Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat][Fortinet] Fortinet ingest pipeline should set event.kind: alert #22136

Closed
ijokarumawak opened this issue Oct 26, 2020 · 7 comments · Fixed by #24816
Closed

[Filebeat][Fortinet] Fortinet ingest pipeline should set event.kind: alert #22136

ijokarumawak opened this issue Oct 26, 2020 · 7 comments · Fixed by #24816

Comments

@ijokarumawak
Copy link

Describe the enhancement:
Fortinet ingest pipeline should set event.kind: alert if fortinet.firewall.attack field is set.

Describe a specific use case for the enhancement or feature:
Filebeat Paloalt module has its ingest pipeline to set event.kind: alert if ctx?.panw?.panos?.type == "THREAT". So analysts can see such events at SIEM Overview 'External alert trend' graph. But Fortinet module doesn't have such logic and its kind is always event.kind: event. Fortinet module should implement the similar logic.
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 26, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Oct 26, 2020
@legoguy1000
Copy link
Contributor

The current sample logs don't have anything that sets the fortinet.firewall.attack field. Can you post sample data and then it will be easy to make the change and verify its in the right place.

@ijokarumawak
Copy link
Author

Hi @legoguy1000 , thanks for looking at this. Unfortunately, I don't have the actual log message at hand right now. I will try to find one. The fortinet.firewall.attack field had value such as "Backdoor.DoublePulsar".

@legoguy1000
Copy link
Contributor

looks like Fortinet provides sample logs for the different types. I'll see if that works. https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/986892/sample-logs-by-log-type

@legoguy1000 legoguy1000 mentioned this issue Mar 29, 2021
Merged
6 tasks
@ijokarumawak
Copy link
Author

ijokarumawak commented Mar 30, 2021
edited
Loading

@legoguy1000 Glad to know that you could find the Fortinet sample logs! Thanks for working on it. For further improvement, let me share a actual log message corrected by fortigate via rsyslog. This message does not have the attack field, but have subtype="virus". I think it can be better if Elastic SIEM treats such logs as external alerts. How do you think?

Mar 30 14:04:59 gateway date=2021-03-30 time=14:04:58 devname="htd-Kfgt1" devid="FGT50EXXXXXXXXXX" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" eventtime=1617080699214283280 tz="+0900" policyid=5 msg="File is infected." action="blocked" service="HTTP" sessionid=20572875 srcip=192.168.XX.XX dstip=150.95.9.43 srcport=54987 dstport=80 srcintf="XXX-XXX" srcintfrole="undefined" dstintf="wan1" dstintfrole="wan" proto=6 direction="incoming" filename="eicar_test_virus.zip" quarskip="File-was-not-quarantined." virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://lhsp.s206.xrea.com/download/eicar_test_virus.zip" profile="default" agent="Chrome/89.0.4389.90" analyticscksum="8a18d44ed122e6257863169d9a219946f4229f57b1d49ca0493b8366338230e8" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

@legoguy1000
Copy link
Contributor

I think that makes sense. I proposed a couple other things to change in the PR. As someone who uses the module, can you take a look at the PR #24816 and see if you have any thoughts or concerns about what i changed/am thinking to change?

@legoguy1000
Copy link
Contributor

@legoguy1000 Glad to know that you could find the Fortinet sample logs! Thanks for working on it. For further improvement, let me share a actual log message corrected by fortigate via rsyslog. This message does not have the attack field, but have subtype="virus". I think it can be better if Elastic SIEM treats such logs as external alerts. How do you think?

Mar 30 14:04:59 gateway date=2021-03-30 time=14:04:58 devname="htd-Kfgt1" devid="FGT50EXXXXXXXXXX" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" eventtime=1617080699214283280 tz="+0900" policyid=5 msg="File is infected." action="blocked" service="HTTP" sessionid=20572875 srcip=192.168.XX.XX dstip=150.95.9.43 srcport=54987 dstport=80 srcintf="XXX-XXX" srcintfrole="undefined" dstintf="wan1" dstintfrole="wan" proto=6 direction="incoming" filename="eicar_test_virus.zip" quarskip="File-was-not-quarantined." virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://lhsp.s206.xrea.com/download/eicar_test_virus.zip" profile="default" agent="Chrome/89.0.4389.90" analyticscksum="8a18d44ed122e6257863169d9a219946f4229f57b1d49ca0493b8366338230e8" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

Change made please see the the PR for the updates.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Filebeat] Update Fortinet Ingest Pipeline legoguy1000/beats
4 participants
@andresrc @ijokarumawak @legoguy1000 @elasticmachine