From 9401842eee40bef1f75289d0b605739d1f79b4ad Mon Sep 17 00:00:00 2001
From: AlfonsoRBJ <sitoruizbravo@hotmail.com>
Date: Fri, 22 Jun 2018 17:08:14 +0200
Subject: [PATCH 1/9] fix the issue #137

We've adjusted the fortigate decoders so you can generate alerts when you receive events in a new format.
---
 decoders/0100-fortigate_decoders.xml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/decoders/0100-fortigate_decoders.xml b/decoders/0100-fortigate_decoders.xml
index 8d532e71f..627d42a43 100644
--- a/decoders/0100-fortigate_decoders.xml
+++ b/decoders/0100-fortigate_decoders.xml
@@ -54,7 +54,7 @@ Feb 20 12:31:11 date=2011-02-20 time=12: 31:09 devname=Name_of_Device device_id=
 
 <!-- FortiOS 5.0 via syslog -->
 <decoder name="fortigate-firewall-v5">
-    <prematch>date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+ </prematch>
+    <prematch>date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+ |date=\S+ time=\.+ devname="\S+" devid="FG\w+" logid="\d+" </prematch>
     <type>syslog</type>
 </decoder>
 
@@ -108,8 +108,8 @@ date=2016-06-16 time=16:22:34 devname=Mobipay_Firewall devid=FGTXXXX9999999999 l
 -->
 <decoder name="fortigate-firewall-v5-event-system-information">
     <parent>fortigate-firewall-v5</parent>
-    <prematch offset="after_parent">type=event subtype=system level=information</prematch>
-    <regex offset="after_parent">user="(\S+)" ui=\p*\w+\((\S+)\)\p* action=(\S+) </regex>
+    <prematch offset="after_parent">type=event subtype=system level=information|type="event" subtype="system" level="information"</prematch>
+    <regex offset="after_parent">user="(\S+)" ui=\p*\w+\((\S+)\)\p* action=(\S+) |user="(\S+)" ui=\p*\w+\((\S+)\)\p* \.*action="(\S+)" </regex>
     <order>srcuser,srcip,action</order>
 </decoder>
 
@@ -121,7 +121,7 @@ date=2016-06-16 time=16:22:34 devname=Mobipay_Firewall devid=FGTXXXX9999999999 l
 
 <decoder name="fortigate-firewall-v5-event-system-information">
     <parent>fortigate-firewall-v5</parent>
-    <regex offset="after_regex">status=(\S+) \.*msg=(\.*)</regex>
+    <regex offset="after_regex">status=(\S+) \.*msg=(\.*)|status="(\S+)" \.*msg=(\.*)</regex>
     <order>status,extra_data</order>
 </decoder>
 

From 2aa2fc7d84bf52cf4999f71cc58be79922c7567d Mon Sep 17 00:00:00 2001
From: frgv <36547287+frgv@users.noreply.github.com>
Date: Mon, 25 Jun 2018 15:24:29 +0200
Subject: [PATCH 2/9] Fortigate - Decoders and rules fixed

Fixed fortigate decoders and rules to decode new fortigate format. GPDR tagging still needed.
---
 decoders/0100-fortigate_decoders.xml | 426 ++++++++++++++++++++++++---
 rules/0390-fortigate_rules.xml       | 148 ++++++++--
 2 files changed, 503 insertions(+), 71 deletions(-)

diff --git a/decoders/0100-fortigate_decoders.xml b/decoders/0100-fortigate_decoders.xml
index 627d42a43..a297c821e 100644
--- a/decoders/0100-fortigate_decoders.xml
+++ b/decoders/0100-fortigate_decoders.xml
@@ -54,32 +54,107 @@ Feb 20 12:31:11 date=2011-02-20 time=12: 31:09 devname=Name_of_Device device_id=
 
 <!-- FortiOS 5.0 via syslog -->
 <decoder name="fortigate-firewall-v5">
-    <prematch>date=\S+ time=\.+ devname=\S+ devid=FG\w+ logid=\d+ |date=\S+ time=\.+ devname="\S+" devid="FG\w+" logid="\d+" </prematch>
+    <prematch>date=\S+\.+time=\.+devname=\S+\.+devid=\p*FG\S+\.+logid=</prematch>
     <type>syslog</type>
 </decoder>
 
 <!--
 date=2016-06-15 time=09:41:35 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=utm subtype=ips eventtype=signature level=alert vd="root" severity=info srcip=192.168.10.8 dstip=157.55.235.162 srcintf="internal2" dstintf="wan2" policyid=2 sessionid=1473454 action=dropped proto=6 service=tcp/20480 attack="HTTP.Unknown.Tunnelling" srcport=62216 dstport=80 direction=outgoing attackid=107347981 profile="default" ref="http://www.fortinet.com/ids/VID107347981" incidentserialno=1999871775 msg="http_decoder: HTTP.Unknown.Tunnelling,"
+
 -->
+
+<decoder name="fortigate-firewall-v5-utm-ips">
+    <parent>fortigate-firewall-v5</parent>
+    <prematch offset="after_parent">type=utm,subtype=ips|type=utm subtype=ips|type="utm" subtype="ips"</prematch>
+    <regex offset="after_prematch">\.*severity="(\S+)"|\.*severity=(\S+),|\.*severity=(\S+) </regex>
+    <order>status</order>
+</decoder>
+
 <decoder name="fortigate-firewall-v5-utm-ips">
     <parent>fortigate-firewall-v5</parent>
-    <prematch offset="after_parent">type=utm subtype=ips</prematch>
-    <regex offset="after_prematch">severity=(\S+) srcip=(\S+) dstip=(\S+) \.*action=(\S+) proto\.+srcport=(\d+) dstport=(\d+) \.*msg=(\.*)</regex>
-    <order>status,srcip,dstip,action,srcport,dstport,extra_data</order>
+    <regex offset="after_regex">\.*srcip="(\S+)"|\.*srcip=(\S+),|\.*srcip=(\S+) </regex>
+    <order>srcip</order>
 </decoder>
 
+<decoder name="fortigate-firewall-v5-utm-ips">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*dstip="(\S+)"|\.*dstip=(\S+),|\.*dstip=(\S+) </regex>
+    <order>dstip</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-ips">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*action="(\S+)"|\.*action=(\S+),|\.*action=(\S+) </regex>
+    <order>action</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-ips">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*srcport="(\d+)"|\.*srcport=(\d+),|\.*srcport=(\d+) </regex>
+    <order>srcport</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-ips">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*dstport="(\d+)"|\.*dstport=(\d+),|\.*dstport=(\d+) </regex>
+    <order>dstport</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-ips">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*msg="(\.+)"|\.*dstport=(\.+),|\.*dstport=(\.+) </regex>
+    <order>extra_data</order>
+</decoder>
+
+
+
+
+
 <!--
 Mar 22 19:21:00 10.10.10.10 date=2016-03-22 time=19:20:46 devname=Text devid=FGT3HD0000000000 logid=0000018000 type=anomaly subtype=anomaly level=alert vd="root" severity=critical srcip=10.10.10.35 dstip=10.10.10.84 srcintf="port2" sessionid=0 action=detected proto=6 service=tcp/36875 count=1903 attack="tcp_syn_flood" srcport=32835 dstport=2960 attackid=100663396 profile="DoS-policy1" ref="http://www.fortinet.com/ids/VID100663396" msg="anomaly: tcp_syn_flood, 2001 > threshold 2000, repeats 1903 times" crscore=50 crlevel=critical
 
 Mar 22 19:21:00 10.10.10.10 date=2016-03-22 time=19:20:46 devname=Text devid=FGT3HD0000000000 logid=0000018000 type=anomaly subtype=anomaly level=alert vd="root" severity=critical srcip=10.10.10.61 dstip=10.10.10.84 srcintf="port2" sessionid=0 action=dropped proto=6 service=NONE count=9 attack="IP.Bad.Header" attackid=127 profile="N/A" ref="http://www.fortinet.com/ids/VID127" msg="anomaly: IP.Bad.Header, repeats 9 times" crscore=50 crlevel=critical
 -->
+
+
+<decoder name="fortigate-firewall-v5-anomaly">
+    <parent>fortigate-firewall-v5</parent>
+    <prematch offset="after_parent">type="anomaly"|type=anomaly</prematch>
+    <regex offset="after_parent">\.*severity="(\S+)"|\.*severity=(\S+),|\.*severity=(\S+) </regex>
+    <order>status</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-anomaly">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*srcip="(\S+)"|\.*srcip=(\S+),|\.*srcip=(\S+) </regex>
+    <order>srcip</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-anomaly">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*dstip="(\S+)"|\.*dstip=(\S+),|\.*dstip=(\S+) </regex>
+    <order>dstip</order>
+</decoder>
+
 <decoder name="fortigate-firewall-v5-anomaly">
     <parent>fortigate-firewall-v5</parent>
-    <prematch offset="after_parent">type=anomaly</prematch>
-    <regex offset="after_parent">severity=(\w+) srcip=(\S+) dstip=(\S+) srcintf=\S+ sessionid=\S+ action=(\w+) proto=\d+ service=(\S+) count=\d+ (attack)="(\.+)"</regex>
-    <order>status, srcip, dstip, action, protocol, id, extra_data</order>
+    <regex offset="after_regex">\.*action="(\S+)"|\.*action=(\S+),|\.*action=(\S+) </regex>
+    <order>action</order>
 </decoder>
 
+<decoder name="fortigate-firewall-v5-anomaly">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*service="(\S+)"|\.*service=(\S+),|\.*service=(\S+) </regex>
+    <order>service</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-anomaly">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*(attack)="(\S+)"|\.*(attack)=(\S+),|\.*(attack)=(\S+) </regex>
+    <order>id, extra_data</order>
+</decoder>
+
+
 <!--
 date=2016-06-15 time=11:44:46 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=utm subtype=webfilter eventtype=urlfilter level=warning vd="root" urlfilteridx=3 urlfilterlist="default" policyid=2 sessionid=1563645 user="" srcip=1.2.3.11 srcport=52414 srcintf="internal2" dstip=1.5.5.92 dstport=443 dstintf="wan2" proto=6 service=HTTPS hostname="4-edge-chat.facebook.com" profile="default" action=blocked reqtype=referral url="/p?partition=-2&cb=lz1k&failure=5&sticky_token=274&sticky_pool=atn2c06_chat-proxy" sentbyte=932 rcvdbyte=0 direction=outgoing msg="URL was blocked because it is in the URL filter list" crscore=30 crlevel=high
 
@@ -88,11 +163,107 @@ date=2016-06-15 time=11:44:46 devname=Device_Name devid=FGTXXXX9999999999 logid=
 -->
 <decoder name="fortigate-firewall-v5-utm-webfilter">
     <parent>fortigate-firewall-v5</parent>
-    <prematch offset="after_parent">type=utm subtype=webfilter</prematch>
-    <regex offset="after_parent">level=(\S+) \.+ user="(\.*)" srcip=(\S+) srcport=(\d+) \.+ dstip=(\S+) dstport=(\d+) \.+ hostname="(\.+)" \.+ action=(\w+)</regex>
-    <order>status,srcuser,srcip,srcport,dstip,dstport,url,action</order>
+    <prematch offset="after_parent">type=utm subtype=webfilter|type=utm,subtype=webfilter|type="utm" subtype="webfilter"</prematch>
+    <regex offset="after_prematch">\.*level="(\S+)"|\.*level=(\S+),|\.*level=(\S+) </regex>
+    <order>status</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-webfilter">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*user="(\.*)"|\.*user=(\.*),|\.*user=(\.*) </regex>
+    <order>srcuser</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-webfilter">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*srcip="(\S+)"|\.*srcip=(\S+),|\.*srcip=(\S+) </regex>
+    <order>srcip</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-webfilter">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*srcport="(\d+)"|\.*srcport=(\d+),|\.*srcport=(\d+) </regex>
+    <order>srcport</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-webfilter">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*dstip="(\S+)"|\.*dstip=(\S+),|\.*dstip=(\S+) </regex>
+    <order>dstip</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-webfilter">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*dstport="(\d+)"|\.*dstport=(\d+),|\.*dstport=(\d+) </regex>
+    <order>dstport</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-webfilter">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*hostname="(\.+)"|\.*hostname=(\.+),|\.*hostname=(\.+) </regex>
+    <order>url</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-webfilter">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*action="(\S+)"|\.*action=(\S+),|\.*action=(\S+) </regex>
+    <order>action</order>
+</decoder>
+
+<!--
+2018 Apr 09 16:03:37 inwazuhmgr->172.24.0.253 date=2018-04-09 time=16:03:37 devname=BA-RSYS-FW devid=FG600C3912803212 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="BA-EXORA" logtime=1523270017 appid=16009 srcip=172.24.42.175 dstip=111.221.29.254 srcport=55139 dstport=443 srcintf="port3" srcintfrole="wan" dstintf="port5" dstintfrole="undefined" proto=6 service="HTTPS" policyid=107 sessionid=3454887534 applist="block-high-risk" appcat="Update" app="MS.Windows.Update" action="pass" hostname="*.vortex-win.data.microsoft.com" incidentserialno=1405558813 url="/" msg="Update: MS.Windows.Update," apprisk="elevated" scertcname="*.vortex-win.data.microsoft.com"
+-->
+
+<decoder name="fortigate-firewall-v5-utm-app-ctrl">
+    <parent>fortigate-firewall-v5</parent>
+    <prematch offset="after_parent">type=utm subtype=app-ctrl|type=utm,subtype=app-ctrl|type="utm" subtype="app-ctrl"</prematch>
+    <regex offset="after_prematch">\.*level="(\S+)"|\.*level=(\S+),|\.*level=(\S+) </regex>
+    <order>status</order>
 </decoder>
 
+<decoder name="fortigate-firewall-v5-utm-app-ctrl">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*user="(\.*)"|\.*user=(\.*),|\.*user=(\.*) </regex>
+    <order>srcuser</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-app-ctrl">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*srcip="(\S+)"|\.*srcip=(\S+),|\.*srcip=(\S+) </regex>
+    <order>srcip</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-app-ctrl">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*srcport="(\d+)"|\.*srcport=(\d+),|\.*srcport=(\d+) </regex>
+    <order>srcport</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-app-ctrl">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*dstip="(\S+)"|\.*dstip=(\S+),|\.*dstip=(\S+) </regex>
+    <order>dstip</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-app-ctrl">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*dstport="(\d+)"|\.*dstport=(\d+),|\.*dstport=(\d+) </regex>
+    <order>dstport</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-app-ctrl">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*action="(\S+)"|\.*action=(\S+),|\.*action=(\S+) </regex>
+    <order>action</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-app-ctrl">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*hostname="(\.+)"|\.*hostname=(\.+),|\.*hostname=(\.+) </regex>
+    <order>url</order>
+</decoder>
+
+
 <!--
 date=2016-06-16 time=09:03:03 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=event subtype=system level=information vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(4.3.5.8)" action=Edit cfgtid=2162752 cfgpath="firewall.service.custom" cfgobj="Custom-TCP_10443" cfgattr="tcp-portrange[->10443]udp-portrange[->]sctp-portrange[->]" msg="Edit firewall.service.custom Custom-TCP_10443"
 
@@ -106,57 +277,100 @@ date=2016-06-16 time=08:48:28 devname=Device_Name devid=FGTXXXX9999999999 logid=
 
 date=2016-06-16 time=16:22:34 devname=Mobipay_Firewall devid=FGTXXXX9999999999 logid=0100032001 type=event subtype=system level=information vd="root" logdesc="Admin login successful" sn=1466090554 user="a@b.com.na" ui=https(10.42.8.253) action=login status=success reason=none profile="super_admin" msg="Administrator a@b.com.na logged in successfully from https(10.42.8.253)"
 -->
+
 <decoder name="fortigate-firewall-v5-event-system-information">
     <parent>fortigate-firewall-v5</parent>
-    <prematch offset="after_parent">type=event subtype=system level=information|type="event" subtype="system" level="information"</prematch>
-    <regex offset="after_parent">user="(\S+)" ui=\p*\w+\((\S+)\)\p* action=(\S+) |user="(\S+)" ui=\p*\w+\((\S+)\)\p* \.*action="(\S+)" </regex>
-    <order>srcuser,srcip,action</order>
+    <prematch offset="after_parent">type=event subtype=system level=information|type=event,subtype=system,level=information|type="event" subtype="system" level="information"</prematch>
+    <regex offset="after_prematch">\.*user="(\S+)"|\.*user(\S+)</regex>
+    <order>srcuser</order>
 </decoder>
 
 <decoder name="fortigate-firewall-v5-event-system-information">
     <parent>fortigate-firewall-v5</parent>
-    <regex offset="after_regex">cfgtid=(\d+) \.*cfgattr=(\.*) msg=(\.*)</regex>
-    <order>id,url,extra_data</order>
+    <regex offset="after_regex">ui=\p*\w+\((\S+)\)\p*</regex>
+    <order>srcip</order>
 </decoder>
 
 <decoder name="fortigate-firewall-v5-event-system-information">
     <parent>fortigate-firewall-v5</parent>
-    <regex offset="after_regex">status=(\S+) \.*msg=(\.*)|status="(\S+)" \.*msg=(\.*)</regex>
-    <order>status,extra_data</order>
+    <regex offset="after_regex">\.*action="(\S+)"|\.*action=(\S+)</regex>
+    <order>action</order>
 </decoder>
 
+<decoder name="fortigate-firewall-v5-event-system-information">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*cfgtid="(\d+)"|\.*cfgtid=(\d+)</regex>
+    <order>id</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-event-system-information">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*cfgattr="(\.*)"|\.*cfgattr=(\.*)</regex>
+    <order>url</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-event-system-information">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*ip="(\S+)"|\.*ip=(\S+)</regex>
+    <order>src_ip</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-event-system-information">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*srcip="(\S+)"|\.*srcip=(\S+)</regex>
+    <order>src_ip</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-event-system-information">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*status="(\S+)"|\.*status=(\S+)</regex>
+    <order>status</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-event-system-information">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex"> msg="(\.*)"|,msg=(\.*)</regex>
+    <order>extra_data</order>
+</decoder>
+
+
+
+
 <!--
 date=2016-06-14 time=12:22:01 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=event subtype=system level=alert vd="root" logdesc="Admin login failed" sn=0 user="gfedhf" ui=https(4.3.5.253) action=login status=failed reason="name_invalid" msg="Administrator gfedhf login failed from https(4.3.5.253) because of invalid user name"
 
 date=2016-06-17 time=02:37:41 devname=Mobipay_Firewall devid=FGTXXXX9999999999 logid=0100032002 type=event subtype=system level=alert vd="root" logdesc="Admin login failed" sn=0 user="root" ui=ssh(222.186.130.227) action=login status=failed reason="name_invalid" msg="Administrator root login failed from ssh(222.186.130.227) because of invalid user name"
 -->
+
 <decoder name="fortigate-firewall-v5-event-system-alert-fields1">
     <parent>fortigate-firewall-v5</parent>
-    <prematch offset="after_parent">type=event subtype=system level=alert vd="\S+" logdesc="\.+" sn=\S+ </prematch>
-    <regex offset="after_prematch">user="(\S+)" ui=\w+\((\S+)\) action=(\S+) status=(\S+) reason="\.+" msg="(\.+)"$</regex>
-    <order>user,srcip,action,status,extra_data</order>
+    <prematch offset="after_parent">type=event subtype=system level=alert|type=event,subtype=system,level=alert|type="event" subtype="system" level="alert"</prematch>
+    <regex offset="after_prematch">\.*user="(\S+)"|\.*user=(\S+),|\.*user=(\S+) </regex>
+    <order>srcuser</order>
 </decoder>
 
-<!--
-date=2016-06-14 time=10:47:23 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=event subtype=system level=alert vd="root" logdesc="Configuration changed" user="admin" ui=https(105.232.255.15) msg="Configuration is changed in the admin session"
+<decoder name="fortigate-firewall-v5-event-system-alert-fields1">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">ui=\p*(\w+)\((\S+)\)\p*</regex>
+    <order>protocol,srcip</order>
+</decoder>
 
-date=2016-06-16 time=08:48:28 devname=Mobipay_Firewall devid=FGTXXXX9999999999 logid=0100032400 type=event subtype=system level=alert vd="root" logdesc="Configuration changed" user="a@b.com.na" ui=https(10.42.8.253) msg="Configuration is changed in the admin session"
--->
-<decoder name="fortigate-firewall-v5-event-system-alert-fields2">
+<decoder name="fortigate-firewall-v5-event-system-alert-fields1">
     <parent>fortigate-firewall-v5</parent>
-    <prematch offset="after_parent">type=event subtype=system level=alert vd="\S+" logdesc="\.+" user=</prematch>
-    <regex offset="after_prematch">"(\.+)" ui=\w+\((\S+)\) msg="(\.+)"</regex>
-    <order>user,srcip,extra_data</order>
+    <regex offset="after_regex">\.*action="(\S+)"|\.*action=(\S+),|\.*action=(\S+) </regex>
+    <order>action</order>
 </decoder>
 
-<!--
-date=2016-06-14 time=12:22:03 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=event subtype=system level=alert vd="root" logdesc="Admin login disabled" ui=4.3.5.253 action=login status=failed reason=exceed_limit msg="Login disabled from IP 4.3.5.253 for 60 seconds because of 3 bad attempts"
--->
-<decoder name="fortigate-firewall-v5-event-system-alert-fields3">
+<decoder name="fortigate-firewall-v5-event-system-alert-fields1">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*status="(\S+)"|\.*status=(\S+),|\.*status=(\S+) </regex>
+    <order>status</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-event-system-alert-fields1">
     <parent>fortigate-firewall-v5</parent>
-    <prematch offset="after_parent">type=event subtype=system level=alert vd="\S+" logdesc="\.+" ui=</prematch>
-    <regex offset="after_prematch">(\S+) action=(\S+) status=(\S+) reason=\S+ msg="(\.+)"</regex>
-    <order>srcip,action,status,extra_data</order>
+    <regex offset="after_regex">\.*msg="(\.+)"|\.*msg=(\.+),|\.*msg=(\.+) </regex>
+    <order>extra_data</order>
 </decoder>
 
 <!--
@@ -167,13 +381,47 @@ date=2016-06-15 time=21:35:09 devname=Device_Name devid=FGTXXXX9999999999 logid=
 date=2016-06-16 time=08:47:00 devname=Device_Name devid=FGTXXXX9999999999 logid=0101039947 type=event subtype=vpn level=information vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=1050355638 remip=9.8.7.7 tunnelip=1.2.4.6 user="my_user_name" group="SSL_VPN" dst_host="N/A" reason="N/A" msg="SSL tunnel established"
 
 date=2016-06-16 time=08:49:26 devname=Device_Name devid=FGTXXXX9999999999 logid=0101039948 type=event subtype=vpn level=information vd="root" logdesc="SSL VPN tunnel down" action="tunnel-down" tunneltype="ssl-tunnel" tunnelid=1050355638 remip=5.7.8.9 tunnelip=8.4.2.1 user="my_user_name" group="SSL_VPN" dst_host="N/A" reason="N/A" duration=147 sentbyte=2284 rcvdbyte=2630 msg="SSL tunnel shutdown"
--->
+
 <decoder name="fortigate-firewall-v5-event-vpn-fields1">
     <parent>fortigate-firewall-v5</parent>
     <prematch offset="after_parent">type=event subtype=vpn level=\S+ vd="\.+" logdesc="\.+" msg="\.+" action=</prematch>
     <regex>logdesc="(\.+)" msg=\.+ action=(\.*) remip=(\S+) locip=(\S+) \.+ status=(\S+)</regex>
     <order>extra_data,action,dstip,srcip,status</order>
 </decoder>
+-->
+
+
+
+<decoder name="fortigate-firewall-v5-event-vpn-fields1">
+    <parent>fortigate-firewall-v5</parent>
+    <prematch offset="after_parent">type=event subtype=vpn|type="event" subtype="vpn"|type=event,subtype=vpn</prematch>
+    <regex offset="after_prematch">\.*logdesc="(\.+)"</regex>
+    <order>extra_data</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-event-vpn-fields1">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*action="(\S+)"|\.*action=(\S+),|\.*action=(\S+) </regex>
+    <order>action</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-event-vpn-fields1">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*remip="(\S+)"|\.*remip=(\S+),|\.*remip=(\S+) </regex>
+    <order>dstip</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-event-vpn-fields1">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*locip="(\S+)"|\.*locip=(\S+),|\.*locip=(\S+) </regex>
+    <order>srcip</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-event-vpn-fields1">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*status="(\S+)"|\.*status=(\S+),|\.*status=(\S+) </regex>
+    <order>status</order>
+</decoder>
 
 <decoder name="fortigate-firewall-v5-event-vpn-fields2">
     <parent>fortigate-firewall-v5</parent>
@@ -189,7 +437,107 @@ date=2016-06-16 time=10:49:08 devname=Device_Name devid=FGTXXXX9999999999 logid=
 -->
 <decoder name="fortigate-firewall-v5-traffic">
     <parent>fortigate-firewall-v5</parent>
-    <prematch offset="after_parent">type=traffic</prematch>
-    <regex>srcip=(\S+) srcport=(\d+) \.+ dstip=(\S+) dstport=(\d+) \.+ appcat="(\.+)" apprisk=(\w+) applist=</regex>
-    <order>srcip,srcport,dstip,dstport,protocol,status</order>
+    <prematch offset="after_parent">type=traffic|type="traffic"</prematch>
+    <regex offset="after_prematch">\.*srcip="(\S+)"|\.*srcip=(\S+),|\.*srcip=(\S+) </regex>
+    <order>srcip</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-traffic">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*srcport="(\d+)"|\.*srcport=(\d+),|\.*srcport=(\d+) </regex>
+    <order>srcport</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-traffic">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*dstip="(\S+)"|\.*dstip=(\S+),|\.*dstip=(\S+) </regex>
+    <order>dstip</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-traffic">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*dstport="(\d+)"|\.*dstport=(\d+),|\.*dstport=(\d+) </regex>
+    <order>dstport</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-traffic">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*appcat="(\.+)"|\.*appcat=(\.+),|\.*appcat=(\.+) </regex>
+    <order>protocol</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-traffic">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*apprisk="(\S+)"|\.*apprisk=(\S+),|\.*apprisk=(\S+) </regex>
+    <order>status</order>
+</decoder>
+
+<!--
+date=2018-05-31 time=08:58:56 devname="BA-RSYS-FW" devid="FG600C3912803212" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="BA-EXORA" eventtime=1527737336 msg="File is infected." action="blocked" service="HTTP" sessionid=377413095 srcip=172.24.12.52 dstip=164.100.80.203 srcport=64982 dstport=80 srcintf="port5" srcintfrole="undefined" dstintf="port3" dstintfrole="wan" policyid=108 proto=6 direction="incoming" filename="FrontPageImgHandler.ashx" quarskip="File-was-not-quarantined." virus="Malware_Generic.P0" dtype="Virus" ref="http://www.fortinet.com/ve?vn=Malware_Generic.P0" virusid=7024603 url="http://www.karsec.gov.in/FrontPageImgHandler.ashx?id=12" profile="Web-Browsing" agent="Chrome/66.0.3359.181" analyticscksum="a9165dbae34e6e2952270536e95a2bb154dff0cfcdf41315f0796ee14b36123b" analyticssubmit="false" crscore=50 crlevel="critical"
+-->
+<decoder name="fortigate-firewall-v5-utm-virus">
+    <parent>fortigate-firewall-v5</parent>
+    <prematch offset="after_parent">type=utm subtype=virus|type=utm,subtype=virus|type="utm" subtype="virus"</prematch>
+    <regex offset="after_prematch">\.*eventtype="(\S+)"|\.*eventtype=(\S+),|\.*eventtype=(\S+) </regex>
+    <order>protocol</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-virus">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*level="(\S+)"|\.*level=(\S+),|\.*level=(\S+) </regex>
+    <order>status</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-virus">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*action="(\S+)"|\.*action=(\S+),|\.*action=(\S+) </regex>
+    <order>action</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-virus">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*user="(\.*)"|\.*user=(\.*),|\.*user=(\.*) </regex>
+    <order>srcuser</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-virus">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*srcip="(\S+)"|\.*srcip=(\S+),|\.*srcip=(\S+) </regex>
+    <order>srcip</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-virus">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*dstip="(\S+)"|\.*dstip=(\S+),|\.*dstip=(\S+) </regex>
+    <order>dstip</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-virus">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*srcport="(\d+)"|\.*srcport=(\d+),|\.*srcport=(\d+) </regex>
+    <order>srcport</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-virus">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*dstport="(\d+)"|\.*dstport=(\d+),|\.*dstport=(\d+) </regex>
+    <order>dstport</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-virus">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*filename="(\.+)"|\.*filename=(\.+),|\.*filename=(\.+) </regex>
+    <order>fortigate.file_infected</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-virus">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*virus="(\.+)"|\.*virus=(\.+),|\.*virus=(\.+) </regex>
+    <order>fortigate.virus_found</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-utm-virus">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*url="(\.+)"|\.*url=(\.+),|\.*url=(\.+) </regex>
+    <order>url</order>
 </decoder>
diff --git a/rules/0390-fortigate_rules.xml b/rules/0390-fortigate_rules.xml
index 05ed9f1f1..d363415fd 100644
--- a/rules/0390-fortigate_rules.xml
+++ b/rules/0390-fortigate_rules.xml
@@ -37,14 +37,14 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <status>dpd_failure</status>
         <description>Fortigate: IP Sec DPD Failed.</description>
-        <group>firewall_drop,pci_dss_1.4,gdpr_IV_35.7.d,</group>
+        <group>firewall_drop,pci_dss_1.4,</group>
     </rule>
 
     <rule id="81605" level="7" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81604</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall drop events from same source.</description>
-        <group>multiple_drops,pci_dss_1.4,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
+        <group>multiple_drops,pci_dss_1.4,pci_dss_10.6.1,</group>
     </rule>
 
 
@@ -56,7 +56,7 @@ ID: 81600 - 80799
         <action>login</action>
         <status>failed</status>
         <description>Fortigate: Login failed.</description>
-        <group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
+        <group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,</group>
     </rule>
 
     <rule id="81607" level="7" frequency="16" timeframe="45" ignore="240">
@@ -64,7 +64,7 @@ ID: 81600 - 80799
         <same_source_ip />
         <options>alert_by_email</options>
         <description>Fortigate: Multiple failed login events from same source.</description>
-        <group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
+        <group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,</group>
     </rule>
 
 
@@ -76,14 +76,12 @@ ID: 81600 - 80799
         <match>Configuration is changed in the admin session</match>
         <options>alert_by_email</options>
         <description>Fortigate: Configuration changed.</description>
-        <group>gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
     </rule>
 
     <rule id="81609" level="8" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81608</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple changed configuration events from same source.</description>
-        <group>gdpr_IV_35.7.d,</group>
     </rule>
 
     <!--
@@ -93,7 +91,7 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <match>http_decoder: HTTP.Unknown.Tunnelling</match>
         <description>Fortigate: Default tunneling setting. Could be IPS.</description>
-        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
+        <group>pci_dss_10.6.1,</group>
     </rule>
 
     <rule id="81611" level="7" frequency="16" timeframe="45" ignore="240">
@@ -101,7 +99,7 @@ ID: 81600 - 80799
         <same_source_ip />
         <options>alert_by_email</options>
         <description>Fortigate: Multiple default tunneling setting events from same source.</description>
-        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
+        <group>pci_dss_10.6.1,</group>
     </rule>
 
     <!--
@@ -111,14 +109,31 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <action>Edit</action>
         <description>Fortigate: Firewall configuration changes</description>
-        <group>pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,</group>
+        <group>pci_dss_10.6.1,gpg13_4.13,</group>
     </rule>
 
     <rule id="81613" level="4" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81612</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall edit events from same source.</description>
-        <group>pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,</group>
+        <group>pci_dss_10.6.1,gpg13_4.13,</group>
+    </rule>
+
+    <!--
+    date=2016-06-16 time=09:03:03 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=event subtype=system level=information vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(4.3.5.8)" action=Add cfgtid=2162750 cfgpath="firewall.service.custom" cfgobj="Custom-TCP_10443" cfgattr="" msg="Add firewall.service.custom Custom-TCP_10443"
+    -->
+        <rule id="81631" level="3">
+        <if_sid>81603</if_sid>
+        <action>Add</action>
+        <description>Fortigate: Firewall configuration changes</description>
+        <group>pci_dss_1.4,gpg13_4.13,</group>
+    </rule>
+
+    <rule id="81632" level="4" frequency="16" timeframe="45" ignore="240">
+        <if_matched_sid>81631</if_matched_sid>
+        <same_source_ip />
+        <description>Fortigate: Multiple Firewall edit events from same source.</description>
+        <group>pci_dss_1.4,ci_dss_10.6.1,gpg13_4.13,gdpr_2.3,</group>
     </rule>
 
 
@@ -129,7 +144,7 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <match>ssl-login-fail</match>
         <description>Fortigate: SSL VPN User failed login attempt</description>
-        <group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
+        <group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,</group>
     </rule>
 
     <rule id="81615" level="7" frequency="16" timeframe="45" ignore="240">
@@ -137,7 +152,7 @@ ID: 81600 - 80799
         <same_source_ip />
         <options>alert_by_email</options>
         <description>Fortigate: Multiple Firewall SSL VPN failed login events from same source.</description>
-        <group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
+        <group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,</group>
     </rule>
 
     <!--
@@ -148,25 +163,24 @@ ID: 81600 - 80799
         <action>logout</action>
         <status>success</status>
         <description>Fortigate: User logout successful</description>
-        <group>pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,</group>
+        <group>pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,</group>
     </rule>
 
     <rule id="81617" level="7" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81616</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall logout events from same source.</description>
-        <group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,</group>
+        <group>pci_dss_10.2.5,gpg13_7.1,</group>
     </rule>
 
     <!--
     date=2016-06-16 time=10:49:08 devname=Device_Name devid=FGTXXXX9999999999 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=4.3.5.161 srcport=51082 srcintf="internal1" dstip=54.192.197.185 dstport=80 dstintf="wan1" poluuid=d6217c58-8c42-51e5-c3a6-c7766895cbfd sessionid=199618 proto=6 action=deny policyid=8 dstcountry="United States" srccountry="Reserved" trandisp=snat transip=160.242.8.82 transport=51082 service="HTTP" appid=6 app="BitTorrent" appcat="P2P" apprisk=high applist="default" appact=drop-session duration=3 sentbyte=60 rcvdbyte=3050 sentpkt=1 utmaction=block countapp=1 crscore=5 craction=1048576
     -->
-    <rule id="81618" level="1">
+    <rule id="81618" level="3">
         <if_sid>81603</if_sid>
-        <match>type=traffic</match>
-        <status>high</status>
+        <match>type=traffic|type="traffic"</match>
         <description>Fortigate: Traffic to be aware of.</description>
-        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
+        <group>pci_dss_10.6.1,</group>
     </rule>
 
     <rule id="81619" level="3" frequency="16" timeframe="45" ignore="240">
@@ -174,25 +188,25 @@ ID: 81600 - 80799
         <same_source_ip />
         <options>alert_by_email</options>
         <description>Fortigate: Multiple high traffic events from same source.</description>
-        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
+        <group>pci_dss_10.6.1,</group>
     </rule>
 
     <!--
     date=2016-06-15 time=11:44:46 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=utm subtype=webfilter eventtype=urlfilter level=warning vd="root" urlfilteridx=3 urlfilterlist="default" policyid=2 sessionid=1563645 user="" srcip=1.2.3.11 srcport=52414 srcintf="internal2" dstip=1.5.5.92 dstport=443 dstintf="wan2" proto=6 service=HTTPS hostname="4-edge-chat.facebook.com" profile="default" action=blocked reqtype=referral url="/p?partition=-2&cb=lz1k&failure=5&sticky_token=274&sticky_pool=atn2c06_chat-proxy" sentbyte=932 rcvdbyte=0 direction=outgoing msg="URL was blocked because it is in the URL filter list" crscore=30 crlevel=high
     -->
-    <rule id="81620" level="0">
+    <rule id="81620" level="3">
         <if_sid>81603</if_sid>
         <status>warning</status>
         <action>blocked</action>
         <description>Fortigate: URL Blocked by Firewall.</description>
-        <group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
+        <group>firewall_drop,pci_dss_10.6.1,</group>
     </rule>
 
     <rule id="81621" level="3" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81620</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple URL blocked from same source.</description>
-        <group>multiple_drops,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
+        <group>multiple_drops,pci_dss_10.6.1,</group>
     </rule>
 
     <!--
@@ -200,17 +214,17 @@ ID: 81600 - 80799
     -->
     <rule id="81622" level="3">
         <if_sid>81603</if_sid>
-        <match>level=information</match>
+        <match>level=information|level="information"</match>
         <action>tunnel-up</action>
         <description>Fortigate: VPN User connected.</description>
-        <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,</group>
+        4.13<group>authentication_success,pci_dss_10.2.5,gpg13_7.1,</group>
     </rule>
 
     <rule id="81623" level="4" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81622</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple vpn user connected from same source.</description>
-        <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,</group>
+        <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,</group>
     </rule>
 
     <!--
@@ -218,17 +232,17 @@ ID: 81600 - 80799
     -->
     <rule id="81624" level="3">
         <if_sid>81603</if_sid>
-        <match>level=information</match>
+        <match>level=information|level="information"</match>
         <action>tunnel-down</action>
         <description>Fortigate: VPN User disconnected.</description>
-        <group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,</group>
+        <group>pci_dss_10.2.5,gpg13_7.1,</group>
     </rule>
 
     <rule id="81625" level="4" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81624</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple user disconnected events from same source.</description>
-        <group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,</group>
+        <group>pci_dss_10.2.5,gpg13_7.1,</group>
     </rule>
 
     <!--
@@ -240,14 +254,14 @@ ID: 81600 - 80799
         <status>success</status>
         <action>login</action>
         <description>Fortigate: User successfully logged into firewall interface.</description>
-        <group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,</group>
+        <group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,</group>
     </rule>
 
     <rule id="81627" level="4" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81626</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall login events from same source.</description>
-        <group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,</group>
+        <group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,</group>
     </rule>
 
 
@@ -261,7 +275,7 @@ ID: 81600 - 80799
         <match>attack</match>
         <action>detected</action>
         <description>Fortigate Attack Detected</description>
-        <group>attack,gdpr_IV_35.7.d,</group>
+        <group>attack,</group>
     </rule>
 
     <rule id="81629" level="3">
@@ -269,7 +283,77 @@ ID: 81600 - 80799
         <match>attack</match>
         <action>dropped</action>
         <description>Fortigate Attack Dropped</description>
-        <group>attack,gdpr_IV_35.7.d,</group>
+        <group>attack,</group>
+    </rule>
+
+    <rule id="81630" level="3">
+        <if_sid>81603</if_sid>
+        <match>attack</match>
+        <action>clear_session</action>
+        <description>Fortigate Attack: Session cleared.</description>
+        <group>attack,gdpr_2.4</group>
+    </rule>
+
+    <!--
+    2018 Apr 09 16:05:06 inwazuhmgr->172.24.0.253 date=2018-04-09 time=16:05:06 devname=BA-RSYS-FW devid=FG600C3912803212 logid="1059028705" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="warning" vd="BA-EXORA" logtime=1523270106 appid=17244 srcip=172.24.150.115 dstip=139.59.35.216 srcport=62159 dstport=443 srcintf="port5" srcintfrole="undefined" dstintf="port4" dstintfrole="wan" proto=6 service="HTTPS" policyid=107 sessionid=3454918141 applist="block-high-risk" appcat="Proxy" app="OpenVPN" action="block" incidentserialno=798746654 msg="Proxy: OpenVPN," apprisk="elevated"
+    -->
+    <rule id="81633" level="3">
+        <if_sid>81603</if_sid>
+        <match>subtype="app-ctrl"|subtype=app-ctrl</match>
+        <action>pass</action>
+        <description>Fortigate: App passed by firewall.</description>
+        <group>pci_dss_10.6.1,gdpr_2.3,</group>
+    </rule>
+
+    <rule id="81634" level="3">
+        <if_sid>81603</if_sid>
+        <match>subtype="app-ctrl"|subtype=app-ctrl</match>
+        <action>block</action>
+        <description>Fortigate: App blocked by firewall.</description>
+        <group>firewall_drop,pci_dss_10.6.1,gdpr_2.3,</group>
     </rule>
 
+    <rule id="81635" level="3" frequency="16" timeframe="45" ignore="240">
+        <if_matched_sid>81620</if_matched_sid>
+        <same_source_ip />
+        <description>Fortigate: Multiple URL blocked from same source.</description>
+        <group>multiple_drops,pci_dss_10.6.1,gdpr_2.3,</group>
+    </rule>
+
+    <!--
+    2018 Apr 09 16:03:11 inwazuhmgr->172.0.0.1 date=2018-04-09 time=16:03:11 devname=BA-BE-BI devid=FG600C1234567890 logid="0101037141" type="event" subtype="vpn" level="notice" vd="BA-BEBI" logtime=1523269991 logdesc="IPsec tunnel statistics" msg="IPsec tunnel statistics" action="tunnel-stats" remip=1.1.1.1 locip=1.1.1.1 remport=500 locport=500 outintf="port3" cookies="c95409asssss4d44/b8a16eeeeebe269a" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="AWS-VPN-B" tunnelip=N/A tunnelid=2490314698 tunneltype="ipsec" duration=243565 sentbyte=116502517 rcvdbyte=347903642 nextstat=600
+    -->
+
+    <rule id="81636" level="1">
+        <if_sid>81603</if_sid>
+        <match>type="event" subtype="vpn" level="notice"|type=event subtype=vpn level=notice|type=event,subtype=vpn,level=notice</match>
+        <description>Fortigate: VPN related information</description>
+    </rule>
+
+    <rule id="81637" level="1">
+        <if_sid>81603</if_sid>
+        <match>type="event" subtype="vpn" level="error"|type=event subtype=vpn level=error|type=event,subtype=vpn,level=error</match>
+        <description>Fortigate: VPN related error</description>
+    </rule>
+
+<!--
+May 31 08:58:56 172.0.0.1 date=2018-05-31 time=08:58:56 devname="BA-BEBI" devid="FG600C1234567890" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="BA-BIBO" eventtime=1527737336 msg="File is infected." action="blocked" service="HTTP" sessionid=377413095 srcip=11.22.33.44 dstip=55.66.77.88 srcport=64982 dstport=80 srcintf="port5" srcintfrole="undefined" dstintf="port3" dstintfrole="wan" policyid=108 proto=6 direction="incoming" filename="FrontPageImgHandler.ashx" quarskip="File-was-not-quarantined." virus="Malware_Generic.P0" dtype="Virus" ref="http://www.fortinet.com/ve?vn=Malware_Generic.P0" virusid=7024603 url="http://www.badguys.web/FrontPageImgHandler.ashx?id=12" profile="Web-Browsing" agent="Chrome/66.0.3359.181" analyticscksum="a9165dbae34e6e2952270536e95a2bb154df61h6d95hfh6ee14b36123b" analyticssubmit="false" crscore=50 crlevel="critical"
+-->
+
+    <rule id="81638" level="5">
+        <if_sid>81603</if_sid>
+        <match>subtype=virus|subtype="virus"</match>
+        <description>Fortigate: Virus detected.</description>
+        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
+    </rule>
+
+    <rule id="81639" level="5">
+        <if_sid>81638</if_sid>
+        <action>blocked</action>
+        <description>Fortigate: Blocked URL because a virus was detected.</description>
+        <group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
+    </rule>
+
+
+
 </group>

From 9b0d3c18bb3d38f010083d9e7f381a9827963570 Mon Sep 17 00:00:00 2001
From: frgv <36547287+frgv@users.noreply.github.com>
Date: Mon, 25 Jun 2018 16:41:06 +0200
Subject: [PATCH 3/9] Added passthrough rule (Fortigate)

---
 rules/0390-fortigate_rules.xml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/rules/0390-fortigate_rules.xml b/rules/0390-fortigate_rules.xml
index d363415fd..07c75af54 100644
--- a/rules/0390-fortigate_rules.xml
+++ b/rules/0390-fortigate_rules.xml
@@ -354,6 +354,20 @@ May 31 08:58:56 172.0.0.1 date=2018-05-31 time=08:58:56 devname="BA-BEBI" devid=
         <group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
     </rule>
 
+<!--
+2018 Jun 21 00:00:35 XXX->127.0.0.1 date=2018-06-21 time=03:00:35 devname="xxx" devid="FG123341414414" logid="111111111" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="xxx" eventtime=111111111 policyid=111 sessionid=111111111 srcip=127.0.0.1 srcport=11111 srcintf="port1" srcintfrole="undefined" dstip=127.0.0.1 dstport=111 dstintf="port111" dstintfrole="undefined" proto=1 service="XXX" hostname="xxxxx.com" profile="xx" action="passthrough" reqtype="direct" url="/xxxxxxxxxxxx" sentbyte=11 rcvdbyte=111 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=50 catdesc="Information and Computer Security"
+
+NOTE: Since this rule can be noisy is set to level 0 by default.
+-->
+
+    <rule id="81640" level="1">
+        <if_sid>81603</if_sid>
+        <status>notice</status>
+        <action>passthrough</action>
+        <description>Fortigate: URL belongs to an allowed category.</description>
+        <group>pci_dss_10.6.1,</group>
+    </rule>
+
 
 
 </group>

From e8f9c9cc895c528922304b34329ac3d74219f1a9 Mon Sep 17 00:00:00 2001
From: AlfonsoRBJ <sitoruizbravo@hotmail.com>
Date: Mon, 25 Jun 2018 18:30:13 +0200
Subject: [PATCH 4/9]  GDPR groups added

GDPR groups added to the new rules.
---
 rules/0390-fortigate_rules.xml | 61 +++++++++++++++++-----------------
 1 file changed, 31 insertions(+), 30 deletions(-)

diff --git a/rules/0390-fortigate_rules.xml b/rules/0390-fortigate_rules.xml
index 07c75af54..3d776c822 100644
--- a/rules/0390-fortigate_rules.xml
+++ b/rules/0390-fortigate_rules.xml
@@ -37,14 +37,14 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <status>dpd_failure</status>
         <description>Fortigate: IP Sec DPD Failed.</description>
-        <group>firewall_drop,pci_dss_1.4,</group>
+        <group>firewall_drop,pci_dss_1.4,gdpr_IV_35.7.d,</group>
     </rule>
 
     <rule id="81605" level="7" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81604</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall drop events from same source.</description>
-        <group>multiple_drops,pci_dss_1.4,pci_dss_10.6.1,</group>
+        <group>multiple_drops,pci_dss_1.4,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
     </rule>
 
 
@@ -56,7 +56,7 @@ ID: 81600 - 80799
         <action>login</action>
         <status>failed</status>
         <description>Fortigate: Login failed.</description>
-        <group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,</group>
+        <group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
     </rule>
 
     <rule id="81607" level="7" frequency="16" timeframe="45" ignore="240">
@@ -64,7 +64,7 @@ ID: 81600 - 80799
         <same_source_ip />
         <options>alert_by_email</options>
         <description>Fortigate: Multiple failed login events from same source.</description>
-        <group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,</group>
+        <group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
     </rule>
 
 
@@ -76,12 +76,14 @@ ID: 81600 - 80799
         <match>Configuration is changed in the admin session</match>
         <options>alert_by_email</options>
         <description>Fortigate: Configuration changed.</description>
+        <group>gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
     </rule>
 
     <rule id="81609" level="8" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81608</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple changed configuration events from same source.</description>
+        <group>gdpr_IV_35.7.d,</group>
     </rule>
 
     <!--
@@ -91,7 +93,7 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <match>http_decoder: HTTP.Unknown.Tunnelling</match>
         <description>Fortigate: Default tunneling setting. Could be IPS.</description>
-        <group>pci_dss_10.6.1,</group>
+        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
     </rule>
 
     <rule id="81611" level="7" frequency="16" timeframe="45" ignore="240">
@@ -99,7 +101,7 @@ ID: 81600 - 80799
         <same_source_ip />
         <options>alert_by_email</options>
         <description>Fortigate: Multiple default tunneling setting events from same source.</description>
-        <group>pci_dss_10.6.1,</group>
+        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
     </rule>
 
     <!--
@@ -109,14 +111,14 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <action>Edit</action>
         <description>Fortigate: Firewall configuration changes</description>
-        <group>pci_dss_10.6.1,gpg13_4.13,</group>
+        <group>pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,</group>
     </rule>
 
     <rule id="81613" level="4" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81612</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall edit events from same source.</description>
-        <group>pci_dss_10.6.1,gpg13_4.13,</group>
+        <group>pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,</group>
     </rule>
 
     <!--
@@ -133,7 +135,7 @@ ID: 81600 - 80799
         <if_matched_sid>81631</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall edit events from same source.</description>
-        <group>pci_dss_1.4,ci_dss_10.6.1,gpg13_4.13,gdpr_2.3,</group>
+        <group>pci_dss_1.4,ci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,</group>
     </rule>
 
 
@@ -144,7 +146,7 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <match>ssl-login-fail</match>
         <description>Fortigate: SSL VPN User failed login attempt</description>
-        <group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,</group>
+        <group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
     </rule>
 
     <rule id="81615" level="7" frequency="16" timeframe="45" ignore="240">
@@ -152,7 +154,7 @@ ID: 81600 - 80799
         <same_source_ip />
         <options>alert_by_email</options>
         <description>Fortigate: Multiple Firewall SSL VPN failed login events from same source.</description>
-        <group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,</group>
+        <group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,</group>
     </rule>
 
     <!--
@@ -163,14 +165,14 @@ ID: 81600 - 80799
         <action>logout</action>
         <status>success</status>
         <description>Fortigate: User logout successful</description>
-        <group>pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,</group>
+        <group>pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,</group>
     </rule>
 
     <rule id="81617" level="7" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81616</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall logout events from same source.</description>
-        <group>pci_dss_10.2.5,gpg13_7.1,</group>
+        <group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,</group>
     </rule>
 
     <!--
@@ -180,7 +182,7 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <match>type=traffic|type="traffic"</match>
         <description>Fortigate: Traffic to be aware of.</description>
-        <group>pci_dss_10.6.1,</group>
+        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
     </rule>
 
     <rule id="81619" level="3" frequency="16" timeframe="45" ignore="240">
@@ -188,7 +190,7 @@ ID: 81600 - 80799
         <same_source_ip />
         <options>alert_by_email</options>
         <description>Fortigate: Multiple high traffic events from same source.</description>
-        <group>pci_dss_10.6.1,</group>
+        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
     </rule>
 
     <!--
@@ -199,14 +201,14 @@ ID: 81600 - 80799
         <status>warning</status>
         <action>blocked</action>
         <description>Fortigate: URL Blocked by Firewall.</description>
-        <group>firewall_drop,pci_dss_10.6.1,</group>
+        <group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
     </rule>
 
     <rule id="81621" level="3" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81620</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple URL blocked from same source.</description>
-        <group>multiple_drops,pci_dss_10.6.1,</group>
+        <group>multiple_drops,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
     </rule>
 
     <!--
@@ -217,14 +219,14 @@ ID: 81600 - 80799
         <match>level=information|level="information"</match>
         <action>tunnel-up</action>
         <description>Fortigate: VPN User connected.</description>
-        4.13<group>authentication_success,pci_dss_10.2.5,gpg13_7.1,</group>
+        4.13<group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,</group>
     </rule>
 
     <rule id="81623" level="4" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81622</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple vpn user connected from same source.</description>
-        <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,</group>
+        <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,</group>
     </rule>
 
     <!--
@@ -235,14 +237,14 @@ ID: 81600 - 80799
         <match>level=information|level="information"</match>
         <action>tunnel-down</action>
         <description>Fortigate: VPN User disconnected.</description>
-        <group>pci_dss_10.2.5,gpg13_7.1,</group>
+        <group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,</group>
     </rule>
 
     <rule id="81625" level="4" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81624</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple user disconnected events from same source.</description>
-        <group>pci_dss_10.2.5,gpg13_7.1,</group>
+        <group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,</group>
     </rule>
 
     <!--
@@ -254,14 +256,14 @@ ID: 81600 - 80799
         <status>success</status>
         <action>login</action>
         <description>Fortigate: User successfully logged into firewall interface.</description>
-        <group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,</group>
+        <group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,</group>
     </rule>
 
     <rule id="81627" level="4" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81626</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall login events from same source.</description>
-        <group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,</group>
+        <group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,</group>
     </rule>
 
 
@@ -275,7 +277,7 @@ ID: 81600 - 80799
         <match>attack</match>
         <action>detected</action>
         <description>Fortigate Attack Detected</description>
-        <group>attack,</group>
+        <group>attack,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
     </rule>
 
     <rule id="81629" level="3">
@@ -283,7 +285,7 @@ ID: 81600 - 80799
         <match>attack</match>
         <action>dropped</action>
         <description>Fortigate Attack Dropped</description>
-        <group>attack,</group>
+        <group>attack,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
     </rule>
 
     <rule id="81630" level="3">
@@ -291,7 +293,7 @@ ID: 81600 - 80799
         <match>attack</match>
         <action>clear_session</action>
         <description>Fortigate Attack: Session cleared.</description>
-        <group>attack,gdpr_2.4</group>
+        <group>attack,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
     </rule>
 
     <!--
@@ -302,7 +304,7 @@ ID: 81600 - 80799
         <match>subtype="app-ctrl"|subtype=app-ctrl</match>
         <action>pass</action>
         <description>Fortigate: App passed by firewall.</description>
-        <group>pci_dss_10.6.1,gdpr_2.3,</group>
+        <group>pci_dss_10.6.1,ggdpr_IV_35.7.d,</group>
     </rule>
 
     <rule id="81634" level="3">
@@ -310,14 +312,14 @@ ID: 81600 - 80799
         <match>subtype="app-ctrl"|subtype=app-ctrl</match>
         <action>block</action>
         <description>Fortigate: App blocked by firewall.</description>
-        <group>firewall_drop,pci_dss_10.6.1,gdpr_2.3,</group>
+        <group>firewall_drop,pci_dss_10.6.1,dpr_IV_35.7.d,</group>
     </rule>
 
     <rule id="81635" level="3" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81620</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple URL blocked from same source.</description>
-        <group>multiple_drops,pci_dss_10.6.1,gdpr_2.3,</group>
+        <group>multiple_drops,pci_dss_10.6.1,dpr_IV_35.7.d,</group>
     </rule>
 
     <!--
@@ -365,7 +367,6 @@ NOTE: Since this rule can be noisy is set to level 0 by default.
         <status>notice</status>
         <action>passthrough</action>
         <description>Fortigate: URL belongs to an allowed category.</description>
-        <group>pci_dss_10.6.1,</group>
     </rule>
 
 

From 01b639471cb6c0d9e25807658b12337e80736698 Mon Sep 17 00:00:00 2001
From: AlfonsoRBJ <sitoruizbravo@hotmail.com>
Date: Mon, 25 Jun 2018 18:32:26 +0200
Subject: [PATCH 5/9] Update 0390-fortigate_rules.xml

Typos fixed
---
 rules/0390-fortigate_rules.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/0390-fortigate_rules.xml b/rules/0390-fortigate_rules.xml
index 3d776c822..9000145ee 100644
--- a/rules/0390-fortigate_rules.xml
+++ b/rules/0390-fortigate_rules.xml
@@ -304,7 +304,7 @@ ID: 81600 - 80799
         <match>subtype="app-ctrl"|subtype=app-ctrl</match>
         <action>pass</action>
         <description>Fortigate: App passed by firewall.</description>
-        <group>pci_dss_10.6.1,ggdpr_IV_35.7.d,</group>
+        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
     </rule>
 
     <rule id="81634" level="3">
@@ -312,14 +312,14 @@ ID: 81600 - 80799
         <match>subtype="app-ctrl"|subtype=app-ctrl</match>
         <action>block</action>
         <description>Fortigate: App blocked by firewall.</description>
-        <group>firewall_drop,pci_dss_10.6.1,dpr_IV_35.7.d,</group>
+        <group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
     </rule>
 
     <rule id="81635" level="3" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81620</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple URL blocked from same source.</description>
-        <group>multiple_drops,pci_dss_10.6.1,dpr_IV_35.7.d,</group>
+        <group>multiple_drops,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
     </rule>
 
     <!--

From 73dbb747757154fe6ac3e59b2545e34f03860d4a Mon Sep 17 00:00:00 2001
From: AlfonsoRBJ <sitoruizbravo@hotmail.com>
Date: Tue, 28 Aug 2018 12:54:01 +0200
Subject: [PATCH 6/9] Update 0100-fortigate_decoders.xml

We have added two traffic decoders to obtain the action and level fields.
---
 decoders/0100-fortigate_decoders.xml | 35 ++++++++++++----------------
 1 file changed, 15 insertions(+), 20 deletions(-)

diff --git a/decoders/0100-fortigate_decoders.xml b/decoders/0100-fortigate_decoders.xml
index a297c821e..abbc2666a 100644
--- a/decoders/0100-fortigate_decoders.xml
+++ b/decoders/0100-fortigate_decoders.xml
@@ -32,11 +32,8 @@ Mar 24 12:19:43 date=2011-07-25 time=08: 19:42 devname=Name_of_Device device_id=
 
 <!--
 FortiOS 4.0 via syslog
-
 Feb 20 12:26:25 date=2011-02-20 time=12: 26:24 devname=Device_Name device_id=FGXXXX0000000001 log_id=9999999999 type=traffic subtype=other pri=notice status=deny vd="root" src=10.10.10.10 srcname=10.10.10.10 src_port=1111 dst=10.20.30.40 dstname=10.20.30.40 dst_port=2222 service=65535/tcp proto=6 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" vpn="N/A" src_int="Interface Name" dst_int="internal" SN=123456 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"
-
 Feb 19 22:00:07 date=2011-02-19 time=22: 00:07 devname=Device_Name device_id=FGXXXX1231231231 log_id=3213213213 type=traffic subtype=other pri=notice status=deny vd="root" src=10.10.10.1 srcname=10.10.10.1 src_port=1111 dst=10.9.8.7 dstname=10.9.8.7 dst_port=2222 service=65535/udp proto=17 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" vpn="N/A" src_int="wan1" dst_int="root" SN=333333 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"
-
 Feb 20 12:31:11 date=2011-02-20 time=12: 31:09 devname=Name_of_Device device_id=FGXXXX1000000000 log_id=8888888888 type=traffic subtype=other pri=notice status=accept vd="root" src=192.168.0.1 srcname=192.168.0.1 src_port=0 dst=192.168.254.254 dstname=192.168.254.254 dst_port=0 service=11/icmp proto=1 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" vpn="N/A" src_int="root" dst_int="N/A" SN=123412341234 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"
 -->
 <decoder name="fortigate-firewall-v4">
@@ -60,7 +57,6 @@ Feb 20 12:31:11 date=2011-02-20 time=12: 31:09 devname=Name_of_Device device_id=
 
 <!--
 date=2016-06-15 time=09:41:35 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=utm subtype=ips eventtype=signature level=alert vd="root" severity=info srcip=192.168.10.8 dstip=157.55.235.162 srcintf="internal2" dstintf="wan2" policyid=2 sessionid=1473454 action=dropped proto=6 service=tcp/20480 attack="HTTP.Unknown.Tunnelling" srcport=62216 dstport=80 direction=outgoing attackid=107347981 profile="default" ref="http://www.fortinet.com/ids/VID107347981" incidentserialno=1999871775 msg="http_decoder: HTTP.Unknown.Tunnelling,"
-
 -->
 
 <decoder name="fortigate-firewall-v5-utm-ips">
@@ -112,7 +108,6 @@ date=2016-06-15 time=09:41:35 devname=Device_Name devid=FGTXXXX9999999999 logid=
 
 <!--
 Mar 22 19:21:00 10.10.10.10 date=2016-03-22 time=19:20:46 devname=Text devid=FGT3HD0000000000 logid=0000018000 type=anomaly subtype=anomaly level=alert vd="root" severity=critical srcip=10.10.10.35 dstip=10.10.10.84 srcintf="port2" sessionid=0 action=detected proto=6 service=tcp/36875 count=1903 attack="tcp_syn_flood" srcport=32835 dstport=2960 attackid=100663396 profile="DoS-policy1" ref="http://www.fortinet.com/ids/VID100663396" msg="anomaly: tcp_syn_flood, 2001 > threshold 2000, repeats 1903 times" crscore=50 crlevel=critical
-
 Mar 22 19:21:00 10.10.10.10 date=2016-03-22 time=19:20:46 devname=Text devid=FGT3HD0000000000 logid=0000018000 type=anomaly subtype=anomaly level=alert vd="root" severity=critical srcip=10.10.10.61 dstip=10.10.10.84 srcintf="port2" sessionid=0 action=dropped proto=6 service=NONE count=9 attack="IP.Bad.Header" attackid=127 profile="N/A" ref="http://www.fortinet.com/ids/VID127" msg="anomaly: IP.Bad.Header, repeats 9 times" crscore=50 crlevel=critical
 -->
 
@@ -157,8 +152,6 @@ Mar 22 19:21:00 10.10.10.10 date=2016-03-22 time=19:20:46 devname=Text devid=FGT
 
 <!--
 date=2016-06-15 time=11:44:46 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=utm subtype=webfilter eventtype=urlfilter level=warning vd="root" urlfilteridx=3 urlfilterlist="default" policyid=2 sessionid=1563645 user="" srcip=1.2.3.11 srcport=52414 srcintf="internal2" dstip=1.5.5.92 dstport=443 dstintf="wan2" proto=6 service=HTTPS hostname="4-edge-chat.facebook.com" profile="default" action=blocked reqtype=referral url="/p?partition=-2&cb=lz1k&failure=5&sticky_token=274&sticky_pool=atn2c06_chat-proxy" sentbyte=932 rcvdbyte=0 direction=outgoing msg="URL was blocked because it is in the URL filter list" crscore=30 crlevel=high
-
-
 2016 Jun 16 00:00:00 OSSECSERVER->8.5.2.1 date=2016-06-15 time=23:57:11 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=utm subtype=webfilter eventtype=urlfilter level=warning vd="root" urlfilteridx=3 urlfilterlist="default" policyid=8 sessionid=42895 user="" srcip=2.5.8.8 srcport=57629 srcintf="internal1" dstip=13.107.4.50 dstport=80 dstintf="wan1" proto=6 service=HTTP hostname="www.download.windowsupdate.com" profile="default" action=blocked reqtype=direct url="/msdownload/update/v3/static/trustedr/en/authrootstl.cab" sentbyte=217 rcvdbyte=0 direction=outgoing msg="URL was blocked because it is in the URL filter list" crscore=30 crlevel=high
 -->
 <decoder name="fortigate-firewall-v5-utm-webfilter">
@@ -266,15 +259,10 @@ date=2016-06-15 time=11:44:46 devname=Device_Name devid=FGTXXXX9999999999 logid=
 
 <!--
 date=2016-06-16 time=09:03:03 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=event subtype=system level=information vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(4.3.5.8)" action=Edit cfgtid=2162752 cfgpath="firewall.service.custom" cfgobj="Custom-TCP_10443" cfgattr="tcp-portrange[->10443]udp-portrange[->]sctp-portrange[->]" msg="Edit firewall.service.custom Custom-TCP_10443"
-
 date=2016-06-16 time=09:03:03 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=event subtype=system level=information vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(4.3.5.8)" action=Edit cfgtid=2162751 cfgpath="firewall.service.custom" cfgobj="Custom-TCP_10443" cfgattr="protocol[TCP/UDP/SCTP->TCP/UDP/SCTP]udp-portrange[->]sctp-portrange[->]" msg="Edit firewall.service.custom Custom-TCP_10443"
-
 date=2016-06-16 time=09:03:03 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=event subtype=system level=information vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(4.3.5.8)" action=Add cfgtid=2162750 cfgpath="firewall.service.custom" cfgobj="Custom-TCP_10443" cfgattr="" msg="Add firewall.service.custom Custom-TCP_10443"
-
 date=2016-06-16 time=08:41:14 devname=Mobipay_Firewall devid=FGTXXXX9999999999 logid=0100044546 type=event subtype=system level=information vd="root" logdesc="Attribute configured" user="a@b.com.na" ui="GUI(10.42.8.253)" action=Edit cfgtid=2162733 cfgpath="log.threat-weight" cfgattr="failed-connection[low->medium]" msg="Edit log.threat-weight "
-
 date=2016-06-16 time=08:48:28 devname=Device_Name devid=FGTXXXX9999999999 logid=0100032003 type=event subtype=system level=information vd="root" logdesc="Admin logout successful" sn=1466062693 user="a@b.com.na" ui=https(4.3.5.253) action=logout status=success duration=615 state="Config-Changed" reason=exit msg="Administrator a@b.com.na logged out from https(2.3.8.1)"
-
 date=2016-06-16 time=16:22:34 devname=Mobipay_Firewall devid=FGTXXXX9999999999 logid=0100032001 type=event subtype=system level=information vd="root" logdesc="Admin login successful" sn=1466090554 user="a@b.com.na" ui=https(10.42.8.253) action=login status=success reason=none profile="super_admin" msg="Administrator a@b.com.na logged in successfully from https(10.42.8.253)"
 -->
 
@@ -338,7 +326,6 @@ date=2016-06-16 time=16:22:34 devname=Mobipay_Firewall devid=FGTXXXX9999999999 l
 
 <!--
 date=2016-06-14 time=12:22:01 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=event subtype=system level=alert vd="root" logdesc="Admin login failed" sn=0 user="gfedhf" ui=https(4.3.5.253) action=login status=failed reason="name_invalid" msg="Administrator gfedhf login failed from https(4.3.5.253) because of invalid user name"
-
 date=2016-06-17 time=02:37:41 devname=Mobipay_Firewall devid=FGTXXXX9999999999 logid=0100032002 type=event subtype=system level=alert vd="root" logdesc="Admin login failed" sn=0 user="root" ui=ssh(222.186.130.227) action=login status=failed reason="name_invalid" msg="Administrator root login failed from ssh(222.186.130.227) because of invalid user name"
 -->
 
@@ -375,13 +362,9 @@ date=2016-06-17 time=02:37:41 devname=Mobipay_Firewall devid=FGTXXXX9999999999 l
 
 <!--
 date=2016-06-15 time=10:42:31 devname=Device_Name devid=FGTXXXX9999999999 logid=9999999999 type=event subtype=vpn level=error vd="root" logdesc="IPsec DPD failed" msg="IPsec DPD failure" action=dpd remip=1.2.3.4 locip=4.3.2.1 remport=500 locport=500 outintf="wan1" cookies="fsdagfdfgfdgfdg/qwerweafasfefsd" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="BW" status=dpd_failure
-
 date=2016-06-15 time=21:35:09 devname=Device_Name devid=FGTXXXX9999999999 logid=0101039426 type=event subtype=vpn level=alert vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=2.4.6.8 tunnelip=(null) user="my_user_name" group="N/A" dst_host="N/A" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
-
 date=2016-06-16 time=08:47:00 devname=Device_Name devid=FGTXXXX9999999999 logid=0101039947 type=event subtype=vpn level=information vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" tunnelid=1050355638 remip=9.8.7.7 tunnelip=1.2.4.6 user="my_user_name" group="SSL_VPN" dst_host="N/A" reason="N/A" msg="SSL tunnel established"
-
 date=2016-06-16 time=08:49:26 devname=Device_Name devid=FGTXXXX9999999999 logid=0101039948 type=event subtype=vpn level=information vd="root" logdesc="SSL VPN tunnel down" action="tunnel-down" tunneltype="ssl-tunnel" tunnelid=1050355638 remip=5.7.8.9 tunnelip=8.4.2.1 user="my_user_name" group="SSL_VPN" dst_host="N/A" reason="N/A" duration=147 sentbyte=2284 rcvdbyte=2630 msg="SSL tunnel shutdown"
-
 <decoder name="fortigate-firewall-v5-event-vpn-fields1">
     <parent>fortigate-firewall-v5</parent>
     <prematch offset="after_parent">type=event subtype=vpn level=\S+ vd="\.+" logdesc="\.+" msg="\.+" action=</prematch>
@@ -419,7 +402,7 @@ date=2016-06-16 time=08:49:26 devname=Device_Name devid=FGTXXXX9999999999 logid=
 
 <decoder name="fortigate-firewall-v5-event-vpn-fields1">
     <parent>fortigate-firewall-v5</parent>
-    <regex offset="after_regex">\.*status="(\S+)"|\.*status=(\S+),|\.*status=(\S+) </regex>
+    <regex offset="after_regex">\.*status="(\S+)"|\.*status=(\S+),|\.*status=(\S+)</regex>
     <order>status</order>
 </decoder>
 
@@ -432,13 +415,18 @@ date=2016-06-16 time=08:49:26 devname=Device_Name devid=FGTXXXX9999999999 logid=
 
 <!--
 date=2016-06-16 time=10:19:23 devname=Device_Name devid=FGTXXXX9999999999 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=7.3.8.5 srcport=57727 srcintf="internal1" dstip=7.8.9.81 dstport=80 dstintf="wan1" poluuid=d6217c58-8c42-51e5-c3a6-c7766895cbfd sessionid=181876 proto=6 action=deny policyid=8 dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=160.242.8.82 transport=57727 service="HTTP" appid=107347980 app="Proxy.HTTP" appcat="Proxy" apprisk=critical applist="default" appact=drop-session duration=30 sentbyte=0 rcvdbyte=3042 sentpkt=0 utmaction=block countapp=1 crscore=10 craction=1048576
-
 date=2016-06-16 time=10:49:08 devname=Device_Name devid=FGTXXXX9999999999 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=4.3.5.161 srcport=51082 srcintf="internal1" dstip=54.192.197.185 dstport=80 dstintf="wan1" poluuid=d6217c58-8c42-51e5-c3a6-c7766895cbfd sessionid=199618 proto=6 action=deny policyid=8 dstcountry="United States" srccountry="Reserved" trandisp=snat transip=160.242.8.82 transport=51082 service="HTTP" appid=6 app="BitTorrent" appcat="P2P" apprisk=high applist="default" appact=drop-session duration=3 sentbyte=60 rcvdbyte=3050 sentpkt=1 utmaction=block countapp=1 crscore=5 craction=1048576
 -->
 <decoder name="fortigate-firewall-v5-traffic">
     <parent>fortigate-firewall-v5</parent>
     <prematch offset="after_parent">type=traffic|type="traffic"</prematch>
-    <regex offset="after_prematch">\.*srcip="(\S+)"|\.*srcip=(\S+),|\.*srcip=(\S+) </regex>
+    <regex offset="after_prematch">\.*level="(\S+)"|\.*level=(\S+),|\.*level=(\S+) </regex>
+    <order>level</order>
+</decoder>
+
+<decoder name="fortigate-firewall-v5-traffic">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*srcip="(\S+)"|\.*srcip=(\S+),|\.*srcip=(\S+) </regex>
     <order>srcip</order>
 </decoder>
 
@@ -460,6 +448,12 @@ date=2016-06-16 time=10:49:08 devname=Device_Name devid=FGTXXXX9999999999 logid=
     <order>dstport</order>
 </decoder>
 
+<decoder name="fortigate-firewall-v5-traffic">
+    <parent>fortigate-firewall-v5</parent>
+    <regex offset="after_regex">\.*action="(\S+)"|\.*action=(\S+),|\.*action=(\S+) </regex>
+    <order>action</order>
+</decoder>
+
 <decoder name="fortigate-firewall-v5-traffic">
     <parent>fortigate-firewall-v5</parent>
     <regex offset="after_regex">\.*appcat="(\.+)"|\.*appcat=(\.+),|\.*appcat=(\.+) </regex>
@@ -541,3 +535,4 @@ date=2018-05-31 time=08:58:56 devname="BA-RSYS-FW" devid="FG600C3912803212" logi
     <regex offset="after_regex">\.*url="(\.+)"|\.*url=(\.+),|\.*url=(\.+) </regex>
     <order>url</order>
 </decoder>
+

From 1c55c30f2d8a08be92d3be957592d7f231021885 Mon Sep 17 00:00:00 2001
From: lopezziur <lopezziur@gmail.com>
Date: Tue, 30 Jul 2019 11:24:23 +0200
Subject: [PATCH 7/9] corrected typos

---
 rules/0390-fortigate_rules.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/0390-fortigate_rules.xml b/rules/0390-fortigate_rules.xml
index 8e6ab7009..78d45943f 100644
--- a/rules/0390-fortigate_rules.xml
+++ b/rules/0390-fortigate_rules.xml
@@ -135,7 +135,7 @@ ID: 81600 - 80799
         <if_matched_sid>81631</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall edit events from same source.</description>
-        <group>pci_dss_1.4,ci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,</group>
+        <group>pci_dss_1.4,pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,</group>
     </rule>
 
 
@@ -219,7 +219,7 @@ ID: 81600 - 80799
         <match>level=information|level="information"</match>
         <action>tunnel-up</action>
         <description>Fortigate: VPN User connected.</description>
-        4.13<group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,</group>
+        <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,</group>
     </rule>
 
     <rule id="81623" level="4" frequency="18" timeframe="45" ignore="240">

From 42bd67a938bfd9ca65bd48165e47f3aa749ab457 Mon Sep 17 00:00:00 2001
From: lopezziur <lopezziur@gmail.com>
Date: Tue, 30 Jul 2019 13:23:46 +0200
Subject: [PATCH 8/9] adds HIPAA and NIST standards to the label groups

---
 rules/0390-fortigate_rules.xml | 64 +++++++++++++++++-----------------
 1 file changed, 32 insertions(+), 32 deletions(-)

diff --git a/rules/0390-fortigate_rules.xml b/rules/0390-fortigate_rules.xml
index 7844a2f84..3c35f8a1e 100644
--- a/rules/0390-fortigate_rules.xml
+++ b/rules/0390-fortigate_rules.xml
@@ -38,14 +38,14 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <status>dpd_failure</status>
         <description>Fortigate: IP Sec DPD Failed.</description>
-        <group>firewall_drop,pci_dss_1.4,gdpr_IV_35.7.d,hipaa_164.312.a.1,nist_800_53_SC.7,</group>
+        <group>firewall_drop,pci_dss_1.4,gdpr_IV_35.7.d,nist_800_53_SC.7,hipaa_164.312.a.1,</group>
     </rule>
 
     <rule id="81605" level="7" frequency="18" timeframe="45" ignore="240">
         <if_matched_sid>81604</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall drop events from same source.</description>
-        <group>multiple_drops,pci_dss_1.4,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.a.1,hipaa_164.312.b,nist_800_53_SC.7,nist_800_53_AU.6,</group>
+        <group>multiple_drops,pci_dss_1.4,pci_dss_10.6.1,gdpr_IV_35.7.d,nist_800_53_SC.7,nist_800_53_AU.6,hipaa_164.312.a.1,hipaa_164.312.b,</group>
     </rule>
 
 
@@ -57,7 +57,7 @@ ID: 81600 - 80799
         <action>login</action>
         <status>failed</status>
         <description>Fortigate: Login failed.</description>
-        <group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
+        <group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
     </rule>
 
     <rule id="81607" level="7" frequency="18" timeframe="45" ignore="240">
@@ -65,7 +65,7 @@ ID: 81600 - 80799
         <same_source_ip />
         <options>alert_by_email</options>
         <description>Fortigate: Multiple failed login events from same source.</description>
-        <group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AC.7,</group>
+        <group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
     </rule>
 
 
@@ -94,7 +94,7 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <match>http_decoder: HTTP.Unknown.Tunnelling</match>
         <description>Fortigate: Default tunneling setting. Could be IPS.</description>
-        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
+        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,nist_800_53_AU.6,hipaa_164.312.b,</group>
     </rule>
 
     <rule id="81611" level="7" frequency="18" timeframe="45" ignore="240">
@@ -102,7 +102,7 @@ ID: 81600 - 80799
         <same_source_ip />
         <options>alert_by_email</options>
         <description>Fortigate: Multiple default tunneling setting events from same source.</description>
-        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
+        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,nist_800_53_AU.6,hipaa_164.312.b,</group>
     </rule>
 
     <!--
@@ -112,14 +112,14 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <action>Edit</action>
         <description>Fortigate: Firewall configuration changes</description>
-        <group>pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
+        <group>pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_AU.6,hipaa_164.312.b,</group>
     </rule>
 
     <rule id="81613" level="4" frequency="18" timeframe="45" ignore="240">
         <if_matched_sid>81612</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall edit events from same source.</description>
-        <group>pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
+        <group>pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_AU.6,hipaa_164.312.b,</group>
     </rule>
 
     <!--
@@ -129,14 +129,14 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <action>Add</action>
         <description>Fortigate: Firewall configuration changes</description>
-        <group>pci_dss_1.4,gpg13_4.13,</group>
+        <group>pci_dss_1.4,gpg13_4.13,hipaa_164.312.a.1,</group>
     </rule>
 
     <rule id="81632" level="4" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81631</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall edit events from same source.</description>
-        <group>pci_dss_1.4,pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,</group>
+        <group>pci_dss_1.4,pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.a.1,hipaa_164.312.b,</group>
     </rule>
 
 
@@ -147,7 +147,7 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <match>ssl-login-fail</match>
         <description>Fortigate: SSL VPN User failed login attempt</description>
-        <group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
+        <group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
     </rule>
 
     <rule id="81615" level="7" frequency="18" timeframe="45" ignore="240">
@@ -155,7 +155,7 @@ ID: 81600 - 80799
         <same_source_ip />
         <options>alert_by_email</options>
         <description>Fortigate: Multiple Firewall SSL VPN failed login events from same source.</description>
-        <group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AC.7,</group>
+        <group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
     </rule>
 
     <!--
@@ -166,14 +166,14 @@ ID: 81600 - 80799
         <action>logout</action>
         <status>success</status>
         <description>Fortigate: User logout successful</description>
-        <group>pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
+        <group>pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
     </rule>
 
     <rule id="81617" level="7" frequency="18" timeframe="45" ignore="240">
         <if_matched_sid>81616</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall logout events from same source.</description>
-        <group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
+        <group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
     </rule>
 
     <!--
@@ -183,7 +183,7 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <match>type=traffic|type="traffic"</match>
         <description>Fortigate: Traffic to be aware of.</description>
-        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
+        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,nist_800_53_AU.6,hipaa_164.312.b,</group>
     </rule>
 
     <rule id="81619" level="3" frequency="18" timeframe="45" ignore="240">
@@ -191,7 +191,7 @@ ID: 81600 - 80799
         <same_source_ip />
         <options>alert_by_email</options>
         <description>Fortigate: Multiple high traffic events from same source.</description>
-        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
+        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,nist_800_53_AU.6,hipaa_164.312.b,</group>
     </rule>
 
     <!--
@@ -202,14 +202,14 @@ ID: 81600 - 80799
         <status>warning</status>
         <action>blocked</action>
         <description>Fortigate: URL Blocked by Firewall.</description>
-        <group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
+        <group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,nist_800_53_AU.6,hipaa_164.312.b,</group>
     </rule>
 
     <rule id="81621" level="3" frequency="18" timeframe="45" ignore="240">
         <if_matched_sid>81620</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple URL blocked from same source.</description>
-        <group>multiple_drops,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
+        <group>multiple_drops,pci_dss_10.6.1,gdpr_IV_35.7.d,nist_800_53_AU.6,hipaa_164.312.b,</group>
     </rule>
 
     <!--
@@ -220,14 +220,14 @@ ID: 81600 - 80799
         <match>level=information|level="information"</match>
         <action>tunnel-up</action>
         <description>Fortigate: VPN User connected.</description>
-        <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
+        <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
     </rule>
 
     <rule id="81623" level="4" frequency="18" timeframe="45" ignore="240">
         <if_matched_sid>81622</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple vpn user connected from same source.</description>
-        <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
+        <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
     </rule>
 
     <!--
@@ -238,14 +238,14 @@ ID: 81600 - 80799
         <match>level=information|level="information"</match>
         <action>tunnel-down</action>
         <description>Fortigate: VPN User disconnected.</description>
-        <group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
+        <group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
     </rule>
 
     <rule id="81625" level="4" frequency="18" timeframe="45" ignore="240">
         <if_matched_sid>81624</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple user disconnected events from same source.</description>
-        <group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
+        <group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
     </rule>
 
     <!--
@@ -257,14 +257,14 @@ ID: 81600 - 80799
         <status>success</status>
         <action>login</action>
         <description>Fortigate: User successfully logged into firewall interface.</description>
-        <group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.6,</group>
+        <group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,nist_800_53_AU.6,hipaa_164.312.b,</group>
     </rule>
 
     <rule id="81627" level="4" frequency="18" timeframe="45" ignore="240">
         <if_matched_sid>81626</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall login events from same source.</description>
-        <group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
+        <group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,nist_800_53_AU.6,hipaa_164.312.b,</group>
     </rule>
 
 
@@ -278,7 +278,7 @@ ID: 81600 - 80799
         <match>attack</match>
         <action>detected</action>
         <description>Fortigate Attack Detected</description>
-        <group>attack,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
+        <group>attack,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,</group>
     </rule>
 
     <rule id="81629" level="3">
@@ -286,7 +286,7 @@ ID: 81600 - 80799
         <match>attack</match>
         <action>dropped</action>
         <description>Fortigate Attack Dropped</description>
-        <group>attack,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
+        <group>attack,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,</group>
     </rule>
 
     <rule id="81630" level="3">
@@ -294,7 +294,7 @@ ID: 81600 - 80799
         <match>attack</match>
         <action>clear_session</action>
         <description>Fortigate Attack: Session cleared.</description>
-        <group>attack,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
+        <group>attack,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,</group>
     </rule>
 
     <!--
@@ -305,7 +305,7 @@ ID: 81600 - 80799
         <match>subtype="app-ctrl"|subtype=app-ctrl</match>
         <action>pass</action>
         <description>Fortigate: App passed by firewall.</description>
-        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
+        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,</group>
     </rule>
 
     <rule id="81634" level="3">
@@ -313,14 +313,14 @@ ID: 81600 - 80799
         <match>subtype="app-ctrl"|subtype=app-ctrl</match>
         <action>block</action>
         <description>Fortigate: App blocked by firewall.</description>
-        <group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
+        <group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,</group>
     </rule>
 
     <rule id="81635" level="3" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81620</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple URL blocked from same source.</description>
-        <group>multiple_drops,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
+        <group>multiple_drops,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,</group>
     </rule>
 
     <!--
@@ -347,14 +347,14 @@ May 31 08:58:56 172.0.0.1 date=2018-05-31 time=08:58:56 devname="BA-BEBI" devid=
         <if_sid>81603</if_sid>
         <match>subtype=virus|subtype="virus"</match>
         <description>Fortigate: Virus detected.</description>
-        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
+        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,</group>
     </rule>
 
     <rule id="81639" level="5">
         <if_sid>81638</if_sid>
         <action>blocked</action>
         <description>Fortigate: Blocked URL because a virus was detected.</description>
-        <group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
+        <group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,</group>
     </rule>
 
 <!--

From d7016282b257f00d8836471dd5f4a3641c96c4db Mon Sep 17 00:00:00 2001
From: lopezziur <lopezziur@gmail.com>
Date: Tue, 30 Jul 2019 13:58:48 +0200
Subject: [PATCH 9/9] adds HIPAA and NIST standards to the label groups

---
 rules/0390-fortigate_rules.xml | 64 +++++++++++++++++-----------------
 1 file changed, 32 insertions(+), 32 deletions(-)

diff --git a/rules/0390-fortigate_rules.xml b/rules/0390-fortigate_rules.xml
index 3c35f8a1e..b478b39ec 100644
--- a/rules/0390-fortigate_rules.xml
+++ b/rules/0390-fortigate_rules.xml
@@ -38,14 +38,14 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <status>dpd_failure</status>
         <description>Fortigate: IP Sec DPD Failed.</description>
-        <group>firewall_drop,pci_dss_1.4,gdpr_IV_35.7.d,nist_800_53_SC.7,hipaa_164.312.a.1,</group>
+        <group>firewall_drop,pci_dss_1.4,gdpr_IV_35.7.d,hipaa_164.312.a.1,nist_800_53_SC.7,</group>
     </rule>
 
     <rule id="81605" level="7" frequency="18" timeframe="45" ignore="240">
         <if_matched_sid>81604</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall drop events from same source.</description>
-        <group>multiple_drops,pci_dss_1.4,pci_dss_10.6.1,gdpr_IV_35.7.d,nist_800_53_SC.7,nist_800_53_AU.6,hipaa_164.312.a.1,hipaa_164.312.b,</group>
+        <group>multiple_drops,pci_dss_1.4,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.a.1,hipaa_164.312.b,nist_800_53_SC.7,nist_800_53_AU.6,</group>
     </rule>
 
 
@@ -57,7 +57,7 @@ ID: 81600 - 80799
         <action>login</action>
         <status>failed</status>
         <description>Fortigate: Login failed.</description>
-        <group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
+        <group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
     </rule>
 
     <rule id="81607" level="7" frequency="18" timeframe="45" ignore="240">
@@ -65,7 +65,7 @@ ID: 81600 - 80799
         <same_source_ip />
         <options>alert_by_email</options>
         <description>Fortigate: Multiple failed login events from same source.</description>
-        <group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
+        <group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AC.7,</group>
     </rule>
 
 
@@ -94,7 +94,7 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <match>http_decoder: HTTP.Unknown.Tunnelling</match>
         <description>Fortigate: Default tunneling setting. Could be IPS.</description>
-        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,nist_800_53_AU.6,hipaa_164.312.b,</group>
+        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
     </rule>
 
     <rule id="81611" level="7" frequency="18" timeframe="45" ignore="240">
@@ -102,7 +102,7 @@ ID: 81600 - 80799
         <same_source_ip />
         <options>alert_by_email</options>
         <description>Fortigate: Multiple default tunneling setting events from same source.</description>
-        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,nist_800_53_AU.6,hipaa_164.312.b,</group>
+        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
     </rule>
 
     <!--
@@ -112,14 +112,14 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <action>Edit</action>
         <description>Fortigate: Firewall configuration changes</description>
-        <group>pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_AU.6,hipaa_164.312.b,</group>
+        <group>pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
     </rule>
 
     <rule id="81613" level="4" frequency="18" timeframe="45" ignore="240">
         <if_matched_sid>81612</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall edit events from same source.</description>
-        <group>pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,nist_800_53_AU.6,hipaa_164.312.b,</group>
+        <group>pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
     </rule>
 
     <!--
@@ -129,14 +129,14 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <action>Add</action>
         <description>Fortigate: Firewall configuration changes</description>
-        <group>pci_dss_1.4,gpg13_4.13,hipaa_164.312.a.1,</group>
+        <group>pci_dss_1.4,gpg13_4.13,hipaa_164.312.a.1,nist_800_53_SC.7,</group>
     </rule>
 
     <rule id="81632" level="4" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81631</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall edit events from same source.</description>
-        <group>pci_dss_1.4,pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.a.1,hipaa_164.312.b,</group>
+        <group>pci_dss_1.4,pci_dss_10.6.1,gpg13_4.13,gdpr_IV_35.7.d,hipaa_164.312.a.1,hipaa_164.312.b,nist_800_53_SC.7,nist_800_53_AU.6,</group>
     </rule>
 
 
@@ -147,7 +147,7 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <match>ssl-login-fail</match>
         <description>Fortigate: SSL VPN User failed login attempt</description>
-        <group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
+        <group>authentication_failed,invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
     </rule>
 
     <rule id="81615" level="7" frequency="18" timeframe="45" ignore="240">
@@ -155,7 +155,7 @@ ID: 81600 - 80799
         <same_source_ip />
         <options>alert_by_email</options>
         <description>Fortigate: Multiple Firewall SSL VPN failed login events from same source.</description>
-        <group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
+        <group>authentication_failures,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AC.7,</group>
     </rule>
 
     <!--
@@ -166,14 +166,14 @@ ID: 81600 - 80799
         <action>logout</action>
         <status>success</status>
         <description>Fortigate: User logout successful</description>
-        <group>pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
+        <group>pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
     </rule>
 
     <rule id="81617" level="7" frequency="18" timeframe="45" ignore="240">
         <if_matched_sid>81616</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall logout events from same source.</description>
-        <group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
+        <group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
     </rule>
 
     <!--
@@ -183,7 +183,7 @@ ID: 81600 - 80799
         <if_sid>81603</if_sid>
         <match>type=traffic|type="traffic"</match>
         <description>Fortigate: Traffic to be aware of.</description>
-        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,nist_800_53_AU.6,hipaa_164.312.b,</group>
+        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
     </rule>
 
     <rule id="81619" level="3" frequency="18" timeframe="45" ignore="240">
@@ -191,7 +191,7 @@ ID: 81600 - 80799
         <same_source_ip />
         <options>alert_by_email</options>
         <description>Fortigate: Multiple high traffic events from same source.</description>
-        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,nist_800_53_AU.6,hipaa_164.312.b,</group>
+        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
     </rule>
 
     <!--
@@ -202,14 +202,14 @@ ID: 81600 - 80799
         <status>warning</status>
         <action>blocked</action>
         <description>Fortigate: URL Blocked by Firewall.</description>
-        <group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,nist_800_53_AU.6,hipaa_164.312.b,</group>
+        <group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
     </rule>
 
     <rule id="81621" level="3" frequency="18" timeframe="45" ignore="240">
         <if_matched_sid>81620</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple URL blocked from same source.</description>
-        <group>multiple_drops,pci_dss_10.6.1,gdpr_IV_35.7.d,nist_800_53_AU.6,hipaa_164.312.b,</group>
+        <group>multiple_drops,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
     </rule>
 
     <!--
@@ -220,14 +220,14 @@ ID: 81600 - 80799
         <match>level=information|level="information"</match>
         <action>tunnel-up</action>
         <description>Fortigate: VPN User connected.</description>
-        <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
+        <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
     </rule>
 
     <rule id="81623" level="4" frequency="18" timeframe="45" ignore="240">
         <if_matched_sid>81622</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple vpn user connected from same source.</description>
-        <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
+        <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
     </rule>
 
     <!--
@@ -238,14 +238,14 @@ ID: 81600 - 80799
         <match>level=information|level="information"</match>
         <action>tunnel-down</action>
         <description>Fortigate: VPN User disconnected.</description>
-        <group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
+        <group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
     </rule>
 
     <rule id="81625" level="4" frequency="18" timeframe="45" ignore="240">
         <if_matched_sid>81624</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple user disconnected events from same source.</description>
-        <group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,nist_800_53_AU.14,nist_800_53_AC.7,hipaa_164.312.b,</group>
+        <group>pci_dss_10.2.5,gpg13_7.1,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,</group>
     </rule>
 
     <!--
@@ -257,14 +257,14 @@ ID: 81600 - 80799
         <status>success</status>
         <action>login</action>
         <description>Fortigate: User successfully logged into firewall interface.</description>
-        <group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,nist_800_53_AU.6,hipaa_164.312.b,</group>
+        <group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.6,</group>
     </rule>
 
     <rule id="81627" level="4" frequency="18" timeframe="45" ignore="240">
         <if_matched_sid>81626</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple Firewall login events from same source.</description>
-        <group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,nist_800_53_AU.6,hipaa_164.312.b,</group>
+        <group>pci_dss_10.6.1,gpg13_7.1,gpg13_7.2,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
     </rule>
 
 
@@ -278,7 +278,7 @@ ID: 81600 - 80799
         <match>attack</match>
         <action>detected</action>
         <description>Fortigate Attack Detected</description>
-        <group>attack,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,</group>
+        <group>attack,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
     </rule>
 
     <rule id="81629" level="3">
@@ -286,7 +286,7 @@ ID: 81600 - 80799
         <match>attack</match>
         <action>dropped</action>
         <description>Fortigate Attack Dropped</description>
-        <group>attack,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,</group>
+        <group>attack,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
     </rule>
 
     <rule id="81630" level="3">
@@ -294,7 +294,7 @@ ID: 81600 - 80799
         <match>attack</match>
         <action>clear_session</action>
         <description>Fortigate Attack: Session cleared.</description>
-        <group>attack,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,</group>
+        <group>attack,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
     </rule>
 
     <!--
@@ -305,7 +305,7 @@ ID: 81600 - 80799
         <match>subtype="app-ctrl"|subtype=app-ctrl</match>
         <action>pass</action>
         <description>Fortigate: App passed by firewall.</description>
-        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,</group>
+        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
     </rule>
 
     <rule id="81634" level="3">
@@ -313,14 +313,14 @@ ID: 81600 - 80799
         <match>subtype="app-ctrl"|subtype=app-ctrl</match>
         <action>block</action>
         <description>Fortigate: App blocked by firewall.</description>
-        <group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,</group>
+        <group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
     </rule>
 
     <rule id="81635" level="3" frequency="16" timeframe="45" ignore="240">
         <if_matched_sid>81620</if_matched_sid>
         <same_source_ip />
         <description>Fortigate: Multiple URL blocked from same source.</description>
-        <group>multiple_drops,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,</group>
+        <group>multiple_drops,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
     </rule>
 
     <!--
@@ -347,14 +347,14 @@ May 31 08:58:56 172.0.0.1 date=2018-05-31 time=08:58:56 devname="BA-BEBI" devid=
         <if_sid>81603</if_sid>
         <match>subtype=virus|subtype="virus"</match>
         <description>Fortigate: Virus detected.</description>
-        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,</group>
+        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
     </rule>
 
     <rule id="81639" level="5">
         <if_sid>81638</if_sid>
         <action>blocked</action>
         <description>Fortigate: Blocked URL because a virus was detected.</description>
-        <group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,</group>
+        <group>firewall_drop,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,</group>
     </rule>
 
 <!--