auppal
Staff
Article Id 273512
Description

 

This article describes how registry filters on the FSSO collector agent can be used to restrict which logon events are registered, based on the fields of the Windows logon event (event ID 4624 is used as the worked example).

 

Scope

 

FSSO, FortiGate.

 

  1. The FSSO collector agent is installed and operating in Polling Mode. DC-Agent mode does not support registry filters.
  2. The FSSO collector agent is connected to the FortiGate and sends logon events to it.

 

Solution

  • Before applying a registry filter, identify which fields of the event the filter should act on; whether the FSSO logon event is registered depends on those fields.

 

Different events carry different fields (listed at the end of this article), and any of them can be used in a filter. Event ID 4624 is used as the example here.

  1. Check the event log in the event viewer to find the values of each field. Navigate to Event Viewer -> Windows Logs -> Security -> Open Logon event -> Details -> Check XML view.
  2. The combined string for event ID 4624 is the following:

SubjectUserSid:S-1-0-0,SubjectUserName:-,SubjectDomainName:-,SubjectLogonId:0x0,TargetUserSid:S-1-5-21-3097977416-1246399418-2134868721-1106,TargetUserName:fsae2,TargetDomainName:FSAE20,TargetLogonId:0x6d817c,LogonType:3,LogonProcessName:NtlmSsp,AuthenticationPackageName:NTLM,WorkstationName:DAVID-COMPT,LogonGuid:{00000000-0000-0000-0000-000000000000},TransmittedServices:-,LmPackageName:NTLM V2,KeyLength:128,ProcessId:0x0,ProcessName:-,IpAddress:-,IpPort:-

  3. Each field can be used as a filter. Some examples:

  a. Event with Kerberos authentication only: 'AuthenticationPackageName:Kerberos'.
  b. Event with a username starting with fsae: 'TargetUserName:fsae.*'.
  c. Event with Logon Type 2, 7 or 10: 'LogonType:(2|7|10)'.
  d. Ignore usernames starting with fsae or fortinet: 'TargetUserName:(?!(fsae)|(fortinet))'.
  e. Include only usernames starting with fsae or fortinet: 'TargetUserName:(?=(fsae)|(fortinet))'.
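The following PowerShell script is an added example and is not part of this article or of the Fortinet agent's code. It rebuilds the combined record string from a 4624 event's XML (the same values as the sample string above, embedded as constructed XML) and then runs the filters a to e against it, so the effect of each expression can be checked before it is written to the registry. It assumes that the collector joins the EventData <Data Name="..."> elements in document order as Name:value pairs separated by commas, writes '-' for empty values, and applies the RE as an unanchored, case-insensitive search; the helper names ConvertTo-FssoRecord and Test-FssoReFilter are hypothetical.

```powershell
# Added example, not from the article: build the 4624 record string and try the sample filters on it.
# Assumption: record = EventData <Data> elements joined as Name:value, comma separated, '-' for empty values.

# Constructed 4624 event XML; values taken from the article's sample record.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-5-21-3097977416-1246399418-2134868721-1106</Data>
    <Data Name="TargetUserName">fsae2</Data>
    <Data Name="TargetDomainName">FSAE20</Data>
    <Data Name="TargetLogonId">0x6d817c</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtlmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">DAVID-COMPT</Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">NTLM V2</Data>
    <Data Name="KeyLength">128</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>
'@

function ConvertTo-FssoRecord {
    # Hypothetical helper: turn event XML into the "Name:value,Name:value" record string.
    param([Parameter(Mandatory)][xml]$Event)
    $ns = New-Object System.Xml.XmlNamespaceManager($Event.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $pairs = foreach ($d in $Event.SelectNodes('//e:EventData/e:Data', $ns)) {
        $value = if ([string]::IsNullOrEmpty($d.InnerText)) { '-' } else { $d.InnerText }
        '{0}:{1}' -f $d.GetAttribute('Name'), $value
    }
    return ($pairs -join ',')
}

function Test-FssoReFilter {
    # Hypothetical helper: $true means the event would be registered, $false means "RE not match".
    # Assumption: unanchored, case-insensitive search over the whole record string.
    param([Parameter(Mandatory)][string]$Record, [Parameter(Mandatory)][string]$Pattern)
    return [regex]::IsMatch($Record, $Pattern, [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
}

$record = ConvertTo-FssoRecord -Event ([xml]$sampleXml)
Write-Host "Record: $record`n"

# The article's examples a to e, keyed by their intent.
$filters = [ordered]@{
    'a. Kerberos only'               = 'AuthenticationPackageName:Kerberos'
    'b. user starts with fsae'       = 'TargetUserName:fsae.*'
    'c. logon type 2, 7 or 10'       = 'LogonType:(2|7|10)'
    'd. ignore fsae/fortinet users'  = 'TargetUserName:(?!(fsae)|(fortinet))'
    'e. include fsae/fortinet users' = 'TargetUserName:(?=(fsae)|(fortinet))'
}

foreach ($name in $filters.Keys) {
    $pattern = $filters[$name]
    $outcome = if (Test-FssoReFilter -Record $record -Pattern $pattern) { 'registered' } else { 'RE not match (dropped)' }
    '{0,-32} {1,-42} -> {2}' -f $name, $pattern, $outcome
}
```

For this sample record (NTLM, user fsae2, Logon Type 3) filters b and e match and a, c and d do not. To try the filters on a real event instead of the constructed one, export it with (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 1).ToXml() and pass the result to ConvertTo-FssoRecord.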

 

  • The Fortinet collector agent supports an RE filter for the following event IDs: 0528, 0540, 0672, 0673, 0674, 0680, 4624, 4768, 4769, 4770, 4776.

To filter which logon events are registered, create a String Value under the collector agent key in the Registry Editor:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fortinet\FSAE\collectoragent

Name the value RE_xxxx after the event ID (RE_0528, RE_0540, ... RE_4776) and enter the filter string as its data.

 

Example:

To register only Logon Type 2, 7 or 10 from event ID 4624:

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fortinet\FSAE\collectoragent and create a new String Value named RE_4624 holding the filter string from example c, as shown below:

RegistrySteps.png

 

Make sure the Type for this entry is REG_SZ:

logontype.png

On the FSSO agent:

Navigate to Advanced Settings -> Event IDs to Poll -> specify 4624.

eventid.png

 

Note:

Specify only the event IDs that need to be filtered, such as 4624 or 4776.

Restart the FSSO service: run 'services.msc' and restart 'Fortinet Single Sign On Agent Service'.

 

restartservice.png
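The same registry and service steps can be scripted. The PowerShell below is an added example, not part of this article or of the Fortinet agent: it creates RE_4624 as a REG_SZ value under the key given above, replaces a value that already exists with the wrong type, checks the pattern compiles, reads the value back, and restarts the service by its display name. The key path and service display name are taken from the article; the filter string is example c. The "Event IDs to Poll" setting is not in the registry as far as this article states, so it still has to be set in the agent's Advanced Settings.

```powershell
# Added example, not from the article: create the RE_4624 REG_SZ filter and restart the agent.
# Run in an elevated PowerShell on the collector agent host.
$keyPath = 'HKLM:\SOFTWARE\Wow6432Node\Fortinet\FSAE\collectoragent'   # path from the article
$name    = 'RE_4624'
$filter  = 'LogonType:(2|7|10)'                                         # example c from the article

if (-not (Test-Path -Path $keyPath)) {
    throw "Collector agent key not found: $keyPath (is the agent installed on this host?)"
}

# Fail early on a pattern that does not compile, instead of finding out from the agent logs.
try { [void][regex]::new($filter) } catch { throw "'$filter' is not a valid regular expression: $_" }

$key = Get-Item -Path $keyPath
if ($key.GetValueNames() -contains $name) {
    # The article requires REG_SZ; a value created with another type (for example REG_MULTI_SZ) is replaced.
    if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::String) {
        Remove-ItemProperty -Path $keyPath -Name $name
        New-ItemProperty -Path $keyPath -Name $name -PropertyType String -Value $filter | Out-Null
    } else {
        Set-ItemProperty -Path $keyPath -Name $name -Value $filter
    }
} else {
    New-ItemProperty -Path $keyPath -Name $name -PropertyType String -Value $filter | Out-Null
}

# Read back exactly what the agent will see: type String (REG_SZ) and the unchanged filter text.
$key   = Get-Item -Path $keyPath
$kind  = $key.GetValueKind($name)
$value = $key.GetValue($name)
if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String -or $value -ne $filter) {
    throw "Unexpected registry state: $name is $kind = '$value'"
}
Write-Host "$name ($kind) = '$value'"

# The article restarts the service after creating the value; this is the services.msc step.
Restart-Service -DisplayName 'Fortinet Single Sign On Agent Service' -Force
Get-Service -DisplayName 'Fortinet Single Sign On Agent Service' | Select-Object Status, Name, DisplayName
```

After the restart, the agent log should no longer report "Failed to read regvalue(REG_SZ)" for re_4624, which is the check the article uses further down.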

 

Once the service is restarted, create a logon event with event ID 4624 and confirm the Logon Type in the Event Viewer:

events.png

 

The Event ID is 4624, which matches. However, the Logon Type is 3, and the filter only registers logon events with Logon Type 2, 7 or 10. Therefore this logon event is expected NOT to appear on the collector agent.

The collector agent debug logs also show whether the logon event matched the RE filter created in the Registry Editor:

09/12/2023 12:50:59 [ 3084] [D][EPPoller]ApplyReFilter, RE not match:: EvtID=4624, Record=SubjectUserSid:S-1-0-0,SubjectUserName:-,SubjectDomainName:-,SubjectLogonId:0x0,TargetUserSid:S-1-5-21-90155476-3764056487-291651316-1105,TargetUserName:test,TargetDomainName:xyz.COM,TargetLogonId:0x53e86a8,LogonType:3,LogonProcessName:Kerberos,AuthenticationPackageName:Kerberos,WorkstationName:-,LogonGuid:{f46e9b8b-0058-ad0c-9c12-7c64f2c108d0},TransmittedServices:-,LmPackageName:-,KeyLength:0,ProcessId:0x0,ProcessName:-,IpAddress:10.0.0.201,IpPort:58711

 

Since the filter did NOT match, this logon event produces no logon user on the collector agent.

 

The collector agent logs also show whether it could find a registry filter for each supported event ID.

For event IDs that have no filter, the following entries are produced:

09/12/2023 12:40:48 [ 7412] Failed to read regvalue(REG_SZ) "re_0528"
09/12/2023 12:40:48 [ 7412] Failed to read regvalue(REG_SZ) "re_0540"
09/12/2023 12:40:48 [ 7412] Failed to read regvalue(REG_SZ) "re_0672"
09/12/2023 12:40:48 [ 7412] Failed to read regvalue(REG_SZ) "re_0673"
09/12/2023 12:40:48 [ 7412] Failed to read regvalue(REG_SZ) "re_0674"
09/12/2023 12:40:48 [ 7412] Failed to read regvalue(REG_SZ) "re_0680"
09/12/2023 12:40:48 [ 7412] Failed to read regvalue(REG_SZ) "re_4770"
09/12/2023 12:40:48 [ 7412] Failed to read regvalue(REG_SZ) "cert_file"
09/12/2023 12:40:48 [ 7412] Failed to read regvalue(REG_SZ) "key_file"

 


Note:

As there is a filter for re_4624, the collector agent reads that regvalue successfully and no error is logged for it.

The following collector agent log entry shows which event IDs are being polled:

09/12/2023 12:40:48 [ 7412] [I][EPPoller]EventIDs(0): 4624, 0, 0, 0, 0, 0, 0, 0.
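When the agent log is long, the three message formats quoted above (the "Failed to read regvalue" entries, the EventIDs line, and the "RE not match" debug entry) can be summarised automatically. The PowerShell below is an added example, not part of this article or of the Fortinet agent; the log lines it runs on are constructed from the article's excerpts (the record in the last line is shortened), and the function name Get-FssoReFilterSummary is hypothetical. It only recognises the formats shown in this article; the wording the agent uses for a matching event is not quoted here, so matches are not counted.

```powershell
# Added example, not from the article: summarise the collector agent log entries used for verification.
# Constructed sample lines, copied and shortened from the article's excerpts.
$sampleLogText = @'
09/12/2023 12:40:48 [ 7412] Failed to read regvalue(REG_SZ) "re_0528"
09/12/2023 12:40:48 [ 7412] Failed to read regvalue(REG_SZ) "re_0540"
09/12/2023 12:40:48 [ 7412] Failed to read regvalue(REG_SZ) "re_4770"
09/12/2023 12:40:48 [ 7412] Failed to read regvalue(REG_SZ) "cert_file"
09/12/2023 12:40:48 [ 7412] [I][EPPoller]EventIDs(0): 4624, 0, 0, 0, 0, 0, 0, 0.
09/12/2023 12:50:59 [ 3084] [D][EPPoller]ApplyReFilter, RE not match:: EvtID=4624, Record=SubjectUserSid:S-1-0-0,SubjectUserName:-,TargetUserName:test,TargetDomainName:xyz.COM,LogonType:3,IpAddress:10.0.0.201,IpPort:58711
'@
$sampleLog = $sampleLogText -split "`r?`n"

function Get-FssoReFilterSummary {
    # Hypothetical helper: parse the three log formats quoted in the article into one summary object.
    param([Parameter(Mandatory)][string[]]$Lines)
    $missing = New-Object System.Collections.Generic.List[string]
    $polled  = @()
    $dropped = New-Object System.Collections.Generic.List[object]
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            'Failed to read regvalue\(REG_SZ\) "re_(\d{4})"' {
                # No RE_xxxx value exists for this event ID, so events with this ID are not filtered.
                $missing.Add($Matches[1]); break
            }
            '\[EPPoller\]EventIDs\(\d+\): (.+)\.$' {
                # Event IDs configured under "Event IDs to Poll"; zeros are empty slots.
                $polled = $Matches[1] -split ',\s*' | Where-Object { $_ -ne '0' }; break
            }
            'ApplyReFilter, RE not match:: EvtID=(\d+), Record=(.+)$' {
                $evtId = $Matches[1]; $record = $Matches[2]
                # Pull out the two fields most often filtered on so the summary is readable.
                $user = if ($record -match 'TargetUserName:([^,]*)') { $Matches[1] } else { '?' }
                $type = if ($record -match 'LogonType:([^,]*)')      { $Matches[1] } else { '?' }
                $dropped.Add([pscustomobject]@{ EvtID = $evtId; TargetUserName = $user; LogonType = $type }); break
            }
        }
    }
    [pscustomobject]@{
        PolledEventIds     = @($polled)
        EventIdsWithoutRe  = @($missing)
        # A polled ID that was not reported as missing has a readable RE_xxxx value (re_4624 in the article).
        PolledWithReFilter = @($polled | Where-Object { $missing -notcontains $_ })
        DroppedByReFilter  = @($dropped)
    }
}

$summary = Get-FssoReFilterSummary -Lines $sampleLog
$summary | Format-List
$summary.DroppedByReFilter | Format-Table -AutoSize
```

On the sample lines this reports 4624 as polled and filtered, 0528, 0540 and 4770 as having no filter, and one 4624 event (user test, Logon Type 3) dropped by the RE. For a live agent, replace $sampleLog with Get-Content of the collector agent log file.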


Below are the supported event IDs and their fields:

0528 fields list:
User Name,Domain,Logon ID,Logon Type,Logon Process,Authentication Package,Workstation Name,Logon GUID,Caller User Name,Caller Domain,Caller Logon ID,Caller Process ID,Transited Services,Source Network Address,Source Port

0540 fields list:
User Name,Domain,Logon ID,Logon Type,Logon Process,Authentication Package,Workstation Name,Logon GUID,Caller User Name,Caller Domain,Caller Logon ID,Caller Process ID,Transited Services,Source Network Address,Source Port

0672 fields list:
User Name,Supplied Realm Name,User ID,Service Name,Service ID,Ticket Options,Result Code,Ticket Encryption Type,Pre-Authentication Type,Client Address,Certificate Issuer Name,Certificate Serial Number,Certificate Thumbprint

0673 fields list:
User Name,User Domain,Service Name,Service ID,Ticket Options,Ticket Encryption Type,Client Address,Failure Code,Logon GUID,Transited Services

0674 fields list:
User Name,User Domain,Service Name,Service ID,Ticket Options,Ticket Encryption Type,Client Address

0680 fields list:
Logon Attempt by,Logon Account,Source Workstation,Error Code

4624 fields list:
SubjectUserSid,SubjectUserName,SubjectDomainName,SubjectLogonId,TargetUserSid,TargetUserName,TargetDomainName,TargetLogonId,LogonType,LogonProcessName,AuthenticationPackageName,WorkstationName,LogonGuid,TransmittedServices,LmPackageName,KeyLength,ProcessId,ProcessName,IpAddress,IpPort

4768 fields list:
TargetUserName,TargetDomainName,TargetSid,ServiceName,ServiceSid,TicketOptions,Status,TicketEncryptionType,PreAuthType,IpAddress,IpPort,CertIssuerName,CertSerialNumber,CertThumbprint

4769 fields list:
TargetUserName,TargetDomainName,ServiceName,ServiceSid,TicketOptions,TicketEncryptionType,IpAddress,IpPort,Status,LogonGuid,TransmittedServices

4770 fields list:
TargetUserName,TargetDomainName,ServiceName,ServiceSid,TicketOptions,TicketEncryptionType,IpAddress,IpPort

4776 fields list:
PackageName,TargetUserName,Workstation,Status


Related article:
Technical Tip: Registry filter with event ID set to 0, 1 or 2 on FSSO collector agent not working