SOLVED

KQL Queries: Fortinet

Iron Contributor

I am looking to extract from Fortinet log(s), any DNS events which are deemed high risk.

 

I have written this query BUT could do with some advice on how to improve it or identify other related queries, that shows those high-risk elements...

 

//List DNS entries with risk-related Log Severity
CommonSecurityLog
| where TimeGenerated > ago (6h)
| where DeviceVendor =~ "Fortinet"
| where ApplicationProtocol == "DNS"
| where LogSeverity has_any ("0","1","2","3")
| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != "0.0.0.0"
| where DeviceAction !in ("close", "client-rst", "server-rst", "deny") and DestinationPort != 161
| project DeviceProduct, LogSeverity, DestinationPort, DestinationIP, Message, SourceIP, SourcePort, Activity, SentBytes, ReceivedBytes
| sort by LogSeverity

 

ANY help is appreciated...

4 Replies
best response confirmed by JMSHW0420 (Iron Contributor)
Solution

@JMSHW0420 
Maybe look at ASIM,

1. Look at the ASIM parser for Fortigate, to get some of the Columns you may need in a normalized way (you may want to adopt the column naming to get your finished query aligned to ASIM now - that way if Forti release a parser you are probably virtually ready to use it). 

Clive_Watson_0-1674474207344.png

2. look at the other DNS ASIM parsers, whilst there isn't one for Forti (yet), you may get some ideas.

Clive_Watson_1-1674474260046.png

 

3. Also look at the DNS Queries that use ASIM Azure-Sentinel/Detections/ASimDNS at master · Azure/Azure-Sentinel (github.com)

Hi Clive,

Thank you for the rapid response.

Not really used ASIM parsers in anger. So assume this means deploying the related parser from the GitHub repository provided at: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers?

Your first screen-shot is generated from where?

@JMSHW0420 

Many are now enabled by default - thanks to Microsoft.  Look in Sentinel --> Logs 

 

Clive_Watson_0-1674479633789.png

Most ASIM parsers are duplicated, one starts with _IM_   ,and the other style _ASim_    The difference is that the _IM_ version allows parameter to be passed (you can see which parameters when you hover over the name), you can also use the function or load the function code to see what its doing!

Clive_Watson_1-1674479709705.png

 

Hi Clive,

Sorry mate, I actually do know what you mean. Thanks for the clarification though. Much appreciated.

Jason
1 best response

Accepted Solutions
best response confirmed by JMSHW0420 (Iron Contributor)
Solution

@JMSHW0420 
Maybe look at ASIM,

1. Look at the ASIM parser for Fortigate, to get some of the Columns you may need in a normalized way (you may want to adopt the column naming to get your finished query aligned to ASIM now - that way if Forti release a parser you are probably virtually ready to use it). 

Clive_Watson_0-1674474207344.png

2. look at the other DNS ASIM parsers, whilst there isn't one for Forti (yet), you may get some ideas.

Clive_Watson_1-1674474260046.png

 

3. Also look at the DNS Queries that use ASIM Azure-Sentinel/Detections/ASimDNS at master · Azure/Azure-Sentinel (github.com)

View solution in original post