Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Rafa123_
New Contributor II

Cant find tdtype log field anywhere

Hello all!

Hope you all doing great.

 

I have a Fortigate/Fortimanager/Fortianalyzer combo in the organization I work. My FortiManager was alerting some C&C callbacks based on webfilter logs. I do not have the SOC license, but I do have an third party SIEM.

 

I was trying to configure some rules on my SIEM to mimic the C&C callback alerts on my FortiManager. Inspecting my FortiManager default Event Handlers it says that the alerts are generated when the log field tdtype contains the string "infected".

 

The problem is that I cant find the tdtype field anywhere in the logs. Already tried to look at raw logs.

The documentation says near to nothing related to this log field:

 

Fortinet Documentation on event handlers

 


I also checked the very log entry that generater the alerts but couldnt find this field. Anyone could give me a hint on this one?

 

Best Regards!

1 Solution
AlexC-FTNT

Sorry for my previous reply, it is probably not clear enough.

The IOC feature is FortiAnalyzer feature. When FAZ receives logs from FGTs, Hostnames, Ip addresses are checked against IOC database.
If a match occurs with an Infected/malicious IP or hostname, FAZ adds a log field "tdtype" which you see in FAZ logs and not in FGT logs


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -

View solution in original post

4 REPLIES 4
AlexC-FTNT
Staff
Staff

From the FortiGate what you see and expect is the Raw Format and from that Raw format, you can specify the Event Handlers, or you can create custom.
The word tdtype is added in the Event Handler which matches this traffic.

Some examples here:

https://docs.fortinet.com/document/fortianalyzer/6.4.0/examples/424704/event-handler-example-scenari...


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Rafa123_
New Contributor II

Ok, but I am seeing some C&C callbacks on my manager. And when I go to see the logs that generated the alert, that isnt any tdtype field on the raw log either. And the event handler that generates this alerts uses this field on the generic text field to generate the C&C callback alert. See evidence below: 

 

Rafa123__0-1657910693257.png

 

When I click in "View log" this is what I can see: 

Rafa123__1-1657910739422.png

 

fortinet.png

I erased some values but the fields are all there. There is no tdtype field. 

The event handler has this filters: 

Rafa123__2-1657911098476.png

It checks for tdtype on traffic, webfilter and dns logs. 

AlexC-FTNT

Sorry for my previous reply, it is probably not clear enough.

The IOC feature is FortiAnalyzer feature. When FAZ receives logs from FGTs, Hostnames, Ip addresses are checked against IOC database.
If a match occurs with an Infected/malicious IP or hostname, FAZ adds a log field "tdtype" which you see in FAZ logs and not in FGT logs


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
NetworkLearning
New Contributor II

Labels
Top Kudoed Authors