
Fixing integration url.full missing from fortigate #18185

Open

qcorporation wants to merge 4 commits into main from fix/issue-14463-fortigate-integration-url-full-missi-j62

Conversation

@qcorporation (Contributor)

Proposed commit message

Populate url.full when the individual URL components (url.scheme, url.domain, url.path, url.query) are present but url.full is missing. This enables detection rules like Threat Indicator URL Match that rely on url.full for indicator comparison.

WHAT:

  • Added 4 processors to utm.yml: infer url.scheme from network.protocol, copy url.full from fortinet.firewall.url when it's already a full URL, and assemble url.full from parts (with and without query string).
  • Added the same 2 assembly processors to default.yml as a fallback for non-UTM log types.
  • Declared url.full in ecs.yml so static field validation passes.
  • Added 2 pipeline test lines to test-fortinet-7-4.log exercising the with-query and without-query assembly paths, using documented logid=1059028704 (LOGID_APP_CTRL_IPS_PASS) and real field values from the FortiOS 7.4 Log Message Reference.

WHY:

Fortigate logs parse url.domain, url.path, and url.scheme individually but never assembled url.full. The Elastic detection rule "Threat Indicator URL Match" compares indicators against url.full, so FortiGate events were invisible to that rule. The approach follows the same pattern the issue reporter validated in their custom pipeline.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices.

Related issues
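To make the behaviour of the proposed processors concrete, here is an added Python model of the four ingest `set` processors the PR describes, run over constructed FortiGate-style events. This is example code written for this page, not the PR's pipeline or the fortinet_fortigate package's code. The two assembly conditions mirror the processor conditions quoted in the review below (scheme, domain and path present, url.full absent, query present or absent); the scheme-inference and copy-from-fortinet.firewall.url conditions are assumptions, since the PR only describes those processors in prose. All field values in the samples are made up.

```python
# Added example: a Python model of the url.full processors described in the PR.
# Not the integration's pipeline code. Conditions for infer_scheme and
# copy_full_url are assumed; the two assembly conditions follow the review.
import copy
from typing import Any, Optional


def get(event: dict, dotted: str) -> Any:
    """Read a dotted field the way ctx?.a?.b does: None when any step is missing."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def put(event: dict, dotted: str, value: Any) -> None:
    """Write a dotted field, creating intermediate objects like a set processor does."""
    parts = dotted.split(".")
    cur = event
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def infer_scheme(event: dict) -> None:
    # Assumed condition: only http/https network.protocol values map to url.scheme.
    proto = get(event, "network.protocol")
    if get(event, "url.scheme") is None and proto in ("http", "https"):
        put(event, "url.scheme", proto)


def copy_full_url(event: dict) -> None:
    # Assumed check: the raw field counts as a full URL when it carries "://".
    raw = get(event, "fortinet.firewall.url")
    if get(event, "url.full") is None and isinstance(raw, str) and "://" in raw:
        put(event, "url.full", raw)


def set_url_full_with_query(event: dict) -> None:
    # Mirrors the with-query processor: scheme, domain, path present; full missing; query != null.
    s, d, p, q = (get(event, f"url.{k}") for k in ("scheme", "domain", "path", "query"))
    if get(event, "url.full") is None and None not in (s, d, p) and q is not None:
        put(event, "url.full", f"{s}://{d}{p}?{q}")


def set_url_full_without_query(event: dict) -> None:
    # Mirrors the without-query processor: same guards, but query == null.
    s, d, p, q = (get(event, f"url.{k}") for k in ("scheme", "domain", "path", "query"))
    if get(event, "url.full") is None and None not in (s, d, p) and q is None:
        put(event, "url.full", f"{s}://{d}{p}")


PROCESSORS = (infer_scheme, copy_full_url, set_url_full_with_query, set_url_full_without_query)


def run_pipeline(event: dict) -> dict:
    """Run the processors in order on a copy of the event and return the result."""
    out = copy.deepcopy(event)
    for proc in PROCESSORS:
        proc(out)
    return out


def url_full(event: dict) -> Optional[str]:
    """Convenience: the url.full value the pipeline produces for an event."""
    return get(run_pipeline(event), "url.full")


# Constructed sample events; values are invented, not taken from FortiOS logs.
SAMPLES = {
    "with_query": {"url": {"scheme": "https", "domain": "example.com", "path": "/dl", "query": "id=7"}},
    "without_query": {"url": {"scheme": "https", "domain": "example.com", "path": "/dl"}},
    "scheme_from_protocol": {"network": {"protocol": "http"}, "url": {"domain": "example.com", "path": "/"}},
    "raw_full_url": {
        "fortinet": {"firewall": {"url": "http://example.com/a?b=1"}},
        "url": {"scheme": "http", "domain": "example.com", "path": "/a", "query": "b=1"},
    },
    # Edge cases: no path means no url.full; an empty query string still passes
    # the "!= null" guard and yields a trailing "?"; a certificate-style event
    # gets a lone url.scheme and nothing else.
    "missing_path": {"url": {"scheme": "https", "domain": "example.com"}},
    "empty_query": {"url": {"scheme": "https", "domain": "example.com", "path": "/dl", "query": ""}},
    "certificate_event": {"network": {"protocol": "https"}},
}

if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        out = run_pipeline(ev)
        print(f"{name:22} url.full={get(out, 'url.full')!r} url.scheme={get(out, 'url.scheme')!r}")
```

Running the script prints one line per sample; the last three samples are the ones worth comparing against the review comments: `missing_path` produces no url.full at all, `empty_query` produces a URL ending in a bare `?`, and `certificate_event` produces url.scheme with no other url fields.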

@qcorporation qcorporation self-assigned this Apr 1, 2026
@qcorporation qcorporation added the Integration:fortinet_fortigate Fortinet FortiGate Firewall Logs label Apr 1, 2026

github-actions bot commented Apr 1, 2026

Vale Linting Results

Summary: 5 warnings, 3 suggestions found

⚠️ Warnings (5)
File Line Rule Message
packages/fortinet_fortigate/docs/README.md 855 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/fortinet_fortigate/docs/README.md 855 Elastic.DontUse Don't use 'and/or'.
packages/fortinet_fortigate/docs/README.md 859 Elastic.DontUse Don't use 'just'.
packages/fortinet_fortigate/docs/README.md 861 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/fortinet_fortigate/docs/README.md 862 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
💡 Suggestions (3)
File Line Rule Message
packages/fortinet_fortigate/docs/README.md 855 Elastic.Wordiness Consider using 'sometimes' instead of 'In some cases'.
packages/fortinet_fortigate/docs/README.md 855 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
packages/fortinet_fortigate/docs/README.md 859 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Apr 1, 2026
@qcorporation (Contributor, Author)

/test

@elasticmachine

💚 Build Succeeded

cc @qcorporation

@qcorporation qcorporation marked this pull request as ready for review April 2, 2026 13:59
@qcorporation qcorporation requested a review from a team as a code owner April 2, 2026 13:59
tag: set_url_full_without_query_3f3ba2f9
field: url.full
value: "{{{url.scheme}}}://{{{url.domain}}}{{{url.path}}}"
if: ctx?.url?.scheme != null && ctx?.url?.domain != null && ctx?.url?.path != null && ctx?.url?.full == null && ctx?.url?.query == null
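Review bot: the condition requires url.path to be non-null as well as url.scheme and url.domain, so an event that carries a scheme and a domain but no path (a request for the bare host) still ends up without url.full and stays invisible to the Threat Indicator URL Match rule this PR is meant to serve. If FortiGate logs can produce that shape, consider either defaulting url.path to "/" earlier in the pipeline or adding a variant whose value is "{{{url.scheme}}}://{{{url.domain}}}/" guarded by ctx.url.path == null.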
Contributor

Suggested change
if: ctx?.url?.scheme != null && ctx?.url?.domain != null && ctx?.url?.path != null && ctx?.url?.full == null && ctx?.url?.query == null
if: ctx.url?.scheme != null && ctx.url.domain != null && ctx.url.path != null && ctx.url.full == null && ctx.url.query == null

tag: set_url_full_with_query_0d8b7ec0
field: url.full
value: "{{{url.scheme}}}://{{{url.domain}}}{{{url.path}}}?{{{url.query}}}"
if: ctx?.url?.scheme != null && ctx?.url?.domain != null && ctx?.url?.path != null && ctx?.url?.full == null && ctx?.url?.query != null
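Review bot: ctx?.url?.query != null is also true for an empty query string, in which case the value template emits a trailing "?" (for example https://example.com/path?), which will not match an indicator for the same URL without the "?". If the upstream parsing can leave url.query as "", tighten this to ctx.url.query != null && !ctx.url.query.isEmpty() and relax the without-query processor to ctx.url.query == null || ctx.url.query.isEmpty() so the two processors stay mutually exclusive and every event still gets exactly one url.full.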
Contributor

Suggested change
if: ctx?.url?.scheme != null && ctx?.url?.domain != null && ctx?.url?.path != null && ctx?.url?.full == null && ctx?.url?.query != null
if: ctx.url?.scheme != null && ctx.url.domain != null && ctx.url.path != null && ctx.url.full == null && ctx.url.query != null

tag: set_url_full_with_query_ff61f80b
field: url.full
value: "{{{url.scheme}}}://{{{url.domain}}}{{{url.path}}}?{{{url.query}}}"
if: ctx.url?.scheme != null && ctx.url?.domain != null && ctx.url?.path != null && ctx.url?.full == null && ctx.url?.query != null
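Review bot: this copy of the with-query processor writes its condition as ctx.url?.scheme != null && ctx.url?.domain != null ... while the other copy (tag set_url_full_with_query_0d8b7ec0) uses ctx?.url?.scheme != null && ctx?.url?.domain != null ...; the two processors are otherwise identical, so pick one form and use it in both files, ideally the tighter ctx.url?.scheme != null && ctx.url.domain != null && ctx.url.path != null && ctx.url.full == null && ctx.url.query != null, since once ctx.url?.scheme has been tested non-null the remaining null-safe operators add nothing.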
Contributor

Suggested change
if: ctx.url?.scheme != null && ctx.url?.domain != null && ctx.url?.path != null && ctx.url?.full == null && ctx.url?.query != null
if: ctx.url?.scheme != null && ctx.url.domain != null && ctx.url.path != null && ctx.url.full == null && ctx.url.query != null

tag: set_url_full_without_query_0a3eb6ad
field: url.full
value: "{{{url.scheme}}}://{{{url.domain}}}{{{url.path}}}"
if: ctx.url?.scheme != null && ctx.url?.domain != null && ctx.url?.path != null && ctx.url?.full == null && ctx.url?.query == null
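Review bot: the two new test log lines described in the PR (logid 1059028704, an app-control event) exercise the UTM copies of these processors; nothing in this change shows a non-UTM sample reaching this fallback copy, so its output never appears in an expected-results file. Consider adding one test line for a non-UTM log type that carries url.domain and url.path so a regression in this processor (or in the tag/condition drift between the two copies) is caught by the pipeline tests.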
Contributor

Suggested change
if: ctx.url?.scheme != null && ctx.url?.domain != null && ctx.url?.path != null && ctx.url?.full == null && ctx.url?.query == null
if: ctx.url?.scheme != null && ctx.url.domain != null && ctx.url.path != null && ctx.url.full == null && ctx.url.query == null

Comment on lines +3772 to +3775
],
"url": {
"scheme": "https"
}
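Review bot: agree that a lone url.scheme on a certificate event is noise, and the cause is that the scheme-inference processor fires on network.protocol alone. Rather than dropping the inference, gate it on a URL actually being present, for example by adding ctx.url?.domain != null to its condition; that keeps url.scheme out of events like this one while still feeding the url.full assembly processors that need it.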
Contributor

url.scheme with nothing else seems odd. The event has to do with certificates, not a URL, so I'm not sure we should have this? network.protocol is set to https, which I think is good enough.

@andrewkroh andrewkroh added the Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience] label Apr 2, 2026
@elasticmachine
Copy link
Copy Markdown

Pinging @elastic/integration-experience (Team:Integration-Experience)


Successfully merging this pull request may close these issues.

Fortigate Integration url.full missing

4 participants