
Fortinet Event Categorization

Idea ID 2867045

0 Votes

When migrating to the new Foundation content, the categorization is badly needed as it is widely used there.

We found out that Fortinet events sent by FortiAnalyzer in CEF format do not have categorization at all.

It seems to be an issue for more vendors, but this one is missing all categories entirely.

This seems to have been an issue for a longer period and for more customers; therefore, since ArcSight now relies on categories in its default content, we would really appreciate it if this were made right.

Example of older discussion about the same topic from other customers:

https://community.microfocus.com/t5/ArcSight-User-Discussions/Fortinet-and-Palo-Alto-Event-Categorization/m-p/1766188#M46255

Thanks

Regards

Petr Stuler

5 Comments
Knowledge Partner

@Eng_SOP is deviceEventClassID filled in your CEF events? As which Device/Vendor do your logs come into ArcSight?

Lieutenant

I've tried to solve this as follows (it is just a draft, but good enough as a starting position):
Add the logid or log_id header (syslog) or the FTNTFGTlogid field (CEF) to some flex fields.

Then use the categorizer to map events based on various fields (logid, action, severity); some categorisations are mapped for undefined events, and if you need fine tuning, then you can use fortigate.id.csv to map individual IDs (overwriting mappings made by the previous categorizer).
I recommend keeping notes about this in a dedicated document (e.g. Excel sheets) to keep track of changes to particular map fields.

syslog:
fcp/fortigate/fortigate.sdkkeyvaluefilereader.properties:
event.flexString1=__oneOf(logid,log_id)
event.flexString1Label=__stringConstant(logid)

cef:
fcp/custommappings/Fortinet/Fortigate/ngmappings.adatamappings.properties:
event.flexNumber1=FTNTFGTlogid

then create categorizer files:

acp/categorizer/current/fortinet/fortigate.link.csv:
/fortinet/fortigate.csv
/fortinet/fortigate.basic.csv
/fortinet/fortigate.type.csv
/fortinet/fortigate.subtype.csv
/fortinet/fortigate.action.csv
/fortinet/fortigate.undefBehavior.csv
/fortinet/fortigate.undefOutcome.csv
/fortinet/fortigate.undefSignificance.csv
/fortinet/fortigate.id.csv

acp/categorizer/current/fortinet/fortigate.csv:
event.flexString1,set.expr(||FTNTFGTlogid).event.flexString1,set.event.flexString1Label
,__oneOf(FTNTFGTlogid),logid


acp/categorizer/current/fortinet/fortigate.basic.csv:
!Flags,CaseSens-,Overwrite,TrimSetters,EnfrcUniqID-
event.deviceAction,set.event.categoryOutcome,set.event.categorySignificance
passthrough,/Success,/Normal
pass through,/Success,/Normal
permit,/Success,/Normal
pass,/Success,/Normal
allowed,/Success,/Normal
allow,/Success,/Normal

acp/categorizer/current/fortinet/fortigate.type.csv:
!Flags,CaseSens-,Overwrite,TrimSetters,EnfrcUniqID-
regex.event.flexString1,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryTechnique,set.event.categoryDeviceGroup,set.event.categoryOutcome
^00\d+$,/Host/Application/Service,/Access,/Policy,/Firewall,
^01\d+$,/Host/Operating System,/Execute,,/Firewall,
^02\d+$,/Host/Application/Malware,/Found,,/IDS/Network,
^03\d+$,/Host/Application/Service,/Communicate/Query,,/Proxy,
^04\d+$,/Host/Application/Service,/Communicate/Query,,/IDS/Network,
^05\d+$,/Host/Application/Service/Email,/Communicate/Query,,/Proxy,
^07\d+$,/Network,/Communicate/Query,/Traffic Anomaly,/IDS/Network,
^08\d+$,/Host/Application/Service/Phone Call,/Communicate/Query,,/Firewall,
^09\d+$,/Host,/Communicate/Query,/Information Leak,/IDS/Network,
^10\d+$,/Host/Application/Service,/Communicate/Query,,/IDS/Network,
^12\d+$,/Host/Application/Service,/Communicate/Query,,/Firewall,
^14\d+$,/Host/Application/Service,/Communicate/Query,,/IDS/Network,
^15\d+$,/Host/Application/Service,/Communicate/Query,,/Proxy,
^16\d+$,/Host/Application/Service,/Execute,,/Proxy,
^17\d+$,/Host/Application/Service,/Communicate/Query,/Traffic Anomaly,/IDS/Network,
^18\d+$,/Host/Application/Service,/Communicate/Query,,/Proxy,
^19\d+$,/Host/Application,/Communicate/Query,,/Proxy,
^20\d+$,/Host/Application/Service,/Communicate/Query,,/Firewall,


acp/categorizer/current/fortinet/fortigate.subtype.csv:
!Flags,CaseSens-,Overwrite,TrimSetters,EnfrcUniqID-
regex.event.flexString1,event.deviceAction,set.event.categoryBehavior,set.event.categoryOutcome,set.event.categorySignificance
^00\d+$,deny,/Access,/Failure,/Informational/Alert
^00\d+$,close,/Access/Stop,/Success,/Normal
^00\d+$,dns,/Access,/Success,/Normal
^00\d+$,ip-conn,/Access,/Success,/Normal
^00\d+$,start,/Access,/Success,/Informational
^00\d+$,timeout,/Access,/Failure,/Informational/Warning
^02\d+$,analytics,/Found,/Attempt,/Suspicious
^02\d+$,blocked,/Found,/Failure,/Compromise
^02\d+$,monitored,/Found,/Informational/Warning,/Suspicious
^02\d+$,passthrough,/Access,/Success,/Normal
^02\d+$,pass through,/Access,/Success,/Normal
^03\d+$,allowed,/Communicate/Query,/Success,/Normal
^03\d+$,blocked,/Communicate/Query,/Failure,/Informational/Alert
^03\d+$,DLP,/Communicate/Query,/Attempt,/Informational/Warning
^03\d+$,exempted,/Communicate/Query,/Informational/Warning,/Informational
^03\d+$,filtered,/Communicate/Query,/Attempt,/Informational/Warning
^03\d+$,passthrough,/Communicate/Query,/Success,/Normal
^03\d+$,pass through,/Communicate/Query,/Success,/Normal
^04\d+$,clear_session,/Communicate/Query,/Informational/Warning,/Informational/Warning
^04\d+$,detected,/Communicate/Query,/Attempt,/Suspicious
^04\d+$,drop_session,/Communicate/Query,/Failure,/Hostile
^04\d+$,dropped,/Communicate/Query,/Failure,/Hostile
^04\d+$,pass_session,/Communicate/Query,/Success,/Normal
^04\d+$,reset,/Communicate/Query,/Failure,/Hostile
^04\d+$,reset_client,/Communicate/Query,/Failure,/Hostile
^04\d+$,reset_server,/Communicate/Query,/Failure,/Hostile
^05\d+$,blocked,/Communicate/Query,/Failure,/Informational/Alert
^05\d+$,detected,/Communicate/Query,/Attempt,/Suspicious
^05\d+$,exempted,/Communicate/Query,/Success,/Informational
^05\d+$,log-only,/Communicate/Query,/Success,/Informational
^09\d+$,ban,/Communicate/Query,/Failure,/Informational/Alert
^09\d+$,ban-sender,/Communicate/Query,/Failure,/Informational/Alert
^09\d+$,block,/Communicate/Query,/Failure,/Informational/Alert
^09\d+$,exempt,/Communicate/Query,/Success,/Informational
^09\d+$,log-only,/Communicate/Query,/Success,/Informational
^09\d+$,quarantine-interface,/Communicate/Query,/Attempt,/Informational/Warning
^09\d+$,quarantine-ip,/Communicate/Query,/Attempt,/Informational/Warning
^10\d+$,block,/Communicate/Query,/Failure,/Informational/Alert
^10\d+$,monitor,/Communicate/Query,/Success,/Suspicious
^10\d+$,pass,/Communicate/Query,/Success,/Normal
^10\d+$,reject,/Communicate/Query,/Failure,/Informational/Alert
^10\d+$,reset,/Communicate/Query,/Failure,/Informational/Alert
^12\d+$,deny,/Communicate/Query,/Failure,/Informational/Alert
^12\d+$,start,/Communicate/Query,/Success,/Informational/Warning
^12\d+$,passthrough,/Communicate/Query,/Success,/Normal
^12\d+$,pass through,/Communicate/Query,/Success,/Normal
^1500\d+$,pass,/Communicate/Query,/Success,/Normal
^1501\d+$,pass,/Communicate/Response,/Success,/Normal
^1600\d+$,passthrough,/Execute,/Success,/Normal


acp/categorizer/current/fortinet/fortigate.action.csv:
!Flags,CaseSens-,Overwrite,TrimSetters,EnfrcUniqID-
regex.event.flexString1,event.deviceAction,set.event.categoryBehavior,set.event.categoryOutcome,set.event.categorySignificance
^00\d+$,deny,/Access,/Failure,/Informational/Alert
^00\d+$,close,/Access/Stop,/Success,/Normal
^00\d+$,dns,/Access,/Success,/Normal
^00\d+$,ip-conn,/Access,/Success,/Normal
^00\d+$,start,/Access,/Success,/Informational
^00\d+$,timeout,/Access,/Failure,/Informational/Warning
^02\d+$,analytics,/Found,/Attempt,/Suspicious
^02\d+$,blocked,/Found,/Failure,/Compromise
^02\d+$,monitored,/Found,/Informational/Warning,/Suspicious
^02\d+$,passthrough,/Access,/Success,/Normal
^02\d+$,pass through,/Access,/Success,/Normal
^03\d+$,allowed,/Communicate/Query,/Success,/Normal
^03\d+$,blocked,/Communicate/Query,/Failure,/Informational/Alert
^03\d+$,DLP,/Communicate/Query,/Attempt,/Informational/Warning
^03\d+$,exempted,/Communicate/Query,/Informational/Warning,/Informational
^03\d+$,filtered,/Communicate/Query,/Attempt,/Informational/Warning
^03\d+$,passthrough,/Communicate/Query,/Success,/Normal
^03\d+$,pass through,/Communicate/Query,/Success,/Normal
^04\d+$,clear_session,/Communicate/Query,/Informational/Warning,/Informational/Warning
^04\d+$,detected,/Communicate/Query,/Attempt,/Suspicious
^04\d+$,drop_session,/Communicate/Query,/Failure,/Hostile
^04\d+$,dropped,/Communicate/Query,/Failure,/Hostile
^04\d+$,pass_session,/Communicate/Query,/Success,/Normal
^04\d+$,reset,/Communicate/Query,/Failure,/Hostile
^04\d+$,reset_client,/Communicate/Query,/Failure,/Hostile
^04\d+$,reset_server,/Communicate/Query,/Failure,/Hostile
^05\d+$,blocked,/Communicate/Query,/Failure,/Suspicious
^05\d+$,detected,/Communicate/Query,/Attempt,/Suspicious
^05\d+$,exempted,/Communicate/Query,/Success,/Informational
^05\d+$,log-only,/Communicate/Query,/Success,/Informational
^09\d+$,ban,/Communicate/Query,/Failure,/Informational/Alert
^09\d+$,ban-sender,/Communicate/Query,/Failure,/Informational/Alert
^09\d+$,block,/Communicate/Query,/Failure,/Suspicious
^09\d+$,exempt,/Communicate/Query,/Success,/Informational
^09\d+$,log-only,/Communicate/Query,/Success,/Informational
^09\d+$,quarantine-interface,/Communicate/Query,/Attempt,/Informational/Warning
^09\d+$,quarantine-ip,/Communicate/Query,/Attempt,/Informational/Warning
^10\d+$,block,/Communicate/Query,/Failure,/Informational/Alert
^10\d+$,monitor,/Communicate/Query,/Success,/Suspicious
^10\d+$,pass,/Communicate/Query,/Success,/Normal
^10\d+$,reject,/Communicate/Query,/Failure,/Informational/Alert
^10\d+$,reset,/Communicate/Query,/Failure,/Informational/Alert
^12\d+$,deny,/Communicate/Query,/Failure,/Informational/Alert
^12\d+$,start,/Communicate/Query,/Success,/Informational/Warning
^12\d+$,passthrough,/Communicate/Query,/Success,/Normal
^12\d+$,pass through,/Communicate/Query,/Success,/Normal
^1500\d+$,pass,/Communicate/Query,/Success,/Normal
^1501\d+$,pass,/Communicate/Response,/Success,/Normal
^1600\d+$,passthrough,/Execute,/Success,/Normal


acp/categorizer/current/fortinet/fortigate.undefBehavior.csv:
!Flags,CaseSens-,Overwrite,TrimSetters,EnfrcUniqID-
event.categoryBehavior,set.event.categoryBehavior
,/Communicate


acp/categorizer/current/fortinet/fortigate.undefOutcome.csv:
!Flags,CaseSens-,Overwrite,TrimSetters,EnfrcUniqID-
event.categoryOutcome,set.event.categoryOutcome
,/Attempt

acp/categorizer/current/fortinet/fortigate.undefSignificance.csv:
!Flags,CaseSens-,Overwrite,TrimSetters,EnfrcUniqID-
event.deviceSeverity,event.categorySignificance,set.event.categorySignificance
emergency,,/Informational/Alert
alert,,/Informational/Alert
critical,,/Informational/Alert
high,,/Informational/Alert
error,,/Informational/Error
elevated,,/Informational/Warning
warning,,/Informational/Warning
medium,,/Informational/Warning
notice,,/Normal
notification,,/Normal
information,,/Informational
debugging,,/Informational
low,,/Informational
0,,/Normal
1,,/Normal
2,,/Normal
3,,/Normal
4,,/Informational/Warning
5,,/Informational/Warning
6,,/Informational/Warning
7,,/Informational/Alert
8,,/Informational/Alert
9,,/Informational/Alert
10,,/Informational/Alert

acp/categorizer/current/fortinet/fortigate.id.csv:
!Flags,CaseSens-,Overwrite,TrimSetters,EnfrcUniqID-
regex.event.flexString1,set.event.categoryObject,set.event.categoryBehavior,set.event.categoryTechnique,set.event.categoryDeviceGroup,set.event.categoryOutcome,set.event.categorySignificance,set.event.originator
^\d+32001$,/Host/Operating System,/Authentication/Verify,,/Firewall,/Success,/Informational,Source
^\d+32002$,/Host/Operating System,/Authentication/Verify,,/Firewall,/Failure,/Informational/Alert,Source
^\d+32003$,/Host/Operating System,/Access/Stop,,/Firewall,/Success,/Informational,Source
^\d+43008$,/Host/Operating System,/Authentication/Verify,,/Firewall,/Success,/Normal,Source
^\d+43009$,/Host/Operating System,/Authentication/Verify,,/Firewall,/Failure,/Informational/Alert,Source
^\d+43010$,/Host/Operating System,/Authentication/Verify,,/Firewall,/Failure,/Informational/Alert,Source
^\d+43011$,/Host/Operating System,/Authentication/Verify,,/Firewall,/Failure,/Informational/Warning,Source
^\d+43039$,/Host/Operating System,/Access/Start,,/Firewall,/Success,/Normal,Source
^\d+43040$,/Host/Operating System,/Access/Stop,,/Firewall,/Success,/Normal,Source
^\d+32102$,/Host/Operating System,/Modify/Configuration,,/Firewall,/Success,/Informational/Warning,Source
^\d+32104$,/Host/Operating System,/Modify/Configuration,,/Firewall,/Success,/Informational/Warning,Source
^\d+4454[4-9]$,/Host/Operating System,/Modify/Configuration,,/Firewall,/Success,/Informational/Warning,Source
^\d+4455[0-5]$,/Host/Operating System,/Modify/Configuration,,/Firewall,/Success,/Informational/Warning,Source

Knowledge Partner

Wow, what amazing work. In our environment we have a lot of different FortiOS versions - and I remembered seeing in our categoriser things like

0000000007,accept,
00007,accept,

It seems that not all FortiOS versions add the Type and Subtype at the beginning - or is this a config issue, @peter.vnencak, do you know?

Lieutenant

AFAIK, in the original categorizer there are multiple outdated (or wrong?) records which caused some wrong mappings. This was the main reason why I did not use it (extend/update it) and decided to read the FortiOS documentation (I think v5.x, v6.x) first 🙂

I don't know if all OS versions add the Type/Subtype, but it should be so.

Knowledge Partner

@peter.vnencak I just checked some of our feeds... Found exactly what I described... Some send the full 10 (or whatever the reference says) digits... Some just send the short version of the ID.

Not talking your solution down... By no means... It's way better than what we have right now... However, I wanted to mention that the environment where your categorizer is used should consequently be observed/configured (still don't know if it's a bug in the OS or a config issue) to use the full available number of digits... If this is the case for your environment... I am jealous 😉

KR

A
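The following is an added example, not part of any post in this thread and not code from ArcSight, Fortinet or the categorizer files above. It is a small Python model of how the chained CSV files from the draft categorizer resolve (a subset of the posted rows, applied in fortigate.link.csv order), run over constructed CEF lines, and it also shows the full-versus-short log ID point raised in the last comments. The rule semantics are my reading of the flags: Overwrite means later setters replace earlier values, the undef* files fill only fields that are still empty, and CaseSens- means case-insensitive action matching. The 10-digit length check, the parse_cef helper (which ignores escaped pipes) and all sample log IDs, hosts and versions are assumptions made for this example.

```python
import re

# Constructed CEF lines in the shape FortiAnalyzer forwards; the log IDs, names
# and versions are invented for this example and are not real FortiGate output.
SAMPLE_CEF = [
    "CEF:0|Fortinet|Fortigate|v6.0|0000000013|traffic:forward deny|5|FTNTFGTlogid=0000000013 act=deny",
    "CEF:0|Fortinet|Fortigate|v6.0|0419016384|utm:ips signature|8|FTNTFGTlogid=0419016384 act=dropped",
    "CEF:0|Fortinet|Fortigate|v6.0|0100032002|event:system login failed|6|FTNTFGTlogid=0100032002 act=login",
    "CEF:0|Fortinet|Fortigate|v5.4|00007|traffic:forward accept|3|FTNTFGTlogid=00007 act=accept",
]

# Rule tables transcribed from the CSVs in the thread (a subset of rows).
BASIC_ACTIONS = {"passthrough", "pass through", "permit", "pass", "allowed", "allow"}  # fortigate.basic.csv

TYPE_RULES = [  # fortigate.type.csv: logid prefix (log type) -> object/behavior/technique/device group
    (r"^00\d+$", {"categoryObject": "/Host/Application/Service", "categoryBehavior": "/Access",
                  "categoryTechnique": "/Policy", "categoryDeviceGroup": "/Firewall"}),
    (r"^01\d+$", {"categoryObject": "/Host/Operating System", "categoryBehavior": "/Execute",
                  "categoryDeviceGroup": "/Firewall"}),
    (r"^04\d+$", {"categoryObject": "/Host/Application/Service", "categoryBehavior": "/Communicate/Query",
                  "categoryDeviceGroup": "/IDS/Network"}),
]
ACTION_RULES = [  # fortigate.action.csv: (logid prefix, deviceAction) -> behavior/outcome/significance
    (r"^00\d+$", "deny", {"categoryBehavior": "/Access", "categoryOutcome": "/Failure",
                          "categorySignificance": "/Informational/Alert"}),
    (r"^04\d+$", "dropped", {"categoryBehavior": "/Communicate/Query", "categoryOutcome": "/Failure",
                             "categorySignificance": "/Hostile"}),
]
SEVERITY_SIGNIFICANCE = {  # fortigate.undefSignificance.csv, numeric CEF header severities
    **{s: "/Normal" for s in "0123"},
    **{s: "/Informational/Warning" for s in "456"},
    **{s: "/Informational/Alert" for s in ("7", "8", "9", "10")},
}
ID_RULES = [  # fortigate.id.csv: suffix match on the message id; overwrites everything before it
    (r"^\d+32002$", {"categoryObject": "/Host/Operating System", "categoryBehavior": "/Authentication/Verify",
                     "categoryDeviceGroup": "/Firewall", "categoryOutcome": "/Failure",
                     "categorySignificance": "/Informational/Alert", "originator": "Source"}),
]


def parse_cef(line):
    """Simplified CEF parser: 7 header fields plus key=value extension pairs (no escaped pipes)."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    ev = {"deviceVendor": parts[1], "deviceProduct": parts[2], "deviceVersion": parts[3],
          "deviceEventClassId": parts[4], "name": parts[5], "deviceSeverity": parts[6]}
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        ev[m.group(1)] = m.group(2)
    return ev


def categorize(ev):
    """Apply the rule files in fortigate.link.csv order; later matches overwrite earlier ones."""
    logid = ev.get("FTNTFGTlogid") or ev.get("logid") or ev.get("log_id") or ""  # mirrors __oneOf(...)
    action = ev.get("act", "").lower()
    cat = {}
    if action in BASIC_ACTIONS:                      # basic: permissive actions are Success/Normal
        cat.update(categoryOutcome="/Success", categorySignificance="/Normal")
    # Assumption: prefix rules only make sense on the full 10-digit id; a short id
    # (as some devices in the thread send) carries no type/subtype prefix to match.
    if len(logid) == 10:
        for pat, setters in TYPE_RULES:
            if re.match(pat, logid):
                cat.update(setters)
        for pat, act, setters in ACTION_RULES:
            if re.match(pat, logid) and act == action:
                cat.update(setters)
    # undef* files: fill only what is still empty
    cat.setdefault("categoryBehavior", "/Communicate")
    cat.setdefault("categoryOutcome", "/Attempt")
    if not cat.get("categorySignificance"):
        sig = SEVERITY_SIGNIFICANCE.get(ev.get("deviceSeverity", ""))
        if sig:
            cat["categorySignificance"] = sig
    for pat, setters in ID_RULES:                    # id: explicit per-message overrides win
        if re.match(pat, logid):
            cat.update(setters)
    cat["shortLogid"] = len(logid) != 10             # flag events that only got the fallback categories
    return cat


def categorize_line(line):
    return categorize(parse_cef(line))


if __name__ == "__main__":
    for line in SAMPLE_CEF:
        ev = parse_cef(line)
        print(ev["deviceEventClassId"], categorize(ev))
```

Running it shows the layering: the deny and dropped events get their outcome and significance from the action table, the login failure is first typed as a generic event and then overwritten by the id table, and the short-id event falls through to the undef defaults only, which is the case the last two comments are discussing; the shortLogid flag is one way to make such events visible for follow-up instead of silently under-categorizing them.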
