[fortinet_fortimanager] Add more ECS fields mappings (#11237)
* [fortinet_fortimanager] Add more ECS field mappings * Update changelog with PR number * Map appcat to rule.category * Map srcname/dstname to source.address/destination.address instead
Showing
7 changed files
with
651 additions
and
1 deletion.
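--- a/fortinet_fortimanager/data_stream/log/_dev/test/pipeline/test-fortimanager-additional.log
+++ b/fortinet_fortimanager/data_stream/log/_dev/test/pipeline/test-fortimanager-additional.log
@@ -0,0 +1,5 @@
+<189>logver=702081639 timestamp=1722245274 devname="xxxxx" devid="xxxxx" vd="root" date=2024-07-29 time=09:27:54 eventtime=1722238073918993547 tz="+0200" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=175.16.199.1 srcname="175.16.199.1" srcport=62575 srcintf="ssl.root" srcintfrole="undefined" dstip=175.16.199.1 dstname="xgsasnyjyr28o9r9ew9.karma.college" dstport=443 dstintf="port2" dstintfrole="wan" srccountry="Reserved" dstcountry="United States" sessionid=123029078 proto=6 action="close" policyid=111111 policytype="policy" poluuid="aaaaaaaa" user="wn00225617" group="U-1870-Employees" authserver="H-I-FOC-radius" centralnatid=5 service="HTTPS" trandisp="snat" transip=175.16.199.1 transport=62575 appid=34231 app="Microsoft.Portal" appcat="Collaboration" apprisk="elevated" applist="app_aaaaa" duration=13 sentbyte=8105 rcvdbyte=12539 sentpkt=25 rcvdpkt=30 vwlid=0 utmaction="allow" countapp=2
+<189>logver=702081639 timestamp=1722245274 devname="xxxxx" devid="xxxxx" vd="root" date=2024-07-29 time=09:27:54 eventtime=1722238074076487911 tz="+0200" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=175.16.199.1 srcname="AWCMGVSTUUUTYZI" srcport=60309 srcintf="vl6" srcintfrole="lan" dstip=175.16.199.1 dstname="xgsasnyjyr28o9r9ew9.karma.college" dstport=443 dstintf="port1" dstintfrole="wan" srccountry="Reserved" dstcountry="United States" sessionid=1074259404 proto=6 action="server-rst" policyid=15 policytype="policy" poluuid="aaaaaaaa" policyname="Default internet access" centralnatid=6 service="HTTPS" trandisp="snat" transip=175.16.199.1 transport=60309 appid=16190 app="Microsoft.SharePoint" appcat="Collaboration" apprisk="elevated" applist="app_aaaaa" duration=73 sentbyte=3234 rcvdbyte=33392 sentpkt=18 rcvdpkt=32 vwlid=0 utmaction="allow" countapp=1 srchwvendor="Dell" osname="Windows" srcswversion="10" unauthuser="AnzenbSt" unauthusersource="kerberos" mastersrcmac="12:47:c3:12:11:11" srcmac="22:47:22:bb:11:11" srcserver=0
+<190>logver=702081639 timestamp=1722245274 devname="xxxxx" devid="xxxxx" vd="root" date=2024-07-29 time=09:27:54 eventtime=1722238074067757494 tz="+0200" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" appid=1111 srcip=175.16.199.1 srccountry="Reserved" dstip=175.16.199.1 dstcountry="Austria" srcport=51826 dstport=443 srcintf="vl6" srcintfrole="lan" dstintf="port1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=15 poluuid="aaaaaaaa" policytype="policy" sessionid=111111111 applist="app_aaaaa" action="pass" appcat="Collaboration" app="Microsoft.Portal" hostname="k4gt.grand.investments" incidentserialno=43434 url="/" msg="Collaboration: Microsoft.Portal" apprisk="elevated" scertcname="biyg5nym.juliet.blackfriday" scertissuer="Microsoft Azure ECC TLS Issuing CA 03"
+<189>logver=702081639 timestamp=1722245274 devname="xxxxx" devid="xxxxx" vd="root" date=2024-07-29 time=09:27:54 eventtime=1722238073977425432 tz="+0200" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=175.16.199.1 srcname="175.16.199.1" srcport=45689 srcintf="port1" srcintfrole="wan" dstip=89.160.20.112 dstname="175.16.199.1" dstport=9844 dstintf="vl203" dstintfrole="undefined" srccountry="Russian Federation" dstcountry="Austria" sessionid=1074366084 proto=6 action="deny" policyid=156 policytype="policy" poluuid="aaaaaaa" policyname="Block countries" service="tcp/6554" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=30 craction=43434 crlevel="high"
+<190>logver=702081639 timestamp=1722245274 devname="xxxxx" devid="xxxxx" vd="root" date=2024-07-29 time=09:27:54 eventtime=1722238074077898858 tz="+0200" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" appid=1111 srcip=175.16.199.1 srccountry="Reserved" dstip=175.16.199.1 dstcountry="France" srcport=61284 dstport=443 srcintf="vl4" srcintfrole="lan" dstintf="port1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=15 poluuid="aaaaaaaa" policytype="policy" sessionid=3333333 applist="app_aaaaa" action="pass" appcat="General.Interest" app="Windows.Push.Notification" hostname="vgq67oov6jz.tomato.bz" incidentserialno=343434 url="/" msg="General.Interest: Windows.Push.Notification" apprisk="elevated" scertcname="*.yz9ky79xdl9bwunf9juzqmj.never.mm" scertissuer="Microsoft Azure RSA TLS Issuing CA 08"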
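Review bot: Several identity-bearing values in the first two sample lines — `user="wn00225617"`, `group="U-1870-Employees"`, `authserver="H-I-FOC-radius"`, `unauthuser="AnzenbSt"`, and the `mastersrcmac`/`srcmac` addresses — are noticeably less synthetic-looking than the rest of the fixture (devname/devid are `xxxxx`, poluuid is `aaaaaaaa`, hostnames are generator-style), so please confirm they were anonymized before this lands in a public test corpus. Separately, the fourth line carries `dstname="175.16.199.1"` next to `dstip=89.160.20.112`; since this change maps dstname to `destination.address`, that sample will yield a `destination.address` that disagrees with `destination.ip`, which is useful coverage if deliberate but looks like a copy-paste slip if not. If it is intentional, a short note in the expected-output file's accompanying description (or a fixture comment, if the harness tolerates one) saying the IP-literal name is exercised on purpose would save the next maintainer from "fixing" it.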