Fabric log field descriptions
The normalized fabric log fields are organized in the following categories.
|
Category |
Description |
|---|---|
|
Metadata as the proprietary fields of FortiAnalyzer. |
|
|
Metadata as the data source fields of SIEM parser. |
|
|
Application data. Specifies the shared communication service and application's information used by hosts in a communications network. |
|
|
Destination data. Represents movement through geographic space, from a source to a destination. |
|
|
Event data. Collected and stored by various tracking tools or methods in order to provide insights about user behavior, traffic patterns, and other metrics related to online events. |
|
|
File data. Stores information to be used by a computer application or system. |
|
|
Host data. Stores information of a computer or other device that communicates with other hosts on a network. |
|
|
Network data. Defines metadata about network information seen in a typical OSI layer. |
|
|
Protocol data. Defines metadata about protocol related information for transmitting/exchanging data between the devices. |
|
|
Source data. Represents movement through geographic space, from a source to a destination. |
|
|
Threat data. Refers to a known list of malicious threat information. |
|
|
User data. Defines metadata about users in a network environment. |
The following tables list the available normalized fabric log fields in FortiAnalyzer 7.4.9.
base
|
Normalized fabric log field |
Type |
Description |
|---|---|---|
|
adom_oid |
uint32 |
ADOM ID from DVM for internal use. |
|
dstepid |
uint32 |
Endpoint ID used as key for FortiAnalyzer-DST-UEBA correlation. |
|
dsteuid |
uint32 |
End-user ID used as key for FortiAnalyzer-DST-UEBA correlation. |
|
epid |
uint32 |
Endpoint ID used as key for FortiAnalyzer-UEBA correlation. |
|
euid |
uint32 |
End-user ID used as key for FortiAnalyzer-UEBA correlation. |
|
itime |
uint32 |
Timestamp set by FortiAnalyzer when it receives the data. |
|
loguid |
uint64 |
Unique ID set by FortiAnalyzer on each log for internal use. |
data_source
|
Normalized fabric log field |
Type |
Description |
|---|---|---|
|
data_parsername |
string |
Parser name used for parsing data. |
|
data_sourceid |
string |
Machine\Host\Device\VM ID for the data source. |
|
data_sourcename |
string |
Machine\Host\Device\VM Name for the data source. |
|
data_sourcetype |
string |
Data source type. |
|
data_sourceversion |
string |
Data source version. |
|
data_timestamp |
uint32 |
Timestamp set by data source. |
Application
|
Normalized fabric log field |
Type |
Description |
|---|---|---|
|
app_cat |
string |
Application category. |
|
app_id |
uint32 |
Application ID. |
|
app_name |
string |
Application name. |
|
app_proc |
string |
Process name. |
|
app_ref |
string |
Reference for additional information about application. |
|
app_service |
string |
Service name. |
|
app_state |
string |
Application state. |
|
app_ver |
string |
Application version. |
Destination
|
Normalized fabric log field |
Type |
Description |
|---|---|---|
|
dst_domain |
string |
Destination domain name. |
|
dst_geo |
string |
Destination geo. |
|
dst_intf |
string |
Destination interface. |
|
dst_intf_guid |
string |
GUID of the network interface which was used for authentication request. |
|
dst_ip |
ip |
Destination IP. |
|
dst_mac |
string |
Destination MAC. |
|
dst_natip |
ip |
Destination NAT IP. |
|
dst_natport |
uint16 |
Destination NAT port. |
|
dst_port |
uint16 |
Destination port. |
Event
|
Normalized fabric log field |
Type |
Description |
|---|---|---|
|
event_action |
string |
Main action taken. |
|
event_cat |
string |
Event category. |
|
event_id |
uint32 |
Event\Log ID from data source. |
|
event_message |
string |
Main message from data source or set by parser. |
|
event_outcome |
string |
Event outcome. |
|
event_policy |
string |
Event policy. |
|
event_profile |
string |
Event profile. |
|
event_ref |
string |
Reference for additional info about event. |
|
event_severity |
string |
Event severity. |
|
event_source |
string |
Data\Event source on Application layer. |
|
event_subtype |
string |
Event subtype. |
|
event_type |
string |
Event type. |
File
|
Normalized fabric log field |
Type |
Description |
|---|---|---|
|
file_accessetime |
uint32 |
File accessed time. |
|
file_createtime |
uint32 |
File create time. |
|
file_ext |
string |
File extention. |
|
file_hash |
string |
File hash. |
|
file_hashtype |
string |
File hash type. |
|
file_name |
string |
File name. |
|
file_path |
string |
File path. |
|
file_size |
string |
File size. |
Host
|
Normalized fabric log field |
Type |
Description |
|---|---|---|
|
host_classification |
string |
Host classification. |
|
host_hwvendor |
string |
Host hardware vendor. |
|
host_hwver |
string |
Host hardware version. |
|
host_ip |
ip |
Host IP. |
|
host_location |
string |
Host location. |
|
host_mac |
string |
Hostname MAC. |
|
host_model_name |
string |
Host model name. |
|
host_name |
string |
Host name. |
|
host_osfamily |
string |
Host OS family. |
|
host_osname |
string |
Host OS name. |
|
host_osver |
string |
Host OS version. |
|
host_owner |
string |
Host owner. |
|
host_type |
string |
Host type. |
|
host_uid |
string |
EDR Agent ID such as FortiClient UID. |
Network
|
Normalized fabric log field |
Type |
Description |
|---|---|---|
|
net_direction |
string |
Network direction. |
|
net_name |
string |
Network name. |
|
net_payloadid |
uint32 |
Network payload ID. |
|
net_proto |
string |
Network protocol. |
|
net_rcvdpkts |
uint64 |
Number of received packets. |
|
net_recvbytes |
uint64 |
Received bytes. |
|
net_sentbytes |
uint64 |
Sent bytes. |
|
net_sentpkts |
uint64 |
Number of sent packets. |
|
net_sessionduration |
uint32 |
Session duration. |
|
net_sessionid |
string |
Session ID. |
|
net_ssid |
string |
Network SSID. |
Protocol
|
Normalized fabric log field |
Type |
Description |
|---|---|---|
|
dns_query |
string |
DNS query data. |
|
dns_querytype |
string |
DNS query type. |
|
dns_response |
string |
DNS response data. |
|
http_cookie |
string |
HTTP cookie. |
|
http_method |
string |
HTTP method. |
|
http_referer |
string |
HTTP referer. |
|
http_status_code |
uint16 |
HTTP response status code. 1XX Informational codes; 2XX Success codes; 3XX Redirection codes; 4XX Client error codes; 5XX Server error codes. |
|
http_status_message |
string |
HTTP server reply message. |
|
http_url |
string |
HTTP URL. |
|
http_useragent |
string |
HTTP user agent. |
|
mail_from |
string |
Mail from. |
|
mail_size |
uint32 |
Mail size. |
|
mail_subject |
string |
Mail subject. |
|
mail_to |
string |
Mail to. |
Source
|
Normalized fabric log field |
Type |
Description |
|---|---|---|
|
src_domain |
string |
Source domain. |
|
src_geo |
string |
Source geo. |
|
src_intf |
string |
Source interface. |
|
src_ip |
ip |
Source IP. |
|
src_mac |
string |
Source MAC |
|
src_natip |
ip |
Source NAT IP. |
|
src_natport |
uint16 |
Source NAT port. |
|
src_port |
uint16 |
Source port. |
Threat
|
Normalized fabric log field |
Type |
Description |
|---|---|---|
|
threat_action |
string |
Threat action. |
|
threat_direction |
string |
Threat direction. |
|
threat_id |
string |
Threat ID. |
|
threat_name |
string |
Threat name. |
|
threat_pattern |
string |
Threat pattern. |
|
threat_ref |
string |
Threat reference. |
|
threat_score |
uint32 |
Threat score. |
|
threat_severity |
string |
Threat severity. |
|
threat_type |
string |
Threat type. |
User
|
Normalized fabric log field |
Type |
Description |
|---|---|---|
|
user_authtype |
string |
User authtype. |
|
user_classification |
string |
User importance as per data source. |
|
user_domain |
string |
User domain. |
|
user_email |
string |
User email. |
|
user_group |
string |
User group. |
|
user_id |
string |
User's ID/username (login). |
|
user_location |
string |
User location info. |
|
user_name |
string |
User's full name. |
|
user_org |
string |
User organization. |
|
user_phone |
string |
User phone number. |
|
user_role |
string |
User role. |
|
user_social |
string |
User's social account information. |