diff --git a/deployment-apps/02-M-TIC_fortigate_forwarders_inputs/local/inputs.conf b/deployment-apps/02-M-TIC_fortigate_forwarders_inputs/local/inputs.conf index a94ccf2d..16e0b78f 100644 --- a/deployment-apps/02-M-TIC_fortigate_forwarders_inputs/local/inputs.conf +++ b/deployment-apps/02-M-TIC_fortigate_forwarders_inputs/local/inputs.conf @@ -1,4 +1,4 @@ [monitor:///var/rsyslog/*/fortigate/*/*/*.log] disabled = false index = idx_m-tic_fortigate -sourcetype = fortigate \ No newline at end of file +sourcetype = fortigate_log \ No newline at end of file diff --git a/deployment-apps/03-Forward_to_syslogCTRL/local/props.conf b/deployment-apps/03-Forward_to_syslogCTRL/local/props.conf index c6edd4fa..0f88a1e5 100644 --- a/deployment-apps/03-Forward_to_syslogCTRL/local/props.conf +++ b/deployment-apps/03-Forward_to_syslogCTRL/local/props.conf @@ -1,5 +1,5 @@ [esxi] TRANSFORMS-export2rsyslog = send_to_vmware -[fortigate] +[fortigate_log] TRANSFORMS-fortigate = send_to_forti \ No newline at end of file diff --git a/deployment-apps/SplunkAppForFortinet/EULA.pdf b/deployment-apps/SplunkAppForFortinet/EULA.pdf new file mode 100644 index 00000000..72dbe7c8 Binary files /dev/null and b/deployment-apps/SplunkAppForFortinet/EULA.pdf differ diff --git a/deployment-apps/SplunkAppForFortinet/default/app.conf b/deployment-apps/SplunkAppForFortinet/default/app.conf new file mode 100644 index 00000000..0c341854 --- /dev/null +++ b/deployment-apps/SplunkAppForFortinet/default/app.conf 
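Review bot: The sourcetype rename in `inputs.conf` and the matching `[fortigate]` → `[fortigate_log]` stanza rename in `props.conf` live in two different deployment apps (02-…forwarders_inputs and 03-Forward_to_syslogCTRL); if they reach their hosts at different times, events will arrive as `fortigate_log` on a tier whose props still only know `[fortigate]`, and `TRANSFORMS-fortigate = send_to_forti` will silently stop routing them. Events already indexed under `sourcetype=fortigate` will also be invisible to the vendored app's dashboards if its `fortigate_logs` macro filters on the new sourcetype — the macro is not in this diff, so confirm that. Either push both apps in the same deployment-server reload, or keep a transitional `[fortigate]` stanza next to `[fortigate_log]` in props.conf until the old sourcetype has aged out.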
@@ -0,0 +1,20 @@
+#
+# Splunk app configuration file
+#
+
+[install]
+build = 0001
+is_configured = 0
+
+[ui]
+is_visible = 1
+label = Fortinet FortiGate App for Splunk
+
+[launcher]
+author = jli@fortinet.com
+description = Fortinet FortiGate App provides datacenter threat visualizations to identify anomalous behavior and helps de-duplicate threat feed data to enable the fast creation and consolidation of analytics. The Fortinet FortiGate App properly maps log fields from FortiGate appliances and interchanges into a common format to splunk intelligence framework.
+version = 1.6.3
+
+[package]
+id = SplunkAppForFortinet
+check_for_updates = 1
diff --git a/deployment-apps/SplunkAppForFortinet/default/data/models/ftnt_fos.json b/deployment-apps/SplunkAppForFortinet/default/data/models/ftnt_fos.json
new file mode 100644
index 00000000..597175fc
--- /dev/null
+++ b/deployment-apps/SplunkAppForFortinet/default/data/models/ftnt_fos.json
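Review bot: `check_for_updates = 1` under `[package]` makes the search head poll Splunkbase for updates to this app; on a SIEM tier with restricted egress that is an unexpected outbound connection and a recurring failure in splunkd.log, so set `check_for_updates = 0` unless egress to Splunkbase is intended. This hunk also vendors a third-party app (version 1.6.3) as plain files with no record of where it came from; add the Splunkbase release and a checksum of the downloaded package to the commit message or a README so the provenance can be verified later and the app re-fetched for upgrades. `is_configured = 0` will raise the setup prompt if the app ships a setup view; that file is not in this diff, so check whether it exists.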
@@ -0,0 +1,872 @@ +{ + "modelName": "ftnt_fos", + "displayName": "Fortinet FOS Log", + "description": "", + "objectSummary": { + "Event-Based": 18, + "Transaction-Based": 0, + "Search-Based": 0 + }, + "objects": [ + { + "objectName": "log", + "displayName": "Firewall Logs", + "parentName": "BaseEvent", + "fields": [ + { + "fieldName": "devname", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "device_name", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vd", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "vdom", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dstip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "destination_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dstport", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "destination_port", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "vendor_action", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "vendor_action", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "subtype", + "owner": "log", + "type": "string", + "required": true, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "subtype", + "comment": "", + "fieldSearch": "subtype=*" + }, + { + "fieldName": "msg", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "msg", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "srcip", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + 
"hidden": false, + "editable": true, + "displayName": "source_ip", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "user", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sentbyte", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "bytes_sent", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "rcvdbyte", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "bytes_received", + "comment": "", + "fieldSearch": "" + } + ], + "calculations": [ + { + "outputFields": [ + { + "fieldName": "bytes", + "owner": "log", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "bytes", + "comment": "", + "fieldSearch": "" + } + ], + "calculationID": "33ye7jatrnc23xr", + "owner": "log", + "editable": true, + "comment": "", + "calculationType": "Eval", + "expression": "rcvdbyte + sentbyte" + }, + { + "outputFields": [ + { + "fieldName": "suser", + "owner": "log", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + } + ], + "calculationID": "b5nvzeqblzjs8aor", + "owner": "log", + "editable": true, + "comment": "", + "calculationType": "Eval", + "expression": "coalesce(user, \"unknown\")" + } + ], + "constraints": [ + { + "search": "`fortigate_logs`", + "owner": "log" + } + ], + "lineage": "log" + }, + { + "objectName": "traffic", + "displayName": "traffic", + "parentName": "log", + "fields": [ + { + "fieldName": "app", + "owner": "log.traffic", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + 
"displayName": "application", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "action", + "owner": "log.traffic", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "action", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sessionid", + "owner": "log.traffic", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sessionid", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "srcintf", + "owner": "log.traffic", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source_interface", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "dstintf", + "owner": "log.traffic", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "destination_interface", + "comment": "", + "fieldSearch": "" + } + ], + "calculations": [ + { + "outputFields": [ + { + "fieldName": "sappcat", + "owner": "log.traffic", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "appcat", + "comment": "", + "fieldSearch": "" + } + ], + "calculationID": "mzjg69trwbmg3nmi", + "owner": "log.traffic", + "editable": true, + "comment": "", + "calculationType": "Eval", + "expression": "coalesce(appcat, \"unknown\")" + }, + { + "outputFields": [ + { + "fieldName": "gapp", + "owner": "log.traffic", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "Application", + "comment": "", + "fieldSearch": "" + } + ], + "calculationID": "6xc7edtj41zcl3di", + "owner": "log.traffic", + "editable": true, + "comment": "", + "calculationType": "Eval", + "expression": "case(isnotnull(app), app, 1=1, service)" + } + ], + "constraints": [ + { + "search": "type=traffic", + "owner": 
"log.traffic" + } + ], + "lineage": "log.traffic" + }, + { + "objectName": "utm", + "displayName": "utm", + "parentName": "log", + "fields": [ + { + "fieldName": "service", + "owner": "log.utm", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "service", + "comment": "", + "fieldSearch": "" + } + ], + "calculations": [ + { + "outputFields": [ + { + "fieldName": "gseverity", + "owner": "log.utm", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "generic severity", + "comment": "", + "fieldSearch": "" + } + ], + "calculationID": "xkmgmwi8eka9k9", + "owner": "log.utm", + "editable": true, + "comment": "", + "calculationType": "Eval", + "expression": "case( ( subtype==\"app-ctrl\" AND appcat==\"Botnet\"), \"critical\", (subtype==\"app-ctrl\" AND appcat==\"P2P\"), \"medium\", (subtype==\"app-ctrl\" AND appcat==\"Game\"), \"low\", (subtype==\"app-ctrl\" AND appcat==\"Proxy\"),\"high\", (subtype==\"webfilter\" AND (cat==26 OR cat==61 OR cat==86 OR action==\"blocked\")), \"high\",(subtype==\"webfilter\" AND (cat==1 OR cat==2 OR cat==3 OR cat==4 OR cat==5 OR cat==6 OR cat==12 OR cat==59 OR cat==62 OR cat==83)), \"medium\",(subtype==\"webfilter\" AND (cat==14 OR cat==72)), \"low\",severity==\"critical\", \"critical\", severity==\"high\", \"high\", severity==\"medium\", \"medium\",severity==\"low\", \"low\", (subtype==\"virus\" AND eventype==\"infected\"), \"critical\", (1=1), \"\")" + } + ], + "constraints": [ + { + "search": "(type=utm OR type=anomaly) AND (subtype=app-ctrl OR subtype=webfilter OR subtype=ips OR subtype=virus OR subtype=emailfitler OR subtype=dlp OR subtype=anomaly)", + "owner": "log.utm" + } + ], + "lineage": "log.utm" + }, + { + "objectName": "system_event", + "displayName": "system_event", + "parentName": "log", + "fields": [], + "calculations": [], + "constraints": [ + { + "search": "type=event AND 
subtype!=wireless", + "owner": "log.system_event" + } + ], + "lineage": "log.system_event" + }, + { + "objectName": "virus", + "displayName": "virus", + "parentName": "utm", + "fields": [], + "calculations": [], + "constraints": [ + { + "search": "subtype=virus", + "owner": "log.utm.virus" + } + ], + "lineage": "log.utm.virus" + }, + { + "objectName": "webfilter", + "displayName": "webfilter", + "parentName": "utm", + "fields": [ + { + "fieldName": "hostname", + "owner": "log.utm.webfilter", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "hostname", + "comment": "", + "fieldSearch": "" + } + ], + "calculations": [], + "constraints": [ + { + "search": "subtype=webfilter", + "owner": "log.utm.webfilter" + } + ], + "lineage": "log.utm.webfilter" + }, + { + "objectName": "ips", + "displayName": "ips", + "parentName": "utm", + "fields": [ + { + "fieldName": "attack", + "owner": "log.utm.ips", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "attack_name", + "comment": "", + "fieldSearch": "" + } + ], + "calculations": [], + "constraints": [ + { + "search": "subtype=ips OR subtype=anomaly", + "owner": "log.utm.ips" + } + ], + "lineage": "log.utm.ips" + }, + { + "objectName": "spam", + "displayName": "spam", + "parentName": "utm", + "fields": [], + "calculations": [], + "constraints": [ + { + "search": "subtype=spam", + "owner": "log.utm.spam" + } + ], + "lineage": "log.utm.spam" + }, + { + "objectName": "appctrl", + "displayName": "appctrl", + "parentName": "utm", + "fields": [], + "calculations": [ + { + "outputFields": [ + { + "fieldName": "app_severity", + "owner": "log.utm.appctrl", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "severity", + "comment": "", + "fieldSearch": "" + } + ], + "calculationID": "nxbd9b3tj88jv2t9", + "owner": "log.utm.appctrl", 
+ "editable": true, + "comment": "", + "calculationType": "Eval", + "expression": "case(appcat==\"Botnet\", \"critical\", appcat==\"p2p\", \"medium\", appcat==\"game\", \"low\", appcat==\"proxy\",\"high\")" + } + ], + "constraints": [ + { + "search": "subtype=app-ctrl", + "owner": "log.utm.appctrl" + } + ], + "lineage": "log.utm.appctrl" + }, + { + "objectName": "system", + "displayName": "system", + "parentName": "system_event", + "fields": [ + { + "fieldName": "level", + "owner": "log.system_event.system", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "level", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "cpu", + "owner": "log.system_event.system", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cpu", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "mem", + "owner": "log.system_event.system", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "mem", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "setuprate", + "owner": "log.system_event.system", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "setuprate", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "totalsession", + "owner": "log.system_event.system", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "totalsession", + "comment": "", + "fieldSearch": "" + } + ], + "calculations": [], + "constraints": [ + { + "search": "subtype=system OR subtype=router OR subtype=wad OR subtype=ha", + "owner": "log.system_event.system" + } + ], + "lineage": "log.system_event.system" + }, + { + "objectName": "vpn", + "displayName": "vpn", + "parentName": "system_event", + "fields": [ + { + "fieldName": "group", + "owner": 
"log.system_event.vpn", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user_group", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "tunneltype", + "owner": "log.system_event.vpn", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tunneltype", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "duration", + "owner": "log.system_event.vpn", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "duration", + "comment": "", + "fieldSearch": "" + } + ], + "calculations": [ + { + "outputFields": [ + { + "fieldName": "tunnelname", + "owner": "log.system_event.vpn", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "tunnel_name", + "comment": "", + "fieldSearch": "" + } + ], + "calculationID": "0mzxjr0ttlzq6w29", + "owner": "log.system_event.vpn", + "editable": true, + "comment": "", + "calculationType": "Eval", + "expression": "coalesce(vpntunnel,tunnelid)" + } + ], + "constraints": [ + { + "search": "subtype=vpn", + "owner": "log.system_event.vpn" + } + ], + "lineage": "log.system_event.vpn" + }, + { + "objectName": "user", + "displayName": "user", + "parentName": "system_event", + "fields": [ + { + "fieldName": "vendor_status", + "owner": "log.system_event.user", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "vendor_status", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "time", + "owner": "log.system_event.user", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "time", + "comment": "", + "fieldSearch": "" + } + ], + "calculations": [], + "constraints": [ + { + "search": "subtype=user", + "owner": 
"log.system_event.user" + } + ], + "lineage": "log.system_event.user" + }, + { + "objectName": "dlp", + "displayName": "dlp", + "parentName": "utm", + "fields": [], + "calculations": [], + "constraints": [ + { + "search": "subtype=dlp", + "owner": "log.utm.dlp" + } + ], + "lineage": "log.utm.dlp" + }, + { + "objectName": "wireless", + "displayName": "wireless", + "parentName": "log", + "fields": [ + { + "fieldName": "stamac", + "owner": "log.wireless", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "station-mac-address", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ap", + "owner": "log.wireless", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "ap", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "apstatus", + "owner": "log.wireless", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "apstatus", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "manuf", + "owner": "log.wireless", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "vendor", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "bssid", + "owner": "log.wireless", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "bssid", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "security", + "owner": "log.wireless", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "security", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "radioband", + "owner": "log.wireless", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "radioband", + "comment": "", + 
"fieldSearch": "" + }, + { + "fieldName": "channel", + "owner": "log.wireless", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "channel", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sndetected", + "owner": "log.wireless", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "detected-by", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "signal", + "owner": "log.wireless", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "signal", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "onwire", + "owner": "log.wireless", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "onwire", + "comment": "", + "fieldSearch": "" + } + ], + "calculations": [], + "constraints": [ + { + "search": "type=event AND subtype=wireless", + "owner": "log.wireless" + } + ], + "lineage": "log.wireless" + } + ], + "objectNameList": [ + "log", + "traffic", + "utm", + "system_event", + "virus", + "webfilter", + "ips", + "spam", + "appctrl", + "system", + "vpn", + "user", + "dlp", + "wireless" + ] +} diff --git a/deployment-apps/SplunkAppForFortinet/default/data/ui/nav/default.xml b/deployment-apps/SplunkAppForFortinet/default/data/ui/nav/default.xml new file mode 100644 index 00000000..b67908f5 --- /dev/null +++ b/deployment-apps/SplunkAppForFortinet/default/data/ui/nav/default.xml @@ -0,0 +1,84 @@ + diff --git a/deployment-apps/SplunkAppForFortinet/default/data/ui/views/content_dashboard.xml b/deployment-apps/SplunkAppForFortinet/default/data/ui/views/content_dashboard.xml new file mode 100644 index 00000000..dc80ced9 --- /dev/null +++ b/deployment-apps/SplunkAppForFortinet/default/data/ui/views/content_dashboard.xml @@ -0,0 +1,5 @@ + + + + + 
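Review bot: The `log.utm` constraint contains the typo `subtype=emailfitler`, so FortiOS emailfilter events never enter the utm node or its accelerated summary and are absent from every threat panel; it should read `subtype=emailfilter`. In the same node's `gseverity` eval, `eventype==\"infected\"` looks like a misspelling of the FortiOS `eventtype` field — verify against a sample virus log — and because that clause sits last before the catch-all, infected-virus events without an explicit `severity` fall through to `\"\"` and are then dropped by the dashboards' `log.utm.gseverity!=""` filter. The `appctrl` node's `app_severity` compares `appcat` against lowercase `p2p`/`game`/`proxy` while `gseverity` uses `P2P`/`Game`/`Proxy`; eval `==` is case-sensitive, so at most one of the two can match a given event — use one spelling in both, or compare on `lower(appcat)`. The `spam` node's `subtype=spam` constraint likewise looks inconsistent with the `emailfilter` subtype named in its parent and should be checked against real logs.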
diff --git a/deployment-apps/SplunkAppForFortinet/default/data/ui/views/event_dashboard.xml b/deployment-apps/SplunkAppForFortinet/default/data/ui/views/event_dashboard.xml new file mode 100644 index 00000000..92e5988d --- /dev/null +++ b/deployment-apps/SplunkAppForFortinet/default/data/ui/views/event_dashboard.xml @@ -0,0 +1,343 @@ +
+ + +
+ + + + -60m@m + now + + + + + ANY + * + log.devname=" + " + + |`_ftnt_dropdown(log.system_event.system, log.devname)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + + + + log.vd=" + " + ANY + + | `_ftnt_dropdown(log.system_event.system, log.vd)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + * + + + + (log.subtype=" + " ) + * + ANY + SYSTEM + ROUTER + WAD + HA + + + + log.system_event.system.level=" + " + ANY + CRITICAL + ERROR + INFORMATION + NOTICE + WARNING + EMERGENCY + * + + + + ANY + * + log.vendor_action=" + " + + | `_ftnt_dropdown(log.system_event.system, log.vendor_action)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + +
+ + + Events + + + |tstats summariesonly=true count FROM datamodel=ftnt_fos WHERE nodename="log.system_event.system" $subtype$ $level$ $vdom$ $devname$ $action$ groupby _time | timechart values(count) + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + Notable Events + + + |tstats summariesonly=true count AS Count FROM datamodel=ftnt_fos WHERE nodename="log.system_event.system" $subtype$ $vdom$ $devname$ (log.system_event.system.level=warning OR log.system_event.system.level=emergency OR log.system_event.system.level=critical) groupby log.vendor_action | sort -Count + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Latest Events + + + | tstats summariesonly=true max(_time) AS NTime, values(log.devname) as Device, values(log.vd) as Virtual_Domain, values(log.subtype) as Subtype, values(log.system_event.system.level) as Level, values(log.vendor_action) as Action, values(log.msg) as Message from datamodel="ftnt_fos" where nodename="log.system_event.system" $subtype$ $level$ $vdom$ $devname$ $action$ groupby _time, log.devname, log.vd, log.subtype, log.system_event.system.level, log.vendor_action, log.msg | sort -_time | convert ctime(NTime) as Time | table Time, Device, Virtual_Domain, Subtype, Level, Action, Message | sort -_time + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+ + + + CPU + + |tstats summariesonly=true last(log.system_event.system.cpu) AS cpus FROM datamodel=ftnt_fos WHERE nodename="log.system_event.system" $devname$ log.vendor_action=perf-stats groupby _time log.devname | timechart values(cpus) by log.devname + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Memory + + |tstats summariesonly=true last(log.system_event.system.mem) AS mems FROM datamodel=ftnt_fos WHERE nodename="log.system_event.system" $devname$ log.vendor_action=perf-stats groupby _time log.devname | timechart values(mems) by log.devname + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Session Setup Rate + + |tstats summariesonly=true last(log.system_event.system.setuprate) AS setuprate FROM datamodel=ftnt_fos WHERE nodename="log.system_event.system" $devname$ log.vendor_action=perf-stats groupby _time log.devname | timechart values(setuprate) by log.devname + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Concurrent Sessions + + |tstats summariesonly=true last(log.system_event.system.totalsession) AS totalsession FROM datamodel=ftnt_fos WHERE nodename="log.system_event.system" $devname$ log.vendor_action=perf-stats groupby _time log.devname | timechart values(totalsession) by log.devname + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + +
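Review bot: The Notable Events panel hardcodes `log.system_event.system.level=warning OR ...=emergency OR ...=critical`, which drops `error` even though the page's own level dropdown offers ERROR (FortiOS also emits an `alert` level that neither the dropdown nor this filter covers — confirm against your logs). Either extend the list to `emergency OR alert OR critical OR error OR warning` or drive the panel from the `$level$` token so the filter and the panel cannot disagree. In Latest Events the trailing `| sort -_time` after `| table Time, Device, …` is a no-op because `table` has already dropped `_time`, and the earlier `| sort -_time` silently caps at 10000 rows; use `| sort 0 -_time` (or an explicit `| head N`) once and drop the duplicate.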
diff --git a/deployment-apps/SplunkAppForFortinet/default/data/ui/views/overall.xml b/deployment-apps/SplunkAppForFortinet/default/data/ui/views/overall.xml new file mode 100644 index 00000000..0a0e7d79 --- /dev/null +++ b/deployment-apps/SplunkAppForFortinet/default/data/ui/views/overall.xml @@ -0,0 +1,156 @@ + + + + + + Device + + + `fortigate_logs` | stats dc(devid) + rt-10m + rtnow + + + + + Virtual Domain + + + `fortigate_logs` | eval dev-vd= devid."-".vd | stats dc(dev-vd) + rt-10m + rtnow + + + + + Session + + + `fortigate_logs` | eval dev-sess= devid."-".session_id | stats dc(dev-sess) + rt-10m + rtnow + + + + + + + Sessions Transferred Over Time + + + `fortigate_traffic` | eval dev-sess= devid."-".session_id |timechart dc("dev-sess") by devname + rt-10m + rt + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Top 20 Applications + + + `fortigate_traffic` | TOP limit=20 app + rt-10m + rt + + + + + + + + + + + + + + + + + + + + + + + + + + Threat + + + `fortigate_utm` AND (severity=critical OR severity=high OR severity=medium OR severity=low) | timechart count by severity + rt-1h + rt + + + + + + + + + + + + + + + + + + + + + + + + + + + + Application By Destination Countries + + + `fortigate_traffic` | iplocation "dstip" | geostats count by app + rt-1h + rt + + + + + + + + + + + + + + + diff --git a/deployment-apps/SplunkAppForFortinet/default/data/ui/views/threat_dashboard.xml b/deployment-apps/SplunkAppForFortinet/default/data/ui/views/threat_dashboard.xml new file mode 100644 index 00000000..6c84dffc --- /dev/null +++ b/deployment-apps/SplunkAppForFortinet/default/data/ui/views/threat_dashboard.xml @@ -0,0 +1,340 @@ +
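Review bot: Every panel in `overall.xml` runs as a real-time search (`rt-10m`/`rt-1h` to `rt`/`rtnow`) over the raw-event macros, so each viewer of this page holds six long-running real-time jobs on the search head; those need the `rtsearch` capability and are the usual way a shared landing page exhausts search concurrency. The rest of the app queries the `ftnt_fos` data model with `tstats summariesonly=true`, so these panels could take the same accelerated path with a normal window (`-10m@m` / `now`) plus a panel `refresh`, which is cheaper and consistent. The three single-value panels end at `rtnow` while the charts end at `rt`; pick one. The `iplocation "dstip" | geostats count by app` over a real-time hour is the most expensive of the set and the first to move.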
+ +
+ + + + -60m@m + now + + + + + ANY + + | `_ftnt_dropdown(log.utm, log.devname)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + log.devname=" + " + * + + + + ANY + + | `_ftnt_dropdown(log.utm, log.vd)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + log.vd=" + " + * + + + + ANY + + | `_ftnt_dropdown(log.utm, log.subtype)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + * + log.subtype=" + " + + + + log.srcip=" + " + * + + + + log.dstip=" + " + * + + + + log.dstport=" + " + * + +
+ + + Threat By Severity + + + | tstats summariesonly=true count FROM datamodel=ftnt_fos where nodename="log.utm" log.utm.gseverity!="" $devname$ $vdom$ $subtype$ $srcip$ $dstip$ $dstport$ GROUPBY _time log.utm.gseverity | timechart values(count) by log.utm.gseverity + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IPS Attack By Device + + + | tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm.ips" $devname$ $vdom$ $subtype$ $srcip$ $dstip$ $dstport$ GROUPBY log.devname | sort -count | head 30 + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Threat By SubType + + + | tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm" log.utm.gseverity!="" $devname$ $vdom$ $subtype$ $srcip$ $dstip$ $dstport$ GROUPBY log.subtype | sort -count | head 20 + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Threat By Source IP + + + | tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm" log.utm.gseverity!="" $devname$ $vdom$ $subtype$ $srcip$ $dstip$ $dstport$ GROUPBY log.srcip | sort -count | head 30 + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Threat By Destination IP + + + | tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm" $devname$ $vdom$ $subtype$ $srcip$ $dstip$ $dstport$ log.utm.gseverity!="" GROUPBY log.dstip| sort-count | head 30 + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Threat By User + + + | tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm" log.utm.gseverity!="" log.user!="" $devname$ $vdom$ $subtype$ $srcip$ $dstip$ $dstport$ GROUPBY log.user | sort -count | head 20 + $time_token.earliest$ + $time_token.latest$ + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Threat By Service + + + | tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm" log.utm.gseverity!="" $devname$ $vdom$ $subtype$ $srcip$ $dstip$ $dstport$ GROUPBY log.utm.service | sort -count | head 20 + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
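Review bot: The Threat By Destination IP search has `GROUPBY log.dstip| sort-count | head 30`; `sort-count` is not a command, so that panel errors on load — it should be `| sort -count`. The free-text srcip/dstip/dstport inputs are spliced into the `tstats ... WHERE` clause through `prefix`/`suffix` quoting, so a value containing a double quote or a stray space breaks the search instead of filtering; since these are user-typed, prefer Splunk's quoting filter (`log.srcip=$srcip|s$`) over hand-built quotes and keep `*` as the default. This is a robustness issue rather than a privilege boundary, since the user can already run any search their role allows.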
diff --git a/deployment-apps/SplunkAppForFortinet/default/data/ui/views/traffic_dashboard.xml b/deployment-apps/SplunkAppForFortinet/default/data/ui/views/traffic_dashboard.xml new file mode 100644 index 00000000..cf390151 --- /dev/null +++ b/deployment-apps/SplunkAppForFortinet/default/data/ui/views/traffic_dashboard.xml @@ -0,0 +1,418 @@ +
+ +
+ + + + -60m@m + now + + + + + * + log.devname=" + " + ANY + + | `_ftnt_dropdown(log.traffic, log.devname)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + + + + log.vd=" + " + ANY + + | `_ftnt_dropdown(log.traffic, log.vd)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + * + + + + log.srcip=" + " + * + + + + log.dstip=" + " + * + + + + * + (log.suser=" + " OR log.user="") + + + + (log.traffic.app=" + " OR log.traffic.app="") + + | `_ftnt_dropdown(log.traffic, log.traffic.app)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + ANY + * + + + + ANY + * + log.traffic.srcintf=" + " + + | `_ftnt_dropdown(log.traffic, log.traffic.srcintf)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + + + + ANY + * + log.traffic.dstintf=" + " + + | `_ftnt_dropdown(log.traffic, log.traffic.dstintf)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + +
+ + + Sessions Over Time + + + | tstats summariesonly=true count latest(log.traffic.sessionid) as sessionid FROM datamodel=ftnt_fos where nodename="log.traffic" log.srcip="*" log.dstip="*" log.vd="*" log.vendor_action="*" log.devname="*" (log.suser="*" OR log.user="") (log.traffic.app="*" OR log.traffic.app="") log.traffic.srcintf="*" log.traffic.dstintf="*" GROUPBY _time , log.traffic.action, log.traffic.sessionid | timechart dc("sessionid") by log.traffic.action + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + Traffic Over Time + + + | tstats summariesonly=true sum(log.sentbyte) AS sumSent sum(log.rcvdbyte) AS sumReceived from datamodel="ftnt_fos" where nodename="log.traffic" $srcip$ $dstip$ $vdom$ $device$ $user$ $app$ $srcintf$ $dstintf$ groupby _time | eval msumSent = (sumSent/(1024*1024)) | eval msumReceived = (sumReceived/(1024*1024)) | timechart values("msumReceived") AS "MBytes Received" values("msumSent") AS "MBytes Sent" + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Top Source IP + + + | tstats summariesonly=true count FROM datamodel="ftnt_fos" where nodename="log.traffic" $srcip$ $dstip$ $user$ $app$ $vdom$ $device$ $srcintf$ $dstintf$ groupby log.srcip | sort -count | head 20 + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Top Destination IP + + + | tstats summariesonly=true count FROM datamodel="ftnt_fos" where nodename="log.traffic" $srcip$ $dstip$ $user$ $app$ $vdom$ $device$ $srcintf$ $dstintf$ groupby log.dstip | sort -count | head 20 + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Traffic by Device + + + | tstats summariesonly=true sum(log.bytes) as MBytes_transferred from datamodel="ftnt_fos" where nodename="log.traffic" $srcip$ $dstip$ $user$ $app$ $vdom$ $device$ $srcintf$ $dstintf$ groupby 
log.devname | eval MBytes_transferred = (MBytes_transferred/(1024*1024)) | sort -MBytes_transferred | head 10 + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Traffic by User + + + |tstats summariesonly=true sum(log.bytes) as MBytes_transferred from datamodel="ftnt_fos" where nodename="log.traffic" $srcip$ $dstip$ $user$ $app$ $vdom$ $device$ $srcintf$ $dstintf$ groupby log.user | eval MBytes_transferred = (MBytes_transferred/(1024*1024)) | sort -MBytes_transferred | head 10 + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Traffic by Application + + + | tstats summariesonly=true sum(log.bytes) as MBytes_transferred from datamodel="ftnt_fos" where nodename="log.traffic" $srcip$ $dstip$ $user$ $app$ $vdom$ $device$ $srcintf$ $dstintf$ groupby log.traffic.app | eval MBytes_transferred = (MBytes_transferred/(1024*1024)) | sort -MBytes_transferred | head 10 + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Traffic by Interface + + + | tstats summariesonly=true sum(log.bytes) as MBytes_transferred from datamodel="ftnt_fos" where nodename="log.traffic" $srcip$ $dstip$ $user$ $app$ $vdom$ $device$ $srcintf$ $dstintf$ groupby log.traffic.srcintf | eval MBytes_transferred = (MBytes_transferred/(1024*1024)) | sort -MBytes_transferred | head 10 + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
diff --git a/deployment-apps/SplunkAppForFortinet/default/data/ui/views/user_dashboard.xml b/deployment-apps/SplunkAppForFortinet/default/data/ui/views/user_dashboard.xml new file mode 100644 index 00000000..0ab8a359 --- /dev/null +++ b/deployment-apps/SplunkAppForFortinet/default/data/ui/views/user_dashboard.xml @@ -0,0 +1,219 @@ +
+ + +
+ + + + -60m@m + now + + + + + ANY + * + log.devname=" + " + + |`_ftnt_dropdown(log.system_event.user, log.devname)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + + + + log.vd=" + " + ANY + + | `_ftnt_dropdown(log.system_event.user, log.vd)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + * + + + + ANY + * + log.user=" + " + + |`_ftnt_dropdown(log.system_event.user, log.user)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + + + + ANY + + | `_ftnt_dropdown(log.system_event.user, log.system_event.user.vendor_status)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + log.system_event.user.vendor_status=" + " + * + +
+ + + Authentication Request Overview + + + | tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.system_event.user" $devname$ $vdom$ $user$ $status$ GROUPBY log.user | sort -count | head 20 + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + [] + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Authentication Request Over Time + + + | tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.system_event.user" $devname$ $vdom$ $user$ $status$ GROUPBY _time log.system_event.user.vendor_status | timechart values(count) by log.system_event.user.vendor_status + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Latest Events + + + | tstats summariesonly=true max(_time) as NTime count FROM datamodel=ftnt_fos where nodename="log.system_event.user" $devname$ $vdom$ $user$ $status$ GROUPBY _time log.system_event.user.time log.devname log.vd log.user log.vendor_action log.system_event.user.vendor_status log.msg | rename log.devname AS Devname, log.vd AS Virtual_Domain, log.user AS User, log.vendor_action AS Action, log.system_event.user.vendor_status AS Status, log.msg AS Message | convert ctime(NTime) as Time | sort -_time | table Time Devname Virtual_Domain User Action Status Message + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
diff --git a/deployment-apps/SplunkAppForFortinet/default/data/ui/views/utm_summary.xml b/deployment-apps/SplunkAppForFortinet/default/data/ui/views/utm_summary.xml new file mode 100644 index 00000000..69c8416c --- /dev/null +++ b/deployment-apps/SplunkAppForFortinet/default/data/ui/views/utm_summary.xml @@ -0,0 +1,270 @@ +
+ +
+ + + + -60m@m + now + + + + + ANY + + | `_ftnt_dropdown(log.utm, log.devname)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + log.devname=" + " + * + + + + ANY + + | `_ftnt_dropdown(log.utm, log.vd)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + log.vd=" + " + * + + + + log.srcip=" + " + * + + + + log.dstip=" + " + * + + + + log.dstport=" + " + * + +
+ + + Applications + + + | tstats summariesonly=true count(log.traffic.gapp) AS Sessions, sum(log.sentbyte) AS Sent sum(log.rcvdbyte) AS Received from datamodel="ftnt_fos" where nodename="log.traffic" $devname$ $vdom$ $srcip$ $dstip$ $dstport$ groupby log.traffic.gapp, log.traffic.sappcat | sort -Sessions| rename log.traffic.gapp AS Application, log.traffic.sappcat AS Category + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+ + Cloud Application + + + | tstats summariesonly=true count(log.traffic.gapp) AS Sessions, sum(log.sentbyte) AS Sent sum(log.rcvdbyte) AS Received from datamodel="ftnt_fos" where nodename="log.traffic" $devname$ $vdom$ $srcip$ $dstip$ $dstport$ (log.traffic.sappcat="Video/Audio" OR log.traffic.sappcat="Storage.Backup" OR log.traffic.sappcat="Cloud.IT" OR log.traffic.sappcat="Collabroation") groupby log.traffic.gapp, log.traffic.sappcat | sort -Sent| rename log.traffic.gapp AS Application, log.traffic.sappcat AS Category + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+ + + Web Server Access + + + | tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm.webfilter" $devname$ $vdom$ $srcip$ GROUPBY log.utm.webfilter.hostname | sort -count | head 30 + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Web Server Access By User + + + | tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm.webfilter" log.user!="" $devname$ $vdom$ $srcip$ $dstip$ $dstport$ GROUPBY log.suser | sort -count | head 30 + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Attacks + + + | tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm.ips" GROUPBY log.utm.ips.attack | sort -count | head 30 + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
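Review bot: The `Attacks` panel's search (`tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.utm.ips" GROUPBY log.utm.ips.attack`) is the only panel on this dashboard whose WHERE clause omits the `$devname$ $vdom$ $srcip$ $dstip$ $dstport$` tokens, so the IPS signature list ignores whatever device, VDOM or host the analyst has filtered on and shows fleet-wide counts next to scoped panels; inserting the same token string after `nodename="log.utm.ips"` makes it consistent with the other panels. In `Web Server Access By User` the WHERE clause filters on `log.user!=""` while the GROUPBY is `log.suser`, so events where only one of the two fields is populated land in a blank user bucket — filter and group on the same field (`log.suser!="" … GROUPBY log.suser`). The markup is stripped here, so whether srcip/dstip/dstport are free-text inputs cannot be confirmed, but the `log.srcip="…"` prefix/suffix with a `*` default suggests they are; they are spliced raw into the tstats WHERE clause, so a value containing a double quote breaks the search rather than filtering.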
diff --git a/deployment-apps/SplunkAppForFortinet/default/data/ui/views/vpn_dashboard.xml b/deployment-apps/SplunkAppForFortinet/default/data/ui/views/vpn_dashboard.xml new file mode 100644 index 00000000..a65496e7 --- /dev/null +++ b/deployment-apps/SplunkAppForFortinet/default/data/ui/views/vpn_dashboard.xml @@ -0,0 +1,212 @@ +
+ + +
+ + + + -60m@m + now + + + + + ANY + * + log.devname=" + " + + |`_ftnt_dropdown(log.system_event.vpn, log.devname)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + + + + log.vd=" + " + ANY + + | `_ftnt_dropdown(log.system_event.vpn, log.vd)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + * + + + + ANY + * + log.system_event.vpn.tunneltype=" + " + + |`_ftnt_dropdown(log.system_event.vpn, log.system_event.vpn.tunneltype)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + + + + ANY + * + log.user=" + " + + |`_ftnt_dropdown(log.system_event.vpn, log.user)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + +
+ + + Throughput by VPN Tunnel + + + | tstats summariesonly=true last(log.system_event.vpn.tunnelname), last(log.sentbyte) AS Sent, last(log.rcvdbyte) AS Received FROM datamodel="ftnt_fos" WHERE nodename="log.system_event.vpn" log.sentbyte!=0 log.rcvdbyte!=0 $devname$ $vdom$ $tunneltype$ $user$ groupby log.system_event.vpn.tunnelname | rename log.system_event.vpn.tunnelname AS Tunnel_Name, | dedup Tunnel_Name |eval Received_MB = (Received/(1024*1024)) | eval Sent_MB = (Sent/(1024*1024))| eval Transferred = Received_MB + Sent_MB | sort -Transferred| Fields Tunnel_Name, Received_MB, Sent_MB | head 20 + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + [] + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Connections By Time + + + | tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="log.system_event.vpn" $devname$ $vdom$ $tunneltype$ $user$ (log.vendor_action="tunnel-up" OR log.vendor_action="phase2-up") GROUPBY _time | timechart values(count) + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + [] + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Latest Events + + + | tstats summariesonly=true max(_time) AS NTime, last(log.system_event.vpn.tunnelname) AS Tunnel_Name, last(log.sentbyte) AS Sent, last(log.rcvdbyte) AS Received, last(log.system_event.vpn.tunneltype) AS Tunnel_Type, last(log.user) AS User, last(log.system_event.vpn.group) AS User_Group, last(log.system_event.vpn.duration) AS Duration_Sec FROM datamodel="ftnt_fos" WHERE nodename="log.system_event.vpn" log.sentbyte!=0 log.rcvdbyte!=0 $devname$ $vdom$ $tunneltype$ $user$ groupby _time log.system_event.vpn.tunnelname | sort -_time | eval Received_MB = (Received/(1024*1024))| eval Sent_MB = (Sent/(1024*1024)) |sort -_time| convert ctime(NTime) as Time | table Time, Tunnel_Name, Tunnel_Type, User, User_Group, Sent_MB, Received_MB, Duration_Sec + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + +
+
+
+
diff --git a/deployment-apps/SplunkAppForFortinet/default/data/ui/views/wireless_dashboard.xml b/deployment-apps/SplunkAppForFortinet/default/data/ui/views/wireless_dashboard.xml new file mode 100644 index 00000000..c32de15e --- /dev/null +++ b/deployment-apps/SplunkAppForFortinet/default/data/ui/views/wireless_dashboard.xml @@ -0,0 +1,133 @@ +
+ +
+ + + + -60m@m + now + + + + + ANY + + | `_ftnt_dropdown(log.wireless, log.devname)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + log.devname=" + " + * + + $label$ + $value$ + + + + + ANY + + | `_ftnt_dropdown(log.wireless, log.vd)` + $time_token.earliest$ + $time_token.latest$ + + field_with_count + field + log.vd=" + " + * + + $label$ + $value$ + + +
+ + + Top Client Per-AP + + + | tstats summariesonly=true dc(log.wireless.stamac) FROM datamodel="ftnt_fos" WHERE nodename="log.wireless" log.vendor_action="client-ip-detected" $devname$ $vdom$ GROUPBY log.wireless.ap | sort -dc(log.wireless.stamac) | head 30 + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Rogue AP + + + | tstats summariesonly=true max(_time) AS NTime count FROM datamodel="ftnt_fos" WHERE nodename="log.wireless" $devname$ $vdom$ log.vendor_action="rogue-ap-detected" groupby log.wireless.apstatus, log.wireless.manuf, log.wireless.bssid, log.wireless.security, log.wireless.radioband, log.wireless.channel, log.wireless.sndetected, log.wireless.signal, log.wireless.onwire | rename log.wireless.apstatus AS Status, log.wireless.manuf AS Vendor, log.wireless.bssid AS BSSID, log.wireless.security AS Security, log.wireless.radioband AS RadioBand, log.wireless.channel AS Channel, log.wireless.sndetected AS Detected-By, log.wireless.signal AS Signal, log.wireless.onwire AS OnWire | sort -_time | convert ctime(NTime) as Time | table Time, Status, Vendor, BSSID, Security, RadioBand, Channel, Detected-By, Signal, OnWire + $time_token.earliest$ + $time_token.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
diff --git a/deployment-apps/SplunkAppForFortinet/default/datamodels.conf b/deployment-apps/SplunkAppForFortinet/default/datamodels.conf
new file mode 100644
index 00000000..8f43e861
--- /dev/null
+++ b/deployment-apps/SplunkAppForFortinet/default/datamodels.conf
@@ -0,0 +1,3 @@
+[ftnt_fos]
+acceleration = 0
+acceleration.earliest_time = -1mon
diff --git a/deployment-apps/SplunkAppForFortinet/default/macros.conf b/deployment-apps/SplunkAppForFortinet/default/macros.conf
new file mode 100644
index 00000000..cdff77b6
--- /dev/null
+++ b/deployment-apps/SplunkAppForFortinet/default/macros.conf
@@ -0,0 +1,11 @@
+########################
+#
+# Base Macros
+#
+########################
+
+[_ftnt_dropdown(2)]
+args = node, field
+definition = tstats summariesonly=true count FROM datamodel="ftnt_fos" WHERE nodename="$node$" groupby $field$ | rename $field$ as field | eval field_with_count = field . " (" . count . ")"
+
+
diff --git a/deployment-apps/SplunkAppForFortinet/splunkbase.manifest b/deployment-apps/SplunkAppForFortinet/splunkbase.manifest
new file mode 100644
index 00000000..39a96832
--- /dev/null
+++ b/deployment-apps/SplunkAppForFortinet/splunkbase.manifest
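Review bot: `acceleration = 0` in `[ftnt_fos]` means no summaries are ever built for this data model, yet every panel in the dashboards added by this commit and the `_ftnt_dropdown` macro in the next hunk query it with `tstats summariesonly=true`, which reads accelerated summaries only — as committed, the panels and the device/VDOM dropdowns render empty. If acceleration is meant to be switched on per environment, commit that override next to this app (a `local/datamodels.conf` with `acceleration = 1` and an `acceleration.earliest_time` that matches the lookback analysts actually need) so the deployment is reproducible; the `-1mon` here only has an effect once acceleration is enabled. Accelerated summaries are built and stored on the indexers, so the chosen earliest_time should be sized against indexer disk and CPU, and it is worth noting that a deployment-server push overwrites the app directory, so any acceleration toggled by hand on a search head is lost unless it lives in the repo.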
@@ -0,0 +1,139 @@
+{
+ "version": "1.0",
+ "date": "2022-11-12T08:25:13.054927457Z",
+ "hashAlgorithm": "SHA-256",
+ "app": {
+ "id": 2800,
+ "version": "1.6.3",
+ "files": [
+ {
+ "path": "static/appIconAlt.png",
+ "hash": "afd0661f827ccaf16d7e486d0286304e2ce887706e82c29051fb861bf15adfcf"
+ },
+ {
+ "path": "static/appIcon.png",
+ "hash": "afd0661f827ccaf16d7e486d0286304e2ce887706e82c29051fb861bf15adfcf"
+ },
+ {
+ "path": "static/appIconAlt_2x.png",
+ "hash": "133e9a0aa2c545c102072ba8d6879509783688b213160c464aa4f0a72456e278"
+ },
+ {
+ "path": "static/appIcon_2x.png",
+ "hash": "133e9a0aa2c545c102072ba8d6879509783688b213160c464aa4f0a72456e278"
+ },
+ {
+ "path": "README.txt",
+ "hash": "894fbd7cb2aadf1f3632ea2b37ffcf3663aa18d06588bbb9294605aee976f17a"
+ },
+ {
+ "path": "default/app.conf",
+ "hash": "6515afdacbca57c8519e7324b03a9144b22877370b8a412c2505c37ce449a820"
+ },
+ {
+ "path": "default/datamodels.conf",
+ "hash": "1a39f248ce8df4353ab694c06788637a98cb9ba982db3b82d237c55bef7a3fbe"
+ },
+ {
+ "path": "default/data/ui/nav/default.xml",
+ "hash": "cc707ca52e88549a7072fc2f59ff1f2c531b7b8fa486e2a506e1dfbd4ae9ea5b"
+ },
+ {
+ "path": "default/data/ui/views/threat_dashboard.xml",
+ "hash": "575b2b82a003a6a51839750e25be8e1f645105d0ea43591af521902d6bea1a71"
+ },
+ {
+ "path": "default/data/ui/views/wireless_dashboard.xml",
+ "hash": "7a00e7e3d82dc30c012444d79c24c3861b676251a4f7f06bb919b92d9bb39a91"
+ },
+ {
+ "path": "default/data/ui/views/overall.xml",
+ "hash": "64d4031a91ec2c1dbcba31dab2e6f1c1207e360735df679a81c735e6f86e001f"
+ },
+ {
+ "path": "default/data/ui/views/user_dashboard.xml",
+ "hash": "53dc8d26e2eba3c3b33ffb834b440c9742c2851f332908cfc78e82a98146f579"
+ },
+ {
+ "path": "default/data/ui/views/vpn_dashboard.xml",
+ "hash": "32aa174ed6417b19803d031fed0461194f91d2ed40213112a213e39fbf0b7d62"
+ },
+ {
+ "path": "default/data/ui/views/content_dashboard.xml",
+ "hash": "9fa36ed479e778a1844dcd720e0da707f468bdcd9a7e318eb5de3a45a78e4603"
+ },
+ {
+ "path": "default/data/ui/views/traffic_dashboard.xml",
+ "hash": "e3ef94125002d864e5e4b450d9a4f790af19199c899dae2eb427b088e7e01d89"
+ },
+ {
+ "path": "default/data/ui/views/utm_summary.xml",
+ "hash": "296b6c199ddd5d1b0715e6024a4c34425478a13d9cc12ca75644ac0d4a34dbe9"
+ },
+ {
+ "path": "default/data/ui/views/event_dashboard.xml",
+ "hash": "4624c1401aff34289e05409a0d165bd97a7afd3326871a34752979fd86468f43"
+ },
+ {
+ "path": "default/data/models/ftnt_fos.json",
+ "hash": "c9d972eb3b2a2b8eee073024a5ad79900023f504593cfbb735a86c6132a36c6b"
+ },
+ {
+ "path": "default/macros.conf",
+ "hash": "0a3108d582be9c58f17eb209166eea3ebf58b04d854998007239f0408da6bc7b"
+ },
+ {
+ "path": "EULA.pdf",
+ "hash": "4b74b5ff9abd03f8e464aea123a0c9584740a2854d1fde93da80dd0a0c81a605"
+ }
+ ]
+ },
+ "products": [
+ {
+ "platform": "splunk",
+ "product": "enterprise",
+ "versions": [
+ "7.2",
+ "7.3",
+ "8.0",
+ "8.1",
+ "8.2",
+ "9.0"
+ ],
+ "architectures": [
+ "x86_64"
+ ],
+ "operatingSystems": [
+ "windows",
+ "linux",
+ "macos",
+ "freebsd",
+ "solaris",
+ "aix"
+ ]
+ },
+ {
+ "platform": "splunk",
+ "product": "cloud",
+ "versions": [
+ "7.2",
+ "7.3",
+ "8.0",
+ "8.1",
+ "8.2",
+ "9.0"
+ ],
+ "architectures": [
+ "x86_64"
+ ],
+ "operatingSystems": [
+ "windows",
+ "linux",
+ "macos",
+ "freebsd",
+ "solaris",
+ "aix"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/deployment-apps/SplunkAppForFortinet/static/appIcon.png b/deployment-apps/SplunkAppForFortinet/static/appIcon.png
new file mode 100644
index 00000000..33ebf44e
Binary files /dev/null and b/deployment-apps/SplunkAppForFortinet/static/appIcon.png differ
diff --git a/deployment-apps/SplunkAppForFortinet/static/appIconAlt.png b/deployment-apps/SplunkAppForFortinet/static/appIconAlt.png
new file mode 100644
index 00000000..33ebf44e
Binary files /dev/null and b/deployment-apps/SplunkAppForFortinet/static/appIconAlt.png differ
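Review bot: This manifest ships a SHA-256 for each of the 20 files Splunkbase packaged (`"hashAlgorithm": "SHA-256"`, `"files": [...]`), which is a ready-made integrity check for the vendored app that the commit does not use; a CI step that recomputes the hashes of the listed paths under deployment-apps/SplunkAppForFortinet and compares them to the manifest would catch any later local edit to the vendored dashboards or conf files, which should only ever happen under local/. Note its limits when documenting that check: it covers only the listed paths, so anything added under local/ is unverified by design, and the manifest is unsigned, so a match proves consistency with what was downloaded, not authenticity of the download itself. A short README note next to the app stating which Splunkbase release (app id 2800, version 1.6.3, manifest date 2022-11-12) this tree was taken from would make that provenance explicit.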
diff --git a/deployment-apps/SplunkAppForFortinet/static/appIconAlt_2x.png b/deployment-apps/SplunkAppForFortinet/static/appIconAlt_2x.png
new file mode 100644
index 00000000..5953e47f
Binary files /dev/null and b/deployment-apps/SplunkAppForFortinet/static/appIconAlt_2x.png differ
diff --git a/deployment-apps/SplunkAppForFortinet/static/appIcon_2x.png b/deployment-apps/SplunkAppForFortinet/static/appIcon_2x.png
new file mode 100644
index 00000000..5953e47f
Binary files /dev/null and b/deployment-apps/SplunkAppForFortinet/static/appIcon_2x.png differ
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/EULA.pdf b/deployment-apps/Splunk_TA_fortinet_fortigate/EULA.pdf
new file mode 100644
index 00000000..72dbe7c8
Binary files /dev/null and b/deployment-apps/Splunk_TA_fortinet_fortigate/EULA.pdf differ
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/VERSION b/deployment-apps/Splunk_TA_fortinet_fortigate/VERSION
new file mode 100644
index 00000000..400084b1
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/VERSION
@@ -0,0 +1 @@
+1.6.7
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/app.manifest b/deployment-apps/Splunk_TA_fortinet_fortigate/app.manifest
new file mode 100644
index 00000000..44a25486
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/app.manifest
@@ -0,0 +1,69 @@
+{
+ "dependencies": null,
+ "incompatibleApps": null,
+ "info": {
+ "author": [
+ {
+ "name": "splunk_app@fortinet.com",
+ "email": null,
+ "company": null
+ }
+ ],
+ "classification": {
+ "categories": [
+ "Security,Fraud & Compliance"
+ ],
+ "developmentStatus": null,
+ "intendedAudience": null
+ },
+ "commonInformationModels": {
+ "Alerts": "==4.18.1",
+ "Authentication": "==4.18.1",
+ "Change": "==4.18.1",
+ "Email": "==4.18.1",
+ "IDS": "==4.18.1",
+ "Malware": "==4.18.1",
+ "Network Session": "==4.18.1",
+ "Network Trafffic": "==4.18.1",
+ "Performance": "==4.18.1",
+ "Web": "==4.18.1"
+ },
+ "description": "Fortinet FortiGate Add-On for Splunk is the technical add-on (TA) developed by Fortinet, Inc. The add-on enables Splunk Enterprise to ingest or map security and traffic data collected from FortiGate physical and virtual appliances across domains.",
+ "id": {
+ "group": null,
+ "name": "Splunk_TA_fortinet_fortigate",
+ "version": "1.6.7"
+ },
+ "license": {
+ "name": null,
+ "text": null,
+ "uri": null
+ },
+ "privacyPolicy": {
+ "name": null,
+ "text": null,
+ "uri": null
+ },
+ "releaseDate": null,
+ "releaseNotes": {
+ "name": "README",
+ "text": "README.txt",
+ "uri": "https://splunkbase.splunk.com/app/2846/#/overview"
+ },
+ "title": "Fortinet Fortigate Add-on for Splunk"
+ },
+ "inputGroups": null,
+ "platformRequirements": null,
+ "schemaVersion": "2.0.0",
+ "supportedDeployments": [
+ "_standalone",
+ "_distributed",
+ "_search_head_clustering"
+ ],
+ "targetWorkloads": [
+ "_search_heads",
+ "_indexers",
+ "_forwarders"
+ ],
+ "tasks": null
+}
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/default/app.conf b/deployment-apps/Splunk_TA_fortinet_fortigate/default/app.conf
new file mode 100644
index 00000000..d953a137
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/default/app.conf
@@ -0,0 +1,24 @@
+#
+# Splunk app configuration file
+#
+[install]
+is_configured = 0
+build = 1624973079
+
+[ui]
+is_visible = 0
+label = Fortinet Fortigate Add-on for Splunk
+
+[launcher]
+author = splunk_app@fortinet.com
+description = Fortinet FortiGate Add-On for Splunk is the technical add-on (TA) developed by Fortinet, Inc. The add-on enables Splunk Enterprise to ingest or map security and traffic data collected from FortiGate physical and virtual appliances across domains.
+version = 1.6.7
+
+[package]
+id = Splunk_TA_fortinet_fortigate
+check_for_updates = 1
+
+[id]
+name = Splunk_TA_fortinet_fortigate
+version = 1.6.7
+
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/default/data/ui/nav/default.xml b/deployment-apps/Splunk_TA_fortinet_fortigate/default/data/ui/nav/default.xml
new file mode 100644
index 00000000..b2848ad2
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/default/data/ui/nav/default.xml
@@ -0,0 +1,7 @@
+
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/default/eventtypes.conf b/deployment-apps/Splunk_TA_fortinet_fortigate/default/eventtypes.conf
new file mode 100644
index 00000000..3a423591
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/default/eventtypes.conf
@@ -0,0 +1,110 @@
+[ftnt_fortigate]
+search = sourcetype=fgt_traffic OR sourcetype=fgt_utm OR sourcetype=fgt_event OR sourcetype=fgt_anomaly OR sourcetype=fortigate_traffic OR sourcetype=fortigate_utm OR sourcetype=fortigate_event OR sourcetype=fortigate_anomaly
+
+[ftnt_fortigate_traffic]
+search = sourcetype=fgt_traffic OR sourcetype=fortigate_traffic
+
+#[ftnt_fgt_traffic_start]
+#search = sourcetype=fgt_traffic
+
+#[ftnt_fgt_traffic_end]
+#search = sourcetype=fgt_traffic
+
+[ftnt_fortigate_utm]
+search = sourcetype=fortigate_utm OR sourcetype=fortigate_anomaly OR sourcetype = fgt_utm OR sourcetype=fgt_anomaly
+
+[ftnt_fortigate_ips]
+search = (sourcetype=fortigate_utm OR sourcetype=fgt_utm) subtype=ips
+
+[ftnt_fortigate_anomaly]
+search = (sourcetype=fortigate_anomaly OR sourcetype=fortigate_utm OR sourcetype=fgt_anomaly OR sourcetype=fgt_utm) subtype=anomaly
+
+[ftnt_fortigate_virus]
+search = (sourcetype=fortigate_utm OR sourcetype=fgt_utm) subtype=virus vendor_action!=analytics
+
+[ftnt_fortigate_netscan]
+search = (sourcetype=fortigate_utm OR sourcetype=fgt_utm) subtype=netscan
+
+[ftnt_fortigate_spam]
+search = (sourcetype=fortigate_utm OR sourcetype=fgt_utm) subtype=spam
+
+[ftnt_fortigate_webfilter]
+search = (sourcetype=fortigate_utm OR sourcetype=fgt_utm) subtype=webfilter
+
+[ftnt_fortigate_appctrl]
+search = (sourcetype=fortigate_utm OR sourcetype=fgt_utm) subtype=app-ctrl
+
+[ftnt_fortigate_event]
+search = sourcetype=fgt_event OR sourcetype=fortigate_event
+
+[ftnt_fortigate_vpn]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=vpn
+
+[ftnt_fortigate_vpn_cert_change]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=vpn logid IN("0101041984", "0101041987")
+
+[ftnt_fortigate_vpn_auth]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=vpn (vendor_action=negotiate OR vendor_action=ssl-login-fail)
+
+[ftnt_fortigate_vpn_start]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=vpn vendor_action IN("tunnel-up", "install_sa", "ssl-new-con", "ssl-web-pass")
+
+[ftnt_fortigate_vpn_end]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) ((subtype=vpn AND vendor_action IN("tunnel-down", "delete_ipsec_sa", "ssl-web-close")) OR (logid=0107045061 AND connection_type="sslvpn"))
+
+[ftnt_fortigate_wireless]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=wireless
+
+[ftnt_fortigate_wireless_config_change]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=wireless vendor_action IN("oper-channel", "oper-txpower", "config-txpower", "country-config-success", "controller-cfg-loaded", "controller-up", "ap-join", "ap-add")
+
+[ftnt_fortigate_wireless_client_auth]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=wireless (vendor_action=client-ip-detected OR vendor_action=client-deauthentication)
+
+[ftnt_fortigate_wireless_client_authentication]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=wireless vendor_action IN("client-authentication", "user-sign-on-success", "user-sign-on", "user-sign-on-failure")
+
+[ftnt_fortigate_wireless_client_deauthentication]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=wireless vendor_action=client-deauthentication
+
+[ftnt_fortigate_system]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=system
+
+[ftnt_fortigate_dhcp_ack]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=system logid=0100026001
+
+[ftnt_fortigate_auth]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=user vendor_action=authentication (vendor_status=success OR vendor_status=failure)
+
+[ftnt_fortigate_auth_privileged]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=system (vendor_action=login OR vendor_action=logout)
+
+[ftnt_fortigate_auth_privileged_login]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=system vendor_action=login NOT (logid=0100022952 OR logid=0100022949)
+
+[ftnt_fortigate_auth_privileged_logout]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=system vendor_action=logout
+
+[ftnt_fortigate_perf_stats]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=system vendor_action=perf-stats
+
+[ftnt_fortigate_cpu_stats]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=system vendor_action=cpu-usage
+
+[ftnt_fortigate_config_change]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=system (vendor_action IN("Add", "Edit", "delete", "add-vdom", "pba-create", "pba-close") OR logid IN("0100032141", "0100041000", "0100032130", "0100032102"))
+
+[ftnt_fortigate_restart]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) subtype=system (vendor_action=reboot OR vendor_action=shutdown)
+
+[ftnt_fortigate_scanunit_db]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) logid IN("0100022815","0100022813")
+
+[ftnt_fortigate_user_config_change]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) logid IN("0100032132","0102043039")
+
+[ftnt_fortigate_alerts]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) logid IN("0101041990", "0101041992", "0101039946", "0100046600", "0101053103", "0100032006", "0100022918", "0100022952", "0100022949", "0100036883", "0101039944")
+
+[ftnt_fortigate_detected_ip_using_dhcp]
+search = (sourcetype=fortigate_event OR sourcetype=fgt_event) logid=0104043579
\ No newline at end of file
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/default/macros.conf b/deployment-apps/Splunk_TA_fortinet_fortigate/default/macros.conf
new file mode 100644
index 00000000..f86f6d53
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/default/macros.conf
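Review bot: Every eventtype in this file keys on `sourcetype=fortigate_traffic`/`fortigate_utm`/`fortigate_event` (or the `fgt_*` variants), none of which an input assigns directly; they presumably come from the index-time `TRANSFORMS-force_sourcetype_fortigate` rewrite this same TA declares under `[fortigate_log]` and `[fgt_log]` in props.conf (the hunk at the end of this diff, which is cut off). Index-time TRANSFORMS only run on the first full Splunk instance that parses the data (an indexer or heavy forwarder), so if this TA is pushed from deployment-apps only to universal forwarders the raw `fortigate_log` events are indexed unchanged and all of these eventtypes, and the `fortigate_*` macros built on them, match nothing — the server class that receives this TA deserves a line in the repo README. Separately, `[ftnt_fortigate_auth_privileged_login]` silently drops logid 0100022952 and 0100022949, which `[ftnt_fortigate_alerts]` counts instead; a comment above it such as `# 0100022952/0100022949 are excluded here and surfaced via ftnt_fortigate_alerts` would stop a detection author from reading this eventtype as "all admin logins".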
@@ -0,0 +1,55 @@
+########################
+#
+# Base Macros
+#
+########################
+
+
+[fortigate_traffic]
+definition = eventtype=ftnt_fortigate_traffic
+
+[fortigate_utm]
+definition = eventtype=ftnt_fortigate_utm
+
+[fortigate_event]
+definition = eventtype=ftnt_fortigate_event
+
+[fortigate_logs]
+definition = `fortigate_traffic` OR `fortigate_utm` OR `fortigate_event`
+
+[fortigate_virus]
+definition = `fortigate_utm` subtype=virus
+
+[fortigate_ips]
+definition = `fortigate_utm` (subtype=ips OR subtype=anomaly)
+
+[fortigate_anomaly]
+definition = `fortigate_utm` subtype=anomaly
+
+[fortigate_appctrl]
+definition = `fortigate_utm` subtype=app-ctrl
+
+[fortigate_webfilter]
+definition = `fortigate_utm` subtype=webfilter
+
+[fortigate_spam]
+definition = `fortigate_utm` subtype=spam
+
+[fortigate_netscan]
+definition = `fortigate_utm` subtype=netscan
+
+[fortigate_dlp]
+definition = `fortigate_utm` subtype=dlp
+
+[fortigate_vpn]
+definition = `fortigate_event` subtype=vpn
+
+[fortigate_wireless]
+definition = `fortigate_event` subtype=wireless
+
+[fortigate_auth]
+definition = `fortigate_event` subtype=user
+
+[fortigate_system]
+definition = `fortigate_event` subtype=system
+
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/default/props.conf b/deployment-apps/Splunk_TA_fortinet_fortigate/default/props.conf
new file mode 100644
index 00000000..0f29a7e1
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/default/props.conf
@@ -0,0 +1,231 @@
+[fortigate_log]
+TRANSFORMS-force_sourcetype_fortigate = force_sourcetype_fortigate
+SHOULD_LINEMERGE = false
+EVENT_BREAKER_ENABLE = true
+
+[fgt_log]
+TRANSFORMS-force_sourcetype_fgt = force_sourcetype_fortigate
+SHOULD_LINEMERGE = false
+EVENT_BREAKER_ENABLE = true
+
+[fortigate_traffic]
+TIME_PREFIX = ^
+SHOULD_LINEMERGE = false
+EVENT_BREAKER_ENABLE = true
+KV_MODE = none
+REPORT-field_extract = field_extract
+ANNOTATE_PUNCT = false
+EVAL-vendor = "Fortinet"
+EVAL-product = "Firewall"
+EVAL-vendor_product = "Fortinet Firewall"
+EVAL-product_version = coalesce(logver, "50")
+EVAL-devname = coalesce(devname, devid)
+FIELDALIAS-fortigate_traffic_dvc = devname as dvc
+FIELDALIAS-fortigate_traffic_vendor_eventtype = eventtype as vendor_eventtype
+FIELDALIAS-fortigate_traffic_vendor_transport = transport as vendor_transport
+FIELDALIAS-vendor_action = action as vendor_action
+FIELDALIAS-vendor_status = status as vendor_status
+EVAL-ftnt_action = coalesce(utmaction, vendor_action, vendor_status)
+LOOKUP-fortigate_traffic_action = ftnt_action_lookup ftnt_action OUTPUT action
+EVAL-sentbyte = coalesce(sentdelta, sentbyte)
+EVAL-rcvdbyte = coalesce(rcvddelta, rcvdbyte)
+EVAL-bytes = coalesce(rcvddelta + sentdelta, rcvdbyte + sentbyte)
+EVAL-bytes_in = coalesce(rcvddelta, rcvdbyte)
+EVAL-bytes_out = coalesce(sentdelta, sentbyte)
+FIELDALIAS-fortigate_traffic_dest_ip = dstip as dest_ip
+FIELDALIAS-fortigate_traffic_dest = dstip as dest
+FIELDALIAS-fortigate_traffic_dest_interface = dstintf as dest_interface
+FIELDALIAS-fortigate_traffic_dst_mac = dstmac as dest_mac
+FIELDALIAS-fortigate_traffic_dest_port = dstport as dest_port
+FIELDALIAS-fortigate_traffic_dest_translated_ip = tranip as dest_translated_ip
+FIELDALIAS-fortigate_traffic_dest_translated_port = tranport as dest_translated_port
+EVAL-packets = (rcvdpkt + sentpkt)
+EVAL-protocol_version = case(isnotnull(srcip), if(match(srcip,":"), "ipv6", "ipv4"), isnotnull(dstip), if(match(dstip,":"), "ipv6", "ipv4"))
+EVAL-wifi = if(isnotnull(radioband), replace(radioband,",.*",""), null)
+EVAL-tcp_flag = if(vendor_action IN("server-rst","client-rst"), "RST", tcp_flag)
+FIELDALIAS-fortigate_traffic_packets_in = rcvdpkt as packets_in
+FIELDALIAS-fortigate_traffic_packets_out = sentpkt as packets_out
+FIELDALIAS-fortigate_traffic_rule = poluuid as rule
+FIELDALIAS-fortigate_traffic_rule_id = policyid as rule_id
+FIELDALIAS-fortigate_traffic_session_id = sessionid as session_id
+FIELDALIAS-fortigate_traffic_src = srcip as src
+FIELDALIAS-fortigate_traffic_src_interface = srcintf as src_interface
+FIELDALIAS-fortigate_traffic_src_ip = srcip as src_ip
+FIELDALIAS-fortigate_traffic_src_mac = srcmac as src_mac
+FIELDALIAS-fortigate_traffic_src_port = srcport as src_port
+FIELDALIAS-fortigate_traffic_src_translated_ip = transip as src_translated_ip
+FIELDALIAS-fortigate_traffic_src_translated_port = srcport as src_translated_port
+FIELDALIAS-fortigate_traffic_src_zone = srcintfrole as src_zone
+FIELDALIAS-fortigate_traffic_dest_zone = dstintfrole as dest_zone
+EVAL-ssid = coalesce(srcssid, dstssid)
+LOOKUP-fortigate_traffic_ftnt_protocol_lookup = ftnt_protocol_lookup proto OUTPUT transport,protocol
+EVAL-app = coalesce(app, service, transport)
+EVAL-user = coalesce(user, unauthuser)
+
+[fgt_traffic]
+rename = fortigate_traffic
+
+[fortigate_utm]
+#subtype app-ctrl webfilter virus voip ips
+TIME_PREFIX = ^
+SHOULD_LINEMERGE = false
+EVENT_BREAKER_ENABLE = true
+KV_MODE = none
+REPORT-field_extract = field_extract, extract_file_and_file_path, extract_url_domain
+ANNOTATE_PUNCT = false
+FIELDALIAS-fortigate_utm_dest_ip = dstip as dest_ip
+FIELDALIAS-fortigate_utm_vendor_eventtype = eventtype as vendor_eventtype
+FIELDALIAS-fortigate_utm_vendor_url = url as vendor_url
+FIELDALIAS-vendor_action = action as vendor_action
+FIELDALIAS-vendor_status = status as vendor_status
+EVAL-severity = coalesce(severity, crlevel, apprisk, "informational")
+EVAL-vendor = "Fortinet"
+EVAL-product = "Firewall"
+EVAL-vendor_product = "Fortinet Firewall"
+EVAL-ids_type = "network"
+EVAL-product_version = coalesce(logver, "50")
+EVAL-devname = coalesce(devname, devid)
+FIELDALIAS-fortigate_utm_dvc = devname as dvc
+EVAL-ftnt_action = coalesce(vendor_action, vendor_status)
+EVAL-protocol_version = case(isnotnull(srcip), if(match(srcip,":"), "ipv6", "ipv4"), isnotnull(dstip), if(match(dstip,":"), "ipv6", "ipv4"))
+LOOKUP-fortigate_utm_action = ftnt_action_lookup ftnt_action OUTPUT action
+FIELDALIAS-fortigate_utm_rule_id = policyid as rule_id
+FIELDALIAS-fortigate_utm_src_zone = srcintfrole as src_zone
+FIELDALIAS-fortigate_utm_dest_zone = dstintfrole as dest_zone
+FIELDALIAS-fortigate_utm_dest_interface = dstintf as dest_interface
+FIELDALIAS-fortigate_utm_dest = dstip as dest
+FIELDALIAS-fortigate_utm_dest_port = dstport as dest_port
+FIELDALIAS-fortigate_utm_dst_mac = dstmac as dst_mac
+FIELDALIAS-fortigate_utm_session_id = sessionid as session_id
+FIELDALIAS-fortigate_utm_src_interface = srcintf as src_interface
+FIELDALIAS-fortigate_utm_src_ip = srcip as src_ip
+FIELDALIAS-fortigate_utm_src = srcip as src
+FIELDALIAS-fortigate_utm_src_port = srcport as src_port
+FIELDALIAS-fortigate_utm_src_mac = srcmac as src_mac
+EVAL-bytes = (rcvdbyte + sentbyte)
+FIELDALIAS-fortigate_utm_bytes_in = rcvdbyte as bytes_in
+FIELDALIAS-fortigate_utm_bytes_out = sentbyte as bytes_out
+FIELDALIAS-fortigate_utm_http_referrer = referralurl as http_referrer
+FIELDALIAS-http_user_agent = agent as http_user_agent
+FIELDALIAS-fortigate_utm_site = hostname as site
+FIELDALIAS-fortigate_utm_file_hash = analyticscksum as file_hash
+EVAL-file_name = coalesce(filename,file_name)
+EVAL-file_path = if(match(vendor_url,"^\/"),hostname+file_path,file_path)
+EVAL-url = if(match(vendor_url,"^\/"),hostname+vendor_url,vendor_url)
+EVAL-url_domain = coalesce(url_domain,if(match(hostname,"^(?:\d+\.){3}\d+"),null(),hostname))
+EVAL-signature = coalesce(attack, attackname, virus)
+FIELDALIAS-signature_id = attackid as signature_id
+EVAL-category = coalesce(attack, attackname, virus, catdesc, dtype,case(subtype=="app-ctrl", appcat, subtype=="webfilter", urlsource))
+EVAL-app = coalesce(app,service)
+LOOKUP-fortigate_protocol_lookup = ftnt_protocol_lookup proto OUTPUT transport,protocol
+
+[fgt_utm]
+rename = fortigate_utm
+
+[fortigate_anomaly]
+TIME_PREFIX = ^
+SHOULD_LINEMERGE = false
+EVENT_BREAKER_ENABLE = true
+KV_MODE = none
+REPORT-field_extract = field_extract
+ANNOTATE_PUNCT = false
+FIELDALIAS-fortigate_utm_vendor_eventtype = eventtype as vendor_eventtype
+FIELDALIAS-fortigate_utm_vendor_url = url as vendor_url
+FIELDALIAS-vendor_action = action as vendor_action
+FIELDALIAS-vendor_status = status as vendor_status
+EVAL-severity = coalesce(severity, crlevel, apprisk, "informational")
+EVAL-vendor = "Fortinet"
+EVAL-product = "Firewall"
+EVAL-ids_type = "network"
+EVAL-product_version = coalesce(logver, "50")
+EVAL-devname = coalesce(devname, devid)
+FIELDALIAS-fortigate_utm_dvc = devname as dvc
+EVAL-ftnt_action = coalesce(vendor_action, vendor_status)
+LOOKUP-fortigate_utm_action = ftnt_action_lookup ftnt_action OUTPUT action
+FIELDALIAS-fortigate_utm_dest_interface = dstintf as dest_interface
+FIELDALIAS-fortigate_utm_dest = dstip as dest
+FIELDALIAS-fortigate_utm_dest_port = dstport as dest_port
+FIELDALIAS-fortigate_utm_dst_mac = dstmac as dst_mac
+FIELDALIAS-fortigate_utm_session_id = sessionid as session_id
+FIELDALIAS-fortigate_utm_src_interface = srcintf as src_interface
+FIELDALIAS-fortigate_utm_src_ip = srcip as src
+FIELDALIAS-fortigate_utm_src_port = srcport as src_port
+FIELDALIAS-fortigate_utm_src_mac = srcmac as src_mac
+EVAL-bytes = (rcvdbyte + sentbyte)
+FIELDALIAS-fortigate_utm_bytes_in = rcvdbyte as bytes_in
+FIELDALIAS-fortigate_utm_bytes_out = sentbyte as bytes_out
+FIELDALIAS-fortigate_utm_http_method = reqtype as http_method
+FIELDALIAS-fortigate_utm_http_referrer = referralurl as http_referrer
+FIELDALIAS-fortigate_utm_http_status = vendor_action as status
+FIELDALIAS-http_user_agent = agent as http_user_agent
+FIELDALIAS-fortigate_utm_site = hostname as site
+FIELDALIAS-fortigate_utm_file_hash = analyticscksum as file_hash
+FIELDALIAS-fortigate_utm_file_name = filename as file_name
+FIELDALIAS-fortigate_utm_file_path = vendor_url as file_path
+EVAL-url = coalesce(hostname + vendor_url, vendor_url)
+EVAL-signature = coalesce(attack, attackname, virus)
+EVAL-category = coalesce(attack, attackname, virus, catdesc, dtype)
+
+[fgt_anomaly]
+rename = fortigate_anomaly
+
+[fortigate_event]
+TIME_PREFIX = ^
+SHOULD_LINEMERGE = false
+EVENT_BREAKER_ENABLE = true
+KV_MODE = none
+REPORT-field_extract = field_extract, extract_cim_fields_for_user
+ANNOTATE_PUNCT = false
+EVAL-vendor = "Fortinet"
+EVAL-product = "Firewall"
+EVAL-vendor_product = "Fortinet Firewall"
+FIELDALIAS-vendor_action = action as vendor_action
+FIELDALIAS-vendor_status = status as vendor_status
+## Don't remove unknown from vendor_status eval because of lookup dependency.
+EVAL-vendor_status = coalesce(vendor_status, "unknown")
+EVAL-status = if(logid IN("0100041000","0102043039","0100032132"),"success",coalesce(status, case(logid IN("0100032141","0100044547","0104043575","0104043588","0104043594","0104043591","0104043593","0104043551","0104043597","0100032301","0104043612","0104043611","0100022016","0100022015","0100032130","0100032102","0100022813","0100022815"),"success")))
+FIELDALIAS-fortigate_event_vendor_url = url as vendor_url
+FIELDALIAS-fortigate_event_vendor_eventtype = eventtype as vendor_eventtype
+FIELDALIAS-mem_used = mem as mem_used
+EVAL-mem_free = 100 - mem_used
+EVAL-log_action = case(logid IN("0101041984","0100022815","0100022813"), "read", logid IN("0101041987","0100032141","0100041000","0100032102"), "modified", logid=="0100026001", "added", logid=="0100032132", "Local user added", logid=="0100032130", "User changed", true(), action)
+LOOKUP-fortigate_event_action = ftnt_event_action_lookup subtype vendor_action as log_action vendor_status OUTPUT action, change_type
+LOOKUP-fortigate_severity = ftnt_severity_lookup level OUTPUT severity,severity_id
+EVAL-product_version = coalesce(logver, "50")
+EVAL-devname = coalesce(devname, devid)
+FIELDALIAS-fortigate_event_dvc = devname as dvc
+EVAL-user = coalesce(user_name, if(xauthuser=="N/A",null(),xauthuser))
+EVAL-user_name = coalesce(user_name, if(xauthuser=="N/A",null(),xauthuser))
+
+FIELDALIAS-fortigate_system_cpu = cpu as cpu_load_percent
+EVAL-object = coalesce(cfgobj,case(logid IN("0100022016","0100022015"), poolname, logid IN("0101041984","0101041987","0100032130","0100032132"), name, logid=="0100032141", field, logid IN ("0104043551","0104043597"), replace(msg,"^AP\s*(.*?)\s(?:joined\.|added)","\1"), match(logdesc,"^Physical AP radio"), "radio", logid=="0104043575", "client-"+stamac, logid IN("0100032003","0102043039"), user, logid=="0100032301", replace(msg,"Virtual\sdomain\s(.*?)\sis\sadded","\1"), logid=="0104043612", "wireless controller cfg", logid=="0100041000", "FortiGate", logid=="0104043611", "wireless controller", logid=="0100032102", replace(msg,"Configuration\sis\schanged\sin\sthe\s(.*)","\1"), logid IN("0100022813","0100022815"), "Scanunit"))
+EVAL-object_attrs = coalesce(cfgattr, case(vendor_action=="oper-channel", "channel", vendor_action=="oper-txpower", "txpower", vendor_action=="config-txpower", "cfgtxpower",vendor_action=="country-config-success", "country " + configcountry, logid IN("0100022813","0100022815"), "AV Database", logid IN("0101041984","0101041987"), "cert-type"))
+EVAL-object_category = case(logid IN("0104043575","0100032003","0100032130","0102043039","0100032132"), "user", match(logdesc,"^Physical AP radio") OR logid IN("0100032141","0100044547","0104043551","0104043597","0100032301","0104043611","0100022016","0100022015","0100041000","0100032102","0100022813","0100022815"), "configuration",logid IN("0101041984","0101041987","0104043612"), "file")
+EVAL-object_id = coalesce(cfortigateid, cfgtid, case(logid IN("0104043551","0104043597"), ap,logid=="0104043575", stamac, match(logdesc,"^Physical AP radio"), radioid))
+EVAL-object_path = coalesce(cfgpath,case(match(logdesc,"^Physical AP radio"),replace(msg,"\sradio.*","")))
+EVAL-result = coalesce(result, logdesc)
+EVAL-user_type = case(match(logdesc,"^Admin log(?:out|in)"), "Admin", logid=="0104043575", "Wireless client")
+EVAL-src_user_type = case(match(logdesc,"^Admin log(?:out|in)"), "Admin", logid=="0104043575", "Wireless client")
+EVAL-tunnelname = coalesce(vpntunnel,tunnelid)
+REPORT-src_ip_from_ui = src_ip_from_ui
+EVAL-src = coalesce(srcip, remip, src_ip_from_ui, case(logid IN("0104043588","0104043594","0104043591","0104043593","0104043551"),ip))
+EVAL-src_ip = coalesce(srcip, remip, src_ip_from_ui, case(logid IN("0104043588","0104043594","0104043591","0104043593","0104043551"),ip))
+EVAL-dest = coalesce(if(dstip=="N/A",null(),dstip), locip, ssid, case(logid IN("0100032141","0100032301","0100044547","0101039426","0104043588","0104043594","0104043591","0104043593","0104043551","0104043597","0101041984","0101041987","0101041990","0100022952","0101041992","0104043612","0104043611","0100040705","0100022016","0100022015","0100041000","0100032130","0100022918","0100040704","0100022949","0100036883","0100032102","0101039944","0102043039","0100032132","0100022813","0100022815","0100032001","0100032003"),dvc, logid=="0100026001", ip))
+EVAL-dest_ip = coalesce(if(dstip=="N/A",null(),dstip), locip, case(logid=="0100026001", ip))
+EVAL-signature = case(logid IN("0104043579","0101041990","0100022952","0101041992","0101039946","0100046600","0101053103","0100032006","0100022918","0100040704","0100026001","0101039425","0100022949","0100036883","0101039944","0100040704","0101039940","0101037135","0101039948","0101037133"), logdesc, logid IN("0101039424","0101039938"), tunneltype, logid=="0101039943", tunneltype+" "+subtype, logid=="0107045061", connection_type)
+EVAL-dest_mac = coalesce(dest_mac,case(logid=="0100026001", mac))
+EVAL-resource_type = coalesce(resource_type, case(logid IN("0100040704","0100040705"),"system"))
+EVAL-src_port_range = case(logid IN("0100022015","0100022016"), portbegin+"-"+portend)
+EVAL-src_ip_range = if(logid=="0100022015",saddr,null())
+EVAL-dest_ip_range = if(logid=="0100022015",saddr,null())
+FIELDALIAS-body = msg as body
+FIELDALIAS-id = logid as id
+FIELDALIAS-fortigate_wireless_src_mac = stamac as src_mac
+FIELDALIAS-fortigate_wireless_src_interface = vap as src_interface
+FIELDALIAS-lease_duration = lease as lease_duration
+EVAL-wifi = if(isnotnull(radioband), replace(radioband,",.*",""), null)
+EVAL-app = case(logid=="0101039944", tunneltype+" vpn", logid=="0101039946", "vpn", true(), coalesce(authproto,tunneltype,security,case(logid IN("0101041990","0101041992","0101053103","0101037127","0101037121"), "vpn", logid=="0100022918", "FortiGuard",logid IN("0100022952","0100022949"), "FortiCloud",logid IN("0100046600","0100032006","0100036883"), "system", logid IN("0100032002","0100032001"), "FortiOS")))
+FIELDALIAS-authentication_service = security as authentication_service
+
+[fgt_event]
+rename = fortigate_event
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/default/tags.conf b/deployment-apps/Splunk_TA_fortinet_fortigate/default/tags.conf
new file mode 100644
index 00000000..788c5a5c
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/default/tags.conf
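Review bot: `EVAL-wifi = if(isnotnull(radioband), replace(radioband,",.*",""), null)` in both the [fortigate_traffic] and [fortigate_event] stanzas passes a bare `null`, which Splunk eval reads as a field reference rather than the null() function; the rest of this file uses `null()` (the xauthuser and dest evals), so both lines should end `, null())`. The [fortigate_anomaly] stanza sets EVAL-vendor and EVAL-product but, unlike the traffic, utm and event stanzas, has no `EVAL-vendor_product = "Fortinet Firewall"`, and its `FIELDALIAS-fortigate_utm_src_ip = srcip as src` yields `src` with no `src_ip` alias at all, so anomaly events will lack those CIM fields. `EVAL-dest_ip_range = if(logid=="0100022015",saddr,null())` reads the same `saddr` field as the src_ip_range line directly above it, which looks like a copy of that line; worth confirming against the FortiOS fields for that logid. If this TA is kept as shipped, these corrections belong in a local/props.conf overlay rather than in this default file.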
@@ -0,0 +1,107 @@
+[eventtype=ftnt_fortigate_traffic]
+network = enabled
+communicate = enabled
+
+[eventtype=ftnt_fortigate_appctrl]
+network = enabled
+communicate = enabled
+
+[eventtype=ftnt_fortigate_webfilter]
+web = enabled
+
+[eventtype=ftnt_fortigate_virus]
+malware = enabled
+attack = enabled
+operations = enabled
+
+[eventtype=ftnt_fortigate_spam]
+email = enabled
+filter = enabled
+
+[eventtype=ftnt_fortigate_ips]
+ids = enabled
+attack = enabled
+
+[eventtype=ftnt_fortigate_anomaly]
+ids = enabled
+attack = enabled
+
+[eventtype=ftnt_fortigate_auth]
+authentication = enabled
+default = enabled
+
+[eventtype=ftnt_fortigate_wireless_client_authentication]
+authentication = enabled
+default = enabled
+
+[eventtype=ftnt_fortigate_wireless_client_deauthentication]
+change = enabled
+network = enabled
+
+[eventtype=ftnt_fortigate_auth_privileged_login]
+authentication = enabled
+privileged = enabled
+
+[eventtype=ftnt_fortigate_auth_privileged_logout]
+change = enabled
+account = enabled
+
+[eventtype=ftnt_fortigate_vpn_auth]
+authentication = enabled
+default = enabled
+
+[eventtype=ftnt_fortigate_vpn_cert_change]
+change = enabled
+network = enabled
+
+[eventtype=ftnt_fortigate_dhcp_ack]
+network = enabled
+session = enabled
+dhcp = enabled
+
+[eventtype=ftnt_fortigate_detected_ip_using_dhcp]
+network = enabled
+session = enabled
+start = enabled
+
+[eventtype=ftnt_fortigate_vpn_start]
+network = enabled
+session = enabled
+vpn = enabled
+start = enabled
+
+[eventtype=ftnt_fortigate_vpn_end]
+network = enabled
+session = enabled
+vpn = enabled
+end = enabled
+
+[eventtype=ftnt_fortigate_perf_stats]
+os = enabled
+performance = enabled
+cpu = enabled
+memory = enabled
+
+[eventtype=ftnt_fortigate_cpu_stats]
+performance = enabled
+cpu = enabled
+
+[eventtype=ftnt_fortigate_restart]
+change = enabled
+
+[eventtype=ftnt_fortigate_scanunit_db]
+change = enabled
+
+[eventtype=ftnt_fortigate_user_config_change]
+change = enabled
+
+[eventtype=ftnt_fortigate_config_change]
+change = enabled
+network = enabled
+
+[eventtype=ftnt_fortigate_wireless_config_change]
+change = enabled
+network = enabled
+
+[eventtype=ftnt_fortigate_alerts]
+alert = enabled
\ No newline at end of file
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/default/transforms.conf b/deployment-apps/Splunk_TA_fortinet_fortigate/default/transforms.conf
new file mode 100644
index 00000000..58cbbe2e
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/default/transforms.conf
@@ -0,0 +1,45 @@
+##sourcetype
+[force_sourcetype_fortigate]
+SOURCE_KEY = _raw
+DEST_KEY = MetaData:Sourcetype
+REGEX = ^.+?devid=\"?F(?:G|W|\dK).+?(?:\s|\,|\,\s)type=\"?(traffic|utm|event|anomaly)
+FORMAT = sourcetype::fortigate_$1
+
+## LOOKUP
+
+[ftnt_protocol_lookup]
+filename = ftnt_protocol_info.csv
+
+[ftnt_action_lookup]
+filename = ftnt_action_info.csv
+
+[ftnt_event_action_lookup]
+filename = ftnt_event_action_info.csv
+
+[ftnt_severity_lookup]
+filename = ftnt_severity_info.csv
+
+## REPORT
+
+[field_extract]
+DELIMS = "\ ,", "="
+
+[src_ip_from_ui]
+SOURCE_KEY = ui
+REGEX = ((?:\d+\.){3}\d+)
+FORMAT = src_ip_from_ui::$1
+
+[extract_cim_fields_for_user]
+SOURCE_KEY = user
+REGEX = ^(?:N\/A$|(((.*))))
+FORMAT = src_user::$1 src_user_name::$2 user_name::$3
+
+[extract_file_and_file_path]
+SOURCE_KEY = url
+REGEX = ^((?:[^?]*[\/])([^?]*))
+FORMAT = file_path::$1 file_name::$2
+
+[extract_url_domain]
+SOURCE_KEY = url
+REGEX = ^(?:[^:]+:\/\/)?(?!(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|\S+:\/\/))([^:\/]+)
+FORMAT = url_domain::$1
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/lookups/ftnt_action_info.csv b/deployment-apps/Splunk_TA_fortinet_fortigate/lookups/ftnt_action_info.csv
new file mode 100644
index 00000000..31d63f03
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/lookups/ftnt_action_info.csv
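Review bot: `[force_sourcetype_fortigate]` only rewrites the sourcetype when `devid=` begins with FG, FW or F&lt;digit&gt;K and `type=` is one of traffic, utm, event or anomaly; any event that fails that REGEX keeps the raw `fortigate_log` sourcetype, whose props stanza carries no field extractions, so it also gets no eventtype, no tags and never reaches the ftnt_fortigate_alerts or auth eventtypes. Because this runs at index time against _raw, the miss is silent and permanent for those events. A comment above the stanza, e.g. `# Events whose devid/type do not match this REGEX stay sourcetype=fortigate_log and get no CIM fields`, plus a scheduled check on the volume of `sourcetype=fortigate_log` after ingestion, would make an unmatched device family or a new FortiOS log type visible instead of lost.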
@@ -0,0 +1,21 @@
+ftnt_action, action
+pass, allowed
+passthrough, allowed
+log-only, allowed
+blocked, blocked
+block, blocked
+monitored, deferred
+analytics, deferred
+detected, allowed
+dropped, blocked
+allowed, allowed
+accept, allowed
+close, allowed
+deny, blocked
+dns, allowed
+timeout, teardown
+ip-conn, allowed
+allow, allowed
+server-rst, allowed
+client-rst, allowed
+clear_session, blocked
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/lookups/ftnt_event_action_info.csv b/deployment-apps/Splunk_TA_fortinet_fortigate/lookups/ftnt_event_action_info.csv
new file mode 100644
index 00000000..2a55db4c
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/lookups/ftnt_event_action_info.csv
@@ -0,0 +1,53 @@
+subtype, vendor_action, vendor_status, action, change_type
+user, authentication, success, success, auth
+user, authentication, failure, failure, auth
+user, auth-logon, logon, modified, AAA
+wireless, client-ip-detected, unknown, added, auth
+wireless, client-deauthentication, unknown, logoff, AAA
+wireless, client-authentication, unknown, success, AAA
+wireless, user-sign-on-success, unknown, success, AAA
+wireless, user-sign-on, unknown, success, AAA
+wireless, user-sign-on-failure, unknown, failure, AAA
+wireless, oper-channel, unknown, modified, network_config
+wireless, oper-txpower, unknown, modified, network_config
+wireless, country-config-success, unknown, modified, network_config
+wireless, config-txpower, unknown, modified, network_config
+wireless, ap-join, unknown, modified, network_config
+wireless, ap-add, unknown, modified, network_config
+wireless, controller-cfg-loaded, unknown, read, network_config
+wireless, controller-up, unknown, started, network_config
+vpn, negotiate, success, success, auth
+vpn, ssl-login-fail, unknown, failure, AAA
+vpn, negotiate, failure, failure, auth
+vpn, negotiate, negotiate_error, failure, auth
+vpn, negotiate, esp_error, failure, auth
+vpn, read, success, read, filesystem
+vpn, modified, success, modified, filesystem
+vpn, ssl-new-con, unknown, added, network_config
+vpn, ssl-web-pass, unknown, added, network_config
+vpn, ssl-web-close, unknown, blocked, network_config
+vpn, tunnel-up, unknown, added, network_config
+vpn, tunnel-down, unknown, blocked, network_config
+vpn, delete_ipsec_sa, unknown, blocked, network_config
+vpn, install_sa, unknown, added, network_config
+endpoint, close, success, blocked, network_config
+system, login, success, success, auth
+system, login, failed, failure, auth
+system, logout, success, logoff, AAA
+system, logout, failed, logoff, AAA
+system, add, unknown, created, network_config
+system, Add, unknown, created, network_config
+system, added, unknown, added, network_config
+system, modified, unknown, modified, network_config
+system, "Local user added", enable, modified, AAA
+system, "User changed", unknown, modified, AAA
+system, modified, update, modified, filesystem
+system, delete, unknown, deleted, network_config
+system, Delete, unknown, deleted, network_config
+system, Edit, unknown, modified, network_config
+system, shutdown, unknown, modified, restart
+system, reboot, unknown, modified, restart
+system, add-vdom, unknown, modified, network_config
+system, pba-close, unknown, deleted, network_config
+system, pba-create, unknown, created, network_config
+system, read, unknown, read, filesystem
\ No newline at end of file
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/lookups/ftnt_protocol_info.csv b/deployment-apps/Splunk_TA_fortinet_fortigate/lookups/ftnt_protocol_info.csv
new file mode 100644
index 00000000..3b7570a5
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/lookups/ftnt_protocol_info.csv
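Review bot: The lookup carries both `add`/`Add` and `delete`/`Delete` rows but only a capitalised `Edit`, and Splunk CSV lookups match case-sensitively unless the transforms stanza says otherwise, so a lowercase `action=edit` (or any other casing variant a FortiOS release emits) maps to no CIM action or change_type and drops out of the Change data model. Either add `case_sensitive_match = false` under `[ftnt_event_action_lookup]` in transforms.conf or add the missing lowercase rows. The ftnt_fortigate_config_change eventtype in eventtypes.conf likewise lists `"Edit"` but lowercase `"delete"`, so whichever way this is resolved the two should be kept consistent.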
@@ -0,0 +1,138 @@
+proto,transport,protocol
+0,ip,ip
+1,icmp,icmp
+2,igmp,ip
+3,ggp,ip
+4,ipencap,ip
+5,st2,ip
+6,tcp,ip
+7,cbt,ip
+8,egp,ip
+9,igp,ip
+10,bbn-rcc,ip
+11,nvp,ip
+12,pup,ip
+13,argus,ip
+14,emcon,ip
+15,xnet,ip
+16,chaos,ip
+17,udp,ip
+18,mux,ip
+19,dcn,ip
+20,hmp,ip
+21,prm,ip
+22,xns-idp,ip
+23,trunk-1,ip
+24,trunk-2,ip
+25,leaf-1,ip
+26,leaf-2,ip
+27,rdp,ip
+28,irtp,ip
+29,iso-tp4,ip
+30,netblt,ip
+31,mfe-nsp,ip
+32,merit-inp,ip
+33,sep,ip
+34,3pc,ip
+35,idpr,ip
+36,xtp,ip
+37,ddp,ip
+38,idpr-cmtp,ip
+39,tp++,ip
+40,il,ip
+41,ipv6,ip
+42,sdrp,ip
+43,ipv6-route,ip
+44,ipv6-frag,ip
+45,idrp,ip
+46,rsvp,ip
+47,gre,ip
+48,mhrp,ip
+49,bna,ip
+50,esp,ip
+51,ah,ip
+52,i-nlsp,ip
+53,swipe,ip
+54,narp,ip
+55,mobile,ip
+56,tlsp,ip
+57,skip,ip
+58,ipv6-icmp,icmp
+59,ipv6-nonxt,ip
+60,ipv6-opts,ip
+62,cftp,ip
+64,sat-expak,ip
+65,kryptolan,ip
+66,rvd,ip
+67,ippc,ip
+69,sat-mon,ip
+70,visa,ip
+71,ipcv,ip
+72,cpnx,ip
+73,cphb,ip
+74,wsn,ip
+75,pvp,ip
+76,br-sat-mon,ip
+77,sun-nd,ip
+78,wb-mon,ip
+79,wb-expak,ip
+80,iso-ip,ip
+81,vmtp,ip
+82,secure-vmtp,ip
+83,vines,ip
+84,ttp,ip
+85,nsfnet-igp,ip
+86,dgp,ip
+87,tcf,ip
+88,eigrp,ip
+89,ospf,ip
+90,sprite-rpc,ip
+91,larp,ip
+92,mtp,ip
+93,ax.25,ip
+94,ipip,ip
+95,micp,ip
+96,scc-sp,ip
+97,etherip,ip
+98,encap,ip
+100,gmtp,ip
+101,ifmp,ip
+102,pnni,ip
+103,pim,ip
+104,aris,ip
+105,scps,ip
+106,qnx,ip
+107,a/n,ip
+108,ipcomp,ip
+109,snp,ip
+110,compaq-peer,ip
+111,ipx-in-ip,ip
+112,vrrp,ip
+113,pgm,ip
+115,l2tp,ip
+116,ddx,ip
+117,iatp,ip
+118,st,ip
+119,srp,ip
+120,uti,ip
+121,smp,ip
+122,sm,ip
+123,ptp,ip
+124,isis,ip
+125,fire,ip
+126,crtp,ip
+127,crdup,ip
+128,sscopmce,ip
+129,iplt,ip
+130,sps,ip
+131,pipe,ip
+132,sctp,ip
+133,fc,ip
+135,mobility-header,ip
+136,udplite,ip
+137,mpls-in-ip,ip
+138,manet,ip
+139,hip,ip
+140,shim6,ip
+141,wesp,ip
+142,rohc,ip
\ No newline at end of file
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/lookups/ftnt_severity_info.csv b/deployment-apps/Splunk_TA_fortinet_fortigate/lookups/ftnt_severity_info.csv
new file mode 100644
index 00000000..66b9852b
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/lookups/ftnt_severity_info.csv
@@ -0,0 +1,9 @@
+level,severity,severity_id
+emergency,critical,0
+alert,critical,1
+critical,critical,2
+error,high,3
+warning,medium,4
+notice,low,5
+information,informational,6
+debug,informational,7
\ No newline at end of file
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/metadata/default.meta b/deployment-apps/Splunk_TA_fortinet_fortigate/metadata/default.meta
new file mode 100644
index 00000000..21749ecf
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/metadata/default.meta
@@ -0,0 +1,5 @@
+[]
+access = read : [ * ], write : [ * ]
+export = system
+version = 6.2.4
+modtime = 1439517297.392860000
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_auth b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_auth
new file mode 100644
index 00000000..abe6ddbd
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_auth
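Review bot: `access = read : [ * ], write : [ * ]` in default.meta, combined with `export = system`, lets every role write to all of this TA's knowledge objects system-wide, so any user with search access could alter the action and severity lookups or the field extractions that the alert and authentication eventtypes depend on. The conventional setting is `access = read : [ * ], write : [ admin ]` (adding other roles only where this deployment intends it). Since this looks like a vendor package committed as-is, the tightening can go in a metadata/local.meta overlay rather than in this default file, which keeps future upgrades clean.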
@@ -0,0 +1,3 @@
+date=2015-08-11 time=19:25:33 clusterid=FGHA001500704701_CID logver=52 devname=FGT-FortiToken1 devid=FGHA001500704701_CID logid=0102043040 type=event subtype=user level=notice vd=root logdesc="FortiGuard authentication status" srcip=x.x.x.x dstip=N/A policyid=0 user="leolee" group="N/A" authproto="leolee(x.x.x.x)" action=authentication status=logout reason="N/A" msg="User leolee succeeded in logout"
+date=2015-08-11 time=19:25:32 clusterid=FGHA001500704701_CID logver=52 devname=FGT-FortiToken1 devid=FGHA001500704701_CID logid=0102043040 type=event subtype=user level=notice vd=root logdesc="FortiGuard authentication status" srcip=x.x.x.x dstip=N/A policyid=0 user="leolee" group="UG_Dialup_VPN" authproto="leolee(x.x.x.x)" action=authentication status=logout reason="N/A" msg="User leolee succeeded in logout"
+date=2015-08-11 time=19:21:27 clusterid=FGHA001500704701_CID logver=52 devname=FGT-FortiToken1 devid=FGHA001500704701_CID logid=0102043040 type=event subtype=user level=notice vd=root logdesc="FortiGuard authentication status" srcip=x.x.x.x dstip=N/A policyid=0 user="chrisnavarrete" group="N/A" authproto="chrisnavarrete(x.x.x.x)" action=authentication status=logout reason="N/A" msg="User chrisnavarrete succeeded in logout"
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_auth_priviledged b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_auth_priviledged
new file mode 100644
index 00000000..5ed9407d
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_auth_priviledged
@@ -0,0 +1,6 @@
+date=2015-08-11 time=19:25:12 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0100032003 type=event subtype=system level=information vd=root logdesc="Admin logout successful" sn=1439346295 user="fortiguard-it" ui=ssh(x.x.x.x) action=logout status=success duration=17 reason=exit msg="Administrator fortiguard-it logged out from ssh(x.x.x.x)"
+date=2015-08-11 time=19:25:12 devname=2M-Colo1 devid=FG200D4613800211 logid=0100032003 type=event subtype=system level=information vd=root user="fortiguard-it" ui=ssh(x.x.x.x) action=logout status=success duration=17 reason=exit msg="Administrator fortiguard-it logged out from ssh(x.x.x.x)"
+date=2015-08-11 time=19:24:55 devname=2M-Colo1 devid=FG200D4613800211 logid=0100032001 type=event subtype=system level=information vd=root user="fortiguard-it" ui=ssh(x.x.x.x) action=login status=success reason=none profile="FortiGuard" msg="Administrator fortiguard-it logged in successfully from ssh(x.x.x.x)"
+date=2015-08-11 time=19:24:55 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0100032001 type=event subtype=system level=information vd=root logdesc="Admin login successful" sn=1439346295 user="fortiguard-it" ui=ssh(x.x.x.x) action=login status=success reason=none profile="FortiGuard" msg="Administrator fortiguard-it logged in successfully from ssh(x.x.x.x)"
+date=2015-08-11 time=19:21:56 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0100032003 type=event subtype=system level=information vd=root logdesc="Admin logout successful" sn=1439346099 user="fortiguard-it" ui=ssh(x.x.x.x) action=logout status=success duration=17 reason=exit msg="Administrator fortiguard-it logged out from ssh(x.x.x.x)"
+date=2015-08-11 time=19:21:56 devname=2M-Colo1 devid=FG200D4613800211 logid=0100032003 type=event subtype=system level=information vd=root user="fortiguard-it" ui=ssh(x.x.x.x) action=logout status=success duration=17 reason=exit msg="Administrator fortiguard-it logged out from ssh(x.x.x.x)"
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_config_change b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_config_change
new file mode 100644
index 00000000..edad71ee
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_config_change
@@ -0,0 +1,4 @@
+date=2015-08-11 time=17:51:33 clusterid=FGHA001500704701_CID logver=52 devname=FGT-FortiToken1 devid=FGHA001500704701_CID logid=0100044547 type=event subtype=system level=information vd=root logdesc="Object attribute configured" user="FGT_ha_admin" ui="ha_daemon" action=Edit cfgtid=2826195 cfgpath="user.fortitoken" cfgobj="FTKMOB47ED6DD69D" cfgattr="activation-expire[Tue Aug 18 17:49:32 2015->Tue Aug 18 17:49:32 2015]activation-code[DEIKXAXC4O4JO4I4->DEIKXAXC4O4JO4I4]license[EFTM200021556100->EFTM200021556100]" msg="Edit user.fortitoken FTKMOB47ED6DD69D"
+date=2015-08-11 time=17:51:33 clusterid=FGHA001500704701_CID logver=52 devname=FGT-FortiToken1 devid=FGHA001500704701_CID logid=0100044547 type=event subtype=system level=information vd=root logdesc="Object attribute configured" user="FGT_ha_admin" ui="ha_daemon" action=Edit cfgtid=2826194 cfgpath="user.fortitoken" cfgobj="FTKMOB47ED6DD69D" cfgattr="activation-expire[Tue Aug 18 17:49:32 2015->Tue Aug 18 17:49:32 2015]activation-code[DEIKXAXC4O4JO4I4->DEIKXAXC4O4JO4I4]license[EFTM200021556100->EFTM200021556100]" msg="Edit user.fortitoken FTKMOB47ED6DD69D"
+date=2015-08-11 time=17:51:33 clusterid=FGHA001500704701_CID logver=52 devname=FGT-FortiToken1 devid=FGHA001500704701_CID logid=0100044547 type=event subtype=system level=information vd=root logdesc="Object attribute configured" user="FGT_ha_admin" ui="ha_daemon" action=Edit cfgtid=2826193 cfgpath="user.fortitoken" cfgobj="FTKMOB5374362440" cfgattr="activation-expire[Mon Jul 6 08:36:02 2015->N/A]activation-code[DEIFUSXL6VJX42K5->]license[EFTM200036296700->EFTM200036296700]seed[yjfZOwDwMDCfTj2hnldZvFP8mDBqLQSzcVxobe9cgld9cKxT3WyX/QbOPYlrVrwsdQR2jrLZsWqPmCNo7P/XKJu0qWmAxMbnQUkK4CQTvJELIgCLzhZZ69znadXWK8RmzT49oq6Du9Krve9M8E3lonjZxx9HbOa7Mq+T+sMo2A4d+v8t->]" msg="Edit user.fortitoken FTKMOB5374362440"
+date=2015-08-11 time=17:49:37 clusterid=FGHA001500704701_CID logver=52 devname=FGT-FortiToken1 devid=FGHA001500704701_CID logid=0100044547 type=event 
subtype=system level=information vd=root logdesc="Object attribute configured" user="charlihchen" ui="GUI(x.x.x.x)" action=Edit cfgtid=2760243 cfgpath="user.local" cfgobj="gzhang" cfgattr="fortitoken[FTKMOB5374362440->FTKMOB47ED6DD69D]" msg="Edit user.local gzhang"
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_ips b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_ips
new file mode 100644
index 00000000..b661916c
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_ips
@@ -0,0 +1,3 @@
+date=2015-08-11 time=19:04:57 devname=2M-Colo1 devid=FG200D4613800211 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=root severity=medium srcip=x.x.x.x dstip=x.x.x.x srcintf="wan1" dstintf="dmz1" policyid=36 identidx=0 sessionid=815439641 status=detected proto=6 service=http count=1 attackname="FCKeditor.CurrentFolder.Arbitrary.File.Upload" srcport=58214 dstport=80 attackid=17570 sensor="all_default" ref="http://www.fortinet.com/ids/VID17570" incidentserialno=267824612 msg="applications3: FCKeditor.CurrentFolder.Arbitrary.File.Upload,"
+date=2015-08-11 time=19:03:55 devname=2M-Colo1 devid=FG200D4613800211 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=root severity=critical srcip=x.x.x.x dstip=x.x.x.x srcintf="wan1" dstintf="dmz1" policyid=36 identidx=0 sessionid=815436844 status=detected proto=6 service=https count=1 attackname="OpenSSL.TLS.Heartbeat.Information.Disclosure" srcport=33782 dstport=443 attackid=38307 sensor="all_default" ref="http://www.fortinet.com/ids/VID38307" incidentserialno=116664577 msg="applications: OpenSSL.TLS.Heartbeat.Information.Disclosure,"
+date=2015-08-11 time=19:01:09 devname=2M-Colo1 devid=FG200D4613800211 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=root severity=medium srcip=x.x.x.x dstip=x.x.x.x srcintf="wan1" dstintf="dmz1" policyid=36 identidx=0 sessionid=815428740 status=detected proto=6 service=http count=1 attackname="FCKeditor.CurrentFolder.Arbitrary.File.Upload" srcport=59990 dstport=80 attackid=17570 sensor="all_default" ref="http://www.fortinet.com/ids/VID17570" incidentserialno=625870517 msg="applications3: FCKeditor.CurrentFolder.Arbitrary.File.Upload,"
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_perf_stats b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_perf_stats
new file mode 100644
index 00000000..8288ce49
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_perf_stats 
@@ -0,0 +1,6 @@
+date=2015-08-11 time=19:29:36 devname=2M-Colo2 devid=FG200D3913801010 logid=0100040704 type=event subtype=system level=notice vd=root action="perf-stats" cpu=0 mem=36 totalsession=178 msg="Performance statistics"
+date=2015-08-11 time=19:29:31 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0100040704 type=event subtype=system level=notice vd=root logdesc="System performance statistics" action="perf-stats" cpu=26 mem=52 totalsession=257 disk=72 bandwidth=794/734 setuprate=0 disklograte=20 fazlograte=20 msg="Performance statistics: average CPU: 26, memory: 52, concurrent sessions: 257, setup-rate: 0"
+date=2015-08-11 time=19:29:22 devname=US-Wifi-AC2 devid=FG800C3913801927 logid=0100100040704 type=event subtype=system level=notice vd="root" logdesc="System performance statistics" action="perf-stats" cpu=1 mem=25 totalsession=526 disk=2 bandwidth=95/131 setuprate=0 disklograte=0 fazlograte=0 msg="Performance statistics: average CPU: 1, memory: 25, concurrent sessions: 526, setup-rate: 0"
+date=2015-08-11 time=19:28:49 devname=US-Wifi-AC1 devid=FG800C3913802024 logid=0100100040704 type=event subtype=system level=notice vd="root" logdesc="System performance statistics" action="perf-stats" cpu=1 mem=55 totalsession=2115 disk=9 bandwidth=3602/1082 setuprate=11 disklograte=31 fazlograte=31 msg="Performance statistics: average CPU: 1, memory: 55, concurrent sessions: 2115, setup-rate: 11"
+date=2015-08-11 time=19:27:53 clusterid=FGHA001500704701_CID logver=52 devname=FGT-FortiToken1 devid=FGHA001500704701_CID logid=0100040704 type=event subtype=system level=notice vd=root logdesc="System performance statistics" action="perf-stats" cpu=1 mem=57 totalsession=547 disk=8 bandwidth=467/439 setuprate=5 disklograte=5 fazlograte=5 msg="Performance statistics: average CPU: 1, memory: 57, concurrent sessions: 547, setup-rate: 5"
+date=2015-08-11 time=19:27:50 logver=52 devname=US-IDF185_1 devid=FG3K2C3Z13800659 
logid=0100040704 type=event subtype=system level=notice vd=root logdesc="System performance statistics" action="perf-stats" cpu=1 mem=54 totalsession=4871 disk=1 bandwidth=30260/29390 setuprate=15 disklograte=0 fazlograte=50 msg="Performance statistics: average CPU: 1, memory: 54, concurrent sessions: 4871, setup-rate: 15"
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_traffic b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_traffic
new file mode 100644
index 00000000..41d2c228
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_traffic
@@ -0,0 +1,5 @@
+date=2015-08-11 time=19:19:43 devname=Nosey devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=fe80::20c:29ff:fe77:20d4 srcintf="port3" dstip=ff02::1:ff77:20d4 dstintf="port3" sessionid=408903 proto=58 action=accept policyid=2 dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=:: transport=0 service="icmp6/131/0" duration=36 sentbyte=0 rcvdbyte=40 sentpkt=0 rcvdpkt=0 appid=16321 app="IPv6.ICMP" appcat="Network.Service" apprisk=elevated applist="sniffer-profile" appact=detected utmaction=allow countapp=1
+date=2015-08-11 time=19:19:43 devname=Nosey devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=x.x.x.x srcport=0 srcintf="port3" dstip=x.x.x.x dstport=0 dstintf="port3" sessionid=5026 proto=50 action=accept policyid=2 dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=x.x.x.x transport=0 service="esp" duration=33 sentbyte=0 rcvdbyte=204904 sentpkt=0 rcvdpkt=0 appid=16312 app="ESP.IP" appcat="Network.Service" apprisk=elevated applist="sniffer-profile" appact=detected utmaction=allow countapp=1
+date=2015-08-11 time=19:19:43 devname=Nosey devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=x.x.x.x srcport=9909 srcintf="port1" dstip=x.x.x.x dstport=20386 dstintf="port1" sessionid=305 proto=17 action=accept policyid=1 dstcountry="China" srccountry="United States" trandisp=snat transip=x.x.x.x transport=0 service="udp/20386" duration=58 sentbyte=7879 rcvdbyte=197537 sentpkt=0 rcvdpkt=0 appcat="unscanned"
+date=2015-08-11 time=19:19:43 devname=Nosey devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=x.x.x.x srcport=62176 srcintf="port1" dstip=x.x.x.x dstport=1194 dstintf="port1" sessionid=3364 proto=17 action=accept policyid=1 dstcountry="Japan" srccountry="United States" trandisp=snat transip=x.x.x.x transport=0 service="udp/1194" duration=46 
sentbyte=187792 rcvdbyte=17758 sentpkt=0 rcvdpkt=0 appcat="unscanned" devtype="Windows PC" osname="Windows" osversion="7" mastersrcmac=00:09:0f:97:ef:e4 srcmac=00:09:0f:97:ef:e4
+date=2015-08-11 time=19:19:43 devname=Nosey devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=x.x.x.x srcport=60832 srcintf="port1" dstip=x.x.x.x dstport=443 dstintf="port1" sessionid=12512 proto=17 action=accept policyid=1 dstcountry="United States" srccountry="United States" trandisp=snat transip=x.x.x.x transport=0 service="udp/443" duration=10 sentbyte=202281 rcvdbyte=3089 sentpkt=0 rcvdpkt=0 appcat="unscanned" devtype="Windows PC" osname="Windows" osversion="7" mastersrcmac=00:09:0f:97:ef:e4 srcmac=00:09:0f:97:ef:e4
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_virus b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_virus
new file mode 100644
index 00000000..e95f5ddb
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_virus
@@ -0,0 +1,4 @@
+date=2015-08-11 time=19:21:02 logver=52 devname=US-Corp_Main1 devid=FGT37D4613800138 logid=0201009233 type=utm subtype=virus level=notice vd=root msg="File submitted to Sandbox." action=analytics service=HTTP sessionid=1490839738 srcip=x.x.x.x dstip=x.x.x.x srcport=51211 dstport=80 srcintf="External-SDC" dstintf="DMZ" proto=6 direction=incoming filename="functions.js" quarskip=No-skip url="http://oa.fortinet.com/js/functions.js" profile="scan+sandbox" user="" agent="Mozilla/5.0" analyticscksum="0362a2dfabddf155aea6183c04ee7e00e5455d0560882d27b348b9ef1421ba53" analyticssubmit=true
+date=2015-08-11 time=19:21:02 devname=Nosey devid=FG800C3912801080 logid=0201009233 type=utm subtype=virus eventtype=analytics level=notice vd="root" msg="File submitted to Sandbox." action=analytics service=HTTP sessionid=416045 srcip=x.x.x.x dstip=x.x.x.x srcport=63987 dstport=80 srcintf="port1" dstintf="port1" proto=6 direction=incoming quarskip=No-skip url="http://hq.sinajs.cn/?func=WidgetRecentZixuanInsert();&list=s_sh600030,s_sh601988,s_sh601766,s_sh600021,s_sh601989,s_sz002024,s_sz00016" profile="sniffer-profile" user="" agent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36" analyticscksum="a0eb116ee56af75852b7ce4e21da18fefe45586bf123fadde7298aaae4c356b1" analyticssubmit=true
+date=2015-08-11 time=19:21:02 devname=Nosey devid=FG800C3912801080 logid=0201009233 type=utm subtype=virus eventtype=analytics level=notice vd="root" msg="File submitted to Sandbox." 
action=analytics service=HTTP sessionid=416043 srcip=x.x.x.x dstip=x.x.x.x srcport=63986 dstport=80 srcintf="port1" dstintf="port1" proto=6 direction=incoming filename="rn=1439346063419&list=s_sh000001,s_sz399001,s_sh000300,s_sz3994" quarskip=No-skip url="http://hq.sinajs.cn/rn=1439346063419&list=s_sh000001,s_sz399001,s_sh000300,s_sz399415,s_sz399006" profile="sniffer-profile" user="" agent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36" analyticscksum="ce441fbeb2b83ec1bccde14017c4012da52589fe61efcbfeeeecc0bea87089f0" analyticssubmit=true
+date=2015-08-11 time=19:21:02 devname=Nosey devid=FG800C3912801080 logid=0201009233 type=utm subtype=virus eventtype=analytics level=notice vd="root" msg="File submitted to Sandbox." action=analytics service=HTTP sessionid=416042 srcip=x.x.x.x dstip=x.x.x.x srcport=63985 dstport=80 srcintf="port1" dstintf="port1" proto=6 direction=incoming filename="list=s_sh600146,s_sz000753" quarskip=No-skip url="http://hq.sinajs.cn/list=s_sh600146,s_sz000753" profile="sniffer-profile" user="" agent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36" analyticscksum="301c8026a761ea7bc967db9f1f447b0f9ecc011d387866d0fc8eef83972e819e" analyticssubmit=true
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_vpn b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_vpn
new file mode 100644
index 00000000..7c14c176
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_vpn
@@ -0,0 +1,8 @@
+date=2015-08-11 time=19:22:15 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037127 type=event subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="dff154934f2418ec/e111711492ca17ca" user="richard_b" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="Richard_Basile_ph1" status=success init=local mode=xauth dir=outbound stage=1 role=initiator result=OK
+date=2015-08-11 time=19:22:15 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037127 type=event subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="dff154934f2418ec/e111711492ca17ca" user="richard_b" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="Richard_Basile_ph1" status=success init=local mode=aggressive dir=inbound stage=2 role=initiator result=DONE
+date=2015-08-11 time=19:22:15 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037127 type=event subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="dff154934f2418ec/e111711492ca17ca" user="richard_b" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="Richard_Basile_ph1" status=success init=remote mode=aggressive dir=inbound stage=2 role=responder result=DONE
+date=2015-08-11 time=19:22:15 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037127 type=event subtype=vpn level=notice vd=root logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action=negotiate remip=x.x.x.x locip=x.x.x.x 
remport=500 locport=500 outintf="port6" cookies="dff154934f2418ec/e111711492ca17ca" user="richard_b" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="Richard_Basile_ph1" status=success init=remote mode=aggressive dir=outbound stage=1 role=responder result=OK
+date=2015-08-11 time=19:22:15 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037134 type=event subtype=vpn level=notice vd=root logdesc="IPsec phase 1 SA deleted" msg="delete IPsec phase 1 SA" action=delete_phase1_sa remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="ec919861a41622a3/e8c2a6a9eb4d7727" user="thor_e" group="N/A" xauthuser="tevenhouse" xauthgroup="N/A" assignip=N/A vpntunnel="Thor_Evenhouse_ph1"
+date=2015-08-11 time=19:22:15 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037121 type=event subtype=vpn level=error vd=root logdesc="Negotiate IPsec phase 1" msg="negotiate IPsec phase 1" action=negotiate remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="ec919861a41622a3/e8c2a6a9eb4d7727" user="thor_e" group="N/A" xauthuser="tevenhouse" xauthgroup="N/A" assignip=N/A vpntunnel="Thor_Evenhouse_ph1" status=failure result="XAUTH authentication failed"
+date=2015-08-11 time=19:22:15 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037134 type=event subtype=vpn level=notice vd=root logdesc="IPsec phase 1 SA deleted" msg="delete IPsec phase 1 SA" action=delete_phase1_sa remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="ad4dba0c4669e0fd/572014b0c5fc7e70" user="andres_h" group="N/A" xauthuser="aherrera" xauthgroup="N/A" assignip=N/A vpntunnel="Andres_Herrera_ph1"
+date=2015-08-11 time=19:22:15 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037121 type=event subtype=vpn level=error vd=root logdesc="Negotiate IPsec 
phase 1" msg="negotiate IPsec phase 1" action=negotiate remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="ad4dba0c4669e0fd/572014b0c5fc7e70" user="andres_h" group="N/A" xauthuser="aherrera" xauthgroup="N/A" assignip=N/A vpntunnel="Andres_Herrera_ph1" status=failure result="XAUTH authentication failed"
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_vpn_end b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_vpn_end
new file mode 100644
index 00000000..58cdc1f8
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_vpn_end
@@ -0,0 +1,5 @@
+date=2015-08-11 time=19:21:48 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037135 type=event subtype=vpn level=notice vd=root logdesc="IPsec phase 2 SA deleted" msg="delete IPsec phase 2 SA" action=delete_ipsec_sa remip=x.x.x.x locip=x.x.x.x remport=1024 locport=4500 outintf="port6" cookies="d3bb987a97b70dd9/bf23f465ba89f8a5" user="nathan_r" group="N/A" xauthuser="masohan" xauthgroup="UG_S2S_VPN" assignip=N/A vpntunnel="Nathan_Riehl-ph1_0" in_spi="17e66f2" out_spi="2e7d0e3d"
+date=2015-08-11 time=19:21:27 clusterid=FGHA001500704701_CID logver=52 devname=FGT-FortiToken1 devid=FGHA001500704701_CID logid=0101039948 type=event subtype=vpn level=information vd=root logdesc="SSL VPN tunnel down" action="tunnel-down" tunneltype="ssl-tunnel" tunnelid=1709264498 remip=x.x.x.x tunnelip=x.x.x.x user="chrisnavarrete" group="UG_Dialup_VPN_2" dst_host="N/A" reason="N/A" duration=516 sentbyte=2666584 rcvdbyte=1375905 msg="SSL tunnel shutdown"
+date=2015-08-11 time=19:21:20 logver=52 devname=US-Corp_Main1 devid=FGT37D4613800138 logid=0101037135 type=event subtype=vpn level=notice vd=root logdesc="IPsec phase 2 SA deleted" msg="delete IPsec phase 2 SA" action=delete_ipsec_sa remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="External-SDC" cookies="a89d6b3b8dd53bb8/a5c59764925b7d9d" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="Miami_ph1" in_spi="e2c9fd31" out_spi="e760bc42"
+date=2015-08-11 time=19:20:30 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037135 type=event subtype=vpn level=notice vd=root logdesc="IPsec phase 2 SA deleted" msg="delete IPsec phase 2 SA" action=delete_ipsec_sa remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="7967fecde2c3f0c5/c453c72aca6537ad" user="intruguard" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="Intruguard_ph1_0" in_spi="f35a6a5f" 
out_spi="2e7d0e3a"
+date=2015-08-11 time=19:20:28 logver=52 devname=US-Corp_Main1 devid=FGT37D4613800138 logid=0101037135 type=event subtype=vpn level=notice vd=root logdesc="IPsec phase 2 SA deleted" msg="delete IPsec phase 2 SA" action=delete_ipsec_sa remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="External-SDC" cookies="42b66b99542b6bce/03b78c05252fc0a3" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="India_HTC_ph1" in_spi="c343b300" out_spi="e760bc41"
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_vpn_start b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_vpn_start
new file mode 100644
index 00000000..e2840c19
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_vpn_start
@@ -0,0 +1,5 @@
+date=2015-08-11 time=19:22:21 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037133 type=event subtype=vpn level=notice vd=root logdesc="IPsec SA installed" msg="install IPsec SA" action=install_sa remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="e89a7cb47e1cebbf/2804eb970b646c7a" user="praveenl" group="N/A" xauthuser="plokesh" xauthgroup="UG_S2S_VPN" assignip=N/A vpntunnel="Praveen_Lokesh_ph1_0" role=responder in_spi="2e7d0e72" out_spi="091159af"
+date=2015-08-11 time=19:22:18 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037133 type=event subtype=vpn level=notice vd=root logdesc="IPsec SA installed" msg="install IPsec SA" action=install_sa remip=x.x.x.x locip=x.x.x.x remport=4500 locport=4500 outintf="port6" cookies="c9b12b0b3f2afe2d/c26311f8fb3facf6" user="sai-raj" group="N/A" xauthuser="srajamahanthi" xauthgroup="UG_S2S_VPN" assignip=N/A vpntunnel="Sai_Rajamahanthi_ph1" role=responder in_spi="2e7d0e71" out_spi="c60b7fb2"
+date=2015-08-11 time=19:22:14 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037133 type=event subtype=vpn level=notice vd=root logdesc="IPsec SA installed" msg="install IPsec SA" action=install_sa remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="e89a7cb47e1cebbf/2804eb970b646c7a" user="praveenl" group="N/A" xauthuser="plokesh" xauthgroup="UG_S2S_VPN" assignip=N/A vpntunnel="Praveen_Lokesh_ph1_0" role=responder in_spi="2e7d0e70" out_spi="091159ae"
+date=2015-08-11 time=19:21:40 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037133 type=event subtype=vpn level=notice vd=root logdesc="IPsec SA installed" msg="install IPsec SA" action=install_sa remip=x.x.x.x locip=x.x.x.x remport=500 locport=500 outintf="port6" cookies="e89a7cb47e1cebbf/2804eb970b646c7a" user="praveenl" 
group="N/A" xauthuser="plokesh" xauthgroup="UG_S2S_VPN" assignip=N/A vpntunnel="Praveen_Lokesh_ph1_0" role=responder in_spi="2e7d0e6f" out_spi="091159ad"
+date=2015-08-11 time=19:21:27 clusterid=FGHA002020594551_CID logver=52 devname=US-Dialup1 devid=FGHA002020594551_CID logid=0101037133 type=event subtype=vpn level=notice vd=root logdesc="IPsec SA installed" msg="install IPsec SA" action=install_sa remip=x.x.x.x locip=x.x.x.x remport=1024 locport=4500 outintf="port6" cookies="d3bb987a97b70dd9/bf23f465ba89f8a5" user="nathan_r" group="N/A" xauthuser="masohan" xauthgroup="UG_S2S_VPN" assignip=N/A vpntunnel="Nathan_Riehl-ph1_0" role=responder in_spi="2e7d0e6e" out_spi="017e66f3
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_webfilter b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_webfilter
new file mode 100644
index 00000000..fadf974d
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/samples/sample.ftnt_fortigate_webfilter
@@ -0,0 +1,5 @@
+date=2015-08-11 time=19:21:40 logver=52 devname=US-Corp_Main1 devid=FGT37D4613800138 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd=root sessionid=1490844879 user="" srcip=x.x.x.x srcport=50367 srcintf="External-SDC" dstip=x.x.x.x dstport=443 dstintf="Internal" proto=6 service=HTTPS hostname="asset.myfortinet.com" profile="scan" action=passthrough reqtype=direct url="/" sentbyte=1418 rcvdbyte=507 direction=outgoing msg="URL belongs to an allowed category in policy" method=domain cat=52 catdesc="Information Technology"
+date=2015-08-11 time=19:21:40 logver=52 devname=US-IDF175_1 devid=FG3K2C3Z13800741 logid=0315013317 type=utm subtype=webfilter eventtype=urlfilter level=notice vd=root sessionid=284520245 user="" srcip=x.x.x.x srcport=50175 srcintf="PC" dstip=x.x.x.x dstport=80 dstintf="External" proto=6 service=HTTP hostname="x.x.x.x" profile="scan" action=passthrough reqtype=direct url="/device/get/1.xml" sentbyte=169 rcvdbyte=809 direction=outgoing msg="URL has been visited" method=domain cat=0
+date=2015-08-11 time=19:21:40 logver=52 devname=US-Corp_Main1 devid=FGT37D4613800138 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd=root sessionid=1490761283 user="" srcip=x.x.x.x srcport=53971 srcintf="Internal" dstip=192.168.10 dstport=80 dstintf="External-SDC" proto=6 service=HTTP hostname="ping.chartbeat.net" profile="scan" action=passthrough reqtype=referral url="/ping?h=fortune.com&p=%2F2014%2F10%2F27%2Fgoogle-rise-of-sundar-pichai%2F&u=C5sKcjDIa4ndN0LKa&d=fortune.com&g" sentbyte=603 rcvdbyte=213 direction=outgoing msg="URL belongs to an allowed category in policy" method=domain cat=52 catdesc="Information Technology"
+date=2015-08-11 time=19:21:40 logver=52 devname=US-Corp_Main1 devid=FGT37D4613800138 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd=root sessionid=1490842644 user="" srcip=x.x.x.x srcport=53988 srcintf="Internal" dstip=192.168.10 
dstport=80 dstintf="External-SDC" proto=6 service=HTTP hostname="crl.microsoft.com" profile="scan" action=passthrough reqtype=direct url="/pki/crl/products/MicTimStaPCA_2010-07-01.crl" sentbyte=277 rcvdbyte=227 direction=outgoing msg="URL belongs to an allowed category in policy" method=domain cat=52 catdesc="Information Technology"
+date=2015-08-11 time=19:21:40 logver=52 devname=US-Corp_Main1 devid=FGT37D4613800138 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd=root sessionid=1490845588 user="" srcip=x.x.x.x srcport=53235 srcintf="Internal" dstip=x.x.x.x dstport=80 dstintf="External-SDC" proto=6 service=HTTP hostname="popo.wan.ijinshan.com" profile="scan" action=passthrough reqtype=direct url="/popo/launch?c=cHA9d29vZHMxOTgyQGhvdG1haWwuY29tJnV1aWQ9NDBiNDkyZDRmNzdhNjFmOTNlMjQwMjhiYjE3ZGRlYTYmY29tcGl" sentbyte=525 rcvdbyte=325 direction=outgoing msg="URL belongs to an allowed category in policy" method=domain cat=52 catdesc="Information Technology"
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/splunkbase.manifest b/deployment-apps/Splunk_TA_fortinet_fortigate/splunkbase.manifest
new file mode 100644
index 00000000..5eea6518
--- /dev/null
+++ b/deployment-apps/Splunk_TA_fortinet_fortigate/splunkbase.manifest
@@ -0,0 +1,187 @@ +{ + "version": "1.0", + "date": "2023-03-27T17:52:08.507063439Z", + "hashAlgorithm": "SHA-256", + "app": { + "id": 2846, + "version": "1.6.7", + "files": [ + { + "path": "static/appIconAlt.png", + "hash": "afd0661f827ccaf16d7e486d0286304e2ce887706e82c29051fb861bf15adfcf" + }, + { + "path": "static/appIcon.png", + "hash": "afd0661f827ccaf16d7e486d0286304e2ce887706e82c29051fb861bf15adfcf" + }, + { + "path": "static/appIconAlt_2x.png", + "hash": "133e9a0aa2c545c102072ba8d6879509783688b213160c464aa4f0a72456e278" + }, + { + "path": "static/appIcon_2x.png", + "hash": "133e9a0aa2c545c102072ba8d6879509783688b213160c464aa4f0a72456e278" + }, + { + "path": "app.manifest", + "hash": "21e89063d76f943c3f8c40cab83fc37e769b48a59b1c8b2f7b21412d5b397b8f" + }, + { + "path": "README.txt", + "hash": "a5f41c5250ebd3fa4dc14347ed293785d150c9f87ecfa629642dfb7b8eedb07f" + }, + { + "path": "default/transforms.conf", + "hash": "881ddc1bdfb74597125ba7d4d5c72b524a2a5e2cfdb81c16403d8e61f5e2da72" + }, + { + "path": "default/tags.conf", + "hash": "12608b97b2ee5965405a5e07a4f71142353740e7d93a0d373d4f70795dc7ab78" + }, + { + "path": "default/app.conf", + "hash": "ddf6b4aabe0a21feaea9b71e7811b19f7b21a73db5d0bd349244878cc99b0c0b" + }, + { + "path": "default/props.conf", + "hash": "c9c0927ebc4e04828e491e502ff1bd9f479d9521fd7dbed144158e95d83449e0" + }, + { + "path": "default/data/ui/nav/default.xml", + "hash": "35a4889f9adb852e7c27447f3e0275bb42002038746cd7b2559e7d749e0c8540" + }, + { + "path": "default/macros.conf", + "hash": "3f7b94dc5c8331313d09596a1af93746e47df9fc480ab6d06f01983390795d20" + }, + { + "path": "default/eventtypes.conf", + "hash": "7923ecc31a479fee3e806ba044abd1410e915592a004f828f19c722ef18502d6" + }, + { + "path": "LICENSES/LicenseRef-Splunk-1-2020.txt", + "hash": "4890319bc6dddfcd1fb3e4dd6dc32205bce332924d5ac9e5032de1abc542acb7" + }, + { + "path": "VERSION", + "hash": "440031e799a6323ba88b40d71261399d1c65380c5b283810bdaf995b703fb499" + }, + { + "path": 
"lookups/ftnt_event_action_info.csv", + "hash": "99863b3b5c8ee2b486e25966b579387169a636f8d02ad489c3f53b48e529a480" + }, + { + "path": "lookups/ftnt_protocol_info.csv", + "hash": "316aa94b83e5dcd5c04ccf354784bf7ebff809a84806e3fd125714cff9f21b09" + }, + { + "path": "lookups/ftnt_action_info.csv", + "hash": "551b4866a00946b37bee18452679b57bca404cef1f181a09cd80f5c3aa67b0bd" + }, + { + "path": "lookups/ftnt_severity_info.csv", + "hash": "b04c5db17d2da9f2fa6fd38118594609f3dbbc769cc27722de0054df573cfa24" + }, + { + "path": "samples/sample.ftnt_fortigate_ips", + "hash": "b9ac036a0a3dd99a67be4b92166745887bb1b69b04338844c61b6c75c5f9c2d5" + }, + { + "path": "samples/sample.ftnt_fortigate_webfilter", + "hash": "7b3a897dada48fdf24285b5beff165d21d8ebd27156b2313d64ef9d918aec5c7" + }, + { + "path": "samples/sample.ftnt_fortigate_vpn", + "hash": "c571041509ca7e85ab5172549d1d23fb8b2651a006b067356be9733760117dc1" + }, + { + "path": "samples/sample.ftnt_fortigate_perf_stats", + "hash": "adedcf70d120d292dd367c7e93baa6be8cb45edbd27c1de82bf2237d8fc76566" + }, + { + "path": "samples/sample.ftnt_fortigate_virus", + "hash": "27d9385975cd881eeea0acae06858af00af0c008083e975907fcb5a453cc45df" + }, + { + "path": "samples/sample.ftnt_fortigate_config_change", + "hash": "bbf0fa5a49c1ab9f571140b8eba4dda8a5f9906d48d083fb40810203cb907b13" + }, + { + "path": "samples/sample.ftnt_fortigate_auth", + "hash": "4b5e4bb2e93ad9e2448e72a44b41d54c1f42dad8883858c06fa801e0d102a892" + }, + { + "path": "samples/sample.ftnt_fortigate_vpn_end", + "hash": "c31ef1db53c662ea02d96197749234239b058040990eee8fd22b87b9fe1f2370" + }, + { + "path": "samples/sample.ftnt_fortigate_traffic", + "hash": "45464bb1df5153a0b35af13431ff82071dcf496cb24d061701447d6f0d74829d" + }, + { + "path": "samples/sample.ftnt_fortigate_auth_priviledged", + "hash": "49a07c1d617e5339087129bdceee973cf3fd4072fc51b62fd317b6bc03f8e62b" + }, + { + "path": "samples/sample.ftnt_fortigate_vpn_start", + "hash": 
"2855172f693a9fecd6361f9181cd0c3883e38d2f96dbc20c1fba7b4ea83c2cfe" + }, + { + "path": "metadata/default.meta", + "hash": "66aa854b29dd6d888d93d9be91785866da8e7bf76f8ebae45d1852b884a8919c" + }, + { + "path": "EULA.pdf", + "hash": "4b74b5ff9abd03f8e464aea123a0c9584740a2854d1fde93da80dd0a0c81a605" + } + ] + }, + "products": [ + { + "platform": "splunk", + "product": "enterprise", + "versions": [ + "7.2", + "7.3", + "8.0", + "8.1", + "8.2", + "9.0" + ], + "architectures": [ + "x86_64" + ], + "operatingSystems": [ + "windows", + "linux", + "macos", + "freebsd", + "solaris", + "aix" + ] + }, + { + "platform": "splunk", + "product": "cloud", + "versions": [ + "7.2", + "7.3", + "8.0", + "8.1", + "8.2", + "9.0" + ], + "architectures": [ + "x86_64" + ], + "operatingSystems": [ + "windows", + "linux", + "macos", + "freebsd", + "solaris", + "aix" + ] + } + ] +} \ No newline at end of file diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/static/appIcon.png b/deployment-apps/Splunk_TA_fortinet_fortigate/static/appIcon.png new file mode 100644 index 00000000..33ebf44e Binary files /dev/null and b/deployment-apps/Splunk_TA_fortinet_fortigate/static/appIcon.png differ diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/static/appIconAlt.png b/deployment-apps/Splunk_TA_fortinet_fortigate/static/appIconAlt.png new file mode 100644 index 00000000..33ebf44e Binary files /dev/null and b/deployment-apps/Splunk_TA_fortinet_fortigate/static/appIconAlt.png differ diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/static/appIconAlt_2x.png b/deployment-apps/Splunk_TA_fortinet_fortigate/static/appIconAlt_2x.png new file mode 100644 index 00000000..5953e47f Binary files /dev/null and b/deployment-apps/Splunk_TA_fortinet_fortigate/static/appIconAlt_2x.png differ 
diff --git a/deployment-apps/Splunk_TA_fortinet_fortigate/static/appIcon_2x.png b/deployment-apps/Splunk_TA_fortinet_fortigate/static/appIcon_2x.png
new file mode 100644
index 00000000..5953e47f
Binary files /dev/null and b/deployment-apps/Splunk_TA_fortinet_fortigate/static/appIcon_2x.png differ