@ -1,4 +1,4 @@
|
||||
[monitor:///var/rsyslog/*/fortigate/*/*/*.log]
|
||||
disabled = false
|
||||
index = idx_m-tic_fortigate
|
||||
sourcetype = fortigate
|
||||
sourcetype = fortigate_log
|
||||
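Review bot: Changing the monitor stanza's sourcetype from `fortigate` to `fortigate_log` (assuming that is the direction of the change, as the props hunk suggests) only affects events indexed after the restart; everything already in `idx_m-tic_fortigate` keeps `sourcetype=fortigate`, so any macro, props stanza or saved search keyed on the new name silently loses the historical data, and any forwarder still running the old inputs.conf keeps producing events the new name never covers. Either keep a transitional scope such as `sourcetype IN (fortigate, fortigate_log)` in the base search macro, or add a short-lived alert on `index=idx_m-tic_fortigate sourcetype=fortigate` to confirm the old name has drained before anything depends on the rename. If one of the wildcarded directories in `/var/rsyslog/*/fortigate/*/*/*.log` is the sending firewall, also set `host_segment` to that segment so `host` is the firewall rather than the rsyslog relay — I cannot tell from the path alone which segment that is.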
@ -1,5 +1,5 @@
|
||||
[esxi]
|
||||
TRANSFORMS-export2rsyslog = send_to_vmware
|
||||
|
||||
[fortigate]
|
||||
[fortigate_log]
|
||||
TRANSFORMS-fortigate = send_to_forti
|
||||
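Review bot: With the `[fortigate]` stanza replaced by `[fortigate_log]` (presumably the direction of the change), `TRANSFORMS-fortigate = send_to_forti` no longer fires for events still arriving with the old sourcetype from forwarders whose inputs.conf has not been updated, so whatever send_to_forti does for them — the name suggests an output/syslog routing transform, but transforms.conf is not in this diff — silently stops for those hosts. Until every forwarder is on the new input, keep both stanzas pointing at the same transform: `[fortigate]` / `TRANSFORMS-fortigate = send_to_forti`. Note also that `TRANSFORMS-` is applied at parse time, so this change has to land on the indexers or heavy forwarders that parse the data; deploying the app only to the search head changes nothing.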
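--- a/default/app.conf
+++ b/default/app.conf
@@ -0,0 +1,20 @@
+#
+# Splunk app configuration file
+#
+
+[install]
+build = 0001
+is_configured = 0
+
+[ui]
+is_visible = 1
+label = Fortinet FortiGate App for Splunk
+
+[launcher]
+author = jli@fortinet.com
+description = Fortinet FortiGate App provides datacenter threat visualizations to identify anomalous behavior and helps de-duplicate threat feed data to enable the fast creation and consolidation of analytics. The Fortinet FortiGate App properly maps log fields from FortiGate appliances and interchanges into a common format to splunk intelligence framework.
+version = 1.6.3
+
+[package]
+id = SplunkAppForFortinet
+check_for_updates = 1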
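Review bot: `check_for_updates = 1` under `[package]` lets the search head contact Splunkbase to look for newer versions of this app; on a SOC instance with restricted egress that is an outbound connection that should be a deliberate decision, either documented above the key or switched off with `check_for_updates = 0`. The three-line `#` header says nothing about what this file carries or which settings operators are expected to override in `local/`; a one-line note such as `# Packaging/launcher metadata for SplunkAppForFortinet; override in local/app.conf` would save the next maintainer a lookup.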
@ -0,0 +1,872 @@
|
||||
{
|
||||
"modelName": "ftnt_fos",
|
||||
"displayName": "Fortinet FOS Log",
|
||||
"description": "",
|
||||
"objectSummary": {
|
||||
"Event-Based": 18,
|
||||
"Transaction-Based": 0,
|
||||
"Search-Based": 0
|
||||
},
|
||||
"objects": [
|
||||
{
|
||||
"objectName": "log",
|
||||
"displayName": "Firewall Logs",
|
||||
"parentName": "BaseEvent",
|
||||
"fields": [
|
||||
{
|
||||
"fieldName": "devname",
|
||||
"owner": "log",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "device_name",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "vd",
|
||||
"owner": "log",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "vdom",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "dstip",
|
||||
"owner": "log",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "destination_ip",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "dstport",
|
||||
"owner": "log",
|
||||
"type": "number",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "destination_port",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "vendor_action",
|
||||
"owner": "log",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "vendor_action",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "subtype",
|
||||
"owner": "log",
|
||||
"type": "string",
|
||||
"required": true,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "subtype",
|
||||
"comment": "",
|
||||
"fieldSearch": "subtype=*"
|
||||
},
|
||||
{
|
||||
"fieldName": "msg",
|
||||
"owner": "log",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "msg",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "srcip",
|
||||
"owner": "log",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "source_ip",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "user",
|
||||
"owner": "log",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "user",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "sentbyte",
|
||||
"owner": "log",
|
||||
"type": "number",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "bytes_sent",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "rcvdbyte",
|
||||
"owner": "log",
|
||||
"type": "number",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "bytes_received",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
}
|
||||
],
|
||||
"calculations": [
|
||||
{
|
||||
"outputFields": [
|
||||
{
|
||||
"fieldName": "bytes",
|
||||
"owner": "log",
|
||||
"type": "number",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "bytes",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
}
|
||||
],
|
||||
"calculationID": "33ye7jatrnc23xr",
|
||||
"owner": "log",
|
||||
"editable": true,
|
||||
"comment": "",
|
||||
"calculationType": "Eval",
|
||||
"expression": "rcvdbyte + sentbyte"
|
||||
},
|
||||
{
|
||||
"outputFields": [
|
||||
{
|
||||
"fieldName": "suser",
|
||||
"owner": "log",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "user",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
}
|
||||
],
|
||||
"calculationID": "b5nvzeqblzjs8aor",
|
||||
"owner": "log",
|
||||
"editable": true,
|
||||
"comment": "",
|
||||
"calculationType": "Eval",
|
||||
"expression": "coalesce(user, \"unknown\")"
|
||||
}
|
||||
],
|
||||
"constraints": [
|
||||
{
|
||||
"search": "`fortigate_logs`",
|
||||
"owner": "log"
|
||||
}
|
||||
],
|
||||
"lineage": "log"
|
||||
},
|
||||
{
|
||||
"objectName": "traffic",
|
||||
"displayName": "traffic",
|
||||
"parentName": "log",
|
||||
"fields": [
|
||||
{
|
||||
"fieldName": "app",
|
||||
"owner": "log.traffic",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "application",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "action",
|
||||
"owner": "log.traffic",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "action",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "sessionid",
|
||||
"owner": "log.traffic",
|
||||
"type": "number",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "sessionid",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "srcintf",
|
||||
"owner": "log.traffic",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "source_interface",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "dstintf",
|
||||
"owner": "log.traffic",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "destination_interface",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
}
|
||||
],
|
||||
"calculations": [
|
||||
{
|
||||
"outputFields": [
|
||||
{
|
||||
"fieldName": "sappcat",
|
||||
"owner": "log.traffic",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "appcat",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
}
|
||||
],
|
||||
"calculationID": "mzjg69trwbmg3nmi",
|
||||
"owner": "log.traffic",
|
||||
"editable": true,
|
||||
"comment": "",
|
||||
"calculationType": "Eval",
|
||||
"expression": "coalesce(appcat, \"unknown\")"
|
||||
},
|
||||
{
|
||||
"outputFields": [
|
||||
{
|
||||
"fieldName": "gapp",
|
||||
"owner": "log.traffic",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "Application",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
}
|
||||
],
|
||||
"calculationID": "6xc7edtj41zcl3di",
|
||||
"owner": "log.traffic",
|
||||
"editable": true,
|
||||
"comment": "",
|
||||
"calculationType": "Eval",
|
||||
"expression": "case(isnotnull(app), app, 1=1, service)"
|
||||
}
|
||||
],
|
||||
"constraints": [
|
||||
{
|
||||
"search": "type=traffic",
|
||||
"owner": "log.traffic"
|
||||
}
|
||||
],
|
||||
"lineage": "log.traffic"
|
||||
},
|
||||
{
|
||||
"objectName": "utm",
|
||||
"displayName": "utm",
|
||||
"parentName": "log",
|
||||
"fields": [
|
||||
{
|
||||
"fieldName": "service",
|
||||
"owner": "log.utm",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "service",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
}
|
||||
],
|
||||
"calculations": [
|
||||
{
|
||||
"outputFields": [
|
||||
{
|
||||
"fieldName": "gseverity",
|
||||
"owner": "log.utm",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "generic severity",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
}
|
||||
],
|
||||
"calculationID": "xkmgmwi8eka9k9",
|
||||
"owner": "log.utm",
|
||||
"editable": true,
|
||||
"comment": "",
|
||||
"calculationType": "Eval",
|
||||
"expression": "case( ( subtype==\"app-ctrl\" AND appcat==\"Botnet\"), \"critical\", (subtype==\"app-ctrl\" AND appcat==\"P2P\"), \"medium\", (subtype==\"app-ctrl\" AND appcat==\"Game\"), \"low\", (subtype==\"app-ctrl\" AND appcat==\"Proxy\"),\"high\", (subtype==\"webfilter\" AND (cat==26 OR cat==61 OR cat==86 OR action==\"blocked\")), \"high\",(subtype==\"webfilter\" AND (cat==1 OR cat==2 OR cat==3 OR cat==4 OR cat==5 OR cat==6 OR cat==12 OR cat==59 OR cat==62 OR cat==83)), \"medium\",(subtype==\"webfilter\" AND (cat==14 OR cat==72)), \"low\",severity==\"critical\", \"critical\", severity==\"high\", \"high\", severity==\"medium\", \"medium\",severity==\"low\", \"low\", (subtype==\"virus\" AND eventype==\"infected\"), \"critical\", (1=1), \"\")"
|
||||
}
|
||||
],
|
||||
"constraints": [
|
||||
{
|
||||
"search": "(type=utm OR type=anomaly) AND (subtype=app-ctrl OR subtype=webfilter OR subtype=ips OR subtype=virus OR subtype=emailfitler OR subtype=dlp OR subtype=anomaly)",
|
||||
"owner": "log.utm"
|
||||
}
|
||||
],
|
||||
"lineage": "log.utm"
|
||||
},
|
||||
{
|
||||
"objectName": "system_event",
|
||||
"displayName": "system_event",
|
||||
"parentName": "log",
|
||||
"fields": [],
|
||||
"calculations": [],
|
||||
"constraints": [
|
||||
{
|
||||
"search": "type=event AND subtype!=wireless",
|
||||
"owner": "log.system_event"
|
||||
}
|
||||
],
|
||||
"lineage": "log.system_event"
|
||||
},
|
||||
{
|
||||
"objectName": "virus",
|
||||
"displayName": "virus",
|
||||
"parentName": "utm",
|
||||
"fields": [],
|
||||
"calculations": [],
|
||||
"constraints": [
|
||||
{
|
||||
"search": "subtype=virus",
|
||||
"owner": "log.utm.virus"
|
||||
}
|
||||
],
|
||||
"lineage": "log.utm.virus"
|
||||
},
|
||||
{
|
||||
"objectName": "webfilter",
|
||||
"displayName": "webfilter",
|
||||
"parentName": "utm",
|
||||
"fields": [
|
||||
{
|
||||
"fieldName": "hostname",
|
||||
"owner": "log.utm.webfilter",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "hostname",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
}
|
||||
],
|
||||
"calculations": [],
|
||||
"constraints": [
|
||||
{
|
||||
"search": "subtype=webfilter",
|
||||
"owner": "log.utm.webfilter"
|
||||
}
|
||||
],
|
||||
"lineage": "log.utm.webfilter"
|
||||
},
|
||||
{
|
||||
"objectName": "ips",
|
||||
"displayName": "ips",
|
||||
"parentName": "utm",
|
||||
"fields": [
|
||||
{
|
||||
"fieldName": "attack",
|
||||
"owner": "log.utm.ips",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "attack_name",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
}
|
||||
],
|
||||
"calculations": [],
|
||||
"constraints": [
|
||||
{
|
||||
"search": "subtype=ips OR subtype=anomaly",
|
||||
"owner": "log.utm.ips"
|
||||
}
|
||||
],
|
||||
"lineage": "log.utm.ips"
|
||||
},
|
||||
{
|
||||
"objectName": "spam",
|
||||
"displayName": "spam",
|
||||
"parentName": "utm",
|
||||
"fields": [],
|
||||
"calculations": [],
|
||||
"constraints": [
|
||||
{
|
||||
"search": "subtype=spam",
|
||||
"owner": "log.utm.spam"
|
||||
}
|
||||
],
|
||||
"lineage": "log.utm.spam"
|
||||
},
|
||||
{
|
||||
"objectName": "appctrl",
|
||||
"displayName": "appctrl",
|
||||
"parentName": "utm",
|
||||
"fields": [],
|
||||
"calculations": [
|
||||
{
|
||||
"outputFields": [
|
||||
{
|
||||
"fieldName": "app_severity",
|
||||
"owner": "log.utm.appctrl",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "severity",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
}
|
||||
],
|
||||
"calculationID": "nxbd9b3tj88jv2t9",
|
||||
"owner": "log.utm.appctrl",
|
||||
"editable": true,
|
||||
"comment": "",
|
||||
"calculationType": "Eval",
|
||||
"expression": "case(appcat==\"Botnet\", \"critical\", appcat==\"p2p\", \"medium\", appcat==\"game\", \"low\", appcat==\"proxy\",\"high\")"
|
||||
}
|
||||
],
|
||||
"constraints": [
|
||||
{
|
||||
"search": "subtype=app-ctrl",
|
||||
"owner": "log.utm.appctrl"
|
||||
}
|
||||
],
|
||||
"lineage": "log.utm.appctrl"
|
||||
},
|
||||
{
|
||||
"objectName": "system",
|
||||
"displayName": "system",
|
||||
"parentName": "system_event",
|
||||
"fields": [
|
||||
{
|
||||
"fieldName": "level",
|
||||
"owner": "log.system_event.system",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "level",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "cpu",
|
||||
"owner": "log.system_event.system",
|
||||
"type": "number",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "cpu",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "mem",
|
||||
"owner": "log.system_event.system",
|
||||
"type": "number",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "mem",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "setuprate",
|
||||
"owner": "log.system_event.system",
|
||||
"type": "number",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "setuprate",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "totalsession",
|
||||
"owner": "log.system_event.system",
|
||||
"type": "number",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "totalsession",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
}
|
||||
],
|
||||
"calculations": [],
|
||||
"constraints": [
|
||||
{
|
||||
"search": "subtype=system OR subtype=router OR subtype=wad OR subtype=ha",
|
||||
"owner": "log.system_event.system"
|
||||
}
|
||||
],
|
||||
"lineage": "log.system_event.system"
|
||||
},
|
||||
{
|
||||
"objectName": "vpn",
|
||||
"displayName": "vpn",
|
||||
"parentName": "system_event",
|
||||
"fields": [
|
||||
{
|
||||
"fieldName": "group",
|
||||
"owner": "log.system_event.vpn",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "user_group",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "tunneltype",
|
||||
"owner": "log.system_event.vpn",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "tunneltype",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "duration",
|
||||
"owner": "log.system_event.vpn",
|
||||
"type": "number",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "duration",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
}
|
||||
],
|
||||
"calculations": [
|
||||
{
|
||||
"outputFields": [
|
||||
{
|
||||
"fieldName": "tunnelname",
|
||||
"owner": "log.system_event.vpn",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "tunnel_name",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
}
|
||||
],
|
||||
"calculationID": "0mzxjr0ttlzq6w29",
|
||||
"owner": "log.system_event.vpn",
|
||||
"editable": true,
|
||||
"comment": "",
|
||||
"calculationType": "Eval",
|
||||
"expression": "coalesce(vpntunnel,tunnelid)"
|
||||
}
|
||||
],
|
||||
"constraints": [
|
||||
{
|
||||
"search": "subtype=vpn",
|
||||
"owner": "log.system_event.vpn"
|
||||
}
|
||||
],
|
||||
"lineage": "log.system_event.vpn"
|
||||
},
|
||||
{
|
||||
"objectName": "user",
|
||||
"displayName": "user",
|
||||
"parentName": "system_event",
|
||||
"fields": [
|
||||
{
|
||||
"fieldName": "vendor_status",
|
||||
"owner": "log.system_event.user",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "vendor_status",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "time",
|
||||
"owner": "log.system_event.user",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "time",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
}
|
||||
],
|
||||
"calculations": [],
|
||||
"constraints": [
|
||||
{
|
||||
"search": "subtype=user",
|
||||
"owner": "log.system_event.user"
|
||||
}
|
||||
],
|
||||
"lineage": "log.system_event.user"
|
||||
},
|
||||
{
|
||||
"objectName": "dlp",
|
||||
"displayName": "dlp",
|
||||
"parentName": "utm",
|
||||
"fields": [],
|
||||
"calculations": [],
|
||||
"constraints": [
|
||||
{
|
||||
"search": "subtype=dlp",
|
||||
"owner": "log.utm.dlp"
|
||||
}
|
||||
],
|
||||
"lineage": "log.utm.dlp"
|
||||
},
|
||||
{
|
||||
"objectName": "wireless",
|
||||
"displayName": "wireless",
|
||||
"parentName": "log",
|
||||
"fields": [
|
||||
{
|
||||
"fieldName": "stamac",
|
||||
"owner": "log.wireless",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "station-mac-address",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "ap",
|
||||
"owner": "log.wireless",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "ap",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "apstatus",
|
||||
"owner": "log.wireless",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "apstatus",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "manuf",
|
||||
"owner": "log.wireless",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "vendor",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "bssid",
|
||||
"owner": "log.wireless",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "bssid",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "security",
|
||||
"owner": "log.wireless",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "security",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "radioband",
|
||||
"owner": "log.wireless",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "radioband",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "channel",
|
||||
"owner": "log.wireless",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "channel",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "sndetected",
|
||||
"owner": "log.wireless",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "detected-by",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "signal",
|
||||
"owner": "log.wireless",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "signal",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
},
|
||||
{
|
||||
"fieldName": "onwire",
|
||||
"owner": "log.wireless",
|
||||
"type": "string",
|
||||
"required": false,
|
||||
"multivalue": false,
|
||||
"hidden": false,
|
||||
"editable": true,
|
||||
"displayName": "onwire",
|
||||
"comment": "",
|
||||
"fieldSearch": ""
|
||||
}
|
||||
],
|
||||
"calculations": [],
|
||||
"constraints": [
|
||||
{
|
||||
"search": "type=event AND subtype=wireless",
|
||||
"owner": "log.wireless"
|
||||
}
|
||||
],
|
||||
"lineage": "log.wireless"
|
||||
}
|
||||
],
|
||||
"objectNameList": [
|
||||
"log",
|
||||
"traffic",
|
||||
"utm",
|
||||
"system_event",
|
||||
"virus",
|
||||
"webfilter",
|
||||
"ips",
|
||||
"spam",
|
||||
"appctrl",
|
||||
"system",
|
||||
"vpn",
|
||||
"user",
|
||||
"dlp",
|
||||
"wireless"
|
||||
]
|
||||
}
|
||||
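Review bot: The `log.utm` constraint contains `subtype=emailfitler`, a misspelling, so email-filter UTM events never enter the utm object, and the child `spam` object's constraint `subtype=spam` is not in the parent's subtype list at all, so it can never match either — the SPAM views built on this model stay empty while the events sit in the index. Fix the parent list to the subtype FortiOS actually emits (`subtype=emailfilter` in the releases I know; confirm against your logs) and give the spam child the same value so parent and child agree. Two smaller inconsistencies in the same file: `gseverity` compares `appcat` against `P2P`/`Game`/`Proxy` while `app_severity` under appctrl uses `p2p`/`game`/`proxy`, and eval `==` is case-sensitive, so at most one of the two ever matches real data; and `eventype==\"infected\"` in `gseverity` looks like a typo for the FortiOS `eventtype` field, which would leave the virus-to-critical branch unreachable.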
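--- a/default/data/ui/nav/default.xml
+++ b/default/data/ui/nav/default.xml
@@ -0,0 +1,84 @@
+<nav search_view="search" color="#800000">
+<collection label="Fortinet Network Security">
+<view name="overall" default="true" />
+<collection label="Search FortiGate Data">
+<a href="search">Search</a>
+<a href="search?q=%60fortigate_traffic%60">Traffic Logs</a>
+<a href="search?q=%60fortigate_ips%60">IPS Logs</a>
+<a href="search?q=%60fortigate_virus%60">Virus Logs</a>
+<a href="search?q=%60fortigate_appctrl%60">Application Logs</a>
+<a href="search?q=%60fortigate_webfilter%60">WEB Filter Logs</a>
+<a href="search?q=%60fortigate_spam%60">SPAM Filter Logs</a>
+<a href="search?q=%60fortigate_dlp%60">DLP Logs</a>
+<a href="search?q=%60fortigate_netscan%60">NetScan Logs</a>
+<a href="search?q=%60fortigate_system%60">System Logs</a>
+<a href="search?q=%60fortigate_vpn%60">VPN Logs</a>
+<a href="search?q=%60fortigate_auth%60">Authentication Logs</a>
+<a href="search?q=%60fortigate_wireless%60">Wireless Logs</a>
+</collection>
+<!--
+<a href="about">About</a>
+-->
+</collection>
+
+<collection label="Traffic">
+<view name="traffic_dashboard" />
+<divider />
+<divider />
+<collection label="Searches & Reports">
+<a href="flashtimeline?q=search%20%60fortigate_traffic%60">Search Traffic Data</a>
+<divider />
+<saved source="all" match="Fortigate - Traffic" view="flashtimeline" />
+</collection>
+</collection>
+
+<collection label="Unified Threat Management">
+<view name="threat_dashboard" />
+<divider />
+<view name="utm_summary" />
+</collection>
+
+<collection label="Wireless">
+<view name="wireless_dashboard" />
+<divider />
+<divider />
+<collection label="Searches & Reports">
+<a href="flashtimeline?q=search%20%60fortigate_wireless%60">Search Wireless Data</a>
+<divider />
+<saved source="all" match="Fortigate - Wireless" view="flashtimeline" />
+</collection>
+</collection>
+
+<collection label="System">
+<view name="event_dashboard" />
+<divider />
+<divider />
+<collection label="Searches & Reports">
+<a href="flashtimeline?q=search%20%60fortigate_system%60">Search System Event Data</a>
+<divider />
+<saved source="all" match="Fortigate - System" view="flashtimeline" />
+</collection>
+</collection>
+
+<collection label="Authentication">
+<view name="user_dashboard" />
+<divider />
+<divider />
+<collection label="Searches & Reports">
+<a href="flashtimeline?q=search%20%60fortigate_auth%60">Search Authentication Data</a>
+<divider />
+<saved source="all" match="Fortigate - Authentication" view="flashtimeline" />
+</collection>
+</collection>
+
+<collection label="VPN">
+<view name="vpn_dashboard" />
+<divider />
+<divider />
+<collection label="Searches & Reports">
+<a href="flashtimeline?q=search%20%60fortigate_vpn%60">Search VPN Data</a>
+<divider />
+<saved source="all" match="Fortigate - VPN" view="flashtimeline" />
+</collection>
+</collection>
+</nav>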
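Review bot: The "Searches & Reports" links and every `<saved ... view="flashtimeline" />` entry still target the `flashtimeline` view, while the top collection links to `search`; as far as I recall flashtimeline is the legacy Flash-based search view removed in Splunk 6, and the dashboards in this same commit declare Simple XML `version="1.1"`, which only exists on far newer releases, so those nav entries are likely to 404 on the platform this app is built for. Change each to the current view, e.g. `<a href="search?q=search%20%60fortigate_traffic%60">Search Traffic Data</a>` and `<saved source="all" match="Fortigate - Traffic" view="search" />`, and the same for Wireless, System, Authentication and VPN. The commented-out `<a href="about">About</a>` should either be restored or removed with a comment saying why, rather than left as archaeology.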
@ -0,0 +1,5 @@
|
||||
<dashboard version="1.1">
|
||||
<label>Content Filter Dashboard</label>
|
||||
<description/>
|
||||
</dashboard>
|
||||
|
||||
@ -0,0 +1,343 @@
|
||||
<form version="1.1">
|
||||
<label>Event Dashboard</label>
|
||||
<description></description>
|
||||
<fieldset autoRun="true" submitButton="true">
|
||||
<input type="time" searchWhenChanged="true" token="time_token">
|
||||
<label></label>
|
||||
<default>
|
||||
<earliest>-60m@m</earliest>
|
||||
<latest>now</latest>
|
||||
</default>
|
||||
</input>
|
||||
<input type="dropdown" token="devname">
|
||||
<label>Device</label>
|
||||
<choice value="*">ANY</choice>
|
||||
<default>*</default>
|
||||
<prefix>log.devname="</prefix>
|
||||
<suffix>"</suffix>
|
||||
<search>
|
||||
<query>|`_ftnt_dropdown(log.system_event.system, log.devname)`</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<fieldForLabel>field_with_count</fieldForLabel>
|
||||
<fieldForValue>field</fieldForValue>
|
||||
</input>
|
||||
<input type="dropdown" token="vdom">
|
||||
<label>Virtual Domain</label>
|
||||
<prefix>log.vd="</prefix>
|
||||
<suffix>"</suffix>
|
||||
<choice value="*">ANY</choice>
|
||||
<search>
|
||||
<query>| `_ftnt_dropdown(log.system_event.system, log.vd)`</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<fieldForLabel>field_with_count</fieldForLabel>
|
||||
<fieldForValue>field</fieldForValue>
|
||||
<default>*</default>
|
||||
</input>
|
||||
<input type="dropdown" token="subtype">
|
||||
<label>Subtype</label>
|
||||
<prefix>(log.subtype="</prefix>
|
||||
<suffix>" )</suffix>
|
||||
<default>*</default>
|
||||
<choice value="*">ANY</choice>
|
||||
<choice value="system">SYSTEM</choice>
|
||||
<choice value="router">ROUTER</choice>
|
||||
<choice value="wad">WAD</choice>
|
||||
<choice value="ha">HA</choice>
|
||||
</input>
|
||||
<input type="dropdown" token="level" searchWhenChanged="true">
|
||||
<label>Level</label>
|
||||
<prefix>log.system_event.system.level="</prefix>
|
||||
<suffix>"</suffix>
|
||||
<choice value="*">ANY</choice>
|
||||
<choice value="critical">CRITICAL</choice>
|
||||
<choice value="error">ERROR</choice>
|
||||
<choice value="information">INFORMATION</choice>
|
||||
<choice value="notice">NOTICE</choice>
|
||||
<choice value="warning">WARNING</choice>
|
||||
<choice value="emergency">EMERGENCY</choice>
|
||||
<default>*</default>
|
||||
</input>
|
||||
<input type="dropdown" token="action">
|
||||
<label>Action</label>
|
||||
<choice value="*">ANY</choice>
|
||||
<default>*</default>
|
||||
<prefix>log.vendor_action="</prefix>
|
||||
<suffix>"</suffix>
|
||||
<search>
|
||||
<query>| `_ftnt_dropdown(log.system_event.system, log.vendor_action)`</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<fieldForLabel>field_with_count</fieldForLabel>
|
||||
<fieldForValue>field</fieldForValue>
|
||||
</input>
|
||||
</fieldset>
|
||||
<row>
|
||||
<panel>
|
||||
<title>Events</title>
|
||||
<chart>
|
||||
<search>
|
||||
<query>|tstats summariesonly=true count FROM datamodel=ftnt_fos WHERE nodename="log.system_event.system" $subtype$ $level$ $vdom$ $devname$ $action$ groupby _time | timechart values(count)</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<option name="charting.chart">column</option>
|
||||
<option name="charting.axisY2.enabled">false</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
|
||||
<option name="charting.axisTitleX.visibility">collapsed</option>
|
||||
<option name="charting.axisTitleY.visibility">visible</option>
|
||||
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||
<option name="charting.axisX.scale">linear</option>
|
||||
<option name="charting.axisY.scale">linear</option>
|
||||
<option name="charting.axisY2.scale">inherit</option>
|
||||
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||
<option name="charting.chart.nullValueMode">zero</option>
|
||||
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||
<option name="charting.chart.stackMode">default</option>
|
||||
<option name="charting.chart.style">shiny</option>
|
||||
<option name="charting.drilldown">none</option>
|
||||
<option name="charting.layout.splitSeries">0</option>
|
||||
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||
<option name="charting.legend.placement">none</option>
|
||||
<option name="charting.axisTitleY.text">System Events Count</option>
|
||||
</chart>
|
||||
</panel>
|
||||
<panel>
|
||||
<title>Notable Events</title>
|
||||
<chart>
|
||||
<search>
|
||||
<query>|tstats summariesonly=true count AS Count FROM datamodel=ftnt_fos WHERE nodename="log.system_event.system" $subtype$ $vdom$ $devname$ (log.system_event.system.level=warning OR log.system_event.system.level=emergency OR log.system_event.system.level=critical) groupby log.vendor_action | sort -Count</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<option name="charting.chart">column</option>
|
||||
<option name="charting.axisY2.enabled">false</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
|
||||
<option name="charting.axisTitleX.visibility">collapsed</option>
|
||||
<option name="charting.axisTitleY.visibility">visible</option>
|
||||
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||
<option name="charting.axisX.scale">linear</option>
|
||||
<option name="charting.axisY.scale">linear</option>
|
||||
<option name="charting.axisY2.scale">inherit</option>
|
||||
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||
<option name="charting.chart.nullValueMode">gaps</option>
|
||||
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||
<option name="charting.chart.stackMode">default</option>
|
||||
<option name="charting.chart.style">shiny</option>
|
||||
<option name="charting.drilldown">all</option>
|
||||
<option name="charting.layout.splitSeries">0</option>
|
||||
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||
<option name="charting.legend.placement">none</option>
|
||||
<drilldown>
|
||||
<link>
|
||||
<![CDATA[
|
||||
/app/SplunkAppForFortinet/search?q=`fortigate_system` (level=warning OR level=emergency OR level=critical) vendor_action="$click.value$"&earliest=$time_token.earliest$&latest=$time_token.latest$
|
||||
]]>
|
||||
</link>
|
||||
</drilldown>
|
||||
</chart>
|
||||
</panel>
|
||||
</row>
|
||||
<row>
|
||||
<panel>
|
||||
<title>Latest Events</title>
|
||||
<table>
|
||||
<search>
|
||||
<query>| tstats summariesonly=true max(_time) AS NTime, values(log.devname) as Device, values(log.vd) as Virtual_Domain, values(log.subtype) as Subtype, values(log.system_event.system.level) as Level, values(log.vendor_action) as Action, values(log.msg) as Message from datamodel="ftnt_fos" where nodename="log.system_event.system" $subtype$ $level$ $vdom$ $devname$ $action$ groupby _time, log.devname, log.vd, log.subtype, log.system_event.system.level, log.vendor_action, log.msg | sort -_time | convert ctime(NTime) as Time | table Time, Device, Virtual_Domain, Subtype, Level, Action, Message | sort -_time</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<option name="charting.chart">pie</option>
|
||||
<option name="charting.axisY2.enabled">false</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
|
||||
<option name="charting.axisTitleX.visibility">visible</option>
|
||||
<option name="charting.axisTitleY.visibility">visible</option>
|
||||
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||
<option name="charting.axisX.scale">linear</option>
|
||||
<option name="charting.axisY.scale">linear</option>
|
||||
<option name="charting.axisY2.scale">inherit</option>
|
||||
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||
<option name="charting.chart.nullValueMode">gaps</option>
|
||||
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||
<option name="charting.chart.stackMode">default</option>
|
||||
<option name="charting.chart.style">shiny</option>
|
||||
<option name="charting.drilldown">all</option>
|
||||
<option name="charting.layout.splitSeries">0</option>
|
||||
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||
<option name="charting.legend.placement">right</option>
|
||||
<option name="wrap">true</option>
|
||||
<option name="rowNumbers">true</option>
|
||||
<option name="dataOverlayMode">none</option>
|
||||
<option name="list.drilldown">full</option>
|
||||
<option name="list.wrap">1</option>
|
||||
<option name="maxLines">5</option>
|
||||
<option name="raw.drilldown">full</option>
|
||||
<option name="table.drilldown">all</option>
|
||||
<option name="table.wrap">1</option>
|
||||
<option name="type">list</option>
|
||||
<option name="count">10</option>
|
||||
<option name="drilldown">none</option>
|
||||
<drilldown>
|
||||
<link>
|
||||
<![CDATA[
|
||||
/app/SplunkAppForFortinet/search?q=| datamodel "ftnt_fos" "system" search | search (log.devname="$row.devname$" log.vd="$row.vd$" log.subtype="$row.subtype$" log.vendor_action="$row.action$" log.msg="$row.msg$")&earliest=$time_token.earliest$&latest=$time_token.latest$
|
||||
]]>
|
||||
</link>
|
||||
</drilldown>
|
||||
</table>
|
||||
</panel>
|
||||
</row>
|
||||
<row>
|
||||
<panel>
|
||||
<chart>
|
||||
<title>CPU</title>
|
||||
<search>
|
||||
<query>|tstats summariesonly=true last(log.system_event.system.cpu) AS cpus FROM datamodel=ftnt_fos WHERE nodename="log.system_event.system" $devname$ log.vendor_action=perf-stats groupby _time log.devname | timechart values(cpus) by log.devname</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<option name="charting.chart">line</option>
|
||||
<option name="charting.axisY2.enabled">false</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
|
||||
<option name="charting.axisTitleX.visibility">collapsed</option>
|
||||
<option name="charting.axisTitleY.visibility">visible</option>
|
||||
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||
<option name="charting.axisX.scale">linear</option>
|
||||
<option name="charting.axisY.scale">linear</option>
|
||||
<option name="charting.axisY2.scale">inherit</option>
|
||||
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||
<option name="charting.chart.nullValueMode">connect</option>
|
||||
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||
<option name="charting.chart.stackMode">default</option>
|
||||
<option name="charting.chart.style">shiny</option>
|
||||
<option name="charting.drilldown">all</option>
|
||||
<option name="charting.layout.splitSeries">0</option>
|
||||
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||
<option name="charting.legend.placement">right</option>
|
||||
<option name="mapping.data.maxClusters">100</option>
|
||||
<option name="mapping.map.center">(0,0)</option>
|
||||
<option name="mapping.map.zoom">2</option>
|
||||
<option name="mapping.markerLayer.markerMaxSize">50</option>
|
||||
<option name="mapping.markerLayer.markerMinSize">10</option>
|
||||
<option name="mapping.markerLayer.markerOpacity">0.8</option>
|
||||
<option name="mapping.tileLayer.maxZoom">7</option>
|
||||
<option name="mapping.tileLayer.minZoom">0</option>
|
||||
</chart>
|
||||
</panel>
|
||||
<panel>
|
||||
<chart>
|
||||
<title>Memory</title>
|
||||
<search>
|
||||
<query>|tstats summariesonly=true last(log.system_event.system.mem) AS mems FROM datamodel=ftnt_fos WHERE nodename="log.system_event.system" $devname$ log.vendor_action=perf-stats groupby _time log.devname | timechart values(mems) by log.devname</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<option name="charting.chart">line</option>
|
||||
<option name="charting.axisY2.enabled">undefined</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
|
||||
<option name="charting.axisTitleX.visibility">collapsed</option>
|
||||
<option name="charting.axisTitleY.visibility">visible</option>
|
||||
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||
<option name="charting.axisX.scale">linear</option>
|
||||
<option name="charting.axisY.scale">linear</option>
|
||||
<option name="charting.axisY2.scale">inherit</option>
|
||||
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||
<option name="charting.chart.nullValueMode">connect</option>
|
||||
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||
<option name="charting.chart.stackMode">default</option>
|
||||
<option name="charting.chart.style">shiny</option>
|
||||
<option name="charting.drilldown">all</option>
|
||||
<option name="charting.layout.splitSeries">0</option>
|
||||
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||
<option name="charting.legend.placement">right</option>
|
||||
</chart>
|
||||
</panel>
|
||||
</row>
|
||||
<row>
|
||||
<panel>
|
||||
<chart>
|
||||
<title>Session Setup Rate</title>
|
||||
<search>
|
||||
<query>|tstats summariesonly=true last(log.system_event.system.setuprate) AS setuprate FROM datamodel=ftnt_fos WHERE nodename="log.system_event.system" $devname$ log.vendor_action=perf-stats groupby _time log.devname | timechart values(setuprate) by log.devname</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<option name="charting.chart">line</option>
|
||||
<option name="charting.axisY2.enabled">undefined</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
|
||||
<option name="charting.axisTitleX.visibility">collapsed</option>
|
||||
<option name="charting.axisTitleY.visibility">visible</option>
|
||||
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||
<option name="charting.axisX.scale">linear</option>
|
||||
<option name="charting.axisY.scale">linear</option>
|
||||
<option name="charting.axisY2.scale">inherit</option>
|
||||
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||
<option name="charting.chart.nullValueMode">connect</option>
|
||||
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||
<option name="charting.chart.stackMode">default</option>
|
||||
<option name="charting.chart.style">shiny</option>
|
||||
<option name="charting.drilldown">all</option>
|
||||
<option name="charting.layout.splitSeries">0</option>
|
||||
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||
<option name="charting.legend.placement">right</option>
|
||||
<option name="wrap">true</option>
|
||||
<option name="rowNumbers">false</option>
|
||||
<option name="dataOverlayMode">none</option>
|
||||
<option name="count">10</option>
|
||||
</chart>
|
||||
</panel>
|
||||
<panel>
|
||||
<chart>
|
||||
<title>Concurrent Sessions</title>
|
||||
<search>
|
||||
<query>|tstats summariesonly=true last(log.system_event.system.totalsession) AS totalsession FROM datamodel=ftnt_fos WHERE nodename="log.system_event.system" $devname$ log.vendor_action=perf-stats groupby _time log.devname | timechart values(totalsession) by log.devname</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<option name="charting.chart">line</option>
|
||||
<option name="charting.axisY2.enabled">undefined</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
|
||||
<option name="charting.axisTitleX.visibility">collapsed</option>
|
||||
<option name="charting.axisTitleY.visibility">visible</option>
|
||||
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||
<option name="charting.axisX.scale">linear</option>
|
||||
<option name="charting.axisY.scale">linear</option>
|
||||
<option name="charting.axisY2.scale">inherit</option>
|
||||
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||
<option name="charting.chart.nullValueMode">connect</option>
|
||||
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||
<option name="charting.chart.stackMode">default</option>
|
||||
<option name="charting.chart.style">shiny</option>
|
||||
<option name="charting.drilldown">all</option>
|
||||
<option name="charting.layout.splitSeries">0</option>
|
||||
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||
<option name="charting.legend.placement">right</option>
|
||||
</chart>
|
||||
</panel>
|
||||
</row>
|
||||
</form>
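Review bot: The "Latest Events" table drilldown interpolates `$row.devname$`, `$row.vd$`, `$row.subtype$`, `$row.action$` and `$row.msg$`, but the table's columns are renamed to `Device`, `Virtual_Domain`, `Subtype`, `Action` and `Message` by the `values(...) as` aliases and the final `table`, so those tokens are likely empty when the link is built; they should reference the visible column names. The values are also dropped into SPL inside hand-written double quotes, and `log.msg` is log-controlled text that can itself contain quotes or backslashes, so use Splunk's quote-and-escape filter instead: `log.devname=$row.Device|s$ log.vd=$row.Virtual_Domain|s$ log.subtype=$row.Subtype|s$ log.vendor_action=$row.Action|s$ log.msg=$row.Message|s$`; the "Notable Events" chart link has the same shape and should read `vendor_action=$click.value|s$`. Note too that the table sets `<option name="drilldown">none</option>` just above its `<drilldown>` block, which, if that option takes precedence as it appears to, disables the link entirely. As a point of style, `charting.axisY2.enabled` is set to `undefined` on the Memory, Session Setup Rate and Concurrent Sessions charts, which is not a documented value; `false`, as used on the first charts, is the intended form.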
|
||||
@ -0,0 +1,156 @@
|
||||
<dashboard version="1.1">
|
||||
<label>Overview</label>
|
||||
<description></description>
|
||||
<row>
|
||||
<panel>
|
||||
<title>Device</title>
|
||||
<single>
|
||||
<search>
|
||||
<query>`fortigate_logs` | stats dc(devid)</query>
|
||||
<earliest>rt-10m</earliest>
|
||||
<latest>rtnow</latest>
|
||||
</search>
|
||||
</single>
|
||||
</panel>
|
||||
<panel>
|
||||
<title>Virtual Domain</title>
|
||||
<single>
|
||||
<search>
|
||||
<query>`fortigate_logs` | eval dev-vd= devid."-".vd | stats dc(dev-vd)</query>
|
||||
<earliest>rt-10m</earliest>
|
||||
<latest>rtnow</latest>
|
||||
</search>
|
||||
</single>
|
||||
</panel>
|
||||
<panel>
|
||||
<title>Session</title>
|
||||
<single>
|
||||
<search>
|
||||
<query>`fortigate_logs` | eval dev-sess= devid."-".session_id | stats dc(dev-sess)</query>
|
||||
<earliest>rt-10m</earliest>
|
||||
<latest>rtnow</latest>
|
||||
</search>
|
||||
</single>
|
||||
</panel>
|
||||
</row>
|
||||
<row>
|
||||
<panel>
|
||||
<title>Sessions Transferred Over Time</title>
|
||||
<chart>
|
||||
<search>
|
||||
<query>`fortigate_traffic` | eval dev-sess= devid."-".session_id |timechart dc("dev-sess") by devname</query>
|
||||
<earliest>rt-10m</earliest>
|
||||
<latest>rt</latest>
|
||||
</search>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
|
||||
<option name="charting.axisTitleX.visibility">collapsed</option>
|
||||
<option name="charting.axisTitleY.visibility">collapsed</option>
|
||||
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||
<option name="charting.axisX.scale">linear</option>
|
||||
<option name="charting.axisY.scale">linear</option>
|
||||
<option name="charting.axisY2.enabled">false</option>
|
||||
<option name="charting.axisY2.scale">inherit</option>
|
||||
<option name="charting.chart">line</option>
|
||||
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||
<option name="charting.chart.nullValueMode">gaps</option>
|
||||
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||
<option name="charting.chart.stackMode">default</option>
|
||||
<option name="charting.chart.style">shiny</option>
|
||||
<option name="charting.drilldown">all</option>
|
||||
<option name="charting.layout.splitSeries">0</option>
|
||||
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||
<option name="charting.legend.placement">right</option>
|
||||
<option name="charting.axisTitleX.text">Time</option>
|
||||
</chart>
|
||||
</panel>
|
||||
</row>
|
||||
<row>
|
||||
<panel>
|
||||
<title>Top 20 Applications</title>
|
||||
<chart>
|
||||
<search>
|
||||
<query>`fortigate_traffic` | TOP limit=20 app</query>
|
||||
<earliest>rt-10m</earliest>
|
||||
<latest>rt</latest>
|
||||
</search>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
|
||||
<option name="charting.axisTitleX.visibility">visible</option>
|
||||
<option name="charting.axisTitleY.visibility">visible</option>
|
||||
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||
<option name="charting.axisX.scale">linear</option>
|
||||
<option name="charting.axisY.scale">linear</option>
|
||||
<option name="charting.axisY2.enabled">false</option>
|
||||
<option name="charting.axisY2.scale">inherit</option>
|
||||
<option name="charting.chart">pie</option>
|
||||
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||
<option name="charting.chart.nullValueMode">gaps</option>
|
||||
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||
<option name="charting.chart.stackMode">default</option>
|
||||
<option name="charting.chart.style">shiny</option>
|
||||
<option name="charting.drilldown">all</option>
|
||||
<option name="charting.layout.splitSeries">0</option>
|
||||
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||
<option name="charting.legend.placement">right</option>
|
||||
</chart>
|
||||
</panel>
|
||||
<panel>
|
||||
<title>Threat</title>
|
||||
<chart>
|
||||
<search>
|
||||
<query>`fortigate_utm` AND (severity=critical OR severity=high OR severity=medium OR severity=low) | timechart count by severity</query>
|
||||
<earliest>rt-1h</earliest>
|
||||
<latest>rt</latest>
|
||||
</search>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
|
||||
<option name="charting.axisTitleX.visibility">collapsed</option>
|
||||
<option name="charting.axisTitleY.visibility">collapsed</option>
|
||||
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||
<option name="charting.axisX.scale">linear</option>
|
||||
<option name="charting.axisY.scale">linear</option>
|
||||
<option name="charting.axisY2.enabled">false</option>
|
||||
<option name="charting.axisY2.scale">inherit</option>
|
||||
<option name="charting.chart">line</option>
|
||||
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||
<option name="charting.chart.nullValueMode">gaps</option>
|
||||
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||
<option name="charting.chart.stackMode">default</option>
|
||||
<option name="charting.chart.style">shiny</option>
|
||||
<option name="charting.drilldown">all</option>
|
||||
<option name="charting.layout.splitSeries">0</option>
|
||||
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||
<option name="charting.legend.placement">right</option>
|
||||
</chart>
|
||||
</panel>
|
||||
</row>
|
||||
<row>
|
||||
<panel>
|
||||
<title>Application By Destination Countries</title>
|
||||
<map>
|
||||
<search>
|
||||
<query>`fortigate_traffic` | iplocation "dstip" | geostats count by app</query>
|
||||
<earliest>rt-1h</earliest>
|
||||
<latest>rt</latest>
|
||||
</search>
|
||||
<option name="mapping.data.maxClusters">100</option>
|
||||
<option name="mapping.drilldown">all</option>
|
||||
<option name="mapping.map.center">(0,0)</option>
|
||||
<option name="mapping.map.zoom">2</option>
|
||||
<option name="mapping.markerLayer.markerMaxSize">50</option>
|
||||
<option name="mapping.markerLayer.markerMinSize">10</option>
|
||||
<option name="mapping.markerLayer.markerOpacity">0.8</option>
|
||||
<option name="mapping.tileLayer.maxZoom">7</option>
|
||||
<option name="mapping.tileLayer.minZoom">0</option>
|
||||
<option name="drilldown">all</option>
|
||||
</map>
|
||||
</panel>
|
||||
</row>
|
||||
</dashboard>
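Review bot: The eval assignments in the Virtual Domain, Session and Sessions Transferred panels create hyphenated field names without quoting (`| eval dev-vd= devid."-".vd | stats dc(dev-vd)`), which eval is likely to misparse since field names outside `[A-Za-z0-9_]` must be single-quoted; the simplest fix is an underscore name, `| eval dev_vd=devid."-".vd | stats dc(dev_vd)`, applied likewise to `dev-sess` and to the `dc("dev-sess")` in the timechart. Every panel on this dashboard is a real-time search (`rt-10m`/`rt-1h` with `rtnow` or `rt`), so each viewer holds six or seven concurrent real-time search slots open on the search head, and real-time search is often restricted by role; a plain window such as `<earliest>-10m</earliest><latest>now</latest>` with a panel `refresh` would give the same overview at a fraction of the cost. The mixed `rtnow` and `rt` latest values appear to be equivalent but should be made consistent, and a one-line `<description>` stating that these are live counters over the last 10 minutes/1 hour would help the reader.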
|
||||
@ -0,0 +1,340 @@
|
||||
<form version="1.1">
|
||||
<label>Threat Dashboard</label>
|
||||
<fieldset autoRun="true" submitButton="true">
|
||||
<input type="time" searchWhenChanged="true" token="time_token">
|
||||
<label></label>
|
||||
<default>
|
||||
<earliest>-60m@m</earliest>
|
||||
<latest>now</latest>
|
||||
</default>
|
||||
</input>
|
||||
<input type="dropdown" token="devname">
|
||||
<label>Device</label>
|
||||
<choice value="*">ANY</choice>
|
||||
<search>
|
||||
<query>| `_ftnt_dropdown(log.utm, log.devname)`</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<fieldForLabel>field_with_count</fieldForLabel>
|
||||
<fieldForValue>field</fieldForValue>
|
||||
<prefix>log.devname="</prefix>
|
||||
<suffix>"</suffix>
|
||||
<default>*</default>
|
||||
</input>
|
||||
<input type="dropdown" token="vdom" searchWhenChanged="true">
|
||||
<label>Virtual Domain</label>
|
||||
<choice value="*">ANY</choice>
|
||||
<search>
|
||||
<query>| `_ftnt_dropdown(log.utm, log.vd)`</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<fieldForLabel>field_with_count</fieldForLabel>
|
||||
<fieldForValue>field</fieldForValue>
|
||||
<prefix>log.vd="</prefix>
|
||||
<suffix>"</suffix>
|
||||
<default>*</default>
|
||||
</input>
|
||||
<input type="dropdown" token="subtype">
|
||||
<label>Subtype</label>
|
||||
<choice value="*">ANY</choice>
|
||||
<search>
|
||||
<query>| `_ftnt_dropdown(log.utm, log.subtype)`</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<fieldForLabel>field_with_count</fieldForLabel>
|
||||
<fieldForValue>field</fieldForValue>
|
||||
<default>*</default>
|
||||
<prefix>log.subtype="</prefix>
|
||||
<suffix>"</suffix>
|
||||
</input>
|
||||
<input type="text" token="srcip">
|
||||
<label>Source IP</label>
|
||||
<prefix>log.srcip="</prefix>
|
||||
<suffix>"</suffix>
|
||||
<default>*</default>
|
||||
</input>
|
||||
<input type="text" token="dstip">
|
||||
<label>Destination IP</label>
|
||||
<prefix>log.dstip="</prefix>
|
||||
<suffix>"</suffix>
|
||||
<default>*</default>
|
||||
</input>
|
||||
<input type="text" token="dstport">
|
||||
<label>Destination Port</label>
|
||||
<prefix>log.dstport="</prefix>
|
||||
<suffix>"</suffix>
|
||||
<default>*</default>
|
||||
</input>
|
||||
</fieldset>
|
||||
<row>
|
||||
<panel>
|
||||
<title>Threat By Severity</title>
|
||||
<chart>
|
||||
<search>
|
||||
<query>| tstats summariesonly=true count FROM datamodel=ftnt_fos where nodename="log.utm" log.utm.gseverity!="" $devname$ $vdom$ $subtype$ $srcip$ $dstip$ $dstport$ GROUPBY _time log.utm.gseverity | timechart values(count) by log.utm.gseverity</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
|
||||
<option name="charting.axisTitleX.visibility">collapsed</option>
|
||||
<option name="charting.axisTitleY.visibility">visible</option>
|
||||
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||
<option name="charting.axisX.scale">linear</option>
|
||||
<option name="charting.axisY.scale">linear</option>
|
||||
<option name="charting.axisY2.enabled">false</option>
|
||||
<option name="charting.axisY2.scale">inherit</option>
|
||||
<option name="charting.chart">line</option>
|
||||
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||
<option name="charting.chart.nullValueMode">zero</option>
|
||||
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||
<option name="charting.chart.stackMode">default</option>
|
||||
<option name="charting.chart.style">shiny</option>
|
||||
<option name="charting.drilldown">all</option>
|
||||
<option name="charting.layout.splitSeries">0</option>
|
||||
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||
<option name="charting.legend.placement">right</option>
|
||||
<drilldown>
|
||||
<link>
|
||||
<![CDATA[
|
||||
/app/SplunkAppForFortinet/search?q=`fortigate_utm` severity="$click.name2$" earliest=$click.value$ [| stats count | eval latest = $click.value$ %2b 300 | fields latest]
|
||||
]]>
|
||||
</link>
|
||||
</drilldown>
|
||||
</chart>
|
||||
</panel>
|
||||
<panel>
|
||||
<title>IPS Attack By Device</title>
|
||||
<chart>
|
||||
<search>
|
||||
<query>| tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm.ips" $devname$ $vdom$ $subtype$ $srcip$ $dstip$ $dstport$ GROUPBY log.devname | sort -count | head 30</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<option name="charting.chart">column</option>
|
||||
<option name="charting.axisY2.enabled">undefined</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
|
||||
<option name="charting.axisTitleX.visibility">collapsed</option>
|
||||
<option name="charting.axisTitleY.visibility">collapsed</option>
|
||||
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||
<option name="charting.axisX.scale">linear</option>
|
||||
<option name="charting.axisY.scale">linear</option>
|
||||
<option name="charting.axisY2.scale">inherit</option>
|
||||
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||
<option name="charting.chart.nullValueMode">gaps</option>
|
||||
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||
<option name="charting.chart.stackMode">default</option>
|
||||
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<link>
<![CDATA[
/app/SplunkAppForFortinet/search?q=`fortigate_ips` devname="$click.value$"&earliest=$time_token.earliest$&latest=$time_token.latest$
]]>
</link>
</drilldown>
</chart>
</panel>
<panel>
<title>Threat By SubType</title>
<chart>
<search>
<query>| tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm" log.utm.gseverity!="" $devname$ $vdom$ $subtype$ $srcip$ $dstip$ $dstport$ GROUPBY log.subtype | sort -count | head 20</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.axisY2.enabled">undefined</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<drilldown>
<link>
<![CDATA[
/app/SplunkAppForFortinet/search?q=| datamodel "ftnt_fos" "utm" search | search (log.utm.gseverity!="" AND log.subtype="$click.value$")&earliest=$time_token.earliest$&latest=$time_token.latest$
]]>
</link>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel>
<title>Threat By Source IP</title>
<chart>
<search>
<query>| tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm" log.utm.gseverity!="" $devname$ $vdom$ $subtype$ $srcip$ $dstip$ $dstport$ GROUPBY log.srcip | sort -count | head 30</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.axisY2.enabled">undefined</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<link>
<![CDATA[
/app/SplunkAppForFortinet/search?q=| datamodel "ftnt_fos" "utm" search | search (log.utm.gseverity!="" AND log.srcip="$click.value$")&earliest=$time_token.earliest$&latest=$time_token.latest$]]>
</link>
</drilldown>
</chart>
</panel>
<panel>
<title>Threat By Destination IP</title>
<chart>
<search>
<query>| tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm" $devname$ $vdom$ $subtype$ $srcip$ $dstip$ $dstport$ log.utm.gseverity!="" GROUPBY log.dstip| sort-count | head 30</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.axisY2.enabled">undefined</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<link>
<![CDATA[
/app/SplunkAppForFortinet/search?q=| datamodel "ftnt_fos" "utm" search | search (log.utm.gseverity!="" AND log.dstip="$click.value$")&earliest=$time_token.earliest$&latest=$time_token.latest$]]>
</link>
</drilldown>
</chart>
</panel>
</row>
<row>
<panel>
<title>Threat By User</title>
<chart>
<search>
<query>| tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm" log.utm.gseverity!="" log.user!="" $devname$ $vdom$ $subtype$ $srcip$ $dstip$ $dstport$ GROUPBY log.user | sort -count | head 20</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<link>
<![CDATA[
/app/SplunkAppForFortinet/search?q=| datamodel "ftnt_fos" "utm" search | search (log.utm.gseverity!="" AND log.user="$click.value$")&earliest=$time_token.earliest$&latest=$time_token.latest$]]>
</link>
</drilldown>
</chart>
</panel>
<panel>
<title>Threat By Service</title>
<chart>
<search>
<query>| tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm" log.utm.gseverity!="" $devname$ $vdom$ $subtype$ $srcip$ $dstip$ $dstport$ GROUPBY log.utm.service | sort -count | head 20</query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">none</option>
<drilldown>
<link>
<![CDATA[
/app/SplunkAppForFortinet/search?q=| datamodel "ftnt_fos" "utm" search | search (log.utm.gseverity!="" AND log.utm.service="$click.value$")&earliest=$time_token.earliest$&latest=$time_token.latest$]]>
</link>
</drilldown>
</chart>
</panel>
</row>
</form>
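--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,418 @@
+<form version="1.1">
+<label>Traffic Dashboard</label>
+<fieldset autoRun="true" submitButton="true">
+<input type="time" searchWhenChanged="true" token="time_token">
+<label></label>
+<default>
+<earliest>-60m@m</earliest>
+<latest>now</latest>
+</default>
+</input>
+<input type="dropdown" token="device">
+<label>Device</label>
+<default>*</default>
+<prefix>log.devname="</prefix>
+<suffix>"</suffix>
+<choice value="*">ANY</choice>
+<search>
+<query>| `_ftnt_dropdown(log.traffic, log.devname)`</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<fieldForLabel>field_with_count</fieldForLabel>
+<fieldForValue>field</fieldForValue>
+</input>
+<input type="dropdown" token="vdom" searchWhenChanged="true">
+<label>Virtual Domain</label>
+<prefix>log.vd="</prefix>
+<suffix>"</suffix>
+<choice value="*">ANY</choice>
+<search>
+<query>| `_ftnt_dropdown(log.traffic, log.vd)`</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<fieldForLabel>field_with_count</fieldForLabel>
+<fieldForValue>field</fieldForValue>
+<default>*</default>
+</input>
+<input type="text" token="srcip">
+<label>Source IP</label>
+<prefix>log.srcip="</prefix>
+<suffix>"</suffix>
+<default>*</default>
+</input>
+<input type="text" token="dstip">
+<label>Destination IP</label>
+<prefix>log.dstip="</prefix>
+<suffix>"</suffix>
+<default>*</default>
+</input>
+<input type="text" token="user">
+<label>User</label>
+<default>*</default>
+<prefix>(log.suser="</prefix>
+<suffix>" OR log.user="")</suffix>
+</input>
+<input type="dropdown" token="app" searchWhenChanged="true">
+<label>Application</label>
+<prefix>(log.traffic.app="</prefix>
+<suffix>" OR log.traffic.app="")</suffix>
+<search>
+<query>| `_ftnt_dropdown(log.traffic, log.traffic.app)`</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<fieldForLabel>field_with_count</fieldForLabel>
+<fieldForValue>field</fieldForValue>
+<choice value="*">ANY</choice>
+<default>*</default>
+</input>
+<input type="dropdown" token="srcintf">
+<label>Source Interface</label>
+<choice value="*">ANY</choice>
+<default>*</default>
+<prefix>log.traffic.srcintf="</prefix>
+<suffix>"</suffix>
+<search>
+<query>| `_ftnt_dropdown(log.traffic, log.traffic.srcintf)`</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<fieldForLabel>field_with_count</fieldForLabel>
+<fieldForValue>field</fieldForValue>
+</input>
+<input type="dropdown" token="dstintf">
+<label>Destination Interface</label>
+<choice value="*">ANY</choice>
+<default>*</default>
+<prefix>log.traffic.dstintf="</prefix>
+<suffix>"</suffix>
+<search>
+<query>| `_ftnt_dropdown(log.traffic, log.traffic.dstintf)`</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<fieldForLabel>field_with_count</fieldForLabel>
+<fieldForValue>field</fieldForValue>
+</input>
+</fieldset>
+<row>
+<panel>
+<title>Sessions Over Time</title>
+<chart>
+<search>
+<query>| tstats summariesonly=true count latest(log.traffic.sessionid) as sessionid FROM datamodel=ftnt_fos where nodename="log.traffic" log.srcip="*" log.dstip="*" log.vd="*" log.vendor_action="*" log.devname="*" (log.suser="*" OR log.user="") (log.traffic.app="*" OR log.traffic.app="") log.traffic.srcintf="*" log.traffic.dstintf="*" GROUPBY _time , log.traffic.action, log.traffic.sessionid | timechart dc("sessionid") by log.traffic.action</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">collapsed</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.enabled">0</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">line</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">zero</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">none</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">right</option>
+<option name="refresh.display">progressbar</option>
+</chart>
+</panel>
+<panel>
+<title>Traffic Over Time</title>
+<chart>
+<search>
+<query>| tstats summariesonly=true sum(log.sentbyte) AS sumSent sum(log.rcvdbyte) AS sumReceived from datamodel="ftnt_fos" where nodename="log.traffic" $srcip$ $dstip$ $vdom$ $device$ $user$ $app$ $srcintf$ $dstintf$ groupby _time | eval msumSent = (sumSent/(1024*1024)) | eval msumReceived = (sumReceived/(1024*1024)) | timechart values("msumReceived") AS "MBytes Received" values("msumSent") AS "MBytes Sent"</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">collapsed</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.enabled">0</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">line</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">zero</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">stacked</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">none</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">right</option>
+<option name="refresh.display">progressbar</option>
+</chart>
+</panel>
+</row>
+<row>
+<panel>
+<title>Top Source IP</title>
+<chart>
+<search>
+<query>| tstats summariesonly=true count FROM datamodel="ftnt_fos" where nodename="log.traffic" $srcip$ $dstip$ $user$ $app$ $vdom$ $device$ $srcintf$ $dstintf$ groupby log.srcip | sort -count | head 20</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
+<option name="charting.axisTitleX.visibility">collapsed</option>
+<option name="charting.axisTitleY.visibility">collapsed</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.enabled">false</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">column</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">stacked</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">none</option>
+<option name="mapping.data.maxClusters">100</option>
+<option name="mapping.map.center">(0,0)</option>
+<option name="mapping.map.zoom">2</option>
+<option name="mapping.markerLayer.markerMaxSize">50</option>
+<option name="mapping.markerLayer.markerMinSize">10</option>
+<option name="mapping.markerLayer.markerOpacity">0.8</option>
+<option name="mapping.tileLayer.maxZoom">7</option>
+<option name="mapping.tileLayer.minZoom">0</option>
+<drilldown>
+<link>
+<![CDATA[
+/app/SplunkAppForFortinet/search?q=`fortigate_traffic` srcip="$click.value$" earliest=$time_token.earliest$&latest=$time_token.latest$
+]]>
+</link>
+</drilldown>
+</chart>
+</panel>
+<panel>
+<title>Top Destination IP</title>
+<chart>
+<search>
+<query>| tstats summariesonly=true count FROM datamodel="ftnt_fos" where nodename="log.traffic" $srcip$ $dstip$ $user$ $app$ $vdom$ $device$ $srcintf$ $dstintf$ groupby log.dstip | sort -count | head 20</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
+<option name="charting.axisTitleX.visibility">collapsed</option>
+<option name="charting.axisTitleY.visibility">collapsed</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.enabled">false</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">column</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">none</option>
+<drilldown>
+<link>
+<![CDATA[
+/app/SplunkAppForFortinet/search?q=`fortigate_traffic` dstip="$click.value$" earliest=$time_token.earliest$&latest=$time_token.latest$
+]]>
+</link>
+</drilldown>
+</chart>
+</panel>
+</row>
+<row>
+<panel>
+<title>Traffic by Device</title>
+<chart>
+<search>
+<query>| tstats summariesonly=true sum(log.bytes) as MBytes_transferred from datamodel="ftnt_fos" where nodename="log.traffic" $srcip$ $dstip$ $user$ $app$ $vdom$ $device$ $srcintf$ $dstintf$ groupby log.devname | eval MBytes_transferred = (MBytes_transferred/(1024*1024)) | sort -MBytes_transferred | head 10</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="charting.chart">pie</option>
+<option name="charting.axisY2.enabled">false</option>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">visible</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">right</option>
+<drilldown>
+<link>
+<![CDATA[
+/app/SplunkAppForFortinet/search?q=`fortigate_traffic` devname="$click.value$" earliest=$time_token.earliest$&latest=$time_token.latest$
+]]>
+</link>
+</drilldown>
+</chart>
+</panel>
+<panel>
+<title>Traffic by User</title>
+<chart>
+<search>
+<query>|tstats summariesonly=true sum(log.bytes) as MBytes_transferred from datamodel="ftnt_fos" where nodename="log.traffic" $srcip$ $dstip$ $user$ $app$ $vdom$ $device$ $srcintf$ $dstintf$ groupby log.user | eval MBytes_transferred = (MBytes_transferred/(1024*1024)) | sort -MBytes_transferred | head 10</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="list.drilldown">full</option>
+<option name="list.wrap">1</option>
+<option name="maxLines">5</option>
+<option name="raw.drilldown">full</option>
+<option name="rowNumbers">false</option>
+<option name="table.drilldown">all</option>
+<option name="table.wrap">1</option>
+<option name="type">list</option>
+<option name="wrap">true</option>
+<option name="dataOverlayMode">none</option>
+<option name="count">10</option>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
+<option name="charting.axisTitleX.visibility">collapsed</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.enabled">false</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">pie</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">none</option>
+<option name="charting.axisTitleX.text">User</option>
+<drilldown>
+<link>
+<![CDATA[
+/app/SplunkAppForFortinet/search?q=`fortigate_traffic` user="$click.value$" earliest=$time_token.earliest$&latest=$time_token.latest$
+]]>
+</link>
+</drilldown>
+</chart>
+</panel>
+<panel>
+<title>Traffic by Application</title>
+<chart>
+<search>
+<query>| tstats summariesonly=true sum(log.bytes) as MBytes_transferred from datamodel="ftnt_fos" where nodename="log.traffic" $srcip$ $dstip$ $user$ $app$ $vdom$ $device$ $srcintf$ $dstintf$ groupby log.traffic.app | eval MBytes_transferred = (MBytes_transferred/(1024*1024)) | sort -MBytes_transferred | head 10</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">visible</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.enabled">false</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">pie</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">right</option>
+<drilldown>
+<link>
+<![CDATA[
+/app/SplunkAppForFortinet/search?q=`fortigate_traffic` app="$click.value$" earliest=$time_token.earliest$&latest=$time_token.latest$
+]]>
+</link>
+</drilldown>
+</chart>
+</panel>
+<panel>
+<title>Traffic by Interface</title>
+<chart>
+<search>
+<query>| tstats summariesonly=true sum(log.bytes) as MBytes_transferred from datamodel="ftnt_fos" where nodename="log.traffic" $srcip$ $dstip$ $user$ $app$ $vdom$ $device$ $srcintf$ $dstintf$ groupby log.traffic.srcintf | eval MBytes_transferred = (MBytes_transferred/(1024*1024)) | sort -MBytes_transferred | head 10</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">visible</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.enabled">false</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">pie</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">right</option>
+<drilldown>
+<link>
+<![CDATA[
+/app/SplunkAppForFortinet/search?q=`fortigate_traffic` srcintf="$click.value$" earliest=$time_token.earliest$&latest=$time_token.latest$
+]]>
+</link>
+</drilldown>
+</chart>
+</panel>
+</row>
+</form>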
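Review bot: The "Sessions Over Time" query hard-codes `log.srcip="*" log.dstip="*" log.vd="*" log.vendor_action="*" log.devname="*" (log.suser="*" OR log.user="") (log.traffic.app="*" OR log.traffic.app="") log.traffic.srcintf="*" log.traffic.dstintf="*"` in its WHERE clause, so that panel ignores every filter input the fieldset defines while its sibling panels honour `$srcip$ $dstip$ $vdom$ $device$ $user$ $app$ $srcintf$ $dstintf$`; replacing the literal run with that token list makes the panel filter consistently with the rest of the dashboard. The user input's prefix/suffix produce `(log.suser="<value>" OR log.user="")`, which filters on `log.suser` but also admits any event whose `log.user` is empty, while the "Traffic by User" panel groups by `log.user`; this mismatch looks unintended and is worth confirming against the data model. The drilldown links in the Top Source IP through Traffic by Interface panels place `earliest=$time_token.earliest$` inside the `q=` search string but pass `&latest=$time_token.latest$` as a URL parameter, whereas the UTM drilldowns in the preceding file use `&earliest=` and `&latest=` together; using `&earliest=` here too keeps the time range out of the SPL. The "Traffic by User" chart also carries `list.*`, `table.*`, `type`, `count`, `maxLines` and `rowNumbers` options that belong to event/table visualizations rather than a `<chart>` and can be dropped.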
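--- /dev/null
+++ b/[PATH-NOT-ON-PAGE]
@@ -0,0 +1,219 @@
+<form version="1.1">
+<label>Authentication Dashboard</label>
+<description></description>
+<fieldset autoRun="true" submitButton="true">
+<input type="time" searchWhenChanged="true" token="time_token">
+<label></label>
+<default>
+<earliest>-60m@m</earliest>
+<latest>now</latest>
+</default>
+</input>
+<input type="dropdown" token="devname">
+<label>Device</label>
+<choice value="*">ANY</choice>
+<default>*</default>
+<prefix>log.devname="</prefix>
+<suffix>"</suffix>
+<search>
+<query>|`_ftnt_dropdown(log.system_event.user, log.devname)`</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<fieldForLabel>field_with_count</fieldForLabel>
+<fieldForValue>field</fieldForValue>
+</input>
+<input type="dropdown" token="vdom">
+<label>Virtual Domain</label>
+<prefix>log.vd="</prefix>
+<suffix>"</suffix>
+<choice value="*">ANY</choice>
+<search>
+<query>| `_ftnt_dropdown(log.system_event.user, log.vd)`</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<fieldForLabel>field_with_count</fieldForLabel>
+<fieldForValue>field</fieldForValue>
+<default>*</default>
+</input>
+<input type="dropdown" token="user">
+<label>User</label>
+<choice value="*">ANY</choice>
+<default>*</default>
+<prefix>log.user="</prefix>
+<suffix>"</suffix>
+<search>
+<query>|`_ftnt_dropdown(log.system_event.user, log.user)`</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<fieldForLabel>field_with_count</fieldForLabel>
+<fieldForValue>field</fieldForValue>
+</input>
+<input type="dropdown" token="status">
+<label>Status</label>
+<choice value="*">ANY</choice>
+<search>
+<query>| `_ftnt_dropdown(log.system_event.user, log.system_event.user.vendor_status)`</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<fieldForLabel>field_with_count</fieldForLabel>
+<fieldForValue>field</fieldForValue>
+<prefix>log.system_event.user.vendor_status="</prefix>
+<suffix>"</suffix>
+<default>*</default>
+</input>
+</fieldset>
+<row>
+<panel>
+<title>Authentication Request Overview</title>
+<chart>
+<search>
+<query>| tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.system_event.user" $devname$ $vdom$ $user$ $status$ GROUPBY log.user | sort -count | head 20</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="count">10</option>
+<option name="list.drilldown">full</option>
+<option name="list.wrap">1</option>
+<option name="maxLines">5</option>
+<option name="raw.drilldown">full</option>
+<option name="rowNumbers">0</option>
+<option name="table.drilldown">all</option>
+<option name="table.wrap">1</option>
+<option name="type">list</option>
+<fields>[]</fields>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">visible</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.enabled">false</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">pie</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">right</option>
+<drilldown>
+<link>
+<![CDATA[
+/app/SplunkAppForFortinet/search?q=| datamodel "ftnt_fos" "user" search | search (log.user="$click.value$" $devname$ $vdom$)&earliest=$time_token.earliest$&latest=$time_token.latest$
+]]>
+</link>
+</drilldown>
+</chart>
+</panel>
+<panel>
+<title>Authentication Request Over Time</title>
+<chart>
+<search>
+<query>| tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.system_event.user" $devname$ $vdom$ $user$ $status$ GROUPBY _time log.system_event.user.vendor_status | timechart values(count) by log.system_event.user.vendor_status</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="charting.chart">column</option>
+<option name="charting.axisY2.enabled">undefined</option>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">collapsed</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">stacked</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">right</option>
+<option name="list.drilldown">full</option>
+<option name="list.wrap">1</option>
+<option name="maxLines">5</option>
+<option name="raw.drilldown">full</option>
+<option name="rowNumbers">false</option>
+<option name="table.drilldown">all</option>
+<option name="table.wrap">1</option>
+<option name="type">list</option>
+<option name="wrap">true</option>
+<option name="dataOverlayMode">none</option>
+<drilldown>
+<link>
+<![CDATA[
+/app/SplunkAppForFortinet/search?q=| datamodel "ftnt_fos" "user" search | search (log.system_event.user.vendor_status="$click.name2$" $devname$ $vdom$)&earliest=$time_token.earliest$&latest=$time_token.latest$
+]]>
+</link>
+</drilldown>
+</chart>
+</panel>
+</row>
+<row>
+<panel>
+<title>Latest Events</title>
+<table>
+<search>
+<query>| tstats summariesonly=true max(_time) as NTime count FROM datamodel=ftnt_fos where nodename="log.system_event.user" $devname$ $vdom$ $user$ $status$ GROUPBY _time log.system_event.user.time log.devname log.vd log.user log.vendor_action log.system_event.user.vendor_status log.msg | rename log.devname AS Devname, log.vd AS Virtual_Domain, log.user AS User, log.vendor_action AS Action, log.system_event.user.vendor_status AS Status, log.msg AS Message | convert ctime(NTime) as Time | sort -_time | table Time Devname Virtual_Domain User Action Status Message</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="charting.chart">pie</option>
+<option name="charting.axisY2.enabled">false</option>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">visible</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">right</option>
+<option name="wrap">true</option>
+<option name="rowNumbers">true</option>
+<option name="dataOverlayMode">none</option>
+<option name="list.drilldown">full</option>
+<option name="list.wrap">1</option>
+<option name="maxLines">5</option>
+<option name="raw.drilldown">full</option>
+<option name="table.drilldown">all</option>
+<option name="table.wrap">1</option>
+<option name="type">list</option>
+<option name="drilldown">none</option>
+<option name="count">10</option>
+<drilldown>
+<link>
+<![CDATA[
+/app/SplunkAppForFortinet/search?q=| datamodel "ftnt_fos" "user" search | search (log.user="$row.user$" log.devname="$row.devname$" log.vd="$row.vd$")&earliest=$time_token.earliest$&latest=$time_token.latest$
+]]>
+</link>
+</drilldown>
+</table>
+</panel>
+</row>
+</form>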
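Review bot: The Latest Events drilldown link at the end of this section builds its search from `$row.user$`, `$row.devname$` and `$row.vd$`, but the panel query renames those columns to `User`, `Devname` and `Virtual_Domain` and keeps only the renamed names in `table`, so the row tokens never resolve; the block is also unreachable because the same table sets `<option name="drilldown">none</option>`. Either drop the `<drilldown>` block or switch the option to `row` and use `log.user="$row.User$" log.devname="$row.Devname$" log.vd="$row.Virtual_Domain$"`. The two chart drilldowns above carry only a subset of the panel filters — the overview link passes `$devname$ $vdom$` but not `$status$`, and the over-time link omits `$user$` — so a pivot from a filtered chart opens a broader result set than the one the chart summarised; passing the same tokens the panel query uses keeps the drilldown faithful to what was clicked.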
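--- /dev/null
+++ b/[PATH-NOT-ON-PAGE]
@@ -0,0 +1,270 @@
+<form version="1.1">
+<label>UTM Overview</label>
+<fieldset autoRun="true" submitButton="true">
+<input type="time" searchWhenChanged="true" token="time_token">
+<label></label>
+<default>
+<earliest>-60m@m</earliest>
+<latest>now</latest>
+</default>
+</input>
+<input type="dropdown" token="devname">
+<label>Device</label>
+<choice value="*">ANY</choice>
+<search>
+<query>| `_ftnt_dropdown(log.utm, log.devname)`</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<fieldForLabel>field_with_count</fieldForLabel>
+<fieldForValue>field</fieldForValue>
+<prefix>log.devname="</prefix>
+<suffix>"</suffix>
+<default>*</default>
+</input>
+<input type="dropdown" token="vdom" searchWhenChanged="true">
+<label>Virtual Domain</label>
+<choice value="*">ANY</choice>
+<search>
+<query>| `_ftnt_dropdown(log.utm, log.vd)`</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<fieldForLabel>field_with_count</fieldForLabel>
+<fieldForValue>field</fieldForValue>
+<prefix>log.vd="</prefix>
+<suffix>"</suffix>
+<default>*</default>
+</input>
+<input type="text" token="srcip">
+<label>Source IP</label>
+<prefix>log.srcip="</prefix>
+<suffix>"</suffix>
+<default>*</default>
+</input>
+<input type="text" token="dstip">
+<label>Destination IP</label>
+<prefix>log.dstip="</prefix>
+<suffix>"</suffix>
+<default>*</default>
+</input>
+<input type="text" token="dstport">
+<label>Destination Port</label>
+<prefix>log.dstport="</prefix>
+<suffix>"</suffix>
+<default>*</default>
+</input>
+</fieldset>
+<row>
+<panel>
+<title>Applications</title>
+<table>
+<search>
+<query>| tstats summariesonly=true count(log.traffic.gapp) AS Sessions, sum(log.sentbyte) AS Sent sum(log.rcvdbyte) AS Received from datamodel="ftnt_fos" where nodename="log.traffic" $devname$ $vdom$ $srcip$ $dstip$ $dstport$ groupby log.traffic.gapp, log.traffic.sappcat | sort -Sessions| rename log.traffic.gapp AS Application, log.traffic.sappcat AS Category</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="charting.chart">column</option>
+<option name="charting.axisY2.enabled">undefined</option>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
+<option name="charting.axisTitleX.visibility">collapsed</option>
+<option name="charting.axisTitleY.visibility">collapsed</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">none</option>
+<option name="wrap">true</option>
+<option name="rowNumbers">false</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">row</option>
+<option name="count">10</option>
+<drilldown>
+<link>
+<![CDATA[
+/app/SplunkAppForFortinet/search?q=| datamodel "ftnt_fos" "traffic" search | search log.traffic.gapp="$click.value$"&earliest=$time_token.earliest$&latest=$time_token.latest$]]>
+</link>
+</drilldown>
+</table>
+</panel>
+<panel>
+<title>Cloud Application</title>
+<table>
+<search>
+<query>| tstats summariesonly=true count(log.traffic.gapp) AS Sessions, sum(log.sentbyte) AS Sent sum(log.rcvdbyte) AS Received from datamodel="ftnt_fos" where nodename="log.traffic" $devname$ $vdom$ $srcip$ $dstip$ $dstport$ (log.traffic.sappcat="Video/Audio" OR log.traffic.sappcat="Storage.Backup" OR log.traffic.sappcat="Cloud.IT" OR log.traffic.sappcat="Collabroation") groupby log.traffic.gapp, log.traffic.sappcat | sort -Sent| rename log.traffic.gapp AS Application, log.traffic.sappcat AS Category</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="charting.chart">column</option>
+<option name="charting.axisY2.enabled">false</option>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
+<option name="charting.axisTitleX.visibility">collapsed</option>
+<option name="charting.axisTitleY.visibility">collapsed</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">none</option>
+<option name="wrap">true</option>
+<option name="rowNumbers">false</option>
+<option name="dataOverlayMode">none</option>
+<option name="drilldown">row</option>
+<option name="count">10</option>
+<drilldown>
+<link>
+<![CDATA[
+/app/SplunkAppForFortinet/search?q=| datamodel "ftnt_fos" "traffic" search | search log.traffic.gapp="$click.value$"&earliest=$time_token.earliest$&latest=$time_token.latest$]]>
+</link>
+</drilldown>
+</table>
+</panel>
+</row>
+<row>
+<panel>
+<title>Web Server Access</title>
+<chart>
+<search>
+<query>| tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm.webfilter" $devname$ $vdom$ $srcip$ GROUPBY log.utm.webfilter.hostname | sort -count | head 30</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="charting.chart">column</option>
+<option name="charting.axisY2.enabled">undefined</option>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
+<option name="charting.axisTitleX.visibility">collapsed</option>
+<option name="charting.axisTitleY.visibility">collapsed</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">none</option>
+<!--
+<drilldown>
+<link>
+<![CDATA[
+/app/SplunkAppForFortinet/search?q=`fortigate_webfilter` hostname="$click.value$"&earliest=$earliest$&latest=$latest$
+]]>
+</link>
+</drilldown>
+-->
+<drilldown>
+<link>
+<![CDATA[
+/app/SplunkAppForFortinet/search?q=| datamodel "ftnt_fos" "webfilter" search | search log.utm.webfilter.hostname="$click.value$"&earliest=$time_token.earliest$&latest=$time_token.latest$]]>
+</link>
+</drilldown>
+</chart>
+</panel>
+</row>
+<row>
+<panel>
+<title>Web Server Access By User</title>
+<chart>
+<search>
+<query>| tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm.webfilter" log.user!="" $devname$ $vdom$ $srcip$ $dstip$ $dstport$ GROUPBY log.suser | sort -count | head 30</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="charting.chart">column</option>
+<option name="charting.axisY2.enabled">undefined</option>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
+<option name="charting.axisTitleX.visibility">collapsed</option>
+<option name="charting.axisTitleY.visibility">collapsed</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">none</option>
+<drilldown>
+<link>
+<![CDATA[
+/app/SplunkAppForFortinet/search?q=`fortigate_webfilter` user="$click.value$"&earliest=$time_token.earliest$&latest=$time_token.latest$
+]]>
+</link>
+</drilldown>
+</chart>
+</panel>
+<panel>
+<title>Attacks</title>
+<chart>
+<search>
+<query>| tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm.ips" GROUPBY log.utm.ips.attack | sort -count | head 30</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="charting.chart">column</option>
+<option name="charting.axisY2.enabled">false</option>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
+<option name="charting.axisTitleX.visibility">collapsed</option>
+<option name="charting.axisTitleY.visibility">collapsed</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">none</option>
+<drilldown>
+<link>
+<![CDATA[
+/app/SplunkAppForFortinet/search?q=`fortigate_ips` attack="$click.value$"&earliest=$time_token.earliest$&latest=$time_token.latest$
+]]>
+</link>
+</drilldown>
+</chart>
+</panel>
+</row>
+</form>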
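Review bot: The three `type="text"` inputs (`srcip`, `dstip`, `dstport`) are spliced into every panel's `tstats ... where` clause as `log.srcip="$srcip$"` via prefix/suffix, so the typed value is raw SPL: a `"` inside the value closes the literal and the remainder of the text is parsed as part of the search, and because form tokens can be preset from the dashboard URL (`form.srcip=...`), a shared link can make the viewer's own session run search text they did not write. Simple XML's `|s` token filter quotes and escapes the value; the usual fix is to remove the `<prefix>`/`<suffix>` pairs on those three inputs and write `log.srcip=$srcip|s$` (likewise `dstip`, `dstport`) in each of the five panel queries — the `*` default still wildcards inside quotes. Two smaller inconsistencies in the same section: the Attacks panel query has no `$devname$ $vdom$` terms, so the Device and Virtual Domain selectors silently do nothing for it, and the Web Server Access By User panel filters on `log.user!=""` but groups by `log.suser`. `"Collabroation"` in the Cloud Application category list looks like a misspelling of "Collaboration"; if the real sappcat value is spelled correctly that `OR` branch never matches, which is worth confirming against the data model.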
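--- /dev/null
+++ b/[PATH-NOT-ON-PAGE]
@@ -0,0 +1,212 @@
+<form version="1.1">
+<label>VPN Dashboard</label>
+<description></description>
+<fieldset autoRun="true" submitButton="true">
+<input type="time" searchWhenChanged="true" token="time_token">
+<label></label>
+<default>
+<earliest>-60m@m</earliest>
+<latest>now</latest>
+</default>
+</input>
+<input type="dropdown" token="devname">
+<label>Device</label>
+<choice value="*">ANY</choice>
+<default>*</default>
+<prefix>log.devname="</prefix>
+<suffix>"</suffix>
+<search>
+<query>|`_ftnt_dropdown(log.system_event.vpn, log.devname)`</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<fieldForLabel>field_with_count</fieldForLabel>
+<fieldForValue>field</fieldForValue>
+</input>
+<input type="dropdown" token="vdom">
+<label>Virtual Domain</label>
+<prefix>log.vd="</prefix>
+<suffix>"</suffix>
+<choice value="*">ANY</choice>
+<search>
+<query>| `_ftnt_dropdown(log.system_event.vpn, log.vd)`</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<fieldForLabel>field_with_count</fieldForLabel>
+<fieldForValue>field</fieldForValue>
+<default>*</default>
+</input>
+<input type="dropdown" token="tunneltype">
+<label>Tunnel Type</label>
+<choice value="*">ANY</choice>
+<default>*</default>
+<prefix>log.system_event.vpn.tunneltype="</prefix>
+<suffix>"</suffix>
+<search>
+<query>|`_ftnt_dropdown(log.system_event.vpn, log.system_event.vpn.tunneltype)`</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<fieldForLabel>field_with_count</fieldForLabel>
+<fieldForValue>field</fieldForValue>
+</input>
+<input type="dropdown" token="user">
+<label>VPN user</label>
+<choice value="*">ANY</choice>
+<default>*</default>
+<prefix>log.user="</prefix>
+<suffix>"</suffix>
+<search>
+<query>|`_ftnt_dropdown(log.system_event.vpn, log.user)`</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<fieldForLabel>field_with_count</fieldForLabel>
+<fieldForValue>field</fieldForValue>
+</input>
+</fieldset>
+<row>
+<panel>
+<title>Throughput by VPN Tunnel</title>
+<chart>
+<search>
+<query>| tstats summariesonly=true last(log.system_event.vpn.tunnelname), last(log.sentbyte) AS Sent, last(log.rcvdbyte) AS Received FROM datamodel="ftnt_fos" WHERE nodename="log.system_event.vpn" log.sentbyte!=0 log.rcvdbyte!=0 $devname$ $vdom$ $tunneltype$ $user$ groupby log.system_event.vpn.tunnelname | rename log.system_event.vpn.tunnelname AS Tunnel_Name, | dedup Tunnel_Name |eval Received_MB = (Received/(1024*1024)) | eval Sent_MB = (Sent/(1024*1024))| eval Transferred = Received_MB + Sent_MB | sort -Transferred| Fields Tunnel_Name, Received_MB, Sent_MB | head 20</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="count">10</option>
+<option name="list.drilldown">full</option>
+<option name="list.wrap">1</option>
+<option name="maxLines">5</option>
+<option name="raw.drilldown">full</option>
+<option name="rowNumbers">0</option>
+<option name="table.drilldown">all</option>
+<option name="table.wrap">1</option>
+<option name="type">list</option>
+<fields>[]</fields>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
+<option name="charting.axisTitleX.visibility">collapsed</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.enabled">false</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">column</option>
+<option name="charting.chart.stackMode">stacked</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">stacked</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">right</option>
+<drilldown>
+<link>
+<![CDATA[
+/app/SplunkAppForFortinet/search?q=`fortigate_vpn` tunnelname="$click.value$" &earliest=$time_token.earliest$&latest=$time_token.latest$]]>
+</link>
+</drilldown>
+</chart>
+</panel>
+<panel>
+<title>Connections By Time</title>
+<chart>
+<search>
+<query>| tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.system_event.vpn" $devname$ $vdom$ $tunneltype$ $user$ (log.vendor_action="tunnel-up" OR log.vendor_action="phase2-up") GROUPBY _time | timechart values(count)</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="count">10</option>
+<option name="list.drilldown">full</option>
+<option name="list.wrap">1</option>
+<option name="maxLines">5</option>
+<option name="raw.drilldown">full</option>
+<option name="rowNumbers">0</option>
+<option name="table.drilldown">all</option>
+<option name="table.wrap">1</option>
+<option name="type">list</option>
+<fields>[]</fields>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">collapsed</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.enabled">false</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart">column</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">none</option>
+<option name="charting.axisTitleY.text">Connections</option>
+<drilldown>
+<link>
+<![CDATA[
+/app/SplunkAppForFortinet/search?q=`fortigate_vpn` (vendor_action="tunnel-up" OR vendor_action="phase2-up")&earliest=$time_token.earliest$&latest=$time_token.latest$]]>
+</link>
+</drilldown>
+</chart>
+</panel>
+</row>
+<row>
+<panel>
+<title>Latest Events</title>
+<table>
+<search>
+<query>| tstats summariesonly=true max(_time) AS NTime, last(log.system_event.vpn.tunnelname) AS Tunnel_Name, last(log.sentbyte) AS Sent, last(log.rcvdbyte) AS Received, last(log.system_event.vpn.tunneltype) AS Tunnel_Type, last(log.user) AS User, last(log.system_event.vpn.group) AS User_Group, last(log.system_event.vpn.duration) AS Duration_Sec FROM datamodel="ftnt_fos" WHERE nodename="log.system_event.vpn" log.sentbyte!=0 log.rcvdbyte!=0 $devname$ $vdom$ $tunneltype$ $user$ groupby _time log.system_event.vpn.tunnelname | sort -_time | eval Received_MB = (Received/(1024*1024))| eval Sent_MB = (Sent/(1024*1024)) |sort -_time| convert ctime(NTime) as Time | table Time, Tunnel_Name, Tunnel_Type, User, User_Group, Sent_MB, Received_MB, Duration_Sec</query>
+<earliest>$time_token.earliest$</earliest>
+<latest>$time_token.latest$</latest>
+</search>
+<option name="charting.chart">pie</option>
+<option name="charting.axisY2.enabled">false</option>
+<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
+<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
+<option name="charting.axisTitleX.visibility">visible</option>
+<option name="charting.axisTitleY.visibility">visible</option>
+<option name="charting.axisTitleY2.visibility">visible</option>
+<option name="charting.axisX.scale">linear</option>
+<option name="charting.axisY.scale">linear</option>
+<option name="charting.axisY2.scale">inherit</option>
+<option name="charting.chart.bubbleMaximumSize">50</option>
+<option name="charting.chart.bubbleMinimumSize">10</option>
+<option name="charting.chart.bubbleSizeBy">area</option>
+<option name="charting.chart.nullValueMode">gaps</option>
+<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
+<option name="charting.chart.stackMode">default</option>
+<option name="charting.chart.style">shiny</option>
+<option name="charting.drilldown">all</option>
+<option name="charting.layout.splitSeries">0</option>
+<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
+<option name="charting.legend.placement">right</option>
+<option name="wrap">true</option>
+<option name="rowNumbers">true</option>
+<option name="dataOverlayMode">none</option>
+<option name="list.drilldown">full</option>
+<option name="list.wrap">1</option>
+<option name="maxLines">5</option>
+<option name="raw.drilldown">full</option>
+<option name="table.drilldown">all</option>
+<option name="table.wrap">1</option>
+<option name="type">list</option>
+<option name="drilldown">none</option>
+<option name="count">10</option>
+</table>
+</panel>
+</row>
+</form>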
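Review bot: The Throughput by VPN Tunnel query contains `| rename log.system_event.vpn.tunnelname AS Tunnel_Name, | dedup Tunnel_Name` — the trailing comma leaves `rename` with an empty clause, which the SPL parser is likely to reject or at best tolerate silently — and the leading `last(log.system_event.vpn.tunnelname)` aggregate has no `AS` alias even though the same field is already the `groupby` key, so it only adds an unused column; `| rename log.system_event.vpn.tunnelname AS Tunnel_Name | dedup Tunnel_Name` together with dropping the unaliased aggregate would make the statement unambiguous. The same panel sets `<option name="charting.chart.stackMode">stacked</option>` twice, and `Fields` is capitalised where the other dashboards spell command names in lower case. The Connections By Time drilldown opens `fortigate_vpn` with only the tunnel-up/phase2-up condition and none of `$devname$ $vdom$ $tunneltype$ $user$`, so the pivot ignores the selectors the chart was filtered by. The Latest Events query also sorts `-_time` twice; the second `sort` is redundant.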
@ -0,0 +1,133 @@
|
||||
<form version="1.1">
|
||||
<label>Wireless Dashboard</label>
|
||||
<fieldset autoRun="true" submitButton="true">
|
||||
<input type="time" searchWhenChanged="true" token="time_token">
|
||||
<label></label>
|
||||
<default>
|
||||
<earliest>-60m@m</earliest>
|
||||
<latest>now</latest>
|
||||
</default>
|
||||
</input>
|
||||
<input type="dropdown" token="devname">
|
||||
<label>Device</label>
|
||||
<choice value="*">ANY</choice>
|
||||
<search>
|
||||
<query>| `_ftnt_dropdown(log.wireless, log.devname)`</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<fieldForLabel>field_with_count</fieldForLabel>
|
||||
<fieldForValue>field</fieldForValue>
|
||||
<prefix>log.devname="</prefix>
|
||||
<suffix>"</suffix>
|
||||
<default>*</default>
|
||||
<change>
|
||||
<set token="devname_label">$label$</set>
|
||||
<set token="devname_value">$value$</set>
|
||||
</change>
|
||||
</input>
|
||||
<input type="dropdown" token="vdom" searchWhenChanged="true">
|
||||
<label>Virtual Domain</label>
|
||||
<choice value="*">ANY</choice>
|
||||
<search>
|
||||
<query>| `_ftnt_dropdown(log.wireless, log.vd)`</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<fieldForLabel>field_with_count</fieldForLabel>
|
||||
<fieldForValue>field</fieldForValue>
|
||||
<prefix>log.vd="</prefix>
|
||||
<suffix>"</suffix>
|
||||
<default>*</default>
|
||||
<change>
|
||||
<set token="vdom_label">$label$</set>
|
||||
<set token="vdom_value">$value$</set>
|
||||
</change>
|
||||
</input>
|
||||
</fieldset>
|
||||
<row>
|
||||
<panel>
|
||||
<title>Top Client Per-AP</title>
|
||||
<chart>
|
||||
<search>
|
||||
<query>| tstats summariesonly=true dc(log.wireless.stamac) FROM datamodel="ftnt_fos" WHERE nodename="log.wireless" log.vendor_action="client-ip-detected" $devname$ $vdom$ GROUPBY log.wireless.ap | sort -dc(log.wireless.stamac) | head 30</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<option name="charting.chart">column</option>
|
||||
<option name="charting.axisY2.enabled">undefined</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
|
||||
<option name="charting.axisTitleX.visibility">collapsed</option>
|
||||
<option name="charting.axisTitleY.visibility">collapsed</option>
|
||||
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||
<option name="charting.axisX.scale">linear</option>
|
||||
<option name="charting.axisY.scale">linear</option>
|
||||
<option name="charting.axisY2.scale">inherit</option>
|
||||
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||
<option name="charting.chart.nullValueMode">gaps</option>
|
||||
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||
<option name="charting.chart.stackMode">default</option>
|
||||
<option name="charting.chart.style">shiny</option>
|
||||
<option name="charting.drilldown">all</option>
|
||||
<option name="charting.layout.splitSeries">0</option>
|
||||
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||
<option name="charting.legend.placement">none</option>
|
||||
<drilldown>
|
||||
<link>
|
||||
<![CDATA[
|
||||
/app/SplunkAppForFortinet/search?q= `fortigate_wireless` (vendor_action="client-ip-detected" devname="$devname_value$" vd="$vdom_value$") (ap="$click.value$")&earliest=$time_token.earliest$&latest=$time_token.latest$
|
||||
]]>
|
||||
</link>
|
||||
</drilldown>
|
||||
</chart>
|
||||
</panel>
|
||||
</row>
|
||||
<row>
|
||||
<panel>
|
||||
<title>Rogue AP</title>
|
||||
<table>
|
||||
<search>
|
||||
<query>| tstats summariesonly=true max(_time) AS NTime count FROM datamodel="ftnt_fos" WHERE nodename="log.wireless" $devname$ $vdom$ log.vendor_action="rogue-ap-detected" groupby log.wireless.apstatus, log.wireless.manuf, log.wireless.bssid, log.wireless.security, log.wireless.radioband, log.wireless.channel, log.wireless.sndetected, log.wireless.signal, log.wireless.onwire | rename log.wireless.apstatus AS Status, log.wireless.manuf AS Vendor, log.wireless.bssid AS BSSID, log.wireless.security AS Security, log.wireless.radioband AS RadioBand, log.wireless.channel AS Channel, log.wireless.sndetected AS Detected-By, log.wireless.signal AS Signal, log.wireless.onwire AS OnWire | sort -_time | convert ctime(NTime) as Time | table Time, Status, Vendor, BSSID, Security, RadioBand, Channel, Detected-By, Signal, OnWire</query>
|
||||
<earliest>$time_token.earliest$</earliest>
|
||||
<latest>$time_token.latest$</latest>
|
||||
</search>
|
||||
<option name="charting.chart">column</option>
|
||||
<option name="charting.axisY2.enabled">undefined</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
|
||||
<option name="charting.axisLabelsX.majorLabelStyle.rotation">45</option>
|
||||
<option name="charting.axisTitleX.visibility">collapsed</option>
|
||||
<option name="charting.axisTitleY.visibility">collapsed</option>
|
||||
<option name="charting.axisTitleY2.visibility">visible</option>
|
||||
<option name="charting.axisX.scale">linear</option>
|
||||
<option name="charting.axisY.scale">linear</option>
|
||||
<option name="charting.axisY2.scale">inherit</option>
|
||||
<option name="charting.chart.bubbleMaximumSize">50</option>
|
||||
<option name="charting.chart.bubbleMinimumSize">10</option>
|
||||
<option name="charting.chart.bubbleSizeBy">area</option>
|
||||
<option name="charting.chart.nullValueMode">gaps</option>
|
||||
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
|
||||
<option name="charting.chart.stackMode">default</option>
|
||||
<option name="charting.chart.style">shiny</option>
|
||||
<option name="charting.drilldown">all</option>
|
||||
<option name="charting.layout.splitSeries">0</option>
|
||||
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
|
||||
<option name="charting.legend.placement">none</option>
|
||||
<option name="wrap">true</option>
|
||||
<option name="rowNumbers">false</option>
|
||||
<option name="dataOverlayMode">none</option>
|
||||
<option name="list.drilldown">full</option>
|
||||
<option name="list.wrap">1</option>
|
||||
<option name="maxLines">5</option>
|
||||
<option name="raw.drilldown">full</option>
|
||||
<option name="table.drilldown">all</option>
|
||||
<option name="table.wrap">1</option>
|
||||
<option name="type">list</option>
|
||||
<option name="count">10</option>
|
||||
<option name="drilldown">none</option>
|
||||
</table>
|
||||
</panel>
|
||||
</row>
|
||||
</form>
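Review bot: The Rogue AP table's query ends with `| sort -_time` after a `tstats ... groupby`, but `_time` is not among the fields that tstats emits there (only `NTime`, `count` and the groupby fields survive), so the sort is a no-op and rows come out in groupby order rather than newest-first; use `| sort -NTime` before the `convert ctime(NTime) as Time` step. The same `<table>` carries the full set of `charting.*` options copied from the chart panel above it, which a table never reads; removing them makes the panel's intent easier to follow. The drilldown link on the first panel fills `devname="$devname_value$"` and `vd="$vdom_value$"` from tokens that are only set in the inputs' `<change>` handlers — if those handlers do not fire for the initial `*` default, the link goes out with empty filters; worth confirming in the UI before relying on it.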
|
||||
@ -0,0 +1,3 @@
|
||||
[ftnt_fos]
|
||||
acceleration = 0
|
||||
acceleration.earliest_time = -1mon
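Review bot: `acceleration = 0` here disables summaries for `ftnt_fos`, yet every dashboard panel and the `_ftnt_dropdown` macro in the following macros.conf hunk query the model with `tstats summariesonly=true` (see the Wireless Dashboard queries above); with no accelerated summary to read, those searches return no rows and every panel and dropdown renders empty. Either ship `acceleration = 1` — the `acceleration.earliest_time = -1mon` line already presumes acceleration is on — and note the tsidx disk and CPU cost, or drop `summariesonly=true` from the searches so they fall back to raw events. At minimum add a comment above the stanza such as `# dashboards query this model with tstats summariesonly=true; they stay empty until acceleration is enabled` so an installer knows why nothing shows.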
|
||||
@ -0,0 +1,11 @@
|
||||
########################
|
||||
#
|
||||
# Base Macros
|
||||
#
|
||||
########################
|
||||
|
||||
[_ftnt_dropdown(2)]
|
||||
args = node, field
|
||||
definition = tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="$node$" groupby $field$ | rename $field$ as field | eval field_with_count = field . " (" . count . ")"
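Review bot: The `_ftnt_dropdown(2)` stanza is undocumented beyond the `Base Macros` banner; the `args = node, field` line says nothing about what the two arguments must be or what the macro emits. Add above the stanza `# args: node = ftnt_fos datamodel node name (e.g. log.wireless); field = fully qualified field to enumerate (e.g. log.devname)` and `# emits: field, field_with_count ("<value> (<count>)") for dropdown value/label`. Both arguments are substituted unquoted into `nodename="$node$"` and `groupby $field$`, so only callers passing literal identifiers — as the dashboards do — are safe; a `validation` key such as `validation = match(field, "^[\w.]+$")` with a matching `errormsg` would make that contract explicit.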
|
||||
|
||||
|
||||
@ -0,0 +1,139 @@
|
||||
{
|
||||
"version": "1.0",
|
||||
"date": "2022-11-12T08:25:13.054927457Z",
|
||||
"hashAlgorithm": "SHA-256",
|
||||
"app": {
|
||||
"id": 2800,
|
||||
"version": "1.6.3",
|
||||
"files": [
|
||||
{
|
||||
"path": "static/appIconAlt.png",
|
||||
"hash": "afd0661f827ccaf16d7e486d0286304e2ce887706e82c29051fb861bf15adfcf"
|
||||
},
|
||||
{
|
||||
"path": "static/appIcon.png",
|
||||
"hash": "afd0661f827ccaf16d7e486d0286304e2ce887706e82c29051fb861bf15adfcf"
|
||||
},
|
||||
{
|
||||
"path": "static/appIconAlt_2x.png",
|
||||
"hash": "133e9a0aa2c545c102072ba8d6879509783688b213160c464aa4f0a72456e278"
|
||||
},
|
||||
{
|
||||
"path": "static/appIcon_2x.png",
|
||||
"hash": "133e9a0aa2c545c102072ba8d6879509783688b213160c464aa4f0a72456e278"
|
||||
},
|
||||
{
|
||||
"path": "README.txt",
|
||||
"hash": "894fbd7cb2aadf1f3632ea2b37ffcf3663aa18d06588bbb9294605aee976f17a"
|
||||
},
|
||||
{
|
||||
"path": "default/app.conf",
|
||||
"hash": "6515afdacbca57c8519e7324b03a9144b22877370b8a412c2505c37ce449a820"
|
||||
},
|
||||
{
|
||||
"path": "default/datamodels.conf",
|
||||
"hash": "1a39f248ce8df4353ab694c06788637a98cb9ba982db3b82d237c55bef7a3fbe"
|
||||
},
|
||||
{
|
||||
"path": "default/data/ui/nav/default.xml",
|
||||
"hash": "cc707ca52e88549a7072fc2f59ff1f2c531b7b8fa486e2a506e1dfbd4ae9ea5b"
|
||||
},
|
||||
{
|
||||
"path": "default/data/ui/views/threat_dashboard.xml",
|
||||
"hash": "575b2b82a003a6a51839750e25be8e1f645105d0ea43591af521902d6bea1a71"
|
||||
},
|
||||
{
|
||||
"path": "default/data/ui/views/wireless_dashboard.xml",
|
||||
"hash": "7a00e7e3d82dc30c012444d79c24c3861b676251a4f7f06bb919b92d9bb39a91"
|
||||
},
|
||||
{
|
||||
"path": "default/data/ui/views/overall.xml",
|
||||
"hash": "64d4031a91ec2c1dbcba31dab2e6f1c1207e360735df679a81c735e6f86e001f"
|
||||
},
|
||||
{
|
||||
"path": "default/data/ui/views/user_dashboard.xml",
|
||||
"hash": "53dc8d26e2eba3c3b33ffb834b440c9742c2851f332908cfc78e82a98146f579"
|
||||
},
|
||||
{
|
||||
"path": "default/data/ui/views/vpn_dashboard.xml",
|
||||
"hash": "32aa174ed6417b19803d031fed0461194f91d2ed40213112a213e39fbf0b7d62"
|
||||
},
|
||||
{
|
||||
"path": "default/data/ui/views/content_dashboard.xml",
|
||||
"hash": "9fa36ed479e778a1844dcd720e0da707f468bdcd9a7e318eb5de3a45a78e4603"
|
||||
},
|
||||
{
|
||||
"path": "default/data/ui/views/traffic_dashboard.xml",
|
||||
"hash": "e3ef94125002d864e5e4b450d9a4f790af19199c899dae2eb427b088e7e01d89"
|
||||
},
|
||||
{
|
||||
"path": "default/data/ui/views/utm_summary.xml",
|
||||
"hash": "296b6c199ddd5d1b0715e6024a4c34425478a13d9cc12ca75644ac0d4a34dbe9"
|
||||
},
|
||||
{
|
||||
"path": "default/data/ui/views/event_dashboard.xml",
|
||||
"hash": "4624c1401aff34289e05409a0d165bd97a7afd3326871a34752979fd86468f43"
|
||||
},
|
||||
{
|
||||
"path": "default/data/models/ftnt_fos.json",
|
||||
"hash": "c9d972eb3b2a2b8eee073024a5ad79900023f504593cfbb735a86c6132a36c6b"
|
||||
},
|
||||
{
|
||||
"path": "default/macros.conf",
|
||||
"hash": "0a3108d582be9c58f17eb209166eea3ebf58b04d854998007239f0408da6bc7b"
|
||||
},
|
||||
{
|
||||
"path": "EULA.pdf",
|
||||
"hash": "4b74b5ff9abd03f8e464aea123a0c9584740a2854d1fde93da80dd0a0c81a605"
|
||||
}
|
||||
]
|
||||
},
|
||||
"products": [
|
||||
{
|
||||
"platform": "splunk",
|
||||
"product": "enterprise",
|
||||
"versions": [
|
||||
"7.2",
|
||||
"7.3",
|
||||
"8.0",
|
||||
"8.1",
|
||||
"8.2",
|
||||
"9.0"
|
||||
],
|
||||
"architectures": [
|
||||
"x86_64"
|
||||
],
|
||||
"operatingSystems": [
|
||||
"windows",
|
||||
"linux",
|
||||
"macos",
|
||||
"freebsd",
|
||||
"solaris",
|
||||
"aix"
|
||||
]
|
||||
},
|
||||
{
|
||||
"platform": "splunk",
|
||||
"product": "cloud",
|
||||
"versions": [
|
||||
"7.2",
|
||||
"7.3",
|
||||
"8.0",
|
||||
"8.1",
|
||||
"8.2",
|
||||
"9.0"
|
||||
],
|
||||
"architectures": [
|
||||
"x86_64"
|
||||
],
|
||||
"operatingSystems": [
|
||||
"windows",
|
||||
"linux",
|
||||
"macos",
|
||||
"freebsd",
|
||||
"solaris",
|
||||
"aix"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -0,0 +1 @@
|
||||
1.6.7
|
||||
@ -0,0 +1,69 @@
|
||||
{
|
||||
"dependencies": null,
|
||||
"incompatibleApps": null,
|
||||
"info": {
|
||||
"author": [
|
||||
{
|
||||
"name": "splunk_app@fortinet.com",
|
||||
"email": null,
|
||||
"company": null
|
||||
}
|
||||
],
|
||||
"classification": {
|
||||
"categories": [
|
||||
"Security,Fraud & Compliance"
|
||||
],
|
||||
"developmentStatus": null,
|
||||
"intendedAudience": null
|
||||
},
|
||||
"commonInformationModels": {
|
||||
"Alerts": "==4.18.1",
|
||||
"Authentication": "==4.18.1",
|
||||
"Change": "==4.18.1",
|
||||
"Email": "==4.18.1",
|
||||
"IDS": "==4.18.1",
|
||||
"Malware": "==4.18.1",
|
||||
"Network Session": "==4.18.1",
|
||||
"Network Trafffic": "==4.18.1",
|
||||
"Performance": "==4.18.1",
|
||||
"Web": "==4.18.1"
|
||||
},
|
||||
"description": "Fortinet FortiGate Add-On for Splunk is the technical add-on (TA) developed by Fortinet, Inc. The add-on enables Splunk Enterprise to ingest or map security and traffic data collected from FortiGate physical and virtual appliances across domains.",
|
||||
"id": {
|
||||
"group": null,
|
||||
"name": "Splunk_TA_fortinet_fortigate",
|
||||
"version": "1.6.7"
|
||||
},
|
||||
"license": {
|
||||
"name": null,
|
||||
"text": null,
|
||||
"uri": null
|
||||
},
|
||||
"privacyPolicy": {
|
||||
"name": null,
|
||||
"text": null,
|
||||
"uri": null
|
||||
},
|
||||
"releaseDate": null,
|
||||
"releaseNotes": {
|
||||
"name": "README",
|
||||
"text": "README.txt",
|
||||
"uri": "https://splunkbase.splunk.com/app/2846/#/overview"
|
||||
},
|
||||
"title": "Fortinet Fortigate Add-on for Splunk"
|
||||
},
|
||||
"inputGroups": null,
|
||||
"platformRequirements": null,
|
||||
"schemaVersion": "2.0.0",
|
||||
"supportedDeployments": [
|
||||
"_standalone",
|
||||
"_distributed",
|
||||
"_search_head_clustering"
|
||||
],
|
||||
"targetWorkloads": [
|
||||
"_search_heads",
|
||||
"_indexers",
|
||||
"_forwarders"
|
||||
],
|
||||
"tasks": null
|
||||
}
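Review bot: `"Network Trafffic"` in `commonInformationModels` is misspelled (three f's); the CIM data model is `Network Traffic`, so this key does not declare compatibility with that model and tooling that validates the manifest will treat it as an unknown model name. Change the line to `"Network Trafffic": "==4.18.1"` → `"Network Traffic": "==4.18.1"`. The `==4.18.1` pin on every listed model is also unusually strict: each CIM release will mark the add-on incompatible until the manifest is re-cut, so if the TA is known to work with later CIM versions a lower-bound constraint is preferable — worth confirming what constraint forms the manifest schema accepts before changing it.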
|
||||
@ -0,0 +1,24 @@
|
||||
#
|
||||
# Splunk app configuration file
|
||||
#
|
||||
[install]
|
||||
is_configured = 0
|
||||
build = 1624973079
|
||||
|
||||
[ui]
|
||||
is_visible = 0
|
||||
label = Fortinet Fortigate Add-on for Splunk
|
||||
|
||||
[launcher]
|
||||
author = splunk_app@fortinet.com
|
||||
description = Fortinet FortiGate Add-On for Splunk is the technical add-on (TA) developed by Fortinet, Inc. The add-on enables Splunk Enterprise to ingest or map security and traffic data collected from FortiGate physical and virtual appliances across domains.
|
||||
version = 1.6.7
|
||||
|
||||
[package]
|
||||
id = Splunk_TA_fortinet_fortigate
|
||||
check_for_updates = 1
|
||||
|
||||
[id]
|
||||
name = Splunk_TA_fortinet_fortigate
|
||||
version = 1.6.7
|
||||
|
||||
@ -0,0 +1,7 @@
|
||||
<nav search_view="search" color="#800000">
|
||||
<view name="search" default='true' />
|
||||
<view name="data_models" />
|
||||
<view name="reports" />
|
||||
<view name="alerts" />
|
||||
<view name="dashboards" />
|
||||
</nav>
|
||||
@ -0,0 +1,110 @@
|
||||
[ftnt_fortigate]
|
||||
search = sourcetype=fgt_traffic OR sourcetype=fgt_utm OR sourcetype=fgt_event OR sourcetype=fgt_anomaly OR sourcetype=fortigate_traffic OR sourcetype=fortigate_utm OR sourcetype=fortigate_event OR sourcetype=fortigate_anomaly
|
||||
|
||||
[ftnt_fortigate_traffic]
|
||||
search = sourcetype=fgt_traffic OR sourcetype=fortigate_traffic
|
||||
|
||||
#[ftnt_fgt_traffic_start]
|
||||
#search = sourcetype=fgt_traffic
|
||||
|
||||
#[ftnt_fgt_traffic_end]
|
||||
#search = sourcetype=fgt_traffic
|
||||
|
||||
[ftnt_fortigate_utm]
|
||||
search = sourcetype=fortigate_utm OR sourcetype=fortigate_anomaly OR sourcetype = fgt_utm OR sourcetype=fgt_anomaly
|
||||
|
||||
[ftnt_fortigate_ips]
|
||||
search = (sourcetype=fortigate_utm OR sourcetype=fgt_utm) subtype=ips
|
||||
|
||||
[ftnt_fortigate_anomaly]
|
||||
search = (sourcetype=fortigate_anomaly OR sourcetype=fortigate_utm OR sourcetype=fgt_anomaly OR sourcetype=fgt_utm) subtype=anomaly
|
||||
|
||||
[ftnt_fortigate_virus]
|
||||
search = (sourcetype=fortigate_utm OR sourcetype=fgt_utm) subtype=virus vendor_action!=analytics
|
||||
|
||||
[ftnt_fortigate_netscan]
|
||||
search = (sourcetype=fortigate_utm OR sourcetype=fgt_utm) subtype=netscan
|
||||
|
||||
[ftnt_fortigate_spam]
|
||||
search = (sourcetype=fortigate_utm OR sourcetype=fgt_utm) subtype=spam
|
||||
|
||||
[ftnt_fortigate_webfilter]
|
||||
search = (sourcetype=fortigate_utm OR sourcetype=fgt_utm) subtype=webfilter
|
||||
|
||||
[ftnt_fortigate_appctrl]
|
||||
search = (sourcetype=fortigate_utm OR sourcetype=fgt_utm) subtype=app-ctrl
|
||||
|
||||
[ftnt_fortigate_event]
|
||||
search = sourcetype=fgt_event OR sourcetype=fortigate_event
|
||||
|
||||
[ftnt_fortigate_vpn]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=vpn
|
||||
|
||||
[ftnt_fortigate_vpn_cert_change]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=vpn logid IN("0101041984", "0101041987")
|
||||
|
||||
[ftnt_fortigate_vpn_auth]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=vpn (vendor_action=negotiate OR vendor_action=ssl-login-fail)
|
||||
|
||||
[ftnt_fortigate_vpn_start]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=vpn vendor_action IN("tunnel-up", "install_sa", "ssl-new-con", "ssl-web-pass")
|
||||
|
||||
[ftnt_fortigate_vpn_end]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) ((subtype=vpn AND vendor_action IN("tunnel-down", "delete_ipsec_sa", "ssl-web-close")) OR (logid=0107045061 AND connection_type="sslvpn"))
|
||||
|
||||
[ftnt_fortigate_wireless]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=wireless
|
||||
|
||||
[ftnt_fortigate_wireless_config_change]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=wireless vendor_action IN("oper-channel", "oper-txpower", "config-txpower", "country-config-success", "controller-cfg-loaded", "controller-up", "ap-join", "ap-add")
|
||||
|
||||
[ftnt_fortigate_wireless_client_auth]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=wireless (vendor_action=client-ip-detected OR vendor_action=client-deauthentication)
|
||||
|
||||
[ftnt_fortigate_wireless_client_authentication]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=wireless vendor_action IN("client-authentication", "user-sign-on-success", "user-sign-on", "user-sign-on-failure")
|
||||
|
||||
[ftnt_fortigate_wireless_client_deauthentication]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=wireless vendor_action=client-deauthentication
|
||||
|
||||
[ftnt_fortigate_system]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=system
|
||||
|
||||
[ftnt_fortigate_dhcp_ack]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=system logid=0100026001
|
||||
|
||||
[ftnt_fortigate_auth]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=user vendor_action=authentication (vendor_status=success OR vendor_status=failure)
|
||||
|
||||
[ftnt_fortigate_auth_privileged]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=system (vendor_action=login OR vendor_action=logout)
|
||||
|
||||
[ftnt_fortigate_auth_privileged_login]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=system vendor_action=login NOT (logid=0100022952 OR logid=0100022949)
|
||||
|
||||
[ftnt_fortigate_auth_privileged_logout]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=system vendor_action=logout
|
||||
|
||||
[ftnt_fortigate_perf_stats]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=system vendor_action=perf-stats
|
||||
|
||||
[ftnt_fortigate_cpu_stats]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=system vendor_action=cpu-usage
|
||||
|
||||
[ftnt_fortigate_config_change]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=system (vendor_action IN("Add", "Edit", "delete", "add-vdom", "pba-create", "pba-close") OR logid IN("0100032141", "0100041000", "0100032130", "0100032102"))
|
||||
|
||||
[ftnt_fortigate_restart]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=system (vendor_action=reboot OR vendor_action=shutdown)
|
||||
|
||||
[ftnt_fortigate_scanunit_db]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) logid IN("0100022815","0100022813")
|
||||
|
||||
[ftnt_fortigate_user_config_change]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) logid IN("0100032132","0102043039")
|
||||
|
||||
[ftnt_fortigate_alerts]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) logid IN("0101041990", "0101041992", "0101039946", "0100046600", "0101053103", "0100032006", "0100022918", "0100022952", "0100022949", "0100036883", "0101039944")
|
||||
|
||||
[ftnt_fortigate_detected_ip_using_dhcp]
|
||||
search = (sourcetype=fortigate_event OR sourcetype=fgt_event) logid=0104043579
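Review bot: The `ftnt_fortigate_utm` search writes `sourcetype = fgt_utm` with spaces around `=` while every other stanza uses the `sourcetype=fgt_utm` form; keep one form, `search = sourcetype=fortigate_utm OR sourcetype=fortigate_anomaly OR sourcetype=fgt_utm OR sourcetype=fgt_anomaly`. `logid` values are quoted inside the `IN(...)` lists but bare in `logid=0107045061`, `logid=0100026001` and `logid=0104043579`; these are zero-padded strings, so quoting them everywhere removes any chance of a numeric comparison dropping the leading zero and makes the stanzas read consistently. The commented-out `#[ftnt_fgt_traffic_start]` and `#[ftnt_fgt_traffic_end]` stanzas near the top carry no explanation — either delete them or add one comment line stating why they are retained.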
|
||||
@ -0,0 +1,55 @@
|
||||
########################
|
||||
#
|
||||
# Base Macros
|
||||
#
|
||||
########################
|
||||
|
||||
|
||||
[fortigate_traffic]
|
||||
definition = eventtype=ftnt_fortigate_traffic
|
||||
|
||||
[fortigate_utm]
|
||||
definition = eventtype=ftnt_fortigate_utm
|
||||
|
||||
[fortigate_event]
|
||||
definition = eventtype=ftnt_fortigate_event
|
||||
|
||||
[fortigate_logs]
|
||||
definition = `fortigate_traffic` OR `fortigate_utm` OR `fortigate_event`
|
||||
|
||||
[fortigate_virus]
|
||||
definition = `fortigate_utm` subtype=virus
|
||||
|
||||
[fortigate_ips]
|
||||
definition = `fortigate_utm` (subtype=ips OR subtype=anomaly)
|
||||
|
||||
[fortigate_anomaly]
|
||||
definition = `fortigate_utm` subtype=anomaly
|
||||
|
||||
[fortigate_appctrl]
|
||||
definition = `fortigate_utm` subtype=app-ctrl
|
||||
|
||||
[fortigate_webfilter]
|
||||
definition = `fortigate_utm` subtype=webfilter
|
||||
|
||||
[fortigate_spam]
|
||||
definition = `fortigate_utm` subtype=spam
|
||||
|
||||
[fortigate_netscan]
|
||||
definition = `fortigate_utm` subtype=netscan
|
||||
|
||||
[fortigate_dlp]
|
||||
definition = `fortigate_utm` subtype=dlp
|
||||
|
||||
[fortigate_vpn]
|
||||
definition = `fortigate_event` subtype=vpn
|
||||
|
||||
[fortigate_wireless]
|
||||
definition = `fortigate_event` subtype=wireless
|
||||
|
||||
[fortigate_auth]
|
||||
definition = `fortigate_event` subtype=user
|
||||
|
||||
[fortigate_system]
|
||||
definition = `fortigate_event` subtype=system
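Review bot: `fortigate_ips` matches `subtype=ips OR subtype=anomaly`, while the companion eventtype `ftnt_fortigate_ips` in the eventtypes.conf hunk above matches `subtype=ips` only and `fortigate_anomaly` already covers `subtype=anomaly`; a search built on the macro and one built on the eventtype will count different events under the same name. Either drop the `OR subtype=anomaly` clause from the `fortigate_ips` definition, or document the intentional superset with a comment above the stanza, e.g. `# ips deliberately includes anomaly (DoS) detections; use fortigate_anomaly for those alone`. None of the stanzas carries a `description` key, which Splunk surfaces in the macro editor; one line each would make the file self-explanatory.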
|
||||
|
||||
@ -0,0 +1,231 @@
|
||||
[fortigate_log]
|
||||
TRANSFORMS-force_sourcetype_fortigate = force_sourcetype_fortigate
|
||||
SHOULD_LINEMERGE = false
|
||||
EVENT_BREAKER_ENABLE = true
|
||||
|
||||
[fgt_log]
|
||||
TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fortigate
|
||||
SHOULD_LINEMERGE = false
|
||||
EVENT_BREAKER_ENABLE = true
|
||||
|
||||
[fortigate_traffic]
|
||||
TIME_PREFIX = ^
|
||||
SHOULD_LINEMERGE = false
|
||||
EVENT_BREAKER_ENABLE = true
|
||||
KV_MODE = none
|
||||
REPORT-field_extract = field_extract
|
||||
ANNOTATE_PUNCT = false
|
||||
EVAL-vendor = "Fortinet"
|
||||
EVAL-product = "Firewall"
|
||||
EVAL-vendor_product = "Fortinet Firewall"
|
||||
EVAL-product_version = coalesce(logver, "50")
|
||||
EVAL-devname = coalesce(devname, devid)
|
||||
FIELDALIAS-fortigate_traffic_dvc = devname as dvc
|
||||
FIELDALIAS-fortigate_traffic_vendor_eventtype = eventtype as vendor_eventtype
|
||||
FIELDALIAS-fortigate_traffic_vendor_transport = transport as vendor_transport
|
||||
FIELDALIAS-vendor_action = action as vendor_action
|
||||
FIELDALIAS-vendor_status = status as vendor_status
|
||||
EVAL-ftnt_action = coalesce(utmaction, vendor_action, vendor_status)
|
||||
LOOKUP-fortigate_traffic_action = ftnt_action_lookup ftnt_action OUTPUT action
|
||||
EVAL-sentbyte = coalesce(sentdelta, sentbyte)
|
||||
EVAL-rcvdbyte = coalesce(rcvddelta, rcvdbyte)
|
||||
EVAL-bytes = coalesce(rcvddelta + sentdelta, rcvdbyte + sentbyte)
|
||||
EVAL-bytes_in = coalesce(rcvddelta, rcvdbyte)
|
||||
EVAL-bytes_out = coalesce(sentdelta, sentbyte)
|
||||
FIELDALIAS-fortigate_traffic_dest_ip = dstip as dest_ip
|
||||
FIELDALIAS-fortigate_traffic_dest = dstip as dest
|
||||
FIELDALIAS-fortigate_traffic_dest_interface = dstintf as dest_interface
|
||||
FIELDALIAS-fortigate_traffic_dst_mac = dstmac as dest_mac
|
||||
FIELDALIAS-fortigate_traffic_dest_port = dstport as dest_port
|
||||
FIELDALIAS-fortigate_traffic_dest_translated_ip = tranip as dest_translated_ip
|
||||
FIELDALIAS-fortigate_traffic_dest_translated_port = tranport as dest_translated_port
|
||||
EVAL-packets = (rcvdpkt + sentpkt)
|
||||
EVAL-protocol_version = case(isnotnull(srcip), if(match(srcip,":"), "ipv6", "ipv4"), isnotnull(dstip), if(match(dstip,":"), "ipv6", "ipv4"))
|
||||
EVAL-wifi = if(isnotnull(radioband), replace(radioband,",.*",""), null)
|
||||
EVAL-tcp_flag = if(vendor_action IN("server-rst","client-rst"), "RST", tcp_flag)
|
||||
FIELDALIAS-fortigate_traffic_packets_in = rcvdpkt as packets_in
|
||||
FIELDALIAS-fortigate_traffic_packets_out = sentpkt as packets_out
|
||||
FIELDALIAS-fortigate_traffic_rule = poluuid as rule
|
||||
FIELDALIAS-fortigate_traffic_rule_id = policyid as rule_id
|
||||
FIELDALIAS-fortigate_traffic_session_id = sessionid as session_id
|
||||
FIELDALIAS-fortigate_traffic_src = srcip as src
|
||||
FIELDALIAS-fortigate_traffic_src_interface = srcintf as src_interface
|
||||
FIELDALIAS-fortigate_traffic_src_ip = srcip as src_ip
|
||||
FIELDALIAS-fortigate_traffic_src_mac = srcmac as src_mac
|
||||
FIELDALIAS-fortigate_traffic_src_port = srcport as src_port
|
||||
FIELDALIAS-fortigate_traffic_src_translated_ip = transip as src_translated_ip
|
||||
FIELDALIAS-fortigate_traffic_src_translated_port = srcport as src_translated_port
|
||||
FIELDALIAS-fortigate_traffic_src_zone = srcintfrole as src_zone
|
||||
FIELDALIAS-fortigate_traffic_dest_zone = dstintfrole as dest_zone
|
||||
EVAL-ssid = coalesce(srcssid, dstssid)
|
||||
LOOKUP-fortigate_traffic_ftnt_protocol_lookup = ftnt_protocol_lookup proto OUTPUT transport,protocol
|
||||
EVAL-app = coalesce(app, service, transport)
|
||||
EVAL-user = coalesce(user, unauthuser)
|
||||
|
||||
[fgt_traffic]
|
||||
rename = fortigate_traffic
|
||||
|
||||
[fortigate_utm]
|
||||
#subtype app-ctrl webfilter virus voip ips
|
||||
TIME_PREFIX = ^
|
||||
SHOULD_LINEMERGE = false
|
||||
EVENT_BREAKER_ENABLE = true
|
||||
KV_MODE = none
|
||||
REPORT-field_extract = field_extract, extract_file_and_file_path, extract_url_domain
|
||||
ANNOTATE_PUNCT = false
|
||||
FIELDALIAS-fortigate_utm_dest_ip = dstip as dest_ip
|
||||
FIELDALIAS-fortigate_utm_vendor_eventtype = eventtype as vendor_eventtype
|
||||
FIELDALIAS-fortigate_utm_vendor_url = url as vendor_url
|
||||
FIELDALIAS-vendor_action = action as vendor_action
|
||||
FIELDALIAS-vendor_status = status as vendor_status
|
||||
EVAL-severity = coalesce(severity, crlevel, apprisk, "informational")
|
||||
EVAL-vendor = "Fortinet"
|
||||
EVAL-product = "Firewall"
|
||||
EVAL-vendor_product = "Fortinet Firewall"
|
||||
EVAL-ids_type = "network"
|
||||
EVAL-product_version = coalesce(logver, "50")
|
||||
EVAL-devname = coalesce(devname, devid)
|
||||
FIELDALIAS-fortigate_utm_dvc = devname as dvc
|
||||
EVAL-ftnt_action = coalesce(vendor_action, vendor_status)
|
||||
EVAL-protocol_version = case(isnotnull(srcip), if(match(srcip,":"), "ipv6", "ipv4"), isnotnull(dstip), if(match(dstip,":"), "ipv6", "ipv4"))
|
||||
LOOKUP-fortigate_utm_action = ftnt_action_lookup ftnt_action OUTPUT action
|
||||
FIELDALIAS-fortigate_utm_rule_id = policyid as rule_id
|
||||
FIELDALIAS-fortigate_utm_src_zone = srcintfrole as src_zone
|
||||
FIELDALIAS-fortigate_utm_dest_zone = dstintfrole as dest_zone
|
||||
FIELDALIAS-fortigate_utm_dest_interface = dstintf as dest_interface
|
||||
FIELDALIAS-fortigate_utm_dest = dstip as dest
|
||||
FIELDALIAS-fortigate_utm_dest_port = dstport as dest_port
|
||||
FIELDALIAS-fortigate_utm_dst_mac = dstmac as dst_mac
|
||||
FIELDALIAS-fortigate_utm_session_id = sessionid as session_id
|
||||
FIELDALIAS-fortigate_utm_src_interface = srcintf as src_interface
|
||||
FIELDALIAS-fortigate_utm_src_ip = srcip as src_ip
|
||||
FIELDALIAS-fortigate_utm_src = srcip as src
|
||||
FIELDALIAS-fortigate_utm_src_port = srcport as src_port
|
||||
FIELDALIAS-fortigate_utm_src_mac = srcmac as src_mac
|
||||
EVAL-bytes = (rcvdbyte + sentbyte)
|
||||
FIELDALIAS-fortigate_utm_bytes_in = rcvdbyte as bytes_in
|
||||
FIELDALIAS-fortigate_utm_bytes_out = sentbyte as bytes_out
|
||||
FIELDALIAS-fortigate_utm_http_referrer = referralurl as http_referrer
|
||||
FIELDALIAS-http_user_agent = agent as http_user_agent
|
||||
FIELDALIAS-fortigate_utm_site = hostname as site
|
||||
FIELDALIAS-fortigate_utm_file_hash = analyticscksum as file_hash
|
||||
EVAL-file_name = coalesce(filename,file_name)
|
||||
EVAL-file_path = if(match(vendor_url,"^\/"),hostname+file_path,file_path)
|
||||
EVAL-url = if(match(vendor_url,"^\/"),hostname+vendor_url,vendor_url)
|
||||
EVAL-url_domain = coalesce(url_domain,if(match(hostname,"^(?:\d+\.){3}\d+"),null(),hostname))
|
||||
EVAL-signature = coalesce(attack, attackname, virus)
|
||||
FIELDALIAS-signature_id = attackid as signature_id
|
||||
EVAL-category = coalesce(attack, attackname, virus, catdesc, dtype,case(subtype=="app-ctrl", appcat, subtype=="webfilter", urlsource))
|
||||
EVAL-app = coalesce(app,service)
|
||||
LOOKUP-fortigate_protocol_lookup = ftnt_protocol_lookup proto OUTPUT transport,protocol
|
||||
|
||||
[fgt_utm]
|
||||
rename = fortigate_utm
|
||||
|
||||
[fortigate_anomaly]
|
||||
TIME_PREFIX = ^
|
||||
SHOULD_LINEMERGE = false
|
||||
EVENT_BREAKER_ENABLE = true
|
||||
KV_MODE = none
|
||||
REPORT-field_extract = field_extract
|
||||
ANNOTATE_PUNCT = false
|
||||
FIELDALIAS-fortigate_utm_vendor_eventtype = eventtype as vendor_eventtype
|
||||
FIELDALIAS-fortigate_utm_vendor_url = url as vendor_url
|
||||
FIELDALIAS-vendor_action = action as vendor_action
|
||||
FIELDALIAS-vendor_status = status as vendor_status
|
||||
EVAL-severity = coalesce(severity, crlevel, apprisk, "informational")
|
||||
EVAL-vendor = "Fortinet"
|
||||
EVAL-product = "Firewall"
|
||||
EVAL-ids_type = "network"
|
||||
EVAL-product_version = coalesce(logver, "50")
|
||||
EVAL-devname = coalesce(devname, devid)
|
||||
FIELDALIAS-fortigate_utm_dvc = devname as dvc
|
||||
EVAL-ftnt_action = coalesce(vendor_action, vendor_status)
|
||||
LOOKUP-fortigate_utm_action = ftnt_action_lookup ftnt_action OUTPUT action
|
||||
FIELDALIAS-fortigate_utm_dest_interface = dstintf as dest_interface
|
||||
FIELDALIAS-fortigate_utm_dest = dstip as dest
|
||||
FIELDALIAS-fortigate_utm_dest_port = dstport as dest_port
|
||||
FIELDALIAS-fortigate_utm_dst_mac = dstmac as dst_mac
|
||||
FIELDALIAS-fortigate_utm_session_id = sessionid as session_id
|
||||
FIELDALIAS-fortigate_utm_src_interface = srcintf as src_interface
|
||||
FIELDALIAS-fortigate_utm_src_ip = srcip as src
|
||||
FIELDALIAS-fortigate_utm_src_port = srcport as src_port
|
||||
FIELDALIAS-fortigate_utm_src_mac = srcmac as src_mac
|
||||
EVAL-bytes = (rcvdbyte + sentbyte)
|
||||
FIELDALIAS-fortigate_utm_bytes_in = rcvdbyte as bytes_in
|
||||
FIELDALIAS-fortigate_utm_bytes_out = sentbyte as bytes_out
|
||||
FIELDALIAS-fortigate_utm_http_method = reqtype as http_method
|
||||
FIELDALIAS-fortigate_utm_http_referrer = referralurl as http_referrer
|
||||
FIELDALIAS-fortigate_utm_http_status = vendor_action as status
|
||||
FIELDALIAS-http_user_agent = agent as http_user_agent
|
||||
FIELDALIAS-fortigate_utm_site = hostname as site
|
||||
FIELDALIAS-fortigate_utm_file_hash = analyticscksum as file_hash
|
||||
FIELDALIAS-fortigate_utm_file_name = filename as file_name
|
||||
FIELDALIAS-fortigate_utm_file_path = vendor_url as file_path
|
||||
EVAL-url = coalesce(hostname + vendor_url, vendor_url)
|
||||
EVAL-signature = coalesce(attack, attackname, virus)
|
||||
EVAL-category = coalesce(attack, attackname, virus, catdesc, dtype)
|
||||
|
||||
[fgt_anomaly]
|
||||
rename = fortigate_anomaly
|
||||
|
||||
[fortigate_event]
|
||||
TIME_PREFIX = ^
|
||||
SHOULD_LINEMERGE = false
|
||||
EVENT_BREAKER_ENABLE = true
|
||||
KV_MODE = none
|
||||
REPORT-field_extract = field_extract, extract_cim_fields_for_user
|
||||
ANNOTATE_PUNCT = false
|
||||
EVAL-vendor = "Fortinet"
|
||||
EVAL-product = "Firewall"
|
||||
EVAL-vendor_product = "Fortinet Firewall"
|
||||
FIELDALIAS-vendor_action = action as vendor_action
|
||||
FIELDALIAS-vendor_status = status as vendor_status
|
||||
## Don't remove unknown from vendor_status eval because of lookup dependency.
|
||||
EVAL-vendor_status = coalesce(vendor_status, "unknown")
|
||||
EVAL-status = if(logid IN("0100041000","0102043039","0100032132"),"success",coalesce(status, case(logid IN("0100032141","0100044547","0104043575","0104043588","0104043594","0104043591","0104043593","0104043551","0104043597","0100032301","0104043612","0104043611","0100022016","0100022015","0100032130","0100032102","0100022813","0100022815"),"success")))
|
||||
FIELDALIAS-fortigate_event_vendor_url = url as vendor_url
|
||||
FIELDALIAS-fortigate_event_vendor_eventtype = eventtype as vendor_eventtype
|
||||
FIELDALIAS-mem_used = mem as mem_used
|
||||
EVAL-mem_free = 100 - mem_used
|
||||
EVAL-log_action = case(logid IN("0101041984","0100022815","0100022813"), "read", logid IN("0101041987","0100032141","0100041000","0100032102"), "modified", logid=="0100026001", "added", logid=="0100032132", "Local user added", logid=="0100032130", "User changed", true(), action)
|
||||
LOOKUP-fortigate_event_action = ftnt_event_action_lookup subtype vendor_action as log_action vendor_status OUTPUT action, change_type
|
||||
LOOKUP-fortigate_severity = ftnt_severity_lookup level OUTPUT severity,severity_id
|
||||
EVAL-product_version = coalesce(logver, "50")
|
||||
EVAL-devname = coalesce(devname, devid)
|
||||
FIELDALIAS-fortigate_event_dvc = devname as dvc
|
||||
EVAL-user = coalesce(user_name, if(xauthuser=="N/A",null(),xauthuser))
|
||||
EVAL-user_name = coalesce(user_name, if(xauthuser=="N/A",null(),xauthuser))
|
||||
|
||||
FIELDALIAS-fortigate_system_cpu = cpu as cpu_load_percent
|
||||
EVAL-object = coalesce(cfgobj,case(logid IN("0100022016","0100022015"), poolname, logid IN("0101041984","0101041987","0100032130","0100032132"), name, logid=="0100032141", field, logid IN ("0104043551","0104043597"), replace(msg,"^AP\s*(.*?)\s(?:joined\.|added)","\1"), match(logdesc,"^Physical AP radio"), "radio", logid=="0104043575", "client-"+stamac, logid IN("0100032003","0102043039"), user, logid=="0100032301", replace(msg,"Virtual\sdomain\s(.*?)\sis\sadded","\1"), logid=="0104043612", "wireless controller cfg", logid=="0100041000", "FortiGate", logid=="0104043611", "wireless controller", logid=="0100032102", replace(msg,"Configuration\sis\schanged\sin\sthe\s(.*)","\1"), logid IN("0100022813","0100022815"), "Scanunit"))
|
||||
EVAL-object_attrs = coalesce(cfgattr, case(vendor_action=="oper-channel", "channel", vendor_action=="oper-txpower", "txpower", vendor_action=="config-txpower", "cfgtxpower",vendor_action=="country-config-success", "country " + configcountry, logid IN("0100022813","0100022815"), "AV Database", logid IN("0101041984","0101041987"), "cert-type"))
|
||||
EVAL-object_category = case(logid IN("0104043575","0100032003","0100032130","0102043039","0100032132"), "user", match(logdesc,"^Physical AP radio") OR logid IN("0100032141","0100044547","0104043551","0104043597","0100032301","0104043611","0100022016","0100022015","0100041000","0100032102","0100022813","0100022815"), "configuration",logid IN("0101041984","0101041987","0104043612"), "file")
|
||||
EVAL-object_id = coalesce(cfortigateid, cfgtid, case(logid IN("0104043551","0104043597"), ap,logid=="0104043575", stamac, match(logdesc,"^Physical AP radio"), radioid))
|
||||
EVAL-object_path = coalesce(cfgpath,case(match(logdesc,"^Physical AP radio"),replace(msg,"\sradio.*","")))
|
||||
EVAL-result = coalesce(result, logdesc)
|
||||
EVAL-user_type = case(match(logdesc,"^Admin log(?:out|in)"), "Admin", logid=="0104043575", "Wireless client")
|
||||
EVAL-src_user_type = case(match(logdesc,"^Admin log(?:out|in)"), "Admin", logid=="0104043575", "Wireless client")
|
||||
EVAL-tunnelname = coalesce(vpntunnel,tunnelid)
|
||||
REPORT-src_ip_from_ui = src_ip_from_ui
|
||||
EVAL-src = coalesce(srcip, remip, src_ip_from_ui, case(logid IN("0104043588","0104043594","0104043591","0104043593","0104043551"),ip))
|
||||
EVAL-src_ip = coalesce(srcip, remip, src_ip_from_ui, case(logid IN("0104043588","0104043594","0104043591","0104043593","0104043551"),ip))
|
||||
EVAL-dest = coalesce(if(dstip=="N/A",null(),dstip), locip, ssid, case(logid IN("0100032141","0100032301","0100044547","0101039426","0104043588","0104043594","0104043591","0104043593","0104043551","0104043597","0101041984","0101041987","0101041990","0100022952","0101041992","0104043612","0104043611","0100040705","0100022016","0100022015","0100041000","0100032130","0100022918","0100040704","0100022949","0100036883","0100032102","0101039944","0102043039","0100032132","0100022813","0100022815","0100032001","0100032003"),dvc, logid=="0100026001", ip))
|
||||
EVAL-dest_ip = coalesce(if(dstip=="N/A",null(),dstip), locip, case(logid=="0100026001", ip))
|
||||
EVAL-signature = case(logid IN("0104043579","0101041990","0100022952","0101041992","0101039946","0100046600","0101053103","0100032006","0100022918","0100040704","0100026001","0101039425","0100022949","0100036883","0101039944","0100040704","0101039940","0101037135","0101039948","0101037133"), logdesc, logid IN("0101039424","0101039938"), tunneltype, logid=="0101039943", tunneltype+" "+subtype, logid=="0107045061", connection_type)
|
||||
EVAL-dest_mac = coalesce(dest_mac,case(logid=="0100026001", mac))
|
||||
EVAL-resource_type = coalesce(resource_type, case(logid IN("0100040704","0100040705"),"system"))
|
||||
EVAL-src_port_range = case(logid IN("0100022015","0100022016"), portbegin+"-"+portend)
|
||||
EVAL-src_ip_range = if(logid=="0100022015",saddr,null())
|
||||
EVAL-dest_ip_range = if(logid=="0100022015",saddr,null())
|
||||
FIELDALIAS-body = msg as body
|
||||
FIELDALIAS-id = logid as id
|
||||
FIELDALIAS-fortigate_wireless_src_mac = stamac as src_mac
|
||||
FIELDALIAS-fortigate_wireless_src_interface = vap as src_interface
|
||||
FIELDALIAS-lease_duration = lease as lease_duration
|
||||
EVAL-wifi = if(isnotnull(radioband), replace(radioband,",.*",""), null)
|
||||
EVAL-app = case(logid=="0101039944", tunneltype+" vpn", logid=="0101039946", "vpn", true(), coalesce(authproto,tunneltype,security,case(logid IN("0101041990","0101041992","0101053103","0101037127","0101037121"), "vpn", logid=="0100022918", "FortiGuard",logid IN("0100022952","0100022949"), "FortiCloud",logid IN("0100046600","0100032006","0100036883"), "system", logid IN("0100032002","0100032001"), "FortiOS")))
|
||||
FIELDALIAS-authentication_service = security as authentication_service
|
||||
|
||||
[fgt_event]
|
||||
rename = fortigate_event
|
||||
@ -0,0 +1,107 @@
|
||||
[eventtype=ftnt_fortigate_traffic]
|
||||
network = enabled
|
||||
communicate = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_appctrl]
|
||||
network = enabled
|
||||
communicate = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_webfilter]
|
||||
web = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_virus]
|
||||
malware = enabled
|
||||
attack = enabled
|
||||
operations = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_spam]
|
||||
email = enabled
|
||||
filter = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_ips]
|
||||
ids = enabled
|
||||
attack = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_anomaly]
|
||||
ids = enabled
|
||||
attack = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_auth]
|
||||
authentication = enabled
|
||||
default = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_wireless_client_authentication]
|
||||
authentication = enabled
|
||||
default = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_wireless_client_deauthentication]
|
||||
change = enabled
|
||||
network = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_auth_privileged_login]
|
||||
authentication = enabled
|
||||
privileged = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_auth_privileged_logout]
|
||||
change = enabled
|
||||
account = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_vpn_auth]
|
||||
authentication = enabled
|
||||
default = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_vpn_cert_change]
|
||||
change = enabled
|
||||
network = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_dhcp_ack]
|
||||
network = enabled
|
||||
session = enabled
|
||||
dhcp = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_detected_ip_using_dhcp]
|
||||
network = enabled
|
||||
session = enabled
|
||||
start = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_vpn_start]
|
||||
network = enabled
|
||||
session = enabled
|
||||
vpn = enabled
|
||||
start = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_vpn_end]
|
||||
network = enabled
|
||||
session = enabled
|
||||
vpn = enabled
|
||||
end = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_perf_stats]
|
||||
os = enabled
|
||||
performance = enabled
|
||||
cpu = enabled
|
||||
memory = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_cpu_stats]
|
||||
performance = enabled
|
||||
cpu = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_restart]
|
||||
change = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_scanunit_db]
|
||||
change = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_user_config_change]
|
||||
change = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_config_change]
|
||||
change = enabled
|
||||
network = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_wireless_config_change]
|
||||
change = enabled
|
||||
network = enabled
|
||||
|
||||
[eventtype=ftnt_fortigate_alerts]
|
||||
alert = enabled
|
||||
@ -0,0 +1,45 @@
|
||||
##sourcetype
|
||||
[force_sourcetype_fortigate]
|
||||
SOURCE_KEY = _raw
|
||||
DEST_KEY = MetaData:Sourcetype
|
||||
REGEX = ^.+?devid=\"?F(?:G|W|\dK).+?(?:\s|\,|\,\s)type=\"?(traffic|utm|event|anomaly)
|
||||
FORMAT = sourcetype::fortigate_$1
|
||||
|
||||
## LOOKUP
|
||||
|
||||
[ftnt_protocol_lookup]
|
||||
filename = ftnt_protocol_info.csv
|
||||
|
||||
[ftnt_action_lookup]
|
||||
filename = ftnt_action_info.csv
|
||||
|
||||
[ftnt_event_action_lookup]
|
||||
filename = ftnt_event_action_info.csv
|
||||
|
||||
[ftnt_severity_lookup]
|
||||
filename = ftnt_severity_info.csv
|
||||
|
||||
## REPORT
|
||||
|
||||
[field_extract]
|
||||
DELIMS = "\ ,", "="
|
||||
|
||||
[src_ip_from_ui]
|
||||
SOURCE_KEY = ui
|
||||
REGEX = ((?:\d+\.){3}\d+)
|
||||
FORMAT = src_ip_from_ui::$1
|
||||
|
||||
[extract_cim_fields_for_user]
|
||||
SOURCE_KEY = user
|
||||
REGEX = ^(?:N\/A$|(((.*))))
|
||||
FORMAT = src_user::$1 src_user_name::$2 user_name::$3
|
||||
|
||||
[extract_file_and_file_path]
|
||||
SOURCE_KEY = url
|
||||
REGEX = ^((?:[^?]*[\/])([^?]*))
|
||||
FORMAT = file_path::$1 file_name::$2
|
||||
|
||||
[extract_url_domain]
|
||||
SOURCE_KEY = url
|
||||
REGEX = ^(?:[^:]+:\/\/)?(?!(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|\S+:\/\/))([^:\/]+)
|
||||
FORMAT = url_domain::$1
|
||||
|
|
|
|
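Review bot: The `[field_extract]` stanza splits every event on space and comma via `DELIMS`, which as far as I know does not honor double quotes, so any quoted value containing a space or comma — the sample events carry `msg="User leolee succeeded in logout"`, `agent="Mozilla/5.0 (Windows NT 6.1; WOW64) ..."` and `url=` values with embedded commas — is fragmented, and, more importantly, an attacker-controlled value (a requested URL, a User-Agent, an attempted username) can smuggle its own `key=value` tokens into the extracted fields; `status`, `action` and `user` are later consumed by `EVAL-status`, `ftnt_event_action_lookup` and the CIM user fields, so a login attempt with username `x status=success` would add a second `status` value. Because the `[fortigate_event]` props stanza sets `KV_MODE = none` and relies on this report, I would replace the delimiter extraction with a quote-aware regex, e.g. `REGEX = ([\w\-]+)=(?:"([^"]*)"|([^\s,]+))` and `FORMAT = $1::$2$3` (verify that the concatenated `$2$3` substitution is accepted by the Splunk version in use, otherwise fall back to `_KEY_1`/`_VAL_1` named groups, and check the `== "N/A"` comparisons in props still match once quotes are no longer part of the value). A quick validation is to index a few of the sample events and compare `msg`, `url` and `cfgattr` before and after.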
@ -0,0 +1,5 @@
|
||||
[]
|
||||
access = read : [ * ], write : [ * ]
|
||||
export = system
|
||||
version = 6.2.4
|
||||
modtime = 1439517297.392860000
|
||||
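Review bot: `access = read : [ * ], write : [ * ]` in the catch-all `[]` stanza, together with `export = system`, lets every Splunk role modify every knowledge object this app ships and exports globally — the `ftnt_*` lookup CSVs that drive `action`/`severity` normalization, the eventtypes and the tags — so an unprivileged search user could, for example, rewrite `ftnt_severity_info.csv` or an IPS eventtype and silently blind any alert built on the CIM fields. Restrict write to the administrative roles: `access = read : [ * ], write : [ admin ]`, adding `power` only if that role is expected to maintain the lookups. Per-object stanzas can still open up individual lookups later if a workflow needs it.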
@ -0,0 +1,3 @@
|
||||
date=2015-08-11 time=19:25:33 clusterid=FGHA001500704701_CID logver=52 devname=FGT-FortiToken1 devid=FGHA001500704701_CID logid=0102043040 type=event subtype=user level=notice vd=root logdesc="FortiGuard authentication status" srcip=x.x.x.x dstip=N/A policyid=0 user="leolee" group="N/A" authproto="leolee(x.x.x.x)" action=authentication status=logout reason="N/A" msg="User leolee succeeded in logout"
|
||||
date=2015-08-11 time=19:25:32 clusterid=FGHA001500704701_CID logver=52 devname=FGT-FortiToken1 devid=FGHA001500704701_CID logid=0102043040 type=event subtype=user level=notice vd=root logdesc="FortiGuard authentication status" srcip=x.x.x.x dstip=N/A policyid=0 user="leolee" group="UG_Dialup_VPN" authproto="leolee(x.x.x.x)" action=authentication status=logout reason="N/A" msg="User leolee succeeded in logout"
|
||||
date=2015-08-11 time=19:21:27 clusterid=FGHA001500704701_CID logver=52 devname=FGT-FortiToken1 devid=FGHA001500704701_CID logid=0102043040 type=event subtype=user level=notice vd=root logdesc="FortiGuard authentication status" srcip=x.x.x.x dstip=N/A policyid=0 user="chrisnavarrete" group="N/A" authproto="chrisnavarrete(x.x.x.x)" action=authentication status=logout reason="N/A" msg="User chrisnavarrete succeeded in logout"
|
||||
@ -0,0 +1,6 @@
|
||||
date=2015-08-11 time=19:25:12 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0100032003 type=event subtype=system level=information vd=root logdesc="Admin logout successful" sn=1439346295 user="fortiguard-it" ui=ssh(x.x.x.x) action=logout status=success duration=17 reason=exit msg="Administrator fortiguard-it logged out from ssh(x.x.x.x)"
|
||||
date=2015-08-11 time=19:25:12 devname=2M-Colo1 devid=FG200D4613800211 logid=0100032003 type=event subtype=system level=information vd=root user="fortiguard-it" ui=ssh(x.x.x.x) action=logout status=success duration=17 reason=exit msg="Administrator fortiguard-it logged out from ssh(x.x.x.x)"
|
||||
date=2015-08-11 time=19:24:55 devname=2M-Colo1 devid=FG200D4613800211 logid=0100032001 type=event subtype=system level=information vd=root user="fortiguard-it" ui=ssh(x.x.x.x) action=login status=success reason=none profile="FortiGuard" msg="Administrator fortiguard-it logged in successfully from ssh(x.x.x.x)"
|
||||
date=2015-08-11 time=19:24:55 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0100032001 type=event subtype=system level=information vd=root logdesc="Admin login successful" sn=1439346295 user="fortiguard-it" ui=ssh(x.x.x.x) action=login status=success reason=none profile="FortiGuard" msg="Administrator fortiguard-it logged in successfully from ssh(x.x.x.x)"
|
||||
date=2015-08-11 time=19:21:56 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0100032003 type=event subtype=system level=information vd=root logdesc="Admin logout successful" sn=1439346099 user="fortiguard-it" ui=ssh(x.x.x.x) action=logout status=success duration=17 reason=exit msg="Administrator fortiguard-it logged out from ssh(x.x.x.x)"
|
||||
date=2015-08-11 time=19:21:56 devname=2M-Colo1 devid=FG200D4613800211 logid=0100032003 type=event subtype=system level=information vd=root user="fortiguard-it" ui=ssh(x.x.x.x) action=logout status=success duration=17 reason=exit msg="Administrator fortiguard-it logged out from ssh(x.x.x.x)"
|
||||
@ -0,0 +1,4 @@
|
||||
date=2015-08-11 time=17:51:33 clusterid=FGHA001500704701_CID logver=52 devname=FGT-FortiToken1 devid=FGHA001500704701_CID logid=0100044547 type=event subtype=system level=information vd=root logdesc="Object attribute configured" user="FGT_ha_admin" ui="ha_daemon" action=Edit cfgtid=2826195 cfgpath="user.fortitoken" cfgobj="FTKMOB47ED6DD69D" cfgattr="activation-expire[Tue Aug 18 17:49:32 2015->Tue Aug 18 17:49:32 2015]activation-code[DEIKXAXC4O4JO4I4->DEIKXAXC4O4JO4I4]license[EFTM200021556100->EFTM200021556100]" msg="Edit user.fortitoken FTKMOB47ED6DD69D"
|
||||
date=2015-08-11 time=17:51:33 clusterid=FGHA001500704701_CID logver=52 devname=FGT-FortiToken1 devid=FGHA001500704701_CID logid=0100044547 type=event subtype=system level=information vd=root logdesc="Object attribute configured" user="FGT_ha_admin" ui="ha_daemon" action=Edit cfgtid=2826194 cfgpath="user.fortitoken" cfgobj="FTKMOB47ED6DD69D" cfgattr="activation-expire[Tue Aug 18 17:49:32 2015->Tue Aug 18 17:49:32 2015]activation-code[DEIKXAXC4O4JO4I4->DEIKXAXC4O4JO4I4]license[EFTM200021556100->EFTM200021556100]" msg="Edit user.fortitoken FTKMOB47ED6DD69D"
|
||||
date=2015-08-11 time=17:51:33 clusterid=FGHA001500704701_CID logver=52 devname=FGT-FortiToken1 devid=FGHA001500704701_CID logid=0100044547 type=event subtype=system level=information vd=root logdesc="Object attribute configured" user="FGT_ha_admin" ui="ha_daemon" action=Edit cfgtid=2826193 cfgpath="user.fortitoken" cfgobj="FTKMOB5374362440" cfgattr="activation-expire[Mon Jul 6 08:36:02 2015->N/A]activation-code[DEIFUSXL6VJX42K5->]license[EFTM200036296700->EFTM200036296700]seed[yjfZOwDwMDCfTj2hnldZvFP8mDBqLQSzcVxobe9cgld9cKxT3WyX/QbOPYlrVrwsdQR2jrLZsWqPmCNo7P/XKJu0qWmAxMbnQUkK4CQTvJELIgCLzhZZ69znadXWK8RmzT49oq6Du9Krve9M8E3lonjZxx9HbOa7Mq+T+sMo2A4d+v8t->]" msg="Edit user.fortitoken FTKMOB5374362440"
|
||||
date=2015-08-11 time=17:49:37 clusterid=FGHA001500704701_CID logver=52 devname=FGT-FortiToken1 devid=FGHA001500704701_CID logid=0100044547 type=event subtype=system level=information vd=root logdesc="Object attribute configured" user="charlihchen" ui="GUI(x.x.x.x)" action=Edit cfgtid=2760243 cfgpath="user.local" cfgobj="gzhang" cfgattr="fortitoken[FTKMOB5374362440->FTKMOB47ED6DD69D]" msg="Edit user.local gzhang"
|
||||
@ -0,0 +1,3 @@
|
||||
date=2015-08-11 time=19:04:57 devname=2M-Colo1 devid=FG200D4613800211 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=root severity=medium srcip=x.x.x.x dstip=x.x.x.x srcintf="wan1" dstintf="dmz1" policyid=36 identidx=0 sessionid=815439641 status=detected proto=6 service=http count=1 attackname="FCKeditor.CurrentFolder.Arbitrary.File.Upload" srcport=58214 dstport=80 attackid=17570 sensor="all_default" ref="http://www.fortinet.com/ids/VID17570" incidentserialno=267824612 msg="applications3: FCKeditor.CurrentFolder.Arbitrary.File.Upload,"
|
||||
date=2015-08-11 time=19:03:55 devname=2M-Colo1 devid=FG200D4613800211 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=root severity=critical srcip=x.x.x.x dstip=x.x.x.x srcintf="wan1" dstintf="dmz1" policyid=36 identidx=0 sessionid=815436844 status=detected proto=6 service=https count=1 attackname="OpenSSL.TLS.Heartbeat.Information.Disclosure" srcport=33782 dstport=443 attackid=38307 sensor="all_default" ref="http://www.fortinet.com/ids/VID38307" incidentserialno=116664577 msg="applications: OpenSSL.TLS.Heartbeat.Information.Disclosure,"
|
||||
date=2015-08-11 time=19:01:09 devname=2M-Colo1 devid=FG200D4613800211 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=root severity=medium srcip=x.x.x.x dstip=x.x.x.x srcintf="wan1" dstintf="dmz1" policyid=36 identidx=0 sessionid=815428740 status=detected proto=6 service=http count=1 attackname="FCKeditor.CurrentFolder.Arbitrary.File.Upload" srcport=59990 dstport=80 attackid=17570 sensor="all_default" ref="http://www.fortinet.com/ids/VID17570" incidentserialno=625870517 msg="applications3: FCKeditor.CurrentFolder.Arbitrary.File.Upload,"
|
||||
@ -0,0 +1,6 @@
|
||||
date=2015-08-11 time=19:29:36 devname=2M-Colo2 devid=FG200D3913801010 logid=0100040704 type=event subtype=system level=notice vd=root action="perf-stats" cpu=0 mem=36 totalsession=178 msg="Performance statistics"
|
||||
date=2015-08-11 time=19:29:31 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0100040704 type=event subtype=system level=notice vd=root logdesc="System performance statistics" action="perf-stats" cpu=26 mem=52 totalsession=257 disk=72 bandwidth=794/734 setuprate=0 disklograte=20 fazlograte=20 msg="Performance statistics: average CPU: 26, memory: 52, concurrent sessions: 257, setup-rate: 0"
|
||||
date=2015-08-11 time=19:29:22 devname=US-Wifi-AC2 devid=FG800C3913801927 logid=0100100040704 type=event subtype=system level=notice vd="root" logdesc="System performance statistics" action="perf-stats" cpu=1 mem=25 totalsession=526 disk=2 bandwidth=95/131 setuprate=0 disklograte=0 fazlograte=0 msg="Performance statistics: average CPU: 1, memory: 25, concurrent sessions: 526, setup-rate: 0"
|
||||
date=2015-08-11 time=19:28:49 devname=US-Wifi-AC1 devid=FG800C3913802024 logid=0100100040704 type=event subtype=system level=notice vd="root" logdesc="System performance statistics" action="perf-stats" cpu=1 mem=55 totalsession=2115 disk=9 bandwidth=3602/1082 setuprate=11 disklograte=31 fazlograte=31 msg="Performance statistics: average CPU: 1, memory: 55, concurrent sessions: 2115, setup-rate: 11"
|
||||
date=2015-08-11 time=19:27:53 clusterid=FGHA001500704701_CID logver=52 devname=FGT-FortiToken1 devid=FGHA001500704701_CID logid=0100040704 type=event subtype=system level=notice vd=root logdesc="System performance statistics" action="perf-stats" cpu=1 mem=57 totalsession=547 disk=8 bandwidth=467/439 setuprate=5 disklograte=5 fazlograte=5 msg="Performance statistics: average CPU: 1, memory: 57, concurrent sessions: 547, setup-rate: 5"
|
||||
date=2015-08-11 time=19:27:50 logver=52 devname=US-IDF185_1 devid=FG3K2C3Z13800659 logid=0100040704 type=event subtype=system level=notice vd=root logdesc="System performance statistics" action="perf-stats" cpu=1 mem=54 totalsession=4871 disk=1 bandwidth=30260/29390 setuprate=15 disklograte=0 fazlograte=50 msg="Performance statistics: average CPU: 1, memory: 54, concurrent sessions: 4871, setup-rate: 15"
|
||||
@ -0,0 +1,5 @@
|
||||
date=2015-08-11 time=19:19:43 devname=Nosey devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=fe80::20c:29ff:fe77:20d4 srcintf="port3" dstip=ff02::1:ff77:20d4 dstintf="port3" sessionid=408903 proto=58 action=accept policyid=2 dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=:: transport=0 service="icmp6/131/0" duration=36 sentbyte=0 rcvdbyte=40 sentpkt=0 rcvdpkt=0 appid=16321 app="IPv6.ICMP" appcat="Network.Service" apprisk=elevated applist="sniffer-profile" appact=detected utmaction=allow countapp=1
|
||||
date=2015-08-11 time=19:19:43 devname=Nosey devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=x.x.x.x srcport=0 srcintf="port3" dstip=x.x.x.x dstport=0 dstintf="port3" sessionid=5026 proto=50 action=accept policyid=2 dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=x.x.x.x transport=0 service="esp" duration=33 sentbyte=0 rcvdbyte=204904 sentpkt=0 rcvdpkt=0 appid=16312 app="ESP.IP" appcat="Network.Service" apprisk=elevated applist="sniffer-profile" appact=detected utmaction=allow countapp=1
|
||||
date=2015-08-11 time=19:19:43 devname=Nosey devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=x.x.x.x srcport=9909 srcintf="port1" dstip=x.x.x.x dstport=20386 dstintf="port1" sessionid=305 proto=17 action=accept policyid=1 dstcountry="China" srccountry="United States" trandisp=snat transip=x.x.x.x transport=0 service="udp/20386" duration=58 sentbyte=7879 rcvdbyte=197537 sentpkt=0 rcvdpkt=0 appcat="unscanned"
|
||||
date=2015-08-11 time=19:19:43 devname=Nosey devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=x.x.x.x srcport=62176 srcintf="port1" dstip=x.x.x.x dstport=1194 dstintf="port1" sessionid=3364 proto=17 action=accept policyid=1 dstcountry="Japan" srccountry="United States" trandisp=snat transip=x.x.x.x transport=0 service="udp/1194" duration=46 sentbyte=187792 rcvdbyte=17758 sentpkt=0 rcvdpkt=0 appcat="unscanned" devtype="Windows PC" osname="Windows" osversion="7" mastersrcmac=00:09:0f:97:ef:e4 srcmac=00:09:0f:97:ef:e4
|
||||
date=2015-08-11 time=19:19:43 devname=Nosey devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=x.x.x.x srcport=60832 srcintf="port1" dstip=x.x.x.x dstport=443 dstintf="port1" sessionid=12512 proto=17 action=accept policyid=1 dstcountry="United States" srccountry="United States" trandisp=snat transip=x.x.x.x transport=0 service="udp/443" duration=10 sentbyte=202281 rcvdbyte=3089 sentpkt=0 rcvdpkt=0 appcat="unscanned" devtype="Windows PC" osname="Windows" osversion="7" mastersrcmac=00:09:0f:97:ef:e4 srcmac=00:09:0f:97:ef:e4
|
||||
@ -0,0 +1,4 @@
|
||||
date=2015-08-11 time=19:21:02 logver=52 devname=US-Corp_Main1 devid=FGT37D4613800138 logid=0201009233 type=utm subtype=virus level=notice vd=root msg="File submitted to Sandbox." action=analytics service=HTTP sessionid=1490839738 srcip=x.x.x.x dstip=x.x.x.x srcport=51211 dstport=80 srcintf="External-SDC" dstintf="DMZ" proto=6 direction=incoming filename="functions.js" quarskip=No-skip url="http://oa.fortinet.com/js/functions.js" profile="scan+sandbox" user="" agent="Mozilla/5.0" analyticscksum="0362a2dfabddf155aea6183c04ee7e00e5455d0560882d27b348b9ef1421ba53" analyticssubmit=true
|
||||
date=2015-08-11 time=19:21:02 devname=Nosey devid=FG800C3912801080 logid=0201009233 type=utm subtype=virus eventtype=analytics level=notice vd="root" msg="File submitted to Sandbox." action=analytics service=HTTP sessionid=416045 srcip=x.x.x.x dstip=x.x.x.x srcport=63987 dstport=80 srcintf="port1" dstintf="port1" proto=6 direction=incoming quarskip=No-skip url="http://hq.sinajs.cn/?func=WidgetRecentZixuanInsert();&list=s_sh600030,s_sh601988,s_sh601766,s_sh600021,s_sh601989,s_sz002024,s_sz00016" profile="sniffer-profile" user="" agent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36" analyticscksum="a0eb116ee56af75852b7ce4e21da18fefe45586bf123fadde7298aaae4c356b1" analyticssubmit=true
|
||||
date=2015-08-11 time=19:21:02 devname=Nosey devid=FG800C3912801080 logid=0201009233 type=utm subtype=virus eventtype=analytics level=notice vd="root" msg="File submitted to Sandbox." action=analytics service=HTTP sessionid=416043 srcip=x.x.x.x dstip=x.x.x.x srcport=63986 dstport=80 srcintf="port1" dstintf="port1" proto=6 direction=incoming filename="rn=1439346063419&list=s_sh000001,s_sz399001,s_sh000300,s_sz3994" quarskip=No-skip url="http://hq.sinajs.cn/rn=1439346063419&list=s_sh000001,s_sz399001,s_sh000300,s_sz399415,s_sz399006" profile="sniffer-profile" user="" agent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36" analyticscksum="ce441fbeb2b83ec1bccde14017c4012da52589fe61efcbfeeeecc0bea87089f0" analyticssubmit=true
|
||||
date=2015-08-11 time=19:21:02 devname=Nosey devid=FG800C3912801080 logid=0201009233 type=utm subtype=virus eventtype=analytics level=notice vd="root" msg="File submitted to Sandbox." action=analytics service=HTTP sessionid=416042 srcip=x.x.x.x dstip=x.x.x.x srcport=63985 dstport=80 srcintf="port1" dstintf="port1" proto=6 direction=incoming filename="list=s_sh600146,s_sz000753" quarskip=No-skip url="http://hq.sinajs.cn/list=s_sh600146,s_sz000753" profile="sniffer-profile" user="" agent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36" analyticscksum="301c8026a761ea7bc967db9f1f447b0f9ecc011d387866d0fc8eef83972e819e" analyticssubmit=true
|
||||
@ -0,0 +1,8 @@
|
||||
date=2015-08-11 time=19:22:15 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037127 type=event subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="dff154934f2418ec/e111711492ca17ca" user="richard_b" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="Richard_Basile_ph1" status=success init=local mode=xauth dir=outbound stage=1 role=initiator result=OK
|
||||
date=2015-08-11 time=19:22:15 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037127 type=event subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="dff154934f2418ec/e111711492ca17ca" user="richard_b" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="Richard_Basile_ph1" status=success init=local mode=aggressive dir=inbound stage=2 role=initiator result=DONE
|
||||
date=2015-08-11 time=19:22:15 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037127 type=event subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="dff154934f2418ec/e111711492ca17ca" user="richard_b" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="Richard_Basile_ph1" status=success init=remote mode=aggressive dir=inbound stage=2 role=responder result=DONE
|
||||
date=2015-08-11 time=19:22:15 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037127 type=event subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="dff154934f2418ec/e111711492ca17ca" user="richard_b" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="Richard_Basile_ph1" status=success init=remote mode=aggressive dir=outbound stage=1 role=responder result=OK
|
||||
date=2015-08-11 time=19:22:15 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037134 type=event subtype=vpn level=notice vd=root logdesc="IPsec phase 1 SA deleted" msg="delete IPsec phase 1 SA" action=delete_phase1_sa remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="ec919861a41622a3/e8c2a6a9eb4d7727" user="thor_e" group="N/A" xauthuser="tevenhouse" xauthgroup="N/A" assignip=N/A vpntunnel="Thor_Evenhouse_ph1"
|
||||
date=2015-08-11 time=19:22:15 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037121 type=event subtype=vpn level=error vd=root logdesc="Negotiate IPsec phase 1" msg="negotiate IPsec phase 1" action=negotiate remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="ec919861a41622a3/e8c2a6a9eb4d7727" user="thor_e" group="N/A" xauthuser="tevenhouse" xauthgroup="N/A" assignip=N/A vpntunnel="Thor_Evenhouse_ph1" status=failure result="XAUTH authentication failed"
|
||||
date=2015-08-11 time=19:22:15 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037134 type=event subtype=vpn level=notice vd=root logdesc="IPsec phase 1 SA deleted" msg="delete IPsec phase 1 SA" action=delete_phase1_sa remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="ad4dba0c4669e0fd/572014b0c5fc7e70" user="andres_h" group="N/A" xauthuser="aherrera" xauthgroup="N/A" assignip=N/A vpntunnel="Andres_Herrera_ph1"
|
||||
date=2015-08-11 time=19:22:15 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037121 type=event subtype=vpn level=error vd=root logdesc="Negotiate IPsec phase 1" msg="negotiate IPsec phase 1" action=negotiate remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="ad4dba0c4669e0fd/572014b0c5fc7e70" user="andres_h" group="N/A" xauthuser="aherrera" xauthgroup="N/A" assignip=N/A vpntunnel="Andres_Herrera_ph1" status=failure result="XAUTH authentication failed"
|
||||
@ -0,0 +1,5 @@
|
||||
date=2015-08-11 time=19:21:48 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037135 type=event subtype=vpn level=notice vd=root logdesc="IPsec phase 2 SA deleted" msg="delete IPsec phase 2 SA" action=delete_ipsec_sa remip=x.x.x.x locip=x.x.x.x remport=1024 locport=4500 outintf="port6" cookies="d3bb987a97b70dd9/bf23f465ba89f8a5" user="nathan_r" group="N/A" xauthuser="masohan" xauthgroup="UG_S2S_VPN" assignip=N/A vpntunnel="Nathan_Riehl-ph1_0" in_spi="17e66f2" out_spi="2e7d0e3d"
|
||||
date=2015-08-11 time=19:21:27 clusterid=FGHA001500704701_CID logver=52 devname=FGT-FortiToken1 devid=FGHA001500704701_CID logid=0101039948 type=event subtype=vpn level=information vd=root logdesc="SSL VPN tunnel down" action="tunnel-down" tunneltype="ssl-tunnel" tunnelid=1709264498 remip=x.x.x.x tunnelip=x.x.x.x user="chrisnavarrete" group="UG_Dialup_VPN_2" dst_host="N/A" reason="N/A" duration=516 sentbyte=2666584 rcvdbyte=1375905 msg="SSL tunnel shutdown"
|
||||
date=2015-08-11 time=19:21:20 logver=52 devname=US-Corp_Main1 devid=FGT37D4613800138 logid=0101037135 type=event subtype=vpn level=notice vd=root logdesc="IPsec phase 2 SA deleted" msg="delete IPsec phase 2 SA" action=delete_ipsec_sa remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="External-SDC" cookies="a89d6b3b8dd53bb8/a5c59764925b7d9d" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="Miami_ph1" in_spi="e2c9fd31" out_spi="e760bc42"
|
||||
date=2015-08-11 time=19:20:30 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037135 type=event subtype=vpn level=notice vd=root logdesc="IPsec phase 2 SA deleted" msg="delete IPsec phase 2 SA" action=delete_ipsec_sa remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="7967fecde2c3f0c5/c453c72aca6537ad" user="intruguard" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="Intruguard_ph1_0" in_spi="f35a6a5f" out_spi="2e7d0e3a"
|
||||
date=2015-08-11 time=19:20:28 logver=52 devname=US-Corp_Main1 devid=FGT37D4613800138 logid=0101037135 type=event subtype=vpn level=notice vd=root logdesc="IPsec phase 2 SA deleted" msg="delete IPsec phase 2 SA" action=delete_ipsec_sa remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="External-SDC" cookies="42b66b99542b6bce/03b78c05252fc0a3" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="India_HTC_ph1" in_spi="c343b300" out_spi="e760bc41"
|
||||
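Review bot: The scrubbing of these sample events stops at the IP addresses — `remip`/`locip` are `x.x.x.x`, but real-looking user identities (`user="nathan_r" xauthuser="masohan"`, `user="chrisnavarrete"`), tunnel names built from people's names (`vpntunnel="Nathan_Riehl-ph1_0"`), and appliance serials in `devid`/`clusterid` (`FGHA002020594551_CID`, `FGT37D4613800138`, `FGHA001500704701_CID`) are left intact in every line of the hunk. Serials and usernames are exactly what is useful for fingerprinting or targeting the deployment these logs came from, and they add nothing to a parsing fixture. Suggest replacing them with obviously synthetic values that keep the same shape, e.g. `devid=FGT000000000001 user="vpnuser1" xauthuser="vpnuser1" vpntunnel="tunnel1_ph1"`, so the field extractions still exercise the same key set. The IKE `cookies=` and `in_spi`/`out_spi` values are less sensitive but could be normalised the same way for consistency.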
@ -0,0 +1,5 @@
|
||||
date=2015-08-11 time=19:22:21 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037133 type=event subtype=vpn level=notice vd=root logdesc="IPsec SA installed" msg="install IPsec SA" action=install_sa remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="e89a7cb47e1cebbf/2804eb970b646c7a" user="praveenl" group="N/A" xauthuser="plokesh" xauthgroup="UG_S2S_VPN" assignip=N/A vpntunnel="Praveen_Lokesh_ph1_0" role=responder in_spi="2e7d0e72" out_spi="091159af"
|
||||
date=2015-08-11 time=19:22:18 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037133 type=event subtype=vpn level=notice vd=root logdesc="IPsec SA installed" msg="install IPsec SA" action=install_sa remip=x.x.x.x locip=x.x.x.x remport=4500 locport=4500 outintf="port6" cookies="c9b12b0b3f2afe2d/c26311f8fb3facf6" user="sai-raj" group="N/A" xauthuser="srajamahanthi" xauthgroup="UG_S2S_VPN" assignip=N/A vpntunnel="Sai_Rajamahanthi_ph1" role=responder in_spi="2e7d0e71" out_spi="c60b7fb2"
|
||||
date=2015-08-11 time=19:22:14 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037133 type=event subtype=vpn level=notice vd=root logdesc="IPsec SA installed" msg="install IPsec SA" action=install_sa remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="e89a7cb47e1cebbf/2804eb970b646c7a" user="praveenl" group="N/A" xauthuser="plokesh" xauthgroup="UG_S2S_VPN" assignip=N/A vpntunnel="Praveen_Lokesh_ph1_0" role=responder in_spi="2e7d0e70" out_spi="091159ae"
|
||||
date=2015-08-11 time=19:21:40 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037133 type=event subtype=vpn level=notice vd=root logdesc="IPsec SA installed" msg="install IPsec SA" action=install_sa remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="e89a7cb47e1cebbf/2804eb970b646c7a" user="praveenl" group="N/A" xauthuser="plokesh" xauthgroup="UG_S2S_VPN" assignip=N/A vpntunnel="Praveen_Lokesh_ph1_0" role=responder in_spi="2e7d0e6f" out_spi="091159ad"
|
||||
date=2015-08-11 time=19:21:27 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037133 type=event subtype=vpn level=notice vd=root logdesc="IPsec SA installed" msg="install IPsec SA" action=install_sa remip=x.x.x.x locip=x.x.x.x remport=1024 locport=4500 outintf="port6" cookies="d3bb987a97b70dd9/bf23f465ba89f8a5" user="nathan_r" group="N/A" xauthuser="masohan" xauthgroup="UG_S2S_VPN" assignip=N/A vpntunnel="Nathan_Riehl-ph1_0" role=responder in_spi="2e7d0e6e" out_spi="017e66f3
|
||||
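Review bot: The last event in this hunk is truncated — it ends `out_spi="017e66f3` with no closing quote, whereas every other event closes the value (`out_spi="091159af"`). A key=value extractor that honours quoting will either drop that field or swallow the rest of the line, so if these samples are what the sourcetype's extractions are validated against (presumably, given the `samples/` path in the manifest below), this line silently weakens that check. Fix is the one-character change `out_spi="017e66f3"`. As in the sibling sample files, the usernames and `devid`/`clusterid` serials here are real-looking and could be replaced with synthetic placeholders at the same time.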
@ -0,0 +1,5 @@
|
||||
date=2015-08-11 time=19:21:40 logver=52 devname=US-Corp_Main1 devid=FGT37D4613800138 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd=root sessionid=1490844879 user="" srcip=x.x.x.x srcport=50367 srcintf="External-SDC" dstip=x.x.x.x dstport=443 dstintf="Internal" proto=6 service=HTTPS hostname="asset.myfortinet.com" profile="scan" action=passthrough reqtype=direct url="/" sentbyte=1418 rcvdbyte=507 direction=outgoing msg="URL belongs to an allowed category in policy" method=domain cat=52 catdesc="Information Technology"
|
||||
date=2015-08-11 time=19:21:40 logver=52 devname=US-IDF175_1 devid=FG3K2C3Z13800741 logid=0315013317 type=utm subtype=webfilter eventtype=urlfilter level=notice vd=root sessionid=284520245 user="" srcip=x.x.x.x srcport=50175 srcintf="PC" dstip=x.x.x.x dstport=80 dstintf="External" proto=6 service=HTTP hostname="x.x.x.x" profile="scan" action=passthrough reqtype=direct url="/device/get/1.xml" sentbyte=169 rcvdbyte=809 direction=outgoing msg="URL has been visited" method=domain cat=0
|
||||
date=2015-08-11 time=19:21:40 logver=52 devname=US-Corp_Main1 devid=FGT37D4613800138 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd=root sessionid=1490761283 user="" srcip=x.x.x.x srcport=53971 srcintf="Internal" dstip=192.168.10 dstport=80 dstintf="External-SDC" proto=6 service=HTTP hostname="ping.chartbeat.net" profile="scan" action=passthrough reqtype=referral url="/ping?h=fortune.com&p=%2F2014%2F10%2F27%2Fgoogle-rise-of-sundar-pichai%2F&u=C5sKcjDIa4ndN0LKa&d=fortune.com&g" sentbyte=603 rcvdbyte=213 direction=outgoing msg="URL belongs to an allowed category in policy" method=domain cat=52 catdesc="Information Technology"
|
||||
date=2015-08-11 time=19:21:40 logver=52 devname=US-Corp_Main1 devid=FGT37D4613800138 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd=root sessionid=1490842644 user="" srcip=x.x.x.x srcport=53988 srcintf="Internal" dstip=192.168.10 dstport=80 dstintf="External-SDC" proto=6 service=HTTP hostname="crl.microsoft.com" profile="scan" action=passthrough reqtype=direct url="/pki/crl/products/MicTimStaPCA_2010-07-01.crl" sentbyte=277 rcvdbyte=227 direction=outgoing msg="URL belongs to an allowed category in policy" method=domain cat=52 catdesc="Information Technology"
|
||||
date=2015-08-11 time=19:21:40 logver=52 devname=US-Corp_Main1 devid=FGT37D4613800138 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd=root sessionid=1490845588 user="" srcip=x.x.x.x srcport=53235 srcintf="Internal" dstip=x.x.x.x dstport=80 dstintf="External-SDC" proto=6 service=HTTP hostname="popo.wan.ijinshan.com" profile="scan" action=passthrough reqtype=direct url="/popo/launch?c=cHA9d29vZHMxOTgyQGhvdG1haWwuY29tJnV1aWQ9NDBiNDkyZDRmNzdhNjFmOTNlMjQwMjhiYjE3ZGRlYTYmY29tcGl" sentbyte=525 rcvdbyte=325 direction=outgoing msg="URL belongs to an allowed category in policy" method=domain cat=52 catdesc="Information Technology"
|
||||
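Review bot: The final event still carries personal data despite the IP scrubbing: the `c=` query parameter in `url="/popo/launch?c=cHA9d29vZHMx..."` is base64 and appears to decode to `pp=woods1982@hotmail.com&uuid=40b492d4f77a61f93e24028bb17ddea6&compi…`, i.e. a user's email address and a device UUID. Encoded fields need the same redaction pass as plaintext ones; replace the parameter with a neutral value such as `url="/popo/launch?c=REDACTED"` or a freshly generated base64 string of the same length. Separately, two events use `dstip=192.168.10`, which has only three octets and looks like a sanitization artifact rather than an address; a fixture that is meant to validate IP extraction should use a valid documentation-range placeholder such as `dstip=192.0.2.10`.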
@ -0,0 +1,187 @@
|
||||
{
|
||||
"version": "1.0",
|
||||
"date": "2023-03-27T17:52:08.507063439Z",
|
||||
"hashAlgorithm": "SHA-256",
|
||||
"app": {
|
||||
"id": 2846,
|
||||
"version": "1.6.7",
|
||||
"files": [
|
||||
{
|
||||
"path": "static/appIconAlt.png",
|
||||
"hash": "afd0661f827ccaf16d7e486d0286304e2ce887706e82c29051fb861bf15adfcf"
|
||||
},
|
||||
{
|
||||
"path": "static/appIcon.png",
|
||||
"hash": "afd0661f827ccaf16d7e486d0286304e2ce887706e82c29051fb861bf15adfcf"
|
||||
},
|
||||
{
|
||||
"path": "static/appIconAlt_2x.png",
|
||||
"hash": "133e9a0aa2c545c102072ba8d6879509783688b213160c464aa4f0a72456e278"
|
||||
},
|
||||
{
|
||||
"path": "static/appIcon_2x.png",
|
||||
"hash": "133e9a0aa2c545c102072ba8d6879509783688b213160c464aa4f0a72456e278"
|
||||
},
|
||||
{
|
||||
"path": "app.manifest",
|
||||
"hash": "21e89063d76f943c3f8c40cab83fc37e769b48a59b1c8b2f7b21412d5b397b8f"
|
||||
},
|
||||
{
|
||||
"path": "README.txt",
|
||||
"hash": "a5f41c5250ebd3fa4dc14347ed293785d150c9f87ecfa629642dfb7b8eedb07f"
|
||||
},
|
||||
{
|
||||
"path": "default/transforms.conf",
|
||||
"hash": "881ddc1bdfb74597125ba7d4d5c72b524a2a5e2cfdb81c16403d8e61f5e2da72"
|
||||
},
|
||||
{
|
||||
"path": "default/tags.conf",
|
||||
"hash": "12608b97b2ee5965405a5e07a4f71142353740e7d93a0d373d4f70795dc7ab78"
|
||||
},
|
||||
{
|
||||
"path": "default/app.conf",
|
||||
"hash": "ddf6b4aabe0a21feaea9b71e7811b19f7b21a73db5d0bd349244878cc99b0c0b"
|
||||
},
|
||||
{
|
||||
"path": "default/props.conf",
|
||||
"hash": "c9c0927ebc4e04828e491e502ff1bd9f479d9521fd7dbed144158e95d83449e0"
|
||||
},
|
||||
{
|
||||
"path": "default/data/ui/nav/default.xml",
|
||||
"hash": "35a4889f9adb852e7c27447f3e0275bb42002038746cd7b2559e7d749e0c8540"
|
||||
},
|
||||
{
|
||||
"path": "default/macros.conf",
|
||||
"hash": "3f7b94dc5c8331313d09596a1af93746e47df9fc480ab6d06f01983390795d20"
|
||||
},
|
||||
{
|
||||
"path": "default/eventtypes.conf",
|
||||
"hash": "7923ecc31a479fee3e806ba044abd1410e915592a004f828f19c722ef18502d6"
|
||||
},
|
||||
{
|
||||
"path": "LICENSES/LicenseRef-Splunk-1-2020.txt",
|
||||
"hash": "4890319bc6dddfcd1fb3e4dd6dc32205bce332924d5ac9e5032de1abc542acb7"
|
||||
},
|
||||
{
|
||||
"path": "VERSION",
|
||||
"hash": "440031e799a6323ba88b40d71261399d1c65380c5b283810bdaf995b703fb499"
|
||||
},
|
||||
{
|
||||
"path": "lookups/ftnt_event_action_info.csv",
|
||||
"hash": "99863b3b5c8ee2b486e25966b579387169a636f8d02ad489c3f53b48e529a480"
|
||||
},
|
||||
{
|
||||
"path": "lookups/ftnt_protocol_info.csv",
|
||||
"hash": "316aa94b83e5dcd5c04ccf354784bf7ebff809a84806e3fd125714cff9f21b09"
|
||||
},
|
||||
{
|
||||
"path": "lookups/ftnt_action_info.csv",
|
||||
"hash": "551b4866a00946b37bee18452679b57bca404cef1f181a09cd80f5c3aa67b0bd"
|
||||
},
|
||||
{
|
||||
"path": "lookups/ftnt_severity_info.csv",
|
||||
"hash": "b04c5db17d2da9f2fa6fd38118594609f3dbbc769cc27722de0054df573cfa24"
|
||||
},
|
||||
{
|
||||
"path": "samples/sample.ftnt_fortigate_ips",
|
||||
"hash": "b9ac036a0a3dd99a67be4b92166745887bb1b69b04338844c61b6c75c5f9c2d5"
|
||||
},
|
||||
{
|
||||
"path": "samples/sample.ftnt_fortigate_webfilter",
|
||||
"hash": "7b3a897dada48fdf24285b5beff165d21d8ebd27156b2313d64ef9d918aec5c7"
|
||||
},
|
||||
{
|
||||
"path": "samples/sample.ftnt_fortigate_vpn",
|
||||
"hash": "c571041509ca7e85ab5172549d1d23fb8b2651a006b067356be9733760117dc1"
|
||||
},
|
||||
{
|
||||
"path": "samples/sample.ftnt_fortigate_perf_stats",
|
||||
"hash": "adedcf70d120d292dd367c7e93baa6be8cb45edbd27c1de82bf2237d8fc76566"
|
||||
},
|
||||
{
|
||||
"path": "samples/sample.ftnt_fortigate_virus",
|
||||
"hash": "27d9385975cd881eeea0acae06858af00af0c008083e975907fcb5a453cc45df"
|
||||
},
|
||||
{
|
||||
"path": "samples/sample.ftnt_fortigate_config_change",
|
||||
"hash": "bbf0fa5a49c1ab9f571140b8eba4dda8a5f9906d48d083fb40810203cb907b13"
|
||||
},
|
||||
{
|
||||
"path": "samples/sample.ftnt_fortigate_auth",
|
||||
"hash": "4b5e4bb2e93ad9e2448e72a44b41d54c1f42dad8883858c06fa801e0d102a892"
|
||||
},
|
||||
{
|
||||
"path": "samples/sample.ftnt_fortigate_vpn_end",
|
||||
"hash": "c31ef1db53c662ea02d96197749234239b058040990eee8fd22b87b9fe1f2370"
|
||||
},
|
||||
{
|
||||
"path": "samples/sample.ftnt_fortigate_traffic",
|
||||
"hash": "45464bb1df5153a0b35af13431ff82071dcf496cb24d061701447d6f0d74829d"
|
||||
},
|
||||
{
|
||||
"path": "samples/sample.ftnt_fortigate_auth_priviledged",
|
||||
"hash": "49a07c1d617e5339087129bdceee973cf3fd4072fc51b62fd317b6bc03f8e62b"
|
||||
},
|
||||
{
|
||||
"path": "samples/sample.ftnt_fortigate_vpn_start",
|
||||
"hash": "2855172f693a9fecd6361f9181cd0c3883e38d2f96dbc20c1fba7b4ea83c2cfe"
|
||||
},
|
||||
{
|
||||
"path": "metadata/default.meta",
|
||||
"hash": "66aa854b29dd6d888d93d9be91785866da8e7bf76f8ebae45d1852b884a8919c"
|
||||
},
|
||||
{
|
||||
"path": "EULA.pdf",
|
||||
"hash": "4b74b5ff9abd03f8e464aea123a0c9584740a2854d1fde93da80dd0a0c81a605"
|
||||
}
|
||||
]
|
||||
},
|
||||
"products": [
|
||||
{
|
||||
"platform": "splunk",
|
||||
"product": "enterprise",
|
||||
"versions": [
|
||||
"7.2",
|
||||
"7.3",
|
||||
"8.0",
|
||||
"8.1",
|
||||
"8.2",
|
||||
"9.0"
|
||||
],
|
||||
"architectures": [
|
||||
"x86_64"
|
||||
],
|
||||
"operatingSystems": [
|
||||
"windows",
|
||||
"linux",
|
||||
"macos",
|
||||
"freebsd",
|
||||
"solaris",
|
||||
"aix"
|
||||
]
|
||||
},
|
||||
{
|
||||
"platform": "splunk",
|
||||
"product": "cloud",
|
||||
"versions": [
|
||||
"7.2",
|
||||
"7.3",
|
||||
"8.0",
|
||||
"8.1",
|
||||
"8.2",
|
||||
"9.0"
|
||||
],
|
||||
"architectures": [
|
||||
"x86_64"
|
||||
],
|
||||
"operatingSystems": [
|
||||
"windows",
|
||||
"linux",
|
||||
"macos",
|
||||
"freebsd",
|
||||
"solaris",
|
||||
"aix"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||