Hi all,

There seems to be an issue on the following line:
https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsFortinetFortigate.yaml#L159

The DeviceProduct field is not always populated with the value 'Fortigate'; sometimes the value contains the product's series name (e.g. 'FortiGate-400F'). I suppose this is different per FortiOS version.

The following line should solve this issue:

```kql
| where DeviceVendor == "Fortinet" and DeviceProduct startswith_cs "FortiGate"
```

Also, the following line:
https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsFortinetFortigate.yaml#L160
filters correctly for the DNS ids, but it seems that on some versions another representation of the id is being parsed for this field. I suppose that the first part of this 10-digit representation is somehow related to these log id definitions (https://docs.fortinet.com/document/fortigate/7.6.1/fortios-log-message-reference/656858/log-id-definitions#:~:text=pfcp%2Dall%3A%201-,dns%3A%2015,-dns%2Dquery%3A%200), but still these events are filtered out by ASIM.

Until now I've discovered this mapping between these representations:

```
1500054000 -> 54000
1501054200 -> 54200
1501054601 -> 54601
1501054800 -> 54800
1501054802 -> 54802
```

but I am not sure about the rest of the ids:

```
54400
54401
54600
54803
54804
54805
54801
```

However, I think the following line solves this problem:

```kql
| where DeviceEventClassID endswith_cs "54000" or
DeviceEventClassID endswith_cs "54200" or
DeviceEventClassID endswith_cs "54400" or
DeviceEventClassID endswith_cs "54401" or
DeviceEventClassID endswith_cs "54600" or
DeviceEventClassID endswith_cs "54601" or
DeviceEventClassID endswith_cs "54801" or
DeviceEventClassID endswith_cs "54802" or
DeviceEventClassID endswith_cs "54803" or
DeviceEventClassID endswith_cs "54804" or
DeviceEventClassID endswith_cs "54805"
```

Thanks in advance,
Christos Giampoulakis
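Added illustration, not part of the issue and not the ASIM parser's own code: the Python below replays three filter predicates over a handful of constructed CommonSecurityLog-style records so the effect of the proposed change can be checked offline. `strict_filter` is an assumed model of the current behaviour the issue describes (exact product name, exact 5-digit id); `proposed_filter` mirrors the `startswith_cs` / `endswith_cs` lines proposed above; `tightened_filter` and `tightened_kql` are my own variant, not anything from the parser. Two caveats the replay makes visible: if the product field really arrives spelled 'Fortigate' on some versions, as the issue quotes it, the case-sensitive `startswith_cs "FortiGate"` drops those rows, whereas the case-insensitive `startswith` keeps both spellings; and a bare `endswith_cs "54000"` also matches any other id that happens to end in those digits, so restricting the suffix check to 10-digit ids (the only form the issue's mapping shows) narrows it. The non-DNS ids in the sample events are constructed, not taken from FortiOS documentation.

```python
"""Replays the DNS filter from the issue over constructed FortiGate events.

Added illustration, not the ASIM parser's own code. strict_filter is an
assumed model of the current check; proposed_filter mirrors the issue's
startswith_cs / endswith_cs proposal; tightened_filter is an alternative.
Every event below is constructed for this example.
"""

# The 11 DNS log ids listed in the issue (5-digit form).
DNS_LOG_IDS = ("54000", "54200", "54400", "54401", "54600", "54601",
               "54801", "54802", "54803", "54804", "54805")

# Constructed CommonSecurityLog-style records: only the three fields the
# filter looks at. Ids other than the DNS ones are made up for the example.
SAMPLE_EVENTS = [
    {"DeviceVendor": "Fortinet", "DeviceProduct": "Fortigate",      "DeviceEventClassID": "54000"},
    {"DeviceVendor": "Fortinet", "DeviceProduct": "FortiGate-400F", "DeviceEventClassID": "1500054000"},
    {"DeviceVendor": "Fortinet", "DeviceProduct": "FortiGate-400F", "DeviceEventClassID": "1501054802"},
    {"DeviceVendor": "Fortinet", "DeviceProduct": "FortiGate-400F", "DeviceEventClassID": "1501000013"},  # constructed non-DNS id
    {"DeviceVendor": "Fortinet", "DeviceProduct": "FortiAnalyzer",  "DeviceEventClassID": "54000"},
    {"DeviceVendor": "Fortinet", "DeviceProduct": "FortiGate-400F", "DeviceEventClassID": "154000"},      # constructed 6-digit id
]


def strict_filter(ev):
    """(a) Exact product name and exact 5-digit id (assumed current behaviour)."""
    return (ev["DeviceVendor"] == "Fortinet"
            and ev["DeviceProduct"] == "Fortigate"
            and ev["DeviceEventClassID"] in DNS_LOG_IDS)


def proposed_filter(ev):
    """(b) The issue's proposal: startswith_cs on the product, endswith_cs on the id."""
    cid = ev["DeviceEventClassID"]
    return (ev["DeviceVendor"] == "Fortinet"
            and ev["DeviceProduct"].startswith("FortiGate")      # case-sensitive, like startswith_cs
            and any(cid.endswith(i) for i in DNS_LOG_IDS))        # like the chain of endswith_cs


def tightened_filter(ev):
    """(c) Case-insensitive product prefix; the id must be a listed 5-digit id or a
    10-digit id whose last five digits are one (the mapping shown in the issue)."""
    cid = ev["DeviceEventClassID"]
    id_ok = cid in DNS_LOG_IDS or (len(cid) == 10 and cid[-5:] in DNS_LOG_IDS)
    return (ev["DeviceVendor"] == "Fortinet"
            and ev["DeviceProduct"].lower().startswith("fortigate")  # like KQL startswith (no _cs)
            and id_ok)


def apply_filter(predicate, events):
    """Return the DeviceEventClassID of every event the predicate keeps, in input order."""
    return [ev["DeviceEventClassID"] for ev in events if predicate(ev)]


def tightened_kql():
    """KQL equivalent of tightened_filter (my wording, not taken from the parser)."""
    ids = ", ".join(f'"{i}"' for i in DNS_LOG_IDS)
    return (
        '| where DeviceVendor == "Fortinet" and DeviceProduct startswith "FortiGate"\n'
        f'| where DeviceEventClassID in ({ids})\n'
        f'    or (strlen(DeviceEventClassID) == 10 and substring(DeviceEventClassID, 5) in ({ids}))'
    )


if __name__ == "__main__":
    for name, pred in (("strict", strict_filter), ("proposed", proposed_filter),
                       ("tightened", tightened_filter)):
        print(f"{name:>9}: keeps {apply_filter(pred, SAMPLE_EVENTS)}")
    print(tightened_kql())
```

Running it shows the strict predicate keeping only the `Fortigate`/`54000` row, the proposed predicate picking up the 10-digit ids but dropping the `Fortigate` spelling and accepting the constructed `154000`, and the tightened predicate keeping exactly the three DNS rows. The `substring(DeviceEventClassID, 5)` in the generated KQL takes the last five characters of a 10-character id, which is the relation the issue's mapping table shows.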