Fortinet Sandbox¶
About¶
- Simple: Easy integration to an existing security infrastructure to automate threat response.
- Powerful: Built-in machine learning and deep learning engines that improve security efficacy by up to 25% over traditional sandbox detection.
- Anywhere: Flexible deployment options for Information Technology (IT) or Operational Technology (OT) environment to protect the dynamic attack surface.
Product Details¶
Vendor URL: Fortinet Sandbox
Product Type: VPN
Product Tier: Tier II
Integration Method: Custom
Integration URL: Fortinet Sandbox
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: Syslog
Expected Normalization Rate: near 100%
Data Label: FORTINET_SANDBOX
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
action | security_result.action_details |
clientdev | principal.hostname |
clientvd | principal.administrative_domain |
dstip | target.ip |
dstport | target.port |
fname | target.file.full_path |
jobid | security_result.about.process.pid |
level | security_result.rule_type |
logid | metadata.product_log_id |
mcate | security_result.category_details |
md5 | target.file.md5 |
mname | security_result.threat_name |
msg | metadata.description |
observer | observer.hostname |
pid | target.process.pid |
product | metadata.product_name |
product_event | metadata.event_type |
proto | network.application_protocol |
reason | security_result.about.investigation.comments |
severity | security_result.severity_details |
sha1 | target.file.sha1 |
sha256 | target.file.sha256 |
srcip | principal.ip |
srcport | principal.port |
subtype | security_result.description |
tagCountry | principal.asset.location.country_or_region |
type | security_result.summary |
url | target.url |
user | principal.user.userid |
vendor | metadata.vendor_name |
version | metadata.product_version |
vmos | principal.platform_version |
Product Event Types¶
Event | UDM Event Classification |
---|---|
all others | GENERIC_EVENT |
scanstart | SCAN_FILE |
Log Sample¶
{'Message':'2021-11-19T19:23:14-08:00 FortiSandbox CEF: 0|Fortinet|FortiSandbox|4.0.1|1|SYSTEM|7|SYSLOGCEFALLdate=2021-11-19 time=19:23:14 logid=0106000001 type=event subtype=system level=debug user=system ui=system action=oftpd_file status=success reason=none letype=1 fname=jquery.blockUI.min.js sha256=sha256 sha1=sha1 clientvd=vd-inet msg=F6K0028 (domain1) submitted file. fname\=\\"jquery.blockUI.min.js\\" sha256\=sha256 sha1\=sha1"','tagCountry':'US'}
Sample Parsing¶
metadata.product_log_id = "0106000001"
metadata.event_timestamp = "2021-11-20T03:23:14Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Fortinet"
metadata.product_name = "FortiSandbox"
metadata.product_version = "4.0.1"
metadata.product_event_type = "SYSTEM"
metadata.ingested_timestamp = "2021-11-19T19:23:27.531175Z"
principal.user.userid = "system"
principal.administrative_domain = "domain1"
principal.asset.location.country_or_region = "US"
target.file.sha256 = "sha256"
target.file.sha1 = "sha1"
target.file.full_path = "jquery.blockUI.min.js"
observer.hostname = "FortiSandbox"
security_result.about.investigation.comments = "none"
security_result.summary = "event"
security_result.description = "system"
security_result.severity_details = "7"
security_result.action_details = "oftpd_file"
security_result.rule_type = "debug"
Parser Alerting¶
This product currently does not have any Parser-based Alerting