FortiSandbox logs
FortiAnalyzer supports normalizing FortiSandbox logs as Fabric logs.
The following field mapping applies:
FortiSandbox Log Field | Normalized Fabric Log Field |
---|---|
loguid,id | loguid |
epid | epid |
euid | euid |
devid,device_id | data_sourceid |
data_source_name | data_sourcename |
data_sourcetype | data_sourcetype |
data_timestamp | data_timestamp |
vmos | app_cat |
jobid,sid | app_id |
vmname | app_name |
pid | app_proc |
rsrc | app_ref |
service | app_service |
vmkey | app_ver |
dstip | dst_ip |
dstport | dst_port |
concat_eventaction,snmpaction | event_action |
logid,log_id | event_id |
msg | event_message |
letype | event_ref |
level | event_severity |
subtype | event_subtype |
type | event_type |
ftype | file_ext |
file_hash | file_hash |
file_hash_type | file_hashtype |
fname | file_name |
filepath | file_path |
host_classification | host_classification |
host_hwvendor | host_hwvendor |
host_hwver | host_hwver |
host_ip | host_ip |
host_mac | host_mac |
hostname,host,host_name | host_name |
host_osname | host_osname |
host_osver | host_osver |
host_type | host_type |
host_uid | host_uid |
url | http_url |
emlsndr | mail_from |
subject | mail_subject |
emlrcvr | mail_to |
proto | net_proto |
srcip | src_ip |
srcport | src_port |
attackname,mname | threat_name |
risk | threat_severity |
stype | user_classification |
ui | user_domain |
user_email | |
user,unauthuser,suser | user_id |