How to import MISP data threat feeds into FortiSIEM
Note: requires "jq" to be installed on the Supervisor node.
wget -O jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
chmod +x ./jq
cp jq /usr/bin
This would be the very basics of a parser to match your log
\s+<_day:gPatDay>\s+<_time:gPatTime>.*CEF:\d+\|<_body:gPatMesgBody>]]>
toDateTime($_mon, $_day, $_time)
convertStrToIntIpProto($_proto)
combineMsgId("Sharetech-...
Would probably need a little more info on this... but from the above... I
believe you are probably seeing a 4625 event with a "Reason for Error"
populated with "The user is a member of a protected group and must
authenticate with Kerberos"? Or simply...
So I believe with that version of FortiSIEM, your event would be matching
the WinOSWmiParser. If you are comfortable editing parsers, you can add
this extra statement below to the XML that is processing the
18456 eventId
'\..*?\[CLIENT: <_srcId:gPat...