FortiEDR logs
FortiAnalyzer supports normalizing FortiEDR logs as Fabric logs.
The following field mapping applies:
|
FortiEDR Log Field |
Normalized Fabric Log Field |
|---|---|
| loguid,id | loguid |
| epid | epid |
| euid | euid |
| devid | data_sourceid |
| device_name,devid | data_sourcename |
| data_sourcetype | data_sourcetype |
| data_timestamp | data_timestamp |
| component_type | app_cat |
| data_id | app_id |
| component_name | app_name |
| autonomous_system | app_ref |
| device_state | app_state |
| action | event_action |
| event_id | event_id |
| event_message | event_message |
| destination | event_outcome |
| rule_list | event_policy |
| severity | event_severity |
| classification | event_subtype |
| event_type | event_type |
| last_seen | file_accessetime |
| first_seen | file_createtime |
| process_hash | file_hash |
| process_name,script,remediation_files | file_name |
| process_path,script_path | file_path |
| source_ip | host_ip |
| mac_address | host_mac |
| device_name | host_name |
| operating_system | host_osname |
| remote_connection | http_method |
| organization | src_domain |
| country | src_geo |
| source_ip | src_ip |
| action | threat_action |
| siem_threat_name | threat_name |
| siem_threat_pattern | threat_pattern |
| siem_threat_type | threat_type |
| users | user_id |
| user_name | user_name |