New

The executive guide to generative AI

Read more

Fortinet FortiMail

edit

Version

2.13.1 (View all)

Compatible Kibana version(s)

8.3.0 or higher

Supported Serverless project types
What’s this?

Security
Observability

Subscription level
What’s this?

Basic

Level of support
What’s this?

Elastic

Overview

edit

The Fortinet FortiMail integration allows users to monitor History, System, Mail, Antispam, Antivirus, and Encryption events. FortiMail delivers advanced multi-layered protection against the full spectrum of email-borne threats. Powered by FortiGuard Labs threat intelligence and integrated into the Fortinet Security Fabric, FortiMail helps your organization prevent, detect, and respond to email-based threats including spam, phishing, malware, zero-day threats, impersonation, and Business Email Compromise (BEC) attacks.

Use the Fortinet FortiMail integration to collect and parse data from the Syslog. Then visualize that data in Kibana.

Data streams

edit

The Fortinet FortiMail integration collects one type of data stream: log.

Log helps users to keep a record of email activity and traffic including system-related events, such as system restarts and HA activity, virus detections, spam filtering results, POP3, SMTP, IMAP, and webmail events. See more details About FortiMail logging

This integration targets the six types of events as mentioned below:

  • History records all email traffic going through the FortiMail unit.
  • System records system management activities, including changes to the system configuration as well as administrator and user login and logouts.
  • Mail records mail activities.
  • Antispam records spam detection events.
  • Antivirus records virus intrusion events.
  • Encryption records detection of IBE-related events.

Requirements

edit

Elasticsearch is needed to store and search data, and Kibana is needed for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your hardware.

This module has been tested against Fortinet FortiMail version 7.2.2.

The User must have to Enable CSV format option.

Setup

edit

To collect data from Fortinet FortiMail Syslog server, follow the below steps:

edit
Fortinet FortiMail Syslog Server

Logs Reference

edit

Log

edit

This is the Log dataset.

Example

An example event for log looks as following:

{
    "@timestamp": "2013-02-25T07:01:34.000Z",
    "agent": {
        "ephemeral_id": "6e27a1ae-39ab-4632-8e9b-d6d0b7a1e56b",
        "id": "4a5f8370-e38c-43b1-9dc9-b2c1e0788c6d",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.10.2"
    },
    "data_stream": {
        "dataset": "fortinet_fortimail.log",
        "namespace": "ep",
        "type": "logs"
    },
    "destination": {
        "ip": "81.2.69.194"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "4a5f8370-e38c-43b1-9dc9-b2c1e0788c6d",
        "snapshot": false,
        "version": "8.10.2"
    },
    "email": {
        "direction": "unknown",
        "from": {
            "address": [
                "aaa@bbb.com"
            ]
        },
        "subject": "Test12345",
        "to": {
            "address": [
                "user1@example.com"
            ]
        },
        "x_mailer": "proxy"
    },
    "event": {
        "agent_id_status": "verified",
        "code": "0200025843",
        "dataset": "fortinet_fortimail.log",
        "ingested": "2023-10-03T09:51:39Z",
        "kind": "event",
        "original": "<187>date=2013-02-25,time=07:01:34,device_id=FE100C3909600504,log_id=0200025843,type=statistics,pri=information,session_id=\"r1PF1YTh025836-r1PF1YTh025836\",client_name=\"user\",dst_ip=\"81.2.69.194\",endpoint=\"\",from=\"aaa@bbb.com\",to=\"user1@example.com\",polid=\"0:1:0\",domain=\"example.com\",subject=\"Test12345\",mailer=\"proxy\",resolved=\"FAIL\",direction=\"unknown\",virus=\"\",disposition=\"Delay\",classifier=\"Session Limits\",message_length=\"199986\"",
        "outcome": "failure"
    },
    "fortinet_fortimail": {
        "log": {
            "classifier": "Session Limits",
            "client": {
                "name": "user"
            },
            "date": "2013-02-25",
            "destination_ip": "81.2.69.194",
            "device_id": "FE100C3909600504",
            "direction": "unknown",
            "disposition": "Delay",
            "domain": "example.com",
            "from": "aaa@bbb.com",
            "id": "0200025843",
            "mailer": "proxy",
            "message_length": 199986,
            "policy_id": "0:1:0",
            "priority": "information",
            "priority_number": 187,
            "resolved": "FAIL",
            "session_id": "r1PF1YTh025836-r1PF1YTh025836",
            "subject": "Test12345",
            "time": "07:01:34",
            "to": "user1@example.com",
            "type": "statistics"
        }
    },
    "input": {
        "type": "tcp"
    },
    "log": {
        "level": "information",
        "source": {
            "address": "192.168.144.4:54368"
        },
        "syslog": {
            "facility": {
                "code": 22
            },
            "priority": 187,
            "severity": {
                "code": 6
            }
        }
    },
    "observer": {
        "product": "FortiMail",
        "serial_number": "FE100C3909600504",
        "type": "firewall",
        "vendor": "Fortinet"
    },
    "related": {
        "ip": [
            "81.2.69.194"
        ],
        "user": [
            "user",
            "aaa@bbb.com",
            "user1@example.com"
        ]
    },
    "server": {
        "domain": "example.com",
        "registered_domain": "example.com",
        "top_level_domain": "com"
    },
    "source": {
        "user": {
            "name": "user"
        }
    },
    "tags": [
        "preserve_original_event",
        "preserve_duplicate_custom_fields",
        "forwarded",
        "fortinet_fortimail-log"
    ]
}
Exported fields
Field Description Type

@timestamp

Event timestamp.

date

data_stream.dataset

Data stream dataset.

constant_keyword

data_stream.namespace

Data stream namespace.

constant_keyword

data_stream.type

Data stream type.

constant_keyword

event.dataset

Event dataset.

constant_keyword

event.module

Event module.

constant_keyword

fortinet_fortimail.log.action

keyword

fortinet_fortimail.log.classifier

keyword

fortinet_fortimail.log.client.cc

keyword

fortinet_fortimail.log.client.ip

ip

fortinet_fortimail.log.client.name

keyword

fortinet_fortimail.log.date

keyword

fortinet_fortimail.log.destination_ip

ip

fortinet_fortimail.log.detail

keyword

fortinet_fortimail.log.device_id

keyword

fortinet_fortimail.log.direction

keyword

fortinet_fortimail.log.disposition

keyword

fortinet_fortimail.log.domain

keyword

fortinet_fortimail.log.endpoint

keyword

fortinet_fortimail.log.from

keyword

fortinet_fortimail.log.hfrom

keyword

fortinet_fortimail.log.id

keyword

fortinet_fortimail.log.ip

ip

fortinet_fortimail.log.mailer

keyword

fortinet_fortimail.log.message

keyword

fortinet_fortimail.log.message_id

keyword

fortinet_fortimail.log.message_length

long

fortinet_fortimail.log.module

keyword

fortinet_fortimail.log.network

keyword

fortinet_fortimail.log.notif_delay

keyword

fortinet_fortimail.log.policy_id

keyword

fortinet_fortimail.log.port

long

fortinet_fortimail.log.priority

keyword

fortinet_fortimail.log.priority_number

long

fortinet_fortimail.log.read_status

keyword

fortinet_fortimail.log.reason

keyword

fortinet_fortimail.log.recv_time

keyword

fortinet_fortimail.log.resolved

keyword

fortinet_fortimail.log.scan_time

double

fortinet_fortimail.log.sent_from

keyword

fortinet_fortimail.log.session_id

keyword

fortinet_fortimail.log.source.folder

keyword

fortinet_fortimail.log.source.ip

ip

fortinet_fortimail.log.source.type

keyword

fortinet_fortimail.log.status

keyword

fortinet_fortimail.log.sub_module

keyword

fortinet_fortimail.log.sub_type

keyword

fortinet_fortimail.log.subject

keyword

fortinet_fortimail.log.time

keyword

fortinet_fortimail.log.to

keyword

fortinet_fortimail.log.type

keyword

fortinet_fortimail.log.ui

keyword

fortinet_fortimail.log.ui_ip

ip

fortinet_fortimail.log.user

keyword

fortinet_fortimail.log.virus

keyword

fortinet_fortimail.log.xfer_time

double

input.type

Type of Filebeat input.

keyword

log.file.device_id

ID of the device containing the filesystem where the file resides.

keyword

log.file.fingerprint

The sha256 fingerprint identity of the file when fingerprinting is enabled.

keyword

log.file.idxhi

The high-order part of a unique identifier that is associated with a file. (Windows-only)

keyword

log.file.idxlo

The low-order part of a unique identifier that is associated with a file. (Windows-only)

keyword

log.file.inode

Inode number of the log file.

keyword

log.file.vol

The serial number of the volume that contains a file. (Windows-only)

keyword

log.offset

Log offset.

long

log.source.address

Source address from which the log event was read / sent from.

keyword

tags

User defined tags.

keyword

Changelog

edit
Changelog
Version Details Kibana version(s)

2.13.1

Bug fix (View pull request)
Tolerate existing event.timezone value.

8.3.0 or higher

2.13.0

Enhancement (View pull request)
Update package spec to 3.0.3.

8.3.0 or higher

2.12.2

Enhancement (View pull request)
Changed owners

8.3.0 or higher

2.12.1

Bug fix (View pull request)
Fix exclude_files pattern.

8.3.0 or higher

2.12.0

Enhancement (View pull request)
ECS version updated to 8.11.0.

8.3.0 or higher

2.11.0

Enhancement (View pull request)
Improve event.original check to avoid errors if set.

8.3.0 or higher

2.10.0

Enhancement (View pull request)
Adapt fields for changes in file system info

8.3.0 or higher

2.9.0

Enhancement (View pull request)
ECS version updated to 8.10.0.

8.3.0 or higher

2.8.0

Enhancement (View pull request)
The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added owner.type: elastic to package manifest.

8.3.0 or higher

2.7.0

Enhancement (View pull request)
Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

8.3.0 or higher

2.6.0

Enhancement (View pull request)
Handle block rule addition and removal.

8.3.0 or higher

2.5.0

Enhancement (View pull request)
Update package to ECS 8.9.0.

8.3.0 or higher

2.4.0

Enhancement (View pull request)
Ensure event.kind is correctly set for pipeline errors.

8.3.0 or higher

2.3.0

Enhancement (View pull request)
Update package to ECS 8.8.0.

8.3.0 or higher

2.2.0

Enhancement (View pull request)
Update package-spec version to 2.7.0.

8.3.0 or higher

2.1.0

Enhancement (View pull request)
Update package to ECS 8.7.0.

8.3.0 or higher

2.0.0

Enhancement (View pull request)
Replace RSA2ELK with Syslog integration.

8.3.0 or higher

1.3.1

Enhancement (View pull request)
Added categories and/or subcategories.

7.14.1 or higher
8.0.0 or higher

1.3.0

Enhancement (View pull request)
Update package to ECS 8.6.0.

7.14.1 or higher
8.0.0 or higher

1.2.0

Enhancement (View pull request)
Update package to ECS 8.5.0.

7.14.1 or higher
8.0.0 or higher

1.1.2

Bug fix (View pull request)
Remove duplicate field.

7.14.1 or higher
8.0.0 or higher

1.1.1

Enhancement (View pull request)
Use ECS geo.location definition.

7.14.1 or higher
8.0.0 or higher

1.1.0

Enhancement (View pull request)
Update Ingest Pipeline with observer Fields

7.14.1 or higher
8.0.0 or higher

1.0.0

Enhancement (View pull request)
Initial version of Fortinet FortiMail as separate package

7.14.1 or higher
8.0.0 or higher