Add normalized log fields
|
This information is also available in the FortiAnalyzer 7.6 Fabric Normalization Reference: |
For FortiAnalyzer 7.6.0, 83 new fields have been added to the SIEM database (siemdb). These fields help to provide more origin data from log parsers, which allows for better analysis.
All log parsers of Fortinet devices and the System Log Parser are required to update for mapping the newly added fields. These updated log parsers can be found in Incidents & Events > Log Parser > Log Parsers.
See below for the added fields, including the impacted log parsers:
|
New field |
Affected log parsers, if applicable |
|---|---|
|
http_status_code |
FortiADC |
|
app_action |
FortiFirewall, FortiGate, FortiPAM, and FortiProxy |
|
dns_additional_name |
|
|
dns_query_class |
|
|
dns_rejected |
|
|
dns_rtt |
|
|
dns_server |
|
|
dns_transaction_id |
|
|
dst_asset_id |
FortiFirewall, FortiGate, and FortiProxy |
|
dst_geo_city |
FortiFirewall, FortiGate, FortiPAM, and FortiProxy |
|
dst_geo_country |
FortiAuthenticator, FortiCASB, FortiCache, FortiCache, FortiDeceptor, FortiDDoS, FortiEDR, FortiFirewall, FortiGate, FortiIsolator, FortiNAC, FortiPAM, FortiProxy, FortiSandbox, FortiSOAR, FortiSwitch, FortiToken, FortiWeb, and Syslog |
|
dst_geo_country_code |
|
|
dst_geo_latitude |
|
|
dst_geo_longitude |
|
|
dst_geo_region |
FortiFirewall, FortiGate, FortiPAM, and FortiProxy |
|
dst_intf_guid |
|
|
event_count |
|
|
event_creation_time |
FortiCASB, FortiGate, FortiIsolator, FortiMail, FortiPAM, FortiProxy, FortiSandbox, and FortiToken |
|
event_duration |
FortiADC |
|
event_end_time |
FortiAnalyzer and FortiManager |
|
event_error |
|
|
event_error_code |
|
|
event_report_url |
|
|
event_resource_group |
|
|
event_resource_id |
|
|
event_source |
|
|
event_start_time |
FortiAnalyzer and FortiManager |
|
event_status |
|
|
event_status_code |
|
|
event_uuid |
|
|
event_vendor |
|
|
host_model_name |
|
|
http_response_body |
|
|
http_response_time |
|
|
http_status_message |
|
|
http_version |
|
|
logon_authentication |
|
|
logon_device_claims |
|
|
logon_guid |
|
|
logon_id |
|
|
logon_server |
|
|
logon_srcip |
|
|
logon_transmitted_services |
|
|
logon_type |
|
|
logon_virtual_account |
|
|
mail_attachment |
|
|
net_pktlosspct |
|
|
process_call_trace |
FortiEDR |
|
process_command_line |
|
|
process_company |
FortiEDR |
|
process_guid |
|
|
process_hash |
FortiEDR |
|
process_hash_type |
|
|
process_id |
|
|
process_injected_address |
|
|
process_integrity_level |
|
|
process_name |
FortiClient, and FortiEDR |
|
process_parent_name |
|
|
process_status |
|
|
registry_hive_path |
|
|
registry_key_access_rights |
|
|
registry_key_name |
|
|
registry_key_path |
|
|
registry_root_key |
|
|
registry_value_data |
|
|
registry_value_name |
|
|
src_asset_id |
FortiFirewall, FortiGate, and FortiProxy |
|
src_geo_city |
FortiFirewall, FortiGate, FortiPAM, and FortiProxy |
|
src_geo_country |
FortiAuthenticator, FortiCASB, FortiCache, FortiCache, FortiDeceptor, FortiDDoS, FortiEDR, FortiFirewall, FortiGate, FortiIsolator, FortiNAC, FortiPAM, FortiProxy, FortiSandbox, FortiSOAR, FortiSwitch, FortiToken, FortiWeb, and Syslog |
|
src_geo_country_code |
|
|
src_geo_latitude |
|
|
src_geo_longitude |
|
|
src_geo_region |
FortiFirewall, FortiGate, FortiPAM, and FortiProxy |
|
src_intf_guid |
|
|
threat_category |
|
|
threat_message |
|
|
tls_cipher |
|
|
tls_curve |
|
|
tls_established |
|
|
tls_next_protocol |
|
|
tls_resumed |
|
|
tls_server_name |
|
|
tls_version |
For field descriptions, see the FortiAnalyzer Fabric Normalization Reference.