From 15c3ba3ee70ac8111c60a78ac264118e67255cb9 Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Mon, 29 Jan 2024 16:09:06 +0200
Subject: [PATCH 01/31] Change AdditionalExtensions info parsing.
---
 .../Parsers/vimWebSessionFortinetFortiGate.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
index 0dc33be848b..d7f145fa031 100644
--- a/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
+++ b/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
@@ -175,7 +175,9 @@ ParserQuery: |
 ThreatOriginalRiskLevel = FortinetFortiGatecrscore,
 SrcPackets = FortinetFortiGatesentpkt,
 DstPackets = FortinetFortiGatercvdpkt
- | parse AdditionalExtensions with * "Method=" temp_HttpRequestMethod "|User-Agent=" temp_HttpUserAgent ";" *
+ | extend
+ temp_HttpRequestMethod = extract(@"Method=(.*?)(?:\||\;|$)", 1, AdditionalExtensions),
+ temp_HttpUserAgent = extract(@"User-Agent=(.*?)(?:\||\;|$)", 1, AdditionalExtensions)
 | extend
 HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),
 HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)
From 999049fe91dd07084be9dd4237df6b0e327b829e Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Tue, 30 Jan 2024 12:18:30 +0200
Subject: [PATCH 02/31] Change AdditionalExtensions info parsing.
---
 .../Parsers/ASimWebSessionFortinetFortiGate.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
index 928dd559ebb..33c54572a7d 100644
--- a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
+++ b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
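Review bot: The added `temp_HttpUserAgent = extract(@"User-Agent=(.*?)(?:\||\;|$)", 1, AdditionalExtensions)` stops the capture at the first `;`, and browser user-agent strings carry `;` inside the platform token (for example `Mozilla/5.0 (Windows NT 10.0; Win64; x64)`), so the field will hold only the leading fragment unless the device escapes `;` inside values; the removed `parse` had the same `";"` terminator, so the truncation is inherited rather than new, and `Method=` is likewise unanchored and also matches any key ending in Method. The data-test results added in patch 10 report HttpRequestMethod and HttpUserAgent empty in 30000 of 30000 records, which suggests neither pattern matches the layout this feed actually produces, so the terminator set should be checked against a real AdditionalExtensions value before deciding whether `\;` belongs in it. The same two lines are added to the ASim parser in patch 02, and patches 05 and 06 prefix both patterns with `rawdata=.*?` without touching the terminators. A comment above the new extend would make the pattern reviewable, e.g. `// AdditionalExtensions appears to carry the FortiGate rawdata blob; keys inside it look |-separated and ;-terminated — confirm against a sample record`.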
@@ -115,7 +115,9 @@ ParserQuery: |
 ThreatOriginalRiskLevel = FortinetFortiGatecrscore,
 SrcPackets = FortinetFortiGatesentpkt,
 DstPackets = FortinetFortiGatercvdpkt
- | parse AdditionalExtensions with * "Method=" temp_HttpRequestMethod "|User-Agent=" temp_HttpUserAgent ";" *
+ | extend
+ temp_HttpRequestMethod = extract(@"Method=(.*?)(?:\||\;|$)", 1, AdditionalExtensions),
+ temp_HttpUserAgent = extract(@"User-Agent=(.*?)(?:\||\;|$)", 1, AdditionalExtensions)
 | extend
 HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),
 HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)
@@ -148,4 +150,4 @@ ParserQuery: |
 Rule = tostring(RuleNumber)
 | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber
 };
- parser (disabled=disabled)
\ No newline at end of file
+ parser (disabled=disabled)
From e84b11b77ac6d9257d74b09e32b8a4a98cc73317 Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Tue, 30 Jan 2024 23:32:28 +0200
Subject: [PATCH 03/31] Adding NetworkApplicationProtocol to the project.
---
 .../Parsers/ASimWebSessionFortinetFortiGate.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
index 33c54572a7d..1a0ce58c62d 100644
--- a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
+++ b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
@@ -55,7 +55,7 @@ ParserQuery: |
 | extend
 EventResultDetails = "NA"
 | lookup EventLookup on DeviceAction
- | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName
+ | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName, ApplicationProtocol
 | project-rename
 Url = RequestURL
 , UrlCategory = RequestContext
@@ -72,6 +72,7 @@ ParserQuery: |
 , SrcInterfaceName = DeviceInboundInterface
 , SrcIpAddr = SourceIP
 , SrcPortNumber = SourcePort
+ , NetworkApplicationProtocol = ApplicationProtocol
 , DvcId = DeviceExternalID
 , EventUid = _ItemId
 , DstHostname = DestinationHostName
From c4299c2898105bfaa0f2b4139e27a4f82233976e Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Tue, 30 Jan 2024 23:33:56 +0200
Subject: [PATCH 04/31] Adding NetworkApplicationProtocol to the project operation.
---
 .../ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
index d7f145fa031..075d462defb 100644
--- a/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
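Review bot: The added `, NetworkApplicationProtocol = ApplicationProtocol` passes the CEF value through unchanged, while ASIM expects NetworkApplicationProtocol in upper case (`HTTP`, `HTTPS`); the sample rows added in patch 20 already show `HTTPS`, but a device emitting mixed case would break case-sensitive consumers. The leading-comma block the line sits in appears to be the `project-rename` that opens in the first hunk (its start is outside the second hunk), where a function call is not allowed, so the normalisation would go in a later `extend` as `NetworkApplicationProtocol = toupper(NetworkApplicationProtocol)` rather than on this line. Patch 04 makes the identical change in the filtering parser.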
+++ b/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
@@ -115,7 +115,7 @@ ParserQuery: |
 | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) has_any(eventresultdetails_in))
 | lookup EventLookup on DeviceAction
 | where (eventresult == '*' or EventResult =~ eventresult)
- | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName, ASimMatchingIpAddr
+ | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName, ASimMatchingIpAddr, ApplicationProtocol
 | project-rename
 Url = RequestURL
 , UrlCategory = RequestContext
@@ -132,6 +132,7 @@ ParserQuery: |
 , SrcInterfaceName = DeviceInboundInterface
 , SrcIpAddr = SourceIP
 , SrcPortNumber = SourcePort
+ , NetworkApplicationProtocol = ApplicationProtocol
 , DvcId = DeviceExternalID
 , EventUid = _ItemId
 , DstHostname = DestinationHostName
From e2470e62b215393c660277fde72ba9f3b6aa206a Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Wed, 31 Jan 2024 00:14:09 +0200
Subject: [PATCH 05/31] Updata regex for HttpRequestMethod and HttpUserAgent
---
 .../Parsers/ASimWebSessionFortinetFortiGate.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
index 1a0ce58c62d..d80d8a5a987 100644
--- a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
+++ b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
@@ -117,8 +117,8 @@ ParserQuery: |
 SrcPackets = FortinetFortiGatesentpkt,
 DstPackets = FortinetFortiGatercvdpkt
 | extend
- temp_HttpRequestMethod = extract(@"Method=(.*?)(?:\||\;|$)", 1, AdditionalExtensions),
- temp_HttpUserAgent = extract(@"User-Agent=(.*?)(?:\||\;|$)", 1, AdditionalExtensions)
+ temp_HttpRequestMethod = extract(@"rawdata=.*?Method=(.*?)(?:\||\;|$)", 1, AdditionalExtensions),
+ temp_HttpUserAgent = extract(@"rawdata=.*?User-Agent=(.*?)(?:\||\;|$)", 1, AdditionalExtensions)
 | extend
 HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),
 HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)
From 87d66f65eecf814edcd111caac3744f5aca3dca6 Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Wed, 31 Jan 2024 00:14:47 +0200
Subject: [PATCH 06/31] Updata regex for HttpRequestMethod and HttpUserAgent
---
 .../Parsers/vimWebSessionFortinetFortiGate.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
index 075d462defb..5424738afe6 100644
--- a/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
+++ b/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
@@ -177,8 +177,8 @@ ParserQuery: |
 SrcPackets = FortinetFortiGatesentpkt,
 DstPackets = FortinetFortiGatercvdpkt
 | extend
- temp_HttpRequestMethod = extract(@"Method=(.*?)(?:\||\;|$)", 1, AdditionalExtensions),
- temp_HttpUserAgent = extract(@"User-Agent=(.*?)(?:\||\;|$)", 1, AdditionalExtensions)
+ temp_HttpRequestMethod = extract(@"rawdata=.*?Method=(.*?)(?:\||\;|$)", 1, AdditionalExtensions),
+ temp_HttpUserAgent = extract(@"rawdata=.*?User-Agent=(.*?)(?:\||\;|$)", 1, AdditionalExtensions)
 | extend
 HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),
 HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)
From 955e9231b41981065a2615634e389973d714ed3e Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Thu, 1 Aug 2024 17:38:13 +0300
Subject: [PATCH 07/31] Adding EventProduct to ASimWebSessionFortinetFortiGate
---
 .../ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
index d80d8a5a987..96bf898d891 100644
--- a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
+++ b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
@@ -129,6 +129,7 @@ ParserQuery: |
 , EventSchemaVersion = "0.2.6"
 , EventType = "HTTPsession"
 , EventVendor = "Fortinet"
+ , EventProduct = "Fortigate"
 , DvcIdType = "Other"
 , NetworkBytes = DstBytes + SrcBytes
 , EventEndTime = TimeGenerated
From 5f9bdfa1864af42b3dbe51421a5417ee2c1def23 Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Thu, 1 Aug 2024 17:39:17 +0300
Subject: [PATCH 08/31] Adding EventVendor to vimWebSessionFortinetFortiGate
---
 .../ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml | 1 +
 1 file changed, 1 insertion(+)
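Review bot: The added `, EventProduct = "Fortigate"` in patch 07 spells the product differently from the parser metadata `Name: Fortinet FortiGate` shown in patch 11's hunk, and because KQL `==` on strings is case-sensitive, a consumer filtering on `EventProduct == "FortiGate"` would miss every row this parser emits; suggest `, EventProduct = "FortiGate"` here and in patch 08, which adds the same line to the filtering parser (its subject says EventVendor although the line added is EventProduct). The extend that the new line belongs to starts outside the hunk.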
diff --git a/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
index 5424738afe6..61bff634971 100644
--- a/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
+++ b/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
@@ -190,6 +190,7 @@ ParserQuery: |
 , EventSchemaVersion = "0.2.6"
 , EventType = "HTTPsession"
 , EventVendor = "Fortinet"
+ , EventProduct = "Fortigate"
 , DvcIdType = "Other"
 , NetworkBytes = DstBytes + SrcBytes
 , EventEndTime = TimeGenerated
From 4cda3db0d3b0a0829e58b4f67e05a4278d2708f4 Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Tue, 10 Sep 2024 12:47:15 +0300
Subject: [PATCH 09/31] Adding results Fortinet_FortiGate_ASimWebSession_SchemaTest.csv
---
 ...et_FortiGate_ASimWebSession_SchemaTest.csv | 103 ++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100644 Parsers/ASimWebSession/Tests/Fortinet_FortiGate_ASimWebSession_SchemaTest.csv
diff --git a/Parsers/ASimWebSession/Tests/Fortinet_FortiGate_ASimWebSession_SchemaTest.csv b/Parsers/ASimWebSession/Tests/Fortinet_FortiGate_ASimWebSession_SchemaTest.csv
new file mode 100644
index 00000000000..a363bdcaf9b
--- /dev/null
+++ b/Parsers/ASimWebSession/Tests/Fortinet_FortiGate_ASimWebSession_SchemaTest.csv
@@ -0,0 +1,103 @@
+Result
+"(0) Error: Missing recommended alias [HttpStatusCode] aliasing existing column [EventResultDetails]"
+"(1) Warning: Missing recommended field [ASimMatchingIpAddr]"
+"(1) Warning: Missing recommended field [DvcDomain]"
+"(1) Warning: Missing recommended field [DvcIpAddr]"
+"(1) Warning: Missing recommended field [SrcDomain]"
+"(2) Info: Missing optional alias [Hash] aliasing non-existent column [MD5|SHA1|SHA256|SHA512]"
+"(2) Info: Missing optional alias [InnerVlanId] aliasing non-existent column [SrcVlanId]"
+"(2) Info: Missing optional alias [OuterVlanId] aliasing non-existent column [DstVlanId]"
+"(2) Info: Missing optional field [AdditionalFields]"
+"(2) Info: Missing optional field [DstAppId]"
+"(2) Info: Missing optional field [DstAppName]"
+"(2) Info: Missing optional field [DstAppType]"
+"(2) Info: Missing optional field [DstDescription]"
+"(2) Info: Missing optional field [DstDeviceType]"
+"(2) Info: Missing optional field [DstDomain]"
+"(2) Info: Missing optional field [DstDvcId]"
+"(2) Info: Missing optional field [DstFQDN]"
+"(2) Info: Missing optional field [DstGeoCity]"
+"(2) Info: Missing optional field [DstGeoLatitude]"
+"(2) Info: Missing optional field [DstGeoLongitude]"
+"(2) Info: Missing optional field [DstGeoRegion]"
+"(2) Info: Missing optional field [DstInterfaceGuid]"
+"(2) Info: Missing optional field [DstMacAddr]"
+"(2) Info: Missing optional field [DstNatIpAddr]"
+"(2) Info: Missing optional field [DstNatPortNumber]"
+"(2) Info: Missing optional field [DstOriginalUserType]"
+"(2) Info: Missing optional field [DstUserId]"
+"(2) Info: Missing optional field [DstUserType]"
+"(2) Info: Missing optional field [DstVlanId]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcFQDN]"
+"(2) Info: Missing optional field [DvcInboundInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOutboundInterface]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventOriginalResultDetails]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventOriginalType]"
+"(2) Info: Missing optional field [EventOriginalUid]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [FileContentType]"
+"(2) Info: Missing optional field [FileMD5]"
+"(2) Info: Missing optional field [FileName]"
+"(2) Info: Missing optional field [FileSHA1]"
+"(2) Info: Missing optional field [FileSHA256]"
+"(2) Info: Missing optional field [FileSHA512]"
+"(2) Info: Missing optional field [FileSize]"
+"(2) Info: Missing optional field [HttpContentFormat]"
+"(2) Info: Missing optional field [HttpContentType]"
+"(2) Info: Missing optional field [HttpCookie]"
+"(2) Info: Missing optional field [HttpHost]"
+"(2) Info: Missing optional field [HttpIsProxied]"
+"(2) Info: Missing optional field [HttpRequestBodyBytes]"
+"(2) Info: Missing optional field [HttpRequestCacheControl]"
+"(2) Info: Missing optional field [HttpRequestHeaderCount]"
+"(2) Info: Missing optional field [HttpRequestTime]"
+"(2) Info: Missing optional field [HttpResponseBodyBytes]"
+"(2) Info: Missing optional field [HttpResponseCacheControl]"
+"(2) Info: Missing optional field [HttpResponseExpires]"
+"(2) Info: Missing optional field [HttpResponseHeaderCount]"
+"(2) Info: Missing optional field [HttpResponseTime]"
+"(2) Info: Missing optional field [HttpVersion]"
+"(2) Info: Missing optional field [NetworkConnectionHistory]"
+"(2) Info: Missing optional field [NetworkDirection]"
+"(2) Info: Missing optional field [NetworkIcmpCode]"
+"(2) Info: Missing optional field [NetworkIcmpType]"
+"(2) Info: Missing optional field [RuleName]"
+"(2) Info: Missing optional field [SrcAppId]"
+"(2) Info: Missing optional field [SrcAppName]"
+"(2) Info: Missing optional field [SrcAppType]"
+"(2) Info: Missing optional field [SrcDescription]"
+"(2) Info: Missing optional field [SrcDeviceType]"
+"(2) Info: Missing optional field [SrcDvcId]"
+"(2) Info: Missing optional field [SrcFQDN]"
+"(2) Info: Missing optional field [SrcGeoCity]"
+"(2) Info: Missing optional field [SrcGeoLatitude]"
+"(2) Info: Missing optional field [SrcGeoLongitude]"
+"(2) Info: Missing optional field [SrcGeoRegion]"
+"(2) Info: Missing optional field [SrcInterfaceGuid]"
+"(2) Info: Missing optional field [SrcMacAddr]"
+"(2) Info: Missing optional field [SrcNatIpAddr]"
+"(2) Info: Missing optional field [SrcNatPortNumber]"
+"(2) Info: Missing optional field [SrcOriginalUserType]"
+"(2) Info: Missing optional field [SrcUserId]"
+"(2) Info: Missing optional field [SrcUserType]"
+"(2) Info: Missing optional field [SrcVlanId]"
+"(2) Info: Missing optional field [ThreatCategory]"
+"(2) Info: Missing optional field [ThreatConfidence]"
+"(2) Info: Missing optional field [ThreatField]"
+"(2) Info: Missing optional field [ThreatFirstReportedTime]"
+"(2) Info: Missing optional field [ThreatId]"
+"(2) Info: Missing optional field [ThreatIpAddr]"
+"(2) Info: Missing optional field [ThreatIsActive]"
+"(2) Info: Missing optional field [ThreatLastReportedTime]"
+"(2) Info: Missing optional field [ThreatName]"
+"(2) Info: Missing optional field [ThreatOriginalConfidence]"
+"(2) Info: Missing optional field [ThreatRiskLevel]"
+"(2) Info: Missing optional field [UrlOriginal]"
From a0d60a1f6bc339e264fd4a6bd465fe116edabe4e Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Tue, 10 Sep 2024 13:32:51 +0300
Subject: [PATCH 10/31] Adding results Fortinet_FortiGate_ASimWebSession_DataTest.csv
---
 ...inet_FortiGate_ASimWebSession_DataTest.csv | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 Parsers/ASimWebSession/Tests/Fortinet_FortiGate_ASimWebSession_DataTest.csv
diff --git a/Parsers/ASimWebSession/Tests/Fortinet_FortiGate_ASimWebSession_DataTest.csv b/Parsers/ASimWebSession/Tests/Fortinet_FortiGate_ASimWebSession_DataTest.csv
new file mode 100644
index 00000000000..b1d8329186a
--- /dev/null
+++ b/Parsers/ASimWebSession/Tests/Fortinet_FortiGate_ASimWebSession_DataTest.csv
@@ -0,0 +1,23 @@
+Result
+"(0) Error: 30 invalid value(s) (up to 10 listed) in 29949 records (99.83%) for field [DstHostname] of type [Hostname]: [""mask.icloud.com"",""mask-h2.icloud.com"",""mask-api.icloud.com""] (Schema:WebSession)"
+"(0) Error: 30 invalid value(s) (up to 10 listed) in 29949 records (99.83%) for field [Hostname] of type [Hostname]: [""mask.icloud.com"",""mask-h2.icloud.com"",""mask-api.icloud.com""] (Schema:WebSession)"
+"(2) Info: Empty value in 1 records (0.0%) in optional field [UrlCategory] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in optional field [DstGeoCountry] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in optional field [DstPackets] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in optional field [DstUsername] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in optional field [DstZone] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in optional field [HttpReferrer] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in optional field [HttpRequestMethod] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in optional field [HttpRequestXff] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in optional field [HttpUserAgent] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in optional field [NetworkDuration] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in optional field [NetworkPackets] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in optional field [NetworkSessionId] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in optional field [RuleNumber] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in optional field [Rule] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in optional field [SrcGeoCountry] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in optional field [SrcPackets] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in optional field [SrcUsername] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in optional field [SrcZone] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in optional field [ThreatOriginalRiskLevel] (Schema:WebSession)"
+"(2) Info: Empty value in 30000 records (100.0%) in recommended field [SrcHostname] (Schema:WebSession)"
From ab7d17057d012ec78c6731849b3d048d5dc533bd Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Mon, 4 Nov 2024 23:18:06 +0200
Subject: [PATCH 11/31] Parser Version fix ASimWebSessionFortinetFortiGate
---
 .../Parsers/ASimWebSessionFortinetFortiGate.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
index 96bf898d891..7c58f95ab2e 100644
--- a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
+++ b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Web Session ASIM parser for Fortinet FortiGate
- Version: '0.1'
- LastUpdated: Nov 11th, 2023
+ Version: '0.1.1'
+ LastUpdated: Nov 11, 2023
 Product:
 Name: Fortinet FortiGate
 Normalization:
From 34634d84b1c200596a5f172cd55f8aa71fdd4fc2 Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Mon, 4 Nov 2024 23:18:47 +0200
Subject: [PATCH 12/31] Parser Version fix ASimWebSessionFortinetFortiGate
---
 .../ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
index 7c58f95ab2e..af71d62179b 100644
--- a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
+++ b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Web Session ASIM parser for Fortinet FortiGate
 Version: '0.1.1'
- LastUpdated: Nov 11, 2023
+ LastUpdated: Nov 4, 2024
 Product:
 Name: Fortinet FortiGate
 Normalization:
From c713e0fe925cf452854cfba3e92495719e724a24 Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Mon, 4 Nov 2024 23:19:22 +0200
Subject: [PATCH 13/31] Parser Version fix vimWebSessionFortinetFortiGate
---
 .../Parsers/vimWebSessionFortinetFortiGate.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
index 61bff634971..0e4bf9fcc86 100644
--- a/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
+++ b/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Web Session ASIM filtering parser for Fortinet FortiGate
- Version: '0.1'
- LastUpdated: Nov 11th, 2023
+ Version: '0.1.1'
+ LastUpdated: Nov 4, 2024
 Product:
 Name: Fortinet FortiGate
 Normalization:
From c505f22642b23dc51964594c73c06092a481230e Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Mon, 4 Nov 2024 23:36:39 +0200
Subject: [PATCH 14/31] Reference fix vimWebSessionFortinetFortiGate
---
 .../ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
index 0e4bf9fcc86..78712dd2d69 100644
--- a/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
+++ b/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
@@ -11,7 +11,7 @@ References:
 - Title: ASIM Web Session Schema
 Link: https://aka.ms/ASimWebSessionDoc
 - Title: ASIM
- Link: https:/aka.ms/AboutASIM
+ Link: https://aka.ms/AboutASIM
 - Title: web log fields
 Link: https://docs.fortinet.com/document/fortigate/7.4.0/fortios-log-message-reference/400992
 - Title: Fortinet FortiGate CEF setup
From 233a173baa5d8f21320fb6f3f60ea06139b529a8 Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Mon, 4 Nov 2024 23:37:09 +0200
Subject: [PATCH 15/31] Reference fix ASimWebSessionFortinetFortiGate
---
 .../ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
index af71d62179b..8b7a11ae824 100644
--- a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
+++ b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
@@ -11,7 +11,7 @@ References:
 - Title: ASIM Web Session Schema
 Link: https://aka.ms/ASimWebSessionDoc
 - Title: ASIM
- Link: https:/aka.ms/AboutASIM
+ Link: https://aka.ms/AboutASIM
 - Title: web log fields
 Link: https://docs.fortinet.com/document/fortigate/7.4.0/fortios-log-message-reference/400992
 - Title: Fortinet FortiGate CEF setup
From 15e64b3267a5c1c6cf2622a38b1e50083a22d627 Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Mon, 4 Nov 2024 23:49:16 +0200
Subject: [PATCH 16/31] Fix HttpStatusCode vimWebSessionFortinetFortiGate
---
 .../ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
index 78712dd2d69..e58868f0d14 100644
--- a/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
+++ b/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
@@ -181,7 +181,8 @@ ParserQuery: |
 temp_HttpUserAgent = extract(@"rawdata=.*?User-Agent=(.*?)(?:\||\;|$)", 1, AdditionalExtensions)
 | extend
 HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),
- HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)
+ HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent),
+ HttpStatusCode = EventResultDetails
 | project-away temp_*
 | where (array_length(httpuseragent_has_any) == 0 or HttpUserAgent has_any(httpuseragent_has_any))
 | extend
From 7d190924995738d81d4053111d9c47cbda725210 Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Mon, 4 Nov 2024 23:50:44 +0200
Subject: [PATCH 17/31] Fix HttpStatusCode ASimWebSessionFortinetFortiGate
---
 .../Parsers/ASimWebSessionFortinetFortiGate.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
index 8b7a11ae824..ea7013984db 100644
--- a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
+++ b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
@@ -121,7 +121,8 @@ ParserQuery: |
 temp_HttpUserAgent = extract(@"rawdata=.*?User-Agent=(.*?)(?:\||\;|$)", 1, AdditionalExtensions)
 | extend
 HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),
- HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)
+ HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent),
+ HttpStatusCode = EventResultDetails
 | project-away temp_*
 | extend
 EventCount = int(1)
From a6d6f2deaeb57276921a154936ef3d7cb894a3a1 Mon Sep 17 00:00:00 2001
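Review bot: The added `HttpStatusCode = EventResultDetails` provides the alias the schema test in patch 09 asked for, but the ASim parser seeds EventResultDetails with the literal `"NA"` before the EventLookup join (context visible in patch 03's first hunk, and the filtering parser already filters on EventResultDetails before its lookup in patch 04's context, so it presumably does the same), so wherever the lookup does not supply a code HttpStatusCode will carry `NA` rather than an HTTP status and consumers casting it to an integer need to expect that. A comment on the new line such as `// schema alias of EventResultDetails; holds the "NA" placeholder when the EventLookup row carries no status code — verify lookup contents` would record this. Patch 17 adds the same line to the ASim parser; in both hunks the `| extend` the new line belongs to is inside the hunk.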
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Tue, 5 Nov 2024 00:05:21 +0200
Subject: [PATCH 18/31] Adding _ASIM_ResolveDstFQDN ASimWebSessionFortinetFortiGate
---
 .../ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
index ea7013984db..15c471e5c8b 100644
--- a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
+++ b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml
@@ -75,7 +75,6 @@ ParserQuery: |
 , NetworkApplicationProtocol = ApplicationProtocol
 , DvcId = DeviceExternalID
 , EventUid = _ItemId
- , DstHostname = DestinationHostName
 , SrcHostname = SourceHostName
 , SrcUsername = SourceUserName
 , DstUsername = DestinationUserName
@@ -101,6 +100,7 @@ ParserQuery: |
 ['ad.agent']:string
 ) with (pair_delimiter=';', kv_delimiter='=')
 | parse AdditionalExtensions with * "x-forwarded-for=" HttpRequestXff:string ";" *
+ | invoke _ASIM_ResolveDstFQDN('DestinationHostName')
 | project-rename
 HttpReferrer = ['ad.referralurl'],
 HttpRequestMethod = ['ad.httpmethod'],
From 1920b0044af9c274a63009f1984893522ce25dbf Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Tue, 5 Nov 2024 00:07:40 +0200
Subject: [PATCH 19/31] Add _ASIM_ResolveDstFQDN vimWebSessionFortinetFortiGate
---
 .../ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
index e58868f0d14..176862c4605 100644
--- a/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
+++ b/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
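Review bot: The new `| invoke _ASIM_ResolveDstFQDN('DestinationHostName')` normalises only the destination side; `, SrcHostname = SourceHostName` (the line right after the removed one in the first hunk) still copies the raw value, so the `Missing recommended field [SrcDomain]` warning in the schema test added in patch 09 is left standing. Adding `| invoke _ASIM_ResolveSrcFQDN('SourceHostName')` after the new invoke and dropping the SrcHostname rename would give the source the same treatment; the data test in patch 10 shows SrcHostname empty in all 30000 sampled records, so the gain depends on feeds that populate it. The project-rename in the first hunk and the parse_kv call in the second both start outside their hunks. Patch 19 makes the same change in the filtering parser.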
@@ -135,7 +135,6 @@ ParserQuery: |
 , NetworkApplicationProtocol = ApplicationProtocol
 , DvcId = DeviceExternalID
 , EventUid = _ItemId
- , DstHostname = DestinationHostName
 , SrcHostname = SourceHostName
 , SrcUsername = SourceUserName
 , DstUsername = DestinationUserName
@@ -161,6 +160,7 @@ ParserQuery: |
 ['ad.agent']:string
 ) with (pair_delimiter=';', kv_delimiter='=')
 | parse AdditionalExtensions with * "x-forwarded-for=" HttpRequestXff:string ";" *
+ | invoke _ASIM_ResolveDstFQDN('DestinationHostName')
 | project-rename
 HttpReferrer = ['ad.referralurl'],
 HttpRequestMethod = ['ad.httpmethod'],
From f8a94b59b8fea41eb2bc0d7914ff04b167c473be Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Mon, 9 Dec 2024 10:35:06 +0200
Subject: [PATCH 20/31] Add Fortinet_Fortigate_WebSession_IngestedLogs.csv
---
 .../Fortinet_Fortigate_WebSession_IngestedLogs.csv | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
diff --git a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
new file mode 100644
index 00000000000..73e78f4fdcd
--- /dev/null
+++ b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
@@ -0,0 +1,11 @@ +TenantId,"TimeGenerated [UTC]",DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,DeviceAction,ApplicationProtocol,DeviceExternalID,DeviceInboundInterface,DeviceOutboundInterface,DestinationHostName,DestinationPort,DestinationIP,DeviceName,Message,SourceIP,Computer +"test-tenant-id","12/9/2024, 8:19:02.792 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"216.58.213.14","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host" +"test-tenant-id","12/9/2024, 8:20:14.519 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"64.233.180.138","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host" +"test-tenant-id","12/9/2024, 8:20:51.358 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.200.110","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host" +"test-tenant-id","12/9/2024, 8:20:07.169 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.200.110","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host" +"test-tenant-id","12/9/2024, 8:16:52.453 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"216.58.213.14","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host" 
+"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","mtalk.google.com",443,"74.125.203.188","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host" +"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0319013317,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","mtalk.google.com",443,"74.125.203.188","test-host","URL has been visited","192.168.1.2","test-host" +"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.com",443,"142.250.179.132","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host" +"test-tenant-id","12/9/2024, 8:20:31.854 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.com",443,"142.250.179.132","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host" +"test-tenant-id","12/9/2024, 8:20:41.934 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.179.206","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host" From 5ab2b0df45f6cd5d8f2feda02213558d44422326 Mon Sep 17 00:00:00 2001 
From: t-pol <24976309+t-pol@users.noreply.github.com> Date: Mon, 9 Dec 2024 11:01:26 +0200 Subject: [PATCH 21/31] Updating Fortinet_Fortigate_WebSession_IngestedLogs.csv --- ...inet_Fortigate_WebSession_IngestedLogs.csv | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv index 73e78f4fdcd..dfcc7263954 100644 --- a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv +++ b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv 
@@ -1,11 +1,11 @@ -TenantId,"TimeGenerated [UTC]",DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,DeviceAction,ApplicationProtocol,DeviceExternalID,DeviceInboundInterface,DeviceOutboundInterface,DestinationHostName,DestinationPort,DestinationIP,DeviceName,Message,SourceIP,Computer -"test-tenant-id","12/9/2024, 8:19:02.792 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"216.58.213.14","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host" -"test-tenant-id","12/9/2024, 8:20:14.519 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"64.233.180.138","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host" -"test-tenant-id","12/9/2024, 8:20:51.358 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.200.110","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host" -"test-tenant-id","12/9/2024, 8:20:07.169 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.200.110","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host" -"test-tenant-id","12/9/2024, 8:16:52.453 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"216.58.213.14","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host" 
-"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","mtalk.google.com",443,"74.125.203.188","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host" -"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0319013317,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","mtalk.google.com",443,"74.125.203.188","test-host","URL has been visited","192.168.1.2","test-host" -"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.com",443,"142.250.179.132","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host" -"test-tenant-id","12/9/2024, 8:20:31.854 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.com",443,"142.250.179.132","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host" -"test-tenant-id","12/9/2024, 8:20:41.934 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.179.206","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host" +TenantId,"TimeGenerated 
[UTC]",DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,DeviceAction,ApplicationProtocol,DeviceExternalID,DeviceInboundInterface,DeviceOutboundInterface,DestinationHostName,DestinationPort,DestinationIP,DeviceName,Message,SourceIP,Computer,Type +"test-tenant-id","12/9/2024, 8:19:02.792 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"216.58.213.14","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host",CommonSecurityLog +"test-tenant-id","12/9/2024, 8:20:14.519 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"64.233.180.138","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host",CommonSecurityLog +"test-tenant-id","12/9/2024, 8:20:51.358 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.200.110","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host",CommonSecurityLog +"test-tenant-id","12/9/2024, 8:20:07.169 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.200.110","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host",CommonSecurityLog +"test-tenant-id","12/9/2024, 8:16:52.453 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"216.58.213.14","test-host","URL belongs to a denied category in 
policy","192.168.1.2","test-host",CommonSecurityLog +"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","mtalk.google.com",443,"74.125.203.188","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",CommonSecurityLog +"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0319013317,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","mtalk.google.com",443,"74.125.203.188","test-host","URL has been visited","192.168.1.2","test-host",CommonSecurityLog +"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.com",443,"142.250.179.132","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",CommonSecurityLog +"test-tenant-id","12/9/2024, 8:20:31.854 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.com",443,"142.250.179.132","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",CommonSecurityLog +"test-tenant-id","12/9/2024, 8:20:41.934 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.179.206","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",CommonSecurityLog From 0747a90fb041ebcfeafb0b5c8d8814d924382fdc Mon Sep 17 00:00:00 2001 
From: t-pol <24976309+t-pol@users.noreply.github.com> Date: Mon, 9 Dec 2024 12:41:53 +0200 Subject: [PATCH 22/31] Update Fortinet_Fortigate_WebSession_IngestedLogs.csv --- ...inet_Fortigate_WebSession_IngestedLogs.csv | 32 ++++++++++++------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv index dfcc7263954..0d68261ee48 100644 --- a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv +++ b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv 
@@ -1,11 +1,21 @@ -TenantId,"TimeGenerated [UTC]",DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,DeviceAction,ApplicationProtocol,DeviceExternalID,DeviceInboundInterface,DeviceOutboundInterface,DestinationHostName,DestinationPort,DestinationIP,DeviceName,Message,SourceIP,Computer,Type -"test-tenant-id","12/9/2024, 8:19:02.792 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"216.58.213.14","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host",CommonSecurityLog -"test-tenant-id","12/9/2024, 8:20:14.519 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"64.233.180.138","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host",CommonSecurityLog -"test-tenant-id","12/9/2024, 8:20:51.358 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.200.110","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host",CommonSecurityLog -"test-tenant-id","12/9/2024, 8:20:07.169 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.200.110","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host",CommonSecurityLog -"test-tenant-id","12/9/2024, 8:16:52.453 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"216.58.213.14","test-host","URL 
belongs to a denied category in policy","192.168.1.2","test-host",CommonSecurityLog -"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","mtalk.google.com",443,"74.125.203.188","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",CommonSecurityLog -"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0319013317,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","mtalk.google.com",443,"74.125.203.188","test-host","URL has been visited","192.168.1.2","test-host",CommonSecurityLog -"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.com",443,"142.250.179.132","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",CommonSecurityLog -"test-tenant-id","12/9/2024, 8:20:31.854 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.com",443,"142.250.179.132","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",CommonSecurityLog -"test-tenant-id","12/9/2024, 8:20:41.934 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.179.206","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",CommonSecurityLog +TenantId,"TimeGenerated 
[UTC]",DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,DeviceExternalID,DeviceInboundInterface,DeviceOutboundInterface,DestinationHostName,DestinationPort,DestinationIP,DeviceName,Message,SourceIP,Computer,RequestURL,Type +"test-tenant-id","12/9/2024, 8:19:02.792 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"216.58.213.14","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host",,CommonSecurityLog +"test-tenant-id","12/9/2024, 8:20:14.519 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"64.233.180.138","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host",,CommonSecurityLog +"test-tenant-id","12/9/2024, 8:20:51.358 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.200.110","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host",,CommonSecurityLog +"test-tenant-id","12/9/2024, 8:20:07.169 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.200.110","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host",,CommonSecurityLog +"test-tenant-id","12/9/2024, 8:16:52.453 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"216.58.213.14","test-host","URL 
belongs to a denied category in policy","192.168.1.2","test-host",,CommonSecurityLog +"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","mtalk.google.com",443,"74.125.203.188","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",,CommonSecurityLog +"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0319013317,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","mtalk.google.com",443,"74.125.203.188","test-host","URL has been visited","192.168.1.2","test-host",,CommonSecurityLog +"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.com",443,"142.250.179.132","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",,CommonSecurityLog +"test-tenant-id","12/9/2024, 8:20:31.854 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.com",443,"142.250.179.132","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",,CommonSecurityLog +"test-tenant-id","12/9/2024, 8:20:41.934 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.179.206","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",,CommonSecurityLog +"test-tenant-id","12/9/2024, 9:54:59.935 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 
(GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 10:54:58;logver=700140601;vd=root;eventtime=1733738099387945126;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.eu",80,"142.250.200.3","test-host","192.168.1.5","test-host","URL belongs to an allowed category in policy","http://www.google.eu/",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:57.662 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:56;logver=700140601;vd=root;eventtime=1733738576673815547;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.65.227","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","URL belongs to an allowed category in 
policy","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 9:54:58.821 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0318012801,"webfilter utm passthrough",6,"start=Dec 09 2024 10:54:57;logver=700140601;vd=root;eventtime=1733738097548935397;tz=""+0100"";logid=0318012801;subtype=webfilter;eventtype=ftgd_err;deviceSeverity=warning;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"172.217.168.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","URL belongs to an allowed category in policy","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:20.139 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:18;logver=700140601;vd=root;eventtime=1733738539033428721;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=HEAD|User-Agent=Mozilla/5.0 (X11 Linux aarch64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/90.0.4430.225 
Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.187.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","URL belongs to an allowed category in policy","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:01.276 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:01:58;logver=700140601;vd=root;eventtime=1733738518753360834;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","gstatic.com",80,"172.217.17.67","test-host","192.168.2.10","test-host","URL belongs to an allowed category in policy","http://gstatic.com/",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:58.897 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:52;logver=700140601;vd=root;eventtime=1733738577040919079;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United 
States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.187.195","test-host","192.168.1.2","test-host","URL belongs to an allowed category in policy","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:59.044 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 20:02:54;logver=700140601;vd=root;eventtime=1733738576522657421;tz=""+1000"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.66.195","test-host","192.168.1.2","test-host","URL belongs to an allowed category in policy","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:52.496 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 
11:02:48;logver=700140601;vd=root;eventtime=1733738570438330090;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","apple.com",80,"184.28.84.242","test-host","192.168.50.2","test-host","URL belongs to an allowed category in policy",CommonSecurityLog +"test-tenant-id","12/9/2024, 9:57:56.865 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0315012545,"webfilter utm passthrough",4,"start=Dec 09 2024 10:57:51;logver=700140601;vd=root;eventtime=1733738273866871021;tz=""+0100"";logid=0315012545;subtype=webfilter;eventtype=urlfilter;deviceSeverity=information;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","captive.apple.com",80,"184.28.84.242","test-host","192.168.7.2","test-host","URL belongs to an allowed category in policy","http://captive.apple.com/",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:06.245 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 
11:02:04;logver=700150632;vd=root;eventtime=1733738525613152583;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (Windows NT 10.0 Win64 x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","edge-http.microsoft.com",80,"13.107.6.158","test-host","192.168.70.8","test-host","URL belongs to an allowed category in policy","http://edge-http.microsoft.com/captiveportal/generate_204",CommonSecurityLog From 3c943b73355d9a40bab80f778f3176950a4305d2 Mon Sep 17 00:00:00 2001 From: t-pol <24976309+t-pol@users.noreply.github.com> Date: Mon, 9 Dec 2024 13:16:17 +0200 Subject: [PATCH 23/31] Update Fortinet_Fortigate_WebSession_IngestedLogs.csv --- .../Fortinet_Fortigate_WebSession_IngestedLogs.csv | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv index 0d68261ee48..11accda0ffd 100644 --- a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv +++ b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv 
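Review bot: The ten rows appended at the end of this hunk do not line up with the 23-column header `...,DeviceName,Message,SourceIP,Computer,RequestURL,Type`: the `www.google.eu` row carries `"test-host","192.168.1.5","test-host","URL belongs to an allowed category in policy"`, which puts the source IP under Message and the message under Computer; the 10:02:57 `connectivitycheck.gstatic.com` row repeats the message and so has 24 fields; the `apple.com` row has no RequestURL and only 22. A parser test that ingests this fixture positionally will read SourceIP, Message and Computer from the wrong columns and pass or fail for the wrong reasons, which matters because SrcIpAddr is a primary pivot in WebSession detections. Each appended row should follow the header order exactly, e.g. `...,"142.250.200.3","test-host","URL belongs to an allowed category in policy","192.168.1.5","test-host","http://www.google.eu/",CommonSecurityLog` for the first one, and the fixture should be checked with a per-row field-count validation before it is used. The next patch in this series rewrites some of these rows, which may be the intended fix; the rows it leaves untouched need the same check.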
@@ -9,13 +9,13 @@ TenantId,"TimeGenerated [UTC]",DeviceVendor,DeviceProduct,DeviceVersion,DeviceEv "test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.com",443,"142.250.179.132","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",,CommonSecurityLog "test-tenant-id","12/9/2024, 8:20:31.854 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.com",443,"142.250.179.132","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",,CommonSecurityLog "test-tenant-id","12/9/2024, 8:20:41.934 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.179.206","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",,CommonSecurityLog -"test-tenant-id","12/9/2024, 9:54:59.935 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 10:54:58;logver=700140601;vd=root;eventtime=1733738099387945126;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 
Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.eu",80,"142.250.200.3","test-host","192.168.1.5","test-host","URL belongs to an allowed category in policy","http://www.google.eu/",CommonSecurityLog -"test-tenant-id","12/9/2024, 10:02:57.662 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:56;logver=700140601;vd=root;eventtime=1733738576673815547;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.65.227","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","URL belongs to an allowed category in policy","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog -"test-tenant-id","12/9/2024, 9:54:58.821 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0318012801,"webfilter utm passthrough",6,"start=Dec 09 2024 10:54:57;logver=700140601;vd=root;eventtime=1733738097548935397;tz=""+0100"";logid=0318012801;subtype=webfilter;eventtype=ftgd_err;deviceSeverity=warning;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United 
States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"172.217.168.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","URL belongs to an allowed category in policy","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog -"test-tenant-id","12/9/2024, 10:02:20.139 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:18;logver=700140601;vd=root;eventtime=1733738539033428721;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=HEAD|User-Agent=Mozilla/5.0 (X11 Linux aarch64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/90.0.4430.225 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.187.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","URL belongs to an allowed category in policy","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 9:54:59.935 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 
10:54:58;logver=700140601;vd=root;eventtime=1733738099387945126;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.eu",80,"142.250.200.3","test-host","URL belongs to an allowed category in policy","192.168.1.5","test-host","http://www.google.eu/",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:57.662 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:56;logver=700140601;vd=root;eventtime=1733738576673815547;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.65.227","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 9:54:58.821 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 
(GA)",0318012801,"webfilter utm passthrough",6,"start=Dec 09 2024 10:54:57;logver=700140601;vd=root;eventtime=1733738097548935397;tz=""+0100"";logid=0318012801;subtype=webfilter;eventtype=ftgd_err;deviceSeverity=warning;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"172.217.168.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:20.139 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:18;logver=700140601;vd=root;eventtime=1733738539033428721;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=HEAD|User-Agent=Mozilla/5.0 (X11 Linux aarch64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/90.0.4430.225 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.187.195","test-host","URL belongs to an allowed category in 
policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog "test-tenant-id","12/9/2024, 10:02:01.276 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:01:58;logver=700140601;vd=root;eventtime=1733738518753360834;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","gstatic.com",80,"172.217.17.67","test-host","192.168.2.10","test-host","URL belongs to an allowed category in policy","http://gstatic.com/",CommonSecurityLog "test-tenant-id","12/9/2024, 10:02:58.897 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:52;logver=700140601;vd=root;eventtime=1733738577040919079;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 
Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.187.195","test-host","192.168.1.2","test-host","URL belongs to an allowed category in policy","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog "test-tenant-id","12/9/2024, 10:02:59.044 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 20:02:54;logver=700140601;vd=root;eventtime=1733738576522657421;tz=""+1000"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.66.195","test-host","192.168.1.2","test-host","URL belongs to an allowed category in policy","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog -"test-tenant-id","12/9/2024, 10:02:52.496 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:48;logver=700140601;vd=root;eventtime=1733738570438330090;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United 
States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","apple.com",80,"184.28.84.242","test-host","192.168.50.2","test-host","URL belongs to an allowed category in policy",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:52.496 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:48;logver=700140601;vd=root;eventtime=1733738570438330090;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","apple.com",80,"184.28.84.242","test-host","192.168.50.2","test-host","URL belongs to an allowed category in policy","http://apple.com/",CommonSecurityLog "test-tenant-id","12/9/2024, 9:57:56.865 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0315012545,"webfilter utm passthrough",4,"start=Dec 09 2024 10:57:51;logver=700140601;vd=root;eventtime=1733738273866871021;tz=""+0100"";logid=0315012545;subtype=webfilter;eventtype=urlfilter;deviceSeverity=information;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United 
States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","captive.apple.com",80,"184.28.84.242","test-host","192.168.7.2","test-host","URL belongs to an allowed category in policy","http://captive.apple.com/",CommonSecurityLog
 "test-tenant-id","12/9/2024, 10:02:06.245 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:04;logver=700150632;vd=root;eventtime=1733738525613152583;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (Windows NT 10.0 Win64 x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","edge-http.microsoft.com",80,"13.107.6.158","test-host","192.168.70.8","test-host","URL belongs to an allowed category in policy","http://edge-http.microsoft.com/captiveportal/generate_204",CommonSecurityLog
From 8197afaebef5b8251e74cd52aeac02b4fcbea37e Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Mon, 9 Dec 2024 13:18:53 +0200
Subject: [PATCH 24/31] Update Fortinet_Fortigate_WebSession_IngestedLogs.csv
---
.../Fortinet_Fortigate_WebSession_IngestedLogs.csv | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
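Review bot: Every populated AdditionalExtensions value in this hunk (and in the PATCH 24/31 hunk that re-edits the same rows) carries a User-Agent with its `;` and `,` stripped — `(X11 Linux x86_64)`, `(KHTML like Gecko)` — while `;` is also the key/value separator of the field itself. If the device forwards browser User-Agent strings verbatim, a parser that ends a value at `;` would truncate them to `Mozilla/5.0 (X11`, and this sample would not reveal it. Consider adding one row that keeps the punctuation, for example (constructed) `rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.32 Safari/537.36`, or state in the PR that the FortiGate CEF export strips these characters. Separately, the rows this hunk leaves unchanged (gstatic.com, the 10:02:58 and 10:02:59 connectivitycheck rows, apple.com, captive.apple.com, edge-http.microsoft.com) still place SourceIP before Message relative to the header order `DeviceName,Message,SourceIP,Computer,RequestURL,Type`; PATCH 24/31 corrects them.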
diff --git a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
index 11accda0ffd..0867c3f6475 100644
--- a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
+++ b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
@@ -13,9 +13,9 @@ TenantId,"TimeGenerated [UTC]",DeviceVendor,DeviceProduct,DeviceVersion,DeviceEv "test-tenant-id","12/9/2024, 10:02:57.662 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:56;logver=700140601;vd=root;eventtime=1733738576673815547;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.65.227","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog "test-tenant-id","12/9/2024, 9:54:58.821 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0318012801,"webfilter utm passthrough",6,"start=Dec 09 2024 10:54:57;logver=700140601;vd=root;eventtime=1733738097548935397;tz=""+0100"";logid=0318012801;subtype=webfilter;eventtype=ftgd_err;deviceSeverity=warning;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 
Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"172.217.168.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog "test-tenant-id","12/9/2024, 10:02:20.139 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:18;logver=700140601;vd=root;eventtime=1733738539033428721;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=HEAD|User-Agent=Mozilla/5.0 (X11 Linux aarch64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/90.0.4430.225 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.187.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog -"test-tenant-id","12/9/2024, 10:02:01.276 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:01:58;logver=700140601;vd=root;eventtime=1733738518753360834;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United 
States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","gstatic.com",80,"172.217.17.67","test-host","192.168.2.10","test-host","URL belongs to an allowed category in policy","http://gstatic.com/",CommonSecurityLog -"test-tenant-id","12/9/2024, 10:02:58.897 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:52;logver=700140601;vd=root;eventtime=1733738577040919079;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.187.195","test-host","192.168.1.2","test-host","URL belongs to an allowed category in policy","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog -"test-tenant-id","12/9/2024, 10:02:59.044 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 
20:02:54;logver=700140601;vd=root;eventtime=1733738576522657421;tz=""+1000"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.66.195","test-host","192.168.1.2","test-host","URL belongs to an allowed category in policy","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog -"test-tenant-id","12/9/2024, 10:02:52.496 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:48;logver=700140601;vd=root;eventtime=1733738570438330090;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","apple.com",80,"184.28.84.242","test-host","192.168.50.2","test-host","URL belongs to an allowed category in policy","http://apple.com/",CommonSecurityLog -"test-tenant-id","12/9/2024, 9:57:56.865 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 
(GA)",0315012545,"webfilter utm passthrough",4,"start=Dec 09 2024 10:57:51;logver=700140601;vd=root;eventtime=1733738273866871021;tz=""+0100"";logid=0315012545;subtype=webfilter;eventtype=urlfilter;deviceSeverity=information;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","captive.apple.com",80,"184.28.84.242","test-host","192.168.7.2","test-host","URL belongs to an allowed category in policy","http://captive.apple.com/",CommonSecurityLog -"test-tenant-id","12/9/2024, 10:02:06.245 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:04;logver=700150632;vd=root;eventtime=1733738525613152583;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (Windows NT 10.0 Win64 x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","edge-http.microsoft.com",80,"13.107.6.158","test-host","192.168.70.8","test-host","URL belongs to an allowed category in policy","http://edge-http.microsoft.com/captiveportal/generate_204",CommonSecurityLog 
+"test-tenant-id","12/9/2024, 10:02:01.276 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:01:58;logver=700140601;vd=root;eventtime=1733738518753360834;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","gstatic.com",80,"172.217.17.67","test-host","URL belongs to an allowed category in policy","192.168.2.10","test-host","http://gstatic.com/",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:58.897 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:52;logver=700140601;vd=root;eventtime=1733738577040919079;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.187.195","test-host","URL belongs to an allowed category in 
policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:59.044 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 20:02:54;logver=700140601;vd=root;eventtime=1733738576522657421;tz=""+1000"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.66.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:52.496 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:48;logver=700140601;vd=root;eventtime=1733738570438330090;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 
Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","apple.com",80,"184.28.84.242","test-host","URL belongs to an allowed category in policy","192.168.50.2","test-host","http://apple.com/",CommonSecurityLog +"test-tenant-id","12/9/2024, 9:57:56.865 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0315012545,"webfilter utm passthrough",4,"start=Dec 09 2024 10:57:51;logver=700140601;vd=root;eventtime=1733738273866871021;tz=""+0100"";logid=0315012545;subtype=webfilter;eventtype=urlfilter;deviceSeverity=information;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","captive.apple.com",80,"184.28.84.242","test-host","URL belongs to an allowed category in policy","192.168.7.2","test-host","http://captive.apple.com/",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:06.245 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:04;logver=700150632;vd=root;eventtime=1733738525613152583;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (Windows NT 10.0 Win64 x64) AppleWebKit/537.36 (KHTML like 
Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","edge-http.microsoft.com",80,"13.107.6.158","test-host","URL belongs to an allowed category in policy","192.168.70.8","test-host","http://edge-http.microsoft.com/captiveportal/generate_204",CommonSecurityLog
From 93232926e56f48264c3cb7b2cfaae083d0d50e22 Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Mon, 9 Dec 2024 16:51:33 +0200
Subject: [PATCH 25/31] Update Fortinet_Fortigate_WebSession_IngestedLogs.csv
---
...inet_Fortigate_WebSession_IngestedLogs.csv | 20 +++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
index 0867c3f6475..51e8fc9e62b 100644
--- a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
+++ b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
@@ -1,14 +1,14 @@
 TenantId,"TimeGenerated [UTC]",DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,DeviceExternalID,DeviceInboundInterface,DeviceOutboundInterface,DestinationHostName,DestinationPort,DestinationIP,DeviceName,Message,SourceIP,Computer,RequestURL,Type
-"test-tenant-id","12/9/2024, 8:19:02.792 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"216.58.213.14","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host",,CommonSecurityLog
-"test-tenant-id","12/9/2024, 8:20:14.519 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"64.233.180.138","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host",,CommonSecurityLog
-"test-tenant-id","12/9/2024, 8:20:51.358 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.200.110","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host",,CommonSecurityLog
-"test-tenant-id","12/9/2024, 8:20:07.169 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.200.110","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host",,CommonSecurityLog
-"test-tenant-id","12/9/2024, 8:16:52.453 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"216.58.213.14","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host",,CommonSecurityLog
-"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","mtalk.google.com",443,"74.125.203.188","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",,CommonSecurityLog
-"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0319013317,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","mtalk.google.com",443,"74.125.203.188","test-host","URL has been visited","192.168.1.2","test-host",,CommonSecurityLog
-"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.com",443,"142.250.179.132","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",,CommonSecurityLog
-"test-tenant-id","12/9/2024, 8:20:31.854 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.com",443,"142.250.179.132","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",,CommonSecurityLog
-"test-tenant-id","12/9/2024, 8:20:41.934 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.179.206","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host",,CommonSecurityLog
+"test-tenant-id","12/9/2024, 8:19:02.792 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"216.58.213.14","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host","https://play.google.com/",CommonSecurityLog
+"test-tenant-id","12/9/2024, 8:20:14.519 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"64.233.180.138","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host","https://play.google.com/",CommonSecurityLog
+"test-tenant-id","12/9/2024, 8:20:51.358 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.200.110","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host","https://play.google.com/",CommonSecurityLog
+"test-tenant-id","12/9/2024, 8:20:07.169 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.200.110","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host","https://play.google.com/",CommonSecurityLog
+"test-tenant-id","12/9/2024, 8:16:52.453 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"216.58.213.14","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host","https://play.google.com/",CommonSecurityLog
+"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","mtalk.google.com",443,"74.125.203.188","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","https://mtalk.google.com/",CommonSecurityLog
+"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0319013317,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","mtalk.google.com",443,"74.125.203.188","test-host","URL has been visited","192.168.1.2","test-host","https://mtalk.google.com/",CommonSecurityLog
+"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.com",443,"142.250.179.132","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","https://www.google.com/",CommonSecurityLog
+"test-tenant-id","12/9/2024, 8:20:31.854 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.com",443,"142.250.179.132","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","https://www.google.com/",CommonSecurityLog
+"test-tenant-id","12/9/2024, 8:20:41.934 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.179.206","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","https://play.google.com/",CommonSecurityLog
 "test-tenant-id","12/9/2024, 9:54:59.935 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 10:54:58;logver=700140601;vd=root;eventtime=1733738099387945126;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.eu",80,"142.250.200.3","test-host","URL belongs to an allowed category in policy","192.168.1.5","test-host","http://www.google.eu/",CommonSecurityLog
 "test-tenant-id","12/9/2024, 10:02:57.662 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:56;logver=700140601;vd=root;eventtime=1733738576673815547;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.65.227","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog
 "test-tenant-id","12/9/2024, 9:54:58.821 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0318012801,"webfilter utm passthrough",6,"start=Dec 09 2024 10:54:57;logver=700140601;vd=root;eventtime=1733738097548935397;tz=""+0100"";logid=0318012801;subtype=webfilter;eventtype=ftgd_err;deviceSeverity=warning;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"172.217.168.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog
From dc7fbba9c4e7b706a432bf82f179a15026042db0 Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Mon, 9 Dec 2024 17:39:30 +0200
Subject: [PATCH 26/31] Update Fortinet_Fortigate_WebSession_IngestedLogs.csv
---
 .../Fortinet_Fortigate_WebSession_IngestedLogs.csv | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
index 51e8fc9e62b..c0a1bada489 100644
--- a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
+++ b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
@@ -1,14 +1,5 @@
 TenantId,"TimeGenerated [UTC]",DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,DeviceExternalID,DeviceInboundInterface,DeviceOutboundInterface,DestinationHostName,DestinationPort,DestinationIP,DeviceName,Message,SourceIP,Computer,RequestURL,Type
-"test-tenant-id","12/9/2024, 8:19:02.792 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"216.58.213.14","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host","https://play.google.com/",CommonSecurityLog
-"test-tenant-id","12/9/2024, 8:20:14.519 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"64.233.180.138","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host","https://play.google.com/",CommonSecurityLog
-"test-tenant-id","12/9/2024, 8:20:51.358 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.200.110","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host","https://play.google.com/",CommonSecurityLog
-"test-tenant-id","12/9/2024, 8:20:07.169 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.200.110","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host","https://play.google.com/",CommonSecurityLog
-"test-tenant-id","12/9/2024, 8:16:52.453 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,,blocked,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"216.58.213.14","test-host","URL belongs to a denied category in policy","192.168.1.2","test-host","https://play.google.com/",CommonSecurityLog
-"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","mtalk.google.com",443,"74.125.203.188","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","https://mtalk.google.com/",CommonSecurityLog
-"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0319013317,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","mtalk.google.com",443,"74.125.203.188","test-host","URL has been visited","192.168.1.2","test-host","https://mtalk.google.com/",CommonSecurityLog
-"test-tenant-id","12/9/2024, 8:20:31.851 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.com",443,"142.250.179.132","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","https://www.google.com/",CommonSecurityLog
-"test-tenant-id","12/9/2024, 8:20:31.854 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.com",443,"142.250.179.132","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","https://www.google.com/",CommonSecurityLog
-"test-tenant-id","12/9/2024, 8:20:41.934 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,,passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","play.google.com",443,"142.250.179.206","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","https://play.google.com/",CommonSecurityLog
+"test-tenant-id","12/2/2024, 5:35:25.263 PM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm passthrough",5,"start=Dec 02 2024 18:35:21;logver=700140601;vd=root;eventtime=1733160922753130687;tz=""+0100"";logid=0315012545;subtype=webfilter;eventtype=urlfilter;deviceSeverity=information;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=CONNECT|User-Agent=Mozilla/5.0 (Linux Android 10 K) AppleWebKit/537.36 (KHTML like Gecko) Chrome/115.0.0.0 Mobile Safari/537.36",passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","accounts.google.com",443,"146.59.231.198","test-host","URL was exempted because it is in the URL filter list","192.168.1.2","test-host","https://accounts.google.com/",CommonSecurityLog
 "test-tenant-id","12/9/2024, 9:54:59.935 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 10:54:58;logver=700140601;vd=root;eventtime=1733738099387945126;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.eu",80,"142.250.200.3","test-host","URL belongs to an allowed category in policy","192.168.1.5","test-host","http://www.google.eu/",CommonSecurityLog
 "test-tenant-id","12/9/2024, 10:02:57.662 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:56;logver=700140601;vd=root;eventtime=1733738576673815547;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.65.227","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog
 "test-tenant-id","12/9/2024, 9:54:58.821 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0318012801,"webfilter utm passthrough",6,"start=Dec 09 2024 10:54:57;logver=700140601;vd=root;eventtime=1733738097548935397;tz=""+0100"";logid=0318012801;subtype=webfilter;eventtype=ftgd_err;deviceSeverity=warning;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"172.217.168.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog
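Review bot: The single row added on the new side has DeviceEventClassID `0316013056` and Activity `webfilter utm passthrough`, but its own AdditionalExtensions say `logid=0315012545;subtype=webfilter;eventtype=urlfilter`; elsewhere in this file `0316013056` always pairs with `webfilter utm blocked`/LogSeverity 6 and `0315012545` with `webfilter utm passthrough`/LogSeverity 4, so the header columns and the embedded raw data of this fixture row describe two different events. A parser test that derives the outcome from one of those fields and checks it against the other will pass or fail for the wrong reason. Either change the first column to `0315012545` (and LogSeverity to `4`, matching the other urlfilter row in this file) or change the embedded `logid=` to agree with `0316013056`. The file's later rows are outside this hunk.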
@@ -19,3 +10,5 @@ TenantId,"TimeGenerated [UTC]",DeviceVendor,DeviceProduct,DeviceVersion,DeviceEv
 "test-tenant-id","12/9/2024, 10:02:52.496 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:48;logver=700140601;vd=root;eventtime=1733738570438330090;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","apple.com",80,"184.28.84.242","test-host","URL belongs to an allowed category in policy","192.168.50.2","test-host","http://apple.com/",CommonSecurityLog
 "test-tenant-id","12/9/2024, 9:57:56.865 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0315012545,"webfilter utm passthrough",4,"start=Dec 09 2024 10:57:51;logver=700140601;vd=root;eventtime=1733738273866871021;tz=""+0100"";logid=0315012545;subtype=webfilter;eventtype=urlfilter;deviceSeverity=information;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","captive.apple.com",80,"184.28.84.242","test-host","URL belongs to an allowed category in policy","192.168.7.2","test-host","http://captive.apple.com/",CommonSecurityLog
 "test-tenant-id","12/9/2024, 10:02:06.245 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:04;logver=700150632;vd=root;eventtime=1733738525613152583;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (Windows NT 10.0 Win64 x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","edge-http.microsoft.com",80,"13.107.6.158","test-host","URL belongs to an allowed category in policy","192.168.70.8","test-host","http://edge-http.microsoft.com/captiveportal/generate_204",CommonSecurityLog
+"test-tenant-id","12/9/2024, 10:02:58.897 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:52;logver=700140601;vd=root;eventtime=1733738577040919079;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.187.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog
+"test-tenant-id","12/9/2024, 9:54:59.935 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 10:54:58;logver=700140601;vd=root;eventtime=1733738099387945126;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.eu",80,"142.250.200.3","test-host","URL belongs to an allowed category in policy","192.168.1.5","test-host","http://www.google.eu/",CommonSecurityLog
From 23b3cca35d81b000b1818a2ea327010fb2cf11c4 Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Tue, 10 Dec 2024 11:01:16 +0200
Subject: [PATCH 27/31] Update Fortinet_Fortigate_WebSession_IngestedLogs.csv
---
 Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
index c0a1bada489..cc5f141b814 100644
--- a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
+++ b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
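Review bot: The second added row (`12/9/2024, 9:54:59.935 AM`, `eventtime=1733738099387945126`, `www.google.eu`, source `192.168.1.5`) is byte-for-byte identical to a context row kept by the previous hunk of this same commit (the one directly after the `accounts.google.com` row), so the fixture now holds an exact duplicate event. A duplicated fixture row inflates row counts in any expected-output comparison and masks the case where the parser itself emits duplicates; unless the duplication is deliberate, drop this row or give it a distinct `eventtime`, `TimeGenerated` and SourceIP. The first added row (`connectivitycheck.gstatic.com`, `142.250.187.195`, `eventtime=1733738577040919079`) looks like a genuine new sample and is fine.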
@@ -12,3 +12,4 @@ TenantId,"TimeGenerated [UTC]",DeviceVendor,DeviceProduct,DeviceVersion,DeviceEv
 "test-tenant-id","12/9/2024, 10:02:06.245 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:04;logver=700150632;vd=root;eventtime=1733738525613152583;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (Windows NT 10.0 Win64 x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","edge-http.microsoft.com",80,"13.107.6.158","test-host","URL belongs to an allowed category in policy","192.168.70.8","test-host","http://edge-http.microsoft.com/captiveportal/generate_204",CommonSecurityLog
 "test-tenant-id","12/9/2024, 10:02:58.897 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:52;logver=700140601;vd=root;eventtime=1733738577040919079;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.187.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog
 "test-tenant-id","12/9/2024, 9:54:59.935 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 10:54:58;logver=700140601;vd=root;eventtime=1733738099387945126;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.eu",80,"142.250.200.3","test-host","URL belongs to an allowed category in policy","192.168.1.5","test-host","http://www.google.eu/",CommonSecurityLog
+"test-tenant-id","12/9/2024, 9:54:59.935 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 10:54:58;logver=700140601;vd=root;eventtime=1733738099387945126;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.eu",80,"142.250.200.3","test-host","URL belongs to an allowed category in policy","192.168.1.8","test-host","http://www.google.eu/",CommonSecurityLog
From 53de3f27ea653fd7de570ace5d83298bc39a2684 Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Tue, 10 Dec 2024 12:16:52 +0200
Subject: [PATCH 28/31] Update Fortinet_Fortigate_WebSession_IngestedLogs.csv
---
 ...inet_Fortigate_WebSession_IngestedLogs.csv | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
index cc5f141b814..d3ddf7bc034 100644
--- a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
+++ b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
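Review bot: The added row is the first in this file whose User-Agent keeps its `;` and `,` characters (`Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ...`) inside the `;`-delimited AdditionalExtensions string; every other sample has them stripped. That makes it a valuable edge case, since any key=value split on `;` or a User-Agent capture that stops at the first `;` will truncate this value to `Mozilla/5.0 (Windows NT 10.0`, but it only tests anything if the expected-output fixture for this sample pins the full User-Agent string — please confirm it does, and consider a short comment in the commit description saying the row is there for that purpose. The row also reuses `TimeGenerated` and `eventtime=1733738099387945126` from the context row immediately above it, so the two are distinguishable only by SourceIP `192.168.1.8` and the User-Agent.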
@@ -1,15 +1,15 @@ -TenantId,"TimeGenerated [UTC]",DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,DeviceExternalID,DeviceInboundInterface,DeviceOutboundInterface,DestinationHostName,DestinationPort,DestinationIP,DeviceName,Message,SourceIP,Computer,RequestURL,Type -"test-tenant-id","12/2/2024, 5:35:25.263 PM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm passthrough",5,"start=Dec 02 2024 18:35:21;logver=700140601;vd=root;eventtime=1733160922753130687;tz=""+0100"";logid=0315012545;subtype=webfilter;eventtype=urlfilter;deviceSeverity=information;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=CONNECT|User-Agent=Mozilla/5.0 (Linux Android 10 K) AppleWebKit/537.36 (KHTML like Gecko) Chrome/115.0.0.0 Mobile Safari/537.36",passthrough,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","accounts.google.com",443,"146.59.231.198","test-host","URL was exempted because it is in the URL filter list","192.168.1.2","test-host","https://accounts.google.com/",CommonSecurityLog -"test-tenant-id","12/9/2024, 9:54:59.935 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 10:54:58;logver=700140601;vd=root;eventtime=1733738099387945126;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United 
States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.eu",80,"142.250.200.3","test-host","URL belongs to an allowed category in policy","192.168.1.5","test-host","http://www.google.eu/",CommonSecurityLog -"test-tenant-id","12/9/2024, 10:02:57.662 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:56;logver=700140601;vd=root;eventtime=1733738576673815547;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.65.227","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog -"test-tenant-id","12/9/2024, 9:54:58.821 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0318012801,"webfilter utm passthrough",6,"start=Dec 09 2024 
10:54:57;logver=700140601;vd=root;eventtime=1733738097548935397;tz=""+0100"";logid=0318012801;subtype=webfilter;eventtype=ftgd_err;deviceSeverity=warning;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"172.217.168.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog -"test-tenant-id","12/9/2024, 10:02:20.139 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:18;logver=700140601;vd=root;eventtime=1733738539033428721;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=HEAD|User-Agent=Mozilla/5.0 (X11 Linux aarch64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/90.0.4430.225 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.187.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog -"test-tenant-id","12/9/2024, 10:02:01.276 
AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:01:58;logver=700140601;vd=root;eventtime=1733738518753360834;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","gstatic.com",80,"172.217.17.67","test-host","URL belongs to an allowed category in policy","192.168.2.10","test-host","http://gstatic.com/",CommonSecurityLog -"test-tenant-id","12/9/2024, 10:02:58.897 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:52;logver=700140601;vd=root;eventtime=1733738577040919079;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.187.195","test-host","URL belongs to an allowed category in 
policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog -"test-tenant-id","12/9/2024, 10:02:59.044 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 20:02:54;logver=700140601;vd=root;eventtime=1733738576522657421;tz=""+1000"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.66.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog -"test-tenant-id","12/9/2024, 10:02:52.496 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:48;logver=700140601;vd=root;eventtime=1733738570438330090;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 
Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","apple.com",80,"184.28.84.242","test-host","URL belongs to an allowed category in policy","192.168.50.2","test-host","http://apple.com/",CommonSecurityLog -"test-tenant-id","12/9/2024, 9:57:56.865 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0315012545,"webfilter utm passthrough",4,"start=Dec 09 2024 10:57:51;logver=700140601;vd=root;eventtime=1733738273866871021;tz=""+0100"";logid=0315012545;subtype=webfilter;eventtype=urlfilter;deviceSeverity=information;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","captive.apple.com",80,"184.28.84.242","test-host","URL belongs to an allowed category in policy","192.168.7.2","test-host","http://captive.apple.com/",CommonSecurityLog -"test-tenant-id","12/9/2024, 10:02:06.245 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:04;logver=700150632;vd=root;eventtime=1733738525613152583;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (Windows NT 10.0 Win64 x64) AppleWebKit/537.36 (KHTML like 
Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","edge-http.microsoft.com",80,"13.107.6.158","test-host","URL belongs to an allowed category in policy","192.168.70.8","test-host","http://edge-http.microsoft.com/captiveportal/generate_204",CommonSecurityLog -"test-tenant-id","12/9/2024, 10:02:58.897 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:52;logver=700140601;vd=root;eventtime=1733738577040919079;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.187.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog -"test-tenant-id","12/9/2024, 9:54:59.935 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 10:54:58;logver=700140601;vd=root;eventtime=1733738099387945126;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United 
States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.eu",80,"142.250.200.3","test-host","URL belongs to an allowed category in policy","192.168.1.5","test-host","http://www.google.eu/",CommonSecurityLog -"test-tenant-id","12/9/2024, 9:54:59.935 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 10:54:58;logver=700140601;vd=root;eventtime=1733738099387945126;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",passthrough,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.eu",80,"142.250.200.3","test-host","URL belongs to an allowed category in policy","192.168.1.8","test-host","http://www.google.eu/",CommonSecurityLog +TenantId,"TimeGenerated [UTC]",DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,AdditionalExtensions,DeviceAction,Protocol,ApplicationProtocol,DeviceExternalID,DeviceInboundInterface,DeviceOutboundInterface,DestinationHostName,DestinationPort,DestinationIP,DeviceName,Message,SourceIP,Computer,RequestURL,Type +"test-tenant-id","12/2/2024, 5:35:25.263 PM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm 
passthrough",5,"start=Dec 02 2024 18:35:21;logver=700140601;vd=root;eventtime=1733160922753130687;tz=""+0100"";logid=0315012545;subtype=webfilter;eventtype=urlfilter;deviceSeverity=information;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=CONNECT|User-Agent=Mozilla/5.0 (Linux Android 10 K) AppleWebKit/537.36 (KHTML like Gecko) Chrome/115.0.0.0 Mobile Safari/537.36",passthrough,6,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","accounts.google.com",443,"146.59.231.198","test-host","URL was exempted because it is in the URL filter list","192.168.1.2","test-host","https://accounts.google.com/",CommonSecurityLog +"test-tenant-id","12/9/2024, 9:54:59.935 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 10:54:58;logver=700140601;vd=root;eventtime=1733738099387945126;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.eu",80,"142.250.200.3","test-host","URL belongs to an allowed category in policy","192.168.1.5","test-host","http://www.google.eu/",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:57.662 
AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:56;logver=700140601;vd=root;eventtime=1733738576673815547;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.65.227","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 9:54:58.821 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0318012801,"webfilter utm passthrough",6,"start=Dec 09 2024 10:54:57;logver=700140601;vd=root;eventtime=1733738097548935397;tz=""+0100"";logid=0318012801;subtype=webfilter;eventtype=ftgd_err;deviceSeverity=warning;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"172.217.168.195","test-host","URL belongs to an allowed category in 
policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:20.139 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:18;logver=700140601;vd=root;eventtime=1733738539033428721;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=HEAD|User-Agent=Mozilla/5.0 (X11 Linux aarch64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/90.0.4430.225 Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.187.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:01.276 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:01:58;logver=700140601;vd=root;eventtime=1733738518753360834;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 
Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","gstatic.com",80,"172.217.17.67","test-host","URL belongs to an allowed category in policy","192.168.2.10","test-host","http://gstatic.com/",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:58.897 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:52;logver=700140601;vd=root;eventtime=1733738577040919079;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.187.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:59.044 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 20:02:54;logver=700140601;vd=root;eventtime=1733738576522657421;tz=""+1000"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux 
x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.66.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:52.496 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:48;logver=700140601;vd=root;eventtime=1733738570438330090;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","apple.com",80,"184.28.84.242","test-host","URL belongs to an allowed category in policy","192.168.50.2","test-host","http://apple.com/",CommonSecurityLog +"test-tenant-id","12/9/2024, 9:57:56.865 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0315012545,"webfilter utm passthrough",4,"start=Dec 09 2024 10:57:51;logver=700140601;vd=root;eventtime=1733738273866871021;tz=""+0100"";logid=0315012545;subtype=webfilter;eventtype=urlfilter;deviceSeverity=information;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United 
States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","captive.apple.com",80,"184.28.84.242","test-host","URL belongs to an allowed category in policy","192.168.7.2","test-host","http://captive.apple.com/",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:06.245 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:04;logver=700150632;vd=root;eventtime=1733738525613152583;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (Windows NT 10.0 Win64 x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","edge-http.microsoft.com",80,"13.107.6.158","test-host","URL belongs to an allowed category in policy","192.168.70.8","test-host","http://edge-http.microsoft.com/captiveportal/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:58.897 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 
11:02:52;logver=700140601;vd=root;eventtime=1733738577040919079;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.187.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 9:54:59.935 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 10:54:58;logver=700140601;vd=root;eventtime=1733738099387945126;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.eu",80,"142.250.200.3","test-host","URL belongs to an allowed category in policy","192.168.1.5","test-host","http://www.google.eu/",CommonSecurityLog +"test-tenant-id","12/9/2024, 9:54:59.935 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 
(GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 10:54:58;logver=700140601;vd=root;eventtime=1733738099387945126;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.eu",80,"142.250.200.3","test-host","URL belongs to an allowed category in policy","192.168.1.8","test-host","http://www.google.eu/",CommonSecurityLog From dd6cd9b57d6bb01fe404b8e3f488da14988b8ebe Mon Sep 17 00:00:00 2001 From: t-pol <24976309+t-pol@users.noreply.github.com> Date: Wed, 11 Dec 2024 13:00:43 +0200 Subject: [PATCH 29/31] Removing EventResultsDetails and HttpStatusCode. --- .../Parsers/ASimWebSessionFortinetFortiGate.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml index 15c471e5c8b..c02bae1c304 100644 --- a/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml +++ b/Parsers/ASimWebSession/Parsers/ASimWebSessionFortinetFortiGate.yaml 
@@ -52,10 +52,9 @@ ParserQuery: |
 | where DeviceVendor == "Fortinet" and DeviceProduct startswith "Fortigate" and Activity has_all ('webfilter', 'utm')
- | extend
- EventResultDetails = "NA"
+ //| extend EventResultDetails = "NA" // HTTP response codes are not included in Fortigate logs.
 | lookup EventLookup on DeviceAction
- | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName, ApplicationProtocol
+ | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName, ApplicationProtocol
 | project-rename Url = RequestURL , UrlCategory = RequestContext
@@ -121,8 +120,8 @@ ParserQuery: |
 temp_HttpUserAgent = extract(@"rawdata=.*?User-Agent=(.*?)(?:\||\;|$)", 1, AdditionalExtensions)
 | extend
 HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),
- HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent),
- HttpStatusCode = EventResultDetails
+ HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)
+ //HttpStatusCode = EventResultDetails // HTTP response codes are not included in Fortigate logs.
 | project-away temp_*
 | extend EventCount = int(1)
From 0505918792c1411142b9fc47b7d9d542fe7a44d3 Mon Sep 17 00:00:00 2001
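Review bot: The added lines `//| extend EventResultDetails = "NA" // HTTP response codes are not included in Fortigate logs.` and, in the second hunk, `//HttpStatusCode = EventResultDetails // ...` leave dead code behind as comments; a plain explanatory comment such as `// EventResultDetails and HttpStatusCode are not populated: FortiGate webfilter logs carry no HTTP response code` says the same without stale statements to maintain. The context line `temp_HttpUserAgent = extract(@"rawdata=.*?User-Agent=(.*?)(?:\||\;|$)", 1, AdditionalExtensions)` that the new `HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)` depends on also stops at the first `;`, so an agent string like `Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...` (present in the sample CSV later in this series) is cut to `Mozilla/5.0 (Windows NT 10.0`, which undermines `httpuseragent_has_any` filtering and any user-agent based detection built on this parser. In the visible samples `rawdata` is always the last extension, so terminating the capture on `\|` or end of string only would avoid the truncation, provided that ordering holds for all FortiGate log types; the vim parser's `@@ -181,8 +174,7 @@` hunk carries the same pattern. Both `ParserQuery` bodies continue outside the hunks.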
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Wed, 11 Dec 2024 13:10:39 +0200
Subject: [PATCH 30/31] Removing EventResultDetails and HttpStatusCode vim

---
 .../Parsers/vimWebSessionFortinetFortiGate.yaml | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml b/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
index 176862c4605..905718b0f7b 100644
--- a/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
+++ b/Parsers/ASimWebSession/Parsers/vimWebSessionFortinetFortiGate.yaml
@@ -43,9 +43,6 @@ ParserParams:
 - Name: httpuseragent_has_any
 Type: dynamic
 Default: dynamic([])
- - Name: eventresultdetails_in
- Type: dynamic
- Default: dynamic([])
 - Name: eventresult
 Type: string
 Default: '*'
@@ -60,7 +57,6 @@ ParserQuery: |
 ipaddr_has_any_prefix:dynamic = dynamic([]),
 url_has_any:dynamic = dynamic([]),
 httpuseragent_has_any:dynamic = dynamic([]),
- eventresultdetails_in:dynamic = dynamic([]),
 eventresult:string = '*',
 disabled:bool = false
 ){
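Review bot: Dropping `eventresultdetails_in:dynamic = dynamic([]),` from the `parser` signature in the second hunk changes the calling contract, not just an unused filter: the unifying ASim `_Im_WebSession` parser invokes each source parser with the full standard parameter set, and if it still passes `eventresultdetails_in=...` this parser will fail to resolve for every caller. Keeping the parameter as accepted-but-ignored, with a comment such as `// accepted for interface compatibility; FortiGate webfilter logs carry no HTTP status code`, preserves compatibility, and the same applies to the `ParserParams` entry removed in the first hunk and to the `parser(...)` call in `@@ -214,4 +206,4 @@`. Whether the unifying parser actually passes this argument cannot be confirmed from this patch, so it should be checked before merging. The `parser` function body continues outside the hunk.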
@@ -110,12 +106,9 @@ ParserQuery: |
 "No match")
 | where ASimMatchingIpAddr != "No match"
 | project-away temp_*
- | extend
- EventResultDetails = "NA"
- | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) has_any(eventresultdetails_in))
 | lookup EventLookup on DeviceAction
 | where (eventresult == '*' or EventResult =~ eventresult)
- | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName, ASimMatchingIpAddr, ApplicationProtocol
+ | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName, ASimMatchingIpAddr, ApplicationProtocol
 | project-rename Url = RequestURL , UrlCategory = RequestContext
@@ -181,8 +174,7 @@ ParserQuery: |
 temp_HttpUserAgent = extract(@"rawdata=.*?User-Agent=(.*?)(?:\||\;|$)", 1, AdditionalExtensions)
 | extend
 HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),
- HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent),
- HttpStatusCode = EventResultDetails
+ HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)
 | project-away temp_*
 | where (array_length(httpuseragent_has_any) == 0 or HttpUserAgent has_any(httpuseragent_has_any))
 | extend
@@ -214,4 +206,4 @@ ParserQuery: |
 Rule = tostring(RuleNumber)
 | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber
 };
- parser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)
+ parser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresult=eventresult, disabled=disabled)
From 110ff7fff8e9a995707093d1fc9f9f86773d7d7a Mon Sep 17 00:00:00 2001
From: t-pol <24976309+t-pol@users.noreply.github.com>
Date: Fri, 17 Jan 2025 15:45:30 +0200
Subject: [PATCH 31/31] Update Fortinet_Fortigate_WebSession_IngestedLogs.csv

---
 ...ortinet_Fortigate_WebSession_IngestedLogs.csv | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
index d3ddf7bc034..18792bdb5f3 100644
--- a/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
+++ b/Sample Data/ASIM/Fortinet_Fortigate_WebSession_IngestedLogs.csv
@@ -2,6 +2,9 @@ TenantId,"TimeGenerated [UTC]",DeviceVendor,DeviceProduct,DeviceVersion,DeviceEv "test-tenant-id","12/2/2024, 5:35:25.263 PM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm passthrough",5,"start=Dec 02 2024 18:35:21;logver=700140601;vd=root;eventtime=1733160922753130687;tz=""+0100"";logid=0315012545;subtype=webfilter;eventtype=urlfilter;deviceSeverity=information;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=CONNECT|User-Agent=Mozilla/5.0 (Linux Android 10 K) AppleWebKit/537.36 (KHTML like Gecko) Chrome/115.0.0.0 Mobile Safari/537.36",passthrough,6,HTTPS,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","accounts.google.com",443,"146.59.231.198","test-host","URL was exempted because it is in the URL filter list","192.168.1.2","test-host","https://accounts.google.com/",CommonSecurityLog "test-tenant-id","12/9/2024, 9:54:59.935 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 10:54:58;logver=700140601;vd=root;eventtime=1733738099387945126;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 
Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.eu",80,"142.250.200.3","test-host","URL belongs to an allowed category in policy","192.168.1.5","test-host","http://www.google.eu/",CommonSecurityLog "test-tenant-id","12/9/2024, 10:02:57.662 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:56;logver=700140601;vd=root;eventtime=1733738576673815547;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.65.227","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:57.662 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:56;logver=700140601;vd=root;eventtime=1733738576673815547;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux 
x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.65.227","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 10:02:57.662 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:56;logver=700140601;vd=root;eventtime=1733738576673815547;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.65.227","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog +"test-tenant-id","12/9/2024, 9:54:58.821 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0318012801,"webfilter utm passthrough",6,"start=Dec 09 2024 10:54:57;logver=700140601;vd=root;eventtime=1733738097548935397;tz=""+0100"";logid=0318012801;subtype=webfilter;eventtype=ftgd_err;deviceSeverity=warning;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United 
States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"172.217.168.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog "test-tenant-id","12/9/2024, 9:54:58.821 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0318012801,"webfilter utm passthrough",6,"start=Dec 09 2024 10:54:57;logver=700140601;vd=root;eventtime=1733738097548935397;tz=""+0100"";logid=0318012801;subtype=webfilter;eventtype=ftgd_err;deviceSeverity=warning;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"172.217.168.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog "test-tenant-id","12/9/2024, 10:02:20.139 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 
11:02:18;logver=700140601;vd=root;eventtime=1733738539033428721;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=HEAD|User-Agent=Mozilla/5.0 (X11 Linux aarch64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/90.0.4430.225 Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.187.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog "test-tenant-id","12/9/2024, 10:02:01.276 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:01:58;logver=700140601;vd=root;eventtime=1733738518753360834;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","gstatic.com",80,"172.217.17.67","test-host","URL belongs to an allowed category in policy","192.168.2.10","test-host","http://gstatic.com/",CommonSecurityLog 
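Review bot: The three rows added in this hunk are exact copies of rows already present (the two `12/9/2024, 10:02:57.662 AM` rows repeat the context row just above them and the `12/9/2024, 9:54:58.821 AM` row repeats the context row just below it), so they add no parser coverage and only inflate the fixture and its expected output. Rows whose `rawdata` actually varies would be more useful here, for example user agents containing `;` or a `rawdata` with no `User-Agent=` part, since those are the cases the `extract()` patterns in the parsers have to handle.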
@@ -13,3 +16,16 @@ TenantId,"TimeGenerated [UTC]",DeviceVendor,DeviceProduct,DeviceVersion,DeviceEv "test-tenant-id","12/9/2024, 10:02:58.897 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 11:02:52;logver=700140601;vd=root;eventtime=1733738577040919079;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","connectivitycheck.gstatic.com",80,"142.250.187.195","test-host","URL belongs to an allowed category in policy","192.168.1.2","test-host","http://connectivitycheck.gstatic.com/generate_204",CommonSecurityLog "test-tenant-id","12/9/2024, 9:54:59.935 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 10:54:58;logver=700140601;vd=root;eventtime=1733738099387945126;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 
Safari/537.36",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.eu",80,"142.250.200.3","test-host","URL belongs to an allowed category in policy","192.168.1.5","test-host","http://www.google.eu/",CommonSecurityLog "test-tenant-id","12/9/2024, 9:54:59.935 AM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0317013312,"webfilter utm passthrough",5,"start=Dec 09 2024 10:54:58;logver=700140601;vd=root;eventtime=1733738099387945126;tz=""+0100"";logid=0317013312;subtype=webfilter;eventtype=ftgd_allow;deviceSeverity=notice;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;rawdata=Method=GET|User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246",passthrough,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","www.google.eu",80,"142.250.200.3","test-host","URL belongs to an allowed category in policy","192.168.1.8","test-host","http://www.google.eu/",CommonSecurityLog + +"test-tenant-id","1/17/2025, 12:42:44.113 PM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,"start=Jan 17 2025 13:42:39;logver=700140601;vd=root;eventtime=1737117762101183062;tz=""+0100"";logid=0316013056;subtype=webfilter;eventtype=ftgd_blk;deviceSeverity=warning;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=Ireland;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;method=domain;rawdata=Method=GET|User-Agent=Dalvik/2.1.0 (Linux U Android 11 SM-G398FN 
Build/RP1A.200720.012)",blocked,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","vas.samsungapps.com",80,"54.171.6.170","test-host","URL belongs to a denied category in policy","192.168.1.123","test-host","http://vas.samsungapps.com/stub/stubUpdateCheck.as?appId=com.samsung.android.timezone.data_R&callerId=com.samsung.android.timezone.updater",CommonSecurityLog +"test-tenant-id","1/17/2025, 12:44:04.992 PM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,"start=Jan 17 2025 13:44:02;logver=700140601;vd=root;eventtime=1737117843843068354;tz=""+0100"";logid=0316013056;subtype=webfilter;eventtype=ftgd_blk;deviceSeverity=warning;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;method=domain;rawdata=Method=GET|User-Agent=User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",blocked,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","members.dyndns.org",80,"147.154.111.115","test-host-1","URL belongs to a denied category in policy","192.168.10.3","test-host-1","http://members.dyndns.org/nic/update?",CommonSecurityLog +"test-tenant-id","1/17/2025, 12:43:17.795 PM",Fortinet,"FortiGate-101E","7.0.14,build0601 (GA)",0316013056,"webfilter utm blocked",6,"start=Jan 17 2025 
13:43:13;logver=700140601;vd=root;eventtime=1737117793266256995;tz=""+0100"";logid=0316013056;subtype=webfilter;eventtype=ftgd_blk;deviceSeverity=warning;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=Italy;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;method=domain;rawdata=Method=GET|User-Agent=Dalvik/2.1.0 (Linux U Android 10 Infinix X657C Build/QP1A.190711.020)",blocked,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","cdn2.palmplaystore.com",80,"108.156.2.5","test-host","URL belongs to a denied category in policy","192.168.10.2","test-host","http://cdn2.palmplaystore.com/static/",CommonSecurityLog +"test-tenant-id","1/17/2025, 12:43:13.541 PM",Fortinet,"FortiGate-101F","7.0.14,build0601 (GA)",0315012544,"webfilter utm blocked",6,"start=Jan 17 2025 13:43:11;logver=700140601;vd=root;eventtime=1737117791693404190;tz=""+0100"";logid=0315012544;subtype=webfilter;eventtype=urlfilter;deviceSeverity=warning;urlfilteridx=1;urlfilterlist=filterlist;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;urlsource=Local URLfilter Block;crscore=30;craction=8;crlevel=high;rawdata=Method=GET",blocked,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","apresolve.spotify.com",80,"35.186.224.24","test-host-0","URL was blocked because it is in the URL filter list","192.168.10.10","test-host-0","http://apresolve.spotify.com/",CommonSecurityLog +"test-tenant-id","1/17/2025, 12:41:00.517 PM",Fortinet,"FortiGate-101F","7.0.14,build0601 (GA)",0315012544,"webfilter utm 
blocked",6,"start=Jan 17 2025 13:40:58;logver=700140601;vd=root;eventtime=1737117659303179290;tz=""+0100"";logid=0315012544;subtype=webfilter;eventtype=urlfilter;deviceSeverity=warning;urlfilteridx=1;urlfilterlist=filterlist;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;urlsource=Local URLfilter Block;crscore=30;craction=8;crlevel=high;rawdata=Method=GET",blocked,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","apresolve.spotify.com",80,"35.186.224.24","test-host","URL was blocked because it is in the URL filter list","192.168.11.2","test-host","http://apresolve.spotify.com/",CommonSecurityLog +"test-tenant-id","1/17/2025, 12:41:00.517 PM",Fortinet,"FortiGate-101F","7.0.14,build0601 (GA)",0315012544,"webfilter utm blocked",6,"start=Jan 17 2025 13:40:58;logver=700140601;vd=root;eventtime=1737117659303179290;tz=""+0100"";logid=0315012544;subtype=webfilter;eventtype=urlfilter;deviceSeverity=warning;urlfilteridx=1;urlfilterlist=filterlist;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;urlsource=Local URLfilter Block;crscore=30;craction=8;crlevel=high;rawdata=Method=GET",blocked,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","apresolve.spotify.com",80,"35.186.224.24","test-host","URL was blocked because it is in the URL filter list","192.168.11.2","test-host","http://apresolve.spotify.com/",CommonSecurityLog +"test-tenant-id","1/17/2025, 12:41:00.517 
PM",Fortinet,"FortiGate-101F","7.0.14,build0601 (GA)",0315012544,"webfilter utm blocked",6,"start=Jan 17 2025 13:40:58;logver=700140601;vd=root;eventtime=1737117659303179290;tz=""+0100"";logid=0315012544;subtype=webfilter;eventtype=urlfilter;deviceSeverity=warning;urlfilteridx=1;urlfilterlist=filterlist;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;urlsource=Local URLfilter Block;crscore=30;craction=8;crlevel=high;rawdata=Method=GET",blocked,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","apresolve.spotify.com",80,"35.186.224.24","test-host","URL was blocked because it is in the URL filter list","192.168.11.2","test-host","http://apresolve.spotify.com/",CommonSecurityLog +"test-tenant-id","1/17/2025, 12:41:00.517 PM",Fortinet,"FortiGate-101F","7.0.14,build0601 (GA)",0315012544,"webfilter utm blocked",6,"start=Jan 17 2025 13:40:58;logver=700140601;vd=root;eventtime=1737117659303179290;tz=""+0100"";logid=0315012544;subtype=webfilter;eventtype=urlfilter;deviceSeverity=warning;urlfilteridx=1;urlfilterlist=filterlist;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;urlsource=Local URLfilter Block;crscore=30;craction=8;crlevel=high;rawdata=Method=GET",blocked,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","apresolve.spotify.com",80,"35.186.224.24","test-host","URL was blocked because it is in the URL filter list","192.168.11.2","test-host","http://apresolve.spotify.com/",CommonSecurityLog 
+"test-tenant-id","1/17/2025, 12:44:45.476 PM",Fortinet,"FortiGate-101F","7.0.14,build0601 (GA)",0315012544,"webfilter utm blocked",6,"start=Jan 17 2025 13:44:42;logver=700140601;vd=root;eventtime=1737117883815016430;tz=""+0100"";logid=0315012544;subtype=webfilter;eventtype=urlfilter;deviceSeverity=warning;urlfilteridx=1;urlfilterlist=filterlist;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;urlsource=Local URLfilter Block;crscore=30;craction=8;crlevel=high;rawdata=Method=GET",blocked,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","spotify.com",80,"35.186.224.24",test-host,"URL was blocked because it is in the URL filter list","192.168.1.125","test-host","http://spotify.com/",CommonSecurityLog +"test-tenant-id","1/17/2025, 12:44:03.717 PM",Fortinet,"FortiGate-101F","7.0.14,build0601 (GA)",0315012544,"webfilter utm blocked",6,"start=Jan 17 2025 13:44:01;logver=700140601;vd=root;eventtime=1737117842461868550;tz=""+0100"";logid=0315012544;subtype=webfilter;eventtype=urlfilter;deviceSeverity=warning;urlfilteridx=1;urlfilterlist=filterlist;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=United States;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;urlsource=Local URLfilter Block;crscore=30;craction=8;crlevel=high;rawdata=Method=GET",blocked,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","apresolve.spotify.com",80,"35.186.224.24","test-host","URL was blocked because it is in the URL filter 
list","192.168.2.126","test-host","http://apresolve.spotify.com/",CommonSecurityLog +"test-tenant-id","1/17/2025, 12:45:34.181 PM",Fortinet,"FortiGate-101E","7.0.15,build0632 (GA)",0315012544,"webfilter utm blocked",6,"start=Jan 17 2025 13:45:32;logver=700150632;vd=root;eventtime=1737117933643454960;tz=""+0100"";logid=0315012544;subtype=webfilter;eventtype=urlfilter;deviceSeverity=warning;urlfilteridx=1;urlfilterlist=filterlist;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=Germany;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;urlsource=Local URLfilter Block;crscore=30;craction=8;crlevel=high;rawdata=Method=POST|Request-Content-Type=application/x-www-form-urlencoded|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",blocked,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","global.quickconnect.to",80,"3.79.215.191","test-host-2","URL was blocked because it is in the URL filter list","192.168.70.123","test-host-2","http://global.quickconnect.to/Serv.php",CommonSecurityLog +"test-tenant-id","1/17/2025, 12:45:34.181 PM",Fortinet,"FortiGate-101E","7.0.15,build0632 (GA)",0315012544,"webfilter utm blocked",6,"start=Jan 17 2025 13:45:32;logver=700150632;vd=root;eventtime=1737117933643454960;tz=""+0100"";logid=0315012544;subtype=webfilter;eventtype=urlfilter;deviceSeverity=warning;urlfilteridx=1;urlfilterlist=filterlist;policyid=000;poluuid=00000000-0000-0000-0000-000000000000;policytype=policy;externalID=000000000;srccountry=Reserved;srcintfrole=lan;srcuuid=00000000-0000-0000-0000-000000000000;dstcountry=Germany;dstintfrole=wan;dstuuid=00000000-0000-0000-0000-000000000000;profile=Webfilter;reqtype=direct;direction=outgoing;urlsource=Local URLfilter 
Block;crscore=30;craction=8;crlevel=high;rawdata=Method=POST|Request-Content-Type=application/x-www-form-urlencoded|User-Agent=Mozilla/5.0 (X11 Linux x86_64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/60.0.3112.32 Safari/537.36",blocked,6,HTTP,"test-fortigate-device","test-inbound-vlan","test-outbound-vlan","global.quickconnect.to",80,"3.79.215.191","test-host-2","URL was blocked because it is in the URL filter list","192.168.70.123","test-host-2","http://global.quickconnect.to/Serv.php",CommonSecurityLog
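Review bot: An empty added line (a bare `+`) sits between the existing `12/9/2024` rows and the new `1/17/2025` rows; a CSV reader will yield an empty record for it, which is likely to break a fixture-driven parser test, so it should be removed. The `1/17/2025, 12:44:04.992 PM` row carries `rawdata=Method=GET|User-Agent=User-Agent=Mozilla/5.0 ...`, a doubled `User-Agent=` prefix that reads as a paste error unless it is meant to probe the extractor, in which case a short remark in the commit message would help. The four identical `12:41:00.517 PM` rows and the two identical `12:45:34.181 PM` rows add no coverage, and `test-host` in the `12:44:45.476 PM` row is the only unquoted hostname value in the file.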