Map files for Fortinet
Thanks for the map files Eric!
I am starting to build use cases and trying to learn what our Fortinet events actually mean within ArcSight. I cannot find any documentation from Fortinet or on the web describing what each device action or device event class ID means. So, I created a query to filter on each unique device action. The fields I included were message, device event class ID, name, and device severity. I then noticed that there were only five device severity categories in my query. I wanted to start at a high level to begin use cases, so I am working on filtering down on the device severity, which is NOTICE, INFORMATION, WARNING, ALERT and ERROR.
Please let me know if you have any suggestions or documents explaining Fortinet events for Fortigate and Fortiweb logs. I will be happy to share my ideas as they come. Also, how did you come up with the mappings in your attached zip file?
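The inventory described above (distinct device action / event class ID / severity combinations) can also be built directly from raw FortiGate syslog, outside ArcSight. This is an added example, not code from the thread or from the attached map files; the log lines are constructed samples, the logid values are placeholders, and the action-to-categoryOutcome table is a hypothetical mapping, not the one in the zip.

```python
import re
from collections import Counter

# Constructed FortiGate-style syslog lines in key=value form (sample data for this example;
# logid values are illustrative placeholders, not a statement about real FortiGate IDs).
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:01 logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.0.5 dstip=203.0.113.9 action="deny"',
    'date=2024-01-01 time=10:00:02 logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.0.6 dstip=203.0.113.9 action="accept"',
    'date=2024-01-01 time=10:00:03 logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.0.7 dstip=203.0.113.9 action="deny"',
    'date=2024-01-01 time=10:00:04 logid="0211008192" type="utm" subtype="virus" level="warning" srcip=10.0.0.5 action="blocked" virus="EICAR_TEST_FILE"',
    'date=2024-01-01 time=10:00:05 logid="0419016384" type="utm" subtype="ips" level="alert" srcip=198.51.100.4 action="dropped" attack="Test.Signature"',
    'date=2024-01-01 time=10:00:06 logid="0100032001" type="event" subtype="system" level="information" user="admin" action="login" status="success"',
    'date=2024-01-01 time=10:00:07 logid="0100022010" type="event" subtype="system" level="error" msg="Disk usage critical"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate(line):
    """Split one FortiGate log line into a dict of field name -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def action_inventory(lines):
    """Count distinct (logid, type, subtype, action, level) tuples. This is the same view the
    ArcSight query gives over deviceEventClassId / deviceAction / deviceSeverity."""
    counts = Counter()
    for line in lines:
        f = parse_fortigate(line)
        counts[(f.get("logid"), f.get("type"), f.get("subtype"), f.get("action", "-"), f.get("level"))] += 1
    return counts


def severity_levels(lines):
    """Distinct FortiGate 'level' values seen (what ArcSight shows as deviceSeverity)."""
    return sorted({parse_fortigate(line)["level"] for line in lines})


# Hypothetical action -> ArcSight categoryOutcome table (assumption for illustration only).
OUTCOME = {"accept": "/Success", "login": "/Success",
           "deny": "/Failure", "blocked": "/Failure", "dropped": "/Failure"}


def category_outcome(fields):
    """Return the outcome category for a parsed event; unmapped actions stay empty,
    which is exactly the gap a connector map file has to fill."""
    return OUTCOME.get(fields.get("action"), "")


if __name__ == "__main__":
    for key, n in sorted(action_inventory(SAMPLE_LOGS).items(), key=lambda kv: -kv[1]):
        print(n, key)
```

Running it over a day of real syslog gives the list of (logid, action, level) tuples that still need a categorization rule, which is a good starting point for the map file.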
The only doc I found was on Fortinet's website describing each message, but I don't know if it's up to date.
How do I apply it to ArcSight? I have events from Fortigate, but I cannot use them in the ArcSight Express Firewall use cases because the use case relies on category properties like /Firewall, /Access, /Success, and in my events all category fields are empty.
Hi, my map files are for correcting the categorization; you should have categorization already. If not, then your connector is not configured properly.
Categorization for Fortigate events works at the connector, but not for all events. How do I apply your solution to the connector to provide correct categorization?