Parsers and Generated Fields

Tag Fields Created by Parser fortinet-fortigate
  • #Cps.version

  • #Vendor

  • #ecs.version

  • #event.dataset

  • #event.kind

  • #event.module

  • #event.outcome

  • #observer.type

Fields Identified by Parser fortinet-fortigate
Vendor Field              CPS Field                               Description
------------------------  --------------------------------------  ----------------------------------------
Vendor.eventtime          @timestamp                              Primary timestamp field
source.ip                 client.ip
source.port               client.port
Vendor.daddr;             destination.address
Vendor.dst_host           destination.address
Vendor.rcvdbyte           destination.bytes                       Bytes received by destination
Vendor.dstcity            destination.geo.city_name               Destination city
Vendor.dstcountry         destination.geo.country_name            Destination country (if not "Reserved")
Vendor.dstcountry;        destination.geo.country_name
Vendor.dstregion          destination.geo.region_name             Destination region
Vendor.dstip              destination.ip                          Destination IP address
Vendor.tranip             destination.nat.ip                      Translated destination IP
Vendor.tranport           destination.nat.port                    Translated destination port
Vendor.rcvdpkt            destination.packets                     Packets received by destination
Vendor.dst_port           destination.port                        Destination port for UTM type
Vendor.dstport            destination.port                        Destination port for traffic type
Vendor.dstport;           destination.port
Vendor.remport            destination.port                        Alternative destination port field
Vendor.remport;           destination.port
Vendor.dstuser            destination.user.name                   Destination user name
Vendor.xid                dns.id                                  DNS transaction ID
Vendor.qclass             dns.question.class                      DNS query class
Vendor.qname              dns.question.name                       DNS query name
Vendor.qtype              dns.question.type                       DNS query type
Vendor.ipaddr             dns.resolved_ip                         DNS resolved IP addresses
Vendor.cc                 email.cc.address[0]                     Email CC address
Vendor.collectedemail     email.from.address[0]                   Source email address
Vendor.from               email.from.address[1]                   Email from address
Vendor.sender             email.sender.address                    Email sender address
Vendor.subject            email.subject                           Email subject
Vendor.dstcollectedemail  email.to.address[0]                     Destination email address
Vendor.recipient          email.to.address[1]                     Email recipient
Vendor.error_num          error.code                              Error code
Vendor.error              error.message                           Error message
Vendor.action;            event.action
Vendor.eventtype;         event.action
Vendor.sess_duration      event.duration                          Session duration
Vendor.event_id;          event.id
Vendor.eventid;           event.id
Vendor.reason             event.reason                            Event reason
Vendor.ref                event.reference                         Event reference
Vendor.severity           event.severity                          Maps severity levels to numeric values
Vendor.filetype           file.extension                          File type
Vendor.infectedfiletype   file.extension                          Used when file.extension is empty
Vendor.infectedfiletype;  file.extension
Vendor.matchedfiletype    file.extension                          Alternative when file.extension is empty
Vendor.matchedfiletype;   file.extension
Vendor.filename           file.name                               File name
Vendor.infectedfilename   file.name                               Used when file.name is empty
Vendor.infectedfilename;  file.name
Vendor.matchedfilename    file.name                               Alternative when file.name is empty
Vendor.matchedfilename;   file.name
Vendor.file               file.path                               File path
Vendor.filesize           file.size                               File size
Vendor.infectedfilesize   file.size                               Used when file.size is empty
Vendor.infectedfilesize;  file.size
Vendor.srcname            host.name                               Source host name
Vendor.crlevel            host.risk.calculated_level              Risk level
Vendor.crscore            host.risk.calculated_score              Risk score
Vendor.httpmethod         http.request.method                     HTTP method for UTM events
Vendor.method             http.request.method                     For REST API events
Vendor.status             http.response.status_code               For REST API events
Vendor.status;            http.response.status_code
Vendor.level              log.level                               Log level
Vendor.msg                message                                 For UTM alert events
Vendor.app                network.application                     Application name (lowercase)
source.bytes              network.bytes
Vendor.proto              network.iana_number                     Protocol number
source.packets            network.packets
Vendor.dst_int            observer.egress.interface.name          Alternative destination interface name
Vendor.dst_int;           observer.egress.interface.name
Vendor.dstintf            observer.egress.interface.name          Destination interface name
Vendor.dstintf;           observer.egress.interface.name
Vendor.dstintfrole        observer.egress.zone                    Destination interface role
Vendor.src_int            observer.ingress.interface.name         Alternative source interface name
Vendor.src_int;           observer.ingress.interface.name
Vendor.srcintf            observer.ingress.interface.name         Source interface name
Vendor.srcintf;           observer.ingress.interface.name
Vendor.srcintfrole        observer.ingress.zone                   Source interface role
Vendor.devname            observer.name                           Device name
Vendor.device_id          observer.serial_number                  Alternative device ID
Vendor.devid              observer.serial_number                  Device ID
Vendor.app                process.name                            Application name
Vendor.catdesc            rule.category                           Category description
Vendor.comment            rule.description                        For traffic type logs
Vendor.comment;           rule.description
Vendor.logdesc            rule.description                        For event type logs
Vendor.logdesc;           rule.description
Vendor.msg                rule.description                        For UTM type logs
Vendor.msg;               rule.description
Vendor.policyid           rule.id                                 Policy ID
Vendor.policyid;          rule.id
Vendor.attack             rule.name                               For UTM alert events
Vendor.attack;            rule.name
Vendor.policyname         rule.name                               Policy name
Vendor.applist            rule.ruleset                            For UTM type logs
Vendor.policytype         rule.ruleset                            For traffic type logs
Vendor.policytype;        rule.ruleset
Vendor.profile            rule.ruleset                            Alternative for UTM type logs
Vendor.profile;           rule.ruleset
Vendor.poluuid            rule.uuid                               Policy UUID
destination.ip            server.ip
destination.port          server.port
Vendor.sentbyte           source.bytes                            Bytes sent from source
Vendor.srccountry         source.geo.country_name                 Source country (if not "Reserved")
Vendor.srccountry;        source.geo.country_name
Vendor.locip              source.ip                               Used when source.ip is empty
Vendor.locip;             source.ip
Vendor.remip              source.ip                               Alternative source IP field
Vendor.srcip              source.ip                               Source IP address
Vendor.transip            source.nat.ip                           Translated source IP
Vendor.transport          source.nat.port                         Translated source port
Vendor.sentpkt            source.packets                          Packets sent from source
Vendor.locport            source.port                             Source port for UTM type
Vendor.locport;           source.port
Vendor.src_port           source.port                             Alternative source port field
Vendor.src_port;          source.port
Vendor.srcport            source.port                             Source port for traffic type
Vendor.srcport;           source.port
Vendor.group              source.user.group.name                  User group name
Vendor.unauthuser         source.user.name                        Alternative user name
Vendor.unauthuser;        source.user.name
Vendor.user               source.user.name                        User name
Vendor.user;              source.user.name
Vendor.ccertissuer        tls.client.issuer                       Client certificate issuer
tls.client.issuer         tls.client.x509.issuer.common_name[0]
Vendor.scertissuer        tls.server.issuer                       Server certificate issuer
tls.server.issuer         tls.server.x509.issuer.common_name[0]
Vendor.scertcname         tls.server.x509.subject.common_name[0]  Server certificate common name
Vendor.hostname           url.domain                              URL domain name
Vendor.url                url.original                            Original URL
source.user.name          user.name
Vendor.agent              user_agent.original                     User agent string
Vendor.dtype              vulnerability.category[0]               Vulnerability category
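The table states several conditional rules (country dropped when it is "Reserved", infected*/matched* file fields used only when the primary field is empty, Vendor.app lowercased for network.application but not for process.name, different port and rule fields for traffic and UTM logs, and the CPS-to-CPS copies into client.*, server.*, network.bytes and user.name). The following stand-alone Python block is an added example that reimplements a subset of those rules and is not the fortinet-fortigate parser's own code. It assumes that FortiGate's own type= field selects the traffic/utm/event variants, that the order in which "alternative" vendor fields are tried is as written in the code (the page does not state a precedence), and that ports, byte counts and the protocol number are converted to integers; the two sample lines are constructed, not captured from a device. The numeric severity mapping is left out because the page does not give its values.

```python
# Added example, not the fortinet-fortigate parser's own code: a stand-alone Python
# reimplementation of part of the field table above, run over constructed key=value lines.
import re

# Constructed sample lines (not captured from a real device).
SAMPLE_TRAFFIC = (
    'devname="fw-edge-1" devid="FGT60F0000000001" eventtime=1704110400000000000 type="traffic" '
    'srcip=10.0.0.5 srcport=51234 srcintf="port1" dstip=203.0.113.10 dstport=443 dstintf="wan1" '
    'srccountry="Reserved" dstcountry="United States" policyid=7 policyname="allow-web" '
    'policytype="policy" comment="Allow outbound web" proto=6 action="accept" app="HTTPS.BROWSER" '
    'sentbyte=1200 rcvdbyte=5400 user="alice"'
)
SAMPLE_UTM = (
    'devname="fw-edge-1" devid="FGT60F0000000001" eventtime=1704110405000000000 type="utm" '
    'srcip=10.0.0.5 srcport=51235 dstip=198.51.100.7 dstport=80 dstcountry="Reserved" '
    'profile="default" action="blocked" msg="File is infected." app="HTTP.BROWSER" '
    'infectedfilename="eicar.com" infectedfilesize=68'
)

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Split a FortiGate key=value line into Vendor.* fields; quoted values may contain spaces."""
    return {f"Vendor.{k}": quoted or bare for k, quoted, bare in _KV.findall(line)}


def first(vendor, *names):
    """First non-empty value among the named vendor fields; the fallback order is an assumption."""
    return next((vendor[n] for n in names if vendor.get(n)), None)


def map_fields(vendor):
    """Apply the documented mappings to one parsed event and return the CPS fields."""
    cps = {}

    def put(name, value, as_int=False):
        if value not in (None, ""):
            cps[name] = int(value) if as_int else value

    # Assumption: FortiGate's own type= field selects the "traffic"/"utm"/"event" variants.
    log_type = vendor.get("Vendor.type")
    put("@timestamp", vendor.get("Vendor.eventtime"))
    put("observer.name", vendor.get("Vendor.devname"))
    put("observer.serial_number", first(vendor, "Vendor.devid", "Vendor.device_id"))
    put("network.iana_number", vendor.get("Vendor.proto"), as_int=True)

    # Addresses: srcip, then locip "when source.ip is empty", then the remip alternative.
    put("source.ip", first(vendor, "Vendor.srcip", "Vendor.locip", "Vendor.remip"))
    put("destination.ip", vendor.get("Vendor.dstip"))
    # Ports: traffic logs use srcport/dstport, UTM logs locport/dst_port, plus the listed alternatives.
    if log_type == "traffic":
        put("source.port", first(vendor, "Vendor.srcport", "Vendor.src_port"), as_int=True)
        put("destination.port", first(vendor, "Vendor.dstport", "Vendor.remport"), as_int=True)
    else:
        put("source.port", first(vendor, "Vendor.locport", "Vendor.src_port", "Vendor.srcport"), as_int=True)
        put("destination.port", first(vendor, "Vendor.dst_port", "Vendor.remport", "Vendor.dstport"), as_int=True)

    # Geo: the country is dropped when FortiGate reports the placeholder "Reserved".
    for side, key in (("source", "Vendor.srccountry"), ("destination", "Vendor.dstcountry")):
        country = vendor.get(key)
        if country and country != "Reserved":
            cps[f"{side}.geo.country_name"] = country

    put("source.bytes", vendor.get("Vendor.sentbyte"), as_int=True)
    put("destination.bytes", vendor.get("Vendor.rcvdbyte"), as_int=True)
    put("observer.ingress.interface.name", first(vendor, "Vendor.srcintf", "Vendor.src_int"))
    put("observer.egress.interface.name", first(vendor, "Vendor.dstintf", "Vendor.dst_int"))
    put("source.user.name", first(vendor, "Vendor.user", "Vendor.unauthuser"))
    # Vendor.app feeds both network.application (lowercased) and process.name (as-is).
    app = vendor.get("Vendor.app")
    put("network.application", app.lower() if app else None)
    put("process.name", app)

    # Rule fields: the description and ruleset sources depend on the log type.
    put("rule.id", vendor.get("Vendor.policyid"))
    put("rule.name", vendor.get("Vendor.policyname"))
    if log_type == "traffic":
        put("rule.description", vendor.get("Vendor.comment"))
        put("rule.ruleset", vendor.get("Vendor.policytype"))
    elif log_type == "utm":
        put("rule.description", vendor.get("Vendor.msg"))
        put("message", vendor.get("Vendor.msg"))
        put("rule.ruleset", first(vendor, "Vendor.applist", "Vendor.profile"))
        put("rule.name", vendor.get("Vendor.attack"))
    else:
        put("rule.description", vendor.get("Vendor.logdesc"))

    # File fields: the infected*/matched* variants fill in only when the primary field is empty.
    put("file.name", first(vendor, "Vendor.filename", "Vendor.infectedfilename", "Vendor.matchedfilename"))
    put("file.size", first(vendor, "Vendor.filesize", "Vendor.infectedfilesize"), as_int=True)

    # CPS-to-CPS copies listed in the table (client/server, network.bytes, user.name).
    for src, dst in (("source.ip", "client.ip"), ("source.port", "client.port"),
                     ("destination.ip", "server.ip"), ("destination.port", "server.port"),
                     ("source.bytes", "network.bytes"), ("source.user.name", "user.name")):
        if src in cps:
            cps[dst] = cps[src]
    return cps
```

Running map_fields(parse_kv(SAMPLE_UTM)) shows the fallbacks in action: file.name is taken from infectedfilename because filename is absent, rule.ruleset from profile because applist is absent, and destination.geo.country_name is omitted because the constructed line carries "Reserved". The traffic sample keeps "United States" as the destination country while the "Reserved" source country is dropped, and its source.ip, source.port and user name reappear as client.ip, client.port and user.name.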