Metadata as the proprietary fields of FortiAnalyzer.

Metadata as the data source fields of SIEM parser.

Application data. Specifies the shared communication service and application's information used by hosts in a communications network.

Destination data. Represents movement through geographic space, from a source to a destination.

Event data. Collected and stored by various tracking tools or methods in order to provide insights about user behavior, traffic patterns, and other metrics related to online events.

File data. Stores information to be used by a computer application or system.

Host data. Stores information of a computer or other device that communicates with other hosts on a network.

Logon data. Defines metadata about the logon events.

Network data. Defines metadata about network information seen in a typical OSI layer.

Process data. Defines metadata about processes in an system. Isolated memory address space that is used to run a program.

Protocol data. Defines metadata about protocol related information for transmitting/exchanging data between the devices.

Registry data. Defines metadata about Windows registry entries in a system.

Source data. Represents movement through geographic space, from a source to a destination.

Transport Layer Security (TLS) data.

Threat data. Refers to a known list of malicious threat information.

ADOM ID from DVM for internal use.

Endpoint ID used as key for FortiAnalyzer-DST-UEBA correlation.

End-user ID used as key for FortiAnalyzer-DST-UEBA correlation.

Endpoint ID used as key for FortiAnalyzer-UEBA correlation.

End-user ID used as key for FortiAnalyzer-UEBA correlation.

Timestamp set by FortiAnalyzer when it receives the data.

Parser name used for parsing data.

Machine\Host\Device\VM ID for the data source.

Machine\Host\Device\VM Name for the data source.

Data source type.

Data source version.

The operation the user performed in the context of the application.

Application category.

Application ID.

Application name.

Process name.

Reference for additional information about application.

Service name.

Application state.

Destination asset ID.

Destination domain name.

Destination geo.

Destination geo city information.

Destination geo country.

Destination geo country code.

Destination geo latitude.

Destination geo longitude.

Destination geo region.

Destination interface.

GUID of the network interface which was used for authentication request.

Destination IP.

Destination MAC.

Destination NAT IP.

Destination NAT port.

Main action taken.

Event category.

The number of aggregated events.

Original time when event/log was created as reported from the log source itself.

The length/duration of the event in seconds (for example, 1 min is 60.0).

The time in which the event ended.

Information about an error.

Integer that defines a particular error.

Event\Log ID from data source.

Main message from data source or set by parser.

Event outcome.

Event policy.

Event profile.

Reference for additional info about event.

URL of the full analysis report.

The resource group to which the device generating the record belongs. This might be an AWS account, or an Azure subscription or Resource Group.

The resource ID of the device generating the message.

Event severity.

Data\Event source on Application layer.

The time in which the event stated.

Defines the status of a particular event.

Integer that defines a particular status.

Event subtype.

Event type.

Original unique ID specific to the log/event assigned to the event (not original).

File accessed time.

File create time.

File extention.

File hash.

File hash type.

File name.

File path.

Host classification.

Host hardware vendor.

Host hardware version.

Host IP.

Host location.

Hostname MAC.

Host model name.

Host name.

Host OS family.

Host OS name.

Host OS version.

Host owner.

Host type.

The name of the authentication package which was used for the logon authentication process.

Logon device claims.

Logon GUID.

Logon ID.

Logon server name (it is a free text). The server name of the URL.

Logon remote IP. It could be user's IP, and a remote IP.

The list of transmitted services.

Logon type.

Logon user claims.

Network direction.

Network name.

Network payload ID.

The package loss percentage info.

Network protocol.

Number of received packets.

Received bytes.

Sent bytes.

Number of sent packets.

Session duration.

Session ID.

Stack trace of where open process is called.

Command arguments that were were executed by the process in the endpoint.

Process company information.

Process global unique identifer used to identify a process across other operating systems.

Process hash value.

Process hash type.

Process ID.

The memory address where the subprocess is injected.

Process integrity level.

Process name.

Process parent name.

DNS additional name.

DNS query data.

DNS query class.

DNS query type.

The server responded to the query but no answers were given.

DNS response data.

Round trip time (RTT) of the DNS query to answer.

DNS server name.

Hexadecimal identifier assigned by the program that generated the DNS query.

HTTP cookie.

HTTP method.

HTTP referer.

The raw HTTP (response) body.

The amount of time in milliseconds it took to receive a response in the server.

HTTP response status code. 1XX Informational codes; 2XX Success codes; 3XX Redirection codes; 4XX Client error codes; 5XX Server error codes.

HTTP server reply message.

HTTP URL.

HTTP user agent.

HTTP request version.

Mail attachment.

Mail from.

Mail size.

Mail subject.

A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in.

The Windows security model enables you to control access to registry keys. The valid access rights for registry keys.

This field contains the key name without the full path. Take in consideration the name of the key value in the registry key path.

Next-level down from registry root-keys. This field contains the full path of a registry key.

Root-Keys are the root, or primary divisions, of the registry. They do not contain configuration data; they contain the keys, subkeys, and values in which the data is stored.

Each registry key value consists of a value name and its associated data. Registry key value data store the actual configuration data for the operating system and the programs that run on the system.

Source asset id.

Source domain.

Source geo.

Source geo city information.

Source geo country.

Source geo country code.

Source geo latitude.

Source geo longitude.

Source geo region.

Source interface.

GUID of the network interface which was used for authentication request.

Source IP.

Source MAC

Source NAT IP.

Source NAT port.

The cipher (encryption) parameters used to make the TLS connection.

Elliptic curve the server chose when using ECDH/ECDHE.

Indicates if the session has been established successfully, or if it was aborted during the handshake.

Next protocol the server chose using the application layer next protocol extension, if present.

If the session was resumed from previous established connection.

The name of the requested server/destination; this should be copied to dst_host_name.

Threat action.

Threat category provided by the alert.

Threat direction.

Threat ID.

Threat message provided by the alert.

Threat name.

Threat pattern.

Threat reference.

Threat score.

Threat severity.

User authtype.

User importance as per data source.

User domain.

User email.

User group.

User's ID/username (login).

User location info.

User's full name.

User organization.

User phone number.

User role.