Hello all!
Hope you are all doing well.
I have a FortiGate/FortiManager/FortiAnalyzer combo in the organization I work for. My FortiManager was alerting on some C&C callbacks based on webfilter logs. I do not have the SOC license, but I do have a third-party SIEM.
I was trying to configure some rules on my SIEM to mimic the C&C callback alerts on my FortiManager. Inspecting my FortiManager default Event Handlers, it says that the alerts are generated when the log field tdtype contains the string "infected".
The problem is that I can't find the tdtype field anywhere in the logs. I already tried looking at the raw logs.
The documentation says next to nothing about this log field:
Fortinet Documentation on event handlers
I also checked the very log entry that generated the alerts but couldn't find this field. Could anyone give me a hint on this one?
Best Regards!
Sorry for my previous reply, it is probably not clear enough.
The IOC feature is a FortiAnalyzer feature. When FAZ receives logs from FGTs, hostnames and IP addresses are checked against the IOC database.
If a match occurs with an infected/malicious IP or hostname, FAZ adds a log field "tdtype", which you see in FAZ logs and not in FGT logs.
From the FortiGate, what you see and expect is the raw format, and from that raw format you can use the default Event Handlers or create custom ones.
The word tdtype is added in the Event Handler which matches this traffic.
Some examples here:
Ok, but I am seeing some C&C callbacks on my manager. And when I go to see the logs that generated the alert, there isn't any tdtype field on the raw log either. And the event handler that generates these alerts uses this field in the generic text field to generate the C&C callback alert. See evidence below:
When I click in "View log" this is what I can see:
I erased some values but the fields are all there. There is no tdtype field.
The event handler has these filters:
It checks for tdtype on traffic, webfilter and dns logs.
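The accepted answer says FortiAnalyzer adds the tdtype field only after an IOC match, and the follow-up shows the event handler looking for that field in traffic, webfilter and DNS logs. The following is an added example, not code from the thread or from Fortinet, that shows how a third-party SIEM rule can reproduce that logic: it parses FortiGate-style key=value log lines, simulates the FAZ enrichment step (adding tdtype="infected" when a hostname, queried name or destination IP matches an IOC list), and then applies the same filter the event handler uses. The sample log lines, the IOC lists and the IPs are constructed; the field names type, subtype, srcip, dstip, hostname and qname are assumed to match the FortiGate schema, and the value "infected" is taken from the event-handler filter in the question.

```python
"""Reproduce the FortiAnalyzer C&C-callback event-handler check in a SIEM rule."""
import re

# Constructed sample lines in FortiGate's space-separated key=value style.
# 'type', 'subtype', 'srcip', 'dstip', 'hostname', 'qname' are assumed FortiGate
# field names; 'tdtype' is the field FortiAnalyzer adds on an IOC match.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:00 type="utm" subtype="webfilter" srcip=10.0.0.5 '
    'dstip=203.0.113.10 hostname="bad.example" action="passthrough"',
    'date=2024-01-01 time=10:00:01 type="utm" subtype="webfilter" srcip=10.0.0.5 '
    'dstip=198.51.100.7 hostname="docs.example.org" action="passthrough"',
    'date=2024-01-01 time=10:00:02 type="traffic" subtype="forward" srcip=10.0.0.6 '
    'dstip=203.0.113.10 action="accept"',
    'date=2024-01-01 time=10:00:03 type="utm" subtype="dns" srcip=10.0.0.7 '
    'qname="bad.example" action="pass"',
    'date=2024-01-01 time=10:00:04 type="event" subtype="system" srcip=10.0.0.8 '
    'dstip=203.0.113.10 msg="admin login"',
]

# Constructed IOC lists standing in for the FortiAnalyzer IOC database.
IOC_HOSTS = {"bad.example"}
IOC_IPS = {"203.0.113.10"}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line):
    """Turn one FortiGate-style log line into a dict of field -> string value."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def enrich_with_ioc(fields, ioc_hosts, ioc_ips):
    """Simulate the FAZ step: add tdtype="infected" when an indicator matches.

    The raw FortiGate log never carries tdtype; it only appears after this step,
    which is why the field is absent when the log is viewed on the FortiGate.
    """
    names = {fields.get("hostname", ""), fields.get("qname", "")}
    if names & ioc_hosts or fields.get("dstip", "") in ioc_ips:
        fields = dict(fields, tdtype="infected")
    return fields


def log_category(fields):
    """Map a log to the categories the event handler filters on, else None."""
    if fields.get("type") == "traffic":
        return "traffic"
    if fields.get("type") == "utm" and fields.get("subtype") in ("webfilter", "dns"):
        return fields["subtype"]
    return None


def is_cnc_callback(fields):
    """The event-handler condition: traffic/webfilter/dns log with tdtype ~ 'infected'."""
    return log_category(fields) is not None and "infected" in fields.get("tdtype", "").lower()


def find_cnc_callbacks(lines, ioc_hosts=IOC_HOSTS, ioc_ips=IOC_IPS):
    """Parse, enrich and filter; return (category, srcip, indicator) per alert."""
    alerts = []
    for line in lines:
        fields = enrich_with_ioc(parse_log(line), ioc_hosts, ioc_ips)
        if is_cnc_callback(fields):
            indicator = fields.get("hostname") or fields.get("qname") or fields.get("dstip")
            alerts.append((log_category(fields), fields.get("srcip"), indicator))
    return alerts


if __name__ == "__main__":
    for alert in find_cnc_callbacks(SAMPLE_LOGS):
        print("C&C callback:", alert)
```

Of the five constructed lines, three raise an alert: the webfilter hit on the listed hostname, the traffic session to the listed IP and the DNS query for the listed name. The system event on the last line also matches the IOC IP and gets tdtype added, but it is not one of the three log categories the handler inspects, so it does not alert, which mirrors the filter in the question. In a real deployment the enrichment step is FortiAnalyzer's, so a SIEM fed directly from FortiGate has to do its own indicator matching before a tdtype-style rule can fire.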
Complete training videos on FortiAnalyzer:
https://www.youtube.com/playlist?list=PLZZrO6EbLNumED3lW_hxmwTVehsY9oSKd