Parsers and Generated Fields
Tag Fields Created by Parser fortinet-fortigate
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type

Fields Identified by Parser fortinet-fortigate

| CPS Field | Mapping Type | Vendor Field(s) |
|---|---|---|
| `dns.resolved_ip[]` | Array | Vendor.ipaddr |
| `email.from.address[]` | Array | Vendor.collectedemail, Vendor.from |
| `email.to.address[]` | Array | Vendor.dstcollectedemail, Vendor.recipient |
| `event.category[]` | Array | Vendor.type, Vendor.subtype, Vendor.action, Vendor.logdesc |
| `event.type[]` | Array | Vendor.type, Vendor.action, Vendor.subtype |
| `tls.client.x509.issuer.common_name[]` | Array | Vendor.ccertissuer |
| `tls.server.x509.issuer.common_name[]` | Array | Vendor.scertissuer |
| `tls.server.x509.subject.common_name[]` | Array | Vendor.scertcname |
| `vulnerability.category[]` | Array | Vendor.dtype |
| `network.bytes` | Calculated | Vendor.sentbyte, Vendor.rcvdbyte |
| `network.packets` | Calculated | Vendor.sentpkt, Vendor.rcvdpkt |
| `destination.address` | Conditional | Vendor.daddr, Vendor.dst_host, Vendor.dstname |
| `destination.port` | Conditional | Vendor.dstport, Vendor.dst_port, Vendor.remport |
| `event.dataset` | Conditional | Vendor.type, Vendor.subtype |
| `event.outcome` | Conditional | Vendor.type, Vendor.action, Vendor.status, Vendor.result, Vendor.logdesc, Vendor.reason, Vendor.subtype |
| `rule.description` | Conditional | Vendor.logdesc, Vendor.comment, Vendor.msg |
| `rule.ruleset` | Conditional | Vendor.policytype, Vendor.applist, Vendor.profile |
| `source.port` | Conditional | Vendor.srcport, Vendor.locport, Vendor.src_port |
| `client.ip` | Copied | Vendor.srcip, Vendor.remip, Vendor.locip |
| `client.port` | Copied | Vendor.srcport, Vendor.locport, Vendor.src_port |
| `destination.bytes` | Copied | Vendor.rcvdbyte |
| `destination.geo.city_name` | Copied | Vendor.dstcity |
| `destination.geo.country_name` | Copied | Vendor.dstcountry |
| `destination.geo.region_name` | Copied | Vendor.dstregion |
| `destination.ip` | Copied | Vendor.dstip |
| `destination.nat.ip` | Copied | Vendor.tranip |
| `destination.nat.port` | Copied | Vendor.tranport |
| `destination.packets` | Copied | Vendor.rcvdpkt |
| `destination.user.name` | Copied | Vendor.dstuser |
| `dns.id` | Copied | Vendor.xid |
| `dns.question.class` | Copied | Vendor.qclass |
| `dns.question.name` | Copied | Vendor.qname |
| `dns.question.type` | Copied | Vendor.qtype |
| `email.cc.address[0]` | Copied | Vendor.cc |
| `email.sender.address` | Copied | Vendor.sender |
| `email.subject` | Copied | Vendor.subject |
| `error.code` | Copied | Vendor.error_num |
| `error.message` | Copied | Vendor.error |
| `event.action` | Copied | Vendor.action, Vendor.eventtype |
| `event.duration` | Copied | Vendor.sess_duration |
| `event.id` | Copied | Vendor.event_id, Vendor.eventid |
| `event.reason` | Copied | Vendor.reason |
| `event.reference` | Copied | Vendor.ref |
| `file.extension` | Copied | Vendor.filetype, Vendor.infectedfiletype, Vendor.matchedfiletype |
| `file.name` | Copied | Vendor.filename, Vendor.infectedfilename, Vendor.matchedfilename |
| `file.path` | Copied | Vendor.file |
| `file.size` | Copied | Vendor.filesize, Vendor.infectedfilesize |
| `host.name` | Copied | Vendor.srcname |
| `host.risk.calculated_level` | Copied | Vendor.crlevel |
| `host.risk.calculated_score` | Copied | Vendor.crscore |
| `http.request.method` | Copied | Vendor.httpmethod, Vendor.method |
| `http.response.status_code` | Copied | Vendor.status |
| `log.level` | Copied | Vendor.level |
| `message` | Copied | Vendor.msg |
| `network.application` | Copied | Vendor.app |
| `network.iana_number` | Copied | Vendor.proto |
| `observer.egress.interface.name` | Copied | Vendor.dstintf, Vendor.dst_int |
| `observer.egress.zone` | Copied | Vendor.dstintfrole |
| `observer.ingress.interface.name` | Copied | Vendor.srcintf, Vendor.src_int |
| `observer.ingress.zone` | Copied | Vendor.srcintfrole |
| `observer.name` | Copied | Vendor.devname |
| `observer.serial_number` | Copied | Vendor.devid, Vendor.device_id |
| `process.name` | Copied | Vendor.app |
| `rule.category` | Copied | Vendor.catdesc |
| `rule.id` | Copied | Vendor.policyid |
| `rule.name` | Copied | Vendor.policyname, Vendor.attack |
| `rule.uuid` | Copied | Vendor.poluuid |
| `server.ip` | Copied | Vendor.dstip |
| `server.port` | Copied | Vendor.dstport, Vendor.dst_port, Vendor.remport |
| `source.bytes` | Copied | Vendor.sentbyte |
| `source.domain` | Copied | Vendor.srcdomain |
| `source.geo.country_name` | Copied | Vendor.srccountry |
| `source.ip` | Copied | Vendor.srcip, Vendor.remip, Vendor.locip |
| `source.mac` | Copied | Vendor.srcmac, Vendor.source_mac |
| `source.nat.ip` | Copied | Vendor.transip |
| `source.nat.port` | Copied | Vendor.transport |
| `source.packets` | Copied | Vendor.sentpkt |
| `source.user.group.name` | Copied | Vendor.group |
| `source.user.name` | Copied | Vendor.user, Vendor.unauthuser |
| `tls.client.issuer` | Copied | Vendor.ccertissuer |
| `tls.server.issuer` | Copied | Vendor.scertissuer |
| `url.domain` | Copied | Vendor.hostname |
| `url.original` | Copied | Vendor.url |
| `user.name` | Copied | Vendor.user, Vendor.unauthuser |
| `user_agent.original` | Copied | Vendor.agent |
| `log.syslog.priority` | Extracted | @rawstring |
| `network.protocol` | Extracted | Vendor.service |
| `event.severity` | Mapped | Vendor.severity |
| `network.direction` | Mapped | Vendor.dir, Vendor.direction |
| `network.transport` | Mapped | Vendor.proto |
| `@timestamp` | Parsed | Vendor.eventtime |
| `ecs.version` | Static | None |
| `event.kind` | Static | None |
| `event.module` | Static | None |
| `observer.product` | Static | None |
| `observer.type` | Static | None |
| `observer.vendor` | Static | None |

| Vendor Field | CPS Field | Description |
|---|---|---|
| source.ip | client.ip | |
| source.port | client.port | |
| Vendor.dst_host | destination.address | |
| Vendor.rcvdbyte | destination.bytes | |
| Vendor.dstcity | destination.geo.city_name | |
| Vendor.dstregion | destination.geo.region_name | |
| Vendor.dstip | destination.ip | |
| Vendor.tranip | destination.nat.ip | |
| Vendor.tranport | destination.nat.port | |
| Vendor.rcvdpkt | destination.packets | |
| Vendor.dst_port | destination.port | |
| Vendor.dstport | destination.port | |
| Vendor.dstuser | destination.user.name | |
| Vendor.xid | dns.id | |
| Vendor.qclass | dns.question.class | |
| Vendor.qname | dns.question.name | |
| Vendor.qtype | dns.question.type | |
| Vendor.subject | email.subject | |
| Vendor.error_num | error.code | |
| Vendor.error | error.message | |
| Vendor.sess_duration | event.duration | |
| Vendor.reason | event.reason | |
| Vendor.ref | event.reference | |
| Vendor.filetype | file.extension | |
| Vendor.filename | file.name | |
| Vendor.file | file.path | |
| Vendor.filesize | file.size | |
| Vendor.srcname | host.name | |
| Vendor.crlevel | host.risk.calculated_level | |
| Vendor.crscore | host.risk.calculated_score | |
| Vendor.httpmethod | http.request.method | |
| Vendor.method | http.request.method | |
| Vendor.level | log.level | |
| Vendor.msg | message | |
| source.bytes | network.bytes | |
| Vendor.proto | network.iana_number | |
| source.packets | network.packets | |
| Vendor.dstintfrole | observer.egress.zone | |
| Vendor.srcintfrole | observer.ingress.zone | |
| Vendor.devname | observer.name | |
| Vendor.device_id | observer.serial_number | |
| Vendor.devid | observer.serial_number | |
| Vendor.app | process.name | |
| Vendor.catdesc | rule.category | |
| Vendor.policyid | rule.id | |
| Vendor.policyname | rule.name | |
| Vendor.applist | rule.ruleset | |
| Vendor.poluuid | rule.uuid | |
| destination.ip | server.ip | |
| destination.port | server.port | |
| Vendor.sentbyte | source.bytes | |
| Vendor.remip | source.ip | |
| Vendor.srcip | source.ip | |
| Vendor.transip | source.nat.ip | |
| Vendor.transport | source.nat.port | |
| Vendor.sentpkt | source.packets | |
| Vendor.locport | source.port | |
| Vendor.srcport | source.port | |
| Vendor.group | source.user.group.name | |
| Vendor.ccertissuer | tls.client.issuer | |
| Vendor.scertissuer | tls.server.issuer | |
| Vendor.url | url.original | |
| source.user.name | user.name | |
| Vendor.agent | user_agent.original | |