Parsers and Generated Fields
Tag Fields Created by Parser fortinet-fortigate
#Cps.version
#Vendor
#ecs.version
#event.dataset
#event.kind
#event.module
#event.outcome
#observer.type
Fields Identified by Parser fortinet-fortigate
| Vendor Field | CPS Field | Description |
|---|---|---|
| Vendor.eventtime | @timestamp | Primary timestamp field |
| source.ip | client.ip | |
| source.port | client.port | |
| Vendor.daddr; | destination.address | |
| Vendor.dst_host | destination.address | |
| Vendor.rcvdbyte | destination.bytes | Bytes received by destination |
| Vendor.dstcity | destination.geo.city_name | Destination city |
| Vendor.dstcountry | destination.geo.country_name | Destination country (if not "Reserved") |
| Vendor.dstcountry; | destination.geo.country_name | |
| Vendor.dstregion | destination.geo.region_name | Destination region |
| Vendor.dstip | destination.ip | Destination IP address |
| Vendor.tranip | destination.nat.ip | Translated destination IP |
| Vendor.tranport | destination.nat.port | Translated destination port |
| Vendor.rcvdpkt | destination.packets | Packets received by destination |
| Vendor.dst_port | destination.port | Destination port for UTM type |
| Vendor.dstport | destination.port | Destination port for traffic type |
| Vendor.dstport; | destination.port | |
| Vendor.remport | destination.port | Alternative destination port field |
| Vendor.remport; | destination.port | |
| Vendor.dstuser | destination.user.name | Destination user name |
| Vendor.xid | dns.id | DNS transaction ID |
| Vendor.qclass | dns.question.class | DNS query class |
| Vendor.qname | dns.question.name | DNS query name |
| Vendor.qtype | dns.question.type | DNS query type |
| Vendor.ipaddr | dns.resolved_ip | DNS resolved IP addresses |
| Vendor.cc | email.cc.address[0] | Email CC address |
| Vendor.collectedemail | email.from.address[0] | Source email address |
| Vendor.from | email.from.address[1] | Email from address |
| Vendor.sender | email.sender.address | Email sender address |
| Vendor.subject | email.subject | Email subject |
| Vendor.dstcollectedemail | email.to.address[0] | Destination email address |
| Vendor.recipient | email.to.address[1] | Email recipient |
| Vendor.error_num | error.code | Error code |
| Vendor.error | error.message | Error message |
| Vendor.action; | event.action | |
| Vendor.eventtype; | event.action | |
| Vendor.sess_duration | event.duration | Session duration |
| Vendor.event_id; | event.id | |
| Vendor.eventid; | event.id | |
| Vendor.reason | event.reason | Event reason |
| Vendor.ref | event.reference | Event reference |
| Vendor.severity | event.severity | Maps severity levels to numeric values |
| Vendor.filetype | file.extension | File type |
| Vendor.infectedfiletype | file.extension | Used when file.extension is empty |
| Vendor.infectedfiletype; | file.extension | |
| Vendor.matchedfiletype | file.extension | Alternative when file.extension is empty |
| Vendor.matchedfiletype; | file.extension | |
| Vendor.filename | file.name | File name |
| Vendor.infectedfilename | file.name | Used when file.name is empty |
| Vendor.infectedfilename; | file.name | |
| Vendor.matchedfilename | file.name | Alternative when file.name is empty |
| Vendor.matchedfilename; | file.name | |
| Vendor.file | file.path | File path |
| Vendor.filesize | file.size | File size |
| Vendor.infectedfilesize | file.size | Used when file.size is empty |
| Vendor.infectedfilesize; | file.size | |
| Vendor.srcname | host.name | Source host name |
| Vendor.crlevel | host.risk.calculated_level | Risk level |
| Vendor.crscore | host.risk.calculated_score | Risk score |
| Vendor.httpmethod | http.request.method | HTTP method for UTM events |
| Vendor.method | http.request.method | For REST API events |
| Vendor.status | http.response.status_code | For REST API events |
| Vendor.status; | http.response.status_code | |
| Vendor.level | log.level | Log level |
| Vendor.msg | message | For UTM alert events |
| Vendor.app | network.application | Application name (lowercase) |
| source.bytes | network.bytes | |
| Vendor.proto | network.iana_number | Protocol number |
| source.packets | network.packets | |
| Vendor.dst_int | observer.egress.interface.name | Alternative destination interface name |
| Vendor.dst_int; | observer.egress.interface.name | |
| Vendor.dstintf | observer.egress.interface.name | Destination interface name |
| Vendor.dstintf; | observer.egress.interface.name | |
| Vendor.dstintfrole | observer.egress.zone | Destination interface role |
| Vendor.src_int | observer.ingress.interface.name | Alternative source interface name |
| Vendor.src_int; | observer.ingress.interface.name | |
| Vendor.srcintf | observer.ingress.interface.name | Source interface name |
| Vendor.srcintf; | observer.ingress.interface.name | |
| Vendor.srcintfrole | observer.ingress.zone | Source interface role |
| Vendor.devname | observer.name | Device name |
| Vendor.device_id | observer.serial_number | Alternative device ID |
| Vendor.devid | observer.serial_number | Device ID |
| Vendor.app | process.name | Application name |
| Vendor.catdesc | rule.category | Category description |
| Vendor.comment | rule.description | For traffic type logs |
| Vendor.comment; | rule.description | |
| Vendor.logdesc | rule.description | For event type logs |
| Vendor.logdesc; | rule.description | |
| Vendor.msg | rule.description | For UTM type logs |
| Vendor.msg; | rule.description | |
| Vendor.policyid | rule.id | Policy ID |
| Vendor.policyid; | rule.id | |
| Vendor.attack | rule.name | For UTM alert events |
| Vendor.attack; | rule.name | |
| Vendor.policyname | rule.name | Policy name |
| Vendor.applist | rule.ruleset | For UTM type logs |
| Vendor.policytype | rule.ruleset | For traffic type logs |
| Vendor.policytype; | rule.ruleset | |
| Vendor.profile | rule.ruleset | Alternative for UTM type logs |
| Vendor.profile; | rule.ruleset | |
| Vendor.poluuid | rule.uuid | Policy UUID |
| destination.ip | server.ip | |
| destination.port | server.port | |
| Vendor.sentbyte | source.bytes | Bytes sent from source |
| Vendor.srccountry | source.geo.country_name | Source country (if not "Reserved") |
| Vendor.srccountry; | source.geo.country_name | |
| Vendor.locip | source.ip | Used when source.ip is empty |
| Vendor.locip; | source.ip | |
| Vendor.remip | source.ip | Alternative source IP field |
| Vendor.srcip | source.ip | Source IP address |
| Vendor.transip | source.nat.ip | Translated source IP |
| Vendor.transport | source.nat.port | Translated source port |
| Vendor.sentpkt | source.packets | Packets sent from source |
| Vendor.locport | source.port | Source port for UTM type |
| Vendor.locport; | source.port | |
| Vendor.src_port | source.port | Alternative source port field |
| Vendor.src_port; | source.port | |
| Vendor.srcport | source.port | Source port for traffic type |
| Vendor.srcport; | source.port | |
| Vendor.group | source.user.group.name | User group name |
| Vendor.unauthuser | source.user.name | Alternative user name |
| Vendor.unauthuser; | source.user.name | |
| Vendor.user | source.user.name | User name |
| Vendor.user; | source.user.name | |
| Vendor.ccertissuer | tls.client.issuer | Client certificate issuer |
| tls.client.issuer | tls.client.x509.issuer.common_name[0] | |
| Vendor.scertissuer | tls.server.issuer | Server certificate issuer |
| tls.server.issuer | tls.server.x509.issuer.common_name[0] | |
| Vendor.scertcname | tls.server.x509.subject.common_name[0] | Server certificate common name |
| Vendor.hostname | url.domain | URL domain name |
| Vendor.url | url.original | Original URL |
| source.user.name | user.name | |
| Vendor.agent | user_agent.original | User agent string |
| Vendor.dtype | vulnerability.category[0] | Vulnerability category |