Skip to content

Fortinet Sandbox

Fortinet Sandbox

About

  • Simple: Easy integration to an existing security infrastructure to automate threat response.
  • Powerful: Built-in machine learning and deep learning engines that improve security efficacy by up to 25% over traditional sandbox detection.
  • Anywhere: Flexible deployment options for Information Technology (IT) or Operational Technology (OT) environment to protect the dynamic attack surface.

Product Details

Vendor URL: Fortinet Sandbox

Product Type: VPN

Product Tier: Tier II

Integration Method: Custom

Integration URL: Fortinet Sandbox

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: Syslog

Expected Normalization Rate: near 100%

Data Label: FORTINET_SANDBOX

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
action security_result.action_details
clientdev principal.hostname
clientvd principal.administrative_domain
dstip target.ip
dstport target.port
fname target.file.full_path
jobid security_result.about.process.pid
level security_result.rule_type
logid metadata.product_log_id
mcate security_result.category_details
md5 target.file.md5
mname security_result.threat_name
msg metadata.description
observer observer.hostname
pid target.process.pid
product metadata.product_name
product_event metadata.event_type
proto network.application_protocol
reason security_result.about.investigation.comments
severity security_result.severity_details
sha1 target.file.sha1
sha256 target.file.sha256
srcip principal.ip
srcport principal.port
subtype security_result.description
tagCountry principal.asset.location.country_or_region
type security_result.summary
url target.url
user principal.user.userid
vendor metadata.vendor_name
version metadata.product_version
vmos principal.platform_version

Product Event Types

Event UDM Event Classification
all others GENERIC_EVENT
scanstart SCAN_FILE

Log Sample

{'Message':'2021-11-19T19:23:14-08:00 FortiSandbox CEF: 0|Fortinet|FortiSandbox|4.0.1|1|SYSTEM|7|SYSLOGCEFALLdate=2021-11-19 time=19:23:14 logid=0106000001 type=event subtype=system level=debug user=system ui=system action=oftpd_file status=success  reason=none letype=1 fname=jquery.blockUI.min.js sha256=sha256 sha1=sha1 clientvd=vd-inet msg=F6K0028 (domain1) submitted file. fname\=\\"jquery.blockUI.min.js\\" sha256\=sha256 sha1\=sha1"','tagCountry':'US'}

Sample Parsing

metadata.product_log_id = "0106000001"
metadata.event_timestamp = "2021-11-20T03:23:14Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Fortinet"
metadata.product_name = "FortiSandbox"
metadata.product_version = "4.0.1"
metadata.product_event_type = "SYSTEM"
metadata.ingested_timestamp = "2021-11-19T19:23:27.531175Z"
principal.user.userid = "system"
principal.administrative_domain = "domain1"
principal.asset.location.country_or_region = "US"
target.file.sha256 = "sha256"
target.file.sha1 = "sha1"
target.file.full_path = "jquery.blockUI.min.js"
observer.hostname = "FortiSandbox"
security_result.about.investigation.comments = "none"
security_result.summary = "event"
security_result.description = "system"
security_result.severity_details = "7"
security_result.action_details = "oftpd_file"
security_result.rule_type = "debug"

Parser Alerting

This product currently does not have any Parser-based Alerting