Add Fortigate Fortinet index to multiple detection rules #4275

Open
wants to merge 3 commits into base: main

Conversation

SHolzhauer
Contributor

Pull Request

Issue link(s):
Resolves #4268

Summary - What I changed

Did a bit of a dive into the mentioned rules and how they map to the Fortinet FortiGate integration.

| rule name | observation | should work | update required |
|---|---|---|---|
| RPC (Remote Procedure Call) to the Internet | The integration has the relevant fields | y | the index should be updated to include the integration |
| RPC (Remote Procedure Call) from the Internet | The integration has the relevant fields | y | the index should be updated to include the integration |
| VNC (Virtual Network Computing) to the Internet | The integration has the relevant fields | y | the index should be updated to include the integration |
| VNC (Virtual Network Computing) from the Internet | The integration has the relevant fields | y | the index should be updated to include the integration |
| Accepted Default Telnet Port Connection | Unsure if the event.action will match with the Fortinet logs | | |
| Roshal Archive (RAR) or PowerShell File Downloaded from the Internet | The integration has the relevant fields | y | the index should be updated to include the integration |
| Possible FIN7 DGA Command and Control Behavior | no type field exported by Fortinet | | |
| IPSEC NAT Traversal Port Activity | The integration has the relevant fields | y | the index should be updated to include the integration |
| SMTP on Port 26/TCP | The integration has the relevant fields | y | the index should be updated to include the integration |
| Potential Network Sweep Detected | The integration has the relevant fields | y | the index should be updated to include the integration |
| Potential Network Scan Detected | Unsure if the event.action will match with the Fortinet logs | | |
| Potential SYN-Based Network Scan Detected | The integration has the relevant fields | y | the index should be updated to include the integration |
| RDP (Remote Desktop Protocol) from the Internet | The integration has the relevant fields | y | the index should be updated to include the integration |
| SMB (Windows File Sharing) Activity to the Internet | | | |

How To Test

Checklist

- Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
- [ ] Added the meta:rapid-merge label if planning to merge within 24 hours
- Secret and sensitive material has been managed correctly
- [ ] Automated testing was updated or added to match the most common scenarios
- [ ] Documentation and comments were added for features that require explanation

Successfully merging this pull request may close these issues.

[Rule Tuning] RPC (Remote Procedure Call) from the Internet