Add group field with a smart desc

SEKOIA-IO · Dec 31, 2024 · c4a6f1f · c4a6f1f
1 parent 850620b
commit c4a6f1f
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 0 deletions.
diff --git a/Fortinet/fortigate/_meta/smart-descriptions.json b/Fortinet/fortigate/_meta/smart-descriptions.json
@@ -24,6 +24,31 @@
       }
     ]
   },
+  {
+    "value": "{source.ip} connected to {destination.ip}:{destination.port}",
+    "conditions": [
+      {
+        "field": "action.outcome",
+        "value": "success"
+      },
+      {
+        "field": "source.ip"
+      },
+      {
+        "field": "destination.ip"
+      },
+      {
+        "field": "destination.port"
+      }
+    ],
+    "relationships": [
+      {
+        "source": "source.ip",
+        "target": "destination.ip",
+        "type": "connected to"
+      }
+    ]
+  },
   {
     "value": "{source.ip} was denied a connection to {destination.ip}:{destination.port}",
     "conditions": [

diff --git a/Fortinet/fortigate/ingest/parser.yml b/Fortinet/fortigate/ingest/parser.yml
@@ -241,6 +241,7 @@ stages:
           fortinet.fortigate.policyid: "{{parsed_event.message.policyid}}"
           fortinet.fortigate.poluuid: "{{parsed_event.message.poluuid}}"
           network.forwarded_ip: "{{parsed_event.message.forwardedfor}}"
+          group.name: "{{parsed_event.message.group}}"
 
       - set:
           fortinet.fortigate.poluuid: "{{parsed_event.message.uuid}}"

diff --git a/Fortinet/fortigate/tests/test_group_field.json b/Fortinet/fortigate/tests/test_group_field.json
@@ -0,0 +1,14 @@
+{
+  "input": {
+    "sekoiaio": {
+      "intake": {
+        "dialect": "Fortinet FortiGate",
+        "dialect_uuid": "5702ae4e-7d8a-455f-a47b-ef64dd87c981"
+      }
+    },
+    "message": "time=09:35:30 devname=\"eee-111-111-ff-11\" devid=\"FG00000000000000\" eventtime=1735202130361752831 tz=\"+0100\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"EFF\" srcip=1.2.3.4 srcport=10000 srcintf=\"EFF-WAN-0000\" srcintfrole=\"lan\" dstip=5.6.7.8 dstport=443 dstintf=\"EFF-DMZ-0000\" dstintfrole=\"lan\" srccountry=\"France\" dstcountry=\"France\" sessionid=400190000 proto=6 action=\"client-rst\" policyid=1018 policytype=\"policy\" poluuid=\"38fa6456-a819-51ef-3c99-000000000000000000\" service=\"HTTPS\" trandisp=\"dnat\" tranip=1.2.3.4 tranport=443 duration=6 sentbyte=100 rcvdbyte=52 sentpkt=2 rcvdpkt=1 appcat=\"unscanned\""
+  },
+  "expected": {
+    "message": "time=09:35:30 devname=\"eee-111-111-ff-11\" devid=\"FG00000000000000\" eventtime=1735202130361752831 tz=\"+0100\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"EFF\" srcip=1.2.3.4 srcport=10000 srcintf=\"EFF-WAN-0000\" srcintfrole=\"lan\" dstip=5.6.7.8 dstport=443 dstintf=\"EFF-DMZ-0000\" dstintfrole=\"lan\" srccountry=\"France\" dstcountry=\"France\" sessionid=400190000 proto=6 action=\"client-rst\" policyid=1018 policytype=\"policy\" poluuid=\"38fa6456-a819-51ef-3c99-000000000000000000\" service=\"HTTPS\" trandisp=\"dnat\" tranip=1.2.3.4 tranport=443 duration=6 sentbyte=100 rcvdbyte=52 sentpkt=2 rcvdpkt=1 appcat=\"unscanned\""
+  }
+}
diff --git a/Fortinet/fortigate/tests/test_group_field_1.json b/Fortinet/fortigate/tests/test_group_field_1.json
@@ -0,0 +1,14 @@
+{
+  "input": {
+    "sekoiaio": {
+      "intake": {
+        "dialect": "Fortinet FortiGate",
+        "dialect_uuid": "5702ae4e-7d8a-455f-a47b-ef64dd87c981"
+      }
+    },
+    "message": "time=14:53:11 devname=\"FFF00D_TEST02\" devid=\"FGT3HD300000000\" eventtime=1735000001620000000 tz=\"+0100\" logid=\"0000000010\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=1.2.3.4 srcport=50000 srcintf=\"ssl.root\" srcintfrole=\"undefined\" dstip=5.6.5.7 dstport=80 dstintf=\"VPNM-TEST\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=100100046 proto=6 action=\"close\" policyid=274 policytype=\"policy\" poluuid=\"ac8ed64c-54e7-51eb-3525-d610000000000\" user=\"[email protected]\" group=\"TEST-SAML\" authserver=\"azure-saml\" service=\"HTTP\" trandisp=\"snat\" transip=1.0.5.8 transport=50066 duration=7 sentbyte=18800 rcvdbyte=7900 sentpkt=30 rcvdpkt=29 vpn=\"VPNM-TEST\" vpntype=\"ipsec-static\" appcat=\"unscanned\""
+  },
+  "expected": {
+    "message": "time=14:53:11 devname=\"FFF00D_TEST02\" devid=\"FGT3HD300000000\" eventtime=1735000001620000000 tz=\"+0100\" logid=\"0000000010\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=1.2.3.4 srcport=50000 srcintf=\"ssl.root\" srcintfrole=\"undefined\" dstip=5.6.5.7 dstport=80 dstintf=\"VPNM-TEST\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=100100046 proto=6 action=\"close\" policyid=274 policytype=\"policy\" poluuid=\"ac8ed64c-54e7-51eb-3525-d610000000000\" user=\"[email protected]\" group=\"TEST-SAML\" authserver=\"azure-saml\" service=\"HTTP\" trandisp=\"snat\" transip=1.0.5.8 transport=50066 duration=7 sentbyte=18800 rcvdbyte=7900 sentpkt=30 rcvdpkt=29 vpn=\"VPNM-TEST\" vpntype=\"ipsec-static\" appcat=\"unscanned\""
+  }
+}