fortigate vpn auth logs config changes

cyences_app_for_splunk/default/data/ui/views/cs_asset_intelligence.xml

@@ -339,7 +339,7 @@
         <search>
           <query>| tstats `cs_summariesonly_authentication` values(Authentication.src) as src_ip from datamodel=Cyences_Authentication where Authentication.dest_category="vpn_auth" AND $tkn_filter_authentication$ AND `cs_vpn_indexes` by _time Authentication.action Authentication.user span=1s | rename Authentication.* as *
         | iplocation src_ip
-        | eval Country = if(isnull(Country) OR Country="", "Unknown", Country)
+        | eval Country = if(isnull(Country) OR Country="", "Unknown", Country), action = if(action="added", "success", action)
         | eval City = if(isnull(City) OR City="", "Unknown", City) | fields _time user action src_ip City Country
         | rename user as User, action as Status, src_ip as "SourceIP"
         | sort - _time</query>

cyences_app_for_splunk/default/data/ui/views/cs_vpn_reports.xml

@@ -8,6 +8,7 @@
     <query>
       | tstats `cs_summariesonly_authentication` values(Authentication.src) as src_ip from datamodel=Cyences_Authentication where Authentication.dest_category="vpn_auth" AND `cs_vpn_indexes` by _time Authentication.action Authentication.user Authentication.dest span=1s
       | rename Authentication.* as *
+      | eval action=if(action="added", "success", action)
     </query>
     <earliest>$time.earliest$</earliest>
     <latest>$time.latest$</latest>
@@ -231,7 +232,7 @@
       <table>
         <title>Successful Session</title>
         <search>
-          <query>`cs_vpn_indexes` dest_category="vpn_auth" action="success" user IN $User$ dest=$tkn_dest$ src=$tkn_public_ip$ 
+          <query>`cs_vpn_indexes` dest_category="vpn_auth" action IN ("success", "added") user IN $User$ dest=$tkn_dest$ src=$tkn_public_ip$ 
 | fields _time dest user action private_ip src City Country
 | eval private_ip = if(private_ip="0.0.0.0", null(), private_ip) 
 | fillnull value="Unknown" private_ip

cyences_app_for_splunk/default/eventtypes.conf

@@ -30,14 +30,14 @@ search = sourcetype="pan:system" object="RSA_Radius" dest_category="radius_auth"
 #####################
 ### Fortigate VPN ###
 #####################
-[cs_fortigate_vpn_auth]
-search = sourcetype IN ("fgt_event", "fortigate_event") subtype="vpn" vendor_action IN ("negotiate", "ssl-login-fail")
+[cs_fortigate_vpn_login]
+search = sourcetype IN ("fgt_event", "fortigate_event") subtype="vpn" AND ((vendor_action="tunnel-up" AND reason="login successfully") OR vendor_action="ssl-login-fail")
 
-[cs_fortigate_vpn_start]
-search = sourcetype IN ("fgt_event", "fortigate_event") subtype="vpn" vendor_action IN("tunnel-up", "install_sa", "ssl-new-con", "ssl-web-pass") 
+[cs_fortigate_vpn_connected]
+search = sourcetype IN ("fgt_event", "fortigate_event") subtype="vpn" vendor_action IN ("tunnel-up") reason="login successfully"
 
-[cs_fortigate_vpn_end]
-search = sourcetype IN ("fgt_event", "fortigate_event") ((subtype=vpn AND vendor_action IN("tunnel-down", "delete_ipsec_sa", "ssl-web-close")) OR (logid=0107045061 AND connection_type="sslvpn"))
+[cs_fortigate_vpn_logout]
+search = sourcetype IN ("fgt_event", "fortigate_event") subtype="vpn" vendor_action IN ("tunnel-down") logdesc="SSL VPN tunnel down"
 
 
 #################

cyences_app_for_splunk/default/macros.conf

@@ -611,7 +611,7 @@ iseval = 0
 
 [cs_current_week_login_count_vpn]
 definition = eval main_event="1" \
-| append [ | tstats count, values(Authentication.org_country) as org_country from datamodel=Cyences_Authentication where Authentication.dest_category="vpn_auth" AND Authentication.action="success" AND Authentication.user!="unknown" AND `cs_public_ips(Authentication.src)` AND earliest="@w" latest="@d" by Authentication.app, Authentication.user, Authentication.src \
+| append [ | tstats count, values(Authentication.org_country) as org_country from datamodel=Cyences_Authentication where Authentication.dest_category="vpn_auth" AND Authentication.action IN ("success", "added") AND Authentication.user!="unknown" AND `cs_public_ips(Authentication.src)` AND earliest="@w" latest="@d" by Authentication.app, Authentication.user, Authentication.src \
 | `cs_drop_dm_object_name(Authentication)` \
 | iplocation src \
 | eval Country = if(isnotnull(org_country), org_country, Country) \

cyences_app_for_splunk/default/props.conf

@@ -210,13 +210,13 @@ EXTRACT-src_ip_for_radius = \sfrom \'(?<src_ip>[^\']+)\',
 
 [fgt_event]
 # fgt_event for old Fortigate Add-on (1.6.2)
-EVAL-dest_category = if(subtype="vpn" AND vendor_action IN ("negotiate", "ssl-login-fail"), "vpn_auth", dest_category)
+EVAL-dest_category = if(subtype="vpn" AND ((vendor_action="tunnel-up" AND reason="login successfully") OR vendor_action="ssl-login-fail"), "vpn_auth", dest_category)
 
 
 [fortigate_event]
 # fortigate_event for the new Fortigate Add-on (1.6.5)
-EVAL-dest_category = if(subtype="vpn" AND vendor_action IN ("negotiate", "ssl-login-fail"), "vpn_auth", dest_category)
-# Note - eval action is not working because Fortigate Add-on's lookup is overriding the action field, hence we need to make changes in the data-model definition
+EVAL-dest_category = if(subtype="vpn" AND ((vendor_action="tunnel-up" AND reason="login successfully") OR vendor_action="ssl-login-fail"), "vpn_auth", dest_category)
+# Note - eval action is not working because Fortigate Add-on's lookup is overriding the action field, hence we need to make changes in the data-model & dashboard queries
 # action field update in the Authentication data-model -> case(sourcetype="fgt_event" AND subtype="vpn" AND vendor_action IN ("tunnel-up", "phase2-up"), "success", sourcetype="fgt_event" AND subtype="vpn" AND vendor_action="ssl-login-fail", "failure", isnull(action) OR action="", "unknown", 1==1, action)
 
 

cyences_app_for_splunk/default/savedsearches.conf

@@ -5786,7 +5786,7 @@ display.page.search.tab = statistics
 display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = | tstats `cs_summariesonly_authentication` count from datamodel=Cyences_Authentication where Authentication.dest_category="vpn_auth" AND Authentication.action="success" AND `cs_public_ips(Authentication.src)` by Authentication.app, Authentication.user, Authentication.src, Authentication.dest, _time \
+search = | tstats `cs_summariesonly_authentication` count from datamodel=Cyences_Authentication where Authentication.dest_category="vpn_auth" AND Authentication.action IN ("success", "added") AND `cs_public_ips(Authentication.src)` by Authentication.app, Authentication.action, Authentication.user, Authentication.src, Authentication.dest, _time \
 | `cs_drop_dm_object_name(Authentication)` \
 | eval user = lower(user) \
 | iplocation src \
@@ -5798,11 +5798,11 @@ search = | tstats `cs_summariesonly_authentication` count from datamodel=Cyences
 | `cs_authentication_successful_vpn_login_from_unusual_country_filter`
 action.cyences_notable_event_action = 1
 action.cyences_notable_event_action.param.filter_macro_name = cs_authentication_successful_vpn_login_from_unusual_country_filter
-action.cyences_notable_event_action.contributing_events = index=* `cs_vpn_indexes` tag=authentication action="success" dest_category="vpn_auth" `cs_public_ips(src)` | iplocation src | `cs_country_login_percentage`
+action.cyences_notable_event_action.contributing_events = index=* `cs_vpn_indexes` tag=authentication action IN ("success", "added") dest_category="vpn_auth" `cs_public_ips(src)` | iplocation src | `cs_country_login_percentage`
 action.cyences_notable_event_action.system_compromised_search = | stats count by dest
-action.cyences_notable_event_action.system_compromised_drilldown = index=* `cs_vpn_indexes` dest=$row.dest$ tag=authentication action="success" dest_category="vpn_auth" `cs_public_ips(src)` | iplocation src | `cs_country_login_percentage`
+action.cyences_notable_event_action.system_compromised_drilldown = index=* `cs_vpn_indexes` dest=$row.dest$ tag=authentication action IN ("success", "added") dest_category="vpn_auth" `cs_public_ips(src)` | iplocation src | `cs_country_login_percentage`
 action.cyences_notable_event_action.attacker_search = | stats count by user
-action.cyences_notable_event_action.attacker_drilldown = index=* `cs_vpn_indexes` user=$row.user$ tag=authentication action="success" dest_category="vpn_auth" `cs_public_ips(src)` | iplocation src | `cs_country_login_percentage`
+action.cyences_notable_event_action.attacker_drilldown = index=* `cs_vpn_indexes` user=$row.user$ tag=authentication action IN ("success", "added") dest_category="vpn_auth" `cs_public_ips(src)` | iplocation src | `cs_country_login_percentage`
 action.cyences_send_email_action = 1
 action.cyences_notable_event_action.products = VPN
 action.cyences_notable_event_action.teams = SOC, Compliance

cyences_app_for_splunk/default/tags.conf

@@ -39,17 +39,17 @@ end = enabled
 #####################
 ### Fortigate VPN ###
 #####################
-[eventtype=cs_fortigate_vpn_auth]
+[eventtype=cs_fortigate_vpn_login]
 authentication = enabled
 vpn = enabled
 
-[eventtype=cs_fortigate_vpn_start]
+[eventtype=cs_fortigate_vpn_connected]
 vpn = enabled
 network = enabled
 session = enabled
 start = enabled
 
-[eventtype=cs_fortigate_vpn_end]
+[eventtype=cs_fortigate_vpn_logout]
 vpn = enabled
 network = enabled
 session = enabled