FortiGate / FortiOS

FortiManager

FortiAnalyzer

User Guide

FortiSIEM User Guide
TABLE OF CONTENTS
Overview
FortiSIEM Releases
- What's New in 7.4.0
- What's New in 7.3.5
- What's New in 7.3.4
- What is New in 7.3.3
- What's New in 7.3.2
- What's New in 7.3.1
- What's New in 7.3.0
- What's New in 7.2.7
- What's New in 7.2.6
- What's New in 7.2.5
- What's New in 7.2.4
- What's New in 7.2.3
- What's New in 7.2.2
- What's New in 7.2.1
- What's New in 7.2.0
- What is New in 7.1.9
- What's New in 7.1.8
- What's New in 7.1.7
- What's New in 7.1.6
- What's New in 7.1.5
- What's New in 7.1.4
- What's New in 7.1.3
- What's New in 7.1.2
- What's New in 7.1.1
- What's New in 7.1.0
- What's New in 7.0.4
- What's New in 7.0.3
- What's New in 7.0.2
- What's New in 7.0.1
- What's New in 7.0.0
Windows Agent Releases
Content Pack Updates
Key Concepts
Getting Started
Advanced Operations
- CMDB
- Incidents and Cases
- Device Support
- Rules, Reports, and Dashboards
- Advanced Health System
- Managing FortiSIEM
Administration
- Setup
- Device Support
- Health
- License
- Content Update
- Settings
Managing CMDB
- Devices
- Applications
- Users
- Business Services
- CMDB Reports
Managing Resources
- Reports
  - Viewing System Reports
  - Running System Reports
  - Creating New Reports
  - Working with Report Design Templates
  - Scheduling Reports
  - Importing and Exporting Reports
  - Importing and Exporting Report Definitions
- Rules
  - Viewing Rules
  - Creating Rules
  - Activating and Deactivating a Rule
  - Testing a Rule
  - Exporting and Importing Rule Definitions
  - Importing Sigma Rules
- Machine Learning Jobs
  - Viewing Machine Learning Jobs
  - Editing a Machine Learning Job
  - Deleting a Machine Learning Job
- Watch Lists
  - System-defined Watch List
  - Creating a Watch List
  - Modifying a Watch List
  - Using a Watch List
  - Exporting and Importing Watch Lists
- Lookup Tables
  - Adding a Lookup Table
  - Deleting a Lookup Table
  - Working with Lookup Table Data
- Osquery
  - Viewing osquery Templates
  - Creating osquery Templates
- Automation
  - Playbooks
  - Playbook Assets
  - Content Hub
  - Solution Packs
  - Remediations
  - FortiSOAR Playbooks
    - Viewing FortiSOAR Playbooks
    - Updating FortiSOAR Playbooks
  - FortiSOAR Connectors
    - Viewing Connectors
    - Updating Connectors
- Malware Domains
  - Adding a Malware Domain
  - Modifying a Malware Domain
  - Deleting a Malware Domain
  - Importing Malware Domains
  - Viewing Malware Domains
- Malware IPs
  - Adding a Malware IP
  - Modifying a Malware IP
  - Deleting a Malware IP
  - Importing Malware IPs
  - Viewing Malware IPs
- Malware Hash
  - Adding a Malware Hash
  - Modifying a Malware Hash
  - Deleting a Malware Hash
  - Importing/Updating User-defined Malware Hash
  - Viewing Malware Hash
- Malware Processes
  - Creating a Malware Process Group
  - Adding a Malware Process
  - Modifying a Malware Process
  - Deleting a Malware Process
  - Importing Malware Processes
  - Viewing Malware Processes
- Malware URLs
  - Adding a Malware URL
  - Modifying a Malware URL
  - Deleting a Malware URL
  - Importing Malware URLs
  - Viewing Malware URLs
- Anonymity Network
  - Adding Anonymity Networks
  - Modifying Anonymity Networks
  - Updating Anonymity Networks
- Country Groups
  - Creating a Country Group
  - Adding a Country Group
  - Modifying a Country Group
  - Deleting a Country Group
  - Changing the Home Country
- Default Password
  - Adding a Default Password
  - Modifying a Default Password
  - Importing and Exporting a Default Password
- Event Types
  - Adding an Event Type
  - Modifying an Event Type
  - Deleting an Event Type
- User Agents
  - Adding User Agents
  - Modifying User Agents
  - Importing and Exporting User Agents
- Networks
  - Adding a Network
  - Modifying a Network
  - Deleting a Network
- Protocols
  - Adding a Protocol
  - Modifying a Protocol
  - Deleting a Protocol
- Working with AlienVault OTX
- Working with Dragos IOCs
- Working with FortiGuard IOCs
- Working with Malware Patrol
- Working with MISP Threatfeeds
- Working with OpenCTI Threatfeeds
- Working with ThreatConnect IOCs
- Working with Custom Threat Feeds that use HTTPS Connectivity
Working with Cases
- Creating a Case Manually
- Creating a Case Automatically
- Viewing All Cases
- Searching Cases
- Viewing a Case in Depth
- Acting on a Case
- Case Dashboard
- Case Report
- Steps to Update Case Escalation from 6.x-7.1.x to 7.2.x
Working with Incidents
- Overview
- List View
- Risk View
- Explorer View
- MITRE ATT&CK View
- UEBA View
- Investigating Incidents
- Automated Incident Resolution Recommendation
- Lookups Via External Websites
- CVE-Based IPS False Positive Analysis
- Remediating an Incident using a Script
- Executing a FortiSOAR Playbook on an Incident
- Executing a Playbook with Automation Service
- Running a FortiSOAR Connector on an Incident
- Troubleshooting Incident Trigger
Working with Analytics Search
- Overview
- Running a Built-in Historical Search
- Creating a New Search
- Creating a Nested Search
- Viewing Real-time Search Results
- Viewing Historical Search Results
- Searches Using Pre-computed Results
- Working with Search Results
Advanced Search
- Overview
- Running a Built-in Advanced Search
- Creating a New Advanced Search
- Fixing SQL Query Syntax Errors with FortiAI
- Miscellaneous Advanced Search Operations
- Advanced Search Examples
Machine Learning
- Overview
- Anomaly Detection
- Classification
- Clustering
- Forecasting
- Regression
Automation Audit Events
Working with Dashboards
- General Operations
- Widget Dashboard
- Summary Dashboard
- Business Service Dashboard
- Identity and Location Dashboard
- Interface Usage Dashboard
- PCI Logging Status Dashboard
Managing Tasks
FortiAI
FortiSIEM Manager
- FortiSIEM Manager Incidents
  - FortiSIEM Manager Incidents Overview View
  - FortiSIEM Manager Incidents - List View
- FortiSIEM Manager CMDB Users
  - FortiSIEM Manager CMDB Adding Users
  - FortiSIEM Manager - Editing User Information
- FortiSIEM Manager Resources
- FortiSIEM Manager Admin
Appendix
- Administrative Tools and Information
- ClickHouse Usage Notes
- Configuration Notes
- Elasticsearch Usage Notes
- Examples of Custom Performance Monitors
- Exporting QRadar Logs to FortiSIEM
- FortiEMS Endpoint Tagging
- GUI Notes
  - Flash to HTML5 GUI Mapping
  - FortiSIEM Charts and Views
- FortiSOAR Integration Notes
  - Configuring FortiSOAR for FortiSIEM Integration
  - Writing FortiSIEM Compatible FortiSOAR Playbooks
- Functions in Analytics
- Knowledge Base
- License Enforcement
- Parser Specification
- Python Threat Feed Framework
- Sample Windows Agent Logs
- UEBA Information
- Windows Agent System Variables

Home FortiSIEM 7.4.0 User Guide

7.4.0

Event Format Recognizer Specification

The specification for the format recognizer section is:

<eventFormatRecognizer><![CDATA[regex_pattern]]></eventFormatRecognizer>

In the regex_pattern block, a pattern can be directly specified using regex or a previously defined pattern can be referenced. Patterns are defined two places:

Built-in patterns - see Built-in Patterns for more information.
Local patterns: Within this section <patternDefinitions> </patternDefinitions>

Examples:

Cisco ASA Firewalls

All Cisco ASA events have the pattern ASA-severity-id pattern, for example ASA-6-302013.

<134>Nov 28 2007 17:20:48: %ASA-6-302013: Built outbound TCP connection 76118 for outside:192.168.0.1/80 (192.168.0.1/80) to inside:192.168.20.31/3530 (192.168.0.1/5967

For this scenario, the event format recognizer is simple:
```
<eventFormatRecognizer><![CDATA[ASA-d-d+]]></eventFormatRecognizer>
```

FortiGate Firewalls

Two examples of FortiGate firewall logs are shown below.

<185>Jun  5 10:11:03 date=2016-09-13 time=13:33:19 devname=FGT_Edge devid=FGT90D3Z13007389 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=root severity=critical srcip=42.83.201.2 srccountry="Taiwan" dstip=10.10.50.13 srcintf="wan1" dstintf="HoneyZone" policyid=6 sessionid=51928140 action=detected proto=6 service="SMB" attack="MS.DCERPC.netAPI32.Buffer.Overflow" srcport=2293 dstport=445 direction=outgoing attackid=15995 profile="Honeydrive_monitor" ref="http://www.fortinet.com/ids/VID15995" incidentserialno=176226761 msg="netbios: MS.DCERPC.netAPI32.Buffer.Overflow

<185>date=2023-04-06 time=11:21:20 devname="Fortigate-lab-doe" device_id="FGVMULTM23001223" eventtime=1680805281059447154 tz="-0700" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="root" ui="ssh(172.30.58.81)" method="ssh" srcip=10.1.1.1 dstip=10.1.1.2 action="login" status="failed" reason="name_invalid" msg="Administrator root login failed from ssh(10.1.1.1) because of invalid user name"

The unique format for these logs is highlighted in bold, but since it is too generic, the part of the log leading up to them has to be captured also.

<185>Jun  5 10:11:03 date=2016-09-13 time=13:33:19 devname=FGT_Edge devid=FGT…

<185>date=2023-04-06 time=11:21:20 devname="Fortigate-lab-doe" device_id="FGVM…

Note the generic built-in patterns (See Built-in Patterns).

The following patterns define the various FortiGate model prefixes that can be substituted for FGT, FGVM:

<pattern name="patFormat1"><![CDATA[(?:APS|FG|FGD|FGP|FGR|FGT|FOSVM|FP[^AX]|FR|LF|LFG|FWF|FW|FGV|FD[^C])[\d\w-]+]]></pattern>
<pattern name="patFormat2"><![CDATA[(?:FGTAWS|FGTAZR|FGVM|F\d+K)[\d\w-]+]]></pattern>

Then format recognizer for FortiGate logs becomes:

<eventFormatRecognizer><![CDATA[(?:^|<:gPatSyslogPRI>|\s)(?:device_id|devid)="?(?:<:patFormat2>|<:patFormat1>)"?\s]]></eventFormatRecognizer>

3. Cisco IOS Router

A few samples of Cisco IOS logs are as follows:

<190>109219: Jan  9 18:03:35.281: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (192.168.20.33:1876) -- responder (192.168.0.10:445)

<186>Aug 13 17:39:28:647 UTC: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/25 with BPDU Guard enabled. Disabling port.)

<188>84354: Dec  6 08:15:20: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Admin] [Source: 192.168.135.125] [localport: 80] [Reason: Login Authentication Failed - BadPassword] at 08:15:20 PST Mon Dec 6 2020

To handle this, the list of all Cisco IOS logging modules must be defined: FW, SEC, SSH, SEC_LOGIN, SYS, SNMP, STACKMGR, HSRP, LINK, SPANTREE, LINEPROTO, etc. These patterns can be concatenated together using begin, continue, end primitives.

<pattern list="begin" name="patCiscoIOSMod"> <![CDATA[FW|SEC|SSH|SEC_LOGIN|SYS|SNMP|STACKMGR|HSRP|]]></pattern>

<pattern list="continue" name="patCiscoIOSMod"><![CDATA[LINK|SPANTREE|LINEPROTO|DTP|PARSER|]]></pattern>

<pattern list="continue" name="patCiscoIOSMod"><![CDATA[CDP|DHCPD|CONTROLLER|PORT_SECURITY-SP|]]></pattern>

<pattern list="continue" name="patCiscoIOSMod"><![CDATA[AUTHMGR|MAB|DOT1X|PFINIT|WS_IPSEC_3|]]></pattern>

<pattern list="continue" name="patCiscoIOSMod"><![CDATA[PLATFORM_UCAST|WCCP|ILPOWER|MAC_MOVE|]]></pattern>

<pattern list="continue" name="patCiscoIOSMod"><![CDATA[CLEAR|DUAL|DHCP_SNOOPING|STACKMGR|EIGRP|MGBL|ROUTING|SECURITY|]]></pattern>

<pattern list="continue" name="patCiscoIOSMod"><![CDATA[FMANFP|TRACKING|CRYPTO|ENVMON|ISDN|LAPP_ON_MSGS|SW_MATM|SWITCH_QOS_TB|]]></pattern>

<pattern list="continue" name="patCiscoIOSMod"><![CDATA[OIR-SP|C6KPWR-SP|C6KERRDETECT-SP|C6KPWR|CFIB|CONST_DIAG-SP|CPU_MONITOR|]]></pattern>

<pattern list="continue" name="patCiscoIOSMod"><![CDATA[CPU_MONITOR-SP|EARL_L3_ASIC-SP|EARL_NETFLOW|EC-SP|ETHCNTR|L3_ASIC-DFC3|]]></pattern>

<pattern list="continue" name="patCiscoIOSMod"><![CDATA[MCAST-SP|MISTRAL-SP|MLS_STAT|MLS_STAT-SP|MROUTE|PM_SCP|PM_SCP-SP|QM|SYSTEM|]]></pattern>

<pattern list="continue" name="patCiscoIOSMod"><![CDATA[SYSTEM_CONTROLLER-SP|SYSTEM_CONTROLLER-SW2_SPSTBY|]]></pattern>

<pattern list="end" name="patCiscoIOSMod"><![CDATA[BGP|BGP_SESSION|OSPF|C4K_IOSMODPORTMAN|C4K_REDUNDANCY|C4K_SWITCHINGENGINEMAN|IP|DHCP|PM|SW_DAI|ENTITY_ALARM]]></pattern>

Another pattern is defined:

<pattern name="patStrEndColon"><![CDATA[[^:]*]]></pattern>

The event recognizer for Cisco IOS can now be defined using the patterns defined above and the built-in patterns (see below):

<eventFormatRecognizer><![CDATA[^[^%=]*%<:patCiscoIOSMod>(?:-<:gPatStr>){0,2}-<:gPatInt>-<:patStrEndColon>:]]></eventFormatRecognizer>