Fortinet FortiAnalyzer

The IBM® QRadar® Fortinet FortiAnalyzer content extension adds custom properties, reports, and saved searches for Fortinet FortiAnalyzer.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Fortinet FortiAnalyzer Content Extension 1.4.1

The following table shows the changed custom properties in IBM Security QRadar Fortinet FortiAnalyzer Content Extension 1.4.1.

Table 1. IBM Security QRadar Fortinet FortiAnalyzer Content Extension 1.4.1
Name                  Optimized  Capture Group  Regex
Application           Yes        1              \bapp="([^"]*)";
Application Category  Yes        1              \bapp_?cat="([^"]*)";

IBM Security QRadar Fortinet FortiAnalyzer Content Extension 1.4.0

The following table shows the changed custom properties in IBM Security QRadar Fortinet FortiAnalyzer Content Extension 1.4.0. Optimized indicates whether the property is extracted when the event is parsed and stored with it, which is what makes it usable in rules and fast to search, rather than extracted at search time. Capture Group is the regex group whose value becomes the property; every property in this table uses group 1.

Table 2. IBM Security QRadar Fortinet FortiAnalyzer Content Extension 1.4.0
Name                        Optimized  Capture Group  Regex
Action                      Yes        1              \baction="([^"]*)"
Active Sessions             Yes        1              \btotalsession=(\d+)
Application                 No         1              \bapp="([^"]*)"
Application Category        No         1              \bapp_?cat="([^"]*)"
Application Type            Yes        1              \bapp_?type="([^"]*)"
BytesReceived               Yes        1              \brcvd(?:byte)?=(\d+)
BytesSent                   Yes        1              \bsent(?:byte)?=(\d+)
Category Description        Yes        1              \bcat_?desc="([^"]*)"
CPU_Usage                   Yes        1              \bcpu=(\d+)
Destination Country         No         1              \bdstcountry="(.*?)"
Destination Interface       Yes        1              \bdst_?intf?="([^"]*)"
Destination Interface Role  No         1              \bdstintfrole="([^"]*)"
Duration_Seconds            No         1              \bduration=(\d+)
Filename                    Yes        1              \bfilename="([^"]*)"
Hostname                    Yes        1              \bhostname="([^"]*)"
Level                       No         1              \blevel="([^"]*)"
Memory Usage                Yes        1              \bmem=(\d+)
Message                     No         1              \bmsg="([^"]*)"
Packets Received            No         1              \brcvdpkt=(\d+)
Packets Sent                No         1              \bsentpkt=(\d+)
Policy ID                   No         1              \bpolicyid=(\d+)
Policy Name                 Yes        1              \bpolicyname="(.*?)"
Service                     No         1              \bservice="([^"]*)"
Session Number              No         1              \bsessionid=(\d+)
Source Country              No         1              \bsrccountry="(.*?)"
Source Interface            No         1              \bsrc_?intf?="([^"]*)"
Source Interface Role       No         1              \bsrcintfrole="([^"]*)"
Status                      Yes        1              \bstatus="([^"]*)"
Subtype                     Yes        1              \bsubtype="([^"]*)"
Threat Name                 Yes        1              \bvirus="([^"]*)"
Threat Score                No         1              \bcrscore=(\d+)
Threat Severity             No         1              \bcrlevel="([^"]*)"
Threat Type                 No         1              \bcraction=(\d+)
Type                        No         1              \btype="([^"]*)"
URL                         Yes        1              \burl="([^"]*)"
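The 1.4.0 regexes can be checked against sample events before the extension is installed, and again after a DSM update changes field names. The following Python script is an added example; it is not part of the content extension or of this documentation. It applies a subset of the capture-group-1 regexes from Table 2 to two FortiGate events written for this example (a traffic log and a webfilter UTM log, not captured from a device) and shows what the leading \b in each pattern buys: Action is taken from action="..." and not from utmaction="..." or craction=..., and Type is taken from type="..." and not from subtype="..." or eventtype="...". The functions extract, lookalike_keys and unanchored, and all sample lines and values, are inventions of this example.

```python
import re

# Subset of the capture-group-1 regexes from the 1.4.0 table above.
PROPERTIES = {
    "Action": r'\baction="([^"]*)"',
    "Active Sessions": r"\btotalsession=(\d+)",
    "Application": r'\bapp="([^"]*)"',
    "Application Category": r'\bapp_?cat="([^"]*)"',
    "BytesReceived": r"\brcvd(?:byte)?=(\d+)",
    "BytesSent": r"\bsent(?:byte)?=(\d+)",
    "Destination Interface": r'\bdst_?intf?="([^"]*)"',
    "Duration_Seconds": r"\bduration=(\d+)",
    "Hostname": r'\bhostname="([^"]*)"',
    "Policy ID": r"\bpolicyid=(\d+)",
    "Policy Name": r'\bpolicyname="(.*?)"',
    "Service": r'\bservice="([^"]*)"',
    "Session Number": r"\bsessionid=(\d+)",
    "Source Interface": r'\bsrc_?intf?="([^"]*)"',
    "Subtype": r'\bsubtype="([^"]*)"',
    "Threat Name": r'\bvirus="([^"]*)"',
    "Threat Score": r"\bcrscore=(\d+)",
    "Type": r'\btype="([^"]*)"',
    "URL": r'\burl="([^"]*)"',
}
COMPILED = {name: re.compile(rx) for name, rx in PROPERTIES.items()}

# Constructed sample events in FortiOS key=value syslog format. They were
# written for this example, not captured from a device; all values are made up.
TRAFFIC_LINE = (
    'date=2024-01-15 time=10:22:31 devname="FGT-EDGE-01" devid="FGT60FTK00000000" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.1.2.33 srcport=51234 srcintf="port1" srcintfrole="lan" '
    'dstip=203.0.113.10 dstport=443 dstintf="port2" dstintfrole="wan" '
    'sessionid=8912345 proto=6 action="accept" policyid=7 policyname="LAN to WAN" '
    'service="HTTPS" duration=120 sentbyte=4821 rcvdbyte=19344 sentpkt=22 rcvdpkt=31 '
    'app="HTTPS.BROWSER" appcat="Web.Client"'
)
WEBFILTER_LINE = (
    'date=2024-01-15 time=10:23:02 devname="FGT-EDGE-01" devid="FGT60FTK00000000" '
    'logid="0316013056" type="utm" subtype="webfilter" eventtype="urlfilter" '
    'level="warning" vd="root" policyid=7 sessionid=8912399 srcip=10.1.2.33 '
    'srcport=51240 srcintf="port1" dstip=198.51.100.7 dstport=443 dstintf="port2" '
    'proto=6 service="HTTPS" hostname="malware.example" url="/payload.exe" '
    'action="blocked" cat=26 catdesc="Malicious Websites" crscore=30 '
    'craction=4194304 crlevel="high"'
)
# Constructed fragment in which two look-alike keys precede the real one.
FRAGMENT = 'utmaction="block" craction=4194304 action="blocked"'

# Every key=value field name in an event; used only to list look-alike keys.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z_]+)=")


def extract(line):
    """Apply each property regex to one event the way QRadar evaluates a
    custom property: capture group 1 of the first match, or None if absent."""
    result = {}
    for name, rx in COMPILED.items():
        m = rx.search(line)
        result[name] = m.group(1) if m else None
    return result


def lookalike_keys(line, key):
    """Field names in `line` that end with `key` but are not `key` itself:
    the fields that the leading \\b stops the property regex from matching."""
    return sorted({k for k in KEY_RE.findall(line) if k != key and k.endswith(key)})


def unanchored(line, key):
    """The same quoted-value pattern without the leading \\b, for comparison."""
    m = re.search(key + r'="([^"]*)"', line)
    return m.group(1) if m else None


if __name__ == "__main__":
    for label, line in (("traffic", TRAFFIC_LINE), ("webfilter", WEBFILTER_LINE)):
        print(label)
        for name, value in extract(line).items():
            if value is not None:
                print(f"  {name}: {value}")
    print("look-alikes for action:", lookalike_keys(FRAGMENT, "action"))
    print("anchored:", extract(FRAGMENT)["Action"],
          "unanchored:", unanchored(FRAGMENT, "action"))
```

A property that comes back None on a sample event either does not occur in that event type (URL on a traffic log, for example) or has changed spelling, which is the case to look for after a DSM update. The [^"]* form also captures values that contain spaces whole, such as policyname="LAN to WAN", which the 1.1.0 patterns that stopped at the next space could not.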

IBM Security QRadar Fortinet FortiAnalyzer Content Extension 1.3.2

The Action custom property was assigned a new ID. Delete any existing Action custom properties before you upgrade to 1.3.2.

The owner of the Policy custom property was set to admin.

IBM Security QRadar Fortinet FortiAnalyzer Content Extension 1.3.1

The following table shows the changed custom properties in IBM Security QRadar Fortinet FortiAnalyzer Content Extension 1.3.1.

Table 3. Changed Custom Properties in IBM Security QRadar Fortinet FortiAnalyzer Content Extension 1.3.1
Name Optimized
Action Yes
Duration_Seconds Yes
URL Yes

The following custom property was renamed.

Table 4. Renamed Custom Properties in IBM Security QRadar Fortinet FortiAnalyzer Content Extension 1.3.1
Name Renamed to
Virus Name Threat Name


IBM Security QRadar Fortinet FortiAnalyzer Content Extension 1.3.0

The following table describes the changes that are included in IBM QRadar Fortinet FortiAnalyzer Content Extension 1.3.0.

Table 5. Change list for the Fortinet FortiAnalyzer content extension 1.3.0
Type Name Description
Saved search All Blocked Web Sites by URL Rating Added aggregated function (min).
Saved search Antivirus Actions per Violation Type Enclosed field names in double quotation marks.
Saved search Top Active Web Users Converted to basic search.
Saved search Top Allowed Applications v4 User Agency Converted to basic search.
Saved search Top Allowed Categories v4 Converted to basic search.
Saved search Top Allowed Web Sites By URL Rating Added aggregated function (min).
Saved search Top Allowed Web Sites v4 User Agency Converted to basic search.
Saved search Top Applications Enclosed field names in double quotation marks.
Saved search Top Applications by Type Added "Application Type" is not NULL to the where clause.
Saved search Top Applications by Type v4 User Agency Converted to basic search. Added Application Type != 'N/A' to filter.
Saved search Top Blocked Categories v4 Converted to basic search.
Saved search Top Blocked Web Sites Converted to basic search.
Saved search Top Infected Files for Most Common Destinations Enclosed field names in double quotation marks.
Saved search Top Services by Volume Added aggregated function (sum).
Saved search Top Sources by Volume Added aggregated function (sum).
Saved search Top Virus Sources per Device Enclosed field names in double quotation marks.
Saved search Top Virus Sources per Interface Enclosed field names in double quotation marks.
Saved search Top Web Destinations by Volume Enclosed field names in double quotation marks. Added HH:mm:ss to the date format.
Saved search Top Web Servers by Volume Added aggregated function (sum).
Saved search Web Volume by Time Removed the non-aggregated field and the unused destination IP field. Added HH:mm:ss to the date format.
Report Fortigate - Agency User Request - top Applications by Type Replaced the Top Applications chart with the Top Applications by Type chart.
Report Fortigate - Operational Report - Initiated from Internet Removed this report.
Custom Property Fortinet Action Renamed Action.
Custom Property Fortinate App Control Renamed Application.
Custom Property Fortinet App Control Renamed Application Category.
Custom Property Application Control Application Removed this custom property.
Custom Property Fortinet Application Type Renamed Application Type and updated the regex to:

[\t,]{1}(?:apptype|app_type)=("{0,1})([\w\/\-.]+)\1

Custom Property Fortinet BytesReceived Renamed BytesReceived.
Custom Property Fortinet BytesSent Renamed BytesSent.
Custom Property Fortinet Category Description Renamed Category Description.
Custom Property Fortinet Destination Interface Renamed Destination Interface and updated the regex to:

(?:dst_int|dstintf)=("{0,1})([\w\-\/]+)\1

Custom Property Fortinet Device Name Renamed Device Name.
Custom Property Fortinet Hostname Removed this custom property.
Custom Property Hostname FortiGate Removed this custom property.
Custom Property Fortinet Policy ID Removed this custom property.
Custom Property Fortinet Service Renamed Service and updated the regex to:

service="([\w\-\/()+& ]+)" AND service=([\w\-\/()+&]+)[\t ,]{1}

Custom Property Fortinet Session Number Renamed Session Number and updated the regex to:

(SN|sessionid)=(\d+)

Custom Property Fortinet Site Renamed Hostname.
Custom Property Fortinet Source Interface Renamed Source Interface and updated the regex to:

(?:src_int|srcintf)=("{0,1})([\w\-\/]+)\1

Custom Property Fortinet Status Renamed Status and updated the regex to:

status=("{0,1})([\w\_\-]+)\1

Custom Property Fortinet Subtype Renamed Subtype and updated the regex to:

subtype=("{0,1})([\w\-\_]+)\1

Custom Property Fortinet Type Renamed Type and updated the regex to:

([\t ,])type=("{0,1})([\w\-]+)\2

Custom Property Fortinet URL Renamed URL.
Custom Property VirusName Updated the regex to:

([\t ,])virus=(["]{0,1})(.*?)\2\1


IBM Security QRadar Fortinet FortiAnalyzer Content Extension 1.2.0

The following table describes the changes that are included in IBM QRadar Fortinet FortiAnalyzer Content Extension 1.2.0.

In the following saved searches, LOGSOURCETYPENAME(logsourceid) in the search parameters was replaced with LOGSOURCETYPENAME(devicetype) so that all FortiGate devices return results as expected. LOGSOURCETYPENAME() resolves a log source type ID, which an event carries in its devicetype field; logsourceid identifies an individual log source, so the old expression compared the type name against the wrong identifier.

  • FortiGate - Top Blocked Applications
  • FortiGate - Antivirus Actions per Violation Type
  • FortiGate - Memory Usage by Time Period
  • FortiGate - Top Active Web Users
  • FortiGate - Active Firewall Sessions by Time Period
  • FortiGate - Top Applications by Type
  • FortiGate - Top Destinations by Volume
  • FortiGate - Top Infected Files for Most Common Destinations
  • FortiGate - Top Infected Files for Most Common Sources
  • FortiGate - Top Requested Web Pages
  • FortiGate - Top Services by Volume
  • FortiGate - Top Services by Volume per Traffic Destination
  • FortiGate - Top Sources by Volume
  • FortiGate - Top Users by Application
  • FortiGate - Top Viruses for Common Sources
  • FortiGate - Top Viruses for Most Common Destinations
  • FortiGate - Top Web Servers by Volume
  • FortiGate - Traffic Volume by Destination Interface
  • FortiGate - CPU Usage by Time Period
  • FortiGate - Top Web Sites for Most Active Users

The following saved searches contained invalid AQL syntax that prevented the search from completing; the syntax was corrected:

  • FortiGate - All Blocked Web Sites by URL Rating
  • FortiGate - top Allowed Web Sites By URL Rating

Table 6. Changed custom properties in the Fortinet FortiAnalyzer content extension 1.2.0
Type Name Description
Custom Property hostname Updated the regex to:

hostname=["]{0,1}([A-Za-z0-9\-]*\.(.*?))["]{0,1}[\t ]{1}

Custom Property Application Control Application Updated the regex to:

app(\=["]{0,1}(.*?)["]{0,1}[ ,])

Custom Property Action Updated the regex to:

((action=|status=)["]{0,1}(.*?))["]{0,1}[ \t,] /* [ \t,]


IBM Security QRadar Fortinet FortiAnalyzer Content Extension 1.1.0

The following saved searches were added in IBM Security QRadar:

  • Fortigate - Active Firewall Sessions by Time Period
  • Fortigate - All Blocked Web Sites by URL Rating
  • Fortigate - Antivirus Actions per Violation Type
  • Fortigate - CPU Usage by Time Period
  • Fortigate - Memory Usage by Time Period
  • Fortigate - Top Active Web Users
  • Fortigate - Top Allowed Applications v4 User Agency
  • Fortigate - Top Allowed Categories v4
  • Fortigate - Top Allowed Web Sites By URL Rating
  • Fortigate - Top Allowed Web Sites v4 User Agency
  • Fortigate - Top Applications
  • Fortigate - Top Applications by Type
  • Fortigate - Top Applications by Type v4 User Agency
  • Fortigate - Top Blocked Applications
  • Fortigate - Top Blocked Categories v4
  • Fortigate - Top Blocked Web Sites
  • Fortigate - Top Destinations by Volume
  • Fortigate - Top Infected Files for Most Common Destinations
  • Fortigate - Top Infected Files for Most Common Sources
  • Fortigate - Top Requested Web Pages
  • Fortigate - Top Services by Volume
  • Fortigate - Top Services by Volume per Traffic Destination
  • Fortigate - Top Sources by Volume
  • Fortigate - Top Users by Application
  • Fortigate - Top Virus Sources
  • Fortigate - Top Virus Sources per Interface
  • Fortigate - Top Viruses for Common Sources
  • Fortigate - Top Viruses for Most Common Destinations
  • Fortigate - Top Web Destinations by Volume
  • Fortigate - Top Web Servers by Volume
  • Fortigate - Top Web Sites for Most Active Users
  • Fortigate - Traffic Volume by Destination Interface
  • Fortigate - Web Volume by Time

The following table shows the custom properties that were added in IBM Security QRadar:

Table 7. Custom properties added in IBM Security QRadar Fortinet FortiAnalyzer Content Extension 1.1.0
Custom Property Regex
Active Sessions totalsession=([0-9]+)
Application Control Application app(\=(.*?)\ )
CPU Usage cpu=([0-9]+)
Duration_Seconds duration=(\d+)
Filename filename=([^\s]+)
Fortinet Action (action=| status=)(.*?)\
Fortinet App Control app=(\"(.*?)\")
Fortinet Application Category (appcat="| app_cat=")(.*?)\"
Fortinet Application Type (apptype="| app_type=")(.*?)\"
Fortinet Bytes Received ( rcvd=| rcvdbyte=)(.*?)\
Fortinet Bytes Sent ( sent=| sentbyte=)(.*?)\
Fortinet Category Description (catdesc="|cat_desc=")(.*?)\"
Fortinet Destination Interface ( dst_int="| dstintf=")(\w*)\"
Fortinet Device Name devname=((\w(\-)?)*)
Fortinet Hostname hostname=(\"(.*?)\")
Fortinet Policy ID policyid(\=(.*?)\ )
Fortinet Service service(\=(.*?)\ )
Fortinet Session Number (SN=|sessionid=)(.*?)\
Fortinet Site hostname=(\"[A-Za-z\-]*\.(.*?)\")
Fortinet Source Interface (src_int="|srcintf=")(\w*)\"
Fortinet Status status(\=(.*?)\ )
Fortinet Subtype subtype(\=(.*?)\ )
Fortinet Type type(\=(.*?)\ )
Fortinet URL url=(\"(.*?)\")
Hostname FortiGate hostname=(\"(.*?)\")
Memory Usage mem=([0-9]+)
Policy policyid=(\d+)

The following reports were added in IBM Security QRadar:

  • Fortigate - Agency User Request - Allowed Web Sites
  • Fortigate - Agency User Request - Blocked Web Sites
  • Fortigate - Agency User Request - Category
  • Fortigate - Agency User Request - Top Allowed Applications
  • Fortigate - Agency User Request - Top Applications by Type
  • Fortigate - Agency User Request - Web Volume
  • Fortigate - Monthly - Personal Relationships
  • Fortigate - Monthly Status - Hardware Stats
  • Fortigate - Monthly Status - Traffic Volume
  • Fortigate - Monthly Status - Web Filter
  • Fortigate - Operational Report - Application Control
  • Fortigate - Operational Report - Initiated from Inside - Sites
  • Fortigate - Operational Report - Initiated from Inside - Sources and Dests
  • Fortigate - Operational Report - Initiated from Internet
  • Fortigate - Operational Report - Malicious Web Sites
  • Fortigate - Operational Report - Top Virus Destinations
  • Fortigate - Operational Report - Top Virus Sources
