Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Rafa123_
New Contributor II

Created on ‎07-13-2022 01:51 PM

Cant find tdtype log field anywhere

Hello all!

Hope you all doing great.

 

I have a Fortigate/Fortimanager/Fortianalyzer combo in the organization I work. My FortiManager was alerting some C&C callbacks based on webfilter logs. I do not have the SOC license, but I do have an third party SIEM.

 

I was trying to configure some rules on my SIEM to mimic the C&C callback alerts on my FortiManager. Inspecting my FortiManager default Event Handlers it says that the alerts are generated when the log field tdtype contains the string "infected".

 

The problem is that I cant find the tdtype field anywhere in the logs. Already tried to look at raw logs.

The documentation says near to nothing related to this log field:

 

Fortinet Documentation on event handlers

 


I also checked the very log entry that generater the alerts but couldnt find this field. Anyone could give me a hint on this one?

 

Best Regards!

1819
0 Kudos
1 Solution
AlexC-FTNT
Staff
Staff
In response to Rafa123_

Created on ‎07-16-2022 12:18 AM

Sorry for my previous reply, it is probably not clear enough.

The IOC feature is FortiAnalyzer feature. When FAZ receives logs from FGTs, Hostnames, Ip addresses are checked against IOC database.
If a match occurs with an Infected/malicious IP or hostname, FAZ adds a log field "tdtype" which you see in FAZ logs and not in FGT logs


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -

View solution in original post

1783
4 REPLIES 4
AlexC-FTNT
Staff
Staff

Created on ‎07-14-2022 05:46 AM

From the FortiGate what you see and expect is the Raw Format and from that Raw format, you can specify the Event Handlers, or you can create custom.
The word tdtype is added in the Event Handler which matches this traffic.

Some examples here:

https://docs.fortinet.com/document/fortianalyzer/6.4.0/examples/424704/event-handler-example-scenari...


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
1802
Rafa123_
New Contributor II

Created on ‎07-15-2022 11:52 AM

Ok, but I am seeing some C&C callbacks on my manager. And when I go to see the logs that generated the alert, that isnt any tdtype field on the raw log either. And the event handler that generates this alerts uses this field on the generic text field to generate the C&C callback alert. See evidence below: 

 

Rafa123__0-1657910693257.png

 

When I click in "View log" this is what I can see: 

Rafa123__1-1657910739422.png

 

fortinet.png

I erased some values but the fields are all there. There is no tdtype field. 

The event handler has this filters: 

Rafa123__2-1657911098476.png

It checks for tdtype on traffic, webfilter and dns logs. 

1790
0 Kudos
AlexC-FTNT
Staff
Staff
In response to Rafa123_

Created on ‎07-16-2022 12:18 AM

Sorry for my previous reply, it is probably not clear enough.

The IOC feature is FortiAnalyzer feature. When FAZ receives logs from FGTs, Hostnames, Ip addresses are checked against IOC database.
If a match occurs with an Infected/malicious IP or hostname, FAZ adds a log field "tdtype" which you see in FAZ logs and not in FGT logs


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
1784
NetworkLearning
New Contributor II

Created on ‎07-17-2022 03:00 PM

https://www.youtube.com/playlist?list=PLZZrO6EbLNumED3lW_hxmwTVehsY9oSKd

Complete Training videos of FortiAnylazer

1779
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.