FortiSIEM Discussions
Bruce7x2
New Contributor III

[FortiSIEM] Process of Log Capture and Rule Creation in Different Environments

Dear Team,

I currently want to fetch a log from a Supervisor/Collector in an operational environment and import this log into the Supervisor/Collector in my LAB environment.

This will allow me to create a rule to trigger incidents and finally import this rule into the operational environment.

Therefore, I would like to know whether there is a more convenient method to achieve this goal (fetching and importing logs), other than directly capturing the raw log through tcpdump in the CLI of the Supervisor/Collector.

Best Regards,

Bruce

Bruce Liu
5 REPLIES
PartBhat
Staff

Collector logs are fed into FortiSIEM. So you can query them from GUI and export the result to CSV files.

sioannou
Contributor

Hi,

There are 3 ways you can achieve this:

1) Replicating logs to the test environment.

You can utilise the procedure here and forward your production logs either from collector or worker to the demo environment.

https://help.fortinet.com/fsiem/7-1-3/Online-Help/HTML5_Help/Event_Handling_Settings.htm#Event2

You can size your test environment as required and build the rule.

2) Utilise the FortiSIEM API for Event Query.

You can utilise the Event Query API, export the logs and replay them either using python or netcat to your collector. You can set the timers and polling periods as you like.

3) Utilising the Analytics Engine.

With the analytics engine you have 2 options:

a) You can utilise the "Actions" option and then create a rule from your search queries. From there you can set the rule as disabled and utilise it as a query until you get the desired results. This imposes a limitation for rules with multiple subpatterns, since you can only utilise a single subpattern for a query at a time.

b) You can set a time on the analytics and then export the raw logs in CSV format. The raw logs can be easily replayed either utilising netcat (https://gist.github.com/dwallraff/82a629a5836947ab975a4999ee6b964f) or a python script.

General advice: do not export and import the rules; rebuild them in the production environment, as we have seen conflicts with existing Event_Types.

Regards,

S

Bruce7x2
New Contributor III

Hi Sioannou,
I do appreciate you providing such comprehensive information. This is very helpful to me.

Bruce Liu
FSM_FTNT
Staff

Hi Bruce,

Can I clarify my understanding...

You have FortiSIEM in a separate OT environment that receives logs from devices.
You have a lab with FortiSIEM in which you want to create rules and test the rules from events received in the production FortiSIEM OT environment.

If that is correct, I would suggest that you export the logs you need with the "Raw Event Log" field in CSV format from the production environment.

Then, create the rule you need in the lab environment and either:

1) Use the test rule feature where you enter test events; or

2) Take the raw event and send it via netcat to FortiSIEM and see if the rule matches. Example:

nc -u <IP/hostname> <port>
<log>
CTRL+C

Example:

nc -u 127.0.0.1 514
<190>Jan 31 09:03:06 time=09:28:55 devname="100D_OT" devid="FG240D3913800456" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="root" eventtime=1529072935 appid=25873 srcip=10.100.23.2 dstip=10.100.14.2 srcport=46671 dstport=502 srcintf="Level2-3" srcintfrole="lan" dstintf="Level1-4" dstintfrole="lan" proto=6 service="tcp/502" policyid=9 sessionid=37164675 applist="default" appcat="Industrial" app="Modbus_Read.Input.Registers" action="pass" incidentserialno=59599764 msg="Industrial: Modbus_Read.Input.Registers," apprisk="elevated"
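As an added example (not code from the thread or from Fortinet), the following Python script covers both sioannou's "export the raw logs in CSV format and replay with a python script" suggestion and the netcat replay step above: it reads the "Raw Event Log" column of a constructed CSV export and sends each line as a UDP syslog datagram to a lab collector. Assumptions: the column is named as in the thread, the lab collector listens on UDP 514, and a `<13>` PRI is prepended only to exported lines that carry none.

```python
# Added example (not Fortinet's code): replay the "Raw Event Log" column of a
# FortiSIEM CSV export to a lab collector as UDP syslog (assumes UDP 514).
import csv
import io
import re
import socket
import time

PRI_RE = re.compile(r"^<\d{1,3}>")
DEFAULT_PRI = "<13>"  # user.notice; assumption: added only when a line has no PRI

# Constructed sample export: first line adapted from the thread, second has no PRI.
SAMPLE_CSV = '''"Event Receive Time","Reporting IP","Raw Event Log"
"2024-01-31 09:03:06","10.100.1.1","<190>Jan 31 09:03:06 devname=""100D_OT"" devid=""FG240D3913800456"" type=""utm"" subtype=""app-ctrl"" srcip=10.100.23.2 dstip=10.100.14.2 dstport=502 app=""Modbus_Read.Input.Registers"" action=""pass"""
"2024-01-31 09:03:07","10.100.1.1","Jan 31 09:03:07 devname=""100D_OT"" type=""traffic"" srcip=10.100.23.2 dstip=10.100.14.2 dstport=502 action=""accept"""
'''

def extract_raw_events(csv_text, column="Raw Event Log"):
    """Return the non-empty raw event strings from the named export column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if column not in (reader.fieldnames or []):
        raise ValueError(f"column {column!r} not found in export header")
    return [row[column].strip() for row in reader if (row.get(column) or "").strip()]

def to_syslog_datagram(raw_event):
    """Strip trailing newlines and make sure the line starts with a PRI header."""
    msg = raw_event.rstrip("\r\n")
    if not PRI_RE.match(msg):
        msg = DEFAULT_PRI + msg
    return msg.encode("utf-8")

def replay(datagrams, host, port, delay=0.05, send=None):
    """Send each datagram over UDP; `send` can be injected (e.g. list.append) for dry runs."""
    sock = None
    if send is None:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        send = lambda data: sock.sendto(data, (host, port))
    sent = 0
    try:
        for data in datagrams:
            send(data)
            sent += 1
            time.sleep(delay)  # pace events so rule time windows see them in order
    finally:
        if sock is not None:
            sock.close()
    return sent

if __name__ == "__main__":
    events = extract_raw_events(SAMPLE_CSV)
    print("replayed", replay([to_syslog_datagram(e) for e in events], "127.0.0.1", 514))
```

Point it at the lab collector's address instead of 127.0.0.1 and watch the Analytics view for the replayed events before checking whether the rule fires.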
Bruce7x2
New Contributor III

Yes, your understanding is almost correct. Thank you for your detailed and thoughtful reply.

Bruce Liu