Enhanced FortiGate Wazuh Rule Levels Based on Fortinet Log Severity #2
Open
Adicodin wants to merge 1 commit into alextibor:main from
Summary of Changes:
This pull request updates the 0391-fortigate_rules.xml file by assigning more accurate Wazuh rule levels based on the original Fortinet log severity for each logid. Previously, all rules had the same alert level, i.e., level="4", which did not reflect the true risk profile of Fortinet logs.

Fortinet → Wazuh Severity Mapping:
I reviewed Fortinet's official log reference documentation and mapped their log severities to appropriate Wazuh levels using the following general logic:

I applied this mapping across all rules by looking up each logid in Fortinet's reference and adjusting the <level> tag accordingly with the help of a Python script. I've mapped the Fortinet severities to Wazuh alert levels using a stricter scale to better reflect the risk profile of each log entry. The mapping favors the maximum in each Wazuh range for clear visibility. Where Fortinet severity is not explicitly defined (like debug or unknown types), I defaulted to level 4 for moderate visibility.

Why This Improves the Ruleset:
Provides more accurate alerting in Wazuh based on real-world severity.
Helps prioritize responses to critical Fortinet events.
Reduces alert fatigue by lowering levels for low-risk logs.

References Used:
Fortinet Log Reference Documentation (https://docs.fortinet.com/document/fortigate/7.6.3/fortios-log-message-reference)

Notes:
All changes were made to a single XML file: 0391-fortigate_rules.xml.
XML formatting and syntax have been preserved.
No decoders were modified.
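The rewrite the description outlines (look up each rule's logid, map its Fortinet severity to a Wazuh level, default unknown logids to 4, and patch the level attribute without disturbing the file's layout) as an added illustration; this is not the contributor's script, and the severity-to-level table, the logid lookup and the sample rules are constructed assumptions rather than values from the Fortinet reference or from 0391-fortigate_rules.xml.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Fortinet severity -> Wazuh level table (an assumption, not the
# PR's own mapping). Anything not listed, e.g. debug, falls back to DEFAULT_LEVEL.
SEVERITY_TO_LEVEL = {
    "emergency": 15, "alert": 14, "critical": 12, "error": 10,
    "warning": 7, "notice": 5, "information": 3,
}
DEFAULT_LEVEL = 4

# Constructed logid -> Fortinet severity lookup standing in for values read from
# the Fortinet log reference (assumption, not real documentation data).
LOGID_SEVERITY = {"0000000013": "notice", "0100032001": "critical"}

# Constructed Wazuh rule XML in the style of 0391-fortigate_rules.xml (assumption).
SAMPLE_RULES = """<group name="fortigate,">
  <rule id="81601" level="4">
    <if_sid>81600</if_sid>
    <field name="logid">^0000000013$</field>
    <description>Fortigate: sample traffic event</description>
  </rule>
  <rule id="81602" level="4">
    <if_sid>81600</if_sid>
    <field name="logid">^0100032001$</field>
    <description>Fortigate: sample system event</description>
  </rule>
  <rule id="81603" level="4">
    <if_sid>81600</if_sid>
    <field name="logid">^0999999999$</field>
    <description>Fortigate: logid absent from the reference</description>
  </rule>
</group>
"""

def level_for_logid(logid: str) -> int:
    """Map a logid to a Wazuh level via its Fortinet severity; unknown -> 4."""
    return SEVERITY_TO_LEVEL.get(LOGID_SEVERITY.get(logid, ""), DEFAULT_LEVEL)

def compute_levels(xml_text: str) -> dict:
    """Return {rule id: new level} for every rule that matches on a logid field."""
    # A rules file may contain several <group> elements, so wrap it in one root.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    levels = {}
    for rule in root.iter("rule"):
        for field in rule.findall("field"):
            if field.get("name") == "logid":
                digits = re.sub(r"\D", "", field.text or "")  # strip ^ and $
                levels[rule.get("id")] = level_for_logid(digits)
    return levels

def rewrite_levels(xml_text: str) -> str:
    """Patch level="N" on each <rule ...> line by regex so comments and layout survive."""
    levels = compute_levels(xml_text)
    def repl(m):
        new = levels.get(m.group("id"))
        return m.group(0) if new is None else f'{m.group("pre")}level="{new}"'
    pattern = re.compile(r'(?P<pre><rule\s+id="(?P<id>\d+)"\s+)level="\d+"')
    return pattern.sub(repl, xml_text)
```

Parsing decides the new levels while the regex applies them to the original text, which is how the "formatting preserved" property is kept even though ElementTree would drop comments and whitespace on serialisation.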