Fortimail Mapping (#32866)

* Created ModelingRules

* Created ParsingRules

* Updated README

* Created and updated ReleaseNotes

* Updated ReleaseNotes

* Bump pack from version Fortimail to 1.0.5.

* Update Packs/Fortimail/README.md

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

* Updated ModelingRules

* Updated ModelingRules

---------

Co-authored-by: Content Bot <bot@demisto.com>
Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

Packs/Fortimail/ModelingRules/Fortimail/Fortimail.yml

@@ -0,0 +1,6 @@
+fromversion: 8.4.0
+id: Fortimail_ModelingRule
+name: Fortimail Modeling Rule
+rules: ''
+schema: ''
+tags: Fortimail

Packs/Fortimail/ModelingRules/Fortimail/Fortimail_schema.json

@@ -0,0 +1,84 @@
+{
+    "fortinet_fortimail_raw": {        
+        "Classifier": {
+            "type": "string",
+            "is_array": false
+        },
+        "Disposition": {
+            "type": "string",
+            "is_array": false
+        },
+        "From": {
+            "type": "string",
+            "is_array": false
+        },
+        "Header_From": {
+            "type": "string",
+            "is_array": false
+        },
+        "To": {
+            "type": "string",
+            "is_array": false
+        },
+        "Subject": {
+            "type": "string",
+            "is_array": false
+        },
+        "Message_ID": {
+            "type": "string",
+            "is_array": false
+        },
+        "Session_ID": {
+            "type": "string",
+            "is_array": false
+        },
+        "Client_IP": {
+            "type": "string",
+            "is_array": false
+        },
+        "Location": {
+            "type": "string",
+            "is_array": false
+        },
+        "Client_Name": {
+            "type": "string",
+            "is_array": false
+        },
+        "Direction": {
+            "type": "string",
+            "is_array": false
+        },
+        "Policy_ID": {
+            "type": "string",
+            "is_array": false
+        },
+        "Domain": {
+            "type": "string",
+            "is_array": false
+        },
+        "Destination_IP": {
+            "type": "string",
+            "is_array": false
+        },
+        "Log_ID": {
+            "type": "string",
+            "is_array": false
+        },
+        "Message": {
+            "type": "string",
+            "is_array": false
+        },
+        "Level": {
+            "type": "string",
+            "is_array": false
+        },
+        "Endpoint": {
+            "type": "string",
+            "is_array": false
+        },
+        "Subtype": {
+            "type": "string",
+            "is_array": false
+        }                                                
+    }
+}

Packs/Fortimail/ParsingRules/Fortimail/Fortimail.xif

@@ -0,0 +1,6 @@
+[INGEST:vendor="fortinet", product="fortimail", target_dataset="fortinet_fortimail_raw", no_hit=keep]
+alter
+    tmp_unite_date_time = concat(Date, " ", Time)
+| alter
+    _time = parse_timestamp("%Y-%m-%d %k:%M:%S", tmp_unite_date_time)
+| fields -tmp_unite_date_time;

Packs/Fortimail/ParsingRules/Fortimail/Fortimail.yml

@@ -0,0 +1,6 @@
+name: Fortimail Parsing Rule
+id: Fortimail_ParsingRule
+fromversion: 8.4.0
+tags: []
+rules: ''
+samples: ''

Packs/Fortimail/README.md

@@ -1,3 +1,7 @@
+# Fortimail
+This pack includes Cortex XSIAM content. 
+
+<~XSOAR>
 Cortex XSOAR interfaces with Fortimail to increase email security.
 
 # What does this pack do?
@@ -6,3 +10,55 @@ Cortex XSOAR interfaces with Fortimail to increase email security.
 - Views, creates, updates, and deletes a Fortimail IP and Email groups directly from Cortex XSOAR.
 - Views, creates, updates, and deletes a Fortimail IP and Email group members directly from Cortex XSOAR.
 - Views all Fortimail profiles.
+</~XSOAR>
+
+<~XSIAM>
+## Configuration on Server Side
+You need to configure Fortimail to forward Syslog messages.
+
+Open the Fortimail interface, and follow these instructions [Documentation](https://docs.fortinet.com/document/fortimail/7.4.2/administration-guide/332364/configuring-logging):
+1. Go to **Log & Report** &rarr; **Log Setting** &rarr; **Remote**
+2. Configure the following settings:
+   | Setting            | Description   
+   | :---               | :---        
+   | `Status`           | Select to enable logging to this location.
+   | `Name`             | Enter a unique name for this configuration.
+   | `Server name/IP`   | Enter the IPv4, IPv6, or domain name (FQDN) address of the Syslog server or FortiAnalyzer that will store the logs.
+   | `Server port`      | If the remote host is a FortiAnalyzer unit, type 514. If the remote host is a Syslog server, type the port number on which the Syslog server listens.
+   | `Protocol`         | Select **Syslog**.
+   | `Mode`             | Select **TCP**.
+   | `Level`            | Select the severity level that a log message must equal or exceed in order to be recorded to this storage location.
+   | `Facility`         | Select the facility identifier that the FortiMail unit will use to identify itself when sending log messages.
+   | `CSV format`       | Enable if you want to send log messages in comma-separated value (CSV) format.
+3. Click **Create**
+
+* To verify logging connectivity, from the FortiMail unit, trigger a log message that matches the types and severity levels that you have chosen to store on the remote host. Then, on the remote host, confirm that it has received that log message.
+
+**Pay Attention**:
+Timestamp ingestion is only available in UTC timezone (00:00) for the **Date** (%Y-%m-%d) and **Time** (%k:%M:%S) fields.
+In order to change Fortimail's system time zone use the commands-
+```text
+    config system time manual
+    set daylight-saving-time {disable | enable}
+    set zone <zone_int>
+    end
+``` 
+For additional information, review Fortimail's System Time Manual [documentation](https://docs.fortinet.com/document/fortimail/7.4.1/cli-reference/302323/system-time-manual).
+
+## Collect Events from Vendor
+In order to use the collector, use the [Broker VM](#broker-vm) option.
+
+### Broker VM
+To create or configure the Broker VM, use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).
+
+You can configure the specific vendor and product for this instance.
+
+1. Navigate to **Settings** &rarr; **Configuration** &rarr; **Data Broker** &rarr; **Broker VMs**.
+2. Go to the **Apps** column under the **Brokers** tab and add the **Syslog Collector** app for the relevant broker instance. If the app already exists, hover over it and click **Configure**.
+3. Click **Add New** for adding a new syslog data source.
+4. When configuring the new syslog data source, set the following values:
+   | Parameter     | Value   
+   | :---          | :---        
+   | `Vendor`      | Enter **fortinet**.
+   | `Product`     | Enter **fortimail**.
+</~XSIAM>

Packs/Fortimail/ReleaseNotes/1_0_5.md

@@ -0,0 +1,12 @@
+
+#### Modeling Rules
+
+##### New: Fortimail Modeling Rule
+
+Added support for Modeling Rules (Available from Cortex XSIAM 2.0).
+
+#### Parsing Rules
+
+##### New: Fortimail Parsing Rule
+
+Added support for Parsing Rules (Available from Cortex XSIAM 2.0).

Packs/Fortimail/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Fortimail",
     "description": "FortiMail is a comprehensive email security solution by Fortinet, offering advanced threat protection, data loss prevention, encryption, and email authentication to safeguard organizations against email-based cyber threats and protect sensitive information.",
     "support": "xsoar",
-    "currentVersion": "1.0.4",
+    "currentVersion": "1.0.5",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",