Connect this data source on your own, using the Hunters platform.
TL;DR
| Supported data types | Detection / search support (as extracted) | Table name | Log format | Collection method |
|---|---|---|---|---|
| Fortinet Firewall Logs | ✅ ✅ | fortinet_firewall | Key value | S3 |
| Fortinet FortiAnalyzer Logs | ✅ ✅ | fortinet_fortianalyzer | Key value | S3 |
| Fortinet FortiMail Logs | ✅ | fortimail_logs | Key value | S3 |
| Fortinet FortiEDR Security Events | ✅ ✅ | fortinet_fortiedr_security_events | JSON | API |
| Fortinet FortiDLP Logs | ✅ ✅ ✅ | fortidlp_logs | JSON | API |

The source table has four capability columns (3rd party detection, Hunters detection, IOC search, Search); the extracted copy does not preserve which column each check mark belongs to, so the checks are shown as extracted.
Overview
Fortinet is a cybersecurity company specializing in network security solutions. It provides hardware, software, and services for protecting enterprise IT environments, with a focus on firewalls, intrusion prevention, endpoint security, and secure access solutions. Known for its FortiGate product line, Fortinet integrates threat intelligence and automation to address complex security challenges. The company serves a wide range of industries, emphasizing scalability and centralized management for global organizations.
Supported data types
Fortinet Firewall Logs
Overview
Table name: fortinet_firewall
Fortinet Firewall logs provide detailed records of events and traffic flowing through the firewall. These logs are crucial for security analysis, troubleshooting, and compliance reporting. They include information on allowed and denied traffic, security threats detected, system events, VPN activities, and more. Analyzing these logs helps in identifying suspicious activities, understanding traffic patterns, and ensuring the network's security posture is maintained effectively.
Learn more here.
For details on specific events logged see here.
Send data to Hunters
Hunters supports the ingestion of Fortinet logs via an intermediary AWS S3 bucket.
To connect Fortinet logs:
Export your logs from Fortinet to an AWS S3 bucket by following this guide.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in KeyVal format.
date=2017-11-15 time=11:44:16 logid="LOG_09" type="traffic" subtype="forward" level="notice" vd="VDOM_01" eventtime=1510775056000 srcip=IP_INTERNAL_04 srcname="HOST_01" srcport=PORT_02 srcintf="INTF_01" srcintfrole="undefined" dstip=IP_EXTERNAL_12 dstname="DOMAIN_10" dstport=443 dstintf="INTF_02" dstintfrole="undefined" poluuid="UUID_01" sessionid=SESSION_08 proto=6 action="close" policyid=POLICY_01 policytype="policy" policymode="learn" service="HTTPS" dstcountry="COUNTRY_01" srccountry="COUNTRY_02" trandisp="snat" transip=IP_INTERNAL_05 transport=PORT_02 appid=APP_01 app="HTTPS.BROWSER" appcat="Web.Client" apprisk="medium" duration=2 sentbyte=1850 rcvdbyte=39898 sentpkt=25 rcvdpkt=37 utmaction="allow" countapp=1 devtype="Linux PC" osname="Linux" mastersrcmac="MAC_01" srcmac="MAC_01" srcserver=0 utmref=REF_01
Fortinet FortiAnalyzer Logs
Overview
Table name: fortinet_fortianalyzer
Fortinet FortiAnalyzer Logs provide centralized logging and analysis for Fortinet security devices, enabling organizations to collect, store, and analyze logs from multiple sources. This helps identify security incidents, monitor network activity, and meet compliance requirements. FortiAnalyzer supports advanced analytics, reporting, and visualization tools, allowing for streamlined investigation and response to threats.
Send data to Hunters
Hunters supports the ingestion of Fortinet logs via an intermediary AWS S3 bucket.
To connect Fortinet logs:
Export your logs from Fortinet to an AWS S3 bucket by following this guide.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in KeyVal format.
date=2024-04-01 time=02:12:12 tz="+0100" devname=SU-FAZ-SH-1OG1 device_id=FL-2HFTB20000891 log_id=0001010081 type=event subtype=system pri=notice desc="System performance statistics notice" user="system" userfrom="system" msg="System Performance status: log rate low (0%), lograte=0/sec, msgrate=0/sec, CPU usage(0%), Memory usage(34%)" operation="Perf stats" performed_on="Local system" changes="Show system performance stats." lograte=0 msgrate=0 logratelimit=3000 logratepeak=4500 action="Stats" cpuusage=0 memusage=34
Fortinet FortiMail Logs
Overview
Table name: fortimail_logs
Fortinet FortiMail Logs record email traffic and activity within the FortiMail secure email gateway. These logs provide detailed insights into email flows, spam filtering, and potential threats, helping organizations monitor and analyze email-based security events. FortiMail logs support compliance reporting, threat investigation, and proactive measures against phishing, malware, and other email-borne attacks.
Send data to Hunters
Hunters supports the ingestion of Fortinet logs via an intermediary AWS S3 bucket.
To connect Fortinet logs:
Export your logs from Fortinet to an AWS S3 bucket by following this guide.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in KeyVal format.
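The same key=value format carries the FortiGate traffic record, the FortiAnalyzer event and the FortiMail events in this section, and the values are not as simple as a split on spaces suggests: quoted values contain spaces, nested `key=value` text (the FortiMail msg embeds `type=User`) and escaped quotes. The parser below is an added example written for this page, not code from Hunters or Fortinet. Its sample lines are constructed and modeled on the records shown in these sections; the device names, addresses, log IDs and rule values in them are invented, and the two checks at the end (denied or high-risk traffic, LDAP bind failures per device) are illustrative detection logic, not Hunters detectors.

```python
import re
from collections import Counter
from typing import Any, Dict, List

# One key=value pair. The value is either a double-quoted string (which may
# contain spaces, '=' signs and backslash-escaped quotes) or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample records, modeled on the FortiGate traffic, FortiAnalyzer
# event and FortiMail event lines on this page. Hosts, addresses and IDs are
# invented; they were not captured from real devices.
SAMPLE_LINES = [
    # FortiGate traffic log, allowed HTTPS session
    'date=2017-11-15 time=11:44:16 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" srcip=10.0.0.4 srcport=51522 dstip=203.0.113.12 dstport=443 proto=6 '
    'action="close" policyid=7 service="HTTPS" app="HTTPS.BROWSER" apprisk="medium" '
    'duration=2 sentbyte=1850 rcvdbyte=39898 utmaction="allow" devtype="Linux PC"',
    # FortiGate traffic log, denied outbound connection on a non-standard port
    'date=2017-11-15 time=11:44:20 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" srcip=10.0.0.9 srcport=40001 dstip=198.51.100.7 dstport=4444 proto=6 '
    'action="deny" policyid=0 service="tcp/4444" apprisk="critical" sentbyte=0 rcvdbyte=0',
    # FortiGate event log with an escaped quote inside a quoted value
    'date=2017-11-15 time=11:45:02 logid="0100032001" type="event" subtype="system" '
    'level="information" user="admin" action="login" status="success" '
    'msg="Administrator \\"admin\\" logged in successfully"',
    # FortiAnalyzer system event; msg contains '=' and parentheses
    'date=2024-04-01 time=02:12:12 tz="+0100" devname=FAZ-1 log_id=0001010081 type=event '
    'subtype=system pri=notice desc="System performance statistics notice" '
    'msg="System Performance status: log rate low (0%), lograte=0/sec" cpuusage=0 memusage=34',
    # FortiMail event; msg embeds a nested type=User pair and single quotes
    "date=2024-12-06 time=07:18:26.596 device_id=FML-1 log_id=0200001 type=kevent "
    "subtype=system pri=information user=system action=none status=success "
    "msg=\"ldapcached: type=User, file=QueryFactory.cpp, line=561, "
    "exception=LDAPException(4), 'Error: 'Invalid credentials' during bind to "
    "ldap://[10.0.0.20]:389/'\"",
]


def _coerce(raw: str) -> Any:
    """Strip quotes and unescape backslash-quote; turn plain counters into
    ints but keep zero-padded identifiers such as log_id=0001010081 as strings."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"')
    if raw.isdigit() and (raw == "0" or raw[0] != "0"):
        return int(raw)
    return raw


def parse_kv(line: str) -> Dict[str, Any]:
    """Parse one Fortinet key=value record. Splitting on spaces or '=' would
    break the FortiMail msg above; the regex consumes quoted values whole,
    so the nested type=User never overwrites the record's own type field."""
    return {key: _coerce(raw) for key, raw in _KV_RE.findall(line)}


def denied_or_high_risk(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Traffic records the firewall denied, or that carry a high/critical app risk."""
    return [r for r in records
            if r.get("type") == "traffic"
            and (r.get("action") == "deny" or r.get("apprisk") in ("high", "critical"))]


def ldap_bind_failures(records: List[Dict[str, Any]]) -> Counter:
    """Count 'Invalid credentials' LDAP bind errors per reporting device.
    A burst of these on a mail gateway usually means a rotated or guessed
    service-account password rather than a mail problem."""
    hits: Counter = Counter()
    for r in records:
        msg = str(r.get("msg", ""))
        if "Invalid credentials" in msg and "bind to ldap://" in msg:
            hits[str(r.get("device_id") or r.get("devname") or "unknown")] += 1
    return hits


if __name__ == "__main__":
    recs = [parse_kv(line) for line in SAMPLE_LINES]
    for r in denied_or_high_risk(recs):
        print("review:", r["srcip"], "->", r["dstip"], r["dstport"], r["action"], r.get("apprisk"))
    print("ldap bind failures:", dict(ldap_bind_failures(recs)))
```

Two details matter when the same parser is pointed at a real S3 export: numeric coercion must not touch zero-padded identifiers (logid, log_id) or they stop matching Fortinet's documented event IDs, and the per-device key differs between products (device_id on FortiMail, devname on FortiAnalyzer), so the aggregation falls back across both before giving up.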
date=2024-12-06 time=07:18:26.596 device_id=DEVICE_01 log_id=LOG_01 type=kevent subtype=system pri=information user=system ui=system action=none status=success msg="ldapcached: type=User, file=QueryFactory.cpp, line=561, exception=LDAPException(4), Connection.cpp:470, 'Error: 'Invalid credentials' during bind to ldap://[IP_INTERNAL_01]:389/'LDAPException(4), Connection.cpp:508,"
date=2024-12-06 time=07:18:26.596 device_id=DEVICE_02 log_id=LOG_02 type=kevent subtype=system pri=information user=system ui=system action=none status=success msg="ldapcached: type=User, file=QueryFactory.cpp, line=561, exception=LDAPException(4), Connection.cpp:700, 'Error: 'Invalid credentials' during bind to ldap://[IP_INTERNAL_02]:PORT_01/'LDAPException(4), Connection.cpp:518,"
Fortinet FortiEDR Security Events
Overview
Table name: fortinet_fortiedr_security_events
Fortinet FortiEDR logs provide detailed telemetry on endpoint activity, focusing on detecting and responding to advanced threats in real time. These logs include information about process execution, network connections, file access, and behavioral anomalies. They are typically used for threat hunting, incident investigation, and integration with SIEM platforms for centralized security monitoring.
Send data to Hunters
Hunters supports the ingestion of Fortinet FortiEDR logs via an API connection.
📘Note
To perform this process, you must have FortiEDR administration rights.
To connect FortiEDR logs:
Create a designated FortiEDR user:
On your FortiEDR platform, open the Administration section and then navigate to Users.
Click Add User to open the user details window.
Fill in the fields to create a designated user for Hunters. We recommend providing an informative user name.
Define a strong, unique password for the user and keep it for the next steps. This account will hold Senior Analyst rights with REST API access and no two-factor authentication, so treat the credential as a secret: store it in your secrets manager, do not reuse it elsewhere, and rotate it if it is ever exposed.
Under Roles, select Senior Analyst.
Under Advanced, mark the Rest API checkbox.
Make sure the Two-Factor Authentication checkbox is NOT selected.
Click Save.
Complete the process on the Hunters platform, following this guide.
During this process, provide Hunters with the user name and password of the user created in step 1.
Expected format
Logs are expected in JSON format.
{
"eventId": EVENT_01,
"process": "PROCESS_01.exe",
"processPath": "C:\\Windows\\TEMP_PATH_01\\PROCESS_01.exe",
"processType": "64 bit",
"firstSeen": "2025-04-24 19:04:03",
"lastSeen": "2025-04-24 19:04:03",
"seen": false,
"handled": false,
"comment": null,
"certified": true,
"archived": false,
"severity": "High",
"classification": "Inconclusive",
"destinations": [
"File Creation"
],
"rules": [
"RULE_01"
],
"loggedUsers": [],
"organization": "ORG_01",
"muted": false,
"muteEndTime": null,
"processOwner": "SYSTEM_ACCOUNT",
"threatDetails": {
"threatFamily": "Unknown",
"threatType": "Unknown",
"threatName": "Unknown"
},
"collectors": [
{
"lastSeen": "2025-04-24 14:00:53",
"ip": "IP_INTERNAL_06",
"collectorGroup": "GROUP_01",
"macAddresses": [
"MAC_02",
"MAC_03"
],
"id": COLLECTOR_01,
"device": "HOST_02",
"operatingSystem": "Windows_10_VARIANT_01"
}
],
"action": "Block"
}
Fortinet FortiDLP Logs
Overview
Table name: fortidlp_logs
Fortinet FortiDLP (Data Loss Prevention) is a core component of the Fortinet Security Fabric, designed to prevent the unauthorized exposure or transmission of sensitive information. It provides centralized visibility and control over data movement across networks, endpoints, and cloud services, helping organizations protect confidential information and maintain regulatory compliance. FortiDLP logs record the data-movement events and policy decisions this component produces.
Using content inspection, pattern recognition, and policy-based enforcement, FortiDLP identifies sensitive data, including PII, PCI, and PHI, as well as proprietary corporate information. It continuously monitors data in motion and at rest, detecting potential data loss incidents and taking automated actions such as blocking, quarantining, or alerting.
FortiDLP supports monitoring across key communication channels, including:
Email traffic — scanning outgoing messages and attachments
Web uploads/downloads — inspecting browser-based data transfers
FTP/SFTP transfers — controlling file movements
Cloud storage and file-sharing platforms — monitoring shared content
Through comprehensive logging and reporting, FortiDLP enables administrators to analyze data movement patterns, identify potential data loss incidents, and enforce compliance policies effectively.
Send data to Hunters
Hunters supports the ingestion of Fortinet FortiDLP logs via an API connection.
📘Note
To perform this process, you must have FortiDLP administration rights.
To connect FortiDLP logs:
Create a designated FortiDLP user:
On your FortiDLP platform, grant Hunters the permissions required to retrieve your data, as described in Fortinet's official documentation (fortiDLP_docs).
Make sure the Two-Factor Authentication checkbox is NOT selected.
Complete the process on the Hunters platform, following this guide.
During this process, provide Hunters with the user name and password of the user created in step 1.
Expected format
Logs are expected in JSON format.
{
"sensor": {
"tenant_id": "abcd-9c34-1221-8f2d-1234567",
"tenant_name": "tenant_xyz",
"tenant_origin": "https://example-tenant.io",
"uuid": "123abc-4e5f-1234-0123-abcdfefxyz",
"created_by": {
"uri": "policy:///aa11bb22-33cc-44dd-55ee-66778899aabb/ccdd1122-3344-5566-7788-99aabbccdde0?instance=aa223344-5566-7788-99aa-bbccddeeff01&name=AutoStart+entry+created",
"policy": {
"group_id": "aa11bb22-33cc-44dd-55ee-66778899aabb",
"policy_id": "ccdd1122-3344-5566-7788-99aabbccdde0",
"name": "AutoStart entry created",
"instance": "aa223344-5566-7788-99aa-bbccddeeff01"
}
},
"sensor_type": "XYZ_POLICY",
"agent_uuid": "7a6b5c4d-3e2f-1a0b-9c8d-7e6f5a4b3c2d",
"agent_hostname": "LAPTOP-XYZ",
"user_id": "usr-1235",
"user_name": "user",
"user_email": "user@example.com",
"score": 72,
"label_ids": [
"a1b2c3d4-e5f6-4712-9abc-def012345678",
"b2c3d4e5-f6a7-4812-9bcd-ef0123456789",
"c3d4e5f6-a7b8-4912-9cde-f0123456789a"
],
"label_names": [
"Windows",
"1.2.3",
"Staging"
],
"timestamp": "2025-11-04T09:15:00.000000000Z",
"description": "Xyz.exe added registry startup item USER\\Software\\Xyz\\Windows\\CurrentVersion\\Run",
"anonymised_description": "Xyz.exe added registry startup item USER\\Software\\Xyz\\Windows\\CurrentVersion\\Run named \"NotepadPlus\" for \"C:\\Users\\AppData\\Local\\Xyz\\abc.exe\"",
"tags": [
"persistence",
"possible_suspicious"
],
"metadata": {
"source_ip": [],
"source_port": [],
"destination_ip": [],
"destination_port": [],
"url": [],
"host": [
"LAPTOP-XYZ.example.local"
],
"application_name": [
"Xyz"
],
"file_name": [
"xyz"
],
"file_path": [
"C:\\Users\\AppData\\Local\\Xyz\\abc.exe"
],
"target_file_name": [],
"target_file_path": [],
"recipient_mail_address": [],
"sender_mail_address": [],
"wifi_ssid": [],
"wifi_bssid": [],
"usb_vid": [],
"usb_pid": [],
"usb_serial": [],
"content_pattern_name": [],
"account_name": [
"Xyz"
],
"certificate_name": [],
"mime_type": [],
"window_title": [],
"file_size": [
1234
],
"printer_uuid": [],
"file_extension": [
"xyz.exe"
],
"target_username": [],
"visibility_type": [
"user"
],
"target_file_extension": []
},
"process_info": [
{
"binary_name": "Xyz.exe",
"binary_path": "C:\\Users\\AppData\\Local\\Xyz\\abc.exe",
"username": "CORP\\jdoe",
"app_identifier": "v2.12345678901234567",
"signed": false,
"uuid": "1a2b3c4d-abcd-7081-92a3-1234567"
}
],
"requested_actions": [
"quarantine",
"screenshot"
],
"suppressed_actions": [],
"classifications": {
"url": []
},
"extended_metadata": {
"schema": {
"id": "12345-abcd-8b7c-6d5e-1234567",
"version": "0011223344abcd12345"
},
"data": {
"effect_description": [
"the Run key is executed after every logon"
],
"reg_key_name": [
"USER\\Software\\Xyz\\Windows\\CurrentVersion\\Run"
],
"reg_value": [
"C:\\Users\\AppData\\Local\\Xyz\\abc.exe"
],
"reg_value_name": [
"NotepadPlus"
]
}
},
"data_origin": [
"endpoint_agent"
],
"indicators": [
{
"kind": "mitre",
"tactic": {
"id": "XYZ123",
"title": "Persistence"
},
"technique": {
"id": "XYZ",
"title": "Registry Run Keys / Startup Folder"
}
},
{
"kind": "custom",
"tactic": {
"id": "XYZ-01",
"title": "Potential Application Install"
},
"technique": {
"id": "XYZ-REG-01",
"title": "Unusual User Run Value"
}
}
],
"data_flow": {
"lineages": []
}
},
"enrichment_errors": []
}
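The FortiEDR security event and the FortiDLP event above are the two JSON shapes a detection pipeline receives from the API collections on this page. Below is an added example, written for this page and not code from Hunters or Fortinet, that normalizes both into one alert record and selects the ones worth an analyst's time: high-severity activity the product did not stop, and untrusted persistence. The sample events are constructed and modeled on the records above (hosts, paths, rule names and IDs are invented); reading FortiEDR's `certified` field as a trust indicator and the severity thresholds applied to the FortiDLP `score` are assumptions, not Fortinet documentation.

```python
import json
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# Constructed sample events, modeled on the FortiEDR security event and the
# FortiDLP event shown on this page; hosts, paths and rule names are invented.
_SAMPLES: List[Dict[str, Any]] = [
    {"eventId": 1, "process": "updater.exe", "processPath": "C:\\Windows\\Temp\\updater.exe",
     "severity": "High", "classification": "Inconclusive", "certified": True, "action": "Block",
     "rules": ["File Creation"], "processOwner": "SYSTEM",
     "collectors": [{"device": "HOST-A", "ip": "10.0.0.6", "operatingSystem": "Windows 10"}]},
    {"eventId": 2, "process": "svc.exe", "processPath": "C:\\Users\\Public\\svc.exe",
     "severity": "High", "classification": "Suspicious", "certified": False, "action": "Log",
     "rules": ["Unconfirmed Executable"], "processOwner": "CORP\\jdoe",
     "collectors": [{"device": "HOST-B", "ip": "10.0.0.7"}, {"device": "HOST-C", "ip": "10.0.0.8"}]},
    {"sensor": {"agent_hostname": "LAPTOP-XYZ", "user_name": "jdoe", "score": 72,
                "tags": ["persistence", "possible_suspicious"],
                "process_info": [{"binary_name": "Xyz.exe",
                                  "binary_path": "C:\\Users\\jdoe\\AppData\\Local\\Xyz\\abc.exe",
                                  "username": "CORP\\jdoe", "signed": False}],
                "requested_actions": ["quarantine", "screenshot"],
                "indicators": [
                    {"kind": "mitre", "tactic": {"id": "TA0003", "title": "Persistence"},
                     "technique": {"id": "T1547.001", "title": "Registry Run Keys / Startup Folder"}},
                    {"kind": "custom", "tactic": {"id": "XYZ-01", "title": "Potential Application Install"},
                     "technique": {"id": "XYZ-REG-01", "title": "Unusual User Run Value"}}]},
     "enrichment_errors": []},
]
SAMPLE_EVENTS = [json.dumps(e) for e in _SAMPLES]  # one JSON document per record


@dataclass
class Alert:
    source: str
    host: str
    user: Optional[str]
    process_path: Optional[str]
    severity: str            # low / medium / high / critical
    action: str              # what the product did, lowercased
    trusted: Optional[bool]  # signed / certified binary, if known
    tags: List[str] = field(default_factory=list)
    mitre: List[str] = field(default_factory=list)


def score_to_severity(score: int) -> str:
    """Assumed mapping for the FortiDLP 0-100 score; tune to your tenant."""
    if score >= 80:
        return "critical"
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


def from_fortiedr(ev: Dict[str, Any]) -> List[Alert]:
    """One FortiEDR event may list several collectors; emit one alert per host.
    'certified' is treated as a trust indicator here (assumption)."""
    tags = [str(ev.get("classification", "")).lower(), *ev.get("rules", [])]
    return [Alert(source="fortiedr", host=c.get("device", ""), user=ev.get("processOwner"),
                  process_path=ev.get("processPath"), severity=str(ev.get("severity", "")).lower(),
                  action=str(ev.get("action", "")).lower(), trusted=ev.get("certified"), tags=tags)
            for c in ev.get("collectors", [])]


def from_fortidlp(ev: Dict[str, Any]) -> List[Alert]:
    """FortiDLP wraps everything under 'sensor'; use the first process_info entry
    and lift MITRE tactic/technique IDs out of the indicators list."""
    s = ev["sensor"]
    p = (s.get("process_info") or [{}])[0]
    mitre_ind = [i for i in s.get("indicators", []) if i.get("kind") == "mitre"]
    mitre = [f'{i["tactic"]["id"]}:{i["technique"]["id"]}' for i in mitre_ind]
    tags = list(dict.fromkeys(list(s.get("tags", [])) + [i["tactic"]["title"].lower() for i in mitre_ind]))
    return [Alert(source="fortidlp", host=s.get("agent_hostname", ""),
                  user=p.get("username") or s.get("user_name"), process_path=p.get("binary_path"),
                  severity=score_to_severity(int(s.get("score", 0))),
                  action=",".join(s.get("requested_actions", [])) or "none",
                  trusted=p.get("signed"), tags=tags, mitre=mitre)]


def needs_review(a: Alert) -> bool:
    """High-severity activity the product did not stop, or untrusted persistence."""
    stopped = any(x in a.action for x in ("block", "quarantine"))
    if a.severity in ("high", "critical") and not stopped:
        return True
    return a.trusted is False and "persistence" in a.tags


def triage(raw_events: List[str]) -> List[Alert]:
    """Parse JSON records from either product and return alerts needing review."""
    alerts: List[Alert] = []
    for line in raw_events:
        ev = json.loads(line)
        alerts += from_fortidlp(ev) if "sensor" in ev else from_fortieedr_compat(ev)
    return [a for a in alerts if needs_review(a)]


def from_fortieedr_compat(ev: Dict[str, Any]) -> List[Alert]:
    """Thin alias kept so triage() reads top-down; delegates to from_fortiedr."""
    return from_fortiedr(ev)


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a.source:9} {a.host:10} sev={a.severity:8} action={a.action:20} "
              f"trusted={a.trusted} mitre={a.mitre} path={a.process_path}")
```

Fanning one FortiEDR event out per collector matters: a single `eventId` can cover several hosts, and a ticket or isolation action is taken per host, not per event. On the FortiDLP side the blocked/quarantined state is derived from `requested_actions`; check `suppressed_actions` too in production, since an action that was requested but suppressed did not actually run.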