cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

KQL Queries: Fortinet

JMSHW0420
Brass Contributor

‎Jan 23 2023 02:02 AM

‎Jan 23 2023 02:02 AM

KQL Queries: Fortinet

I am looking to extract from Fortinet log(s), any DNS events which are deemed high risk.

 

I have written this query BUT could do with some advice on how to improve it or identify other related queries, that shows those high-risk elements...

 

//List DNS entries with risk-related Log Severity
CommonSecurityLog
| where TimeGenerated > ago (6h)
| where DeviceVendor =~ "Fortinet"
| where ApplicationProtocol == "DNS"
| where LogSeverity has_any ("0","1","2","3")
| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != "0.0.0.0"
| where DeviceAction !in ("close", "client-rst", "server-rst", "deny") and DestinationPort != 161
| project DeviceProduct, LogSeverity, DestinationPort, DestinationIP, Message, SourceIP, SourcePort, Activity, SentBytes, ReceivedBytes
| sort by LogSeverity

 

ANY help is appreciated...

Labels:
2,228 Views
0 Likes
4 Replies
Reply
4 Replies
best response confirmed by JMSHW0420 (Brass Contributor)
Clive_Watson

‎Jan 23 2023 03:48 AM

‎Jan 23 2023 03:48 AM

Solution

Re: KQL Queries: Fortinet

@JMSHW0420 
Maybe look at ASIM,

1. Look at the ASIM parser for Fortigate, to get some of the Columns you may need in a normalized way (you may want to adopt the column naming to get your finished query aligned to ASIM now - that way if Forti release a parser you are probably virtually ready to use it). 

Clive_Watson_0-1674474207344.png

2. look at the other DNS ASIM parsers, whilst there isn't one for Forti (yet), you may get some ideas.

Clive_Watson_1-1674474260046.png

 

3. Also look at the DNS Queries that use ASIM Azure-Sentinel/Detections/ASimDNS at master · Azure/Azure-Sentinel (github.com)

0 Likes
Reply
JMSHW0420

‎Jan 23 2023 05:04 AM

‎Jan 23 2023 05:04 AM

Re: KQL Queries: Fortinet

Hi Clive,

Thank you for the rapid response.

Not really used ASIM parsers in anger. So assume this means deploying the related parser from the GitHub repository provided at: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers?

Your first screen-shot is generated from where?
0 Likes
Reply
Clive_Watson

‎Jan 23 2023 05:16 AM

‎Jan 23 2023 05:16 AM

Re: KQL Queries: Fortinet

@JMSHW0420 

Many are now enabled by default - thanks to Microsoft.  Look in Sentinel --> Logs 

 

Clive_Watson_0-1674479633789.png

Most ASIM parsers are duplicated, one starts with _IM_   ,and the other style _ASim_    The difference is that the _IM_ version allows parameter to be passed (you can see which parameters when you hover over the name), you can also use the function or load the function code to see what its doing!

Clive_Watson_1-1674479709705.png

 

1 Like
Reply
JMSHW0420

‎Jan 23 2023 05:22 AM

‎Jan 23 2023 05:22 AM

Re: KQL Queries: Fortinet

Hi Clive,

Sorry mate, I actually do know what you mean. Thanks for the clarification though. Much appreciated.

Jason
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by JMSHW0420 (Brass Contributor)
Clive_Watson

‎Jan 23 2023 03:48 AM

‎Jan 23 2023 03:48 AM

Solution

Re: KQL Queries: Fortinet

@JMSHW0420 
Maybe look at ASIM,

1. Look at the ASIM parser for Fortigate, to get some of the Columns you may need in a normalized way (you may want to adopt the column naming to get your finished query aligned to ASIM now - that way if Forti release a parser you are probably virtually ready to use it). 

Clive_Watson_0-1674474207344.png

2. look at the other DNS ASIM parsers, whilst there isn't one for Forti (yet), you may get some ideas.

Clive_Watson_1-1674474260046.png

 

3. Also look at the DNS Queries that use ASIM Azure-Sentinel/Detections/ASimDNS at master · Azure/Azure-Sentinel (github.com)

View solution in original post

0 Likes
Reply