Skip to content

feat(data_library): add FortiGate security-enrichment kv samples#246

Open
chelseawright7 wants to merge 1 commit into
observIQ:mainfrom
chelseawright7:add-fortigate-enrichment-samples
Open

feat(data_library): add FortiGate security-enrichment kv samples#246
chelseawright7 wants to merge 1 commit into
observIQ:mainfrom
chelseawright7:add-fortigate-enrichment-samples

Conversation

@chelseawright7

Copy link
Copy Markdown

What

Adds 5 FortiGate key=value event records to data_library/fortinet/fortigate.log that exercise the MITRE ATT&CK enrichment conditions in the enrich-fortigate-security-logs Bindplane blueprint:

Record type/subtype/action Signal
Admin login success event/system/login status=success Valid Accounts (T1078)
Firewall policy change event/system/Edit cfgpath=firewall.policy Impair Defenses (T1562)
SSL-VPN login failure event/vpn/ssl-login-fail Brute Force (T1110)
Admin login failure event/system/login status=failed Brute Force (T1110)
VPN tunnel established event/vpn/tunnel-up External Remote Services (T1133)

Why

The existing FortiGate samples don't carry status/cfgpath/VPN fields, so none of them trigger the blueprint's enrichment logic. These records give the blueprint realistic inputs that fire each enrichment path.

Verified

Each record was run through the rendered blueprint (transform agent); all five produce the correct security_signal + MITRE attributes. OTTL ParseKeyValue parses the double-quoted values (e.g. msg="SSL VPN login failed") natively.

Add 5 FortiGate key=value event records that exercise MITRE ATT&CK
enrichment conditions (admin login success/failure, firewall policy
change, SSL-VPN login failure, VPN tunnel establishment) used by the
enrich-fortigate-security-logs blueprint. ParseKeyValue handles the
double-quoted values natively.
@chelseawright7 chelseawright7 requested review from a team as code owners July 3, 2026 12:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant