FortiEDR logs
FortiAnalyzer supports normalizing FortiEDR logs as Fabric logs.
The following field mapping applies:
| FortiEDR Log Field | Normalized Fabric Log Field |
|---|---|
| loguid, id | loguid |
| epid | epid |
| euid | euid |
| devid | data_sourceid |
| device_name, devid | data_sourcename |
| data_sourcetype | data_sourcetype |
| data_timestamp | data_timestamp |
| component_type | app_cat |
| data_id | app_id |
| component_name | app_name |
| autonomous_system | app_ref |
| device_state | app_state |
| action | event_action |
| event_id | event_id |
| event_message | event_message |
| destination | event_outcome |
| rule_list | event_policy |
| severity | event_severity |
| classification | event_subtype |
| event_type | event_type |
| last_seen | file_accessetime |
| first_seen | file_createtime |
| process_hash | file_hash |
| process_name, script, remediation_files | file_name |
| process_path, script_path | file_path |
| source_ip | host_ip |
| mac_address | host_mac |
| device_name | host_name |
| operating_system | host_osname |
| remote_connection | http_method |
| organization | src_domain |
| country | src_geo |
| source_ip | src_ip |
| action | threat_action |
| siem_threat_name | threat_name |
| siem_threat_pattern | threat_pattern |
| siem_threat_type | threat_type |
| users | user_id |
| user_name | user_name |
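The mapping above has two properties worth seeing in code: several FortiEDR fields can feed one Fabric field (for example `loguid,id`), and one FortiEDR field can feed several Fabric fields (`source_ip` feeds both `host_ip` and `src_ip`, `action` feeds both `event_action` and `threat_action`). The following Python normalizer is an added example written for this page, not FortiAnalyzer's own normalization code. It assumes a FortiEDR record arrives as a flat dict, and it assumes (not stated on this page) that where several FortiEDR fields are listed for one Fabric field they are candidates tried in table order, with the first one present winning. The sample event is constructed; its values are placeholders, not real telemetry.

```python
"""Normalize FortiEDR log records into FortiAnalyzer Fabric field names.

Added example; not FortiAnalyzer or FortiEDR code. FIELD_MAP is transcribed
from the field-mapping table on this page. Assumption: comma-separated
FortiEDR fields are fallback candidates, tried in the order listed.
"""

# (fabric_field, [FortiEDR candidate fields in priority order])
FIELD_MAP = [
    ("loguid", ["loguid", "id"]),
    ("epid", ["epid"]),
    ("euid", ["euid"]),
    ("data_sourceid", ["devid"]),
    ("data_sourcename", ["device_name", "devid"]),
    ("data_sourcetype", ["data_sourcetype"]),
    ("data_timestamp", ["data_timestamp"]),
    ("app_cat", ["component_type"]),
    ("app_id", ["data_id"]),
    ("app_name", ["component_name"]),
    ("app_ref", ["autonomous_system"]),
    ("app_state", ["device_state"]),
    ("event_action", ["action"]),
    ("event_id", ["event_id"]),
    ("event_message", ["event_message"]),
    ("event_outcome", ["destination"]),
    ("event_policy", ["rule_list"]),
    ("event_severity", ["severity"]),
    ("event_subtype", ["classification"]),
    ("event_type", ["event_type"]),
    ("file_accessetime", ["last_seen"]),
    ("file_createtime", ["first_seen"]),
    ("file_hash", ["process_hash"]),
    ("file_name", ["process_name", "script", "remediation_files"]),
    ("file_path", ["process_path", "script_path"]),
    ("host_ip", ["source_ip"]),
    ("host_mac", ["mac_address"]),
    ("host_name", ["device_name"]),
    ("host_osname", ["operating_system"]),
    ("http_method", ["remote_connection"]),
    ("src_domain", ["organization"]),
    ("src_geo", ["country"]),
    ("src_ip", ["source_ip"]),
    ("threat_action", ["action"]),
    ("threat_name", ["siem_threat_name"]),
    ("threat_pattern", ["siem_threat_pattern"]),
    ("threat_type", ["siem_threat_type"]),
    ("user_id", ["users"]),
    ("user_name", ["user_name"]),
]

# Constructed sample record (placeholder values, not real telemetry).
# Note: it has no "loguid", so "id" must fill the Fabric loguid field.
SAMPLE_EVENT = {
    "id": "evt-0001",
    "devid": "FEDR-COLL-1",
    "device_name": "WS-FINANCE-07",
    "action": "Blocked",
    "source_ip": "10.0.0.25",
    "process_name": "powershell.exe",
    "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
    "process_hash": "placeholder-hash",
    "siem_threat_name": "Suspicious Script Execution",
    "severity": "High",
    "custom_note": "field not in the mapping table",
}


def normalize(record: dict) -> dict:
    """Return a dict keyed by Fabric field names.

    A single FortiEDR field may populate several Fabric fields (the loop
    does not consume it). FortiEDR fields that no table row names are kept
    under "unmapped" so that nothing is silently dropped during ingestion.
    """
    out = {}
    consumed = set()
    for fabric_field, candidates in FIELD_MAP:
        for src in candidates:
            if record.get(src) not in (None, ""):
                out[fabric_field] = record[src]
                consumed.add(src)
                break  # first present candidate wins (assumption)
    leftovers = {k: v for k, v in record.items() if k not in consumed}
    if leftovers:
        out["unmapped"] = leftovers
    return out


if __name__ == "__main__":
    for field, value in normalize(SAMPLE_EVENT).items():
        print(f"{field:18} = {value}")
```

Running it shows `source_ip` landing in both `host_ip` and `src_ip`, `action` in both `event_action` and `threat_action`, `device_name` in both `data_sourcename` and `host_name`, and `id` standing in for the absent `loguid`. Keeping unmapped fields in a side bucket rather than discarding them is a deliberate choice: a detection analyst reviewing a normalized event can still see vendor fields the mapping does not cover.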