisp=\"dnat\" tranip=1.2.3.4 tranport=443 duration=6 sentbyte=100 rcvdbyte=52 sentpkt=2 rcvdpkt=1 appcat=\"unscanned\""
+ "message": "time=09:35:30 devname=\"eee-111-111-ff-11\" devid=\"FG00000000000000\" eventtime=1735202130361752831 tz=\"+0100\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"EFF\" srcip=1.2.3.4 srcport=10000 srcintf=\"EFF-WAN-0000\" srcintfrole=\"lan\" dstip=5.6.7.8 dstport=443 dstintf=\"EFF-DMZ-0000\" dstintfrole=\"lan\" srccountry=\"France\" dstcountry=\"France\" sessionid=400190000 proto=6 action=\"client-rst\" policyid=1018 policytype=\"policy\" poluuid=\"38fa6456-a819-51ef-3c99-000000000000000000\" service=\"HTTPS\" trandisp=\"dnat\" tranip=1.2.3.4 tranport=443 duration=6 sentbyte=100 rcvdbyte=52 sentpkt=2 rcvdpkt=1 appcat=\"unscanned\"",
+ "event": {
+ "action": "client-rst",
+ "category": "traffic",
+ "code": "0000000011",
+ "dataset": "traffic:forward",
+ "outcome": "success",
+ "timezone": "+0100"
+ },
+ "@timestamp": "2024-12-26T08:35:30.361753Z",
+ "action": {
+ "name": "client-rst",
+ "outcome": "success",
+ "target": "network-traffic",
+ "type": "forward"
+ },
+ "destination": {
+ "address": "5.6.7.8",
+ "bytes": 52,
+ "ip": "5.6.7.8",
+ "nat": {
+ "ip": "1.2.3.4"
+ },
+ "packets": 1,
+ "port": 443
+ },
+ "fortinet": {
+ "fortigate": {
+ "event": {
+ "type": "traffic"
+ },
+ "policyid": "1018",
+ "poluuid": "38fa6456-a819-51ef-3c99-000000000000000000",
+ "virtual_domain": "EFF"
+ }
+ },
+ "log": {
+ "hostname": "eee-111-111-ff-11",
+ "level": "notice"
+ },
+ "network": {
+ "bytes": 152,
+ "protocol": "https",
+ "transport": "tcp"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "EFF-DMZ-0000"
+ }
+ },
+ "hostname": "eee-111-111-ff-11",
+ "ingress": {
+ "interface": {
+ "name": "EFF-WAN-0000"
+ }
+ },
+ "serial_number": "FG00000000000000"
+ },
+ "related": {
+ "hosts": [
+ "eee-111-111-ff-11"
+ ],
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8"
+ ]
+ },
+ "rule": {
+ "category": "unscanned",
+ "ruleset": "policy"
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "bytes": 100,
+ "ip": "1.2.3.4",
+ "packets": 2,
+ "port": 10000
+ }
 }
 }
\ No newline at end of file
diff --git a/Fortinet/fortigate/tests/test_group_field_1.json b/Fortinet/fortigate/tests/test_group_field_1.json
index 0bedae40f..364680578 100644
--- a/Fortinet/fortigate/tests/test_group_field_1.json
+++ b/Fortinet/fortigate/tests/test_group_field_1.json
@@ -9,6 +9,97 @@
 }
 },
 "expected": {
- "message": "time=14:53:11 devname=\"FFF00D_TEST02\" devid=\"FGT3HD300000000\" eventtime=1735000001620000000 tz=\"+0100\" logid=\"0000000010\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=1.2.3.4 srcport=50000 srcintf=\"ssl.root\" srcintfrole=\"undefined\" dstip=5.6.5.7 dstport=80 dstintf=\"VPNM-TEST\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=100100046 proto=6 action=\"close\" policyid=274 policytype=\"policy\" poluuid=\"ac8ed64c-54e7-51eb-3525-d610000000000\" user=\"xxxxx.xxxxx@test.fr\" group=\"TEST-SAML\" authserver=\"azure-saml\" service=\"HTTP\" trandisp=\"snat\" transip=1.0.5.8 transport=50066 duration=7 sentbyte=18800 rcvdbyte=7900 sentpkt=30 rcvdpkt=29 vpn=\"VPNM-TEST\" vpntype=\"ipsec-static\" appcat=\"unscanned\""
+ "message": "time=14:53:11 devname=\"FFF00D_TEST02\" devid=\"FGT3HD300000000\" eventtime=1735000001620000000 tz=\"+0100\" logid=\"0000000010\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=1.2.3.4 srcport=50000 srcintf=\"ssl.root\" srcintfrole=\"undefined\" dstip=5.6.5.7 dstport=80 dstintf=\"VPNM-TEST\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=100100046 proto=6 action=\"close\" policyid=274 policytype=\"policy\" poluuid=\"ac8ed64c-54e7-51eb-3525-d610000000000\" user=\"xxxxx.xxxxx@test.fr\" group=\"TEST-SAML\" authserver=\"azure-saml\" service=\"HTTP\" trandisp=\"snat\" transip=1.0.5.8 transport=50066 duration=7 sentbyte=18800 rcvdbyte=7900 sentpkt=30 rcvdpkt=29 vpn=\"VPNM-TEST\" vpntype=\"ipsec-static\" appcat=\"unscanned\"",
+ "event": {
+ "action": "close",
+ "category": "traffic",
+ "code": "0000000010",
+ "dataset": "traffic:forward",
+ "outcome": "success",
+ "timezone": "+0100"
+ },
+ "@timestamp": "2024-12-24T00:26:41.620000Z",
+ "action": {
+ "name": "close",
+ "outcome": "success",
+ "target": "network-traffic",
+ "type": "forward"
+ },
+ "destination": {
+ "address": "5.6.5.7",
+ "bytes": 7900,
+ "ip": "5.6.5.7",
+ "packets": 29,
+ "port": 80
+ },
+ "fortinet": {
+ "fortigate": {
+ "event": {
+ "type": "traffic"
+ },
+ "policyid": "274",
+ "poluuid": "ac8ed64c-54e7-51eb-3525-d610000000000",
+ "virtual_domain": "root"
+ }
+ },
+ "group": {
+ "name": "TEST-SAML"
+ },
+ "log": {
+ "hostname": "FFF00D_TEST02",
+ "level": "notice"
+ },
+ "network": {
+ "bytes": 26700,
+ "protocol": "http",
+ "transport": "tcp"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "VPNM-TEST"
+ }
+ },
+ "hostname": "FFF00D_TEST02",
+ "ingress": {
+ "interface": {
+ "name": "ssl.root"
+ }
+ },
+ "serial_number": "FGT3HD300000000"
+ },
+ "related": {
+ "hosts": [
+ "FFF00D_TEST02"
+ ],
+ "ip": [
+ "1.0.5.8",
+ "1.2.3.4",
+ "5.6.5.7"
+ ],
+ "user": [
+ "xxxxx.xxxxx@test.fr"
+ ]
+ },
+ "rule": {
+ "category": "unscanned",
+ "ruleset": "policy"
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "bytes": 18800,
+ "ip": "1.2.3.4",
+ "nat": {
+ "ip": "1.0.5.8"
+ },
+ "packets": 30,
+ "port": 50000,
+ "user": {
+ "name": "xxxxx.xxxxx@test.fr"
+ }
+ },
+ "user": {
+ "name": "xxxxx.xxxxx@test.fr"
+ }
 }
 }
\ No newline at end of file
diff --git a/Fortinet/fortigate/tests/tunnel.json b/Fortinet/fortigate/tests/tunnel.json
index 41a34c2c2..70ffc2c82 100644
--- a/Fortinet/fortigate/tests/tunnel.json
+++ b/Fortinet/fortigate/tests/tunnel.json
@@ -37,6 +37,9 @@
 "virtual_domain": "IPSEC"
 }
 },
+ "group": {
+ "name": "GRP_Generic_JAIL_VPN"
+ },
 "log": {
 "description": "SSL VPN statistics",
 "hostname": "abc",
From 9235a595914725494bcc75308d0787143989bbf1 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Thu, 2 Jan 2025 10:58:28 +0100
Subject: [PATCH 4/4] fix(Fortigate): enhancement the extraction of the user group
---
 Fortinet/fortigate/ingest/parser.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Fortinet/fortigate/ingest/parser.yml b/Fortinet/fortigate/ingest/parser.yml
index 221ae274c..9cb6f3f7d 100644
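Review bot: The fixture contradicts itself on the event time: the expected `@timestamp` `2024-12-24T00:26:41.620000Z` appears to be derived from `eventtime=1735000001620000000`, while the same message says `time=14:53:11` with `tz=\"+0100\"`, i.e. 13:53:11Z on that day — presumably a side effect of anonymising the sample. test_group_field.json is consistent (its `eventtime` resolves to 08:35:30Z, matching `time=09:35:30` at +0100), so this one should be aligned the same way, for instance by changing `time=14:53:11` to `time=01:26:41` in both the input and the expected `message` (constructed value; the expected `@timestamp` then stays as it is). Left as is, the fixture silently documents that `eventtime` wins over `time`/`tz` without that precedence having been decided anywhere visible.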
--- a/Fortinet/fortigate/ingest/parser.yml
+++ b/Fortinet/fortigate/ingest/parser.yml
@@ -241,7 +241,7 @@ stages:
 fortinet.fortigate.policyid: "{{parsed_event.message.policyid}}"
 fortinet.fortigate.poluuid: "{{parsed_event.message.poluuid}}"
 network.forwarded_ip: "{{parsed_event.message.forwardedfor}}"
- group.name: "{{parsed_event.message.group}}"
+ group.name: "{{parsed_event.message.group or parsed_event.message.FTNTFGTgroup}}"
 - set:
 fortinet.fortigate.poluuid: "{{parsed_event.message.uuid}}"
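Review bot: The new `or parsed_event.message.FTNTFGTgroup` fallback has no fixture behind it: this commit touches only parser.yml, and the two test files added earlier in the series only carry `group=`. Add a third test whose message uses the `FTNTFGTgroup=` key (the CEF extension spelling of the same field, as far as I can tell) and expects the same `group.name`, otherwise a regression in this expression goes unnoticed. A short comment on the line stating the precedence, e.g. `# syslog key-value field first, CEF extension key as fallback`, would also help, since `or` silently prefers the first key when both are present with different values. The enclosing set stage starts before the hunk.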