Hey Colin,
Thank you for your response.
I have a search and a rule looking for some property inside some Fortinet Events. What I noticed in the last months was:
In the past we had Behavior 1 and then came a DSM update and we noticed Behavior 2. Then we changed our rules and searches.
Then there was another DSM Update and we noticed Behavior 1 again. Now it changed to Behavior 2 again after the last DSM Update.
For a long time I thought it was my mistake or that Fortinet had changed something, but now I am sure that it was the DSM.
The properties I am talking about are:
- Hostname
- URL
Here is one example (XXXX -> placeholder):
Event before the update (my screenshot), mapped to QID 20257919:
<189>logver=602051142 timestamp=1603324098 tz="UTC+2:00" devname="XXXX" devid="XXXX" vd="XXXX" date=2020-10-22 time=01:48:18 logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" eventtime=XXXX tz="+0200" policyid=337 sessionid=1068646757 srcip=XXXX srcport=XXXX srcintf="XXXX" srcintfrole="undefined" dstip=XXXX dstport=53 dstintf="VIF1015" dstintfrole="undefined" proto=17 profile="XXXX" xid=51481 qname="www.google.com" qtype="AAAA" qtypeval=28 qclass="IN" ipaddr="XXXX" msg="Domain is monitored" action="pass" cat=41 catdesc="Search Engines and Portals"
New event, mapped to QID 20286032:
<189>logver=602051142 timestamp=1606212160 tz="UTC+1:00" devname="FGGR" devid="XXXX" vd="XXXX" date=2020-11-24 time=11:02:40 logid="1501054802" type="utm" subtype="dns" eventtype="dns-response" level="notice" eventtime=1606212161975171866 tz="+0100" policyid=30 sessionid=210165476 srcip=XXXX srcport=51057 srcintf="XXXX" srcintfrole="undefined" dstip=XXXX dstport=53 dstintf="wan1" dstintfrole="undefined" proto=17 profile="XXXX" xid=62170 qname="0.de.pool.ntp.org" qtype="A" qtypeval=1 qclass="IN" ipaddr="XXXX" msg="Domain is monitored" action="pass" cat=52 catdesc="Information Technology"
Thank you
Regards,
Bruno
------------------------------
BrunoMarX
------------------------------
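A small added check for the two payloads above (example code, not part of the thread and not QRadar or Fortinet code): it parses the FortiGate key=value syslog format, including the <PRI> header and quoted values with spaces, and confirms that both events carry the same raw type fields (logid, type, subtype, eventtype, action; my assumption for "same kind of event") and a qname, so whatever changed the QID and the Hostname/URL extraction is in the DSM's processing, not in the raw event.

```python
import re

# Constructed copies of the two events posted in the thread (XXXX placeholders kept).
EVENT_BEFORE = ('<189>logver=602051142 timestamp=1603324098 tz="UTC+2:00" devname="XXXX" devid="XXXX" '
                'vd="XXXX" date=2020-10-22 time=01:48:18 logid="1501054802" type="utm" subtype="dns" '
                'eventtype="dns-response" level="notice" eventtime=XXXX tz="+0200" policyid=337 '
                'sessionid=1068646757 srcip=XXXX srcport=XXXX srcintf="XXXX" srcintfrole="undefined" '
                'dstip=XXXX dstport=53 dstintf="VIF1015" dstintfrole="undefined" proto=17 profile="XXXX" '
                'xid=51481 qname="www.google.com" qtype="AAAA" qtypeval=28 qclass="IN" ipaddr="XXXX" '
                'msg="Domain is monitored" action="pass" cat=41 catdesc="Search Engines and Portals"')
EVENT_AFTER = ('<189>logver=602051142 timestamp=1606212160 tz="UTC+1:00" devname="FGGR" devid="XXXX" '
               'vd="XXXX" date=2020-11-24 time=11:02:40 logid="1501054802" type="utm" subtype="dns" '
               'eventtype="dns-response" level="notice" eventtime=1606212161975171866 tz="+0100" '
               'policyid=30 sessionid=210165476 srcip=XXXX srcport=51057 srcintf="XXXX" '
               'srcintfrole="undefined" dstip=XXXX dstport=53 dstintf="wan1" dstintfrole="undefined" '
               'proto=17 profile="XXXX" xid=62170 qname="0.de.pool.ntp.org" qtype="A" qtypeval=1 '
               'qclass="IN" ipaddr="XXXX" msg="Domain is monitored" action="pass" cat=52 '
               'catdesc="Information Technology"')

# A value is either a double-quoted string (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed set of raw fields that identify the event kind; not a documented DSM rule.
KIND_FIELDS = ('logid', 'type', 'subtype', 'eventtype', 'action')


def parse_fortigate(raw):
    """Parse one FortiGate syslog line into a dict; first occurrence of a key wins (tz appears twice)."""
    fields = {}
    pri = re.match(r'<(\d+)>', raw)
    if pri:
        # Syslog PRI = facility * 8 + severity; 189 -> local7 / notice.
        fields['_facility'], fields['_severity'] = divmod(int(pri.group(1)), 8)
        raw = raw[pri.end():]
    for key, val in KV_RE.findall(raw):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        fields.setdefault(key, val)
    return fields


def compare_events(raw_a, raw_b):
    """Report whether two raw events are of the same kind and both carry the qname used for Hostname/URL."""
    a, b = parse_fortigate(raw_a), parse_fortigate(raw_b)
    return {
        'same_event_kind': all(a.get(k) == b.get(k) for k in KIND_FIELDS),
        'qname_present': 'qname' in a and 'qname' in b,
        'hostnames': (a.get('qname'), b.get('qname')),
    }
```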
Original Message:
Sent: Mon November 23, 2020 09:32 AM
From: COLIN HAY
Subject: Rules not working after DSM Update
Hi Bruno,
You say some properties are not being extracted but your screenshot actually indicates that a particular QID is no longer showing up. This is a different kind of problem as the QID is not extracted from the raw event, rather it is looked up based on the Event ID and Event Category determined by the DSM as part of its processing logic. It could be that there was a change where the Event ID or Event Category are now being set differently, or they may now map to a different QID record. Neither should happen unless absolutely necessary, and even then we would usually have a migration option of some kind, so I think something did go wrong here, I will raise it with the team.
Are there other QIDs you've noticed are no longer appearing, or are there any other properties that are not being populated as they were before?
Can you provide a sample event payload for one of the events returned by the search in your screenshot? If so, please replace any usernames/IPs/hostnames/etc with placeholders values to protect your organization's privacy.
Cheers
Colin
------------------------------
COLIN HAY
IBM Security
Original Message:
Sent: Fri November 20, 2020 02:17 PM
From: BrunoMarX
Subject: Rules not working after DSM Update
Hi Community,
How to deal with rules not firing after a DSM Autoupdate?
For example, here you see that the new DSM FortinetFortigate was installed on 22nd October. Before that, and I can confirm this by running a historical correlation rule against that period, I can see that my rules work.
One example is the event UTM Pass.
Some properties were not being extracted for some events that I used in my rules and searches previously.
I thought that this was not supposed to happen, right?
Greetings
Bruno
------------------------------
BrunoMarX
------------------------------