From a788bf9ec0a05f83eebb3de198f9f45214c500ac Mon Sep 17 00:00:00 2001
From: Aleksandr Maus
Date: Tue, 24 Sep 2024 14:32:53 -0400
Subject: [PATCH] [fortinet_fortimanager] Add more ECS fields mappings (#11237)
* [fortinet_fortimanager] Add more ECS fields mappings
* Update changelog with PR number
* Map appcat to rule.category
* Map srcname/dstname to source.address/destination.address instead
---
 packages/fortinet_fortimanager/changelog.yml | 5 +
 .../pipeline/test-fortimanager-additional.log | 5 +
 ...-fortimanager-additional.log-expected.json | 401 ++++++++++++++++++
 .../elasticsearch/ingest_pipeline/default.yml | 179 ++++++++
 .../data_stream/log/fields/fields.yml | 45 ++
 packages/fortinet_fortimanager/docs/README.md | 15 +
 packages/fortinet_fortimanager/manifest.yml | 2 +-
 7 files changed, 651 insertions(+), 1 deletion(-)
 create mode 100644 packages/fortinet_fortimanager/data_stream/log/_dev/test/pipeline/test-fortimanager-additional.log
 create mode 100644 packages/fortinet_fortimanager/data_stream/log/_dev/test/pipeline/test-fortimanager-additional.log-expected.json
diff --git a/packages/fortinet_fortimanager/changelog.yml b/packages/fortinet_fortimanager/changelog.yml
index dd3e16b6a7a..2675bd28394 100644
--- a/packages/fortinet_fortimanager/changelog.yml
+++ b/packages/fortinet_fortimanager/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.13.0"
+ changes:
+ - description: Add more ECS fields mappings.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/11237
 - version: "2.12.0"
 changes:
 - description: Switch from KV to Script processors to improve ingest performance.
diff --git a/packages/fortinet_fortimanager/data_stream/log/_dev/test/pipeline/test-fortimanager-additional.log b/packages/fortinet_fortimanager/data_stream/log/_dev/test/pipeline/test-fortimanager-additional.log
new file mode 100644
index 00000000000..02788dfc5ea
--- /dev/null
+++ b/packages/fortinet_fortimanager/data_stream/log/_dev/test/pipeline/test-fortimanager-additional.log 
@@ -0,0 +1,5 @@
+<189>logver=702081639 timestamp=1722245274 devname="xxxxx" devid="xxxxx" vd="root" date=2024-07-29 time=09:27:54 eventtime=1722238073918993547 tz="+0200" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=175.16.199.1 srcname="175.16.199.1" srcport=62575 srcintf="ssl.root" srcintfrole="undefined" dstip=175.16.199.1 dstname="xgsasnyjyr28o9r9ew9.karma.college" dstport=443 dstintf="port2" dstintfrole="wan" srccountry="Reserved" dstcountry="United States" sessionid=123029078 proto=6 action="close" policyid=111111 policytype="policy" poluuid="aaaaaaaa" user="wn00225617" group="U-1870-Employees" authserver="H-I-FOC-radius" centralnatid=5 service="HTTPS" trandisp="snat" transip=175.16.199.1 transport=62575 appid=34231 app="Microsoft.Portal" appcat="Collaboration" apprisk="elevated" applist="app_aaaaa" duration=13 sentbyte=8105 rcvdbyte=12539 sentpkt=25 rcvdpkt=30 vwlid=0 utmaction="allow" countapp=2
+<189>logver=702081639 timestamp=1722245274 devname="xxxxx" devid="xxxxx" vd="root" date=2024-07-29 time=09:27:54 eventtime=1722238074076487911 tz="+0200" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=175.16.199.1 srcname="AWCMGVSTUUUTYZI" srcport=60309 srcintf="vl6" srcintfrole="lan" dstip=175.16.199.1 dstname="xgsasnyjyr28o9r9ew9.karma.college" dstport=443 dstintf="port1" dstintfrole="wan" srccountry="Reserved" dstcountry="United States" sessionid=1074259404 proto=6 action="server-rst" policyid=15 policytype="policy" poluuid="aaaaaaaa" policyname="Default internet access" centralnatid=6 service="HTTPS" trandisp="snat" transip=175.16.199.1 transport=60309 appid=16190 app="Microsoft.SharePoint" appcat="Collaboration" apprisk="elevated" applist="app_aaaaa" duration=73 sentbyte=3234 rcvdbyte=33392 sentpkt=18 rcvdpkt=32 vwlid=0 utmaction="allow" countapp=1 srchwvendor="Dell" osname="Windows" srcswversion="10" unauthuser="AnzenbSt" unauthusersource="kerberos" mastersrcmac="12:47:c3:12:11:11" srcmac="22:47:22:bb:11:11" srcserver=0
+<190>logver=702081639 timestamp=1722245274 devname="xxxxx" devid="xxxxx" vd="root" date=2024-07-29 time=09:27:54 eventtime=1722238074067757494 tz="+0200" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" appid=1111 srcip=175.16.199.1 srccountry="Reserved" dstip=175.16.199.1 dstcountry="Austria" srcport=51826 dstport=443 srcintf="vl6" srcintfrole="lan" dstintf="port1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=15 poluuid="aaaaaaaa" policytype="policy" sessionid=111111111 applist="app_aaaaa" action="pass" appcat="Collaboration" app="Microsoft.Portal" hostname="k4gt.grand.investments" incidentserialno=43434 url="/" msg="Collaboration: Microsoft.Portal" apprisk="elevated" scertcname="biyg5nym.juliet.blackfriday" scertissuer="Microsoft Azure ECC TLS Issuing CA 03"
+<189>logver=702081639 timestamp=1722245274 devname="xxxxx" devid="xxxxx" vd="root" date=2024-07-29 time=09:27:54 eventtime=1722238073977425432 tz="+0200" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=175.16.199.1 srcname="175.16.199.1" srcport=45689 srcintf="port1" srcintfrole="wan" dstip=89.160.20.112 dstname="175.16.199.1" dstport=9844 dstintf="vl203" dstintfrole="undefined" srccountry="Russian Federation" dstcountry="Austria" sessionid=1074366084 proto=6 action="deny" policyid=156 policytype="policy" poluuid="aaaaaaa" policyname="Block countries" service="tcp/6554" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=30 craction=43434 crlevel="high"
+<190>logver=702081639 timestamp=1722245274 devname="xxxxx" devid="xxxxx" vd="root" date=2024-07-29 time=09:27:54 eventtime=1722238074077898858 tz="+0200" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" appid=1111 srcip=175.16.199.1 srccountry="Reserved" dstip=175.16.199.1 dstcountry="France" srcport=61284 dstport=443 srcintf="vl4" srcintfrole="lan" dstintf="port1" dstintfrole="wan" proto=6 service="SSL" direction="outgoing" policyid=15 poluuid="aaaaaaaa" policytype="policy" sessionid=3333333 applist="app_aaaaa" action="pass" appcat="General.Interest" app="Windows.Push.Notification" hostname="vgq67oov6jz.tomato.bz" incidentserialno=343434 url="/" msg="General.Interest: Windows.Push.Notification" apprisk="elevated" scertcname="*.yz9ky79xdl9bwunf9juzqmj.never.mm" scertissuer="Microsoft Azure RSA TLS Issuing CA 08"
diff --git a/packages/fortinet_fortimanager/data_stream/log/_dev/test/pipeline/test-fortimanager-additional.log-expected.json b/packages/fortinet_fortimanager/data_stream/log/_dev/test/pipeline/test-fortimanager-additional.log-expected.json
new file mode 100644
index 00000000000..04adbab13fb
--- /dev/null
+++ b/packages/fortinet_fortimanager/data_stream/log/_dev/test/pipeline/test-fortimanager-additional.log-expected.json
@@ -0,0 +1,401 @@ +{ + "expected": [ + { + "@timestamp": "2024-07-29T07:27:54.000Z", + "destination": { + "address": "xgsasnyjyr28o9r9ew9.karma.college", + "bytes": 12539, + "geo": { + "country_name": "United States" + }, + "ip": "175.16.199.1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "close", + "kind": "event", + "original": "<189>logver=702081639 timestamp=1722245274 devname=\"xxxxx\" devid=\"xxxxx\" vd=\"root\" date=2024-07-29 time=09:27:54 eventtime=1722238073918993547 tz=\"+0200\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" srcip=175.16.199.1 srcname=\"175.16.199.1\" srcport=62575 srcintf=\"ssl.root\" srcintfrole=\"undefined\" dstip=175.16.199.1 dstname=\"xgsasnyjyr28o9r9ew9.karma.college\" dstport=443 dstintf=\"port2\" dstintfrole=\"wan\" srccountry=\"Reserved\" dstcountry=\"United States\" sessionid=123029078 proto=6 action=\"close\" policyid=111111 policytype=\"policy\" poluuid=\"aaaaaaaa\" user=\"wn00225617\" group=\"U-1870-Employees\" authserver=\"H-I-FOC-radius\" centralnatid=5 service=\"HTTPS\" trandisp=\"snat\" transip=175.16.199.1 transport=62575 appid=34231 app=\"Microsoft.Portal\" appcat=\"Collaboration\" apprisk=\"elevated\" applist=\"app_aaaaa\" duration=13 sentbyte=8105 rcvdbyte=12539 sentpkt=25 rcvdpkt=30 vwlid=0 utmaction=\"allow\" countapp=2", + "timezone": "+0200", + "type": [ + "info" + ] + }, + "fortimanager": { + "log": { + "action": "close", + "app": "Microsoft.Portal", + "appcat": "Collaboration", + "apprisk": "elevated", + "date": "2024-07-29T07:27:54.000Z", + "dev": { + "id": "xxxxx", + "name": "xxxxx" + }, + "dstcountry": "United States", + "dstip": "175.16.199.1", + "dstname": "xgsasnyjyr28o9r9ew9.karma.college", + "id": "0000000013", + "level": "notice", + "priority_number": 189, + "rcvdbyte": 12539, + "sentbyte": 8105, + "service": "HTTPS", + "srcip": "175.16.199.1", + "srcname": "175.16.199.1", + "srcport": 62575, + "subtype": "forward", + "type": "traffic", + "user": { + 
"name": "wn00225617" + }, + "vdom": "root" + } + }, + "host": { + "hostname": "xxxxx" + }, + "log": { + "level": "notice" + }, + "related": { + "hosts": [ + "xxxxx" + ], + "user": [ + "wn00225617" + ] + }, + "rule": { + "category": "Collaboration" + }, + "source": { + "address": "175.16.199.1", + "bytes": 8105, + "ip": "175.16.199.1", + "port": 62575 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "wn00225617" + } + }, + { + "@timestamp": "2024-07-29T07:27:54.000Z", + "destination": { + "address": "xgsasnyjyr28o9r9ew9.karma.college", + "bytes": 33392, + "geo": { + "country_name": "United States" + }, + "ip": "175.16.199.1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "server-rst", + "kind": "event", + "original": "<189>logver=702081639 timestamp=1722245274 devname=\"xxxxx\" devid=\"xxxxx\" vd=\"root\" date=2024-07-29 time=09:27:54 eventtime=1722238074076487911 tz=\"+0200\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" srcip=175.16.199.1 srcname=\"AWCMGVSTUUUTYZI\" srcport=60309 srcintf=\"vl6\" srcintfrole=\"lan\" dstip=175.16.199.1 dstname=\"xgsasnyjyr28o9r9ew9.karma.college\" dstport=443 dstintf=\"port1\" dstintfrole=\"wan\" srccountry=\"Reserved\" dstcountry=\"United States\" sessionid=1074259404 proto=6 action=\"server-rst\" policyid=15 policytype=\"policy\" poluuid=\"aaaaaaaa\" policyname=\"Default internet access\" centralnatid=6 service=\"HTTPS\" trandisp=\"snat\" transip=175.16.199.1 transport=60309 appid=16190 app=\"Microsoft.SharePoint\" appcat=\"Collaboration\" apprisk=\"elevated\" applist=\"app_aaaaa\" duration=73 sentbyte=3234 rcvdbyte=33392 sentpkt=18 rcvdpkt=32 vwlid=0 utmaction=\"allow\" countapp=1 srchwvendor=\"Dell\" osname=\"Windows\" srcswversion=\"10\" unauthuser=\"AnzenbSt\" unauthusersource=\"kerberos\" mastersrcmac=\"12:47:c3:12:11:11\" srcmac=\"22:47:22:bb:11:11\" srcserver=0", + "timezone": "+0200", + "type": [ + "info" + ] + }, 
+ "fortimanager": { + "log": { + "action": "server-rst", + "app": "Microsoft.SharePoint", + "appcat": "Collaboration", + "apprisk": "elevated", + "date": "2024-07-29T07:27:54.000Z", + "dev": { + "id": "xxxxx", + "name": "xxxxx" + }, + "dstcountry": "United States", + "dstip": "175.16.199.1", + "dstname": "xgsasnyjyr28o9r9ew9.karma.college", + "id": "0000000013", + "level": "notice", + "osname": "Windows", + "priority_number": 189, + "rcvdbyte": 33392, + "sentbyte": 3234, + "service": "HTTPS", + "srcip": "175.16.199.1", + "srcname": "AWCMGVSTUUUTYZI", + "srcport": 60309, + "subtype": "forward", + "type": "traffic", + "unauthuser": "AnzenbSt", + "vdom": "root" + } + }, + "host": { + "hostname": "xxxxx" + }, + "log": { + "level": "notice" + }, + "os": { + "name": "Windows" + }, + "related": { + "hosts": [ + "xxxxx" + ], + "user": [ + "AnzenbSt" + ] + }, + "rule": { + "category": "Collaboration" + }, + "source": { + "address": "AWCMGVSTUUUTYZI", + "bytes": 3234, + "ip": "175.16.199.1", + "port": 60309 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "AnzenbSt" + } + }, + { + "@timestamp": "2024-07-29T07:27:54.000Z", + "destination": { + "geo": { + "country_name": "Austria" + }, + "ip": "175.16.199.1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "pass", + "kind": "event", + "original": "<190>logver=702081639 timestamp=1722245274 devname=\"xxxxx\" devid=\"xxxxx\" vd=\"root\" date=2024-07-29 time=09:27:54 eventtime=1722238074067757494 tz=\"+0200\" logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"signature\" level=\"information\" appid=1111 srcip=175.16.199.1 srccountry=\"Reserved\" dstip=175.16.199.1 dstcountry=\"Austria\" srcport=51826 dstport=443 srcintf=\"vl6\" srcintfrole=\"lan\" dstintf=\"port1\" dstintfrole=\"wan\" proto=6 service=\"SSL\" direction=\"outgoing\" policyid=15 poluuid=\"aaaaaaaa\" policytype=\"policy\" sessionid=111111111 applist=\"app_aaaaa\" 
action=\"pass\" appcat=\"Collaboration\" app=\"Microsoft.Portal\" hostname=\"k4gt.grand.investments\" incidentserialno=43434 url=\"/\" msg=\"Collaboration: Microsoft.Portal\" apprisk=\"elevated\" scertcname=\"biyg5nym.juliet.blackfriday\" scertissuer=\"Microsoft Azure ECC TLS Issuing CA 03\"", + "timezone": "+0200", + "type": [ + "info" + ] + }, + "fortimanager": { + "log": { + "action": "pass", + "app": "Microsoft.Portal", + "appcat": "Collaboration", + "apprisk": "elevated", + "date": "2024-07-29T07:27:54.000Z", + "dev": { + "id": "xxxxx", + "name": "xxxxx" + }, + "direction": "outgoing", + "dstcountry": "Austria", + "dstip": "175.16.199.1", + "id": "1059028704", + "level": "information", + "msg": "Collaboration: Microsoft.Portal", + "priority_number": 190, + "service": "SSL", + "srcip": "175.16.199.1", + "srcport": 51826, + "subtype": "app-ctrl", + "type": "utm", + "url": "/", + "vdom": "root" + } + }, + "host": { + "hostname": "xxxxx" + }, + "log": { + "level": "information" + }, + "message": "Collaboration: Microsoft.Portal", + "network": { + "direction": "outbound" + }, + "related": { + "hosts": [ + "xxxxx" + ] + }, + "rule": { + "category": "Collaboration" + }, + "source": { + "ip": "175.16.199.1", + "port": 51826 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-07-29T07:27:54.000Z", + "destination": { + "address": "175.16.199.1", + "bytes": 0, + "geo": { + "country_name": "Austria" + }, + "ip": "89.160.20.112" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "deny", + "kind": "event", + "original": "<189>logver=702081639 timestamp=1722245274 devname=\"xxxxx\" devid=\"xxxxx\" vd=\"root\" date=2024-07-29 time=09:27:54 eventtime=1722238073977425432 tz=\"+0200\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" srcip=175.16.199.1 srcname=\"175.16.199.1\" srcport=45689 srcintf=\"port1\" srcintfrole=\"wan\" dstip=89.160.20.112 dstname=\"175.16.199.1\" 
dstport=9844 dstintf=\"vl203\" dstintfrole=\"undefined\" srccountry=\"Russian Federation\" dstcountry=\"Austria\" sessionid=1074366084 proto=6 action=\"deny\" policyid=156 policytype=\"policy\" poluuid=\"aaaaaaa\" policyname=\"Block countries\" service=\"tcp/6554\" trandisp=\"noop\" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat=\"unscanned\" crscore=30 craction=43434 crlevel=\"high\"", + "timezone": "+0200", + "type": [ + "info" + ] + }, + "fortimanager": { + "log": { + "action": "deny", + "appcat": "unscanned", + "crlevel": "high", + "crscore": 30, + "date": "2024-07-29T07:27:54.000Z", + "dev": { + "id": "xxxxx", + "name": "xxxxx" + }, + "dstcountry": "Austria", + "dstip": "89.160.20.112", + "dstname": "175.16.199.1", + "id": "0000000013", + "level": "notice", + "priority_number": 189, + "rcvdbyte": 0, + "sentbyte": 0, + "service": "tcp/6554", + "srcip": "175.16.199.1", + "srcname": "175.16.199.1", + "srcport": 45689, + "subtype": "forward", + "type": "traffic", + "vdom": "root" + } + }, + "host": { + "hostname": "xxxxx" + }, + "log": { + "level": "notice" + }, + "related": { + "hosts": [ + "xxxxx" + ] + }, + "risk": { + "static_level": "high", + "static_score_norm": 30 + }, + "rule": { + "category": "unscanned" + }, + "source": { + "address": "175.16.199.1", + "bytes": 0, + "ip": "175.16.199.1", + "port": 45689 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-07-29T07:27:54.000Z", + "destination": { + "geo": { + "country_name": "France" + }, + "ip": "175.16.199.1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "pass", + "kind": "event", + "original": "<190>logver=702081639 timestamp=1722245274 devname=\"xxxxx\" devid=\"xxxxx\" vd=\"root\" date=2024-07-29 time=09:27:54 eventtime=1722238074077898858 tz=\"+0200\" logid=\"1059028704\" type=\"utm\" subtype=\"app-ctrl\" eventtype=\"signature\" level=\"information\" appid=1111 srcip=175.16.199.1 
srccountry=\"Reserved\" dstip=175.16.199.1 dstcountry=\"France\" srcport=61284 dstport=443 srcintf=\"vl4\" srcintfrole=\"lan\" dstintf=\"port1\" dstintfrole=\"wan\" proto=6 service=\"SSL\" direction=\"outgoing\" policyid=15 poluuid=\"aaaaaaaa\" policytype=\"policy\" sessionid=3333333 applist=\"app_aaaaa\" action=\"pass\" appcat=\"General.Interest\" app=\"Windows.Push.Notification\" hostname=\"vgq67oov6jz.tomato.bz\" incidentserialno=343434 url=\"/\" msg=\"General.Interest: Windows.Push.Notification\" apprisk=\"elevated\" scertcname=\"*.yz9ky79xdl9bwunf9juzqmj.never.mm\" scertissuer=\"Microsoft Azure RSA TLS Issuing CA 08\"", + "timezone": "+0200", + "type": [ + "info" + ] + }, + "fortimanager": { + "log": { + "action": "pass", + "app": "Windows.Push.Notification", + "appcat": "General.Interest", + "apprisk": "elevated", + "date": "2024-07-29T07:27:54.000Z", + "dev": { + "id": "xxxxx", + "name": "xxxxx" + }, + "direction": "outgoing", + "dstcountry": "France", + "dstip": "175.16.199.1", + "id": "1059028704", + "level": "information", + "msg": "General.Interest: Windows.Push.Notification", + "priority_number": 190, + "service": "SSL", + "srcip": "175.16.199.1", + "srcport": 61284, + "subtype": "app-ctrl", + "type": "utm", + "url": "/", + "vdom": "root" + } + }, + "host": { + "hostname": "xxxxx" + }, + "log": { + "level": "information" + }, + "message": "General.Interest: Windows.Push.Notification", + "network": { + "direction": "outbound" + }, + "related": { + "hosts": [ + "xxxxx" + ] + }, + "rule": { + "category": "General.Interest" + }, + "source": { + "ip": "175.16.199.1", + "port": 61284 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + } + ] +} \ No newline at end of file diff --git a/packages/fortinet_fortimanager/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/fortinet_fortimanager/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 2ad3f88ae41..6195af4382c 100644 
--- a/packages/fortinet_fortimanager/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/fortinet_fortimanager/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -975,6 +975,172 @@ processors:
 field: _temp.protocol
 target_field: fortimanager.log.protocol
 ignore_missing: true
+ - convert:
+ field: _temp.srcip
+ tag: 'convert_srcip_to_ip'
+ target_field: fortimanager.log.srcip
+ type: ip
+ ignore_missing: true
+ if: ctx._temp?.srcip != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: source.ip
+ copy_from: fortimanager.log.srcip
+ ignore_empty_value: true
+ - rename:
+ field: _temp.srcname
+ target_field: fortimanager.log.srcname
+ ignore_missing: true
+ - set:
+ field: source.address
+ copy_from: fortimanager.log.srcname
+ ignore_empty_value: true
+ - convert:
+ field: _temp.srcport
+ tag: 'convert_srcport'
+ target_field: fortimanager.log.srcport
+ type: long
+ ignore_missing: true
+ if: ctx._temp?.srcport != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: source.port
+ copy_from: fortimanager.log.srcport
+ ignore_empty_value: true
+ - convert:
+ field: _temp.dstip
+ tag: 'convert_dstip_to_ip'
+ target_field: fortimanager.log.dstip
+ type: ip
+ ignore_missing: true
+ if: ctx._temp?.dstip != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: destination.ip
+ copy_from: fortimanager.log.dstip
+ ignore_empty_value: true
+ - rename:
+ field: _temp.dstname
+ target_field: fortimanager.log.dstname
+ ignore_missing: true
+ - set:
+ field: destination.address
+ copy_from: fortimanager.log.dstname
+ ignore_empty_value: true
+ - rename:
+ field: _temp.dstcountry
+ target_field: fortimanager.log.dstcountry
+ ignore_missing: true
+ - set:
+ field: destination.geo.country_name
+ copy_from: fortimanager.log.dstcountry
+ ignore_empty_value: true
+ - rename:
+ field: _temp.unauthuser
+ target_field: fortimanager.log.unauthuser
+ ignore_missing: true
+ - set:
+ field: user.name
+ copy_from: fortimanager.log.unauthuser
+ ignore_empty_value: true
+ - convert:
+ field: _temp.sentbyte
+ tag: 'convert_sentbyte'
+ target_field: fortimanager.log.sentbyte
+ type: long
+ ignore_missing: true
+ if: ctx._temp?.sentbyte != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: source.bytes
+ copy_from: fortimanager.log.sentbyte
+ ignore_empty_value: true
+ - convert:
+ field: _temp.rcvdbyte
+ tag: 'convert_rcvdbyte'
+ target_field: fortimanager.log.rcvdbyte
+ type: long
+ ignore_missing: true
+ if: ctx._temp?.rcvdbyte != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: destination.bytes
+ copy_from: fortimanager.log.rcvdbyte
+ ignore_empty_value: true
+ - rename:
+ field: _temp.osname
+ target_field: fortimanager.log.osname
+ ignore_missing: true
+ - set:
+ field: os.name
+ copy_from: fortimanager.log.osname
+ ignore_empty_value: true
+ - rename:
+ field: _temp.direction
+ target_field: fortimanager.log.direction
+ ignore_missing: true
+ - set:
+ field: network.direction
+ copy_from: fortimanager.log.direction
+ ignore_empty_value: true
+ - set:
+ field: network.direction
+ value: inbound
+ if: ctx.network?.direction == "incoming"
+ - set:
+ field: network.direction
+ value: outbound
+ if: ctx.network?.direction == "outgoing"
+ - rename:
+ field: _temp.crlevel
+ target_field: fortimanager.log.crlevel
+ ignore_missing: true
+ - set:
+ field: risk.static_level
+ copy_from: fortimanager.log.crlevel
+ ignore_empty_value: true
+ - convert:
+ field: _temp.crscore
+ tag: 'convert_crscore'
+ target_field: fortimanager.log.crscore
+ type: long
+ ignore_missing: true
+ if: ctx._temp?.crscore != ''
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ field: risk.static_score_norm
+ copy_from: fortimanager.log.crscore
+ ignore_empty_value: true
+ - rename:
+ field: _temp.apprisk
+ target_field: fortimanager.log.apprisk
+ ignore_missing: true
+ - rename:
+ field: _temp.appcat
+ target_field: fortimanager.log.appcat
+ ignore_missing: true
+ - set:
+ field: rule.category
+ copy_from: fortimanager.log.appcat
+ ignore_empty_value: true
 - set:
 field: network.transport
 copy_from: fortimanager.log.protocol
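Review bot: The new `source.ip` and `destination.ip` values are never appended to `related.ip`; the expected output added by this PR shows `related` carrying only `hosts` and `user` while `source.ip` is populated, so the cross-integration IP pivot that analysts rely on will miss these events. The `dstname` value copied to `destination.address` is a hostname in the samples and is likewise absent from `related.hosts`, though `srcname` is sometimes an IP literal, so only the hostname case belongs there. Appending both IPs after the `set` processors, with `allow_duplicates: false`, closes the gap. A smaller point: `network.direction` is first copied verbatim from `fortimanager.log.direction` and only then rewritten for `incoming`/`outgoing`, so any other vendor value lands in an ECS field with a fixed vocabulary; guarding the verbatim `set` with `if: ctx.fortimanager?.log?.direction == 'incoming' || ctx.fortimanager?.log?.direction == 'outgoing'` keeps it clean. The enclosing `processors` list starts and ends outside this hunk.
```yaml
# … unchanged: convert/set processors for srcip, srcname, srcport, dstip …
- append:
    field: related.ip
    value: '{{{source.ip}}}'
    allow_duplicates: false
    if: ctx.source?.ip != null
- append:
    field: related.ip
    value: '{{{destination.ip}}}'
    allow_duplicates: false
    if: ctx.destination?.ip != null
# … unchanged: dstname, dstcountry, unauthuser and remaining mappings …
```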
@@ -1255,22 +1421,35 @@ processors:
 field:
 - fortimanager.log.action
 - fortimanager.log.adom.name
+ - fortimanager.log.crlevel
+ - fortimanager.log.crscore
 - fortimanager.log.date
 - fortimanager.log.dev.name
 - fortimanager.log.device.id
 - fortimanager.log.device.name
+ - fortimanager.log.direction
+ - fortimanager.log.dstcountry
+ - fortimanager.log.dstip
+ - fortimanager.log.dstname
 - fortimanager.log.end_time
 - fortimanager.log.err_code
 - fortimanager.log.event.id
 - fortimanager.log.file
 - fortimanager.log.level
 - fortimanager.log.msg
+ - fortimanager.log.osname
 - fortimanager.log.pid
 - fortimanager.log.protocol
+ - fortimanager.log.rcvdbyte
 - fortimanager.log.remote.ip
 - fortimanager.log.remote.port
+ - fortimanager.log.sentbyte
 - fortimanager.log.serial
+ - fortimanager.log.srcip
+ - fortimanager.log.srcname
+ - fortimanager.log.srcport
 - fortimanager.log.start_time
+ - fortimanager.log.unauthuser
 - fortimanager.log.user.id
 - fortimanager.log.user.name
 ignore_missing: true
diff --git a/packages/fortinet_fortimanager/data_stream/log/fields/fields.yml b/packages/fortinet_fortimanager/data_stream/log/fields/fields.yml
index 1d663c340d1..c526e209af2 100644
--- a/packages/fortinet_fortimanager/data_stream/log/fields/fields.yml
+++ b/packages/fortinet_fortimanager/data_stream/log/fields/fields.yml
@@ -25,6 +25,12 @@
 - name: app
 type: keyword
 description: Application name.
+ - name: appcat
+ type: keyword
+ description: Application category.
+ - name: apprisk
+ type: keyword
+ description: Application risk.
 - name: attribute_name
 type: keyword
 description: Variable name of which value is changed.
@@ -79,6 +85,12 @@
 - name: cpu_usage
 type: long
 description: CPU usage.
+ - name: crlevel
+ type: keyword
+ description: CR level.
+ - name: crscore
+ type: long
+ description: CR score.
 - name: date
 type: date
 description: "The year, month, and day when the event occurred in the format: YY-MM-DD."
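Review bot: `fortimanager.log.appcat` is copied to `rule.category` in the earlier hunk of this file but is missing from this removal list, unlike every other field the commit duplicates into ECS (`crlevel`, `direction`, `dstip`, `srcname`, …), so it will survive even when the `preserve_duplicate_custom_fields` tag is absent and presumably this processor runs. Adding `- fortimanager.log.appcat` between `adom.name` and `crlevel` keeps the list consistent; `apprisk` has no ECS copy and correctly stays out. The processor's head and its condition are outside this hunk.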
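Review bot: The descriptions `CR level.` and `CR score.` on the new `crlevel`/`crscore` fields only restate the field names; a reader of the generated docs cannot tell what "CR" is or what scale the score uses. If these are FortiOS client-reputation fields, as the `cr` prefix and the neighbouring `craction` in the test log suggest, spell it out: `description: Client reputation level (crlevel).` and `description: Client reputation score (crscore).`. The same scale question matters where default.yml copies `crscore` into `risk.static_score_norm`, which ECS defines as a normalized 0-100 score; confirm the vendor range fits before dashboards depend on it.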
@@ -139,6 +151,9 @@
 - name: offline_duration
 type: keyword
 description: Offline durations of device.
+ - name: direction
+ type: keyword
+ description: Direction.
 - name: disk
 type: group
 fields:
@@ -154,6 +169,15 @@
 - name: current
 type: keyword
 description: RAID disk status after change.
+ - name: dstcountry
+ type: keyword
+ description: Destination country.
+ - name: dstip
+ type: ip
+ description: Destination IP.
+ - name: dstname
+ type: keyword
+ description: Destination name.
 - name: dm_state
 type: keyword
 description: Deployment manager states.
@@ -325,6 +349,9 @@
 - name: oper_stat
 type: keyword
 description: The result of the operation.
+ - name: osname
+ type: keyword
+ description: OS name.
 - name: package
 type: group
 fields:
@@ -424,6 +451,9 @@
 - name: rate_value
 type: long
 description: Log rate.
+ - name: rcvdbyte
+ type: long
+ description: Number of bytes received.
 - name: reboot_reason
 type: keyword
 description: The reason for system reboot.
@@ -481,6 +511,9 @@
 - name: val
 type: keyword
 description: Sensor value.
+ - name: sentbyte
+ type: long
+ description: Number of bytes sent.
 - name: serial
 type: keyword
 description: Serial number of the device.
@@ -499,6 +532,15 @@
 - name: size
 type: long
 description: The size of log file that is rolling and uploaded.
+ - name: srcip
+ type: ip
+ description: Source IP.
+ - name: srcname
+ type: keyword
+ description: Source name.
+ - name: srcport
+ type: long
+ description: Source port.
 - name: start_time
 type: date
 description: Start time of the report.
@@ -535,6 +577,9 @@
 - name: tz
 type: keyword
 description: Event timezone.
+ - name: unauthuser
+ type: keyword
+ description: Unauthenticated user.
 - name: upddb_ver
 type: keyword
 description: Version of the updating database.
diff --git a/packages/fortinet_fortimanager/docs/README.md b/packages/fortinet_fortimanager/docs/README.md
index baae4842b9b..bfaf34609e5 100644
--- a/packages/fortinet_fortimanager/docs/README.md
+++ b/packages/fortinet_fortimanager/docs/README.md
@@ -160,6 +160,8 @@ An example event for `log` looks as following:
 | fortimanager.log.adom.name | The name of admin ADOM. | keyword |
 | fortimanager.log.adom.oid | The OID of target ADOM. | keyword |
 | fortimanager.log.app | Application name. | keyword |
+| fortimanager.log.appcat | Application category. | keyword |
+| fortimanager.log.apprisk | Application risk. | keyword |
 | fortimanager.log.attribute_name | Variable name of which value is changed. | keyword |
 | fortimanager.log.auth_msg | SSH authentication message. | keyword |
 | fortimanager.log.bid | BID. | keyword |
@@ -177,6 +179,8 @@ An example event for `log` looks as following:
 | fortimanager.log.connect_status | Status of connection to the device. | keyword |
 | fortimanager.log.const_msg | Constant message. | keyword |
 | fortimanager.log.cpu_usage | CPU usage. | long |
+| fortimanager.log.crlevel | CR level. | keyword |
+| fortimanager.log.crscore | CR score. | long |
 | fortimanager.log.date | The year, month, and day when the event occurred in the format: YY-MM-DD. | date |
 | fortimanager.log.db.status | DVM device status. | keyword |
 | fortimanager.log.db.ver | The service database version. | keyword |
@@ -193,12 +197,16 @@ An example event for `log` looks as following:
 | fortimanager.log.device_log.last_logging | Last logging device. | keyword |
 | fortimanager.log.device_log.name | Device log name. | keyword |
 | fortimanager.log.device_log.offline_duration | Offline durations of device. | keyword |
+| fortimanager.log.direction | Direction. | keyword |
 | fortimanager.log.disk.label | Raid disk label. | long |
 | fortimanager.log.disk.status.before | RAID disk status before change. | keyword |
 | fortimanager.log.disk.status.current | RAID disk status after change. | keyword |
 | fortimanager.log.dm_state | Deployment manager states. | keyword |
+| fortimanager.log.dstcountry | Destination country. | keyword |
 | fortimanager.log.dste.pid | An identification number for the destination endpoint. | keyword |
 | fortimanager.log.dste.uid | An identification number for the destination end user. | keyword |
+| fortimanager.log.dstip | Destination IP. | ip |
+| fortimanager.log.dstname | Destination name. | keyword |
 | fortimanager.log.dvid | Device id. | keyword |
 | fortimanager.log.dvmdb_obj | Dvm_db object type. | keyword |
 | fortimanager.log.end_time | End time of the report. | date |
@@ -246,6 +254,7 @@ An example event for `log` looks as following:
 | fortimanager.log.old_value | String representation of value before being changed. | keyword |
 | fortimanager.log.oper_stat | The result of the operation. | keyword |
 | fortimanager.log.operation | Operation name. | keyword |
+| fortimanager.log.osname | OS name. | keyword |
 | fortimanager.log.package.desc | Package description. | keyword |
 | fortimanager.log.package.name | Name of package which is installed. | keyword |
 | fortimanager.log.package.type | Identifier of package type. | keyword |
@@ -275,6 +284,7 @@ An example event for `log` looks as following:
 | fortimanager.log.rate_limit | Log rate limit. | long |
 | fortimanager.log.rate_peak | Log rate peak. | long |
 | fortimanager.log.rate_value | Log rate. | long |
+| fortimanager.log.rcvdbyte | Number of bytes received. | long |
 | fortimanager.log.reboot_reason | The reason for system reboot. | keyword |
 | fortimanager.log.remote.filename | Remote filename on server side. | keyword |
 | fortimanager.log.remote.host | Remote host name or host ip in string presentation. | keyword |
@@ -291,12 +301,16 @@ An example event for `log` looks as following:
 | fortimanager.log.sensor.name | Sensor name. | keyword |
 | fortimanager.log.sensor.st | Sensor status. | keyword |
 | fortimanager.log.sensor.val | Sensor value. | keyword |
+| fortimanager.log.sentbyte | Number of bytes sent. | long |
 | fortimanager.log.serial | Serial number of the device. | keyword |
 | fortimanager.log.service | Name of the starting service. | keyword |
 | fortimanager.log.session_id | The session identification number. | keyword |
 | fortimanager.log.setup | Whether it needs to setup or not. | long |
 | fortimanager.log.shutdown_reason | The reason for system shutdown. | keyword |
 | fortimanager.log.size | The size of log file that is rolling and uploaded. | long |
+| fortimanager.log.srcip | Source IP. | ip |
+| fortimanager.log.srcname | Source name. | keyword |
+| fortimanager.log.srcport | Source port. | long |
 | fortimanager.log.start_time | Start time of the report. | date |
 | fortimanager.log.state | The state of the task. | keyword |
 | fortimanager.log.status | Interface/Operation status. | keyword |
@@ -310,6 +324,7 @@ An example event for `log` looks as following:
 | fortimanager.log.type | Log type. | keyword |
 | fortimanager.log.tz | Event timezone. | keyword |
 | fortimanager.log.uid | UID of a fortiClient installation. | keyword |
+| fortimanager.log.unauthuser | Unauthenticated user. | keyword |
 | fortimanager.log.upddb_ver | Version of the updating database. | keyword |
 | fortimanager.log.upg_act | Operation that is failed. | keyword |
 | fortimanager.log.upgrade.adom | The name of ADOM to be upgraded. | keyword |
diff --git a/packages/fortinet_fortimanager/manifest.yml b/packages/fortinet_fortimanager/manifest.yml
index 51461742a0a..5ec2d6bea5d 100644
--- a/packages/fortinet_fortimanager/manifest.yml
+++ b/packages/fortinet_fortimanager/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: fortinet_fortimanager
 title: Fortinet FortiManager Logs
-version: "2.12.0"
+version: "2.13.0"
 description: Collect logs from Fortinet FortiManager instances with Elastic Agent.
 type: integration
 categories: ["security", "network", "firewall_security"]