fortinet/fortimail

VendorFortinet Inc.
AuthorCrowdStrike
Version1.0.0
Minimum LogScale Version1.82.0

Fortinet FortiMail logs provide information on network email activity that help identify security issues such as viruses detected within an email. FortiMail units can log many different email activities and traffic, including:

  • system-related events, such as system restarts and HA activity

  • virus detections

  • spam filtering results

  • POP3, SMTP, IMAP and webmail events

Using FortiMail with LogScale enables users to correlate email and user activity data in LogScale, correlate data with Office365 logs, and identify and update a list of suspicious activities. This provides additional value, particularly if FortiGate is already set up to ingest into LogScale and user's pipelines are set up with FortiNet Analyzer.

Breaking Changes

This update includes parser changes, which means that data ingested after upgrade will not be backwards compatible with logs ingested with the previous version.

Updating to version 1.0.0 or newer will therefore result in issues with existing queries in for example dashboards or alerts created prior to this version.

See CrowdStrike Parsing Standard (CPS) 1.0 for more details on the new parser schema.

Follow the CPS Migration to update your queries to use the fields and tags that are available in data parsed with version 1.0.0.

Installing the Package in LogScale

Find the repository where you want to send the FortiMail events, or Creating a Repository or View.

  1. Navigate to your repository in the LogScale interface, click Settings and then Packages on the left.

  2. Click Marketplace and install the LogScale package for FortiMail (i.e. fortimail).

  3. When the package has finished installing, click Ingest tokens on the left (still under the Settings menu).

  4. In the right panel, click + Add Token to create a new token. Give the token an appropriate name (e.g. the name of the server the token is ingesting logs for), and either leave the parser unassigned (instead of setting the parser in the log collector configuration later on), or assign the fortinet-fortimail parser.

    Before leaving this page, view the ingest token and copy it to your clipboard — to save it temporarily elsewhere.

Configurations and Sending the Logs to LogScale

First you need to configure FortiGate to send all logs types to the syslog server.

Next, configure the Falcon LogScale Collector to ship the logs from your syslog server into LogScale. Follow LogScale Collector Install LogScale Collector and Configure LogScale Collector. LogScale Collector documentation also provides an example of how you can configure your syslog datasource.

Verify Data is Arriving in LogScale

Once you have completed the above steps the FortiMail data should be arriving in your LogScale repository.

You can verify this by doing a simple search for #Vendor = "fortinet" | #event.module = "fortimail" to see the events.