Sumo Logic + Fortigate + Web Classification (update!)

You should read the original post first, then compare the query there with the one below.

The major change below is that unrated websites are now classified as UNRATED. I should have caught this when writing the original post, but in my testing very few unrated items showed up, so it slipped under my radar.

_index=security_logs _sourceCategory=fw_security "subtype=webfilter"
  | parse " catdesc=\"*\"" as category nodrop
  | parse " error=\"*\"" as error nodrop
  | keyvalue regex "=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) " keys "srcip"
  | keyvalue regex "=(\d+) " keys "sentbyte", "rcvdbyte"
  // Line below does the work
  | if (error matches "unknown", "UNRATED", category) as category
  | sentbyte+rcvdbyte as bytes
  | sum(bytes) as bytes by category
  | where bytes >=500
  | sort by bytes
  | limit 20
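To see the same logic outside Sumo Logic, here is an added Python example (not the author's code) that applies the query's steps to a few constructed FortiGate webfilter lines: parse the key=value fields, relabel events that carry error="unknown" as UNRATED, sum sentbyte+rcvdbyte per category, drop totals under 500 bytes, and return the top 20 in descending order, which is what `sort by bytes` does by default in Sumo Logic.

```python
import re
from collections import defaultdict

# Constructed sample FortiGate log lines (not real traffic); the field names
# match the ones the Sumo Logic query above parses.
SAMPLE_LOGS = [
    'date=2024-01-01 type=utm subtype=webfilter srcip=10.0.0.5 catdesc="Search Engines" sentbyte=300 rcvdbyte=1200',
    'date=2024-01-01 type=utm subtype=webfilter srcip=10.0.0.6 error="unknown" sentbyte=100 rcvdbyte=900',
    'date=2024-01-01 type=utm subtype=webfilter srcip=10.0.0.7 catdesc="Search Engines" sentbyte=50 rcvdbyte=100',
    'date=2024-01-01 type=utm subtype=webfilter srcip=10.0.0.8 catdesc="News and Media" sentbyte=20 rcvdbyte=30',
    'date=2024-01-01 type=utm subtype=ips srcip=10.0.0.9 catdesc="Ignored" sentbyte=9999 rcvdbyte=9999',
]

# key=value pairs where the value is either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Return a dict of the key=value fields in one FortiGate log line."""
    # findall yields '' for the alternation branch that did not match
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def classify(fields):
    """Mirror the query's `if (error matches "unknown", "UNRATED", category)`."""
    if fields.get("error") == "unknown":
        return "UNRATED"
    return fields.get("catdesc")


def bytes_by_category(lines, min_bytes=500, limit=20):
    """Sum sentbyte+rcvdbyte per category over webfilter events only, keep
    totals >= min_bytes, and return (category, bytes) sorted descending."""
    totals = defaultdict(int)
    for line in lines:
        fields = parse_kv(line)
        if fields.get("subtype") != "webfilter":   # like "subtype=webfilter"
            continue
        sent = int(fields.get("sentbyte", 0))
        rcvd = int(fields.get("rcvdbyte", 0))
        totals[classify(fields)] += sent + rcvd
    kept = [(cat, b) for cat, b in totals.items() if b >= min_bytes]
    return sorted(kept, key=lambda cb: cb[1], reverse=True)[:limit]


if __name__ == "__main__":
    for cat, b in bytes_by_category(SAMPLE_LOGS):
        print(f"{b:>8}  {cat}")
```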