Course Objectives

After completing this course, you will be able to do the following:

• Examine how FortiSIEM determines which parsers to use
• Review parser terminology and steps to create a parser
• Identify different log types and structures
• Review basic and advanced regex patterns
• Use tools for regex validation and development
• Identify appropriate uses of global and local patterns
• Define local and global patterns
• Identify common string patterns in event logs
• Create event format recognizers
• Configure parsing instructions to extract and map data
• Build collectFieldsByRegex functions
• Build setEventAttribute functions
• Add comments to parser code
• Build conditional matching logic capabilities in parsers
• Parse and normalize date and time from logs
• Add, categorize, and query the CMDB for new parser events
• Create parsers for various log types
• Manipulate extracted strings from logs
• Perform calculations on variables or attributes
• Calculate event severity with Syslog priority values
• Use advanced functions to parse JSON logs
• Enable FortiSIEM support for logs in other languages

Pre-Requisites

You must have an understanding of the topics covered in the following courses, or have equivalent experience:

• NSE 4 FortiGate Security
• NSE 4 FortiGate Infrastructure
• NSE 5 FortiSIEM

It is also recommended that you have knowledge of programming languages and regular expressions.