What Changed
Both the base (ASimAuthenticationFortinetFortigate) and filtering (vimAuthenticationFortinetFortigate) ASIM Authentication parsers for Fortinet FortiGate have been updated to version 0.1.1.
Two substantive logic changes were made:
Event type expansion – Login and Logout event selection now uses Activity in (…) instead of Activity ==, broadening coverage to two additional Activity strings, one of which appears in both lists:
- LogoutEvents: now includes “event:system success” in addition to “system event logout”
- LoginEvents: now includes “event:system failed” and “event:system success” in addition to “system event login”
Primary filter pivot – Both parsers now filter first on DeviceAction (== “login” / == “logout”) before checking Activity, making the classification more robust against variations in the Activity string.
Parser Impact
- Schema: ASIM Authentication (imAuthentication / vimAuthentication)
- Source table: CommonSecurityLog (CEF/Syslog ingestion from FortiGate)
- Data fidelity gap closed: FortiGate logs using the event:system failed and event:system success Activity strings were previously dropped entirely – they matched neither “system event login” nor “system event logout”. Any brute-force attempts, credential stuffing, or failed admin logins logged under event:system failed were invisible to detections using imAuthentication against FortiGate data.
- No field renames or schema field additions – existing detections referencing normalized fields (EventResult, TargetUsername, SrcIpAddr, etc.) are unaffected and do not need updates.
- event:system success dual classification – note that event:system success now appears in both the LogoutEvents and LoginEvents sets. Because DeviceAction is checked first, a given row lands in exactly one of them: DeviceAction == “login” yields a successful logon, DeviceAction == “logout” a logoff. Downstream detections should not infer event type from the Activity string alone; the same Activity value can represent either a logon or a logoff depending on DeviceAction.
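To make the two logic changes and the dual-classification caveat concrete, the following Python models the event-type selection before and after 0.1.1 and runs it over a handful of constructed CommonSecurityLog-like rows. This is an added illustration, not the parser's KQL: the column names DeviceAction, Activity, SourceIP and DestinationUserName are real CommonSecurityLog columns, but the sample rows are made up, and the mapping to EventResult (Activity containing “failed” means Failure) and to SrcIpAddr / TargetUsername is assumed for the model rather than taken from the parser.

```python
from collections import Counter

# Activity strings named in the changelog, before and after 0.1.1.
LOGIN_OLD = {"system event login"}
LOGOUT_OLD = {"system event logout"}
LOGIN_NEW = {"system event login", "event:system failed", "event:system success"}
LOGOUT_NEW = {"system event logout", "event:system success"}

# Constructed CommonSecurityLog-like rows (not real FortiGate output). Only the
# columns needed by the selection logic and the toy detection below are present.
SAMPLE_ROWS = [
    {"DeviceAction": "login",  "Activity": "system event login",   "SourceIP": "10.0.0.5",     "DestinationUserName": "admin"},
    {"DeviceAction": "login",  "Activity": "event:system failed",  "SourceIP": "198.51.100.7", "DestinationUserName": "admin"},
    {"DeviceAction": "login",  "Activity": "event:system failed",  "SourceIP": "198.51.100.7", "DestinationUserName": "admin"},
    {"DeviceAction": "login",  "Activity": "event:system failed",  "SourceIP": "198.51.100.7", "DestinationUserName": "admin"},
    {"DeviceAction": "login",  "Activity": "event:system success", "SourceIP": "198.51.100.7", "DestinationUserName": "admin"},
    {"DeviceAction": "logout", "Activity": "event:system success", "SourceIP": "10.0.0.5",     "DestinationUserName": "admin"},
    {"DeviceAction": "logout", "Activity": "system event logout",  "SourceIP": "10.0.0.5",     "DestinationUserName": "admin"},
]


def classify_pre_011(row):
    """Pre-0.1.1 selection: the Activity string alone decides (Activity ==)."""
    if row["Activity"] in LOGIN_OLD:
        return "Logon"
    if row["Activity"] in LOGOUT_OLD:
        return "Logoff"
    return None  # row matched neither list and was dropped by the parser


def classify_011(row):
    """0.1.1 selection: DeviceAction is the primary filter, then Activity in (...).
    Because DeviceAction is tested first, 'event:system success' lands in exactly
    one of the two branches even though it is a member of both sets."""
    if row["DeviceAction"] == "login" and row["Activity"] in LOGIN_NEW:
        return "Logon"
    if row["DeviceAction"] == "logout" and row["Activity"] in LOGOUT_NEW:
        return "Logoff"
    return None


def normalize(rows, classify):
    """Project the selected rows onto a few ASIM Authentication fields.
    The EventResult rule (Activity containing 'failed' -> Failure) and the
    SrcIpAddr / TargetUsername mapping are assumptions of this model."""
    events = []
    for row in rows:
        event_type = classify(row)
        if event_type is None:
            continue
        events.append({
            "EventType": event_type,
            "EventResult": "Failure" if "failed" in row["Activity"] else "Success",
            "SrcIpAddr": row["SourceIP"],
            "TargetUsername": row["DestinationUserName"],
        })
    return events


def failed_logons_by_source(events, threshold=3):
    """Toy brute-force detection over normalized events: source addresses with
    at least `threshold` failed logons. Returns {SrcIpAddr: count}."""
    counts = Counter(
        e["SrcIpAddr"] for e in events
        if e["EventType"] == "Logon" and e["EventResult"] == "Failure"
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for label, classify in (("pre-0.1.1", classify_pre_011), ("0.1.1", classify_011)):
        events = normalize(SAMPLE_ROWS, classify)
        print(f"{label}: kept {len(events)} of {len(SAMPLE_ROWS)} rows, "
              f"brute-force alerts: {failed_logons_by_source(events)}")
```

Under the old selection only the two “system event …” rows survive and the three failed admin logons from 198.51.100.7 never reach the detection; under 0.1.1 all seven rows are kept and the same detection fires. The two “event:system success” rows show the caveat above: identical Activity, but one is a Logon and the other a Logoff because DeviceAction differs.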
Affected Files
Parsers/ASimAuthentication/ARM/ASimAuthenticationFortinetFortigate/ASimAuthenticationFortinetFortigate.json
Parsers/ASimAuthentication/ARM/vimAuthenticationFortinetFortigate/vimAuthenticationFortinetFortigate.json
Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationFortinetFortigate.md
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationFortinetFortigate.md
Parsers/ASimAuthentication/Parsers/ASimAuthenticationFortinetFortigate.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationFortinetFortigate.yaml