FortiEDR logs
FortiAnalyzer supports normalizing FortiEDR logs as Fabric logs.
The following field mapping applies:
|
FortiEDR Log Field |
Normalized Fabric Log Field |
|---|---|
|
loguid,id |
loguid |
|
epid |
epid |
|
euid |
euid |
|
devid |
data_sourceid |
|
device_name, devid |
data_sourcename |
|
data_sourcetype |
data_sourcetype |
| data_timestamp | data_timestamp |
| component_type | app_cat |
| data_id | app_id |
| component_name | app_name |
| autonomours_system | app_ref |
| device_state | app_state |
| action | event_action |
| event_id | event_id |
| event_message | event_message |
|
destination |
event_outcome |
| rule_list | event_policy |
| severity | event_severity |
| classification | event_subtype |
| event_type | event_type |
|
last_seen |
file_accesstime |
|
first_seen |
file_createtime |
| process_hash | file_hash |
| process_nam, script, remediation_files | file_name |
| process_path, script_path | file_path |
| source_ip | host_ip |
| mac_address | host_mac |
| device_name | host_name |
|
operating_system |
host_osname |
|
remote_connection |
http_method |
| organization | src_domain |
| country | src_geo |
| source_ip | src_ip |
|
action |
threat_action |
|
siem_threat_name |
threat_name |
|
siem_threat_pattern |
threat_pattern |
|
siem_threat_type |
threat_type |
| users | user_id |
| user_name | user_name |