
FortiDLP Administration Guide

Webhook payload fields

The following tables describe the fields included in detection, incident, and audit log event payloads and are supported when creating custom templates. Example detection and audit log event payloads are also provided.

FortiDLP also provides additional contextual information about policy detection events for advanced analysis and response. This extra information is sent in the extended_metadata field for applicable detection events, as outlined in the following table and example payload. For detailed information about the extended metadata fields reported per policy template, refer to the FortiDLP Policies Extended Metadata Reference Guide.

Note

If preferred, extended metadata can be excluded from payloads using custom webhook templates that omit the extended_metadata field. For guidance on using webhook templates, see Creating custom webhook templates.

Note

Detections are sometimes referred to as "sensors" in these tables.

A field preceded by an asterisk (*) contains nested fields. Where possible, nested fields are indented below the containing field.

Detection event fields

| JSON field | Custom field | Type | Description |
|---|---|---|---|
| customer | .Customer | String | The tenant's unique identifier. |
| tenant_id | .TenantUuid | String | The tenant's unique identifier. |
| tenant_name | .TenantName | String | The tenant's name. |
| tenant_origin | .TenantOrigin | String | The tenant's web address origin. |
| agent_uuid | .AgentUuid | String | The unique identifier of the FortiDLP Agent associated with the detection. |
| agent_hostname | .AgentHostname | String | The hostname of the node associated with the detection. |
| uuid | .Uuid | String | The detection's unique identifier. |
| event_type | .EventType | String | The payload event type, which will always be "sensor". |
| timestamp | .Timestamp | Timestamp | The date/time the detection was generated. |
| sensor_type | .SensorType | String | The detection's type. |
| description | .Description | String | The detection's description. |
| juid | .Juid | String | The unique identifier of the user associated with the detection. |
| username | .Username | String | The username associated with the detection. |
| score | .Score | Integer | The detection's risk score. |
| created_by | .CreatedBy | String | The detection's source, such as the identifier of the policy associated with the detection, or the operator name if the detection was created using the FortiDLP API. |
| tags | .Tags | Array of strings | A list of tag names associated with the detection. |
| anonymised_description | .AnonymisedDescription | String | The detection's description, where identifying information is omitted. |
| requested_actions | .RequestedActions | Array of strings | A list of policy actions requested to execute on the node when the detection occurred. |
| suppressed_actions | .SuppressedActions | Array of strings | A list of policy actions that did not execute on the node when the detection occurred, due to Agent rate limiting. |
| label_ids | .LabelIds | Array of strings | A list of identifiers for the labels assigned to the entities associated with the detection. |
| label_names | .LabelNames | Array of strings | A list of names for the labels assigned to the entities associated with the detection. |
| *metadata | *.Metadata | Object | Contains metadata. |
| source_ip | .SourceIp | Array of strings nested in object metadata | A list of source IP addresses associated with the detection. |
| source_port | .SourcePort | Array of integers nested in object metadata | A list of source port numbers associated with the detection. |
| destination_ip | .DestinationIp | Array of strings nested in object metadata | A list of destination IP addresses associated with the detection. |
| destination_port | .DestinationPort | Array of integers nested in object metadata | A list of destination port numbers associated with the detection. |
| url | .Url | Array of strings nested in object metadata | A list of browser request URLs associated with the detection. |
| host | .Host | Array of strings nested in object metadata | A list of hostnames of the URLs associated with the detection. |
| application_name | .ApplicationName | Array of strings nested in object metadata | A list of application binary or friendly names associated with the detection. |
| file_name | .FileName | Array of strings nested in object metadata | A list of filenames that were accessed, created, or deleted associated with the detection. |
| file_path | .FilePath | Array of strings nested in object metadata | A list of paths of the files that were accessed, created, or deleted associated with the detection. |
| target_file_name | .TargetFileName | Array of strings nested in object metadata | A list of target filenames associated with the detection, such as the name of a newly created compressed file. |
| target_file_path | .TargetFilePath | Array of strings nested in object metadata | A list of paths of the target files associated with the detection, such as the path of a newly created compressed file. |
| recipient_mail_address | .RecipientMailAddress | Array of strings nested in object metadata | A list of email recipient addresses associated with the detection (includes the To, CC, and BCC fields). |
| sender_mail_address | .SenderMailAddress | Array of strings nested in object metadata | A list of email sender addresses associated with the detection. |
| wifi_ssid | .WifiSsid | Array of strings nested in object metadata | A list of Wi-Fi network SSIDs associated with the detection. |
| wifi_bssid | .WifiBssid | Array of strings nested in object metadata | A list of Wi-Fi network BSSIDs associated with the detection. |
| usb_vid | .UsbVid | Array of strings nested in object metadata | A list of USB device vendor IDs associated with the detection. |
| usb_pid | .UsbPid | Array of strings nested in object metadata | A list of USB device product IDs associated with the detection. |
| usb_serial | .UsbSerial | Array of strings nested in object metadata | A list of USB device serial numbers associated with the detection. |
| content_pattern_name | .ContentPatternName | Array of strings nested in object metadata | A list of content inspection pattern names or custom content inspection pattern values associated with the detection. |
| account_name | .AccountName | Array of strings nested in object metadata | A list of account names or usernames associated with the detection, such as the account name associated with a failed login attempt. |
| certificate_name | .CertificateName | Array of strings nested in object metadata | A list of subject names of root certificates associated with the detection, such as the subject name of a newly installed root certificate. |
| mime_type | .MimeType | Array of strings nested in object metadata | A list of file MIME types associated with the detection. |
| window_title | .WindowTitle | Array of strings nested in object metadata | A list of application window title names associated with the detection. |
| printer_uuid | .PrinterUuid | Array of strings nested in object metadata | A list of printer unique identifiers. |
| file_size | .FileSize | Array of integers nested in object metadata | A list of file sizes (measured in bytes) associated with the detection. |
| *process_info | *.ProcessInfo | Array of objects | Contains process information. |
| uuid | .Uuid | String nested in array process_info | The unique identifier of the process that executed an application associated with the detection. |
| binary_name | .BinaryName | String nested in array process_info | The binary name of the process (that is, the name of the application) associated with the detection. This field captures parent and child process values when applicable. |
| binary_path | .BinaryPath | String nested in array process_info | The binary path of the process associated with the detection, such as the binary path from which the process of a connection was executed. This field captures parent and child process values when applicable. |
| username | .Username | String nested in array process_info | The username attribute of the process associated with the detection, such as the username of a person who started a process or accessed a file using a process. |
| app_identifier | .AppIdentifier | String nested in array process_info | The application identifier, typically present on Windows and macOS, associated with the detection. |
| signed | .Signed | Boolean nested in array process_info | The presence/validity of a process binary's digital signature associated with the detection, where true indicates a process with a valid digital signature and false indicates a process with either an unsigned binary or a binary with an invalid digital signature. |
| *extended_metadata | *.ExtendedMetadata | Object | Contains additional policy template-specific metadata. |
| *schema | *.Schema | Object | Contains policy template schema information. |
| id | .Id | String | The identifier of the policy template associated with the metadata. |
| version | .Version | String | The version number of the detection metadata schema, which differs from the FortiDLP Policy Templates release version. |
| *data | *.Data | Map | Contains detection event information that varies by the associated policy template. The nested fields are described in the FortiDLP Policies Extended Metadata Reference Guide. |
| *data_origin | *.DataOrigin | Array of objects | Contains web-based file origin information. |
| timestamp | .Timestamp | Timestamp nested in object data_origin | The date and time the file associated with the detection was downloaded from its origin website. |
| file_path | .FilePath | String nested in object data_origin | The path of the downloaded file on the user's computer. |
| file_size | .FileSize | Integer nested in object data_origin | The size of the downloaded file (measured in bytes). |
| origin_type | .OriginType | String nested in object data_origin | The type of file origin, which will be "browser". |
| *browser | *.Browser | Object nested in object data_origin | Contains origin browser details. |
| tab_url | .TabUrl | String nested in object browser | The URL of the origin website, from which the file was downloaded. |
| tab_title | .TabTitle | String nested in object browser | The title of the browser tab that was open when the file was downloaded from its origin website. |
| account_name | .AccountName | String nested in object browser | The login account name that was used when the file was downloaded from its origin website. |
| url | .Url | String nested in object browser | The downloaded file's origin URL. |
| *saas_app | *.SaasApp | Object nested in object browser | Contains origin SaaS app details. |
| application_id | .ApplicationId | Integer nested in object saas_app | The identifier of the origin SaaS app that was used to download the file. |
| name | .Name | String nested in object saas_app | The name of the origin SaaS app that was used to download the file. |
| category | .Category | String nested in object saas_app | The category of the origin SaaS app that was used to download the file. |
| risk_score | .RiskScore | Integer nested in object saas_app | The risk score assigned to the origin SaaS app that was used to download the file. |
| verdict | .Verdict | String nested in object saas_app | The verdict assigned to the origin SaaS app that was used to download the file. |
| *indicators | *.Indicators | Array of objects | Contains details about the MITRE ATT&CK indicator(s) associated with the detection. For more information, refer to the FortiDLP Policies Reference Guide. |
| kind | .Kind | String nested in object indicators | The source or type of the mapped indicator, which will be "mitre". |
| *tactic | *.Tactic | Object nested in object indicators | Contains MITRE ATT&CK tactic details. |
| id | .Id | String nested in object tactic | The identifier of the mapped MITRE ATT&CK tactic. |
| title | .Title | String nested in object tactic | The title of the mapped MITRE ATT&CK tactic. |
| *technique | *.Technique | Object nested in object indicators | Contains MITRE ATT&CK technique details. Subtechniques are specified where relevant. |
| id | .Id | String nested in object technique | The identifier of the mapped MITRE ATT&CK technique. |
| title | .Title | String nested in object technique | The title of the mapped MITRE ATT&CK technique. |

Incident event fields

| JSON field | Custom field | Type | Description |
|---|---|---|---|
| tenant_id | .TenantUuid | String | The tenant's unique identifier. |
| tenant_name | .TenantName | String | The tenant's name. |
| tenant_origin | .TenantOrigin | String | The tenant's web address origin. |
| uuid | .UUID | String | The incident's unique identifier. |
| type | .Type | String | The reason for the incident event, for example, the incident has been resolved or a new user has been added to the incident. |
| clustering_rule | .ClusteringRule | String | The clustering rule's identifier. |
| family | .Family | String | The identifier used to associate incidents that have the same cluster data. |
| created_by | .CreatedBy | String | The identifier of the policy that is associated with the incident. |
| description | .Description | String | The incident's description. |
| anonymised_description | .AnonymisedDescription | String | The incident's description, where identifying information is omitted. |
| generation | .Generation | Integer | The incident's version. When an incident is first created, its generation is 0. If it is resolved by an operator, it will no longer accumulate detections, even if it is reopened. A new incident will be created if a new detection is reported that matches the policy and cluster data of the resolved incident, which will increase the generation to 1. Every time a new incident is created in the same way, the generation will increase by one. |
| status | .Status | Timestamp | The date/time the incident was created. |
| last_updated | .LastUpdated | Timestamp | The date/time the incident's detection count was last updated. |
| sensor_count | .SensorCount | Integer | The number of detections forming the incident. |
| score | .Score | Integer | The incident's risk score, derived from its detection(s). |
| changed_status_at | .ChangedStatusAt | Timestamp | The date/time the incident status was last updated. |
| changed_status_by | .ChangedStatusBy | String | The operator who updated the incident status. |
| changed_status_reason | .ChangedStatusReason | String | The operator's comment that was provided when resolving or reopening an incident. |
| first_detection | .FirstDetection | Timestamp | The date/time the incident's first detection was generated. |
| last_detection | .LastDetection | Timestamp | The date/time the incident's last detection was generated. |
| new_entity | .NewEntity | String | The unique identifier of the node or user added to an open incident. This applies when an incident's new detection is generated by a new node or user. |
| new_entity_name | .NewEntityName | String | The name of the node or user added to an open incident. This applies when an incident's new detection is generated by a new node or user. |
| *cluster_data | *.ClusterData | Map | Contains the key and value that formed the incident. |

Audit log event fields

| JSON field | Custom field | Type | Description |
|---|---|---|---|
| tenant_id | .TenantUuid | String | The tenant's unique identifier. |
| tenant_name | .TenantName | String | The tenant's name. |
| tenant_origin | .TenantOrigin | String | The tenant's web address origin. |
| type | .Type | String | The type of audit log event. |
| *fields | *.Fields | Map | Contains audit log content in raw JSON format. The nested fields vary by the associated event. |

Batched event fields

| JSON field | Custom field | Type | Description |
|---|---|---|---|
| detections | .Detections | Array of objects | A batch of detection events, where each detection is an object containing the applicable Detection event fields. |
| incidents | .Incidents | Array of objects | A batch of incident events, where each incident is an object containing the applicable Incident event fields. |
| audit_logs | .AuditLogs | Array of objects | A batch of audit log events, where each audit log is an object containing the applicable Audit log event fields. |

Note

For details regarding pseudonymization of these fields, see Operator roles.

Detection event payload

{
  "customer": "ecf86a6f-4b70-44fb-7b01-b1a327434e6f",
  "tenant_id": "ecf86a6f-4b70-44fb-7b01-b1a327434e6f",
  "tenant_name": "example",
  "tenant_origin": "https://example.reveal.nextdlp.com",
  "agent_uuid": "73f2653e-32ed-4e7b-b3e8-bb145f4e76a1",
  "agent_hostname": "Mark-Laptop",
  "uuid": "554924f1-faf0-4dfc-87c1-66adb5b192a8",
  "event_type": "sensor",
  "timestamp": "2024-02-23T16:40:13.125581231Z",
  "sensor_type": "AGENT_POLICY",
  "description": "File upload to \"filebin.net\" from Firefox: secret.txt with size 1GB containing \"confidential\" with at least 1 match.",
  "juid": "e62915a3-9683-4ad5-923c-b8afeb300141",
  "username": "Mark Smith",
  "score": 50,
  "created_by": "policy:///a99acdf6-cc72-4022-6220-c3/c1f4ce78-68ca-4634-6761-84cafb?instance=b342ca45-8431-4a44-4e01-508eeefab2aa&name=Sensitive+file+uploaded",
  "tags": [
    "datatracking",
    "blocking",
    "web",
    "dataupload",
    "ml"
  ],
  "anonymised_description": "File upload to \"filebin.net\" from Firefox: [REDACTED] with size 1GB containing \"confidential\" with at least 1 match.",
  "requested_actions": [],
  "suppressed_actions": [
    "message"
  ],
  "label_ids": [
    "1ae14245-8056-4d3a-6c9d-93e21133e331",
    "bf8g6ab5-68d0-4ae4-6f8e-babf39b4052b"
  ],
  "label_names": [
    "Windows",
    "Sales"
  ],
  "metadata": {
    "source_ip": ["192.0.2.10"],
    "source_port": [12345],
    "destination_ip": ["192.0.2.30"],
    "destination_port": [80],
    "url": [
      "https://filebin.net/"
    ],
    "host": [
      "filebin.net"
    ],
    "application_name": [
      "Firefox"
    ],
    "file_name": [
      "secret.txt"
    ],
    "file_path": [
      "C:\\Users\\marksmith\\Desktop\\secret.txt"
    ],
    "target_file_name": [],
    "target_file_path": [],
    "recipient_mail_address": [],
    "sender_mail_address": [],
    "wifi_ssid": [],
    "wifi_bssid": [],
    "usb_vid": [],
    "usb_pid": [],
    "usb_serial": [],
    "content_pattern_name": [
      "\"confidential\""
    ],
    "account_name": [],
    "certificate_name": [],
    "mime_type": [],
    "window_title": [
      "Filebin"
    ],
    "file_size": [
      1073741824
    ],
    "printer_type": [
      "VirtualPrinter"
    ],
    "printer_uuid": [
      "c7102075-e369-4af5-98a4-5c3fb296111f"
    ]
  },
  "extended_metadata": {
    "schema": {
      "id": "fff50b49_3f86_5821_40be_0e",
      "version": "ad82d9bcf40cc34c"
    },
    "data": {
      "blocked": [
        false
      ],
      "browser_tab": [
        {
          "browser_name": "Firefox",
          "id": 2,
          "incognito": false,
          "title": "Filebin",
          "url": "https://filebin.net/",
          "user": "S-1-5-21-567657-768498707-870149045-1002",
          "window_id": 1
        }
      ],
      "new_host": [
        false
      ]
    }
  },
  "process_info": [
    {
      "uuid": "11a466b9-ff10-4698-505c-7fcf74e3ff50",
      "binary_name": "firefox.exe",
      "binary_path": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
      "username": "Mark-Laptop\\msmith",
      "app_identifier": "v1.9466bbc96ff3b06205c78e99459e03dad10431e8c5e053a450d807d6ccf723ec",
      "signed": true
    }
  ],
  "data_origin": [
    {
      "timestamp": "2024-06-20T16:40:13.125581231Z",
      "file_path": "C:\\Users\\marksmith\\Downloads\\ClientAccounts.xlsx",
      "file_size": 1000,
      "origin_type": "browser",
      "browser": {
        "tab_url": "https://drive.google.com/drive/u/0/folders/1KD567PICqJgYi8a",
        "tab_title": "Sales - Google Drive",
        "account_name": "mark.smith@example.com",
        "url": "https://drive.google.com/file/d/1VLqSQSyBL9aIzaiuEg8/view",
        "saas_app": {
          "application_id": 100,
          "name": "Google Drive",
          "category": "Google Apps",
          "risk_score": 50,
          "verdict": "sanctioned"
        }
      }
    }
  ],
  "indicators": [
    {
      "kind": "mitre",
      "tactic": {
        "id": "TA0010",
        "title": "Exfiltration"
      },
      "technique": {
        "id": "T10552.001",
        "title": "Exfiltration over USB"
      }
    }
  ]
}

Audit log event payload

{
  "tenant_id": "ecf86a6f-4b70-44fb-7b01-b1a327434e6f",
  "tenant_name": "example",
  "tenant_origin": "https://example.reveal.nextdlp.com",
  "type": "OperatorLogin",
  "fields": {
    "auth": {
      "audience": [
        "webapp"
      ],
      "operator_display_name": "Ellie Smith",
      "operator_id": "e52c5aba-62b2-4f64-4236-12343f8de78",
      "operator_login_name": "EllieS",
      "role": [
        "Built-in/Administrator"
      ],
      "session_id": "0b362b98-44c3-484c-4779-34717c3d5201"
    },
    "enabled": true,
    "http": {
      "host": "example.reveal.nextdlp.com",
      "method": "PUT",
      "path": "/api/v1/admin/login/banner",
      "remote_address": "123.45.678.910",
      "user_agent": "Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion"
    },
    "summary": "Login banner updated",
    "timestamp": "2024-06-27T10:57:46.726255058Z",
    "title": "Welcome",
    "trace_id": "11111111111111111111111111111111",
    "type": "LoginBannerUpdated",
    "type_id": 75
  }
}
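As an added example (not FortiDLP's or Fortinet's code), the following Python consumer takes either a single event or a batched payload, checks that the fields it relies on carry the types the tables above document before trusting them, and flattens each detection, incident and audit log event into a record a SIEM can index. The pseudonymise switch shows where anonymised_description fits for a sink that must not receive identifying information. Everything beyond the tables is an assumption and labelled as such in the code: the sample payload is constructed with placeholder identifiers and a hypothetical incident type value, and the way a single (unbatched) incident event is told apart from an audit log event is an assumption, since the tables only give event_type for detections.

```python
# Added example, not FortiDLP's own code: a consumer that turns FortiDLP webhook
# payloads (single or batched) into flat SIEM records. Field names follow the
# "Webhook payload fields" tables; SAMPLE_BATCH is constructed, not real data.
import json
from typing import Any

# Detection String fields this consumer relies on; metadata members documented as arrays of strings.
DETECTION_STRINGS = ("tenant_id", "agent_hostname", "uuid", "timestamp",
                     "sensor_type", "description", "juid", "username", "created_by")
META_STR_LISTS = ("source_ip", "destination_ip", "url", "host", "file_path", "usb_serial")


def validate_detection(event: dict[str, Any]) -> None:
    """Reject detections whose documented fields carry the wrong JSON type."""
    if event.get("event_type") != "sensor":
        raise ValueError("detection event_type must be 'sensor'")
    if type(event.get("score")) is not int:  # also rejects bool, an int subclass
        raise ValueError("score must be an integer")
    meta = event.get("metadata") or {}
    bad = [n for n in DETECTION_STRINGS if not isinstance(event.get(n), str)]
    bad += [f"metadata.{n}" for n in META_STR_LISTS
            if not all(isinstance(v, str) for v in meta.get(n, []))]
    if bad:
        raise ValueError(f"fields missing or mistyped: {bad}")


def flatten_detection(event: dict[str, Any], pseudonymise: bool = False) -> dict[str, Any]:
    """Reduce a detection to triage fields. pseudonymise=True swaps in the anonymised
    description and drops the username for sinks that must not see identifying data."""
    validate_detection(event)
    meta = event.get("metadata") or {}
    proc = (event.get("process_info") or [{}])[0]
    return {
        "kind": "detection", "tenant_id": event["tenant_id"], "uuid": event["uuid"],
        "timestamp": event["timestamp"], "host": event["agent_hostname"],
        "user": None if pseudonymise else event["username"], "score": event["score"],
        "description": event.get("anonymised_description") if pseudonymise else event["description"],
        "dest_hosts": list(meta.get("host", [])), "suppressed_actions": list(event.get("suppressed_actions", [])),
        "process": proc.get("binary_path"), "process_signed": proc.get("signed"),
        # tactic/technique pairs from the mitre indicators, e.g. "TA0010/T1052.001"
        "attack": [f"{i['tactic']['id']}/{i['technique']['id']}"
                   for i in event.get("indicators", []) if i.get("kind") == "mitre"],
    }


def flatten_incident(event: dict[str, Any]) -> dict[str, Any]:
    """Keep the incident fields used to correlate its detections."""
    if not all(isinstance(event.get(n), str) for n in ("uuid", "type", "created_by")):
        raise ValueError("incident uuid, type and created_by must be strings")
    return {"kind": "incident", "uuid": event["uuid"], "type": event["type"],
            "policy": event["created_by"], "generation": event.get("generation", 0),
            "sensor_count": event.get("sensor_count"), "cluster_data": dict(event.get("cluster_data") or {})}


def flatten_audit(event: dict[str, Any]) -> dict[str, Any]:
    """Audit content is a raw 'fields' object: extract who did what, from where."""
    fields = event.get("fields")
    if not isinstance(fields, dict):
        raise ValueError("audit fields must be an object")
    auth, http = fields.get("auth") or {}, fields.get("http") or {}
    return {"kind": "audit", "tenant_id": event.get("tenant_id"), "type": event.get("type"),
            "operator": auth.get("operator_login_name"), "roles": list(auth.get("role", [])),
            "remote_address": http.get("remote_address"), "summary": fields.get("summary"),
            "request": f"{http.get('method')} {http.get('path')}"}


def parse_payload(raw: str, pseudonymise: bool = False) -> list[dict[str, Any]]:
    body = json.loads(raw)
    if not isinstance(body, dict):
        raise ValueError("payload must be a JSON object")
    batch = {"detections": lambda e: flatten_detection(e, pseudonymise),
             "incidents": flatten_incident, "audit_logs": flatten_audit}
    if batch.keys() & body.keys():  # batched payload: one array per event kind
        return [fn(item) for key, fn in batch.items() for item in body.get(key, [])]
    if body.get("event_type") == "sensor":  # a single detection event
        return [flatten_detection(body, pseudonymise)]
    # Assumption: the tables give no discriminator for a single incident vs audit
    # event, so the audit-only "fields" object is used to tell them apart.
    return [flatten_audit(body) if "fields" in body else flatten_incident(body)]


# Constructed batched payload with placeholder identifiers (not real data).
SAMPLE_BATCH = json.dumps({
    "detections": [{
        "tenant_id": "TENANT-UUID", "agent_hostname": "Mark-Laptop", "uuid": "DETECTION-UUID",
        "event_type": "sensor", "timestamp": "2024-02-23T16:40:13Z", "sensor_type": "AGENT_POLICY",
        "description": "File upload to \"filebin.net\" from Firefox: secret.txt",
        "anonymised_description": "File upload to \"filebin.net\" from Firefox: [REDACTED]",
        "juid": "USER-UUID", "username": "Mark Smith", "score": 50, "created_by": "policy:///POLICY-ID",
        "suppressed_actions": ["message"],
        "metadata": {"host": ["filebin.net"], "file_path": ["C:\\Users\\msmith\\secret.txt"]},
        "process_info": [{"binary_path": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "signed": True}],
        "indicators": [{"kind": "mitre", "tactic": {"id": "TA0010", "title": "Exfiltration"},
                        "technique": {"id": "T10552.001", "title": "Exfiltration over USB"}}]}],
    "incidents": [{"uuid": "INCIDENT-UUID", "type": "NewDetection", "created_by": "policy:///POLICY-ID",
                   "generation": 1, "sensor_count": 3, "cluster_data": {"host": "filebin.net"}}],
    "audit_logs": [{"tenant_id": "TENANT-UUID", "type": "OperatorLogin", "fields": {
        "auth": {"operator_login_name": "EllieS", "role": ["Built-in/Administrator"]},
        "http": {"method": "PUT", "path": "/api/v1/admin/login/banner", "remote_address": "192.0.2.55"},
        "summary": "Login banner updated"}}]})
```

Calling parse_payload(SAMPLE_BATCH) returns three records in the order detections, incidents, audit_logs; the same call with pseudonymise=True yields a detection record whose user is None and whose description is the anonymised one. A detection whose score arrives as the string "50", or as a JSON boolean, is rejected before anything is indexed, which is the point of validating the documented types rather than trusting the producer.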

Webhook payload fields

Webhook payload fields

The following tables describe the fields included in detection, incident, and audit log event payloads and are supported when creating custom templates. Example detection and audit log event payloads are also provided.

FortiDLP also provides additional contextual information about policy detection events for advanced analysis and response. This extra information is sent in the extended_metadata field for applicable detection events, as outlined in the following table and example payload. For detailed information about the extended metadata fields reported per policy template, refer to the FortiDLP Policies Extended Metadata Reference Guide.

Note

If preferred, extended metadata can be excluded from payloads using custom webhook templates that omit the extended_metadata field. For guidance on using webhook templates, see Creating custom webhook templates.

Tooltip

Detections are sometimes referred to as "sensors" in these tables.

A field preceded by an asterisk (*) contains nested fields. Where possible, nested fields are indented below the containing field.

Detection event fields
JSON field Custom Field Type Description
customer
.Customer
String
The tenant's unique identifier.
tenant_id
.TenantUuid
String
The tenant's unique identifier.
tenant_name
.TenantName
String
The tenant's name.
tenant_origin
.TenantOrigin
String
The tenant's web address origin.
agent_uuid
.AgentUuid
String
The unique identifier of the FortiDLP Agent associated with the detection.
agent_hostname
.AgentHostname
String
The hostname of the node associated with the detection.
uuid
.Uuid
String
The detection's unique identifier.
event_type
.EventType
String
The payload event type, which will always be "sensor".
timestamp
.Timestamp
Timestamp
The date/time the detection was generated.
sensor_type
.SensorType
String
The detection's type.
description
.Description
String
The detection's description.
juid
.Juid
String
The unique identifier of the user associated with the detection.
username
.Username
String
The username associated with the detection.
score
.Score
Integer
The detection's risk score.
created_by
.CreatedBy
String
The detection's source, such as the identifier of the policy associated with the detection, or the operator name if the detection was created using the FortiDLP API.
tags
.Tags
Array of strings
A list of tag names associated with the detection.
anonymised_description
.AnonymisedDescription
String
The detection's description, where identifying information is omitted.
requested_actions
.RequestedActions
Array of strings
A list of policy actions requested to execute on the node when the detection occurred.
suppressed_actions
SuppressedActions
Array of strings
A list of policy actions that did not execute on the node when the detection occurred, due to Agent rate limiting.
label_ids
.LabelIds
Array of strings
A list of identifiers for the labels assigned to the entities associated with the detection.
label_names
.LabelNames
Array of strings
A list of names for the labels assigned to the entities associated with the detection.
*metadata
*.Metadata
Object
Contains metadata.
source_ip
.SourceIp
Array of strings nested in object metadata
A list of source IP addresses associated with the detection.
source_port
.SourcePort
Array of integers nested in object metadata
A list of source port numbers associated with the detection.
destination_ip
.DestinationIp
Array of strings nested in object metadata
A list of destination IP addresses associated with the detection.
destination_port
.DestinationPort
Array of integers nested in object metadata
A list of destination port numbers associated with the detection.
url
.Url
Array of strings nested in object metadata
A list of browser request URLs associated with the detection.
host
.Host
Array of strings nested in object metadata
A list of hostnames of the URLs associated with the detection.
application_name
.ApplicationName
Array of strings nested in object metadata
A list of application binary or friendly names associated with the detection.
file_name
.FileName
Array of strings nested in object metadata
A list of filenames that were accessed, created, or deleted associated with the detection.
file_path
.FilePath
Array of strings nested in object metadata
A list of paths of the files that were accessed, created, or deleted associated with the detection.
target_file_name
.TargetFileName
Array of strings nested in object metadata
A list of target filename associated with the detection, such as the name of a newly created compressed file.
target_file_path
.TargetFilePath
Array of strings nested in object metadata
A list of paths of the target files associated with the detection, such as the path of a newly created compressed file.
recipient_mail_address
.RecipientMailAddress
Array of strings nested in object metadata
A list of email recipient addresses associated with the detection (includes the To, CC, and BCC fields).
sender_mail_address
.SenderMailAddress
Array of strings nested in object metadata
A list of email sender addresses associated with the detection.
wifi_ssid
.WifiSsid
Array of strings nested in object metadata
A list of Wi-Fi network SSIDs associated with the detection.
wifi_bssid
.WifiBssid
Array of strings nested in object metadata
A list of Wi-Fi network BSSIDs associated with the detection.
usb_vid
.UsbVid
Array of strings nested in object metadata
A list of USB device vendor IDs associated with the detection.
usb_pid
.UsbPid
Array of strings nested in object metadata
A list of USB device product IDs associated with the detection.
usb_serial
.UsbSerial
Array of strings nested in object metadata
A list of USB device serial numbers associated with the detection.
content_pattern_name
.ContentPatternName
Array of strings nested in object metadata
A list of content inspection pattern names or custom content inspection pattern values associated with the detection.
account_name
.AccountName
Array of strings nested in object metadata
A list of account names or usernames associated with the detection, such as the account name associated with a failed login attempt.
certificate_name
.CertificateName
Array of strings nested in object metadata
A list of subject names of root certificates associated with the detection, such as the subject name of a newly installed root certificate.
mime_type
.MimeType
Array of strings nested in object metadata
A list of file MIME types associated with the detection.
window_title
.WindowTitle
Array of strings nested in object metadata
A list of application window title names associated with the detection.
printer_uuid
.PrinterUuid
Array of strings nested in object metadata
A list of printer unique identifiers.
file_size
.FileSize
Array of integers nested in object metadata
A list of file sizes (measured in bytes) associated with the detection.
*process_info
*.ProcessInfo
Array of objects
Contains process information.
uuid
.Uuid
String nested in array process_info
The unique identifier of the process that executed an application associated with the detection.
binary_name
.BinaryName
String nested in array process_info
The binary name of the process (that is, the name of the application) associated with the detection. This field captures parent and child process values when applicable.
binary_path
.BinaryPath
String nested in array process_info
The binary path of the process associated with the detection, such as the binary path from which the process of a connection was executed. This field captures parent and child process values when applicable.
username
.Username
String nested in array process_info
The username attribute of the process associated with the detection, such as the username of a person who started a process or accessed a file using a process.
app_identifier
.AppIdentifier
String nested in array process_info
The application identifier, typically present on Windows and macOS, associated with the detection.
signed
.Signed
Boolean nested in array process_info
The presence/validity of a process binary's digital signature associated with the detection, where true indicates a process with a valid digital signature and false indicates a process with either an unsigned binary or a binary with an invalid digital signature.
*extended_metadata
*.ExtendedMetadata
Object
Contains additional policy template-specific metadata.
*schema
*.Schema
Object
Contains policy template schema information.
id
.Id
String
The identifier of the policy template associated with the metadata.
version
.Version
String
The version number of the detection metadata schema, which differs from the FortiDLP Policy Templates release version.
*data
*.Data
Map
Contains detection event information that varies by the associated policy template. The nested fields are described in the FortiDLP Policies Extended Metadata Reference Guide.
*data_origin
*.DataOrigin
Array of objects
Contains web-based file origin information.
timestamp
.Timestamp
Timestamp nested in object data_origin
The date and time the file associated with the detection was downloaded from its origin website.
file_path
.FilePath
String nested in object data_origin
The path of the downloaded file on the user's computer.
file_size
.FileSize
Integer nested in object data_origin
The size of the downloaded file (measured in bytes).
origin_type
.OriginType
String nested in object data_origin
The type of file origin, which will be "browser".
*browser
*.Browser
Object nested in object data_origin
Contains origin browser details.
tab_url
.TabUrl
String nested in object browser
The URL of the origin website, from which the file was downloaded.
tab_title
.TabTitle
String nested in object browser
The title of the browser tab that was open when the file was downloaded from its origin website.
account_name
.AccountName
String nested in object browser
The login account name that was used when the file was downloaded from its origin website.
url
.Url
String nested in object browser
The downloaded file's origin URL.
*saas_app
*.SaasApp
Object nested in object browser
Contains origin SaaS app details.
application_id
.ApplicationId
Integer nested in object saas_app
The identifier of the origin SaaS app that was used to download the file.
name
.Name
String nested in object saas_app
The name of the origin SaaS app that was used to download the file.
category
.Category
String nested in object saas_app
The category of the origin SaaS app that was used to download the file.
risk_score
.RiskScore
Integer nested in object saas_app
The risk score assigned to the origin SaaS app that was used to download the file.
verdict
.Verdict
String nested in object saas_app
The verdict assigned to the origin SaaS app that was used to download the file.
*indicators
*.Indicators
Array of objects
Contains details about the MITRE ATT&CK indicator(s) associated with the detection. For more information, refer to FortiDLP Policies Reference Guide.
kind
.Kind
String nested in object indicators
The source or type of the mapped indicator, which will be mitre.
*tactic
*.Tactic
Object nested in object indicators
Contains MITRE ATT&CK tactic details.
id
.Id
String nested in object tactic
The identifier of the mapped MITRE ATT&CK tactic.
title
.Title
String nested in object tactic
The title of the mapped MITRE ATT&CK tactic.
*technique
*.Technique
Object nested in object indicators
Contains MITRE ATT&CK technique details. Subtechniques are specified where relevant.
id
.Id
String nested in object technique
The identifier of the mapped MITRE ATT&CK technique.
title
.Title
String nested in object technique
The title of the mapped MITRE ATT&CK technique.
Incident event fields
JSON field Custom field Type Description
tenant_id
.TenantUuid
String
The tenant's unique identifier.
tenant_name
.TenantName
String
The tenant's name.
tenant_origin
.TenantOrigin
String
The tenant's web address origin.
uuid
.UUID
String
The incident's unique identifier.
type
.Type
String
The reason the incident event was generated, for example, because the incident was resolved or a new user was added to it.
clustering_rule
.ClusteringRule
String
The clustering rule's identifier.
family
.Family
String
The identifier used to associate incidents that have the same cluster data.
created_by
.CreatedBy
String
The identifier of the policy that is associated with the incident.
description
.Description
String
The incident's description.
anonymised_description
.AnonymisedDescription
String
The incident's description, where identifying information is omitted.
generation
.Generation
Integer
The incident's version. When an incident is first created, its generation is 0. If it is resolved by an operator, it will no longer accumulate detections, even if it is reopened. A new incident will be created if a new detection is reported that matches the policy and cluster data of the resolved incident, which will increase the generation to 1. Every time a new incident is created in the same way, the generation will increase by one.
status
.Status
Timestamp
The date/time the incident was created.
last_updated
.LastUpdated
Timestamp
The date/time the incident's detection count was last updated.
sensor_count
.SensorCount
Integer
The number of detections forming the incident.
score
.Score
Integer
The incident's risk score, derived from its detection(s).
changed_status_at
.ChangedStatusAt
Timestamp
The date/time the incident status was last updated.
changed_status_by
.ChangedStatusBy
String
The operator who updated the incident status.
changed_status_reason
.ChangedStatusReason
String
The operator's comment that was provided when resolving or reopening an incident.
first_detection
.FirstDetection
Timestamp
The date/time the incident's first detection was generated.
last_detection
.LastDetection
Timestamp
The date/time the incident's last detection was generated.
new_entity
.NewEntity
String
The unique identifier of the node or user added to an open incident. This applies when an incident's new detection is generated by a new node or user.
new_entity_name
.NewEntityName
String
The name of the node or user added to an open incident. This applies when an incident's new detection is generated by a new node or user.
*cluster_data
*.ClusterData
Map
Contains the key and value that formed the incident.
Audit log event fields
JSON field Custom field Type Description
tenant_id
.TenantUuid
String
The tenant's unique identifier.
tenant_name
.TenantName
String
The tenant's name.
tenant_origin
.TenantOrigin
String
The tenant's web address origin.
type
.Type
String
The type of audit log event.
*fields
*.Fields
Map
Contains audit log content in raw JSON format. The nested fields vary by the associated event.
Batched event fields
JSON field Custom field Type Description
detections
.Detections
Array of objects
A batch of detection events, where each detection is an object containing applicable Detection event fields.
incidents
.Incidents
Array of objects
A batch of incident events, where each incident is an object containing applicable Incident event fields.
audit_logs
.AuditLogs
Array of objects
A batch of audit log events, where each audit log is an object containing applicable Audit log event fields.
Note

For details regarding pseudonymization of these fields, see Operator roles.

Detection event payload

{
  "customer": "ecf86a6f-4b70-44fb-7b01-b1a327434e6f",
  "tenant_id": "ecf86a6f-4b70-44fb-7b01-b1a327434e6f",
  "tenant_name": "example",
  "tenant_origin": "https://example.reveal.nextdlp.com",
  "agent_uuid": "73f2653e-32ed-4e7b-b3e8-bb145f4e76a1",
  "agent_hostname": "Mark-Laptop",
  "uuid": "554924f1-faf0-4dfc-87c1-66adb5b192a8",
  "event_type": "sensor",
  "timestamp": "2024-02-23T16:40:13.125581231Z",
  "sensor_type": "AGENT_POLICY",
  "description": "File upload to \"filebin.net\" from Firefox: secret.txt with size 1GB containing \"confidential\" with at least 1 match.",
  "juid": "e62915a3-9683-4ad5-923c-b8afeb300141",
  "username": "Mark Smith",
  "score": 50,
  "created_by": "policy:///a99acdf6-cc72-4022-6220-c3/c1f4ce78-68ca-4634-6761-84cafb?instance=b342ca45-8431-4a44-4e01-508eeefab2aa&name=Sensitive+file+uploaded",
  "tags": [
    "datatracking",
    "blocking",
    "web",
    "dataupload",
    "ml"
  ],
  "anonymised_description": "File upload to \"filebin.net\" from Firefox: [REDACTED] with size 1GB containing \"confidential\" with at least 1 match.",
  "requested_actions": [],
  "suppressed_actions": [
    "message"
  ],
  "label_ids": [
    "1ae14245-8056-4d3a-6c9d-93e21133e331",
    "bf8g6ab5-68d0-4ae4-6f8e-babf39b4052b"
  ],
  "label_names": [
    "Windows",
    "Sales"
  ],
  "metadata": {
    "source_ip": ["192.0.2.10"],
    "source_port": [12345],
    "destination_ip": ["192.0.2.30"],
    "destination_port": [80],
    "url": [
      "https://filebin.net/"
    ],
    "host": [
      "filebin.net"
    ],
    "application_name": [
      "Firefox"
    ],
    "file_name": [
      "secret.txt"
    ],
    "file_path": [
      "C:\\Users\\marksmith\\Desktop\\secret.txt"
    ],
    "target_file_name": [],
    "target_file_path": [],
    "recipient_mail_address": [],
    "sender_mail_address": [],
    "wifi_ssid": [],
    "wifi_bssid": [],
    "usb_vid": [],
    "usb_pid": [],
    "usb_serial": [],
    "content_pattern_name": [
      "\"confidential\""
    ],
    "account_name": [],
    "certificate_name": [],
    "mime_type": [],
    "window_title": [
      "Filebin"
    ],
    "file_size": [
      1073741824
    ],
    "printer_type": [
      "VirtualPrinter"
    ],
    "printer_uuid": [
      "c7102075-e369-4af5-98a4-5c3fb296111f"
    ]
  },
  "extended_metadata": {
    "schema": {
      "id": "fff50b49_3f86_5821_40be_0e",
      "version": "ad82d9bcf40cc34c"
    },
    "data": {
      "blocked": [
        false
      ],
      "browser_tab": [
        {
          "browser_name": "Firefox",
          "id": 2,
          "incognito": false,
          "title": "Filebin",
          "url": "https://filebin.net/",
          "user": "S-1-5-21-567657-768498707-870149045-1002",
          "window_id": 1
        }
      ],
      "new_host": [
        false
      ]
    }
  },
  "process_info": [
    {
      "uuid": "11a466b9-ff10-4698-505c-7fcf74e3ff50",
      "binary_name": "firefox.exe",
      "binary_path": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
      "username": "Mark-Laptop\\msmith",
      "app_identifier": "v1.9466bbc96ff3b06205c78e99459e03dad10431e8c5e053a450d807d6ccf723ec",
      "signed": true
    }
  ],
  "data_origin": [
    {
      "timestamp": "2024-06-20T16:40:13.125581231Z",
      "file_path": "C:\\Users\\marksmith\\Downloads\\ClientAccounts.xlsx",
      "file_size": 1000,
      "origin_type": "browser",
      "browser": {
        "tab_url": "https://drive.google.com/drive/u/0/folders/1KD567PICqJgYi8a",
        "tab_title": "Sales - Google Drive",
        "account_name": "mark.smith@example.com",
        "url": "https://drive.google.com/file/d/1VLqSQSyBL9aIzaiuEg8/view",
        "saas_app": {
          "application_id": 100,
          "name": "Google Drive",
          "category": "Google Apps",
          "risk_score": 50,
          "verdict": "sanctioned"
        }
      }
    }
  ],
  "indicators": [
    {
      "kind": "mitre",
      "tactic": {
        "id": "TA0010",
        "title": "Exfiltration"
      },
      "technique": {
        "id": "T1052.001",
        "title": "Exfiltration over USB"
      }
    }
  ]
}

Audit log event payload

{
  "tenant_id": "ecf86a6f-4b70-44fb-7b01-b1a327434e6f",
  "tenant_name": "example",
  "tenant_origin": "https://example.reveal.nextdlp.com",
  "type": "OperatorLogin",
  "fields": {
    "auth": {
      "audience": [
        "webapp"
      ],
      "operator_display_name": "Ellie Smith",
      "operator_id": "e52c5aba-62b2-4f64-4236-12343f8de78",
      "operator_login_name": "EllieS",
      "role": [
        "Built-in/Administrator"
      ],
      "session_id": "0b362b98-44c3-484c-4779-34717c3d5201"
    },
    "enabled": true,
    "http": {
      "host": "example.reveal.nextdlp.com",
      "method": "PUT",
      "path": "/api/v1/admin/login/banner",
      "remote_address": "192.0.2.45",
      "user_agent": "Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion"
    },
    "summary": "Login banner updated",
    "timestamp": "2024-06-27T10:57:46.726255058Z",
    "title": "Welcome",
    "trace_id": "11111111111111111111111111111111",
    "type": "LoginBannerUpdated",
    "type_id": 75
  }
}
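As an added example (not FortiDLP's own code), the following Python shows how a webhook receiver can unpack either a single event or a batched payload using the field names in the tables above, and flatten a detection's nested indicators and data_origin into a SIEM-friendly record while honouring the anonymised description. The sample payloads are constructed for this example, and the markers used to tell an incident from an audit log event (clustering_rule/generation versus fields/type) are assumptions about which fields each event carries.

```python
# Added example (not FortiDLP's own code): unpack single or batched webhook bodies
# and flatten a detection into a SIEM-friendly record. Payloads are constructed here
# from the table field names; the markers used in classify() are assumptions.
DETECTION = {
    "event_type": "sensor", "uuid": "d-1", "agent_hostname": "Mark-Laptop", "score": 50,
    "description": "File upload: secret.txt", "anonymised_description": "File upload: [REDACTED]",
    "indicators": [{"kind": "mitre", "tactic": {"id": "TA0010", "title": "Exfiltration"},
                    "technique": {"id": "T1052.001", "title": "Exfiltration over USB"}}],
    "data_origin": [{"origin_type": "browser",
                     "browser": {"saas_app": {"name": "Google Drive", "verdict": "sanctioned"}}}],
}
INCIDENT = {"uuid": "i-1", "generation": 0, "clustering_rule": "r1", "sensor_count": 3}
AUDIT = {"type": "OperatorLogin", "fields": {"summary": "Login banner updated"}}
BATCH = {"detections": [DETECTION], "incidents": [INCIDENT], "audit_logs": [AUDIT]}

def classify(event):
    """Name the event type of a single (non-batched) payload."""
    if event.get("event_type") == "sensor":          # detections always carry event_type "sensor"
        return "detection"
    if "clustering_rule" in event or "generation" in event:  # assumed incident markers
        return "incident"
    if "fields" in event and "type" in event:                # assumed audit-log markers
        return "audit_log"
    return "unknown"

def split_batch(body):
    """Return (kind, event) pairs whether the body is one event or a batched payload."""
    if any(k in body for k in ("detections", "incidents", "audit_logs")):
        return ([("detection", e) for e in body.get("detections", [])]
                + [("incident", e) for e in body.get("incidents", [])]
                + [("audit_log", e) for e in body.get("audit_logs", [])])
    return [(classify(body), body)]

def flatten_detection(det, pseudonymise=False):
    """Flatten nested indicators/data_origin; optionally prefer the anonymised description."""
    techniques = {i["technique"]["id"] for i in det.get("indicators", [])
                  if i.get("kind") == "mitre" and "technique" in i}
    verdicts = {o["browser"]["saas_app"]["verdict"] for o in det.get("data_origin", [])
                if o.get("origin_type") == "browser" and "saas_app" in o.get("browser", {})}
    return {
        "uuid": det["uuid"],
        "host": det.get("agent_hostname"),
        "score": det.get("score", 0),
        "description": det["anonymised_description" if pseudonymise else "description"],
        "mitre_techniques": sorted(techniques),
        "origin_saas_verdicts": sorted(verdicts),
    }
```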