Splunk Enterprise Security

Splunk_TA_fortinet_fortigate - domain model Web

Francois_Luno
New Member

I'm ingesting Fortigate logs using the Splunk_TA_fortinet_fortigate add-on, and I've noticed that these logs are not tagged with web, even though they seem relevant to the Web data model.

Details:

  • The logs have log_type=utm and subtype=webfilter or subtype=app-ctrl, which I believe should be mapped to the Web data model.
  • I understand that eventtypes are defined during ingestion or at search-time, and they are used to assign tags like web. These tags are what enable CIM data model mapping.
  • For subtype=app-ctrl, I believe only the following categories are applicable to the Web model:
    "Collaboration", "Instant Messaging", "Social.Media", "Streaming Media and Download", "Web.Client", "Business", "Cloud.IT", "Email", "GenAI", "General.Interest", "Video/Audio"

My questions:

  1. Is the absence of the web tag due to using an older version of the TA?
  2. Has the mapping of these subtypes to the Web data model not been implemented in the current TA?
  3. If needed, is it recommended to manually define an eventtype and assign the web tag to ensure proper CIM mapping?

Thanks in advance for any insights!


Francois_Luno
New Member

I am in Splunk Cloud 9.4 and ES 7.3. I do not see any .conf file. However, I can use the UI to see fields. For the fortinet-fortigate TA there was no tag web linked to eventtype=fortigate_utm_webfilter. I changed it. Conversely, if I look at eventtype=fortigate_utm_webfilter there are only two tags: traffic, communication.

But in practice, not in the Splunk context, the logs for webfilter and appctrl are from the same session, and looking at them separately does not give the whole picture for threat hunting.

As a result of ingesting these logs separately we have a lot of logs that have only a few of the fields for the Web data model (dataset Web.Web). I was told I can solve that by doing a join prior to the correlation search used to create the dashboards for web intelligence. Not sure how that works.


Francois_Luno
New Member

OK. Thanks for confirming that this is not done by default.

My sourcetype is sourcetype=fortigate_utm.

I added tag web to eventtype=fortigate_utm_webfilter, and created a new eventtype from eventtype=fortigate_utm_app-ctrl because not all app-ctrl logs are dataset Web.Web logs. This new eventtype is eventtype=fortigate_utm_app-ctrl_web; it only has a subset of the app-ctrl categories.

Logically I would use sessionid to create a logical log from both webfilter and app-ctrl and be able to alias all the fields of the logical log to the CIM fields.

For the Fortinet TA app and sourcetype=fortigate_utm I created the following calculated fields: url_length, transport, http_referrer_domain, http_user_agent_length, http_method.

I also created new aliases: vendor_url AS uri, action AS web_action and service AS app_protocol.

After that I checked the dashboard under Security Intelligence > Web Intelligence > New Domain Analysis; it was still empty. I found out I had to change the alias for "dest" from domain. Therefore I changed the alias for sourcetype fortigate_utm for dest.

Does this seem like the right approach? Is there other guidance on this?

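A constructed set of .conf stanzas that puts the approach described in the post above into local configuration (added example; this is not the Fortinet TA's own configuration and not taken from the thread). It assumes the raw Fortigate fields appcat, hostname, referralurl, agent, method and proto are present in the events, and uses the eventtype names from the post; the app path is a placeholder.

```ini
# Added example: local overrides in a custom app, e.g.
# $SPLUNK_HOME/etc/apps/<your_app>/local/ (placeholder path).
# Assumed raw Fortigate field names: appcat, hostname, referralurl,
# agent, method, proto. Verify them against your events first.

# --- eventtypes.conf ---
[fortigate_utm_webfilter]
search = sourcetype=fortigate_utm subtype=webfilter

# Only the app-ctrl categories that describe web traffic get the web tag;
# other categories (VoIP, P2P, ...) stay out of the Web data model.
[fortigate_utm_app-ctrl_web]
search = sourcetype=fortigate_utm subtype=app-ctrl appcat IN ("Collaboration", "Instant Messaging", "Social.Media", "Streaming Media and Download", "Web.Client", "Business", "Cloud.IT", "Email", "GenAI", "General.Interest", "Video/Audio")

# --- tags.conf ---
[eventtype=fortigate_utm_webfilter]
web = enabled

[eventtype=fortigate_utm_app-ctrl_web]
web = enabled

# --- props.conf ---
[fortigate_utm]
# ASNEW only sets the CIM field if nothing else populated it already,
# so existing TA mappings are not clobbered.
FIELDALIAS-cim_uri = vendor_url ASNEW uri
FIELDALIAS-cim_web_action = action ASNEW web_action
FIELDALIAS-cim_app_protocol = service ASNEW app_protocol
FIELDALIAS-cim_http_referrer = referralurl ASNEW http_referrer
FIELDALIAS-cim_http_user_agent = agent ASNEW http_user_agent
FIELDALIAS-cim_http_method = method ASNEW http_method
# Per the post, dest has to carry the requested web domain for the
# New Domain Analysis dashboard; plain AS overwrites any existing dest.
FIELDALIAS-cim_dest = hostname AS dest

# Calculated fields named in the post. They are evaluated at search
# time, so already-indexed events are covered as soon as this deploys.
EVAL-url_length = len(url)
EVAL-http_user_agent_length = len(agent)
EVAL-http_referrer_domain = replace(referralurl, "^(?:[a-z]+://)?([^/:?#]+).*$", "\1")
EVAL-transport = case(proto=6, "tcp", proto=17, "udp", proto=1, "icmp", isnotnull(proto), "other")
```

After deploying, `| tstats count from datamodel=Web where sourcetype=fortigate_utm by Web.dest` on recent data is a quick check that the events now land in the Web dataset with dest populated.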

livehybrid
SplunkTrust

Hi @Francois_Luno 

The subtype=app-ctrl doesn't get the web tag by default from the app; it only has network/communicate.

The subtype=webfilter should be matched with the web tag though. The following eventtypes.conf configuration defines this in the latest version of the app; which version are you currently using?

Does your sourcetype match this? If so, you should find that subtype=webfilter has the web tag, because the ftnt_fortigate_webfilter eventtype has web=enabled in tags.conf.

[ftnt_fortigate_webfilter]
search = (sourcetype=fortigate_utm OR sourcetype=fgt_utm) subtype=webfilter

[ftnt_fortigate_appctrl]
search = (sourcetype=fortigate_utm OR sourcetype=fgt_utm) subtype=app-ctrl

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
