Parsers and Generated Fields
Tag Fields Created by Parser fortinet-fortigate
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser fortinet-fortigate
| Source Field | CPS Field |
|---|---|
| source.ip | client.ip |
| source.port | client.port |
| Vendor.daddr | destination.address |
| Vendor.dst_host | destination.address |
| Vendor.rcvdbyte | destination.bytes |
| Vendor.dstcity | destination.geo.city_name |
| Vendor.dstcountry | destination.geo.country_name |
| Vendor.dstregion | destination.geo.region_name |
| Vendor.dstip | destination.ip |
| Vendor.remip | destination.ip |
| Vendor.tranip | destination.nat.ip |
| Vendor.tranport | destination.nat.port |
| Vendor.rcvdpkt | destination.packets |
| Vendor.dst_port | destination.port |
| Vendor.dstport | destination.port |
| Vendor.remport | destination.port |
| Vendor.dstuser | destination.user.name |
| Vendor.xid | dns.id |
| Vendor.qclass | dns.question.class |
| Vendor.qname | dns.question.name |
| Vendor.qtype | dns.question.type |
| Vendor.subject | email.subject |
| Vendor.error_num | error.code |
| Vendor.error | error.message |
| Vendor.action | event.action |
| Vendor.eventtype | event.action |
| Vendor.sess_duration | event.duration |
| Vendor.event_id | event.id |
| Vendor.eventid | event.id |
| Vendor.ref | event.reference |
| Vendor.filetype | file.extension |
| Vendor.infectedfiletype | file.extension |
| Vendor.matchedfiletype | file.extension |
| Vendor.filename | file.name |
| Vendor.infectedfilename | file.name |
| Vendor.matchedfilename | file.name |
| Vendor.file | file.path |
| Vendor.filesize | file.size |
| Vendor.infectedfilesize | file.size |
| Vendor.srcname | host.name |
| Vendor.crlevel | host.risk.calculated_level |
| Vendor.crscore | host.risk.calculated_score |
| Vendor.level | log.level |
| source.bytes | network.bytes |
| Vendor.proto | network.iana_number |
| source.packets | network.packets |
| Vendor.dst_int | observer.egress.interface.name |
| Vendor.dstintf | observer.egress.interface.name |
| Vendor.dstintfrole | observer.egress.zone |
| Vendor.src_int | observer.ingress.interface.name |
| Vendor.srcintf | observer.ingress.interface.name |
| Vendor.srcintfrole | observer.ingress.zone |
| Vendor.devname | observer.name |
| Vendor.devid | observer.serial_number |
| Vendor.app | process.name |
| Vendor.catdesc | rule.category |
| Vendor.msg; | rule.description |
| Vendor.comment | rule.description |
| Vendor.logdesc | rule.description |
| Vendor.policyid | rule.id |
| Vendor.policyid | rule.id |
| Vendor.policyname | rule.name |
| Vendor.applist | rule.ruleset |
| Vendor.policytype | rule.ruleset |
| Vendor.profile | rule.ruleset |
| Vendor.poluuid | rule.uuid |
| destination.ip | server.ip |
| destination.port | server.port |
| Vendor.sentbyte | source.bytes |
| Vendor.locip | source.ip |
| Vendor.srcip | source.ip |
| Vendor.transip | source.nat.ip |
| Vendor.transport | source.nat.port |
| Vendor.sentpkt | source.packets |
| Vendor.locport | source.port |
| Vendor.src_port | source.port |
| Vendor.srcport | source.port |
| Vendor.group | source.user.group.name |
| Vendor.unauthuser | source.user.name |
| Vendor.user | source.user.name |
| Vendor.ccertissuer | tls.client.issuer |
| tls.client.issuer | tls.client.x509.issuer.common_name[0] |
| Vendor.scertissuer | tls.server.issuer |
| tls.server.issuer | tls.server.x509.issuer.common_name[0] |
| Vendor.scertcname | tls.server.x509.subject.common_name[0] |
| Vendor.url | url.path |
| source.user.name | user.name |
| Vendor.agent | user_agent.original |
| Vendor.dtype | vulnerability.category[0] |