Parsers and Generated Fields

Tag Fields Created by Parser fortinet-fortigate
  • #Cps.version

  • #Vendor

  • #ecs.version

  • #event.dataset

  • #event.kind

  • #event.module

  • #event.outcome

  • #observer.type

Fields Identified by Parser fortinet-fortigate
Vendor Field | CPS Field | Description
`dns.resolved_ip[]` | Array | Vendor.ipaddr
`email.cc.address[]` | Array | Vendor.cc
`email.from.address[]` | Array | Vendor.collectedemail, Vendor.from
`email.to.address[]` | Array | Vendor.dstcollectedemail, Vendor.recipient
`event.category[]` | Array | Vendor.type, Vendor.subtype, Vendor.action, Vendor.logdesc
`event.type[]` | Array | Vendor.type, Vendor.action, Vendor.subtype
`tls.client.x509.issuer.common_name[]` | Array | Vendor.ccertissuer
`tls.server.x509.issuer.common_name[]` | Array | Vendor.scertissuer
`tls.server.x509.subject.common_name[]` | Array | Vendor.scertcname
`vulnerability.category[]` | Array | Vendor.dtype
`network.bytes` | Calculated | Vendor.sentbyte, Vendor.rcvdbyte
`network.packets` | Calculated | Vendor.sentpkt, Vendor.rcvdpkt
`event.dataset` | Conditional | Vendor.type, Vendor.subtype
`event.outcome` | Conditional | Vendor.type, Vendor.action, Vendor.status, Vendor.result, Vendor.logdesc, Vendor.reason
`rule.description` | Conditional | Vendor.logdesc, Vendor.comment, Vendor.msg
`rule.ruleset` | Conditional | Vendor.policytype, Vendor.applist, Vendor.profile
`threat.enrichments[0].indicator.confidence` | Conditional | Vendor.crlevel, Vendor.severity, Vendor.apprisk
`threat.enrichments[0].indicator.file.extension` | Conditional | Vendor.filetype
`threat.enrichments[0].indicator.file.hash.sha256` | Conditional | Vendor.analyticscksum
`threat.enrichments[0].indicator.file.name` | Conditional | Vendor.filename
`threat.enrichments[0].indicator.file.size` | Conditional | Vendor.filesize
`threat.enrichments[0].indicator.name` | Conditional | Vendor.virus, Vendor.attack, Vendor.app
`threat.enrichments[0].indicator.provider` | Conditional | Vendor.domainfilterlist
`threat.enrichments[0].indicator.reference` | Conditional | Vendor.ref
`threat.enrichments[0].indicator.type` | Conditional | Vendor.dtype, Vendor.appcat, Vendor.eventsubtype
`threat.enrichments[0].indicator.url.domain` | Conditional | Vendor.qname, Vendor.sni
`threat.enrichments[0].indicator.url.full` | Conditional | Vendor.url
`client.address` | Conditionally | source.address
`client.domain` | Conditionally | source.domain
`client.ip` | Conditionally | source.ip
`client.mac` | Conditionally | source.mac
`client.port` | Conditionally | source.port
`server.address` | Conditionally | destination.address
`server.domain` | Conditionally | destination.domain
`server.ip` | Conditionally | destination.ip
`server.mac` | Conditionally | destination.mac
`server.port` | Conditionally | destination.port
`destination.address` | Copied | Vendor.dstip, Vendor.remip, Vendor.dst_host, Vendor.dstname
`destination.bytes` | Copied | Vendor.rcvdbyte
`destination.domain` | Copied | Vendor.dst_host, Vendor.dstname
`destination.geo.city_name` | Copied | Vendor.dstcity
`destination.geo.country_name` | Copied | Vendor.dstcountry
`destination.geo.region_name` | Copied | Vendor.dstregion
`destination.ip` | Copied | Vendor.dstip, Vendor.remip
`destination.mac` | Copied | Vendor.dstmac, Vendor.destination_mac
`destination.nat.ip` | Copied | Vendor.tranip
`destination.nat.port` | Copied | Vendor.tranport
`destination.packets` | Copied | Vendor.rcvdpkt
`destination.port` | Copied | Vendor.dstport, Vendor.remport, Vendor.dst_port
`destination.user.name` | Copied | Vendor.dstuser
`dns.id` | Copied | Vendor.xid
`dns.question.class` | Copied | Vendor.qclass
`dns.question.name` | Copied | Vendor.qname
`dns.question.type` | Copied | Vendor.qtype
`email.sender.address` | Copied | Vendor.sender
`email.subject` | Copied | Vendor.subject
`error.code` | Copied | Vendor.error_num
`error.message` | Copied | Vendor.error
`event.action` | Copied | Vendor.action, Vendor.logdesc, Vendor.eventtype
`event.duration` | Copied | Vendor.sess_duration, Vendor.duration
`event.id` | Copied | Vendor.event_id, Vendor.eventid
`event.reason` | Copied | Vendor.reason
`event.reference` | Copied | Vendor.ref
`file.extension` | Copied | Vendor.filetype, Vendor.infectedfiletype, Vendor.matchedfiletype
`file.name` | Copied | Vendor.filename, Vendor.infectedfilename, Vendor.matchedfilename, Vendor.fname
`file.path` | Copied | Vendor.file
`file.size` | Copied | Vendor.filesize, Vendor.infectedfilesize
`host.name` | Copied | Vendor.srcname, Vendor.dvchost
`host.risk.calculated_level` | Copied | Vendor.crlevel
`host.risk.calculated_score` | Copied | Vendor.crscore
`http.request.method` | Copied | Vendor.httpmethod, Vendor.method
`log.level` | Copied | Vendor.level, Vendor.deviceSeverity
`message` | Copied | Vendor.msg
`network.application` | Copied | Vendor.app
`network.iana_number` | Copied | Vendor.proto
`network.name` | Copied | Vendor.vpntunnel
`observer.egress.interface.name` | Copied | Vendor.dstintf, Vendor.dst_int, Vendor.outintf
`observer.egress.zone` | Copied | Vendor.dstintfrole
`observer.ingress.interface.name` | Copied | Vendor.srcintf, Vendor.src_int, Vendor.interface
`observer.ingress.zone` | Copied | Vendor.srcintfrole
`observer.name` | Copied | Vendor.devname
`observer.serial_number` | Copied | Vendor.devid, Vendor.device_id
`process.name` | Copied | Vendor.app
`rule.category` | Copied | Vendor.catdesc, Vendor.filtertype, Vendor.filtercat, Vendor.policymode
`rule.id` | Copied | Vendor.policyid, Vendor.policy_id, Vendor.filteridx
`rule.name` | Copied | Vendor.policyname, Vendor.constraint, Vendor.dlpextra
`rule.uuid` | Copied | Vendor.poluuid
`source.address` | Copied | source.address, Vendor.srcip, Vendor.locip, Vendor.src, Vendor.srcname, Vendor.authserver, Vendor.srcdomain
`source.bytes` | Copied | Vendor.sentbyte
`source.domain` | Copied | Vendor.srcname, Vendor.authserver, Vendor.srcdomain
`source.geo.country_name` | Copied | Vendor.srccountry
`source.ip` | Copied | Vendor.srcip, Vendor.locip
`source.mac` | Copied | Vendor.srcmac, Vendor.source_mac
`source.nat.ip` | Copied | Vendor.transip
`source.nat.port` | Copied | Vendor.transport
`source.packets` | Copied | Vendor.sentpkt
`source.port` | Copied | Vendor.srcport, Vendor.locport, Vendor.src_port, Vendor.spt
`source.user.name` | Copied | Vendor.unauthuser
`tls.client.issuer` | Copied | Vendor.ccertissuer
`tls.server.issuer` | Copied | Vendor.scertissuer
`url.domain` | Copied | Vendor.hostname
`url.original` | Copied | Vendor.url
`user.group.name` | Copied | Vendor.group
`user.name` | Copied | Vendor.user
`user_agent.original` | Copied | Vendor.agent
`@timestamp.nanos` | Extracted | Vendor.eventtime
`http.response.status_code` | Extracted | Vendor.status
`log.syslog.hostname` | Extracted | @rawstring
`log.syslog.priority` | Extracted | @rawstring
`log.syslog.structured_data` | Extracted | @rawstring
`network.protocol` | Extracted | Vendor.service, Vendor.subtype, Vendor.method
`url.query` | Extracted | Vendor.url
`url.top_level_domain` | Extracted | Vendor.hostname
`event.severity` | Mapped | Vendor.severity
`network.direction` | Mapped | Vendor.dir, Vendor.direction
`network.transport` | Mapped | Vendor.proto
`@timestamp` | Parsed | Vendor.eventtime, Vendor.date, Vendor.time, Vendor.tz, _ts
`ecs.version` | Static | None
`event.kind` | Static | Vendor.type, log.level, Vendor.severity
`event.module` | Static | None
`observer.product` | Static | None
`observer.type` | Static | None
`observer.vendor` | Static | None
Vendor.act | Vendor.action
Vendor.cat | Vendor.type
source.address | client.address
source.domain | client.domain
source.ip | client.ip
source.port | client.port
Vendor.rcvdbyte | destination.bytes
Vendor.dstcity | destination.geo.city_name
Vendor.dstregion | destination.geo.region_name
Vendor.tranip | destination.nat.ip
Vendor.tranport | destination.nat.port
Vendor.rcvdpkt | destination.packets
Vendor.dstuser | destination.user.name
Vendor.xid | dns.id
Vendor.qclass | dns.question.class
Vendor.qname | dns.question.name
Vendor.qtype | dns.question.type
Vendor.subject | email.subject
Vendor.error_num | error.code
Vendor.error | error.message
Vendor.reason | event.reason
Vendor.ref | event.reference
Vendor.file | file.path
Vendor.crlevel | host.risk.calculated_level
Vendor.crscore | host.risk.calculated_score
Vendor.httpmethod | http.request.method
Vendor.msg | message
source.bytes | network.bytes
Vendor.proto | network.iana_number
Vendor.vpntunnel | network.name
source.packets | network.packets
Vendor.dstintfrole | observer.egress.zone
Vendor.srcintfrole | observer.ingress.zone
Vendor.devname | observer.name
Vendor.app | process.name
Vendor.policyname | rule.name
Vendor.poluuid | rule.uuid
destination.address | server.address
destination.domain | server.domain
destination.ip | server.ip
destination.port | server.port
Vendor.sentbyte | source.bytes
Vendor.transip | source.nat.ip
Vendor.transport | source.nat.port
Vendor.sentpkt | source.packets
Vendor.unauthuser | source.user.name
Vendor.crlevel | threat.enrichments[0].indicator.confidence
Vendor.analyticscksum | threat.enrichments[0].indicator.file.hash.sha256
Vendor.filename | threat.enrichments[0].indicator.file.name
Vendor.filesize | threat.enrichments[0].indicator.file.size
Vendor.app | threat.enrichments[0].indicator.name
Vendor.attack | threat.enrichments[0].indicator.name
Vendor.virus | threat.enrichments[0].indicator.name
Vendor.domainfilterlist | threat.enrichments[0].indicator.provider
Vendor.ref | threat.enrichments[0].indicator.reference
Vendor.appcat | threat.enrichments[0].indicator.type
Vendor.dtype | threat.enrichments[0].indicator.type
Vendor.eventsubtype | threat.enrichments[0].indicator.type
Vendor.sni | threat.enrichments[0].indicator.url.domain
Vendor.ccertissuer | tls.client.issuer
Vendor.scertissuer | tls.server.issuer
Vendor.url | url.original
Vendor.group | user.group.name
Vendor.user | user.name
Vendor.agent | user_agent.original