Parsers and Generated Fields

Tag Fields Created by Parser fortinet-fortigate
  • #Cps.version
  • #Vendor
  • #ecs.version
  • #event.dataset
  • #event.kind
  • #event.module
  • #event.outcome
  • #observer.type

Fields Identified by Parser fortinet-fortigate
Source Field | CPS Field | Description | Mapping
--- | --- | --- | ---
Vendor.eventtime, Vendor.date, Vendor.time, Vendor.tz, _ts | @timestamp | Primary timestamp field for events | Parsed from eventtime with conditional format handling or CEF header timestamp
Vendor.eventtime | @timestamp.nanos | Nanosecond precision timestamp | Extracted from eventtime when parsing nanosecond precision
source.address | client.address | Client address | Conditionally mapped from source.address
source.domain | client.domain | Client domain | Conditionally mapped from source.domain
source.ip | client.ip | Client IP address | Conditionally mapped from source.ip
source.mac | client.mac | Client MAC address | Conditionally mapped from source.mac
source.port | client.port | Client port | Conditionally mapped from source.port
Vendor.dstip, Vendor.remip, Vendor.dst_host, Vendor.dstname, Vendor.dst | destination.address | Destination address | Copied using coalesce from multiple fields with conditional logic for login events and lowercase normalization
Vendor.rcvdbyte | destination.bytes | Bytes received by destination | Copied from Vendor.rcvdbyte
Vendor.dst_host, Vendor.dstname | destination.domain | Destination domain | Copied using coalesce with lowercase conversion
Vendor.dstcity | destination.geo.city_name | Destination city | Copied from Vendor.dstcity
Vendor.dstcountry | destination.geo.country_name | Destination country | Copied from Vendor.dstcountry if not "Reserved"
Vendor.dstregion | destination.geo.region_name | Destination region | Copied from Vendor.dstregion
Vendor.dstip, Vendor.remip | destination.ip | Destination IP address | Copied using coalesce with CIDR validation
Vendor.dstmac, Vendor.destination_mac | destination.mac | Destination MAC address | Copied using coalesce with formatting
Vendor.tranip | destination.nat.ip | Destination NAT IP | Copied from Vendor.tranip
Vendor.tranport | destination.nat.port | Destination NAT port | Copied from Vendor.tranport
Vendor.rcvdpkt | destination.packets | Packets received by destination | Copied from Vendor.rcvdpkt
Vendor.dstport, Vendor.remport, Vendor.dst_port, Vendor.dpt | destination.port | Destination port number | Copied using coalesce from multiple fields including Vendor.dpt
Vendor.dstuser | destination.user.name | Destination user name | Copied from Vendor.dstuser
Vendor.xid | dns.id | DNS transaction ID | Copied from Vendor.xid
Vendor.qclass | dns.question.class | DNS query class | Copied from Vendor.qclass
Vendor.qname | dns.question.name | DNS query name | Copied from Vendor.qname
Vendor.qtype | dns.question.type | DNS query type | Copied from Vendor.qtype
Vendor.ipaddr | dns.resolved_ip[] | DNS resolved IP addresses | Array from split Vendor.ipaddr
None | ecs.version | ECS schema version | Static value: 9.2.0
Vendor.cc | email.cc.address[] | Email CC addresses | Array populated from Vendor.cc for emailfilter subtype
Vendor.collectedemail, Vendor.from | email.from.address[] | Email from addresses | Array populated from multiple fields for emailfilter subtype
Vendor.sender | email.sender.address | Email sender address | Copied from Vendor.sender for emailfilter subtype
Vendor.subject | email.subject | Email subject | Copied from Vendor.subject for emailfilter subtype
Vendor.dstcollectedemail, Vendor.recipient | email.to.address[] | Email to addresses | Array populated from multiple fields for emailfilter subtype
Vendor.error_num | error.code | Error code | Copied from Vendor.error_num
Vendor.error | error.message | Error message | Copied from Vendor.error
Vendor.utmaction, Vendor.action, Vendor.logdesc, Vendor.eventtype, Vendor.act | event.action | Action performed | Copied using coalesce with priority order, special handling for UTM block actions
Vendor.type, Vendor.subtype, Vendor.action, Vendor.logdesc | event.category[] | Event category classification | Array populated based on event subtype and conditions
Vendor.type, Vendor.subtype | event.dataset | Dataset classification | Conditional based on event type and subtype
Vendor.sess_duration, Vendor.duration | event.duration | Session duration | Copied using coalesce from multiple fields
Vendor.event_id, Vendor.eventid, Vendor.event_class_id | event.id | Event identifier | Copied using coalesce from multiple fields
Vendor.type, log.level, Vendor.severity | event.kind | Event classification | Static value: event, conditionally set to alert for UTM events
None | event.module | Module identifier | Static value: fortigate
Vendor.type, Vendor.action, Vendor.status, Vendor.result, Vendor.logdesc, Vendor.reason | event.outcome | Success or failure outcome determination | Conditional based on event type and action values
Vendor.reason, Vendor.logdesc | event.reason | Event reason | Copied using coalesce from multiple fields
Vendor.ref | event.reference | Event reference | Copied from Vendor.ref
Vendor.severity | event.severity | Event severity level | Mapped from Vendor.severity to numeric values with support for numeric and text values
Vendor.start | event.start | Event start time | Copied from Vendor.start
Vendor.type, Vendor.action, Vendor.subtype | event.type[] | Event type categorization | Array populated based on event type and action
Vendor.filetype, Vendor.infectedfiletype, Vendor.matchedfiletype | file.extension | File extension | Copied using coalesce from multiple fields
Vendor.filename, Vendor.infectedfilename, Vendor.matchedfilename, Vendor.fname | file.name | File name | Copied using coalesce from multiple fields including CEF fields
Vendor.file | file.path | File path | Copied from Vendor.file
Vendor.filesize, Vendor.infectedfilesize | file.size | File size | Copied using coalesce from multiple fields
Vendor.srcname, Vendor.dvchost | host.name | Host name | Copied using coalesce from multiple fields including CEF fields
Vendor.crlevel | host.risk.calculated_level | Risk level | Copied from Vendor.crlevel
Vendor.crscore | host.risk.calculated_score | Risk score | Copied from Vendor.crscore
Vendor.httpmethod, Vendor.method | http.request.method | HTTP request method | Copied from Vendor.httpmethod or extracted from Vendor.method
Vendor.status | http.response.status_code | HTTP response status code | Extracted from Vendor.status
Vendor.level, Vendor.deviceSeverity | log.level | Log level | Copied using coalesce from multiple fields
@rawstring | log.syslog.hostname | Syslog hostname from CEF format | Extracted from CEF header
@rawstring | log.syslog.priority | Syslog priority number | Extracted from syslog priority header
Vendor.msg | message | Alert message | Copied from Vendor.msg for alert events
Vendor.app | network.application | Network application | Copied from Vendor.app with lowercase conversion
Vendor.sentbyte, Vendor.rcvdbyte | network.bytes | Total network bytes | Calculated from source.bytes + destination.bytes
Vendor.dir, Vendor.direction | network.direction | Network direction | Mapped from Vendor.dir or Vendor.direction
Vendor.proto | network.iana_number | IANA protocol number | Copied from Vendor.proto
Vendor.vpntunnel | network.name | Network name | Copied from Vendor.vpntunnel
Vendor.sentpkt, Vendor.rcvdpkt | network.packets | Total network packets | Calculated from source.packets + destination.packets
Vendor.service, Vendor.subtype, Vendor.method | network.protocol | Network protocol | Extracted from Vendor.service with conditional logic
Vendor.proto | network.transport | Transport protocol | Mapped from network.iana_number
Vendor.dstintf, Vendor.dst_int, Vendor.outintf | observer.egress.interface.name | Egress interface name | Copied using coalesce from multiple fields
Vendor.dstintfrole | observer.egress.zone | Egress zone | Copied from Vendor.dstintfrole
Vendor.dvchost | observer.hostname | Observer hostname | Copied from Vendor.dvchost
Vendor.srcintf, Vendor.src_int, Vendor.interface | observer.ingress.interface.name | Ingress interface name | Copied using coalesce from multiple fields
Vendor.srcintfrole | observer.ingress.zone | Ingress zone | Copied from Vendor.srcintfrole
Vendor.devname | observer.name | Observer device name | Copied from Vendor.devname
None | observer.product | Observer product | Static value: fortigate
Vendor.devid, Vendor.device_id, Vendor.deviceExternalId | observer.serial_number | Observer serial number | Copied using coalesce from multiple fields
None | observer.type | Observer type | Static value: firewall
None | observer.vendor | Observer vendor | Static value: fortinet
Vendor.app | process.name | Process name | Copied from Vendor.app
Vendor.catdesc, Vendor.filtertype, Vendor.filtercat, Vendor.policymode | rule.category | Rule category | Copied using coalesce from multiple fields
Vendor.logdesc, Vendor.comment, Vendor.msg | rule.description | Rule description | Conditional based on event type
Vendor.policyid, Vendor.policy_id, Vendor.filteridx | rule.id | Rule ID | Copied using coalesce from multiple fields
Vendor.policyname, Vendor.constraint, Vendor.dlpextra | rule.name | Rule name | Copied using coalesce from multiple fields
Vendor.policytype, Vendor.applist, Vendor.profile | rule.ruleset | Rule ruleset | Conditional based on event type with coalesce
Vendor.poluuid | rule.uuid | Rule UUID | Copied from Vendor.poluuid
destination.address | server.address | Server address | Conditionally mapped from destination.address
destination.domain | server.domain | Server domain | Conditionally mapped from destination.domain
destination.ip | server.ip | Server IP address | Conditionally mapped from destination.ip
destination.mac | server.mac | Server MAC address | Conditionally mapped from destination.mac
destination.port | server.port | Server port | Conditionally mapped from destination.port
source.address, Vendor.srcip, Vendor.locip, Vendor.src, Vendor.srcname, Vendor.authserver, Vendor.srcdomain | source.address | Source address | Copied using coalesce from multiple fields with conditional logic and lowercase normalization
Vendor.sentbyte | source.bytes | Bytes sent from source | Copied from Vendor.sentbyte
Vendor.srcname, Vendor.authserver, Vendor.srcdomain, source.address | source.domain | Source domain | Copied using coalesce with lowercase conversion or assigned from source.address for non-IP values
Vendor.srccountry | source.geo.country_name | Source country | Copied from Vendor.srccountry if not "Reserved"
Vendor.srcip, Vendor.locip | source.ip | Source IP address | Copied using coalesce with CIDR validation
Vendor.srcmac, Vendor.source_mac | source.mac | Source MAC address | Copied using coalesce with formatting
Vendor.transip | source.nat.ip | Source NAT IP | Copied from Vendor.transip
Vendor.transport | source.nat.port | Source NAT port | Copied from Vendor.transport
Vendor.sentpkt | source.packets | Packets sent from source | Copied from Vendor.sentpkt
Vendor.srcport, Vendor.locport, Vendor.src_port, Vendor.spt | source.port | Source port number | Copied using coalesce from multiple fields including CEF fields
Vendor.unauthuser | source.user.name | Source user name | Copied from Vendor.unauthuser
Vendor.crlevel, Vendor.severity, Vendor.apprisk | threat.enrichments[0].indicator.confidence | Threat indicator confidence | Conditional based on UTM subtype
Vendor.filetype | threat.enrichments[0].indicator.file.extension | Threat indicator file extension | Conditional based on UTM subtype
Vendor.analyticscksum | threat.enrichments[0].indicator.file.hash.sha256 | Threat indicator file hash | Conditional based on UTM subtype
Vendor.filename | threat.enrichments[0].indicator.file.name | Threat indicator file name | Conditional based on UTM subtype
Vendor.filesize | threat.enrichments[0].indicator.file.size | Threat indicator file size | Conditional based on UTM subtype
Vendor.virus, Vendor.attack, Vendor.app | threat.enrichments[0].indicator.name | Threat indicator name | Conditional based on UTM subtype
Vendor.domainfilterlist | threat.enrichments[0].indicator.provider | Threat indicator provider | Conditional based on UTM subtype
Vendor.ref | threat.enrichments[0].indicator.reference | Threat indicator reference | Conditional based on UTM subtype
Vendor.dtype, Vendor.appcat, Vendor.eventsubtype | threat.enrichments[0].indicator.type | Threat indicator type | Conditional based on UTM subtype
Vendor.qname, Vendor.sni | threat.enrichments[0].indicator.url.domain | Threat indicator domain | Conditional based on UTM subtype
Vendor.url | threat.enrichments[0].indicator.url.full | Threat indicator URL | Conditional based on UTM subtype
Vendor.ccertissuer | tls.client.issuer | TLS client certificate issuer | Copied from Vendor.ccertissuer
Vendor.ccertissuer | tls.client.x509.issuer.common_name[] | TLS client certificate issuer common name | Array populated from tls.client.issuer
Vendor.scertissuer | tls.server.issuer | TLS server certificate issuer | Copied from Vendor.scertissuer
Vendor.scertissuer | tls.server.x509.issuer.common_name[] | TLS server certificate issuer common name | Array populated from tls.server.issuer
Vendor.scertcname | tls.server.x509.subject.common_name[] | TLS server certificate common name | Array populated from Vendor.scertcname
Vendor.hostname | url.domain | URL domain | Copied from Vendor.hostname with lowercase conversion
Vendor.url | url.original | Original URL | Copied from Vendor.url
Vendor.url | url.query | URL query parameters | Extracted from url.original using regex
Vendor.hostname | url.top_level_domain | Top level domain | Extracted from url.domain using string manipulation
Vendor.group | user.group.name | User group name | Copied from Vendor.group
Vendor.user, Vendor.suser, Vendor.duser | user.name | User name | Conditional mapping with priority for duser over suser
Vendor.duser | user.target.name | Target user name | Copied from Vendor.duser when both suser and duser exist
Vendor.agent | user_agent.original | User agent string | Copied from Vendor.agent
Vendor.dtype | vulnerability.category[] | Vulnerability category | Array populated from Vendor.dtype