
Fortigate logs to Elastic SIEM App #16

Closed
Cyb3rSn0rlax opened this issue May 7, 2020 · 5 comments

Comments

@Cyb3rSn0rlax
Contributor

Hello,
ECS version: 1.5
Elastic stack 7.6.2

I don't know why I am finding this repo until today, such a great work.
I haven't tried this mapping yet since I created my own, but I noticed that if you want this to work with Elastic SIEM to have a more complete and centralized visibility with other firewall/endpoint logs, you would need to change/add a few things:

  • The Timeline Event Renderer won't give you this view:

[image: screenshot of the Timeline event renderer view]

Instead you would have flat events. This is because event.category is set to network; even though this is what is recommended in the documentation, I had to change it to network_traffic to get the event renderer working for my Fortigate logs.

More info in this reddit thread here

  • If you want to see top source and destination countries on the Network panel of your Elastic SIEM app, you would need to use the GeoIP processor of an ingest node and not Logstash, since the one Logstash uses is not ECS-friendly because it creates a country_code1 or country_code2... etc. instead of country_iso_code, which is the one inspected by Elastic SIEM. From the Kibana developer panel, create an ingest pipeline:
PUT _ingest/pipeline/geoip-info-fortinet
{
    "description": "Add geoip info",
    "processors": [
        {
            "geoip": {
                "field": "srcip",
                "target_field": "source.geo"
            }
        },
        {
            "geoip": {
                "field": "dstip",
                "target_field": "destination.geo"
            }
        }
    ]
}

Make sure that the node you are creating this on has node.ingest: true

Hope it helps someone and thanks for the great work.

@enotspe
Owner

enotspe commented May 8, 2020

Hi @H1L021, thanks for the suggestion for network_traffic !!! I spent quite some time trying to figure out how to make it work on SIEM. I will add it to event.category as suggested

About geo field names, the pipeline geo_enrichment already handles it so those fields show up on SIEM UI.

    #rename iso code fields to match ECS
    mutate {
        remove_field => ["src_ip_geo_apply", "dest_ip_geo_apply" ]
        rename => { "[source][geo][country_code2]" => "[source][geo][country_iso_code]" }
        rename => { "[destination][geo][country_code2]" => "[destination][geo][country_iso_code]" }
        rename => { "[source][geo][region_code]" => "[source][geo][region_iso_code]" }
        rename => { "[destination][geo][region_code]" => "[destination][geo][region_iso_code]" }
    }
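To make concrete what the country_code2 to country_iso_code mismatch from the first post looks like and what the mutate filter above does to an event, here is an added Python example (not code from this repo) that interprets those exact remove_field and rename directives, including Logstash's no-op behaviour when the source field is absent, on a constructed Fortigate event:

```python
import copy
import re

# Directives copied from the geo_enrichment mutate filter quoted above ("[a][b]" addresses a nested field).
REMOVE_FIELDS = ["src_ip_geo_apply", "dest_ip_geo_apply"]
RENAMES = {
    "[source][geo][country_code2]": "[source][geo][country_iso_code]",
    "[destination][geo][country_code2]": "[destination][geo][country_iso_code]",
    "[source][geo][region_code]": "[source][geo][region_iso_code]",
    "[destination][geo][region_code]": "[destination][geo][region_iso_code]",
}

def field_path(ref):
    """Turn "[source][geo][country_code2]" (or a bare "srcip") into a key list."""
    parts = re.findall(r"\[([^\]]+)\]", ref)
    return parts if parts else [ref]

def pop_field(doc, path):
    """Remove and return a nested field; None when any part of the path is absent."""
    node = doc
    for key in path[:-1]:
        node = node.get(key)
        if not isinstance(node, dict):
            return None
    return node.pop(path[-1], None)

def put_field(doc, path, value):
    node = doc
    for key in path[:-1]:
        node = node.setdefault(key, {})
    node[path[-1]] = value

def normalize_geo(event):
    """Apply remove_field, then each rename, skipping renames whose source is missing."""
    out = copy.deepcopy(event)
    for ref in REMOVE_FIELDS:
        pop_field(out, field_path(ref))
    for src, dst in RENAMES.items():
        value = pop_field(out, field_path(src))
        if value is not None:
            put_field(out, field_path(dst), value)
    return out

# Constructed sample of what the Logstash geoip filter emits for a Fortigate srcip/dstip pair before the rename.
SAMPLE_EVENT = {
    "srcip": "203.0.113.10", "dstip": "198.51.100.20",
    "src_ip_geo_apply": True, "dest_ip_geo_apply": True,
    "source": {"geo": {"country_code2": "US", "region_code": "CA"}},
    "destination": {"geo": {"country_code2": "DE"}},
}
```

After normalize_geo, both source.geo and destination.geo carry country_iso_code, and the destination side gets no region_iso_code because its region_code was never set.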

@Cyb3rSn0rlax
Contributor Author

Thank you, my bad, I didn't see it. Sorry

@enotspe enotspe closed this as completed May 8, 2020
@enotspe
Owner

enotspe commented May 8, 2020

3af76bd

@fredtj

fredtj commented Jul 6, 2020

looks like network_traffic is deprecated as of 8.0.0 - see here elastic/beats#19039

perhaps the real issue is the timeline event renderer needs to be updated?

@enotspe
Owner

enotspe commented Jul 6, 2020

yeah. That is why I left this line commented

#add_field => { "[event][category]" => "network" } this should be the correct value once SIEM UI gets aligned with ECS event.category allowed values
