
User Guide

String Functions

These functions perform operations on strings.

  1. replaceStringByRegex

  2. replaceStrInStr

  3. splitJsonEvent

  4. trimAttribute

replaceStringByRegex

Description: This function replaces each portion of a string that matches a regular expression with another string.

Syntax:

<setEventAttribute attr="Arg4">
         replaceStringByRegex ($Arg1,Arg2,Arg3)
</setEventAttribute>

Arg1: Variable storing the string to be converted.

Arg2: Regular expression matching the portions to be replaced (to be specified within double quotes).

Arg3: Replacement String (to be specified within double quotes).

Arg4: Variable storing Arg1 after replacement.

Note: Variable can be a local variable or a FortiSIEM event attribute.

Example:

<setEventAttribute attr="eventType">
          replaceStringByRegex($_eventType, "\s+", "_")
</setEventAttribute>

Input:

_eventType: Event Type 124 456

Output:

eventType: Event_Type_123_456

replaceStrInStr

Description: This function replaces each occurrence of a specific (literal) string with another string. This is a simpler version of the replaceStringByRegex function: Arg2 is matched as plain text, not as a regular expression.

Syntax:

<setEventAttribute attr="Arg4">
         replaceStrInStr ($Arg1,Arg2,Arg3)
</setEventAttribute>

Arg1: Variable storing the string to be converted.

Arg2: String to be replaced (to be specified within double quotes).

Arg3: Replacement String (to be specified within double quotes).

Arg4: Variable storing Arg1 after replacement.

Note: Variable can be a local variable or a FortiSIEM event attribute.

Example:

<setEventAttribute attr="computer">
        replaceStrInStr($_computer, "$", "")
</setEventAttribute>

Input:

_computer: host$

Output:

computer: host
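To make the difference between the two replace functions concrete, here is a small Python model of replaceStringByRegex and replaceStrInStr, added as an example and not FortiSIEM's own code. It uses Python's re module in place of FortiSIEM's regex engine (an assumption; for the simple patterns on this page the behaviour is the same) and runs the page's two inputs through both functions. The point it shows: the "$" that replaceStrInStr removes literally is an end-of-string anchor in replaceStringByRegex and removes nothing unless escaped, and a literal replace cannot collapse a run of whitespace the way "\s+" does.

```python
import re


def replace_string_by_regex(value: str, pattern: str, replacement: str) -> str:
    """Model of replaceStringByRegex: every match of the regular expression
    is replaced. Python's re module stands in for FortiSIEM's regex engine
    (assumption: same behaviour for the simple patterns used here)."""
    return re.sub(pattern, replacement, value)


def replace_str_in_str(value: str, needle: str, replacement: str) -> str:
    """Model of replaceStrInStr: every literal occurrence of needle is
    replaced; regex metacharacters in needle have no special meaning."""
    return value.replace(needle, replacement)


def regex_for_literal(text: str) -> str:
    """Escape a literal so replaceStringByRegex treats it as plain text."""
    return re.escape(text)


def demo() -> dict:
    """Run the page's two inputs through both functions and return the results."""
    return {
        # page example 1: collapse each run of whitespace to one underscore
        "regex_ws": replace_string_by_regex("Event Type 124 456", r"\s+", "_"),
        # a literal replace cannot collapse a run: every space becomes its own underscore
        "literal_ws": replace_str_in_str("Event  Type", " ", "_"),
        # page example 2: strip a trailing "$" with the literal function
        "literal_dollar": replace_str_in_str("host$", "$", ""),
        # the same "$" given to the regex function is an end-of-string anchor:
        # it matches the empty string at the end, so nothing is removed
        "regex_dollar_unescaped": replace_string_by_regex("host$", "$", ""),
        # escaped, it is a literal again and the trailing "$" is removed
        "regex_dollar_escaped": replace_string_by_regex("host$", regex_for_literal("$"), ""),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} {value!r}")
```

When a parser needs to remove a character that is a regex metacharacter, replaceStrInStr is the safer choice; if replaceStringByRegex must be used, escape the character in Arg2 (for example "\$").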

splitJsonEvent

Description: This function splits one event whose body contains a JSON array of events into one new event per array element.

Syntax:

<setEventAttribute attr="_resultCount">
           splitJsonEvent($Arg1,Arg2,Arg3, Arg4, Arg5)
</setEventAttribute>

Arg1: Variable storing the string to be split: a JSON array containing multiple events.

Arg2: JSON selector (same syntax as the key in collectAndSetAttrByJSON) that selects the array to be split.

Arg3: Prefix to be prepended to the extracted string (typically the syslog header).

Arg4: Suffix to be appended to the extracted string.

Arg5: "True" or "False" (case insensitive): whether to drop the input event (Arg1) after splitting.

Example:

<setEventAttribute attr="_resultCount">
           splitJsonEvent($_body, "params.events", "", "", "true")
</setEventAttribute>

Suppose _body (Arg1) is

{
  "jsonrpc": "2.0",
  "method": "addEvents",
  "params": {
    "events": [
      {
        "computer_name": " fc-win7-example ",
        "computer_fqdn": "fc-win7-example",
        "computer_ip": "10.10.10.11",
        "computer_id": "59a1604e60369e06733f8abb",
        "product_installed": "BEST",
        "malware_type": "file",
        "malware_name": "EICAR-Test-File (not a virus)",
        "file_path": "C:\\eicar0000001.txt",
        "hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71",
        "final_status": "deleted",
        "timestamp": "2017-09-08T12:01:36.000Z",
        "companyId": "62a92960315a119dbe0b0246",
        "module": "av",
        "_testEvent_": true
      },
      {
        "computer_name": " fc-win8-example ",
        "computer_fqdn": " fc-win8-example ",
        "computer_ip": "10.10.10.12",
        "computer_id": "59a1604e60369e06733f8abb",
        "product_installed": "BEST",
        "malware_type": "file",
        "malware_name": "EICAR-Test-File (not a virus)",
        "file_path": "C:\\eicar0000001.txt",
        "hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71",
        "final_status": "deleted",
        "timestamp": "2017-09-08T12:01:36.000Z",
        "companyId": "62a92960315a119dbe0b0246",
        "module": "av",
        "_testEvent_": true
      },
      {
        "computer_name": " fc-win9-example",
        "computer_fqdn": "fc-win9-example",
        "computer_ip": "10.10.10.13",
        "computer_id": "59a1604e60369e06733f8abb",
        "product_installed": "BEST",
        "malware_type": "file",
        "malware_name": "EICAR-Test-File (not a virus)",
        "file_path": "C:\\eicar0000001.txt",
        "hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71",
        "final_status": "deleted",
        "timestamp": "2017-09-08T12:01:36.000Z",
        "companyId": "62a92960315a119dbe0b0246",
        "module": "av",
        "_testEvent_": true
      }
    ]
  },
  "id": 1660923455412
}

Because Arg5 is "true", FortiSIEM drops this event and sends 3 new events (Event 1, Event 2, Event 3), which are extracted from it:

Event 1:

{
        "computer_name": " fc-win7-example ",
        "computer_fqdn": "fc-win7-example",
        "computer_ip": "10.10.10.11",
        "computer_id": "59a1604e60369e06733f8abb",
        "product_installed": "BEST",
        "malware_type": "file",
        "malware_name": "EICAR-Test-File (not a virus)",
        "file_path": "C:\\eicar0000001.txt",
        "hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71",
        "final_status": "deleted",
        "timestamp": "2017-09-08T12:01:36.000Z",
        "companyId": "62a92960315a119dbe0b0246",
        "module": "av",
        "_testEvent_": true
    }

Event 2:

{
        "computer_name": " fc-win8-example ",
        "computer_fqdn": " fc-win8-example ",
        "computer_ip": "10.10.10.12",
        "computer_id": "59a1604e60369e06733f8abb",
        "product_installed": "BEST",
        "malware_type": "file",
        "malware_name": "EICAR-Test-File (not a virus)",
        "file_path": "C:\\eicar0000001.txt",
        "hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71",
        "final_status": "deleted",
        "timestamp": "2017-09-08T12:01:36.000Z",
        "companyId": "62a92960315a119dbe0b0246",
        "module": "av",
        "_testEvent_": true
      }

Event 3:

{
        "computer_name": " fc-win9-example",
        "computer_fqdn": "fc-win9-example",
        "computer_ip": "10.10.10.13",
        "computer_id": "59a1604e60369e06733f8abb",
        "product_installed": "BEST",
        "malware_type": "file",
        "malware_name": "EICAR-Test-File (not a virus)",
        "file_path": "C:\\eicar0000001.txt",
        "hash": "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71",
        "final_status": "deleted",
        "timestamp": "2017-09-08T12:01:36.000Z",
        "companyId": "62a92960315a119dbe0b0246",
        "module": "av",
        "_testEvent_": true
      }
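The following Python model of splitJsonEvent is an added example, not FortiSIEM's own implementation. It walks the dotted selector ("params.events") to the array, serialises each element as its own event string with the prefix and suffix applied, parses Arg5 case-insensitively, and returns the count that the parser stores in _resultCount. The sample body is a constructed, shortened version of the page's _body (three events, a few fields each). The page does not say what FortiSIEM does when the selector does not resolve to an array; the model's choice to raise an error there is an assumption.

```python
import json
from typing import Any, List, Tuple

# Constructed sample body: the shape of the page's _body, trimmed to a few fields per event.
SAMPLE_BODY = json.dumps({
    "jsonrpc": "2.0",
    "method": "addEvents",
    "params": {
        "events": [
            {"computer_name": " fc-win7-example ", "computer_ip": "10.10.10.11", "final_status": "deleted"},
            {"computer_name": " fc-win8-example ", "computer_ip": "10.10.10.12", "final_status": "deleted"},
            {"computer_name": " fc-win9-example", "computer_ip": "10.10.10.13", "final_status": "deleted"},
        ]
    },
    "id": 1660923455412,
})


def select_json(doc: Any, selector: str) -> Any:
    """Walk a dotted selector such as "params.events" through nested objects."""
    node = doc
    for key in selector.split("."):
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"selector {selector!r} does not resolve at {key!r}")
        node = node[key]
    return node


def split_json_event(body: str, selector: str, prefix: str, suffix: str,
                     drop_input: str) -> Tuple[int, List[str], bool]:
    """Model of splitJsonEvent.

    Returns (_resultCount, list of new event strings, keep_input), where
    keep_input is False when Arg5 says to drop the input event. A selector
    that does not return an array raises (assumption: the page does not
    specify FortiSIEM's behaviour in that case)."""
    flag = drop_input.strip().lower()          # Arg5 is case insensitive
    if flag not in ("true", "false"):
        raise ValueError(f"Arg5 must be True or False, got {drop_input!r}")
    doc = json.loads(body)
    array = select_json(doc, selector)
    if not isinstance(array, list):
        raise ValueError(f"selector {selector!r} returned {type(array).__name__}, not an array")
    # each element becomes its own event: prefix (e.g. a syslog header) + JSON + suffix
    events = [prefix + json.dumps(item) + suffix for item in array]
    return len(events), events, flag == "false"


def selector_is_array(body: str, selector: str) -> bool:
    """Pre-check a selector against a body without splitting anything."""
    try:
        return isinstance(select_json(json.loads(body), selector), list)
    except KeyError:
        return False


if __name__ == "__main__":
    # the page's call: no prefix, no suffix, drop the input event
    count, events, keep = split_json_event(SAMPLE_BODY, "params.events", "", "", "true")
    print(f"_resultCount={count} keep_input={keep}")
    for i, ev in enumerate(events, 1):
        print(f"Event {i}: {ev}")
    # the same split with a constructed syslog-style header as Arg3
    _, with_header, _ = split_json_event(SAMPLE_BODY, "params.events",
                                         "<14>Sep  8 12:01:36 example-host collector: ", "", "false")
    print(with_header[0])
```

Arg3 is where the syslog header goes so that each extracted event still carries the reporting host and timestamp the rest of the parser expects; with Arg3 and Arg4 empty, the new event is exactly the JSON element, as in the page's Event 1 to Event 3.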

trimAttribute

Description: This function trims the specified characters from the beginning and the end of a given string.

Syntax:

 <setEventAttribute attr="Arg3">
      trimAttribute($Arg1,Arg2)
</setEventAttribute>

Arg1: Variable storing the input string.

Arg2: Characters to be trimmed (to be specified within double quotes); any character in this set is removed from either end of the string.

Arg3: Variable storing the string after trim operation.

Note: Variable can be a local variable or a FortiSIEM event attribute.

Example:

<setEventAttribute attr="destName">
    trimAttribute($destName, "./")
</setEventAttribute>

Input:

destName: .example.com/

Output:

destName: example.com
