Fortinet Sandbox
About
- Simple: Easy integration to an existing security infrastructure to automate threat response.
- Powerful: Built-in machine learning and deep learning engines that improve security efficacy by up to 25% over traditional sandbox detection.
- Anywhere: Flexible deployment options for Information Technology (IT) or Operational Technology (OT) environments to protect the dynamic attack surface.
Product Details
Vendor URL: Fortinet Sandbox
Product Type: VPN
Product Tier: Tier II
Integration Method: Custom
Integration URL: Fortinet Sandbox
Log Guide: Sample Logs by Log Type
Parser Details
Log Format: Syslog
Expected Normalization Rate: near 100%
Data Label: FORTINET_SANDBOX
UDM Fields (all UDM fields the parser populates, keyed by the log field they are taken from):
| Log File Field | UDM Field |
|---|---|
| action | security_result.action_details |
| clientdev | principal.hostname |
| clientvd | principal.administrative_domain |
| dstip | target.ip |
| dstport | target.port |
| fname | target.file.full_path |
| jobid | security_result.about.process.pid |
| level | security_result.rule_type |
| logid | metadata.product_log_id |
| mcate | security_result.category_details |
| md5 | target.file.md5 |
| mname | security_result.threat_name |
| msg | metadata.description |
| observer | observer.hostname |
| pid | target.process.pid |
| product | metadata.product_name |
| product_event | metadata.event_type |
| proto | network.application_protocol |
| reason | security_result.about.investigation.comments |
| severity | security_result.severity_details |
| sha1 | target.file.sha1 |
| sha256 | target.file.sha256 |
| srcip | principal.ip |
| srcport | principal.port |
| subtype | security_result.description |
| tagCountry | principal.asset.location.country_or_region |
| type | security_result.summary |
| url | target.url |
| user | principal.user.userid |
| vendor | metadata.vendor_name |
| version | metadata.product_version |
| vmos | principal.platform_version |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| all others | GENERIC_EVENT |
| scanstart | SCAN_FILE |
Log Sample
{'Message':'2021-11-19T19:23:14-08:00 FortiSandbox CEF: 0|Fortinet|FortiSandbox|4.0.1|1|SYSTEM|7|SYSLOGCEFALLdate=2021-11-19 time=19:23:14 logid=0106000001 type=event subtype=system level=debug user=system ui=system action=oftpd_file status=success reason=none letype=1 fname=jquery.blockUI.min.js sha256=sha256 sha1=sha1 clientvd=vd-inet msg=F6K0028 (domain1) submitted file. fname\=\\"jquery.blockUI.min.js\\" sha256\=sha256 sha1\=sha1"','tagCountry':'US'}
Sample Parsing
metadata.product_log_id = "0106000001"
metadata.event_timestamp = "2021-11-20T03:23:14Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Fortinet"
metadata.product_name = "FortiSandbox"
metadata.product_version = "4.0.1"
metadata.product_event_type = "SYSTEM"
metadata.ingested_timestamp = "2021-11-19T19:23:27.531175Z"
principal.user.userid = "system"
principal.administrative_domain = "domain1"
principal.asset.location.country_or_region = "US"
target.file.sha256 = "sha256"
target.file.sha1 = "sha1"
target.file.full_path = "jquery.blockUI.min.js"
observer.hostname = "FortiSandbox"
security_result.about.investigation.comments = "none"
security_result.summary = "event"
security_result.description = "system"
security_result.severity_details = "7"
security_result.action_details = "oftpd_file"
security_result.rule_type = "debug"
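The following is an added example, not the vendor's or the SIEM's own parser code. It parses the syslog-wrapped CEF message from the Log Sample above (embedded as a constructed copy), splits the CEF header and extension with CEF escaping (`\=`, `\|`, `\\`) honoured, normalises the syslog timestamp to UTC, and maps the extension keys to UDM fields using the table in this page. Two points are assumptions rather than page facts: the event classification is keyed on the CEF header name field (the page does not say where `scanstart` appears in live logs), and the administrative domain is taken from the `(domain1)` token in `msg`, because that is what the Sample Parsing shows even though `clientvd=vd-inet` is also present.

```python
import re
from datetime import datetime, timezone

# Constructed copy of the 'Message' value from the page's Log Sample.
SAMPLE = (
    "2021-11-19T19:23:14-08:00 FortiSandbox CEF: 0|Fortinet|FortiSandbox|4.0.1|1|SYSTEM|7|"
    "SYSLOGCEFALLdate=2021-11-19 time=19:23:14 logid=0106000001 type=event subtype=system "
    "level=debug user=system ui=system action=oftpd_file status=success reason=none letype=1 "
    "fname=jquery.blockUI.min.js sha256=sha256 sha1=sha1 clientvd=vd-inet "
    r'msg=F6K0028 (domain1) submitted file. fname\=\\"jquery.blockUI.min.js\\" sha256\=sha256 sha1\=sha1'
)

# Extension key -> UDM field, copied from the page's UDM Fields table.
EXTENSION_TO_UDM = {
    "action": "security_result.action_details", "clientdev": "principal.hostname",
    "clientvd": "principal.administrative_domain", "dstip": "target.ip", "dstport": "target.port",
    "fname": "target.file.full_path", "jobid": "security_result.about.process.pid",
    "level": "security_result.rule_type", "logid": "metadata.product_log_id",
    "mcate": "security_result.category_details", "md5": "target.file.md5",
    "mname": "security_result.threat_name", "msg": "metadata.description",
    "pid": "target.process.pid", "proto": "network.application_protocol",
    "reason": "security_result.about.investigation.comments", "sha1": "target.file.sha1",
    "sha256": "target.file.sha256", "srcip": "principal.ip", "srcport": "principal.port",
    "subtype": "security_result.description", "type": "security_result.summary",
    "url": "target.url", "user": "principal.user.userid", "vmos": "principal.platform_version",
}

# Product event -> UDM classification from the Product Event Types table; everything else is GENERIC_EVENT.
EVENT_CLASSIFICATION = {"scanstart": "SCAN_FILE"}

_SYSLOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+CEF:(.*)$", re.DOTALL)
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # a 'key=' token; an escaped '\=' never matches


def parse_extension(ext):
    """Split a CEF extension into a dict: each value runs until the next unescaped 'key=' token.
    In the sample the extension starts with the literal 'SYSLOGCEFALL' run together with 'date=',
    so that first key comes out as 'SYSLOGCEFALLdate'; the mapping simply ignores it."""
    matches = list(_KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        raw = ext[m.end():end].strip()
        fields[m.group(1)] = re.sub(r"\\(.)", r"\1", raw)  # undo CEF escaping: \= \| \\ -> = | \
    return fields


def parse_cef_syslog(line):
    """Split '<timestamp> <host> CEF: 0|vendor|product|version|sig|name|severity|extension'."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    ts, host, cef = m.groups()
    parts = re.split(r"(?<!\\)\|", cef.strip(), maxsplit=7)  # unescaped pipes only
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields before the extension")
    version, vendor, product, product_version, sig_id, name, severity, extension = parts
    return {"timestamp": ts, "host": host, "cef_version": version, "vendor": vendor,
            "product": product, "product_version": product_version, "signature_id": sig_id,
            "name": name, "severity": severity, "extension": parse_extension(extension)}


def to_udm(line, tag_country=None):
    """Build the flat UDM field dict the page's Sample Parsing shows for this message."""
    rec = parse_cef_syslog(line)
    ext = rec["extension"]
    utc = datetime.fromisoformat(rec["timestamp"]).astimezone(timezone.utc)
    udm = {
        "metadata.event_timestamp": utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "metadata.vendor_name": rec["vendor"],
        "metadata.product_name": rec["product"],
        "metadata.product_version": rec["product_version"],
        "metadata.product_event_type": rec["name"],
        # Assumption: the product event is the CEF header name field.
        "metadata.event_type": EVENT_CLASSIFICATION.get(rec["name"].lower(), "GENERIC_EVENT"),
        "security_result.severity_details": rec["severity"],
        "observer.hostname": rec["host"],
    }
    for key, value in ext.items():
        field = EXTENSION_TO_UDM.get(key)
        if field:
            udm[field] = value
    # Assumption matching the Sample Parsing: the domain is the parenthesised token in msg.
    dm = re.search(r"\(([^)]+)\)", ext.get("msg", ""))
    if dm:
        udm["principal.administrative_domain"] = dm.group(1)
    if tag_country:  # 'tagCountry' travels outside the message in the sample's envelope
        udm["principal.asset.location.country_or_region"] = tag_country
    return udm


if __name__ == "__main__":
    for field, value in sorted(to_udm(SAMPLE, "US").items()):
        print(f"{field} = {value!r}")
```

Keys are only recognised at a whitespace boundary and only when the `=` is not escaped, which is why the `fname\=` and `sha256\=` fragments inside the `msg` value stay part of the description instead of overwriting the real `fname` and `sha256` fields; that is the usual way a malformed or attacker-influenced filename is kept from spoofing other fields in a CEF parser.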
Parser Alerting
This product currently does not have any parser-based alerting.