We are doing analytics on ADFS logon failures - Windows event ID 364. We are interested in the Relying Party specifically. We want to get counts of the logon failures by the Relying Party. We can see the relying party in the raw event message, but it cannot be queried on in the analytics or selected as a display column. Does anybody know how to handle this situation?
After opening a ticket with Fortinet support, this has been classified as a bug: bug report #1028529
Can you post a sanitized raw message from FortiSIEM and I can take a look?
Here is the raw message format:
"
2024-04-03T15:05:04Z ADFS.ABDEF.com 192.168.194.244 celOps-WUA-WinLog-AD xx/xxxx [phCustId]="1" [customer]="super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="92bb4a15-e201-4a1c-a415-db27b1ec3e32" [timeZone]="-0500" [eventName]="AD xx/xxxx" [eventSource]="AD FS" [eventId]="364" [eventType]="Warning" [domain]="abcdefg" [computer]="ADFS.ABDEF.com" [user]="bob" [userSID]="S-1-5-21-1960408961-1303643608-1801674531-49031" [userSIDAcctType]="User" [eventTime]="Apr 03 2024 15:05:03" [deviceTime]="Apr 03 2024 15:05:03" [msg]="Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Relying Party:
https://app.company.com/application
Exception details:
Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureAlgorithmMismatchException: MSIS7093: The message is not signed with expected signature algorithm."
Thank you.
If you are using ClickHouse as the database, you can use the EXTRACT function as follows in a Display Field.
EXTRACT(Raw Event Log, "Relying Party: (.*?\n)")
This should give you what you need in a field, and then you can add the COUNT.
Our version is 6.7.9. Is Phoenix the ClickHouse database? I thought it was based on Postgres.
The way to check would be under Admin -> Setup -> Storage / Online and look at the Event Database.
If this is EventDB, then your only option would be a parser modification to extract the value.
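Whether the value ends up in a FortiSIEM display-field regex or in a modified parser, the work is the same: treat the [key]="value" attributes as multi-line (the msg value carries embedded newlines), then take the line that follows "Relying Party:" inside msg and count on it. The script below is an added example, not Fortinet's parser code and not something from this thread; it assumes raw events exported in exactly the format pasted above and counts event 364 by relying party, treating an empty "Relying Party:" line as "(none)" rather than capturing the next label by mistake. Only the first sample event mirrors the one posted; the others, including the urn:federation:hypothetical-crm identifier, are constructed.

```python
import re
from collections import Counter
from typing import Dict, Iterable

# FortiSIEM attributes look like [key]="value". The msg value spans several
# lines, so the character class deliberately admits newlines ([^"] matches \n).
ATTR_RE = re.compile(r'\[(?P<key>\w+)\]="(?P<val>[^"]*)"')

# Event 364 writes the relying party on the line after the label (as in the
# sample above) or, in some renderings, on the same line. An empty line means
# AD FS did not identify one; we must not slide on to "Exception details:".
RP_RE = re.compile(r'Relying Party:[ \t]*(?:\r?\n)?[ \t]*(?P<rp>[^\r\n]*)')


def parse_event(raw: str) -> Dict[str, str]:
    """Split one raw FortiSIEM event into its [key]="value" attributes."""
    return {m.group('key'): m.group('val') for m in ATTR_RE.finditer(raw)}


def relying_party(msg: str) -> str:
    """Return the relying party named in an AD FS 364 message, or '(none)'."""
    m = RP_RE.search(msg)
    rp = m.group('rp').strip() if m else ''
    return rp or '(none)'


def count_364_by_relying_party(raw_events: Iterable[str]) -> Counter:
    """Count AD FS event 364 occurrences keyed by relying party."""
    counts: Counter = Counter()
    for raw in raw_events:
        ev = parse_event(raw)
        if ev.get('eventSource') != 'AD FS' or ev.get('eventId') != '364':
            continue  # other AD FS events or other sources are not logon failures
        counts[relying_party(ev.get('msg', ''))] += 1
    return counts


# Constructed sample data in the format pasted above (sanitized; the header
# tail "xx/xxxx" is kept exactly as the poster redacted it).
HEADER = ('2024-04-03T15:05:04Z ADFS.ABDEF.com 192.168.194.244 celOps-WUA-WinLog-AD xx/xxxx '
          '[phCustId]="1" [eventSource]="AD FS" [eventId]="{eid}" [eventType]="Warning" '
          '[computer]="ADFS.ABDEF.com" [user]="{user}" [msg]="{msg}"')


def make_event(eid: str, user: str, rp: str, exc: str) -> str:
    """Build one constructed raw event with the multi-line 364 message body."""
    msg = ('Encountered error during federation passive request.\nAdditional Data\n'
           'Protocol Name:\nSaml\nRelying Party:\n' + rp + '\nException details:\n' + exc)
    return HEADER.format(eid=eid, user=user, msg=msg)


SAMPLE_EVENTS = [
    # mirrors the posted event
    make_event('364', 'bob', 'https://app.company.com/application',
               'Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureAlgorithmMismatchException: '
               'MSIS7093: The message is not signed with expected signature algorithm.'),
    # constructed: same relying party, second user
    make_event('364', 'alice', 'https://app.company.com/application',
               '(constructed exception text)'),
    # constructed: hypothetical second relying party
    make_event('364', 'carol', 'urn:federation:hypothetical-crm',
               '(constructed exception text)'),
    # constructed: AD FS could not identify a relying party (empty line)
    make_event('364', 'dave', '', '(constructed exception text)'),
    # constructed: a non-364 AD FS event that must be ignored
    make_event('300', 'erin', 'https://app.company.com/application',
               '(constructed non-364 event)'),
]


if __name__ == '__main__':
    for rp, n in count_364_by_relying_party(SAMPLE_EVENTS).most_common():
        print(f'{n:5d}  {rp}')
```

Running it on the constructed sample gives two failures for https://app.company.com/application, one for the hypothetical urn:federation:hypothetical-crm, and one with no relying party; the event 300 line is skipped. The same two regexes are what a FortiSIEM parser change or a ClickHouse EXTRACT expression would need to encode, with the "(none)" branch being the case the one-line regex in the earlier reply does not cover.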
It's eventDB. Modifying the parser doesn't sound like an easy task.