[Filebeat][Fortinet] Fortinet ingest pipeline should set event.kind: alert

[ijokarumawak]

Describe the enhancement:
Fortinet ingest pipeline should set event.kind: alert if fortinet.firewall.attack field is set.

Describe a specific use case for the enhancement or feature:
Filebeat Paloalt module has its ingest pipeline to set event.kind: alert if ctx?.panw?.panos?.type == "THREAT". So analysts can see such events at SIEM Overview 'External alert trend' graph. But Fortinet module doesn't have such logic and its kind is always event.kind: event. Fortinet module should implement the similar logic.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[legoguy1000]

The current sample logs don't have anything that sets the fortinet.firewall.attack field. Can you post sample data and then it will be easy to make the change and verify its in the right place.

[ijokarumawak]

Hi @legoguy1000 , thanks for looking at this. Unfortunately, I don't have the actual log message at hand right now. I will try to find one. The fortinet.firewall.attack field had value such as "Backdoor.DoublePulsar".

[legoguy1000]

looks like Fortinet provides sample logs for the different types. I'll see if that works. https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/986892/sample-logs-by-log-type

[ijokarumawak]

@legoguy1000 Glad to know that you could find the Fortinet sample logs! Thanks for working on it. For further improvement, let me share a actual log message corrected by fortigate via rsyslog. This message does not have the attack field, but have subtype="virus". I think it can be better if Elastic SIEM treats such logs as external alerts. How do you think?

Mar 30 14:04:59 gateway date=2021-03-30 time=14:04:58 devname="htd-Kfgt1" devid="FGT50EXXXXXXXXXX" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" eventtime=1617080699214283280 tz="+0900" policyid=5 msg="File is infected." action="blocked" service="HTTP" sessionid=20572875 srcip=192.168.XX.XX dstip=150.95.9.43 srcport=54987 dstport=80 srcintf="XXX-XXX" srcintfrole="undefined" dstintf="wan1" dstintfrole="wan" proto=6 direction="incoming" filename="eicar_test_virus.zip" quarskip="File-was-not-quarantined." virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://lhsp.s206.xrea.com/download/eicar_test_virus.zip" profile="default" agent="Chrome/89.0.4389.90" analyticscksum="8a18d44ed122e6257863169d9a219946f4229f57b1d49ca0493b8366338230e8" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

[legoguy1000]

I think that makes sense. I proposed a couple other things to change in the PR. As someone who uses the module, can you take a look at the PR #24816 and see if you have any thoughts or concerns about what i changed/am thinking to change?

[legoguy1000]

@legoguy1000 Glad to know that you could find the Fortinet sample logs! Thanks for working on it. For further improvement, let me share a actual log message corrected by fortigate via rsyslog. This message does not have the attack field, but have subtype="virus". I think it can be better if Elastic SIEM treats such logs as external alerts. How do you think?

Mar 30 14:04:59 gateway date=2021-03-30 time=14:04:58 devname="htd-Kfgt1" devid="FGT50EXXXXXXXXXX" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" eventtime=1617080699214283280 tz="+0900" policyid=5 msg="File is infected." action="blocked" service="HTTP" sessionid=20572875 srcip=192.168.XX.XX dstip=150.95.9.43 srcport=54987 dstport=80 srcintf="XXX-XXX" srcintfrole="undefined" dstintf="wan1" dstintfrole="wan" proto=6 direction="incoming" filename="eicar_test_virus.zip" quarskip="File-was-not-quarantined." virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://lhsp.s206.xrea.com/download/eicar_test_virus.zip" profile="default" agent="Chrome/89.0.4389.90" analyticscksum="8a18d44ed122e6257863169d9a219946f4229f57b1d49ca0493b8366338230e8" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

Change made please see the the PR for the updates.