Get ISDB\Internet Service Name in Traffic Logs?
Hello,
I'd like to know if it is possible to include the ISDB name in the FortiGate/FortiAnalyzer traffic logs. I've had access to this information with another vendor and am curious if it can be done with Fortinet.
This log enrichment would be extremely valuable in threat hunting efforts, where traffic can be immediately identified and associated with the source, as opposed to seeing an IP that must be manually looked up.
For context, I've had a lot of success identifying compromised hosts and user accounts by simply searching for inbound traffic originating from VPN vendors and commonly-abused US-based cloud hosting providers like Digital Ocean, AWS, etc.
- Labels: FortiAnalyzer, FortiGate
A given IP can be in more than one, sometimes numerous, categories, some benign, some malicious.
That makes sense, and thank you for the reply. In that case I can see why it is probably not possible to do what I am looking for.
I think what I am really looking for is whether Fortinet has the ability to append the ASN (name or number) to routable IPs and make that available in the logs. I am also working on this with my current SIEM vendor, LogRhythm, but unfortunately they do not have a similar log enrichment capability.
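As an added illustration of the enrichment the poster is after (not code from this thread, from Fortinet or from LogRhythm), the Python below parses FortiGate key=value traffic-log lines and tags srcip/dstip with an ASN from a prefix table, then flags inbound hits from watched ASNs. The log lines, prefixes, ASNs and provider names are constructed for the example; a real deployment would load an RIR delegation file or a commercial ASN feed instead.

```python
import ipaddress
import re

# Constructed prefix -> ASN table (documentation ranges, made-up names).
ASN_TABLE = [
    ("203.0.113.0/24", 64496, "EXAMPLE-VPN-PROVIDER"),
    ("198.51.100.0/24", 64497, "EXAMPLE-CLOUD-HOSTING"),
]
NETS = [(ipaddress.ip_network(c), asn, name) for c, asn, name in ASN_TABLE]
# ASNs a hunter wants surfaced when they appear as the *source* of inbound traffic.
HUNT_ASNS = {64496, 64497}

# Constructed FortiGate-style traffic lines (standard fields: srcip, dstip, srcintfrole ...).
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:00 type="traffic" subtype="forward" srcip=203.0.113.45 '
    'srcport=51234 srcintf="wan1" srcintfrole="wan" dstip=192.0.2.10 dstport=443 '
    'dstintf="port2" dstintfrole="lan" action="accept" service="HTTPS"',
    'date=2024-05-01 time=10:00:01 type="traffic" subtype="forward" srcip=192.0.2.20 '
    'srcport=40000 srcintf="port2" srcintfrole="lan" dstip=198.51.100.7 dstport=443 '
    'dstintf="wan1" dstintfrole="wan" action="accept" service="HTTPS"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_log(line):
    """Turn a key=value syslog line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def lookup_asn(ip):
    """Longest-prefix match of ip against NETS; (None, None) if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, name in NETS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, name)
    return (best[1], best[2]) if best else (None, None)


def enrich(line):
    """Add <field>_asn / <field>_asname for srcip and dstip, plus a hunt flag."""
    rec = parse_fortigate_log(line)
    for field in ("srcip", "dstip"):
        if field in rec:
            rec[field + "_asn"], rec[field + "_asname"] = lookup_asn(rec[field])
    # Inbound = arrived on a WAN-role interface; hit = source sits in a watched ASN.
    rec["hunt_hit"] = rec.get("srcintfrole") == "wan" and rec.get("srcip_asn") in HUNT_ASNS
    return rec


def enrich_all(lines):
    return [enrich(line) for line in lines]
```

Feeding the enriched dicts back to the SIEM (or printing `hunt_hit` records) gives the "who owns this IP" context at search time rather than after a manual lookup.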
Hey nateweso,
FortiGate/Fortinet products can't attach ASN information to logs as far as I'm aware; my apologies.
They can, however, perform reverse lookups on destination IPs and add that information to the logs.
A short KB on the reverse lookup option: https://community.fortinet.com/t5/FortiGate/Technical-Note-Hostname-and-Destination-name-in-traffic-...
I'm not entirely sure if this is in the general direction of what you might be looking for.
