FortiAnalyzer Logs Not Appearing in Security Onion Alerts – Guidance on Detection Rules

[arefalabsi]

Version

2.4.141

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

500

Storage for /nsm

326

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I am running a standalone on-prem deployment, Version: 2.4.141 installed from the ISO image. It receives logs from the FortiAnalyzer. There was a problem where there were no logs in the Security Onion dashboard. This was due to the following error: Mapping Conflict: The cat field is sent as long but needs to be keyword. The parsing process was completed, and then the logs appeared in the dashboard, as shown in the following image:

The parsing process was completed, and then the logs appeared in the dashboard, as shown in the following image: However, the Alerts tab did not contain anything. We ran a detection roll using the sigma rule as a test, and the alerts appeared, as shown in the following image:

Note: From Kibana, in the Discover tab, we find that there are Fortigate fields in the Available fields, as well as other fields in the empty fields, as shown in the image. Will this affect the detection rules?

Request for Help
Could anyone advise on:

• Is there a way to benefit from built-in detection rules in Security Onion?
• In my case, which is the best rule to use (Sigma, Yara, or Suricata)?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Suricata rules are for network data, Yara rules are for Strelka and file analysis. If you are sending the data through the integration Sigma is what you would use.

You would want to build queries on the fields to create your alert in Sigma rules. Any of the fields that contain data could be used to build your detection.