Event message fields
The following tables describe the JSON fields and structure for detection, incident, and audit log events. An example detection event is also provided.
Some fields are optional, and some fields may or may not be populated depending on the context. For example, a policy detection event for a browser file upload will contain URL information, whereas a transfer to a USB storage device will contain details about the storage device.
FortiDLP also provides additional contextual information about policy detection events for advanced analysis and response. This extra information is sent in the extended_metadata field for applicable detection events, as outlined in the following table and example payload. For detailed information about the extended metadata fields reported per policy template, refer to the FortiDLP Policies Extended Metadata Reference Guide.
Note: If preferred, reporting of extended metadata can be disabled for Splunk, as described in Integrating using the FortiDLP Add-on for Splunk.
For each event message, an enrichment_errors field will be included. If there are any issues with the population of the event message's main fields, enrichment_errors will contain corresponding error information.
Note: A field preceded by an asterisk (*) contains nested fields. Where possible, nested fields are indented below the containing field.
Detection event fields

| JSON field | Description |
|---|---|
| tenant_id | The tenant's unique identifier. |
| tenant_name | The tenant's name. |
| tenant_origin | The tenant's URL. |
| uuid | The detection's unique identifier. |
| *created_by | Contains the detection source details. |
|   uri | The unique identifier of the detection's source, such as the identifier of the policy that triggered the detection, or the operator name if the detection was created using the FortiDLP API. |
|   *policy | Contains policy invocation details. |
|     group_id | The identifier of the policy group that contains the policy. |
|     policy_id | The policy's identifier. |
|     name | The policy's name. |
|     instance | The unique identifier of the policy invocation. |
| sensor_type | The detection's type. |
| agent_uuid | The node's unique identifier. |
| agent_hostname | The node's hostname. |
| user_id | The user's identifier. |
| user_name | The user's username. |
| user_email | The user's email address. |
| score | The detection's risk score. |
| label_ids | A list of identifiers for the labels assigned to the entities associated with the detection. |
| label_names | A list of names for the labels assigned to the entities associated with the detection. |
| timestamp | The date and time of the detection. |
| description | The detection's description. |
| anonymised_description | The detection's description, where identifying information is omitted. |
| tags | A list of the detection's tag names. |
| *metadata | Contains metadata. |
|   source_ip | A list of source IP addresses. |
|   source_port | A list of source port numbers. |
|   destination_ip | A list of destination IP addresses. |
|   destination_port | A list of destination port numbers. |
|   url | A list of browser request URLs. |
|   host | A list of URL hostnames. |
|   application_name | A list of binary or friendly application names. |
|   window_title | A list of application window title names. |
|   file_name | A list of filenames that were accessed, created, or deleted. |
|   file_path | A list of file paths that were accessed, created, or deleted. |
|   mime_type | A list of file MIME types. |
|   file_size | A list of file sizes (measured in bytes). |
|   target_file_name | A list of target filenames, such as the name of a newly created compressed file. |
|   target_file_path | A list of target file paths, such as the path of a newly created compressed file. |
|   recipient_mail_address | A list of email recipient addresses (includes the To, CC, and BCC fields). |
|   sender_mail_address | A list of email sender addresses. |
|   wifi_ssid | A list of Wi-Fi network SSIDs. |
|   wifi_bssid | A list of Wi-Fi network BSSIDs. |
|   usb_vid | A list of USB device vendor IDs. |
|   usb_pid | A list of USB device product IDs. |
|   usb_serial | A list of USB device serial numbers. |
|   content_pattern_name | A list of content inspection pattern names or custom content inspection pattern values. |
|   account_name | A list of account names or usernames, such as the account name associated with a failed login attempt. |
|   certificate_name | A list of subject names of root certificates, such as the subject name of a newly installed root certificate. |
|   printer_uuid | A list of printer unique identifiers. |
| *process_info | Contains process information. |
|   binary_name | The binary name of the process (that is, the name of the application). This field captures parent and child process values when applicable. |
|   binary_path | The binary path of the process, such as the binary path from which the process of a connection was executed. This field captures parent and child process values when applicable. |
|   username | The username attribute of the process, such as the username of a person who started a process or accessed a file using a process. |
|   app_identifier | The application identifier, typically present on Windows and macOS. |
|   signed | The presence/validity of a process binary's digital signature, where true indicates a process with a valid digital signature and false indicates a process with either an unsigned binary or a binary with an invalid digital signature. |
|   uuid | The unique identifier of the process that executed an application. |
| requested_actions | A list of policy actions requested to execute on the node when the detection occurred. |
| suppressed_actions | A list of policy actions that did not execute on the node when the detection occurred, due to Agent rate limiting. |
| classifications | A list of URL classification categories. |
| *extended_metadata | Contains additional policy template-specific metadata. |
|   *schema | Contains policy template schema information. |
|     id | The identifier of the policy template associated with the metadata. |
|     version | The version number of the detection metadata schema, which differs from the FortiDLP Policy Templates release version. |
|   *data | Contains detection event information that varies by the associated policy template. The nested fields are described in the FortiDLP Policies Extended Metadata Reference Guide. |
| *data_origin | Contains web-based file origin information. |
|   timestamp | The date and time the file was downloaded from its origin website. |
|   id | The downloaded file's unique identifier. |
|   file_path | The path of the downloaded file on the user's computer. |
|   file_size | The size of the downloaded file (measured in bytes). |
|   *browser | Contains origin browser details. |
|     tab_url | The URL of the origin website, from which the file was downloaded. |
|     tab_title | The title of the browser tab that was open when the file was downloaded from its origin website. |
|     account_name | The login account name that was used when the file was downloaded from its origin website. |
|     url | The downloaded file's origin URL. |
|     *saas_app | Contains origin SaaS app details. |
|       application_id | The identifier of the origin SaaS app that was used to download the file. |
|       name | The name of the origin SaaS app that was used to download the file. |
|       category | The category of the origin SaaS app that was used to download the file. |
|       risk_score | The risk score assigned to the origin SaaS app that was used to download the file. |
|       verdict | The verdict assigned to the origin SaaS app that was used to download the file. |
| *data_flow | Contains high-level data lineage details associated with the detection. |
|   *lineages | The data lineage of files associated with the detection. |
|     final_file_path | The path of the file when the final file operation was performed. |
|     operations | The operations performed on the file, such as rename, copy, and move. Data lineage is not supported for file deletions. |
|     origin_ids | The original file's unique identifier, which will match the data_origin's id field value. |
| *indicators | Contains details about the MITRE ATT&CK indicator(s) associated with the detection. For more information, refer to the FortiDLP Policies Reference Guide. |
|   kind | The source or type of the mapped indicator, which will be mitre. |
|   *tactic | Contains MITRE ATT&CK tactic details. |
|     id | The identifier of the mapped MITRE ATT&CK tactic. |
|     title | The title of the mapped MITRE ATT&CK tactic. |
|   *technique | Contains MITRE ATT&CK technique details. Subtechniques are specified where relevant. |
|     id | The identifier of the mapped MITRE ATT&CK technique. |
|     title | The title of the mapped MITRE ATT&CK technique. |
Incident event fields

| JSON field | Description |
|---|---|
| tenant_id | The tenant's unique identifier. |
| tenant_name | The tenant's name. |
| tenant_origin | The tenant's URL. |
| uuid | The incident's unique identifier. |
| type | The reason for the incident event, for example, the incident has been resolved or a new user has been added to the incident. |
| clustering_rule | The incident's clustering rule identifier. |
| family | The unique identifier of the group that contains this incident and other incidents that have the same cluster data. |
| *created_by | Contains policy details. |
|   uri | The unique identifier of the policy associated with the incident. |
|   *policy | Contains policy invocation details. |
|     group_id | The unique identifier of the policy group that contains the policy. |
|     policy_id | The unique identifier of the policy. |
|     name | The policy's name. |
|     instance | The unique identifier of the policy invocation. |
| description | The incident's description. |
| anonymised_description | The anonymized version of the incident's description, where identifiable information is omitted. |
| generation | The incident's version. When an incident is first created, it has a generation of |
| status | The status of the incident, indicating whether the incident has been resolved by an operator or not. |
| started | The date and time the incident was created. |
| last_updated | The date and time the incident's detection count was most recently updated. |
| sensor_count | The number of detections associated with the incident. |
| score | The incident's risk score, derived from the risk scores of the detections associated with the incident. |
| changed_status_at | The date and time the incident's status was most recently updated. |
| changed_status_by | The operator who updated the incident status. |
| changed_status_reason | The reason for the incident's most recent status change, provided by an operator. |
| first_detection | The date and time the incident's first detection was generated. |
| last_detection | The date and time the incident's most recent detection was generated. |
| *new_entity | Contains incident entity details. |
|   *agent | Contains Agent/node details. |
|     agent_uuid | The node's unique identifier. |
|     agent_hostname | The node's hostname. |
|   *user | Contains user details. |
|     user_id | The user's identifier. |
|     user_name | The user's name. |
|     user_email | The user's email. |
| *cluster_data | Contains the key and value that formed the incident. |
Audit log event fields

| JSON field | Description |
|---|---|
| tenant_id | The tenant's unique identifier. |
| tenant_name | The tenant's name. |
| tenant_origin | The tenant's URL. |
| type | The type of audit log event, such as when an operator logs in/out of FortiDLP or deletes data from FortiDLP. |
| *fields | Contains audit log content in raw JSON format. The nested fields vary by the associated event. |
Detection event message

```json
{
  "sensor": {
    "tenant_id": "6f651c06-fa40-47bd-96fa-f0e56d838636",
    "tenant_name": "example",
    "tenant_origin": "https://example.reveal.nextdlp.com",
    "uuid": "048a2091-e54f-457b-64a1-7de0e0aac3b1",
    "created_by": {
      "uri": "policy:///bab6f231-2d2c-4690-597d-bf3e98/ad107922b32?instance=8040390d-3b06c35792a3\u0026name=File+opened+outside+user+directory",
      "policy": {
        "group_id": "bab6f231-2d2c-4690-597d-b318006f3e98",
        "policy_id": "ad10cf00-245a-4992-578d-9ce777922b32",
        "name": "File opened outside user directory",
        "instance": "8040390d-3cdf-4fcb-7bd5-3b06c35792a3"
      }
    },
    "sensor_type": "AGENT_POLICY",
    "agent_uuid": "ccdae548-0d34-4e40-80a1-f76fe27fd8b5",
    "agent_hostname": "Adrian Price's Laptop",
    "user_id": "c12d9700-99e6-4f30-832b-5a358285b9fb",
    "user_name": "Adrian Price",
    "user_email": "adrian.price@example.com",
    "score": 1,
    "label_ids": ["c8f80c47-ac11-4514-9372-098119062756"],
    "label_names": ["Department | Finance"],
    "timestamp": "2024-06-25T20:47:27.405170126Z",
    "description": "Protected file opened outside user directory at /Library/Keychains/daemons.doc",
    "anonymised_description": "Protected file opened outside user directory at [REDACTED]",
    "tags": ["apps", "datatracking", "unauthorizedaccess"],
    "metadata": {
      "source_ip": ["192.0.2.10"],
      "source_port": [54321],
      "destination_ip": ["192.0.2.30"],
      "destination_port": [80],
      "url": ["https://example.com/"],
      "host": ["example.com"],
      "application_name": ["Finder"],
      "window_title": ["Inbox - Gmail - Google Chrome"],
      "file_name": ["daemons.doc"],
      "file_path": ["/Library/Keychains/daemons.doc"],
      "mime_type": ["application/msword"],
      "file_size": ["1228"],
      "target_file_name": ["daemons.doc"],
      "target_file_path": ["/Library/Keychains/daemons.doc"],
      "recipient_mail_address": ["adrian.b.price@example.com"],
      "sender_mail_address": ["adrian.b.price@example.com"],
      "wifi_ssid": ["Test-net"],
      "wifi_bssid": ["00:53:58:92:0A:67"],
      "usb_vid": ["046D"],
      "usb_pid": ["C534"],
      "usb_serial": ["121220160204"],
      "content_pattern_name": ["US Social Security Numbers (SSN)"],
      "account_name": ["aprice"],
      "certificate_name": ["Personal CA"],
      "printer_uuid": ["c7102075-e369-4af5-98a4-5c3fb296111f"]
    },
    "process_info": [
      {
        "binary_name": "Finder",
        "binary_path": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
        "username": "aprice",
        "app_identifier": "v1.com.apple.finder",
        "signed": true,
        "uuid": "5706a6c8-ca67-413c-6c41-93fd9fb548d5"
      }
    ],
    "requested_actions": ["screenshot"],
    "suppressed_actions": ["file_shadow"],
    "classifications": {
      "url": ["cloud_storage"]
    },
    "extended_metadata": {
      "schema": {
        "id": "32d1e04d-1c7f-4c78-a734-7aa4158ae76c",
        "version": "212af7dbf69748e5"
      },
      "data": {
        "readable": [true],
        "writable": [true]
      }
    },
    "data_origin": [
      {
        "timestamp": "2024-06-20T20:47:27.405170126Z",
        "file_path": "/Users/Adrian/Downloads/ClientAccounts.xlsx",
        "file_size": "1000",
        "id": "af2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e9891562113d8a62add1bf",
        "browser": {
          "tab_url": "https://drive.google.com/drive/u/0/folders/1KD567PICqJgYi8a",
          "tab_title": "Sales - Google Drive",
          "account_name": "adrian.price@example.com",
          "url": "https://drive.google.com/file/d/1VLqSQSyBL9aIzaiuEg8/view",
          "saas_app": {
            "application_id": 100,
            "name": "Google Drive",
            "category": "Google Apps",
            "risk_score": 50,
            "verdict": "sanctioned"
          }
        }
      }
    ],
    "data_flow": {
      "lineages": [
        {
          "final_file_path": "/Users/Adrian/Downloads/ClientAccounts.xlsx",
          "operations": ["move", "rename", "download"],
          "origin_ids": ["af2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e9891562113d8a62add1bf"]
        }
      ]
    },
    "indicators": [
      {
        "kind": "mitre",
        "tactic": {
          "id": "TA0010",
          "title": "Exfiltration"
        },
        "technique": {
          "id": "T10552.001",
          "title": "Exfiltration over USB"
        }
      }
    ]
  },
  "enrichment_errors": []
}
```
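As an added example (not FortiDLP's own code), the following Python flattens a detection event in the layout documented above into a SIEM-friendly record: it tolerates absent optional fields, resolves each data_flow origin_ids entry to its data_origin record by id, and flags events whose enrichment_errors or suppressed_actions are non-empty. The sample event, the helper names and the short origin id values are constructed.

```python
import json

SAMPLE_EVENT = json.dumps({  # constructed sample, trimmed to the fields used below
    "sensor": {
        "uuid": "048a2091-e54f-457b-64a1-7de0e0aac3b1",
        "created_by": {"policy": {"name": "File opened outside user directory"}},
        "agent_hostname": "Adrian Price's Laptop",
        "user_email": "adrian.price@example.com",
        "score": 1,
        "metadata": {"file_path": ["/Library/Keychains/daemons.doc"]},
        "process_info": [{"binary_name": "Finder", "signed": True},
                         {"binary_name": "helper", "signed": False}],
        "suppressed_actions": ["file_shadow"],
        "data_origin": [{"id": "af2b", "browser": {"tab_url": "https://drive.google.com/"}}],
        "data_flow": {"lineages": [{"final_file_path": "/Users/Adrian/Downloads/ClientAccounts.xlsx",
                                    "origin_ids": ["af2b", "ffff"]}]},
        "indicators": [{"kind": "mitre", "technique": {"id": "T10552.001"}}],
    },
    "enrichment_errors": [],
})


def parse_detection(raw: str) -> dict:
    """Flatten one detection event; absent optional fields default to None or []."""
    event = json.loads(raw)
    sensor = event.get("sensor") or {}
    meta = sensor.get("metadata") or {}
    # data_origin entries keyed by id so lineage origin_ids can be resolved to a source URL
    origins = {o["id"]: o for o in sensor.get("data_origin") or [] if "id" in o}
    lineage, unresolved = [], []
    for ln in (sensor.get("data_flow") or {}).get("lineages") or []:
        for oid in ln.get("origin_ids") or []:
            if oid not in origins:
                unresolved.append(oid)  # no data_origin entry: web origin unknown
                continue
            lineage.append({"final_path": ln.get("final_file_path"),
                            "origin_url": (origins[oid].get("browser") or {}).get("tab_url")})
    errors, suppressed = event.get("enrichment_errors") or [], sensor.get("suppressed_actions") or []
    return {
        "detection_id": sensor.get("uuid"),
        "policy": ((sensor.get("created_by") or {}).get("policy") or {}).get("name"),
        "host": sensor.get("agent_hostname"), "user": sensor.get("user_email"),
        "score": sensor.get("score"), "file_paths": meta.get("file_path") or [],
        "unsigned_processes": [p.get("binary_name") for p in sensor.get("process_info") or []
                               if not p.get("signed")],
        "techniques": [(i.get("technique") or {}).get("id") for i in sensor.get("indicators") or []
                       if i.get("kind") == "mitre"],
        "lineage": lineage, "unresolved_origin_ids": unresolved,
        # enrichment errors or rate-limited (suppressed) actions mean the record needs a look
        "needs_review": bool(errors) or bool(suppressed), "suppressed_actions": suppressed,
    }
```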