Parser Custom "FortiSwitch"

MSY
Bronze 1

Hello everyone,
I come from years of experience with QRadar, where creating a custom parser was almost child's play...
Unfortunately, with Chronicle I am having a lot of problems...
Can you help me? Specifically, I am trying to create a custom parser for a "Forti Switch". Is there a place where I can find a base already created for custom parsers, or do you have to create them right from scratch? Thanks to anyone who will answer.

4 REPLIES

Look at the built-in list of custom parsers; you should be able to extend an existing Fortinet parser, which should be able to parse some of the data.

To add to @stefancoook1, if you're working on a custom parser for a switch, then the firewall might be a closer place to start:

See if the FortiGate will get you a good start.

Unfortunately, you might have to ingest some logs into that Log Label first so that Chronicle will populate the Default FortiGate Parser for you and then allow you to edit it. Without logs, Chronicle doesn't seem to let you touch the default parser, even to create a custom one based on that parser. It might be useful to add that as a feature request!
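What "extend the FortiGate parser" amounts to in practice is handling Fortinet's key=value record layout, which FortiSwitch shares with FortiGate. The Python below is an added example, not code from this thread or from Chronicle: it parses two constructed FortiSwitch-style syslog lines (made up here, not captured device output) and maps the fields onto a UDM-style dictionary. Chronicle's own parsers are written in its Logstash-style parser configuration language rather than Python, and the field mapping, severity table and event-type choice here are illustrative assumptions; check them against real log samples and the UDM field list before carrying any of it into a parser.

```python
import re
from typing import Any, Dict, List

# Constructed FortiSwitch-style syslog samples (made up for this example; not captured device output).
# They follow the Fortinet key=value layout that the FortiGate parser also expects.
SAMPLE_LOGS: List[str] = [
    '<189>date=2024-03-05 time=10:15:02 devname="FS-CORE-01" devid="S108EF0000000001" '
    'logid="0100032001" type="event" subtype="system" level="notice" '
    'user="admin" ui="ssh(10.0.0.5)" action="login" status="success" '
    'msg="Administrator admin logged in successfully from ssh(10.0.0.5)"',
    'date=2024-03-05 time=10:16:44 devname="FS-CORE-01" devid="S108EF0000000001" '
    'logid="0100032002" type="event" subtype="system" level="warning" '
    'user="admin" ui="https(10.0.0.9)" action="login" status="failed" '
    'msg="Login failed for user \\"admin\\" from https(10.0.0.9)"',
]

# key=value pairs: a value is either a double-quoted string (backslash escapes allowed) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
PRI_RE = re.compile(r'^<\d{1,3}>')
IP_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')

# Assumed severity mapping for the example; choose your own when writing the real parser.
SEVERITY = {'emergency': 'CRITICAL', 'alert': 'CRITICAL', 'critical': 'CRITICAL',
            'error': 'HIGH', 'warning': 'MEDIUM', 'notice': 'LOW',
            'information': 'INFORMATIONAL', 'debug': 'INFORMATIONAL'}


def parse_fortinet_kv(line: str) -> Dict[str, str]:
    """Split a Fortinet-style record into its key=value fields.

    Strips a leading syslog <PRI>, unquotes quoted values and unescapes \\" inside them.
    """
    body = PRI_RE.sub('', line).strip()
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(body):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def to_udm(fields: Dict[str, str]) -> Dict[str, Any]:
    """Map extracted fields onto a UDM-style event dict (illustrative field choices, an assumption)."""
    for required in ('date', 'time', 'logid'):
        if required not in fields:
            raise ValueError(f'missing {required}: not a Fortinet-style record')

    is_login = fields.get('action') == 'login'
    ip_match = IP_RE.search(fields.get('ui', ''))  # e.g. ui="ssh(10.0.0.5)" -> 10.0.0.5
    return {
        'metadata': {
            'event_timestamp': f"{fields['date']}T{fields['time']}",
            'event_type': 'USER_LOGIN' if is_login else 'GENERIC_EVENT',
            'product_log_id': fields['logid'],
            'product_event_type': f"{fields.get('type', '')}.{fields.get('subtype', '')}",
            'vendor_name': 'Fortinet',
            'product_name': 'FortiSwitch',
            'description': fields.get('msg', ''),
        },
        'principal': {'ip': ip_match.group(1) if ip_match else None},
        'target': {
            'hostname': fields.get('devname'),
            'asset_id': f"Fortinet:{fields['devid']}" if 'devid' in fields else None,
            'user': {'userid': fields.get('user')},
        },
        'security_result': {
            'action': {'success': 'ALLOW', 'failed': 'BLOCK'}.get(fields.get('status', ''), 'UNKNOWN_ACTION'),
            'severity': SEVERITY.get(fields.get('level', ''), 'UNKNOWN_SEVERITY'),
        },
    }


def parse_samples(lines: List[str] = SAMPLE_LOGS) -> List[Dict[str, Any]]:
    """Parse every line, skipping (and reporting) ones that are not Fortinet-style records."""
    events: List[Dict[str, Any]] = []
    for line in lines:
        try:
            events.append(to_udm(parse_fortinet_kv(line)))
        except ValueError as err:
            print(f'skipped: {err}')
    return events


if __name__ == '__main__':
    import json
    print(json.dumps(parse_samples(), indent=2))
```

The quoted-value handling is the part worth keeping in mind when you clone a parser: a naive split on spaces breaks as soon as a msg="..." value contains spaces or an escaped quote, and that is the first thing to check when the cloned parser starts dropping FortiSwitch events that the FortiGate one handled.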

You can call the Chronicle Backstory API and download a Parser without having code samples, e.g.,

DOWNLOAD_PARSER = '{}/tools/cbnParsers/{}'.format(BACKSTORY_API_V1_URL, "WINEVTLOG")

Raising feature requests via support is always encouraged, and feedback is welcome.

Hi @cmmartin_google, that is a very nice feature. Is that API still available? Would you mind sharing some updated reference about it? It's my understanding that CBN has recently been deprecated.

Thanks
