Fortinet

Overview

Table name: fortinet_firewall

Fortinet Firewall logs provide detailed records of events and traffic flowing through the firewall. These logs are crucial for security analysis, troubleshooting, and compliance reporting. They include information on allowed and denied traffic, security threats detected, system events, VPN activities, and more. Analyzing these logs helps in identifying suspicious activities, understanding traffic patterns, and ensuring the network's security posture is maintained effectively.

Learn more here.

For details on specific events logged see here.

Send data to Hunters

Hunters supports the ingestion of Fortinet logs via an intermediary AWS S3 bucket.

To connect Fortinet logs:

1. Export your logs from Fortinet to an AWS S3 bucket by following this guide.

2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in KeyVal format.

date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="vdom1" eventtime=1510775056000 srcip=10.1.100.155 srcname="pc1" srcport=40772 srcintf="port12" srcintfrole="undefined" dstip=35.197.51.42 dstname="fortiguard.com" dstport=443 dstintf="port11" dstintfrole="undefined" poluuid="707a0d88-c972-51e7-bbc7-4d421660557b" sessionid=8058 proto=6 action="close" policyid=1 policytype="policy" policymode="learn" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=172.16.200.2 transport=40772 appid=40568 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" duration=2 sentbyte=1850 rcvdbyte=39898 sentpkt=25 rcvdpkt=37 utmaction="allow" countapp=1 devtype="Linux PC" osname="Linux" mastersrcmac="a2:e9:00:ec:40:01" srcmac="a2:e9:00:ec:40:01" srcserver=0 utmref=0-220586

Overview

Table name: fortinet_fortianalyzer

Fortinet FortiAnalyzer Logs provide centralized logging and analysis for Fortinet security devices, enabling organizations to collect, store, and analyze logs from multiple sources. This helps identify security incidents, monitor network activity, and meet compliance requirements. FortiAnalyzer supports advanced analytics, reporting, and visualization tools, allowing for streamlined investigation and response to threats.

Send data to Hunters

Hunters supports the ingestion of Fortinet logs via an intermediary AWS S3 bucket.

To connect Fortinet logs:

1. Export your logs from Fortinet to an AWS S3 bucket by following this guide.

2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in KeyVal format.

date=2024-04-01 time=02:12:12 tz=\"+0100\" devname=SU-FAZ-SH-1OG1 device_id=FL-2HFTB20000891 log_id=0001010081 type=event subtype=system pri=notice desc=\"System performance statistics notice\" user=\"system\" userfrom=\"system\" msg=\"System Performance status: log rate low (0%), lograte=0/sec, msgrate=0/sec, CPU usage(0%), Memory usage(34%)\" operation=\"Perf stats\" performed_on=\"Local system\" changes=\"Show system performance stats.\" lograte=0 msgrate=0 logratelimit=3000 logratepeak=4500 action=\"Stats\" cpuusage=0 memusage=34

Overview

Table name: fortimail_logs

Fortinet FortiMail Logs record email traffic and activity within the FortiMail secure email gateway. These logs provide detailed insights into email flows, spam filtering, and potential threats, helping organizations monitor and analyze email-based security events. FortiMail logs support compliance reporting, threat investigation, and proactive measures against phishing, malware, and other email-borne attacks.

Send data to Hunters

Hunters supports the ingestion of Fortinet logs via an intermediary AWS S3 bucket.

To connect Fortinet logs:

1. Export your logs from Fortinet to an AWS S3 bucket by following this guide.

2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in KeyVal format.

date=2024-12-06 time=07:18:26.596 device_id=FEVM02TM22000482 log_id=0702005398 type=kevent subtype=system pri=information  user=system ui=system action=none status=success msg="ldapcached: type=User, file=QueryFactory.cpp, line=561, exception=LDAPException( 4 ) , Connection.cpp:470,  'Error: 'Invalid credentials' during bind to ldap://[10.10.0.1]:389/'LDAPException( 4 ) , Connection.cpp:508,"

date=2024-12-06 time=07:18:26.596 device_id=FEVM22000482 log_id=07005398 type=kevent subtype=system pri=information  user=system ui=system action=none status=success msg="ldaapcached: type=User, file=QueryFactory.cp, line=561, exception=LDAPException( 4 ) , Connection.cpp:700,  'Error: 'Invalid credentials' during bind to ldap://[0.0.0.1]:99/'LDAPException( 4 ) , Connection.cpp:518," 

date=2024-12-06 time=07:18:08.752 device_id=FM02TM22000482 log_id=0304739 type=spam subtype=default pri=information  session_id="4B66w014738-4B66I8S0014738" client_name="mal4.bgv.de" client_ip="2.8.5.2" dst_ip="2.1.2.0" from="hu-chaden@bgv.de" to="maion.lotz@grn.de" subject="Schaden: S124-0K7-23-093285" msg="DMARC SPF alignment check succeeded. mailFrom=bgv.de headerFrom=bgv.de" 

date=2024-12-06 time=07:22:43.685 device_id=FEVTM22000482 log_id=03018036 type=spam subtype=user pri=information  user="(web)" session_id="4B5JkB018931-4JxBkD018931" client_ip="0.1.9.1" from="" to="rechnung@grn.de" subject="Rechnung 94014784 Kunde 840" msg="Email user (web) released quarantined message of account rechnung@grn.de for re-scan from 0.1.9.1, session ID(4B036-4B66MhTh018036)." 

date=2024-12-06 time=07:18:43.650 device_id=FE2TM22000482 log_id=03015442 type=spam subtype=default pri=information  session_id="4B66Ih5441-4B66IhKK015441" client_name="" client_ip="0.46.7.3" dst_ip="1.68.2.0" from="Joerg.Hilmer@grn.de" to="s.voith@igw-ingenieure.de" subject="WG: Lese LV MSR Rückgabe" msg="File name: image005.jpg, scanned by Antivirus Scanner(clean), Content Filter(clean)" 

date=2024-12-06 time=07:18:52.042 device_id=FEVM22000482 log_id=0300451 type=spam subtype=default pri=information  session_id="4B66Ipg4B66Ipg7015450" client_name="mail-d8eur05olkn2058.outbound.protection.outlook.com" client_ip="0.9.8.8" dst_ip="1.8.2.10" from="hamit_jiyan@hotmail.com" to="K.Bukatsch@rhein-neckar-kreis.de" subject="Duldung" msg="SPF=PASS: (envelope from: hamit_jiyan@hotmail.com) indicates that MTA (0.92.9.8) is permitted to send email for hotmail.com

date=2024-12-06 time=07:19:33.571 device_id=FEVM0222000482 log_id=03015435 type=spam subtype=default pri=information  session_id="4B66IV15434-4B66IVFC015434" client_name="mail-am6eur05olkn2023.outbound.protection.outlook.com" client_ip="40.92.1.3" dst_ip="12.68.2.10" from="leonardo.balke@outlook.de" to="Fahrerlaubnisse@rhein-neckar-kreis.de" subject="Re: Leonardo Balke 26.05.2007 Antrag Fahrerlaubnis" msg="Antispam profile (AS_Inbound_High) max scan size: 1024KB, email size: 30178KB"

date=2024-12-10 time=02:29:18.058 device_id=FEVM02TM200482 log_id=030013864 type=spam subtype=default pri=information  session_id="4BA1T5j3863-4BA1T5jf013863" client_name="" client_ip="1.5.0.10" dst_ip="192.168.2.10" from="atoss.noreply@avr-umweltservice.de" to="tamara.wolbert@avr-kommunal.de" subject="Aufgabe 'Reminder_Ende_Befristung' bei Ereignis vom Typ 'Erinnerung (Personalstamm)' ausgeführt" msg="SPF=SOFTFAIL: (envelope from: atoss.noreply@avr-umweltservice.de) indicates that MTA (21.5.0.10) may not be permitted to send email for avr-umweltservice.de"

Overview

Table name: fortinet_fortiedr_security_events

Fortinet FortiEDR logs provide detailed telemetry on endpoint activity, focusing on detecting and responding to advanced threats in real time. These logs include information about process execution, network connections, file access, and behavioral anomalies. They are typically used for threat hunting, incident investigation, and integration with SIEM platforms for centralized security monitoring.

Send data to Hunters

Hunters supports the ingestion of Fortinet FortiEDR logs via an API connection.

📘Note

To perform this process, you must have FortiEDR administration rights.

To connect FortiEDR logs:

1. Create a designated FortiEDR user:

   1. On your FortiEDR platform, open the Administration section and then navigate to Users.

   2. Click Add User to open the user details window.
      

   3. Fill in the fields to create a designated user for Hunters. We recommend providing an informative user name.

   4. Define a password for the user and remember it for the next steps.

   5. Under Roles, select Senior Analyst.

   6. Under Advanced, mark the Rest API checkbox.

   7. Make sure the Two-Factor Authentication checkbox is NOT selected.

   8. Click Save.

2. Complete the process on the Hunters platform, following this guide.

   During this process, provide Hunters with the user name and password of the user created in step 1.

Expected format

Logs are expected in JSON format.

{
  "eventId": 32630260,
  "process": "GooglePlayGamesServicesInstaller.exe",
  "processPath": "C:\\Windows\\SystemTemp\\chrome_Unpacker_BeginUnzipping5084_264959272\\GooglePlayGamesServicesInstaller.exe",
  "processType": "64 bit",
  "firstSeen": "2025-04-24 19:04:03",
  "lastSeen": "2025-04-24 19:04:03",
  "seen": false,
  "handled": false,
  "comment": null,
  "certified": true,
  "archived": false,
  "severity": "High",
  "classification": "Inconclusive",
  "destinations": [
    "File Creation"
  ],
  "rules": [
    "Suspicious Packer"
  ],
  "loggedUsers": [],
  "organization": "USS_Region3",
  "muted": false,
  "muteEndTime": null,
  "processOwner": "Local System",
  "threatDetails": {
    "threatFamily": "Unknown",
    "threatType": "Unknown",
    "threatName": "Unknown"
  },
  "collectors": [
    {
      "lastSeen": "2025-04-24 14:00:53",
      "ip": "10.3.150.56",
      "collectorGroup": "High School",
      "macAddresses": [
        "B0-22-7A-34-DD-BB",
        "20-C1-9B-4C-E0-73"
      ],
      "id": 17200087,
      "device": "WS-MXL2143D92",
      "operatingSystem": "Windows 10 Education"
    }
  ],
  "action": "Block"
}