- "query": "let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventResultDetails:string)\n[\n \"accept\",\"Allow\",\"Success\",\"\"\n , \"client-rst\",\"Reset Source\",\"Failure\",\"\"\n , \"close\",\"\",\"Success\",\"\"\n , \"deny\",\"Deny\",\"Failure\",\"\"\n , \"ip-conn\",\"\",\"Failure\",\"IP connection error\"\n , \"server-rst\",\"Reset Destination\",\"Failure\",\"\"\n , \"timeout\",\"\",\"Failure\",\"\"\n];\n// -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\nlet SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n[\n \"1\", \"Informational\", // Debug\n \"2\", \"Informational\", // Information\n \"3\", \"Informational\", // Notification\n \"4\", \"Low\", // Warning\n \"5\", \"Low\", // Error\n \"6\", \"High\", // Critical\n \"7\", \"High\", // Alert\n \"8\", \"High\" // Emergency\n];\nlet Parser=(disabled:bool=false){\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Fortinet\" and DeviceProduct startswith \"FortiGate\" and (column_ifexists(\"DeviceEventCategory\",\"\") has \"traffic\" or AdditionalExtensions has \"cat=traffic\")\n | where DeviceAction != \"dns\" and Activity !has \"dns\" \n | parse Activity with \"traffic:forward \" temp_DeviceAction:string \n | extend DeviceAction = coalesce(DeviceAction, temp_DeviceAction) \n | lookup EventLookup on DeviceAction \n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction\n | project-rename DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , Dvc = Computer\n , EventMessage = Activity\n , EventOriginalSeverity 
= LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , DvcId = DeviceExternalID\n , EventUid = _ItemId\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\n | project-rename DvcOriginalAction = DeviceAction\n | parse-kv AdditionalExtensions as (\n // FTNTFGT format for FortiGate logs\n FTNTFGTstart:datetime,\n FTNTFGTsrcintfrole:string,\n FTNTFGTdstintfrole:string,\n FTNTFGTexternalID:string,\n FTNTFGTpolicyid:int,\n FTNTFGTdstcountry:string,\n FTNTFGTsrccountry:string,\n FTNTFGTcrscore:string,\n FTNTFGTduration:int,\n FTNTFGTsentpkt:long,\n FTNTFGTrcvdpkt:long,\n FTNTFGTutmaction:string,\n // Simple format for FortiAnalyzer logs\n start:datetime,\n srcintfrole:string,\n dstintfrole:string,\n externalID:string,\n policyid:int,\n dstcountry:string,\n srccountry:string,\n crscore:string,\n duration:int,\n sentpkt:long,\n rcvdpkt:long,\n utmaction:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | extend\n EventStartTime = coalesce(FTNTFGTstart, start),\n SrcZone = coalesce(FTNTFGTsrcintfrole, srcintfrole),\n DstZone = coalesce(FTNTFGTdstintfrole, dstintfrole),\n NetworkSessionId = coalesce(FTNTFGTexternalID, externalID),\n NetworkRuleNumber = coalesce(FTNTFGTpolicyid, policyid),\n NetworkDuration = coalesce(FTNTFGTduration, duration),\n DstGeoCountry = coalesce(FTNTFGTdstcountry, dstcountry),\n SrcGeoCountry = coalesce(FTNTFGTsrccountry, srccountry),\n ThreatOriginalRiskLevel = coalesce(FTNTFGTcrscore, crscore),\n SrcPackets = coalesce(FTNTFGTsentpkt, sentpkt),\n DstPackets = coalesce(FTNTFGTrcvdpkt, rcvdpkt),\n _UtmAction = coalesce(FTNTFGTutmaction, utmaction)\n | extend \n EventResult = case(\n _UtmAction == \"allow\", \"Success\",\n EventResult\n ),\n EventResultDetails = case(\n _UtmAction == \"allow\" and EventResult == \"Success\", \"\",\n EventResultDetails\n )\n | extend EventCount = 
int(1)\n , EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.3\"\n , EventType = \"NetworkSession\"\n , EventVendor = \"Fortinet\"\n , EventProduct = \"Fortigate\"\n , DvcIdType = \"Other\"\n , NetworkBytes = DstBytes + SrcBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = coalesce(EventStartTime, TimeGenerated)\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n | lookup SeverityLookup on EventOriginalSeverity\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration,\n Rule = tostring(NetworkRuleNumber)\n | project-away FTNTFGT*, start, srcintfrole, dstintfrole, externalID, policyid,\n dstcountry, srccountry, crscore, duration, sentpkt, rcvdpkt, utmaction,\n Protocol, AdditionalExtensions, NetworkProtocolNumber, _UtmAction\n};\nParser (disabled=disabled)",