Title:
How to Enrich Fortinet UTM Web Filter Logs with Username from Traffic Logs Using Session ID?
Body:
Hi everyone,
I'm working on a detection use case using Fortinet logs ingested into Elasticsearch.
Objective:
I want to detect Web Filter (UTM) events (from the fortigate.utm index) that match certain risk categories like:
- Drug Abuse
- Hacking
- Illegal or Unethical
- Extremist Groups
- Child Sexual Abuse, etc.
However, these UTM logs do not contain user identity information (like source.user.name), which only appears in traffic logs (fortigate.traffic index).
What I’ve tried:
I'm using an EQL sequence rule in Elastic Security to correlate events based on the shared field fortinet.firewall.sessionid, like this:
sequence by fortinet.firewall.sessionid with maxspan = 1h
[web where fortinet.firewall.subtype == "webfilter"
and not event.action in ("block", "blocked")
and rule.category in (
"Drug Abuse", "Hacking", "Discrimination or Unethical",
"Illegal or Unethical", "Extremist Groups", "Explicit Violence",
"Proxy Avoidance", "Plagiarism", "Child Sexual Abuse", "Terrorism")]
[network where fortinet.firewall.type == "traffic" and source.user.name != null]
The goal is to generate an alert when a web filtering event in these categories occurs and the correlated session in traffic logs contains a username.
The Issue:
Even though the sequence detects both stages correctly, the final alert only shows fields from the first stage (webfilter) and does not include the source.user.name from the traffic log.
My Questions:
- Is there a way in Elastic Security to include fields from the second stage of a sequence (e.g., source.user.name) in the generated alert?
- Is there a recommended way to enrich UTM logs with traffic log fields like username using sessionid? (e.g., transform pipelines, enrichment index, etc.)
- Would this work better with a join rule instead of sequence?
Any advice or examples from similar use cases would be really helpful. Thanks in advance!
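An added example, not part of the original post: the correlation that the EQL sequence above expresses, re-implemented in Python over constructed sample documents so the stage-1 category filter, the 1h maxspan window and the sessionid join to the traffic log's username can be checked offline. The field names are the flattened ECS/Fortinet ones from the rule; the helper names, timestamps and usernames are assumptions.

```python
from datetime import datetime, timedelta

RISK_CATEGORIES = {  # same list as the EQL rule above
    "Drug Abuse", "Hacking", "Discrimination or Unethical", "Illegal or Unethical", "Extremist Groups",
    "Explicit Violence", "Proxy Avoidance", "Plagiarism", "Child Sexual Abuse", "Terrorism",
}
MAXSPAN = timedelta(hours=1)  # the sequence's "with maxspan = 1h"

def webfilter(ts, sid, category, action="passthrough"):
    return {"@timestamp": ts, "fortinet.firewall.subtype": "webfilter",
            "fortinet.firewall.sessionid": sid, "event.action": action, "rule.category": category}
def traffic(ts, sid, user=None):  # only traffic logs carry source.user.name
    doc = {"@timestamp": ts, "fortinet.firewall.type": "traffic", "fortinet.firewall.sessionid": sid}
    return {**doc, "source.user.name": user} if user else doc

SAMPLE_EVENTS = [  # constructed documents with flattened ECS field names, not real Fortinet logs
    webfilter("2024-05-01T10:00:00Z", "1001", "Hacking"),               # stage 1 candidate
    traffic("2024-05-01T10:05:00Z", "1001", "alice"),                    # same session, in span: match
    webfilter("2024-05-01T10:10:00Z", "1002", "Drug Abuse", "blocked"),  # blocked: not stage 1
    traffic("2024-05-01T10:11:00Z", "1002", "bob"),
    webfilter("2024-05-01T11:00:00Z", "1003", "Extremist Groups"),
    traffic("2024-05-01T12:30:00Z", "1003", "carol"),                    # 90 min later: outside maxspan
    webfilter("2024-05-01T13:00:00Z", "1004", "Terrorism"),
    traffic("2024-05-01T13:01:00Z", "1004"),                             # no username: not stage 2
]

def event_time(doc):
    return datetime.strptime(doc["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")

def is_risky_webfilter(doc):  # stage 1: an allowed webfilter event in a risk category
    return (doc.get("fortinet.firewall.subtype") == "webfilter"
            and doc.get("event.action") not in ("block", "blocked")
            and doc.get("rule.category") in RISK_CATEGORIES)

def correlate(events, maxspan=MAXSPAN):
    """Stage 2 join: first later same-session traffic event with a username inside maxspan."""
    ordered = sorted(events, key=event_time)
    alerts = []
    for i, first in enumerate(ordered):
        if not is_risky_webfilter(first):
            continue
        for second in ordered[i + 1:]:
            if event_time(second) - event_time(first) > maxspan:
                break  # time-ordered, so nothing later can complete this sequence
            if (second.get("fortinet.firewall.type") == "traffic"
                    and second["fortinet.firewall.sessionid"] == first["fortinet.firewall.sessionid"]
                    and second.get("source.user.name")):
                alerts.append({**first, "source.user.name": second["source.user.name"]})  # enriched alert
                break
    return alerts
```

Running correlate(SAMPLE_EVENTS) yields one enriched alert (session 1001, user alice); the blocked, out-of-window and username-less sessions are dropped, which mirrors why the EQL rule fires only for the first case.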