Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FNC Python Library

    Home FortiNDR Cloud 2024.10.0 FNC Python Library
    2024.10.0
    2024.10.0

    Observations

    Observations

    Field

    Type

    Description

    Example

    category

    string

    The subject of an observation.

    relationship

    class

    string

    confidence

    string

    The confidence in the model output to what was attempted to be observed.

    high

    context

    string

    A set of key value pairs providing additional details for this specific observation occurrence.

    customer_id

    string

    The code of the account that owns the event.

    chg

    dst_ip

    string

    The IP of the responder to the connection.

    1.2.3.4

    dst_ip_enrichments

    ip_enrichments

    Enrichments for an IP.

    event_type

    string

    The type of event recorded.

    flow

    evidence_end_timestamp

    string

    The timestamp for which the flagged activity ended.

    2019-01-01T00:00:00.000000Z

    evidence_iql

    string

    An IQL statement that attempts to identify the events used to generate the observation.

    src.ip = 4.3.2.1' AND customer_id = 'abc' AND dce_rpc:dce_rpc_operation = 'NetrSessionEnum' AND timestamp >= t'2019-01-01T22:00:00.000000Z' AND timestamp <= t'2019-01-01T22:10:00.000000Z'

    evidence_start_timestamp

    string

    The timestamp for which the flagged activity began.

    2019-01-01T00:00:00.000000Z

    geo_distance

    number

    The difference between src and dstgeovalues.

    1410.373826280689

    intel

    intel[]

    Intel that matched entities in the event.

    observation_uuid

    string

    A unique identifier for the model used to generate the observation. Multiple models may exist for the same title.

    ac33589c-ee31-4f5e-b6a1-dcb23da37205

    sensor_id

    string

    The sensor that created the event.

    sen1

    sensor_ids

    string[]

    A list of sensors from which activity was used as part of the observation.

    [abc1,abc2,abc3]

    source

    string

    The source of the event.

    Zeek

    src_ip

    string

    The IP of the initiator of the connection.

    4.3.2.1

    src_ip_enrichments

    ip_enrichments

    Enrichments for an IP.

    timestamp

    string

    The time at which traffic for the event began.

    2019-01-01T00:00:00.000000Z

    title

    string

    The title of what was attempted to be detected (similar to a suricata sig name).

    High Count of NetSession Destinations

    uuid

    string

    A unique identifier for the event.

    ac33589c-ee31-4f5e-b6a1-dcb23da37205

    category

    string

    The subject of an observation.

    relationship
    Previous
    Next

    Observations

    Observations

    Field

    Type

    Description

    Example

    category

    string

    The subject of an observation.

    relationship

    class

    string

    confidence

    string

    The confidence in the model output to what was attempted to be observed.

    high

    context

    string

    A set of key value pairs providing additional details for this specific observation occurrence.

    customer_id

    string

    The code of the account that owns the event.

    chg

    dst_ip

    string

    The IP of the responder to the connection.

    1.2.3.4

    dst_ip_enrichments

    ip_enrichments

    Enrichments for an IP.

    event_type

    string

    The type of event recorded.

    flow

    evidence_end_timestamp

    string

    The timestamp for which the flagged activity ended.

    2019-01-01T00:00:00.000000Z

    evidence_iql

    string

    An IQL statement that attempts to identify the events used to generate the observation.

    src.ip = 4.3.2.1' AND customer_id = 'abc' AND dce_rpc:dce_rpc_operation = 'NetrSessionEnum' AND timestamp >= t'2019-01-01T22:00:00.000000Z' AND timestamp <= t'2019-01-01T22:10:00.000000Z'

    evidence_start_timestamp

    string

    The timestamp for which the flagged activity began.

    2019-01-01T00:00:00.000000Z

    geo_distance

    number

    The difference between src and dstgeovalues.

    1410.373826280689

    intel

    intel[]

    Intel that matched entities in the event.

    observation_uuid

    string

    A unique identifier for the model used to generate the observation. Multiple models may exist for the same title.

    ac33589c-ee31-4f5e-b6a1-dcb23da37205

    sensor_id

    string

    The sensor that created the event.

    sen1

    sensor_ids

    string[]

    A list of sensors from which activity was used as part of the observation.

    [abc1,abc2,abc3]

    source

    string

    The source of the event.

    Zeek

    src_ip

    string

    The IP of the initiator of the connection.

    4.3.2.1

    src_ip_enrichments

    ip_enrichments

    Enrichments for an IP.

    timestamp

    string

    The time at which traffic for the event began.

    2019-01-01T00:00:00.000000Z

    title

    string

    The title of what was attempted to be detected (similar to a suricata sig name).

    High Count of NetSession Destinations

    uuid

    string

    A unique identifier for the event.

    ac33589c-ee31-4f5e-b6a1-dcb23da37205

    category

    string

    The subject of an observation.

    relationship
    Previous
    Next